Closed Bug 1614053 Opened 6 years ago Closed 5 years ago

Upgrade Firefox 75 to use NSS 3.51

Categories

(Core :: Security: PSM, task, P1)

Product:
Core
Component:
Security: PSM
Type:
task

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla75
Tracking Flags:
Tracking Status
firefox75 --- fixed

People

(Reporter: jcj, Assigned: jcj)

References

(Blocks 1 open bug)

Details

(Whiteboard: [psm-assigned][nss])

Attachments

(5 files, 2 obsolete files)

Bug 1614053 - land NSS 735ed2e47040 UPGRADE_NSS_RELEASE, r=kjacobs
47 bytes, text/x-phabricator-request
Details | Review
Bug 1614053 - land NSS 9e0d34a6cf91 UPGRADE_NSS_RELEASE, r=jcj
47 bytes, text/x-phabricator-request
Details | Review
Bug 1614053 - land NSS 52a75c5373ef UPGRADE_NSS_RELEASE, r=jcj
47 bytes, text/x-phabricator-request
Details | Review
Bug 1614053 - land NSS NSS_3_51_BETA2 UPGRADE_NSS_RELEASE, r=jcj
47 bytes, text/x-phabricator-request
Details | Review
Bug 1614053 - land NSS NSS_3_51_RTM UPGRADE_NSS_RELEASE, r=jcj
47 bytes, text/x-phabricator-request
Details | Review

Tracking NSS 3.51 for Firefox 75. Ultimate tag will be NSS_3_51_RTM.

2020-02-10 Robert Relyea <rrelyea@redhat.com>

* lib/freebl/cmac.c:
Bug 1610687 - Crash on unaligned CMACContext.aes.keySchedule when
using AES-NI intrinsics r=kjacobs
[046a6f5bfb27]

* lib/util/pkcs11t.h:
Bug 1611209 - Value of CKM_AES_CMAC and CKM_AES_CMAC_GENERAL are
swapped r=rrelyea
[df142975f4f6]

2020-02-11 Victor Tapia <victor.tapia@canonical.com>

* lib/pk11wrap/pk11util.c, lib/sysinit/nsssysinit.c:
Bug 1582169 - Disable reading /proc/sys/crypto/fips_enabled if FIPS
is not enabled on build r=jcj,rrelyea

[55ba54adfcae] [tip]
Attachment #9125855 - Attachment description: Bug 1614053 - land NSS 55ba54adfcae UPGRADE_NSS_RELEASE, r=kjacobs → Bug 1614053 - land NSS 735ed2e47040 UPGRADE_NSS_RELEASE, r=kjacobs
Pushed by jjones@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/0b8589ddbacf land NSS 735ed2e47040 UPGRADE_NSS_RELEASE, r=kjacobs

Is there any chance this would be applied to the beta branch (firefox 74) too?

(In reply to Olivier Tilloy from comment #4)

Is there any chance this would be applied to the beta branch (firefox 74) too?

That would be a separate point release of NSS 3.50. If there's a fix in this list that you think needs to go into Firefox 74, please comment on the individual fixed bug - thanks!

Ack, I commented on bug 1582169. Thanks.

2020-02-18 Kevin Jacobs <kjacobs@mozilla.com>

* gtests/ssl_gtest/ssl_extension_unittest.cc,
gtests/ssl_gtest/ssl_version_unittest.cc, lib/ssl/dtlscon.c,
lib/ssl/tls13con.c, lib/ssl/tls13con.h, lib/ssl/tls13exthandle.c:
Bug 1615208 - Send DTLS version numbers in DTLS 1.3
supported_versions extension r=mt

This patch modifies `supported_versions` encodings to reflect DTLS
versions when DTLS1.3 is use. Previously, a DTLS1.3 CH would include
`[0x7f1e, 0x303, 0x302]` instead of the expected `[0x7f1e, 0xfefd,
0xfeff]`, causing compatibility issues.

[9e0d34a6cf91] [tip]

2020-02-12 Mikael Urankar <mikael.urankar@gmail.com>

* lib/freebl/Makefile, lib/freebl/freebl.gyp:
Bug 1612177 - Set -march=armv7 when compiling gcm-arm32-neon, in
order to enable NEON code generation.
[4413841bd26d]

2020-02-14 Dmitry Baryshkov <dbaryshkov@gmail.com>

* gtests/freebl_gtest/blake2b_unittest.cc, lib/freebl/blake2b.c:
Bug 1431940 - remove dereference before NULL check in BLAKE2B code.
r=kjacobs

[5e661906698f]

2020-02-12 Kevin Jacobs <kjacobs@mozilla.com>

* gtests/ssl_gtest/ssl_resumption_unittest.cc, lib/ssl/sslnonce.c:
Bug 1614870 - Free sid->peerID before reallocating in
ssl_DecodeResumptionToken. r=mt

This patch adds a missing `PORT_Free()` when reallocating
`sid->PeerID`, and adds a test for a non-empty PeerID.

[1eb4e00b016e]

2020-02-27 Kevin Jacobs <kjacobs@mozilla.com>

* gtests/ssl_gtest/ssl_extension_unittest.cc,
gtests/ssl_gtest/ssl_gtest.gyp,
gtests/ssl_gtest/ssl_masking_unittest.cc,
gtests/ssl_gtest/tls_filter.cc, gtests/ssl_gtest/tls_filter.h,
gtests/ssl_gtest/tls_hkdf_unittest.cc,
gtests/ssl_gtest/tls_protect.cc, lib/ssl/dtls13con.c,
lib/ssl/ssl3con.c, lib/ssl/ssl3prot.h, lib/ssl/sslexp.h,
lib/ssl/sslimpl.h, lib/ssl/sslinfo.c, lib/ssl/sslprimitive.c,
lib/ssl/sslsock.c, lib/ssl/tls13con.c, lib/ssl/tls13esni.c,
lib/ssl/tls13hkdf.c, lib/ssl/tls13hkdf.h, lib/ssl/tls13replay.c:
Bug 1608892 - Update DTLS 1.3 to draft-34 r=mt

This patch updates the DTLS 1.3 implementation to draft-34. Notable
changes:

1) Key separation via `ssl_protocol_variant`. 2) No longer apply
sequence number masking when in `UNSAFE_FUZZER_MODE`. This allowed
removal of workarounds for unpadded (<16B) ciphertexts being used as
input to `SSL_CreateMask`. 3) Compile ssl_gtests in
`UNSAFE_FUZZER_MODE` iff `--fuzz=tls` was specified. Currently all
gtests are compiled this way if `--fuzz`, but lib/ssl only if
`--fuzz=tls`. (See above, we can't have ssl_gtests in fuzzer mode,
but not lib/ssl, since the masking mismatch will break filters). 4)
Parameterize masking tests, as appropriate. 5) Reject non-empty
legacy_cookie, and test. 6) Reject ciphertexts <16B in length in
`dtls13_MaskSequenceNumber` (if not `UNSAFE_FUZZER_MODE`).

[52a75c5373ef] [tip]

2020-02-24 Jean-Luc Bonnafoux <jeanluc.bonnafoux@wanadoo.fr>

* lib/cryptohi/secsign.c:
Bug 1617387 fix compiler warning r=jcj

[ab0e7e272e36]

2020-02-24 Kevin Jacobs <kjacobs@mozilla.com>

* gtests/common/testvectors/p384ecdh-vectors.h,
gtests/common/testvectors/p521ecdh-vectors.h,
gtests/common/wycheproof/genTestVectors.py,
gtests/common/wycheproof/source_vectors/ecdh_secp384r1_test.json,
gtests/common/wycheproof/source_vectors/ecdh_secp521r1_test.json,
gtests/pk11_gtest/pk11_ecdh_unittest.cc:
Bug 1612259 - Add Wycheproof vectors for P384 and P521 ECDH.
r=bbeurdouche

[badb4da1ec85]

2020-02-19 Kevin Jacobs <kjacobs@mozilla.com>

* gtests/freebl_gtest/mpi_unittest.cc, lib/freebl/mpi/mplogic.h:
Bug 1609751 - Additional tests for mp_comba r=mt

Verify that when clamping, the upper 4 bytes of an `mp_digit` is
checked.

[a5e8c14016cd]

2020-02-19 Jean-Luc Bonnafoux <jeanluc.bonnafoux@wanadoo.fr>

* lib/freebl/ecl/ecp_25519.c:
Bug 1561337: fix compiler warning r=jcj

[4c771e6a79db]
Pushed by shindli@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/becbd0592d8b land NSS 52a75c5373ef UPGRADE_NSS_RELEASE, r=jcj

2020-03-02 Kevin Jacobs <kjacobs@mozilla.com>

* lib/freebl/blinit.c:
Bug 1614183 - Fixup, clang-format. r=me
[b17a367b83de] [NSS_3_51_BETA1]

2020-03-02 Giulio Benetti <giulio.benetti@benettiengineering.com>

* lib/freebl/blinit.c:
Bug 1614183 - Check if PPC __has_include(<sys/auxv.h>). r=kjacobs
Some build environment doesn't provide <sys/auxv.h> and this causes
build failure, so let's check if that header exists by using
__has_include() helper.

Signed-off-by: Giulio Benetti
<giulio.benetti@benettiengineering.com>
[bb7c46049f26]

2020-03-02 Kurt Miller <kurt@intricatesoftware.com>

* lib/freebl/blinit.c:
Bug 1618400 - Fix unused variable 'getauxval' on OpenBSD/arm64 r=jcj

https://bugzilla.mozilla.org/show_bug.cgi?id=1618400
[2c989888dee7]

2020-02-28 Benjamin Beurdouche <bbeurdouche@mozilla.com>

* automation/taskcluster/graph/src/extend.js, coreconf/arch.mk,
coreconf/config.mk, lib/freebl/Makefile, lib/freebl/blapii.h,
lib/freebl/blinit.c, lib/freebl/chacha20poly1305.c,
lib/freebl/freebl.gyp,
lib/freebl/verified/Hacl_Chacha20Poly1305_256.c,
lib/freebl/verified/Hacl_Chacha20Poly1305_256.h,
lib/freebl/verified/Hacl_Chacha20_Vec256.c,
lib/freebl/verified/Hacl_Chacha20_Vec256.h,
lib/freebl/verified/Hacl_Poly1305_256.c,
lib/freebl/verified/Hacl_Poly1305_256.h, nss-tool/hw-support.c:
Bug 1612493 - Support for HACL* AVX2 code for Chacha20, Poly1305 and
Chacha20Poly1305. r=kjacobs

*** Bug 1612493 - Import AVX2 code from HACL*
*** Bug 1612493 - Add CPU detection for AVX2, BMI1, BMI2, FMA, MOVBE
*** Bug 1612493 - New flag NSS_DISABLE_AVX2 for freebl/Makefile and
freebl.gyp
*** Bug 1612493 - Disable use of AVX2 on GCC 4.4 which doesn’t
support -mavx2
*** Bug 1612493 - Disable tests when the platform doesn't have
support for AVX2

[d5deac55f543]

* automation/taskcluster/scripts/run_hacl.sh,
lib/freebl/verified/Hacl_Chacha20.c,
lib/freebl/verified/Hacl_Chacha20Poly1305_128.c,
lib/freebl/verified/Hacl_Chacha20Poly1305_32.c,
lib/freebl/verified/Hacl_Chacha20_Vec128.c,
lib/freebl/verified/Hacl_Curve25519_51.c,
lib/freebl/verified/Hacl_Kremlib.h,
lib/freebl/verified/Hacl_Poly1305_128.c,
lib/freebl/verified/Hacl_Poly1305_32.c,
lib/freebl/verified/kremlin/include/kremlin/internal/types.h,
lib/freebl/verified/kremlin/kremlib/dist/minimal/FStar_UInt128.h, li
b/freebl/verified/kremlin/kremlib/dist/minimal/FStar_UInt128_Verifie
d.h, lib/freebl/verified/kremlin/kremlib/dist/minimal/FStar_UInt_8_1
6_32_64.h, lib/freebl/verified/kremlin/kremlib/dist/minimal/LowStar_
Endianness.h, lib/freebl/verified/kremlin/kremlib/dist/minimal/fstar
_uint128_gcc64.h, lib/freebl/verified/libintvector.h:
Bug 1617533 - Update of HACL* after libintvector.h and coding style
changes. r=kjacobs

*** Bug 1617533 - Clang format

*** Bug 1617533 - Update HACL* commit for job in Taskcluster

*** Bug 1617533 - Update HACL* Kremlin code

[b6677ae9067e]
Attachment #9130270 - Attachment is obsolete: true

2020-03-03 Kevin Jacobs <kjacobs@mozilla.com>

* automation/taskcluster/scripts/run_hacl.sh,
lib/freebl/verified/Hacl_Chacha20.c,
lib/freebl/verified/Hacl_Chacha20Poly1305_128.c,
lib/freebl/verified/Hacl_Chacha20Poly1305_32.c,
lib/freebl/verified/Hacl_Chacha20_Vec128.c,
lib/freebl/verified/Hacl_Curve25519_51.c,
lib/freebl/verified/Hacl_Kremlib.h,
lib/freebl/verified/Hacl_Poly1305_128.c,
lib/freebl/verified/Hacl_Poly1305_32.c,
lib/freebl/verified/kremlin/include/kremlin/internal/types.h,
lib/freebl/verified/kremlin/kremlib/dist/minimal/FStar_UInt128.h, li
b/freebl/verified/kremlin/kremlib/dist/minimal/FStar_UInt128_Verifie
d.h, lib/freebl/verified/kremlin/kremlib/dist/minimal/FStar_UInt_8_1
6_32_64.h, lib/freebl/verified/kremlin/kremlib/dist/minimal/LowStar_
Endianness.h, lib/freebl/verified/kremlin/kremlib/dist/minimal/fstar
_uint128_gcc64.h, lib/freebl/verified/libintvector.h:
Backed out changeset b6677ae9067e (Bug 1612493) for Windows build
failures.
[6e610ed9b196] [NSS_3_51_BETA2] <NSS_3_51_BRANCH>

* automation/taskcluster/graph/src/extend.js, coreconf/arch.mk,
coreconf/config.mk, lib/freebl/Makefile, lib/freebl/blapii.h,
lib/freebl/blinit.c, lib/freebl/chacha20poly1305.c,
lib/freebl/freebl.gyp,
lib/freebl/verified/Hacl_Chacha20Poly1305_256.c,
lib/freebl/verified/Hacl_Chacha20Poly1305_256.h,
lib/freebl/verified/Hacl_Chacha20_Vec256.c,
lib/freebl/verified/Hacl_Chacha20_Vec256.h,
lib/freebl/verified/Hacl_Poly1305_256.c,
lib/freebl/verified/Hacl_Poly1305_256.h, nss-tool/hw-support.c:
Backed out changeset d5deac55f543
[4215a0b45a22] <NSS_3_51_BRANCH>

2020-03-02 Kevin Jacobs <kjacobs@mozilla.com>

* .hgtags:
Added tag NSS_3_51_BETA1 for changeset b17a367b83de
[9564790a9cf6] <NSS_3_51_BRANCH>

* lib/freebl/blinit.c:
Bug 1614183 - Fixup, clang-format. r=me
[b17a367b83de] [NSS_3_51_BETA1]

2020-03-02 Giulio Benetti <giulio.benetti@benettiengineering.com>

* lib/freebl/blinit.c:
Bug 1614183 - Check if PPC __has_include(<sys/auxv.h>). r=kjacobs
Some build environment doesn't provide <sys/auxv.h> and this causes
build failure, so let's check if that header exists by using
__has_include() helper.

Signed-off-by: Giulio Benetti
<giulio.benetti@benettiengineering.com>
[bb7c46049f26]

2020-03-02 Kurt Miller <kurt@intricatesoftware.com>

* lib/freebl/blinit.c:
Bug 1618400 - Fix unused variable 'getauxval' on OpenBSD/arm64 r=jcj

https://bugzilla.mozilla.org/show_bug.cgi?id=1618400
[2c989888dee7]

2020-02-28 Benjamin Beurdouche <bbeurdouche@mozilla.com>

* automation/taskcluster/graph/src/extend.js, coreconf/arch.mk,
coreconf/config.mk, lib/freebl/Makefile, lib/freebl/blapii.h,
lib/freebl/blinit.c, lib/freebl/chacha20poly1305.c,
lib/freebl/freebl.gyp,
lib/freebl/verified/Hacl_Chacha20Poly1305_256.c,
lib/freebl/verified/Hacl_Chacha20Poly1305_256.h,
lib/freebl/verified/Hacl_Chacha20_Vec256.c,
lib/freebl/verified/Hacl_Chacha20_Vec256.h,
lib/freebl/verified/Hacl_Poly1305_256.c,
lib/freebl/verified/Hacl_Poly1305_256.h, nss-tool/hw-support.c:
Bug 1612493 - Support for HACL* AVX2 code for Chacha20, Poly1305 and
Chacha20Poly1305. r=kjacobs

*** Bug 1612493 - Import AVX2 code from HACL*
*** Bug 1612493 - Add CPU detection for AVX2, BMI1, BMI2, FMA, MOVBE
*** Bug 1612493 - New flag NSS_DISABLE_AVX2 for freebl/Makefile and
freebl.gyp
*** Bug 1612493 - Disable use of AVX2 on GCC 4.4 which doesn’t
support -mavx2
*** Bug 1612493 - Disable tests when the platform doesn't have
support for AVX2

[d5deac55f543]

* automation/taskcluster/scripts/run_hacl.sh,
lib/freebl/verified/Hacl_Chacha20.c,
lib/freebl/verified/Hacl_Chacha20Poly1305_128.c,
lib/freebl/verified/Hacl_Chacha20Poly1305_32.c,
lib/freebl/verified/Hacl_Chacha20_Vec128.c,
lib/freebl/verified/Hacl_Curve25519_51.c,
lib/freebl/verified/Hacl_Kremlib.h,
lib/freebl/verified/Hacl_Poly1305_128.c,
lib/freebl/verified/Hacl_Poly1305_32.c,
lib/freebl/verified/kremlin/include/kremlin/internal/types.h,
lib/freebl/verified/kremlin/kremlib/dist/minimal/FStar_UInt128.h, li
b/freebl/verified/kremlin/kremlib/dist/minimal/FStar_UInt128_Verifie
d.h, lib/freebl/verified/kremlin/kremlib/dist/minimal/FStar_UInt_8_1
6_32_64.h, lib/freebl/verified/kremlin/kremlib/dist/minimal/LowStar_
Endianness.h, lib/freebl/verified/kremlin/kremlib/dist/minimal/fstar
_uint128_gcc64.h, lib/freebl/verified/libintvector.h:
Bug 1617533 - Update of HACL* after libintvector.h and coding style
changes. r=kjacobs

*** Bug 1617533 - Clang format

*** Bug 1617533 - Update HACL* commit for job in Taskcluster

*** Bug 1617533 - Update HACL* Kremlin code

[b6677ae9067e]
Pushed by shindli@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/cd927df22e1f land NSS NSS_3_51_BETA2 UPGRADE_NSS_RELEASE, r=jcj

2020-03-06 Kevin Jacobs <kjacobs@mozilla.com>

* lib/nss/nss.h, lib/softoken/softkver.h, lib/util/nssutil.h:
Set version numbers to 3.51 final
[d3e6d637eaec] [NSS_3_51_RTM] <NSS_3_51_BRANCH>

2020-03-03 Kevin Jacobs <kjacobs@mozilla.com>

* .hgtags:
Added tag NSS_3_51_BETA2 for changeset 6e610ed9b196
[bea0b3a5d451] <NSS_3_51_BRANCH>
Pushed by jjones@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/9419d7f73473 land NSS NSS_3_51_RTM UPGRADE_NSS_RELEASE, r=jcj
Keywords: leave-open

https://hg.mozilla.org/mozilla-central/rev/9419d7f73473

Status: ASSIGNED → RESOLVED
Closed: 5 years ago
status-firefox75: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla75

2020-05-01 J.C. Jones <jjones@mozilla.com>

* lib/nss/nss.h, lib/softoken/softkver.h, lib/util/nssutil.h:
Set version numbers to 3.52 final
[befc258c4336] [NSS_3_52_RTM] <NSS_3_52_BRANCH>

2020-04-30 Kevin Jacobs <kjacobs@mozilla.com>

* .hgtags:
Added tag NSS_3_52_BETA2 for changeset bb4462a16de8
[c5d002af1d61]
Pushed by jjones@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/ebe0bd6a038c land NSS NSS_3_52_RTM UPGRADE_NSS_RELEASE, r=kjacobs

This is totally incorrect, that bug should have been for Bug 1629594 ... copying there.

Backout by aciure@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/a016dadafb0e Backed out changeset ebe0bd6a038c for landing with the wrong bug# UPGRADE_NSS_RELEASE CLOSED TREE

Comment on attachment 9145135 [details]
Bug 1614053 - land NSS NSS_3_52_RTM UPGRADE_NSS_RELEASE, r=kjacobs

Revision D73512 was moved to bug 1629594. Setting attachment 9145135 [details] to obsolete.

Attachment #9145135 - Attachment is obsolete: true
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: