| Age | Commit message (Collapse) | Author | Files |
|---|
|
Rpm use nss as digest crypto library and which will cause an error as follows:
error: test-manual-1.2.3-20181012.noarch.rpm: Header SHA1 digest: BAD (Expected
f1deb7dc4a10742d88ccd1e967dbc62ae45095a5 !=4ad9d7dad6d70d6086eefec62612ad5d77f2fe81) => this value is wrong
error: test-manual-1.2.3-20181012.noarch.rpm: not an rpm package (or package manifest)
The error is caused by SHA_HTONL in nss, for there is no need to reverse the host value for arm 32be, so fix it.
Signed-off-by: Zheng Ruoqin <zhengrq.fnst@cn.fujitsu.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
|
see: https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.39_release_notes
Signed-off-by: Armin Kuster <akuster@mvista.com>
|
|
It uses certutil from nss to create a blank certificate. But the
checksum of database file key4.db changes every time:
$ certutil -N -d sql:. --empty-password
$ md5sum *
f9dac2cfcb07cc8ca6db442a9a570906 cert9.db
b892c5ff7c1977d4728240b0cf628377 key4.db
7b9136cb03f07ae62eb213a5239fda71 pkcs11.txt
$ rm *
$ certutil -N -d sql:. --empty-password
$ md5sum *
f9dac2cfcb07cc8ca6db442a9a570906 cert9.db
405d55178e866a115c1aa975fccfa764 key4.db
7b9136cb03f07ae62eb213a5239fda71 pkcs11.txt
Provide pre-created databases with a blank certificate to fix
non-determinism issue. And these database files are from nss qemux86-64
build.
Signed-off-by: Kai Kang <kai.kang@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
- Explicitly requests the newer database `sql:' rather than
retrieved from NSS_DEFAULT_DB_TYPE
- Removes build path prefix from pkcs11.txt
Refers certutil manual:
[certutil manual]
-d [prefix]directory
Specify the database directory containing the certificate and key database files.
certutil supports two types of databases: the legacy security databases (cert8.db,
key3.db, and secmod.db) and new SQLite databases (cert9.db, key4.db, and pkcs11.txt).
NSS recognizes the following prefixes:
sql: requests the newer database
dbm: requests the legacy database
If no prefix is specified the default type is retrieved from NSS_DEFAULT_DB_TYPE.
If NSS_DEFAULT_DB_TYPE is not set then dbm: is the default.
[certutil manual]
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
remove patch now included in release.
includes: CVE-2018-0495
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
remove Fix-compilation-for-X32.patch as a solution simular is included in update.
notable changes:
The TLS 1.3 implementation was updated to Draft 28.
The CA certificates list was updated to version 2.24.
refresh patches
fix 32 bit build error nss bug: https://bugzilla.mozilla.org/show_bug.cgi?format=default&id=1459739
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Signed-off-by: Lei Maohui <leimaohui@cn.fujitsu.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
removed patches included in update:
0001-Bug-1437734-Use-snprintf-in-sign.c-r-ttaubert.patch
nss-build-hacl-poly1305-aarch64.patch
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
Fies security warnings
| sign.c:86:31: error: 'sprintf' may write a terminating nul past the end of the destination [-Werror=format-overflow=]
| sprintf(fullfn, "%s/%s", tree, tempfn);
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
The following CA certificate was Re-Added. It was removed in NSS 3.34, but has been re-added with only the Email trust bit set. (bug 1418678)
CN = Certum CA, O=Unizeto Sp. z o.o.
SHA-256 Fingerprint: D8:E0:FE:BC:1D:B2:E3:8D:00:94:0F:37:D2:7D:41:34:4D:99:3E:73:4B:99:D5:65:6D:97:78:D4:D8:14:36:24
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
for more info see:
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.34_release_notes
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
nss ignores CFLAGS so we suggest them via CC.
Signed-off-by: Joe Slater <jslater@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.33_release_notes
* TLS compression is no longer supported. API calls that attempt to enable compression are accepted without failure. However, TLS compression will remain disabled.
* This version of NSS uses a formally verified implementation of Curve25519 on 64-bit systems.
* The compile time flag DISABLE_ECC has been removed.
* When NSS is compiled without NSS_FORCE_FIPS=1 startup checks are not performed anymore.
* Fixes CVE-2017-7805, a potential use-after-free in TLS 1.2 server when verifying client authentication
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.32_release_notes
The Websites (TLS/SSL) trust bit was turned off for the following root certificates.
* CN = AddTrust Class 1 CA Root
SHA-256 Fingerprint: 8C:72:09:27:9A:C0:4E:27:5E:16:D0:7F:D3:B7:75:E8:01:54:B5:96:80:46:E3:1F:52:DD:25:76:63:24:E9:A7
* CN = Swisscom Root CA 2
SHA-256 Fingerprint: F0:9B:12:2C:71:14:F4:A0:9B:D4:EA:4F:4A:99:D5:58:B4:6E:4C:25:CD:81:14:0D:29:C0:56:13:91:4C:38:41
The following CA certificates were Removed:
* CN = AddTrust Public CA Root
SHA-256 Fingerprint: 07:91:CA:07:49:B2:07:82:AA:D3:C7:D7:BD:0C:DF:C9:48:58:35:84:3E:B2:D7:99:60:09:CE:43:AB:6C:69:27
* CN = AddTrust Qualified CA Root
SHA-256 Fingerprint: 80:95:21:08:05:DB:4B:BC:35:5E:44:28:D8:FD:6E:C2:CD:E3:AB:5F:B9:7A:99:42:98:8E:B8:F4:DC:D0:60:16
* CN = China Internet Network Information Center EV Certificates Root
SHA-256 Fingerprint: 1C:01:C6:F4:DB:B2:FE:FC:22:55:8B:2B:CA:32:56:3F:49:84:4A:CF:C3:2B:7B:E4:B0:FF:59:9F:9E:8C:7A:F7
* CN = CNNIC ROOT
SHA-256 Fingerprint: E2:83:93:77:3D:A8:45:A6:79:F2:08:0C:C7:FB:44:A3:B7:A1:C3:79:2C:B7:EB:77:29:FD:CB:6A:8D:99:AE:A7
* CN = ComSign Secured CA
SHA-256 Fingerprint: 50:79:41:C7:44:60:A0:B4:70:86:22:0D:4E:99:32:57:2A:B5:D1:B5:BB:CB:89:80:AB:1C:B1:76:51:A8:44:D2
* CN = GeoTrust Global CA 2
SHA-256 Fingerprint: CA:2D:82:A0:86:77:07:2F:8A:B6:76:4F:F0:35:67:6C:FE:3E:5E:32:5E:01:21:72:DF:3F:92:09:6D:B7:9B:85
* CN = Secure Certificate Services
SHA-256 Fingerprint: BD:81:CE:3B:4F:65:91:D1:1A:67:B5:FC:7A:47:FD:EF:25:52:1B:F9:AA:4E:18:B9:E3:DF:2E:34:A7:80:3B:E8
* CN = Swisscom Root CA 1
SHA-256 Fingerprint: 21:DB:20:12:36:60:BB:2E:D4:18:20:5D:A1:1E:E7:A8:5A:65:E2:BC:6E:55:B5:AF:7E:78:99:C8:A2:66:D9:2E
* CN = Swisscom Root EV CA 2
SHA-256 Fingerprint: D9:5F:EA:3C:A4:EE:DC:E7:4C:D7:6E:75:FC:6D:1F:F6:2C:44:1F:0F:A8:BC:77:F0:34:B1:9E:5D:B2:58:01:5D
* CN = Trusted Certificate Services
SHA-256 Fingerprint: 3F:06:E5:56:81:D4:96:F5:BE:16:9E:B5:38:9F:9F:2B:8F:F6:1E:17:08:DF:68:81:72:48:49:CD:5D:27:CB:69
* CN = UTN-USERFirst-Hardware
SHA-256 Fingerprint: 6E:A5:47:41:D0:04:66:7E:ED:1B:48:16:63:4A:A3:A7:9E:6E:4B:96:95:0F:82:79:DA:FC:8D:9B:D8:81:21:37
* CN = UTN-USERFirst-Object
SHA-256 Fingerprint: 6F:FF:78:E4:00:A7:0C:11:01:1C:D8:59:77:C4:59:FB:5A:F9:6A:3D:F0:54:08:20:D0:F4:B8:60:78:75:E5:8F
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Recipes nspr_4.16.bb and nss_3.31.1.bb ignored BUILD_CC and it's
BUILD_CFLAGS and tried to compile with hardcoded "gcc" instead. As
result build for this recipes will fail if host use different name for
compiler or require any flags.
Signed-off-by: Nikolay Merinov <n.merinov@inango-systems.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
Upgrade nss from 3.30.2 to latest stable version 3.31.1.
* remove 0001-Fix-warnings-found-with-gcc7.patch which is not needed now
Signed-off-by: Kai Kang <kai.kang@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
This adds or fixes the Upstream-Status for all remaining patches missing it
in OE-Core.
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Upgrade nss from 3.29.1 to 3.30.2
Signed-off-by: Fan Xin <fan.xin@jp.fujitsu.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Also fix build with gcc7 along
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
Rebase nss-fix-support-cross-compiling.patch
Signed-off-by: Alexander Kanavin <alexander.kanavin@linux.intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
Switching between 32 and 64 bit BUILD_ARCH shows:
$ bitbake-diffsigs tmp-sstatesamehash*/stamps/*/nss-native/3.27.1-r0.do_compile.sigdata.*
basehash changed from 944cc4554a823ba966aeda0ac3d33b79 to 2475db3659c248d81d0e4dadb3c1b4cd
Variable SITEINFO_BITS value changed from '32' to '64'
We shouldn't have this dependency and it would fail oe-selftest test_sstate_32_64_same_hash
if nss-native were included, therefore exclude it.
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
nss-native is required in postinst. It's also needed during
build so not removed from DEPENDS.
Signed-off-by: Jussi Kukkonen <jussi.kukkonen@intel.com>
|
|
This was casting to a pointer, and the pointer sizes are 32-bit on X32, not
64-bit. Adjust as appropriate.
Signed-off-by: Christopher Larson <chris_larson@mentor.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
When installing NSS on a read-only rootfs, the current postinstall
scriptlet exits after having run the signing part. This causes an error
when appending the task because the rest of the script is simply ignored
and therefore never run.
Signed-off-by: David Vincent <freesilicon@gmail.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
Signed-off-by: Alexander Kanavin <alexander.kanavin@linux.intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
Signed-off-by: Alexander Kanavin <alexander.kanavin@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
This issue is also reported here
https://trac.macports.org/ticket/51709
Patch is also from same ticket
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
Add a patch to disable a clang specific warning
and avoid passing clang options to gcc when we have
cross compiler is clang but host compiler is gcc
We do not need to use target cflags when building
native pieces and hence avoid the inter-mixing of
compiler options
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
Drop merged 0001-Fix-build-failure-on-opensuse-13.1.patch
Signed-off-by: Alexander Kanavin <alexander.kanavin@linux.intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
Disable Werror on native builds. This helps
in building nss-native on build hosts which have
gcc < 4.9 eg. ubuntu 14.04
The real issue is that we use headers from native
staging sysroot and it has the updated glibc headers
which then ends up with errors e.g.
| In function 'memset',
| inlined from 'sec_PKCS7Encrypt' at p7local.c:715:14:
| /usr/include/x86_64-linux-gnu/bits/string3.h:81:30: error: call to '__warn_memset_zero_len' declared with attribute warning: memset used with constant zero length parameter; this could be due to transposed parameters [-Werror]
| __warn_memset_zero_len ();
| ^
| cc1: all warnings being treated as errors
| make[2]: *** [Linux3.4_x86_64_glibc_PTH_64_OPT.OBJ/p7local.o] Error 1
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Otherwise the nss libs do not get any RPATH/RUNPATH. Consequently, the
.so dependencies of nss libs are always searched from the base lib
directories of the host (i.e. /lib/ and /usr/lib). This causes problems
with nss-native where the .so's should be searched from the base lib
directories of the sysroot instead of the host file system.
This particular problem has probably been unnoticed as most users are
likely to have nss libraries installed on their host system. In this
case everything most likely work as expected.
[YOCTO #9041]
Signed-off-by: Markus Lehtonen <markus.lehtonen@linux.intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
nss's build system assumes that cdefs.h is always available on linux
which is not the case with musl
Signed-off-by: Khem Raj <raj.khem@gmail.com>
|
|
Explicitly disable tests (they were previously implicitly disabled upstream),
as they cause various architecture-specific build failures.
Add 0001-Fix-build-failure-on-opensuse-13.1.patch that fixes compilation using gcc 4.8.
Signed-off-by: Alexander Kanavin <alexander.kanavin@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
In some recipes overly-split -dbg packages were merged into PN-dbg. Unless
there's a very good reason, recipes should have a single -dev and -dbg package.
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
Signed-off-by: Alexander Kanavin <alexander.kanavin@linux.intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
This is a bug fix release.
Signed-off-by: Jussi Kukkonen <jussi.kukkonen@intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
Picks up fixes for CVE-2015-2721 and CVE-2015-2730. Specify previously
overlooked license file COPYING. Fold nss.inc into recipe.
Signed-off-by: Joe Slater <jslater@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
The *.chk files are installed in ${libdir} by nss,
which is already known, no need to 'find' to get the
file list, and 'ls' is more faster than 'find'.
Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
When try to build nss with x32 ABI enabled fails because
it need to be specified USE_X32 env var.
[YOCTO #7420]
Signed-off-by: Aníbal Limón <anibal.limon@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Because the build of nss seems to ignore CFLAGS, we never
have put source code in the -dbg package. We do not address
the CFLAGS issue, but we do add -g to the definition of CC
so that we will generate debug info.
We also let package.bbclass populate the -dbg package instead
of forcing the contents locally.
Signed-off-by: Joe Slater <jslater@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
* remove perl runtime dependency from main package
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Update includes:
CVE-2014-1569
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-1569
for changelog information see
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.17.3_release_notes
We had a build failure on 32 bit hosts so including a patch from:
http://git.yoctoproject.org/cgit.cgi/poky-contrib/log/?h=mhatle/dora-misc
Wenzong Fan (1):
nss: workaround multilib build on 32bit host
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
Signed-off-by: Chong Lu <Chong.Lu@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
CVE patches removed since they have been implemented upstream
Rename patch dir (files) to generic PN name
Signed-off-by: Saul Wold <sgw@linux.intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
RPM4 requires an nss-native component
Signed-off-by: Saul Wold <sgw@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
From reading the COPYING and various license headers, the nss
LICENSE was incorrect. It's actually MPL-2.0 (not 1.1) with a
few different Or instances.
Signed-off-by: Elizabeth Flanagan <elizabeth.flanagan@intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
the patch comes from:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-1544
https://hg.mozilla.org/projects/nss/rev/204f22c527f8
author Robert Relyea <rrelyea@redhat.com>
https://bugzilla.mozilla.org/show_bug.cgi?id=963150
Bug 963150: Add nssCertificate_AddRef and nssCertificate_Destroy calls
to PK11_ImportCert to prevent nssTrustDomain_AddCertsToCache from
freeing the CERTCertificate associated with the NSSCertificate. r=wtc.
Signed-off-by: Li Wang <li.wang@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Signed-off-by: Robert P. J. Day <rpjday@crashcourse.ca>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
the patch comes from:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-5606
https://bugzilla.mozilla.org/show_bug.cgi?id=910438
http://hg.mozilla.org/projects/nss/rev/d29898e0981c
The CERT_VerifyCert function in lib/certhigh/certvfy.c in
Mozilla Network Security Services (NSS) 3.15 before 3.15.3 provides
an unexpected return value for an incompatible key-usage certificate
when the CERTVerifyLog argument is valid, which might allow remote
attackers to bypass intended access restrictions via a crafted certificate.
Signed-off-by: Li Wang <li.wang@windriver.com>
Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Mozilla Network Security Services (NSS) before 3.15.2 does
not ensure that data structures are initialized before
read operations, which allows remote attackers to cause a
denial of service or possibly have unspecified other
impact via vectors that trigger a decryption failure.
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1739
Signed-off-by: yzhu1 <yanjun.zhu@windriver.com>
Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
