gecko-dev/security/nss/cmd
Benjamin Beurdouche dde8b5dd22 Bug 1720464 - land NSS 8f41147c2192 UPGRADE_NSS_RELEASE, r=beurdouche
```
2021-07-22  Benjamin Beurdouche  <bbeurdouche@mozilla.com>

	* doc/rst/index.rst:
	Display warning on the new NSS documentation
	[8f41147c2192] [tip]

2021-07-20  Robert Relyea  <rrelyea@redhat.com>

	* lib/softoken/sdb.c:
	Bug 1721476 sqlite 3.34 changed it's open semantics, causing nss
	failures.

	https://sqlite.org/forum/info/42cf8e985bb051a2

	sqlite is now permissive on opening a readonly file even if you ask
	for the file to be opened R/W.

	normally sqlite is very conservative in changing it's underlying
	semantics, but evidently they chose convience over compatibility.
	NSS now needs to check the file permissions itself to preserve nss
	semantics.

	[f2d34a957599]

2021-07-15  Robert Relyea  <rrelyea@redhat.com>

	* tests/common/init.sh, tests/common/parsegtestreport.sed,
	tests/common/parsegtestreport.sh, tests/gtests/gtests.sh,
	tests/ssl_gtests/ssl_gtests.sh:
	Bug 1720230 Gtest update changed the gtest reports, losing gtest
	details in all.sh reports.

	This patch includes the updated .sed script, and an experiment using
	bash instead to see how hard it would be to make a more robust
	parser.

	The robust parser generates identical output as sed, but takes about
	30x longer, so instead of subsecond operations, it takes almost half
	a minute. With that result, I think we can stay with sed and
	continue to update when we get new versions of gtests. (sigh).

	time cat report.xml.0 | sed -f parsegtestreport.sed > r1

	real 0m0.710s user 0m0.705s sys 0m0.008s

	time cat report.xml.0 | sh parsegtestreport.sh > r2

	real 0m25.066s user 0m17.759s sys 0m9.506s [rrelyea@localhost
	common]$ diff r1 r2

	updated: with review comments from Martin and move the report
	parsing to the common code so it can be shared with both ssl_gtests
	and gtests shell scripts.

	[f12856d5d2c2]

2021-07-13  Robert Relyea  <rrelyea@redhat.com>

	* gtests/softoken_gtest/softoken_dh_vectors.h, lib/softoken/pkcs11c.c,
	lib/softoken/pkcs11i.h, lib/softoken/pkcs11u.c,
	lib/softoken/sftkdhverify.c:
	Bug 1720228 NSS incorrectly accepting 1536 bit DH primes in FIPS
	mode

	When NSS is in FIPS mode, it should reject all primes smaller than
	2048. The ike 1536 prime is in the accepted primes table. In FIPS
	mode it should be rejected.

	[d2ec946e601a]

2021-07-15  Robert Relyea  <rrelyea@redhat.com>

	* cmd/manifest.mn, cmd/sdbthreadtst/Makefile,
	cmd/sdbthreadtst/manifest.mn, cmd/sdbthreadtst/sdbthreadtst.c,
	cmd/sdbthreadtst/sdbthreadtst.gyp, lib/softoken/sdb.c,
	lib/softoken/sftkdb.c, nss.gyp, tests/dbtests/dbtests.sh:
	Bug 1720232 SQLite calls could timeout in starvation situations.

	Some of our servers could cause random failures when trying to
	generate many key pairs from multiple threads. This is caused
	because some threads would starve long enough for them to give up on
	getting a begin transaction on sqlite. sqlite only allows one
	transaction at a time.

	Also, there were some bugs in error handling of the broken
	transaction case where NSS would try to cancel a transation after
	the begin failed (most cases were correct, but one case in
	particular was problematic).

	[b54b0d41e51b]

2021-07-13  Robert Relyea  <rrelyea@redhat.com>

	* lib/pk11wrap/pk11cxt.c, lib/pk11wrap/pk11hpke.c,
	lib/softoken/kbkdf.c, lib/softoken/sftkhmac.c,
	lib/softoken/sftkike.c:
	Bug 1720225 Coverity/cpp scanner errors found in nss 3.67

	A number of coverity/scanner issues were found in the kdf code which
	was added in nss 3.44 and the fixes never upstreamed, as well as
	coverity/scanner errors in nss 3.66. Not all errors were fixed,
	those errors which were determined to be false positives were just
	recorded. No attempt has been made to fix coverity/scanner errors in
	gtests.

	[d1b9709d8861]
```

Differential Revision: https://phabricator.services.mozilla.com/D120624
2021-07-23 09:23:50 +00:00
..
addbuiltin
atob
bltest Bug 1699657 - land NSS NSS_3_64_RTM UPGRADE_NSS_RELEASE, r=bbeurdouche 2021-04-15 16:54:57 +00:00
btoa
certutil
chktest
crlutil Bug 1705477 - land NSS c982fb957516 UPGRADE_NSS_RELEASE, r=beurdouche 2021-05-04 13:33:25 +00:00
crmf-cgi
crmftest
dbck
dbtest
derdump
digest
ecperf
fbectest
fipstest
httpserv
lib Bug 1705477 - land NSS 1d066793c349 UPGRADE_NSS_RELEASE, r=beurdouche 2021-05-07 10:43:16 +00:00
libpkix
listsuites
lowhashtest
makepqg
modutil Bug 1705477 - land NSS c982fb957516 UPGRADE_NSS_RELEASE, r=beurdouche 2021-05-04 13:33:25 +00:00
mpitests
multinit
nss-policy-check
ocspclnt
ocspresp
oidcalc
p7content
p7env
p7sign
p7verify
pk1sign
pk11ectest
pk11gcmtest
pk11importtest
pk11mode
pk11util
pk12util Bug 1705477 - land NSS 1d066793c349 UPGRADE_NSS_RELEASE, r=beurdouche 2021-05-07 10:43:16 +00:00
pkix-errcodes
pp Bug 1705477 - land NSS 1d066793c349 UPGRADE_NSS_RELEASE, r=beurdouche 2021-05-07 10:43:16 +00:00
ppcertdata
pwdecrypt
rsaperf
rsapoptst
samples
sdbthreadtst Bug 1720464 - land NSS 8f41147c2192 UPGRADE_NSS_RELEASE, r=beurdouche 2021-07-23 09:23:50 +00:00
sdrtest
selfserv Bug 1711262 - land NSS 40edc4f4c117 UPGRADE_NSS_RELEASE, r=beurdouche 2021-05-20 17:42:35 +00:00
shlibsign
signtool Bug 1705477 - land NSS c982fb957516 UPGRADE_NSS_RELEASE, r=beurdouche 2021-05-04 13:33:25 +00:00
signver Bug 1705477 - land NSS c982fb957516 UPGRADE_NSS_RELEASE, r=beurdouche 2021-05-04 13:33:25 +00:00
smimetools
ssltap
strsclnt Bug 1711262 - land NSS 40edc4f4c117 UPGRADE_NSS_RELEASE, r=beurdouche 2021-05-20 17:42:35 +00:00
symkeyutil Bug 1705477 - land NSS c982fb957516 UPGRADE_NSS_RELEASE, r=beurdouche 2021-05-04 13:33:25 +00:00
tests
tstclnt Bug 1711262 - land NSS 40edc4f4c117 UPGRADE_NSS_RELEASE, r=beurdouche 2021-05-20 17:42:35 +00:00
vfychain
vfyserv
Makefile
manifest.mn Bug 1720464 - land NSS 8f41147c2192 UPGRADE_NSS_RELEASE, r=beurdouche 2021-07-23 09:23:50 +00:00
platlibs.gypi
platlibs.mk
platrules.mk