Bug 1840365 - land NSS NSS_3_91_RTM UPGRADE_NSS_RELEASE, r=nss-reviewers,nkulatova

Differential Revision: https://phabricator.services.mozilla.com/D182477

security/nss/TAG-INFO

@@ -1 +1 @@
-NSS_3_91_BETA1
+NSS_3_91_RTM

security/nss/coreconf/coreconf.dep

@@ -10,4 +10,3 @@
  */
 
 #error "Do not include this header file."
-

security/nss/doc/rst/releases/index.rst

@@ -8,6 +8,8 @@ Releases
    :glob:
    :hidden:
 
+   nss_3_91_0.rst
+   nss_3_90_0.rst
    nss_3_89_1.rst
    nss_3_89.rst
    nss_3_88_1.rst
@@ -53,18 +55,27 @@ Releases
 
 .. note::
 
-   **NSS 3.89.1** is the latest version of NSS.
-   Complete release notes are available here: :ref:`mozilla_projects_nss_nss_3_89_1_release_notes`
-
-   **NSS 3.79.4** is the latest ESR version of NSS.
-   Complete release notes are available here: :ref:`mozilla_projects_nss_nss_3_79_4_release_notes`
+   **NSS 3.91.0** is the latest version of NSS.
+   Complete release notes are available here: :ref:`mozilla_projects_nss_nss_3_91_0_release_notes`
 
+   **NSS 3.90.0 (ESR)** is the latest version of NSS.
+   Complete release notes are available here: :ref:`mozilla_projects_nss_nss_3_90_0_release_notes`
 
 .. container::
 
-   Changes in 3.89.1 included in this release:
-
-   - Bug 1804505 - Update the technical constraints for KamuSM.
-   - Bug 1822921 - Add BJCA Global Root CA1 and CA2 root certificates.
-
+   Changes in 3.91 included in this release:
 
+ - Bug 1837431 - Implementation of the HW support check for ADX instruction
+ - Bug 1836925 - Removing the support of Curve25519
+ - Bug 1839795 - Fix comment about the addition of ticketSupportsEarlyData.
+ - Bug 1839327 - Adding args to enable-legacy-db build
+ - Bug 1835357 dbtests.sh failure in "certutil dump keys with explicit default trust flags"
+ - Bug 1837617: Initialize flags in slot structures
+ - Bug 1835425: Improve the length check of RSA input to avoid heap overflow
+ - Bug 1829112 - Followup Fixes
+ - Bug 1784253: avoid processing unexpected inputs by checking for m_exptmod base sign
+ - Bug 1826652: add a limit check on order_k to avoid infinite loop
+ - Bug 1834851 - Update HACL* to commit 5f6051d2.
+ - Bug 1753026 - add SHA3 to cryptohi and softoken.
+ - Bug 1753026: HACL SHA3
+ - Bug 1836781 - Disabling ASM C25519 for A but X86_64

security/nss/doc/rst/releases/nss_3_90.rst

@@ -0,0 +1,89 @@
+.. _mozilla_projects_nss_nss_3_90_release_notes:
+
+NSS 3.90 release notes
+======================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+   Network Security Services (NSS) 3.90 was released on *4 June 2023**.
+
+
+.. _distribution_information:
+
+`Distribution Information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+   The HG tag is NSS_3_90_RTM. NSS 3.90 requires NSPR 4.35 or newer.
+
+   NSS 3.90 source distributions are available on ftp.mozilla.org for secure HTTPS download:
+
+   -  Source tarballs:
+      https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_90_RTM/src/
+
+   Other releases are available :ref:`mozilla_projects_nss_releases`.
+
+.. _changes_in_nss_3.90:
+
+`Changes in NSS 3.90 <#changes_in_nss_3.90>`__
+----------------------------------------------------
+
+.. container::
+
+
+- Bug 1623338 - ride along: remove a duplicated doc page
+- Bug 1623338 - remove a reference to IRC
+- Bug 1831983 - clang-format lib/freebl/stubs.c
+- Bug 1831983 - Add a constant time select function
+- Bug 1774657 - Updating an old dbm with lots of certs with keys to sql results in a database that is slow to access.
+- Bug 1830973 - output early build errors by default
+- Bug 1804505 - Update the technical constraints for KamuSM
+- Bug 1822921 - Add BJCA Global Root CA1 and CA2 root certificates
+- Bug 1790763 - Enable default UBSan Checks
+- Bug 1786018 - Add explicit handling of zero length records
+- Bug 1829391 - Tidy up DTLS ACK Error Handling Path
+- Bug 1786018 - Refactor zero length record tests
+- Bug 1829112 - Fix compiler warning via correct assert
+- Bug 1755267 - run linux tests on nss-t/t-linux-xlarge-gcp
+- Bug 1806496 - In FIPS mode, nss should reject RSASSA-PSS salt lengths larger than the output size of the hash function used, or provide an indicator
+- Bug 1784163 - Fix reading raw negative numbers
+- Bug 1748237 - Repairing unreachable code in clang built with gyp
+- Bug 1783647 - Integrate Vale Curve25519
+- Bug 1799468 - Removing unused flags for Hacl*
+- Bug 1748237 - Adding a better error message
+- Bug 1727555 - Update HACL* till 51a72a953a4ee6f91e63b2816ae5c4e62edf35d6
+- Bug 1782980 - Fall back to the softokn when writing certificate trust
+- Bug 1806010 - FIPS-104-3 requires we restart post programmatically
+- Bug 1826650 - cmd/ecperf: fix dangling pointer warning on gcc 13
+- Bug 1818766 - Update ACVP dockerfile for compatibility with debian package changes
+- Bug 1815796 - Add a CI task for tracking ECCKiila code status, update whitespace in ECCKiila files
+- Bug 1819958 - Removed deprecated sprintf function and replaced with snprintf
+- Bug 1822076 - fix rst warnings in nss doc
+- Bug 1821997 - Fix incorrect pygment style
+- Bug 1821292 - Change GYP directive to apply across platforms
+- Add libsmime3 abi-check exception for NSS_CMSSignerInfo_GetDigestAlgTag
+
+
+`Compatibility <#compatibility>`__
+----------------------------------
+
+.. container::
+
+   NSS 3.90 shared libraries are backwards-compatible with all older NSS 3.x shared
+   libraries. A program linked with older NSS 3.x shared libraries will work with
+   this new version of the shared libraries without recompiling or
+   relinking. Furthermore, applications that restrict their use of NSS APIs to the
+   functions listed in NSS Public Functions will remain compatible with future
+   versions of the NSS shared libraries.
+
+`Feedback <#feedback>`__
+------------------------
+
+.. container::
+
+   Bugs discovered should be reported by filing a bug report on
+   `bugzilla.mozilla.org <https://bugzilla.mozilla.org/enter_bug.cgi?product=NSS>`__ (product NSS).

security/nss/doc/rst/releases/nss_3_91.rst

@@ -0,0 +1,70 @@
+.. _mozilla_projects_nss_nss_3_91_release_notes:
+
+NSS 3.91 release notes
+======================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+   Network Security Services (NSS) 3.91 was released on *9 March 2023**.
+
+
+.. _distribution_information:
+
+`Distribution Information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+   The HG tag is NSS_3_91_RTM. NSS 3.91 requires NSPR 4.35 or newer.
+
+   NSS 3.91 source distributions are available on ftp.mozilla.org for secure HTTPS download:
+
+   -  Source tarballs:
+      https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_91_RTM/src/
+
+   Other releases are available :ref:`mozilla_projects_nss_releases`.
+
+.. _changes_in_nss_3.91:
+
+`Changes in NSS 3.91 <#changes_in_nss_3.91>`__
+----------------------------------------------------
+
+.. container::
+
+ - Bug 1837431 - Implementation of the HW support check for ADX instruction
+ - Bug 1836925 - Removing the support of Curve25519
+ - Bug 1839795 - Fix comment about the addition of ticketSupportsEarlyData.
+ - Bug 1839327 - Adding args to enable-legacy-db build
+ - Bug 1835357 dbtests.sh failure in "certutil dump keys with explicit default trust flags"
+ - Bug 1837617: Initialize flags in slot structures
+ - Bug 1835425: Improve the length check of RSA input to avoid heap overflow
+ - Bug 1829112 - Followup Fixes
+ - Bug 1784253: avoid processing unexpected inputs by checking for m_exptmod base sign
+ - Bug 1826652: add a limit check on order_k to avoid infinite loop
+ - Bug 1834851 - Update HACL* to commit 5f6051d2.
+ - Bug 1753026 - add SHA3 to cryptohi and softoken.
+ - Bug 1753026: HACL SHA3
+ - Bug 1836781 - Disabling ASM C25519 for A but X86_64
+
+`Compatibility <#compatibility>`__
+----------------------------------
+
+.. container::
+
+   NSS 3.91 shared libraries are backwards-compatible with all older NSS 3.x shared
+   libraries. A program linked with older NSS 3.x shared libraries will work with
+   this new version of the shared libraries without recompiling or
+   relinking. Furthermore, applications that restrict their use of NSS APIs to the
+   functions listed in NSS Public Functions will remain compatible with future
+   versions of the NSS shared libraries.
+
+`Feedback <#feedback>`__
+------------------------
+
+.. container::
+
+   Bugs discovered should be reported by filing a bug report on
+   `bugzilla.mozilla.org <https://bugzilla.mozilla.org/enter_bug.cgi?product=NSS>`__ (product NSS).

security/nss/lib/nss/nss.h

@@ -22,12 +22,12 @@
  * The format of the version string should be
  *     "<major version>.<minor version>[.<patch level>[.<build number>]][ <ECC>][ <Beta>]"
  */
-#define NSS_VERSION "3.91" _NSS_CUSTOMIZED " Beta"
+#define NSS_VERSION "3.91" _NSS_CUSTOMIZED
 #define NSS_VMAJOR 3
 #define NSS_VMINOR 91
 #define NSS_VPATCH 0
 #define NSS_VBUILD 0
-#define NSS_BETA PR_TRUE
+#define NSS_BETA PR_FALSE
 
 #ifndef RC_INVOKED
 

security/nss/lib/softoken/softkver.h

@@ -17,11 +17,11 @@
  * The format of the version string should be
  *     "<major version>.<minor version>[.<patch level>[.<build number>]][ <ECC>][ <Beta>]"
  */
-#define SOFTOKEN_VERSION "3.91" SOFTOKEN_ECC_STRING " Beta"
+#define SOFTOKEN_VERSION "3.91" SOFTOKEN_ECC_STRING
 #define SOFTOKEN_VMAJOR 3
 #define SOFTOKEN_VMINOR 91
 #define SOFTOKEN_VPATCH 0
 #define SOFTOKEN_VBUILD 0
-#define SOFTOKEN_BETA PR_TRUE
+#define SOFTOKEN_BETA PR_FALSE
 
 #endif /* _SOFTKVER_H_ */

security/nss/lib/util/nssutil.h

@@ -19,12 +19,12 @@
  * The format of the version string should be
  *     "<major version>.<minor version>[.<patch level>[.<build number>]][ <Beta>]"
  */
-#define NSSUTIL_VERSION "3.91 Beta"
+#define NSSUTIL_VERSION "3.91"
 #define NSSUTIL_VMAJOR 3
 #define NSSUTIL_VMINOR 91
 #define NSSUTIL_VPATCH 0
 #define NSSUTIL_VBUILD 0
-#define NSSUTIL_BETA PR_TRUE
+#define NSSUTIL_BETA PR_FALSE
 
 SEC_BEGIN_PROTOS