diff --git a/nss b/nss
index ffdd772..c27ad2a 160000
--- a/nss
+++ b/nss
@@ -1 +1 @@
-Subproject commit ffdd7722592e0d0a5e6f15d06876b9c336f8acf2
+Subproject commit c27ad2a50710d7111b3d95633824c19bae794549
diff --git a/rpm/nss-3.47-ike-fix.patch b/rpm/nss-3.47-ike-fix.patch
deleted file mode 100644
index 2dc0b06..0000000
--- a/rpm/nss-3.47-ike-fix.patch
+++ /dev/null
@@ -1,22 +0,0 @@
-diff -up ./nss/lib/softoken/pkcs11.c.ike_fix ./nss/lib/softoken/pkcs11.c
---- ./nss/lib/softoken/pkcs11.c.ike_fix 2019-11-04 10:15:08.022176945 -0800
-+++ ./nss/lib/softoken/pkcs11.c 2019-11-04 10:17:35.396733750 -0800
-@@ -330,7 +330,7 @@ static const struct mechanismList mechan
- { CKM_AES_CTS, { 16, 32, CKF_EN_DE }, PR_TRUE },
- { CKM_AES_CTR, { 16, 32, CKF_EN_DE }, PR_TRUE },
- { CKM_AES_GCM, { 16, 32, CKF_EN_DE }, PR_TRUE },
-- { CKM_AES_XCBC_MAC_96, { 16, 16, CKF_SN_VR }, PR_TRUE },
-+ { CKM_AES_XCBC_MAC_96, { 12, 12, CKF_SN_VR }, PR_TRUE },
- { CKM_AES_XCBC_MAC, { 16, 16, CKF_SN_VR }, PR_TRUE },
- /* ------------------------- Camellia Operations --------------------- */
- { CKM_CAMELLIA_KEY_GEN, { 16, 32, CKF_GENERATE }, PR_TRUE },
-@@ -518,7 +518,8 @@ static const struct mechanismList mechan
- /* --------------------IPSEC ----------------------- */
- { CKM_NSS_IKE_PRF_PLUS_DERIVE, { 8, 255 * 64, CKF_DERIVE }, PR_TRUE },
- { CKM_NSS_IKE_PRF_DERIVE, { 8, 64, CKF_DERIVE }, PR_TRUE },
-- { CKM_NSS_IKE1_PRF_DERIVE, { 8, 64, CKF_DERIVE }, PR_TRUE }
-+ { CKM_NSS_IKE1_PRF_DERIVE, { 8, 64, CKF_DERIVE }, PR_TRUE },
-+ { CKM_NSS_IKE1_APP_B_PRF_DERIVE, { 8, 255 * 64, CKF_DERIVE }, PR_TRUE }
- };
- static const CK_ULONG mechanismCount = sizeof(mechanisms) / sizeof(mechanisms[0]);
-
diff --git a/rpm/nss-3.49-neon-build-fixes.patch b/rpm/nss-3.49-neon-build-fixes.patch
deleted file mode 100644
index 88e173d..0000000
--- a/rpm/nss-3.49-neon-build-fixes.patch
+++ /dev/null
@@ -1,159 +0,0 @@ -# HG changeset patch -# User Mike Hommey -# Date 1578673372 -3600 -# Fri Jan 10 17:22:52 2020 +0100 -# Node ID 9c359d019d333282476ffeec3dab819cfdcf127e -# Parent 4921046404f197526969a6b79f19c136469e69f8 -Bug 1608327 - Fix freebl arm NEON code use on tier3 platforms. - -Summary: -Despite the code having runtime detection of NEON and crypto extensions, -the optimized code using those instructions is disabled at build time on -platforms where the compiler doesn't enable NEON by default of with the -flags it's given for the caller code. - -In the case of gcm, this goes as far as causing a build error. - -What is needed is for the optimized code to be enabled in every case, -letting the caller code choose whether to use that code based on the -existing runtime checks. - -But this can't be simply done either, because those optimized parts of -the code need to be built with NEON enabled, unconditionally, but that -is not compatible with platforms using the softfloat ABI. For those, -we need to use the softfp ABI, which is compatible. However, the softfp -ABI is not compatible with the hardfp ABI, so we also can't -unconditionally use the softfp ABI, so we do so only when the compiler -targets the softfloat ABI, which confusingly enough is advertized via -the `__SOFTFP__` define. - -Reviewers: jcj! - -Bug #: 1608327 - -Differential Revision: https://phabricator.services.mozilla.com/D59451 - -diff --git ./nss/lib/freebl/Makefile ./nss/lib/freebl/Makefile ---- ./nss/lib/freebl/Makefile -+++ ./nss/lib/freebl/Makefile -@@ -781,8 +781,12 @@ ifdef INTEL_GCM_CLANG_CL - endif - - ifeq ($(CPU_ARCH),arm) --$(OBJDIR)/$(PROG_PREFIX)aes-armv8$(OBJ_SUFFIX): CFLAGS += -march=armv8-a -mfpu=crypto-neon-fp-armv8 --$(OBJDIR)/$(PROG_PREFIX)gcm-arm32-neon$(OBJ_SUFFIX): CFLAGS += -mfpu=neon -+# When the compiler uses the softfloat ABI, we want to use the compatible softfp ABI when -+# enabling NEON for these objects. 
-+# Confusingly, __SOFTFP__ is the name of the define for the softfloat ABI, not for the softfp ABI. -+USES_SOFTFLOAT_ABI := $(shell $(CC) -o - -E -dM - $(CFLAGS) < /dev/null | grep __SOFTFP__ > /dev/null && echo 1) -+$(OBJDIR)/$(PROG_PREFIX)aes-armv8$(OBJ_SUFFIX): CFLAGS += -march=armv8-a -mfpu=crypto-neon-fp-armv8$(if $(USES_SOFTFLOAT_ABI), -mfloat-abi=softfp) -+$(OBJDIR)/$(PROG_PREFIX)gcm-arm32-neon$(OBJ_SUFFIX): CFLAGS += -mfpu=neon$(if $(USES_SOFTFLOAT_ABI), -mfloat-abi=softfp) - endif - ifeq ($(CPU_ARCH),aarch64) - $(OBJDIR)/$(PROG_PREFIX)aes-armv8$(OBJ_SUFFIX): CFLAGS += -march=armv8-a+crypto -diff --git ./nss/lib/freebl/aes-armv8.c ./nss/lib/freebl/aes-armv8.c ---- ./nss/lib/freebl/aes-armv8.c -+++ ./nss/lib/freebl/aes-armv8.c -@@ -8,7 +8,7 @@ - #if ((defined(__clang__) || \ - (defined(__GNUC__) && defined(__GNUC_MINOR__) && \ - (__GNUC__ > 4 || (__GNUC__ == 4 && __GNUC_MINOR__ > 8)))) && \ -- (defined(__ARM_NEON) || defined(__ARM_NEON__))) -+ defined(IS_LITTLE_ENDIAN)) - - #ifndef __ARM_FEATURE_CRYPTO - #error "Compiler option is invalid" -diff --git ./nss/lib/freebl/freebl.gyp ./nss/lib/freebl/freebl.gyp ---- ./nss/lib/freebl/freebl.gyp -+++ ./nss/lib/freebl/freebl.gyp -@@ -126,10 +126,12 @@ - '<(DEPTH)/exports.gyp:nss_exports' - ], - 'cflags': [ -- '-mfpu=neon' -+ '-mfpu=neon', -+ '<@(softfp_cflags)', - ], - 'cflags_mozilla': [ -- '-mfpu=neon' -+ '-mfpu=neon', -+ '<@(softfp_cflags)', - ] - }, - { -@@ -179,11 +181,13 @@ - [ 'target_arch=="arm"', { - 'cflags': [ - '-march=armv8-a', -- '-mfpu=crypto-neon-fp-armv8' -+ '-mfpu=crypto-neon-fp-armv8', -+ '<@(softfp_cflags)', - ], - 'cflags_mozilla': [ - '-march=armv8-a', -- '-mfpu=crypto-neon-fp-armv8' -+ '-mfpu=crypto-neon-fp-armv8', -+ '<@(softfp_cflags)', - ], - }, 'target_arch=="arm64" or target_arch=="aarch64"', { - 'cflags': [ -@@ -533,6 +537,11 @@ - }, { - 'have_int128_support%': 0, - }], -+ [ 'target_arch=="arm"', { -+ # When the compiler uses the softfloat ABI, we want to use the compatible softfp ABI 
when enabling NEON for these objects. -+ # Confusingly, __SOFTFP__ is the name of the define for the softfloat ABI, not for the softfp ABI. -+ 'softfp_cflags': ' /dev/null && echo -mfloat-abi=softfp || true)', -+ }], - ], - } - } -diff --git ./nss/lib/freebl/gcm-arm32-neon.c ./nss/lib/freebl/gcm-arm32-neon.c ---- ./nss/lib/freebl/gcm-arm32-neon.c -+++ ./nss/lib/freebl/gcm-arm32-neon.c -@@ -11,7 +11,7 @@ - #include "secerr.h" - #include "prtypes.h" - --#if defined(__ARM_NEON__) || defined(__ARM_NEON) -+#if defined(IS_LITTLE_ENDIAN) - - #include - -@@ -199,4 +199,4 @@ gcm_HashZeroX_hw(gcmHashContext *ghash) - return SECSuccess; - } - --#endif /* __ARM_NEON__ || __ARM_NEON */ -+#endif /* IS_LITTLE_ENDIAN */ -diff --git ./nss/lib/freebl/gcm.c ./nss/lib/freebl/gcm.c ---- ./nss/lib/freebl/gcm.c -+++ ./nss/lib/freebl/gcm.c -@@ -21,11 +21,8 @@ - #if defined(__aarch64__) && defined(IS_LITTLE_ENDIAN) && \ - (defined(__clang__) || defined(__GNUC__) && __GNUC__ > 6) - #define USE_ARM_GCM --#elif defined(__arm__) && defined(IS_LITTLE_ENDIAN) && \ -- (defined(__ARM_NEON__) || defined(__ARM_NEON)) --/* We don't test on big endian platform, so disable this on big endian. -- * Also, we don't check whether compiler support NEON well, so this uses -- * that compiler uses -mfpu=neon only. */ -+#elif defined(__arm__) && defined(IS_LITTLE_ENDIAN) -+/* We don't test on big endian platform, so disable this on big endian. */ - #define USE_ARM_GCM - #endif - -diff --git ./nss/lib/freebl/rijndael.c ./nss/lib/freebl/rijndael.c ---- ./nss/lib/freebl/rijndael.c -+++ ./nss/lib/freebl/rijndael.c -@@ -20,8 +20,7 @@ - #include "gcm.h" - #include "mpi.h" - --#if (!defined(IS_LITTLE_ENDIAN) && !defined(NSS_X86_OR_X64)) || \ -- (defined(__arm__) && !defined(__ARM_NEON) && !defined(__ARM_NEON__)) -+#if !defined(IS_LITTLE_ENDIAN) && !defined(NSS_X86_OR_X64) - // not test yet on big endian platform of arm - #undef USE_HW_AES - #endif 
diff --git a/rpm/nss-nolocalsql.patch b/rpm/nss-nolocalsql.patch
deleted file mode 100644
index cc41755..0000000
--- a/rpm/nss-nolocalsql.patch
+++ /dev/null
@@ -1,34 +0,0 @@
---- nss/lib/Makefile 2010/11/16 13:55:53 1.1
-+++ nss/lib/Makefile 2010/11/16 13:57:29
-@@ -62,11 +62,11 @@
- ZLIB_SRCDIR = zlib # Add the zlib directory to DIRS.
- endif
-
--ifndef MOZILLA_CLIENT
--ifndef NSS_USE_SYSTEM_SQLITE
--SQLITE_SRCDIR = sqlite # Add the sqlite directory to DIRS.
--endif
--endif
-+#ifndef MOZILLA_CLIENT
-+#ifndef NSS_USE_SYSTEM_SQLITE
-+#SQLITE_SRCDIR = sqlite # Add the sqlite directory to DIRS.
-+#endif
-+#endif
-
- ifndef MOZILLA_CLIENT
- ifeq ($(OS_ARCH),Linux)
---- nss/lib/softoken/manifest.mn 2010/11/16 13:56:14 1.1
-+++ nss/lib/softoken/manifest.mn 2010/11/16 13:58:24
-@@ -47,9 +47,9 @@
-
- DEFINES += -DSHLIB_SUFFIX=\"$(DLL_SUFFIX)\" -DSHLIB_PREFIX=\"$(DLL_PREFIX)\" -DSOFTOKEN_LIB_NAME=\"$(notdir $(SHARED_LIBRARY))\" -DSHLIB_VERSION=\"$(LIBRARY_VERSION)\"
-
--ifdef SQLITE_INCLUDE_DIR
--INCLUDES += -I$(SQLITE_INCLUDE_DIR)
--endif
-+#ifdef SQLITE_INCLUDE_DIR
-+#INCLUDES += -I$(SQLITE_INCLUDE_DIR)
-+#endif
-
- EXPORTS = \
- secmodt.h \
diff --git a/rpm/nss.spec b/rpm/nss.spec
index a8fc2b5..32b8b8c 100644
--- a/rpm/nss.spec
+++ b/rpm/nss.spec
@@ -1,4 +1,4 @@
-%global nspr_version 4.24
+%global nspr_version 4.29
 %global unsupported_tools_directory %{_libdir}/nss/unsupported-tools
 %global saved_files_dir %{_libdir}/nss/saved
 %global dracutlibdir %{_prefix}/lib/dracut
@@ -30,7 +30,7 @@ Summary: Network Security Services
 Name: nss
-Version: 3.49
+Version: 3.58
 Release: 1
 License: MPLv2.0
 URL: http://www.mozilla.org/projects/security/pki/nss/
@@ -40,13 +40,12 @@ Requires: nss-softokn%{_isa} >= %{version}
 Requires: nss-system-init
 Requires: p11-kit-trust
 BuildRequires: nspr-devel >= %{nspr_version}
-BuildRequires: sqlite-devel
+BuildRequires: pkgconfig(sqlite3)
 BuildRequires: zlib-devel
 BuildRequires: pkgconfig
 BuildRequires: gawk
 BuildRequires: psmisc
 BuildRequires: perl
-BuildRequires: cmake
 Source0: %{name}-%{version}.tar.gz
 Source1: nss-util.pc.in
@@ -75,14 +74,9 @@ Source27: secmod.db.xml
 Source28: nss-p11-kit.config
-Patch1: nss-nolocalsql.patch
 Patch2: add-relro-linker-option.patch
 Patch3: renegotiate-transitional.patch
 Patch8: nss-sysinit-userdb-first.patch
-# add missing ike mechanism to softoken
-Patch10: nss-3.47-ike-fix.patch
-# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1608327
-Patch11: nss-3.49-neon-build-fixes.patch
 # Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=617723
 Patch16: nss-539183.patch
 # TODO remove when we switch to building nss without softoken
@@ -224,12 +218,9 @@ Header and library files for doing development with Network Security Services.
 %prep
 %setup -q -n %{name}-%{version}/%{name}
-%patch1 -p1 -b .nolocalsql
 %patch2 -p1 -b .relro
 %patch3 -p1 -b .transitional
 %patch8 -p2 -b .sysinit_userdb
-%patch10 -p2 -b .ike_fix
-%patch11 -p2 -b .neon_build
 %patch16 -p2 -b .539183
 %patch49 -p2 -b .skip_bltest
 %patch50 -p1 -b .iquote
@@ -238,19 +229,18 @@ Header and library files for doing development with Network Security Services.
 %build
-FREEBL_NO_DEPEND=1
-export FREEBL_NO_DEPEND
+# TODO: new build system with gyp & ninja
+
+export FREEBL_NO_DEPEND=1
 # Must export FREEBL_LOWHASH=1 for nsslowhash.h so that it gets
 # copied to dist and the rpm install phase can find it
 # This due of the upstream changes to fix
 # https://bugzilla.mozilla.org/show_bug.cgi?id=717906
-FREEBL_LOWHASH=1
-export FREEBL_LOWHASH
+export FREEBL_LOWHASH=1
 # Enable FIPS startup test
-NSS_FORCE_FIPS=1
-export NSS_FORCE_FIPS
+export NSS_FORCE_FIPS=1
 # Enable compiler optimizations and disable debugging code
 export BUILD_OPT=1
@@ -260,38 +250,28 @@ export BUILD_OPT=1
 #export RPM_OPT_FLAGS
 # Generate symbolic info for debuggers
-XCFLAGS=$RPM_OPT_FLAGS
-export XCFLAGS
-
-LDFLAGS=$RPM_LD_FLAGS
-export LDFLAGS
-
-PKG_CONFIG_ALLOW_SYSTEM_LIBS=1
-PKG_CONFIG_ALLOW_SYSTEM_CFLAGS=1
+export XCFLAGS=$RPM_OPT_FLAGS
-export PKG_CONFIG_ALLOW_SYSTEM_LIBS
-export PKG_CONFIG_ALLOW_SYSTEM_CFLAGS
+export LDFLAGS=$RPM_LD_FLAGS
-NSPR_INCLUDE_DIR=`/usr/bin/pkg-config --cflags-only-I nspr | sed 's/-I//'`
-NSPR_LIB_DIR=%{_libdir}
+export PKG_CONFIG_ALLOW_SYSTEM_LIBS=1
+export PKG_CONFIG_ALLOW_SYSTEM_CFLAGS=1
-export NSPR_INCLUDE_DIR
-export NSPR_LIB_DIR
+export NSPR_INCLUDE_DIR=`/usr/bin/pkg-config --cflags-only-I nspr | sed 's/-I//'`
+export NSPR_LIB_DIR=%{_libdir}
-export NSSUTIL_INCLUDE_DIR=`/usr/bin/pkg-config --cflags-only-I nss-util | sed 's/-I//'`
-export NSSUTIL_LIB_DIR=%{_libdir}
+export NSS_USE_SYSTEM_SQLITE=1
-NSS_USE_SYSTEM_SQLITE=1
-export NSS_USE_SYSTEM_SQLITE
+export USE_SYSTEM_ZLIB=1
+export ZLIB_LIBS=-lz
-export NSS_ALLOW_SSLKEYLOGFILE=1
+#export NSS_ALLOW_SSLKEYLOGFILE=1
 export NSS_DISABLE_GTESTS=1
 %ifnarch noarch
 %if 0%{__isa_bits} == 64
-USE_64=1
-export USE_64
+export USE_64=1
 %endif
 %endif
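Review bot: `export XCFLAGS=$RPM_OPT_FLAGS` and `export LDFLAGS=$RPM_LD_FLAGS` expand unquoted multi-word values inside an `export` argument, whereas the removed two-step form (`XCFLAGS=$RPM_OPT_FLAGS`, then `export XCFLAGS`) was a plain assignment that is never field-split. bash treats `export NAME=value` like an assignment, but a /bin/sh following the older POSIX rules may split on the spaces, so the export either fails or keeps only the first flag; which shell runs %build is not visible here, and RPM_OPT_FLAGS typically carries the distribution's hardening options. Quoting removes the dependency: `export XCFLAGS="$RPM_OPT_FLAGS"` and `export LDFLAGS="$RPM_LD_FLAGS"`, and likewise around the backtick substitution on the `NSPR_INCLUDE_DIR` line. Separately, `#export NSS_ALLOW_SSLKEYLOGFILE=1` reads as leftover code; if key logging is meant to stay off in packaged builds, a comment such as `# SSLKEYLOGFILE support intentionally not compiled in: it lets the environment dump TLS secrets` would record that.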
@@ -299,10 +279,6 @@ export USE_64
 export IN_TREE_FREEBL_HEADERS_FIRST=1
 ##### phase 2: build the rest of nss
-export NSS_BLTEST_NOT_AVAILABLE=1
-
-%{__make} -C coreconf
-%{__make} -C lib/dbm
 # Set the policy file location
 # if set NSS will always check for the policy file and load if it exists
@@ -310,11 +286,12 @@ export POLICY_FILE="nss.config"
 # location of the policy file
 export POLICY_PATH="/etc/crypto-policies/back-ends"
-%{__make}
+%{__make} all
+%{__make} latest
+
 # This will copy to dist dir and sign libraries
 %{__make} install
-unset NSS_BLTEST_NOT_AVAILABLE
 # Disable man pages, since make dont find xmlto command.
 # build the man pages clean
@@ -741,6 +718,7 @@ update-crypto-policies &> /dev/null || :
 %{_includedir}/nss3/p12plcy.h
 %{_includedir}/nss3/p12t.h
 %{_includedir}/nss3/pk11func.h
+%{_includedir}/nss3/pk11hpke.h
 %{_includedir}/nss3/pk11pqg.h
 %{_includedir}/nss3/pk11priv.h
 %{_includedir}/nss3/pk11pub.h