mirror of https://github.com/mozilla/gecko-dev.git
4747 commits
Author | SHA1 | Message | Date |
---|---|---|---|
Benjamin Beurdouche | 5a5e62989c |
Bug 1705477 - land NSS NSS_3_65_RTM UPGRADE_NSS_RELEASE, r=beurdouche
2021-05-14 Benjamin Beurdouche <bbeurdouche@mozilla.com>
* lib/nss/nss.h, lib/softoken/softkver.h, lib/util/nssutil.h:
  Set version numbers to 3.65 final
  [0e785b3a4a10] [NSS_3_65_RTM] <NSS_3_65_BRANCH>
* .hgtags:
  Added tag NSS_3_65_BETA1 for changeset 1bdb4713e2f0
  [6f4869107d74] <NSS_3_65_BRANCH>

2021-05-11 Robert Relyea <rrelyea@redhat.com>
* gtests/pk11_gtest/pk11_hpke_unittest.cc:
  fix clang format error from patch for bug 1709750
  [1bdb4713e2f0] [NSS_3_65_BETA1]
* coreconf/NetBSD.mk:
  Bug 1709654 Update for NetBSD configuration patch by Thomas Klausner r=rrelyea

  In the NetBSD configuration, the symbol hiding flags are not defined. This leads to conflicts when openssl and nss are linked into the same binary. For a longer discussion on the topic, see https://groups.google.com/a/mozilla.org/g/dev-tech-crypto/c/Al0Pt0zhARE

  Match more closely to OpenBSD.mk, and in particular, hide symbols (MAPFILE).
  - fix wrong value of CPU_ARCH on NetBSD/evbarm-earmv7f
  - s/aarch64eb/aarch64/
  [a7769615f285]

Differential Revision: https://phabricator.services.mozilla.com/D115135 |
|
Benjamin Beurdouche | 6f107407c9 |
Bug 1705477 - land NSS 1d066793c349 UPGRADE_NSS_RELEASE, r=beurdouche
2021-05-06 Martin Thomson <mt@lowentropy.net>
* gtests/pk11_gtest/pk11_hpke_unittest.cc:
  Bug 1709750 - Disable HPKE test when fuzzing, r=bbeurdouche
  [1d066793c349] [tip]

2021-05-05 Benjamin Beurdouche <bbeurdouche@mozilla.com>
* lib/freebl/ppc-gcm-wrap.c, lib/freebl/ppc-gcm.h:
  Bug 1566124 - Clang format run. r=beurdouche
  [cb714d62058c]

2021-05-05 mamonet <maamoun.tk@gmail.com>
* lib/freebl/Makefile, lib/freebl/freebl.gyp, lib/freebl/ppc-gcm-wrap.c, lib/freebl/ppc-gcm.h, lib/freebl/ppc-gcm.s, lib/freebl/rijndael.c:
  [1133fef2f7ce]

2021-03-17 Martin Thomson <mt@lowentropy.net>
* gtests/common/testvectors/hpke-convert.py, gtests/common/testvectors/hpke-vectors.h, lib/pk11wrap/pk11hpke.c, lib/pk11wrap/pk11hpke.h:
  Bug 1699021 - Add AES-256-GCM to HPKE, r=bbeurdouche
  [9fa53d717386]
* automation/abi-check/expected-report-libssl3.so.txt, cmd/selfserv/selfserv.c, gtests/ssl_gtest/libssl_internals.c, gtests/ssl_gtest/libssl_internals.h, gtests/ssl_gtest/tls_connect.cc, gtests/ssl_gtest/tls_connect.h, gtests/ssl_gtest/tls_ech_unittest.cc, lib/ssl/sslexp.h, lib/ssl/sslsock.c, lib/ssl/sslt.h, lib/ssl/tls13ech.c, lib/ssl/tls13ech.h, lib/ssl/tls13exthandle.c, lib/ssl/tls13hashstate.c, lib/ssl/tls13hashstate.h:
  Bug 1698419 - ECH -10 updates, r=bbeurdouche

  The main changes here are:
  * an update to HPKE -08
  * a move to the single-byte configuration ID
  * reordering of ECHConfig

  The addition of the explicit configuration ID means that the API for constructing ECHConfig(List) needs to change. That means a name change, unfortunately. I took the opportunity to make further changes to the arguments.
  [fa93bd88b690]

2021-03-16 Martin Thomson <mt@lowentropy.net>
* coreconf/config.gypi, coreconf/config.mk, gtests/common/testvectors/hpke-convert.py, gtests/common/testvectors/hpke-vectors.h, gtests/pk11_gtest/pk11_hpke_unittest.cc, gtests/ssl_gtest/ssl_auth_unittest.cc, gtests/ssl_gtest/ssl_tls13compat_unittest.cc, gtests/ssl_gtest/tls_ech_unittest.cc, lib/pk11wrap/pk11hpke.c, lib/pk11wrap/pk11hpke.h, lib/pk11wrap/pk11pub.h, lib/ssl/tls13ech.c:
  Bug 1692930 - Update HPKE to final version, r=bbeurdouche

  This adds the final HPKE version string. This removes the draft version markers from the implementation and stops tracking the draft version with the exported syntax.

  I've added the script that I used to convert the JSON test vectors from the specification; that should allow us to pick up new tests relatively easily, especially if we need to add new algorithms.

  This change breaks several ECH test cases. As fixing those tests is extraordinarily fiddly, I'm going to defer making those changes until we need to update ECH. As we can't land this code until ECH is updated to depend on the final HPKE and until we have coordinated with servers on when the ECH update can be deployed, it should be OK to defer.

  In short, don't land this without the matching ECH changes.
  [e78141a928f4]

2021-05-04 Robert Relyea <rrelyea@redhat.com>
* automation/abi-check/expected-report-libnss3.so.txt, cmd/lib/basicutil.h, cmd/lib/secutil.c, cmd/lib/secutil.h, cmd/pk12util/pk12util.c, cmd/pp/pp.c, doc/pk12util.xml, doc/pp.xml, lib/nss/nss.def, lib/pk11wrap/pk11akey.c, lib/pk11wrap/pk11pub.h, lib/pkcs12/p12d.c, lib/pkcs12/p12e.c, lib/pkcs12/p12local.c, lib/pkcs12/p12local.h, lib/pkcs12/p12plcy.c, lib/util/secoidt.h, tests/tools/tools.sh:
  Bug 1707130 NSS should use modern algorithms in PKCS#12 files by default r=mt

  Also fixes:
  Bug 452464 pk12util -o fails when -C option specifies AES or Camellia ciphers

  Related:
  Bug 1694689 Firefox should use modern algorithms in PKCS#12 files by default
  Bug 452471 pk12util -o fails when -c option specifies pkcs12v2 PBE ciphers

  The base of this fix was a simple 3-line fix in pkcs12.c, changing the initial setting of cipher and cert cipher.

  Overview for why this patch is larger than just 3 lines:

  1. First issue was found in trying to change the mac hashing value.
     a. While the decrypt side knew how to handle SHA2 hashes, the equivalent code was not updated on the encrypt side. I refactored that code and placed the common function in p12local.c. Now p12e.c and p12d.c share common code to find the required function to produce the mac key.
     b. The prf hmac was hard coded to SHA1. I changed the code to pass the hmac matching the hashing algorithm for the mac. This required changes to p12e.c to calculate and pass the new hmac as well and adding new PK11_ExportEncryptedPrivateKey and PK11_ExportEncryptedPrivKey to take the PKCS #5 v2 parameters. I also corrected an error which prevented pkcs12 encoding of ciphers other than AES.
  2. Once I'd made my changes, I realized we didn't have a way of testing them. While we had code that verified that particular sets of parameters for pkcs12 worked together and could be listed and imported, we didn't have a way to verify what algorithms were actually generated by our tools.
     a. pk12util -l doesn't list the encryption used for the certs, so I updated pp to take a pkcs12 option. In doing so I had to update pp to handle indefinite encoding when decoding blocks. I also factored that decoding out into its own function so the change only needed to be placed once. Finally I re-enabled a function which prints the output of an EncryptedPrivate key. This function was disabled long ago when the Encrypted Private key info was made private for NSS. It has since been exported, so these functions could easily be enabled (archeological note: I verified that this disabling was not a recent thing; I found I had done it back when I still had a netscape email address;).
     b. I updated tools.sh to use the new pp -t pkcs12 feature to verify that the key encryption, cert encryption, and hash functions matched what we expected when we exported a new key. I also updated tools.sh to handle the new hash variable option to pk12util.
     c. I discovered several tests commented out with comments that they don't work. I enabled those tests and discovered that they can now encrypt, but they can't decrypt because of pkcs12 policy. I updated the policy code, but I updated it to use the new NSS system wide policy mechanism. This enabled all the ciphers to work. There is still policy work to do. The pk12 policy currently only prevents ciphers from use in decrypting the certificates, not decrypting the keys and not encrypting. I left that for future work.
  3. New options for pp and pk12util were added to the man pages for these tools.

  ---------------------------------------------------------------------------

  With that in mind, here's a file by file description of the patch:

  automation/abi-check/expected-report-libnss3.so.txt
  -Add new exported functions. (see lib/nss/nss.def)

  cmd/lib/basicutil.h:
  -Removed the HAVE_EPV_TEMPLATE ifdefs (NSS has exported the Encrypted Private Key data structure for a while now.)

  cmd/lib/secutil.c:
  global: Updated several functions to take a const char * m (message) rather than a char * m
  global: Made the various PrintPKCS7 return an error code.
  global: Added a state variable to be passed around the various PKCS7 Print functions. It gives the proper context to interpret PKCS7 Data Content. PKCS 12 used PKCS7 to package the various PKCS12 Safes and Bags.
  -Updated SECU_StripTagAndLength to handle indefinite encoding, and to set the Error code.
  -Added SECU_ExtractDERAndStep to grab the next DER Tag, Length, and Data.
  -Updated secu_PrintRawStringQuotesOptional to remove the inline DER parsing and use SECU_ExtractDERAndStep().
  -Updated SECU_PrintEncodedObjectID to return the SECOidTag just like SECU_PrintObjectID.
  -Re-enable SECU_PrintPrivateKey
  -Added secu_PrintPKCS12Attributes to print out the Attributes tied to a PKCS #12 Bag
  -Added secu_PrintPKCS12Bag to print out a PKCS #12 Bag
  -Added secu_PrintPKCS7Data, which uses the state to determine what it was printing out.
  -Added secu_PrintDERPKCS7ContentInfo which is identical to the global function SECU_PrintPKCS7ContentInfo except it takes a state variable. The latter function now calls the former.
  -Added secu_PrintPKCS12DigestInfo to print the Hash information of the Mac. DigestInfo is the name in the PKCS 12 spec.
  -Added secu_PrintPKCS12MacData to print the Mac portion of the PKCS 12 file.
  -Added SECU_PrintPKCS12 to print out the pkcs12 file.

  cmd/lib/secutil.h
  -Added string for pkcs12 for the command line of pp
  -re-enabled SECU_PrintPrivateKey
  -Added SECU_PrintPKCS12 for export.

  cmd/pk12util/pk12util.c
  -Added the -M option to specify a hash algorithm for the mac.
  -updated P12U_ExportPKCS12Object: pass the hash algorithm to the PasswordIntegrity handler.
  -Added PKCS12U_FindTagFromString: generalized string to SECOidTag which only filters based on the oid having a matching PKCS #11 mechanism.
  -updated PKCS12U_MapCipherFromString to use PKCS12U_FindTagFromString to get the candidate tag before doing its post processing to decide if the tag is really an encryption algorithm.
  -Added PKCS12U_MapHashFromString which is like MapCipherFromString except it verifies the resulting tag is a hash object.
  -Updated main to 1) change the default cipher, change the default certCipher, and process the new hash argument.
  NOTE: in the old code we did not encrypt the certs in FIPS mode. That's because the certs were encrypted with RC4 in the default pkcs12 file, which wasn't a FIPS algorithm. Since AES is, we can use it independent on whether or not we are in FIPS mode.

  cmd/pp/pp.c
  -Added the pkcs12 option which calls SECU_PrintPKCS12 from secutil.c

  lib/nss/nss.def
  -Add exports to the new PK11_ExportEncryptedPrivKeyInfoV2 and PK11_ExportEncryptedPrivateKeyInfoV2 (V2 means PKCS 5 v2, not Version 2 of ExportEncrypted*Info).
  -Add export for the old HASH_GetHMACOidTagByHashOidTag which should have been exported long ago to avoid the proliferation of copies of this function in places like ssl.

  lib/pk11wrap/pk11akey.c
  -Add PK11_ExportEncryptedPrivKeyInfoV2 (which the old function now calls), which takes the 3 PKCS 5 v2 parameters. The underlying pkcs5 code can fill in missing tags if necessary, but supplying all three gives the caller full control of the underlying pkcs5 PBE used.
  -Add PK11_ExportEncryptedPrivateKeyInfoV2, same as the above function except it takes a cert which is used to look up the private key. It's the function that pkcs12 actually uses, but the former was exported for completeness.

  lib/pk11wrap/pk11pub.h
  -Added the new PK11_ExportEncryptedPriv*KeyInfoV2 functions.

  lib/pkcs12/p12d.c
  -Remove the switch statement and place it in p12local.c so that p12e.c can use the same function.

  lib/pkcs12/p12e.c
  -Remove the unnecessary privAlg check so we can encode any mechanism we support. This only prevented encoding certificates in the pk12 file, not the keys.
  -add code to get the hmac used in the pbe prf from the integrity hash, which is under application control.
  -Do the same for key encryption, then use the new PK11_ExportEncryptedPrivateKeyInfo to pass that hash value.
  -Use the new sec_pkcs12_algtag_to_keygen_mech so there is only one switch statement to update rather than 2.
  -Update the hash data to hold the length of the largest hash rather than the length of a SHA1 hash.

  lib/pkcs12/p12local.c
  - Add new function sec_pkcs12_algtag_to_keygen_mech to factor out the common switch statement between p12e and p12d.

  lib/pkcs12/p12local.h
  -Export the new sec_pkcs12_algtag_to_keygen_mech

  lib/pkcs12/p12plcy.c
  -Map the old p12 policy functions to use the new NSS_GetAlgorithmPolicy. We keep the old table so that applications can change the policy with the old PKCS12 specific defines (so the old code keeps working). NOTE: policies now default to true rather than false.

  lib/util/secoidt.h
  -Add new NSS_USE_ALG_IN_PKCS12 used by pk11plcy.c
  NOTE: I have not updated the policy table in pk11wrap/pk11pars.c, so we can't yet control pkcs12 policy with the nss system policy table. That's a patch for another time.

  tests/tools/tools.sh
  -global: Remove trailing spaces
  -global: DEFAULT is changed to 'default'
  -Update the PBE mechanism to exactly match the string in secoid.c. PKCS #12 does case independent compares, so case doesn't matter there, but now I'm comparing to the output of pp, and I didn't want to spend the time to figure out case independent compares in bash.
  -Add our defaults and shell variables at the top so they are easy to change in the future. export_with_*** have all been collapsed into a single export_p12_file which handles taking 'default' and turning off that argument.
  -Add for loops for the hash functions.
  -Restore the camellia ciphers back now that they work.
  -Restore the pkcs12V2pbe back now that they work.
  -Collect various pbe types into single variables and use those variables in loops
  -Reduce the number of tests run in optimized mode (which takes 60x the time to do a pbe than debug mode based on a larger iterator).
  -Add verify_p12 which dumps out the p12 file and makes sure the expected CERT_ENCRYPTION, KEY_ENCRYPTION, and HASH are used.

  doc/pp.xml
  -Add pkcs12 option

  doc/pk12util.xml
  -Add -M option
  -Update synopsis with options in the description but not in the synopsis
  [0a1687e1b39e]

Differential Revision: https://phabricator.services.mozilla.com/D114584 |
|
Benjamin Beurdouche | 37aa935e43 |
Bug 1705477 - land NSS c982fb957516 UPGRADE_NSS_RELEASE, r=beurdouche
Differential Revision: https://phabricator.services.mozilla.com/D114231 |
|
Ryan VanderMeulen | 0853554188 |
Bug 1699657 - land NSS NSS_3_64_RTM UPGRADE_NSS_RELEASE, r=bbeurdouche
Differential Revision: https://phabricator.services.mozilla.com/D112222 |
|
Benjamin Beurdouche | 8d848a2cbe |
Bug 1694020 - land NSS NSS_3_63_RTM UPGRADE_NSS_RELEASE, r=beurdouche
Differential Revision: https://phabricator.services.mozilla.com/D108957 |
|
Benjamin Beurdouche | f8d14645f7 |
Bug 1694020 - land NSS 61e70233f80e UPGRADE_NSS_RELEASE, r=beurdouche
2021-03-10 Benjamin Beurdouche <bbeurdouche@mozilla.com>
* cmd/bltest/blapitest.c, lib/freebl/blapi.h, lib/freebl/chacha20poly1305-ppc.c, lib/freebl/chacha20poly1305.c, lib/freebl/loader.c:
  Bug 1613235 - Clang-format for: POWER ChaCha20 stream cipher vector acceleration r=beurdouche

  Depends on D107221
  [61e70233f80e] [tip]

2021-03-10 aoeu <aoeuh@yandex.ru>
* cmd/bltest/blapitest.c, lib/freebl/blapi.h, lib/freebl/blapit.h, lib/freebl/chacha20poly1305.c, lib/freebl/chacha20poly1305.h, lib/freebl/ldvector.c, lib/freebl/loader.c, lib/freebl/loader.h:
  Bug 1613235 - Add POWER ChaCha20 stream cipher vector acceleration. r=bbeurdouche

  Depends on D107220
  [4f7ba08bd991]
* lib/freebl/Makefile, lib/freebl/chacha20-ppc64le.S, lib/freebl/chacha20poly1305-ppc.c, lib/freebl/chacha20poly1305.c, lib/freebl/freebl.gyp, lib/freebl/freebl_base.gypi:
  Bug 1613235 - Add POWER ChaCha20 stream cipher vector acceleration. r=bbeurdouche
  [764124fddaa2]

2021-03-10 Benjamin Beurdouche <bbeurdouche@mozilla.com>
* lib/freebl/ecl/ecp_secp384r1.c, lib/freebl/ecl/ecp_secp521r1.c:
  Bug 1697380 - Make a clang-format run on top of helpful contributions. r=beurdouche

  Depends on D106881
  [8a9174a78207]
* lib/freebl/ecl/ecp_secp384r1.c:
  Bug 1683520 - ECCKiila P384, change syntax of nested structs initialization to prevent build issues with GCC 4.8. r=bbrumley

  Depends on D102389
  [150cbb169f1e]

2021-03-10 Billy Brumley <bbrumley@gmail.com>
* lib/freebl/ecl/ecp_secp384r1.c:
  Bug 1683520 - [lib/freebl/ecl] P-384: allow zero scalars in dual scalar multiplication r=bbeurdouche
  [76aca2d944ae]

2021-03-10 Benjamin Beurdouche <bbeurdouche@mozilla.com>
* lib/freebl/ecl/ecp_secp521r1.c:
  Bug 1683520 - ECCKiila P521, change syntax of nested structs initialization to prevent build issues with GCC 4.8. r=bbrumley

  Depends on D102406
  [5e7affa3ce43]

2021-03-10 Billy Brumley <bbrumley@gmail.com>
* lib/freebl/ecl/ecp_secp521r1.c:
  Bug 1683520 - [lib/freebl/ecl] P-521: allow zero scalars in dual scalar multiplication r=bbeurdouche
  [a8f4918cd546]

2021-03-08 Benjamin Beurdouche <bbeurdouche@mozilla.com>
* automation/taskcluster/scripts/run_hacl.sh, lib/freebl/verified/Hacl_Bignum25519_51.h, lib/freebl/verified/Hacl_Chacha20.c, lib/freebl/verified/Hacl_Chacha20.h, lib/freebl/verified/Hacl_Chacha20Poly1305_128.c, lib/freebl/verified/Hacl_Chacha20Poly1305_128.h, lib/freebl/verified/Hacl_Chacha20Poly1305_256.c, lib/freebl/verified/Hacl_Chacha20Poly1305_256.h, lib/freebl/verified/Hacl_Chacha20Poly1305_32.c, lib/freebl/verified/Hacl_Chacha20Poly1305_32.h, lib/freebl/verified/Hacl_Chacha20_Vec128.c, lib/freebl/verified/Hacl_Chacha20_Vec128.h, lib/freebl/verified/Hacl_Chacha20_Vec256.c, lib/freebl/verified/Hacl_Chacha20_Vec256.h, lib/freebl/verified/Hacl_Curve25519_51.c, lib/freebl/verified/Hacl_Curve25519_51.h, lib/freebl/verified/Hacl_Kremlib.h, lib/freebl/verified/Hacl_Poly1305_128.c, lib/freebl/verified/Hacl_Poly1305_128.h, lib/freebl/verified/Hacl_Poly1305_256.c, lib/freebl/verified/Hacl_Poly1305_256.h, lib/freebl/verified/Hacl_Poly1305_32.c, lib/freebl/verified/Hacl_Poly1305_32.h, lib/freebl/verified/kremlin/include/kremlin/internal/target.h, lib/freebl/verified/kremlin/include/kremlin/internal/types.h, lib/freebl/verified/kremlin/kremlib/dist/minimal/FStar_UInt128.h, lib/freebl/verified/kremlin/kremlib/dist/minimal/FStar_UInt128_Verified.h, lib/freebl/verified/kremlin/kremlib/dist/minimal/FStar_UInt_8_16_32_64.h, lib/freebl/verified/kremlin/kremlib/dist/minimal/LowStar_Endianness.h, lib/freebl/verified/kremlin/kremlib/dist/minimal/fstar_uint128_gcc64.h, lib/freebl/verified/kremlin/kremlib/dist/minimal/fstar_uint128_msvc.h, lib/freebl/verified/libintvector.h:
  Bug 1696800 - HACL* update March 2021 - c95ab70fcb2bc21025d8845281bc4bc8987ca683 r=beurdouche
  [3a85b452dbfa]
Differential Revision: https://phabricator.services.mozilla.com/D107995 |
|
Benjamin Beurdouche | 590564d9d4 |
Bug 1694020 - land NSS 38a91427d65fffd0d7f7d2b6d0bcee7dc8b77a37 UPGRADE_NSS_RELEASE, r=beurdouche
Differential Revision: https://phabricator.services.mozilla.com/D107084 |
|
Butkovits Atila | 043c0bbe2d | Backed out changeset 40a2cb2f242b (bug 1694020) on request from beurdouche, UPGRADE_NSS_RELEASE CLOSED TREE | |
Benjamin Beurdouche | dd75eb4204 |
Bug 1694020 - land NSS 38a91427d65fffd0d7f7d2b6d0bcee7dc8b77a37 UPGRADE_NSS_RELEASE, r=beurdouche
Differential Revision: https://phabricator.services.mozilla.com/D107084 |
|
Benjamin Beurdouche | 76f4cfc3b7 |
Bug 1688685 - land NSS NSS_3_62_RTM UPGRADE_NSS_RELEASE, r=beurdouche
2021-02-19 Benjamin Beurdouche <bbeurdouche@mozilla.com>
* lib/nss/nss.h, lib/softoken/softkver.h, lib/util/nssutil.h:
  Set version numbers to 3.62 final
  [a8e045a9fff6] [NSS_3_62_RTM] <NSS_3_62_BRANCH>

2021-02-15 Benjamin Beurdouche <bbeurdouche@mozilla.com>
* .hgtags:
  Added tag NSS_3_62_BETA1 for changeset a5c857139b37
  [145c269c82d6] <NSS_3_62_BRANCH>

Differential Revision: https://phabricator.services.mozilla.com/D105739 |
|
Benjamin Beurdouche | 6dfa84bd39 |
Bug 1688685 - land NSS NSS_3_62_BETA1 UPGRADE_NSS_RELEASE, r=mt
```
2021-02-05 Danh <congdanhqx@gmail.com>
* gtests/manifest.mn:
  Bug 1688374 - Fix parallel build NSS-3.61 with make. r=kjacobs
  [a5c857139b37] [NSS_3_62_BETA1]

2021-02-05 Robert Relyea <rrelyea@redhat.com>
* lib/libpkix/pkix/util/pkix_tools.c:
  Bug 1682044 pkix_Build_GatherCerts() + pkix_CacheCert_Add() can corrupt "cachedCertTable"

  Patch by Andrew Cagney
  Preliminary Review by Ryan Sleevie
  Tested against all.sh rrelyea.
  r=kjacobs

  (this bug is old)

  pkix_Build_GatherCerts() has two code paths for creating the list "certsFound":

  pkix_CacheCert_Lookup()
    this sets "certsFound" to a new list
    "certsFound" and "cachedCertTable" share items but not the list

  pkix_CacheCert_Add(pkix_pl_Pk11CertStore_CertQuery())
    this sets "certsFound" to a new list; and then adds the list to "cachedCertTable"
    "certsFound" and "cachedCertTable" share a linked list

  Because the latter doesn't create a separate list, deleting list elements from "certsFound" can also delete list elements from within "cacheCertTable". And if this happens while pkix_CacheCert_Lookup() is trying to update the same element's reference, a core dump can result.

  In detail (note that reference counts may occasionally seem off by 1, it's because data is being captured before function local variables release their reference):

  pkix_Build_GatherCerts() calls pkix_pl_Pk11CertStore_CertQuery() (via a pointer) to set "certsFound":

      PKIX_CHECK(getCerts
          (certStore, state->certSel, state->verifyNode,
          &nbioContext, &certsFound, plContext),
          PKIX_GETCERTSFAILED);

  it then calls:

      PKIX_CHECK(pkix_CacheCert_Add
          (certStore, certSelParams, certsFound, plContext),
          PKIX_CACHECERTADDFAILED);

  [dafda4eee75c]
```
Differential Revision: https://phabricator.services.mozilla.com/D105209 |
|
Benjamin Beurdouche | d901b16ba2 |
Bug 1688685 - land NSS fc3a4c142c16 UPGRADE_NSS_RELEASE, r=kjacobs
2021-02-04 Kevin Jacobs <kjacobs@mozilla.com>
* gtests/ssl_gtest/ssl_recordsize_unittest.cc, lib/ssl/ssl3ext.c:
  Bug 1690583 - Fix CH padding extension size calculation. r=mt

  Bug 1654332 changed the way that NSS constructs Client Hello messages. `ssl_CalculatePaddingExtLen` now receives a `clientHelloLength` value that includes the 4B handshake header. This looks okay per the inline comment (which states that only the record header is omitted from the length), but the function actually assumes that the handshake header is also omitted.

  This patch removes the addition of the handshake header length. Those bytes are already included in the buffered CH.
  [fc3a4c142c16] [tip]
* automation/abi-check/expected-report-libnss3.so.txt:
  Bug 1690421 - Adjust 3.62 ABI report formatting for new libabigail. r=bbeurdouche
  [a1ed44dba32e]

2021-02-03 Kevin Jacobs <kjacobs@mozilla.com>
* automation/taskcluster/docker-builds/Dockerfile:
  Bug 1690421 - Install packaged libabigail in docker-builds image r=bbeurdouche
  [3c719b620136]

2021-01-31 Kevin Jacobs <kjacobs@mozilla.com>
* cmd/selfserv/selfserv.c, cmd/tstclnt/tstclnt.c, lib/ssl/tls13hashstate.c, lib/ssl/tls13hashstate.h:
  Bug 1689228 - Minor ECH -09 fixes for interop testing, fuzzing. r=mt

  A few minor ECH -09 fixes for interop testing and fuzzing:
  - selfserv now takes a PKCS8 keypair for ECH. This is more maintainable and significantly less terrible than parsing the ECHConfigs and cobbling one together within selfserv (e.g. we can support other KEMs without modifying the server).
  - Get rid of the newline character in tstclnt retry_configs output.
  - Fuzzer fixes in tls13_HandleHrrCookie:
    - We shouldn't use internal_error when PK11_HPKE_ImportContext fails. Cookies are unprotected in fuzzer mode, so this can be expected to occur.
    - Only restore the application token when recovering hash state, otherwise the copy could happen twice, leaking one of the allocations.
  [8bbea1902024]

2021-01-25 Kevin Jacobs <kjacobs@mozilla.com>
* lib/ssl/ssl3exthandle.c:
  Bug 1674819 - Fixup a51fae403328, enum type may be signed. r=bbeurdouche
  [2004338a2080]

Differential Revision: https://phabricator.services.mozilla.com/D104258 |
|
Kevin Jacobs | f9716bc8ab |
Bug 1688685 - land NSS 92dcda94c1d4 UPGRADE_NSS_RELEASE, r=bbeurdouche
2021-01-22 Kevin Jacobs <kjacobs@mozilla.com>
* automation/abi-check/previous-nss-release, lib/nss/nss.h, lib/softoken/softkver.h, lib/util/nssutil.h:
  Set version numbers to 3.62 Beta
  [680ec01577b9]

2021-01-23 Kevin Jacobs <kjacobs@mozilla.com>
* tests/chains/scenarios/nameconstraints.cfg, tests/libpkix/certs/NameConstraints.ipaca.cert, tests/libpkix/certs/NameConstraints.ocsp1.cert:
  Bug 1686134 - Renew two chains libpkix test certificates. r=rrelyea
  [3ddcd845704c]

2021-01-25 Kevin Jacobs <kjacobs@mozilla.com>
* gtests/common/testvectors/hpke-vectors.h, gtests/pk11_gtest/pk11_hpke_unittest.cc, lib/pk11wrap/pk11hpke.c, lib/pk11wrap/pk11hpke.h, lib/pk11wrap/pk11pub.h:
  Bug 1678398 - Update HPKE to draft-07. r=mt

  This patch updates HPKE to draft-07. A few other minor changes are included:
  - Refactor HPKE gtests for increased parameterized testing.
  - Replace memcpy calls with PORT_Memcpy
  - Serialization tweaks to make way for context Export/Import (D99277).

  This should not be landed without an ECH update, as fixed ECH test vectors will otherwise fail to decrypt.
  [e0bf8cadadc7]
* automation/abi-check/expected-report-libnss3.so.txt, gtests/pk11_gtest/pk11_hpke_unittest.cc, lib/nss/nss.def, lib/pk11wrap/pk11hpke.c, lib/pk11wrap/pk11pub.h:
  Bug 1678398 - Add Export/Import functions for HPKE context. r=mt

  This patch adds and exports two new HPKE functions: `PK11_HPKE_ExportContext` and `PK11_HPKE_ImportContext`, which are used to export a serialized HPKE context, then later reimport that context and resume Open and Export operations. Only receiver contexts are currently supported for export (see the rationale in pk11pub.h).

  One other change introduced here is that `PK11_HPKE_GetEncapPubKey` now works as expected on the receiver side.

  If the `wrapKey` argument is provided to the Export/Import functions, then the symmetric keys are wrapped with AES Key Wrap with Padding (SP800-38F, 6.3) prior to serialization.
  [8bcd12ab3b34]
* automation/abi-check/expected-report-libssl3.so.txt, gtests/ssl_gtest/libssl_internals.c, gtests/ssl_gtest/libssl_internals.h, gtests/ssl_gtest/ssl_extension_unittest.cc, gtests/ssl_gtest/tls_ech_unittest.cc, lib/ssl/ssl3con.c, lib/ssl/ssl3ext.c, lib/ssl/ssl3ext.h, lib/ssl/sslexp.h, lib/ssl/sslimpl.h, lib/ssl/sslsecur.c, lib/ssl/sslsock.c, lib/ssl/sslt.h, lib/ssl/tls13con.c, lib/ssl/tls13con.h, lib/ssl/tls13ech.c, lib/ssl/tls13ech.h, lib/ssl/tls13exthandle.c, lib/ssl/tls13exthandle.h, lib/ssl/tls13hashstate.c, lib/ssl/tls13hashstate.h:
  Bug 1681585 - Update ECH to Draft-09. r=mt

  This patch updates ECH implementation to draft-09. Changes of note are:
  - Acceptance signal derivation is now based on the handshake secret.
  - `config_id` hint changes from 32B to 8B, trial decryption added on the server.
  - Duplicate code in HRR cookie handling has been consolidated into `tls13_HandleHrrCookie`.
  - `ech_is_inner` extension is added, which causes a server to indicate ECH acceptance.
  - Per the above, support signaling ECH acceptance when acting as a backend server in split-mode (i.e. when there is no other local Encrypted Client Hello state).
  [ed07a2e2a124]

2021-01-24 Kevin Jacobs <kjacobs@mozilla.com>
* cmd/selfserv/selfserv.c:
  Bug 1681585 - Add ECH support to selfserv. r=mt

  Usage example:

      mkdir dbdir && cd dbdir
      certutil -N -d .
      certutil -S -s "CN=ech-public.com" -n ech-public.com -x -t "C,C,C" -m 1234 -d .
      certutil -S -s "CN=ech-private-backend.com" -n ech-private-backend.com -x -t "C,C,C" -m 2345 -d .
      ../dist/Debug/bin/selfserv -a ech-public.com -a ech-private-backend.com -n ech-public.com -n ech-private-backend.com -p 8443 -d dbdir/ -X publicname:ech-public.com

  (Copy echconfig from selfserv output and paste into the below command)

      ../dist/Debug/bin/tstclnt -D -p 8443 -v -A tests/ssl/sslreq.dat -h ech-private-backend.com -o -N <echconfig> -v

  [92dcda94c1d4]

Differential Revision: https://phabricator.services.mozilla.com/D102982 |
|
Kevin Jacobs | 9ff5a5feb0 |
Bug 1684061 - land NSS NSS_3_61_RTM UPGRADE_NSS_RELEASE, r=bbeurdouche
2021-01-22 Kevin Jacobs <kjacobs@mozilla.com>
* lib/nss/nss.h, lib/softoken/softkver.h, lib/util/nssutil.h:
  Set version numbers to 3.61 final
  [b09bdf93e079] [NSS_3_61_RTM] <NSS_3_61_BRANCH>

2021-01-19 Kevin Jacobs <kjacobs@mozilla.com>
* .hgtags:
  Added tag NSS_3_61_BETA1 for changeset 68ae9b456b1b
  [3c88f7111594]

Differential Revision: https://phabricator.services.mozilla.com/D102781 |
|
Kevin Jacobs | 7a93d152d6 |
Bug 1684061 - land NSS NSS_3_61_BETA1 UPGRADE_NSS_RELEASE, r=bbeurdouche
2021-01-13 Kevin Jacobs <kjacobs@mozilla.com>
* automation/taskcluster/graph/src/try_syntax.js:
  Bug 1686557 - Support aarch64-make target in nss-try. r=bbeurdouche
  [68ae9b456b1b] [NSS_3_61_BETA1]

Differential Revision: https://phabricator.services.mozilla.com/D102421 |
|
Kevin Jacobs | 4d02d441fc |
Bug 1684061 - land NSS a8de35c990e3 UPGRADE_NSS_RELEASE, r=bbeurdouche
2021-01-13 Kevin Jacobs <kjacobs@mozilla.com>
* gtests/softoken_gtest/manifest.mn:
  Bug 1684300 - Define USE_STATIC_LIBS=1 for softoken_gtest make builds. r=bbeurdouche
  [a8de35c990e3] [tip]
* gtests/softoken_gtest/manifest.mn, gtests/softoken_gtest/softoken_gtest.cc, gtests/softoken_gtest/softoken_gtest.gyp, lib/softoken/sftkdb.c, tests/gtests/gtests.sh:
  Bug 1684300 - Disable legacy storage when compiled with NSS_DISABLE_DBM. r=mt
  [d4991bb56852]

Differential Revision: https://phabricator.services.mozilla.com/D101703 |
|
Kevin Jacobs | 1eb47f6133 |
Bug 1684061 - land NSS 97ef009f7a78 UPGRADE_NSS_RELEASE, r=bbeurdouche
2020-12-11 Kevin Jacobs <kjacobs@mozilla.com>
* automation/abi-check/expected-report-libssl3.so.txt, automation/abi-check/previous-nss-release, lib/nss/nss.h, lib/softoken/softkver.h, lib/util/nssutil.h:
  Set version numbers to 3.61 Beta
  [f277d2674c80]
* gtests/<...>
  Bug 1677207 - Update Google Test to release-1.10.0 r=bbeurdouche

  ./gtests/google_test/update.sh release-1.10.0 && hg remove -A && hg add gtests/google_test/*
  [89141382df45]
* gtests/<...>
  Bug 1677207 - Replace references to TestCase, which is deprecated, with TestSuite r=bbeurdouche

  grep -rl --exclude-dir=google_test INSTANTIATE_TEST_CASE_P gtests | xargs sed -i '' s/INSTANTIATE_TEST_CASE_P/INSTANTIATE_TEST_SUITE_P/g
  grep -rl --exclude-dir=google_test SetUpTestCase gtests | xargs sed -i '' s/SetUpTestCase/SetUpTestSuite/g
  [e15b78be87fa]
* gtests/ssl_gtest/ssl_ciphersuite_unittest.cc, gtests/ssl_gtest/ssl_debug_env_unittest.cc, gtests/ssl_gtest/ssl_extension_unittest.cc, gtests/ssl_gtest/ssl_loopback_unittest.cc, gtests/ssl_gtest/ssl_renegotiation_unittest.cc, gtests/ssl_gtest/ssl_resumption_unittest.cc, gtests/ssl_gtest/ssl_version_unittest.cc, gtests/ssl_gtest/tls_ech_unittest.cc:
  Bug 1677207 - Use GTEST_SKIP in ssl_gtests. r=bbeurdouche
  [0772f1bf5fd6]

2020-12-17 Robert Relyea <rrelyea@redhat.com>
* gtests/common/testvectors/ike-aesxcbc-vectors.h, gtests/common/testvectors/ike-sha1-vectors.h, gtests/common/testvectors/ike-sha256-vectors.h, gtests/common/testvectors/ike-sha384-vectors.h, gtests/common/testvectors/ike-sha512-vectors.h, gtests/common/testvectors_base/test-structs.h, gtests/pk11_gtest/manifest.mn, gtests/pk11_gtest/pk11_gtest.gyp, gtests/pk11_gtest/pk11_ike_unittest.cc, lib/softoken/sftkike.c:
  Bug 1682071 IKE Quick mode IPSEC give you incorrect keys if you are asking for keys smaller than the hash size. IKE Appendix B fixes.

  This patch fixes 2 problems.

  If you run either ike v1 App B or quick mode asking for a key with length mod macsize = 0, you will generate an extra block that's not used and overwrites the end of the buffer.

  If you use quick mode, the function incorrectly subsets the existing key rather than generating a new key. This is correct behavior for Appendix B, where appendix B is trying to take a generated key and create a new longer key (with no diversification, just transform the key into something that's longer), so if you ask for a key less than or equal to, then you want to just subset the original key. In quick mode you are taking a base key and creating a set of new keys based on additional data, so you want to subset the generated data. This patch only subsets the original key if you aren't doing quickmode.

  Full test vectors have now been added for all ike modes in this patch as well (previously we depended on the FIPS CAVS tests to test ike, which covers basic IKEv1, IKEv1_psk, and IKEv2 but not IKEv1 App B and IKE v1 Quick mode).
  [f4995c9fa185]

2020-12-18 Robert Relyea <rrelyea@redhat.com>
* gtests/common/testvectors/rsa_pkcs1_2048_test-vectors.h, gtests/common/testvectors/rsa_pkcs1_3072_test-vectors.h, gtests/common/testvectors/rsa_pkcs1_4096_test-vectors.h, gtests/freebl_gtest/Makefile, gtests/freebl_gtest/manifest.mn, gtests/freebl_gtest/rsa_unittest.cc, gtests/manifest.mn, gtests/pk11_gtest/pk11_rsaencrypt_unittest.cc, gtests/pk11_gtest/pk11_rsaoaep_unittest.cc, lib/freebl/alghmac.c, lib/freebl/alghmac.h, lib/freebl/rsapkcs.c:
  Bug 1651411 New tlsfuzzer code can still detect timing issues in RSA operations.

  This patch defeats Bleichenbacher by not trying to hide the size of the decrypted text, but to hide if the text succeeded or failed. This is done by generating a fake returned text that's based on the key and the cipher text, so the fake data is always the same for the same key and cipher text. Both the length and the plain text are generated with a prf.

  Here's the proposed spec the patch codes to:

  1. Use SHA-256 to hash the private exponent encoded as a big-endian integer to a string the same length as the public modulus. Keep this value secret. (this is just an optimisation so that the implementation doesn't have to serialise the key over and over again)
  2. Check the length of input according to step one of https://tools.ietf.org/html/rfc8017#section-7.2.2
  3. When provided with a ciphertext, use SHA-256 HMAC(key=hash_from_step1, text=ciphertext) to generate the key derivation key
  4. Use SHA-256 HMAC with key derivation key as the key and a two-byte big-endian iterator concatenated with byte string "length" with the big-endian representation of 2048 (0x0800) as the bit length of the generated string.
     - Iterate this PRF 8 times to generate a 256 byte string
  5. initialise the length of synthetic message to 0
  6. split the PRF output into 2 byte strings, convert into big-endian integers, zero-out high-order bits so that they have the same bit length as the octet length of the maximum acceptable message size (k-11), select the last integer that is no larger than (k-11) or remain at 0 if no integer is smaller than (k-11); this selection needs to be performed using side-channel free operators
  7. Use SHA-256 HMAC with key derivation key as the key and a two-byte big-endian iterator concatenated with byte string "message" with the big-endian representation of k*8
     - use this PRF to generate k bytes of output (right-truncate last HMAC call if the number of generated bytes is not a multiple of SHA-256 output size)
  8. perform the RSA decryption as described in step 2 of section 7.2.2 of rfc8017
  9. Verify the EM message padding as described in step 3 of section 7.2.2 of rfc8017, but instead of outputting "decryption error", return the last l bytes of the "message" PRF, when l is the selected synthetic message length using the "length" PRF, make this decision and copy using side-channel free operation
  [fc05574c7399]

2020-12-22 Robert Relyea <rrelyea@redhat.com>
* gtests/freebl_gtest/rsa_unittest.cc, gtests/pk11_gtest/pk11_rsaoaep_unittest.cc, lib/freebl/alghmac.c, lib/freebl/rsapkcs.c:
  Restore lost portion of the bleichenbacher timing patch that addressed review comments.

  All the review comments pertained to actual code comments, so this patch only affects the comments.
  [fcebe146314e]

2020-12-22 Kevin Jacobs <kjacobs@mozilla.com>
* lib/dev/devslot.c:
  Bug 1682863 - Revert nssSlot_IsTokenPresent to 3.58 after ongoing Fx hangs with slow PKCS11 devices. r=bbeurdouche

  This patch reverts the `nssSlot_IsTokenPresent` changes made in bug 1663661 and bug 1679290, restoring the version used in NSS 3.58 and earlier. It's not an actual `hg backout` because the comment in lib/dev/devt.h is worth keeping.

  While removing the nested locking did resolve the hang for some (most?) third-party modules, problems remain with some slower tokens after an even further relaxation of the locking, which defeats the purpose of addressing the races in the first place. The crash addressed by these patches was caused by the Intermediate Preloading Healer in Firefox, which has been disabled. We clearly have insufficient test coverage for third-party modules, and now that osclientcerts is enabled in Fx Nightly, any problems caused by these and similar changes are unlikely to be reported until Fx Beta, well after NSS RTM. I think the best option at this point is to simply revert NSS.
  [97ef009f7a78] [tip]

Differential Revision: https://phabricator.services.mozilla.com/D100401 |
|
Kevin Jacobs | b98935cc63 |
Bug 1677548 - land NSS NSS_3_60_RTM UPGRADE_NSS_RELEASE, r=bbeurdouche
2020-12-11 Kevin Jacobs <kjacobs@mozilla.com> * lib/nss/nss.h, lib/softoken/softkver.h, lib/util/nssutil.h: Set version numbers to 3.60 final [2015cf6ca323] [NSS_3_60_RTM] <NSS_3_60_BRANCH> 2020-12-08 Kevin Jacobs <kjacobs@mozilla.com> * .hgtags: Added tag NSS_3_60_BETA1 for changeset f84fb229842a [1fe6cb3c3874] Differential Revision: https://phabricator.services.mozilla.com/D99488 |
|
Kevin Jacobs | f9f2383ae3 |
Bug 1677548 - land NSS NSS_3_60_BETA1 UPGRADE_NSS_RELEASE, r=keeler
Differential Revision: https://phabricator.services.mozilla.com/D99258 |
|
Kevin Jacobs | 254f0c7699 |
Bug 1677548 - land NSS f84fb229842a UPGRADE_NSS_RELEASE, r=bbeurdouche
2020-12-04 Kevin Jacobs <kjacobs@mozilla.com>
* gtests/pk11_gtest/pk11_aeskeywrappad_unittest.cc, lib/pk11wrap/pk11obj.c:
Bug 1680400 - Fix memory leak in PK11_UnwrapPrivKey. r=bbeurdouche
[f84fb229842a] [tip]
2020-12-03 yogesh <yoyogesh01@gmail.com>
* cmd/tstclnt/tstclnt.c:
Bug 1570539 - Removed -X alt-server-hello option from tstclnt r=kjacobs
[ef9198eb2895]
2020-12-03 J.C. Jones <jjones@mozilla.com>
* lib/util/pkcs11t.h:
Bug 1675523 - CKR_PUBLIC_KEY_INVALID has an incorrect value r=bbeurdouche
PKCS#11 v2.40: https://www.cryptsoft.com/pkcs11doc/STANDARD/include/v240/pkcs11t.h line 1150
jdk8u: https://hg.openjdk.java.net/jdk8u/jdk8u/jdk/file/eb7f437285a1/src/share/native/sun/security/pkcs11/wrapper/pkcs11t.h#l1155
[f9bcf45ca3bf]
Differential Revision: https://phabricator.services.mozilla.com/D98946 |
|
Kevin Jacobs | 5e63427a1b |
Bug 1677548 - land NSS f8c49b334e51 UPGRADE_NSS_RELEASE, r=bbeurdouche
2020-12-01 Kevin Jacobs <kjacobs@mozilla.com>
* lib/ckfw/builtins/nssckbi.h:
Bug 1678189 - December 2020 batch of root changes, NSS_BUILTINS_LIBRARY_VERSION 2.46. r=bbeurdouche
[f8c49b334e51] [tip]
* lib/ckfw/builtins/certdata.txt:
Bug 1678166 - Add NAVER Global Root Certification Authority root cert to NSS. r=bbeurdouche,KathleenWilson
[b9742b439a81]
2020-12-01 Benjamin Beurdouche <benjamin.beurdouche@inria.fr>
* lib/ckfw/builtins/certdata.txt:
Bug 1670769 - Remove 10 GeoTrust, thawte, and VeriSign root certs from NSS. r=kjacobs,KathleenWilson
[4c69d6d0cf21]
2020-12-01 Kevin Jacobs <kjacobs@mozilla.com>
* lib/ssl/ssl3exthandle.c:
Bug 1674819 - Fix undefined shift when fuzzing r=bbeurdouche
In fuzzer mode, session tickets are serialized without any encryption or integrity protection. This leads to a post-deserialize UBSAN error when shifting by a fuzzed (large) authType value. A real NSS server will not produce these values.
[a51fae403328]
2020-11-30 Benjamin Beurdouche <benjamin.beurdouche@inria.fr>
* build.sh, coreconf/config.gypi, lib/ckfw/builtins/testlib/builtins-testlib.gyp, lib/ckfw/builtins/testlib/nssckbi-testlib.def, nss.gyp:
Bug 1678384 - Add a build flag to allow building nssckbi-testlib in m-c r=kjacobs
[22bf7c680b60]
2020-12-01 Kevin Jacobs <kjacobs@mozilla.com>
* lib/dev/devslot.c:
Bug 1679290 - Don't hold slot lock when taking session lock r=bbeurdouche
[[ https://hg.mozilla.org/projects/nss/rev/0ed11a5835ac1556ff978362cd61069d48f4c5db | 0ed11a5835ac1556ff978362cd61069d48f4c5db ]] fixed a number of race conditions related to NSSSlot member accesses. Unfortunately the locking order that was imposed by that patch has been found to cause problems for at least one PKCS11 module, libnsspem. This patch drops nested locking in favor of unlocking/re-locking. While this isn't perfect, the original problem in bug 1663661 was that `slot->token` could become NULL, which we can easily check after reacquiring.
[19585ccc7a1f]
2020-11-25 Makoto Kato <m_kato@ga2.so-net.ne.jp>
* lib/freebl/blinit.c:
Bug 1678990 - Use __ARM_FEATURE_CRYPTO for feature detection. r=bbeurdouche
Actually, we have CPU feature detection for Linux and FreeBSD on aarch64 platform. But others don't. macOS doesn't have any CPU feature detection for ARM Crypto Extension, but toolchain default is turned on. So we should respect __ARM_FEATURE_CRYPTO.
[f1e48fbead3d]
2020-11-19 Lauri Kasanen <cand@gmx.com>
* lib/freebl/Makefile:
Bug 1642174 - Resolve sha512-p8.o: ABI version 2 is not compatible with ABI version 1 output. r=jcj
Don't try to build the SHA-2 accelerated asm on old-ABI ppc. Currently make only, I don't have enough gyp-fu to do that side. However, the reporters of 1642174 and 1635625 both used make, not gyp.
Signed-off-by: Lauri Kasanen <cand@gmx.com>
[d806f7992b10]
Differential Revision: https://phabricator.services.mozilla.com/D98509 |
|
Kevin Jacobs | 54a13dccf2 |
Bug 1677548 - land NSS 3eacb92e9adf UPGRADE_NSS_RELEASE, r=jcj
2020-11-18 Kevin Jacobs <kjacobs@mozilla.com>
* lib/ssl/ssl3con.c, lib/ssl/tls13con.c, lib/ssl/tls13ech.c:
Bug 1654332 - Fixup a10493dcfcc9: copy ECHConfig.config_id with socket r=jcj
A late review change for ECH was for the server to compute each ECHConfig `config_id` when set to the socket, rather than on each connection. This works, but now we also need to copy that config_id when copying a socket, else the server won't find a matching ECHConfig to use for decryption.
[3eacb92e9adf] [tip]
2020-11-17 Kevin Jacobs <kjacobs@mozilla.com>
* automation/abi-check/expected-report-libssl3.so.txt, cmd/tstclnt/tstclnt.c, cpputil/tls_parser.h, gtests/ssl_gtest/libssl_internals.c, gtests/ssl_gtest/libssl_internals.h, gtests/ssl_gtest/manifest.mn, gtests/ssl_gtest/ssl_auth_unittest.cc, gtests/ssl_gtest/ssl_custext_unittest.cc, gtests/ssl_gtest/ssl_extension_unittest.cc, gtests/ssl_gtest/ssl_gtest.gyp, gtests/ssl_gtest/ssl_tls13compat_unittest.cc, gtests/ssl_gtest/tls_agent.cc, gtests/ssl_gtest/tls_agent.h, gtests/ssl_gtest/tls_connect.cc, gtests/ssl_gtest/tls_connect.h, gtests/ssl_gtest/tls_ech_unittest.cc, gtests/ssl_gtest/tls_esni_unittest.cc, gtests/ssl_gtest/tls_filter.cc, gtests/ssl_gtest/tls_filter.h, lib/ssl/SSLerrs.h, lib/ssl/manifest.mn, lib/ssl/ssl.gyp, lib/ssl/ssl3con.c, lib/ssl/ssl3ext.c, lib/ssl/ssl3ext.h, lib/ssl/ssl3exthandle.c, lib/ssl/ssl3exthandle.h, lib/ssl/ssl3prot.h, lib/ssl/sslencode.c, lib/ssl/sslencode.h, lib/ssl/sslerr.h, lib/ssl/sslexp.h, lib/ssl/sslimpl.h, lib/ssl/sslinfo.c, lib/ssl/sslsecur.c, lib/ssl/sslsock.c, lib/ssl/sslt.h, lib/ssl/tls13con.c, lib/ssl/tls13con.h, lib/ssl/tls13ech.c, lib/ssl/tls13ech.h, lib/ssl/tls13esni.c, lib/ssl/tls13esni.h, lib/ssl/tls13exthandle.c, lib/ssl/tls13exthandle.h, lib/ssl/tls13hashstate.c, lib/ssl/tls13hashstate.h:
Bug 1654332 - Update ESNI to draft-08 (ECH). r=mt
This patch adds support for Encrypted Client Hello (draft-ietf-tls-esni-08), replacing the existing ESNI (draft -02) support.
There are five new experimental functions to enable this:
- SSL_EncodeEchConfig: Generates an encoded (not BASE64) ECHConfig given a set of parameters.
- SSL_SetClientEchConfigs: Configures the provided ECHConfig to the given socket. When configured, an ephemeral HPKE keypair will be generated for the CH encryption.
- SSL_SetServerEchConfigs: Configures the provided ECHConfig and keypair to the socket. The keypair specified will be used for HPKE operations in order to decrypt encrypted Client Hellos as they are received.
- SSL_GetEchRetryConfigs: If ECH is rejected by the server and compatible retry_configs are provided, this API allows the application to extract those retry_configs for use in a new connection.
- SSL_EnableTls13GreaseEch: When enabled, non-ECH Client Hellos will have a "GREASE ECH" (i.e. fake) extension appended. GREASE ECH is disabled by default, as there are known compatibility issues that will be addressed in a subsequent draft.
The following ESNI experimental functions are deprecated by this update:
- SSL_EncodeESNIKeys
- SSL_EnableESNI
- SSL_SetESNIKeyPair
In order to be used, NSS must be compiled with `NSS_ENABLE_DRAFT_HPKE` defined.
[a10493dcfcc9]
* lib/ssl/ssl3con.c, lib/ssl/sslencode.c, lib/ssl/sslencode.h, lib/ssl/tls13con.c, lib/ssl/tls13con.h:
Bug 1654332 - Buffered ClientHello construction. r=mt
This patch refactors construction of Client Hello messages. Instead of each component of the message being written separately into `ss->sec.ci.sendBuf`, we now construct the message in its own sslBuffer. Once complete, the entire message is added to the sendBuf via `ssl3_AppendHandshake`. `ssl3_SendServerHello` already uses this approach and it becomes necessary for ECH, where we use the constructed ClientHello to create an inner ClientHello.
[d40121ba59ba]
2020-11-13 J.C. Jones <jjones@mozilla.com>
* automation/abi-check/expected-report-libnss3.so.txt, automation/abi-check/expected-report-libnssutil3.so.txt, automation/abi-check/previous-nss-release, lib/nss/nss.h, lib/softoken/softkver.h, lib/util/nssutil.h:
Set version numbers to 3.60 Beta
[5e7b37609f22]
Differential Revision: https://phabricator.services.mozilla.com/D97492 |
|
J.C. Jones | b74458d647 |
Bug 1671713 - land NSS NSS_3_59_RTM UPGRADE_NSS_RELEASE, r=kjacobs DONTBUILD
2020-11-13 J.C. Jones <jjones@mozilla.com> * lib/nss/nss.h, lib/softoken/softkver.h, lib/util/nssutil.h: Set version numbers to 3.59 final [c5d760cbe8d0] [NSS_3_59_RTM] <NSS_3_59_BRANCH> 2020-11-10 J.C. Jones <jjones@mozilla.com> * .hgtags: Added tag NSS_3_59_BETA1 for changeset c3cb09a7d087 [06e965656f08] Differential Revision: https://phabricator.services.mozilla.com/D97041 |
|
J.C. Jones | 0644349b9b |
Bug 1671713 - land NSS NSS_3_59_BETA1 UPGRADE_NSS_RELEASE, r=kjacobs
2020-11-10 Kevin Jacobs <kjacobs@mozilla.com> * lib/certdb/certdb.c, lib/certdb/stanpcertdb.c, lib/pk11wrap/pk11cert.c, lib/pki/pki3hack.c: Bug 1607449 - Lock cert->nssCertificate to prevent data race. r=jcj,keeler [c3cb09a7d087] [NSS_3_59_BETA1] Differential Revision: https://phabricator.services.mozilla.com/D96652 |
|
Kevin Jacobs | 92af1fd6cc |
Bug 1671713 - land NSS 97751cd6d553 UPGRADE_NSS_RELEASE, r=jcj
2020-11-03 Kevin Jacobs <kjacobs@mozilla.com> * gtests/common/testvectors/hmac-sha256-vectors.h, gtests/common/testvectors/hmac-sha384-vectors.h, gtests/common/testvectors/hmac-sha512-vectors.h, gtests/common/testvectors_base/test-structs.h, gtests/pk11_gtest/manifest.mn, gtests/pk11_gtest/pk11_gtest.gyp, gtests/pk11_gtest/pk11_hmac_unittest.cc: Bug |
|
Kevin Jacobs | b838f38de2 |
Bug 1671713 - land NSS 035110dfa0b9 UPGRADE_NSS_RELEASE, r=bbeurdouche
2020-10-26 Robert Relyea <rrelyea@redhat.com>
* lib/libpkix/pkix_pl_nss/pki/pkix_pl_ocspresponse.c, tests/ssl/ssl.sh:
Bug 1672291 libpkix OCSP failures on SHA1 self-signed root certs when SHA1 signatures are disabled. r=mt
When libpkix is checking an OCSP cert, it can't use the passed in set of trust anchors as a base because only the single root that signed the leaf can sign the OCSP request. As a result it actually checks the signature of the self-signed root when processing an OCSP request. This fails if the root cert signature is invalid for any reason (including it's a sha1 self-signed root cert and we've disabled sha1 signatures (say, by policy)). Further investigation indicates the difference between our classic code and the current code is the classic code only checks OCSP responses on leaf certs. In the real world, those responses are signed by intermediate certificates (who won't have sha1 signed certificates anymore), so our signature processing works just fine. pkix checks OCSP on the intermediate certificates as well, which are signed by the root cert. In this case the root cert is a chain of 1, and is effectively a leaf. This patch updates the OCSP response code to not check the signatures on the single cert if that cert is a selfsigned root cert. This requires bug 391476 so we still do the other validation checking on the certs (making sure it's trusted as a CA).
[035110dfa0b9] [tip]
2020-10-23 Robert Relyea <rrelyea@redhat.com>
* lib/certhigh/certvfypkix.c, lib/libpkix/pkix_pl_nss/module/pkix_pl_nsscontext.c, lib/libpkix/pkix_pl_nss/module/pkix_pl_nsscontext.h, lib/libpkix/pkix_pl_nss/pki/pkix_pl_cert.c, lib/libpkix/pkix_pl_nss/pki/pkix_pl_ocspresponse.c, tests/ssl/ssl.sh:
Bug 1672291 libpkix OCSP failures on SHA1 self-signed root certs when SHA1 signatures are disabled.
When libpkix is checking an OCSP cert, it can't use the passed in set of trust anchors as a base because only the single root that signed the leaf can sign the OCSP request. As a result it actually checks the signature of the self-signed root when processing an OCSP request. This fails if the root cert signature is invalid for any reason (including it's a sha1 self-signed root cert and we've disabled sha1 signatures (say, by policy)). Further investigation indicates the difference between our classic code and the current code is the classic code only checks OCSP responses on leaf certs. In the real world, those responses are signed by intermediate certificates (who won't have sha1 signed certificates anymore), so our signature processing works just fine. pkix checks OCSP on the intermediate certificates as well, which are signed by the root cert. In this case the root cert is a chain of 1, and is effectively a leaf. This patch updates the OCSP response code to not check the signatures on the single cert if that cert is a selfsigned root cert. This requires bug 391476 so we still do the other validation checking on the certs (making sure it's trusted as a CA).
[97f69f7a89a1]
2020-10-26 Kevin Jacobs <kjacobs@mozilla.com>
* gtests/ssl_gtest/tls_filter.cc:
Bug 1644209 - Fix broken SelectedCipherSuiteReplacer filter. r=mt
This patch corrects the `SelectedCipherSuiteReplacer` filter to always parse the `session_id` variable (`legacy_session_id` for TLS 1.3+). The previous code attempted to skip it in 1.3+ but did not account for DTLS wire versions, resulting in intermittent failures.
[a79d14b06b4a]
2020-10-26 Daiki Ueno <dueno@redhat.com>
* gtests/ssl_gtest/ssl_tls13compat_unittest.cc, lib/ssl/ssl3con.c, lib/ssl/sslimpl.h:
Bug |
|
J.C. Jones | f3f86339c2 |
Bug 1671713 - land NSS 58dc3216d518 UPGRADE_NSS_RELEASE, r=kjacobs
2020-10-13 Mike Hommey <mh@glandium.org> * lib/freebl/freebl.gyp: Bug 1670839 - Use ARM crypto extension for AES, SHA1 and SHA2 on mac. r=kjacobs AFAICT, the Makefile equivalent already does. [58dc3216d518] [tip] * lib/freebl/sha1-armv8.c: Bug 1670839 - Only build sha1-armv8.c code when USE_HW_SHA1 is defined. r=kjacobs This matches what is done in sha256-armv8.c, and avoids inconsistency with sha1-fast.c, which will define the same functions in the case USE_HW_SHA1 is not defined. [54be084e3ba8] 2020-10-16 J.C. Jones <jjones@mozilla.com> * automation/abi-check/expected-report-libnss3.so.txt, automation/abi- check/previous-nss-release, lib/nss/nss.h, lib/softoken/softkver.h, lib/util/nssutil.h: Set version numbers to 3.59 Beta [d4b21706e432] Differential Revision: https://phabricator.services.mozilla.com/D94070 |
|
J.C. Jones | cc8fbdccf6 |
Bug 1666567 - land NSS NSS_3_58_RTM UPGRADE_NSS_RELEASE, r=kjacobs
2020-10-16 J.C. Jones <jjones@mozilla.com> * lib/nss/nss.h, lib/softoken/softkver.h, lib/util/nssutil.h: Set version numbers to 3.58 final [1f3db03bba02] [NSS_3_58_RTM] <NSS_3_58_BRANCH> 2020-10-12 J.C. Jones <jjones@mozilla.com> * .hgtags: Added tag NSS_3_58_BETA1 for changeset 57bbefa79323 [a8deadf7adbe] Differential Revision: https://phabricator.services.mozilla.com/D93813 |
|
J.C. Jones | 8e222a79cb |
Bug 1666567 - land NSS NSS_3_58_BETA1 UPGRADE_NSS_RELEASE, r=kjacobs
2020-10-12 Daiki Ueno <dueno@redhat.com>
* gtests/ssl_gtest/ssl_tls13compat_unittest.cc, lib/ssl/ssl3con.c, lib/ssl/sslimpl.h:
Bug 1641480, TLS 1.3: tighten CCS handling in compatibility mode, r=mt
This makes the server reject CCS when the client doesn't indicate the use of the middlebox compatibility mode with a non-empty ClientHello.legacy_session_id, or it sends multiple CCS in a row.
[57bbefa79323] [NSS_3_58_BETA1]
2020-10-12 Kevin Jacobs <kjacobs@mozilla.com>
* automation/abi-check/expected-report-libnss3.so.txt, automation/taskcluster/scripts/build_gyp.sh, automation/taskcluster/windows/build_gyp.sh, coreconf/config.gypi, coreconf/config.mk, cpputil/nss_scoped_ptrs.h, gtests/common/testvectors/hpke-vectors.h, gtests/pk11_gtest/manifest.mn, gtests/pk11_gtest/pk11_gtest.gyp, gtests/pk11_gtest/pk11_hpke_unittest.cc, lib/nss/nss.def, lib/pk11wrap/exports.gyp, lib/pk11wrap/manifest.mn, lib/pk11wrap/pk11hpke.c, lib/pk11wrap/pk11hpke.h, lib/pk11wrap/pk11pub.h, lib/pk11wrap/pk11wrap.gyp, lib/util/SECerrs.h, lib/util/secerr.h:
Bug 1631890 - Add support for Hybrid Public Key Encryption (draft-irtf-cfrg-hpke-05). r=mt
This patch adds support for Hybrid Public Key Encryption (draft-irtf-cfrg-hpke-05). Because the draft number (and the eventual RFC number) is an input to the key schedule, future updates will *not* be backwards compatible in terms of key material or encryption/decryption. For this reason, a default compilation will produce stubs that simply return an "Invalid Algorithm" error. To opt into using the HPKE functionality, compile with `NSS_ENABLE_DRAFT_HPKE` defined. Once finalized, this flag will not be required to access the functions. Lastly, the `DeriveKeyPair` API is not implemented as it adds complexity around PKCS #11 and is unnecessary for ECH.
[6e3bc17f0508]
2020-10-12 Makoto Kato <m_kato@ga2.so-net.ne.jp>
* automation/taskcluster/graph/src/extend.js, tests/common/cleanup.sh:
Bug 1657255 - Update CI for aarch64. r=kjacobs
Actually, we have the implementation of ARM Crypto extension, so CI is always run with this extension. It means that we don't run CI without ARM Crypto extension. So I would like to add NoAES and NoSHA for aarch64 CI. Also, we still run NoSSE4_1 on aarch64 CI, so we shouldn't run this on aarch64 hardware.
[e8c370a8db13]
Differential Revision: https://phabricator.services.mozilla.com/D93268 |
|
J.C. Jones | 0a5ff268ea |
Bug 1666567 - land NSS c7d3b214dd41 UPGRADE_NSS_RELEASE, r=kjacobs
2020-10-05 Ricky Stewart <rstewart@mozilla.com> * coreconf/config.gypi: Bug 1668328 - Enclose Python paths in `coreconf/config.gypi` in quotes r=kjacobs,mt This fixes a breakage if the Python path happens to have a space in it. [c7d3b214dd41] [tip] Differential Revision: https://phabricator.services.mozilla.com/D92516 |
|
J.C. Jones | 3ad29aac6b |
Bug 1666567 - land NSS 8fdbec414ce2 UPGRADE_NSS_RELEASE, r=kjacobs
2020-09-24 Kevin Jacobs <kjacobs@mozilla.com> * automation/abi-check/expected-report-libnss3.so.txt, gtests/pk11_gtest/pk11_hkdf_unittest.cc, lib/nss/nss.def, lib/pk11wrap/pk11pub.h, lib/pk11wrap/pk11skey.c, lib/ssl/tls13hkdf.c: Bug 1667153 - Add PK11_ImportDataKey API. r=rrelyea This patch adds and exports `PK11_ImportDataKey`, and refactors the null PSK TLS 1.3 code to use it. [8fdbec414ce2] [tip] Differential Revision: https://phabricator.services.mozilla.com/D91627 |
|
J.C. Jones | 55cfe61a1d |
Bug 1666567 - land NSS 8ebee3cec9cf UPGRADE_NSS_RELEASE, r=kjacobs
2020-09-23 Dana Keeler <dkeeler@mozilla.com> * gtests/mozpkix_gtest/pkixbuild_tests.cpp, gtests/mozpkix_gtest/pkixcert_extension_tests.cpp, gtests/mozpkix_gtest/pkixcert_signature_algorithm_tests.cpp, gtests/mozpkix_gtest/pkixcheck_CheckExtendedKeyUsage_tests.cpp, gtests/mozpkix_gtest/pkixcheck_CheckSignatureAlgorithm_tests.cpp, gtests/mozpkix_gtest/pkixgtest.h, lib/mozpkix/include/pkix/pkixtypes.h, lib/mozpkix/lib/pkixbuild.cpp: Bug 1665715 - (2/2) pass encoded signed certificate timestamp extension (if present) in CheckRevocation r=jcj This will allow Firefox to make decisions based on the earliest known time that a certificate exists (with respect to certificate transparency) that a CA is unlikely to back-date. In particular, this is essential for CRLite. Note that if the SCT signature isn't validated, a CA could still make a certificate appear to have existed for longer than it really has. However, this change is not an attempt to catch malicious CAs. The aim is to avoid false positives in CRLite resulting from CAs backdating the notBefore field on certificates they issue. Depends on D90595 [8ebee3cec9cf] [tip] 2020-09-18 Dana Keeler <dkeeler@mozilla.com> * gtests/mozpkix_gtest/pkixbuild_tests.cpp, gtests/mozpkix_gtest/pkixcert_extension_tests.cpp, gtests/mozpkix_gtest/pkixcert_signature_algorithm_tests.cpp, gtests/mozpkix_gtest/pkixcheck_CheckExtendedKeyUsage_tests.cpp, gtests/mozpkix_gtest/pkixcheck_CheckSignatureAlgorithm_tests.cpp, gtests/mozpkix_gtest/pkixgtest.h, lib/mozpkix/include/pkix/pkixtypes.h, lib/mozpkix/lib/pkixbuild.cpp: Bug 1665715 - (1/2) revert e8f2720c8254 (bug 1593141) because it's no longer necessary r=jcj Bug 1593141 added the certificate's notBefore field as an argument to TrustDomain::CheckRevocation so that Firefox could use it with CRLite. However, since CAs can backdate that field, we need to use the earliest embedded SCT timestamp instead. [c1f4d565ceda] Differential Revision: https://phabricator.services.mozilla.com/D91211 |
|
Bogdan Tara | db9c89dbca |
Backed out 2 changesets (bug 1666567, bug 1605273) for test_crlite_filters.js failures CLOSED TREE
UPGRADE_NSS_RELEASE Backed out changeset 9bc4c7e79cd6 (bug 1666567) Backed out changeset 22753d184de6 (bug 1605273) |
|
J.C. Jones | e8346094ad |
Bug 1666567 - land NSS 8ebee3cec9cf UPGRADE_NSS_RELEASE, r=kjacobs
CLOSED TREE 2020-09-23 Dana Keeler <dkeeler@mozilla.com> * gtests/mozpkix_gtest/pkixbuild_tests.cpp, gtests/mozpkix_gtest/pkixcert_extension_tests.cpp, gtests/mozpkix_gtest/pkixcert_signature_algorithm_tests.cpp, gtests/mozpkix_gtest/pkixcheck_CheckExtendedKeyUsage_tests.cpp, gtests/mozpkix_gtest/pkixcheck_CheckSignatureAlgorithm_tests.cpp, gtests/mozpkix_gtest/pkixgtest.h, lib/mozpkix/include/pkix/pkixtypes.h, lib/mozpkix/lib/pkixbuild.cpp: Bug 1665715 - (2/2) pass encoded signed certificate timestamp extension (if present) in CheckRevocation r=jcj This will allow Firefox to make decisions based on the earliest known time that a certificate exists (with respect to certificate transparency) that a CA is unlikely to back-date. In particular, this is essential for CRLite. Note that if the SCT signature isn't validated, a CA could still make a certificate appear to have existed for longer than it really has. However, this change is not an attempt to catch malicious CAs. The aim is to avoid false positives in CRLite resulting from CAs backdating the notBefore field on certificates they issue. Depends on D90595 [8ebee3cec9cf] [tip] 2020-09-18 Dana Keeler <dkeeler@mozilla.com> * gtests/mozpkix_gtest/pkixbuild_tests.cpp, gtests/mozpkix_gtest/pkixcert_extension_tests.cpp, gtests/mozpkix_gtest/pkixcert_signature_algorithm_tests.cpp, gtests/mozpkix_gtest/pkixcheck_CheckExtendedKeyUsage_tests.cpp, gtests/mozpkix_gtest/pkixcheck_CheckSignatureAlgorithm_tests.cpp, gtests/mozpkix_gtest/pkixgtest.h, lib/mozpkix/include/pkix/pkixtypes.h, lib/mozpkix/lib/pkixbuild.cpp: Bug 1665715 - (1/2) revert e8f2720c8254 (bug 1593141) because it's no longer necessary r=jcj Bug 1593141 added the certificate's notBefore field as an argument to TrustDomain::CheckRevocation so that Firefox could use it with CRLite. However, since CAs can backdate that field, we need to use the earliest embedded SCT timestamp instead. 
[c1f4d565ceda] Differential Revision: https://phabricator.services.mozilla.com/D91211 |
|
Bogdan Tara | 24d9b1dbae |
Backed out changeset 7e50f86ea20b (bug 1666567) for security related bustage CLOSED TREE
UPGRADE_NSS_RELEASE |
|
J.C. Jones | 413b79889f |
Bug 1666567 - land NSS 8ebee3cec9cf UPGRADE_NSS_RELEASE, r=kjacobs
2020-09-23 Dana Keeler <dkeeler@mozilla.com> * gtests/mozpkix_gtest/pkixbuild_tests.cpp, gtests/mozpkix_gtest/pkixcert_extension_tests.cpp, gtests/mozpkix_gtest/pkixcert_signature_algorithm_tests.cpp, gtests/mozpkix_gtest/pkixcheck_CheckExtendedKeyUsage_tests.cpp, gtests/mozpkix_gtest/pkixcheck_CheckSignatureAlgorithm_tests.cpp, gtests/mozpkix_gtest/pkixgtest.h, lib/mozpkix/include/pkix/pkixtypes.h, lib/mozpkix/lib/pkixbuild.cpp: Bug 1665715 - (2/2) pass encoded signed certificate timestamp extension (if present) in CheckRevocation r=jcj This will allow Firefox to make decisions based on the earliest known time that a certificate exists (with respect to certificate transparency) that a CA is unlikely to back-date. In particular, this is essential for CRLite. Note that if the SCT signature isn't validated, a CA could still make a certificate appear to have existed for longer than it really has. However, this change is not an attempt to catch malicious CAs. The aim is to avoid false positives in CRLite resulting from CAs backdating the notBefore field on certificates they issue. Depends on D90595 [8ebee3cec9cf] [tip] 2020-09-18 Dana Keeler <dkeeler@mozilla.com> * gtests/mozpkix_gtest/pkixbuild_tests.cpp, gtests/mozpkix_gtest/pkixcert_extension_tests.cpp, gtests/mozpkix_gtest/pkixcert_signature_algorithm_tests.cpp, gtests/mozpkix_gtest/pkixcheck_CheckExtendedKeyUsage_tests.cpp, gtests/mozpkix_gtest/pkixcheck_CheckSignatureAlgorithm_tests.cpp, gtests/mozpkix_gtest/pkixgtest.h, lib/mozpkix/include/pkix/pkixtypes.h, lib/mozpkix/lib/pkixbuild.cpp: Bug 1665715 - (1/2) revert e8f2720c8254 (bug 1593141) because it's no longer necessary r=jcj Bug 1593141 added the certificate's notBefore field as an argument to TrustDomain::CheckRevocation so that Firefox could use it with CRLite. However, since CAs can backdate that field, we need to use the earliest embedded SCT timestamp instead. [c1f4d565ceda] Differential Revision: https://phabricator.services.mozilla.com/D91211 |
|
J.C. Jones | f2b2199636 |
Bug 1666567 - land NSS c28e20f61e5d UPGRADE_NSS_RELEASE, r=kjacobs
2020-09-18 Kevin Jacobs <kjacobs@mozilla.com> * automation/abi-check/previous-nss-release, lib/nss/nss.h, lib/softoken/softkver.h, lib/util/nssutil.h: Set version numbers to 3.58 Beta [c28e20f61e5d] [tip] * .hgtags: Added tag NSS_3_57_RTM for changeset cf7e3e8abd77 [a963849538ca] <NSS_3_57_BRANCH> * lib/nss/nss.h, lib/softoken/softkver.h, lib/util/nssutil.h: Set version numbers to 3.57 final [cf7e3e8abd77] [NSS_3_57_RTM] <NSS_3_57_BRANCH> Differential Revision: https://phabricator.services.mozilla.com/D91070 |
|
Kevin Jacobs | 14f9e3ce78 |
Bug 1660509 - land NSS NSS_3_57_RTM UPGRADE_NSS_RELEASE, r=jcj
2020-09-18 Kevin Jacobs <kjacobs@mozilla.com> * lib/nss/nss.h, lib/softoken/softkver.h, lib/util/nssutil.h: Set version numbers to 3.57 final [cf7e3e8abd77] [NSS_3_57_RTM] <NSS_3_57_BRANCH> 2020-09-15 Kevin Jacobs <kjacobs@mozilla.com> * .hgtags: Added tag NSS_3_57_BETA1 for changeset 56224882ccc3 [f46f20c58c4f] Differential Revision: https://phabricator.services.mozilla.com/D90726 |
|
Kevin Jacobs | ed0deeb271 |
Bug 1660509 - land NSS NSS_3_57_BETA1 UPGRADE_NSS_RELEASE, r=jcj
2020-09-15 Kevin Jacobs <kjacobs@mozilla.com> * automation/release/nspr-version.txt: Bug 1660372 - NSS 3.57 should depend on NSPR 4.29. r=kaie [56224882ccc3] [NSS_3_57_BETA1] Differential Revision: https://phabricator.services.mozilla.com/D90324 |
|
Kevin Jacobs | 25560bb43a |
Bug 1660509 - land NSS 2a17c8655a74 UPGRADE_NSS_RELEASE, r=jcj
2020-09-14 Benjamin Beurdouche <bbeurdouche@mozilla.com>
* coreconf/arch.mk:
Bug 1660735 - Fix typo in coreconfig/arch.mk. r=kjacobs
[2a17c8655a74] [tip]
* coreconf/config.mk:
Bug 1660734 - Fix typo in coreconf/config.mk. r=kjacobs
[4ae56ec2411b]
2020-09-11 Kevin Jacobs <kjacobs@mozilla.com>
* lib/ckfw/builtins/nssckbi.h:
Bug 1663049 - September 2020 batch of root changes,
NSS_BUILTINS_LIBRARY_VERSION 2.44. r=jcj
[141ef83ac10b]
* lib/ckfw/builtins/certdata.txt:
Bug 1663049 - Add SecureTrust's Trustwave Global root certificates
to NSS. r=KathleenWilson,jcj
[7dfc054a983e]
* lib/ckfw/builtins/certdata.txt:
Bug 1656077 - Remove Taiwan Government Root Certification Authority
root cert. r=KathleenWilson,jcj
Depends on D89841
[32a0d8f751ef]
* lib/ckfw/builtins/certdata.txt:
Bug 1653092 - Disable server trust bit for OISTE WISeKey Global Root
GA CA root cert. r=KathleenWilson,jcj
Depends on D89840
[1cdfb26b3220]
* lib/ckfw/builtins/certdata.txt:
Bug 1651211 - Remove EE Certification Centre Root CA root cert.
r=KathleenWilson,jcj
[089aeca370df]
2020-09-11 Danh <congdanhqx@gmail.com>
* coreconf/arch.mk, coreconf/config.mk, lib/freebl/Makefile:
Bug 1659727 - Move makefile avx2 detection to config.mk. r=kjacobs
Summary: Current code base uses CPU_ARCH to detect if avx2 is
supported in arch.mk. However, when arch.mk is included, CPU_ARCH
hasn't been initialised; CPU_ARCH will be initialised by the OS
specific code later on.
Move the AVX2 detection to config.mk, after all other initialisation
is done.
Reviewers: kjacobs
Reviewed By: kjacobs
Subscribers: kjacobs
Bug #: 1659727
[c6dcb99e6121]
2020-09-08 Kevin Jacobs <kjacobs@mozilla.com>
* gtests/freebl_gtest/mpi_unittest.cc, lib/freebl/mpi/mpi.c:
Bug 1605922 - Account for negative sign in mp_radix_size
r=bbeurdouche
[b64436ecbd79]
2020-09-09 Daiki Ueno <dueno@redhat.com>
* lib/freebl/Makefile:
Bug 1659256, add gcc version check on AArch64 optimization,
r=rrelyea
Summary: As described in https://access.redhat.com/solutions/19458,
gcc version in RHEL-7 is still 4.8.x and cannot compile the newly
added aes-armv8.c. There is a version check already for 32-bit arm,
but not for AArch64. This also removes NS_USE_GCC check added in bug
|
|
Kevin Jacobs | ddc8978d1f |
Bug 1660509 - land NSS c100e11991f6 UPGRADE_NSS_RELEASE, r=jcj
2020-08-21 Kevin Jacobs <kjacobs@mozilla.com>
* automation/abi-check/previous-nss-release, lib/nss/nss.h, lib/softoken/softkver.h, lib/util/nssutil.h:
Set version numbers to 3.57 Beta
[783f49ae6126]
2020-08-24 Kevin Jacobs <kjacobs@mozilla.com>
* gtests/ssl_gtest/ssl_auth_unittest.cc, lib/ssl/dtls13con.c, lib/ssl/dtlscon.c, lib/ssl/ssl3con.c, lib/ssl/sslimpl.h, lib/ssl/sslnonce.c:
Bug 1653641 - Cleanup inaccurate DTLS comments, code review fixes. r=mt
[0e1b5c711cb9]
2020-08-24 Robert Relyea <rrelyea@redhat.com>
* lib/freebl/fipsfreebl.c, lib/softoken/fipstest.c, lib/softoken/kbkdf.c, lib/softoken/lowpbe.c, lib/softoken/lowpbe.h, lib/softoken/pkcs11c.c, lib/softoken/pkcs11i.h, lib/softoken/sftkhmac.c, lib/softoken/sftkike.c:
Bug 1660304 New FIPS IG requires self-tests for approved kdfs. r=ueno comments=kjacobs
FIPS guidance now requires self-tests for our kdfs. It also requires self-tests for cmac which we didn't have in the cmac patch. Currently only one test per kdf is necessary. Specifically for SP-800-108, only one of the three flavors is needed (counter, feedback, or pipeline). This patch includes more complete testing but has turned off the currently extraneous tests under the assumption that NIST guidance may require them in the future. HKDF is currently not included in FIPS, but is on track to be included, so HKDF has been included in this patch.
Because the test vectors are const strings, the patch pushes some const definitions that were missing in existing private interfaces.
There are three flavors of self-tests:
Functions implemented in freebl are added to freebl/fipsfreebl.c
Functions implemented in pkcs11c.c have selftests completely implemented in softoken/fipstest.c
Functions implemented in their own .c file have their selftest function implemented in that .c file and called by fipstests.c
These are consistent with the previous choices for selftests.
Some private interfaces that took in keys from pkcs #11 structures or outputted keys to pkcs #11 structures were modified to optionally take keys in by bytes and output keys as bytes so the self-tests can work in just bytes.
[5dca54fe61c2]
2020-08-25 Daiki Ueno <dueno@redhat.com>
* lib/softoken/manifest.mn:
Bug 1659252, disable building libnssdbm3.so if NSS_DISABLE_DBM=1, r=rrelyea
Reviewers: rrelyea
Reviewed By: rrelyea
Bug #: 1659252
[4d55d36ca6ef]
2020-08-24 Kevin Jacobs <kjacobs@mozilla.com>
* lib/pk11wrap/pk11cxt.c, lib/softoken/pkcs11c.c, lib/softoken/sdb.c, lib/softoken/sftkpwd.c:
Bug 1651834 - Fix various static analyzer warnings. r=rrelyea
[ab04fd73fd6d]
2020-08-28 Mike Hommey <mh@glandium.org>
* lib/freebl/blapii.h:
Bug 1661810 - Define pre_align/post_align based on the compiler. r=jcj
Things worked fine before we upgraded to clang 11 presumably because the stack was always 16-bytes aligned in the first place, or something akin to that, and the lack of pre_align/post_align doing anything didn't matter. The runtime misalignment of the stack may well be a clang > 9 bug, but keeping pre_align/post_align tied to the x86/x64 is a footgun anyways.
[c100e11991f6] [tip]
Differential Revision: https://phabricator.services.mozilla.com/D88876 |
|
Kevin Jacobs | d1d6b661e3 |
Bug 1655105 - land NSS NSS_3_56_RTM UPGRADE_NSS_RELEASE, r=jcj
2020-08-21 Kevin Jacobs <kjacobs@mozilla.com>
* lib/nss/nss.h, lib/softoken/softkver.h, lib/util/nssutil.h:
Set version numbers to 3.56 final
[809ff9ff0140] [NSS_3_56_RTM] <NSS_3_56_BRANCH>
2020-08-19 Kevin Jacobs <kjacobs@mozilla.com>
* .hgtags:
Added tag NSS_3_56_BETA1 for changeset 52c965eaffa1
[0d8ff40479d5]
Differential Revision: https://phabricator.services.mozilla.com/D87882 |
|
Kevin Jacobs | d343e2c8e6 |
Bug 1655105 - land NSS NSS_3_56_BETA1 UPGRADE_NSS_RELEASE, r=jcj
2020-08-19 Kevin Jacobs <kjacobs@mozilla.com>
* tests/libpkix/certs/PayPalEE.cert:
Bug 1659792 - Update libpkix tests with unexpired PayPal cert. r=jcj
The in-tree `PayPalEE.cert` expired today. This patch replaces it with a current copy that expires on 12 Jan 2022.
CI breakage before patch: https://treeherder.mozilla.org/#/jobs?repo=nss&revision=2890f342de631bf6774ac747515a8b5736e20d3f
CI with the fix applied: https://treeherder.mozilla.org/#/jobs?repo=nss-try&revision=bd28f21d8acbcb15502bd4fc606fc9c0ed09c810
[52c965eaffa1] [NSS_3_56_BETA1]
2020-08-18 Kevin Jacobs <kjacobs@mozilla.com>
* tests/interop/interop.sh:
Bug 1659814 - Pull updated tls-interop for dependency fix. r=jcj
[70376af425ae]
* automation/release/nspr-version.txt:
Bug 1656519 - NSS 3.56 should depend on NSPR 4.28. r=kaie
[2890f342de63]
Differential Revision: https://phabricator.services.mozilla.com/D87648 |
|
Kevin Jacobs | 5637d1775c |
Bug 1655105 - land NSS c06f22733446 UPGRADE_NSS_RELEASE, r=jcj
2020-08-07 Kevin Jacobs <kjacobs@mozilla.com>
* lib/pki/tdcache.c:
Bug 1625791 - Call STAN_GetCERTCertificate to load CERTCertificate trust before caching. r=jcj,keeler
When caching certificates, `td->cache->lock` must not be held when taking `slot->isPresentLock`. `add_cert_to_cache` holds the former when calling the sort function in `add_subject_entry`, which will [[ https://searchfox.org/mozilla-central/rev/a3b25e347e2c22207c4b369b99246e4aebf861a7/security/nss/lib/pki/certificate.c#266 | call ]] `STAN_GetCERTCertificate` -> `fill_CERTCertificateFields` when `cc->nssCertificate` [[ https://searchfox.org/mozilla-central/rev/a3b25e347e2c22207c4b369b99246e4aebf861a7/security/nss/lib/pki/pki3hack.c#923 | is NULL ]]. There are two problems with this:
# `fill_CERTCertificateFields` may end up locking `slot->isPresentLock` (bad ordering, bug 1651564)
# The above may happen followed by another attempt to lock `td->cache->lock` (deadlock, this bug).
By calling `STAN_GetCERTCertificate` prior to the first lock of `td->cache->lock`, we can prevent the problematic call to `fill_CERTCertificateFields` later on, because `cc->nssCertificate` will already be filled.
[c06f22733446] [tip]
* gtests/ssl_gtest/ssl_auth_unittest.cc, lib/ssl/ssl3con.c:
Bug 1588941 - Send empty client cert msg when signature scheme selection fails. r=mt
`ssl3_CompleteHandleCertificateRequest` does essentially two things: 1) Calls the `getClientAuthData` hook for certificate selection, and 2) calls `ssl_PickClientSignatureScheme` to select an appropriate signature scheme when a cert is selected. If the first function returns SECFailure, we default to sending an empty certificate message. If the latter fails, however, this bubbles up as a [[ https://searchfox.org/mozilla-central/rev/56bb74ea8e04bdac57c33cbe9b54d889b9262ade/security/nss/lib/ssl/tls13con.c#2670 | fatal error ]] (and an assertion failure) on the connection.
Importantly, the signature scheme selection can fail for reasons that should not be considered fatal - notably when an RSA-PSS cert is selected, but the token on which the key resides does not actually support PSS. This patch treats the failure to find a usable signature scheme as a "no certificate" response, rather than killing the connection entirely.
[41ecb7fe5546]
* lib/freebl/Makefile, lib/freebl/freebl_base.gypi, lib/freebl/mpi/mpi_amd64_common.S, lib/freebl/mpi/mpi_amd64_gas.s:
Bug 1656981 - Use 64x64->128 multiply and MP_COMBA on x86_64 Mac. r=mt
This patch makes two MPI changes for MacOS:
1. Rename `mpi_amd64_gas.s` to `mpi_amd64_common.S` and add defines for macho64, allowing Intel Macs to take advantage of the 64x64->128 multiply code.
2. Define and use `NSS_USE_COMBA` on Intel Macs.
Performance results with `rsaperf -n none -p 10 -e -x 65537` (default 2048-bit key):
Before: `12629.12 operations/s. one operation every 79 microseconds`
With 64x64->128 assembly: `29431.65 operations/s. one operation every 33 microseconds`
With MP_COMBA and 64x64->128 assembly: `30332.99 operations/s. one operation every 32 microseconds`
[330bdab498a3]
* lib/ssl/sslimpl.h:
Bug 1656429 - Clang-format fixup, r=bustage
[07083076fc92]
2020-08-05 Martin Thomson <mt@lowentropy.net>
* gtests/ssl_gtest/ssl_0rtt_unittest.cc, gtests/ssl_gtest/tls_connect.cc, lib/ssl/ssl3exthandle.c, lib/ssl/sslimpl.h, lib/ssl/tls13con.c, lib/ssl/tls13replay.c:
Bug 1656429 - Correct RTT estimate used in anti-replay, r=kjacobs
This was never a security problem, but the more time that passes between the handshake and sending a ticket, the more likely we are to reject 0-RTT. Eventually, 0-RTT only works if it is delayed in the network by a surprising amount.
[b4a1c57eb569]
Differential Revision: https://phabricator.services.mozilla.com/D86454 |
|
Kevin Jacobs | cb86341c99 |
Bug 1655105 - land NSS afa38fb2f0b5 UPGRADE_NSS_RELEASE, r=jcj
2020-07-27 Jan-Marek Glogowski <glogow@fbihome.de> * lib/freebl/Makefile: Bug |
|
J.C. Jones | ee419dca67 |
Bug 1649545 - land NSS NSS_3_55_RTM UPGRADE_NSS_RELEASE, r=keeler
2020-07-24 J.C. Jones <jjones@mozilla.com>
* lib/nss/nss.h, lib/softoken/softkver.h, lib/util/nssutil.h:
Set version numbers to 3.55 final
[6705eec655c8] [NSS_3_55_RTM] <NSS_3_55_BRANCH>
2020-07-22 Kai Engert <kaie@kuix.de>
* lib/nss/nssinit.c:
Bug 1653310 - Backed out changeset ca207655b4b7, because with updated NSPR this workaround is no longer required. r=kjacobe
[a448fe36e58b]
2020-07-21 Kevin Jacobs <kjacobs@mozilla.com>
* .hgtags:
Added tag NSS_3_55_BETA1 for changeset 0768baa431e7
[2572e14f17d6]
Differential Revision: https://phabricator.services.mozilla.com/D84845 |
|
Kevin Jacobs | 99b3679870 |
Bug 1649545 - land NSS NSS_3_55_BETA1 UPGRADE_NSS_RELEASE, r=jcj
2020-07-21 Benjamin Beurdouche <bbeurdouche@mozilla.com>
* cmd/bltest/blapitest.c:
Bug 1653202 - Fix issue disabling other mechanisms when SEED is deprecated in cmd/bltest/blapitest.c. r=kjacobs
[0768baa431e7] [NSS_3_55_BETA1]
2020-07-21 Kevin Jacobs <kjacobs@mozilla.com>
* automation/release/nspr-version.txt:
Bug 1652331 - NSS 3.55 should depend on NSPR 4.27. r=kaie
[3deefc218cd9]
2020-07-20 Billy Brumley <bbrumley@gmail.com>
* lib/freebl/ec.c:
Bug 1631573: Remove unnecessary scalar padding in ec.c r=kjacobs,bbeurdouche
Subsequent calls to ECPoints_mul and ECPoint_mul remove this padding. Timing attack countermeasures are now applied more generally deeper in the call stack.
[aeb2e583ee95]
2020-07-20 Kai Engert <kaie@kuix.de>
* lib/nss/nssinit.c:
Bug 1653310 - On macOS check if nssckbi exists prior to loading it. r=kjacobs
[ca207655b4b7]
Differential Revision: https://phabricator.services.mozilla.com/D84420 |
|
Kevin Jacobs | e3e0baf90e |
Bug 1649545 - land NSS 615362dff5ad UPGRADE_NSS_RELEASE, r=jcj
2020-07-18 Benjamin Beurdouche <bbeurdouche@mozilla.com>
* gtests/pk11_gtest/pk11_cipherop_unittest.cc, lib/softoken/pkcs11c.c:
Bug 1636771 - Disable PKCS11 incremental mode for ChaCha20. r=kjacobs,rrelyea
Depends on D74801
[615362dff5ad] [tip]
* gtests/pk11_gtest/pk11_chacha20poly1305_unittest.cc, lib/freebl/chacha20poly1305.c:
Bug 1636771 - Fix incorrect call to Chacha20Poly1305 by PKCS11. r=jcj,kjacobs,rrelyea
[a5e82e40f03e]
2020-07-16 Benjamin Beurdouche <bbeurdouche@mozilla.com>
* lib/softoken/pkcs11c.c:
Bug 1637222 - Enforce IV length check for DES. r=kjacobs,jcj
[0c70232cb6d3]
Differential Revision: https://phabricator.services.mozilla.com/D84043 |
|
Kevin Jacobs | 4e97e34c45 |
Bug 1649545 - land NSS ca068f5b5c17 UPGRADE_NSS_RELEASE, r=jcj
2020-07-16 Billy Brumley <bbrumley@gmail.com>
* lib/freebl/ecl/ecl-priv.h, lib/freebl/ecl/ecl.c, lib/freebl/ecl/ecp_secp521r1.c, lib/freebl/freebl_base.gypi, lib/freebl/manifest.mn:
Bug 1631583 - ECC: constant time P-521 r=kjacobs,rrelyea,bbeurdouche
This portable code contributed by the Network and Information Security Group (NISEC) at Tampere University comes from: [ECCKiila](https://gitlab.com/nisec/ecckiila) that uses [Fiat](https://github.com/mit-plv/fiat-crypto) for the underlying field arithmetic.
Co-authored-by: Luis Rivera-Zamarripa <luis.riverazamarripa@tuni.fi>
Co-authored-by: Jesús-Javier Chi-Domínguez <jesus.chidominguez@tuni.fi>
[ca068f5b5c17] [tip]
* lib/freebl/ecl/ecl-priv.h, lib/freebl/ecl/ecl.c, lib/freebl/ecl/ecp_secp384r1.c, lib/freebl/freebl_base.gypi, lib/freebl/manifest.mn, tests/ec/ectest.sh:
Bug 1631583 - ECC: constant time P-384 r=bbeurdouche,rrelyea
This portable code contributed by the Network and Information Security Group (NISEC) at Tampere University comes from: [ECCKiila](https://gitlab.com/nisec/ecckiila) that uses [Fiat](https://github.com/mit-plv/fiat-crypto) for the underlying field arithmetic.
Co-authored-by: Luis Rivera-Zamarripa <luis.riverazamarripa@tuni.fi>
Co-authored-by: Jesús-Javier Chi-Domínguez <jesus.chidominguez@tuni.fi>
[d19a3cd451bb]
2020-07-13 Robert Relyea <rrelyea@redhat.com>
* lib/pk11wrap/pk11pub.h:
Bug 1643528 Cannot compile code with nss headers and -Werror=strict-prototypes r=kjacobs
[01ffd8fef7fa]
2020-07-10 Daiki Ueno <dueno@redhat.com>
* gtests/ssl_gtest/ssl_auth_unittest.cc, lib/ssl/ssl3con.c, lib/ssl/ssl3exthandle.c, lib/ssl/sslimpl.h, lib/ssl/tls13exthandle.c:
Bug 1646324, advertise rsa_pkcs1_* schemes in CH and CR for certs, r=mt
Summary: In TLS 1.3, unless "signature_algorithms_cert" is advertised, the "signature_algorithms" extension is used as an indication of supported algorithms for signatures on certificates.
While rsa_pkcs1_* signature schemes cannot be used for signing handshake messages, they should be advertised if the peer wants to support certificates signed with RSA PKCS#1. This adds a flag to ssl3_EncodeSigAlgs() and ssl3_FilterSigAlgs() to preserve rsa_pkcs1_* schemes in the output.
Reviewers: mt
Reviewed By: mt
Bug #: 1646324
[df1d2695e115]
2020-07-09 Benjamin Beurdouche <bbeurdouche@mozilla.com>
* gtests/pk11_gtest/pk11_pbkdf2_unittest.cc, lib/pk11wrap/pk11pbe.c:
Bug 1649648 - Fix null pointers passed as argument in pk11wrap/pk11pbe.c:886 r=kjacobs
[de661583d467]
Differential Revision: https://phabricator.services.mozilla.com/D83824 |
|
Kevin Jacobs | 6a6ed41ab7 |
Bug 1649545 - land NSS 58c2abd7404e UPGRADE_NSS_RELEASE, r=jcj
2020-06-26 Kevin Jacobs <kjacobs@mozilla.com>
* automation/abi-check/expected-report-libssl3.so.txt, automation/abi-check/previous-nss-release, lib/nss/nss.h, lib/softoken/softkver.h, lib/util/nssutil.h:
Set version numbers to 3.55 beta
[332ab7db68ba]
2020-06-25 Kevin Jacobs <kjacobs@mozilla.com>
* tests/all.sh:
Bug 1649190 - Run cipher, sdr, and ocsp tests under standard test cycle.
[f373809abfc0]
2020-06-15 Kevin Jacobs <kjacobs@mozilla.com>
* gtests/common/testvectors/p256ecdsa-sha256-vectors.h, gtests/common/testvectors/p384ecdsa-sha384-vectors.h, gtests/common/testvectors/p521ecdsa-sha512-vectors.h, gtests/common/testvectors_base/test-structs.h, gtests/common/wycheproof/genTestVectors.py, gtests/pk11_gtest/pk11_ecdsa_unittest.cc:
Bug 1649226 - Add Wycheproof ECDSA tests.
[41292ff7f545]
2020-06-30 Benjamin Beurdouche <bbeurdouche@mozilla.com>
* lib/pkcs12/p12d.c:
Bug 1649322 - Fix null pointer passed as argument in pk11wrap/pk11pbe.c:1246 r=kjacobs
[cc43ebf5bf88]
2020-06-30 Danh <congdanhqx@gmail.com>
* coreconf/arch.mk, coreconf/config.mk, lib/freebl/Makefile:
Bug 1646594 - Enable AVX2 if applicable on x86_64 with make 4.3 r=bbeurdouche
[b579895aceb0]
2020-07-02 Benjamin Beurdouche <bbeurdouche@mozilla.com>
* lib/ssl/ssl3con.c:
Bug 1649316 - Prevent memcmp to be called with a zero length in ssl/ssl3con.c:6621 r=kjacobs
[8fe9213d0551]
2020-07-02 Alexander Scheel <ascheel@redhat.com>
* lib/cryptohi/secvfy.c:
Bug 1649487 - Fix bad assert in VFY_EndWithSignature. r=jcj
[c9438b528103]
2020-07-06 Dana Keeler <dkeeler@mozilla.com>
* automation/abi-check/expected-report-libnss3.so.txt, gtests/pk11_gtest/pk11_find_certs_unittest.cc, lib/nss/nss.def, lib/pk11wrap/pk11cert.c, lib/pk11wrap/pk11pub.h:
Bug 1649633 - add PK11_FindEncodedCertInSlot r=kjacobs,jcj
PK11_FindEncodedCertInSlot can be used to determine the PKCS#11 object handle of an encoded certificate in a given slot. If the given certificate does not exist in that slot, CK_INVALID_HANDLE is returned.
[32fe710a942f]
* gtests/pk11_gtest/pk11_find_certs_unittest.cc:
Bug 1649633 - follow-up to make test comparisons in pk11_find_certs_unittest.cc yoda comparisons r=kjacobs
[424dae31a1c1]
2020-07-07 Kevin Jacobs <kjacobs@mozilla.com>
* gtests/pk11_gtest/pk11_rsapkcs1_unittest.cc, lib/freebl/rsapkcs.c:
Bug 1067214 - Check minimum padding in RSA_CheckSignRecover. r=rrelyea
This patch adds a check to `RSA_CheckSignRecover` enforcing a minimum padding length of 8 bytes for PKCS #1 v1.5-formatted signatures. In practice, RSA key size requirements already ensure this requirement is met, but smaller (read: broken) key sizes can be used via configuration overrides, and NSS should just follow the spec.
[e5324bd5a885]
2020-07-08 Kevin Jacobs <kjacobs@mozilla.com>
* gtests/ssl_gtest/libssl_internals.c, gtests/ssl_gtest/libssl_internals.h, gtests/ssl_gtest/ssl_record_unittest.cc, gtests/ssl_gtest/tls_agent.cc, gtests/ssl_gtest/tls_agent.h, lib/ssl/dtls13con.c, lib/ssl/dtls13con.h, lib/ssl/ssl3con.c, lib/ssl/ssl3prot.h, lib/ssl/sslspec.h, lib/ssl/sslt.h, lib/ssl/tls13con.c, lib/ssl/tls13exthandle.c:
Bug 1647752 - Update DTLS 1.3 implementation to draft-38. r=mt
This patch updates DTLS 1.3 to draft-38. Specifically:
# `ssl_ct_ack` value changes from 25 to 26.
# AEAD limits in `tls13_UnprotectRecord` enforce a maximum of 2^36-1 (as we only support GCM/ChaCha20 AEADs) decryption failures before the connection is closed.
# Post-handshake authentication will no longer be negotiated in DTLS 1.3. This allows us to side-step the more convoluted state machine requirements.
[132a87fc8689]
2020-07-09 Benjamin Beurdouche <bbeurdouche@mozilla.com>
* lib/pk11wrap/pk11pbe.c, lib/pkcs12/p12d.c:
Bug 1649322 - Fix null pointer passed as argument in pk11wrap/pk11pbe.c:1246 r=kjacobs
This is a fixup patch that reverts https://hg.mozilla.org/projects/nss/rev/cc43ebf5bf88355837c5fafa2f3c46e37626707a and adds a null check around the memcpy in question.
[80bea0e22b20]
2020-07-09 J.C. Jones <jjones@mozilla.com>
* lib/softoken/pkcs11.c:
Bug 1651520 - slotLock race in NSC_GetTokenInfo r=kjacobs
Basically, NSC_GetTokenInfo doesn't lock slot->slotLock before accessing slot after obtaining it, even though slotLock is defined as its lock. [0]
[0] https://searchfox.org/nss/rev/a412e70e55218aaf670f1f10322fa734d8a9fbde/lib/softoken/pkcs11i.h#320-321
[58c2abd7404e] [tip]
Differential Revision: https://phabricator.services.mozilla.com/D82466 |