Bug 1724869 - land NSS 56238350052a UPGRADE_NSS_RELEASE, r=djackson

Differential Revision: https://phabricator.services.mozilla.com/D122202
dothq · Aug 10, 2021 · 46e2563 · 46e2563
1 parent 3095d71
commit 46e2563
Show file tree

Hide file tree

Showing 20 changed files with 689 additions and 22,522 deletions.
diff --git a/security/nss/TAG-INFO b/security/nss/TAG-INFO
@@ -1 +1 @@
-NSS_3_69_RTM
+56238350052a
diff --git a/security/nss/automation/taskcluster/docker-builds/Dockerfile b/security/nss/automation/taskcluster/docker-builds/Dockerfile
@@ -35,6 +35,7 @@ RUN apt-get update \
     valgrind \
     zlib1g-dev \
     clang-format-3.9 \
+    sqlite3 \
  && rm -rf /var/lib/apt/lists/* \
  && apt-get autoremove -y && apt-get clean -y
 

diff --git a/security/nss/automation/taskcluster/docker-gcc-4.4/Dockerfile b/security/nss/automation/taskcluster/docker-gcc-4.4/Dockerfile
@@ -11,6 +11,7 @@ RUN apt-get update \
     make \
     patch \
     mercurial \
+    sqlite3 \
     zlib1g-dev \
  && rm -rf /var/lib/apt/lists/* \
  && apt-get autoremove -y && apt-get clean -y

diff --git a/security/nss/automation/taskcluster/docker/Dockerfile b/security/nss/automation/taskcluster/docker/Dockerfile
@@ -20,6 +20,7 @@ RUN apt-get update \
     mercurial \
     ninja-build \
     pkg-config \
+    sqlite3 \
     zlib1g-dev \
  && rm -rf /var/lib/apt/lists/* \
  && apt-get autoremove -y && apt-get clean -y

diff --git a/security/nss/coreconf/coreconf.dep b/security/nss/coreconf/coreconf.dep
@@ -10,3 +10,4 @@
  */
 
 #error "Do not include this header file."
+
diff --git a/security/nss/doc/rst/releases/index.rst b/security/nss/doc/rst/releases/index.rst
@@ -8,6 +8,7 @@ Releases
    :glob:
    :hidden:
 
+   nss_3_69.rst
    nss_3_68.rst
    nss_3_67.rst
    nss_3_66.rst
@@ -16,22 +17,21 @@ Releases
 
 .. note::
 
-   **NSS 3.68** is the latest version of NSS.
+   **NSS 3.69** is the latest version of NSS.
 
-   Complete release notes are available here: :ref:`mozilla_projects_nss_nss_3_68_release_notes`
+   Complete release notes are available here: :ref:`mozilla_projects_nss_nss_3_69_release_notes`
 
 .. container::
 
    Changes included in this release:
 
-   -  Bug 1709654 - Update for NetBSD configuration.
-   -  Bug 1709750 - Disable HPKE test when fuzzing.
-   -  Bug 1566124 - Optimize AES-GCM for ppc64le.
-   -  Bug 1699021 - Add AES-256-GCM to HPKE.
-   -  Bug 1698419 - ECH -10 updates.
-   -  Bug 1692930 - Update HPKE to final version.
-   -  Bug 1707130 - NSS should use modern algorithms in PKCS#12 files by default.
-   -  Bug 1703936 - New coverity/cpp scanner errors.
-   -  Bug 1697303 - NSS needs to update it's csp clearing to FIPS 180-3 standards.
-   -  Bug 1702663 - Need to support RSA PSS with Hashing PKCS #11 Mechanisms.
-   -  Bug 1705119 - Deadlock when using GCM and non-thread safe tokens.
+   - Bug 1722613 - Disable DTLS 1.0 and 1.1 by default
+   - Bug 1720226 - integrity checks in key4.db not happening on private components with AES_CBC
+   - Bug 1720235 - SSL handling of signature algorithms ignores environmental invalid algorithms.
+   - Bug 1721476 - sqlite 3.34 changed it's open semantics, causing nss failures.
+   - Bug 1720230 - Gtest update changed the gtest reports, losing gtest details in all.sh reports.
+   - Bug 1720228 - NSS incorrectly accepting 1536 bit DH primes in FIPS mode
+   - Bug 1720232 - SQLite calls could timeout in starvation situations.
+   - Bug 1720225 - Coverity/cpp scanner errors found in nss 3.67
+   - Bug 1709817 - Import the NSS documentation from MDN in nss/doc.
+   - Bug 1720227 - NSS using a tempdir to measure sql performance not active
diff --git a/security/nss/doc/rst/releases/nss_3_69.rst b/security/nss/doc/rst/releases/nss_3_69.rst
@@ -0,0 +1,64 @@
+.. _mozilla_projects_nss_nss_3_69_release_notes:
+
+NSS 3.69 release notes
+======================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+   Network Security Services (NSS) 3.69 was released on **5 August 2021**.
+
+.. _distribution_information:
+
+`Distribution Information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+   The HG tag is NSS_3_69_RTM. NSS 3.69 requires NSPR 4.32 or newer.
+
+   NSS 3.69 source distributions are available on ftp.mozilla.org for secure HTTPS download:
+
+   -  Source tarballs:
+      https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_69_RTM/src/
+
+   Other releases are available :ref:`mozilla_projects_nss_releases`.
+
+.. _bugs_fixed_in_nss_3.69:
+
+`Bugs fixed in NSS 3.69 <#bugs_fixed_in_nss_3.69>`__
+----------------------------------------------------
+
+.. container::
+
+   - Bug 1722613 - Disable DTLS 1.0 and 1.1 by default
+   - Bug 1720226 - integrity checks in key4.db not happening on private components with AES_CBC
+   - Bug 1720235 - SSL handling of signature algorithms ignores environmental invalid algorithms.
+   - Bug 1721476 - sqlite 3.34 changed it's open semantics, causing nss failures.
+   - Bug 1720230 - Gtest update changed the gtest reports, losing gtest details in all.sh reports.
+   - Bug 1720228 - NSS incorrectly accepting 1536 bit DH primes in FIPS mode
+   - Bug 1720232 - SQLite calls could timeout in starvation situations.
+   - Bug 1720225 - Coverity/cpp scanner errors found in nss 3.67
+   - Bug 1709817 - Import the NSS documentation from MDN in nss/doc.
+   - Bug 1720227 - NSS using a tempdir to measure sql performance not active
+
+`Compatibility <#compatibility>`__
+----------------------------------
+
+.. container::
+
+   NSS 3.69 shared libraries are backwards-compatible with all older NSS 3.x shared libraries. A
+   program linked with older NSS 3.x shared libraries will work with NSS 3.69 shared libraries
+   without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs
+   to the functions listed in NSS Public Functions will remain compatible with future versions of
+   the NSS shared libraries.
+
+`Feedback <#feedback>`__
+------------------------
+
+.. container::
+
+   Bugs discovered should be reported by filing a bug report on
+   `bugzilla.mozilla.org <https://bugzilla.mozilla.org/enter_bug.cgi?product=NSS>`__ (product NSS).
diff --git a/security/nss/gtests/common/gtests.cc b/security/nss/gtests/common/gtests.cc
@@ -6,20 +6,34 @@
 #define GTEST_HAS_RTTI 0
 #include "gtest/gtest.h"
 
+// Tests are passed the location of their source directory
+// so that they can load extra resources from there.
+std::string g_source_dir;
+
+void usage(const char *progname) {
+  PR_fprintf(PR_STDERR, "Usage: %s [-s <dir>] [-d <dir> [-w]]\n", progname);
+  exit(2);
+}
+
 int main(int argc, char **argv) {
   ::testing::InitGoogleTest(&argc, argv);
 
   const char *workdir = "";
   uint32_t flags = NSS_INIT_READONLY;
 
   for (int i = 0; i < argc; i++) {
-    if (!strcmp(argv[i], "-d")) {
+    if (!strcmp(argv[i], "-s")) {
+      if (i + 1 >= argc) {
+        usage(argv[0]);
+      }
+      i++;
+      g_source_dir = argv[i];
+    } else if (!strcmp(argv[i], "-d")) {
       if (i + 1 >= argc) {
-        PR_fprintf(PR_STDERR, "Usage: %s [-d <dir> [-w]]\n", argv[0]);
-        exit(2);
+        usage(argv[0]);
       }
-      workdir = argv[i + 1];
       i++;
+      workdir = argv[i];
     } else if (!strcmp(argv[i], "-w")) {
       flags &= ~NSS_INIT_READONLY;
     }

diff --git a/security/nss/gtests/common/testvectors/hpke-convert.py b/security/nss/gtests/common/testvectors/hpke-convert.py
Original file line number	Diff line number	Diff line change
Expand Up		@@ -10,3 +10,4 @@
		*/

		#error "Do not include this header file."