nss: upgrade 3.118.1 -> 3.119

Signed-off-by: Wang Mingyu <wangmy@fujitsu.com> Signed-off-by: Khem Raj <raj.khem@gmail.com>
author: Wang Mingyu <wangmy@fujitsu.com> 2025-12-09 17:55:28 +0800
committer: Khem Raj <raj.khem@gmail.com> 2025-12-09 15:11:00 -0800
commit: 1645c5e5187e4611c0e6c151f31ee8ecef71456c (patch)
tree: 94604e347e03e1256394f536b9f0dbcf30966150 /meta-oe/recipes-support/nss/nss_3.119.bb
parent: 573a77680e8c2ac43eb5827be040bc8e3e21f954 (diff)
download: meta-openembedded-1645c5e5187e4611c0e6c151f31ee8ecef71456c.tar.gz
1 files changed, 291 insertions, 0 deletions
diff --git a/meta-oe/recipes-support/nss/nss_3.119.bb b/meta-oe/recipes-support/nss/nss_3.119.bb
new file mode 100644
index 0000000000..a0345eb8aa
--- /dev/null
+++ b/meta-oe/recipes-support/nss/nss_3.119.bb
@@ -0,0 +1,291 @@
+SUMMARY = "Mozilla's SSL and TLS implementation"
+DESCRIPTION = "Network Security Services (NSS) is a set of libraries \
+designed to support cross-platform development of \
+security-enabled client and server applications. \
+Applications built with NSS can support SSL v2 and v3, \
+TLS, PKCS 5, PKCS 7, PKCS 11, PKCS 12, S/MIME, X.509 \
+v3 certificates, and other security standards."
+HOMEPAGE = "https://firefox-source-docs.mozilla.org/security/nss/index.html"
+SECTION = "libs"
+DEPENDS = "sqlite3 nspr zlib nss-native"
+DEPENDS:class-native = "sqlite3-native nspr-native zlib-native"
+LICENSE = "(MPL-2.0 & MIT) | (MPL-2.0 & GPL-2.0-or-later & MIT) | (MPL-2.0 & LGPL-2.1-or-later & MIT)"
+LIC_FILES_CHKSUM = "file://nss/COPYING;md5=3b1e88e1b9c0b5a4b2881d46cce06a18 \
+                    file://nss/lib/freebl/mpi/doc/LICENSE;md5=491f158d09d948466afce85d6f1fe18f \
+                    file://nss/lib/freebl/mpi/doc/LICENSE-MPL;md5=5d425c8f3157dbf212db2ec53d9e5132 \
+                    file://nss/lib/freebl/verified/Hacl_Poly1305_256.c;beginline=1;endline=22;md5=cc22f07b95d28d56baeb757df46ee7c8"
+VERSION_DIR = "${@d.getVar('BP').upper().replace('-', '_').replace('.', '_') + '_RTM'}"
+SRC_URI = "https://ftp.mozilla.org/pub/security/nss/releases/${VERSION_DIR}/src/${BP}.tar.gz \
+           file://nss.pc.in \
+           file://blank-cert9.db \
+           file://blank-key4.db \
+           file://system-pkcs11.txt \
+           file://0001-nss-fix-support-cross-compiling.patch \
+           file://0002-nss-no-rpath-for-cross-compiling.patch \
+           file://0003-nss-fix-incorrect-shebang-of-perl.patch \
+           file://0004-nss-disable-Wvarargs-with-clang.patch \
+           file://0005-nss-does-not-build-on-mips-with-clang-because-wrong-.patch  \
+           file://0006-Fix-nss-multilib-build-on-openSUSE-11.x-32bit.patch \
+           file://0007-freebl-add-a-configure-option-to-disable-ARM-HW-cryp.patch \
+           "
+SRC_URI[sha256sum] = "e8412db6c9d6f531e8adfe8a122ec33a8fae920681ff47231a1349bdd399f0e9"
+UPSTREAM_CHECK_URI = "https://ftp.mozilla.org/pub/security/nss/releases/"
+UPSTREAM_CHECK_REGEX = "NSS_(?P<pver>\d+(\_\d+)+)"
+inherit siteinfo
+TD = "${S}/tentative-dist"
+TDS = "${S}/tentative-dist-staging"
+TARGET_CC_ARCH += "${LDFLAGS}"
+CFLAGS:append:class-native = " -D_XOPEN_SOURCE "
+do_configure:prepend:libc-musl () {
+    sed -i -e '/-DHAVE_SYS_CDEFS_H/d' ${S}/nss/lib/dbm/config/config.mk
+}
+do_configure:prepend:powerpc64le:toolchain-clang () {
+    sed -i -e 's/\-std=c99/\-std=gnu99/g' ${S}/nss/coreconf/command.mk
+}
+do_configure:prepend:powerpc64:toolchain-clang () {
+    sed -i -e 's/\-std=c99/\-std=gnu99/g' ${S}/nss/coreconf/command.mk
+}
+do_compile:prepend:class-native() {
+    export NSPR_INCLUDE_DIR=${STAGING_INCDIR_NATIVE}/nspr
+    export NSPR_LIB_DIR=${STAGING_LIBDIR_NATIVE}
+}
+do_compile:prepend:class-nativesdk() {
+    export LDFLAGS=""
+}
+do_compile:prepend:class-native() {
+    # Need to set RPATH so that chrpath will do its job correctly
+    RPATH="-Wl,-rpath-link,${STAGING_LIBDIR_NATIVE} -Wl,-rpath-link,${STAGING_BASE_LIBDIR_NATIVE} -Wl,-rpath,${STAGING_LIBDIR_NATIVE} -Wl,-rpath,${STAGING_BASE_LIBDIR_NATIVE}"
+}
+NATIVE_CC:class-target:toolchain-clang = "clang --rtlib=libgcc --unwindlib=libgcc"
+NATIVE_CC:class-nativesdk:toolchain-clang = "clang --rtlib=libgcc --unwindlib=libgcc"
+NATIVE_CC ?= "${BUILD_CC}"
+do_compile() {
+    export NSPR_INCLUDE_DIR=${STAGING_INCDIR}/nspr
+    export CROSS_COMPILE=1
+    export NATIVE_CC="${NATIVE_CC}"
+    # Additional defines needed on Centos 7
+    export NATIVE_FLAGS="${BUILD_CFLAGS} -DLINUX -Dlinux"
+    export BUILD_OPT=1
+    # POSIX.1-2001 states that the behaviour of getcwd() when passing a null
+    # pointer as the buf argument, is unspecified.
+    export NATIVE_FLAGS="${NATIVE_FLAGS} -DGETCWD_CANT_MALLOC"
+    export FREEBL_NO_DEPEND=1
+    export FREEBL_LOWHASH=1
+    export LIBDIR=${libdir}
+    export MOZILLA_CLIENT=1
+    export NSS_USE_SYSTEM_SQLITE=1
+    export NSS_ENABLE_ECC=1
+    export NSS_ENABLE_WERROR=0
+    ${@bb.utils.contains("TUNE_FEATURES", "crypto", "export NSS_USE_ARM_HW_CRYPTO=1", "", d)}
+    export OS_RELEASE=3.4
+    export OS_TARGET=Linux
+    export OS_ARCH=Linux
+    if [ "${TARGET_ARCH}" = "powerpc" ]; then
+        OS_TEST=ppc
+    elif [ "${TARGET_ARCH}" = "powerpc64" -o "${TARGET_ARCH}" = "powerpc64le" ]; then
+        OS_TEST=ppc64
+    elif [ "${TARGET_ARCH}" = "mips" -o "${TARGET_ARCH}" = "mipsel" -o "${TARGET_ARCH}" = "mips64" -o "${TARGET_ARCH}" = "mips64el" ]; then
+        OS_TEST=mips
+    elif [ "${TARGET_ARCH}" = "aarch64_be" ]; then
+        OS_TEST="aarch64"
+    else
+        OS_TEST="${TARGET_ARCH}"
+    fi
+    if [ "${SITEINFO_BITS}" = "64" ]; then
+        export USE_64=1
+    elif [ "${TARGET_ARCH}" = "x86_64" -a "${SITEINFO_BITS}" = "32" ]; then
+        export USE_X32=1
+    fi
+    export NSS_DISABLE_GTESTS=1
+    # We can modify CC in the environment, but if we set it via an
+    # argument to make, nsinstall, a host program, will also build with it!
+    #
+    # nss pretty much does its own thing with CFLAGS, so we put them into CC.
+    # Optimization will get clobbered, but most of the stuff will survive.
+    # The motivation for this is to point to the correct place for debug
+    # source files and CFLAGS does that.  Nothing uses CCC.
+    #
+    export CC="${CC} ${CFLAGS}"
+    make -C ./nss CCC="${CXX} -g" \
+        OS_TEST=${OS_TEST} \
+        RPATH="${RPATH}" \
+        autobuild
+}
+do_compile[vardepsexclude] += "SITEINFO_BITS"
+do_install:prepend:class-nativesdk() {
+    export LDFLAGS=""
+}
+do_install() {
+    export CROSS_COMPILE=1
+    export NATIVE_CC="${NATIVE_CC}"
+    export BUILD_OPT=1
+    export FREEBL_NO_DEPEND=1
+    export LIBDIR=${libdir}
+    export MOZILLA_CLIENT=1
+    export NSS_USE_SYSTEM_SQLITE=1
+    export NSS_ENABLE_ECC=1
+    export OS_RELEASE=3.4
+    export OS_TARGET=Linux
+    export OS_ARCH=Linux
+    if [ "${TARGET_ARCH}" = "powerpc" ]; then
+        OS_TEST=ppc
+    elif [ "${TARGET_ARCH}" = "powerpc64" -o "${TARGET_ARCH}" = "powerpc64le" ]; then
+        OS_TEST=ppc64
+    elif [ "${TARGET_ARCH}" = "mips" -o "${TARGET_ARCH}" = "mipsel" -o "${TARGET_ARCH}" = "mips64" -o "${TARGET_ARCH}" = "mips64el" ]; then
+        OS_TEST=mips
+    elif [ "${TARGET_ARCH}" = "aarch64_be" ]; then
+        CPU_ARCH=aarch64
+        OS_TEST="aarch64"
+    else
+        OS_TEST="${TARGET_ARCH}"
+    fi
+    if [ "${SITEINFO_BITS}" = "64" ]; then
+        export USE_64=1
+    elif [ "${TARGET_ARCH}" = "x86_64" -a "${SITEINFO_BITS}" = "32" ]; then
+        export USE_X32=1
+    fi
+    export NSS_DISABLE_GTESTS=1
+    make -C ./nss \
+        CCC="${CXX}" \
+        OS_TEST=${OS_TEST} \
+        SOURCE_LIB_DIR="${TD}/${libdir}" \
+        SOURCE_BIN_DIR="${TD}/${bindir}" \
+        install
+    install -d ${D}/${libdir}/
+    for file in ${S}/dist/*.OBJ/lib/*.so; do
+        echo "Installing `basename $file`..."
+        cp $file  ${D}/${libdir}/
+    done
+    for shared_lib in ${TD}/${libdir}/*.so.*; do
+        if [ -f $shared_lib ]; then
+            cp $shared_lib ${D}/${libdir}
+            ln -sf $(basename $shared_lib) ${D}/${libdir}/$(basename $shared_lib .1oe)
+        fi
+    done
+    for shared_lib in ${TD}/${libdir}/*.so; do
+        if [ -f $shared_lib -a ! -e ${D}/${libdir}/$shared_lib ]; then
+            cp $shared_lib ${D}/${libdir}
+        fi
+    done
+    install -d ${D}/${includedir}/nss3
+    install -m 644 -t ${D}/${includedir}/nss3 dist/public/nss/*
+    install -d ${D}/${bindir}
+    for binary in ${TD}/${bindir}/*; do
+        install -m 755 -t ${D}/${bindir} $binary
+    done
+}
+do_install[vardepsexclude] += "SITEINFO_BITS"
+do_install:append() {
+    # Create empty .chk files for the NSS libraries at build time. They could
+    # be regenerated at target's boot time.
+    for file in libsoftokn3.chk libfreebl3.chk libnssdbm3.chk; do
+        touch ${D}/${libdir}/$file
+        chmod 755 ${D}/${libdir}/$file
+    done
+    install -d ${D}${libdir}/pkgconfig/
+    sed 's/%NSS_VERSION%/${PV}/' ${UNPACKDIR}/nss.pc.in | sed 's/%NSPR_VERSION%/4.9.2/' > ${D}${libdir}/pkgconfig/nss.pc
+    sed -i s:OEPREFIX:${prefix}:g ${D}${libdir}/pkgconfig/nss.pc
+    sed -i s:OEEXECPREFIX:${exec_prefix}:g ${D}${libdir}/pkgconfig/nss.pc
+    sed -i s:OELIBDIR:${libdir}:g ${D}${libdir}/pkgconfig/nss.pc
+    sed -i s:OEINCDIR:${includedir}/nss3:g ${D}${libdir}/pkgconfig/nss.pc
+}
+do_install:append:class-target() {
+    # It used to call certutil to create a blank certificate with empty password at
+    # build time, but the checksum of key4.db changes every time when certutil is called.
+    # It causes non-determinism issue, so provide databases with a blank certificate
+    # which are originally from output of nss in qemux86-64 build. You can get these
+    # databases by:
+    # certutil -N -d sql:/database/path/ --empty-password
+    install -d ${D}${sysconfdir}/pki/nssdb/
+    install -m 0644 ${UNPACKDIR}/blank-cert9.db ${D}${sysconfdir}/pki/nssdb/cert9.db
+    install -m 0644 ${UNPACKDIR}/blank-key4.db ${D}${sysconfdir}/pki/nssdb/key4.db
+    install -m 0644 ${UNPACKDIR}/system-pkcs11.txt ${D}${sysconfdir}/pki/nssdb/pkcs11.txt
+}
+PACKAGE_WRITE_DEPS += "nss-native"
+pkg_postinst:${PN} () {
+    for I in $D${libdir}/lib*.chk; do
+        DN=`dirname $I`
+        BN=`basename $I .chk`
+        FN=$DN/$BN.so
+        shlibsign -i $FN
+        if [ $? -ne 0 ]; then
+            echo "shlibsign -i $FN failed"
+        fi
+    done
+}
+PACKAGES =+ "${PN}-smime"
+FILES:${PN}-smime = "\
+    ${bindir}/smime \
+"
+FILES:${PN} = "\
+    ${sysconfdir} \
+    ${bindir} \
+    ${libdir}/lib*.chk \
+    ${libdir}/lib*.so \
+    "
+FILES:${PN}-dev = "\
+    ${libdir}/nss \
+    ${libdir}/pkgconfig/* \
+    ${includedir}/* \
+    "
+RDEPENDS:${PN}-smime = "perl"
+BBCLASSEXTEND = "native nativesdk"
+CVE_PRODUCT += "network_security_services"
+CVE_STATUS_GROUPS += "CVE_STATUS_NSS"
+CVE_STATUS_NSS[status] = "not-applicable-config: This only affect the legacy db (libnssdbm), only compiled with --enable-legacy-db"
+CVE_STATUS_NSS = "CVE-2017-11695 CVE-2017-11696 CVE-2017-11697 CVE-2017-11698"
+CVE_STATUS[CVE-2022-3479] = "not-applicable-config: vulnerability was introduced in 3.77 and fixed in 3.87"
author	Wang Mingyu <wangmy@fujitsu.com>	2025-12-09 17:55:28 +0800
committer	Khem Raj <raj.khem@gmail.com>	2025-12-09 15:11:00 -0800
commit	1645c5e5187e4611c0e6c151f31ee8ecef71456c (patch)
tree	94604e347e03e1256394f536b9f0dbcf30966150 /meta-oe/recipes-support/nss/nss_3.119.bb
parent	573a77680e8c2ac43eb5827be040bc8e3e21f954 (diff)
download	meta-openembedded-1645c5e5187e4611c0e6c151f31ee8ecef71456c.tar.gz

diff --git a/meta-oe/recipes-support/nss/nss_3.119.bb b/meta-oe/recipes-support/nss/nss_3.119.bb new file mode 100644 index 0000000000..a0345eb8aa --- /dev/null +++ b/meta-oe/recipes-support/nss/nss_3.119.bb
@@ -0,0 +1,291 @@
	1	SUMMARY = "Mozilla's SSL and TLS implementation"
	2	DESCRIPTION = "Network Security Services (NSS) is a set of libraries \
	3	designed to support cross-platform development of \
	4	security-enabled client and server applications. \
	5	Applications built with NSS can support SSL v2 and v3, \
	6	TLS, PKCS 5, PKCS 7, PKCS 11, PKCS 12, S/MIME, X.509 \
	7	v3 certificates, and other security standards."
	8	HOMEPAGE = "https://firefox-source-docs.mozilla.org/security/nss/index.html"
	9	SECTION = "libs"
	10
	11	DEPENDS = "sqlite3 nspr zlib nss-native"
	12	DEPENDS:class-native = "sqlite3-native nspr-native zlib-native"
	13
	14	LICENSE = "(MPL-2.0 & MIT) \| (MPL-2.0 & GPL-2.0-or-later & MIT) \| (MPL-2.0 & LGPL-2.1-or-later & MIT)"
	15
	16	LIC_FILES_CHKSUM = "file://nss/COPYING;md5=3b1e88e1b9c0b5a4b2881d46cce06a18 \
	17	file://nss/lib/freebl/mpi/doc/LICENSE;md5=491f158d09d948466afce85d6f1fe18f \
	18	file://nss/lib/freebl/mpi/doc/LICENSE-MPL;md5=5d425c8f3157dbf212db2ec53d9e5132 \
	19	file://nss/lib/freebl/verified/Hacl_Poly1305_256.c;beginline=1;endline=22;md5=cc22f07b95d28d56baeb757df46ee7c8"
	20
	21	VERSION_DIR = "${@d.getVar('BP').upper().replace('-', '_').replace('.', '_') + '_RTM'}"
	22
	23	SRC_URI = "https://ftp.mozilla.org/pub/security/nss/releases/${VERSION_DIR}/src/${BP}.tar.gz \
	24	file://nss.pc.in \
	25	file://blank-cert9.db \
	26	file://blank-key4.db \
	27	file://system-pkcs11.txt \
	28	file://0001-nss-fix-support-cross-compiling.patch \
	29	file://0002-nss-no-rpath-for-cross-compiling.patch \
	30	file://0003-nss-fix-incorrect-shebang-of-perl.patch \
	31	file://0004-nss-disable-Wvarargs-with-clang.patch \
	32	file://0005-nss-does-not-build-on-mips-with-clang-because-wrong-.patch \
	33	file://0006-Fix-nss-multilib-build-on-openSUSE-11.x-32bit.patch \
	34	file://0007-freebl-add-a-configure-option-to-disable-ARM-HW-cryp.patch \
	35	"
	36	SRC_URI[sha256sum] = "e8412db6c9d6f531e8adfe8a122ec33a8fae920681ff47231a1349bdd399f0e9"
	37
	38	UPSTREAM_CHECK_URI = "https://ftp.mozilla.org/pub/security/nss/releases/"
	39	UPSTREAM_CHECK_REGEX = "NSS_(?P<pver>\d+(\_\d+)+)"
	40
	41	inherit siteinfo
	42
	43	TD = "${S}/tentative-dist"
	44	TDS = "${S}/tentative-dist-staging"
	45
	46	TARGET_CC_ARCH += "${LDFLAGS}"
	47
	48	CFLAGS:append:class-native = " -D_XOPEN_SOURCE "
	49
	50	do_configure:prepend:libc-musl () {
	51	sed -i -e '/-DHAVE_SYS_CDEFS_H/d' ${S}/nss/lib/dbm/config/config.mk
	52	}
	53
	54	do_configure:prepend:powerpc64le:toolchain-clang () {
	55	sed -i -e 's/\-std=c99/\-std=gnu99/g' ${S}/nss/coreconf/command.mk
	56	}
	57
	58	do_configure:prepend:powerpc64:toolchain-clang () {
	59	sed -i -e 's/\-std=c99/\-std=gnu99/g' ${S}/nss/coreconf/command.mk
	60	}
	61
	62	do_compile:prepend:class-native() {
	63	export NSPR_INCLUDE_DIR=${STAGING_INCDIR_NATIVE}/nspr
	64	export NSPR_LIB_DIR=${STAGING_LIBDIR_NATIVE}
	65	}
	66
	67	do_compile:prepend:class-nativesdk() {
	68	export LDFLAGS=""
	69	}
	70
	71	do_compile:prepend:class-native() {
	72	# Need to set RPATH so that chrpath will do its job correctly
	73	RPATH="-Wl,-rpath-link,${STAGING_LIBDIR_NATIVE} -Wl,-rpath-link,${STAGING_BASE_LIBDIR_NATIVE} -Wl,-rpath,${STAGING_LIBDIR_NATIVE} -Wl,-rpath,${STAGING_BASE_LIBDIR_NATIVE}"
	74	}
	75
	76	NATIVE_CC:class-target:toolchain-clang = "clang --rtlib=libgcc --unwindlib=libgcc"
	77	NATIVE_CC:class-nativesdk:toolchain-clang = "clang --rtlib=libgcc --unwindlib=libgcc"
	78	NATIVE_CC ?= "${BUILD_CC}"
	79
	80	do_compile() {
	81	export NSPR_INCLUDE_DIR=${STAGING_INCDIR}/nspr
	82
	83	export CROSS_COMPILE=1
	84	export NATIVE_CC="${NATIVE_CC}"
	85	# Additional defines needed on Centos 7
	86	export NATIVE_FLAGS="${BUILD_CFLAGS} -DLINUX -Dlinux"
	87	export BUILD_OPT=1
	88
	89	# POSIX.1-2001 states that the behaviour of getcwd() when passing a null
	90	# pointer as the buf argument, is unspecified.
	91	export NATIVE_FLAGS="${NATIVE_FLAGS} -DGETCWD_CANT_MALLOC"
	92
	93	export FREEBL_NO_DEPEND=1
	94	export FREEBL_LOWHASH=1
	95
	96	export LIBDIR=${libdir}
	97	export MOZILLA_CLIENT=1
	98	export NSS_USE_SYSTEM_SQLITE=1
	99	export NSS_ENABLE_ECC=1
	100	export NSS_ENABLE_WERROR=0
	101
	102	${@bb.utils.contains("TUNE_FEATURES", "crypto", "export NSS_USE_ARM_HW_CRYPTO=1", "", d)}
	103
	104	export OS_RELEASE=3.4
	105	export OS_TARGET=Linux
	106	export OS_ARCH=Linux
	107
	108	if [ "${TARGET_ARCH}" = "powerpc" ]; then
	109	OS_TEST=ppc
	110	elif [ "${TARGET_ARCH}" = "powerpc64" -o "${TARGET_ARCH}" = "powerpc64le" ]; then
	111	OS_TEST=ppc64
	112	elif [ "${TARGET_ARCH}" = "mips" -o "${TARGET_ARCH}" = "mipsel" -o "${TARGET_ARCH}" = "mips64" -o "${TARGET_ARCH}" = "mips64el" ]; then
	113	OS_TEST=mips
	114	elif [ "${TARGET_ARCH}" = "aarch64_be" ]; then
	115	OS_TEST="aarch64"
	116	else
	117	OS_TEST="${TARGET_ARCH}"
	118	fi
	119
	120	if [ "${SITEINFO_BITS}" = "64" ]; then
	121	export USE_64=1
	122	elif [ "${TARGET_ARCH}" = "x86_64" -a "${SITEINFO_BITS}" = "32" ]; then
	123	export USE_X32=1
	124	fi
	125
	126	export NSS_DISABLE_GTESTS=1
	127	# We can modify CC in the environment, but if we set it via an
	128	# argument to make, nsinstall, a host program, will also build with it!
	129	#
	130	# nss pretty much does its own thing with CFLAGS, so we put them into CC.
	131	# Optimization will get clobbered, but most of the stuff will survive.
	132	# The motivation for this is to point to the correct place for debug
	133	# source files and CFLAGS does that. Nothing uses CCC.
	134	#
	135	export CC="${CC} ${CFLAGS}"
	136	make -C ./nss CCC="${CXX} -g" \
	137	OS_TEST=${OS_TEST} \
	138	RPATH="${RPATH}" \
	139	autobuild
	140	}
	141
	142	do_compile[vardepsexclude] += "SITEINFO_BITS"
	143
	144	do_install:prepend:class-nativesdk() {
	145	export LDFLAGS=""
	146	}
	147
	148	do_install() {
	149	export CROSS_COMPILE=1
	150	export NATIVE_CC="${NATIVE_CC}"
	151	export BUILD_OPT=1
	152
	153	export FREEBL_NO_DEPEND=1
	154
	155	export LIBDIR=${libdir}
	156	export MOZILLA_CLIENT=1
	157	export NSS_USE_SYSTEM_SQLITE=1
	158	export NSS_ENABLE_ECC=1
	159
	160	export OS_RELEASE=3.4
	161	export OS_TARGET=Linux
	162	export OS_ARCH=Linux
	163
	164	if [ "${TARGET_ARCH}" = "powerpc" ]; then
	165	OS_TEST=ppc
	166	elif [ "${TARGET_ARCH}" = "powerpc64" -o "${TARGET_ARCH}" = "powerpc64le" ]; then
	167	OS_TEST=ppc64
	168	elif [ "${TARGET_ARCH}" = "mips" -o "${TARGET_ARCH}" = "mipsel" -o "${TARGET_ARCH}" = "mips64" -o "${TARGET_ARCH}" = "mips64el" ]; then
	169	OS_TEST=mips
	170	elif [ "${TARGET_ARCH}" = "aarch64_be" ]; then
	171	CPU_ARCH=aarch64
	172	OS_TEST="aarch64"
	173	else
	174	OS_TEST="${TARGET_ARCH}"
	175	fi
	176	if [ "${SITEINFO_BITS}" = "64" ]; then
	177	export USE_64=1
	178	elif [ "${TARGET_ARCH}" = "x86_64" -a "${SITEINFO_BITS}" = "32" ]; then
	179	export USE_X32=1
	180	fi
	181
	182	export NSS_DISABLE_GTESTS=1
	183
	184	make -C ./nss \
	185	CCC="${CXX}" \
	186	OS_TEST=${OS_TEST} \
	187	SOURCE_LIB_DIR="${TD}/${libdir}" \
	188	SOURCE_BIN_DIR="${TD}/${bindir}" \
	189	install
	190
	191	install -d ${D}/${libdir}/
	192	for file in ${S}/dist/.OBJ/lib/.so; do
	193	echo "Installing `basename $file`..."
	194	cp $file ${D}/${libdir}/
	195	done
	196
	197	for shared_lib in ${TD}/${libdir}/.so.; do
	198	if [ -f $shared_lib ]; then
	199	cp $shared_lib ${D}/${libdir}
	200	ln -sf $(basename $shared_lib) ${D}/${libdir}/$(basename $shared_lib .1oe)
	201	fi
	202	done
	203	for shared_lib in ${TD}/${libdir}/*.so; do
	204	if [ -f $shared_lib -a ! -e ${D}/${libdir}/$shared_lib ]; then
	205	cp $shared_lib ${D}/${libdir}
	206	fi
	207	done
	208
	209	install -d ${D}/${includedir}/nss3
	210	install -m 644 -t ${D}/${includedir}/nss3 dist/public/nss/*
	211
	212	install -d ${D}/${bindir}
	213	for binary in ${TD}/${bindir}/*; do
	214	install -m 755 -t ${D}/${bindir} $binary
	215	done
	216	}
	217
	218	do_install[vardepsexclude] += "SITEINFO_BITS"
	219
	220	do_install:append() {
	221	# Create empty .chk files for the NSS libraries at build time. They could
	222	# be regenerated at target's boot time.
	223	for file in libsoftokn3.chk libfreebl3.chk libnssdbm3.chk; do
	224	touch ${D}/${libdir}/$file
	225	chmod 755 ${D}/${libdir}/$file
	226	done
	227
	228	install -d ${D}${libdir}/pkgconfig/
	229	sed 's/%NSS_VERSION%/${PV}/' ${UNPACKDIR}/nss.pc.in \| sed 's/%NSPR_VERSION%/4.9.2/' > ${D}${libdir}/pkgconfig/nss.pc
	230	sed -i s:OEPREFIX:${prefix}:g ${D}${libdir}/pkgconfig/nss.pc
	231	sed -i s:OEEXECPREFIX:${exec_prefix}:g ${D}${libdir}/pkgconfig/nss.pc
	232	sed -i s:OELIBDIR:${libdir}:g ${D}${libdir}/pkgconfig/nss.pc
	233	sed -i s:OEINCDIR:${includedir}/nss3:g ${D}${libdir}/pkgconfig/nss.pc
	234	}
	235
	236	do_install:append:class-target() {
	237	# It used to call certutil to create a blank certificate with empty password at
	238	# build time, but the checksum of key4.db changes every time when certutil is called.
	239	# It causes non-determinism issue, so provide databases with a blank certificate
	240	# which are originally from output of nss in qemux86-64 build. You can get these
	241	# databases by:
	242	# certutil -N -d sql:/database/path/ --empty-password
	243	install -d ${D}${sysconfdir}/pki/nssdb/
	244	install -m 0644 ${UNPACKDIR}/blank-cert9.db ${D}${sysconfdir}/pki/nssdb/cert9.db
	245	install -m 0644 ${UNPACKDIR}/blank-key4.db ${D}${sysconfdir}/pki/nssdb/key4.db
	246	install -m 0644 ${UNPACKDIR}/system-pkcs11.txt ${D}${sysconfdir}/pki/nssdb/pkcs11.txt
	247	}
	248
	249	PACKAGE_WRITE_DEPS += "nss-native"
	250
	251	pkg_postinst:${PN} () {
	252	for I in $D${libdir}/lib*.chk; do
	253	DN=`dirname $I`
	254	BN=`basename $I .chk`
	255	FN=$DN/$BN.so
	256	shlibsign -i $FN
	257	if [ $? -ne 0 ]; then
	258	echo "shlibsign -i $FN failed"
	259	fi
	260	done
	261	}
	262
	263	PACKAGES =+ "${PN}-smime"
	264	FILES:${PN}-smime = "\
	265	${bindir}/smime \
	266	"
	267
	268	FILES:${PN} = "\
	269	${sysconfdir} \
	270	${bindir} \
	271	${libdir}/lib*.chk \
	272	${libdir}/lib*.so \
	273	"
	274
	275	FILES:${PN}-dev = "\
	276	${libdir}/nss \
	277	${libdir}/pkgconfig/* \
	278	${includedir}/* \
	279	"
	280
	281	RDEPENDS:${PN}-smime = "perl"
	282
	283	BBCLASSEXTEND = "native nativesdk"
	284
	285	CVE_PRODUCT += "network_security_services"
	286
	287	CVE_STATUS_GROUPS += "CVE_STATUS_NSS"
	288	CVE_STATUS_NSS[status] = "not-applicable-config: This only affect the legacy db (libnssdbm), only compiled with --enable-legacy-db"
	289	CVE_STATUS_NSS = "CVE-2017-11695 CVE-2017-11696 CVE-2017-11697 CVE-2017-11698"
	290
	291	CVE_STATUS[CVE-2022-3479] = "not-applicable-config: vulnerability was introduced in 3.77 and fixed in 3.87"