Verified Commit a5ddfedc authored by Dennis Jackson's avatar Dennis Jackson Committed by Pier Angelo Vendrame
Browse files

Bug 1992388 - Release NSS 3.112.2 for ESR. r=jschanck a=RyanVM. UPGRADE_NSS_RELEASE

parent 9eea272c
Loading
Loading
Loading
Loading
Loading
+21 −15
Original line number Diff line number Diff line
.. _mozilla_projects_nss_releases:

Releases
========
Release Notes
=============

.. toctree::
   :maxdepth: 0
   :glob:
   :hidden:

   nss_3_112_2.rst
   nss_3_112_1.rst
   nss_3_112.rst
   nss_3_111.rst
   nss_3_110.rst
   nss_3_109.rst
   nss_3_108.rst
   nss_3_107.rst
   nss_3_106.rst
   nss_3_105.rst
   nss_3_104.rst
   nss_3_103.rst
   nss_3_102_1.rst
   nss_3_102.rst
   nss_3_101_4.rst
   nss_3_101_3.rst
   nss_3_101_2.rst
   nss_3_101_1.rst
@@ -69,18 +84,9 @@ Releases

.. note::

   **NSS 3.101.3 (ESR)** is the latest ESR version of NSS.
   Complete release notes are available here: :ref:`mozilla_projects_nss_nss_3_101_3_release_notes`
   **NSS 3.112** is the latest version of NSS.
   Complete release notes are available here: :ref:`mozilla_projects_nss_nss_3_112_release_notes`

.. container::
   **NSS 3.112.2 (ESR)** is the latest ESR version of NSS.
   Complete release notes are available here: :ref:`mozilla_projects_nss_nss_3_112_2_release_notes`
   Changes in 3.101.3 included in this release:

   - Bug 1935984 - Ensure zero-initialization of collectArgs.cert
   - Bug 1927953 - don't look for secmod.db in nssutil_ReadSecmodDB if NSS_DISABLE_DBM is set
   - Bug 1926256 - fix build error from 9505f79d
   - Bug 1926256 - simplify error handling in get_token_objects_for_cache.
   - Bug 1923767 - pk12util: improve error handling in p12U_ReadPKCS12File.
   - Bug 1909768 - UBSAN fix: applying zero offset to null pointer in sslsnce.c.
   - Bug 1908623 - move list size check after lock acquisition in sftk_PutObjectToList.
   - Bug 1899402 - Correctly destroy bulkkey in error scenario.
+72 −0
Original line number Diff line number Diff line
.. _mozilla_projects_nss_nss_3_112_2_release_notes:

NSS 3.112.2 release notes
========================

`Introduction <#introduction>`__
--------------------------------

.. container::

   Network Security Services (NSS) 3.112.2 was released on *3 October 2025**.

`Distribution Information <#distribution_information>`__
--------------------------------------------------------

.. container::

   The HG tag is NSS_3_112_2_RTM. NSS 3.112.2 requires NSPR 4.36 or newer.

   NSS 3.112.2 source distributions are available on ftp.mozilla.org for secure HTTPS download:

   -  Source tarballs:
      https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_112_2_RTM/src/

   Other releases are available :ref:`mozilla_projects_nss_releases`.

.. _changes_in_nss_3.112.2:

`Changes in NSS 3.112.2 <#changes_in_nss_3.112.2>`__
------------------------------------------------------------------

.. container::

   - Bug 1970079 - Prevent leaks during pkcs12 decoding.
   - Bug 1988046 - SEC_ASN1Decode* should ensure it has read as many bytes as each length field indicates.
   - Bug 1992218 - fix memory leak in secasn1decode_unittest.cc.
   - Bug 1988913 - Add OISTE roots.
   - Bug 1976051 - Add runbook for certdata.txt changes.
   - Bug 1991666 - dbtool: close databases before shutdown.
   - Bug 1956754 - don't flush base64 when buffer is null.
   - Bug 1989541 - Set `use_pkcs5_pbkd2_params2_only=1` for fuzzing builds.
   - Bug 1989480 - mozilla::pkix: recognize the qcStatements extension for QWACs.
   - Bug 1980465 - Fix a big-endian-problematic cast in zlib calls.
   - Bug 1962321 - Revert removing out/ directory after ossfuzz build.
   - Bug 1988524 - Add Cryptofuzz to OSS-Fuzz build.
   - Bug 1984704 - Add PKCS#11 trust tests.
   - Bug 1983308 - final disable dsa patch cert.sh.
   - Bug 1983320 - ml-dsa: move tls 1.3 to use streaming signatures.
   - Bug 1983320 - ml-dsa: Prep Create a FindOidTagByString function.
   - Bug 1983320 - ml-dsa: softoken changes.
   - Bug 1983320 - ml-dsa: der key decode.
   - Bug 1983320 - ml-dsa: Prep colapse the overuse of keyType outside of pk11wrap and cryptohi.
   - Bug 1983320 - ml-dsa: Prep Create a CreateSignatureAlgorithmID function.
   - Bug 1983308 - disable DSA in NSS script tests.
   - Bug 1983308 - Disabling of some algorithms: generic cert.sh.
   - Bug 1981046 - Need to update to new mechanisms.
   - Bug 1983320 - Add ML-DSA public key printing support in NSS command-line utilities.
   - Bug 1986802 - note embedded scts before revocation checks are performed.
   - Bug 1983320 - Add support for ML-DSA keys and mechanisms in PKCS#11 interface.
   - Bug 1983320 - Add support for ML-DSA key type and public key structure.
   - Bug 1983320 - Enable ML-DSA integration via OIDs support and SECMOD flag.
   - Bug 1983308 - disable kyber.
   - Bug 1965329 - Implement PKCS #11 v3.2 PQ functions (use verify signature).
   - Bug 1983308 - Disable dsa - gtests.
   - Bug 1983313 - make group and scheme support in test tools generic.
   - Bug 1983770 - Create GH workflow to automatically close PRs.
   - Bug 1983308 - Disable dsa - base code.
   - Bug 1983308 - Disabling of some algorithms: remove dsa from pk11_mode.
   - Bug 1983308 - Disable seed and RC2 bug fixes.
   - Bug 1982742 - restore support for finding certificates by decoded serial number.
   - Bug 1984165 - avoid CKR_BUFFER_TO_SMALL error in trust lookups.
+1 −0
Original line number Diff line number Diff line
@@ -14,6 +14,7 @@
        'der_getint_unittest.cc',
        'der_quickder_unittest.cc',
        'p12_import_unittest.cc',
        'secasn1decode_unittest.cc',
        '<(DEPTH)/gtests/common/gtests.cc'
      ],
      'dependencies': [
+86 −0
Original line number Diff line number Diff line
/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
/* vim: set ts=2 et sw=2 tw=80: */
/* This Source Code Form is subject to the terms of the Mozilla Public
 * License, v. 2.0. If a copy of the MPL was not distributed with this file,
 * You can obtain one at http://mozilla.org/MPL/2.0/. */

#include "gtest/gtest.h"
#include "scoped_ptrs_util.h"

#include "nss.h"
#include "prerror.h"
#include "secasn1.h"
#include "secasn1t.h"
#include "secerr.h"
#include "secport.h"

class SECASN1DecodeTest : public ::testing::Test {};

struct Item {
  SECItem value;
};

const SEC_ASN1Template ItemTemplate[] = {
    {SEC_ASN1_SEQUENCE, 0, NULL, sizeof(struct Item)}, {0}};

static const SEC_ASN1Template ItemsTemplate[] = {
    {SEC_ASN1_SEQUENCE_OF, 0, ItemTemplate}, {0}};

struct Container {
  struct Item** items;
};

const SEC_ASN1Template ContainerTemplate[] = {
    {SEC_ASN1_SEQUENCE, 0, NULL, sizeof(struct Container)},
    {SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_EXPLICIT | 0,
     offsetof(struct Container, items), ItemsTemplate},
    {0}};

// clang-format off
const unsigned char kEndOfContentsInDefiniteLengthContext[] = {
    0x30, 0x06,
      0xa0, 0x04,
        0x30, 0x00,
        0x00, 0x00, // EOC in definite length context
};
// clang-format on

TEST_F(SECASN1DecodeTest, EndOfContentsInDefiniteLengthContext) {
  ScopedPLArenaPool pool(PORT_NewArena(1024));
  struct Container* decoded = reinterpret_cast<struct Container*>(
      PORT_ArenaZAlloc(pool.get(), sizeof(struct Container)));
  SEC_ASN1DecoderContext* ctx =
      SEC_ASN1DecoderStart(pool.get(), decoded, ContainerTemplate);
  ASSERT_TRUE(ctx);
  ASSERT_EQ(
      SEC_ASN1DecoderUpdate(
          ctx,
          reinterpret_cast<const char*>(kEndOfContentsInDefiniteLengthContext),
          sizeof(kEndOfContentsInDefiniteLengthContext)),
      SECFailure);
  ASSERT_EQ(PR_GetError(), SEC_ERROR_BAD_DER);
}

// clang-format off
const unsigned char kContentsTooShort[] = {
    0x30, 0x06,
      0xa0, 0x04,
        0x30, 0x00, // There should be two more bytes after this
};
// clang-format on

TEST_F(SECASN1DecodeTest, ContentsTooShort) {
  ScopedPLArenaPool pool(PORT_NewArena(1024));
  struct Container* decoded = reinterpret_cast<struct Container*>(
      PORT_ArenaZAlloc(pool.get(), sizeof(struct Container)));
  SEC_ASN1DecoderContext* ctx =
      SEC_ASN1DecoderStart(pool.get(), decoded, ContainerTemplate);
  ASSERT_TRUE(ctx);
  ASSERT_EQ(
      SEC_ASN1DecoderUpdate(
          ctx,
          reinterpret_cast<const char*>(kContentsTooShort),
          sizeof(kContentsTooShort)),
      SECFailure);
  ASSERT_EQ(PR_GetError(), SEC_ERROR_BAD_DER);
}
+3 −3
Original line number Diff line number Diff line
@@ -22,10 +22,10 @@
 * The format of the version string should be
 *     "<major version>.<minor version>[.<patch level>[.<build number>]][ <ECC>][ <Beta>]"
 */
#define NSS_VERSION "3.101.4" _NSS_CUSTOMIZED
#define NSS_VERSION "3.112.2" _NSS_CUSTOMIZED
#define NSS_VMAJOR 3
#define NSS_VMINOR 101
#define NSS_VPATCH 4
#define NSS_VMINOR 112
#define NSS_VPATCH 2
#define NSS_VBUILD 0
#define NSS_BETA PR_FALSE

Loading