Bug 1905161 - land NSS NSS_3_101_1_RTM UPGRADE_NSS_RELEASE, r=keeler a=RyanVM

Differential Revision: https://phabricator.services.mozilla.com/D215236

security/manager/ssl/RootHashes.inc

@@ -1167,6 +1167,12 @@ static const struct CertAuthorityHash ROOT_TABLE[] = {
       0x3B, 0xA0, 0x05, 0x66, 0x7C, 0x44, 0x2C, 0x97, 0x62, 0xB4, 0xFB, 0xB7, 0x73, 0xDE, 0x22, 0x8C },
       157 /* Bin Number */
   },
+  {
+    /* FIRMAPROFESIONAL_CA_ROOT_A_WEB */
+    { 0xBE, 0xF2, 0x56, 0xDA, 0xF2, 0x6E, 0x9C, 0x69, 0xBD, 0xEC, 0x16, 0x02, 0x35, 0x97, 0x98, 0xF3,
+      0xCA, 0xF7, 0x18, 0x21, 0xA0, 0x3E, 0x01, 0x82, 0x57, 0xC5, 0x3C, 0x65, 0x61, 0x7F, 0x3D, 0x4A },
+      267 /* Bin Number */
+  },
   {
     /* SecureSign_RootCA11 */
     { 0xBF, 0x0F, 0xEE, 0xFB, 0x9E, 0x3A, 0x58, 0x1A, 0xD5, 0xF9, 0xE9, 0xDB, 0x75, 0x89, 0x98, 0x57,

security/manager/tools/KnownRootHashes.json

@@ -1337,7 +1337,12 @@
       "label": "Telekom_Security_TLS_ECC_Root_2020",
       "binNumber": 266,
       "sha256Fingerprint": "V4r03tCFP05ZmNtK6vnL6o2UX2C2IKONGjwTsrx7qOE="
+    },
+    {
+      "label": "FIRMAPROFESIONAL_CA_ROOT_A_WEB",
+      "binNumber": 267,
+      "sha256Fingerprint": "vvJW2vJunGm97BYCNZeY88r3GCGgPgGCV8U8ZWF/PUo="
     }
   ],
-  "maxBin": 266
+  "maxBin": 267
 }

security/nss/TAG-INFO

@@ -1 +1 @@
-NSS_3_101_RTM
+NSS_3_101_1_RTM

security/nss/coreconf/coreconf.dep

@@ -10,3 +10,4 @@
  */
 
 #error "Do not include this header file."
+

security/nss/coreconf/location.mk

@@ -64,6 +64,10 @@ ifndef SOFTOKEN_LIB_DIR
     SOFTOKEN_LIB_DIR = $(DIST)/lib
 endif
 
+ifdef SQLITE_INCLUDE_DIR
+    INCLUDES += -I$(SQLITE_INCLUDE_DIR)
+endif
+
 ifndef SQLITE_LIB_DIR
     SQLITE_LIB_DIR = $(DIST)/lib
 endif

security/nss/doc/rst/releases/index.rst

@@ -8,6 +8,7 @@ Releases
    :glob:
    :hidden:
 
+   nss_3_101_1.rst
    nss_3_101.rst
    nss_3_100.rst
    nss_3_99.rst
@@ -66,42 +67,12 @@ Releases
 
 .. note::
 
-   **NSS 3.101** is the latest version of NSS.
-   Complete release notes are available here: :ref:`mozilla_projects_nss_nss_3_101_release_notes`
-
-   **NSS 3.90.2 (ESR)** is the latest version of NSS.
-   Complete release notes are available here: :ref:`mozilla_projects_nss_nss_3_90_2_release_notes`
+   **NSS 3.101.1 (ESR)** is the latest ESR version of NSS.
+   Complete release notes are available here: :ref:`mozilla_projects_nss_nss_3_101_1_release_notes`
 
 .. container::
 
-   Changes in 3.101 included in this release:
+   Changes in 3.101.1 included in this release:
 
-   - Bug 1900413 - add diagnostic assertions for SFTKObject refcount. 
-   - Bug 1899759 - freeing the slot in DeleteCertAndKey if authentication failed
-   - Bug 1899883 - fix formatting issues. 
-   - Bug 1889671 - Add Firmaprofesional CA Root-A Web to NSS.
-   - Bug 1899593 - remove invalid acvp fuzz test vectors. 
-   - Bug 1898830 - pad short P-384 and P-521 signatures gtests.
-   - Bug 1898627 - remove unused FreeBL ECC code. r=rrelyea
-   - Bug 1898830 - pad short P-384 and P-521 signatures. 
-   - Bug 1898825 - be less strict about ECDSA private key length. 
-   - Bug 1854439 - Integrate HACL* P-521. 
-   - Bug 1854438 - Integrate HACL* P-384. 
-   - Bug 1898074 - memory leak in create_objects_from_handles. 
-   - Bug 1898858 - ensure all input is consumed in a few places in mozilla::pkix 
-   - Bug 1884444 - SMIME/CMS and PKCS #12 do not integrate with modern NSS policy 
-   - Bug 1748105 - clean up escape handling 
-   - Bug 1896353 - Use lib::pkix as default validator instead of the old-one 
-   - Bug 1827444 - Need to add high level support for PQ signing.
-   - Bug 1548723 - Certificate Compression: changing the allocation/freeing of buffer + Improving the documentation 
-   - Bug 1884444 - SMIME/CMS and PKCS #12 do not integrate with modern NSS policy
-   - Bug 1893404 - Allow for non-full length ecdsa signature when using softoken
-   - Bug 1830415 - Modification of .taskcluster.yml due to mozlint indent defects
-   - Bug 1793811 - Implement support for PBMAC1 in PKCS#12 
-   - Bug 1897487 - disable VLA warnings for fuzz builds.
-   - Bug 1895032 - remove redundant AllocItem implementation. 
-   - Bug 1893334 - add PK11_ReadDistrustAfterAttribute. 
-   - Bug 215997  - Clang-formatting of SEC_GetMgfTypeByOidTag update
-   - Bug 1895012 - Set SEC_ERROR_LIBRARY_FAILURE on self-test failure
-   - Bug 1894572 - sftk_getParameters(): Fix fallback to default variable after error with configfile. 
-   - Bug 1830415 - Switch to the mozillareleases/image_builder image
+   - Bug 1901932 - missing sqlite header.
+   - Bug 1901080 - GLOBALTRUST 2020: Set Distrust After for TLS and S/MIME.

security/nss/doc/rst/releases/nss_3_101.rst

@@ -8,7 +8,7 @@ NSS 3.101 release notes
 
 .. container::
 
-   Network Security Services (NSS) 3.101 was released on *6 June 2024**.
+   Network Security Services (NSS) 3.101 was released on *6 June 2024**.  NSS 3.101 is an ESR release.
 
 `Distribution Information <#distribution_information>`__
 --------------------------------------------------------

security/nss/doc/rst/releases/nss_3_101_1.rst

@@ -0,0 +1,56 @@
+.. _mozilla_projects_nss_nss_3_101_1_release_notes:
+
+NSS 3.101.1 release notes
+========================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+   Network Security Services (NSS) 3.101.1 was released on *28 June 2024**.  NSS 3.101.1 is an ESR release.
+
+`Distribution Information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+   The HG tag is NSS_3_101_1_RTM. NSS 3.101.1 requires NSPR 4.35 or newer.
+
+   NSS 3.101.1 source distributions are available on ftp.mozilla.org for secure HTTPS download:
+
+   -  Source tarballs:
+      https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_101_1_RTM/src/
+
+   Other releases are available :ref:`mozilla_projects_nss_releases`.
+
+.. _changes_in_nss_3.101.1:
+
+`Changes in NSS 3.101.1 <#changes_in_nss_3.101.1>`__
+------------------------------------------------------------------
+
+.. container::
+
+   - Bug 1901932 - missing sqlite header.
+   - Bug 1901080 - GLOBALTRUST 2020: Set Distrust After for TLS and S/MIME.
+
+
+`Compatibility <#compatibility>`__
+----------------------------------
+
+.. container::
+
+   NSS 3.101.1 shared libraries are backwards-compatible with all older NSS 3.x shared
+   libraries. A program linked with older NSS 3.x shared libraries will work with
+   this new version of the shared libraries without recompiling or
+   relinking. Furthermore, applications that restrict their use of NSS APIs to the
+   functions listed in NSS Public Functions will remain compatible with future
+   versions of the NSS shared libraries.
+
+`Feedback <#feedback>`__
+------------------------
+
+.. container::
+
+   Bugs discovered should be reported by filing a bug report on
+   `bugzilla.mozilla.org <https://bugzilla.mozilla.org/enter_bug.cgi?product=NSS>`__ (product NSS).

security/nss/lib/ckfw/builtins/certdata.txt

@@ -17020,8 +17020,14 @@ CKA_VALUE MULTILINE_OCTAL
 \155\015\277\173\327\222
 END
 CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
-CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE
-CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE
+# For Server Distrust After: Sun Jun 30 00:00:00 2024
+CKA_NSS_SERVER_DISTRUST_AFTER MULTILINE_OCTAL
+\062\064\060\066\063\060\060\060\060\060\060\060\132
+END
+# For Email Distrust After: Sun Jun 30 00:00:00 2024
+CKA_NSS_EMAIL_DISTRUST_AFTER MULTILINE_OCTAL
+\062\064\060\066\063\060\060\060\060\060\060\060\132
+END
 
 # Trust for "GLOBALTRUST 2020"
 # Issuer: CN=GLOBALTRUST 2020,O=e-commerce monitoring GmbH,C=AT

security/nss/lib/ckfw/builtins/nssckbi.h

@@ -46,8 +46,8 @@
  * It's recommend to switch back to 0 after having reached version 98/99.
  */
 #define NSS_BUILTINS_LIBRARY_VERSION_MAJOR 2
-#define NSS_BUILTINS_LIBRARY_VERSION_MINOR 68
-#define NSS_BUILTINS_LIBRARY_VERSION "2.68"
+#define NSS_BUILTINS_LIBRARY_VERSION_MINOR 69
+#define NSS_BUILTINS_LIBRARY_VERSION "2.69"
 
 /* These version numbers detail the semantic changes to the ckfw engine. */
 #define NSS_BUILTINS_HARDWARE_VERSION_MAJOR 1

security/nss/lib/nss/nss.h

@@ -22,10 +22,10 @@
  * The format of the version string should be
  *     "<major version>.<minor version>[.<patch level>[.<build number>]][ <ECC>][ <Beta>]"
  */
-#define NSS_VERSION "3.101" _NSS_CUSTOMIZED
+#define NSS_VERSION "3.101.1" _NSS_CUSTOMIZED
 #define NSS_VMAJOR 3
 #define NSS_VMINOR 101
-#define NSS_VPATCH 0
+#define NSS_VPATCH 1
 #define NSS_VBUILD 0
 #define NSS_BETA PR_FALSE
 

security/nss/lib/softoken/softkver.h

@@ -17,10 +17,10 @@
  * The format of the version string should be
  *     "<major version>.<minor version>[.<patch level>[.<build number>]][ <ECC>][ <Beta>]"
  */
-#define SOFTOKEN_VERSION "3.101" SOFTOKEN_ECC_STRING
+#define SOFTOKEN_VERSION "3.101.1" SOFTOKEN_ECC_STRING
 #define SOFTOKEN_VMAJOR 3
 #define SOFTOKEN_VMINOR 101
-#define SOFTOKEN_VPATCH 0
+#define SOFTOKEN_VPATCH 1
 #define SOFTOKEN_VBUILD 0
 #define SOFTOKEN_BETA PR_FALSE
 

security/nss/lib/util/nssutil.h

@@ -19,10 +19,10 @@
  * The format of the version string should be
  *     "<major version>.<minor version>[.<patch level>[.<build number>]][ <Beta>]"
  */
-#define NSSUTIL_VERSION "3.101"
+#define NSSUTIL_VERSION "3.101.1"
 #define NSSUTIL_VMAJOR 3
 #define NSSUTIL_VMINOR 101
-#define NSSUTIL_VPATCH 0
+#define NSSUTIL_VPATCH 1
 #define NSSUTIL_VBUILD 0
 #define NSSUTIL_BETA PR_FALSE