Open timur-davletshin opened 1 year ago
@timur-davletshin
Could you please try the following : Nss's Makefile :
#
# Copyright (C) 2019 Lucian Cristian
#
# This is free software, licensed under the GNU General Public License v2.
# See /LICENSE for more information.
#
include $(TOPDIR)/rules.mk
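# Package identity. PKG_VERSION drives both the tarball name and the
# NSS_<x>_<y>_RTM release directory (dots become underscores via $(subst)).
PKG_NAME:=nss
PKG_VERSION:=3.93
PKG_RELEASE:=1

# Upstream source, fetched over HTTPS from two Mozilla locations.
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
PKG_SOURCE_URL:= \
	https://download.cdn.mozilla.net/pub/security/$(PKG_NAME)/releases/NSS_$(subst .,_,$(PKG_VERSION))_RTM/src \
	https://archive.mozilla.org/pub/security/$(PKG_NAME)/releases/NSS_$(subst .,_,$(PKG_VERSION))_RTM/src
# Expected digest of the tarball named by PKG_SOURCE (64 hex digits). It is
# tied to PKG_VERSION: change both together, and take the new value from the
# upstream release rather than from whatever a mirror served. The check itself
# is done by the OpenWrt download machinery, which is not visible here.
PKG_HASH:=15f54bb72048eb105f8c0e936a04b899e74c3db9a19bbc1e00acee2af9476a8a

PKG_MAINTAINER:=Lucian Cristian <lucian.cristian@gmail.com>
# Spelled PKG_LICENSE to match PKG_LICENSE_FILES below; the previous spelling
# PKG_LICENCE is a different variable name, so the license was never recorded
# under the name the rest of the metadata uses.
PKG_LICENSE:=MPL-2.0
PKG_LICENSE_FILES:=nss/COPYING
# CPE identifier for NSS; presumably consumed by vulnerability tracking that
# matches packages against CVE feeds, so keep it accurate.
PKG_CPE_ID:=cpe:/a:mozilla:network_security_services

# Parallel builds are switched off for this package.
PKG_BUILD_PARALLEL:=0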
include $(INCLUDE_DIR)/package.mk
# Metadata for the runtime library package: menu placement, title, project
# URL and the packages it depends on (libpthread, libsqlite3, nspr).
define Package/libnss
  SECTION:=libs
  CATEGORY:=Libraries
  SUBMENU:=SSL
  TITLE:=Mozilla's SSL and TLS implementation
  URL:=https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS
  DEPENDS:=+libpthread +libsqlite3 +nspr
endef
# Metadata for the command-line tools package. Its only declared dependency
# is libnss, so the tools always run against the library built from this same
# Makefile.
define Package/nss-utils
  CATEGORY:=Utilities
  SECTION:=utils
  TITLE:=Utilities for Mozilla's SSL and TLS implementation
  URL:=https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS
  DEPENDS:=+libnss
endef
# Free-text description for libnss. Everything between define and endef is
# the text itself, so it is left exactly as written.
# NOTE(review): the standards listed below (including SSL v2 and v3) are
# descriptive text only; nothing in this Makefile shows which protocol
# versions the built library actually enables - confirm against the NSS
# release being packaged before relying on the list.
define Package/libnss/description
Network Security Services (NSS) is a set of libraries designed to support
cross-platform development of security-enabled client and server applications.
Applications built with NSS can support SSL v2 and v3, TLS, PKCS 5, PKCS 7,
PKCS 11, PKCS 12, S/MIME, X.509 v3 certificates, and other security standards.
endef
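# Both the configure step and the make step are pointed at the ./nss
# subdirectory.
CONFIGURE_PATH = ./nss
MAKE_PATH = ./nss

# Word size of the target: dump the target compiler's predefined macros and
# look for __LP64__. Assigned with := so the compiler and grep are run once,
# here, instead of on every later expansion of LBITS.
LBITS := $(shell $(TARGET_CC) -dM -E - </dev/null | grep -q "__LP64__" && echo 64 || echo 32)

# Export USE_64=1 to the NSS build only for 64-bit targets.
ifeq ($(LBITS),64)
  export USE_64=1
endif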
# Per-CPU adjustments. CONFIG_CPU_TYPE is compared against quoted literals,
# so the value is expected to carry its double quotes.

# XScale: select the softfp float ABI.
ifeq ($(CONFIG_CPU_TYPE),"xscale")
  TARGET_CFLAGS += -mfloat-abi=softfp
endif

# Geode: define DONT_DEFINE_USE_HW_AES for the C preprocessor. The macro only
# has an effect if the NSS sources are patched to test it; on an unpatched
# tree this flag changes nothing.
ifeq ($(CONFIG_CPU_TYPE),"geode")
  TARGET_CFLAGS += -DDONT_DEFINE_USE_HW_AES
endif

# ARM targets whose CPU type does not mention "neon": export the NSS knob
# that disables the 32-bit NEON code.
# NOTE(review): the variable is exported without a value. If the NSS
# makefiles test it with ifdef/ifndef, an empty value may not count as set -
# confirm, or export it as NSS_DISABLE_ARM32_NEON=1.
ifneq ($(findstring arm,$(CONFIG_ARCH)),)
  ifeq ($(findstring neon,$(CONFIG_CPU_TYPE)),)
    export NSS_DISABLE_ARM32_NEON
  endif
endif
# Environment for the NSS build: the host compiler and host flags under the
# NATIVE_* names, and warnings-as-errors switched off.
export NATIVE_CC=$(HOSTCC)
export NATIVE_FLAGS=$(HOST_CFLAGS)
export NSS_ENABLE_WERROR=0

# Variables appended to MAKE_FLAGS for the NSS make invocation, in the same
# order as before. Their meaning is defined by the NSS makefiles, not here.

# Build mode.
MAKE_FLAGS += \
	CROSS_COMPILE=1 \
	BUILD_OPT=1 \
	NSDISTMODE=copy

# Feature selection: no gtests, system SQLite (libnss depends on libsqlite3).
MAKE_FLAGS += \
	NSS_DISABLE_GTESTS=1 \
	NSS_USE_SYSTEM_SQLITE=1

# Target description and where to find the staged NSPR headers.
MAKE_FLAGS += \
	OS_ARCH=Linux \
	OS_TEST=$(ARCH) \
	fpic="$(FPIC)" \
	NSPR_INCLUDE_DIR=$(STAGING_DIR)/usr/include/nspr

# NOTE(review): going by its name this restricts NSS's RNG seeding to
# /dev/urandom; the exact effect lives in the NSS tree - confirm it is the
# intended entropy source for the target.
MAKE_FLAGS += \
	SEED_ONLY_DEV_URANDOM=1

MAKE_FLAGS += \
	NS_USE_GCC=1 \
	FREEBL_NO_DEPEND=1 \
	NSS_PKIX_NO_LDAP=1

# Size optimisation and the target compiler flags handed to NSS.
MAKE_FLAGS += \
	ALLOW_OPT_CODE_SIZE=1 \
	OPT_CODE_SIZE=1 \
	OS_REL_CFLAGS="$(TARGET_CFLAGS)"
# Configure step: compile nsinstall natively. It is built with the host
# compiler, host CFLAGS/LDFLAGS and host CPU_ARCH instead of the cross
# toolchain, by running make in nss/coreconf/nsinstall.
define Build/Configure
	CC="$(HOSTCC)" CPU_ARCH="$(HOST_ARCH)" \
	OS_REL_CFLAGS="$(HOST_CFLAGS)" LDFLAGS="$(HOST_LDFLAGS)" \
	USE_NATIVE=1 \
		$(MAKE) -C $(PKG_BUILD_DIR)/nss/coreconf/nsinstall
endef
# Compile step: hand the nss_build_all target to the default compile
# procedure (Build/Compile/Default comes from the included build system).
define Build/Compile
	$(call Build/Compile/Default,nss_build_all)
endef
# Configuration paths of libnss: the NSS database directory that the install
# step of this package populates with cert9.db, key4.db and pkcs11.txt.
# Presumably listed so the databases are treated as user configuration
# rather than replaceable package content - handled by package.mk, which is
# not visible here.
define Package/libnss/conffiles
/etc/pki/nssdb
endef
# Development install: headers, shared objects, pkg-config files and the
# nss-config script for other packages to build against. $(1) and $(2) are
# supplied by the caller (package.mk, not shown); $(1) receives the usr/ tree
# and $(2)/bin gets a link to nss-config.
# Private headers are copied first, then the public ones, into the same
# include directory. nss-config's prefix= line is rewritten to point at
# $(STAGING_DIR)/usr.
define Build/InstallDev
	$(INSTALL_DIR) $(2)/bin $(1)/usr/bin $(1)/usr/include/nss $(1)/usr/lib $(1)/usr/lib/pkgconfig
	$(CP) $(PKG_BUILD_DIR)/dist/private/nss/*.h $(1)/usr/include/nss/
	$(CP) $(PKG_BUILD_DIR)/dist/public/nss/*.h $(1)/usr/include/nss/
	$(CP) $(PKG_BUILD_DIR)/dist/build_dir/lib/*.so $(1)/usr/lib/
	$(CP) $(PKG_BUILD_DIR)/nss/config/*.pc $(1)/usr/lib/pkgconfig/
	$(CP) $(PKG_BUILD_DIR)/nss/config/nss-config $(1)/usr/bin/
	$(SED) 's,^\(prefix\)=.*,\1=$(STAGING_DIR)/usr,g' $(1)/usr/bin/nss-config
	$(LN) ../../usr/bin/nss-config $(2)/bin/
endef
# Install step for nss-utils: only certutil and pk12util are shipped, both
# copied from the build's dist/build_dir/bin into $(1)/usr/bin.
define Package/nss-utils/install
	$(INSTALL_DIR) $(1)/usr/bin
	$(CP) $(PKG_BUILD_DIR)/dist/build_dir/bin/certutil $(1)/usr/bin
	$(CP) $(PKG_BUILD_DIR)/dist/build_dir/bin/pk12util $(1)/usr/bin
endef
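# Install step for libnss. For now only the libraries libreswan needs are
# packaged. Besides the shared objects it ships a blank NSS database
# (cert9.db, key4.db, pkcs11.txt) under /etc/pki/nssdb and links the same
# three files into /etc/ipsec.d.
# The links are created with $(LN), as Build/InstallDev already does, so a
# repeated install into the same directory replaces an existing link instead
# of failing on it.
# NOTE(review): $(CP) keeps whatever mode files/blank-key4.db has in the
# package tree. key4.db is the NSS key database, so check that the mode
# shipped on the target is no broader than intended.
define Package/libnss/install
	$(INSTALL_DIR) $(1)/usr/lib $(1)/etc/pki/nssdb $(1)/etc/ipsec.d
	$(CP) $(PKG_BUILD_DIR)/dist/build_dir/lib/libfreebl3.so $(1)/usr/lib/
	$(CP) $(PKG_BUILD_DIR)/dist/build_dir/lib/libnss3.so $(1)/usr/lib/
	$(CP) $(PKG_BUILD_DIR)/dist/build_dir/lib/libnssckbi.so $(1)/usr/lib/
	$(CP) $(PKG_BUILD_DIR)/dist/build_dir/lib/libnssutil3.so $(1)/usr/lib/
	$(CP) $(PKG_BUILD_DIR)/dist/build_dir/lib/libsmime3.so $(1)/usr/lib/
	$(CP) $(PKG_BUILD_DIR)/dist/build_dir/lib/libsoftokn3.so $(1)/usr/lib/
	$(CP) $(PKG_BUILD_DIR)/dist/build_dir/lib/libssl3.so $(1)/usr/lib/
	# Provide databases with a blank certificate
	$(CP) ./files/blank-cert9.db $(1)/etc/pki/nssdb/cert9.db
	$(CP) ./files/blank-key4.db $(1)/etc/pki/nssdb/key4.db
	$(CP) ./files/system-pkcs11.txt $(1)/etc/pki/nssdb/pkcs11.txt
	$(LN) /etc/pki/nssdb/cert9.db $(1)/etc/ipsec.d/cert9.db
	$(LN) /etc/pki/nssdb/key4.db $(1)/etc/ipsec.d/key4.db
	$(LN) /etc/pki/nssdb/pkcs11.txt $(1)/etc/ipsec.d/pkcs11.txt
endef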
# Instantiate the two packages defined above. BuildPackage comes from the
# included package.mk and is evaluated once per package name.
$(eval $(call BuildPackage,nss-utils))
$(eval $(call BuildPackage,libnss))
A patch file inside NSS's patches folder, as usual: 001-geode.patch:
diff -Naur a/nss/lib/freebl/ctr.c b/nss/lib/freebl/ctr.c
--- a/nss/lib/freebl/ctr.c 2023-08-25 22:46:59.000000000 +0700
+++ b/nss/lib/freebl/ctr.c 2023-09-27 23:47:19.078967700 +0700
@@ -12,12 +12,14 @@
#include "pkcs11t.h"
#include "secerr.h"
+#ifndef DONT_DEFINE_USE_HW_AES
#ifdef USE_HW_AES
#ifdef NSS_X86_OR_X64
#include "intel-aes.h"
#endif
#include "rijndael.h"
#endif
+#endif
#if defined(__ARM_NEON) || defined(__ARM_NEON__)
#include <arm_neon.h>
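Review bot: Wrapping each `#ifdef USE_HW_AES` region in `#ifndef DONT_DEFINE_USE_HW_AES` only hides the regions this patch happens to touch; despite its name, the new macro does not stop USE_HW_AES from being defined, so any hardware-AES block not listed here stays compiled (ctr.h, intel-gcm-wrap.c and rijndael.c get the same wrapper, other files may not). A single switch is easier to audit: `#ifdef DONT_DEFINE_USE_HW_AES` / `#undef USE_HW_AES` / `#endif` in one header that every freebl source includes, or not passing the define for this target at all. Where USE_HW_AES gets set is not visible in this patch, so the placement needs checking. It is also worth confirming, from a disassembly at the faulting address in the dmesg line, that the trap really is in a hardware-AES path before relying on this guard.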
@@ -209,6 +211,7 @@
return SECSuccess;
}
+#ifndef DONT_DEFINE_USE_HW_AES
#if defined(USE_HW_AES) && defined(_MSC_VER) && defined(NSS_X86_OR_X64)
SECStatus
CTR_Update_HW_AES(CTRContext *ctr, unsigned char *outbuf,
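Review bot: The guard added before `CTR_Update_HW_AES` cannot change a GCC build, because the function is already conditional on `_MSC_VER` in the line right after it and the Makefile on this page builds with `NS_USE_GCC=1`. It is harmless, but it should not be counted as part of the Geode fix; if it stays, a comment such as `/* no effect outside MSVC builds; kept for symmetry with ctr.h */` would say so. The function body continues outside the hunk.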
@@ -274,3 +277,4 @@
return SECSuccess;
}
#endif
+#endif
\ No newline at end of file
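Review bot: The closing `#endif` added at the end of ctr.c carries no comment, and the patched file no longer ends in a newline (the `\ No newline at end of file` marker follows the added line); the last hunks of ctr.h and intel-gcm-wrap.c have both problems too. With several conditionals closing within a few lines, label the new one, e.g. `#endif /* !DONT_DEFINE_USE_HW_AES */`, and end each file with a newline, since some compilers warn about a missing one.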
diff -Naur a/nss/lib/freebl/ctr.h b/nss/lib/freebl/ctr.h
--- a/nss/lib/freebl/ctr.h 2023-08-25 22:46:59.000000000 +0700
+++ b/nss/lib/freebl/ctr.h 2023-09-27 23:48:03.847965100 +0700
@@ -42,6 +42,7 @@
const unsigned char *inbuf, unsigned int inlen,
unsigned int blocksize);
+#ifndef DONT_DEFINE_USE_HW_AES
#ifdef USE_HW_AES
SECStatus CTR_Update_HW_AES(CTRContext *ctr, unsigned char *outbuf,
unsigned int *outlen, unsigned int maxout,
@@ -50,3 +51,4 @@
#endif
#endif
+#endif
\ No newline at end of file
diff -Naur a/nss/lib/freebl/intel-gcm-wrap.c b/nss/lib/freebl/intel-gcm-wrap.c
--- a/nss/lib/freebl/intel-gcm-wrap.c 2023-08-25 22:46:59.000000000 +0700
+++ b/nss/lib/freebl/intel-gcm-wrap.c 2023-09-27 23:49:42.135698300 +0700
@@ -5,6 +5,7 @@
/* Wrapper functions for Intel optimized implementation of AES-GCM */
+#ifndef DONT_DEFINE_USE_HW_AES
#ifdef USE_HW_AES
#ifdef FREEBL_NO_DEPEND
@@ -473,3 +474,4 @@
return SECSuccess;
}
#endif
+#endif
\ No newline at end of file
diff -Naur a/nss/lib/freebl/rijndael.c b/nss/lib/freebl/rijndael.c
--- a/nss/lib/freebl/rijndael.c 2023-08-25 22:46:59.000000000 +0700
+++ b/nss/lib/freebl/rijndael.c 2023-09-27 23:50:55.551786000 +0700
@@ -29,6 +29,7 @@
#include "ppc-crypto.h"
#endif
+#ifndef DONT_DEFINE_USE_HW_AES
#ifdef USE_HW_AES
#ifdef NSS_X86_OR_X64
#include "intel-aes.h"
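Review bot: In rijndael.c the new guard covers only the header includes, so any code further down the file that is still conditional on `USE_HW_AES` would be compiled without the declarations from intel-aes.h or aes-armv8.h. Those use sites are outside the hunks shown, so this is inferred rather than seen; if they exist, the build either fails on undeclared functions or, where implicit declarations are tolerated, keeps the hardware path in the binary. Undefining the macro here instead, `#ifdef DONT_DEFINE_USE_HW_AES` / `#undef USE_HW_AES` / `#endif` placed before the `#ifdef USE_HW_AES` line, would switch off the includes and every later use together.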
@@ -36,6 +37,7 @@
#include "aes-armv8.h"
#endif
#endif /* USE_HW_AES */
+#endif
#ifdef INTEL_GCM
#include "intel-gcm.h"
#endif /* INTEL_GCM */
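Review bot: The `INTEL_GCM` include just below the new `#endif` stays outside the guard, while the intel-gcm-wrap.c hunks of this same patch compile that whole file away when `DONT_DEFINE_USE_HW_AES` is set. If `INTEL_GCM` is still defined for the Geode build, rijndael.c may keep referencing wrapper functions that no longer exist, which would surface as an unresolved symbol in libfreebl3.so. Either keep the two conditions in step or, once it has been verified, record next to the guard why they cannot diverge, e.g. `/* INTEL_GCM is never defined when DONT_DEFINE_USE_HW_AES is set */`.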
AIO compressed archive : nss-geode-test.zip
Maintainer: @lucize
Environment: (Geode(TM) Integrated Processor by AMD PCS, Alix Board, OpenWrt 22.03.05 and 23.05.0-rc3)
Description:
I believe it is related to the compilation options of the nss-utils package (and those it depends on).
Steps to reproduce:
During CA generation it will generate "Illegal instruction", with the following line in dmesg:
traps: certutil[8135] trap invalid opcode ip:b7b2c5a4 sp:bf8e49d0 error:0 in libfreebl3.so[b7acb000+62000]
P.S. I posted it at the forum already, but I am also submitting it here in order to respect formalities - https://forum.openwrt.org/t/nss-utils-i386-illegal-instruction