Bug 1564499 - land NSS 8c6fad5544a6 UPGRADE_NSS_RELEASE, r=me
authorJ.C. Jones <jc@mozilla.com>
Mon, 15 Jul 2019 21:40:37 +0000
changeset 543367 4d719512b650570bcb67c44ee6cdbdd17d1ad12a
parent 543312 c0bcda96a954fe7a3700466bda256aea58189ac9
child 543368 64af83fa5586ed42ff59d8c645edaec9b28e3c88
push id11848
push userffxbld-merge
push dateMon, 26 Aug 2019 19:26:25 +0000
treeherdermozilla-beta@9b31bfdfac10 [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewersme
bugs1564499
milestone70.0a1
first release with
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
last release without
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
Bug 1564499 - land NSS 8c6fad5544a6 UPGRADE_NSS_RELEASE, r=me
security/nss/.taskcluster.yml
security/nss/TAG-INFO
security/nss/automation/taskcluster/docker-hacl/B6C8F98282B944E3B0D5C2530FC3042E345AD05D.asc
security/nss/automation/taskcluster/docker-hacl/Dockerfile
security/nss/automation/taskcluster/docker-hacl/setup.sh
security/nss/automation/taskcluster/graph/src/extend.js
security/nss/build.sh
security/nss/cmd/httpserv/httpserv.c
security/nss/cmd/tstclnt/tstclnt.c
security/nss/coreconf/UNIX.mk
security/nss/coreconf/WIN32.mk
security/nss/coreconf/coreconf.dep
security/nss/help.txt
security/nss/lib/freebl/Makefile
security/nss/lib/freebl/ec.c
security/nss/lib/freebl/verified/FStar.c
security/nss/lib/freebl/verified/FStar.h
security/nss/lib/freebl/verified/Hacl_Chacha20.c
security/nss/lib/freebl/verified/Hacl_Chacha20.h
security/nss/lib/freebl/verified/Hacl_Chacha20_Vec128.c
security/nss/lib/freebl/verified/Hacl_Chacha20_Vec128.h
security/nss/lib/freebl/verified/Hacl_Curve25519.c
security/nss/lib/freebl/verified/Hacl_Curve25519.h
security/nss/lib/freebl/verified/Hacl_Poly1305_32.c
security/nss/lib/freebl/verified/Hacl_Poly1305_32.h
security/nss/lib/freebl/verified/Hacl_Poly1305_64.c
security/nss/lib/freebl/verified/Hacl_Poly1305_64.h
security/nss/lib/freebl/verified/kremlib.h
security/nss/lib/freebl/verified/kremlib_base.h
security/nss/lib/freebl/verified/vec128.h
security/nss/lib/mozpkix/test-lib/pkixtestnss.cpp
security/nss/lib/softoken/legacydb/lgattr.c
security/nss/lib/ssl/tls13esni.c
security/nss/tests/common/certsetup.sh
--- a/security/nss/.taskcluster.yml
+++ b/security/nss/.taskcluster.yml
@@ -50,17 +50,17 @@ tasks:
         - "tc-treeherder-stage.v2.${repository.project}.${push.revision}.${push.pushlog_id}"
         - "tc-treeherder.v2.${repository.project}.${push.revision}.${push.pushlog_id}"
 
       payload:
         # TODO: use nssdev org , not djmitche, once the image is pushed there
         image: djmitche/nss-decision:0.0.3
 
         env:
-          TC_OWNER: "${push.owner}"
+          TC_OWNER: "${ownerEmail}"
           TC_SOURCE: "${repository.url}"
           TC_PROJECT: ${repository.project}
           TC_SCHEDULER_ID: "${schedulerId}"
           NSS_PUSHLOG_ID: '${push.pushlog_id}'
           NSS_HEAD_REPOSITORY: '${repository.url}'
           NSS_HEAD_REVISION: '${push.revision}'
 
         maxRunTime: 1800
--- a/security/nss/TAG-INFO
+++ b/security/nss/TAG-INFO
@@ -1,1 +1,1 @@
-264f19e7ede7
+8c6fad5544a6
new file mode 100644
--- /dev/null
+++ b/security/nss/automation/taskcluster/docker-hacl/B6C8F98282B944E3B0D5C2530FC3042E345AD05D.asc
@@ -0,0 +1,143 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mQINBFS+1SABEACnmkESkY7eZq0GhDjbkWpKmURGk9+ycsfAhA44NqUvf4tk1GPM
+5SkJ/fYedYZJaDVhIp98fHgucD0O+vjOzghtgwtITusYjiPHPFBd/MN+MQqSEAP+
+LUa/kjHLjgyXxKhFUIDGVaDWL5tKOA7/AQKl1TyJ8lz89NHQoUHFsF/hu10+qhJe
+V65d32MXFehIUSvegh8DrPuExrliSiORO4HOhuc6151dWA4YBWVg4rX5kfKrGMMT
+pTWnSSZtgoRhkKW2Ey8cmZUqPuUJIfWyeNVu1e4SFtAivLvu/Ymz2WBJcNA1ZlTr
+RCOR5SIRgZ453pQnI/Bzna2nnJ/TV1gGJIGRahj/ini0cs2x1CILfS/YJQ3rWGGo
+OxwG0BVmPk0cmLVtyTq8gUPwxcPUd6WcBKhot3TDMlrffZACnQwQjlVjk5S1dEEz
+atUfpEuNitU9WOM4jr/gjv36ZNCOWm95YwLhsuci/NddBN8HXhyvs+zYTVZEXa2W
+l/FqOdQsQqZBcJjjWckGKhESdd7934+cesGD3O8KaeSGxww7slJrS0+6QJ8oBoAB
+P/WCn/y2AiY2syEKp3wYIGJyAbsm542zMZ4nc7pYfSu49mcyhQQICmqN5QvOyYUx
+OSqwbAOUNtlOyeRLZNIKoXtTqWDEu5aEiDROTw6Rkq+dIcxPNgOLdeQ3HwARAQAB
+tCFIYW5zIFdlbm5ib3JnIDxoYW5zQGNocm9taXVtLm9yZz6JARwEEAECAAYFAlT2
+MQAACgkQVfXNcLtaBWnDKgf/fjusXk+kh1zuyn5eOCe16+2vV1lmXZrDIGdJtXDW
+ZtHKele1Yv1BA3kUi5tKQi+VOOrvHL0+TMjFWFiCy1sYJS9qgkS08kReI2nAnhZ7
+INdqEVxtVk1TTOhtYjOPy6txwujoICuPv5F4rHVhn1LPKGTLtYD2LOwf/8eKYQox
+51gaJ8dNxpcHE/iFOIDXdebJPufo3EhqDRihchxb8AVLhrNss7pGGG/tVfichmHK
+djPT2KfSh14pq1ahFOz0zH4nmTu7CCLnLAdRBHuhL8HVDbi0vKBtCiSmQggdxvoj
+u+hpXiiDFQoCjLh0zVCwtFqWDZbnKMTBNNF26aTmQ+2fiYkBMwQQAQgAHRYhBB/m
+NI7eqCWiKXDlxI3TBA8SPMP0BQJbcLU1AAoJEI3TBA8SPMP021sH/jD1m7azNCN6
+DVL1iDJT6uIIYCTylygH5XI46CRoWaz/LwdFnUqWHHTcQxJ5pIkWV9KF+SIgMT42
+brdZZmNvvSdX0odjFKqj5UR6w+wDN+uZ6Q40zu4pNoNzbk7pRpbFf1XIfGB1liyu
+m28EJ58IXu/0AV7FiDAHGGBqppK/cwQN8pGLwmz1n6YELtXeFmtOGnusO6iLYOE7
+3ByFCCqJB6twT5+7dDqFYqqQJgQ6jDTy19dDZ1vDhDttL+2Rn0OYXqPw7gy/1D2p
+Y1cM9PgPBsR4EXhbtV0uKUNomk8tM/HnGMFT0KirI/tSwEP3v9g5YH992mrvNuIV
+TkyQn0jGeMeJATMEEAEIAB0WIQRswFHTwdmkr54mDFjT45SsdE4uuwUCW3haCQAK
+CRDT45SsdE4uu4JjCACppkreiMrpJSREKbUscdOvFxFRYzkTFeSCwX9Ih7r5ENpa
+zjczfIqCCfWzioV6y4K0V04y8CXt/5S5a9vfW801pBUdF9nG4X8YbUn/xSe+8A9m
+MsfDjMNcF7Cp5czVoSS4/4oHm9mQUMYQsn3AwwCPDKFORRRv5Eb0om9JawKtt++7
+ZW0fOgDkvOCm14SN0UtVc4mxTx6iyxdMDgrKinBZVjxEh5oeqUyXh5TYM+XyWFVh
+/gDUvUWwLI0GUWNTyOyUQU1oPVp+sWqrEe1BXLVCKFVWaSTtgJtJ5FyP+z2uzRcv
+aanPOj/ohHAo8VBq9QbefYVAkShNBEuJkATnXhcGiQEzBBABCAAdFiEEvlzFWRM6
+4JjNAb2a+j2ZL9Cqr7wFAlkBCcIACgkQ+j2ZL9Cqr7yB9AgArj+0+i0DCo1nm4MF
+TLnW1Y9GF/Hq/mBva1MhkT0j3BzENK3xgqrqac8KqupsporNEmJ0ZbZzilJdZImb
+o4X5BFdmmnjMiGaH6GAiPqRBBHGvLV2r2pG467J4tOMWO3XipFRf7FibbfhAU1lV
+/GLWYTSwLqwWwBE8u5rriEvDngWUJw2Yd4Yqwduef7O6F+JfsGPRXFomR3387II0
+8AXo/C+P5cl64llaxV6BmkJhQ6ydL0/KwSkHVdlXugk1sPtV/qOyPQ5L1Ibqbsvh
+lLq/jhHlUUNLFjlQ2lrS9bhHGw9OIHTMJvS8RDrk0yAmoHAyRWNgbFN7aA62vBhq
+pcUVzokBMwQQAQgAHRYhBPZ+fW6ADyQOg+vIZ/9qyaZGTfCcBQJa+ZAwAAoJEP9q
+yaZGTfCcKMgH/jRxGfYhhGnlMnDLAEpYC+TGSDLMgmg9cOZbonqyMv+7Kts+pV03
+KUr9SPV+VtGtOxRNiqwFt6V2MHcwPJfTXuH/bBW/HCCpr6UlOVWqIiCNK0Gnpcj5
+rRt5unjG9CwsgyaK9QPI8bGin/c6m8BjwmEdfJ01ATLiUb8WuDHQy9OCyrEAnzSq
+FD5ZtFmAFxvzm2x1nwb5HPuqkOqbRatp8aRJzTxIeSJPpgLw0PawHKGN3Ckp7REc
+g26P1spkPe7SIVRsobH3al4uw7mgs7wiDWN3t8CdmuHAzmB2UrsR84JMTb45GboO
+Bc1CX8xZcHyNaDEpyWHav+P8nZqwfBm+cLiJAjMEEAEIAB0WIQSawVDb4dGOtiX0
++gWyD0lU8+/LPwUCW/4O9QAKCRCyD0lU8+/LPyI7EACWtj0GEb1VT02gKwtKwgFn
+RJ2pz8vYm188wgJwCJaL04d2D/VwE0jMvmfH80hSKgSLPAVMG06RIOb/tGhHsQKU
+zBlHiAFmfjlJo1FC/Mp44RrERRsFAWBg0/URIs4vP8+5Vl+5m70sZrQpKeq+6TLM
+1dQ0Ohz+QkQ04Z+DTroChWU8/7Uw0E3CqGGKYqPvDh54T1q4s8FoN0no8ZUlt/O+
+r/3c7awr85ZnxqtnHIcuMbVyIZ+gOqXdrLa85yZITsh4zQrjYuyTEg7dpziReyiZ
++rkpdIdFKl8YeD+d0JWzVm7kq9D4K3+x9C509z0IgJUT3bhsX/N0Yf/QUtUW5oxI
+T7fod86B/Q2M7zBTttFhd1vAjiSjEalK48SjTzWqTDYVIkea1+f1kZK5A0QlthqG
+P2zy5GUjZVzOiCSOhyEOvAorU3zKD2s84VFKlayZEqlHJh8u5U59TWBdkW3qZUJd
+ewW31xt0s8IovYSgOwX3wbsClQs6eVwNuCZT2yQAgAyXA5iFztBvDRQ0qmetvzV2
+Ay9SrjvkQ3qr/eZmbMErEwEUxIO4b1rctCQ6jcbyVxMTAZAfaDoVKWEMXNiF2KSw
+F9SSzGPIZDgiEXUlgaJBlUIYSFxrPuE+da0CM5RixyYIinU6AER6crl9C4C9XL6a
+u3jf+5MTGxviRGn2oQzSCYkCMwQQAQgAHRYhBKeHFU4z7cw4HFbYuaxFYRTTj42I
+BQJboq6kAAoJEKxFYRTTj42IWIAP/3rc9GjDTM4nI6Oi4OzLkwm/I2Vr7LUKG8oX
+8E4Nj3amvNGupzGySjB+vrM6APrMSScXunvM0f19LV84EnNrUQ3KFZcSC6r5WC0B
+2+TVRYGpY+6R9AQpqnuxicW0sa/AlV9WSEb4fDavCel2nW0arH4wkkCzTThUxoBB
+X4I9nf4ZzGoUnnDAwTD9rN0gpI6Td/7faa3t99dRLb6AHJ1KhvyiiV3lr0xtTssD
+xVHo0SpzQTnOcRJnYf/2rTny8bVfROPWieh6HuEiP7SxT1HyeTr4WSAjSCoG95O2
+b3OgSMl0Z82FRMoJYmxID/V5YqH7015SjCxKdYhEZVp9YwWruEJIH8r6MGbWYNAl
+REnyDvfGzAF0L0+gAUymDRmtp1jeXLo+HmLgVEUWegafs1TPfCWS/H9n10Upjmuq
+akituzacz6Kjleq9qbnl81Xmh4AKmOILRwE7Pmcbl8HATOrmi5EaKffjMdWFzOWh
+3U4/VsNDujqSTXD88EjGcpLiIiYefGy0sURJbIMTkfXVt3ruHLyuvhsRE/2QEAi7
+gWB0zuBV8iGBaag+6RQkxGdpemPiogzuDijqZHoUXlp7Q6IYLanXeweyivdrSyTB
+4HOECDbWEPZwk6tCxnuklW5iJndxBmxjSxefIMGU7G2JS9quppCVFCrKUjIWnf7b
+gXnNji5JiQIzBBABCAAdFiEExZuSbLy7rtFhdiOuHt8NuZ2LeoQFAluirpUACgkQ
+Ht8NuZ2LeoR/gQ/6A71JxUavzyBlCXlMy2Hx2+gOfy68b8UWl7DwKTOBSoZOzPC7
+dVCSTzoK8dRELqsp7CkFImWcEwLJWMptuH2I1nK+Ua8bvxJSMJnOlPxYE8Wz5EK3
+SQ2mQvifRezQTe8zjdpxEDSR6xocSiigvJow4X+Mivrxxj8sMgu1KA1ud2VGX/IR
+wMbwuBTH9YydgvzmFzTxdlJHEYmsI8koHrVWPHm//QqqPBn+qz2z9uAzDmGAiDYg
+qtQijo5IJC8ZjxgdcTfCkN6he+GhHtOhyP/KF/FcRHY83DoNCtqexQZWGuKtbd8o
+nQYtmemRFob5kR7GxuNdAqF74oQfXcvXZNtHSuN3VtLqkB4fzW+21JBJCsP3XCzd
+nKjR4erXNrQycmp3shSoJbnVvdbDwaVlWhDen1DvJb0Lj2sO3PQPcwVQbf5XHWR/
+ZCf2OQTfVgwFEB4/0Twv70XwYIui2Ry9hmTPbD4Nn+UXbMQ3SOp90tj/e2yY/MFt
+FvcIYcJTk9LM5IsnKgh+fSWDmdS3HD5Kjv2EPUHTNalruwwfmhS+ScJwM4XqHTJY
+JkB16j/Xv2FTF+6KlbA1zdOVycPzoFKjAENYccQBVo2B+WQac7dFDqGEVNal9z66
+DyU4ciAHl6PsbuN7DWeuScLoqq5jwx61bZgn71mUOYC1/47ypat2BKCOXZ2JAjME
+EgEIAB0WIQSm5op4O95BdGcqQkHwXKpE5VGK/wUCWie53AAKCRDwXKpE5VGK/3rM
+D/9jcYKOjYaPJh3Q7wNC1HjjUa73eo5GvJqyXbsXufIh/RAYgQkD08P5JgzfXvQ0
+zOQTtDlDTVG8VMFoBYeMJVDd0k9LBbaljxcttMPfOll+AlQGAL7iQIqTAndknkJL
+CFdl0ypa5GVsl1tzqmNC5fuMJ3vBoRtYbMitlHQkO0vLjZ7yl9fz+7YkREpEo/d5
+Ya8t4+L6el6lrETYaiGCTxHcbYD7VdiJxpxFQlpgl+XKtobrj70RocGQ5JwUNilC
+nRJKUb33lbmntwDwQ1y1AjCnhB++3GHjJDXBPgYFDCSZPCndKeOXhxmB2psFf41i
+8foJPJXuh1vWOqArdwseFCRM6W2deF1utZmROMSkUo6IC8dYlucO/hjpjhG+C8Zv
+QiM5uLylD3IPMX9wCz1tAhMNs3v4pEPo/4A//1cdLkor9cQVLFj3+TkS888EWZdj
+Y8mUTIXU6yL1DXcj8CfDPS29fMpDorDpK1swl4pN5qgGfsL5BSAXUf1AZDWbxnEY
+xf5rakfHDzrfbtbTSSfrBxS8gdW2vBKM+3nL21BeP8hQ0tkLA7bn2fNGz3aCOw46
+XeVJdBk1gVTwazspylqrh1ljr0hQEN4gs/8kM645BRdD0IyAFFcI44VmuVwd8+2g
+5miAGmVKSqN77w2cgMRnF7xpUsanv+3zKzaTnG+2liTeCokCPgQTAQIAKAUCVL7V
+IAIbAwUJBaOagAYLCQgHAwIGFQgCCQoLBBYCAwECHgECF4AACgkQD8MELjRa0F1m
+RhAAj9X+/4iiQsN888dNW/H1wEFFTd/1vqb2j0sHP3t02LkEPN5Ii9u71TSD2gSD
+WTu1Eb46nRDcapFNv5M0vXcWrEt7PK9b51Kuj4KpP5IjJHpTl2g7umaYQWC8fqcY
+TJTH0guMSCzZlsP0xGLbAj3cG6X5OPzCO+IxEafXmE//SfS9w46n1OC57ca1Y0Fp
+WXfjA0sJrcozgNchsptu3jg/oEteYJoxDAzNO45O4geNONq5D9PUQPb+H5Vv5zpy
+MI7iUJhVnTOFvnoUgRS7v6pWiA3flh5FelK8tYPCzEfvxfe7EB5GO7MaJEO3ZLni
+COaAZ3Nfn6Tt28tCOgd052W4FeGWow7iYCS1Wgd30bq/FNgnl+tKv2woxmWt4jJv
+ioBHQ4PbUnap2RCmBFaG7llRkrKP8nhWSUdwSS3OmDwAfxTTXjPaESK9EX9OV9Xo
+or07thq+7OMs+2cyiy2jSfIau0SELy/tVioZBhoB7hzAJUB8sGHOxMPlVDFdUr3x
+F/cgCclWANhw2xvgPim1wQ0XpeZe6w9RpmjZR7ReMYwxn8APBDP/e9R5aLDUQAep
+2hrJUPK38D0L69RnpWQsR9hZ2hEOrMV2M6ChlvhwHbGSdJ2CcqG5Jx4ZAP23DK3A
+N26TB88H9F7IMrM0REZeu7KzvYwCWlpg0zMXXKQ/2vovoe2JAlUEEwECAD8CGwMG
+CwkIBwMCBhUIAgkKCwQWAgMBAh4BAheAFiEEtsj5goK5ROOw1cJTD8MELjRa0F0F
+Alpd+i0FCQ8FJo0ACgkQD8MELjRa0F3X3A//dBQLm6GmXlQFjxZbukTw0lZsevFR
+M/6ljZTxp7bsC+HFzYoaCKv6rikaWzytxk//SOaLKrB4Z9HjAlpBMtyLl2Hk7tcZ
+bPpFafNmQ+4KgWNjLXCvt9se8BGrQvGQUrbE6YowbXa2YIgxIVEncFzIECAsp/+N
+xbMcZN5/X1PJxKi/N22gP4nn47muN6L3pKez3CXgWnhGYSc7BuD5ALWYH7yMYUem
+d4jlXfu5xkBIqirj1arIYC9wmF4ldbLNDPuracc8LmXcSqa5Rpao0s4iVzAD+tkX
+vE/73m3rhepwBXxrfk0McXuI9aucf5h4/KkIBzZsaJ6JM1tzlrJzzjaBKJF9OI5T
+jA0qTxdGzdPztS8gPaPcMkRFfh9ti0ZDx4VeF3s8sOtmMRHeGEWfxqUAbBUbwFsa
+JDu/+8/VO4KijfcuUi8tqJ/JHeosCuGE7TM93LwJu6ZcqMYOPDROE/hsnGm0ZU92
+xedu+07/X1ESHkSFPoaSHD5/DCNa/tXIyJZ8X7gF3eoDP5mSmrJqIqsOBR9WOVYv
+dI8i0GHTXbrZj8WXdoS+N8wlyMLLbAS2jvTe7M5RoqbLz4ABOUUnLVoEE0CiccVZ
+bW75BPxOfaD0szbinAeX6HDPI7St0MbKrRPjuDXjD0JVkLqFINtZfYLGMLss4tgn
+suefr0Bo9ISwG3u5Ag0EVL7VIAEQAOxBxrQesChjrCqKjY5PnSsSYpeb4froucrC
+898AFw2DgN/Zz+W7wtSTbtz/GRcCurjzZvN7o2rCuNk0j0+s1sgZZm2BdldlabLy
++UF/kSW1rb5qhfXcGGubu48OMdtSfok9lOc0Q1L4HNlGE4lUBkZzmI7Ykqfl+Bwr
+m9rpi54g4ua9PIiiHIAmMoZIcbtOG1KaDr6CoXRk/3g2ZiGUwhq3jFGroiBsKEap
+2FJ1bh5NJk2Eg8pV7fMOF7hUQKBZrNOtIPu8hA5WEgku3U3VYjRSI3SDi6QXnDL+
+xHxajiWpKtF3JjZh8y/CCTD8PyP34YjfZuFmkdske5cdx6H0V2UCiH453ncgFVdQ
+DXkY4n+0MTzhy2xu0IVVnBxYDYNhi+3MjTHJd9C4xMi9t+5IuEvDAPhgfZjDpQak
+EPz6hVmgj0mlKIgRilBRK9/kOxky9utBpGk3jEJGru/hKNloFNspoYtY6zATAr8E
+cOgoCFQE0nIktcg3wF9+OCEnV28/a7XZwUZ7Gl/qfOHtdr374wo8kd8R3V8d2G9q
+5w0/uCV9NNQ0fGWZDPDoYt6wnPL6gZv/nJM8oZY+u0rC24WwScZIniaryC4JHDas
+Ahr2S2CtgCvBgslK6f3gD16KHxPZMBpX73TzOYIhMEP/vXgVJbUD6dYht+U9c4Oh
+EDJown0dABEBAAGJAjwEGAECACYCGwwWIQS2yPmCgrlE47DVwlMPwwQuNFrQXQUC
+Wl36SwUJDwUmqwAKCRAPwwQuNFrQXT1/D/9YpRDNgaJl3YVDtVZoeQwh7BQ6ULZT
+eXFPogYkF2j3VWg8s9UmAs4sg/4a+9KLSantXjX+JFsRv0lQe5Gr/Vl8VQ4LKEXB
+fiGmSivjIZ7eopdd3YP2w6G5T3SA4d2CQfsg4rnJPnXIjzKNiSOi368ybnt9fL0Y
+2r2aqLTmP6Y7issDUO+J1TW1XHm349JPR0Hl4cTuNnWm4JuX2m2CJEc5XBlDAha9
+pUVs+J5C2D0UFFkyeOzeJPwy6x5ApWHm84n8AjhQSpu1qRKxKXdwei6tkQWWMHui
++TgSY/zCkmD9/oY15Ei5avJ4WgIbTLJUoZMi70riPmU8ThjpzA7S+Nk0g7rMPq+X
+l1whjKU/u0udlsrIJjzkh6ftqKUmIkbxYTpjhnEujNrEr5m2S6Z6x3y9E5QagBMR
+dxRhfk+HbyACcP/p9rXOzl4M291DoKeAAH70GHniGxyNs9rAoMr/hD5XW/Wrz3dc
+KMc2s555E6MZILE2ZiolcRn+bYOMPZtWlbx98t8uqMf49gY4FGQBZAwPglMrx7mr
+m7HTIiXahThQGOJg6izJDAD5RwSEGlAcL28T8KAuM6CLLkhlBfQwiKsUBNnh9r8w
+V3lB+pV0GhL+3i077gTYfZBRwLzjFdhm9xUKEaZ6rN1BX9lzix4eSNK5nln0jUq1
+67H2IH//2sf8dw==
+=fTDu
+-----END PGP PUBLIC KEY BLOCK-----
\ No newline at end of file
--- a/security/nss/automation/taskcluster/docker-hacl/Dockerfile
+++ b/security/nss/automation/taskcluster/docker-hacl/Dockerfile
@@ -4,19 +4,20 @@ MAINTAINER Franziskus Kiefer <franziskus
 # Based on the HACL* image from Benjamin Beurdouche and
 # the original F* formula with Daniel Fabian
 
 # Pinned versions of HACL* (F* and KreMLin are pinned as submodules)
 ENV haclrepo https://github.com/mitls/hacl-star.git
 
 # Define versions of dependencies
 ENV opamv 4.05.0
-ENV haclversion 1da331f9ef30e13269e45ae73bbe4a4bca679ae6
+ENV haclversion 1442c015dab97cdf203ae238b1f3aeccf511bd1e
 
 # Install required packages and set versions
+ADD B6C8F98282B944E3B0D5C2530FC3042E345AD05D.asc /tmp/B6C8F98282B944E3B0D5C2530FC3042E345AD05D.asc
 ADD setup.sh /tmp/setup.sh
 RUN bash /tmp/setup.sh
 
 # Create user, add scripts.
 RUN useradd -ms /bin/bash worker
 WORKDIR /home/worker
 ADD bin /home/worker/bin
 RUN chmod +x /home/worker/bin/*
--- a/security/nss/automation/taskcluster/docker-hacl/setup.sh
+++ b/security/nss/automation/taskcluster/docker-hacl/setup.sh
@@ -7,19 +7,23 @@ export DEBIAN_FRONTEND=noninteractive
 apt-get -qq update
 apt-get install --yes libssl-dev libsqlite3-dev g++-5 gcc-5 m4 make opam pkg-config python libgmp3-dev cmake curl libtool-bin autoconf wget locales
 update-alternatives --install /usr/bin/gcc gcc /usr/bin/gcc-5 200
 update-alternatives --install /usr/bin/g++ g++ /usr/bin/g++-5 200
 
 # Get clang-format-3.9
 curl -LO https://releases.llvm.org/3.9.1/clang+llvm-3.9.1-x86_64-linux-gnu-ubuntu-16.04.tar.xz
 curl -LO https://releases.llvm.org/3.9.1/clang+llvm-3.9.1-x86_64-linux-gnu-ubuntu-16.04.tar.xz.sig
-# Verify the signature.
-gpg --keyserver pool.sks-keyservers.net --recv-keys B6C8F98282B944E3B0D5C2530FC3042E345AD05D
-gpg --verify *.tar.xz.sig
+
+# Verify the signature. The key used for verification was fetched via:
+#    gpg --keyserver pgp.key-server.io --recv-keys B6C8F98282B944E3B0D5C2530FC3042E345AD05D
+# Use a local copy to workaround bug 1565013.
+gpg --no-default-keyring --keyring tmp.keyring --import /tmp/B6C8F98282B944E3B0D5C2530FC3042E345AD05D.asc
+gpg --no-default-keyring --keyring tmp.keyring --verify clang+llvm-3.9.1-x86_64-linux-gnu-ubuntu-16.04.tar.xz.sig
+
 # Install into /usr/local/.
 tar xJvf *.tar.xz -C /usr/local --strip-components=1
 # Cleanup.
 rm *.tar.xz*
 
 locale-gen en_US.UTF-8
 dpkg-reconfigure locales
 
--- a/security/nss/automation/taskcluster/graph/src/extend.js
+++ b/security/nss/automation/taskcluster/graph/src/extend.js
@@ -122,24 +122,31 @@ queue.map(task => {
   }
 
   // We don't run FIPS SSL tests
   if (task.tests == "ssl") {
     if (!task.env) {
       task.env = {};
     }
     task.env.NSS_SSL_TESTS = "crl iopr policy";
+
+    if (task.platform == "mac") {
+      task.maxRunTime = 7200;
+    }
   }
 
   // Windows is slow.
   if ((task.platform == "windows2012-32" || task.platform == "windows2012-64") &&
       task.tests == "chains") {
     task.maxRunTime = 7200;
   }
 
+  if (task.platform == "mac" && task.tests == "tools") {
+      task.maxRunTime = 7200;
+  }
   return task;
 });
 
 /*****************************************************************************/
 
 export default async function main() {
   await scheduleLinux("Linux 32 (opt)", {
     platform: "linux32",
--- a/security/nss/build.sh
+++ b/security/nss/build.sh
@@ -8,38 +8,48 @@
 # This script builds NSS with gyp and ninja.
 #
 # This build system is still under development.  It does not yet support all
 # the features or platforms that NSS supports.
 
 set -e
 
 cwd=$(cd $(dirname $0); pwd -P)
-source "$cwd"/coreconf/nspr.sh
-source "$cwd"/coreconf/sanitizers.sh
+dist_dir="$cwd/../dist"
+argsfile="$dist_dir/build_args"
+source "$cwd/coreconf/nspr.sh"
+source "$cwd/coreconf/sanitizers.sh"
 GYP=${GYP:-gyp}
 
 # Usage info
 show_help()
 {
-    cat "$cwd"/help.txt
+    cat "$cwd/help.txt"
 }
 
 run_verbose()
 {
     if [ "$verbose" = 1 ]; then
         echo "$@"
         exec 3>&1
     else
         exec 3>/dev/null
     fi
     "$@" 1>&3 2>&3
     exec 3>&-
 }
 
+# The prehistoric bash on Mac doesn't support @Q quoting.
+# The consequences aren't that serious, unless there are odd arrangements of spaces.
+if /usr/bin/env bash -c 'x=1;echo "${x@Q}"' >/dev/null 2>&1; then
+    Q() { echo "${@@Q}"; }
+else
+    Q() { echo "$@"; }
+fi
+
 if [ -n "$CCC" ] && [ -z "$CXX" ]; then
     export CXX="$CCC"
 fi
 
 opt_build=0
 build_64=0
 clean=0
 rebuild_gyp=0
@@ -51,28 +61,37 @@ fuzz_tls=0
 fuzz_oss=0
 no_local_nspr=0
 sslkeylogfile=1
 
 gyp_params=(--depth="$cwd" --generator-output=".")
 ninja_params=()
 
 # Assume that the target architecture is the same as the host by default.
-host_arch=$(python "$cwd"/coreconf/detect_host_arch.py)
+host_arch=$(python "$cwd/coreconf/detect_host_arch.py")
 target_arch=$host_arch
 
 # Assume that MSVC is wanted if this is running on windows.
 platform=$(uname -s)
 if [ "${platform%-*}" = "MINGW32_NT" -o "${platform%-*}" = "MINGW64_NT" ]; then
     msvc=1
 fi
 
 # Parse command line arguments.
+all_args=("$@")
 while [ $# -gt 0 ]; do
     case "$1" in
+        --rebuild)
+            if [[ ! -e "$argsfile" ]]; then
+                echo "Unable to rebuild" 1>&2
+                exit 2
+            fi
+            IFS=$'\r\n' GLOBIGNORE='*' command eval  'previous_args=($(<"$argsfile"))'
+            exec /usr/bin/env bash -c "$(Q "$0")"' "$@"' "$0" "${previous_args[@]}"
+            ;;
         -c) clean=1 ;;
         -cc) clean_only=1 ;;
         -v) ninja_params+=(-v); verbose=1 ;;
         -j) ninja_params+=(-j "$2"); shift ;;
         --gyp|-g) rebuild_gyp=1 ;;
         --opt|-o) opt_build=1 ;;
         -m32|--m32) target_arch=ia32; echo 'Warning: use -t instead of -m32' 1>&2 ;;
         -t|--target) target_arch="$2"; shift ;;
@@ -100,17 +119,17 @@ while [ $# -gt 0 ]; do
         --nspr) nspr_clean; rebuild_nspr=1 ;;
         --with-nspr=?*) set_nspr_path "${1#*=}"; no_local_nspr=1 ;;
         --system-nspr) set_nspr_path "/usr/include/nspr/:"; no_local_nspr=1 ;;
         --system-sqlite) gyp_params+=(-Duse_system_sqlite=1) ;;
         --enable-fips) gyp_params+=(-Ddisable_fips=0) ;;
         --enable-libpkix) gyp_params+=(-Ddisable_libpkix=0) ;;
         --mozpkix-only) gyp_params+=(-Dmozpkix_only=1 -Ddisable_tests=1 -Dsign_libs=0) ;;
         --disable-keylog) sslkeylogfile=0 ;;
-	-D*) gyp_params+=("$1") ;;
+        -D*) gyp_params+=("$1") ;;
         *) show_help; exit 2 ;;
     esac
     shift
 done
 
 # Set the target architecture and build type.
 gyp_params+=(-Dtarget_arch="$target_arch")
 if [ "$opt_build" = 1 ]; then
@@ -118,119 +137,119 @@ if [ "$opt_build" = 1 ]; then
 else
     target=Debug
 fi
 
 gyp_params+=(-Denable_sslkeylogfile="$sslkeylogfile")
 
 # Do special setup.
 if [ "$fuzz" = 1 ]; then
-    source "$cwd"/coreconf/fuzz.sh
+    source "$cwd/coreconf/fuzz.sh"
 fi
 nspr_set_flags $sanitizer_flags
 if [ ! -z "$sanitizer_flags" ]; then
     gyp_params+=(-Dsanitizer_flags="$sanitizer_flags")
 fi
 
 if [ "$msvc" = 1 ]; then
-    source "$cwd"/coreconf/msvc.sh
+    source "$cwd/coreconf/msvc.sh"
 fi
 
-# Setup build paths.
-target_dir="$cwd"/out/$target
-mkdir -p "$target_dir"
-dist_dir="$cwd"/../dist
-dist_dir=$(mkdir -p "$dist_dir"; cd "$dist_dir"; pwd -P)
-gyp_params+=(-Dnss_dist_dir="$dist_dir")
-
 # -c = clean first
 if [ "$clean" = 1 -o "$clean_only" = 1 ]; then
     nspr_clean
-    rm -rf "$cwd"/out
+    rm -rf "$cwd/out"
     rm -rf "$dist_dir"
     # -cc = only clean, don't build
     if [ "$clean_only" = 1 ]; then
         echo "Cleaned"
         exit 0
     fi
 fi
 
+# Setup build paths.
+target_dir="$cwd/out/$target"
+mkdir -p "$target_dir"
+dist_dir=$(mkdir -p "$dist_dir"; cd "$dist_dir"; pwd -P)
+gyp_params+=(-Dnss_dist_dir="$dist_dir")
+
 # This saves a canonical representation of arguments that we are passing to gyp
 # or the NSPR build so that we can work out if a rebuild is needed.
 # Caveat: This can fail for arguments that are position-dependent.
 # e.g., "-e 2 -f 1" and "-e 1 -f 2" canonicalize the same.
 check_config()
 {
     local newconf="$1".new oldconf="$1"
     shift
     mkdir -p $(dirname "$newconf")
-    echo CC="$CC" >"$newconf"
-    echo CCC="$CCC" >>"$newconf"
-    echo CXX="$CXX" >>"$newconf"
-    echo target_arch="$target_arch" >>"$newconf"
-    for i in "$@"; do echo $i; done | sort >>"$newconf"
+    echo CC="$(Q "$CC")" >"$newconf"
+    echo CCC="$(Q "$CCC")" >>"$newconf"
+    echo CXX="$(Q "$CXX")" >>"$newconf"
+    echo target_arch="$(Q "$target_arch")" >>"$newconf"
+    for i in "$@"; do echo "$i"; done | sort >>"$newconf"
 
     # Note: The following diff fails if $oldconf isn't there as well, which
     # happens if we don't have a previous successful build.
     ! diff -q "$newconf" "$oldconf" >/dev/null 2>&1
 }
 
-gyp_config="$cwd"/out/gyp_config
-nspr_config="$cwd"/out/$target/nspr_config
+gyp_config="$cwd/out/gyp_config"
+nspr_config="$cwd/out/$target/nspr_config"
 
 # Now check what needs to be rebuilt.
 # If we don't have a build directory make sure that we rebuild.
 if [ ! -d "$target_dir" ]; then
     rebuild_nspr=1
     rebuild_gyp=1
-elif [ ! -d "$dist_dir"/$target ]; then
+elif [ ! -d "$dist_dir/$target" ]; then
     rebuild_nspr=1
 fi
 
 if check_config "$nspr_config" \
-                 nspr_cflags="$nspr_cflags" \
-                 nspr_cxxflags="$nspr_cxxflags" \
-                 nspr_ldflags="$nspr_ldflags"; then
+                 nspr_cflags="$(Q "$nspr_cflags")" \
+                 nspr_cxxflags="$(Q "$nspr_cxxflags")" \
+                 nspr_ldflags="$(Q "$nspr_ldflags")"; then
     rebuild_nspr=1
 fi
 
-if check_config "$gyp_config" "${gyp_params[@]}"; then
+if check_config "$gyp_config" "$(Q "${gyp_params[@]}")"; then
     rebuild_gyp=1
 fi
 
 # Save the chosen target.
-mkdir -p "$dist_dir"
-echo $target > "$dist_dir"/latest
+echo "$target" > "$dist_dir/latest"
+for i in "${all_args[@]}"; do echo "$i"; done > "$argsfile"
 
 # Build.
 # NSPR.
 if [[ "$rebuild_nspr" = 1 && "$no_local_nspr" = 0 ]]; then
+    nspr_clean
     nspr_build
-    mv -f "$nspr_config".new "$nspr_config"
+    mv -f "$nspr_config.new" "$nspr_config"
 fi
 # gyp.
 if [ "$rebuild_gyp" = 1 ]; then
-    if ! hash ${GYP} 2> /dev/null; then
-        echo "Please install gyp" 1>&2
-        exit 1
+    if ! hash "$GYP" 2> /dev/null; then
+        echo "Building NSS requires an installation of gyp: https://gyp.gsrc.io/" 1>&2
+        exit 3
     fi
     # These extra arguments aren't used in determining whether to rebuild.
-    obj_dir="$dist_dir"/$target
-    gyp_params+=(-Dnss_dist_obj_dir=$obj_dir)
+    obj_dir="$dist_dir/$target"
+    gyp_params+=(-Dnss_dist_obj_dir="$obj_dir")
     if [ "$no_local_nspr" = 0 ]; then
         set_nspr_path "$obj_dir/include/nspr:$obj_dir/lib"
     fi
 
-    run_verbose run_scanbuild ${GYP} -f ninja "${gyp_params[@]}" "$cwd"/nss.gyp
+    run_verbose run_scanbuild ${GYP} -f ninja "${gyp_params[@]}" "$cwd/nss.gyp"
 
-    mv -f "$gyp_config".new "$gyp_config"
+    mv -f "$gyp_config.new" "$gyp_config"
 fi
 
 # ninja.
 if hash ninja-build 2>/dev/null; then
     ninja=ninja-build
 elif hash ninja 2>/dev/null; then
     ninja=ninja
 else
-    echo "Please install ninja" 1>&2
-    exit 1
+    echo "Building NSS requires an installation of ninja: https://ninja-build.org/" 1>&2
+    exit 3
 fi
-run_scanbuild $ninja -C "$target_dir" "${ninja_params[@]}"
+run_scanbuild "$ninja" -C "$target_dir" "${ninja_params[@]}"
--- a/security/nss/cmd/httpserv/httpserv.c
+++ b/security/nss/cmd/httpserv/httpserv.c
@@ -458,17 +458,17 @@ handle_connection(
     PRSocketOptionData opt;
     PRIOVec iovs[16];
     char msgBuf[160];
     char buf[10240];
     char fileName[513];
     char *getData = NULL; /* inplace conversion */
     SECItem postData;
     PRBool isOcspRequest = PR_FALSE;
-    PRBool isPost;
+    PRBool isPost = PR_FALSE;
 
     postData.data = NULL;
     postData.len = 0;
 
     pBuf = buf;
     bufRem = sizeof buf;
 
     VLOG(("httpserv: handle_connection: starting"));
--- a/security/nss/cmd/tstclnt/tstclnt.c
+++ b/security/nss/cmd/tstclnt/tstclnt.c
@@ -919,17 +919,17 @@ separateReqHeader(const PRFileDesc *outF
     }
 
 static SECStatus
 restartHandshakeAfterServerCertIfNeeded(PRFileDesc *fd,
                                         ServerCertAuth *serverCertAuth,
                                         PRBool override)
 {
     SECStatus rv;
-    PRErrorCode error;
+    PRErrorCode error = 0;
 
     if (!serverCertAuth->isPaused)
         return SECSuccess;
 
     FPRINTF(stderr, "%s: handshake was paused by auth certificate hook\n",
             progName);
 
     serverCertAuth->isPaused = PR_FALSE;
--- a/security/nss/coreconf/UNIX.mk
+++ b/security/nss/coreconf/UNIX.mk
@@ -9,19 +9,17 @@ DLL_SUFFIX  = so
 AR          = ar cr $@
 LDOPTS     += -L$(SOURCE_LIB_DIR)
 
 ifdef BUILD_OPT
 	OPTIMIZER  += -O
 	DEFINES    += -UDEBUG -DNDEBUG
 else
 	OPTIMIZER  += -g
-	USERNAME   := $(shell whoami)
-	USERNAME   := $(subst -,_,$(USERNAME))
-	DEFINES    += -DDEBUG -UNDEBUG -DDEBUG_$(USERNAME)
+	DEFINES    += -DDEBUG -UNDEBUG
 endif
 
 ifdef BUILD_TREE
 NSINSTALL_DIR  = $(BUILD_TREE)/nss
 NSINSTALL      = $(BUILD_TREE)/nss/nsinstall
 else
 NSINSTALL_DIR  = $(CORE_DEPTH)/coreconf/nsinstall
 NSINSTALL      = $(NSINSTALL_DIR)/$(OBJDIR_NAME)/nsinstall
--- a/security/nss/coreconf/WIN32.mk
+++ b/security/nss/coreconf/WIN32.mk
@@ -111,21 +111,17 @@ ifdef NS_USE_GCC
 	ifeq (11,$(ALLOW_OPT_CODE_SIZE)$(OPT_CODE_SIZE))
 		OPTIMIZER += -Os
 	else
 		OPTIMIZER += -O2
 	endif
 	DEFINES    += -UDEBUG -DNDEBUG
     else
 	OPTIMIZER  += -g
-	NULLSTRING :=
-	SPACE      := $(NULLSTRING) # end of the line
-	USERNAME   := $(subst $(SPACE),_,$(USERNAME))
-	USERNAME   := $(subst -,_,$(USERNAME))
-	DEFINES    += -DDEBUG -UNDEBUG -DDEBUG_$(USERNAME)
+	DEFINES    += -DDEBUG -UNDEBUG
     endif
 else # !NS_USE_GCC
     WARNING_CFLAGS = -W3 -nologo -D_CRT_SECURE_NO_WARNINGS \
                       -D_CRT_NONSTDC_NO_WARNINGS
     OS_DLLFLAGS += -nologo -DLL -SUBSYSTEM:WINDOWS
     ifndef NSS_ENABLE_WERROR
         NSS_ENABLE_WERROR = 1
     endif
@@ -174,20 +170,17 @@ else # !NS_USE_GCC
 			OPTIMIZER += -Zi -Fd$(OBJDIR)/
 		endif
 		DLLFLAGS += -DEBUG -OPT:REF
 		LDFLAGS += -DEBUG -OPT:REF
 	endif
     else
 	OPTIMIZER += -Zi -Fd$(OBJDIR)/ -Od
 	NULLSTRING :=
-	SPACE      := $(NULLSTRING) # end of the line
-	USERNAME   := $(subst $(SPACE),_,$(USERNAME))
-	USERNAME   := $(subst -,_,$(USERNAME))
-	DEFINES    += -DDEBUG -UNDEBUG -DDEBUG_$(USERNAME)
+	DEFINES    += -DDEBUG -UNDEBUG
 	DLLFLAGS   += -DEBUG -OUT:$@
 	LDFLAGS    += -DEBUG 
 ifeq ($(_MSC_VER),$(_MSC_VER_6))
 ifndef MOZ_DEBUG_SYMBOLS
 	LDFLAGS    += -PDB:NONE 
 endif
 endif
 	# Purify requires /FIXED:NO when linking EXEs.
--- a/security/nss/coreconf/coreconf.dep
+++ b/security/nss/coreconf/coreconf.dep
@@ -5,9 +5,8 @@
 
 /*
  * A dummy header file that is a dependency for all the object files.
  * Used to force a full recompilation of NSS in Mozilla's Tinderbox
  * depend builds.  See comments in rules.mk.
  */
 
 #error "Do not include this header file."
-
--- a/security/nss/help.txt
+++ b/security/nss/help.txt
@@ -2,16 +2,17 @@ Usage: build.sh [-h] [-c|-cc] [-v] [-j <
                 [-t <x64|ia32|...>|--target=<x64|ia32|...>]
                 [--clang|--gcc|--msvc] [--scan-build[=dir]] [--disable-tests]
                 [--pprof] [--asan] [--msan] [--ubsan[=bool,shift,...]
                 [--fuzz[=tls|oss]] [--sancov[=edge|bb|func|...]]
                 [--emit-llvm] [--no-zdefs] [--static] [--ct-verif]
                 [--nspr|--with-nspr=<include>:<lib>|--system-nspr]
                 [--system-sqlite] [--enable-fips] [--enable-libpkix]
                 [--mozpkix-only] [-D<gyp-option>]
+                [--rebuild]
 
 This script builds NSS with gyp and ninja.
 
 NSS build tool options:
 
     -h               display this help and exit
     -c               clean before build
     -cc              clean without building
@@ -49,8 +50,10 @@ NSS build tool options:
     --system-sqlite  use system sqlite
     --enable-fips    enable FIPS checks
     --enable-libpkix make libpkix part of the build
     --mozpkix-only   build only static mozpkix and mozpkix-test libraries
                      support for this build option is limited
     --disable-keylog disable support for logging key data to a file specified
                      by the SSLKEYLOGFILE environment variable
     -D<gyp-option>   pass an option directly to gyp
+    --rebuild        build again using the last set of options provided
+                     (all other arguments are ignored if --rebuild is used)
--- a/security/nss/lib/freebl/Makefile
+++ b/security/nss/lib/freebl/Makefile
@@ -493,17 +493,17 @@ else
  	endif
     endif
 endif # Solaris for non-sparc family CPUs
 endif # target == SunO
 
 ifdef USE_64
 # no __int128 at least up to lcc 1.23 (pretending to be gcc5)
 # NB: CC_NAME is not defined here
-ifneq ($(shell $(CC) -? 2>&1 >/dev/null | sed -e 's/:.*//;1q'),lcc)
+ifneq ($(shell $(CC) -? 2>&1 >/dev/null </dev/null | sed -e 's/:.*//;1q'),lcc)
     ifdef CC_IS_CLANG
             HAVE_INT128_SUPPORT = 1
             DEFINES += -DHAVE_INT128_SUPPORT
     else ifeq (1,$(CC_IS_GCC))
         ifneq (,$(filter 4.6 4.7 4.8 4.9,$(word 1,$(GCC_VERSION)).$(word 2,$(GCC_VERSION))))
             HAVE_INT128_SUPPORT = 1
             DEFINES += -DHAVE_INT128_SUPPORT
         endif
--- a/security/nss/lib/freebl/ec.c
+++ b/security/nss/lib/freebl/ec.c
@@ -19,17 +19,17 @@ static const ECMethod kMethods[] = {
     { ECCurve25519,
       ec_Curve25519_pt_mul,
       ec_Curve25519_pt_validate }
 };
 
 static const ECMethod *
 ec_get_method_from_name(ECCurveName name)
 {
-    int i;
+    unsigned long i;
     for (i = 0; i < sizeof(kMethods) / sizeof(kMethods[0]); ++i) {
         if (kMethods[i].name == name) {
             return &kMethods[i];
         }
     }
     return NULL;
 }
 
--- a/security/nss/lib/freebl/verified/FStar.c
+++ b/security/nss/lib/freebl/verified/FStar.c
@@ -1,9 +1,9 @@
-/* Copyright 2016-2017 INRIA and Microsoft Corporation
+/* Copyright 2016-2018 INRIA and Microsoft Corporation
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
  *     http://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
--- a/security/nss/lib/freebl/verified/FStar.h
+++ b/security/nss/lib/freebl/verified/FStar.h
@@ -1,9 +1,9 @@
-/* Copyright 2016-2017 INRIA and Microsoft Corporation
+/* Copyright 2016-2018 INRIA and Microsoft Corporation
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
  *     http://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
--- a/security/nss/lib/freebl/verified/Hacl_Chacha20.c
+++ b/security/nss/lib/freebl/verified/Hacl_Chacha20.c
@@ -1,9 +1,9 @@
-/* Copyright 2016-2017 INRIA and Microsoft Corporation
+/* Copyright 2016-2018 INRIA and Microsoft Corporation
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
  *     http://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
--- a/security/nss/lib/freebl/verified/Hacl_Chacha20.h
+++ b/security/nss/lib/freebl/verified/Hacl_Chacha20.h
@@ -1,9 +1,9 @@
-/* Copyright 2016-2017 INRIA and Microsoft Corporation
+/* Copyright 2016-2018 INRIA and Microsoft Corporation
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
  *     http://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
--- a/security/nss/lib/freebl/verified/Hacl_Chacha20_Vec128.c
+++ b/security/nss/lib/freebl/verified/Hacl_Chacha20_Vec128.c
@@ -1,9 +1,9 @@
-/* Copyright 2016-2017 INRIA and Microsoft Corporation
+/* Copyright 2016-2018 INRIA and Microsoft Corporation
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
  *     http://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
--- a/security/nss/lib/freebl/verified/Hacl_Chacha20_Vec128.h
+++ b/security/nss/lib/freebl/verified/Hacl_Chacha20_Vec128.h
@@ -1,9 +1,9 @@
-/* Copyright 2016-2017 INRIA and Microsoft Corporation
+/* Copyright 2016-2018 INRIA and Microsoft Corporation
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
  *     http://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
--- a/security/nss/lib/freebl/verified/Hacl_Curve25519.c
+++ b/security/nss/lib/freebl/verified/Hacl_Curve25519.c
@@ -1,9 +1,9 @@
-/* Copyright 2016-2017 INRIA and Microsoft Corporation
+/* Copyright 2016-2018 INRIA and Microsoft Corporation
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
  *     http://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
--- a/security/nss/lib/freebl/verified/Hacl_Curve25519.h
+++ b/security/nss/lib/freebl/verified/Hacl_Curve25519.h
@@ -1,9 +1,9 @@
-/* Copyright 2016-2017 INRIA and Microsoft Corporation
+/* Copyright 2016-2018 INRIA and Microsoft Corporation
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
  *     http://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
--- a/security/nss/lib/freebl/verified/Hacl_Poly1305_32.c
+++ b/security/nss/lib/freebl/verified/Hacl_Poly1305_32.c
@@ -1,9 +1,9 @@
-/* Copyright 2016-2017 INRIA and Microsoft Corporation
+/* Copyright 2016-2018 INRIA and Microsoft Corporation
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
  *     http://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
--- a/security/nss/lib/freebl/verified/Hacl_Poly1305_32.h
+++ b/security/nss/lib/freebl/verified/Hacl_Poly1305_32.h
@@ -1,9 +1,9 @@
-/* Copyright 2016-2017 INRIA and Microsoft Corporation
+/* Copyright 2016-2018 INRIA and Microsoft Corporation
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
  *     http://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
--- a/security/nss/lib/freebl/verified/Hacl_Poly1305_64.c
+++ b/security/nss/lib/freebl/verified/Hacl_Poly1305_64.c
@@ -1,9 +1,9 @@
-/* Copyright 2016-2017 INRIA and Microsoft Corporation
+/* Copyright 2016-2018 INRIA and Microsoft Corporation
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
  *     http://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
--- a/security/nss/lib/freebl/verified/Hacl_Poly1305_64.h
+++ b/security/nss/lib/freebl/verified/Hacl_Poly1305_64.h
@@ -1,9 +1,9 @@
-/* Copyright 2016-2017 INRIA and Microsoft Corporation
+/* Copyright 2016-2018 INRIA and Microsoft Corporation
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
  *     http://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
--- a/security/nss/lib/freebl/verified/kremlib.h
+++ b/security/nss/lib/freebl/verified/kremlib.h
@@ -1,9 +1,9 @@
-/* Copyright 2016-2017 INRIA and Microsoft Corporation
+/* Copyright 2016-2018 INRIA and Microsoft Corporation
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
  *     http://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
--- a/security/nss/lib/freebl/verified/kremlib_base.h
+++ b/security/nss/lib/freebl/verified/kremlib_base.h
@@ -1,9 +1,9 @@
-/* Copyright 2016-2017 INRIA and Microsoft Corporation
+/* Copyright 2016-2018 INRIA and Microsoft Corporation
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
  *     http://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
--- a/security/nss/lib/freebl/verified/vec128.h
+++ b/security/nss/lib/freebl/verified/vec128.h
@@ -1,9 +1,9 @@
-/* Copyright 2016-2017 INRIA and Microsoft Corporation
+/* Copyright 2016-2018 INRIA and Microsoft Corporation
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
  *     http://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
--- a/security/nss/lib/mozpkix/test-lib/pkixtestnss.cpp
+++ b/security/nss/lib/mozpkix/test-lib/pkixtestnss.cpp
@@ -229,24 +229,24 @@ namespace {
 
 TestKeyPair*
 GenerateKeyPairInner()
 {
   ScopedPK11SlotInfo slot(PK11_GetInternalSlot());
   if (!slot) {
     abort();
   }
+  PK11RSAGenParams params;
+  params.keySizeInBits = 2048;
+  params.pe = 3;
 
   // Bug 1012786: PK11_GenerateKeyPair can fail if there is insufficient
   // entropy to generate a random key. Attempting to add some entropy and
   // retrying appears to solve this issue.
   for (uint32_t retries = 0; retries < 10; retries++) {
-    PK11RSAGenParams params;
-    params.keySizeInBits = 2048;
-    params.pe = 3;
     SECKEYPublicKey* publicKeyTemp = nullptr;
     ScopedSECKEYPrivateKey
       privateKey(PK11_GenerateKeyPair(slot.get(), CKM_RSA_PKCS_KEY_PAIR_GEN,
                                       &params, &publicKeyTemp, false, true,
                                       nullptr));
     ScopedSECKEYPublicKey publicKey(publicKeyTemp);
     if (privateKey) {
       return CreateTestKeyPair(RSA_PKCS1(), publicKey, privateKey);
@@ -257,18 +257,19 @@ GenerateKeyPairInner()
     if (PR_GetError() != SEC_ERROR_PKCS11_FUNCTION_FAILED) {
       break;
     }
 
     // Since these keys are only for testing, we don't need them to be good,
     // random keys.
     // https://xkcd.com/221/
     static const uint8_t RANDOM_NUMBER[] = { 4, 4, 4, 4, 4, 4, 4, 4 };
-    if (PK11_RandomUpdate((void*) &RANDOM_NUMBER,
-                          sizeof(RANDOM_NUMBER)) != SECSuccess) {
+    if (PK11_RandomUpdate(
+          const_cast<void*>(reinterpret_cast<const void*>(RANDOM_NUMBER)),
+          sizeof(RANDOM_NUMBER)) != SECSuccess) {
       break;
     }
   }
 
   abort();
 }
 
 } // namespace
--- a/security/nss/lib/softoken/legacydb/lgattr.c
+++ b/security/nss/lib/softoken/legacydb/lgattr.c
@@ -1064,17 +1064,17 @@ static CK_RV
 lg_FindTrustAttribute(LGObjectCache *obj, CK_ATTRIBUTE_TYPE type,
                       CK_ATTRIBUTE *attribute)
 {
     NSSLOWCERTTrust *trust;
     NSSLOWCERTCertDBHandle *certHandle;
     NSSLOWCERTCertificate *cert;
     unsigned char hash[SHA1_LENGTH];
     unsigned int trustFlags;
-    CK_RV crv;
+    CK_RV crv = CKR_CANCEL;
 
     switch (type) {
         case CKA_PRIVATE:
             return LG_CLONE_ATTR(attribute, type, lg_StaticFalseAttr);
         case CKA_MODIFIABLE:
             return LG_CLONE_ATTR(attribute, type, lg_StaticTrueAttr);
         case CKA_CERT_SHA1_HASH:
         case CKA_CERT_MD5_HASH:
--- a/security/nss/lib/ssl/tls13esni.c
+++ b/security/nss/lib/ssl/tls13esni.c
@@ -575,17 +575,17 @@ loser:
 SECStatus
 tls13_ClientSetupESNI(sslSocket *ss)
 {
     ssl3CipherSuite suite;
     sslEphemeralKeyPair *keyPair;
     size_t i;
     PRCList *cur;
     SECStatus rv;
-    TLS13KeyShareEntry *share;
+    TLS13KeyShareEntry *share = NULL;
     const sslNamedGroupDef *group = NULL;
     PRTime now = PR_Now() / PR_USEC_PER_SEC;
 
     PORT_Assert(!ss->xtnData.esniPrivateKey);
 
     if (!ss->esniKeys) {
         return SECSuccess;
     }
--- a/security/nss/tests/common/certsetup.sh
+++ b/security/nss/tests/common/certsetup.sh
@@ -50,14 +50,16 @@ make_cert() {
         touch empty.txt
         type_args=(-q nistp256 --extGeneric 1.3.6.1.4.1.44363.44:not-critical:empty.txt)
         type=ec
         ;;
   esac
   msg="create certificate: $@"
   shift 2
   counter=$(($counter + 1))
-  certscript $@ | ${BINDIR}/certutil -S \
+  cmd=(${BINDIR}/certutil -S \
     -z "$R_NOISE_FILE" -d "$PROFILEDIR" \
     -n $name -s "CN=$name" -t "$trust" "${sign[@]}" -m "$counter" \
-    -w -2 -v 120 -k "$type" "${type_args[@]}" "${sighash[@]}" -1 -2
+    -w -2 -v 120 -k "$type" "${type_args[@]}" "${sighash[@]}" -1 -2)
+  echo "${cmd[@]}"
+  certscript $@ | "${cmd[@]}"
   html_msg $? 0 "$msg"
 }