From 2e2ba4597e80b451e98d8197a66ef9011a4701c1 Mon Sep 17 00:00:00 2001 From: Armin Kuster Date: Fri, 3 Nov 2017 12:54:45 -0700 Subject: nss: update to 3.33.0 https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.33_release_notes * TLS compression is no longer supported. API calls that attempt to enable compression are accepted without failure. However, TLS compression will remain disabled. * This version of NSS uses a formally verified implementation of Curve25519 on 64-bit systems. * The compile time flag DISABLE_ECC has been removed. * When NSS is compiled without NSS_FORCE_FIPS=1 startup checks are not performed anymore. * Fixes CVE-2017-7805, a potential use-after-free in TLS 1.2 server when verifying client authentication https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.32_release_notes The Websites (TLS/SSL) trust bit was turned off for the following root certificates. * CN = AddTrust Class 1 CA Root SHA-256 Fingerprint: 8C:72:09:27:9A:C0:4E:27:5E:16:D0:7F:D3:B7:75:E8:01:54:B5:96:80:46:E3:1F:52:DD:25:76:63:24:E9:A7 * CN = Swisscom Root CA 2 SHA-256 Fingerprint: F0:9B:12:2C:71:14:F4:A0:9B:D4:EA:4F:4A:99:D5:58:B4:6E:4C:25:CD:81:14:0D:29:C0:56:13:91:4C:38:41 The following CA certificates were Removed: * CN = AddTrust Public CA Root SHA-256 Fingerprint: 07:91:CA:07:49:B2:07:82:AA:D3:C7:D7:BD:0C:DF:C9:48:58:35:84:3E:B2:D7:99:60:09:CE:43:AB:6C:69:27 * CN = AddTrust Qualified CA Root SHA-256 Fingerprint: 80:95:21:08:05:DB:4B:BC:35:5E:44:28:D8:FD:6E:C2:CD:E3:AB:5F:B9:7A:99:42:98:8E:B8:F4:DC:D0:60:16 * CN = China Internet Network Information Center EV Certificates Root SHA-256 Fingerprint: 1C:01:C6:F4:DB:B2:FE:FC:22:55:8B:2B:CA:32:56:3F:49:84:4A:CF:C3:2B:7B:E4:B0:FF:59:9F:9E:8C:7A:F7 * CN = CNNIC ROOT SHA-256 Fingerprint: E2:83:93:77:3D:A8:45:A6:79:F2:08:0C:C7:FB:44:A3:B7:A1:C3:79:2C:B7:EB:77:29:FD:CB:6A:8D:99:AE:A7 * CN = ComSign Secured CA SHA-256 Fingerprint: 50:79:41:C7:44:60:A0:B4:70:86:22:0D:4E:99:32:57:2A:B5:D1:B5:BB:CB:89:80:AB:1C:B1:76:51:A8:44:D2 * CN = GeoTrust Global CA 2 SHA-256 Fingerprint: CA:2D:82:A0:86:77:07:2F:8A:B6:76:4F:F0:35:67:6C:FE:3E:5E:32:5E:01:21:72:DF:3F:92:09:6D:B7:9B:85 * CN = Secure Certificate Services SHA-256 Fingerprint: BD:81:CE:3B:4F:65:91:D1:1A:67:B5:FC:7A:47:FD:EF:25:52:1B:F9:AA:4E:18:B9:E3:DF:2E:34:A7:80:3B:E8 * CN = Swisscom Root CA 1 SHA-256 Fingerprint: 21:DB:20:12:36:60:BB:2E:D4:18:20:5D:A1:1E:E7:A8:5A:65:E2:BC:6E:55:B5:AF:7E:78:99:C8:A2:66:D9:2E * CN = Swisscom Root EV CA 2 SHA-256 Fingerprint: D9:5F:EA:3C:A4:EE:DC:E7:4C:D7:6E:75:FC:6D:1F:F6:2C:44:1F:0F:A8:BC:77:F0:34:B1:9E:5D:B2:58:01:5D * CN = Trusted Certificate Services SHA-256 Fingerprint: 3F:06:E5:56:81:D4:96:F5:BE:16:9E:B5:38:9F:9F:2B:8F:F6:1E:17:08:DF:68:81:72:48:49:CD:5D:27:CB:69 * CN = UTN-USERFirst-Hardware SHA-256 Fingerprint: 6E:A5:47:41:D0:04:66:7E:ED:1B:48:16:63:4A:A3:A7:9E:6E:4B:96:95:0F:82:79:DA:FC:8D:9B:D8:81:21:37 * CN = UTN-USERFirst-Object SHA-256 Fingerprint: 6F:FF:78:E4:00:A7:0C:11:01:1C:D8:59:77:C4:59:FB:5A:F9:6A:3D:F0:54:08:20:D0:F4:B8:60:78:75:E5:8F (From OE-Core rev: 83d79f449c33eff7bba92dfda8ffd4b699fb6462) Signed-off-by: Armin Kuster Signed-off-by: Richard Purdie --- meta/recipes-support/nss/nss_3.31.1.bb | 248 --------------------------------- 1 file changed, 248 deletions(-) delete mode 100644 meta/recipes-support/nss/nss_3.31.1.bb (limited to 'meta/recipes-support/nss/nss_3.31.1.bb') diff --git a/meta/recipes-support/nss/nss_3.31.1.bb b/meta/recipes-support/nss/nss_3.31.1.bb deleted file mode 100644 index 588708fc31..0000000000 --- a/meta/recipes-support/nss/nss_3.31.1.bb +++ /dev/null @@ -1,248 +0,0 @@ -SUMMARY = "Mozilla's SSL and TLS implementation" -DESCRIPTION = "Network Security Services (NSS) is a set of libraries \ -designed to support cross-platform development of \ -security-enabled client and server applications. \ -Applications built with NSS can support SSL v2 and v3, \ -TLS, PKCS 5, PKCS 7, PKCS 11, PKCS 12, S/MIME, X.509 \ -v3 certificates, and other security standards." -HOMEPAGE = "http://www.mozilla.org/projects/security/pki/nss/" -SECTION = "libs" - -LICENSE = "MPL-2.0 | (MPL-2.0 & GPL-2.0+) | (MPL-2.0 & LGPL-2.1+)" - -LIC_FILES_CHKSUM = "file://nss/COPYING;md5=3b1e88e1b9c0b5a4b2881d46cce06a18 \ - file://nss/lib/freebl/mpi/doc/LICENSE;md5=491f158d09d948466afce85d6f1fe18f \ - file://nss/lib/freebl/mpi/doc/LICENSE-MPL;md5=5d425c8f3157dbf212db2ec53d9e5132" - -VERSION_DIR = "${@d.getVar('BP').upper().replace('-', '_').replace('.', '_') + '_RTM'}" - -SRC_URI = "http://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/${VERSION_DIR}/src/${BP}.tar.gz \ - file://nss.pc.in \ - file://signlibs.sh \ - file://0001-nss-fix-support-cross-compiling.patch \ - file://nss-no-rpath-for-cross-compiling.patch \ - file://nss-fix-incorrect-shebang-of-perl.patch \ - file://nss-fix-nsinstall-build.patch \ - file://disable-Wvarargs-with-clang.patch \ - file://pqg.c-ULL_addend.patch \ - file://Fix-compilation-for-X32.patch \ - " - -SRC_URI[md5sum] = "ebb44f1394250d2cf6ec3c2e3d71fa20" -SRC_URI[sha256sum] = "933439214dc03ee60e86d1419c19e1568998b0776dde987f41fa70ced6cd08dc" - -UPSTREAM_CHECK_URI = "https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_Releases" -UPSTREAM_CHECK_REGEX = "NSS_(?P.+)_release_notes" - -inherit siteinfo - -DEPENDS = "sqlite3 nspr zlib nss-native" -DEPENDS_class-native = "sqlite3-native nspr-native zlib-native" -RDEPENDS_${PN}-smime = "perl" - -TD = "${S}/tentative-dist" -TDS = "${S}/tentative-dist-staging" - -TARGET_CC_ARCH += "${LDFLAGS}" - -do_configure_prepend_libc-musl () { - sed -i -e '/-DHAVE_SYS_CDEFS_H/d' ${S}/nss/lib/dbm/config/config.mk -} - -do_compile_prepend_class-native() { - export NSPR_INCLUDE_DIR=${STAGING_INCDIR_NATIVE} - export NSPR_LIB_DIR=${STAGING_LIBDIR_NATIVE} - export NSS_ENABLE_WERROR=0 -} - -do_compile_prepend_class-nativesdk() { - export LDFLAGS="" -} - -do_compile_prepend_class-native() { - # Need to set RPATH so that chrpath will do its job correctly - RPATH="-Wl,-rpath-link,${STAGING_LIBDIR_NATIVE} -Wl,-rpath-link,${STAGING_BASE_LIBDIR_NATIVE} -Wl,-rpath,${STAGING_LIBDIR_NATIVE} -Wl,-rpath,${STAGING_BASE_LIBDIR_NATIVE}" -} - -do_compile() { - export CROSS_COMPILE=1 - export NATIVE_CC="${BUILD_CC}" - export NATIVE_FLAGS="${BUILD_CFLAGS}" - export BUILD_OPT=1 - - export FREEBL_NO_DEPEND=1 - export FREEBL_LOWHASH=1 - - export LIBDIR=${libdir} - export MOZILLA_CLIENT=1 - export NS_USE_GCC=1 - export NSS_USE_SYSTEM_SQLITE=1 - export NSS_ENABLE_ECC=1 - - export OS_RELEASE=3.4 - export OS_TARGET=Linux - export OS_ARCH=Linux - - if [ "${TARGET_ARCH}" = "powerpc" ]; then - OS_TEST=ppc - elif [ "${TARGET_ARCH}" = "powerpc64" ]; then - OS_TEST=ppc64 - elif [ "${TARGET_ARCH}" = "mips" -o "${TARGET_ARCH}" = "mipsel" -o "${TARGET_ARCH}" = "mips64" -o "${TARGET_ARCH}" = "mips64el" ]; then - OS_TEST=mips - else - OS_TEST="${TARGET_ARCH}" - fi - - if [ "${SITEINFO_BITS}" = "64" ]; then - export USE_64=1 - elif [ "${TARGET_ARCH}" = "x86_64" -a "${SITEINFO_BITS}" = "32" ]; then - export USE_X32=1 - fi - - export NSS_DISABLE_GTESTS=1 - - # We can modify CC in the environment, but if we set it via an - # argument to make, nsinstall, a host program, will also build with it! - # - export CC="${CC} -g" - make -C ./nss CCC="${CXX} -g" \ - OS_TEST=${OS_TEST} \ - RPATH="${RPATH}" -} -do_compile[vardepsexclude] += "SITEINFO_BITS" - - -do_install_prepend_class-nativesdk() { - export LDFLAGS="" -} - -do_install() { - export CROSS_COMPILE=1 - export NATIVE_CC="${BUILD_CC}" - export BUILD_OPT=1 - - export FREEBL_NO_DEPEND=1 - - export LIBDIR=${libdir} - export MOZILLA_CLIENT=1 - export NS_USE_GCC=1 - export NSS_USE_SYSTEM_SQLITE=1 - export NSS_ENABLE_ECC=1 - - export OS_RELEASE=3.4 - export OS_TARGET=Linux - export OS_ARCH=Linux - - if [ "${TARGET_ARCH}" = "powerpc" ]; then - OS_TEST=ppc - elif [ "${TARGET_ARCH}" = "powerpc64" ]; then - OS_TEST=ppc64 - elif [ "${TARGET_ARCH}" = "mips" -o "${TARGET_ARCH}" = "mipsel" -o "${TARGET_ARCH}" = "mips64" -o "${TARGET_ARCH}" = "mips64el" ]; then - OS_TEST=mips - else - OS_TEST="${TARGET_ARCH}" - fi - if [ "${SITEINFO_BITS}" = "64" ]; then - export USE_64=1 - elif [ "${TARGET_ARCH}" = "x86_64" -a "${SITEINFO_BITS}" = "32" ]; then - export USE_X32=1 - fi - - export NSS_DISABLE_GTESTS=1 - - make -C ./nss \ - CCC="${CXX}" \ - OS_TEST=${OS_TEST} \ - SOURCE_LIB_DIR="${TD}/${libdir}" \ - SOURCE_BIN_DIR="${TD}/${bindir}" \ - install - - install -d ${D}/${libdir}/ - for file in ${S}/dist/*.OBJ/lib/*.so; do - echo "Installing `basename $file`..." - cp $file ${D}/${libdir}/ - done - - for shared_lib in ${TD}/${libdir}/*.so.*; do - if [ -f $shared_lib ]; then - cp $shared_lib ${D}/${libdir} - ln -sf $(basename $shared_lib) ${D}/${libdir}/$(basename $shared_lib .1oe) - fi - done - for shared_lib in ${TD}/${libdir}/*.so; do - if [ -f $shared_lib -a ! -e ${D}/${libdir}/$shared_lib ]; then - cp $shared_lib ${D}/${libdir} - fi - done - - install -d ${D}/${includedir}/nss3 - install -m 644 -t ${D}/${includedir}/nss3 dist/public/nss/* - - install -d ${D}/${bindir} - for binary in ${TD}/${bindir}/*; do - install -m 755 -t ${D}/${bindir} $binary - done -} -do_install[vardepsexclude] += "SITEINFO_BITS" - -do_install_append() { - # Create empty .chk files for the NSS libraries at build time. They could - # be regenerated at target's boot time. - for file in libsoftokn3.chk libfreebl3.chk libnssdbm3.chk; do - touch ${D}/${libdir}/$file - chmod 755 ${D}/${libdir}/$file - done - install -D -m 755 ${WORKDIR}/signlibs.sh ${D}/${bindir}/signlibs.sh - - install -d ${D}${libdir}/pkgconfig/ - sed 's/%NSS_VERSION%/${PV}/' ${WORKDIR}/nss.pc.in | sed 's/%NSPR_VERSION%/4.9.2/' > ${D}${libdir}/pkgconfig/nss.pc - sed -i s:OEPREFIX:${prefix}:g ${D}${libdir}/pkgconfig/nss.pc - sed -i s:OEEXECPREFIX:${exec_prefix}:g ${D}${libdir}/pkgconfig/nss.pc - sed -i s:OELIBDIR:${libdir}:g ${D}${libdir}/pkgconfig/nss.pc - sed -i s:OEINCDIR:${includedir}/nss3:g ${D}${libdir}/pkgconfig/nss.pc -} - -do_install_append_class-target() { - # Create a blank certificate - mkdir -p ${D}${sysconfdir}/pki/nssdb/ - touch ./empty_password - certutil -N -d ${D}${sysconfdir}/pki/nssdb/ -f ./empty_password - chmod 644 ${D}${sysconfdir}/pki/nssdb/*.db - rm ./empty_password -} - -PACKAGE_WRITE_DEPS += "nss-native" -pkg_postinst_${PN} () { - if [ -n "$D" ]; then - for I in $D${libdir}/lib*.chk; do - DN=`dirname $I` - BN=`basename $I .chk` - FN=$DN/$BN.so - shlibsign -i $FN - if [ $? -ne 0 ]; then - exit 1 - fi - done - else - signlibs.sh - fi -} - -PACKAGES =+ "${PN}-smime" -FILES_${PN}-smime = "\ - ${bindir}/smime \ -" -FILES_${PN} = "\ - ${sysconfdir} \ - ${bindir} \ - ${libdir}/lib*.chk \ - ${libdir}/lib*.so \ - " -FILES_${PN}-dev = "\ - ${libdir}/nss \ - ${libdir}/pkgconfig/* \ - ${includedir}/* \ - " - -BBCLASSEXTEND = "native nativesdk" - -- cgit v1.2.3-54-g00ecf