Closed Bug 1851092 Opened 11 months ago Closed 10 months ago

Upgrade Firefox 119 to use NSS 3.94


(Core :: Security: PSM, task, P1)

Firefox 119



120 Branch
Tracking Status
firefox119 --- fixed
firefox120 --- fixed


(Reporter: jschanck, Assigned: anna.weine)


(Blocks 1 open bug)



(2 files)

No description provided.
No longer blocks: 1849055
Blocks: clang-18
Attachment #9352120 - Attachment description: Bug 1851092 - land NSS 742eaeb08ab3 UPGRADE_NSS_RELEASE, r=keeler → Bug 1851092 - land NSS ffcd992581 UPGRADE_NSS_RELEASE, r=keeler
Pushed by
land NSS ffcd992581 UPGRADE_NSS_RELEASE, r=keeler
Regressions: 1853275
Depends on: 1853737

same as, 119.0b1 is available on the mirrors, but there's no NSS 3.94 release available so builds using --with-system-nss arent possible:

checking for nss >= 3.94... no
ERROR: Requested 'nss >= 3.94' but version of NSS is 3.93

is it possible to make an nss release available ?

Flags: needinfo?(jschanck)

bah, just saw, should have checked there first..

Flags: needinfo?(jschanck)

2023-10-02 Natalia Kulatova <>

* doc/rst/releases/nss_3_94.rst:
Documentation: Release notes for NSS 3.94
[8c67d6c2d718] [NSS_3_94_RTM] <NSS_3_94_BRANCH>

* .hgtags:
Added tag NSS_3_94_RTM for changeset a4d8f6ff9c3b
[18307440cfb0] <NSS_3_94_BRANCH>

* doc/rst/releases/index.rst:
Release notes for NSS 3.94
[a4d8f6ff9c3b] <NSS_3_94_BRANCH>

* lib/nss/nss.h, lib/softoken/softkver.h, lib/util/nssutil.h:
Set version numbers to 3.94 final
[0af23c222caf] <NSS_3_94_BRANCH>

2023-09-21 Benjamin Beurdouche <>

* .hgtags:
Removed tag NSS_3_94_BETA1

2023-09-20 Karthikeyan Bhargavan <>

* automation/taskcluster/scripts/,
lib/freebl/verified/Hacl_Krmllib.h, lib/freebl/verified/Hacl_P256.c,
lib/freebl/verified/karamel/include/krml/internal/target.h, lib/free
Bug 1853737 - Updated code and commit ID for HACL*. r=jschanck


2023-09-20 Iaroslav Gridin <>

* tests/acvp/fuzzed/ecdsa.json:
Bug 1840510: update ACVP fuzzed test vector: refuzzed with current
NSS r=jschanck


2023-09-15 Robert Relyea <>

* automation/abi-check/,
lib/freebl/nsslowhash.c, lib/freebl/stubs.c, lib/freebl/stubs.h,
lib/pk11wrap/pk11util.c, lib/softoken/pkcs11.c,
lib/util/nssutil.def, lib/util/secport.c, lib/util/secport.h:
Bug 1827303 Softoken C_ calls should use system FIPS setting to
select NSC_ or FC_ variants.

NSS softoken presents a PKCS #11 API to the NSS low level crypto.
This allows NSS to have native support for replacement PKCS #11
libraries, and is also the FIPS boundary, allowing the rest of NSS
to change without affecting any FIPS validations.

Some applications that need crypto, but have their own higher level
implementations of SSL or S/MIME use NSS softoken. Softoken has 2
general APIs: NSC_xxxx calls which implement the normal NSS
interface, but does not include any FIPS restrictions, The FC_xxx
interfaces which implements FIPS restrictions on the semantics of
the calls and additional FIPS requirements (like self-tests and
software integrity checks). The official PKCS #11 APIs are C_xxx
interfaces, and NSS exports those as aliases for NSC_xxxx calls.

Right now applications that use softoken have to know the NSS names
if they want to access the FIPS api. This bugs removes this
restriction and causes calls to C_xxxx to alias to FC_xxxxx if the
system is in FIPS mode. If the system has no system FIPS indicator,
or the that indicator is off, the C_xxxx will continue to call
NSC_xxxxx. NSS itself will continue to use NSC_xxxx or FC_xxxx
according to the NSS internal FIPS settings.

---------------- Currently there are 3 layers in NSS with code that
identifies the whether the system is in NSS: nss proper (which is
also exported to applications), and freebl for the Freebl hash
direct case. This code would add a 3rd (in softoken). Rather than
adding a third, this patch relocates the main function to nssutil
where softoken, nss, and freebl can all access it. The exception is
when building freebl with 'NODEPEND' (freebl can provide hashing
without dependencies on NSPR or NSSUTIL), there needs to be a stub
implementation. In most platforms and cases this stub is never


* .hgignore, automation/taskcluster/scripts/, cmd/Makefile,
cmd/dbtool/Makefile, cmd/dbtool/dbtool.c, cmd/dbtool/dbtool.gyp,
cmd/dbtool/, cmd/, lib/softoken/sdb.h,
Bug 1774659 NSS needs a database tool that can dump the low level
representation of the database. r=jschanck

When debugging the database, it would be helpful to know what is in
the database is a nicely formated way. certutil dumps a high level
view of the certs and keys, sqlite3 can dump the low level tables
and raw entries. It would be useful to dump the database as softoken
sees the database.

This code grabs a copy of the latest sdb.c from softoken and uses it
to fetch the database entries, then parses them as necessary. It
uses the pkcs11 table in libsec to format the result data into human
readable strings.


2023-09-08 John Schanck <>

* gtests/mozpkix_gtest/pkixnames_tests.cpp:
Bug 1852179 - declare string literals using char in
pkixnames_tests.cpp. r=nss-reviewers,nkulatova

Pushed by
land NSS NSS_3_94_RTM UPGRADE_NSS_RELEASE, r=nss-reviewers,jschanck
Closed: 10 months ago
Resolution: --- → FIXED
Assignee: bbeurdouche → nkulatova

Sounds like this needs a Beta approval request.

Flags: needinfo?(nkulatova)
Target Milestone: --- → 120 Branch
Blocks: 1856659
No longer blocks: 1856659

Comment on attachment 9356157 [details]
Bug 1851092 - land NSS NSS_3_94_RTM UPGRADE_NSS_RELEASE, r=#nss-reviewers

Beta/Release Uplift Approval Request

  • User impact if declined: The most important modification in this patch is the updated cryptography. If declined - worse speed of a cryptography primitive (P256).
  • Is this code covered by automated tests?: Yes
  • Has the fix been verified in Nightly?: Yes
  • Needs manual test from QE?: No
  • If yes, steps to reproduce:
  • List of other uplifts needed: None
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): We use a new implementation of a cryptography function.
  • String changes made/needed:
  • Is Android affected?: No
Flags: needinfo?(nkulatova)
Attachment #9356157 - Flags: approval-mozilla-beta?
Attachment #9352120 - Flags: approval-mozilla-beta?

Comment on attachment 9352120 [details]
Bug 1851092 - land NSS ffcd992581 UPGRADE_NSS_RELEASE, r=keeler

Accidentally approved this flag, these patches are still in consideration for the next beta

Attachment #9352120 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
Attachment #9352120 - Flags: approval-mozilla-beta+ → approval-mozilla-beta?

Comment on attachment 9352120 [details]
Bug 1851092 - land NSS ffcd992581 UPGRADE_NSS_RELEASE, r=keeler

This patch already landed in Fx119 on 2023-09-08 which was prior to merge day (2023-09-25)

Attachment #9352120 - Flags: approval-mozilla-beta? → approval-mozilla-beta-

Comment on attachment 9356157 [details]
Bug 1851092 - land NSS NSS_3_94_RTM UPGRADE_NSS_RELEASE, r=#nss-reviewers

Approved for 119.0b6

Attachment #9356157 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
You need to log in before you can comment on or make changes to this bug.