bug 1295937 - build NSS using gyp files. r=glandium
authorTed Mielczarek <ted@mielczarek.org>
Wed, 09 Nov 2016 12:37:09 -0500
changeset 368291 ee70776759bf296c951a9805d5b79169291be4d3
parent 368290 165a160a0f689ab1e0143376d7ee8ce07c300fb6
child 368292 c138e5675e8c09579bd06d0b5963ea255e5aa78a
push id6996
push userjlorenzo@mozilla.com
push dateMon, 06 Mar 2017 20:48:21 +0000
reviewersglandium
bugs1295937
milestone53.0a1
bug 1295937 - build NSS using gyp files. r=glandium MozReview-Commit-ID: Gm1PLWSJwbD
build/autoconf/nspr-build.m4
config/external/nss/Makefile.in
config/external/nss/crmf/moz.build
config/external/nss/moz.build
config/external/nss/nss.mk
config/external/nss/nss.symbols
moz.build
old-configure.in
python/mozbuild/mozbuild/frontend/emitter.py
security/generate_certdata.py
security/generate_mapfile.py
security/moz.build
security/nss.symbols
--- a/build/autoconf/nspr-build.m4
+++ b/build/autoconf/nspr-build.m4
@@ -151,16 +151,18 @@ if test -n "$MOZ_SYSTEM_NSPR" -o -n "$NS
                 AC_MSG_ERROR([system NSPR does not support PR_STATIC_ASSERT or including prtypes.h does not provide it]))
     AC_TRY_COMPILE([#include "prtypes.h"],
                 [#ifndef PR_UINT64
                  #error PR_UINT64 not defined or requires including prtypes.h
                  #endif],
                 ,
                 AC_MSG_ERROR([system NSPR does not support PR_UINT64 or including prtypes.h does not provide it]))
     CFLAGS=$_SAVE_CFLAGS
+    NSPR_INCLUDE_DIR=`echo ${NSPR_CFLAGS} | sed -e 's/.*-I\([^ ]*\).*/\1/'`
+    NSPR_LIB_DIR=`echo ${NSPR_LIBS} | sed -e 's/.*-L\([^ ]*\).*/\1/'`
 elif test -z "$JS_POSIX_NSPR"; then
     NSPR_INCLUDE_DIR="${DIST}/include/nspr"
     NSPR_CFLAGS="-I${NSPR_INCLUDE_DIR}"
     if test -n "$GNU_CC"; then
         if test -n "$MOZ_FOLD_LIBS"; then
            NSPR_LIB_DIR=${DIST}/lib
         else
            NSPR_LIB_DIR=${DIST}/bin
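Review bot: The two added `sed` extractions of `NSPR_INCLUDE_DIR` and `NSPR_LIB_DIR` have no failure path. When `NSPR_CFLAGS` or `NSPR_LIBS` holds no `-I`/`-L` token the pattern does not match and the whole flag string is assigned as the directory. Because the leading `.*` is greedy, the last `-I`/`-L` wins, whereas the deleted Makefile.in took `$(firstword $(filter -I%,...))` and stopped with "Your NSPR CFLAGS are broken!". These values are handed to the NSS build as `nspr_include_dir`/`nspr_lib_dir` in security/moz.build, so a bad value could select the wrong NSPR headers or libraries without any diagnostic. I would guard each assignment, e.g. `case "$NSPR_INCLUDE_DIR" in ""|-*|*" "*) AC_MSG_ERROR([cannot derive NSPR include dir from NSPR_CFLAGS]);; esac`, and quote the `echo` arguments; the enclosing `if`/`elif` starts and ends outside the hunk.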
deleted file mode 100644
--- a/config/external/nss/Makefile.in
+++ /dev/null
@@ -1,485 +0,0 @@
-#
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
-ifndef MOZ_SYSTEM_NSS
-
-CC_WRAPPER =
-CXX_WRAPPER =
-
-default::
-
-include $(topsrcdir)/config/makefiles/functions.mk
-
-NSS_LIBS = \
-  nss3 \
-  nssutil3 \
-  smime3 \
-  ssl3 \
-  $(NULL)
-
-ifdef MOZ_FOLD_LIBS
-NSS_DLLS = $(LIBRARY_NAME)
-else
-NSS_DLLS = $(NSS_LIBS)
-endif
-
-NSS_EXTRA_DLLS = \
-  nssckbi \
-  softokn3 \
-  $(NULL)
-
-ifndef NSS_DISABLE_DBM
-NSS_EXTRA_DLLS += nssdbm3
-endif
-
-SDK_LIBS = crmf
-
-ifneq (,$(filter WINNT,$(OS_ARCH)))
-SDK_LIBS += $(NSS_DLLS)
-endif
-
-# Default
-HAVE_FREEBL_LIBS = 1
-
-# 32-bit HP-UX PA-RISC
-ifeq ($(OS_ARCH), HP-UX)
-ifneq ($(OS_TEST), ia64)
-ifndef HAVE_64BIT_BUILD
-HAVE_FREEBL_LIBS =
-HAVE_FREEBL_LIBS_32INT32 = 1
-HAVE_FREEBL_LIBS_32FPU = 1
-endif
-endif
-endif
-
-# SunOS SPARC
-ifeq ($(OS_ARCH), SunOS)
-ifneq (86,$(findstring 86,$(OS_TEST)))
-ifdef HAVE_64BIT_BUILD
-HAVE_FREEBL_LIBS =
-HAVE_FREEBL_LIBS_64 = 1
-else
-HAVE_FREEBL_LIBS =
-HAVE_FREEBL_LIBS_32FPU = 1
-HAVE_FREEBL_LIBS_32INT64 = 1
-endif
-endif
-endif
-
-ifeq ($(OS_TARGET),Linux)
-HAVE_FREEBL_LIBS = 
-HAVE_FREEBL_LIBS_PRIV = 1
-FREEBL_LOWHASH_FLAG = FREEBL_LOWHASH=1
-endif
-
-ifdef HAVE_FREEBL_LIBS
-NSS_EXTRA_DLLS += freebl3
-endif
-ifdef HAVE_FREEBL_LIBS_PRIV
-NSS_EXTRA_DLLS += freeblpriv3
-endif
-ifdef HAVE_FREEBL_LIBS_32INT32
-NSS_EXTRA_DLLS += freebl_32int_3
-endif
-ifdef HAVE_FREEBL_LIBS_32FPU
-NSS_EXTRA_DLLS += freebl_32fpu_3
-endif
-ifdef HAVE_FREEBL_LIBS_32INT64
-NSS_EXTRA_DLLS += freebl_32int64_3
-endif
-ifdef HAVE_FREEBL_LIBS_64
-NSS_EXTRA_DLLS += freebl_64int_3
-NSS_EXTRA_DLLS += freebl_64fpu_3
-endif
-
-# For all variables such as DLLFLAGS, that may contain $(DIST)
-DIST := $(ABS_DIST)
-# TODO: move this all to configure, but in Python
-ifndef MOZ_BUILD_NSPR
-NSPR_INCLUDE_DIR = $(firstword $(filter -I%,$(NSPR_CFLAGS)))
-ifneq (,$(strip $(NSPR_INCLUDE_DIR)))
-NSPR_INCLUDE_DIR := $(subst -I,,$(subst -I$(DIST),-I$(ABS_DIST),$(NSPR_INCLUDE_DIR)))
-else
-$(error Your NSPR CFLAGS are broken!)
-endif
-NSPR_LIB_DIR = $(firstword $(filter -L%,$(NSPR_LIBS)))
-ifneq (,$(strip $(NSPR_LIB_DIR)))
-NSPR_LIB_DIR := $(subst -L,,$(subst -L$(DIST),-L$(ABS_DIST),$(NSPR_LIB_DIR)))
-else
-$(error Your NSPR LDFLAGS are broken!)
-endif
-endif
-
-# To get debug symbols from NSS
-export MOZ_DEBUG_SYMBOLS
-
-DEFAULT_GMAKE_FLAGS =
-DEFAULT_GMAKE_FLAGS += CC='$(CC)'
-DEFAULT_GMAKE_FLAGS += MT='$(MT)'
-DEFAULT_GMAKE_FLAGS += LD='$(LD)'
-DEFAULT_GMAKE_FLAGS += SOURCE_MD_DIR=$(ABS_DIST)
-DEFAULT_GMAKE_FLAGS += SOURCE_MDHEADERS_DIR=$(NSPR_INCLUDE_DIR)
-DEFAULT_GMAKE_FLAGS += DIST=$(ABS_DIST)
-DEFAULT_GMAKE_FLAGS += NSPR_INCLUDE_DIR=$(NSPR_INCLUDE_DIR)
-DEFAULT_GMAKE_FLAGS += NSPR_LIB_DIR=$(NSPR_LIB_DIR)
-DEFAULT_GMAKE_FLAGS += MOZILLA_CLIENT=1
-DEFAULT_GMAKE_FLAGS += NO_MDUPDATE=1
-DEFAULT_GMAKE_FLAGS += NSS_ENABLE_ECC=1
-DEFAULT_GMAKE_FLAGS += NSS_ENABLE_TLS_1_3=1
-ifeq ($(OS_ARCH)_$(GNU_CC),WINNT_1)
-DEFAULT_GMAKE_FLAGS += OS_DLLFLAGS='-static-libgcc' NSPR31_LIB_PREFIX=lib
-endif
-ifndef MOZ_SYSTEM_SQLITE
-ifdef MOZ_FOLD_LIBS
-DEFAULT_GMAKE_FLAGS += SQLITE_LIB_NAME=nss3
-else
-DEFAULT_GMAKE_FLAGS += SQLITE_LIB_NAME=mozsqlite3
-DEFAULT_GMAKE_FLAGS += SQLITE_LIB_DIR=$(ABS_DIST)/../config/external/sqlite
-endif # MOZ_FOLD_LIBS
-DEFAULT_GMAKE_FLAGS += SQLITE_INCLUDE_DIR=$(ABS_DIST)/include
-endif
-ifdef NSS_DISABLE_DBM 
-DEFAULT_GMAKE_FLAGS += NSS_DISABLE_DBM=1
-endif
-# Hack to force NSS build system to use "normal" object directories
-DEFAULT_GMAKE_FLAGS += topsrcdir='$(topsrcdir)'
-# topsrcdir can't be expanded here because msys path mangling likes to break
-# paths in that case.
-DEFAULT_GMAKE_FLAGS += BUILD='$(MOZ_BUILD_ROOT)/security/$$(subst $$(topsrcdir)/security/,,$$(CURDIR))'
-DEFAULT_GMAKE_FLAGS += BUILD_TREE='$$(BUILD)' OBJDIR='$$(BUILD)' DEPENDENCIES='$$(BUILD)/.deps' SINGLE_SHLIB_DIR='$$(BUILD)'
-DEFAULT_GMAKE_FLAGS += SOURCE_XP_DIR=$(ABS_DIST)
-ifndef MOZ_DEBUG
-DEFAULT_GMAKE_FLAGS += BUILD_OPT=1 OPT_CODE_SIZE=1
-endif
-ifdef GNU_CC
-DEFAULT_GMAKE_FLAGS += NS_USE_GCC=1
-else
-DEFAULT_GMAKE_FLAGS += NS_USE_GCC=
-endif
-ifdef USE_N32
-# It is not really necessary to specify USE_PTHREADS=1.  USE_PTHREADS
-# merely adds _PTH to coreconf's OBJDIR name.
-DEFAULT_GMAKE_FLAGS += USE_N32=1 USE_PTHREADS=1
-endif
-ifdef HAVE_64BIT_BUILD
-DEFAULT_GMAKE_FLAGS += USE_64=1
-endif
-ifeq ($(OS_ARCH),WINNT)
-DEFAULT_GMAKE_FLAGS += OS_TARGET=WIN95
-ifdef MOZ_DEBUG
-ifndef MOZ_NO_DEBUG_RTL
-DEFAULT_GMAKE_FLAGS += USE_DEBUG_RTL=1
-endif
-endif
-endif # WINNT
-ifeq ($(OS_ARCH),Darwin)
-# Make nsinstall use absolute symlinks by default when building NSS
-# for Mozilla on Mac OS X. (Bugzilla bug 193164)
-ifndef NSDISTMODE
-DEFAULT_GMAKE_FLAGS += NSDISTMODE=absolute_symlink
-endif
-ifdef MACOS_SDK_DIR
-DEFAULT_GMAKE_FLAGS += MACOS_SDK_DIR=$(MACOS_SDK_DIR)
-endif
-endif
-
-# Turn off TLS compression support because it requires system zlib.
-# See bug 580679 comment 18.
-DEFAULT_GMAKE_FLAGS += NSS_SSL_ENABLE_ZLIB=
-
-# Disable building of the test programs in security/nss/lib/zlib
-DEFAULT_GMAKE_FLAGS += PROGRAMS=
-
-# Disable creating .chk files. They will be generated from packager.mk
-# When bug 681624 lands, we can replace CHECKLOC= with SKIP_SHLIBSIGN=1
-DEFAULT_GMAKE_FLAGS += CHECKLOC=
-
-ifdef CROSS_COMPILE
-
-DEFAULT_GMAKE_FLAGS += \
-	NATIVE_CC='$(HOST_CC)' \
-	CC='$(CC)' \
-	CCC='$(CXX)' \
-	AS='$(AS)' \
-	AR='$(AR) $(AR_FLAGS:$@=$$@)' \
-	RANLIB='$(RANLIB)' \
-	RC='$(RC) $(RCFLAGS)' \
-	OS_ARCH='$(OS_ARCH)' \
-	OS_TEST='$(OS_TEST)' \
-	CPU_ARCH='$(TARGET_CPU)' \
-	$(NULL)
-
-# Android has pthreads integrated into -lc, so OS_PTHREAD is set to nothing
-ifeq ($(OS_TARGET), Android)
-DEFAULT_GMAKE_FLAGS += \
-	OS_RELEASE='2.6' \
-	OS_PTHREAD= \
-	$(NULL)
-
-DEFAULT_GMAKE_FLAGS += ARCHFLAG='$(filter-out -W%,$(CFLAGS)) -DCHECK_FORK_GETPID $(addprefix -DANDROID_VERSION=,$(ANDROID_VERSION)) -include $(topsrcdir)/security/manager/android_stub.h'
-endif
-endif
-
-ifdef WRAP_LDFLAGS
-NSS_EXTRA_LDFLAGS += $(WRAP_LDFLAGS)
-endif
-
-# The SHARED_LIBS part is needed unconditionally on Android.  It's not
-# clear why this is the case, but see bug 1133073 (starting around
-# comment #8) for context.
-ifneq (,$(or $(MOZ_GLUE_WRAP_LDFLAGS), $(filter Android, $(OS_TARGET))))
-NSS_EXTRA_LDFLAGS += $(SHARED_LIBS:$(DEPTH)%=$(MOZ_BUILD_ROOT)%) $(MOZ_GLUE_WRAP_LDFLAGS)
-endif
-
-ifneq (,$(NSS_EXTRA_LDFLAGS))
-DEFAULT_GMAKE_FLAGS += \
-	LDFLAGS='$(LDFLAGS) $(NSS_EXTRA_LDFLAGS)' \
-	DSO_LDOPTS='$(DSO_LDOPTS) $(LDFLAGS) $(NSS_EXTRA_LDFLAGS)' \
-	$(NULL)
-endif
-
-DEFAULT_GMAKE_FLAGS += FREEBL_NO_DEPEND=0 $(FREEBL_LOWHASH_FLAG)
-DEFAULT_GMAKE_FLAGS += NSS_ALLOW_SSLKEYLOGFILE=1
-
-ifdef MOZ_NO_WLZDEFS
-DEFAULT_GMAKE_FLAGS += ZDEFS_FLAG=
-endif
-ifdef MOZ_CFLAGS_NSS
-NSS_XCFLAGS += $(filter-out -W%,$(CFLAGS))
-DEFAULT_GMAKE_FLAGS += DARWIN_DYLIB_VERSIONS='-compatibility_version 1 -current_version 1 $(LDFLAGS)'
-endif
-ifeq (1_1,$(CLANG_CL)_$(MOZ_ASAN))
-XLDFLAGS := $(OS_LDFLAGS)
-DEFAULT_GMAKE_FLAGS += XLDFLAGS='$(XLDFLAGS)'
-endif
-
-DEFAULT_GMAKE_FLAGS += NSS_NO_PKCS11_BYPASS=1
-
-# Put NSS headers directly under $(DIST)/include
-DEFAULT_GMAKE_FLAGS += PUBLIC_EXPORT_DIR='$(ABS_DIST)/include/$$(MODULE)'
-DEFAULT_GMAKE_FLAGS += SOURCE_XPHEADERS_DIR='$$(SOURCE_XP_DIR)/include/$$(MODULE)'
-DEFAULT_GMAKE_FLAGS += MODULE_INCLUDES='$$(addprefix -I$$(SOURCE_XP_DIR)/include/,$$(REQUIRES))'
-
-# Work around NSS's MAKE_OBJDIR being racy. See bug #836220
-DEFAULT_GMAKE_FLAGS += MAKE_OBJDIR='$$(INSTALL) -D $$(OBJDIR)'
-
-# Work around NSS adding IMPORT_LIBRARY to TARGETS with no rule for
-# it, creating race conditions. See bug #836220
-DEFAULT_GMAKE_FLAGS += TARGETS='$$(LIBRARY) $$(SHARED_LIBRARY) $$(PROGRAM)'
-
-ifdef MOZ_FOLD_LIBS_FLAGS
-NSS_XCFLAGS += $(MOZ_FOLD_LIBS_FLAGS)
-endif
-
-# Pass on the MSVC target arch from the main build system.
-# Note this is case- and switch-character sensitive, while
-# the MSVC option is not.
-ifeq (WINNT,$(OS_TARGET))
-NSS_XCFLAGS += $(filter -arch:%,$(CFLAGS))
-endif
-
-# Export accumulated XCFLAGS to modify nss defaults.
-DEFAULT_GMAKE_FLAGS += XCFLAGS='$(NSS_XCFLAGS)'
-
-NSS_SRCDIR = $(topsrcdir)
-
-NSS_DIRS =
-ifndef MOZ_FOLD_LIBS
-NSS_DIRS += nss/lib
-else
-ifndef NSS_DISABLE_DBM
-NSS_DIRS += nss/lib/dbm
-endif
-endif
-NSS_DIRS += \
-  nss/cmd/lib \
-  nss/cmd/shlibsign \
-  $(NULL)
-
-ifdef ENABLE_TESTS
-NSS_DIRS += \
-  nss/cmd/certutil \
-  nss/cmd/pk12util \
-  nss/cmd/modutil \
-  $(NULL)
-endif
-
-ifneq (,$(filter %--build-id,$(LDFLAGS)))
-DEFAULT_GMAKE_ENV = LDFLAGS=-Wl,--build-id
-endif
-
-ifdef MOZ_FOLD_LIBS
-# TODO: The following can be replaced by something simpler when bug 844880
-# is fixed.
-# All static libraries required for nss, smime, ssl and nssutil.
-# The strip is needed to remove potential linefeed characters, since they hang
-# around in some cases on Windows.
-NSS_STATIC_LIBS := $(strip $(shell $(MAKE) --no-print-directory -f $(srcdir)/nss.mk DEPTH='$(DEPTH)' topsrcdir='$(topsrcdir)' srcdir='$(srcdir)' echo-variable-libs))
-# Corresponding build directories
-NSS_STATIC_DIRS := $(foreach lib,$(NSS_STATIC_LIBS),$(patsubst %/,%,$(dir $(lib))))
-NSS_DIRS += $(NSS_STATIC_DIRS)
-
-# TODO: The following can be replaced by something simpler when bug 844884
-# is fixed.
-# Remaining nss/lib directories
-NSS_DIRS += nss/lib/freebl nss/lib/softoken nss/lib/jar nss/lib/crmf nss/lib/ckfw
-
-DEFAULT_GMAKE_FLAGS += NSS_DISABLE_LIBPKIX=1
-
-ifeq (WINNT,$(OS_TARGET))
-NSS_DIRS += nss/lib/zlib
-endif
-endif # MOZ_FOLD_LIBS
-
-# Filter-out $(LIBRARY_NAME) because it's already handled in config/rules.mk.
-NSS_DIST_DLL_FILES := $(addprefix $(DIST)/lib/$(DLL_PREFIX),$(addsuffix $(DLL_SUFFIX),$(filter-out $(LIBRARY_NAME),$(NSS_DLLS)) $(NSS_EXTRA_DLLS)))
-NSS_DIST_DLL_DEST := $(DIST)/bin
-NSS_DIST_DLL_TARGET := target
-INSTALL_TARGETS += NSS_DIST_DLL
-
-ifeq ($(OS_ARCH)_$(1), SunOS_softokn3)
-# has to use copy mode on Solaris, see #665509
-$(DIST)/bin/$(DLL_PREFIX)softokn3$(DLL_SUFFIX): INSTALL := $(INSTALL) -t
-endif
-
-NSS_SDK_LIB_FILES := \
-  $(addprefix $(DIST)/lib/$(LIB_PREFIX),$(addsuffix .$(LIB_SUFFIX),$(SDK_LIBS))) \
-  $(addprefix $(DIST)/bin/$(DLL_PREFIX),$(addsuffix $(DLL_SUFFIX),$(NSS_DLLS))) \
-  $(NULL)
-NSS_SDK_LIB_DEST := $(DIST)/sdk/lib
-NSS_SDK_LIB_TARGET := target
-INSTALL_TARGETS += NSS_SDK_LIB
-
-ifdef MOZ_FOLD_LIBS
-# Add all static libraries for nss, smime, ssl and nssutil
-STATIC_LIBS += $(addprefix $(DEPTH)/security/,$(NSS_STATIC_LIBS))
-
-IMPORT_LIB_FILES = $(IMPORT_LIBRARY)
-IMPORT_LIB_DEST ?= $(DIST)/lib
-IMPORT_LIB_TARGET = target
-INSTALL_TARGETS += IMPORT_LIB
-
-endif # MOZ_FOLD_LIBS
-
-include $(topsrcdir)/config/rules.mk
-
-ifeq (1,$(ALLOW_COMPILER_WARNINGS))
-DEFAULT_GMAKE_FLAGS += NSS_ENABLE_WERROR=0
-endif
-
-# Can't pass this in DEFAULT_GMAKE_FLAGS because that overrides
-# definitions in NSS, so just export it into the sub-make's environment.
-ifeq (WINNT_1,$(OS_TARGET)_$(MOZ_MEMORY))
-DLLFLAGS := -LIBPATH:$(ABS_DIST)/../mozglue/build -DEFAULTLIB:mozglue
-export DLLFLAGS
-endif
-
-ifdef MOZ_FOLD_LIBS
-# Force the linker to include everything from the static libraries.
-EXPAND_LIBS_EXEC += --extract
-
-$(SHARED_LIBRARY): $(addprefix $(DEPTH)/security/,$(NSS_STATIC_LIBS))
-
-ifdef IMPORT_LIB_SUFFIX
-IMPORT_PREFIX = $(LIB_PREFIX)
-IMPORT_SUFFIX = .$(IMPORT_LIB_SUFFIX)
-else
-IMPORT_PREFIX = $(DLL_PREFIX)
-IMPORT_SUFFIX = $(DLL_SUFFIX)
-endif
-
-NSPR_IMPORT_LIBS = $(addprefix $(DIST)/lib/$(IMPORT_PREFIX),$(addsuffix $(IMPORT_SUFFIX),nspr4 plc4 plds4))
-SQLITE_IMPORT_LIB = $(DIST)/lib/$(IMPORT_PREFIX)mozsqlite3$(IMPORT_SUFFIX)
-
-# TODO: The following can be replaced by something simpler when bug 844884
-# is fixed.
-# Associate target files with the rules that build them.
-$(DIST)/lib/$(LIB_PREFIX)crmf.$(LIB_SUFFIX): libs-nss/lib/crmf
-$(DIST)/lib/$(DLL_PREFIX)freebl3$(DLL_SUFFIX): libs-nss/lib/freebl
-$(DIST)/lib/$(DLL_PREFIX)nssckbi$(DLL_SUFFIX): libs-nss/lib/ckfw
-$(DIST)/lib/$(DLL_PREFIX)softokn3$(DLL_SUFFIX): libs-nss/lib/softoken
-$(DIST)/lib/$(DLL_PREFIX)nssdbm3$(DLL_SUFFIX): libs-nss/lib/softoken
-$(foreach lib,$(NSS_STATIC_LIBS),$(eval $(DEPTH)/security/$(lib): libs-$(patsubst %/,%,$(dir $(lib)))))
-
-# Create fake import libraries for the folded libraries, so that linking
-# against them works both for the NSS build system (see dependencies below)
-# and for the rest of the mozilla build system.
-$(NSPR_IMPORT_LIBS) \
-$(SQLITE_IMPORT_LIB) \
-$(DIST)/lib/$(IMPORT_PREFIX)nssutil3$(IMPORT_SUFFIX) \
-$(DIST)/lib/$(IMPORT_PREFIX)ssl3$(IMPORT_SUFFIX) \
-$(DIST)/lib/$(IMPORT_PREFIX)smime3$(IMPORT_SUFFIX): $(DIST)/lib/$(IMPORT_PREFIX)nss3$(IMPORT_SUFFIX)
-ifeq (WINNT,$(OS_TARGET))
-	cp $< $@
-else
-	ln -sf $< $@
-endif
-
-# Interdependencies between nss sub-directories, and dependencies on NSPR/SQLite
-libs-nss/lib/ckfw: libs-nss/lib/nss/../base $(NSPR_IMPORT_LIBS)
-libs-nss/lib/softoken: $(NSPR_IMPORT_LIBS) $(SQLITE_IMPORT_LIB)
-libs-nss/lib/softoken: libs-nss/lib/freebl
-ifndef NSS_DISABLE_DBM
-libs-nss/lib/softoken: libs-nss/lib/dbm
-endif
-libs-nss/lib/softoken: $(DIST)/lib/$(IMPORT_PREFIX)nssutil3$(IMPORT_SUFFIX)
-libs-nss/lib/freebl: $(DIST)/lib/$(IMPORT_PREFIX)nssutil3$(IMPORT_SUFFIX) $(NSPR_IMPORT_LIBS)
-
-# For each directory where we build static libraries, force the NSS build system
-# to only build static libraries.
-$(addprefix libs-,$(NSS_STATIC_DIRS)): DEFAULT_GMAKE_FLAGS += SHARED_LIBRARY= IMPORT_LIBRARY=
-else
-$(STATIC_LIBS) $(NSS_DIST_DLL_FILES) $(NSS_SDK_LIB_FILES): libs-nss/lib
-endif # MOZ_FOLD_LIBS
-
-ifeq ($(NSINSTALL_PY),$(NSINSTALL))
-DEFAULT_GMAKE_FLAGS += PYTHON='$(PYTHON)'
-DEFAULT_GMAKE_FLAGS += NSINSTALL_PY='$(abspath $(topsrcdir)/config/nsinstall.py)'
-DEFAULT_GMAKE_FLAGS += NSINSTALL='$$(PYTHON) $$(NSINSTALL_PY)'
-else
-DEFAULT_GMAKE_FLAGS += NSINSTALL='$(abspath $(NSINSTALL))'
-endif
-ifeq ($(OS_ARCH),WINNT)
-DEFAULT_GMAKE_FLAGS += INSTALL='$$(NSINSTALL) -t'
-endif
-DEFAULT_GMAKE_FLAGS += $(EXTRA_GMAKE_FLAGS)
-
-$(addprefix libs-,$(NSS_DIRS)): libs-%:
-# Work around NSS's export rule being racy when recursing for private_export
-# See bug #836220.
-$(addprefix export-,$(NSS_DIRS)): EXTRA_GMAKE_FLAGS = PRIVATE_EXPORTS=
-$(addprefix export-,$(NSS_DIRS)): export-%: private_export-%
-$(addprefix private_export-,$(NSS_DIRS)): EXTRA_GMAKE_FLAGS =
-$(addprefix private_export-,$(NSS_DIRS)): private_export-%:
-
-$(foreach p,libs export private_export,$(addprefix $(p)-,$(NSS_DIRS))):
-	$(DEFAULT_GMAKE_ENV) $(MAKE) -C $(NSS_SRCDIR)/security/$* $(@:-$*=) $(DEFAULT_GMAKE_FLAGS)
-
-export:: $(addprefix export-,$(NSS_DIRS))
-
-$(addprefix clean-,$(NSS_DIRS)): clean-%:
-	$(MAKE) -C $(NSS_SRCDIR)/security/$* $(DEFAULT_GMAKE_FLAGS) clean
-
-clean clobber clobber_all realclean distclean depend:: $(addprefix clean-,$(NSS_DIRS))
-
-NSS_CMD_TARGETS := $(addprefix libs-,$(filter-out nss/cmd/lib,$(filter nss/cmd/%,$(NSS_DIRS))))
-target:: $(NSS_CMD_TARGETS)
-
-ifdef MOZ_FOLD_LIBS
-$(NSS_CMD_TARGETS): $(addprefix $(DIST)/lib/$(IMPORT_PREFIX),$(addsuffix $(IMPORT_SUFFIX),$(NSS_LIBS)))
-libs-nss/cmd/modutil: libs-nss/lib/jar
-ifeq (WINNT,$(OS_TARGET))
-libs-nss/cmd/modutil: libs-nss/lib/zlib
-endif
-$(NSS_CMD_TARGETS): libs-nss/cmd/lib
-else
-$(NSS_CMD_TARGETS): libs-nss/lib libs-nss/cmd/lib
-endif # MOZ_FOLD_LIBS
-
-# Work around NSS build system race condition creating certdata.c in
-# security/nss/lib/ckfw/builtins. See bug #836220.
-libs-nss/lib$(if $(MOZ_FOLD_LIBS),/ckfw): $(call mkdir_deps,$(DEPTH)/security/nss/lib/ckfw/builtins)
-
-endif
deleted file mode 100644
--- a/config/external/nss/crmf/moz.build
+++ /dev/null
@@ -1,20 +0,0 @@
-# -*- Mode: python; indent-tabs-mode: nil; tab-width: 40 -*-
-# vim: set filetype=python:
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
-Library('crmf')
-
-if CONFIG['MOZ_SYSTEM_NSS']:
-    OS_LIBS += [l for l in CONFIG['NSS_LIBS'] if l.startswith('-L')]
-    OS_LIBS += ['-lcrmf']
-else:
-    USE_LIBS += [
-        # The dependency on nss is not real, but is required to force the
-        # parent directory being built before this one. This has no
-        # practical effect on linkage, since the only thing linking crmf
-        # will need nss anyways.
-        'nss',
-        'static:/security/nss/lib/crmf/crmf',
-    ]
deleted file mode 100644
--- a/config/external/nss/nss.mk
+++ /dev/null
@@ -1,27 +0,0 @@
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
-include $(DEPTH)/config/autoconf.mk
-
-include $(topsrcdir)/config/config.mk
-
-dirs :=
-
-define add_dirs
-SHARED_LIBRARY_DIRS :=
-include $(topsrcdir)/security/$(1)/config.mk
-dirs += $$(addprefix $(1)/,$$(SHARED_LIBRARY_DIRS)) $(1)
-endef
-$(foreach dir,util nss ssl smime,$(eval $(call add_dirs,nss/lib/$(dir))))
-
-libs :=
-define add_lib
-LIBRARY_NAME :=
-include $(topsrcdir)/security/$(1)/manifest.mn
-libs += $$(addprefix $(1)/,$(LIB_PREFIX)$$(LIBRARY_NAME).$(LIB_SUFFIX))
-endef
-$(foreach dir,$(dirs),$(eval $(call add_lib,$(dir))))
-
-echo-variable-%:
-	@echo $($*)
--- a/moz.build
+++ b/moz.build
@@ -65,17 +65,17 @@ if not CONFIG['JS_STANDALONE']:
 if CONFIG['USE_ICU']:
     DIRS += ['config/external/icu']
 
 if CONFIG['COMPILE_ENVIRONMENT']:
 
     if not CONFIG['JS_STANDALONE']:
         DIRS += [
             'config/external',
-            'config/external/nss',
+            'security',
         ]
 
     if CONFIG['BUILD_CTYPES']:
         DIRS += ['config/external/ffi']
 
     DIRS += ['js/src']
 else:
     TEST_DIRS += ['js/src/tests']
--- a/old-configure.in
+++ b/old-configure.in
@@ -2125,16 +2125,25 @@ MOZ_ARG_WITH_BOOL(system-nss,
 if test -n "$_USE_SYSTEM_NSS"; then
     AM_PATH_NSS(3.28, [MOZ_SYSTEM_NSS=1], [AC_MSG_ERROR([you don't have NSS installed or your version is too old])])
 fi
 
 if test -n "$MOZ_SYSTEM_NSS"; then
    NSS_LIBS="$NSS_LIBS -lcrmf"
 else
    NSS_CFLAGS="-I${DIST}/include/nss"
+   case "${OS_ARCH}" in
+        # This is to match the conditions in security/generate_mapfile.py,
+        # plus Windows which doesn't run that script.
+        WINNT|Darwin|Linux)
+            ;;
+        *)
+            AC_MSG_ERROR([building in-tree NSS is not supported on this platform. Use --with-system-nss])
+            ;;
+   esac
 fi
 
 if test -z "$SKIP_LIBRARY_CHECKS"; then
 dnl system JPEG support
 dnl ========================================================
 MOZ_ARG_WITH_STRING(system-jpeg,
 [  --with-system-jpeg[=PFX]
                           Use system libjpeg [installed at prefix PFX]],
--- a/python/mozbuild/mozbuild/frontend/emitter.py
+++ b/python/mozbuild/mozbuild/frontend/emitter.py
@@ -179,18 +179,16 @@ class TreeMetadataEmitter(LoggingMixin):
         # Keep track of external paths (third party build systems), starting
         # from what we run a subconfigure in. We'll eliminate some directories
         # as we traverse them with moz.build (e.g. js/src).
         subconfigures = os.path.join(self.config.topobjdir, 'subconfigures')
         paths = []
         if os.path.exists(subconfigures):
             paths = open(subconfigures).read().splitlines()
         self._external_paths = set(mozpath.normsep(d) for d in paths)
-        # Add security/nss manually, since it doesn't have a subconfigure.
-        self._external_paths.add('security/nss')
 
         self._emitter_time = 0.0
         self._object_count = 0
         self._test_files_converter = SupportFilesConverter()
 
     def summary(self):
         return ExecutionSummary(
             'Processed into {object_count:d} build config descriptors in '
new file mode 100644
--- /dev/null
+++ b/security/generate_certdata.py
@@ -0,0 +1,11 @@
+#!/usr/bin/env python
+#
+# This exists to paper over differences between gyp's `action` definitions
+# and moz.build `GENERATED_FILES` semantics.
+
+import buildconfig
+import subprocess
+
+def main(output, *inputs):
+    output.write(subprocess.check_output([buildconfig.substs['PERL']] + list(inputs)))
+    return None
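Review bot: `main()` has no docstring stating its contract, which from the call is that `inputs` is the argument vector handed to Perl (presumably the script path first, then its arguments) and that Perl's stdout becomes the generated file. It is also worth recording that the list form of `check_output` is deliberate: no shell is involved, so paths containing spaces or metacharacters are passed literally, and a later change to a command string would lose that property. Suggested comment above the call: `# argv list, no shell: every element of inputs is passed to perl verbatim`. The file also lacks the MPL header that the sibling `generate_mapfile.py` added in this commit carries.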
new file mode 100644
--- /dev/null
+++ b/security/generate_mapfile.py
@@ -0,0 +1,54 @@
+#!/usr/bin/env python
+
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+# This script processes NSS .def files according to the rules defined in
+# a comment at the top of each one. The files are used to define the
+# exports from NSS shared libraries, with -DEFFILE on Windows, a linker
+# script on Linux, or with -exported_symbols_list on OS X.
+#
+# The NSS build system processes them using a series of sed replacements,
+# but the Mozilla build system is already running a Python script to generate
+# the file so it's simpler to just do the replacement in Python.
+
+import buildconfig
+
+
+def main(output, input):
+    # There's a check in old-configure.in under the system-nss handling
+    # that should match this.
+    if buildconfig.substs['OS_ARCH'] not in ('Linux', 'Darwin'):
+        print "Error: unhandled OS_ARCH %s" % buildconfig.substs['OS_ARCH']
+        return 1
+    is_linux = buildconfig.substs['OS_ARCH'] == 'Linux'
+
+    with open(input, 'rb') as f:
+        for line in f:
+            line = line.rstrip()
+            # Remove all lines containing ';-'
+            if ';-' in line:
+                continue
+            # On non-Linux, remove all lines containing ';+'
+            if not is_linux and ';+' in line:
+                continue
+            # Remove the string ' DATA '.
+            line = line.replace(' DATA ', '')
+            # Remove the string ';+'
+            line = line.replace(';+', '')
+            # Remove the string ';;'
+            line = line.replace(';;', '')
+            # If a ';' is present, remove everything after it,
+            # and on non-Linux, remove it as well.
+            i = line.find(';')
+            if i != -1:
+                if is_linux:
+                    line = line[:i+1]
+                else:
+                    line = line[:i]
+            # On non-Linux, symbols get an underscore in front.
+            if line and not is_linux:
+                output.write('_')
+            output.write(line)
+            output.write('\n')
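Review bot: The unsupported-platform branch at the top of `main()` reports through a bare `print` to stdout and then `return 1`, so whether the build stops depends on how the GENERATED_FILES caller treats the return value, which this page does not show. If that value were ignored, the map file would be left empty and the resulting export list would not be the one the `.def` file describes. Raising makes the failure unconditional: `raise Exception('unhandled OS_ARCH %s' % buildconfig.substs['OS_ARCH'])`. A short docstring on `main()` saying that `input` is an NSS `.def` path and `output` the open file object for the linker export list would also help the next reader.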
rename from config/external/nss/moz.build
rename to security/moz.build
--- a/config/external/nss/moz.build
+++ b/security/moz.build
@@ -1,42 +1,125 @@
 # -*- Mode: python; indent-tabs-mode: nil; tab-width: 40 -*-
 # vim: set filetype=python:
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
 # file, You can obtain one at http://mozilla.org/MPL/2.0/.
 
-DIRS += ['crmf']
-
 if CONFIG['MOZ_SYSTEM_NSS']:
     Library('nss')
     OS_LIBS += CONFIG['NSS_LIBS']
-elif CONFIG['MOZ_FOLD_LIBS']:
-    GeckoSharedLibrary('nss', linkage=None)
-    # TODO: The library name can be changed when bug 845217 is fixed.
-    SHARED_LIBRARY_NAME = 'nss3'
+else:
+    include('/build/gyp_base.mozbuild')
+    if CONFIG['MOZ_FOLD_LIBS']:
+        GeckoSharedLibrary('nss', linkage=None)
+        # TODO: The library name can be changed when bug 845217 is fixed.
+        SHARED_LIBRARY_NAME = 'nss3'
+
+        SDK_LIBRARY = True
+
+        USE_LIBS += [
+            'nspr4',
+            'nss3_static',
+            'nssutil',
+            'plc4',
+            'plds4',
+            'smime3_static',
+            'ssl',
+        ]
+
+        OS_LIBS += CONFIG['REALTIME_LIBS']
 
-    SDK_LIBRARY = True
-
-    USE_LIBS += [
-        'nspr4',
-        'plc4',
-        'plds4',
-    ]
+        SYMBOLS_FILE = 'nss.symbols'
+        # This changes the default targets in the NSS build, among
+        # other things.
+        gyp_vars['moz_fold_libs'] = 1
+        # Some things in NSS need to link against nssutil, which
+        # gets folded, so this tells them what to link against.
+        gyp_vars['moz_folded_library_name'] = 'nss'
+        # Force things in NSS that want to link against NSPR to link
+        # against the folded library.
+        gyp_vars['nspr_libs'] = 'nss'
+    else:
+        Library('nss')
+        USE_LIBS += [
+            'nss3',
+            'nssutil3',
+            'smime3',
+            'sqlite',
+            'ssl3',
+        ]
+        gyp_vars['nspr_libs'] = 'nspr4 plc4 plds4'
 
-    OS_LIBS += CONFIG['REALTIME_LIBS']
+    # This disables building some NSS tools.
+    gyp_vars['mozilla_client'] = 1
+    # We run shlibsign as part of packaging, not build.
+    gyp_vars['sign_libs'] = 0
+    gyp_vars['python'] = CONFIG['PYTHON']
+    # The NSS gyp files do not have a default for this.
+    gyp_vars['nss_dist_dir'] = '$PRODUCT_DIR/dist'
+    # NSS wants to put public headers in $nss_dist_dir/public/nss by default,
+    # which would wind up being mapped to dist/include/public/nss (by
+    # gyp_reader's `handle_copies`).
+    # This forces it to put them in dist/include/nss.
+    gyp_vars['nss_public_dist_dir'] = '$PRODUCT_DIR/dist'
+    gyp_vars['nss_dist_obj_dir'] = '$PRODUCT_DIR/dist/bin'
+    # We don't currently build NSS tests.
+    gyp_vars['disable_tests'] = 1
+    if CONFIG['NSS_DISABLE_DBM']:
+        gyp_vars['disable_dbm'] = 1
+    gyp_vars['disable_libpkix'] = 1
+    # pkg-config won't reliably find zlib on our builders, so just force it.
+    # System zlib is only used for modutil and signtool unless
+    # SSL zlib is enabled, which we are disabling immediately below this.
+    gyp_vars['zlib_libs'] = '-lz'
+    gyp_vars['ssl_enable_zlib'] = 0
+    # System sqlite here is the in-tree mozsqlite.
+    gyp_vars['use_system_sqlite'] = 1
+    gyp_vars['sqlite_libs'] = 'sqlite'
+    gyp_vars['nspr_include_dir'] = CONFIG['NSPR_INCLUDE_DIR']
+    gyp_vars['nspr_lib_dir'] = CONFIG['NSPR_LIB_DIR']
+    # The Python scripts that detect clang need it to be set as CC
+    # in the environment, which isn't true here. I don't know that
+    # setting that would be harmful, but we already have this information
+    # anyway.
+    if CONFIG['CLANG_CXX']:
+        gyp_vars['cc_is_clang'] = 1
 
-    SYMBOLS_FILE = 'nss.symbols'
-else:
-    Library('nss')
-    USE_LIBS += [
-        '/security/nss/lib/nss/nss3',
-        '/security/nss/lib/smime/smime3',
-        '/security/nss/lib/ssl/ssl3',
-        '/security/nss/lib/util/nssutil3',
-        'sqlite',
-    ]
+    GYP_DIRS += ['nss']
+    GYP_DIRS['nss'].input = 'nss/nss.gyp'
+    GYP_DIRS['nss'].variables = gyp_vars
 
-# XXX: We should fix these warnings.
-ALLOW_COMPILER_WARNINGS = True
+    sandbox_vars = {
+        # NSS explicitly exports its public symbols
+        # with linker scripts.
+        'NO_VISIBILITY_FLAGS': True,
+        # XXX: We should fix these warnings.
+        'ALLOW_COMPILER_WARNINGS': True,
+        # NSS' build system doesn't currently build NSS with PGO.
+        # We could probably do so, but not without a lot of
+        # careful consideration.
+        'NO_PGO': True,
+    }
+    if CONFIG['OS_TARGET'] == 'WINNT':
+        if CONFIG['CPU_ARCH'] == 'x86':
+            # This should really be the default.
+            sandbox_vars['ASFLAGS'] = ['-safeseh']
+    if CONFIG['OS_TARGET'] == 'Android':
+        sandbox_vars['CFLAGS'] = [
+            '-include', TOPSRCDIR + '/security/manager/android_stub.h',
+            # Setting sandbox_vars['DEFINES'] is broken currently.
+            '-DCHECK_FORK_GETPID',
+        ]
+        if CONFIG['ANDROID_VERSION']:
+            sandbox_vars['CFLAGS'] += ['-DANDROID_VERSION=' + CONFIG['ANDROID_VERSION']]
+    GYP_DIRS['nss'].sandbox_vars = sandbox_vars
+    GYP_DIRS['nss'].no_chromium = True
+    GYP_DIRS['nss'].no_unified = True
+    # This maps action names from gyp files to
+    # Python scripts that can be used in moz.build GENERATED_FILES.
+    GYP_DIRS['nss'].action_overrides = {
+        'generate_certdata_c': 'generate_certdata.py',
+        'generate_mapfile': 'generate_mapfile.py',
+    }
 
 if CONFIG['NSS_EXTRA_SYMBOLS_FILE']:
     DEFINES['NSS_EXTRA_SYMBOLS_FILE'] = CONFIG['NSS_EXTRA_SYMBOLS_FILE']
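Review bot: Several security-relevant switches that the deleted `config/external/nss/Makefile.in` passed explicitly have no counterpart in the new `gyp_vars` block: `NSS_ENABLE_TLS_1_3=1`, `NSS_ENABLE_ECC=1`, `NSS_NO_PKCS11_BYPASS=1`, `NSS_ALLOW_SSLKEYLOGFILE=1` and, on Linux, `FREEBL_LOWHASH=1`. They may be covered by defaults in `nss/nss.gyp` and the files it includes, which this page does not show, but nothing in the hunk records that. I would add a comment next to `gyp_vars['mozilla_client'] = 1`, such as `# TLS 1.3, ECC, no-PKCS11-bypass and SSLKEYLOGFILE are gyp defaults, see <NSS gyp file that sets them>`, or set the corresponding variables explicitly if the defaults differ. Separately, `'ALLOW_COMPILER_WARNINGS': True` now covers the whole NSS gyp tree; the `XXX` comment is carried over, and a bug reference on it would keep the exemption traceable.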
rename from config/external/nss/nss.symbols
rename to security/nss.symbols
--- a/config/external/nss/nss.symbols
+++ b/security/nss.symbols
@@ -8,17 +8,17 @@
 # specify that NSPR's symbols should be globally visible.  Otherwise, NSPR's
 # exported symbols would be hidden.
 # .def files on Windows don't allow wildcards, of course, which is why this is
 # excluded on Windows, but it doesn't matter because the symbols are already
 # exported in NSPR (Windows peculiarity).
 PR_*
 PL_*
 #endif
-#include ../../../db/sqlite3/src/sqlite.symbols
+#include ../db/sqlite3/src/sqlite.symbols
 ATOB_AsciiToData
 ATOB_AsciiToData_Util
 ATOB_ConvertAsciiToItem
 ATOB_ConvertAsciiToItem_Util
 BTOA_ConvertItemToAscii_Util
 BTOA_DataToAscii
 BTOA_DataToAscii_Util
 CERT_AddCertToListHead