Upgrade Firefox 72 to use NSS 3.48
Categories: Core :: Security: PSM, enhancement, P1
People: Reporter: jcj, Assigned: jcj
References: Depends on 1 open bug, Blocks 1 open bug
Attachments: 9 files (text/x-phabricator-request, 47 bytes each); one flagged approval-mozilla-beta+ by jcristau
Tracking NSS 3.48 for Firefox 72. Ultimate tag will be NSS_3_48_RTM.
Comment 1 • 5 years ago (Assignee)
Pushed by jjones@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/60244e31ea1d land NSS fcdda17cdc36 UPGRADE_NSS_RELEASE, r=kjacobs
Comment 3 • 5 years ago
bugherder
Comment 4 • 5 years ago (Assignee)
2019-11-04 Marcus Burghardt <mburghardt@mozilla.com>
* lib/pk11wrap/pk11cert.c:
Bug 1590495 - Crash in PK11_MakeCertFromHandle->pk11_fastCert. r=jcj
Fixed controls to avoid crashes caused by slots possibly without a
token in pk11_fastCert. Also, improved arguments controls in
PK11_MakeCertFromHandle.
[dc9552c2aa77] [tip]
2019-11-01 Franziskus Kiefer <franziskuskiefer@gmail.com>
* gtests/pk11_gtest/manifest.mn,
gtests/pk11_gtest/pk11_des_unittest.cc,
gtests/pk11_gtest/pk11_gtest.gyp, lib/softoken/pkcs11c.c:
Bug 1591742 - check des iv length and add test for it, r=jcj,kjacobs
Summary: Let's make sure the DES IV has the length we expect it to
have.
Bug #: 1591742
[35857ae98190]
2019-11-01 Dana Keeler <dkeeler@mozilla.com>
* gtests/mozpkix_gtest/pkixcheck_CheckKeyUsage_tests.cpp,
lib/mozpkix/test-lib/pkixtestnss.cpp, tests/gtests/gtests.sh:
Bug 1588567 - enable mozilla::pkix gtests in NSS r=jcj
[27a29997f598]
2019-11-01 Deian Stefan <deian@cs.ucsd.edu>
* lib/softoken/pkcs11c.c:
Bug 1591315 - Update NSC_Decrypt length in constant time r=kjacobs
Update NSC_Decrypt length in constant time
[7f578a829b29]
2019-11-01 Kai Engert <kaie@kuix.de>
* automation/taskcluster/graph/src/queue.js:
Bug 1562671 - Limit Master Password KDF iterations for NSS
continuous integration tests. r=mt
[c8b490583b86]
* lib/softoken/lgglue.c, lib/softoken/sftkdb.c, lib/softoken/sftkdb.h,
lib/softoken/sftkdbti.h, lib/softoken/sftkpwd.c:
Bug 1562671 - Add environment variables to control Master Password
KDF iteration count. Disable iteration count for legacy DBM storage
by default. r=rrelyea
[ced91a705aa3]
2019-11-01 Bob Relyea <rrelyea@redhat.com>
* lib/softoken/legacydb/keydb.c, lib/softoken/lgglue.c,
lib/softoken/pkcs11.c, lib/softoken/sftkdb.c, lib/softoken/sftkdb.h,
lib/softoken/sftkdbti.h, lib/softoken/sftkpwd.c:
Bug 1562671 - Support higher iteration count for Master Password
KDF. Bob Relyea's base patch. Requires the follow-up patch. r=kaie
[6619bb43d746]
2019-10-28 Martin Thomson <mt@lowentropy.net>
* coreconf/Linux.mk, coreconf/WIN32.mk, coreconf/command.mk,
coreconf/config.gypi, coreconf/rules.mk, lib/freebl/aes-armv8.c,
lib/freebl/aes-x86.c, lib/freebl/config.mk, lib/freebl/freebl.gyp,
lib/freebl/intel-aes.h, lib/freebl/intel-gcm-wrap.c,
lib/freebl/rijndael.c, lib/freebl/rijndael.h, lib/ssl/config.mk,
lib/ssl/ssl.gyp:
Bug 1590972 - Use -std=c99 for all C code, r=jcj
This switches to using -std=c99 for compiling all C code.
Previously, we only enabled this option for lib/freebl and lib/ssl.
For Linux, this means we need to define _DEFAULT_SOURCE to access
some of the functions we use. On glibc 2.12 (our oldest supported
version), we also need to define _BSD_SOURCE to access these
functions.
The only tricky part is dealing with partial C99 implementation in
gcc 4.4. From what I've seen, the only problem is that - in that
mode - it doesn't support nesting of unnamed fields:
https://gcc.gnu.org/onlinedocs/gcc-4.4.7/gcc/Unnamed-Fields.html
This also switches from -std=c++0x to -std=c++11 as the 0x variant,
though identical in meaning, is deprecated.
[dbba7db4b79d]
2019-10-30 Giulio Benetti <giulio.benetti@benettiengineering.com>
* lib/freebl/aes-armv8.c, lib/freebl/rijndael.c:
Bug 1590676 - Fix build if arm doesn't support NEON r=kjacobs
At the moment NSS assumes that ARM supports NEON extension but this
is not true and leads to build failure on ARM without NEON
extension. Add check to assure USE_HW_AES is not defined if ARM
without NEON extension is used.
[58f2471ace3b]
2019-10-30 Martin Thomson <mt@lowentropy.net>
* gtests/ssl_gtest/tls_agent.cc:
Bug 1575411 - Disable EMS for tests, a=bustage
[6e5f69781137]
2019-10-29 J.C. Jones <jjones@mozilla.com>
* gtests/ssl_gtest/tls_esni_unittest.cc:
Bug 1590970 - Fix clang-format from
e7956ee3ba1b6d05e3175bbcd795583fde867720 r=me
[d1e43cb9f227]
2019-10-29 Giulio Benetti <giulio.benetti@benettiengineering.com>
* lib/ssl/tls13esni.c:
Bug 1590678 - Remove -Wmaybe-uninitialized warning in tls13esni.c
r=jcj
[df5e9021809a]
2019-10-29 Martin Thomson <martin.thomson@gmail.com>
* lib/ssl/ssl.h, lib/ssl/sslsock.c:
Bug 1575411 - Enable extended master secret by default,
r=jcj,kjacobs
See the bug for discussion about the implications of this.
[d1c68498610d]
2019-10-29 Martin Thomson <mt@lowentropy.net>
* gtests/ssl_gtest/tls_esni_unittest.cc, lib/ssl/sslexp.h:
Bug 1590970 - Stop using time() for ESNI tests, r=kjacobs
Summary: The ESNI tests were using time() rather than PR_Now(), so
they slipped the net when I went looking for bad time functions. Now
they do the right thing again.
What we were probably seeing in the intermittents was the case where
we set the time for most of the SSL functions to PR_Now(), and that
was just before a second rollover. Then, when time() was called, it
returned t+1 so the ESNI keys that were being generated in the ESNI
tests were given a notBefore time that was in the future relative to
the time being given to the TLS stack. Had the ESNI keys generation
been given time() - 1 for notBefore, as I have done here, this would
never have turned up.
Reviewers: kjacobs
Tags: #secure-revision
Bug #: 1590970
[e7956ee3ba1b]
Pushed by jjones@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/1adbdd45d961 land NSS dc9552c2aa77 UPGRADE_NSS_RELEASE, r=kjacobs
Comment 6 • 5 years ago
Backed out for bc failures on browser_masterPassword.js
Backout link: https://hg.mozilla.org/integration/autoland/rev/17bd8eb45ebddd62f5aad6e0755ceb92795ce60a
Log link: https://treeherder.mozilla.org/logviewer.html#/jobs?job_id=274745989&repo=autoland&lineNumber=1999
Pushed by jjones@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/56cb51a60564 land NSS dc9552c2aa77 UPGRADE_NSS_RELEASE, r=kjacobs
Comment 9 • 5 years ago
bugherder
Comment 10 • 5 years ago (Assignee)
2019-11-07 Makoto Kato <m_kato@ga2.so-net.ne.jp>
* lib/freebl/ctr.c:
Bug 1592869 - Use NEON for ctr_xor. r=kjacobs
Using NEON for ctr_xor, aes_ctr can improve 30%-40% decode/encode
time on Cortex-A72.
[d244c7287908] [tip]
2019-11-12 Marcus Burghardt <mburghardt@mozilla.com>
* gtests/pk11_gtest/pk11_pbkdf2_unittest.cc, lib/pk11wrap/pk11pbe.c,
lib/pk11wrap/pk11skey.c, lib/softoken/pkcs11c.c:
Bug 1591363 - PBKDF2 memory leaks in NSC_GenerateKey. r=jcj
A memory leak was reported and confirmed in this bug. However,
during the "manual" analysis of the flow, another possible leak was
found. I created a patch for both leaks, added gtests for unexpected
keySizes and adjusted the general syntax of the gtest file.
[7ef8d2604494]
2019-11-11 Tom Prince <mozilla@hocat.ca>
* automation/taskcluster/graph/src/extend.js,
automation/taskcluster/windows/setup.sh:
Bug 1594891 - Use tc-proxy for nss tooltool; r=dustin,jcj
[c33b214b2ec8]
2019-11-08 Daiki Ueno <dueno@redhat.com>
* gtests/ssl_gtest/ssl_dhe_unittest.cc,
gtests/ssl_gtest/ssl_ecdh_unittest.cc,
gtests/ssl_gtest/tls_connect.h, lib/ssl/ssl3con.c:
Bug 1566131, check policy against hash algorithms used for
ServerKeyExchange, r=mt
Summary: This adds necessary policy checks in
`ssl3_ComputeCommonKeyHash()`, right before calculating hashes. Note
that it currently doesn't check MD5 as it still needs to be allowed
in TLS 1.1 or earlier and many tests fail if we change that.
Reviewers: mt
Reviewed By: mt
Bug #: 1566131
[c08947c6af57]
2019-11-08 Kai Engert <kaie@kuix.de>
* coreconf/coreconf.dep:
Dummy change, trigger a build to test latest NSPR commits.
[e766899c72a5]
* automation/taskcluster/graph/src/extend.js:
Bug 1579836 - Execute NSPR tests as part of NSS continuous
integration. r=jcj
[46bfbabf7e75]
2019-11-08 Dustin J. Mitchell <dustin@mozilla.com>
* automation/taskcluster/graph/npm-shrinkwrap.json,
automation/taskcluster/graph/package.json,
automation/taskcluster/graph/src/image_builder.js,
automation/taskcluster/graph/src/queue.js,
automation/taskcluster/scripts/tools.sh,
automation/taskcluster/windows/gen_certs.sh,
automation/taskcluster/windows/run_tests.sh:
Bug 1594891 - Updates to run correctly on the new TC deployment
r=jcj
* Update the Taskcluster client used in the decision task to one
that understands Taskcluster rootUrls.
* Update scripts that fetch content to use the TASKCLUSTER_ROOT_URL
* the absence of this variable signals an "old" worker so we use an
"old" URL
[67d630e7cb7c]
2019-11-07 Tom Prince <mozilla@hocat.ca>
* .taskcluster.yml, automation/taskcluster/graph/src/extend.js,
automation/taskcluster/graph/src/queue.js:
Bug 1591275: Switch workers to use AWS Provider; r=kjacobs
[a2bebaad41dd]
2019-11-06 Daiki Ueno <dueno@redhat.com>
* gtests/pk11_gtest/pk11_module_unittest.cc:
Bug 1577803, clang-format, a=bustage
[c9014b2892d5]
* gtests/pk11_gtest/pk11_module_unittest.cc,
gtests/pkcs11testmodule/pkcs11testmodule.cpp,
lib/pk11wrap/debug_module.c, lib/pk11wrap/pk11obj.c,
lib/pk11wrap/pk11slot.c, lib/pk11wrap/secmodti.h,
lib/util/pkcs11t.h:
Bug 1577803, pk11wrap: set friendly flag if token implements
CKP_PUBLIC_CERTIFICATES_TOKEN, r=rrelyea
Summary: This makes NSS look for CKO_PROFILE object at token
initialization time to check if it implements the Public Certificates
Token profile (https://docs.oasis-open.org/pkcs11/pkcs11-profiles/v3.0/pkcs11-profiles-v3.0.pdf)
as defined in PKCS #11 v3.0.
If it is found, the token is automatically marked as friendly so no
authentication attempts will be made when accessing certificates.
Reviewers: rrelyea
Reviewed By: rrelyea
Subscribers: reviewbot
Bug #: 1577803
[b39c8eeabe6a]
2019-11-06 Martin Thomson <mt@lowentropy.net>
* lib/freebl/blinit.c, lib/freebl/gcm-ppc.c:
Bug 1566126 - clang-format, a=bustage
[6125200fbc88]
2019-11-06 Lauri Kasanen <cand@gmx.com>
* lib/freebl/Makefile, lib/freebl/altivec-types.h,
lib/freebl/blapii.h, lib/freebl/blinit.c, lib/freebl/freebl.gyp,
lib/freebl/gcm-ppc.c, lib/freebl/gcm.c, lib/freebl/gcm.h:
Bug 1566126 - freebl: POWER GHASH Vector Acceleration, r=mt
Implementation for POWER8 adapted from the ARM paper:
https://conradoplg.cryptoland.net/files/2010/12/gcm14.pdf
Benchmark of `bltest -E -m aes_gcm -i tests/aes_gcm/plaintext10 \
-v tests/aes_gcm/iv10 -k tests/aes_gcm/key10 -5 10` on POWER8 3.3GHz.
NSS_DISABLE_HW_CRYPTO=1
mode in symmkey opreps cxreps context op time(sec) thrgput
aes_gcm_e 309Mb 192 5M 0 0.000 10000.000 10.001 30Mb
mode in symmkey opreps cxreps context op time(sec) thrgput
aes_gcm_e 829Mb 192 14M 0 0.000 10000.000 10.001 82Mb
Notable operf results, sw:
samples % image name symbol name
226033 59.3991 libfreeblpriv3.so bmul
80606 21.1824 libfreeblpriv3.so rijndael_encryptBlock128
28851 7.5817 libfreeblpriv3.so gcm_HashMult_sftw
hw:
213899 56.2037 libfreeblpriv3.so rijndael_encryptBlock128
45233 11.8853 libfreeblpriv3.so gcm_HashMult_hw
So the ghash part is ~5.6x faster.
Signed-off-by: Lauri Kasanen <cand@gmx.com>
[3d7e509d6d20]
2019-11-05 Marcus Burghardt <mburghardt@mozilla.com>
* lib/certdb/certdb.c, lib/util/secport.h:
Bug 1589073 - Use of new PR_ASSERT_ARG in certdb.c. r=mt
Bug 1588015 introduced in NSPR a new way to ASSERT values where the
arguments are always used avoiding "unused variable" errors. This
was implemented in NSS, at certdb.c.
[73c28cad3dbb]
2019-11-05 Daiki Ueno <dueno@redhat.com>
* cpputil/nss_scoped_ptrs.h, gtests/manifest.mn,
gtests/pk11_gtest/manifest.mn, gtests/pk11_gtest/pk11_gtest.gyp,
gtests/pk11_gtest/pk11_module_unittest.cc,
gtests/pkcs11testmodule/Makefile, gtests/pkcs11testmodule/config.mk,
gtests/pkcs11testmodule/manifest.mn,
gtests/pkcs11testmodule/pkcs11testmodule.cpp,
gtests/pkcs11testmodule/pkcs11testmodule.def,
gtests/pkcs11testmodule/pkcs11testmodule.gyp,
gtests/pkcs11testmodule/pkcs11testmodule.rc, nss.gyp:
Bug 1577803, gtests: import pkcs11testmodule from Firefox, r=rrelyea
Summary: This adds a mock PKCS #11 module from Firefox and add basic
tests around it. This is needed for proper testing of PKCS #11 v3.0
profile objects (D45669).
Reviewers: rrelyea
Reviewed By: rrelyea
Subscribers: reviewbot
Bug #: 1577803
[0a86945adf74]
Comment 11 • 5 years ago
Pushed by jjones@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/cbd4aa02eba9 land NSS 87f35ba4c82f UPGRADE_NSS_RELEASE, r=keeler
Comment 12 • 5 years ago
Backed out for failures on browser_startup_mainthreadio.js
backout: https://hg.mozilla.org/integration/autoland/rev/3cf4cf89e8ea13ac159ef96d9688d51403ad5994
failure log: https://treeherder.mozilla.org/logviewer.html#/jobs?job_id=276086706&repo=autoland&lineNumber=1531
[task 2019-11-13T22:32:54.246Z] 22:32:54 INFO - TEST-PASS | browser/base/content/test/performance/browser_startup_mainthreadio.js | stat on C:\Users\task_1573683722\AppData\Local\Temp\tmptrvfrl.mozrunner\cert9.db as many times as expected before handling user events -
[task 2019-11-13T22:32:54.246Z] 22:32:54 INFO - TEST-PASS | browser/base/content/test/performance/browser_startup_mainthreadio.js | stat on C:\Users\task_1573683722\AppData\Local\Temp\tmptrvfrl.mozrunner\cert9.db allowed 2 more times before handling user events -
[task 2019-11-13T22:32:54.247Z] 22:32:54 INFO - Buffered messages finished
[task 2019-11-13T22:32:54.247Z] 22:32:54 INFO - TEST-UNEXPECTED-FAIL | browser/base/content/test/performance/browser_startup_mainthreadio.js | stat on C:\Users\task_1573683722\AppData\Local\Temp\tmptrvfrl.mozrunner\cert9.db-journal 1 more times than expected before handling user events -
[task 2019-11-13T22:32:54.247Z] 22:32:54 INFO - Stack trace:
[task 2019-11-13T22:32:54.247Z] 22:32:54 INFO - chrome://mochikit/content/browser-test.js:test_ok:1299
[task 2019-11-13T22:32:54.247Z] 22:32:54 INFO - chrome://mochitests/content/browser/browser/base/content/test/performance/browser_startup_mainthreadio.js:null:895
[task 2019-11-13T22:32:54.248Z] 22:32:54 INFO - chrome://mochikit/content/browser-test.js:Tester_execTest/<:1069
[task 2019-11-13T22:32:54.248Z] 22:32:54 INFO - chrome://mochikit/content/browser-test.js:Tester_execTest:1104
[task 2019-11-13T22:32:54.248Z] 22:32:54 INFO - chrome://mochikit/content/browser-test.js:nextTest/<:932
[task 2019-11-13T22:32:54.248Z] 22:32:54 INFO - chrome://mochikit/content/tests/SimpleTest/SimpleTest.js:SimpleTest.waitForFocus/waitForFocusInner/focusedOrLoaded/<:805
[task 2019-11-13T22:32:54.248Z] 22:32:54 INFO - Not taking screenshot here: see the one that was previously logged
[task 2019-11-13T22:32:54.249Z] 22:32:54 INFO - TEST-UNEXPECTED-FAIL | browser/base/content/test/performance/browser_startup_mainthreadio.js | stat on C:\Users\task_1573683722\AppData\Local\Temp\tmptrvfrl.mozrunner\cert9.db-wal 1 more times than expected before handling user events -
[task 2019-11-13T22:32:54.249Z] 22:32:54 INFO - Stack trace:
[task 2019-11-13T22:32:54.249Z] 22:32:54 INFO - chrome://mochikit/content/browser-test.js:test_ok:1299
[task 2019-11-13T22:32:54.249Z] 22:32:54 INFO - chrome://mochitests/content/browser/browser/base/content/test/performance/browser_startup_mainthreadio.js:null:895
[task 2019-11-13T22:32:54.250Z] 22:32:54 INFO - chrome://mochikit/content/browser-test.js:Tester_execTest/<:1069
[task 2019-11-13T22:32:54.250Z] 22:32:54 INFO - chrome://mochikit/content/browser-test.js:Tester_execTest:1104
[task 2019-11-13T22:32:54.250Z] 22:32:54 INFO - chrome://mochikit/content/browser-test.js:nextTest/<:932
[task 2019-11-13T22:32:54.250Z] 22:32:54 INFO - chrome://mochikit/content/tests/SimpleTest/SimpleTest.js:SimpleTest.waitForFocus/waitForFocusInner/focusedOrLoaded/<:805
Comment 13 • 5 years ago
Pushed by jjones@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/9ba180fee075 land NSS 87f35ba4c82f UPGRADE_NSS_RELEASE, r=keeler
Comment 14 • 5 years ago
bugherder
Comment 15 • 5 years ago (Assignee)
2019-11-09 Dana Keeler <dkeeler@mozilla.com>
* gtests/mozpkix_gtest/pkixbuild_tests.cpp,
gtests/mozpkix_gtest/pkixcert_extension_tests.cpp,
gtests/mozpkix_gtest/pkixcert_signature_algorithm_tests.cpp,
gtests/mozpkix_gtest/pkixcheck_CheckExtendedKeyUsage_tests.cpp,
gtests/mozpkix_gtest/pkixcheck_CheckSignatureAlgorithm_tests.cpp,
gtests/mozpkix_gtest/pkixgtest.h,
lib/mozpkix/include/pkix/pkixtypes.h, lib/mozpkix/lib/pkixbuild.cpp:
bug 1593141 - add validity period beginning argument to
mozilla::pkix::TrustDomain::CheckRevocation r=jcj
This allows TrustDomain implementations to make decisions based on
when the validity period of a certificate began. For instance, if an
implementation has revocation information that is valid and complete
as of a particular time, but a certificate's validity period begins
after that time, the implementation may decide to disregard this
revocation information on the basis that the information it has
available cannot possibly apply to that certificate.
[e8f2720c8254] [tip]
Comment 16 • 5 years ago
Pushed by archaeopteryx@coole-files.de: https://hg.mozilla.org/integration/autoland/rev/f3ce2609c3f3 land NSS e8f2720c8254 UPGRADE_NSS_RELEASE, r=kjacobs CLOSED TREE
Comment 17 • 5 years ago
bugherder
Comment 18 • 5 years ago (Assignee)
2019-11-19 Craig Disselkoen <cdisselk@cs.ucsd.edu>
* lib/softoken/pkcs11c.c:
Bug 1586176 - EncryptUpdate should use maxout not block size.
r=franziskus
[1e22a0c93afe]
Comment 19 • 5 years ago
Pushed by jjones@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/ba91226fa7b9 land NSS 1e22a0c93afe UPGRADE_NSS_RELEASE, r=kjacobs
Comment 20 • 5 years ago
bugherder
Comment 21 • 5 years ago (Assignee)
2019-11-20 Kevin Jacobs <kjacobs@mozilla.com>
* lib/ssl/ssl3con.c, lib/ssl/tls13con.c:
Bug 1590001 - Prevent negotiation of versions lower than 1.3 after
HelloRetryRequest. r=mt
This patch prevents negotiation of TLS versions lower than 1.3 after
an HRR has been sent.
[d64102b76a43] [tip]
2019-11-22 J.C. Jones <jjones@mozilla.com>
* lib/softoken/pkcs11u.c:
Bug 1596450 - Fixup, coverity CID 1455952 r=kjacobs
[46b1355d8765]
* lib/pk11wrap/pk11slot.c:
Bug 1522203 - Remove Pentium Pro workaround for PK11_GetAllTokens
r=kjacobs
The comment indicated the wasted effort was to work around a cache
issue on the Pentium Pro. I think it has served its purpose.
[27d9fb4ac69b]
2019-11-21 Franziskus Kiefer <franziskuskiefer@gmail.com>
* tests/gtests/gtests.sh:
Bug 1592557 - fix prng kat tests, r=jcj
fix for prng kat tests
[474334bb790b]
2019-11-20 Robert Relyea <rrelyea@redhat.com>
* lib/softoken/pkcs11c.c, lib/softoken/pkcs11i.h,
lib/softoken/sftkhmac.c:
Bug 1596450 - softoken: unified MAC implementation patch by Alex
Scheel review by rrelyea
[3147585149f0]
Comment 22 • 5 years ago
Pushed by jjones@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/8a2358762789 land NSS d64102b76a43 UPGRADE_NSS_RELEASE, r=kjacobs
Comment 23 • 5 years ago
bugherder
Comment 24 • 5 years ago (Assignee)
2019-11-26 J.C. Jones <jjones@mozilla.com>
* lib/ckfw/builtins/certdata.txt, lib/ckfw/builtins/nssckbi.h:
Bug 1591178 - Add Entrust Root Certification Authority - G4
r=kjacobs
Friendly Name: Entrust Root Certification Authority - G4 Cert
Location:
https://bug1480510.bmoattachments.org/attachment.cgi?id=8997105
SHA-256 Fingerprint:
DB3517D1F6732A2D5AB97C533EC70779EE3270A62FB4AC4238372460E6F01E88
Trust Flags: Email; Websites Test URL: https://validg4.entrust.net/
[10722c590949] [tip]
Comment 25 • 5 years ago
Pushed by jjones@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/dc8776ff4759 land NSS 10722c590949 UPGRADE_NSS_RELEASE, r=kjacobs
Comment 26 • 5 years ago
bugherder
Comment 27 • 5 years ago
hg blame points to:
changeset: 502006:9ba180fee075
date: Thu Nov 14 17:32:27 2019 +0000
summary: Bug 1592007 - land NSS 87f35ba4c82f UPGRADE_NSS_RELEASE, r=keeler
as the one having added the PORT_AssertArg lines which cause compilation error:
8:04.84 ../../../../../../security/nss/lib/certdb/certdb.c:3000: error: undefined reference to 'PR_ASSERT_ARG'
8:04.84 ../../../../../../security/nss/lib/certdb/certdb.c:3011: error: undefined reference to 'PR_ASSERT_ARG'
8:04.88 clang-9: error: linker command failed with exit code 1 (use -v to see invocation)
the command is possibly this (I'm unsure):
7:33.82 /usr/bin/ccache /usr/bin/clang -std=gnu99 -o certdb.o -c -DNDEBUG -DTRIMMED=1 -DNSS_FIPS_DISABLED -DNSS_NO_INIT_SUPPORT -DNSS_X86_OR_X64 -DNSS_X64 -DNSS_USE_64 -DUSE_UTIL_DIRECTLY -DNO_NSPR_10_SUPPORT -DSSL_DISABLE_DEPRECATED_CIPHER_SUITE_NAMES -DLINUX2_1 -DLINUX -Dlinux -D_DEFAULT_SOURCE -D_BSD_SOURCE -DHAVE_STRERROR -DXP_UNIX -D_REENTRANT -DNSS_DISABLE_DBM -DNSS_DISABLE_LIBPKIX -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2 -fstack-protector-strong -include /home/user/build/1packages/4used/firefox-hg/makepkg_pacman/firefox-hg/src/firefox-hg/obj-x86_64-pc-linux-gnu/mozilla-config.h -DMOZILLA_CLIENT -Qunused-arguments -pipe -march=native -Wno-trigraphs -fno-delete-null-pointer-checks -mtune=native -fomit-frame-pointer -O2 -fPIC -D_FORTIFY_SOURCE=2 -fno-plt -fno-strict-aliasing -ffunction-sections -fdata-sections -fno-math-errno -pthread -pipe -I/home/user/build/1packages/4used/firefox-hg/makepkg_pacman/firefox-hg/src/firefox-hg/security/nss/lib/certdb -I/home/user/build/1packages/4used/firefox-hg/makepkg_pacman/firefox-hg/src/firefox-hg/obj-x86_64-pc-linux-gnu/security/nss/lib/certdb/certdb_certdb -I/usr/include/nspr -I/home/user/build/1packages/4used/firefox-hg/makepkg_pacman/firefox-hg/src/firefox-hg/obj-x86_64-pc-linux-gnu/dist/include/private/nss -I/home/user/build/1packages/4used/firefox-hg/makepkg_pacman/firefox-hg/src/firefox-hg/obj-x86_64-pc-linux-gnu/dist/include/nss -I/home/user/build/1packages/4used/firefox-hg/makepkg_pacman/firefox-hg/src/firefox-hg/obj-x86_64-pc-linux-gnu/dist/include -fPIC -g -O2 -fno-omit-frame-pointer -funwind-tables -Qunused-arguments -Wall -Wbitfield-enum-conversion -Wempty-body -Wignored-qualifiers -Wpointer-arith -Wshadow-field-in-constructor-modified -Wsign-compare -Wtype-limits -Wunreachable-code -Wunreachable-code-return -Wclass-varargs -Wfloat-overflow-conversion -Wfloat-zero-conversion -Wloop-analysis -Wstring-conversion -Wtautological-overlap-compare -Wtautological-unsigned-enum-zero-compare 
-Wtautological-unsigned-zero-compare -Wno-error=tautological-type-limit-compare -Wno-error=deprecated-declarations -Wno-error=array-bounds -Wno-error=backend-plugin -Wno-error=return-std-move -Wno-error=atomic-alignment -Wformat -Wformat-security -Wno-gnu-zero-variadic-macro-arguments -MD -MP -MF .deps/certdb.o.pp -fcolor-diagnostics /home/user/build/1packages/4used/firefox-hg/makepkg_pacman/firefox-hg/src/firefox-hg/security/nss/lib/certdb/certdb.c
Any idea how to work around it? I tried adding #include "prlog.h" in security/nss/lib/certdb/certdb.c already, no effect. The above lines may thus be off by a bit.
Firefox tested:
changeset: 504265:5afa8f03bfed
tag: tip
date: Fri Nov 22 14:46:17 2019 +0000
summary: Bug 1597931 - Add libFuzzer instrumentation to extensions/auth/. r=mayhemer
Comment 28 • 5 years ago
Thanks to <emilio> on irc mozilla org #introduction channel, for telling me that the error is because my OS's nspr package was outdated (4.23-2), and my mozconfig has ac_add_options --with-system-nspr, so my #include "prlog.h" was using system nspr's prlog.h, not the one that I could clearly see had the right PR_ASSERT_ARG defines in the firefox-hg repo tree!
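The mismatch diagnosed in comments 27 and 28, as an added example that is not part of the bug or of the NSS/Firefox build system: a shell check of whether an NSPR include directory (such as the /usr/include/nspr on the compile command line) is new enough for NSS 3.48. The function names and the sample header trees are constructed; the 4.24 minimum and PR_ASSERT_ARG come from this bug, and the check assumes NSPR's prinit.h carries the PR_VERSION string.

```shell
#!/bin/sh
# Added example: decide whether an NSPR include directory can build NSS 3.48.
# The 4.24 minimum and the PR_ASSERT_ARG macro come from this bug; the
# function names and the sample trees below are constructed for illustration.

REQUIRED_NSPR="4.24"

# Print "MAJOR.MINOR" from the PR_VERSION string in DIR/prinit.h (empty if absent).
nspr_version() {
    [ -r "$1/prinit.h" ] || return 0
    sed -n 's/^[[:space:]]*#[[:space:]]*define[[:space:]][[:space:]]*PR_VERSION[[:space:]][[:space:]]*"\([0-9][0-9]*\.[0-9][0-9]*\).*/\1/p' \
        "$1/prinit.h" | head -n 1
}

# Succeed if DIR/prlog.h defines the PR_ASSERT_ARG macro.
nspr_has_assert_arg() {
    [ -r "$1/prlog.h" ] &&
        grep -Eq '^[[:space:]]*#[[:space:]]*define[[:space:]]+PR_ASSERT_ARG([^A-Za-z0-9_]|$)' "$1/prlog.h"
}

# Succeed if version $1 (MAJOR.MINOR) is >= version $2.
version_at_least() {
    have_major=${1%%.*}; have_minor=${1#*.}
    want_major=${2%%.*}; want_minor=${2#*.}
    [ "$have_major" -gt "$want_major" ] && return 0
    [ "$have_major" -eq "$want_major" ] && [ "$have_minor" -ge "$want_minor" ]
}

# Classify DIR: prints "ok", "too-old" or "no-headers"; returns 0 only for "ok".
# A tree that claims the right version but lacks the macro (a prerelease
# snapshot, for instance) is still reported as too old.
check_nspr_include_dir() {
    ver=$(nspr_version "$1")
    if [ -z "$ver" ]; then
        echo "no-headers"; return 2
    fi
    if version_at_least "$ver" "$REQUIRED_NSPR" && nspr_has_assert_arg "$1"; then
        echo "ok"; return 0
    fi
    echo "too-old"; return 1
}

# Build a constructed include tree: make_sample_tree DIR VERSION yes|no
make_sample_tree() {
    mkdir -p "$1"
    printf '#define PR_VERSION  "%s"\n' "$2" > "$1/prinit.h"
    printf '#define PR_ASSERT(_expr) ((void)0)\n' > "$1/prlog.h"
    if [ "$3" = "yes" ]; then
        printf '#define PR_ASSERT_ARG(_expr) ((void)(_expr))\n' >> "$1/prlog.h"
    fi
}

# Run the check over two constructed trees: one like the outdated system
# package from comment 28, one like a tree that already has the macro.
demo() {
    tmp=$(mktemp -d) || return 1
    make_sample_tree "$tmp/system" "4.23" no
    make_sample_tree "$tmp/in-tree" "4.24" yes
    for d in "$tmp/system" "$tmp/in-tree"; do
        printf '%s: NSPR %s -> %s\n' "${d##*/}" "$(nspr_version "$d")" \
            "$(check_nspr_include_dir "$d")"
    done
    rm -rf "$tmp"
}

demo
```

To check a real installation, call `check_nspr_include_dir` on the directory that the `-I` option for NSPR points at in the failing compile command.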
Comment 29 • 5 years ago (Assignee)
[Tracking Requested - why for this release]:
Note that because https://wiki.mozilla.org/NSS:Release_Versions was wrong, since I was not aware of the schedule change on Firefox 72, this (and NSPR in Bug 1591887) both missed the merge, and the Beta branch now has prerelease versions. Requesting Beta tracking, as we need to uplift the eventual RTM to not break all Linux distros (as already happened in comment #27).
Comment 30 • 5 years ago (Assignee)
2019-12-02 Kevin Jacobs <kjacobs@mozilla.com>
* lib/ssl/sslsnce.c:
Bug 1593401 - Fix race condition in self-encrypt functions r=mt,jcj
[77976f3fefca] [NSS_3_48_BETA1]
2019-12-02 J.C. Jones <jjones@mozilla.com>
* automation/release/nspr-version.txt:
Bug 1600775 - Require NSPR 4.24 for NSS 3.48 r=kaie,kjacobs
[b6141fb86799]
* gtests/ssl_gtest/tls_filter.h:
Bug 1599545 - fixup, clang-format r=me
[8ffef87ef51b]
2019-12-02 Kevin Jacobs <kjacobs@mozilla.com>
* cpputil/tls_parser.h, gtests/ssl_gtest/ssl_keyupdate_unittest.cc,
gtests/ssl_gtest/tls_filter.h, lib/ssl/tls13con.c:
Bug 1599545 - Fix assertion and add test for early Key Update
message r=mt
Remove an overzealous assertion when a Key Update message is
received too early, and add a test for the expected alert condition.
Also adds `TlsEncryptedHandshakeMessageReplacer` for replacing TLS
1.3 encrypted handshake messages. This is a simple implementation
where only the first byte of the message is changed to the new type
(so as to trigger the desired handler).
[a5dbf68d182d]
2019-11-27 J.C. Jones <jjones@mozilla.com>
* lib/ckfw/object.c:
Bug 1597799 - Guard against null ptrs in NSSCKFWObject r=kjacobs
There's a bunch of similar code that could use guards in here, but I
wanted to be minimal for this patch.
[eab4d3c8c76d]
Comment 31 • 5 years ago
Pushed by jjones@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/529ad04d3eb2 land NSS NSS_3_48_BETA1 UPGRADE_NSS_RELEASE, r=kjacobs
Comment 32 • 5 years ago
bugherder
Comment 33 • 5 years ago (Assignee)
Comment on attachment 9113077 [details]
Bug 1592007 - land NSS NSS_3_48_BETA1 UPGRADE_NSS_RELEASE, r=kjacobs
Beta/Release Uplift Approval Request
- User impact if declined: Linux distribution inconsistency; potential broken builds; unfixed crashes; unfixed security bugs
- Is this code covered by automated tests?: Yes
- Has the fix been verified in Nightly?: Yes
- Needs manual test from QE?: No
- If yes, steps to reproduce:
- List of other uplifts needed: Bug 1591887
- Risk to taking this patch: Medium
- Why is the change risky/not risky? (and alternatives if risky): This is the final set of security fixes for NSS 3.48 intended for Firefox 72. The fixes are considered safe enough to land late in Nightly, but because my calendar was off, they missed the merge. (This also has at least two crash fixes). Still, these are real code changes.
After this uplift, there will be (at least) one more, marking NSS_3_48_RTM final. Assuming all goes well, that will be only a version number bump uplift.
- String changes made/needed: None
Comment 34 • 5 years ago
Firefox 72.0b1 can't be built using --with-system-nss since it requires an unreleased version:
DEBUG: configure:8458: checking for NSS - version >= 3.48
DEBUG: configure: error: you don't have NSS installed or your version is too old
so please yes make it final and publish a tarball so that distributions can update their systemwide nss...
See also: bug 1501432, bug 952492, bug 618368 comment 2
Comment 35 • 5 years ago
Comment on attachment 9113077 [details]
Bug 1592007 - land NSS NSS_3_48_BETA1 UPGRADE_NSS_RELEASE, r=kjacobs
nss update, approved for 72.0b3
Comment 36 • 5 years ago
bugherder uplift
Comment 37 • 5 years ago
We'll have a followup for the final bump, resetting status.
Comment 38 • 5 years ago
Comment on attachment 9113077 [details]
Bug 1592007 - land NSS NSS_3_48_BETA1 UPGRADE_NSS_RELEASE, r=kjacobs
And removing the a+ so this doesn't show up on sheriffs' uplift queries
Comment 39 • 5 years ago (Assignee)
(In reply to Landry Breuil (:gaston) from comment #34)
> so please yes make it final and publish a tarball so that distributions can update their systemwide nss...
Yep, will do as soon as seems safe. I wanted at least 48 hours of the most recent changes to bake in Nightly, and preferably in beta (comment 37), but expect to tag and release NSS 3.48 final in 24 hours.
Comment 40 • 5 years ago (Assignee)
2019-12-03 J.C. Jones <jjones@mozilla.com>
* lib/nss/nss.h, lib/softoken/softkver.h, lib/util/nssutil.h:
Set version numbers to 3.48 final
[65d3150a258e] [NSS_3_48_RTM] <NSS_3_48_BRANCH>
2019-12-02 J.C. Jones <jjones@mozilla.com>
* .hgtags:
Added tag NSS_3_48_BETA1 for changeset 77976f3fefca
[06d5b4f91a9c]
Comment 41 • 5 years ago (Assignee)
Comment on attachment 9113824 [details]
Bug 1592007 - land NSS NSS_3_48_RTM UPGRADE_NSS_RELEASE, r=kjacobs
Beta/Release Uplift Approval Request
- User impact if declined: Linux distribution consistency issues due to prerelease version numbers
- Is this code covered by automated tests?: Yes
- Has the fix been verified in Nightly?: No
- Needs manual test from QE?: No
- If yes, steps to reproduce:
- List of other uplifts needed: None
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky): Just a version bump. The NSS_3_48_BETA1 patch was the risky one.
- String changes made/needed: None
Comment 42 • 5 years ago (Assignee)
oh god, I left that checkbox checked, I am so sorry
Comment 43 • 5 years ago
Beta will need 3 changesets: 529ad04d3eb2, 56717f3c4821 and the 'land NSS NSS_3_48_RTM UPGRADE_NSS_RELEASE' which has yet to land. Previous patches got merged to beta on merge day.
Comment 44 • 5 years ago (Assignee)
I think the only changeset Beta needs is https://bugzilla.mozilla.org/attachment.cgi?id=9113824, the final land NSS NSS_3_48_RTM UPGRADE_NSS_RELEASE. These others I need to uncheck, but trying not to do 8 separate updates...reading the API documentation for Bugzilla.
Comment 45 • 5 years ago
Pushed by jjones@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/3a71e98c94b2 land NSS NSS_3_48_RTM UPGRADE_NSS_RELEASE, r=kjacobs
Comment 46 • 5 years ago
bugherder
Comment 47 • 5 years ago
Comment on attachment 9113824 [details]
Bug 1592007 - land NSS NSS_3_48_RTM UPGRADE_NSS_RELEASE, r=kjacobs
final nss version bump for 72, approved for 72.0b4
Comment 48 • 5 years ago
bugherder uplift