DXR will be turned off on Tuesday, December 29th. It will redirect to Searchfox.
See the announcement on Discourse.

DXR is a code search and navigation tool aimed at making sense of large projects. It supports full-text and regex searches as well as structural queries.

Mercurial (56e7b9127e89)

VCS Links

Line Code
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186
# Network Security Services

Network Security Services (NSS) is a set of libraries designed to support
cross-platform development of security-enabled client and server
applications. NSS supports SSL v3-TLS 1.2 (experimental TLS 1.3), PKCS #5, PKCS#7,
PKCS #11, PKCS #12, S/MIME, X.509 v3 certificates, and other security

## Getting started

In order to get started create a new directory on that you will be uses as your
local work area, and check out NSS and NSPR. (Note that there's no git mirror of
NSPR and you require mercurial to get the latest NSPR source.)

    git clone https://github.com/nss-dev/nss.git
    hg clone https://hg.mozilla.org/projects/nspr

NSS can also be cloned with mercurial

    hg clone https://hg.mozilla.org/projects/nss

## Building NSS

**This build system is under development. It does not yet support all the
features or platforms that NSS supports. To build on anything other than Mac or
Linux please use the legacy build system as described below.**

Build requirements:

* [gyp](https://gyp.gsrc.io/)
* [ninja](https://ninja-build.org/)

After changing into the NSS directory a typical build is done as follows


Once the build is done the build output is found in the directory
`../dist/Debug` for debug builds and `../dist/Release` for opt builds.
Exported header files can be found in the `include` directory, library files in
directory `lib`, and tools in directory `bin`. In order to run the tools, set
your system environment to use the libraries of your build from the "lib"
directory, e.g., using the `LD_LIBRARY_PATH` or `DYLD_LIBRARY_PATH`.

See [help.txt](https://hg.mozilla.org/projects/nss/raw-file/tip/help.txt) for
more information on using build.sh.

## Building NSS (legacy build system)

After changing into the NSS directory a typical build of 32-bit NSS is done as

    make nss_build_all

The following environment variables might be useful:

* `BUILD_OPT=1` to get an optimised build

* `USE_64=1` to get a 64-bit build (recommended)

The complete list of environment variables can be found

To clean the build directory run:

    make nss_clean_all

## Tests

### Setup

Make sure that the address `$HOST.$DOMSUF` on your computer is available. This
is necessary because NSS tests generate certificates and establish TLS
connections, which requires a fully qualified domain name.
You can test this by
calling `ping $HOST.$DOMSUF`. If this is working, you're all set.  If it's not,
set or export:


Note that you might have to add `nss.local` to `/etc/hosts` if it's not
there. The entry should look something like ` nss.local nss`.

### Running tests

**Runnning all tests will take a while!**

    cd tests

Make sure that all environment variables set for the build are set while running
the tests as well.  Test results are published in the folder

Individual tests can be run with the `NSS_TESTS` environment variable,
e.g. `NSS_TESTS=ssl_gtests ./all.sh` or by changing into the according directory
and running the bash script there `cd ssl_gtests && ./ssl_gtests.sh`.  The
following tests are available:

    cipher lowhash libpkix cert dbtests tools fips sdr crmf smime ssl ocsp merge pkits chains ec gtests ssl_gtests bogo policy

To make tests run faster it's recommended to set `NSS_CYCLES=standard` to run
only the standard cycle.

## Releases

NSS releases can be found at [Mozilla's download
server](https://ftp.mozilla.org/pub/security/nss/releases/). Because NSS depends
on the base library NSPR you should download the archive that combines both NSS
and NSPR.

## Contributing

[Bugzilla](https://bugzilla.mozilla.org/) is used to track NSS development and
bugs. File new bugs in the NSS product.

A list with good first bugs to start with are [listed

### NSS Folder Structure

The nss directory contains the following important subdirectories:

- `coreconf` contains the build logic.

- `lib` contains all library code that is used to create the runtime libraries.

- `cmd` contains a set of various tool programs that are built with NSS. Several
  tools are general purpose and can be used to inspect and manipulate the
  storage files that software using the NSS library creates and modifies. Other
  tools are only used for testing purposes.

- `test` and `gtests` contain the NSS test suite. While `test` contains shell
  scripts to drive test programs in `cmd`, `gtests` holds a set of

A more comprehensible overview of the NSS folder structure and API guidelines
can be found

## Build mechanisms related to FIPS compliance

NSS supports build configurations for FIPS-140 compliance, and alternative build
configurations that disable functionality specific to FIPS-140 compliance.

This section documents the environment variables and build parameters that
control these configurations.

### Build FIPS startup tests

The C macro NSS_NO_INIT_SUPPORT controls the FIPS startup self tests.
If NSS_NO_INIT_SUPPORT is defined, the startup tests are disabled.

The legacy build system (make) by default disables these tests.
To enable these tests, set environment variable NSS_FORCE_FIPS=1 at build time.

The gyp build system by default disables these tests.
To enable these tests, pass parameter --enable-fips to build.sh.

### Building either FIPS compliant or alternative compliant code

The C macro NSS_FIPS_DISABLED can be used to disable some FIPS compliant code
and enable alternative implementations.

The legacy build system (make) never defines NSS_FIPS_DISABLED and always uses
the FIPS compliant code.

The gyp build system by default defines NSS_FIPS_DISABLED.
To use the FIPS compliant code, pass parameter --enable-fips to build.sh.

### Test execution

The NSS test suite may contain tests that are included, excluded, or are
different based on the FIPS build configuration. To execute the correct tests,
it's necessary to determine which build configuration was used.

The legacy build system (make) uses environment variables to control all
aspects of the build configuration, including FIPS build configuration.

Because the gyp build system doesn't use environment variables to control the
build configuration, the NSS tests cannot rely on environment variables to
determine the build configuration.

A helper binary named nss-build-flags is produced as part of the NSS build,
which prints the C macro symbols that were defined at build time, and which are
relevant to test execution.