38a4d77665
This adds a patch from Debian, as they're already have security modules from NSS in it's own library directory rather than /usr/lib{,64}/ and patch in loading of libsoftokn as well. The patch and our own fix of the patch (well, they hardcode Debian specific stuff in there) ensures that SECMOD_AddNewModule() will find the right module from the derivation's output path, so the built-in CA root certificates are recognized and verified correctly.
105 lines
3.3 KiB
Nix
105 lines
3.3 KiB
Nix
{ stdenv, fetchurl, fetchgit, nspr, perl, zlib, sqlite
|
|
, includeTools ? false
|
|
}:
|
|
|
|
let
|
|
|
|
nssConfig = fetchurl {
|
|
url = "http://sources.gentoo.org/viewcvs.py/*checkout*/gentoo-x86/dev-libs/nss/files/3.12-nss-config.in?rev=1.2";
|
|
sha256 = "1ck9q68fxkjq16nflixbqi4xc6bmylmj994h3f1j42g8mp0xf0vd";
|
|
};
|
|
|
|
nssPEM = fetchgit {
|
|
url = "git://git.fedorahosted.org/git/nss-pem.git";
|
|
rev = "07a683505d4a0a1113c4085c1ce117425d0afd80";
|
|
sha256 = "e4a9396d90e50e8b3cceff45f312eda9aaf356423f4eddd354a0e1afbbfd4cf8";
|
|
};
|
|
|
|
secLoadPatch = fetchurl {
|
|
url = "http://patch-tracker.debian.org/patch/series/dl/nss/2:3.13.5-1/85_security_load.patch";
|
|
sha256 = "8a8d0ae4ebbd7c389973fa5d26d8bc5f473046c6cb1d8283cb9a3c1f4c565c47";
|
|
};
|
|
|
|
in stdenv.mkDerivation rec {
|
|
name = "nss-${version}";
|
|
version = "3.13.6";
|
|
|
|
src = let
|
|
uscoreVersion = stdenv.lib.replaceChars ["."] ["_"] version;
|
|
releasePath = "releases/NSS_${uscoreVersion}_RTM/src/nss-${version}.tar.gz";
|
|
in fetchurl {
|
|
url = "http://ftp.mozilla.org/pub/mozilla.org/security/nss/${releasePath}";
|
|
sha256 = "f7e90727e0ecc1c29de10da39a79bc9c53b814ccfbf40720e053b29c683d43a0";
|
|
};
|
|
|
|
buildInputs = [ nspr perl zlib sqlite ];
|
|
|
|
postUnpack = ''
|
|
cp -rdv "${nssPEM}/mozilla/security/nss/lib/ckfw/pem" \
|
|
"$sourceRoot/mozilla/security/nss/lib/ckfw/"
|
|
chmod -R u+w "$sourceRoot/mozilla/security/nss/lib/ckfw/pem"
|
|
'';
|
|
|
|
patches = [
|
|
./nss-3.12.5-gentoo-fixups.diff
|
|
secLoadPatch
|
|
./nix_secload_fixup.patch
|
|
];
|
|
|
|
postPatch = ''
|
|
sed -i -e 's/^DIRS.*$/& pem/' mozilla/security/nss/lib/ckfw/manifest.mn
|
|
sed -i -e "/^PREFIX =/s:= /usr:= $out:" mozilla/security/nss/config/Makefile
|
|
'';
|
|
|
|
preConfigure = "cd mozilla/security/nss";
|
|
|
|
makeFlags = [
|
|
"NSPR_INCLUDE_DIR=${nspr}/include/nspr"
|
|
"NSPR_LIB_DIR=${nspr}/lib"
|
|
"NSDISTMODE=copy"
|
|
"BUILD_OPT=1"
|
|
"SOURCE_PREFIX=\$(out)"
|
|
"NSS_ENABLE_ECC=1"
|
|
"NSS_USE_SYSTEM_SQLITE=1"
|
|
] ++ stdenv.lib.optional stdenv.is64bit "USE_64=1";
|
|
|
|
buildFlags = [ "build_coreconf" "build_dbm" "all" ];
|
|
|
|
postInstall =
|
|
''
|
|
#find $out -name "*.a" | xargs rm
|
|
rm -rf $out/private
|
|
mv $out/public $out/include
|
|
mv $out/*.OBJ/* $out/
|
|
rmdir $out/*.OBJ
|
|
${if includeTools then "" else "rm -rf $out/bin"}
|
|
|
|
# Borrowed from Gentoo. Firefox expects an nss-config script,
|
|
# but NSS doesn't provide it.
|
|
|
|
NSS_VMAJOR=`cat lib/nss/nss.h | grep "#define.*NSS_VMAJOR" | awk '{print $3}'`
|
|
NSS_VMINOR=`cat lib/nss/nss.h | grep "#define.*NSS_VMINOR" | awk '{print $3}'`
|
|
NSS_VPATCH=`cat lib/nss/nss.h | grep "#define.*NSS_VPATCH" | awk '{print $3}'`
|
|
|
|
${if includeTools then "" else "mkdir $out/bin"}
|
|
cp ${nssConfig} $out/bin/nss-config
|
|
chmod u+x $out/bin/nss-config
|
|
substituteInPlace $out/bin/nss-config \
|
|
--subst-var-by MOD_MAJOR_VERSION $NSS_VMAJOR \
|
|
--subst-var-by MOD_MINOR_VERSION $NSS_VMINOR \
|
|
--subst-var-by MOD_PATCH_VERSION $NSS_VPATCH \
|
|
--subst-var-by prefix $out \
|
|
--subst-var-by exec_prefix $out \
|
|
--subst-var-by includedir $out/include/nss \
|
|
--subst-var-by libdir $out/lib
|
|
''; # */
|
|
|
|
postFixup = ''
|
|
for libname in freebl3 nssdbm3 softokn3
|
|
do
|
|
libfile="$out/lib/lib$libname.so"
|
|
LD_LIBRARY_PATH=$out/lib $out/bin/shlibsign -v -i "$libfile"
|
|
done
|
|
'';
|
|
}
|