Diffstat (limited to 'meta-oe/recipes-support/nss')
-rw-r--r-- | meta-oe/recipes-support/nss/nss/0001-freebl-add-a-configure-option-to-disable-ARM-HW-cryp.patch | 27 | ||||
-rw-r--r-- | meta-oe/recipes-support/nss/nss/0001-nss-fix-support-cross-compiling.patch | 19 | ||||
-rw-r--r-- | meta-oe/recipes-support/nss/nss/disable-Wvarargs-with-clang.patch | 2 | ||||
-rw-r--r-- | meta-oe/recipes-support/nss/nss/nss-fix-incorrect-shebang-of-perl.patch | 2 | ||||
-rw-r--r-- | meta-oe/recipes-support/nss/nss/nss-fix-nsinstall-build.patch | 4 | ||||
-rw-r--r-- | meta-oe/recipes-support/nss/nss/nss-no-rpath-for-cross-compiling.patch | 2 | ||||
-rw-r--r-- | meta-oe/recipes-support/nss/nss/pqg.c-ULL_addend.patch | 4 | ||||
-rw-r--r-- | meta-oe/recipes-support/nss/nss/signlibs.sh | 20 | ||||
-rw-r--r-- | meta-oe/recipes-support/nss/nss_3.98.bb (renamed from meta-oe/recipes-support/nss/nss_3.54.bb) | 94 |
9 files changed, 85 insertions, 89 deletions
diff --git a/meta-oe/recipes-support/nss/nss/0001-freebl-add-a-configure-option-to-disable-ARM-HW-cryp.patch b/meta-oe/recipes-support/nss/nss/0001-freebl-add-a-configure-option-to-disable-ARM-HW-cryp.patch index 1a87a0577f..b7f1b01a14 100644 --- a/meta-oe/recipes-support/nss/nss/0001-freebl-add-a-configure-option-to-disable-ARM-HW-cryp.patch +++ b/meta-oe/recipes-support/nss/nss/0001-freebl-add-a-configure-option-to-disable-ARM-HW-cryp.patch @@ -1,4 +1,4 @@ -From 8b67c22b057e158f61c9fdd5b01f37195c6f5ca4 Mon Sep 17 00:00:00 2001 +From 7c8f367faf8848a43a414079189e10270d6c0fcc Mon Sep 17 00:00:00 2001 From: Alexander Kanavin <alex.kanavin@gmail.com> Date: Wed, 18 Dec 2019 12:29:50 +0100 Subject: [PATCH] freebl: add a configure option to disable ARM HW crypto @@ -10,34 +10,33 @@ Upstream-Status: Pending Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com> --- - nss/lib/freebl/Makefile | 4 ++++ + nss/lib/freebl/Makefile | 3 +++ nss/lib/freebl/gcm.c | 2 ++ - 2 files changed, 6 insertions(+) + 2 files changed, 5 insertions(+) diff --git a/nss/lib/freebl/Makefile b/nss/lib/freebl/Makefile -index f99f769..b0ec81b 100644 +index 7ee8736..f9b4925 100644 --- a/nss/lib/freebl/Makefile +++ b/nss/lib/freebl/Makefile -@@ -125,6 +125,9 @@ else - DEFINES += -DNSS_X86 - endif +@@ -142,6 +142,8 @@ endif + endif + endif endif -+ +ifdef NSS_USE_ARM_HW_CRYPTO + DEFINES += -DNSS_USE_ARM_HW_CRYPTO ifeq ($(CPU_ARCH),aarch64) - DEFINES += -DUSE_HW_AES -DUSE_HW_SHA2 - EXTRA_SRCS += aes-armv8.c gcm-aarch64.c sha256-armv8.c -@@ -148,6 +151,7 @@ endif + ifdef CC_IS_CLANG + DEFINES += -DUSE_HW_AES -DUSE_HW_SHA1 -DUSE_HW_SHA2 +@@ -183,6 +185,7 @@ endif endif endif endif +endif - ifeq ($(OS_TARGET),OSF1) - DEFINES += -DMP_ASSEMBLY_MULTIPLY -DMP_NO_MP_WORD + ifeq (OS2,$(OS_TARGET)) + ASFILES = mpi_x86_os2.s diff --git a/nss/lib/freebl/gcm.c b/nss/lib/freebl/gcm.c -index c2cc18d..b77f573 100644 +index 2dae724..9ee7fc8 100644 --- a/nss/lib/freebl/gcm.c +++ b/nss/lib/freebl/gcm.c @@ -18,6 +18,7 @@ 
diff --git a/meta-oe/recipes-support/nss/nss/0001-nss-fix-support-cross-compiling.patch b/meta-oe/recipes-support/nss/nss/0001-nss-fix-support-cross-compiling.patch index 3d90e2d951..2385fd3b9d 100644 --- a/meta-oe/recipes-support/nss/nss/0001-nss-fix-support-cross-compiling.patch +++ b/meta-oe/recipes-support/nss/nss/0001-nss-fix-support-cross-compiling.patch @@ -1,4 +1,4 @@ -From 8cea16e7550ae14494fbb3a8fe9f5452e6bd1407 Mon Sep 17 00:00:00 2001 +From 46ab1ca6e6fb8e1196e0665a54506dff370f8f2a Mon Sep 17 00:00:00 2001 From: Alexander Kanavin <alex.kanavin@gmail.com> Date: Wed, 22 Feb 2017 11:36:11 +0200 Subject: [PATCH] nss: fix support cross compiling @@ -10,15 +10,20 @@ Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com> Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com> --- - nss/coreconf/arch.mk | 2 +- + nss/coreconf/arch.mk | 4 ++-- nss/lib/freebl/Makefile | 6 ++++++ - 2 files changed, 7 insertions(+), 1 deletion(-) + 2 files changed, 8 insertions(+), 2 deletions(-) diff --git a/nss/coreconf/arch.mk b/nss/coreconf/arch.mk -index 790372d..2563134 100644 +index 17e9fae..bc4180a 100644 --- a/nss/coreconf/arch.mk +++ b/nss/coreconf/arch.mk -@@ -30,7 +30,7 @@ OS_TEST := $(shell uname -m) +@@ -26,11 +26,11 @@ OS_ARCH := $(subst /,_,$(shell uname -s)) + # Attempt to differentiate between sparc and x86 Solaris + # + +-OS_TEST := $(shell uname -m) ++OS_TEST ?= $(shell uname -m) ifeq ($(OS_TEST),i86pc) OS_RELEASE := $(shell uname -r)_$(OS_TEST) else @@ -26,9 +31,9 @@ index 790372d..2563134 100644 + OS_RELEASE ?= $(shell uname -r) endif - # + diff --git a/nss/lib/freebl/Makefile b/nss/lib/freebl/Makefile -index 52d827c..f99f769 100644 +index eeee90a..7ee8736 100644 --- a/nss/lib/freebl/Makefile +++ b/nss/lib/freebl/Makefile @@ -36,6 +36,12 @@ ifdef USE_64 diff --git a/meta-oe/recipes-support/nss/nss/disable-Wvarargs-with-clang.patch b/meta-oe/recipes-support/nss/nss/disable-Wvarargs-with-clang.patch index e87dc9f76b..4c9bea30c0 100644 
--- a/meta-oe/recipes-support/nss/nss/disable-Wvarargs-with-clang.patch +++ b/meta-oe/recipes-support/nss/nss/disable-Wvarargs-with-clang.patch @@ -1,4 +1,4 @@ -From c5b2c6327f3692ed07bf8d212123e0bf08485722 Mon Sep 17 00:00:00 2001 +From f613c9a9107435a40d91329f33f12cfb16927f07 Mon Sep 17 00:00:00 2001 From: Khem Raj <raj.khem@gmail.com> Date: Sat, 7 Mar 2020 08:34:02 -0800 Subject: [PATCH] nss,nspr: Add recipes diff --git a/meta-oe/recipes-support/nss/nss/nss-fix-incorrect-shebang-of-perl.patch b/meta-oe/recipes-support/nss/nss/nss-fix-incorrect-shebang-of-perl.patch index 6f02dbcb4b..735b06b5ca 100644 --- a/meta-oe/recipes-support/nss/nss/nss-fix-incorrect-shebang-of-perl.patch +++ b/meta-oe/recipes-support/nss/nss/nss-fix-incorrect-shebang-of-perl.patch @@ -1,4 +1,4 @@ -From 028ec9c7e9f7a6f083eec987f3ad7e7623398d9d Mon Sep 17 00:00:00 2001 +From 2ce67b1f4b1f582d556ae058da10698bbaa0edc1 Mon Sep 17 00:00:00 2001 From: Ovidiu Panait <ovidiu.panait@windriver.com> Date: Mon, 13 Jul 2020 12:12:31 +0300 Subject: [PATCH] nss: fix incorrect shebang of perl diff --git a/meta-oe/recipes-support/nss/nss/nss-fix-nsinstall-build.patch b/meta-oe/recipes-support/nss/nss/nss-fix-nsinstall-build.patch index fbfa828b23..a1897f88d8 100644 --- a/meta-oe/recipes-support/nss/nss/nss-fix-nsinstall-build.patch +++ b/meta-oe/recipes-support/nss/nss/nss-fix-nsinstall-build.patch @@ -1,4 +1,4 @@ -From 2701905e689cf7c1ee7ca2d116f20b5bbc146431 Mon Sep 17 00:00:00 2001 +From f9b2b1c738576a17460aebd005f511f427aa1974 Mon Sep 17 00:00:00 2001 From: Wenzong Fan <wenzong.fan@windriver.com> Date: Sat, 7 Mar 2020 08:34:02 -0800 Subject: [PATCH] Fix nss multilib build on openSUSE 11.x 32bit @@ -15,7 +15,7 @@ on host to install built files, it doesn't need any cross-compling or multilib build options. Just clean the ARCHFLAG and LDFLAGS to fix this error. -Upstream-Status: Pending +Upstream-Status: Inappropriate [configuration] 
Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com> =================================================== diff --git a/meta-oe/recipes-support/nss/nss/nss-no-rpath-for-cross-compiling.patch b/meta-oe/recipes-support/nss/nss/nss-no-rpath-for-cross-compiling.patch index 7dbc1a3721..8c715cc447 100644 --- a/meta-oe/recipes-support/nss/nss/nss-no-rpath-for-cross-compiling.patch +++ b/meta-oe/recipes-support/nss/nss/nss-no-rpath-for-cross-compiling.patch @@ -1,4 +1,4 @@ -From dc51214895bcd63fc8eb8d1fe7941cd3e5500620 Mon Sep 17 00:00:00 2001 +From 73edfbdf33fe4e41724e7e947033d8caeec8f3d0 Mon Sep 17 00:00:00 2001 From: Hongxu Jia <hongxu.jia@windriver.com> Date: Sat, 7 Mar 2020 08:34:02 -0800 Subject: [PATCH] nss:no rpath for cross compiling diff --git a/meta-oe/recipes-support/nss/nss/pqg.c-ULL_addend.patch b/meta-oe/recipes-support/nss/nss/pqg.c-ULL_addend.patch index 5505ae36ac..589b4d5e7f 100644 --- a/meta-oe/recipes-support/nss/nss/pqg.c-ULL_addend.patch +++ b/meta-oe/recipes-support/nss/nss/pqg.c-ULL_addend.patch @@ -1,4 +1,4 @@ -From a550bdf458f11dff46ebddbac94cf48c27d3471e Mon Sep 17 00:00:00 2001 +From cbd367160338847b28fc801a12c74f1c8b5b03ee Mon Sep 17 00:00:00 2001 From: Khem Raj <raj.khem@gmail.com> Date: Sat, 7 Mar 2020 08:34:02 -0800 Subject: [PATCH] nss does not build on mips with clang because wrong types are @@ -16,7 +16,7 @@ Upstream-Status: Pending 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/nss/lib/freebl/pqg.c b/nss/lib/freebl/pqg.c -index 626b2fb..052ad36 100644 +index 1b03278..ad895b7 100644 --- a/nss/lib/freebl/pqg.c +++ b/nss/lib/freebl/pqg.c @@ -326,8 +326,8 @@ generate_h_candidate(SECItem *hit, mp_int *H) diff --git a/meta-oe/recipes-support/nss/nss/signlibs.sh b/meta-oe/recipes-support/nss/nss/signlibs.sh deleted file mode 100644 index a74e499f8c..0000000000 --- a/meta-oe/recipes-support/nss/nss/signlibs.sh +++ /dev/null 
@@ -1,20 +0,0 @@
-#!/bin/sh
-
-# signlibs.sh
-#
-# (c)2010 Wind River Systems, Inc.
-#
-# regenerates the .chk files for the NSS libraries that require it
-# since the ones that are built have incorrect checksums that were
-# calculated on the host where they really need to be done on the
-# target
-
-CHK_FILES=`ls /lib*/*.chk /usr/lib*/*.chk 2>/dev/null`
-SIGN_BINARY=`which shlibsign`
-for I in $CHK_FILES
-do
- DN=`dirname $I`
- BN=`basename $I .chk`
- FN=$DN/$BN.so
- $SIGN_BINARY -i $FN
-done
diff --git a/meta-oe/recipes-support/nss/nss_3.54.bb b/meta-oe/recipes-support/nss/nss_3.98.bb
index 4923f68685..01501362e2 100644
--- a/meta-oe/recipes-support/nss/nss_3.54.bb
+++ b/meta-oe/recipes-support/nss/nss_3.98.bb
@@ -9,19 +9,19 @@ HOMEPAGE = "http://www.mozilla.org/projects/security/pki/nss/" SECTION = "libs" DEPENDS = "sqlite3 nspr zlib nss-native" -DEPENDS_class-native = "sqlite3-native nspr-native zlib-native" +DEPENDS:class-native = "sqlite3-native nspr-native zlib-native" -LICENSE = "MPL-2.0 | (MPL-2.0 & GPL-2.0+) | (MPL-2.0 & LGPL-2.1+)" +LICENSE = "(MPL-2.0 & MIT) | (MPL-2.0 & GPL-2.0-or-later & MIT) | (MPL-2.0 & LGPL-2.1-or-later & MIT)" LIC_FILES_CHKSUM = "file://nss/COPYING;md5=3b1e88e1b9c0b5a4b2881d46cce06a18 \ file://nss/lib/freebl/mpi/doc/LICENSE;md5=491f158d09d948466afce85d6f1fe18f \ - file://nss/lib/freebl/mpi/doc/LICENSE-MPL;md5=5d425c8f3157dbf212db2ec53d9e5132" + file://nss/lib/freebl/mpi/doc/LICENSE-MPL;md5=5d425c8f3157dbf212db2ec53d9e5132 \ + file://nss/lib/freebl/verified/Hacl_Poly1305_256.c;beginline=1;endline=22;md5=cc22f07b95d28d56baeb757df46ee7c8" VERSION_DIR = "${@d.getVar('BP').upper().replace('-', '_').replace('.', '_') + '_RTM'}" -SRC_URI = "http://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/${VERSION_DIR}/src/${BP}.tar.gz \ +SRC_URI = "http://ftp.mozilla.org/pub/security/nss/releases/${VERSION_DIR}/src/${BP}.tar.gz \ file://nss.pc.in \ - file://signlibs.sh \ file://0001-nss-fix-support-cross-compiling.patch \ file://nss-no-rpath-for-cross-compiling.patch \ file://nss-fix-incorrect-shebang-of-perl.patch \ @@ -33,8 +33,7 @@ SRC_URI = "http://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/${VERSIO file://nss-fix-nsinstall-build.patch \ file://0001-freebl-add-a-configure-option-to-disable-ARM-HW-cryp.patch \ " - -SRC_URI[sha256sum] = "dab18bbfcf5e347934cda664df75ce9fd912a5772686c40d3c805e53c08d6e43" +SRC_URI[sha256sum] = "f549cc33d35c0601674bfacf7c6ad683c187595eb4125b423238d3e9aa4209ce" UPSTREAM_CHECK_URI = "https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_Releases" UPSTREAM_CHECK_REGEX = "NSS_(?P<pver>.+)_release_notes" 
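Review bot: The rewritten `SRC_URI` in the first hunk still fetches the release tarball over plain `http://`, so the download has no transport authentication and the only thing vouching for the source is `SRC_URI[sha256sum]`, which the second hunk replaces in this same commit. The pinned hash protects later builds, but an upgrade is the moment a new hash tends to be taken from whatever was downloaded, so the fetch should go over TLS: `SRC_URI = "https://ftp.mozilla.org/pub/security/nss/releases/${VERSION_DIR}/src/${BP}.tar.gz \`. It would also help to state in the commit message how the new sha256 was checked against the upstream release.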
@@ -44,27 +43,32 @@ inherit siteinfo TD = "${S}/tentative-dist" TDS = "${S}/tentative-dist-staging" -# cortex-a55 is ARMv8.2-a based but libatomic explicitly asks for -march=armv8.1-a -# which caused -march conflicts in gcc -TUNE_CCARGS_remove = "-mcpu=cortex-a55+crc -mcpu=cortex-a55 -mcpu=cortex-a55+crc+crypto" - TARGET_CC_ARCH += "${LDFLAGS}" -do_configure_prepend_libc-musl () { +CFLAGS:append:class-native = " -D_XOPEN_SOURCE " + +do_configure:prepend:libc-musl () { sed -i -e '/-DHAVE_SYS_CDEFS_H/d' ${S}/nss/lib/dbm/config/config.mk } -do_compile_prepend_class-native() { +do_configure:prepend:powerpc64le:toolchain-clang () { + sed -i -e 's/\-std=c99/\-std=gnu99/g' ${S}/nss/coreconf/command.mk +} + +do_configure:prepend:powerpc64:toolchain-clang () { + sed -i -e 's/\-std=c99/\-std=gnu99/g' ${S}/nss/coreconf/command.mk +} + +do_compile:prepend:class-native() { export NSPR_INCLUDE_DIR=${STAGING_INCDIR_NATIVE}/nspr export NSPR_LIB_DIR=${STAGING_LIBDIR_NATIVE} - export NSS_ENABLE_WERROR=0 } -do_compile_prepend_class-nativesdk() { +do_compile:prepend:class-nativesdk() { export LDFLAGS="" } -do_compile_prepend_class-native() { +do_compile:prepend:class-native() { # Need to set RPATH so that chrpath will do its job correctly RPATH="-Wl,-rpath-link,${STAGING_LIBDIR_NATIVE} -Wl,-rpath-link,${STAGING_BASE_LIBDIR_NATIVE} -Wl,-rpath,${STAGING_LIBDIR_NATIVE} -Wl,-rpath,${STAGING_BASE_LIBDIR_NATIVE}" } @@ -78,6 +82,10 @@ do_compile() { export NATIVE_FLAGS="${BUILD_CFLAGS} -DLINUX -Dlinux" export BUILD_OPT=1 + # POSIX.1-2001 states that the behaviour of getcwd() when passing a null + # pointer as the buf argument, is unspecified. + export NATIVE_FLAGS="${NATIVE_FLAGS} -DGETCWD_CANT_MALLOC" + export FREEBL_NO_DEPEND=1 export FREEBL_LOWHASH=1 @@ -86,6 +94,7 @@ do_compile() { export NS_USE_GCC=1 export NSS_USE_SYSTEM_SQLITE=1 export NSS_ENABLE_ECC=1 + export NSS_ENABLE_WERROR=0 ${@bb.utils.contains("TUNE_FEATURES", "crypto", "export NSS_USE_ARM_HW_CRYPTO=1", "", d)} 
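Review bot: `export NSS_ENABLE_WERROR=0` moves from `do_compile:prepend:class-native` into the shared `do_compile()` in the last hunk, so compiler warnings stop failing the build for target and nativesdk as well, and nothing records why. For a crypto library that check is worth keeping unless a specific toolchain needs it off; a comment such as `# -Werror off: <warning and toolchain that trips it>` above the export would let it be revisited on the next upgrade. The two new `do_configure:prepend:powerpc64le:toolchain-clang` and `do_configure:prepend:powerpc64:toolchain-clang` bodies are identical and uncommented, so a one-line reason for forcing `-std=gnu99` would help too. `do_compile()` begins and ends outside these hunks.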
@@ -95,7 +104,7 @@ do_compile() { if [ "${TARGET_ARCH}" = "powerpc" ]; then OS_TEST=ppc - elif [ "${TARGET_ARCH}" = "powerpc64" ]; then + elif [ "${TARGET_ARCH}" = "powerpc64" -o "${TARGET_ARCH}" = "powerpc64le" ]; then OS_TEST=ppc64 elif [ "${TARGET_ARCH}" = "mips" -o "${TARGET_ARCH}" = "mipsel" -o "${TARGET_ARCH}" = "mips64" -o "${TARGET_ARCH}" = "mips64el" ]; then OS_TEST=mips @@ -112,7 +121,6 @@ do_compile() { fi export NSS_DISABLE_GTESTS=1 - # We can modify CC in the environment, but if we set it via an # argument to make, nsinstall, a host program, will also build with it! # @@ -130,7 +138,7 @@ do_compile() { do_compile[vardepsexclude] += "SITEINFO_BITS" -do_install_prepend_class-nativesdk() { +do_install:prepend:class-nativesdk() { export LDFLAGS="" } @@ -153,7 +161,7 @@ do_install() { if [ "${TARGET_ARCH}" = "powerpc" ]; then OS_TEST=ppc - elif [ "${TARGET_ARCH}" = "powerpc64" ]; then + elif [ "${TARGET_ARCH}" = "powerpc64" -o "${TARGET_ARCH}" = "powerpc64le" ]; then OS_TEST=ppc64 elif [ "${TARGET_ARCH}" = "mips" -o "${TARGET_ARCH}" = "mipsel" -o "${TARGET_ARCH}" = "mips64" -o "${TARGET_ARCH}" = "mips64el" ]; then OS_TEST=mips @@ -207,14 +215,13 @@ do_install() { do_install[vardepsexclude] += "SITEINFO_BITS" -do_install_append() { +do_install:append() { # Create empty .chk files for the NSS libraries at build time. They could # be regenerated at target's boot time. for file in libsoftokn3.chk libfreebl3.chk libnssdbm3.chk; do touch ${D}/${libdir}/$file chmod 755 ${D}/${libdir}/$file done - install -D -m 755 ${WORKDIR}/signlibs.sh ${D}/${bindir}/signlibs.sh install -d ${D}${libdir}/pkgconfig/ sed 's/%NSS_VERSION%/${PV}/' ${WORKDIR}/nss.pc.in | sed 's/%NSPR_VERSION%/4.9.2/' > ${D}${libdir}/pkgconfig/nss.pc 
@@ -224,7 +231,7 @@ do_install_append() { sed -i s:OEINCDIR:${includedir}/nss3:g ${D}${libdir}/pkgconfig/nss.pc } -do_install_append_class-target() { +do_install:append:class-target() { # It used to call certutil to create a blank certificate with empty password at # build time, but the checksum of key4.db changes every time when certutil is called. # It causes non-determinism issue, so provide databases with a blank certificate @@ -238,40 +245,45 @@ do_install_append_class-target() { } PACKAGE_WRITE_DEPS += "nss-native" -pkg_postinst_${PN} () { - if [ -n "$D" ]; then - for I in $D${libdir}/lib*.chk; do - DN=`dirname $I` - BN=`basename $I .chk` - FN=$DN/$BN.so - shlibsign -i $FN - if [ $? -ne 0 ]; then - exit 1 - fi - done - else - signlibs.sh - fi + +pkg_postinst:${PN} () { + for I in $D${libdir}/lib*.chk; do + DN=`dirname $I` + BN=`basename $I .chk` + FN=$DN/$BN.so + shlibsign -i $FN + if [ $? -ne 0 ]; then + echo "shlibsign -i $FN failed" + fi + done } PACKAGES =+ "${PN}-smime" -FILES_${PN}-smime = "\ +FILES:${PN}-smime = "\ ${bindir}/smime \ " -FILES_${PN} = "\ +FILES:${PN} = "\ ${sysconfdir} \ ${bindir} \ ${libdir}/lib*.chk \ ${libdir}/lib*.so \ " -FILES_${PN}-dev = "\ +FILES:${PN}-dev = "\ ${libdir}/nss \ ${libdir}/pkgconfig/* \ ${includedir}/* \ " -RDEPENDS_${PN}-smime = "perl" +RDEPENDS:${PN}-smime = "perl" BBCLASSEXTEND = "native nativesdk" + +CVE_PRODUCT += "network_security_services" + +CVE_STATUS_GROUPS += "CVE_STATUS_NSS" +CVE_STATUS_NSS[status] = "not-applicable-config: This only affect the legacy db (libnssdbm), only compiled with --enable-legacy-db" +CVE_STATUS_NSS = "CVE-2017-11695 CVE-2017-11696 CVE-2017-11697 CVE-2017-11698" + +CVE_STATUS[CVE-2022-3479] = "not-applicable-config: vulnerability was introduced in 3.77 and fixed in 3.87" |
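Review bot: The `CVE_STATUS_NSS` group in the last hunk marks CVE-2017-11695 through CVE-2017-11698 as `not-applicable-config` because libnssdbm is "only compiled with --enable-legacy-db", yet this recipe's `do_install:append` creates `libnssdbm3.chk` and the musl prepend edits `nss/lib/dbm/config/config.mk`, which suggests the legacy DB is still built here. Unless the build is told to skip it somewhere outside the visible hunks, those four CVEs should not be suppressed with that reason. `CVE_STATUS[CVE-2022-3479]` gives a version-based reason under a config status; `fixed-version: vulnerability was introduced in 3.77 and fixed in 3.87` matches what the text says. In `pkg_postinst:${PN}` a failed `shlibsign` now only echoes a message, so the empty `.chk` files created at install time can ship unsigned without failing the image; keeping a non-zero exit, or adding a comment on why failure is tolerated, would make that deliberate.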