Upgrade Firefox 82 to use NSS 3.57
Categories
(Core :: Security: PSM, enhancement, P1)
Tracking
()
People
(Reporter: kjacobs, Assigned: kjacobs)
References
(Blocks 1 open bug)
Details
(Whiteboard: [psm-assigned][nss])
Attachments
(4 files)
Tracking NSS 3.57 for Firefox 82. Ultimate tag will be NSS_3_57_RTM.
Assignee | ||
Updated•4 years ago
|
Assignee | ||
Comment 1•4 years ago
|
||
2020-08-21 Kevin Jacobs <kjacobs@mozilla.com>
* automation/abi-check/previous-nss-release, lib/nss/nss.h,
lib/softoken/softkver.h, lib/util/nssutil.h:
Set version numbers to 3.57 Beta
[783f49ae6126]
2020-08-24 Kevin Jacobs <kjacobs@mozilla.com>
* gtests/ssl_gtest/ssl_auth_unittest.cc, lib/ssl/dtls13con.c,
lib/ssl/dtlscon.c, lib/ssl/ssl3con.c, lib/ssl/sslimpl.h,
lib/ssl/sslnonce.c:
Bug 1653641 - Cleanup inaccurate DTLS comments, code review fixes.
r=mt
[0e1b5c711cb9]
2020-08-24 Robert Relyea <rrelyea@redhat.com>
* lib/freebl/fipsfreebl.c, lib/softoken/fipstest.c,
lib/softoken/kbkdf.c, lib/softoken/lowpbe.c, lib/softoken/lowpbe.h,
lib/softoken/pkcs11c.c, lib/softoken/pkcs11i.h,
lib/softoken/sftkhmac.c, lib/softoken/sftkike.c:
Bug 1660304 New FIPS IG requires self-tests for approved kdfs.
r=ueno comments=kjacobs
FIPS guidance now requires self-tests for our kdfs. It also requires
self-tests for cmac which we didn't have in the cmac patch.
Currently only one test per kdf is necessary. Specifially for
SP-800-108, only one of the three flavors are needed (counter,
feedback, or pipeline). This patch includes more complete testing
but it has been turned off the currently extraneous tests under the
assumption that NIST guidance may require them in the future. HKDF
is currently not included in FIPS, but is on track to be included,
so hkdf have been included in this patch.
Because the test vectors are const strings, the patch pushes some
const definitions that were missing in existing private interfaces.
There are three flavors of self-tests: Function implemented in
freebl are added to the freebl/fipsfreebl.c Functions implemented in
pkcs11c.c have selftests completely implemented in
softoken/fipstest.c Functions implemented in their own .c file have
their selftest function implemented in that .c file and called by
fipstests.c These are consistant with the previous choices for
selftests.
Some private interfaces that took in keys from pkcs #11 structures
or outputted keys to pkcs #11 structures were modified to optionally
take keys in by bytes and output keys as bytes so the self-tests can
work in just bytes.
[5dca54fe61c2]
2020-08-25 Daiki Ueno <dueno@redhat.com>
* lib/softoken/manifest.mn:
Bug 1659252, disable building libnssdbm3.so if NSS_DISABLE_DBM=1,
r=rrelyea
Reviewers: rrelyea
Reviewed By: rrelyea
Bug #: 1659252
[4d55d36ca6ef]
2020-08-24 Kevin Jacobs <kjacobs@mozilla.com>
* lib/pk11wrap/pk11cxt.c, lib/softoken/pkcs11c.c, lib/softoken/sdb.c,
lib/softoken/sftkpwd.c:
Bug 1651834 - Fix various static analyzer warnings. r=rrelyea
[ab04fd73fd6d]
2020-08-28 Mike Hommey <mh@glandium.org>
* lib/freebl/blapii.h:
Bug 1661810 - Define pre_align/post_align based on the compiler.
r=jcj
Things worked fine before we upgraded to clang 11 presumably because
the stack was always 16-bytes aligned in the first place, or
something akin to that, and the lack of pre_align/post_align doing
anything didn't matter. The runtime misalignment of the stack may
well be a clang > 9 bug, but keeping pre_align/post_align tied to
the x86/x64 is a footgun anyways.
[c100e11991f6] [tip]
Pushed by jjones@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/f39bc2f76fe1 land NSS c100e11991f6 UPGRADE_NSS_RELEASE, r=jcj
Comment 3•4 years ago
|
||
bugherder |
Assignee | ||
Comment 4•4 years ago
|
||
2020-09-14 Benjamin Beurdouche <bbeurdouche@mozilla.com>
* coreconf/arch.mk:
Bug 1660735 - Fix typo in coreconfig/arch.mk. r=kjacobs
[2a17c8655a74] [tip]
* coreconf/config.mk:
Bug 1660734 - Fix typo in coreconf/config.mk. r=kjacobs
[4ae56ec2411b]
2020-09-11 Kevin Jacobs <kjacobs@mozilla.com>
* lib/ckfw/builtins/nssckbi.h:
Bug 1663049 - September 2020 batch of root changes,
NSS_BUILTINS_LIBRARY_VERSION 2.44. r=jcj
[141ef83ac10b]
* lib/ckfw/builtins/certdata.txt:
Bug 1663049 - Add SecureTrust's Trustwave Global root certificates
to NSS. r=KathleenWilson,jcj
[7dfc054a983e]
* lib/ckfw/builtins/certdata.txt:
Bug 1656077 - Remove Taiwan Government Root Certification Authority
root cert. r=KathleenWilson,jcj
Depends on D89841
[32a0d8f751ef]
* lib/ckfw/builtins/certdata.txt:
Bug 1653092 - Disable server trust bit for OISTE WISeKey Global Root
GA CA root cert. r=KathleenWilson,jcj
Depends on D89840
[1cdfb26b3220]
* lib/ckfw/builtins/certdata.txt:
Bug 1651211 - Remove EE Certification Centre Root CA root cert.
r=KathleenWilson,jcj
[089aeca370df]
2020-09-11 Danh <congdanhqx@gmail.com>
* coreconf/arch.mk, coreconf/config.mk, lib/freebl/Makefile:
Bug 1659727 - Move makefile avx2 detection to config.mk. r=kjacobs
Summary: Current code base use CPU_ARCH to detect if avx2 is
supported in arch.mk However, when arch.mk included, CPU_ARCH
haven't been initialised, CPU_ARCH will be initialised by the OS
specific code later on.
Move the AVX2 detection to config.mk, after all other initialisation
done.
Reviewers: kjacobs
Reviewed By: kjacobs
Subscribers: kjacobs
Bug #: 1659727
[c6dcb99e6121]
2020-09-08 Kevin Jacobs <kjacobs@mozilla.com>
* gtests/freebl_gtest/mpi_unittest.cc, lib/freebl/mpi/mpi.c:
Bug 1605922 - Account for negative sign in mp_radix_size
r=bbeurdouche
[b64436ecbd79]
2020-09-09 Daiki Ueno <dueno@redhat.com>
* lib/freebl/Makefile:
Bug 1659256, add gcc version check on AArch64 optimization,
r=rrelyea
Summary: As described in https://access.redhat.com/solutions/19458,
gcc version in RHEL-7 is still 4.8.x and cannot compile the newly
added aes-armv8.c. There is a version check already for 32-bit arm,
but not for AArch64. This also removes NS_USE_GCC check added in bug
1652032 in favor of the automatic detection using CC_IS_* macros.
Reviewers: rrelyea
Reviewed By: rrelyea
Subscribers: jmux, kjacobs
Bug #: 1659256
[b971c77c0d68]
2020-09-08 Michael Shigorin <mike@altlinux.org>
* coreconf/config.gypi:
Bug 1663346 - Build e2k architecture as 64-bit r=jcj
[e524a577761d]
2020-09-05 Daiki Ueno <dueno@redhat.com>
* lib/freebl/fipsfreebl.c:
Bug 1662738, run RNG self-tests only if NSPR is linked, r=rrelyea
Summary: After the continuous DRBG test was added, RNG self-tests
have no longer worked standalone. This moves the self-tests to the
DO_REST block so it only runs when the program is also linked to
NSPR.
Reviewers: rrelyea
Reviewed By: rrelyea
Bug #: 1662738
[e03296e73ba6]
2020-09-02 Khem Raj <raj.khem@gmail.com>
* lib/libpkix/pkix/util/pkix_logger.c:
Bug 1661378 - pkix: Do not use NULL where 0 is needed Clang finds
this error
pkix_logger.c:316:32: error: cast to smaller integer type
'PKIX_ERRORCLASS' from 'void *' [-Werror,-Wvoid-pointer-to-enum-
cast] logger->logComponent = (PKIX_ERRORCLASS)NULL;
^~~~~~~~~~~~~~~~~~~~~ pkix_logger.c:617:32: error: cast to smaller
integer type 'PKIX_ERRORCLASS' from 'void *' [-Werror,-Wvoid-
pointer-to-enum-cast] logger->logComponent = (PKIX_ERRORCLASS)NULL;
^~~~~~~~~~~~~~~~~~~~~ 2 errors generated.
Signed-off-by: Khem Raj <raj.khem@gmail.com>
[9213848965f6]
Pushed by jjones@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/cd3c94fcde3f land NSS 2a17c8655a74 UPGRADE_NSS_RELEASE, r=jcj
Comment 6•4 years ago
|
||
bugherder |
Assignee | ||
Comment 7•4 years ago
|
||
2020-09-15 Kevin Jacobs <kjacobs@mozilla.com>
* automation/release/nspr-version.txt:
Bug 1660372 - NSS 3.57 should depend on NSPR 4.29. r=kaie
[56224882ccc3] [NSS_3_57_BETA1]
Since this is a leave-open representing multiple landings, I'm going to remove the blocker for 1660340 since the desired piece has already landed and stuck.
Pushed by jjones@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/e9b8cd72d354 land NSS NSS_3_57_BETA1 UPGRADE_NSS_RELEASE, r=jcj
Comment 10•4 years ago
|
||
bugherder |
Assignee | ||
Comment 11•4 years ago
|
||
2020-09-18 Kevin Jacobs <kjacobs@mozilla.com>
* lib/nss/nss.h, lib/softoken/softkver.h, lib/util/nssutil.h:
Set version numbers to 3.57 final
[cf7e3e8abd77] [NSS_3_57_RTM] <NSS_3_57_BRANCH>
2020-09-15 Kevin Jacobs <kjacobs@mozilla.com>
* .hgtags:
Added tag NSS_3_57_BETA1 for changeset 56224882ccc3
[f46f20c58c4f]
Assignee | ||
Updated•4 years ago
|
Comment 12•4 years ago
|
||
Pushed by jjones@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/963f87c25ddf land NSS NSS_3_57_RTM UPGRADE_NSS_RELEASE, r=jcj
Comment 13•4 years ago
|
||
bugherder |
Updated•4 years ago
|
Updated•7 months ago
|
Description
•