Andrew Geissler | 7e0e3c0 | 2022-02-25 20:34:39 +0000 | [diff] [blame] | 1 | SUMMARY = "Mozilla's SSL and TLS implementation" |
| 2 | DESCRIPTION = "Network Security Services (NSS) is a set of libraries \ |
| 3 | designed to support cross-platform development of \ |
| 4 | security-enabled client and server applications. \ |
| 5 | Applications built with NSS can support SSL v2 and v3, \ |
| 6 | TLS, PKCS 5, PKCS 7, PKCS 11, PKCS 12, S/MIME, X.509 \ |
| 7 | v3 certificates, and other security standards." |
| 8 | HOMEPAGE = "http://www.mozilla.org/projects/security/pki/nss/" |
| 9 | SECTION = "libs" |
| 10 | |
| 11 | DEPENDS = "sqlite3 nspr zlib nss-native" |
| 12 | DEPENDS:class-native = "sqlite3-native nspr-native zlib-native" |
| 13 | |
Andrew Geissler | 9aee500 | 2022-03-30 16:27:02 +0000 | [diff] [blame] | 14 | LICENSE = "(MPL-2.0 & MIT) | (MPL-2.0 & GPL-2.0-or-later & MIT) | (MPL-2.0 & LGPL-2.1-or-later & MIT)" |
Andrew Geissler | 7e0e3c0 | 2022-02-25 20:34:39 +0000 | [diff] [blame] | 15 | |
| 16 | LIC_FILES_CHKSUM = "file://nss/COPYING;md5=3b1e88e1b9c0b5a4b2881d46cce06a18 \ |
| 17 | file://nss/lib/freebl/mpi/doc/LICENSE;md5=491f158d09d948466afce85d6f1fe18f \ |
| 18 | file://nss/lib/freebl/mpi/doc/LICENSE-MPL;md5=5d425c8f3157dbf212db2ec53d9e5132 \ |
| 19 | file://nss/lib/freebl/verified/Hacl_Poly1305_256.c;beginline=1;endline=22;md5=d4096c1e4421ee56e9e0f441a8161f78" |
| 20 | |
| 21 | VERSION_DIR = "${@d.getVar('BP').upper().replace('-', '_').replace('.', '_') + '_RTM'}" |
| 22 | |
Andrew Geissler | 517393d | 2023-01-13 08:55:19 -0600 | [diff] [blame] | 23 | SRC_URI = "http://ftp.mozilla.org/pub/security/nss/releases/${VERSION_DIR}/src/${BP}.tar.gz \ |
Andrew Geissler | 7e0e3c0 | 2022-02-25 20:34:39 +0000 | [diff] [blame] | 24 | file://nss.pc.in \ |
| 25 | file://0001-nss-fix-support-cross-compiling.patch \ |
| 26 | file://nss-no-rpath-for-cross-compiling.patch \ |
| 27 | file://nss-fix-incorrect-shebang-of-perl.patch \ |
| 28 | file://disable-Wvarargs-with-clang.patch \ |
| 29 | file://pqg.c-ULL_addend.patch \ |
| 30 | file://blank-cert9.db \ |
| 31 | file://blank-key4.db \ |
| 32 | file://system-pkcs11.txt \ |
| 33 | file://nss-fix-nsinstall-build.patch \ |
| 34 | file://0001-freebl-add-a-configure-option-to-disable-ARM-HW-cryp.patch \ |
Patrick Williams | 8e7b46e | 2023-05-01 14:19:06 -0500 | [diff] [blame] | 35 | file://0001-Bug-1750624-Pin-validation-date-for-PayPalEE-test-ce.patch \ |
Andrew Geissler | 7e0e3c0 | 2022-02-25 20:34:39 +0000 | [diff] [blame] | 36 | " |
| 37 | SRC_URI[sha256sum] = "88928811f9f40f87d42e2eaccdf6e454562e51486067f2ddbe90aa47ea6cd056" |
| 38 | |
| 39 | UPSTREAM_CHECK_URI = "https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_Releases" |
| 40 | UPSTREAM_CHECK_REGEX = "NSS_(?P<pver>.+)_release_notes" |
| 41 | |
| 42 | inherit siteinfo |
| 43 | |
| 44 | TD = "${S}/tentative-dist" |
| 45 | TDS = "${S}/tentative-dist-staging" |
| 46 | |
| 47 | TARGET_CC_ARCH += "${LDFLAGS}" |
| 48 | |
| 49 | CFLAGS:append:class-native = " -D_XOPEN_SOURCE " |
| 50 | |
| 51 | do_configure:prepend:libc-musl () { |
| 52 | sed -i -e '/-DHAVE_SYS_CDEFS_H/d' ${S}/nss/lib/dbm/config/config.mk |
| 53 | } |
| 54 | |
| 55 | do_configure:prepend:powerpc64le:toolchain-clang () { |
| 56 | sed -i -e 's/\-std=c99/\-std=gnu99/g' ${S}/nss/coreconf/command.mk |
| 57 | } |
| 58 | |
| 59 | do_configure:prepend:powerpc64:toolchain-clang () { |
| 60 | sed -i -e 's/\-std=c99/\-std=gnu99/g' ${S}/nss/coreconf/command.mk |
| 61 | } |
| 62 | |
| 63 | do_compile:prepend:class-native() { |
| 64 | export NSPR_INCLUDE_DIR=${STAGING_INCDIR_NATIVE}/nspr |
| 65 | export NSPR_LIB_DIR=${STAGING_LIBDIR_NATIVE} |
| 66 | } |
| 67 | |
| 68 | do_compile:prepend:class-nativesdk() { |
| 69 | export LDFLAGS="" |
| 70 | } |
| 71 | |
| 72 | do_compile:prepend:class-native() { |
| 73 | # Need to set RPATH so that chrpath will do its job correctly |
| 74 | RPATH="-Wl,-rpath-link,${STAGING_LIBDIR_NATIVE} -Wl,-rpath-link,${STAGING_BASE_LIBDIR_NATIVE} -Wl,-rpath,${STAGING_LIBDIR_NATIVE} -Wl,-rpath,${STAGING_BASE_LIBDIR_NATIVE}" |
| 75 | } |
| 76 | |
| 77 | do_compile() { |
| 78 | export NSPR_INCLUDE_DIR=${STAGING_INCDIR}/nspr |
| 79 | |
| 80 | export CROSS_COMPILE=1 |
| 81 | export NATIVE_CC="${BUILD_CC}" |
| 82 | # Additional defines needed on Centos 7 |
| 83 | export NATIVE_FLAGS="${BUILD_CFLAGS} -DLINUX -Dlinux" |
| 84 | export BUILD_OPT=1 |
| 85 | |
| 86 | # POSIX.1-2001 states that the behaviour of getcwd() when passing a null |
| 87 | # pointer as the buf argument, is unspecified. |
| 88 | export NATIVE_FLAGS="${NATIVE_FLAGS} -DGETCWD_CANT_MALLOC" |
| 89 | |
| 90 | export FREEBL_NO_DEPEND=1 |
| 91 | export FREEBL_LOWHASH=1 |
| 92 | |
| 93 | export LIBDIR=${libdir} |
| 94 | export MOZILLA_CLIENT=1 |
| 95 | export NS_USE_GCC=1 |
| 96 | export NSS_USE_SYSTEM_SQLITE=1 |
| 97 | export NSS_ENABLE_ECC=1 |
| 98 | export NSS_ENABLE_WERROR=0 |
| 99 | |
| 100 | ${@bb.utils.contains("TUNE_FEATURES", "crypto", "export NSS_USE_ARM_HW_CRYPTO=1", "", d)} |
| 101 | |
| 102 | export OS_RELEASE=3.4 |
| 103 | export OS_TARGET=Linux |
| 104 | export OS_ARCH=Linux |
| 105 | |
| 106 | if [ "${TARGET_ARCH}" = "powerpc" ]; then |
| 107 | OS_TEST=ppc |
| 108 | elif [ "${TARGET_ARCH}" = "powerpc64" -o "${TARGET_ARCH}" = "powerpc64le" ]; then |
| 109 | OS_TEST=ppc64 |
| 110 | elif [ "${TARGET_ARCH}" = "mips" -o "${TARGET_ARCH}" = "mipsel" -o "${TARGET_ARCH}" = "mips64" -o "${TARGET_ARCH}" = "mips64el" ]; then |
| 111 | OS_TEST=mips |
| 112 | elif [ "${TARGET_ARCH}" = "aarch64_be" ]; then |
| 113 | OS_TEST="aarch64" |
| 114 | else |
| 115 | OS_TEST="${TARGET_ARCH}" |
| 116 | fi |
| 117 | |
| 118 | if [ "${SITEINFO_BITS}" = "64" ]; then |
| 119 | export USE_64=1 |
| 120 | elif [ "${TARGET_ARCH}" = "x86_64" -a "${SITEINFO_BITS}" = "32" ]; then |
| 121 | export USE_X32=1 |
| 122 | fi |
| 123 | |
| 124 | export NSS_DISABLE_GTESTS=1 |
| 125 | # We can modify CC in the environment, but if we set it via an |
| 126 | # argument to make, nsinstall, a host program, will also build with it! |
| 127 | # |
| 128 | # nss pretty much does its own thing with CFLAGS, so we put them into CC. |
| 129 | # Optimization will get clobbered, but most of the stuff will survive. |
| 130 | # The motivation for this is to point to the correct place for debug |
| 131 | # source files and CFLAGS does that. Nothing uses CCC. |
| 132 | # |
| 133 | export CC="${CC} ${CFLAGS}" |
| 134 | make -C ./nss CCC="${CXX} -g" \ |
| 135 | OS_TEST=${OS_TEST} \ |
| 136 | RPATH="${RPATH}" \ |
| 137 | autobuild |
| 138 | } |
| 139 | |
| 140 | do_compile[vardepsexclude] += "SITEINFO_BITS" |
| 141 | |
| 142 | do_install:prepend:class-nativesdk() { |
| 143 | export LDFLAGS="" |
| 144 | } |
| 145 | |
| 146 | do_install() { |
| 147 | export CROSS_COMPILE=1 |
| 148 | export NATIVE_CC="${BUILD_CC}" |
| 149 | export BUILD_OPT=1 |
| 150 | |
| 151 | export FREEBL_NO_DEPEND=1 |
| 152 | |
| 153 | export LIBDIR=${libdir} |
| 154 | export MOZILLA_CLIENT=1 |
| 155 | export NS_USE_GCC=1 |
| 156 | export NSS_USE_SYSTEM_SQLITE=1 |
| 157 | export NSS_ENABLE_ECC=1 |
| 158 | |
| 159 | export OS_RELEASE=3.4 |
| 160 | export OS_TARGET=Linux |
| 161 | export OS_ARCH=Linux |
| 162 | |
| 163 | if [ "${TARGET_ARCH}" = "powerpc" ]; then |
| 164 | OS_TEST=ppc |
| 165 | elif [ "${TARGET_ARCH}" = "powerpc64" -o "${TARGET_ARCH}" = "powerpc64le" ]; then |
| 166 | OS_TEST=ppc64 |
| 167 | elif [ "${TARGET_ARCH}" = "mips" -o "${TARGET_ARCH}" = "mipsel" -o "${TARGET_ARCH}" = "mips64" -o "${TARGET_ARCH}" = "mips64el" ]; then |
| 168 | OS_TEST=mips |
| 169 | elif [ "${TARGET_ARCH}" = "aarch64_be" ]; then |
| 170 | CPU_ARCH=aarch64 |
| 171 | OS_TEST="aarch64" |
| 172 | else |
| 173 | OS_TEST="${TARGET_ARCH}" |
| 174 | fi |
| 175 | if [ "${SITEINFO_BITS}" = "64" ]; then |
| 176 | export USE_64=1 |
| 177 | elif [ "${TARGET_ARCH}" = "x86_64" -a "${SITEINFO_BITS}" = "32" ]; then |
| 178 | export USE_X32=1 |
| 179 | fi |
| 180 | |
| 181 | export NSS_DISABLE_GTESTS=1 |
| 182 | |
| 183 | make -C ./nss \ |
| 184 | CCC="${CXX}" \ |
| 185 | OS_TEST=${OS_TEST} \ |
| 186 | SOURCE_LIB_DIR="${TD}/${libdir}" \ |
| 187 | SOURCE_BIN_DIR="${TD}/${bindir}" \ |
| 188 | install |
| 189 | |
| 190 | install -d ${D}/${libdir}/ |
| 191 | for file in ${S}/dist/*.OBJ/lib/*.so; do |
| 192 | echo "Installing `basename $file`..." |
| 193 | cp $file ${D}/${libdir}/ |
| 194 | done |
| 195 | |
| 196 | for shared_lib in ${TD}/${libdir}/*.so.*; do |
| 197 | if [ -f $shared_lib ]; then |
| 198 | cp $shared_lib ${D}/${libdir} |
| 199 | ln -sf $(basename $shared_lib) ${D}/${libdir}/$(basename $shared_lib .1oe) |
| 200 | fi |
| 201 | done |
| 202 | for shared_lib in ${TD}/${libdir}/*.so; do |
| 203 | if [ -f $shared_lib -a ! -e ${D}/${libdir}/$shared_lib ]; then |
| 204 | cp $shared_lib ${D}/${libdir} |
| 205 | fi |
| 206 | done |
| 207 | |
| 208 | install -d ${D}/${includedir}/nss3 |
| 209 | install -m 644 -t ${D}/${includedir}/nss3 dist/public/nss/* |
| 210 | |
| 211 | install -d ${D}/${bindir} |
| 212 | for binary in ${TD}/${bindir}/*; do |
| 213 | install -m 755 -t ${D}/${bindir} $binary |
| 214 | done |
| 215 | } |
| 216 | |
| 217 | do_install[vardepsexclude] += "SITEINFO_BITS" |
| 218 | |
| 219 | do_install:append() { |
| 220 | # Create empty .chk files for the NSS libraries at build time. They could |
| 221 | # be regenerated at target's boot time. |
| 222 | for file in libsoftokn3.chk libfreebl3.chk libnssdbm3.chk; do |
| 223 | touch ${D}/${libdir}/$file |
| 224 | chmod 755 ${D}/${libdir}/$file |
| 225 | done |
| 226 | |
| 227 | install -d ${D}${libdir}/pkgconfig/ |
| 228 | sed 's/%NSS_VERSION%/${PV}/' ${WORKDIR}/nss.pc.in | sed 's/%NSPR_VERSION%/4.9.2/' > ${D}${libdir}/pkgconfig/nss.pc |
| 229 | sed -i s:OEPREFIX:${prefix}:g ${D}${libdir}/pkgconfig/nss.pc |
| 230 | sed -i s:OEEXECPREFIX:${exec_prefix}:g ${D}${libdir}/pkgconfig/nss.pc |
| 231 | sed -i s:OELIBDIR:${libdir}:g ${D}${libdir}/pkgconfig/nss.pc |
| 232 | sed -i s:OEINCDIR:${includedir}/nss3:g ${D}${libdir}/pkgconfig/nss.pc |
| 233 | } |
| 234 | |
| 235 | do_install:append:class-target() { |
| 236 | # It used to call certutil to create a blank certificate with empty password at |
| 237 | # build time, but the checksum of key4.db changes every time when certutil is called. |
| 238 | # It causes non-determinism issue, so provide databases with a blank certificate |
| 239 | # which are originally from output of nss in qemux86-64 build. You can get these |
| 240 | # databases by: |
| 241 | # certutil -N -d sql:/database/path/ --empty-password |
| 242 | install -d ${D}${sysconfdir}/pki/nssdb/ |
| 243 | install -m 0644 ${WORKDIR}/blank-cert9.db ${D}${sysconfdir}/pki/nssdb/cert9.db |
| 244 | install -m 0644 ${WORKDIR}/blank-key4.db ${D}${sysconfdir}/pki/nssdb/key4.db |
| 245 | install -m 0644 ${WORKDIR}/system-pkcs11.txt ${D}${sysconfdir}/pki/nssdb/pkcs11.txt |
| 246 | } |
| 247 | |
| 248 | PACKAGE_WRITE_DEPS += "nss-native" |
| 249 | |
| 250 | pkg_postinst:${PN} () { |
| 251 | for I in $D${libdir}/lib*.chk; do |
| 252 | DN=`dirname $I` |
| 253 | BN=`basename $I .chk` |
| 254 | FN=$DN/$BN.so |
| 255 | shlibsign -i $FN |
| 256 | if [ $? -ne 0 ]; then |
| 257 | echo "shlibsign -i $FN failed" |
| 258 | fi |
| 259 | done |
| 260 | } |
| 261 | |
| 262 | PACKAGES =+ "${PN}-smime" |
| 263 | FILES:${PN}-smime = "\ |
| 264 | ${bindir}/smime \ |
| 265 | " |
| 266 | |
| 267 | FILES:${PN} = "\ |
| 268 | ${sysconfdir} \ |
| 269 | ${bindir} \ |
| 270 | ${libdir}/lib*.chk \ |
| 271 | ${libdir}/lib*.so \ |
| 272 | " |
| 273 | |
| 274 | FILES:${PN}-dev = "\ |
| 275 | ${libdir}/nss \ |
| 276 | ${libdir}/pkgconfig/* \ |
| 277 | ${includedir}/* \ |
| 278 | " |
| 279 | |
| 280 | RDEPENDS:${PN}-smime = "perl" |
| 281 | |
| 282 | BBCLASSEXTEND = "native nativesdk" |
| 283 | |
Andrew Geissler | 517393d | 2023-01-13 08:55:19 -0600 | [diff] [blame] | 284 | CVE_PRODUCT += "network_security_services" |
| 285 | |
Andrew Geissler | 7e0e3c0 | 2022-02-25 20:34:39 +0000 | [diff] [blame] | 286 | # CVE-2006-5201 affects only Sun Solaris |
| 287 | CVE_CHECK_IGNORE += "CVE-2006-5201" |
Andrew Geissler | 517393d | 2023-01-13 08:55:19 -0600 | [diff] [blame] | 288 | |
| 289 | # CVES CVE-2017-11695 CVE-2017-11696 CVE-2017-11697 CVE-2017-11698 only affect |
| 290 | # the legacy db (libnssdbm), only compiled with --enable-legacy-db. |
| 291 | CVE_CHECK_IGNORE += "CVE-2017-11695 CVE-2017-11696 CVE-2017-11697 CVE-2017-11698" |
Patrick Williams | b542dec | 2023-06-09 01:26:37 -0500 | [diff] [blame] | 292 | |
| 293 | # vulnerability was introduced in 3.77 and fixed in 3.87 |
| 294 | CVE_CHECK_IGNORE += "CVE-2022-3479" |