From 05afab094d4a264c0a25ad3b36cae0ef3fb33e56 Mon Sep 17 00:00:00 2001 From: Mingli Yu Date: Thu, 7 Mar 2024 13:51:36 +0800 Subject: nss: Upgrade 3.74 -> 3.98 * Remove one backported patch and rebase two patches to the new version. * License update: Copyright year updated to 2023 Signed-off-by: Mingli Yu Signed-off-by: Khem Raj --- ...-Pin-validation-date-for-PayPalEE-test-ce.patch | 64 ----- ...a-configure-option-to-disable-ARM-HW-cryp.patch | 14 +- .../nss/0001-nss-fix-support-cross-compiling.patch | 14 +- meta-oe/recipes-support/nss/nss_3.74.bb | 290 --------------------- meta-oe/recipes-support/nss/nss_3.98.bb | 289 ++++++++++++++++++++ 5 files changed, 303 insertions(+), 368 deletions(-) delete mode 100644 meta-oe/recipes-support/nss/nss/0001-Bug-1750624-Pin-validation-date-for-PayPalEE-test-ce.patch delete mode 100644 meta-oe/recipes-support/nss/nss_3.74.bb create mode 100644 meta-oe/recipes-support/nss/nss_3.98.bb (limited to 'meta-oe/recipes-support') diff --git a/meta-oe/recipes-support/nss/nss/0001-Bug-1750624-Pin-validation-date-for-PayPalEE-test-ce.patch b/meta-oe/recipes-support/nss/nss/0001-Bug-1750624-Pin-validation-date-for-PayPalEE-test-ce.patch deleted file mode 100644 index d905bf10e..000000000 --- a/meta-oe/recipes-support/nss/nss/0001-Bug-1750624-Pin-validation-date-for-PayPalEE-test-ce.patch +++ /dev/null @@ -1,64 +0,0 @@ -From 1109c1b8259ad840ac1688d533f76ca268c67b6b Mon Sep 17 00:00:00 2001 -From: "John M. Schanck" -Date: Sat, 5 Feb 2022 11:12:43 +0000 -Subject: [PATCH] Bug 1750624 - Pin validation date for PayPalEE test cert. - r=nss-reviewers,bbeurdouche,rrelyea - -Differential Revision: https://phabricator.services.mozilla.com/D136289 - ---HG-- -extra : moz-landing-system : lando - -Upstream-Status: Backport - ---- - tests/chains/chains.sh | 6 +++++- - tests/chains/scenarios/realcerts.cfg | 1 + - 2 files changed, 6 insertions(+), 1 deletion(-) - -diff --git a/tests/chains/chains.sh b/tests/chains/chains.sh -index 32c7ef54c..e13ae52f9 100755 ---- a/nss/tests/chains/chains.sh -+++ b/nss/tests/chains/chains.sh -@@ -917,7 +917,7 @@ verify_cert() - done - - VFY_OPTS_TNAME="${DB_OPT} ${ENGINE} ${TRUST_AND_DB_OPT} ${REV_OPTS} ${FETCH_OPT} ${USAGE_OPT} ${POLICY_OPT} ${TRUST_OPT}" -- VFY_OPTS_ALL="${DB_OPT} ${ENGINE} -vv ${TRUST_AND_DB_OPT} ${REV_OPTS} ${FETCH_OPT} ${USAGE_OPT} ${POLICY_OPT} ${VFY_CERTS} ${TRUST_OPT}" -+ VFY_OPTS_ALL="${DB_OPT} ${ENGINE} -vv ${VFY_TIME_OPT} ${TRUST_AND_DB_OPT} ${REV_OPTS} ${FETCH_OPT} ${USAGE_OPT} ${POLICY_OPT} ${VFY_CERTS} ${TRUST_OPT}" - - TESTNAME="Verifying certificate(s) ${VFY_LIST} with flags ${VFY_OPTS_TNAME}" - echo "${SCRIPTNAME}: ${TESTNAME}" -@@ -1118,6 +1118,7 @@ parse_config() - ;; - "verify") - VERIFY="${VALUE}" -+ VFY_TIME_OPT= - TRUST= - TRUST_AND_DB= - POLICY= -@@ -1126,6 +1127,9 @@ parse_config() - REV_OPTS= - USAGE_OPT= - ;; -+ "at_time") -+ VFY_TIME_OPT="-b ${VALUE}" -+ ;; - "cert") - VERIFY="${VERIFY} ${VALUE}" - ;; -diff --git a/tests/chains/scenarios/realcerts.cfg b/tests/chains/scenarios/realcerts.cfg -index 305443fc3..f8b0fc452 100644 ---- a/nss/tests/chains/scenarios/realcerts.cfg -+++ b/nss/tests/chains/scenarios/realcerts.cfg -@@ -22,6 +22,7 @@ verify TestUser51:x - - verify PayPalEE:x - policy OID.2.16.840.1.114412.2.1 -+ at_time 2201010000Z - result pass - - verify BrAirWaysBadSig:x --- -2.25.1 - diff --git a/meta-oe/recipes-support/nss/nss/0001-freebl-add-a-configure-option-to-disable-ARM-HW-cryp.patch b/meta-oe/recipes-support/nss/nss/0001-freebl-add-a-configure-option-to-disable-ARM-HW-cryp.patch index 72ee1ee00..b7f1b01a1 100644 --- a/meta-oe/recipes-support/nss/nss/0001-freebl-add-a-configure-option-to-disable-ARM-HW-cryp.patch +++ b/meta-oe/recipes-support/nss/nss/0001-freebl-add-a-configure-option-to-disable-ARM-HW-cryp.patch @@ -1,4 +1,4 @@ -From 9937e89c22eb2f2db9a936e7bc4442857b4192f5 Mon Sep 17 00:00:00 2001 +From 7c8f367faf8848a43a414079189e10270d6c0fcc Mon Sep 17 00:00:00 2001 From: Alexander Kanavin Date: Wed, 18 Dec 2019 12:29:50 +0100 Subject: [PATCH] freebl: add a configure option to disable ARM HW crypto @@ -15,10 +15,10 @@ Signed-off-by: Alexander Kanavin 2 files changed, 5 insertions(+) diff --git a/nss/lib/freebl/Makefile b/nss/lib/freebl/Makefile -index b38889f..4616aac 100644 +index 7ee8736..f9b4925 100644 --- a/nss/lib/freebl/Makefile +++ b/nss/lib/freebl/Makefile -@@ -139,6 +139,8 @@ endif +@@ -142,6 +142,8 @@ endif endif endif endif @@ -27,16 +27,16 @@ index b38889f..4616aac 100644 ifeq ($(CPU_ARCH),aarch64) ifdef CC_IS_CLANG DEFINES += -DUSE_HW_AES -DUSE_HW_SHA1 -DUSE_HW_SHA2 -@@ -180,6 +182,7 @@ endif +@@ -183,6 +185,7 @@ endif endif endif endif +endif - ifeq ($(OS_TARGET),OSF1) - DEFINES += -DMP_ASSEMBLY_MULTIPLY -DMP_NO_MP_WORD + ifeq (OS2,$(OS_TARGET)) + ASFILES = mpi_x86_os2.s diff --git a/nss/lib/freebl/gcm.c b/nss/lib/freebl/gcm.c -index ac461b4..04cb180 100644 +index 2dae724..9ee7fc8 100644 --- a/nss/lib/freebl/gcm.c +++ b/nss/lib/freebl/gcm.c @@ -18,6 +18,7 @@ diff --git a/meta-oe/recipes-support/nss/nss/0001-nss-fix-support-cross-compiling.patch b/meta-oe/recipes-support/nss/nss/0001-nss-fix-support-cross-compiling.patch index 950fae667..2385fd3b9 100644 --- a/meta-oe/recipes-support/nss/nss/0001-nss-fix-support-cross-compiling.patch +++ b/meta-oe/recipes-support/nss/nss/0001-nss-fix-support-cross-compiling.patch @@ -1,4 +1,4 @@ -From 919fc5d674fae99fe21ba1351d98b75e466f425f Mon Sep 17 00:00:00 2001 +From 46ab1ca6e6fb8e1196e0665a54506dff370f8f2a Mon Sep 17 00:00:00 2001 From: Alexander Kanavin Date: Wed, 22 Feb 2017 11:36:11 +0200 Subject: [PATCH] nss: fix support cross compiling @@ -10,15 +10,15 @@ Signed-off-by: Hongxu Jia Signed-off-by: Alexander Kanavin --- - nss/coreconf/arch.mk | 2 +- + nss/coreconf/arch.mk | 4 ++-- nss/lib/freebl/Makefile | 6 ++++++ - 2 files changed, 7 insertions(+), 1 deletion(-) + 2 files changed, 8 insertions(+), 2 deletions(-) diff --git a/nss/coreconf/arch.mk b/nss/coreconf/arch.mk -index 2012d18..78fca62 100644 +index 17e9fae..bc4180a 100644 --- a/nss/coreconf/arch.mk +++ b/nss/coreconf/arch.mk -@@ -26,11 +26,11 @@ OS_ARCH := $(subst /,_,$(shell uname -s) +@@ -26,11 +26,11 @@ OS_ARCH := $(subst /,_,$(shell uname -s)) # Attempt to differentiate between sparc and x86 Solaris # @@ -31,9 +31,9 @@ index 2012d18..78fca62 100644 + OS_RELEASE ?= $(shell uname -r) endif - # + diff --git a/nss/lib/freebl/Makefile b/nss/lib/freebl/Makefile -index 0b8c6f4..b38889f 100644 +index eeee90a..7ee8736 100644 --- a/nss/lib/freebl/Makefile +++ b/nss/lib/freebl/Makefile @@ -36,6 +36,12 @@ ifdef USE_64 diff --git a/meta-oe/recipes-support/nss/nss_3.74.bb b/meta-oe/recipes-support/nss/nss_3.74.bb deleted file mode 100644 index ea5abe07f..000000000 --- a/meta-oe/recipes-support/nss/nss_3.74.bb +++ /dev/null @@ -1,290 +0,0 @@ -SUMMARY = "Mozilla's SSL and TLS implementation" -DESCRIPTION = "Network Security Services (NSS) is a set of libraries \ -designed to support cross-platform development of \ -security-enabled client and server applications. \ -Applications built with NSS can support SSL v2 and v3, \ -TLS, PKCS 5, PKCS 7, PKCS 11, PKCS 12, S/MIME, X.509 \ -v3 certificates, and other security standards." -HOMEPAGE = "http://www.mozilla.org/projects/security/pki/nss/" -SECTION = "libs" - -DEPENDS = "sqlite3 nspr zlib nss-native" -DEPENDS:class-native = "sqlite3-native nspr-native zlib-native" - -LICENSE = "(MPL-2.0 & MIT) | (MPL-2.0 & GPL-2.0-or-later & MIT) | (MPL-2.0 & LGPL-2.1-or-later & MIT)" - -LIC_FILES_CHKSUM = "file://nss/COPYING;md5=3b1e88e1b9c0b5a4b2881d46cce06a18 \ - file://nss/lib/freebl/mpi/doc/LICENSE;md5=491f158d09d948466afce85d6f1fe18f \ - file://nss/lib/freebl/mpi/doc/LICENSE-MPL;md5=5d425c8f3157dbf212db2ec53d9e5132 \ - file://nss/lib/freebl/verified/Hacl_Poly1305_256.c;beginline=1;endline=22;md5=d4096c1e4421ee56e9e0f441a8161f78" - -VERSION_DIR = "${@d.getVar('BP').upper().replace('-', '_').replace('.', '_') + '_RTM'}" - -SRC_URI = "http://ftp.mozilla.org/pub/security/nss/releases/${VERSION_DIR}/src/${BP}.tar.gz \ - file://nss.pc.in \ - file://0001-nss-fix-support-cross-compiling.patch \ - file://nss-no-rpath-for-cross-compiling.patch \ - file://nss-fix-incorrect-shebang-of-perl.patch \ - file://disable-Wvarargs-with-clang.patch \ - file://pqg.c-ULL_addend.patch \ - file://blank-cert9.db \ - file://blank-key4.db \ - file://system-pkcs11.txt \ - file://nss-fix-nsinstall-build.patch \ - file://0001-freebl-add-a-configure-option-to-disable-ARM-HW-cryp.patch \ - file://0001-Bug-1750624-Pin-validation-date-for-PayPalEE-test-ce.patch \ - " -SRC_URI[sha256sum] = "88928811f9f40f87d42e2eaccdf6e454562e51486067f2ddbe90aa47ea6cd056" - -UPSTREAM_CHECK_URI = "https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_Releases" -UPSTREAM_CHECK_REGEX = "NSS_(?P.+)_release_notes" - -inherit siteinfo - -TD = "${S}/tentative-dist" -TDS = "${S}/tentative-dist-staging" - -TARGET_CC_ARCH += "${LDFLAGS}" - -CFLAGS:append:class-native = " -D_XOPEN_SOURCE " - -do_configure:prepend:libc-musl () { - sed -i -e '/-DHAVE_SYS_CDEFS_H/d' ${S}/nss/lib/dbm/config/config.mk -} - -do_configure:prepend:powerpc64le:toolchain-clang () { - sed -i -e 's/\-std=c99/\-std=gnu99/g' ${S}/nss/coreconf/command.mk -} - -do_configure:prepend:powerpc64:toolchain-clang () { - sed -i -e 's/\-std=c99/\-std=gnu99/g' ${S}/nss/coreconf/command.mk -} - -do_compile:prepend:class-native() { - export NSPR_INCLUDE_DIR=${STAGING_INCDIR_NATIVE}/nspr - export NSPR_LIB_DIR=${STAGING_LIBDIR_NATIVE} -} - -do_compile:prepend:class-nativesdk() { - export LDFLAGS="" -} - -do_compile:prepend:class-native() { - # Need to set RPATH so that chrpath will do its job correctly - RPATH="-Wl,-rpath-link,${STAGING_LIBDIR_NATIVE} -Wl,-rpath-link,${STAGING_BASE_LIBDIR_NATIVE} -Wl,-rpath,${STAGING_LIBDIR_NATIVE} -Wl,-rpath,${STAGING_BASE_LIBDIR_NATIVE}" -} - -do_compile() { - export NSPR_INCLUDE_DIR=${STAGING_INCDIR}/nspr - - export CROSS_COMPILE=1 - export NATIVE_CC="${BUILD_CC}" - # Additional defines needed on Centos 7 - export NATIVE_FLAGS="${BUILD_CFLAGS} -DLINUX -Dlinux" - export BUILD_OPT=1 - - # POSIX.1-2001 states that the behaviour of getcwd() when passing a null - # pointer as the buf argument, is unspecified. - export NATIVE_FLAGS="${NATIVE_FLAGS} -DGETCWD_CANT_MALLOC" - - export FREEBL_NO_DEPEND=1 - export FREEBL_LOWHASH=1 - - export LIBDIR=${libdir} - export MOZILLA_CLIENT=1 - export NS_USE_GCC=1 - export NSS_USE_SYSTEM_SQLITE=1 - export NSS_ENABLE_ECC=1 - export NSS_ENABLE_WERROR=0 - - ${@bb.utils.contains("TUNE_FEATURES", "crypto", "export NSS_USE_ARM_HW_CRYPTO=1", "", d)} - - export OS_RELEASE=3.4 - export OS_TARGET=Linux - export OS_ARCH=Linux - - if [ "${TARGET_ARCH}" = "powerpc" ]; then - OS_TEST=ppc - elif [ "${TARGET_ARCH}" = "powerpc64" -o "${TARGET_ARCH}" = "powerpc64le" ]; then - OS_TEST=ppc64 - elif [ "${TARGET_ARCH}" = "mips" -o "${TARGET_ARCH}" = "mipsel" -o "${TARGET_ARCH}" = "mips64" -o "${TARGET_ARCH}" = "mips64el" ]; then - OS_TEST=mips - elif [ "${TARGET_ARCH}" = "aarch64_be" ]; then - OS_TEST="aarch64" - else - OS_TEST="${TARGET_ARCH}" - fi - - if [ "${SITEINFO_BITS}" = "64" ]; then - export USE_64=1 - elif [ "${TARGET_ARCH}" = "x86_64" -a "${SITEINFO_BITS}" = "32" ]; then - export USE_X32=1 - fi - - export NSS_DISABLE_GTESTS=1 - # We can modify CC in the environment, but if we set it via an - # argument to make, nsinstall, a host program, will also build with it! - # - # nss pretty much does its own thing with CFLAGS, so we put them into CC. - # Optimization will get clobbered, but most of the stuff will survive. - # The motivation for this is to point to the correct place for debug - # source files and CFLAGS does that. Nothing uses CCC. - # - export CC="${CC} ${CFLAGS}" - make -C ./nss CCC="${CXX} -g" \ - OS_TEST=${OS_TEST} \ - RPATH="${RPATH}" \ - autobuild -} - -do_compile[vardepsexclude] += "SITEINFO_BITS" - -do_install:prepend:class-nativesdk() { - export LDFLAGS="" -} - -do_install() { - export CROSS_COMPILE=1 - export NATIVE_CC="${BUILD_CC}" - export BUILD_OPT=1 - - export FREEBL_NO_DEPEND=1 - - export LIBDIR=${libdir} - export MOZILLA_CLIENT=1 - export NS_USE_GCC=1 - export NSS_USE_SYSTEM_SQLITE=1 - export NSS_ENABLE_ECC=1 - - export OS_RELEASE=3.4 - export OS_TARGET=Linux - export OS_ARCH=Linux - - if [ "${TARGET_ARCH}" = "powerpc" ]; then - OS_TEST=ppc - elif [ "${TARGET_ARCH}" = "powerpc64" -o "${TARGET_ARCH}" = "powerpc64le" ]; then - OS_TEST=ppc64 - elif [ "${TARGET_ARCH}" = "mips" -o "${TARGET_ARCH}" = "mipsel" -o "${TARGET_ARCH}" = "mips64" -o "${TARGET_ARCH}" = "mips64el" ]; then - OS_TEST=mips - elif [ "${TARGET_ARCH}" = "aarch64_be" ]; then - CPU_ARCH=aarch64 - OS_TEST="aarch64" - else - OS_TEST="${TARGET_ARCH}" - fi - if [ "${SITEINFO_BITS}" = "64" ]; then - export USE_64=1 - elif [ "${TARGET_ARCH}" = "x86_64" -a "${SITEINFO_BITS}" = "32" ]; then - export USE_X32=1 - fi - - export NSS_DISABLE_GTESTS=1 - - make -C ./nss \ - CCC="${CXX}" \ - OS_TEST=${OS_TEST} \ - SOURCE_LIB_DIR="${TD}/${libdir}" \ - SOURCE_BIN_DIR="${TD}/${bindir}" \ - install - - install -d ${D}/${libdir}/ - for file in ${S}/dist/*.OBJ/lib/*.so; do - echo "Installing `basename $file`..." - cp $file ${D}/${libdir}/ - done - - for shared_lib in ${TD}/${libdir}/*.so.*; do - if [ -f $shared_lib ]; then - cp $shared_lib ${D}/${libdir} - ln -sf $(basename $shared_lib) ${D}/${libdir}/$(basename $shared_lib .1oe) - fi - done - for shared_lib in ${TD}/${libdir}/*.so; do - if [ -f $shared_lib -a ! -e ${D}/${libdir}/$shared_lib ]; then - cp $shared_lib ${D}/${libdir} - fi - done - - install -d ${D}/${includedir}/nss3 - install -m 644 -t ${D}/${includedir}/nss3 dist/public/nss/* - - install -d ${D}/${bindir} - for binary in ${TD}/${bindir}/*; do - install -m 755 -t ${D}/${bindir} $binary - done -} - -do_install[vardepsexclude] += "SITEINFO_BITS" - -do_install:append() { - # Create empty .chk files for the NSS libraries at build time. They could - # be regenerated at target's boot time. - for file in libsoftokn3.chk libfreebl3.chk libnssdbm3.chk; do - touch ${D}/${libdir}/$file - chmod 755 ${D}/${libdir}/$file - done - - install -d ${D}${libdir}/pkgconfig/ - sed 's/%NSS_VERSION%/${PV}/' ${WORKDIR}/nss.pc.in | sed 's/%NSPR_VERSION%/4.9.2/' > ${D}${libdir}/pkgconfig/nss.pc - sed -i s:OEPREFIX:${prefix}:g ${D}${libdir}/pkgconfig/nss.pc - sed -i s:OEEXECPREFIX:${exec_prefix}:g ${D}${libdir}/pkgconfig/nss.pc - sed -i s:OELIBDIR:${libdir}:g ${D}${libdir}/pkgconfig/nss.pc - sed -i s:OEINCDIR:${includedir}/nss3:g ${D}${libdir}/pkgconfig/nss.pc -} - -do_install:append:class-target() { - # It used to call certutil to create a blank certificate with empty password at - # build time, but the checksum of key4.db changes every time when certutil is called. - # It causes non-determinism issue, so provide databases with a blank certificate - # which are originally from output of nss in qemux86-64 build. You can get these - # databases by: - # certutil -N -d sql:/database/path/ --empty-password - install -d ${D}${sysconfdir}/pki/nssdb/ - install -m 0644 ${WORKDIR}/blank-cert9.db ${D}${sysconfdir}/pki/nssdb/cert9.db - install -m 0644 ${WORKDIR}/blank-key4.db ${D}${sysconfdir}/pki/nssdb/key4.db - install -m 0644 ${WORKDIR}/system-pkcs11.txt ${D}${sysconfdir}/pki/nssdb/pkcs11.txt -} - -PACKAGE_WRITE_DEPS += "nss-native" - -pkg_postinst:${PN} () { - for I in $D${libdir}/lib*.chk; do - DN=`dirname $I` - BN=`basename $I .chk` - FN=$DN/$BN.so - shlibsign -i $FN - if [ $? -ne 0 ]; then - echo "shlibsign -i $FN failed" - fi - done -} - -PACKAGES =+ "${PN}-smime" -FILES:${PN}-smime = "\ - ${bindir}/smime \ -" - -FILES:${PN} = "\ - ${sysconfdir} \ - ${bindir} \ - ${libdir}/lib*.chk \ - ${libdir}/lib*.so \ - " - -FILES:${PN}-dev = "\ - ${libdir}/nss \ - ${libdir}/pkgconfig/* \ - ${includedir}/* \ - " - -RDEPENDS:${PN}-smime = "perl" - -BBCLASSEXTEND = "native nativesdk" - -CVE_PRODUCT += "network_security_services" - -CVE_STATUS_GROUPS += "CVE_STATUS_NSS" -CVE_STATUS_NSS[status] = "not-applicable-config: This only affect the legacy db (libnssdbm), only compiled with --enable-legacy-db" -CVE_STATUS_NSS = "CVE-2017-11695 CVE-2017-11696 CVE-2017-11697 CVE-2017-11698" - -CVE_STATUS[CVE-2022-3479] = "not-applicable-config: vulnerability was introduced in 3.77 and fixed in 3.87" diff --git a/meta-oe/recipes-support/nss/nss_3.98.bb b/meta-oe/recipes-support/nss/nss_3.98.bb new file mode 100644 index 000000000..01501362e --- /dev/null +++ b/meta-oe/recipes-support/nss/nss_3.98.bb @@ -0,0 +1,289 @@ +SUMMARY = "Mozilla's SSL and TLS implementation" +DESCRIPTION = "Network Security Services (NSS) is a set of libraries \ +designed to support cross-platform development of \ +security-enabled client and server applications. \ +Applications built with NSS can support SSL v2 and v3, \ +TLS, PKCS 5, PKCS 7, PKCS 11, PKCS 12, S/MIME, X.509 \ +v3 certificates, and other security standards." +HOMEPAGE = "http://www.mozilla.org/projects/security/pki/nss/" +SECTION = "libs" + +DEPENDS = "sqlite3 nspr zlib nss-native" +DEPENDS:class-native = "sqlite3-native nspr-native zlib-native" + +LICENSE = "(MPL-2.0 & MIT) | (MPL-2.0 & GPL-2.0-or-later & MIT) | (MPL-2.0 & LGPL-2.1-or-later & MIT)" + +LIC_FILES_CHKSUM = "file://nss/COPYING;md5=3b1e88e1b9c0b5a4b2881d46cce06a18 \ + file://nss/lib/freebl/mpi/doc/LICENSE;md5=491f158d09d948466afce85d6f1fe18f \ + file://nss/lib/freebl/mpi/doc/LICENSE-MPL;md5=5d425c8f3157dbf212db2ec53d9e5132 \ + file://nss/lib/freebl/verified/Hacl_Poly1305_256.c;beginline=1;endline=22;md5=cc22f07b95d28d56baeb757df46ee7c8" + +VERSION_DIR = "${@d.getVar('BP').upper().replace('-', '_').replace('.', '_') + '_RTM'}" + +SRC_URI = "http://ftp.mozilla.org/pub/security/nss/releases/${VERSION_DIR}/src/${BP}.tar.gz \ + file://nss.pc.in \ + file://0001-nss-fix-support-cross-compiling.patch \ + file://nss-no-rpath-for-cross-compiling.patch \ + file://nss-fix-incorrect-shebang-of-perl.patch \ + file://disable-Wvarargs-with-clang.patch \ + file://pqg.c-ULL_addend.patch \ + file://blank-cert9.db \ + file://blank-key4.db \ + file://system-pkcs11.txt \ + file://nss-fix-nsinstall-build.patch \ + file://0001-freebl-add-a-configure-option-to-disable-ARM-HW-cryp.patch \ + " +SRC_URI[sha256sum] = "f549cc33d35c0601674bfacf7c6ad683c187595eb4125b423238d3e9aa4209ce" + +UPSTREAM_CHECK_URI = "https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_Releases" +UPSTREAM_CHECK_REGEX = "NSS_(?P.+)_release_notes" + +inherit siteinfo + +TD = "${S}/tentative-dist" +TDS = "${S}/tentative-dist-staging" + +TARGET_CC_ARCH += "${LDFLAGS}" + +CFLAGS:append:class-native = " -D_XOPEN_SOURCE " + +do_configure:prepend:libc-musl () { + sed -i -e '/-DHAVE_SYS_CDEFS_H/d' ${S}/nss/lib/dbm/config/config.mk +} + +do_configure:prepend:powerpc64le:toolchain-clang () { + sed -i -e 's/\-std=c99/\-std=gnu99/g' ${S}/nss/coreconf/command.mk +} + +do_configure:prepend:powerpc64:toolchain-clang () { + sed -i -e 's/\-std=c99/\-std=gnu99/g' ${S}/nss/coreconf/command.mk +} + +do_compile:prepend:class-native() { + export NSPR_INCLUDE_DIR=${STAGING_INCDIR_NATIVE}/nspr + export NSPR_LIB_DIR=${STAGING_LIBDIR_NATIVE} +} + +do_compile:prepend:class-nativesdk() { + export LDFLAGS="" +} + +do_compile:prepend:class-native() { + # Need to set RPATH so that chrpath will do its job correctly + RPATH="-Wl,-rpath-link,${STAGING_LIBDIR_NATIVE} -Wl,-rpath-link,${STAGING_BASE_LIBDIR_NATIVE} -Wl,-rpath,${STAGING_LIBDIR_NATIVE} -Wl,-rpath,${STAGING_BASE_LIBDIR_NATIVE}" +} + +do_compile() { + export NSPR_INCLUDE_DIR=${STAGING_INCDIR}/nspr + + export CROSS_COMPILE=1 + export NATIVE_CC="${BUILD_CC}" + # Additional defines needed on Centos 7 + export NATIVE_FLAGS="${BUILD_CFLAGS} -DLINUX -Dlinux" + export BUILD_OPT=1 + + # POSIX.1-2001 states that the behaviour of getcwd() when passing a null + # pointer as the buf argument, is unspecified. + export NATIVE_FLAGS="${NATIVE_FLAGS} -DGETCWD_CANT_MALLOC" + + export FREEBL_NO_DEPEND=1 + export FREEBL_LOWHASH=1 + + export LIBDIR=${libdir} + export MOZILLA_CLIENT=1 + export NS_USE_GCC=1 + export NSS_USE_SYSTEM_SQLITE=1 + export NSS_ENABLE_ECC=1 + export NSS_ENABLE_WERROR=0 + + ${@bb.utils.contains("TUNE_FEATURES", "crypto", "export NSS_USE_ARM_HW_CRYPTO=1", "", d)} + + export OS_RELEASE=3.4 + export OS_TARGET=Linux + export OS_ARCH=Linux + + if [ "${TARGET_ARCH}" = "powerpc" ]; then + OS_TEST=ppc + elif [ "${TARGET_ARCH}" = "powerpc64" -o "${TARGET_ARCH}" = "powerpc64le" ]; then + OS_TEST=ppc64 + elif [ "${TARGET_ARCH}" = "mips" -o "${TARGET_ARCH}" = "mipsel" -o "${TARGET_ARCH}" = "mips64" -o "${TARGET_ARCH}" = "mips64el" ]; then + OS_TEST=mips + elif [ "${TARGET_ARCH}" = "aarch64_be" ]; then + OS_TEST="aarch64" + else + OS_TEST="${TARGET_ARCH}" + fi + + if [ "${SITEINFO_BITS}" = "64" ]; then + export USE_64=1 + elif [ "${TARGET_ARCH}" = "x86_64" -a "${SITEINFO_BITS}" = "32" ]; then + export USE_X32=1 + fi + + export NSS_DISABLE_GTESTS=1 + # We can modify CC in the environment, but if we set it via an + # argument to make, nsinstall, a host program, will also build with it! + # + # nss pretty much does its own thing with CFLAGS, so we put them into CC. + # Optimization will get clobbered, but most of the stuff will survive. + # The motivation for this is to point to the correct place for debug + # source files and CFLAGS does that. Nothing uses CCC. + # + export CC="${CC} ${CFLAGS}" + make -C ./nss CCC="${CXX} -g" \ + OS_TEST=${OS_TEST} \ + RPATH="${RPATH}" \ + autobuild +} + +do_compile[vardepsexclude] += "SITEINFO_BITS" + +do_install:prepend:class-nativesdk() { + export LDFLAGS="" +} + +do_install() { + export CROSS_COMPILE=1 + export NATIVE_CC="${BUILD_CC}" + export BUILD_OPT=1 + + export FREEBL_NO_DEPEND=1 + + export LIBDIR=${libdir} + export MOZILLA_CLIENT=1 + export NS_USE_GCC=1 + export NSS_USE_SYSTEM_SQLITE=1 + export NSS_ENABLE_ECC=1 + + export OS_RELEASE=3.4 + export OS_TARGET=Linux + export OS_ARCH=Linux + + if [ "${TARGET_ARCH}" = "powerpc" ]; then + OS_TEST=ppc + elif [ "${TARGET_ARCH}" = "powerpc64" -o "${TARGET_ARCH}" = "powerpc64le" ]; then + OS_TEST=ppc64 + elif [ "${TARGET_ARCH}" = "mips" -o "${TARGET_ARCH}" = "mipsel" -o "${TARGET_ARCH}" = "mips64" -o "${TARGET_ARCH}" = "mips64el" ]; then + OS_TEST=mips + elif [ "${TARGET_ARCH}" = "aarch64_be" ]; then + CPU_ARCH=aarch64 + OS_TEST="aarch64" + else + OS_TEST="${TARGET_ARCH}" + fi + if [ "${SITEINFO_BITS}" = "64" ]; then + export USE_64=1 + elif [ "${TARGET_ARCH}" = "x86_64" -a "${SITEINFO_BITS}" = "32" ]; then + export USE_X32=1 + fi + + export NSS_DISABLE_GTESTS=1 + + make -C ./nss \ + CCC="${CXX}" \ + OS_TEST=${OS_TEST} \ + SOURCE_LIB_DIR="${TD}/${libdir}" \ + SOURCE_BIN_DIR="${TD}/${bindir}" \ + install + + install -d ${D}/${libdir}/ + for file in ${S}/dist/*.OBJ/lib/*.so; do + echo "Installing `basename $file`..." + cp $file ${D}/${libdir}/ + done + + for shared_lib in ${TD}/${libdir}/*.so.*; do + if [ -f $shared_lib ]; then + cp $shared_lib ${D}/${libdir} + ln -sf $(basename $shared_lib) ${D}/${libdir}/$(basename $shared_lib .1oe) + fi + done + for shared_lib in ${TD}/${libdir}/*.so; do + if [ -f $shared_lib -a ! -e ${D}/${libdir}/$shared_lib ]; then + cp $shared_lib ${D}/${libdir} + fi + done + + install -d ${D}/${includedir}/nss3 + install -m 644 -t ${D}/${includedir}/nss3 dist/public/nss/* + + install -d ${D}/${bindir} + for binary in ${TD}/${bindir}/*; do + install -m 755 -t ${D}/${bindir} $binary + done +} + +do_install[vardepsexclude] += "SITEINFO_BITS" + +do_install:append() { + # Create empty .chk files for the NSS libraries at build time. They could + # be regenerated at target's boot time. + for file in libsoftokn3.chk libfreebl3.chk libnssdbm3.chk; do + touch ${D}/${libdir}/$file + chmod 755 ${D}/${libdir}/$file + done + + install -d ${D}${libdir}/pkgconfig/ + sed 's/%NSS_VERSION%/${PV}/' ${WORKDIR}/nss.pc.in | sed 's/%NSPR_VERSION%/4.9.2/' > ${D}${libdir}/pkgconfig/nss.pc + sed -i s:OEPREFIX:${prefix}:g ${D}${libdir}/pkgconfig/nss.pc + sed -i s:OEEXECPREFIX:${exec_prefix}:g ${D}${libdir}/pkgconfig/nss.pc + sed -i s:OELIBDIR:${libdir}:g ${D}${libdir}/pkgconfig/nss.pc + sed -i s:OEINCDIR:${includedir}/nss3:g ${D}${libdir}/pkgconfig/nss.pc +} + +do_install:append:class-target() { + # It used to call certutil to create a blank certificate with empty password at + # build time, but the checksum of key4.db changes every time when certutil is called. + # It causes non-determinism issue, so provide databases with a blank certificate + # which are originally from output of nss in qemux86-64 build. You can get these + # databases by: + # certutil -N -d sql:/database/path/ --empty-password + install -d ${D}${sysconfdir}/pki/nssdb/ + install -m 0644 ${WORKDIR}/blank-cert9.db ${D}${sysconfdir}/pki/nssdb/cert9.db + install -m 0644 ${WORKDIR}/blank-key4.db ${D}${sysconfdir}/pki/nssdb/key4.db + install -m 0644 ${WORKDIR}/system-pkcs11.txt ${D}${sysconfdir}/pki/nssdb/pkcs11.txt +} + +PACKAGE_WRITE_DEPS += "nss-native" + +pkg_postinst:${PN} () { + for I in $D${libdir}/lib*.chk; do + DN=`dirname $I` + BN=`basename $I .chk` + FN=$DN/$BN.so + shlibsign -i $FN + if [ $? -ne 0 ]; then + echo "shlibsign -i $FN failed" + fi + done +} + +PACKAGES =+ "${PN}-smime" +FILES:${PN}-smime = "\ + ${bindir}/smime \ +" + +FILES:${PN} = "\ + ${sysconfdir} \ + ${bindir} \ + ${libdir}/lib*.chk \ + ${libdir}/lib*.so \ + " + +FILES:${PN}-dev = "\ + ${libdir}/nss \ + ${libdir}/pkgconfig/* \ + ${includedir}/* \ + " + +RDEPENDS:${PN}-smime = "perl" + +BBCLASSEXTEND = "native nativesdk" + +CVE_PRODUCT += "network_security_services" + +CVE_STATUS_GROUPS += "CVE_STATUS_NSS" +CVE_STATUS_NSS[status] = "not-applicable-config: This only affect the legacy db (libnssdbm), only compiled with --enable-legacy-db" +CVE_STATUS_NSS = "CVE-2017-11695 CVE-2017-11696 CVE-2017-11697 CVE-2017-11698" + +CVE_STATUS[CVE-2022-3479] = "not-applicable-config: vulnerability was introduced in 3.77 and fixed in 3.87" -- cgit v1.2.3-54-g00ecf