Diffstat (limited to 'meta-oe/recipes-support/nss')
-rw-r--r--meta-oe/recipes-support/nss/nss/0001-freebl-add-a-configure-option-to-disable-ARM-HW-cryp.patch27
-rw-r--r--meta-oe/recipes-support/nss/nss/0001-nss-fix-support-cross-compiling.patch19
-rw-r--r--meta-oe/recipes-support/nss/nss/disable-Wvarargs-with-clang.patch2
-rw-r--r--meta-oe/recipes-support/nss/nss/nss-fix-incorrect-shebang-of-perl.patch2
-rw-r--r--meta-oe/recipes-support/nss/nss/nss-fix-nsinstall-build.patch4
-rw-r--r--meta-oe/recipes-support/nss/nss/nss-no-rpath-for-cross-compiling.patch2
-rw-r--r--meta-oe/recipes-support/nss/nss/pqg.c-ULL_addend.patch4
-rw-r--r--meta-oe/recipes-support/nss/nss/signlibs.sh20
-rw-r--r--meta-oe/recipes-support/nss/nss_3.98.bb (renamed from meta-oe/recipes-support/nss/nss_3.54.bb)94
9 files changed, 85 insertions, 89 deletions
diff --git a/meta-oe/recipes-support/nss/nss/0001-freebl-add-a-configure-option-to-disable-ARM-HW-cryp.patch b/meta-oe/recipes-support/nss/nss/0001-freebl-add-a-configure-option-to-disable-ARM-HW-cryp.patch
index 1a87a0577f..b7f1b01a14 100644
--- a/meta-oe/recipes-support/nss/nss/0001-freebl-add-a-configure-option-to-disable-ARM-HW-cryp.patch
+++ b/meta-oe/recipes-support/nss/nss/0001-freebl-add-a-configure-option-to-disable-ARM-HW-cryp.patch
@@ -1,4 +1,4 @@
-From 8b67c22b057e158f61c9fdd5b01f37195c6f5ca4 Mon Sep 17 00:00:00 2001
+From 7c8f367faf8848a43a414079189e10270d6c0fcc Mon Sep 17 00:00:00 2001
From: Alexander Kanavin <alex.kanavin@gmail.com>
Date: Wed, 18 Dec 2019 12:29:50 +0100
Subject: [PATCH] freebl: add a configure option to disable ARM HW crypto
@@ -10,34 +10,33 @@ Upstream-Status: Pending
Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
---
- nss/lib/freebl/Makefile | 4 ++++
+ nss/lib/freebl/Makefile | 3 +++
nss/lib/freebl/gcm.c | 2 ++
- 2 files changed, 6 insertions(+)
+ 2 files changed, 5 insertions(+)
diff --git a/nss/lib/freebl/Makefile b/nss/lib/freebl/Makefile
-index f99f769..b0ec81b 100644
+index 7ee8736..f9b4925 100644
--- a/nss/lib/freebl/Makefile
+++ b/nss/lib/freebl/Makefile
-@@ -125,6 +125,9 @@ else
- DEFINES += -DNSS_X86
- endif
+@@ -142,6 +142,8 @@ endif
+ endif
+ endif
endif
-+
+ifdef NSS_USE_ARM_HW_CRYPTO
+ DEFINES += -DNSS_USE_ARM_HW_CRYPTO
ifeq ($(CPU_ARCH),aarch64)
- DEFINES += -DUSE_HW_AES -DUSE_HW_SHA2
- EXTRA_SRCS += aes-armv8.c gcm-aarch64.c sha256-armv8.c
-@@ -148,6 +151,7 @@ endif
+ ifdef CC_IS_CLANG
+ DEFINES += -DUSE_HW_AES -DUSE_HW_SHA1 -DUSE_HW_SHA2
+@@ -183,6 +185,7 @@ endif
endif
endif
endif
+endif
- ifeq ($(OS_TARGET),OSF1)
- DEFINES += -DMP_ASSEMBLY_MULTIPLY -DMP_NO_MP_WORD
+ ifeq (OS2,$(OS_TARGET))
+ ASFILES = mpi_x86_os2.s
diff --git a/nss/lib/freebl/gcm.c b/nss/lib/freebl/gcm.c
-index c2cc18d..b77f573 100644
+index 2dae724..9ee7fc8 100644
--- a/nss/lib/freebl/gcm.c
+++ b/nss/lib/freebl/gcm.c
@@ -18,6 +18,7 @@
diff --git a/meta-oe/recipes-support/nss/nss/0001-nss-fix-support-cross-compiling.patch b/meta-oe/recipes-support/nss/nss/0001-nss-fix-support-cross-compiling.patch
index 3d90e2d951..2385fd3b9d 100644
--- a/meta-oe/recipes-support/nss/nss/0001-nss-fix-support-cross-compiling.patch
+++ b/meta-oe/recipes-support/nss/nss/0001-nss-fix-support-cross-compiling.patch
@@ -1,4 +1,4 @@
-From 8cea16e7550ae14494fbb3a8fe9f5452e6bd1407 Mon Sep 17 00:00:00 2001
+From 46ab1ca6e6fb8e1196e0665a54506dff370f8f2a Mon Sep 17 00:00:00 2001
From: Alexander Kanavin <alex.kanavin@gmail.com>
Date: Wed, 22 Feb 2017 11:36:11 +0200
Subject: [PATCH] nss: fix support cross compiling
@@ -10,15 +10,20 @@ Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
---
- nss/coreconf/arch.mk | 2 +-
+ nss/coreconf/arch.mk | 4 ++--
nss/lib/freebl/Makefile | 6 ++++++
- 2 files changed, 7 insertions(+), 1 deletion(-)
+ 2 files changed, 8 insertions(+), 2 deletions(-)
diff --git a/nss/coreconf/arch.mk b/nss/coreconf/arch.mk
-index 790372d..2563134 100644
+index 17e9fae..bc4180a 100644
--- a/nss/coreconf/arch.mk
+++ b/nss/coreconf/arch.mk
-@@ -30,7 +30,7 @@ OS_TEST := $(shell uname -m)
+@@ -26,11 +26,11 @@ OS_ARCH := $(subst /,_,$(shell uname -s))
+ # Attempt to differentiate between sparc and x86 Solaris
+ #
+
+-OS_TEST := $(shell uname -m)
++OS_TEST ?= $(shell uname -m)
ifeq ($(OS_TEST),i86pc)
OS_RELEASE := $(shell uname -r)_$(OS_TEST)
else
@@ -26,9 +31,9 @@ index 790372d..2563134 100644
+ OS_RELEASE ?= $(shell uname -r)
endif
- #
+
diff --git a/nss/lib/freebl/Makefile b/nss/lib/freebl/Makefile
-index 52d827c..f99f769 100644
+index eeee90a..7ee8736 100644
--- a/nss/lib/freebl/Makefile
+++ b/nss/lib/freebl/Makefile
@@ -36,6 +36,12 @@ ifdef USE_64
diff --git a/meta-oe/recipes-support/nss/nss/disable-Wvarargs-with-clang.patch b/meta-oe/recipes-support/nss/nss/disable-Wvarargs-with-clang.patch
index e87dc9f76b..4c9bea30c0 100644
--- a/meta-oe/recipes-support/nss/nss/disable-Wvarargs-with-clang.patch
+++ b/meta-oe/recipes-support/nss/nss/disable-Wvarargs-with-clang.patch
@@ -1,4 +1,4 @@
-From c5b2c6327f3692ed07bf8d212123e0bf08485722 Mon Sep 17 00:00:00 2001
+From f613c9a9107435a40d91329f33f12cfb16927f07 Mon Sep 17 00:00:00 2001
From: Khem Raj <raj.khem@gmail.com>
Date: Sat, 7 Mar 2020 08:34:02 -0800
Subject: [PATCH] nss,nspr: Add recipes
diff --git a/meta-oe/recipes-support/nss/nss/nss-fix-incorrect-shebang-of-perl.patch b/meta-oe/recipes-support/nss/nss/nss-fix-incorrect-shebang-of-perl.patch
index 6f02dbcb4b..735b06b5ca 100644
--- a/meta-oe/recipes-support/nss/nss/nss-fix-incorrect-shebang-of-perl.patch
+++ b/meta-oe/recipes-support/nss/nss/nss-fix-incorrect-shebang-of-perl.patch
@@ -1,4 +1,4 @@
-From 028ec9c7e9f7a6f083eec987f3ad7e7623398d9d Mon Sep 17 00:00:00 2001
+From 2ce67b1f4b1f582d556ae058da10698bbaa0edc1 Mon Sep 17 00:00:00 2001
From: Ovidiu Panait <ovidiu.panait@windriver.com>
Date: Mon, 13 Jul 2020 12:12:31 +0300
Subject: [PATCH] nss: fix incorrect shebang of perl
diff --git a/meta-oe/recipes-support/nss/nss/nss-fix-nsinstall-build.patch b/meta-oe/recipes-support/nss/nss/nss-fix-nsinstall-build.patch
index fbfa828b23..a1897f88d8 100644
--- a/meta-oe/recipes-support/nss/nss/nss-fix-nsinstall-build.patch
+++ b/meta-oe/recipes-support/nss/nss/nss-fix-nsinstall-build.patch
@@ -1,4 +1,4 @@
-From 2701905e689cf7c1ee7ca2d116f20b5bbc146431 Mon Sep 17 00:00:00 2001
+From f9b2b1c738576a17460aebd005f511f427aa1974 Mon Sep 17 00:00:00 2001
From: Wenzong Fan <wenzong.fan@windriver.com>
Date: Sat, 7 Mar 2020 08:34:02 -0800
Subject: [PATCH] Fix nss multilib build on openSUSE 11.x 32bit
@@ -15,7 +15,7 @@ on host to install built files, it doesn't need any cross-compling or
multilib build options. Just clean the ARCHFLAG and LDFLAGS to fix this
error.
-Upstream-Status: Pending
+Upstream-Status: Inappropriate [configuration]
Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
===================================================
diff --git a/meta-oe/recipes-support/nss/nss/nss-no-rpath-for-cross-compiling.patch b/meta-oe/recipes-support/nss/nss/nss-no-rpath-for-cross-compiling.patch
index 7dbc1a3721..8c715cc447 100644
--- a/meta-oe/recipes-support/nss/nss/nss-no-rpath-for-cross-compiling.patch
+++ b/meta-oe/recipes-support/nss/nss/nss-no-rpath-for-cross-compiling.patch
@@ -1,4 +1,4 @@
-From dc51214895bcd63fc8eb8d1fe7941cd3e5500620 Mon Sep 17 00:00:00 2001
+From 73edfbdf33fe4e41724e7e947033d8caeec8f3d0 Mon Sep 17 00:00:00 2001
From: Hongxu Jia <hongxu.jia@windriver.com>
Date: Sat, 7 Mar 2020 08:34:02 -0800
Subject: [PATCH] nss:no rpath for cross compiling
diff --git a/meta-oe/recipes-support/nss/nss/pqg.c-ULL_addend.patch b/meta-oe/recipes-support/nss/nss/pqg.c-ULL_addend.patch
index 5505ae36ac..589b4d5e7f 100644
--- a/meta-oe/recipes-support/nss/nss/pqg.c-ULL_addend.patch
+++ b/meta-oe/recipes-support/nss/nss/pqg.c-ULL_addend.patch
@@ -1,4 +1,4 @@
-From a550bdf458f11dff46ebddbac94cf48c27d3471e Mon Sep 17 00:00:00 2001
+From cbd367160338847b28fc801a12c74f1c8b5b03ee Mon Sep 17 00:00:00 2001
From: Khem Raj <raj.khem@gmail.com>
Date: Sat, 7 Mar 2020 08:34:02 -0800
Subject: [PATCH] nss does not build on mips with clang because wrong types are
@@ -16,7 +16,7 @@ Upstream-Status: Pending
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/nss/lib/freebl/pqg.c b/nss/lib/freebl/pqg.c
-index 626b2fb..052ad36 100644
+index 1b03278..ad895b7 100644
--- a/nss/lib/freebl/pqg.c
+++ b/nss/lib/freebl/pqg.c
@@ -326,8 +326,8 @@ generate_h_candidate(SECItem *hit, mp_int *H)
diff --git a/meta-oe/recipes-support/nss/nss/signlibs.sh b/meta-oe/recipes-support/nss/nss/signlibs.sh
deleted file mode 100644
index a74e499f8c..0000000000
--- a/meta-oe/recipes-support/nss/nss/signlibs.sh
+++ /dev/null
@@ -1,20 +0,0 @@
-#!/bin/sh
-
-# signlibs.sh
-#
-# (c)2010 Wind River Systems, Inc.
-#
-# regenerates the .chk files for the NSS libraries that require it
-# since the ones that are built have incorrect checksums that were
-# calculated on the host where they really need to be done on the
-# target
-
-CHK_FILES=`ls /lib*/*.chk /usr/lib*/*.chk 2>/dev/null`
-SIGN_BINARY=`which shlibsign`
-for I in $CHK_FILES
-do
- DN=`dirname $I`
- BN=`basename $I .chk`
- FN=$DN/$BN.so
- $SIGN_BINARY -i $FN
-done
diff --git a/meta-oe/recipes-support/nss/nss_3.54.bb b/meta-oe/recipes-support/nss/nss_3.98.bb
index 4923f68685..01501362e2 100644
--- a/meta-oe/recipes-support/nss/nss_3.54.bb
+++ b/meta-oe/recipes-support/nss/nss_3.98.bb
@@ -9,19 +9,19 @@ HOMEPAGE = "http://www.mozilla.org/projects/security/pki/nss/"
SECTION = "libs"
DEPENDS = "sqlite3 nspr zlib nss-native"
-DEPENDS_class-native = "sqlite3-native nspr-native zlib-native"
+DEPENDS:class-native = "sqlite3-native nspr-native zlib-native"
-LICENSE = "MPL-2.0 | (MPL-2.0 & GPL-2.0+) | (MPL-2.0 & LGPL-2.1+)"
+LICENSE = "(MPL-2.0 & MIT) | (MPL-2.0 & GPL-2.0-or-later & MIT) | (MPL-2.0 & LGPL-2.1-or-later & MIT)"
LIC_FILES_CHKSUM = "file://nss/COPYING;md5=3b1e88e1b9c0b5a4b2881d46cce06a18 \
file://nss/lib/freebl/mpi/doc/LICENSE;md5=491f158d09d948466afce85d6f1fe18f \
- file://nss/lib/freebl/mpi/doc/LICENSE-MPL;md5=5d425c8f3157dbf212db2ec53d9e5132"
+ file://nss/lib/freebl/mpi/doc/LICENSE-MPL;md5=5d425c8f3157dbf212db2ec53d9e5132 \
+ file://nss/lib/freebl/verified/Hacl_Poly1305_256.c;beginline=1;endline=22;md5=cc22f07b95d28d56baeb757df46ee7c8"
VERSION_DIR = "${@d.getVar('BP').upper().replace('-', '_').replace('.', '_') + '_RTM'}"
-SRC_URI = "http://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/${VERSION_DIR}/src/${BP}.tar.gz \
+SRC_URI = "http://ftp.mozilla.org/pub/security/nss/releases/${VERSION_DIR}/src/${BP}.tar.gz \
file://nss.pc.in \
- file://signlibs.sh \
file://0001-nss-fix-support-cross-compiling.patch \
file://nss-no-rpath-for-cross-compiling.patch \
file://nss-fix-incorrect-shebang-of-perl.patch \
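Review bot: The rewritten `SRC_URI` line still fetches the release tarball over plain `http://`, even though the path is being changed anyway. The `SRC_URI[sha256sum]` pin makes a tampered download fail the fetch, but the transport itself offers no authenticity, and whoever next refreshes the checksum depends on that same channel. Consider `https://ftp.mozilla.org/pub/security/nss/releases/${VERSION_DIR}/src/${BP}.tar.gz`, after confirming the host serves that path over TLS.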
@@ -33,8 +33,7 @@ SRC_URI = "http://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/${VERSIO
file://nss-fix-nsinstall-build.patch \
file://0001-freebl-add-a-configure-option-to-disable-ARM-HW-cryp.patch \
"
-
-SRC_URI[sha256sum] = "dab18bbfcf5e347934cda664df75ce9fd912a5772686c40d3c805e53c08d6e43"
+SRC_URI[sha256sum] = "f549cc33d35c0601674bfacf7c6ad683c187595eb4125b423238d3e9aa4209ce"
UPSTREAM_CHECK_URI = "https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_Releases"
UPSTREAM_CHECK_REGEX = "NSS_(?P<pver>.+)_release_notes"
@@ -44,27 +43,32 @@ inherit siteinfo
TD = "${S}/tentative-dist"
TDS = "${S}/tentative-dist-staging"
-# cortex-a55 is ARMv8.2-a based but libatomic explicitly asks for -march=armv8.1-a
-# which caused -march conflicts in gcc
-TUNE_CCARGS_remove = "-mcpu=cortex-a55+crc -mcpu=cortex-a55 -mcpu=cortex-a55+crc+crypto"
-
TARGET_CC_ARCH += "${LDFLAGS}"
-do_configure_prepend_libc-musl () {
+CFLAGS:append:class-native = " -D_XOPEN_SOURCE "
+
+do_configure:prepend:libc-musl () {
sed -i -e '/-DHAVE_SYS_CDEFS_H/d' ${S}/nss/lib/dbm/config/config.mk
}
-do_compile_prepend_class-native() {
+do_configure:prepend:powerpc64le:toolchain-clang () {
+ sed -i -e 's/\-std=c99/\-std=gnu99/g' ${S}/nss/coreconf/command.mk
+}
+
+do_configure:prepend:powerpc64:toolchain-clang () {
+ sed -i -e 's/\-std=c99/\-std=gnu99/g' ${S}/nss/coreconf/command.mk
+}
+
+do_compile:prepend:class-native() {
export NSPR_INCLUDE_DIR=${STAGING_INCDIR_NATIVE}/nspr
export NSPR_LIB_DIR=${STAGING_LIBDIR_NATIVE}
- export NSS_ENABLE_WERROR=0
}
-do_compile_prepend_class-nativesdk() {
+do_compile:prepend:class-nativesdk() {
export LDFLAGS=""
}
-do_compile_prepend_class-native() {
+do_compile:prepend:class-native() {
# Need to set RPATH so that chrpath will do its job correctly
RPATH="-Wl,-rpath-link,${STAGING_LIBDIR_NATIVE} -Wl,-rpath-link,${STAGING_BASE_LIBDIR_NATIVE} -Wl,-rpath,${STAGING_LIBDIR_NATIVE} -Wl,-rpath,${STAGING_BASE_LIBDIR_NATIVE}"
}
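Review bot: The two added `do_configure:prepend:…:toolchain-clang` functions for `powerpc64le` and `powerpc64` have byte-identical bodies, and neither says why clang needs `-std=gnu99` in `coreconf/command.mk` on these targets. A one-line comment above the first, naming the build failure it works around, would let a later version bump decide whether the sed is still needed. The same applies to `CFLAGS:append:class-native = " -D_XOPEN_SOURCE "`, which defines the macro without a value and without explanation. The backslashes in `\-std=c99` are not needed in the sed pattern; `s/-std=c99/-std=gnu99/g` matches the same text.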
@@ -78,6 +82,10 @@ do_compile() {
export NATIVE_FLAGS="${BUILD_CFLAGS} -DLINUX -Dlinux"
export BUILD_OPT=1
+ # POSIX.1-2001 states that the behaviour of getcwd() when passing a null
+ # pointer as the buf argument, is unspecified.
+ export NATIVE_FLAGS="${NATIVE_FLAGS} -DGETCWD_CANT_MALLOC"
+
export FREEBL_NO_DEPEND=1
export FREEBL_LOWHASH=1
@@ -86,6 +94,7 @@ do_compile() {
export NS_USE_GCC=1
export NSS_USE_SYSTEM_SQLITE=1
export NSS_ENABLE_ECC=1
+ export NSS_ENABLE_WERROR=0
${@bb.utils.contains("TUNE_FEATURES", "crypto", "export NSS_USE_ARM_HW_CRYPTO=1", "", d)}
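Review bot: `export NSS_ENABLE_WERROR=0` moves from the native-only prepend into `do_compile()` itself, with no comment giving the reason. As far as this diff shows, it now also applies to target and nativesdk builds of a crypto library, so compiler warnings there can no longer fail the build. If a specific toolchain or warning forced this, record it next to the line, e.g. `# <toolchain> emits <warning> in <file>; drop when fixed upstream`, so the override can be removed later. do_compile's body starts and ends outside this hunk.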
@@ -95,7 +104,7 @@ do_compile() {
if [ "${TARGET_ARCH}" = "powerpc" ]; then
OS_TEST=ppc
- elif [ "${TARGET_ARCH}" = "powerpc64" ]; then
+ elif [ "${TARGET_ARCH}" = "powerpc64" -o "${TARGET_ARCH}" = "powerpc64le" ]; then
OS_TEST=ppc64
elif [ "${TARGET_ARCH}" = "mips" -o "${TARGET_ARCH}" = "mipsel" -o "${TARGET_ARCH}" = "mips64" -o "${TARGET_ARCH}" = "mips64el" ]; then
OS_TEST=mips
@@ -112,7 +121,6 @@ do_compile() {
fi
export NSS_DISABLE_GTESTS=1
-
# We can modify CC in the environment, but if we set it via an
# argument to make, nsinstall, a host program, will also build with it!
#
@@ -130,7 +138,7 @@ do_compile() {
do_compile[vardepsexclude] += "SITEINFO_BITS"
-do_install_prepend_class-nativesdk() {
+do_install:prepend:class-nativesdk() {
export LDFLAGS=""
}
@@ -153,7 +161,7 @@ do_install() {
if [ "${TARGET_ARCH}" = "powerpc" ]; then
OS_TEST=ppc
- elif [ "${TARGET_ARCH}" = "powerpc64" ]; then
+ elif [ "${TARGET_ARCH}" = "powerpc64" -o "${TARGET_ARCH}" = "powerpc64le" ]; then
OS_TEST=ppc64
elif [ "${TARGET_ARCH}" = "mips" -o "${TARGET_ARCH}" = "mipsel" -o "${TARGET_ARCH}" = "mips64" -o "${TARGET_ARCH}" = "mips64el" ]; then
OS_TEST=mips
@@ -207,14 +215,13 @@ do_install() {
do_install[vardepsexclude] += "SITEINFO_BITS"
-do_install_append() {
+do_install:append() {
# Create empty .chk files for the NSS libraries at build time. They could
# be regenerated at target's boot time.
for file in libsoftokn3.chk libfreebl3.chk libnssdbm3.chk; do
touch ${D}/${libdir}/$file
chmod 755 ${D}/${libdir}/$file
done
- install -D -m 755 ${WORKDIR}/signlibs.sh ${D}/${bindir}/signlibs.sh
install -d ${D}${libdir}/pkgconfig/
sed 's/%NSS_VERSION%/${PV}/' ${WORKDIR}/nss.pc.in | sed 's/%NSPR_VERSION%/4.9.2/' > ${D}${libdir}/pkgconfig/nss.pc
@@ -224,7 +231,7 @@ do_install_append() {
sed -i s:OEINCDIR:${includedir}/nss3:g ${D}${libdir}/pkgconfig/nss.pc
}
-do_install_append_class-target() {
+do_install:append:class-target() {
# It used to call certutil to create a blank certificate with empty password at
# build time, but the checksum of key4.db changes every time when certutil is called.
# It causes non-determinism issue, so provide databases with a blank certificate
@@ -238,40 +245,45 @@ do_install_append_class-target() {
}
PACKAGE_WRITE_DEPS += "nss-native"
-pkg_postinst_${PN} () {
- if [ -n "$D" ]; then
- for I in $D${libdir}/lib*.chk; do
- DN=`dirname $I`
- BN=`basename $I .chk`
- FN=$DN/$BN.so
- shlibsign -i $FN
- if [ $? -ne 0 ]; then
- exit 1
- fi
- done
- else
- signlibs.sh
- fi
+
+pkg_postinst:${PN} () {
+ for I in $D${libdir}/lib*.chk; do
+ DN=`dirname $I`
+ BN=`basename $I .chk`
+ FN=$DN/$BN.so
+ shlibsign -i $FN
+ if [ $? -ne 0 ]; then
+ echo "shlibsign -i $FN failed"
+ fi
+ done
}
PACKAGES =+ "${PN}-smime"
-FILES_${PN}-smime = "\
+FILES:${PN}-smime = "\
${bindir}/smime \
"
-FILES_${PN} = "\
+FILES:${PN} = "\
${sysconfdir} \
${bindir} \
${libdir}/lib*.chk \
${libdir}/lib*.so \
"
-FILES_${PN}-dev = "\
+FILES:${PN}-dev = "\
${libdir}/nss \
${libdir}/pkgconfig/* \
${includedir}/* \
"
-RDEPENDS_${PN}-smime = "perl"
+RDEPENDS:${PN}-smime = "perl"
BBCLASSEXTEND = "native nativesdk"
+
+CVE_PRODUCT += "network_security_services"
+
+CVE_STATUS_GROUPS += "CVE_STATUS_NSS"
+CVE_STATUS_NSS[status] = "not-applicable-config: This only affect the legacy db (libnssdbm), only compiled with --enable-legacy-db"
+CVE_STATUS_NSS = "CVE-2017-11695 CVE-2017-11696 CVE-2017-11697 CVE-2017-11698"
+
+CVE_STATUS[CVE-2022-3479] = "not-applicable-config: vulnerability was introduced in 3.77 and fixed in 3.87"
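Review bot: The new `pkg_postinst:${PN}` only echoes when `shlibsign -i $FN` fails, where the removed code did `exit 1`, so the package can install successfully while the empty `.chk` placeholders from `do_install:append` remain in place. Those files hold the library integrity checksums NSS uses for its self-check (as I understand it, mainly in FIPS mode), so the failure would presumably surface only later at runtime. Consider keeping it fatal and quoting the paths, `shlibsign -i "$FN" || exit 1`. With the `-n "$D"` test and `signlibs.sh` gone, the loop also runs when `$D` is empty, which needs `shlibsign` on the target; whether it is shipped there is not visible here. Separately, `CVE_STATUS[CVE-2022-3479]` uses `not-applicable-config` although its text describes a version range, so `fixed-version` looks like the matching status.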