Update to NSS 3.49.2

2020-01-27 10:24:30 +01:00 · 2020-01-27 10:24:30 +01:00 · c3571bbb3d
commit c3571bbb3d
parent b8de59e750
5 changed files with 24 additions and 163 deletions
--- a/.gitignore
+++ b/.gitignore
@ -43,3 +43,4 @@ TestUser51.cert
 /nss-3.47.1.tar.gz
 /nss-3.48.tar.gz
 /nss-3.49.tar.gz
+/nss-3.49.2.tar.gz
--- a/nss-3.49-neon-build-fixes.patch
+++ b/nss-3.49-neon-build-fixes.patch
@ -1,159 +0,0 @@
-# HG changeset patch
-# User Mike Hommey <mh@glandium.org>
-# Date 1578673372 -3600
-#      Fri Jan 10 17:22:52 2020 +0100
-# Node ID 9c359d019d333282476ffeec3dab819cfdcf127e
-# Parent  4921046404f197526969a6b79f19c136469e69f8
-Bug 1608327 - Fix freebl arm NEON code use on tier3 platforms.
-
-Summary:
-Despite the code having runtime detection of NEON and crypto extensions,
-the optimized code using those instructions is disabled at build time on
-platforms where the compiler doesn't enable NEON by default of with the
-flags it's given for the caller code.
-
-In the case of gcm, this goes as far as causing a build error.
-
-What is needed is for the optimized code to be enabled in every case,
-letting the caller code choose whether to use that code based on the
-existing runtime checks.
-
-But this can't be simply done either, because those optimized parts of
-the code need to be built with NEON enabled, unconditionally, but that
-is not compatible with platforms using the softfloat ABI. For those,
-we need to use the softfp ABI, which is compatible. However, the softfp
-ABI is not compatible with the hardfp ABI, so we also can't
-unconditionally use the softfp ABI, so we do so only when the compiler
-targets the softfloat ABI, which confusingly enough is advertized via
-the `__SOFTFP__` define.
-
-Reviewers: jcj!
-
-Bug #: 1608327
-
-Differential Revision: https://phabricator.services.mozilla.com/D59451
-
-diff --git a/lib/freebl/Makefile b/lib/freebl/Makefile
--- a/lib/freebl/Makefile
-+++ b/lib/freebl/Makefile
-@@ -781,8 +781,12 @@ ifdef INTEL_GCM_CLANG_CL
- endif
- 
- ifeq ($(CPU_ARCH),arm)
-$(OBJDIR)/$(PROG_PREFIX)aes-armv8$(OBJ_SUFFIX): CFLAGS += -march=armv8-a -mfpu=crypto-neon-fp-armv8
-$(OBJDIR)/$(PROG_PREFIX)gcm-arm32-neon$(OBJ_SUFFIX): CFLAGS += -mfpu=neon
-+# When the compiler uses the softfloat ABI, we want to use the compatible softfp ABI when
-+# enabling NEON for these objects.
-+# Confusingly, __SOFTFP__ is the name of the define for the softfloat ABI, not for the softfp ABI.
-+USES_SOFTFLOAT_ABI := $(shell $(CC) -o - -E -dM - $(CFLAGS) < /dev/null | grep __SOFTFP__ > /dev/null && echo 1)
-+$(OBJDIR)/$(PROG_PREFIX)aes-armv8$(OBJ_SUFFIX): CFLAGS += -march=armv8-a -mfpu=crypto-neon-fp-armv8$(if $(USES_SOFTFLOAT_ABI), -mfloat-abi=softfp)
-+$(OBJDIR)/$(PROG_PREFIX)gcm-arm32-neon$(OBJ_SUFFIX): CFLAGS += -mfpu=neon$(if $(USES_SOFTFLOAT_ABI), -mfloat-abi=softfp)
- endif
- ifeq ($(CPU_ARCH),aarch64)
- $(OBJDIR)/$(PROG_PREFIX)aes-armv8$(OBJ_SUFFIX): CFLAGS += -march=armv8-a+crypto
-diff --git a/lib/freebl/aes-armv8.c b/lib/freebl/aes-armv8.c
--- a/lib/freebl/aes-armv8.c
-+++ b/lib/freebl/aes-armv8.c
-@@ -8,7 +8,7 @@
- #if ((defined(__clang__) ||                                         \
-       (defined(__GNUC__) && defined(__GNUC_MINOR__) &&              \
-        (__GNUC__ > 4 || (__GNUC__ == 4 && __GNUC_MINOR__ > 8)))) && \
-     (defined(__ARM_NEON) || defined(__ARM_NEON__)))
-+     defined(IS_LITTLE_ENDIAN))
- 
- #ifndef __ARM_FEATURE_CRYPTO
- #error "Compiler option is invalid"
-diff --git a/lib/freebl/freebl.gyp b/lib/freebl/freebl.gyp
--- a/lib/freebl/freebl.gyp
-+++ b/lib/freebl/freebl.gyp
-@@ -126,10 +126,12 @@
-         '<(DEPTH)/exports.gyp:nss_exports'
-       ],
-       'cflags': [
-        '-mfpu=neon'
-+        '-mfpu=neon',
-+        '<@(softfp_cflags)',
-       ],
-       'cflags_mozilla': [
-        '-mfpu=neon'
-+        '-mfpu=neon',
-+        '<@(softfp_cflags)',
-       ]
-     },
-     {
-@@ -179,11 +181,13 @@
-         [ 'target_arch=="arm"', {
-           'cflags': [
-             '-march=armv8-a',
-            '-mfpu=crypto-neon-fp-armv8'
-+            '-mfpu=crypto-neon-fp-armv8',
-+            '<@(softfp_cflags)',
-           ],
-           'cflags_mozilla': [
-             '-march=armv8-a',
-            '-mfpu=crypto-neon-fp-armv8'
-+            '-mfpu=crypto-neon-fp-armv8',
-+            '<@(softfp_cflags)',
-           ],
-         }, 'target_arch=="arm64" or target_arch=="aarch64"', {
-           'cflags': [
-@@ -533,6 +537,11 @@
-       }, {
-         'have_int128_support%': 0,
-       }],
-+      [ 'target_arch=="arm"', {
-+        # When the compiler uses the softfloat ABI, we want to use the compatible softfp ABI when enabling NEON for these objects.
-+        # Confusingly, __SOFTFP__ is the name of the define for the softfloat ABI, not for the softfp ABI.
-+        'softfp_cflags': '<!(${CC:-cc} -o - -E -dM - ${CFLAGS} < /dev/null | grep __SOFTFP__ > /dev/null && echo -mfloat-abi=softfp || true)',
-+      }],
-     ],
-   }
- }
-diff --git a/lib/freebl/gcm-arm32-neon.c b/lib/freebl/gcm-arm32-neon.c
--- a/lib/freebl/gcm-arm32-neon.c
-+++ b/lib/freebl/gcm-arm32-neon.c
-@@ -11,7 +11,7 @@
- #include "secerr.h"
- #include "prtypes.h"
- 
-#if defined(__ARM_NEON__) || defined(__ARM_NEON)
-+#if defined(IS_LITTLE_ENDIAN)
- 
- #include <arm_neon.h>
- 
-@@ -199,4 +199,4 @@ gcm_HashZeroX_hw(gcmHashContext *ghash)
-     return SECSuccess;
- }
- 
-#endif /* __ARM_NEON__ || __ARM_NEON */
-+#endif /* IS_LITTLE_ENDIAN */
-diff --git a/lib/freebl/gcm.c b/lib/freebl/gcm.c
--- a/lib/freebl/gcm.c
-+++ b/lib/freebl/gcm.c
-@@ -21,11 +21,8 @@
- #if defined(__aarch64__) && defined(IS_LITTLE_ENDIAN) && \
-     (defined(__clang__) || defined(__GNUC__) && __GNUC__ > 6)
- #define USE_ARM_GCM
-#elif defined(__arm__) && defined(IS_LITTLE_ENDIAN) && \
-    (defined(__ARM_NEON__) || defined(__ARM_NEON))
-/* We don't test on big endian platform, so disable this on big endian.
- * Also, we don't check whether compiler support NEON well, so this uses
- * that compiler uses -mfpu=neon only. */
-+#elif defined(__arm__) && defined(IS_LITTLE_ENDIAN)
-+/* We don't test on big endian platform, so disable this on big endian. */
- #define USE_ARM_GCM
- #endif
- 
-diff --git a/lib/freebl/rijndael.c b/lib/freebl/rijndael.c
--- a/lib/freebl/rijndael.c
-+++ b/lib/freebl/rijndael.c
-@@ -20,8 +20,7 @@
- #include "gcm.h"
- #include "mpi.h"
- 
-#if (!defined(IS_LITTLE_ENDIAN) && !defined(NSS_X86_OR_X64)) || \
-    (defined(__arm__) && !defined(__ARM_NEON) && !defined(__ARM_NEON__))
-+#if !defined(IS_LITTLE_ENDIAN) && !defined(NSS_X86_OR_X64)
- // not test yet on big endian platform of arm
- #undef USE_HW_AES
- #endif
--- a/nss-tls13-default.patch
+++ b/nss-tls13-default.patch
@ -0,0 +1,12 @@
+diff -up nss/lib/ssl/sslsock.c.tls13-default nss/lib/ssl/sslsock.c
+--- nss/lib/ssl/sslsock.c.tls13-default	2020-01-27 10:21:44.930830558 +0100
+++ nss/lib/ssl/sslsock.c	2020-01-27 10:21:47.419852229 +0100
+@@ -97,7 +97,7 @@ static sslOptions ssl_defaults = {
+  */
+ static SSLVersionRange versions_defaults_stream = {
+     SSL_LIBRARY_VERSION_TLS_1_0,
+-    SSL_LIBRARY_VERSION_TLS_1_3
+    SSL_LIBRARY_VERSION_TLS_1_2
+ };
+ 
+ static SSLVersionRange versions_defaults_datagram = {
--- a/nss.spec
+++ b/nss.spec
@ -1,5 +1,5 @@
 %global nspr_version 4.24.0
-%global nss_version 3.49.0
+%global nss_version 3.49.2
 %global unsupported_tools_directory %{_libdir}/nss/unsupported-tools
 %global saved_files_dir %{_libdir}/nss/saved
 %global dracutlibdir %{_prefix}/lib/dracut
@ -107,8 +107,11 @@ Patch2:           nss-539183.patch
 Patch4:           iquote.patch
 # add missing ike mechanism to softoken
 Patch10:          nss-3.47-ike-fix.patch
-# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1608327
-Patch11:          nss-3.49-neon-build-fixes.patch
+# To revert the upstream change:
+# https://bugzilla.mozilla.org/show_bug.cgi?id=1573118
+# as it still doesn't work under FIPS mode because of missing HKDF
+# support in PKCS #11.
+Patch11:	  nss-tls13-default.patch

 %description
 Network Security Services (NSS) is a set of libraries designed to
@ -874,6 +877,10 @@ update-crypto-policies &> /dev/null || :


 %changelog
+* Mon Jan 27 2020 Daiki Ueno <dueno@redhat.com> - 3.49.2-1
+- Update to NSS 3.49.2
+- Don't enable TLS 1.3 by default (#1794814)
+
 * Fri Jan 10 2020 Daiki Ueno <dueno@redhat.com> - 3.49.0-1
 - Update to NSS 3.49
 - Fix build on armv7hl with the patch proposed in upstream
--- a/2
+++ b/2
@ -3,4 +3,4 @@ SHA512 (blank-cert9.db) = 2f8eab4c0612210ee47db8a3a80c1b58a0b43849551af78c7da403
 SHA512 (blank-key3.db) = 01f7314e9fc8a7c9aa997652624cfcde213d18a6b3bb31840c1a60bbd662e56b5bc3221d13874abb42ce78163b225a6dfce2e1326cf6dd29366ad9c28ba5a71c
 SHA512 (blank-key4.db) = 8fedae93af7163da23fe9492ea8e785a44c291604fa98e58438448efb69c85d3253fc22b926d5c3209c62e58a86038fd4d78a1c4c068bc00600a7f3e5382ebe7
 SHA512 (blank-secmod.db) = 06a2dbd861839ef6315093459328b500d3832333a34b30e6fac4a2503af337f014a4d319f0f93322409e719142904ce8bc08252ae9a4f37f30d4c3312e900310
-SHA512 (nss-3.49.tar.gz) = 7d8df73a2e585585a7cb3f887af3f933854984479531b3dd30316873bdd92c130e2fadb54e7b3b1f0b10675b1bce09112ef39860d74ef6f0df7b57bf430bd072
+SHA512 (nss-3.49.2.tar.gz) = fe0fe032db15853384a50b145dd6f3187a855109f0b81f1846312d33f8c628aededcbca4d199f974ae52530aec3f2312f80afbca3e5b97ed1ff96fcffafd2881