Diffstat (limited to 'poky/meta/recipes-support/nss')
-rw-r--r--poky/meta/recipes-support/nss/nss/0001-Bug-1437734-Use-snprintf-in-sign.c-r-ttaubert.patch119
-rw-r--r--poky/meta/recipes-support/nss/nss/Fix-compilation-for-X32.patch33
-rw-r--r--poky/meta/recipes-support/nss/nss/blank-cert9.dbbin0 -> 28672 bytes
-rw-r--r--poky/meta/recipes-support/nss/nss/blank-key4.dbbin0 -> 36864 bytes
-rw-r--r--poky/meta/recipes-support/nss/nss/disable-Wvarargs-with-clang.patch8
-rw-r--r--poky/meta/recipes-support/nss/nss/nss-build-hacl-poly1305-aarch64.patch30
-rw-r--r--poky/meta/recipes-support/nss/nss/pqg.c-ULL_addend.patch8
-rw-r--r--poky/meta/recipes-support/nss/nss/system-pkcs11.txt5
-rw-r--r--poky/meta/recipes-support/nss/nss_3.39.bb (renamed from poky/meta/recipes-support/nss/nss_3.35.bb)31
9 files changed, 33 insertions, 201 deletions
diff --git a/poky/meta/recipes-support/nss/nss/0001-Bug-1437734-Use-snprintf-in-sign.c-r-ttaubert.patch b/poky/meta/recipes-support/nss/nss/0001-Bug-1437734-Use-snprintf-in-sign.c-r-ttaubert.patch
deleted file mode 100644
index bc10f3385..000000000
--- a/poky/meta/recipes-support/nss/nss/0001-Bug-1437734-Use-snprintf-in-sign.c-r-ttaubert.patch
+++ /dev/null
@@ -1,119 +0,0 @@
-From 6f7d7be9997ba6727a5ad7c3800df9051160dc12 Mon Sep 17 00:00:00 2001
-From: Martin Thomson <martin.thomson@gmail.com>
-Date: Tue, 13 Feb 2018 12:30:58 +1100
-Subject: [PATCH] Bug 1437734 - Use snprintf in sign.c, r=ttaubert
-
---HG--
-extra : rebase_source : 97921ece71ff86b18d32b891591608290eed4d83
----
-Signed-off-by: Khem Raj <raj.khem@gmail.com>
-Upstream-Status: Backport [https://github.com/nss-dev/nss/commit/0a9078b3cde97add7c825c9d13467a8401ad0c88#diff-b42512151dc137537091f823f7701804.patch]
-
- nss/cmd/signtool/sign.c | 58 ++++++++++++++++++++++++++++++++++++++++---------
- 1 file changed, 48 insertions(+), 10 deletions(-)
-
-diff --git a/nss/cmd/signtool/sign.c b/nss/cmd/signtool/sign.c
-index 6e776069a..6f8e43946 100644
---- a/nss/cmd/signtool/sign.c
-+++ b/nss/cmd/signtool/sign.c
-@@ -43,6 +43,7 @@ SignArchive(char *tree, char *keyName, char *zip_file, int javascript,
- int status;
- char tempfn[FNSIZE], fullfn[FNSIZE];
- int keyType = rsaKey;
-+ int count;
-
- metafile = meta_file;
- optimize = _optimize;
-@@ -81,9 +82,18 @@ SignArchive(char *tree, char *keyName, char *zip_file, int javascript,
- }
-
- /* rsa/dsa to zip */
-- sprintf(tempfn, "META-INF/%s.%s", base, (keyType == dsaKey ? "dsa"
-- : "rsa"));
-- sprintf(fullfn, "%s/%s", tree, tempfn);
-+ count = snprintf(tempfn, sizeof(tempfn), "META-INF/%s.%s", base, (keyType == dsaKey ? "dsa" : "rsa"));
-+ if (count >= sizeof(tempfn)) {
-+ PR_fprintf(errorFD, "unable to write key metadata\n");
-+ errorCount++;
-+ exit(ERRX);
-+ }
-+ count = snprintf(fullfn, sizeof(fullfn), "%s/%s", tree, tempfn);
-+ if (count >= sizeof(fullfn)) {
-+ PR_fprintf(errorFD, "unable to write key metadata\n");
-+ errorCount++;
-+ exit(ERRX);
-+ }
- JzipAdd(fullfn, tempfn, zipfile, compression_level);
-
- /* Loop through all files & subdirectories, add to archive */
-@@ -93,20 +103,44 @@ SignArchive(char *tree, char *keyName, char *zip_file, int javascript,
- }
- /* mf to zip */
- strcpy(tempfn, "META-INF/manifest.mf");
-- sprintf(fullfn, "%s/%s", tree, tempfn);
-+ count = snprintf(fullfn, sizeof(fullfn), "%s/%s", tree, tempfn);
-+ if (count >= sizeof(fullfn)) {
-+ PR_fprintf(errorFD, "unable to write manifest\n");
-+ errorCount++;
-+ exit(ERRX);
-+ }
- JzipAdd(fullfn, tempfn, zipfile, compression_level);
-
- /* sf to zip */
-- sprintf(tempfn, "META-INF/%s.sf", base);
-- sprintf(fullfn, "%s/%s", tree, tempfn);
-+ count = snprintf(tempfn, sizeof(tempfn), "META-INF/%s.sf", base);
-+ if (count >= sizeof(tempfn)) {
-+ PR_fprintf(errorFD, "unable to write sf metadata\n");
-+ errorCount++;
-+ exit(ERRX);
-+ }
-+ count = snprintf(fullfn, sizeof(fullfn), "%s/%s", tree, tempfn);
-+ if (count >= sizeof(fullfn)) {
-+ PR_fprintf(errorFD, "unable to write sf metadata\n");
-+ errorCount++;
-+ exit(ERRX);
-+ }
- JzipAdd(fullfn, tempfn, zipfile, compression_level);
-
- /* Add the rsa/dsa file to the zip archive normally */
- if (!xpi_arc) {
- /* rsa/dsa to zip */
-- sprintf(tempfn, "META-INF/%s.%s", base, (keyType == dsaKey ? "dsa"
-- : "rsa"));
-- sprintf(fullfn, "%s/%s", tree, tempfn);
-+ count = snprintf(tempfn, sizeof(tempfn), "META-INF/%s.%s", base, (keyType == dsaKey ? "dsa" : "rsa"));
-+ if (count >= sizeof(tempfn)) {
-+ PR_fprintf(errorFD, "unable to write key metadata\n");
-+ errorCount++;
-+ exit(ERRX);
-+ }
-+ count = snprintf(fullfn, sizeof(fullfn), "%s/%s", tree, tempfn);
-+ if (count >= sizeof(fullfn)) {
-+ PR_fprintf(errorFD, "unable to write key metadata\n");
-+ errorCount++;
-+ exit(ERRX);
-+ }
- JzipAdd(fullfn, tempfn, zipfile, compression_level);
- }
-
-@@ -408,6 +442,7 @@ static int
- manifesto_xpi_fn(char *relpath, char *basedir, char *reldir, char *filename, void *arg)
- {
- char fullname[FNSIZE];
-+ int count;
-
- if (verbosity >= 0) {
- PR_fprintf(outputFD, "--> %s\n", relpath);
-@@ -421,7 +456,10 @@ manifesto_xpi_fn(char *relpath, char *basedir, char *reldir, char *filename, voi
- if (!PL_HashTableLookup(extensions, ext))
- return 0;
- }
-- sprintf(fullname, "%s/%s", basedir, relpath);
-+ count = snprintf(fullname, sizeof(fullname), "%s/%s", basedir, relpath);
-+ if (count >= sizeof(fullname)) {
-+ return 1;
-+ }
- JzipAdd(fullname, relpath, zipfile, compression_level);
-
- return 0;
diff --git a/poky/meta/recipes-support/nss/nss/Fix-compilation-for-X32.patch b/poky/meta/recipes-support/nss/nss/Fix-compilation-for-X32.patch
deleted file mode 100644
index 80b86908e..000000000
--- a/poky/meta/recipes-support/nss/nss/Fix-compilation-for-X32.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-From c8eadfcdfbc1d5a4799e9a264b0f859cb5954c05 Mon Sep 17 00:00:00 2001
-From: Christopher Larson <chris_larson@mentor.com>
-Date: Tue, 13 Dec 2016 11:40:47 -0700
-Subject: [PATCH 7/7] Fix compilation for X32
-
-X32 uses 32-bit pointers, not 64-bit.
-
-Signed-off-by: Christopher Larson <chris_larson@mentor.com>
-
-Upstream-Status: Pending
----
- nss/lib/freebl/poly1305-donna-x64-sse2-incremental-source.c | 4 ++++
- 1 file changed, 4 insertions(+)
-
-diff --git a/nss/lib/freebl/poly1305-donna-x64-sse2-incremental-source.c b/nss/lib/freebl/poly1305-donna-x64-sse2-incremental-source.c
-index 2a3301e..d4ade41 100644
---- a/nss/lib/freebl/poly1305-donna-x64-sse2-incremental-source.c
-+++ b/nss/lib/freebl/poly1305-donna-x64-sse2-incremental-source.c
-@@ -87,7 +87,11 @@ static poly1305_state_internal INLINE
- *
- poly1305_aligned_state(poly1305_state *state)
- {
-+#ifdef __ILP32__
-+ return (poly1305_state_internal *)(((uint32_t)state + 63) & ~63);
-+#else
- return (poly1305_state_internal *)(((uint64_t)state + 63) & ~63);
-+#endif
- }
-
- /* copy 0-63 bytes */
---
-2.8.0
-
diff --git a/poky/meta/recipes-support/nss/nss/blank-cert9.db b/poky/meta/recipes-support/nss/nss/blank-cert9.db
new file mode 100644
index 000000000..7d4bcf258
--- /dev/null
+++ b/poky/meta/recipes-support/nss/nss/blank-cert9.db
Binary files differ
diff --git a/poky/meta/recipes-support/nss/nss/blank-key4.db b/poky/meta/recipes-support/nss/nss/blank-key4.db
new file mode 100644
index 000000000..d47f08d04
--- /dev/null
+++ b/poky/meta/recipes-support/nss/nss/blank-key4.db
Binary files differ
diff --git a/poky/meta/recipes-support/nss/nss/disable-Wvarargs-with-clang.patch b/poky/meta/recipes-support/nss/nss/disable-Wvarargs-with-clang.patch
index 86b1b6055..de812d27b 100644
--- a/poky/meta/recipes-support/nss/nss/disable-Wvarargs-with-clang.patch
+++ b/poky/meta/recipes-support/nss/nss/disable-Wvarargs-with-clang.patch
@@ -18,11 +18,11 @@ for more details
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Upstream-Status: Pending
-Index: nss-3.24/nss/coreconf/Werror.mk
+Index: nss-3.37.1/nss/coreconf/Werror.mk
===================================================================
---- nss-3.24.orig/nss/coreconf/Werror.mk
-+++ nss-3.24/nss/coreconf/Werror.mk
-@@ -54,7 +54,7 @@ ifndef WARNING_CFLAGS
+--- nss-3.37.1.orig/nss/coreconf/Werror.mk
++++ nss-3.37.1/nss/coreconf/Werror.mk
+@@ -56,7 +56,7 @@ ifndef WARNING_CFLAGS
ifdef CC_IS_CLANG
# -Qunused-arguments : clang objects to arguments that it doesn't understand
# and fixing this would require rearchitecture
diff --git a/poky/meta/recipes-support/nss/nss/nss-build-hacl-poly1305-aarch64.patch b/poky/meta/recipes-support/nss/nss/nss-build-hacl-poly1305-aarch64.patch
deleted file mode 100644
index 8276f89e8..000000000
--- a/poky/meta/recipes-support/nss/nss/nss-build-hacl-poly1305-aarch64.patch
+++ /dev/null
@@ -1,30 +0,0 @@
-# HG changeset patch
-# User Daiki Ueno <dueno@redhat.com>
-# Date 1516710574 -3600
-# Tue Jan 23 13:29:34 2018 +0100
-# Node ID 27f27ce21c2c6ff5a47fa9e17c438b000366c9c9
-# Parent be1dca5ac80541d3b81a8da9d42854d8b1cceefb
-Build Hacl_Poly1305_64.o on aarch64 even with make
-
-Upstream-Status: Backport
-https://bug1432455.bmoattachments.org/attachment.cgi?id=8944691
-Signed-off-by: Armin Kuster <akuster@mvista.com>
-
-Index: nss-3.35/nss/lib/freebl/Makefile
-===================================================================
---- nss-3.35.orig/nss/lib/freebl/Makefile
-+++ nss-3.35/nss/lib/freebl/Makefile
-@@ -533,7 +533,12 @@ ifndef NSS_DISABLE_CHACHAPOLY
- EXTRA_SRCS += chacha20_vec.c
- endif
- else
-- EXTRA_SRCS += poly1305.c
-+ ifeq ($(CPU_ARCH),aarch64)
-+ EXTRA_SRCS += Hacl_Poly1305_64.c
-+ else
-+ EXTRA_SRCS += poly1305.c
-+ endif
-+
- EXTRA_SRCS += chacha20.c
- VERIFIED_SRCS += Hacl_Chacha20.c
- endif # x86_64
diff --git a/poky/meta/recipes-support/nss/nss/pqg.c-ULL_addend.patch b/poky/meta/recipes-support/nss/nss/pqg.c-ULL_addend.patch
index 9942bf192..3a817faaa 100644
--- a/poky/meta/recipes-support/nss/nss/pqg.c-ULL_addend.patch
+++ b/poky/meta/recipes-support/nss/nss/pqg.c-ULL_addend.patch
@@ -6,11 +6,11 @@ pqg.c:339:16: error: comparison of constant 18446744073709551615 with expression
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Upstream-Status: Pending
-Index: nss-3.24/nss/lib/freebl/pqg.c
+Index: nss-3.37.1/nss/lib/freebl/pqg.c
===================================================================
---- nss-3.24.orig/nss/lib/freebl/pqg.c
-+++ nss-3.24/nss/lib/freebl/pqg.c
-@@ -322,8 +322,8 @@ generate_h_candidate(SECItem *hit, mp_in
+--- nss-3.37.1.orig/nss/lib/freebl/pqg.c
++++ nss-3.37.1/nss/lib/freebl/pqg.c
+@@ -326,8 +326,8 @@ generate_h_candidate(SECItem *hit, mp_in
static SECStatus
addToSeed(const SECItem *seed,
diff --git a/poky/meta/recipes-support/nss/nss/system-pkcs11.txt b/poky/meta/recipes-support/nss/nss/system-pkcs11.txt
new file mode 100644
index 000000000..1a264e9cc
--- /dev/null
+++ b/poky/meta/recipes-support/nss/nss/system-pkcs11.txt
@@ -0,0 +1,5 @@
+library=
+name=NSS Internal PKCS #11 Module
+parameters=configdir='sql:/etc/pki/nssdb' certPrefix='' keyPrefix='' secmod='secmod.db' flags= updatedir='' updateCertPrefix='' updateKeyPrefix='' updateid='' updateTokenDescription=''
+NSS=Flags=internal,critical trustOrder=75 cipherOrder=100 slotParams=(1={slotFlags=[ECC,RSA,DSA,DH,RC2,RC4,DES,RANDOM,SHA1,MD5,MD2,SSL,TLS,AES,Camellia,SEED,SHA256,SHA512] askpw=any timeout=30})
+
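Review bot: The new `system-pkcs11.txt` is installed as the system-wide `/etc/pki/nssdb/pkcs11.txt`, but neither this file nor the recipe says where its contents came from or why these values were chosen. The `slotFlags` list still names legacy mechanisms (`RC2`, `RC4`, `DES`, `MD5`, `MD2`). These flags appear only to mark the internal slot as the default provider rather than to act as an algorithm policy, but that deserves a sentence for the next auditor. `library=` is empty and `secmod='secmod.db'` sits next to a `sql:` configdir, and both look copied from a distribution default. I would add a comment in the recipe next to the `install` line, such as `# pkcs11.txt: module configuration for the internal softoken; values taken from <source>, slotFlags are default-provider hints only`, with the real origin filled in.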
diff --git a/poky/meta/recipes-support/nss/nss_3.35.bb b/poky/meta/recipes-support/nss/nss_3.39.bb
index 84f1916f3..cdc95c621 100644
--- a/poky/meta/recipes-support/nss/nss_3.35.bb
+++ b/poky/meta/recipes-support/nss/nss_3.39.bb
@@ -25,13 +25,13 @@ SRC_URI = "http://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/${VERSIO
file://nss-fix-nsinstall-build.patch \
file://disable-Wvarargs-with-clang.patch \
file://pqg.c-ULL_addend.patch \
- file://Fix-compilation-for-X32.patch \
- file://nss-build-hacl-poly1305-aarch64.patch \
- file://0001-Bug-1437734-Use-snprintf-in-sign.c-r-ttaubert.patch \
+ file://blank-cert9.db \
+ file://blank-key4.db \
+ file://system-pkcs11.txt \
"
-SRC_URI[md5sum] = "9467ec9e65c5aeb3254a50250490f5f7"
-SRC_URI[sha256sum] = "f4127de09bede39f5fd0f789d33c3504c5d261e69ea03022d46b319b3e32f6fa"
+SRC_URI[md5sum] = "10720fc70fd483de1b085402fb10ed59"
+SRC_URI[sha256sum] = "6be64dd76f212415cc8bc34343ac1e7389048db4db9a023a84873c411dc5864b"
UPSTREAM_CHECK_URI = "https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_Releases"
UPSTREAM_CHECK_REGEX = "NSS_(?P<pver>.+)_release_notes"
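Review bot: Removing `0001-Bug-1437734-Use-snprintf-in-sign.c-r-ttaubert.patch` from `SRC_URI` is only safe if the 3.39 tarball already contains the bounded `snprintf` calls in `cmd/signtool/sign.c`. The patch was marked Backport, so that is presumably the case, but nothing visible here states it. `Fix-compilation-for-X32.patch` was still `Upstream-Status: Pending` when it was removed. The commit message should say, for each dropped patch, whether it was merged upstream or made obsolete by a source change. Separately, the hunk header shows the tarball is still fetched over `http://`, so the updated `SRC_URI[sha256sum]` is the only integrity control on the download; the `SRC_URI[md5sum]` line adds nothing to it, and switching the scheme to `https://` would be a cheap extra layer.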
@@ -91,6 +91,8 @@ do_compile() {
OS_TEST=ppc64
elif [ "${TARGET_ARCH}" = "mips" -o "${TARGET_ARCH}" = "mipsel" -o "${TARGET_ARCH}" = "mips64" -o "${TARGET_ARCH}" = "mips64el" ]; then
OS_TEST=mips
+ elif [ "${TARGET_ARCH}" = "aarch64_be" ]; then
+ OS_TEST="aarch64"
else
OS_TEST="${TARGET_ARCH}"
fi
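Review bot: The `aarch64_be` branch added to do_compile sets only `OS_TEST="aarch64"`, while the matching branch added to do_install in the next hunk also sets `CPU_ARCH=aarch64`. Unless `CPU_ARCH` is assigned elsewhere in do_compile, outside this hunk, the two tasks hand different architecture values to the NSS makefiles on big-endian aarch64. The makefile fragment in the removed `nss-build-hacl-poly1305-aarch64.patch` shows `CPU_ARCH` selecting which freebl sources are built. If the difference is intended, a one-line comment in both branches should say why; otherwise add `CPU_ARCH=aarch64` here as well. The new branches also quote the value (`OS_TEST="aarch64"`) where the neighbouring ones do not (`OS_TEST=mips`). Both functions begin and end outside the hunks shown.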
@@ -146,6 +148,9 @@ do_install() {
OS_TEST=ppc64
elif [ "${TARGET_ARCH}" = "mips" -o "${TARGET_ARCH}" = "mipsel" -o "${TARGET_ARCH}" = "mips64" -o "${TARGET_ARCH}" = "mips64el" ]; then
OS_TEST=mips
+ elif [ "${TARGET_ARCH}" = "aarch64_be" ]; then
+ CPU_ARCH=aarch64
+ OS_TEST="aarch64"
else
OS_TEST="${TARGET_ARCH}"
fi
@@ -210,12 +215,16 @@ do_install_append() {
}
do_install_append_class-target() {
- # Create a blank certificate
- mkdir -p ${D}${sysconfdir}/pki/nssdb/
- touch ./empty_password
- certutil -N -d ${D}${sysconfdir}/pki/nssdb/ -f ./empty_password
- chmod 644 ${D}${sysconfdir}/pki/nssdb/*.db
- rm ./empty_password
+ # It used to call certutil to create a blank certificate with empty password at
+ # build time, but the checksum of key4.db changes every time when certutil is called.
+ # It causes non-determinism issue, so provide databases with a blank certificate
+ # which are originally from output of nss in qemux86-64 build. You can get these
+ # databases by:
+ # certutil -N -d sql:/database/path/ --empty-password
+ install -d ${D}${sysconfdir}/pki/nssdb/
+ install -m 0644 ${WORKDIR}/blank-cert9.db ${D}${sysconfdir}/pki/nssdb/cert9.db
+ install -m 0644 ${WORKDIR}/blank-key4.db ${D}${sysconfdir}/pki/nssdb/key4.db
+ install -m 0644 ${WORKDIR}/system-pkcs11.txt ${D}${sysconfdir}/pki/nssdb/pkcs11.txt
}
PACKAGE_WRITE_DEPS += "nss-native"
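Review bot: The `blank-cert9.db` and `blank-key4.db` files installed by `do_install_append_class-target` are opaque binaries whose only recorded provenance is the comment "originally from output of nss in qemux86-64 build". The comment should also record the nss version that produced them and a digest of each file, so that a later replacement of the blobs is visible in review. Whatever per-database random material made `key4.db` differ between `certutil` runs (presumably a salt) is now identical on every image built from this recipe. That trade-off for reproducibility should be stated in the comment rather than left implicit. `key4.db` is still installed world-readable with `-m 0644`, matching the old `chmod 644`, which is acceptable only while the database stays empty with an empty password.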