Closed Bug 1660509 Opened 9 months ago Closed 8 months ago

Upgrade Firefox 82 to use NSS 3.57


(Core :: Security: PSM, enhancement, P1)

Firefox 82



82 Branch
Tracking Status
firefox81 --- wontfix
firefox82 --- fixed


(Reporter: kjacobs, Assigned: kjacobs)


(Whiteboard: [psm-assigned][nss])


(4 files)

Tracking NSS 3.57 for Firefox 82. Ultimate tag will be NSS_3_57_RTM.

Version: Firefox 81 → Firefox 82

2020-08-21 Kevin Jacobs <>

* automation/abi-check/previous-nss-release, lib/nss/nss.h,
lib/softoken/softkver.h, lib/util/nssutil.h:
Set version numbers to 3.57 Beta

2020-08-24 Kevin Jacobs <>

* gtests/ssl_gtest/, lib/ssl/dtls13con.c,
lib/ssl/dtlscon.c, lib/ssl/ssl3con.c, lib/ssl/sslimpl.h,
Bug 1653641 - Cleanup inaccurate DTLS comments, code review fixes.


2020-08-24 Robert Relyea <>

* lib/freebl/fipsfreebl.c, lib/softoken/fipstest.c,
lib/softoken/kbkdf.c, lib/softoken/lowpbe.c, lib/softoken/lowpbe.h,
lib/softoken/pkcs11c.c, lib/softoken/pkcs11i.h,
lib/softoken/sftkhmac.c, lib/softoken/sftkike.c:
Bug 1660304 New FIPS IG requires self-tests for approved kdfs.
r=ueno comments=kjacobs

FIPS guidance now requires self-tests for our kdfs. It also requires
self-tests for cmac which we didn't have in the cmac patch.

Currently only one test per kdf is necessary. Specifially for
SP-800-108, only one of the three flavors are needed (counter,
feedback, or pipeline). This patch includes more complete testing
but it has been turned off the currently extraneous tests under the
assumption that NIST guidance may require them in the future. HKDF
is currently not included in FIPS, but is on track to be included,
so hkdf have been included in this patch.

Because the test vectors are const strings, the patch pushes some
const definitions that were missing in existing private interfaces.

There are three flavors of self-tests: Function implemented in
freebl are added to the freebl/fipsfreebl.c Functions implemented in
pkcs11c.c have selftests completely implemented in
softoken/fipstest.c Functions implemented in their own .c file have
their selftest function implemented in that .c file and called by
fipstests.c These are consistant with the previous choices for

Some private interfaces that took in keys from pkcs #11 structures
or outputted keys to pkcs #11 structures were modified to optionally
take keys in by bytes and output keys as bytes so the self-tests can
work in just bytes.


2020-08-25 Daiki Ueno <>

* lib/softoken/
Bug 1659252, disable building if NSS_DISABLE_DBM=1,

Reviewers: rrelyea

Reviewed By: rrelyea

Bug #: 1659252


2020-08-24 Kevin Jacobs <>

* lib/pk11wrap/pk11cxt.c, lib/softoken/pkcs11c.c, lib/softoken/sdb.c,
Bug 1651834 - Fix various static analyzer warnings. r=rrelyea


2020-08-28 Mike Hommey <>

* lib/freebl/blapii.h:
Bug 1661810 - Define pre_align/post_align based on the compiler.

Things worked fine before we upgraded to clang 11 presumably because
the stack was always 16-bytes aligned in the first place, or
something akin to that, and the lack of pre_align/post_align doing
anything didn't matter. The runtime misalignment of the stack may
well be a clang > 9 bug, but keeping pre_align/post_align tied to
the x86/x64 is a footgun anyways.

[c100e11991f6] [tip]
Pushed by
land NSS c100e11991f6 UPGRADE_NSS_RELEASE, r=jcj
Blocks: 1660340

2020-09-14 Benjamin Beurdouche <>

* coreconf/
Bug 1660735 - Fix typo in coreconfig/ r=kjacobs

[2a17c8655a74] [tip]

* coreconf/
Bug 1660734 - Fix typo in coreconf/ r=kjacobs


2020-09-11 Kevin Jacobs <>

* lib/ckfw/builtins/nssckbi.h:
Bug 1663049 - September 2020 batch of root changes,


* lib/ckfw/builtins/certdata.txt:
Bug 1663049 - Add SecureTrust's Trustwave Global root certificates
to NSS. r=KathleenWilson,jcj


* lib/ckfw/builtins/certdata.txt:
Bug 1656077 - Remove Taiwan Government Root Certification Authority
root cert. r=KathleenWilson,jcj

Depends on D89841


* lib/ckfw/builtins/certdata.txt:
Bug 1653092 - Disable server trust bit for OISTE WISeKey Global Root
GA CA root cert. r=KathleenWilson,jcj

Depends on D89840


* lib/ckfw/builtins/certdata.txt:
Bug 1651211 - Remove EE Certification Centre Root CA root cert.


2020-09-11 Danh <>

* coreconf/, coreconf/, lib/freebl/Makefile:
Bug 1659727 - Move makefile avx2 detection to r=kjacobs

Summary: Current code base use CPU_ARCH to detect if avx2 is
supported in However, when included, CPU_ARCH
haven't been initialised, CPU_ARCH will be initialised by the OS
specific code later on.

Move the AVX2 detection to, after all other initialisation

Reviewers: kjacobs

Reviewed By: kjacobs

Subscribers: kjacobs

Bug #: 1659727


2020-09-08 Kevin Jacobs <>

* gtests/freebl_gtest/, lib/freebl/mpi/mpi.c:
Bug 1605922 - Account for negative sign in mp_radix_size


2020-09-09 Daiki Ueno <>

* lib/freebl/Makefile:
Bug 1659256, add gcc version check on AArch64 optimization,

Summary: As described in,
gcc version in RHEL-7 is still 4.8.x and cannot compile the newly
added aes-armv8.c. There is a version check already for 32-bit arm,
but not for AArch64. This also removes NS_USE_GCC check added in bug
1652032 in favor of the automatic detection using CC_IS_* macros.

Reviewers: rrelyea

Reviewed By: rrelyea

Subscribers: jmux, kjacobs

Bug #: 1659256


2020-09-08 Michael Shigorin <>

* coreconf/config.gypi:
Bug 1663346 - Build e2k architecture as 64-bit r=jcj

2020-09-05 Daiki Ueno <>

* lib/freebl/fipsfreebl.c:
Bug 1662738, run RNG self-tests only if NSPR is linked, r=rrelyea

Summary: After the continuous DRBG test was added, RNG self-tests
have no longer worked standalone. This moves the self-tests to the
DO_REST block so it only runs when the program is also linked to

Reviewers: rrelyea

Reviewed By: rrelyea

Bug #: 1662738


2020-09-02 Khem Raj <>

* lib/libpkix/pkix/util/pkix_logger.c:
Bug 1661378 - pkix: Do not use NULL where 0 is needed Clang finds
this error

pkix_logger.c:316:32: error: cast to smaller integer type
'PKIX_ERRORCLASS' from 'void *' [-Werror,-Wvoid-pointer-to-enum-
cast] logger->logComponent = (PKIX_ERRORCLASS)NULL;
^~~~~~~~~~~~~~~~~~~~~ pkix_logger.c:617:32: error: cast to smaller
integer type 'PKIX_ERRORCLASS' from 'void *' [-Werror,-Wvoid-
pointer-to-enum-cast] logger->logComponent = (PKIX_ERRORCLASS)NULL;
^~~~~~~~~~~~~~~~~~~~~ 2 errors generated.

Signed-off-by: Khem Raj <>
Pushed by
land NSS 2a17c8655a74 UPGRADE_NSS_RELEASE, r=jcj

2020-09-15 Kevin Jacobs <>

* automation/release/nspr-version.txt:
Bug 1660372 - NSS 3.57 should depend on NSPR 4.29. r=kaie

[56224882ccc3] [NSS_3_57_BETA1]

Since this is a leave-open representing multiple landings, I'm going to remove the blocker for 1660340 since the desired piece has already landed and stuck.

No longer blocks: 1660340
Pushed by

2020-09-18 Kevin Jacobs <>

* lib/nss/nss.h, lib/softoken/softkver.h, lib/util/nssutil.h:
Set version numbers to 3.57 final
[cf7e3e8abd77] [NSS_3_57_RTM] <NSS_3_57_BRANCH>

2020-09-15 Kevin Jacobs <>

* .hgtags:
Added tag NSS_3_57_BETA1 for changeset 56224882ccc3
Keywords: leave-open
Pushed by
Closed: 8 months ago
Resolution: --- → FIXED
Target Milestone: --- → 82 Branch
You need to log in before you can comment on or make changes to this bug.