Bug 1641480 (CVE-2020-25648) - Tighten CCS handling when the client doesn't indicate middlebox compatibility mode.

But current FF won't compile against it (for me, tried atop nixpkgs master):

/build/firefox-81.0.2/security/ct/CTLogVerifier.cpp:41:10: error: 'mozilla::ct::Result mozilla::ct::SignaturePa
   41 |   Result CheckRevocation(EndEntityOrCA, const CertID&, Time, Time, Duration,
      |          ^~~~~~~~~~~~~~~
In file included from /nix/store/420c27i4d1lvvmqw0wr619mydlwacdmi-nss-3.58-dev/include/nss/mozpkix/pkixder.h:41
                 from /build/firefox-81.0.2/security/ct/BTVerifier.h:13,
                 from /build/firefox-81.0.2/security/ct/BTVerifier.cpp:7,
                 from Unified_cpp_security_ct0.cpp:2:
/nix/store/420c27i4d1lvvmqw0wr619mydlwacdmi-nss-3.58-dev/include/nss/mozpkix/pkixtypes.h:279:18: warning: 'virt
  279 |   virtual Result CheckRevocation(EndEntityOrCA endEntityOrCA,
      |                  ^~~~~~~~~~~~~~~
In file included from Unified_cpp_security_ct0.cpp:29:
/build/firefox-81.0.2/security/ct/CTLogVerifier.cpp:41:10: warning:   by 'mozilla::ct::Result mozilla::ct::Sign
   41 |   Result CheckRevocation(EndEntityOrCA, const CertID&, Time, Time, Duration,
      |          ^~~~~~~~~~~~~~~

Same on staging as of 347696a… I thought I tested compiling Firefox, sorry.

There's a major FF release scheduled in two days that should not require this nss version yet and I hope it might fix this error.

I'm working on the firefox 82 package and as of now (it is still building) it doesn't require the newer NSS version. I'll try if it supports being built with this PR later.

Bad "luck":

In file included from Unified_cpp_security_ct0.cpp:29:
/build/firefox-82.0/security/ct/CTLogVerifier.cpp:42:54: error: non-virtual member function marked 'override' h
                         const Input*, const Input*) override {
                                                     ^

EDIT: same for ESR 78.4.0.

ESR-78 still fails with 3.59

As does 82. yay. -.-

Maybe we'll have to downgrade nss for 78? (for FF ESR and TB) Upstream apparently means 78 to be used with 3.53.x: https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_Releases

I expect 73 to be OK with 3.58 (and maybe even 3.59); it's scheduled for release in two days.

Ok, lets add an older version of NSS for those two? It isn't great but probably not worth blocking this much longer.

Firefox 83 now requires 3.58 and I'd rather pick this instead.

Another thing that we can also do is to change/decouple cacert.src. That should be the only thing causing mass rebuilds, and I don't expect we need to update it so often. Maybe the output doesn't even change often.

lets add an older version of NSS for those two

We still have 3.44, currently used for thunderbird-68.

That's probably too old, though.

I'm looking into the rebuild amounts that NSS vs cacert are causing right now. It could be a nice way to handle this as long as we regulary bump cacert then.

We've had some "nss only" rebuilds a while ago, when I was changing the build system to gyp and didn't get everything right on the first try. AFAIR the amount of rebuilds when just changing nss but not nss.src is at least an order of magnitude smaller.

If my invocations with ./maintainers/scripts/rebuild-amount.sh are correct just NSS is ~100 packages and cacert is 9k+ packages.

I'm trying to decouple cacert in the upcoming Firefox 83 PR. I'll also include this bump as it should then be just a minor rebuild.