Bug 1758579 - land NSS NSS_3_77_RTM UPGRADE_NSS_RELEASE, r=djackson

Differential Revision: https://phabricator.services.mozilla.com/D142584

security/nss/TAG-INFO

@@ -1 +1 @@
-NSS_3_77_BETA1
+NSS_3_77_RTM

security/nss/cmd/mpitests/mpitests.gyp

@@ -13,6 +13,9 @@
       'sources': [
         'mpi-test.c',
       ],
+      'defines': [
+        'NSS_USE_STATIC_LIBS'
+      ],
       'dependencies': [
         '<(DEPTH)/exports.gyp:nss_exports',
         '<(DEPTH)/lib/util/util.gyp:nssutil3',
@@ -45,6 +48,7 @@
     ],
   },
   'variables': {
-    'module': 'nss'
+    'module': 'nss',
+    'use_static_libs': 1
   }
 }

security/nss/coreconf/coreconf.dep

@@ -10,3 +10,4 @@
  */
 
 #error "Do not include this header file."
+

security/nss/doc/rst/legacy/key_log_format/index.rst

@@ -58,4 +58,4 @@ NSS Key Log Format
    secret depends on the selected cipher suite. It is 64, 96 or 128 characters for SHA256, SHA384 or
    SHA512 respectively.
 
-   For Wireshark usage, see `SSL - Wireshark Wiki <https://wiki.wireshark.org/SSL>`__.
+   For Wireshark usage, see `TLS - Wireshark Wiki <https://wiki.wireshark.org/TLS>`__.

security/nss/doc/rst/releases/index.rst

@@ -8,10 +8,11 @@ Releases
    :glob:
    :hidden:
 
+   nns_3_77.rst
+   nns_3_76_1.rst
    nns_3_76.rst
    nss_3_75.rst
    nss_3_74.rst
-   nss_3_68_2.rst
    nss_3_73_1.rst
    nss_3_73.rst
    nss_3_72_1.rst
@@ -20,6 +21,7 @@ Releases
    nss_3_70.rst
    nss_3_69_1.rst
    nss_3_69.rst
+   nss_3_68_3.rst
    nss_3_68_2.rst
    nss_3_68_1.rst
    nss_3_68.rst
@@ -30,21 +32,37 @@ Releases
 
 .. note::
 
-   **NSS 3.76** is the latest version of NSS.
-   Complete release notes are available here: :ref:`mozilla_projects_nss_nss_3_76_release_notes`
+   **NSS 3.77** is the latest version of NSS.
+   Complete release notes are available here: :ref:`mozilla_projects_nss_nss_3_77_release_notes`
 
-   **NSS 3.68.2** is the latest LTS version of NSS.
-   Complete release notes are available here: :ref:`mozilla_projects_nss_nss_3_68_2_release_notes`
+   **NSS 3.68.3** is the latest LTS version of NSS.
+   Complete release notes are available here: :ref:`mozilla_projects_nss_nss_3_68_3_release_notes`
 
 
 .. container::
 
-   Changes in 3.76 included in this release:
+   Changes in 3.77 included in this release:
 
-   - Bug 1755555 - Hold tokensLock through nssToken_GetSlot calls in nssTrustDomain_GetActiveSlots. r=rrelyea 
-   - Bug 1370866 - Check return value of PK11Slot_GetNSSToken. r=djackson 
-   - Bug 1747957 - Use Wycheproof JSON for RSASSA-PSS, r=nss-reviewers,bbeurdouche 
-   - Bug 1679803 - Add SHA256 fingerprint comments to old certdata.txt entries. r=nss-reviewers,bbeurdouche
-   - Bug 1753505 - Avoid truncating files in nss-release-helper.py. r=bbeurdouche
-   - Bug 1751157 - Throw illegal_parameter alert for illegal extensions in handshake message. r=djackson
+   - Bug 1762244 - resolve mpitests build failure on Windows.
+   - Bug 1761779 - Fix link to TLS page on wireshark wiki
+   - Bug 1754890 - Add two D-TRUST 2020 root certificates.
+   - Bug 1751298 - Add Telia Root CA v2 root certificate.
+   - Bug 1751305 - Remove expired explicitly distrusted certificates from certdata.txt.
+   - Bug 1005084 - support specific RSA-PSS parameters in mozilla::pkix
+   - Bug 1753535 - Remove obsolete stateEnd check in SEC_ASN1DecoderUpdate.
+   - Bug 1756271 - Remove token member from NSSSlot struct.
+   - Bug 1602379 - Provide secure variants of mpp_pprime and mpp_make_prime.
+   - Bug 1757279 - Support UTF-8 library path in the module spec string.
+   - Bug 1396616 - Update nssUTF8_Length to RFC 3629 and fix buffer overrun.
+   - Bug 1760827 - Add a CI Target for gcc-11.
+   - Bug 1760828 - Change to makefiles for gcc-4.8.
+   - Bug 1741688 - Update googletest to 1.11.0
+   - Bug 1759525 - Add SetTls13GreaseEchSize to experimental API.
+   - Bug 1755264 - TLS 1.3 Illegal legacy_version handling/alerts.
+   - Bug 1755904 - Fix calculation of ECH HRR Transcript.
+   - Bug 1758741 - Allow ld path to be set as environment variable.
+   - Bug 1760653 - Ensure we don't read uninitialized memory in ssl gtests.
+   - Bug 1758478 - Fix DataBuffer Move Assignment.
+   - Bug 1552254 - internal_error alert on Certificate Request with sha1+ecdsa in TLS 1.3
+   - Bug 1755092 - rework signature verification in mozilla::pkix
 

security/nss/doc/rst/releases/nss_3_68_3.rst

@@ -0,0 +1,72 @@
+.. _mozilla_projects_nss_nss_3_68_3_release_notes:
+
+NSS 3.68.3 (ESR) release notes
+==============================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+   Network Security Services (NSS) 3.68.3 (ESR) was released on **28 March 2022**.
+
+.. _distribution_information:
+
+`Distribution Information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+   The HG tag is NSS_3_68_3_RTM. NSS 3.68.3 requires NSPR 4.32 or newer.
+
+   NSS 3.68.3 source distributions are available on ftp.mozilla.org for secure HTTPS download:
+
+   -  Source tarballs:
+      https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_68_3_RTM/src/
+
+   Other releases are available :ref:`mozilla_projects_nss_releases`.
+
+.. _changes_in_nss_3.68.3:
+
+`Changes in NSS 3.68.3 <#changes_in_nss_3.68.3>`__
+----------------------------------------------------
+
+.. container::
+
+   - Bug 1756271 - Remove token member from NSSSlot struct.
+   - Bug 1755555 - Hold tokensLock through nssToken_GetSlot calls in nssTrustDomain_GetActiveSlots.
+   - Bug 1370866 - Check return value of PK11Slot_GetNSSToken.
+
+
+
+`Compatibility <#compatibility>`__
+----------------------------------
+
+.. container::
+
+   NSS 3.68.3 shared libraries are backwards-compatible with all older NSS 3.x shared
+   libraries. A program linked with older NSS 3.x shared libraries will work with
+   this new version of the shared libraries without recompiling or
+   relinking. Furthermore, applications that restrict their use of NSS APIs to the
+   functions listed in NSS Public Functions will remain compatible with future
+   versions of the NSS shared libraries.
+
+`Feedback <#feedback>`__
+------------------------
+
+.. container::
+
+   Bugs discovered should be reported by filing a bug report on
+   `bugzilla.mozilla.org <https://bugzilla.mozilla.org/enter_bug.cgi?product=NSS>`__ (product NSS).
+
+
+`Notes <#notes>`__
+------------------
+
+.. container::
+
+   This release improves the stability of NSS when used in a multi-threaded
+   environment. In particular, it fixes memory safety violations that can occur
+   when PKCS#11 tokens are removed while in use (CVE-2022-1097). We presume
+   that with enough effort these memory safety violations are exploitable.
+

security/nss/doc/rst/releases/nss_3_76_1.rst

@@ -0,0 +1,68 @@
+.. _mozilla_projects_nss_nss_3_76_1_release_notes:
+
+NSS 3.76.1 release notes
+======================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+   Network Security Services (NSS) 3.76.1 was released on **28 March 2022**.
+
+.. _distribution_information:
+
+`Distribution Information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+   The HG tag is NSS_3_76_1_RTM. NSS 3.76.1 requires NSPR 4.32 or newer.
+
+   NSS 3.76.1 source distributions are available on ftp.mozilla.org for secure HTTPS download:
+
+   -  Source tarballs:
+      https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_76_1_RTM/src/
+
+   Other releases are available :ref:`mozilla_projects_nss_releases`.
+
+.. _changes_in_nss_3.76.1:
+
+`Changes in NSS 3.76.1 <#changes_in_nss_3.76.1>`__
+----------------------------------------------------
+
+.. container::
+
+   - Bug 1756271 - Remove token member from NSSSlot struct.
+
+
+`Compatibility <#compatibility>`__
+----------------------------------
+
+.. container::
+
+   NSS 3.76.1 shared libraries are backwards-compatible with all older NSS 3.x shared
+   libraries. A program linked with older NSS 3.x shared libraries will work with
+   this new version of the shared libraries without recompiling or
+   relinking. Furthermore, applications that restrict their use of NSS APIs to the
+   functions listed in NSS Public Functions will remain compatible with future
+   versions of the NSS shared libraries.
+
+`Feedback <#feedback>`__
+------------------------
+
+.. container::
+
+   Bugs discovered should be reported by filing a bug report on
+   `bugzilla.mozilla.org <https://bugzilla.mozilla.org/enter_bug.cgi?product=NSS>`__ (product NSS).
+
+`Notes <#notes>`__
+------------------
+
+.. container::
+
+   This release improves the stability of NSS when used in a multi-threaded
+   environment. In particular, it fixes memory safety violations that can occur
+   when PKCS#11 tokens are removed while in use (CVE-2022-1097). We presume
+   that with enough effort these memory safety violations are exploitable.
+

security/nss/doc/rst/releases/nss_3_77.rst

@@ -0,0 +1,92 @@
+.. _mozilla_projects_nss_nss_3_77_release_notes:
+
+NSS 3.77 release notes
+======================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+   Network Security Services (NSS) 3.77 was released on **31 March 2022**.
+
+
+.. _distribution_information:
+
+`Distribution Information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+   The HG tag is NSS_3_77_RTM. NSS 3.77 requires NSPR 4.32 or newer.
+
+   NSS 3.77 source distributions are available on ftp.mozilla.org for secure HTTPS download:
+
+   -  Source tarballs:
+      https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_77_RTM/src/
+
+   Other releases are available :ref:`mozilla_projects_nss_releases`.
+
+.. _changes_in_nss_3.77:
+
+`Changes in NSS 3.77 <#changes_in_nss_3.77>`__
+----------------------------------------------------
+
+.. container::
+
+   - Bug 1762244 - resolve mpitests build failure on Windows.
+   - Bug 1761779 - Fix link to TLS page on wireshark wiki
+   - Bug 1754890 - Add two D-TRUST 2020 root certificates.
+   - Bug 1751298 - Add Telia Root CA v2 root certificate.
+   - Bug 1751305 - Remove expired explicitly distrusted certificates from certdata.txt.
+   - Bug 1005084 - support specific RSA-PSS parameters in mozilla::pkix
+   - Bug 1753535 - Remove obsolete stateEnd check in SEC_ASN1DecoderUpdate.
+   - Bug 1756271 - Remove token member from NSSSlot struct.
+   - Bug 1602379 - Provide secure variants of mpp_pprime and mpp_make_prime.
+   - Bug 1757279 - Support UTF-8 library path in the module spec string.
+   - Bug 1396616 - Update nssUTF8_Length to RFC 3629 and fix buffer overrun.
+   - Bug 1760827 - Add a CI Target for gcc-11.
+   - Bug 1760828 - Change to makefiles for gcc-4.8.
+   - Bug 1741688 - Update googletest to 1.11.0
+   - Bug 1759525 - Add SetTls13GreaseEchSize to experimental API.
+   - Bug 1755264 - TLS 1.3 Illegal legacy_version handling/alerts.
+   - Bug 1755904 - Fix calculation of ECH HRR Transcript.
+   - Bug 1758741 - Allow ld path to be set as environment variable.
+   - Bug 1760653 - Ensure we don't read uninitialized memory in ssl gtests.
+   - Bug 1758478 - Fix DataBuffer Move Assignment.
+   - Bug 1552254 - internal_error alert on Certificate Request with sha1+ecdsa in TLS 1.3
+   - Bug 1755092 - rework signature verification in mozilla::pkix
+
+
+
+`Compatibility <#compatibility>`__
+----------------------------------
+
+.. container::
+
+   NSS 3.77 shared libraries are backwards-compatible with all older NSS 3.x shared
+   libraries. A program linked with older NSS 3.x shared libraries will work with
+   this new version of the shared libraries without recompiling or
+   relinking. Furthermore, applications that restrict their use of NSS APIs to the
+   functions listed in NSS Public Functions will remain compatible with future
+   versions of the NSS shared libraries.
+
+`Feedback <#feedback>`__
+------------------------
+
+.. container::
+
+   Bugs discovered should be reported by filing a bug report on
+   `bugzilla.mozilla.org <https://bugzilla.mozilla.org/enter_bug.cgi?product=NSS>`__ (product NSS).
+
+`Notes <#notes>`__
+------------------
+
+.. container::
+
+   For users upgrading from NSS < 3.76.1 or NSS < 3.68.3, this release improves
+   the stability of NSS when used in a multi-threaded environment. In
+   particular, it fixes memory safety violations that can occur when PKCS#11
+   tokens are removed while in use (CVE-2022-1097). We presume that with enough
+   effort these memory safety violations are exploitable.
+

security/nss/lib/nss/nss.h

@@ -22,12 +22,12 @@
  * The format of the version string should be
  *     "<major version>.<minor version>[.<patch level>[.<build number>]][ <ECC>][ <Beta>]"
  */
-#define NSS_VERSION "3.77" _NSS_CUSTOMIZED " Beta"
+#define NSS_VERSION "3.77" _NSS_CUSTOMIZED
 #define NSS_VMAJOR 3
 #define NSS_VMINOR 77
 #define NSS_VPATCH 0
 #define NSS_VBUILD 0
-#define NSS_BETA PR_TRUE
+#define NSS_BETA PR_FALSE
 
 #ifndef RC_INVOKED
 

security/nss/lib/softoken/softkver.h

@@ -17,11 +17,11 @@
  * The format of the version string should be
  *     "<major version>.<minor version>[.<patch level>[.<build number>]][ <ECC>][ <Beta>]"
  */
-#define SOFTOKEN_VERSION "3.77" SOFTOKEN_ECC_STRING " Beta"
+#define SOFTOKEN_VERSION "3.77" SOFTOKEN_ECC_STRING
 #define SOFTOKEN_VMAJOR 3
 #define SOFTOKEN_VMINOR 77
 #define SOFTOKEN_VPATCH 0
 #define SOFTOKEN_VBUILD 0
-#define SOFTOKEN_BETA PR_TRUE
+#define SOFTOKEN_BETA PR_FALSE
 
 #endif /* _SOFTKVER_H_ */

security/nss/lib/util/nssutil.h

@@ -19,12 +19,12 @@
  * The format of the version string should be
  *     "<major version>.<minor version>[.<patch level>[.<build number>]][ <Beta>]"
  */
-#define NSSUTIL_VERSION "3.77 Beta"
+#define NSSUTIL_VERSION "3.77"
 #define NSSUTIL_VMAJOR 3
 #define NSSUTIL_VMINOR 77
 #define NSSUTIL_VPATCH 0
 #define NSSUTIL_VBUILD 0
-#define NSSUTIL_BETA PR_TRUE
+#define NSSUTIL_BETA PR_FALSE
 
 SEC_BEGIN_PROTOS