Bug 1720464 - land NSS b1eac8c86e99 UPGRADE_NSS_RELEASE, r=beurdouche

Differential Revision: https://phabricator.services.mozilla.com/D119914

build/moz.configure/nss.configure

@@ -9,7 +9,7 @@ option("--with-system-nss", help="Use system NSS")
 imply_option("--with-system-nspr", True, when="--with-system-nss")
 
 nss_pkg = pkg_check_modules(
-    "NSS", "nss >= 3.68", when="--with-system-nss", config=False
+    "NSS", "nss >= 3.69", when="--with-system-nss", config=False
 )
 
 set_config("MOZ_SYSTEM_NSS", True, when="--with-system-nss")

security/nss/TAG-INFO

@@ -1 +1 @@
-NSS_3_68_RTM
+b1eac8c86e99

security/nss/automation/abi-check/previous-nss-release

@@ -1 +1 @@
-NSS_3_67_BRANCH
+NSS_3_68_BRANCH

security/nss/automation/release/nss-release-helper.py

@@ -301,16 +301,16 @@ def create_nss_release_archive():
     check_call_noisy(["mkdir", "-p", nss_stagedir])
     check_call_noisy(["hg", "archive", "-r", nssreltag, "--prefix=nss-" + nssrel + "/nss",
                       stagedir + "/" + nssreltag + "/src/" + nss_tar, "-X", ".hgtags"])
-    check_call_noisy(["gtar", "-xz", "-C", nss_stagedir, "-f", nsprtar_with_path])
+    check_call_noisy(["tar", "-xz", "-C", nss_stagedir, "-f", nsprtar_with_path])
     print("changing to directory " + nss_stagedir)
     os.chdir(nss_stagedir)
-    check_call_noisy(["gtar", "-xz", "-f", nss_tar])
+    check_call_noisy(["tar", "-xz", "-f", nss_tar])
     check_call_noisy(["mv", "-i", "nspr-" + nsprrel + "/nspr", "nss-" + nssrel + "/"])
     check_call_noisy(["rmdir", "nspr-" + nsprrel])
 
     nss_nspr_tar = "nss-" + nssrel + "-with-nspr-" + nsprrel + ".tar.gz"
 
-    check_call_noisy(["gtar", "-cz", "--remove-files", "-f", nss_nspr_tar, "nss-" + nssrel])
+    check_call_noisy(["tar", "-cz", "--remove-files", "-f", nss_nspr_tar, "nss-" + nssrel])
     check_call("sha1sum " + nss_tar + " " + nss_nspr_tar + " > SHA1SUMS", shell=True)
     check_call("sha256sum " + nss_tar + " " + nss_nspr_tar + " > SHA256SUMS", shell=True)
     print("created directory " + nss_stagedir + " with files:")

security/nss/coreconf/Linux.mk

@@ -21,7 +21,7 @@ ifeq ($(USE_PTHREADS),1)
 endif
 
 DEFAULT_COMPILER = gcc
-DEFINES += -D_DEFAULT_SOURCE -D_BSD_SOURCE -D_POSIX_SOURCE -DSQL_MEASURE_USE_TEMP_DIR
+DEFINES += -D_DEFAULT_SOURCE -D_BSD_SOURCE -D_POSIX_SOURCE -DSDB_MEASURE_USE_TEMP_DIR
 
 ifeq ($(OS_TARGET),Android)
 ifndef ANDROID_NDK

security/nss/coreconf/config.gypi

@@ -370,7 +370,7 @@
               '_DEFAULT_SOURCE', # for <endian.h> functions, strdup, realpath, and getentropy
               '_BSD_SOURCE', # for the above in glibc <= 2.19
               '_POSIX_SOURCE', # for <signal.h>
-              'SQL_MEASURE_USE_TEMP_DIR', # use tmpdir for the access calls
+              'SDB_MEASURE_USE_TEMP_DIR', # use tmpdir for the access calls
             ],
           }],
           [ 'OS=="dragonfly" or OS=="freebsd"', {

security/nss/coreconf/coreconf.dep

@@ -10,4 +10,3 @@
  */
 
 #error "Do not include this header file."
-

security/nss/doc/rst/getting_started_with_nss/index.rst

@@ -0,0 +1,106 @@
+.. _mozilla_projects_nss_getting_started_with_nss:
+
+Getting Started With NSS
+========================
+
+.. _how_to_get_involved_with_nss:
+
+`How to get involved with NSS <#how_to_get_involved_with_nss>`__
+----------------------------------------------------------------
+
+.. container::
+
+   | Network Security Services (NSS) is a base library for cryptographic algorithms and secure
+     network protocols used by Mozilla software.
+   | Would you like to get involved and help us to improve the core security of Mozilla Firefox and
+     other applications that make use of NSS? We are looking forward to your contributions!
+   | We have a large list of tasks waiting for attention, and we are happy to assist you in
+     identifying areas that match your interest or skills. You can find us on `Mozilla
+     IRC <https://developer.mozilla.org/en-US/docs/Mozilla/QA/Getting_Started_with_IRC>`__ in
+     channel `#nss <irc://irc.mozilla.org/#nss>`__ or you could ask your questions on the
+     `mozilla.dev.tech.crypto <https://lists.mozilla.org/listinfo/dev-tech-crypto/>`__ newsgroup.
+
+   The NSS library and its supporting command line tools are written in the C programming language.
+   Its build system and the automated tests are based on makefiles and bash scripts.
+
+   Over time, many documents have been produced that describe various aspects of NSS. You can start
+   with:
+
+   -  the current `primary NSS documentation page <https://developer.mozilla.org/en-US/docs/NSS>`__
+      from which we link to other documentation.
+   -  a `General Overview <https://developer.mozilla.org/en-US/docs/Overview_of_NSS>`__ of the
+      applications that use NSS and the features it provides.
+   -  a high level :ref:`mozilla_projects_nss_an_overview_of_nss_internals`.
+   -  learn about getting the :ref:`mozilla_projects_nss_nss_sources_building_testing`
+   -  `Old documentation <https://www-archive.mozilla.org/projects/security/pki/nss/>`__ that is on
+      the archived mozilla.org website.
+
+   (Unfortunately the NSS project doesn't have a technical writer at this time, so our documentation
+   is not as organized as we would like it to be. You could contribute by organizing it in a better
+   way.)
+
+.. _nss_sample_code:
+
+`NSS Sample Code <#nss_sample_code>`__
+--------------------------------------
+
+.. container::
+
+   A good place to start learning how to write NSS applications are the command line tools that are
+   maintained by the NSS developers. You can find them in subdirectory mozilla/security/nss/cmd
+
+   Or have a look at some basic :ref:`mozilla_projects_nss_nss_sample_code`.
+
+   A new set of samples is currently under development and review, see `Create new NSS
+   samples <https://bugzilla.mozilla.org/show_bug.cgi?id=490238>`__.
+
+   You are welcome to download the samples via: hg clone https://hg.mozilla.org/projects/nss; cd
+   nss; hg update SAMPLES_BRANCH
+
+.. _how_to_contribute:
+
+`How to Contribute <#how_to_contribute>`__
+------------------------------------------
+
+.. container::
+
+   ... (this section is still under construction, but there are many contribution opportunities)
+
+   Start by opening a bugzilla account at `bugzilla.mozilla.org <https://bugzilla.mozilla.org/>`__
+   if you don't have one.
+
+   NSS :: Libraries component for issues you'd like to work on. We maintain a list of `NSS bugs
+   marked with a keyword "good-first-bug" that you can
+   view <https://bugzilla.mozilla.org/buglist.cgi?keywords=good-first-bug%2C%20&keywords_type=allwords&classification=Components&query_format=advanced&bug_status=UNCONFIRMED&bug_status=NEW&bug_status=ASSIGNED&bug_status=REOPENED&component=Libraries&product=NSS>`__.
+
+.. _creating_your_patch:
+
+`Creating your Patch <#creating_your_patch>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   Seee our section on :ref:`mozilla_projects_nss_nss_sources_building_testing` to get started
+   making your patch. When you're satisfied with it, you'll need code review.
+
+.. _code_review:
+
+`Code Review <#code_review>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+   `http://phabricator.services.mozilla.com/ <https://phabricator.services.mozilla.com>`__ is our
+   code review tool, which uses your Bugzilla account. Use our `Phabricator user instructions to
+   upload patches for
+   review <https://moz-conduit.readthedocs.io/en/latest/phabricator-user.html>`__.
+
+   Some items that will be evaluated during code review are `listed in checklist form on
+   Github. <https://github.com/mozilla/nss-tools/blob/master/nss-code-review-checklist.yaml>`__
+
+   After passing review, your patch can be landed by a member of the NSS team. You can find us on
+   `Mozilla IRC <https://developer.mozilla.org/en-US/docs/Mozilla/QA/Getting_Started_with_IRC>`__ in
+   channel `#nss <irc://irc.mozilla.org/#nss>`__.
+
+   Note that we don't land code that isn't both reviewed and tested. Code only works when it has
+   tests, and tests only work when they're part of the automation.

security/nss/doc/rst/index.rst

@@ -0,0 +1,178 @@
+.. _mozilla_projects_nss:
+
+Network Security Services
+=========================
+
+.. toctree::
+   :maxdepth: 2
+   :glob:
+   :hidden:
+
+   getting_started_with_nss/index.rst
+   introduction_to_network_security_services/index.rst
+   More documentation <more_docs>
+
+`Documentation <#documentation>`__
+----------------------------------
+
+.. container::
+
+   **Network Security Services** (**NSS**) is a set of libraries designed to support cross-platform
+   development of security-enabled client and server applications. Applications built with NSS can
+   support SSL v3, TLS, PKCS #5, PKCS #7, PKCS #11, PKCS #12, S/MIME, X.509 v3 certificates, and
+   other security standards.
+
+   For detailed information on standards supported, see :ref:`mozilla_projects_nss_overview`. For a
+   list of frequently asked questions, see the :ref:`mozilla_projects_nss_faq`.
+
+   NSS is available under the Mozilla Public License. For information on downloading NSS releases as
+   tar files, see :ref:`mozilla_projects_nss_nss_sources_building_testing`.
+
+   If you're a developer and would like to contribute to NSS, you might want to read the documents
+   :ref:`mozilla_projects_nss_an_overview_of_nss_internals` and
+   :ref:`mozilla_projects_nss_getting_started_with_nss`.
+
+   .. rubric:: Background Information
+      :name: Background_Information
+
+   :ref:`mozilla_projects_nss_overview`
+      Provides a brief summary of NSS and its capabilities.
+   :ref:`mozilla_projects_nss_faq`
+      Answers basic questions about NSS.
+   `Introduction to Public-Key Cryptography <https://developer.mozilla.org/en-US/docs/Archive/Security/Introduction_to_Public-Key_Cryptography>`__
+      Explains the basic concepts of public-key cryptography that underlie NSS.
+   `Introduction to SSL <https://developer.mozilla.org/en-US/docs/Archive/Security/Introduction_to_SSL>`__
+      Introduces the SSL protocol, including information about cryptographic ciphers supported by
+      SSL and the steps involved in the SSL handshake.
+
+   .. rubric:: Getting Started
+      :name: Getting_Started
+
+   :ref:`mozilla_projects_nss_nss_releases`
+      This page contains information about the current and past releases of NSS.
+   :ref:`mozilla_projects_nss_nss_sources_building_testing`
+      Instructions on how to build NSS on the different supported platforms.
+   `Get Mozilla Source Code Using Mercurial <https://developer.mozilla.org/en-US/docs/Mozilla/Developer_guide/Source_Code/Mercurial>`__
+      Information about with working with Mercurial.
+   `Get Mozilla Source Code Using CVS (deprecated) <https://developer.mozilla.org/en-US/docs/Mozilla/Developer_guide/Source_Code/CVS>`__
+      Old deprecated CVS documentation.
+
+   .. rubric:: NSS APIs
+      :name: NSS_APIs
+
+   :ref:`mozilla_projects_nss_introduction_to_network_security_services`
+      Provides an overview of the NSS libraries and what you need to know to use them.
+   :ref:`mozilla_projects_nss_ssl_functions`
+      Summarizes the SSL APIs exported by the NSS shared libraries.
+   :ref:`mozilla_projects_nss_reference`
+      API used to invoke SSL operations.
+   :ref:`mozilla_projects_nss_nss_api_guidelines`
+      Explains how the libraries and code are organized, and guidelines for developing code (naming
+      conventions, error handling, thread safety, etc.)
+   :ref:`mozilla_projects_nss_nss_tech_notes`
+      Links to NSS technical notes, which provide latest information about new NSS features and
+      supplementary documentation for advanced topics in programming with NSS.
+
+   .. rubric:: Tools, testing, and other technical details
+      :name: Tools_testing_and_other_technical_details
+
+   :ref:`mozilla_projects_nss_building`
+      Describe how to check out and build NSS releases.
+
+   :ref:`mozilla_projects_nss_nss_developer_tutorial`
+      How to make changes in NSS. Coding style, maintaining ABI compatibility.
+
+   :ref:`mozilla_projects_nss_tools`
+      Tools for developing, debugging, and managing applications that use NSS.
+   :ref:`mozilla_projects_nss_nss_sample_code`
+      Demonstrates how NSS can be used for cryptographic operations, certificate handling, SSL, etc.
+   :ref:`mozilla_projects_nss_nss_third-party_code`
+      A list of third-party code included in the NSS library.
+   `NSS 3.2 Test Suite <https://www-archive.mozilla.org/projects/security/pki/nss/testnss_32.html>`__
+      **Archived version.** Describes how to run the standard NSS tests.
+   `NSS Performance Reports <https://www-archive.mozilla.org/projects/security/pki/nss/performance_reports.html>`__
+      **Archived version.** Links to performance reports for NSS 3.2 and later releases.
+   `Encryption Technologies Available in NSS 3.11 <https://www-archive.mozilla.org/projects/security/pki/nss/nss-3.11/nss-3.11-algorithms.html>`__
+      **Archived version.** Lists the cryptographic algorithms used by NSS 3.11.
+   `NSS 3.1 Loadable Root Certificates <https://www-archive.mozilla.org/projects/security/pki/nss/loadable_certs.html>`__
+      **Archived version.** Describes the scheme for loading root CA certificates.
+   `cert7.db <https://www-archive.mozilla.org/projects/security/pki/nss/db_formats.html>`__
+      **Archived version.** General format of the cert7.db database.
+
+   .. rubric:: PKCS #11 information
+      :name: PKCS_11_information
+
+   -  :ref:`mozilla_projects_nss_pkcs11`
+   -  :ref:`mozilla_projects_nss_pkcs11_implement`
+   -  :ref:`mozilla_projects_nss_pkcs11_module_specs`
+   -  :ref:`mozilla_projects_nss_pkcs11_faq`
+   -  `Using the JAR Installation Manager to Install a PKCS #11 Cryptographic
+      Module <https://developer.mozilla.org/en-US/docs/PKCS11_Jar_Install>`__
+   -  `PKCS #11 Conformance Testing - Archived
+      version <https://www-archive.mozilla.org/projects/security/pki/pkcs11/>`__
+
+   .. rubric:: CA certificates pre-loaded into NSS
+      :name: CA_certificates_pre-loaded_into_NSS
+
+   -  `Mozilla CA certificate policy <https://www.mozilla.org/projects/security/certs/policy/>`__
+   -  `List of pre-loaded CA certificates <https://wiki.mozilla.org/CA/Included_Certificates>`__
+
+      -  Consumers of this list must consider the trust bit setting for each included root
+         certificate. `More
+         Information <https://www.imperialviolet.org/2012/01/30/mozillaroots.html>`__, `Extracting
+         roots and their trust bits <https://github.com/agl/extract-nss-root-certs>`__
+
+   .. rubric:: NSS is built on top of Netscape Portable Runtime (NSPR)
+      :name: NSS_is_built_on_top_of_Netscape_Portable_Runtime_NSPR
+
+   `Netscape Portable Runtime <NSPR>`__
+      NSPR project page.
+   `NSPR Reference <https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSPR/Reference>`__
+      NSPR API documentation.
+
+   .. rubric:: Additional Information
+      :name: Additional_Information
+
+   -  `Using the window.crypto object from
+      JavaScript <https://developer.mozilla.org/en-US/docs/JavaScript_crypto>`__
+   -  :ref:`mozilla_projects_nss_http_delegation`
+   -  :ref:`mozilla_projects_nss_tls_cipher_suite_discovery`
+   -  :ref:`mozilla_projects_nss_certificate_download_specification`
+   -  :ref:`mozilla_projects_nss_fips_mode_-_an_explanation`
+   -  :ref:`mozilla_projects_nss_key_log_format`
+
+   .. rubric:: Planning
+      :name: Planning
+
+   Information on NSS planning can be found at `wiki.mozilla.org <https://wiki.mozilla.org/NSS>`__,
+   including:
+
+   -  `FIPS Validation <https://wiki.mozilla.org/FIPS_Validation>`__
+   -  `NSS Roadmap page <https://wiki.mozilla.org/NSS:Roadmap>`__
+   -  `NSS Improvement
+      Project <https://fedoraproject.org/wiki/User:Mitr/NSS:DeveloperFriendliness>`__
+
+.. _Community:
+
+Community
+~~~~~~~~~
+
+-  View Mozilla Security forums...
+
+-  `Mailing list <https://lists.mozilla.org/listinfo/dev-security>`__
+-  `Newsgroup <http://groups.google.com/group/mozilla.dev.security>`__
+-  `RSS feed <http://groups.google.com/group/mozilla.dev.security/feeds>`__
+
+-  View Mozilla Cryptography forums...
+
+-  `Mailing list <https://lists.mozilla.org/listinfo/dev-tech-crypto>`__
+-  `Newsgroup <http://groups.google.com/group/mozilla.dev.tech.crypto>`__
+-  `RSS feed <http://groups.google.com/group/mozilla.dev.tech.crypto/feeds>`__
+
+.. _Related_Topics:
+
+Related Topics
+~~~~~~~~~~~~~~
+
+-  `Security <https://developer.mozilla.org/en-US/docs/Security>`__
+