2019-10-18 Deian Stefan <deian@cs.ucsd.edu>
* lib/softoken/pkcs11c.c:
Bug 1459141 - Rewrite softoken CBC pad check to be constant
r=jcj,kjacobs
[d3c8638f85cd] [NSS_3_47_BETA4]
2019-10-17 Kevin Jacobs <kjacobs@mozilla.com>
* gtests/pk11_gtest/pk11_cbc_unittest.cc:
Bug 1589120 - Additional test vectors for CBC padding. r=jcj
This patch adds more test vectors for AES-CBC and 3DES-CBC padding.
[7f17b911ac99]
* gtests/pk11_gtest/manifest.mn,
gtests/pk11_gtest/pk11_aeskeywrappad_unittest.cc,
gtests/pk11_gtest/pk11_gtest.gyp:
Bug 1589120 - Tests for padded AES key wrap r=jcj
This patch adds test vectors for padded AES Key Wrap. AES-CBC and
3DES-CBC ports of the same vectors will be included in a separate
revision.
[fb4d9b6ea2c4]
2019-10-16 Kevin Jacobs <kjacobs@mozilla.com>
* gtests/ssl_gtest/tls_agent.cc, gtests/ssl_gtest/tls_agent.h,
gtests/ssl_gtest/tls_subcerts_unittest.cc, lib/ssl/ssl3con.c,
lib/ssl/sslimpl.h, lib/ssl/tls13subcerts.c,
tests/common/certsetup.sh, tests/ssl_gtests/ssl_gtests.sh:
Bug 1588244 - SSLExp_DelegateCredential to support 'rsaEncryption'
end-entity certs with default scheme override r=mt
If an end-entity cert has an SPKI type of 'rsaEncryption', override
the DC alg to be `ssl_sig_rsa_pss_rsae_sha256`.
[93383e0fb833]
2019-10-16 J.C. Jones <jjones@mozilla.com>
* .hgtags:
Added tag NSS_3_47_BETA3 for changeset f10c3e0757b7
[fa8a67bee2dc]
Differential Revision: https://phabricator.services.mozilla.com/D49774
--HG--
extra : moz-landing-system : lando
The internal representation of certList has been converted to
cert array, and this patch does it for the serialization.
Differential Revision: https://phabricator.services.mozilla.com/D49347
--HG--
extra : moz-landing-system : lando
Adds support for creating and using a PSandboxTesting actor in the GPU process.
Differential Revision: https://phabricator.services.mozilla.com/D42386
--HG--
extra : moz-landing-system : lando
This patch includes a new browser chrome mochitest that uses a new XPCOM service (moxISandboxTest) to create a new top-level actor (PSandboxTesting) between the chrome process and any supported child processes (in later parts of this patch set). The framework is makes it easy to add new C/C++ instructions to be tested for permission under real sandbox conditions. Test results can be conditioned on the type of OS, process, sandbox level, etc.
Differential Revision: https://phabricator.services.mozilla.com/D37706
--HG--
extra : moz-landing-system : lando
2019-10-16 J.C. Jones <jjones@mozilla.com>
* lib/softoken/pkcs11c.c:
Bug 1459141 - Backed out changeset 474d62c9d0db for PK11_Wrap/Unwrap
issues r=me
[f10c3e0757b7] [NSS_3_47_BETA3]
2019-10-15 J.C. Jones <jjones@mozilla.com>
* .hgtags:
Added tag NSS_3_47_BETA2 for changeset f657d65428c6
[3ca8b20b24ee]
* cmd/addbuiltin/addbuiltin.c:
Bug 1465613 - Fixup clang format a=bustage
[f657d65428c6] [NSS_3_47_BETA2]
2019-10-11 Marcus Burghardt <mburghardt@mozilla.com>
* automation/abi-check/expected-report-libnss3.so.txt, automation/abi-
check/expected-report-libsmime3.so.txt, automation/abi-check
/expected-report-libssl3.so.txt, cmd/addbuiltin/addbuiltin.c,
cmd/lib/secutil.c, gtests/softoken_gtest/manifest.mn,
gtests/softoken_gtest/softoken_gtest.gyp,
gtests/softoken_gtest/softoken_nssckbi_testlib_gtest.cc,
lib/certdb/certdb.c, lib/certdb/certt.h, lib/ckfw/builtins/README,
lib/ckfw/builtins/certdata.txt, lib/ckfw/builtins/manifest.mn,
lib/ckfw/builtins/nssckbi.h, lib/ckfw/builtins/testlib/Makefile,
lib/ckfw/builtins/testlib/builtins-testlib.gyp,
lib/ckfw/builtins/testlib/certdata-testlib.txt,
lib/ckfw/builtins/testlib/config.mk,
lib/ckfw/builtins/testlib/manifest.mn, lib/ckfw/builtins/testlib
/nssckbi-testlib.rc,
lib/ckfw/builtins/testlib/testcert_err_distrust.txt,
lib/ckfw/builtins/testlib/testcert_no_distrust.txt,
lib/ckfw/builtins/testlib/testcert_ok_distrust.txt,
lib/ckfw/manifest.mn, lib/nss/nss.def, lib/pki/pki3hack.c,
lib/softoken/sdb.c, lib/util/pkcs11n.h, nss.gyp, tests/cert/cert.sh:
Bug 1465613 - Created two new fields for scheduled distrust from
builtins and updated support commands. r=jcj,kjacobs,mt
Added two new fields do scheduled distrust of CAs in
nssckbi/builtins. Also, created a testlib to validate these fields
with gtests.
[52024949df95]
2019-10-14 Martin Thomson <martin.thomson@gmail.com>
* lib/ssl/tls13con.c:
Bug 1588557 - Fix debug statement, r=jcj
[0f563a2571c3]
2019-10-15 Dana Keeler <dkeeler@mozilla.com>
* gtests/mozpkix_gtest/pkixder_universal_types_tests.cpp,
lib/mozpkix/include/pkix/pkixder.h, lib/mozpkix/lib/pkixcert.cpp:
bug 1579060 - fix handling of issuerUniqueID and subjectUniqueID in
mozilla::pkix::BackCert r=jcj
According to RFC 5280, the definitions of issuerUniqueID and
subjectUniqueID in TBSCertificate are as follows:
issuerUniqueID [1] IMPLICIT UniqueIdentifier OPTIONAL,
subjectUniqueID [2] IMPLICIT UniqueIdentifier OPTIONAL,
where UniqueIdentifier is a BIT STRING.
IMPLICIT tags replace the tag of the underlying type. For these
fields, there is no specified class (just a tag number within the
class), and the underlying type of BIT STRING is "primitive" (i.e.
not constructed). Thus, the tags should be of the form CONTEXT
SPECIFIC | [number in class], which comes out to 0x81 and 0x82,
respectively.
When originally implemented, mozilla::pkix incorrectly required that
the CONSTRUCTED bit also be set for these fields. Consequently, the
library would reject any certificate that actually contained these
fields. Evidently such certificates are rare.
[c50f933d37a5]
2019-10-14 Deian Stefan <deian@cs.ucsd.edu>
* lib/softoken/pkcs11c.c:
Bug 1459141 - Rewrite softoken CBC pad check to be constant time.
r=kjacobs,jcj
[474d62c9d0db]
2019-10-11 J.C. Jones <jjones@mozilla.com>
* .hgtags:
Added tag NSS_3_47_BETA1 for changeset 93245f5733b3
[f60dbafbc182]
Differential Revision: https://phabricator.services.mozilla.com/D49470
--HG--
extra : moz-landing-system : lando
2019-10-15 J.C. Jones <jjones@mozilla.com>
* cmd/addbuiltin/addbuiltin.c:
Bug 1465613 - Fixup clang format a=bustage
[f657d65428c6] [NSS_3_47_BETA2]
2019-10-11 Marcus Burghardt <mburghardt@mozilla.com>
* automation/abi-check/expected-report-libnss3.so.txt, automation/abi-
check/expected-report-libsmime3.so.txt, automation/abi-check
/expected-report-libssl3.so.txt, cmd/addbuiltin/addbuiltin.c,
cmd/lib/secutil.c, gtests/softoken_gtest/manifest.mn,
gtests/softoken_gtest/softoken_gtest.gyp,
gtests/softoken_gtest/softoken_nssckbi_testlib_gtest.cc,
lib/certdb/certdb.c, lib/certdb/certt.h, lib/ckfw/builtins/README,
lib/ckfw/builtins/certdata.txt, lib/ckfw/builtins/manifest.mn,
lib/ckfw/builtins/nssckbi.h, lib/ckfw/builtins/testlib/Makefile,
lib/ckfw/builtins/testlib/builtins-testlib.gyp,
lib/ckfw/builtins/testlib/certdata-testlib.txt,
lib/ckfw/builtins/testlib/config.mk,
lib/ckfw/builtins/testlib/manifest.mn, lib/ckfw/builtins/testlib
/nssckbi-testlib.rc,
lib/ckfw/builtins/testlib/testcert_err_distrust.txt,
lib/ckfw/builtins/testlib/testcert_no_distrust.txt,
lib/ckfw/builtins/testlib/testcert_ok_distrust.txt,
lib/ckfw/manifest.mn, lib/nss/nss.def, lib/pki/pki3hack.c,
lib/softoken/sdb.c, lib/util/pkcs11n.h, nss.gyp, tests/cert/cert.sh:
Bug 1465613 - Created two new fields for scheduled distrust from
builtins and updated support commands. r=jcj,kjacobs,mt
Added two new fields do scheduled distrust of CAs in
nssckbi/builtins. Also, created a testlib to validate these fields
with gtests.
[52024949df95]
2019-10-14 Martin Thomson <martin.thomson@gmail.com>
* lib/ssl/tls13con.c:
Bug 1588557 - Fix debug statement, r=jcj
[0f563a2571c3]
2019-10-15 Dana Keeler <dkeeler@mozilla.com>
* gtests/mozpkix_gtest/pkixder_universal_types_tests.cpp,
lib/mozpkix/include/pkix/pkixder.h, lib/mozpkix/lib/pkixcert.cpp:
bug 1579060 - fix handling of issuerUniqueID and subjectUniqueID in
mozilla::pkix::BackCert r=jcj
According to RFC 5280, the definitions of issuerUniqueID and
subjectUniqueID in TBSCertificate are as follows:
issuerUniqueID [1] IMPLICIT UniqueIdentifier OPTIONAL,
subjectUniqueID [2] IMPLICIT UniqueIdentifier OPTIONAL,
where UniqueIdentifier is a BIT STRING.
IMPLICIT tags replace the tag of the underlying type. For these
fields, there is no specified class (just a tag number within the
class), and the underlying type of BIT STRING is "primitive" (i.e.
not constructed). Thus, the tags should be of the form CONTEXT
SPECIFIC | [number in class], which comes out to 0x81 and 0x82,
respectively.
When originally implemented, mozilla::pkix incorrectly required that
the CONSTRUCTED bit also be set for these fields. Consequently, the
library would reject any certificate that actually contained these
fields. Evidently such certificates are rare.
[c50f933d37a5]
2019-10-14 Deian Stefan <deian@cs.ucsd.edu>
* lib/softoken/pkcs11c.c:
Bug 1459141 - Rewrite softoken CBC pad check to be constant time.
r=kjacobs,jcj
[474d62c9d0db]
2019-10-11 J.C. Jones <jjones@mozilla.com>
* .hgtags:
Added tag NSS_3_47_BETA1 for changeset 93245f5733b3
[f60dbafbc182]
Differential Revision: https://phabricator.services.mozilla.com/D49365
--HG--
extra : moz-landing-system : lando
This patch intends to change the internal reprensentation of certList
from nsIX509CertList to Array for TransportSecurityInfo.
Differential Revision: https://phabricator.services.mozilla.com/D48744
--HG--
extra : moz-landing-system : lando
2019-10-11 Kai Engert <kaie@kuix.de>
* automation/release/nspr-version.txt:
Bug 1583068 - Require NSPR version 4.23 r=jcj
[93245f5733b3] [NSS_3_47_BETA1]
2019-10-11 Kevin Jacobs <kjacobs@mozilla.com>
* coreconf/config.gypi, lib/freebl/freebl.gyp:
Bug 1152625 - Add gyp flag for disabling ARM HW AES r=jcj
Adds an option to disable ARMv8 HW AES, if `-Ddisable_arm_hw_aes=1`
is passed to build.sh.
Depends on D34473
[9abcea09fdd4]
2019-10-11 Makoto Kato <m_kato@ga2.so-net.ne.jp>
* lib/freebl/aes-armv8.c:
Bug 1152625 - Part 2. Remove __builtin_assume to avoid crash on PGO.
r=kjacobs,mt
`AESContext->iv` doesn't align to 16 bytes on PGO build, so we
should remove __builtin_assume. Also, I guess that `expandedKey` has
same problem.
[1b0f5c5335ee]
* lib/freebl/Makefile, lib/freebl/aes-armv8.c, lib/freebl/aes-armv8.h,
lib/freebl/freebl.gyp, lib/freebl/intel-aes.h,
lib/freebl/rijndael.c:
Bug 1152625 - Support AES HW acceleration on ARMv8. r=kjacobs,jcj
[efb895a43899]
2019-09-06 Martin Thomson <mt@lowentropy.net>
* gtests/ssl_gtest/ssl_auth_unittest.cc,
gtests/ssl_gtest/ssl_ciphersuite_unittest.cc,
gtests/ssl_gtest/ssl_extension_unittest.cc,
gtests/ssl_gtest/ssl_fuzz_unittest.cc,
gtests/ssl_gtest/tls_esni_unittest.cc, lib/ssl/ssl3con.c,
lib/ssl/ssl3exthandle.c, lib/ssl/sslimpl.h, lib/ssl/tls13con.c:
Bug 1549225 - Up front Signature Scheme validation, r=ueno
Summary: This patch started as an attempt to ensure that a DSA
signature scheme would not be advertised if we weren't willing to
negotiate versions less than TLS 1.3. Then I realized that we didn't
do the same for PKCS#1 RSA.
Then I realized that we were still willing to try to establish
connections when we had a certificate that we couldn't use.
Then I realized that ssl3_config_match_init() wasn't being run
consistently. On resumption, we only ran it when we were PARANOID.
That's silly because we weren't checking policies.
Then I realized that we were allowing ECDSA certificates to be used
when the named group in the certificate was disabled. We weren't
enforcing that consistently either. However, I also discovered that
the check we have wouldn't work without a tweak because in TLS 1.3
the named group is part of the signature scheme; the configured
named groups are only used prior to TLS 1.3 when selecting
ECDSA/ECDH certificates.
So that sounds like a lot of changes but what it boils down to is
more robust checking of the configuration prior to starting a
connection. As a result, we should be offering fewer options that
we're unwilling or unable to follow through on. A good number of
tests needed tweaking as a result because we were relying on getting
past the checks in those tests. No real problems were found as a
result; this just moves failures that might arise from
misconfiguration a little earlier in the process.
[9b418f0a4912]
2019-10-08 Kevin Jacobs <kjacobs@mozilla.com>
* gtests/pk11_gtest/pk11_der_private_key_import_unittest.cc,
lib/pk11wrap/pk11pk12.c:
Bug 1586947 - Store nickname during EC key import. r=jcj
This patch stores the nickname (if specified) during EC key import.
This was already done for all other key types.
[c319019aee75]
2019-10-08 Marcus Burghardt <mburghardt@mozilla.com>
* lib/certdb/stanpcertdb.c, lib/pk11wrap/pk11load.c,
lib/pki/pki3hack.c:
Bug 1586456 - Unnecessary conditional in pki3hack, pk11load and
stanpcertdb. r=jcj
Some conditionals that are always true were removed.
[b34061c3a377]
Differential Revision: https://phabricator.services.mozilla.com/D49030
--HG--
extra : moz-landing-system : lando
During path building, mozilla::pkix filters out candidate certificates provided
by trust domains where the subject distinguished name does not match the issuer
distinguished name of the certificate it's trying to find an issuer for.
However, if there's a problem decoding the candidate issuer certificate,
mozilla::pkix will make a note of this error, regardless of if that certificate
was potentially a suitable issuer. If no trusted path is found, the error from
that unrelated certificate may ultimately be returned by mozilla::pkix,
resulting in confusion.
Before this patch, NSSCertDBTrustDomain could cause this behavior by blithely
passing every known 3rd party certificate to mozilla::pkix (other sources of
certificates already filter on subject distinguished name). This patch adds
filtering to 3rd party certificates as well.
Differential Revision: https://phabricator.services.mozilla.com/D48120
--HG--
extra : moz-landing-system : lando
Allow access to extra services needed to open file pickers from the Flash process on 10.15.
Differential Revision: https://phabricator.services.mozilla.com/D48145
--HG--
extra : moz-landing-system : lando
2019-10-03 Kevin Jacobs <kjacobs@mozilla.com>
* gtests/pk11_gtest/pk11_cbc_unittest.cc, lib/softoken/pkcs11c.c:
Bug 1576307 - Fixup for fips tests, permit NULL iv as necessary.
r=jcj
ECB mode should not require an IV.
[dc86215aea17] [tip]
2019-09-30 Kevin Jacobs <kjacobs@mozilla.com>
* gtests/pk11_gtest/pk11_cbc_unittest.cc, lib/softoken/pkcs11c.c:
Bug 1576307 - Check mechanism param and param length before casting
to mechanism-specific structs. r=jcj
This patch adds missing PKCS11 input parameter checks, which are
needed prior to casting to mechanism-specific structs.
[53d92a324080]
Differential Revision: https://phabricator.services.mozilla.com/D48109
--HG--
extra : moz-landing-system : lando
2019-10-01 Kevin Jacobs <kjacobs@mozilla.com>
* lib/softoken/pkcs11c.c:
Bug 1577953 - Support longer (up to RFC maximum) HKDF outputs r=jcj
HKDF-Expand enforces a maximum output length much shorter than
stated in the RFC. This patch aligns the implementation with the RFC
by allocating more output space when necessary.
[c0913ad7a560] [tip]
2019-09-30 Kevin Jacobs <kjacobs@mozilla.com>
* gtests/common/testvectors/curve25519-vectors.h,
gtests/pk11_gtest/pk11_curve25519_unittest.cc,
gtests/pk11_gtest/pk11_ecdsa_unittest.cc,
gtests/pk11_gtest/pk11_ecdsa_vectors.h,
gtests/pk11_gtest/pk11_signature_test.h:
Bug 1558234 - Additional EC key tests, r=jcj
Adds additional EC key corner case testing.
[c20364849713]
Differential Revision: https://phabricator.services.mozilla.com/D47805
--HG--
extra : moz-landing-system : lando
This patch sets the preference order for `TLS_CHACHA20_POLY1305_SHA256` over `TLS_AES_128_GCM_SHA256` for ARM builds.
As noted in the bug, this is far from an ideal way to do this. The implementation is purposefully simplistic so as to minimize any performance hit. If we want to accept doing this configuration for every new TLS connection, `SSL_CipherSuiteOrderGet` **will** return the pref-filtered (i.e. only the enabled) ciphers, but in the default NSS order. We would have to build a new list by referencing this output with another ordered list defined in PSM. If we want to leave NSS as-is (instead of offering a global reconfiguration API), we should do this.
Differential Revision: https://phabricator.services.mozilla.com/D47485
--HG--
extra : rebase_source : 0252cf321225cd644a463fd94561fd6af38b3837
extra : source : 4836c05dd2eee11bf9d836fb0505e77450b0651b
This patch sets the preference order for `TLS_CHACHA20_POLY1305_SHA256` over `TLS_AES_128_GCM_SHA256` for ARM builds.
As noted in the bug, this is far from an ideal way to do this. The implementation is purposefully simplistic so as to minimize any performance hit. If we want to accept doing this configuration for every new TLS connection, `SSL_CipherSuiteOrderGet` **will** return the pref-filtered (i.e. only the enabled) ciphers, but in the default NSS order. We would have to build a new list by referencing this output with another ordered list defined in PSM. If we want to leave NSS as-is (instead of offering a global reconfiguration API), we should do this.
Differential Revision: https://phabricator.services.mozilla.com/D47485
--HG--
extra : moz-landing-system : lando
2019-09-27 J.C. Jones <jjones@mozilla.com>
* lib/softoken/pkcs11.c, lib/softoken/pkcs11i.h,
lib/softoken/pkcs11u.c:
Bug 1508776 - Remove unneeded refcounting from SFTKSession
r=mt,kjacobs
SFTKSession objects are only ever actually destroyed at PK11 session
closure, as the session is always the final holder -- and asserting
refCount == 1 shows that to be true. Because of that,
NSC_CloseSession can just call `sftk_DestroySession` directly and
leave `sftk_FreeSession` as a no-op to be removed in the future.
[5619cbbca3db] [tip]
Differential Revision: https://phabricator.services.mozilla.com/D47631
--HG--
extra : moz-landing-system : lando
The intent of adding this pref is to allow us to change defaults for
security.tls.version.min for a progressive rollout of a TLS 1.0 and 1.1
deprecation. During that process, we'd like to offer the option to enable these
old TLS versions, without adding a pref override that would cause those versions
to remain enabled once we finish the rollout.
Those people who have triggered the override will be able to access TLS 1.0 and
1.1 sites until we eventually remove the code that respects this pref. What is
likely to happen is that this pref will remain in code past the end of our
rollout for part of a release cycle, plus maybe the next cycle depending on
how timing works out.
This pref is a simple boolean that we'll remove in March 2020.
Differential Revision: https://phabricator.services.mozilla.com/D45798
--HG--
extra : moz-landing-system : lando
The intent of adding this pref is to allow us to change defaults for
security.tls.version.min for a progressive rollout of a TLS 1.0 and 1.1
deprecation. During that process, we'd like to offer the option to enable these
old TLS versions, without adding a pref override that would cause those versions
to remain enabled once we finish the rollout.
Those people who have triggered the override will be able to access TLS 1.0 and
1.1 sites until we eventually remove the code that respects this pref. What is
likely to happen is that this pref will remain in code past the end of our
rollout for part of a release cycle, plus maybe the next cycle depending on
how timing works out.
This pref is a simple boolean that we'll remove in March 2020.
Differential Revision: https://phabricator.services.mozilla.com/D45798
--HG--
extra : moz-landing-system : lando
J.C. Jones
Sean Feng
Marcus Burghardt
ffxbld
Srujana Peddinti
Johann Hofmann
Kevin Jacobs
Ricky Stewart
Kris Maglione
Junior Hsu
Daniel Varga
Sylvestre Ledru
Dana Keeler
Haik Aftandilian
Cameron McCormack
shravanrn@gmail.com
Anny Gakhokidze
Kershaw Chang
Gabriele Svelto
Ciure Andrei
Aaron Klotz
dleblanccyr
Martin Thomson
Coroiu Cristina
Tim Nguyen
Carolina