Bug 1296266, land NSS_3_27_BETA4, r=franziskus
authorKai Engert <kaie@kuix.de>
Thu, 22 Sep 2016 21:21:30 +0200
changeset 314937 aca64a177c446e4cf4b080115a6569dc347e0df9
parent 314936 3fdb67f309bd4c618fd74b1f39e303bd0d7176e8
child 314938 1a89a84c1b7df7bedb6ae6540f1eaa3fed8f87e2
push id82021
push userkaie@kuix.de
push dateThu, 22 Sep 2016 19:22:12 +0000
treeherdermozilla-inbound@aca64a177c44 [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewersfranziskus
bugs1296266
milestone52.0a1
first release with
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
last release without
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
Bug 1296266, land NSS_3_27_BETA4, r=franziskus
security/nss/TAG-INFO
security/nss/coreconf/coreconf.dep
security/nss/external_tests/ssl_gtest/tls_parser.h
security/nss/lib/ckfw/builtins/certdata.txt
security/nss/lib/ssl/ssl3prot.h
security/nss/lib/ssl/sslt.h
--- a/security/nss/TAG-INFO
+++ b/security/nss/TAG-INFO
@@ -1,1 +1,1 @@
-NSS_3_27_BRANCH
+NSS_3_27_BETA4
--- a/security/nss/coreconf/coreconf.dep
+++ b/security/nss/coreconf/coreconf.dep
@@ -5,8 +5,9 @@
 
 /*
  * A dummy header file that is a dependency for all the object files.
  * Used to force a full recompilation of NSS in Mozilla's Tinderbox
  * depend builds.  See comments in rules.mk.
  */
 
 #error "Do not include this header file."
+
--- a/security/nss/external_tests/ssl_gtest/tls_parser.h
+++ b/security/nss/external_tests/ssl_gtest/tls_parser.h
@@ -43,17 +43,17 @@ const uint8_t kTlsAlertHandshakeFailure 
 const uint8_t kTlsAlertIllegalParameter = 47;
 const uint8_t kTlsAlertDecodeError = 50;
 const uint8_t kTlsAlertDecryptError = 51;
 const uint8_t kTlsAlertMissingExtension = 109;
 const uint8_t kTlsAlertUnsupportedExtension = 110;
 const uint8_t kTlsAlertNoApplicationProtocol = 120;
 
 const uint16_t kTlsSigSchemeRsaPkcs1Sha1 = 0x0201;
-const uint16_t kTlsSigSchemeRsaPssSha256 = 0x0700;
+const uint16_t kTlsSigSchemeRsaPssSha256 = 0x0804;
 
 const uint8_t kTlsFakeChangeCipherSpec[] = {
     kTlsChangeCipherSpecType,  // Type
     0xfe,
     0xff,  // Version
     0x00,
     0x00,
     0x00,
--- a/security/nss/lib/ckfw/builtins/certdata.txt
+++ b/security/nss/lib/ckfw/builtins/certdata.txt
@@ -8742,165 +8742,16 @@ END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\001\102
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_NOT_TRUSTED
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_NOT_TRUSTED
 CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_NOT_TRUSTED
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
-#
-# Certificate "IGC/A"
-#
-# Issuer: E=igca@sgdn.pm.gouv.fr,CN=IGC/A,OU=DCSSI,O=PM/SGDN,L=Paris,ST=France,C=FR
-# Serial Number:39:11:45:10:94
-# Subject: E=igca@sgdn.pm.gouv.fr,CN=IGC/A,OU=DCSSI,O=PM/SGDN,L=Paris,ST=France,C=FR
-# Not Valid Before: Fri Dec 13 14:29:23 2002
-# Not Valid After : Sat Oct 17 14:29:22 2020
-# Fingerprint (MD5): 0C:7F:DD:6A:F4:2A:B9:C8:9B:BD:20:7E:A9:DB:5C:37
-# Fingerprint (SHA1): 60:D6:89:74:B5:C2:65:9E:8A:0F:C1:88:7C:88:D2:46:69:1B:18:2C
-CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "IGC/A"
-CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
-CKA_SUBJECT MULTILINE_OCTAL
-\060\201\205\061\013\060\011\006\003\125\004\006\023\002\106\122
-\061\017\060\015\006\003\125\004\010\023\006\106\162\141\156\143
-\145\061\016\060\014\006\003\125\004\007\023\005\120\141\162\151
-\163\061\020\060\016\006\003\125\004\012\023\007\120\115\057\123
-\107\104\116\061\016\060\014\006\003\125\004\013\023\005\104\103
-\123\123\111\061\016\060\014\006\003\125\004\003\023\005\111\107
-\103\057\101\061\043\060\041\006\011\052\206\110\206\367\015\001
-\011\001\026\024\151\147\143\141\100\163\147\144\156\056\160\155
-\056\147\157\165\166\056\146\162
-END
-CKA_ID UTF8 "0"
-CKA_ISSUER MULTILINE_OCTAL
-\060\201\205\061\013\060\011\006\003\125\004\006\023\002\106\122
-\061\017\060\015\006\003\125\004\010\023\006\106\162\141\156\143
-\145\061\016\060\014\006\003\125\004\007\023\005\120\141\162\151
-\163\061\020\060\016\006\003\125\004\012\023\007\120\115\057\123
-\107\104\116\061\016\060\014\006\003\125\004\013\023\005\104\103
-\123\123\111\061\016\060\014\006\003\125\004\003\023\005\111\107
-\103\057\101\061\043\060\041\006\011\052\206\110\206\367\015\001
-\011\001\026\024\151\147\143\141\100\163\147\144\156\056\160\155
-\056\147\157\165\166\056\146\162
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\005\071\021\105\020\224
-END
-CKA_VALUE MULTILINE_OCTAL
-\060\202\004\002\060\202\002\352\240\003\002\001\002\002\005\071
-\021\105\020\224\060\015\006\011\052\206\110\206\367\015\001\001
-\005\005\000\060\201\205\061\013\060\011\006\003\125\004\006\023
-\002\106\122\061\017\060\015\006\003\125\004\010\023\006\106\162
-\141\156\143\145\061\016\060\014\006\003\125\004\007\023\005\120
-\141\162\151\163\061\020\060\016\006\003\125\004\012\023\007\120
-\115\057\123\107\104\116\061\016\060\014\006\003\125\004\013\023
-\005\104\103\123\123\111\061\016\060\014\006\003\125\004\003\023
-\005\111\107\103\057\101\061\043\060\041\006\011\052\206\110\206
-\367\015\001\011\001\026\024\151\147\143\141\100\163\147\144\156
-\056\160\155\056\147\157\165\166\056\146\162\060\036\027\015\060
-\062\061\062\061\063\061\064\062\071\062\063\132\027\015\062\060
-\061\060\061\067\061\064\062\071\062\062\132\060\201\205\061\013
-\060\011\006\003\125\004\006\023\002\106\122\061\017\060\015\006
-\003\125\004\010\023\006\106\162\141\156\143\145\061\016\060\014
-\006\003\125\004\007\023\005\120\141\162\151\163\061\020\060\016
-\006\003\125\004\012\023\007\120\115\057\123\107\104\116\061\016
-\060\014\006\003\125\004\013\023\005\104\103\123\123\111\061\016
-\060\014\006\003\125\004\003\023\005\111\107\103\057\101\061\043
-\060\041\006\011\052\206\110\206\367\015\001\011\001\026\024\151
-\147\143\141\100\163\147\144\156\056\160\155\056\147\157\165\166
-\056\146\162\060\202\001\042\060\015\006\011\052\206\110\206\367
-\015\001\001\001\005\000\003\202\001\017\000\060\202\001\012\002
-\202\001\001\000\262\037\321\320\142\305\063\073\300\004\206\210
-\263\334\370\210\367\375\337\103\337\172\215\232\111\134\366\116
-\252\314\034\271\241\353\047\211\362\106\351\073\112\161\325\035
-\216\055\317\346\255\253\143\120\307\124\013\156\022\311\220\066
-\306\330\057\332\221\252\150\305\162\376\027\012\262\027\176\171
-\265\062\210\160\312\160\300\226\112\216\344\125\315\035\047\224
-\277\316\162\052\354\134\371\163\040\376\275\367\056\211\147\270
-\273\107\163\022\367\321\065\151\072\362\012\271\256\377\106\102
-\106\242\277\241\205\032\371\277\344\377\111\205\367\243\160\206
-\062\034\135\237\140\367\251\255\245\377\317\321\064\371\175\133
-\027\306\334\326\016\050\153\302\335\361\365\063\150\235\116\374
-\207\174\066\022\326\243\200\350\103\015\125\141\224\352\144\067
-\107\352\167\312\320\262\130\005\303\135\176\261\250\106\220\061
-\126\316\160\052\226\262\060\270\167\346\171\300\275\051\073\375
-\224\167\114\275\040\315\101\045\340\056\307\033\273\356\244\004
-\101\322\135\255\022\152\212\233\107\373\311\335\106\100\341\235
-\074\063\320\265\002\003\001\000\001\243\167\060\165\060\017\006
-\003\125\035\023\001\001\377\004\005\060\003\001\001\377\060\013
-\006\003\125\035\017\004\004\003\002\001\106\060\025\006\003\125
-\035\040\004\016\060\014\060\012\006\010\052\201\172\001\171\001
-\001\001\060\035\006\003\125\035\016\004\026\004\024\243\005\057
-\030\140\120\302\211\012\335\053\041\117\377\216\116\250\060\061
-\066\060\037\006\003\125\035\043\004\030\060\026\200\024\243\005
-\057\030\140\120\302\211\012\335\053\041\117\377\216\116\250\060
-\061\066\060\015\006\011\052\206\110\206\367\015\001\001\005\005
-\000\003\202\001\001\000\005\334\046\330\372\167\025\104\150\374
-\057\146\072\164\340\135\344\051\377\006\007\023\204\112\253\317
-\155\240\037\121\224\370\111\313\164\066\024\274\025\335\333\211
-\057\335\217\240\135\174\365\022\353\237\236\070\244\107\314\263
-\226\331\276\234\045\253\003\176\063\017\225\201\015\375\026\340
-\210\276\067\360\154\135\320\061\233\062\053\135\027\145\223\230
-\140\274\156\217\261\250\074\036\331\034\363\251\046\102\371\144
-\035\302\347\222\366\364\036\132\252\031\122\135\257\350\242\367
-\140\240\366\215\360\211\365\156\340\012\005\001\225\311\213\040
-\012\272\132\374\232\054\074\275\303\267\311\135\170\045\005\077
-\126\024\233\014\332\373\072\110\376\227\151\136\312\020\206\367
-\116\226\004\010\115\354\260\276\135\334\073\216\117\301\375\232
-\066\064\232\114\124\176\027\003\110\225\010\021\034\007\157\205
-\010\176\135\115\304\235\333\373\256\316\262\321\263\270\203\154
-\035\262\263\171\361\330\160\231\176\360\023\002\316\136\335\121
-\323\337\066\201\241\033\170\057\161\263\361\131\114\106\030\050
-\253\205\322\140\126\132
-END
-
-# Trust for Certificate "IGC/A"
-# Issuer: E=igca@sgdn.pm.gouv.fr,CN=IGC/A,OU=DCSSI,O=PM/SGDN,L=Paris,ST=France,C=FR
-# Serial Number:39:11:45:10:94
-# Subject: E=igca@sgdn.pm.gouv.fr,CN=IGC/A,OU=DCSSI,O=PM/SGDN,L=Paris,ST=France,C=FR
-# Not Valid Before: Fri Dec 13 14:29:23 2002
-# Not Valid After : Sat Oct 17 14:29:22 2020
-# Fingerprint (MD5): 0C:7F:DD:6A:F4:2A:B9:C8:9B:BD:20:7E:A9:DB:5C:37
-# Fingerprint (SHA1): 60:D6:89:74:B5:C2:65:9E:8A:0F:C1:88:7C:88:D2:46:69:1B:18:2C
-CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "IGC/A"
-CKA_CERT_SHA1_HASH MULTILINE_OCTAL
-\140\326\211\164\265\302\145\236\212\017\301\210\174\210\322\106
-\151\033\030\054
-END
-CKA_CERT_MD5_HASH MULTILINE_OCTAL
-\014\177\335\152\364\052\271\310\233\275\040\176\251\333\134\067
-END
-CKA_ISSUER MULTILINE_OCTAL
-\060\201\205\061\013\060\011\006\003\125\004\006\023\002\106\122
-\061\017\060\015\006\003\125\004\010\023\006\106\162\141\156\143
-\145\061\016\060\014\006\003\125\004\007\023\005\120\141\162\151
-\163\061\020\060\016\006\003\125\004\012\023\007\120\115\057\123
-\107\104\116\061\016\060\014\006\003\125\004\013\023\005\104\103
-\123\123\111\061\016\060\014\006\003\125\004\003\023\005\111\107
-\103\057\101\061\043\060\041\006\011\052\206\110\206\367\015\001
-\011\001\026\024\151\147\143\141\100\163\147\144\156\056\160\155
-\056\147\157\165\166\056\146\162
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\005\071\021\105\020\224
-END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
-
 # Distrust "Distrusted AC DG Tresor SSL"
 # Issuer: CN=AC DGTPE Signature Authentification,O=DGTPE,C=FR
 # Serial Number: 204199 (0x31da7)
 # Subject: CN=AC DG Tr..sor SSL,O=DG Tr..sor,C=FR
 # Not Valid Before: Thu Jul 18 10:05:28 2013
 # Not Valid After : Fri Jul 18 10:05:28 2014
 # Fingerprint (MD5): 3A:EA:9E:FC:00:0C:E2:06:6C:E0:AC:39:C1:31:DE:C8
 # Fingerprint (SHA1): 5C:E3:39:46:5F:41:A1:E4:23:14:9F:65:54:40:95:40:4D:E6:EB:E2
--- a/security/nss/lib/ssl/ssl3prot.h
+++ b/security/nss/lib/ssl/ssl3prot.h
@@ -338,21 +338,21 @@ typedef enum {
     ssl_sig_rsa_pkcs1_sha256 = 0x0401,
     ssl_sig_rsa_pkcs1_sha384 = 0x0501,
     ssl_sig_rsa_pkcs1_sha512 = 0x0601,
     /* For ECDSA, the pairing of the hash with a specific curve is only enforced
      * in TLS 1.3; in TLS 1.2 any curve can be used with each of these. */
     ssl_sig_ecdsa_secp256r1_sha256 = 0x0403,
     ssl_sig_ecdsa_secp384r1_sha384 = 0x0503,
     ssl_sig_ecdsa_secp521r1_sha512 = 0x0603,
-    ssl_sig_rsa_pss_sha256 = 0x0700,
-    ssl_sig_rsa_pss_sha384 = 0x0701,
-    ssl_sig_rsa_pss_sha512 = 0x0702,
-    ssl_sig_ed25519 = 0x0703,
-    ssl_sig_ed448 = 0x0704,
+    ssl_sig_rsa_pss_sha256 = 0x0804,
+    ssl_sig_rsa_pss_sha384 = 0x0805,
+    ssl_sig_rsa_pss_sha512 = 0x0806,
+    ssl_sig_ed25519 = 0x0807,
+    ssl_sig_ed448 = 0x0808,
 
     ssl_sig_dsa_sha1 = 0x0202,
     ssl_sig_dsa_sha256 = 0x0402,
     ssl_sig_dsa_sha384 = 0x0502,
     ssl_sig_dsa_sha512 = 0x0602,
     ssl_sig_ecdsa_sha1 = 0x0203
 } SignatureScheme;
 
--- a/security/nss/lib/ssl/sslt.h
+++ b/security/nss/lib/ssl/sslt.h
@@ -152,19 +152,20 @@ typedef struct SSLExtraServerCertDataStr
      * used to generate the OCSP stapling answer provided by the server. */
     const SECItemArray* stapledOCSPResponses;
     /* A serialized sign_certificate_timestamp extension, used to answer
      * requests from clients for this data. */
     const SECItem* signedCertTimestamps;
 } SSLExtraServerCertData;
 
 typedef struct SSLChannelInfoStr {
-    /* |length| is obsolete. On return, SSL_GetChannelInfo sets |length| to the
-     * smaller of the |len| argument and the length of the struct. The caller
-     * may ignore |length|. */
+    /* On return, SSL_GetChannelInfo sets |length| to the smaller of
+     * the |len| argument and the length of the struct used by NSS.
+     * Callers must ensure the application uses a version of NSS that
+     * isn't older than the version used at compile time. */
     PRUint32 length;
     PRUint16 protocolVersion;
     PRUint16 cipherSuite;
 
     /* server authentication info */
     PRUint32 authKeyBits;
 
     /* key exchange algorithm info */
@@ -189,41 +190,49 @@ typedef struct SSLChannelInfoStr {
      */
     PRBool extendedMasterSecretUsed;
 
     /* The following fields were added in NSS 3.25.
      * This field only has meaning in TLS >= 1.3, and indicates on the
      * client side that the server accepted early (0-RTT) data.
      */
     PRBool earlyDataAccepted;
+
+    /* When adding new fields to this structure, please document the
+     * NSS version in which they were added. */
 } SSLChannelInfo;
 
 /* Preliminary channel info */
 #define ssl_preinfo_version (1U << 0)
 #define ssl_preinfo_cipher_suite (1U << 1)
 #define ssl_preinfo_all (ssl_preinfo_version | ssl_preinfo_cipher_suite)
 
 typedef struct SSLPreliminaryChannelInfoStr {
-    /* |length| is obsolete. On return, SSL_GetPreliminaryChannelInfo sets
-     * |length| to the smaller of the |len| argument and the length of the
-     * struct. The caller may ignore |length|. */
+    /* On return, SSL_GetPreliminaryChannelInfo sets |length| to the smaller of
+     * the |len| argument and the length of the struct used by NSS.
+     * Callers must ensure the application uses a version of NSS that
+     * isn't older than the version used at compile time. */
     PRUint32 length;
     /* A bitfield over SSLPreliminaryValueSet that describes which
      * preliminary values are set (see ssl_preinfo_*). */
     PRUint32 valuesSet;
     /* Protocol version: test (valuesSet & ssl_preinfo_version) */
     PRUint16 protocolVersion;
     /* Cipher suite: test (valuesSet & ssl_preinfo_cipher_suite) */
     PRUint16 cipherSuite;
+
+    /* When adding new fields to this structure, please document the
+     * NSS version in which they were added. */
 } SSLPreliminaryChannelInfo;
 
 typedef struct SSLCipherSuiteInfoStr {
-    /* |length| is obsolete. On return, SSL_GetCipherSuitelInfo sets |length|
-     * to the smaller of the |len| argument and the length of the struct. The
-     * caller may ignore |length|. */
+    /* On return, SSL_GetCipherSuitelInfo sets |length| to the smaller of
+     * the |len| argument and the length of the struct used by NSS.
+     * Callers must ensure the application uses a version of NSS that
+     * isn't older than the version used at compile time. */
     PRUint16 length;
     PRUint16 cipherSuite;
 
     /* Cipher Suite Name */
     const char* cipherSuiteName;
 
     /* server authentication info */
     const char* authAlgorithmName;
@@ -248,20 +257,23 @@ typedef struct SSLCipherSuiteInfoStr {
     SSLMACAlgorithm macAlgorithm;
     PRUint16 macBits;
 
     PRUintn isFIPS : 1;
     PRUintn isExportable : 1;
     PRUintn nonStandard : 1;
     PRUintn reservedBits : 29;
 
+    /* The following fields were added in NSS 3.24. */
     /* This reports the correct authentication type for the cipher suite, use
      * this instead of |authAlgorithm|. */
     SSLAuthType authType;
 
+    /* When adding new fields to this structure, please document the
+     * NSS version in which they were added. */
 } SSLCipherSuiteInfo;
 
 typedef enum {
     ssl_variant_stream = 0,
     ssl_variant_datagram = 1
 } SSLProtocolVariant;
 
 typedef struct SSLVersionRangeStr {