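# Recipe metadata for Mozilla NSS.
# DESCRIPTION is a general feature blurb for the library; it does not by
# itself state which protocol versions this particular build enables.
SUMMARY = "Mozilla's SSL and TLS implementation"
DESCRIPTION = "Network Security Services (NSS) is a set of libraries \
designed to support cross-platform development of \
security-enabled client and server applications. \
Applications built with NSS can support SSL v2 and v3, \
TLS, PKCS 5, PKCS 7, PKCS 11, PKCS 12, S/MIME, X.509 \
v3 certificates, and other security standards."
HOMEPAGE = "http://www.mozilla.org/projects/security/pki/nss/"
SECTION = "libs"
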
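# Build-time dependencies. The target build additionally pulls in nss-native
# (presumably for host-side tools used during the cross build - confirm).
# The class-native override omits nss-native, so the native variant does not
# depend on itself.
DEPENDS = "sqlite3 nspr zlib nss-native"
DEPENDS:class-native = "sqlite3-native nspr-native zlib-native"
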
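LICENSE = "(MPL-2.0 & MIT) | (MPL-2.0 & GPL-2.0-or-later & MIT) | (MPL-2.0 & LGPL-2.1-or-later & MIT)"

# LIC_FILES_CHKSUM lets the build notice when a licence text changes between
# versions. The md5 values here are change detectors for licence review only;
# they are not what authenticates the source tarball (that is
# SRC_URI[sha256sum]).
LIC_FILES_CHKSUM = "file://nss/COPYING;md5=3b1e88e1b9c0b5a4b2881d46cce06a18 \
                    file://nss/lib/freebl/mpi/doc/LICENSE;md5=491f158d09d948466afce85d6f1fe18f \
                    file://nss/lib/freebl/mpi/doc/LICENSE-MPL;md5=5d425c8f3157dbf212db2ec53d9e5132 \
                    file://nss/lib/freebl/verified/Hacl_Poly1305_256.c;beginline=1;endline=22;md5=cc22f07b95d28d56baeb757df46ee7c8"
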
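# Release directory name derived from BP: upper-cased, '-' and '.' replaced by
# '_', with '_RTM' appended (constructed example: "nss-1.2" -> "NSS_1_2_RTM").
VERSION_DIR = "${@d.getVar('BP').upper().replace('-', '_').replace('.', '_') + '_RTM'}"

# NOTE(review): the release tarball is fetched over plain http://, so the
# transport gives no authenticity guarantee. The only integrity control on the
# download is SRC_URI[sha256sum] below; on a version bump, take the new digest
# from a trusted source rather than from whatever the fetch returned, and
# consider whether the https:// form of this URL can be used instead.
#
# The file:// entries are local recipe files. blank-cert9.db and blank-key4.db
# are prebuilt binary databases; how they were produced is described in
# do_install:append:class-target.
SRC_URI = "http://ftp.mozilla.org/pub/security/nss/releases/${VERSION_DIR}/src/${BP}.tar.gz \
           file://nss.pc.in \
           file://0001-nss-fix-support-cross-compiling.patch \
           file://nss-no-rpath-for-cross-compiling.patch \
           file://nss-fix-incorrect-shebang-of-perl.patch \
           file://disable-Wvarargs-with-clang.patch \
           file://pqg.c-ULL_addend.patch \
           file://blank-cert9.db \
           file://blank-key4.db \
           file://system-pkcs11.txt \
           file://nss-fix-nsinstall-build.patch \
           file://0001-freebl-add-a-configure-option-to-disable-ARM-HW-cryp.patch \
           "
SRC_URI[sha256sum] = "859748f0b4b7bb51e7e600ae5a88ef4d71f93e6964b1beed2727784dd9ed85e7"

# Where and how the upstream version check looks for newer releases.
UPSTREAM_CHECK_URI = "https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_Releases"
UPSTREAM_CHECK_REGEX = "NSS_(?P<pver>.+)_release_notes"
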
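# siteinfo supplies SITEINFO_BITS, which do_compile and do_install read to
# choose between USE_64 and USE_X32.
inherit siteinfo

# Scratch directories under the source tree; do_install points "make install"
# at TD and copies from there into ${D}. TDS is not referenced in the part of
# the recipe shown here.
TD = "${S}/tentative-dist"
TDS = "${S}/tentative-dist-staging"

# Carry LDFLAGS along with the compiler architecture flags.
# NOTE(review): presumably because the NSS makefiles do not honour LDFLAGS from
# the environment on their own - confirm. Any link-time hardening options the
# distro puts in LDFLAGS reach the NSS link steps through this line.
TARGET_CC_ARCH += "${LDFLAGS}"

CFLAGS:append:class-native = " -D_XOPEN_SOURCE "
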
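# musl builds only: delete every line that mentions -DHAVE_SYS_CDEFS_H from the
# dbm config.mk before configuring (musl does not ship <sys/cdefs.h>).
do_configure:prepend:libc-musl () {
    sed -i -e '/-DHAVE_SYS_CDEFS_H/d' ${S}/nss/lib/dbm/config/config.mk
}
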
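# powerpc64le with clang: switch the C dialect flag in coreconf/command.mk from
# -std=c99 to -std=gnu99. The '-' needs no escaping in a sed expression.
do_configure:prepend:powerpc64le:toolchain-clang () {
    sed -i -e 's/-std=c99/-std=gnu99/g' ${S}/nss/coreconf/command.mk
}
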
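# powerpc64 with clang: switch the C dialect flag in coreconf/command.mk from
# -std=c99 to -std=gnu99. The '-' needs no escaping in a sed expression.
do_configure:prepend:powerpc64:toolchain-clang () {
    sed -i -e 's/-std=c99/-std=gnu99/g' ${S}/nss/coreconf/command.mk
}
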
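# Native build: point the NSS makefiles at the native sysroot's NSPR headers
# and libraries. (A second class-native prepend further down sets RPATH.)
do_compile:prepend:class-native() {
    export NSPR_INCLUDE_DIR=${STAGING_INCDIR_NATIVE}/nspr
    export NSPR_LIB_DIR=${STAGING_LIBDIR_NATIVE}
}
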
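# nativesdk build: run the compile with an empty LDFLAGS in the environment.
# NOTE(review): the reason is not recorded here; this also drops any hardening
# options LDFLAGS would otherwise carry in the environment - confirm intended.
do_compile:prepend:class-nativesdk() {
    export LDFLAGS=""
}
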
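# Native build: set the RPATH shell variable that do_compile passes to make.
# It is not exported; do_compile hands it over explicitly as RPATH="${RPATH}".
do_compile:prepend:class-native() {
    # Need to set RPATH so that chrpath will do its job correctly
    RPATH="-Wl,-rpath-link,${STAGING_LIBDIR_NATIVE} -Wl,-rpath-link,${STAGING_BASE_LIBDIR_NATIVE} -Wl,-rpath,${STAGING_LIBDIR_NATIVE} -Wl,-rpath,${STAGING_BASE_LIBDIR_NATIVE}"
}
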
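# Build NSS with its own makefiles ("make -C ./nss ... autobuild"). All
# configuration is passed through environment variables and make arguments.
do_compile() {
    export NSPR_INCLUDE_DIR=${STAGING_INCDIR}/nspr

    # Cross build: helper programs that run on the build host use BUILD_CC.
    export CROSS_COMPILE=1
    export NATIVE_CC="${BUILD_CC}"
    # Additional defines needed on Centos 7
    export NATIVE_FLAGS="${BUILD_CFLAGS} -DLINUX -Dlinux"
    export BUILD_OPT=1

    # POSIX.1-2001 states that the behaviour of getcwd() when passing a null
    # pointer as the buf argument, is unspecified.
    export NATIVE_FLAGS="${NATIVE_FLAGS} -DGETCWD_CANT_MALLOC"

    export FREEBL_NO_DEPEND=1
    export FREEBL_LOWHASH=1

    export LIBDIR=${libdir}
    export MOZILLA_CLIENT=1
    export NS_USE_GCC=1
    # Use the sqlite3 from DEPENDS, so SQLite fixes arrive through the sqlite3
    # recipe rather than through this one.
    export NSS_USE_SYSTEM_SQLITE=1
    export NSS_ENABLE_ECC=1
    # Compiler warnings do not fail the build.
    export NSS_ENABLE_WERROR=0

    # Only when TUNE_FEATURES contains "crypto": ask for the ARM hardware
    # crypto code paths. Otherwise this line expands to nothing.
    ${@bb.utils.contains("TUNE_FEATURES", "crypto", "export NSS_USE_ARM_HW_CRYPTO=1", "", d)}

    # Fixed OS identification values (presumably so the NSS makefiles do not
    # probe the build host - confirm).
    export OS_RELEASE=3.4
    export OS_TARGET=Linux
    export OS_ARCH=Linux

    # Map TARGET_ARCH onto the architecture name handed to make as OS_TEST.
    if [ "${TARGET_ARCH}" = "powerpc" ]; then
        OS_TEST=ppc
    elif [ "${TARGET_ARCH}" = "powerpc64" -o "${TARGET_ARCH}" = "powerpc64le" ]; then
        OS_TEST=ppc64
    elif [ "${TARGET_ARCH}" = "mips" -o "${TARGET_ARCH}" = "mipsel" -o "${TARGET_ARCH}" = "mips64" -o "${TARGET_ARCH}" = "mips64el" ]; then
        OS_TEST=mips
    elif [ "${TARGET_ARCH}" = "aarch64_be" ]; then
        OS_TEST="aarch64"
    else
        OS_TEST="${TARGET_ARCH}"
    fi

    # 64-bit targets set USE_64; x86_64 with 32-bit SITEINFO_BITS (x32) sets
    # USE_X32; everything else sets neither.
    if [ "${SITEINFO_BITS}" = "64" ]; then
        export USE_64=1
    elif [ "${TARGET_ARCH}" = "x86_64" -a "${SITEINFO_BITS}" = "32" ]; then
        export USE_X32=1
    fi

    # The upstream gtest suite is not built.
    export NSS_DISABLE_GTESTS=1
    # We can modify CC in the environment, but if we set it via an
    # argument to make, nsinstall, a host program, will also build with it!
    #
    # nss pretty much does its own thing with CFLAGS, so we put them into CC.
    # Optimization will get clobbered, but most of the stuff will survive.
    # The motivation for this is to point to the correct place for debug
    # source files and CFLAGS does that.  Nothing uses CCC.
    #
    export CC="${CC} ${CFLAGS}"
    # RPATH is a shell variable assigned only in the class-native prepend.
    make -C ./nss CCC="${CXX} -g" \
        OS_TEST=${OS_TEST} \
        RPATH="${RPATH}" \
        autobuild
}

# Keep SITEINFO_BITS out of the variables tracked for this task's signature.
do_compile[vardepsexclude] += "SITEINFO_BITS"
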
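# nativesdk build: run the install step with an empty LDFLAGS in the
# environment, matching what the nativesdk compile prepend does.
do_install:prepend:class-nativesdk() {
    export LDFLAGS=""
}
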
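# Run "make install" into the TD scratch tree, then copy libraries, public
# headers and binaries from the build output into ${D}.
do_install() {
    # Repeats most of the environment do_compile sets. NATIVE_FLAGS,
    # FREEBL_LOWHASH, NSS_ENABLE_WERROR, the ARM crypto toggle and the CC
    # override are not repeated here.
    # NOTE(review): if "make install" rebuilds anything, it would do so with
    # these reduced settings - confirm nothing is recompiled at this stage.
    export CROSS_COMPILE=1
    export NATIVE_CC="${BUILD_CC}"
    export BUILD_OPT=1

    export FREEBL_NO_DEPEND=1

    export LIBDIR=${libdir}
    export MOZILLA_CLIENT=1
    export NS_USE_GCC=1
    export NSS_USE_SYSTEM_SQLITE=1
    export NSS_ENABLE_ECC=1

    export OS_RELEASE=3.4
    export OS_TARGET=Linux
    export OS_ARCH=Linux

    # Same TARGET_ARCH -> OS_TEST mapping as do_compile.
    if [ "${TARGET_ARCH}" = "powerpc" ]; then
        OS_TEST=ppc
    elif [ "${TARGET_ARCH}" = "powerpc64" -o "${TARGET_ARCH}" = "powerpc64le" ]; then
        OS_TEST=ppc64
    elif [ "${TARGET_ARCH}" = "mips" -o "${TARGET_ARCH}" = "mipsel" -o "${TARGET_ARCH}" = "mips64" -o "${TARGET_ARCH}" = "mips64el" ]; then
        OS_TEST=mips
    elif [ "${TARGET_ARCH}" = "aarch64_be" ]; then
        # NOTE(review): CPU_ARCH is assigned here but neither exported nor
        # passed to make below, and do_compile does not set it - confirm
        # whether it has any effect.
        CPU_ARCH=aarch64
        OS_TEST="aarch64"
    else
        OS_TEST="${TARGET_ARCH}"
    fi
    if [ "${SITEINFO_BITS}" = "64" ]; then
        export USE_64=1
    elif [ "${TARGET_ARCH}" = "x86_64" -a "${SITEINFO_BITS}" = "32" ]; then
        export USE_X32=1
    fi

    export NSS_DISABLE_GTESTS=1

    # Install into the scratch tree, not directly into ${D}.
    make -C ./nss \
        CCC="${CXX}" \
        OS_TEST=${OS_TEST} \
        SOURCE_LIB_DIR="${TD}/${libdir}" \
        SOURCE_BIN_DIR="${TD}/${bindir}" \
        install

    # Shared libraries straight from the build output directory.
    install -d ${D}/${libdir}/
    for file in ${S}/dist/*.OBJ/lib/*.so; do
        echo "Installing $(basename "$file")..."
        cp "$file" ${D}/${libdir}/
    done

    # Versioned libraries from the scratch tree, plus a symlink whose name is
    # the library name with a trailing ".1oe" removed.
    for shared_lib in ${TD}/${libdir}/*.so.*; do
        if [ -f "$shared_lib" ]; then
            cp "$shared_lib" ${D}/${libdir}
            ln -sf "$(basename "$shared_lib")" ${D}/${libdir}/"$(basename "$shared_lib" .1oe)"
        fi
    done
    # NOTE(review): $shared_lib is a full path here, so the "! -e" test looks
    # for ${D}/${libdir}/<full path>, which normally does not exist; the copy
    # therefore always runs and overwrites libraries installed by the first
    # loop. If the intent is "copy only when not already installed", the test
    # should use $(basename "$shared_lib"). Left unchanged because switching
    # changes which copy of each library ends up in the package.
    for shared_lib in ${TD}/${libdir}/*.so; do
        if [ -f "$shared_lib" -a ! -e "${D}/${libdir}/$shared_lib" ]; then
            cp "$shared_lib" ${D}/${libdir}
        fi
    done

    # Public headers, installed non-executable.
    install -d ${D}/${includedir}/nss3
    install -m 644 -t ${D}/${includedir}/nss3 dist/public/nss/*

    # Every file "make install" placed in the scratch bindir, mode 755.
    install -d ${D}/${bindir}
    for binary in ${TD}/${bindir}/*; do
        install -m 755 -t ${D}/${bindir} "$binary"
    done
}

# Keep SITEINFO_BITS out of the variables tracked for this task's signature.
do_install[vardepsexclude] += "SITEINFO_BITS"
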
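# Add placeholder .chk files and generate nss.pc from the nss.pc.in template.
do_install:append() {
    # Create empty .chk files for the NSS libraries at build time. They could
    # be regenerated at target's boot time.
    #
    # These are zero-length placeholders, not valid signatures: until
    # pkg_postinst has run shlibsign successfully, the .chk files cannot
    # vouch for the libraries next to them.
    # NOTE(review): the .chk files are data, yet they are made executable
    # (755) - confirm whether 644 would do.
    for file in libsoftokn3.chk libfreebl3.chk libnssdbm3.chk; do
        touch ${D}/${libdir}/$file
        chmod 755 ${D}/${libdir}/$file
    done

    install -d ${D}${libdir}/pkgconfig/
    # One sed invocation instead of "sed | sed": in a pipeline only the last
    # command's exit status is seen, so a failure reading nss.pc.in would have
    # produced an empty nss.pc without failing the task.
    # NOTE(review): the NSPR version is hard-coded to 4.9.2 and does not follow
    # the nspr recipe - confirm it is still what consumers of nss.pc expect.
    sed -e 's/%NSS_VERSION%/${PV}/' -e 's/%NSPR_VERSION%/4.9.2/' \
        ${UNPACKDIR}/nss.pc.in > ${D}${libdir}/pkgconfig/nss.pc
    sed -i s:OEPREFIX:${prefix}:g ${D}${libdir}/pkgconfig/nss.pc
    sed -i s:OEEXECPREFIX:${exec_prefix}:g ${D}${libdir}/pkgconfig/nss.pc
    sed -i s:OELIBDIR:${libdir}:g ${D}${libdir}/pkgconfig/nss.pc
    sed -i s:OEINCDIR:${includedir}/nss3:g ${D}${libdir}/pkgconfig/nss.pc
}
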
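# Target builds only: ship a pre-made, empty system NSS database under
# ${sysconfdir}/pki/nssdb.
do_install:append:class-target() {
    # It used to call certutil to create a blank certificate with empty password at
    # build time, but the checksum of key4.db changes every time when certutil is called.
    # It causes non-determinism issue, so provide databases with a blank certificate
    # which are originally from output of nss in qemux86-64 build. You can get these
    # databases by:
    # certutil -N -d sql:/database/path/ --empty-password
    #
    # Consequences for whoever deploys the image:
    # - every image built from this recipe starts with byte-identical
    #   cert9.db/key4.db files, including whatever per-database values
    #   certutil generated when they were first created;
    # - the key database has an empty password and is installed 0644, so it is
    #   readable by every local user. Set a password (and review the file
    #   mode) before storing any private key in this system database.
    install -d ${D}${sysconfdir}/pki/nssdb/
    install -m 0644 ${UNPACKDIR}/blank-cert9.db ${D}${sysconfdir}/pki/nssdb/cert9.db
    install -m 0644 ${UNPACKDIR}/blank-key4.db ${D}${sysconfdir}/pki/nssdb/key4.db
    install -m 0644 ${UNPACKDIR}/system-pkcs11.txt ${D}${sysconfdir}/pki/nssdb/pkcs11.txt
}
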
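# nss-native must be available when the package's postinst is run during image
# construction, because the script below calls shlibsign.
PACKAGE_WRITE_DEPS += "nss-native"

# For every lib*.chk placeholder, run "shlibsign -i" on the matching .so so
# that the empty .chk file is replaced by a real one. $D is the root prefix
# supplied by the package tooling (presumably empty when the script runs on
# the device itself).
#
# A failed signing is only reported with echo; the placeholder .chk then stays
# in place.
# NOTE(review): if the generated script runs under "set -e", a failing
# shlibsign would abort it before the message is printed - confirm which of
# the two behaviours is intended.
pkg_postinst:${PN} () {
    for I in $D${libdir}/lib*.chk; do
        DN=$(dirname "$I")
        BN=$(basename "$I" .chk)
        FN=$DN/$BN.so
        shlibsign -i "$FN"
        if [ $? -ne 0 ]; then
            echo "shlibsign -i $FN failed"
        fi
    done
}
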
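# Split the smime script into its own package, listed ahead of the default
# packages so it claims ${bindir}/smime before ${PN} takes the rest of
# ${bindir}.
PACKAGES =+ "${PN}-smime"
FILES:${PN}-smime = "\
    ${bindir}/smime \
"

# Main package: configuration (including the system NSS database), tools, the
# .chk files and the unversioned shared libraries.
FILES:${PN} = "\
    ${sysconfdir} \
    ${bindir} \
    ${libdir}/lib*.chk \
    ${libdir}/lib*.so \
    "

FILES:${PN}-dev = "\
    ${libdir}/nss \
    ${libdir}/pkgconfig/* \
    ${includedir}/* \
    "

# The -smime package needs perl at run time.
RDEPENDS:${PN}-smime = "perl"

BBCLASSEXTEND = "native nativesdk"
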
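# Additional product name to match when looking up CVEs for this recipe.
CVE_PRODUCT += "network_security_services"

# CVEs marked as not applicable because of how this recipe is configured.
# Each entry is a claim about the build and has to be re-checked whenever the
# version or the build options change.
#
# NOTE(review): the justification below names "--enable-legacy-db", while this
# recipe builds with "make ... autobuild" and do_install:append still creates
# a libnssdbm3.chk placeholder. Confirm that libnssdbm is really absent from
# the build output before relying on this exemption.
CVE_STATUS_GROUPS += "CVE_STATUS_NSS"
CVE_STATUS_NSS[status] = "not-applicable-config: This only affect the legacy db (libnssdbm), only compiled with --enable-legacy-db"
CVE_STATUS_NSS = "CVE-2017-11695 CVE-2017-11696 CVE-2017-11697 CVE-2017-11698"

# NOTE(review): this holds only while the packaged version is outside the
# affected range stated in the text; the recipe version is not visible in this
# file (it comes from BP/PV), so verify it against that range.
CVE_STATUS[CVE-2022-3479] = "not-applicable-config: vulnerability was introduced in 3.77 and fixed in 3.87"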