|
@@ -0,0 +1,615 @@
|
|
|
+# HG changeset patch
|
|
|
+# User John Schanck <jschanck@mozilla.com>
|
|
|
+# Date 1719577097 0
|
|
|
+# Node ID 4da5c2aa3065c7589ad7255344498a497eeea73d
|
|
|
+# Parent 7c85beb46b4680943cd7ab00d52a9b55bdd9a4a3
|
|
|
+Bug 1905160 - land NSS NSS_3_90_3_RTM UPGRADE_NSS_RELEASE, r=keeler a=dmeehan
|
|
|
+
|
|
|
+Differential Revision: https://phabricator.services.mozilla.com/D215174
|
|
|
+
|
|
|
+diff --git a/security/nss/TAG-INFO b/security/nss/TAG-INFO
|
|
|
+--- a/security/nss/TAG-INFO
|
|
|
++++ b/security/nss/TAG-INFO
|
|
|
+@@ -1,1 +1,1 @@
|
|
|
+-NSS_3_90_2_RTM
|
|
|
+\ No newline at end of file
|
|
|
++NSS_3_90_3_RTM
|
|
|
+\ No newline at end of file
|
|
|
+diff --git a/security/nss/coreconf/coreconf.dep b/security/nss/coreconf/coreconf.dep
|
|
|
+--- a/security/nss/coreconf/coreconf.dep
|
|
|
++++ b/security/nss/coreconf/coreconf.dep
|
|
|
+@@ -5,8 +5,9 @@
|
|
|
+
|
|
|
+ /*
|
|
|
+ * A dummy header file that is a dependency for all the object files.
|
|
|
+ * Used to force a full recompilation of NSS in Mozilla's Tinderbox
|
|
|
+ * depend builds. See comments in rules.mk.
|
|
|
+ */
|
|
|
+
|
|
|
+ #error "Do not include this header file."
|
|
|
++
|
|
|
+diff --git a/security/nss/doc/rst/releases/index.rst b/security/nss/doc/rst/releases/index.rst
|
|
|
+--- a/security/nss/doc/rst/releases/index.rst
|
|
|
++++ b/security/nss/doc/rst/releases/index.rst
|
|
|
+@@ -3,16 +3,18 @@
|
|
|
+ Releases
|
|
|
+ ========
|
|
|
+
|
|
|
+ .. toctree::
|
|
|
+ :maxdepth: 0
|
|
|
+ :glob:
|
|
|
+ :hidden:
|
|
|
+
|
|
|
++ nss_3_90_3.rst
|
|
|
++ nss_3_90_2.rst
|
|
|
+ nss_3_90_1.rst
|
|
|
+ nss_3_90_0.rst
|
|
|
+ nss_3_89_1.rst
|
|
|
+ nss_3_89.rst
|
|
|
+ nss_3_88_1.rst
|
|
|
+ nss_3_88.rst
|
|
|
+ nss_3_87_1.rst
|
|
|
+ nss_3_87.rst
|
|
|
+@@ -50,18 +52,21 @@ Releases
|
|
|
+ nss_3_68.rst
|
|
|
+ nss_3_67.rst
|
|
|
+ nss_3_66.rst
|
|
|
+ nss_3_65.rst
|
|
|
+ nss_3_64.rst
|
|
|
+
|
|
|
+ .. note::
|
|
|
+
|
|
|
+- **NSS 3.90.1 (ESR)** is the latest version of NSS.
|
|
|
++ **NSS 3.90.3 (ESR)** is the latest version of NSS.
|
|
|
+ Complete release notes are available here: :ref:`mozilla_projects_nss_nss_3_91_0_release_notes`
|
|
|
+
|
|
|
+
|
|
|
+ .. container::
|
|
|
+
|
|
|
+- Changes in 3.90.1 included in this release:
|
|
|
++ Changes in 3.90.3 included in this release:
|
|
|
+
|
|
|
+- - Bug 1813401 - regenerate NameConstraints test certificates.
|
|
|
+- - Bug 1854795 - add OSXSAVE and XCR0 tests to AVX2 detection.
|
|
|
+\ No newline at end of file
|
|
|
++ - Bug 1901080 - GLOBALTRUST 2020: Set Distrust After for TLS and S/MIME.
|
|
|
++ - Bug 1748105 - clean up escape handling.
|
|
|
++ - Bug 1895032 - remove redundant AllocItem implementation. r=nss-reviewers,rrelyea
|
|
|
++ - Bug 1836925 - Disable ASM support for Curve25519.
|
|
|
++ - Bug 1836781 - Disable ASM support for Curve25519 for all but X86_64.
|
|
|
+diff --git a/security/nss/doc/rst/releases/nss_3_90_3.rst b/security/nss/doc/rst/releases/nss_3_90_3.rst
|
|
|
+new file mode 100644
|
|
|
+--- /dev/null
|
|
|
++++ b/security/nss/doc/rst/releases/nss_3_90_3.rst
|
|
|
+@@ -0,0 +1,59 @@
|
|
|
++.. _mozilla_projects_nss_nss_3_90_3_release_notes:
|
|
|
++
|
|
|
++NSS 3.90.3 release notes
|
|
|
++========================
|
|
|
++
|
|
|
++`Introduction <#introduction>`__
|
|
|
++--------------------------------
|
|
|
++
|
|
|
++.. container::
|
|
|
++
|
|
|
++ Network Security Services (NSS) 3.90.3 was released on *27th June 2024**.
|
|
|
++
|
|
|
++
|
|
|
++`Distribution Information <#distribution_information>`__
|
|
|
++--------------------------------------------------------
|
|
|
++
|
|
|
++.. container::
|
|
|
++
|
|
|
++ The HG tag is NSS_3_90_3_RTM. NSS 3.90.3 requires NSPR 4.35 or newer.
|
|
|
++
|
|
|
++ NSS 3.90.3 source distributions are available on ftp.mozilla.org for secure HTTPS download:
|
|
|
++
|
|
|
++ - Source tarballs:
|
|
|
++ https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_90_3_RTM/src/
|
|
|
++
|
|
|
++ Other releases are available :ref:`mozilla_projects_nss_releases`.
|
|
|
++
|
|
|
++.. _changes_in_nss_3.90.3:
|
|
|
++
|
|
|
++`Changes in NSS 3.90.3 <#changes_in_nss_3.90.3>`__
|
|
|
++--------------------------------------------------
|
|
|
++
|
|
|
++.. container::
|
|
|
++
|
|
|
++ - Bug 1901080 - GLOBALTRUST 2020: Set Distrust After for TLS and S/MIME.
|
|
|
++ - Bug 1748105 - clean up escape handling.
|
|
|
++ - Bug 1895032 - remove redundant AllocItem implementation. r=nss-reviewers,rrelyea
|
|
|
++ - Bug 1836925 - Disable ASM support for Curve25519.
|
|
|
++ - Bug 1836781 - Disable ASM support for Curve25519 for all but X86_64.
|
|
|
++
|
|
|
++`Compatibility <#compatibility>`__
|
|
|
++----------------------------------
|
|
|
++
|
|
|
++.. container::
|
|
|
++
|
|
|
++ NSS 3.90.3 shared libraries are backwards-compatible with all older NSS 3.x shared
|
|
|
++ libraries. A program linked with older NSS 3.x shared libraries will work with
|
|
|
++ this new version of the shared libraries without recompiling or
|
|
|
++ relinking. Furthermore, applications that restrict their use of NSS APIs to the
|
|
|
++ functions listed in NSS Public Functions will remain compatible with future
|
|
|
++ versions of the NSS shared libraries.
|
|
|
++
|
|
|
++`Feedback <#feedback>`__
|
|
|
++------------------------
|
|
|
++
|
|
|
++.. container::
|
|
|
++
|
|
|
++ Bugs discovered should be reported by filing a bug report on
|
|
|
++ `bugzilla.mozilla.org <https://bugzilla.mozilla.org/enter_bug.cgi?product=NSS>`__ (product NSS).
|
|
|
+diff --git a/security/nss/lib/certdb/alg1485.c b/security/nss/lib/certdb/alg1485.c
|
|
|
+--- a/security/nss/lib/certdb/alg1485.c
|
|
|
++++ b/security/nss/lib/certdb/alg1485.c
|
|
|
+@@ -1,14 +1,15 @@
|
|
|
+ /* alg1485.c - implementation of RFCs 1485, 1779 and 2253.
|
|
|
+ *
|
|
|
+ * This Source Code Form is subject to the terms of the Mozilla Public
|
|
|
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
|
|
|
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
|
|
|
+
|
|
|
++#include <limits.h>
|
|
|
+ #include "prprf.h"
|
|
|
+ #include "cert.h"
|
|
|
+ #include "certi.h"
|
|
|
+ #include "xconst.h"
|
|
|
+ #include "genname.h"
|
|
|
+ #include "secitem.h"
|
|
|
+ #include "secerr.h"
|
|
|
+
|
|
|
+@@ -594,25 +595,31 @@ typedef enum {
|
|
|
+ /* Some characters must be escaped as a hex string, e.g. c -> \nn .
|
|
|
+ * Others must be escaped by preceding with a '\', e.g. c -> \c , but
|
|
|
+ * there are certain "special characters" that may be handled by either
|
|
|
+ * escaping them, or by enclosing the entire attribute value in quotes.
|
|
|
+ * A NULL value for pEQMode implies selecting minimalEscape mode.
|
|
|
+ * Some callers will do quoting when needed, others will not.
|
|
|
+ * If a caller selects minimalEscapeAndQuote, and the string does not
|
|
|
+ * need quoting, then this function changes it to minimalEscape.
|
|
|
++ * Limit source to 16K, which avoids any possibility of overflow.
|
|
|
++ * Maximum output size would be 3*srclen+2.
|
|
|
+ */
|
|
|
+ static int
|
|
|
+ cert_RFC1485_GetRequiredLen(const char* src, int srclen, EQMode* pEQMode)
|
|
|
+ {
|
|
|
+ int i, reqLen = 0;
|
|
|
+ EQMode mode = pEQMode ? *pEQMode : minimalEscape;
|
|
|
+ PRBool needsQuoting = PR_FALSE;
|
|
|
+ char lastC = 0;
|
|
|
+
|
|
|
++ /* avoids needing to check for overflow */
|
|
|
++ if (srclen > 16384) {
|
|
|
++ return -1;
|
|
|
++ }
|
|
|
+ /* need to make an initial pass to determine if quoting is needed */
|
|
|
+ for (i = 0; i < srclen; i++) {
|
|
|
+ char c = src[i];
|
|
|
+ reqLen++;
|
|
|
+ if (NEEDS_HEX_ESCAPE(c)) { /* c -> \xx */
|
|
|
+ reqLen += 2;
|
|
|
+ } else if (NEEDS_ESCAPE(c)) { /* c -> \c */
|
|
|
+ reqLen++;
|
|
|
+@@ -632,33 +639,36 @@ cert_RFC1485_GetRequiredLen(const char*
|
|
|
+ (OPTIONAL_SPACE(src[srclen - 1]) || OPTIONAL_SPACE(src[0]))) {
|
|
|
+ needsQuoting = PR_TRUE;
|
|
|
+ }
|
|
|
+
|
|
|
+ if (needsQuoting)
|
|
|
+ reqLen += 2;
|
|
|
+ if (pEQMode && mode == minimalEscapeAndQuote && !needsQuoting)
|
|
|
+ *pEQMode = minimalEscape;
|
|
|
++ /* Maximum output size would be 3*srclen+2 */
|
|
|
+ return reqLen;
|
|
|
+ }
|
|
|
+
|
|
|
+ static const char hexChars[16] = { "0123456789abcdef" };
|
|
|
+
|
|
|
+ static SECStatus
|
|
|
+ escapeAndQuote(char* dst, int dstlen, char* src, int srclen, EQMode* pEQMode)
|
|
|
+ {
|
|
|
+ int i, reqLen = 0;
|
|
|
+ EQMode mode = pEQMode ? *pEQMode : minimalEscape;
|
|
|
+
|
|
|
++ reqLen = cert_RFC1485_GetRequiredLen(src, srclen, &mode);
|
|
|
++ /* reqLen is max 16384*3 + 2 */
|
|
|
+ /* space for terminal null */
|
|
|
+- reqLen = cert_RFC1485_GetRequiredLen(src, srclen, &mode) + 1;
|
|
|
+- if (reqLen > dstlen) {
|
|
|
++ if (reqLen < 0 || reqLen + 1 > dstlen) {
|
|
|
+ PORT_SetError(SEC_ERROR_OUTPUT_LEN);
|
|
|
+ return SECFailure;
|
|
|
+ }
|
|
|
++ reqLen += 1;
|
|
|
+
|
|
|
+ if (mode == minimalEscapeAndQuote)
|
|
|
+ *dst++ = C_DOUBLE_QUOTE;
|
|
|
+ for (i = 0; i < srclen; i++) {
|
|
|
+ char c = src[i];
|
|
|
+ if (NEEDS_HEX_ESCAPE(c)) {
|
|
|
+ *dst++ = C_BACKSLASH;
|
|
|
+ *dst++ = hexChars[(c >> 4) & 0x0f];
|
|
|
+@@ -976,18 +986,32 @@ AppendAVA(stringBuf* bufp, CERTAVA* ava,
|
|
|
+ if (!avaValue) {
|
|
|
+ if (unknownTag)
|
|
|
+ PR_smprintf_free(unknownTag);
|
|
|
+ return SECFailure;
|
|
|
+ }
|
|
|
+ }
|
|
|
+
|
|
|
+ nameLen = strlen(tagName);
|
|
|
+- valueLen =
|
|
|
+- (useHex ? avaValue->len : cert_RFC1485_GetRequiredLen((char*)avaValue->data, avaValue->len, &mode));
|
|
|
++
|
|
|
++ if (useHex) {
|
|
|
++ valueLen = avaValue->len;
|
|
|
++ } else {
|
|
|
++ int reqLen = cert_RFC1485_GetRequiredLen((char*)avaValue->data, avaValue->len, &mode);
|
|
|
++ if (reqLen < 0) {
|
|
|
++ SECITEM_FreeItem(avaValue, PR_TRUE);
|
|
|
++ return SECFailure;
|
|
|
++ }
|
|
|
++ valueLen = reqLen;
|
|
|
++ }
|
|
|
++ if (UINT_MAX - nameLen < 2 ||
|
|
|
++ valueLen > UINT_MAX - nameLen - 2) {
|
|
|
++ SECITEM_FreeItem(avaValue, PR_TRUE);
|
|
|
++ return SECFailure;
|
|
|
++ }
|
|
|
+ len = nameLen + valueLen + 2; /* Add 2 for '=' and trailing NUL */
|
|
|
+
|
|
|
+ maxName = nameLen;
|
|
|
+ maxValue = valueLen;
|
|
|
+ if (len <= sizeof(tmpBuf)) {
|
|
|
+ encodedAVA = tmpBuf;
|
|
|
+ } else if (strict != CERT_N2A_READABLE) {
|
|
|
+ encodedAVA = PORT_Alloc(len);
|
|
|
+@@ -1193,30 +1217,33 @@ avaToString(PLArenaPool* arena, CERTAVA*
|
|
|
+ char* buf = NULL;
|
|
|
+ SECItem* avaValue;
|
|
|
+ int valueLen;
|
|
|
+
|
|
|
+ avaValue = CERT_DecodeAVAValue(&ava->value);
|
|
|
+ if (!avaValue) {
|
|
|
+ return buf;
|
|
|
+ }
|
|
|
+- valueLen =
|
|
|
+- cert_RFC1485_GetRequiredLen((char*)avaValue->data, avaValue->len, NULL) + 1;
|
|
|
+- if (arena) {
|
|
|
+- buf = (char*)PORT_ArenaZAlloc(arena, valueLen);
|
|
|
+- } else {
|
|
|
+- buf = (char*)PORT_ZAlloc(valueLen);
|
|
|
+- }
|
|
|
+- if (buf) {
|
|
|
+- SECStatus rv =
|
|
|
+- escapeAndQuote(buf, valueLen, (char*)avaValue->data, avaValue->len, NULL);
|
|
|
+- if (rv != SECSuccess) {
|
|
|
+- if (!arena)
|
|
|
+- PORT_Free(buf);
|
|
|
+- buf = NULL;
|
|
|
++ int reqLen = cert_RFC1485_GetRequiredLen((char*)avaValue->data, avaValue->len, NULL);
|
|
|
++ /* reqLen is max 16384*3 + 2 */
|
|
|
++ if (reqLen >= 0) {
|
|
|
++ valueLen = reqLen + 1;
|
|
|
++ if (arena) {
|
|
|
++ buf = (char*)PORT_ArenaZAlloc(arena, valueLen);
|
|
|
++ } else {
|
|
|
++ buf = (char*)PORT_ZAlloc(valueLen);
|
|
|
++ }
|
|
|
++ if (buf) {
|
|
|
++ SECStatus rv =
|
|
|
++ escapeAndQuote(buf, valueLen, (char*)avaValue->data, avaValue->len, NULL);
|
|
|
++ if (rv != SECSuccess) {
|
|
|
++ if (!arena)
|
|
|
++ PORT_Free(buf);
|
|
|
++ buf = NULL;
|
|
|
++ }
|
|
|
+ }
|
|
|
+ }
|
|
|
+ SECITEM_FreeItem(avaValue, PR_TRUE);
|
|
|
+ return buf;
|
|
|
+ }
|
|
|
+
|
|
|
+ /* RDNs are sorted from most general to most specific.
|
|
|
+ * This code returns the FIRST one found, the most general one found.
|
|
|
+diff --git a/security/nss/lib/ckfw/builtins/certdata.txt b/security/nss/lib/ckfw/builtins/certdata.txt
|
|
|
+--- a/security/nss/lib/ckfw/builtins/certdata.txt
|
|
|
++++ b/security/nss/lib/ckfw/builtins/certdata.txt
|
|
|
+@@ -19426,18 +19426,24 @@ CKA_VALUE MULTILINE_OCTAL
|
|
|
+ \170\112\075\102\173\153\176\376\367\106\352\321\353\216\357\210
|
|
|
+ \150\133\350\301\331\161\176\375\144\357\377\147\107\210\130\045
|
|
|
+ \057\076\206\007\275\373\250\345\202\250\254\245\323\151\103\315
|
|
|
+ \061\210\111\204\123\222\300\261\071\033\071\203\001\060\304\362
|
|
|
+ \251\372\320\003\275\162\067\140\126\037\066\174\275\071\221\365
|
|
|
+ \155\015\277\173\327\222
|
|
|
+ END
|
|
|
+ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
|
|
|
+-CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE
|
|
|
+-CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE
|
|
|
++# For Server Distrust After: Sun Jun 30 00:00:00 2024
|
|
|
++CKA_NSS_SERVER_DISTRUST_AFTER MULTILINE_OCTAL
|
|
|
++\062\064\060\066\063\060\060\060\060\060\060\060\132
|
|
|
++END
|
|
|
++# For Email Distrust After: Sun Jun 30 00:00:00 2024
|
|
|
++CKA_NSS_EMAIL_DISTRUST_AFTER MULTILINE_OCTAL
|
|
|
++\062\064\060\066\063\060\060\060\060\060\060\060\132
|
|
|
++END
|
|
|
+
|
|
|
+ # Trust for "GLOBALTRUST 2020"
|
|
|
+ # Issuer: CN=GLOBALTRUST 2020,O=e-commerce monitoring GmbH,C=AT
|
|
|
+ # Serial Number:5a:4b:bd:5a:fb:4f:8a:5b:fa:65:e5
|
|
|
+ # Subject: CN=GLOBALTRUST 2020,O=e-commerce monitoring GmbH,C=AT
|
|
|
+ # Not Valid Before: Mon Feb 10 00:00:00 2020
|
|
|
+ # Not Valid After : Sun Jun 10 00:00:00 2040
|
|
|
+ # Fingerprint (SHA-256): 9A:29:6A:51:82:D1:D4:51:A2:E3:7F:43:9B:74:DA:AF:A2:67:52:33:29:F9:0F:9A:0D:20:07:C3:34:E2:3C:9A
|
|
|
+diff --git a/security/nss/lib/ckfw/builtins/nssckbi.h b/security/nss/lib/ckfw/builtins/nssckbi.h
|
|
|
+--- a/security/nss/lib/ckfw/builtins/nssckbi.h
|
|
|
++++ b/security/nss/lib/ckfw/builtins/nssckbi.h
|
|
|
+@@ -41,18 +41,18 @@
|
|
|
+ * made on that branch.
|
|
|
+ *
|
|
|
+ * NSS_BUILTINS_LIBRARY_VERSION_MINOR is a CK_BYTE. It's not clear
|
|
|
+ * whether we may use its full range (0-255) or only 0-99 because
|
|
|
+ * of the comment in the CK_VERSION type definition.
|
|
|
+ * It's recommend to switch back to 0 after having reached version 98/99.
|
|
|
+ */
|
|
|
+ #define NSS_BUILTINS_LIBRARY_VERSION_MAJOR 2
|
|
|
+-#define NSS_BUILTINS_LIBRARY_VERSION_MINOR 60
|
|
|
+-#define NSS_BUILTINS_LIBRARY_VERSION "2.60"
|
|
|
++#define NSS_BUILTINS_LIBRARY_VERSION_MINOR 61
|
|
|
++#define NSS_BUILTINS_LIBRARY_VERSION "2.61"
|
|
|
+
|
|
|
+ /* These version numbers detail the semantic changes to the ckfw engine. */
|
|
|
+ #define NSS_BUILTINS_HARDWARE_VERSION_MAJOR 1
|
|
|
+ #define NSS_BUILTINS_HARDWARE_VERSION_MINOR 0
|
|
|
+
|
|
|
+ /* These version numbers detail the semantic changes to ckbi itself
|
|
|
+ * (new PKCS #11 objects), etc. */
|
|
|
+ #define NSS_BUILTINS_FIRMWARE_VERSION_MAJOR 1
|
|
|
+diff --git a/security/nss/lib/freebl/Makefile b/security/nss/lib/freebl/Makefile
|
|
|
+--- a/security/nss/lib/freebl/Makefile
|
|
|
++++ b/security/nss/lib/freebl/Makefile
|
|
|
+@@ -563,17 +563,16 @@ endif # target == SunO
|
|
|
+ ifdef USE_64
|
|
|
+ # no __int128 at least up to lcc 1.23 (pretending to be gcc5)
|
|
|
+ # NB: CC_NAME is not defined here
|
|
|
+ ifneq ($(shell $(CC) -? 2>&1 >/dev/null </dev/null | sed -e 's/:.*//;1q'),lcc)
|
|
|
+ ifdef CC_IS_CLANG
|
|
|
+ HAVE_INT128_SUPPORT = 1
|
|
|
+ DEFINES += -DHAVE_INT128_SUPPORT
|
|
|
+ else ifeq (1,$(CC_IS_GCC))
|
|
|
+- SUPPORTS_VALE_CURVE25519 = 1
|
|
|
+ ifneq (,$(filter 4.6 4.7 4.8 4.9,$(word 1,$(GCC_VERSION)).$(word 2,$(GCC_VERSION))))
|
|
|
+ HAVE_INT128_SUPPORT = 1
|
|
|
+ DEFINES += -DHAVE_INT128_SUPPORT
|
|
|
+ endif
|
|
|
+ ifneq (,$(filter 0 1 2 3 4,$(word 1,$(GCC_VERSION))))
|
|
|
+ NSS_DISABLE_AVX2 = 1
|
|
|
+ endif
|
|
|
+ ifeq (,$(filter 0 1 2 3 4,$(word 1,$(GCC_VERSION))))
|
|
|
+@@ -588,21 +587,16 @@ ifneq ($(shell $(CC) -? 2>&1 >/dev/null
|
|
|
+ endif
|
|
|
+ endif # lcc
|
|
|
+ endif # USE_64
|
|
|
+
|
|
|
+ ifndef HAVE_INT128_SUPPORT
|
|
|
+ DEFINES += -DKRML_VERIFIED_UINT128
|
|
|
+ endif
|
|
|
+
|
|
|
+-ifdef SUPPORTS_VALE_CURVE25519
|
|
|
+- VERIFIED_SRCS += Hacl_Curve25519_64.c
|
|
|
+- DEFINES += -DHACL_CAN_COMPILE_INLINE_ASM
|
|
|
+-endif
|
|
|
+-
|
|
|
+ ifndef NSS_DISABLE_CHACHAPOLY
|
|
|
+ ifeq ($(CPU_ARCH),x86_64)
|
|
|
+ ifndef NSS_DISABLE_AVX2
|
|
|
+ EXTRA_SRCS += Hacl_Poly1305_256.c Hacl_Chacha20_Vec256.c Hacl_Chacha20Poly1305_256.c
|
|
|
+ DEFINES += -DHACL_CAN_COMPILE_VEC256
|
|
|
+ endif # NSS_DISABLE_AVX2
|
|
|
+ ifndef NSS_DISABLE_SSE3
|
|
|
+ EXTRA_SRCS += Hacl_Poly1305_128.c Hacl_Chacha20_Vec128.c Hacl_Chacha20Poly1305_128.c
|
|
|
+diff --git a/security/nss/lib/freebl/freebl.gyp b/security/nss/lib/freebl/freebl.gyp
|
|
|
+--- a/security/nss/lib/freebl/freebl.gyp
|
|
|
++++ b/security/nss/lib/freebl/freebl.gyp
|
|
|
+@@ -861,22 +861,16 @@
|
|
|
+ 'conditions': [
|
|
|
+ [ 'disable_altivec==0 and target_arch=="ppc64le"', {
|
|
|
+ 'defines': [
|
|
|
+ 'PPC_GCM',
|
|
|
+ ],
|
|
|
+ }],
|
|
|
+ ],
|
|
|
+ }],
|
|
|
+- [ 'supports_vale_curve25519==1', {
|
|
|
+- 'defines': [
|
|
|
+- # The Makefile does version-tests on GCC, but we're not doing that here.
|
|
|
+- 'HACL_CAN_COMPILE_INLINE_ASM',
|
|
|
+- ],
|
|
|
+- }],
|
|
|
+ [ 'OS=="linux" or OS=="android"', {
|
|
|
+ 'conditions': [
|
|
|
+ [ 'target_arch=="x64"', {
|
|
|
+ 'defines': [
|
|
|
+ 'MP_IS_LITTLE_ENDIAN',
|
|
|
+ 'NSS_BEVAND_ARCFOUR',
|
|
|
+ 'MPI_AMD64',
|
|
|
+ 'MP_ASSEMBLY_MULTIPLY',
|
|
|
+@@ -929,21 +923,16 @@
|
|
|
+ }],
|
|
|
+ ],
|
|
|
+ }],
|
|
|
+ ],
|
|
|
+ },
|
|
|
+ 'variables': {
|
|
|
+ 'module': 'nss',
|
|
|
+ 'conditions': [
|
|
|
+- [ 'target_arch=="x64" and cc_is_gcc==1', {
|
|
|
+- 'supports_vale_curve25519%': 1,
|
|
|
+- }, {
|
|
|
+- 'supports_vale_curve25519%': 0,
|
|
|
+- }],
|
|
|
+ [ 'target_arch=="x64" or target_arch=="arm64" or target_arch=="aarch64"', {
|
|
|
+ 'have_int128_support%': 1,
|
|
|
+ }, {
|
|
|
+ 'have_int128_support%': 0,
|
|
|
+ }],
|
|
|
+ [ 'target_arch=="arm"', {
|
|
|
+ # When the compiler uses the softfloat ABI, we want to use the compatible softfp ABI when enabling NEON for these objects.
|
|
|
+ # Confusingly, __SOFTFP__ is the name of the define for the softfloat ABI, not for the softfp ABI.
|
|
|
+diff --git a/security/nss/lib/freebl/freebl_base.gypi b/security/nss/lib/freebl/freebl_base.gypi
|
|
|
+--- a/security/nss/lib/freebl/freebl_base.gypi
|
|
|
++++ b/security/nss/lib/freebl/freebl_base.gypi
|
|
|
+@@ -146,21 +146,16 @@
|
|
|
+ 'verified/Hacl_Curve25519_51.c',
|
|
|
+ ],
|
|
|
+ }, {
|
|
|
+ 'sources': [
|
|
|
+ # All other architectures get the generic 32 bit implementation.
|
|
|
+ 'ecl/curve25519_32.c',
|
|
|
+ ],
|
|
|
+ }],
|
|
|
+- ['supports_vale_curve25519==1', {
|
|
|
+- 'sources': [
|
|
|
+- 'verified/Hacl_Curve25519_64.c',
|
|
|
+- ],
|
|
|
+- }],
|
|
|
+ ['(target_arch!="ppc64" and target_arch!="ppc64le") or disable_altivec==1', {
|
|
|
+ 'sources': [
|
|
|
+ # Gyp does not support per-file cflags, so working around like this.
|
|
|
+ # ppc performance greatly benefits from specific flags.
|
|
|
+ 'sha512.c',
|
|
|
+ ],
|
|
|
+ }],
|
|
|
+ [ 'disable_chachapoly==0', {
|
|
|
+diff --git a/security/nss/lib/nss/nss.h b/security/nss/lib/nss/nss.h
|
|
|
+--- a/security/nss/lib/nss/nss.h
|
|
|
++++ b/security/nss/lib/nss/nss.h
|
|
|
+@@ -17,20 +17,20 @@
|
|
|
+
|
|
|
+ /*
|
|
|
+ * NSS's major version, minor version, patch level, build number, and whether
|
|
|
+ * this is a beta release.
|
|
|
+ *
|
|
|
+ * The format of the version string should be
|
|
|
+ * "<major version>.<minor version>[.<patch level>[.<build number>]][ <ECC>][ <Beta>]"
|
|
|
+ */
|
|
|
+-#define NSS_VERSION "3.90.2" _NSS_CUSTOMIZED
|
|
|
++#define NSS_VERSION "3.90.3" _NSS_CUSTOMIZED
|
|
|
+ #define NSS_VMAJOR 3
|
|
|
+ #define NSS_VMINOR 90
|
|
|
+-#define NSS_VPATCH 2
|
|
|
++#define NSS_VPATCH 3
|
|
|
+ #define NSS_VBUILD 0
|
|
|
+ #define NSS_BETA PR_FALSE
|
|
|
+
|
|
|
+ #ifndef RC_INVOKED
|
|
|
+
|
|
|
+ #include "seccomon.h"
|
|
|
+
|
|
|
+ typedef struct NSSInitParametersStr NSSInitParameters;
|
|
|
+diff --git a/security/nss/lib/softoken/softkver.h b/security/nss/lib/softoken/softkver.h
|
|
|
+--- a/security/nss/lib/softoken/softkver.h
|
|
|
++++ b/security/nss/lib/softoken/softkver.h
|
|
|
+@@ -12,16 +12,16 @@
|
|
|
+
|
|
|
+ /*
|
|
|
+ * Softoken's major version, minor version, patch level, build number,
|
|
|
+ * and whether this is a beta release.
|
|
|
+ *
|
|
|
+ * The format of the version string should be
|
|
|
+ * "<major version>.<minor version>[.<patch level>[.<build number>]][ <ECC>][ <Beta>]"
|
|
|
+ */
|
|
|
+-#define SOFTOKEN_VERSION "3.90.2" SOFTOKEN_ECC_STRING
|
|
|
++#define SOFTOKEN_VERSION "3.90.3" SOFTOKEN_ECC_STRING
|
|
|
+ #define SOFTOKEN_VMAJOR 3
|
|
|
+ #define SOFTOKEN_VMINOR 90
|
|
|
+-#define SOFTOKEN_VPATCH 2
|
|
|
++#define SOFTOKEN_VPATCH 3
|
|
|
+ #define SOFTOKEN_VBUILD 0
|
|
|
+ #define SOFTOKEN_BETA PR_FALSE
|
|
|
+
|
|
|
+ #endif /* _SOFTKVER_H_ */
|
|
|
+diff --git a/security/nss/lib/util/nssutil.h b/security/nss/lib/util/nssutil.h
|
|
|
+--- a/security/nss/lib/util/nssutil.h
|
|
|
++++ b/security/nss/lib/util/nssutil.h
|
|
|
+@@ -14,20 +14,20 @@
|
|
|
+
|
|
|
+ /*
|
|
|
+ * NSS utilities's major version, minor version, patch level, build number,
|
|
|
+ * and whether this is a beta release.
|
|
|
+ *
|
|
|
+ * The format of the version string should be
|
|
|
+ * "<major version>.<minor version>[.<patch level>[.<build number>]][ <Beta>]"
|
|
|
+ */
|
|
|
+-#define NSSUTIL_VERSION "3.90.2"
|
|
|
++#define NSSUTIL_VERSION "3.90.3"
|
|
|
+ #define NSSUTIL_VMAJOR 3
|
|
|
+ #define NSSUTIL_VMINOR 90
|
|
|
+-#define NSSUTIL_VPATCH 2
|
|
|
++#define NSSUTIL_VPATCH 3
|
|
|
+ #define NSSUTIL_VBUILD 0
|
|
|
+ #define NSSUTIL_BETA PR_FALSE
|
|
|
+
|
|
|
+ SEC_BEGIN_PROTOS
|
|
|
+
|
|
|
+ /*
|
|
|
+ * Returns a const string of the UTIL library version.
|
|
|
+ */
|
|
|
+diff --git a/security/nss/lib/util/secitem.c b/security/nss/lib/util/secitem.c
|
|
|
+--- a/security/nss/lib/util/secitem.c
|
|
|
++++ b/security/nss/lib/util/secitem.c
|
|
|
+@@ -233,45 +233,30 @@ SECITEM_DupItem(const SECItem *from)
|
|
|
+ }
|
|
|
+
|
|
|
+ SECItem *
|
|
|
+ SECITEM_ArenaDupItem(PLArenaPool *arena, const SECItem *from)
|
|
|
+ {
|
|
|
+ SECItem *to;
|
|
|
+
|
|
|
+ if (from == NULL) {
|
|
|
+- return (NULL);
|
|
|
+- }
|
|
|
+-
|
|
|
+- if (arena != NULL) {
|
|
|
+- to = (SECItem *)PORT_ArenaAlloc(arena, sizeof(SECItem));
|
|
|
+- } else {
|
|
|
+- to = (SECItem *)PORT_Alloc(sizeof(SECItem));
|
|
|
+- }
|
|
|
+- if (to == NULL) {
|
|
|
+- return (NULL);
|
|
|
++ return NULL;
|
|
|
+ }
|
|
|
+
|
|
|
+- if (arena != NULL) {
|
|
|
+- to->data = (unsigned char *)PORT_ArenaAlloc(arena, from->len);
|
|
|
+- } else {
|
|
|
+- to->data = (unsigned char *)PORT_Alloc(from->len);
|
|
|
+- }
|
|
|
+- if (to->data == NULL) {
|
|
|
+- PORT_Free(to);
|
|
|
+- return (NULL);
|
|
|
++ to = SECITEM_AllocItem(arena, NULL, from->len);
|
|
|
++ if (to == NULL) {
|
|
|
++ return NULL;
|
|
|
+ }
|
|
|
+
|
|
|
+- to->len = from->len;
|
|
|
+ to->type = from->type;
|
|
|
+ if (to->len) {
|
|
|
+ PORT_Memcpy(to->data, from->data, to->len);
|
|
|
+ }
|
|
|
+
|
|
|
+- return (to);
|
|
|
++ return to;
|
|
|
+ }
|
|
|
+
|
|
|
+ SECStatus
|
|
|
+ SECITEM_CopyItem(PLArenaPool *arena, SECItem *to, const SECItem *from)
|
|
|
+ {
|
|
|
+ to->type = from->type;
|
|
|
+ if (from->data && from->len) {
|
|
|
+ if (arena) {
|
|
|
+
|