Adapt patch 0007-freebl-add-a-configure-option-to-disable-ARM-HW-cryp.patch
to new version of the code. Remove code which not exist and adapt to
new code.
Changelog:
v3.121:
https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_121.html
Bugs:
- update vendored zlib to v1.3.2.
- Revert the unnecessary changes to intel-gcm-wrap.gyp.
- Use C fallback for AES-GCM on MinGW builds.
- fix ML-KEM PCT.
- Extend NSS Fuzzing docs.
- avoid integer overflow in platform-independent ghash.
- Fix errant whitespace in OISTE Server Root RSA G1 nickname.
- fix build with glibc-2.43 assignment discards ‘const’ qualifier from pointer.
- add gcm.gyp dependency for Solaris SPARC builds.
- Set nssckbi version to 2.84.
- Add e-Szigno TLS Root CA 2023 to NSS.
- allow manual selection of CPU_ARCH=x86_64 and ppc64 in coreconf/Darwin.mk.
- Update cryptofuzz version.
- Paranoia assert.
- Darwin compatibility for intel-aes.S and intel-gcm.S.
- rename intel-{aes,gcm}.s to .S.
- rename C files for platform-specific ghash implementations.
- simplify compilation of platform-specific GCM and GHASH.
- FORWARD_NULL null deref of worker in p7decode.c (sec_pkcs7_decoder_abort_digests).
- Out-of-Bounds Read in ML-DSA Private Key Parsing (zero-length privateKey).
v3.120:
https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_120.html
Bugs:
- Fix docs generation bug.
- CID 1678226: Dereferencing null pointer plaintext.data().
- Run PKCS12 fuzz target with –fuzz=tls in CI.
- Allowing RT be started several times.
- move linux decision and build tasks to d2g worker pools.
v3.119.1:
https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_119_1.html
Bugs:
- restore coreconf/Darwin.mk behavior for intel archs.
Signed-off-by: Andrej Kozemcak <andrej.kozemcak@siemens.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
When using clang cross compiler, nss make system adds
some clang specific options e.g. Qunused-options to CFLAGS
which is fine for cross/target compile but some portions e.g.
nsinstall is build natively so it uses NATIVE_CC to compile this
utility, its is set to BUILD_CC rightly but when using clang for CC
and gcc for BUILD_CC, nss build system is confused because its
trying to use the computed set of warnings for both native and cross
compile and they may not match between clang and gcc. So here we
explicitly use clang for NATIVE_CC when TOOLCHAIN is clang
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Modifying existing UPSTREAM_CHECK_URI and UPSTREAM_CHECK_REGEX
fix UNKNOWN_BROKEN status from running devtool check-upgrade-status.
The next version of the package can be found from upstream
sources.
Signed-off-by: Alexandre Truong <alexandre.truong@smile.fr>
Reviewed-by: Yoann Congal <yoann.congal@smile.fr>
Replace references of WORKDIR with UNPACKDIR where it makes sense to do
so in preparation for changing the default value of UNPACKDIR.
Signed-off-by: Khem Raj <raj.khem@gmail.com>
* Remove one backported patch and rebase two patches to the new version.
* License update:
Copyright year updated to 2023
Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
- Try to add convert and apply statuses for old CVEs
- Drop some obsolete ignores, while they are not relevant for current
version
Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
The expiration date of the "PayPalEE.cert" test certificate in the nss package
is Jan 12 2022 and causing a test failure.
Signed-off-by: Wentao Zhang <wentao.zhang@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Change OS_TEST to be soft assignment so that the cross-compilation
doens't fail with the errors like (note the difference in CPU tags):
| make[4]: *** No rule to make target
'../certhigh/Linux3.4_x86_64_glibc_PTH_64_OPT.OBJ/certhtml.o', needed by
'Linux3.4_aarch64_glibc_PTH_64_OPT.OBJ/libnss3.so'. Stop.
Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
This is the result of automated script (0.9.1) conversion:
oe-core/scripts/contrib/convert-overrides.py .
converting the metadata to use ":" as the override character instead of "_".
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
CVE-2006-5201 affects only using an RSA key with exponent 3 on Sun Solaris.
Signed-off-by: Masaki Ambai <ambai.masaki@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Centos 7 has glibc 2.18 and nss-native build fails due to implicit
declaration of function putenv during build. This is because of the
Feature Test Macro Requirements for glibc (see feature_test_macros(7)):
putenv(): _XOPEN_SOURCE
|| /* Glibc since 2.19: */ _DEFAULT_SOURCE
|| /* Glibc versions <= 2.19: */ _SVID_SOURCE
and because nss coreconf/Linux.mk only defines
-D_DEFAULT_SOURCE -D_BSD_SOURCE -D_POSIX_SOURCE
So on such system with glibc 2.18, neither macro makes putenv()
available. Add -D_XOPEN_SOURCE for the Centos 7 and glibc 2.18
native build case.
Signed-off-by: Marek Vasut <marex@denx.de>
Cc: Armin Kuster <akuster808@gmail.com>
Cc: Armin Kuster <akuster@mvista.com>
Cc: Khem Raj <raj.khem@gmail.com>
Cc: Richard Purdie <richard.purdie@linuxfoundation.org>
Cc: Ross Burton <ross.burton@arm.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
NSS's build tries to be clever and passes for example -march=armv8-a+crypto
explicitly, instead of relying on the person doing the compilation to
set the right flags.
This conflicts with our compiler flags which typically pass the ideal
tune for the target, for example -mcpu=cortex-a55+crc+crypto.
When this happens GCC warns that the flags conflict (which was promoted
to an error, now fixed) and -march takes precedence over -mcpu.
As there's a huge number of potential tune flags to remove to avoid the
conflict, now that warnings are not fatal we can stop removing the flags
and let GCC warn as the generated code is the same.
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
-Werror should be used by developers and not packagers, because new
compiler flags or GCC versions can use new warnings.
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
The patch: nss-fix-nsinstall-build.patch is embedded specific
so set it's Upstream-Status to inappropriate.
Signed-off-by: Randy MacLeod <Randy.MacLeod@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
with newer compilers we are seeing new warnings, e.g.
error: argument 1 of type 'int[1]' with mismatched bound [-Werror=array-parameter=]
8 | extern void pr_static_assert(int arg[(((long unsigned int)-1) > (long unsigned int)1) ? 1 : -1]);
| ~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
with gcc11 and clang has its own set which triggers here as well, its
better to disable werror therefore, we still have warnings if someone
wants to fix them but they wont break the builds
Signed-off-by: Khem Raj <raj.khem@gmail.com>
getcwd() conforms to POSIX.1-2001 which leaves the behaviour when the
buf argument is NULL, undefined. This makes gcc 10+ throw the following
warning:
argument 1 is null but the corresponding size argument 2 value is 4096
Initially, this was fixed by disabling NSS_ENABLE_WERROR. This patch
re-enables NSS_ENABLE_WERROR (by leaving it to its default value) and
takes advantage of the existing functionality in nss that wraps the
getcwd call into a function making sure that the buf argument is always
properly allocated.
Signed-off-by: Andrei Gherzan <andrei.gherzan@huawei.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>