Closed Bug 1564499 Opened 1 year ago Closed 10 months ago

Upgrade Firefox 70 to use NSS 3.46

Categories

(Core :: Security: PSM, task, P1)

RESOLVED FIXED
mozilla70
Tracking Status
firefox70 --- fixed

People

(Reporter: jcj, Assigned: jcj)

Attachments

(7 files)

Tracking NSS 3.46 for Firefox 70. Ultimate tag will be NSS_3_46_RTM.

Pushed by jjones@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/2b165cf536ba
land NSS 264f19e7ede7 UPGRADE_NSS_RELEASE, r=me
Pushed by jjones@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/4d719512b650
land NSS 8c6fad5544a6 UPGRADE_NSS_RELEASE, r=me
Pushed by jjones@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/640dad6bfd82
land NSS a31fc0eefc4c UPGRADE_NSS_RELEASE, r=me
Regressions: 1567698
Pushed by jjones@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/f742215abea8
land NSS 009a7163c80a UPGRADE_NSS_RELEASE, r=me
Backout by malexandru@mozilla.com:
https://hg.mozilla.org/mozilla-central/rev/b5f2fa86e696
Backed out changeset f742215abea8 for causing Bug 1570891. UPGRADE_NSS_RELEASE a=backout

Please ignore the commit message here, this was backed out for the failures in comment 9. It was my mistake here for providing Alexandru a wrong bug no.

Thanks, opened a regression bug (Bug 1570991) and investigating there. New uplift is being tested with what I suspect is the offending patch backed out.

Flags: needinfo?(jjones)
Regressions: 1570991
Pushed by jjones@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/7a4031897e6b
land NSS 777b6070fe76 UPGRADE_NSS_RELEASE, r=me
No longer regressions: 1567698
Pushed by jjones@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/0a267cdf6a6d
land NSS 89aa19677e37 UPGRADE_NSS_RELEASE, r=jcj

Revset: reverse(89aa19677e37~-1::bbfc55939d75)

2019-08-14 Kevin Jacobs <kjacobs@mozilla.com>

* gtests/ssl_gtest/tls_agent.cc:
Bug 1572593 - Re-revert call to CheckCertReqAgainstDefaultCAs to
avoid memory leak (filed as bug 1573945). r=jcj

Revert back to the changes Franziskus had made. Updated the in-
source bug number to point to the new memleak bug.

Differential Revision:
https://phabricator.services.mozilla.com/D42020
[bbfc55939d75] [tip]

2019-08-12 Kevin Jacobs <kjacobs@mozilla.com>

* gtests/freebl_gtest/freebl_gtest.gyp,
gtests/mozpkix_gtest/mozpkix_gtest.gyp:
Bug 1415118 - Fix --enable-libpkix builds from build.sh r=mt,jcj

Differential Revision:
https://phabricator.services.mozilla.com/D41617
[f8926908be71]

2019-08-14 J.C. Jones <jjones@mozilla.com>

* gtests/ssl_gtest/tls_agent.cc, lib/ssl/ssl3ext.c:
Bug 1572593 - Reset advertised extensions in ssl_ConstructExtensions
r=mt,kjacobs

Reset the list of advertised extensions before sending a new set.

This reverts the changes of
https://hg.mozilla.org/projects/nss/rev/1ca362213631d6edc885b6b965b52ecffcf29afd

Differential Revision:
https://phabricator.services.mozilla.com/D41302
[b03ff661491e]

2019-08-14 Kevin Jacobs <kjacobs@mozilla.com>

* lib/freebl/ctr.c:
Bug 1539788 - UBSAN fixup for 128b counter. r=mt,jcj

Differential Revision:
https://phabricator.services.mozilla.com/D41884
[9d1f5e71773d]

2019-08-13 Kevin Jacobs <kjacobs@mozilla.com>

* lib/freebl/chacha20poly1305.c, lib/freebl/ctr.c, lib/freebl/gcm.c,
lib/freebl/intel-gcm-wrap.c, lib/freebl/rsapkcs.c:
Bug 1539788 - Add length checks for cryptographic primitives
r=mt,jcj

This patch adds additional length checks around cryptographic
primitives.

Differential Revision:
https://phabricator.services.mozilla.com/D36079
[dfd6996fe742]

2019-08-13 Marcus Burghardt <mburghardt@mozilla.com>

* gtests/freebl_gtest/mpi_unittest.cc, lib/freebl/mpi/README,
lib/freebl/mpi/mpi.c, lib/freebl/mpi/mpi.h:
Bug 1542077 - Added extra controls and tests to mp_set_int and
mp_set_ulong. r=jcj,kjacobs

Differential Revision:
https://phabricator.services.mozilla.com/D40649
[9bc47e69613e]

2019-08-13 J.C. Jones <jjones@mozilla.com>

* gtests/ssl_gtest/ssl_resumption_unittest.cc,
gtests/ssl_gtest/tls_agent.cc:
Bug 1572791 - Fixup clang-format r=bustage
[ec113de50cdd]

* gtests/ssl_gtest/tls_agent.cc,
gtests/ssl_gtest/tls_subcerts_unittest.cc, lib/ssl/tls13subcerts.c:
Bug 1572791 - Check for nulls in SSLExp_DelegateCredential and its
tests r=kjacobs

This particularly catches test errors in tls_subcerts_unittest when
the profile is stale.

Differential Revision:
https://phabricator.services.mozilla.com/D41429
[ed5067857563]

2019-08-13 Kevin Jacobs <kjacobs@mozilla.com>

* gtests/ssl_gtest/ssl_auth_unittest.cc,
gtests/ssl_gtest/ssl_cert_ext_unittest.cc,
gtests/ssl_gtest/ssl_resumption_unittest.cc,
gtests/ssl_gtest/tls_agent.cc:
Bug 1572791 - Fix ASAN cert errors when SSL gtests run on empty
profile r=jcj

Differential Revision:
https://phabricator.services.mozilla.com/D41787
[cef2aa7f3b8c]

2019-08-09 Kevin Jacobs <kjacobs@mozilla.com>

* tests/common/cleanup.sh:
Bug 1560593 - Cleanup.sh to treat core dumps as test failures on
optimized builds. r=jcj

Differential Revision:
https://phabricator.services.mozilla.com/D41392
[360010725fdb]
Pushed by jjones@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/d3b872e9aca1
land NSS bbfc55939d75 UPGRADE_NSS_RELEASE, r=kjacobs
Pushed by jjones@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/8b744f584b3b
land NSS ea8bc9f43de3 UPGRADE_NSS_RELEASE, r=kjacobs

Revset: reverse(bbfc55939d75~-1::ea8bc9f43de3)

2019-08-19 Kai Engert <kaie@kuix.de>

* automation/release/nspr-version.txt:
Bug 1562330 - require NSPR version 4.22 r=jcj
[ea8bc9f43de3] [tip]

2019-08-16 J.C. Jones <jjones@mozilla.com>

* cmd/selfserv/selfserv.c:
Bug 1574220 - Fixup clang-format r=bustage
[165664ff322c]

2019-08-15 Marcus Burghardt <mburghardt@mozilla.com>

* cmd/selfserv/selfserv.c, cmd/tstclnt/tstclnt.c,
cmd/vfyserv/vfyserv.c:
Bug 1574220 - Improve controls after errors in tstclnt, selfserv and
vfyserv cmds. r=kjacobs

Differential Revision:
https://phabricator.services.mozilla.com/D42165
[32766e60ffa8]

2019-08-16 Marcus Burghardt <mburghardt@mozilla.com>

* lib/sqlite/README, lib/sqlite/sqlite3.c, lib/sqlite/sqlite3.h:
Bug 1550636 - Upgrade SQLite in NSS to v3.29 (2019-07-10). r=jcj

#define SQLITE_VERSION "3.29.0"
#define SQLITE_VERSION_NUMBER 3029000
#define SQLITE_SOURCE_ID "2019-07-10 17:32:03 fc82b73eaac8b36950e527f12c4b5dc1e147e6f4ad2217ae43ad82882a88bfa6"

Differential Revision:
https://phabricator.services.mozilla.com/D42332
[ed55badc848d]

2019-08-15 Marcus Burghardt <mburghardt@mozilla.com>

* lib/ckfw/builtins/certdata.txt, lib/ckfw/builtins/nssckbi.h:
Bug 1566569 - Remove Swisscom Root CA 2 root certificate. r=jcj

Differential Revision:
https://phabricator.services.mozilla.com/D42161
[660d7c210878]

2019-08-20 Marcus Burghardt <mburghardt@mozilla.com>

* lib/ckfw/builtins/certdata.txt:
Bug 1574670 - Remove Expired root certificates - Class 2 Primary,
UTN-USERFirst-Client, Deutsche Telekom Root CA 2.
r=jcj,KathleenWilson

[eeb9a6715a93] [tip]

2019-08-12 Kevin Jacobs <kjacobs@mozilla.com>

* lib/softoken/pkcs11c.c:
Bug 1572164 - Don't unnecessarily free session in NSC_WrapKey r=jcj

[b306ff3d6f4d]
Pushed by jjones@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/d2326f350a15
land NSS eeb9a6715a93 UPGRADE_NSS_RELEASE, r=kjacobs

2019-08-23 Kevin Jacobs <kjacobs@mozilla.com>

* tests/common/cleanup.sh:
Bug 1560593 - Check that BUILD_OPT is defined before testing its
value. r=jcj

[44aa330de2aa] [NSS_3_46_BETA1]

* cmd/strsclnt/strsclnt.c:
Bug 1575968 - Add strsclnt option to enforce the use of either IPv4
or IPv6 r=jcj

[da284d8993ea]

2019-08-23 Marcus Burghardt <mburghardt@mozilla.com>

* gtests/softoken_gtest/softoken_gtest.cc:
Bug 1573942 - Gtest for pkcs11.txt with different breaking line
formats. r=kjacobs

[d07a07eb0e40]

2019-08-21 Kevin Jacobs <kjacobs@mozilla.com>

* lib/util/utilmod.c:
Bug 1564284: Added check for CR + LF, r=marcusburghardt,kjacobs

Looks good and it was already tested locally with this gtest patch:

[d1d2e1e320cd]

2019-08-22 Martin Thomson <mt@lowentropy.net>

* lib/ssl/ssl3con.c:
Bug 1528666 - Formatting, a=bustage
[60eeac76c8ec]

2019-08-20 Martin Thomson <martin.thomson@gmail.com>

* gtests/ssl_gtest/ssl_0rtt_unittest.cc,
gtests/ssl_gtest/ssl_resumption_unittest.cc, lib/ssl/ssl3con.c:
Bug 1528666 - Correct resumption validation checks, r=jcj

We allowed cross-suite resumption before, but it didn't work. This
enables that for clients.

As a secondary minor tweak, clients will no longer validate the
availability of a cipher suite based on their configured version
range when attempting resumption. Instead, they will check whether
the suite works for the version in the session that they are
attempting to resume. In theory, this doesn't change anything
because the previous session should not have selected an
incompatible combination of version and cipher suite, but it's worth
being extra precise.

[cab2c8905214]

2019-08-22 Martin Thomson <mt@lowentropy.net>

* gtests/ssl_gtest/ssl_auth_unittest.cc,
gtests/ssl_gtest/ssl_resumption_unittest.cc, lib/ssl/ssl3con.c:
Bug 1568803 - More tests for client certificate authentication,
r=kjacobs

These were previously disabled because of difficulties (at the time)
in writing these tests for TLS 1.3. The framework, and my
understanding of it, has since improved, so these tests can be
restored and expanded. This exposed a minor correctness issue that
is also corrected.

[95f97d31c313]
Pushed by jjones@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/2cced2d9a28c
land NSS NSS_3_46_BETA1 UPGRADE_NSS_RELEASE, r=kjacobs

2019-08-27 Kevin Jacobs <kjacobs@mozilla.com>

    * automation/taskcluster/graph/src/extend.js,
    automation/taskcluster/scripts/build_gyp.sh,
    automation/taskcluster/windows/build_gyp.sh, fuzz/fuzz.gyp,
    gtests/pk11_gtest/pk11_gtest.gyp,
    gtests/softoken_gtest/softoken_gtest.gyp, tests/all.sh,
    tests/ssl/ssl.sh:
    Bug 1485533 - Close gaps in taskcluster SSL testing. r=mt

    This patch increases SSL testing on taskcluster, specifically,
    running an additional 395 tests on each SSL cycle (more for FIPS
    targets), and adding a new 'stress' cycle.

    Notable changes:

    1) This patch removes SSL stress tests from the default
    `NSS_SSL_RUN` list in all.sh and ssl.sh. If stress tests are needed,
    this variable must be set to include.

    2) The "normal_normal" case is added to `NSS_SSL_TESTS` for all
    targets. FIPS targets also run "normal_fips", "fips_normal", and
    "fips_fips".

    3) `--enable-libpkix` is now set for all taskcluster "build.sh"
    builds in order to support a number of OCSP tests that were
    previously not run.

    [24b0fc700203] [NSS_3_46_BETA2]

2019-08-23 Edouard Oger <eoger@fastmail.com>

    * lib/sqlite/Makefile, lib/sqlite/sqlite.gyp:
    Bug 1549847 - Ignore sqlite compilation warnings. r=mt

    [7f146eb7adac]

2019-08-23 J.C. Jones <jjones@mozilla.com>

    * .hgtags:
    Added tag NSS_3_46_BETA1 for changeset 44aa330de2aa
    [d3035cc9dc73]
Pushed by jjones@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/b74918f6258e
land NSS NSS_3_46_BETA2 UPGRADE_NSS_RELEASE, r=kjacobs

2019-08-30 J.C. Jones <jjones@mozilla.com>

* lib/nss/nss.h, lib/softoken/softkver.h, lib/util/nssutil.h:
Set version numbers to 3.46 final
[decbf7bd40fd] [NSS_3_46_RTM]

2019-08-27 J.C. Jones <jjones@mozilla.com>

* .hgtags:
Added tag NSS_3_46_BETA2 for changeset 24b0fc700203
[29cd579e74e4]
Pushed by jjones@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/86e573da81d1
land NSS NSS_3_46_RTM UPGRADE_NSS_RELEASE, r=kjacobs
Status: ASSIGNED → RESOLVED
Closed: 10 months ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla70