Bug 1805486 - land NSS NSS_3_87_BETA1 UPGRADE_NSS_RELEASE, r=nss-reviewers,jschanck

Differential Revision: https://phabricator.services.mozilla.com/D164919
2022-12-16 18:33:28 +00:00 · 2022-12-16 18:33:28 +00:00 · 93d4366b2d
--- a/build/moz.configure/nss.configure
+++ b/build/moz.configure/nss.configure
@ -9,7 +9,7 @@ system_lib_option("--with-system-nss", help="Use system NSS")
 imply_option("--with-system-nspr", True, when="--with-system-nss")

 nss_pkg = pkg_check_modules(
-    "NSS", "nss >= 3.86", when="--with-system-nss", config=False
+    "NSS", "nss >= 3.87", when="--with-system-nss", config=False
 )

 set_config("MOZ_SYSTEM_NSS", True, when="--with-system-nss")
--- a/security/nss/TAG-INFO
+++ b/security/nss/TAG-INFO
@ -1 +1 @@
-NSS_3_86_RTM
+NSS_3_87_BETA1
--- a/security/nss/automation/abi-check/previous-nss-release
+++ b/security/nss/automation/abi-check/previous-nss-release
@ -1 +1 @@
-NSS_3_85_BRANCH
+NSS_3_86_BRANCH
--- a/security/nss/automation/taskcluster/docker-builds/Dockerfile
+++ b/security/nss/automation/taskcluster/docker-builds/Dockerfile
@ -11,12 +11,12 @@ RUN apt-get update \
    build-essential \
    ca-certificates \
    clang-4.0 \
+    clang-10 \
    clang \
    cmake \
    curl \
    g++-4.8-multilib \
    g++-5-multilib \
-    g++-6-multilib \
    g++-multilib \
    git \
    gyp \
@ -42,14 +42,6 @@ RUN apt-get update \
 && add-apt-repository ppa:ubuntu-toolchain-r/test -y \ 
 && apt-get update \
 && apt-get install --no-install-recommends -y \ 
-    gcc-9 \ 
-    g++-9 \ 
-    gcc-9-multilib \
-    g++-9-multilib \ 
-    gcc-10 \
-    g++-10 \ 
-    gcc-10-multilib \
-    g++-10-multilib \
    gcc-11-multilib \
    g++-11-multilib \
 && rm -rf /var/lib/apt/lists/* \
--- a/security/nss/automation/taskcluster/graph/src/extend.js
+++ b/security/nss/automation/taskcluster/graph/src/extend.js
@ -319,7 +319,7 @@ export default async function main() {
  );

  await scheduleMac("Mac (opt)", {collection: "opt"}, "--opt");
-  await scheduleMac("Mac Static (opt)", {collection: "opt-static"}, "--opt --static");
+  await scheduleMac("Mac Static (opt)", {collection: "opt-static"}, "--opt --static -Ddisable_libpkix=1");
  await scheduleMac("Mac (debug)", {collection: "debug"});

  // Must be executed after all other tasks are scheduled
@ -542,7 +542,14 @@ async function scheduleLinux(name, overrides, args = "") {
    },
    symbol: "clang-4"
  }));
-
+  queue.scheduleTask(merge(extra_base, {
+    name: `${name} w/ clang-10`,
+    env: {
+      CC: "clang-10",
+      CCC: "clang++-10",
+    },
+    symbol: "clang-10"
+  }));
  queue.scheduleTask(merge(extra_base, {
    name: `${name} w/ gcc-4.4`,
    image: LINUX_GCC44_IMAGE,
@ -590,33 +597,6 @@ async function scheduleLinux(name, overrides, args = "") {
    symbol: "gcc-5"
  }));

-  queue.scheduleTask(merge(extra_base, {
-    name: `${name} w/ gcc-6`,
-    env: {
-      CC: "gcc-6",
-      CCC: "g++-6"
-    },
-    symbol: "gcc-6"
-  }));
-
-  queue.scheduleTask(merge(extra_base, {
-    name: `${name} w/ gcc-9`,
-    env: {
-      CC: "gcc-9",
-      CCC: "g++-9"
-    },
-    symbol: "gcc-9"
-  }));
-
-  queue.scheduleTask(merge(extra_base, {
-    name: `${name} w/ gcc-10`,
-    env: {
-      CC: "gcc-10",
-      CCC: "g++-10",
-    },
-    symbol: "gcc-10"
-  }));
-
  queue.scheduleTask(merge(extra_base, {
    name: `${name} w/ gcc-11`,
    env: {
--- a/security/nss/build.sh
+++ b/security/nss/build.sh
@ -104,6 +104,7 @@ while [ $# -gt 0 ]; do
        --pprof) gyp_params+=(-Duse_pprof=1) ;;
        --asan) enable_sanitizer asan ;;
        --msan) enable_sanitizer msan ;;
+        --sourcecov) enable_sourcecov ;;
        --ubsan) enable_ubsan ;;
        --ubsan=?*) enable_ubsan "${1#*=}" ;;
        --fuzz) fuzz=1 ;;
--- a/security/nss/coreconf/check_cc.py
+++ b/security/nss/coreconf/check_cc.py
@ -10,8 +10,13 @@ def main():
    else:
        cc = os.environ.get('CC', 'cc')
        try:
-            cc_is_arg = sys.argv[1] in subprocess.check_output(
-              [cc, '--version'], universal_newlines=True)
+            if sys.argv[1] == "cc":
+                cc_output = subprocess.check_output(
+                    [cc, '--version'], universal_newlines=True)
+                cc_is_arg = "cc" in cc_output and not ("gcc" in cc_output)
+            else:
+                cc_is_arg = sys.argv[1] in subprocess.check_output(
+                  [cc, '--version'], universal_newlines=True)
        except OSError:
            # We probably just don't have CC/cc.
            cc_is_arg = False
--- a/security/nss/coreconf/config.gypi
+++ b/security/nss/coreconf/config.gypi
@ -75,6 +75,11 @@
        }, {
          'cc_is_gcc%': '0',
        }],
+        ['"<(GENERATOR)"=="ninja"', {
+          'cc_is_cc%': '<!("<(python)" <(DEPTH)/coreconf/check_cc.py cc)',
+        }, {
+          'cc_is_cc%': '0',
+        }],
      ],
    },
    # Copy conditionally-set variables out one scope.
@ -212,7 +217,7 @@
          },
        },
      }],
-      [ 'target_arch=="arm64" or target_arch=="aarch64" or target_arch=="sparc64" or target_arch=="ppc64" or target_arch=="ppc64le" or target_arch=="s390x" or target_arch=="mips64" or target_arch=="e2k" or target_arch=="riscv64"', {
+      [ 'target_arch=="arm64" or target_arch=="aarch64" or target_arch=="sparc64" or target_arch=="ppc64" or target_arch=="ppc64le" or target_arch=="s390x" or target_arch=="mips64" or target_arch=="e2k" or target_arch=="riscv64" or target_arch=="loongarch64"', {
        'defines': [
          'NSS_USE_64',
        ],
--- a/security/nss/coreconf/coreconf.dep
+++ b/security/nss/coreconf/coreconf.dep
@ -10,3 +10,4 @@
 */

 #error "Do not include this header file."
+
--- a/security/nss/coreconf/sanitizers.py
+++ b/security/nss/coreconf/sanitizers.py
@ -5,7 +5,7 @@ import sys

 def main():
    if len(sys.argv) < 2:
-        raise Exception('Specify either "asan", "msan", "sancov" or "ubsan" as argument.')
+        raise Exception('Specify either "asan", "msan", "sancov", "sourcecov" or "ubsan" as argument.')

    sanitizer = sys.argv[1]
    if sanitizer == "ubsan":
@ -26,8 +26,11 @@ def main():
            raise Exception('sancov requires another argument (edge|bb|func).')
        print('-fsanitize-coverage='+sys.argv[2]+' ', end='')
        return
+    if sanitizer == "sourcecov":
+        print('-fprofile-instr-generate -fcoverage-mapping', end='')
+        return

-    raise Exception('Specify either "asan", "msan", "sancov" or "ubsan" as argument.')
+    raise Exception('Specify either "asan", "msan", "sancov", "sourcecov" or "ubsan" as argument.')

 if __name__ == '__main__':
    main()
--- a/security/nss/coreconf/sanitizers.sh
+++ b/security/nss/coreconf/sanitizers.sh
@ -42,6 +42,11 @@ enable_sancov()
    enable_sanitizer sancov "$sancov"
 }

+enable_sourcecov()
+{
+    enable_sanitizer sourcecov
+}
+
 enable_ubsan()
 {
    local ubsan
--- a/security/nss/help.txt
+++ b/security/nss/help.txt
@ -32,6 +32,7 @@ NSS build tool options:
    --msan           enable memory sanitizer
    --ubsan          enable undefined behavior sanitizer
                     --ubsan=bool,shift,... sets specific UB sanitizers
+    --sourcecov      enable source-based coverage sanitizer
    --fuzz           build fuzzing targets (this always enables static builds)
                     --fuzz=tls to enable TLS fuzzing mode
                     --fuzz=oss to build for OSS-Fuzz
--- a/security/nss/lib/cryptohi/seckey.c
+++ b/security/nss/lib/cryptohi/seckey.c
@ -1044,14 +1044,18 @@ SECKEY_PublicKeyStrengthInBits(const SECKEYPublicKey *pubk)
 unsigned
 SECKEY_SignatureLen(const SECKEYPublicKey *pubk)
 {
-    unsigned char b0;
    unsigned size;

    switch (pubk->keyType) {
        case rsaKey:
        case rsaPssKey:
-            b0 = pubk->u.rsa.modulus.data[0];
-            return b0 ? pubk->u.rsa.modulus.len : pubk->u.rsa.modulus.len - 1;
+            if (pubk->u.rsa.modulus.len == 0) {
+                return 0;
+            }
+            if (pubk->u.rsa.modulus.data[0] == 0) {
+                return pubk->u.rsa.modulus.len - 1;
+            }
+            return pubk->u.rsa.modulus.len;
        case dsaKey:
            return pubk->u.dsa.params.subPrime.len * 2;
        case ecKey:
--- a/security/nss/lib/freebl/det_rng.c
+++ b/security/nss/lib/freebl/det_rng.c
@ -155,7 +155,9 @@ PRNGTEST_RunHealthTests()
 }

 SECStatus
-PRNGTEST_Instantiate_Kat()
+PRNGTEST_Instantiate_Kat(const PRUint8 *entropy, unsigned int entropy_len,
+                         const PRUint8 *nonce, unsigned int nonce_len,
+                         const PRUint8 *personal_string, unsigned int ps_len)
 {
    return SECFailure;
 }
--- a/security/nss/lib/freebl/ecl/ecp_secp384r1.c
+++ b/security/nss/lib/freebl/ecl/ecp_secp384r1.c
--- a/security/nss/lib/freebl/ecl/ecp_secp521r1.c
+++ b/security/nss/lib/freebl/ecl/ecp_secp521r1.c
--- a/security/nss/lib/freebl/rsa.c
+++ b/security/nss/lib/freebl/rsa.c
@ -899,6 +899,9 @@ cleanup:
 static unsigned int
 rsa_modulusLen(SECItem *modulus)
 {
+    if (modulus->len == 0) {
+        return 0;
+    };
    unsigned char byteZero = modulus->data[0];
    unsigned int modLen = modulus->len - !byteZero;
    return modLen;
@ -931,6 +934,13 @@ RSA_PublicKeyOp(RSAPublicKey *key,
    CHECK_MPI_OK(mp_init(&c));
    modLen = rsa_modulusLen(&key->modulus);
    expLen = rsa_modulusLen(&key->publicExponent);
+
+    if (modLen == 0) {
+        PORT_SetError(SEC_ERROR_INVALID_ARGS);
+        rv = SECFailure;
+        goto cleanup;
+    }
+
    /* 1.  Obtain public key (n, e) */
    if (BAD_RSA_KEY_SIZE(modLen, expLen)) {
        PORT_SetError(SEC_ERROR_INVALID_KEY);
@ -1434,6 +1444,10 @@ rsa_PrivateKeyOp(RSAPrivateKey *key,
    }
    /* check input out of range (needs to be in range [0..n-1]) */
    modLen = rsa_modulusLen(&key->modulus);
+    if (modLen == 0) {
+        PORT_SetError(SEC_ERROR_INVALID_ARGS);
+        return SECFailure;
+    }
    offset = (key->modulus.data[0] == 0) ? 1 : 0; /* may be leading 0 */
    if (memcmp(input, key->modulus.data + offset, modLen) >= 0) {
        PORT_SetError(SEC_ERROR_INVALID_ARGS);
--- a/security/nss/lib/freebl/rsapkcs.c
+++ b/security/nss/lib/freebl/rsapkcs.c
@ -80,6 +80,10 @@ constantTimeCondition(unsigned int c,
 static unsigned int
 rsa_modulusLen(SECItem *modulus)
 {
+    if (modulus->len == 0) {
+        return 0;
+    }
+
    unsigned char byteZero = modulus->data[0];
    unsigned int modLen = modulus->len - !byteZero;
    return modLen;
@ -88,9 +92,17 @@ rsa_modulusLen(SECItem *modulus)
 static unsigned int
 rsa_modulusBits(SECItem *modulus)
 {
+    if (modulus->len == 0) {
+        return 0;
+    }
+
    unsigned char byteZero = modulus->data[0];
    unsigned int numBits = (modulus->len - 1) * 8;

+    if (byteZero == 0 && modulus->len == 1) {
+        return 0;
+    }
+
    if (byteZero == 0) {
        numBits -= 8;
        byteZero = modulus->data[1];
--- a/security/nss/lib/nss/nss.h
+++ b/security/nss/lib/nss/nss.h
@ -22,12 +22,12 @@
 * The format of the version string should be
 *     "<major version>.<minor version>[.<patch level>[.<build number>]][ <ECC>][ <Beta>]"
 */
-#define NSS_VERSION "3.86" _NSS_CUSTOMIZED
+#define NSS_VERSION "3.87" _NSS_CUSTOMIZED " Beta"
 #define NSS_VMAJOR 3
-#define NSS_VMINOR 86
+#define NSS_VMINOR 87
 #define NSS_VPATCH 0
 #define NSS_VBUILD 0
-#define NSS_BETA PR_FALSE
+#define NSS_BETA PR_TRUE

 #ifndef RC_INVOKED

--- a/security/nss/lib/pkcs12/p12local.c
+++ b/security/nss/lib/pkcs12/p12local.c
@ -968,15 +968,14 @@ sec_pkcs12_convert_item_to_unicode(PLArenaPool *arena, SECItem *dest,
    if (zeroTerm) {
        /* unicode adds two nulls at the end */
        if (toUnicode) {
-            if ((dest->len >= 2) &&
-                (dest->data[dest->len - 1] || dest->data[dest->len - 2])) {
+            if ((dest->len < 2) || dest->data[dest->len - 1] || dest->data[dest->len - 2]) {
                /* we've already allocated space for these new NULLs */
                PORT_Assert(dest->len + 2 <= bufferSize);
                dest->len += 2;
                dest->data[dest->len - 1] = dest->data[dest->len - 2] = 0;
            }
            /* ascii/utf-8 adds just 1 */
-        } else if ((dest->len >= 1) && dest->data[dest->len - 1]) {
+        } else if (!dest->len || dest->data[dest->len - 1]) {
            PORT_Assert(dest->len + 1 <= bufferSize);
            dest->len++;
            dest->data[dest->len - 1] = 0;
--- a/security/nss/lib/softoken/lowkey.c
+++ b/security/nss/lib/softoken/lowkey.c
@ -226,15 +226,18 @@ nsslowkey_DestroyPublicKey(NSSLOWKEYPublicKey *pubk)
 unsigned
 nsslowkey_PublicModulusLen(NSSLOWKEYPublicKey *pubk)
 {
-    unsigned char b0;
-
    /* interpret modulus length as key strength... in
     * fortezza that's the public key length */

    switch (pubk->keyType) {
        case NSSLOWKEYRSAKey:
-            b0 = pubk->u.rsa.modulus.data[0];
-            return b0 ? pubk->u.rsa.modulus.len : pubk->u.rsa.modulus.len - 1;
+            if (pubk->u.rsa.modulus.len == 0) {
+                return 0;
+            }
+            if (pubk->u.rsa.modulus.data[0] == 0) {
+                return pubk->u.rsa.modulus.len - 1;
+            }
+            return pubk->u.rsa.modulus.len;
        default:
            break;
    }
@ -244,13 +247,15 @@ nsslowkey_PublicModulusLen(NSSLOWKEYPublicKey *pubk)
 unsigned
 nsslowkey_PrivateModulusLen(NSSLOWKEYPrivateKey *privk)
 {
-
-    unsigned char b0;
-
    switch (privk->keyType) {
        case NSSLOWKEYRSAKey:
-            b0 = privk->u.rsa.modulus.data[0];
-            return b0 ? privk->u.rsa.modulus.len : privk->u.rsa.modulus.len - 1;
+            if (privk->u.rsa.modulus.len == 0) {
+                return 0;
+            }
+            if (privk->u.rsa.modulus.data[0] == 0) {
+                return privk->u.rsa.modulus.len - 1;
+            }
+            return privk->u.rsa.modulus.len;
        default:
            break;
    }
--- a/security/nss/lib/softoken/softkver.h
+++ b/security/nss/lib/softoken/softkver.h
@ -17,11 +17,11 @@
 * The format of the version string should be
 *     "<major version>.<minor version>[.<patch level>[.<build number>]][ <ECC>][ <Beta>]"
 */
-#define SOFTOKEN_VERSION "3.86" SOFTOKEN_ECC_STRING
+#define SOFTOKEN_VERSION "3.87" SOFTOKEN_ECC_STRING " Beta"
 #define SOFTOKEN_VMAJOR 3
-#define SOFTOKEN_VMINOR 86
+#define SOFTOKEN_VMINOR 87
 #define SOFTOKEN_VPATCH 0
 #define SOFTOKEN_VBUILD 0
-#define SOFTOKEN_BETA PR_FALSE
+#define SOFTOKEN_BETA PR_TRUE

 #endif /* _SOFTKVER_H_ */
--- a/security/nss/lib/ssl/authcert.c
+++ b/security/nss/lib/ssl/authcert.c
@ -206,6 +206,9 @@ NSS_GetClientAuthData(void *arg,
                                             certUsageSSLClient,
                                             PR_FALSE, chosenNickName == NULL,
                                             pw_arg);
+        if (certList == NULL) {
+            return SECFailure;
+        }
        /* filter only the certs that meet the nickname requirements */
        if (chosenNickName) {
            rv = CERT_FilterCertListByNickname(certList, chosenNickName,
@ -219,13 +222,10 @@ NSS_GetClientAuthData(void *arg,
        }
        if ((rv != SECSuccess) || CERT_LIST_EMPTY(certList)) {
            CERT_DestroyCertList(certList);
-            certList = NULL;
+            return SECFailure;
        }
    }
-    if (certList == NULL) {
-        /* no user certs meeting the nickname/usage requirements found */
-        return SECFailure;
-    }
+
    /* now remove any certs that can't meet the connection requirements */
    rv = ssl_FilterClientCertListBySSLSocket(ss, certList);
    if ((rv != SECSuccess) || CERT_LIST_EMPTY(certList)) {
--- a/security/nss/lib/util/nssutil.h
+++ b/security/nss/lib/util/nssutil.h
@ -19,12 +19,12 @@
 * The format of the version string should be
 *     "<major version>.<minor version>[.<patch level>[.<build number>]][ <Beta>]"
 */
-#define NSSUTIL_VERSION "3.86"
+#define NSSUTIL_VERSION "3.87 Beta"
 #define NSSUTIL_VMAJOR 3
-#define NSSUTIL_VMINOR 86
+#define NSSUTIL_VMINOR 87
 #define NSSUTIL_VPATCH 0
 #define NSSUTIL_VBUILD 0
-#define NSSUTIL_BETA PR_FALSE
+#define NSSUTIL_BETA PR_TRUE

 SEC_BEGIN_PROTOS