74a8ec946b
2020-05-12 Kevin Jacobs <kjacobs@mozilla.com> * gtests/freebl_gtest/mpi_unittest.cc: Bug 1561331 - Additional modular inverse test r=jcj [e2061fe522f5] [tip] 2020-05-08 Jan-Marek Glogowski <glogow@fbihome.de> * coreconf/rules.mk, lib/ckfw/builtins/Makefile, lib/ckfw/builtins/testlib/Makefile, lib/ckfw/capi/Makefile, lib/dev/Makefile, lib/freebl/Makefile, lib/pk11wrap/Makefile, lib/softoken/Makefile: Bug 1629553 Use order-prereq for $(MAKE_OBJDIR) r=rrelyea Introduces a simple "%/d" rule to create directories using $(MAKE_OBJDIR) and replace all explicit $(MAKE_OBJDIR) calls with an order-only-prerequisites. To expand the $(@D) prerequisite, this needs .SECONDEXPANSION. [c3f11da5acfc] 2020-05-05 Jan-Marek Glogowski <glogow@fbihome.de> * coreconf/IRIX.mk, coreconf/OS2.mk, coreconf/README, coreconf/SunOS4.1.3_U1.mk, coreconf/SunOS5.mk, coreconf/UNIX.mk, coreconf/WIN32.mk, coreconf/config.mk, coreconf/location.mk, coreconf/mkdepend/Makefile, coreconf/mkdepend/cppsetup.c, coreconf/mkdepend/def.h, coreconf/mkdepend/ifparser.c, coreconf/mkdepend/ifparser.h, coreconf/mkdepend/imakemdep.h, coreconf/mkdepend/include.c, coreconf/mkdepend/main.c, coreconf/mkdepend/mkdepend.man, coreconf/mkdepend/parse.c, coreconf/mkdepend/pr.c, coreconf/rules.mk: Bug 1438431 Remove mkdepend tool and targets r=rrelyea [6c5f91e098a1] * coreconf/README, coreconf/rules.mk: Bug 1629553 Drop duplicate header DIR variables r=rrelyea [d1f954627260] * coreconf/OpenUNIX.mk, coreconf/README, coreconf/SCO_SV3.2.mk, coreconf/config.mk, coreconf/cpdist.pl, coreconf/import.pl, coreconf/jdk.mk, coreconf/jniregen.pl, coreconf/module.mk, coreconf/outofdate.pl, coreconf/release.pl, coreconf/rules.mk, coreconf/ruleset.mk, coreconf/source.mk, coreconf/version.mk: Bug 1629553 Drop coreconf java support r=rrelyea There aren't an Java sources in NSS, so just drop all the stuff referencing java, jars, jni, etc. I didn't try to remove it from tests. [7d285fe69c8c] * cmd/crmf-cgi/Makefile, cmd/crmf-cgi/config.mk, cmd/crmftest/Makefile, cmd/crmftest/config.mk, cmd/lib/Makefile, cmd/lib/config.mk, cmd/lib/manifest.mn, cmd/libpkix/config.mk, cmd/libpkix/perf/Makefile, cmd/libpkix/perf/manifest.mn, cmd/libpkix/pkix/Makefile, cmd/libpkix/pkix/certsel/Makefile, cmd/libpkix/pkix/certsel/manifest.mn, cmd/libpkix/pkix/checker/Makefile, cmd/libpkix/pkix/checker/manifest.mn, cmd/libpkix/pkix/crlsel/Makefile, cmd/libpkix/pkix/crlsel/manifest.mn, cmd/libpkix/pkix/params/Makefile, cmd/libpkix/pkix/params/manifest.mn, cmd/libpkix/pkix/results/Makefile, cmd/libpkix/pkix/results/manifest.mn, cmd/libpkix/pkix/store/Makefile, cmd/libpkix/pkix/store/manifest.mn, cmd/libpkix/pkix/top/Makefile, cmd/libpkix/pkix/top/manifest.mn, cmd/libpkix/pkix/util/Makefile, cmd/libpkix/pkix/util/manifest.mn, cmd/libpkix/pkix_pl/Makefile, cmd/libpkix/pkix_pl/module/Makefile, cmd/libpkix/pkix_pl/module/manifest.mn, cmd/libpkix/pkix_pl/pki/Makefile, cmd/libpkix/pkix_pl/pki/manifest.mn, cmd/libpkix/pkix_pl/system/Makefile, cmd/libpkix/pkix_pl/system/manifest.mn, cmd/libpkix/testutil/manifest.mn, cpputil/Makefile, cpputil/config.mk, cpputil/manifest.mn, lib/base/Makefile, lib/base/config.mk, lib/base/manifest.mn, lib/certdb/Makefile, lib/certdb/config.mk, lib/certdb/manifest.mn, lib/certhigh/Makefile, lib/certhigh/config.mk, lib/certhigh/manifest.mn, lib/ckfw/Makefile, lib/ckfw/builtins/Makefile, lib/ckfw/builtins/config.mk, lib/ckfw/builtins/manifest.mn, lib/ckfw/builtins/testlib/Makefile, lib/ckfw/builtins/testlib/config.mk, lib/ckfw/builtins/testlib/manifest.mn, lib/ckfw/capi/Makefile, lib/ckfw/capi/config.mk, lib/ckfw/capi/manifest.mn, lib/ckfw/config.mk, lib/ckfw/dbm/Makefile, lib/ckfw/dbm/config.mk, lib/ckfw/dbm/manifest.mn, lib/ckfw/manifest.mn, lib/crmf/Makefile, lib/crmf/config.mk, lib/crmf/manifest.mn, lib/cryptohi/Makefile, lib/cryptohi/config.mk, lib/cryptohi/manifest.mn, lib/dbm/src/config.mk, lib/dbm/src/manifest.mn, lib/dev/Makefile, lib/dev/config.mk, lib/dev/manifest.mn, lib/jar/Makefile, lib/jar/config.mk, lib/jar/manifest.mn, lib/libpkix/Makefile, lib/libpkix/config.mk, lib/libpkix/include/Makefile, lib/libpkix/include/config.mk, lib/libpkix/pkix/Makefile, lib/libpkix/pkix/certsel/Makefile, lib/libpkix/pkix/certsel/config.mk, lib/libpkix/pkix/certsel/manifest.mn, lib/libpkix/pkix/checker/Makefile, lib/libpkix/pkix/checker/config.mk, lib/libpkix/pkix/checker/manifest.mn, lib/libpkix/pkix/config.mk, lib/libpkix/pkix/crlsel/Makefile, lib/libpkix/pkix/crlsel/config.mk, lib/libpkix/pkix/crlsel/manifest.mn, lib/libpkix/pkix/params/Makefile, lib/libpkix/pkix/params/config.mk, lib/libpkix/pkix/params/manifest.mn, lib/libpkix/pkix/results/Makefile, lib/libpkix/pkix/results/config.mk, lib/libpkix/pkix/results/manifest.mn, lib/libpkix/pkix/store/Makefile, lib/libpkix/pkix/store/config.mk, lib/libpkix/pkix/store/manifest.mn, lib/libpkix/pkix/top/Makefile, lib/libpkix/pkix/top/config.mk, lib/libpkix/pkix/top/manifest.mn, lib/libpkix/pkix/util/Makefile, lib/libpkix/pkix/util/config.mk, lib/libpkix/pkix/util/manifest.mn, lib/libpkix/pkix_pl_nss/Makefile, lib/libpkix/pkix_pl_nss/config.mk, lib/libpkix/pkix_pl_nss/module/Makefile, lib/libpkix/pkix_pl_nss/module/config.mk, lib/libpkix/pkix_pl_nss/module/manifest.mn, lib/libpkix/pkix_pl_nss/pki/Makefile, lib/libpkix/pkix_pl_nss/pki/config.mk, lib/libpkix/pkix_pl_nss/pki/manifest.mn, lib/libpkix/pkix_pl_nss/system/Makefile, lib/libpkix/pkix_pl_nss/system/config.mk, lib/libpkix/pkix_pl_nss/system/manifest.mn, lib/pk11wrap/Makefile, lib/pk11wrap/config.mk, lib/pk11wrap/manifest.mn, lib/pkcs12/Makefile, lib/pkcs12/config.mk, lib/pkcs12/manifest.mn, lib/pkcs7/Makefile, lib/pkcs7/config.mk, lib/pkcs7/manifest.mn, lib/pki/Makefile, lib/pki/config.mk, lib/pki/manifest.mn, lib/sqlite/Makefile, lib/sysinit/Makefile, lib/util/Makefile, lib/zlib/Makefile, lib/zlib/config.mk, lib/zlib/manifest.mn: Bug 1629553 Merge simple config.mk files r=rrelyea There is really no good reason to explicitly change the TARGET variable. And the empty SHARED_LIBRARY variable should also be in the manifest.mn to begin with. All the other empty variables start empty or undefined, so there is also no need to explicitly set them empty. [dc1ef0faf4a6] * cmd/libpkix/testutil/config.mk, coreconf/OS2.mk, coreconf/WIN32.mk, coreconf/ruleset.mk, coreconf/suffix.mk, gtests/common/Makefile, gtests/common/manifest.mn, gtests/google_test/Makefile, gtests/google_test/manifest.mn, gtests/pkcs11testmodule/Makefile, gtests/pkcs11testmodule/config.mk, gtests/pkcs11testmodule/manifest.mn, lib/ckfw/builtins/config.mk, lib/ckfw/builtins/manifest.mn, lib/ckfw/builtins/testlib/config.mk, lib/ckfw/capi/config.mk, lib/ckfw/capi/manifest.mn, lib/freebl/config.mk, lib/nss/config.mk, lib/nss/manifest.mn, lib/smime/config.mk, lib/smime/manifest.mn, lib/softoken/config.mk, lib/softoken/legacydb/config.mk, lib/softoken/legacydb/manifest.mn, lib/softoken/manifest.mn, lib/sqlite/config.mk, lib/sqlite/manifest.mn, lib/ssl/config.mk, lib/ssl/manifest.mn, lib/sysinit/config.mk, lib/sysinit/manifest.mn, lib/util/config.mk, lib/util/manifest.mn: Bug 1629553 Rework the LIBRARY_NAME ruleset r=rrelyea * Drop the WIN% "32" default DLL suffix * Add default resource file handling => drop default RES * Generate IMPORT_LIBRARY based on IMPORT_LIB_SUFFIX and SHARED_LIBRARY, so we can drop all the explicit empty IMPORT_LIBRARY lines Originally this patch also tried to add a default MAPFILE rule, but this fails, because the ARCH makefiles set linker flags based on an existing MAPFILE variable. [877d721d93cd] * coreconf/rules.mk: Bug 1629553 Use an eval template for C++ compile rules r=rrelyea These pattern rules already had a comment to keep both in sync, so just use an eval template to enforce this. [9b628d9c57e5] * lib/freebl/Makefile: Bug 1629553 Use an eval template for freebl libs r=rrelyea [71dd05b782e4] * coreconf/rules.mk: Bug 1629553 Use an eval template for export targets r=rrelyea [45db681898be] * lib/pk11wrap/manifest.mn, lib/pk11wrap/pk11load.c, lib/pk11wrap/pk11wrap.gyp: Bug 1629553 Prefix pk11wrap (SHLIB|LIBRARY)_VERSION with NSS_ r=rrelyea In the manifest.mn the LIBRARY_VERSION is normally used to define the major version of the build shared library. This ust works for the pk11wrap case, because pk11wrap is a static library. But it's still very confusing when reading the manifest.mn. Also the referenced define in the code is just named SHLIB_VERSION. So this prefixes the defines and the variables with NSS_, because it tries to load the NSS library, just as the SOFTOKEN_.*_VERSION is used to load the versioned softokn library. [cbb737bc6c0c] * Makefile, cmd/Makefile, cmd/shlibsign/Makefile, cmd/smimetools/rules.mk, coreconf/rules.mk, gtests/manifest.mn, lib/freebl/Makefile, lib/manifest.mn, manifest.mn: Bug 290526 Drop double-colon usage and add directory depends r=rrelyea Double-colon rule behaviour isn't really compatible with parallel build. This gets rid of all of them, so we can codify the directory dependencies. This leaves just three problems, which aren't really fixable with the current build system without completely replacing it: * everything depends on nsinstall * everything depends on installed headers * ckfw child directories depend on the build parent libs This is handled by the prepare_build target. Overall this allows most if the build to run in parallel. P.S. the release_md:: has to stay :-( P.P.S. no clue, why freebl must use libs: instead of using the TARGETS and .PHONY variables [f3a0ef69c056] * coreconf/WIN32.mk, gtests/certdb_gtest/manifest.mn, gtests/common/Makefile, gtests/google_test/Makefile, gtests/google_test/manifest.mn, gtests/pkcs11testmodule/Makefile: Bug 290526 Fix gtests build for WIN% targets r=rrelyea The google_test gtest build doesn't provide any exports for the shared library on Windows and the gyp build also builds just a static library. So build gtest and gtestutil libraries as static. For whatever reason, the Windows linker doesn't find the main function inside the gtestutil library, if we don't tell it to build a console executable. But linking works fine, if the object file is used directly. But since we can have different main() objects based on build flags, we enforce building console applications binaries. [a82a55886c1d] * cmd/bltest/manifest.mn, cmd/chktest/manifest.mn, cmd/crmf- cgi/manifest.mn, cmd/crmftest/manifest.mn, cmd/fipstest/manifest.mn, cmd/lib/Makefile, cmd/libpkix/testutil/Makefile, cmd/lowhashtest/manifest.mn, cmd/modutil/manifest.mn, cmd/pk11gcmtest/manifest.mn, cmd/pk11mode/manifest.mn, cmd/rsapoptst/manifest.mn, cmd/signtool/manifest.mn, cmd/ssltap/manifest.mn, coreconf/README, coreconf/rules.mk, cpputil/manifest.mn, gtests/google_test/manifest.mn, gtests/pkcs11testmodule/Makefile, lib/base/Makefile, lib/certdb/Makefile, lib/certhigh/Makefile, lib/ckfw/Makefile, lib/crmf/Makefile, lib/cryptohi/Makefile, lib/dbm/include/Makefile, lib/dev/Makefile, lib/dev/manifest.mn, lib/freebl/Makefile, lib/libpkix/Makefile, lib/libpkix/include/Makefile, lib/libpkix/include/manifest.mn, lib/libpkix/pkix/Makefile, lib/libpkix/pkix/certsel/Makefile, lib/libpkix/pkix/certsel/manifest.mn, lib/libpkix/pkix/checker/Makefile, lib/libpkix/pkix/checker/manifest.mn, lib/libpkix/pkix/crlsel/Makefile, lib/libpkix/pkix/crlsel/manifest.mn, lib/libpkix/pkix/params/Makefile, lib/libpkix/pkix/params/manifest.mn, lib/libpkix/pkix/results/Makefile, lib/libpkix/pkix/results/manifest.mn, lib/libpkix/pkix/store/Makefile, lib/libpkix/pkix/store/manifest.mn, lib/libpkix/pkix/top/Makefile, lib/libpkix/pkix/top/manifest.mn, lib/libpkix/pkix/util/Makefile, lib/libpkix/pkix/util/manifest.mn, lib/libpkix/pkix_pl_nss/Makefile, lib/libpkix/pkix_pl_nss/module/Makefile, lib/libpkix/pkix_pl_nss/module/manifest.mn, lib/libpkix/pkix_pl_nss/pki/Makefile, lib/libpkix/pkix_pl_nss/pki/manifest.mn, lib/libpkix/pkix_pl_nss/system/Makefile, lib/libpkix/pkix_pl_nss/system/manifest.mn, lib/nss/Makefile, lib/pk11wrap/Makefile, lib/pki/Makefile, lib/pki/manifest.mn, lib/softoken/Makefile, lib/softoken/legacydb/Makefile, lib/sqlite/Makefile, lib/sqlite/manifest.mn, lib/ssl/Makefile, lib/util/Makefile, lib/zlib/Makefile: Bug 290526 Drop recursive private_exports r=rrelyea Copying private headers is now simply included in the exports target, as these headers use an extra directory anyway. [989ecbd870f3] * Makefile, cmd/shlibsign/Makefile, coreconf/Makefile, coreconf/README, coreconf/nsinstall/Makefile, coreconf/rules.mk, coreconf/ruleset.mk, lib/Makefile, lib/ckfw/Makefile: Bug 290526 Parallelize part of the NSS build r=rrelyea This still serializes many targets, but at least these targets themself run their build in parallel. The main serialization happens in nss/Makefile and nss/coreconf/rules.mk's all target. We can't add these as real dependencies, as all Makefile snippets use the same variable names. I tried to always run sub-makes to hack in the depndencies, but these don't know of each other, so targets very often run twice, and this breaks the build. Having a tests:: target and a tests directory leads to misery (and doesn't work), so it's renamed to check. This just works with NSS_DISABLE_GTESTS=1 specified and is fixed by a follow up patch, which removes the double-colon usage and adds the directory dependencies! [5d0bfa092e0f] * coreconf/UNIX.mk, coreconf/WIN32.mk, coreconf/mkdepend/Makefile, coreconf/nsinstall/Makefile, coreconf/ruleset.mk: Bug 290526 Don't delete directories r=rrelyea If these files exist and aren't directories, there might be other problems. Trying to "fix" them by removing will break the build. [fb377d36262d] * coreconf/rules.mk: Bug 290526 Handle empty install variables r=rrelyea Originally I added the install commands to the individual build targets. But this breaks the incremental build, because there is actually no dependency for the install. But it turns out, that in the end it's enough to ignore empty defined variables, so just do this. [585942b1d556] * coreconf/rules.mk: Bug 290526 Handle parallel PROGRAM and PROGRAMS r=rrelyea I have no real clue, why PROGRAMS is actually working in the sequence build. There is no special make code really handling it, except for the install target. This patches code is inspired by the $(eval ...) example in the GNU make documentation. It generates a program specific make target and maps the programs objects based on the defined variables. [d30a6953b897] Differential Revision: https://phabricator.services.mozilla.com/D75385 |
||
---|---|---|
.. | ||
automation | ||
cmd | ||
coreconf | ||
cpputil | ||
doc | ||
fuzz | ||
gtests | ||
lib | ||
nss/automation/abi-check | ||
nss-tool | ||
pkg | ||
tests | ||
.arcconfig | ||
.clang-format | ||
.gitignore | ||
.sancov-blacklist | ||
.taskcluster.yml | ||
build.sh | ||
COPYING | ||
exports.gyp | ||
help.txt | ||
mach | ||
Makefile | ||
manifest.mn | ||
nss.gyp | ||
readme.md | ||
TAG-INFO | ||
TAG-INFO.rej | ||
trademarks.txt |
Network Security Services
Network Security Services (NSS) is a set of libraries designed to support cross-platform development of security-enabled client and server applications. NSS supports TLS 1.2, TLS 1.3, PKCS #5, PKCS#7, PKCS #11, PKCS #12, S/MIME, X.509 v3 certificates, and other security standards.
Getting started
In order to get started create a new directory on that you will be uses as your local work area, and check out NSS and NSPR. (Note that there's no git mirror of NSPR and you require mercurial to get the latest NSPR source.)
git clone https://github.com/nss-dev/nss.git
hg clone https://hg.mozilla.org/projects/nspr
NSS can also be cloned with mercurial
hg clone https://hg.mozilla.org/projects/nss
Building NSS
This build system is under development. It does not yet support all the features or platforms that NSS supports. To build on anything other than Mac or Linux please use the legacy build system as described below.
Build requirements:
After changing into the NSS directory a typical build is done as follows
./build.sh
Once the build is done the build output is found in the directory
../dist/Debug
for debug builds and ../dist/Release
for opt builds.
Exported header files can be found in the include
directory, library files in
directory lib
, and tools in directory bin
. In order to run the tools, set
your system environment to use the libraries of your build from the "lib"
directory, e.g., using the LD_LIBRARY_PATH
or DYLD_LIBRARY_PATH
.
See help.txt for more information on using build.sh.
Building NSS (legacy build system)
After changing into the NSS directory a typical build of 32-bit NSS is done as follows:
make nss_build_all
The following environment variables might be useful:
-
BUILD_OPT=1
to get an optimised build -
USE_64=1
to get a 64-bit build (recommended)
The complete list of environment variables can be found here.
To clean the build directory run:
make nss_clean_all
Tests
Setup
Make sure that the address $HOST.$DOMSUF
on your computer is available. This
is necessary because NSS tests generate certificates and establish TLS
connections, which requires a fully qualified domain name.
You can test this by
calling ping $HOST.$DOMSUF
. If this is working, you're all set. If it's not,
set or export:
HOST=nss
DOMSUF=local
Note that you might have to add nss.local
to /etc/hosts
if it's not
there. The entry should look something like 127.0.0.1 nss.local nss
.
Running tests
Runnning all tests will take a while!
cd tests
./all.sh
Make sure that all environment variables set for the build are set while running
the tests as well. Test results are published in the folder
../../test_results/
.
Individual tests can be run with the NSS_TESTS
environment variable,
e.g. NSS_TESTS=ssl_gtests ./all.sh
or by changing into the according directory
and running the bash script there cd ssl_gtests && ./ssl_gtests.sh
. The
following tests are available:
cipher lowhash libpkix cert dbtests tools fips sdr crmf smime ssl ocsp merge pkits chains ec gtests ssl_gtests bogo policy
To make tests run faster it's recommended to set NSS_CYCLES=standard
to run
only the standard cycle.
Releases
NSS releases can be found at Mozilla's download server. Because NSS depends on the base library NSPR you should download the archive that combines both NSS and NSPR.
Contributing
Bugzilla is used to track NSS development and bugs. File new bugs in the NSS product.
A list with good first bugs to start with are listed here.
NSS Folder Structure
The nss directory contains the following important subdirectories:
-
coreconf
contains the build logic. -
lib
contains all library code that is used to create the runtime libraries. -
cmd
contains a set of various tool programs that are built with NSS. Several tools are general purpose and can be used to inspect and manipulate the storage files that software using the NSS library creates and modifies. Other tools are only used for testing purposes. -
test
andgtests
contain the NSS test suite. Whiletest
contains shell scripts to drive test programs incmd
,gtests
holds a set of gtests.
A more comprehensible overview of the NSS folder structure and API guidelines can be found here.
Build mechanisms related to FIPS compliance
NSS supports build configurations for FIPS-140 compliance, and alternative build configurations that disable functionality specific to FIPS-140 compliance.
This section documents the environment variables and build parameters that control these configurations.
Build FIPS startup tests
The C macro NSS_NO_INIT_SUPPORT controls the FIPS startup self tests. If NSS_NO_INIT_SUPPORT is defined, the startup tests are disabled.
The legacy build system (make) by default disables these tests. To enable these tests, set environment variable NSS_FORCE_FIPS=1 at build time.
The gyp build system by default disables these tests. To enable these tests, pass parameter --enable-fips to build.sh.
Building either FIPS compliant or alternative compliant code
The C macro NSS_FIPS_DISABLED can be used to disable some FIPS compliant code and enable alternative implementations.
The legacy build system (make) never defines NSS_FIPS_DISABLED and always uses the FIPS compliant code.
The gyp build system by default defines NSS_FIPS_DISABLED. To use the FIPS compliant code, pass parameter --enable-fips to build.sh.
Test execution
The NSS test suite may contain tests that are included, excluded, or are different based on the FIPS build configuration. To execute the correct tests, it's necessary to determine which build configuration was used.
The legacy build system (make) uses environment variables to control all aspects of the build configuration, including FIPS build configuration.
Because the gyp build system doesn't use environment variables to control the build configuration, the NSS tests cannot rely on environment variables to determine the build configuration.
A helper binary named nss-build-flags is produced as part of the NSS build, which prints the C macro symbols that were defined at build time, and which are relevant to test execution.