Bug 1523175 - land NSS b7713856ebf2 UPGRADE_NSS_RELEASE, r=me

--HG--
extra : rebase_source : 9dbb754fb73fde471308ac331ae445a45c77c870
extra : amend_source : 68c501b209d49f8c5d04c891056dda2a9057fbd9

old-configure.in

@@ -47,7 +47,7 @@ dnl Set the version number of the libs included with mozilla
 dnl ========================================================
 MOZPNG=10635
 NSPR_VERSION=4
-NSPR_MINVER=4.19
+NSPR_MINVER=4.21
 NSS_VERSION=3
 
 dnl Set the minimum version of toolkit libs used by mozilla

security/nss/.taskcluster.yml

@@ -1,47 +1,37 @@
+# This file is rendered via JSON-e in a hook with context:
+#   {
+#     tasks_for: 'hg-push',
+#     push: {owner, pushlog_id, pushdate},
+#     repository: {url, project, level},
+#     now,
+#     ownTaskId: // taskId of the task that will be created
+#   }
 ---
-version: 0
-metadata:
-  name: "NSS Continuous Integration"
-  description: "The Taskcluster task graph for the NSS tree"
-  owner: "mozilla-taskcluster-maintenance@mozilla.com"
-  source: {{{source}}}
-
-scopes:
-  # Note the below scopes are insecure however these get overriden on the server
-  # side to whatever scopes are set by mozilla-taskcluster.
-  - queue:*
-  - docker-worker:*
-  - scheduler:*
-
-# Available mustache parameters (see the mozilla-taskcluster source):
-#
-# - owner:          push user (email address)
-# - source:         URL of this YAML file
-# - url:            repository URL
-# - project:        alias for the destination repository (basename of
-#                   the repo url)
-# - level:          SCM level of the destination repository
-#                   (1 = try, 3 = core)
-# - revision:       (short) hg revision of the head of the push
-# - revision_hash:  (long) hg revision of the head of the push
-# - comment:        comment of the push
-# - pushlog_id:     id in the pushlog table of the repository
-#
-# and functions:
-# - as_slugid:      convert a label into a slugId
-# - from_now:       generate a timestamp at a fixed offset from now
-
+version: 1
 tasks:
-  - taskId: '{{#as_slugid}}decision task{{/as_slugid}}'
-    reruns: 3
-    task:
-      created: '{{now}}'
-      deadline: '{{#from_now}}1 day{{/from_now}}'
-      expires: '{{#from_now}}14 days{{/from_now}}'
+  - $let:
+      # sometimes the push user is just `ffxbld` or the like, but we want an
+      # email-like field..
+      ownerEmail:
+        $if: '"@" in push.owner'
+        then: '${push.owner}'
+        else: '${push.owner}@noreply.mozilla.org'
+      # ensure there's no trailing `/` on the repo URL
+      repoUrl:
+        $if: 'repository.url[-1] == "/"'
+        then: {$eval: 'repository.url[:-1]'}
+        else: {$eval: 'repository.url'}
+    in:
+      taskId: '${ownTaskId}'
+      taskGroupId: '${ownTaskId}'
+      schedulerId: 'gecko-level-nss'
+      created: {$fromNow: ''}
+      deadline: {$fromNow: '1 day'}
+      expires: {$fromNow: '14 days'}
 
       metadata:
         owner: mozilla-taskcluster-maintenance@mozilla.com
-        source: {{{source}}}
+        source: "${repository.url}"
         name: "NSS Decision Task"
         description: |
             The task that creates all of the other tasks in the task graph
@@ -49,24 +39,27 @@ tasks:
       workerType: "hg-worker"
       provisionerId: "aws-provisioner-v1"
 
+      scopes:
+        - 'assume:repo:${repoUrl[8:]}:branch:default'
+        - 'queue:route:notify.email.${ownerEmail}.*'
       tags:
-        createdForUser: {{owner}}
+        createdForUser: "${ownerEmail}"
 
       routes:
-        - "tc-treeherder-stage.v2.{{project}}.{{revision}}.{{pushlog_id}}"
-        - "tc-treeherder.v2.{{project}}.{{revision}}.{{pushlog_id}}"
+        - "tc-treeherder-stage.v2.${repository.project}.${push.revision}.${push.pushlog_id}"
+        - "tc-treeherder.v2.${repository.project}.${push.revision}.${push.pushlog_id}"
 
       payload:
-        image: nssdev/nss-decision:0.0.2
+        # TODO: use nssdev org , not djmitche, once the image is pushed there
+        image: djmitche/nss-decision:0.0.3
 
         env:
-          TC_OWNER: {{owner}}
-          TC_SOURCE: {{{source}}}
-          TC_PROJECT: {{project}}
-          TC_COMMENT: '{{comment}}'
-          NSS_PUSHLOG_ID: '{{pushlog_id}}'
-          NSS_HEAD_REPOSITORY: '{{{url}}}'
-          NSS_HEAD_REVISION: '{{revision}}'
+          TC_OWNER: "${push.owner}"
+          TC_SOURCE: "${repository.url}"
+          TC_PROJECT: ${repository.project}
+          NSS_PUSHLOG_ID: '${push.pushlog_id}'
+          NSS_HEAD_REPOSITORY: '${repository.url}'
+          NSS_HEAD_REVISION: '${push.revision}'
 
         maxRunTime: 1800
 

security/nss/TAG-INFO

@@ -1 +1 @@
-794984bb1169
+b7713856ebf2

security/nss/automation/abi-check/expected-report-libnss3.so.txt

@@ -0,0 +1,5 @@
+
+1 Added function:
+
+  'function SECOidTag HASH_GetHashOidTagByHashType(HASH_HashType)'    {HASH_GetHashOidTagByHashType@@NSS_3.43}
+

security/nss/automation/release/nspr-version.txt

@@ -1,4 +1,4 @@
-4.20
+4.21
 
 # The first line of this file must contain the human readable NSPR
 # version number, which is the minimum required version of NSPR

security/nss/automation/taskcluster/docker-decision/Dockerfile

@@ -9,6 +9,7 @@ RUN apt-get update \
     locales \
     mercurial \
     nodejs \
+    npm \
  && rm -rf /var/lib/apt/lists/* \
  && apt-get autoremove -y && apt-get clean -y
 

security/nss/automation/taskcluster/graph/src/index.js

@@ -5,10 +5,17 @@
 import * as try_syntax from "./try_syntax";
 import extend from "./extend";
 
-// Init try syntax filter.
-if (process.env.TC_PROJECT == "nss-try") {
-  try_syntax.initFilter();
-}
+const main = async () => {
+  // Init try syntax filter.
+  if (process.env.TC_PROJECT == "nss-try") {
+    await try_syntax.initFilter();
+  }
 
-// Extend the task graph.
-extend().catch(console.error);
+  // Extend the task graph.
+  await extend();
+};
+
+main().catch(err => {
+  console.error(err);
+  process.exit(1);
+});

security/nss/automation/taskcluster/graph/src/try_syntax.js

@@ -5,6 +5,10 @@
 import * as queue from "./queue";
 import intersect from "intersect";
 import parse_args from "minimist";
+import util from "util";
+import child_process from 'child_process';
+
+let execFile = util.promisify(child_process.execFile);
 
 function parseOptions(opts) {
   opts = parse_args(opts.split(/\s+/), {
@@ -154,8 +158,13 @@ function filter(opts) {
   }
 }
 
-export function initFilter() {
-  let comment = process.env.TC_COMMENT || "";
+async function getCommitComment() {
+  const res = await execFile('hg', ['log', '-r', '.', '-T', '{desc}']);
+  return res.stdout;
+};
+
+export async function initFilter() {
+  let comment = await getCommitComment();
 
   // Check for try syntax in changeset comment.
   let match = comment.match(/^\s*try:\s*(.*)\s*$/);

security/nss/coreconf/coreconf.dep

@@ -10,3 +10,4 @@
  */
 
 #error "Do not include this header file."
+

security/nss/gtests/ssl_gtest/ssl_recordsize_unittest.cc

@@ -397,6 +397,16 @@ TEST_P(TlsConnectGeneric, RecordSizeServerExtensionInvalid) {
   ConnectExpectAlert(client_, kTlsAlertIllegalParameter);
 }
 
+TEST_P(TlsConnectGeneric, RecordSizeServerExtensionExtra) {
+  EnsureTlsSetup();
+  server_->SetOption(SSL_RECORD_SIZE_LIMIT, 1000);
+  static const uint8_t v[] = {0x01, 0x00, 0x00};
+  auto replace = MakeTlsFilter<TlsExtensionReplacer>(
+      server_, ssl_record_size_limit_xtn, DataBuffer(v, sizeof(v)));
+  replace->EnableDecryption();
+  ConnectExpectAlert(client_, kTlsAlertDecodeError);
+}
+
 class RecordSizeDefaultsTest : public ::testing::Test {
  public:
   void SetUp() {

security/nss/lib/cryptohi/sechash.c

@@ -202,13 +202,46 @@ HASH_GetHashTypeByOidTag(SECOidTag hashOid)
             ht = HASH_AlgSHA512;
             break;
         default:
-            ht = HASH_AlgNULL;
             PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
             break;
     }
     return ht;
 }
 
+SECOidTag
+HASH_GetHashOidTagByHashType(HASH_HashType type)
+{
+    SECOidTag oid = SEC_OID_UNKNOWN;
+
+    switch (type) {
+        case HASH_AlgMD2:
+            oid = SEC_OID_MD2;
+            break;
+        case HASH_AlgMD5:
+            oid = SEC_OID_MD5;
+            break;
+        case HASH_AlgSHA1:
+            oid = SEC_OID_SHA1;
+            break;
+        case HASH_AlgSHA224:
+            oid = SEC_OID_SHA224;
+            break;
+        case HASH_AlgSHA256:
+            oid = SEC_OID_SHA256;
+            break;
+        case HASH_AlgSHA384:
+            oid = SEC_OID_SHA384;
+            break;
+        case HASH_AlgSHA512:
+            oid = SEC_OID_SHA512;
+            break;
+        default:
+            PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
+            break;
+    }
+    return oid;
+}
+
 SECOidTag
 HASH_GetHashOidTagByHMACOidTag(SECOidTag hmacOid)
 {

security/nss/lib/cryptohi/sechash.h

@@ -53,6 +53,8 @@ extern HASH_HashType HASH_GetHashTypeByOidTag(SECOidTag hashOid);
 extern SECOidTag HASH_GetHashOidTagByHMACOidTag(SECOidTag hmacOid);
 extern SECOidTag HASH_GetHMACOidTagByHashOidTag(SECOidTag hashOid);
 
+extern SECOidTag HASH_GetHashOidTagByHashType(HASH_HashType type);
+
 SEC_END_PROTOS
 
 #endif /* _HASH_H_ */

security/nss/lib/nss/nss.def

@@ -1139,3 +1139,9 @@ CERT_GetCertKeyType;
 ;+    local:
 ;+       *;
 ;+};
+;+NSS_3.43 { 	# NSS 3.43 release
+;+    global:
+HASH_GetHashOidTagByHashType;
+;+    local:
+;+       *;
+;+};

security/nss/lib/ssl/ssl3exthandle.c

@@ -1927,7 +1927,7 @@ ssl_HandleRecordSizeLimitXtn(const sslSocket *ss, TLSExtensionData *xtnData,
         return SECFailure;
     }
     if (data->len != 0 || limit < 64) {
-        ssl3_ExtSendAlert(ss, alert_fatal, illegal_parameter);
+        ssl3_ExtSendAlert(ss, alert_fatal, decode_error);
         PORT_SetError(SSL_ERROR_RX_MALFORMED_HANDSHAKE);
         return SECFailure;
     }