public inbox for gentoo-commits@lists.gentoo.org
 help / color / mirror / Atom feed
* [gentoo-commits] repo/gentoo:master commit in: dev-libs/nss/, dev-libs/nss/files/
@ 2018-03-05 20:47 Ian Stakenvicius
  0 siblings, 0 replies; 19+ messages in thread
From: Ian Stakenvicius @ 2018-03-05 20:47 UTC (permalink / raw
  To: gentoo-commits

commit:     6a151dad6741ecc70051f8269f78ebfe7dcbe0d3
Author:     Ian Stakenvicius <axs <AT> gentoo <DOT> org>
AuthorDate: Mon Mar  5 20:22:35 2018 +0000
Commit:     Ian Stakenvicius <axs <AT> gentoo <DOT> org>
CommitDate: Mon Mar  5 20:47:16 2018 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6a151dad

dev-libs/nss: fix compilation on amd64 of v3.35

Upstream fixed in 3.36 and backported to 3.35 (unreleased) via
https://bugzilla.mozilla.org/show_bug.cgi?id=1432455

Bug: http://bugs.gentoo.org/646382
Package-Manager: Portage-2.3.19, Repoman-2.3.6

 .../files/nss-3.35-Hacl_Poly1305_64-aarch64.patch  | 36 ++++++++++++++++++++++
 dev-libs/nss/nss-3.35.ebuild                       |  3 ++
 2 files changed, 39 insertions(+)

diff --git a/dev-libs/nss/files/nss-3.35-Hacl_Poly1305_64-aarch64.patch b/dev-libs/nss/files/nss-3.35-Hacl_Poly1305_64-aarch64.patch
new file mode 100644
index 00000000000..c05d103e25b
--- /dev/null
+++ b/dev-libs/nss/files/nss-3.35-Hacl_Poly1305_64-aarch64.patch
@@ -0,0 +1,36 @@
+
+# HG changeset patch
+# User Daiki Ueno <dueno@redhat.com>
+# Date 1516710574 -3600
+# Node ID 74e679158d1bfe05c173e995ae7dc5a05ae02fe0
+# Parent  b3feffd76f4714139f72369f82b28619a704dbd6
+Bug 1432455, Build Hacl_Poly1305_64.o on AArch64 even with make, r=fkiefer
+
+diff --git a/lib/freebl/Makefile b/lib/freebl/Makefile
+--- a/lib/freebl/Makefile
++++ b/lib/freebl/Makefile
+@@ -522,17 +522,22 @@ ifndef NSS_DISABLE_CHACHAPOLY
+ 
+         ifneq (1,$(CC_IS_GCC))
+             EXTRA_SRCS += chacha20.c
+             VERIFIED_SRCS += Hacl_Chacha20.c
+         else
+             EXTRA_SRCS += chacha20_vec.c
+         endif
+     else
+-        EXTRA_SRCS += poly1305.c
++        ifeq ($(CPU_ARCH),aarch64)
++            EXTRA_SRCS += Hacl_Poly1305_64.c
++        else
++            EXTRA_SRCS += poly1305.c
++        endif
++
+         EXTRA_SRCS += chacha20.c
+         VERIFIED_SRCS += Hacl_Chacha20.c
+     endif # x86_64
+ endif # NSS_DISABLE_CHACHAPOLY
+ 
+ ifeq (,$(filter-out i386 x386 x86 x86_64 aarch64,$(CPU_ARCH)))
+     # All intel architectures get the 64 bit version
+     # With custom uint128 if necessary (faster than generic 32 bit version).
+

diff --git a/dev-libs/nss/nss-3.35.ebuild b/dev-libs/nss/nss-3.35.ebuild
index d21c8184ed4..dac240facdf 100644
--- a/dev-libs/nss/nss-3.35.ebuild
+++ b/dev-libs/nss/nss-3.35.ebuild
@@ -63,6 +63,9 @@ src_prepare() {
 			"${DISTDIR}/${PN}-cacert-class1-class3.patch"
 		)
 	fi
+	# bug 646382
+	# https://bugzilla.mozilla.org/show_bug.cgi?id=1432455
+	PATCHES+=( "${FILESDIR}"/${P}-Hacl_Poly1305_64-aarch64.patch )
 
 	default
 


^ permalink raw reply related	[flat|nested] 19+ messages in thread
* [gentoo-commits] repo/gentoo:master commit in: dev-libs/nss/, dev-libs/nss/files/
@ 2024-08-02 13:21 Joonas Niilola
  0 siblings, 0 replies; 19+ messages in thread
From: Joonas Niilola @ 2024-08-02 13:21 UTC (permalink / raw
  To: gentoo-commits

commit:     6ddeb6dd95cf0c75ec02179600ef72f5ed22230f
Author:     Joonas Niilola <juippis <AT> gentoo <DOT> org>
AuthorDate: Fri Aug  2 13:18:49 2024 +0000
Commit:     Joonas Niilola <juippis <AT> gentoo <DOT> org>
CommitDate: Fri Aug  2 13:18:49 2024 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6ddeb6dd

dev-libs/nss: add 3.103

 - rebase nss-3.53-gentoo-fixups.patch to apply on 3.103,
 - update comment about 'standard' and 'full' test cycle differences.

Signed-off-by: Joonas Niilola <juippis <AT> gentoo.org>

 dev-libs/nss/Manifest                              |   1 +
 ...ss-3.103-gentoo-fixes-add-pkgconfig-files.patch | 268 +++++++++++++
 dev-libs/nss/nss-3.103.ebuild                      | 419 +++++++++++++++++++++
 3 files changed, 688 insertions(+)

diff --git a/dev-libs/nss/Manifest b/dev-libs/nss/Manifest
index 40e2084d85bf..12673537ba54 100644
--- a/dev-libs/nss/Manifest
+++ b/dev-libs/nss/Manifest
@@ -3,5 +3,6 @@ DIST nss-3.101.1.tar.gz 76462490 BLAKE2B 578a5ce6c9157c25db801a3fe37e094d8005130
 DIST nss-3.101.2.tar.gz 76462495 BLAKE2B 3a0dfd7aa68bc11f332decfc9cb7003b8d8fa6a9dad556ad736229d7d3847e68aeaf5b74e68989a0483bd1b9e2e3afd3bdf8df3d428ebc815eda9a255f5695aa SHA512 65ac338ee1b13ecc2b190f1ea39c987110a06f3b67610e094ffc1ef4117d487c34af1e11b90de0c28035bfc5cb10ca7996ed991d9afce7985973fabb48cd7ac8
 DIST nss-3.102.1.tar.gz 76460182 BLAKE2B 47e61d13bf4d6615ecc830d7c745a7a736fe5f1b4de7375f4cf9274db8f42b5ea7cd737e03f6a83e26579cfec1ff1b349e24e548a57fd2d0950b955bfd208851 SHA512 1df10aab1f37c1d00dc3b81aaa341f99c2bac22997aae412ee639e0959ffa37e35cbc21b0f90c2612401aadb119bab4202209186f54fb8d58cf7c3123456e90f
 DIST nss-3.102.tar.gz 76455599 BLAKE2B 78eb95279640dcc46c29decd35fc4c2a2a591c5a39b8dbfcb232d72a08d1ee44d836ce8ee06fff2fe677d3ea19a8b6219a1fe9296f9b56ebfbab7295583e71fe SHA512 2706f15447afd6c26f6784e56c01e8328456523b464a2df2b054f230b6e6b5db2fdeccac74f4f4f0d683d7d4471a8ec1321102082d8a22d91887153a60ffac5b
+DIST nss-3.103.tar.gz 76470174 BLAKE2B 0d57ad2479f26d0ff8f3021b435ee936e82408e5f3f213804397934f1d01c2178f641247cfc84de36616eb92d06fb002fb77a4285ff84a86a3217e960d175475 SHA512 bc7680fc34d84de7953b27f1a220681f3f5c5a501a82be210ec6134894313f6a2c9bfcc350f4802152a5e3a1fc2defc74d700445ade338d6c86a923ac8b4dc75
 DIST nss-3.90.2.tar.gz 72215444 BLAKE2B 74b8eebf5f053dcebd9c6e6ef17c6113ac42a01f910f4ba621dadb09739d5a6090d022800d2c3a4bc0c58413f03512ca611ead1098488d303f1ee1e4bca5c222 SHA512 048a0c0a06fef8cd9c363ac511b9d6125ec131a306c5e093525a937f9e8740f1a2163f274c9a3907ed38331b2fb99b22b528b5e89da1e186c9ba9473d959ef4a
 DIST nss-cacert-class1-class3-r2.patch 21925 BLAKE2B 7627ff9a09f084c19d72d0490676865e3cab3ca7c920ae1ce4bea2db664f37fd0aa84fcda919809a516891ab2a62e2e7a43a9d6ada4c231adfe4c216525fac7d SHA512 1ce6ff9ab310aaca9005eafb461338b291df8523cc7044e096cd75774ce746c26eed19ec6bb2643c6c67f94650f2f309463492d80a90568f38ce2557f8ada2f4

diff --git a/dev-libs/nss/files/nss-3.103-gentoo-fixes-add-pkgconfig-files.patch b/dev-libs/nss/files/nss-3.103-gentoo-fixes-add-pkgconfig-files.patch
new file mode 100644
index 000000000000..85676f8d9eaa
--- /dev/null
+++ b/dev-libs/nss/files/nss-3.103-gentoo-fixes-add-pkgconfig-files.patch
@@ -0,0 +1,268 @@
+diff -Naur a/Makefile b/Makefile
+--- a/Makefile	2024-08-01 16:24:30.000000000 +0300
++++ b/Makefile	2024-08-02 10:27:34.449032964 +0300
+@@ -4,6 +4,8 @@
+ # License, v. 2.0. If a copy of the MPL was not distributed with this
+ # file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ 
++default: nss_build_all
++
+ #######################################################################
+ # (1) Include initial platform-independent assignments (MANDATORY).   #
+ #######################################################################
+@@ -48,12 +50,9 @@
+ #######################################################################
+ 
+ nss_build_all:
+-	$(MAKE) build_nspr
+ 	$(MAKE) all
+-	$(MAKE) latest
+ 
+ nss_clean_all:
+-	$(MAKE) clobber_nspr
+ 	$(MAKE) clobber
+ 
+ NSPR_CONFIG_STATUS = $(CORE_DEPTH)/../nspr/$(OBJDIR_NAME)/config.status
+@@ -138,21 +137,6 @@
+ 	--prefix='$(NSS_GYP_PREFIX)'
+ endif
+ 
+-ifndef NSS_DISABLE_NSPR_TESTS
+-build_nspr: $(NSPR_CONFIG_STATUS)
+-	$(MAKE) -C $(CORE_DEPTH)/../nspr/$(OBJDIR_NAME)
+-	$(MAKE) -C $(CORE_DEPTH)/../nspr/$(OBJDIR_NAME)/pr/tests
+-else
+-build_nspr: $(NSPR_CONFIG_STATUS)
+-	$(MAKE) -C $(CORE_DEPTH)/../nspr/$(OBJDIR_NAME)
+-endif
+-
+-install_nspr: build_nspr
+-	$(MAKE) -C $(CORE_DEPTH)/../nspr/$(OBJDIR_NAME) install
+-
+-clobber_nspr: $(NSPR_CONFIG_STATUS)
+-	$(MAKE) -C $(CORE_DEPTH)/../nspr/$(OBJDIR_NAME) clobber
+-
+ build_docs:
+ 	$(MAKE) -C $(CORE_DEPTH)/doc
+ 
+diff -Naur a/config/Makefile b/config/Makefile
+--- /dev/null
++++ b/config/Makefile
+@@ -0,0 +1,40 @@
++CORE_DEPTH = ..
++DEPTH      = ..
++
++include $(CORE_DEPTH)/coreconf/config.mk
++
++NSS_MAJOR_VERSION = $(shell grep -F "NSS_VMAJOR" ../lib/nss/nss.h | awk '{print $$3}')
++NSS_MINOR_VERSION = $(shell grep -F "NSS_VMINOR" ../lib/nss/nss.h | awk '{print $$3}')
++NSS_PATCH_VERSION = $(shell grep -F "NSS_VPATCH" ../lib/nss/nss.h | awk '{print $$3}')
++PREFIX = /usr
++
++all: export libs
++
++export:
++	# Create the nss.pc file
++	mkdir -p $(DIST)/lib/pkgconfig
++	sed -e "s,@prefix@,$(PREFIX)," \
++	    -e "s,@exec_prefix@,\$${prefix}," \
++	    -e "s,@libdir@,\$${prefix}/lib64," \
++	    -e "s,@includedir@,\$${prefix}/include/nss," \
++	    -e "s,@NSS_MAJOR_VERSION@,$(NSS_MAJOR_VERSION),g" \
++	    -e "s,@NSS_MINOR_VERSION@,$(NSS_MINOR_VERSION)," \
++	    -e "s,@NSS_PATCH_VERSION@,$(NSS_PATCH_VERSION)," \
++	    nss.pc.in > nss.pc
++	chmod 0644 nss.pc
++	ln -sf ../../../../config/nss.pc $(DIST)/lib/pkgconfig
++
++	# Create the nss-config script
++	mkdir -p $(DIST)/bin
++	sed -e "s,@prefix@,$(PREFIX)," \
++	    -e "s,@NSS_MAJOR_VERSION@,$(NSS_MAJOR_VERSION)," \
++	    -e "s,@NSS_MINOR_VERSION@,$(NSS_MINOR_VERSION)," \
++	    -e "s,@NSS_PATCH_VERSION@,$(NSS_PATCH_VERSION)," \
++	    nss-config.in > nss-config
++	chmod 0755 nss-config
++	ln -sf ../../../config/nss-config $(DIST)/bin
++
++libs:
++
++dummy: all export libs
++
+diff -Naur a/config/nss-config.in b/config/nss-config.in
+--- /dev/null
++++ b/config/nss-config.in
+@@ -0,0 +1,145 @@
++#!/bin/sh
++
++prefix=@prefix@
++
++major_version=@NSS_MAJOR_VERSION@
++minor_version=@NSS_MINOR_VERSION@
++patch_version=@NSS_PATCH_VERSION@
++
++usage()
++{
++	cat <<EOF
++Usage: nss-config [OPTIONS] [LIBRARIES]
++Options:
++	[--prefix[=DIR]]
++	[--exec-prefix[=DIR]]
++	[--includedir[=DIR]]
++	[--libdir[=DIR]]
++	[--version]
++	[--libs]
++	[--cflags]
++Dynamic Libraries:
++	nss
++	ssl
++	smime
++	nssutil
++EOF
++	exit $1
++}
++
++if test $# -eq 0; then
++	usage 1 1>&2
++fi
++
++lib_ssl=yes
++lib_smime=yes
++lib_nss=yes
++lib_nssutil=yes
++
++while test $# -gt 0; do
++  case "$1" in
++  -*=*) optarg=$(echo "$1" | sed 's/[-_a-zA-Z0-9]*=//') ;;
++  *) optarg= ;;
++  esac
++
++  case $1 in
++    --prefix=*)
++      prefix=${optarg}
++      ;;
++    --prefix)
++      echo_prefix=yes
++      ;;
++    --exec-prefix=*)
++      exec_prefix=${optarg}
++      ;;
++    --exec-prefix)
++      echo_exec_prefix=yes
++      ;;
++    --includedir=*)
++      includedir=${optarg}
++      ;;
++    --includedir)
++      echo_includedir=yes
++      ;;
++    --libdir=*)
++      libdir=${optarg}
++      ;;
++    --libdir)
++      echo_libdir=yes
++      ;;
++    --version)
++      echo ${major_version}.${minor_version}.${patch_version}
++      ;;
++    --cflags)
++      echo_cflags=yes
++      ;;
++    --libs)
++      echo_libs=yes
++      ;;
++    ssl)
++      lib_ssl=yes
++      ;;
++    smime)
++      lib_smime=yes
++      ;;
++    nss)
++      lib_nss=yes
++      ;;
++    nssutil)
++      lib_nssutil=yes
++      ;;
++    *)
++      usage 1 1>&2
++      ;;
++  esac
++  shift
++done
++
++# Set variables that may be dependent upon other variables
++if test -z "${exec_prefix}"; then
++    exec_prefix=$(pkg-config --variable=exec_prefix nss)
++fi
++if test -z "${includedir}"; then
++    includedir=$(pkg-config --variable=includedir nss)
++fi
++if test -z "${libdir}"; then
++    libdir=$(pkg-config --variable=libdir nss)
++fi
++
++if test "${echo_prefix}" = "yes"; then
++    echo ${prefix}
++fi
++
++if test "${echo_exec_prefix}" = "yes"; then
++    echo ${exec_prefix}
++fi
++
++if test "${echo_includedir}" = "yes"; then
++    echo ${includedir}
++fi
++
++if test "${echo_libdir}" = "yes"; then
++    echo ${libdir}
++fi
++
++if test "${echo_cflags}" = "yes"; then
++    echo -I${includedir}
++fi
++
++if test "${echo_libs}" = "yes"; then
++      libdirs=""
++      if test -n "${lib_ssl}"; then
++	libdirs="${libdirs} -lssl${major_version}"
++      fi
++      if test -n "${lib_smime}"; then
++	libdirs="${libdirs} -lsmime${major_version}"
++      fi
++      if test -n "${lib_nss}"; then
++	libdirs="${libdirs} -lnss${major_version}"
++      fi
++      if test -n "${lib_nssutil}"; then
++       libdirs="${libdirs} -lnssutil${major_version}"
++      fi
++      echo ${libdirs}
++fi
++
+diff -Naur a/config/nss.pc.in b/config/nss.pc.in
+--- /dev/null
++++ b/config/nss.pc.in
+@@ -0,0 +1,12 @@
++prefix=@prefix@
++exec_prefix=@exec_prefix@
++libdir=@libdir@
++includedir=@includedir@
++
++Name: NSS
++Description: Network Security Services
++Version: @NSS_MAJOR_VERSION@.@NSS_MINOR_VERSION@.@NSS_PATCH_VERSION@
++Requires: nspr >= 4.25
++Libs: -lssl3 -lsmime3 -lnss3 -lnssutil3
++Cflags: -I${includedir}
++
+diff -Naur a/manifest.mn b/manifest.mn
+--- a/manifest.mn
++++ b/manifest.mn
+@@ -10,7 +10,7 @@ IMPORTS =	nspr20/v4.8 \
+ 
+ RELEASE = nss
+ 
+-DIRS = coreconf lib cmd cpputil gtests
++DIRS = coreconf lib cmd cpputil config
+ 
+ lib: coreconf
+ cmd: lib

diff --git a/dev-libs/nss/nss-3.103.ebuild b/dev-libs/nss/nss-3.103.ebuild
new file mode 100644
index 000000000000..d1dc0d9c119c
--- /dev/null
+++ b/dev-libs/nss/nss-3.103.ebuild
@@ -0,0 +1,419 @@
+# Copyright 1999-2024 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+inherit flag-o-matic multilib toolchain-funcs multilib-minimal
+
+NSPR_VER="4.35"
+RTM_NAME="NSS_${PV//./_}_RTM"
+
+DESCRIPTION="Mozilla's Network Security Services library that implements PKI support"
+HOMEPAGE="https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS"
+SRC_URI="https://archive.mozilla.org/pub/security/nss/releases/${RTM_NAME}/src/${P}.tar.gz
+	cacert? ( https://dev.gentoo.org/~juippis/mozilla/patchsets/nss-3.101-cacert-class1-class3.patch )"
+
+LICENSE="|| ( MPL-2.0 GPL-2 LGPL-2.1 )"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~amd64-linux ~x86-linux ~x64-solaris"
+IUSE="cacert test +utils cpu_flags_ppc_altivec cpu_flags_x86_avx2 cpu_flags_x86_sse3 cpu_flags_ppc_vsx"
+RESTRICT="!test? ( test )"
+# pkg-config called by nss-config -> virtual/pkgconfig in RDEPEND
+RDEPEND="
+	>=dev-libs/nspr-${NSPR_VER}[${MULTILIB_USEDEP}]
+	>=dev-db/sqlite-3.8.2[${MULTILIB_USEDEP}]
+	>=sys-libs/zlib-1.2.8-r1[${MULTILIB_USEDEP}]
+	virtual/pkgconfig
+"
+DEPEND="${RDEPEND}"
+BDEPEND="dev-lang/perl"
+
+S="${WORKDIR}/${P}/${PN}"
+
+MULTILIB_CHOST_TOOLS=(
+	/usr/bin/nss-config
+)
+
+PATCHES=(
+	"${FILESDIR}"/nss-3.103-gentoo-fixes-add-pkgconfig-files.patch
+	"${FILESDIR}"/nss-3.21-gentoo-fixup-warnings.patch
+	"${FILESDIR}"/nss-3.87-use-clang-as-bgo892686.patch
+)
+
+src_prepare() {
+	default
+
+	if use cacert ; then
+		eapply -p2 "${DISTDIR}"/nss-3.101-cacert-class1-class3.patch
+	fi
+
+	pushd coreconf >/dev/null || die
+	# hack nspr paths
+	echo 'INCLUDES += -I$(DIST)/include/dbm' \
+		>> headers.mk || die "failed to append include"
+
+	# modify install path
+	sed -e '/CORE_DEPTH/s:SOURCE_PREFIX.*$:SOURCE_PREFIX = $(CORE_DEPTH)/dist:' \
+		-i source.mk || die
+
+	# Respect LDFLAGS
+	sed -i -e 's/\$(MKSHLIB) -o/\$(MKSHLIB) \$(LDFLAGS) -o/g' rules.mk
+
+	# Workaround make-4.4's change to sub-make, bmo#1800237, bgo#882069
+	sed -i -e "s/^CPU_TAG = _.*/CPU_TAG = _$(nssarch)/" Linux.mk || die
+
+	popd >/dev/null || die
+
+	# Fix pkgconfig file for Prefix
+	sed -i -e "/^PREFIX =/s:= /usr:= ${EPREFIX}/usr:" \
+		config/Makefile || die
+
+	# use host shlibsign if need be #436216
+	if tc-is-cross-compiler ; then
+		sed -i \
+			-e 's:"${2}"/shlibsign:shlibsign:' \
+			cmd/shlibsign/sign.sh || die
+	fi
+
+	# dirty hack
+	sed -i -e "/CRYPTOLIB/s:\$(SOFTOKEN_LIB_DIR):../freebl/\$(OBJDIR):" \
+		lib/ssl/config.mk || die
+	sed -i -e "/CRYPTOLIB/s:\$(SOFTOKEN_LIB_DIR):../../lib/freebl/\$(OBJDIR):" \
+		cmd/platlibs.mk || die
+
+	multilib_copy_sources
+
+	strip-flags
+}
+
+multilib_src_configure() {
+	# Ensure we stay multilib aware
+	sed -i -e "/@libdir@/ s:lib64:$(get_libdir):" config/Makefile || die
+}
+
+nssarch() {
+	# Most of the arches are the same as $ARCH
+	local t=${1:-${CHOST}}
+	case ${t} in
+		*86*-pc-solaris2*) echo "i86pc"   ;;
+		aarch64*)          echo "aarch64" ;;
+		hppa*)             echo "parisc"  ;;
+		i?86*)             echo "i686"    ;;
+		x86_64*)           echo "x86_64"  ;;
+		*)                 tc-arch ${t}   ;;
+	esac
+}
+
+nssbits() {
+	local cc cppflags="${1}CPPFLAGS" cflags="${1}CFLAGS"
+	if [[ ${1} == BUILD_ ]]; then
+		cc=$(tc-getBUILD_CC)
+	else
+		cc=$(tc-getCC)
+	fi
+	# TODO: Port this to toolchain-funcs tc-get-ptr-size/tc-get-build-ptr-size
+	echo > "${T}"/test.c || die
+	${cc} ${!cppflags} ${!cflags} -fno-lto -c "${T}"/test.c -o "${T}/${1}test.o" || die
+	case $(file -S "${T}/${1}test.o") in
+		*32-bit*x86-64*) echo USE_X32=1;;
+		*64-bit*|*ppc64*|*x86_64*) echo USE_64=1;;
+		*32-bit*|*ppc*|*i386*) ;;
+		*) die "Failed to detect whether ${cc} builds 64bits or 32bits, disable distcc if you're using it, please";;
+	esac
+}
+
+multilib_src_compile() {
+	# use ABI to determine bit'ness, or fallback if unset
+	local buildbits mybits
+	case "${ABI}" in
+		n32) mybits="USE_N32=1";;
+		x32) mybits="USE_X32=1";;
+		s390x|*64) mybits="USE_64=1";;
+		${DEFAULT_ABI})
+			einfo "Running compilation test to determine bit'ness"
+			mybits=$(nssbits)
+			;;
+	esac
+	# bitness of host may differ from target
+	if tc-is-cross-compiler; then
+		buildbits=$(nssbits BUILD_)
+	fi
+
+	local makeargs=(
+		CC="$(tc-getCC)"
+		CCC="$(tc-getCXX)"
+		AR="$(tc-getAR) rc \$@"
+		RANLIB="$(tc-getRANLIB)"
+		OPTIMIZER=
+		${mybits}
+		disable_ckbi=0
+	)
+
+	# Take care of nspr settings #436216
+	local myCPPFLAGS="${CPPFLAGS} $($(tc-getPKG_CONFIG) nspr --cflags)"
+	unset NSPR_INCLUDE_DIR
+
+	export NSS_ALLOW_SSLKEYLOGFILE=1
+	export NSS_ENABLE_WERROR=0 #567158
+	export BUILD_OPT=1
+	export NSS_USE_SYSTEM_SQLITE=1
+	export NSDISTMODE=copy
+	export FREEBL_NO_DEPEND=1
+	export FREEBL_LOWHASH=1
+	export NSS_SEED_ONLY_DEV_URANDOM=1
+	export USE_SYSTEM_ZLIB=1
+	export ZLIB_LIBS=-lz
+	export ASFLAGS=""
+	# Fix build failure on arm64
+	export NS_USE_GCC=1
+	# Detect compiler type and set proper environment value
+	if tc-is-gcc; then
+		export CC_IS_GCC=1
+	elif tc-is-clang; then
+		export CC_IS_CLANG=1
+	fi
+
+	export NSS_DISABLE_GTESTS=$(usex !test 1 0)
+
+	# Include exportable custom settings defined by users, #900915
+	# Two examples uses:
+	#   EXTRA_NSSCONF="MYONESWITCH=1"
+	#   EXTRA_NSSCONF="MYVALUE=0 MYOTHERVALUE=1 MYTHIRDVALUE=1"
+	# e.g.
+	#   EXTRA_NSSCONF="NSS_ALLOW_SSLKEYLOGFILE=0"
+	# or
+	#   EXTRA_NSSCONF="NSS_ALLOW_SSLKEYLOGFILE=0 NSS_ENABLE_WERROR=1"
+	# etc.
+	if [[ -n "${EXTRA_NSSCONF}" ]]; then
+		ewarn "EXTRA_NSSCONF applied, please disable custom settings before reporting bugs."
+		read -a myextranssconf <<< "${EXTRA_NSSCONF}"
+
+		for (( i=0; i<${#myextranssconf[@]}; i++ )); do
+			export "${myextranssconf[$i]}"
+			echo "exported ${myextranssconf[$i]}"
+		done
+	fi
+
+	# explicitly disable altivec/vsx if not requested
+	# https://bugs.gentoo.org/789114
+	case ${ARCH} in
+		ppc*)
+			use cpu_flags_ppc_altivec || export NSS_DISABLE_ALTIVEC=1
+			use cpu_flags_ppc_vsx || export NSS_DISABLE_CRYPTO_VSX=1
+			;;
+	esac
+
+	use cpu_flags_x86_avx2 || export NSS_DISABLE_AVX2=1
+	use cpu_flags_x86_sse3 || export NSS_DISABLE_SSE3=1
+
+	local d
+
+	# Build the host tools first.
+	LDFLAGS="${BUILD_LDFLAGS}" \
+	XCFLAGS="${BUILD_CFLAGS}" \
+	NSPR_LIB_DIR="${T}/fakedir" \
+	emake -C coreconf \
+		CC="$(tc-getBUILD_CC)" \
+			${buildbits-${mybits}}
+	makeargs+=( NSINSTALL="${PWD}/$(find -type f -name nsinstall)" )
+
+	# Then build the target tools.
+	for d in . lib/dbm ; do
+		CPPFLAGS="${myCPPFLAGS}" \
+		XCFLAGS="${CFLAGS} ${CPPFLAGS}" \
+		NSPR_LIB_DIR="${T}/fakedir" \
+		emake "${makeargs[@]}" -C ${d} OS_TEST="$(nssarch)"
+	done
+}
+
+multilib_src_test() {
+	einfo "Tests can take a *long* time, especially on a multilib system."
+	einfo "~10 minutes per lib configuration with only 'standard' tests,"
+	einfo "~40 minutes per lib configuration with 'full' tests. Bug #852755"
+
+	# https://www.linuxfromscratch.org/blfs/view/svn/postlfs/nss.html
+	# https://firefox-source-docs.mozilla.org/security/nss/legacy/nss_sources_building_testing/index.html#running_the_nss_test_suite
+	# https://www-archive.mozilla.org/projects/security/pki/nss/testnss_32.html (older)
+	export BUILD_OPT=1
+	export HOST="localhost"
+	export DOMSUF="localdomain"
+	export USE_IP=TRUE
+	export IP_ADDRESS="127.0.0.1"
+
+	# Only run the standard cycle instead of full, reducing testing time from 45 minutes to 15
+	# per lib implementation.
+	export NSS_CYCLES=standard
+
+	NSINSTALL="${PWD}/$(find -type f -name nsinstall)"
+
+	cd "${BUILD_DIR}"/tests || die
+	# Hack to get current objdir (prefixed dir where built binaries are)
+	# Without this, at least multilib tests go wrong when building the amd64 variant
+	# after x86.
+	local objdir=$(find "${BUILD_DIR}"/dist -maxdepth 1 -iname Linux* | rev | cut -d/ -f1 | rev)
+
+	# Can tweak to a subset of tests in future if we need to, but would prefer not
+	OBJDIR="${objdir}" DIST="${BUILD_DIR}/dist" MOZILLA_ROOT="${BUILD_DIR}" ./all.sh || die
+}
+
+# Altering these 3 libraries breaks the CHK verification.
+# All of the following cause it to break:
+# - stripping
+# - prelink
+# - ELF signing
+# http://www.mozilla.org/projects/security/pki/nss/tech-notes/tn6.html
+# Either we have to NOT strip them, or we have to forcibly resign after
+# stripping.
+#local_libdir="$(get_libdir)"
+#export STRIP_MASK="
+#	*/${local_libdir}/libfreebl3.so*
+#	*/${local_libdir}/libnssdbm3.so*
+#	*/${local_libdir}/libsoftokn3.so*"
+
+export NSS_CHK_SIGN_LIBS="freebl3 nssdbm3 softokn3"
+
+generate_chk() {
+	local shlibsign="$1"
+	local libdir="$2"
+	einfo "Resigning core NSS libraries for FIPS validation"
+	shift 2
+	local i
+	for i in ${NSS_CHK_SIGN_LIBS} ; do
+		local libname=lib${i}.so
+		local chkname=lib${i}.chk
+		"${shlibsign}" \
+			-i "${libdir}"/${libname} \
+			-o "${libdir}"/${chkname}.tmp \
+		&& mv -f \
+			"${libdir}"/${chkname}.tmp \
+			"${libdir}"/${chkname} \
+		|| die "Failed to sign ${libname}"
+	done
+}
+
+cleanup_chk() {
+	local libdir="$1"
+	shift 1
+	local i
+	for i in ${NSS_CHK_SIGN_LIBS} ; do
+		local libfname="${libdir}/lib${i}.so"
+		# If the major version has changed, then we have old chk files.
+		[ ! -f "${libfname}" -a -f "${libfname}.chk" ] \
+			&& rm -f "${libfname}.chk"
+	done
+}
+
+multilib_src_install() {
+	pushd dist >/dev/null || die
+
+	dodir /usr/$(get_libdir)
+	cp -L */lib/*$(get_libname) "${ED}"/usr/$(get_libdir) || die "copying shared libs failed"
+	local i
+	for i in crmf freebl nssb nssckfw ; do
+		cp -L */lib/lib${i}.a "${ED}"/usr/$(get_libdir) || die "copying libs failed"
+	done
+
+	# Install nss-config and pkgconfig file
+	dodir /usr/bin
+	cp -L */bin/nss-config "${ED}"/usr/bin || die
+	dodir /usr/$(get_libdir)/pkgconfig
+	cp -L */lib/pkgconfig/nss.pc "${ED}"/usr/$(get_libdir)/pkgconfig || die
+
+	# create an nss-softokn.pc from nss.pc for libfreebl and some private headers
+	# bug 517266
+	sed 	-e 's#Libs:#Libs: -lfreebl#' \
+		-e 's#Cflags:#Cflags: -I${includedir}/private#' \
+		*/lib/pkgconfig/nss.pc >"${ED}"/usr/$(get_libdir)/pkgconfig/nss-softokn.pc \
+		|| die "could not create nss-softokn.pc"
+
+	# all the include files
+	insinto /usr/include/nss
+	doins public/nss/*.{h,api}
+	insinto /usr/include/nss/private
+	doins private/nss/{blapi,alghmac,cmac}.h
+
+	popd >/dev/null || die
+
+	local f nssutils
+	# Always enabled because we need it for chk generation.
+	nssutils=( shlibsign )
+
+	if multilib_is_native_abi ; then
+		if use utils; then
+			# The tests we do not need to install.
+			#nssutils_test="bltest crmftest dbtest dertimetest
+			#fipstest remtest sdrtest"
+			# checkcert utils has been removed in nss-3.22:
+			# https://bugzilla.mozilla.org/show_bug.cgi?id=1187545
+			# https://hg.mozilla.org/projects/nss/rev/df1729d37870
+			# certcgi has been removed in nss-3.36:
+			# https://bugzilla.mozilla.org/show_bug.cgi?id=1426602
+			nssutils+=(
+				addbuiltin
+				atob
+				baddbdir
+				btoa
+				certutil
+				cmsutil
+				conflict
+				crlutil
+				derdump
+				digest
+				makepqg
+				mangle
+				modutil
+				multinit
+				nonspr10
+				ocspclnt
+				oidcalc
+				p7content
+				p7env
+				p7sign
+				p7verify
+				pk11mode
+				pk12util
+				pp
+				rsaperf
+				selfserv
+				signtool
+				signver
+				ssltap
+				strsclnt
+				symkeyutil
+				tstclnt
+				vfychain
+				vfyserv
+			)
+			# install man-pages for utils (bug #516810)
+			doman doc/nroff/*.1
+		fi
+		pushd dist/*/bin >/dev/null || die
+		for f in ${nssutils[@]}; do
+			dobin ${f}
+		done
+		popd >/dev/null || die
+	fi
+}
+
+pkg_postinst() {
+	multilib_pkg_postinst() {
+		# We must re-sign the libraries AFTER they are stripped.
+		local shlibsign="${EROOT}/usr/bin/shlibsign"
+		# See if we can execute it (cross-compiling & such). #436216
+		"${shlibsign}" -h >&/dev/null
+		if [[ $? -gt 1 ]] ; then
+			shlibsign="shlibsign"
+		fi
+		generate_chk "${shlibsign}" "${EROOT}"/usr/$(get_libdir)
+	}
+
+	multilib_foreach_abi multilib_pkg_postinst
+}
+
+pkg_postrm() {
+	multilib_pkg_postrm() {
+		cleanup_chk "${EROOT}"/usr/$(get_libdir)
+	}
+
+	multilib_foreach_abi multilib_pkg_postrm
+}


^ permalink raw reply related	[flat|nested] 19+ messages in thread
* [gentoo-commits] repo/gentoo:master commit in: dev-libs/nss/, dev-libs/nss/files/
@ 2024-04-15  6:40 Joonas Niilola
  0 siblings, 0 replies; 19+ messages in thread
From: Joonas Niilola @ 2024-04-15  6:40 UTC (permalink / raw
  To: gentoo-commits

commit:     53f7db69d823842e9ab24aae0107928ae794fb33
Author:     Joonas Niilola <juippis <AT> gentoo <DOT> org>
AuthorDate: Mon Apr 15 06:40:00 2024 +0000
Commit:     Joonas Niilola <juippis <AT> gentoo <DOT> org>
CommitDate: Mon Apr 15 06:40:53 2024 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=53f7db69

dev-libs/nss: revbump 3.90.2 ESR with a patch from upstream

Bug: https://bugs.gentoo.org/928401
Bug: https://bugs.gentoo.org/928403
Signed-off-by: Joonas Niilola <juippis <AT> gentoo.org>

 .../nss-3.90-remove-support-of-curve25519.patch    |  78 ++++
 dev-libs/nss/nss-3.90.2-r1.ebuild                  | 420 +++++++++++++++++++++
 2 files changed, 498 insertions(+)

diff --git a/dev-libs/nss/files/nss-3.90-remove-support-of-curve25519.patch b/dev-libs/nss/files/nss-3.90-remove-support-of-curve25519.patch
new file mode 100644
index 000000000000..d883db8181d1
--- /dev/null
+++ b/dev-libs/nss/files/nss-3.90-remove-support-of-curve25519.patch
@@ -0,0 +1,78 @@
+# HG changeset patch
+# User Natalia Kulatova <nkulatova@mozilla.com>
+# Date 1687519432 0
+#      Fri Jun 23 11:23:52 2023 +0000
+# Node ID 653f4c1b58425219c0e9c005d555994a3fe1fa72
+# Parent  f095bf91ffaa273ea38ca6df34c905e5442de012
+Bug 1836925 - Removing the support of Curve25519 r=bbeurdouche,nss-reviewers
+
+Differential Revision: https://phabricator.services.mozilla.com/D180068
+
+diff -r f095bf91ffaa -r 653f4c1b5842 lib/freebl/Makefile
+--- a/lib/freebl/Makefile	Fri Jun 23 08:56:27 2023 +0000
++++ b/lib/freebl/Makefile	Fri Jun 23 11:23:52 2023 +0000
+@@ -568,9 +568,6 @@
+             HAVE_INT128_SUPPORT = 1
+             DEFINES += -DHAVE_INT128_SUPPORT
+     else ifeq (1,$(CC_IS_GCC))
+-        ifeq ($(CPU_ARCH),x86_64)
+-            SUPPORTS_VALE_CURVE25519 = 1
+-        endif
+         ifneq (,$(filter 4.6 4.7 4.8 4.9,$(word 1,$(GCC_VERSION)).$(word 2,$(GCC_VERSION))))
+             HAVE_INT128_SUPPORT = 1
+             DEFINES += -DHAVE_INT128_SUPPORT
+@@ -595,11 +592,6 @@
+     DEFINES += -DKRML_VERIFIED_UINT128
+ endif
+ 
+-ifdef SUPPORTS_VALE_CURVE25519
+-    VERIFIED_SRCS += Hacl_Curve25519_64.c
+-    DEFINES += -DHACL_CAN_COMPILE_INLINE_ASM
+-endif
+-
+ ifndef NSS_DISABLE_CHACHAPOLY
+     ifeq ($(CPU_ARCH),x86_64)
+         ifndef NSS_DISABLE_AVX2
+diff -r f095bf91ffaa -r 653f4c1b5842 lib/freebl/freebl.gyp
+--- a/lib/freebl/freebl.gyp	Fri Jun 23 08:56:27 2023 +0000
++++ b/lib/freebl/freebl.gyp	Fri Jun 23 11:23:52 2023 +0000
+@@ -866,12 +866,6 @@
+           }],
+         ],
+       }],
+-      [ 'supports_vale_curve25519==1', {
+-        'defines': [
+-          # The Makefile does version-tests on GCC, but we're not doing that here.
+-          'HACL_CAN_COMPILE_INLINE_ASM',
+-        ],
+-      }],
+       [ 'OS=="linux" or OS=="android"', {
+         'conditions': [
+           [ 'target_arch=="x64"', {
+@@ -934,11 +928,6 @@
+   'variables': {
+     'module': 'nss',
+     'conditions': [
+-      [ 'target_arch=="x64" and cc_is_gcc==1', {
+-        'supports_vale_curve25519%': 1,
+-      }, {
+-        'supports_vale_curve25519%': 0,
+-      }],
+       [ 'target_arch=="x64" or target_arch=="arm64" or target_arch=="aarch64"', {
+         'have_int128_support%': 1,
+       }, {
+diff -r f095bf91ffaa -r 653f4c1b5842 lib/freebl/freebl_base.gypi
+--- a/lib/freebl/freebl_base.gypi	Fri Jun 23 08:56:27 2023 +0000
++++ b/lib/freebl/freebl_base.gypi	Fri Jun 23 11:23:52 2023 +0000
+@@ -154,11 +154,6 @@
+         'ecl/curve25519_32.c',
+       ],
+     }],
+-    ['supports_vale_curve25519==1', {
+-      'sources': [
+-        'verified/Hacl_Curve25519_64.c',
+-      ],
+-    }],
+     ['(target_arch!="ppc64" and target_arch!="ppc64le") or disable_altivec==1', {
+       'sources': [
+         # Gyp does not support per-file cflags, so working around like this.

diff --git a/dev-libs/nss/nss-3.90.2-r1.ebuild b/dev-libs/nss/nss-3.90.2-r1.ebuild
new file mode 100644
index 000000000000..f1b7e6697ccc
--- /dev/null
+++ b/dev-libs/nss/nss-3.90.2-r1.ebuild
@@ -0,0 +1,420 @@
+# Copyright 1999-2024 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+inherit flag-o-matic multilib toolchain-funcs multilib-minimal
+
+NSPR_VER="4.35"
+RTM_NAME="NSS_${PV//./_}_RTM"
+
+DESCRIPTION="Mozilla's Network Security Services library that implements PKI support"
+HOMEPAGE="https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS"
+SRC_URI="https://archive.mozilla.org/pub/security/nss/releases/${RTM_NAME}/src/${P}.tar.gz
+	cacert? ( https://dev.gentoo.org/~whissi/dist/ca-certificates/nss-cacert-class1-class3-r2.patch )"
+
+LICENSE="|| ( MPL-2.0 GPL-2 LGPL-2.1 )"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~amd64-linux ~x86-linux ~x64-solaris"
+IUSE="cacert test +utils cpu_flags_ppc_altivec cpu_flags_x86_avx2 cpu_flags_x86_sse3 cpu_flags_ppc_vsx"
+RESTRICT="!test? ( test )"
+# pkg-config called by nss-config -> virtual/pkgconfig in RDEPEND
+RDEPEND="
+	>=dev-libs/nspr-${NSPR_VER}[${MULTILIB_USEDEP}]
+	>=dev-db/sqlite-3.8.2[${MULTILIB_USEDEP}]
+	>=sys-libs/zlib-1.2.8-r1[${MULTILIB_USEDEP}]
+	virtual/pkgconfig
+"
+DEPEND="${RDEPEND}"
+BDEPEND="dev-lang/perl"
+
+S="${WORKDIR}/${P}/${PN}"
+
+MULTILIB_CHOST_TOOLS=(
+	/usr/bin/nss-config
+)
+
+PATCHES=(
+	"${FILESDIR}/${PN}-3.53-gentoo-fixups.patch"
+	"${FILESDIR}/${PN}-3.21-gentoo-fixup-warnings.patch"
+	"${FILESDIR}"/nss-3.87-use-clang-as-bgo892686.patch
+	"${FILESDIR}"/nss-3.90.2-bmo-1885749-disable-ASM-C25519-on-non-X86_64.patch
+	"${FILESDIR}"/nss-3.90-remove-support-of-curve25519.patch
+)
+
+src_prepare() {
+	default
+
+	if use cacert ; then
+		eapply -p2 "${DISTDIR}"/nss-cacert-class1-class3-r2.patch
+	fi
+
+	pushd coreconf >/dev/null || die
+	# hack nspr paths
+	echo 'INCLUDES += -I$(DIST)/include/dbm' \
+		>> headers.mk || die "failed to append include"
+
+	# modify install path
+	sed -e '/CORE_DEPTH/s:SOURCE_PREFIX.*$:SOURCE_PREFIX = $(CORE_DEPTH)/dist:' \
+		-i source.mk || die
+
+	# Respect LDFLAGS
+	sed -i -e 's/\$(MKSHLIB) -o/\$(MKSHLIB) \$(LDFLAGS) -o/g' rules.mk
+
+	# Workaround make-4.4's change to sub-make, bmo#1800237, bgo#882069
+	sed -i -e "s/^CPU_TAG = _.*/CPU_TAG = _$(nssarch)/" Linux.mk || die
+
+	popd >/dev/null || die
+
+	# Fix pkgconfig file for Prefix
+	sed -i -e "/^PREFIX =/s:= /usr:= ${EPREFIX}/usr:" \
+		config/Makefile || die
+
+	# use host shlibsign if need be #436216
+	if tc-is-cross-compiler ; then
+		sed -i \
+			-e 's:"${2}"/shlibsign:shlibsign:' \
+			cmd/shlibsign/sign.sh || die
+	fi
+
+	# dirty hack
+	sed -i -e "/CRYPTOLIB/s:\$(SOFTOKEN_LIB_DIR):../freebl/\$(OBJDIR):" \
+		lib/ssl/config.mk || die
+	sed -i -e "/CRYPTOLIB/s:\$(SOFTOKEN_LIB_DIR):../../lib/freebl/\$(OBJDIR):" \
+		cmd/platlibs.mk || die
+
+	multilib_copy_sources
+
+	strip-flags
+}
+
+multilib_src_configure() {
+	# Ensure we stay multilib aware
+	sed -i -e "/@libdir@/ s:lib64:$(get_libdir):" config/Makefile || die
+}
+
+nssarch() {
+	# Most of the arches are the same as $ARCH
+	local t=${1:-${CHOST}}
+	case ${t} in
+		*86*-pc-solaris2*) echo "i86pc"   ;;
+		aarch64*)          echo "aarch64" ;;
+		hppa*)             echo "parisc"  ;;
+		i?86*)             echo "i686"    ;;
+		x86_64*)           echo "x86_64"  ;;
+		*)                 tc-arch ${t}   ;;
+	esac
+}
+
+nssbits() {
+	local cc cppflags="${1}CPPFLAGS" cflags="${1}CFLAGS"
+	if [[ ${1} == BUILD_ ]]; then
+		cc=$(tc-getBUILD_CC)
+	else
+		cc=$(tc-getCC)
+	fi
+	# TODO: Port this to toolchain-funcs tc-get-ptr-size/tc-get-build-ptr-size
+	echo > "${T}"/test.c || die
+	${cc} ${!cppflags} ${!cflags} -fno-lto -c "${T}"/test.c -o "${T}/${1}test.o" || die
+	case $(file -S "${T}/${1}test.o") in
+		*32-bit*x86-64*) echo USE_X32=1;;
+		*64-bit*|*ppc64*|*x86_64*) echo USE_64=1;;
+		*32-bit*|*ppc*|*i386*) ;;
+		*) die "Failed to detect whether ${cc} builds 64bits or 32bits, disable distcc if you're using it, please";;
+	esac
+}
+
+multilib_src_compile() {
+	# use ABI to determine bit'ness, or fallback if unset
+	local buildbits mybits
+	case "${ABI}" in
+		n32) mybits="USE_N32=1";;
+		x32) mybits="USE_X32=1";;
+		s390x|*64) mybits="USE_64=1";;
+		${DEFAULT_ABI})
+			einfo "Running compilation test to determine bit'ness"
+			mybits=$(nssbits)
+			;;
+	esac
+	# bitness of host may differ from target
+	if tc-is-cross-compiler; then
+		buildbits=$(nssbits BUILD_)
+	fi
+
+	local makeargs=(
+		CC="$(tc-getCC)"
+		CCC="$(tc-getCXX)"
+		AR="$(tc-getAR) rc \$@"
+		RANLIB="$(tc-getRANLIB)"
+		OPTIMIZER=
+		${mybits}
+		disable_ckbi=0
+	)
+
+	# Take care of nspr settings #436216
+	local myCPPFLAGS="${CPPFLAGS} $($(tc-getPKG_CONFIG) nspr --cflags)"
+	unset NSPR_INCLUDE_DIR
+
+	export NSS_ALLOW_SSLKEYLOGFILE=1
+	export NSS_ENABLE_WERROR=0 #567158
+	export BUILD_OPT=1
+	export NSS_USE_SYSTEM_SQLITE=1
+	export NSDISTMODE=copy
+	export FREEBL_NO_DEPEND=1
+	export FREEBL_LOWHASH=1
+	export NSS_SEED_ONLY_DEV_URANDOM=1
+	export USE_SYSTEM_ZLIB=1
+	export ZLIB_LIBS=-lz
+	export ASFLAGS=""
+	# Fix build failure on arm64
+	export NS_USE_GCC=1
+	# Detect compiler type and set proper environment value
+	if tc-is-gcc; then
+		export CC_IS_GCC=1
+	elif tc-is-clang; then
+		export CC_IS_CLANG=1
+	fi
+
+	export NSS_DISABLE_GTESTS=$(usex !test 1 0)
+
+	# Include exportable custom settings defined by users, #900915
+	# Two examples uses:
+	#   EXTRA_NSSCONF="MYONESWITCH=1"
+	#   EXTRA_NSSCONF="MYVALUE=0 MYOTHERVALUE=1 MYTHIRDVALUE=1"
+	# e.g.
+	#   EXTRA_NSSCONF="NSS_ALLOW_SSLKEYLOGFILE=0"
+	# or
+	#   EXTRA_NSSCONF="NSS_ALLOW_SSLKEYLOGFILE=0 NSS_ENABLE_WERROR=1"
+	# etc.
+	if [[ -n "${EXTRA_NSSCONF}" ]]; then
+		ewarn "EXTRA_NSSCONF applied, please disable custom settings before reporting bugs."
+		read -a myextranssconf <<< "${EXTRA_NSSCONF}"
+
+		for (( i=0; i<${#myextranssconf[@]}; i++ )); do
+			export "${myextranssconf[$i]}"
+			echo "exported ${myextranssconf[$i]}"
+		done
+	fi
+
+	# explicitly disable altivec/vsx if not requested
+	# https://bugs.gentoo.org/789114
+	case ${ARCH} in
+		ppc*)
+			use cpu_flags_ppc_altivec || export NSS_DISABLE_ALTIVEC=1
+			use cpu_flags_ppc_vsx || export NSS_DISABLE_CRYPTO_VSX=1
+			;;
+	esac
+
+	use cpu_flags_x86_avx2 || export NSS_DISABLE_AVX2=1
+	use cpu_flags_x86_sse3 || export NSS_DISABLE_SSE3=1
+
+	local d
+
+	# Build the host tools first.
+	LDFLAGS="${BUILD_LDFLAGS}" \
+	XCFLAGS="${BUILD_CFLAGS}" \
+	NSPR_LIB_DIR="${T}/fakedir" \
+	emake -C coreconf \
+		CC="$(tc-getBUILD_CC)" \
+			${buildbits-${mybits}}
+	makeargs+=( NSINSTALL="${PWD}/$(find -type f -name nsinstall)" )
+
+	# Then build the target tools.
+	for d in . lib/dbm ; do
+		CPPFLAGS="${myCPPFLAGS}" \
+		XCFLAGS="${CFLAGS} ${CPPFLAGS}" \
+		NSPR_LIB_DIR="${T}/fakedir" \
+		emake "${makeargs[@]}" -C ${d} OS_TEST="$(nssarch)"
+	done
+}
+
+multilib_src_test() {
+	einfo "Tests can take a *long* time, especially on a multilib system."
+	einfo "30-45+ minutes per lib configuration. Bug #852755"
+
+	# https://www.linuxfromscratch.org/blfs/view/svn/postlfs/nss.html
+	# https://firefox-source-docs.mozilla.org/security/nss/legacy/nss_sources_building_testing/index.html#running_the_nss_test_suite
+	# https://www-archive.mozilla.org/projects/security/pki/nss/testnss_32.html (older)
+	export BUILD_OPT=1
+	export HOST="localhost"
+	export DOMSUF="localdomain"
+	export USE_IP=TRUE
+	export IP_ADDRESS="127.0.0.1"
+
+	# Only run the standard cycle instead of full, reducing testing time from 45 minutes to 15
+	# per lib implementation.
+	export NSS_CYCLES=standard
+
+	NSINSTALL="${PWD}/$(find -type f -name nsinstall)"
+
+	cd "${BUILD_DIR}"/tests || die
+	# Hack to get current objdir (prefixed dir where built binaries are)
+	# Without this, at least multilib tests go wrong when building the amd64 variant
+	# after x86.
+	local objdir=$(find "${BUILD_DIR}"/dist -maxdepth 1 -iname Linux* | rev | cut -d/ -f1 | rev)
+
+	# Can tweak to a subset of tests in future if we need to, but would prefer not
+	OBJDIR="${objdir}" DIST="${BUILD_DIR}/dist" MOZILLA_ROOT="${BUILD_DIR}" ./all.sh || die
+}
+
+# Altering these 3 libraries breaks the CHK verification.
+# All of the following cause it to break:
+# - stripping
+# - prelink
+# - ELF signing
+# http://www.mozilla.org/projects/security/pki/nss/tech-notes/tn6.html
+# Either we have to NOT strip them, or we have to forcibly resign after
+# stripping.
+#local_libdir="$(get_libdir)"
+#export STRIP_MASK="
+#	*/${local_libdir}/libfreebl3.so*
+#	*/${local_libdir}/libnssdbm3.so*
+#	*/${local_libdir}/libsoftokn3.so*"
+
+export NSS_CHK_SIGN_LIBS="freebl3 nssdbm3 softokn3"
+
+generate_chk() {
+	local shlibsign="$1"
+	local libdir="$2"
+	einfo "Resigning core NSS libraries for FIPS validation"
+	shift 2
+	local i
+	for i in ${NSS_CHK_SIGN_LIBS} ; do
+		local libname=lib${i}.so
+		local chkname=lib${i}.chk
+		"${shlibsign}" \
+			-i "${libdir}"/${libname} \
+			-o "${libdir}"/${chkname}.tmp \
+		&& mv -f \
+			"${libdir}"/${chkname}.tmp \
+			"${libdir}"/${chkname} \
+		|| die "Failed to sign ${libname}"
+	done
+}
+
+cleanup_chk() {
+	local libdir="$1"
+	shift 1
+	local i
+	for i in ${NSS_CHK_SIGN_LIBS} ; do
+		local libfname="${libdir}/lib${i}.so"
+		# If the major version has changed, then we have old chk files.
+		[ ! -f "${libfname}" -a -f "${libfname}.chk" ] \
+			&& rm -f "${libfname}.chk"
+	done
+}
+
+multilib_src_install() {
+	pushd dist >/dev/null || die
+
+	dodir /usr/$(get_libdir)
+	cp -L */lib/*$(get_libname) "${ED}"/usr/$(get_libdir) || die "copying shared libs failed"
+	local i
+	for i in crmf freebl nssb nssckfw ; do
+		cp -L */lib/lib${i}.a "${ED}"/usr/$(get_libdir) || die "copying libs failed"
+	done
+
+	# Install nss-config and pkgconfig file
+	dodir /usr/bin
+	cp -L */bin/nss-config "${ED}"/usr/bin || die
+	dodir /usr/$(get_libdir)/pkgconfig
+	cp -L */lib/pkgconfig/nss.pc "${ED}"/usr/$(get_libdir)/pkgconfig || die
+
+	# create an nss-softokn.pc from nss.pc for libfreebl and some private headers
+	# bug 517266
+	sed 	-e 's#Libs:#Libs: -lfreebl#' \
+		-e 's#Cflags:#Cflags: -I${includedir}/private#' \
+		*/lib/pkgconfig/nss.pc >"${ED}"/usr/$(get_libdir)/pkgconfig/nss-softokn.pc \
+		|| die "could not create nss-softokn.pc"
+
+	# all the include files
+	insinto /usr/include/nss
+	doins public/nss/*.{h,api}
+	insinto /usr/include/nss/private
+	doins private/nss/{blapi,alghmac,cmac}.h
+
+	popd >/dev/null || die
+
+	local f nssutils
+	# Always enabled because we need it for chk generation.
+	nssutils=( shlibsign )
+
+	if multilib_is_native_abi ; then
+		if use utils; then
+			# The tests we do not need to install.
+			#nssutils_test="bltest crmftest dbtest dertimetest
+			#fipstest remtest sdrtest"
+			# checkcert utils has been removed in nss-3.22:
+			# https://bugzilla.mozilla.org/show_bug.cgi?id=1187545
+			# https://hg.mozilla.org/projects/nss/rev/df1729d37870
+			# certcgi has been removed in nss-3.36:
+			# https://bugzilla.mozilla.org/show_bug.cgi?id=1426602
+			nssutils+=(
+				addbuiltin
+				atob
+				baddbdir
+				btoa
+				certutil
+				cmsutil
+				conflict
+				crlutil
+				derdump
+				digest
+				makepqg
+				mangle
+				modutil
+				multinit
+				nonspr10
+				ocspclnt
+				oidcalc
+				p7content
+				p7env
+				p7sign
+				p7verify
+				pk11mode
+				pk12util
+				pp
+				rsaperf
+				selfserv
+				signtool
+				signver
+				ssltap
+				strsclnt
+				symkeyutil
+				tstclnt
+				vfychain
+				vfyserv
+			)
+			# install man-pages for utils (bug #516810)
+			doman doc/nroff/*.1
+		fi
+		pushd dist/*/bin >/dev/null || die
+		for f in ${nssutils[@]}; do
+			dobin ${f}
+		done
+		popd >/dev/null || die
+	fi
+}
+
+pkg_postinst() {
+	multilib_pkg_postinst() {
+		# We must re-sign the libraries AFTER they are stripped.
+		local shlibsign="${EROOT}/usr/bin/shlibsign"
+		# See if we can execute it (cross-compiling & such). #436216
+		"${shlibsign}" -h >&/dev/null
+		if [[ $? -gt 1 ]] ; then
+			shlibsign="shlibsign"
+		fi
+		generate_chk "${shlibsign}" "${EROOT}"/usr/$(get_libdir)
+	}
+
+	multilib_foreach_abi multilib_pkg_postinst
+}
+
+pkg_postrm() {
+	multilib_pkg_postrm() {
+		cleanup_chk "${EROOT}"/usr/$(get_libdir)
+	}
+
+	multilib_foreach_abi multilib_pkg_postrm
+}


^ permalink raw reply related	[flat|nested] 19+ messages in thread
* [gentoo-commits] repo/gentoo:master commit in: dev-libs/nss/, dev-libs/nss/files/
@ 2024-03-17  8:18 Joonas Niilola
  0 siblings, 0 replies; 19+ messages in thread
From: Joonas Niilola @ 2024-03-17  8:18 UTC (permalink / raw
  To: gentoo-commits

commit:     31089ae8f5885ba9b6f2fef5c1bc195614f634d2
Author:     Joonas Niilola <juippis <AT> gentoo <DOT> org>
AuthorDate: Sun Mar 17 08:17:37 2024 +0000
Commit:     Joonas Niilola <juippis <AT> gentoo <DOT> org>
CommitDate: Sun Mar 17 08:18:16 2024 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=31089ae8

dev-libs/nss: fix 3.90.2esr on arm64 with an upstream patch

Closes: https://bugs.gentoo.org/926625
Signed-off-by: Joonas Niilola <juippis <AT> gentoo.org>

 ...-1885749-disable-ASM-C25519-on-non-X86_64.patch | 35 ++++++++++++++++++++++
 dev-libs/nss/nss-3.90.2.ebuild                     |  1 +
 2 files changed, 36 insertions(+)

diff --git a/dev-libs/nss/files/nss-3.90.2-bmo-1885749-disable-ASM-C25519-on-non-X86_64.patch b/dev-libs/nss/files/nss-3.90.2-bmo-1885749-disable-ASM-C25519-on-non-X86_64.patch
new file mode 100644
index 000000000000..e5769308144c
--- /dev/null
+++ b/dev-libs/nss/files/nss-3.90.2-bmo-1885749-disable-ASM-C25519-on-non-X86_64.patch
@@ -0,0 +1,35 @@
+
+# HG changeset patch
+# User Natalia Kulatova <nkulatova@mozilla.com>
+# Date 1685981398 0
+# Node ID 52a5d8fe37410d940e7d3ca244146ebc46a7d52a
+# Parent  52969cff7db635e0ee10fad66eed2c0cfdcf999b
+Bug 1836781 - Disabling ASM C25519 for A but X86_64 r=bbeurdouche,nss-reviewers
+
+Differential Revision: https://phabricator.services.mozilla.com/D179969
+
+diff --git a/lib/freebl/Makefile b/lib/freebl/Makefile
+--- a/lib/freebl/Makefile
++++ b/lib/freebl/Makefile
+@@ -563,17 +563,19 @@ endif # target == SunO
+ ifdef USE_64
+ # no __int128 at least up to lcc 1.23 (pretending to be gcc5)
+ # NB: CC_NAME is not defined here
+ ifneq ($(shell $(CC) -? 2>&1 >/dev/null </dev/null | sed -e 's/:.*//;1q'),lcc)
+     ifdef CC_IS_CLANG
+             HAVE_INT128_SUPPORT = 1
+             DEFINES += -DHAVE_INT128_SUPPORT
+     else ifeq (1,$(CC_IS_GCC))
+-        SUPPORTS_VALE_CURVE25519 = 1
++        ifeq ($(CPU_ARCH),x86_64)
++            SUPPORTS_VALE_CURVE25519 = 1
++        endif
+         ifneq (,$(filter 4.6 4.7 4.8 4.9,$(word 1,$(GCC_VERSION)).$(word 2,$(GCC_VERSION))))
+             HAVE_INT128_SUPPORT = 1
+             DEFINES += -DHAVE_INT128_SUPPORT
+         endif
+         ifneq (,$(filter 0 1 2 3 4,$(word 1,$(GCC_VERSION))))
+             NSS_DISABLE_AVX2 = 1
+         endif
+         ifeq (,$(filter 0 1 2 3 4,$(word 1,$(GCC_VERSION))))
+

diff --git a/dev-libs/nss/nss-3.90.2.ebuild b/dev-libs/nss/nss-3.90.2.ebuild
index 62ba736993a0..a23171281796 100644
--- a/dev-libs/nss/nss-3.90.2.ebuild
+++ b/dev-libs/nss/nss-3.90.2.ebuild
@@ -38,6 +38,7 @@ PATCHES=(
 	"${FILESDIR}/${PN}-3.53-gentoo-fixups.patch"
 	"${FILESDIR}/${PN}-3.21-gentoo-fixup-warnings.patch"
 	"${FILESDIR}"/nss-3.87-use-clang-as-bgo892686.patch
+	"${FILESDIR}"/nss-3.90.2-bmo-1885749-disable-ASM-C25519-on-non-X86_64.patch
 )
 
 src_prepare() {


^ permalink raw reply related	[flat|nested] 19+ messages in thread
* [gentoo-commits] repo/gentoo:master commit in: dev-libs/nss/, dev-libs/nss/files/
@ 2023-02-10  8:57 Joonas Niilola
  0 siblings, 0 replies; 19+ messages in thread
From: Joonas Niilola @ 2023-02-10  8:57 UTC (permalink / raw
  To: gentoo-commits

commit:     b1252dba7fd5da0686396d7138f601740116b8b0
Author:     Joonas Niilola <juippis <AT> gentoo <DOT> org>
AuthorDate: Fri Feb 10 08:55:06 2023 +0000
Commit:     Joonas Niilola <juippis <AT> gentoo <DOT> org>
CommitDate: Fri Feb 10 08:57:19 2023 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b1252dba

dev-libs/nss: add 3.88.1

Closes: https://bugs.gentoo.org/892686
Signed-off-by: Joonas Niilola <juippis <AT> gentoo.org>

 dev-libs/nss/Manifest                              |   1 +
 .../files/nss-3.87-use-clang-as-bgo892686.patch    |  85 +++++
 dev-libs/nss/nss-3.88.1.ebuild                     | 394 +++++++++++++++++++++
 3 files changed, 480 insertions(+)

diff --git a/dev-libs/nss/Manifest b/dev-libs/nss/Manifest
index 7dea4ccdf2ed..5ca3926c8ee3 100644
--- a/dev-libs/nss/Manifest
+++ b/dev-libs/nss/Manifest
@@ -1,3 +1,4 @@
 DIST nss-3.79.2.tar.gz 84825187 BLAKE2B 9589095a0f3af5201662fe96ba4dac73c661db3abde534941ea61d597dce1016dc06f8559e26fafc940f2b123987381e1faa22ff6a995ef3cc0a9dc4ebe7a4ad SHA512 52ca7574d2bb6e2fd874ac40f3e75d58135b103d8bd4b964a9262b5c302b4668ff7c8f5dabbef46e413fd72faeddc44057bc7b489946813331cc9a481d078181
 DIST nss-3.87.tar.gz 71435408 BLAKE2B 0d69e18b1e2c4ccfc86db8f3afba94d5000e8ab2a4e766eb6f99f13f57d78b62dd711a0f5f70a24378a3cf1e435cc8ecb7e6fbeae18d5db0176660a0ea35dac2 SHA512 4ec7b94e537df109638b821f3a7e3b7bf31d89c3739a6e4c85cad4fab876390ae482971d6f66198818400f467661e86f39dc1d2a4a88077fd81e3a0b7ed64110
+DIST nss-3.88.1.tar.gz 71607211 BLAKE2B ff84d3153a01519a52e83be5327453d8e6a81e1f62ccd69906b549fe42ec5ebf075b403395a67bc75f3c7f7dd33ef49f3b1f33558652ff75ee87e2970b2e06a4 SHA512 d15289803a4c3caa1b7a8872b761a95b4f571688c8b8ffaf2a1478e032a356fbcf8a9239ebe1777561503329f63dd237384e1d8af9ca70fb48b40e70954b455a
 DIST nss-cacert-class1-class3-r2.patch 21925 BLAKE2B 7627ff9a09f084c19d72d0490676865e3cab3ca7c920ae1ce4bea2db664f37fd0aa84fcda919809a516891ab2a62e2e7a43a9d6ada4c231adfe4c216525fac7d SHA512 1ce6ff9ab310aaca9005eafb461338b291df8523cc7044e096cd75774ce746c26eed19ec6bb2643c6c67f94650f2f309463492d80a90568f38ce2557f8ada2f4

diff --git a/dev-libs/nss/files/nss-3.87-use-clang-as-bgo892686.patch b/dev-libs/nss/files/nss-3.87-use-clang-as-bgo892686.patch
new file mode 100644
index 000000000000..633d251868a8
--- /dev/null
+++ b/dev-libs/nss/files/nss-3.87-use-clang-as-bgo892686.patch
@@ -0,0 +1,85 @@
+diff -Naur a/lib/freebl/freebl_base.gypi b/lib/freebl/freebl_base.gypi
+--- a/lib/freebl/freebl_base.gypi	2023-02-10 09:25:24.750840063 +0200
++++ b/lib/freebl/freebl_base.gypi	2023-02-10 09:28:01.621413675 +0200
+@@ -72,19 +72,6 @@
+             'mpi/mpi_amd64_common.S',
+             'mpi/mp_comba.c',
+           ],
+-          'conditions': [
+-            [ 'cc_is_clang==1 and fuzz!=1 and coverage!=1 and force_integrated_as!=1', {
+-              'cflags': [
+-                '-no-integrated-as',
+-              ],
+-              'cflags_mozilla': [
+-                '-no-integrated-as',
+-              ],
+-              'asflags_mozilla': [
+-                '-no-integrated-as',
+-              ],
+-            }],
+-          ],
+         }],
+         [ 'target_arch=="ia32"', {
+           'sources': [
+diff -Naur a/lib/freebl/freebl.gyp b/lib/freebl/freebl.gyp
+--- a/lib/freebl/freebl.gyp	2023-02-10 09:25:24.750840063 +0200
++++ b/lib/freebl/freebl.gyp	2023-02-10 09:27:43.549117181 +0200
+@@ -16,19 +16,6 @@
+       'dependencies': [
+         '<(DEPTH)/exports.gyp:nss_exports'
+       ],
+-      'conditions': [
+-        [ 'cc_is_clang==1 and force_integrated_as!=1', {
+-          'cflags': [
+-            '-no-integrated-as',
+-          ],
+-          'cflags_mozilla': [
+-            '-no-integrated-as',
+-          ],
+-          'asflags_mozilla': [
+-            '-no-integrated-as',
+-          ],
+-        }],
+-      ],
+     },
+     {
+       'target_name': 'intel-gcm-wrap_c_lib',
+@@ -325,19 +312,6 @@
+       'dependencies': [
+         '<(DEPTH)/exports.gyp:nss_exports'
+       ],
+-      'conditions': [
+-        [ 'cc_is_clang==1 and force_integrated_as!=1', {
+-          'cflags': [
+-            '-no-integrated-as',
+-          ],
+-          'cflags_mozilla': [
+-            '-no-integrated-as',
+-          ],
+-          'asflags_mozilla': [
+-            '-no-integrated-as',
+-          ],
+-        }],
+-      ],
+     },
+     {
+       'target_name': 'ppc-gcm-wrap-nodepend_c_lib',
+diff -Naur a/lib/freebl/Makefile b/lib/freebl/Makefile
+--- a/lib/freebl/Makefile	2023-02-10 09:25:24.749840047 +0200
++++ b/lib/freebl/Makefile	2023-02-10 09:26:23.932810998 +0200
+@@ -731,15 +731,6 @@
+ # GCM binary needs -mssse3
+ #
+ $(OBJDIR)/$(PROG_PREFIX)intel-gcm-wrap$(OBJ_SUFFIX): CFLAGS += -mssse3
+-
+-# The integrated assembler in Clang 3.2 does not support % in the
+-# expression of a .set directive. intel-gcm.s uses .set to give
+-# symbolic names to registers, for example,
+-#     .set  Htbl, %rdi
+-# So we can't use Clang's integrated assembler with intel-gcm.s.
+-ifdef CC_IS_CLANG
+-$(OBJDIR)/$(PROG_PREFIX)intel-gcm$(OBJ_SUFFIX): CFLAGS += -no-integrated-as
+-endif
+ endif
+ 
+ ifdef INTEL_GCM_CLANG_CL

diff --git a/dev-libs/nss/nss-3.88.1.ebuild b/dev-libs/nss/nss-3.88.1.ebuild
new file mode 100644
index 000000000000..bde8efaba018
--- /dev/null
+++ b/dev-libs/nss/nss-3.88.1.ebuild
@@ -0,0 +1,394 @@
+# Copyright 1999-2023 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+inherit flag-o-matic multilib toolchain-funcs multilib-minimal
+
+NSPR_VER="4.35"
+RTM_NAME="NSS_${PV//./_}_RTM"
+
+DESCRIPTION="Mozilla's Network Security Services library that implements PKI support"
+HOMEPAGE="https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS"
+SRC_URI="https://archive.mozilla.org/pub/security/nss/releases/${RTM_NAME}/src/${P}.tar.gz
+	cacert? ( https://dev.gentoo.org/~whissi/dist/ca-certificates/nss-cacert-class1-class3-r2.patch )"
+
+LICENSE="|| ( MPL-2.0 GPL-2 LGPL-2.1 )"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~amd64-linux ~x86-linux ~x64-solaris ~x86-solaris"
+IUSE="cacert test +utils cpu_flags_ppc_altivec cpu_flags_ppc_vsx"
+RESTRICT="!test? ( test )"
+# pkg-config called by nss-config -> virtual/pkgconfig in RDEPEND
+RDEPEND="
+	>=dev-libs/nspr-${NSPR_VER}[${MULTILIB_USEDEP}]
+	>=dev-db/sqlite-3.8.2[${MULTILIB_USEDEP}]
+	>=sys-libs/zlib-1.2.8-r1[${MULTILIB_USEDEP}]
+	virtual/pkgconfig
+"
+DEPEND="${RDEPEND}"
+BDEPEND="dev-lang/perl"
+
+S="${WORKDIR}/${P}/${PN}"
+
+MULTILIB_CHOST_TOOLS=(
+	/usr/bin/nss-config
+)
+
+PATCHES=(
+	"${FILESDIR}/${PN}-3.53-gentoo-fixups.patch"
+	"${FILESDIR}/${PN}-3.21-gentoo-fixup-warnings.patch"
+	"${FILESDIR}/${PN}-3.23-hppa-byte_order.patch"
+	"${FILESDIR}"/nss-3.87-use-clang-as-bgo892686.patch
+)
+
+QA_PKGCONFIG_VERSION="${PV}.0"
+
+src_prepare() {
+	default
+
+	if use cacert ; then
+		eapply -p2 "${DISTDIR}"/nss-cacert-class1-class3-r2.patch
+	fi
+
+	pushd coreconf >/dev/null || die
+	# hack nspr paths
+	echo 'INCLUDES += -I$(DIST)/include/dbm' \
+		>> headers.mk || die "failed to append include"
+
+	# modify install path
+	sed -e '/CORE_DEPTH/s:SOURCE_PREFIX.*$:SOURCE_PREFIX = $(CORE_DEPTH)/dist:' \
+		-i source.mk || die
+
+	# Respect LDFLAGS
+	sed -i -e 's/\$(MKSHLIB) -o/\$(MKSHLIB) \$(LDFLAGS) -o/g' rules.mk
+
+	# Workaround make-4.4's change to sub-make, bmo#1800237, bgo#882069
+	sed -i -e "s/^CPU_TAG = _.*/CPU_TAG = _$(nssarch)/" Linux.mk || die
+
+	popd >/dev/null || die
+
+	# Fix pkgconfig file for Prefix
+	sed -i -e "/^PREFIX =/s:= /usr:= ${EPREFIX}/usr:" \
+		config/Makefile || die
+
+	# use host shlibsign if need be #436216
+	if tc-is-cross-compiler ; then
+		sed -i \
+			-e 's:"${2}"/shlibsign:shlibsign:' \
+			cmd/shlibsign/sign.sh || die
+	fi
+
+	# dirty hack
+	sed -i -e "/CRYPTOLIB/s:\$(SOFTOKEN_LIB_DIR):../freebl/\$(OBJDIR):" \
+		lib/ssl/config.mk || die
+	sed -i -e "/CRYPTOLIB/s:\$(SOFTOKEN_LIB_DIR):../../lib/freebl/\$(OBJDIR):" \
+		cmd/platlibs.mk || die
+
+	multilib_copy_sources
+
+	strip-flags
+}
+
+multilib_src_configure() {
+	# Ensure we stay multilib aware
+	sed -i -e "/@libdir@/ s:lib64:$(get_libdir):" config/Makefile || die
+}
+
+nssarch() {
+	# Most of the arches are the same as $ARCH
+	local t=${1:-${CHOST}}
+	case ${t} in
+		*86*-pc-solaris2*) echo "i86pc"   ;;
+		aarch64*)          echo "aarch64" ;;
+		hppa*)             echo "parisc"  ;;
+		i?86*)             echo "i686"    ;;
+		x86_64*)           echo "x86_64"  ;;
+		*)                 tc-arch ${t}   ;;
+	esac
+}
+
+nssbits() {
+	local cc cppflags="${1}CPPFLAGS" cflags="${1}CFLAGS"
+	if [[ ${1} == BUILD_ ]]; then
+		cc=$(tc-getBUILD_CC)
+	else
+		cc=$(tc-getCC)
+	fi
+	echo > "${T}"/test.c || die
+	${cc} ${!cppflags} ${!cflags} -c "${T}"/test.c -o "${T}/${1}test.o" || die
+	case $(file "${T}/${1}test.o") in
+		*32-bit*x86-64*) echo USE_X32=1;;
+		*64-bit*|*ppc64*|*x86_64*) echo USE_64=1;;
+		*32-bit*|*ppc*|*i386*) ;;
+		*) die "Failed to detect whether ${cc} builds 64bits or 32bits, disable distcc if you're using it, please";;
+	esac
+}
+
+multilib_src_compile() {
+	# use ABI to determine bit'ness, or fallback if unset
+	local buildbits mybits
+	case "${ABI}" in
+		n32) mybits="USE_N32=1";;
+		x32) mybits="USE_X32=1";;
+		s390x|*64) mybits="USE_64=1";;
+		${DEFAULT_ABI})
+			einfo "Running compilation test to determine bit'ness"
+			mybits=$(nssbits)
+			;;
+	esac
+	# bitness of host may differ from target
+	if tc-is-cross-compiler; then
+		buildbits=$(nssbits BUILD_)
+	fi
+
+	local makeargs=(
+		CC="$(tc-getCC)"
+		CCC="$(tc-getCXX)"
+		AR="$(tc-getAR) rc \$@"
+		RANLIB="$(tc-getRANLIB)"
+		OPTIMIZER=
+		${mybits}
+		disable_ckbi=0
+	)
+
+	# Take care of nspr settings #436216
+	local myCPPFLAGS="${CPPFLAGS} $($(tc-getPKG_CONFIG) nspr --cflags)"
+	unset NSPR_INCLUDE_DIR
+
+	export NSS_ALLOW_SSLKEYLOGFILE=1
+	export NSS_ENABLE_WERROR=0 #567158
+	export BUILD_OPT=1
+	export NSS_USE_SYSTEM_SQLITE=1
+	export NSDISTMODE=copy
+	export FREEBL_NO_DEPEND=1
+	export FREEBL_LOWHASH=1
+	export NSS_SEED_ONLY_DEV_URANDOM=1
+	export USE_SYSTEM_ZLIB=1
+	export ZLIB_LIBS=-lz
+	export ASFLAGS=""
+	# Fix build failure on arm64
+	export NS_USE_GCC=1
+	# Detect compiler type and set proper environment value
+	if tc-is-gcc; then
+		export CC_IS_GCC=1
+	elif tc-is-clang; then
+		export CC_IS_CLANG=1
+	fi
+
+	export NSS_DISABLE_GTESTS=$(usex !test 1 0)
+
+	# explicitly disable altivec/vsx if not requested
+	# https://bugs.gentoo.org/789114
+	case ${ARCH} in
+		ppc*)
+			use cpu_flags_ppc_altivec || export NSS_DISABLE_ALTIVEC=1
+			use cpu_flags_ppc_vsx || export NSS_DISABLE_CRYPTO_VSX=1
+			;;
+	esac
+
+	local d
+
+	# Build the host tools first.
+	LDFLAGS="${BUILD_LDFLAGS}" \
+	XCFLAGS="${BUILD_CFLAGS}" \
+	NSPR_LIB_DIR="${T}/fakedir" \
+	emake -C coreconf \
+		CC="$(tc-getBUILD_CC)" \
+		${buildbits-${mybits}}
+	makeargs+=( NSINSTALL="${PWD}/$(find -type f -name nsinstall)" )
+
+	# Then build the target tools.
+	for d in . lib/dbm ; do
+		CPPFLAGS="${myCPPFLAGS}" \
+		XCFLAGS="${CFLAGS} ${CPPFLAGS}" \
+		NSPR_LIB_DIR="${T}/fakedir" \
+		emake "${makeargs[@]}" -C ${d} OS_TEST="$(nssarch)"
+	done
+}
+
+multilib_src_test() {
+	einfo "Tests can take a *long* time, especially on a multilib system."
+	einfo "30-45+ minutes per lib configuration. Bug #852755"
+
+	# https://www.linuxfromscratch.org/blfs/view/svn/postlfs/nss.html
+	# https://firefox-source-docs.mozilla.org/security/nss/legacy/nss_sources_building_testing/index.html#running_the_nss_test_suite
+	# https://www-archive.mozilla.org/projects/security/pki/nss/testnss_32.html (older)
+	export BUILD_OPT=1
+	export HOST="localhost"
+	export DOMSUF="localdomain"
+	export USE_IP=TRUE
+	export IP_ADDRESS="127.0.0.1"
+
+	NSINSTALL="${PWD}/$(find -type f -name nsinstall)"
+
+	cd "${BUILD_DIR}"/tests || die
+	# Hack to get current objdir (prefixed dir where built binaries are)
+	# Without this, at least multilib tests go wrong when building the amd64 variant
+	# after x86.
+	local objdir=$(find "${BUILD_DIR}"/dist -maxdepth 1 -iname Linux* | rev | cut -d/ -f1 | rev)
+
+	# Can tweak to a subset of tests in future if we need to, but would prefer not
+	OBJDIR="${objdir}" DIST="${BUILD_DIR}/dist" MOZILLA_ROOT="${BUILD_DIR}" ./all.sh || die
+}
+
+# Altering these 3 libraries breaks the CHK verification.
+# All of the following cause it to break:
+# - stripping
+# - prelink
+# - ELF signing
+# http://www.mozilla.org/projects/security/pki/nss/tech-notes/tn6.html
+# Either we have to NOT strip them, or we have to forcibly resign after
+# stripping.
+#local_libdir="$(get_libdir)"
+#export STRIP_MASK="
+#	*/${local_libdir}/libfreebl3.so*
+#	*/${local_libdir}/libnssdbm3.so*
+#	*/${local_libdir}/libsoftokn3.so*"
+
+export NSS_CHK_SIGN_LIBS="freebl3 nssdbm3 softokn3"
+
+generate_chk() {
+	local shlibsign="$1"
+	local libdir="$2"
+	einfo "Resigning core NSS libraries for FIPS validation"
+	shift 2
+	local i
+	for i in ${NSS_CHK_SIGN_LIBS} ; do
+		local libname=lib${i}.so
+		local chkname=lib${i}.chk
+		"${shlibsign}" \
+			-i "${libdir}"/${libname} \
+			-o "${libdir}"/${chkname}.tmp \
+		&& mv -f \
+			"${libdir}"/${chkname}.tmp \
+			"${libdir}"/${chkname} \
+		|| die "Failed to sign ${libname}"
+	done
+}
+
+cleanup_chk() {
+	local libdir="$1"
+	shift 1
+	local i
+	for i in ${NSS_CHK_SIGN_LIBS} ; do
+		local libfname="${libdir}/lib${i}.so"
+		# If the major version has changed, then we have old chk files.
+		[ ! -f "${libfname}" -a -f "${libfname}.chk" ] \
+			&& rm -f "${libfname}.chk"
+	done
+}
+
+multilib_src_install() {
+	pushd dist >/dev/null || die
+
+	dodir /usr/$(get_libdir)
+	cp -L */lib/*$(get_libname) "${ED}"/usr/$(get_libdir) || die "copying shared libs failed"
+	local i
+	for i in crmf freebl nssb nssckfw ; do
+		cp -L */lib/lib${i}.a "${ED}"/usr/$(get_libdir) || die "copying libs failed"
+	done
+
+	# Install nss-config and pkgconfig file
+	dodir /usr/bin
+	cp -L */bin/nss-config "${ED}"/usr/bin || die
+	dodir /usr/$(get_libdir)/pkgconfig
+	cp -L */lib/pkgconfig/nss.pc "${ED}"/usr/$(get_libdir)/pkgconfig || die
+
+	# create an nss-softokn.pc from nss.pc for libfreebl and some private headers
+	# bug 517266
+	sed 	-e 's#Libs:#Libs: -lfreebl#' \
+		-e 's#Cflags:#Cflags: -I${includedir}/private#' \
+		*/lib/pkgconfig/nss.pc >"${ED}"/usr/$(get_libdir)/pkgconfig/nss-softokn.pc \
+		|| die "could not create nss-softokn.pc"
+
+	# all the include files
+	insinto /usr/include/nss
+	doins public/nss/*.{h,api}
+	insinto /usr/include/nss/private
+	doins private/nss/{blapi,alghmac,cmac}.h
+
+	popd >/dev/null || die
+
+	local f nssutils
+	# Always enabled because we need it for chk generation.
+	nssutils=( shlibsign )
+
+	if multilib_is_native_abi ; then
+		if use utils; then
+			# The tests we do not need to install.
+			#nssutils_test="bltest crmftest dbtest dertimetest
+			#fipstest remtest sdrtest"
+			# checkcert utils has been removed in nss-3.22:
+			# https://bugzilla.mozilla.org/show_bug.cgi?id=1187545
+			# https://hg.mozilla.org/projects/nss/rev/df1729d37870
+			# certcgi has been removed in nss-3.36:
+			# https://bugzilla.mozilla.org/show_bug.cgi?id=1426602
+			nssutils+=(
+				addbuiltin
+				atob
+				baddbdir
+				btoa
+				certutil
+				cmsutil
+				conflict
+				crlutil
+				derdump
+				digest
+				makepqg
+				mangle
+				modutil
+				multinit
+				nonspr10
+				ocspclnt
+				oidcalc
+				p7content
+				p7env
+				p7sign
+				p7verify
+				pk11mode
+				pk12util
+				pp
+				rsaperf
+				selfserv
+				signtool
+				signver
+				ssltap
+				strsclnt
+				symkeyutil
+				tstclnt
+				vfychain
+				vfyserv
+			)
+			# install man-pages for utils (bug #516810)
+			doman doc/nroff/*.1
+		fi
+		pushd dist/*/bin >/dev/null || die
+		for f in ${nssutils[@]}; do
+			dobin ${f}
+		done
+		popd >/dev/null || die
+	fi
+}
+
+pkg_postinst() {
+	multilib_pkg_postinst() {
+		# We must re-sign the libraries AFTER they are stripped.
+		local shlibsign="${EROOT}/usr/bin/shlibsign"
+		# See if we can execute it (cross-compiling & such). #436216
+		"${shlibsign}" -h >&/dev/null
+		if [[ $? -gt 1 ]] ; then
+			shlibsign="shlibsign"
+		fi
+		generate_chk "${shlibsign}" "${EROOT}"/usr/$(get_libdir)
+	}
+
+	multilib_foreach_abi multilib_pkg_postinst
+}
+
+pkg_postrm() {
+	multilib_pkg_postrm() {
+		cleanup_chk "${EROOT}"/usr/$(get_libdir)
+	}
+
+	multilib_foreach_abi multilib_pkg_postrm
+}


^ permalink raw reply related	[flat|nested] 19+ messages in thread
* [gentoo-commits] repo/gentoo:master commit in: dev-libs/nss/, dev-libs/nss/files/
@ 2022-11-01  8:49 Joonas Niilola
  0 siblings, 0 replies; 19+ messages in thread
From: Joonas Niilola @ 2022-11-01  8:49 UTC (permalink / raw
  To: gentoo-commits

commit:     04b9c445ff45199ad6440a218d015bf58f02b72b
Author:     Joonas Niilola <juippis <AT> gentoo <DOT> org>
AuthorDate: Tue Nov  1 08:39:27 2022 +0000
Commit:     Joonas Niilola <juippis <AT> gentoo <DOT> org>
CommitDate: Tue Nov  1 08:49:14 2022 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=04b9c445

dev-libs/nss: add 3.79.2

Bug: https://bugs.gentoo.org/877169
Signed-off-by: Joonas Niilola <juippis <AT> gentoo.org>

 dev-libs/nss/Manifest                              |   1 +
 .../nss/files/nss-3.79-fix-client-cert-crash.patch |  23 ++
 dev-libs/nss/nss-3.79.2.ebuild                     | 391 +++++++++++++++++++++
 3 files changed, 415 insertions(+)

diff --git a/dev-libs/nss/Manifest b/dev-libs/nss/Manifest
index a0b5d5d0b745..dd8aeff08fed 100644
--- a/dev-libs/nss/Manifest
+++ b/dev-libs/nss/Manifest
@@ -1,3 +1,4 @@
 DIST nss-3.79.1.tar.gz 84694831 BLAKE2B 209a502ba4b808bb4cb9b8775328fa26e36c55147ee5da7b8f661349129250f09685dd69919e24d7ff72cc55a2e9cbbbc9c059e543cf1b0a6a08e809be262d4c SHA512 e841efe9d0300d99b50e54c159c75df76c09c34c74bbc9b6ca007ad017b2cb91a8d33f6f4195e52bd8f3ed7be5d53f3ce7ce10825fa21abbf5dbba3db109e037
+DIST nss-3.79.2.tar.gz 84825187 BLAKE2B 9589095a0f3af5201662fe96ba4dac73c661db3abde534941ea61d597dce1016dc06f8559e26fafc940f2b123987381e1faa22ff6a995ef3cc0a9dc4ebe7a4ad SHA512 52ca7574d2bb6e2fd874ac40f3e75d58135b103d8bd4b964a9262b5c302b4668ff7c8f5dabbef46e413fd72faeddc44057bc7b489946813331cc9a481d078181
 DIST nss-3.84.tar.gz 84851235 BLAKE2B 5dead5ae336998db97acc6dc2a59b387aac9baeba0f2fad6eaf921bdc894867f6177179545378091d9b50b295b71409781b5ef5044222afe7a1cd2f920a7d15f SHA512 b4ed4b2e44d9f896a4a4c33f92813a84825dc4502f4e14e047f3583666c453138515e6edbcd71144c4b02a8ee16b3443803f1ff12458fd82c338ee1dd911b175
 DIST nss-cacert-class1-class3-r2.patch 21925 BLAKE2B 7627ff9a09f084c19d72d0490676865e3cab3ca7c920ae1ce4bea2db664f37fd0aa84fcda919809a516891ab2a62e2e7a43a9d6ada4c231adfe4c216525fac7d SHA512 1ce6ff9ab310aaca9005eafb461338b291df8523cc7044e096cd75774ce746c26eed19ec6bb2643c6c67f94650f2f309463492d80a90568f38ce2557f8ada2f4

diff --git a/dev-libs/nss/files/nss-3.79-fix-client-cert-crash.patch b/dev-libs/nss/files/nss-3.79-fix-client-cert-crash.patch
new file mode 100644
index 000000000000..5f80fdc09b7e
--- /dev/null
+++ b/dev-libs/nss/files/nss-3.79-fix-client-cert-crash.patch
@@ -0,0 +1,23 @@
+diff --git a/lib/ssl/authcert.c b/lib/ssl/authcert.c
+--- a/lib/ssl/authcert.c
++++ b/lib/ssl/authcert.c
+@@ -212,17 +212,17 @@ NSS_GetClientAuthData(void *arg,
+                                                pw_arg);
+         } else {
+             int nnames = 0;
+             char **names = ssl_DistNamesToStrings(caNames, &nnames);
+             rv = CERT_FilterCertListByCANames(certList, nnames, names,
+                                               certUsageSSLClient);
+             ssl_FreeDistNamesStrings(names, nnames);
+         }
+-        if ((rv != SECSuccess) || CERT_LIST_EMPTY(certList)) {
++        if ((rv != SECSuccess) || (certList && CERT_LIST_EMPTY(certList))) {
+             CERT_DestroyCertList(certList);
+             certList = NULL;
+         }
+     }
+     if (certList == NULL) {
+         /* no user certs meeting the nickname/usage requirements found */
+         return SECFailure;
+     }
+

diff --git a/dev-libs/nss/nss-3.79.2.ebuild b/dev-libs/nss/nss-3.79.2.ebuild
new file mode 100644
index 000000000000..7f2b0be9c181
--- /dev/null
+++ b/dev-libs/nss/nss-3.79.2.ebuild
@@ -0,0 +1,391 @@
+# Copyright 1999-2022 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+inherit flag-o-matic multilib toolchain-funcs multilib-minimal
+
+NSPR_VER="4.34.1"
+RTM_NAME="NSS_${PV//./_}_RTM"
+
+DESCRIPTION="Mozilla's Network Security Services library that implements PKI support"
+HOMEPAGE="https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS"
+SRC_URI="https://archive.mozilla.org/pub/security/nss/releases/${RTM_NAME}/src/${P}.tar.gz
+	cacert? ( https://dev.gentoo.org/~whissi/dist/ca-certificates/nss-cacert-class1-class3-r2.patch )"
+
+LICENSE="|| ( MPL-2.0 GPL-2 LGPL-2.1 )"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~amd64-linux ~x86-linux ~x64-solaris ~x86-solaris"
+IUSE="cacert test +utils cpu_flags_ppc_altivec cpu_flags_ppc_vsx"
+RESTRICT="!test? ( test )"
+# pkg-config called by nss-config -> virtual/pkgconfig in RDEPEND
+RDEPEND="
+	>=dev-libs/nspr-${NSPR_VER}[${MULTILIB_USEDEP}]
+	>=dev-db/sqlite-3.8.2[${MULTILIB_USEDEP}]
+	>=sys-libs/zlib-1.2.8-r1[${MULTILIB_USEDEP}]
+	virtual/pkgconfig
+"
+DEPEND="${RDEPEND}"
+BDEPEND="dev-lang/perl"
+
+S="${WORKDIR}/${P}/${PN}"
+
+MULTILIB_CHOST_TOOLS=(
+	/usr/bin/nss-config
+)
+
+PATCHES=(
+	# Custom changes for gentoo
+	"${FILESDIR}/${PN}-3.21-gentoo-fixup-warnings.patch"
+	"${FILESDIR}/${PN}-3.23-hppa-byte_order.patch"
+	"${FILESDIR}/${PN}-3.53-gentoo-fixups.patch"
+	"${FILESDIR}/${PN}-3.79-fix-client-cert-crash.patch"
+	"${FILESDIR}/${PN}-3.79-gcc-13.patch"
+)
+
+src_prepare() {
+	default
+
+	if use cacert ; then
+		eapply -p2 "${DISTDIR}"/nss-cacert-class1-class3-r2.patch
+	fi
+
+	pushd coreconf >/dev/null || die
+
+	# hack nspr paths
+	echo 'INCLUDES += -I$(DIST)/include/dbm' \
+		>> headers.mk || die "failed to append include"
+
+	# modify install path
+	sed -e '/CORE_DEPTH/s:SOURCE_PREFIX.*$:SOURCE_PREFIX = $(CORE_DEPTH)/dist:' \
+		-i source.mk || die
+
+	# Respect LDFLAGS
+	sed -i -e 's/\$(MKSHLIB) -o/\$(MKSHLIB) \$(LDFLAGS) -o/g' rules.mk
+
+	popd >/dev/null || die
+
+	# Fix pkgconfig file for Prefix
+	sed -i -e "/^PREFIX =/s:= /usr:= ${EPREFIX}/usr:" \
+		config/Makefile || die
+
+	# use host shlibsign if need be #436216
+	if tc-is-cross-compiler ; then
+		sed -i \
+			-e 's:"${2}"/shlibsign:shlibsign:' \
+			cmd/shlibsign/sign.sh || die
+	fi
+
+	# dirty hack
+	sed -i -e "/CRYPTOLIB/s:\$(SOFTOKEN_LIB_DIR):../freebl/\$(OBJDIR):" \
+		lib/ssl/config.mk || die
+	sed -i -e "/CRYPTOLIB/s:\$(SOFTOKEN_LIB_DIR):../../lib/freebl/\$(OBJDIR):" \
+		cmd/platlibs.mk || die
+
+	multilib_copy_sources
+
+	strip-flags
+}
+
+multilib_src_configure() {
+	# Ensure we stay multilib aware
+	sed -i -e "/@libdir@/ s:lib64:$(get_libdir):" config/Makefile || die
+}
+
+nssarch() {
+	# Most of the arches are the same as $ARCH
+	local t=${1:-${CHOST}}
+	case ${t} in
+		*86*-pc-solaris2*) echo "i86pc"   ;;
+		aarch64*)          echo "aarch64" ;;
+		hppa*)             echo "parisc"  ;;
+		i?86*)             echo "i686"    ;;
+		x86_64*)           echo "x86_64"  ;;
+		*)                 tc-arch ${t}   ;;
+	esac
+}
+
+nssbits() {
+	local cc cppflags="${1}CPPFLAGS" cflags="${1}CFLAGS"
+	if [[ ${1} == BUILD_ ]]; then
+		cc=$(tc-getBUILD_CC)
+	else
+		cc=$(tc-getCC)
+	fi
+	echo > "${T}"/test.c || die
+	${cc} ${!cppflags} ${!cflags} -c "${T}"/test.c -o "${T}/${1}test.o" || die
+	case $(file "${T}/${1}test.o") in
+		*32-bit*x86-64*) echo USE_X32=1;;
+		*64-bit*|*ppc64*|*x86_64*) echo USE_64=1;;
+		*32-bit*|*ppc*|*i386*) ;;
+		*) die "Failed to detect whether ${cc} builds 64bits or 32bits, disable distcc if you're using it, please";;
+	esac
+}
+
+multilib_src_compile() {
+	# use ABI to determine bit'ness, or fallback if unset
+	local buildbits mybits
+	case "${ABI}" in
+		n32) mybits="USE_N32=1";;
+		x32) mybits="USE_X32=1";;
+		s390x|*64) mybits="USE_64=1";;
+		${DEFAULT_ABI})
+			einfo "Running compilation test to determine bit'ness"
+			mybits=$(nssbits)
+			;;
+	esac
+	# bitness of host may differ from target
+	if tc-is-cross-compiler; then
+		buildbits=$(nssbits BUILD_)
+	fi
+
+	local makeargs=(
+		CC="$(tc-getCC)"
+		CCC="$(tc-getCXX)"
+		AR="$(tc-getAR) rc \$@"
+		RANLIB="$(tc-getRANLIB)"
+		OPTIMIZER=
+		${mybits}
+	)
+
+	# Take care of nspr settings #436216
+	local myCPPFLAGS="${CPPFLAGS} $($(tc-getPKG_CONFIG) nspr --cflags)"
+	unset NSPR_INCLUDE_DIR
+
+	export NSS_ALLOW_SSLKEYLOGFILE=1
+	export NSS_ENABLE_WERROR=0 #567158
+	export BUILD_OPT=1
+	export NSS_USE_SYSTEM_SQLITE=1
+	export NSDISTMODE=copy
+	export FREEBL_NO_DEPEND=1
+	export FREEBL_LOWHASH=1
+	export NSS_SEED_ONLY_DEV_URANDOM=1
+	export USE_SYSTEM_ZLIB=1
+	export ZLIB_LIBS=-lz
+	export ASFLAGS=""
+	# Fix build failure on arm64
+	export NS_USE_GCC=1
+	# Detect compiler type and set proper environment value
+	if tc-is-gcc; then
+		export CC_IS_GCC=1
+	elif tc-is-clang; then
+		export CC_IS_CLANG=1
+	fi
+
+	export NSS_DISABLE_GTESTS=$(usex !test 1 0)
+
+	# explicitly disable altivec/vsx if not requested
+	# https://bugs.gentoo.org/789114
+	case ${ARCH} in
+		ppc*)
+			use cpu_flags_ppc_altivec || export NSS_DISABLE_ALTIVEC=1
+			use cpu_flags_ppc_vsx || export NSS_DISABLE_CRYPTO_VSX=1
+			;;
+	esac
+
+	local d
+
+	# Build the host tools first.
+	LDFLAGS="${BUILD_LDFLAGS}" \
+	XCFLAGS="${BUILD_CFLAGS}" \
+	NSPR_LIB_DIR="${T}/fakedir" \
+	emake -C coreconf \
+		CC="$(tc-getBUILD_CC)" \
+		${buildbits-${mybits}}
+	makeargs+=( NSINSTALL="${PWD}/$(find -type f -name nsinstall)" )
+
+	# Then build the target tools.
+	for d in . lib/dbm ; do
+		CPPFLAGS="${myCPPFLAGS}" \
+		XCFLAGS="${CFLAGS} ${CPPFLAGS}" \
+		NSPR_LIB_DIR="${T}/fakedir" \
+		emake "${makeargs[@]}" -C ${d} OS_TEST="$(nssarch)"
+	done
+}
+
+multilib_src_test() {
+	einfo "Tests can take a *long* time, especially on a multilib system."
+	einfo "30-45+ minutes per lib configuration. Bug #852755"
+
+	# https://www.linuxfromscratch.org/blfs/view/svn/postlfs/nss.html
+	# https://firefox-source-docs.mozilla.org/security/nss/legacy/nss_sources_building_testing/index.html#running_the_nss_test_suite
+	# https://www-archive.mozilla.org/projects/security/pki/nss/testnss_32.html (older)
+	export BUILD_OPT=1
+	export HOST="localhost"
+	export DOMSUF="localdomain"
+	export USE_IP=TRUE
+	export IP_ADDRESS="127.0.0.1"
+
+	NSINSTALL="${PWD}/$(find -type f -name nsinstall)"
+
+	cd "${BUILD_DIR}"/tests || die
+	# Hack to get current objdir (prefixed dir where built binaries are)
+	# Without this, at least multilib tests go wrong when building the amd64 variant
+	# after x86.
+	local objdir=$(find "${BUILD_DIR}"/dist -maxdepth 1 -iname Linux* | rev | cut -d/ -f1 | rev)
+
+	# Can tweak to a subset of tests in future if we need to, but would prefer not
+	OBJDIR="${objdir}" DIST="${BUILD_DIR}/dist" MOZILLA_ROOT="${BUILD_DIR}" ./all.sh || die
+}
+
+# Altering these 3 libraries breaks the CHK verification.
+# All of the following cause it to break:
+# - stripping
+# - prelink
+# - ELF signing
+# http://www.mozilla.org/projects/security/pki/nss/tech-notes/tn6.html
+# Either we have to NOT strip them, or we have to forcibly resign after
+# stripping.
+#local_libdir="$(get_libdir)"
+#export STRIP_MASK="
+#	*/${local_libdir}/libfreebl3.so*
+#	*/${local_libdir}/libnssdbm3.so*
+#	*/${local_libdir}/libsoftokn3.so*"
+
+export NSS_CHK_SIGN_LIBS="freebl3 nssdbm3 softokn3"
+
+generate_chk() {
+	local shlibsign="$1"
+	local libdir="$2"
+	einfo "Resigning core NSS libraries for FIPS validation"
+	shift 2
+	local i
+	for i in ${NSS_CHK_SIGN_LIBS} ; do
+		local libname=lib${i}.so
+		local chkname=lib${i}.chk
+		"${shlibsign}" \
+			-i "${libdir}"/${libname} \
+			-o "${libdir}"/${chkname}.tmp \
+		&& mv -f \
+			"${libdir}"/${chkname}.tmp \
+			"${libdir}"/${chkname} \
+		|| die "Failed to sign ${libname}"
+	done
+}
+
+cleanup_chk() {
+	local libdir="$1"
+	shift 1
+	local i
+	for i in ${NSS_CHK_SIGN_LIBS} ; do
+		local libfname="${libdir}/lib${i}.so"
+		# If the major version has changed, then we have old chk files.
+		[ ! -f "${libfname}" -a -f "${libfname}.chk" ] \
+			&& rm -f "${libfname}.chk"
+	done
+}
+
+multilib_src_install() {
+	pushd dist >/dev/null || die
+
+	dodir /usr/$(get_libdir)
+	cp -L */lib/*$(get_libname) "${ED}"/usr/$(get_libdir) || die "copying shared libs failed"
+	local i
+	for i in crmf freebl nssb nssckfw ; do
+		cp -L */lib/lib${i}.a "${ED}"/usr/$(get_libdir) || die "copying libs failed"
+	done
+
+	# Install nss-config and pkgconfig file
+	dodir /usr/bin
+	cp -L */bin/nss-config "${ED}"/usr/bin || die
+	dodir /usr/$(get_libdir)/pkgconfig
+	cp -L */lib/pkgconfig/nss.pc "${ED}"/usr/$(get_libdir)/pkgconfig || die
+
+	# create an nss-softokn.pc from nss.pc for libfreebl and some private headers
+	# bug 517266
+	sed -e 's#Libs:#Libs: -lfreebl#' \
+		-e 's#Cflags:#Cflags: -I${includedir}/private#' \
+		*/lib/pkgconfig/nss.pc >"${ED}"/usr/$(get_libdir)/pkgconfig/nss-softokn.pc \
+		|| die "could not create nss-softokn.pc"
+
+	# all the include files
+	insinto /usr/include/nss
+	doins public/nss/*.{h,api}
+	insinto /usr/include/nss/private
+	doins private/nss/{blapi,alghmac,cmac}.h
+
+	popd >/dev/null || die
+
+	local f nssutils
+	# Always enabled because we need it for chk generation.
+	nssutils=( shlibsign )
+
+	if multilib_is_native_abi ; then
+		if use utils; then
+			# The tests we do not need to install.
+			#nssutils_test="bltest crmftest dbtest dertimetest
+			#fipstest remtest sdrtest"
+			# checkcert utils has been removed in nss-3.22:
+			# https://bugzilla.mozilla.org/show_bug.cgi?id=1187545
+			# https://hg.mozilla.org/projects/nss/rev/df1729d37870
+			# certcgi has been removed in nss-3.36:
+			# https://bugzilla.mozilla.org/show_bug.cgi?id=1426602
+			nssutils+=(
+				addbuiltin
+				atob
+				baddbdir
+				btoa
+				certutil
+				cmsutil
+				conflict
+				crlutil
+				derdump
+				digest
+				makepqg
+				mangle
+				modutil
+				multinit
+				nonspr10
+				ocspclnt
+				oidcalc
+				p7content
+				p7env
+				p7sign
+				p7verify
+				pk11mode
+				pk12util
+				pp
+				rsaperf
+				selfserv
+				signtool
+				signver
+				ssltap
+				strsclnt
+				symkeyutil
+				tstclnt
+				vfychain
+				vfyserv
+			)
+			# install man-pages for utils (bug #516810)
+			doman doc/nroff/*.1
+		fi
+		pushd dist/*/bin >/dev/null || die
+		for f in ${nssutils[@]}; do
+			dobin ${f}
+		done
+		popd >/dev/null || die
+	fi
+}
+
+pkg_postinst() {
+	multilib_pkg_postinst() {
+		# We must re-sign the libraries AFTER they are stripped.
+		local shlibsign="${EROOT}/usr/bin/shlibsign"
+		# See if we can execute it (cross-compiling & such). #436216
+		"${shlibsign}" -h >&/dev/null
+		if [[ $? -gt 1 ]] ; then
+			shlibsign="shlibsign"
+		fi
+		generate_chk "${shlibsign}" "${EROOT}"/usr/$(get_libdir)
+	}
+
+	multilib_foreach_abi multilib_pkg_postinst
+}
+
+pkg_postrm() {
+	multilib_pkg_postrm() {
+		cleanup_chk "${EROOT}"/usr/$(get_libdir)
+	}
+
+	multilib_foreach_abi multilib_pkg_postrm
+}


^ permalink raw reply related	[flat|nested] 19+ messages in thread
* [gentoo-commits] repo/gentoo:master commit in: dev-libs/nss/, dev-libs/nss/files/
@ 2021-04-16 11:34 Thomas Deutschmann
  0 siblings, 0 replies; 19+ messages in thread
From: Thomas Deutschmann @ 2021-04-16 11:34 UTC (permalink / raw
  To: gentoo-commits

commit:     d81e6654725a8f93a3046cdd1c018612bffe7b2e
Author:     Thomas Deutschmann <whissi <AT> gentoo <DOT> org>
AuthorDate: Fri Apr 16 10:54:22 2021 +0000
Commit:     Thomas Deutschmann <whissi <AT> gentoo <DOT> org>
CommitDate: Fri Apr 16 11:34:00 2021 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d81e6654

dev-libs/nss: drop old

Package-Manager: Portage-3.0.18, Repoman-3.0.3
Signed-off-by: Thomas Deutschmann <whissi <AT> gentoo.org>

 dev-libs/nss/Manifest                              |   2 -
 .../nss/files/nss-3.53-fix-building-on-ppc.patch   |  39 ---
 ...8-always-tolerate-the-first-CCS-in-TLS1.3.patch | 200 ------------
 dev-libs/nss/nss-3.58-r2.ebuild                    | 360 ---------------------
 dev-libs/nss/nss-3.62.ebuild                       | 359 --------------------
 5 files changed, 960 deletions(-)

diff --git a/dev-libs/nss/Manifest b/dev-libs/nss/Manifest
index c54a531abad..94f7cbcc143 100644
--- a/dev-libs/nss/Manifest
+++ b/dev-libs/nss/Manifest
@@ -1,4 +1,2 @@
-DIST nss-3.58.tar.gz 81846254 BLAKE2B f8e7d0b231916b197ad21706a057d055f8377059d76d4f09aff523cc4cd071a3184f02dc488259df22109b70be7b8a5d5fa7ea2273a830de825cc9a8c95dcca9 SHA512 03d2ab1517ac07620ea3f02dcf680cf019e0129006ff2559b2d0a047036340c20b98c9679b17a594e5502aa30e158caf309f046901b9ec7c7adeeaa13ec50b80
-DIST nss-3.62.tar.gz 82159506 BLAKE2B 9abd7504766fb57214a16608a7299f8cf6d25c9a4e285665eabd812bce536ba244b698de31fd53796148f3856e4bee6c8a03ce5b6c5234a9337d7af8f300f007 SHA512 7044008ea8e5d6f658da96e202a896e24a1ffa29d7ca862f32ed37cfa09adf8c2d5fbc371e3af6bc5151b2d1216c38207976b41888d5ad8efd4dc3049cb5831d
 DIST nss-3.63.tar.gz 82167087 BLAKE2B 3db1aea3aea8373ba8e285a5a87e8b5e39107af8cc5977701fb2fe29b6e7657dba1b1ea3bf80aa0768b0d5f6d130cacc3e029eec69b071a0d87da0825860ffd9 SHA512 2f1f75dce7fd049453cbcf53263a3d9d4d9e62ad2cc2fef4dd0d5645fe14dad4ce47ed64aae507a09214d7fccbe83c142844121f55b44783e5a1bcfe24ea671c
 DIST nss-cacert-class1-class3.patch 22950 BLAKE2B 9d5e60df5f161a3c27c41e5a9419440a54f888eda454e3cde5ebe626d4075b65cf9938b5144d0fb022377f4bd415bff5e5c67d104409860aa9391b3eb8872c68 SHA512 a5aa740bf110a3f0262e3f1ef2fc739ac2b44f042e220039d48aee8e97cd764d5c10718220364f4098aba955882bd02cadb5481512388971a8290312f88a7df0

diff --git a/dev-libs/nss/files/nss-3.53-fix-building-on-ppc.patch b/dev-libs/nss/files/nss-3.53-fix-building-on-ppc.patch
deleted file mode 100644
index 962b9cb1eed..00000000000
--- a/dev-libs/nss/files/nss-3.53-fix-building-on-ppc.patch
+++ /dev/null
@@ -1,39 +0,0 @@
-https://bugzilla.mozilla.org/show_bug.cgi?id=1642174
-
-From a7a862bab5e4aae4615ddae3cbe230345f92ed0d Mon Sep 17 00:00:00 2001
-From: Lauri Kasanen <cand@gmx.com>
-Date: Mon, 1 Jun 2020 12:11:45 +0300
-Subject: [PATCH v3] Bug 1642174 /usr/bin/ld: OBJS/Linux_SINGLE_SHLIB/sha512-p8.o:
- ABI version 2 is not compatible with ABI version 1 output
-
-Don't try to build the SHA-2 accelerated asm on old-ABI ppc.
-
-Currently make only, I don't have enough gyp-fu to do that side.
-However, the reporters of 1642174 and 1635625 both used make, not gyp.
-
-Signed-off-by: Lauri Kasanen <cand@gmx.com>
----
- lib/freebl/Makefile | 5 ++++-
- 1 file changed, 4 insertions(+), 1 deletion(-)
-
-diff --git a/lib/freebl/Makefile b/lib/freebl/Makefile
-index 5f7384429..e0461c7d3 100644
---- a/lib/freebl/Makefile
-+++ b/lib/freebl/Makefile
-@@ -267,9 +267,12 @@ ifeq ($(CPU_ARCH),arm)
- endif
- ifeq ($(CPU_ARCH),ppc)
-     EXTRA_SRCS += gcm-ppc.c
--    ASFILES += sha512-p8.s
- ifdef USE_64
-     DEFINES += -DNSS_NO_INIT_SUPPORT
-+    PPC_ABI := $(shell $(CC) -dM -E - < /dev/null | awk '$$2 == "_CALL_ELF" {print $$3}')
-+    ifeq ($(PPC_ABI),2)
-+        ASFILES += sha512-p8.s
-+    endif
- endif # USE_64
- endif # ppc
- endif # Linux
--- 
-2.19.1
-

diff --git a/dev-libs/nss/files/nss-3.58-always-tolerate-the-first-CCS-in-TLS1.3.patch b/dev-libs/nss/files/nss-3.58-always-tolerate-the-first-CCS-in-TLS1.3.patch
deleted file mode 100644
index a92c0389936..00000000000
--- a/dev-libs/nss/files/nss-3.58-always-tolerate-the-first-CCS-in-TLS1.3.patch
+++ /dev/null
@@ -1,200 +0,0 @@
-
-# HG changeset patch
-# User Daiki Ueno <dueno@redhat.com>
-# Date 1603691171 -3600
-# Node ID b03a4fc5b902498414b02640dcb2717dfef9682f
-# Parent  6f79a76958129dc09c353c288f115fd9a51ab7d4
-Bug 1672703, always tolerate the first CCS in TLS 1.3, r=mt
-
-Summary:
-This flips the meaning of the flag for checking excessive CCS
-messages, so it only rejects multiple CCS messages while the first CCS
-message is always accepted.
-
-Reviewers: mt
-
-Reviewed By: mt
-
-Bug #: 1672703
-
-Differential Revision: https://phabricator.services.mozilla.com/D94603
-
---- a/gtests/ssl_gtest/ssl_tls13compat_unittest.cc
-+++ b/gtests/ssl_gtest/ssl_tls13compat_unittest.cc
-@@ -343,29 +343,28 @@ TEST_F(TlsConnectStreamTls13, ChangeCiph
-   // Client sends CCS before starting the handshake.
-   client_->SendDirect(DataBuffer(kCannedCcs, sizeof(kCannedCcs)));
-   client_->SendDirect(DataBuffer(kCannedCcs, sizeof(kCannedCcs)));
-   ConnectExpectAlert(server_, kTlsAlertUnexpectedMessage);
-   server_->CheckErrorCode(SSL_ERROR_RX_UNEXPECTED_CHANGE_CIPHER);
-   client_->CheckErrorCode(SSL_ERROR_HANDSHAKE_UNEXPECTED_ALERT);
- }
- 
--// The server rejects a ChangeCipherSpec if the client advertises an
--// empty session ID.
-+// The server accepts a ChangeCipherSpec even if the client advertises
-+// an empty session ID.
- TEST_F(TlsConnectStreamTls13, ChangeCipherSpecAfterClientHelloEmptySid) {
-   EnsureTlsSetup();
-   ConfigureVersion(SSL_LIBRARY_VERSION_TLS_1_3);
- 
-   StartConnect();
-   client_->Handshake();  // Send ClientHello
-   client_->SendDirect(DataBuffer(kCannedCcs, sizeof(kCannedCcs)));  // Send CCS
- 
--  server_->ExpectSendAlert(kTlsAlertUnexpectedMessage);
--  server_->Handshake();  // Consume ClientHello and CCS
--  server_->CheckErrorCode(SSL_ERROR_RX_MALFORMED_CHANGE_CIPHER);
-+  Handshake();
-+  CheckConnected();
- }
- 
- // The server rejects multiple ChangeCipherSpec even if the client
- // indicates compatibility mode with non-empty session ID.
- TEST_F(Tls13CompatTest, ChangeCipherSpecAfterClientHelloTwice) {
-   EnsureTlsSetup();
-   ConfigureVersion(SSL_LIBRARY_VERSION_TLS_1_3);
-   EnableCompatMode();
-@@ -376,36 +375,37 @@ TEST_F(Tls13CompatTest, ChangeCipherSpec
-   client_->SendDirect(DataBuffer(kCannedCcs, sizeof(kCannedCcs)));
-   client_->SendDirect(DataBuffer(kCannedCcs, sizeof(kCannedCcs)));
- 
-   server_->ExpectSendAlert(kTlsAlertUnexpectedMessage);
-   server_->Handshake();  // Consume ClientHello and CCS.
-   server_->CheckErrorCode(SSL_ERROR_RX_MALFORMED_CHANGE_CIPHER);
- }
- 
--// The client rejects a ChangeCipherSpec if it advertises an empty
-+// The client accepts a ChangeCipherSpec even if it advertises an empty
- // session ID.
- TEST_F(TlsConnectStreamTls13, ChangeCipherSpecAfterServerHelloEmptySid) {
-   EnsureTlsSetup();
-   ConfigureVersion(SSL_LIBRARY_VERSION_TLS_1_3);
- 
-   // To replace Finished with a CCS below
-   auto filter = MakeTlsFilter<TlsHandshakeDropper>(server_);
-   filter->SetHandshakeTypes({kTlsHandshakeFinished});
-   filter->EnableDecryption();
- 
-   StartConnect();
-   client_->Handshake();  // Send ClientHello
-   server_->Handshake();  // Consume ClientHello, and
-                          // send ServerHello..CertificateVerify
-   // Send CCS
-   server_->SendDirect(DataBuffer(kCannedCcs, sizeof(kCannedCcs)));
--  client_->ExpectSendAlert(kTlsAlertUnexpectedMessage);
--  client_->Handshake();  // Consume ClientHello and CCS
--  client_->CheckErrorCode(SSL_ERROR_RX_MALFORMED_CHANGE_CIPHER);
-+
-+  // No alert is sent from the client. As Finished is dropped, we
-+  // can't use Handshake() and CheckConnected().
-+  client_->Handshake();
- }
- 
- // The client rejects multiple ChangeCipherSpec in a row even if the
- // client indicates compatibility mode with non-empty session ID.
- TEST_F(Tls13CompatTest, ChangeCipherSpecAfterServerHelloTwice) {
-   EnsureTlsSetup();
-   ConfigureVersion(SSL_LIBRARY_VERSION_TLS_1_3);
-   EnableCompatMode();
---- a/lib/ssl/ssl3con.c
-+++ b/lib/ssl/ssl3con.c
-@@ -6640,21 +6640,17 @@ ssl_CheckServerSessionIdCorrectness(sslS
-         if (sentFakeSid) {
-             return !sidMatch;
-         }
-         return PR_TRUE;
-     }
- 
-     /* TLS 1.3: We sent a session ID.  The server's should match. */
-     if (!IS_DTLS(ss) && (sentRealSid || sentFakeSid)) {
--        if (sidMatch) {
--            ss->ssl3.hs.allowCcs = PR_TRUE;
--            return PR_TRUE;
--        }
--        return PR_FALSE;
-+        return sidMatch;
-     }
- 
-     /* TLS 1.3 (no SID)/DTLS 1.3: The server shouldn't send a session ID. */
-     return sidBytes->len == 0;
- }
- 
- static SECStatus
- ssl_CheckServerRandom(sslSocket *ss)
-@@ -8691,17 +8687,16 @@ ssl3_HandleClientHello(sslSocket *ss, PR
-         if (sidBytes.len > 0 && !IS_DTLS(ss)) {
-             SECITEM_FreeItem(&ss->ssl3.hs.fakeSid, PR_FALSE);
-             rv = SECITEM_CopyItem(NULL, &ss->ssl3.hs.fakeSid, &sidBytes);
-             if (rv != SECSuccess) {
-                 desc = internal_error;
-                 errCode = PORT_GetError();
-                 goto alert_loser;
-             }
--            ss->ssl3.hs.allowCcs = PR_TRUE;
-         }
- 
-         /* TLS 1.3 requires that compression include only null. */
-         if (comps.len != 1 || comps.data[0] != ssl_compression_null) {
-             goto alert_loser;
-         }
- 
-         /* If there is a cookie, then this is a second ClientHello (TLS 1.3). */
-@@ -13061,25 +13056,24 @@ ssl3_HandleRecord(sslSocket *ss, SSL3Cip
-          * will fail if the server fails to negotiate compatibility mode in a
-          * 0-RTT session that is resumed from a session that did negotiate it.
-          * We don't care about that corner case right now. */
-         if (ss->version >= SSL_LIBRARY_VERSION_TLS_1_3 &&
-             cText->hdr[0] == ssl_ct_change_cipher_spec &&
-             ss->ssl3.hs.ws != idle_handshake &&
-             cText->buf->len == 1 &&
-             cText->buf->buf[0] == change_cipher_spec_choice) {
--            if (ss->ssl3.hs.allowCcs) {
--                /* Ignore the first CCS. */
--                ss->ssl3.hs.allowCcs = PR_FALSE;
-+            if (!ss->ssl3.hs.rejectCcs) {
-+                /* Allow only the first CCS. */
-+                ss->ssl3.hs.rejectCcs = PR_TRUE;
-                 return SECSuccess;
--            }
--
--            /* Compatibility mode is not negotiated. */
--            alert = unexpected_message;
--            PORT_SetError(SSL_ERROR_RX_MALFORMED_CHANGE_CIPHER);
-+            } else {
-+                alert = unexpected_message;
-+                PORT_SetError(SSL_ERROR_RX_MALFORMED_CHANGE_CIPHER);
-+            }
-         }
- 
-         if ((IS_DTLS(ss) && !dtls13_AeadLimitReached(spec)) ||
-             (!IS_DTLS(ss) && ss->sec.isServer &&
-              ss->ssl3.hs.zeroRttIgnore == ssl_0rtt_ignore_trial)) {
-             /* Silently drop the packet unless we sent a fatal alert. */
-             if (ss->ssl3.fatalAlertSent) {
-                 return SECFailure;
---- a/lib/ssl/sslimpl.h
-+++ b/lib/ssl/sslimpl.h
-@@ -705,20 +705,17 @@ typedef struct SSL3HandshakeStateStr {
-     sslZeroRttIgnore zeroRttIgnore;       /* Are we ignoring 0-RTT? */
-     ssl3CipherSuite zeroRttSuite;         /* The cipher suite we used for 0-RTT. */
-     PRCList bufferedEarlyData;            /* Buffered TLS 1.3 early data
-                                            * on server.*/
-     PRBool helloRetry;                    /* True if HelloRetryRequest has been sent
-                                            * or received. */
-     PRBool receivedCcs;                   /* A server received ChangeCipherSpec
-                                            * before the handshake started. */
--    PRBool allowCcs;                      /* A server allows ChangeCipherSpec
--                                           * as the middlebox compatibility mode
--                                           * is explicitly indicarted by
--                                           * legacy_session_id in TLS 1.3 ClientHello. */
-+    PRBool rejectCcs;                     /* Excessive ChangeCipherSpecs are rejected. */
-     PRBool clientCertRequested;           /* True if CertificateRequest received. */
-     PRBool endOfFlight;                   /* Processed a full flight (DTLS 1.3). */
-     ssl3KEADef kea_def_mutable;           /* Used to hold the writable kea_def
-                                            * we use for TLS 1.3 */
-     PRUint16 ticketNonce;                 /* A counter we use for tickets. */
-     SECItem fakeSid;                      /* ... (server) the SID the client used. */
- 
-     /* rttEstimate is used to guess the round trip time between server and client.
-

diff --git a/dev-libs/nss/nss-3.58-r2.ebuild b/dev-libs/nss/nss-3.58-r2.ebuild
deleted file mode 100644
index 8ca8cd6f203..00000000000
--- a/dev-libs/nss/nss-3.58-r2.ebuild
+++ /dev/null
@@ -1,360 +0,0 @@
-# Copyright 1999-2021 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=7
-
-inherit flag-o-matic multilib toolchain-funcs multilib-minimal
-
-NSPR_VER="4.29"
-RTM_NAME="NSS_${PV//./_}_RTM"
-
-DESCRIPTION="Mozilla's Network Security Services library that implements PKI support"
-HOMEPAGE="https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS"
-SRC_URI="https://archive.mozilla.org/pub/security/nss/releases/${RTM_NAME}/src/${P}.tar.gz
-	cacert? ( https://dev.gentoo.org/~axs/distfiles/${PN}-cacert-class1-class3.patch )"
-
-LICENSE="|| ( MPL-2.0 GPL-2 LGPL-2.1 )"
-SLOT="0"
-KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 ~m68k ~mips ppc ppc64 ~s390 sparc x86 ~amd64-linux ~x86-linux ~x64-solaris ~x86-solaris"
-IUSE="cacert utils"
-# pkg-config called by nss-config -> virtual/pkgconfig in RDEPEND
-RDEPEND="
-	>=dev-libs/nspr-${NSPR_VER}[${MULTILIB_USEDEP}]
-	>=dev-db/sqlite-3.8.2[${MULTILIB_USEDEP}]
-	>=sys-libs/zlib-1.2.8-r1[${MULTILIB_USEDEP}]
-	virtual/pkgconfig
-"
-DEPEND="${RDEPEND}"
-
-RESTRICT="test"
-
-S="${WORKDIR}/${P}/${PN}"
-
-MULTILIB_CHOST_TOOLS=(
-	/usr/bin/nss-config
-)
-
-PATCHES=(
-	# Custom changes for gentoo
-	"${FILESDIR}/${PN}-3.53-gentoo-fixups.patch"
-	"${FILESDIR}/${PN}-3.21-gentoo-fixup-warnings.patch"
-	"${FILESDIR}/${PN}-3.23-hppa-byte_order.patch"
-	"${FILESDIR}/${PN}-3.53-fix-building-on-ppc.patch"
-	"${FILESDIR}/${PN}-3.58-always-tolerate-the-first-CCS-in-TLS1.3.patch"
-)
-
-src_prepare() {
-	if use cacert ; then #521462
-		PATCHES+=(
-			"${DISTDIR}/${PN}-cacert-class1-class3.patch"
-		)
-	fi
-
-	default
-
-	pushd coreconf >/dev/null || die
-	# hack nspr paths
-	echo 'INCLUDES += -I$(DIST)/include/dbm' \
-		>> headers.mk || die "failed to append include"
-
-	# modify install path
-	sed -e '/CORE_DEPTH/s:SOURCE_PREFIX.*$:SOURCE_PREFIX = $(CORE_DEPTH)/dist:' \
-		-i source.mk || die
-
-	# Respect LDFLAGS
-	sed -i -e 's/\$(MKSHLIB) -o/\$(MKSHLIB) \$(LDFLAGS) -o/g' rules.mk
-	popd >/dev/null || die
-
-	# Fix pkgconfig file for Prefix
-	sed -i -e "/^PREFIX =/s:= /usr:= ${EPREFIX}/usr:" \
-		config/Makefile || die
-
-	# use host shlibsign if need be #436216
-	if tc-is-cross-compiler ; then
-		sed -i \
-			-e 's:"${2}"/shlibsign:shlibsign:' \
-			cmd/shlibsign/sign.sh || die
-	fi
-
-	# dirty hack
-	sed -i -e "/CRYPTOLIB/s:\$(SOFTOKEN_LIB_DIR):../freebl/\$(OBJDIR):" \
-		lib/ssl/config.mk || die
-	sed -i -e "/CRYPTOLIB/s:\$(SOFTOKEN_LIB_DIR):../../lib/freebl/\$(OBJDIR):" \
-		cmd/platlibs.mk || die
-
-	multilib_copy_sources
-
-	strip-flags
-}
-
-multilib_src_configure() {
-	# Ensure we stay multilib aware
-	sed -i -e "/@libdir@/ s:lib64:$(get_libdir):" config/Makefile || die
-}
-
-nssarch() {
-	# Most of the arches are the same as $ARCH
-	local t=${1:-${CHOST}}
-	case ${t} in
-		aarch64*)echo "aarch64";;
-		hppa*)   echo "parisc";;
-		i?86*)   echo "i686";;
-		x86_64*) echo "x86_64";;
-		*)       tc-arch ${t};;
-	esac
-}
-
-nssbits() {
-	local cc cppflags="${1}CPPFLAGS" cflags="${1}CFLAGS"
-	if [[ ${1} == BUILD_ ]]; then
-		cc=$(tc-getBUILD_CC)
-	else
-		cc=$(tc-getCC)
-	fi
-	echo > "${T}"/test.c || die
-	${cc} ${!cppflags} ${!cflags} -c "${T}"/test.c -o "${T}/${1}test.o" || die
-	case $(file "${T}/${1}test.o") in
-		*32-bit*x86-64*) echo USE_X32=1;;
-		*64-bit*|*ppc64*|*x86_64*) echo USE_64=1;;
-		*32-bit*|*ppc*|*i386*) ;;
-		*) die "Failed to detect whether ${cc} builds 64bits or 32bits, disable distcc if you're using it, please";;
-	esac
-}
-
-multilib_src_compile() {
-	# use ABI to determine bit'ness, or fallback if unset
-	local buildbits mybits
-	case "${ABI}" in
-		n32) mybits="USE_N32=1";;
-		x32) mybits="USE_X32=1";;
-		s390x|*64) mybits="USE_64=1";;
-		${DEFAULT_ABI})
-			einfo "Running compilation test to determine bit'ness"
-			mybits=$(nssbits)
-			;;
-	esac
-	# bitness of host may differ from target
-	if tc-is-cross-compiler; then
-		buildbits=$(nssbits BUILD_)
-	fi
-
-	local makeargs=(
-		CC="$(tc-getCC)"
-		CCC="$(tc-getCXX)"
-		AR="$(tc-getAR) rc \$@"
-		RANLIB="$(tc-getRANLIB)"
-		OPTIMIZER=
-		${mybits}
-	)
-
-	# Take care of nspr settings #436216
-	local myCPPFLAGS="${CPPFLAGS} $($(tc-getPKG_CONFIG) nspr --cflags)"
-	unset NSPR_INCLUDE_DIR
-
-	export NSS_ALLOW_SSLKEYLOGFILE=1
-	export NSS_ENABLE_WERROR=0 #567158
-	export BUILD_OPT=1
-	export NSS_USE_SYSTEM_SQLITE=1
-	export NSDISTMODE=copy
-	export FREEBL_NO_DEPEND=1
-	export FREEBL_LOWHASH=1
-	export NSS_SEED_ONLY_DEV_URANDOM=1
-	export USE_SYSTEM_ZLIB=1
-	export ZLIB_LIBS=-lz
-	export ASFLAGS=""
-	# Fix build failure on arm64
-	export NS_USE_GCC=1
-	# Detect compiler type and set proper environment value
-	if tc-is-gcc; then
-		export CC_IS_GCC=1
-	elif tc-is-clang; then
-		export CC_IS_CLANG=1
-	fi
-
-	local d
-
-	# Build the host tools first.
-	LDFLAGS="${BUILD_LDFLAGS}" \
-	XCFLAGS="${BUILD_CFLAGS}" \
-	NSPR_LIB_DIR="${T}/fakedir" \
-	emake -j1 -C coreconf \
-		CC="$(tc-getBUILD_CC)" \
-		${buildbits-${mybits}}
-	makeargs+=( NSINSTALL="${PWD}/$(find -type f -name nsinstall)" )
-
-	# Then build the target tools.
-	for d in . lib/dbm ; do
-		CPPFLAGS="${myCPPFLAGS}" \
-		XCFLAGS="${CFLAGS} ${CPPFLAGS}" \
-		NSPR_LIB_DIR="${T}/fakedir" \
-		emake -j1 "${makeargs[@]}" -C ${d} OS_TEST="$(nssarch)"
-	done
-}
-
-# Altering these 3 libraries breaks the CHK verification.
-# All of the following cause it to break:
-# - stripping
-# - prelink
-# - ELF signing
-# http://www.mozilla.org/projects/security/pki/nss/tech-notes/tn6.html
-# Either we have to NOT strip them, or we have to forcibly resign after
-# stripping.
-#local_libdir="$(get_libdir)"
-#export STRIP_MASK="
-#	*/${local_libdir}/libfreebl3.so*
-#	*/${local_libdir}/libnssdbm3.so*
-#	*/${local_libdir}/libsoftokn3.so*"
-
-export NSS_CHK_SIGN_LIBS="freebl3 nssdbm3 softokn3"
-
-generate_chk() {
-	local shlibsign="$1"
-	local libdir="$2"
-	einfo "Resigning core NSS libraries for FIPS validation"
-	shift 2
-	local i
-	for i in ${NSS_CHK_SIGN_LIBS} ; do
-		local libname=lib${i}.so
-		local chkname=lib${i}.chk
-		"${shlibsign}" \
-			-i "${libdir}"/${libname} \
-			-o "${libdir}"/${chkname}.tmp \
-		&& mv -f \
-			"${libdir}"/${chkname}.tmp \
-			"${libdir}"/${chkname} \
-		|| die "Failed to sign ${libname}"
-	done
-}
-
-cleanup_chk() {
-	local libdir="$1"
-	shift 1
-	local i
-	for i in ${NSS_CHK_SIGN_LIBS} ; do
-		local libfname="${libdir}/lib${i}.so"
-		# If the major version has changed, then we have old chk files.
-		[ ! -f "${libfname}" -a -f "${libfname}.chk" ] \
-			&& rm -f "${libfname}.chk"
-	done
-}
-
-multilib_src_install() {
-	pushd dist >/dev/null || die
-
-	dodir /usr/$(get_libdir)
-	cp -L */lib/*$(get_libname) "${ED}"/usr/$(get_libdir) || die "copying shared libs failed"
-	local i
-	for i in crmf freebl nssb nssckfw ; do
-		cp -L */lib/lib${i}.a "${ED}"/usr/$(get_libdir) || die "copying libs failed"
-	done
-
-	# Install nss-config and pkgconfig file
-	dodir /usr/bin
-	cp -L */bin/nss-config "${ED}"/usr/bin || die
-	dodir /usr/$(get_libdir)/pkgconfig
-	cp -L */lib/pkgconfig/nss.pc "${ED}"/usr/$(get_libdir)/pkgconfig || die
-
-	# create an nss-softokn.pc from nss.pc for libfreebl and some private headers
-	# bug 517266
-	sed 	-e 's#Libs:#Libs: -lfreebl#' \
-		-e 's#Cflags:#Cflags: -I${includedir}/private#' \
-		*/lib/pkgconfig/nss.pc >"${ED}"/usr/$(get_libdir)/pkgconfig/nss-softokn.pc \
-		|| die "could not create nss-softokn.pc"
-
-	# all the include files
-	insinto /usr/include/nss
-	doins public/nss/*.{h,api}
-	insinto /usr/include/nss/private
-	doins private/nss/{blapi,alghmac,cmac}.h
-
-	popd >/dev/null || die
-
-	local f nssutils
-	# Always enabled because we need it for chk generation.
-	nssutils=( shlibsign )
-
-	if multilib_is_native_abi ; then
-		if use utils; then
-			# The tests we do not need to install.
-			#nssutils_test="bltest crmftest dbtest dertimetest
-			#fipstest remtest sdrtest"
-			# checkcert utils has been removed in nss-3.22:
-			# https://bugzilla.mozilla.org/show_bug.cgi?id=1187545
-			# https://hg.mozilla.org/projects/nss/rev/df1729d37870
-			# certcgi has been removed in nss-3.36:
-			# https://bugzilla.mozilla.org/show_bug.cgi?id=1426602
-			nssutils+=(
-				addbuiltin
-				atob
-				baddbdir
-				btoa
-				certutil
-				cmsutil
-				conflict
-				crlutil
-				derdump
-				digest
-				makepqg
-				mangle
-				modutil
-				multinit
-				nonspr10
-				ocspclnt
-				oidcalc
-				p7content
-				p7env
-				p7sign
-				p7verify
-				pk11mode
-				pk12util
-				pp
-				rsaperf
-				selfserv
-				signtool
-				signver
-				ssltap
-				strsclnt
-				symkeyutil
-				tstclnt
-				vfychain
-				vfyserv
-			)
-			# install man-pages for utils (bug #516810)
-			doman doc/nroff/*.1
-		fi
-		pushd dist/*/bin >/dev/null || die
-		for f in ${nssutils[@]}; do
-			dobin ${f}
-		done
-		popd >/dev/null || die
-	fi
-
-	# Prelink breaks the CHK files. We don't have any reliable way to run
-	# shlibsign after prelink.
-	dodir /etc/prelink.conf.d
-	printf -- "-b ${EPREFIX}/usr/$(get_libdir)/lib%s.so\n" ${NSS_CHK_SIGN_LIBS} \
-		> "${ED}"/etc/prelink.conf.d/nss.conf
-}
-
-pkg_postinst() {
-	multilib_pkg_postinst() {
-		# We must re-sign the libraries AFTER they are stripped.
-		local shlibsign="${EROOT}/usr/bin/shlibsign"
-		# See if we can execute it (cross-compiling & such). #436216
-		"${shlibsign}" -h >&/dev/null
-		if [[ $? -gt 1 ]] ; then
-			shlibsign="shlibsign"
-		fi
-		generate_chk "${shlibsign}" "${EROOT}"/usr/$(get_libdir)
-	}
-
-	multilib_foreach_abi multilib_pkg_postinst
-}
-
-pkg_postrm() {
-	multilib_pkg_postrm() {
-		cleanup_chk "${EROOT}"/usr/$(get_libdir)
-	}
-
-	multilib_foreach_abi multilib_pkg_postrm
-}

diff --git a/dev-libs/nss/nss-3.62.ebuild b/dev-libs/nss/nss-3.62.ebuild
deleted file mode 100644
index 5e3240e8db8..00000000000
--- a/dev-libs/nss/nss-3.62.ebuild
+++ /dev/null
@@ -1,359 +0,0 @@
-# Copyright 1999-2021 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=7
-
-inherit flag-o-matic multilib toolchain-funcs multilib-minimal
-
-NSPR_VER="4.29"
-RTM_NAME="NSS_${PV//./_}_RTM"
-
-DESCRIPTION="Mozilla's Network Security Services library that implements PKI support"
-HOMEPAGE="https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS"
-SRC_URI="https://archive.mozilla.org/pub/security/nss/releases/${RTM_NAME}/src/${P}.tar.gz
-	cacert? ( https://dev.gentoo.org/~axs/distfiles/${PN}-cacert-class1-class3.patch )"
-
-LICENSE="|| ( MPL-2.0 GPL-2 LGPL-2.1 )"
-SLOT="0"
-KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sparc ~x86 ~amd64-linux ~x86-linux ~x64-solaris ~x86-solaris"
-IUSE="cacert utils"
-# pkg-config called by nss-config -> virtual/pkgconfig in RDEPEND
-RDEPEND="
-	>=dev-libs/nspr-${NSPR_VER}[${MULTILIB_USEDEP}]
-	>=dev-db/sqlite-3.8.2[${MULTILIB_USEDEP}]
-	>=sys-libs/zlib-1.2.8-r1[${MULTILIB_USEDEP}]
-	virtual/pkgconfig
-"
-DEPEND="${RDEPEND}"
-
-RESTRICT="test"
-
-S="${WORKDIR}/${P}/${PN}"
-
-MULTILIB_CHOST_TOOLS=(
-	/usr/bin/nss-config
-)
-
-PATCHES=(
-	# Custom changes for gentoo
-	"${FILESDIR}/${PN}-3.53-gentoo-fixups.patch"
-	"${FILESDIR}/${PN}-3.21-gentoo-fixup-warnings.patch"
-	"${FILESDIR}/${PN}-3.23-hppa-byte_order.patch"
-)
-
-src_prepare() {
-	if use cacert ; then #521462
-		PATCHES+=(
-			"${DISTDIR}/${PN}-cacert-class1-class3.patch"
-		)
-	fi
-
-	default
-
-	pushd coreconf >/dev/null || die
-	# hack nspr paths
-	echo 'INCLUDES += -I$(DIST)/include/dbm' \
-		>> headers.mk || die "failed to append include"
-
-	# modify install path
-	sed -e '/CORE_DEPTH/s:SOURCE_PREFIX.*$:SOURCE_PREFIX = $(CORE_DEPTH)/dist:' \
-		-i source.mk || die
-
-	# Respect LDFLAGS
-	sed -i -e 's/\$(MKSHLIB) -o/\$(MKSHLIB) \$(LDFLAGS) -o/g' rules.mk
-	popd >/dev/null || die
-
-	# Fix pkgconfig file for Prefix
-	sed -i -e "/^PREFIX =/s:= /usr:= ${EPREFIX}/usr:" \
-		config/Makefile || die
-
-	# use host shlibsign if need be #436216
-	if tc-is-cross-compiler ; then
-		sed -i \
-			-e 's:"${2}"/shlibsign:shlibsign:' \
-			cmd/shlibsign/sign.sh || die
-	fi
-
-	# dirty hack
-	sed -i -e "/CRYPTOLIB/s:\$(SOFTOKEN_LIB_DIR):../freebl/\$(OBJDIR):" \
-		lib/ssl/config.mk || die
-	sed -i -e "/CRYPTOLIB/s:\$(SOFTOKEN_LIB_DIR):../../lib/freebl/\$(OBJDIR):" \
-		cmd/platlibs.mk || die
-
-	multilib_copy_sources
-
-	strip-flags
-}
-
-multilib_src_configure() {
-	# Ensure we stay multilib aware
-	sed -i -e "/@libdir@/ s:lib64:$(get_libdir):" config/Makefile || die
-}
-
-nssarch() {
-	# Most of the arches are the same as $ARCH
-	local t=${1:-${CHOST}}
-	case ${t} in
-		*86*-pc-solaris2*) echo "i86pc"   ;;
-		aarch64*)          echo "aarch64" ;;
-		hppa*)             echo "parisc"  ;;
-		i?86*)             echo "i686"    ;;
-		x86_64*)           echo "x86_64"  ;;
-		*)                 tc-arch ${t}   ;;
-	esac
-}
-
-nssbits() {
-	local cc cppflags="${1}CPPFLAGS" cflags="${1}CFLAGS"
-	if [[ ${1} == BUILD_ ]]; then
-		cc=$(tc-getBUILD_CC)
-	else
-		cc=$(tc-getCC)
-	fi
-	echo > "${T}"/test.c || die
-	${cc} ${!cppflags} ${!cflags} -c "${T}"/test.c -o "${T}/${1}test.o" || die
-	case $(file "${T}/${1}test.o") in
-		*32-bit*x86-64*) echo USE_X32=1;;
-		*64-bit*|*ppc64*|*x86_64*) echo USE_64=1;;
-		*32-bit*|*ppc*|*i386*) ;;
-		*) die "Failed to detect whether ${cc} builds 64bits or 32bits, disable distcc if you're using it, please";;
-	esac
-}
-
-multilib_src_compile() {
-	# use ABI to determine bit'ness, or fallback if unset
-	local buildbits mybits
-	case "${ABI}" in
-		n32) mybits="USE_N32=1";;
-		x32) mybits="USE_X32=1";;
-		s390x|*64) mybits="USE_64=1";;
-		${DEFAULT_ABI})
-			einfo "Running compilation test to determine bit'ness"
-			mybits=$(nssbits)
-			;;
-	esac
-	# bitness of host may differ from target
-	if tc-is-cross-compiler; then
-		buildbits=$(nssbits BUILD_)
-	fi
-
-	local makeargs=(
-		CC="$(tc-getCC)"
-		CCC="$(tc-getCXX)"
-		AR="$(tc-getAR) rc \$@"
-		RANLIB="$(tc-getRANLIB)"
-		OPTIMIZER=
-		${mybits}
-	)
-
-	# Take care of nspr settings #436216
-	local myCPPFLAGS="${CPPFLAGS} $($(tc-getPKG_CONFIG) nspr --cflags)"
-	unset NSPR_INCLUDE_DIR
-
-	export NSS_ALLOW_SSLKEYLOGFILE=1
-	export NSS_ENABLE_WERROR=0 #567158
-	export BUILD_OPT=1
-	export NSS_USE_SYSTEM_SQLITE=1
-	export NSDISTMODE=copy
-	export FREEBL_NO_DEPEND=1
-	export FREEBL_LOWHASH=1
-	export NSS_SEED_ONLY_DEV_URANDOM=1
-	export USE_SYSTEM_ZLIB=1
-	export ZLIB_LIBS=-lz
-	export ASFLAGS=""
-	# Fix build failure on arm64
-	export NS_USE_GCC=1
-	# Detect compiler type and set proper environment value
-	if tc-is-gcc; then
-		export CC_IS_GCC=1
-	elif tc-is-clang; then
-		export CC_IS_CLANG=1
-	fi
-
-	local d
-
-	# Build the host tools first.
-	LDFLAGS="${BUILD_LDFLAGS}" \
-	XCFLAGS="${BUILD_CFLAGS}" \
-	NSPR_LIB_DIR="${T}/fakedir" \
-	emake -j1 -C coreconf \
-		CC="$(tc-getBUILD_CC)" \
-		${buildbits-${mybits}}
-	makeargs+=( NSINSTALL="${PWD}/$(find -type f -name nsinstall)" )
-
-	# Then build the target tools.
-	for d in . lib/dbm ; do
-		CPPFLAGS="${myCPPFLAGS}" \
-		XCFLAGS="${CFLAGS} ${CPPFLAGS}" \
-		NSPR_LIB_DIR="${T}/fakedir" \
-		emake -j1 "${makeargs[@]}" -C ${d} OS_TEST="$(nssarch)"
-	done
-}
-
-# Altering these 3 libraries breaks the CHK verification.
-# All of the following cause it to break:
-# - stripping
-# - prelink
-# - ELF signing
-# http://www.mozilla.org/projects/security/pki/nss/tech-notes/tn6.html
-# Either we have to NOT strip them, or we have to forcibly resign after
-# stripping.
-#local_libdir="$(get_libdir)"
-#export STRIP_MASK="
-#	*/${local_libdir}/libfreebl3.so*
-#	*/${local_libdir}/libnssdbm3.so*
-#	*/${local_libdir}/libsoftokn3.so*"
-
-export NSS_CHK_SIGN_LIBS="freebl3 nssdbm3 softokn3"
-
-generate_chk() {
-	local shlibsign="$1"
-	local libdir="$2"
-	einfo "Resigning core NSS libraries for FIPS validation"
-	shift 2
-	local i
-	for i in ${NSS_CHK_SIGN_LIBS} ; do
-		local libname=lib${i}.so
-		local chkname=lib${i}.chk
-		"${shlibsign}" \
-			-i "${libdir}"/${libname} \
-			-o "${libdir}"/${chkname}.tmp \
-		&& mv -f \
-			"${libdir}"/${chkname}.tmp \
-			"${libdir}"/${chkname} \
-		|| die "Failed to sign ${libname}"
-	done
-}
-
-cleanup_chk() {
-	local libdir="$1"
-	shift 1
-	local i
-	for i in ${NSS_CHK_SIGN_LIBS} ; do
-		local libfname="${libdir}/lib${i}.so"
-		# If the major version has changed, then we have old chk files.
-		[ ! -f "${libfname}" -a -f "${libfname}.chk" ] \
-			&& rm -f "${libfname}.chk"
-	done
-}
-
-multilib_src_install() {
-	pushd dist >/dev/null || die
-
-	dodir /usr/$(get_libdir)
-	cp -L */lib/*$(get_libname) "${ED}"/usr/$(get_libdir) || die "copying shared libs failed"
-	local i
-	for i in crmf freebl nssb nssckfw ; do
-		cp -L */lib/lib${i}.a "${ED}"/usr/$(get_libdir) || die "copying libs failed"
-	done
-
-	# Install nss-config and pkgconfig file
-	dodir /usr/bin
-	cp -L */bin/nss-config "${ED}"/usr/bin || die
-	dodir /usr/$(get_libdir)/pkgconfig
-	cp -L */lib/pkgconfig/nss.pc "${ED}"/usr/$(get_libdir)/pkgconfig || die
-
-	# create an nss-softokn.pc from nss.pc for libfreebl and some private headers
-	# bug 517266
-	sed 	-e 's#Libs:#Libs: -lfreebl#' \
-		-e 's#Cflags:#Cflags: -I${includedir}/private#' \
-		*/lib/pkgconfig/nss.pc >"${ED}"/usr/$(get_libdir)/pkgconfig/nss-softokn.pc \
-		|| die "could not create nss-softokn.pc"
-
-	# all the include files
-	insinto /usr/include/nss
-	doins public/nss/*.{h,api}
-	insinto /usr/include/nss/private
-	doins private/nss/{blapi,alghmac,cmac}.h
-
-	popd >/dev/null || die
-
-	local f nssutils
-	# Always enabled because we need it for chk generation.
-	nssutils=( shlibsign )
-
-	if multilib_is_native_abi ; then
-		if use utils; then
-			# The tests we do not need to install.
-			#nssutils_test="bltest crmftest dbtest dertimetest
-			#fipstest remtest sdrtest"
-			# checkcert utils has been removed in nss-3.22:
-			# https://bugzilla.mozilla.org/show_bug.cgi?id=1187545
-			# https://hg.mozilla.org/projects/nss/rev/df1729d37870
-			# certcgi has been removed in nss-3.36:
-			# https://bugzilla.mozilla.org/show_bug.cgi?id=1426602
-			nssutils+=(
-				addbuiltin
-				atob
-				baddbdir
-				btoa
-				certutil
-				cmsutil
-				conflict
-				crlutil
-				derdump
-				digest
-				makepqg
-				mangle
-				modutil
-				multinit
-				nonspr10
-				ocspclnt
-				oidcalc
-				p7content
-				p7env
-				p7sign
-				p7verify
-				pk11mode
-				pk12util
-				pp
-				rsaperf
-				selfserv
-				signtool
-				signver
-				ssltap
-				strsclnt
-				symkeyutil
-				tstclnt
-				vfychain
-				vfyserv
-			)
-			# install man-pages for utils (bug #516810)
-			doman doc/nroff/*.1
-		fi
-		pushd dist/*/bin >/dev/null || die
-		for f in ${nssutils[@]}; do
-			dobin ${f}
-		done
-		popd >/dev/null || die
-	fi
-
-	# Prelink breaks the CHK files. We don't have any reliable way to run
-	# shlibsign after prelink.
-	dodir /etc/prelink.conf.d
-	printf -- "-b ${EPREFIX}/usr/$(get_libdir)/lib%s.so\n" ${NSS_CHK_SIGN_LIBS} \
-		> "${ED}"/etc/prelink.conf.d/nss.conf
-}
-
-pkg_postinst() {
-	multilib_pkg_postinst() {
-		# We must re-sign the libraries AFTER they are stripped.
-		local shlibsign="${EROOT}/usr/bin/shlibsign"
-		# See if we can execute it (cross-compiling & such). #436216
-		"${shlibsign}" -h >&/dev/null
-		if [[ $? -gt 1 ]] ; then
-			shlibsign="shlibsign"
-		fi
-		generate_chk "${shlibsign}" "${EROOT}"/usr/$(get_libdir)
-	}
-
-	multilib_foreach_abi multilib_pkg_postinst
-}
-
-pkg_postrm() {
-	multilib_pkg_postrm() {
-		cleanup_chk "${EROOT}"/usr/$(get_libdir)
-	}
-
-	multilib_foreach_abi multilib_pkg_postrm
-}


^ permalink raw reply related	[flat|nested] 19+ messages in thread
* [gentoo-commits] repo/gentoo:master commit in: dev-libs/nss/, dev-libs/nss/files/
@ 2021-01-09 13:53 Lars Wendler
  0 siblings, 0 replies; 19+ messages in thread
From: Lars Wendler @ 2021-01-09 13:53 UTC (permalink / raw
  To: gentoo-commits

commit:     d48f363a93e6caf204fb0447c7a35a7288c82ee1
Author:     Lars Wendler <polynomial-c <AT> gentoo <DOT> org>
AuthorDate: Sat Jan  9 13:49:38 2021 +0000
Commit:     Lars Wendler <polynomial-c <AT> gentoo <DOT> org>
CommitDate: Sat Jan  9 13:53:07 2021 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d48f363a

dev-libs/nss: Removed old

Package-Manager: Portage-3.0.12, Repoman-3.0.2
Signed-off-by: Lars Wendler <polynomial-c <AT> gentoo.org>

 dev-libs/nss/Manifest                              |   1 -
 ...t-hold-slot-lock-when-taking-session-lock.patch |  93 ------
 dev-libs/nss/nss-3.59-r1.ebuild                    | 360 ---------------------
 3 files changed, 454 deletions(-)

diff --git a/dev-libs/nss/Manifest b/dev-libs/nss/Manifest
index d5daaa19eb3..7b74a4a17fd 100644
--- a/dev-libs/nss/Manifest
+++ b/dev-libs/nss/Manifest
@@ -1,5 +1,4 @@
 DIST nss-3.58.tar.gz 81846254 BLAKE2B f8e7d0b231916b197ad21706a057d055f8377059d76d4f09aff523cc4cd071a3184f02dc488259df22109b70be7b8a5d5fa7ea2273a830de825cc9a8c95dcca9 SHA512 03d2ab1517ac07620ea3f02dcf680cf019e0129006ff2559b2d0a047036340c20b98c9679b17a594e5502aa30e158caf309f046901b9ec7c7adeeaa13ec50b80
-DIST nss-3.59.tar.gz 82141516 BLAKE2B 74959b14ec42b4628dfc3365af00420cdbd41d202541e9379f6a4448c4496b76307af48c9ec405b370f8770327ce56742b4382f8cd49724b42732ce5cc5b0779 SHA512 8963e846f2ff7222457ae59f042672cf4e44f7752807226f46c215a772fd1cbd65d0ce634da4afb698eabd4eb1c1e78146cc2a089339ada11da03d259c609a38
 DIST nss-3.60.1.tar.gz 82036869 BLAKE2B 71f4ab4ee41a05b05493bb43bd0ebaa6258122ddf6bc82af565121ec32f72ae0f187ac2383501ed8e228b32b796f75a89538c76f737530215b3c6448ef1242a3 SHA512 ba398ddad6f90f3562a041b7fd5fc7b72eb20961cc5c1f4890c3b0d95d438404b26ae6feb54cb8c650707134479a915e1f522f0e9257bc2ede053dd0811156d5
 DIST nss-3.60.tar.gz 82035831 BLAKE2B fffc0e26d58d4625be1b8b0123f248a0c7994b18868ece534ba4d60131dd4897d075d7b2dba672c31ccd333e0c18ea384e2aa2f495c23b5430d6d10b91922873 SHA512 6463b2da28b5d9f1f20d45f77a3179e2b93c874af5742c7fc51eb7c44cef93270acacf79174dc63905f227256cbcee23a36f98f1cfed10dd5c56ffc0a76e2695
 DIST nss-cacert-class1-class3.patch 22950 BLAKE2B 9d5e60df5f161a3c27c41e5a9419440a54f888eda454e3cde5ebe626d4075b65cf9938b5144d0fb022377f4bd415bff5e5c67d104409860aa9391b3eb8872c68 SHA512 a5aa740bf110a3f0262e3f1ef2fc739ac2b44f042e220039d48aee8e97cd764d5c10718220364f4098aba955882bd02cadb5481512388971a8290312f88a7df0

diff --git a/dev-libs/nss/files/nss-3.59-dont-hold-slot-lock-when-taking-session-lock.patch b/dev-libs/nss/files/nss-3.59-dont-hold-slot-lock-when-taking-session-lock.patch
deleted file mode 100644
index be4ebfe4796..00000000000
--- a/dev-libs/nss/files/nss-3.59-dont-hold-slot-lock-when-taking-session-lock.patch
+++ /dev/null
@@ -1,93 +0,0 @@
-
-# HG changeset patch
-# User Kevin Jacobs <kjacobs@mozilla.com>
-# Date 1606813429 0
-# Node ID 19585ccc7a1f0f4e9a8d2b9c5ceeb408ea90acb9
-# Parent  f1e48fbead3d9e69500d7aedc1ef6e4bf334f41e
-Bug 1679290 - Don't hold slot lock when taking session lock r=bbeurdouche
-
-[[ https://hg.mozilla.org/projects/nss/rev/0ed11a5835ac1556ff978362cd61069d48f4c5db | 0ed11a5835ac1556ff978362cd61069d48f4c5db ]] fixed a number of race conditions related to NSSSlot member accesses. Unfortunately the locking order that was imposed by that patch has been found to cause problems for at least one PKCS11 module, libnsspem.
-
-This patch drops nested locking in favor of unlocking/re-locking. While this isn't perfect, the original problem in bug 1663661 was that `slot->token` could become NULL, which we can easily check after reacquiring.
-
-Differential Revision: https://phabricator.services.mozilla.com/D98247
-
-diff --git a/lib/dev/devslot.c b/lib/dev/devslot.c
---- a/lib/dev/devslot.c
-+++ b/lib/dev/devslot.c
-@@ -183,25 +183,32 @@ nssSlot_IsTokenPresent(
-     if ((slot->ckFlags & CKF_TOKEN_PRESENT) == 0) {
-         if (!slot->token) {
-             /* token was never present */
-             isPresent = PR_FALSE;
-             goto done; /* slot lock held */
-         }
-         session = nssToken_GetDefaultSession(slot->token);
-         if (session) {
-+            nssSlot_ExitMonitor(slot);
-             nssSession_EnterMonitor(session);
-             /* token is not present */
-             if (session->handle != CK_INVALID_HANDLE) {
-                 /* session is valid, close and invalidate it */
-                 CKAPI(epv)
-                     ->C_CloseSession(session->handle);
-                 session->handle = CK_INVALID_HANDLE;
-             }
-             nssSession_ExitMonitor(session);
-+            nssSlot_EnterMonitor(slot);
-+            if (!slot->token) {
-+                /* Check token presence after re-acquiring lock */
-+                isPresent = PR_FALSE;
-+                goto done; /* slot lock held */
-+            }
-         }
-         if (slot->token->base.name[0] != 0) {
-             /* notify the high-level cache that the token is removed */
-             slot->token->base.name[0] = 0; /* XXX */
-             nssToken_NotifyCertsNotVisible(slot->token);
-         }
-         slot->token->base.name[0] = 0; /* XXX */
-         /* clear the token cache */
-@@ -218,34 +225,41 @@ nssSlot_IsTokenPresent(
-     }
- 
-     /* token is present, use the session info to determine if the card
-      * has been removed and reinserted.
-      */
-     session = nssToken_GetDefaultSession(slot->token);
-     if (session) {
-         PRBool tokenRemoved;
-+        nssSlot_ExitMonitor(slot);
-         nssSession_EnterMonitor(session);
-         if (session->handle != CK_INVALID_HANDLE) {
-             CK_SESSION_INFO sessionInfo;
-             ckrv = CKAPI(epv)->C_GetSessionInfo(session->handle, &sessionInfo);
-             if (ckrv != CKR_OK) {
-                 /* session is screwy, close and invalidate it */
-                 CKAPI(epv)
-                     ->C_CloseSession(session->handle);
-                 session->handle = CK_INVALID_HANDLE;
-             }
-         }
-         tokenRemoved = (session->handle == CK_INVALID_HANDLE);
-         nssSession_ExitMonitor(session);
-+        nssSlot_EnterMonitor(slot);
-         /* token not removed, finished */
-         if (!tokenRemoved) {
-             isPresent = PR_TRUE;
-             goto done; /* slot lock held */
-         }
-+        if (!slot->token) {
-+            /* Check token presence after re-acquiring lock */
-+            isPresent = PR_FALSE;
-+            goto done; /* slot lock held */
-+        }
-     }
-     /* the token has been removed, and reinserted, or the slot contains
-      * a token it doesn't recognize. invalidate all the old
-      * information we had on this token, if we can't refresh, clear
-      * the present flag */
-     nssToken_NotifyCertsNotVisible(slot->token);
-     nssToken_Remove(slot->token);
-     /* token has been removed, need to refresh with new session */
-

diff --git a/dev-libs/nss/nss-3.59-r1.ebuild b/dev-libs/nss/nss-3.59-r1.ebuild
deleted file mode 100644
index 5342986caa4..00000000000
--- a/dev-libs/nss/nss-3.59-r1.ebuild
+++ /dev/null
@@ -1,360 +0,0 @@
-# Copyright 1999-2021 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=7
-
-inherit flag-o-matic multilib toolchain-funcs multilib-minimal
-
-NSPR_VER="4.29"
-RTM_NAME="NSS_${PV//./_}_RTM"
-
-DESCRIPTION="Mozilla's Network Security Services library that implements PKI support"
-HOMEPAGE="https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS"
-SRC_URI="https://archive.mozilla.org/pub/security/nss/releases/${RTM_NAME}/src/${P}.tar.gz
-	cacert? ( https://dev.gentoo.org/~axs/distfiles/${PN}-cacert-class1-class3.patch )"
-
-LICENSE="|| ( MPL-2.0 GPL-2 LGPL-2.1 )"
-SLOT="0"
-KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sparc ~x86 ~amd64-linux ~x86-linux ~sparc-solaris ~x64-solaris ~x86-solaris"
-IUSE="cacert utils"
-# pkg-config called by nss-config -> virtual/pkgconfig in RDEPEND
-RDEPEND="
-	>=dev-libs/nspr-${NSPR_VER}[${MULTILIB_USEDEP}]
-	>=dev-db/sqlite-3.8.2[${MULTILIB_USEDEP}]
-	>=sys-libs/zlib-1.2.8-r1[${MULTILIB_USEDEP}]
-	virtual/pkgconfig
-"
-DEPEND="${RDEPEND}"
-
-RESTRICT="test"
-
-S="${WORKDIR}/${P}/${PN}"
-
-MULTILIB_CHOST_TOOLS=(
-	/usr/bin/nss-config
-)
-
-PATCHES=(
-	# Custom changes for gentoo
-	"${FILESDIR}/${PN}-3.53-gentoo-fixups.patch"
-	"${FILESDIR}/${PN}-3.21-gentoo-fixup-warnings.patch"
-	"${FILESDIR}/${PN}-3.23-hppa-byte_order.patch"
-	"${FILESDIR}/${PN}-3.53-fix-building-on-ppc.patch"
-	"${FILESDIR}/${PN}-3.59-dont-hold-slot-lock-when-taking-session-lock.patch"
-)
-
-src_prepare() {
-	if use cacert ; then #521462
-		PATCHES+=(
-			"${DISTDIR}/${PN}-cacert-class1-class3.patch"
-		)
-	fi
-
-	default
-
-	pushd coreconf >/dev/null || die
-	# hack nspr paths
-	echo 'INCLUDES += -I$(DIST)/include/dbm' \
-		>> headers.mk || die "failed to append include"
-
-	# modify install path
-	sed -e '/CORE_DEPTH/s:SOURCE_PREFIX.*$:SOURCE_PREFIX = $(CORE_DEPTH)/dist:' \
-		-i source.mk || die
-
-	# Respect LDFLAGS
-	sed -i -e 's/\$(MKSHLIB) -o/\$(MKSHLIB) \$(LDFLAGS) -o/g' rules.mk
-	popd >/dev/null || die
-
-	# Fix pkgconfig file for Prefix
-	sed -i -e "/^PREFIX =/s:= /usr:= ${EPREFIX}/usr:" \
-		config/Makefile || die
-
-	# use host shlibsign if need be #436216
-	if tc-is-cross-compiler ; then
-		sed -i \
-			-e 's:"${2}"/shlibsign:shlibsign:' \
-			cmd/shlibsign/sign.sh || die
-	fi
-
-	# dirty hack
-	sed -i -e "/CRYPTOLIB/s:\$(SOFTOKEN_LIB_DIR):../freebl/\$(OBJDIR):" \
-		lib/ssl/config.mk || die
-	sed -i -e "/CRYPTOLIB/s:\$(SOFTOKEN_LIB_DIR):../../lib/freebl/\$(OBJDIR):" \
-		cmd/platlibs.mk || die
-
-	multilib_copy_sources
-
-	strip-flags
-}
-
-multilib_src_configure() {
-	# Ensure we stay multilib aware
-	sed -i -e "/@libdir@/ s:lib64:$(get_libdir):" config/Makefile || die
-}
-
-nssarch() {
-	# Most of the arches are the same as $ARCH
-	local t=${1:-${CHOST}}
-	case ${t} in
-		aarch64*)echo "aarch64";;
-		hppa*)   echo "parisc";;
-		i?86*)   echo "i686";;
-		x86_64*) echo "x86_64";;
-		*)       tc-arch ${t};;
-	esac
-}
-
-nssbits() {
-	local cc cppflags="${1}CPPFLAGS" cflags="${1}CFLAGS"
-	if [[ ${1} == BUILD_ ]]; then
-		cc=$(tc-getBUILD_CC)
-	else
-		cc=$(tc-getCC)
-	fi
-	echo > "${T}"/test.c || die
-	${cc} ${!cppflags} ${!cflags} -c "${T}"/test.c -o "${T}/${1}test.o" || die
-	case $(file "${T}/${1}test.o") in
-		*32-bit*x86-64*) echo USE_X32=1;;
-		*64-bit*|*ppc64*|*x86_64*) echo USE_64=1;;
-		*32-bit*|*ppc*|*i386*) ;;
-		*) die "Failed to detect whether ${cc} builds 64bits or 32bits, disable distcc if you're using it, please";;
-	esac
-}
-
-multilib_src_compile() {
-	# use ABI to determine bit'ness, or fallback if unset
-	local buildbits mybits
-	case "${ABI}" in
-		n32) mybits="USE_N32=1";;
-		x32) mybits="USE_X32=1";;
-		s390x|*64) mybits="USE_64=1";;
-		${DEFAULT_ABI})
-			einfo "Running compilation test to determine bit'ness"
-			mybits=$(nssbits)
-			;;
-	esac
-	# bitness of host may differ from target
-	if tc-is-cross-compiler; then
-		buildbits=$(nssbits BUILD_)
-	fi
-
-	local makeargs=(
-		CC="$(tc-getCC)"
-		CCC="$(tc-getCXX)"
-		AR="$(tc-getAR) rc \$@"
-		RANLIB="$(tc-getRANLIB)"
-		OPTIMIZER=
-		${mybits}
-	)
-
-	# Take care of nspr settings #436216
-	local myCPPFLAGS="${CPPFLAGS} $($(tc-getPKG_CONFIG) nspr --cflags)"
-	unset NSPR_INCLUDE_DIR
-
-	export NSS_ALLOW_SSLKEYLOGFILE=1
-	export NSS_ENABLE_WERROR=0 #567158
-	export BUILD_OPT=1
-	export NSS_USE_SYSTEM_SQLITE=1
-	export NSDISTMODE=copy
-	export FREEBL_NO_DEPEND=1
-	export FREEBL_LOWHASH=1
-	export NSS_SEED_ONLY_DEV_URANDOM=1
-	export USE_SYSTEM_ZLIB=1
-	export ZLIB_LIBS=-lz
-	export ASFLAGS=""
-	# Fix build failure on arm64
-	export NS_USE_GCC=1
-	# Detect compiler type and set proper environment value
-	if tc-is-gcc; then
-		export CC_IS_GCC=1
-	elif tc-is-clang; then
-		export CC_IS_CLANG=1
-	fi
-
-	local d
-
-	# Build the host tools first.
-	LDFLAGS="${BUILD_LDFLAGS}" \
-	XCFLAGS="${BUILD_CFLAGS}" \
-	NSPR_LIB_DIR="${T}/fakedir" \
-	emake -j1 -C coreconf \
-		CC="$(tc-getBUILD_CC)" \
-		${buildbits-${mybits}}
-	makeargs+=( NSINSTALL="${PWD}/$(find -type f -name nsinstall)" )
-
-	# Then build the target tools.
-	for d in . lib/dbm ; do
-		CPPFLAGS="${myCPPFLAGS}" \
-		XCFLAGS="${CFLAGS} ${CPPFLAGS}" \
-		NSPR_LIB_DIR="${T}/fakedir" \
-		emake -j1 "${makeargs[@]}" -C ${d} OS_TEST="$(nssarch)"
-	done
-}
-
-# Altering these 3 libraries breaks the CHK verification.
-# All of the following cause it to break:
-# - stripping
-# - prelink
-# - ELF signing
-# http://www.mozilla.org/projects/security/pki/nss/tech-notes/tn6.html
-# Either we have to NOT strip them, or we have to forcibly resign after
-# stripping.
-#local_libdir="$(get_libdir)"
-#export STRIP_MASK="
-#	*/${local_libdir}/libfreebl3.so*
-#	*/${local_libdir}/libnssdbm3.so*
-#	*/${local_libdir}/libsoftokn3.so*"
-
-export NSS_CHK_SIGN_LIBS="freebl3 nssdbm3 softokn3"
-
-generate_chk() {
-	local shlibsign="$1"
-	local libdir="$2"
-	einfo "Resigning core NSS libraries for FIPS validation"
-	shift 2
-	local i
-	for i in ${NSS_CHK_SIGN_LIBS} ; do
-		local libname=lib${i}.so
-		local chkname=lib${i}.chk
-		"${shlibsign}" \
-			-i "${libdir}"/${libname} \
-			-o "${libdir}"/${chkname}.tmp \
-		&& mv -f \
-			"${libdir}"/${chkname}.tmp \
-			"${libdir}"/${chkname} \
-		|| die "Failed to sign ${libname}"
-	done
-}
-
-cleanup_chk() {
-	local libdir="$1"
-	shift 1
-	local i
-	for i in ${NSS_CHK_SIGN_LIBS} ; do
-		local libfname="${libdir}/lib${i}.so"
-		# If the major version has changed, then we have old chk files.
-		[ ! -f "${libfname}" -a -f "${libfname}.chk" ] \
-			&& rm -f "${libfname}.chk"
-	done
-}
-
-multilib_src_install() {
-	pushd dist >/dev/null || die
-
-	dodir /usr/$(get_libdir)
-	cp -L */lib/*$(get_libname) "${ED}"/usr/$(get_libdir) || die "copying shared libs failed"
-	local i
-	for i in crmf freebl nssb nssckfw ; do
-		cp -L */lib/lib${i}.a "${ED}"/usr/$(get_libdir) || die "copying libs failed"
-	done
-
-	# Install nss-config and pkgconfig file
-	dodir /usr/bin
-	cp -L */bin/nss-config "${ED}"/usr/bin || die
-	dodir /usr/$(get_libdir)/pkgconfig
-	cp -L */lib/pkgconfig/nss.pc "${ED}"/usr/$(get_libdir)/pkgconfig || die
-
-	# create an nss-softokn.pc from nss.pc for libfreebl and some private headers
-	# bug 517266
-	sed 	-e 's#Libs:#Libs: -lfreebl#' \
-		-e 's#Cflags:#Cflags: -I${includedir}/private#' \
-		*/lib/pkgconfig/nss.pc >"${ED}"/usr/$(get_libdir)/pkgconfig/nss-softokn.pc \
-		|| die "could not create nss-softokn.pc"
-
-	# all the include files
-	insinto /usr/include/nss
-	doins public/nss/*.{h,api}
-	insinto /usr/include/nss/private
-	doins private/nss/{blapi,alghmac,cmac}.h
-
-	popd >/dev/null || die
-
-	local f nssutils
-	# Always enabled because we need it for chk generation.
-	nssutils=( shlibsign )
-
-	if multilib_is_native_abi ; then
-		if use utils; then
-			# The tests we do not need to install.
-			#nssutils_test="bltest crmftest dbtest dertimetest
-			#fipstest remtest sdrtest"
-			# checkcert utils has been removed in nss-3.22:
-			# https://bugzilla.mozilla.org/show_bug.cgi?id=1187545
-			# https://hg.mozilla.org/projects/nss/rev/df1729d37870
-			# certcgi has been removed in nss-3.36:
-			# https://bugzilla.mozilla.org/show_bug.cgi?id=1426602
-			nssutils+=(
-				addbuiltin
-				atob
-				baddbdir
-				btoa
-				certutil
-				cmsutil
-				conflict
-				crlutil
-				derdump
-				digest
-				makepqg
-				mangle
-				modutil
-				multinit
-				nonspr10
-				ocspclnt
-				oidcalc
-				p7content
-				p7env
-				p7sign
-				p7verify
-				pk11mode
-				pk12util
-				pp
-				rsaperf
-				selfserv
-				signtool
-				signver
-				ssltap
-				strsclnt
-				symkeyutil
-				tstclnt
-				vfychain
-				vfyserv
-			)
-			# install man-pages for utils (bug #516810)
-			doman doc/nroff/*.1
-		fi
-		pushd dist/*/bin >/dev/null || die
-		for f in ${nssutils[@]}; do
-			dobin ${f}
-		done
-		popd >/dev/null || die
-	fi
-
-	# Prelink breaks the CHK files. We don't have any reliable way to run
-	# shlibsign after prelink.
-	dodir /etc/prelink.conf.d
-	printf -- "-b ${EPREFIX}/usr/$(get_libdir)/lib%s.so\n" ${NSS_CHK_SIGN_LIBS} \
-		> "${ED}"/etc/prelink.conf.d/nss.conf
-}
-
-pkg_postinst() {
-	multilib_pkg_postinst() {
-		# We must re-sign the libraries AFTER they are stripped.
-		local shlibsign="${EROOT}/usr/bin/shlibsign"
-		# See if we can execute it (cross-compiling & such). #436216
-		"${shlibsign}" -h >&/dev/null
-		if [[ $? -gt 1 ]] ; then
-			shlibsign="shlibsign"
-		fi
-		generate_chk "${shlibsign}" "${EROOT}"/usr/$(get_libdir)
-	}
-
-	multilib_foreach_abi multilib_pkg_postinst
-}
-
-pkg_postrm() {
-	multilib_pkg_postrm() {
-		cleanup_chk "${EROOT}"/usr/$(get_libdir)
-	}
-
-	multilib_foreach_abi multilib_pkg_postrm
-}


^ permalink raw reply related	[flat|nested] 19+ messages in thread
* [gentoo-commits] repo/gentoo:master commit in: dev-libs/nss/, dev-libs/nss/files/
@ 2020-12-01 16:56 Thomas Deutschmann
  0 siblings, 0 replies; 19+ messages in thread
From: Thomas Deutschmann @ 2020-12-01 16:56 UTC (permalink / raw
  To: gentoo-commits

commit:     d3f2cba10c86d044abad85e9b00b539e365eca8f
Author:     Thomas Deutschmann <whissi <AT> gentoo <DOT> org>
AuthorDate: Tue Dec  1 16:53:52 2020 +0000
Commit:     Thomas Deutschmann <whissi <AT> gentoo <DOT> org>
CommitDate: Tue Dec  1 16:56:36 2020 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d3f2cba1

dev-libs/nss: don't hold slot lock when taking session lock

Closes: https://bugs.gentoo.org/756244
Package-Manager: Portage-3.0.10, Repoman-3.0.2
Signed-off-by: Thomas Deutschmann <whissi <AT> gentoo.org>

 ...t-hold-slot-lock-when-taking-session-lock.patch | 93 ++++++++++++++++++++++
 .../nss/{nss-3.59.ebuild => nss-3.59-r1.ebuild}    |  1 +
 2 files changed, 94 insertions(+)

diff --git a/dev-libs/nss/files/nss-3.59-dont-hold-slot-lock-when-taking-session-lock.patch b/dev-libs/nss/files/nss-3.59-dont-hold-slot-lock-when-taking-session-lock.patch
new file mode 100644
index 00000000000..be4ebfe4796
--- /dev/null
+++ b/dev-libs/nss/files/nss-3.59-dont-hold-slot-lock-when-taking-session-lock.patch
@@ -0,0 +1,93 @@
+
+# HG changeset patch
+# User Kevin Jacobs <kjacobs@mozilla.com>
+# Date 1606813429 0
+# Node ID 19585ccc7a1f0f4e9a8d2b9c5ceeb408ea90acb9
+# Parent  f1e48fbead3d9e69500d7aedc1ef6e4bf334f41e
+Bug 1679290 - Don't hold slot lock when taking session lock r=bbeurdouche
+
+[[ https://hg.mozilla.org/projects/nss/rev/0ed11a5835ac1556ff978362cd61069d48f4c5db | 0ed11a5835ac1556ff978362cd61069d48f4c5db ]] fixed a number of race conditions related to NSSSlot member accesses. Unfortunately the locking order that was imposed by that patch has been found to cause problems for at least one PKCS11 module, libnsspem.
+
+This patch drops nested locking in favor of unlocking/re-locking. While this isn't perfect, the original problem in bug 1663661 was that `slot->token` could become NULL, which we can easily check after reacquiring.
+
+Differential Revision: https://phabricator.services.mozilla.com/D98247
+
+diff --git a/lib/dev/devslot.c b/lib/dev/devslot.c
+--- a/lib/dev/devslot.c
++++ b/lib/dev/devslot.c
+@@ -183,25 +183,32 @@ nssSlot_IsTokenPresent(
+     if ((slot->ckFlags & CKF_TOKEN_PRESENT) == 0) {
+         if (!slot->token) {
+             /* token was never present */
+             isPresent = PR_FALSE;
+             goto done; /* slot lock held */
+         }
+         session = nssToken_GetDefaultSession(slot->token);
+         if (session) {
++            nssSlot_ExitMonitor(slot);
+             nssSession_EnterMonitor(session);
+             /* token is not present */
+             if (session->handle != CK_INVALID_HANDLE) {
+                 /* session is valid, close and invalidate it */
+                 CKAPI(epv)
+                     ->C_CloseSession(session->handle);
+                 session->handle = CK_INVALID_HANDLE;
+             }
+             nssSession_ExitMonitor(session);
++            nssSlot_EnterMonitor(slot);
++            if (!slot->token) {
++                /* Check token presence after re-acquiring lock */
++                isPresent = PR_FALSE;
++                goto done; /* slot lock held */
++            }
+         }
+         if (slot->token->base.name[0] != 0) {
+             /* notify the high-level cache that the token is removed */
+             slot->token->base.name[0] = 0; /* XXX */
+             nssToken_NotifyCertsNotVisible(slot->token);
+         }
+         slot->token->base.name[0] = 0; /* XXX */
+         /* clear the token cache */
+@@ -218,34 +225,41 @@ nssSlot_IsTokenPresent(
+     }
+ 
+     /* token is present, use the session info to determine if the card
+      * has been removed and reinserted.
+      */
+     session = nssToken_GetDefaultSession(slot->token);
+     if (session) {
+         PRBool tokenRemoved;
++        nssSlot_ExitMonitor(slot);
+         nssSession_EnterMonitor(session);
+         if (session->handle != CK_INVALID_HANDLE) {
+             CK_SESSION_INFO sessionInfo;
+             ckrv = CKAPI(epv)->C_GetSessionInfo(session->handle, &sessionInfo);
+             if (ckrv != CKR_OK) {
+                 /* session is screwy, close and invalidate it */
+                 CKAPI(epv)
+                     ->C_CloseSession(session->handle);
+                 session->handle = CK_INVALID_HANDLE;
+             }
+         }
+         tokenRemoved = (session->handle == CK_INVALID_HANDLE);
+         nssSession_ExitMonitor(session);
++        nssSlot_EnterMonitor(slot);
+         /* token not removed, finished */
+         if (!tokenRemoved) {
+             isPresent = PR_TRUE;
+             goto done; /* slot lock held */
+         }
++        if (!slot->token) {
++            /* Check token presence after re-acquiring lock */
++            isPresent = PR_FALSE;
++            goto done; /* slot lock held */
++        }
+     }
+     /* the token has been removed, and reinserted, or the slot contains
+      * a token it doesn't recognize. invalidate all the old
+      * information we had on this token, if we can't refresh, clear
+      * the present flag */
+     nssToken_NotifyCertsNotVisible(slot->token);
+     nssToken_Remove(slot->token);
+     /* token has been removed, need to refresh with new session */
+

diff --git a/dev-libs/nss/nss-3.59.ebuild b/dev-libs/nss/nss-3.59-r1.ebuild
similarity index 99%
rename from dev-libs/nss/nss-3.59.ebuild
rename to dev-libs/nss/nss-3.59-r1.ebuild
index 37ab7c58696..82184ff8a71 100644
--- a/dev-libs/nss/nss-3.59.ebuild
+++ b/dev-libs/nss/nss-3.59-r1.ebuild
@@ -40,6 +40,7 @@ PATCHES=(
 	"${FILESDIR}/${PN}-3.21-gentoo-fixup-warnings.patch"
 	"${FILESDIR}/${PN}-3.23-hppa-byte_order.patch"
 	"${FILESDIR}/${PN}-3.53-fix-building-on-ppc.patch"
+	"${FILESDIR}/${PN}-3.59-dont-hold-slot-lock-when-taking-session-lock.patch"
 )
 
 src_prepare() {


^ permalink raw reply related	[flat|nested] 19+ messages in thread
* [gentoo-commits] repo/gentoo:master commit in: dev-libs/nss/, dev-libs/nss/files/
@ 2020-08-30 22:57 Thomas Deutschmann
  0 siblings, 0 replies; 19+ messages in thread
From: Thomas Deutschmann @ 2020-08-30 22:57 UTC (permalink / raw
  To: gentoo-commits

commit:     9522aa465f097bca10a2e9ee5c3e2586d3fcd26e
Author:     Thomas Deutschmann <whissi <AT> gentoo <DOT> org>
AuthorDate: Sun Aug 30 22:56:35 2020 +0000
Commit:     Thomas Deutschmann <whissi <AT> gentoo <DOT> org>
CommitDate: Sun Aug 30 22:56:35 2020 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9522aa46

dev-libs/nss: security cleanup

Bug: https://bugs.gentoo.org/734986
Package-Manager: Portage-3.0.4, Repoman-3.0.1
Signed-off-by: Thomas Deutschmann <whissi <AT> gentoo.org>

 dev-libs/nss/Manifest                           |   4 -
 dev-libs/nss/files/nss-3.47-gentoo-fixups.patch | 242 ----------------
 dev-libs/nss/nss-3.51.ebuild                    | 357 -----------------------
 dev-libs/nss/nss-3.52.1-r1.ebuild               | 361 ------------------------
 dev-libs/nss/nss-3.53.1.ebuild                  | 351 -----------------------
 dev-libs/nss/nss-3.54-r1.ebuild                 | 351 -----------------------
 6 files changed, 1666 deletions(-)

diff --git a/dev-libs/nss/Manifest b/dev-libs/nss/Manifest
index e2468639f8b..a4426510d65 100644
--- a/dev-libs/nss/Manifest
+++ b/dev-libs/nss/Manifest
@@ -1,7 +1,3 @@
-DIST nss-3.51.tar.gz 78305125 BLAKE2B 2c7b90d4cc9fe283bf81e21d0dceefff503e5a31f0053828b140b2b927ddab8c8881b23c7d4c003f3e2d0dcd22efbe699baee63443cab6e72d33a552fd430e3c SHA512 9c894b1ea41449b000750a7b3a89fcb43dfc3d0d4d6dcc0dc288bc73996f76f1ee1ede927a8aecae6d4a07f9f3d3e3a042c6a60cf06e27e0cdc004fce2e510fd
-DIST nss-3.52.1.tar.gz 81222116 BLAKE2B e7a1a24c0a4765fb13a4c13a93187a26df6df68b3e8d623514928cf505215e67f5f22387b6a6b0680117b1c2af13752cb981c173bb50424784d05b459704d528 SHA512 be8746984e3028e5ed49f2132ca08687f6ac75e50208d8cfd6ffbcfd5db1ab8dcaf1f2a0a6c6c1920573de80490301b21c022759c7e2309a22d29698bb169dd6
-DIST nss-3.53.1.tar.gz 81297900 BLAKE2B 7a053aa8322cb55b787730c87f1a6e8a799265574114d63257699348f4921007457d19e5fdc4684a512a91478d1912db45ce066daa8b9d9cde5130ff506aed9e SHA512 5d7572999a007c513df4cbdf74769c1a4eb53eb8680da27a89fea770763d88b6bea80cd9ab20426a905396745129276cffb6dd9e8e1e6377fa98c0a103b522d0
-DIST nss-3.54.tar.gz 81190188 BLAKE2B bf91aa3e2081f0d123d3adfbfc2e3cadfeccf6b15ce03f429fede73bd57ebf96ba7317b890762b01820d75020bb99383c022e2e6558aa1a6d44e8c92cd533bd2 SHA512 9b9253469514c085730ae580f6544e882a8264e253687950627a4fa1eeb956287c9da46caf7d8988cd6363f6dee26cb8db755203375751fe53795697d7ae9b7b
 DIST nss-3.55.tar.gz 81759883 BLAKE2B 5b663d2b1861eb74cf070f2711b4db1afbfbc40b08e1f117e6b4a62e9f997de06889de3afc654cf6547c371ab2a1183904a1a014d1dc4b3e94f734107c81e1cf SHA512 acae7b803a3219cd4b78216cb8a6352805741e42eca6a42a5e6289ebbabc6189c7c6bc138cbd8a93d8631d06175c4d34e72957d49fe726adada6aaa2566e399e
 DIST nss-3.56.tar.gz 81706176 BLAKE2B 84c3b9fd649ce38ad843725b180982692dcac34e851734813b959734054f2e9ebfad66496de320f46e861381f6d5f52db0cc4c0953f7504b79f6b529b871f173 SHA512 f2eed8252c13b38a4d80a11203136d22a521205f814b6d954cc119ccf8921fcb8f689d919944bea4739d1575e9bda7e13cf2ad054ac91d51e049abe246efc845
 DIST nss-cacert-class1-class3.patch 22950 BLAKE2B 9d5e60df5f161a3c27c41e5a9419440a54f888eda454e3cde5ebe626d4075b65cf9938b5144d0fb022377f4bd415bff5e5c67d104409860aa9391b3eb8872c68 SHA512 a5aa740bf110a3f0262e3f1ef2fc739ac2b44f042e220039d48aee8e97cd764d5c10718220364f4098aba955882bd02cadb5481512388971a8290312f88a7df0

diff --git a/dev-libs/nss/files/nss-3.47-gentoo-fixups.patch b/dev-libs/nss/files/nss-3.47-gentoo-fixups.patch
deleted file mode 100644
index 29b3a2a7232..00000000000
--- a/dev-libs/nss/files/nss-3.47-gentoo-fixups.patch
+++ /dev/null
@@ -1,242 +0,0 @@
---- a/config/Makefile
-+++ b/config/Makefile
-@@ -0,0 +1,40 @@
-+CORE_DEPTH = ..
-+DEPTH      = ..
-+
-+include $(CORE_DEPTH)/coreconf/config.mk
-+
-+NSS_MAJOR_VERSION = `grep "NSS_VMAJOR" ../lib/nss/nss.h | awk '{print $$3}'`
-+NSS_MINOR_VERSION = `grep "NSS_VMINOR" ../lib/nss/nss.h | awk '{print $$3}'`
-+NSS_PATCH_VERSION = `grep "NSS_VPATCH" ../lib/nss/nss.h | awk '{print $$3}'`
-+PREFIX = /usr
-+
-+all: export libs
-+
-+export:
-+	# Create the nss.pc file
-+	mkdir -p $(DIST)/lib/pkgconfig
-+	sed -e "s,@prefix@,$(PREFIX)," \
-+	    -e "s,@exec_prefix@,\$${prefix}," \
-+	    -e "s,@libdir@,\$${prefix}/lib64," \
-+	    -e "s,@includedir@,\$${prefix}/include/nss," \
-+	    -e "s,@NSS_MAJOR_VERSION@,$(NSS_MAJOR_VERSION),g" \
-+	    -e "s,@NSS_MINOR_VERSION@,$(NSS_MINOR_VERSION)," \
-+	    -e "s,@NSS_PATCH_VERSION@,$(NSS_PATCH_VERSION)," \
-+	    nss.pc.in > nss.pc
-+	chmod 0644 nss.pc
-+	ln -sf ../../../../config/nss.pc $(DIST)/lib/pkgconfig
-+
-+	# Create the nss-config script
-+	mkdir -p $(DIST)/bin
-+	sed -e "s,@prefix@,$(PREFIX)," \
-+	    -e "s,@NSS_MAJOR_VERSION@,$(NSS_MAJOR_VERSION)," \
-+	    -e "s,@NSS_MINOR_VERSION@,$(NSS_MINOR_VERSION)," \
-+	    -e "s,@NSS_PATCH_VERSION@,$(NSS_PATCH_VERSION)," \
-+	    nss-config.in > nss-config
-+	chmod 0755 nss-config
-+	ln -sf ../../../config/nss-config $(DIST)/bin
-+
-+libs:
-+
-+dummy: all export libs
-+
---- a/config/nss-config.in
-+++ b/config/nss-config.in
-@@ -0,0 +1,145 @@
-+#!/bin/sh
-+
-+prefix=@prefix@
-+
-+major_version=@NSS_MAJOR_VERSION@
-+minor_version=@NSS_MINOR_VERSION@
-+patch_version=@NSS_PATCH_VERSION@
-+
-+usage()
-+{
-+	cat <<EOF
-+Usage: nss-config [OPTIONS] [LIBRARIES]
-+Options:
-+	[--prefix[=DIR]]
-+	[--exec-prefix[=DIR]]
-+	[--includedir[=DIR]]
-+	[--libdir[=DIR]]
-+	[--version]
-+	[--libs]
-+	[--cflags]
-+Dynamic Libraries:
-+	nss
-+	ssl
-+	smime
-+	nssutil
-+EOF
-+	exit $1
-+}
-+
-+if test $# -eq 0; then
-+	usage 1 1>&2
-+fi
-+
-+lib_ssl=yes
-+lib_smime=yes
-+lib_nss=yes
-+lib_nssutil=yes
-+
-+while test $# -gt 0; do
-+  case "$1" in
-+  -*=*) optarg=`echo "$1" | sed 's/[-_a-zA-Z0-9]*=//'` ;;
-+  *) optarg= ;;
-+  esac
-+
-+  case $1 in
-+    --prefix=*)
-+      prefix=$optarg
-+      ;;
-+    --prefix)
-+      echo_prefix=yes
-+      ;;
-+    --exec-prefix=*)
-+      exec_prefix=$optarg
-+      ;;
-+    --exec-prefix)
-+      echo_exec_prefix=yes
-+      ;;
-+    --includedir=*)
-+      includedir=$optarg
-+      ;;
-+    --includedir)
-+      echo_includedir=yes
-+      ;;
-+    --libdir=*)
-+      libdir=$optarg
-+      ;;
-+    --libdir)
-+      echo_libdir=yes
-+      ;;
-+    --version)
-+      echo ${major_version}.${minor_version}.${patch_version}
-+      ;;
-+    --cflags)
-+      echo_cflags=yes
-+      ;;
-+    --libs)
-+      echo_libs=yes
-+      ;;
-+    ssl)
-+      lib_ssl=yes
-+      ;;
-+    smime)
-+      lib_smime=yes
-+      ;;
-+    nss)
-+      lib_nss=yes
-+      ;;
-+    nssutil)
-+      lib_nssutil=yes
-+      ;;
-+    *)
-+      usage 1 1>&2
-+      ;;
-+  esac
-+  shift
-+done
-+
-+# Set variables that may be dependent upon other variables
-+if test -z "$exec_prefix"; then
-+    exec_prefix=`pkg-config --variable=exec_prefix nss`
-+fi
-+if test -z "$includedir"; then
-+    includedir=`pkg-config --variable=includedir nss`
-+fi
-+if test -z "$libdir"; then
-+    libdir=`pkg-config --variable=libdir nss`
-+fi
-+
-+if test "$echo_prefix" = "yes"; then
-+    echo $prefix
-+fi
-+
-+if test "$echo_exec_prefix" = "yes"; then
-+    echo $exec_prefix
-+fi
-+
-+if test "$echo_includedir" = "yes"; then
-+    echo $includedir
-+fi
-+
-+if test "$echo_libdir" = "yes"; then
-+    echo $libdir
-+fi
-+
-+if test "$echo_cflags" = "yes"; then
-+    echo -I$includedir
-+fi
-+
-+if test "$echo_libs" = "yes"; then
-+      libdirs=""
-+      if test -n "$lib_ssl"; then
-+	libdirs="$libdirs -lssl${major_version}"
-+      fi
-+      if test -n "$lib_smime"; then
-+	libdirs="$libdirs -lsmime${major_version}"
-+      fi
-+      if test -n "$lib_nss"; then
-+	libdirs="$libdirs -lnss${major_version}"
-+      fi
-+      if test -n "$lib_nssutil"; then
-+       libdirs="$libdirs -lnssutil${major_version}"
-+      fi
-+      echo $libdirs
-+fi
-+
---- a/config/nss.pc.in
-+++ b/config/nss.pc.in
-@@ -0,0 +1,12 @@
-+prefix=@prefix@
-+exec_prefix=@exec_prefix@
-+libdir=@libdir@
-+includedir=@includedir@
-+
-+Name: NSS
-+Description: Network Security Services
-+Version: @NSS_MAJOR_VERSION@.@NSS_MINOR_VERSION@.@NSS_PATCH_VERSION@
-+Requires: nspr >= 4.8
-+Libs: -lssl3 -lsmime3 -lnss3 -lnssutil3
-+Cflags: -I${includedir}
-+
---- a/Makefile
-+++ b/Makefile
-@@ -47,7 +47,7 @@
- # (7) Execute "local" rules. (OPTIONAL).                              #
- #######################################################################
- 
--nss_build_all: build_nspr all latest
-+nss_build_all: all latest
- 
- nss_clean_all: clobber_nspr clobber
- 
-@@ -133,16 +133,6 @@
- 	--prefix='$(NSS_GYP_PREFIX)'
- endif
- 
--build_nspr: $(NSPR_CONFIG_STATUS)
--	$(MAKE) -C $(CORE_DEPTH)/../nspr/$(OBJDIR_NAME)
--	$(MAKE) -C $(CORE_DEPTH)/../nspr/$(OBJDIR_NAME)/pr/tests
--
--install_nspr: build_nspr
--	$(MAKE) -C $(CORE_DEPTH)/../nspr/$(OBJDIR_NAME) install
--
--clobber_nspr: $(NSPR_CONFIG_STATUS)
--	$(MAKE) -C $(CORE_DEPTH)/../nspr/$(OBJDIR_NAME) clobber
--
- build_docs:
- 	$(MAKE) -C $(CORE_DEPTH)/doc
- 
---- a/manifest.mn
-+++ b/manifest.mn
-@@ -10,4 +10,4 @@
- 
- RELEASE = nss
- 
--DIRS = coreconf lib cmd cpputil gtests
-+DIRS = coreconf lib cmd cpputil config

diff --git a/dev-libs/nss/nss-3.51.ebuild b/dev-libs/nss/nss-3.51.ebuild
deleted file mode 100644
index 25170cb99d3..00000000000
--- a/dev-libs/nss/nss-3.51.ebuild
+++ /dev/null
@@ -1,357 +0,0 @@
-# Copyright 1999-2020 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=7
-
-inherit eutils flag-o-matic multilib toolchain-funcs multilib-minimal
-
-NSPR_VER="4.25"
-RTM_NAME="NSS_${PV//./_}_RTM"
-
-DESCRIPTION="Mozilla's Network Security Services library that implements PKI support"
-HOMEPAGE="http://www.mozilla.org/projects/security/pki/nss/"
-SRC_URI="https://archive.mozilla.org/pub/security/nss/releases/${RTM_NAME}/src/${P}.tar.gz
-	cacert? ( https://dev.gentoo.org/~axs/distfiles/${PN}-cacert-class1-class3.patch )"
-
-LICENSE="|| ( MPL-2.0 GPL-2 LGPL-2.1 )"
-SLOT="0"
-KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 ~m68k ~mips ppc ppc64 s390 sparc x86 ~amd64-linux ~x86-linux ~x86-macos ~sparc-solaris ~x64-solaris ~x86-solaris"
-IUSE="cacert utils"
-RDEPEND="
-	>=dev-libs/nspr-${NSPR_VER}[${MULTILIB_USEDEP}]
-	>=dev-db/sqlite-3.8.2[${MULTILIB_USEDEP}]
-	>=sys-libs/zlib-1.2.8-r1[${MULTILIB_USEDEP}]
-	virtual/pkgconfig
-"
-DEPEND="${RDEPEND}"
-
-RESTRICT="test"
-
-S="${WORKDIR}/${P}/${PN}"
-
-MULTILIB_CHOST_TOOLS=(
-	/usr/bin/nss-config
-)
-
-PATCHES=(
-	# Custom changes for gentoo
-	"${FILESDIR}/${PN}-3.47-gentoo-fixups.patch"
-	"${FILESDIR}/${PN}-3.21-gentoo-fixup-warnings.patch"
-	"${FILESDIR}/${PN}-3.23-hppa-byte_order.patch"
-)
-
-src_prepare() {
-	if use cacert ; then #521462
-		PATCHES+=(
-			"${DISTDIR}/${PN}-cacert-class1-class3.patch"
-		)
-	fi
-
-	default
-
-	pushd coreconf >/dev/null || die
-	# hack nspr paths
-	echo 'INCLUDES += -I$(DIST)/include/dbm' \
-		>> headers.mk || die "failed to append include"
-
-	# modify install path
-	sed -e '/CORE_DEPTH/s:SOURCE_PREFIX.*$:SOURCE_PREFIX = $(CORE_DEPTH)/dist:' \
-		-i source.mk || die
-
-	# Respect LDFLAGS
-	sed -i -e 's/\$(MKSHLIB) -o/\$(MKSHLIB) \$(LDFLAGS) -o/g' rules.mk
-	popd >/dev/null || die
-
-	# Fix pkgconfig file for Prefix
-	sed -i -e "/^PREFIX =/s:= /usr:= ${EPREFIX}/usr:" \
-		config/Makefile || die
-
-	# use host shlibsign if need be #436216
-	if tc-is-cross-compiler ; then
-		sed -i \
-			-e 's:"${2}"/shlibsign:shlibsign:' \
-			cmd/shlibsign/sign.sh || die
-	fi
-
-	# dirty hack
-	sed -i -e "/CRYPTOLIB/s:\$(SOFTOKEN_LIB_DIR):../freebl/\$(OBJDIR):" \
-		lib/ssl/config.mk || die
-	sed -i -e "/CRYPTOLIB/s:\$(SOFTOKEN_LIB_DIR):../../lib/freebl/\$(OBJDIR):" \
-		cmd/platlibs.mk || die
-
-	multilib_copy_sources
-
-	strip-flags
-}
-
-multilib_src_configure() {
-	# Ensure we stay multilib aware
-	sed -i -e "/@libdir@/ s:lib64:$(get_libdir):" config/Makefile || die
-}
-
-nssarch() {
-	# Most of the arches are the same as $ARCH
-	local t=${1:-${CHOST}}
-	case ${t} in
-		aarch64*)echo "aarch64";;
-		hppa*)   echo "parisc";;
-		i?86*)   echo "i686";;
-		x86_64*) echo "x86_64";;
-		*)       tc-arch ${t};;
-	esac
-}
-
-nssbits() {
-	local cc cppflags="${1}CPPFLAGS" cflags="${1}CFLAGS"
-	if [[ ${1} == BUILD_ ]]; then
-		cc=$(tc-getBUILD_CC)
-	else
-		cc=$(tc-getCC)
-	fi
-	echo > "${T}"/test.c || die
-	${cc} ${!cppflags} ${!cflags} -c "${T}"/test.c -o "${T}/${1}test.o" || die
-	case $(file "${T}/${1}test.o") in
-		*32-bit*x86-64*) echo USE_X32=1;;
-		*64-bit*|*ppc64*|*x86_64*) echo USE_64=1;;
-		*32-bit*|*ppc*|*i386*) ;;
-		*) die "Failed to detect whether ${cc} builds 64bits or 32bits, disable distcc if you're using it, please";;
-	esac
-}
-
-multilib_src_compile() {
-	# use ABI to determine bit'ness, or fallback if unset
-	local buildbits mybits
-	case "${ABI}" in
-		n32) mybits="USE_N32=1";;
-		x32) mybits="USE_X32=1";;
-		s390x|*64) mybits="USE_64=1";;
-		${DEFAULT_ABI})
-			einfo "Running compilation test to determine bit'ness"
-			mybits=$(nssbits)
-			;;
-	esac
-	# bitness of host may differ from target
-	if tc-is-cross-compiler; then
-		buildbits=$(nssbits BUILD_)
-	fi
-
-	local makeargs=(
-		CC="$(tc-getCC)"
-		CCC="$(tc-getCXX)"
-		AR="$(tc-getAR) rc \$@"
-		RANLIB="$(tc-getRANLIB)"
-		OPTIMIZER=
-		${mybits}
-	)
-
-	# Take care of nspr settings #436216
-	local myCPPFLAGS="${CPPFLAGS} $($(tc-getPKG_CONFIG) nspr --cflags)"
-	unset NSPR_INCLUDE_DIR
-
-	# Do not let `uname` be used.
-	if use kernel_linux ; then
-		makeargs+=(
-			OS_TARGET=Linux
-			OS_RELEASE=2.6
-			OS_TEST="$(nssarch)"
-		)
-	fi
-
-	export NSS_ALLOW_SSLKEYLOGFILE=1
-	export NSS_ENABLE_WERROR=0 #567158
-	export BUILD_OPT=1
-	export NSS_USE_SYSTEM_SQLITE=1
-	export NSDISTMODE=copy
-	export NSS_ENABLE_ECC=1
-	export FREEBL_NO_DEPEND=1
-	export FREEBL_LOWHASH=1
-	export NSS_SEED_ONLY_DEV_URANDOM=1
-	export ASFLAGS=""
-
-	local d
-
-	# Build the host tools first.
-	LDFLAGS="${BUILD_LDFLAGS}" \
-	XCFLAGS="${BUILD_CFLAGS}" \
-	NSPR_LIB_DIR="${T}/fakedir" \
-	emake -j1 -C coreconf \
-		CC="$(tc-getBUILD_CC)" \
-		${buildbits-${mybits}}
-	makeargs+=( NSINSTALL="${PWD}/$(find -type f -name nsinstall)" )
-
-	# Then build the target tools.
-	for d in . lib/dbm ; do
-		CPPFLAGS="${myCPPFLAGS}" \
-		XCFLAGS="${CFLAGS} ${CPPFLAGS}" \
-		NSPR_LIB_DIR="${T}/fakedir" \
-		emake -j1 "${makeargs[@]}" -C ${d}
-	done
-}
-
-# Altering these 3 libraries breaks the CHK verification.
-# All of the following cause it to break:
-# - stripping
-# - prelink
-# - ELF signing
-# http://www.mozilla.org/projects/security/pki/nss/tech-notes/tn6.html
-# Either we have to NOT strip them, or we have to forcibly resign after
-# stripping.
-#local_libdir="$(get_libdir)"
-#export STRIP_MASK="
-#	*/${local_libdir}/libfreebl3.so*
-#	*/${local_libdir}/libnssdbm3.so*
-#	*/${local_libdir}/libsoftokn3.so*"
-
-export NSS_CHK_SIGN_LIBS="freebl3 nssdbm3 softokn3"
-
-generate_chk() {
-	local shlibsign="$1"
-	local libdir="$2"
-	einfo "Resigning core NSS libraries for FIPS validation"
-	shift 2
-	local i
-	for i in ${NSS_CHK_SIGN_LIBS} ; do
-		local libname=lib${i}.so
-		local chkname=lib${i}.chk
-		"${shlibsign}" \
-			-i "${libdir}"/${libname} \
-			-o "${libdir}"/${chkname}.tmp \
-		&& mv -f \
-			"${libdir}"/${chkname}.tmp \
-			"${libdir}"/${chkname} \
-		|| die "Failed to sign ${libname}"
-	done
-}
-
-cleanup_chk() {
-	local libdir="$1"
-	shift 1
-	local i
-	for i in ${NSS_CHK_SIGN_LIBS} ; do
-		local libfname="${libdir}/lib${i}.so"
-		# If the major version has changed, then we have old chk files.
-		[ ! -f "${libfname}" -a -f "${libfname}.chk" ] \
-			&& rm -f "${libfname}.chk"
-	done
-}
-
-multilib_src_install() {
-	pushd dist >/dev/null || die
-
-	dodir /usr/$(get_libdir)
-	cp -L */lib/*$(get_libname) "${ED}"/usr/$(get_libdir) || die "copying shared libs failed"
-	local i
-	for i in crmf freebl nssb nssckfw ; do
-		cp -L */lib/lib${i}.a "${ED}"/usr/$(get_libdir) || die "copying libs failed"
-	done
-
-	# Install nss-config and pkgconfig file
-	dodir /usr/bin
-	cp -L */bin/nss-config "${ED}"/usr/bin || die
-	dodir /usr/$(get_libdir)/pkgconfig
-	cp -L */lib/pkgconfig/nss.pc "${ED}"/usr/$(get_libdir)/pkgconfig || die
-
-	# create an nss-softokn.pc from nss.pc for libfreebl and some private headers
-	# bug 517266
-	sed 	-e 's#Libs:#Libs: -lfreebl#' \
-		-e 's#Cflags:#Cflags: -I${includedir}/private#' \
-		*/lib/pkgconfig/nss.pc >"${ED}"/usr/$(get_libdir)/pkgconfig/nss-softokn.pc \
-		|| die "could not create nss-softokn.pc"
-
-	# all the include files
-	insinto /usr/include/nss
-	doins public/nss/*.{h,api}
-	insinto /usr/include/nss/private
-	doins private/nss/{blapi,alghmac,cmac}.h
-
-	popd >/dev/null || die
-
-	local f nssutils
-	# Always enabled because we need it for chk generation.
-	nssutils=( shlibsign )
-
-	if multilib_is_native_abi ; then
-		if use utils; then
-			# The tests we do not need to install.
-			#nssutils_test="bltest crmftest dbtest dertimetest
-			#fipstest remtest sdrtest"
-			# checkcert utils has been removed in nss-3.22:
-			# https://bugzilla.mozilla.org/show_bug.cgi?id=1187545
-			# https://hg.mozilla.org/projects/nss/rev/df1729d37870
-			# certcgi has been removed in nss-3.36:
-			# https://bugzilla.mozilla.org/show_bug.cgi?id=1426602
-			nssutils+=(
-				addbuiltin
-				atob
-				baddbdir
-				btoa
-				certutil
-				cmsutil
-				conflict
-				crlutil
-				derdump
-				digest
-				makepqg
-				mangle
-				modutil
-				multinit
-				nonspr10
-				ocspclnt
-				oidcalc
-				p7content
-				p7env
-				p7sign
-				p7verify
-				pk11mode
-				pk12util
-				pp
-				rsaperf
-				selfserv
-				signtool
-				signver
-				ssltap
-				strsclnt
-				symkeyutil
-				tstclnt
-				vfychain
-				vfyserv
-			)
-			# install man-pages for utils (bug #516810)
-			doman doc/nroff/*.1
-		fi
-		pushd dist/*/bin >/dev/null || die
-		for f in ${nssutils[@]}; do
-			dobin ${f}
-		done
-		popd >/dev/null || die
-	fi
-
-	# Prelink breaks the CHK files. We don't have any reliable way to run
-	# shlibsign after prelink.
-	dodir /etc/prelink.conf.d
-	printf -- "-b ${EPREFIX}/usr/$(get_libdir)/lib%s.so\n" ${NSS_CHK_SIGN_LIBS} \
-		> "${ED}"/etc/prelink.conf.d/nss.conf
-}
-
-pkg_postinst() {
-	multilib_pkg_postinst() {
-		# We must re-sign the libraries AFTER they are stripped.
-		local shlibsign="${EROOT}/usr/bin/shlibsign"
-		# See if we can execute it (cross-compiling & such). #436216
-		"${shlibsign}" -h >&/dev/null
-		if [[ $? -gt 1 ]] ; then
-			shlibsign="shlibsign"
-		fi
-		generate_chk "${shlibsign}" "${EROOT}"/usr/$(get_libdir)
-	}
-
-	multilib_foreach_abi multilib_pkg_postinst
-}
-
-pkg_postrm() {
-	multilib_pkg_postrm() {
-		cleanup_chk "${EROOT}"/usr/$(get_libdir)
-	}
-
-	multilib_foreach_abi multilib_pkg_postrm
-}

diff --git a/dev-libs/nss/nss-3.52.1-r1.ebuild b/dev-libs/nss/nss-3.52.1-r1.ebuild
deleted file mode 100644
index ac5506ab597..00000000000
--- a/dev-libs/nss/nss-3.52.1-r1.ebuild
+++ /dev/null
@@ -1,361 +0,0 @@
-# Copyright 1999-2020 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=7
-
-inherit eutils flag-o-matic multilib toolchain-funcs multilib-minimal
-
-NSPR_VER="4.25"
-RTM_NAME="NSS_${PV//./_}_RTM"
-
-DESCRIPTION="Mozilla's Network Security Services library that implements PKI support"
-HOMEPAGE="http://www.mozilla.org/projects/security/pki/nss/"
-SRC_URI="https://archive.mozilla.org/pub/security/nss/releases/${RTM_NAME}/src/${P}.tar.gz
-	cacert? ( https://dev.gentoo.org/~axs/distfiles/${PN}-cacert-class1-class3.patch )"
-
-LICENSE="|| ( MPL-2.0 GPL-2 LGPL-2.1 )"
-SLOT="0"
-KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 ~m68k ~mips ppc ppc64 s390 sparc x86 ~amd64-linux ~x86-linux ~x86-macos ~sparc-solaris ~x64-solaris ~x86-solaris"
-IUSE="cacert utils"
-# pkg-config called by nss-config -> virtual/pkgconfig in RDEPEND
-RDEPEND="
-	>=dev-libs/nspr-${NSPR_VER}[${MULTILIB_USEDEP}]
-	>=dev-db/sqlite-3.8.2[${MULTILIB_USEDEP}]
-	>=sys-libs/zlib-1.2.8-r1[${MULTILIB_USEDEP}]
-	virtual/pkgconfig
-"
-DEPEND="${RDEPEND}"
-
-RESTRICT="test"
-
-S="${WORKDIR}/${P}/${PN}"
-
-MULTILIB_CHOST_TOOLS=(
-	/usr/bin/nss-config
-)
-
-PATCHES=(
-	# Custom changes for gentoo
-	"${FILESDIR}/${PN}-3.47-gentoo-fixups.patch"
-	"${FILESDIR}/${PN}-3.21-gentoo-fixup-warnings.patch"
-	"${FILESDIR}/${PN}-3.23-hppa-byte_order.patch"
-	"${FILESDIR}/${PN}-3.53-fix-building-on-ppc.patch"
-)
-
-src_prepare() {
-	if use cacert ; then #521462
-		PATCHES+=(
-			"${DISTDIR}/${PN}-cacert-class1-class3.patch"
-		)
-	fi
-
-	default
-
-	pushd coreconf >/dev/null || die
-	# hack nspr paths
-	echo 'INCLUDES += -I$(DIST)/include/dbm' \
-		>> headers.mk || die "failed to append include"
-
-	# modify install path
-	sed -e '/CORE_DEPTH/s:SOURCE_PREFIX.*$:SOURCE_PREFIX = $(CORE_DEPTH)/dist:' \
-		-i source.mk || die
-
-	# Respect LDFLAGS
-	sed -i -e 's/\$(MKSHLIB) -o/\$(MKSHLIB) \$(LDFLAGS) -o/g' rules.mk
-	popd >/dev/null || die
-
-	# Fix pkgconfig file for Prefix
-	sed -i -e "/^PREFIX =/s:= /usr:= ${EPREFIX}/usr:" \
-		config/Makefile || die
-
-	# use host shlibsign if need be #436216
-	if tc-is-cross-compiler ; then
-		sed -i \
-			-e 's:"${2}"/shlibsign:shlibsign:' \
-			cmd/shlibsign/sign.sh || die
-	fi
-
-	# dirty hack
-	sed -i -e "/CRYPTOLIB/s:\$(SOFTOKEN_LIB_DIR):../freebl/\$(OBJDIR):" \
-		lib/ssl/config.mk || die
-	sed -i -e "/CRYPTOLIB/s:\$(SOFTOKEN_LIB_DIR):../../lib/freebl/\$(OBJDIR):" \
-		cmd/platlibs.mk || die
-
-	multilib_copy_sources
-
-	strip-flags
-}
-
-multilib_src_configure() {
-	# Ensure we stay multilib aware
-	sed -i -e "/@libdir@/ s:lib64:$(get_libdir):" config/Makefile || die
-}
-
-nssarch() {
-	# Most of the arches are the same as $ARCH
-	local t=${1:-${CHOST}}
-	case ${t} in
-		aarch64*)echo "aarch64";;
-		hppa*)   echo "parisc";;
-		i?86*)   echo "i686";;
-		x86_64*) echo "x86_64";;
-		*)       tc-arch ${t};;
-	esac
-}
-
-nssbits() {
-	local cc cppflags="${1}CPPFLAGS" cflags="${1}CFLAGS"
-	if [[ ${1} == BUILD_ ]]; then
-		cc=$(tc-getBUILD_CC)
-	else
-		cc=$(tc-getCC)
-	fi
-	echo > "${T}"/test.c || die
-	${cc} ${!cppflags} ${!cflags} -c "${T}"/test.c -o "${T}/${1}test.o" || die
-	case $(file "${T}/${1}test.o") in
-		*32-bit*x86-64*) echo USE_X32=1;;
-		*64-bit*|*ppc64*|*x86_64*) echo USE_64=1;;
-		*32-bit*|*ppc*|*i386*) ;;
-		*) die "Failed to detect whether ${cc} builds 64bits or 32bits, disable distcc if you're using it, please";;
-	esac
-}
-
-multilib_src_compile() {
-	# use ABI to determine bit'ness, or fallback if unset
-	local buildbits mybits
-	case "${ABI}" in
-		n32) mybits="USE_N32=1";;
-		x32) mybits="USE_X32=1";;
-		s390x|*64) mybits="USE_64=1";;
-		${DEFAULT_ABI})
-			einfo "Running compilation test to determine bit'ness"
-			mybits=$(nssbits)
-			;;
-	esac
-	# bitness of host may differ from target
-	if tc-is-cross-compiler; then
-		buildbits=$(nssbits BUILD_)
-	fi
-
-	local makeargs=(
-		CC="$(tc-getCC)"
-		CCC="$(tc-getCXX)"
-		AR="$(tc-getAR) rc \$@"
-		RANLIB="$(tc-getRANLIB)"
-		OPTIMIZER=
-		${mybits}
-	)
-
-	# Take care of nspr settings #436216
-	local myCPPFLAGS="${CPPFLAGS} $($(tc-getPKG_CONFIG) nspr --cflags)"
-	unset NSPR_INCLUDE_DIR
-
-	# Do not let `uname` be used.
-	if use kernel_linux ; then
-		makeargs+=(
-			OS_TARGET=Linux
-			OS_RELEASE=2.6
-			OS_TEST="$(nssarch)"
-		)
-	fi
-
-	export NSS_ALLOW_SSLKEYLOGFILE=1
-	export NSS_ENABLE_WERROR=0 #567158
-	export BUILD_OPT=1
-	export NSS_USE_SYSTEM_SQLITE=1
-	export NSDISTMODE=copy
-	export NSS_ENABLE_ECC=1
-	export FREEBL_NO_DEPEND=1
-	export FREEBL_LOWHASH=1
-	export NSS_SEED_ONLY_DEV_URANDOM=1
-	export ASFLAGS=""
-	export USE_SYSTEM_ZLIB=1
-	export ZLIB_LIBS=-lz
-
-	local d
-
-	# Build the host tools first.
-	LDFLAGS="${BUILD_LDFLAGS}" \
-	XCFLAGS="${BUILD_CFLAGS}" \
-	NSPR_LIB_DIR="${T}/fakedir" \
-	emake -j1 -C coreconf \
-		CC="$(tc-getBUILD_CC)" \
-		${buildbits-${mybits}}
-	makeargs+=( NSINSTALL="${PWD}/$(find -type f -name nsinstall)" )
-
-	# Then build the target tools.
-	for d in . lib/dbm ; do
-		CPPFLAGS="${myCPPFLAGS}" \
-		XCFLAGS="${CFLAGS} ${CPPFLAGS}" \
-		NSPR_LIB_DIR="${T}/fakedir" \
-		emake -j1 "${makeargs[@]}" -C ${d}
-	done
-}
-
-# Altering these 3 libraries breaks the CHK verification.
-# All of the following cause it to break:
-# - stripping
-# - prelink
-# - ELF signing
-# http://www.mozilla.org/projects/security/pki/nss/tech-notes/tn6.html
-# Either we have to NOT strip them, or we have to forcibly resign after
-# stripping.
-#local_libdir="$(get_libdir)"
-#export STRIP_MASK="
-#	*/${local_libdir}/libfreebl3.so*
-#	*/${local_libdir}/libnssdbm3.so*
-#	*/${local_libdir}/libsoftokn3.so*"
-
-export NSS_CHK_SIGN_LIBS="freebl3 nssdbm3 softokn3"
-
-generate_chk() {
-	local shlibsign="$1"
-	local libdir="$2"
-	einfo "Resigning core NSS libraries for FIPS validation"
-	shift 2
-	local i
-	for i in ${NSS_CHK_SIGN_LIBS} ; do
-		local libname=lib${i}.so
-		local chkname=lib${i}.chk
-		"${shlibsign}" \
-			-i "${libdir}"/${libname} \
-			-o "${libdir}"/${chkname}.tmp \
-		&& mv -f \
-			"${libdir}"/${chkname}.tmp \
-			"${libdir}"/${chkname} \
-		|| die "Failed to sign ${libname}"
-	done
-}
-
-cleanup_chk() {
-	local libdir="$1"
-	shift 1
-	local i
-	for i in ${NSS_CHK_SIGN_LIBS} ; do
-		local libfname="${libdir}/lib${i}.so"
-		# If the major version has changed, then we have old chk files.
-		[ ! -f "${libfname}" -a -f "${libfname}.chk" ] \
-			&& rm -f "${libfname}.chk"
-	done
-}
-
-multilib_src_install() {
-	pushd dist >/dev/null || die
-
-	dodir /usr/$(get_libdir)
-	cp -L */lib/*$(get_libname) "${ED}"/usr/$(get_libdir) || die "copying shared libs failed"
-	local i
-	for i in crmf freebl nssb nssckfw ; do
-		cp -L */lib/lib${i}.a "${ED}"/usr/$(get_libdir) || die "copying libs failed"
-	done
-
-	# Install nss-config and pkgconfig file
-	dodir /usr/bin
-	cp -L */bin/nss-config "${ED}"/usr/bin || die
-	dodir /usr/$(get_libdir)/pkgconfig
-	cp -L */lib/pkgconfig/nss.pc "${ED}"/usr/$(get_libdir)/pkgconfig || die
-
-	# create an nss-softokn.pc from nss.pc for libfreebl and some private headers
-	# bug 517266
-	sed 	-e 's#Libs:#Libs: -lfreebl#' \
-		-e 's#Cflags:#Cflags: -I${includedir}/private#' \
-		*/lib/pkgconfig/nss.pc >"${ED}"/usr/$(get_libdir)/pkgconfig/nss-softokn.pc \
-		|| die "could not create nss-softokn.pc"
-
-	# all the include files
-	insinto /usr/include/nss
-	doins public/nss/*.{h,api}
-	insinto /usr/include/nss/private
-	doins private/nss/{blapi,alghmac,cmac}.h
-
-	popd >/dev/null || die
-
-	local f nssutils
-	# Always enabled because we need it for chk generation.
-	nssutils=( shlibsign )
-
-	if multilib_is_native_abi ; then
-		if use utils; then
-			# The tests we do not need to install.
-			#nssutils_test="bltest crmftest dbtest dertimetest
-			#fipstest remtest sdrtest"
-			# checkcert utils has been removed in nss-3.22:
-			# https://bugzilla.mozilla.org/show_bug.cgi?id=1187545
-			# https://hg.mozilla.org/projects/nss/rev/df1729d37870
-			# certcgi has been removed in nss-3.36:
-			# https://bugzilla.mozilla.org/show_bug.cgi?id=1426602
-			nssutils+=(
-				addbuiltin
-				atob
-				baddbdir
-				btoa
-				certutil
-				cmsutil
-				conflict
-				crlutil
-				derdump
-				digest
-				makepqg
-				mangle
-				modutil
-				multinit
-				nonspr10
-				ocspclnt
-				oidcalc
-				p7content
-				p7env
-				p7sign
-				p7verify
-				pk11mode
-				pk12util
-				pp
-				rsaperf
-				selfserv
-				signtool
-				signver
-				ssltap
-				strsclnt
-				symkeyutil
-				tstclnt
-				vfychain
-				vfyserv
-			)
-			# install man-pages for utils (bug #516810)
-			doman doc/nroff/*.1
-		fi
-		pushd dist/*/bin >/dev/null || die
-		for f in ${nssutils[@]}; do
-			dobin ${f}
-		done
-		popd >/dev/null || die
-	fi
-
-	# Prelink breaks the CHK files. We don't have any reliable way to run
-	# shlibsign after prelink.
-	dodir /etc/prelink.conf.d
-	printf -- "-b ${EPREFIX}/usr/$(get_libdir)/lib%s.so\n" ${NSS_CHK_SIGN_LIBS} \
-		> "${ED}"/etc/prelink.conf.d/nss.conf
-}
-
-pkg_postinst() {
-	multilib_pkg_postinst() {
-		# We must re-sign the libraries AFTER they are stripped.
-		local shlibsign="${EROOT}/usr/bin/shlibsign"
-		# See if we can execute it (cross-compiling & such). #436216
-		"${shlibsign}" -h >&/dev/null
-		if [[ $? -gt 1 ]] ; then
-			shlibsign="shlibsign"
-		fi
-		generate_chk "${shlibsign}" "${EROOT}"/usr/$(get_libdir)
-	}
-
-	multilib_foreach_abi multilib_pkg_postinst
-}
-
-pkg_postrm() {
-	multilib_pkg_postrm() {
-		cleanup_chk "${EROOT}"/usr/$(get_libdir)
-	}
-
-	multilib_foreach_abi multilib_pkg_postrm
-}

diff --git a/dev-libs/nss/nss-3.53.1.ebuild b/dev-libs/nss/nss-3.53.1.ebuild
deleted file mode 100644
index d94d193dbe9..00000000000
--- a/dev-libs/nss/nss-3.53.1.ebuild
+++ /dev/null
@@ -1,351 +0,0 @@
-# Copyright 1999-2020 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=7
-
-inherit eutils flag-o-matic multilib toolchain-funcs multilib-minimal
-
-NSPR_VER="4.25"
-RTM_NAME="NSS_${PV//./_}_RTM"
-
-DESCRIPTION="Mozilla's Network Security Services library that implements PKI support"
-HOMEPAGE="http://www.mozilla.org/projects/security/pki/nss/"
-SRC_URI="https://archive.mozilla.org/pub/security/nss/releases/${RTM_NAME}/src/${P}.tar.gz
-	cacert? ( https://dev.gentoo.org/~axs/distfiles/${PN}-cacert-class1-class3.patch )"
-
-LICENSE="|| ( MPL-2.0 GPL-2 LGPL-2.1 )"
-SLOT="0"
-KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sparc ~x86 ~amd64-linux ~x86-linux ~x86-macos ~sparc-solaris ~x64-solaris ~x86-solaris"
-IUSE="cacert utils"
-# pkg-config called by nss-config -> virtual/pkgconfig in RDEPEND
-RDEPEND="
-	>=dev-libs/nspr-${NSPR_VER}[${MULTILIB_USEDEP}]
-	>=dev-db/sqlite-3.8.2[${MULTILIB_USEDEP}]
-	>=sys-libs/zlib-1.2.8-r1[${MULTILIB_USEDEP}]
-	virtual/pkgconfig
-"
-DEPEND="${RDEPEND}"
-
-RESTRICT="test"
-
-S="${WORKDIR}/${P}/${PN}"
-
-MULTILIB_CHOST_TOOLS=(
-	/usr/bin/nss-config
-)
-
-PATCHES=(
-	# Custom changes for gentoo
-	"${FILESDIR}/${PN}-3.53-gentoo-fixups.patch"
-	"${FILESDIR}/${PN}-3.21-gentoo-fixup-warnings.patch"
-	"${FILESDIR}/${PN}-3.23-hppa-byte_order.patch"
-	"${FILESDIR}/${PN}-3.53-fix-building-on-ppc.patch"
-)
-
-src_prepare() {
-	if use cacert ; then #521462
-		PATCHES+=(
-			"${DISTDIR}/${PN}-cacert-class1-class3.patch"
-		)
-	fi
-
-	default
-
-	pushd coreconf >/dev/null || die
-	# hack nspr paths
-	echo 'INCLUDES += -I$(DIST)/include/dbm' \
-		>> headers.mk || die "failed to append include"
-
-	# modify install path
-	sed -e '/CORE_DEPTH/s:SOURCE_PREFIX.*$:SOURCE_PREFIX = $(CORE_DEPTH)/dist:' \
-		-i source.mk || die
-
-	# Respect LDFLAGS
-	sed -i -e 's/\$(MKSHLIB) -o/\$(MKSHLIB) \$(LDFLAGS) -o/g' rules.mk
-	popd >/dev/null || die
-
-	# Fix pkgconfig file for Prefix
-	sed -i -e "/^PREFIX =/s:= /usr:= ${EPREFIX}/usr:" \
-		config/Makefile || die
-
-	# use host shlibsign if need be #436216
-	if tc-is-cross-compiler ; then
-		sed -i \
-			-e 's:"${2}"/shlibsign:shlibsign:' \
-			cmd/shlibsign/sign.sh || die
-	fi
-
-	# dirty hack
-	sed -i -e "/CRYPTOLIB/s:\$(SOFTOKEN_LIB_DIR):../freebl/\$(OBJDIR):" \
-		lib/ssl/config.mk || die
-	sed -i -e "/CRYPTOLIB/s:\$(SOFTOKEN_LIB_DIR):../../lib/freebl/\$(OBJDIR):" \
-		cmd/platlibs.mk || die
-
-	multilib_copy_sources
-
-	strip-flags
-}
-
-multilib_src_configure() {
-	# Ensure we stay multilib aware
-	sed -i -e "/@libdir@/ s:lib64:$(get_libdir):" config/Makefile || die
-}
-
-nssarch() {
-	# Most of the arches are the same as $ARCH
-	local t=${1:-${CHOST}}
-	case ${t} in
-		aarch64*)echo "aarch64";;
-		hppa*)   echo "parisc";;
-		i?86*)   echo "i686";;
-		x86_64*) echo "x86_64";;
-		*)       tc-arch ${t};;
-	esac
-}
-
-nssbits() {
-	local cc cppflags="${1}CPPFLAGS" cflags="${1}CFLAGS"
-	if [[ ${1} == BUILD_ ]]; then
-		cc=$(tc-getBUILD_CC)
-	else
-		cc=$(tc-getCC)
-	fi
-	echo > "${T}"/test.c || die
-	${cc} ${!cppflags} ${!cflags} -c "${T}"/test.c -o "${T}/${1}test.o" || die
-	case $(file "${T}/${1}test.o") in
-		*32-bit*x86-64*) echo USE_X32=1;;
-		*64-bit*|*ppc64*|*x86_64*) echo USE_64=1;;
-		*32-bit*|*ppc*|*i386*) ;;
-		*) die "Failed to detect whether ${cc} builds 64bits or 32bits, disable distcc if you're using it, please";;
-	esac
-}
-
-multilib_src_compile() {
-	# use ABI to determine bit'ness, or fallback if unset
-	local buildbits mybits
-	case "${ABI}" in
-		n32) mybits="USE_N32=1";;
-		x32) mybits="USE_X32=1";;
-		s390x|*64) mybits="USE_64=1";;
-		${DEFAULT_ABI})
-			einfo "Running compilation test to determine bit'ness"
-			mybits=$(nssbits)
-			;;
-	esac
-	# bitness of host may differ from target
-	if tc-is-cross-compiler; then
-		buildbits=$(nssbits BUILD_)
-	fi
-
-	local makeargs=(
-		CC="$(tc-getCC)"
-		CCC="$(tc-getCXX)"
-		AR="$(tc-getAR) rc \$@"
-		RANLIB="$(tc-getRANLIB)"
-		OPTIMIZER=
-		${mybits}
-	)
-
-	# Take care of nspr settings #436216
-	local myCPPFLAGS="${CPPFLAGS} $($(tc-getPKG_CONFIG) nspr --cflags)"
-	unset NSPR_INCLUDE_DIR
-
-	export NSS_ALLOW_SSLKEYLOGFILE=1
-	export NSS_ENABLE_WERROR=0 #567158
-	export BUILD_OPT=1
-	export NSS_USE_SYSTEM_SQLITE=1
-	export NSDISTMODE=copy
-	export FREEBL_NO_DEPEND=1
-	export FREEBL_LOWHASH=1
-	export NSS_SEED_ONLY_DEV_URANDOM=1
-	export USE_SYSTEM_ZLIB=1
-	export ZLIB_LIBS=-lz
-	export ASFLAGS=""
-
-	local d
-
-	# Build the host tools first.
-	LDFLAGS="${BUILD_LDFLAGS}" \
-	XCFLAGS="${BUILD_CFLAGS}" \
-	NSPR_LIB_DIR="${T}/fakedir" \
-	emake -j1 -C coreconf \
-		CC="$(tc-getBUILD_CC)" \
-		${buildbits-${mybits}}
-	makeargs+=( NSINSTALL="${PWD}/$(find -type f -name nsinstall)" )
-
-	# Then build the target tools.
-	for d in . lib/dbm ; do
-		CPPFLAGS="${myCPPFLAGS}" \
-		XCFLAGS="${CFLAGS} ${CPPFLAGS}" \
-		NSPR_LIB_DIR="${T}/fakedir" \
-		emake -j1 "${makeargs[@]}" -C ${d}
-	done
-}
-
-# Altering these 3 libraries breaks the CHK verification.
-# All of the following cause it to break:
-# - stripping
-# - prelink
-# - ELF signing
-# http://www.mozilla.org/projects/security/pki/nss/tech-notes/tn6.html
-# Either we have to NOT strip them, or we have to forcibly resign after
-# stripping.
-#local_libdir="$(get_libdir)"
-#export STRIP_MASK="
-#	*/${local_libdir}/libfreebl3.so*
-#	*/${local_libdir}/libnssdbm3.so*
-#	*/${local_libdir}/libsoftokn3.so*"
-
-export NSS_CHK_SIGN_LIBS="freebl3 nssdbm3 softokn3"
-
-generate_chk() {
-	local shlibsign="$1"
-	local libdir="$2"
-	einfo "Resigning core NSS libraries for FIPS validation"
-	shift 2
-	local i
-	for i in ${NSS_CHK_SIGN_LIBS} ; do
-		local libname=lib${i}.so
-		local chkname=lib${i}.chk
-		"${shlibsign}" \
-			-i "${libdir}"/${libname} \
-			-o "${libdir}"/${chkname}.tmp \
-		&& mv -f \
-			"${libdir}"/${chkname}.tmp \
-			"${libdir}"/${chkname} \
-		|| die "Failed to sign ${libname}"
-	done
-}
-
-cleanup_chk() {
-	local libdir="$1"
-	shift 1
-	local i
-	for i in ${NSS_CHK_SIGN_LIBS} ; do
-		local libfname="${libdir}/lib${i}.so"
-		# If the major version has changed, then we have old chk files.
-		[ ! -f "${libfname}" -a -f "${libfname}.chk" ] \
-			&& rm -f "${libfname}.chk"
-	done
-}
-
-multilib_src_install() {
-	pushd dist >/dev/null || die
-
-	dodir /usr/$(get_libdir)
-	cp -L */lib/*$(get_libname) "${ED}"/usr/$(get_libdir) || die "copying shared libs failed"
-	local i
-	for i in crmf freebl nssb nssckfw ; do
-		cp -L */lib/lib${i}.a "${ED}"/usr/$(get_libdir) || die "copying libs failed"
-	done
-
-	# Install nss-config and pkgconfig file
-	dodir /usr/bin
-	cp -L */bin/nss-config "${ED}"/usr/bin || die
-	dodir /usr/$(get_libdir)/pkgconfig
-	cp -L */lib/pkgconfig/nss.pc "${ED}"/usr/$(get_libdir)/pkgconfig || die
-
-	# create an nss-softokn.pc from nss.pc for libfreebl and some private headers
-	# bug 517266
-	sed 	-e 's#Libs:#Libs: -lfreebl#' \
-		-e 's#Cflags:#Cflags: -I${includedir}/private#' \
-		*/lib/pkgconfig/nss.pc >"${ED}"/usr/$(get_libdir)/pkgconfig/nss-softokn.pc \
-		|| die "could not create nss-softokn.pc"
-
-	# all the include files
-	insinto /usr/include/nss
-	doins public/nss/*.{h,api}
-	insinto /usr/include/nss/private
-	doins private/nss/{blapi,alghmac,cmac}.h
-
-	popd >/dev/null || die
-
-	local f nssutils
-	# Always enabled because we need it for chk generation.
-	nssutils=( shlibsign )
-
-	if multilib_is_native_abi ; then
-		if use utils; then
-			# The tests we do not need to install.
-			#nssutils_test="bltest crmftest dbtest dertimetest
-			#fipstest remtest sdrtest"
-			# checkcert utils has been removed in nss-3.22:
-			# https://bugzilla.mozilla.org/show_bug.cgi?id=1187545
-			# https://hg.mozilla.org/projects/nss/rev/df1729d37870
-			# certcgi has been removed in nss-3.36:
-			# https://bugzilla.mozilla.org/show_bug.cgi?id=1426602
-			nssutils+=(
-				addbuiltin
-				atob
-				baddbdir
-				btoa
-				certutil
-				cmsutil
-				conflict
-				crlutil
-				derdump
-				digest
-				makepqg
-				mangle
-				modutil
-				multinit
-				nonspr10
-				ocspclnt
-				oidcalc
-				p7content
-				p7env
-				p7sign
-				p7verify
-				pk11mode
-				pk12util
-				pp
-				rsaperf
-				selfserv
-				signtool
-				signver
-				ssltap
-				strsclnt
-				symkeyutil
-				tstclnt
-				vfychain
-				vfyserv
-			)
-			# install man-pages for utils (bug #516810)
-			doman doc/nroff/*.1
-		fi
-		pushd dist/*/bin >/dev/null || die
-		for f in ${nssutils[@]}; do
-			dobin ${f}
-		done
-		popd >/dev/null || die
-	fi
-
-	# Prelink breaks the CHK files. We don't have any reliable way to run
-	# shlibsign after prelink.
-	dodir /etc/prelink.conf.d
-	printf -- "-b ${EPREFIX}/usr/$(get_libdir)/lib%s.so\n" ${NSS_CHK_SIGN_LIBS} \
-		> "${ED}"/etc/prelink.conf.d/nss.conf
-}
-
-pkg_postinst() {
-	multilib_pkg_postinst() {
-		# We must re-sign the libraries AFTER they are stripped.
-		local shlibsign="${EROOT}/usr/bin/shlibsign"
-		# See if we can execute it (cross-compiling & such). #436216
-		"${shlibsign}" -h >&/dev/null
-		if [[ $? -gt 1 ]] ; then
-			shlibsign="shlibsign"
-		fi
-		generate_chk "${shlibsign}" "${EROOT}"/usr/$(get_libdir)
-	}
-
-	multilib_foreach_abi multilib_pkg_postinst
-}
-
-pkg_postrm() {
-	multilib_pkg_postrm() {
-		cleanup_chk "${EROOT}"/usr/$(get_libdir)
-	}
-
-	multilib_foreach_abi multilib_pkg_postrm
-}

diff --git a/dev-libs/nss/nss-3.54-r1.ebuild b/dev-libs/nss/nss-3.54-r1.ebuild
deleted file mode 100644
index 5d96e159be4..00000000000
--- a/dev-libs/nss/nss-3.54-r1.ebuild
+++ /dev/null
@@ -1,351 +0,0 @@
-# Copyright 1999-2020 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=7
-
-inherit eutils flag-o-matic multilib toolchain-funcs multilib-minimal
-
-NSPR_VER="4.26"
-RTM_NAME="NSS_${PV//./_}_RTM"
-
-DESCRIPTION="Mozilla's Network Security Services library that implements PKI support"
-HOMEPAGE="http://www.mozilla.org/projects/security/pki/nss/"
-SRC_URI="https://archive.mozilla.org/pub/security/nss/releases/${RTM_NAME}/src/${P}.tar.gz
-	cacert? ( https://dev.gentoo.org/~axs/distfiles/${PN}-cacert-class1-class3.patch )"
-
-LICENSE="|| ( MPL-2.0 GPL-2 LGPL-2.1 )"
-SLOT="0"
-KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sparc ~x86 ~amd64-linux ~x86-linux ~x86-macos ~sparc-solaris ~x64-solaris ~x86-solaris"
-IUSE="cacert utils"
-# pkg-config called by nss-config -> virtual/pkgconfig in RDEPEND
-RDEPEND="
-	>=dev-libs/nspr-${NSPR_VER}[${MULTILIB_USEDEP}]
-	>=dev-db/sqlite-3.8.2[${MULTILIB_USEDEP}]
-	>=sys-libs/zlib-1.2.8-r1[${MULTILIB_USEDEP}]
-	virtual/pkgconfig
-"
-DEPEND="${RDEPEND}"
-
-RESTRICT="test"
-
-S="${WORKDIR}/${P}/${PN}"
-
-MULTILIB_CHOST_TOOLS=(
-	/usr/bin/nss-config
-)
-
-PATCHES=(
-	# Custom changes for gentoo
-	"${FILESDIR}/${PN}-3.53-gentoo-fixups.patch"
-	"${FILESDIR}/${PN}-3.21-gentoo-fixup-warnings.patch"
-	"${FILESDIR}/${PN}-3.23-hppa-byte_order.patch"
-	"${FILESDIR}/${PN}-3.53-fix-building-on-ppc.patch"
-)
-
-src_prepare() {
-	if use cacert ; then #521462
-		PATCHES+=(
-			"${DISTDIR}/${PN}-cacert-class1-class3.patch"
-		)
-	fi
-
-	default
-
-	pushd coreconf >/dev/null || die
-	# hack nspr paths
-	echo 'INCLUDES += -I$(DIST)/include/dbm' \
-		>> headers.mk || die "failed to append include"
-
-	# modify install path
-	sed -e '/CORE_DEPTH/s:SOURCE_PREFIX.*$:SOURCE_PREFIX = $(CORE_DEPTH)/dist:' \
-		-i source.mk || die
-
-	# Respect LDFLAGS
-	sed -i -e 's/\$(MKSHLIB) -o/\$(MKSHLIB) \$(LDFLAGS) -o/g' rules.mk
-	popd >/dev/null || die
-
-	# Fix pkgconfig file for Prefix
-	sed -i -e "/^PREFIX =/s:= /usr:= ${EPREFIX}/usr:" \
-		config/Makefile || die
-
-	# use host shlibsign if need be #436216
-	if tc-is-cross-compiler ; then
-		sed -i \
-			-e 's:"${2}"/shlibsign:shlibsign:' \
-			cmd/shlibsign/sign.sh || die
-	fi
-
-	# dirty hack
-	sed -i -e "/CRYPTOLIB/s:\$(SOFTOKEN_LIB_DIR):../freebl/\$(OBJDIR):" \
-		lib/ssl/config.mk || die
-	sed -i -e "/CRYPTOLIB/s:\$(SOFTOKEN_LIB_DIR):../../lib/freebl/\$(OBJDIR):" \
-		cmd/platlibs.mk || die
-
-	multilib_copy_sources
-
-	strip-flags
-}
-
-multilib_src_configure() {
-	# Ensure we stay multilib aware
-	sed -i -e "/@libdir@/ s:lib64:$(get_libdir):" config/Makefile || die
-}
-
-nssarch() {
-	# Most of the arches are the same as $ARCH
-	local t=${1:-${CHOST}}
-	case ${t} in
-		aarch64*)echo "aarch64";;
-		hppa*)   echo "parisc";;
-		i?86*)   echo "i686";;
-		x86_64*) echo "x86_64";;
-		*)       tc-arch ${t};;
-	esac
-}
-
-nssbits() {
-	local cc cppflags="${1}CPPFLAGS" cflags="${1}CFLAGS"
-	if [[ ${1} == BUILD_ ]]; then
-		cc=$(tc-getBUILD_CC)
-	else
-		cc=$(tc-getCC)
-	fi
-	echo > "${T}"/test.c || die
-	${cc} ${!cppflags} ${!cflags} -c "${T}"/test.c -o "${T}/${1}test.o" || die
-	case $(file "${T}/${1}test.o") in
-		*32-bit*x86-64*) echo USE_X32=1;;
-		*64-bit*|*ppc64*|*x86_64*) echo USE_64=1;;
-		*32-bit*|*ppc*|*i386*) ;;
-		*) die "Failed to detect whether ${cc} builds 64bits or 32bits, disable distcc if you're using it, please";;
-	esac
-}
-
-multilib_src_compile() {
-	# use ABI to determine bit'ness, or fallback if unset
-	local buildbits mybits
-	case "${ABI}" in
-		n32) mybits="USE_N32=1";;
-		x32) mybits="USE_X32=1";;
-		s390x|*64) mybits="USE_64=1";;
-		${DEFAULT_ABI})
-			einfo "Running compilation test to determine bit'ness"
-			mybits=$(nssbits)
-			;;
-	esac
-	# bitness of host may differ from target
-	if tc-is-cross-compiler; then
-		buildbits=$(nssbits BUILD_)
-	fi
-
-	local makeargs=(
-		CC="$(tc-getCC)"
-		CCC="$(tc-getCXX)"
-		AR="$(tc-getAR) rc \$@"
-		RANLIB="$(tc-getRANLIB)"
-		OPTIMIZER=
-		${mybits}
-	)
-
-	# Take care of nspr settings #436216
-	local myCPPFLAGS="${CPPFLAGS} $($(tc-getPKG_CONFIG) nspr --cflags)"
-	unset NSPR_INCLUDE_DIR
-
-	export NSS_ALLOW_SSLKEYLOGFILE=1
-	export NSS_ENABLE_WERROR=0 #567158
-	export BUILD_OPT=1
-	export NSS_USE_SYSTEM_SQLITE=1
-	export NSDISTMODE=copy
-	export FREEBL_NO_DEPEND=1
-	export FREEBL_LOWHASH=1
-	export NSS_SEED_ONLY_DEV_URANDOM=1
-	export USE_SYSTEM_ZLIB=1
-	export ZLIB_LIBS=-lz
-	export ASFLAGS=""
-
-	local d
-
-	# Build the host tools first.
-	LDFLAGS="${BUILD_LDFLAGS}" \
-	XCFLAGS="${BUILD_CFLAGS}" \
-	NSPR_LIB_DIR="${T}/fakedir" \
-	emake -j1 -C coreconf \
-		CC="$(tc-getBUILD_CC)" \
-		${buildbits-${mybits}}
-	makeargs+=( NSINSTALL="${PWD}/$(find -type f -name nsinstall)" )
-
-	# Then build the target tools.
-	for d in . lib/dbm ; do
-		CPPFLAGS="${myCPPFLAGS}" \
-		XCFLAGS="${CFLAGS} ${CPPFLAGS}" \
-		NSPR_LIB_DIR="${T}/fakedir" \
-		emake -j1 "${makeargs[@]}" -C ${d}
-	done
-}
-
-# Altering these 3 libraries breaks the CHK verification.
-# All of the following cause it to break:
-# - stripping
-# - prelink
-# - ELF signing
-# http://www.mozilla.org/projects/security/pki/nss/tech-notes/tn6.html
-# Either we have to NOT strip them, or we have to forcibly resign after
-# stripping.
-#local_libdir="$(get_libdir)"
-#export STRIP_MASK="
-#	*/${local_libdir}/libfreebl3.so*
-#	*/${local_libdir}/libnssdbm3.so*
-#	*/${local_libdir}/libsoftokn3.so*"
-
-export NSS_CHK_SIGN_LIBS="freebl3 nssdbm3 softokn3"
-
-generate_chk() {
-	local shlibsign="$1"
-	local libdir="$2"
-	einfo "Resigning core NSS libraries for FIPS validation"
-	shift 2
-	local i
-	for i in ${NSS_CHK_SIGN_LIBS} ; do
-		local libname=lib${i}.so
-		local chkname=lib${i}.chk
-		"${shlibsign}" \
-			-i "${libdir}"/${libname} \
-			-o "${libdir}"/${chkname}.tmp \
-		&& mv -f \
-			"${libdir}"/${chkname}.tmp \
-			"${libdir}"/${chkname} \
-		|| die "Failed to sign ${libname}"
-	done
-}
-
-cleanup_chk() {
-	local libdir="$1"
-	shift 1
-	local i
-	for i in ${NSS_CHK_SIGN_LIBS} ; do
-		local libfname="${libdir}/lib${i}.so"
-		# If the major version has changed, then we have old chk files.
-		[ ! -f "${libfname}" -a -f "${libfname}.chk" ] \
-			&& rm -f "${libfname}.chk"
-	done
-}
-
-multilib_src_install() {
-	pushd dist >/dev/null || die
-
-	dodir /usr/$(get_libdir)
-	cp -L */lib/*$(get_libname) "${ED}"/usr/$(get_libdir) || die "copying shared libs failed"
-	local i
-	for i in crmf freebl nssb nssckfw ; do
-		cp -L */lib/lib${i}.a "${ED}"/usr/$(get_libdir) || die "copying libs failed"
-	done
-
-	# Install nss-config and pkgconfig file
-	dodir /usr/bin
-	cp -L */bin/nss-config "${ED}"/usr/bin || die
-	dodir /usr/$(get_libdir)/pkgconfig
-	cp -L */lib/pkgconfig/nss.pc "${ED}"/usr/$(get_libdir)/pkgconfig || die
-
-	# create an nss-softokn.pc from nss.pc for libfreebl and some private headers
-	# bug 517266
-	sed 	-e 's#Libs:#Libs: -lfreebl#' \
-		-e 's#Cflags:#Cflags: -I${includedir}/private#' \
-		*/lib/pkgconfig/nss.pc >"${ED}"/usr/$(get_libdir)/pkgconfig/nss-softokn.pc \
-		|| die "could not create nss-softokn.pc"
-
-	# all the include files
-	insinto /usr/include/nss
-	doins public/nss/*.{h,api}
-	insinto /usr/include/nss/private
-	doins private/nss/{blapi,alghmac,cmac}.h
-
-	popd >/dev/null || die
-
-	local f nssutils
-	# Always enabled because we need it for chk generation.
-	nssutils=( shlibsign )
-
-	if multilib_is_native_abi ; then
-		if use utils; then
-			# The tests we do not need to install.
-			#nssutils_test="bltest crmftest dbtest dertimetest
-			#fipstest remtest sdrtest"
-			# checkcert utils has been removed in nss-3.22:
-			# https://bugzilla.mozilla.org/show_bug.cgi?id=1187545
-			# https://hg.mozilla.org/projects/nss/rev/df1729d37870
-			# certcgi has been removed in nss-3.36:
-			# https://bugzilla.mozilla.org/show_bug.cgi?id=1426602
-			nssutils+=(
-				addbuiltin
-				atob
-				baddbdir
-				btoa
-				certutil
-				cmsutil
-				conflict
-				crlutil
-				derdump
-				digest
-				makepqg
-				mangle
-				modutil
-				multinit
-				nonspr10
-				ocspclnt
-				oidcalc
-				p7content
-				p7env
-				p7sign
-				p7verify
-				pk11mode
-				pk12util
-				pp
-				rsaperf
-				selfserv
-				signtool
-				signver
-				ssltap
-				strsclnt
-				symkeyutil
-				tstclnt
-				vfychain
-				vfyserv
-			)
-			# install man-pages for utils (bug #516810)
-			doman doc/nroff/*.1
-		fi
-		pushd dist/*/bin >/dev/null || die
-		for f in ${nssutils[@]}; do
-			dobin ${f}
-		done
-		popd >/dev/null || die
-	fi
-
-	# Prelink breaks the CHK files. We don't have any reliable way to run
-	# shlibsign after prelink.
-	dodir /etc/prelink.conf.d
-	printf -- "-b ${EPREFIX}/usr/$(get_libdir)/lib%s.so\n" ${NSS_CHK_SIGN_LIBS} \
-		> "${ED}"/etc/prelink.conf.d/nss.conf
-}
-
-pkg_postinst() {
-	multilib_pkg_postinst() {
-		# We must re-sign the libraries AFTER they are stripped.
-		local shlibsign="${EROOT}/usr/bin/shlibsign"
-		# See if we can execute it (cross-compiling & such). #436216
-		"${shlibsign}" -h >&/dev/null
-		if [[ $? -gt 1 ]] ; then
-			shlibsign="shlibsign"
-		fi
-		generate_chk "${shlibsign}" "${EROOT}"/usr/$(get_libdir)
-	}
-
-	multilib_foreach_abi multilib_pkg_postinst
-}
-
-pkg_postrm() {
-	multilib_pkg_postrm() {
-		cleanup_chk "${EROOT}"/usr/$(get_libdir)
-	}
-
-	multilib_foreach_abi multilib_pkg_postrm
-}


^ permalink raw reply related	[flat|nested] 19+ messages in thread
* [gentoo-commits] repo/gentoo:master commit in: dev-libs/nss/, dev-libs/nss/files/
@ 2020-06-28 19:05 Thomas Deutschmann
  0 siblings, 0 replies; 19+ messages in thread
From: Thomas Deutschmann @ 2020-06-28 19:05 UTC (permalink / raw
  To: gentoo-commits

commit:     893f2d565c0bc752426907f28a641bec6828574c
Author:     Thomas Deutschmann <whissi <AT> gentoo <DOT> org>
AuthorDate: Sun Jun 28 19:05:08 2020 +0000
Commit:     Thomas Deutschmann <whissi <AT> gentoo <DOT> org>
CommitDate: Sun Jun 28 19:05:19 2020 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=893f2d56

dev-libs/nss: fix building on PPC

Closes: https://bugs.gentoo.org/722110
Package-Manager: Portage-2.3.101, Repoman-2.3.22
Signed-off-by: Thomas Deutschmann <whissi <AT> gentoo.org>

 .../nss/files/nss-3.53-fix-building-on-ppc.patch   | 39 ++++++++++++++++++++++
 dev-libs/nss/nss-3.52.1-r1.ebuild                  |  1 +
 dev-libs/nss/nss-3.53.1.ebuild                     |  1 +
 3 files changed, 41 insertions(+)

diff --git a/dev-libs/nss/files/nss-3.53-fix-building-on-ppc.patch b/dev-libs/nss/files/nss-3.53-fix-building-on-ppc.patch
new file mode 100644
index 00000000000..be2d4802c4c
--- /dev/null
+++ b/dev-libs/nss/files/nss-3.53-fix-building-on-ppc.patch
@@ -0,0 +1,39 @@
+https://bugzilla.mozilla.org/show_bug.cgi?id=1642174
+
+From 9e4f30b3168a95243df0c0891e3e432bc95382ad Mon Sep 17 00:00:00 2001
+From: Lauri Kasanen <cand@gmx.com>
+Date: Mon, 1 Jun 2020 12:11:45 +0300
+Subject: [PATCH v2] Bug 1642174 /usr/bin/ld: OBJS/Linux_SINGLE_SHLIB/sha512-p8.o:
+ ABI version 2 is not compatible with ABI version 1 output
+
+Don't try to build the SHA-2 accelerated asm on old-ABI ppc.
+
+Currently make only, I don't have enough gyp-fu to do that side.
+However, the reporters of 1642174 and 1635625 both used make, not gyp.
+
+Signed-off-by: Lauri Kasanen <cand@gmx.com>
+---
+ lib/freebl/Makefile | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/lib/freebl/Makefile b/lib/freebl/Makefile
+index 5f7384429..d01587c7a 100644
+--- a/lib/freebl/Makefile
++++ b/lib/freebl/Makefile
+@@ -267,9 +267,12 @@ ifeq ($(CPU_ARCH),arm)
+ endif
+ ifeq ($(CPU_ARCH),ppc)
+     EXTRA_SRCS += gcm-ppc.c
+-    ASFILES += sha512-p8.s
++    PPC_ABI := $(shell $(CC) -dM -E - < /dev/null | grep _CALL_ELF | awk '{ print $3 }')
+ ifdef USE_64
+     DEFINES += -DNSS_NO_INIT_SUPPORT
++    ifeq ($(PPC_ABI),2)
++        ASFILES += sha512-p8.s
++    endif
+ endif # USE_64
+ endif # ppc
+ endif # Linux
+-- 
+2.19.1
+

diff --git a/dev-libs/nss/nss-3.52.1-r1.ebuild b/dev-libs/nss/nss-3.52.1-r1.ebuild
index fcd9c6e73a8..56359ce5955 100644
--- a/dev-libs/nss/nss-3.52.1-r1.ebuild
+++ b/dev-libs/nss/nss-3.52.1-r1.ebuild
@@ -39,6 +39,7 @@ PATCHES=(
 	"${FILESDIR}/${PN}-3.47-gentoo-fixups.patch"
 	"${FILESDIR}/${PN}-3.21-gentoo-fixup-warnings.patch"
 	"${FILESDIR}/${PN}-3.23-hppa-byte_order.patch"
+	"${FILESDIR}/${PN}-3.53-fix-building-on-ppc.patch"
 )
 
 src_prepare() {

diff --git a/dev-libs/nss/nss-3.53.1.ebuild b/dev-libs/nss/nss-3.53.1.ebuild
index df2971ed709..d94d193dbe9 100644
--- a/dev-libs/nss/nss-3.53.1.ebuild
+++ b/dev-libs/nss/nss-3.53.1.ebuild
@@ -39,6 +39,7 @@ PATCHES=(
 	"${FILESDIR}/${PN}-3.53-gentoo-fixups.patch"
 	"${FILESDIR}/${PN}-3.21-gentoo-fixup-warnings.patch"
 	"${FILESDIR}/${PN}-3.23-hppa-byte_order.patch"
+	"${FILESDIR}/${PN}-3.53-fix-building-on-ppc.patch"
 )
 
 src_prepare() {


^ permalink raw reply related	[flat|nested] 19+ messages in thread
* [gentoo-commits] repo/gentoo:master commit in: dev-libs/nss/, dev-libs/nss/files/
@ 2019-10-20 14:54 Lars Wendler
  0 siblings, 0 replies; 19+ messages in thread
From: Lars Wendler @ 2019-10-20 14:54 UTC (permalink / raw
  To: gentoo-commits

commit:     90a14e747543cb7cdaa0c30a21aae01030fd98fa
Author:     Lars Wendler <polynomial-c <AT> gentoo <DOT> org>
AuthorDate: Sun Oct 20 14:53:56 2019 +0000
Commit:     Lars Wendler <polynomial-c <AT> gentoo <DOT> org>
CommitDate: Sun Oct 20 14:54:19 2019 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=90a14e74

dev-libs/nss: Bump to version 3.47

Package-Manager: Portage-2.3.77, Repoman-2.3.17
Signed-off-by: Lars Wendler <polynomial-c <AT> gentoo.org>

 dev-libs/nss/Manifest                           |   1 +
 dev-libs/nss/files/nss-3.47-enable-pem.patch    |  11 +
 dev-libs/nss/files/nss-3.47-gentoo-fixups.patch | 242 +++++++++++++++
 dev-libs/nss/nss-3.47.ebuild                    | 373 ++++++++++++++++++++++++
 4 files changed, 627 insertions(+)

diff --git a/dev-libs/nss/Manifest b/dev-libs/nss/Manifest
index 1c9580a8742..108988a7784 100644
--- a/dev-libs/nss/Manifest
+++ b/dev-libs/nss/Manifest
@@ -1,5 +1,6 @@
 DIST nss-3.40.1.tar.gz 23311074 BLAKE2B 9cd723e983a3f70748b0734bb2a6cc1ddfa280f1c167c3b1b371a58900fb3d9b3bf3482293bb8614d39ffb538bcca815a2aedbe03d2d643731817452f82bc2ca SHA512 464ae843161e8deb911975d2117e8bf1194a968689b4ce70f9a12d5a33dba7ddd69f1248ec45244139c30fcc87678b206a4e124f032b26ead8bf894e4e8d0564
 DIST nss-3.46.1.tar.gz 76417797 BLAKE2B c65679a7eb50991958858afe2a20824dd9ff4c0f554f3c1964ccec269c2da9de1fa674a6ebf24fd3c8465315e491a9b50188382d1032b0cfe74c289d49049926 SHA512 f4c24f0e31d11413cbbf791a24687c02cd934b9baf4a3e9ce27406638a1d497654fbeec79c22ab4ad29374dd0063c05104c9514580b1b8156ed8d18404e1681b
 DIST nss-3.46.tar.gz 76417155 BLAKE2B 18e22a60df185764f434779211289a78d05270d8493766100e378e2ecfdb3013feb73359088d53667fb3c57a5b29633c9f800d29739cff5aab2af81e7ddbe2d7 SHA512 de309ec8d6aa2c3cf4d5ebfe9fa1f8bf5def717d22018d5c88c1de963b4ae7b0d69ad64e68d830574fc85613483fd538cb2f319ffb3fa2e1b97ec02f85d37c48
+DIST nss-3.47.tar.gz 76461837 BLAKE2B 8b11b5330cf134f2f94c2b4a07d52e153ff40006770e31cbba379ff623b822778bd8ae4510493912263299bbb8f6e0706f30d59633256a3141cbd8faedd1f257 SHA512 99d04d28c38092826f5aab125662780865de49a97743ff0ab49a191bafae3ba3a937369cd6909ab23e7dcaf06482c8852b31ef057dc12c758f2681e03822e247
 DIST nss-cacert-class1-class3.patch 22950 BLAKE2B 9d5e60df5f161a3c27c41e5a9419440a54f888eda454e3cde5ebe626d4075b65cf9938b5144d0fb022377f4bd415bff5e5c67d104409860aa9391b3eb8872c68 SHA512 a5aa740bf110a3f0262e3f1ef2fc739ac2b44f042e220039d48aee8e97cd764d5c10718220364f4098aba955882bd02cadb5481512388971a8290312f88a7df0
 DIST nss-pem-20160329.tar.xz 27732 BLAKE2B 7c23133a7bfb969d8eac98fb6311e76ab60c5d6601c7329f3c492da30c017e66d64a1f8bc827dd36e52e65c1a1ec02b58816442aaf410345c5ed759a02264b84 SHA512 5834b06e4c64205447573d4f4c8989e20986ae67ee00eebce3817eb73794a6355a404143ba1c676ec302ceefaf9df103cb879b1d4ff14ba4e3790dbee3e40eb2

diff --git a/dev-libs/nss/files/nss-3.47-enable-pem.patch b/dev-libs/nss/files/nss-3.47-enable-pem.patch
new file mode 100644
index 00000000000..47a01c322bb
--- /dev/null
+++ b/dev-libs/nss/files/nss-3.47-enable-pem.patch
@@ -0,0 +1,11 @@
+--- a/lib/ckfw/manifest.mn
++++ b/lib/ckfw/manifest.mn
+@@ -5,7 +5,7 @@
+ 
+ CORE_DEPTH = ../..
+ 
+-DIRS = builtins
++DIRS = builtins pem
+ 
+ PRIVATE_EXPORTS = \
+ 	ck.h		  \

diff --git a/dev-libs/nss/files/nss-3.47-gentoo-fixups.patch b/dev-libs/nss/files/nss-3.47-gentoo-fixups.patch
new file mode 100644
index 00000000000..9bf9e016357
--- /dev/null
+++ b/dev-libs/nss/files/nss-3.47-gentoo-fixups.patch
@@ -0,0 +1,242 @@
+--- a/config/Makefile
++++ b/config/Makefile
+@@ -0,0 +1,40 @@
++CORE_DEPTH = ..
++DEPTH      = ..
++
++include $(CORE_DEPTH)/coreconf/config.mk
++
++NSS_MAJOR_VERSION = `grep "NSS_VMAJOR" ../lib/nss/nss.h | awk '{print $$3}'`
++NSS_MINOR_VERSION = `grep "NSS_VMINOR" ../lib/nss/nss.h | awk '{print $$3}'`
++NSS_PATCH_VERSION = `grep "NSS_VPATCH" ../lib/nss/nss.h | awk '{print $$3}'`
++PREFIX = /usr
++
++all: export libs
++
++export:
++	# Create the nss.pc file
++	mkdir -p $(DIST)/lib/pkgconfig
++	sed -e "s,@prefix@,$(PREFIX)," \
++	    -e "s,@exec_prefix@,\$${prefix}," \
++	    -e "s,@libdir@,\$${prefix}/lib64," \
++	    -e "s,@includedir@,\$${prefix}/include/nss," \
++	    -e "s,@NSS_MAJOR_VERSION@,$(NSS_MAJOR_VERSION),g" \
++	    -e "s,@NSS_MINOR_VERSION@,$(NSS_MINOR_VERSION)," \
++	    -e "s,@NSS_PATCH_VERSION@,$(NSS_PATCH_VERSION)," \
++	    nss.pc.in > nss.pc
++	chmod 0644 nss.pc
++	ln -sf ../../../../config/nss.pc $(DIST)/lib/pkgconfig
++
++	# Create the nss-config script
++	mkdir -p $(DIST)/bin
++	sed -e "s,@prefix@,$(PREFIX)," \
++	    -e "s,@NSS_MAJOR_VERSION@,$(NSS_MAJOR_VERSION)," \
++	    -e "s,@NSS_MINOR_VERSION@,$(NSS_MINOR_VERSION)," \
++	    -e "s,@NSS_PATCH_VERSION@,$(NSS_PATCH_VERSION)," \
++	    nss-config.in > nss-config
++	chmod 0755 nss-config
++	ln -sf ../../../config/nss-config $(DIST)/bin
++
++libs:
++
++dummy: all export libs
++
+--- a/config/nss-config.in
++++ b/config/nss-config.in
+@@ -0,0 +1,145 @@
++#!/bin/sh
++
++prefix=@prefix@
++
++major_version=@NSS_MAJOR_VERSION@
++minor_version=@NSS_MINOR_VERSION@
++patch_version=@NSS_PATCH_VERSION@
++
++usage()
++{
++	cat <<EOF
++Usage: nss-config [OPTIONS] [LIBRARIES]
++Options:
++	[--prefix[=DIR]]
++	[--exec-prefix[=DIR]]
++	[--includedir[=DIR]]
++	[--libdir[=DIR]]
++	[--version]
++	[--libs]
++	[--cflags]
++Dynamic Libraries:
++	nss
++	ssl
++	smime
++	nssutil
++EOF
++	exit $1
++}
++
++if test $# -eq 0; then
++	usage 1 1>&2
++fi
++
++lib_ssl=yes
++lib_smime=yes
++lib_nss=yes
++lib_nssutil=yes
++
++while test $# -gt 0; do
++  case "$1" in
++  -*=*) optarg=`echo "$1" | sed 's/[-_a-zA-Z0-9]*=//'` ;;
++  *) optarg= ;;
++  esac
++
++  case $1 in
++    --prefix=*)
++      prefix=$optarg
++      ;;
++    --prefix)
++      echo_prefix=yes
++      ;;
++    --exec-prefix=*)
++      exec_prefix=$optarg
++      ;;
++    --exec-prefix)
++      echo_exec_prefix=yes
++      ;;
++    --includedir=*)
++      includedir=$optarg
++      ;;
++    --includedir)
++      echo_includedir=yes
++      ;;
++    --libdir=*)
++      libdir=$optarg
++      ;;
++    --libdir)
++      echo_libdir=yes
++      ;;
++    --version)
++      echo ${major_version}.${minor_version}.${patch_version}
++      ;;
++    --cflags)
++      echo_cflags=yes
++      ;;
++    --libs)
++      echo_libs=yes
++      ;;
++    ssl)
++      lib_ssl=yes
++      ;;
++    smime)
++      lib_smime=yes
++      ;;
++    nss)
++      lib_nss=yes
++      ;;
++    nssutil)                                                      
++      lib_nssutil=yes                                             
++      ;;
++    *)
++      usage 1 1>&2
++      ;;
++  esac
++  shift
++done
++
++# Set variables that may be dependent upon other variables
++if test -z "$exec_prefix"; then
++    exec_prefix=`pkg-config --variable=exec_prefix nss`
++fi
++if test -z "$includedir"; then
++    includedir=`pkg-config --variable=includedir nss`
++fi
++if test -z "$libdir"; then
++    libdir=`pkg-config --variable=libdir nss`
++fi
++
++if test "$echo_prefix" = "yes"; then
++    echo $prefix
++fi
++
++if test "$echo_exec_prefix" = "yes"; then
++    echo $exec_prefix
++fi
++
++if test "$echo_includedir" = "yes"; then
++    echo $includedir
++fi
++
++if test "$echo_libdir" = "yes"; then
++    echo $libdir
++fi
++
++if test "$echo_cflags" = "yes"; then
++    echo -I$includedir
++fi
++
++if test "$echo_libs" = "yes"; then
++      libdirs=""
++      if test -n "$lib_ssl"; then
++	libdirs="$libdirs -lssl${major_version}"
++      fi
++      if test -n "$lib_smime"; then
++	libdirs="$libdirs -lsmime${major_version}"
++      fi
++      if test -n "$lib_nss"; then
++	libdirs="$libdirs -lnss${major_version}"
++      fi
++      if test -n "$lib_nssutil"; then
++       libdirs="$libdirs -lnssutil${major_version}"
++      fi
++      echo $libdirs
++fi      
++
+--- a/config/nss.pc.in
++++ b/config/nss.pc.in
+@@ -0,0 +1,12 @@
++prefix=@prefix@
++exec_prefix=@exec_prefix@
++libdir=@libdir@
++includedir=@includedir@
++
++Name: NSS
++Description: Network Security Services
++Version: @NSS_MAJOR_VERSION@.@NSS_MINOR_VERSION@.@NSS_PATCH_VERSION@
++Requires: nspr >= 4.8
++Libs: -lssl3 -lsmime3 -lnss3 -lnssutil3
++Cflags: -I${includedir}
++
+--- a/Makefile
++++ b/Makefile
+@@ -47,7 +47,7 @@
+ # (7) Execute "local" rules. (OPTIONAL).                              #
+ #######################################################################
+ 
+-nss_build_all: build_nspr all latest
++nss_build_all: all latest
+ 
+ nss_clean_all: clobber_nspr clobber
+ 
+@@ -133,16 +133,6 @@
+ 	--prefix='$(NSS_GYP_PREFIX)'
+ endif
+ 
+-build_nspr: $(NSPR_CONFIG_STATUS)
+-	$(MAKE) -C $(CORE_DEPTH)/../nspr/$(OBJDIR_NAME)
+-	$(MAKE) -C $(CORE_DEPTH)/../nspr/$(OBJDIR_NAME)/pr/tests
+-
+-install_nspr: build_nspr
+-	$(MAKE) -C $(CORE_DEPTH)/../nspr/$(OBJDIR_NAME) install
+-
+-clobber_nspr: $(NSPR_CONFIG_STATUS)
+-	$(MAKE) -C $(CORE_DEPTH)/../nspr/$(OBJDIR_NAME) clobber
+-
+ build_docs:
+ 	$(MAKE) -C $(CORE_DEPTH)/doc
+ 
+--- a/manifest.mn
++++ b/manifest.mn
+@@ -10,4 +10,4 @@
+ 
+ RELEASE = nss
+ 
+-DIRS = coreconf lib cmd cpputil gtests
++DIRS = coreconf lib cmd cpputil config

diff --git a/dev-libs/nss/nss-3.47.ebuild b/dev-libs/nss/nss-3.47.ebuild
new file mode 100644
index 00000000000..3c41aeeeb56
--- /dev/null
+++ b/dev-libs/nss/nss-3.47.ebuild
@@ -0,0 +1,373 @@
+# Copyright 1999-2019 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=7
+
+inherit eutils flag-o-matic multilib toolchain-funcs multilib-minimal
+
+NSPR_VER="4.22"
+RTM_NAME="NSS_${PV//./_}_RTM"
+# Rev of https://git.fedorahosted.org/cgit/nss-pem.git
+PEM_GIT_REV="429b0222759d8ad8e6dcd29e62875ae3efd69116"
+PEM_P="${PN}-pem-20160329"
+
+DESCRIPTION="Mozilla's Network Security Services library that implements PKI support"
+HOMEPAGE="http://www.mozilla.org/projects/security/pki/nss/"
+SRC_URI="https://archive.mozilla.org/pub/security/nss/releases/${RTM_NAME}/src/${P}.tar.gz
+	cacert? ( https://dev.gentoo.org/~axs/distfiles/${PN}-cacert-class1-class3.patch )
+	nss-pem? ( https://dev.gentoo.org/~polynomial-c/${PEM_P}.tar.xz )"
+
+LICENSE="|| ( MPL-2.0 GPL-2 LGPL-2.1 )"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~amd64-linux ~x86-linux ~x86-macos ~sparc-solaris ~x64-solaris ~x86-solaris"
+IUSE="cacert +nss-pem utils"
+CDEPEND=">=dev-db/sqlite-3.8.2[${MULTILIB_USEDEP}]
+	>=sys-libs/zlib-1.2.8-r1[${MULTILIB_USEDEP}]"
+DEPEND=">=virtual/pkgconfig-0-r1[${MULTILIB_USEDEP}]
+	>=dev-libs/nspr-${NSPR_VER}[${MULTILIB_USEDEP}]
+	${CDEPEND}"
+RDEPEND=">=dev-libs/nspr-${NSPR_VER}[${MULTILIB_USEDEP}]
+	${CDEPEND}
+"
+
+RESTRICT="test"
+
+S="${WORKDIR}/${P}/${PN}"
+
+MULTILIB_CHOST_TOOLS=(
+	/usr/bin/nss-config
+)
+
+PATCHES=(
+	# Custom changes for gentoo
+	"${FILESDIR}/${PN}-3.47-gentoo-fixups.patch"
+	"${FILESDIR}/${PN}-3.21-gentoo-fixup-warnings.patch"
+	"${FILESDIR}/${PN}-3.23-hppa-byte_order.patch"
+)
+
+src_unpack() {
+	unpack ${A}
+	if use nss-pem ; then
+		mv "${PN}"/lib/ckfw/pem/ "${S}"/lib/ckfw/ || die
+	fi
+}
+
+src_prepare() {
+	if use nss-pem ; then
+		PATCHES+=(
+			"${FILESDIR}/${PN}-3.47-enable-pem.patch"
+		)
+	fi
+	if use cacert ; then #521462
+		PATCHES+=(
+			"${DISTDIR}/${PN}-cacert-class1-class3.patch"
+		)
+	fi
+
+	default
+
+	pushd coreconf >/dev/null || die
+	# hack nspr paths
+	echo 'INCLUDES += -I$(DIST)/include/dbm' \
+		>> headers.mk || die "failed to append include"
+
+	# modify install path
+	sed -e '/CORE_DEPTH/s:SOURCE_PREFIX.*$:SOURCE_PREFIX = $(CORE_DEPTH)/dist:' \
+		-i source.mk || die
+
+	# Respect LDFLAGS
+	sed -i -e 's/\$(MKSHLIB) -o/\$(MKSHLIB) \$(LDFLAGS) -o/g' rules.mk
+	popd >/dev/null || die
+
+	# Fix pkgconfig file for Prefix
+	sed -i -e "/^PREFIX =/s:= /usr:= ${EPREFIX}/usr:" \
+		config/Makefile || die
+
+	# use host shlibsign if need be #436216
+	if tc-is-cross-compiler ; then
+		sed -i \
+			-e 's:"${2}"/shlibsign:shlibsign:' \
+			cmd/shlibsign/sign.sh || die
+	fi
+
+	# dirty hack
+	sed -i -e "/CRYPTOLIB/s:\$(SOFTOKEN_LIB_DIR):../freebl/\$(OBJDIR):" \
+		lib/ssl/config.mk || die
+	sed -i -e "/CRYPTOLIB/s:\$(SOFTOKEN_LIB_DIR):../../lib/freebl/\$(OBJDIR):" \
+		cmd/platlibs.mk || die
+
+	multilib_copy_sources
+
+	strip-flags
+}
+
+multilib_src_configure() {
+	# Ensure we stay multilib aware
+	sed -i -e "/@libdir@/ s:lib64:$(get_libdir):" config/Makefile || die
+}
+
+nssarch() {
+	# Most of the arches are the same as $ARCH
+	local t=${1:-${CHOST}}
+	case ${t} in
+		aarch64*)echo "aarch64";;
+		hppa*)   echo "parisc";;
+		i?86*)   echo "i686";;
+		x86_64*) echo "x86_64";;
+		*)       tc-arch ${t};;
+	esac
+}
+
+nssbits() {
+	local cc cppflags="${1}CPPFLAGS" cflags="${1}CFLAGS"
+	if [[ ${1} == BUILD_ ]]; then
+		cc=$(tc-getBUILD_CC)
+	else
+		cc=$(tc-getCC)
+	fi
+	echo > "${T}"/test.c || die
+	${cc} ${!cppflags} ${!cflags} -c "${T}"/test.c -o "${T}/${1}test.o" || die
+	case $(file "${T}/${1}test.o") in
+		*32-bit*x86-64*) echo USE_X32=1;;
+		*64-bit*|*ppc64*|*x86_64*) echo USE_64=1;;
+		*32-bit*|*ppc*|*i386*) ;;
+		*) die "Failed to detect whether ${cc} builds 64bits or 32bits, disable distcc if you're using it, please";;
+	esac
+}
+
+multilib_src_compile() {
+	# use ABI to determine bit'ness, or fallback if unset
+	local buildbits mybits
+	case "${ABI}" in
+		n32) mybits="USE_N32=1";;
+		x32) mybits="USE_X32=1";;
+		s390x|*64) mybits="USE_64=1";;
+		${DEFAULT_ABI})
+			einfo "Running compilation test to determine bit'ness"
+			mybits=$(nssbits)
+			;;
+	esac
+	# bitness of host may differ from target
+	if tc-is-cross-compiler; then
+		buildbits=$(nssbits BUILD_)
+	fi
+
+	local makeargs=(
+		CC="$(tc-getCC)"
+		CCC="$(tc-getCXX)"
+		AR="$(tc-getAR) rc \$@"
+		RANLIB="$(tc-getRANLIB)"
+		OPTIMIZER=
+		${mybits}
+	)
+
+	# Take care of nspr settings #436216
+	local myCPPFLAGS="${CPPFLAGS} $($(tc-getPKG_CONFIG) nspr --cflags)"
+	unset NSPR_INCLUDE_DIR
+
+	# Do not let `uname` be used.
+	if use kernel_linux ; then
+		makeargs+=(
+			OS_TARGET=Linux
+			OS_RELEASE=2.6
+			OS_TEST="$(nssarch)"
+		)
+	fi
+
+	export NSS_ENABLE_WERROR=0 #567158
+	export BUILD_OPT=1
+	export NSS_USE_SYSTEM_SQLITE=1
+	export NSDISTMODE=copy
+	export NSS_ENABLE_ECC=1
+	export FREEBL_NO_DEPEND=1
+	export FREEBL_LOWHASH=1
+	export NSS_SEED_ONLY_DEV_URANDOM=1
+	export ASFLAGS=""
+
+	local d
+
+	# Build the host tools first.
+	LDFLAGS="${BUILD_LDFLAGS}" \
+	XCFLAGS="${BUILD_CFLAGS}" \
+	NSPR_LIB_DIR="${T}/fakedir" \
+	emake -j1 -C coreconf \
+		CC="$(tc-getBUILD_CC)" \
+		${buildbits:-${mybits}}
+	makeargs+=( NSINSTALL="${PWD}/$(find -type f -name nsinstall)" )
+
+	# Then build the target tools.
+	for d in . lib/dbm ; do
+		CPPFLAGS="${myCPPFLAGS}" \
+		XCFLAGS="${CFLAGS} ${CPPFLAGS}" \
+		NSPR_LIB_DIR="${T}/fakedir" \
+		emake -j1 "${makeargs[@]}" -C ${d}
+	done
+}
+
+# Altering these 3 libraries breaks the CHK verification.
+# All of the following cause it to break:
+# - stripping
+# - prelink
+# - ELF signing
+# http://www.mozilla.org/projects/security/pki/nss/tech-notes/tn6.html
+# Either we have to NOT strip them, or we have to forcibly resign after
+# stripping.
+#local_libdir="$(get_libdir)"
+#export STRIP_MASK="
+#	*/${local_libdir}/libfreebl3.so*
+#	*/${local_libdir}/libnssdbm3.so*
+#	*/${local_libdir}/libsoftokn3.so*"
+
+export NSS_CHK_SIGN_LIBS="freebl3 nssdbm3 softokn3"
+
+generate_chk() {
+	local shlibsign="$1"
+	local libdir="$2"
+	einfo "Resigning core NSS libraries for FIPS validation"
+	shift 2
+	local i
+	for i in ${NSS_CHK_SIGN_LIBS} ; do
+		local libname=lib${i}.so
+		local chkname=lib${i}.chk
+		"${shlibsign}" \
+			-i "${libdir}"/${libname} \
+			-o "${libdir}"/${chkname}.tmp \
+		&& mv -f \
+			"${libdir}"/${chkname}.tmp \
+			"${libdir}"/${chkname} \
+		|| die "Failed to sign ${libname}"
+	done
+}
+
+cleanup_chk() {
+	local libdir="$1"
+	shift 1
+	local i
+	for i in ${NSS_CHK_SIGN_LIBS} ; do
+		local libfname="${libdir}/lib${i}.so"
+		# If the major version has changed, then we have old chk files.
+		[ ! -f "${libfname}" -a -f "${libfname}.chk" ] \
+			&& rm -f "${libfname}.chk"
+	done
+}
+
+multilib_src_install() {
+	pushd dist >/dev/null || die
+
+	dodir /usr/$(get_libdir)
+	cp -L */lib/*$(get_libname) "${ED%/}"/usr/$(get_libdir) || die "copying shared libs failed"
+	local i
+	for i in crmf freebl nssb nssckfw ; do
+		cp -L */lib/lib${i}.a "${ED%/}"/usr/$(get_libdir) || die "copying libs failed"
+	done
+
+	# Install nss-config and pkgconfig file
+	dodir /usr/bin
+	cp -L */bin/nss-config "${ED%/}"/usr/bin || die
+	dodir /usr/$(get_libdir)/pkgconfig
+	cp -L */lib/pkgconfig/nss.pc "${ED%/}"/usr/$(get_libdir)/pkgconfig || die
+
+	# create an nss-softokn.pc from nss.pc for libfreebl and some private headers
+	# bug 517266
+	sed 	-e 's#Libs:#Libs: -lfreebl#' \
+		-e 's#Cflags:#Cflags: -I${includedir}/private#' \
+		*/lib/pkgconfig/nss.pc >"${ED%/}"/usr/$(get_libdir)/pkgconfig/nss-softokn.pc \
+		|| die "could not create nss-softokn.pc"
+
+	# all the include files
+	insinto /usr/include/nss
+	doins public/nss/*.{h,api}
+	insinto /usr/include/nss/private
+	doins private/nss/{blapi,alghmac}.h
+
+	popd >/dev/null || die
+
+	local f nssutils
+	# Always enabled because we need it for chk generation.
+	nssutils=( shlibsign )
+
+	if multilib_is_native_abi ; then
+		if use utils; then
+			# The tests we do not need to install.
+			#nssutils_test="bltest crmftest dbtest dertimetest
+			#fipstest remtest sdrtest"
+			# checkcert utils has been removed in nss-3.22:
+			# https://bugzilla.mozilla.org/show_bug.cgi?id=1187545
+			# https://hg.mozilla.org/projects/nss/rev/df1729d37870
+			# certcgi has been removed in nss-3.36:
+			# https://bugzilla.mozilla.org/show_bug.cgi?id=1426602
+			nssutils+=(
+				addbuiltin
+				atob
+				baddbdir
+				btoa
+				certutil
+				cmsutil
+				conflict
+				crlutil
+				derdump
+				digest
+				makepqg
+				mangle
+				modutil
+				multinit
+				nonspr10
+				ocspclnt
+				oidcalc
+				p7content
+				p7env
+				p7sign
+				p7verify
+				pk11mode
+				pk12util
+				pp
+				rsaperf
+				selfserv
+				signtool
+				signver
+				ssltap
+				strsclnt
+				symkeyutil
+				tstclnt
+				vfychain
+				vfyserv
+			)
+			# install man-pages for utils (bug #516810)
+			doman doc/nroff/*.1
+		fi
+		pushd dist/*/bin >/dev/null || die
+		for f in ${nssutils[@]}; do
+			dobin ${f}
+		done
+		popd >/dev/null || die
+	fi
+
+	# Prelink breaks the CHK files. We don't have any reliable way to run
+	# shlibsign after prelink.
+	dodir /etc/prelink.conf.d
+	printf -- "-b ${EPREFIX}/usr/$(get_libdir)/lib%s.so\n" ${NSS_CHK_SIGN_LIBS} \
+		> "${ED%/}"/etc/prelink.conf.d/nss.conf
+}
+
+pkg_postinst() {
+	multilib_pkg_postinst() {
+		# We must re-sign the libraries AFTER they are stripped.
+		local shlibsign="${EROOT}/usr/bin/shlibsign"
+		# See if we can execute it (cross-compiling & such). #436216
+		"${shlibsign}" -h >&/dev/null
+		if [[ $? -gt 1 ]] ; then
+			shlibsign="shlibsign"
+		fi
+		generate_chk "${shlibsign}" "${EROOT}"/usr/$(get_libdir)
+	}
+
+	multilib_foreach_abi multilib_pkg_postinst
+}
+
+pkg_postrm() {
+	multilib_pkg_postrm() {
+		cleanup_chk "${EROOT}"/usr/$(get_libdir)
+	}
+
+	multilib_foreach_abi multilib_pkg_postrm
+}


^ permalink raw reply related	[flat|nested] 19+ messages in thread
* [gentoo-commits] repo/gentoo:master commit in: dev-libs/nss/, dev-libs/nss/files/
@ 2019-01-22 20:04 Ian Stakenvicius
  0 siblings, 0 replies; 19+ messages in thread
From: Ian Stakenvicius @ 2019-01-22 20:04 UTC (permalink / raw
  To: gentoo-commits

commit:     78717184c7294a8a8a444c6a957f7a15358c39b9
Author:     Ian Stakenvicius <axs <AT> gentoo <DOT> org>
AuthorDate: Tue Jan 22 16:46:07 2019 +0000
Commit:     Ian Stakenvicius <axs <AT> gentoo <DOT> org>
CommitDate: Tue Jan 22 20:03:31 2019 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=78717184

dev-libs/nss: patch to fix a rare CMS related crash

Patch forward-ported from 3.36.7 (will also be included in 3.42)

Signed-off-by: Ian Stakenvicius <axs <AT> gentoo.org>
Package-Manager: Portage-2.3.49, Repoman-2.3.11

 dev-libs/nss/files/nss-3.36.7-fix-cms.patch        | 531 +++++++++++++++++++++
 .../nss/{nss-3.41.ebuild => nss-3.40.1-r1.ebuild}  |   4 +-
 .../nss/{nss-3.41.ebuild => nss-3.41-r1.ebuild}    |   4 +-
 3 files changed, 537 insertions(+), 2 deletions(-)

diff --git a/dev-libs/nss/files/nss-3.36.7-fix-cms.patch b/dev-libs/nss/files/nss-3.36.7-fix-cms.patch
new file mode 100644
index 00000000000..57b4cdaf5a5
--- /dev/null
+++ b/dev-libs/nss/files/nss-3.36.7-fix-cms.patch
@@ -0,0 +1,531 @@
+From d54a1f812ae23ec11d2af6ed93ba1a11609421a8 Mon Sep 17 00:00:00 2001
+From: "J.C. Jones" <jjones@mozilla.com>
+Date: Mon, 14 Jan 2019 10:35:25 -0700
+Subject: [PATCH] Bug 1507135 - Add additional null checks to CMS message
+ functions r=mt
+
+Differential review: https://phabricator.services.mozilla.com//D16488
+
+--HG--
+branch : NSS_3_36_BRANCH
+extra : transplant_source : 1%02%80%21%BE%C8B%D5%21%D7%0CR%00%ED%B6%EA%84a%FA%23
+---
+ lib/smime/cmsmessage.c | 69 ++++++++++++++++++++++++++++++++++++------
+ 1 file changed, 59 insertions(+), 10 deletions(-)
+
+diff --git a/lib/smime/cmsmessage.c b/lib/smime/cmsmessage.c
+index 27d1256ec..f41a432b1 100644
+--- a/lib/smime/cmsmessage.c
++++ b/lib/smime/cmsmessage.c
+@@ -29,8 +29,9 @@ NSS_CMSMessage_Create(PLArenaPool *poolp)
+ 
+     if (poolp == NULL) {
+         poolp = PORT_NewArena(1024); /* XXX what is right value? */
+-        if (poolp == NULL)
++        if (poolp == NULL) {
+             return NULL;
++        }
+         poolp_is_ours = PR_TRUE;
+     }
+ 
+@@ -44,8 +45,9 @@ NSS_CMSMessage_Create(PLArenaPool *poolp)
+             if (mark) {
+                 PORT_ArenaRelease(poolp, mark);
+             }
+-        } else
++        } else {
+             PORT_FreeArena(poolp, PR_FALSE);
++        }
+         return NULL;
+     }
+ 
+@@ -53,8 +55,9 @@ NSS_CMSMessage_Create(PLArenaPool *poolp)
+     cmsg->poolp_is_ours = poolp_is_ours;
+     cmsg->refCount = 1;
+ 
+-    if (mark)
++    if (mark) {
+         PORT_ArenaUnmark(poolp, mark);
++    }
+ 
+     return cmsg;
+ }
+@@ -73,8 +76,13 @@ NSS_CMSMessage_SetEncodingParams(NSSCMSMessage *cmsg,
+                                  NSSCMSGetDecryptKeyCallback decrypt_key_cb, void *decrypt_key_cb_arg,
+                                  SECAlgorithmID **detached_digestalgs, SECItem **detached_digests)
+ {
+-    if (pwfn)
++    if (cmsg == NULL) {
++        return;
++    }
++    if (pwfn) {
+         PK11_SetPasswordFunc(pwfn);
++    }
++
+     cmsg->pwfn_arg = pwfn_arg;
+     cmsg->decrypt_key_cb = decrypt_key_cb;
+     cmsg->decrypt_key_cb_arg = decrypt_key_cb_arg;
+@@ -89,18 +97,21 @@ void
+ NSS_CMSMessage_Destroy(NSSCMSMessage *cmsg)
+ {
+     PORT_Assert(cmsg->refCount > 0);
+-    if (cmsg->refCount <= 0) /* oops */
++    if (cmsg->refCount <= 0) { /* oops */
+         return;
++    }
+ 
+     cmsg->refCount--; /* thread safety? */
+-    if (cmsg->refCount > 0)
++    if (cmsg->refCount > 0) {
+         return;
++    }
+ 
+     NSS_CMSContentInfo_Destroy(&(cmsg->contentInfo));
+ 
+     /* if poolp is not NULL, cmsg is the owner of its arena */
+-    if (cmsg->poolp_is_ours)
++    if (cmsg->poolp_is_ours) {
+         PORT_FreeArena(cmsg->poolp, PR_FALSE); /* XXX clear it? */
++    }
+ }
+ 
+ /*
+@@ -112,8 +123,9 @@ NSS_CMSMessage_Destroy(NSSCMSMessage *cmsg)
+ NSSCMSMessage *
+ NSS_CMSMessage_Copy(NSSCMSMessage *cmsg)
+ {
+-    if (cmsg == NULL)
++    if (cmsg == NULL) {
+         return NULL;
++    }
+ 
+     PORT_Assert(cmsg->refCount > 0);
+ 
+@@ -127,6 +139,10 @@ NSS_CMSMessage_Copy(NSSCMSMessage *cmsg)
+ PLArenaPool *
+ NSS_CMSMessage_GetArena(NSSCMSMessage *cmsg)
+ {
++    if (cmsg == NULL) {
++        return NULL;
++    }
++
+     return cmsg->poolp;
+ }
+ 
+@@ -136,6 +152,10 @@ NSS_CMSMessage_GetArena(NSSCMSMessage *cmsg)
+ NSSCMSContentInfo *
+ NSS_CMSMessage_GetContentInfo(NSSCMSMessage *cmsg)
+ {
++    if (cmsg == NULL) {
++        return NULL;
++    }
++
+     return &(cmsg->contentInfo);
+ }
+ 
+@@ -147,6 +167,10 @@ NSS_CMSMessage_GetContentInfo(NSSCMSMessage *cmsg)
+ SECItem *
+ NSS_CMSMessage_GetContent(NSSCMSMessage *cmsg)
+ {
++    if (cmsg == NULL) {
++        return NULL;
++    }
++
+     /* this is a shortcut */
+     NSSCMSContentInfo *cinfo = NSS_CMSMessage_GetContentInfo(cmsg);
+     SECItem *pItem = NSS_CMSContentInfo_GetInnerContent(cinfo);
+@@ -164,6 +188,10 @@ NSS_CMSMessage_ContentLevelCount(NSSCMSMessage *cmsg)
+     int count = 0;
+     NSSCMSContentInfo *cinfo;
+ 
++    if (cmsg == NULL) {
++        return 0;
++    }
++
+     /* walk down the chain of contentinfos */
+     for (cinfo = &(cmsg->contentInfo); cinfo != NULL;) {
+         count++;
+@@ -183,6 +211,10 @@ NSS_CMSMessage_ContentLevel(NSSCMSMessage *cmsg, int n)
+     int count = 0;
+     NSSCMSContentInfo *cinfo;
+ 
++    if (cmsg == NULL) {
++        return NULL;
++    }
++
+     /* walk down the chain of contentinfos */
+     for (cinfo = &(cmsg->contentInfo); cinfo != NULL && count < n;
+          cinfo = NSS_CMSContentInfo_GetChildContentInfo(cinfo)) {
+@@ -200,6 +232,10 @@ NSS_CMSMessage_ContainsCertsOrCrls(NSSCMSMessage *cmsg)
+ {
+     NSSCMSContentInfo *cinfo;
+ 
++    if (cmsg == NULL) {
++        return PR_FALSE;
++    }
++
+     /* descend into CMS message */
+     for (cinfo = &(cmsg->contentInfo); cinfo != NULL;
+          cinfo = NSS_CMSContentInfo_GetChildContentInfo(cinfo)) {
+@@ -221,6 +257,10 @@ NSS_CMSMessage_IsEncrypted(NSSCMSMessage *cmsg)
+ {
+     NSSCMSContentInfo *cinfo;
+ 
++    if (cmsg == NULL) {
++        return PR_FALSE;
++    }
++
+     /* walk down the chain of contentinfos */
+     for (cinfo = &(cmsg->contentInfo); cinfo != NULL;
+          cinfo = NSS_CMSContentInfo_GetChildContentInfo(cinfo)) {
+@@ -251,13 +291,21 @@ NSS_CMSMessage_IsSigned(NSSCMSMessage *cmsg)
+ {
+     NSSCMSContentInfo *cinfo;
+ 
++    if (cmsg == NULL) {
++        return PR_FALSE;
++    }
++
+     /* walk down the chain of contentinfos */
+     for (cinfo = &(cmsg->contentInfo); cinfo != NULL;
+          cinfo = NSS_CMSContentInfo_GetChildContentInfo(cinfo)) {
+         switch (NSS_CMSContentInfo_GetContentTypeTag(cinfo)) {
+             case SEC_OID_PKCS7_SIGNED_DATA:
+-                if (!NSS_CMSArray_IsEmpty((void **)cinfo->content.signedData->signerInfos))
++                if (cinfo->content.signedData == NULL) {
++                    return PR_FALSE;
++                }
++                if (!NSS_CMSArray_IsEmpty((void **)cinfo->content.signedData->signerInfos)) {
+                     return PR_TRUE;
++                }
+                 break;
+             default:
+                 /* callback here for generic wrappers? */
+@@ -278,8 +326,9 @@ NSS_CMSMessage_IsContentEmpty(NSSCMSMessage *cmsg, unsigned int minLen)
+ {
+     SECItem *item = NULL;
+ 
+-    if (cmsg == NULL)
++    if (cmsg == NULL) {
+         return PR_TRUE;
++    }
+ 
+     item = NSS_CMSContentInfo_GetContent(NSS_CMSMessage_GetContentInfo(cmsg));
+ 
+From fa26771e9515cc82c941fcef689dd797a3e308c3 Mon Sep 17 00:00:00 2001
+From: "J.C. Jones" <jjones@mozilla.com>
+Date: Fri, 11 Jan 2019 22:33:16 -0700
+Subject: [PATCH] Bug 1507174 - Add additional null checks to other CMS
+ functions r=mt
+
+Differential review: https://phabricator.services.mozilla.com//D16383
+
+--HG--
+branch : NSS_3_36_BRANCH
+extra : transplant_source : %B5%A8su%96%5B%BE%F9%CD%93%E0%EE%93a4c%1BYp%09
+---
+ lib/smime/cmscinfo.c   | 92 ++++++++++++++++++++++++++++++++++++------
+ lib/smime/cmsdigdata.c |  4 +-
+ lib/smime/cmsencdata.c |  4 +-
+ lib/smime/cmsenvdata.c |  5 +++
+ lib/smime/cmsmessage.c |  3 ++
+ lib/smime/cmsudf.c     |  2 +-
+ 6 files changed, 95 insertions(+), 15 deletions(-)
+
+diff --git a/lib/smime/cmscinfo.c b/lib/smime/cmscinfo.c
+index 08db662f8..453ccaada 100644
+--- a/lib/smime/cmscinfo.c
++++ b/lib/smime/cmscinfo.c
+@@ -51,6 +51,10 @@ NSS_CMSContentInfo_Destroy(NSSCMSContentInfo *cinfo)
+ {
+     SECOidTag kind;
+ 
++    if (cinfo == NULL) {
++        return;
++    }
++
+     kind = NSS_CMSContentInfo_GetContentTypeTag(cinfo);
+     switch (kind) {
+         case SEC_OID_PKCS7_ENVELOPED_DATA:
+@@ -86,6 +90,11 @@ NSSCMSContentInfo *
+ NSS_CMSContentInfo_GetChildContentInfo(NSSCMSContentInfo *cinfo)
+ {
+     NSSCMSContentInfo *ccinfo = NULL;
++
++    if (cinfo == NULL) {
++        return NULL;
++    }
++
+     SECOidTag tag = NSS_CMSContentInfo_GetContentTypeTag(cinfo);
+     switch (tag) {
+         case SEC_OID_PKCS7_SIGNED_DATA:
+@@ -127,6 +136,9 @@ SECStatus
+ NSS_CMSContentInfo_SetDontStream(NSSCMSContentInfo *cinfo, PRBool dontStream)
+ {
+     SECStatus rv;
++    if (cinfo == NULL) {
++        return SECFailure;
++    }
+ 
+     rv = NSS_CMSContentInfo_Private_Init(cinfo);
+     if (rv != SECSuccess) {
+@@ -145,15 +157,20 @@ NSS_CMSContentInfo_SetContent(NSSCMSMessage *cmsg, NSSCMSContentInfo *cinfo,
+                               SECOidTag type, void *ptr)
+ {
+     SECStatus rv;
++    if (cinfo == NULL || cmsg == NULL) {
++        return SECFailure;
++    }
+ 
+     cinfo->contentTypeTag = SECOID_FindOIDByTag(type);
+-    if (cinfo->contentTypeTag == NULL)
++    if (cinfo->contentTypeTag == NULL) {
+         return SECFailure;
++    }
+ 
+     /* do not copy the oid, just create a reference */
+     rv = SECITEM_CopyItem(cmsg->poolp, &(cinfo->contentType), &(cinfo->contentTypeTag->oid));
+-    if (rv != SECSuccess)
++    if (rv != SECSuccess) {
+         return SECFailure;
++    }
+ 
+     cinfo->content.pointer = ptr;
+ 
+@@ -185,8 +202,9 @@ SECStatus
+ NSS_CMSContentInfo_SetContent_Data(NSSCMSMessage *cmsg, NSSCMSContentInfo *cinfo,
+                                    SECItem *data, PRBool detached)
+ {
+-    if (NSS_CMSContentInfo_SetContent(cmsg, cinfo, SEC_OID_PKCS7_DATA, (void *)data) != SECSuccess)
++    if (NSS_CMSContentInfo_SetContent(cmsg, cinfo, SEC_OID_PKCS7_DATA, (void *)data) != SECSuccess) {
+         return SECFailure;
++    }
+     if (detached) {
+         cinfo->rawContent = NULL;
+     }
+@@ -230,6 +248,10 @@ NSS_CMSContentInfo_SetContent_EncryptedData(NSSCMSMessage *cmsg, NSSCMSContentIn
+ void *
+ NSS_CMSContentInfo_GetContent(NSSCMSContentInfo *cinfo)
+ {
++    if (cinfo == NULL) {
++        return NULL;
++    }
++
+     SECOidTag tag = cinfo->contentTypeTag
+                         ? cinfo->contentTypeTag->offset
+                         : SEC_OID_UNKNOWN;
+@@ -260,6 +282,10 @@ NSS_CMSContentInfo_GetInnerContent(NSSCMSContentInfo *cinfo)
+     SECOidTag tag;
+     SECItem *pItem = NULL;
+ 
++    if (cinfo == NULL) {
++        return NULL;
++    }
++
+     tag = NSS_CMSContentInfo_GetContentTypeTag(cinfo);
+     if (NSS_CMSType_IsData(tag)) {
+         pItem = cinfo->content.data;
+@@ -282,6 +308,10 @@ NSS_CMSContentInfo_GetInnerContent(NSSCMSContentInfo *cinfo)
+ SECOidTag
+ NSS_CMSContentInfo_GetContentTypeTag(NSSCMSContentInfo *cinfo)
+ {
++    if (cinfo == NULL) {
++        return SEC_OID_UNKNOWN;
++    }
++
+     if (cinfo->contentTypeTag == NULL)
+         cinfo->contentTypeTag = SECOID_FindOID(&(cinfo->contentType));
+ 
+@@ -294,11 +324,17 @@ NSS_CMSContentInfo_GetContentTypeTag(NSSCMSContentInfo *cinfo)
+ SECItem *
+ NSS_CMSContentInfo_GetContentTypeOID(NSSCMSContentInfo *cinfo)
+ {
+-    if (cinfo->contentTypeTag == NULL)
++    if (cinfo == NULL) {
++        return NULL;
++    }
++
++    if (cinfo->contentTypeTag == NULL) {
+         cinfo->contentTypeTag = SECOID_FindOID(&(cinfo->contentType));
++    }
+ 
+-    if (cinfo->contentTypeTag == NULL)
++    if (cinfo->contentTypeTag == NULL) {
+         return NULL;
++    }
+ 
+     return &(cinfo->contentTypeTag->oid);
+ }
+@@ -310,8 +346,13 @@ NSS_CMSContentInfo_GetContentTypeOID(NSSCMSContentInfo *cinfo)
+ SECOidTag
+ NSS_CMSContentInfo_GetContentEncAlgTag(NSSCMSContentInfo *cinfo)
+ {
+-    if (cinfo->contentEncAlgTag == SEC_OID_UNKNOWN)
++    if (cinfo == NULL) {
++        return SEC_OID_UNKNOWN;
++    }
++
++    if (cinfo->contentEncAlgTag == SEC_OID_UNKNOWN) {
+         cinfo->contentEncAlgTag = SECOID_GetAlgorithmTag(&(cinfo->contentEncAlg));
++    }
+ 
+     return cinfo->contentEncAlgTag;
+ }
+@@ -322,6 +363,10 @@ NSS_CMSContentInfo_GetContentEncAlgTag(NSSCMSContentInfo *cinfo)
+ SECAlgorithmID *
+ NSS_CMSContentInfo_GetContentEncAlg(NSSCMSContentInfo *cinfo)
+ {
++    if (cinfo == NULL) {
++        return NULL;
++    }
++
+     return &(cinfo->contentEncAlg);
+ }
+ 
+@@ -330,10 +375,14 @@ NSS_CMSContentInfo_SetContentEncAlg(PLArenaPool *poolp, NSSCMSContentInfo *cinfo
+                                     SECOidTag bulkalgtag, SECItem *parameters, int keysize)
+ {
+     SECStatus rv;
++    if (cinfo == NULL) {
++        return SECFailure;
++    }
+ 
+     rv = SECOID_SetAlgorithmID(poolp, &(cinfo->contentEncAlg), bulkalgtag, parameters);
+-    if (rv != SECSuccess)
++    if (rv != SECSuccess) {
+         return SECFailure;
++    }
+     cinfo->keysize = keysize;
+     return SECSuccess;
+ }
+@@ -343,27 +392,42 @@ NSS_CMSContentInfo_SetContentEncAlgID(PLArenaPool *poolp, NSSCMSContentInfo *cin
+                                       SECAlgorithmID *algid, int keysize)
+ {
+     SECStatus rv;
++    if (cinfo == NULL) {
++        return SECFailure;
++    }
+ 
+     rv = SECOID_CopyAlgorithmID(poolp, &(cinfo->contentEncAlg), algid);
+-    if (rv != SECSuccess)
++    if (rv != SECSuccess) {
+         return SECFailure;
+-    if (keysize >= 0)
++    }
++    if (keysize >= 0) {
+         cinfo->keysize = keysize;
++    }
+     return SECSuccess;
+ }
+ 
+ void
+ NSS_CMSContentInfo_SetBulkKey(NSSCMSContentInfo *cinfo, PK11SymKey *bulkkey)
+ {
+-    cinfo->bulkkey = PK11_ReferenceSymKey(bulkkey);
+-    cinfo->keysize = PK11_GetKeyStrength(cinfo->bulkkey, &(cinfo->contentEncAlg));
++    if (cinfo == NULL) {
++        return;
++    }
++
++    if (bulkkey == NULL) {
++        cinfo->bulkkey = NULL;
++        cinfo->keysize = 0;
++    } else {
++        cinfo->bulkkey = PK11_ReferenceSymKey(bulkkey);
++        cinfo->keysize = PK11_GetKeyStrength(cinfo->bulkkey, &(cinfo->contentEncAlg));
++    }
+ }
+ 
+ PK11SymKey *
+ NSS_CMSContentInfo_GetBulkKey(NSSCMSContentInfo *cinfo)
+ {
+-    if (cinfo->bulkkey == NULL)
++    if (cinfo == NULL || cinfo->bulkkey == NULL) {
+         return NULL;
++    }
+ 
+     return PK11_ReferenceSymKey(cinfo->bulkkey);
+ }
+@@ -371,5 +435,9 @@ NSS_CMSContentInfo_GetBulkKey(NSSCMSContentInfo *cinfo)
+ int
+ NSS_CMSContentInfo_GetBulkKeySize(NSSCMSContentInfo *cinfo)
+ {
++    if (cinfo == NULL) {
++        return 0;
++    }
++
+     return cinfo->keysize;
+ }
+diff --git a/lib/smime/cmsdigdata.c b/lib/smime/cmsdigdata.c
+index 9ea22702e..a249686bb 100644
+--- a/lib/smime/cmsdigdata.c
++++ b/lib/smime/cmsdigdata.c
+@@ -56,7 +56,9 @@ void
+ NSS_CMSDigestedData_Destroy(NSSCMSDigestedData *digd)
+ {
+     /* everything's in a pool, so don't worry about the storage */
+-    NSS_CMSContentInfo_Destroy(&(digd->contentInfo));
++    if (digd != NULL) {
++        NSS_CMSContentInfo_Destroy(&(digd->contentInfo));
++    }
+     return;
+ }
+ 
+diff --git a/lib/smime/cmsencdata.c b/lib/smime/cmsencdata.c
+index c3a4549ad..8b520b439 100644
+--- a/lib/smime/cmsencdata.c
++++ b/lib/smime/cmsencdata.c
+@@ -87,7 +87,9 @@ void
+ NSS_CMSEncryptedData_Destroy(NSSCMSEncryptedData *encd)
+ {
+     /* everything's in a pool, so don't worry about the storage */
+-    NSS_CMSContentInfo_Destroy(&(encd->contentInfo));
++    if (encd != NULL) {
++        NSS_CMSContentInfo_Destroy(&(encd->contentInfo));
++    }
+     return;
+ }
+ 
+diff --git a/lib/smime/cmsenvdata.c b/lib/smime/cmsenvdata.c
+index f2c8e171d..9bc77be8b 100644
+--- a/lib/smime/cmsenvdata.c
++++ b/lib/smime/cmsenvdata.c
+@@ -144,6 +144,11 @@ NSS_CMSEnvelopedData_Encode_BeforeStart(NSSCMSEnvelopedData *envd)
+     poolp = envd->cmsg->poolp;
+     cinfo = &(envd->contentInfo);
+ 
++    if (cinfo == NULL) {
++        PORT_SetError(SEC_ERROR_BAD_DATA);
++        goto loser;
++    }
++
+     recipientinfos = envd->recipientInfos;
+     if (recipientinfos == NULL) {
+         PORT_SetError(SEC_ERROR_BAD_DATA);
+diff --git a/lib/smime/cmsmessage.c b/lib/smime/cmsmessage.c
+index f41a432b1..366b71aba 100644
+--- a/lib/smime/cmsmessage.c
++++ b/lib/smime/cmsmessage.c
+@@ -96,6 +96,9 @@ NSS_CMSMessage_SetEncodingParams(NSSCMSMessage *cmsg,
+ void
+ NSS_CMSMessage_Destroy(NSSCMSMessage *cmsg)
+ {
++    if (cmsg == NULL)
++        return;
++
+     PORT_Assert(cmsg->refCount > 0);
+     if (cmsg->refCount <= 0) { /* oops */
+         return;
+diff --git a/lib/smime/cmsudf.c b/lib/smime/cmsudf.c
+index 3ef4268d4..5c8a81e6d 100644
+--- a/lib/smime/cmsudf.c
++++ b/lib/smime/cmsudf.c
+@@ -239,7 +239,7 @@ NSS_CMSGenericWrapperData_Destroy(SECOidTag type, NSSCMSGenericWrapperData *gd)
+ {
+     const nsscmstypeInfo *typeInfo = nss_cmstype_lookup(type);
+ 
+-    if (typeInfo && typeInfo->destroy) {
++    if (typeInfo && (typeInfo->destroy) && (gd != NULL)) {
+         (*typeInfo->destroy)(gd);
+     }
+ }

diff --git a/dev-libs/nss/nss-3.41.ebuild b/dev-libs/nss/nss-3.40.1-r1.ebuild
similarity index 98%
copy from dev-libs/nss/nss-3.41.ebuild
copy to dev-libs/nss/nss-3.40.1-r1.ebuild
index 9ce8edd6659..907e54788a6 100644
--- a/dev-libs/nss/nss-3.41.ebuild
+++ b/dev-libs/nss/nss-3.40.1-r1.ebuild
@@ -1,4 +1,4 @@
-# Copyright 1999-2018 Gentoo Authors
+# Copyright 1999-2019 Gentoo Authors
 # Distributed under the terms of the GNU General Public License v2
 
 EAPI=7
@@ -43,6 +43,8 @@ PATCHES=(
 	"${FILESDIR}/${PN}-3.32-gentoo-fixups.patch"
 	"${FILESDIR}/${PN}-3.21-gentoo-fixup-warnings.patch"
 	"${FILESDIR}/${PN}-3.23-hppa-byte_order.patch"
+	# fix for bugs ported forward from 3.36.7
+	"${FILESDIR}/${PN}-3.36.7-fix-cms.patch"
 )
 
 src_unpack() {

diff --git a/dev-libs/nss/nss-3.41.ebuild b/dev-libs/nss/nss-3.41-r1.ebuild
similarity index 98%
rename from dev-libs/nss/nss-3.41.ebuild
rename to dev-libs/nss/nss-3.41-r1.ebuild
index 9ce8edd6659..907e54788a6 100644
--- a/dev-libs/nss/nss-3.41.ebuild
+++ b/dev-libs/nss/nss-3.41-r1.ebuild
@@ -1,4 +1,4 @@
-# Copyright 1999-2018 Gentoo Authors
+# Copyright 1999-2019 Gentoo Authors
 # Distributed under the terms of the GNU General Public License v2
 
 EAPI=7
@@ -43,6 +43,8 @@ PATCHES=(
 	"${FILESDIR}/${PN}-3.32-gentoo-fixups.patch"
 	"${FILESDIR}/${PN}-3.21-gentoo-fixup-warnings.patch"
 	"${FILESDIR}/${PN}-3.23-hppa-byte_order.patch"
+	# fix for bugs ported forward from 3.36.7
+	"${FILESDIR}/${PN}-3.36.7-fix-cms.patch"
 )
 
 src_unpack() {


^ permalink raw reply related	[flat|nested] 19+ messages in thread
* [gentoo-commits] repo/gentoo:master commit in: dev-libs/nss/, dev-libs/nss/files/
@ 2019-01-18 15:37 Lars Wendler
  0 siblings, 0 replies; 19+ messages in thread
From: Lars Wendler @ 2019-01-18 15:37 UTC (permalink / raw
  To: gentoo-commits

commit:     df02357fdc345dcb1f32ba05cede11a94036ff54
Author:     Lars Wendler <polynomial-c <AT> gentoo <DOT> org>
AuthorDate: Fri Jan 18 15:16:38 2019 +0000
Commit:     Lars Wendler <polynomial-c <AT> gentoo <DOT> org>
CommitDate: Fri Jan 18 15:16:38 2019 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=df02357f

dev-libs/nss: Removed old.

Package-Manager: Portage-2.3.56, Repoman-2.3.12
Signed-off-by: Lars Wendler <polynomial-c <AT> gentoo.org>

 dev-libs/nss/Manifest                           |   3 -
 dev-libs/nss/files/nss-3.28-gentoo-fixups.patch | 241 ---------------
 dev-libs/nss/nss-3.29.5.ebuild                  | 334 ---------------------
 dev-libs/nss/nss-3.37.3.ebuild                  | 371 ------------------------
 dev-libs/nss/nss-3.40.ebuild                    | 371 ------------------------
 5 files changed, 1320 deletions(-)

diff --git a/dev-libs/nss/Manifest b/dev-libs/nss/Manifest
index aa72e5cc2a6..f0a8a67af27 100644
--- a/dev-libs/nss/Manifest
+++ b/dev-libs/nss/Manifest
@@ -1,7 +1,4 @@
-DIST nss-3.29.5.tar.gz 7480246 BLAKE2B 9ab16cbbd95aa31358b5b686bee64cd81c8343524dad8aac084f7c86883f1eaead78912dc1021b0461d027b0085356c4b7156f1d80010c3a0ece29d542deef50 SHA512 ce18bc7e793d2b3698db412b2e5fcabbfd9862eca3def120d5e44bc67276526bff6b33ffa84b8128f8af6d35101000e6f7bb24194f63a55461b3c245fac11faa
-DIST nss-3.37.3.tar.gz 23034239 BLAKE2B 3e30b0fe14501ca0e6b9d14322af73f191164989e6857b9ba46572b7363cdc65c88b672285982f2764ed44fcaf615cb249eea2f45b98050dfc6675003dc74a3b SHA512 11b21818f9fcff11d0e7f4c066ae9fbce0052a30a6b30df9a20022792039b5348554834a472e1b1195e467b9902067f9719678d5ca32efb4e60f1df161feed6f
 DIST nss-3.40.1.tar.gz 23311074 BLAKE2B 9cd723e983a3f70748b0734bb2a6cc1ddfa280f1c167c3b1b371a58900fb3d9b3bf3482293bb8614d39ffb538bcca815a2aedbe03d2d643731817452f82bc2ca SHA512 464ae843161e8deb911975d2117e8bf1194a968689b4ce70f9a12d5a33dba7ddd69f1248ec45244139c30fcc87678b206a4e124f032b26ead8bf894e4e8d0564
-DIST nss-3.40.tar.gz 23308315 BLAKE2B 02cc3ea9589f888e108bd3a6a99d5f52927bb4c63b2d9e03df88b7c1a188b6f2cd47d281dd5234b141b41684043e71d9fbee8f99223d0f5ae9778a4e1cfaa1ce SHA512 3781c94595126757c95ea82c3134eb3f06f4c3814e9ed2bfceae22623a413d622349d08c6779e1230b2dbebd1f07aba58094fe83dcddebb3e043481e7a478239
 DIST nss-3.41.tar.gz 23319563 BLAKE2B 76636b704cd572f9b840c7699c29697a4a882e66afcc3895ceb7b59a7af7af2513074e1abc6a028a13126d44e0cf722ab29e52a4c69640a2247814292efa282d SHA512 b5a43fe86ded664002fd714c493d9222a64539cd6139b64720625d1742fec5100712cbe401c90c79196e9cbad9ec07d9b4f0f517ce34e4b207beaa3e01c9e114
 DIST nss-cacert-class1-class3.patch 22950 BLAKE2B 9d5e60df5f161a3c27c41e5a9419440a54f888eda454e3cde5ebe626d4075b65cf9938b5144d0fb022377f4bd415bff5e5c67d104409860aa9391b3eb8872c68 SHA512 a5aa740bf110a3f0262e3f1ef2fc739ac2b44f042e220039d48aee8e97cd764d5c10718220364f4098aba955882bd02cadb5481512388971a8290312f88a7df0
 DIST nss-pem-20160329.tar.xz 27732 BLAKE2B 7c23133a7bfb969d8eac98fb6311e76ab60c5d6601c7329f3c492da30c017e66d64a1f8bc827dd36e52e65c1a1ec02b58816442aaf410345c5ed759a02264b84 SHA512 5834b06e4c64205447573d4f4c8989e20986ae67ee00eebce3817eb73794a6355a404143ba1c676ec302ceefaf9df103cb879b1d4ff14ba4e3790dbee3e40eb2

diff --git a/dev-libs/nss/files/nss-3.28-gentoo-fixups.patch b/dev-libs/nss/files/nss-3.28-gentoo-fixups.patch
deleted file mode 100644
index 69aa6528961..00000000000
--- a/dev-libs/nss/files/nss-3.28-gentoo-fixups.patch
+++ /dev/null
@@ -1,241 +0,0 @@
---- nss/config/Makefile
-+++ nss/config/Makefile
-@@ -0,0 +1,40 @@
-+CORE_DEPTH = ..
-+DEPTH      = ..
-+
-+include $(CORE_DEPTH)/coreconf/config.mk
-+
-+NSS_MAJOR_VERSION = `grep "NSS_VMAJOR" ../lib/nss/nss.h | awk '{print $$3}'`
-+NSS_MINOR_VERSION = `grep "NSS_VMINOR" ../lib/nss/nss.h | awk '{print $$3}'`
-+NSS_PATCH_VERSION = `grep "NSS_VPATCH" ../lib/nss/nss.h | awk '{print $$3}'`
-+PREFIX = /usr
-+
-+all: export libs
-+
-+export:
-+	# Create the nss.pc file
-+	mkdir -p $(DIST)/lib/pkgconfig
-+	sed -e "s,@prefix@,$(PREFIX)," \
-+	    -e "s,@exec_prefix@,\$${prefix}," \
-+	    -e "s,@libdir@,\$${prefix}/lib64," \
-+	    -e "s,@includedir@,\$${prefix}/include/nss," \
-+	    -e "s,@NSS_MAJOR_VERSION@,$(NSS_MAJOR_VERSION),g" \
-+	    -e "s,@NSS_MINOR_VERSION@,$(NSS_MINOR_VERSION)," \
-+	    -e "s,@NSS_PATCH_VERSION@,$(NSS_PATCH_VERSION)," \
-+	    nss.pc.in > nss.pc
-+	chmod 0644 nss.pc
-+	ln -sf ../../../../config/nss.pc $(DIST)/lib/pkgconfig
-+
-+	# Create the nss-config script
-+	mkdir -p $(DIST)/bin
-+	sed -e "s,@prefix@,$(PREFIX)," \
-+	    -e "s,@NSS_MAJOR_VERSION@,$(NSS_MAJOR_VERSION)," \
-+	    -e "s,@NSS_MINOR_VERSION@,$(NSS_MINOR_VERSION)," \
-+	    -e "s,@NSS_PATCH_VERSION@,$(NSS_PATCH_VERSION)," \
-+	    nss-config.in > nss-config
-+	chmod 0755 nss-config
-+	ln -sf ../../../config/nss-config $(DIST)/bin
-+
-+libs:
-+
-+dummy: all export libs
-+
---- nss/config/nss-config.in
-+++ nss/config/nss-config.in
-@@ -0,0 +1,145 @@
-+#!/bin/sh
-+
-+prefix=@prefix@
-+
-+major_version=@NSS_MAJOR_VERSION@
-+minor_version=@NSS_MINOR_VERSION@
-+patch_version=@NSS_PATCH_VERSION@
-+
-+usage()
-+{
-+	cat <<EOF
-+Usage: nss-config [OPTIONS] [LIBRARIES]
-+Options:
-+	[--prefix[=DIR]]
-+	[--exec-prefix[=DIR]]
-+	[--includedir[=DIR]]
-+	[--libdir[=DIR]]
-+	[--version]
-+	[--libs]
-+	[--cflags]
-+Dynamic Libraries:
-+	nss
-+	ssl
-+	smime
-+	nssutil
-+EOF
-+	exit $1
-+}
-+
-+if test $# -eq 0; then
-+	usage 1 1>&2
-+fi
-+
-+lib_ssl=yes
-+lib_smime=yes
-+lib_nss=yes
-+lib_nssutil=yes
-+
-+while test $# -gt 0; do
-+  case "$1" in
-+  -*=*) optarg=`echo "$1" | sed 's/[-_a-zA-Z0-9]*=//'` ;;
-+  *) optarg= ;;
-+  esac
-+
-+  case $1 in
-+    --prefix=*)
-+      prefix=$optarg
-+      ;;
-+    --prefix)
-+      echo_prefix=yes
-+      ;;
-+    --exec-prefix=*)
-+      exec_prefix=$optarg
-+      ;;
-+    --exec-prefix)
-+      echo_exec_prefix=yes
-+      ;;
-+    --includedir=*)
-+      includedir=$optarg
-+      ;;
-+    --includedir)
-+      echo_includedir=yes
-+      ;;
-+    --libdir=*)
-+      libdir=$optarg
-+      ;;
-+    --libdir)
-+      echo_libdir=yes
-+      ;;
-+    --version)
-+      echo ${major_version}.${minor_version}.${patch_version}
-+      ;;
-+    --cflags)
-+      echo_cflags=yes
-+      ;;
-+    --libs)
-+      echo_libs=yes
-+      ;;
-+    ssl)
-+      lib_ssl=yes
-+      ;;
-+    smime)
-+      lib_smime=yes
-+      ;;
-+    nss)
-+      lib_nss=yes
-+      ;;
-+    nssutil)                                                      
-+      lib_nssutil=yes                                             
-+      ;;
-+    *)
-+      usage 1 1>&2
-+      ;;
-+  esac
-+  shift
-+done
-+
-+# Set variables that may be dependent upon other variables
-+if test -z "$exec_prefix"; then
-+    exec_prefix=`pkg-config --variable=exec_prefix nss`
-+fi
-+if test -z "$includedir"; then
-+    includedir=`pkg-config --variable=includedir nss`
-+fi
-+if test -z "$libdir"; then
-+    libdir=`pkg-config --variable=libdir nss`
-+fi
-+
-+if test "$echo_prefix" = "yes"; then
-+    echo $prefix
-+fi
-+
-+if test "$echo_exec_prefix" = "yes"; then
-+    echo $exec_prefix
-+fi
-+
-+if test "$echo_includedir" = "yes"; then
-+    echo $includedir
-+fi
-+
-+if test "$echo_libdir" = "yes"; then
-+    echo $libdir
-+fi
-+
-+if test "$echo_cflags" = "yes"; then
-+    echo -I$includedir
-+fi
-+
-+if test "$echo_libs" = "yes"; then
-+      libdirs=""
-+      if test -n "$lib_ssl"; then
-+	libdirs="$libdirs -lssl${major_version}"
-+      fi
-+      if test -n "$lib_smime"; then
-+	libdirs="$libdirs -lsmime${major_version}"
-+      fi
-+      if test -n "$lib_nss"; then
-+	libdirs="$libdirs -lnss${major_version}"
-+      fi
-+      if test -n "$lib_nssutil"; then
-+       libdirs="$libdirs -lnssutil${major_version}"
-+      fi
-+      echo $libdirs
-+fi      
-+
---- nss/config/nss.pc.in
-+++ nss/config/nss.pc.in
-@@ -0,0 +1,12 @@
-+prefix=@prefix@
-+exec_prefix=@exec_prefix@
-+libdir=@libdir@
-+includedir=@includedir@
-+
-+Name: NSS
-+Description: Network Security Services
-+Version: @NSS_MAJOR_VERSION@.@NSS_MINOR_VERSION@.@NSS_PATCH_VERSION@
-+Requires: nspr >= 4.8
-+Libs: -lssl3 -lsmime3 -lnss3 -lnssutil3
-+Cflags: -I${includedir}
-+
---- nss/Makefile
-+++ nss/Makefile
-@@ -46,7 +46,7 @@
- # (7) Execute "local" rules. (OPTIONAL).                              #
- #######################################################################
- 
--nss_build_all: build_nspr all latest
-+nss_build_all: all latest
- 
- nss_clean_all: clobber_nspr clobber
- 
-@@ -143,15 +143,6 @@
- 	--prefix='$(NSS_GYP_PREFIX)'
- endif
- 
--build_nspr: $(NSPR_CONFIG_STATUS)
--	$(MAKE) -C $(CORE_DEPTH)/../nspr/$(OBJDIR_NAME)
--
--install_nspr: build_nspr
--	$(MAKE) -C $(CORE_DEPTH)/../nspr/$(OBJDIR_NAME) install
--
--clobber_nspr: $(NSPR_CONFIG_STATUS)
--	$(MAKE) -C $(CORE_DEPTH)/../nspr/$(OBJDIR_NAME) clobber
--
- build_docs:
- 	$(MAKE) -C $(CORE_DEPTH)/doc
- 
---- nss/manifest.mn
-+++ nss/manifest.mn
-@@ -10,4 +10,4 @@
- 
- RELEASE = nss
- 
--DIRS = coreconf lib cmd gtests
-+DIRS = coreconf lib cmd config

diff --git a/dev-libs/nss/nss-3.29.5.ebuild b/dev-libs/nss/nss-3.29.5.ebuild
deleted file mode 100644
index 3c5afbacf3b..00000000000
--- a/dev-libs/nss/nss-3.29.5.ebuild
+++ /dev/null
@@ -1,334 +0,0 @@
-# Copyright 1999-2018 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=6
-
-inherit eutils flag-o-matic multilib toolchain-funcs multilib-minimal
-
-NSPR_VER="4.13.1"
-RTM_NAME="NSS_${PV//./_}_RTM"
-# Rev of https://git.fedorahosted.org/cgit/nss-pem.git
-PEM_GIT_REV="429b0222759d8ad8e6dcd29e62875ae3efd69116"
-PEM_P="${PN}-pem-20160329"
-
-DESCRIPTION="Mozilla's Network Security Services library that implements PKI support"
-HOMEPAGE="http://www.mozilla.org/projects/security/pki/nss/"
-SRC_URI="https://archive.mozilla.org/pub/security/nss/releases/${RTM_NAME}/src/${P}.tar.gz
-	cacert? ( https://dev.gentoo.org/~axs/distfiles/${PN}-cacert-class1-class3.patch )
-	nss-pem? ( https://dev.gentoo.org/~polynomial-c/${PEM_P}.tar.xz )"
-
-LICENSE="|| ( MPL-2.0 GPL-2 LGPL-2.1 )"
-SLOT="0"
-KEYWORDS="alpha amd64 arm arm64 hppa ia64 ~m68k ~mips ppc ppc64 s390 ~sh sparc x86 ~amd64-fbsd ~x86-fbsd ~amd64-linux ~x86-linux ~x86-macos ~sparc-solaris ~x64-solaris ~x86-solaris"
-IUSE="cacert +nss-pem utils"
-CDEPEND=">=dev-db/sqlite-3.8.2[${MULTILIB_USEDEP}]
-	>=sys-libs/zlib-1.2.8-r1[${MULTILIB_USEDEP}]"
-DEPEND=">=virtual/pkgconfig-0-r1[${MULTILIB_USEDEP}]
-	>=dev-libs/nspr-${NSPR_VER}[${MULTILIB_USEDEP}]
-	${CDEPEND}"
-RDEPEND=">=dev-libs/nspr-${NSPR_VER}[${MULTILIB_USEDEP}]
-	${CDEPEND}"
-
-RESTRICT="test"
-
-S="${WORKDIR}/${P}/${PN}"
-
-MULTILIB_CHOST_TOOLS=(
-	/usr/bin/nss-config
-)
-
-PATCHES=(
-	# Custom changes for gentoo
-	"${FILESDIR}/${PN}-3.28-gentoo-fixups.patch"
-	"${FILESDIR}/${PN}-3.21-gentoo-fixup-warnings.patch"
-	"${FILESDIR}/${PN}-3.23-hppa-byte_order.patch"
-)
-
-src_unpack() {
-	unpack ${A}
-	if use nss-pem ; then
-		mv "${PN}"/lib/ckfw/pem/ "${S}"/lib/ckfw/ || die
-	fi
-}
-
-src_prepare() {
-	if use nss-pem ; then
-		PATCHES+=(
-			"${FILESDIR}/${PN}-3.21-enable-pem.patch"
-		)
-	fi
-	if use cacert ; then #521462
-		PATCHES+=(
-			"${DISTDIR}/${PN}-cacert-class1-class3.patch"
-		)
-	fi
-
-	default
-
-	pushd coreconf >/dev/null || die
-	# hack nspr paths
-	echo 'INCLUDES += -I$(DIST)/include/dbm' \
-		>> headers.mk || die "failed to append include"
-
-	# modify install path
-	sed -e '/CORE_DEPTH/s:SOURCE_PREFIX.*$:SOURCE_PREFIX = $(CORE_DEPTH)/dist:' \
-		-i source.mk || die
-
-	# Respect LDFLAGS
-	sed -i -e 's/\$(MKSHLIB) -o/\$(MKSHLIB) \$(LDFLAGS) -o/g' rules.mk
-	popd >/dev/null || die
-
-	# Fix pkgconfig file for Prefix
-	sed -i -e "/^PREFIX =/s:= /usr:= ${EPREFIX}/usr:" \
-		config/Makefile || die
-
-	# use host shlibsign if need be #436216
-	if tc-is-cross-compiler ; then
-		sed -i \
-			-e 's:"${2}"/shlibsign:shlibsign:' \
-			cmd/shlibsign/sign.sh || die
-	fi
-
-	# dirty hack
-	sed -i -e "/CRYPTOLIB/s:\$(SOFTOKEN_LIB_DIR):../freebl/\$(OBJDIR):" \
-		lib/ssl/config.mk || die
-	sed -i -e "/CRYPTOLIB/s:\$(SOFTOKEN_LIB_DIR):../../lib/freebl/\$(OBJDIR):" \
-		cmd/platlibs.mk || die
-
-	multilib_copy_sources
-
-	strip-flags
-}
-
-multilib_src_configure() {
-	# Ensure we stay multilib aware
-	sed -i -e "/@libdir@/ s:lib64:$(get_libdir):" config/Makefile || die
-}
-
-nssarch() {
-	# Most of the arches are the same as $ARCH
-	local t=${1:-${CHOST}}
-	case ${t} in
-		aarch64*)echo "aarch64";;
-		hppa*)   echo "parisc";;
-		i?86*)   echo "i686";;
-		x86_64*) echo "x86_64";;
-		*)       tc-arch ${t};;
-	esac
-}
-
-nssbits() {
-	local cc cppflags="${1}CPPFLAGS" cflags="${1}CFLAGS"
-	if [[ ${1} == BUILD_ ]]; then
-		cc=$(tc-getBUILD_CC)
-	else
-		cc=$(tc-getCC)
-	fi
-	echo > "${T}"/test.c || die
-	${cc} ${!cppflags} ${!cflags} -c "${T}"/test.c -o "${T}/${1}test.o" || die
-	case $(file "${T}/${1}test.o") in
-		*32-bit*x86-64*) echo USE_X32=1;;
-		*64-bit*|*ppc64*|*x86_64*) echo USE_64=1;;
-		*32-bit*|*ppc*|*i386*) ;;
-		*) die "Failed to detect whether ${cc} builds 64bits or 32bits, disable distcc if you're using it, please";;
-	esac
-}
-
-multilib_src_compile() {
-	# use ABI to determine bit'ness, or fallback if unset
-	local buildbits mybits
-	case "${ABI}" in
-		n32) mybits="USE_N32=1";;
-		x32) mybits="USE_X32=1";;
-		s390x|*64) mybits="USE_64=1";;
-		${DEFAULT_ABI})
-			einfo "Running compilation test to determine bit'ness"
-			mybits=$(nssbits)
-			;;
-	esac
-	# bitness of host may differ from target
-	if tc-is-cross-compiler; then
-		buildbits=$(nssbits BUILD_)
-	fi
-
-	local makeargs=(
-		CC="$(tc-getCC)"
-		AR="$(tc-getAR) rc \$@"
-		RANLIB="$(tc-getRANLIB)"
-		OPTIMIZER=
-		${mybits}
-	)
-
-	# Take care of nspr settings #436216
-	local myCPPFLAGS="${CPPFLAGS} $($(tc-getPKG_CONFIG) nspr --cflags)"
-	unset NSPR_INCLUDE_DIR
-
-	# Do not let `uname` be used.
-	if use kernel_linux ; then
-		makeargs+=(
-			OS_TARGET=Linux
-			OS_RELEASE=2.6
-			OS_TEST="$(nssarch)"
-		)
-	fi
-
-	export NSS_ENABLE_WERROR=0 #567158
-	export BUILD_OPT=1
-	export NSS_USE_SYSTEM_SQLITE=1
-	export NSDISTMODE=copy
-	export NSS_ENABLE_ECC=1
-	export FREEBL_NO_DEPEND=1
-	export ASFLAGS=""
-
-	local d
-
-	# Build the host tools first.
-	LDFLAGS="${BUILD_LDFLAGS}" \
-	XCFLAGS="${BUILD_CFLAGS}" \
-	NSPR_LIB_DIR="${T}/fakedir" \
-	emake -j1 -C coreconf \
-		CC="$(tc-getBUILD_CC)" \
-		${buildbits:-${mybits}}
-	makeargs+=( NSINSTALL="${PWD}/$(find -type f -name nsinstall)" )
-
-	# Then build the target tools.
-	for d in . lib/dbm ; do
-		CPPFLAGS="${myCPPFLAGS}" \
-		XCFLAGS="${CFLAGS} ${CPPFLAGS}" \
-		NSPR_LIB_DIR="${T}/fakedir" \
-		emake -j1 "${makeargs[@]}" -C ${d}
-	done
-}
-
-# Altering these 3 libraries breaks the CHK verification.
-# All of the following cause it to break:
-# - stripping
-# - prelink
-# - ELF signing
-# http://www.mozilla.org/projects/security/pki/nss/tech-notes/tn6.html
-# Either we have to NOT strip them, or we have to forcibly resign after
-# stripping.
-#local_libdir="$(get_libdir)"
-#export STRIP_MASK="
-#	*/${local_libdir}/libfreebl3.so*
-#	*/${local_libdir}/libnssdbm3.so*
-#	*/${local_libdir}/libsoftokn3.so*"
-
-export NSS_CHK_SIGN_LIBS="freebl3 nssdbm3 softokn3"
-
-generate_chk() {
-	local shlibsign="$1"
-	local libdir="$2"
-	einfo "Resigning core NSS libraries for FIPS validation"
-	shift 2
-	local i
-	for i in ${NSS_CHK_SIGN_LIBS} ; do
-		local libname=lib${i}.so
-		local chkname=lib${i}.chk
-		"${shlibsign}" \
-			-i "${libdir}"/${libname} \
-			-o "${libdir}"/${chkname}.tmp \
-		&& mv -f \
-			"${libdir}"/${chkname}.tmp \
-			"${libdir}"/${chkname} \
-		|| die "Failed to sign ${libname}"
-	done
-}
-
-cleanup_chk() {
-	local libdir="$1"
-	shift 1
-	local i
-	for i in ${NSS_CHK_SIGN_LIBS} ; do
-		local libfname="${libdir}/lib${i}.so"
-		# If the major version has changed, then we have old chk files.
-		[ ! -f "${libfname}" -a -f "${libfname}.chk" ] \
-			&& rm -f "${libfname}.chk"
-	done
-}
-
-multilib_src_install() {
-	pushd dist >/dev/null || die
-
-	dodir /usr/$(get_libdir)
-	cp -L */lib/*$(get_libname) "${ED}"/usr/$(get_libdir) || die "copying shared libs failed"
-	cp -L */lib/libcrmf.a "${ED}"/usr/$(get_libdir) || die "copying libs failed"
-	cp -L */lib/libfreebl.a "${ED}"/usr/$(get_libdir) || die "copying libs failed"
-
-	# Install nss-config and pkgconfig file
-	dodir /usr/bin
-	cp -L */bin/nss-config "${ED}"/usr/bin || die
-	dodir /usr/$(get_libdir)/pkgconfig
-	cp -L */lib/pkgconfig/nss.pc "${ED}"/usr/$(get_libdir)/pkgconfig || die
-
-	# create an nss-softokn.pc from nss.pc for libfreebl and some private headers
-	# bug 517266
-	sed 	-e 's#Libs:#Libs: -lfreebl#' \
-		-e 's#Cflags:#Cflags: -I${includedir}/private#' \
-		*/lib/pkgconfig/nss.pc >"${ED}"/usr/$(get_libdir)/pkgconfig/nss-softokn.pc \
-		|| die "could not create nss-softokn.pc"
-
-	# all the include files
-	insinto /usr/include/nss
-	doins public/nss/*.h
-	insinto /usr/include/nss/private
-	doins private/nss/{blapi,alghmac}.h
-
-	popd >/dev/null || die
-
-	local f nssutils
-	# Always enabled because we need it for chk generation.
-	nssutils="shlibsign"
-
-	if multilib_is_native_abi ; then
-		if use utils; then
-			# The tests we do not need to install.
-			#nssutils_test="bltest crmftest dbtest dertimetest
-			#fipstest remtest sdrtest"
-			# checkcert utils has been removed in nss-3.22:
-			# https://bugzilla.mozilla.org/show_bug.cgi?id=1187545
-			# https://hg.mozilla.org/projects/nss/rev/df1729d37870
-			nssutils="addbuiltin atob baddbdir btoa certcgi certutil
-			cmsutil conflict crlutil derdump digest makepqg mangle modutil multinit
-			nonspr10 ocspclnt oidcalc p7content p7env p7sign p7verify pk11mode
-			pk12util pp rsaperf selfserv shlibsign signtool signver ssltap strsclnt
-			symkeyutil tstclnt vfychain vfyserv"
-			# install man-pages for utils (bug #516810)
-			doman doc/nroff/*.1
-		fi
-		pushd dist/*/bin >/dev/null || die
-		for f in ${nssutils}; do
-			dobin ${f}
-		done
-		popd >/dev/null || die
-	fi
-
-	# Prelink breaks the CHK files. We don't have any reliable way to run
-	# shlibsign after prelink.
-	dodir /etc/prelink.conf.d
-	printf -- "-b ${EPREFIX}/usr/$(get_libdir)/lib%s.so\n" ${NSS_CHK_SIGN_LIBS} \
-		> "${ED}"/etc/prelink.conf.d/nss.conf
-}
-
-pkg_postinst() {
-	multilib_pkg_postinst() {
-		# We must re-sign the libraries AFTER they are stripped.
-		local shlibsign="${EROOT}/usr/bin/shlibsign"
-		# See if we can execute it (cross-compiling & such). #436216
-		"${shlibsign}" -h >&/dev/null
-		if [[ $? -gt 1 ]] ; then
-			shlibsign="shlibsign"
-		fi
-		generate_chk "${shlibsign}" "${EROOT}"/usr/$(get_libdir)
-	}
-
-	multilib_foreach_abi multilib_pkg_postinst
-}
-
-pkg_postrm() {
-	multilib_pkg_postrm() {
-		cleanup_chk "${EROOT}"/usr/$(get_libdir)
-	}
-
-	multilib_foreach_abi multilib_pkg_postrm
-}

diff --git a/dev-libs/nss/nss-3.37.3.ebuild b/dev-libs/nss/nss-3.37.3.ebuild
deleted file mode 100644
index b8389b3ef86..00000000000
--- a/dev-libs/nss/nss-3.37.3.ebuild
+++ /dev/null
@@ -1,371 +0,0 @@
-# Copyright 1999-2018 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=6
-
-inherit eutils flag-o-matic multilib toolchain-funcs multilib-minimal
-
-NSPR_VER="4.16"
-RTM_NAME="NSS_${PV//./_}_RTM"
-# Rev of https://git.fedorahosted.org/cgit/nss-pem.git
-PEM_GIT_REV="429b0222759d8ad8e6dcd29e62875ae3efd69116"
-PEM_P="${PN}-pem-20160329"
-
-DESCRIPTION="Mozilla's Network Security Services library that implements PKI support"
-HOMEPAGE="http://www.mozilla.org/projects/security/pki/nss/"
-SRC_URI="https://archive.mozilla.org/pub/security/nss/releases/${RTM_NAME}/src/${P}.tar.gz
-	cacert? ( https://dev.gentoo.org/~axs/distfiles/${PN}-cacert-class1-class3.patch )
-	nss-pem? ( https://dev.gentoo.org/~polynomial-c/${PEM_P}.tar.xz )"
-
-LICENSE="|| ( MPL-2.0 GPL-2 LGPL-2.1 )"
-SLOT="0"
-KEYWORDS="~alpha amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc x86 ~amd64-fbsd ~x86-fbsd ~amd64-linux ~x86-linux ~x86-macos ~sparc-solaris ~x64-solaris ~x86-solaris"
-IUSE="cacert +nss-pem utils"
-CDEPEND=">=dev-db/sqlite-3.8.2[${MULTILIB_USEDEP}]
-	>=sys-libs/zlib-1.2.8-r1[${MULTILIB_USEDEP}]"
-DEPEND=">=virtual/pkgconfig-0-r1[${MULTILIB_USEDEP}]
-	>=dev-libs/nspr-${NSPR_VER}[${MULTILIB_USEDEP}]
-	${CDEPEND}"
-RDEPEND=">=dev-libs/nspr-${NSPR_VER}[${MULTILIB_USEDEP}]
-	${CDEPEND}
-"
-
-RESTRICT="test"
-
-S="${WORKDIR}/${P}/${PN}"
-
-MULTILIB_CHOST_TOOLS=(
-	/usr/bin/nss-config
-)
-
-PATCHES=(
-	# Custom changes for gentoo
-	"${FILESDIR}/${PN}-3.32-gentoo-fixups.patch"
-	"${FILESDIR}/${PN}-3.21-gentoo-fixup-warnings.patch"
-	"${FILESDIR}/${PN}-3.23-hppa-byte_order.patch"
-)
-
-src_unpack() {
-	unpack ${A}
-	if use nss-pem ; then
-		mv "${PN}"/lib/ckfw/pem/ "${S}"/lib/ckfw/ || die
-	fi
-}
-
-src_prepare() {
-	if use nss-pem ; then
-		PATCHES+=(
-			"${FILESDIR}/${PN}-3.21-enable-pem.patch"
-		)
-	fi
-	if use cacert ; then #521462
-		PATCHES+=(
-			"${DISTDIR}/${PN}-cacert-class1-class3.patch"
-		)
-	fi
-
-	default
-
-	pushd coreconf >/dev/null || die
-	# hack nspr paths
-	echo 'INCLUDES += -I$(DIST)/include/dbm' \
-		>> headers.mk || die "failed to append include"
-
-	# modify install path
-	sed -e '/CORE_DEPTH/s:SOURCE_PREFIX.*$:SOURCE_PREFIX = $(CORE_DEPTH)/dist:' \
-		-i source.mk || die
-
-	# Respect LDFLAGS
-	sed -i -e 's/\$(MKSHLIB) -o/\$(MKSHLIB) \$(LDFLAGS) -o/g' rules.mk
-	popd >/dev/null || die
-
-	# Fix pkgconfig file for Prefix
-	sed -i -e "/^PREFIX =/s:= /usr:= ${EPREFIX}/usr:" \
-		config/Makefile || die
-
-	# use host shlibsign if need be #436216
-	if tc-is-cross-compiler ; then
-		sed -i \
-			-e 's:"${2}"/shlibsign:shlibsign:' \
-			cmd/shlibsign/sign.sh || die
-	fi
-
-	# dirty hack
-	sed -i -e "/CRYPTOLIB/s:\$(SOFTOKEN_LIB_DIR):../freebl/\$(OBJDIR):" \
-		lib/ssl/config.mk || die
-	sed -i -e "/CRYPTOLIB/s:\$(SOFTOKEN_LIB_DIR):../../lib/freebl/\$(OBJDIR):" \
-		cmd/platlibs.mk || die
-
-	multilib_copy_sources
-
-	strip-flags
-}
-
-multilib_src_configure() {
-	# Ensure we stay multilib aware
-	sed -i -e "/@libdir@/ s:lib64:$(get_libdir):" config/Makefile || die
-}
-
-nssarch() {
-	# Most of the arches are the same as $ARCH
-	local t=${1:-${CHOST}}
-	case ${t} in
-		aarch64*)echo "aarch64";;
-		hppa*)   echo "parisc";;
-		i?86*)   echo "i686";;
-		x86_64*) echo "x86_64";;
-		*)       tc-arch ${t};;
-	esac
-}
-
-nssbits() {
-	local cc cppflags="${1}CPPFLAGS" cflags="${1}CFLAGS"
-	if [[ ${1} == BUILD_ ]]; then
-		cc=$(tc-getBUILD_CC)
-	else
-		cc=$(tc-getCC)
-	fi
-	echo > "${T}"/test.c || die
-	${cc} ${!cppflags} ${!cflags} -c "${T}"/test.c -o "${T}/${1}test.o" || die
-	case $(file "${T}/${1}test.o") in
-		*32-bit*x86-64*) echo USE_X32=1;;
-		*64-bit*|*ppc64*|*x86_64*) echo USE_64=1;;
-		*32-bit*|*ppc*|*i386*) ;;
-		*) die "Failed to detect whether ${cc} builds 64bits or 32bits, disable distcc if you're using it, please";;
-	esac
-}
-
-multilib_src_compile() {
-	# use ABI to determine bit'ness, or fallback if unset
-	local buildbits mybits
-	case "${ABI}" in
-		n32) mybits="USE_N32=1";;
-		x32) mybits="USE_X32=1";;
-		s390x|*64) mybits="USE_64=1";;
-		${DEFAULT_ABI})
-			einfo "Running compilation test to determine bit'ness"
-			mybits=$(nssbits)
-			;;
-	esac
-	# bitness of host may differ from target
-	if tc-is-cross-compiler; then
-		buildbits=$(nssbits BUILD_)
-	fi
-
-	local makeargs=(
-		CC="$(tc-getCC)"
-		CCC="$(tc-getCXX)"
-		AR="$(tc-getAR) rc \$@"
-		RANLIB="$(tc-getRANLIB)"
-		OPTIMIZER=
-		${mybits}
-	)
-
-	# Take care of nspr settings #436216
-	local myCPPFLAGS="${CPPFLAGS} $($(tc-getPKG_CONFIG) nspr --cflags)"
-	unset NSPR_INCLUDE_DIR
-
-	# Do not let `uname` be used.
-	if use kernel_linux ; then
-		makeargs+=(
-			OS_TARGET=Linux
-			OS_RELEASE=2.6
-			OS_TEST="$(nssarch)"
-		)
-	fi
-
-	export NSS_ENABLE_WERROR=0 #567158
-	export BUILD_OPT=1
-	export NSS_USE_SYSTEM_SQLITE=1
-	export NSDISTMODE=copy
-	export NSS_ENABLE_ECC=1
-	export FREEBL_NO_DEPEND=1
-	export ASFLAGS=""
-
-	local d
-
-	# Build the host tools first.
-	LDFLAGS="${BUILD_LDFLAGS}" \
-	XCFLAGS="${BUILD_CFLAGS}" \
-	NSPR_LIB_DIR="${T}/fakedir" \
-	emake -j1 -C coreconf \
-		CC="$(tc-getBUILD_CC)" \
-		${buildbits:-${mybits}}
-	makeargs+=( NSINSTALL="${PWD}/$(find -type f -name nsinstall)" )
-
-	# Then build the target tools.
-	for d in . lib/dbm ; do
-		CPPFLAGS="${myCPPFLAGS}" \
-		XCFLAGS="${CFLAGS} ${CPPFLAGS}" \
-		NSPR_LIB_DIR="${T}/fakedir" \
-		emake -j1 "${makeargs[@]}" -C ${d}
-	done
-}
-
-# Altering these 3 libraries breaks the CHK verification.
-# All of the following cause it to break:
-# - stripping
-# - prelink
-# - ELF signing
-# http://www.mozilla.org/projects/security/pki/nss/tech-notes/tn6.html
-# Either we have to NOT strip them, or we have to forcibly resign after
-# stripping.
-#local_libdir="$(get_libdir)"
-#export STRIP_MASK="
-#	*/${local_libdir}/libfreebl3.so*
-#	*/${local_libdir}/libnssdbm3.so*
-#	*/${local_libdir}/libsoftokn3.so*"
-
-export NSS_CHK_SIGN_LIBS="freebl3 nssdbm3 softokn3"
-
-generate_chk() {
-	local shlibsign="$1"
-	local libdir="$2"
-	einfo "Resigning core NSS libraries for FIPS validation"
-	shift 2
-	local i
-	for i in ${NSS_CHK_SIGN_LIBS} ; do
-		local libname=lib${i}.so
-		local chkname=lib${i}.chk
-		"${shlibsign}" \
-			-i "${libdir}"/${libname} \
-			-o "${libdir}"/${chkname}.tmp \
-		&& mv -f \
-			"${libdir}"/${chkname}.tmp \
-			"${libdir}"/${chkname} \
-		|| die "Failed to sign ${libname}"
-	done
-}
-
-cleanup_chk() {
-	local libdir="$1"
-	shift 1
-	local i
-	for i in ${NSS_CHK_SIGN_LIBS} ; do
-		local libfname="${libdir}/lib${i}.so"
-		# If the major version has changed, then we have old chk files.
-		[ ! -f "${libfname}" -a -f "${libfname}.chk" ] \
-			&& rm -f "${libfname}.chk"
-	done
-}
-
-multilib_src_install() {
-	pushd dist >/dev/null || die
-
-	dodir /usr/$(get_libdir)
-	cp -L */lib/*$(get_libname) "${ED%/}"/usr/$(get_libdir) || die "copying shared libs failed"
-	local i
-	for i in crmf freebl nssb nssckfw ; do
-		cp -L */lib/lib${i}.a "${ED%/}"/usr/$(get_libdir) || die "copying libs failed"
-	done
-
-	# Install nss-config and pkgconfig file
-	dodir /usr/bin
-	cp -L */bin/nss-config "${ED%/}"/usr/bin || die
-	dodir /usr/$(get_libdir)/pkgconfig
-	cp -L */lib/pkgconfig/nss.pc "${ED%/}"/usr/$(get_libdir)/pkgconfig || die
-
-	# create an nss-softokn.pc from nss.pc for libfreebl and some private headers
-	# bug 517266
-	sed 	-e 's#Libs:#Libs: -lfreebl#' \
-		-e 's#Cflags:#Cflags: -I${includedir}/private#' \
-		*/lib/pkgconfig/nss.pc >"${ED%/}"/usr/$(get_libdir)/pkgconfig/nss-softokn.pc \
-		|| die "could not create nss-softokn.pc"
-
-	# all the include files
-	insinto /usr/include/nss
-	doins public/nss/*.{h,api}
-	insinto /usr/include/nss/private
-	doins private/nss/{blapi,alghmac}.h
-
-	popd >/dev/null || die
-
-	local f nssutils
-	# Always enabled because we need it for chk generation.
-	nssutils=( shlibsign )
-
-	if multilib_is_native_abi ; then
-		if use utils; then
-			# The tests we do not need to install.
-			#nssutils_test="bltest crmftest dbtest dertimetest
-			#fipstest remtest sdrtest"
-			# checkcert utils has been removed in nss-3.22:
-			# https://bugzilla.mozilla.org/show_bug.cgi?id=1187545
-			# https://hg.mozilla.org/projects/nss/rev/df1729d37870
-			# certcgi has been removed in nss-3.36:
-			# https://bugzilla.mozilla.org/show_bug.cgi?id=1426602
-			nssutils+=(
-				addbuiltin
-				atob
-				baddbdir
-				btoa
-				certutil
-				cmsutil
-				conflict
-				crlutil
-				derdump
-				digest
-				makepqg
-				mangle
-				modutil
-				multinit
-				nonspr10
-				ocspclnt
-				oidcalc
-				p7content
-				p7env
-				p7sign
-				p7verify
-				pk11mode
-				pk12util
-				pp
-				rsaperf
-				selfserv
-				signtool
-				signver
-				ssltap
-				strsclnt
-				symkeyutil
-				tstclnt
-				vfychain
-				vfyserv
-			)
-			# install man-pages for utils (bug #516810)
-			doman doc/nroff/*.1
-		fi
-		pushd dist/*/bin >/dev/null || die
-		for f in ${nssutils[@]}; do
-			dobin ${f}
-		done
-		popd >/dev/null || die
-	fi
-
-	# Prelink breaks the CHK files. We don't have any reliable way to run
-	# shlibsign after prelink.
-	dodir /etc/prelink.conf.d
-	printf -- "-b ${EPREFIX}/usr/$(get_libdir)/lib%s.so\n" ${NSS_CHK_SIGN_LIBS} \
-		> "${ED%/}"/etc/prelink.conf.d/nss.conf
-}
-
-pkg_postinst() {
-	multilib_pkg_postinst() {
-		# We must re-sign the libraries AFTER they are stripped.
-		local shlibsign="${EROOT}/usr/bin/shlibsign"
-		# See if we can execute it (cross-compiling & such). #436216
-		"${shlibsign}" -h >&/dev/null
-		if [[ $? -gt 1 ]] ; then
-			shlibsign="shlibsign"
-		fi
-		generate_chk "${shlibsign}" "${EROOT}"/usr/$(get_libdir)
-	}
-
-	multilib_foreach_abi multilib_pkg_postinst
-}
-
-pkg_postrm() {
-	multilib_pkg_postrm() {
-		cleanup_chk "${EROOT}"/usr/$(get_libdir)
-	}
-
-	multilib_foreach_abi multilib_pkg_postrm
-}

diff --git a/dev-libs/nss/nss-3.40.ebuild b/dev-libs/nss/nss-3.40.ebuild
deleted file mode 100644
index 9ce8edd6659..00000000000
--- a/dev-libs/nss/nss-3.40.ebuild
+++ /dev/null
@@ -1,371 +0,0 @@
-# Copyright 1999-2018 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=7
-
-inherit eutils flag-o-matic multilib toolchain-funcs multilib-minimal
-
-NSPR_VER="4.16"
-RTM_NAME="NSS_${PV//./_}_RTM"
-# Rev of https://git.fedorahosted.org/cgit/nss-pem.git
-PEM_GIT_REV="429b0222759d8ad8e6dcd29e62875ae3efd69116"
-PEM_P="${PN}-pem-20160329"
-
-DESCRIPTION="Mozilla's Network Security Services library that implements PKI support"
-HOMEPAGE="http://www.mozilla.org/projects/security/pki/nss/"
-SRC_URI="https://archive.mozilla.org/pub/security/nss/releases/${RTM_NAME}/src/${P}.tar.gz
-	cacert? ( https://dev.gentoo.org/~axs/distfiles/${PN}-cacert-class1-class3.patch )
-	nss-pem? ( https://dev.gentoo.org/~polynomial-c/${PEM_P}.tar.xz )"
-
-LICENSE="|| ( MPL-2.0 GPL-2 LGPL-2.1 )"
-SLOT="0"
-KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~amd64-fbsd ~x86-fbsd ~amd64-linux ~x86-linux ~x86-macos ~sparc-solaris ~x64-solaris ~x86-solaris"
-IUSE="cacert +nss-pem utils"
-CDEPEND=">=dev-db/sqlite-3.8.2[${MULTILIB_USEDEP}]
-	>=sys-libs/zlib-1.2.8-r1[${MULTILIB_USEDEP}]"
-DEPEND=">=virtual/pkgconfig-0-r1[${MULTILIB_USEDEP}]
-	>=dev-libs/nspr-${NSPR_VER}[${MULTILIB_USEDEP}]
-	${CDEPEND}"
-RDEPEND=">=dev-libs/nspr-${NSPR_VER}[${MULTILIB_USEDEP}]
-	${CDEPEND}
-"
-
-RESTRICT="test"
-
-S="${WORKDIR}/${P}/${PN}"
-
-MULTILIB_CHOST_TOOLS=(
-	/usr/bin/nss-config
-)
-
-PATCHES=(
-	# Custom changes for gentoo
-	"${FILESDIR}/${PN}-3.32-gentoo-fixups.patch"
-	"${FILESDIR}/${PN}-3.21-gentoo-fixup-warnings.patch"
-	"${FILESDIR}/${PN}-3.23-hppa-byte_order.patch"
-)
-
-src_unpack() {
-	unpack ${A}
-	if use nss-pem ; then
-		mv "${PN}"/lib/ckfw/pem/ "${S}"/lib/ckfw/ || die
-	fi
-}
-
-src_prepare() {
-	if use nss-pem ; then
-		PATCHES+=(
-			"${FILESDIR}/${PN}-3.21-enable-pem.patch"
-		)
-	fi
-	if use cacert ; then #521462
-		PATCHES+=(
-			"${DISTDIR}/${PN}-cacert-class1-class3.patch"
-		)
-	fi
-
-	default
-
-	pushd coreconf >/dev/null || die
-	# hack nspr paths
-	echo 'INCLUDES += -I$(DIST)/include/dbm' \
-		>> headers.mk || die "failed to append include"
-
-	# modify install path
-	sed -e '/CORE_DEPTH/s:SOURCE_PREFIX.*$:SOURCE_PREFIX = $(CORE_DEPTH)/dist:' \
-		-i source.mk || die
-
-	# Respect LDFLAGS
-	sed -i -e 's/\$(MKSHLIB) -o/\$(MKSHLIB) \$(LDFLAGS) -o/g' rules.mk
-	popd >/dev/null || die
-
-	# Fix pkgconfig file for Prefix
-	sed -i -e "/^PREFIX =/s:= /usr:= ${EPREFIX}/usr:" \
-		config/Makefile || die
-
-	# use host shlibsign if need be #436216
-	if tc-is-cross-compiler ; then
-		sed -i \
-			-e 's:"${2}"/shlibsign:shlibsign:' \
-			cmd/shlibsign/sign.sh || die
-	fi
-
-	# dirty hack
-	sed -i -e "/CRYPTOLIB/s:\$(SOFTOKEN_LIB_DIR):../freebl/\$(OBJDIR):" \
-		lib/ssl/config.mk || die
-	sed -i -e "/CRYPTOLIB/s:\$(SOFTOKEN_LIB_DIR):../../lib/freebl/\$(OBJDIR):" \
-		cmd/platlibs.mk || die
-
-	multilib_copy_sources
-
-	strip-flags
-}
-
-multilib_src_configure() {
-	# Ensure we stay multilib aware
-	sed -i -e "/@libdir@/ s:lib64:$(get_libdir):" config/Makefile || die
-}
-
-nssarch() {
-	# Most of the arches are the same as $ARCH
-	local t=${1:-${CHOST}}
-	case ${t} in
-		aarch64*)echo "aarch64";;
-		hppa*)   echo "parisc";;
-		i?86*)   echo "i686";;
-		x86_64*) echo "x86_64";;
-		*)       tc-arch ${t};;
-	esac
-}
-
-nssbits() {
-	local cc cppflags="${1}CPPFLAGS" cflags="${1}CFLAGS"
-	if [[ ${1} == BUILD_ ]]; then
-		cc=$(tc-getBUILD_CC)
-	else
-		cc=$(tc-getCC)
-	fi
-	echo > "${T}"/test.c || die
-	${cc} ${!cppflags} ${!cflags} -c "${T}"/test.c -o "${T}/${1}test.o" || die
-	case $(file "${T}/${1}test.o") in
-		*32-bit*x86-64*) echo USE_X32=1;;
-		*64-bit*|*ppc64*|*x86_64*) echo USE_64=1;;
-		*32-bit*|*ppc*|*i386*) ;;
-		*) die "Failed to detect whether ${cc} builds 64bits or 32bits, disable distcc if you're using it, please";;
-	esac
-}
-
-multilib_src_compile() {
-	# use ABI to determine bit'ness, or fallback if unset
-	local buildbits mybits
-	case "${ABI}" in
-		n32) mybits="USE_N32=1";;
-		x32) mybits="USE_X32=1";;
-		s390x|*64) mybits="USE_64=1";;
-		${DEFAULT_ABI})
-			einfo "Running compilation test to determine bit'ness"
-			mybits=$(nssbits)
-			;;
-	esac
-	# bitness of host may differ from target
-	if tc-is-cross-compiler; then
-		buildbits=$(nssbits BUILD_)
-	fi
-
-	local makeargs=(
-		CC="$(tc-getCC)"
-		CCC="$(tc-getCXX)"
-		AR="$(tc-getAR) rc \$@"
-		RANLIB="$(tc-getRANLIB)"
-		OPTIMIZER=
-		${mybits}
-	)
-
-	# Take care of nspr settings #436216
-	local myCPPFLAGS="${CPPFLAGS} $($(tc-getPKG_CONFIG) nspr --cflags)"
-	unset NSPR_INCLUDE_DIR
-
-	# Do not let `uname` be used.
-	if use kernel_linux ; then
-		makeargs+=(
-			OS_TARGET=Linux
-			OS_RELEASE=2.6
-			OS_TEST="$(nssarch)"
-		)
-	fi
-
-	export NSS_ENABLE_WERROR=0 #567158
-	export BUILD_OPT=1
-	export NSS_USE_SYSTEM_SQLITE=1
-	export NSDISTMODE=copy
-	export NSS_ENABLE_ECC=1
-	export FREEBL_NO_DEPEND=1
-	export ASFLAGS=""
-
-	local d
-
-	# Build the host tools first.
-	LDFLAGS="${BUILD_LDFLAGS}" \
-	XCFLAGS="${BUILD_CFLAGS}" \
-	NSPR_LIB_DIR="${T}/fakedir" \
-	emake -j1 -C coreconf \
-		CC="$(tc-getBUILD_CC)" \
-		${buildbits:-${mybits}}
-	makeargs+=( NSINSTALL="${PWD}/$(find -type f -name nsinstall)" )
-
-	# Then build the target tools.
-	for d in . lib/dbm ; do
-		CPPFLAGS="${myCPPFLAGS}" \
-		XCFLAGS="${CFLAGS} ${CPPFLAGS}" \
-		NSPR_LIB_DIR="${T}/fakedir" \
-		emake -j1 "${makeargs[@]}" -C ${d}
-	done
-}
-
-# Altering these 3 libraries breaks the CHK verification.
-# All of the following cause it to break:
-# - stripping
-# - prelink
-# - ELF signing
-# http://www.mozilla.org/projects/security/pki/nss/tech-notes/tn6.html
-# Either we have to NOT strip them, or we have to forcibly resign after
-# stripping.
-#local_libdir="$(get_libdir)"
-#export STRIP_MASK="
-#	*/${local_libdir}/libfreebl3.so*
-#	*/${local_libdir}/libnssdbm3.so*
-#	*/${local_libdir}/libsoftokn3.so*"
-
-export NSS_CHK_SIGN_LIBS="freebl3 nssdbm3 softokn3"
-
-generate_chk() {
-	local shlibsign="$1"
-	local libdir="$2"
-	einfo "Resigning core NSS libraries for FIPS validation"
-	shift 2
-	local i
-	for i in ${NSS_CHK_SIGN_LIBS} ; do
-		local libname=lib${i}.so
-		local chkname=lib${i}.chk
-		"${shlibsign}" \
-			-i "${libdir}"/${libname} \
-			-o "${libdir}"/${chkname}.tmp \
-		&& mv -f \
-			"${libdir}"/${chkname}.tmp \
-			"${libdir}"/${chkname} \
-		|| die "Failed to sign ${libname}"
-	done
-}
-
-cleanup_chk() {
-	local libdir="$1"
-	shift 1
-	local i
-	for i in ${NSS_CHK_SIGN_LIBS} ; do
-		local libfname="${libdir}/lib${i}.so"
-		# If the major version has changed, then we have old chk files.
-		[ ! -f "${libfname}" -a -f "${libfname}.chk" ] \
-			&& rm -f "${libfname}.chk"
-	done
-}
-
-multilib_src_install() {
-	pushd dist >/dev/null || die
-
-	dodir /usr/$(get_libdir)
-	cp -L */lib/*$(get_libname) "${ED%/}"/usr/$(get_libdir) || die "copying shared libs failed"
-	local i
-	for i in crmf freebl nssb nssckfw ; do
-		cp -L */lib/lib${i}.a "${ED%/}"/usr/$(get_libdir) || die "copying libs failed"
-	done
-
-	# Install nss-config and pkgconfig file
-	dodir /usr/bin
-	cp -L */bin/nss-config "${ED%/}"/usr/bin || die
-	dodir /usr/$(get_libdir)/pkgconfig
-	cp -L */lib/pkgconfig/nss.pc "${ED%/}"/usr/$(get_libdir)/pkgconfig || die
-
-	# create an nss-softokn.pc from nss.pc for libfreebl and some private headers
-	# bug 517266
-	sed 	-e 's#Libs:#Libs: -lfreebl#' \
-		-e 's#Cflags:#Cflags: -I${includedir}/private#' \
-		*/lib/pkgconfig/nss.pc >"${ED%/}"/usr/$(get_libdir)/pkgconfig/nss-softokn.pc \
-		|| die "could not create nss-softokn.pc"
-
-	# all the include files
-	insinto /usr/include/nss
-	doins public/nss/*.{h,api}
-	insinto /usr/include/nss/private
-	doins private/nss/{blapi,alghmac}.h
-
-	popd >/dev/null || die
-
-	local f nssutils
-	# Always enabled because we need it for chk generation.
-	nssutils=( shlibsign )
-
-	if multilib_is_native_abi ; then
-		if use utils; then
-			# The tests we do not need to install.
-			#nssutils_test="bltest crmftest dbtest dertimetest
-			#fipstest remtest sdrtest"
-			# checkcert utils has been removed in nss-3.22:
-			# https://bugzilla.mozilla.org/show_bug.cgi?id=1187545
-			# https://hg.mozilla.org/projects/nss/rev/df1729d37870
-			# certcgi has been removed in nss-3.36:
-			# https://bugzilla.mozilla.org/show_bug.cgi?id=1426602
-			nssutils+=(
-				addbuiltin
-				atob
-				baddbdir
-				btoa
-				certutil
-				cmsutil
-				conflict
-				crlutil
-				derdump
-				digest
-				makepqg
-				mangle
-				modutil
-				multinit
-				nonspr10
-				ocspclnt
-				oidcalc
-				p7content
-				p7env
-				p7sign
-				p7verify
-				pk11mode
-				pk12util
-				pp
-				rsaperf
-				selfserv
-				signtool
-				signver
-				ssltap
-				strsclnt
-				symkeyutil
-				tstclnt
-				vfychain
-				vfyserv
-			)
-			# install man-pages for utils (bug #516810)
-			doman doc/nroff/*.1
-		fi
-		pushd dist/*/bin >/dev/null || die
-		for f in ${nssutils[@]}; do
-			dobin ${f}
-		done
-		popd >/dev/null || die
-	fi
-
-	# Prelink breaks the CHK files. We don't have any reliable way to run
-	# shlibsign after prelink.
-	dodir /etc/prelink.conf.d
-	printf -- "-b ${EPREFIX}/usr/$(get_libdir)/lib%s.so\n" ${NSS_CHK_SIGN_LIBS} \
-		> "${ED%/}"/etc/prelink.conf.d/nss.conf
-}
-
-pkg_postinst() {
-	multilib_pkg_postinst() {
-		# We must re-sign the libraries AFTER they are stripped.
-		local shlibsign="${EROOT}/usr/bin/shlibsign"
-		# See if we can execute it (cross-compiling & such). #436216
-		"${shlibsign}" -h >&/dev/null
-		if [[ $? -gt 1 ]] ; then
-			shlibsign="shlibsign"
-		fi
-		generate_chk "${shlibsign}" "${EROOT}"/usr/$(get_libdir)
-	}
-
-	multilib_foreach_abi multilib_pkg_postinst
-}
-
-pkg_postrm() {
-	multilib_pkg_postrm() {
-		cleanup_chk "${EROOT}"/usr/$(get_libdir)
-	}
-
-	multilib_foreach_abi multilib_pkg_postrm
-}


^ permalink raw reply related	[flat|nested] 19+ messages in thread
* [gentoo-commits] repo/gentoo:master commit in: dev-libs/nss/, dev-libs/nss/files/
@ 2017-07-30 14:32 Jory Pratt
  0 siblings, 0 replies; 19+ messages in thread
From: Jory Pratt @ 2017-07-30 14:32 UTC (permalink / raw
  To: gentoo-commits

commit:     655ceca26319d33003ad981b3202c31233777dd8
Author:     Jory A. Pratt <anarchy <AT> gentoo <DOT> org>
AuthorDate: Sun Jul 30 14:31:24 2017 +0000
Commit:     Jory Pratt <anarchy <AT> gentoo <DOT> org>
CommitDate: Sun Jul 30 14:32:02 2017 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=655ceca2

dev-libs/nss: Upstream version bump, rebase gentoo pkgconfig patch

Package-Manager: Portage-2.3.6, Repoman-2.3.3

 dev-libs/nss/Manifest                           |   1 +
 dev-libs/nss/files/nss-3.32-gentoo-fixups.patch | 274 +++++++++++++++++++
 dev-libs/nss/nss-3.32.ebuild                    | 340 ++++++++++++++++++++++++
 3 files changed, 615 insertions(+)

diff --git a/dev-libs/nss/Manifest b/dev-libs/nss/Manifest
index ec8d2813098..dca6632a35b 100644
--- a/dev-libs/nss/Manifest
+++ b/dev-libs/nss/Manifest
@@ -1,4 +1,5 @@
 DIST nss-3.29.5.tar.gz 7480246 SHA256 5df483b73535d726207483f6349df23fe56aee83382b94b13298aec2e254d985 SHA512 ce18bc7e793d2b3698db412b2e5fcabbfd9862eca3def120d5e44bc67276526bff6b33ffa84b8128f8af6d35101000e6f7bb24194f63a55461b3c245fac11faa WHIRLPOOL ca341bc9e76208e01ee9b1b1fa8a67dd502676d1a2062468722ad80ed81fa3e4b0958907892871249b3596b310aa813259cf47b5bc64ec37b05613dc9d31323f
 DIST nss-3.31.tar.gz 9537011 SHA256 e90561256a3271486162c1fbe8d614d118c333d36a4455be2af8688bd420a65d SHA512 2b56405b32d37cc4386cbbe54462cc57092e47b3418a743adbae14e1825ca69d07256fbfe16c0cfd7540c46cea67259151b42a0d95419c80964015eacdcafea1 WHIRLPOOL b63b481436feaf48ef3acc03e7af3831b743e91fda802f1fb5d4e782cbefab979dda5b643766f3a600b16ff815a90dacabd0b06b79baa76386237b56e74676fb
+DIST nss-3.32.tar.gz 9493574 SHA256 35c6f381cc96bb25e4f924469f6ba3e57b3a16e0c2fb7e295a284a00d57ed335 SHA512 7a01f81e23ef9649fd26b8423b015f4df5878c94f6ff591727086644b01db3dbc36de4e131cf70a6f84564e46c8decb7c4f7780fca12270eb900de1f8a11ee3c WHIRLPOOL bd1a9a8da509143ba995c2a4aac43df991703c1170e2654a8e762fbaf1b26e4f95f85c9d06db45126247a6d52828060c5283fb9cf1e4328952bc518ee38316c4
 DIST nss-cacert-class1-class3.patch 22950 SHA256 6bba29cee34276e2ca6436dabedfeba2b61fb46668c5d5ceabf0c871574649bf SHA512 a5aa740bf110a3f0262e3f1ef2fc739ac2b44f042e220039d48aee8e97cd764d5c10718220364f4098aba955882bd02cadb5481512388971a8290312f88a7df0 WHIRLPOOL 1246223b01292604e5609bb9c580f092dc5937bf8c98f6891b099e8bab960e03612b6617e30a55d6ff8817d88f190e03812fe8f89f84f25c20970493dc2f7700
 DIST nss-pem-20160329.tar.xz 27732 SHA256 6c13c342e7a9fe34b585556099beca33c3078b3df3e11b72827fb70232ac1443 SHA512 5834b06e4c64205447573d4f4c8989e20986ae67ee00eebce3817eb73794a6355a404143ba1c676ec302ceefaf9df103cb879b1d4ff14ba4e3790dbee3e40eb2 WHIRLPOOL 16fb714fab29e44f7a15fa1928a0f4c1a770f0847b8da97816e29a3b124dee782cffe2357648c445f4d29081f349571b6fffe48c5bc725c7c2dde491f3e0e836

diff --git a/dev-libs/nss/files/nss-3.32-gentoo-fixups.patch b/dev-libs/nss/files/nss-3.32-gentoo-fixups.patch
new file mode 100644
index 00000000000..1773da98819
--- /dev/null
+++ b/dev-libs/nss/files/nss-3.32-gentoo-fixups.patch
@@ -0,0 +1,274 @@
+From 8e49e1c92dadc2e7a41cad44637f4a224e4f5b39 Mon Sep 17 00:00:00 2001
+From: "Jory A. Pratt" <anarchy@gentoo.org>
+Date: Fri, 28 Jul 2017 14:00:41 -0500
+Subject: [PATCH] add pkg-config file
+
+Signed-off-by: Jory A. Pratt <anarchy@gentoo.org>
+---
+ Makefile             |  11 +---
+ config/Makefile      |  40 ++++++++++++++
+ config/nss-config.in | 145 +++++++++++++++++++++++++++++++++++++++++++++++++++
+ config/nss.pc.in     |  12 +++++
+ manifest.mn          |   2 +-
+ 5 files changed, 199 insertions(+), 11 deletions(-)
+ create mode 100644 config/Makefile
+ create mode 100644 config/nss-config.in
+ create mode 100644 config/nss.pc.in
+
+diff --git a/Makefile b/Makefile
+index 48bae37..9850883 100644
+--- a/Makefile
++++ b/Makefile
+@@ -47,7 +47,7 @@ include $(CORE_DEPTH)/coreconf/rules.mk
+ # (7) Execute "local" rules. (OPTIONAL).                              #
+ #######################################################################
+ 
+-nss_build_all: build_nspr all latest
++nss_build_all: all latest
+ 
+ nss_clean_all: clobber_nspr clobber
+ 
+@@ -135,15 +135,6 @@ $(NSPR_CONFIG_STATUS): $(NSPR_CONFIGURE)
+ 	--prefix='$(NSS_GYP_PREFIX)'
+ endif
+ 
+-build_nspr: $(NSPR_CONFIG_STATUS)
+-	$(MAKE) -C $(CORE_DEPTH)/../nspr/$(OBJDIR_NAME)
+-
+-install_nspr: build_nspr
+-	$(MAKE) -C $(CORE_DEPTH)/../nspr/$(OBJDIR_NAME) install
+-
+-clobber_nspr: $(NSPR_CONFIG_STATUS)
+-	$(MAKE) -C $(CORE_DEPTH)/../nspr/$(OBJDIR_NAME) clobber
+-
+ build_docs:
+ 	$(MAKE) -C $(CORE_DEPTH)/doc
+ 
+diff --git a/config/Makefile b/config/Makefile
+new file mode 100644
+index 0000000..600fe48
+--- /dev/null
++++ b/config/Makefile
+@@ -0,0 +1,40 @@
++CORE_DEPTH = ..
++DEPTH      = ..
++
++include $(CORE_DEPTH)/coreconf/config.mk
++
++NSS_MAJOR_VERSION = `grep "NSS_VMAJOR" ../lib/nss/nss.h | awk '{print $$3}'`
++NSS_MINOR_VERSION = `grep "NSS_VMINOR" ../lib/nss/nss.h | awk '{print $$3}'`
++NSS_PATCH_VERSION = `grep "NSS_VPATCH" ../lib/nss/nss.h | awk '{print $$3}'`
++PREFIX = /usr
++
++all: export libs
++
++export:
++	# Create the nss.pc file
++	mkdir -p $(DIST)/lib/pkgconfig
++	sed -e "s,@prefix@,$(PREFIX)," \
++	    -e "s,@exec_prefix@,\$${prefix}," \
++	    -e "s,@libdir@,\$${prefix}/lib64," \
++	    -e "s,@includedir@,\$${prefix}/include/nss," \
++	    -e "s,@NSS_MAJOR_VERSION@,$(NSS_MAJOR_VERSION),g" \
++	    -e "s,@NSS_MINOR_VERSION@,$(NSS_MINOR_VERSION)," \
++	    -e "s,@NSS_PATCH_VERSION@,$(NSS_PATCH_VERSION)," \
++	    nss.pc.in > nss.pc
++	chmod 0644 nss.pc
++	ln -sf ../../../../config/nss.pc $(DIST)/lib/pkgconfig
++
++	# Create the nss-config script
++	mkdir -p $(DIST)/bin
++	sed -e "s,@prefix@,$(PREFIX)," \
++	    -e "s,@NSS_MAJOR_VERSION@,$(NSS_MAJOR_VERSION)," \
++	    -e "s,@NSS_MINOR_VERSION@,$(NSS_MINOR_VERSION)," \
++	    -e "s,@NSS_PATCH_VERSION@,$(NSS_PATCH_VERSION)," \
++	    nss-config.in > nss-config
++	chmod 0755 nss-config
++	ln -sf ../../../config/nss-config $(DIST)/bin
++
++libs:
++
++dummy: all export libs
++
+diff --git a/config/nss-config.in b/config/nss-config.in
+new file mode 100644
+index 0000000..1d7c444
+--- /dev/null
++++ b/config/nss-config.in
+@@ -0,0 +1,145 @@
++#!/bin/sh
++
++prefix=@prefix@
++
++major_version=@NSS_MAJOR_VERSION@
++minor_version=@NSS_MINOR_VERSION@
++patch_version=@NSS_PATCH_VERSION@
++
++usage()
++{
++	cat <<EOF
++Usage: nss-config [OPTIONS] [LIBRARIES]
++Options:
++	[--prefix[=DIR]]
++	[--exec-prefix[=DIR]]
++	[--includedir[=DIR]]
++	[--libdir[=DIR]]
++	[--version]
++	[--libs]
++	[--cflags]
++Dynamic Libraries:
++	nss
++	ssl
++	smime
++	nssutil
++EOF
++	exit $1
++}
++
++if test $# -eq 0; then
++	usage 1 1>&2
++fi
++
++lib_ssl=yes
++lib_smime=yes
++lib_nss=yes
++lib_nssutil=yes
++
++while test $# -gt 0; do
++  case "$1" in
++  -*=*) optarg=`echo "$1" | sed 's/[-_a-zA-Z0-9]*=//'` ;;
++  *) optarg= ;;
++  esac
++
++  case $1 in
++    --prefix=*)
++      prefix=$optarg
++      ;;
++    --prefix)
++      echo_prefix=yes
++      ;;
++    --exec-prefix=*)
++      exec_prefix=$optarg
++      ;;
++    --exec-prefix)
++      echo_exec_prefix=yes
++      ;;
++    --includedir=*)
++      includedir=$optarg
++      ;;
++    --includedir)
++      echo_includedir=yes
++      ;;
++    --libdir=*)
++      libdir=$optarg
++      ;;
++    --libdir)
++      echo_libdir=yes
++      ;;
++    --version)
++      echo ${major_version}.${minor_version}.${patch_version}
++      ;;
++    --cflags)
++      echo_cflags=yes
++      ;;
++    --libs)
++      echo_libs=yes
++      ;;
++    ssl)
++      lib_ssl=yes
++      ;;
++    smime)
++      lib_smime=yes
++      ;;
++    nss)
++      lib_nss=yes
++      ;;
++    nssutil)                                                      
++      lib_nssutil=yes                                             
++      ;;
++    *)
++      usage 1 1>&2
++      ;;
++  esac
++  shift
++done
++
++# Set variables that may be dependent upon other variables
++if test -z "$exec_prefix"; then
++    exec_prefix=`pkg-config --variable=exec_prefix nss`
++fi
++if test -z "$includedir"; then
++    includedir=`pkg-config --variable=includedir nss`
++fi
++if test -z "$libdir"; then
++    libdir=`pkg-config --variable=libdir nss`
++fi
++
++if test "$echo_prefix" = "yes"; then
++    echo $prefix
++fi
++
++if test "$echo_exec_prefix" = "yes"; then
++    echo $exec_prefix
++fi
++
++if test "$echo_includedir" = "yes"; then
++    echo $includedir
++fi
++
++if test "$echo_libdir" = "yes"; then
++    echo $libdir
++fi
++
++if test "$echo_cflags" = "yes"; then
++    echo -I$includedir
++fi
++
++if test "$echo_libs" = "yes"; then
++      libdirs=""
++      if test -n "$lib_ssl"; then
++	libdirs="$libdirs -lssl${major_version}"
++      fi
++      if test -n "$lib_smime"; then
++	libdirs="$libdirs -lsmime${major_version}"
++      fi
++      if test -n "$lib_nss"; then
++	libdirs="$libdirs -lnss${major_version}"
++      fi
++      if test -n "$lib_nssutil"; then
++       libdirs="$libdirs -lnssutil${major_version}"
++      fi
++      echo $libdirs
++fi      
++
+diff --git a/config/nss.pc.in b/config/nss.pc.in
+new file mode 100644
+index 0000000..df9e2cf
+--- /dev/null
++++ b/config/nss.pc.in
+@@ -0,0 +1,12 @@
++prefix=@prefix@
++exec_prefix=@exec_prefix@
++libdir=@libdir@
++includedir=@includedir@
++
++Name: NSS
++Description: Network Security Services
++Version: @NSS_MAJOR_VERSION@.@NSS_MINOR_VERSION@.@NSS_PATCH_VERSION@
++Requires: nspr >= 4.8
++Libs: -lssl3 -lsmime3 -lnss3 -lnssutil3
++Cflags: -I${includedir}
++
+diff --git a/manifest.mn b/manifest.mn
+index 500a5ad..87c905e 100644
+--- a/manifest.mn
++++ b/manifest.mn
+@@ -10,4 +10,4 @@ IMPORTS =	nspr20/v4.8 \
+ 
+ RELEASE = nss
+ 
+-DIRS = coreconf lib cmd cpputil gtests
++DIRS = coreconf lib cmd cpputil config
+-- 
+2.13.3
+

diff --git a/dev-libs/nss/nss-3.32.ebuild b/dev-libs/nss/nss-3.32.ebuild
new file mode 100644
index 00000000000..2932e76b9fb
--- /dev/null
+++ b/dev-libs/nss/nss-3.32.ebuild
@@ -0,0 +1,340 @@
+# Copyright 1999-2017 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=6
+
+inherit eutils flag-o-matic multilib toolchain-funcs multilib-minimal
+
+NSPR_VER="4.16"
+RTM_NAME="NSS_${PV//./_}_RTM"
+# Rev of https://git.fedorahosted.org/cgit/nss-pem.git
+PEM_GIT_REV="429b0222759d8ad8e6dcd29e62875ae3efd69116"
+PEM_P="${PN}-pem-20160329"
+
+DESCRIPTION="Mozilla's Network Security Services library that implements PKI support"
+HOMEPAGE="http://www.mozilla.org/projects/security/pki/nss/"
+SRC_URI="https://archive.mozilla.org/pub/security/nss/releases/${RTM_NAME}/src/${P}.tar.gz
+	cacert? ( https://dev.gentoo.org/~axs/distfiles/${PN}-cacert-class1-class3.patch )
+	nss-pem? ( https://dev.gentoo.org/~polynomial-c/${PEM_P}.tar.xz )"
+
+LICENSE="|| ( MPL-2.0 GPL-2 LGPL-2.1 )"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~amd64-fbsd ~x86-fbsd ~amd64-linux ~x86-linux ~x86-macos ~sparc-solaris ~x64-solaris ~x86-solaris"
+IUSE="cacert +nss-pem utils"
+CDEPEND=">=dev-db/sqlite-3.8.2[${MULTILIB_USEDEP}]
+	>=sys-libs/zlib-1.2.8-r1[${MULTILIB_USEDEP}]"
+DEPEND=">=virtual/pkgconfig-0-r1[${MULTILIB_USEDEP}]
+	>=dev-libs/nspr-${NSPR_VER}[${MULTILIB_USEDEP}]
+	${CDEPEND}"
+RDEPEND=">=dev-libs/nspr-${NSPR_VER}[${MULTILIB_USEDEP}]
+	${CDEPEND}
+	abi_x86_32? (
+		!<=app-emulation/emul-linux-x86-baselibs-20140508-r12
+		!app-emulation/emul-linux-x86-baselibs[-abi_x86_32(-)]
+	)"
+
+RESTRICT="test"
+
+S="${WORKDIR}/${P}/${PN}"
+
+MULTILIB_CHOST_TOOLS=(
+	/usr/bin/nss-config
+)
+
+PATCHES=(
+	# Custom changes for gentoo
+	"${FILESDIR}/${PN}-3.32-gentoo-fixups.patch"
+	"${FILESDIR}/${PN}-3.21-gentoo-fixup-warnings.patch"
+	"${FILESDIR}/${PN}-3.23-hppa-byte_order.patch"
+)
+
+src_unpack() {
+	unpack ${A}
+	if use nss-pem ; then
+		mv "${PN}"/lib/ckfw/pem/ "${S}"/lib/ckfw/ || die
+	fi
+}
+
+src_prepare() {
+	if use nss-pem ; then
+		PATCHES+=(
+			"${FILESDIR}/${PN}-3.21-enable-pem.patch"
+		)
+	fi
+	if use cacert ; then #521462
+		PATCHES+=(
+			"${DISTDIR}/${PN}-cacert-class1-class3.patch"
+		)
+	fi
+
+	default
+
+	pushd coreconf >/dev/null || die
+	# hack nspr paths
+	echo 'INCLUDES += -I$(DIST)/include/dbm' \
+		>> headers.mk || die "failed to append include"
+
+	# modify install path
+	sed -e '/CORE_DEPTH/s:SOURCE_PREFIX.*$:SOURCE_PREFIX = $(CORE_DEPTH)/dist:' \
+		-i source.mk || die
+
+	# Respect LDFLAGS
+	sed -i -e 's/\$(MKSHLIB) -o/\$(MKSHLIB) \$(LDFLAGS) -o/g' rules.mk
+	popd >/dev/null || die
+
+	# Fix pkgconfig file for Prefix
+	sed -i -e "/^PREFIX =/s:= /usr:= ${EPREFIX}/usr:" \
+		config/Makefile || die
+
+	# use host shlibsign if need be #436216
+	if tc-is-cross-compiler ; then
+		sed -i \
+			-e 's:"${2}"/shlibsign:shlibsign:' \
+			cmd/shlibsign/sign.sh || die
+	fi
+
+	# dirty hack
+	sed -i -e "/CRYPTOLIB/s:\$(SOFTOKEN_LIB_DIR):../freebl/\$(OBJDIR):" \
+		lib/ssl/config.mk || die
+	sed -i -e "/CRYPTOLIB/s:\$(SOFTOKEN_LIB_DIR):../../lib/freebl/\$(OBJDIR):" \
+		cmd/platlibs.mk || die
+
+	multilib_copy_sources
+
+	strip-flags
+}
+
+multilib_src_configure() {
+	# Ensure we stay multilib aware
+	sed -i -e "/@libdir@/ s:lib64:$(get_libdir):" config/Makefile || die
+}
+
+nssarch() {
+	# Most of the arches are the same as $ARCH
+	local t=${1:-${CHOST}}
+	case ${t} in
+		aarch64*)echo "aarch64";;
+		hppa*)   echo "parisc";;
+		i?86*)   echo "i686";;
+		x86_64*) echo "x86_64";;
+		*)       tc-arch ${t};;
+	esac
+}
+
+nssbits() {
+	local cc cppflags="${1}CPPFLAGS" cflags="${1}CFLAGS"
+	if [[ ${1} == BUILD_ ]]; then
+		cc=$(tc-getBUILD_CC)
+	else
+		cc=$(tc-getCC)
+	fi
+	echo > "${T}"/test.c || die
+	${cc} ${!cppflags} ${!cflags} -c "${T}"/test.c -o "${T}/${1}test.o" || die
+	case $(file "${T}/${1}test.o") in
+		*32-bit*x86-64*) echo USE_X32=1;;
+		*64-bit*|*ppc64*|*x86_64*) echo USE_64=1;;
+		*32-bit*|*ppc*|*i386*) ;;
+		*) die "Failed to detect whether ${cc} builds 64bits or 32bits, disable distcc if you're using it, please";;
+	esac
+}
+
+multilib_src_compile() {
+	# use ABI to determine bit'ness, or fallback if unset
+	local buildbits mybits
+	case "${ABI}" in
+		n32) mybits="USE_N32=1";;
+		x32) mybits="USE_X32=1";;
+		s390x|*64) mybits="USE_64=1";;
+		${DEFAULT_ABI})
+			einfo "Running compilation test to determine bit'ness"
+			mybits=$(nssbits)
+			;;
+	esac
+	# bitness of host may differ from target
+	if tc-is-cross-compiler; then
+		buildbits=$(nssbits BUILD_)
+	fi
+
+	local makeargs=(
+		CC="$(tc-getCC)"
+		AR="$(tc-getAR) rc \$@"
+		RANLIB="$(tc-getRANLIB)"
+		OPTIMIZER=
+		${mybits}
+	)
+
+	# Take care of nspr settings #436216
+	local myCPPFLAGS="${CPPFLAGS} $($(tc-getPKG_CONFIG) nspr --cflags)"
+	unset NSPR_INCLUDE_DIR
+
+	# Do not let `uname` be used.
+	if use kernel_linux ; then
+		makeargs+=(
+			OS_TARGET=Linux
+			OS_RELEASE=2.6
+			OS_TEST="$(nssarch)"
+		)
+	fi
+
+	export NSS_ENABLE_WERROR=0 #567158
+	export BUILD_OPT=1
+	export NSS_USE_SYSTEM_SQLITE=1
+	export NSDISTMODE=copy
+	export NSS_ENABLE_ECC=1
+	export FREEBL_NO_DEPEND=1
+	export ASFLAGS=""
+
+	local d
+
+	# Build the host tools first.
+	LDFLAGS="${BUILD_LDFLAGS}" \
+	XCFLAGS="${BUILD_CFLAGS}" \
+	NSPR_LIB_DIR="${T}/fakedir" \
+	emake -j1 -C coreconf \
+		CC="$(tc-getBUILD_CC)" \
+		${buildbits:-${mybits}}
+	makeargs+=( NSINSTALL="${PWD}/$(find -type f -name nsinstall)" )
+
+	# Then build the target tools.
+	for d in . lib/dbm ; do
+		CPPFLAGS="${myCPPFLAGS}" \
+		XCFLAGS="${CFLAGS} ${CPPFLAGS}" \
+		NSPR_LIB_DIR="${T}/fakedir" \
+		emake -j1 "${makeargs[@]}" -C ${d}
+	done
+}
+
+# Altering these 3 libraries breaks the CHK verification.
+# All of the following cause it to break:
+# - stripping
+# - prelink
+# - ELF signing
+# http://www.mozilla.org/projects/security/pki/nss/tech-notes/tn6.html
+# Either we have to NOT strip them, or we have to forcibly resign after
+# stripping.
+#local_libdir="$(get_libdir)"
+#export STRIP_MASK="
+#	*/${local_libdir}/libfreebl3.so*
+#	*/${local_libdir}/libnssdbm3.so*
+#	*/${local_libdir}/libsoftokn3.so*"
+
+export NSS_CHK_SIGN_LIBS="freebl3 nssdbm3 softokn3"
+
+generate_chk() {
+	local shlibsign="$1"
+	local libdir="$2"
+	einfo "Resigning core NSS libraries for FIPS validation"
+	shift 2
+	local i
+	for i in ${NSS_CHK_SIGN_LIBS} ; do
+		local libname=lib${i}.so
+		local chkname=lib${i}.chk
+		"${shlibsign}" \
+			-i "${libdir}"/${libname} \
+			-o "${libdir}"/${chkname}.tmp \
+		&& mv -f \
+			"${libdir}"/${chkname}.tmp \
+			"${libdir}"/${chkname} \
+		|| die "Failed to sign ${libname}"
+	done
+}
+
+cleanup_chk() {
+	local libdir="$1"
+	shift 1
+	local i
+	for i in ${NSS_CHK_SIGN_LIBS} ; do
+		local libfname="${libdir}/lib${i}.so"
+		# If the major version has changed, then we have old chk files.
+		[ ! -f "${libfname}" -a -f "${libfname}.chk" ] \
+			&& rm -f "${libfname}.chk"
+	done
+}
+
+multilib_src_install() {
+	pushd dist >/dev/null || die
+
+	dodir /usr/$(get_libdir)
+	cp -L */lib/*$(get_libname) "${ED}"/usr/$(get_libdir) || die "copying shared libs failed"
+	local i
+	for i in crmf freebl nssb nssckfw ; do
+		cp -L */lib/lib${i}.a "${ED}"/usr/$(get_libdir) || die "copying libs failed"
+	done
+
+	# Install nss-config and pkgconfig file
+	dodir /usr/bin
+	cp -L */bin/nss-config "${ED}"/usr/bin || die
+	dodir /usr/$(get_libdir)/pkgconfig
+	cp -L */lib/pkgconfig/nss.pc "${ED}"/usr/$(get_libdir)/pkgconfig || die
+
+	# create an nss-softokn.pc from nss.pc for libfreebl and some private headers
+	# bug 517266
+	sed 	-e 's#Libs:#Libs: -lfreebl#' \
+		-e 's#Cflags:#Cflags: -I${includedir}/private#' \
+		*/lib/pkgconfig/nss.pc >"${ED}"/usr/$(get_libdir)/pkgconfig/nss-softokn.pc \
+		|| die "could not create nss-softokn.pc"
+
+	# all the include files
+	insinto /usr/include/nss
+	doins public/nss/*.{h,api}
+	insinto /usr/include/nss/private
+	doins private/nss/{blapi,alghmac}.h
+
+	popd >/dev/null || die
+
+	local f nssutils
+	# Always enabled because we need it for chk generation.
+	nssutils="shlibsign"
+
+	if multilib_is_native_abi ; then
+		if use utils; then
+			# The tests we do not need to install.
+			#nssutils_test="bltest crmftest dbtest dertimetest
+			#fipstest remtest sdrtest"
+			# checkcert utils has been removed in nss-3.22:
+			# https://bugzilla.mozilla.org/show_bug.cgi?id=1187545
+			# https://hg.mozilla.org/projects/nss/rev/df1729d37870
+			nssutils="addbuiltin atob baddbdir btoa certcgi certutil
+			cmsutil conflict crlutil derdump digest makepqg mangle modutil multinit
+			nonspr10 ocspclnt oidcalc p7content p7env p7sign p7verify pk11mode
+			pk12util pp rsaperf selfserv shlibsign signtool signver ssltap strsclnt
+			symkeyutil tstclnt vfychain vfyserv"
+			# install man-pages for utils (bug #516810)
+			doman doc/nroff/*.1
+		fi
+		pushd dist/*/bin >/dev/null || die
+		for f in ${nssutils}; do
+			dobin ${f}
+		done
+		popd >/dev/null || die
+	fi
+
+	# Prelink breaks the CHK files. We don't have any reliable way to run
+	# shlibsign after prelink.
+	dodir /etc/prelink.conf.d
+	printf -- "-b ${EPREFIX}/usr/$(get_libdir)/lib%s.so\n" ${NSS_CHK_SIGN_LIBS} \
+		> "${ED}"/etc/prelink.conf.d/nss.conf
+}
+
+pkg_postinst() {
+	multilib_pkg_postinst() {
+		# We must re-sign the libraries AFTER they are stripped.
+		local shlibsign="${EROOT}/usr/bin/shlibsign"
+		# See if we can execute it (cross-compiling & such). #436216
+		"${shlibsign}" -h >&/dev/null
+		if [[ $? -gt 1 ]] ; then
+			shlibsign="shlibsign"
+		fi
+		generate_chk "${shlibsign}" "${EROOT}"/usr/$(get_libdir)
+	}
+
+	multilib_foreach_abi multilib_pkg_postinst
+}
+
+pkg_postrm() {
+	multilib_pkg_postrm() {
+		cleanup_chk "${EROOT}"/usr/$(get_libdir)
+	}
+
+	multilib_foreach_abi multilib_pkg_postrm
+}


^ permalink raw reply related	[flat|nested] 19+ messages in thread
* [gentoo-commits] repo/gentoo:master commit in: dev-libs/nss/, dev-libs/nss/files/
@ 2017-01-19 15:41 Ian Stakenvicius
  0 siblings, 0 replies; 19+ messages in thread
From: Ian Stakenvicius @ 2017-01-19 15:41 UTC (permalink / raw
  To: gentoo-commits

commit:     05c31f8cca591b3ce8219e4def7c26c7b1b130d6
Author:     Ian Stakenvicius <axs <AT> gentoo <DOT> org>
AuthorDate: Thu Jan 19 15:40:12 2017 +0000
Commit:     Ian Stakenvicius <axs <AT> gentoo <DOT> org>
CommitDate: Thu Jan 19 15:40:50 2017 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=05c31f8c

dev-libs/nss: clean old, security bug 604916

Package-Manager: portage-2.3.0

 dev-libs/nss/Manifest                             |   7 -
 dev-libs/nss/files/nss-3.21-cacert-class3.patch   | 203 -------------
 dev-libs/nss/files/nss-3.21-gentoo-fixups.patch   | 238 ---------------
 dev-libs/nss/files/nss-3.21-hppa-byte_order.patch |  16 -
 dev-libs/nss/files/nss-3.21-pem-werror.patch      | 141 ---------
 dev-libs/nss/nss-3.22.2.ebuild                    | 331 ---------------------
 dev-libs/nss/nss-3.23.ebuild                      | 340 ----------------------
 dev-libs/nss/nss-3.25-r1.ebuild                   | 339 ---------------------
 dev-libs/nss/nss-3.26.1.ebuild                    | 338 ---------------------
 dev-libs/nss/nss-3.27.2.ebuild                    | 339 ---------------------
 10 files changed, 2292 deletions(-)

diff --git a/dev-libs/nss/Manifest b/dev-libs/nss/Manifest
index 51c832c..e485949 100644
--- a/dev-libs/nss/Manifest
+++ b/dev-libs/nss/Manifest
@@ -1,10 +1,3 @@
-DIST nss-3.14.1-add_spi+cacerts_ca_certs.patch 25018 SHA256 82ca25982828fd7153ad15fc6e81408c115476eeeb4045d3a71469380b56824b SHA512 2aafbd972b073061bfd66a66a4b50060691957f2910f716f7a69d22d655c499f186f05db2101bea5248a00949f339327ba8bfffec024c61c8ee908766201ae00 WHIRLPOOL c9fe397e316dac7983b187acf7227078ebd8f8da5df53f77f2564489e85f123c4d2afb88d56e8dc14b9ebfffe8a71ade4724b3c1ea683c5c4c487cb3a64eda43
-DIST nss-3.22.2.tar.gz 6982164 SHA256 07d49287c527ac31200f02dcf8494cef19e936d8ed470802749c4dfc782d3650 SHA512 0c73ba579cb697fe295bca2ee62315bc1830b542f607c1ecfbf591fa881d2ccfb5a6d830b47cd1434bdfbac07e03848b4fe9e6bda9c6d131a2c34973dc3b337c WHIRLPOOL 37137526ffc6f583ba54615c5fadb1076a5c0830b8aef6db394fb1da02345d5b1cf394b6a3cac7b8ce5727bf23ed1053f3f0f2865f0eab7c922c8459d5768142
-DIST nss-3.23.tar.gz 7467001 SHA256 94b383e31c9671e9dfcca81084a8a813817e8f05a57f54533509b318d26e11cf SHA512 f3e388a415493685faa6df932e9e968af41ea2e8e4cba3fbd539c60177443e4042e8d2e2bfe74183552e14522d49048be2f80fbe038bdbd499971e82abf2cc32 WHIRLPOOL 77e22bd7a525c5b10723e1d5fb6db1e9d2efebfcdf9828aa79296f71c441c065201ecda56291f37790333d9b1d1e38fef1391a033382a885b83da31a646d6243
-DIST nss-3.25.tar.gz 7338238 SHA256 5d1ad475da19d0c033a716350dc5f8a747999d3eba5ac07ee0368c5bad6e2359 SHA512 a33cff42d0d85eea091057648d598b7421de88f16ed357965ea08a8812de968c3f18d45452afd21afc90122f65c2c5bb2d7071357947b45e935aae55d28c4218 WHIRLPOOL 3857bffe7a58043612bbeaf0e596b3afdd4f0792441af667fb503dd2d354a535bb8523c258242b470d888ef2beff267b4480e6398a3328f0c44193b83f4a5934
-DIST nss-3.26.1.tar.gz 7387756 SHA256 abebb079288e4b0d34648a1fcdba8564ac05b29f5f1d19b53021ccb3ac37ad25 SHA512 f2a6754e4766cdf169b0abfc0ff47c469ae0e6ddc08c020ef154da7806e8ce31b49076af11b659bf19e9c4b5c6e53a0ac9e7855ee1c33b98a45cfeec446b93bd WHIRLPOOL 9152e3c7430b3362647adb494d1983cc37659b1d8691f1f1e21470aab4f496f3aecd925b8e19d83fa3735e72eeb6d6579bcc304c30e48359d05cb6e052610b0f
-DIST nss-3.27.2.tar.gz 7397599 SHA256 dc8ac8524469d0230274fd13a53fdcd74efe4aa67205dde1a4a92be87dc28524 SHA512 699847665e93fd649cb60ce6bc8f849f452779e7232a09bbeb0613f9e6c57bb81948f1ae59cc86648e41a212cda259109850ccd14546d35910deb75f5d2a13b8 WHIRLPOOL 08229d87de1c7020c1d7fc12fb8a2afc4bc9ab9f0208aad12698aba17386fbe9163cb506101c7d4d568409fd99141fb88c0e71fc32cecbc6640a4a8f7a4efabf
 DIST nss-3.28.1.tar.gz 7451477 SHA256 58cc0c05c0ed9523e6d820bea74f513538f48c87aac931876e3d3775de1a82ad SHA512 f10c8e404741fafe5e5772dc754ff4503ec1826942db5fbc13b99155fcac50f29e1405dd249b69a27f27ebcfef73849b1f0f636a2076ab761384e8a0ed9a2b8b WHIRLPOOL e1a6b9886759159294c4d8e47e693a2e790703e368ede18425c9a9130df72ac56a6e717cb794607c7bcfc68c82df9aec8771bc74e729f5bbd70fdcd8ce0fed3b
 DIST nss-cacert-class1-class3.patch 22950 SHA256 6bba29cee34276e2ca6436dabedfeba2b61fb46668c5d5ceabf0c871574649bf SHA512 a5aa740bf110a3f0262e3f1ef2fc739ac2b44f042e220039d48aee8e97cd764d5c10718220364f4098aba955882bd02cadb5481512388971a8290312f88a7df0 WHIRLPOOL 1246223b01292604e5609bb9c580f092dc5937bf8c98f6891b099e8bab960e03612b6617e30a55d6ff8817d88f190e03812fe8f89f84f25c20970493dc2f7700
-DIST nss-pem-20140125.tar.bz2 28805 SHA256 62604dfc4178399a804e87ca7566d8316a0a40a535de3b2d0fa48fd80c97f768 SHA512 352faf812735e1374c534ada6dd577842603ea193dafaacfd51f201599ffe3f7a23ce1c673421e42f8b692091b58085f90843c29f70ae916949715e7baba2b39 WHIRLPOOL 3ae81410f6f4d2699e9dc55982cad03c226045fbeee25984d53d37ff78ce5c96d008d6837e1c0a10b6c96cdff17c21142e437159896d314e81afc8820867ca62
 DIST nss-pem-20160329.tar.xz 27732 SHA256 6c13c342e7a9fe34b585556099beca33c3078b3df3e11b72827fb70232ac1443 SHA512 5834b06e4c64205447573d4f4c8989e20986ae67ee00eebce3817eb73794a6355a404143ba1c676ec302ceefaf9df103cb879b1d4ff14ba4e3790dbee3e40eb2 WHIRLPOOL 16fb714fab29e44f7a15fa1928a0f4c1a770f0847b8da97816e29a3b124dee782cffe2357648c445f4d29081f349571b6fffe48c5bc725c7c2dde491f3e0e836

diff --git a/dev-libs/nss/files/nss-3.21-cacert-class3.patch b/dev-libs/nss/files/nss-3.21-cacert-class3.patch
deleted file mode 100644
index fb4cf74..00000000
--- a/dev-libs/nss/files/nss-3.21-cacert-class3.patch
+++ /dev/null
@@ -1,203 +0,0 @@
---- nss/lib/ckfw/builtins/certdata.txt
-+++ nss/lib/ckfw/builtins/certdata.txt
-@@ -30351,3 +30351,200 @@
- CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
- CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
- CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
-+
-+#
-+# Certificate "CAcert Inc."
-+#
-+# Issuer: E=support@cacert.org,CN=CA Cert Signing Authority,OU=http://www.cacert.org,O=Root CA
-+# Serial Number: 672138 (0xa418a)
-+# Subject: CN=CAcert Class 3 Root,OU=http://www.CAcert.org,O=CAcert Inc.
-+# Not Valid Before: Mon May 23 17:48:02 2011
-+# Not Valid After : Thu May 20 17:48:02 2021
-+# Fingerprint (SHA-256): 4E:DD:E9:E5:5C:A4:53:B3:88:88:7C:AA:25:D5:C5:C5:BC:CF:28:91:D7:3B:87:49:58:08:29:3D:5F:AC:83:C8
-+# Fingerprint (SHA1): AD:7C:3F:64:FC:44:39:FE:F4:E9:0B:E8:F4:7C:6C:FA:8A:AD:FD:CE
-+CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
-+CKA_TOKEN CK_BBOOL CK_TRUE
-+CKA_PRIVATE CK_BBOOL CK_FALSE
-+CKA_MODIFIABLE CK_BBOOL CK_FALSE
-+CKA_LABEL UTF8 "CAcert Inc."
-+CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
-+CKA_SUBJECT MULTILINE_OCTAL
-+\060\124\061\024\060\022\006\003\125\004\012\023\013\103\101\143
-+\145\162\164\040\111\156\143\056\061\036\060\034\006\003\125\004
-+\013\023\025\150\164\164\160\072\057\057\167\167\167\056\103\101
-+\143\145\162\164\056\157\162\147\061\034\060\032\006\003\125\004
-+\003\023\023\103\101\143\145\162\164\040\103\154\141\163\163\040
-+\063\040\122\157\157\164
-+END
-+CKA_ID UTF8 "0"
-+CKA_ISSUER MULTILINE_OCTAL
-+\060\171\061\020\060\016\006\003\125\004\012\023\007\122\157\157
-+\164\040\103\101\061\036\060\034\006\003\125\004\013\023\025\150
-+\164\164\160\072\057\057\167\167\167\056\143\141\143\145\162\164
-+\056\157\162\147\061\042\060\040\006\003\125\004\003\023\031\103
-+\101\040\103\145\162\164\040\123\151\147\156\151\156\147\040\101
-+\165\164\150\157\162\151\164\171\061\041\060\037\006\011\052\206
-+\110\206\367\015\001\011\001\026\022\163\165\160\160\157\162\164
-+\100\143\141\143\145\162\164\056\157\162\147
-+END
-+CKA_SERIAL_NUMBER MULTILINE_OCTAL
-+\002\003\012\101\212
-+END
-+CKA_VALUE MULTILINE_OCTAL
-+\060\202\007\131\060\202\005\101\240\003\002\001\002\002\003\012
-+\101\212\060\015\006\011\052\206\110\206\367\015\001\001\013\005
-+\000\060\171\061\020\060\016\006\003\125\004\012\023\007\122\157
-+\157\164\040\103\101\061\036\060\034\006\003\125\004\013\023\025
-+\150\164\164\160\072\057\057\167\167\167\056\143\141\143\145\162
-+\164\056\157\162\147\061\042\060\040\006\003\125\004\003\023\031
-+\103\101\040\103\145\162\164\040\123\151\147\156\151\156\147\040
-+\101\165\164\150\157\162\151\164\171\061\041\060\037\006\011\052
-+\206\110\206\367\015\001\011\001\026\022\163\165\160\160\157\162
-+\164\100\143\141\143\145\162\164\056\157\162\147\060\036\027\015
-+\061\061\060\065\062\063\061\067\064\070\060\062\132\027\015\062
-+\061\060\065\062\060\061\067\064\070\060\062\132\060\124\061\024
-+\060\022\006\003\125\004\012\023\013\103\101\143\145\162\164\040
-+\111\156\143\056\061\036\060\034\006\003\125\004\013\023\025\150
-+\164\164\160\072\057\057\167\167\167\056\103\101\143\145\162\164
-+\056\157\162\147\061\034\060\032\006\003\125\004\003\023\023\103
-+\101\143\145\162\164\040\103\154\141\163\163\040\063\040\122\157
-+\157\164\060\202\002\042\060\015\006\011\052\206\110\206\367\015
-+\001\001\001\005\000\003\202\002\017\000\060\202\002\012\002\202
-+\002\001\000\253\111\065\021\110\174\322\046\176\123\224\317\103
-+\251\335\050\327\102\052\213\363\207\170\031\130\174\017\236\332
-+\211\175\341\373\353\162\220\015\164\241\226\144\253\237\240\044
-+\231\163\332\342\125\166\307\027\173\365\004\254\106\270\303\276
-+\177\144\215\020\154\044\363\141\234\300\362\220\372\121\346\365
-+\151\001\143\303\017\126\342\112\102\317\342\104\214\045\050\250
-+\305\171\011\175\106\271\212\363\351\363\064\051\010\105\344\034
-+\237\313\224\004\034\201\250\024\263\230\145\304\103\354\116\202
-+\215\011\321\275\252\133\215\222\320\354\336\220\305\177\012\302
-+\343\353\346\061\132\136\164\076\227\063\131\350\303\003\075\140
-+\063\277\367\321\157\107\304\315\356\142\203\122\156\056\010\232
-+\244\331\025\030\221\246\205\222\107\260\256\110\353\155\267\041
-+\354\205\032\150\162\065\253\377\360\020\135\300\364\224\247\152
-+\325\073\222\176\114\220\005\176\223\301\054\213\244\216\142\164
-+\025\161\156\013\161\003\352\257\025\070\232\324\322\005\162\157
-+\214\371\053\353\132\162\045\371\071\106\343\162\033\076\004\303
-+\144\047\042\020\052\212\117\130\247\003\255\276\264\056\023\355
-+\135\252\110\327\325\175\324\052\173\134\372\106\004\120\344\314
-+\016\102\133\214\355\333\362\317\374\226\223\340\333\021\066\124
-+\142\064\070\217\014\140\233\073\227\126\070\255\363\322\133\213
-+\240\133\352\116\226\270\174\327\325\240\206\160\100\323\221\051
-+\267\242\074\255\365\214\273\317\032\222\212\344\064\173\300\330
-+\154\137\351\012\302\303\247\040\232\132\337\054\135\122\134\272
-+\107\325\233\357\044\050\160\070\040\057\325\177\051\300\262\101
-+\003\150\222\314\340\234\314\227\113\105\357\072\020\012\253\160
-+\072\230\225\160\255\065\261\352\205\053\244\034\200\041\061\251
-+\256\140\172\200\046\110\000\270\001\300\223\143\125\042\221\074
-+\126\347\257\333\072\045\363\217\061\124\352\046\213\201\131\371
-+\241\321\123\021\305\173\235\003\366\164\021\340\155\261\054\077
-+\054\206\221\231\161\232\246\167\213\064\140\321\024\264\054\254
-+\235\257\214\020\323\237\304\152\370\157\023\374\163\131\367\146
-+\102\164\036\212\343\370\334\322\157\230\234\313\107\230\225\100
-+\005\373\351\002\003\001\000\001\243\202\002\015\060\202\002\011
-+\060\035\006\003\125\035\016\004\026\004\024\165\250\161\140\114
-+\210\023\360\170\331\211\167\265\155\305\211\337\274\261\172\060
-+\201\243\006\003\125\035\043\004\201\233\060\201\230\200\024\026
-+\265\062\033\324\307\363\340\346\216\363\275\322\260\072\356\262
-+\071\030\321\241\175\244\173\060\171\061\020\060\016\006\003\125
-+\004\012\023\007\122\157\157\164\040\103\101\061\036\060\034\006
-+\003\125\004\013\023\025\150\164\164\160\072\057\057\167\167\167
-+\056\143\141\143\145\162\164\056\157\162\147\061\042\060\040\006
-+\003\125\004\003\023\031\103\101\040\103\145\162\164\040\123\151
-+\147\156\151\156\147\040\101\165\164\150\157\162\151\164\171\061
-+\041\060\037\006\011\052\206\110\206\367\015\001\011\001\026\022
-+\163\165\160\160\157\162\164\100\143\141\143\145\162\164\056\157
-+\162\147\202\001\000\060\017\006\003\125\035\023\001\001\377\004
-+\005\060\003\001\001\377\060\135\006\010\053\006\001\005\005\007
-+\001\001\004\121\060\117\060\043\006\010\053\006\001\005\005\007
-+\060\001\206\027\150\164\164\160\072\057\057\157\143\163\160\056
-+\103\101\143\145\162\164\056\157\162\147\057\060\050\006\010\053
-+\006\001\005\005\007\060\002\206\034\150\164\164\160\072\057\057
-+\167\167\167\056\103\101\143\145\162\164\056\157\162\147\057\143
-+\141\056\143\162\164\060\112\006\003\125\035\040\004\103\060\101
-+\060\077\006\010\053\006\001\004\001\201\220\112\060\063\060\061
-+\006\010\053\006\001\005\005\007\002\001\026\045\150\164\164\160
-+\072\057\057\167\167\167\056\103\101\143\145\162\164\056\157\162
-+\147\057\151\156\144\145\170\056\160\150\160\077\151\144\075\061
-+\060\060\064\006\011\140\206\110\001\206\370\102\001\010\004\047
-+\026\045\150\164\164\160\072\057\057\167\167\167\056\103\101\143
-+\145\162\164\056\157\162\147\057\151\156\144\145\170\056\160\150
-+\160\077\151\144\075\061\060\060\120\006\011\140\206\110\001\206
-+\370\102\001\015\004\103\026\101\124\157\040\147\145\164\040\171
-+\157\165\162\040\157\167\156\040\143\145\162\164\151\146\151\143
-+\141\164\145\040\146\157\162\040\106\122\105\105\054\040\147\157
-+\040\164\157\040\150\164\164\160\072\057\057\167\167\167\056\103
-+\101\143\145\162\164\056\157\162\147\060\015\006\011\052\206\110
-+\206\367\015\001\001\013\005\000\003\202\002\001\000\051\050\205
-+\256\104\251\271\257\244\171\023\360\250\243\053\227\140\363\134
-+\356\343\057\301\366\342\146\240\021\256\066\067\072\166\025\004
-+\123\352\102\365\371\352\300\025\330\246\202\331\344\141\256\162
-+\013\051\134\220\103\350\101\262\341\167\333\002\023\104\170\107
-+\125\257\130\374\314\230\366\105\271\321\040\370\330\041\007\376
-+\155\252\163\324\263\306\007\351\011\205\314\073\362\266\276\054
-+\034\045\325\161\214\071\265\056\352\276\030\201\272\260\223\270
-+\017\343\346\327\046\214\061\132\162\003\204\122\346\246\365\063
-+\042\105\012\310\013\015\212\270\066\157\220\011\241\253\275\327
-+\325\116\056\161\242\324\256\372\247\124\053\353\065\215\132\267
-+\124\210\057\356\164\237\355\110\026\312\015\110\320\224\323\254
-+\244\242\366\044\337\222\343\275\353\103\100\221\156\034\030\216
-+\126\264\202\022\363\251\223\237\324\274\234\255\234\165\356\132
-+\227\033\225\347\164\055\034\017\260\054\227\237\373\251\063\071
-+\172\347\003\072\222\216\042\366\214\015\344\331\176\015\166\030
-+\367\001\371\357\226\226\242\125\163\300\074\161\264\035\032\126
-+\103\267\303\012\215\162\374\342\020\011\013\101\316\214\224\240
-+\371\003\375\161\163\113\212\127\063\345\216\164\176\025\001\000
-+\346\314\112\034\347\177\225\031\055\305\245\014\213\273\265\355
-+\205\263\134\323\337\270\271\362\312\307\015\001\024\254\160\130
-+\305\214\215\063\324\235\146\243\032\120\225\043\374\110\340\006
-+\103\022\331\315\247\206\071\057\066\162\243\200\020\344\341\363
-+\321\313\133\032\300\344\200\232\174\023\163\006\117\333\243\153
-+\044\012\272\263\034\274\112\170\273\345\343\165\070\245\110\247
-+\242\036\257\166\324\136\367\070\206\126\132\211\316\326\303\247
-+\171\262\122\240\306\361\205\264\045\214\362\077\226\263\020\331
-+\215\154\127\073\237\157\206\072\030\202\042\066\310\260\221\070
-+\333\052\241\223\252\204\077\365\047\145\256\163\325\310\325\323
-+\167\352\113\235\307\101\273\307\300\343\240\077\344\175\244\215
-+\163\346\022\113\337\241\163\163\163\072\200\350\325\313\216\057
-+\313\352\023\247\326\101\213\254\372\074\211\327\044\365\116\264
-+\340\141\222\267\363\067\230\304\276\226\243\267\212
-+END
-+
-+# Trust for "CAcert Inc."
-+# Issuer: E=support@cacert.org,CN=CA Cert Signing Authority,OU=http://www.cacert.org,O=Root CA
-+# Serial Number: 672138 (0xa418a)
-+# Subject: CN=CAcert Class 3 Root,OU=http://www.CAcert.org,O=CAcert Inc.
-+# Not Valid Before: Mon May 23 17:48:02 2011
-+# Not Valid After : Thu May 20 17:48:02 2021
-+# Fingerprint (SHA-256): 4E:DD:E9:E5:5C:A4:53:B3:88:88:7C:AA:25:D5:C5:C5:BC:CF:28:91:D7:3B:87:49:58:08:29:3D:5F:AC:83:C8
-+# Fingerprint (SHA1): AD:7C:3F:64:FC:44:39:FE:F4:E9:0B:E8:F4:7C:6C:FA:8A:AD:FD:CE
-+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
-+CKA_TOKEN CK_BBOOL CK_TRUE
-+CKA_PRIVATE CK_BBOOL CK_FALSE
-+CKA_MODIFIABLE CK_BBOOL CK_FALSE
-+CKA_LABEL UTF8 "CAcert Inc."
-+CKA_CERT_SHA1_HASH MULTILINE_OCTAL
-+\255\174\077\144\374\104\071\376\364\351\013\350\364\174\154\372
-+\212\255\375\316
-+END
-+CKA_CERT_MD5_HASH MULTILINE_OCTAL
-+\367\045\022\202\116\147\265\320\215\222\267\174\013\206\172\102
-+END
-+CKA_ISSUER MULTILINE_OCTAL
-+\060\171\061\020\060\016\006\003\125\004\012\023\007\122\157\157
-+\164\040\103\101\061\036\060\034\006\003\125\004\013\023\025\150
-+\164\164\160\072\057\057\167\167\167\056\143\141\143\145\162\164
-+\056\157\162\147\061\042\060\040\006\003\125\004\003\023\031\103
-+\101\040\103\145\162\164\040\123\151\147\156\151\156\147\040\101
-+\165\164\150\157\162\151\164\171\061\041\060\037\006\011\052\206
-+\110\206\367\015\001\011\001\026\022\163\165\160\160\157\162\164
-+\100\143\141\143\145\162\164\056\157\162\147
-+END
-+CKA_SERIAL_NUMBER MULTILINE_OCTAL
-+\002\003\012\101\212
-+END
-+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-+CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE

diff --git a/dev-libs/nss/files/nss-3.21-gentoo-fixups.patch b/dev-libs/nss/files/nss-3.21-gentoo-fixups.patch
deleted file mode 100644
index 29cda28..00000000
--- a/dev-libs/nss/files/nss-3.21-gentoo-fixups.patch
+++ /dev/null
@@ -1,238 +0,0 @@
---- nss/config/Makefile
-+++ nss/config/Makefile
-@@ -0,0 +1,40 @@
-+CORE_DEPTH = ..
-+DEPTH      = ..
-+
-+include $(CORE_DEPTH)/coreconf/config.mk
-+
-+NSS_MAJOR_VERSION = `grep "NSS_VMAJOR" ../lib/nss/nss.h | awk '{print $$3}'`
-+NSS_MINOR_VERSION = `grep "NSS_VMINOR" ../lib/nss/nss.h | awk '{print $$3}'`
-+NSS_PATCH_VERSION = `grep "NSS_VPATCH" ../lib/nss/nss.h | awk '{print $$3}'`
-+PREFIX = /usr
-+
-+all: export libs
-+
-+export:
-+	# Create the nss.pc file
-+	mkdir -p $(DIST)/lib/pkgconfig
-+	sed -e "s,@prefix@,$(PREFIX)," \
-+	    -e "s,@exec_prefix@,\$${prefix}," \
-+	    -e "s,@libdir@,\$${prefix}/lib64," \
-+	    -e "s,@includedir@,\$${prefix}/include/nss," \
-+	    -e "s,@NSS_MAJOR_VERSION@,$(NSS_MAJOR_VERSION),g" \
-+	    -e "s,@NSS_MINOR_VERSION@,$(NSS_MINOR_VERSION)," \
-+	    -e "s,@NSS_PATCH_VERSION@,$(NSS_PATCH_VERSION)," \
-+	    nss.pc.in > nss.pc
-+	chmod 0644 nss.pc
-+	ln -sf ../../../../config/nss.pc $(DIST)/lib/pkgconfig
-+
-+	# Create the nss-config script
-+	mkdir -p $(DIST)/bin
-+	sed -e "s,@prefix@,$(PREFIX)," \
-+	    -e "s,@NSS_MAJOR_VERSION@,$(NSS_MAJOR_VERSION)," \
-+	    -e "s,@NSS_MINOR_VERSION@,$(NSS_MINOR_VERSION)," \
-+	    -e "s,@NSS_PATCH_VERSION@,$(NSS_PATCH_VERSION)," \
-+	    nss-config.in > nss-config
-+	chmod 0755 nss-config
-+	ln -sf ../../../config/nss-config $(DIST)/bin
-+
-+libs:
-+
-+dummy: all export libs
-+
---- nss/config/nss-config.in
-+++ nss/config/nss-config.in
-@@ -0,0 +1,145 @@
-+#!/bin/sh
-+
-+prefix=@prefix@
-+
-+major_version=@NSS_MAJOR_VERSION@
-+minor_version=@NSS_MINOR_VERSION@
-+patch_version=@NSS_PATCH_VERSION@
-+
-+usage()
-+{
-+	cat <<EOF
-+Usage: nss-config [OPTIONS] [LIBRARIES]
-+Options:
-+	[--prefix[=DIR]]
-+	[--exec-prefix[=DIR]]
-+	[--includedir[=DIR]]
-+	[--libdir[=DIR]]
-+	[--version]
-+	[--libs]
-+	[--cflags]
-+Dynamic Libraries:
-+	nss
-+	ssl
-+	smime
-+	nssutil
-+EOF
-+	exit $1
-+}
-+
-+if test $# -eq 0; then
-+	usage 1 1>&2
-+fi
-+
-+lib_ssl=yes
-+lib_smime=yes
-+lib_nss=yes
-+lib_nssutil=yes
-+
-+while test $# -gt 0; do
-+  case "$1" in
-+  -*=*) optarg=`echo "$1" | sed 's/[-_a-zA-Z0-9]*=//'` ;;
-+  *) optarg= ;;
-+  esac
-+
-+  case $1 in
-+    --prefix=*)
-+      prefix=$optarg
-+      ;;
-+    --prefix)
-+      echo_prefix=yes
-+      ;;
-+    --exec-prefix=*)
-+      exec_prefix=$optarg
-+      ;;
-+    --exec-prefix)
-+      echo_exec_prefix=yes
-+      ;;
-+    --includedir=*)
-+      includedir=$optarg
-+      ;;
-+    --includedir)
-+      echo_includedir=yes
-+      ;;
-+    --libdir=*)
-+      libdir=$optarg
-+      ;;
-+    --libdir)
-+      echo_libdir=yes
-+      ;;
-+    --version)
-+      echo ${major_version}.${minor_version}.${patch_version}
-+      ;;
-+    --cflags)
-+      echo_cflags=yes
-+      ;;
-+    --libs)
-+      echo_libs=yes
-+      ;;
-+    ssl)
-+      lib_ssl=yes
-+      ;;
-+    smime)
-+      lib_smime=yes
-+      ;;
-+    nss)
-+      lib_nss=yes
-+      ;;
-+    nssutil)                                                      
-+      lib_nssutil=yes                                             
-+      ;;
-+    *)
-+      usage 1 1>&2
-+      ;;
-+  esac
-+  shift
-+done
-+
-+# Set variables that may be dependent upon other variables
-+if test -z "$exec_prefix"; then
-+    exec_prefix=`pkg-config --variable=exec_prefix nss`
-+fi
-+if test -z "$includedir"; then
-+    includedir=`pkg-config --variable=includedir nss`
-+fi
-+if test -z "$libdir"; then
-+    libdir=`pkg-config --variable=libdir nss`
-+fi
-+
-+if test "$echo_prefix" = "yes"; then
-+    echo $prefix
-+fi
-+
-+if test "$echo_exec_prefix" = "yes"; then
-+    echo $exec_prefix
-+fi
-+
-+if test "$echo_includedir" = "yes"; then
-+    echo $includedir
-+fi
-+
-+if test "$echo_libdir" = "yes"; then
-+    echo $libdir
-+fi
-+
-+if test "$echo_cflags" = "yes"; then
-+    echo -I$includedir
-+fi
-+
-+if test "$echo_libs" = "yes"; then
-+      libdirs=""
-+      if test -n "$lib_ssl"; then
-+	libdirs="$libdirs -lssl${major_version}"
-+      fi
-+      if test -n "$lib_smime"; then
-+	libdirs="$libdirs -lsmime${major_version}"
-+      fi
-+      if test -n "$lib_nss"; then
-+	libdirs="$libdirs -lnss${major_version}"
-+      fi
-+      if test -n "$lib_nssutil"; then
-+       libdirs="$libdirs -lnssutil${major_version}"
-+      fi
-+      echo $libdirs
-+fi      
-+
---- nss/config/nss.pc.in
-+++ nss/config/nss.pc.in
-@@ -0,0 +1,12 @@
-+prefix=@prefix@
-+exec_prefix=@exec_prefix@
-+libdir=@libdir@
-+includedir=@includedir@
-+
-+Name: NSS
-+Description: Network Security Services
-+Version: @NSS_MAJOR_VERSION@.@NSS_MINOR_VERSION@.@NSS_PATCH_VERSION@
-+Requires: nspr >= 4.8
-+Libs: -lssl3 -lsmime3 -lnss3 -lnssutil3
-+Cflags: -I${includedir}
-+
---- nss/Makefile
-+++ nss/Makefile
-@@ -46,7 +46,7 @@
- # (7) Execute "local" rules. (OPTIONAL).                              #
- #######################################################################
- 
--nss_build_all: build_nspr all
-+nss_build_all: all
- 
- nss_clean_all: clobber_nspr clobber
- 
-@@ -115,12 +115,6 @@
- 	--with-dist-prefix='$(NSPR_PREFIX)' \
- 	--with-dist-includedir='$(NSPR_PREFIX)/include'
- 
--build_nspr: $(NSPR_CONFIG_STATUS)
--	$(MAKE) -C $(CORE_DEPTH)/../nspr/$(OBJDIR_NAME)
--
--clobber_nspr: $(NSPR_CONFIG_STATUS)
--	$(MAKE) -C $(CORE_DEPTH)/../nspr/$(OBJDIR_NAME) clobber
--
- build_docs:
- 	$(MAKE) -C $(CORE_DEPTH)/doc
- 
---- nss/manifest.mn
-+++ nss/manifest.mn
-@@ -10,4 +10,4 @@
- 
- RELEASE = nss
- 
--DIRS = coreconf lib cmd external_tests
-+DIRS = coreconf lib cmd config

diff --git a/dev-libs/nss/files/nss-3.21-hppa-byte_order.patch b/dev-libs/nss/files/nss-3.21-hppa-byte_order.patch
deleted file mode 100644
index 703df99..00000000
--- a/dev-libs/nss/files/nss-3.21-hppa-byte_order.patch
+++ /dev/null
@@ -1,16 +0,0 @@
---- a/nss/lib/dbm/include/mcom_db.h
-+++ b/nss/lib/dbm/include/mcom_db.h
-@@ -110,11 +110,13 @@
- #endif /* !BYTE_ORDER */
- #endif /* __sun */
- 
-+#ifndef BYTE_ORDER
- #if defined(__hpux) || defined(__hppa)
- #define BYTE_ORDER BIG_ENDIAN
- #define BIG_ENDIAN      4321
- #define LITTLE_ENDIAN   1234            /* LSB first: i386, vax, all NT risc */
- #endif
-+#endif /* !BYTE_ORDER */
- 
- #if defined(AIXV3) || defined(AIX)
- /* BYTE_ORDER, LITTLE_ENDIAN, BIG_ENDIAN are all defined here */

diff --git a/dev-libs/nss/files/nss-3.21-pem-werror.patch b/dev-libs/nss/files/nss-3.21-pem-werror.patch
deleted file mode 100644
index 5a984ae3..00000000
--- a/dev-libs/nss/files/nss-3.21-pem-werror.patch
+++ /dev/null
@@ -1,141 +0,0 @@
---- nss/lib/ckfw/pem/ckpem.h
-+++ nss/lib/ckfw/pem/ckpem.h
-@@ -233,6 +233,9 @@ struct pemLOWKEYPrivateKeyStr {
- };
- typedef struct pemLOWKEYPrivateKeyStr pemLOWKEYPrivateKey;
- 
-+/* NOTE: Discrepancy with the the way callers use of the return value as a count
-+ * Fix this when we sync. up with the cleanup work being done at nss-pem project.
-+ */
- SECStatus ReadDERFromFile(SECItem ***derlist, char *filename, PRBool ascii, int *cipher, char **ivstring, PRBool certsonly);
- const NSSItem * pem_FetchAttribute ( pemInternalObject *io, CK_ATTRIBUTE_TYPE type);
- void pem_PopulateModulusExponent(pemInternalObject *io);
---- nss/lib/ckfw/pem/pinst.c
-+++ nss/lib/ckfw/pem/pinst.c
-@@ -472,7 +472,9 @@ AddCertificate(char *certfile, char *key
-     char *ivstring = NULL;
-     int cipher;
- 
--    nobjs = ReadDERFromFile(&objs, certfile, PR_TRUE, &cipher, &ivstring, PR_TRUE /* certs only */);
-+    /* TODO: Fix discrepancy between our usage of the return value as
-+     * as an int (a count) and the declaration as a SECStatus. */
-+    nobjs = (int) ReadDERFromFile(&objs, certfile, PR_TRUE, &cipher, &ivstring, PR_TRUE /* certs only */);
-     if (nobjs <= 0) {
-         nss_ZFreeIf(objs);
-         return CKR_GENERAL_ERROR;
-@@ -515,8 +517,10 @@ AddCertificate(char *certfile, char *key
-         if (keyfile) {          /* add the private key */
-             SECItem **keyobjs = NULL;
-             int kobjs = 0;
-+            /* TODO: Fix discrepancy between our usage of the return value as
-+             * as an int and the declaration as a SECStatus. */
-             kobjs =
--                ReadDERFromFile(&keyobjs, keyfile, PR_TRUE, &cipher,
-+                (int) ReadDERFromFile(&keyobjs, keyfile, PR_TRUE, &cipher,
-                                 &ivstring, PR_FALSE);
-             if (kobjs < 1) {
-                 error = CKR_GENERAL_ERROR;
---- nss/lib/ckfw/pem/pobject.c
-+++ nss/lib/ckfw/pem/pobject.c
-@@ -630,6 +630,11 @@ pem_DestroyInternalObject
-         if (io->u.key.ivstring)
-             free(io->u.key.ivstring);
-         break;
-+    case pemAll:
-+        /* pemAll is not used, keep the compiler happy
-+         * TODO: investigate a proper solution
-+         */
-+        return;
-     }
- 
-     if (NULL != gobj)
-@@ -1044,7 +1049,9 @@ pem_CreateObject
-     int nobjs = 0;
-     int i;
-     int objid;
-+#if 0
-     pemToken *token;
-+#endif
-     int cipher;
-     char *ivstring = NULL;
-     pemInternalObject *listObj = NULL;
-@@ -1073,7 +1080,9 @@ pem_CreateObject
-     }
-     slotID = nssCKFWSlot_GetSlotID(fwSlot);
- 
-+#if 0
-     token = (pemToken *) mdToken->etc;
-+#endif
- 
-     /*
-      * only create keys and certs.
-@@ -1114,7 +1123,11 @@ pem_CreateObject
-     }
- 
-     if (objClass == CKO_CERTIFICATE) {
--        nobjs = ReadDERFromFile(&derlist, filename, PR_TRUE, &cipher, &ivstring, PR_TRUE /* certs only */);
-+        /* TODO: Fix discrepancy between our usage of the return value as
-+         * as an int and the declaration as a SECStatus. Typecasting as a
-+         * temporary workaround.
-+         */
-+        nobjs = (int) ReadDERFromFile(&derlist, filename, PR_TRUE, &cipher, &ivstring, PR_TRUE /* certs only */);
-         if (nobjs < 1)
-             goto loser;
- 
---- nss/lib/ckfw/pem/rsawrapr.c
-+++ nss/lib/ckfw/pem/rsawrapr.c
-@@ -93,6 +93,8 @@ pem_PublicModulusLen(NSSLOWKEYPublicKey
-     return 0;
- }
- 
-+/* unused functions */
-+#if 0
- static SHA1Context *SHA1_CloneContext(SHA1Context * original)
- {
-     SHA1Context *clone = NULL;
-@@ -215,6 +217,7 @@ oaep_xor_with_h2(unsigned char *salt, un
- 
-     return SECSuccess;
- }
-+#endif /* unused functions */
- 
- /*
-  * Format one block of data for public/private key encryption using
---- nss/lib/ckfw/pem/util.c
-+++ nss/lib/ckfw/pem/util.c
-@@ -131,7 +131,8 @@ static SECStatus FileToItem(SECItem * ds
-     return SECFailure;
- }
- 
--int
-+/* FIX: Returns a SECStatus yet callers take result as a count */
-+SECStatus
- ReadDERFromFile(SECItem *** derlist, char *filename, PRBool ascii,
- 		int *cipher, char **ivstring, PRBool certsonly)
- {
-@@ -237,7 +238,12 @@ ReadDERFromFile(SECItem *** derlist, cha
- 		    goto loser;
- 		}
-                 if ((certsonly && !key) || (!certsonly && key)) {
-+		    error = CKR_OK;
- 		    PUT_Object(der, error);
-+		    if (error != CKR_OK) {
-+			free(der);
-+			goto loser;
-+		    }
-                 } else {
-                     free(der->data);
-                     free(der);
-@@ -255,7 +261,12 @@ ReadDERFromFile(SECItem *** derlist, cha
- 	    }
- 
- 	    /* NOTE: This code path has never been tested. */
-+	    error = CKR_OK;
- 	    PUT_Object(der, error);
-+	    if (error != CKR_OK) {
-+		free(der);
-+		goto loser;
-+	    }
- 	}
- 
- 	nss_ZFreeIf(filedata.data);

diff --git a/dev-libs/nss/nss-3.22.2.ebuild b/dev-libs/nss/nss-3.22.2.ebuild
deleted file mode 100644
index 3cc54a5..00000000
--- a/dev-libs/nss/nss-3.22.2.ebuild
+++ /dev/null
@@ -1,331 +0,0 @@
-# Copyright 1999-2016 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-# $Id$
-
-EAPI="5"
-
-inherit eutils flag-o-matic multilib toolchain-funcs multilib-minimal
-
-NSPR_VER="4.12"
-RTM_NAME="NSS_${PV//./_}_RTM"
-# Rev of https://git.fedorahosted.org/cgit/nss-pem.git
-PEM_GIT_REV="015ae754dd9f6fbcd7e52030ec9732eb27fc06a8"
-PEM_P="${PN}-pem-20140125"
-
-DESCRIPTION="Mozilla's Network Security Services library that implements PKI support"
-HOMEPAGE="http://www.mozilla.org/projects/security/pki/nss/"
-SRC_URI="https://archive.mozilla.org/pub/security/nss/releases/${RTM_NAME}/src/${P}.tar.gz
-	cacert? ( https://dev.gentoo.org/~anarchy/patches/${PN}-3.14.1-add_spi+cacerts_ca_certs.patch )
-	nss-pem? ( https://dev.gentoo.org/~anarchy/dist/${PEM_P}.tar.bz2 )"
-
-LICENSE="|| ( MPL-2.0 GPL-2 LGPL-2.1 )"
-SLOT="0"
-KEYWORDS="alpha amd64 arm ~arm64 hppa ia64 ~m68k ~mips ppc ppc64 ~s390 ~sh sparc x86 ~amd64-fbsd ~x86-fbsd ~amd64-linux ~x86-linux ~x86-macos ~sparc-solaris ~x64-solaris ~x86-solaris"
-IUSE="+cacert +nss-pem utils"
-CDEPEND=">=dev-db/sqlite-3.8.2[${MULTILIB_USEDEP}]
-	>=sys-libs/zlib-1.2.8-r1[${MULTILIB_USEDEP}]"
-DEPEND=">=virtual/pkgconfig-0-r1[${MULTILIB_USEDEP}]
-	>=dev-libs/nspr-${NSPR_VER}[${MULTILIB_USEDEP}]
-	${CDEPEND}"
-RDEPEND=">=dev-libs/nspr-${NSPR_VER}[${MULTILIB_USEDEP}]
-	${CDEPEND}
-	abi_x86_32? (
-		!<=app-emulation/emul-linux-x86-baselibs-20140508-r12
-		!app-emulation/emul-linux-x86-baselibs[-abi_x86_32(-)]
-	)"
-
-RESTRICT="test"
-
-S="${WORKDIR}/${P}/${PN}"
-
-MULTILIB_CHOST_TOOLS=(
-	/usr/bin/nss-config
-)
-
-src_unpack() {
-	unpack ${A}
-	if use nss-pem ; then
-		mv "${PN}"/lib/ckfw/pem/ "${S}"/lib/ckfw/ || die
-	fi
-}
-
-src_prepare() {
-	# Custom changes for gentoo
-	epatch "${FILESDIR}/${PN}-3.21-gentoo-fixups.patch"
-	epatch "${FILESDIR}/${PN}-3.21-gentoo-fixup-warnings.patch"
-	epatch "${FILESDIR}/${PN}-3.21-hppa-byte_order.patch"
-
-	if use cacert ; then
-		epatch "${DISTDIR}/${PN}-3.14.1-add_spi+cacerts_ca_certs.patch"
-		epatch "${FILESDIR}/${PN}-3.21-cacert-class3.patch" #521462
-	fi
-	use nss-pem && epatch "${FILESDIR}/${PN}-3.21-enable-pem.patch" \
-		"${FILESDIR}/${PN}-3.21-pem-werror.patch"
-
-	pushd coreconf >/dev/null || die
-	# hack nspr paths
-	echo 'INCLUDES += -I$(DIST)/include/dbm' \
-		>> headers.mk || die "failed to append include"
-
-	# modify install path
-	sed -e '/CORE_DEPTH/s:SOURCE_PREFIX.*$:SOURCE_PREFIX = $(CORE_DEPTH)/dist:' \
-		-i source.mk || die
-
-	# Respect LDFLAGS
-	sed -i -e 's/\$(MKSHLIB) -o/\$(MKSHLIB) \$(LDFLAGS) -o/g' rules.mk
-	popd >/dev/null || die
-
-	# Fix pkgconfig file for Prefix
-	sed -i -e "/^PREFIX =/s:= /usr:= ${EPREFIX}/usr:" \
-		config/Makefile || die
-
-	# use host shlibsign if need be #436216
-	if tc-is-cross-compiler ; then
-		sed -i \
-			-e 's:"${2}"/shlibsign:shlibsign:' \
-			cmd/shlibsign/sign.sh || die
-	fi
-
-	# dirty hack
-	sed -i -e "/CRYPTOLIB/s:\$(SOFTOKEN_LIB_DIR):../freebl/\$(OBJDIR):" \
-		lib/ssl/config.mk || die
-	sed -i -e "/CRYPTOLIB/s:\$(SOFTOKEN_LIB_DIR):../../lib/freebl/\$(OBJDIR):" \
-		cmd/platlibs.mk || die
-
-	multilib_copy_sources
-
-	strip-flags
-}
-
-multilib_src_configure() {
-	# Ensure we stay multilib aware
-	sed -i -e "/@libdir@/ s:lib64:$(get_libdir):" config/Makefile || die
-}
-
-nssarch() {
-	# Most of the arches are the same as $ARCH
-	local t=${1:-${CHOST}}
-	case ${t} in
-		aarch64*)echo "aarch64";;
-		hppa*)   echo "parisc";;
-		i?86*)   echo "i686";;
-		x86_64*) echo "x86_64";;
-		*)       tc-arch ${t};;
-	esac
-}
-
-nssbits() {
-	local cc cppflags="${1}CPPFLAGS" cflags="${1}CFLAGS"
-	if [[ ${1} == BUILD_ ]]; then
-		cc=$(tc-getBUILD_CC)
-	else
-		cc=$(tc-getCC)
-	fi
-	echo > "${T}"/test.c || die
-	${cc} ${!cppflags} ${!cflags} -c "${T}"/test.c -o "${T}/${1}test.o" || die
-	case $(file "${T}/${1}test.o") in
-		*32-bit*x86-64*) echo USE_X32=1;;
-		*64-bit*|*ppc64*|*x86_64*) echo USE_64=1;;
-		*32-bit*|*ppc*|*i386*) ;;
-		*) die "Failed to detect whether ${cc} builds 64bits or 32bits, disable distcc if you're using it, please";;
-	esac
-}
-
-multilib_src_compile() {
-	# use ABI to determine bit'ness, or fallback if unset
-	local buildbits mybits
-	case "${ABI}" in
-		n32) mybits="USE_N32=1";;
-		x32) mybits="USE_X32=1";;
-		s390x|*64) mybits="USE_64=1";;
-		${DEFAULT_ABI})
-			einfo "Running compilation test to determine bit'ness"
-			mybits=$(nssbits)
-			;;
-	esac
-	# bitness of host may differ from target
-	if tc-is-cross-compiler; then
-		buildbits=$(nssbits BUILD_)
-	fi
-
-	local makeargs=(
-		CC="$(tc-getCC)"
-		AR="$(tc-getAR) rc \$@"
-		RANLIB="$(tc-getRANLIB)"
-		OPTIMIZER=
-		${mybits}
-	)
-
-	# Take care of nspr settings #436216
-	local myCPPFLAGS="${CPPFLAGS} $($(tc-getPKG_CONFIG) nspr --cflags)"
-	unset NSPR_INCLUDE_DIR
-
-	# Do not let `uname` be used.
-	if use kernel_linux ; then
-		makeargs+=(
-			OS_TARGET=Linux
-			OS_RELEASE=2.6
-			OS_TEST="$(nssarch)"
-		)
-	fi
-
-	export NSS_ENABLE_WERROR=0 #567158
-	export BUILD_OPT=1
-	export NSS_USE_SYSTEM_SQLITE=1
-	export NSDISTMODE=copy
-	export NSS_ENABLE_ECC=1
-	export FREEBL_NO_DEPEND=1
-	export ASFLAGS=""
-
-	local d
-
-	# Build the host tools first.
-	LDFLAGS="${BUILD_LDFLAGS}" \
-	XCFLAGS="${BUILD_CFLAGS}" \
-	NSPR_LIB_DIR="${T}/fakedir" \
-	emake -j1 -C coreconf \
-		CC="$(tc-getBUILD_CC)" \
-		${buildbits:-${mybits}}
-	makeargs+=( NSINSTALL="${PWD}/$(find -type f -name nsinstall)" )
-
-	# Then build the target tools.
-	for d in . lib/dbm ; do
-		CPPFLAGS="${myCPPFLAGS}" \
-		XCFLAGS="${CFLAGS} ${CPPFLAGS}" \
-		NSPR_LIB_DIR="${T}/fakedir" \
-		emake -j1 "${makeargs[@]}" -C ${d}
-	done
-}
-
-# Altering these 3 libraries breaks the CHK verification.
-# All of the following cause it to break:
-# - stripping
-# - prelink
-# - ELF signing
-# http://www.mozilla.org/projects/security/pki/nss/tech-notes/tn6.html
-# Either we have to NOT strip them, or we have to forcibly resign after
-# stripping.
-#local_libdir="$(get_libdir)"
-#export STRIP_MASK="
-#	*/${local_libdir}/libfreebl3.so*
-#	*/${local_libdir}/libnssdbm3.so*
-#	*/${local_libdir}/libsoftokn3.so*"
-
-export NSS_CHK_SIGN_LIBS="freebl3 nssdbm3 softokn3"
-
-generate_chk() {
-	local shlibsign="$1"
-	local libdir="$2"
-	einfo "Resigning core NSS libraries for FIPS validation"
-	shift 2
-	local i
-	for i in ${NSS_CHK_SIGN_LIBS} ; do
-		local libname=lib${i}.so
-		local chkname=lib${i}.chk
-		"${shlibsign}" \
-			-i "${libdir}"/${libname} \
-			-o "${libdir}"/${chkname}.tmp \
-		&& mv -f \
-			"${libdir}"/${chkname}.tmp \
-			"${libdir}"/${chkname} \
-		|| die "Failed to sign ${libname}"
-	done
-}
-
-cleanup_chk() {
-	local libdir="$1"
-	shift 1
-	local i
-	for i in ${NSS_CHK_SIGN_LIBS} ; do
-		local libfname="${libdir}/lib${i}.so"
-		# If the major version has changed, then we have old chk files.
-		[ ! -f "${libfname}" -a -f "${libfname}.chk" ] \
-			&& rm -f "${libfname}.chk"
-	done
-}
-
-multilib_src_install() {
-	pushd dist >/dev/null || die
-
-	dodir /usr/$(get_libdir)
-	cp -L */lib/*$(get_libname) "${ED}"/usr/$(get_libdir) || die "copying shared libs failed"
-	cp -L */lib/libcrmf.a "${ED}"/usr/$(get_libdir) || die "copying libs failed"
-	cp -L */lib/libfreebl.a "${ED}"/usr/$(get_libdir) || die "copying libs failed"
-
-	# Install nss-config and pkgconfig file
-	dodir /usr/bin
-	cp -L */bin/nss-config "${ED}"/usr/bin || die
-	dodir /usr/$(get_libdir)/pkgconfig
-	cp -L */lib/pkgconfig/nss.pc "${ED}"/usr/$(get_libdir)/pkgconfig || die
-
-	# create an nss-softokn.pc from nss.pc for libfreebl and some private headers
-	# bug 517266
-	sed 	-e 's#Libs:#Libs: -lfreebl#' \
-		-e 's#Cflags:#Cflags: -I${includedir}/private#' \
-		*/lib/pkgconfig/nss.pc >"${ED}"/usr/$(get_libdir)/pkgconfig/nss-softokn.pc \
-		|| die "could not create nss-softokn.pc"
-
-	# all the include files
-	insinto /usr/include/nss
-	doins public/nss/*.h
-	insinto /usr/include/nss/private
-	doins private/nss/{blapi,alghmac}.h
-
-	popd >/dev/null || die
-
-	local f nssutils
-	# Always enabled because we need it for chk generation.
-	nssutils="shlibsign"
-
-	if multilib_is_native_abi ; then
-		if use utils; then
-			# The tests we do not need to install.
-			#nssutils_test="bltest crmftest dbtest dertimetest
-			#fipstest remtest sdrtest"
-			# checkcert utils has been removed in nss-3.22:
-			# https://bugzilla.mozilla.org/show_bug.cgi?id=1187545
-			# https://hg.mozilla.org/projects/nss/rev/df1729d37870
-			nssutils="addbuiltin atob baddbdir btoa certcgi certutil
-			cmsutil conflict crlutil derdump digest makepqg mangle modutil multinit
-			nonspr10 ocspclnt oidcalc p7content p7env p7sign p7verify pk11mode
-			pk12util pp rsaperf selfserv shlibsign signtool signver ssltap strsclnt
-			symkeyutil tstclnt vfychain vfyserv"
-			# install man-pages for utils (bug #516810)
-			doman doc/nroff/*.1
-		fi
-		pushd dist/*/bin >/dev/null || die
-		for f in ${nssutils}; do
-			dobin ${f}
-		done
-		popd >/dev/null || die
-	fi
-
-	# Prelink breaks the CHK files. We don't have any reliable way to run
-	# shlibsign after prelink.
-	dodir /etc/prelink.conf.d
-	printf -- "-b ${EPREFIX}/usr/$(get_libdir)/lib%s.so\n" ${NSS_CHK_SIGN_LIBS} \
-		> "${ED}"/etc/prelink.conf.d/nss.conf
-}
-
-pkg_postinst() {
-	multilib_pkg_postinst() {
-		# We must re-sign the libraries AFTER they are stripped.
-		local shlibsign="${EROOT}/usr/bin/shlibsign"
-		# See if we can execute it (cross-compiling & such). #436216
-		"${shlibsign}" -h >&/dev/null
-		if [[ $? -gt 1 ]] ; then
-			shlibsign="shlibsign"
-		fi
-		generate_chk "${shlibsign}" "${EROOT}"/usr/$(get_libdir)
-	}
-
-	multilib_foreach_abi multilib_pkg_postinst
-}
-
-pkg_postrm() {
-	multilib_pkg_postrm() {
-		cleanup_chk "${EROOT}"/usr/$(get_libdir)
-	}
-
-	multilib_foreach_abi multilib_pkg_postrm
-}

diff --git a/dev-libs/nss/nss-3.23.ebuild b/dev-libs/nss/nss-3.23.ebuild
deleted file mode 100644
index 3087247..00000000
--- a/dev-libs/nss/nss-3.23.ebuild
+++ /dev/null
@@ -1,340 +0,0 @@
-# Copyright 1999-2016 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-# $Id$
-
-EAPI=6
-
-inherit eutils flag-o-matic multilib toolchain-funcs multilib-minimal
-
-NSPR_VER="4.12"
-RTM_NAME="NSS_${PV//./_}_RTM"
-# Rev of https://git.fedorahosted.org/cgit/nss-pem.git
-PEM_GIT_REV="015ae754dd9f6fbcd7e52030ec9732eb27fc06a8"
-PEM_P="${PN}-pem-20140125"
-
-DESCRIPTION="Mozilla's Network Security Services library that implements PKI support"
-HOMEPAGE="http://www.mozilla.org/projects/security/pki/nss/"
-SRC_URI="https://archive.mozilla.org/pub/security/nss/releases/${RTM_NAME}/src/${P}.tar.gz
-	cacert? ( https://dev.gentoo.org/~anarchy/patches/${PN}-3.14.1-add_spi+cacerts_ca_certs.patch )
-	nss-pem? ( https://dev.gentoo.org/~anarchy/dist/${PEM_P}.tar.bz2 )"
-
-LICENSE="|| ( MPL-2.0 GPL-2 LGPL-2.1 )"
-SLOT="0"
-KEYWORDS="alpha amd64 arm ~arm64 hppa ia64 ~m68k ~mips ppc ppc64 ~s390 ~sh sparc x86 ~amd64-fbsd ~x86-fbsd ~amd64-linux ~x86-linux ~x86-macos ~sparc-solaris ~x64-solaris ~x86-solaris"
-IUSE="+cacert +nss-pem utils"
-CDEPEND=">=dev-db/sqlite-3.8.2[${MULTILIB_USEDEP}]
-	>=sys-libs/zlib-1.2.8-r1[${MULTILIB_USEDEP}]"
-DEPEND=">=virtual/pkgconfig-0-r1[${MULTILIB_USEDEP}]
-	>=dev-libs/nspr-${NSPR_VER}[${MULTILIB_USEDEP}]
-	${CDEPEND}"
-RDEPEND=">=dev-libs/nspr-${NSPR_VER}[${MULTILIB_USEDEP}]
-	${CDEPEND}
-	abi_x86_32? (
-		!<=app-emulation/emul-linux-x86-baselibs-20140508-r12
-		!app-emulation/emul-linux-x86-baselibs[-abi_x86_32(-)]
-	)"
-
-RESTRICT="test"
-
-S="${WORKDIR}/${P}/${PN}"
-
-MULTILIB_CHOST_TOOLS=(
-	/usr/bin/nss-config
-)
-
-PATCHES=(
-	# Custom changes for gentoo
-	"${FILESDIR}/${PN}-3.21-gentoo-fixups.patch"
-	"${FILESDIR}/${PN}-3.21-gentoo-fixup-warnings.patch"
-	"${FILESDIR}/${PN}-3.23-hppa-byte_order.patch"
-)
-
-src_unpack() {
-	unpack ${A}
-	if use nss-pem ; then
-		mv "${PN}"/lib/ckfw/pem/ "${S}"/lib/ckfw/ || die
-	fi
-}
-
-src_prepare() {
-	if use nss-pem ; then
-		PATCHES+=(
-			"${FILESDIR}/${PN}-3.21-enable-pem.patch"
-			"${FILESDIR}/${PN}-3.21-pem-werror.patch"
-		)
-	fi
-
-	default
-
-	if use cacert ; then
-			eapply -p4 "${DISTDIR}/${PN}-3.14.1-add_spi+cacerts_ca_certs.patch"
-			eapply "${FILESDIR}/${PN}-3.21-cacert-class3.patch" #521462
-	fi
-
-	pushd coreconf >/dev/null || die
-	# hack nspr paths
-	echo 'INCLUDES += -I$(DIST)/include/dbm' \
-		>> headers.mk || die "failed to append include"
-
-	# modify install path
-	sed -e '/CORE_DEPTH/s:SOURCE_PREFIX.*$:SOURCE_PREFIX = $(CORE_DEPTH)/dist:' \
-		-i source.mk || die
-
-	# Respect LDFLAGS
-	sed -i -e 's/\$(MKSHLIB) -o/\$(MKSHLIB) \$(LDFLAGS) -o/g' rules.mk
-	popd >/dev/null || die
-
-	# Fix pkgconfig file for Prefix
-	sed -i -e "/^PREFIX =/s:= /usr:= ${EPREFIX}/usr:" \
-		config/Makefile || die
-
-	# use host shlibsign if need be #436216
-	if tc-is-cross-compiler ; then
-		sed -i \
-			-e 's:"${2}"/shlibsign:shlibsign:' \
-			cmd/shlibsign/sign.sh || die
-	fi
-
-	# dirty hack
-	sed -i -e "/CRYPTOLIB/s:\$(SOFTOKEN_LIB_DIR):../freebl/\$(OBJDIR):" \
-		lib/ssl/config.mk || die
-	sed -i -e "/CRYPTOLIB/s:\$(SOFTOKEN_LIB_DIR):../../lib/freebl/\$(OBJDIR):" \
-		cmd/platlibs.mk || die
-
-	multilib_copy_sources
-
-	strip-flags
-}
-
-multilib_src_configure() {
-	# Ensure we stay multilib aware
-	sed -i -e "/@libdir@/ s:lib64:$(get_libdir):" config/Makefile || die
-}
-
-nssarch() {
-	# Most of the arches are the same as $ARCH
-	local t=${1:-${CHOST}}
-	case ${t} in
-		aarch64*)echo "aarch64";;
-		hppa*)   echo "parisc";;
-		i?86*)   echo "i686";;
-		x86_64*) echo "x86_64";;
-		*)       tc-arch ${t};;
-	esac
-}
-
-nssbits() {
-	local cc cppflags="${1}CPPFLAGS" cflags="${1}CFLAGS"
-	if [[ ${1} == BUILD_ ]]; then
-		cc=$(tc-getBUILD_CC)
-	else
-		cc=$(tc-getCC)
-	fi
-	echo > "${T}"/test.c || die
-	${cc} ${!cppflags} ${!cflags} -c "${T}"/test.c -o "${T}/${1}test.o" || die
-	case $(file "${T}/${1}test.o") in
-		*32-bit*x86-64*) echo USE_X32=1;;
-		*64-bit*|*ppc64*|*x86_64*) echo USE_64=1;;
-		*32-bit*|*ppc*|*i386*) ;;
-		*) die "Failed to detect whether ${cc} builds 64bits or 32bits, disable distcc if you're using it, please";;
-	esac
-}
-
-multilib_src_compile() {
-	# use ABI to determine bit'ness, or fallback if unset
-	local buildbits mybits
-	case "${ABI}" in
-		n32) mybits="USE_N32=1";;
-		x32) mybits="USE_X32=1";;
-		s390x|*64) mybits="USE_64=1";;
-		${DEFAULT_ABI})
-			einfo "Running compilation test to determine bit'ness"
-			mybits=$(nssbits)
-			;;
-	esac
-	# bitness of host may differ from target
-	if tc-is-cross-compiler; then
-		buildbits=$(nssbits BUILD_)
-	fi
-
-	local makeargs=(
-		CC="$(tc-getCC)"
-		AR="$(tc-getAR) rc \$@"
-		RANLIB="$(tc-getRANLIB)"
-		OPTIMIZER=
-		${mybits}
-	)
-
-	# Take care of nspr settings #436216
-	local myCPPFLAGS="${CPPFLAGS} $($(tc-getPKG_CONFIG) nspr --cflags)"
-	unset NSPR_INCLUDE_DIR
-
-	# Do not let `uname` be used.
-	if use kernel_linux ; then
-		makeargs+=(
-			OS_TARGET=Linux
-			OS_RELEASE=2.6
-			OS_TEST="$(nssarch)"
-		)
-	fi
-
-	export NSS_ENABLE_WERROR=0 #567158
-	export BUILD_OPT=1
-	export NSS_USE_SYSTEM_SQLITE=1
-	export NSDISTMODE=copy
-	export NSS_ENABLE_ECC=1
-	export FREEBL_NO_DEPEND=1
-	export ASFLAGS=""
-
-	local d
-
-	# Build the host tools first.
-	LDFLAGS="${BUILD_LDFLAGS}" \
-	XCFLAGS="${BUILD_CFLAGS}" \
-	NSPR_LIB_DIR="${T}/fakedir" \
-	emake -j1 -C coreconf \
-		CC="$(tc-getBUILD_CC)" \
-		${buildbits:-${mybits}}
-	makeargs+=( NSINSTALL="${PWD}/$(find -type f -name nsinstall)" )
-
-	# Then build the target tools.
-	for d in . lib/dbm ; do
-		CPPFLAGS="${myCPPFLAGS}" \
-		XCFLAGS="${CFLAGS} ${CPPFLAGS}" \
-		NSPR_LIB_DIR="${T}/fakedir" \
-		emake -j1 "${makeargs[@]}" -C ${d}
-	done
-}
-
-# Altering these 3 libraries breaks the CHK verification.
-# All of the following cause it to break:
-# - stripping
-# - prelink
-# - ELF signing
-# http://www.mozilla.org/projects/security/pki/nss/tech-notes/tn6.html
-# Either we have to NOT strip them, or we have to forcibly resign after
-# stripping.
-#local_libdir="$(get_libdir)"
-#export STRIP_MASK="
-#	*/${local_libdir}/libfreebl3.so*
-#	*/${local_libdir}/libnssdbm3.so*
-#	*/${local_libdir}/libsoftokn3.so*"
-
-export NSS_CHK_SIGN_LIBS="freebl3 nssdbm3 softokn3"
-
-generate_chk() {
-	local shlibsign="$1"
-	local libdir="$2"
-	einfo "Resigning core NSS libraries for FIPS validation"
-	shift 2
-	local i
-	for i in ${NSS_CHK_SIGN_LIBS} ; do
-		local libname=lib${i}.so
-		local chkname=lib${i}.chk
-		"${shlibsign}" \
-			-i "${libdir}"/${libname} \
-			-o "${libdir}"/${chkname}.tmp \
-		&& mv -f \
-			"${libdir}"/${chkname}.tmp \
-			"${libdir}"/${chkname} \
-		|| die "Failed to sign ${libname}"
-	done
-}
-
-cleanup_chk() {
-	local libdir="$1"
-	shift 1
-	local i
-	for i in ${NSS_CHK_SIGN_LIBS} ; do
-		local libfname="${libdir}/lib${i}.so"
-		# If the major version has changed, then we have old chk files.
-		[ ! -f "${libfname}" -a -f "${libfname}.chk" ] \
-			&& rm -f "${libfname}.chk"
-	done
-}
-
-multilib_src_install() {
-	pushd dist >/dev/null || die
-
-	dodir /usr/$(get_libdir)
-	cp -L */lib/*$(get_libname) "${ED}"/usr/$(get_libdir) || die "copying shared libs failed"
-	cp -L */lib/libcrmf.a "${ED}"/usr/$(get_libdir) || die "copying libs failed"
-	cp -L */lib/libfreebl.a "${ED}"/usr/$(get_libdir) || die "copying libs failed"
-
-	# Install nss-config and pkgconfig file
-	dodir /usr/bin
-	cp -L */bin/nss-config "${ED}"/usr/bin || die
-	dodir /usr/$(get_libdir)/pkgconfig
-	cp -L */lib/pkgconfig/nss.pc "${ED}"/usr/$(get_libdir)/pkgconfig || die
-
-	# create an nss-softokn.pc from nss.pc for libfreebl and some private headers
-	# bug 517266
-	sed 	-e 's#Libs:#Libs: -lfreebl#' \
-		-e 's#Cflags:#Cflags: -I${includedir}/private#' \
-		*/lib/pkgconfig/nss.pc >"${ED}"/usr/$(get_libdir)/pkgconfig/nss-softokn.pc \
-		|| die "could not create nss-softokn.pc"
-
-	# all the include files
-	insinto /usr/include/nss
-	doins public/nss/*.h
-	insinto /usr/include/nss/private
-	doins private/nss/{blapi,alghmac}.h
-
-	popd >/dev/null || die
-
-	local f nssutils
-	# Always enabled because we need it for chk generation.
-	nssutils="shlibsign"
-
-	if multilib_is_native_abi ; then
-		if use utils; then
-			# The tests we do not need to install.
-			#nssutils_test="bltest crmftest dbtest dertimetest
-			#fipstest remtest sdrtest"
-			# checkcert utils has been removed in nss-3.22:
-			# https://bugzilla.mozilla.org/show_bug.cgi?id=1187545
-			# https://hg.mozilla.org/projects/nss/rev/df1729d37870
-			nssutils="addbuiltin atob baddbdir btoa certcgi certutil
-			cmsutil conflict crlutil derdump digest makepqg mangle modutil multinit
-			nonspr10 ocspclnt oidcalc p7content p7env p7sign p7verify pk11mode
-			pk12util pp rsaperf selfserv shlibsign signtool signver ssltap strsclnt
-			symkeyutil tstclnt vfychain vfyserv"
-			# install man-pages for utils (bug #516810)
-			doman doc/nroff/*.1
-		fi
-		pushd dist/*/bin >/dev/null || die
-		for f in ${nssutils}; do
-			dobin ${f}
-		done
-		popd >/dev/null || die
-	fi
-
-	# Prelink breaks the CHK files. We don't have any reliable way to run
-	# shlibsign after prelink.
-	dodir /etc/prelink.conf.d
-	printf -- "-b ${EPREFIX}/usr/$(get_libdir)/lib%s.so\n" ${NSS_CHK_SIGN_LIBS} \
-		> "${ED}"/etc/prelink.conf.d/nss.conf
-}
-
-pkg_postinst() {
-	multilib_pkg_postinst() {
-		# We must re-sign the libraries AFTER they are stripped.
-		local shlibsign="${EROOT}/usr/bin/shlibsign"
-		# See if we can execute it (cross-compiling & such). #436216
-		"${shlibsign}" -h >&/dev/null
-		if [[ $? -gt 1 ]] ; then
-			shlibsign="shlibsign"
-		fi
-		generate_chk "${shlibsign}" "${EROOT}"/usr/$(get_libdir)
-	}
-
-	multilib_foreach_abi multilib_pkg_postinst
-}
-
-pkg_postrm() {
-	multilib_pkg_postrm() {
-		cleanup_chk "${EROOT}"/usr/$(get_libdir)
-	}
-
-	multilib_foreach_abi multilib_pkg_postrm
-}

diff --git a/dev-libs/nss/nss-3.25-r1.ebuild b/dev-libs/nss/nss-3.25-r1.ebuild
deleted file mode 100644
index ede1f3a..00000000
--- a/dev-libs/nss/nss-3.25-r1.ebuild
+++ /dev/null
@@ -1,339 +0,0 @@
-# Copyright 1999-2016 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-# $Id$
-
-EAPI=6
-
-inherit eutils flag-o-matic multilib toolchain-funcs multilib-minimal
-
-NSPR_VER="4.12"
-RTM_NAME="NSS_${PV//./_}_RTM"
-# Rev of https://git.fedorahosted.org/cgit/nss-pem.git
-PEM_GIT_REV="015ae754dd9f6fbcd7e52030ec9732eb27fc06a8"
-PEM_P="${PN}-pem-20140125"
-
-DESCRIPTION="Mozilla's Network Security Services library that implements PKI support"
-HOMEPAGE="http://www.mozilla.org/projects/security/pki/nss/"
-SRC_URI="https://archive.mozilla.org/pub/security/nss/releases/${RTM_NAME}/src/${P}.tar.gz
-	nss-pem? ( https://dev.gentoo.org/~anarchy/dist/${PEM_P}.tar.bz2 )"
-
-LICENSE="|| ( MPL-2.0 GPL-2 LGPL-2.1 )"
-SLOT="0"
-KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~amd64-fbsd ~x86-fbsd ~amd64-linux ~x86-linux ~x86-macos ~sparc-solaris ~x64-solaris ~x86-solaris"
-IUSE="cacert +nss-pem utils"
-CDEPEND=">=dev-db/sqlite-3.8.2[${MULTILIB_USEDEP}]
-	>=sys-libs/zlib-1.2.8-r1[${MULTILIB_USEDEP}]"
-DEPEND=">=virtual/pkgconfig-0-r1[${MULTILIB_USEDEP}]
-	>=dev-libs/nspr-${NSPR_VER}[${MULTILIB_USEDEP}]
-	${CDEPEND}"
-RDEPEND=">=dev-libs/nspr-${NSPR_VER}[${MULTILIB_USEDEP}]
-	${CDEPEND}
-	abi_x86_32? (
-		!<=app-emulation/emul-linux-x86-baselibs-20140508-r12
-		!app-emulation/emul-linux-x86-baselibs[-abi_x86_32(-)]
-	)"
-
-RESTRICT="test"
-
-S="${WORKDIR}/${P}/${PN}"
-
-MULTILIB_CHOST_TOOLS=(
-	/usr/bin/nss-config
-)
-
-PATCHES=(
-	# Custom changes for gentoo
-	"${FILESDIR}/${PN}-3.21-gentoo-fixups.patch"
-	"${FILESDIR}/${PN}-3.21-gentoo-fixup-warnings.patch"
-	"${FILESDIR}/${PN}-3.23-hppa-byte_order.patch"
-)
-
-src_unpack() {
-	unpack ${A}
-	if use nss-pem ; then
-		mv "${PN}"/lib/ckfw/pem/ "${S}"/lib/ckfw/ || die
-	fi
-}
-
-src_prepare() {
-	if use nss-pem ; then
-		PATCHES+=(
-			"${FILESDIR}/${PN}-3.21-enable-pem.patch"
-			"${FILESDIR}/${PN}-3.21-pem-werror.patch"
-		)
-	fi
-	if use cacert ; then #521462
-		PATCHES+=(
-			"${FILESDIR}/${PN}-3.21-cacert-class3.patch"
-		)
-	fi
-
-	default
-
-	pushd coreconf >/dev/null || die
-	# hack nspr paths
-	echo 'INCLUDES += -I$(DIST)/include/dbm' \
-		>> headers.mk || die "failed to append include"
-
-	# modify install path
-	sed -e '/CORE_DEPTH/s:SOURCE_PREFIX.*$:SOURCE_PREFIX = $(CORE_DEPTH)/dist:' \
-		-i source.mk || die
-
-	# Respect LDFLAGS
-	sed -i -e 's/\$(MKSHLIB) -o/\$(MKSHLIB) \$(LDFLAGS) -o/g' rules.mk
-	popd >/dev/null || die
-
-	# Fix pkgconfig file for Prefix
-	sed -i -e "/^PREFIX =/s:= /usr:= ${EPREFIX}/usr:" \
-		config/Makefile || die
-
-	# use host shlibsign if need be #436216
-	if tc-is-cross-compiler ; then
-		sed -i \
-			-e 's:"${2}"/shlibsign:shlibsign:' \
-			cmd/shlibsign/sign.sh || die
-	fi
-
-	# dirty hack
-	sed -i -e "/CRYPTOLIB/s:\$(SOFTOKEN_LIB_DIR):../freebl/\$(OBJDIR):" \
-		lib/ssl/config.mk || die
-	sed -i -e "/CRYPTOLIB/s:\$(SOFTOKEN_LIB_DIR):../../lib/freebl/\$(OBJDIR):" \
-		cmd/platlibs.mk || die
-
-	multilib_copy_sources
-
-	strip-flags
-}
-
-multilib_src_configure() {
-	# Ensure we stay multilib aware
-	sed -i -e "/@libdir@/ s:lib64:$(get_libdir):" config/Makefile || die
-}
-
-nssarch() {
-	# Most of the arches are the same as $ARCH
-	local t=${1:-${CHOST}}
-	case ${t} in
-		aarch64*)echo "aarch64";;
-		hppa*)   echo "parisc";;
-		i?86*)   echo "i686";;
-		x86_64*) echo "x86_64";;
-		*)       tc-arch ${t};;
-	esac
-}
-
-nssbits() {
-	local cc cppflags="${1}CPPFLAGS" cflags="${1}CFLAGS"
-	if [[ ${1} == BUILD_ ]]; then
-		cc=$(tc-getBUILD_CC)
-	else
-		cc=$(tc-getCC)
-	fi
-	echo > "${T}"/test.c || die
-	${cc} ${!cppflags} ${!cflags} -c "${T}"/test.c -o "${T}/${1}test.o" || die
-	case $(file "${T}/${1}test.o") in
-		*32-bit*x86-64*) echo USE_X32=1;;
-		*64-bit*|*ppc64*|*x86_64*) echo USE_64=1;;
-		*32-bit*|*ppc*|*i386*) ;;
-		*) die "Failed to detect whether ${cc} builds 64bits or 32bits, disable distcc if you're using it, please";;
-	esac
-}
-
-multilib_src_compile() {
-	# use ABI to determine bit'ness, or fallback if unset
-	local buildbits mybits
-	case "${ABI}" in
-		n32) mybits="USE_N32=1";;
-		x32) mybits="USE_X32=1";;
-		s390x|*64) mybits="USE_64=1";;
-		${DEFAULT_ABI})
-			einfo "Running compilation test to determine bit'ness"
-			mybits=$(nssbits)
-			;;
-	esac
-	# bitness of host may differ from target
-	if tc-is-cross-compiler; then
-		buildbits=$(nssbits BUILD_)
-	fi
-
-	local makeargs=(
-		CC="$(tc-getCC)"
-		AR="$(tc-getAR) rc \$@"
-		RANLIB="$(tc-getRANLIB)"
-		OPTIMIZER=
-		${mybits}
-	)
-
-	# Take care of nspr settings #436216
-	local myCPPFLAGS="${CPPFLAGS} $($(tc-getPKG_CONFIG) nspr --cflags)"
-	unset NSPR_INCLUDE_DIR
-
-	# Do not let `uname` be used.
-	if use kernel_linux ; then
-		makeargs+=(
-			OS_TARGET=Linux
-			OS_RELEASE=2.6
-			OS_TEST="$(nssarch)"
-		)
-	fi
-
-	export NSS_ENABLE_WERROR=0 #567158
-	export BUILD_OPT=1
-	export NSS_USE_SYSTEM_SQLITE=1
-	export NSDISTMODE=copy
-	export NSS_ENABLE_ECC=1
-	export FREEBL_NO_DEPEND=1
-	export ASFLAGS=""
-
-	local d
-
-	# Build the host tools first.
-	LDFLAGS="${BUILD_LDFLAGS}" \
-	XCFLAGS="${BUILD_CFLAGS}" \
-	NSPR_LIB_DIR="${T}/fakedir" \
-	emake -j1 -C coreconf \
-		CC="$(tc-getBUILD_CC)" \
-		${buildbits:-${mybits}}
-	makeargs+=( NSINSTALL="${PWD}/$(find -type f -name nsinstall)" )
-
-	# Then build the target tools.
-	for d in . lib/dbm ; do
-		CPPFLAGS="${myCPPFLAGS}" \
-		XCFLAGS="${CFLAGS} ${CPPFLAGS}" \
-		NSPR_LIB_DIR="${T}/fakedir" \
-		emake -j1 "${makeargs[@]}" -C ${d}
-	done
-}
-
-# Altering these 3 libraries breaks the CHK verification.
-# All of the following cause it to break:
-# - stripping
-# - prelink
-# - ELF signing
-# http://www.mozilla.org/projects/security/pki/nss/tech-notes/tn6.html
-# Either we have to NOT strip them, or we have to forcibly resign after
-# stripping.
-#local_libdir="$(get_libdir)"
-#export STRIP_MASK="
-#	*/${local_libdir}/libfreebl3.so*
-#	*/${local_libdir}/libnssdbm3.so*
-#	*/${local_libdir}/libsoftokn3.so*"
-
-export NSS_CHK_SIGN_LIBS="freebl3 nssdbm3 softokn3"
-
-generate_chk() {
-	local shlibsign="$1"
-	local libdir="$2"
-	einfo "Resigning core NSS libraries for FIPS validation"
-	shift 2
-	local i
-	for i in ${NSS_CHK_SIGN_LIBS} ; do
-		local libname=lib${i}.so
-		local chkname=lib${i}.chk
-		"${shlibsign}" \
-			-i "${libdir}"/${libname} \
-			-o "${libdir}"/${chkname}.tmp \
-		&& mv -f \
-			"${libdir}"/${chkname}.tmp \
-			"${libdir}"/${chkname} \
-		|| die "Failed to sign ${libname}"
-	done
-}
-
-cleanup_chk() {
-	local libdir="$1"
-	shift 1
-	local i
-	for i in ${NSS_CHK_SIGN_LIBS} ; do
-		local libfname="${libdir}/lib${i}.so"
-		# If the major version has changed, then we have old chk files.
-		[ ! -f "${libfname}" -a -f "${libfname}.chk" ] \
-			&& rm -f "${libfname}.chk"
-	done
-}
-
-multilib_src_install() {
-	pushd dist >/dev/null || die
-
-	dodir /usr/$(get_libdir)
-	cp -L */lib/*$(get_libname) "${ED}"/usr/$(get_libdir) || die "copying shared libs failed"
-	cp -L */lib/libcrmf.a "${ED}"/usr/$(get_libdir) || die "copying libs failed"
-	cp -L */lib/libfreebl.a "${ED}"/usr/$(get_libdir) || die "copying libs failed"
-
-	# Install nss-config and pkgconfig file
-	dodir /usr/bin
-	cp -L */bin/nss-config "${ED}"/usr/bin || die
-	dodir /usr/$(get_libdir)/pkgconfig
-	cp -L */lib/pkgconfig/nss.pc "${ED}"/usr/$(get_libdir)/pkgconfig || die
-
-	# create an nss-softokn.pc from nss.pc for libfreebl and some private headers
-	# bug 517266
-	sed 	-e 's#Libs:#Libs: -lfreebl#' \
-		-e 's#Cflags:#Cflags: -I${includedir}/private#' \
-		*/lib/pkgconfig/nss.pc >"${ED}"/usr/$(get_libdir)/pkgconfig/nss-softokn.pc \
-		|| die "could not create nss-softokn.pc"
-
-	# all the include files
-	insinto /usr/include/nss
-	doins public/nss/*.h
-	insinto /usr/include/nss/private
-	doins private/nss/{blapi,alghmac}.h
-
-	popd >/dev/null || die
-
-	local f nssutils
-	# Always enabled because we need it for chk generation.
-	nssutils="shlibsign"
-
-	if multilib_is_native_abi ; then
-		if use utils; then
-			# The tests we do not need to install.
-			#nssutils_test="bltest crmftest dbtest dertimetest
-			#fipstest remtest sdrtest"
-			# checkcert utils has been removed in nss-3.22:
-			# https://bugzilla.mozilla.org/show_bug.cgi?id=1187545
-			# https://hg.mozilla.org/projects/nss/rev/df1729d37870
-			nssutils="addbuiltin atob baddbdir btoa certcgi certutil
-			cmsutil conflict crlutil derdump digest makepqg mangle modutil multinit
-			nonspr10 ocspclnt oidcalc p7content p7env p7sign p7verify pk11mode
-			pk12util pp rsaperf selfserv shlibsign signtool signver ssltap strsclnt
-			symkeyutil tstclnt vfychain vfyserv"
-			# install man-pages for utils (bug #516810)
-			doman doc/nroff/*.1
-		fi
-		pushd dist/*/bin >/dev/null || die
-		for f in ${nssutils}; do
-			dobin ${f}
-		done
-		popd >/dev/null || die
-	fi
-
-	# Prelink breaks the CHK files. We don't have any reliable way to run
-	# shlibsign after prelink.
-	dodir /etc/prelink.conf.d
-	printf -- "-b ${EPREFIX}/usr/$(get_libdir)/lib%s.so\n" ${NSS_CHK_SIGN_LIBS} \
-		> "${ED}"/etc/prelink.conf.d/nss.conf
-}
-
-pkg_postinst() {
-	multilib_pkg_postinst() {
-		# We must re-sign the libraries AFTER they are stripped.
-		local shlibsign="${EROOT}/usr/bin/shlibsign"
-		# See if we can execute it (cross-compiling & such). #436216
-		"${shlibsign}" -h >&/dev/null
-		if [[ $? -gt 1 ]] ; then
-			shlibsign="shlibsign"
-		fi
-		generate_chk "${shlibsign}" "${EROOT}"/usr/$(get_libdir)
-	}
-
-	multilib_foreach_abi multilib_pkg_postinst
-}
-
-pkg_postrm() {
-	multilib_pkg_postrm() {
-		cleanup_chk "${EROOT}"/usr/$(get_libdir)
-	}
-
-	multilib_foreach_abi multilib_pkg_postrm
-}

diff --git a/dev-libs/nss/nss-3.26.1.ebuild b/dev-libs/nss/nss-3.26.1.ebuild
deleted file mode 100644
index 3e9034e..00000000
--- a/dev-libs/nss/nss-3.26.1.ebuild
+++ /dev/null
@@ -1,338 +0,0 @@
-# Copyright 1999-2016 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-# $Id$
-
-EAPI=6
-
-inherit eutils flag-o-matic multilib toolchain-funcs multilib-minimal
-
-NSPR_VER="4.12"
-RTM_NAME="NSS_${PV//./_}_RTM"
-# Rev of https://git.fedorahosted.org/cgit/nss-pem.git
-PEM_GIT_REV="429b0222759d8ad8e6dcd29e62875ae3efd69116"
-PEM_P="${PN}-pem-20160329"
-
-DESCRIPTION="Mozilla's Network Security Services library that implements PKI support"
-HOMEPAGE="http://www.mozilla.org/projects/security/pki/nss/"
-SRC_URI="https://archive.mozilla.org/pub/security/nss/releases/${RTM_NAME}/src/${P}.tar.gz
-	nss-pem? ( https://dev.gentoo.org/~polynomial-c/${PEM_P}.tar.xz )"
-
-LICENSE="|| ( MPL-2.0 GPL-2 LGPL-2.1 )"
-SLOT="0"
-KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~amd64-fbsd ~x86-fbsd ~amd64-linux ~x86-linux ~x86-macos ~sparc-solaris ~x64-solaris ~x86-solaris"
-IUSE="cacert +nss-pem utils"
-CDEPEND=">=dev-db/sqlite-3.8.2[${MULTILIB_USEDEP}]
-	>=sys-libs/zlib-1.2.8-r1[${MULTILIB_USEDEP}]"
-DEPEND=">=virtual/pkgconfig-0-r1[${MULTILIB_USEDEP}]
-	>=dev-libs/nspr-${NSPR_VER}[${MULTILIB_USEDEP}]
-	${CDEPEND}"
-RDEPEND=">=dev-libs/nspr-${NSPR_VER}[${MULTILIB_USEDEP}]
-	${CDEPEND}
-	abi_x86_32? (
-		!<=app-emulation/emul-linux-x86-baselibs-20140508-r12
-		!app-emulation/emul-linux-x86-baselibs[-abi_x86_32(-)]
-	)"
-
-RESTRICT="test"
-
-S="${WORKDIR}/${P}/${PN}"
-
-MULTILIB_CHOST_TOOLS=(
-	/usr/bin/nss-config
-)
-
-PATCHES=(
-	# Custom changes for gentoo
-	"${FILESDIR}/${PN}-3.21-gentoo-fixups.patch"
-	"${FILESDIR}/${PN}-3.21-gentoo-fixup-warnings.patch"
-	"${FILESDIR}/${PN}-3.23-hppa-byte_order.patch"
-)
-
-src_unpack() {
-	unpack ${A}
-	if use nss-pem ; then
-		mv "${PN}"/lib/ckfw/pem/ "${S}"/lib/ckfw/ || die
-	fi
-}
-
-src_prepare() {
-	if use nss-pem ; then
-		PATCHES+=(
-			"${FILESDIR}/${PN}-3.21-enable-pem.patch"
-		)
-	fi
-	if use cacert ; then #521462
-		PATCHES+=(
-			"${FILESDIR}/${PN}-3.21-cacert-class3.patch"
-		)
-	fi
-
-	default
-
-	pushd coreconf >/dev/null || die
-	# hack nspr paths
-	echo 'INCLUDES += -I$(DIST)/include/dbm' \
-		>> headers.mk || die "failed to append include"
-
-	# modify install path
-	sed -e '/CORE_DEPTH/s:SOURCE_PREFIX.*$:SOURCE_PREFIX = $(CORE_DEPTH)/dist:' \
-		-i source.mk || die
-
-	# Respect LDFLAGS
-	sed -i -e 's/\$(MKSHLIB) -o/\$(MKSHLIB) \$(LDFLAGS) -o/g' rules.mk
-	popd >/dev/null || die
-
-	# Fix pkgconfig file for Prefix
-	sed -i -e "/^PREFIX =/s:= /usr:= ${EPREFIX}/usr:" \
-		config/Makefile || die
-
-	# use host shlibsign if need be #436216
-	if tc-is-cross-compiler ; then
-		sed -i \
-			-e 's:"${2}"/shlibsign:shlibsign:' \
-			cmd/shlibsign/sign.sh || die
-	fi
-
-	# dirty hack
-	sed -i -e "/CRYPTOLIB/s:\$(SOFTOKEN_LIB_DIR):../freebl/\$(OBJDIR):" \
-		lib/ssl/config.mk || die
-	sed -i -e "/CRYPTOLIB/s:\$(SOFTOKEN_LIB_DIR):../../lib/freebl/\$(OBJDIR):" \
-		cmd/platlibs.mk || die
-
-	multilib_copy_sources
-
-	strip-flags
-}
-
-multilib_src_configure() {
-	# Ensure we stay multilib aware
-	sed -i -e "/@libdir@/ s:lib64:$(get_libdir):" config/Makefile || die
-}
-
-nssarch() {
-	# Most of the arches are the same as $ARCH
-	local t=${1:-${CHOST}}
-	case ${t} in
-		aarch64*)echo "aarch64";;
-		hppa*)   echo "parisc";;
-		i?86*)   echo "i686";;
-		x86_64*) echo "x86_64";;
-		*)       tc-arch ${t};;
-	esac
-}
-
-nssbits() {
-	local cc cppflags="${1}CPPFLAGS" cflags="${1}CFLAGS"
-	if [[ ${1} == BUILD_ ]]; then
-		cc=$(tc-getBUILD_CC)
-	else
-		cc=$(tc-getCC)
-	fi
-	echo > "${T}"/test.c || die
-	${cc} ${!cppflags} ${!cflags} -c "${T}"/test.c -o "${T}/${1}test.o" || die
-	case $(file "${T}/${1}test.o") in
-		*32-bit*x86-64*) echo USE_X32=1;;
-		*64-bit*|*ppc64*|*x86_64*) echo USE_64=1;;
-		*32-bit*|*ppc*|*i386*) ;;
-		*) die "Failed to detect whether ${cc} builds 64bits or 32bits, disable distcc if you're using it, please";;
-	esac
-}
-
-multilib_src_compile() {
-	# use ABI to determine bit'ness, or fallback if unset
-	local buildbits mybits
-	case "${ABI}" in
-		n32) mybits="USE_N32=1";;
-		x32) mybits="USE_X32=1";;
-		s390x|*64) mybits="USE_64=1";;
-		${DEFAULT_ABI})
-			einfo "Running compilation test to determine bit'ness"
-			mybits=$(nssbits)
-			;;
-	esac
-	# bitness of host may differ from target
-	if tc-is-cross-compiler; then
-		buildbits=$(nssbits BUILD_)
-	fi
-
-	local makeargs=(
-		CC="$(tc-getCC)"
-		AR="$(tc-getAR) rc \$@"
-		RANLIB="$(tc-getRANLIB)"
-		OPTIMIZER=
-		${mybits}
-	)
-
-	# Take care of nspr settings #436216
-	local myCPPFLAGS="${CPPFLAGS} $($(tc-getPKG_CONFIG) nspr --cflags)"
-	unset NSPR_INCLUDE_DIR
-
-	# Do not let `uname` be used.
-	if use kernel_linux ; then
-		makeargs+=(
-			OS_TARGET=Linux
-			OS_RELEASE=2.6
-			OS_TEST="$(nssarch)"
-		)
-	fi
-
-	export NSS_ENABLE_WERROR=0 #567158
-	export BUILD_OPT=1
-	export NSS_USE_SYSTEM_SQLITE=1
-	export NSDISTMODE=copy
-	export NSS_ENABLE_ECC=1
-	export FREEBL_NO_DEPEND=1
-	export ASFLAGS=""
-
-	local d
-
-	# Build the host tools first.
-	LDFLAGS="${BUILD_LDFLAGS}" \
-	XCFLAGS="${BUILD_CFLAGS}" \
-	NSPR_LIB_DIR="${T}/fakedir" \
-	emake -j1 -C coreconf \
-		CC="$(tc-getBUILD_CC)" \
-		${buildbits:-${mybits}}
-	makeargs+=( NSINSTALL="${PWD}/$(find -type f -name nsinstall)" )
-
-	# Then build the target tools.
-	for d in . lib/dbm ; do
-		CPPFLAGS="${myCPPFLAGS}" \
-		XCFLAGS="${CFLAGS} ${CPPFLAGS}" \
-		NSPR_LIB_DIR="${T}/fakedir" \
-		emake -j1 "${makeargs[@]}" -C ${d}
-	done
-}
-
-# Altering these 3 libraries breaks the CHK verification.
-# All of the following cause it to break:
-# - stripping
-# - prelink
-# - ELF signing
-# http://www.mozilla.org/projects/security/pki/nss/tech-notes/tn6.html
-# Either we have to NOT strip them, or we have to forcibly resign after
-# stripping.
-#local_libdir="$(get_libdir)"
-#export STRIP_MASK="
-#	*/${local_libdir}/libfreebl3.so*
-#	*/${local_libdir}/libnssdbm3.so*
-#	*/${local_libdir}/libsoftokn3.so*"
-
-export NSS_CHK_SIGN_LIBS="freebl3 nssdbm3 softokn3"
-
-generate_chk() {
-	local shlibsign="$1"
-	local libdir="$2"
-	einfo "Resigning core NSS libraries for FIPS validation"
-	shift 2
-	local i
-	for i in ${NSS_CHK_SIGN_LIBS} ; do
-		local libname=lib${i}.so
-		local chkname=lib${i}.chk
-		"${shlibsign}" \
-			-i "${libdir}"/${libname} \
-			-o "${libdir}"/${chkname}.tmp \
-		&& mv -f \
-			"${libdir}"/${chkname}.tmp \
-			"${libdir}"/${chkname} \
-		|| die "Failed to sign ${libname}"
-	done
-}
-
-cleanup_chk() {
-	local libdir="$1"
-	shift 1
-	local i
-	for i in ${NSS_CHK_SIGN_LIBS} ; do
-		local libfname="${libdir}/lib${i}.so"
-		# If the major version has changed, then we have old chk files.
-		[ ! -f "${libfname}" -a -f "${libfname}.chk" ] \
-			&& rm -f "${libfname}.chk"
-	done
-}
-
-multilib_src_install() {
-	pushd dist >/dev/null || die
-
-	dodir /usr/$(get_libdir)
-	cp -L */lib/*$(get_libname) "${ED}"/usr/$(get_libdir) || die "copying shared libs failed"
-	cp -L */lib/libcrmf.a "${ED}"/usr/$(get_libdir) || die "copying libs failed"
-	cp -L */lib/libfreebl.a "${ED}"/usr/$(get_libdir) || die "copying libs failed"
-
-	# Install nss-config and pkgconfig file
-	dodir /usr/bin
-	cp -L */bin/nss-config "${ED}"/usr/bin || die
-	dodir /usr/$(get_libdir)/pkgconfig
-	cp -L */lib/pkgconfig/nss.pc "${ED}"/usr/$(get_libdir)/pkgconfig || die
-
-	# create an nss-softokn.pc from nss.pc for libfreebl and some private headers
-	# bug 517266
-	sed 	-e 's#Libs:#Libs: -lfreebl#' \
-		-e 's#Cflags:#Cflags: -I${includedir}/private#' \
-		*/lib/pkgconfig/nss.pc >"${ED}"/usr/$(get_libdir)/pkgconfig/nss-softokn.pc \
-		|| die "could not create nss-softokn.pc"
-
-	# all the include files
-	insinto /usr/include/nss
-	doins public/nss/*.h
-	insinto /usr/include/nss/private
-	doins private/nss/{blapi,alghmac}.h
-
-	popd >/dev/null || die
-
-	local f nssutils
-	# Always enabled because we need it for chk generation.
-	nssutils="shlibsign"
-
-	if multilib_is_native_abi ; then
-		if use utils; then
-			# The tests we do not need to install.
-			#nssutils_test="bltest crmftest dbtest dertimetest
-			#fipstest remtest sdrtest"
-			# checkcert utils has been removed in nss-3.22:
-			# https://bugzilla.mozilla.org/show_bug.cgi?id=1187545
-			# https://hg.mozilla.org/projects/nss/rev/df1729d37870
-			nssutils="addbuiltin atob baddbdir btoa certcgi certutil
-			cmsutil conflict crlutil derdump digest makepqg mangle modutil multinit
-			nonspr10 ocspclnt oidcalc p7content p7env p7sign p7verify pk11mode
-			pk12util pp rsaperf selfserv shlibsign signtool signver ssltap strsclnt
-			symkeyutil tstclnt vfychain vfyserv"
-			# install man-pages for utils (bug #516810)
-			doman doc/nroff/*.1
-		fi
-		pushd dist/*/bin >/dev/null || die
-		for f in ${nssutils}; do
-			dobin ${f}
-		done
-		popd >/dev/null || die
-	fi
-
-	# Prelink breaks the CHK files. We don't have any reliable way to run
-	# shlibsign after prelink.
-	dodir /etc/prelink.conf.d
-	printf -- "-b ${EPREFIX}/usr/$(get_libdir)/lib%s.so\n" ${NSS_CHK_SIGN_LIBS} \
-		> "${ED}"/etc/prelink.conf.d/nss.conf
-}
-
-pkg_postinst() {
-	multilib_pkg_postinst() {
-		# We must re-sign the libraries AFTER they are stripped.
-		local shlibsign="${EROOT}/usr/bin/shlibsign"
-		# See if we can execute it (cross-compiling & such). #436216
-		"${shlibsign}" -h >&/dev/null
-		if [[ $? -gt 1 ]] ; then
-			shlibsign="shlibsign"
-		fi
-		generate_chk "${shlibsign}" "${EROOT}"/usr/$(get_libdir)
-	}
-
-	multilib_foreach_abi multilib_pkg_postinst
-}
-
-pkg_postrm() {
-	multilib_pkg_postrm() {
-		cleanup_chk "${EROOT}"/usr/$(get_libdir)
-	}
-
-	multilib_foreach_abi multilib_pkg_postrm
-}

diff --git a/dev-libs/nss/nss-3.27.2.ebuild b/dev-libs/nss/nss-3.27.2.ebuild
deleted file mode 100644
index c1ef5c7..00000000
--- a/dev-libs/nss/nss-3.27.2.ebuild
+++ /dev/null
@@ -1,339 +0,0 @@
-# Copyright 1999-2017 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-# $Id$
-
-EAPI=6
-
-inherit eutils flag-o-matic multilib toolchain-funcs multilib-minimal
-
-NSPR_VER="4.12"
-RTM_NAME="NSS_${PV//./_}_RTM"
-# Rev of https://git.fedorahosted.org/cgit/nss-pem.git
-PEM_GIT_REV="429b0222759d8ad8e6dcd29e62875ae3efd69116"
-PEM_P="${PN}-pem-20160329"
-
-DESCRIPTION="Mozilla's Network Security Services library that implements PKI support"
-HOMEPAGE="http://www.mozilla.org/projects/security/pki/nss/"
-SRC_URI="https://archive.mozilla.org/pub/security/nss/releases/${RTM_NAME}/src/${P}.tar.gz
-	cacert? ( https://dev.gentoo.org/~axs/distfiles/${PN}-cacert-class1-class3.patch )
-	nss-pem? ( https://dev.gentoo.org/~polynomial-c/${PEM_P}.tar.xz )"
-
-LICENSE="|| ( MPL-2.0 GPL-2 LGPL-2.1 )"
-SLOT="0"
-KEYWORDS="alpha amd64 arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc x86 ~amd64-fbsd ~x86-fbsd ~amd64-linux ~x86-linux ~x86-macos ~sparc-solaris ~x64-solaris ~x86-solaris"
-IUSE="cacert +nss-pem utils"
-CDEPEND=">=dev-db/sqlite-3.8.2[${MULTILIB_USEDEP}]
-	>=sys-libs/zlib-1.2.8-r1[${MULTILIB_USEDEP}]"
-DEPEND=">=virtual/pkgconfig-0-r1[${MULTILIB_USEDEP}]
-	>=dev-libs/nspr-${NSPR_VER}[${MULTILIB_USEDEP}]
-	${CDEPEND}"
-RDEPEND=">=dev-libs/nspr-${NSPR_VER}[${MULTILIB_USEDEP}]
-	${CDEPEND}
-	abi_x86_32? (
-		!<=app-emulation/emul-linux-x86-baselibs-20140508-r12
-		!app-emulation/emul-linux-x86-baselibs[-abi_x86_32(-)]
-	)"
-
-RESTRICT="test"
-
-S="${WORKDIR}/${P}/${PN}"
-
-MULTILIB_CHOST_TOOLS=(
-	/usr/bin/nss-config
-)
-
-PATCHES=(
-	# Custom changes for gentoo
-	"${FILESDIR}/${PN}-3.21-gentoo-fixups.patch"
-	"${FILESDIR}/${PN}-3.21-gentoo-fixup-warnings.patch"
-	"${FILESDIR}/${PN}-3.23-hppa-byte_order.patch"
-)
-
-src_unpack() {
-	unpack ${A}
-	if use nss-pem ; then
-		mv "${PN}"/lib/ckfw/pem/ "${S}"/lib/ckfw/ || die
-	fi
-}
-
-src_prepare() {
-	if use nss-pem ; then
-		PATCHES+=(
-			"${FILESDIR}/${PN}-3.21-enable-pem.patch"
-		)
-	fi
-	if use cacert ; then #521462
-		PATCHES+=(
-			"${DISTDIR}/${PN}-cacert-class1-class3.patch"
-		)
-	fi
-
-	default
-
-	pushd coreconf >/dev/null || die
-	# hack nspr paths
-	echo 'INCLUDES += -I$(DIST)/include/dbm' \
-		>> headers.mk || die "failed to append include"
-
-	# modify install path
-	sed -e '/CORE_DEPTH/s:SOURCE_PREFIX.*$:SOURCE_PREFIX = $(CORE_DEPTH)/dist:' \
-		-i source.mk || die
-
-	# Respect LDFLAGS
-	sed -i -e 's/\$(MKSHLIB) -o/\$(MKSHLIB) \$(LDFLAGS) -o/g' rules.mk
-	popd >/dev/null || die
-
-	# Fix pkgconfig file for Prefix
-	sed -i -e "/^PREFIX =/s:= /usr:= ${EPREFIX}/usr:" \
-		config/Makefile || die
-
-	# use host shlibsign if need be #436216
-	if tc-is-cross-compiler ; then
-		sed -i \
-			-e 's:"${2}"/shlibsign:shlibsign:' \
-			cmd/shlibsign/sign.sh || die
-	fi
-
-	# dirty hack
-	sed -i -e "/CRYPTOLIB/s:\$(SOFTOKEN_LIB_DIR):../freebl/\$(OBJDIR):" \
-		lib/ssl/config.mk || die
-	sed -i -e "/CRYPTOLIB/s:\$(SOFTOKEN_LIB_DIR):../../lib/freebl/\$(OBJDIR):" \
-		cmd/platlibs.mk || die
-
-	multilib_copy_sources
-
-	strip-flags
-}
-
-multilib_src_configure() {
-	# Ensure we stay multilib aware
-	sed -i -e "/@libdir@/ s:lib64:$(get_libdir):" config/Makefile || die
-}
-
-nssarch() {
-	# Most of the arches are the same as $ARCH
-	local t=${1:-${CHOST}}
-	case ${t} in
-		aarch64*)echo "aarch64";;
-		hppa*)   echo "parisc";;
-		i?86*)   echo "i686";;
-		x86_64*) echo "x86_64";;
-		*)       tc-arch ${t};;
-	esac
-}
-
-nssbits() {
-	local cc cppflags="${1}CPPFLAGS" cflags="${1}CFLAGS"
-	if [[ ${1} == BUILD_ ]]; then
-		cc=$(tc-getBUILD_CC)
-	else
-		cc=$(tc-getCC)
-	fi
-	echo > "${T}"/test.c || die
-	${cc} ${!cppflags} ${!cflags} -c "${T}"/test.c -o "${T}/${1}test.o" || die
-	case $(file "${T}/${1}test.o") in
-		*32-bit*x86-64*) echo USE_X32=1;;
-		*64-bit*|*ppc64*|*x86_64*) echo USE_64=1;;
-		*32-bit*|*ppc*|*i386*) ;;
-		*) die "Failed to detect whether ${cc} builds 64bits or 32bits, disable distcc if you're using it, please";;
-	esac
-}
-
-multilib_src_compile() {
-	# use ABI to determine bit'ness, or fallback if unset
-	local buildbits mybits
-	case "${ABI}" in
-		n32) mybits="USE_N32=1";;
-		x32) mybits="USE_X32=1";;
-		s390x|*64) mybits="USE_64=1";;
-		${DEFAULT_ABI})
-			einfo "Running compilation test to determine bit'ness"
-			mybits=$(nssbits)
-			;;
-	esac
-	# bitness of host may differ from target
-	if tc-is-cross-compiler; then
-		buildbits=$(nssbits BUILD_)
-	fi
-
-	local makeargs=(
-		CC="$(tc-getCC)"
-		AR="$(tc-getAR) rc \$@"
-		RANLIB="$(tc-getRANLIB)"
-		OPTIMIZER=
-		${mybits}
-	)
-
-	# Take care of nspr settings #436216
-	local myCPPFLAGS="${CPPFLAGS} $($(tc-getPKG_CONFIG) nspr --cflags)"
-	unset NSPR_INCLUDE_DIR
-
-	# Do not let `uname` be used.
-	if use kernel_linux ; then
-		makeargs+=(
-			OS_TARGET=Linux
-			OS_RELEASE=2.6
-			OS_TEST="$(nssarch)"
-		)
-	fi
-
-	export NSS_ENABLE_WERROR=0 #567158
-	export BUILD_OPT=1
-	export NSS_USE_SYSTEM_SQLITE=1
-	export NSDISTMODE=copy
-	export NSS_ENABLE_ECC=1
-	export FREEBL_NO_DEPEND=1
-	export ASFLAGS=""
-
-	local d
-
-	# Build the host tools first.
-	LDFLAGS="${BUILD_LDFLAGS}" \
-	XCFLAGS="${BUILD_CFLAGS}" \
-	NSPR_LIB_DIR="${T}/fakedir" \
-	emake -j1 -C coreconf \
-		CC="$(tc-getBUILD_CC)" \
-		${buildbits:-${mybits}}
-	makeargs+=( NSINSTALL="${PWD}/$(find -type f -name nsinstall)" )
-
-	# Then build the target tools.
-	for d in . lib/dbm ; do
-		CPPFLAGS="${myCPPFLAGS}" \
-		XCFLAGS="${CFLAGS} ${CPPFLAGS}" \
-		NSPR_LIB_DIR="${T}/fakedir" \
-		emake -j1 "${makeargs[@]}" -C ${d}
-	done
-}
-
-# Altering these 3 libraries breaks the CHK verification.
-# All of the following cause it to break:
-# - stripping
-# - prelink
-# - ELF signing
-# http://www.mozilla.org/projects/security/pki/nss/tech-notes/tn6.html
-# Either we have to NOT strip them, or we have to forcibly resign after
-# stripping.
-#local_libdir="$(get_libdir)"
-#export STRIP_MASK="
-#	*/${local_libdir}/libfreebl3.so*
-#	*/${local_libdir}/libnssdbm3.so*
-#	*/${local_libdir}/libsoftokn3.so*"
-
-export NSS_CHK_SIGN_LIBS="freebl3 nssdbm3 softokn3"
-
-generate_chk() {
-	local shlibsign="$1"
-	local libdir="$2"
-	einfo "Resigning core NSS libraries for FIPS validation"
-	shift 2
-	local i
-	for i in ${NSS_CHK_SIGN_LIBS} ; do
-		local libname=lib${i}.so
-		local chkname=lib${i}.chk
-		"${shlibsign}" \
-			-i "${libdir}"/${libname} \
-			-o "${libdir}"/${chkname}.tmp \
-		&& mv -f \
-			"${libdir}"/${chkname}.tmp \
-			"${libdir}"/${chkname} \
-		|| die "Failed to sign ${libname}"
-	done
-}
-
-cleanup_chk() {
-	local libdir="$1"
-	shift 1
-	local i
-	for i in ${NSS_CHK_SIGN_LIBS} ; do
-		local libfname="${libdir}/lib${i}.so"
-		# If the major version has changed, then we have old chk files.
-		[ ! -f "${libfname}" -a -f "${libfname}.chk" ] \
-			&& rm -f "${libfname}.chk"
-	done
-}
-
-multilib_src_install() {
-	pushd dist >/dev/null || die
-
-	dodir /usr/$(get_libdir)
-	cp -L */lib/*$(get_libname) "${ED}"/usr/$(get_libdir) || die "copying shared libs failed"
-	cp -L */lib/libcrmf.a "${ED}"/usr/$(get_libdir) || die "copying libs failed"
-	cp -L */lib/libfreebl.a "${ED}"/usr/$(get_libdir) || die "copying libs failed"
-
-	# Install nss-config and pkgconfig file
-	dodir /usr/bin
-	cp -L */bin/nss-config "${ED}"/usr/bin || die
-	dodir /usr/$(get_libdir)/pkgconfig
-	cp -L */lib/pkgconfig/nss.pc "${ED}"/usr/$(get_libdir)/pkgconfig || die
-
-	# create an nss-softokn.pc from nss.pc for libfreebl and some private headers
-	# bug 517266
-	sed 	-e 's#Libs:#Libs: -lfreebl#' \
-		-e 's#Cflags:#Cflags: -I${includedir}/private#' \
-		*/lib/pkgconfig/nss.pc >"${ED}"/usr/$(get_libdir)/pkgconfig/nss-softokn.pc \
-		|| die "could not create nss-softokn.pc"
-
-	# all the include files
-	insinto /usr/include/nss
-	doins public/nss/*.h
-	insinto /usr/include/nss/private
-	doins private/nss/{blapi,alghmac}.h
-
-	popd >/dev/null || die
-
-	local f nssutils
-	# Always enabled because we need it for chk generation.
-	nssutils="shlibsign"
-
-	if multilib_is_native_abi ; then
-		if use utils; then
-			# The tests we do not need to install.
-			#nssutils_test="bltest crmftest dbtest dertimetest
-			#fipstest remtest sdrtest"
-			# checkcert utils has been removed in nss-3.22:
-			# https://bugzilla.mozilla.org/show_bug.cgi?id=1187545
-			# https://hg.mozilla.org/projects/nss/rev/df1729d37870
-			nssutils="addbuiltin atob baddbdir btoa certcgi certutil
-			cmsutil conflict crlutil derdump digest makepqg mangle modutil multinit
-			nonspr10 ocspclnt oidcalc p7content p7env p7sign p7verify pk11mode
-			pk12util pp rsaperf selfserv shlibsign signtool signver ssltap strsclnt
-			symkeyutil tstclnt vfychain vfyserv"
-			# install man-pages for utils (bug #516810)
-			doman doc/nroff/*.1
-		fi
-		pushd dist/*/bin >/dev/null || die
-		for f in ${nssutils}; do
-			dobin ${f}
-		done
-		popd >/dev/null || die
-	fi
-
-	# Prelink breaks the CHK files. We don't have any reliable way to run
-	# shlibsign after prelink.
-	dodir /etc/prelink.conf.d
-	printf -- "-b ${EPREFIX}/usr/$(get_libdir)/lib%s.so\n" ${NSS_CHK_SIGN_LIBS} \
-		> "${ED}"/etc/prelink.conf.d/nss.conf
-}
-
-pkg_postinst() {
-	multilib_pkg_postinst() {
-		# We must re-sign the libraries AFTER they are stripped.
-		local shlibsign="${EROOT}/usr/bin/shlibsign"
-		# See if we can execute it (cross-compiling & such). #436216
-		"${shlibsign}" -h >&/dev/null
-		if [[ $? -gt 1 ]] ; then
-			shlibsign="shlibsign"
-		fi
-		generate_chk "${shlibsign}" "${EROOT}"/usr/$(get_libdir)
-	}
-
-	multilib_foreach_abi multilib_pkg_postinst
-}
-
-pkg_postrm() {
-	multilib_pkg_postrm() {
-		cleanup_chk "${EROOT}"/usr/$(get_libdir)
-	}
-
-	multilib_foreach_abi multilib_pkg_postrm
-}


^ permalink raw reply related	[flat|nested] 19+ messages in thread
* [gentoo-commits] repo/gentoo:master commit in: dev-libs/nss/, dev-libs/nss/files/
@ 2016-12-23  9:57 Lars Wendler
  0 siblings, 0 replies; 19+ messages in thread
From: Lars Wendler @ 2016-12-23  9:57 UTC (permalink / raw
  To: gentoo-commits

commit:     03b621dc695b5fa65be2cd713b51bbc22957efd3
Author:     Lars Wendler <polynomial-c <AT> gentoo <DOT> org>
AuthorDate: Fri Dec 23 09:56:52 2016 +0000
Commit:     Lars Wendler <polynomial-c <AT> gentoo <DOT> org>
CommitDate: Fri Dec 23 09:56:52 2016 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=03b621dc

dev-libs/nss: Removed old.

Package-Manager: Portage-2.3.3, Repoman-2.3.1

 dev-libs/nss/Manifest                              |   4 -
 dev-libs/nss/files/nss-3.14.2-solaris-gcc.patch    |  24 --
 .../nss/files/nss-3.15-gentoo-fixup-warnings.patch |  10 -
 dev-libs/nss/files/nss-3.15.4-enable-pem.patch     |  13 -
 dev-libs/nss/files/nss-3.17.1-gentoo-fixups.patch  | 241 ---------------
 dev-libs/nss/files/nss-cacert-class3.patch         | 204 -------------
 dev-libs/nss/nss-3.20.ebuild                       | 326 --------------------
 dev-libs/nss/nss-3.27.1.ebuild                     | 338 ---------------------
 dev-libs/nss/nss-3.27.ebuild                       | 338 ---------------------
 9 files changed, 1498 deletions(-)

diff --git a/dev-libs/nss/Manifest b/dev-libs/nss/Manifest
index fa1784d..c5f1d3b 100644
--- a/dev-libs/nss/Manifest
+++ b/dev-libs/nss/Manifest
@@ -1,14 +1,10 @@
 DIST nss-3.14.1-add_spi+cacerts_ca_certs.patch 25018 SHA256 82ca25982828fd7153ad15fc6e81408c115476eeeb4045d3a71469380b56824b SHA512 2aafbd972b073061bfd66a66a4b50060691957f2910f716f7a69d22d655c499f186f05db2101bea5248a00949f339327ba8bfffec024c61c8ee908766201ae00 WHIRLPOOL c9fe397e316dac7983b187acf7227078ebd8f8da5df53f77f2564489e85f123c4d2afb88d56e8dc14b9ebfffe8a71ade4724b3c1ea683c5c4c487cb3a64eda43
-DIST nss-3.20.tar.gz 6955552 SHA256 5e38d4b9837ca338af966b97fc91c07f67ad647fb38dc4af3cfd0d84e477d15c SHA512 50f666209cadd4e463f98643ec67e35f4d1b88381e17db9eed7c67559b19799fcc27e49d72536f546d4c45bca2afa4664e5590f868775a4397a77111d68fc366 WHIRLPOOL 84f20e6764b3621762fcfcb9223a3861e1f5ff02078b19b7df2eb58430a5f96943d962dca2d3366b18cd434acf3d3be746242c5064497167d5671c50233834de
 DIST nss-3.22.2.tar.gz 6982164 SHA256 07d49287c527ac31200f02dcf8494cef19e936d8ed470802749c4dfc782d3650 SHA512 0c73ba579cb697fe295bca2ee62315bc1830b542f607c1ecfbf591fa881d2ccfb5a6d830b47cd1434bdfbac07e03848b4fe9e6bda9c6d131a2c34973dc3b337c WHIRLPOOL 37137526ffc6f583ba54615c5fadb1076a5c0830b8aef6db394fb1da02345d5b1cf394b6a3cac7b8ce5727bf23ed1053f3f0f2865f0eab7c922c8459d5768142
 DIST nss-3.23.tar.gz 7467001 SHA256 94b383e31c9671e9dfcca81084a8a813817e8f05a57f54533509b318d26e11cf SHA512 f3e388a415493685faa6df932e9e968af41ea2e8e4cba3fbd539c60177443e4042e8d2e2bfe74183552e14522d49048be2f80fbe038bdbd499971e82abf2cc32 WHIRLPOOL 77e22bd7a525c5b10723e1d5fb6db1e9d2efebfcdf9828aa79296f71c441c065201ecda56291f37790333d9b1d1e38fef1391a033382a885b83da31a646d6243
 DIST nss-3.25.tar.gz 7338238 SHA256 5d1ad475da19d0c033a716350dc5f8a747999d3eba5ac07ee0368c5bad6e2359 SHA512 a33cff42d0d85eea091057648d598b7421de88f16ed357965ea08a8812de968c3f18d45452afd21afc90122f65c2c5bb2d7071357947b45e935aae55d28c4218 WHIRLPOOL 3857bffe7a58043612bbeaf0e596b3afdd4f0792441af667fb503dd2d354a535bb8523c258242b470d888ef2beff267b4480e6398a3328f0c44193b83f4a5934
 DIST nss-3.26.1.tar.gz 7387756 SHA256 abebb079288e4b0d34648a1fcdba8564ac05b29f5f1d19b53021ccb3ac37ad25 SHA512 f2a6754e4766cdf169b0abfc0ff47c469ae0e6ddc08c020ef154da7806e8ce31b49076af11b659bf19e9c4b5c6e53a0ac9e7855ee1c33b98a45cfeec446b93bd WHIRLPOOL 9152e3c7430b3362647adb494d1983cc37659b1d8691f1f1e21470aab4f496f3aecd925b8e19d83fa3735e72eeb6d6579bcc304c30e48359d05cb6e052610b0f
-DIST nss-3.27.1.tar.gz 7397737 SHA256 fd3637a1930cd838239a89633a7ed9a18859ae9b599043f3a18f726dc4ec2a6b SHA512 b52bc18e42cab78a325a8c4fcf2894ca879cecbb657a852baf460551ed9727f145bc328ebb61a43a1605b457f923a1495707ac4aee27be70220463818ed8db8d WHIRLPOOL 17174b7d43bd82b9e805d653a7ea8b79bc2647a5891806c1cb77e2ac99e40eb64ffee03e105a41c375ba37e26cafeff4bd4bad27c48e94ed388d0215d0545364
 DIST nss-3.27.2.tar.gz 7397599 SHA256 dc8ac8524469d0230274fd13a53fdcd74efe4aa67205dde1a4a92be87dc28524 SHA512 699847665e93fd649cb60ce6bc8f849f452779e7232a09bbeb0613f9e6c57bb81948f1ae59cc86648e41a212cda259109850ccd14546d35910deb75f5d2a13b8 WHIRLPOOL 08229d87de1c7020c1d7fc12fb8a2afc4bc9ab9f0208aad12698aba17386fbe9163cb506101c7d4d568409fd99141fb88c0e71fc32cecbc6640a4a8f7a4efabf
-DIST nss-3.27.tar.gz 7397210 SHA256 021aa936b06f5815474dd5c137f2325b3fe06caa38d9798ca53ec30b537301fa SHA512 a79c31d3ade72897928cdb1cfbf9236ea781fb1951904f2f5d9688afc4e55722ba75ea5a46622d1fa45d55bb2666d05a0df3a2c2ac16ce53335722618523c272 WHIRLPOOL 16277ba6cb3c71afeab7a5ce92ba0b3c0ec8622edc87bb1fe48dad86a910fa71a09db4c83ec8a973a048c5b925dbad2bc9d6361a66b94744479c47364e7ad5c5
 DIST nss-3.28.tar.gz 7440502 SHA256 c79dd15f66f581c294ce0ef032119357d03fee3a0aa61be263747d84f1b33254 SHA512 dd442c6d04edd0507cc49a1e3c2bfaa64555f7cde5cb9e512ccf33f14de458dddbb17efddd83271056ed6e6e32327e6e1b6f6609e1910a05e625b08e6f0965df WHIRLPOOL d013972f18d75e83da03c3903b712ef1094e6b8543c1755ea2b7ed7f6335e39ac20112808c86bb9df74cda4a8c5c1159401ecd05d1d8b07b3ecdca85f7f0ac82
 DIST nss-cacert-class1-class3.patch 22950 SHA256 6bba29cee34276e2ca6436dabedfeba2b61fb46668c5d5ceabf0c871574649bf SHA512 a5aa740bf110a3f0262e3f1ef2fc739ac2b44f042e220039d48aee8e97cd764d5c10718220364f4098aba955882bd02cadb5481512388971a8290312f88a7df0 WHIRLPOOL 1246223b01292604e5609bb9c580f092dc5937bf8c98f6891b099e8bab960e03612b6617e30a55d6ff8817d88f190e03812fe8f89f84f25c20970493dc2f7700
-DIST nss-pem-015ae754dd9f6fbcd7e52030ec9732eb27fc06a8.tar.bz2 27506 SHA256 50d9ec26a75835e900302f631456e278e13d4b435b8f98aa69f79dd439ddc6ab SHA512 0158a140f112a905f7db5a4f4d04f49f6742db1d2665ddf6c32913c367f0b93a57f86ba13b9883a42a528aff44c48196941d7c0fd7a27005db6adaf07802e501 WHIRLPOOL 279ef11d2d6f0cb7c192189d64bc6971cdada7417b93a65a3ff0ba4548b736b53b9812803024c2349114e94e0864f2b58c23812687ed3f75cf28334b0f6e11ac
 DIST nss-pem-20140125.tar.bz2 28805 SHA256 62604dfc4178399a804e87ca7566d8316a0a40a535de3b2d0fa48fd80c97f768 SHA512 352faf812735e1374c534ada6dd577842603ea193dafaacfd51f201599ffe3f7a23ce1c673421e42f8b692091b58085f90843c29f70ae916949715e7baba2b39 WHIRLPOOL 3ae81410f6f4d2699e9dc55982cad03c226045fbeee25984d53d37ff78ce5c96d008d6837e1c0a10b6c96cdff17c21142e437159896d314e81afc8820867ca62
 DIST nss-pem-20160329.tar.xz 27732 SHA256 6c13c342e7a9fe34b585556099beca33c3078b3df3e11b72827fb70232ac1443 SHA512 5834b06e4c64205447573d4f4c8989e20986ae67ee00eebce3817eb73794a6355a404143ba1c676ec302ceefaf9df103cb879b1d4ff14ba4e3790dbee3e40eb2 WHIRLPOOL 16fb714fab29e44f7a15fa1928a0f4c1a770f0847b8da97816e29a3b124dee782cffe2357648c445f4d29081f349571b6fffe48c5bc725c7c2dde491f3e0e836

diff --git a/dev-libs/nss/files/nss-3.14.2-solaris-gcc.patch b/dev-libs/nss/files/nss-3.14.2-solaris-gcc.patch
deleted file mode 100644
index a23725d..00000000
--- a/dev-libs/nss/files/nss-3.14.2-solaris-gcc.patch
+++ /dev/null
@@ -1,24 +0,0 @@
---- nss-3.14.2/mozilla/security/coreconf/SunOS5.mk
-+++ nss-3.14.2/mozilla/security/coreconf/SunOS5.mk
-@@ -5,6 +5,9 @@
- 
- include $(CORE_DEPTH)/coreconf/UNIX.mk
- 
-+NS_USE_GCC = 1
-+GCC_USE_GNU_LD = 1
-+
- # Sun's WorkShop defines v8, v8plus and v9 architectures.
- # gcc on Solaris defines v8 and v9 "cpus".  
- # gcc's v9 is equivalent to Workshop's v8plus.
-@@ -71,11 +74,6 @@
- NOMD_OS_CFLAGS += $(DSO_CFLAGS) $(OS_DEFINES) $(SOL_CFLAGS)
- 
- MKSHLIB  = $(CC) $(DSO_LDOPTS) $(RPATH)
--ifdef NS_USE_GCC
--ifeq (GNU,$(findstring GNU,$(shell `$(CC) -print-prog-name=ld` -v 2>&1)))
--	GCC_USE_GNU_LD = 1
--endif
--endif
- ifdef MAPFILE
- ifdef NS_USE_GCC
- ifdef GCC_USE_GNU_LD

diff --git a/dev-libs/nss/files/nss-3.15-gentoo-fixup-warnings.patch b/dev-libs/nss/files/nss-3.15-gentoo-fixup-warnings.patch
deleted file mode 100644
index 3ce2c0e..00000000
--- a/dev-libs/nss/files/nss-3.15-gentoo-fixup-warnings.patch
+++ /dev/null
@@ -1,10 +0,0 @@
---- nss-3.15/nss/coreconf/Linux.mk
-+++ nss-3.15/nss/coreconf/Linux.mk
-@@ -116,6 +116,7 @@
- 		OPTIMIZER += -gdwarf-2
- 	endif
- endif
-+OPTIMIZER += -fno-strict-aliasing
- endif
- 
- 

diff --git a/dev-libs/nss/files/nss-3.15.4-enable-pem.patch b/dev-libs/nss/files/nss-3.15.4-enable-pem.patch
deleted file mode 100644
index 8e61024..00000000
--- a/dev-libs/nss/files/nss-3.15.4-enable-pem.patch
+++ /dev/null
@@ -1,13 +0,0 @@
-Patches taken from http://pkgs.fedoraproject.org/cgit/nss.git/
-
---- nss/lib/ckfw/manifest.mn.libpem
-+++ nss/lib/ckfw/manifest.mn
-@@ -5,7 +5,7 @@
- 
- CORE_DEPTH = ../..
- 
--DIRS = builtins 
-+DIRS = builtins pem
- 
- PRIVATE_EXPORTS = \
- 	ck.h		  \

diff --git a/dev-libs/nss/files/nss-3.17.1-gentoo-fixups.patch b/dev-libs/nss/files/nss-3.17.1-gentoo-fixups.patch
deleted file mode 100644
index 26b488a..00000000
--- a/dev-libs/nss/files/nss-3.17.1-gentoo-fixups.patch
+++ /dev/null
@@ -1,241 +0,0 @@
---- nss-3.17.1/nss/config/Makefile
-+++ nss-3.17.1/nss/config/Makefile
-@@ -0,0 +1,40 @@
-+CORE_DEPTH = ..
-+DEPTH      = ..
-+
-+include $(CORE_DEPTH)/coreconf/config.mk
-+
-+NSS_MAJOR_VERSION = `grep "NSS_VMAJOR" ../lib/nss/nss.h | awk '{print $$3}'`
-+NSS_MINOR_VERSION = `grep "NSS_VMINOR" ../lib/nss/nss.h | awk '{print $$3}'`
-+NSS_PATCH_VERSION = `grep "NSS_VPATCH" ../lib/nss/nss.h | awk '{print $$3}'`
-+PREFIX = /usr
-+
-+all: export libs
-+
-+export:
-+	# Create the nss.pc file
-+	mkdir -p $(DIST)/lib/pkgconfig
-+	sed -e "s,@prefix@,$(PREFIX)," \
-+	    -e "s,@exec_prefix@,\$${prefix}," \
-+	    -e "s,@libdir@,\$${prefix}/lib64," \
-+	    -e "s,@includedir@,\$${prefix}/include/nss," \
-+	    -e "s,@NSS_MAJOR_VERSION@,$(NSS_MAJOR_VERSION),g" \
-+	    -e "s,@NSS_MINOR_VERSION@,$(NSS_MINOR_VERSION)," \
-+	    -e "s,@NSS_PATCH_VERSION@,$(NSS_PATCH_VERSION)," \
-+	    nss.pc.in > nss.pc
-+	chmod 0644 nss.pc
-+	ln -sf ../../../../config/nss.pc $(DIST)/lib/pkgconfig
-+
-+	# Create the nss-config script
-+	mkdir -p $(DIST)/bin
-+	sed -e "s,@prefix@,$(PREFIX)," \
-+	    -e "s,@NSS_MAJOR_VERSION@,$(NSS_MAJOR_VERSION)," \
-+	    -e "s,@NSS_MINOR_VERSION@,$(NSS_MINOR_VERSION)," \
-+	    -e "s,@NSS_PATCH_VERSION@,$(NSS_PATCH_VERSION)," \
-+	    nss-config.in > nss-config
-+	chmod 0755 nss-config
-+	ln -sf ../../../config/nss-config $(DIST)/bin
-+
-+libs:
-+
-+dummy: all export libs
-+
---- nss-3.17.1/nss/config/nss-config.in
-+++ nss-3.17.1/nss/config/nss-config.in
-@@ -0,0 +1,145 @@
-+#!/bin/sh
-+
-+prefix=@prefix@
-+
-+major_version=@NSS_MAJOR_VERSION@
-+minor_version=@NSS_MINOR_VERSION@
-+patch_version=@NSS_PATCH_VERSION@
-+
-+usage()
-+{
-+	cat <<EOF
-+Usage: nss-config [OPTIONS] [LIBRARIES]
-+Options:
-+	[--prefix[=DIR]]
-+	[--exec-prefix[=DIR]]
-+	[--includedir[=DIR]]
-+	[--libdir[=DIR]]
-+	[--version]
-+	[--libs]
-+	[--cflags]
-+Dynamic Libraries:
-+	nss
-+	ssl
-+	smime
-+	nssutil
-+EOF
-+	exit $1
-+}
-+
-+if test $# -eq 0; then
-+	usage 1 1>&2
-+fi
-+
-+lib_ssl=yes
-+lib_smime=yes
-+lib_nss=yes
-+lib_nssutil=yes
-+
-+while test $# -gt 0; do
-+  case "$1" in
-+  -*=*) optarg=`echo "$1" | sed 's/[-_a-zA-Z0-9]*=//'` ;;
-+  *) optarg= ;;
-+  esac
-+
-+  case $1 in
-+    --prefix=*)
-+      prefix=$optarg
-+      ;;
-+    --prefix)
-+      echo_prefix=yes
-+      ;;
-+    --exec-prefix=*)
-+      exec_prefix=$optarg
-+      ;;
-+    --exec-prefix)
-+      echo_exec_prefix=yes
-+      ;;
-+    --includedir=*)
-+      includedir=$optarg
-+      ;;
-+    --includedir)
-+      echo_includedir=yes
-+      ;;
-+    --libdir=*)
-+      libdir=$optarg
-+      ;;
-+    --libdir)
-+      echo_libdir=yes
-+      ;;
-+    --version)
-+      echo ${major_version}.${minor_version}.${patch_version}
-+      ;;
-+    --cflags)
-+      echo_cflags=yes
-+      ;;
-+    --libs)
-+      echo_libs=yes
-+      ;;
-+    ssl)
-+      lib_ssl=yes
-+      ;;
-+    smime)
-+      lib_smime=yes
-+      ;;
-+    nss)
-+      lib_nss=yes
-+      ;;
-+    nssutil)                                                      
-+      lib_nssutil=yes                                             
-+      ;;
-+    *)
-+      usage 1 1>&2
-+      ;;
-+  esac
-+  shift
-+done
-+
-+# Set variables that may be dependent upon other variables
-+if test -z "$exec_prefix"; then
-+    exec_prefix=`pkg-config --variable=exec_prefix nss`
-+fi
-+if test -z "$includedir"; then
-+    includedir=`pkg-config --variable=includedir nss`
-+fi
-+if test -z "$libdir"; then
-+    libdir=`pkg-config --variable=libdir nss`
-+fi
-+
-+if test "$echo_prefix" = "yes"; then
-+    echo $prefix
-+fi
-+
-+if test "$echo_exec_prefix" = "yes"; then
-+    echo $exec_prefix
-+fi
-+
-+if test "$echo_includedir" = "yes"; then
-+    echo $includedir
-+fi
-+
-+if test "$echo_libdir" = "yes"; then
-+    echo $libdir
-+fi
-+
-+if test "$echo_cflags" = "yes"; then
-+    echo -I$includedir
-+fi
-+
-+if test "$echo_libs" = "yes"; then
-+      libdirs=""
-+      if test -n "$lib_ssl"; then
-+	libdirs="$libdirs -lssl${major_version}"
-+      fi
-+      if test -n "$lib_smime"; then
-+	libdirs="$libdirs -lsmime${major_version}"
-+      fi
-+      if test -n "$lib_nss"; then
-+	libdirs="$libdirs -lnss${major_version}"
-+      fi
-+      if test -n "$lib_nssutil"; then
-+       libdirs="$libdirs -lnssutil${major_version}"
-+      fi
-+      echo $libdirs
-+fi      
-+
---- nss-3.17.1/nss/config/nss.pc.in
-+++ nss-3.17.1/nss/config/nss.pc.in
-@@ -0,0 +1,12 @@
-+prefix=@prefix@
-+exec_prefix=@exec_prefix@
-+libdir=@libdir@
-+includedir=@includedir@
-+
-+Name: NSS
-+Description: Network Security Services
-+Version: @NSS_MAJOR_VERSION@.@NSS_MINOR_VERSION@.@NSS_PATCH_VERSION@
-+Requires: nspr >= 4.8
-+Libs: -lssl3 -lsmime3 -lnss3 -lnssutil3
-+Cflags: -I${includedir}
-+
---- nss-3.17.1/nss/Makefile
-+++ nss-3.17.1/nss/Makefile
-@@ -44,7 +44,7 @@
- # (7) Execute "local" rules. (OPTIONAL).                              #
- #######################################################################
- 
--nss_build_all: build_nspr all
-+nss_build_all: all
- 
- nss_clean_all: clobber_nspr clobber
- 
-@@ -109,12 +109,6 @@
- 	--with-dist-prefix='$(NSPR_PREFIX)' \
- 	--with-dist-includedir='$(NSPR_PREFIX)/include'
- 
--build_nspr: $(NSPR_CONFIG_STATUS)
--	$(MAKE) -C $(CORE_DEPTH)/../nspr/$(OBJDIR_NAME)
--
--clobber_nspr: $(NSPR_CONFIG_STATUS)
--	$(MAKE) -C $(CORE_DEPTH)/../nspr/$(OBJDIR_NAME) clobber
--
- build_docs:
- 	$(MAKE) -C $(CORE_DEPTH)/doc
- 
---- nss-3.17.1/nss/manifest.mn
-+++ nss-3.17.1/nss/manifest.mn
-@@ -10,7 +10,7 @@
- 
- RELEASE = nss
- 
--DIRS = coreconf lib cmd
-+DIRS = coreconf lib cmd config
- 
- ifdef NSS_BUILD_GTESTS
- DIRS += external_tests

diff --git a/dev-libs/nss/files/nss-cacert-class3.patch b/dev-libs/nss/files/nss-cacert-class3.patch
deleted file mode 100644
index 47f4da5..00000000
--- a/dev-libs/nss/files/nss-cacert-class3.patch
+++ /dev/null
@@ -1,204 +0,0 @@
-diff -urN a/nss/lib/ckfw/builtins/certdata.txt b/nss/lib/ckfw/builtins/certdata.txt
---- a/nss/lib/ckfw/builtins/certdata.txt	2015-01-22 13:49:26.000000000 -0600
-+++ b/nss/lib/ckfw/builtins/certdata.txt	2015-03-21 20:24:59.913637329 -0500
-@@ -30320,3 +30320,200 @@
- CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
- CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
- CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
-+
-+#
-+# Certificate "CAcert Inc."
-+#
-+# Issuer: E=support@cacert.org,CN=CA Cert Signing Authority,OU=http://www.cacert.org,O=Root CA
-+# Serial Number: 672138 (0xa418a)
-+# Subject: CN=CAcert Class 3 Root,OU=http://www.CAcert.org,O=CAcert Inc.
-+# Not Valid Before: Mon May 23 17:48:02 2011
-+# Not Valid After : Thu May 20 17:48:02 2021
-+# Fingerprint (SHA-256): 4E:DD:E9:E5:5C:A4:53:B3:88:88:7C:AA:25:D5:C5:C5:BC:CF:28:91:D7:3B:87:49:58:08:29:3D:5F:AC:83:C8
-+# Fingerprint (SHA1): AD:7C:3F:64:FC:44:39:FE:F4:E9:0B:E8:F4:7C:6C:FA:8A:AD:FD:CE
-+CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
-+CKA_TOKEN CK_BBOOL CK_TRUE
-+CKA_PRIVATE CK_BBOOL CK_FALSE
-+CKA_MODIFIABLE CK_BBOOL CK_FALSE
-+CKA_LABEL UTF8 "CAcert Inc."
-+CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
-+CKA_SUBJECT MULTILINE_OCTAL
-+\060\124\061\024\060\022\006\003\125\004\012\023\013\103\101\143
-+\145\162\164\040\111\156\143\056\061\036\060\034\006\003\125\004
-+\013\023\025\150\164\164\160\072\057\057\167\167\167\056\103\101
-+\143\145\162\164\056\157\162\147\061\034\060\032\006\003\125\004
-+\003\023\023\103\101\143\145\162\164\040\103\154\141\163\163\040
-+\063\040\122\157\157\164
-+END
-+CKA_ID UTF8 "0"
-+CKA_ISSUER MULTILINE_OCTAL
-+\060\171\061\020\060\016\006\003\125\004\012\023\007\122\157\157
-+\164\040\103\101\061\036\060\034\006\003\125\004\013\023\025\150
-+\164\164\160\072\057\057\167\167\167\056\143\141\143\145\162\164
-+\056\157\162\147\061\042\060\040\006\003\125\004\003\023\031\103
-+\101\040\103\145\162\164\040\123\151\147\156\151\156\147\040\101
-+\165\164\150\157\162\151\164\171\061\041\060\037\006\011\052\206
-+\110\206\367\015\001\011\001\026\022\163\165\160\160\157\162\164
-+\100\143\141\143\145\162\164\056\157\162\147
-+END
-+CKA_SERIAL_NUMBER MULTILINE_OCTAL
-+\002\003\012\101\212
-+END
-+CKA_VALUE MULTILINE_OCTAL
-+\060\202\007\131\060\202\005\101\240\003\002\001\002\002\003\012
-+\101\212\060\015\006\011\052\206\110\206\367\015\001\001\013\005
-+\000\060\171\061\020\060\016\006\003\125\004\012\023\007\122\157
-+\157\164\040\103\101\061\036\060\034\006\003\125\004\013\023\025
-+\150\164\164\160\072\057\057\167\167\167\056\143\141\143\145\162
-+\164\056\157\162\147\061\042\060\040\006\003\125\004\003\023\031
-+\103\101\040\103\145\162\164\040\123\151\147\156\151\156\147\040
-+\101\165\164\150\157\162\151\164\171\061\041\060\037\006\011\052
-+\206\110\206\367\015\001\011\001\026\022\163\165\160\160\157\162
-+\164\100\143\141\143\145\162\164\056\157\162\147\060\036\027\015
-+\061\061\060\065\062\063\061\067\064\070\060\062\132\027\015\062
-+\061\060\065\062\060\061\067\064\070\060\062\132\060\124\061\024
-+\060\022\006\003\125\004\012\023\013\103\101\143\145\162\164\040
-+\111\156\143\056\061\036\060\034\006\003\125\004\013\023\025\150
-+\164\164\160\072\057\057\167\167\167\056\103\101\143\145\162\164
-+\056\157\162\147\061\034\060\032\006\003\125\004\003\023\023\103
-+\101\143\145\162\164\040\103\154\141\163\163\040\063\040\122\157
-+\157\164\060\202\002\042\060\015\006\011\052\206\110\206\367\015
-+\001\001\001\005\000\003\202\002\017\000\060\202\002\012\002\202
-+\002\001\000\253\111\065\021\110\174\322\046\176\123\224\317\103
-+\251\335\050\327\102\052\213\363\207\170\031\130\174\017\236\332
-+\211\175\341\373\353\162\220\015\164\241\226\144\253\237\240\044
-+\231\163\332\342\125\166\307\027\173\365\004\254\106\270\303\276
-+\177\144\215\020\154\044\363\141\234\300\362\220\372\121\346\365
-+\151\001\143\303\017\126\342\112\102\317\342\104\214\045\050\250
-+\305\171\011\175\106\271\212\363\351\363\064\051\010\105\344\034
-+\237\313\224\004\034\201\250\024\263\230\145\304\103\354\116\202
-+\215\011\321\275\252\133\215\222\320\354\336\220\305\177\012\302
-+\343\353\346\061\132\136\164\076\227\063\131\350\303\003\075\140
-+\063\277\367\321\157\107\304\315\356\142\203\122\156\056\010\232
-+\244\331\025\030\221\246\205\222\107\260\256\110\353\155\267\041
-+\354\205\032\150\162\065\253\377\360\020\135\300\364\224\247\152
-+\325\073\222\176\114\220\005\176\223\301\054\213\244\216\142\164
-+\025\161\156\013\161\003\352\257\025\070\232\324\322\005\162\157
-+\214\371\053\353\132\162\045\371\071\106\343\162\033\076\004\303
-+\144\047\042\020\052\212\117\130\247\003\255\276\264\056\023\355
-+\135\252\110\327\325\175\324\052\173\134\372\106\004\120\344\314
-+\016\102\133\214\355\333\362\317\374\226\223\340\333\021\066\124
-+\142\064\070\217\014\140\233\073\227\126\070\255\363\322\133\213
-+\240\133\352\116\226\270\174\327\325\240\206\160\100\323\221\051
-+\267\242\074\255\365\214\273\317\032\222\212\344\064\173\300\330
-+\154\137\351\012\302\303\247\040\232\132\337\054\135\122\134\272
-+\107\325\233\357\044\050\160\070\040\057\325\177\051\300\262\101
-+\003\150\222\314\340\234\314\227\113\105\357\072\020\012\253\160
-+\072\230\225\160\255\065\261\352\205\053\244\034\200\041\061\251
-+\256\140\172\200\046\110\000\270\001\300\223\143\125\042\221\074
-+\126\347\257\333\072\045\363\217\061\124\352\046\213\201\131\371
-+\241\321\123\021\305\173\235\003\366\164\021\340\155\261\054\077
-+\054\206\221\231\161\232\246\167\213\064\140\321\024\264\054\254
-+\235\257\214\020\323\237\304\152\370\157\023\374\163\131\367\146
-+\102\164\036\212\343\370\334\322\157\230\234\313\107\230\225\100
-+\005\373\351\002\003\001\000\001\243\202\002\015\060\202\002\011
-+\060\035\006\003\125\035\016\004\026\004\024\165\250\161\140\114
-+\210\023\360\170\331\211\167\265\155\305\211\337\274\261\172\060
-+\201\243\006\003\125\035\043\004\201\233\060\201\230\200\024\026
-+\265\062\033\324\307\363\340\346\216\363\275\322\260\072\356\262
-+\071\030\321\241\175\244\173\060\171\061\020\060\016\006\003\125
-+\004\012\023\007\122\157\157\164\040\103\101\061\036\060\034\006
-+\003\125\004\013\023\025\150\164\164\160\072\057\057\167\167\167
-+\056\143\141\143\145\162\164\056\157\162\147\061\042\060\040\006
-+\003\125\004\003\023\031\103\101\040\103\145\162\164\040\123\151
-+\147\156\151\156\147\040\101\165\164\150\157\162\151\164\171\061
-+\041\060\037\006\011\052\206\110\206\367\015\001\011\001\026\022
-+\163\165\160\160\157\162\164\100\143\141\143\145\162\164\056\157
-+\162\147\202\001\000\060\017\006\003\125\035\023\001\001\377\004
-+\005\060\003\001\001\377\060\135\006\010\053\006\001\005\005\007
-+\001\001\004\121\060\117\060\043\006\010\053\006\001\005\005\007
-+\060\001\206\027\150\164\164\160\072\057\057\157\143\163\160\056
-+\103\101\143\145\162\164\056\157\162\147\057\060\050\006\010\053
-+\006\001\005\005\007\060\002\206\034\150\164\164\160\072\057\057
-+\167\167\167\056\103\101\143\145\162\164\056\157\162\147\057\143
-+\141\056\143\162\164\060\112\006\003\125\035\040\004\103\060\101
-+\060\077\006\010\053\006\001\004\001\201\220\112\060\063\060\061
-+\006\010\053\006\001\005\005\007\002\001\026\045\150\164\164\160
-+\072\057\057\167\167\167\056\103\101\143\145\162\164\056\157\162
-+\147\057\151\156\144\145\170\056\160\150\160\077\151\144\075\061
-+\060\060\064\006\011\140\206\110\001\206\370\102\001\010\004\047
-+\026\045\150\164\164\160\072\057\057\167\167\167\056\103\101\143
-+\145\162\164\056\157\162\147\057\151\156\144\145\170\056\160\150
-+\160\077\151\144\075\061\060\060\120\006\011\140\206\110\001\206
-+\370\102\001\015\004\103\026\101\124\157\040\147\145\164\040\171
-+\157\165\162\040\157\167\156\040\143\145\162\164\151\146\151\143
-+\141\164\145\040\146\157\162\040\106\122\105\105\054\040\147\157
-+\040\164\157\040\150\164\164\160\072\057\057\167\167\167\056\103
-+\101\143\145\162\164\056\157\162\147\060\015\006\011\052\206\110
-+\206\367\015\001\001\013\005\000\003\202\002\001\000\051\050\205
-+\256\104\251\271\257\244\171\023\360\250\243\053\227\140\363\134
-+\356\343\057\301\366\342\146\240\021\256\066\067\072\166\025\004
-+\123\352\102\365\371\352\300\025\330\246\202\331\344\141\256\162
-+\013\051\134\220\103\350\101\262\341\167\333\002\023\104\170\107
-+\125\257\130\374\314\230\366\105\271\321\040\370\330\041\007\376
-+\155\252\163\324\263\306\007\351\011\205\314\073\362\266\276\054
-+\034\045\325\161\214\071\265\056\352\276\030\201\272\260\223\270
-+\017\343\346\327\046\214\061\132\162\003\204\122\346\246\365\063
-+\042\105\012\310\013\015\212\270\066\157\220\011\241\253\275\327
-+\325\116\056\161\242\324\256\372\247\124\053\353\065\215\132\267
-+\124\210\057\356\164\237\355\110\026\312\015\110\320\224\323\254
-+\244\242\366\044\337\222\343\275\353\103\100\221\156\034\030\216
-+\126\264\202\022\363\251\223\237\324\274\234\255\234\165\356\132
-+\227\033\225\347\164\055\034\017\260\054\227\237\373\251\063\071
-+\172\347\003\072\222\216\042\366\214\015\344\331\176\015\166\030
-+\367\001\371\357\226\226\242\125\163\300\074\161\264\035\032\126
-+\103\267\303\012\215\162\374\342\020\011\013\101\316\214\224\240
-+\371\003\375\161\163\113\212\127\063\345\216\164\176\025\001\000
-+\346\314\112\034\347\177\225\031\055\305\245\014\213\273\265\355
-+\205\263\134\323\337\270\271\362\312\307\015\001\024\254\160\130
-+\305\214\215\063\324\235\146\243\032\120\225\043\374\110\340\006
-+\103\022\331\315\247\206\071\057\066\162\243\200\020\344\341\363
-+\321\313\133\032\300\344\200\232\174\023\163\006\117\333\243\153
-+\044\012\272\263\034\274\112\170\273\345\343\165\070\245\110\247
-+\242\036\257\166\324\136\367\070\206\126\132\211\316\326\303\247
-+\171\262\122\240\306\361\205\264\045\214\362\077\226\263\020\331
-+\215\154\127\073\237\157\206\072\030\202\042\066\310\260\221\070
-+\333\052\241\223\252\204\077\365\047\145\256\163\325\310\325\323
-+\167\352\113\235\307\101\273\307\300\343\240\077\344\175\244\215
-+\163\346\022\113\337\241\163\163\163\072\200\350\325\313\216\057
-+\313\352\023\247\326\101\213\254\372\074\211\327\044\365\116\264
-+\340\141\222\267\363\067\230\304\276\226\243\267\212
-+END
-+
-+# Trust for "CAcert Inc."
-+# Issuer: E=support@cacert.org,CN=CA Cert Signing Authority,OU=http://www.cacert.org,O=Root CA
-+# Serial Number: 672138 (0xa418a)
-+# Subject: CN=CAcert Class 3 Root,OU=http://www.CAcert.org,O=CAcert Inc.
-+# Not Valid Before: Mon May 23 17:48:02 2011
-+# Not Valid After : Thu May 20 17:48:02 2021
-+# Fingerprint (SHA-256): 4E:DD:E9:E5:5C:A4:53:B3:88:88:7C:AA:25:D5:C5:C5:BC:CF:28:91:D7:3B:87:49:58:08:29:3D:5F:AC:83:C8
-+# Fingerprint (SHA1): AD:7C:3F:64:FC:44:39:FE:F4:E9:0B:E8:F4:7C:6C:FA:8A:AD:FD:CE
-+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
-+CKA_TOKEN CK_BBOOL CK_TRUE
-+CKA_PRIVATE CK_BBOOL CK_FALSE
-+CKA_MODIFIABLE CK_BBOOL CK_FALSE
-+CKA_LABEL UTF8 "CAcert Inc."
-+CKA_CERT_SHA1_HASH MULTILINE_OCTAL
-+\255\174\077\144\374\104\071\376\364\351\013\350\364\174\154\372
-+\212\255\375\316
-+END
-+CKA_CERT_MD5_HASH MULTILINE_OCTAL
-+\367\045\022\202\116\147\265\320\215\222\267\174\013\206\172\102
-+END
-+CKA_ISSUER MULTILINE_OCTAL
-+\060\171\061\020\060\016\006\003\125\004\012\023\007\122\157\157
-+\164\040\103\101\061\036\060\034\006\003\125\004\013\023\025\150
-+\164\164\160\072\057\057\167\167\167\056\143\141\143\145\162\164
-+\056\157\162\147\061\042\060\040\006\003\125\004\003\023\031\103
-+\101\040\103\145\162\164\040\123\151\147\156\151\156\147\040\101
-+\165\164\150\157\162\151\164\171\061\041\060\037\006\011\052\206
-+\110\206\367\015\001\011\001\026\022\163\165\160\160\157\162\164
-+\100\143\141\143\145\162\164\056\157\162\147
-+END
-+CKA_SERIAL_NUMBER MULTILINE_OCTAL
-+\002\003\012\101\212
-+END
-+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-+CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE

diff --git a/dev-libs/nss/nss-3.20.ebuild b/dev-libs/nss/nss-3.20.ebuild
deleted file mode 100644
index 7153cea..00000000
--- a/dev-libs/nss/nss-3.20.ebuild
+++ /dev/null
@@ -1,326 +0,0 @@
-# Copyright 1999-2015 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-# $Id$
-
-EAPI=5
-inherit eutils flag-o-matic multilib toolchain-funcs multilib-minimal
-
-NSPR_VER="4.10.8"
-RTM_NAME="NSS_${PV//./_}_RTM"
-# Rev of https://git.fedorahosted.org/cgit/nss-pem.git
-PEM_GIT_REV="015ae754dd9f6fbcd7e52030ec9732eb27fc06a8"
-PEM_P="${PN}-pem-${PEM_GIT_REV}"
-
-DESCRIPTION="Mozilla's Network Security Services library that implements PKI support"
-HOMEPAGE="http://www.mozilla.org/projects/security/pki/nss/"
-SRC_URI="http://archive.mozilla.org/pub/mozilla.org/security/nss/releases/${RTM_NAME}/src/${P}.tar.gz
-	cacert? ( https://dev.gentoo.org/~anarchy/patches/${PN}-3.14.1-add_spi+cacerts_ca_certs.patch )
-	nss-pem? ( https://git.fedorahosted.org/cgit/nss-pem.git/snapshot/${PEM_P}.tar.bz2 )"
-
-LICENSE="|| ( MPL-2.0 GPL-2 LGPL-2.1 )"
-SLOT="0"
-KEYWORDS="alpha amd64 arm arm64 hppa ia64 m68k ~mips ppc ppc64 s390 sh sparc x86 ~amd64-fbsd ~x86-fbsd ~amd64-linux ~x86-linux ~x86-macos ~sparc-solaris ~x64-solaris ~x86-solaris"
-IUSE="+cacert +nss-pem utils"
-CDEPEND=">=dev-db/sqlite-3.8.2[${MULTILIB_USEDEP}]
-	>=sys-libs/zlib-1.2.8-r1[${MULTILIB_USEDEP}]"
-DEPEND=">=virtual/pkgconfig-0-r1[${MULTILIB_USEDEP}]
-	>=dev-libs/nspr-${NSPR_VER}[${MULTILIB_USEDEP}]
-	${CDEPEND}"
-RDEPEND=">=dev-libs/nspr-${NSPR_VER}[${MULTILIB_USEDEP}]
-	${CDEPEND}
-	abi_x86_32? (
-		!<=app-emulation/emul-linux-x86-baselibs-20140508-r12
-		!app-emulation/emul-linux-x86-baselibs[-abi_x86_32(-)]
-	)"
-
-RESTRICT="test"
-
-S="${WORKDIR}/${P}/${PN}"
-
-MULTILIB_CHOST_TOOLS=(
-	/usr/bin/nss-config
-)
-
-src_unpack() {
-	unpack ${A}
-	if use nss-pem ; then
-		mv "${PEM_P}"/nss/lib/ckfw/pem/ "${S}"/lib/ckfw/ || die
-	fi
-}
-
-src_prepare() {
-	# Custom changes for gentoo
-	epatch "${FILESDIR}/${PN}-3.17.1-gentoo-fixups.patch"
-	epatch "${FILESDIR}/${PN}-3.15-gentoo-fixup-warnings.patch"
-	use cacert && epatch "${DISTDIR}/${PN}-3.14.1-add_spi+cacerts_ca_certs.patch"
-	use nss-pem && epatch "${FILESDIR}/${PN}-3.15.4-enable-pem.patch"
-	epatch "${FILESDIR}/nss-3.14.2-solaris-gcc.patch"
-	epatch "${FILESDIR}/${PN}-cacert-class3.patch" # 521462
-
-	pushd coreconf >/dev/null || die
-	# hack nspr paths
-	echo 'INCLUDES += -I$(DIST)/include/dbm' \
-		>> headers.mk || die "failed to append include"
-
-	# modify install path
-	sed -e '/CORE_DEPTH/s:SOURCE_PREFIX.*$:SOURCE_PREFIX = $(CORE_DEPTH)/dist:' \
-		-i source.mk || die
-
-	# Respect LDFLAGS
-	sed -i -e 's/\$(MKSHLIB) -o/\$(MKSHLIB) \$(LDFLAGS) -o/g' rules.mk
-	popd >/dev/null || die
-
-	# Fix pkgconfig file for Prefix
-	sed -i -e "/^PREFIX =/s:= /usr:= ${EPREFIX}/usr:" \
-		config/Makefile || die
-
-	# use host shlibsign if need be #436216
-	if tc-is-cross-compiler ; then
-		sed -i \
-			-e 's:"${2}"/shlibsign:shlibsign:' \
-			cmd/shlibsign/sign.sh || die
-	fi
-
-	# dirty hack
-	sed -i -e "/CRYPTOLIB/s:\$(SOFTOKEN_LIB_DIR):../freebl/\$(OBJDIR):" \
-		lib/ssl/config.mk || die
-	sed -i -e "/CRYPTOLIB/s:\$(SOFTOKEN_LIB_DIR):../../lib/freebl/\$(OBJDIR):" \
-		cmd/platlibs.mk || die
-
-	multilib_copy_sources
-
-	strip-flags
-}
-
-multilib_src_configure() {
-	# Ensure we stay multilib aware
-	sed -i -e "/@libdir@/ s:lib64:$(get_libdir):" config/Makefile || die
-}
-
-nssarch() {
-	# Most of the arches are the same as $ARCH
-	local t=${1:-${CHOST}}
-	case ${t} in
-		aarch64*)echo "aarch64";;
-		hppa*)   echo "parisc";;
-		i?86*)   echo "i686";;
-		x86_64*) echo "x86_64";;
-		*)       tc-arch ${t};;
-	esac
-}
-
-nssbits() {
-	local cc cppflags="${1}CPPFLAGS" cflags="${1}CFLAGS"
-	if [[ ${1} == BUILD_ ]]; then
-		cc=$(tc-getBUILD_CC)
-	else
-		cc=$(tc-getCC)
-	fi
-	echo > "${T}"/test.c || die
-	${cc} ${!cppflags} ${!cflags} -c "${T}"/test.c -o "${T}/${1}test.o" || die
-	case $(file "${T}/${1}test.o") in
-		*32-bit*x86-64*) echo USE_X32=1;;
-		*64-bit*|*ppc64*|*x86_64*) echo USE_64=1;;
-		*32-bit*|*ppc*|*i386*) ;;
-		*) die "Failed to detect whether ${cc} builds 64bits or 32bits, disable distcc if you're using it, please";;
-	esac
-}
-
-multilib_src_compile() {
-	# use ABI to determine bit'ness, or fallback if unset
-	local buildbits mybits
-	case "${ABI}" in
-		n32) mybits="USE_N32=1";;
-		x32) mybits="USE_X32=1";;
-		s390x|*64) mybits="USE_64=1";;
-		${DEFAULT_ABI})
-			einfo "Running compilation test to determine bit'ness"
-			mybits=$(nssbits)
-			;;
-	esac
-	# bitness of host may differ from target
-	if tc-is-cross-compiler; then
-		buildbits=$(nssbits BUILD_)
-	fi
-
-	local makeargs=(
-		CC="$(tc-getCC)"
-		AR="$(tc-getAR) rc \$@"
-		RANLIB="$(tc-getRANLIB)"
-		OPTIMIZER=
-		${mybits}
-	)
-
-	# Take care of nspr settings #436216
-	local myCPPFLAGS="${CPPFLAGS} $($(tc-getPKG_CONFIG) nspr --cflags)"
-	unset NSPR_INCLUDE_DIR
-
-	# Do not let `uname` be used.
-	if use kernel_linux ; then
-		makeargs+=(
-			OS_TARGET=Linux
-			OS_RELEASE=2.6
-			OS_TEST="$(nssarch)"
-		)
-	fi
-
-	export BUILD_OPT=1
-	export NSS_USE_SYSTEM_SQLITE=1
-	export NSDISTMODE=copy
-	export NSS_ENABLE_ECC=1
-	export FREEBL_NO_DEPEND=1
-	export ASFLAGS=""
-
-	local d
-
-	# Build the host tools first.
-	LDFLAGS="${BUILD_LDFLAGS}" \
-	XCFLAGS="${BUILD_CFLAGS}" \
-	NSPR_LIB_DIR="${T}/fakedir" \
-	emake -j1 -C coreconf \
-		CC="$(tc-getBUILD_CC)" \
-		${buildbits:-${mybits}}
-	makeargs+=( NSINSTALL="${PWD}/$(find -type f -name nsinstall)" )
-
-	# Then build the target tools.
-	for d in . lib/dbm ; do
-		CPPFLAGS="${myCPPFLAGS}" \
-		XCFLAGS="${CFLAGS} ${CPPFLAGS}" \
-		NSPR_LIB_DIR="${T}/fakedir" \
-		emake -j1 "${makeargs[@]}" -C ${d}
-	done
-}
-
-# Altering these 3 libraries breaks the CHK verification.
-# All of the following cause it to break:
-# - stripping
-# - prelink
-# - ELF signing
-# http://www.mozilla.org/projects/security/pki/nss/tech-notes/tn6.html
-# Either we have to NOT strip them, or we have to forcibly resign after
-# stripping.
-#local_libdir="$(get_libdir)"
-#export STRIP_MASK="
-#	*/${local_libdir}/libfreebl3.so*
-#	*/${local_libdir}/libnssdbm3.so*
-#	*/${local_libdir}/libsoftokn3.so*"
-
-export NSS_CHK_SIGN_LIBS="freebl3 nssdbm3 softokn3"
-
-generate_chk() {
-	local shlibsign="$1"
-	local libdir="$2"
-	einfo "Resigning core NSS libraries for FIPS validation"
-	shift 2
-	local i
-	for i in ${NSS_CHK_SIGN_LIBS} ; do
-		local libname=lib${i}.so
-		local chkname=lib${i}.chk
-		"${shlibsign}" \
-			-i "${libdir}"/${libname} \
-			-o "${libdir}"/${chkname}.tmp \
-		&& mv -f \
-			"${libdir}"/${chkname}.tmp \
-			"${libdir}"/${chkname} \
-		|| die "Failed to sign ${libname}"
-	done
-}
-
-cleanup_chk() {
-	local libdir="$1"
-	shift 1
-	local i
-	for i in ${NSS_CHK_SIGN_LIBS} ; do
-		local libfname="${libdir}/lib${i}.so"
-		# If the major version has changed, then we have old chk files.
-		[ ! -f "${libfname}" -a -f "${libfname}.chk" ] \
-			&& rm -f "${libfname}.chk"
-	done
-}
-
-multilib_src_install() {
-	pushd dist >/dev/null || die
-
-	dodir /usr/$(get_libdir)
-	cp -L */lib/*$(get_libname) "${ED}"/usr/$(get_libdir) || die "copying shared libs failed"
-	cp -L */lib/libcrmf.a "${ED}"/usr/$(get_libdir) || die "copying libs failed"
-	cp -L */lib/libfreebl.a "${ED}"/usr/$(get_libdir) || die "copying libs failed"
-
-	# Install nss-config and pkgconfig file
-	dodir /usr/bin
-	cp -L */bin/nss-config "${ED}"/usr/bin || die
-	dodir /usr/$(get_libdir)/pkgconfig
-	cp -L */lib/pkgconfig/nss.pc "${ED}"/usr/$(get_libdir)/pkgconfig || die
-
-	# create an nss-softokn.pc from nss.pc for libfreebl and some private headers
-	# bug 517266
-	sed 	-e 's#Libs:#Libs: -lfreebl#' \
-		-e 's#Cflags:#Cflags: -I${includedir}/private#' \
-		*/lib/pkgconfig/nss.pc >"${ED}"/usr/$(get_libdir)/pkgconfig/nss-softokn.pc \
-		|| die "could not create nss-softokn.pc"
-
-	# all the include files
-	insinto /usr/include/nss
-	doins public/nss/*.h
-	insinto /usr/include/nss/private
-	doins private/nss/{blapi,alghmac}.h
-
-	popd >/dev/null || die
-
-	local f nssutils
-	# Always enabled because we need it for chk generation.
-	nssutils="shlibsign"
-
-	if multilib_is_native_abi ; then
-		if use utils; then
-			# The tests we do not need to install.
-			#nssutils_test="bltest crmftest dbtest dertimetest
-			#fipstest remtest sdrtest"
-			nssutils="addbuiltin atob baddbdir btoa certcgi certutil checkcert
-			cmsutil conflict crlutil derdump digest makepqg mangle modutil multinit
-			nonspr10 ocspclnt oidcalc p7content p7env p7sign p7verify pk11mode
-			pk12util pp rsaperf selfserv shlibsign signtool signver ssltap strsclnt
-			symkeyutil tstclnt vfychain vfyserv"
-			# install man-pages for utils (bug #516810)
-			doman doc/nroff/*.1
-		fi
-		pushd dist/*/bin >/dev/null || die
-		for f in ${nssutils}; do
-			dobin ${f}
-		done
-		popd >/dev/null || die
-	fi
-
-	# Prelink breaks the CHK files. We don't have any reliable way to run
-	# shlibsign after prelink.
-	local l libs=() liblist
-	for l in ${NSS_CHK_SIGN_LIBS} ; do
-		libs+=("${EPREFIX}/usr/$(get_libdir)/lib${l}.so")
-	done
-	liblist=$(printf '%s:' "${libs[@]}")
-	echo -e "PRELINK_PATH_MASK=${liblist%:}" > "${T}/90nss-${ABI}"
-	doenvd "${T}/90nss-${ABI}"
-}
-
-pkg_postinst() {
-	multilib_pkg_postinst() {
-		# We must re-sign the libraries AFTER they are stripped.
-		local shlibsign="${EROOT}/usr/bin/shlibsign"
-		# See if we can execute it (cross-compiling & such). #436216
-		"${shlibsign}" -h >&/dev/null
-		if [[ $? -gt 1 ]] ; then
-			shlibsign="shlibsign"
-		fi
-		generate_chk "${shlibsign}" "${EROOT}"/usr/$(get_libdir)
-	}
-
-	multilib_foreach_abi multilib_pkg_postinst
-}
-
-pkg_postrm() {
-	multilib_pkg_postrm() {
-		cleanup_chk "${EROOT}"/usr/$(get_libdir)
-	}
-
-	multilib_foreach_abi multilib_pkg_postrm
-}

diff --git a/dev-libs/nss/nss-3.27.1.ebuild b/dev-libs/nss/nss-3.27.1.ebuild
deleted file mode 100644
index 3e9034e..00000000
--- a/dev-libs/nss/nss-3.27.1.ebuild
+++ /dev/null
@@ -1,338 +0,0 @@
-# Copyright 1999-2016 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-# $Id$
-
-EAPI=6
-
-inherit eutils flag-o-matic multilib toolchain-funcs multilib-minimal
-
-NSPR_VER="4.12"
-RTM_NAME="NSS_${PV//./_}_RTM"
-# Rev of https://git.fedorahosted.org/cgit/nss-pem.git
-PEM_GIT_REV="429b0222759d8ad8e6dcd29e62875ae3efd69116"
-PEM_P="${PN}-pem-20160329"
-
-DESCRIPTION="Mozilla's Network Security Services library that implements PKI support"
-HOMEPAGE="http://www.mozilla.org/projects/security/pki/nss/"
-SRC_URI="https://archive.mozilla.org/pub/security/nss/releases/${RTM_NAME}/src/${P}.tar.gz
-	nss-pem? ( https://dev.gentoo.org/~polynomial-c/${PEM_P}.tar.xz )"
-
-LICENSE="|| ( MPL-2.0 GPL-2 LGPL-2.1 )"
-SLOT="0"
-KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~amd64-fbsd ~x86-fbsd ~amd64-linux ~x86-linux ~x86-macos ~sparc-solaris ~x64-solaris ~x86-solaris"
-IUSE="cacert +nss-pem utils"
-CDEPEND=">=dev-db/sqlite-3.8.2[${MULTILIB_USEDEP}]
-	>=sys-libs/zlib-1.2.8-r1[${MULTILIB_USEDEP}]"
-DEPEND=">=virtual/pkgconfig-0-r1[${MULTILIB_USEDEP}]
-	>=dev-libs/nspr-${NSPR_VER}[${MULTILIB_USEDEP}]
-	${CDEPEND}"
-RDEPEND=">=dev-libs/nspr-${NSPR_VER}[${MULTILIB_USEDEP}]
-	${CDEPEND}
-	abi_x86_32? (
-		!<=app-emulation/emul-linux-x86-baselibs-20140508-r12
-		!app-emulation/emul-linux-x86-baselibs[-abi_x86_32(-)]
-	)"
-
-RESTRICT="test"
-
-S="${WORKDIR}/${P}/${PN}"
-
-MULTILIB_CHOST_TOOLS=(
-	/usr/bin/nss-config
-)
-
-PATCHES=(
-	# Custom changes for gentoo
-	"${FILESDIR}/${PN}-3.21-gentoo-fixups.patch"
-	"${FILESDIR}/${PN}-3.21-gentoo-fixup-warnings.patch"
-	"${FILESDIR}/${PN}-3.23-hppa-byte_order.patch"
-)
-
-src_unpack() {
-	unpack ${A}
-	if use nss-pem ; then
-		mv "${PN}"/lib/ckfw/pem/ "${S}"/lib/ckfw/ || die
-	fi
-}
-
-src_prepare() {
-	if use nss-pem ; then
-		PATCHES+=(
-			"${FILESDIR}/${PN}-3.21-enable-pem.patch"
-		)
-	fi
-	if use cacert ; then #521462
-		PATCHES+=(
-			"${FILESDIR}/${PN}-3.21-cacert-class3.patch"
-		)
-	fi
-
-	default
-
-	pushd coreconf >/dev/null || die
-	# hack nspr paths
-	echo 'INCLUDES += -I$(DIST)/include/dbm' \
-		>> headers.mk || die "failed to append include"
-
-	# modify install path
-	sed -e '/CORE_DEPTH/s:SOURCE_PREFIX.*$:SOURCE_PREFIX = $(CORE_DEPTH)/dist:' \
-		-i source.mk || die
-
-	# Respect LDFLAGS
-	sed -i -e 's/\$(MKSHLIB) -o/\$(MKSHLIB) \$(LDFLAGS) -o/g' rules.mk
-	popd >/dev/null || die
-
-	# Fix pkgconfig file for Prefix
-	sed -i -e "/^PREFIX =/s:= /usr:= ${EPREFIX}/usr:" \
-		config/Makefile || die
-
-	# use host shlibsign if need be #436216
-	if tc-is-cross-compiler ; then
-		sed -i \
-			-e 's:"${2}"/shlibsign:shlibsign:' \
-			cmd/shlibsign/sign.sh || die
-	fi
-
-	# dirty hack
-	sed -i -e "/CRYPTOLIB/s:\$(SOFTOKEN_LIB_DIR):../freebl/\$(OBJDIR):" \
-		lib/ssl/config.mk || die
-	sed -i -e "/CRYPTOLIB/s:\$(SOFTOKEN_LIB_DIR):../../lib/freebl/\$(OBJDIR):" \
-		cmd/platlibs.mk || die
-
-	multilib_copy_sources
-
-	strip-flags
-}
-
-multilib_src_configure() {
-	# Ensure we stay multilib aware
-	sed -i -e "/@libdir@/ s:lib64:$(get_libdir):" config/Makefile || die
-}
-
-nssarch() {
-	# Most of the arches are the same as $ARCH
-	local t=${1:-${CHOST}}
-	case ${t} in
-		aarch64*)echo "aarch64";;
-		hppa*)   echo "parisc";;
-		i?86*)   echo "i686";;
-		x86_64*) echo "x86_64";;
-		*)       tc-arch ${t};;
-	esac
-}
-
-nssbits() {
-	local cc cppflags="${1}CPPFLAGS" cflags="${1}CFLAGS"
-	if [[ ${1} == BUILD_ ]]; then
-		cc=$(tc-getBUILD_CC)
-	else
-		cc=$(tc-getCC)
-	fi
-	echo > "${T}"/test.c || die
-	${cc} ${!cppflags} ${!cflags} -c "${T}"/test.c -o "${T}/${1}test.o" || die
-	case $(file "${T}/${1}test.o") in
-		*32-bit*x86-64*) echo USE_X32=1;;
-		*64-bit*|*ppc64*|*x86_64*) echo USE_64=1;;
-		*32-bit*|*ppc*|*i386*) ;;
-		*) die "Failed to detect whether ${cc} builds 64bits or 32bits, disable distcc if you're using it, please";;
-	esac
-}
-
-multilib_src_compile() {
-	# use ABI to determine bit'ness, or fallback if unset
-	local buildbits mybits
-	case "${ABI}" in
-		n32) mybits="USE_N32=1";;
-		x32) mybits="USE_X32=1";;
-		s390x|*64) mybits="USE_64=1";;
-		${DEFAULT_ABI})
-			einfo "Running compilation test to determine bit'ness"
-			mybits=$(nssbits)
-			;;
-	esac
-	# bitness of host may differ from target
-	if tc-is-cross-compiler; then
-		buildbits=$(nssbits BUILD_)
-	fi
-
-	local makeargs=(
-		CC="$(tc-getCC)"
-		AR="$(tc-getAR) rc \$@"
-		RANLIB="$(tc-getRANLIB)"
-		OPTIMIZER=
-		${mybits}
-	)
-
-	# Take care of nspr settings #436216
-	local myCPPFLAGS="${CPPFLAGS} $($(tc-getPKG_CONFIG) nspr --cflags)"
-	unset NSPR_INCLUDE_DIR
-
-	# Do not let `uname` be used.
-	if use kernel_linux ; then
-		makeargs+=(
-			OS_TARGET=Linux
-			OS_RELEASE=2.6
-			OS_TEST="$(nssarch)"
-		)
-	fi
-
-	export NSS_ENABLE_WERROR=0 #567158
-	export BUILD_OPT=1
-	export NSS_USE_SYSTEM_SQLITE=1
-	export NSDISTMODE=copy
-	export NSS_ENABLE_ECC=1
-	export FREEBL_NO_DEPEND=1
-	export ASFLAGS=""
-
-	local d
-
-	# Build the host tools first.
-	LDFLAGS="${BUILD_LDFLAGS}" \
-	XCFLAGS="${BUILD_CFLAGS}" \
-	NSPR_LIB_DIR="${T}/fakedir" \
-	emake -j1 -C coreconf \
-		CC="$(tc-getBUILD_CC)" \
-		${buildbits:-${mybits}}
-	makeargs+=( NSINSTALL="${PWD}/$(find -type f -name nsinstall)" )
-
-	# Then build the target tools.
-	for d in . lib/dbm ; do
-		CPPFLAGS="${myCPPFLAGS}" \
-		XCFLAGS="${CFLAGS} ${CPPFLAGS}" \
-		NSPR_LIB_DIR="${T}/fakedir" \
-		emake -j1 "${makeargs[@]}" -C ${d}
-	done
-}
-
-# Altering these 3 libraries breaks the CHK verification.
-# All of the following cause it to break:
-# - stripping
-# - prelink
-# - ELF signing
-# http://www.mozilla.org/projects/security/pki/nss/tech-notes/tn6.html
-# Either we have to NOT strip them, or we have to forcibly resign after
-# stripping.
-#local_libdir="$(get_libdir)"
-#export STRIP_MASK="
-#	*/${local_libdir}/libfreebl3.so*
-#	*/${local_libdir}/libnssdbm3.so*
-#	*/${local_libdir}/libsoftokn3.so*"
-
-export NSS_CHK_SIGN_LIBS="freebl3 nssdbm3 softokn3"
-
-generate_chk() {
-	local shlibsign="$1"
-	local libdir="$2"
-	einfo "Resigning core NSS libraries for FIPS validation"
-	shift 2
-	local i
-	for i in ${NSS_CHK_SIGN_LIBS} ; do
-		local libname=lib${i}.so
-		local chkname=lib${i}.chk
-		"${shlibsign}" \
-			-i "${libdir}"/${libname} \
-			-o "${libdir}"/${chkname}.tmp \
-		&& mv -f \
-			"${libdir}"/${chkname}.tmp \
-			"${libdir}"/${chkname} \
-		|| die "Failed to sign ${libname}"
-	done
-}
-
-cleanup_chk() {
-	local libdir="$1"
-	shift 1
-	local i
-	for i in ${NSS_CHK_SIGN_LIBS} ; do
-		local libfname="${libdir}/lib${i}.so"
-		# If the major version has changed, then we have old chk files.
-		[ ! -f "${libfname}" -a -f "${libfname}.chk" ] \
-			&& rm -f "${libfname}.chk"
-	done
-}
-
-multilib_src_install() {
-	pushd dist >/dev/null || die
-
-	dodir /usr/$(get_libdir)
-	cp -L */lib/*$(get_libname) "${ED}"/usr/$(get_libdir) || die "copying shared libs failed"
-	cp -L */lib/libcrmf.a "${ED}"/usr/$(get_libdir) || die "copying libs failed"
-	cp -L */lib/libfreebl.a "${ED}"/usr/$(get_libdir) || die "copying libs failed"
-
-	# Install nss-config and pkgconfig file
-	dodir /usr/bin
-	cp -L */bin/nss-config "${ED}"/usr/bin || die
-	dodir /usr/$(get_libdir)/pkgconfig
-	cp -L */lib/pkgconfig/nss.pc "${ED}"/usr/$(get_libdir)/pkgconfig || die
-
-	# create an nss-softokn.pc from nss.pc for libfreebl and some private headers
-	# bug 517266
-	sed 	-e 's#Libs:#Libs: -lfreebl#' \
-		-e 's#Cflags:#Cflags: -I${includedir}/private#' \
-		*/lib/pkgconfig/nss.pc >"${ED}"/usr/$(get_libdir)/pkgconfig/nss-softokn.pc \
-		|| die "could not create nss-softokn.pc"
-
-	# all the include files
-	insinto /usr/include/nss
-	doins public/nss/*.h
-	insinto /usr/include/nss/private
-	doins private/nss/{blapi,alghmac}.h
-
-	popd >/dev/null || die
-
-	local f nssutils
-	# Always enabled because we need it for chk generation.
-	nssutils="shlibsign"
-
-	if multilib_is_native_abi ; then
-		if use utils; then
-			# The tests we do not need to install.
-			#nssutils_test="bltest crmftest dbtest dertimetest
-			#fipstest remtest sdrtest"
-			# checkcert utils has been removed in nss-3.22:
-			# https://bugzilla.mozilla.org/show_bug.cgi?id=1187545
-			# https://hg.mozilla.org/projects/nss/rev/df1729d37870
-			nssutils="addbuiltin atob baddbdir btoa certcgi certutil
-			cmsutil conflict crlutil derdump digest makepqg mangle modutil multinit
-			nonspr10 ocspclnt oidcalc p7content p7env p7sign p7verify pk11mode
-			pk12util pp rsaperf selfserv shlibsign signtool signver ssltap strsclnt
-			symkeyutil tstclnt vfychain vfyserv"
-			# install man-pages for utils (bug #516810)
-			doman doc/nroff/*.1
-		fi
-		pushd dist/*/bin >/dev/null || die
-		for f in ${nssutils}; do
-			dobin ${f}
-		done
-		popd >/dev/null || die
-	fi
-
-	# Prelink breaks the CHK files. We don't have any reliable way to run
-	# shlibsign after prelink.
-	dodir /etc/prelink.conf.d
-	printf -- "-b ${EPREFIX}/usr/$(get_libdir)/lib%s.so\n" ${NSS_CHK_SIGN_LIBS} \
-		> "${ED}"/etc/prelink.conf.d/nss.conf
-}
-
-pkg_postinst() {
-	multilib_pkg_postinst() {
-		# We must re-sign the libraries AFTER they are stripped.
-		local shlibsign="${EROOT}/usr/bin/shlibsign"
-		# See if we can execute it (cross-compiling & such). #436216
-		"${shlibsign}" -h >&/dev/null
-		if [[ $? -gt 1 ]] ; then
-			shlibsign="shlibsign"
-		fi
-		generate_chk "${shlibsign}" "${EROOT}"/usr/$(get_libdir)
-	}
-
-	multilib_foreach_abi multilib_pkg_postinst
-}
-
-pkg_postrm() {
-	multilib_pkg_postrm() {
-		cleanup_chk "${EROOT}"/usr/$(get_libdir)
-	}
-
-	multilib_foreach_abi multilib_pkg_postrm
-}

diff --git a/dev-libs/nss/nss-3.27.ebuild b/dev-libs/nss/nss-3.27.ebuild
deleted file mode 100644
index 3e9034e..00000000
--- a/dev-libs/nss/nss-3.27.ebuild
+++ /dev/null
@@ -1,338 +0,0 @@
-# Copyright 1999-2016 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-# $Id$
-
-EAPI=6
-
-inherit eutils flag-o-matic multilib toolchain-funcs multilib-minimal
-
-NSPR_VER="4.12"
-RTM_NAME="NSS_${PV//./_}_RTM"
-# Rev of https://git.fedorahosted.org/cgit/nss-pem.git
-PEM_GIT_REV="429b0222759d8ad8e6dcd29e62875ae3efd69116"
-PEM_P="${PN}-pem-20160329"
-
-DESCRIPTION="Mozilla's Network Security Services library that implements PKI support"
-HOMEPAGE="http://www.mozilla.org/projects/security/pki/nss/"
-SRC_URI="https://archive.mozilla.org/pub/security/nss/releases/${RTM_NAME}/src/${P}.tar.gz
-	nss-pem? ( https://dev.gentoo.org/~polynomial-c/${PEM_P}.tar.xz )"
-
-LICENSE="|| ( MPL-2.0 GPL-2 LGPL-2.1 )"
-SLOT="0"
-KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~amd64-fbsd ~x86-fbsd ~amd64-linux ~x86-linux ~x86-macos ~sparc-solaris ~x64-solaris ~x86-solaris"
-IUSE="cacert +nss-pem utils"
-CDEPEND=">=dev-db/sqlite-3.8.2[${MULTILIB_USEDEP}]
-	>=sys-libs/zlib-1.2.8-r1[${MULTILIB_USEDEP}]"
-DEPEND=">=virtual/pkgconfig-0-r1[${MULTILIB_USEDEP}]
-	>=dev-libs/nspr-${NSPR_VER}[${MULTILIB_USEDEP}]
-	${CDEPEND}"
-RDEPEND=">=dev-libs/nspr-${NSPR_VER}[${MULTILIB_USEDEP}]
-	${CDEPEND}
-	abi_x86_32? (
-		!<=app-emulation/emul-linux-x86-baselibs-20140508-r12
-		!app-emulation/emul-linux-x86-baselibs[-abi_x86_32(-)]
-	)"
-
-RESTRICT="test"
-
-S="${WORKDIR}/${P}/${PN}"
-
-MULTILIB_CHOST_TOOLS=(
-	/usr/bin/nss-config
-)
-
-PATCHES=(
-	# Custom changes for gentoo
-	"${FILESDIR}/${PN}-3.21-gentoo-fixups.patch"
-	"${FILESDIR}/${PN}-3.21-gentoo-fixup-warnings.patch"
-	"${FILESDIR}/${PN}-3.23-hppa-byte_order.patch"
-)
-
-src_unpack() {
-	unpack ${A}
-	if use nss-pem ; then
-		mv "${PN}"/lib/ckfw/pem/ "${S}"/lib/ckfw/ || die
-	fi
-}
-
-src_prepare() {
-	if use nss-pem ; then
-		PATCHES+=(
-			"${FILESDIR}/${PN}-3.21-enable-pem.patch"
-		)
-	fi
-	if use cacert ; then #521462
-		PATCHES+=(
-			"${FILESDIR}/${PN}-3.21-cacert-class3.patch"
-		)
-	fi
-
-	default
-
-	pushd coreconf >/dev/null || die
-	# hack nspr paths
-	echo 'INCLUDES += -I$(DIST)/include/dbm' \
-		>> headers.mk || die "failed to append include"
-
-	# modify install path
-	sed -e '/CORE_DEPTH/s:SOURCE_PREFIX.*$:SOURCE_PREFIX = $(CORE_DEPTH)/dist:' \
-		-i source.mk || die
-
-	# Respect LDFLAGS
-	sed -i -e 's/\$(MKSHLIB) -o/\$(MKSHLIB) \$(LDFLAGS) -o/g' rules.mk
-	popd >/dev/null || die
-
-	# Fix pkgconfig file for Prefix
-	sed -i -e "/^PREFIX =/s:= /usr:= ${EPREFIX}/usr:" \
-		config/Makefile || die
-
-	# use host shlibsign if need be #436216
-	if tc-is-cross-compiler ; then
-		sed -i \
-			-e 's:"${2}"/shlibsign:shlibsign:' \
-			cmd/shlibsign/sign.sh || die
-	fi
-
-	# dirty hack
-	sed -i -e "/CRYPTOLIB/s:\$(SOFTOKEN_LIB_DIR):../freebl/\$(OBJDIR):" \
-		lib/ssl/config.mk || die
-	sed -i -e "/CRYPTOLIB/s:\$(SOFTOKEN_LIB_DIR):../../lib/freebl/\$(OBJDIR):" \
-		cmd/platlibs.mk || die
-
-	multilib_copy_sources
-
-	strip-flags
-}
-
-multilib_src_configure() {
-	# Ensure we stay multilib aware
-	sed -i -e "/@libdir@/ s:lib64:$(get_libdir):" config/Makefile || die
-}
-
-nssarch() {
-	# Most of the arches are the same as $ARCH
-	local t=${1:-${CHOST}}
-	case ${t} in
-		aarch64*)echo "aarch64";;
-		hppa*)   echo "parisc";;
-		i?86*)   echo "i686";;
-		x86_64*) echo "x86_64";;
-		*)       tc-arch ${t};;
-	esac
-}
-
-nssbits() {
-	local cc cppflags="${1}CPPFLAGS" cflags="${1}CFLAGS"
-	if [[ ${1} == BUILD_ ]]; then
-		cc=$(tc-getBUILD_CC)
-	else
-		cc=$(tc-getCC)
-	fi
-	echo > "${T}"/test.c || die
-	${cc} ${!cppflags} ${!cflags} -c "${T}"/test.c -o "${T}/${1}test.o" || die
-	case $(file "${T}/${1}test.o") in
-		*32-bit*x86-64*) echo USE_X32=1;;
-		*64-bit*|*ppc64*|*x86_64*) echo USE_64=1;;
-		*32-bit*|*ppc*|*i386*) ;;
-		*) die "Failed to detect whether ${cc} builds 64bits or 32bits, disable distcc if you're using it, please";;
-	esac
-}
-
-multilib_src_compile() {
-	# use ABI to determine bit'ness, or fallback if unset
-	local buildbits mybits
-	case "${ABI}" in
-		n32) mybits="USE_N32=1";;
-		x32) mybits="USE_X32=1";;
-		s390x|*64) mybits="USE_64=1";;
-		${DEFAULT_ABI})
-			einfo "Running compilation test to determine bit'ness"
-			mybits=$(nssbits)
-			;;
-	esac
-	# bitness of host may differ from target
-	if tc-is-cross-compiler; then
-		buildbits=$(nssbits BUILD_)
-	fi
-
-	local makeargs=(
-		CC="$(tc-getCC)"
-		AR="$(tc-getAR) rc \$@"
-		RANLIB="$(tc-getRANLIB)"
-		OPTIMIZER=
-		${mybits}
-	)
-
-	# Take care of nspr settings #436216
-	local myCPPFLAGS="${CPPFLAGS} $($(tc-getPKG_CONFIG) nspr --cflags)"
-	unset NSPR_INCLUDE_DIR
-
-	# Do not let `uname` be used.
-	if use kernel_linux ; then
-		makeargs+=(
-			OS_TARGET=Linux
-			OS_RELEASE=2.6
-			OS_TEST="$(nssarch)"
-		)
-	fi
-
-	export NSS_ENABLE_WERROR=0 #567158
-	export BUILD_OPT=1
-	export NSS_USE_SYSTEM_SQLITE=1
-	export NSDISTMODE=copy
-	export NSS_ENABLE_ECC=1
-	export FREEBL_NO_DEPEND=1
-	export ASFLAGS=""
-
-	local d
-
-	# Build the host tools first.
-	LDFLAGS="${BUILD_LDFLAGS}" \
-	XCFLAGS="${BUILD_CFLAGS}" \
-	NSPR_LIB_DIR="${T}/fakedir" \
-	emake -j1 -C coreconf \
-		CC="$(tc-getBUILD_CC)" \
-		${buildbits:-${mybits}}
-	makeargs+=( NSINSTALL="${PWD}/$(find -type f -name nsinstall)" )
-
-	# Then build the target tools.
-	for d in . lib/dbm ; do
-		CPPFLAGS="${myCPPFLAGS}" \
-		XCFLAGS="${CFLAGS} ${CPPFLAGS}" \
-		NSPR_LIB_DIR="${T}/fakedir" \
-		emake -j1 "${makeargs[@]}" -C ${d}
-	done
-}
-
-# Altering these 3 libraries breaks the CHK verification.
-# All of the following cause it to break:
-# - stripping
-# - prelink
-# - ELF signing
-# http://www.mozilla.org/projects/security/pki/nss/tech-notes/tn6.html
-# Either we have to NOT strip them, or we have to forcibly resign after
-# stripping.
-#local_libdir="$(get_libdir)"
-#export STRIP_MASK="
-#	*/${local_libdir}/libfreebl3.so*
-#	*/${local_libdir}/libnssdbm3.so*
-#	*/${local_libdir}/libsoftokn3.so*"
-
-export NSS_CHK_SIGN_LIBS="freebl3 nssdbm3 softokn3"
-
-generate_chk() {
-	local shlibsign="$1"
-	local libdir="$2"
-	einfo "Resigning core NSS libraries for FIPS validation"
-	shift 2
-	local i
-	for i in ${NSS_CHK_SIGN_LIBS} ; do
-		local libname=lib${i}.so
-		local chkname=lib${i}.chk
-		"${shlibsign}" \
-			-i "${libdir}"/${libname} \
-			-o "${libdir}"/${chkname}.tmp \
-		&& mv -f \
-			"${libdir}"/${chkname}.tmp \
-			"${libdir}"/${chkname} \
-		|| die "Failed to sign ${libname}"
-	done
-}
-
-cleanup_chk() {
-	local libdir="$1"
-	shift 1
-	local i
-	for i in ${NSS_CHK_SIGN_LIBS} ; do
-		local libfname="${libdir}/lib${i}.so"
-		# If the major version has changed, then we have old chk files.
-		[ ! -f "${libfname}" -a -f "${libfname}.chk" ] \
-			&& rm -f "${libfname}.chk"
-	done
-}
-
-multilib_src_install() {
-	pushd dist >/dev/null || die
-
-	dodir /usr/$(get_libdir)
-	cp -L */lib/*$(get_libname) "${ED}"/usr/$(get_libdir) || die "copying shared libs failed"
-	cp -L */lib/libcrmf.a "${ED}"/usr/$(get_libdir) || die "copying libs failed"
-	cp -L */lib/libfreebl.a "${ED}"/usr/$(get_libdir) || die "copying libs failed"
-
-	# Install nss-config and pkgconfig file
-	dodir /usr/bin
-	cp -L */bin/nss-config "${ED}"/usr/bin || die
-	dodir /usr/$(get_libdir)/pkgconfig
-	cp -L */lib/pkgconfig/nss.pc "${ED}"/usr/$(get_libdir)/pkgconfig || die
-
-	# create an nss-softokn.pc from nss.pc for libfreebl and some private headers
-	# bug 517266
-	sed 	-e 's#Libs:#Libs: -lfreebl#' \
-		-e 's#Cflags:#Cflags: -I${includedir}/private#' \
-		*/lib/pkgconfig/nss.pc >"${ED}"/usr/$(get_libdir)/pkgconfig/nss-softokn.pc \
-		|| die "could not create nss-softokn.pc"
-
-	# all the include files
-	insinto /usr/include/nss
-	doins public/nss/*.h
-	insinto /usr/include/nss/private
-	doins private/nss/{blapi,alghmac}.h
-
-	popd >/dev/null || die
-
-	local f nssutils
-	# Always enabled because we need it for chk generation.
-	nssutils="shlibsign"
-
-	if multilib_is_native_abi ; then
-		if use utils; then
-			# The tests we do not need to install.
-			#nssutils_test="bltest crmftest dbtest dertimetest
-			#fipstest remtest sdrtest"
-			# checkcert utils has been removed in nss-3.22:
-			# https://bugzilla.mozilla.org/show_bug.cgi?id=1187545
-			# https://hg.mozilla.org/projects/nss/rev/df1729d37870
-			nssutils="addbuiltin atob baddbdir btoa certcgi certutil
-			cmsutil conflict crlutil derdump digest makepqg mangle modutil multinit
-			nonspr10 ocspclnt oidcalc p7content p7env p7sign p7verify pk11mode
-			pk12util pp rsaperf selfserv shlibsign signtool signver ssltap strsclnt
-			symkeyutil tstclnt vfychain vfyserv"
-			# install man-pages for utils (bug #516810)
-			doman doc/nroff/*.1
-		fi
-		pushd dist/*/bin >/dev/null || die
-		for f in ${nssutils}; do
-			dobin ${f}
-		done
-		popd >/dev/null || die
-	fi
-
-	# Prelink breaks the CHK files. We don't have any reliable way to run
-	# shlibsign after prelink.
-	dodir /etc/prelink.conf.d
-	printf -- "-b ${EPREFIX}/usr/$(get_libdir)/lib%s.so\n" ${NSS_CHK_SIGN_LIBS} \
-		> "${ED}"/etc/prelink.conf.d/nss.conf
-}
-
-pkg_postinst() {
-	multilib_pkg_postinst() {
-		# We must re-sign the libraries AFTER they are stripped.
-		local shlibsign="${EROOT}/usr/bin/shlibsign"
-		# See if we can execute it (cross-compiling & such). #436216
-		"${shlibsign}" -h >&/dev/null
-		if [[ $? -gt 1 ]] ; then
-			shlibsign="shlibsign"
-		fi
-		generate_chk "${shlibsign}" "${EROOT}"/usr/$(get_libdir)
-	}
-
-	multilib_foreach_abi multilib_pkg_postinst
-}
-
-pkg_postrm() {
-	multilib_pkg_postrm() {
-		cleanup_chk "${EROOT}"/usr/$(get_libdir)
-	}
-
-	multilib_foreach_abi multilib_pkg_postrm
-}


^ permalink raw reply related	[flat|nested] 19+ messages in thread
* [gentoo-commits] repo/gentoo:master commit in: dev-libs/nss/, dev-libs/nss/files/
@ 2016-12-23  9:57 Lars Wendler
  0 siblings, 0 replies; 19+ messages in thread
From: Lars Wendler @ 2016-12-23  9:57 UTC (permalink / raw
  To: gentoo-commits

commit:     f1941b3190d2accaef1639ccf407f94a2a12f647
Author:     Lars Wendler <polynomial-c <AT> gentoo <DOT> org>
AuthorDate: Fri Dec 23 09:52:32 2016 +0000
Commit:     Lars Wendler <polynomial-c <AT> gentoo <DOT> org>
CommitDate: Fri Dec 23 09:52:32 2016 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f1941b31

dev-libs/nss: Bump to version 3.28

Package-Manager: Portage-2.3.3, Repoman-2.3.1

 dev-libs/nss/Manifest                           |   1 +
 dev-libs/nss/files/nss-3.28-gentoo-fixups.patch | 241 +++++++++++++++++
 dev-libs/nss/nss-3.28.ebuild                    | 339 ++++++++++++++++++++++++
 3 files changed, 581 insertions(+)

diff --git a/dev-libs/nss/Manifest b/dev-libs/nss/Manifest
index 998387a..fa1784d 100644
--- a/dev-libs/nss/Manifest
+++ b/dev-libs/nss/Manifest
@@ -7,6 +7,7 @@ DIST nss-3.26.1.tar.gz 7387756 SHA256 abebb079288e4b0d34648a1fcdba8564ac05b29f5f
 DIST nss-3.27.1.tar.gz 7397737 SHA256 fd3637a1930cd838239a89633a7ed9a18859ae9b599043f3a18f726dc4ec2a6b SHA512 b52bc18e42cab78a325a8c4fcf2894ca879cecbb657a852baf460551ed9727f145bc328ebb61a43a1605b457f923a1495707ac4aee27be70220463818ed8db8d WHIRLPOOL 17174b7d43bd82b9e805d653a7ea8b79bc2647a5891806c1cb77e2ac99e40eb64ffee03e105a41c375ba37e26cafeff4bd4bad27c48e94ed388d0215d0545364
 DIST nss-3.27.2.tar.gz 7397599 SHA256 dc8ac8524469d0230274fd13a53fdcd74efe4aa67205dde1a4a92be87dc28524 SHA512 699847665e93fd649cb60ce6bc8f849f452779e7232a09bbeb0613f9e6c57bb81948f1ae59cc86648e41a212cda259109850ccd14546d35910deb75f5d2a13b8 WHIRLPOOL 08229d87de1c7020c1d7fc12fb8a2afc4bc9ab9f0208aad12698aba17386fbe9163cb506101c7d4d568409fd99141fb88c0e71fc32cecbc6640a4a8f7a4efabf
 DIST nss-3.27.tar.gz 7397210 SHA256 021aa936b06f5815474dd5c137f2325b3fe06caa38d9798ca53ec30b537301fa SHA512 a79c31d3ade72897928cdb1cfbf9236ea781fb1951904f2f5d9688afc4e55722ba75ea5a46622d1fa45d55bb2666d05a0df3a2c2ac16ce53335722618523c272 WHIRLPOOL 16277ba6cb3c71afeab7a5ce92ba0b3c0ec8622edc87bb1fe48dad86a910fa71a09db4c83ec8a973a048c5b925dbad2bc9d6361a66b94744479c47364e7ad5c5
+DIST nss-3.28.tar.gz 7440502 SHA256 c79dd15f66f581c294ce0ef032119357d03fee3a0aa61be263747d84f1b33254 SHA512 dd442c6d04edd0507cc49a1e3c2bfaa64555f7cde5cb9e512ccf33f14de458dddbb17efddd83271056ed6e6e32327e6e1b6f6609e1910a05e625b08e6f0965df WHIRLPOOL d013972f18d75e83da03c3903b712ef1094e6b8543c1755ea2b7ed7f6335e39ac20112808c86bb9df74cda4a8c5c1159401ecd05d1d8b07b3ecdca85f7f0ac82
 DIST nss-cacert-class1-class3.patch 22950 SHA256 6bba29cee34276e2ca6436dabedfeba2b61fb46668c5d5ceabf0c871574649bf SHA512 a5aa740bf110a3f0262e3f1ef2fc739ac2b44f042e220039d48aee8e97cd764d5c10718220364f4098aba955882bd02cadb5481512388971a8290312f88a7df0 WHIRLPOOL 1246223b01292604e5609bb9c580f092dc5937bf8c98f6891b099e8bab960e03612b6617e30a55d6ff8817d88f190e03812fe8f89f84f25c20970493dc2f7700
 DIST nss-pem-015ae754dd9f6fbcd7e52030ec9732eb27fc06a8.tar.bz2 27506 SHA256 50d9ec26a75835e900302f631456e278e13d4b435b8f98aa69f79dd439ddc6ab SHA512 0158a140f112a905f7db5a4f4d04f49f6742db1d2665ddf6c32913c367f0b93a57f86ba13b9883a42a528aff44c48196941d7c0fd7a27005db6adaf07802e501 WHIRLPOOL 279ef11d2d6f0cb7c192189d64bc6971cdada7417b93a65a3ff0ba4548b736b53b9812803024c2349114e94e0864f2b58c23812687ed3f75cf28334b0f6e11ac
 DIST nss-pem-20140125.tar.bz2 28805 SHA256 62604dfc4178399a804e87ca7566d8316a0a40a535de3b2d0fa48fd80c97f768 SHA512 352faf812735e1374c534ada6dd577842603ea193dafaacfd51f201599ffe3f7a23ce1c673421e42f8b692091b58085f90843c29f70ae916949715e7baba2b39 WHIRLPOOL 3ae81410f6f4d2699e9dc55982cad03c226045fbeee25984d53d37ff78ce5c96d008d6837e1c0a10b6c96cdff17c21142e437159896d314e81afc8820867ca62

diff --git a/dev-libs/nss/files/nss-3.28-gentoo-fixups.patch b/dev-libs/nss/files/nss-3.28-gentoo-fixups.patch
new file mode 100644
index 00000000..69aa652
--- /dev/null
+++ b/dev-libs/nss/files/nss-3.28-gentoo-fixups.patch
@@ -0,0 +1,241 @@
+--- nss/config/Makefile
++++ nss/config/Makefile
+@@ -0,0 +1,40 @@
++CORE_DEPTH = ..
++DEPTH      = ..
++
++include $(CORE_DEPTH)/coreconf/config.mk
++
++NSS_MAJOR_VERSION = `grep "NSS_VMAJOR" ../lib/nss/nss.h | awk '{print $$3}'`
++NSS_MINOR_VERSION = `grep "NSS_VMINOR" ../lib/nss/nss.h | awk '{print $$3}'`
++NSS_PATCH_VERSION = `grep "NSS_VPATCH" ../lib/nss/nss.h | awk '{print $$3}'`
++PREFIX = /usr
++
++all: export libs
++
++export:
++	# Create the nss.pc file
++	mkdir -p $(DIST)/lib/pkgconfig
++	sed -e "s,@prefix@,$(PREFIX)," \
++	    -e "s,@exec_prefix@,\$${prefix}," \
++	    -e "s,@libdir@,\$${prefix}/lib64," \
++	    -e "s,@includedir@,\$${prefix}/include/nss," \
++	    -e "s,@NSS_MAJOR_VERSION@,$(NSS_MAJOR_VERSION),g" \
++	    -e "s,@NSS_MINOR_VERSION@,$(NSS_MINOR_VERSION)," \
++	    -e "s,@NSS_PATCH_VERSION@,$(NSS_PATCH_VERSION)," \
++	    nss.pc.in > nss.pc
++	chmod 0644 nss.pc
++	ln -sf ../../../../config/nss.pc $(DIST)/lib/pkgconfig
++
++	# Create the nss-config script
++	mkdir -p $(DIST)/bin
++	sed -e "s,@prefix@,$(PREFIX)," \
++	    -e "s,@NSS_MAJOR_VERSION@,$(NSS_MAJOR_VERSION)," \
++	    -e "s,@NSS_MINOR_VERSION@,$(NSS_MINOR_VERSION)," \
++	    -e "s,@NSS_PATCH_VERSION@,$(NSS_PATCH_VERSION)," \
++	    nss-config.in > nss-config
++	chmod 0755 nss-config
++	ln -sf ../../../config/nss-config $(DIST)/bin
++
++libs:
++
++dummy: all export libs
++
+--- nss/config/nss-config.in
++++ nss/config/nss-config.in
+@@ -0,0 +1,145 @@
++#!/bin/sh
++
++prefix=@prefix@
++
++major_version=@NSS_MAJOR_VERSION@
++minor_version=@NSS_MINOR_VERSION@
++patch_version=@NSS_PATCH_VERSION@
++
++usage()
++{
++	cat <<EOF
++Usage: nss-config [OPTIONS] [LIBRARIES]
++Options:
++	[--prefix[=DIR]]
++	[--exec-prefix[=DIR]]
++	[--includedir[=DIR]]
++	[--libdir[=DIR]]
++	[--version]
++	[--libs]
++	[--cflags]
++Dynamic Libraries:
++	nss
++	ssl
++	smime
++	nssutil
++EOF
++	exit $1
++}
++
++if test $# -eq 0; then
++	usage 1 1>&2
++fi
++
++lib_ssl=yes
++lib_smime=yes
++lib_nss=yes
++lib_nssutil=yes
++
++while test $# -gt 0; do
++  case "$1" in
++  -*=*) optarg=`echo "$1" | sed 's/[-_a-zA-Z0-9]*=//'` ;;
++  *) optarg= ;;
++  esac
++
++  case $1 in
++    --prefix=*)
++      prefix=$optarg
++      ;;
++    --prefix)
++      echo_prefix=yes
++      ;;
++    --exec-prefix=*)
++      exec_prefix=$optarg
++      ;;
++    --exec-prefix)
++      echo_exec_prefix=yes
++      ;;
++    --includedir=*)
++      includedir=$optarg
++      ;;
++    --includedir)
++      echo_includedir=yes
++      ;;
++    --libdir=*)
++      libdir=$optarg
++      ;;
++    --libdir)
++      echo_libdir=yes
++      ;;
++    --version)
++      echo ${major_version}.${minor_version}.${patch_version}
++      ;;
++    --cflags)
++      echo_cflags=yes
++      ;;
++    --libs)
++      echo_libs=yes
++      ;;
++    ssl)
++      lib_ssl=yes
++      ;;
++    smime)
++      lib_smime=yes
++      ;;
++    nss)
++      lib_nss=yes
++      ;;
++    nssutil)                                                      
++      lib_nssutil=yes                                             
++      ;;
++    *)
++      usage 1 1>&2
++      ;;
++  esac
++  shift
++done
++
++# Set variables that may be dependent upon other variables
++if test -z "$exec_prefix"; then
++    exec_prefix=`pkg-config --variable=exec_prefix nss`
++fi
++if test -z "$includedir"; then
++    includedir=`pkg-config --variable=includedir nss`
++fi
++if test -z "$libdir"; then
++    libdir=`pkg-config --variable=libdir nss`
++fi
++
++if test "$echo_prefix" = "yes"; then
++    echo $prefix
++fi
++
++if test "$echo_exec_prefix" = "yes"; then
++    echo $exec_prefix
++fi
++
++if test "$echo_includedir" = "yes"; then
++    echo $includedir
++fi
++
++if test "$echo_libdir" = "yes"; then
++    echo $libdir
++fi
++
++if test "$echo_cflags" = "yes"; then
++    echo -I$includedir
++fi
++
++if test "$echo_libs" = "yes"; then
++      libdirs=""
++      if test -n "$lib_ssl"; then
++	libdirs="$libdirs -lssl${major_version}"
++      fi
++      if test -n "$lib_smime"; then
++	libdirs="$libdirs -lsmime${major_version}"
++      fi
++      if test -n "$lib_nss"; then
++	libdirs="$libdirs -lnss${major_version}"
++      fi
++      if test -n "$lib_nssutil"; then
++       libdirs="$libdirs -lnssutil${major_version}"
++      fi
++      echo $libdirs
++fi      
++
+--- nss/config/nss.pc.in
++++ nss/config/nss.pc.in
+@@ -0,0 +1,12 @@
++prefix=@prefix@
++exec_prefix=@exec_prefix@
++libdir=@libdir@
++includedir=@includedir@
++
++Name: NSS
++Description: Network Security Services
++Version: @NSS_MAJOR_VERSION@.@NSS_MINOR_VERSION@.@NSS_PATCH_VERSION@
++Requires: nspr >= 4.8
++Libs: -lssl3 -lsmime3 -lnss3 -lnssutil3
++Cflags: -I${includedir}
++
+--- nss/Makefile
++++ nss/Makefile
+@@ -46,7 +46,7 @@
+ # (7) Execute "local" rules. (OPTIONAL).                              #
+ #######################################################################
+ 
+-nss_build_all: build_nspr all latest
++nss_build_all: all latest
+ 
+ nss_clean_all: clobber_nspr clobber
+ 
+@@ -143,15 +143,6 @@
+ 	--prefix='$(NSS_GYP_PREFIX)'
+ endif
+ 
+-build_nspr: $(NSPR_CONFIG_STATUS)
+-	$(MAKE) -C $(CORE_DEPTH)/../nspr/$(OBJDIR_NAME)
+-
+-install_nspr: build_nspr
+-	$(MAKE) -C $(CORE_DEPTH)/../nspr/$(OBJDIR_NAME) install
+-
+-clobber_nspr: $(NSPR_CONFIG_STATUS)
+-	$(MAKE) -C $(CORE_DEPTH)/../nspr/$(OBJDIR_NAME) clobber
+-
+ build_docs:
+ 	$(MAKE) -C $(CORE_DEPTH)/doc
+ 
+--- nss/manifest.mn
++++ nss/manifest.mn
+@@ -10,4 +10,4 @@
+ 
+ RELEASE = nss
+ 
+-DIRS = coreconf lib cmd gtests
++DIRS = coreconf lib cmd config

diff --git a/dev-libs/nss/nss-3.28.ebuild b/dev-libs/nss/nss-3.28.ebuild
new file mode 100644
index 00000000..5b74267
--- /dev/null
+++ b/dev-libs/nss/nss-3.28.ebuild
@@ -0,0 +1,339 @@
+# Copyright 1999-2016 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+EAPI=6
+
+inherit eutils flag-o-matic multilib toolchain-funcs multilib-minimal
+
+NSPR_VER="4.12"
+RTM_NAME="NSS_${PV//./_}_RTM"
+# Rev of https://git.fedorahosted.org/cgit/nss-pem.git
+PEM_GIT_REV="429b0222759d8ad8e6dcd29e62875ae3efd69116"
+PEM_P="${PN}-pem-20160329"
+
+DESCRIPTION="Mozilla's Network Security Services library that implements PKI support"
+HOMEPAGE="http://www.mozilla.org/projects/security/pki/nss/"
+SRC_URI="https://archive.mozilla.org/pub/security/nss/releases/${RTM_NAME}/src/${P}.tar.gz
+	cacert? ( https://dev.gentoo.org/~axs/distfiles/${PN}-cacert-class1-class3.patch )
+	nss-pem? ( https://dev.gentoo.org/~polynomial-c/${PEM_P}.tar.xz )"
+
+LICENSE="|| ( MPL-2.0 GPL-2 LGPL-2.1 )"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~amd64-fbsd ~x86-fbsd ~amd64-linux ~x86-linux ~x86-macos ~sparc-solaris ~x64-solaris ~x86-solaris"
+IUSE="cacert +nss-pem utils"
+CDEPEND=">=dev-db/sqlite-3.8.2[${MULTILIB_USEDEP}]
+	>=sys-libs/zlib-1.2.8-r1[${MULTILIB_USEDEP}]"
+DEPEND=">=virtual/pkgconfig-0-r1[${MULTILIB_USEDEP}]
+	>=dev-libs/nspr-${NSPR_VER}[${MULTILIB_USEDEP}]
+	${CDEPEND}"
+RDEPEND=">=dev-libs/nspr-${NSPR_VER}[${MULTILIB_USEDEP}]
+	${CDEPEND}
+	abi_x86_32? (
+		!<=app-emulation/emul-linux-x86-baselibs-20140508-r12
+		!app-emulation/emul-linux-x86-baselibs[-abi_x86_32(-)]
+	)"
+
+RESTRICT="test"
+
+S="${WORKDIR}/${P}/${PN}"
+
+MULTILIB_CHOST_TOOLS=(
+	/usr/bin/nss-config
+)
+
+PATCHES=(
+	# Custom changes for gentoo
+	"${FILESDIR}/${PN}-3.28-gentoo-fixups.patch"
+	"${FILESDIR}/${PN}-3.21-gentoo-fixup-warnings.patch"
+	"${FILESDIR}/${PN}-3.23-hppa-byte_order.patch"
+)
+
+src_unpack() {
+	unpack ${A}
+	if use nss-pem ; then
+		mv "${PN}"/lib/ckfw/pem/ "${S}"/lib/ckfw/ || die
+	fi
+}
+
+src_prepare() {
+	if use nss-pem ; then
+		PATCHES+=(
+			"${FILESDIR}/${PN}-3.21-enable-pem.patch"
+		)
+	fi
+	if use cacert ; then #521462
+		PATCHES+=(
+			"${DISTDIR}/${PN}-cacert-class1-class3.patch"
+		)
+	fi
+
+	default
+
+	pushd coreconf >/dev/null || die
+	# hack nspr paths
+	echo 'INCLUDES += -I$(DIST)/include/dbm' \
+		>> headers.mk || die "failed to append include"
+
+	# modify install path
+	sed -e '/CORE_DEPTH/s:SOURCE_PREFIX.*$:SOURCE_PREFIX = $(CORE_DEPTH)/dist:' \
+		-i source.mk || die
+
+	# Respect LDFLAGS
+	sed -i -e 's/\$(MKSHLIB) -o/\$(MKSHLIB) \$(LDFLAGS) -o/g' rules.mk
+	popd >/dev/null || die
+
+	# Fix pkgconfig file for Prefix
+	sed -i -e "/^PREFIX =/s:= /usr:= ${EPREFIX}/usr:" \
+		config/Makefile || die
+
+	# use host shlibsign if need be #436216
+	if tc-is-cross-compiler ; then
+		sed -i \
+			-e 's:"${2}"/shlibsign:shlibsign:' \
+			cmd/shlibsign/sign.sh || die
+	fi
+
+	# dirty hack
+	sed -i -e "/CRYPTOLIB/s:\$(SOFTOKEN_LIB_DIR):../freebl/\$(OBJDIR):" \
+		lib/ssl/config.mk || die
+	sed -i -e "/CRYPTOLIB/s:\$(SOFTOKEN_LIB_DIR):../../lib/freebl/\$(OBJDIR):" \
+		cmd/platlibs.mk || die
+
+	multilib_copy_sources
+
+	strip-flags
+}
+
+multilib_src_configure() {
+	# Ensure we stay multilib aware
+	sed -i -e "/@libdir@/ s:lib64:$(get_libdir):" config/Makefile || die
+}
+
+nssarch() {
+	# Most of the arches are the same as $ARCH
+	local t=${1:-${CHOST}}
+	case ${t} in
+		aarch64*)echo "aarch64";;
+		hppa*)   echo "parisc";;
+		i?86*)   echo "i686";;
+		x86_64*) echo "x86_64";;
+		*)       tc-arch ${t};;
+	esac
+}
+
+nssbits() {
+	local cc cppflags="${1}CPPFLAGS" cflags="${1}CFLAGS"
+	if [[ ${1} == BUILD_ ]]; then
+		cc=$(tc-getBUILD_CC)
+	else
+		cc=$(tc-getCC)
+	fi
+	echo > "${T}"/test.c || die
+	${cc} ${!cppflags} ${!cflags} -c "${T}"/test.c -o "${T}/${1}test.o" || die
+	case $(file "${T}/${1}test.o") in
+		*32-bit*x86-64*) echo USE_X32=1;;
+		*64-bit*|*ppc64*|*x86_64*) echo USE_64=1;;
+		*32-bit*|*ppc*|*i386*) ;;
+		*) die "Failed to detect whether ${cc} builds 64bits or 32bits, disable distcc if you're using it, please";;
+	esac
+}
+
+multilib_src_compile() {
+	# use ABI to determine bit'ness, or fallback if unset
+	local buildbits mybits
+	case "${ABI}" in
+		n32) mybits="USE_N32=1";;
+		x32) mybits="USE_X32=1";;
+		s390x|*64) mybits="USE_64=1";;
+		${DEFAULT_ABI})
+			einfo "Running compilation test to determine bit'ness"
+			mybits=$(nssbits)
+			;;
+	esac
+	# bitness of host may differ from target
+	if tc-is-cross-compiler; then
+		buildbits=$(nssbits BUILD_)
+	fi
+
+	local makeargs=(
+		CC="$(tc-getCC)"
+		AR="$(tc-getAR) rc \$@"
+		RANLIB="$(tc-getRANLIB)"
+		OPTIMIZER=
+		${mybits}
+	)
+
+	# Take care of nspr settings #436216
+	local myCPPFLAGS="${CPPFLAGS} $($(tc-getPKG_CONFIG) nspr --cflags)"
+	unset NSPR_INCLUDE_DIR
+
+	# Do not let `uname` be used.
+	if use kernel_linux ; then
+		makeargs+=(
+			OS_TARGET=Linux
+			OS_RELEASE=2.6
+			OS_TEST="$(nssarch)"
+		)
+	fi
+
+	export NSS_ENABLE_WERROR=0 #567158
+	export BUILD_OPT=1
+	export NSS_USE_SYSTEM_SQLITE=1
+	export NSDISTMODE=copy
+	export NSS_ENABLE_ECC=1
+	export FREEBL_NO_DEPEND=1
+	export ASFLAGS=""
+
+	local d
+
+	# Build the host tools first.
+	LDFLAGS="${BUILD_LDFLAGS}" \
+	XCFLAGS="${BUILD_CFLAGS}" \
+	NSPR_LIB_DIR="${T}/fakedir" \
+	emake -j1 -C coreconf \
+		CC="$(tc-getBUILD_CC)" \
+		${buildbits:-${mybits}}
+	makeargs+=( NSINSTALL="${PWD}/$(find -type f -name nsinstall)" )
+
+	# Then build the target tools.
+	for d in . lib/dbm ; do
+		CPPFLAGS="${myCPPFLAGS}" \
+		XCFLAGS="${CFLAGS} ${CPPFLAGS}" \
+		NSPR_LIB_DIR="${T}/fakedir" \
+		emake -j1 "${makeargs[@]}" -C ${d}
+	done
+}
+
+# Altering these 3 libraries breaks the CHK verification.
+# All of the following cause it to break:
+# - stripping
+# - prelink
+# - ELF signing
+# http://www.mozilla.org/projects/security/pki/nss/tech-notes/tn6.html
+# Either we have to NOT strip them, or we have to forcibly resign after
+# stripping.
+#local_libdir="$(get_libdir)"
+#export STRIP_MASK="
+#	*/${local_libdir}/libfreebl3.so*
+#	*/${local_libdir}/libnssdbm3.so*
+#	*/${local_libdir}/libsoftokn3.so*"
+
+export NSS_CHK_SIGN_LIBS="freebl3 nssdbm3 softokn3"
+
+generate_chk() {
+	local shlibsign="$1"
+	local libdir="$2"
+	einfo "Resigning core NSS libraries for FIPS validation"
+	shift 2
+	local i
+	for i in ${NSS_CHK_SIGN_LIBS} ; do
+		local libname=lib${i}.so
+		local chkname=lib${i}.chk
+		"${shlibsign}" \
+			-i "${libdir}"/${libname} \
+			-o "${libdir}"/${chkname}.tmp \
+		&& mv -f \
+			"${libdir}"/${chkname}.tmp \
+			"${libdir}"/${chkname} \
+		|| die "Failed to sign ${libname}"
+	done
+}
+
+cleanup_chk() {
+	local libdir="$1"
+	shift 1
+	local i
+	for i in ${NSS_CHK_SIGN_LIBS} ; do
+		local libfname="${libdir}/lib${i}.so"
+		# If the major version has changed, then we have old chk files.
+		[ ! -f "${libfname}" -a -f "${libfname}.chk" ] \
+			&& rm -f "${libfname}.chk"
+	done
+}
+
+multilib_src_install() {
+	pushd dist >/dev/null || die
+
+	dodir /usr/$(get_libdir)
+	cp -L */lib/*$(get_libname) "${ED}"/usr/$(get_libdir) || die "copying shared libs failed"
+	cp -L */lib/libcrmf.a "${ED}"/usr/$(get_libdir) || die "copying libs failed"
+	cp -L */lib/libfreebl.a "${ED}"/usr/$(get_libdir) || die "copying libs failed"
+
+	# Install nss-config and pkgconfig file
+	dodir /usr/bin
+	cp -L */bin/nss-config "${ED}"/usr/bin || die
+	dodir /usr/$(get_libdir)/pkgconfig
+	cp -L */lib/pkgconfig/nss.pc "${ED}"/usr/$(get_libdir)/pkgconfig || die
+
+	# create an nss-softokn.pc from nss.pc for libfreebl and some private headers
+	# bug 517266
+	sed 	-e 's#Libs:#Libs: -lfreebl#' \
+		-e 's#Cflags:#Cflags: -I${includedir}/private#' \
+		*/lib/pkgconfig/nss.pc >"${ED}"/usr/$(get_libdir)/pkgconfig/nss-softokn.pc \
+		|| die "could not create nss-softokn.pc"
+
+	# all the include files
+	insinto /usr/include/nss
+	doins public/nss/*.h
+	insinto /usr/include/nss/private
+	doins private/nss/{blapi,alghmac}.h
+
+	popd >/dev/null || die
+
+	local f nssutils
+	# Always enabled because we need it for chk generation.
+	nssutils="shlibsign"
+
+	if multilib_is_native_abi ; then
+		if use utils; then
+			# The tests we do not need to install.
+			#nssutils_test="bltest crmftest dbtest dertimetest
+			#fipstest remtest sdrtest"
+			# checkcert utils has been removed in nss-3.22:
+			# https://bugzilla.mozilla.org/show_bug.cgi?id=1187545
+			# https://hg.mozilla.org/projects/nss/rev/df1729d37870
+			nssutils="addbuiltin atob baddbdir btoa certcgi certutil
+			cmsutil conflict crlutil derdump digest makepqg mangle modutil multinit
+			nonspr10 ocspclnt oidcalc p7content p7env p7sign p7verify pk11mode
+			pk12util pp rsaperf selfserv shlibsign signtool signver ssltap strsclnt
+			symkeyutil tstclnt vfychain vfyserv"
+			# install man-pages for utils (bug #516810)
+			doman doc/nroff/*.1
+		fi
+		pushd dist/*/bin >/dev/null || die
+		for f in ${nssutils}; do
+			dobin ${f}
+		done
+		popd >/dev/null || die
+	fi
+
+	# Prelink breaks the CHK files. We don't have any reliable way to run
+	# shlibsign after prelink.
+	dodir /etc/prelink.conf.d
+	printf -- "-b ${EPREFIX}/usr/$(get_libdir)/lib%s.so\n" ${NSS_CHK_SIGN_LIBS} \
+		> "${ED}"/etc/prelink.conf.d/nss.conf
+}
+
+pkg_postinst() {
+	multilib_pkg_postinst() {
+		# We must re-sign the libraries AFTER they are stripped.
+		local shlibsign="${EROOT}/usr/bin/shlibsign"
+		# See if we can execute it (cross-compiling & such). #436216
+		"${shlibsign}" -h >&/dev/null
+		if [[ $? -gt 1 ]] ; then
+			shlibsign="shlibsign"
+		fi
+		generate_chk "${shlibsign}" "${EROOT}"/usr/$(get_libdir)
+	}
+
+	multilib_foreach_abi multilib_pkg_postinst
+}
+
+pkg_postrm() {
+	multilib_pkg_postrm() {
+		cleanup_chk "${EROOT}"/usr/$(get_libdir)
+	}
+
+	multilib_foreach_abi multilib_pkg_postrm
+}


^ permalink raw reply related	[flat|nested] 19+ messages in thread
* [gentoo-commits] repo/gentoo:master commit in: dev-libs/nss/, dev-libs/nss/files/
@ 2015-11-26 21:56 Jory Pratt
  0 siblings, 0 replies; 19+ messages in thread
From: Jory Pratt @ 2015-11-26 21:56 UTC (permalink / raw
  To: gentoo-commits

commit:     ce1156e0cc0094ecf6a62693e3f38980ecf3d023
Author:     Jory A. Pratt <anarchy <AT> gentoo <DOT> org>
AuthorDate: Thu Nov 26 21:55:27 2015 +0000
Commit:     Jory Pratt <anarchy <AT> gentoo <DOT> org>
CommitDate: Thu Nov 26 21:55:27 2015 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ce1156e0

dev-libs/nss - basic version bump 3.21

 dev-libs/nss/Manifest                              |   2 +
 dev-libs/nss/files/nss-3.21-cacert-class3.patch    | 204 +++++++++++++
 dev-libs/nss/files/nss-3.21-enable-pem.patch       |  12 +
 .../nss/files/nss-3.21-gentoo-fixup-warnings.patch |  11 +
 dev-libs/nss/files/nss-3.21-gentoo-fixups.patch    | 243 +++++++++++++++
 dev-libs/nss/files/nss-3.21-pem-werror.patch       | 146 +++++++++
 dev-libs/nss/nss-3.21.ebuild                       | 326 +++++++++++++++++++++
 7 files changed, 944 insertions(+)

diff --git a/dev-libs/nss/Manifest b/dev-libs/nss/Manifest
index 5ce5b51..670c75d 100644
--- a/dev-libs/nss/Manifest
+++ b/dev-libs/nss/Manifest
@@ -2,4 +2,6 @@ DIST nss-3.14.1-add_spi+cacerts_ca_certs.patch 25018 SHA256 82ca25982828fd7153ad
 DIST nss-3.19.2.tar.gz 6953657 SHA256 1306663e8f61d8449ad8cbcffab743a604dcd9f6f34232c210847c51dce2c9ae SHA512 d3c45010f8dace58f9da9efe0f9792f8b8a69384e100663f33c949685cdd1ce70e5131f279bc82336622841c41dbc0a4d70a7cc6839a1782dbe8b3c3fd8bc59d WHIRLPOOL d69ab02e12f6b22f47df7be7925343c58e68a69b33833b85d6f2ca70f652d9d159accea45f2c141fa89245ab64dffff0f1289129427564203fe2faf3af1c11e3
 DIST nss-3.20.1.tar.gz 6958956 SHA256 ad3c8f11dfd9570c2d04a6140d5ef7c2bdd0fe30d6c9e5548721a4251a5e8c97 SHA512 c8db693a81b8ddb4d2a742c2fce3f23dd40736e54c55c0de072f84572fcdad8fb7646e4b8ea696e4c97ea6c9cb0fa144f573f8776c2839eb25c4075b50d01d74 WHIRLPOOL 3d4667b243ba6ac596ea7e9936bf9cba7aa1b9767fd19b53352c3a9a9eef0f1a0a9e7da719634dbc9dfcc087d187d5e774ae351c1e57545e8b8c1f40e41e42e6
 DIST nss-3.20.tar.gz 6955552 SHA256 5e38d4b9837ca338af966b97fc91c07f67ad647fb38dc4af3cfd0d84e477d15c SHA512 50f666209cadd4e463f98643ec67e35f4d1b88381e17db9eed7c67559b19799fcc27e49d72536f546d4c45bca2afa4664e5590f868775a4397a77111d68fc366 WHIRLPOOL 84f20e6764b3621762fcfcb9223a3861e1f5ff02078b19b7df2eb58430a5f96943d962dca2d3366b18cd434acf3d3be746242c5064497167d5671c50233834de
+DIST nss-3.21.tar.gz 6978112 SHA256 3f7a5b027d7cdd5c0e4ff7544da33fdc6f56c2f8c27fff02938fd4a6fbe87239 SHA512 0645465b5d1ab05d819355a3f4a2879499539a00d95bfab3ca14a7dcd901e510b5d9ae797386ff5a42f68b0b57f7bbec4ec9d3a85ebd508eb824aba1fb589d53 WHIRLPOOL 7504d83de606d61840e06cb855ea688eb022d5eef062bcb7ac4d1064db96b96e35ae4ce0aff9d389a2140a7c3b974aaa9a86ada52af1199d462fdb48b11b42e4
 DIST nss-pem-015ae754dd9f6fbcd7e52030ec9732eb27fc06a8.tar.bz2 27506 SHA256 50d9ec26a75835e900302f631456e278e13d4b435b8f98aa69f79dd439ddc6ab SHA512 0158a140f112a905f7db5a4f4d04f49f6742db1d2665ddf6c32913c367f0b93a57f86ba13b9883a42a528aff44c48196941d7c0fd7a27005db6adaf07802e501 WHIRLPOOL 279ef11d2d6f0cb7c192189d64bc6971cdada7417b93a65a3ff0ba4548b736b53b9812803024c2349114e94e0864f2b58c23812687ed3f75cf28334b0f6e11ac
+DIST nss-pem-20140125.tar.bz2 28805 SHA256 62604dfc4178399a804e87ca7566d8316a0a40a535de3b2d0fa48fd80c97f768 SHA512 352faf812735e1374c534ada6dd577842603ea193dafaacfd51f201599ffe3f7a23ce1c673421e42f8b692091b58085f90843c29f70ae916949715e7baba2b39 WHIRLPOOL 3ae81410f6f4d2699e9dc55982cad03c226045fbeee25984d53d37ff78ce5c96d008d6837e1c0a10b6c96cdff17c21142e437159896d314e81afc8820867ca62

diff --git a/dev-libs/nss/files/nss-3.21-cacert-class3.patch b/dev-libs/nss/files/nss-3.21-cacert-class3.patch
new file mode 100644
index 0000000..565f3e6
--- /dev/null
+++ b/dev-libs/nss/files/nss-3.21-cacert-class3.patch
@@ -0,0 +1,204 @@
+diff -urN a/nss/lib/ckfw/builtins/certdata.txt b/nss/lib/ckfw/builtins/certdata.txt
+--- a/nss/lib/ckfw/builtins/certdata.txt	2015-11-15 09:25:06.142786072 -0600
++++ b/nss/lib/ckfw/builtins/certdata.txt	2015-11-15 09:36:02.976756787 -0600
+@@ -30351,3 +30351,200 @@
+ CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+ CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
++
++#
++# Certificate "CAcert Inc."
++#
++# Issuer: E=support@cacert.org,CN=CA Cert Signing Authority,OU=http://www.cacert.org,O=Root CA
++# Serial Number: 672138 (0xa418a)
++# Subject: CN=CAcert Class 3 Root,OU=http://www.CAcert.org,O=CAcert Inc.
++# Not Valid Before: Mon May 23 17:48:02 2011
++# Not Valid After : Thu May 20 17:48:02 2021
++# Fingerprint (SHA-256): 4E:DD:E9:E5:5C:A4:53:B3:88:88:7C:AA:25:D5:C5:C5:BC:CF:28:91:D7:3B:87:49:58:08:29:3D:5F:AC:83:C8
++# Fingerprint (SHA1): AD:7C:3F:64:FC:44:39:FE:F4:E9:0B:E8:F4:7C:6C:FA:8A:AD:FD:CE
++CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
++CKA_TOKEN CK_BBOOL CK_TRUE
++CKA_PRIVATE CK_BBOOL CK_FALSE
++CKA_MODIFIABLE CK_BBOOL CK_FALSE
++CKA_LABEL UTF8 "CAcert Inc."
++CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
++CKA_SUBJECT MULTILINE_OCTAL
++\060\124\061\024\060\022\006\003\125\004\012\023\013\103\101\143
++\145\162\164\040\111\156\143\056\061\036\060\034\006\003\125\004
++\013\023\025\150\164\164\160\072\057\057\167\167\167\056\103\101
++\143\145\162\164\056\157\162\147\061\034\060\032\006\003\125\004
++\003\023\023\103\101\143\145\162\164\040\103\154\141\163\163\040
++\063\040\122\157\157\164
++END
++CKA_ID UTF8 "0"
++CKA_ISSUER MULTILINE_OCTAL
++\060\171\061\020\060\016\006\003\125\004\012\023\007\122\157\157
++\164\040\103\101\061\036\060\034\006\003\125\004\013\023\025\150
++\164\164\160\072\057\057\167\167\167\056\143\141\143\145\162\164
++\056\157\162\147\061\042\060\040\006\003\125\004\003\023\031\103
++\101\040\103\145\162\164\040\123\151\147\156\151\156\147\040\101
++\165\164\150\157\162\151\164\171\061\041\060\037\006\011\052\206
++\110\206\367\015\001\011\001\026\022\163\165\160\160\157\162\164
++\100\143\141\143\145\162\164\056\157\162\147
++END
++CKA_SERIAL_NUMBER MULTILINE_OCTAL
++\002\003\012\101\212
++END
++CKA_VALUE MULTILINE_OCTAL
++\060\202\007\131\060\202\005\101\240\003\002\001\002\002\003\012
++\101\212\060\015\006\011\052\206\110\206\367\015\001\001\013\005
++\000\060\171\061\020\060\016\006\003\125\004\012\023\007\122\157
++\157\164\040\103\101\061\036\060\034\006\003\125\004\013\023\025
++\150\164\164\160\072\057\057\167\167\167\056\143\141\143\145\162
++\164\056\157\162\147\061\042\060\040\006\003\125\004\003\023\031
++\103\101\040\103\145\162\164\040\123\151\147\156\151\156\147\040
++\101\165\164\150\157\162\151\164\171\061\041\060\037\006\011\052
++\206\110\206\367\015\001\011\001\026\022\163\165\160\160\157\162
++\164\100\143\141\143\145\162\164\056\157\162\147\060\036\027\015
++\061\061\060\065\062\063\061\067\064\070\060\062\132\027\015\062
++\061\060\065\062\060\061\067\064\070\060\062\132\060\124\061\024
++\060\022\006\003\125\004\012\023\013\103\101\143\145\162\164\040
++\111\156\143\056\061\036\060\034\006\003\125\004\013\023\025\150
++\164\164\160\072\057\057\167\167\167\056\103\101\143\145\162\164
++\056\157\162\147\061\034\060\032\006\003\125\004\003\023\023\103
++\101\143\145\162\164\040\103\154\141\163\163\040\063\040\122\157
++\157\164\060\202\002\042\060\015\006\011\052\206\110\206\367\015
++\001\001\001\005\000\003\202\002\017\000\060\202\002\012\002\202
++\002\001\000\253\111\065\021\110\174\322\046\176\123\224\317\103
++\251\335\050\327\102\052\213\363\207\170\031\130\174\017\236\332
++\211\175\341\373\353\162\220\015\164\241\226\144\253\237\240\044
++\231\163\332\342\125\166\307\027\173\365\004\254\106\270\303\276
++\177\144\215\020\154\044\363\141\234\300\362\220\372\121\346\365
++\151\001\143\303\017\126\342\112\102\317\342\104\214\045\050\250
++\305\171\011\175\106\271\212\363\351\363\064\051\010\105\344\034
++\237\313\224\004\034\201\250\024\263\230\145\304\103\354\116\202
++\215\011\321\275\252\133\215\222\320\354\336\220\305\177\012\302
++\343\353\346\061\132\136\164\076\227\063\131\350\303\003\075\140
++\063\277\367\321\157\107\304\315\356\142\203\122\156\056\010\232
++\244\331\025\030\221\246\205\222\107\260\256\110\353\155\267\041
++\354\205\032\150\162\065\253\377\360\020\135\300\364\224\247\152
++\325\073\222\176\114\220\005\176\223\301\054\213\244\216\142\164
++\025\161\156\013\161\003\352\257\025\070\232\324\322\005\162\157
++\214\371\053\353\132\162\045\371\071\106\343\162\033\076\004\303
++\144\047\042\020\052\212\117\130\247\003\255\276\264\056\023\355
++\135\252\110\327\325\175\324\052\173\134\372\106\004\120\344\314
++\016\102\133\214\355\333\362\317\374\226\223\340\333\021\066\124
++\142\064\070\217\014\140\233\073\227\126\070\255\363\322\133\213
++\240\133\352\116\226\270\174\327\325\240\206\160\100\323\221\051
++\267\242\074\255\365\214\273\317\032\222\212\344\064\173\300\330
++\154\137\351\012\302\303\247\040\232\132\337\054\135\122\134\272
++\107\325\233\357\044\050\160\070\040\057\325\177\051\300\262\101
++\003\150\222\314\340\234\314\227\113\105\357\072\020\012\253\160
++\072\230\225\160\255\065\261\352\205\053\244\034\200\041\061\251
++\256\140\172\200\046\110\000\270\001\300\223\143\125\042\221\074
++\126\347\257\333\072\045\363\217\061\124\352\046\213\201\131\371
++\241\321\123\021\305\173\235\003\366\164\021\340\155\261\054\077
++\054\206\221\231\161\232\246\167\213\064\140\321\024\264\054\254
++\235\257\214\020\323\237\304\152\370\157\023\374\163\131\367\146
++\102\164\036\212\343\370\334\322\157\230\234\313\107\230\225\100
++\005\373\351\002\003\001\000\001\243\202\002\015\060\202\002\011
++\060\035\006\003\125\035\016\004\026\004\024\165\250\161\140\114
++\210\023\360\170\331\211\167\265\155\305\211\337\274\261\172\060
++\201\243\006\003\125\035\043\004\201\233\060\201\230\200\024\026
++\265\062\033\324\307\363\340\346\216\363\275\322\260\072\356\262
++\071\030\321\241\175\244\173\060\171\061\020\060\016\006\003\125
++\004\012\023\007\122\157\157\164\040\103\101\061\036\060\034\006
++\003\125\004\013\023\025\150\164\164\160\072\057\057\167\167\167
++\056\143\141\143\145\162\164\056\157\162\147\061\042\060\040\006
++\003\125\004\003\023\031\103\101\040\103\145\162\164\040\123\151
++\147\156\151\156\147\040\101\165\164\150\157\162\151\164\171\061
++\041\060\037\006\011\052\206\110\206\367\015\001\011\001\026\022
++\163\165\160\160\157\162\164\100\143\141\143\145\162\164\056\157
++\162\147\202\001\000\060\017\006\003\125\035\023\001\001\377\004
++\005\060\003\001\001\377\060\135\006\010\053\006\001\005\005\007
++\001\001\004\121\060\117\060\043\006\010\053\006\001\005\005\007
++\060\001\206\027\150\164\164\160\072\057\057\157\143\163\160\056
++\103\101\143\145\162\164\056\157\162\147\057\060\050\006\010\053
++\006\001\005\005\007\060\002\206\034\150\164\164\160\072\057\057
++\167\167\167\056\103\101\143\145\162\164\056\157\162\147\057\143
++\141\056\143\162\164\060\112\006\003\125\035\040\004\103\060\101
++\060\077\006\010\053\006\001\004\001\201\220\112\060\063\060\061
++\006\010\053\006\001\005\005\007\002\001\026\045\150\164\164\160
++\072\057\057\167\167\167\056\103\101\143\145\162\164\056\157\162
++\147\057\151\156\144\145\170\056\160\150\160\077\151\144\075\061
++\060\060\064\006\011\140\206\110\001\206\370\102\001\010\004\047
++\026\045\150\164\164\160\072\057\057\167\167\167\056\103\101\143
++\145\162\164\056\157\162\147\057\151\156\144\145\170\056\160\150
++\160\077\151\144\075\061\060\060\120\006\011\140\206\110\001\206
++\370\102\001\015\004\103\026\101\124\157\040\147\145\164\040\171
++\157\165\162\040\157\167\156\040\143\145\162\164\151\146\151\143
++\141\164\145\040\146\157\162\040\106\122\105\105\054\040\147\157
++\040\164\157\040\150\164\164\160\072\057\057\167\167\167\056\103
++\101\143\145\162\164\056\157\162\147\060\015\006\011\052\206\110
++\206\367\015\001\001\013\005\000\003\202\002\001\000\051\050\205
++\256\104\251\271\257\244\171\023\360\250\243\053\227\140\363\134
++\356\343\057\301\366\342\146\240\021\256\066\067\072\166\025\004
++\123\352\102\365\371\352\300\025\330\246\202\331\344\141\256\162
++\013\051\134\220\103\350\101\262\341\167\333\002\023\104\170\107
++\125\257\130\374\314\230\366\105\271\321\040\370\330\041\007\376
++\155\252\163\324\263\306\007\351\011\205\314\073\362\266\276\054
++\034\045\325\161\214\071\265\056\352\276\030\201\272\260\223\270
++\017\343\346\327\046\214\061\132\162\003\204\122\346\246\365\063
++\042\105\012\310\013\015\212\270\066\157\220\011\241\253\275\327
++\325\116\056\161\242\324\256\372\247\124\053\353\065\215\132\267
++\124\210\057\356\164\237\355\110\026\312\015\110\320\224\323\254
++\244\242\366\044\337\222\343\275\353\103\100\221\156\034\030\216
++\126\264\202\022\363\251\223\237\324\274\234\255\234\165\356\132
++\227\033\225\347\164\055\034\017\260\054\227\237\373\251\063\071
++\172\347\003\072\222\216\042\366\214\015\344\331\176\015\166\030
++\367\001\371\357\226\226\242\125\163\300\074\161\264\035\032\126
++\103\267\303\012\215\162\374\342\020\011\013\101\316\214\224\240
++\371\003\375\161\163\113\212\127\063\345\216\164\176\025\001\000
++\346\314\112\034\347\177\225\031\055\305\245\014\213\273\265\355
++\205\263\134\323\337\270\271\362\312\307\015\001\024\254\160\130
++\305\214\215\063\324\235\146\243\032\120\225\043\374\110\340\006
++\103\022\331\315\247\206\071\057\066\162\243\200\020\344\341\363
++\321\313\133\032\300\344\200\232\174\023\163\006\117\333\243\153
++\044\012\272\263\034\274\112\170\273\345\343\165\070\245\110\247
++\242\036\257\166\324\136\367\070\206\126\132\211\316\326\303\247
++\171\262\122\240\306\361\205\264\045\214\362\077\226\263\020\331
++\215\154\127\073\237\157\206\072\030\202\042\066\310\260\221\070
++\333\052\241\223\252\204\077\365\047\145\256\163\325\310\325\323
++\167\352\113\235\307\101\273\307\300\343\240\077\344\175\244\215
++\163\346\022\113\337\241\163\163\163\072\200\350\325\313\216\057
++\313\352\023\247\326\101\213\254\372\074\211\327\044\365\116\264
++\340\141\222\267\363\067\230\304\276\226\243\267\212
++END
++
++# Trust for "CAcert Inc."
++# Issuer: E=support@cacert.org,CN=CA Cert Signing Authority,OU=http://www.cacert.org,O=Root CA
++# Serial Number: 672138 (0xa418a)
++# Subject: CN=CAcert Class 3 Root,OU=http://www.CAcert.org,O=CAcert Inc.
++# Not Valid Before: Mon May 23 17:48:02 2011
++# Not Valid After : Thu May 20 17:48:02 2021
++# Fingerprint (SHA-256): 4E:DD:E9:E5:5C:A4:53:B3:88:88:7C:AA:25:D5:C5:C5:BC:CF:28:91:D7:3B:87:49:58:08:29:3D:5F:AC:83:C8
++# Fingerprint (SHA1): AD:7C:3F:64:FC:44:39:FE:F4:E9:0B:E8:F4:7C:6C:FA:8A:AD:FD:CE
++CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
++CKA_TOKEN CK_BBOOL CK_TRUE
++CKA_PRIVATE CK_BBOOL CK_FALSE
++CKA_MODIFIABLE CK_BBOOL CK_FALSE
++CKA_LABEL UTF8 "CAcert Inc."
++CKA_CERT_SHA1_HASH MULTILINE_OCTAL
++\255\174\077\144\374\104\071\376\364\351\013\350\364\174\154\372
++\212\255\375\316
++END
++CKA_CERT_MD5_HASH MULTILINE_OCTAL
++\367\045\022\202\116\147\265\320\215\222\267\174\013\206\172\102
++END
++CKA_ISSUER MULTILINE_OCTAL
++\060\171\061\020\060\016\006\003\125\004\012\023\007\122\157\157
++\164\040\103\101\061\036\060\034\006\003\125\004\013\023\025\150
++\164\164\160\072\057\057\167\167\167\056\143\141\143\145\162\164
++\056\157\162\147\061\042\060\040\006\003\125\004\003\023\031\103
++\101\040\103\145\162\164\040\123\151\147\156\151\156\147\040\101
++\165\164\150\157\162\151\164\171\061\041\060\037\006\011\052\206
++\110\206\367\015\001\011\001\026\022\163\165\160\160\157\162\164
++\100\143\141\143\145\162\164\056\157\162\147
++END
++CKA_SERIAL_NUMBER MULTILINE_OCTAL
++\002\003\012\101\212
++END
++CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
++CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
++CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
++CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE

diff --git a/dev-libs/nss/files/nss-3.21-enable-pem.patch b/dev-libs/nss/files/nss-3.21-enable-pem.patch
new file mode 100644
index 0000000..c60f051
--- /dev/null
+++ b/dev-libs/nss/files/nss-3.21-enable-pem.patch
@@ -0,0 +1,12 @@
+diff -urN a/nss/lib/ckfw/manifest.mn b/nss/lib/ckfw/manifest.mn
+--- a/nss/lib/ckfw/manifest.mn	2015-11-15 09:25:06.130786072 -0600
++++ b/nss/lib/ckfw/manifest.mn	2015-11-15 09:31:03.372770145 -0600
+@@ -5,7 +5,7 @@
+ 
+ CORE_DEPTH = ../..
+ 
+-DIRS = builtins 
++DIRS = builtins pem
+ 
+ PRIVATE_EXPORTS = \
+ 	ck.h		  \

diff --git a/dev-libs/nss/files/nss-3.21-gentoo-fixup-warnings.patch b/dev-libs/nss/files/nss-3.21-gentoo-fixup-warnings.patch
new file mode 100644
index 0000000..ed8a0aa
--- /dev/null
+++ b/dev-libs/nss/files/nss-3.21-gentoo-fixup-warnings.patch
@@ -0,0 +1,11 @@
+diff -urN a/nss/coreconf/Linux.mk b/nss/coreconf/Linux.mk
+--- a/nss/coreconf/Linux.mk	2015-11-15 09:25:06.672786048 -0600
++++ b/nss/coreconf/Linux.mk	2015-11-15 09:29:26.682774456 -0600
+@@ -130,6 +130,7 @@
+ 		OPTIMIZER += -gdwarf-2
+ 	endif
+ endif
++OPTIMIZER += -fno-strict-aliasing
+ endif
+ 
+ ifndef COMPILER_TAG
\ No newline at end of file

diff --git a/dev-libs/nss/files/nss-3.21-gentoo-fixups.patch b/dev-libs/nss/files/nss-3.21-gentoo-fixups.patch
new file mode 100644
index 0000000..3381982
--- /dev/null
+++ b/dev-libs/nss/files/nss-3.21-gentoo-fixups.patch
@@ -0,0 +1,243 @@
+diff -urN a/nss/config/Makefile b/nss/config/Makefile
+--- a/nss/config/Makefile	1969-12-31 18:00:00.000000000 -0600
++++ b/nss/config/Makefile	2015-11-15 10:42:46.249578304 -0600
+@@ -0,0 +1,40 @@
++CORE_DEPTH = ..
++DEPTH      = ..
++
++include $(CORE_DEPTH)/coreconf/config.mk
++
++NSS_MAJOR_VERSION = `grep "NSS_VMAJOR" ../lib/nss/nss.h | awk '{print $$3}'`
++NSS_MINOR_VERSION = `grep "NSS_VMINOR" ../lib/nss/nss.h | awk '{print $$3}'`
++NSS_PATCH_VERSION = `grep "NSS_VPATCH" ../lib/nss/nss.h | awk '{print $$3}'`
++PREFIX = /usr
++
++all: export libs
++
++export:
++	# Create the nss.pc file
++	mkdir -p $(DIST)/lib/pkgconfig
++	sed -e "s,@prefix@,$(PREFIX)," \
++	    -e "s,@exec_prefix@,\$${prefix}," \
++	    -e "s,@libdir@,\$${prefix}/lib64," \
++	    -e "s,@includedir@,\$${prefix}/include/nss," \
++	    -e "s,@NSS_MAJOR_VERSION@,$(NSS_MAJOR_VERSION),g" \
++	    -e "s,@NSS_MINOR_VERSION@,$(NSS_MINOR_VERSION)," \
++	    -e "s,@NSS_PATCH_VERSION@,$(NSS_PATCH_VERSION)," \
++	    nss.pc.in > nss.pc
++	chmod 0644 nss.pc
++	ln -sf ../../../../config/nss.pc $(DIST)/lib/pkgconfig
++
++	# Create the nss-config script
++	mkdir -p $(DIST)/bin
++	sed -e "s,@prefix@,$(PREFIX)," \
++	    -e "s,@NSS_MAJOR_VERSION@,$(NSS_MAJOR_VERSION)," \
++	    -e "s,@NSS_MINOR_VERSION@,$(NSS_MINOR_VERSION)," \
++	    -e "s,@NSS_PATCH_VERSION@,$(NSS_PATCH_VERSION)," \
++	    nss-config.in > nss-config
++	chmod 0755 nss-config
++	ln -sf ../../../config/nss-config $(DIST)/bin
++
++libs:
++
++dummy: all export libs
++
+diff -urN a/nss/config/nss-config.in b/nss/config/nss-config.in
+--- a/nss/config/nss-config.in	1969-12-31 18:00:00.000000000 -0600
++++ b/nss/config/nss-config.in	2015-11-15 10:42:46.250578304 -0600
+@@ -0,0 +1,145 @@
++#!/bin/sh
++
++prefix=@prefix@
++
++major_version=@NSS_MAJOR_VERSION@
++minor_version=@NSS_MINOR_VERSION@
++patch_version=@NSS_PATCH_VERSION@
++
++usage()
++{
++	cat <<EOF
++Usage: nss-config [OPTIONS] [LIBRARIES]
++Options:
++	[--prefix[=DIR]]
++	[--exec-prefix[=DIR]]
++	[--includedir[=DIR]]
++	[--libdir[=DIR]]
++	[--version]
++	[--libs]
++	[--cflags]
++Dynamic Libraries:
++	nss
++	ssl
++	smime
++	nssutil
++EOF
++	exit $1
++}
++
++if test $# -eq 0; then
++	usage 1 1>&2
++fi
++
++lib_ssl=yes
++lib_smime=yes
++lib_nss=yes
++lib_nssutil=yes
++
++while test $# -gt 0; do
++  case "$1" in
++  -*=*) optarg=`echo "$1" | sed 's/[-_a-zA-Z0-9]*=//'` ;;
++  *) optarg= ;;
++  esac
++
++  case $1 in
++    --prefix=*)
++      prefix=$optarg
++      ;;
++    --prefix)
++      echo_prefix=yes
++      ;;
++    --exec-prefix=*)
++      exec_prefix=$optarg
++      ;;
++    --exec-prefix)
++      echo_exec_prefix=yes
++      ;;
++    --includedir=*)
++      includedir=$optarg
++      ;;
++    --includedir)
++      echo_includedir=yes
++      ;;
++    --libdir=*)
++      libdir=$optarg
++      ;;
++    --libdir)
++      echo_libdir=yes
++      ;;
++    --version)
++      echo ${major_version}.${minor_version}.${patch_version}
++      ;;
++    --cflags)
++      echo_cflags=yes
++      ;;
++    --libs)
++      echo_libs=yes
++      ;;
++    ssl)
++      lib_ssl=yes
++      ;;
++    smime)
++      lib_smime=yes
++      ;;
++    nss)
++      lib_nss=yes
++      ;;
++    nssutil)                                                      
++      lib_nssutil=yes                                             
++      ;;
++    *)
++      usage 1 1>&2
++      ;;
++  esac
++  shift
++done
++
++# Set variables that may be dependent upon other variables
++if test -z "$exec_prefix"; then
++    exec_prefix=`pkg-config --variable=exec_prefix nss`
++fi
++if test -z "$includedir"; then
++    includedir=`pkg-config --variable=includedir nss`
++fi
++if test -z "$libdir"; then
++    libdir=`pkg-config --variable=libdir nss`
++fi
++
++if test "$echo_prefix" = "yes"; then
++    echo $prefix
++fi
++
++if test "$echo_exec_prefix" = "yes"; then
++    echo $exec_prefix
++fi
++
++if test "$echo_includedir" = "yes"; then
++    echo $includedir
++fi
++
++if test "$echo_libdir" = "yes"; then
++    echo $libdir
++fi
++
++if test "$echo_cflags" = "yes"; then
++    echo -I$includedir
++fi
++
++if test "$echo_libs" = "yes"; then
++      libdirs=""
++      if test -n "$lib_ssl"; then
++	libdirs="$libdirs -lssl${major_version}"
++      fi
++      if test -n "$lib_smime"; then
++	libdirs="$libdirs -lsmime${major_version}"
++      fi
++      if test -n "$lib_nss"; then
++	libdirs="$libdirs -lnss${major_version}"
++      fi
++      if test -n "$lib_nssutil"; then
++       libdirs="$libdirs -lnssutil${major_version}"
++      fi
++      echo $libdirs
++fi      
++
+diff -urN a/nss/config/nss.pc.in b/nss/config/nss.pc.in
+--- a/nss/config/nss.pc.in	1969-12-31 18:00:00.000000000 -0600
++++ b/nss/config/nss.pc.in	2015-11-15 10:42:46.251578304 -0600
+@@ -0,0 +1,12 @@
++prefix=@prefix@
++exec_prefix=@exec_prefix@
++libdir=@libdir@
++includedir=@includedir@
++
++Name: NSS
++Description: Network Security Services
++Version: @NSS_MAJOR_VERSION@.@NSS_MINOR_VERSION@.@NSS_PATCH_VERSION@
++Requires: nspr >= 4.8
++Libs: -lssl3 -lsmime3 -lnss3 -lnssutil3
++Cflags: -I${includedir}
++
+diff -urN a/nss/Makefile b/nss/Makefile
+--- a/nss/Makefile	2015-11-15 09:25:06.410786060 -0600
++++ b/nss/Makefile	2015-11-15 10:42:46.252578304 -0600
+@@ -46,7 +46,7 @@
+ # (7) Execute "local" rules. (OPTIONAL).                              #
+ #######################################################################
+ 
+-nss_build_all: build_nspr all
++nss_build_all: all
+ 
+ nss_clean_all: clobber_nspr clobber
+ 
+@@ -115,12 +115,6 @@
+ 	--with-dist-prefix='$(NSPR_PREFIX)' \
+ 	--with-dist-includedir='$(NSPR_PREFIX)/include'
+ 
+-build_nspr: $(NSPR_CONFIG_STATUS)
+-	$(MAKE) -C $(CORE_DEPTH)/../nspr/$(OBJDIR_NAME)
+-
+-clobber_nspr: $(NSPR_CONFIG_STATUS)
+-	$(MAKE) -C $(CORE_DEPTH)/../nspr/$(OBJDIR_NAME) clobber
+-
+ build_docs:
+ 	$(MAKE) -C $(CORE_DEPTH)/doc
+ 
+diff -urN a/nss/manifest.mn b/nss/manifest.mn
+--- a/nss/manifest.mn	2015-11-15 09:25:06.411786060 -0600
++++ b/nss/manifest.mn	2015-11-15 10:43:15.633576994 -0600
+@@ -10,4 +10,4 @@
+ 
+ RELEASE = nss
+ 
+-DIRS = coreconf lib cmd external_tests
++DIRS = coreconf lib cmd config

diff --git a/dev-libs/nss/files/nss-3.21-pem-werror.patch b/dev-libs/nss/files/nss-3.21-pem-werror.patch
new file mode 100644
index 0000000..392d74a
--- /dev/null
+++ b/dev-libs/nss/files/nss-3.21-pem-werror.patch
@@ -0,0 +1,146 @@
+diff -up ./nss/lib/ckfw/pem/ckpem.h.compile_Werror ./nss/lib/ckfw/pem/ckpem.h
+--- ./nss/lib/ckfw/pem/ckpem.h.compile_Werror	2014-01-23 06:28:18.000000000 -0800
++++ ./nss/lib/ckfw/pem/ckpem.h	2015-11-13 12:07:29.219887390 -0800
+@@ -233,6 +233,9 @@ struct pemLOWKEYPrivateKeyStr {
+ };
+ typedef struct pemLOWKEYPrivateKeyStr pemLOWKEYPrivateKey;
+ 
++/* NOTE: Discrepancy with the the way callers use of the return value as a count
++ * Fix this when we sync. up with the cleanup work being done at nss-pem project.
++ */
+ SECStatus ReadDERFromFile(SECItem ***derlist, char *filename, PRBool ascii, int *cipher, char **ivstring, PRBool certsonly);
+ const NSSItem * pem_FetchAttribute ( pemInternalObject *io, CK_ATTRIBUTE_TYPE type);
+ void pem_PopulateModulusExponent(pemInternalObject *io);
+diff -up ./nss/lib/ckfw/pem/pinst.c.compile_Werror ./nss/lib/ckfw/pem/pinst.c
+--- ./nss/lib/ckfw/pem/pinst.c.compile_Werror	2014-01-23 06:28:18.000000000 -0800
++++ ./nss/lib/ckfw/pem/pinst.c	2015-11-13 12:07:29.219887390 -0800
+@@ -472,7 +472,9 @@ AddCertificate(char *certfile, char *key
+     char *ivstring = NULL;
+     int cipher;
+ 
+-    nobjs = ReadDERFromFile(&objs, certfile, PR_TRUE, &cipher, &ivstring, PR_TRUE /* certs only */);
++    /* TODO: Fix discrepancy between our usage of the return value as
++     * as an int (a count) and the declaration as a SECStatus. */
++    nobjs = (int) ReadDERFromFile(&objs, certfile, PR_TRUE, &cipher, &ivstring, PR_TRUE /* certs only */);
+     if (nobjs <= 0) {
+         nss_ZFreeIf(objs);
+         return CKR_GENERAL_ERROR;
+@@ -515,8 +517,10 @@ AddCertificate(char *certfile, char *key
+         if (keyfile) {          /* add the private key */
+             SECItem **keyobjs = NULL;
+             int kobjs = 0;
++            /* TODO: Fix discrepancy between our usage of the return value as
++             * as an int and the declaration as a SECStatus. */
+             kobjs =
+-                ReadDERFromFile(&keyobjs, keyfile, PR_TRUE, &cipher,
++                (int) ReadDERFromFile(&keyobjs, keyfile, PR_TRUE, &cipher,
+                                 &ivstring, PR_FALSE);
+             if (kobjs < 1) {
+                 error = CKR_GENERAL_ERROR;
+diff -up ./nss/lib/ckfw/pem/pobject.c.compile_Werror ./nss/lib/ckfw/pem/pobject.c
+--- ./nss/lib/ckfw/pem/pobject.c.compile_Werror	2014-01-23 06:28:18.000000000 -0800
++++ ./nss/lib/ckfw/pem/pobject.c	2015-11-13 12:07:29.220887368 -0800
+@@ -630,6 +630,11 @@ pem_DestroyInternalObject
+         if (io->u.key.ivstring)
+             free(io->u.key.ivstring);
+         break;
++    case pemAll:
++        /* pemAll is not used, keep the compiler happy
++         * TODO: investigate a proper solution
++         */
++        return;
+     }
+ 
+     if (NULL != gobj)
+@@ -1044,7 +1049,9 @@ pem_CreateObject
+     int nobjs = 0;
+     int i;
+     int objid;
++#if 0
+     pemToken *token;
++#endif
+     int cipher;
+     char *ivstring = NULL;
+     pemInternalObject *listObj = NULL;
+@@ -1073,7 +1080,9 @@ pem_CreateObject
+     }
+     slotID = nssCKFWSlot_GetSlotID(fwSlot);
+ 
++#if 0
+     token = (pemToken *) mdToken->etc;
++#endif
+ 
+     /*
+      * only create keys and certs.
+@@ -1114,7 +1123,11 @@ pem_CreateObject
+     }
+ 
+     if (objClass == CKO_CERTIFICATE) {
+-        nobjs = ReadDERFromFile(&derlist, filename, PR_TRUE, &cipher, &ivstring, PR_TRUE /* certs only */);
++        /* TODO: Fix discrepancy between our usage of the return value as
++         * as an int and the declaration as a SECStatus. Typecasting as a
++         * temporary workaround.
++         */
++        nobjs = (int) ReadDERFromFile(&derlist, filename, PR_TRUE, &cipher, &ivstring, PR_TRUE /* certs only */);
+         if (nobjs < 1)
+             goto loser;
+ 
+diff -up ./nss/lib/ckfw/pem/rsawrapr.c.compile_Werror ./nss/lib/ckfw/pem/rsawrapr.c
+--- ./nss/lib/ckfw/pem/rsawrapr.c.compile_Werror	2014-01-23 06:28:18.000000000 -0800
++++ ./nss/lib/ckfw/pem/rsawrapr.c	2015-11-13 12:07:29.220887368 -0800
+@@ -93,6 +93,8 @@ pem_PublicModulusLen(NSSLOWKEYPublicKey
+     return 0;
+ }
+ 
++/* unused functions */
++#if 0
+ static SHA1Context *SHA1_CloneContext(SHA1Context * original)
+ {
+     SHA1Context *clone = NULL;
+@@ -215,6 +217,7 @@ oaep_xor_with_h2(unsigned char *salt, un
+ 
+     return SECSuccess;
+ }
++#endif /* unused functions */
+ 
+ /*
+  * Format one block of data for public/private key encryption using
+diff -up ./nss/lib/ckfw/pem/util.c.compile_Werror ./nss/lib/ckfw/pem/util.c
+--- ./nss/lib/ckfw/pem/util.c.compile_Werror	2014-01-23 06:28:18.000000000 -0800
++++ ./nss/lib/ckfw/pem/util.c	2015-11-13 12:22:52.282196306 -0800
+@@ -131,7 +131,8 @@ static SECStatus FileToItem(SECItem * ds
+     return SECFailure;
+ }
+ 
+-int
++/* FIX: Returns a SECStatus yet callers take result as a count */
++SECStatus
+ ReadDERFromFile(SECItem *** derlist, char *filename, PRBool ascii,
+ 		int *cipher, char **ivstring, PRBool certsonly)
+ {
+@@ -237,7 +238,12 @@ ReadDERFromFile(SECItem *** derlist, cha
+ 		    goto loser;
+ 		}
+                 if ((certsonly && !key) || (!certsonly && key)) {
++		    error = CKR_OK;
+ 		    PUT_Object(der, error);
++		    if (error != CKR_OK) {
++			free(der);
++			goto loser;
++		    }
+                 } else {
+                     free(der->data);
+                     free(der);
+@@ -255,7 +261,12 @@ ReadDERFromFile(SECItem *** derlist, cha
+ 	    }
+ 
+ 	    /* NOTE: This code path has never been tested. */
++	    error = CKR_OK;
+ 	    PUT_Object(der, error);
++	    if (error != CKR_OK) {
++		free(der);
++		goto loser;
++	    }
+ 	}
+ 
+ 	nss_ZFreeIf(filedata.data);

diff --git a/dev-libs/nss/nss-3.21.ebuild b/dev-libs/nss/nss-3.21.ebuild
new file mode 100644
index 0000000..c3b279a
--- /dev/null
+++ b/dev-libs/nss/nss-3.21.ebuild
@@ -0,0 +1,326 @@
+# Copyright 1999-2015 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+EAPI=5
+inherit eutils flag-o-matic multilib toolchain-funcs multilib-minimal
+
+NSPR_VER="4.10.8"
+RTM_NAME="NSS_${PV//./_}_RTM"
+# Rev of https://git.fedorahosted.org/cgit/nss-pem.git
+PEM_GIT_REV="015ae754dd9f6fbcd7e52030ec9732eb27fc06a8"
+PEM_P="${PN}-pem-20140125"
+
+DESCRIPTION="Mozilla's Network Security Services library that implements PKI support"
+HOMEPAGE="http://www.mozilla.org/projects/security/pki/nss/"
+SRC_URI="http://archive.mozilla.org/pub/mozilla.org/security/nss/releases/${RTM_NAME}/src/${P}.tar.gz
+	cacert? ( https://dev.gentoo.org/~anarchy/patches/${PN}-3.14.1-add_spi+cacerts_ca_certs.patch )
+	nss-pem? ( https://dev.gentoo.org/~anarchy/dist/${PEM_P}.tar.bz2 )"
+
+LICENSE="|| ( MPL-2.0 GPL-2 LGPL-2.1 )"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~amd64-fbsd ~x86-fbsd ~amd64-linux ~x86-linux ~x86-macos ~sparc-solaris ~x64-solaris ~x86-solaris"
+IUSE="+cacert +nss-pem utils"
+CDEPEND=">=dev-db/sqlite-3.8.2[${MULTILIB_USEDEP}]
+	>=sys-libs/zlib-1.2.8-r1[${MULTILIB_USEDEP}]"
+DEPEND=">=virtual/pkgconfig-0-r1[${MULTILIB_USEDEP}]
+	>=dev-libs/nspr-${NSPR_VER}[${MULTILIB_USEDEP}]
+	${CDEPEND}"
+RDEPEND=">=dev-libs/nspr-${NSPR_VER}[${MULTILIB_USEDEP}]
+	${CDEPEND}
+	abi_x86_32? (
+		!<=app-emulation/emul-linux-x86-baselibs-20140508-r12
+		!app-emulation/emul-linux-x86-baselibs[-abi_x86_32(-)]
+	)"
+
+RESTRICT="test"
+
+S="${WORKDIR}/${P}/${PN}"
+
+MULTILIB_CHOST_TOOLS=(
+	/usr/bin/nss-config
+)
+
+src_unpack() {
+	unpack ${A}
+	if use nss-pem ; then
+		mv "${PN}"/lib/ckfw/pem/ "${S}"/lib/ckfw/ || die
+	fi
+}
+
+src_prepare() {
+	# Custom changes for gentoo
+	epatch "${FILESDIR}/${PN}-3.21-gentoo-fixups.patch"
+	epatch "${FILESDIR}/${PN}-3.21-gentoo-fixup-warnings.patch"
+	use cacert && epatch "${DISTDIR}/${PN}-3.14.1-add_spi+cacerts_ca_certs.patch"
+	use nss-pem && epatch "${FILESDIR}/${PN}-3.21-enable-pem.patch" \
+		"${FILESDIR}/${PN}-3.21-pem-werror.patch"
+	epatch "${FILESDIR}/${PN}-3.21-cacert-class3.patch" # 521462
+
+	pushd coreconf >/dev/null || die
+	# hack nspr paths
+	echo 'INCLUDES += -I$(DIST)/include/dbm' \
+		>> headers.mk || die "failed to append include"
+
+	# modify install path
+	sed -e '/CORE_DEPTH/s:SOURCE_PREFIX.*$:SOURCE_PREFIX = $(CORE_DEPTH)/dist:' \
+		-i source.mk || die
+
+	# Respect LDFLAGS
+	sed -i -e 's/\$(MKSHLIB) -o/\$(MKSHLIB) \$(LDFLAGS) -o/g' rules.mk
+	popd >/dev/null || die
+
+	# Fix pkgconfig file for Prefix
+	sed -i -e "/^PREFIX =/s:= /usr:= ${EPREFIX}/usr:" \
+		config/Makefile || die
+
+	# use host shlibsign if need be #436216
+	if tc-is-cross-compiler ; then
+		sed -i \
+			-e 's:"${2}"/shlibsign:shlibsign:' \
+			cmd/shlibsign/sign.sh || die
+	fi
+
+	# dirty hack
+	sed -i -e "/CRYPTOLIB/s:\$(SOFTOKEN_LIB_DIR):../freebl/\$(OBJDIR):" \
+		lib/ssl/config.mk || die
+	sed -i -e "/CRYPTOLIB/s:\$(SOFTOKEN_LIB_DIR):../../lib/freebl/\$(OBJDIR):" \
+		cmd/platlibs.mk || die
+
+	multilib_copy_sources
+
+	strip-flags
+}
+
+multilib_src_configure() {
+	# Ensure we stay multilib aware
+	sed -i -e "/@libdir@/ s:lib64:$(get_libdir):" config/Makefile || die
+}
+
+nssarch() {
+	# Most of the arches are the same as $ARCH
+	local t=${1:-${CHOST}}
+	case ${t} in
+		aarch64*)echo "aarch64";;
+		hppa*)   echo "parisc";;
+		i?86*)   echo "i686";;
+		x86_64*) echo "x86_64";;
+		*)       tc-arch ${t};;
+	esac
+}
+
+nssbits() {
+	local cc cppflags="${1}CPPFLAGS" cflags="${1}CFLAGS"
+	if [[ ${1} == BUILD_ ]]; then
+		cc=$(tc-getBUILD_CC)
+	else
+		cc=$(tc-getCC)
+	fi
+	echo > "${T}"/test.c || die
+	${cc} ${!cppflags} ${!cflags} -c "${T}"/test.c -o "${T}/${1}test.o" || die
+	case $(file "${T}/${1}test.o") in
+		*32-bit*x86-64*) echo USE_X32=1;;
+		*64-bit*|*ppc64*|*x86_64*) echo USE_64=1;;
+		*32-bit*|*ppc*|*i386*) ;;
+		*) die "Failed to detect whether ${cc} builds 64bits or 32bits, disable distcc if you're using it, please";;
+	esac
+}
+
+multilib_src_compile() {
+	# use ABI to determine bit'ness, or fallback if unset
+	local buildbits mybits
+	case "${ABI}" in
+		n32) mybits="USE_N32=1";;
+		x32) mybits="USE_X32=1";;
+		s390x|*64) mybits="USE_64=1";;
+		${DEFAULT_ABI})
+			einfo "Running compilation test to determine bit'ness"
+			mybits=$(nssbits)
+			;;
+	esac
+	# bitness of host may differ from target
+	if tc-is-cross-compiler; then
+		buildbits=$(nssbits BUILD_)
+	fi
+
+	local makeargs=(
+		CC="$(tc-getCC)"
+		AR="$(tc-getAR) rc \$@"
+		RANLIB="$(tc-getRANLIB)"
+		OPTIMIZER=
+		${mybits}
+	)
+
+	# Take care of nspr settings #436216
+	local myCPPFLAGS="${CPPFLAGS} $($(tc-getPKG_CONFIG) nspr --cflags)"
+	unset NSPR_INCLUDE_DIR
+
+	# Do not let `uname` be used.
+	if use kernel_linux ; then
+		makeargs+=(
+			OS_TARGET=Linux
+			OS_RELEASE=2.6
+			OS_TEST="$(nssarch)"
+		)
+	fi
+
+	export BUILD_OPT=1
+	export NSS_USE_SYSTEM_SQLITE=1
+	export NSDISTMODE=copy
+	export NSS_ENABLE_ECC=1
+	export FREEBL_NO_DEPEND=1
+	export ASFLAGS=""
+
+	local d
+
+	# Build the host tools first.
+	LDFLAGS="${BUILD_LDFLAGS}" \
+	XCFLAGS="${BUILD_CFLAGS}" \
+	NSPR_LIB_DIR="${T}/fakedir" \
+	emake -j1 -C coreconf \
+		CC="$(tc-getBUILD_CC)" \
+		${buildbits:-${mybits}}
+	makeargs+=( NSINSTALL="${PWD}/$(find -type f -name nsinstall)" )
+
+	# Then build the target tools.
+	for d in . lib/dbm ; do
+		CPPFLAGS="${myCPPFLAGS}" \
+		XCFLAGS="${CFLAGS} ${CPPFLAGS}" \
+		NSPR_LIB_DIR="${T}/fakedir" \
+		emake -j1 "${makeargs[@]}" -C ${d}
+	done
+}
+
+# Altering these 3 libraries breaks the CHK verification.
+# All of the following cause it to break:
+# - stripping
+# - prelink
+# - ELF signing
+# http://www.mozilla.org/projects/security/pki/nss/tech-notes/tn6.html
+# Either we have to NOT strip them, or we have to forcibly resign after
+# stripping.
+#local_libdir="$(get_libdir)"
+#export STRIP_MASK="
+#	*/${local_libdir}/libfreebl3.so*
+#	*/${local_libdir}/libnssdbm3.so*
+#	*/${local_libdir}/libsoftokn3.so*"
+
+export NSS_CHK_SIGN_LIBS="freebl3 nssdbm3 softokn3"
+
+generate_chk() {
+	local shlibsign="$1"
+	local libdir="$2"
+	einfo "Resigning core NSS libraries for FIPS validation"
+	shift 2
+	local i
+	for i in ${NSS_CHK_SIGN_LIBS} ; do
+		local libname=lib${i}.so
+		local chkname=lib${i}.chk
+		"${shlibsign}" \
+			-i "${libdir}"/${libname} \
+			-o "${libdir}"/${chkname}.tmp \
+		&& mv -f \
+			"${libdir}"/${chkname}.tmp \
+			"${libdir}"/${chkname} \
+		|| die "Failed to sign ${libname}"
+	done
+}
+
+cleanup_chk() {
+	local libdir="$1"
+	shift 1
+	local i
+	for i in ${NSS_CHK_SIGN_LIBS} ; do
+		local libfname="${libdir}/lib${i}.so"
+		# If the major version has changed, then we have old chk files.
+		[ ! -f "${libfname}" -a -f "${libfname}.chk" ] \
+			&& rm -f "${libfname}.chk"
+	done
+}
+
+multilib_src_install() {
+	pushd dist >/dev/null || die
+
+	dodir /usr/$(get_libdir)
+	cp -L */lib/*$(get_libname) "${ED}"/usr/$(get_libdir) || die "copying shared libs failed"
+	cp -L */lib/libcrmf.a "${ED}"/usr/$(get_libdir) || die "copying libs failed"
+	cp -L */lib/libfreebl.a "${ED}"/usr/$(get_libdir) || die "copying libs failed"
+
+	# Install nss-config and pkgconfig file
+	dodir /usr/bin
+	cp -L */bin/nss-config "${ED}"/usr/bin || die
+	dodir /usr/$(get_libdir)/pkgconfig
+	cp -L */lib/pkgconfig/nss.pc "${ED}"/usr/$(get_libdir)/pkgconfig || die
+
+	# create an nss-softokn.pc from nss.pc for libfreebl and some private headers
+	# bug 517266
+	sed 	-e 's#Libs:#Libs: -lfreebl#' \
+		-e 's#Cflags:#Cflags: -I${includedir}/private#' \
+		*/lib/pkgconfig/nss.pc >"${ED}"/usr/$(get_libdir)/pkgconfig/nss-softokn.pc \
+		|| die "could not create nss-softokn.pc"
+
+	# all the include files
+	insinto /usr/include/nss
+	doins public/nss/*.h
+	insinto /usr/include/nss/private
+	doins private/nss/{blapi,alghmac}.h
+
+	popd >/dev/null || die
+
+	local f nssutils
+	# Always enabled because we need it for chk generation.
+	nssutils="shlibsign"
+
+	if multilib_is_native_abi ; then
+		if use utils; then
+			# The tests we do not need to install.
+			#nssutils_test="bltest crmftest dbtest dertimetest
+			#fipstest remtest sdrtest"
+			nssutils="addbuiltin atob baddbdir btoa certcgi certutil checkcert
+			cmsutil conflict crlutil derdump digest makepqg mangle modutil multinit
+			nonspr10 ocspclnt oidcalc p7content p7env p7sign p7verify pk11mode
+			pk12util pp rsaperf selfserv shlibsign signtool signver ssltap strsclnt
+			symkeyutil tstclnt vfychain vfyserv"
+			# install man-pages for utils (bug #516810)
+			doman doc/nroff/*.1
+		fi
+		pushd dist/*/bin >/dev/null || die
+		for f in ${nssutils}; do
+			dobin ${f}
+		done
+		popd >/dev/null || die
+	fi
+
+	# Prelink breaks the CHK files. We don't have any reliable way to run
+	# shlibsign after prelink.
+	local l libs=() liblist
+	for l in ${NSS_CHK_SIGN_LIBS} ; do
+		libs+=("${EPREFIX}/usr/$(get_libdir)/lib${l}.so")
+	done
+	liblist=$(printf '%s:' "${libs[@]}")
+	echo -e "PRELINK_PATH_MASK=${liblist%:}" > "${T}/90nss-${ABI}"
+	doenvd "${T}/90nss-${ABI}"
+}
+
+pkg_postinst() {
+	multilib_pkg_postinst() {
+		# We must re-sign the libraries AFTER they are stripped.
+		local shlibsign="${EROOT}/usr/bin/shlibsign"
+		# See if we can execute it (cross-compiling & such). #436216
+		"${shlibsign}" -h >&/dev/null
+		if [[ $? -gt 1 ]] ; then
+			shlibsign="shlibsign"
+		fi
+		generate_chk "${shlibsign}" "${EROOT}"/usr/$(get_libdir)
+	}
+
+	multilib_foreach_abi multilib_pkg_postinst
+}
+
+pkg_postrm() {
+	multilib_pkg_postrm() {
+		cleanup_chk "${EROOT}"/usr/$(get_libdir)
+	}
+
+	multilib_foreach_abi multilib_pkg_postrm
+}


^ permalink raw reply related	[flat|nested] 19+ messages in thread

end of thread, other threads:[~2024-08-02 13:22 UTC | newest]

Thread overview: 19+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2018-03-05 20:47 [gentoo-commits] repo/gentoo:master commit in: dev-libs/nss/, dev-libs/nss/files/ Ian Stakenvicius
  -- strict thread matches above, loose matches on Subject: below --
2024-08-02 13:21 Joonas Niilola
2024-04-15  6:40 Joonas Niilola
2024-03-17  8:18 Joonas Niilola
2023-02-10  8:57 Joonas Niilola
2022-11-01  8:49 Joonas Niilola
2021-04-16 11:34 Thomas Deutschmann
2021-01-09 13:53 Lars Wendler
2020-12-01 16:56 Thomas Deutschmann
2020-08-30 22:57 Thomas Deutschmann
2020-06-28 19:05 Thomas Deutschmann
2019-10-20 14:54 Lars Wendler
2019-01-22 20:04 Ian Stakenvicius
2019-01-18 15:37 Lars Wendler
2017-07-30 14:32 Jory Pratt
2017-01-19 15:41 Ian Stakenvicius
2016-12-23  9:57 Lars Wendler
2016-12-23  9:57 Lars Wendler
2015-11-26 21:56 Jory Pratt

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox