2016-11-09 17:37:09 +00:00
|
|
|
# -*- Mode: python; indent-tabs-mode: nil; tab-width: 40 -*-
|
|
|
|
# vim: set filetype=python:
|
|
|
|
# This Source Code Form is subject to the terms of the Mozilla Public
|
|
|
|
# License, v. 2.0. If a copy of the MPL was not distributed with this
|
|
|
|
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
|
|
|
|
|
2017-03-09 10:33:30 +00:00
|
|
|
with Files("**"):
|
|
|
|
BUG_COMPONENT = ("Core", "Security: PSM")
|
|
|
|
|
|
|
|
with Files("generate*.py"):
|
2018-03-14 20:44:46 +00:00
|
|
|
BUG_COMPONENT = ("Firefox Build System", "General")
|
2017-03-09 10:33:30 +00:00
|
|
|
|
|
|
|
with Files("nss/**"):
|
|
|
|
BUG_COMPONENT = ("NSS", "Libraries")
|
|
|
|
|
|
|
|
with Files("nss.symbols"):
|
|
|
|
BUG_COMPONENT = ("NSS", "Libraries")
|
|
|
|
|
2016-11-09 17:37:09 +00:00
|
|
|
if CONFIG["MOZ_SYSTEM_NSS"]:
|
|
|
|
Library("nss")
|
|
|
|
OS_LIBS += CONFIG["NSS_LIBS"]
|
2018-10-02 12:59:34 +00:00
|
|
|
|
|
|
|
include("/build/gyp_base.mozbuild")
|
|
|
|
if CONFIG["MOZ_FOLD_LIBS"]:
|
|
|
|
GeckoSharedLibrary("nss", linkage=None)
|
|
|
|
# TODO: The library name can be changed when bug 845217 is fixed.
|
|
|
|
SHARED_LIBRARY_NAME = "nss3"
|
|
|
|
|
|
|
|
USE_LIBS += [
|
|
|
|
"nspr4",
|
|
|
|
"nss3_static",
|
|
|
|
"nssutil",
|
|
|
|
"plc4",
|
|
|
|
"plds4",
|
|
|
|
"smime3_static",
|
|
|
|
"ssl",
|
|
|
|
]
|
|
|
|
|
|
|
|
OS_LIBS += CONFIG["REALTIME_LIBS"]
|
|
|
|
|
|
|
|
SYMBOLS_FILE = "nss.symbols"
|
|
|
|
# This changes the default targets in the NSS build, among
|
|
|
|
# other things.
|
|
|
|
gyp_vars["moz_fold_libs"] = 1
|
|
|
|
# Some things in NSS need to link against nssutil, which
|
|
|
|
# gets folded, so this tells them what to link against.
|
|
|
|
gyp_vars["moz_folded_library_name"] = "nss"
|
|
|
|
# Force things in NSS that want to link against NSPR to link
|
|
|
|
# against the folded library.
|
|
|
|
gyp_vars["nspr_libs"] = "nss"
|
|
|
|
elif not CONFIG["MOZ_SYSTEM_NSS"]:
|
|
|
|
Library("nss")
|
|
|
|
USE_LIBS += [
|
|
|
|
"nss3",
|
|
|
|
"nssutil3",
|
|
|
|
"smime3",
|
|
|
|
"sqlite",
|
|
|
|
"ssl3",
|
|
|
|
]
|
|
|
|
gyp_vars["nspr_libs"] = "nspr"
|
2016-11-09 17:37:09 +00:00
|
|
|
else:
|
2018-10-02 12:59:34 +00:00
|
|
|
gyp_vars["nspr_libs"] = "nspr"
|
2023-01-03 17:48:24 +00:00
|
|
|
# Bug 1805371: We need a static copy of NSS for the tlsserver test
|
|
|
|
# binaries even when building with system NSS. But there's no good
|
|
|
|
# way to build NSS that does not pollute dist/bin with shared
|
|
|
|
# object files. For now, we have to build mozpkix only and disable
|
|
|
|
# the affected tests.
|
|
|
|
gyp_vars["mozpkix_only"] = 1
|
2018-10-02 12:59:34 +00:00
|
|
|
|
|
|
|
# This disables building some NSS tools.
|
|
|
|
gyp_vars["mozilla_client"] = 1
|
2019-03-13 22:32:46 +00:00
|
|
|
|
|
|
|
# This builds NSS tools in COMM applications that Firefox doesn't build.
|
|
|
|
if CONFIG["MOZ_BUILD_APP"].startswith("comm/"):
|
|
|
|
gyp_vars["comm_client"] = 1
|
|
|
|
|
2018-10-02 12:59:34 +00:00
|
|
|
# We run shlibsign as part of packaging, not build.
|
|
|
|
gyp_vars["sign_libs"] = 0
|
2020-05-05 19:53:22 +00:00
|
|
|
gyp_vars["python"] = CONFIG["PYTHON3"]
|
2018-10-02 12:59:34 +00:00
|
|
|
# The NSS gyp files do not have a default for this.
|
|
|
|
gyp_vars["nss_dist_dir"] = "$PRODUCT_DIR/dist"
|
|
|
|
# NSS wants to put public headers in $nss_dist_dir/public/nss by default,
|
|
|
|
# which would wind up being mapped to dist/include/public/nss (by
|
|
|
|
# gyp_reader's `handle_copies`).
|
|
|
|
# This forces it to put them in dist/include/nss.
|
|
|
|
gyp_vars["nss_public_dist_dir"] = "$PRODUCT_DIR/dist"
|
|
|
|
gyp_vars["nss_dist_obj_dir"] = "$PRODUCT_DIR/dist/bin"
|
|
|
|
# We don't currently build NSS tests.
|
|
|
|
gyp_vars["disable_tests"] = 1
|
2019-12-16 17:35:49 +00:00
|
|
|
gyp_vars["disable_dbm"] = 1
|
2018-10-02 12:59:34 +00:00
|
|
|
gyp_vars["disable_libpkix"] = 1
|
2019-01-25 18:43:23 +00:00
|
|
|
gyp_vars["enable_sslkeylogfile"] = 1
|
2022-10-31 17:09:43 +00:00
|
|
|
# Whether we're using system NSS or Rust nssckbi, we don't need
|
|
|
|
# to build C nssckbi
|
|
|
|
gyp_vars["disable_ckbi"] = 1
|
2018-10-02 12:59:34 +00:00
|
|
|
# pkg-config won't reliably find zlib on our builders, so just force it.
|
|
|
|
# System zlib is only used for modutil and signtool unless
|
|
|
|
# SSL zlib is enabled, which we are disabling immediately below this.
|
|
|
|
gyp_vars["zlib_libs"] = "-lz"
|
|
|
|
gyp_vars["ssl_enable_zlib"] = 0
|
|
|
|
# System sqlite here is the in-tree mozsqlite.
|
|
|
|
gyp_vars["use_system_sqlite"] = 1
|
|
|
|
gyp_vars["sqlite_libs"] = "sqlite"
|
2020-12-04 15:26:17 +00:00
|
|
|
gyp_vars["enable_draft_hpke"] = 1
|
2018-10-02 12:59:34 +00:00
|
|
|
|
2022-01-12 21:48:20 +00:00
|
|
|
# Clang can build NSS with its integrated assembler since version 9.
|
|
|
|
if (
|
|
|
|
CONFIG["CPU_ARCH"] == "x86_64"
|
|
|
|
and CONFIG["CC_TYPE"] == "clang"
|
|
|
|
and int(CONFIG["CC_VERSION"].split(".")[0]) >= 9
|
|
|
|
):
|
|
|
|
gyp_vars["force_integrated_as"] = 1
|
|
|
|
|
2018-10-02 12:59:34 +00:00
|
|
|
|
|
|
|
if CONFIG["MOZ_SYSTEM_NSPR"]:
|
|
|
|
gyp_vars["nspr_include_dir"] = "%" + CONFIG["NSPR_INCLUDE_DIR"]
|
|
|
|
gyp_vars["nspr_lib_dir"] = "%" + CONFIG["NSPR_LIB_DIR"]
|
|
|
|
else:
|
|
|
|
gyp_vars["nspr_include_dir"] = "!/dist/include/nspr"
|
|
|
|
gyp_vars["nspr_lib_dir"] = "" # gyp wants a value, but we don't need
|
|
|
|
# it to be valid.
|
|
|
|
|
|
|
|
# The Python scripts that detect clang need it to be set as CC
|
|
|
|
# in the environment, which isn't true here. I don't know that
|
|
|
|
# setting that would be harmful, but we already have this information
|
|
|
|
# anyway.
|
|
|
|
if CONFIG["CC_TYPE"] in ("clang", "clang-cl"):
|
|
|
|
gyp_vars["cc_is_clang"] = 1
|
|
|
|
if CONFIG["GCC_USE_GNU_LD"]:
|
|
|
|
gyp_vars["cc_use_gnu_ld"] = 1
|
|
|
|
|
|
|
|
GYP_DIRS += ["nss"]
|
|
|
|
GYP_DIRS["nss"].input = "nss/nss.gyp"
|
|
|
|
GYP_DIRS["nss"].variables = gyp_vars
|
|
|
|
|
|
|
|
sandbox_vars = {
|
|
|
|
# NSS explicitly exports its public symbols
|
|
|
|
# with linker scripts.
|
|
|
|
"COMPILE_FLAGS": {
|
|
|
|
"VISIBILITY": [],
|
2022-10-27 22:26:48 +00:00
|
|
|
"WARNINGS_CFLAGS": [
|
|
|
|
f for f in CONFIG["WARNINGS_CFLAGS"] if f != "-Wsign-compare"
|
|
|
|
],
|
2018-10-02 12:59:34 +00:00
|
|
|
},
|
|
|
|
# NSS' build system doesn't currently build NSS with PGO.
|
|
|
|
# We could probably do so, but not without a lot of
|
|
|
|
# careful consideration.
|
|
|
|
"NO_PGO": True,
|
|
|
|
}
|
|
|
|
if CONFIG["OS_TARGET"] == "WINNT":
|
2019-03-21 01:28:50 +00:00
|
|
|
# We want to remove XP_WIN32 eventually. See bug 1535219 for details.
|
Bug 1851092 - land NSS NSS_3_94_RTM UPGRADE_NSS_RELEASE, r=nss-reviewers,jschanck
2023-10-02 Natalia Kulatova <nkulatova@mozilla.com>
* doc/rst/releases/nss_3_94.rst:
Documentation: Release notes for NSS 3.94
[8c67d6c2d718] [NSS_3_94_RTM] <NSS_3_94_BRANCH>
* .hgtags:
Added tag NSS_3_94_RTM for changeset a4d8f6ff9c3b
[18307440cfb0] <NSS_3_94_BRANCH>
* doc/rst/releases/index.rst:
Release notes for NSS 3.94
[a4d8f6ff9c3b] <NSS_3_94_BRANCH>
* lib/nss/nss.h, lib/softoken/softkver.h, lib/util/nssutil.h:
Set version numbers to 3.94 final
[0af23c222caf] <NSS_3_94_BRANCH>
2023-09-21 Benjamin Beurdouche <beurdouche@mozilla.com>
* .hgtags:
Removed tag NSS_3_94_BETA1
[1a3ea35e31a2]
2023-09-20 Karthikeyan Bhargavan <karthik.bhargavan@gmail.com>
* automation/taskcluster/scripts/run_hacl.sh,
lib/freebl/verified/Hacl_Hash_SHA3.c,
lib/freebl/verified/Hacl_IntTypes_Intrinsics.h,
lib/freebl/verified/Hacl_IntTypes_Intrinsics_128.h,
lib/freebl/verified/Hacl_Krmllib.h, lib/freebl/verified/Hacl_P256.c,
lib/freebl/verified/internal/Hacl_Bignum_Base.h,
lib/freebl/verified/internal/Hacl_Hash_SHA1.h,
lib/freebl/verified/internal/Hacl_Hash_SHA2.h,
lib/freebl/verified/internal/Hacl_IntTypes_Intrinsics.h,
lib/freebl/verified/internal/Hacl_IntTypes_Intrinsics_128.h,
lib/freebl/verified/internal/Hacl_Krmllib.h,
lib/freebl/verified/internal/Hacl_P256.h,
lib/freebl/verified/internal/lib_intrinsics.h,
lib/freebl/verified/karamel/include/krml/internal/target.h, lib/free
bl/verified/karamel/krmllib/dist/minimal/FStar_UInt_8_16_32_64.h,
lib/freebl/verified/karamel/krmllib/dist/minimal/Makefile.basic,
lib/freebl/verified/lib_intrinsics.h:
Bug 1853737 - Updated code and commit ID for HACL*. r=jschanck
[3501ba1860c3]
2023-09-20 Iaroslav Gridin <iaroslav.gridin@tuni.fi>
* tests/acvp/fuzzed/ecdsa.json:
Bug 1840510: update ACVP fuzzed test vector: refuzzed with current
NSS r=jschanck
[da1cde22e844]
2023-09-15 Robert Relyea <rrelyea@redhat.com>
* automation/abi-check/expected-report-libnssutil3.so.txt,
lib/freebl/nsslowhash.c, lib/freebl/stubs.c, lib/freebl/stubs.h,
lib/pk11wrap/pk11util.c, lib/softoken/pkcs11.c,
lib/util/nssutil.def, lib/util/secport.c, lib/util/secport.h:
Bug 1827303 Softoken C_ calls should use system FIPS setting to
select NSC_ or FC_ variants.
NSS softoken presents a PKCS #11 API to the NSS low level crypto.
This allows NSS to have native support for replacement PKCS #11
libraries, and is also the FIPS boundary, allowing the rest of NSS
to change without affecting any FIPS validations.
Some applications that need crypto, but have their own higher level
implementations of SSL or S/MIME use NSS softoken. Softoken has 2
general APIs: NSC_xxxx calls which implement the normal NSS
interface, but does not include any FIPS restrictions, The FC_xxx
interfaces which implements FIPS restrictions on the semantics of
the calls and additional FIPS requirements (like self-tests and
software integrity checks). The official PKCS #11 APIs are C_xxx
interfaces, and NSS exports those as aliases for NSC_xxxx calls.
Right now applications that use softoken have to know the NSS names
if they want to access the FIPS api. This bugs removes this
restriction and causes calls to C_xxxx to alias to FC_xxxxx if the
system is in FIPS mode. If the system has no system FIPS indicator,
or the that indicator is off, the C_xxxx will continue to call
NSC_xxxxx. NSS itself will continue to use NSC_xxxx or FC_xxxx
according to the NSS internal FIPS settings.
---------------- Currently there are 3 layers in NSS with code that
identifies the whether the system is in NSS: nss proper (which is
also exported to applications), and freebl for the Freebl hash
direct case. This code would add a 3rd (in softoken). Rather than
adding a third, this patch relocates the main function to nssutil
where softoken, nss, and freebl can all access it. The exception is
when building freebl with 'NODEPEND' (freebl can provide hashing
without dependencies on NSPR or NSSUTIL), there needs to be a stub
implementation. In most platforms and cases this stub is never
compiled.
[762cb673ca8c]
* .hgignore, automation/taskcluster/scripts/split.sh, cmd/Makefile,
cmd/dbtool/Makefile, cmd/dbtool/dbtool.c, cmd/dbtool/dbtool.gyp,
cmd/dbtool/manifest.mn, cmd/manifest.mn, lib/softoken/sdb.h,
nss.gyp:
Bug 1774659 NSS needs a database tool that can dump the low level
representation of the database. r=jschanck
When debugging the database, it would be helpful to know what is in
the database is a nicely formated way. certutil dumps a high level
view of the certs and keys, sqlite3 can dump the low level tables
and raw entries. It would be useful to dump the database as softoken
sees the database.
This code grabs a copy of the latest sdb.c from softoken and uses it
to fetch the database entries, then parses them as necessary. It
uses the pkcs11 table in libsec to format the result data into human
readable strings.
[e52240a4bc62]
2023-09-08 John Schanck <jschanck@mozilla.com>
* gtests/mozpkix_gtest/pkixnames_tests.cpp:
Bug 1852179 - declare string literals using char in
pkixnames_tests.cpp. r=nss-reviewers,nkulatova
[dbed9fc0522a]
Differential Revision: https://phabricator.services.mozilla.com/D189815
2023-10-02 20:43:59 +00:00
|
|
|
sandbox_vars["CFLAGS"] = [
|
|
|
|
"-DXP_WIN32",
|
|
|
|
"-Wno-error=unused-function", # bug 1856445
|
|
|
|
]
|
2018-10-02 12:59:34 +00:00
|
|
|
if CONFIG["CPU_ARCH"] == "x86":
|
|
|
|
# This should really be the default.
|
|
|
|
sandbox_vars["ASFLAGS"] = ["-safeseh"]
|
2022-02-02 13:43:51 +00:00
|
|
|
|
|
|
|
DELAYLOAD_DLLS += [
|
|
|
|
"winmm.dll",
|
|
|
|
]
|
|
|
|
|
2018-10-02 12:59:34 +00:00
|
|
|
if CONFIG["OS_TARGET"] == "Android":
|
|
|
|
sandbox_vars["CFLAGS"] = [
|
|
|
|
"-include",
|
|
|
|
TOPSRCDIR + "/security/manager/android_stub.h",
|
|
|
|
]
|
|
|
|
if CONFIG["ANDROID_VERSION"]:
|
|
|
|
sandbox_vars["CFLAGS"] += ["-DANDROID_VERSION=" + CONFIG["ANDROID_VERSION"]]
|
|
|
|
if CONFIG["MOZ_SYSTEM_NSS"]:
|
|
|
|
sandbox_vars["CXXFLAGS"] = CONFIG["NSS_CFLAGS"]
|
|
|
|
GYP_DIRS["nss"].sandbox_vars = sandbox_vars
|
|
|
|
GYP_DIRS["nss"].no_chromium = True
|
|
|
|
GYP_DIRS["nss"].no_unified = True
|
|
|
|
# This maps action names from gyp files to
|
|
|
|
# Python scripts that can be used in moz.build GENERATED_FILES.
|
|
|
|
GYP_DIRS["nss"].action_overrides = {
|
|
|
|
"generate_mapfile": "generate_mapfile.py",
|
|
|
|
}
|
2016-11-09 17:37:09 +00:00
|
|
|
|
|
|
|
if CONFIG["NSS_EXTRA_SYMBOLS_FILE"]:
|
|
|
|
DEFINES["NSS_EXTRA_SYMBOLS_FILE"] = CONFIG["NSS_EXTRA_SYMBOLS_FILE"]
|
2021-07-22 12:10:19 +00:00
|
|
|
|
|
|
|
SPHINX_TREES["nss"] = "nss/doc/rst"
|
|
|
|
|
|
|
|
with Files("nss/doc/rst/**"):
|
|
|
|
SCHEDULES.exclusive = ["nss"]
|