Update to NSS 3.49.2
parent
6e689ce0cb
commit
36505c331d
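--- a/.gitignore
+++ b/.gitignore
@@ -44,3 +44,4 @@ TestUser51.cert
 /nss-3.47.1.tar.gz
 /nss-3.48.tar.gz
 /nss-3.49.tar.gz
+/nss-3.49.2.tar.gz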
@ -1,159 +0,0 @@
|
|||||||
# HG changeset patch
|
|
||||||
# User Mike Hommey <mh@glandium.org>
|
|
||||||
# Date 1578673372 -3600
|
|
||||||
# Fri Jan 10 17:22:52 2020 +0100
|
|
||||||
# Node ID 9c359d019d333282476ffeec3dab819cfdcf127e
|
|
||||||
# Parent 4921046404f197526969a6b79f19c136469e69f8
|
|
||||||
Bug 1608327 - Fix freebl arm NEON code use on tier3 platforms.
|
|
||||||
|
|
||||||
Summary:
|
|
||||||
Despite the code having runtime detection of NEON and crypto extensions,
|
|
||||||
the optimized code using those instructions is disabled at build time on
|
|
||||||
platforms where the compiler doesn't enable NEON by default of with the
|
|
||||||
flags it's given for the caller code.
|
|
||||||
|
|
||||||
In the case of gcm, this goes as far as causing a build error.
|
|
||||||
|
|
||||||
What is needed is for the optimized code to be enabled in every case,
|
|
||||||
letting the caller code choose whether to use that code based on the
|
|
||||||
existing runtime checks.
|
|
||||||
|
|
||||||
But this can't be simply done either, because those optimized parts of
|
|
||||||
the code need to be built with NEON enabled, unconditionally, but that
|
|
||||||
is not compatible with platforms using the softfloat ABI. For those,
|
|
||||||
we need to use the softfp ABI, which is compatible. However, the softfp
|
|
||||||
ABI is not compatible with the hardfp ABI, so we also can't
|
|
||||||
unconditionally use the softfp ABI, so we do so only when the compiler
|
|
||||||
targets the softfloat ABI, which confusingly enough is advertized via
|
|
||||||
the `__SOFTFP__` define.
|
|
||||||
|
|
||||||
Reviewers: jcj!
|
|
||||||
|
|
||||||
Bug #: 1608327
|
|
||||||
|
|
||||||
Differential Revision: https://phabricator.services.mozilla.com/D59451
|
|
||||||
|
|
||||||
diff --git a/lib/freebl/Makefile b/lib/freebl/Makefile
|
|
||||||
--- a/lib/freebl/Makefile
|
|
||||||
+++ b/lib/freebl/Makefile
|
|
||||||
@@ -781,8 +781,12 @@ ifdef INTEL_GCM_CLANG_CL
|
|
||||||
endif
|
|
||||||
|
|
||||||
ifeq ($(CPU_ARCH),arm)
|
|
||||||
-$(OBJDIR)/$(PROG_PREFIX)aes-armv8$(OBJ_SUFFIX): CFLAGS += -march=armv8-a -mfpu=crypto-neon-fp-armv8
|
|
||||||
-$(OBJDIR)/$(PROG_PREFIX)gcm-arm32-neon$(OBJ_SUFFIX): CFLAGS += -mfpu=neon
|
|
||||||
+# When the compiler uses the softfloat ABI, we want to use the compatible softfp ABI when
|
|
||||||
+# enabling NEON for these objects.
|
|
||||||
+# Confusingly, __SOFTFP__ is the name of the define for the softfloat ABI, not for the softfp ABI.
|
|
||||||
+USES_SOFTFLOAT_ABI := $(shell $(CC) -o - -E -dM - $(CFLAGS) < /dev/null | grep __SOFTFP__ > /dev/null && echo 1)
|
|
||||||
+$(OBJDIR)/$(PROG_PREFIX)aes-armv8$(OBJ_SUFFIX): CFLAGS += -march=armv8-a -mfpu=crypto-neon-fp-armv8$(if $(USES_SOFTFLOAT_ABI), -mfloat-abi=softfp)
|
|
||||||
+$(OBJDIR)/$(PROG_PREFIX)gcm-arm32-neon$(OBJ_SUFFIX): CFLAGS += -mfpu=neon$(if $(USES_SOFTFLOAT_ABI), -mfloat-abi=softfp)
|
|
||||||
endif
|
|
||||||
ifeq ($(CPU_ARCH),aarch64)
|
|
||||||
$(OBJDIR)/$(PROG_PREFIX)aes-armv8$(OBJ_SUFFIX): CFLAGS += -march=armv8-a+crypto
|
|
||||||
diff --git a/lib/freebl/aes-armv8.c b/lib/freebl/aes-armv8.c
|
|
||||||
--- a/lib/freebl/aes-armv8.c
|
|
||||||
+++ b/lib/freebl/aes-armv8.c
|
|
||||||
@@ -8,7 +8,7 @@
|
|
||||||
#if ((defined(__clang__) || \
|
|
||||||
(defined(__GNUC__) && defined(__GNUC_MINOR__) && \
|
|
||||||
(__GNUC__ > 4 || (__GNUC__ == 4 && __GNUC_MINOR__ > 8)))) && \
|
|
||||||
- (defined(__ARM_NEON) || defined(__ARM_NEON__)))
|
|
||||||
+ defined(IS_LITTLE_ENDIAN))
|
|
||||||
|
|
||||||
#ifndef __ARM_FEATURE_CRYPTO
|
|
||||||
#error "Compiler option is invalid"
|
|
||||||
diff --git a/lib/freebl/freebl.gyp b/lib/freebl/freebl.gyp
|
|
||||||
--- a/lib/freebl/freebl.gyp
|
|
||||||
+++ b/lib/freebl/freebl.gyp
|
|
||||||
@@ -126,10 +126,12 @@
|
|
||||||
'<(DEPTH)/exports.gyp:nss_exports'
|
|
||||||
],
|
|
||||||
'cflags': [
|
|
||||||
- '-mfpu=neon'
|
|
||||||
+ '-mfpu=neon',
|
|
||||||
+ '<@(softfp_cflags)',
|
|
||||||
],
|
|
||||||
'cflags_mozilla': [
|
|
||||||
- '-mfpu=neon'
|
|
||||||
+ '-mfpu=neon',
|
|
||||||
+ '<@(softfp_cflags)',
|
|
||||||
]
|
|
||||||
},
|
|
||||||
{
|
|
||||||
@@ -179,11 +181,13 @@
|
|
||||||
[ 'target_arch=="arm"', {
|
|
||||||
'cflags': [
|
|
||||||
'-march=armv8-a',
|
|
||||||
- '-mfpu=crypto-neon-fp-armv8'
|
|
||||||
+ '-mfpu=crypto-neon-fp-armv8',
|
|
||||||
+ '<@(softfp_cflags)',
|
|
||||||
],
|
|
||||||
'cflags_mozilla': [
|
|
||||||
'-march=armv8-a',
|
|
||||||
- '-mfpu=crypto-neon-fp-armv8'
|
|
||||||
+ '-mfpu=crypto-neon-fp-armv8',
|
|
||||||
+ '<@(softfp_cflags)',
|
|
||||||
],
|
|
||||||
}, 'target_arch=="arm64" or target_arch=="aarch64"', {
|
|
||||||
'cflags': [
|
|
||||||
@@ -533,6 +537,11 @@
|
|
||||||
}, {
|
|
||||||
'have_int128_support%': 0,
|
|
||||||
}],
|
|
||||||
+ [ 'target_arch=="arm"', {
|
|
||||||
+ # When the compiler uses the softfloat ABI, we want to use the compatible softfp ABI when enabling NEON for these objects.
|
|
||||||
+ # Confusingly, __SOFTFP__ is the name of the define for the softfloat ABI, not for the softfp ABI.
|
|
||||||
+ 'softfp_cflags': '<!(${CC:-cc} -o - -E -dM - ${CFLAGS} < /dev/null | grep __SOFTFP__ > /dev/null && echo -mfloat-abi=softfp || true)',
|
|
||||||
+ }],
|
|
||||||
],
|
|
||||||
}
|
|
||||||
}
|
|
||||||
diff --git a/lib/freebl/gcm-arm32-neon.c b/lib/freebl/gcm-arm32-neon.c
|
|
||||||
--- a/lib/freebl/gcm-arm32-neon.c
|
|
||||||
+++ b/lib/freebl/gcm-arm32-neon.c
|
|
||||||
@@ -11,7 +11,7 @@
|
|
||||||
#include "secerr.h"
|
|
||||||
#include "prtypes.h"
|
|
||||||
|
|
||||||
-#if defined(__ARM_NEON__) || defined(__ARM_NEON)
|
|
||||||
+#if defined(IS_LITTLE_ENDIAN)
|
|
||||||
|
|
||||||
#include <arm_neon.h>
|
|
||||||
|
|
||||||
@@ -199,4 +199,4 @@ gcm_HashZeroX_hw(gcmHashContext *ghash)
|
|
||||||
return SECSuccess;
|
|
||||||
}
|
|
||||||
|
|
||||||
-#endif /* __ARM_NEON__ || __ARM_NEON */
|
|
||||||
+#endif /* IS_LITTLE_ENDIAN */
|
|
||||||
diff --git a/lib/freebl/gcm.c b/lib/freebl/gcm.c
|
|
||||||
--- a/lib/freebl/gcm.c
|
|
||||||
+++ b/lib/freebl/gcm.c
|
|
||||||
@@ -21,11 +21,8 @@
|
|
||||||
#if defined(__aarch64__) && defined(IS_LITTLE_ENDIAN) && \
|
|
||||||
(defined(__clang__) || defined(__GNUC__) && __GNUC__ > 6)
|
|
||||||
#define USE_ARM_GCM
|
|
||||||
-#elif defined(__arm__) && defined(IS_LITTLE_ENDIAN) && \
|
|
||||||
- (defined(__ARM_NEON__) || defined(__ARM_NEON))
|
|
||||||
-/* We don't test on big endian platform, so disable this on big endian.
|
|
||||||
- * Also, we don't check whether compiler support NEON well, so this uses
|
|
||||||
- * that compiler uses -mfpu=neon only. */
|
|
||||||
+#elif defined(__arm__) && defined(IS_LITTLE_ENDIAN)
|
|
||||||
+/* We don't test on big endian platform, so disable this on big endian. */
|
|
||||||
#define USE_ARM_GCM
|
|
||||||
#endif
|
|
||||||
|
|
||||||
diff --git a/lib/freebl/rijndael.c b/lib/freebl/rijndael.c
|
|
||||||
--- a/lib/freebl/rijndael.c
|
|
||||||
+++ b/lib/freebl/rijndael.c
|
|
||||||
@@ -20,8 +20,7 @@
|
|
||||||
#include "gcm.h"
|
|
||||||
#include "mpi.h"
|
|
||||||
|
|
||||||
-#if (!defined(IS_LITTLE_ENDIAN) && !defined(NSS_X86_OR_X64)) || \
|
|
||||||
- (defined(__arm__) && !defined(__ARM_NEON) && !defined(__ARM_NEON__))
|
|
||||||
+#if !defined(IS_LITTLE_ENDIAN) && !defined(NSS_X86_OR_X64)
|
|
||||||
// not test yet on big endian platform of arm
|
|
||||||
#undef USE_HW_AES
|
|
||||||
#endif
|
|
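--- a/nss-tls13-default.patch
+++ b/nss-tls13-default.patch
@@ -0,0 +1,12 @@
+diff -up nss/lib/ssl/sslsock.c.tls13-default nss/lib/ssl/sslsock.c
+--- nss/lib/ssl/sslsock.c.tls13-default 2020-01-27 10:21:44.930830558 +0100
++++ nss/lib/ssl/sslsock.c 2020-01-27 10:21:47.419852229 +0100
+@@ -97,7 +97,7 @@ static sslOptions ssl_defaults = {
+*/
+static SSLVersionRange versions_defaults_stream = {
+SSL_LIBRARY_VERSION_TLS_1_0,
+- SSL_LIBRARY_VERSION_TLS_1_3
++ SSL_LIBRARY_VERSION_TLS_1_2
+};
+
+static SSLVersionRange versions_defaults_datagram = {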
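Review bot: The patched `versions_defaults_stream` now tops out at `SSL_LIBRARY_VERSION_TLS_1_2` for every build, while the only reason recorded for it (in nss.spec) is FIPS mode, where HKDF support in PKCS #11 is missing. Applications that rely on the library default rather than setting a version range would therefore appear to lose TLS 1.3 outside FIPS mode as well, unless a system policy overrides the range. The patch file carries no description of its own, so I would add one above its `diff -up` line, for example `Temporarily cap the default stream version range at TLS 1.2 (#1794814); drop once TLS 1.3 works in FIPS mode`. The datagram defaults start on the last context line and continue outside the hunk, so whether they need matching treatment cannot be judged from here.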
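--- a/nss.spec
+++ b/nss.spec
@@ -1,5 +1,5 @@
 %global nspr_version 4.24.0
-%global nss_version 3.49.0
+%global nss_version 3.49.2
 %global unsupported_tools_directory %{_libdir}/nss/unsupported-tools
 %global saved_files_dir %{_libdir}/nss/saved
 %global dracutlibdir %{_prefix}/lib/dracut
@@ -107,8 +107,11 @@ Patch2: nss-539183.patch
 Patch4: iquote.patch
 # add missing ike mechanism to softoken
 Patch10: nss-3.47-ike-fix.patch
-# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1608327
-Patch11: nss-3.49-neon-build-fixes.patch
+# To revert the upstream change:
+# https://bugzilla.mozilla.org/show_bug.cgi?id=1573118
+# as it still doesn't work under FIPS mode because of missing HKDF
+# support in PKCS #11.
+Patch11: nss-tls13-default.patch
 
 %description
 Network Security Services (NSS) is a set of libraries designed to
@@ -877,6 +880,10 @@ update-crypto-policies &> /dev/null || :
 
 
 %changelog
+* Mon Jan 27 2020 Daiki Ueno <dueno@redhat.com> - 3.49.2-1
+- Update to NSS 3.49.2
+- Don't enable TLS 1.3 by default (#1794814)
+
 * Fri Jan 10 2020 Daiki Ueno <dueno@redhat.com> - 3.49.0-1
 - Update to NSS 3.49
 - Fix build on armv7hl with the patch proposed in upstream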
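Review bot: The `Patch11` slot is reused for an unrelated patch, and the new changelog entry does not record that `nss-3.49-neon-build-fixes.patch` was dropped. Anyone reading the package history cannot tell whether the NEON build fix was removed on purpose or is now carried by the 3.49.2 tarball (presumably the latter, but the page does not say). I would add a changelog line such as `- Drop nss-3.49-neon-build-fixes.patch` with the reason. The comment above `Patch11` should also cite the downstream bug from the changelog, `(#1794814)`, so the TLS 1.3 revert can be traced and removed once the FIPS limitation is resolved. The `%prep` lines that apply `Patch11` are outside the visible hunks, so confirm the existing invocation still fits the new patch's path layout.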
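--- a/sources
+++ b/sources
@@ -3,4 +3,4 @@ SHA512 (blank-cert9.db) = 2f8eab4c0612210ee47db8a3a80c1b58a0b43849551af78c7da403
 SHA512 (blank-key3.db) = 01f7314e9fc8a7c9aa997652624cfcde213d18a6b3bb31840c1a60bbd662e56b5bc3221d13874abb42ce78163b225a6dfce2e1326cf6dd29366ad9c28ba5a71c
 SHA512 (blank-key4.db) = 8fedae93af7163da23fe9492ea8e785a44c291604fa98e58438448efb69c85d3253fc22b926d5c3209c62e58a86038fd4d78a1c4c068bc00600a7f3e5382ebe7
 SHA512 (blank-secmod.db) = 06a2dbd861839ef6315093459328b500d3832333a34b30e6fac4a2503af337f014a4d319f0f93322409e719142904ce8bc08252ae9a4f37f30d4c3312e900310
-SHA512 (nss-3.49.tar.gz) = 7d8df73a2e585585a7cb3f887af3f933854984479531b3dd30316873bdd92c130e2fadb54e7b3b1f0b10675b1bce09112ef39860d74ef6f0df7b57bf430bd072
+SHA512 (nss-3.49.2.tar.gz) = fe0fe032db15853384a50b145dd6f3187a855109f0b81f1846312d33f8c628aededcbca4d199f974ae52530aec3f2312f80afbca3e5b97ed1ff96fcffafd2881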