Update NSS to 3.121

components/as-ohttp-client/build.rs

@@ -4,4 +4,22 @@
 
 fn main() {
     uniffi::generate_scaffolding("./src/as_ohttp_client.udl").unwrap();
+
+    // ohttp's build script (app-svc feature) detects NSS acceleration libraries
+    // by file existence, but only checks for pre-NSS-3.121 names. Supplement
+    // with the renamed/new libraries from NSS 3.121+.
+    if let Ok(nss_dir) = std::env::var("NSS_DIR") {
+        println!("cargo:rerun-if-env-changed=NSS_DIR");
+        let lib_dir = std::path::Path::new(&nss_dir).join("lib");
+        for lib in &[
+            "gcm",
+            "ghash-aes-x86_c_lib",
+            "ghash-aes-arm32-neon_c_lib",
+            "ghash-aes-aarch64_c_lib",
+        ] {
+            if lib_dir.join(format!("lib{lib}.a")).is_file() {
+                println!("cargo:rustc-link-lib=static={lib}");
+            }
+        }
+    }
 }

components/support/rc_crypto/nss/nss_build_common/src/lib.rs

@@ -112,6 +112,7 @@ fn get_nss_libs(kind: LinkingKind) -> Vec<&'static str> {
                 "certhi",
                 "cryptohi",
                 "freebl_static",
+                "gcm",
                 "mozpkix",
                 "nspr4",
                 "nss_static",
@@ -127,32 +128,25 @@ fn get_nss_libs(kind: LinkingKind) -> Vec<&'static str> {
             // Hardware specific libs.
             let target_arch = env::var("CARGO_CFG_TARGET_ARCH").unwrap();
             let target_os = env::var("CARGO_CFG_TARGET_OS").unwrap();
-            // https://searchfox.org/nss/rev/0d5696b3edce5124353f03159d2aa15549db8306/lib/freebl/freebl.gyp#508-542
             if target_arch == "arm" || target_arch == "aarch64" {
                 static_libs.push("armv8_c_lib");
             }
             if target_arch == "x86_64" || target_arch == "x86" {
-                static_libs.push("gcm-aes-x86_c_lib");
+                static_libs.push("ghash-aes-x86_c_lib");
                 static_libs.push("sha-x86_c_lib");
             }
             if target_arch == "arm" {
-                static_libs.push("gcm-aes-arm32-neon_c_lib")
+                static_libs.push("ghash-aes-arm32-neon_c_lib")
             }
             if target_arch == "aarch64" {
-                static_libs.push("gcm-aes-aarch64_c_lib");
+                static_libs.push("ghash-aes-aarch64_c_lib");
             }
             if target_arch == "x86_64" {
                 static_libs.push("hw-acc-crypto-avx");
                 static_libs.push("hw-acc-crypto-avx2");
-            }
-            // https://searchfox.org/nss/rev/08c4d05078d00089f8d7540651b0717a9d66f87e/lib/freebl/freebl.gyp#315-324
-            if ((target_os == "android" || target_os == "linux") && target_arch == "x86_64")
-                || target_os == "windows"
-            {
-                static_libs.push("intel-gcm-wrap_c_lib");
-                // https://searchfox.org/nss/rev/08c4d05078d00089f8d7540651b0717a9d66f87e/lib/freebl/freebl.gyp#43-47
-                if (target_os == "android" || target_os == "linux") && target_arch == "x86_64" {
-                    static_libs.push("intel-gcm-s_lib");
+                // intel-gcm-wrap is not built for iOS simulator targets.
+                if target_os != "ios" {
+                    static_libs.push("intel-gcm-wrap_c_lib");
                 }
             }
             static_libs

libs/build-all-ios.sh

@@ -47,6 +47,7 @@ for i in "${!TARGET_ARCHS[@]}"; do
 done
 universal_lib "nss" "libcertdb.a" "${TARGET_ARCHS[@]}"
 universal_lib "nss" "libfreebl_static.a" "${TARGET_ARCHS[@]}"
+universal_lib "nss" "libgcm.a" "${TARGET_ARCHS[@]}"
 universal_lib "nss" "libnssb.a" "${TARGET_ARCHS[@]}"
 universal_lib "nss" "libnssutil.a" "${TARGET_ARCHS[@]}"
 universal_lib "nss" "libpkcs7.a" "${TARGET_ARCHS[@]}"
@@ -65,9 +66,9 @@ universal_lib "nss" "libplds4.a" "${TARGET_ARCHS[@]}"
 universal_lib "nss" "libssl.a" "${TARGET_ARCHS[@]}"
 universal_lib "nss" "libhw-acc-crypto-avx.a" "x86_64"
 universal_lib "nss" "libhw-acc-crypto-avx2.a" "x86_64"
-universal_lib "nss" "libgcm-aes-x86_c_lib.a" "x86_64"
+universal_lib "nss" "libghash-aes-x86_c_lib.a" "x86_64"
 universal_lib "nss" "libsha-x86_c_lib.a" "x86_64"
-universal_lib "nss" "libgcm-aes-aarch64_c_lib.a" "arm64"
+universal_lib "nss" "libghash-aes-aarch64_c_lib.a" "arm64"
 universal_lib "nss" "libarmv8_c_lib.a" "arm64"
 
 HEADER_DIST_DIR="ios/universal/nss/include/nss"

libs/build-all.sh

@@ -2,10 +2,10 @@
 
 set -euvx
 
-NSS="nss-3.120"
-NSS_ARCHIVE="nss-3.120-with-nspr-4.38.2.tar.gz"
-NSS_URL="https://ftp.mozilla.org/pub/security/nss/releases/NSS_3_120_RTM/src/${NSS_ARCHIVE}"
-NSS_SHA256="fb5aa56fa35d963d4c65278328e2e9c99c2484c86f0e41537412477739dcf997"
+NSS="nss-3.121"
+NSS_ARCHIVE="nss-3.121-with-nspr-4.38.2.tar.gz"
+NSS_URL="https://ftp.mozilla.org/pub/security/nss/releases/NSS_3_121_RTM/src/${NSS_ARCHIVE}"
+NSS_SHA256="76b9a1364bc4522abc652c4d676498d5062f502f64e38b32e9e2c7a3fff530f1"
 
 # End of configuration.
 

libs/build-nss-android.sh

@@ -86,6 +86,7 @@ cp -p -L "${BUILD_DIR}/lib/libcertdb.a" "${DIST_DIR}/lib"
 cp -p -L "${BUILD_DIR}/lib/libcerthi.a" "${DIST_DIR}/lib"
 cp -p -L "${BUILD_DIR}/lib/libcryptohi.a" "${DIST_DIR}/lib"
 cp -p -L "${BUILD_DIR}/lib/libfreebl_static.a" "${DIST_DIR}/lib"
+cp -p -L "${BUILD_DIR}/lib/libgcm.a" "${DIST_DIR}/lib"
 cp -p -L "${BUILD_DIR}/lib/libmozpkix.a" "${DIST_DIR}/lib"
 cp -p -L "${BUILD_DIR}/lib/libnss_static.a" "${DIST_DIR}/lib"
 cp -p -L "${BUILD_DIR}/lib/libnssb.a" "${DIST_DIR}/lib"
@@ -99,13 +100,9 @@ cp -p -L "${BUILD_DIR}/lib/libsmime.a" "${DIST_DIR}/lib"
 cp -p -L "${BUILD_DIR}/lib/libsoftokn_static.a" "${DIST_DIR}/lib"
 cp -p -L "${BUILD_DIR}/lib/libssl.a" "${DIST_DIR}/lib"
 # HW specific.
-# https://searchfox.org/nss/rev/0d5696b3edce5124353f03159d2aa15549db8306/lib/freebl/freebl.gyp#508-542
-# https://searchfox.org/nss/rev/08c4d05078d00089f8d7540651b0717a9d66f87e/lib/freebl/freebl.gyp#315-324
-# https://searchfox.org/nss/rev/08c4d05078d00089f8d7540651b0717a9d66f87e/lib/freebl/freebl.gyp#43-47
 if [[ "${TOOLCHAIN}" == "x86_64-linux-android" ]]; then
-  cp -p -L "${BUILD_DIR}/lib/libgcm-aes-x86_c_lib.a" "${DIST_DIR}/lib"
+  cp -p -L "${BUILD_DIR}/lib/libghash-aes-x86_c_lib.a" "${DIST_DIR}/lib"
   cp -p -L "${BUILD_DIR}/lib/libintel-gcm-wrap_c_lib.a" "${DIST_DIR}/lib"
-  cp -p -L "${BUILD_DIR}/lib/libintel-gcm-s_lib.a" "${DIST_DIR}/lib"
   cp -p -L "${BUILD_DIR}/lib/libhw-acc-crypto-avx.a" "${DIST_DIR}/lib"
   cp -p -L "${BUILD_DIR}/lib/libhw-acc-crypto-avx2.a" "${DIST_DIR}/lib"
   cp -p -L "${BUILD_DIR}/lib/libsha-x86_c_lib.a" "${DIST_DIR}/lib"
@@ -114,10 +111,10 @@ if [[ "${TOOLCHAIN}" == "aarch64-linux-android" ]] || [[ "${TOOLCHAIN}" == "arm-
   cp -p -L "${BUILD_DIR}/lib/libarmv8_c_lib.a" "${DIST_DIR}/lib"
 fi
 if [[ "${TOOLCHAIN}" == "aarch64-linux-android" ]]; then
-  cp -p -L "${BUILD_DIR}/lib/libgcm-aes-aarch64_c_lib.a" "${DIST_DIR}/lib"
+  cp -p -L "${BUILD_DIR}/lib/libghash-aes-aarch64_c_lib.a" "${DIST_DIR}/lib"
 fi
 if [[ "${TOOLCHAIN}" == "arm-linux-androideabi" ]]; then
-  cp -p -L "${BUILD_DIR}/lib/libgcm-aes-arm32-neon_c_lib.a" "${DIST_DIR}/lib"
+  cp -p -L "${BUILD_DIR}/lib/libghash-aes-arm32-neon_c_lib.a" "${DIST_DIR}/lib"
 fi
 cp -p -L "${NSPR_BUILD_DIR}/dist/lib/libplc4.a" "${DIST_DIR}/lib"
 cp -p -L "${NSPR_BUILD_DIR}/dist/lib/libplds4.a" "${DIST_DIR}/lib"

libs/build-nss-desktop.sh

@@ -26,12 +26,10 @@ fi
 
 if [[ "${CROSS_COMPILE_TARGET}" =~ "darwin" ]]; then
   DIST_DIR=$(abspath "desktop/darwin/nss")
-  TARGET_OS="macos"
 elif [[ -n "${CROSS_COMPILE_TARGET}" ]]; then
   echo "Cannot build NSS for unrecognized target OS ${CROSS_COMPILE_TARGET}"
   exit 1
 elif [[ "$(uname -s)" == "Darwin" ]]; then
-  TARGET_OS="macos"
   # We need to set this variable for switching libs based on different macos archs (M1 vs Intel)
   if [[ "$(uname -m)" == "arm64" ]]; then
     DIST_DIR=$(abspath "desktop/darwin-aarch64/nss")
@@ -43,7 +41,6 @@ elif [[ "$(uname -s)" == "Darwin" ]]; then
 elif [[ "$(uname -s)" == "Linux" ]]; then
   # This is a JNA weirdness: "x86-64" rather than "x86_64".
   DIST_DIR=$(abspath "desktop/linux-x86-64/nss")
-  TARGET_OS="linux"
 else
    echo "Cannot build NSS on unrecognized host OS $(uname -s)"
    exit 1
@@ -63,7 +60,7 @@ if [[ "${CROSS_COMPILE_TARGET}" =~ "darwin" ]]; then
   else
     # From https://firefox-ci-tc.services.mozilla.com/tasks/index/app-services.cache.level-3.content.v1.nss-artifact/latest
     curl -sfSL --retry 5 --retry-delay 10 -O "https://firefox-ci-tc.services.mozilla.com/api/index/v1/task/app-services.cache.level-3.content.v1.nss-artifact.latest/artifacts/public%2Fdist.tar.bz2"
-    SHA256="7468906d4dfadc449b5665f7fd3eeada1929fd6fab51ea75efb50b3c355f7a8a"
+    SHA256="ed6fcf71c774a7aa67a85b6348e2d52ca418d486acfef5d231e085004175a97a"
     echo "${SHA256}  dist.tar.bz2" | shasum -a 256 -c - || exit 2
     tar xvjf dist.tar.bz2 && rm -rf dist.tar.bz2
     NSS_DIST_DIR=$(abspath "dist")
@@ -93,6 +90,7 @@ cp -p -L "${NSS_DIST_OBJ_DIR}/lib/libcertdb.a" "${DIST_DIR}/lib"
 cp -p -L "${NSS_DIST_OBJ_DIR}/lib/libcerthi.a" "${DIST_DIR}/lib"
 cp -p -L "${NSS_DIST_OBJ_DIR}/lib/libcryptohi.a" "${DIST_DIR}/lib"
 cp -p -L "${NSS_DIST_OBJ_DIR}/lib/libfreebl_static.a" "${DIST_DIR}/lib"
+cp -p -L "${NSS_DIST_OBJ_DIR}/lib/libgcm.a" "${DIST_DIR}/lib"
 cp -p -L "${NSS_DIST_OBJ_DIR}/lib/libnss_static.a" "${DIST_DIR}/lib"
 cp -p -L "${NSS_DIST_OBJ_DIR}/lib/libmozpkix.a" "${DIST_DIR}/lib"
 cp -p -L "${NSS_DIST_OBJ_DIR}/lib/libnssb.a" "${DIST_DIR}/lib"
@@ -109,20 +107,15 @@ cp -p -L "${NSS_DIST_OBJ_DIR}/lib/libssl.a" "${DIST_DIR}/lib"
 # Apple M1 need HW specific libs copied over to successfully build
 if [[ "${TARGET_ARCH}" == "aarch64" ]]; then
   cp -p -L "${NSS_DIST_OBJ_DIR}/lib/libarmv8_c_lib.a" "${DIST_DIR}/lib"
-  cp -p -L "${NSS_DIST_OBJ_DIR}/lib/libgcm-aes-aarch64_c_lib.a" "${DIST_DIR}/lib"
+  cp -p -L "${NSS_DIST_OBJ_DIR}/lib/libghash-aes-aarch64_c_lib.a" "${DIST_DIR}/lib"
 else
   # HW specific.
-  # https://searchfox.org/mozilla-central/rev/1eb05019f47069172ba81a6c108a584a409a24ea/security/nss/lib/freebl/freebl.gyp#159-163
   cp -p -L "${NSS_DIST_OBJ_DIR}/lib/libhw-acc-crypto-avx.a" "${DIST_DIR}/lib"
   cp -p -L "${NSS_DIST_OBJ_DIR}/lib/libhw-acc-crypto-avx2.a" "${DIST_DIR}/lib"
-  cp -p -L "${NSS_DIST_OBJ_DIR}/lib/libgcm-aes-x86_c_lib.a" "${DIST_DIR}/lib"
+  cp -p -L "${NSS_DIST_OBJ_DIR}/lib/libghash-aes-x86_c_lib.a" "${DIST_DIR}/lib"
   cp -p -L "${NSS_DIST_OBJ_DIR}/lib/libintel-gcm-wrap_c_lib.a" "${DIST_DIR}/lib"
   cp -p -L "${NSS_DIST_OBJ_DIR}/lib/libsha-x86_c_lib.a" "${DIST_DIR}/lib"
 fi
-# https://searchfox.org/mozilla-central/rev/1eb05019f47069172ba81a6c108a584a409a24ea/security/nss/lib/freebl/freebl.gyp#43-47
-if [[ "${TARGET_OS}" == "linux" ]]; then
-  cp -p -L "${NSS_DIST_OBJ_DIR}/lib/libintel-gcm-s_lib.a" "${DIST_DIR}/lib"
-fi
 
 cp -p -L -R "${NSS_DIST_DIR}/public/nss/"* "${DIST_DIR}/include/nss"
 cp -p -L -R "${NSS_DIST_OBJ_DIR}/include/nspr/"* "${DIST_DIR}/include/nss"

libs/build-nss-ios.sh

@@ -101,6 +101,7 @@ cp -p -L "${BUILD_DIR}/lib/libcertdb.a" "${DIST_DIR}/lib"
 cp -p -L "${BUILD_DIR}/lib/libcerthi.a" "${DIST_DIR}/lib"
 cp -p -L "${BUILD_DIR}/lib/libcryptohi.a" "${DIST_DIR}/lib"
 cp -p -L "${BUILD_DIR}/lib/libfreebl_static.a" "${DIST_DIR}/lib"
+cp -p -L "${BUILD_DIR}/lib/libgcm.a" "${DIST_DIR}/lib"
 cp -p -L "${BUILD_DIR}/lib/libmozpkix.a" "${DIST_DIR}/lib"
 cp -p -L "${BUILD_DIR}/lib/libnss_static.a" "${DIST_DIR}/lib"
 cp -p -L "${BUILD_DIR}/lib/libnssb.a" "${DIST_DIR}/lib"
@@ -115,12 +116,12 @@ cp -p -L "${BUILD_DIR}/lib/libsoftokn_static.a" "${DIST_DIR}/lib"
 cp -p -L "${BUILD_DIR}/lib/libssl.a" "${DIST_DIR}/lib"
 # HW specific.
 if [[ "${ARCH}" == "x86_64" ]]; then
-  cp -p -L "${BUILD_DIR}/lib/libgcm-aes-x86_c_lib.a" "${DIST_DIR}/lib"
+  cp -p -L "${BUILD_DIR}/lib/libghash-aes-x86_c_lib.a" "${DIST_DIR}/lib"
   cp -p -L "${BUILD_DIR}/lib/libhw-acc-crypto-avx.a" "${DIST_DIR}/lib"
   cp -p -L "${BUILD_DIR}/lib/libhw-acc-crypto-avx2.a" "${DIST_DIR}/lib"
   cp -p -L "${BUILD_DIR}/lib/libsha-x86_c_lib.a" "${DIST_DIR}/lib"
 elif [[ "${ARCH}" == "arm64" ]]; then
-  cp -p -L "${BUILD_DIR}/lib/libgcm-aes-aarch64_c_lib.a" "${DIST_DIR}/lib"
+  cp -p -L "${BUILD_DIR}/lib/libghash-aes-aarch64_c_lib.a" "${DIST_DIR}/lib"
   cp -p -L "${BUILD_DIR}/lib/libarmv8_c_lib.a" "${DIST_DIR}/lib"
 fi
 cp -p -L "${NSPR_BUILD_DIR}/dist/lib/libplc4.a" "${DIST_DIR}/lib"

taskcluster/kinds/fetch/kind.yml

@@ -17,6 +17,6 @@ tasks:
         description: fetches the built NSS artifacts from NSS CI
         fetch:
             type: static-url
-            url: https://firefox-ci-tc.services.mozilla.com/api/queue/v1/task/EGodFlPjRGSveSgW_x9X_g/runs/0/artifacts/public/dist.tar.bz2
-            sha256: 7468906d4dfadc449b5665f7fd3eeada1929fd6fab51ea75efb50b3c355f7a8a
-            size: 24973047
+            url: https://firefox-ci-tc.services.mozilla.com/api/queue/v1/task/cZ_H7rrqSNWKY6yUSr7vGA/runs/0/artifacts/public/dist.tar.bz2
+            sha256: ed6fcf71c774a7aa67a85b6348e2d52ca418d486acfef5d231e085004175a97a
+            size: 25053533