certutil is a command-line utility for managing keys and certificate in
both NSS databases and other NSS tokens.
Signed-off-by: Julien Floret <julien.floret@6wind.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Enable parallel building by substituting $(MAKE1) with $(MAKE) in
libnss.mk. Parallel Makefile building has been added after version 3.53
so now it's time to enable it in Buildroot to save building time.
Signed-off-by: Giulio Benetti <giulio.benetti@benettiengineering.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
By mistake seed.o has been added to public library too, but this way its
dependencies are not taken into account(stubs.o), this way build fails
complaining on missing functions from stubs.o file. Let's fix it by
adding upstream patch:
f46fca8ced
Fixes:
http://autobuild.buildroot.net/results/4cb/4cbf4c35549a3bfba06222ba509d0263f23a3a2e/
Signed-off-by: Giulio Benetti <giulio.benetti@benettiengineering.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Current 0001 patch has been committed into buildroot before being
upstreamed. Now that it's been upstreamed it changed a little, so this
makes patch 0002(based on upstream version of patch 0001) impossible to
apply causing build failure while applying patches. So let's update
patch 0001 with upstream one.
Fixes:
http://autobuild.buildroot.net/results/c8a/c8a6776a3e9cec1dc67862e4972e3ca8f4562a50/
Signed-off-by: Giulio Benetti <giulio.benetti@benettiengineering.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
NSS assumes that every neon arm32 build is an armv7, but this is
not always true(i.e. build arm32 for armv8), so let's add a patch to
remove -march=armv7 flag when building gcm-arm32-neon.c
Fixes:
http://autobuild.buildroot.net/results/464/464044fda2850123339de6c8071374e380636ee0/
Signed-off-by: Giulio Benetti <giulio.benetti@benettiengineering.com>
Reviewed-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Release notes:
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.51_release_notes
Remove upstreamed patch but add another patch to allow disable Neon
acceleration while building gcm on Arm32. This patch adds
NSS_DISABLE_GCM_ARM32_NEON variable that is set to 1 if
BR2_ARM_CPU_HAS_NEON is not set to y.
Signed-off-by: Giulio Benetti <giulio.benetti@benettiengineering.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
NSS assumes <sys/auvx.h> is always present but that's not true, so add a
patch to check if it exists or not.
Fixes:
http://autobuild.buildroot.net/results/425ba828d30c2bd55ce9f4f00e67bc10d9de2867/
Signed-off-by: Giulio Benetti <giulio.benetti@benettiengineering.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
At the moment there are 2 patches with the same id(0001-xxx.patch) so
let's rename one of them to 0002-xxx.patch.
Signed-off-by: Giulio Benetti <giulio.benetti@benettiengineering.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
The libnss patch adding ZLIB_INCLUDE_DIR is added to upstream on
2020-01-07 but the 3.49.1 release on 2020-01-13 does not contain this
patch, so we have actually prematurely removed it from Buildroot.
This only affects host-libnss when libzlib is not installed in the host
system. When building for the target, the toolchain-wrapper already
looks in the target sysroot default include path - where zlib.h is
installed.
Re-add this patch, so that we can build host-libnss 3.49.1.
Signed-off-by: Thomas Preston <thomas.preston@codethink.co.uk>
Reviewed-by: Giulio Benetti <giulio.benetti@benettiengineering.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
NSS Makefile emits -DLINUX to OS_CFLAGS only if OS_TEST=Linux when
building for Target. But nsinstall.c is a host utility and it uses
NATIVE_FLAGS instead of OS_CFLAGS, this is why -DLINUX is not emitted.
This is necessary for the case one builds for Target OS Linux on a Host
OS that is not Linux.
After discussing upstream [*], it turned out that our current patch,
introduced with commit fe4b47a121 (package/libnss: fix build failure
on RHEL 7) to fix the bug, is wrong. The best way to fix it is to append
-DLINUX to NATIVE_FLAGS in libnss.mk.
[*] https://bugzilla.mozilla.org/show_bug.cgi?id=1603398
So let's append -DLINUX to NATIVE_FLAGS after HOST_CFLAGS to make sure
<getopt.h> is included, since in nsintall.c it is included only if LINUX
macro is defined and this caused the build failure not finding getopt
functions and macros in some build environment(i.e. RHEL 7). On other
build environments getopt.h is indirectly included by unistd.h this is
why it worked on them.
This reverts commit fe4b47a121.
Fixes:
http://autobuild.buildroot.net/results/797/797f07ff757e7972d8c96b6a9f6abe68d17e0808/
Signed-off-by: Giulio Benetti <giulio.benetti@benettiengineering.com>
[yann.morin.1998@free.fr:
- meld the two commits into one
- update and rearrange the commit log accordingly
]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
libnss expects OS_TEST to be set to ppc, ppc64, or ppc64le instead of
the usual values defined by Buildroot, respectively powerpc, powerpc64,
or powerpc64le.
This fixes the inconsistencies where functions would be prototyped and
called, but no implementation would be provided, causing link issues.
Define all the variants (of which the existing aarch64be) in Kconfig.
The latest default uses the usual architecture names as defined by
Buildroot, BR2_ARCH.
Additionally, libnss makes use of Altivec intrinsics which are only
available starting with gcc 8, not gcc 5, so we patch it to fix that
condition.
Fixes:
http://autobuild.buildroot.org/results/579/57928e6cf69d584b430a1d9a99156c57f29b692f/
Signed-off-by: Giulio Benetti <giulio.benetti@benettiengineering.com>
[yann.morin.1998@free.fr:
- move the arch setting to kconfig (like recently done in e3159cad71)
- add the build failure
- add pointer to upstream bug report and patch sybmission
- reformat and reword commit log
]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
NSS_ENABLE_WERROR=0 is already added by default to LIBNSS_BUILD_VARS
previously, so let's remove this check and set.
Signed-off-by: Giulio Benetti <giulio.benetti@benettiengineering.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Remove uClibc fix patch since its change has been upstreamed despite the
comment contained in patch.
Signed-off-by: Giulio Benetti <giulio.benetti@benettiengineering.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Add patch to fix build failure on PowerPc without <sys/auxv.h>. The patch
inserts #if statements to include or note <sys/auxv.h> prior it exists.
Fixes:
http://autobuild.buildroot.net/results/8bf95bd8a0aec8c53889308ab1e00d0a94f53d57/
Signed-off-by: Giulio Benetti <giulio.benetti@benettiengineering.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
-DLINUX flag was passed to OS_CFLAGS instead of DEFINES, but OS_CFLAGS
is only used when cross-compiling, not when native building.
Add patch to fix build failure on RHEL 7 host by substituting OS_CFLAGS
with DEFINES.
Signed-off-by: Giulio Benetti <giulio.benetti@benettiengineering.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
NSS 3.48 requires NSPR 4.24 already bumped. It already fixed
CVE-2019-11745 but in version 3.47.1 it's already fixed. Anyway from
3.47 to 3.48 it fixes:
CVE-2019-11745: EncryptUpdate should use maxout, not block size
Remove an upstreamed patch but introduce a new one to fix building with
signal.h include.
Signed-off-by: Giulio Benetti <giulio.benetti@benettiengineering.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Fixes the following security issues:
CVE-2019-11745: EncryptUpdate should use maxout, not block size
Signed-off-by: Giulio Benetti <giulio.benetti@benettiengineering.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
At the moment libnss assumes that every ARM has NEON extension but it's
not that way. So add a patch to make it aware of it and use native
functions in place of NEON optimized ones.
Fixes:
http://autobuild.buildroot.net/results/1342d305d1aeebef7af54a83afc094fda12421e2/
Signed-off-by: Giulio Benetti <giulio.benetti@benettiengineering.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
NSS_ENABLE_ECC is not supported anymore, then remove it from our
libnss.mk file.
Signed-off-by: Giulio Benetti <giulio.benetti@benettiengineering.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Fixes the following security issues:
CVE-2019-11756: Remove refcounting from sftk_FreeSession
Signed-off-by: Giulio Benetti <giulio.benetti@benettiengineering.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Fixes:
http://autobuild.buildroot.net/results/bfd29593bb6c53d3e9e2d02d2ed6bea360d99c00/
In libnss there is a bug leading to build failure due to double declared
functions. This is due to 2 different #ifdef statements treating the
same function-set.
Add patch to fix this by making the 2 #ifdef statements equal.
Signed-off-by: Giulio Benetti <giulio.benetti@micronovasrl.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes the following security issues:
(3.44.1)
CVE-2019-11729: More thorough input checking
CVE-2019-11719: Don't unnecessarily strip leading 0's from key material
during PKCS11 import
CVE-2019-11727: Prohibit use of RSASSA-PKCS1-v1_5 algorithms in TLS 1.3
Note:
This version requires nspr 4.22 or newer provided by the previous patch.
Signed-off-by: Giulio Benetti <giulio.benetti@micronovasrl.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
With Microblaze Gcc version < 8.x the build hangs due to bug 85862:
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=85862
To avoid this, the libnss package has a !BR2_TOOLCHAIN_HAS_GCC_BUG_85862
dependency. However, gcc bug 85862 only triggers when optimization is
enabled, so we can work around the issue by passing -O0, which is what
we do in other Buildroot packages to work around this bug.
Signed-off-by: Giulio Benetti <giulio.benetti@micronovasrl.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Currently libnss is configured with BUILD_OPT=1 and due to that that
it doesn't take into account Buildroot TARGET_CFLAGS nor
TARGET_LDFLAGS resulting in pre-chosen optimizations and debugging
symbols being used.
We can't pass TARGET_CFLAGS through CFLAGS or similar otherwise other
internal libnss one will be overwritten (i.e. -fPIC), so we prefer to
append TARGET_CFLAGS at the end of Linux.mk as well as TARGET_LDFLAGS
according to internal libnss Makefile system's names. And obviously
remove BUILD_OPT=1 from BUILD_VARS.
This reveals hidden bugs when building with -Os due to bogus
uninitialized warnings from gcc turned into errors because of -Werror,
so we explicitly pass NSS_ENABLE_WERROR=0 to avoid the use of -Werror.
Signed-off-by: Giulio Benetti <giulio.benetti@micronovasrl.com>
[Thomas: drop the libnss patches, and pass NSS_ENABLE_WERROR instead]
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Fixes the following security issues:
(3.41) CVE-2018-12404: Cache side-channel variant of the Bleichenbacher
attack
(3.42.1) CVE-2018-18508: Add additional null checks to several CMS functions
to fix a rare CMS crash. Thanks to Hanno Böck and Damian Poddebniak for the
discovery and fixes
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes the following security issue:
CVE-2018-12384: NSS responded to an SSLv2-compatible ClientHello with a
ServerHello that had an all-zero random.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
uClibc implements RTLD_NOLOAD for quite some time now. Remove the patch
adding a dummy definition of RTLD_NOLOAD.
Cc: Joseph Kogut <joseph.kogut@gmail.com>
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
