Bug 1448404 - Update NSS to version 3.36.1 for Firefox 60. r=kaie, a=RyanVM
authorKai Engert <kaie@kuix.de>
Mon, 09 Apr 2018 13:04:07 -0400
changeset 463121 83b358633328cc642a2cefc83527854e9b91c23c
parent 463120 784c44089b9e0071f8c172aba9e91237a52ec2fd
child 463122 a0f53fb1ff7b9eb1fe4d62a429898a868944ba06
push id1683
push usersfraser@mozilla.com
push dateThu, 26 Apr 2018 16:43:40 +0000
treeherdermozilla-release@5af6cb21869d [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewerskaie, RyanVM
bugs1448404
milestone60.0
Bug 1448404 - Update NSS to version 3.36.1 for Firefox 60. r=kaie, a=RyanVM UPGRADE_NSS_RELEASE
old-configure.in
security/nss/TAG-INFO
security/nss/coreconf/coreconf.dep
security/nss/lib/dev/devslot.c
security/nss/lib/dev/devt.h
security/nss/lib/freebl/blinit.c
security/nss/lib/nss/nss.h
security/nss/lib/pk11wrap/dev3hack.c
security/nss/lib/pkcs7/p7create.c
security/nss/lib/softoken/softkver.h
security/nss/lib/util/nssutil.h
--- a/old-configure.in
+++ b/old-configure.in
@@ -1755,17 +1755,17 @@ dnl = If NSS was not detected in the sys
 dnl = use the one in the source tree (mozilla/security/nss)
 dnl ========================================================
 
 MOZ_ARG_WITH_BOOL(system-nss,
 [  --with-system-nss       Use system installed NSS],
     _USE_SYSTEM_NSS=1 )
 
 if test -n "$_USE_SYSTEM_NSS"; then
-    AM_PATH_NSS(3.36, [MOZ_SYSTEM_NSS=1], [AC_MSG_ERROR([you don't have NSS installed or your version is too old])])
+    AM_PATH_NSS(3.36.1, [MOZ_SYSTEM_NSS=1], [AC_MSG_ERROR([you don't have NSS installed or your version is too old])])
 fi
 
 if test -n "$MOZ_SYSTEM_NSS"; then
    NSS_LIBS="$NSS_LIBS -lcrmf"
 else
    NSS_CFLAGS="-I${DIST}/include/nss"
    case "${OS_ARCH}" in
         # Only few platforms have been tested with GYP
--- a/security/nss/TAG-INFO
+++ b/security/nss/TAG-INFO
@@ -1,1 +1,1 @@
-NSS_3_36_RTM
+NSS_3_36_1_RTM
--- a/security/nss/coreconf/coreconf.dep
+++ b/security/nss/coreconf/coreconf.dep
@@ -5,9 +5,8 @@
 
 /*
  * A dummy header file that is a dependency for all the object files.
  * Used to force a full recompilation of NSS in Mozilla's Tinderbox
  * depend builds.  See comments in rules.mk.
  */
 
 #error "Do not include this header file."
-
--- a/security/nss/lib/dev/devslot.c
+++ b/security/nss/lib/dev/devslot.c
@@ -91,20 +91,26 @@ nssSlot_ResetDelay(
     NSSSlot *slot)
 {
     PZ_Lock(slot->isPresentLock);
     slot->lastTokenPingState = nssSlotLastPingState_Reset;
     PZ_Unlock(slot->isPresentLock);
 }
 
 static PRBool
-within_token_delay_period(const NSSSlot *slot)
+token_status_checked(const NSSSlot *slot)
 {
     PRIntervalTime time;
     int lastPingState = slot->lastTokenPingState;
+    /* When called from the same thread, that means
+     * nssSlot_IsTokenPresent() is called recursively through
+     * nssSlot_Refresh(). Return immediately in that case. */
+    if (slot->isPresentThread == PR_GetCurrentThread()) {
+        return PR_TRUE;
+    }
     /* Set the delay time for checking the token presence */
     if (s_token_delay_time == 0) {
         s_token_delay_time = PR_SecondsToInterval(NSSSLOT_TOKEN_DELAY_TIME);
     }
     time = PR_IntervalNow();
     if ((lastPingState == nssSlotLastPingState_Valid) && ((time - slot->lastTokenPingTime) < s_token_delay_time)) {
         return PR_TRUE;
     }
@@ -125,46 +131,46 @@ nssSlot_IsTokenPresent(
 
     /* permanent slots are always present unless they're disabled */
     if (nssSlot_IsPermanent(slot)) {
         return !PK11_IsDisabled(slot->pk11slot);
     }
 
     /* avoid repeated calls to check token status within set interval */
     PZ_Lock(slot->isPresentLock);
-    if (within_token_delay_period(slot)) {
+    if (token_status_checked(slot)) {
         CK_FLAGS ckFlags = slot->ckFlags;
         PZ_Unlock(slot->isPresentLock);
         return ((ckFlags & CKF_TOKEN_PRESENT) != 0);
     }
     PZ_Unlock(slot->isPresentLock);
 
     /* First obtain the slot epv before we set up the condition
      * variable, so we can just return if we couldn't get it. */
     epv = slot->epv;
     if (!epv) {
         return PR_FALSE;
     }
 
     /* set up condition so only one thread is active in this part of the code at a time */
     PZ_Lock(slot->isPresentLock);
-    while (slot->inIsPresent) {
+    while (slot->isPresentThread) {
         PR_WaitCondVar(slot->isPresentCondition, 0);
     }
     /* if we were one of multiple threads here, the first thread will have
      * given us the answer, no need to make more queries of the token. */
-    if (within_token_delay_period(slot)) {
+    if (token_status_checked(slot)) {
         CK_FLAGS ckFlags = slot->ckFlags;
         PZ_Unlock(slot->isPresentLock);
         return ((ckFlags & CKF_TOKEN_PRESENT) != 0);
     }
     /* this is the winning thread, block all others until we've determined
      * if the token is present and that it needs initialization. */
     slot->lastTokenPingState = nssSlotLastPingState_Update;
-    slot->inIsPresent = PR_TRUE;
+    slot->isPresentThread = PR_GetCurrentThread();
 
     PZ_Unlock(slot->isPresentLock);
 
     nssSlot_EnterMonitor(slot);
     ckrv = CKAPI(epv)->C_GetSlotInfo(slot->slotID, &slotInfo);
     nssSlot_ExitMonitor(slot);
     if (ckrv != CKR_OK) {
         slot->token->base.name[0] = 0; /* XXX */
@@ -252,17 +258,17 @@ done:
      */
     PZ_Lock(slot->isPresentLock);
     /* don't update the time if we were reset while we were
      * getting the token state */
     if (slot->lastTokenPingState == nssSlotLastPingState_Update) {
         slot->lastTokenPingTime = PR_IntervalNow();
         slot->lastTokenPingState = nssSlotLastPingState_Valid;
     }
-    slot->inIsPresent = PR_FALSE;
+    slot->isPresentThread = NULL;
     PR_NotifyAllCondVar(slot->isPresentCondition);
     PZ_Unlock(slot->isPresentLock);
     return isPresent;
 }
 
 NSS_IMPLEMENT void *
 nssSlot_GetCryptokiEPV(
     NSSSlot *slot)
--- a/security/nss/lib/dev/devt.h
+++ b/security/nss/lib/dev/devt.h
@@ -87,17 +87,17 @@ struct NSSSlotStr {
     struct nssSlotAuthInfoStr authInfo;
     PRIntervalTime lastTokenPingTime;
     nssSlotLastPingState lastTokenPingState;
     PZLock *lock;
     void *epv;
     PK11SlotInfo *pk11slot;
     PZLock *isPresentLock;
     PRCondVar *isPresentCondition;
-    PRBool inIsPresent;
+    PRThread *isPresentThread;
 };
 
 struct nssSessionStr {
     PZLock *lock;
     CK_SESSION_HANDLE handle;
     NSSSlot *slot;
     PRBool isRW;
     PRBool ownLock;
--- a/security/nss/lib/freebl/blinit.c
+++ b/security/nss/lib/freebl/blinit.c
@@ -86,33 +86,47 @@ CheckX86CPUSupport()
      * as well as XMM and YMM state. */
     avx_support_ = (PRBool)((ecx & AVX_BITS) == AVX_BITS) && check_xcr0_ymm() &&
                    disable_avx == NULL;
     ssse3_support_ = (PRBool)((ecx & ECX_SSSE3) != 0 &&
                               disable_ssse3 == NULL);
 }
 #endif /* NSS_X86_OR_X64 */
 
+/* clang-format off */
 #if (defined(__aarch64__) || defined(__arm__)) && !defined(__ANDROID__)
-#if defined(__GNUC__) && __GNUC__ >= 2 && defined(__ELF__)
+#ifndef __has_include
+#define __has_include(x) 0
+#endif
+#if (__has_include(<sys/auxv.h>) || defined(__linux__)) && \
+    defined(__GNUC__) && __GNUC__ >= 2 && defined(__ELF__)
 #include <sys/auxv.h>
 extern unsigned long getauxval(unsigned long type) __attribute__((weak));
 #else
 static unsigned long (*getauxval)(unsigned long) = NULL;
-#define AT_HWCAP2
-#define AT_HWCAP
+#define AT_HWCAP2 0
+#define AT_HWCAP 0
 #endif /* defined(__GNUC__) && __GNUC__ >= 2 && defined(__ELF__)*/
 #endif /* (defined(__aarch64__) || defined(__arm__)) && !defined(__ANDROID__) */
+/* clang-format on */
 
 #if defined(__aarch64__) && !defined(__ANDROID__)
 // Defines from hwcap.h in Linux kernel - ARM64
+#ifndef HWCAP_AES
 #define HWCAP_AES (1 << 3)
+#endif
+#ifndef HWCAP_PMULL
 #define HWCAP_PMULL (1 << 4)
+#endif
+#ifndef HWCAP_SHA1
 #define HWCAP_SHA1 (1 << 5)
+#endif
+#ifndef HWCAP_SHA2
 #define HWCAP_SHA2 (1 << 6)
+#endif
 
 void
 CheckARMSupport()
 {
     char *disable_arm_neon = PR_GetEnvSecure("NSS_DISABLE_ARM_NEON");
     char *disable_hw_aes = PR_GetEnvSecure("NSS_DISABLE_HW_AES");
     if (getauxval) {
         long hwcaps = getauxval(AT_HWCAP);
@@ -126,25 +140,35 @@ CheckARMSupport()
 }
 #endif /* defined(__aarch64__) && !defined(__ANDROID__) */
 
 #if defined(__arm__) && !defined(__ANDROID__)
 // Defines from hwcap.h in Linux kernel - ARM
 /*
  * HWCAP flags - for elf_hwcap (in kernel) and AT_HWCAP
  */
+#ifndef HWCAP_NEON
 #define HWCAP_NEON (1 << 12)
+#endif
 
 /*
  * HWCAP2 flags - for elf_hwcap2 (in kernel) and AT_HWCAP2
  */
+#ifndef HWCAP2_AES
 #define HWCAP2_AES (1 << 0)
+#endif
+#ifndef HWCAP2_PMULL
 #define HWCAP2_PMULL (1 << 1)
+#endif
+#ifndef HWCAP2_SHA1
 #define HWCAP2_SHA1 (1 << 2)
+#endif
+#ifndef HWCAP2_SHA2
 #define HWCAP2_SHA2 (1 << 3)
+#endif
 
 void
 CheckARMSupport()
 {
     char *disable_arm_neon = PR_GetEnvSecure("NSS_DISABLE_ARM_NEON");
     char *disable_hw_aes = PR_GetEnvSecure("NSS_DISABLE_HW_AES");
     if (getauxval) {
         long hwcaps = getauxval(AT_HWCAP2);
--- a/security/nss/lib/nss/nss.h
+++ b/security/nss/lib/nss/nss.h
@@ -17,20 +17,20 @@
 
 /*
  * NSS's major version, minor version, patch level, build number, and whether
  * this is a beta release.
  *
  * The format of the version string should be
  *     "<major version>.<minor version>[.<patch level>[.<build number>]][ <ECC>][ <Beta>]"
  */
-#define NSS_VERSION "3.36" _NSS_CUSTOMIZED
+#define NSS_VERSION "3.36.1" _NSS_CUSTOMIZED
 #define NSS_VMAJOR 3
 #define NSS_VMINOR 36
-#define NSS_VPATCH 0
+#define NSS_VPATCH 1
 #define NSS_VBUILD 0
 #define NSS_BETA PR_FALSE
 
 #ifndef RC_INVOKED
 
 #include "seccomon.h"
 
 typedef struct NSSInitParametersStr NSSInitParameters;
--- a/security/nss/lib/pk11wrap/dev3hack.c
+++ b/security/nss/lib/pk11wrap/dev3hack.c
@@ -117,17 +117,17 @@ nssSlot_CreateFromPK11SlotInfo(NSSTrustD
     rvSlot->pk11slot = PK11_ReferenceSlot(nss3slot);
     rvSlot->epv = nss3slot->functionList;
     rvSlot->slotID = nss3slot->slotID;
     /* Grab the slot name from the PKCS#11 fixed-length buffer */
     rvSlot->base.name = nssUTF8_Duplicate(nss3slot->slot_name, td->arena);
     rvSlot->lock = (nss3slot->isThreadSafe) ? NULL : nss3slot->sessionLock;
     rvSlot->isPresentLock = PZ_NewLock(nssiLockOther);
     rvSlot->isPresentCondition = PR_NewCondVar(rvSlot->isPresentLock);
-    rvSlot->inIsPresent = PR_FALSE;
+    rvSlot->isPresentThread = NULL;
     rvSlot->lastTokenPingState = nssSlotLastPingState_Reset;
     return rvSlot;
 }
 
 NSSToken *
 nssToken_CreateFromPK11SlotInfo(NSSTrustDomain *td, PK11SlotInfo *nss3slot)
 {
     NSSToken *rvToken;
--- a/security/nss/lib/pkcs7/p7create.c
+++ b/security/nss/lib/pkcs7/p7create.c
@@ -17,17 +17,17 @@
 #include "secerr.h"
 #include "secder.h"
 #include "secpkcs5.h"
 
 const int NSS_PBE_DEFAULT_ITERATION_COUNT = /* used in p12e.c too */
 #ifdef DEBUG
     10000
 #else
-    1000000
+    600000
 #endif
     ;
 
 static SECStatus
 sec_pkcs7_init_content_info(SEC_PKCS7ContentInfo *cinfo, PLArenaPool *poolp,
                             SECOidTag kind, PRBool detached)
 {
     void *thing;
--- a/security/nss/lib/softoken/softkver.h
+++ b/security/nss/lib/softoken/softkver.h
@@ -12,16 +12,16 @@
 
 /*
  * Softoken's major version, minor version, patch level, build number,
  * and whether this is a beta release.
  *
  * The format of the version string should be
  *     "<major version>.<minor version>[.<patch level>[.<build number>]][ <ECC>][ <Beta>]"
  */
-#define SOFTOKEN_VERSION "3.36" SOFTOKEN_ECC_STRING
+#define SOFTOKEN_VERSION "3.36.1" SOFTOKEN_ECC_STRING
 #define SOFTOKEN_VMAJOR 3
 #define SOFTOKEN_VMINOR 36
-#define SOFTOKEN_VPATCH 0
+#define SOFTOKEN_VPATCH 1
 #define SOFTOKEN_VBUILD 0
 #define SOFTOKEN_BETA PR_FALSE
 
 #endif /* _SOFTKVER_H_ */
--- a/security/nss/lib/util/nssutil.h
+++ b/security/nss/lib/util/nssutil.h
@@ -14,20 +14,20 @@
 
 /*
  * NSS utilities's major version, minor version, patch level, build number,
  * and whether this is a beta release.
  *
  * The format of the version string should be
  *     "<major version>.<minor version>[.<patch level>[.<build number>]][ <Beta>]"
  */
-#define NSSUTIL_VERSION "3.36"
+#define NSSUTIL_VERSION "3.36.1"
 #define NSSUTIL_VMAJOR 3
 #define NSSUTIL_VMINOR 36
-#define NSSUTIL_VPATCH 0
+#define NSSUTIL_VPATCH 1
 #define NSSUTIL_VBUILD 0
 #define NSSUTIL_BETA PR_FALSE
 
 SEC_BEGIN_PROTOS
 
 /*
  * Returns a const string of the UTIL library version.
  */