Bug 1539227 - land NSS NSS_3_44_BETA2 UPGRADE_NSS_RELEASE, r=me
authorJ.C. Jones <jc@mozilla.com>
Tue, 07 May 2019 20:39:31 +0000
changeset 531865 e68228c66c551c0e34b6e17454cd6909f910ef22
parent 531864 26b7736f1f870568c867ee28dad3ef8e3a812a84
child 531866 a44f70589c96a0fbcfe065f868393fdec18e0b59
push id11265
push userffxbld-merge
push dateMon, 13 May 2019 10:53:39 +0000
reviewersme
bugs1539227
milestone68.0a1
Bug 1539227 - land NSS NSS_3_44_BETA2 UPGRADE_NSS_RELEASE, r=me
security/nss/TAG-INFO
security/nss/automation/abi-check/expected-report-libnss3.so.txt
security/nss/automation/abi-check/expected-report-libnssutil3.so.txt
security/nss/automation/abi-check/expected-report-libsmime3.so.txt
security/nss/cmd/certutil/certext.c
security/nss/cmd/certutil/certutil.c
security/nss/coreconf/Linux.mk
security/nss/coreconf/config.gypi
security/nss/coreconf/coreconf.dep
security/nss/doc/certutil.xml
security/nss/lib/certdb/certdb.c
security/nss/lib/certdb/certt.h
security/nss/lib/certhigh/certvfy.c
security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_cert.c
security/nss/lib/util/secoid.c
security/nss/lib/util/secoidt.h
security/nss/nss.gyp
security/nss/tests/chains/scenarios/ipsec.cfg
--- a/security/nss/TAG-INFO
+++ b/security/nss/TAG-INFO
@@ -1,1 +1,1 @@
-NSS_3_44_BETA1
+NSS_3_44_BETA2
--- a/security/nss/automation/abi-check/expected-report-libnss3.so.txt
+++ b/security/nss/automation/abi-check/expected-report-libnss3.so.txt
@@ -1,5 +1,21 @@
 
 1 Added function:
 
   'function SECStatus CERT_GetCertificateDer(const CERTCertificate*, SECItem*)'    {CERT_GetCertificateDer@@NSS_3.44}
 
+1 function with some indirect sub-type change:
+
+  [C]'function SECStatus CERT_AddOCSPAcceptableResponses(CERTOCSPRequest*, SECOidTag, ...)' at ocsp.c:2203:1 has some indirect sub-type changes:
+    parameter 2 of type 'typedef SECOidTag' has sub-type changes:
+      underlying type 'enum __anonymous_enum__' at secoidt.h:34:1 changed:
+        type size hasn't changed
+        3 enumerator insertions:
+          '__anonymous_enum__::SEC_OID_EXT_KEY_USAGE_IPSEC_END' value '361'
+          '__anonymous_enum__::SEC_OID_EXT_KEY_USAGE_IPSEC_TUNNEL' value '362'
+          '__anonymous_enum__::SEC_OID_EXT_KEY_USAGE_IPSEC_USER' value '363'
+
+        1 enumerator change:
+          '__anonymous_enum__::SEC_OID_TOTAL' from value '361' to '364' at secoidt.h:34:1
+
+
+
--- a/security/nss/automation/abi-check/expected-report-libnssutil3.so.txt
+++ b/security/nss/automation/abi-check/expected-report-libnssutil3.so.txt
@@ -0,0 +1,17 @@
+
+1 function with some indirect sub-type change:
+
+  [C]'function SECStatus NSS_GetAlgorithmPolicy(SECOidTag, PRUint32*)' at secoid.c:2234:1 has some indirect sub-type changes:
+    parameter 1 of type 'typedef SECOidTag' has sub-type changes:
+      underlying type 'enum __anonymous_enum__' at secoidt.h:34:1 changed:
+        type size hasn't changed
+        3 enumerator insertions:
+          '__anonymous_enum__::SEC_OID_EXT_KEY_USAGE_IPSEC_END' value '361'
+          '__anonymous_enum__::SEC_OID_EXT_KEY_USAGE_IPSEC_TUNNEL' value '362'
+          '__anonymous_enum__::SEC_OID_EXT_KEY_USAGE_IPSEC_USER' value '363'
+
+        1 enumerator change:
+          '__anonymous_enum__::SEC_OID_TOTAL' from value '361' to '364' at secoidt.h:34:1
+
+
+
--- a/security/nss/automation/abi-check/expected-report-libsmime3.so.txt
+++ b/security/nss/automation/abi-check/expected-report-libsmime3.so.txt
@@ -0,0 +1,47 @@
+
+1 function with some indirect sub-type change:
+
+  [C]'function PK11SymKey* NSS_CMSContentInfo_GetBulkKey(NSSCMSContentInfo*)' at cmscinfo.c:426:1 has some indirect sub-type changes:
+    parameter 1 of type 'NSSCMSContentInfo*' has sub-type changes:
+      in pointed to type 'typedef NSSCMSContentInfo' at cmst.h:54:1:
+        underlying type 'struct NSSCMSContentInfoStr' at cmst.h:126:1 changed:
+          type size hasn't changed
+          1 data member changes (2 filtered):
+           type of 'NSSCMSContent NSSCMSContentInfoStr::content' changed:
+             underlying type 'union NSSCMSContentUnion' at cmst.h:113:1 changed:
+               type size hasn't changed
+               1 data member changes (3 filtered):
+                type of 'NSSCMSEncryptedData* NSSCMSContentUnion::encryptedData' changed:
+                  in pointed to type 'typedef NSSCMSEncryptedData' at cmst.h:65:1:
+                    underlying type 'struct NSSCMSEncryptedDataStr' at cmst.h:463:1 changed:
+                      type size hasn't changed
+                      1 data member changes (1 filtered):
+                       type of 'NSSCMSAttribute** NSSCMSEncryptedDataStr::unprotectedAttr' changed:
+                         in pointed to type 'NSSCMSAttribute*':
+                           in pointed to type 'typedef NSSCMSAttribute' at cmst.h:69:1:
+                             underlying type 'struct NSSCMSAttributeStr' at cmst.h:482:1 changed:
+                               type size hasn't changed
+                               1 data member change:
+                                type of 'SECOidData* NSSCMSAttributeStr::typeTag' changed:
+                                  in pointed to type 'typedef SECOidData' at secoidt.h:16:1:
+                                    underlying type 'struct SECOidDataStr' at secoidt.h:518:1 changed:
+                                      type size hasn't changed
+                                      1 data member change:
+                                       type of 'SECOidTag SECOidDataStr::offset' changed:
+                                         underlying type 'enum __anonymous_enum__' at secoidt.h:34:1 changed:
+                                           type size hasn't changed
+                                           3 enumerator insertions:
+                                             '__anonymous_enum__::SEC_OID_EXT_KEY_USAGE_IPSEC_END' value '361'
+                                             '__anonymous_enum__::SEC_OID_EXT_KEY_USAGE_IPSEC_TUNNEL' value '362'
+                                             '__anonymous_enum__::SEC_OID_EXT_KEY_USAGE_IPSEC_USER' value '363'
+
+                                           1 enumerator change:
+                                             '__anonymous_enum__::SEC_OID_TOTAL' from value '361' to '364' at secoidt.h:34:1
+
+
+
+
+
+
+
+
--- a/security/nss/cmd/certutil/certext.c
+++ b/security/nss/cmd/certutil/certext.c
@@ -492,16 +492,23 @@ static const char *const
     extKeyUsageKeyWordArray[] = { "serverAuth",
                                   "clientAuth",
                                   "codeSigning",
                                   "emailProtection",
                                   "timeStamp",
                                   "ocspResponder",
                                   "stepUp",
                                   "msTrustListSigning",
+                                  "x509Any",
+                                  "ipsecIKE",
+                                  "ipsecIKEEnd",
+                                  "ipsecIKEIntermediate",
+                                  "ipsecEnd",
+                                  "ipsecTunnel",
+                                  "ipsecUser",
                                   NULL };
 
 static SECStatus
 AddExtKeyUsage(void *extHandle, const char *userSuppliedValue)
 {
     char buffer[5];
     int value;
     CERTOidSequence *os;
@@ -512,16 +519,20 @@ AddExtKeyUsage(void *extHandle, const ch
 
     os = CreateOidSequence();
     if ((CERTOidSequence *)NULL == os) {
         return SECFailure;
     }
 
     while (1) {
         if (!userSuppliedValue) {
+            /*
+             * none of the 'new' extended key usage options work with the prompted menu. This is so
+             * old scripts can continue to work.
+             */
             if (PrintChoicesAndGetAnswer(
                     "\t\t0 - Server Auth\n"
                     "\t\t1 - Client Auth\n"
                     "\t\t2 - Code Signing\n"
                     "\t\t3 - Email Protection\n"
                     "\t\t4 - Timestamp\n"
                     "\t\t5 - OCSP Responder\n"
                     "\t\t6 - Step-up\n"
@@ -567,16 +578,55 @@ AddExtKeyUsage(void *extHandle, const ch
                 rv = AddOidToSequence(os, SEC_OID_OCSP_RESPONDER);
                 break;
             case 6:
                 rv = AddOidToSequence(os, SEC_OID_NS_KEY_USAGE_GOVT_APPROVED);
                 break;
             case 7:
                 rv = AddOidToSequence(os, SEC_OID_MS_EXT_KEY_USAGE_CTL_SIGNING);
                 break;
+            /*
+             * These new usages can only be added explicitly by the userSuppliedValues. This allows old
+             * scripts which used '>7' as an exit value to continue to work.
+             */
+            case 8:
+                if (!userSuppliedValue)
+                    goto endloop;
+                rv = AddOidToSequence(os, SEC_OID_X509_ANY_EXT_KEY_USAGE);
+                break;
+            case 9:
+                if (!userSuppliedValue)
+                    goto endloop;
+                rv = AddOidToSequence(os, SEC_OID_EXT_KEY_USAGE_IPSEC_IKE);
+                break;
+            case 10:
+                if (!userSuppliedValue)
+                    goto endloop;
+                rv = AddOidToSequence(os, SEC_OID_IPSEC_IKE_END);
+                break;
+            case 11:
+                if (!userSuppliedValue)
+                    goto endloop;
+                rv = AddOidToSequence(os, SEC_OID_IPSEC_IKE_INTERMEDIATE);
+                break;
+            case 12:
+                if (!userSuppliedValue)
+                    goto endloop;
+                rv = AddOidToSequence(os, SEC_OID_EXT_KEY_USAGE_IPSEC_END);
+                break;
+            case 13:
+                if (!userSuppliedValue)
+                    goto endloop;
+                rv = AddOidToSequence(os, SEC_OID_EXT_KEY_USAGE_IPSEC_TUNNEL);
+                break;
+            case 14:
+                if (!userSuppliedValue)
+                    goto endloop;
+                rv = AddOidToSequence(os, SEC_OID_EXT_KEY_USAGE_IPSEC_USER);
+                break;
             default:
                 goto endloop;
         }
 
         if (userSuppliedValue && !nextPos)
             break;
         if (SECSuccess != rv)
             goto loser;
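Review bot: Each of the seven new cases repeats `if (!userSuppliedValue) goto endloop;`, which restates the "menu stops at 7" policy seven times and is easy to forget on the next keyword; a single guard ahead of the `switch`, `if (!userSuppliedValue && value > 7) goto endloop;`, expresses it once and lets cases 8-14 shrink to their `AddOidToSequence` calls. The `switch` and the start of AddExtKeyUsage lie before this hunk. Separately, the new `x509Any` keyword lets certutil emit anyExtendedKeyUsage; a one-line comment at case 8 noting that relying parties that require a specific purpose may still reject such certificates (RFC 5280 §4.2.1.12) would help users reaching for it as a wildcard.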
--- a/security/nss/cmd/certutil/certutil.c
+++ b/security/nss/cmd/certutil/certutil.c
@@ -1357,18 +1357,21 @@ luC(enum usage_level ul, const char *com
               "%-20s Create netscape cert type extension. Possible keywords:\n"
               "%-20s \"sslClient\", \"sslServer\", \"smime\", \"objectSigning\",\n"
               "%-20s \"sslCA\", \"smimeCA\", \"objectSigningCA\", \"critical\".\n",
         "   -5 | --nsCertType keyword,keyword,... ", "", "", "");
     FPS "%-20s \n"
               "%-20s Create extended key usage extension. Possible keywords:\n"
               "%-20s \"serverAuth\", \"clientAuth\",\"codeSigning\",\n"
               "%-20s \"emailProtection\", \"timeStamp\",\"ocspResponder\",\n"
-              "%-20s \"stepUp\", \"msTrustListSign\", \"critical\"\n",
-        "   -6 | --extKeyUsage keyword,keyword,...", "", "", "", "");
+              "%-20s \"stepUp\", \"msTrustListSign\", \"x509Any\",\n"
+              "%-20s \"ipsecIKE\", \"ipsecIKEEnd\", \"ipsecIKEIntermediate\",\n"
+              "%-20s \"ipsecEnd\", \"ipsecTunnel\", \"ipsecUser\",\n"
+              "%-20s \"critical\"\n",
+        "   -6 | --extKeyUsage keyword,keyword,...", "", "", "", "", "", "", "");
     FPS "%-20s Create an email subject alt name extension\n",
         "   -7 emailAddrs");
     FPS "%-20s Create an dns subject alt name extension\n",
         "   -8 dnsNames");
     FPS "%-20s The input certificate request is encoded in ASCII (RFC1113)\n",
         "   -a");
     FPS "\n");
 }
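Review bot: The rewritten help line `"%-20s \"stepUp\", \"msTrustListSign\", \"x509Any\",\n"` keeps the keyword `msTrustListSign`, but the parser's `extKeyUsageKeyWordArray` in certext.c spells it `msTrustListSigning`, so a user who copies the documented keyword gets an unrecognized value; since the line is touched anyway, change it to `"%-20s \"stepUp\", \"msTrustListSigning\", \"x509Any\",\n"`. The same spelling is carried into doc/certutil.xml in this changeset. The placeholder and argument counts match (eight `%-20s`, eight arguments), so the format itself is fine. The enclosing luC() starts before this hunk.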
--- a/security/nss/coreconf/Linux.mk
+++ b/security/nss/coreconf/Linux.mk
@@ -130,16 +130,20 @@ OS_PTHREAD = -lpthread
 endif
 
 OS_CFLAGS		= $(DSO_CFLAGS) $(OS_REL_CFLAGS) $(ARCHFLAG) -pipe -ffunction-sections -fdata-sections -DHAVE_STRERROR
 ifeq ($(KERNEL),Linux)
 	OS_CFLAGS	+= -DLINUX -Dlinux
 endif
 OS_LIBS			= $(OS_PTHREAD) -ldl -lc
 
+ifeq ($(OS_TARGET),Android)
+	OS_LIBS		+= -llog
+endif
+
 ifdef USE_PTHREADS
 	DEFINES		+= -D_REENTRANT
 endif
 
 DSO_CFLAGS		= -fPIC
 DSO_LDOPTS		= -shared $(ARCHFLAG) -Wl,--gc-sections
 # The linker on Red Hat Linux 7.2 and RHEL 2.1 (GNU ld version 2.11.90.0.8)
 # incorrectly reports undefined references in the libraries we link with, so
--- a/security/nss/coreconf/config.gypi
+++ b/security/nss/coreconf/config.gypi
@@ -161,16 +161,21 @@
         ],
       }],
       [ 'OS=="linux"', {
         'libraries': [
           '-ldl',
           '-lc',
         ],
       }],
+      [ 'OS=="android"', {
+        'libraries': [
+          '-llog',
+        ],
+      }],
       [ 'fuzz==1', {
         'variables': {
           'debug_optimization_level%': '1',
         },
       }],
       [ 'target_arch=="ia32" or target_arch=="x64"', {
         'defines': [
           'NSS_X86_OR_X64',
--- a/security/nss/coreconf/coreconf.dep
+++ b/security/nss/coreconf/coreconf.dep
@@ -5,9 +5,8 @@
 
 /*
  * A dummy header file that is a dependency for all the object files.
  * Used to force a full recompilation of NSS in Mozilla's Tinderbox
  * depend builds.  See comments in rules.mk.
  */
 
 #error "Do not include this header file."
-
--- a/security/nss/doc/certutil.xml
+++ b/security/nss/doc/certutil.xml
@@ -657,16 +657,51 @@ of the attribute codes:
 		msTrustListSign
 	</para>
 	</listitem>
 	<listitem>
 	<para>
 		critical
 	</para>
 	</listitem>
+	<listitem>
+	<para>
+		x509Any
+	</para>
+	</listitem>
+	<listitem>
+	<para>
+		ipsecIKE
+	</para>
+	</listitem>
+	<listitem>
+	<para>
+		ipsecIKEEnd
+	</para>
+	</listitem>
+	<listitem>
+	<para>
+		ipsecIKEIntermediate
+	</para>
+	</listitem>
+	<listitem>
+	<para>
+		ipsecEnd
+	</para>
+	</listitem>
+	<listitem>
+	<para>
+		ipsecTunnel
+	</para>
+	</listitem>
+	<listitem>
+	<para>
+		ipsecUser
+	</para>
+	</listitem>
 	</itemizedlist>
 <para>X.509 certificate extensions are described in RFC 5280.</para></listitem>
       </varlistentry>
 
       <varlistentry>
         <term>-7 emailAddrs</term>
         <listitem><para>Add a comma-separated list of email addresses to the subject alternative name extension of a certificate or certificate request that is being created or added to the database. Subject alternative name extensions are described in Section 4.2.1.7 of RFC 3280.</para></listitem>
       </varlistentry>
--- a/security/nss/lib/certdb/certdb.c
+++ b/security/nss/lib/certdb/certdb.c
@@ -442,105 +442,73 @@ cert_GetCertType(CERTCertificate *cert)
 
     /* Assert that it is safe to cast &cert->nsCertType to "PRInt32 *" */
     PORT_Assert(sizeof(cert->nsCertType) == sizeof(PRInt32));
     PR_ATOMIC_SET((PRInt32 *)&cert->nsCertType, nsCertType);
     return SECSuccess;
 }
 
 PRBool
-cert_EKUAllowsIPsecIKE(CERTCertificate *cert, PRBool *isCritical)
+cert_IsIPsecOID(CERTOidSequence *extKeyUsage)
 {
-    SECStatus rv;
-    SECItem encodedExtKeyUsage;
-    CERTOidSequence *extKeyUsage = NULL;
-    PRBool result = PR_FALSE;
-
-    rv = CERT_GetExtenCriticality(cert->extensions,
-                                  SEC_OID_X509_EXT_KEY_USAGE,
-                                  isCritical);
-    if (rv != SECSuccess) {
-        *isCritical = PR_FALSE;
+    if (findOIDinOIDSeqByTagNum(
+            extKeyUsage, SEC_OID_EXT_KEY_USAGE_IPSEC_IKE) == SECSuccess) {
+        return PR_TRUE;
     }
-
-    encodedExtKeyUsage.data = NULL;
-    rv = CERT_FindCertExtension(cert, SEC_OID_X509_EXT_KEY_USAGE,
-                                &encodedExtKeyUsage);
-    if (rv != SECSuccess) {
-        /* EKU not present, allowed. */
-        result = PR_TRUE;
-        goto done;
+    if (findOIDinOIDSeqByTagNum(
+            extKeyUsage, SEC_OID_IPSEC_IKE_END) == SECSuccess) {
+        return PR_TRUE;
     }
-
-    extKeyUsage = CERT_DecodeOidSequence(&encodedExtKeyUsage);
-    if (!extKeyUsage) {
-        /* failure */
-        goto done;
+    if (findOIDinOIDSeqByTagNum(
+            extKeyUsage, SEC_OID_IPSEC_IKE_INTERMEDIATE) == SECSuccess) {
+        return PR_TRUE;
     }
-
-    if (findOIDinOIDSeqByTagNum(extKeyUsage,
-                                SEC_OID_X509_ANY_EXT_KEY_USAGE) ==
-        SECSuccess) {
-        result = PR_TRUE;
-        goto done;
+    /* these are now deprecated, but may show up. Treat them the same as IKE */
+    if (findOIDinOIDSeqByTagNum(
+            extKeyUsage, SEC_OID_EXT_KEY_USAGE_IPSEC_END) == SECSuccess) {
+        return PR_TRUE;
     }
-
-    if (findOIDinOIDSeqByTagNum(extKeyUsage,
-                                SEC_OID_EXT_KEY_USAGE_IPSEC_IKE) ==
-        SECSuccess) {
-        result = PR_TRUE;
-        goto done;
+    if (findOIDinOIDSeqByTagNum(
+            extKeyUsage, SEC_OID_EXT_KEY_USAGE_IPSEC_TUNNEL) == SECSuccess) {
+        return PR_TRUE;
     }
-
-    if (findOIDinOIDSeqByTagNum(extKeyUsage,
-                                SEC_OID_IPSEC_IKE_END) ==
-        SECSuccess) {
-        result = PR_TRUE;
-        goto done;
+    if (findOIDinOIDSeqByTagNum(
+            extKeyUsage, SEC_OID_EXT_KEY_USAGE_IPSEC_USER) == SECSuccess) {
+        return PR_TRUE;
     }
-
-    if (findOIDinOIDSeqByTagNum(extKeyUsage,
-                                SEC_OID_IPSEC_IKE_INTERMEDIATE) ==
-        SECSuccess) {
-        result = PR_TRUE;
-        goto done;
+    /* this one should probably be in cert_ComputeCertType and set all usages? */
+    if (findOIDinOIDSeqByTagNum(
+            extKeyUsage, SEC_OID_X509_ANY_EXT_KEY_USAGE) == SECSuccess) {
+        return PR_TRUE;
     }
-
-done:
-    if (encodedExtKeyUsage.data != NULL) {
-        PORT_Free(encodedExtKeyUsage.data);
-    }
-    if (extKeyUsage != NULL) {
-        CERT_DestroyOidSequence(extKeyUsage);
-    }
-    return result;
+    return PR_FALSE;
 }
 
 PRUint32
 cert_ComputeCertType(CERTCertificate *cert)
 {
     SECStatus rv;
     SECItem tmpitem;
     SECItem encodedExtKeyUsage;
     CERTOidSequence *extKeyUsage = NULL;
-    PRBool basicConstraintPresent = PR_FALSE;
     CERTBasicConstraints basicConstraint;
     PRUint32 nsCertType = 0;
+    PRBool isCA = PR_FALSE;
 
     tmpitem.data = NULL;
     CERT_FindNSCertTypeExtension(cert, &tmpitem);
     encodedExtKeyUsage.data = NULL;
     rv = CERT_FindCertExtension(cert, SEC_OID_X509_EXT_KEY_USAGE,
                                 &encodedExtKeyUsage);
     if (rv == SECSuccess) {
         extKeyUsage = CERT_DecodeOidSequence(&encodedExtKeyUsage);
     }
     rv = CERT_FindBasicConstraintExten(cert, &basicConstraint);
     if (rv == SECSuccess) {
-        basicConstraintPresent = PR_TRUE;
+        isCA = basicConstraint.isCA;
     }
     if (tmpitem.data != NULL || extKeyUsage != NULL) {
         if (tmpitem.data == NULL) {
             nsCertType = 0;
         } else {
             nsCertType = tmpitem.data[0];
         }
 
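Review bot: `cert_IsIPsecOID` also returns PR_TRUE for SEC_OID_X509_ANY_EXT_KEY_USAGE, so its name undersells what callers get, and the in-code question `/* this one should probably be in cert_ComputeCertType and set all usages? */` leaves a design decision open in shipped code. Either resolve it now, or replace the question with a header comment stating the actual contract, e.g. `/* True if the EKU sequence permits IKE use: any IPsec/IKE purpose (including the RFC 4945-obsoleted ones) or anyExtendedKeyUsage. Note anyExtendedKeyUsage currently grants only the IPsec bits. */`. Whether the sequence argument may be NULL is not visible here (the sibling findOIDinOIDSeqByTagNum callers pass it the same way), so I have not assumed either way. The enclosing cert_ComputeCertType continues past the end of this hunk.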
@@ -566,83 +534,74 @@ cert_ComputeCertType(CERTCertificate *ce
         /*
          * allow a cert with the extended key usage of EMail Protect
          * to be used for email or as an email CA, if basic constraints
          * indicates that it is a CA.
          */
         if (findOIDinOIDSeqByTagNum(extKeyUsage,
                                     SEC_OID_EXT_KEY_USAGE_EMAIL_PROTECT) ==
             SECSuccess) {
-            if (basicConstraintPresent == PR_TRUE && (basicConstraint.isCA)) {
-                nsCertType |= NS_CERT_TYPE_EMAIL_CA;
-            } else {
-                nsCertType |= NS_CERT_TYPE_EMAIL;
-            }
+            nsCertType |= isCA ? NS_CERT_TYPE_EMAIL_CA : NS_CERT_TYPE_EMAIL;
         }
         if (findOIDinOIDSeqByTagNum(
                 extKeyUsage, SEC_OID_EXT_KEY_USAGE_SERVER_AUTH) == SECSuccess) {
-            if (basicConstraintPresent == PR_TRUE && (basicConstraint.isCA)) {
-                nsCertType |= NS_CERT_TYPE_SSL_CA;
-            } else {
-                nsCertType |= NS_CERT_TYPE_SSL_SERVER;
-            }
+            nsCertType |= isCA ? NS_CERT_TYPE_SSL_CA : NS_CERT_TYPE_SSL_SERVER;
         }
         /*
          * Treat certs with step-up OID as also having SSL server type.
          * COMODO needs this behaviour until June 2020.  See Bug 737802.
          */
         if (findOIDinOIDSeqByTagNum(extKeyUsage,
                                     SEC_OID_NS_KEY_USAGE_GOVT_APPROVED) ==
             SECSuccess) {
-            if (basicConstraintPresent == PR_TRUE && (basicConstraint.isCA)) {
-                nsCertType |= NS_CERT_TYPE_SSL_CA;
-            } else {
-                nsCertType |= NS_CERT_TYPE_SSL_SERVER;
-            }
+            nsCertType |= isCA ? NS_CERT_TYPE_SSL_CA : NS_CERT_TYPE_SSL_SERVER;
         }
         if (findOIDinOIDSeqByTagNum(
                 extKeyUsage, SEC_OID_EXT_KEY_USAGE_CLIENT_AUTH) == SECSuccess) {
-            if (basicConstraintPresent == PR_TRUE && (basicConstraint.isCA)) {
-                nsCertType |= NS_CERT_TYPE_SSL_CA;
-            } else {
-                nsCertType |= NS_CERT_TYPE_SSL_CLIENT;
-            }
+            nsCertType |= isCA ? NS_CERT_TYPE_SSL_CA : NS_CERT_TYPE_SSL_CLIENT;
+        }
+        if (cert_IsIPsecOID(extKeyUsage)) {
+            nsCertType |= isCA ? NS_CERT_TYPE_IPSEC_CA : NS_CERT_TYPE_IPSEC;
         }
         if (findOIDinOIDSeqByTagNum(
                 extKeyUsage, SEC_OID_EXT_KEY_USAGE_CODE_SIGN) == SECSuccess) {
-            if (basicConstraintPresent == PR_TRUE && (basicConstraint.isCA)) {
-                nsCertType |= NS_CERT_TYPE_OBJECT_SIGNING_CA;
-            } else {
-                nsCertType |= NS_CERT_TYPE_OBJECT_SIGNING;
-            }
+            nsCertType |= isCA ? NS_CERT_TYPE_OBJECT_SIGNING_CA : NS_CERT_TYPE_OBJECT_SIGNING;
         }
         if (findOIDinOIDSeqByTagNum(
                 extKeyUsage, SEC_OID_EXT_KEY_USAGE_TIME_STAMP) == SECSuccess) {
             nsCertType |= EXT_KEY_USAGE_TIME_STAMP;
         }
         if (findOIDinOIDSeqByTagNum(extKeyUsage, SEC_OID_OCSP_RESPONDER) ==
             SECSuccess) {
             nsCertType |= EXT_KEY_USAGE_STATUS_RESPONDER;
         }
     } else {
         /* If no NS Cert Type extension and no EKU extension, then */
         nsCertType = 0;
         if (CERT_IsCACert(cert, &nsCertType))
             nsCertType |= EXT_KEY_USAGE_STATUS_RESPONDER;
         /* if the basic constraint extension says the cert is a CA, then
            allow SSL CA and EMAIL CA and Status Responder */
-        if (basicConstraintPresent && basicConstraint.isCA) {
+        if (isCA) {
             nsCertType |= (NS_CERT_TYPE_SSL_CA | NS_CERT_TYPE_EMAIL_CA |
                            EXT_KEY_USAGE_STATUS_RESPONDER);
         }
         /* allow any ssl or email (no ca or object signing. */
         nsCertType |= NS_CERT_TYPE_SSL_CLIENT | NS_CERT_TYPE_SSL_SERVER |
                       NS_CERT_TYPE_EMAIL;
     }
 
+    /* IPSEC is allowed to use SSL client and server certs as well as email certs */
+    if (nsCertType & (NS_CERT_TYPE_SSL_CLIENT | NS_CERT_TYPE_SSL_SERVER | NS_CERT_TYPE_EMAIL)) {
+        nsCertType |= NS_CERT_TYPE_IPSEC;
+    }
+    if (nsCertType & (NS_CERT_TYPE_SSL_CA | NS_CERT_TYPE_EMAIL_CA)) {
+        nsCertType |= NS_CERT_TYPE_IPSEC_CA;
+    }
+
     if (encodedExtKeyUsage.data != NULL) {
         PORT_Free(encodedExtKeyUsage.data);
     }
     if (extKeyUsage != NULL) {
         CERT_DestroyOidSequence(extKeyUsage);
     }
     return nsCertType;
 }
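Review bot: The block under `/* IPSEC is allowed to use SSL client and server certs as well as email certs */` grants NS_CERT_TYPE_IPSEC to every certificate carrying any TLS client/server or email type and NS_CERT_TYPE_IPSEC_CA to every SSL or email CA — including certificates with no EKU and no nsCertType at all, since the else branch above sets those bits unconditionally. That is a trust policy rather than a derived fact, and the comment should say why it is acceptable, e.g. `/* Policy: IKE peers routinely present certificates issued for TLS or S/MIME use, so treat those types (and their CAs) as valid for certUsageIPsec. */`, citing the RFC 4945 EKU guidance if it matches on re-reading. Being explicit also makes it clear that the grant is intentional for EKU-less certificates, which callers of certUsageIPsec will otherwise have to discover by experiment. cert_ComputeCertType begins before this hunk.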
@@ -1148,17 +1107,17 @@ CERT_KeyUsageAndTypeForCertUsage(SECCert
                 requiredCertType = NS_CERT_TYPE_SSL_CA;
                 break;
             case certUsageSSLServer:
                 requiredKeyUsage = KU_KEY_CERT_SIGN;
                 requiredCertType = NS_CERT_TYPE_SSL_CA;
                 break;
             case certUsageIPsec:
                 requiredKeyUsage = KU_KEY_CERT_SIGN;
-                requiredCertType = NS_CERT_TYPE_SSL_CA;
+                requiredCertType = NS_CERT_TYPE_IPSEC_CA;
                 break;
             case certUsageSSLCA:
                 requiredKeyUsage = KU_KEY_CERT_SIGN;
                 requiredCertType = NS_CERT_TYPE_SSL_CA;
                 break;
             case certUsageEmailSigner:
                 requiredKeyUsage = KU_KEY_CERT_SIGN;
                 requiredCertType = NS_CERT_TYPE_EMAIL_CA;
@@ -1195,17 +1154,17 @@ CERT_KeyUsageAndTypeForCertUsage(SECCert
                 break;
             case certUsageSSLServer:
                 requiredKeyUsage = KU_KEY_AGREEMENT_OR_ENCIPHERMENT;
                 requiredCertType = NS_CERT_TYPE_SSL_SERVER;
                 break;
             case certUsageIPsec:
                 /* RFC 4945 Section 5.1.3.2 */
                 requiredKeyUsage = KU_DIGITAL_SIGNATURE_OR_NON_REPUDIATION;
-                requiredCertType = 0;
+                requiredCertType = NS_CERT_TYPE_IPSEC;
                 break;
             case certUsageSSLServerWithStepUp:
                 requiredKeyUsage =
                     KU_KEY_AGREEMENT_OR_ENCIPHERMENT | KU_NS_GOVT_APPROVED;
                 requiredCertType = NS_CERT_TYPE_SSL_SERVER;
                 break;
             case certUsageSSLCA:
                 requiredKeyUsage = KU_KEY_CERT_SIGN;
--- a/security/nss/lib/certdb/certt.h
+++ b/security/nss/lib/certdb/certt.h
@@ -411,35 +411,49 @@ struct CERTCrlNodeStr {
  */
 struct CERTDistNamesStr {
     PLArenaPool *arena;
     int nnames;
     SECItem *names;
     void *head; /* private */
 };
 
+/*
+ * NS_CERT_TYPE defines are used in two areas:
+ * 1) The old NSS Cert Type Extension, which is a certificate extension in the
+ * actual cert. It was created before the x509 Extended Key Usage Extension,
+ * which has now taken over it's function. This field is only 8 bits wide
+ * 2) The nsCertType entry in the CERTCertificate structure. This field is
+ * 32 bits wide.
+ * Any entries in this table greater than 0x80 will not be able to be encoded
+ * in an NSS Cert Type Extension, but can still be represented internally in
+ * the nsCertType field.
+ */
+#define NS_CERT_TYPE_IPSEC_CA (0x200)         /* outside the NS Cert Type Extenstion */
+#define NS_CERT_TYPE_IPSEC (0x100)            /* outside the NS Cert Type Extenstion */
 #define NS_CERT_TYPE_SSL_CLIENT (0x80)        /* bit 0 */
 #define NS_CERT_TYPE_SSL_SERVER (0x40)        /* bit 1 */
 #define NS_CERT_TYPE_EMAIL (0x20)             /* bit 2 */
 #define NS_CERT_TYPE_OBJECT_SIGNING (0x10)    /* bit 3 */
 #define NS_CERT_TYPE_RESERVED (0x08)          /* bit 4 */
 #define NS_CERT_TYPE_SSL_CA (0x04)            /* bit 5 */
 #define NS_CERT_TYPE_EMAIL_CA (0x02)          /* bit 6 */
 #define NS_CERT_TYPE_OBJECT_SIGNING_CA (0x01) /* bit 7 */
 
 #define EXT_KEY_USAGE_TIME_STAMP (0x8000)
 #define EXT_KEY_USAGE_STATUS_RESPONDER (0x4000)
 
 #define NS_CERT_TYPE_APP                                                      \
     (NS_CERT_TYPE_SSL_CLIENT | NS_CERT_TYPE_SSL_SERVER | NS_CERT_TYPE_EMAIL | \
-     NS_CERT_TYPE_OBJECT_SIGNING)
+     NS_CERT_TYPE_IPSEC | NS_CERT_TYPE_OBJECT_SIGNING)
 
-#define NS_CERT_TYPE_CA                            \
-    (NS_CERT_TYPE_SSL_CA | NS_CERT_TYPE_EMAIL_CA | \
-     NS_CERT_TYPE_OBJECT_SIGNING_CA | EXT_KEY_USAGE_STATUS_RESPONDER)
+#define NS_CERT_TYPE_CA                                                \
+    (NS_CERT_TYPE_SSL_CA | NS_CERT_TYPE_EMAIL_CA |                     \
+     NS_CERT_TYPE_OBJECT_SIGNING_CA | EXT_KEY_USAGE_STATUS_RESPONDER | \
+     NS_CERT_TYPE_IPSEC_CA)
 typedef enum SECCertUsageEnum {
     certUsageSSLClient = 0,
     certUsageSSLServer = 1,
     certUsageSSLServerWithStepUp = 2,
     certUsageSSLCA = 3,
     certUsageEmailSigner = 4,
     certUsageEmailRecipient = 5,
     certUsageObjectSigner = 6,
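Review bot: The new comment says entries "greater than 0x80" cannot be encoded in the NS Cert Type extension, but 0x80 is NS_CERT_TYPE_SSL_CLIENT, bit 0 of that 8-bit field, so the boundary is the byte, not 0x80; say `Any value outside the low 8 bits (> 0xFF) cannot be encoded in the Netscape Cert Type extension, but can still be represented in the 32-bit nsCertType field.` The same paragraph has "Extenstion" twice (also in the two new trailing comments) and "it's function" for "its". It would help to state the bit layout once — 0x100/0x200 are the IPsec types, 0x4000/0x8000 the EXT_KEY_USAGE_* flags — so the next addition does not collide. The SECCertUsageEnum that begins at the end of this hunk continues past it.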
--- a/security/nss/lib/certhigh/certvfy.c
+++ b/security/nss/lib/certhigh/certvfy.c
@@ -1396,17 +1396,16 @@ CERT_VerifyCertificate(CERTCertDBHandle 
     }
 
     /* check key usage and netscape cert type */
     cert_GetCertType(cert);
     certType = cert->nsCertType;
 
     for (i = 1; i <= certificateUsageHighest &&
                 (SECSuccess == valid || returnedUsages || log);) {
-        PRBool typeAndEKUAllowed = PR_TRUE;
         PRBool requiredUsage = (i & requiredUsages) ? PR_TRUE : PR_FALSE;
         if (PR_FALSE == requiredUsage && PR_FALSE == checkAllUsages) {
             NEXT_USAGE();
         }
         if (returnedUsages) {
             *returnedUsages |= i; /* start off assuming this usage is valid */
         }
         switch (certUsage) {
@@ -1446,29 +1445,17 @@ CERT_VerifyCertificate(CERTCertDBHandle 
         }
         if (CERT_CheckKeyUsage(cert, requiredKeyUsage) != SECSuccess) {
             if (PR_TRUE == requiredUsage) {
                 PORT_SetError(SEC_ERROR_INADEQUATE_KEY_USAGE);
             }
             LOG_ERROR(log, cert, 0, requiredKeyUsage);
             INVALID_USAGE();
         }
-        if (certUsage != certUsageIPsec) {
-            if (!(certType & requiredCertType)) {
-                typeAndEKUAllowed = PR_FALSE;
-            }
-        } else {
-            PRBool isCritical;
-            PRBool allowed = cert_EKUAllowsIPsecIKE(cert, &isCritical);
-            /* If the extension isn't critical, we allow any EKU value. */
-            if (isCritical && !allowed) {
-                typeAndEKUAllowed = PR_FALSE;
-            }
-        }
-        if (!typeAndEKUAllowed) {
+        if (!(certType & requiredCertType)) {
             if (PR_TRUE == requiredUsage) {
                 PORT_SetError(SEC_ERROR_INADEQUATE_CERT_TYPE);
             }
             LOG_ERROR(log, cert, 0, requiredCertType);
             INVALID_USAGE();
         }
 
         rv = cert_CheckLeafTrust(cert, certUsage, &flags, &trusted);
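Review bot: With the IPsec branch removed, `if (!(certType & requiredCertType))` is the only check for certUsageIPsec, and the EKU extension's criticality, which the deleted code consulted (`/* If the extension isn't critical, we allow any EKU value. */`), no longer matters anywhere on this path; that is a tightening for certificates whose non-critical EKU lists neither an IPsec/IKE purpose nor anyExtendedKeyUsage, which now fail with SEC_ERROR_INADEQUATE_CERT_TYPE where they previously passed. If intended, a comment at the check would stop the next reader from re-adding the special case, e.g. `/* certUsageIPsec is covered by NS_CERT_TYPE_IPSEC(_CA), derived from the EKU in cert_ComputeCertType; EKU criticality is deliberately not consulted. */`, and the change deserves a line in the release notes. CERT_VerifyCertificate starts and ends outside this hunk.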
--- a/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_cert.c
+++ b/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_cert.c
@@ -2997,27 +2997,18 @@ PKIX_PL_Cert_VerifyCertAndKeyType(
         /* use this key usage and cert type for certUsageAnyCA and
          * certUsageVerifyCA. */
 	requiredKeyUsage = KU_KEY_CERT_SIGN;
 	requiredCertType = NS_CERT_TYPE_CA;
     }
     if (CERT_CheckKeyUsage(cert->nssCert, requiredKeyUsage) != SECSuccess) {
         PKIX_ERROR(PKIX_CERTCHECKKEYUSAGEFAILED);
     }
-    if (certUsage != certUsageIPsec) {
-        if (!(certType & requiredCertType)) {
-            PKIX_ERROR(PKIX_CERTCHECKCERTTYPEFAILED);
-        }
-    } else {
-        PRBool isCritical;
-        PRBool allowed = cert_EKUAllowsIPsecIKE(cert->nssCert, &isCritical);
-        /* If the extension isn't critical, we allow any EKU value. */
-        if (isCritical && !allowed) {
-            PKIX_ERROR(PKIX_CERTCHECKCERTTYPEFAILED);
-        }
+    if (!(certType & requiredCertType)) {
+        PKIX_ERROR(PKIX_CERTCHECKCERTTYPEFAILED);
     }
 cleanup:
     PKIX_DECREF(basicConstraints);
     PKIX_RETURN(CERT);
 }
 
 /*
  * FUNCTION: PKIX_PL_Cert_VerifyKeyUsage (see comments in pkix_pl_pki.h)
--- a/security/nss/lib/util/secoid.c
+++ b/security/nss/lib/util/secoid.c
@@ -450,16 +450,21 @@ CONST_OID pkixRegCtrlOldCertID[] = { PKI
 CONST_OID pkixRegCtrlProtEncKey[] = { PKIX_ID_REGCTRL, 6 };
 CONST_OID pkixRegInfoUTF8Pairs[] = { PKIX_ID_REGINFO, 1 };
 CONST_OID pkixRegInfoCertReq[] = { PKIX_ID_REGINFO, 2 };
 
 CONST_OID pkixExtendedKeyUsageServerAuth[] = { PKIX_KEY_USAGE, 1 };
 CONST_OID pkixExtendedKeyUsageClientAuth[] = { PKIX_KEY_USAGE, 2 };
 CONST_OID pkixExtendedKeyUsageCodeSign[] = { PKIX_KEY_USAGE, 3 };
 CONST_OID pkixExtendedKeyUsageEMailProtect[] = { PKIX_KEY_USAGE, 4 };
+/* IPsecEnd, IPsecTunnel, and IPsecUser are deprecated, but still in use
+ * (see RFC4945) */
+CONST_OID pkixExtendedKeyUsageIPsecEnd[] = { PKIX_KEY_USAGE, 5 };
+CONST_OID pkixExtendedKeyUsageIPsecTunnel[] = { PKIX_KEY_USAGE, 6 };
+CONST_OID pkixExtendedKeyUsageIPsecUser[] = { PKIX_KEY_USAGE, 7 };
 CONST_OID pkixExtendedKeyUsageTimeStamp[] = { PKIX_KEY_USAGE, 8 };
 CONST_OID pkixOCSPResponderExtendedKeyUsage[] = { PKIX_KEY_USAGE, 9 };
 /* 17 replaces 5 + 6 + 7 (declared obsolete in RFC 4945) */
 CONST_OID pkixExtendedKeyUsageIPsecIKE[] = { PKIX_KEY_USAGE, 17 };
 CONST_OID msExtendedKeyUsageTrustListSigning[] = { MS_CRYPTO_EKU, 1 };
 
 CONST_OID ipsecIKEEnd[] = { INTERNET_SECURITY_MECH, 0x08, 0x02, 0x01 };
 CONST_OID ipsecIKEIntermediate[] = { INTERNET_SECURITY_MECH, 0x08, 0x02, 0x02 };
@@ -1773,16 +1778,28 @@ const static SECOidData oids[SEC_OID_TOT
     OD(ipsecIKEEnd,
        SEC_OID_IPSEC_IKE_END,
        "IPsec IKE End",
        CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
     OD(ipsecIKEIntermediate,
        SEC_OID_IPSEC_IKE_INTERMEDIATE,
        "IPsec IKE Intermediate",
        CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
+    OD(pkixExtendedKeyUsageIPsecEnd,
+       SEC_OID_EXT_KEY_USAGE_IPSEC_END,
+       "IPsec Tunnel",
+       CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
+    OD(pkixExtendedKeyUsageIPsecTunnel,
+       SEC_OID_EXT_KEY_USAGE_IPSEC_TUNNEL,
+       "IPsec Tunnel",
+       CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
+    OD(pkixExtendedKeyUsageIPsecUser,
+       SEC_OID_EXT_KEY_USAGE_IPSEC_USER,
+       "IPsec User",
+       CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
 };
 
 /* PRIVATE EXTENDED SECOID Table
  * This table is private. Its structure is opaque to the outside.
  * It is indexed by the same SECOidTag as the oids table above.
  * Every member of this struct must have accessor functions (set, get)
  * and those functions must operate by value, not by reference.
  * The addresses of the contents of this table must not be exposed
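Review bot: The description string for the new `pkixExtendedKeyUsageIPsecEnd` entry reads "IPsec Tunnel", identical to the IPsecTunnel entry two entries below, so the two tags print the same text wherever the OID description is shown (certificate dumps, diagnostics). It should be `"IPsec End",` to match the tag name and the naming used for the IPsec User entry. The encoded OID and tag are correct, so this is a display/diagnostic defect rather than a validation one.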
--- a/security/nss/lib/util/secoidt.h
+++ b/security/nss/lib/util/secoidt.h
@@ -493,16 +493,19 @@ typedef enum {
     SEC_OID_CURVE25519 = 355,
 
     SEC_OID_TLS13_KEA_ANY = 356,
 
     SEC_OID_X509_ANY_EXT_KEY_USAGE = 357,
     SEC_OID_EXT_KEY_USAGE_IPSEC_IKE = 358,
     SEC_OID_IPSEC_IKE_END = 359,
     SEC_OID_IPSEC_IKE_INTERMEDIATE = 360,
+    SEC_OID_EXT_KEY_USAGE_IPSEC_END = 361,
+    SEC_OID_EXT_KEY_USAGE_IPSEC_TUNNEL = 362,
+    SEC_OID_EXT_KEY_USAGE_IPSEC_USER = 363,
 
     SEC_OID_TOTAL
 } SECOidTag;
 
 #define SEC_OID_SECG_EC_SECP192R1 SEC_OID_ANSIX962_EC_PRIME192V1
 #define SEC_OID_SECG_EC_SECP256R1 SEC_OID_ANSIX962_EC_PRIME256V1
 #define SEC_OID_PKCS12_KEY_USAGE SEC_OID_X509_KEY_USAGE
 
--- a/security/nss/nss.gyp
+++ b/security/nss/nss.gyp
@@ -262,16 +262,20 @@
                 '<(nss_dist_obj_dir)/lib/<(dll_prefix)nssdbm3.chk',
                 '<(nss_dist_obj_dir)/lib/<(dll_prefix)softokn3.chk'
               ],
               'conditions': [
                 ['OS!="linux"', {
                   'inputs/': [['exclude', 'freeblpriv']],
                   'outputs/': [['exclude', 'freeblpriv']]
                 }],
+                ['disable_dbm==1', {
+                  'inputs/': [['exclude', 'nssdbm3']],
+                  'outputs/': [['exclude', 'nssdbm3']]
+                }],
               ],
               'action': ['<(python)', '<(DEPTH)/coreconf/shlibsign.py', '<@(_inputs)']
             }
           ],
         },
       ],
     }],
     [ 'fuzz_tls==1', {
--- a/security/nss/tests/chains/scenarios/ipsec.cfg
+++ b/security/nss/tests/chains/scenarios/ipsec.cfg
@@ -30,16 +30,68 @@ entity DigSigNonRepAndExtra
   issuer CA1
     ku digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
 
 entity NoMatch
   type EE
   issuer CA1
     ku keyEncipherment,dataEncipherment,keyAgreement
 
+entity NonCriticalServerAuthEKU
+  type EE
+  issuer CA1
+    eku serverAuth
+
+entity NonIPSECEKU
+  type EE
+  issuer CA1
+    eku codeSigning
+
+entity CriticalServerAuthEKU
+  type EE
+  issuer CA1
+    ku digitalSignature
+    eku critical,serverAuth
+
+entity EKUIPsecIKE
+  type EE
+  issuer CA1
+    ku digitalSignature
+    eku critical,ipsecIKE
+
+entity EKUIPsecIKEEnd
+  type EE
+  issuer CA1
+    ku digitalSignature
+    eku ipsecIKEEnd
+
+entity EKUIPsecIKEIntermediate
+  type EE
+  issuer CA1
+    ku digitalSignature
+    eku codeSigning,serverAuth,ipsecIKEIntermediate
+
+entity EKUAny
+  type EE
+  issuer CA1
+    ku digitalSignature
+    eku x509Any
+
+entity EKUEmail
+  type EE
+  issuer CA1
+    ku digitalSignature
+    eku emailProtection
+
+entity EKUIPsecUser
+  type EE
+  issuer CA1
+    ku digitalSignature
+    eku ipsecUser
+
 db All
 
 import Root::C,,
 import CA1:Root:
 
 verify NoKU:CA1
   usage 12
   result pass
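Review bot: Of the three deprecated EKU OIDs this commit adds (IPsecEnd, IPsecTunnel, IPsecUser), only the user value gets an entity here (`EKUIPsecUser`), so acceptance of ipsecEnd and ipsecTunnel is never exercised by the scenario. Two more entities of the same shape would pin them, provided the certutil EKU keyword parser changed in this commit accepts those names (it cannot be confirmed from this hunk). The matching `verify` blocks belong in the following hunk.
```text
entity EKUIPsecEnd
  type EE
  issuer CA1
    ku digitalSignature
    eku ipsecEnd

entity EKUIPsecTunnel
  type EE
  issuer CA1
    ku digitalSignature
    eku ipsecTunnel
```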
@@ -54,8 +106,44 @@ verify NonRep:CA1
 
 verify DigSigNonRepAndExtra:CA1
   usage 12
   result pass
 
 verify NoMatch:CA1
   usage 12
   result fail
+
+verify NonIPSECEKU:CA1
+  usage 12
+  result fail
+
+verify NonCriticalServerAuthEKU:CA1
+  usage 12
+  result pass
+
+verify CriticalServerAuthEKU:CA1
+  usage 12
+  result pass
+
+verify EKUIPsecIKE:CA1
+  usage 12
+  result pass
+
+verify EKUIPsecIKEEnd:CA1
+  usage 12
+  result pass
+
+verify EKUIPsecIKEIntermediate:CA1
+  usage 12
+  result pass
+
+verify EKUAny:CA1
+  usage 12
+  result pass
+
+verify EKUEmail:CA1
+  usage 12
+  result pass
+
+verify EKUIPsecUser:CA1
+  usage 12
+  result pass
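Review bot: The only expected-fail case, `NonIPSECEKU`, carries a non-critical EKU, so the scenario never pins that a critical EKU extension with no IPsec-acceptable value is rejected; `CriticalServerAuthEKU` passes only because serverAuth is an accepted value. An entity with `eku critical,codeSigning` (defined in the preceding hunk) plus a block `verify CriticalNonIPSECEKU:CA1` / `usage 12` / `result fail` would cover the critical-rejection path, which is the path the removed cert_EKUAllowsIPsecIKE logic in certvfy.c used to guard. Without it, a regression that ignores criticality entirely would still pass this file.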