path: root/meta/recipes-support/nss
Commit message | Author | Age | Files | Lines
* nss: update to 3.39 includes CVE-2018-12384 | Armin Kuster | 2018-11-07 | 1 | -2/+2
  see: https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.39_release_notes
  (From OE-Core rev: 9d5d19cee30ac73b9fbf75308e5729857384983e)
  Signed-off-by: Armin Kuster <akuster@mvista.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* nss: fix non-determinism when creating a blank certificate | Kai Kang | 2018-10-12 | 4 | -8/+18
  It uses certutil from nss to create a blank certificate. But the checksum of database file key4.db changes every time:
  $ certutil -N -d sql:. --empty-password
  $ md5sum *
  f9dac2cfcb07cc8ca6db442a9a570906 cert9.db
  b892c5ff7c1977d4728240b0cf628377 key4.db
  7b9136cb03f07ae62eb213a5239fda71 pkcs11.txt
  $ rm *
  $ certutil -N -d sql:. --empty-password
  $ md5sum *
  f9dac2cfcb07cc8ca6db442a9a570906 cert9.db
  405d55178e866a115c1aa975fccfa764 key4.db
  7b9136cb03f07ae62eb213a5239fda71 pkcs11.txt
  Provide pre-created databases with a blank certificate to fix the non-determinism issue. These database files are from the nss qemux86-64 build.
  (From OE-Core rev: e64a30f7af87fa960b012ace92c51b88e8abae68)
  Signed-off-by: Kai Kang <kai.kang@windriver.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* nss: improve reproducibility | Hongxu Jia | 2018-08-29 | 1 | -1/+3
  - Explicitly requests the newer database `sql:' rather than retrieving it from NSS_DEFAULT_DB_TYPE
  - Removes build path prefix from pkcs11.txt
  Refer to the certutil manual:
  [certutil manual]
  -d [prefix]directory
  Specify the database directory containing the certificate and key database files.
  certutil supports two types of databases: the legacy security databases (cert8.db, key3.db, and secmod.db) and new SQLite databases (cert9.db, key4.db, and pkcs11.txt).
  NSS recognizes the following prefixes:
  sql: requests the newer database
  dbm: requests the legacy database
  If no prefix is specified the default type is retrieved from NSS_DEFAULT_DB_TYPE. If NSS_DEFAULT_DB_TYPE is not set then dbm: is the default.
  [certutil manual]
  (From OE-Core rev: e9b99efe4b5cf7e810156f7bb55736e01be36a45)
  Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* nss: update to 3.38 | Armin Kuster | 2018-07-06 | 2 | -115/+2
  remove patch now included in release.
  includes: CVE-2018-0495
  (From OE-Core rev: f0ad38d02da0bbcc1534dcc99d10436675932ed9)
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
  Signed-off-by: Ross Burton <ross.burton@intel.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* nss: update to 3.37.1 | Armin Kuster | 2018-06-27 | 5 | -44/+123
  remove Fix-compilation-for-X32.patch as a similar solution is included in update.
  notable changes:
  The TLS 1.3 implementation was updated to Draft 28.
  The CA certificates list was updated to version 2.24.
  refresh patches
  fix 32 bit build error
  nss bug: https://bugzilla.mozilla.org/show_bug.cgi?format=default&id=1459739
  (From OE-Core rev: 1ed072515f2a23de75ee56b86d8607c85b42605c)
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* nss: Fix build error for aarch64be. | Lei Maohui | 2018-06-27 | 1 | -0/+5
  (From OE-Core rev: 2d9a8a5539342faa1827f4902b1095a9f3448c66)
  Signed-off-by: Lei Maohui <leimaohui@cn.fujitsu.com>
  Signed-off-by: Ross Burton <ross.burton@intel.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* nss: update to 3.36.1 | Armin Kuster | 2018-05-29 | 3 | -153/+2
  removed patches included in update:
  0001-Bug-1437734-Use-snprintf-in-sign.c-r-ttaubert.patch
  nss-build-hacl-poly1305-aarch64.patch
  (From OE-Core rev: 9755699275e6290950145685c186082dfcd28a9e)
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
  Signed-off-by: Ross Burton <ross.burton@intel.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* nss: Use snprintf in sign.c | Khem Raj | 2018-03-30 | 2 | -0/+120
  Fixes security warnings
  | sign.c:86:31: error: 'sprintf' may write a terminating nul past the end of the destination [-Werror=format-overflow=]
  | sprintf(fullfn, "%s/%s", tree, tempfn);
  (From OE-Core rev: 7171e96f3a5f54c63674cf5282aea31bcb9cd7f9)
  Signed-off-by: Khem Raj <raj.khem@gmail.com>
  Signed-off-by: Ross Burton <ross.burton@intel.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* nss: update to 3.35 | Armin Kuster | 2018-03-30 | 2 | -2/+33
  (From OE-Core rev: d136548ad7aef23021eac6af2ffc6317f36bd1c5)
  Signed-off-by: Armin Kuster <akuster@mvista.com>
  Signed-off-by: Ross Burton <ross.burton@intel.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* nss: update to 3.34.1 | Armin Kuster | 2018-01-02 | 1 | -2/+2
  The following CA certificate was Re-Added. It was removed in NSS 3.34, but has been re-added with only the Email trust bit set. (bug 1418678)
  CN = Certum CA, O=Unizeto Sp. z o.o.
  SHA-256 Fingerprint: D8:E0:FE:BC:1D:B2:E3:8D:00:94:0F:37:D2:7D:41:34:4D:99:3E:73:4B:99:D5:65:6D:97:78:D4:D8:14:36:24
  (From OE-Core rev: cc76625cc19422fba045a308aca017c8f4c8fa5f)
  Signed-off-by: Armin Kuster <akuster@mvista.com>
  Signed-off-by: Ross Burton <ross.burton@intel.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* nss: update to 3.34 | Armin Kuster | 2017-12-02 | 1 | -2/+2
  for more info see: https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.34_release_notes
  (From OE-Core rev: 55ad71fd60507d566bf5235b5a119b327184fcf0)
  Signed-off-by: Armin Kuster <akuster@mvista.com>
  Signed-off-by: Ross Burton <ross.burton@intel.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* nss: pay attention to CFLAGS | Joe Slater | 2017-11-30 | 1 | -1/+6
  nss ignores CFLAGS so we suggest them via CC.
  (From OE-Core rev: 95b65eefe7eb001752a37d1015bbf9be63bfd6bb)
  Signed-off-by: Joe Slater <jslater@windriver.com>
  Signed-off-by: Ross Burton <ross.burton@intel.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* nss: update to 3.33.0 | Armin Kuster | 2017-11-07 | 1 | -2/+2
  https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.33_release_notes
  * TLS compression is no longer supported. API calls that attempt to enable compression are accepted without failure. However, TLS compression will remain disabled.
  * This version of NSS uses a formally verified implementation of Curve25519 on 64-bit systems.
  * The compile time flag DISABLE_ECC has been removed.
  * When NSS is compiled without NSS_FORCE_FIPS=1 startup checks are not performed anymore.
  * Fixes CVE-2017-7805, a potential use-after-free in TLS 1.2 server when verifying client authentication
  https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.32_release_notes
  The Websites (TLS/SSL) trust bit was turned off for the following root certificates.
  * CN = AddTrust Class 1 CA Root
    SHA-256 Fingerprint: 8C:72:09:27:9A:C0:4E:27:5E:16:D0:7F:D3:B7:75:E8:01:54:B5:96:80:46:E3:1F:52:DD:25:76:63:24:E9:A7
  * CN = Swisscom Root CA 2
    SHA-256 Fingerprint: F0:9B:12:2C:71:14:F4:A0:9B:D4:EA:4F:4A:99:D5:58:B4:6E:4C:25:CD:81:14:0D:29:C0:56:13:91:4C:38:41
  The following CA certificates were Removed:
  * CN = AddTrust Public CA Root
    SHA-256 Fingerprint: 07:91:CA:07:49:B2:07:82:AA:D3:C7:D7:BD:0C:DF:C9:48:58:35:84:3E:B2:D7:99:60:09:CE:43:AB:6C:69:27
  * CN = AddTrust Qualified CA Root
    SHA-256 Fingerprint: 80:95:21:08:05:DB:4B:BC:35:5E:44:28:D8:FD:6E:C2:CD:E3:AB:5F:B9:7A:99:42:98:8E:B8:F4:DC:D0:60:16
  * CN = China Internet Network Information Center EV Certificates Root
    SHA-256 Fingerprint: 1C:01:C6:F4:DB:B2:FE:FC:22:55:8B:2B:CA:32:56:3F:49:84:4A:CF:C3:2B:7B:E4:B0:FF:59:9F:9E:8C:7A:F7
  * CN = CNNIC ROOT
    SHA-256 Fingerprint: E2:83:93:77:3D:A8:45:A6:79:F2:08:0C:C7:FB:44:A3:B7:A1:C3:79:2C:B7:EB:77:29:FD:CB:6A:8D:99:AE:A7
  * CN = ComSign Secured CA
    SHA-256 Fingerprint: 50:79:41:C7:44:60:A0:B4:70:86:22:0D:4E:99:32:57:2A:B5:D1:B5:BB:CB:89:80:AB:1C:B1:76:51:A8:44:D2
  * CN = GeoTrust Global CA 2
    SHA-256 Fingerprint: CA:2D:82:A0:86:77:07:2F:8A:B6:76:4F:F0:35:67:6C:FE:3E:5E:32:5E:01:21:72:DF:3F:92:09:6D:B7:9B:85
  * CN = Secure Certificate Services
    SHA-256 Fingerprint: BD:81:CE:3B:4F:65:91:D1:1A:67:B5:FC:7A:47:FD:EF:25:52:1B:F9:AA:4E:18:B9:E3:DF:2E:34:A7:80:3B:E8
  * CN = Swisscom Root CA 1
    SHA-256 Fingerprint: 21:DB:20:12:36:60:BB:2E:D4:18:20:5D:A1:1E:E7:A8:5A:65:E2:BC:6E:55:B5:AF:7E:78:99:C8:A2:66:D9:2E
  * CN = Swisscom Root EV CA 2
    SHA-256 Fingerprint: D9:5F:EA:3C:A4:EE:DC:E7:4C:D7:6E:75:FC:6D:1F:F6:2C:44:1F:0F:A8:BC:77:F0:34:B1:9E:5D:B2:58:01:5D
  * CN = Trusted Certificate Services
    SHA-256 Fingerprint: 3F:06:E5:56:81:D4:96:F5:BE:16:9E:B5:38:9F:9F:2B:8F:F6:1E:17:08:DF:68:81:72:48:49:CD:5D:27:CB:69
  * CN = UTN-USERFirst-Hardware
    SHA-256 Fingerprint: 6E:A5:47:41:D0:04:66:7E:ED:1B:48:16:63:4A:A3:A7:9E:6E:4B:96:95:0F:82:79:DA:FC:8D:9B:D8:81:21:37
  * CN = UTN-USERFirst-Object
    SHA-256 Fingerprint: 6F:FF:78:E4:00:A7:0C:11:01:1C:D8:59:77:C4:59:FB:5A:F9:6A:3D:F0:54:08:20:D0:F4:B8:60:78:75:E5:8F
  (From OE-Core rev: 83d79f449c33eff7bba92dfda8ffd4b699fb6462)
  Signed-off-by: Armin Kuster <akuster@mvista.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* nspr, nss: Use BUILD_CC instead of hardcoded "gcc" | Nikolay Merinov | 2017-10-07 | 1 | -3/+3
  Recipes nspr_4.16.bb and nss_3.31.1.bb ignored BUILD_CC and its BUILD_CFLAGS and tried to compile with hardcoded "gcc" instead. As a result, the build for these recipes will fail if the host uses a different name for the compiler or requires any flags.
  (From OE-Core rev: 79e3339ab9edacb9e34d3725305d5880a974364a)
  Signed-off-by: Nikolay Merinov <n.merinov@inango-systems.com>
  Signed-off-by: Ross Burton <ross.burton@intel.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* nss: 3.30.2 -> 3.31.1 | Kai Kang | 2017-08-18 | 2 | -45/+6
  Upgrade nss from 3.30.2 to latest stable version 3.31.1.
  * remove 0001-Fix-warnings-found-with-gcc7.patch which is not needed now
  (From OE-Core rev: 86838f1c06002a62ded12a9a66d1eb82093c85a9)
  Signed-off-by: Kai Kang <kai.kang@windriver.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* meta: Add/fix missing Upstream-Status to patches | Richard Purdie | 2017-06-27 | 1 | -0/+2
  This adds or fixes the Upstream-Status for all remaining patches missing it in OE-Core.
  (From OE-Core rev: 563cab8e823c3fde8ae4785ceaf4d68a5d3e25df)
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* nss: Upgrade 3.29.1 to 3.30.2 | Fan Xin | 2017-05-30 | 1 | -3/+3
  Upgrade nss from 3.29.1 to 3.30.2
  (From OE-Core rev: 08139f4c4a58a7bda2e7857349d56621d886278b)
  Signed-off-by: Fan Xin <fan.xin@jp.fujitsu.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* nss: Update to 3.29.1 | Khem Raj | 2017-05-12 | 2 | -14/+55
  Also fix build with gcc7 along
  (From OE-Core rev: 5b8c7e4cc54353014e9e023e29a6ff97aefd5179)
  Signed-off-by: Khem Raj <raj.khem@gmail.com>
  Signed-off-by: Ross Burton <ross.burton@intel.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* nss: update to 3.28.1 | Alexander Kanavin | 2017-03-01 | 3 | -75/+52
  Rebase nss-fix-support-cross-compiling.patch
  (From OE-Core rev: f65baebafc3d1389c5e5000c6cd921b7569123a1)
  Signed-off-by: Alexander Kanavin <alexander.kanavin@linux.intel.com>
  Signed-off-by: Ross Burton <ross.burton@intel.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* nss: Fix nss-native so the checksum doesn't change with BUILD_ARCH | Richard Purdie | 2017-02-09 | 1 | -0/+2
  Switching between 32 and 64 bit BUILD_ARCH shows:
  $ bitbake-diffsigs tmp-sstatesamehash*/stamps/*/nss-native/3.27.1-r0.do_compile.sigdata.*
  basehash changed from 944cc4554a823ba966aeda0ac3d33b79 to 2475db3659c248d81d0e4dadb3c1b4cd
  Variable SITEINFO_BITS value changed from '32' to '64'
  We shouldn't have this dependency and it would fail oe-selftest test_sstate_32_64_same_hash if nss-native were included, therefore exclude it.
  (From OE-Core rev: d1109378d730c5cf50240c4d1a468e3aef5208ea)
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* nss: Add PACKAGE_WRITE_DEPS | Jussi Kukkonen | 2017-01-20 | 1 | -0/+1
  nss-native is required in postinst. It's also needed during build so not removed from DEPENDS.
  (From OE-Core rev: 88540c5b08dea069660d1a68e506aebdd68e6ae0)
  Signed-off-by: Jussi Kukkonen <jussi.kukkonen@intel.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* nss: fix for x32 | Christopher Larson | 2017-01-09 | 2 | -0/+32
  This was casting to a pointer, and the pointer sizes are 32-bit on X32, not 64-bit. Adjust as appropriate.
  (From OE-Core rev: d9dca61ed26af166df913f34bdce3f2830682b33)
  Signed-off-by: Christopher Larson <chris_larson@mentor.com>
  Signed-off-by: Ross Burton <ross.burton@intel.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* nss: Fix postinstall script | David Vincent | 2017-01-09 | 1 | -6/+6
  When installing NSS on a read-only rootfs, the current postinstall scriptlet exits after having run the signing part. This causes an error when appending the task because the rest of the script is simply ignored and therefore never run.
  (From OE-Core rev: 8f782f7095e718dd9452055af53363beb6bdbece)
  Signed-off-by: David Vincent <freesilicon@gmail.com>
  Signed-off-by: Ross Burton <ross.burton@intel.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* nss: update to 3.27.1 | Alexander Kanavin | 2016-10-28 | 2 | -7/+7
  (From OE-Core rev: 564c93fcc09c615ebcc51b30959a9848d8c193f7)
  Signed-off-by: Alexander Kanavin <alexander.kanavin@linux.intel.com>
  Signed-off-by: Ross Burton <ross.burton@intel.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* nss: update to 3.25 | Alexander Kanavin | 2016-09-03 | 1 | -3/+3
  (From OE-Core rev: fa11e90f691e4f4eee8a231abfe179b0f4992da9)
  Signed-off-by: Alexander Kanavin <alexander.kanavin@linux.intel.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* nss: Fix build on mips/clang | Khem Raj | 2016-07-20 | 2 | -0/+24
  This issue is also reported here https://trac.macports.org/ticket/51709
  Patch is also from same ticket
  (From OE-Core rev: 119ff60101ed6fd542f1280d37a24411d8b14264)
  Signed-off-by: Khem Raj <raj.khem@gmail.com>
  Signed-off-by: Ross Burton <ross.burton@intel.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* nss: Fix build with clang | Khem Raj | 2016-07-20 | 3 | -5/+41
  Add a patch to disable a clang specific warning and avoid passing clang options to gcc when the cross compiler is clang but the host compiler is gcc.
  We do not need to use target cflags when building native pieces and hence avoid the inter-mixing of compiler options.
  (From OE-Core rev: d13640f39f8f467597daa42774102329e82d9b68)
  Signed-off-by: Khem Raj <raj.khem@gmail.com>
  Signed-off-by: Ross Burton <ross.burton@intel.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* nss: update to 3.24 | Alexander Kanavin | 2016-07-10 | 2 | -31/+3
  Drop merged 0001-Fix-build-failure-on-opensuse-13.1.patch
  (From OE-Core rev: 755dda7f9a054c6069ef95e3ee4fe7d604378446)
  Signed-off-by: Alexander Kanavin <alexander.kanavin@linux.intel.com>
  Signed-off-by: Ross Burton <ross.burton@intel.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* nss: Upgrade to 3.23 | Khem Raj | 2016-05-13 | 1 | -4/+4
  Disable Werror on native builds. This helps in building nss-native on build hosts which have gcc < 4.9 e.g. ubuntu 14.04
  The real issue is that we use headers from native staging sysroot and it has the updated glibc headers which then ends up with errors e.g.
  | In function 'memset',
  | inlined from 'sec_PKCS7Encrypt' at p7local.c:715:14:
  | /usr/include/x86_64-linux-gnu/bits/string3.h:81:30: error: call to '__warn_memset_zero_len' declared with attribute warning: memset used with constant zero length parameter; this could be due to transposed parameters [-Werror]
  | __warn_memset_zero_len ();
  | ^
  | cc1: all warnings being treated as errors
  | make[2]: *** [Linux3.4_x86_64_glibc_PTH_64_OPT.OBJ/p7local.o] Error 1
  (From OE-Core rev: e69feac4066c8c27b50c88daf9ebaa27a5c54646)
  Signed-off-by: Khem Raj <raj.khem@gmail.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* nss: define RPATH variable for nss-native | Markus Lehtonen | 2016-02-16 | 1 | -1/+7
  Otherwise the nss libs do not get any RPATH/RUNPATH. Consequently, the .so dependencies of nss libs are always searched from the base lib directories of the host (i.e. /lib/ and /usr/lib). This causes problems with nss-native where the .so's should be searched from the base lib directories of the sysroot instead of the host file system.
  This particular problem has probably been unnoticed as most users are likely to have nss libraries installed on their host system. In this case everything most likely works as expected.
  [YOCTO #9041]
  (From OE-Core rev: f78664219503cc176ca1c10a4397ca8a2883eb71)
  Signed-off-by: Markus Lehtonen <markus.lehtonen@linux.intel.com>
  Signed-off-by: Ross Burton <ross.burton@intel.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* nss: Undefine HAVE_SYS_CDEFS_H | Khem Raj | 2016-01-24 | 1 | -0/+4
  nss's build system assumes that cdefs.h is always available on linux which is not the case with musl
  (From OE-Core rev: c4a5a8c4a6dbdcf735024aaee9e36a7a7b56cb96)
  Signed-off-by: Khem Raj <raj.khem@gmail.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* nss: update to 3.21 | Alexander Kanavin | 2016-01-20 | 2 | -3/+35
  Explicitly disable tests (they were previously implicitly disabled upstream), as they cause various architecture-specific build failures.
  Add 0001-Fix-build-failure-on-opensuse-13.1.patch that fixes compilation using gcc 4.8.
  (From OE-Core rev: 1cf3f0685b42ce494d7b2b327d54c9652a6de42d)
  Signed-off-by: Alexander Kanavin <alexander.kanavin@linux.intel.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* meta: more removals of redundant FILES_${PN}-dbg | Ross Burton | 2015-12-16 | 1 | -1/+0
  In some recipes overly-split -dbg packages were merged into PN-dbg. Unless there's a very good reason, recipes should have a single -dev and -dbg package.
  (From OE-Core rev: a3b000643898d7402b9e57c02e8d10e677cc9722)
  Signed-off-by: Ross Burton <ross.burton@intel.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* package_regex.inc: split the rest of the entries to their recipes | Alexander Kanavin | 2015-12-08 | 1 | -0/+3
  (From OE-Core rev: 73e2555cc7d529a93362b3fcfea3fbc7a4c60ca1)
  Signed-off-by: Alexander Kanavin <alexander.kanavin@linux.intel.com>
  Signed-off-by: Ross Burton <ross.burton@intel.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* nss: Upgrade 3.19.1 -> 3.19.2 | Jussi Kukkonen | 2015-08-16 | 1 | -3/+3
  This is a bug fix release.
  (From OE-Core rev: 9d8062a0953f03089f751af435c18f5174e1ce67)
  Signed-off-by: Jussi Kukkonen <jussi.kukkonen@intel.com>
  Signed-off-by: Ross Burton <ross.burton@intel.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* nss: advance to version 3.19.1 | Joe Slater | 2015-08-01 | 2 | -11/+10
  Picks up fixes for CVE-2015-2721 and CVE-2015-2730.
  Specify previously overlooked license file COPYING.
  Fold nss.inc into recipe.
  (From OE-Core rev: 6a68e5d9ee6122f0ed70396569eb6cd1a3297c9d)
  Signed-off-by: Joe Slater <jslater@windriver.com>
  Signed-off-by: Ross Burton <ross.burton@intel.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* nss: improve the script signlibs.sh | Jackie Huang | 2015-04-24 | 1 | -1/+1
  The *.chk files are installed in ${libdir} by nss, which is already known, no need to 'find' to get the file list, and 'ls' is faster than 'find'.
  (From OE-Core rev: 7eba8ba126e8757d0b1d5c3a758748e42c3646ff)
  Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* nss: Fix build in x32 ABI | Aníbal Limón | 2015-04-10 | 1 | -0/+4
  Trying to build nss with x32 ABI enabled fails because the USE_X32 env var needs to be specified.
  [YOCTO #7420]
  (From OE-Core rev: 2898c2cf94bd690ebfc4ab5f4d220e6ea05aca82)
  Signed-off-by: Aníbal Limón <anibal.limon@linux.intel.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* nss: generate debug info | Joe Slater | 2015-04-08 | 1 | -6/+7
  Because the build of nss seems to ignore CFLAGS, we never have put source code in the -dbg package. We do not address the CFLAGS issue, but we do add -g to the definition of CC so that we will generate debug info.
  We also let package.bbclass populate the -dbg package instead of forcing the contents locally.
  (From OE-Core rev: 0ec01bbd845b61798366441b2c7e5b8738db6b32)
  Signed-off-by: Joe Slater <jslater@windriver.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* nss: move /usr/bin/smime to nss-smime | Martin Jansa | 2015-03-22 | 1 | -1/+5
  * remove perl runtime dependency from main package
  (From OE-Core rev: c799c753d56fcb9468d32d7622817ecf7932cdf4)
  Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* nss: update package to 3.17.3 and build fix | Armin Kuster | 2015-01-29 | 4 | -8/+43
  Update includes:
  CVE-2014-1569
  http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-1569
  for changelog information see
  https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.17.3_release_notes
  We had a build failure on 32 bit hosts so including a patch from:
  http://git.yoctoproject.org/cgit.cgi/poky-contrib/log/?h=mhatle/dora-misc
  Wenzong Fan (1):
  nss: workaround multilib build on 32bit host
  (From OE-Core rev: ccb86249b2b29686303ed04aac74887f0fa490df)
  Signed-off-by: Armin Kuster <akuster@mvista.com>
  Signed-off-by: Ross Burton <ross.burton@intel.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* nss: Upgrade to 3.17.2 | Chong Lu | 2014-11-12 | 2 | -8/+8
  (From OE-Core rev: 34593e222fe1cc6f8b30d71aeaa5078b1c1724f1)
  Signed-off-by: Chong Lu <Chong.Lu@windriver.com>
  Signed-off-by: Ross Burton <ross.burton@intel.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* nss: Upgrade to 3.17 | Saul Wold | 2014-11-06 | 15 | -1281/+9
  CVE patches removed since they have been implemented upstream
  Rename patch dir (files) to generic PN name
  (From OE-Core rev: ff3ca87477f2caf9e2228ed100f243f5ea831577)
  Signed-off-by: Saul Wold <sgw@linux.intel.com>
  Signed-off-by: Ross Burton <ross.burton@intel.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* nss: nss.pc is not target specific | Saul Wold | 2014-09-30 | 1 | -2/+4
  RPM4 requires an nss-native component
  (From OE-Core rev: f70efca58e9411feb251c9d00066f8631b167004)
  Signed-off-by: Saul Wold <sgw@linux.intel.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* nss.inc: Fix LICENSE | Elizabeth Flanagan | 2014-09-29 | 1 | -1/+1
  From reading the COPYING and various license headers, the nss LICENSE was incorrect. It's actually MPL-2.0 (not 1.1) with a few different Or instances.
  (From OE-Core rev: ed3e7d4a584d836887d798e0f30339808d09804f)
  Signed-off-by: Elizabeth Flanagan <elizabeth.flanagan@intel.com>
  Signed-off-by: Ross Burton <ross.burton@intel.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* nss: CVE-2014-1544 | Li Wang | 2014-08-27 | 2 | -0/+42
  the patch comes from:
  https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-1544
  https://hg.mozilla.org/projects/nss/rev/204f22c527f8
  author Robert Relyea <rrelyea@redhat.com>
  https://bugzilla.mozilla.org/show_bug.cgi?id=963150
  Bug 963150: Add nssCertificate_AddRef and nssCertificate_Destroy calls to PK11_ImportCert to prevent nssTrustDomain_AddCertsToCache from freeing the CERTCertificate associated with the NSSCertificate. r=wtc.
  (From OE-Core rev: 7ef613c7f4b9e4ff153766f31dae81fc4810c0df)
  Signed-off-by: Li Wang <li.wang@windriver.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* nss*: Replace hardcoded "/etc" with "${sysconfdir}" | Robert P. J. Day | 2014-08-06 | 1 | -3/+3
  (From OE-Core rev: 1c44e057c66fe20d491fcb3ae45defe0a300b256)
  Signed-off-by: Robert P. J. Day <rpjday@crashcourse.ca>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* nss: CVE-2013-5606 | Li Wang | 2014-07-29 | 2 | -0/+49
  the patch comes from:
  http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-5606
  https://bugzilla.mozilla.org/show_bug.cgi?id=910438
  http://hg.mozilla.org/projects/nss/rev/d29898e0981c
  The CERT_VerifyCert function in lib/certhigh/certvfy.c in Mozilla Network Security Services (NSS) 3.15 before 3.15.3 provides an unexpected return value for an incompatible key-usage certificate when the CERTVerifyLog argument is valid, which might allow remote attackers to bypass intended access restrictions via a crafted certificate.
  (From OE-Core rev: 1e153b1b21276d56144add464d592cd7b96a4ede)
  Signed-off-by: Li Wang <li.wang@windriver.com>
  Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
  Signed-off-by: Saul Wold <sgw@linux.intel.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* nss-3.15.1: fix CVE-2013-1739 | yzhu1 | 2014-06-24 | 2 | -0/+82
  Mozilla Network Security Services (NSS) before 3.15.2 does not ensure that data structures are initialized before read operations, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors that trigger a decryption failure.
  http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1739
  (From OE-Core rev: 9b43af77d112e75fa9827a9080b7e94f41f9a116)
  Signed-off-by: yzhu1 <yanjun.zhu@windriver.com>
  Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* nss: CVE-2013-1740 | Li Wang | 2014-05-21 | 2 | -0/+917
  the patch comes from:
  http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1740
  https://bugzilla.mozilla.org/show_bug.cgi?id=919877
  https://bugzilla.mozilla.org/show_bug.cgi?id=713933
  changeset: 10946:f28426e944ae
  user: Wan-Teh Chang <wtc@google.com>
  date: Tue Nov 26 16:44:39 2013 -0800
  summary: Bug 713933: Handle the return value of both ssl3_HandleRecord calls
  changeset: 10945:774c7dec7565
  user: Wan-Teh Chang <wtc@google.com>
  date: Mon Nov 25 19:16:23 2013 -0800
  summary: Bug 713933: Declare the |falseStart| local variable in the smallest
  changeset: 10848:141fae8fb2e8
  user: Wan-Teh Chang <wtc@google.com>
  date: Mon Sep 23 11:25:41 2013 -0700
  summary: Bug 681839: Allow SSL_HandshakeNegotiatedExtension to be called before the handshake is finished, r=brian@briansmith.org
  changeset: 10898:1b9c43d28713
  user: Brian Smith <brian@briansmith.org>
  date: Thu Oct 31 15:40:42 2013 -0700
  summary: Bug 713933: Make SSL False Start work with asynchronous certificate validation, r=wtc
  (From OE-Core rev: 11e728e64e37eec72ed0cb3fb4d5a49ddeb88666)
  Signed-off-by: Li Wang <li.wang@windriver.com>
  Signed-off-by: Roy Li <rongqing.li@windriver.com>
  Signed-off-by: Saul Wold <sgw@linux.intel.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>