Bug 1911746 - land NSS NSS_3_104_RTM UPGRADE_NSS_RELEASE, r=nss-reviewers,nkulatova DONTBUILD

Differential Revision: https://phabricator.services.mozilla.com/D220686

security/nss/TAG-INFO

@@ -1 +1 @@
-NSS_3_104_BETA1
+NSS_3_104_RTM

security/nss/coreconf/coreconf.dep

@@ -10,3 +10,4 @@
  */
 
 #error "Do not include this header file."
+

security/nss/doc/rst/releases/index.rst

@@ -8,6 +8,7 @@ Releases
    :glob:
    :hidden:
 
+   nss_3_104.rst
    nss_3_103.rst
    nss_3_102_1.rst
    nss_3_102.rst
@@ -75,34 +76,44 @@ Releases
 
 .. note::
 
-   **NSS 3.103** is the latest version of NSS.
-   Complete release notes are available here: :ref:`mozilla_projects_nss_nss_3_103_release_notes`
+   **NSS 3.104** is the latest version of NSS.
+   Complete release notes are available here: :ref:`mozilla_projects_nss_nss_3_104_release_notes`
 
    **NSS 3.101.2 (ESR)** is the latest ESR version of NSS.
    Complete release notes are available here: :ref:`mozilla_projects_nss_nss_3_101_1_release_notes`
 
 .. container::
 
-   Changes in 3.103 included in this release:
+   Changes in 3.104 included in this release:
+
+   - Bug 1910071 - Copy original corpus to heap-allocated buffer
+   - Bug 1910079 - Fix min ssl version for DTLS client fuzzer
+   - Bug 1908990 - Remove OS2 support just like we did on NSPR
+   - Bug 1910605 - clang-format NSS improvements
+   - Bug 1902078 - Adding basicutil.h to use HexString2SECItem function
+   - Bug 1908990 - removing dirent.c from build
+   - Bug 1902078 - Allow handing in keymaterial to shlibsign to make the output reproducible (
+   - Bug 1908990 - remove nec4.3, sunos4, riscos and SNI references
+   - Bug 1908990 - remove other old OS (BSDI, old HP UX, NCR, openunix, sco, unixware or reliantUnix
+   - Bug 1908990 - remove mentions of WIN95
+   - Bug 1908990 - remove mentions of WIN16
+   - Bug 1913750 - More explicit directory naming
+   - Bug 1913755 - Add more options to TLS server fuzz target
+   - Bug 1913675 - Add more options to TLS client fuzz target
+   - Bug 1835240 - Use OSS-Fuzz corpus in NSS CI
+   - Bug 1908012 - set nssckbi version number to 2.70.
+   - Bug 1914499 - Remove Email Trust bit from ACCVRAIZ1 root cert.
+   - Bug 1908009 - Remove Email Trust bit from certSIGN ROOT CA.
+   - Bug 1908006 - Add Cybertrust Japan Roots to NSS.
+   - Bug 1908004 - Add Taiwan CA Roots to NSS.
+   - Bug 1911354 - remove search by decoded serial in nssToken_FindCertificateByIssuerAndSerialNumber.
+   - Bug 1913132 - Fix tstclnt CI build failure
+   - Bug 1913047 - vfyserv: ensure peer cert chain is in db for CERT_VerifyCertificateNow.
+   - Bug 1912427 - Enable all supported protocol versions for UDP
+   - Bug 1910361 - Actually use random PSK hash type
+   - Bug 1911576: Initialize NSS DB once
+   - Bug 1910361 - Additional ECH cipher suites and PSK hash types
+   - Bug 1903604: Automate corpus file generation for TLS client Fuzzer
+   - Bug 1910364 - Fix crash with UNSAFE_FUZZER_MODE
+   - Bug 1910605 - clang-format shlibsign.c
 
-   - Bug 1908623 - move list size check after lock acquisition in sftk_PutObjectToList.
-   - Bug 1899542 - Add fuzzing support for SSL_ENABLE_POST_HANDSHAKE_AUTH.
-   - Bug 1909638 - Follow-up to fix test for presence of file nspr.patch.
-   - Bug 1903783 - Adjust libFuzzer size limits.
-   - Bug 1899542 - Add fuzzing support for SSL_SetCertificateCompressionAlgorithm, SSL_SetClientEchConfigs, SSL_VersionRangeSet and SSL_AddExternalPsk.
-   - Bug 1899542 - Add fuzzing support for SSL_ENABLE_GREASE and SSL_ENABLE_CH_EXTENSION_PERMUTATION.
-   - Bug 1909638 - NSS automation should always cleanup the NSPR tree.
-   - Bug 590806 - Freeing symKey in pk11_PubDeriveECKeyWithKDF when a key_size is 0 and wrong kd.
-   - Bug 1908831 - Don't link zlib where it's not needed.
-   - Bug 1908597 - Removing dead code from X25519 seckey.
-   - Bug 1905691 - ChaChaXor to return after the functio.
-   - Bug 1900416 - NSS Support of X25519 import/export functionalit.
-   - Bug 1890618 - add PeerCertificateChainDER function to libssl.
-   - Bug 1908190 - fix definitions of freeblCipher_native_aes_*_worker on arm.
-   - Bug 1907743 - pk11mode: avoid passing null phKey to C_DeriveKey.
-   - Bug 1902119 - reuse X25519 share when offering both X25519 and Xyber768d00.
-   - Set nssckbi version number to 2.69.
-   - Bug 1904404 - add NSS_DISABLE_NSPR_TESTS option to makefile.
-   - Bug 1905746 - avoid calling functions through pointers of incompatible type.
-   - Bug 1905783 - merge docker-fuzz32 and docker-fuzz images.
-   - Bug 1903373 - fix several scan-build warnings.

security/nss/doc/rst/releases/nss_3_104.rst

@@ -0,0 +1,83 @@
+.. _mozilla_projects_nss_nss_3_104_release_notes:
+
+NSS 3.104 release notes
+========================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+   Network Security Services (NSS) 3.104 was released on *1 August 2024**.
+
+`Distribution Information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+   The HG tag is NSS_3_104_RTM. NSS 3.104 requires NSPR 4.35 or newer.
+
+   NSS 3.104 source distributions are available on ftp.mozilla.org for secure HTTPS download:
+
+   -  Source tarballs:
+      https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_104_RTM/src/
+
+   Other releases are available :ref:`mozilla_projects_nss_releases`.
+
+.. _changes_in_nss_3.104:
+
+`Changes in NSS 3.104 <#changes_in_nss_3.104>`__
+------------------------------------------------------------------
+
+.. container::
+
+   - Bug 1910071 - Copy original corpus to heap-allocated buffer
+   - Bug 1910079 - Fix min ssl version for DTLS client fuzzer
+   - Bug 1908990 - Remove OS2 support just like we did on NSPR
+   - Bug 1910605 - clang-format NSS improvements
+   - Bug 1902078 - Adding basicutil.h to use HexString2SECItem function
+   - Bug 1908990 - removing dirent.c from build
+   - Bug 1902078 - Allow handing in keymaterial to shlibsign to make the output reproducible (
+   - Bug 1908990 - remove nec4.3, sunos4, riscos and SNI references
+   - Bug 1908990 - remove other old OS (BSDI, old HP UX, NCR, openunix, sco, unixware or reliantUnix
+   - Bug 1908990 - remove mentions of WIN95
+   - Bug 1908990 - remove mentions of WIN16
+   - Bug 1913750 - More explicit directory naming
+   - Bug 1913755 - Add more options to TLS server fuzz target
+   - Bug 1913675 - Add more options to TLS client fuzz target
+   - Bug 1835240 - Use OSS-Fuzz corpus in NSS CI
+   - Bug 1908012 - set nssckbi version number to 2.70.
+   - Bug 1914499 - Remove Email Trust bit from ACCVRAIZ1 root cert.
+   - Bug 1908009 - Remove Email Trust bit from certSIGN ROOT CA.
+   - Bug 1908006 - Add Cybertrust Japan Roots to NSS.
+   - Bug 1908004 - Add Taiwan CA Roots to NSS.
+   - Bug 1911354 - remove search by decoded serial in nssToken_FindCertificateByIssuerAndSerialNumber.
+   - Bug 1913132 - Fix tstclnt CI build failure
+   - Bug 1913047 - vfyserv: ensure peer cert chain is in db for CERT_VerifyCertificateNow.
+   - Bug 1912427 - Enable all supported protocol versions for UDP
+   - Bug 1910361 - Actually use random PSK hash type
+   - Bug 1911576: Initialize NSS DB once
+   - Bug 1910361 - Additional ECH cipher suites and PSK hash types
+   - Bug 1903604: Automate corpus file generation for TLS client Fuzzer
+   - Bug 1910364 - Fix crash with UNSAFE_FUZZER_MODE
+   - Bug 1910605 - clang-format shlibsign.c
+
+`Compatibility <#compatibility>`__
+----------------------------------
+
+.. container::
+
+   NSS 3.104 shared libraries are backwards-compatible with all older NSS 3.x shared
+   libraries. A program linked with older NSS 3.x shared libraries will work with
+   this new version of the shared libraries without recompiling or
+   relinking. Furthermore, applications that restrict their use of NSS APIs to the
+   functions listed in NSS Public Functions will remain compatible with future
+   versions of the NSS shared libraries.
+
+`Feedback <#feedback>`__
+------------------------
+
+.. container::
+
+   Bugs discovered should be reported by filing a bug report on
+   `bugzilla.mozilla.org <https://bugzilla.mozilla.org/enter_bug.cgi?product=NSS>`__ (product NSS).

security/nss/lib/nss/nss.h

@@ -22,12 +22,12 @@
  * The format of the version string should be
  *     "<major version>.<minor version>[.<patch level>[.<build number>]][ <ECC>][ <Beta>]"
  */
-#define NSS_VERSION "3.104" _NSS_CUSTOMIZED " Beta"
+#define NSS_VERSION "3.104" _NSS_CUSTOMIZED
 #define NSS_VMAJOR 3
 #define NSS_VMINOR 104
 #define NSS_VPATCH 0
 #define NSS_VBUILD 0
-#define NSS_BETA PR_TRUE
+#define NSS_BETA PR_FALSE
 
 #ifndef RC_INVOKED
 

security/nss/lib/softoken/softkver.h

@@ -17,11 +17,11 @@
  * The format of the version string should be
  *     "<major version>.<minor version>[.<patch level>[.<build number>]][ <ECC>][ <Beta>]"
  */
-#define SOFTOKEN_VERSION "3.104" SOFTOKEN_ECC_STRING " Beta"
+#define SOFTOKEN_VERSION "3.104" SOFTOKEN_ECC_STRING
 #define SOFTOKEN_VMAJOR 3
 #define SOFTOKEN_VMINOR 104
 #define SOFTOKEN_VPATCH 0
 #define SOFTOKEN_VBUILD 0
-#define SOFTOKEN_BETA PR_TRUE
+#define SOFTOKEN_BETA PR_FALSE
 
 #endif /* _SOFTKVER_H_ */

security/nss/lib/util/nssutil.h

@@ -19,12 +19,12 @@
  * The format of the version string should be
  *     "<major version>.<minor version>[.<patch level>[.<build number>]][ <Beta>]"
  */
-#define NSSUTIL_VERSION "3.104 Beta"
+#define NSSUTIL_VERSION "3.104"
 #define NSSUTIL_VMAJOR 3
 #define NSSUTIL_VMINOR 104
 #define NSSUTIL_VPATCH 0
 #define NSSUTIL_VBUILD 0
-#define NSSUTIL_BETA PR_TRUE
+#define NSSUTIL_BETA PR_FALSE
 
 SEC_BEGIN_PROTOS