Closed Bug 1636656 Opened 4 years ago Closed 4 years ago

Upgrade Firefox 78 to use NSS 3.53


(Core :: Security: PSM, enhancement, P1)

78 Branch



Tracking Status
firefox78 --- fixed


(Reporter: jcj, Assigned: jcj)



(Whiteboard: [psm-assigned][nss])


(9 files)

Tracking NSS 3.53 for Firefox 78. Ultimate tag will be NSS_3_53_RTM.

Pushed by
land NSS e3444f4cc638 UPGRADE_NSS_RELEASE,

2020-05-12 Kevin Jacobs <>

* gtests/freebl_gtest/
Bug 1561331 - Additional modular inverse test r=jcj

[e2061fe522f5] [tip]

2020-05-08 Jan-Marek Glogowski <>

* coreconf/, lib/ckfw/builtins/Makefile,
lib/ckfw/builtins/testlib/Makefile, lib/ckfw/capi/Makefile,
lib/dev/Makefile, lib/freebl/Makefile, lib/pk11wrap/Makefile,
Bug 1629553 Use order-prereq for $(MAKE_OBJDIR) r=rrelyea

Introduces a simple "%/d" rule to create directories using
$(MAKE_OBJDIR) and replace all explicit $(MAKE_OBJDIR) calls with an

To expand the $(@D) prerequisite, this needs .SECONDEXPANSION.


2020-05-05 Jan-Marek Glogowski <>

* coreconf/, coreconf/, coreconf/README,
coreconf/, coreconf/, coreconf/,
coreconf/, coreconf/, coreconf/,
coreconf/mkdepend/Makefile, coreconf/mkdepend/cppsetup.c,
coreconf/mkdepend/def.h, coreconf/mkdepend/ifparser.c,
coreconf/mkdepend/ifparser.h, coreconf/mkdepend/imakemdep.h,
coreconf/mkdepend/include.c, coreconf/mkdepend/main.c,
coreconf/mkdepend/, coreconf/mkdepend/parse.c,
coreconf/mkdepend/pr.c, coreconf/
Bug 1438431 Remove mkdepend tool and targets r=rrelyea


* coreconf/README, coreconf/
Bug 1629553 Drop duplicate header DIR variables r=rrelyea


* coreconf/, coreconf/README, coreconf/,
coreconf/, coreconf/, coreconf/,
coreconf/, coreconf/, coreconf/,
coreconf/, coreconf/, coreconf/,
coreconf/, coreconf/, coreconf/
Bug 1629553 Drop coreconf java support r=rrelyea

There aren't an Java sources in NSS, so just drop all the stuff
referencing java, jars, jni, etc.

I didn't try to remove it from tests.


* cmd/crmf-cgi/Makefile, cmd/crmf-cgi/,
cmd/crmftest/Makefile, cmd/crmftest/, cmd/lib/Makefile,
cmd/lib/, cmd/lib/, cmd/libpkix/,
cmd/libpkix/perf/Makefile, cmd/libpkix/perf/,
cmd/libpkix/pkix/Makefile, cmd/libpkix/pkix/certsel/Makefile,
cmd/libpkix/pkix/store/Makefile, cmd/libpkix/pkix/store/,
cmd/libpkix/pkix/top/Makefile, cmd/libpkix/pkix/top/,
cmd/libpkix/pkix/util/Makefile, cmd/libpkix/pkix/util/,
cmd/libpkix/pkix_pl/Makefile, cmd/libpkix/pkix_pl/module/Makefile,
cmd/libpkix/testutil/, cpputil/Makefile,
cpputil/, cpputil/, lib/base/Makefile,
lib/base/, lib/base/, lib/certdb/Makefile,
lib/certdb/, lib/certdb/, lib/certhigh/Makefile,
lib/certhigh/, lib/certhigh/, lib/ckfw/Makefile,
lib/ckfw/builtins/Makefile, lib/ckfw/builtins/,
lib/ckfw/builtins/, lib/ckfw/builtins/testlib/Makefile,
lib/ckfw/builtins/testlib/, lib/ckfw/capi/Makefile,
lib/ckfw/capi/, lib/ckfw/capi/,
lib/ckfw/, lib/ckfw/dbm/Makefile, lib/ckfw/dbm/,
lib/ckfw/dbm/, lib/ckfw/, lib/crmf/Makefile,
lib/crmf/, lib/crmf/, lib/cryptohi/Makefile,
lib/cryptohi/, lib/cryptohi/,
lib/dbm/src/, lib/dbm/src/, lib/dev/Makefile,
lib/dev/, lib/dev/, lib/jar/Makefile,
lib/jar/, lib/jar/, lib/libpkix/Makefile,
lib/libpkix/, lib/libpkix/include/Makefile,
lib/libpkix/include/, lib/libpkix/pkix/Makefile,
lib/libpkix/pkix/checker/, lib/libpkix/pkix/,
lib/libpkix/pkix/crlsel/Makefile, lib/libpkix/pkix/crlsel/,
lib/libpkix/pkix/params/Makefile, lib/libpkix/pkix/params/,
lib/libpkix/pkix/store/Makefile, lib/libpkix/pkix/store/,
lib/libpkix/pkix/store/, lib/libpkix/pkix/top/Makefile,
lib/libpkix/pkix/top/, lib/libpkix/pkix/top/,
lib/libpkix/pkix/util/Makefile, lib/libpkix/pkix/util/,
lib/libpkix/pkix/util/, lib/libpkix/pkix_pl_nss/Makefile,
lib/libpkix/pkix_pl_nss/system/, lib/pk11wrap/Makefile,
lib/pk11wrap/, lib/pk11wrap/,
lib/pkcs12/Makefile, lib/pkcs12/, lib/pkcs12/,
lib/pkcs7/Makefile, lib/pkcs7/, lib/pkcs7/,
lib/pki/Makefile, lib/pki/, lib/pki/,
lib/sqlite/Makefile, lib/sysinit/Makefile, lib/util/Makefile,
lib/zlib/Makefile, lib/zlib/, lib/zlib/
Bug 1629553 Merge simple files r=rrelyea

There is really no good reason to explicitly change the TARGET
variable. And the empty SHARED_LIBRARY variable should also be in
the to begin with.

All the other empty variables start empty or undefined, so there is
also no need to explicitly set them empty.


* cmd/libpkix/testutil/, coreconf/, coreconf/,
coreconf/, coreconf/, gtests/common/Makefile,
gtests/common/, gtests/google_test/Makefile,
gtests/google_test/, gtests/pkcs11testmodule/Makefile,
gtests/pkcs11testmodule/, lib/ckfw/builtins/,
lib/ckfw/builtins/, lib/ckfw/builtins/testlib/,
lib/ckfw/capi/, lib/ckfw/capi/,
lib/freebl/, lib/nss/, lib/nss/,
lib/smime/, lib/smime/, lib/softoken/,
lib/softoken/legacydb/, lib/softoken/legacydb/,
lib/softoken/, lib/sqlite/,
lib/sqlite/, lib/ssl/, lib/ssl/,
lib/sysinit/, lib/sysinit/, lib/util/,
Bug 1629553 Rework the LIBRARY_NAME ruleset r=rrelyea

* Drop the WIN% "32" default DLL suffix
* Add default resource file handling => drop default RES
SHARED_LIBRARY, so we can drop all the explicit empty IMPORT_LIBRARY

Originally this patch also tried to add a default MAPFILE rule, but
this fails, because the ARCH makefiles set linker flags based on an
existing MAPFILE variable.


* coreconf/
Bug 1629553 Use an eval template for C++ compile rules r=rrelyea

These pattern rules already had a comment to keep both in sync, so
just use an eval template to enforce this.


* lib/freebl/Makefile:
Bug 1629553 Use an eval template for freebl libs r=rrelyea


* coreconf/
Bug 1629553 Use an eval template for export targets r=rrelyea


* lib/pk11wrap/, lib/pk11wrap/pk11load.c,
Bug 1629553 Prefix pk11wrap (SHLIB|LIBRARY)_VERSION with NSS_

In the the LIBRARY_VERSION is normally used to define
the major version of the build shared library. This ust works for
the pk11wrap case, because pk11wrap is a static library. But it's
still very confusing when reading the Also the
referenced define in the code is just named SHLIB_VERSION.

So this prefixes the defines and the variables with NSS_, because it
tries to load the NSS library, just as the SOFTOKEN_.*_VERSION is
used to load the versioned softokn library.


* Makefile, cmd/Makefile, cmd/shlibsign/Makefile,
cmd/smimetools/, coreconf/, gtests/,
lib/freebl/Makefile, lib/,
Bug 290526 Drop double-colon usage and add directory depends

Double-colon rule behaviour isn't really compatible with parallel
build. This gets rid of all of them, so we can codify the directory

This leaves just three problems, which aren't really fixable with
the current build system without completely replacing it:

* everything depends on nsinstall
* everything depends on installed headers
* ckfw child directories depend on the build parent libs

This is handled by the prepare_build target.

Overall this allows most if the build to run in parallel.

P.S. the release_md:: has to stay :-( P.P.S. no clue, why freebl
must use libs: instead of using the TARGETS and .PHONY variables


* coreconf/, gtests/certdb_gtest/,
gtests/common/Makefile, gtests/google_test/Makefile,
gtests/google_test/, gtests/pkcs11testmodule/Makefile:
Bug 290526 Fix gtests build for WIN% targets r=rrelyea

The google_test gtest build doesn't provide any exports for the
shared library on Windows and the gyp build also builds just a
static library. So build gtest and gtestutil libraries as static.

For whatever reason, the Windows linker doesn't find the main
function inside the gtestutil library, if we don't tell it to build
a console executable. But linking works fine, if the object file is
used directly. But since we can have different main() objects based
on build flags, we enforce building console applications binaries.


* cmd/bltest/, cmd/chktest/, cmd/crmf-
cgi/, cmd/crmftest/, cmd/fipstest/,
cmd/lib/Makefile, cmd/libpkix/testutil/Makefile,
cmd/lowhashtest/, cmd/modutil/,
cmd/pk11gcmtest/, cmd/pk11mode/,
cmd/rsapoptst/, cmd/signtool/,
cmd/ssltap/, coreconf/README, coreconf/,
cpputil/, gtests/google_test/,
gtests/pkcs11testmodule/Makefile, lib/base/Makefile,
lib/certdb/Makefile, lib/certhigh/Makefile, lib/ckfw/Makefile,
lib/crmf/Makefile, lib/cryptohi/Makefile, lib/dbm/include/Makefile,
lib/dev/Makefile, lib/dev/, lib/freebl/Makefile,
lib/libpkix/Makefile, lib/libpkix/include/Makefile,
lib/libpkix/include/, lib/libpkix/pkix/Makefile,
lib/libpkix/pkix/store/Makefile, lib/libpkix/pkix/store/,
lib/libpkix/pkix/top/Makefile, lib/libpkix/pkix/top/,
lib/libpkix/pkix/util/Makefile, lib/libpkix/pkix/util/,
lib/libpkix/pkix_pl_nss/system/, lib/nss/Makefile,
lib/pk11wrap/Makefile, lib/pki/Makefile, lib/pki/,
lib/softoken/Makefile, lib/softoken/legacydb/Makefile,
lib/sqlite/Makefile, lib/sqlite/, lib/ssl/Makefile,
lib/util/Makefile, lib/zlib/Makefile:
Bug 290526 Drop recursive private_exports r=rrelyea

Copying private headers is now simply included in the exports
target, as these headers use an extra directory anyway.


* Makefile, cmd/shlibsign/Makefile, coreconf/Makefile,
coreconf/README, coreconf/nsinstall/Makefile, coreconf/,
coreconf/, lib/Makefile, lib/ckfw/Makefile:
Bug 290526 Parallelize part of the NSS build r=rrelyea

This still serializes many targets, but at least these targets
themself run their build in parallel. The main serialization happens
in nss/Makefile and nss/coreconf/'s all target.

We can't add these as real dependencies, as all Makefile snippets
use the same variable names. I tried to always run sub-makes to hack
in the depndencies, but these don't know of each other, so targets
very often run twice, and this breaks the build.

Having a tests:: target and a tests directory leads to misery (and
doesn't work), so it's renamed to check.

This just works with NSS_DISABLE_GTESTS=1 specified and is fixed by
a follow up patch, which removes the double-colon usage and adds the
directory dependencies!


* coreconf/, coreconf/, coreconf/mkdepend/Makefile,
coreconf/nsinstall/Makefile, coreconf/
Bug 290526 Don't delete directories r=rrelyea

If these files exist and aren't directories, there might be other
problems. Trying to "fix" them by removing will break the build.


* coreconf/
Bug 290526 Handle empty install variables r=rrelyea

Originally I added the install commands to the individual build
targets. But this breaks the incremental build, because there is
actually no dependency for the install. But it turns out, that in
the end it's enough to ignore empty defined variables, so just do


* coreconf/
Bug 290526 Handle parallel PROGRAM and PROGRAMS r=rrelyea

I have no real clue, why PROGRAMS is actually working in the
sequence build. There is no special make code really handling it,
except for the install target.

This patches code is inspired by the $(eval ...) example in the GNU
make documentation. It generates a program specific make target and
maps the programs objects based on the defined variables.

Pushed by
land NSS e2061fe522f5 UPGRADE_NSS_RELEASE, r=kjacobs
Regressions: 1639189
Regressions: 1639302

2020-05-19 Robert Relyea <>

* lib/freebl/dsa.c:
Bug 1631576 - Force a fixed length for DSA exponentiation

[daa823a4a29b] [tip]

2020-05-14 Benjamin Beurdouche <>

* lib/freebl/Makefile, lib/freebl/deprecated/seed.c,
lib/freebl/deprecated/seed.h, lib/freebl/freebl.gyp,
lib/freebl/freebl_base.gypi, lib/freebl/seed.c, lib/freebl/seed.h:
Bug 1636389 - Relocate deprecated seed algorithm. r=kjacobs


2020-05-14 Jan-Marek Glogowski <>

* automation/taskcluster/scripts/, lib/Makefile,
Bug 1637083 fix the lib dependencies for the split build

This build can be tested by running NSS_BUILD_MODULAR=1
nss/automation/taskcluster/scripts/ from a directory
containing the nss and nspr repositories.

To make this build's make conditionals easier to handle, it also
merges the into the Makefile, because parts of the
conditionals depends on $(OS_ARCH) setting.

In the end, the goal is just to set the correct build $(DIRS).

This also drops the freebl dependeny of ssl, which seems not to be
needed, even if it's declared in /lib/ssl/ssl.gyp.


2020-05-13 Jan-Marek Glogowski <>

* coreconf/, lib/ckfw/builtins/,
Bug 1637083 Replace pre-dependency with shell hack r=rrelyea

Originally I tried multiple variants using make's conditionals to
limit DIRS and enforce building the parent directory before the sub-
directory. None of them worked for me, most resulting in an infinite
recursion, so I used the current pre-depends workaround to fulfill
the real dependency.

Now I remembered that automake can handle this case for SUBDIRS
specifying "." as a directory. The generated Makefile handles it via
shell scripting; not nice, but it works.

So this gets rid of the workaround, replacing it with a small shell

Pushed by
land NSS daa823a4a29b UPGRADE_NSS_RELEASE, r=kjacobs

Please merge the build fix from bug 1638289 too, thanks.

2020-05-20 Benjamin Beurdouche <>

* lib/freebl/freebl_base.gypi:
Bug 1638289 - Fix multiple definitions of SHA2 on ppc64le. r=kjacobs

[527a1792be4e] [tip]
Pushed by
land NSS 527a1792be4e UPGRADE_NSS_RELEASE, r=kjacobs

2020-05-22 J.C. Jones <>

* lib/freebl/altivec-types.h, lib/freebl/ppc-crypto.h:
Bug 1629414 - Guard USE_PPC_CRYPTO and VSX types with __VSX__ and
__ALTIVEC__ r=kjacobs

This avoids build errors on non-VSX architectures even when not
compiling the POWER accelerated code.

[c7a1c91cd9be] [tip]

2020-05-21 Jeff Walden <>

* lib/freebl/aes-x86.c:
Bug 1639033 - Use unsigned int for a loop counter to eliminate a
signed-unsigned comparison warning in aes-x86.c. r=kjacobs

Depends on D75847


* lib/freebl/ec.c:
Bug 1639033 - Used unsigned int instead of int in a few places in
ec.c to eliminate signed-unsigned comparison warnings. r=kjacobs

Depends on D75846


* lib/freebl/cmac.c:
Bug 1639033 - Use unsigned int rather than int for two variables to
eliminate a bunch of signed-unsigned comparison warnings. r=kjacobs

Depends on D75845


* lib/freebl/mpi/mplogic.c, lib/freebl/mpi/mplogic.h:
Bug 1639033 - Use unsigned int for various count variables in
mplogic.c to eliminate signed-unsigned comparison warnings.

Depends on D75844


* lib/freebl/aeskeywrap.c:
Bug 1639033 - Use size_t for loops up to sizeof(T) in aeskeywrap.c
to eliminate some signed-comparison warnings. r=kjacobs

Depends on D75843


* lib/softoken/pkcs11i.h, lib/softoken/sftkike.c:
Bug 1639033 - Change +sftk_xcbc_mac_pad's block-size argument to be
unsigned int to avoid sign-comparison warnings. r=kjacobs

Depends on D75842


2020-05-22 Jeff Walden <>

* lib/jar/jar.c:
Bug 1639033 - Use the jarType enum type, not int, for certain
variables and arguments in jar.c -- for greater precision, and to
avoid sign-comparison warnings. r=kjacobs

Depends on D75841


2020-05-19 Jeff Walden <>

* lib/softoken/pkcs11.c, lib/softoken/pkcs11i.h:
Bug 1639033 - Make all |moduleIndex| variables in pkcs11.c be
unsigned, to eliminate a -Wsign-compare warning. r=kjacobs

Depends on D75840


* cmd/lib/basicutil.c:
Bug 1639033 - Fix signed-unsigned comparison warning in basicutil.c.


2020-05-22 Martin Thomson <>

* lib/ssl/sslencode.c:
Bug 1640041 - Don't memcpy nothing, r=jcj

Depends on D76421


* lib/ssl/sslsock.c:
Bug 1640042 - Don't memcpy nothing, r=jcj


* gtests/ssl_gtest/,
gtests/ssl_gtest/, lib/ssl/ssl.h, lib/ssl/ssl3gthr.c,
lib/ssl/sslimpl.h, lib/ssl/sslsock.c, lib/ssl/tls13con.c:
Bug 1639413 - Option to disable TLS 1.3 EndOfEarlyData message,

This adds the ability to disable EndOfEarlyData.

On the client this is relatively simple, you just turn the message

The server is complicated because the server uses this to drive the
installation of the right keys. Without it, things get very messy.
Thus, I have decided that this is best left to the
SSL_RecordLayerData interface. That needs an ugly hack in order to
let the new data to pass, but the damage is otherwise relatively
minor, apart from one obvious thing.

We never really built the SSL_RecordLayerData API to take
application data. It only did that to support testing of the
functions. Now that we have to deal with this new wrinkle, adding
support for 0-RTT is necessary. This change does that. That requires
a barrage of new checks to see if application data is acceptable.
And then early data is captured in a completely different way, which
adds another layer of awfulness.

Note that this exposes us to the possibility that Certificate or
Finished are received in early data when using SSL_RecordLayerData
and this option. I don't think that fixing that is worthwhile as it
requires tracking the epoch of handshake messages separate to
ss->ssl3.crSpec and the epoch only really exists on that API so that
applications don't accidentally do bad things. In QUIC, we
specifically block handshake messages in early data, so we have
ample protection.

Pushed by
land NSS c7a1c91cd9be UPGRADE_NSS_RELEASE, r=jcj
Pushed by

2020-05-28 Kevin Jacobs <>

* lib/softoken/pkcs11c.c:
Bug 1640260 - Initialize PBE params r=jcj

[8fe22033a88e] [NSS_3_53_BETA2]

2020-05-27 Benjamin Beurdouche <>

* lib/ckfw/builtins/certdata.txt:
Bug 1618404 - Set CKA_NSS_SERVER_DISTRUST_AFTER for Symantec root
certs. r=jcj


* lib/ckfw/builtins/certdata.txt:
Bug 1621159 - Set CKA_NSS_SERVER_DISTRUST_AFTER for Consorci AOC,
GRCA, and SK ID root certs. r=jcj


2020-05-26 Kevin Jacobs <>

* .hgtags:
Added tag NSS_3_53_BETA1 for changeset c7a1c91cd9be
Pushed by
Keywords: leave-open

2020-05-29 J.C. Jones <>

* lib/nss/nss.h, lib/softoken/softkver.h, lib/util/nssutil.h:
Set version numbers to 3.53 final
[7e453a5afcb4] [NSS_3_53_RTM] <NSS_3_53_BRANCH>

2020-05-28 Kevin Jacobs <>

* .hgtags:
Added tag NSS_3_53_BETA2 for changeset 8fe22033a88e
Pushed by
land NSS NSS_3_53_RTM UPGRADE_NSS_RELEASE, r=kjacobs
Closed: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla78
You need to log in before you can comment on or make changes to this bug.