Bug 1870290 - land 660735996d77, UPGRADE_NSS_RELEASE, r=nss-reviewers…

…,nkulatova

Differential Revision: https://phabricator.services.mozilla.com/D196845

security/nss/TAG-INFO

@@ -1 +1 @@
-NSS_3_96_RTM
+660735996d77

security/nss/automation/abi-check/previous-nss-release

@@ -1 +1 @@
-NSS_3_95_BRANCH
+NSS_3_96_BRANCH

security/nss/automation/release/nss-release-helper.py

@@ -74,6 +74,7 @@ def inplace_replace(replacements=[], filename=""):
 
         shutil.copystat(filename, tmp_file.name)
         shutil.move(tmp_file.name, filename)
+        os.utime(filename, None)
 
 
 def toggle_beta_status(is_beta):

security/nss/coreconf/coreconf.dep

@@ -10,3 +10,4 @@
  */
 
 #error "Do not include this header file."
+

security/nss/doc/rst/releases/index.rst

@@ -8,6 +8,8 @@ Releases
    :glob:
    :hidden:
 
+   nss_3_96_1.rst
+   nss_3_96.rst
    nss_3_95.rst
    nss_3_94.rst
    nss_3_93.rst
@@ -59,30 +61,18 @@ Releases
 
 .. note::
 
-   **NSS 3.95.0** is the latest version of NSS.
-   Complete release notes are available here: :ref:`mozilla_projects_nss_nss_3_95_0_release_notes`
+   **NSS 3.96.1** is the latest version of NSS.
+   Complete release notes are available here: :ref:`mozilla_projects_nss_nss_3_96_1_release_notes`
 
    **NSS 3.90.1 (ESR)** is the latest version of NSS.
    Complete release notes are available here: :ref:`mozilla_projects_nss_nss_3_90_1_release_notes`
 
 .. container::
 
-   Changes in 3.95 included in this release:
+   Changes in 3.96.1 (from 3.95.0) included in this release:
 
-  - Bug 1842932 - Bump builtins version number.
-  - Bug 1851044: Remove Email trust bit from Autoridad de Certificacion Firmaprofesional CIF A62634068 root cert.
-  - Bug 1855318: Remove 4 DigiCert (Symantec/Verisign) Root Certificates from NSS.
-  - Bug 1851049: Remove 3 TrustCor Root Certificates from NSS.
-  - Bug 1850982 - Remove Camerfirma root certificates from NSS.
-  - Bug 1842935 - Remove old Autoridad de Certificacion Firmaprofesional Certificate.
-  - Bug 1860670 - Add four Commscope root certificates to NSS.
-  - Bug 1850598 - Add TrustAsia Global Root CA G3 and G4 root certificates.
-  - Bug 1863605 - Include P-384 and P-521 Scalar Validation from HACL*
-  - Bug 1861728 - Include P-256 Scalar Validation from HACL*.
-  - Bug 1861265 After the HACL 256 ECC patch, NSS incorrectly encodes 256 ECC without DER wrapping at the softoken level
-  - Bug 1837987:Add means to provide library parameters to C_Initialize
-  - Bug 1573097 - clang format
-  - Bug 1854795 - add OSXSAVE and XCR0 tests to AVX2 detection.
-  - Bug 1858241 - Typo in ssl3_AppendHandshakeNumber
-  - Bug 1858241 - Introducing input check of ssl3_AppendHandshakeNumber
-  - Bug 1573097 - Fix Invalid casts in instance.c
+  - Bug 1869408 - Use pypi dependencies for MacOS worker in ./build_gyp.sh
+  - Bug 1830978 - p7sign: add -a hash and -u certusage (also p7verify cleanups).
+  - Bug 1867408 - add a defensive check for large ssl_DefSend return values.
+  - Bug 1869378 - Add dependency to the taskcluster script for Darwin
+  - Bug 1869378 - Upgrade version of the MacOS worker for the CI

security/nss/doc/rst/releases/nss_3_96.rst

@@ -0,0 +1,17 @@
+.. _mozilla_projects_nss_nss_3_96_release_notes:
+
+NSS 3.96 release notes
+======================
+
+Unfortunately due to issues with the release process we have inconsistent
+source code between the 3.96.0 tag in the NSS repo and the code that is on the FTP.
+The code for 3.96.0 available on the FTP contains some changes planned for the
+next release (namely DTLS 1.3).
+
+As we cannot change what has been published on the FTP easily, and to avoid further
+confusion, we published a dot release...
+
+As part of our roadmap to improve release automation, we will design things to be
+resilient against this divergence in the future.
+
+NSS 3.96.1 is available consistently in the FTP, the repo and Firefox as expected.

security/nss/doc/rst/releases/nss_3_96_1.rst

@@ -0,0 +1,58 @@
+.. _mozilla_projects_nss_nss_3_96_1_release_notes:
+
+NSS 3.96.1 release notes
+========================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+   Network Security Services (NSS) 3.96.1 was released on *18th December 2023**.
+
+`Distribution Information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+   The HG tag is NSS_3_96_1_RTM. NSS 3.96.1 requires NSPR 4.35 or newer.
+
+   NSS 3.96.1 source distributions are available on ftp.mozilla.org for secure HTTPS download:
+
+   -  Source tarballs:
+      https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_96_1_RTM/src/
+
+   Other releases are available :ref:`mozilla_projects_nss_releases`.
+
+.. _changes_in_nss_3.96.1:
+
+`Changes in NSS 3.96.1 (from NSS 3.95) <#changes_in_nss_3.96.1>`__
+------------------------------------------------------------------
+
+.. container::
+
+  - Bug 1869408 - Use pypi dependencies for MacOS worker in ./build_gyp.sh
+  - Bug 1830978 - p7sign: add -a hash and -u certusage (also p7verify cleanups).
+  - Bug 1867408 - add a defensive check for large ssl_DefSend return values.
+  - Bug 1869378 - Add dependency to the taskcluster script for Darwin
+  - Bug 1869378 - Upgrade version of the MacOS worker for the CI
+
+`Compatibility <#compatibility>`__
+----------------------------------
+
+.. container::
+
+   NSS 3.96.1 shared libraries are backwards-compatible with all older NSS 3.x shared
+   libraries. A program linked with older NSS 3.x shared libraries will work with
+   this new version of the shared libraries without recompiling or
+   relinking. Furthermore, applications that restrict their use of NSS APIs to the
+   functions listed in NSS Public Functions will remain compatible with future
+   versions of the NSS shared libraries.
+
+`Feedback <#feedback>`__
+------------------------
+
+.. container::
+
+   Bugs discovered should be reported by filing a bug report on
+   `bugzilla.mozilla.org <https://bugzilla.mozilla.org/enter_bug.cgi?product=NSS>`__ (product NSS).

security/nss/gtests/ssl_gtest/libssl_internals.c

@@ -222,6 +222,17 @@ SECStatus SSLInt_ShiftDtlsTimers(PRFileDesc *fd, PRIntervalTime shift) {
   return SECSuccess;
 }
 
+/* Instead of waiting the ACK timer to expire, we send the ack immediately*/
+SECStatus SSLInt_SendImmediateACK(PRFileDesc *fd) {
+  sslSocket *ss = ssl_FindSocket(fd);
+  if (!ss) {
+    return SECFailure;
+  }
+  PORT_Assert(IS_DTLS(ss));
+  dtls13_SendAck(ss);
+  return SECSuccess;
+}
+
 #define CHECK_SECRET(secret)                  \
   if (ss->ssl3.hs.secret) {                   \
     fprintf(stderr, "%s != NULL\n", #secret); \
@@ -397,8 +408,8 @@ SECStatus SSLInt_AdvanceWriteSeqNum(PRFileDesc *fd, PRUint64 to) {
       pk11ctxt->ivFixedBits = cipher_def->iv_size * BPB;
       pk11ctxt->ivGen = CKG_GENERATE_COUNTER;
     }
-    /* DTLS included the epoch in the fixed portion of the IV */
-    if (IS_DTLS(ss)) {
+    /* DTLS1.2 and below included the epoch in the fixed portion of the IV */
+    if (IS_DTLS_1_OR_12(ss)) {
       pk11ctxt->ivFixedBits += 2 * BPB;
     }
   }
@@ -410,6 +421,50 @@ SECStatus SSLInt_AdvanceWriteSeqNum(PRFileDesc *fd, PRUint64 to) {
   return SECSuccess;
 }
 
+/* The next two functions are responsible for replacing the epoch count with the
+  one given as the parameter. Important: It does not modify any other data, i.e.
+  keys. Used in ssl_keyupdate_unittests.cc,
+  DTLSKeyUpdateClient_KeyUpdateMaxEpoch TV.
+   */
+SECStatus SSLInt_AdvanceWriteEpochNum(PRFileDesc *fd, PRUint64 to) {
+  sslSocket *ss;
+  ss = ssl_FindSocket(fd);
+  if (!ss) {
+    return SECFailure;
+  }
+  // As currently the epoch is presented as a uint16, the max_epoch is the
+  // maximum value of the type
+  PRUint64 max_epoch = UINT16_MAX;
+  if (to > max_epoch) {
+    PORT_SetError(SEC_ERROR_INVALID_ARGS);
+    return SECFailure;
+  }
+
+  ssl_GetSpecWriteLock(ss);
+  ss->ssl3.cwSpec->epoch = to;
+  ssl_ReleaseSpecWriteLock(ss);
+  return SECSuccess;
+}
+
+SECStatus SSLInt_AdvanceReadEpochNum(PRFileDesc *fd, PRUint64 to) {
+  sslSocket *ss;
+  ss = ssl_FindSocket(fd);
+  if (!ss) {
+    return SECFailure;
+  }
+
+  PRUint64 max_epoch = UINT16_MAX;
+  if (to > max_epoch) {
+    PORT_SetError(SEC_ERROR_INVALID_ARGS);
+    return SECFailure;
+  }
+
+  ssl_GetSpecReadLock(ss);
+  ss->ssl3.crSpec->epoch = to;
+  ssl_ReleaseSpecReadLock(ss);
+  return SECSuccess;
+}
+
 SECStatus SSLInt_AdvanceWriteSeqByAWindow(PRFileDesc *fd, PRInt32 extra) {
   sslSocket *ss;
   sslSequenceNumber to;
@@ -498,4 +553,4 @@ SECStatus SSLInt_SetRawEchConfigForRetry(PRFileDesc *fd, const uint8_t *buf,
   return SECSuccess;
 }
 
-PRBool SSLInt_IsIp(PRUint8 *s, unsigned int len) { return tls13_IsIp(s, len); }
+PRBool SSLInt_IsIp(PRUint8 *s, unsigned int len) { return tls13_IsIp(s, len); }

security/nss/gtests/ssl_gtest/libssl_internals.h

@@ -28,6 +28,7 @@ void SSLInt_SetSelfEncryptMacKey(PK11SymKey *key);
 PRInt32 SSLInt_CountCipherSpecs(PRFileDesc *fd);
 void SSLInt_PrintCipherSpecs(const char *label, PRFileDesc *fd);
 SECStatus SSLInt_ShiftDtlsTimers(PRFileDesc *fd, PRIntervalTime shift);
+SECStatus SSLInt_SendImmediateACK(PRFileDesc *fd);
 SECStatus SSLInt_SetMTU(PRFileDesc *fd, PRUint16 mtu);
 PRBool SSLInt_CheckSecretsDestroyed(PRFileDesc *fd);
 PRBool SSLInt_DamageClientHsTrafficSecret(PRFileDesc *fd);
@@ -39,6 +40,8 @@ PRBool SSLInt_SendAlert(PRFileDesc *fd, uint8_t level, uint8_t type);
 SECStatus SSLInt_AdvanceDtls13DecryptFailures(PRFileDesc *fd, PRUint64 to);
 SECStatus SSLInt_AdvanceWriteSeqNum(PRFileDesc *fd, PRUint64 to);
 SECStatus SSLInt_AdvanceReadSeqNum(PRFileDesc *fd, PRUint64 to);
+SECStatus SSLInt_AdvanceWriteEpochNum(PRFileDesc *fd, PRUint64 to);
+SECStatus SSLInt_AdvanceReadEpochNum(PRFileDesc *fd, PRUint64 to);
 SECStatus SSLInt_AdvanceWriteSeqByAWindow(PRFileDesc *fd, PRInt32 extra);
 SSLKEAType SSLInt_GetKEAType(SSLNamedGroup group);
 SECStatus SSLInt_HasPendingHandshakeData(PRFileDesc *fd, PRBool *pending);

security/nss/gtests/ssl_gtest/ssl_auth_unittest.cc

@@ -921,6 +921,9 @@ TEST_P(TlsConnectClientAuth, ClientAuthEcdsa) {
 }
 
 TEST_P(TlsConnectClientAuth, ClientAuthWithEch) {
+  if (variant_ == ssl_variant_datagram) {
+    GTEST_SKIP();
+  }
   Reset(TlsAgent::kServerEcdsa256);
   EnsureTlsSetup();
   SetupEch(client_, server_);

security/nss/gtests/ssl_gtest/ssl_drop_unittest.cc

@@ -72,11 +72,12 @@ static void CheckAcks(const std::shared_ptr<TlsRecordRecorder>& acks,
   const DataBuffer& buf = acks->record(index).buffer;
   size_t offset = 2;
   uint64_t len;
-
-  EXPECT_EQ(2 + expected.size() * 8, buf.len());
+  // RFC 9147 -  7. ACK Message.
+  // 16 bytes correspond to the length of the epoch and the length of the seqNum
+  EXPECT_EQ(2 + expected.size() * 16, buf.len());
   ASSERT_TRUE(buf.Read(0, 2, &len));
   ASSERT_EQ(static_cast<size_t>(len + 2), buf.len());
-  if ((2 + expected.size() * 8) != buf.len()) {
+  if ((2 + expected.size() * 16) != buf.len()) {
     while (offset < buf.len()) {
       uint64_t ack;
       ASSERT_TRUE(buf.Read(offset, 8, &ack));
@@ -88,9 +89,13 @@ static void CheckAcks(const std::shared_ptr<TlsRecordRecorder>& acks,
 
   for (size_t i = 0; i < expected.size(); ++i) {
     uint64_t a = expected[i];
-    uint64_t ack;
-    ASSERT_TRUE(buf.Read(offset, 8, &ack));
+    uint64_t ackEpoch;
+    uint64_t ackSeq;
+    ASSERT_TRUE(buf.Read(offset, 8, &ackEpoch));
+    offset += 8;
+    ASSERT_TRUE(buf.Read(offset, 8, &ackSeq));
     offset += 8;
+    uint64_t ack = (ackEpoch << 48) | ackSeq;
     if (a != ack) {
       ADD_FAILURE() << "Wrong ack " << i << " expected=0x" << std::hex << a
                     << " got=0x" << ack << std::dec;

security/nss/gtests/ssl_gtest/ssl_ecdh_unittest.cc

@@ -72,6 +72,35 @@ TEST_P(TlsConnectGeneric, ConnectEcdheP384Client) {
             ssl_sig_rsa_pss_rsae_sha256);
 }
 
+// The bug https://bugzilla.mozilla.org/show_bug.cgi?id=1818487 updates the
+// generation of transcript for DTLS1.3
+// The following three tests are used to check the correctness of the
+// transcript.
+TEST_P(TlsConnectGeneric,
+       ClientOfferTls11_Tls13ServerNegotiateEachVersionOneByOne_HRR) {
+  EnsureTlsSetup();
+  auto hrr_capture = MakeTlsFilter<TlsHandshakeRecorder>(
+      server_, kTlsHandshakeHelloRetryRequest);
+  const std::vector<SSLNamedGroup> groups = {ssl_grp_ec_secp384r1,
+                                             ssl_grp_ffdhe_2048};
+  server_->ConfigNamedGroups(groups);
+  // DTLS does not support 1.0
+  if (variant_ == ssl_variant_datagram) {
+    client_->SetVersionRange(SSL_LIBRARY_VERSION_TLS_1_1,
+                             SSL_LIBRARY_VERSION_TLS_1_3);
+  } else {
+    client_->SetVersionRange(SSL_LIBRARY_VERSION_TLS_1_0,
+                             SSL_LIBRARY_VERSION_TLS_1_3);
+  }
+  server_->SetVersionRange(version_, version_);
+  Connect();
+  CheckKeys(ssl_kea_ecdh, ssl_grp_ec_secp384r1, ssl_auth_rsa_sign,
+            ssl_sig_rsa_pss_rsae_sha256);
+
+  EXPECT_EQ(version_ == SSL_LIBRARY_VERSION_TLS_1_3,
+            hrr_capture->buffer().len() != 0);
+}
+
 // This causes a HelloRetryRequest in TLS 1.3.  Earlier versions don't care.
 TEST_P(TlsConnectGeneric, ConnectEcdheP384Server) {
   EnsureTlsSetup();

security/nss/gtests/ssl_gtest/ssl_extension_unittest.cc

@@ -9,9 +9,6 @@
 #include "sslerr.h"
 #include "sslproto.h"
 
-// This is only to get DTLS_1_3_DRAFT_VERSION
-#include "ssl3prot.h"
-
 #include <memory>
 
 #include "tls_connect.h"
@@ -175,11 +172,7 @@ class TlsExtensionTest13
     if (variant_ == ssl_variant_datagram) {
       switch (version) {
         case SSL_LIBRARY_VERSION_TLS_1_3:
-#ifdef DTLS_1_3_DRAFT_VERSION
-          version = 0x7f00 | DTLS_1_3_DRAFT_VERSION;
-#else
           version = SSL_LIBRARY_VERSION_DTLS_1_3_WIRE;
-#endif
           break;
         case SSL_LIBRARY_VERSION_TLS_1_2:
           version = SSL_LIBRARY_VERSION_DTLS_1_2_WIRE;
@@ -1097,27 +1090,12 @@ TEST_P(TlsExtensionTest13, RemoveTls13FromVersionListBothV12) {
                            SSL_LIBRARY_VERSION_TLS_1_3);
   server_->SetVersionRange(SSL_LIBRARY_VERSION_TLS_1_2,
                            SSL_LIBRARY_VERSION_TLS_1_3);
-// The downgrade check is disabled in DTLS 1.3, so all that happens when we
-// tamper with the supported versions is that the Finished check fails.
-#ifdef DTLS_1_3_DRAFT_VERSION
-  if (variant_ == ssl_variant_datagram) {
-    ExpectAlert(server_, kTlsAlertDecryptError);
-  } else
-#endif
-  {
-    ExpectAlert(client_, kTlsAlertIllegalParameter);
-  }
+  // The downgrade check is disabled in DTLS 1.3, so all that happens when we
+  // tamper with the supported versions is that the Finished check fails.
+  ExpectAlert(client_, kTlsAlertIllegalParameter);
   ConnectWithReplacementVersionList(SSL_LIBRARY_VERSION_TLS_1_2);
-#ifdef DTLS_1_3_DRAFT_VERSION
-  if (variant_ == ssl_variant_datagram) {
-    client_->CheckErrorCode(SSL_ERROR_DECRYPT_ERROR_ALERT);
-    server_->CheckErrorCode(SSL_ERROR_BAD_HANDSHAKE_HASH_VALUE);
-  } else
-#endif
-  {
-    client_->CheckErrorCode(SSL_ERROR_RX_MALFORMED_SERVER_HELLO);
-    server_->CheckErrorCode(SSL_ERROR_ILLEGAL_PARAMETER_ALERT);
-  }
+  client_->CheckErrorCode(SSL_ERROR_RX_MALFORMED_SERVER_HELLO);
+  server_->CheckErrorCode(SSL_ERROR_ILLEGAL_PARAMETER_ALERT);
 }
 
 TEST_P(TlsExtensionTest13, HrrThenRemoveSignatureAlgorithms) {