Граф коммитов

929 Коммитов

Автор SHA1 Сообщение Дата
J.C. Jones 638a597baa Bug 1636656 - land NSS e3444f4cc638 UPGRADE_NSS_RELEASE,
Differential Revision: https://phabricator.services.mozilla.com/D74716
2020-05-11 18:20:52 +00:00
Nick Alexander 9c6b68bbb2 Bug 1635271 - Restore CFLAGS to avoid repeat -fPIC flag when running configure after clobber. r=froydnj
If we don't restore CFLAGS, then after a clobber, there's no configure
cache, and therefore the CFLAGS get tweaked.  But running configure
again, the cache steps in and the extra -fPIC isn't added.  Locally
this means fewer sccache hits (but in automation, all builds at this
time are clobber builds, so there's no impact).

Differential Revision: https://phabricator.services.mozilla.com/D73757
2020-05-04 23:13:55 +00:00
Nathan Froyd 795e06301c Bug 1635099 - remove _USE_CPP_INCLUDE_FLAG; r=dmajor
We only set this and never reference it otherwise.  I attempted to
determine when the last use was, but even esr17 (!) only set it, never
used it, and `hg grep` is very slow...

Differential Revision: https://phabricator.services.mozilla.com/D73662
2020-05-04 15:03:17 +00:00
Kevin Jacobs 7d42f279f2 Bug 1629594 - land NSS 50dcc34d470d UPGRADE_NSS_RELEASE, r=jcj
2020-04-13  Kevin Jacobs  <kjacobs@mozilla.com>

	* lib/pk11wrap/debug_module.c, lib/pk11wrap/pk11load.c:
	Bug 1629105 - Update PKCS11 module debug logger for v3.0 r=rrelyea

	Differential Revision:
	https://phabricator.services.mozilla.com/D70582
	[50dcc34d470d] [tip]

2020-04-07  Robert Relyea  <rrelyea@redhat.com>

        * lib/ckfw/builtins/testlib/Makefile:
        Bug 1465613 Fix gmake issue create by the patch which adds ability
        to distrust certificates issued after a certain date for a specified
        root cert r=jcj

        I've been trying to run down an issue I've been having, and I think
        this bug is the source. Whenever I build ('gmake' build), I get the
        following untracted files: ? lib/ckfw/builtins/testlib/anchor.o ?
        lib/ckfw/builtins/testlib/bfind.o ?
        lib/ckfw/builtins/testlib/binst.o ?
        lib/ckfw/builtins/testlib/bobject.o ?
        lib/ckfw/builtins/testlib/bsession.o ?
        lib/ckfw/builtins/testlib/bslot.o ?
        lib/ckfw/builtins/testlib/btoken.o ?
        lib/ckfw/builtins/testlib/ckbiver.o ?
        lib/ckfw/builtins/testlib/constants.o

        This is because of the way lib/ckfw/builtins/testlib works, it uses
        the sources from the directory below, and explicitly reference them
        with ../{source_name}.c. The object file then becomes
        lib/ckfw/builtins/testlib/{OBJDIR}/../{source_name}.o.

        The simple fix would be to paper over the issue and just add these
        to .hgignore, but that would break our ability to build multiple
        platforms on a single source directory. I'll include a patch that
        fixes this issue.

        bob

        Differential Revision:
        https://phabricator.services.mozilla.com/D70077
        [92058f185316]

2020-04-06  Robert Relyea  <rrelyea@redhat.com>

	* automation/abi-check/expected-report-libnss3.so.txt,
	gtests/ssl_gtest/tls_hkdf_unittest.cc, lib/nss/nss.def,
	lib/pk11wrap/pk11pub.h, lib/pk11wrap/pk11skey.c,
	lib/ssl/sslprimitive.c, lib/ssl/tls13con.c, lib/ssl/tls13con.h,
	lib/ssl/tls13hkdf.c, lib/ssl/tls13replay.c, tests/ssl/ssl.sh:
	Bug 1561637 TLS 1.3 does not work in FIPS mode r=mt

	Part 2 of 2

	Use the official PKCS #11 HKDF mechanism to implement tls 1.3.

	1) The new mechanism is a single derive mechanism, so we no longer
	need to pick it based on the underlying hmac (Note, we still need to
	know the underlying hmac, which is passed in as a mechanism
	parameter).

	2) Use the new keygen to generate CKK_HKDF keys rather than doing it
	by hand with the random number generator (never was really the best
	way of doing this).

	3) modify tls13hkdf.c to use the new mechanisms: 1) Extract: use the
	new key handle in the mechanism parameters to pass the salt when the
	salt is a key handle. Extract: use the explicit NULL salt parameter
	if for the hash len salt of zeros. 2) Expand: Expand is mostly a
	helper function which takes a mechanism. For regular expand, the
	mechanism is the normal _Derive, for the Raw version its the _Data
	function. That creates a data object, which is extractable in FIPS
	mode.

	4) update slot handling in tls13hkdf.c: 1) we need to make sure that
	the key and the salt key are in the same slot. Provide a PK11wrap
	function to make that guarrentee (and use that function in
	PK11_WrapKey, which already has to do the same function). 2) When
	importing a 'data' key for the zero key case, make sure we import
	into the salt key's slot. If there is no salt key, use
	PK11_GetBestSlot() rather than PK11_GetInternal slot.

	Differential Revision:
	https://phabricator.services.mozilla.com/D69899
	[3d2b1738e064]

2020-04-06  Kevin Jacobs  <kjacobs@mozilla.com>

	* gtests/common/testvectors/curve25519-vectors.h,
	gtests/common/testvectors/p256ecdh-vectors.h,
	gtests/common/testvectors/p384ecdh-vectors.h,
	gtests/common/testvectors/p521ecdh-vectors.h,
	gtests/common/testvectors/rsa_oaep_2048_sha1_mgf1sha1-vectors.h,
	gtests/common/testvectors/rsa_oaep_2048_sha256_mgf1sha1-vectors.h,
	gtests/common/testvectors/rsa_oaep_2048_sha256_mgf1sha256-vectors.h,
	gtests/common/testvectors/rsa_oaep_2048_sha384_mgf1sha1-vectors.h,
	gtests/common/testvectors/rsa_oaep_2048_sha384_mgf1sha384-vectors.h,
	gtests/common/testvectors/rsa_oaep_2048_sha512_mgf1sha1-vectors.h,
	gtests/common/testvectors/rsa_oaep_2048_sha512_mgf1sha512-vectors.h,
	gtests/common/testvectors/rsa_pkcs1_2048_test-vectors.h,
	gtests/common/testvectors/rsa_pkcs1_3072_test-vectors.h,
	gtests/common/testvectors/rsa_pkcs1_4096_test-vectors.h,
	gtests/common/testvectors/rsa_pss_2048_sha1_mgf1_20-vectors.h,
	gtests/common/testvectors/rsa_pss_2048_sha256_mgf1_0-vectors.h,
	gtests/common/testvectors/rsa_pss_2048_sha256_mgf1_32-vectors.h,
	gtests/common/testvectors/rsa_pss_3072_sha256_mgf1_32-vectors.h,
	gtests/common/testvectors/rsa_pss_4096_sha256_mgf1_32-vectors.h,
	gtests/common/testvectors/rsa_pss_4096_sha512_mgf1_32-vectors.h,
	gtests/common/testvectors/rsa_pss_misc-vectors.h,
	gtests/common/testvectors/rsa_signature-vectors.h,
	gtests/common/testvectors/rsa_signature_2048_sha224-vectors.h,
	gtests/common/testvectors/rsa_signature_2048_sha256-vectors.h,
	gtests/common/testvectors/rsa_signature_2048_sha512-vectors.h,
	gtests/common/testvectors/rsa_signature_3072_sha256-vectors.h,
	gtests/common/testvectors/rsa_signature_3072_sha384-vectors.h,
	gtests/common/testvectors/rsa_signature_3072_sha512-vectors.h,
	gtests/common/testvectors/rsa_signature_4096_sha384-vectors.h,
	gtests/common/testvectors/rsa_signature_4096_sha512-vectors.h,
	gtests/common/testvectors_base/rsa_signature-vectors_base.txt,
	gtests/common/testvectors_base/test-structs.h,
	gtests/common/wycheproof/genTestVectors.py,
	gtests/pk11_gtest/manifest.mn, gtests/pk11_gtest/pk11_gtest.gyp,
	gtests/pk11_gtest/pk11_rsaencrypt_unittest.cc,
	gtests/pk11_gtest/pk11_rsaoaep_unittest.cc,
	gtests/pk11_gtest/pk11_rsapkcs1_unittest.cc,
	gtests/pk11_gtest/pk11_rsapss_unittest.cc:
	Bug 1612260 - Add Wycheproof vectors for RSA PKCS1 and PSS signing,
	PKCS1 and OEAP decryption. r=bbeurdouche

	This patch updates the Wycheproof script to build RSA test vectors
	(covering PKCS1 decryption/verification, as well as PSS and OAEP)
	and adds the appropriate test drivers.

	Differential Revision:
	https://phabricator.services.mozilla.com/D69847
	[469fd8633757]

2020-04-01  Kevin Jacobs  <kjacobs@mozilla.com>

	* automation/taskcluster/docker-fuzz32/Dockerfile:
	Bug 1626751 - Add apt-transport-https & apt-utils to fuzz32 docker
	image r=jcj

	We already install these packages on the image_builder image itself.
	It seems they're now required on the fuzz32 image as well.

	Differential Revision:
	https://phabricator.services.mozilla.com/D69274
	[c7a8195e3072]

2020-04-01  Giulio Benetti  <giulio.benetti@benettiengineering.com>

	* lib/freebl/Makefile:
	Bug 1624864 - Don't force ARMv7 for gcm-arm32-neon r=jcj
	[858209235972]

	* coreconf/config.gypi, coreconf/config.mk, lib/freebl/Makefile,
	lib/freebl/freebl.gyp, lib/freebl/gcm.c:
	Bug 1620799 - Introduce NSS_DISABLE_ARM32_NEON r=jcj

	Only some Arm32 supports neon, so let's introduce
	NSS_DISABLE_ARM32_NEON to allow disabling Neon acceleration when
	building for Arm32.

	Signed-off-by: Giulio Benetti
	<giulio.benetti@benettiengineering.com>
	[b47b2c35aa64]

2020-04-01  Kevin Jacobs  <kjacobs@mozilla.com>

	* automation/abi-check/expected-report-libnss3.so.txt, automation/abi-
	check/expected-report-libsoftokn3.so.txt, automation/abi-check
	/expected-report-libssl3.so.txt:
	Fixup ABI checks after libabigail update and Delegated Credentials
	backport. r=me
	[7f50f6ca7658]

2020-03-31  hajma  <tropikhajma@gmail.com>

	* coreconf/SunOS5.mk:
	Bug 1625133 - Fix implicit declaration of function 'getopt' on SunOS
	r=jcj
	[744788dd18dc]

2020-03-30  Robert Relyea  <rrelyea@redhat.com>

	* automation/abi-check/expected-report-libnss3.so.txt,
	gtests/pk11_gtest/pk11_hkdf_unittest.cc, lib/nss/nss.def,
	lib/pk11wrap/pk11mech.c, lib/pk11wrap/pk11obj.c,
	lib/pk11wrap/pk11pub.h, lib/softoken/pkcs11.c,
	lib/softoken/pkcs11c.c:
	Bug 1561637 TLS 1.3 does not work in FIPS mode

	Patch 1 of 2. This patch updates softoken and helper functions with
	the new PKCS #11 v3 HKDF, which handles all the correct key
	management so that we can work in FIPS mode

	1) Salts can be passed in as data, as and explicit NULL (which per
	spec means a zero filled buffer of length of the underlying HMAC),
	or through a key handle 2) A Data object can be used as a key
	(explicitly allowed for this mechanism by the spec). 3) A special
	mechansism produces a data object rather than a key, the latter
	which can be exported. Softoken does not do the optional validation
	on the pInfo to verify that the requested values are supposed to be
	data rather than keys. Some other tokens may.

	The old hkdf mechanism has been retained for compatibility (well
	namely until patch 2 is created, tls is still using it). The hkdf
	function has been broken off into it's own function rather than
	inline in the derive function.

	Note: because the base key and/or the export key could really be a
	data object, our explicit handling of sensitive and extractable are
	adjusted to take into account that those flags do not exist in data
	objects.

	Differential Revision:
	https://phabricator.services.mozilla.com/D68940
	[e0922aac5267]

2020-03-26  Hans Petter Jansson  <hpj@cl.no>

	* cmd/lowhashtest/lowhashtest.c:
	Bug 1622555 - Fix lowhashtest argument parsing. r=kjacobs
	[f3c5ab41c972]

2020-03-26  Benjamin Beurdouche  <bbeurdouche@mozilla.com>

	* lib/freebl/Makefile, lib/freebl/freebl.gyp:
	Bug 1624377 - Replace freebl flag -msse4 by -msse4.1 -msse4.2 which
	are supported by older compilers r=kjacobs

	Differential Revision:
	https://phabricator.services.mozilla.com/D68407
	[16ee7cb36fff]

2020-03-26  Robert Relyea  <rrelyea@redhat.com>

	* gtests/ssl_gtest/libssl_internals.c, lib/pk11wrap/exports.gyp,
	lib/pk11wrap/manifest.mn, lib/ssl/ssl3con.c, lib/ssl/sslprimitive.c,
	lib/ssl/sslspec.h, lib/ssl/tls13con.c, lib/ssl/tls13con.h,
	lib/ssl/tls13esni.c, lib/ssl/tls13exthandle.c:
	Bug 1623374 Need to support the new PKCS #11 Message interface for
	AES GCM and ChaCha Poly r=mt

	Update ssl to use the new PK11_AEADOp() interface. 1. We restore the
	use of PK11Context_Create() for AEAD operations. 2. AES GCM and
	CHACHA/Poly specific functions are no longer needed as PK11_AEADOp()
	handles all the mechanism specific processing. 3. TLS semantic
	differences between the two algorithms is handled by their
	parameters: 1. Nonce length is the length of the nonce counter. If
	it's zero, then XOR_Counter is used (and the nonce length is the
	sizeof(sslSequenceNumber)). 2. IV length is the full IV length -
	nonce length. 3. TLS 1.3 always uses XOR_Counter. 4. The IV is
	returned from the token in the encrypt case. Only in the explict
	nonce case is it examined. (The code depends on the fact that the
	count in the token will match sslSequenceNumber). I did have assert
	code to verify this was happening for testing, but it's removed from
	this patch it can be added back. 5. All the decrypt instances of
	XOR_Counter IV creation have been colapsed into tls13_WriteNonce().
	6. Even tough PK11_AEADOp returns and accepts the tag separately
	(for encrypt and decrypt respectively). The SSL code still returns
	the values as buffer||tag. 7. tls13_AEAD() has been enhanced so all
	uses of AEAD outside of the TLS stream can use it instead of their
	own wrapped version. It can handle streams (CreateContext()
	tls13_AEAD() tls13_AEAD() DestroyContext()) or single shot
	tls13_AEAD(context=NULL). In the later case, the keys for the single
	shot operation should not be resued. 8. libssl_internals.c in the
	gtests directory has been updated to handle advancing the internal
	iv counter when we artifically advance the seqNum. Since we don't
	have access to any token iv counter (including softoken), The code
	switches to simulated message mode, and updates the simulated state
	as appropriate. (obviously this is for testing only code as it
	reaches into normally private data structures).

	Differential Revision:
	https://phabricator.services.mozilla.com/D68480
	[e7c7f305078e]

2020-03-26  Robert Relyea  <rrelyea@redhat.com>

        * gtests/ssl_gtest/libssl_internals.c, lib/pk11wrap/exports.gyp,
        lib/pk11wrap/manifest.mn, lib/ssl/ssl3con.c, lib/ssl/sslprimitive.c,
        lib/ssl/sslspec.h, lib/ssl/tls13con.c, lib/ssl/tls13con.h,
        lib/ssl/tls13esni.c, lib/ssl/tls13exthandle.c:
        Bug 1623374 Need to support the new PKCS #11 Message interface for
        AES GCM and ChaCha Poly r=mt

        Update ssl to use the new PK11_AEADOp() interface. 1. We restore the
        use of PK11Context_Create() for AEAD operations. 2. AES GCM and
        CHACHA/Poly specific functions are no longer needed as PK11_AEADOp()
        handles all the mechanism specific processing. 3. TLS semantic
        differences between the two algorithms is handled by their
        parameters: 1. Nonce length is the length of the nonce counter. If
        it's zero, then XOR_Counter is used (and the nonce length is the
        sizeof(sslSequenceNumber)). 2. IV length is the full IV length -
        nonce length. 3. TLS 1.3 always uses XOR_Counter. 4. The IV is
        returned from the token in the encrypt case. Only in the explict
        nonce case is it examined. (The code depends on the fact that the
        count in the token will match sslSequenceNumber). I did have assert
        code to verify this was happening for testing, but it's removed from
        this patch it can be added back. 5. All the decrypt instances of
        XOR_Counter IV creation have been colapsed into tls13_WriteNonce().
        6. Even tough PK11_AEADOp returns and accepts the tag separately
        (for encrypt and decrypt respectively). The SSL code still returns
        the values as buffer||tag. 7. tls13_AEAD() has been enhanced so all
        uses of AEAD outside of the TLS stream can use it instead of their
        own wrapped version. It can handle streams (CreateContext()
        tls13_AEAD() tls13_AEAD() DestroyContext()) or single shot
        tls13_AEAD(context=NULL). In the later case, the keys for the single
        shot operation should not be resued. 8. libssl_internals.c in the
        gtests directory has been updated to handle advancing the internal
        iv counter when we artifically advance the seqNum. Since we don't
        have access to any token iv counter (including softoken), The code
        switches to simulated message mode, and updates the simulated state
        as appropriate. (obviously this is for testing only code as it
        reaches into normally private data structures).

        Differential Revision:
        https://phabricator.services.mozilla.com/D68480
        [e7c7f305078e]


2020-03-23  Kevin Jacobs  <kjacobs@mozilla.com>

	* lib/softoken/pkcs11.c:
	Bug 1624402 - Fix compilation error when NO_FORK_CHECK and
	CHECK_FORK_* are defined r=rrelyea

	Differential Revision:
	https://phabricator.services.mozilla.com/D67911
	[0225889e5292]

2020-03-23  Kevin Jacobs  <kjacobs@mozilla.com>

    * lib/util/pkcs11.h:
    Bug 1624130 - Require CK_FUNCTION_LIST structs to be packed.
    r=rrelyea

    Differential Revision:
    https://phabricator.services.mozilla.com/D67741
    [7ab62d3d0445]

2020-03-19  Robert Relyea  <rrelyea@redhat.com>

	* automation/abi-check/expected-report-libnss3.so.txt,
	gtests/pk11_gtest/pk11_aes_gcm_unittest.cc,
	gtests/pk11_gtest/pk11_chacha20poly1305_unittest.cc,
	lib/freebl/blapi.h, lib/freebl/blapii.h, lib/freebl/blapit.h,
	lib/freebl/chacha20poly1305.c, lib/freebl/gcm.c, lib/freebl/gcm.h,
	lib/freebl/intel-gcm-wrap.c, lib/freebl/intel-gcm.h,
	lib/freebl/ldvector.c, lib/freebl/loader.c, lib/freebl/loader.h,
	lib/freebl/rijndael.c, lib/freebl/rijndael.h, lib/nss/nss.def,
	lib/pk11wrap/pk11cxt.c, lib/pk11wrap/pk11mech.c,
	lib/pk11wrap/pk11priv.h, lib/pk11wrap/pk11pub.h,
	lib/pk11wrap/pk11skey.c, lib/pk11wrap/pk11slot.c,
	lib/pk11wrap/secmodti.h, lib/softoken/fipstokn.c,
	lib/softoken/pkcs11.c, lib/softoken/pkcs11c.c,
	lib/softoken/pkcs11i.h, lib/softoken/pkcs11u.c,
	lib/softoken/sftkmessage.c, lib/util/pkcs11n.h, lib/util/pkcs11t.h,
	lib/util/secport.h:
	Bug 1623374 Need to support the new PKCS #11 Message interface for
	AES GCM and ChaCha Poly

	PKCS #11 defines a new interface for handling AEAD type ciphers that
	allow multiple AEAD operations without repeating the key schedule.
	It also allows tokens to keep track of the number of operations, and
	generate IVs (depending on the cipher).

	This patch: 1. implement those new functions in softoken. With the
	addition of CKF_MESSAGE_* flags to various mechanism, we need to
	strip them when using the version 2 API of softoken (since there are
	no C_Message* function in version 2). For that we need a separate
	C_GetMechanismInfo function. We use the same trick we used to have a
	separate version function for the V2 interface. Also now that the
	new message functions are in their own file, they still need access
	to the common Session state processing functions. those have gone
	from static to exported within softoken to accomidate that. Same
	with sftk_MapDecryptError() (sftk_MapVerifyError() was also made
	global, though nothing else is yet using it). Only
	C_MessageEncrptInit(), C_EncryptMessage(), C_MessageEncryptFinal,
	C_MessageDecryptInit(), C_DecryptMessage(), and
	C_MessageDecryptFinal are implemented. C_EncryptMessageBegin(),
	C_EncryptMessageNext(), C_DecryptMessageBegin(), and
	C_DecryptMessageNext() are all part of the multi-part withing a
	multi-part operation and are only necessary for things like S/MIME
	(potentially). If we wanted to implement them, we would need more
	functions exported from freebl (and initaead, updateaead, finalaead
	for each mechanism type). 2. make those interfaces call aes_gcm and
	chacha20_poly1503 (and make adjustments for those ciphers). For AES,
	I added a new function AES_AEAD, which handles both encrypt and
	decrypt. Internally, the gcm functions (both the generic gcm and the
	intel gcm wrapper) had their init functions split into key
	scheduling and counter mode/tag initialization. The latter is still
	called from init, but the former is now for each update call. IV
	generation is handled by a single function in gcm.c, and shared with
	intel_gcm_wrapper.c Since the AES functions already know about the
	underlying PKCS #11 mechanism parameters, the new AEAD functions
	also parse the PKCS #11 GCM parameters. For Chacha/Poly new aead
	update functions were created called ChaChaPoly1305_Encrypt and
	ChaChaChaPoly1305_Decrypt. There was no Message specific
	initialization in the existing chacha_init, so no changes were
	needed there. The primary difference between _Encrypt/_Decrypt and
	_Seal/_Open is the fact that the tag is put at the end of the
	encrypted data buffer in the latter, and in a generic buffer in the
	former. 3. create new pk11wrap interfaces that also squash the api
	differences between the various mechanisms for aead (similiar to the
	way we do it for CBC and ECB crypto today). To accomplish this I
	added PK11_AEADOp() and PK11_AEADRawOp(). Both functions handle the
	case where the token only supports the single shot interface, by
	using the single short interface to simulate the Message interface.
	The PK11_AEADOp() also smooths out the differences in the parameters
	and symantics of the various mechanism so the application does not
	need to worry about the PKCS #11 differences in the mechanism. Both
	use contexts from the standard PK11_CreateContext(), so key
	schedules are done once for each key rather than once for each
	message. MESSAGE/AEAD operations are selected by adding the psuedo
	attribute flag CKA_NSS_MESSAGE to the requested operation
	(CKA_ENCRYPT, CKA_DECRYPT, CKA_SIGN, CKA_VERIFY). 4. write tests for
	the new interfaces Tests were added to make sure the PK11_AEADRawOp
	interface works, The single shot interface is used to test output of
	the message interface we also use two test only functions to force
	the connection to use the simulation interface, which is also
	compared to the non-simulate inteface. The AES_GCM also tests
	various IV generators.

	Differential Revision:
	https://phabricator.services.mozilla.com/D67552
	[293ac3688ced]

2020-03-18  Kevin Jacobs  <kjacobs@mozilla.com>

	* lib/freebl/mpi/mpcpucache.c:
	Bug 1623184 - Clear ECX prior to cpuid, fixing query for Extended
	Features r=bbeurdouche

	While trying to benchmark the recent HACL* AVX2 code, I noticed that
	it was not being called on two machines (that both support AVX2),
	instead using only the AVX version.

	In order to query for Extended Features (cpuid with EAX=7), we also
	need to set ECX to 0: https://www.intel.com/content/www/us/en
	/architecture-and-technology/64-ia-32-architectures-software-
	developer-vol-2a-manual.html. The current code fails to do this,
	resulting in flags that show no support.

	Initially, I wrote a separate `freebl_cpuid_ex` function that
	accepted a value for ECX as a separate input argument. However, some
	definitions of `freebl_cpuid` already zero ECX, so making this
	consistent is the simplest way to get the desired behavior.

	With this patch, the two test machines (MacOS and Linux x64)
	correctly use the AVX2 ChaCha20Poly1305 code.

	Differential Revision:
	https://phabricator.services.mozilla.com/D67235
	[06d41fe87c58]

2020-03-17  Robert Relyea  <rrelyea@redhat.com>

	* automation/abi-check/expected-report-libnss3.so.txt, automation/abi-
	check/expected-report-libsoftokn3.so.txt, cmd/pk11mode/pk11mode.c,
	lib/pk11wrap/pk11load.c, lib/pk11wrap/secmodi.h,
	lib/pk11wrap/secmodt.h, lib/softoken/fipstokn.c,
	lib/softoken/manifest.mn, lib/softoken/pkcs11.c,
	lib/softoken/pkcs11c.c, lib/softoken/pkcs11i.h,
	lib/softoken/sftkmessage.c, lib/softoken/softoken.gyp,
	lib/softoken/softoken.h, lib/softoken/softokn.def,
	lib/util/pkcs11.h, lib/util/pkcs11f.h, lib/util/pkcs11n.h,
	nss/automation/abi-check/new-report-libnss3.so.txt, nss/automation
	/abi-check/new-report-libsoftokn3.so.txt:
	Bug 1603628 Update NSS to handle PKCS #11 v3.0 r=ueno r=mt

	Update to PKCS #11 v3.0 part 2.

	Create the functions and switch to the C_Interface() function to
	fetch the PKCS #11 function table. Also PKCS #11 v3.0 uses a new
	fork safe interface. NSS can already handle the case if the PKCS #11
	module happens to be fork safe (when asked by the application to
	refresh the tokens in the child process, NSS can detect that such a
	refresh is not necessary and continue. Softoken could also be put in
	fork_safe mode with an environment variable. With this patch it's
	the default, and NSS asks for the fork safe API by default.
	Technically softoken should implement the old non-fork safe
	interface when PKCS #11 v2.0 is called, but NSS no longer needs it,
	and doing so would double the number of PKCS #11 interfaces are
	needed. You can still compile with fork unsafe semantics, and the
	PKCS #11 V3.0 module will do the right thing and not include the
	fork safe flag. Firefox does not fork(), so for firefox this is
	simply code that is no longer compilied.

	We now use C_GetInterface, which allows us to specify what kind of
	interface we want (PKCS #11 v3.0, PKCS #11 v2.0, fork safe, etc.).
	Vendor specific functions can now be accessed through the
	C_GetInterface. If the C_GetInterface function does not exists, we
	fall bak to the old C_GetFunctionList.

	There are 24 new functions in PKCS #11 v3.0: C_GetInterfaceList -
	return a table of all the supported interfaces C_GetInterface -
	return a specific interface. You can specify interface name, version
	and flags separately. You can leave off any of these and you will
	get what the token thinks is the best match of the interfaces that
	meet the criteria. We do this in softoken by the order of the
	interface list. C_SessionCancel - Cancel one or more multipart
	operation C_LoginUser - Supply a user name to C_Login(). This
	function has no meaning for softoken, so it just returns
	CKR_OPERATION_NOT_INITIALIZED under the theory that if we in the
	future want to support usernames, the NSS db would need special
	initialization to make that happen. C_Message* and C_*Message* (20
	functions in all) are the new AEAD interface (they are written
	generally so that it can be used for things other than AEAD). In
	this patch they are unimplemented (see the next patch).

	This patch adds regular (NSC_) and FIPS (FC_) versions of these
	functions. Also when creating the PKCS #11 v2.0 interface, we had to
	create a 2.0 specific version of C_GetInfo so that it can return a
	2.40 in the CK_VERSION field rather than 3.00. We do this with
	#defines since all the function tables are generated automagically
	with pkcs11f.h.

	Differential Revision:
	https://phabricator.services.mozilla.com/D67240
	[2364598f8a36]

2020-03-09  Benjamin Beurdouche  <bbeurdouche@mozilla.com>

	* automation/taskcluster/scripts/run_hacl.sh,
	lib/freebl/verified/Hacl_Poly1305_128.c,
	lib/freebl/verified/Hacl_Poly1305_256.c:
	Bug 1612493 - Fix Firefox build for Windows 2012 x64. r=kjacobs

	Differential Revision:
	https://phabricator.services.mozilla.com/D65945
	[7e09cdab32d0]

2020-03-02  Kurt Miller  <kurt@intricatesoftware.com>

        * lib/freebl/blinit.c:
        Bug 1618400 - Fix unused variable 'getauxval' on OpenBSD/arm64 r=jcj

        https://bugzilla.mozilla.org/show_bug.cgi?id=1618400
        [2c989888dee7]

2020-03-02  Giulio Benetti  <giulio.benetti@benettiengineering.com>

        * lib/freebl/blinit.c:
        Bug 1614183 - Check if PPC __has_include(<sys/auxv.h>). r=kjacobs
        Some build environment doesn't provide <sys/auxv.h> and this causes
        build failure, so let's check if that header exists by using
        __has_include() helper.

        Signed-off-by: Giulio Benetti
        <giulio.benetti@benettiengineering.com>
        [bb7c46049f26]

2020-02-28  Benjamin Beurdouche  <bbeurdouche@mozilla.com>

        * automation/taskcluster/scripts/run_hacl.sh,
        lib/freebl/verified/Hacl_Chacha20.c,
        lib/freebl/verified/Hacl_Chacha20Poly1305_128.c,
        lib/freebl/verified/Hacl_Chacha20Poly1305_32.c,
        lib/freebl/verified/Hacl_Chacha20_Vec128.c,
        lib/freebl/verified/Hacl_Curve25519_51.c,
        lib/freebl/verified/Hacl_Kremlib.h,
        lib/freebl/verified/Hacl_Poly1305_128.c,
        lib/freebl/verified/Hacl_Poly1305_32.c,
        lib/freebl/verified/kremlin/include/kremlin/internal/types.h,
        lib/freebl/verified/kremlin/kremlib/dist/minimal/FStar_UInt128.h, li
        b/freebl/verified/kremlin/kremlib/dist/minimal/FStar_UInt128_Verifie
        d.h, lib/freebl/verified/kremlin/kremlib/dist/minimal/FStar_UInt_8_1
        6_32_64.h, lib/freebl/verified/kremlin/kremlib/dist/minimal/LowStar_
        Endianness.h, lib/freebl/verified/kremlin/kremlib/dist/minimal/fstar
        _uint128_gcc64.h, lib/freebl/verified/libintvector.h:
        Bug 1617533 - Update of HACL* after libintvector.h and coding style
        changes. r=kjacobs

        *** Bug 1617533 - Clang format

        *** Bug 1617533 - Update HACL* commit for job in Taskcluster

        *** Bug 1617533 - Update HACL* Kremlin code

        Differential Revision:
        https://phabricator.services.mozilla.com/D63829
        [b6677ae9067e]

        * automation/taskcluster/graph/src/extend.js, coreconf/arch.mk,
        coreconf/config.mk, lib/freebl/Makefile, lib/freebl/blapii.h,
        lib/freebl/blinit.c, lib/freebl/chacha20poly1305.c,
        lib/freebl/freebl.gyp,
        lib/freebl/verified/Hacl_Chacha20Poly1305_256.c,
        lib/freebl/verified/Hacl_Chacha20Poly1305_256.h,
        lib/freebl/verified/Hacl_Chacha20_Vec256.c,
        lib/freebl/verified/Hacl_Chacha20_Vec256.h,
        lib/freebl/verified/Hacl_Poly1305_256.c,
        lib/freebl/verified/Hacl_Poly1305_256.h, nss-tool/hw-support.c:
        Bug 1612493 - Support for HACL* AVX2 code for Chacha20, Poly1305 and
        Chacha20Poly1305. r=kjacobs

        *** Bug 1612493 - Import AVX2 code from HACL*
        *** Bug 1612493 - Add CPU detection for AVX2, BMI1, BMI2, FMA, MOVBE
        *** Bug 1612493 - New flag NSS_DISABLE_AVX2 for freebl/Makefile and
        freebl.gyp
        *** Bug 1612493 - Disable use of AVX2 on GCC 4.4 which doesn’t
        support -mavx2
        *** Bug 1612493 - Disable tests when the platform doesn't have
        support for AVX2

        Differential Revision:
        https://phabricator.services.mozilla.com/D64718
        [d5deac55f543]


2020-02-18  Robert Relyea  <rrelyea@redhat.com>

	* cmd/bltest/blapitest.c, cmd/fipstest/fipstest.c,
	cmd/lib/pk11table.c, cmd/pk11gcmtest/pk11gcmtest.c,
	cmd/shlibsign/shlibsign.c,
	gtests/pk11_gtest/pk11_aes_gcm_unittest.cc,
	gtests/pk11_gtest/pk11_cbc_unittest.cc, lib/certdb/crl.c,
	lib/ckfw/dbm/db.c, lib/dev/devslot.c, lib/dev/devtoken.c,
	lib/dev/devutil.c, lib/freebl/fipsfreebl.c, lib/freebl/gcm.c,
	lib/freebl/intel-gcm-wrap.c, lib/pk11wrap/debug_module.c,
	lib/pk11wrap/dev3hack.c, lib/pk11wrap/pk11akey.c,
	lib/pk11wrap/pk11auth.c, lib/pk11wrap/pk11cert.c,
	lib/pk11wrap/pk11err.c, lib/pk11wrap/pk11load.c,
	lib/pk11wrap/pk11mech.c, lib/pk11wrap/pk11merge.c,
	lib/pk11wrap/pk11nobj.c, lib/pk11wrap/pk11obj.c,
	lib/pk11wrap/pk11pbe.c, lib/pk11wrap/pk11pk12.c,
	lib/pk11wrap/pk11pqg.c, lib/pk11wrap/pk11skey.c,
	lib/pk11wrap/pk11slot.c, lib/pk11wrap/pk11util.c, lib/pkcs12/p12d.c,
	lib/pkcs12/p12e.c, lib/softoken/fipstokn.c,
	lib/softoken/legacydb/lgattr.c, lib/softoken/legacydb/lgcreate.c,
	lib/softoken/legacydb/lgfind.c, lib/softoken/legacydb/lginit.c,
	lib/softoken/pkcs11.c, lib/softoken/pkcs11c.c,
	lib/softoken/pkcs11u.c, lib/softoken/sdb.c, lib/softoken/sftkdb.c,
	lib/softoken/sftkpwd.c, lib/ssl/ssl3con.c, lib/ssl/sslprimitive.c,
	lib/ssl/tls13con.c, lib/util/pkcs11.h, lib/util/pkcs11f.h,
	lib/util/pkcs11n.h, lib/util/pkcs11t.h, lib/util/secoid.c, nss-
	tool/enc/enctool.cc:
	Bug 1603628 Update NSS to handle PKCS #11 v3.0 r=daiki r=mhoye

	https://phabricator.services.mozilla.com/D63241

	This patch implements the first phase: updating the headers.

	lib/util/pkcs11.h lib/util/pkcs11f.h lib/util/pkcs11t.h

	Were updated using the released OASIS PKCS #11 v3.0 header files.
	lib/util/pkcs11n.h was updated to finally deprecate all uses of
	CK?_NETSCAPE_?.

	A new define as added: NSS_PKCS11_2_0_COMPAT. If it's defined, the
	small semantic changes (including the removal of deprecated defines)
	between the NSS PKCS #11 v2 header file and the new PKCS #11 v3 are
	reverted in favor of the PKCS #11 v2 definitions. This include the
	removal of CK?_NETSCAPE_? in favor of CK?_NSS_?.

	One notable change was caused by an inconsistancy between the spec
	and the released headers in PKCS #11 v2.40. CK_GCM_PARAMS had an
	extra field in the header that was not in the spec. OASIS considers
	the header file to be normative, so PKCS #11 v3.0 resolved the issue
	in favor of the header file definition. NSS had the spec definition,
	so now there are 2 defines for this structure:

	CK_NSS_GCM_PARAMS - the old nss define. Still used internally in
	freebl. CK_GCM_PARAMS_V3 - the new define. CK_GCM_PARAMS - no longer
	referenced in NSS itself. It's defined as CK_GCM_PARAMS_V3 if
	NSS_PKCS11_2_0_COMPAT is *not* defined, and it's defined as
	CKM_NSS_GCM_PARAMS if NSS_PKCS11_2_0_COMPAT is defined.

	Softoken has been updated to accept either CK_NSS_GCM_PARAMS or
	CK_GCM_PARAMS_V3. In a future patch NSS will be updated to use
	CK_GCM_PARAMS_V3 and fall back to CK_NSS_GMC_PARAMS.

	 One other semantic difference between the 3.0 version of pkcs11f.h
	and the version here: In the oasis version of the header, you must
	define CK_PKCS11_2_0_ONLY to get just the PKCS #11 v2 defines. In
	our version you must define CK_PKCS11_3 to get the PCKS #11 v3
	defines.

	Most of this patch is to handle changing the deprecated defines that
	have been removed in PCKS #11 v3 from NSS.

	Differential Revision:
	https://phabricator.services.mozilla.com/D63241
	[b5d90a7fe217]

Differential Revision: https://phabricator.services.mozilla.com/D70773

--HG--
extra : moz-landing-system : lando
2020-04-14 17:53:38 +00:00
Kevin Jacobs d3ee51ff83 Bug 1621350 - land NSS NSS_3_51_1_RTM UPGRADE_NSS_RELEASE, r=jcj
2020-04-03  Kevin Jacobs  <kjacobs@mozilla.com>

	* lib/nss/nss.h, lib/softoken/softkver.h, lib/util/nssutil.h:
	Set version numbers to 3.51.1 final
	[81a16f9b6562] [NSS_3_51_1_RTM] <NSS_3_51_BRANCH>

2020-04-01  Kevin Jacobs  <kjacobs@mozilla.com>

	* .hgtags:
	Added tag NSS_3_51_1_BETA1 for changeset 581ed41d0a8d
	[99b5a3b50511] <NSS_3_51_BRANCH>

Differential Revision: https://phabricator.services.mozilla.com/D69651

--HG--
extra : moz-landing-system : lando
2020-04-03 22:39:37 +00:00
Julien Cristau fc54bfbe54 Bug 1626344 - switch back to -Oz on android on beta and release. r=froydnj
Make the changes from bug 1591725 conditional so -O2 is not used if
RELEASE_OR_BETA.

Differential Revision: https://phabricator.services.mozilla.com/D69169

--HG--
extra : moz-landing-system : lando
2020-04-01 14:57:10 +00:00
Kevin Jacobs fe5361807e Bug 1621350 - land NSS 581ed41d0a8d UPGRADE_NSS_RELEASE, r=jcj
Differential Revision: https://phabricator.services.mozilla.com/D68665

--HG--
extra : moz-landing-system : lando
2020-03-30 21:06:07 +00:00
Andrea Marchesini d7badaf4fb Bug 1623593 - Get rid of NECKO_COOKIES compilation flag, r=mayhemer
Differential Revision: https://phabricator.services.mozilla.com/D67451

--HG--
extra : moz-landing-system : lando
2020-03-24 16:30:03 +00:00
Kevin Jacobs 24e1ed50fa Bug 1621350 - land NSS 710d10a72934 UPGRADE_NSS_RELEASE, r=jcj
2020-03-10  Kevin Jacobs  <kjacobs@mozilla.com>

	* lib/ssl/ssl3exthandle.c:
	Bug 1618915 - Fix UBSAN issue in ssl_ParseSessionTicket
	r=jcj,bbeurdouche

	[710d10a72934] [tip]

2020-03-09  Kevin Jacobs  <kjacobs@mozilla.com>

	* lib/ssl/ssl3exthandle.c:
	Bug 1618739 - Don't assert fuzzer behavior in SSL_ParseSessionTicket
	r=jcj

	[12fc91fad84a]

2020-03-03  Benjamin Beurdouche  <bbeurdouche@mozilla.com>

	* readme.md:
	Bug 1619056 - Update README: TLS 1.3 is not experimental anymore.
	r=jcj

	[08944e50dce0]

2020-03-09  Kevin Jacobs  <kjacobs@mozilla.com>

	* gtests/ssl_gtest/ssl_version_unittest.cc, lib/ssl/sslexp.h,
	lib/ssl/sslimpl.h, lib/ssl/sslsock.c, lib/ssl/tls13exthandle.c:
	Bug 1619102 - Add workaround option to include both DTLS and TLS
	versions in DTLS supported_versions. r=mt

	Add an experimental function for enabling a DTLS 1.3
	supported_versions compatibility workaround.

	[53803dc4628f]

2020-03-09  Benjamin Beurdouche  <bbeurdouche@mozilla.com>

	* automation/taskcluster/scripts/run_hacl.sh,
	lib/freebl/verified/Hacl_Poly1305_128.c,
	lib/freebl/verified/Hacl_Poly1305_256.c:
	Bug 1612493 - Fix Firefox build for Windows 2012 x64. r=kjacobs

	[7e09cdab32d0]
2020-03-02  Kevin Jacobs  <kjacobs@mozilla.com>

	* lib/freebl/blinit.c:
	Bug 1614183 - Fixup, clang-format. r=me
	[b17a367b83de] [NSS_3_51_BETA1]

2020-03-02  Giulio Benetti  <giulio.benetti@benettiengineering.com>

	* lib/freebl/blinit.c:
	Bug 1614183 - Check if PPC __has_include(<sys/auxv.h>). r=kjacobs
	Some build environment doesn't provide <sys/auxv.h> and this causes
	build failure, so let's check if that header exists by using
	__has_include() helper.

	Signed-off-by: Giulio Benetti
	<giulio.benetti@benettiengineering.com>
	[bb7c46049f26]

2020-03-02  Kurt Miller  <kurt@intricatesoftware.com>

	* lib/freebl/blinit.c:
	Bug 1618400 - Fix unused variable 'getauxval' on OpenBSD/arm64 r=jcj

	https://bugzilla.mozilla.org/show_bug.cgi?id=1618400
	[2c989888dee7]

2020-02-28  Benjamin Beurdouche  <bbeurdouche@mozilla.com>

	* automation/taskcluster/graph/src/extend.js, coreconf/arch.mk,
	coreconf/config.mk, lib/freebl/Makefile, lib/freebl/blapii.h,
	lib/freebl/blinit.c, lib/freebl/chacha20poly1305.c,
	lib/freebl/freebl.gyp,
	lib/freebl/verified/Hacl_Chacha20Poly1305_256.c,
	lib/freebl/verified/Hacl_Chacha20Poly1305_256.h,
	lib/freebl/verified/Hacl_Chacha20_Vec256.c,
	lib/freebl/verified/Hacl_Chacha20_Vec256.h,
	lib/freebl/verified/Hacl_Poly1305_256.c,
	lib/freebl/verified/Hacl_Poly1305_256.h, nss-tool/hw-support.c:
	Bug 1612493 - Support for HACL* AVX2 code for Chacha20, Poly1305 and
	Chacha20Poly1305. r=kjacobs

	*** Bug 1612493 - Import AVX2 code from HACL*
	*** Bug 1612493 - Add CPU detection for AVX2, BMI1, BMI2, FMA, MOVBE
	*** Bug 1612493 - New flag NSS_DISABLE_AVX2 for freebl/Makefile and
	freebl.gyp
	*** Bug 1612493 - Disable use of AVX2 on GCC 4.4 which doesn’t
	support -mavx2
	*** Bug 1612493 - Disable tests when the platform doesn't have
	support for AVX2

	[d5deac55f543]

	* automation/taskcluster/scripts/run_hacl.sh,
	lib/freebl/verified/Hacl_Chacha20.c,
	lib/freebl/verified/Hacl_Chacha20Poly1305_128.c,
	lib/freebl/verified/Hacl_Chacha20Poly1305_32.c,
	lib/freebl/verified/Hacl_Chacha20_Vec128.c,
	lib/freebl/verified/Hacl_Curve25519_51.c,
	lib/freebl/verified/Hacl_Kremlib.h,
	lib/freebl/verified/Hacl_Poly1305_128.c,
	lib/freebl/verified/Hacl_Poly1305_32.c,
	lib/freebl/verified/kremlin/include/kremlin/internal/types.h,
	lib/freebl/verified/kremlin/kremlib/dist/minimal/FStar_UInt128.h, li
	b/freebl/verified/kremlin/kremlib/dist/minimal/FStar_UInt128_Verifie
	d.h, lib/freebl/verified/kremlin/kremlib/dist/minimal/FStar_UInt_8_1
	6_32_64.h, lib/freebl/verified/kremlin/kremlib/dist/minimal/LowStar_
	Endianness.h, lib/freebl/verified/kremlin/kremlib/dist/minimal/fstar
	_uint128_gcc64.h, lib/freebl/verified/libintvector.h:
	Bug 1617533 - Update of HACL* after libintvector.h and coding style
	changes. r=kjacobs

	*** Bug 1617533 - Clang format

	*** Bug 1617533 - Update HACL* commit for job in Taskcluster

	*** Bug 1617533 - Update HACL* Kremlin code

	[b6677ae9067e]

Differential Revision: https://phabricator.services.mozilla.com/D66264

--HG--
extra : moz-landing-system : lando
2020-03-10 21:35:56 +00:00
Mike Hommey 8041004164 Bug 1618752 - Fix the Windows cross builds so they include MSVC runtime DLLs. r=froydnj
One part is fixing old-configure.in to use `pwd` when `pwd -W` doesn't work
(it errors on Linux), and another part is supporting two additional
system calls in liblowercase:
- chdir used in the same commands as the `pwd -W` fix
- symlink, used by the install manifest processor to create symbolic
links of those DLLs in $MOZ_OBJDIR/dist/bin.

Differential Revision: https://phabricator.services.mozilla.com/D64707

--HG--
extra : moz-landing-system : lando
2020-02-28 12:33:36 +00:00
Dana Keeler 3878240938 bug 1603834 - let cert_storage and intermediate preloading ride the trains r=jcj,froydnj
(intermediate preloading is still disabled on mobile for now)

Differential Revision: https://phabricator.services.mozilla.com/D63560

--HG--
extra : moz-landing-system : lando
2020-02-22 00:54:32 +00:00
Marco Bonardo b5b6473a6d Bug 1611386 - Drop support for --enable-system-sqlite. r=asuth,glandium
Differential Revision: https://phabricator.services.mozilla.com/D63177

--HG--
extra : moz-landing-system : lando
2020-02-20 22:16:03 +00:00
Mike Hommey 89d916fc02 Bug 1615204 - Remove some MSVC-only compiler flags. r=dmajor
- -NOLOGO is used to hide the banner that MSVC displays by default. It's
a no-op with clang-cl, no need to keep it now that we don't support
MSVC.

- -utf-8 is only passed when the compiler is not GCC-ish and not
clang-cl, which used to mean MSVC, but now means no compiler.

Differential Revision: https://phabricator.services.mozilla.com/D62705

--HG--
extra : moz-landing-system : lando
2020-02-13 13:40:15 +00:00
J.C. Jones 982674831d Bug 1614053 - land NSS 735ed2e47040 UPGRADE_NSS_RELEASE, r=kjacobs
2020-02-10  Robert Relyea  <rrelyea@redhat.com>

	* lib/freebl/cmac.c:
	Bug 1610687 - Crash on unaligned CMACContext.aes.keySchedule when
	using AES-NI intrinsics r=kjacobs
	[046a6f5bfb27]

	* lib/util/pkcs11t.h:
	Bug 1611209 - Value of CKM_AES_CMAC and CKM_AES_CMAC_GENERAL are
	swapped r=rrelyea
	[df142975f4f6]

2020-02-11  Victor Tapia  <victor.tapia@canonical.com>

	* lib/pk11wrap/pk11util.c, lib/sysinit/nsssysinit.c:
	Bug 1582169 - Disable reading /proc/sys/crypto/fips_enabled if FIPS
	is not enabled on build r=jcj,rrelyea

	[55ba54adfcae]

2020-02-11  J.C. Jones  <jjones@mozilla.com>

	* lib/sysinit/nsssysinit.c:
	Bug 1614786 - Fixup for ‘getFIPSEnv’ being unused r=kjacobs

	Fixes a regression from Bug 1582169

	../../lib/sysinit/nsssysinit.c:153:1: error: ‘getFIPSEnv’ defined
	but not used [-Werror=unused-function]
	[06925efe306b]

2020-02-11  Dana Keeler  <dkeeler@mozilla.com>

	* cmd/lib/secutil.c,
	lib/libpkix/pkix_pl_nss/module/pkix_pl_colcertstore.c:
	bug 1538980 - null-terminate ascii input in SECU_ReadDERFromFile so
	strstr is safe to call r=jcj,kjacobs

	[735ed2e47040] [tip]

Differential Revision: https://phabricator.services.mozilla.com/D62451

--HG--
extra : moz-landing-system : lando
2020-02-12 16:22:10 +00:00
Marco Bonardo d6f4b8ad5e Bug 1611253 - Upgrade to SQLite 3.31.1. r=asuth
Differential Revision: https://phabricator.services.mozilla.com/D61476

--HG--
extra : moz-landing-system : lando
2020-02-04 01:07:12 +00:00
Tom Ritter 222bcecdb2 Bug 1612423 - Pass --no-insert-timestamp to lld when building the MinGW builds r=froydnj
Differential Revision: https://phabricator.services.mozilla.com/D61322

--HG--
extra : moz-landing-system : lando
2020-01-31 08:18:56 +00:00
Andrew Creskey d2427c4e3f Bug 1591725 - Optimize at -O2 on android, clang r=froydnj,dmajor
For performance improvements to page load and speedometer, optimize at -O2 instead of -Oz.

The previous disabling of the outliner, "-mno-outline", was removed as it is not enabled by default with -O2.
(See Bug 1508547 and https://developer.arm.com/docs/101754/latest/armclang-reference/armclang-command-line-options/-moutline-mno-outline)

Differential Revision: https://phabricator.services.mozilla.com/D60378

--HG--
extra : moz-landing-system : lando
2020-01-20 19:34:10 +00:00
James Willcox 95667b8165 Bug 1608570 - Remove some old Fennec-related build variables r=nalexander
Differential Revision: https://phabricator.services.mozilla.com/D59573

--HG--
extra : moz-landing-system : lando
2020-01-10 22:51:03 +00:00
J.C. Jones 390a1a8923 Bug 1606927 - Bug 1602020 - land NSS 4921046404f1 UPGRADE_NSS_RELEASE, r=kjacobs
2020-01-07  J.C. Jones  <jjones@mozilla.com>

	* tests/fips/cavs_samples/KBKDF/fax/KBKDFCounter.fax.orig,
	tests/fips/cavs_samples/KBKDF/req/KBKDFCounter.req.orig:
	Bug 1599603 - Remove .orig files accidentally committed in
	4349f611f7b96de63934837d6940095ac1a5db33 r=bustage
	[4921046404f1] [tip]

2020-01-07  Giulio Benetti  <giulio.benetti@benettiengineering.com>

	* cmd/signtool/manifest.mn, lib/ssl/manifest.mn:
	Bug 1603438 - Fix native tools build failure due to lack of zlib
	include dir if external r=jcj

	Add ZLIB_INCLUDE_DIR variable

	On Linux platform[1], the build system forces to use zlib from the
	system instead of compiling the one located intree.

	The following error is raised when the zlib header is installed
	somewhere else than in the default system include path:

	 ssl3con.c:39:18: fatal error: zlib.h: No such file or directory
	#include "zlib.h"

	The same trick setup for sqlite include directory is reproduced for
	zlib. The build system disallows in any manner to give arguments to
	the compiler explicity.

	The variable ZLIB_INCLUDE_DIR point to the directory where the zlib
	header is located.

	[1]: https://hg.mozilla.org/projects/nss/file/NSS_3_33_BRANCH/coreco
	nf/Linux.mk#l180 [2]: https://hg.mozilla.org/projects/nss/file/NSS_3
	_33_BRANCH/lib/softoken/manifest.mn#l17
	[477d370d1bab]

2020-01-06  Kevin Jacobs  <kjacobs@mozilla.com>

	* cpputil/databuffer.h, cpputil/scoped_ptrs_ssl.h,
	cpputil/tls_parser.h, gtests/ssl_gtest/manifest.mn,
	gtests/ssl_gtest/ssl_aead_unittest.cc,
	gtests/ssl_gtest/ssl_ciphersuite_unittest.cc,
	gtests/ssl_gtest/ssl_drop_unittest.cc,
	gtests/ssl_gtest/ssl_gtest.gyp,
	gtests/ssl_gtest/ssl_masking_unittest.cc,
	gtests/ssl_gtest/ssl_primitive_unittest.cc,
	gtests/ssl_gtest/ssl_record_unittest.cc,
	gtests/ssl_gtest/ssl_recordsize_unittest.cc,
	gtests/ssl_gtest/ssl_tls13compat_unittest.cc,
	gtests/ssl_gtest/tls_agent.cc, gtests/ssl_gtest/tls_filter.cc,
	gtests/ssl_gtest/tls_filter.h, gtests/ssl_gtest/tls_protect.cc,
	gtests/ssl_gtest/tls_protect.h, lib/ssl/dtls13con.c,
	lib/ssl/dtls13con.h, lib/ssl/dtlscon.c, lib/ssl/dtlscon.h,
	lib/ssl/ssl3con.c, lib/ssl/ssl3gthr.c, lib/ssl/ssl3prot.h,
	lib/ssl/sslexp.h, lib/ssl/sslimpl.h, lib/ssl/sslprimitive.c,
	lib/ssl/sslsock.c, lib/ssl/sslspec.c, lib/ssl/sslspec.h,
	lib/ssl/tls13con.c, lib/ssl/tls13con.h:
	Bug 1599514 - Update DTLS 1.3 support to draft-30 r=mt

	This patch updates the DTLS 1.3 implementation to draft version 30,
	including unified header format and sequence number encryption.

	Also added are new `SSL_CreateMask` experimental functions.

	[8b7f0180c5b0]

2020-01-06  Robert Relyea  <rrelyea@redhat.com>

	* cmd/fipstest/fipstest.c, gtests/pk11_gtest/manifest.mn,
	gtests/pk11_gtest/pk11_gtest.gyp, gtests/pk11_gtest/pk11_kbkdf.cc,
	lib/softoken/kbkdf.c, lib/softoken/manifest.mn,
	lib/softoken/pkcs11.c, lib/softoken/pkcs11c.c,
	lib/softoken/pkcs11i.h, lib/softoken/pkcs11u.c,
	lib/softoken/sftkhmac.c, lib/softoken/softoken.gyp,
	lib/util/pkcs11n.h, lib/util/pkcs11t.h,
	tests/fips/cavs_samples/KBKDF/fax/KBKDFCounter.fax,
	tests/fips/cavs_samples/KBKDF/fax/KBKDFCounter.fax.orig,
	tests/fips/cavs_samples/KBKDF/fax/README,
	tests/fips/cavs_samples/KBKDF/req/KBKDFCounter.req,
	tests/fips/cavs_samples/KBKDF/req/KBKDFCounter.req.orig,
	tests/fips/cavs_samples/KBKDF/req/README,
	tests/fips/cavs_scripts/README, tests/fips/cavs_scripts/kbkdf.sh,
	tests/fips/cavs_scripts/runtest.sh:
	This implements NIST SP800-108 Counter, Feedback, and Double
	Pipeline mode KDFs suitable for use in SCP03 and other protocols.
	These KDFs were introduced in PKCS#11 v3.0.

	Resolves: BZ#1599603

	[4349f611f7b9]

2020-01-03  J.C. Jones  <jjones@mozilla.com>

	* automation/abi-check/previous-nss-release, lib/nss/nss.h,
	lib/softoken/softkver.h, lib/util/nssutil.h:
	Set version numbers to 3.50 Beta
	[569ca5b163e7]

Differential Revision: https://phabricator.services.mozilla.com/D59210

--HG--
rename : security/nss/gtests/ssl_gtest/ssl_primitive_unittest.cc => security/nss/gtests/ssl_gtest/ssl_aead_unittest.cc
extra : moz-landing-system : lando
2020-01-08 23:46:00 +00:00
Tom Ritter 8d9af63f7e Bug 1601691 - Remove FIXMEs for strict-alias which is WONTFIX r=firefox-build-system-reviewers,chmanchester
Bug 414641 was marked WONTFIX, so let's remove these comments from configure

Differential Revision: https://phabricator.services.mozilla.com/D55993

--HG--
extra : moz-landing-system : lando
2019-12-07 03:35:28 +00:00
Kai Engert cb9142c60f Bug 1600803 - NSPR_4_25_BETA1 for FF 74. r=jcj UPGRADE_NSPR_RELEASE
Differential Revision: https://phabricator.services.mozilla.com/D55567

--HG--
extra : moz-landing-system : lando
2020-01-07 11:04:03 +00:00
Ben Iofel b92dbf5479 Bug 726479 - Use GTK's support for startup notifications, r=karlt
Original author: Ben Iofel <iofelben@gmail.com>

Differential Revision: https://phabricator.services.mozilla.com/D58594

--HG--
extra : moz-landing-system : lando
2020-01-06 12:03:38 +00:00
Chris Peterson 109c172dd1 Bug 1606274 - Remove always-false MOZ_GRAPHENE macro. r=firefox-build-system-reviewers,rstewart
Graphene was a B2G UI runtime (added in bug 1115098) used for the browser.html prototype. The Graphene code has since been removed.

Depends on D58358

Differential Revision: https://phabricator.services.mozilla.com/D58359

--HG--
extra : moz-landing-system : lando
2019-12-30 15:00:53 +00:00
Chris Peterson 1c077cf213 Bug 1606274 - Remove always-true MOZ_PHOENIX macro. r=firefox-build-system-reviewers,rstewart
MOZ_PHOENIX was a macro added back in 2002 to differentiate SeaMonkey and Phoenix appshell bits. The earliest references to MOZ_PHOENIX I can find in Gecko's pre-hg history are bug 161448, bug 213228, bug 243091, and 05ef2e9b38.

Differential Revision: https://phabricator.services.mozilla.com/D58358

--HG--
extra : moz-landing-system : lando
2019-12-30 15:00:20 +00:00
Mike Hommey e4a8d2ba9f Bug 1597834 - Make EARLY_BETA_OR_EARLIER available to python configure. r=rstewart
Differential Revision: https://phabricator.services.mozilla.com/D58280

--HG--
extra : moz-landing-system : lando
2019-12-27 22:18:32 +00:00
J.C. Jones 5615541267 Bug 1602020 - land NSS c46bc59ce7d4 UPGRADE_NSS_RELEASE, r=kjacobs
2019-12-06  Daiki Ueno  <dueno@redhat.com>

	* lib/pki/pki3hack.c:
	Bug 1593167, certdb: propagate trust information if trust module is
	loaded afterwards, r=rrelyea,keeler

	Summary: When the builtin trust module is loaded after some temp
	certs being created, these temp certs are usually not accompanied by
	trust information. This causes a problem in Firefox as it loads the
	module from a separate thread while accessing the network cache
	which populates temp certs.

	This change makes it properly roll up the trust information, if a
	temp cert doesn't have trust information.

	Reviewers: rrelyea, keeler

	Reviewed By: rrelyea, keeler

	Subscribers: reviewbot, heftig

	Bug #: 1593167

	[c46bc59ce7d4] [tip]

2019-11-08  Martin Thomson  <mt@lowentropy.net>

	* lib/ssl/tls13subcerts.c:
	Bug 1594965 - Include saltLength in DC SPKI, r=kjacobs

	Summary: I discovered this when validating new additions to our root
	store policy. The encodings there didn't line up with what we were
	producing with DC.

	[661058254ade]

2019-12-04  J.C. Jones  <jjones@mozilla.com>

	* automation/release/nss-release-helper.py:
	Bug 1535787 - Further improvements to the release-helper API r=mt

	[7baba392bf8b]

	* automation/release/nss-release-helper.py:
	Bug 1535787 - flake8 style updates to nss-release-helper.py
	r=kjacobs

	Depends on D23757

	[b31e68a789fa]

	* automation/release/nss-release-helper.py:
	Bug 1535787 - Use Python for the regexes in nss-release-helper
	r=keeler,kjacobs

	automation/release/nss-release-helper.py doesn't actually edit the
	files correctly on MacOS due to differences between GNU and BSD sed.
	It's python, so let's just use python regexes.

	[92271739e848]

2019-12-04  Franziskus Kiefer  <franziskuskiefer@gmail.com>

	* automation/taskcluster/graph/src/extend.js,
	automation/taskcluster/graph/src/queue.js,
	automation/taskcluster/scripts/check_abi.sh, build.sh,
	coreconf/config.gypi, help.txt, lib/freebl/freebl_base.gypi, mach,
	tests/all.sh, tests/common/init.sh, tests/remote/Makefile:
	Bug 1594933 - disable libnssdbm by default; keep build on CI, r=jcj

	Disale libnssdbm by default and add flag to enable it in builds. On
	CI a build and certs test with enabled legacy DB are added.

	Note that for some reason the coverage build fails. I have no idea
	why. I'm open for ideas.

	[c1fad130dce2]

2019-12-03  Makoto Kato  <m_kato@ga2.so-net.ne.jp>

	* lib/freebl/Makefile, lib/freebl/freebl.gyp, lib/freebl/gcm-
	arm32-neon.c, lib/freebl/gcm.c:
	Bug 1562548 - Improve GCM perfomance on aarch32 using NEON.
	r=kjacobs

	Optimize GCM perfomance using
	https://conradoplg.cryptoland.net/files/2010/12/gcm14.pdf via ARM's
	NEON.

	[a9ba652046e6]

2019-12-03  J.C. Jones  <jjones@mozilla.com>

	* automation/abi-check/expected-report-libssl3.so.txt, automation/abi-
	check/previous-nss-release, lib/nss/nss.h, lib/softoken/softkver.h,
	lib/util/nssutil.h:
	Set version numbers to 3.49 beta
	[3051793c68fc]

2019-12-02  J.C. Jones  <jjones@mozilla.com>

	* .hgtags:
	Added tag NSS_3_48_BETA1 for changeset 77976f3fefca
	[06d5b4f91a9c]

Differential Revision: https://phabricator.services.mozilla.com/D56378

--HG--
extra : moz-landing-system : lando
2019-12-16 20:53:59 +00:00
Tom Ritter 7725492776 Bug 1590624 - Use windows-style stl_wrappers for mingw build r=glandium
Turns out we were using the Linux ones. This uses the Windows ones, and
adds _HAS_EXCEPTIONS to the mingw defines so the stl_wrappers behave
correctly.

Differential Revision: https://phabricator.services.mozilla.com/D54530

--HG--
extra : moz-landing-system : lando
2019-12-12 06:38:41 +00:00
Andreea Pavel a533b175dd Backed out 4 changesets (bug 1590624) for breaking gecko decision task on a CLOSED TREE
Backed out changeset 2ac8dd1d709d (bug 1590624)
Backed out changeset 8432398c212a (bug 1590624)
Backed out changeset 2b28154aacdb (bug 1590624)
Backed out changeset d305e4160ee4 (bug 1590624)

--HG--
rename : build/build-clang/clang-9-mingw.json => build/build-clang/clang-8-mingw.json
rename : taskcluster/scripts/misc/build-clang-mingw.sh => taskcluster/scripts/misc/build-clang-8-mingw.sh
2019-12-12 08:35:11 +02:00
Tom Ritter 6311ebf459 Bug 1590624 - Use windows-style stl_wrappers for mingw build r=glandium
Turns out we were using the Linux ones. This uses the Windows ones, and
adds _HAS_EXCEPTIONS to the mingw defines so the stl_wrappers behave
correctly.

Differential Revision: https://phabricator.services.mozilla.com/D54530

--HG--
extra : moz-landing-system : lando
2019-12-12 02:06:25 +00:00
Kai Engert 3a7d15a1d8 Bug 1591887 - Uplift NSPR 4.24 RTM, only version number changes. r=jcj
UPGRADE_NSPR_RELEASE

Differential Revision: https://phabricator.services.mozilla.com/D55523

--HG--
extra : moz-landing-system : lando
2019-12-02 18:27:33 +00:00
Mike Hommey 73a0be7d5d Bug 1580234 - Disable the custom linker when mozjemalloc is disabled. r=froydnj
Long term, we want to remove the custom linker (bug 1291377) but without
more effort than where we're at with bug 1598196, it would break using
mozjemalloc.

However, some builds using sanitizers don't use mozjemalloc already,
and in their case, we can already disable the custom linker.

Differential Revision: https://phabricator.services.mozilla.com/D54078

--HG--
extra : moz-landing-system : lando
2019-11-22 01:04:20 +00:00
Mike Hommey b1d0510804 Bug 1598196 - Support disabling the linker on Android in the code. r=froydnj
For now, there is no flag to actually allow it, but this is the
code-side changes to allow the linker being disabled.

Differential Revision: https://phabricator.services.mozilla.com/D54074

--HG--
extra : moz-landing-system : lando
2019-11-21 14:57:24 +00:00
Dana Keeler af9edac0e5 bug 1597743 - re-enable intermediate preloading (cert_storage) on non-nightly builds r=jcj,kjacobs
Now that rkv has a new backend, we should be able to let this ride the trains
to early beta at least.

Differential Revision: https://phabricator.services.mozilla.com/D53847

--HG--
extra : moz-landing-system : lando
2019-11-19 21:50:37 +00:00
Nathan Froyd 1df9c87853 Bug 1596807 - turn off more exception spec mismatch warnings on Windows; r=dmajor
Differential Revision: https://phabricator.services.mozilla.com/D53218

--HG--
extra : moz-landing-system : lando
2019-11-18 13:04:27 +00:00
Ricky Stewart 7a000bc5ca Bug 1595906 - Allow opting out of hardening compile flags on a granular basis r=froydnj
Differential Revision: https://phabricator.services.mozilla.com/D52756

--HG--
extra : moz-landing-system : lando
2019-11-14 17:13:28 +00:00
J.C. Jones e43d7deb4f Bug 1593474 - Require NSPR 4.23 in old-configure.in r=kaie
The patch for bug 1586867 should have updated old-configure.in but didn't.

Differential Revision: https://phabricator.services.mozilla.com/D51670

--HG--
extra : moz-landing-system : lando
2019-11-04 23:41:44 +00:00
J.C. Jones dd40266492 Bug 1592007 - land NSS fcdda17cdc36 UPGRADE_NSS_RELEASE, r=kjacobs
2019-10-28  Kevin Jacobs  <kjacobs@mozilla.com>

        * automation/abi-check/expected-report-libssl3.so.txt,
        gtests/ssl_gtest/libssl_internals.c,
        gtests/ssl_gtest/libssl_internals.h, gtests/ssl_gtest/tls_agent.cc,
        gtests/ssl_gtest/tls_agent.h, gtests/ssl_gtest/tls_filter.h,
        gtests/ssl_gtest/tls_subcerts_unittest.cc, lib/ssl/ssl3con.c,
        lib/ssl/sslimpl.h, lib/ssl/sslinfo.c, lib/ssl/sslt.h,
        lib/ssl/tls13con.c:
        Bug 1588244 - Store TLS 1.3 peerDelegCred, authKeyBits, and scheme
        in SSLPreliminaryChannelInfo. r=mt

        This patch adjusts where we set `authKeyBits` (Et al.) for TLS 1.3,
        such that `CertVerifier` can check the strength of a delegated
        credential keypair.

         The corresponding PSM changeset is in D47181.

        [fcdda17cdc36] [tip]

2019-10-28  Kai Engert  <kaie@kuix.de>

        * coreconf/coreconf.dep:
        Dummy change, trigger a build after bustage to test latest NSPR
        commit
        [ec2adf31fb8c]

2019-10-26  Martin Thomson  <mt@lowentropy.net>

        * lib/ssl/sslauth.c, lib/ssl/sslcon.c, lib/ssl/tls13esni.c:
        Bug 1590970 - Use ssl_Time consistently, r=kjacobs

        I missed a few places that used PR_Now() before.

        [c6021063e64a]

2019-10-22  Deian Stefan  <deian@cs.ucsd.edu>

        * gtests/pk11_gtest/pk11_cbc_unittest.cc:
        Bug 1459141 - A few more CBC padding tests. r=jcj

        This patch adds more test vectors for AES-CBC and 3DES-CBC padding.

        [38f1c92a5e11]

2019-10-22  Marcus Burghardt  <mburghardt@mozilla.com>

        * cmd/btoa/btoa.c:
        Bug 1590339 - Fix MemoryLeak in btoa.c. r=kjacobs

        [5feab64d2d20]

2019-10-21  Marcus Burghardt  <mburghardt@mozilla.com>

        * lib/ckfw/builtins/testlib/certdata-testlib.txt:
        Bug 1589810 - Uninitialized variable warnings from certdata.perl.
        r=mt

        [3f40060ca7b3]

2019-10-19  Martin Thomson  <martin.thomson@gmail.com>

        * gtests/ssl_gtest/ssl_version_unittest.cc:
        Bug 1573118 - Fix busted unit tests, r=jcj

        These unit tests were broken by the change to TLS version defaults.

        In retrospect, this shouldn't have been surprising, but now that it
        I'm seeing bustage, I'm somewhat surprised that there are so few
        failures.

        [7e0b8364687b]

        * lib/ssl/sslsock.c:
        Bug 1573118 - Enable TLS 1.3 by default, r=jcj

        As planned for 3.47, but now for 3.48.

        [bc77cf318f38]

2019-10-18  J.C. Jones  <jjones@mozilla.com>

        * automation/abi-check/expected-report-libnss3.so.txt, automation/abi-
        check/expected-report-libsmime3.so.txt, automation/abi-check
        /expected-report-libssl3.so.txt, automation/abi-check/previous-nss-
        release, lib/nss/nss.h, lib/softoken/softkver.h, lib/util/nssutil.h:
        Set version numbers to 3.48 beta
        [0e7dd2050d09]

        * .hgtags:
        Added tag NSS_3_47_RTM for changeset 7ccb4ade5577
        [dcadb95b9d77] <NSS_3_47_BRANCH>

        * lib/nss/nss.h, lib/softoken/softkver.h, lib/util/nssutil.h:
        Set version numbers to 3.47 final
        [7ccb4ade5577] [NSS_3_47_RTM] <NSS_3_47_BRANCH>

Differential Revision: https://phabricator.services.mozilla.com/D50840

--HG--
extra : moz-landing-system : lando
2019-10-31 04:14:33 +00:00
Ryan VanderMeulen b8e3d2d381 Bug 1586739 - Upgrade to SQLite 3.30.1. r=mak
Differential Revision: https://phabricator.services.mozilla.com/D48905

--HG--
extra : moz-landing-system : lando
2019-10-15 15:29:31 +00:00
Tom Ritter 40c0ddaa36 Bug 1585355 - Back out (part of) Bug 1443823, removing -fno-keep-inline-dllexport which was only applied to mingw-gcc r=dmajor
Differential Revision: https://phabricator.services.mozilla.com/D48071

--HG--
extra : moz-landing-system : lando
2019-10-03 16:01:26 +00:00
Tom Ritter 7b8567a9f0 Bug 1585700 - Remove unconditional -mwindows from the mingw compilation r=nalexander
Differential Revision: https://phabricator.services.mozilla.com/D47921

--HG--
extra : moz-landing-system : lando
2019-10-03 15:46:04 +00:00
Tom Ritter 2e50f42b7a Bug 1577521 - Update configure to report an error if you try to build with mingw-gcc r=nalexander
Differential Revision: https://phabricator.services.mozilla.com/D47857

--HG--
extra : moz-landing-system : lando
2019-10-03 15:44:36 +00:00
Nathan Froyd 186048921c Bug 1580898 - move warnings-as-errors logic into warnings.configure; r=nalexander
It's nicer to have everything in one place, and because we support
clang-cl, we can have a single definition for the error flag too.

Differential Revision: https://phabricator.services.mozilla.com/D45705

--HG--
extra : moz-landing-system : lando
2019-09-25 21:30:38 +00:00
J.C. Jones 484db3870b Bug 1577822 - land NSS a3ee4f26b4c1 UPGRADE_NSS_RELEASE, r=kjacobs
2019-09-18  Kevin Jacobs  <kjacobs@mozilla.com>

	* cmd/lib/derprint.c:
	Bug 1581024 - Check for pointer wrap in derprint.c. r=jcj

	Check for pointer wrap on output-length check in the derdump
	utility.

	[a3ee4f26b4c1] [tip]

2019-09-18  Giulio Benetti  <giulio.benetti@micronovasrl.com>

	* lib/freebl/gcm-aarch64.c:
	Bug 1580126 - Fix build failure on aarch64_be while building
	freebl/gcm r=kjacobs

	Build failure is caused by different #ifdef conditions in gcm.c and
	gcm-aarch64.c that leads to double declaration of the same gcm_*
	functions.

	Fix #ifdef condition in gcm-aarch64.c making it the same as the one
	in gcm.c.

	Signed-off-by: Giulio Benetti <giulio.benetti@micronovasrl.com>
	[fa0d958de0c3]

2019-09-17  Kai Engert  <kaie@kuix.de>

	* automation/taskcluster/graph/src/extend.js:
	Bug 1385039 - Build NSPR tests as part of NSS continuous
	integration. r=kjacobs
	[cc97f1a93038]

2019-09-17  Landry Breuil  <landry@openbsd.org>

	* lib/freebl/Makefile:
	Bug 1581391 - include gcm-aarch64 on all unices, not only linux
	r=kjacobs
	[e7b4f293fa4e]

2019-09-17  Martin Thomson  <mt@lowentropy.net>

	* mach:
	Bug 1581041 - Rename mach-commands to mach-completion, r=jcj

	This means that we can point our completion at the gecko one.

	[bc91272fcbdc]

2019-09-16  Jenine  <jenine_c@outlook.com>

	* cmd/pk11importtest/pk11importtest.c, lib/softoken/pkcs11.c:
	Bug 1558313 - Fix clang warnings in pk11importtest.c and pkcs11.c
	r=marcusburghardt

	[4569b745f74e]

2019-09-13  Daiki Ueno  <dueno@redhat.com>

	* lib/certhigh/certvfy.c:
	Bug 1542207, fix policy check on signature algorithms, r=rrelyea

	Reviewers: rrelyea

	Reviewed By: rrelyea

	Bug #: 1542207

	[ed8a41d16c1c]

2019-09-05  Daiki Ueno  <dueno@redhat.com>

	* lib/freebl/drbg.c:
	Bug 1560329, drbg: perform continuous test on entropy source,
	r=rrelyea

	Summary: FIPS 140-2 section 4.9.2 requires a conditional self test
	to check that consecutive entropy blocks from the system are
	different. As neither getentropy() nor /dev/urandom provides that
	check on the output, this adds the self test at caller side.

	Reviewers: rrelyea

	Reviewed By: rrelyea

	Bug #: 1560329

	[c66dd879d16a]

2019-09-06  Martin Thomson  <mt@lowentropy.net>

	* automation/taskcluster/graph/src/queue.js:
	Bug 1579290 - Disable LSAN during builds, r=ueno

	Summary: See the bug description for details.

	[f28f3d7b7cf0]

2019-09-13  Kai Engert  <kaie@kuix.de>

	* Makefile, build.sh, coreconf/nspr.sh, help.txt:
	Bug 1385061 - Build NSPR tests with NSS make; Add gyp parameters to
	build/run NSPR tests. r=jcj
	[8b4a226f7d23]

2019-09-11  Kai Engert  <kaie@kuix.de>

	* nss.gyp:
	Bug 1577359 - Build atob and btoa for Thunderbird. r=jcj
	[1fe61aadaf57]

2019-09-10  Marcus Burghardt  <mburghardt@mozilla.com>

	* cmd/pk12util/pk12util.c:
	Bug 1579036 - Define error when trying to export non-existent cert
	with pk12util. r=jcj

	[65ab97f03c89]

2019-09-04  Martin Thomson  <mt@lowentropy.net>

	* gtests/mozpkix_gtest/pkixder_input_tests.cpp:
	Bug 1578626 - Remove undefined nullptr decrement, r=keeler

	Summary: This uses uintptr_t to avoid the worst. It still looks
	terrible and might trip static analysis warnings, but the
	reinterpret_cast should hide that.

	This assumes that sizeof(uintptr_t) == sizeof(void*), so I've added
	an assertion so that we'll at least fail the test on those systems.
	(We could use GTEST_SKIP instead, but we don't have that in the
	version of gtest that we use.)

	Reviewers: keeler

	Tags: #secure-revision

	Bug #: 1578626

	[d2485b1c997e]

2019-09-05  Marcus Burghardt  <mburghardt@mozilla.com>

	* gtests/pk11_gtest/pk11_find_certs_unittest.cc:
	Bug 1578751 - Ensure a consistent style for
	pk11_find_certs_unittest.cc. r=jcj

	Adjusted the style and clang-format after the changes in some var
	names.

	[e95fee7f59e5]

Differential Revision: https://phabricator.services.mozilla.com/D46246

--HG--
extra : moz-landing-system : lando
2019-09-18 03:27:20 +00:00
Landry Breuil bb44009229 Bug 1579323 - Reenable sandbox by default on OpenBSD r=froydnj
This was broken by bug 1375863

--HG--
extra : histedit_source : 4f4c20c63d0a6337888eb6b21c451d025c72eb1a
2019-09-18 11:21:02 +03:00
Nathan Froyd 7af66c4954 Bug 1579545 - remove unused `NO_PW_GECOS` defines; r=nalexander
They aren't used in our codebase and they aren't used in the NDK.

Differential Revision: https://phabricator.services.mozilla.com/D45085

--HG--
extra : moz-landing-system : lando
2019-09-06 21:35:23 +00:00
Tom Ritter 93683129de Bug 1456544 - Remove mms-bitfields from the MinGW build r=nalexander
Differential Revision: https://phabricator.services.mozilla.com/D43459

--HG--
extra : moz-landing-system : lando
2019-08-26 16:16:36 +00:00
Tom Ritter 19db4f1a50 Bug 1460791 - Turn on -O2 for MinGW as it seems the bug causing problems is fixed r=dmajor
Differential Revision: https://phabricator.services.mozilla.com/D43389

--HG--
extra : moz-landing-system : lando
2019-08-26 13:26:59 +00:00
Tom Ritter 339f505631 Bug 1576474 - Remove a configure option for mingw-gcc which we no longer support r=dmajor
Differential Revision: https://phabricator.services.mozilla.com/D43356

--HG--
extra : moz-landing-system : lando
2019-08-25 19:57:34 +00:00
Mike Hommey 66d7fe943e Bug 1575420 - Replace MOZ_WIDGET_TOOLKIT value of "gtk3" with "gtk". r=froydnj
Differential Revision: https://phabricator.services.mozilla.com/D42765

--HG--
extra : moz-landing-system : lando
2019-08-21 12:25:42 +00:00
Nathan Froyd 87c432d06a Bug 1570982 - remove `CPP_THROW_NEW`; r=glandium
We always define it to the same thing, and we're inconsistent in whether
we use `CPP_THROW_NEW` or `throw()`, so we might as well just use the
standard C++ thing and get rid of some baggage.

Differential Revision: https://phabricator.services.mozilla.com/D40425

--HG--
extra : moz-landing-system : lando
2019-08-14 01:32:41 +00:00