Loading security/nss/doc/rst/releases/index.rst +21 −15 Original line number Diff line number Diff line .. _mozilla_projects_nss_releases: Releases ======== Release Notes ============= .. toctree:: :maxdepth: 0 :glob: :hidden: nss_3_112_2.rst nss_3_112_1.rst nss_3_112.rst nss_3_111.rst nss_3_110.rst nss_3_109.rst nss_3_108.rst nss_3_107.rst nss_3_106.rst nss_3_105.rst nss_3_104.rst nss_3_103.rst nss_3_102_1.rst nss_3_102.rst nss_3_101_4.rst nss_3_101_3.rst nss_3_101_2.rst nss_3_101_1.rst Loading Loading @@ -69,18 +84,9 @@ Releases .. note:: **NSS 3.101.3 (ESR)** is the latest ESR version of NSS. Complete release notes are available here: :ref:`mozilla_projects_nss_nss_3_101_3_release_notes` **NSS 3.112** is the latest version of NSS. Complete release notes are available here: :ref:`mozilla_projects_nss_nss_3_112_release_notes` .. container:: **NSS 3.112.2 (ESR)** is the latest ESR version of NSS. Complete release notes are available here: :ref:`mozilla_projects_nss_nss_3_112_2_release_notes` Changes in 3.101.3 included in this release: - Bug 1935984 - Ensure zero-initialization of collectArgs.cert - Bug 1927953 - don't look for secmod.db in nssutil_ReadSecmodDB if NSS_DISABLE_DBM is set - Bug 1926256 - fix build error from 9505f79d - Bug 1926256 - simplify error handling in get_token_objects_for_cache. - Bug 1923767 - pk12util: improve error handling in p12U_ReadPKCS12File. - Bug 1909768 - UBSAN fix: applying zero offset to null pointer in sslsnce.c. - Bug 1908623 - move list size check after lock acquisition in sftk_PutObjectToList. - Bug 1899402 - Correctly destroy bulkkey in error scenario. security/nss/doc/rst/releases/nss_3_112_2.rst 0 → 100644 +72 −0 Original line number Diff line number Diff line .. _mozilla_projects_nss_nss_3_112_2_release_notes: NSS 3.112.2 release notes ======================== `Introduction <#introduction>`__ -------------------------------- .. container:: Network Security Services (NSS) 3.112.2 was released on *3 October 2025**. `Distribution Information <#distribution_information>`__ -------------------------------------------------------- .. container:: The HG tag is NSS_3_112_2_RTM. NSS 3.112.2 requires NSPR 4.36 or newer. NSS 3.112.2 source distributions are available on ftp.mozilla.org for secure HTTPS download: - Source tarballs: https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_112_2_RTM/src/ Other releases are available :ref:`mozilla_projects_nss_releases`. .. _changes_in_nss_3.112.2: `Changes in NSS 3.112.2 <#changes_in_nss_3.112.2>`__ ------------------------------------------------------------------ .. container:: - Bug 1970079 - Prevent leaks during pkcs12 decoding. - Bug 1988046 - SEC_ASN1Decode* should ensure it has read as many bytes as each length field indicates. - Bug 1992218 - fix memory leak in secasn1decode_unittest.cc. - Bug 1988913 - Add OISTE roots. - Bug 1976051 - Add runbook for certdata.txt changes. - Bug 1991666 - dbtool: close databases before shutdown. - Bug 1956754 - don't flush base64 when buffer is null. - Bug 1989541 - Set `use_pkcs5_pbkd2_params2_only=1` for fuzzing builds. - Bug 1989480 - mozilla::pkix: recognize the qcStatements extension for QWACs. - Bug 1980465 - Fix a big-endian-problematic cast in zlib calls. - Bug 1962321 - Revert removing out/ directory after ossfuzz build. - Bug 1988524 - Add Cryptofuzz to OSS-Fuzz build. - Bug 1984704 - Add PKCS#11 trust tests. - Bug 1983308 - final disable dsa patch cert.sh. - Bug 1983320 - ml-dsa: move tls 1.3 to use streaming signatures. - Bug 1983320 - ml-dsa: Prep Create a FindOidTagByString function. - Bug 1983320 - ml-dsa: softoken changes. - Bug 1983320 - ml-dsa: der key decode. - Bug 1983320 - ml-dsa: Prep colapse the overuse of keyType outside of pk11wrap and cryptohi. - Bug 1983320 - ml-dsa: Prep Create a CreateSignatureAlgorithmID function. - Bug 1983308 - disable DSA in NSS script tests. - Bug 1983308 - Disabling of some algorithms: generic cert.sh. - Bug 1981046 - Need to update to new mechanisms. - Bug 1983320 - Add ML-DSA public key printing support in NSS command-line utilities. - Bug 1986802 - note embedded scts before revocation checks are performed. - Bug 1983320 - Add support for ML-DSA keys and mechanisms in PKCS#11 interface. - Bug 1983320 - Add support for ML-DSA key type and public key structure. - Bug 1983320 - Enable ML-DSA integration via OIDs support and SECMOD flag. - Bug 1983308 - disable kyber. - Bug 1965329 - Implement PKCS #11 v3.2 PQ functions (use verify signature). - Bug 1983308 - Disable dsa - gtests. - Bug 1983313 - make group and scheme support in test tools generic. - Bug 1983770 - Create GH workflow to automatically close PRs. - Bug 1983308 - Disable dsa - base code. - Bug 1983308 - Disabling of some algorithms: remove dsa from pk11_mode. - Bug 1983308 - Disable seed and RC2 bug fixes. - Bug 1982742 - restore support for finding certificates by decoded serial number. - Bug 1984165 - avoid CKR_BUFFER_TO_SMALL error in trust lookups. security/nss/gtests/der_gtest/der_gtest.gyp +1 −0 Original line number Diff line number Diff line Loading @@ -14,6 +14,7 @@ 'der_getint_unittest.cc', 'der_quickder_unittest.cc', 'p12_import_unittest.cc', 'secasn1decode_unittest.cc', '<(DEPTH)/gtests/common/gtests.cc' ], 'dependencies': [ Loading security/nss/gtests/der_gtest/secasn1decode_unittest.cc 0 → 100644 +86 −0 Original line number Diff line number Diff line /* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */ /* vim: set ts=2 et sw=2 tw=80: */ /* This Source Code Form is subject to the terms of the Mozilla Public * License, v. 2.0. If a copy of the MPL was not distributed with this file, * You can obtain one at http://mozilla.org/MPL/2.0/. */ #include "gtest/gtest.h" #include "scoped_ptrs_util.h" #include "nss.h" #include "prerror.h" #include "secasn1.h" #include "secasn1t.h" #include "secerr.h" #include "secport.h" class SECASN1DecodeTest : public ::testing::Test {}; struct Item { SECItem value; }; const SEC_ASN1Template ItemTemplate[] = { {SEC_ASN1_SEQUENCE, 0, NULL, sizeof(struct Item)}, {0}}; static const SEC_ASN1Template ItemsTemplate[] = { {SEC_ASN1_SEQUENCE_OF, 0, ItemTemplate}, {0}}; struct Container { struct Item** items; }; const SEC_ASN1Template ContainerTemplate[] = { {SEC_ASN1_SEQUENCE, 0, NULL, sizeof(struct Container)}, {SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_EXPLICIT | 0, offsetof(struct Container, items), ItemsTemplate}, {0}}; // clang-format off const unsigned char kEndOfContentsInDefiniteLengthContext[] = { 0x30, 0x06, 0xa0, 0x04, 0x30, 0x00, 0x00, 0x00, // EOC in definite length context }; // clang-format on TEST_F(SECASN1DecodeTest, EndOfContentsInDefiniteLengthContext) { ScopedPLArenaPool pool(PORT_NewArena(1024)); struct Container* decoded = reinterpret_cast<struct Container*>( PORT_ArenaZAlloc(pool.get(), sizeof(struct Container))); SEC_ASN1DecoderContext* ctx = SEC_ASN1DecoderStart(pool.get(), decoded, ContainerTemplate); ASSERT_TRUE(ctx); ASSERT_EQ( SEC_ASN1DecoderUpdate( ctx, reinterpret_cast<const char*>(kEndOfContentsInDefiniteLengthContext), sizeof(kEndOfContentsInDefiniteLengthContext)), SECFailure); ASSERT_EQ(PR_GetError(), SEC_ERROR_BAD_DER); } // clang-format off const unsigned char kContentsTooShort[] = { 0x30, 0x06, 0xa0, 0x04, 0x30, 0x00, // There should be two more bytes after this }; // clang-format on TEST_F(SECASN1DecodeTest, ContentsTooShort) { ScopedPLArenaPool pool(PORT_NewArena(1024)); struct Container* decoded = reinterpret_cast<struct Container*>( PORT_ArenaZAlloc(pool.get(), sizeof(struct Container))); SEC_ASN1DecoderContext* ctx = SEC_ASN1DecoderStart(pool.get(), decoded, ContainerTemplate); ASSERT_TRUE(ctx); ASSERT_EQ( SEC_ASN1DecoderUpdate( ctx, reinterpret_cast<const char*>(kContentsTooShort), sizeof(kContentsTooShort)), SECFailure); ASSERT_EQ(PR_GetError(), SEC_ERROR_BAD_DER); } security/nss/lib/nss/nss.h +3 −3 Original line number Diff line number Diff line Loading @@ -22,10 +22,10 @@ * The format of the version string should be * "<major version>.<minor version>[.<patch level>[.<build number>]][ <ECC>][ <Beta>]" */ #define NSS_VERSION "3.101.4" _NSS_CUSTOMIZED #define NSS_VERSION "3.112.2" _NSS_CUSTOMIZED #define NSS_VMAJOR 3 #define NSS_VMINOR 101 #define NSS_VPATCH 4 #define NSS_VMINOR 112 #define NSS_VPATCH 2 #define NSS_VBUILD 0 #define NSS_BETA PR_FALSE Loading Loading
security/nss/doc/rst/releases/index.rst +21 −15 Original line number Diff line number Diff line .. _mozilla_projects_nss_releases: Releases ======== Release Notes ============= .. toctree:: :maxdepth: 0 :glob: :hidden: nss_3_112_2.rst nss_3_112_1.rst nss_3_112.rst nss_3_111.rst nss_3_110.rst nss_3_109.rst nss_3_108.rst nss_3_107.rst nss_3_106.rst nss_3_105.rst nss_3_104.rst nss_3_103.rst nss_3_102_1.rst nss_3_102.rst nss_3_101_4.rst nss_3_101_3.rst nss_3_101_2.rst nss_3_101_1.rst Loading Loading @@ -69,18 +84,9 @@ Releases .. note:: **NSS 3.101.3 (ESR)** is the latest ESR version of NSS. Complete release notes are available here: :ref:`mozilla_projects_nss_nss_3_101_3_release_notes` **NSS 3.112** is the latest version of NSS. Complete release notes are available here: :ref:`mozilla_projects_nss_nss_3_112_release_notes` .. container:: **NSS 3.112.2 (ESR)** is the latest ESR version of NSS. Complete release notes are available here: :ref:`mozilla_projects_nss_nss_3_112_2_release_notes` Changes in 3.101.3 included in this release: - Bug 1935984 - Ensure zero-initialization of collectArgs.cert - Bug 1927953 - don't look for secmod.db in nssutil_ReadSecmodDB if NSS_DISABLE_DBM is set - Bug 1926256 - fix build error from 9505f79d - Bug 1926256 - simplify error handling in get_token_objects_for_cache. - Bug 1923767 - pk12util: improve error handling in p12U_ReadPKCS12File. - Bug 1909768 - UBSAN fix: applying zero offset to null pointer in sslsnce.c. - Bug 1908623 - move list size check after lock acquisition in sftk_PutObjectToList. - Bug 1899402 - Correctly destroy bulkkey in error scenario.
security/nss/doc/rst/releases/nss_3_112_2.rst 0 → 100644 +72 −0 Original line number Diff line number Diff line .. _mozilla_projects_nss_nss_3_112_2_release_notes: NSS 3.112.2 release notes ======================== `Introduction <#introduction>`__ -------------------------------- .. container:: Network Security Services (NSS) 3.112.2 was released on *3 October 2025**. `Distribution Information <#distribution_information>`__ -------------------------------------------------------- .. container:: The HG tag is NSS_3_112_2_RTM. NSS 3.112.2 requires NSPR 4.36 or newer. NSS 3.112.2 source distributions are available on ftp.mozilla.org for secure HTTPS download: - Source tarballs: https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_112_2_RTM/src/ Other releases are available :ref:`mozilla_projects_nss_releases`. .. _changes_in_nss_3.112.2: `Changes in NSS 3.112.2 <#changes_in_nss_3.112.2>`__ ------------------------------------------------------------------ .. container:: - Bug 1970079 - Prevent leaks during pkcs12 decoding. - Bug 1988046 - SEC_ASN1Decode* should ensure it has read as many bytes as each length field indicates. - Bug 1992218 - fix memory leak in secasn1decode_unittest.cc. - Bug 1988913 - Add OISTE roots. - Bug 1976051 - Add runbook for certdata.txt changes. - Bug 1991666 - dbtool: close databases before shutdown. - Bug 1956754 - don't flush base64 when buffer is null. - Bug 1989541 - Set `use_pkcs5_pbkd2_params2_only=1` for fuzzing builds. - Bug 1989480 - mozilla::pkix: recognize the qcStatements extension for QWACs. - Bug 1980465 - Fix a big-endian-problematic cast in zlib calls. - Bug 1962321 - Revert removing out/ directory after ossfuzz build. - Bug 1988524 - Add Cryptofuzz to OSS-Fuzz build. - Bug 1984704 - Add PKCS#11 trust tests. - Bug 1983308 - final disable dsa patch cert.sh. - Bug 1983320 - ml-dsa: move tls 1.3 to use streaming signatures. - Bug 1983320 - ml-dsa: Prep Create a FindOidTagByString function. - Bug 1983320 - ml-dsa: softoken changes. - Bug 1983320 - ml-dsa: der key decode. - Bug 1983320 - ml-dsa: Prep colapse the overuse of keyType outside of pk11wrap and cryptohi. - Bug 1983320 - ml-dsa: Prep Create a CreateSignatureAlgorithmID function. - Bug 1983308 - disable DSA in NSS script tests. - Bug 1983308 - Disabling of some algorithms: generic cert.sh. - Bug 1981046 - Need to update to new mechanisms. - Bug 1983320 - Add ML-DSA public key printing support in NSS command-line utilities. - Bug 1986802 - note embedded scts before revocation checks are performed. - Bug 1983320 - Add support for ML-DSA keys and mechanisms in PKCS#11 interface. - Bug 1983320 - Add support for ML-DSA key type and public key structure. - Bug 1983320 - Enable ML-DSA integration via OIDs support and SECMOD flag. - Bug 1983308 - disable kyber. - Bug 1965329 - Implement PKCS #11 v3.2 PQ functions (use verify signature). - Bug 1983308 - Disable dsa - gtests. - Bug 1983313 - make group and scheme support in test tools generic. - Bug 1983770 - Create GH workflow to automatically close PRs. - Bug 1983308 - Disable dsa - base code. - Bug 1983308 - Disabling of some algorithms: remove dsa from pk11_mode. - Bug 1983308 - Disable seed and RC2 bug fixes. - Bug 1982742 - restore support for finding certificates by decoded serial number. - Bug 1984165 - avoid CKR_BUFFER_TO_SMALL error in trust lookups.
security/nss/gtests/der_gtest/der_gtest.gyp +1 −0 Original line number Diff line number Diff line Loading @@ -14,6 +14,7 @@ 'der_getint_unittest.cc', 'der_quickder_unittest.cc', 'p12_import_unittest.cc', 'secasn1decode_unittest.cc', '<(DEPTH)/gtests/common/gtests.cc' ], 'dependencies': [ Loading
security/nss/gtests/der_gtest/secasn1decode_unittest.cc 0 → 100644 +86 −0 Original line number Diff line number Diff line /* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */ /* vim: set ts=2 et sw=2 tw=80: */ /* This Source Code Form is subject to the terms of the Mozilla Public * License, v. 2.0. If a copy of the MPL was not distributed with this file, * You can obtain one at http://mozilla.org/MPL/2.0/. */ #include "gtest/gtest.h" #include "scoped_ptrs_util.h" #include "nss.h" #include "prerror.h" #include "secasn1.h" #include "secasn1t.h" #include "secerr.h" #include "secport.h" class SECASN1DecodeTest : public ::testing::Test {}; struct Item { SECItem value; }; const SEC_ASN1Template ItemTemplate[] = { {SEC_ASN1_SEQUENCE, 0, NULL, sizeof(struct Item)}, {0}}; static const SEC_ASN1Template ItemsTemplate[] = { {SEC_ASN1_SEQUENCE_OF, 0, ItemTemplate}, {0}}; struct Container { struct Item** items; }; const SEC_ASN1Template ContainerTemplate[] = { {SEC_ASN1_SEQUENCE, 0, NULL, sizeof(struct Container)}, {SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_EXPLICIT | 0, offsetof(struct Container, items), ItemsTemplate}, {0}}; // clang-format off const unsigned char kEndOfContentsInDefiniteLengthContext[] = { 0x30, 0x06, 0xa0, 0x04, 0x30, 0x00, 0x00, 0x00, // EOC in definite length context }; // clang-format on TEST_F(SECASN1DecodeTest, EndOfContentsInDefiniteLengthContext) { ScopedPLArenaPool pool(PORT_NewArena(1024)); struct Container* decoded = reinterpret_cast<struct Container*>( PORT_ArenaZAlloc(pool.get(), sizeof(struct Container))); SEC_ASN1DecoderContext* ctx = SEC_ASN1DecoderStart(pool.get(), decoded, ContainerTemplate); ASSERT_TRUE(ctx); ASSERT_EQ( SEC_ASN1DecoderUpdate( ctx, reinterpret_cast<const char*>(kEndOfContentsInDefiniteLengthContext), sizeof(kEndOfContentsInDefiniteLengthContext)), SECFailure); ASSERT_EQ(PR_GetError(), SEC_ERROR_BAD_DER); } // clang-format off const unsigned char kContentsTooShort[] = { 0x30, 0x06, 0xa0, 0x04, 0x30, 0x00, // There should be two more bytes after this }; // clang-format on TEST_F(SECASN1DecodeTest, ContentsTooShort) { ScopedPLArenaPool pool(PORT_NewArena(1024)); struct Container* decoded = reinterpret_cast<struct Container*>( PORT_ArenaZAlloc(pool.get(), sizeof(struct Container))); SEC_ASN1DecoderContext* ctx = SEC_ASN1DecoderStart(pool.get(), decoded, ContainerTemplate); ASSERT_TRUE(ctx); ASSERT_EQ( SEC_ASN1DecoderUpdate( ctx, reinterpret_cast<const char*>(kContentsTooShort), sizeof(kContentsTooShort)), SECFailure); ASSERT_EQ(PR_GetError(), SEC_ERROR_BAD_DER); }
security/nss/lib/nss/nss.h +3 −3 Original line number Diff line number Diff line Loading @@ -22,10 +22,10 @@ * The format of the version string should be * "<major version>.<minor version>[.<patch level>[.<build number>]][ <ECC>][ <Beta>]" */ #define NSS_VERSION "3.101.4" _NSS_CUSTOMIZED #define NSS_VERSION "3.112.2" _NSS_CUSTOMIZED #define NSS_VMAJOR 3 #define NSS_VMINOR 101 #define NSS_VPATCH 4 #define NSS_VMINOR 112 #define NSS_VPATCH 2 #define NSS_VBUILD 0 #define NSS_BETA PR_FALSE Loading