From 36505c331d5057ddbb0117d5515167c10edffade Mon Sep 17 00:00:00 2001 From: Daiki Ueno Date: Mon, 27 Jan 2020 10:24:30 +0100 Subject: [PATCH] Update to NSS 3.49.2 --- .gitignore | 1 + nss-3.49-neon-build-fixes.patch | 159 -------------------------------- nss-tls13-default.patch | 12 +++ nss.spec | 13 ++- sources | 2 +- 5 files changed, 24 insertions(+), 163 deletions(-) delete mode 100644 nss-3.49-neon-build-fixes.patch create mode 100644 nss-tls13-default.patch diff --git a/.gitignore b/.gitignore index 0f864ee..484dd7b 100644 --- a/.gitignore +++ b/.gitignore @@ -44,3 +44,4 @@ TestUser51.cert /nss-3.47.1.tar.gz /nss-3.48.tar.gz /nss-3.49.tar.gz +/nss-3.49.2.tar.gz diff --git a/nss-3.49-neon-build-fixes.patch b/nss-3.49-neon-build-fixes.patch deleted file mode 100644 index 7ac5b0f..0000000 --- a/nss-3.49-neon-build-fixes.patch +++ /dev/null @@ -1,159 +0,0 @@ -# HG changeset patch -# User Mike Hommey -# Date 1578673372 -3600 -# Fri Jan 10 17:22:52 2020 +0100 -# Node ID 9c359d019d333282476ffeec3dab819cfdcf127e -# Parent 4921046404f197526969a6b79f19c136469e69f8 -Bug 1608327 - Fix freebl arm NEON code use on tier3 platforms. - -Summary: -Despite the code having runtime detection of NEON and crypto extensions, -the optimized code using those instructions is disabled at build time on -platforms where the compiler doesn't enable NEON by default of with the -flags it's given for the caller code. - -In the case of gcm, this goes as far as causing a build error. - -What is needed is for the optimized code to be enabled in every case, -letting the caller code choose whether to use that code based on the -existing runtime checks. - -But this can't be simply done either, because those optimized parts of -the code need to be built with NEON enabled, unconditionally, but that -is not compatible with platforms using the softfloat ABI. For those, -we need to use the softfp ABI, which is compatible. However, the softfp -ABI is not compatible with the hardfp ABI, so we also can't -unconditionally use the softfp ABI, so we do so only when the compiler -targets the softfloat ABI, which confusingly enough is advertized via -the `__SOFTFP__` define. - -Reviewers: jcj! - -Bug #: 1608327 - -Differential Revision: https://phabricator.services.mozilla.com/D59451 - -diff --git a/lib/freebl/Makefile b/lib/freebl/Makefile ---- a/lib/freebl/Makefile -+++ b/lib/freebl/Makefile -@@ -781,8 +781,12 @@ ifdef INTEL_GCM_CLANG_CL - endif - - ifeq ($(CPU_ARCH),arm) --$(OBJDIR)/$(PROG_PREFIX)aes-armv8$(OBJ_SUFFIX): CFLAGS += -march=armv8-a -mfpu=crypto-neon-fp-armv8 --$(OBJDIR)/$(PROG_PREFIX)gcm-arm32-neon$(OBJ_SUFFIX): CFLAGS += -mfpu=neon -+# When the compiler uses the softfloat ABI, we want to use the compatible softfp ABI when -+# enabling NEON for these objects. -+# Confusingly, __SOFTFP__ is the name of the define for the softfloat ABI, not for the softfp ABI. -+USES_SOFTFLOAT_ABI := $(shell $(CC) -o - -E -dM - $(CFLAGS) < /dev/null | grep __SOFTFP__ > /dev/null && echo 1) -+$(OBJDIR)/$(PROG_PREFIX)aes-armv8$(OBJ_SUFFIX): CFLAGS += -march=armv8-a -mfpu=crypto-neon-fp-armv8$(if $(USES_SOFTFLOAT_ABI), -mfloat-abi=softfp) -+$(OBJDIR)/$(PROG_PREFIX)gcm-arm32-neon$(OBJ_SUFFIX): CFLAGS += -mfpu=neon$(if $(USES_SOFTFLOAT_ABI), -mfloat-abi=softfp) - endif - ifeq ($(CPU_ARCH),aarch64) - $(OBJDIR)/$(PROG_PREFIX)aes-armv8$(OBJ_SUFFIX): CFLAGS += -march=armv8-a+crypto -diff --git a/lib/freebl/aes-armv8.c b/lib/freebl/aes-armv8.c ---- a/lib/freebl/aes-armv8.c -+++ b/lib/freebl/aes-armv8.c -@@ -8,7 +8,7 @@ - #if ((defined(__clang__) || \ - (defined(__GNUC__) && defined(__GNUC_MINOR__) && \ - (__GNUC__ > 4 || (__GNUC__ == 4 && __GNUC_MINOR__ > 8)))) && \ -- (defined(__ARM_NEON) || defined(__ARM_NEON__))) -+ defined(IS_LITTLE_ENDIAN)) - - #ifndef __ARM_FEATURE_CRYPTO - #error "Compiler option is invalid" -diff --git a/lib/freebl/freebl.gyp b/lib/freebl/freebl.gyp ---- a/lib/freebl/freebl.gyp -+++ b/lib/freebl/freebl.gyp -@@ -126,10 +126,12 @@ - '<(DEPTH)/exports.gyp:nss_exports' - ], - 'cflags': [ -- '-mfpu=neon' -+ '-mfpu=neon', -+ '<@(softfp_cflags)', - ], - 'cflags_mozilla': [ -- '-mfpu=neon' -+ '-mfpu=neon', -+ '<@(softfp_cflags)', - ] - }, - { -@@ -179,11 +181,13 @@ - [ 'target_arch=="arm"', { - 'cflags': [ - '-march=armv8-a', -- '-mfpu=crypto-neon-fp-armv8' -+ '-mfpu=crypto-neon-fp-armv8', -+ '<@(softfp_cflags)', - ], - 'cflags_mozilla': [ - '-march=armv8-a', -- '-mfpu=crypto-neon-fp-armv8' -+ '-mfpu=crypto-neon-fp-armv8', -+ '<@(softfp_cflags)', - ], - }, 'target_arch=="arm64" or target_arch=="aarch64"', { - 'cflags': [ -@@ -533,6 +537,11 @@ - }, { - 'have_int128_support%': 0, - }], -+ [ 'target_arch=="arm"', { -+ # When the compiler uses the softfloat ABI, we want to use the compatible softfp ABI when enabling NEON for these objects. -+ # Confusingly, __SOFTFP__ is the name of the define for the softfloat ABI, not for the softfp ABI. -+ 'softfp_cflags': ' /dev/null && echo -mfloat-abi=softfp || true)', -+ }], - ], - } - } -diff --git a/lib/freebl/gcm-arm32-neon.c b/lib/freebl/gcm-arm32-neon.c ---- a/lib/freebl/gcm-arm32-neon.c -+++ b/lib/freebl/gcm-arm32-neon.c -@@ -11,7 +11,7 @@ - #include "secerr.h" - #include "prtypes.h" - --#if defined(__ARM_NEON__) || defined(__ARM_NEON) -+#if defined(IS_LITTLE_ENDIAN) - - #include - -@@ -199,4 +199,4 @@ gcm_HashZeroX_hw(gcmHashContext *ghash) - return SECSuccess; - } - --#endif /* __ARM_NEON__ || __ARM_NEON */ -+#endif /* IS_LITTLE_ENDIAN */ -diff --git a/lib/freebl/gcm.c b/lib/freebl/gcm.c ---- a/lib/freebl/gcm.c -+++ b/lib/freebl/gcm.c -@@ -21,11 +21,8 @@ - #if defined(__aarch64__) && defined(IS_LITTLE_ENDIAN) && \ - (defined(__clang__) || defined(__GNUC__) && __GNUC__ > 6) - #define USE_ARM_GCM --#elif defined(__arm__) && defined(IS_LITTLE_ENDIAN) && \ -- (defined(__ARM_NEON__) || defined(__ARM_NEON)) --/* We don't test on big endian platform, so disable this on big endian. -- * Also, we don't check whether compiler support NEON well, so this uses -- * that compiler uses -mfpu=neon only. */ -+#elif defined(__arm__) && defined(IS_LITTLE_ENDIAN) -+/* We don't test on big endian platform, so disable this on big endian. */ - #define USE_ARM_GCM - #endif - -diff --git a/lib/freebl/rijndael.c b/lib/freebl/rijndael.c ---- a/lib/freebl/rijndael.c -+++ b/lib/freebl/rijndael.c -@@ -20,8 +20,7 @@ - #include "gcm.h" - #include "mpi.h" - --#if (!defined(IS_LITTLE_ENDIAN) && !defined(NSS_X86_OR_X64)) || \ -- (defined(__arm__) && !defined(__ARM_NEON) && !defined(__ARM_NEON__)) -+#if !defined(IS_LITTLE_ENDIAN) && !defined(NSS_X86_OR_X64) - // not test yet on big endian platform of arm - #undef USE_HW_AES - #endif diff --git a/nss-tls13-default.patch b/nss-tls13-default.patch new file mode 100644 index 0000000..ffdca50 --- /dev/null +++ b/nss-tls13-default.patch @@ -0,0 +1,12 @@ +diff -up nss/lib/ssl/sslsock.c.tls13-default nss/lib/ssl/sslsock.c +--- nss/lib/ssl/sslsock.c.tls13-default 2020-01-27 10:21:44.930830558 +0100 ++++ nss/lib/ssl/sslsock.c 2020-01-27 10:21:47.419852229 +0100 +@@ -97,7 +97,7 @@ static sslOptions ssl_defaults = { + */ + static SSLVersionRange versions_defaults_stream = { + SSL_LIBRARY_VERSION_TLS_1_0, +- SSL_LIBRARY_VERSION_TLS_1_3 ++ SSL_LIBRARY_VERSION_TLS_1_2 + }; + + static SSLVersionRange versions_defaults_datagram = { diff --git a/nss.spec b/nss.spec index 992c111..7b22961 100644 --- a/nss.spec +++ b/nss.spec @@ -1,5 +1,5 @@ %global nspr_version 4.24.0 -%global nss_version 3.49.0 +%global nss_version 3.49.2 %global unsupported_tools_directory %{_libdir}/nss/unsupported-tools %global saved_files_dir %{_libdir}/nss/saved %global dracutlibdir %{_prefix}/lib/dracut @@ -107,8 +107,11 @@ Patch2: nss-539183.patch Patch4: iquote.patch # add missing ike mechanism to softoken Patch10: nss-3.47-ike-fix.patch -# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1608327 -Patch11: nss-3.49-neon-build-fixes.patch +# To revert the upstream change: +# https://bugzilla.mozilla.org/show_bug.cgi?id=1573118 +# as it still doesn't work under FIPS mode because of missing HKDF +# support in PKCS #11. +Patch11: nss-tls13-default.patch %description Network Security Services (NSS) is a set of libraries designed to @@ -877,6 +880,10 @@ update-crypto-policies &> /dev/null || : %changelog +* Mon Jan 27 2020 Daiki Ueno - 3.49.2-1 +- Update to NSS 3.49.2 +- Don't enable TLS 1.3 by default (#1794814) + * Fri Jan 10 2020 Daiki Ueno - 3.49.0-1 - Update to NSS 3.49 - Fix build on armv7hl with the patch proposed in upstream diff --git a/sources b/sources index b9615c6..935d8e3 100644 --- a/sources +++ b/sources @@ -3,4 +3,4 @@ SHA512 (blank-cert9.db) = 2f8eab4c0612210ee47db8a3a80c1b58a0b43849551af78c7da403 SHA512 (blank-key3.db) = 01f7314e9fc8a7c9aa997652624cfcde213d18a6b3bb31840c1a60bbd662e56b5bc3221d13874abb42ce78163b225a6dfce2e1326cf6dd29366ad9c28ba5a71c SHA512 (blank-key4.db) = 8fedae93af7163da23fe9492ea8e785a44c291604fa98e58438448efb69c85d3253fc22b926d5c3209c62e58a86038fd4d78a1c4c068bc00600a7f3e5382ebe7 SHA512 (blank-secmod.db) = 06a2dbd861839ef6315093459328b500d3832333a34b30e6fac4a2503af337f014a4d319f0f93322409e719142904ce8bc08252ae9a4f37f30d4c3312e900310 -SHA512 (nss-3.49.tar.gz) = 7d8df73a2e585585a7cb3f887af3f933854984479531b3dd30316873bdd92c130e2fadb54e7b3b1f0b10675b1bce09112ef39860d74ef6f0df7b57bf430bd072 +SHA512 (nss-3.49.2.tar.gz) = fe0fe032db15853384a50b145dd6f3187a855109f0b81f1846312d33f8c628aededcbca4d199f974ae52530aec3f2312f80afbca3e5b97ed1ff96fcffafd2881