summaryrefslogtreecommitdiffstats
path: root/security/moz.build
blob: c1f9155c80cf2c7250821e5064863471cb27ed73 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
# -*- Mode: python; indent-tabs-mode: nil; tab-width: 40 -*-
# vim: set filetype=python:
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.

with Files("**"):
    BUG_COMPONENT = ("Core", "Security: PSM")

with Files("generate*.py"):
    BUG_COMPONENT = ("Firefox Build System", "General")

with Files("nss/**"):
    BUG_COMPONENT = ("NSS", "Libraries")

with Files("nss.symbols"):
    BUG_COMPONENT = ("NSS", "Libraries")

if CONFIG["MOZ_SYSTEM_NSS"]:
    Library("nss")
    OS_LIBS += CONFIG["NSS_LIBS"]

include("/build/gyp_base.mozbuild")
if CONFIG["MOZ_FOLD_LIBS"]:
    GeckoSharedLibrary("nss", linkage=None)
    # TODO: The library name can be changed when bug 845217 is fixed.
    SHARED_LIBRARY_NAME = "nss3"

    USE_LIBS += [
        "nspr4",
        "nss3_static",
        "nssutil",
        "plc4",
        "plds4",
        "smime3_static",
        "ssl",
    ]

    OS_LIBS += CONFIG["REALTIME_LIBS"]

    SYMBOLS_FILE = "nss.symbols"
    # This changes the default targets in the NSS build, among
    # other things.
    gyp_vars["moz_fold_libs"] = 1
    # Some things in NSS need to link against nssutil, which
    # gets folded, so this tells them what to link against.
    gyp_vars["moz_folded_library_name"] = "nss"
    # Force things in NSS that want to link against NSPR to link
    # against the folded library.
    gyp_vars["nspr_libs"] = "nss"
elif not CONFIG["MOZ_SYSTEM_NSS"]:
    Library("nss")
    USE_LIBS += [
        "nss3",
        "nssutil3",
        "smime3",
        "sqlite",
        "ssl3",
    ]
    gyp_vars["nspr_libs"] = "nspr"
else:
    gyp_vars["nspr_libs"] = "nspr"
    # Bug 1805371: We need a static copy of NSS for the tlsserver test
    # binaries even when building with system NSS. But there's no good
    # way to build NSS that does not pollute dist/bin with shared
    # object files. For now, we have to build mozpkix only and disable
    # the affected tests.
    gyp_vars["mozpkix_only"] = 1

# This disables building some NSS tools.
gyp_vars["mozilla_client"] = 1

# This builds NSS tools in COMM applications that Firefox doesn't build.
if CONFIG["MOZ_BUILD_APP"].startswith("comm/"):
    gyp_vars["comm_client"] = 1

# We run shlibsign as part of packaging, not build.
gyp_vars["sign_libs"] = 0
gyp_vars["python"] = CONFIG["PYTHON3"]
# The NSS gyp files do not have a default for this.
gyp_vars["nss_dist_dir"] = "$PRODUCT_DIR/dist"
# NSS wants to put public headers in $nss_dist_dir/public/nss by default,
# which would wind up being mapped to dist/include/public/nss (by
# gyp_reader's `handle_copies`).
# This forces it to put them in dist/include/nss.
gyp_vars["nss_public_dist_dir"] = "$PRODUCT_DIR/dist"
gyp_vars["nss_dist_obj_dir"] = "$PRODUCT_DIR/dist/bin"
# We don't currently build NSS tests.
gyp_vars["disable_tests"] = 1
gyp_vars["disable_dbm"] = 1
gyp_vars["disable_libpkix"] = 1
gyp_vars["enable_sslkeylogfile"] = 1
# Whether we're using system NSS or Rust nssckbi, we don't need
# to build C nssckbi
gyp_vars["disable_ckbi"] = 1
# pkg-config won't reliably find zlib on our builders, so just force it.
# System zlib is only used for modutil and signtool unless
# SSL zlib is enabled, which we are disabling immediately below this.
gyp_vars["zlib_libs"] = "-lz"
gyp_vars["ssl_enable_zlib"] = 0
# System sqlite here is the in-tree mozsqlite.
gyp_vars["use_system_sqlite"] = 1
gyp_vars["sqlite_libs"] = "sqlite"
gyp_vars["enable_draft_hpke"] = 1

# Clang can build NSS with its integrated assembler since version 9.
if (
    CONFIG["CPU_ARCH"] == "x86_64"
    and CONFIG["CC_TYPE"] == "clang"
    and int(CONFIG["CC_VERSION"].split(".")[0]) >= 9
):
    gyp_vars["force_integrated_as"] = 1


if CONFIG["MOZ_SYSTEM_NSPR"]:
    gyp_vars["nspr_include_dir"] = "%" + CONFIG["NSPR_INCLUDE_DIR"]
    gyp_vars["nspr_lib_dir"] = "%" + CONFIG["NSPR_LIB_DIR"]
else:
    gyp_vars["nspr_include_dir"] = "!/dist/include/nspr"
    gyp_vars["nspr_lib_dir"] = ""  # gyp wants a value, but we don't need
    # it to be valid.

# The Python scripts that detect clang need it to be set as CC
# in the environment, which isn't true here. I don't know that
# setting that would be harmful, but we already have this information
# anyway.
if CONFIG["CC_TYPE"] in ("clang", "clang-cl"):
    gyp_vars["cc_is_clang"] = 1
if CONFIG["GCC_USE_GNU_LD"]:
    gyp_vars["cc_use_gnu_ld"] = 1

GYP_DIRS += ["nss"]
GYP_DIRS["nss"].input = "nss/nss.gyp"
GYP_DIRS["nss"].variables = gyp_vars

sandbox_vars = {
    # NSS explicitly exports its public symbols
    # with linker scripts.
    "COMPILE_FLAGS": {
        "VISIBILITY": [],
        "WARNINGS_CFLAGS": [
            f for f in CONFIG["WARNINGS_CFLAGS"] if f != "-Wsign-compare"
        ],
    },
    # NSS' build system doesn't currently build NSS with PGO.
    # We could probably do so, but not without a lot of
    # careful consideration.
    "NO_PGO": True,
}
if CONFIG["OS_TARGET"] == "WINNT":
    # We want to remove XP_WIN32 eventually. See bug 1535219 for details.
    sandbox_vars["CFLAGS"] = ["-DXP_WIN32"]
    if CONFIG["CPU_ARCH"] == "x86":
        # This should really be the default.
        sandbox_vars["ASFLAGS"] = ["-safeseh"]

    DELAYLOAD_DLLS += [
        "winmm.dll",
    ]

if CONFIG["OS_TARGET"] == "Android":
    sandbox_vars["CFLAGS"] = [
        "-include",
        TOPSRCDIR + "/security/manager/android_stub.h",
    ]
    if CONFIG["ANDROID_VERSION"]:
        sandbox_vars["CFLAGS"] += ["-DANDROID_VERSION=" + CONFIG["ANDROID_VERSION"]]
if CONFIG["MOZ_SYSTEM_NSS"]:
    sandbox_vars["CXXFLAGS"] = CONFIG["NSS_CFLAGS"]
GYP_DIRS["nss"].sandbox_vars = sandbox_vars
GYP_DIRS["nss"].no_chromium = True
GYP_DIRS["nss"].no_unified = True
# This maps action names from gyp files to
# Python scripts that can be used in moz.build GENERATED_FILES.
GYP_DIRS["nss"].action_overrides = {
    "generate_certdata_c": "generate_certdata.py",
    "generate_mapfile": "generate_mapfile.py",
}

if CONFIG["NSS_EXTRA_SYMBOLS_FILE"]:
    DEFINES["NSS_EXTRA_SYMBOLS_FILE"] = CONFIG["NSS_EXTRA_SYMBOLS_FILE"]

SPHINX_TREES["nss"] = "nss/doc/rst"

with Files("nss/doc/rst/**"):
    SCHEDULES.exclusive = ["nss"]