1660509 - Upgrade Firefox 82 to use NSS 3.57

Status: RESOLVED FIXED

(Core :: Security: PSM, enhancement, P1)

Description

[Kevin Jacobs [:kjacobs]]

Tracking NSS 3.57 for Firefox 82. Ultimate tag will be NSS_3_57_RTM.

Comment 1

[Kevin Jacobs [:kjacobs]]

Attachment: Bug 1660509 - land NSS c100e11991f6 UPGRADE_NSS_RELEASE, r=jcj

2020-08-21 Kevin Jacobs <kjacobs@mozilla.com>

* automation/abi-check/previous-nss-release, lib/nss/nss.h,
lib/softoken/softkver.h, lib/util/nssutil.h:
Set version numbers to 3.57 Beta
[783f49ae6126]

2020-08-24 Kevin Jacobs <kjacobs@mozilla.com>

* gtests/ssl_gtest/ssl_auth_unittest.cc, lib/ssl/dtls13con.c,
lib/ssl/dtlscon.c, lib/ssl/ssl3con.c, lib/ssl/sslimpl.h,
lib/ssl/sslnonce.c:
Bug 1653641 - Cleanup inaccurate DTLS comments, code review fixes.
r=mt

[0e1b5c711cb9]

2020-08-24 Robert Relyea <rrelyea@redhat.com>

* lib/freebl/fipsfreebl.c, lib/softoken/fipstest.c,
lib/softoken/kbkdf.c, lib/softoken/lowpbe.c, lib/softoken/lowpbe.h,
lib/softoken/pkcs11c.c, lib/softoken/pkcs11i.h,
lib/softoken/sftkhmac.c, lib/softoken/sftkike.c:
Bug 1660304 New FIPS IG requires self-tests for approved kdfs.
r=ueno comments=kjacobs

FIPS guidance now requires self-tests for our kdfs. It also requires
self-tests for cmac which we didn't have in the cmac patch.

Currently only one test per kdf is necessary. Specifially for
SP-800-108, only one of the three flavors are needed (counter,
feedback, or pipeline). This patch includes more complete testing
but it has been turned off the currently extraneous tests under the
assumption that NIST guidance may require them in the future. HKDF
is currently not included in FIPS, but is on track to be included,
so hkdf have been included in this patch.

Because the test vectors are const strings, the patch pushes some
const definitions that were missing in existing private interfaces.

There are three flavors of self-tests: Function implemented in
freebl are added to the freebl/fipsfreebl.c Functions implemented in
pkcs11c.c have selftests completely implemented in
softoken/fipstest.c Functions implemented in their own .c file have
their selftest function implemented in that .c file and called by
fipstests.c These are consistant with the previous choices for
selftests.

Some private interfaces that took in keys from pkcs #11 structures
or outputted keys to pkcs #11 structures were modified to optionally
take keys in by bytes and output keys as bytes so the self-tests can
work in just bytes.

[5dca54fe61c2]

2020-08-25 Daiki Ueno <dueno@redhat.com>

* lib/softoken/manifest.mn:
Bug 1659252, disable building libnssdbm3.so if NSS_DISABLE_DBM=1,
r=rrelyea

Reviewers: rrelyea

Reviewed By: rrelyea

Bug #: 1659252

[4d55d36ca6ef]

2020-08-24 Kevin Jacobs <kjacobs@mozilla.com>

* lib/pk11wrap/pk11cxt.c, lib/softoken/pkcs11c.c, lib/softoken/sdb.c,
lib/softoken/sftkpwd.c:
Bug 1651834 - Fix various static analyzer warnings. r=rrelyea

[ab04fd73fd6d]

2020-08-28 Mike Hommey <mh@glandium.org>

* lib/freebl/blapii.h:
Bug 1661810 - Define pre_align/post_align based on the compiler.
r=jcj

Things worked fine before we upgraded to clang 11 presumably because
the stack was always 16-bytes aligned in the first place, or
something akin to that, and the lack of pre_align/post_align doing
anything didn't matter. The runtime misalignment of the stack may
well be a clang > 9 bug, but keeping pre_align/post_align tied to
the x86/x64 is a footgun anyways.

[c100e11991f6] [tip]

Comment 2

[Pulsebot]

Pushed by jjones@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/f39bc2f76fe1
land NSS c100e11991f6 UPGRADE_NSS_RELEASE, r=jcj

Comment 3

[Narcis Beleuzu [:NarcisB]]

https://hg.mozilla.org/mozilla-central/rev/f39bc2f76fe1

Comment 4

[Kevin Jacobs [:kjacobs]]

Attachment: Bug 1660509 - land NSS 2a17c8655a74 UPGRADE_NSS_RELEASE, r=jcj

2020-09-14 Benjamin Beurdouche <bbeurdouche@mozilla.com>

* coreconf/arch.mk:
Bug 1660735 - Fix typo in coreconfig/arch.mk. r=kjacobs

[2a17c8655a74] [tip]

* coreconf/config.mk:
Bug 1660734 - Fix typo in coreconf/config.mk. r=kjacobs

[4ae56ec2411b]

2020-09-11 Kevin Jacobs <kjacobs@mozilla.com>

* lib/ckfw/builtins/nssckbi.h:
Bug 1663049 - September 2020 batch of root changes,
NSS_BUILTINS_LIBRARY_VERSION 2.44. r=jcj

[141ef83ac10b]

* lib/ckfw/builtins/certdata.txt:
Bug 1663049 - Add SecureTrust's Trustwave Global root certificates
to NSS. r=KathleenWilson,jcj

[7dfc054a983e]

* lib/ckfw/builtins/certdata.txt:
Bug 1656077 - Remove Taiwan Government Root Certification Authority
root cert. r=KathleenWilson,jcj

Depends on D89841

[32a0d8f751ef]

* lib/ckfw/builtins/certdata.txt:
Bug 1653092 - Disable server trust bit for OISTE WISeKey Global Root
GA CA root cert. r=KathleenWilson,jcj

Depends on D89840

[1cdfb26b3220]

* lib/ckfw/builtins/certdata.txt:
Bug 1651211 - Remove EE Certification Centre Root CA root cert.
r=KathleenWilson,jcj

[089aeca370df]

2020-09-11 Danh <congdanhqx@gmail.com>

* coreconf/arch.mk, coreconf/config.mk, lib/freebl/Makefile:
Bug 1659727 - Move makefile avx2 detection to config.mk. r=kjacobs

Summary: Current code base use CPU_ARCH to detect if avx2 is
supported in arch.mk However, when arch.mk included, CPU_ARCH
haven't been initialised, CPU_ARCH will be initialised by the OS
specific code later on.

Move the AVX2 detection to config.mk, after all other initialisation
done.

Reviewers: kjacobs

Reviewed By: kjacobs

Subscribers: kjacobs

Bug #: 1659727

[c6dcb99e6121]

2020-09-08 Kevin Jacobs <kjacobs@mozilla.com>

* gtests/freebl_gtest/mpi_unittest.cc, lib/freebl/mpi/mpi.c:
Bug 1605922 - Account for negative sign in mp_radix_size
r=bbeurdouche

[b64436ecbd79]

2020-09-09 Daiki Ueno <dueno@redhat.com>

* lib/freebl/Makefile:
Bug 1659256, add gcc version check on AArch64 optimization,
r=rrelyea

Summary: As described in https://access.redhat.com/solutions/19458,
gcc version in RHEL-7 is still 4.8.x and cannot compile the newly
added aes-armv8.c. There is a version check already for 32-bit arm,
but not for AArch64. This also removes NS_USE_GCC check added in bug
1652032 in favor of the automatic detection using CC_IS_* macros.

Reviewers: rrelyea

Reviewed By: rrelyea

Subscribers: jmux, kjacobs

Bug #: 1659256

[b971c77c0d68]

2020-09-08 Michael Shigorin <mike@altlinux.org>

* coreconf/config.gypi:
Bug 1663346 - Build e2k architecture as 64-bit r=jcj
[e524a577761d]

2020-09-05 Daiki Ueno <dueno@redhat.com>

* lib/freebl/fipsfreebl.c:
Bug 1662738, run RNG self-tests only if NSPR is linked, r=rrelyea

Summary: After the continuous DRBG test was added, RNG self-tests
have no longer worked standalone. This moves the self-tests to the
DO_REST block so it only runs when the program is also linked to
NSPR.

Reviewers: rrelyea

Reviewed By: rrelyea

Bug #: 1662738

[e03296e73ba6]

2020-09-02 Khem Raj <raj.khem@gmail.com>

* lib/libpkix/pkix/util/pkix_logger.c:
Bug 1661378 - pkix: Do not use NULL where 0 is needed Clang finds
this error

pkix_logger.c:316:32: error: cast to smaller integer type
'PKIX_ERRORCLASS' from 'void *' [-Werror,-Wvoid-pointer-to-enum-
cast] logger->logComponent = (PKIX_ERRORCLASS)NULL;
^~~~~~~~~~~~~~~~~~~~~ pkix_logger.c:617:32: error: cast to smaller
integer type 'PKIX_ERRORCLASS' from 'void *' [-Werror,-Wvoid-
pointer-to-enum-cast] logger->logComponent = (PKIX_ERRORCLASS)NULL;
^~~~~~~~~~~~~~~~~~~~~ 2 errors generated.

Signed-off-by: Khem Raj <raj.khem@gmail.com>
[9213848965f6]

Comment 5

[Pulsebot]

Pushed by jjones@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/cd3c94fcde3f
land NSS 2a17c8655a74 UPGRADE_NSS_RELEASE, r=jcj

Comment 6

[Razvan Maries]

https://hg.mozilla.org/mozilla-central/rev/cd3c94fcde3f

Comment 7

[Kevin Jacobs [:kjacobs]]

Attachment: Bug 1660509 - land NSS NSS_3_57_BETA1 UPGRADE_NSS_RELEASE, r=jcj

2020-09-15 Kevin Jacobs <kjacobs@mozilla.com>

* automation/release/nspr-version.txt:
Bug 1660372 - NSS 3.57 should depend on NSPR 4.29. r=kaie

[56224882ccc3] [NSS_3_57_BETA1]

Comment 8

[(Away)]

Since this is a leave-open representing multiple landings, I'm going to remove the blocker for 1660340 since the desired piece has already landed and stuck.

Comment 9

[Pulsebot]

Pushed by jjones@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/e9b8cd72d354
land NSS NSS_3_57_BETA1 UPGRADE_NSS_RELEASE, r=jcj

Comment 10

[Bogdan Tara[:bogdan_tara | bogdant]]

https://hg.mozilla.org/mozilla-central/rev/e9b8cd72d354

Comment 11

[Kevin Jacobs [:kjacobs]]

Attachment: Bug 1660509 - land NSS NSS_3_57_RTM UPGRADE_NSS_RELEASE, r=jcj

2020-09-18 Kevin Jacobs <kjacobs@mozilla.com>

* lib/nss/nss.h, lib/softoken/softkver.h, lib/util/nssutil.h:
Set version numbers to 3.57 final
[cf7e3e8abd77] [NSS_3_57_RTM] <NSS_3_57_BRANCH>

2020-09-15 Kevin Jacobs <kjacobs@mozilla.com>

* .hgtags:
Added tag NSS_3_57_BETA1 for changeset 56224882ccc3
[f46f20c58c4f]

Comment 12

[Pulsebot]

Pushed by jjones@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/963f87c25ddf
land NSS NSS_3_57_RTM UPGRADE_NSS_RELEASE, r=jcj

Comment 13

[Cristina Coroiu [:ccoroiu]]

https://hg.mozilla.org/mozilla-central/rev/963f87c25ddf