mirror of
https://github.com/mozilla/gecko-dev.git
synced 2024-12-03 18:47:53 +00:00
d3619cd7e8
2023-10-02 Natalia Kulatova <nkulatova@mozilla.com> * doc/rst/releases/nss_3_94.rst: Documentation: Release notes for NSS 3.94 [8c67d6c2d718] [NSS_3_94_RTM] <NSS_3_94_BRANCH> * .hgtags: Added tag NSS_3_94_RTM for changeset a4d8f6ff9c3b [18307440cfb0] <NSS_3_94_BRANCH> * doc/rst/releases/index.rst: Release notes for NSS 3.94 [a4d8f6ff9c3b] <NSS_3_94_BRANCH> * lib/nss/nss.h, lib/softoken/softkver.h, lib/util/nssutil.h: Set version numbers to 3.94 final [0af23c222caf] <NSS_3_94_BRANCH> 2023-09-21 Benjamin Beurdouche <beurdouche@mozilla.com> * .hgtags: Removed tag NSS_3_94_BETA1 [1a3ea35e31a2] 2023-09-20 Karthikeyan Bhargavan <karthik.bhargavan@gmail.com> * automation/taskcluster/scripts/run_hacl.sh, lib/freebl/verified/Hacl_Hash_SHA3.c, lib/freebl/verified/Hacl_IntTypes_Intrinsics.h, lib/freebl/verified/Hacl_IntTypes_Intrinsics_128.h, lib/freebl/verified/Hacl_Krmllib.h, lib/freebl/verified/Hacl_P256.c, lib/freebl/verified/internal/Hacl_Bignum_Base.h, lib/freebl/verified/internal/Hacl_Hash_SHA1.h, lib/freebl/verified/internal/Hacl_Hash_SHA2.h, lib/freebl/verified/internal/Hacl_IntTypes_Intrinsics.h, lib/freebl/verified/internal/Hacl_IntTypes_Intrinsics_128.h, lib/freebl/verified/internal/Hacl_Krmllib.h, lib/freebl/verified/internal/Hacl_P256.h, lib/freebl/verified/internal/lib_intrinsics.h, lib/freebl/verified/karamel/include/krml/internal/target.h, lib/free bl/verified/karamel/krmllib/dist/minimal/FStar_UInt_8_16_32_64.h, lib/freebl/verified/karamel/krmllib/dist/minimal/Makefile.basic, lib/freebl/verified/lib_intrinsics.h: Bug 1853737 - Updated code and commit ID for HACL*. r=jschanck [3501ba1860c3] 2023-09-20 Iaroslav Gridin <iaroslav.gridin@tuni.fi> * tests/acvp/fuzzed/ecdsa.json: Bug 1840510: update ACVP fuzzed test vector: refuzzed with current NSS r=jschanck [da1cde22e844] 2023-09-15 Robert Relyea <rrelyea@redhat.com> * automation/abi-check/expected-report-libnssutil3.so.txt, lib/freebl/nsslowhash.c, lib/freebl/stubs.c, lib/freebl/stubs.h, lib/pk11wrap/pk11util.c, lib/softoken/pkcs11.c, lib/util/nssutil.def, lib/util/secport.c, lib/util/secport.h: Bug 1827303 Softoken C_ calls should use system FIPS setting to select NSC_ or FC_ variants. NSS softoken presents a PKCS #11 API to the NSS low level crypto. This allows NSS to have native support for replacement PKCS #11 libraries, and is also the FIPS boundary, allowing the rest of NSS to change without affecting any FIPS validations. Some applications that need crypto, but have their own higher level implementations of SSL or S/MIME use NSS softoken. Softoken has 2 general APIs: NSC_xxxx calls which implement the normal NSS interface, but does not include any FIPS restrictions, The FC_xxx interfaces which implements FIPS restrictions on the semantics of the calls and additional FIPS requirements (like self-tests and software integrity checks). The official PKCS #11 APIs are C_xxx interfaces, and NSS exports those as aliases for NSC_xxxx calls. Right now applications that use softoken have to know the NSS names if they want to access the FIPS api. This bugs removes this restriction and causes calls to C_xxxx to alias to FC_xxxxx if the system is in FIPS mode. If the system has no system FIPS indicator, or the that indicator is off, the C_xxxx will continue to call NSC_xxxxx. NSS itself will continue to use NSC_xxxx or FC_xxxx according to the NSS internal FIPS settings. ---------------- Currently there are 3 layers in NSS with code that identifies the whether the system is in NSS: nss proper (which is also exported to applications), and freebl for the Freebl hash direct case. This code would add a 3rd (in softoken). Rather than adding a third, this patch relocates the main function to nssutil where softoken, nss, and freebl can all access it. The exception is when building freebl with 'NODEPEND' (freebl can provide hashing without dependencies on NSPR or NSSUTIL), there needs to be a stub implementation. In most platforms and cases this stub is never compiled. [762cb673ca8c] * .hgignore, automation/taskcluster/scripts/split.sh, cmd/Makefile, cmd/dbtool/Makefile, cmd/dbtool/dbtool.c, cmd/dbtool/dbtool.gyp, cmd/dbtool/manifest.mn, cmd/manifest.mn, lib/softoken/sdb.h, nss.gyp: Bug 1774659 NSS needs a database tool that can dump the low level representation of the database. r=jschanck When debugging the database, it would be helpful to know what is in the database is a nicely formated way. certutil dumps a high level view of the certs and keys, sqlite3 can dump the low level tables and raw entries. It would be useful to dump the database as softoken sees the database. This code grabs a copy of the latest sdb.c from softoken and uses it to fetch the database entries, then parses them as necessary. It uses the pkcs11 table in libsec to format the result data into human readable strings. [e52240a4bc62] 2023-09-08 John Schanck <jschanck@mozilla.com> * gtests/mozpkix_gtest/pkixnames_tests.cpp: Bug 1852179 - declare string literals using char in pkixnames_tests.cpp. r=nss-reviewers,nkulatova [dbed9fc0522a] Differential Revision: https://phabricator.services.mozilla.com/D189815
189 lines
6.1 KiB
Python
189 lines
6.1 KiB
Python
# -*- Mode: python; indent-tabs-mode: nil; tab-width: 40 -*-
|
|
# vim: set filetype=python:
|
|
# This Source Code Form is subject to the terms of the Mozilla Public
|
|
# License, v. 2.0. If a copy of the MPL was not distributed with this
|
|
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
|
|
|
|
with Files("**"):
|
|
BUG_COMPONENT = ("Core", "Security: PSM")
|
|
|
|
with Files("generate*.py"):
|
|
BUG_COMPONENT = ("Firefox Build System", "General")
|
|
|
|
with Files("nss/**"):
|
|
BUG_COMPONENT = ("NSS", "Libraries")
|
|
|
|
with Files("nss.symbols"):
|
|
BUG_COMPONENT = ("NSS", "Libraries")
|
|
|
|
if CONFIG["MOZ_SYSTEM_NSS"]:
|
|
Library("nss")
|
|
OS_LIBS += CONFIG["NSS_LIBS"]
|
|
|
|
include("/build/gyp_base.mozbuild")
|
|
if CONFIG["MOZ_FOLD_LIBS"]:
|
|
GeckoSharedLibrary("nss", linkage=None)
|
|
# TODO: The library name can be changed when bug 845217 is fixed.
|
|
SHARED_LIBRARY_NAME = "nss3"
|
|
|
|
USE_LIBS += [
|
|
"nspr4",
|
|
"nss3_static",
|
|
"nssutil",
|
|
"plc4",
|
|
"plds4",
|
|
"smime3_static",
|
|
"ssl",
|
|
]
|
|
|
|
OS_LIBS += CONFIG["REALTIME_LIBS"]
|
|
|
|
SYMBOLS_FILE = "nss.symbols"
|
|
# This changes the default targets in the NSS build, among
|
|
# other things.
|
|
gyp_vars["moz_fold_libs"] = 1
|
|
# Some things in NSS need to link against nssutil, which
|
|
# gets folded, so this tells them what to link against.
|
|
gyp_vars["moz_folded_library_name"] = "nss"
|
|
# Force things in NSS that want to link against NSPR to link
|
|
# against the folded library.
|
|
gyp_vars["nspr_libs"] = "nss"
|
|
elif not CONFIG["MOZ_SYSTEM_NSS"]:
|
|
Library("nss")
|
|
USE_LIBS += [
|
|
"nss3",
|
|
"nssutil3",
|
|
"smime3",
|
|
"sqlite",
|
|
"ssl3",
|
|
]
|
|
gyp_vars["nspr_libs"] = "nspr"
|
|
else:
|
|
gyp_vars["nspr_libs"] = "nspr"
|
|
# Bug 1805371: We need a static copy of NSS for the tlsserver test
|
|
# binaries even when building with system NSS. But there's no good
|
|
# way to build NSS that does not pollute dist/bin with shared
|
|
# object files. For now, we have to build mozpkix only and disable
|
|
# the affected tests.
|
|
gyp_vars["mozpkix_only"] = 1
|
|
|
|
# This disables building some NSS tools.
|
|
gyp_vars["mozilla_client"] = 1
|
|
|
|
# This builds NSS tools in COMM applications that Firefox doesn't build.
|
|
if CONFIG["MOZ_BUILD_APP"].startswith("comm/"):
|
|
gyp_vars["comm_client"] = 1
|
|
|
|
# We run shlibsign as part of packaging, not build.
|
|
gyp_vars["sign_libs"] = 0
|
|
gyp_vars["python"] = CONFIG["PYTHON3"]
|
|
# The NSS gyp files do not have a default for this.
|
|
gyp_vars["nss_dist_dir"] = "$PRODUCT_DIR/dist"
|
|
# NSS wants to put public headers in $nss_dist_dir/public/nss by default,
|
|
# which would wind up being mapped to dist/include/public/nss (by
|
|
# gyp_reader's `handle_copies`).
|
|
# This forces it to put them in dist/include/nss.
|
|
gyp_vars["nss_public_dist_dir"] = "$PRODUCT_DIR/dist"
|
|
gyp_vars["nss_dist_obj_dir"] = "$PRODUCT_DIR/dist/bin"
|
|
# We don't currently build NSS tests.
|
|
gyp_vars["disable_tests"] = 1
|
|
gyp_vars["disable_dbm"] = 1
|
|
gyp_vars["disable_libpkix"] = 1
|
|
gyp_vars["enable_sslkeylogfile"] = 1
|
|
# Whether we're using system NSS or Rust nssckbi, we don't need
|
|
# to build C nssckbi
|
|
gyp_vars["disable_ckbi"] = 1
|
|
# pkg-config won't reliably find zlib on our builders, so just force it.
|
|
# System zlib is only used for modutil and signtool unless
|
|
# SSL zlib is enabled, which we are disabling immediately below this.
|
|
gyp_vars["zlib_libs"] = "-lz"
|
|
gyp_vars["ssl_enable_zlib"] = 0
|
|
# System sqlite here is the in-tree mozsqlite.
|
|
gyp_vars["use_system_sqlite"] = 1
|
|
gyp_vars["sqlite_libs"] = "sqlite"
|
|
gyp_vars["enable_draft_hpke"] = 1
|
|
|
|
# Clang can build NSS with its integrated assembler since version 9.
|
|
if (
|
|
CONFIG["CPU_ARCH"] == "x86_64"
|
|
and CONFIG["CC_TYPE"] == "clang"
|
|
and int(CONFIG["CC_VERSION"].split(".")[0]) >= 9
|
|
):
|
|
gyp_vars["force_integrated_as"] = 1
|
|
|
|
|
|
if CONFIG["MOZ_SYSTEM_NSPR"]:
|
|
gyp_vars["nspr_include_dir"] = "%" + CONFIG["NSPR_INCLUDE_DIR"]
|
|
gyp_vars["nspr_lib_dir"] = "%" + CONFIG["NSPR_LIB_DIR"]
|
|
else:
|
|
gyp_vars["nspr_include_dir"] = "!/dist/include/nspr"
|
|
gyp_vars["nspr_lib_dir"] = "" # gyp wants a value, but we don't need
|
|
# it to be valid.
|
|
|
|
# The Python scripts that detect clang need it to be set as CC
|
|
# in the environment, which isn't true here. I don't know that
|
|
# setting that would be harmful, but we already have this information
|
|
# anyway.
|
|
if CONFIG["CC_TYPE"] in ("clang", "clang-cl"):
|
|
gyp_vars["cc_is_clang"] = 1
|
|
if CONFIG["GCC_USE_GNU_LD"]:
|
|
gyp_vars["cc_use_gnu_ld"] = 1
|
|
|
|
GYP_DIRS += ["nss"]
|
|
GYP_DIRS["nss"].input = "nss/nss.gyp"
|
|
GYP_DIRS["nss"].variables = gyp_vars
|
|
|
|
sandbox_vars = {
|
|
# NSS explicitly exports its public symbols
|
|
# with linker scripts.
|
|
"COMPILE_FLAGS": {
|
|
"VISIBILITY": [],
|
|
"WARNINGS_CFLAGS": [
|
|
f for f in CONFIG["WARNINGS_CFLAGS"] if f != "-Wsign-compare"
|
|
],
|
|
},
|
|
# NSS' build system doesn't currently build NSS with PGO.
|
|
# We could probably do so, but not without a lot of
|
|
# careful consideration.
|
|
"NO_PGO": True,
|
|
}
|
|
if CONFIG["OS_TARGET"] == "WINNT":
|
|
# We want to remove XP_WIN32 eventually. See bug 1535219 for details.
|
|
sandbox_vars["CFLAGS"] = [
|
|
"-DXP_WIN32",
|
|
"-Wno-error=unused-function", # bug 1856445
|
|
]
|
|
if CONFIG["CPU_ARCH"] == "x86":
|
|
# This should really be the default.
|
|
sandbox_vars["ASFLAGS"] = ["-safeseh"]
|
|
|
|
DELAYLOAD_DLLS += [
|
|
"winmm.dll",
|
|
]
|
|
|
|
if CONFIG["OS_TARGET"] == "Android":
|
|
sandbox_vars["CFLAGS"] = [
|
|
"-include",
|
|
TOPSRCDIR + "/security/manager/android_stub.h",
|
|
]
|
|
if CONFIG["ANDROID_VERSION"]:
|
|
sandbox_vars["CFLAGS"] += ["-DANDROID_VERSION=" + CONFIG["ANDROID_VERSION"]]
|
|
if CONFIG["MOZ_SYSTEM_NSS"]:
|
|
sandbox_vars["CXXFLAGS"] = CONFIG["NSS_CFLAGS"]
|
|
GYP_DIRS["nss"].sandbox_vars = sandbox_vars
|
|
GYP_DIRS["nss"].no_chromium = True
|
|
GYP_DIRS["nss"].no_unified = True
|
|
# This maps action names from gyp files to
|
|
# Python scripts that can be used in moz.build GENERATED_FILES.
|
|
GYP_DIRS["nss"].action_overrides = {
|
|
"generate_mapfile": "generate_mapfile.py",
|
|
}
|
|
|
|
if CONFIG["NSS_EXTRA_SYMBOLS_FILE"]:
|
|
DEFINES["NSS_EXTRA_SYMBOLS_FILE"] = CONFIG["NSS_EXTRA_SYMBOLS_FILE"]
|
|
|
|
SPHINX_TREES["nss"] = "nss/doc/rst"
|
|
|
|
with Files("nss/doc/rst/**"):
|
|
SCHEDULES.exclusive = ["nss"]
|