author | Armin Kuster <akuster808@gmail.com> | 2017-11-03 12:54:45 -0700 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2017-11-07 13:25:31 +0000 |
commit | 2e2ba4597e80b451e98d8197a66ef9011a4701c1 (patch) | |
tree | 18ab9612b3bd0781007cf7388b7f1f40bd79b8e5 /meta/recipes-support/nss/nss_3.31.1.bb | |
parent | 4e6d285e091ed6508a751b20d4b3cecc99a53eae (diff) | |
download | poky-2e2ba4597e80b451e98d8197a66ef9011a4701c1.tar.gz |
nss: update to 3.33.0
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.33_release_notes
* TLS compression is no longer supported. API calls that attempt to enable compression are accepted without failure. However, TLS compression will remain disabled.
* This version of NSS uses a formally verified implementation of Curve25519 on 64-bit systems.
* The compile time flag DISABLE_ECC has been removed.
* When NSS is compiled without NSS_FORCE_FIPS=1, startup checks are no longer performed.
* Fixes CVE-2017-7805, a potential use-after-free in the TLS 1.2 server when verifying client authentication.
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.32_release_notes
The Websites (TLS/SSL) trust bit was turned off for the following root certificates.
* CN = AddTrust Class 1 CA Root
SHA-256 Fingerprint: 8C:72:09:27:9A:C0:4E:27:5E:16:D0:7F:D3:B7:75:E8:01:54:B5:96:80:46:E3:1F:52:DD:25:76:63:24:E9:A7
* CN = Swisscom Root CA 2
SHA-256 Fingerprint: F0:9B:12:2C:71:14:F4:A0:9B:D4:EA:4F:4A:99:D5:58:B4:6E:4C:25:CD:81:14:0D:29:C0:56:13:91:4C:38:41
The following CA certificates were Removed:
* CN = AddTrust Public CA Root
SHA-256 Fingerprint: 07:91:CA:07:49:B2:07:82:AA:D3:C7:D7:BD:0C:DF:C9:48:58:35:84:3E:B2:D7:99:60:09:CE:43:AB:6C:69:27
* CN = AddTrust Qualified CA Root
SHA-256 Fingerprint: 80:95:21:08:05:DB:4B:BC:35:5E:44:28:D8:FD:6E:C2:CD:E3:AB:5F:B9:7A:99:42:98:8E:B8:F4:DC:D0:60:16
* CN = China Internet Network Information Center EV Certificates Root
SHA-256 Fingerprint: 1C:01:C6:F4:DB:B2:FE:FC:22:55:8B:2B:CA:32:56:3F:49:84:4A:CF:C3:2B:7B:E4:B0:FF:59:9F:9E:8C:7A:F7
* CN = CNNIC ROOT
SHA-256 Fingerprint: E2:83:93:77:3D:A8:45:A6:79:F2:08:0C:C7:FB:44:A3:B7:A1:C3:79:2C:B7:EB:77:29:FD:CB:6A:8D:99:AE:A7
* CN = ComSign Secured CA
SHA-256 Fingerprint: 50:79:41:C7:44:60:A0:B4:70:86:22:0D:4E:99:32:57:2A:B5:D1:B5:BB:CB:89:80:AB:1C:B1:76:51:A8:44:D2
* CN = GeoTrust Global CA 2
SHA-256 Fingerprint: CA:2D:82:A0:86:77:07:2F:8A:B6:76:4F:F0:35:67:6C:FE:3E:5E:32:5E:01:21:72:DF:3F:92:09:6D:B7:9B:85
* CN = Secure Certificate Services
SHA-256 Fingerprint: BD:81:CE:3B:4F:65:91:D1:1A:67:B5:FC:7A:47:FD:EF:25:52:1B:F9:AA:4E:18:B9:E3:DF:2E:34:A7:80:3B:E8
* CN = Swisscom Root CA 1
SHA-256 Fingerprint: 21:DB:20:12:36:60:BB:2E:D4:18:20:5D:A1:1E:E7:A8:5A:65:E2:BC:6E:55:B5:AF:7E:78:99:C8:A2:66:D9:2E
* CN = Swisscom Root EV CA 2
SHA-256 Fingerprint: D9:5F:EA:3C:A4:EE:DC:E7:4C:D7:6E:75:FC:6D:1F:F6:2C:44:1F:0F:A8:BC:77:F0:34:B1:9E:5D:B2:58:01:5D
* CN = Trusted Certificate Services
SHA-256 Fingerprint: 3F:06:E5:56:81:D4:96:F5:BE:16:9E:B5:38:9F:9F:2B:8F:F6:1E:17:08:DF:68:81:72:48:49:CD:5D:27:CB:69
* CN = UTN-USERFirst-Hardware
SHA-256 Fingerprint: 6E:A5:47:41:D0:04:66:7E:ED:1B:48:16:63:4A:A3:A7:9E:6E:4B:96:95:0F:82:79:DA:FC:8D:9B:D8:81:21:37
* CN = UTN-USERFirst-Object
SHA-256 Fingerprint: 6F:FF:78:E4:00:A7:0C:11:01:1C:D8:59:77:C4:59:FB:5A:F9:6A:3D:F0:54:08:20:D0:F4:B8:60:78:75:E5:8F
(From OE-Core rev: 83d79f449c33eff7bba92dfda8ffd4b699fb6462)
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-support/nss/nss_3.31.1.bb')
-rw-r--r-- | meta/recipes-support/nss/nss_3.31.1.bb | 248 |
1 files changed, 0 insertions, 248 deletions
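diff --git a/meta/recipes-support/nss/nss_3.31.1.bb b/meta/recipes-support/nss/nss_3.31.1.bb
deleted file mode 100644
index 588708fc31..0000000000
--- a/meta/recipes-support/nss/nss_3.31.1.bb
+++ /dev/null
@@ -1,248 +0,0 @@
-SUMMARY = "Mozilla's SSL and TLS implementation"
-DESCRIPTION = "Network Security Services (NSS) is a set of libraries \
-designed to support cross-platform development of \
-security-enabled client and server applications. \
-Applications built with NSS can support SSL v2 and v3, \
-TLS, PKCS 5, PKCS 7, PKCS 11, PKCS 12, S/MIME, X.509 \
-v3 certificates, and other security standards."
-HOMEPAGE = "http://www.mozilla.org/projects/security/pki/nss/"
-SECTION = "libs"
-
-LICENSE = "MPL-2.0 | (MPL-2.0 & GPL-2.0+) | (MPL-2.0 & LGPL-2.1+)"
-
-LIC_FILES_CHKSUM = "file://nss/COPYING;md5=3b1e88e1b9c0b5a4b2881d46cce06a18 \
-file://nss/lib/freebl/mpi/doc/LICENSE;md5=491f158d09d948466afce85d6f1fe18f \
-file://nss/lib/freebl/mpi/doc/LICENSE-MPL;md5=5d425c8f3157dbf212db2ec53d9e5132"
-
-VERSION_DIR = "${@d.getVar('BP').upper().replace('-', '_').replace('.', '_') + '_RTM'}"
-
-SRC_URI = "http://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/${VERSION_DIR}/src/${BP}.tar.gz \
-file://nss.pc.in \
-file://signlibs.sh \
-file://0001-nss-fix-support-cross-compiling.patch \
-file://nss-no-rpath-for-cross-compiling.patch \
-file://nss-fix-incorrect-shebang-of-perl.patch \
-file://nss-fix-nsinstall-build.patch \
-file://disable-Wvarargs-with-clang.patch \
-file://pqg.c-ULL_addend.patch \
-file://Fix-compilation-for-X32.patch \
-"
-
-SRC_URI[md5sum] = "ebb44f1394250d2cf6ec3c2e3d71fa20"
-SRC_URI[sha256sum] = "933439214dc03ee60e86d1419c19e1568998b0776dde987f41fa70ced6cd08dc"
-
-UPSTREAM_CHECK_URI = "https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_Releases"
-UPSTREAM_CHECK_REGEX = "NSS_(?P<pver>.+)_release_notes"
-
-inherit siteinfo
-
-DEPENDS = "sqlite3 nspr zlib nss-native"
-DEPENDS_class-native = "sqlite3-native nspr-native zlib-native"
-RDEPENDS_${PN}-smime = "perl"
-
-TD = "${S}/tentative-dist"
-TDS = "${S}/tentative-dist-staging"
-
-TARGET_CC_ARCH += "${LDFLAGS}"
-
-do_configure_prepend_libc-musl () {
-sed -i -e '/-DHAVE_SYS_CDEFS_H/d' ${S}/nss/lib/dbm/config/config.mk
-}
-
-do_compile_prepend_class-native() {
-export NSPR_INCLUDE_DIR=${STAGING_INCDIR_NATIVE}
-export NSPR_LIB_DIR=${STAGING_LIBDIR_NATIVE}
-export NSS_ENABLE_WERROR=0
-}
-
-do_compile_prepend_class-nativesdk() {
-export LDFLAGS=""
-}
-
-do_compile_prepend_class-native() {
-# Need to set RPATH so that chrpath will do its job correctly
-RPATH="-Wl,-rpath-link,${STAGING_LIBDIR_NATIVE} -Wl,-rpath-link,${STAGING_BASE_LIBDIR_NATIVE} -Wl,-rpath,${STAGING_LIBDIR_NATIVE} -Wl,-rpath,${STAGING_BASE_LIBDIR_NATIVE}"
-}
-
-do_compile() {
-export CROSS_COMPILE=1
-export NATIVE_CC="${BUILD_CC}"
-export NATIVE_FLAGS="${BUILD_CFLAGS}"
-export BUILD_OPT=1
-
-export FREEBL_NO_DEPEND=1
-export FREEBL_LOWHASH=1
-
-export LIBDIR=${libdir}
-export MOZILLA_CLIENT=1
-export NS_USE_GCC=1
-export NSS_USE_SYSTEM_SQLITE=1
-export NSS_ENABLE_ECC=1
-
-export OS_RELEASE=3.4
-export OS_TARGET=Linux
-export OS_ARCH=Linux
-
-if [ "${TARGET_ARCH}" = "powerpc" ]; then
-OS_TEST=ppc
-elif [ "${TARGET_ARCH}" = "powerpc64" ]; then
-OS_TEST=ppc64
-elif [ "${TARGET_ARCH}" = "mips" -o "${TARGET_ARCH}" = "mipsel" -o "${TARGET_ARCH}" = "mips64" -o "${TARGET_ARCH}" = "mips64el" ]; then
-OS_TEST=mips
-else
-OS_TEST="${TARGET_ARCH}"
-fi
-
-if [ "${SITEINFO_BITS}" = "64" ]; then
-export USE_64=1
-elif [ "${TARGET_ARCH}" = "x86_64" -a "${SITEINFO_BITS}" = "32" ]; then
-export USE_X32=1
-fi
-
-export NSS_DISABLE_GTESTS=1
-
-# We can modify CC in the environment, but if we set it via an
-# argument to make, nsinstall, a host program, will also build with it!
-#
-export CC="${CC} -g"
-make -C ./nss CCC="${CXX} -g" \
-OS_TEST=${OS_TEST} \
-RPATH="${RPATH}"
-}
-do_compile[vardepsexclude] += "SITEINFO_BITS"
-
-
-do_install_prepend_class-nativesdk() {
-export LDFLAGS=""
-}
-
-do_install() {
-export CROSS_COMPILE=1
-export NATIVE_CC="${BUILD_CC}"
-export BUILD_OPT=1
-
-export FREEBL_NO_DEPEND=1
-
-export LIBDIR=${libdir}
-export MOZILLA_CLIENT=1
-export NS_USE_GCC=1
-export NSS_USE_SYSTEM_SQLITE=1
-export NSS_ENABLE_ECC=1
-
-export OS_RELEASE=3.4
-export OS_TARGET=Linux
-export OS_ARCH=Linux
-
-if [ "${TARGET_ARCH}" = "powerpc" ]; then
-OS_TEST=ppc
-elif [ "${TARGET_ARCH}" = "powerpc64" ]; then
-OS_TEST=ppc64
-elif [ "${TARGET_ARCH}" = "mips" -o "${TARGET_ARCH}" = "mipsel" -o "${TARGET_ARCH}" = "mips64" -o "${TARGET_ARCH}" = "mips64el" ]; then
-OS_TEST=mips
-else
-OS_TEST="${TARGET_ARCH}"
-fi
-if [ "${SITEINFO_BITS}" = "64" ]; then
-export USE_64=1
-elif [ "${TARGET_ARCH}" = "x86_64" -a "${SITEINFO_BITS}" = "32" ]; then
-export USE_X32=1
-fi
-
-export NSS_DISABLE_GTESTS=1
-
-make -C ./nss \
-CCC="${CXX}" \
-OS_TEST=${OS_TEST} \
-SOURCE_LIB_DIR="${TD}/${libdir}" \
-SOURCE_BIN_DIR="${TD}/${bindir}" \
-install
-
-install -d ${D}/${libdir}/
-for file in ${S}/dist/*.OBJ/lib/*.so; do
-echo "Installing `basename $file`..."
-cp $file ${D}/${libdir}/
-done
-
-for shared_lib in ${TD}/${libdir}/*.so.*; do
-if [ -f $shared_lib ]; then
-cp $shared_lib ${D}/${libdir}
-ln -sf $(basename $shared_lib) ${D}/${libdir}/$(basename $shared_lib .1oe)
-fi
-done
-for shared_lib in ${TD}/${libdir}/*.so; do
-if [ -f $shared_lib -a ! -e ${D}/${libdir}/$shared_lib ]; then
-cp $shared_lib ${D}/${libdir}
-fi
-done
-
-install -d ${D}/${includedir}/nss3
-install -m 644 -t ${D}/${includedir}/nss3 dist/public/nss/*
-
-install -d ${D}/${bindir}
-for binary in ${TD}/${bindir}/*; do
-install -m 755 -t ${D}/${bindir} $binary
-done
-}
-do_install[vardepsexclude] += "SITEINFO_BITS"
-
-do_install_append() {
-# Create empty .chk files for the NSS libraries at build time. They could
-# be regenerated at target's boot time.
-for file in libsoftokn3.chk libfreebl3.chk libnssdbm3.chk; do
-touch ${D}/${libdir}/$file
-chmod 755 ${D}/${libdir}/$file
-done
-install -D -m 755 ${WORKDIR}/signlibs.sh ${D}/${bindir}/signlibs.sh
-
-install -d ${D}${libdir}/pkgconfig/
-sed 's/%NSS_VERSION%/${PV}/' ${WORKDIR}/nss.pc.in | sed 's/%NSPR_VERSION%/4.9.2/' > ${D}${libdir}/pkgconfig/nss.pc
-sed -i s:OEPREFIX:${prefix}:g ${D}${libdir}/pkgconfig/nss.pc
-sed -i s:OEEXECPREFIX:${exec_prefix}:g ${D}${libdir}/pkgconfig/nss.pc
-sed -i s:OELIBDIR:${libdir}:g ${D}${libdir}/pkgconfig/nss.pc
-sed -i s:OEINCDIR:${includedir}/nss3:g ${D}${libdir}/pkgconfig/nss.pc
-}
-
-do_install_append_class-target() {
-# Create a blank certificate
-mkdir -p ${D}${sysconfdir}/pki/nssdb/
-touch ./empty_password
-certutil -N -d ${D}${sysconfdir}/pki/nssdb/ -f ./empty_password
-chmod 644 ${D}${sysconfdir}/pki/nssdb/*.db
-rm ./empty_password
-}
-
-PACKAGE_WRITE_DEPS += "nss-native"
-pkg_postinst_${PN} () {
-if [ -n "$D" ]; then
-for I in $D${libdir}/lib*.chk; do
-DN=`dirname $I`
-BN=`basename $I .chk`
-FN=$DN/$BN.so
-shlibsign -i $FN
-if [ $? -ne 0 ]; then
-exit 1
-fi
-done
-else
-signlibs.sh
-fi
-}
-
-PACKAGES =+ "${PN}-smime"
-FILES_${PN}-smime = "\
-${bindir}/smime \
-"
-FILES_${PN} = "\
-${sysconfdir} \
-${bindir} \
-${libdir}/lib*.chk \
-${libdir}/lib*.so \
-"
-FILES_${PN}-dev = "\
-${libdir}/nss \
-${libdir}/pkgconfig/* \
-${includedir}/* \
-"
-
-BBCLASSEXTEND = "native nativesdk"
-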