[packages/nss] disable hacl curve25519_64 entirely as it's broken on so many levels; rel 2

atler atler at pld-linux.org
Fri Jun 16 21:45:02 CEST 2023 

commit 105a1d809157e25049d1ea3b43dd5d8247cf3c9e
Author: Jan Palus <atler at pld-linux.org>
Date:   Fri Jun 16 21:42:05 2023 +0200

    disable hacl curve25519_64 entirely as it's broken on so many levels; rel 2
    
    see https://bugzilla.mozilla.org/show_bug.cgi?id=1836925

 disable-hacl-curve25519.patch | 124 ++++++++++++++++++++++++++++++++++++++++++
 non-x86-64b-archs.patch       |  35 ------------
 nss.spec                      |   4 +-
 3 files changed, 126 insertions(+), 37 deletions(-)
---
diff --git a/nss.spec b/nss.spec
index e5667e6..165b88d 100644
--- a/nss.spec
+++ b/nss.spec
@@ -8,7 +8,7 @@ Summary:	NSS - Network Security Services
 Summary(pl.UTF-8):	NSS - Network Security Services
 Name:		nss
 Version:	3.90
-Release:	1
+Release:	2
 Epoch:		1
 License:	MPL v2.0
 Group:		Libraries
@@ -20,7 +20,7 @@ Source3:	https://www.cacert.org/certs/root.der
 # Source3-md5:	a61b375e390d9c3654eebd2031461f6b
 Source4:	nss-softokn.pc.in
 # Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1083900
-Patch0:		non-x86-64b-archs.patch
+Patch0:		disable-hacl-curve25519.patch
 URL:		https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS
 BuildRequires:	nspr-devel >= %{nspr_ver}
 %{!?with_bootstrap:BuildRequires:	nss-tools}
diff --git a/disable-hacl-curve25519.patch b/disable-hacl-curve25519.patch
new file mode 100644
index 0000000..367fdb4
--- /dev/null
+++ b/disable-hacl-curve25519.patch
@@ -0,0 +1,124 @@
+
+# HG changeset patch
+# User Natalia Kulatova <nkulatova at mozilla.com>
+# Date 1685981398 0
+# Node ID 52a5d8fe37410d940e7d3ca244146ebc46a7d52a
+# Parent  52969cff7db635e0ee10fad66eed2c0cfdcf999b
+Bug 1836781 - Disabling ASM C25519 for A but X86_64 r=bbeurdouche,nss-reviewers
+
+Differential Revision: https://phabricator.services.mozilla.com/D179969
+
+diff --git a/lib/freebl/Makefile b/lib/freebl/Makefile
+--- a/lib/freebl/Makefile
++++ b/lib/freebl/Makefile
+@@ -563,17 +563,19 @@ endif # target == SunO
+ ifdef USE_64
+ # no __int128 at least up to lcc 1.23 (pretending to be gcc5)
+ # NB: CC_NAME is not defined here
+ ifneq ($(shell $(CC) -? 2>&1 >/dev/null </dev/null | sed -e 's/:.*//;1q'),lcc)
+     ifdef CC_IS_CLANG
+             HAVE_INT128_SUPPORT = 1
+             DEFINES += -DHAVE_INT128_SUPPORT
+     else ifeq (1,$(CC_IS_GCC))
+-        SUPPORTS_VALE_CURVE25519 = 1
++        ifeq ($(CPU_ARCH),x86_64)
++            SUPPORTS_VALE_CURVE25519 = 1
++        endif
+         ifneq (,$(filter 4.6 4.7 4.8 4.9,$(word 1,$(GCC_VERSION)).$(word 2,$(GCC_VERSION))))
+             HAVE_INT128_SUPPORT = 1
+             DEFINES += -DHAVE_INT128_SUPPORT
+         endif
+         ifneq (,$(filter 0 1 2 3 4,$(word 1,$(GCC_VERSION))))
+             NSS_DISABLE_AVX2 = 1
+         endif
+         ifeq (,$(filter 0 1 2 3 4,$(word 1,$(GCC_VERSION))))
+
+diff --git a/lib/freebl/Makefile b/lib/freebl/Makefile
+--- a/lib/freebl/Makefile
++++ b/lib/freebl/Makefile
+@@ -566,13 +566,10 @@
+ ifneq ($(shell $(CC) -? 2>&1 >/dev/null </dev/null | sed -e 's/:.*//;1q'),lcc)
+     ifdef CC_IS_CLANG
+             HAVE_INT128_SUPPORT = 1
+             DEFINES += -DHAVE_INT128_SUPPORT
+     else ifeq (1,$(CC_IS_GCC))
+-        ifeq ($(CPU_ARCH),x86_64)
+-            SUPPORTS_VALE_CURVE25519 = 1
+-        endif
+         ifneq (,$(filter 4.6 4.7 4.8 4.9,$(word 1,$(GCC_VERSION)).$(word 2,$(GCC_VERSION))))
+             HAVE_INT128_SUPPORT = 1
+             DEFINES += -DHAVE_INT128_SUPPORT
+         endif
+         ifneq (,$(filter 0 1 2 3 4,$(word 1,$(GCC_VERSION))))
+@@ -593,15 +590,10 @@
+ 
+ ifndef HAVE_INT128_SUPPORT
+     DEFINES += -DKRML_VERIFIED_UINT128
+ endif
+ 
+-ifdef SUPPORTS_VALE_CURVE25519
+-    VERIFIED_SRCS += Hacl_Curve25519_64.c
+-    DEFINES += -DHACL_CAN_COMPILE_INLINE_ASM
+-endif
+-
+ ifndef NSS_DISABLE_CHACHAPOLY
+     ifeq ($(CPU_ARCH),x86_64)
+         ifndef NSS_DISABLE_AVX2
+             EXTRA_SRCS += Hacl_Poly1305_256.c Hacl_Chacha20_Vec256.c Hacl_Chacha20Poly1305_256.c
+             DEFINES += -DHACL_CAN_COMPILE_VEC256
+diff --git a/lib/freebl/freebl.gyp b/lib/freebl/freebl.gyp
+--- a/lib/freebl/freebl.gyp
++++ b/lib/freebl/freebl.gyp
+@@ -864,16 +864,10 @@
+               'PPC_GCM',
+             ],
+           }],
+         ],
+       }],
+-      [ 'supports_vale_curve25519==1', {
+-        'defines': [
+-          # The Makefile does version-tests on GCC, but we're not doing that here.
+-          'HACL_CAN_COMPILE_INLINE_ASM',
+-        ],
+-      }],
+       [ 'OS=="linux" or OS=="android"', {
+         'conditions': [
+           [ 'target_arch=="x64"', {
+             'defines': [
+               'MP_IS_LITTLE_ENDIAN',
+@@ -932,15 +926,10 @@
+     ],
+   },
+   'variables': {
+     'module': 'nss',
+     'conditions': [
+-      [ 'target_arch=="x64" and cc_is_gcc==1', {
+-        'supports_vale_curve25519%': 1,
+-      }, {
+-        'supports_vale_curve25519%': 0,
+-      }],
+       [ 'target_arch=="x64" or target_arch=="arm64" or target_arch=="aarch64"', {
+         'have_int128_support%': 1,
+       }, {
+         'have_int128_support%': 0,
+       }],
+diff --git a/lib/freebl/freebl_base.gypi b/lib/freebl/freebl_base.gypi
+--- a/lib/freebl/freebl_base.gypi
++++ b/lib/freebl/freebl_base.gypi
+@@ -149,15 +149,10 @@
+       'sources': [
+         # All other architectures get the generic 32 bit implementation.
+         'ecl/curve25519_32.c',
+       ],
+     }],
+-    ['supports_vale_curve25519==1', {
+-      'sources': [
+-        'verified/Hacl_Curve25519_64.c',
+-      ],
+-    }],
+     ['(target_arch!="ppc64" and target_arch!="ppc64le") or disable_altivec==1', {
+       'sources': [
+         # Gyp does not support per-file cflags, so working around like this.
+         # ppc performance greatly benefits from specific flags.
+         'sha512.c',
+
diff --git a/non-x86-64b-archs.patch b/non-x86-64b-archs.patch
deleted file mode 100644
index e576930..0000000
--- a/non-x86-64b-archs.patch
+++ /dev/null
@@ -1,35 +0,0 @@
-
-# HG changeset patch
-# User Natalia Kulatova <nkulatova at mozilla.com>
-# Date 1685981398 0
-# Node ID 52a5d8fe37410d940e7d3ca244146ebc46a7d52a
-# Parent  52969cff7db635e0ee10fad66eed2c0cfdcf999b
-Bug 1836781 - Disabling ASM C25519 for A but X86_64 r=bbeurdouche,nss-reviewers
-
-Differential Revision: https://phabricator.services.mozilla.com/D179969
-
-diff --git a/lib/freebl/Makefile b/lib/freebl/Makefile
---- a/lib/freebl/Makefile
-+++ b/lib/freebl/Makefile
-@@ -563,17 +563,19 @@ endif # target == SunO
- ifdef USE_64
- # no __int128 at least up to lcc 1.23 (pretending to be gcc5)
- # NB: CC_NAME is not defined here
- ifneq ($(shell $(CC) -? 2>&1 >/dev/null </dev/null | sed -e 's/:.*//;1q'),lcc)
-     ifdef CC_IS_CLANG
-             HAVE_INT128_SUPPORT = 1
-             DEFINES += -DHAVE_INT128_SUPPORT
-     else ifeq (1,$(CC_IS_GCC))
--        SUPPORTS_VALE_CURVE25519 = 1
-+        ifeq ($(CPU_ARCH),x86_64)
-+            SUPPORTS_VALE_CURVE25519 = 1
-+        endif
-         ifneq (,$(filter 4.6 4.7 4.8 4.9,$(word 1,$(GCC_VERSION)).$(word 2,$(GCC_VERSION))))
-             HAVE_INT128_SUPPORT = 1
-             DEFINES += -DHAVE_INT128_SUPPORT
-         endif
-         ifneq (,$(filter 0 1 2 3 4,$(word 1,$(GCC_VERSION))))
-             NSS_DISABLE_AVX2 = 1
-         endif
-         ifeq (,$(filter 0 1 2 3 4,$(word 1,$(GCC_VERSION))))
-
================================================================

---- gitweb:

http://git.pld-linux.org/gitweb.cgi/packages/nss.git/commitdiff/105a1d809157e25049d1ea3b43dd5d8247cf3c9e

More information about the pld-cvs-commit mailing list