Bug 1543545 - Option to produce static libraries, r=kevinjacobs

Summary:
The fine folks in application services would like to use NSS, but would greatly
prefer static linking.  Part of that is driven by iOS constraints on performance
and a possible rejection from the store for dynamic linking (NSS dynamically
loads softoken).  This provides a build option that produces a fully statically
linked set of libraries.

Reviewers: KevinJacobs

Tags: #secure-revision

Bug #: 1543545

Differential Revision: https://phabricator.services.mozilla.com/D29303

--HG--
extra : rebase_source : 8d75b17776ecde38c7350cf70946e0221349e01f

build.sh

@@ -94,7 +94,8 @@ while [ $# -gt 0 ]; do
         --sancov=?*) enable_sancov "${1#*=}" ;;
         --emit-llvm) gyp_params+=(-Demit_llvm=1 -Dsign_libs=0) ;;
         --no-zdefs) gyp_params+=(-Dno_zdefs=1) ;;
-        --test) gyp_params+=(-Dtest_build=1) ;;
+        --test) gyp_params+=(-Dtest_build=1 -Dstatic_libs=1) ;;
+        --static) gyp_params+=(-Dstatic_libs=1) ;;
         --ct-verif) gyp_params+=(-Dct_verif=1) ;;
         --nspr) nspr_clean; rebuild_nspr=1 ;;
         --with-nspr=?*) set_nspr_path "${1#*=}"; no_local_nspr=1 ;;

coreconf/config.gypi

@@ -99,6 +99,7 @@
     'moz_folded_library_name%': '',
     'sanitizer_flags%': 0,
     'test_build%': 0,
+    'static_libs%': 0,
     'no_zdefs%': 0,
     'fuzz%': 0,
     'fuzz_tls%': 0,
@@ -122,6 +123,7 @@
     'variables': {
       'mapfile%': '',
       'test_build%': 0,
+      'static_libs%': 0,
       'debug_optimization_level%': '0',
       'release_optimization_level%': '2',
     },
@@ -142,6 +144,11 @@
           'NSS_NO_INIT_SUPPORT',
         ],
       }],
+      [ 'static_libs==1', {
+        'variables': {
+          'standalone_static_library': '1',
+        },
+      }],
       [ 'OS!="android" and OS!="mac" and OS!="win"', {
         'libraries': [
           '-lpthread',
@@ -257,7 +264,7 @@
             }],
           }]
         ],
-      }, 'test_build==1 and _type=="shared_library"', {
+      }, 'static_libs==1 and _type=="shared_library"', {
         # When linking a shared lib against a static one, XCode doesn't
         # export the latter's symbols by default. -all_load fixes that.
         'xcode_settings': {

coreconf/fuzz.sh

@@ -14,7 +14,7 @@ if [ -z "$CC" ]; then
     export CXX=clang++
 fi
 
-gyp_params+=(-Dtest_build=1 -Dfuzz=1 -Dsign_libs=0)
+gyp_params+=(-Dtest_build=1 -Dstatic_libs=1 -Dfuzz=1 -Dsign_libs=0)
 
 # Add debug symbols even for opt builds.
 nspr_params+=(--enable-debug-symbols)

gtests/pk11_gtest/pk11_gtest.gyp

@@ -29,27 +29,29 @@
       ],
       'dependencies': [
         '<(DEPTH)/exports.gyp:nss_exports',
-        '<(DEPTH)/lib/util/util.gyp:nssutil3',
         '<(DEPTH)/cpputil/cpputil.gyp:cpputil',
         '<(DEPTH)/gtests/google_test/google_test.gyp:gtest',
       ],
       'conditions': [
-        [ 'test_build==1', {
+        [ 'static_libs==1', {
           'dependencies': [
-            '<(DEPTH)/lib/nss/nss.gyp:nss_static',
-            '<(DEPTH)/lib/pk11wrap/pk11wrap.gyp:pk11wrap_static',
-            '<(DEPTH)/lib/cryptohi/cryptohi.gyp:cryptohi',
-            '<(DEPTH)/lib/certhigh/certhigh.gyp:certhi',
-            '<(DEPTH)/lib/certdb/certdb.gyp:certdb',
             '<(DEPTH)/lib/base/base.gyp:nssb',
+            '<(DEPTH)/lib/certdb/certdb.gyp:certdb',
+            '<(DEPTH)/lib/certhigh/certhigh.gyp:certhi',
+            '<(DEPTH)/lib/cryptohi/cryptohi.gyp:cryptohi',
             '<(DEPTH)/lib/dev/dev.gyp:nssdev',
+            '<(DEPTH)/lib/freebl/freebl.gyp:freebl_static',
+            '<(DEPTH)/lib/nss/nss.gyp:nss_static',
+            '<(DEPTH)/lib/pk11wrap/pk11wrap.gyp:pk11wrap_static',
             '<(DEPTH)/lib/pki/pki.gyp:nsspki',
             '<(DEPTH)/lib/ssl/ssl.gyp:ssl',
+            '<(DEPTH)/lib/util/util.gyp:nssutil',
           ],
         }, {
           'dependencies': [
             '<(DEPTH)/lib/nss/nss.gyp:nss3',
             '<(DEPTH)/lib/ssl/ssl.gyp:ssl3',
+            '<(DEPTH)/lib/util/util.gyp:nssutil3',
           ],
         }],
       ],

gtests/softoken_gtest/softoken_gtest.gyp

@@ -19,7 +19,7 @@
         '<(DEPTH)/gtests/google_test/google_test.gyp:gtest',
       ],
       'conditions': [
-        [ 'test_build==1', {
+        [ 'static_libs==1', {
           'dependencies': [
             '<(DEPTH)/lib/nss/nss.gyp:nss_static',
             '<(DEPTH)/lib/pk11wrap/pk11wrap.gyp:pk11wrap_static',

gtests/ssl_gtest/ssl_gtest.gyp

@@ -76,7 +76,7 @@
         '<(DEPTH)/lib/libpkix/libpkix.gyp:libpkix',
       ],
       'conditions': [
-        [ 'test_build==1', {
+        [ 'static_libs==1', {
           'dependencies': [
             '<(DEPTH)/lib/pk11wrap/pk11wrap.gyp:pk11wrap_static',
           ],

help.txt

@@ -40,6 +40,7 @@ NSS build tool options:
                      (requires the gold linker, use clang-3.8 for SAW)
     --no-zdefs       don't set -Wl,-z,defs
     --test           ignore map files and export everything we have
+    --static         create static libraries and use static linking
     --ct-verif       build with valgrind for ct-verif
     --nspr           force a rebuild of NSPR
     --with-nspr      use the NSPR build at the given locations

lib/pk11wrap/pk11load.c

@@ -353,7 +353,7 @@ SECMOD_SetRootCerts(PK11SlotInfo *slot, SECMODModule *mod)
     }
 }
 
-#ifndef NSS_TEST_BUILD
+#ifndef NSS_STATIC_SOFTOKEN
 static const char *my_shlib_name =
     SHLIB_PREFIX "nss" SHLIB_VERSION "." SHLIB_SUFFIX;
 static const char *softoken_shlib_name =
@@ -403,7 +403,7 @@ secmod_LoadPKCS11Module(SECMODModule *mod, SECMODModule **oldModule)
 
     /* internal modules get loaded from their internal list */
     if (mod->internal && (mod->dllName == NULL)) {
-#ifdef NSS_TEST_BUILD
+#ifdef NSS_STATIC_SOFTOKEN
         entry = (CK_C_GetFunctionList)NSC_GetFunctionList;
 #else
         /*
@@ -430,7 +430,7 @@ secmod_LoadPKCS11Module(SECMODModule *mod, SECMODModule **oldModule)
 
         if (mod->isModuleDB) {
             mod->moduleDBFunc = (CK_C_GetFunctionList)
-#ifdef NSS_TEST_BUILD
+#ifdef NSS_STATIC_SOFTOKEN
                 NSC_ModuleDBFunc;
 #else
                 PR_FindSymbol(softokenLib, "NSC_ModuleDBFunc");
@@ -612,7 +612,7 @@ SECMOD_UnloadModule(SECMODModule *mod)
      * if not, we should change this to SECFailure and move it above the
      * mod->loaded = PR_FALSE; */
     if (mod->internal && (mod->dllName == NULL)) {
-#ifndef NSS_TEST_BUILD
+#ifndef NSS_STATIC_SOFTOKEN
         if (0 == PR_ATOMIC_DECREMENT(&softokenLoadCount)) {
             if (softokenLib) {
                 disableUnload = PR_GetEnvSecure("NSS_DISABLE_UNLOAD");

lib/pk11wrap/pk11wrap.gyp

@@ -10,7 +10,7 @@
       'target_name': 'pk11wrap_static',
       'type': 'static_library',
       'defines': [
-        'NSS_TEST_BUILD',
+        'NSS_STATIC_SOFTOKEN',
       ],
       'dependencies': [
         'pk11wrap_base',

lib/softoken/pkcs11.c

@@ -3157,7 +3157,7 @@ nsc_CommonFinalize(CK_VOID_PTR pReserved, PRBool isFIPS)
      * this call doesn't force freebl to be reloaded. */
     BL_SetForkState(PR_FALSE);
 
-#ifndef NSS_TEST_BUILD
+#ifndef NSS_STATIC_SOFTOKEN
     /* unload freeBL shared library from memory. This may only decrement the
      * OS refcount if it's been loaded multiple times, eg. by libssl */
     BL_Unload();

lib/softoken/softoken.gyp

@@ -10,7 +10,7 @@
       'target_name': 'softokn_static',
       'type': 'static_library',
       'defines': [
-        'NSS_TEST_BUILD',
+        'NSS_STATIC_SOFTOKEN',
       ],
       'dependencies': [
         'softokn_base',