Bug 1936150 - land NSS NSS_3_101_3_RTM UPGRADE_NSS_RELEASE, r=nss-reviewers,jschanck a=RyanVM

2025-01-23 Dennis Jackson <djackson@mozilla.com> * doc/rst/releases/index.rst: Add release notes for 3.101.3 [60be34d595b6] [NSS_3_101_3_RTM] <NSS_3_101_BRANCH> * lib/nss/nss.h, lib/softoken/softkver.h, lib/util/nssutil.h: Set verion numbers to 3.101.3 [b799d486b567] <NSS_3_101_BRANCH> 2024-12-09 Maurice Dauer <mdauer@mozilla.com> * lib/pkcs7/certread.c: Bug 1935984 - Ensure zero-initialization of collectArgs.cert, r=djackson,nss-reviewers [0c5bfd138fec] <NSS_3_101_BRANCH> 2024-12-06 Dana Keeler <dkeeler@mozilla.com> * lib/softoken/pkcs11.c, lib/util/utilmod.c: Bug 1927953 - don't look for secmod.db in nssutil_ReadSecmodDB if NSS_DISABLE_DBM is set r=jschanck [2c13c7018b61] <NSS_3_101_BRANCH> 2024-11-27 Anna Weine <anna.weine@mozilla.com> * lib/dev/devutil.c: Bug 1926256 - fix build error from 9505f79d r=jschanck [4a2a05674aa3] <NSS_3_101_BRANCH> 2024-11-26 John Schanck <jschanck@mozilla.com> * lib/dev/devutil.c: Bug 1926256 - simplify error handling in get_token_objects_for_cache. r=rrelyea [72dc849de263] <NSS_3_101_BRANCH> 2024-10-21 John Schanck <jschanck@mozilla.com> * cmd/pk12util/pk12util.c: Bug 1923767 - pk12util: improve error handling in p12U_ReadPKCS12File. r=nss-reviewers,nkulatova [23e5b96bfbdb] <NSS_3_101_BRANCH> 2024-09-24 ISHIKAWA, Chiaki <ishikawa@yk.rim.or.jp> * lib/ssl/sslsnce.c: Bug 1909768 - UBSAN fix: applying zero offset to null pointer in sslsnce.c. r=kaie [49a0f03dc97b] <NSS_3_101_BRANCH> 2024-07-25 John Schanck <jschanck@mozilla.com> * lib/softoken/pkcs11u.c: Bug 1908623 - move list size check after lock acquisition in sftk_PutObjectToList. r=rrelyea,nss-reviewers [b936ef0a883b] <NSS_3_101_BRANCH> 2024-09-26 Kai Engert <kaie@kuix.de> * lib/pkcs7/p7decode.c: Bug 1899402 - Correctly destroy bulkkey in error scenario. r=jschanck [3200544b1a70] <NSS_3_101_BRANCH> 2024-07-29 John Schanck <jschanck@mozilla.com> * lib/nss/nss.h, lib/softoken/softkver.h, lib/util/nssutil.h: Set version numbers to 3.101.2 [f0fd00e7f8ee] <NSS_3_101_BRANCH> 2024-07-24 John Schanck <jschanck@mozilla.com> * .hgtags: Added tag NSS_3_101_2_RTM for changeset 1204ed03458f [d7839c5f949e] <NSS_3_101_BRANCH> Original Revision: https://phabricator.services.mozilla.com/D235304 Differential Revision: https://phabricator.services.mozilla.com/D235306
2025-01-23 17:59:00 +00:00 · 2025-01-23 17:59:00 +00:00 · dc773eb77d
commit dc773eb77d
parent 73f7a19f05
14 changed files with 51 additions and 28 deletions
--- a/security/nss/TAG-INFO
+++ b/security/nss/TAG-INFO
@ -1 +1 @@
-NSS_3_101_2_RTM
+NSS_3_101_3_RTM
--- a/security/nss/cmd/pk12util/pk12util.c
+++ b/security/nss/cmd/pk12util/pk12util.c
@ -449,10 +449,10 @@ p12U_ReadPKCS12File(SECItem *uniPwp, char *in_file, PK11SlotInfo *slot,

    /* revert the option setting */
    if (forceUnicode != pk12uForceUnicode) {
-        rv = NSS_OptionSet(__NSS_PKCS12_DECODE_FORCE_UNICODE, pk12uForceUnicode);
-        if (rv != SECSuccess) {
+        if (SECSuccess != NSS_OptionSet(__NSS_PKCS12_DECODE_FORCE_UNICODE, pk12uForceUnicode)) {
            SECU_PrintError(progName, "PKCS12 decoding failed to set option");
            pk12uErrno = PK12UERR_DECODEVERIFY;
+            rv = SECFailure;
        }
    }
    /* rv has been set at this point */
--- a/security/nss/coreconf/coreconf.dep
+++ b/security/nss/coreconf/coreconf.dep
@ -10,3 +10,4 @@
 */

 #error "Do not include this header file."
+
--- a/security/nss/doc/rst/releases/index.rst
+++ b/security/nss/doc/rst/releases/index.rst
@ -8,6 +8,8 @@ Releases
   :glob:
   :hidden:

+   nss_3_101_3.rst
+   nss_3_101_2.rst
   nss_3_101_1.rst
   nss_3_101.rst
   nss_3_100.rst
@ -67,12 +69,18 @@ Releases

 .. note::

-   **NSS 3.101.1 (ESR)** is the latest ESR version of NSS.
-   Complete release notes are available here: :ref:`mozilla_projects_nss_nss_3_101_1_release_notes`
+   **NSS 3.101.3 (ESR)** is the latest ESR version of NSS.
+   Complete release notes are available here: :ref:`mozilla_projects_nss_nss_3_101_3_release_notes`

 .. container::

-   Changes in 3.101.1 included in this release:
+   Changes in 3.101.3 included in this release:

-   - Bug 1901932 - missing sqlite header.
-   - Bug 1901080 - GLOBALTRUST 2020: Set Distrust After for TLS and S/MIME.
+   - Bug 1935984 - Ensure zero-initialization of collectArgs.cert
+   - Bug 1927953 - don't look for secmod.db in nssutil_ReadSecmodDB if NSS_DISABLE_DBM is set
+   - Bug 1926256 - fix build error from 9505f79d
+   - Bug 1926256 - simplify error handling in get_token_objects_for_cache.
+   - Bug 1923767 - pk12util: improve error handling in p12U_ReadPKCS12File.
+   - Bug 1909768 - UBSAN fix: applying zero offset to null pointer in sslsnce.c.
+   - Bug 1908623 - move list size check after lock acquisition in sftk_PutObjectToList.
+   - Bug 1899402 - Correctly destroy bulkkey in error scenario.
--- a/security/nss/lib/dev/devutil.c
+++ b/security/nss/lib/dev/devutil.c
@ -577,9 +577,11 @@ get_token_objects_for_cache(
    } else {
        PRUint32 j;
        for (j = 0; j < i; j++) {
-            /* Any token references that were removed in successful loop iterations
-             * need to be restored before we call nssCryptokiObjectArray_Destroy */
-            nssToken_AddRef(cache->objects[objectType][j]->object->token);
+            /* Objects that were successfully added to the cache do not own a
+             * token reference (they share a reference with the cache itself).
+             * Nulling out the pointer here prevents the token's refcount
+             * from being decremented in nssCryptokiObject_Destroy */
+            cache->objects[objectType][j]->object->token = NULL;
            nssArena_Destroy(cache->objects[objectType][j]->arena);
        }
        nss_ZFreeIf(cache->objects[objectType]);
--- a/security/nss/lib/nss/nss.h
+++ b/security/nss/lib/nss/nss.h
@ -22,10 +22,10 @@
 * The format of the version string should be
 *     "<major version>.<minor version>[.<patch level>[.<build number>]][ <ECC>][ <Beta>]"
 */
-#define NSS_VERSION "3.101.1" _NSS_CUSTOMIZED
+#define NSS_VERSION "3.101.3" _NSS_CUSTOMIZED
 #define NSS_VMAJOR 3
 #define NSS_VMINOR 101
-#define NSS_VPATCH 1
+#define NSS_VPATCH 3
 #define NSS_VBUILD 0
 #define NSS_BETA PR_FALSE

--- a/security/nss/lib/pkcs7/certread.c
+++ b/security/nss/lib/pkcs7/certread.c
@ -520,6 +520,8 @@ CERT_DecodeCertFromPackage(char *certbuf, int certlen)
    CERTCertificate *cert = NULL;

    collectArgs.arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    collectArgs.cert.data = NULL;
+    collectArgs.cert.len = 0;

    rv = CERT_DecodeCertPackage(certbuf, certlen, collect_certs,
                                (void *)&collectArgs);
--- a/security/nss/lib/pkcs7/p7decode.c
+++ b/security/nss/lib/pkcs7/p7decode.c
@ -542,6 +542,7 @@ sec_pkcs7_decoder_start_decrypt(SEC_PKCS7DecoderContext *p7dcx, int depth,
     * We are done with (this) bulkkey now.
     */
    PK11_FreeSymKey(bulkkey);
+    bulkkey = NULL;

    if (decryptobj == NULL) {
        p7dcx->error = PORT_GetError();
--- a/security/nss/lib/softoken/pkcs11.c
+++ b/security/nss/lib/softoken/pkcs11.c
@ -3182,14 +3182,15 @@ SFTK_DestroySlotData(SFTKSlot *slot)
 char **
 NSC_ModuleDBFunc(unsigned long function, char *parameters, void *args)
 {
-#ifndef NSS_DISABLE_DBM
+#ifdef NSS_DISABLE_DBM
+    return NSSUTIL_DoModuleDBFunction(function, parameters, args);
+#else
    char *secmod = NULL;
    char *appName = NULL;
    char *filename = NULL;
    NSSDBType dbType = NSS_DB_TYPE_NONE;
    PRBool rw;
    static char *success = "Success";
-#endif /* NSS_DISABLE_DBM */
    char **rvstr = NULL;

    rvstr = NSSUTIL_DoModuleDBFunction(function, parameters, args);
@ -3201,7 +3202,6 @@ NSC_ModuleDBFunc(unsigned long function, char *parameters, void *args)
        return NULL;
    }

-#ifndef NSS_DISABLE_DBM
    /* The legacy database uses the old dbm, which is only linked with the
     * legacy DB handler, which is only callable from softoken */

@ -3293,8 +3293,8 @@ loser:
        PORT_Free(appName);
    if (filename)
        PORT_Free(filename);
-#endif /* NSS_DISABLE_DBM */
    return rvstr;
+#endif /* NSS_DISABLE_DBM */
 }

 static void
--- a/security/nss/lib/softoken/pkcs11u.c
+++ b/security/nss/lib/softoken/pkcs11u.c
@ -994,13 +994,16 @@ sftk_PutObjectToList(SFTKObject *object, SFTKObjectFreeList *list,
     */
    PRBool optimizeSpace = isSessionObject &&
                           ((SFTKSessionObject *)object)->optimizeSpace;
-    if (object->refLock && !optimizeSpace && (list->count < MAX_OBJECT_LIST_SIZE)) {
+    if (object->refLock && !optimizeSpace) {
        PZ_Lock(list->lock);
-        object->next = list->head;
-        list->head = object;
-        list->count++;
+        if (list->count < MAX_OBJECT_LIST_SIZE) {
+            object->next = list->head;
+            list->head = object;
+            list->count++;
+            PZ_Unlock(list->lock);
+            return;
+        }
        PZ_Unlock(list->lock);
-        return;
    }
    if (isSessionObject) {
        SFTKSessionObject *so = (SFTKSessionObject *)object;
--- a/security/nss/lib/softoken/softkver.h
+++ b/security/nss/lib/softoken/softkver.h
@ -17,10 +17,10 @@
 * The format of the version string should be
 *     "<major version>.<minor version>[.<patch level>[.<build number>]][ <ECC>][ <Beta>]"
 */
-#define SOFTOKEN_VERSION "3.101.1" SOFTOKEN_ECC_STRING
+#define SOFTOKEN_VERSION "3.101.3" SOFTOKEN_ECC_STRING
 #define SOFTOKEN_VMAJOR 3
 #define SOFTOKEN_VMINOR 101
-#define SOFTOKEN_VPATCH 1
+#define SOFTOKEN_VPATCH 3
 #define SOFTOKEN_VBUILD 0
 #define SOFTOKEN_BETA PR_FALSE

--- a/security/nss/lib/ssl/sslsnce.c
+++ b/security/nss/lib/ssl/sslsnce.c
@ -1878,8 +1878,6 @@ getSvrWrappingKey(unsigned int symWrapMechIndex,
                  cacheDesc *cache,
                  PRUint32 lockTime)
 {
-    PRUint32 ndx = (wrapKeyIndex * SSL_NUM_WRAP_MECHS) + symWrapMechIndex;
-    SSLWrappedSymWrappingKey *pwswk = cache->keyCacheData + ndx;
    PRUint32 now = 0;
    PRBool rv = SECFailure;

@ -1887,6 +1885,10 @@ getSvrWrappingKey(unsigned int symWrapMechIndex,
        PORT_SetError(SSL_ERROR_SERVER_CACHE_NOT_CONFIGURED);
        return SECFailure;
    }
+
+    PRUint32 ndx = (wrapKeyIndex * SSL_NUM_WRAP_MECHS) + symWrapMechIndex;
+    SSLWrappedSymWrappingKey *pwswk = cache->keyCacheData + ndx;
+
    if (!lockTime) {
        now = LockSidCacheLock(cache->keyCacheLock, 0);
        if (!now) {
--- a/security/nss/lib/util/nssutil.h
+++ b/security/nss/lib/util/nssutil.h
@ -19,10 +19,10 @@
 * The format of the version string should be
 *     "<major version>.<minor version>[.<patch level>[.<build number>]][ <Beta>]"
 */
-#define NSSUTIL_VERSION "3.101.1"
+#define NSSUTIL_VERSION "3.101.3"
 #define NSSUTIL_VMAJOR 3
 #define NSSUTIL_VMINOR 101
-#define NSSUTIL_VPATCH 1
+#define NSSUTIL_VPATCH 3
 #define NSSUTIL_VBUILD 0
 #define NSSUTIL_BETA PR_FALSE

--- a/security/nss/lib/util/utilmod.c
+++ b/security/nss/lib/util/utilmod.c
@ -308,6 +308,7 @@ nssutil_growList(char ***pModuleList, int *useCount, int last)
    return SECSuccess;
 }

+#ifndef NSS_DISABLE_DBM
 static char *
 _NSSUTIL_GetOldSecmodName(const char *dbname, const char *filename)
 {
@ -332,6 +333,7 @@ _NSSUTIL_GetOldSecmodName(const char *dbname, const char *filename)
    PORT_Free(dirPath);
    return file;
 }
+#endif // NSS_DISABLE_DBM

 static SECStatus nssutil_AddSecmodDBEntry(const char *appName,
                                          const char *filename,
@ -567,6 +569,7 @@ nssutil_ReadSecmodDB(const char *appName,
        moduleString = NULL;
    }
 done:
+#ifndef NSS_DISABLE_DBM
    /* if we couldn't open a pkcs11 database, look for the old one */
    if (fd == NULL) {
        char *olddbname = _NSSUTIL_GetOldSecmodName(dbname, filename);
@ -591,6 +594,7 @@ done:
            PR_smprintf_free(olddbname);
        }
    }
+#endif // NSS_DISABLE_DBM

 return_default: