Read-only Git mirror of the Mercurial gecko repositories at https://hg.mozilla.org. How to contribute: https://firefox-source-docs.mozilla.org/contributing/contribution_quickref.html
Benjamin Beurdouche a1a5fc3aa9 Bug 1720464 - land NSS e9236397be13 UPGRADE_NSS_RELEASE, r=beurdouche
```
2021-07-24  Benjamin Beurdouche  <bbeurdouche@mozilla.com>

	* doc/rst/build_artifacts.rst, doc/rst/community.rst,
	doc/rst/getting_started.rst, doc/rst/index.rst, doc/rst/more.rst,
	doc/rst/releases/index.rst, doc/rst/releases/nss_3_64.rst,
	doc/rst/releases/nss_3_65.rst, doc/rst/releases/nss_3_66.rst,
	doc/rst/releases/nss_3_67.rst, doc/rst/releases/nss_3_68.rst:
	Documentation: update and release notes for NSS 3.64 to 3.68
	[e9236397be13] [tip]

2021-07-20  Robert Relyea  <rrelyea@redhat.com>

	* gtests/ssl_gtest/nss_policy.h,
	gtests/ssl_gtest/ssl_auth_unittest.cc,
	gtests/ssl_gtest/ssl_extension_unittest.cc,
	gtests/ssl_gtest/tls_agent.cc, gtests/ssl_gtest/tls_agent.h,
	gtests/ssl_gtest/tls_connect.cc, lib/ssl/ssl3con.c,
	lib/ssl/sslimpl.h:
	Bug 1720235 SSL handling of signature algorithms ignores
	environmental invalid algorithms.

	Our QA is quite extensive on handling of alert corner cases. Our
	code that checks if a signature algorithm is supported ignores the
	role of policy. If SHA1 is turned off by policy, for instance, we
	only detect that late in the game. This shows up in our test cases
	as decrypt_alerts rather than illegal_parameter or handshake_error
	alerts. It also shows up in us apparently accepting a client auth
	request which only has invalid alerts.

	We also don't handle filtering out signature algorithms that are
	illegal in tls 1.3 mode.

	This patch not only fixes these issues, but also issues where we
	are proposing signature algorithms in server mode that we don't support
	by policy.

	This patch includes:

	In gtests: 1) adding support for policy in ssl_gtests. Currently
	both the server and client will run with the same policy. The patch
	allows us to set policy on one and keeping the old policy on the
	other.

	2) Update extension tests which failed in tls 1.3 because the patch
	now correctly rejects illegal tls 1.3 auth values. The test was
	updated to use a legal auth value in tls 1.3 (so we are correctly
	testing the format issue).

	3) Update extension tests to handle the case where we try to use an
	illegal value for tls 1.3.

	4) add tests to ssl_auth_unittests.cc to make sure we can properly
	connect even when several auth methods are turned off by policy
	(make sure we don't advertize them on the client side, and that the
	server doesn't select them when the client doesn't advertize them).

	5) add tests to ssl_auth_unittests.cc to make sure we don't send
	empty client auth requests when the requester only sends invalid
	auth requests.

	patch itself: 1) The handling of policy checks for ssl schemes were
	scattered in various locations. I've consolidated them into a single
	function. That function now checks for NSS_ALG_USE_IN_ANY_SIGNATURE
	as if this is off by policy, we will fail if we try to use the
	algorithm in a signature in any case. NSS now supports policy on all
	signature algorithms, not just DSA, so we need to check the policy
	of all the algorithms.

	2) to support the policy check on the signature algorithms, I added
	a new ssl_AuthTypeToOID, which also replaces our switch in checking
	if the SPKI matches our auth type.

	 3) ssl_SignatureSchemeValid now accepts an spkiOid of
	SEC_OID_UNKNOWN. To allow us to filter signature schemes based on
	version and policy restrictions before we try to select a
	certificate. This prevents us from sending empty client auth
	messages when we are presented with only invalid signature schemes.

	4) We filter supported algorithms against policy early, preventing
	us from sending, or even setting invalid algorithms if they are
	turned off by policy.

	5) ssl_ConsumeSignatureScheme was handling alerts inconsistently.
	The Consume could send an alert in its failure case, but the check
	of scheme validity wouldn't send an alert. The callers were
	inconsistent as well. Now ssl_ConsumeSignatureScheme always sends an
	alert on failure, and the callers do not.

	[c71bb1bedf7d]
```

Differential Revision: https://phabricator.services.mozilla.com/D120787
2021-07-24 17:26:14 +00:00
.cargo Backed out 2 changesets (bug 1687070) for causing failures on cubeb.drain, cubeb.tone. CLOSED TREE 2021-07-16 15:16:05 +03:00
.vscode
accessible Bug 1694571: Replace AccessibleOrProxy's with Accessible's r=Jamie 2021-07-22 17:58:49 +00:00
browser Bug 1719492 - Migrates screenshot icons into the browser/component/screenshots directory. r=emalysz 2021-07-23 18:25:51 +00:00
build Bug 1721755 - Only set EARLY_BETA_OR_EARLIER on beta and earlier. r=firefox-build-system-reviewers,andi,mhentges 2021-07-22 21:28:58 +00:00
caps Bug 1719838 - Assert that OriginAttributes are pristine in PopulateFromSuffix. r=ckerschb 2021-07-21 12:10:58 +00:00
chrome
config Bug 1635327 - Disable __tls_get_addr interception in sanitizer builds. r=firefox-build-system-reviewers,emilio,andi 2021-07-22 22:00:59 +00:00
devtools Bug 1717873 - Move link color styles to ua.css. r=morgan 2021-07-24 12:05:30 +00:00
docs Bug 1717076: Tweak some of the existing documentation r=andi 2021-07-22 19:50:38 +00:00
docshell Bug 1716849: Add crash annotation for error when aborting for failed module import. r=mccr8 2021-07-22 16:58:02 +00:00
dom Bug 1720568: Be more explicit about the WorkerPrivate self-reference. r=dom-worker-reviewers,asuth 2021-07-24 10:04:55 +00:00
editor Bug 1721317 - part 2: Make _pasteToTargetElement() sync r=m_kato 2021-07-21 23:22:04 +00:00
extensions Bug 1713735 - Add the bits necessary to build wasm sandbox libs with wasm2c. r=firefox-build-system-reviewers,mhentges 2021-07-16 02:38:41 +00:00
gfx Bug 1722031 - Fix RelativeLuminanceUtils::Adjust to not choke on blacks / zero components. r=mstange 2021-07-24 13:30:25 +00:00
gradle/wrapper
hal Bug 1720688 - Support extended attribute syntax in protocol declarations, r=mccr8 2021-07-22 02:24:43 +00:00
image Bug 1666222: Cut over a ton of NowUnfuzzed calls -> Now 4/5 r=smaug,extension-reviewers,zombie 2021-07-14 18:18:17 +00:00
intl Bug 1715595 - Use char rather than uint8_t for utf-8 in unified components r=platform-i18n-reviewers,gregtatum 2021-07-23 14:58:00 +00:00
ipc Bug 1687843: PreallocatedProcessManager will return a launching process if one exists r=nika 2021-07-24 03:25:59 +00:00
js Bug 1722010 - Filter reporting of allocation sites by the number of allocations r=sfink 2021-07-24 08:10:24 +00:00
layout Bug 1717873 - Move link color styles to ua.css. r=morgan 2021-07-24 12:05:30 +00:00
media Bug 1720704 - Re-enable libjxl updates every n-weeks; r=saschanaz 2021-07-15 14:33:41 +00:00
memory Bug 1720342: Do not run logalloc tests for the CodeQL build r=glandium 2021-07-23 17:00:46 +00:00
mfbt Bug 1719396: Don't hash sizeof(size_t) in HashBytes r=glandium 2021-07-19 21:35:40 +00:00
mobile Bug 1722076 - stop loading previously-removed GeckoViewPromptChild.js from GeckoViewStartup.jsm, r=agi 2021-07-23 20:07:50 +00:00
modules Bug 1722031 - Tweak accent-color foreground computation and let it ride the trains. r=mstange 2021-07-24 13:30:25 +00:00
mozglue Bug 1635327 - Disable __tls_get_addr interception in sanitizer builds. r=firefox-build-system-reviewers,emilio,andi 2021-07-22 22:00:59 +00:00
netwerk Bug 1716849: Add crash annotation for error when aborting for failed module import. r=mccr8 2021-07-22 16:58:02 +00:00
nsprpub Bug 1715584 - Update to NSPR_4_32_RTM (no code change). r=bbeurdouche UPGRADE_NSPR_RELEASE DONTBUILD 2021-07-01 09:07:04 +00:00
other-licenses Bug 1710751: Create LINKS_TO relation to track anchors and their corresponding elements r=eeejay 2021-05-26 21:31:42 +00:00
parser Bug 1718184 - pt 1. IdleTaskRunner now uses TimeDuration r=nika 2021-07-13 01:42:32 +00:00
python Bug 1718341 - Enable keyboard in Android AVDs. r=nalexander 2021-07-22 17:38:43 +00:00
remote Bug 1721148 - [remote] Report WebSocket handshake failures to the client. r=webdriver-reviewers,jgraham 2021-07-23 16:12:32 +00:00
security Bug 1720464 - land NSS e9236397be13 UPGRADE_NSS_RELEASE, r=beurdouche 2021-07-24 17:26:14 +00:00
services No Bug, mozilla-central repo-update HSTS HPKP remote-settings - a=repo-update r=jcristau 2021-07-22 11:55:25 +00:00
servo Bug 1720554 Part 1 - Remove the paper size variant of GenericPageSize and add an implied default to the paper size and orientation variant. r=emilio 2021-07-23 18:11:16 +00:00
startupcache
storage Bug 1720374 - Remove MOZ_GECKO_PROFILER ifdefs that are not useful, r=gerald. 2021-07-15 22:04:23 +00:00
taskcluster Bug 1717540 - add release-partner-attribution config for esr. r=bhearsum DONTBUILD 2021-07-23 14:21:57 +00:00
testing Bug 1722031 - Fix an accent-color test. r=mstange 2021-07-24 12:55:39 +00:00
third_party Backed out 2 changesets (bug 1687070) for causing failures on cubeb.drain, cubeb.tone. CLOSED TREE 2021-07-16 15:16:05 +03:00
toolkit Bug 1693385 - Support manifest.host_permissions for MV3 r=mixedpuppy 2021-07-24 12:44:03 +00:00
tools Bug 1719577 - Part 2: Create mMonitor eagerly in MessageChannel's constructor, r=handyman 2021-07-23 19:14:56 +00:00
uriloader Bug 1720688 - Support extended attribute syntax in protocol declarations, r=mccr8 2021-07-22 02:24:43 +00:00
view Bug 1721537 - Split out WindowRenderer base class from LayerManager. r=miko 2021-07-22 22:58:57 +00:00
widget Bug 1722031 - Tweak accent-color foreground computation and let it ride the trains. r=mstange 2021-07-24 13:30:25 +00:00
xpcom Bug 1715858 - Part3. Add a new category memory_watcher to the event ping. r=KrisWright 2021-07-22 21:15:01 +00:00
xpfe/appshell Bug 1586830 - Part 1: Ensure IsInitialDocument is set earlier and consistently on WindowGlobalParent, r=smaug 2021-07-14 15:51:20 +00:00
.arcconfig
.babel-eslint.rc.js
.clang-format
.clang-format-ignore Bug 1719491 - revert clang-format of tools/profiler/public/GeckoTraceEvent.h. r=ng 2021-07-07 15:57:17 +00:00
.cron.yml Bug 1717540 - Add esr91 support. r=releng-reviewers,taskgraph-reviewers,aki 2021-07-13 10:17:48 +00:00
.eslintignore Bug 1515695 - Remove Task.jsm. r=florian,jdescottes 2021-06-17 08:28:02 +00:00
.eslintrc.js Bug 1716642 - Replaced calls to GlobalManager.extensionMap.get() with WebExtensionPolicy.getByID(). r=Standard8,kmag,robwu 2021-06-24 15:06:17 +00:00
.flake8 Bug 1714641: Remove usages of vendored "wptserve_py2" library r=jgraham,ahal 2021-06-09 15:48:51 +00:00
.git-blame-ignore-revs
.gitattributes
.gitignore
.hg-annotate-ignore-revs
.hg-format-source
.hgignore
.hgtags No bug - tagging 41ae2b104b93c1779db0f34ba1c045e3e696898b with FIREFOX_NIGHTLY_91_END a=release DONTBUILD CLOSED TREE 2021-07-12 12:48:34 +00:00
.lando.ini Bug 1714470: add .lando.ini file r=zeid DONTBUILD 2021-06-08 12:52:25 +00:00
.lldbinit
.mailmap
.prettierignore
.prettierrc
.taskcluster.yml Bug 1721729 - Increase decision task timeout to 60 minutes, r?#taskgraph-reviewers! CLOSED TREE 2021-07-22 17:27:36 +00:00
.trackerignore
.yamllint
.ycm_extra_conf.py
aclocal.m4
AUTHORS
build.gradle
Cargo.lock Bug 1710861 - FOG should depend only on glean not glean-core r=janerik 2021-07-19 15:17:11 +00:00
Cargo.toml Bug 1719674 - Make packed_simd compile with Rust 1.54. r=glandium 2021-07-15 08:42:08 +00:00
client.mk
client.py
CLOBBER Update configs. IGNORE BROKEN CHANGESETS CLOSED TREE NO BUG a=release ba=release 2021-07-12 12:48:42 +00:00
configure.in
configure.py Bug 1720591: Remove unused patch_main() for Python < 3.4 on Windows r=ahal 2021-07-16 16:34:42 +00:00
GNUmakefile
gradle.properties
gradlew
gradlew.bat
LICENSE
mach Bug 1713173 - Add --profile-command flag for profiling mach commands. r=firefox-build-system-reviewers,mhentges 2021-06-02 21:28:56 +00:00
mach.ps1
Makefile.in
moz.build
moz.configure Bug 1721514 - Add a few more debugging logs about configure bootstrap. r=firefox-build-system-reviewers,andi 2021-07-21 21:00:13 +00:00
mozilla-config.h.in
old-configure.in Bug 1709640 - Remove unused variables in android/confvars.sh r=nalexander,aklotz 2021-07-20 22:19:17 +00:00
package-lock.json Bug 1702858 - Update node modules for latest versions, remove obsolete. r=mossop 2021-05-19 16:53:53 +00:00
package.json Bug 1702858 - Update node modules for latest versions, remove obsolete. r=mossop 2021-05-19 16:53:53 +00:00
README.txt
settings.gradle
substitute-local-geckoview.gradle Bug 1709640 - Add GeckoView Lite build variant. r=jmaher,aklotz,mhentges,glandium 2021-07-20 22:19:17 +00:00
test.mozbuild

An explanation of the Firefox Source Code Directory Structure and links to
project pages with documentation can be found at:

    https://firefox-source-docs.mozilla.org/contributing/directory_structure.html

For information on how to build Firefox from the source code and create a patch, see:

    https://firefox-source-docs.mozilla.org/contributing/contribution_quickref.html

If you have a question about developing Firefox, and can't find the solution
on https://firefox-source-docs.mozilla.org/, you can try asking your question on Matrix at chat.mozilla.org in the `Introduction` (https://chat.mozilla.org/#/room/#introduction:mozilla.org) channel.


Nightly development builds can be downloaded from:

    https://archive.mozilla.org/pub/firefox/nightly/latest-mozilla-central/
            - or -
    https://www.mozilla.org/firefox/channel/desktop/#nightly

Keep in mind that nightly builds, which are used by Firefox developers for
testing, may be buggy.