From f65596ce3ee7b90a88c87a68ac75d29c8a0625e8 Mon Sep 17 00:00:00 2001 From: Yi Zhao Date: Tue, 31 Dec 2024 12:23:10 +0800 Subject: nss: upgrade 3.103 -> 3.107 * Refresh patches. Signed-off-by: Yi Zhao 
Signed-off-by: Khem Raj --- ...a-configure-option-to-disable-ARM-HW-cryp.patch | 57 ---- .../nss/0001-nss-fix-support-cross-compiling.patch | 13 +- .../0002-nss-no-rpath-for-cross-compiling.patch | 31 +++ .../0003-nss-fix-incorrect-shebang-of-perl.patch | 94 +++++++ .../nss/0004-nss-disable-Wvarargs-with-clang.patch | 45 ++++ ...t-build-on-mips-with-clang-because-wrong-.patch | 35 +++ ...nss-multilib-build-on-openSUSE-11.x-32bit.patch | 45 ++++ ...a-configure-option-to-disable-ARM-HW-cryp.patch | 60 +++++ .../nss/nss/disable-Wvarargs-with-clang.patch | 42 --- .../nss/nss-fix-incorrect-shebang-of-perl.patch | 91 ------- .../nss/nss/nss-fix-nsinstall-build.patch | 44 ---- .../nss/nss/nss-no-rpath-for-cross-compiling.patch | 28 -- .../recipes-support/nss/nss/pqg.c-ULL_addend.patch | 32 --- meta-oe/recipes-support/nss/nss_3.103.bb | 289 --------------------- meta-oe/recipes-support/nss/nss_3.107.bb | 289 +++++++++++++++++++++ 15 files changed, 607 insertions(+), 588 deletions(-) delete mode 100644 meta-oe/recipes-support/nss/nss/0001-freebl-add-a-configure-option-to-disable-ARM-HW-cryp.patch create mode 100644 meta-oe/recipes-support/nss/nss/0002-nss-no-rpath-for-cross-compiling.patch create mode 100644 meta-oe/recipes-support/nss/nss/0003-nss-fix-incorrect-shebang-of-perl.patch create mode 100644 meta-oe/recipes-support/nss/nss/0004-nss-disable-Wvarargs-with-clang.patch create mode 100644 meta-oe/recipes-support/nss/nss/0005-nss-does-not-build-on-mips-with-clang-because-wrong-.patch create mode 100644 meta-oe/recipes-support/nss/nss/0006-Fix-nss-multilib-build-on-openSUSE-11.x-32bit.patch create mode 100644 meta-oe/recipes-support/nss/nss/0007-freebl-add-a-configure-option-to-disable-ARM-HW-cryp.patch delete mode 100644 meta-oe/recipes-support/nss/nss/disable-Wvarargs-with-clang.patch delete mode 100644 meta-oe/recipes-support/nss/nss/nss-fix-incorrect-shebang-of-perl.patch delete mode 100644 meta-oe/recipes-support/nss/nss/nss-fix-nsinstall-build.patch delete mode 
100644 meta-oe/recipes-support/nss/nss/nss-no-rpath-for-cross-compiling.patch delete mode 100644 meta-oe/recipes-support/nss/nss/pqg.c-ULL_addend.patch delete mode 100644 meta-oe/recipes-support/nss/nss_3.103.bb create mode 100644 meta-oe/recipes-support/nss/nss_3.107.bb diff --git a/meta-oe/recipes-support/nss/nss/0001-freebl-add-a-configure-option-to-disable-ARM-HW-cryp.patch b/meta-oe/recipes-support/nss/nss/0001-freebl-add-a-configure-option-to-disable-ARM-HW-cryp.patch deleted file mode 100644 index b7f1b01a14..0000000000 --- a/meta-oe/recipes-support/nss/nss/0001-freebl-add-a-configure-option-to-disable-ARM-HW-cryp.patch +++ /dev/null 
@@ -1,57 +0,0 @@ -From 7c8f367faf8848a43a414079189e10270d6c0fcc Mon Sep 17 00:00:00 2001 -From: Alexander Kanavin -Date: Wed, 18 Dec 2019 12:29:50 +0100 -Subject: [PATCH] freebl: add a configure option to disable ARM HW crypto - -Not all current hardware supports it, particularly anything -prior to armv8 does not. - -Upstream-Status: Pending -Signed-off-by: Alexander Kanavin - ---- - nss/lib/freebl/Makefile | 3 +++ - nss/lib/freebl/gcm.c | 2 ++ - 2 files changed, 5 insertions(+) - -diff --git a/nss/lib/freebl/Makefile b/nss/lib/freebl/Makefile -index 7ee8736..f9b4925 100644 ---- a/nss/lib/freebl/Makefile -+++ b/nss/lib/freebl/Makefile -@@ -142,6 +142,8 @@ endif - endif - endif - endif -+ifdef NSS_USE_ARM_HW_CRYPTO -+ DEFINES += -DNSS_USE_ARM_HW_CRYPTO - ifeq ($(CPU_ARCH),aarch64) - ifdef CC_IS_CLANG - DEFINES += -DUSE_HW_AES -DUSE_HW_SHA1 -DUSE_HW_SHA2 -@@ -183,6 +185,7 @@ endif - endif - endif - endif -+endif - - ifeq (OS2,$(OS_TARGET)) - ASFILES = mpi_x86_os2.s -diff --git a/nss/lib/freebl/gcm.c b/nss/lib/freebl/gcm.c -index 2dae724..9ee7fc8 100644 ---- a/nss/lib/freebl/gcm.c -+++ b/nss/lib/freebl/gcm.c -@@ -18,6 +18,7 @@ - - #include - -+#ifdef NSS_USE_ARM_HW_CRYPTO - /* old gcc doesn't support some poly64x2_t intrinsic */ - #if defined(__aarch64__) && defined(IS_LITTLE_ENDIAN) && \ - (defined(__clang__) || defined(__GNUC__) && __GNUC__ > 6) -@@ -27,6 +28,7 @@ - /* We don't test on big endian platform, so disable this on big endian. */ - #define USE_ARM_GCM - #endif -+#endif - - /* Forward declarations */ - SECStatus gcm_HashInit_hw(gcmHashContext *ghash); diff --git a/meta-oe/recipes-support/nss/nss/0001-nss-fix-support-cross-compiling.patch b/meta-oe/recipes-support/nss/nss/0001-nss-fix-support-cross-compiling.patch index 2385fd3b9d..5733bb068f 100644 --- a/meta-oe/recipes-support/nss/nss/0001-nss-fix-support-cross-compiling.patch +++ b/meta-oe/recipes-support/nss/nss/0001-nss-fix-support-cross-compiling.patch 
@@ -1,21 +1,21 @@ -From 46ab1ca6e6fb8e1196e0665a54506dff370f8f2a Mon Sep 17 00:00:00 2001 +From c15470d6b52986a8e41f9be4579c88ed80413b44 Mon Sep 17 00:00:00 2001 From: Alexander Kanavin Date: Wed, 22 Feb 2017 11:36:11 +0200 Subject: [PATCH] nss: fix support cross compiling Let some make variables be assigned from outside makefile. -Upstream-Status: Inappropriate [configuration] +Upstream-Status: Inappropriate [oe specific] + Signed-off-by: Hongxu Jia Signed-off-by: Alexander Kanavin - --- nss/coreconf/arch.mk | 4 ++-- nss/lib/freebl/Makefile | 6 ++++++ 2 files changed, 8 insertions(+), 2 deletions(-) diff --git a/nss/coreconf/arch.mk b/nss/coreconf/arch.mk -index 17e9fae..bc4180a 100644 +index 711d19d..a163d24 100644 --- a/nss/coreconf/arch.mk +++ b/nss/coreconf/arch.mk @@ -26,11 +26,11 @@ OS_ARCH := $(subst /,_,$(shell uname -s)) @@ -33,7 +33,7 @@ index 17e9fae..bc4180a 100644 diff --git a/nss/lib/freebl/Makefile b/nss/lib/freebl/Makefile -index eeee90a..7ee8736 100644 +index e744314..0ebfc92 100644 --- a/nss/lib/freebl/Makefile +++ b/nss/lib/freebl/Makefile @@ -36,6 +36,12 @@ ifdef USE_64 @@ -49,3 +49,6 @@ index eeee90a..7ee8736 100644 ifdef USE_ABI32_FPU DEFINES += -DNSS_USE_ABI32_FPU endif +-- +2.25.1 + diff --git a/meta-oe/recipes-support/nss/nss/0002-nss-no-rpath-for-cross-compiling.patch b/meta-oe/recipes-support/nss/nss/0002-nss-no-rpath-for-cross-compiling.patch new file mode 100644 index 0000000000..19fa5a7261 --- /dev/null +++ b/meta-oe/recipes-support/nss/nss/0002-nss-no-rpath-for-cross-compiling.patch 
@@ -0,0 +1,31 @@
+From 621023bc696d3d26a4179dbbafb42d79bef1faf9 Mon Sep 17 00:00:00 2001
+From: Hongxu Jia
+Date: Sat, 7 Mar 2020 08:34:02 -0800
+Subject: [PATCH] nss:no rpath for cross compiling
+
+Upstream-Status: Inappropriate [oe specific]
+
+Signed-off-by: Hongxu Jia
+---
+ nss/cmd/platlibs.mk | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/nss/cmd/platlibs.mk b/nss/cmd/platlibs.mk
+index 6401778..e5c4e16 100644
+--- a/nss/cmd/platlibs.mk
++++ b/nss/cmd/platlibs.mk
+@@ -18,9 +18,9 @@ endif
+
+ ifeq ($(OS_ARCH), Linux)
+ ifeq ($(USE_64), 1)
+-EXTRA_SHARED_LIBS += -Wl,-rpath,'$$ORIGIN/../lib64:/opt/sun/private/lib64:$$ORIGIN/../lib'
++#EXTRA_SHARED_LIBS += -Wl,-rpath,'$$ORIGIN/../lib64:/opt/sun/private/lib64:$$ORIGIN/../lib'
+ else
+-EXTRA_SHARED_LIBS += -Wl,-rpath,'$$ORIGIN/../lib:/opt/sun/private/lib'
++#EXTRA_SHARED_LIBS += -Wl,-rpath,'$$ORIGIN/../lib:/opt/sun/private/lib'
+ endif
+ endif
+
+--
+2.25.1
+
diff --git a/meta-oe/recipes-support/nss/nss/0003-nss-fix-incorrect-shebang-of-perl.patch b/meta-oe/recipes-support/nss/nss/0003-nss-fix-incorrect-shebang-of-perl.patch
new file mode 100644
index 0000000000..61b7565739
--- /dev/null
+++ b/meta-oe/recipes-support/nss/nss/0003-nss-fix-incorrect-shebang-of-perl.patch
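Review bot: The header of `0002-nss-no-rpath-for-cross-compiling.patch` has a subject line and trailers but no description, so nothing records why the `-rpath` settings in `nss/cmd/platlibs.mk` are switched off. A sentence such as `Drop the hard-coded -rpath so the built binaries carry no $ORIGIN-relative or /opt/sun/private/lib run-time search paths.` would state the intent; the absolute `/opt/sun/private/lib*` entries are the part a reviewer most wants to see gone, since they name a directory the image does not otherwise control. The two `EXTRA_SHARED_LIBS` lines are commented out rather than deleted, which leaves both branches of `ifeq ($(USE_64), 1)` empty and keeps text that is easy to re-enable by accident; removing the lines would make the patch say what it means.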
@@ -0,0 +1,94 @@ +From 6aec640342088498cb1b0a2e395eb3da297a48b4 Mon Sep 17 00:00:00 2001 +From: Ovidiu Panait +Date: Mon, 13 Jul 2020 12:12:31 +0300 +Subject: [PATCH] nss: fix incorrect shebang of perl + +Replace incorrect shebang of perl with `#!/usr/bin/env perl'. + +Upstream-Status: Pending + +Signed-off-by: Hongxu Jia +Signed-off-by: Ovidiu Panait +--- + nss/cmd/signver/examples/1/form.pl | 2 +- + nss/cmd/signver/examples/1/signedForm.pl | 2 +- + nss/cmd/smimetools/smime | 2 +- + nss/coreconf/version.pl | 2 +- + nss/tests/clean_tbx | 2 +- + nss/tests/iopr/server_scr/client.cgi | 2 +- + nss/tests/path_uniq | 2 +- + 7 files changed, 7 insertions(+), 7 deletions(-) + +diff --git a/nss/cmd/signver/examples/1/form.pl b/nss/cmd/signver/examples/1/form.pl +index f2cfddc..af58d54 100755 +--- a/nss/cmd/signver/examples/1/form.pl ++++ b/nss/cmd/signver/examples/1/form.pl +@@ -1,4 +1,4 @@ +-#! /usr/bin/perl ++#!/usr/bin/env perl + # This Source Code Form is subject to the terms of the Mozilla Public + # License, v. 2.0. If a copy of the MPL was not distributed with this + # file, You can obtain one at http://mozilla.org/MPL/2.0/. +diff --git a/nss/cmd/signver/examples/1/signedForm.pl b/nss/cmd/signver/examples/1/signedForm.pl +index 847814c..64a31ff 100755 +--- a/nss/cmd/signver/examples/1/signedForm.pl ++++ b/nss/cmd/signver/examples/1/signedForm.pl +@@ -1,4 +1,4 @@ +-#! /usr/bin/perl ++#!/usr/bin/env perl + # This Source Code Form is subject to the terms of the Mozilla Public + # License, v. 2.0. If a copy of the MPL was not distributed with this + # file, You can obtain one at http://mozilla.org/MPL/2.0/. +diff --git a/nss/cmd/smimetools/smime b/nss/cmd/smimetools/smime +index e67f6be..6cd85e6 100755 +--- a/nss/cmd/smimetools/smime ++++ b/nss/cmd/smimetools/smime +@@ -1,4 +1,4 @@ +-#!/usr/local/bin/perl ++#!/usr/bin/env perl + + # This Source Code Form is subject to the terms of the Mozilla Public + # License, v. 2.0. 
If a copy of the MPL was not distributed with this +diff --git a/nss/coreconf/version.pl b/nss/coreconf/version.pl +index d2a4942..3ba7323 100644 +--- a/nss/coreconf/version.pl ++++ b/nss/coreconf/version.pl +@@ -1,4 +1,4 @@ +-#!/usr/sbin/perl ++#!/usr/bin/env perl + # + # This Source Code Form is subject to the terms of the Mozilla Public + # License, v. 2.0. If a copy of the MPL was not distributed with this +diff --git a/nss/tests/clean_tbx b/nss/tests/clean_tbx +index 4de9555..c15a069 100755 +--- a/nss/tests/clean_tbx ++++ b/nss/tests/clean_tbx +@@ -1,4 +1,4 @@ +-#! /bin/perl ++#!/usr/bin/env perl + + ####################################################################### + # +diff --git a/nss/tests/iopr/server_scr/client.cgi b/nss/tests/iopr/server_scr/client.cgi +index 581ad06..34ea170 100644 +--- a/nss/tests/iopr/server_scr/client.cgi ++++ b/nss/tests/iopr/server_scr/client.cgi +@@ -1,4 +1,4 @@ +-#!/usr/bin/perl ++#!/usr/bin/env perl + + # This Source Code Form is subject to the terms of the Mozilla Public + # License, v. 2.0. If a copy of the MPL was not distributed with this +diff --git a/nss/tests/path_uniq b/nss/tests/path_uniq +index f29f60a..850332a 100755 +--- a/nss/tests/path_uniq ++++ b/nss/tests/path_uniq +@@ -1,4 +1,4 @@ +-#! /bin/perl ++#!/usr/bin/env perl + + ######################################################################## + # +-- +2.25.1 + diff --git a/meta-oe/recipes-support/nss/nss/0004-nss-disable-Wvarargs-with-clang.patch b/meta-oe/recipes-support/nss/nss/0004-nss-disable-Wvarargs-with-clang.patch new file mode 100644 index 0000000000..fa4c5bacbf --- /dev/null +++ b/meta-oe/recipes-support/nss/nss/0004-nss-disable-Wvarargs-with-clang.patch 
@@ -0,0 +1,45 @@
+From 72c3150300975524bb0001b5a731f077852c95ab Mon Sep 17 00:00:00 2001
+From: Khem Raj
+Date: Sat, 7 Mar 2020 08:34:02 -0800
+Subject: [PATCH] nss: disable Wvarargs with clang
+
+clang 3.9 add this warning to rightly flag undefined
+behavior, we relegate this to be just a warning instead
+of error and keep the behavior as it was. Right fix would
+be to not pass enum to the function with variadic arguments
+as last named argument
+
+Fixes errors like
+ocsp.c:2220:22: error: passing an object that undergoes default argument promotion to 'va_start' has undefined behavior [-Werror,-Wvarargs]
+ va_start(ap, responseType0);
+ ^
+ocsp.c:2200:43: note: parameter of type 'SECOidTag' is declared here
+ SECOidTag responseType0, ...)
+
+see
+https://www.securecoding.cert.org/confluence/display/cplusplus/EXP58-CPP.+Pass+an+object+of+the+correct+type+to+va_start
+for more details
+
+Upstream-Status: Pending
+
+Signed-off-by: Khem Raj
+---
+ nss/coreconf/Werror.mk | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/nss/coreconf/Werror.mk b/nss/coreconf/Werror.mk
+index a569a49..687fe58 100644
+--- a/nss/coreconf/Werror.mk
++++ b/nss/coreconf/Werror.mk
+@@ -56,7 +56,7 @@ ifndef WARNING_CFLAGS
+ ifdef CC_IS_CLANG
+ # -Qunused-arguments : clang objects to arguments that it doesn't understand
+ # and fixing this would require rearchitecture
+- WARNING_CFLAGS += -Qunused-arguments
++ WARNING_CFLAGS += -Qunused-arguments -Wno-error=varargs
+ # -Wno-parentheses-equality : because clang warns about macro expansions
+ WARNING_CFLAGS += $(call disable_warning,parentheses-equality)
+ ifdef BUILD_OPT
+--
+2.25.1
+
diff --git a/meta-oe/recipes-support/nss/nss/0005-nss-does-not-build-on-mips-with-clang-because-wrong-.patch b/meta-oe/recipes-support/nss/nss/0005-nss-does-not-build-on-mips-with-clang-because-wrong-.patch
new file mode 100644
index 0000000000..f12a278ef2
--- /dev/null
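Review bot: `-Wno-error=varargs` is appended to the `-Qunused-arguments` line in `nss/coreconf/Werror.mk`, so the comment above that line no longer covers everything it sets, and the downgrade applies to every file built with clang rather than only to `ocsp.c`. Put the flag on its own line with its own comment, e.g. `# -Wno-error=varargs : ocsp.c passes an enum as the last named argument before va_start` followed by `WARNING_CFLAGS += -Wno-error=varargs`. The patch description itself says the call is undefined behaviour and that the right fix is to change the argument, so this only hides the diagnostic in a library that parses OCSP responses; the patch is still `Upstream-Status: Pending` without a bug reference, and adding one would let the workaround be dropped once the code is fixed.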
+++ b/meta-oe/recipes-support/nss/nss/0005-nss-does-not-build-on-mips-with-clang-because-wrong-.patch
@@ -0,0 +1,35 @@
+From 5935755eef43ac7cb8f4567e7bed5892180f954c Mon Sep 17 00:00:00 2001
+From: Khem Raj
+Date: Sat, 7 Mar 2020 08:34:02 -0800
+Subject: [PATCH] nss: does not build on mips with clang because wrong types
+ are used
+
+pqg.c:339:16: error: comparison of constant 18446744073709551615 with expression of type 'unsigned long' is always true [-Werror,-Wtautological-constant-out-of-range-compare]
+ if (addend < MP_DIGIT_MAX) {
+ ~~~~~~ ^ ~~~~~~~~~~~~
+
+Upstream-Status: Pending
+
+Signed-off-by: Khem Raj
+---
+ nss/lib/freebl/pqg.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/nss/lib/freebl/pqg.c b/nss/lib/freebl/pqg.c
+index 62d46b5..8c8665d 100644
+--- a/nss/lib/freebl/pqg.c
++++ b/nss/lib/freebl/pqg.c
+@@ -326,8 +326,8 @@ generate_h_candidate(SECItem *hit, mp_int *H)
+
+ static SECStatus
+ addToSeed(const SECItem *seed,
+- unsigned long addend,
+- int seedlen, /* g in 186-1 */
++ unsigned long long addend,
++ int seedlen, /* g in 186-1 */
+ SECItem *seedout)
+ {
+ mp_int s, sum, modulus, tmp;
+--
+2.25.1
+
diff --git a/meta-oe/recipes-support/nss/nss/0006-Fix-nss-multilib-build-on-openSUSE-11.x-32bit.patch b/meta-oe/recipes-support/nss/nss/0006-Fix-nss-multilib-build-on-openSUSE-11.x-32bit.patch
new file mode 100644
index 0000000000..afe11821af
--- /dev/null
+++ b/meta-oe/recipes-support/nss/nss/0006-Fix-nss-multilib-build-on-openSUSE-11.x-32bit.patch
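Review bot: The description of `0005-nss-does-not-build-on-mips-with-clang-because-wrong-.patch` is the compiler diagnostic alone and never says why widening `addend` to `unsigned long long` in `addToSeed` is the right fix rather than just a way to quiet the warning. Presumably `unsigned long` is 32 bits on the failing target while `MP_DIGIT_MAX` is a 64-bit constant, which is what makes `addend < MP_DIGIT_MAX` always true; the header should say so, and a comment on the parameter such as `/* wide enough to compare against MP_DIGIT_MAX on 32-bit longs */` would keep the reason next to the code. The body of `addToSeed` and its callers are outside the hunk, so it is worth confirming that no caller depended on the old implicit conversion to `unsigned long`, since this function feeds the PQG seed arithmetic.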
@@ -0,0 +1,45 @@
+From 895e76e75dbb993a8f445072c190a9db4ee50d15 Mon Sep 17 00:00:00 2001
+From: Wenzong Fan
+Date: Sat, 7 Mar 2020 08:34:02 -0800
+Subject: [PATCH] Fix nss multilib build on openSUSE 11.x 32bit
+
+While building lib64-nss on openSUSE 11.x 32bit, the nsinstall will
+fail with error:
+
+* nsinstall.c:1:0: sorry, unimplemented: 64-bit mode not compiled
+
+It caused by the '-m64' option which passed to host gcc.
+
+The nsinstall was built first while nss starting to build, it only runs
+on host to install built files, it doesn't need any cross-compling or
+multilib build options. Just clean the ARCHFLAG and LDFLAGS to fix this
+error.
+
+Upstream-Status: Inappropriate [oe specific]
+
+Signed-off-by: Wenzong Fan
+---
+ nss/coreconf/nsinstall/Makefile | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/nss/coreconf/nsinstall/Makefile b/nss/coreconf/nsinstall/Makefile
+index 337cbeb..dd77fbe 100644
+--- a/nss/coreconf/nsinstall/Makefile
++++ b/nss/coreconf/nsinstall/Makefile
+@@ -18,6 +18,13 @@ INTERNAL_TOOLS = 1
+
+ include $(DEPTH)/coreconf/config.mk
+
++# nsinstall is unfit for cross-compiling/multilib-build since it was
++# always run on local host to install built files. This change intends
++# to clean the '-m64' from ARCHFLAG and LDFLAGS.
++ARCHFLAG =
++LDFLAGS =
++# CFLAGS =
++
+ ifeq (,$(filter-out WIN%,$(OS_TARGET)))
+ PROGRAM =
+ TARGETS =
+--
+2.25.1
+
diff --git a/meta-oe/recipes-support/nss/nss/0007-freebl-add-a-configure-option-to-disable-ARM-HW-cryp.patch b/meta-oe/recipes-support/nss/nss/0007-freebl-add-a-configure-option-to-disable-ARM-HW-cryp.patch
new file mode 100644
index 0000000000..5debd13488
--- /dev/null
+++ b/meta-oe/recipes-support/nss/nss/0007-freebl-add-a-configure-option-to-disable-ARM-HW-cryp.patch
@@ -0,0 +1,60 @@
+From 781a21fa9b0d8d8d6df0de45e3c9dc3f3e74be8f Mon Sep 17 00:00:00 2001
+From: Alexander Kanavin
+Date: Wed, 18 Dec 2019 12:29:50 +0100
+Subject: [PATCH] freebl: add a configure option to disable ARM HW crypto
+
+Not all current hardware supports it, particularly anything
+prior to armv8 does not.
+
+Upstream-Status: Pending
+
+Signed-off-by: Alexander Kanavin
+---
+ nss/lib/freebl/Makefile | 3 +++
+ nss/lib/freebl/gcm.c | 2 ++
+ 2 files changed, 5 insertions(+)
+
+diff --git a/nss/lib/freebl/Makefile b/nss/lib/freebl/Makefile
+index 0ebfc92..3ee7623 100644
+--- a/nss/lib/freebl/Makefile
++++ b/nss/lib/freebl/Makefile
+@@ -142,6 +142,8 @@ endif
+ endif
+ endif
+ endif
++ifdef NSS_USE_ARM_HW_CRYPTO
++ DEFINES += -DNSS_USE_ARM_HW_CRYPTO
+ ifeq ($(CPU_ARCH),aarch64)
+ ifdef CC_IS_CLANG
+ DEFINES += -DUSE_HW_AES -DUSE_HW_SHA1 -DUSE_HW_SHA2
+@@ -183,6 +185,7 @@ endif
+ endif
+ endif
+ endif
++endif
+
+ ifeq (,$(filter-out WINNT,$(OS_TARGET)))
+ ifndef USE_64
+diff --git a/nss/lib/freebl/gcm.c b/nss/lib/freebl/gcm.c
+index d728867..8b4de1d 100644
+--- a/nss/lib/freebl/gcm.c
++++ b/nss/lib/freebl/gcm.c
+@@ -18,6 +18,7 @@
+
+ #include
+
++#ifdef NSS_USE_ARM_HW_CRYPTO
+ /* old gcc doesn't support some poly64x2_t intrinsic */
+ #if defined(__aarch64__) && defined(IS_LITTLE_ENDIAN) && \
+ (defined(__clang__) || defined(__GNUC__) && __GNUC__ > 6)
+@@ -27,6 +28,7 @@
+ /* We don't test on big endian platform, so disable this on big endian. */
+ #define USE_ARM_GCM
+ #endif
++#endif
+
+ /* Forward declarations */
+ SECStatus gcm_HashInit_hw(gcmHashContext *ghash);
+--
+2.25.1
+
diff --git a/meta-oe/recipes-support/nss/nss/disable-Wvarargs-with-clang.patch b/meta-oe/recipes-support/nss/nss/disable-Wvarargs-with-clang.patch
deleted file mode 100644
index 4c9bea30c0..0000000000
--- a/meta-oe/recipes-support/nss/nss/disable-Wvarargs-with-clang.patch
+++ /dev/null
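Review bot: `ifdef NSS_USE_ARM_HW_CRYPTO` in `nss/lib/freebl/Makefile` is true for any non-empty value, so a build that passes `NSS_USE_ARM_HW_CRYPTO=0` to turn the hardware paths off still gets `-DNSS_USE_ARM_HW_CRYPTO` and the `USE_HW_AES`/`USE_HW_SHA1`/`USE_HW_SHA2` defines. Testing the value instead, `ifeq ($(NSS_USE_ARM_HW_CRYPTO),1)`, makes the switch behave the way its name reads. The guard also turns the hardware AES/SHA/GCM code from the default into an opt-in, so an aarch64 build that never sets the variable silently falls back to the software implementations; the recipe line that sets it is not in this hunk, so that should be confirmed for the targets that do have the instructions. A comment above the guard, e.g. `# NSS_USE_ARM_HW_CRYPTO=1 builds the ARM hardware AES/SHA/GCM paths; unset selects the software fallbacks`, would document the default.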
@@ -1,42 +0,0 @@ -From f613c9a9107435a40d91329f33f12cfb16927f07 Mon Sep 17 00:00:00 2001 -From: Khem Raj -Date: Sat, 7 Mar 2020 08:34:02 -0800 -Subject: [PATCH] nss,nspr: Add recipes - -clang 3.9 add this warning to rightly flag undefined -behavior, we relegate this to be just a warning instead -of error and keep the behavior as it was. Right fix would -be to not pass enum to the function with variadic arguments -as last named argument - -Fixes errors like -ocsp.c:2220:22: error: passing an object that undergoes default argument promotion to 'va_start' has undefined behavior [-Werror,-Wvarargs] - va_start(ap, responseType0); - ^ -ocsp.c:2200:43: note: parameter of type 'SECOidTag' is declared here - SECOidTag responseType0, ...) - -see -https://www.securecoding.cert.org/confluence/display/cplusplus/EXP58-CPP.+Pass+an+object+of+the+correct+type+to+va_start -for more details - -Signed-off-by: Khem Raj -Upstream-Status: Pending - ---- - nss/coreconf/Werror.mk | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/nss/coreconf/Werror.mk b/nss/coreconf/Werror.mk -index a569a49..687fe58 100644 ---- a/nss/coreconf/Werror.mk -+++ b/nss/coreconf/Werror.mk -@@ -56,7 +56,7 @@ ifndef WARNING_CFLAGS - ifdef CC_IS_CLANG - # -Qunused-arguments : clang objects to arguments that it doesn't understand - # and fixing this would require rearchitecture -- WARNING_CFLAGS += -Qunused-arguments -+ WARNING_CFLAGS += -Qunused-arguments -Wno-error=varargs - # -Wno-parentheses-equality : because clang warns about macro expansions - WARNING_CFLAGS += $(call disable_warning,parentheses-equality) - ifdef BUILD_OPT diff --git a/meta-oe/recipes-support/nss/nss/nss-fix-incorrect-shebang-of-perl.patch b/meta-oe/recipes-support/nss/nss/nss-fix-incorrect-shebang-of-perl.patch deleted file mode 100644 index 735b06b5ca..0000000000 --- a/meta-oe/recipes-support/nss/nss/nss-fix-incorrect-shebang-of-perl.patch +++ /dev/null 
@@ -1,91 +0,0 @@ -From 2ce67b1f4b1f582d556ae058da10698bbaa0edc1 Mon Sep 17 00:00:00 2001 -From: Ovidiu Panait -Date: Mon, 13 Jul 2020 12:12:31 +0300 -Subject: [PATCH] nss: fix incorrect shebang of perl - -Replace incorrect shebang of perl with `#!/usr/bin/env perl'. - -Signed-off-by: Hongxu Jia -Upstream-Status: Pending -Signed-off-by: Ovidiu Panait - ---- - nss/cmd/signver/examples/1/form.pl | 2 +- - nss/cmd/signver/examples/1/signedForm.pl | 2 +- - nss/cmd/smimetools/smime | 2 +- - nss/coreconf/version.pl | 2 +- - nss/tests/clean_tbx | 2 +- - nss/tests/iopr/server_scr/client.cgi | 2 +- - nss/tests/path_uniq | 2 +- - 7 files changed, 7 insertions(+), 7 deletions(-) - -diff --git a/nss/cmd/signver/examples/1/form.pl b/nss/cmd/signver/examples/1/form.pl -index f2cfddc..af58d54 100755 ---- a/nss/cmd/signver/examples/1/form.pl -+++ b/nss/cmd/signver/examples/1/form.pl -@@ -1,4 +1,4 @@ --#! /usr/bin/perl -+#!/usr/bin/env perl - # This Source Code Form is subject to the terms of the Mozilla Public - # License, v. 2.0. If a copy of the MPL was not distributed with this - # file, You can obtain one at http://mozilla.org/MPL/2.0/. -diff --git a/nss/cmd/signver/examples/1/signedForm.pl b/nss/cmd/signver/examples/1/signedForm.pl -index 847814c..64a31ff 100755 ---- a/nss/cmd/signver/examples/1/signedForm.pl -+++ b/nss/cmd/signver/examples/1/signedForm.pl -@@ -1,4 +1,4 @@ --#! /usr/bin/perl -+#!/usr/bin/env perl - # This Source Code Form is subject to the terms of the Mozilla Public - # License, v. 2.0. If a copy of the MPL was not distributed with this - # file, You can obtain one at http://mozilla.org/MPL/2.0/. -diff --git a/nss/cmd/smimetools/smime b/nss/cmd/smimetools/smime -index e67f6be..6cd85e6 100755 ---- a/nss/cmd/smimetools/smime -+++ b/nss/cmd/smimetools/smime -@@ -1,4 +1,4 @@ --#!/usr/local/bin/perl -+#!/usr/bin/env perl - - # This Source Code Form is subject to the terms of the Mozilla Public - # License, v. 2.0. 
If a copy of the MPL was not distributed with this -diff --git a/nss/coreconf/version.pl b/nss/coreconf/version.pl -index d2a4942..3ba7323 100644 ---- a/nss/coreconf/version.pl -+++ b/nss/coreconf/version.pl -@@ -1,4 +1,4 @@ --#!/usr/sbin/perl -+#!/usr/bin/env perl - # - # This Source Code Form is subject to the terms of the Mozilla Public - # License, v. 2.0. If a copy of the MPL was not distributed with this -diff --git a/nss/tests/clean_tbx b/nss/tests/clean_tbx -index 4de9555..c15a069 100755 ---- a/nss/tests/clean_tbx -+++ b/nss/tests/clean_tbx -@@ -1,4 +1,4 @@ --#! /bin/perl -+#!/usr/bin/env perl - - ####################################################################### - # -diff --git a/nss/tests/iopr/server_scr/client.cgi b/nss/tests/iopr/server_scr/client.cgi -index 581ad06..34ea170 100644 ---- a/nss/tests/iopr/server_scr/client.cgi -+++ b/nss/tests/iopr/server_scr/client.cgi -@@ -1,4 +1,4 @@ --#!/usr/bin/perl -+#!/usr/bin/env perl - - # This Source Code Form is subject to the terms of the Mozilla Public - # License, v. 2.0. If a copy of the MPL was not distributed with this -diff --git a/nss/tests/path_uniq b/nss/tests/path_uniq -index f29f60a..850332a 100755 ---- a/nss/tests/path_uniq -+++ b/nss/tests/path_uniq -@@ -1,4 +1,4 @@ --#! /bin/perl -+#!/usr/bin/env perl - - ######################################################################## - # diff --git a/meta-oe/recipes-support/nss/nss/nss-fix-nsinstall-build.patch b/meta-oe/recipes-support/nss/nss/nss-fix-nsinstall-build.patch deleted file mode 100644 index a1897f88d8..0000000000 --- a/meta-oe/recipes-support/nss/nss/nss-fix-nsinstall-build.patch +++ /dev/null 
@@ -1,44 +0,0 @@ -From f9b2b1c738576a17460aebd005f511f427aa1974 Mon Sep 17 00:00:00 2001 -From: Wenzong Fan -Date: Sat, 7 Mar 2020 08:34:02 -0800 -Subject: [PATCH] Fix nss multilib build on openSUSE 11.x 32bit - -While building lib64-nss on openSUSE 11.x 32bit, the nsinstall will -fail with error: - -* nsinstall.c:1:0: sorry, unimplemented: 64-bit mode not compiled - -It caused by the '-m64' option which passed to host gcc. - -The nsinstall was built first while nss starting to build, it only runs -on host to install built files, it doesn't need any cross-compling or -multilib build options. Just clean the ARCHFLAG and LDFLAGS to fix this -error. - -Upstream-Status: Inappropriate [configuration] - -Signed-off-by: Wenzong Fan -=================================================== - ---- - nss/coreconf/nsinstall/Makefile | 7 +++++++ - 1 file changed, 7 insertions(+) - -diff --git a/nss/coreconf/nsinstall/Makefile b/nss/coreconf/nsinstall/Makefile -index 08dfbc2..e97fb5f 100644 ---- a/nss/coreconf/nsinstall/Makefile -+++ b/nss/coreconf/nsinstall/Makefile -@@ -18,6 +18,13 @@ INTERNAL_TOOLS = 1 - - include $(DEPTH)/coreconf/config.mk - -+# nsinstall is unfit for cross-compiling/multilib-build since it was -+# always run on local host to install built files. This change intends -+# to clean the '-m64' from ARCHFLAG and LDFLAGS. -+ARCHFLAG = -+LDFLAGS = -+# CFLAGS = -+ - ifeq (,$(filter-out OS2 WIN%,$(OS_TARGET))) - PROGRAM = - TARGETS = diff --git a/meta-oe/recipes-support/nss/nss/nss-no-rpath-for-cross-compiling.patch b/meta-oe/recipes-support/nss/nss/nss-no-rpath-for-cross-compiling.patch deleted file mode 100644 index 8c715cc447..0000000000 --- a/meta-oe/recipes-support/nss/nss/nss-no-rpath-for-cross-compiling.patch +++ /dev/null 
@@ -1,28 +0,0 @@ -From 73edfbdf33fe4e41724e7e947033d8caeec8f3d0 Mon Sep 17 00:00:00 2001 -From: Hongxu Jia -Date: Sat, 7 Mar 2020 08:34:02 -0800 -Subject: [PATCH] nss:no rpath for cross compiling - -Signed-off-by: Hongxu Jia -Upstream-Status: Inappropriate [configuration] - ---- - nss/cmd/platlibs.mk | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/nss/cmd/platlibs.mk b/nss/cmd/platlibs.mk -index 6401778..e5c4e16 100644 ---- a/nss/cmd/platlibs.mk -+++ b/nss/cmd/platlibs.mk -@@ -18,9 +18,9 @@ endif - - ifeq ($(OS_ARCH), Linux) - ifeq ($(USE_64), 1) --EXTRA_SHARED_LIBS += -Wl,-rpath,'$$ORIGIN/../lib64:/opt/sun/private/lib64:$$ORIGIN/../lib' -+#EXTRA_SHARED_LIBS += -Wl,-rpath,'$$ORIGIN/../lib64:/opt/sun/private/lib64:$$ORIGIN/../lib' - else --EXTRA_SHARED_LIBS += -Wl,-rpath,'$$ORIGIN/../lib:/opt/sun/private/lib' -+#EXTRA_SHARED_LIBS += -Wl,-rpath,'$$ORIGIN/../lib:/opt/sun/private/lib' - endif - endif - diff --git a/meta-oe/recipes-support/nss/nss/pqg.c-ULL_addend.patch b/meta-oe/recipes-support/nss/nss/pqg.c-ULL_addend.patch deleted file mode 100644 index 589b4d5e7f..0000000000 --- a/meta-oe/recipes-support/nss/nss/pqg.c-ULL_addend.patch +++ /dev/null 
@@ -1,32 +0,0 @@ -From cbd367160338847b28fc801a12c74f1c8b5b03ee Mon Sep 17 00:00:00 2001 -From: Khem Raj -Date: Sat, 7 Mar 2020 08:34:02 -0800 -Subject: [PATCH] nss does not build on mips with clang because wrong types are - used? - -pqg.c:339:16: error: comparison of constant 18446744073709551615 with expression of type 'unsigned long' is always true [-Werror,-Wtautological-constant-out-of-range-compare] - if (addend < MP_DIGIT_MAX) { - ~~~~~~ ^ ~~~~~~~~~~~~ - -Signed-off-by: Khem Raj -Upstream-Status: Pending - ---- - nss/lib/freebl/pqg.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/nss/lib/freebl/pqg.c b/nss/lib/freebl/pqg.c -index 1b03278..ad895b7 100644 ---- a/nss/lib/freebl/pqg.c -+++ b/nss/lib/freebl/pqg.c -@@ -326,8 +326,8 @@ generate_h_candidate(SECItem *hit, mp_int *H) - - static SECStatus - addToSeed(const SECItem *seed, -- unsigned long addend, -- int seedlen, /* g in 186-1 */ -+ unsigned long long addend, -+ int seedlen, /* g in 186-1 */ - SECItem *seedout) - { - mp_int s, sum, modulus, tmp; diff --git a/meta-oe/recipes-support/nss/nss_3.103.bb b/meta-oe/recipes-support/nss/nss_3.103.bb deleted file mode 100644 index 64141e9383..0000000000 --- a/meta-oe/recipes-support/nss/nss_3.103.bb +++ /dev/null 
@@ -1,289 +0,0 @@
-SUMMARY = "Mozilla's SSL and TLS implementation"
-DESCRIPTION = "Network Security Services (NSS) is a set of libraries \
-designed to support cross-platform development of \
-security-enabled client and server applications. \
-Applications built with NSS can support SSL v2 and v3, \
-TLS, PKCS 5, PKCS 7, PKCS 11, PKCS 12, S/MIME, X.509 \
-v3 certificates, and other security standards."
-HOMEPAGE = "http://www.mozilla.org/projects/security/pki/nss/"
-SECTION = "libs"
-
-DEPENDS = "sqlite3 nspr zlib nss-native"
-DEPENDS:class-native = "sqlite3-native nspr-native zlib-native"
-
-LICENSE = "(MPL-2.0 & MIT) | (MPL-2.0 & GPL-2.0-or-later & MIT) | (MPL-2.0 & LGPL-2.1-or-later & MIT)"
-
-LIC_FILES_CHKSUM = "file://nss/COPYING;md5=3b1e88e1b9c0b5a4b2881d46cce06a18 \
- file://nss/lib/freebl/mpi/doc/LICENSE;md5=491f158d09d948466afce85d6f1fe18f \
- file://nss/lib/freebl/mpi/doc/LICENSE-MPL;md5=5d425c8f3157dbf212db2ec53d9e5132 \
- file://nss/lib/freebl/verified/Hacl_Poly1305_256.c;beginline=1;endline=22;md5=cc22f07b95d28d56baeb757df46ee7c8"
-
-VERSION_DIR = "${@d.getVar('BP').upper().replace('-', '_').replace('.', '_') + '_RTM'}"
-
-SRC_URI = "http://ftp.mozilla.org/pub/security/nss/releases/${VERSION_DIR}/src/${BP}.tar.gz \
- file://nss.pc.in \
- file://0001-nss-fix-support-cross-compiling.patch \
- file://nss-no-rpath-for-cross-compiling.patch \
- file://nss-fix-incorrect-shebang-of-perl.patch \
- file://disable-Wvarargs-with-clang.patch \
- file://pqg.c-ULL_addend.patch \
- file://blank-cert9.db \
- file://blank-key4.db \
- file://system-pkcs11.txt \
- file://nss-fix-nsinstall-build.patch \
- file://0001-freebl-add-a-configure-option-to-disable-ARM-HW-cryp.patch \
- "
-SRC_URI[sha256sum] = "7b4ab657f772dc7520c46e8d481940b292dcfc6a4c90150a7c26672384cee962"
-
-UPSTREAM_CHECK_URI = "https://ftp.mozilla.org/pub/security/nss/releases/"
-UPSTREAM_CHECK_REGEX = "NSS_(?P\d+(\_\d+)+)"
-
-inherit siteinfo
-
-TD = "${S}/tentative-dist"
-TDS = "${S}/tentative-dist-staging"
-
-TARGET_CC_ARCH += "${LDFLAGS}"
-
-CFLAGS:append:class-native = " -D_XOPEN_SOURCE "
-
-do_configure:prepend:libc-musl () {
- sed -i -e '/-DHAVE_SYS_CDEFS_H/d' ${S}/nss/lib/dbm/config/config.mk
-}
-
-do_configure:prepend:powerpc64le:toolchain-clang () {
- sed -i -e 's/\-std=c99/\-std=gnu99/g' ${S}/nss/coreconf/command.mk
-}
-
-do_configure:prepend:powerpc64:toolchain-clang () {
- sed -i -e 's/\-std=c99/\-std=gnu99/g' ${S}/nss/coreconf/command.mk
-}
-
-do_compile:prepend:class-native() {
- export NSPR_INCLUDE_DIR=${STAGING_INCDIR_NATIVE}/nspr
- export NSPR_LIB_DIR=${STAGING_LIBDIR_NATIVE}
-}
-
-do_compile:prepend:class-nativesdk() {
- export LDFLAGS=""
-}
-
-do_compile:prepend:class-native() {
- # Need to set RPATH so that chrpath will do its job correctly
- RPATH="-Wl,-rpath-link,${STAGING_LIBDIR_NATIVE} -Wl,-rpath-link,${STAGING_BASE_LIBDIR_NATIVE} -Wl,-rpath,${STAGING_LIBDIR_NATIVE} -Wl,-rpath,${STAGING_BASE_LIBDIR_NATIVE}"
-}
-
-do_compile() {
- export NSPR_INCLUDE_DIR=${STAGING_INCDIR}/nspr
-
- export CROSS_COMPILE=1
- export NATIVE_CC="${BUILD_CC}"
- # Additional defines needed on Centos 7
- export NATIVE_FLAGS="${BUILD_CFLAGS} -DLINUX -Dlinux"
- export BUILD_OPT=1
-
- # POSIX.1-2001 states that the behaviour of getcwd() when passing a null
- # pointer as the buf argument, is unspecified.
- export NATIVE_FLAGS="${NATIVE_FLAGS} -DGETCWD_CANT_MALLOC"
-
- export FREEBL_NO_DEPEND=1
- export FREEBL_LOWHASH=1
-
- export LIBDIR=${libdir}
- export MOZILLA_CLIENT=1
- export NS_USE_GCC=1
- export NSS_USE_SYSTEM_SQLITE=1
- export NSS_ENABLE_ECC=1
- export NSS_ENABLE_WERROR=0
-
- ${@bb.utils.contains("TUNE_FEATURES", "crypto", "export NSS_USE_ARM_HW_CRYPTO=1", "", d)}
-
- export OS_RELEASE=3.4
- export OS_TARGET=Linux
- export OS_ARCH=Linux
-
- if [ "${TARGET_ARCH}" = "powerpc" ]; then
- OS_TEST=ppc
- elif [ "${TARGET_ARCH}" = "powerpc64" -o "${TARGET_ARCH}" = "powerpc64le" ]; then
- OS_TEST=ppc64
- elif [ "${TARGET_ARCH}" = "mips" -o "${TARGET_ARCH}" = "mipsel" -o "${TARGET_ARCH}" = "mips64" -o "${TARGET_ARCH}" = "mips64el" ]; then
- OS_TEST=mips
- elif [ "${TARGET_ARCH}" = "aarch64_be" ]; then
- OS_TEST="aarch64"
- else
- OS_TEST="${TARGET_ARCH}"
- fi
-
- if [ "${SITEINFO_BITS}" = "64" ]; then
- export USE_64=1
- elif [ "${TARGET_ARCH}" = "x86_64" -a "${SITEINFO_BITS}" = "32" ]; then
- export USE_X32=1
- fi
-
- export NSS_DISABLE_GTESTS=1
- # We can modify CC in the environment, but if we set it via an
- # argument to make, nsinstall, a host program, will also build with it!
- #
- # nss pretty much does its own thing with CFLAGS, so we put them into CC.
- # Optimization will get clobbered, but most of the stuff will survive.
- # The motivation for this is to point to the correct place for debug
- # source files and CFLAGS does that. Nothing uses CCC.
- #
- export CC="${CC} ${CFLAGS}"
- make -C ./nss CCC="${CXX} -g" \
- OS_TEST=${OS_TEST} \
- RPATH="${RPATH}" \
- autobuild
-}
-
-do_compile[vardepsexclude] += "SITEINFO_BITS"
-
-do_install:prepend:class-nativesdk() {
- export LDFLAGS=""
-}
-
-do_install() {
- export CROSS_COMPILE=1
- export NATIVE_CC="${BUILD_CC}"
- export BUILD_OPT=1
-
- export FREEBL_NO_DEPEND=1
-
- export LIBDIR=${libdir}
- export MOZILLA_CLIENT=1
- export NS_USE_GCC=1
- export NSS_USE_SYSTEM_SQLITE=1
- export NSS_ENABLE_ECC=1
-
- export OS_RELEASE=3.4
- export OS_TARGET=Linux
- export OS_ARCH=Linux
-
- if [ "${TARGET_ARCH}" = "powerpc" ]; then
- OS_TEST=ppc
- elif [ "${TARGET_ARCH}" = "powerpc64" -o "${TARGET_ARCH}" = "powerpc64le" ]; then
- OS_TEST=ppc64
- elif [ "${TARGET_ARCH}" = "mips" -o "${TARGET_ARCH}" = "mipsel" -o "${TARGET_ARCH}" = "mips64" -o "${TARGET_ARCH}" = "mips64el" ]; then
- OS_TEST=mips
- elif [ "${TARGET_ARCH}" = "aarch64_be" ]; then
- CPU_ARCH=aarch64
- OS_TEST="aarch64"
- else
- OS_TEST="${TARGET_ARCH}"
- fi
- if [ "${SITEINFO_BITS}" = "64" ]; then
- export USE_64=1
- elif [ "${TARGET_ARCH}" = "x86_64" -a "${SITEINFO_BITS}" = "32" ]; then
- export USE_X32=1
- fi
-
- export NSS_DISABLE_GTESTS=1
-
- make -C ./nss \
- CCC="${CXX}" \
- OS_TEST=${OS_TEST} \
- SOURCE_LIB_DIR="${TD}/${libdir}" \
- SOURCE_BIN_DIR="${TD}/${bindir}" \
- install
-
- install -d ${D}/${libdir}/
- for file in ${S}/dist/*.OBJ/lib/*.so; do
- echo "Installing `basename $file`..."
- cp $file ${D}/${libdir}/
- done
-
- for shared_lib in ${TD}/${libdir}/*.so.*; do
- if [ -f $shared_lib ]; then
- cp $shared_lib ${D}/${libdir}
- ln -sf $(basename $shared_lib) ${D}/${libdir}/$(basename $shared_lib .1oe)
- fi
- done
- for shared_lib in ${TD}/${libdir}/*.so; do
- if [ -f $shared_lib -a ! -e ${D}/${libdir}/$shared_lib ]; then
- cp $shared_lib ${D}/${libdir}
- fi
- done
-
- install -d ${D}/${includedir}/nss3
- install -m 644 -t ${D}/${includedir}/nss3 dist/public/nss/*
-
- install -d ${D}/${bindir}
- for binary in ${TD}/${bindir}/*; do
- install -m 755 -t ${D}/${bindir} $binary
- done
-}
-
-do_install[vardepsexclude] += "SITEINFO_BITS"
-
-do_install:append() {
- # Create empty .chk files for the NSS libraries at build time. They could
- # be regenerated at target's boot time.
- for file in libsoftokn3.chk libfreebl3.chk libnssdbm3.chk; do
- touch ${D}/${libdir}/$file
- chmod 755 ${D}/${libdir}/$file
- done
-
- install -d ${D}${libdir}/pkgconfig/
- sed 's/%NSS_VERSION%/${PV}/' ${UNPACKDIR}/nss.pc.in | sed 's/%NSPR_VERSION%/4.9.2/' > ${D}${libdir}/pkgconfig/nss.pc
- sed -i s:OEPREFIX:${prefix}:g ${D}${libdir}/pkgconfig/nss.pc
- sed -i s:OEEXECPREFIX:${exec_prefix}:g ${D}${libdir}/pkgconfig/nss.pc
- sed -i s:OELIBDIR:${libdir}:g ${D}${libdir}/pkgconfig/nss.pc
- sed -i s:OEINCDIR:${includedir}/nss3:g ${D}${libdir}/pkgconfig/nss.pc
-}
-
-do_install:append:class-target() {
- # It used to call certutil to create a blank certificate with empty password at
- # build time, but the checksum of key4.db changes every time when certutil is called.
- # It causes non-determinism issue, so provide databases with a blank certificate
- # which are originally from output of nss in qemux86-64 build. You can get these
- # databases by:
- # certutil -N -d sql:/database/path/ --empty-password
- install -d ${D}${sysconfdir}/pki/nssdb/
- install -m 0644 ${UNPACKDIR}/blank-cert9.db ${D}${sysconfdir}/pki/nssdb/cert9.db
- install -m 0644 ${UNPACKDIR}/blank-key4.db ${D}${sysconfdir}/pki/nssdb/key4.db
- install -m 0644 ${UNPACKDIR}/system-pkcs11.txt ${D}${sysconfdir}/pki/nssdb/pkcs11.txt
-}
-
-PACKAGE_WRITE_DEPS += "nss-native"
-
-pkg_postinst:${PN} () {
- for I in $D${libdir}/lib*.chk; do
- DN=`dirname $I`
- BN=`basename $I .chk`
- FN=$DN/$BN.so
- shlibsign -i $FN
- if [ $? -ne 0 ]; then
- echo "shlibsign -i $FN failed"
- fi
- done
-}
-
-PACKAGES =+ "${PN}-smime"
-FILES:${PN}-smime = "\
- ${bindir}/smime \
-"
-
-FILES:${PN} = "\
- ${sysconfdir} \
- ${bindir} \
- ${libdir}/lib*.chk \
- ${libdir}/lib*.so \
- "
-
-FILES:${PN}-dev = "\
- ${libdir}/nss \
- ${libdir}/pkgconfig/* \
- ${includedir}/* \
- "
-
-RDEPENDS:${PN}-smime = "perl"
-
-BBCLASSEXTEND = "native nativesdk"
-
-CVE_PRODUCT += "network_security_services"
-
-CVE_STATUS_GROUPS += "CVE_STATUS_NSS"
-CVE_STATUS_NSS[status] = "not-applicable-config: This only affect the legacy db (libnssdbm), only compiled with --enable-legacy-db"
-CVE_STATUS_NSS = "CVE-2017-11695 CVE-2017-11696 CVE-2017-11697 CVE-2017-11698"
-
-CVE_STATUS[CVE-2022-3479] = "not-applicable-config: vulnerability was introduced in 3.77 and fixed in 3.87"
diff --git a/meta-oe/recipes-support/nss/nss_3.107.bb b/meta-oe/recipes-support/nss/nss_3.107.bb
new file mode 100644
index 0000000000..23e046b0a9
--- /dev/null
+++ b/meta-oe/recipes-support/nss/nss_3.107.bb
@@ -0,0 +1,289 @@
+SUMMARY = "Mozilla's SSL and TLS implementation"
+DESCRIPTION = "Network Security Services (NSS) is a set of libraries \
+designed to support cross-platform development of \
+security-enabled client and server applications. \
+Applications built with NSS can support SSL v2 and v3, \
+TLS, PKCS 5, PKCS 7, PKCS 11, PKCS 12, S/MIME, X.509 \
+v3 certificates, and other security standards."
+HOMEPAGE = "http://www.mozilla.org/projects/security/pki/nss/"
+SECTION = "libs"
+
+DEPENDS = "sqlite3 nspr zlib nss-native"
+DEPENDS:class-native = "sqlite3-native nspr-native zlib-native"
+
+LICENSE = "(MPL-2.0 & MIT) | (MPL-2.0 & GPL-2.0-or-later & MIT) | (MPL-2.0 & LGPL-2.1-or-later & MIT)"
+
+LIC_FILES_CHKSUM = "file://nss/COPYING;md5=3b1e88e1b9c0b5a4b2881d46cce06a18 \
+ file://nss/lib/freebl/mpi/doc/LICENSE;md5=491f158d09d948466afce85d6f1fe18f \
+ file://nss/lib/freebl/mpi/doc/LICENSE-MPL;md5=5d425c8f3157dbf212db2ec53d9e5132 \
+ file://nss/lib/freebl/verified/Hacl_Poly1305_256.c;beginline=1;endline=22;md5=cc22f07b95d28d56baeb757df46ee7c8"
+
+VERSION_DIR = "${@d.getVar('BP').upper().replace('-', '_').replace('.', '_') + '_RTM'}"
+
+SRC_URI = "http://ftp.mozilla.org/pub/security/nss/releases/${VERSION_DIR}/src/${BP}.tar.gz \
+ file://nss.pc.in \
+ file://blank-cert9.db \
+ file://blank-key4.db \
+ file://system-pkcs11.txt \
+ file://0001-nss-fix-support-cross-compiling.patch \
+ file://0002-nss-no-rpath-for-cross-compiling.patch \
+ file://0003-nss-fix-incorrect-shebang-of-perl.patch \
+ file://0004-nss-disable-Wvarargs-with-clang.patch \
+ file://0005-nss-does-not-build-on-mips-with-clang-because-wrong-.patch \
+ file://0006-Fix-nss-multilib-build-on-openSUSE-11.x-32bit.patch \
+ file://0007-freebl-add-a-configure-option-to-disable-ARM-HW-cryp.patch \
+ "
+SRC_URI[sha256sum] = "7f7e96473e38150771a615f5d40e8c41ba3a19385301ae0c525091f2fc9d6729"
+
+UPSTREAM_CHECK_URI = "https://ftp.mozilla.org/pub/security/nss/releases/"
+UPSTREAM_CHECK_REGEX = "NSS_(?P\d+(\_\d+)+)"
+
+inherit siteinfo
+
+TD = "${S}/tentative-dist"
+TDS = "${S}/tentative-dist-staging"
+
+TARGET_CC_ARCH += "${LDFLAGS}"
+
+CFLAGS:append:class-native = " -D_XOPEN_SOURCE "
+
+do_configure:prepend:libc-musl () {
+ sed -i -e '/-DHAVE_SYS_CDEFS_H/d' ${S}/nss/lib/dbm/config/config.mk
+}
+
+do_configure:prepend:powerpc64le:toolchain-clang () {
+ sed -i -e 's/\-std=c99/\-std=gnu99/g' ${S}/nss/coreconf/command.mk
+}
+
+do_configure:prepend:powerpc64:toolchain-clang () {
+ sed -i -e 's/\-std=c99/\-std=gnu99/g' ${S}/nss/coreconf/command.mk
+}
+
+do_compile:prepend:class-native() {
+ export NSPR_INCLUDE_DIR=${STAGING_INCDIR_NATIVE}/nspr
+ export NSPR_LIB_DIR=${STAGING_LIBDIR_NATIVE}
+}
+
+do_compile:prepend:class-nativesdk() {
+ export LDFLAGS=""
+}
+
+do_compile:prepend:class-native() {
+ # Need to set RPATH so that chrpath will do its job correctly
+ RPATH="-Wl,-rpath-link,${STAGING_LIBDIR_NATIVE} -Wl,-rpath-link,${STAGING_BASE_LIBDIR_NATIVE} -Wl,-rpath,${STAGING_LIBDIR_NATIVE} -Wl,-rpath,${STAGING_BASE_LIBDIR_NATIVE}"
+}
+
+do_compile() {
+ export NSPR_INCLUDE_DIR=${STAGING_INCDIR}/nspr
+
+ export CROSS_COMPILE=1
+ export NATIVE_CC="${BUILD_CC}"
+ # Additional defines needed on Centos 7
+ export NATIVE_FLAGS="${BUILD_CFLAGS} -DLINUX -Dlinux"
+ export BUILD_OPT=1
+
+ # POSIX.1-2001 states that the behaviour of getcwd() when passing a null
+ # pointer as the buf argument, is unspecified.
+ export NATIVE_FLAGS="${NATIVE_FLAGS} -DGETCWD_CANT_MALLOC"
+
+ export FREEBL_NO_DEPEND=1
+ export FREEBL_LOWHASH=1
+
+ export LIBDIR=${libdir}
+ export MOZILLA_CLIENT=1
+ export NS_USE_GCC=1
+ export NSS_USE_SYSTEM_SQLITE=1
+ export NSS_ENABLE_ECC=1
+ export NSS_ENABLE_WERROR=0
+
+ ${@bb.utils.contains("TUNE_FEATURES", "crypto", "export NSS_USE_ARM_HW_CRYPTO=1", "", d)}
+
+ export OS_RELEASE=3.4
+ export OS_TARGET=Linux
+ export OS_ARCH=Linux
+
+ if [ "${TARGET_ARCH}" = "powerpc" ]; then
+ OS_TEST=ppc
+ elif [ "${TARGET_ARCH}" = "powerpc64" -o "${TARGET_ARCH}" = "powerpc64le" ]; then
+ OS_TEST=ppc64
+ elif [ "${TARGET_ARCH}" = "mips" -o "${TARGET_ARCH}" = "mipsel" -o "${TARGET_ARCH}" = "mips64" -o "${TARGET_ARCH}" = "mips64el" ]; then
+ OS_TEST=mips
+ elif [ "${TARGET_ARCH}" = "aarch64_be" ]; then
+ OS_TEST="aarch64"
+ else
+ OS_TEST="${TARGET_ARCH}"
+ fi
+
+ if [ "${SITEINFO_BITS}" = "64" ]; then
+ export USE_64=1
+ elif [ "${TARGET_ARCH}" = "x86_64" -a "${SITEINFO_BITS}" = "32" ]; then
+ export USE_X32=1
+ fi
+
+ export NSS_DISABLE_GTESTS=1
+ # We can modify CC in the environment, but if we set it via an
+ # argument to make, nsinstall, a host program, will also build with it!
+ #
+ # nss pretty much does its own thing with CFLAGS, so we put them into CC.
+ # Optimization will get clobbered, but most of the stuff will survive.
+ # The motivation for this is to point to the correct place for debug
+ # source files and CFLAGS does that. Nothing uses CCC.
+ #
+ export CC="${CC} ${CFLAGS}"
+ make -C ./nss CCC="${CXX} -g" \
+ OS_TEST=${OS_TEST} \
+ RPATH="${RPATH}" \
+ autobuild
+}
+
+do_compile[vardepsexclude] += "SITEINFO_BITS"
+
+do_install:prepend:class-nativesdk() {
+ export LDFLAGS=""
+}
+
+do_install() {
+ export CROSS_COMPILE=1
+ export NATIVE_CC="${BUILD_CC}"
+ export BUILD_OPT=1
+
+ export FREEBL_NO_DEPEND=1
+
+ export LIBDIR=${libdir}
+ export MOZILLA_CLIENT=1
+ export NS_USE_GCC=1
+ export NSS_USE_SYSTEM_SQLITE=1
+ export NSS_ENABLE_ECC=1
+
+ export OS_RELEASE=3.4
+ export OS_TARGET=Linux
+ export OS_ARCH=Linux
+
+ if [ "${TARGET_ARCH}" = "powerpc" ]; then
+ OS_TEST=ppc
+ elif [ "${TARGET_ARCH}" = "powerpc64" -o "${TARGET_ARCH}" = "powerpc64le" ]; then
+ OS_TEST=ppc64
+ elif [ "${TARGET_ARCH}" = "mips" -o "${TARGET_ARCH}" = "mipsel" -o "${TARGET_ARCH}" = "mips64" -o "${TARGET_ARCH}" = "mips64el" ]; then
+ OS_TEST=mips
+ elif [ "${TARGET_ARCH}" = "aarch64_be" ]; then
+ CPU_ARCH=aarch64
+ OS_TEST="aarch64"
+ else
+ OS_TEST="${TARGET_ARCH}"
+ fi
+ if [ "${SITEINFO_BITS}" = "64" ]; then
+ export USE_64=1
+ elif [ "${TARGET_ARCH}" = "x86_64" -a "${SITEINFO_BITS}" = "32" ]; then
+ export USE_X32=1
+ fi
+
+ export NSS_DISABLE_GTESTS=1
+
+ make -C ./nss \
+ CCC="${CXX}" \
+ OS_TEST=${OS_TEST} \
+ SOURCE_LIB_DIR="${TD}/${libdir}" \
+ SOURCE_BIN_DIR="${TD}/${bindir}" \
+ install
+
+ install -d ${D}/${libdir}/
+ for file in ${S}/dist/*.OBJ/lib/*.so; do
+ echo "Installing `basename $file`..."
+ cp $file ${D}/${libdir}/
+ done
+
+ for shared_lib in ${TD}/${libdir}/*.so.*; do
+ if [ -f $shared_lib ]; then
+ cp $shared_lib ${D}/${libdir}
+ ln -sf $(basename $shared_lib) ${D}/${libdir}/$(basename $shared_lib .1oe)
+ fi
+ done
+ for shared_lib in ${TD}/${libdir}/*.so; do
+ if [ -f $shared_lib -a ! -e ${D}/${libdir}/$shared_lib ]; then
+ cp $shared_lib ${D}/${libdir}
+ fi
+ done
+
+ install -d ${D}/${includedir}/nss3
+ install -m 644 -t ${D}/${includedir}/nss3 dist/public/nss/*
+
+ install -d ${D}/${bindir}
+ for binary in ${TD}/${bindir}/*; do
+ install -m 755 -t ${D}/${bindir} $binary
+ done
+}
+
+do_install[vardepsexclude] += "SITEINFO_BITS"
+
+do_install:append() {
+ # Create empty .chk files for the NSS libraries at build time. They could
+ # be regenerated at target's boot time.
+ for file in libsoftokn3.chk libfreebl3.chk libnssdbm3.chk; do
+ touch ${D}/${libdir}/$file
+ chmod 755 ${D}/${libdir}/$file
+ done
+
+ install -d ${D}${libdir}/pkgconfig/
+ sed 's/%NSS_VERSION%/${PV}/' ${UNPACKDIR}/nss.pc.in | sed 's/%NSPR_VERSION%/4.9.2/' > ${D}${libdir}/pkgconfig/nss.pc
+ sed -i s:OEPREFIX:${prefix}:g ${D}${libdir}/pkgconfig/nss.pc
+ sed -i s:OEEXECPREFIX:${exec_prefix}:g ${D}${libdir}/pkgconfig/nss.pc
+ sed -i s:OELIBDIR:${libdir}:g ${D}${libdir}/pkgconfig/nss.pc
+ sed -i s:OEINCDIR:${includedir}/nss3:g ${D}${libdir}/pkgconfig/nss.pc
+}
+
+do_install:append:class-target() {
+ # It used to call certutil to create a blank certificate with empty password at
+ # build time, but the checksum of key4.db changes every time when certutil is called.
+ # It causes non-determinism issue, so provide databases with a blank certificate
+ # which are originally from output of nss in qemux86-64 build. You can get these
+ # databases by:
+ # certutil -N -d sql:/database/path/ --empty-password
+ install -d ${D}${sysconfdir}/pki/nssdb/
+ install -m 0644 ${UNPACKDIR}/blank-cert9.db ${D}${sysconfdir}/pki/nssdb/cert9.db
+ install -m 0644 ${UNPACKDIR}/blank-key4.db ${D}${sysconfdir}/pki/nssdb/key4.db
+ install -m 0644 ${UNPACKDIR}/system-pkcs11.txt ${D}${sysconfdir}/pki/nssdb/pkcs11.txt
+}
+
+PACKAGE_WRITE_DEPS += "nss-native"
+
+pkg_postinst:${PN} () {
+ for I in $D${libdir}/lib*.chk; do
+ DN=`dirname $I`
+ BN=`basename $I .chk`
+ FN=$DN/$BN.so
+ shlibsign -i $FN
+ if [ $? -ne 0 ]; then
+ echo "shlibsign -i $FN failed"
+ fi
+ done
+}
+
+PACKAGES =+ "${PN}-smime"
+FILES:${PN}-smime = "\
+ ${bindir}/smime \
+"
+
+FILES:${PN} = "\
+ ${sysconfdir} \
+ ${bindir} \
+ ${libdir}/lib*.chk \
+ ${libdir}/lib*.so \
+ "
+
+FILES:${PN}-dev = "\
+ ${libdir}/nss \
+ ${libdir}/pkgconfig/* \
+ ${includedir}/* \
+ "
+
+RDEPENDS:${PN}-smime = "perl"
+
+BBCLASSEXTEND = "native nativesdk"
+
+CVE_PRODUCT += "network_security_services"
+
+CVE_STATUS_GROUPS += "CVE_STATUS_NSS"
+CVE_STATUS_NSS[status] = "not-applicable-config: This only affect the legacy db (libnssdbm), only compiled with --enable-legacy-db"
+CVE_STATUS_NSS = "CVE-2017-11695 CVE-2017-11696 CVE-2017-11697 CVE-2017-11698"
+
+CVE_STATUS[CVE-2022-3479] = "not-applicable-config: vulnerability was introduced in 3.77 and fixed in 3.87"
-- cgit v1.2.3-54-g00ecf
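Review bot: The last line of the new recipe tags CVE-2022-3479 as `not-applicable-config`, but the reason it gives is a version range (introduced in 3.77, fixed in 3.87), and 3.107 is past the fix. The category that matches that reason is `fixed-version`, i.e. `CVE_STATUS[CVE-2022-3479] = "fixed-version: vulnerability was introduced in 3.77 and fixed in 3.87"`, so CVE reports record the issue as fixed by version rather than excluded by build configuration. The `CVE_STATUS_NSS` group just above justifies itself with `--enable-legacy-db`, a switch the make-based `do_compile` in this recipe never passes, while `do_install:append` still creates `libnssdbm3.chk`. Whether libnssdbm is really left out of the 3.107 build cannot be told from the recipe alone, so it is worth confirming before those four CVEs stay excluded.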