# Descriptive metadata for the NSS (Network Security Services) recipe.
SUMMARY = "Mozilla's SSL and TLS implementation"
DESCRIPTION = "Network Security Services (NSS) is a set of libraries \
designed to support cross-platform development of \
security-enabled client and server applications. \
Applications built with NSS can support SSL v2 and v3, \
TLS, PKCS 5, PKCS 7, PKCS 11, PKCS 12, S/MIME, X.509 \
v3 certificates, and other security standards."
HOMEPAGE = "http://www.mozilla.org/projects/security/pki/nss/"
SECTION = "libs"

# Build-time dependencies. The target build also pulls in nss-native;
# presumably for host-side NSS tools (shlibsign is run from pkg_postinst
# below) -- confirm.
DEPENDS = "sqlite3 nspr zlib nss-native"
DEPENDS:class-native = "sqlite3-native nspr-native zlib-native"

LICENSE = "(MPL-2.0 & MIT) | (MPL-2.0 & GPL-2.0-or-later & MIT) | (MPL-2.0 & LGPL-2.1-or-later & MIT)"

# The md5 values below only detect changes to the license texts. They are not
# a source-integrity control; that role belongs to SRC_URI[sha256sum].
LIC_FILES_CHKSUM = "file://nss/COPYING;md5=3b1e88e1b9c0b5a4b2881d46cce06a18 \
                    file://nss/lib/freebl/mpi/doc/LICENSE;md5=491f158d09d948466afce85d6f1fe18f \
                    file://nss/lib/freebl/mpi/doc/LICENSE-MPL;md5=5d425c8f3157dbf212db2ec53d9e5132 \
                    file://nss/lib/freebl/verified/Hacl_Poly1305_256.c;beginline=1;endline=22;md5=d4096c1e4421ee56e9e0f441a8161f78"

# Inline Python: upper-cases BP, replaces '-' and '.' with '_' and appends
# '_RTM' to form the upstream release directory name
# (constructed example: a BP of "nss-1.2" becomes "NSS_1_2_RTM").
VERSION_DIR = "${@d.getVar('BP').upper().replace('-', '_').replace('.', '_') + '_RTM'}"

# The release tarball is fetched over plain HTTP, so the only thing that
# authenticates it is SRC_URI[sha256sum] below. When bumping the version, take
# the new digest from a trusted source instead of hashing whatever was
# downloaded over this URL.
# blank-cert9.db and blank-key4.db are prebuilt binary databases carried next
# to the recipe; do_install:append:class-target explains how they were made.
SRC_URI = "http://ftp.mozilla.org/pub/security/nss/releases/${VERSION_DIR}/src/${BP}.tar.gz \
           file://nss.pc.in \
           file://0001-nss-fix-support-cross-compiling.patch \
           file://nss-no-rpath-for-cross-compiling.patch \
           file://nss-fix-incorrect-shebang-of-perl.patch \
           file://disable-Wvarargs-with-clang.patch \
           file://pqg.c-ULL_addend.patch \
           file://blank-cert9.db \
           file://blank-key4.db \
           file://system-pkcs11.txt \
           file://nss-fix-nsinstall-build.patch \
           file://0001-freebl-add-a-configure-option-to-disable-ARM-HW-cryp.patch \
           file://0001-Bug-1750624-Pin-validation-date-for-PayPalEE-test-ce.patch \
           "
SRC_URI[sha256sum] = "88928811f9f40f87d42e2eaccdf6e454562e51486067f2ddbe90aa47ea6cd056"

# Where and how the upstream version check looks for newer releases; the
# named group "pver" captures the version string.
UPSTREAM_CHECK_URI = "https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_Releases"
UPSTREAM_CHECK_REGEX = "NSS_(?P<pver>.+)_release_notes"

# siteinfo supplies SITEINFO_BITS, which do_compile and do_install read.
inherit siteinfo

# Staging directories inside the source tree. do_install points the NSS
# "install" target at TD and then copies from it into ${D}.
TD = "${S}/tentative-dist"
TDS = "${S}/tentative-dist-staging"

# Folds LDFLAGS into the compiler architecture flags; presumably so the
# distro's linker options reach NSS's own link commands -- confirm.
TARGET_CC_ARCH += "${LDFLAGS}"

CFLAGS:append:class-native = " -D_XOPEN_SOURCE "
50
do_configure:prepend:libc-musl () {
    # musl builds only: delete every line mentioning -DHAVE_SYS_CDEFS_H from
    # the dbm config makefile before configuring (presumably because musl
    # does not provide <sys/cdefs.h> -- confirm).
    sed -i '/-DHAVE_SYS_CDEFS_H/d' ${S}/nss/lib/dbm/config/config.mk
}
54
do_configure:prepend:powerpc64le:toolchain-clang () {
    # clang on powerpc64le: build with the GNU C99 dialect instead of strict
    # C99 by rewriting the flag in coreconf/command.mk.
    sed -i 's/\-std=c99/\-std=gnu99/g' ${S}/nss/coreconf/command.mk
}
58
do_configure:prepend:powerpc64:toolchain-clang () {
    # clang on powerpc64: same -std=c99 -> -std=gnu99 rewrite as the
    # powerpc64le variant of this prepend.
    sed -i 's/\-std=c99/\-std=gnu99/g' ${S}/nss/coreconf/command.mk
}
62
do_compile:prepend:class-native() {
    # Native builds: point the NSS makefiles at the NSPR headers and libraries
    # in the native sysroot. The main do_compile body sets NSPR_INCLUDE_DIR
    # again after this prepend has run.
    export NSPR_INCLUDE_DIR=${STAGING_INCDIR_NATIVE}/nspr NSPR_LIB_DIR=${STAGING_LIBDIR_NATIVE}
}
67
do_compile:prepend:class-nativesdk() {
    # nativesdk builds: compile with an empty LDFLAGS in the environment.
    LDFLAGS=""
    export LDFLAGS
}
71
do_compile:prepend:class-native() {
    # Need to set RPATH so that chrpath will do its job correctly
    # RPATH is a plain shell variable here (not exported); do_compile hands it
    # to make on the command line. It embeds the native sysroot library
    # directories as run-time search paths in the native binaries.
    RPATH="-Wl,-rpath-link,${STAGING_LIBDIR_NATIVE} -Wl,-rpath-link,${STAGING_BASE_LIBDIR_NATIVE} -Wl,-rpath,${STAGING_LIBDIR_NATIVE} -Wl,-rpath,${STAGING_BASE_LIBDIR_NATIVE}"
}
76
# Builds NSS with its own Makefile system ("make -C ./nss autobuild").
# All configuration is passed through environment variables and make
# arguments; nothing here runs a configure script.
do_compile() {
    export NSPR_INCLUDE_DIR=${STAGING_INCDIR}/nspr

    # Cross build: host-side helper programs are compiled with the build
    # machine's compiler and flags (NATIVE_CC / NATIVE_FLAGS).
    export CROSS_COMPILE=1
    export NATIVE_CC="${BUILD_CC}"
    # Additional defines needed on Centos 7
    export NATIVE_FLAGS="${BUILD_CFLAGS} -DLINUX -Dlinux"
    export BUILD_OPT=1

    # POSIX.1-2001 states that the behaviour of getcwd() when passing a null
    # pointer as the buf argument, is unspecified.
    # This second export extends the NATIVE_FLAGS value set above, so the two
    # statements must stay in this order.
    export NATIVE_FLAGS="${NATIVE_FLAGS} -DGETCWD_CANT_MALLOC"

    export FREEBL_NO_DEPEND=1
    export FREEBL_LOWHASH=1

    export LIBDIR=${libdir}
    export MOZILLA_CLIENT=1
    export NS_USE_GCC=1
    # Link against the sqlite3 from DEPENDS rather than a bundled copy
    # (going by the variable name -- confirm against the NSS makefiles).
    export NSS_USE_SYSTEM_SQLITE=1
    export NSS_ENABLE_ECC=1
    # Compiler warnings are not treated as errors in this build.
    export NSS_ENABLE_WERROR=0

    # Expanded by BitBake before the shell runs: becomes the export statement
    # when TUNE_FEATURES contains "crypto", otherwise an empty line.
    ${@bb.utils.contains("TUNE_FEATURES", "crypto", "export NSS_USE_ARM_HW_CRYPTO=1", "", d)}

    export OS_RELEASE=3.4
    export OS_TARGET=Linux
    export OS_ARCH=Linux

    # Map the OE target architecture to the CPU name NSS expects in OS_TEST.
    # OS_TEST is not exported; it is passed to make explicitly below.
    if [ "${TARGET_ARCH}" = "powerpc" ]; then
        OS_TEST=ppc
    elif [ "${TARGET_ARCH}" = "powerpc64" -o "${TARGET_ARCH}" = "powerpc64le" ]; then
        OS_TEST=ppc64
    elif [ "${TARGET_ARCH}" = "mips" -o "${TARGET_ARCH}" = "mipsel" -o "${TARGET_ARCH}" = "mips64" -o "${TARGET_ARCH}" = "mips64el" ]; then
        OS_TEST=mips
    elif [ "${TARGET_ARCH}" = "aarch64_be" ]; then
        OS_TEST="aarch64"
    else
        OS_TEST="${TARGET_ARCH}"
    fi

    # Select the 64-bit or x32 build from the word size reported by siteinfo.
    if [ "${SITEINFO_BITS}" = "64" ]; then
        export USE_64=1
    elif [ "${TARGET_ARCH}" = "x86_64" -a "${SITEINFO_BITS}" = "32" ]; then
        export USE_X32=1
    fi

    # The upstream gtest suite is not built.
    export NSS_DISABLE_GTESTS=1
    # We can modify CC in the environment, but if we set it via an
    # argument to make, nsinstall, a host program, will also build with it!
    #
    # nss pretty much does its own thing with CFLAGS, so we put them into CC.
    # Optimization will get clobbered, but most of the stuff will survive.
    # The motivation for this is to point to the correct place for debug
    # source files and CFLAGS does that. Nothing uses CCC.
    #
    export CC="${CC} ${CFLAGS}"
    # RPATH is only assigned by the class-native prepend; for other classes it
    # is presumably empty here -- confirm it is not set elsewhere.
    make -C ./nss CCC="${CXX} -g" \
        OS_TEST=${OS_TEST} \
        RPATH="${RPATH}" \
        autobuild
}
139
# Keep SITEINFO_BITS out of the do_compile task signature even though the
# task body references it.
do_compile[vardepsexclude] += "SITEINFO_BITS"
141
do_install:prepend:class-nativesdk() {
    # nativesdk builds: install with an empty LDFLAGS in the environment,
    # matching the do_compile prepend for the same class.
    LDFLAGS=""
    export LDFLAGS
}
145
# Runs the NSS "install" make target into the tentative-dist tree (TD) and
# then copies shared libraries, public headers and tools from there (and from
# dist/) into the package destination ${D}.
do_install() {
    # Same style of environment-driven configuration as do_compile.
    export CROSS_COMPILE=1 BUILD_OPT=1
    export NATIVE_CC="${BUILD_CC}"
    export FREEBL_NO_DEPEND=1
    export LIBDIR=${libdir}
    export MOZILLA_CLIENT=1 NS_USE_GCC=1
    export NSS_USE_SYSTEM_SQLITE=1 NSS_ENABLE_ECC=1
    export OS_RELEASE=3.4 OS_TARGET=Linux OS_ARCH=Linux
    export NSS_DISABLE_GTESTS=1

    # Translate the OE target architecture into the CPU name NSS uses.
    case "${TARGET_ARCH}" in
        powerpc)
            OS_TEST=ppc
            ;;
        powerpc64|powerpc64le)
            OS_TEST=ppc64
            ;;
        mips|mipsel|mips64|mips64el)
            OS_TEST=mips
            ;;
        aarch64_be)
            # NOTE(review): CPU_ARCH is assigned only in this task, not in
            # do_compile, and is not exported -- confirm it has any effect.
            CPU_ARCH=aarch64
            OS_TEST="aarch64"
            ;;
        *)
            OS_TEST="${TARGET_ARCH}"
            ;;
    esac

    # Word size as reported by siteinfo decides between 64-bit and x32.
    if [ "${SITEINFO_BITS}" = "64" ]; then
        export USE_64=1
    elif [ "${TARGET_ARCH}" = "x86_64" ] && [ "${SITEINFO_BITS}" = "32" ]; then
        export USE_X32=1
    fi

    make -C ./nss CCC="${CXX}" OS_TEST=${OS_TEST} \
        SOURCE_LIB_DIR="${TD}/${libdir}" SOURCE_BIN_DIR="${TD}/${bindir}" \
        install

    # Shared objects straight from the build's dist directory.
    install -d ${D}/${libdir}/
    for file in ${S}/dist/*.OBJ/lib/*.so; do
        echo "Installing `basename $file`..."
        cp $file ${D}/${libdir}/
    done

    # Versioned libraries from TD, each with a symlink whose name drops a
    # trailing ".1oe" suffix.
    for shared_lib in ${TD}/${libdir}/*.so.*; do
        [ -f $shared_lib ] || continue
        cp $shared_lib ${D}/${libdir}
        ln -sf $(basename $shared_lib) ${D}/${libdir}/$(basename $shared_lib .1oe)
    done

    # NOTE(review): $shared_lib is a full path under TD, so the existence
    # test below looks at ${D}/${libdir}/<full TD path> and presumably never
    # finds anything; the copy then always happens. If the intent was "skip
    # libraries that are already installed", the test needs the basename.
    for shared_lib in ${TD}/${libdir}/*.so; do
        if [ -f $shared_lib ] && [ ! -e ${D}/${libdir}/$shared_lib ]; then
            cp $shared_lib ${D}/${libdir}
        fi
    done

    # Public headers.
    install -d ${D}/${includedir}/nss3
    install -m 644 -t ${D}/${includedir}/nss3 dist/public/nss/*

    # Command-line tools.
    install -d ${D}/${bindir}
    for binary in ${TD}/${bindir}/*; do
        install -m 755 -t ${D}/${bindir} $binary
    done
}
216
# Keep SITEINFO_BITS out of the do_install task signature even though the
# task body references it.
do_install[vardepsexclude] += "SITEINFO_BITS"
218
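# Adds placeholder .chk files and the generated pkg-config file to ${D}.
do_install:append() {
    # Create empty .chk files for the NSS libraries at build time. They could
    # be regenerated at target's boot time.
    # The placeholders carry no checksum data until shlibsign has rewritten
    # them (see pkg_postinst), so a library integrity check that reads them
    # cannot succeed before that step has run.
    # NOTE(review): these data files are made executable (755); confirm that
    # something actually requires the execute bit.
    for file in libsoftokn3.chk libfreebl3.chk libnssdbm3.chk; do
        touch ${D}/${libdir}/$file
        chmod 755 ${D}/${libdir}/$file
    done

    # Generate nss.pc from the template with one sed invocation. The previous
    # form piped one sed into another, so a failure to read the template was
    # hidden behind the exit status of the second stage and could leave an
    # empty nss.pc in the package.
    # NOTE(review): the NSPR version written into nss.pc is hard-coded to
    # 4.9.2 and may not match the nspr this recipe builds against -- confirm.
    install -d ${D}${libdir}/pkgconfig/
    sed -e 's/%NSS_VERSION%/${PV}/' \
        -e 's/%NSPR_VERSION%/4.9.2/' \
        -e "s:OEPREFIX:${prefix}:g" \
        -e "s:OEEXECPREFIX:${exec_prefix}:g" \
        -e "s:OELIBDIR:${libdir}:g" \
        -e "s:OEINCDIR:${includedir}/nss3:g" \
        ${WORKDIR}/nss.pc.in > ${D}${libdir}/pkgconfig/nss.pc
}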
234
do_install:append:class-target() {
    # Earlier versions ran certutil at build time to create a blank
    # certificate database with an empty password, but key4.db came out with a
    # different checksum on every run, which made the build non-deterministic.
    # Prebuilt databases, taken from the output of nss in a qemux86-64 build,
    # are installed instead. They can be recreated with:
    # certutil -N -d sql:/database/path/ --empty-password
    #
    # Deployment note: the system key database therefore starts with an empty
    # password and is installed world-readable (0644). Set a password and
    # review the file mode before private keys are stored in it.
    nssdb_dir=${D}${sysconfdir}/pki/nssdb
    install -d $nssdb_dir/
    install -m 0644 ${WORKDIR}/blank-cert9.db $nssdb_dir/cert9.db
    install -m 0644 ${WORKDIR}/blank-key4.db $nssdb_dir/key4.db
    install -m 0644 ${WORKDIR}/system-pkcs11.txt $nssdb_dir/pkcs11.txt
}
247
# pkg_postinst below runs shlibsign; this makes the native NSS tools available
# when the postinstall script is executed on the build host.
PACKAGE_WRITE_DEPS += "nss-native"
249
# Regenerates the .chk files that do_install:append created empty: for every
# lib*.chk under $D${libdir}, shlibsign is run on the matching .so.
pkg_postinst:${PN} () {
    for I in $D${libdir}/lib*.chk; do
        DN=`dirname $I`
        BN=`basename $I .chk`
        FN=$DN/$BN.so
        shlibsign -i $FN
        # A failure is only reported on stdout; the loop carries on and the
        # .chk file stays as it was (empty on first install). Where the
        # library integrity check is enforced this presumably leaves the
        # library unusable -- confirm, and watch postinstall logs for this
        # message.
        # NOTE(review): if the generated script runs under "set -e", the
        # failing shlibsign call ends the script before this test is reached
        # -- confirm.
        if [ $? -ne 0 ]; then
            echo "shlibsign -i $FN failed"
        fi
    done
}
261
# The smime script gets its own package so that the perl runtime dependency
# (RDEPENDS below) is not forced on every NSS user.
PACKAGES =+ "${PN}-smime"
FILES:${PN}-smime = "\
    ${bindir}/smime \
"

# The main package ships the tools, the /etc content (system NSS database),
# the unversioned lib*.so files and their .chk companions.
FILES:${PN} = "\
    ${sysconfdir} \
    ${bindir} \
    ${libdir}/lib*.chk \
    ${libdir}/lib*.so \
    "

FILES:${PN}-dev = "\
    ${libdir}/nss \
    ${libdir}/pkgconfig/* \
    ${includedir}/* \
    "

RDEPENDS:${PN}-smime = "perl"

BBCLASSEXTEND = "native nativesdk"

# Additional product name to match against when scanning for CVEs.
CVE_PRODUCT += "network_security_services"

# CVE-2006-5201 affects only Sun Solaris
CVE_CHECK_IGNORE += "CVE-2006-5201"

# CVE-2017-11695, CVE-2017-11696, CVE-2017-11697 and CVE-2017-11698 only
# affect the legacy db (libnssdbm), only compiled with --enable-legacy-db.
# NOTE(review): this recipe drives the Makefile build rather than passing
# configure-style options, patches nss/lib/dbm for musl and creates
# libnssdbm3.chk in do_install:append. Confirm that libnssdbm3.so is really
# absent from the packaged output before relying on this ignore.
CVE_CHECK_IGNORE += "CVE-2017-11695 CVE-2017-11696 CVE-2017-11697 CVE-2017-11698"

# vulnerability was introduced in 3.77 and fixed in 3.87
# The ignore is only valid while the version built here lies outside that
# range; re-check it on every version bump.
CVE_CHECK_IGNORE += "CVE-2022-3479"