Commit 91246913 authored by Matti Kosola

Merge branch 'jb51592' into 'master'

Update to version 3.58

See merge request !14
parents 98e1e7a0 77272537
Subproject commit ffdd7722592e0d0a5e6f15d06876b9c336f8acf2
Subproject commit c27ad2a50710d7111b3d95633824c19bae794549
diff -up ./nss/lib/softoken/pkcs11.c.ike_fix ./nss/lib/softoken/pkcs11.c
--- ./nss/lib/softoken/pkcs11.c.ike_fix 2019-11-04 10:15:08.022176945 -0800
+++ ./nss/lib/softoken/pkcs11.c 2019-11-04 10:17:35.396733750 -0800
@@ -330,7 +330,7 @@ static const struct mechanismList mechan
{ CKM_AES_CTS, { 16, 32, CKF_EN_DE }, PR_TRUE },
{ CKM_AES_CTR, { 16, 32, CKF_EN_DE }, PR_TRUE },
{ CKM_AES_GCM, { 16, 32, CKF_EN_DE }, PR_TRUE },
- { CKM_AES_XCBC_MAC_96, { 16, 16, CKF_SN_VR }, PR_TRUE },
+ { CKM_AES_XCBC_MAC_96, { 12, 12, CKF_SN_VR }, PR_TRUE },
{ CKM_AES_XCBC_MAC, { 16, 16, CKF_SN_VR }, PR_TRUE },
/* ------------------------- Camellia Operations --------------------- */
{ CKM_CAMELLIA_KEY_GEN, { 16, 32, CKF_GENERATE }, PR_TRUE },
@@ -518,7 +518,8 @@ static const struct mechanismList mechan
/* --------------------IPSEC ----------------------- */
{ CKM_NSS_IKE_PRF_PLUS_DERIVE, { 8, 255 * 64, CKF_DERIVE }, PR_TRUE },
{ CKM_NSS_IKE_PRF_DERIVE, { 8, 64, CKF_DERIVE }, PR_TRUE },
- { CKM_NSS_IKE1_PRF_DERIVE, { 8, 64, CKF_DERIVE }, PR_TRUE }
+ { CKM_NSS_IKE1_PRF_DERIVE, { 8, 64, CKF_DERIVE }, PR_TRUE },
+ { CKM_NSS_IKE1_APP_B_PRF_DERIVE, { 8, 255 * 64, CKF_DERIVE }, PR_TRUE }
};
static const CK_ULONG mechanismCount = sizeof(mechanisms) / sizeof(mechanisms[0]);
# HG changeset patch
# User Mike Hommey <mh@glandium.org>
# Date 1578673372 -3600
# Fri Jan 10 17:22:52 2020 +0100
# Node ID 9c359d019d333282476ffeec3dab819cfdcf127e
# Parent 4921046404f197526969a6b79f19c136469e69f8
Bug 1608327 - Fix freebl arm NEON code use on tier3 platforms.
Summary:
Despite the code having runtime detection of NEON and crypto extensions,
the optimized code using those instructions is disabled at build time on
platforms where the compiler doesn't enable NEON by default of with the
flags it's given for the caller code.
In the case of gcm, this goes as far as causing a build error.
What is needed is for the optimized code to be enabled in every case,
letting the caller code choose whether to use that code based on the
existing runtime checks.
But this can't be simply done either, because those optimized parts of
the code need to be built with NEON enabled, unconditionally, but that
is not compatible with platforms using the softfloat ABI. For those,
we need to use the softfp ABI, which is compatible. However, the softfp
ABI is not compatible with the hardfp ABI, so we also can't
unconditionally use the softfp ABI, so we do so only when the compiler
targets the softfloat ABI, which confusingly enough is advertized via
the `__SOFTFP__` define.
Reviewers: jcj!
Bug #: 1608327
Differential Revision: https://phabricator.services.mozilla.com/D59451
diff --git ./nss/lib/freebl/Makefile ./nss/lib/freebl/Makefile
--- ./nss/lib/freebl/Makefile
+++ ./nss/lib/freebl/Makefile
@@ -781,8 +781,12 @@ ifdef INTEL_GCM_CLANG_CL
endif
ifeq ($(CPU_ARCH),arm)
-$(OBJDIR)/$(PROG_PREFIX)aes-armv8$(OBJ_SUFFIX): CFLAGS += -march=armv8-a -mfpu=crypto-neon-fp-armv8
-$(OBJDIR)/$(PROG_PREFIX)gcm-arm32-neon$(OBJ_SUFFIX): CFLAGS += -mfpu=neon
+# When the compiler uses the softfloat ABI, we want to use the compatible softfp ABI when
+# enabling NEON for these objects.
+# Confusingly, __SOFTFP__ is the name of the define for the softfloat ABI, not for the softfp ABI.
+USES_SOFTFLOAT_ABI := $(shell $(CC) -o - -E -dM - $(CFLAGS) < /dev/null | grep __SOFTFP__ > /dev/null && echo 1)
+$(OBJDIR)/$(PROG_PREFIX)aes-armv8$(OBJ_SUFFIX): CFLAGS += -march=armv8-a -mfpu=crypto-neon-fp-armv8$(if $(USES_SOFTFLOAT_ABI), -mfloat-abi=softfp)
+$(OBJDIR)/$(PROG_PREFIX)gcm-arm32-neon$(OBJ_SUFFIX): CFLAGS += -mfpu=neon$(if $(USES_SOFTFLOAT_ABI), -mfloat-abi=softfp)
endif
ifeq ($(CPU_ARCH),aarch64)
$(OBJDIR)/$(PROG_PREFIX)aes-armv8$(OBJ_SUFFIX): CFLAGS += -march=armv8-a+crypto
diff --git ./nss/lib/freebl/aes-armv8.c ./nss/lib/freebl/aes-armv8.c
--- ./nss/lib/freebl/aes-armv8.c
+++ ./nss/lib/freebl/aes-armv8.c
@@ -8,7 +8,7 @@
#if ((defined(__clang__) || \
(defined(__GNUC__) && defined(__GNUC_MINOR__) && \
(__GNUC__ > 4 || (__GNUC__ == 4 && __GNUC_MINOR__ > 8)))) && \
- (defined(__ARM_NEON) || defined(__ARM_NEON__)))
+ defined(IS_LITTLE_ENDIAN))
#ifndef __ARM_FEATURE_CRYPTO
#error "Compiler option is invalid"
diff --git ./nss/lib/freebl/freebl.gyp ./nss/lib/freebl/freebl.gyp
--- ./nss/lib/freebl/freebl.gyp
+++ ./nss/lib/freebl/freebl.gyp
@@ -126,10 +126,12 @@
'<(DEPTH)/exports.gyp:nss_exports'
],
'cflags': [
- '-mfpu=neon'
+ '-mfpu=neon',
+ '<@(softfp_cflags)',
],
'cflags_mozilla': [
- '-mfpu=neon'
+ '-mfpu=neon',
+ '<@(softfp_cflags)',
]
},
{
@@ -179,11 +181,13 @@
[ 'target_arch=="arm"', {
'cflags': [
'-march=armv8-a',
- '-mfpu=crypto-neon-fp-armv8'
+ '-mfpu=crypto-neon-fp-armv8',
+ '<@(softfp_cflags)',
],
'cflags_mozilla': [
'-march=armv8-a',
- '-mfpu=crypto-neon-fp-armv8'
+ '-mfpu=crypto-neon-fp-armv8',
+ '<@(softfp_cflags)',
],
}, 'target_arch=="arm64" or target_arch=="aarch64"', {
'cflags': [
@@ -533,6 +537,11 @@
}, {
'have_int128_support%': 0,
}],
+ [ 'target_arch=="arm"', {
+ # When the compiler uses the softfloat ABI, we want to use the compatible softfp ABI when enabling NEON for these objects.
+ # Confusingly, __SOFTFP__ is the name of the define for the softfloat ABI, not for the softfp ABI.
+ 'softfp_cflags': '<!(${CC:-cc} -o - -E -dM - ${CFLAGS} < /dev/null | grep __SOFTFP__ > /dev/null && echo -mfloat-abi=softfp || true)',
+ }],
],
}
}
diff --git ./nss/lib/freebl/gcm-arm32-neon.c ./nss/lib/freebl/gcm-arm32-neon.c
--- ./nss/lib/freebl/gcm-arm32-neon.c
+++ ./nss/lib/freebl/gcm-arm32-neon.c
@@ -11,7 +11,7 @@
#include "secerr.h"
#include "prtypes.h"
-#if defined(__ARM_NEON__) || defined(__ARM_NEON)
+#if defined(IS_LITTLE_ENDIAN)
#include <arm_neon.h>
@@ -199,4 +199,4 @@ gcm_HashZeroX_hw(gcmHashContext *ghash)
return SECSuccess;
}
-#endif /* __ARM_NEON__ || __ARM_NEON */
+#endif /* IS_LITTLE_ENDIAN */
diff --git ./nss/lib/freebl/gcm.c ./nss/lib/freebl/gcm.c
--- ./nss/lib/freebl/gcm.c
+++ ./nss/lib/freebl/gcm.c
@@ -21,11 +21,8 @@
#if defined(__aarch64__) && defined(IS_LITTLE_ENDIAN) && \
(defined(__clang__) || defined(__GNUC__) && __GNUC__ > 6)
#define USE_ARM_GCM
-#elif defined(__arm__) && defined(IS_LITTLE_ENDIAN) && \
- (defined(__ARM_NEON__) || defined(__ARM_NEON))
-/* We don't test on big endian platform, so disable this on big endian.
- * Also, we don't check whether compiler support NEON well, so this uses
- * that compiler uses -mfpu=neon only. */
+#elif defined(__arm__) && defined(IS_LITTLE_ENDIAN)
+/* We don't test on big endian platform, so disable this on big endian. */
#define USE_ARM_GCM
#endif
diff --git ./nss/lib/freebl/rijndael.c ./nss/lib/freebl/rijndael.c
--- ./nss/lib/freebl/rijndael.c
+++ ./nss/lib/freebl/rijndael.c
@@ -20,8 +20,7 @@
#include "gcm.h"
#include "mpi.h"
-#if (!defined(IS_LITTLE_ENDIAN) && !defined(NSS_X86_OR_X64)) || \
- (defined(__arm__) && !defined(__ARM_NEON) && !defined(__ARM_NEON__))
+#if !defined(IS_LITTLE_ENDIAN) && !defined(NSS_X86_OR_X64)
// not test yet on big endian platform of arm
#undef USE_HW_AES
#endif
--- nss/lib/Makefile 2010/11/16 13:55:53 1.1
+++ nss/lib/Makefile 2010/11/16 13:57:29
@@ -62,11 +62,11 @@
ZLIB_SRCDIR = zlib # Add the zlib directory to DIRS.
endif
-ifndef MOZILLA_CLIENT
-ifndef NSS_USE_SYSTEM_SQLITE
-SQLITE_SRCDIR = sqlite # Add the sqlite directory to DIRS.
-endif
-endif
+#ifndef MOZILLA_CLIENT
+#ifndef NSS_USE_SYSTEM_SQLITE
+#SQLITE_SRCDIR = sqlite # Add the sqlite directory to DIRS.
+#endif
+#endif
ifndef MOZILLA_CLIENT
ifeq ($(OS_ARCH),Linux)
--- nss/lib/softoken/manifest.mn 2010/11/16 13:56:14 1.1
+++ nss/lib/softoken/manifest.mn 2010/11/16 13:58:24
@@ -47,9 +47,9 @@
DEFINES += -DSHLIB_SUFFIX=\"$(DLL_SUFFIX)\" -DSHLIB_PREFIX=\"$(DLL_PREFIX)\" -DSOFTOKEN_LIB_NAME=\"$(notdir $(SHARED_LIBRARY))\" -DSHLIB_VERSION=\"$(LIBRARY_VERSION)\"
-ifdef SQLITE_INCLUDE_DIR
-INCLUDES += -I$(SQLITE_INCLUDE_DIR)
-endif
+#ifdef SQLITE_INCLUDE_DIR
+#INCLUDES += -I$(SQLITE_INCLUDE_DIR)
+#endif
EXPORTS = \
secmodt.h \
%global nspr_version 4.24
%global nspr_version 4.29
%global unsupported_tools_directory %{_libdir}/nss/unsupported-tools
%global saved_files_dir %{_libdir}/nss/saved
%global dracutlibdir %{_prefix}/lib/dracut
......@@ -30,7 +30,7 @@
Summary: Network Security Services
Name: nss
Version: 3.49
Version: 3.58
Release: 1
License: MPLv2.0
URL: http://www.mozilla.org/projects/security/pki/nss/
......@@ -40,13 +40,12 @@ Requires: nss-softokn%{_isa} >= %{version}
Requires: nss-system-init
Requires: p11-kit-trust
BuildRequires: nspr-devel >= %{nspr_version}
BuildRequires: sqlite-devel
BuildRequires: pkgconfig(sqlite3)
BuildRequires: zlib-devel
BuildRequires: pkgconfig
BuildRequires: gawk
BuildRequires: psmisc
BuildRequires: perl
BuildRequires: cmake
Source0: %{name}-%{version}.tar.gz
Source1: nss-util.pc.in
......@@ -75,14 +74,9 @@ Source27: secmod.db.xml
Source28: nss-p11-kit.config
Patch1: nss-nolocalsql.patch
Patch2: add-relro-linker-option.patch
Patch3: renegotiate-transitional.patch
Patch8: nss-sysinit-userdb-first.patch
# add missing ike mechanism to softoken
Patch10: nss-3.47-ike-fix.patch
# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1608327
Patch11: nss-3.49-neon-build-fixes.patch
# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=617723
Patch16: nss-539183.patch
# TODO remove when we switch to building nss without softoken
......@@ -224,12 +218,9 @@ Header and library files for doing development with Network Security Services.
%prep
%setup -q -n %{name}-%{version}/%{name}
%patch1 -p1 -b .nolocalsql
%patch2 -p1 -b .relro
%patch3 -p1 -b .transitional
%patch8 -p2 -b .sysinit_userdb
%patch10 -p2 -b .ike_fix
%patch11 -p2 -b .neon_build
%patch16 -p2 -b .539183
%patch49 -p2 -b .skip_bltest
%patch50 -p1 -b .iquote
......@@ -238,19 +229,18 @@ Header and library files for doing development with Network Security Services.
%build
FREEBL_NO_DEPEND=1
export FREEBL_NO_DEPEND
# TODO: new build system with gyp & ninja
export FREEBL_NO_DEPEND=1
# Must export FREEBL_LOWHASH=1 for nsslowhash.h so that it gets
# copied to dist and the rpm install phase can find it
# This due of the upstream changes to fix
# https://bugzilla.mozilla.org/show_bug.cgi?id=717906
FREEBL_LOWHASH=1
export FREEBL_LOWHASH
export FREEBL_LOWHASH=1
# Enable FIPS startup test
NSS_FORCE_FIPS=1
export NSS_FORCE_FIPS
export NSS_FORCE_FIPS=1
# Enable compiler optimizations and disable debugging code
export BUILD_OPT=1
......@@ -260,38 +250,28 @@ export BUILD_OPT=1
#export RPM_OPT_FLAGS
# Generate symbolic info for debuggers
XCFLAGS=$RPM_OPT_FLAGS
export XCFLAGS
LDFLAGS=$RPM_LD_FLAGS
export LDFLAGS
PKG_CONFIG_ALLOW_SYSTEM_LIBS=1
PKG_CONFIG_ALLOW_SYSTEM_CFLAGS=1
export XCFLAGS=$RPM_OPT_FLAGS
export PKG_CONFIG_ALLOW_SYSTEM_LIBS
export PKG_CONFIG_ALLOW_SYSTEM_CFLAGS
export LDFLAGS=$RPM_LD_FLAGS
NSPR_INCLUDE_DIR=`/usr/bin/pkg-config --cflags-only-I nspr | sed 's/-I//'`
NSPR_LIB_DIR=%{_libdir}
export PKG_CONFIG_ALLOW_SYSTEM_LIBS=1
export PKG_CONFIG_ALLOW_SYSTEM_CFLAGS=1
export NSPR_INCLUDE_DIR
export NSPR_LIB_DIR
export NSPR_INCLUDE_DIR=`/usr/bin/pkg-config --cflags-only-I nspr | sed 's/-I//'`
export NSPR_LIB_DIR=%{_libdir}
export NSSUTIL_INCLUDE_DIR=`/usr/bin/pkg-config --cflags-only-I nss-util | sed 's/-I//'`
export NSSUTIL_LIB_DIR=%{_libdir}
export NSS_USE_SYSTEM_SQLITE=1
NSS_USE_SYSTEM_SQLITE=1
export NSS_USE_SYSTEM_SQLITE
export USE_SYSTEM_ZLIB=1
export ZLIB_LIBS=-lz
export NSS_ALLOW_SSLKEYLOGFILE=1
#export NSS_ALLOW_SSLKEYLOGFILE=1
export NSS_DISABLE_GTESTS=1
%ifnarch noarch
%if 0%{__isa_bits} == 64
USE_64=1
export USE_64
export USE_64=1
%endif
%endif
......@@ -299,10 +279,6 @@ export USE_64
export IN_TREE_FREEBL_HEADERS_FIRST=1
##### phase 2: build the rest of nss
export NSS_BLTEST_NOT_AVAILABLE=1
%{__make} -C coreconf
%{__make} -C lib/dbm
# Set the policy file location
# if set NSS will always check for the policy file and load if it exists
......@@ -310,11 +286,12 @@ export POLICY_FILE="nss.config"
# location of the policy file
export POLICY_PATH="/etc/crypto-policies/back-ends"
%{__make}
%{__make} all
%{__make} latest
# This will copy to dist dir and sign libraries
%{__make} install
unset NSS_BLTEST_NOT_AVAILABLE
# Disable man pages, since make dont find xmlto command.
# build the man pages clean
......@@ -741,6 +718,7 @@ update-crypto-policies &> /dev/null || :
%{_includedir}/nss3/p12plcy.h
%{_includedir}/nss3/p12t.h
%{_includedir}/nss3/pk11func.h
%{_includedir}/nss3/pk11hpke.h
%{_includedir}/nss3/pk11pqg.h
%{_includedir}/nss3/pk11priv.h
%{_includedir}/nss3/pk11pub.h
......
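Review bot: The one-line exports in %build, `export XCFLAGS=$RPM_OPT_FLAGS` and `export LDFLAGS=$RPM_LD_FLAGS`, leave the expansion unquoted; they appear to be the new side, replacing the assign-then-export pairs. A plain assignment never field-splits, but an argument to `export` can in shells that treat it as an ordinary builtin, so if the build shell is not bash a multi-word flag set may be cut to its first word. These variables typically carry the distribution's compiler and linker hardening flags, so quoting is the safer form: `export XCFLAGS="$RPM_OPT_FLAGS"` and `export LDFLAGS="$RPM_LD_FLAGS"`. Separately, the commented-out `#export NSS_ALLOW_SSLKEYLOGFILE=1` would be clearer with a one-line comment saying that TLS key logging is intentionally left disabled, so it is not re-enabled by accident.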