mozilla
/
gecko-dev
зеркало из https://github.com/mozilla/gecko-dev.git
1
0
Форкнуть 0
Код Задачи Пакеты Проекты Релизы Вики Активность
796 592 коммитов 613 Ветки 98 Теги 5,8 GiB
Граф коммитов

212 Коммитов

Автор SHA1 Сообщение Дата
Anna Weine f5864cbd70 Bug 1767934 - land NSS 2efccbd85918 UPGRADE_NSS_RELEASE, r=nss-reviewers,djackson 
2022-05-19  John M. Schanck  <jschanck@mozilla.com>

	* lib/ckfw/wrap.c:
	Bug 1766978 - improve error handling after
	nssCKFWInstance_CreateObjectHandle. r=djackson

	[2efccbd85918] [tip]

2022-03-18  Robert Relyea  <rrelyea@redhat.com>

	* cmd/pk12util/pk12util.c, lib/pkcs12/p12local.c,
	tests/common/init.sh, tests/tools/tools.sh:
	Bug 1757075 NSS does not properly import or export pkcs12 files with
	large passwords and pkcs5v2 encoding.

	Don't use NULL when encoding UTF8 with pkcs5v2. Fix a bug here when
	converting from UCS2 to UTF8 we would add a double NULL when adding
	a NULL.

	[0f4664512bd0]

2022-05-17  Dennis Jackson  <djackson@mozilla.com>

	* nspr.patch:
	Remove nspr.patch mistakenly committed in e3ac914bc684
	[99e32fcca1c7]

2022-05-17  Leander Schwarz  <lschwarz@mozilla.com>

	* gtests/ssl_gtest/ssl_record_unittest.cc,
	gtests/ssl_gtest/ssl_v2_client_hello_unittest.cc, lib/ssl/ssl3con.c,
	lib/ssl/ssl3gthr.c, lib/ssl/tls13con.c:
	Bug 1764788 - Correct invalid record inner and outter content type
	alerts. r=djackson

	Added test cases for alerts during and pre handshake as well as TLS
	1.3 only after handshake (application data) cases due to unsupported
	de- and encryption of lower TLS version records in gtest.

	Adjusted some test cases that expect failed connections to the
	updated alerts.

	[7f4b0af3a526]

	* gtests/ssl_gtest/ssl_version_unittest.cc, lib/ssl/ssl3con.c:
	Bug 1765753 - TLS 1.3 Server: Send protocol_version alert on
	unsupported ClientHello.legacy_version. r=djackson

	[bc7bfba47e0a]

	* gtests/ssl_gtest/ssl_extension_unittest.cc, lib/ssl/ssl3exthandle.c:
	Bug 1765753 - Added RFC8422 compliant TLS <= 1.2
	undefined/compressed ECPointFormat extension alerts. r=djackson

	[d06a8831ec84]

2022-05-16  John M. Schanck  <jschanck@mozilla.com>

	* gtests/util_gtest/manifest.mn, gtests/util_gtest/util_gtest.gyp,
	gtests/util_gtest/util_secasn1d_unittest.cc, lib/util/secasn1d.c:
	Bug 1387919 - Fix secasn1d parsing of indefinite SEQUENCE inside
	indefinite GROUP. r=keeler,nss-reviewers,djackson

	In an iteration over elements of an indefinite-length encoded GROUP
	(sec_asn1d_next_in_group), the child of the current state is
	responsible for parsing the GROUP's end-of-contents octets---a call
	to sec_asn1d_parse_end_of_contents(state->child) sets the
	endofcontents flag for state->child and a later call to
	sec_asn1d_next_in_group checks state->child->endofcontents and
	terminates the iteration.

	In an iteration over elements of an indefinite-length encoded
	SEQUENCE (sec_asn1d_next_in_sequence), on the other hand, the
	current state, not its child, handles the end-of-contents octets.

	Prior to this commit, an error would occur when state pointed to an
	indefinite-length encoded GROUP and state->child pointed to an
	indefinite-length encoded SEQUENCE. In this case, state->child would
	be passed to sec_asn1d_parse_end_of_contents to parse the SEQUENCE's
	end-of-contents octets. This would set the endofcontents flag for
	state->child, and this would be misinterpreted as an end-of-
	iteration signal for the surrounding GROUP.

	[1811eec24997]

	* automation/abi-check/expected-report-libnss3.so.txt,
	lib/nss/nss.def, lib/pk11wrap/pk11list.c, lib/pk11wrap/pk11util.c,
	lib/pk11wrap/secmod.h, lib/util/nssrwlk.h:
	Bug 1753315 - Add SECMOD_LockedModuleHasRemovableSlots. r=rrelyea

	[499ae15c18ad]

2022-05-13  Kai Engert  <kaie@kuix.de>

	* automation/abi-check/expected-report-libnspr4.so.txt,
	cmd/selfserv/selfserv.c, cmd/tstclnt/tstclnt.c, nspr.patch:
	Bug 1769295 - selfserv and tstclnt should use
	PR_GetPrefLoopbackAddrInfo. r=rrelyea

	[e3ac914bc684]

2022-05-11  John M. Schanck  <jschanck@mozilla.com>

	* lib/softoken/legacydb/lginit.c:
	Bug 1454072 - Use of uninitialized pointer in lg_init after alloc
	fail. r=nss-reviewers,nkulatova

	[927d47dcc509]

2022-05-06  John M. Schanck  <jschanck@mozilla.com>

	* automation/clang-format/Dockerfile:
	Bug 1766907 - Update mercurial in clang-format docker image. r=mt

	[83a89ed9f527]

Differential Revision: https://phabricator.services.mozilla.com/D146888
 2022-05-20 09:24:42 +00:00
Anna Weine 42196a472a Bug 1767934 - land NSS 85bf9240f3e1 UPGRADE_NSS_RELEASE, r=nss-reviewers,djackson 
Differential Revision: https://phabricator.services.mozilla.com/D145546
 2022-05-05 10:56:32 +00:00
Dennis Jackson 93b3689c90 Bug 1764153 - land NSS NSS_3_78_BETA1 UPGRADE_NSS_RELEASE, r=nss-reviewers,bbeurdouche 
Differential Revision: https://phabricator.services.mozilla.com/D144282
 2022-04-22 12:42:27 +00:00
John Schanck caf282f02b Bug 1758579 - land NSS NSS_3_77_BETA1 UPGRADE_NSS_RELEASE, r=keeler 
2022-03-24  John M. Schanck  <jschanck@mozilla.com>

	* lib/ckfw/builtins/certdata.txt:
	Bug 1754890 - Add two D-TRUST 2020 root certificates.
	r=KathleenWilson

	[f63fb86db692] [NSS_3_77_BETA1]

	* lib/ckfw/builtins/certdata.txt:
	Bug 1751298 - Add Telia Root CA v2 root certificate.
	r=KathleenWilson

	[1fcbbd7e4f5f]

	* lib/ckfw/builtins/certdata.txt:
	Bug 1751305 - Remove expired explicitly distrusted certificates from
	certdata.txt. r=KathleenWilson

	[b722e523d662]

2022-03-23  Dana Keeler  <dkeeler@mozilla.com>

	* gtests/mozpkix_gtest/pkixcheck_CheckSignatureAlgorithm_tests.cpp,
	gtests/mozpkix_gtest/pkixder_pki_types_tests.cpp,
	gtests/mozpkix_gtest/pkixgtest.h,
	gtests/mozpkix_gtest/pkixnss_tests.cpp,
	lib/mozpkix/include/pkix/pkixder.h,
	lib/mozpkix/include/pkix/pkixnss.h,
	lib/mozpkix/include/pkix/pkixtypes.h, lib/mozpkix/lib/pkixc.cpp,
	lib/mozpkix/lib/pkixcheck.cpp, lib/mozpkix/lib/pkixder.cpp,
	lib/mozpkix/lib/pkixnss.cpp, lib/mozpkix/lib/pkixverify.cpp,
	lib/mozpkix/test-lib/pkixtestnss.cpp:
	Bug 1005084 - support specific RSA-PSS parameters in mozilla::pkix
	r=jschanck

	This patch adds support to mozilla::pkix for certificates signed
	with RSA-PSS using one of the following parameters permitted by the
	CA/Browser Forum Baseline Requirements 1.8.1:

	* SHA-256, MGF-1 with SHA-256, and a salt length of 32 bytes
	* SHA-384, MGF-1 with SHA-384, and a salt length of 48 bytes
	* SHA-512, MGF-1 with SHA-512, and a salt length of 64 bytes

	[853b64626b19]

2022-03-23  John M. Schanck  <jschanck@mozilla.com>

	* lib/util/secasn1d.c:
	Bug 1753535 - Remove obsolete stateEnd check in
	SEC_ASN1DecoderUpdate. r=rrelyea

	The `stateEnd->parent != state` check was added in Bug 95458 to
	avoid a crash in `sec_asn1d_free_child`. The diagnosis in Bug 95458
	is incorrect---the crash was actually due to a `PORT_Assert(0)` that
	was meant to highlight a memory leak when `SEC_ASN1DecoderStart` was
	called with `their_pool==NULL`. The offending assertion was removed
	in Bug 95311, which makes the `stateEnd` check obsolete. In Bug
	1753535 it was observed that the `stateEnd` check could read from a
	poisoned region of an arena when the decoder was used in a streaming
	mode. This read-after-poison could lead to an arena memory leak,
	although this is mitigated by the fact that the read-after-poison is
	on an error-handling path where the caller typically frees the
	entire arena.

	[800111fa3bf8]

	* lib/dev/dev.h, lib/dev/devslot.c, lib/dev/devt.h,
	lib/dev/devtoken.c, lib/pk11wrap/dev3hack.c:
	Bug 1756271 - Remove token member from NSSSlot struct. r=rrelyea

	[55052f78244c]

	* cmd/mpitests/mpi-test.c, lib/freebl/Makefile, lib/freebl/dh.c,
	lib/freebl/freebl_base.gypi, lib/freebl/manifest.mn,
	lib/freebl/mpi/mpprime.c, lib/freebl/mpi/mpprime.h,
	lib/freebl/pqg.c, lib/freebl/rsa.c, lib/freebl/secmpi.c,
	lib/freebl/secmpi.h:
	Bug 1602379 - Provide secure variants of mpp_pprime and
	mpp_make_prime. r=mt

	[b83ad33acd67]

2022-03-22  John M. Schanck  <jschanck@mozilla.com>

	* cmd/mpitests/mpi-test.c, lib/freebl/Makefile, lib/freebl/dh.c,
	lib/freebl/freebl_base.gypi, lib/freebl/manifest.mn,
	lib/freebl/mpi/mpprime.c, lib/freebl/mpi/mpprime.h,
	lib/freebl/pqg.c, lib/freebl/rsa.c, lib/freebl/secmpi.c,
	lib/freebl/secmpi.h:
	Backed out changeset 6c1092f5203f

	Caused Windows gyp build failures for cmd/mpitests
	[ffa1e4ce758a]

2022-03-22  Masatoshi Kimura  <VYV03354@nifty.ne.jp>

	* gtests/pk11_gtest/pk11_module_unittest.cc, lib/pk11wrap/pk11load.c:
	Bug 1757279 - Support UTF-8 library path in the module spec string.
	r=nss-reviewers,jschanck

	[31bce2dae97b]

	* gtests/base_gtest/Makefile, gtests/base_gtest/base_gtest.gyp,
	gtests/base_gtest/manifest.mn, gtests/base_gtest/utf8_unittest.cc,
	gtests/manifest.mn, lib/base/utf8.c, nss.gyp,
	tests/gtests/gtests.sh:
	Bug 1396616 - Update nssUTF8_Length to RFC 3629 and fix buffer
	overrun. r=nss-reviewers,jschanck

	[2f2c85648edb]

2022-03-22  John M. Schanck  <jschanck@mozilla.com>

	* cmd/mpitests/mpi-test.c, lib/freebl/Makefile, lib/freebl/dh.c,
	lib/freebl/freebl_base.gypi, lib/freebl/manifest.mn,
	lib/freebl/mpi/mpprime.c, lib/freebl/mpi/mpprime.h,
	lib/freebl/pqg.c, lib/freebl/rsa.c, lib/freebl/secmpi.c,
	lib/freebl/secmpi.h:
	Bug 1602379 - Provide secure variants of mpp_pprime and
	mpp_make_prime. r=mt

	[6c1092f5203f]

2022-03-22  Dennis Jackson  <djackson@mozilla.com>

	* automation/taskcluster/docker-builds/Dockerfile,
	automation/taskcluster/graph/src/extend.js:
	Bug 1760827 - Add a CI Target for gcc-11. r=nss-reviewers,nkulatova

	[d4a3bb7731b0]

	* automation/taskcluster/graph/src/extend.js:
	Bug 1760828 - Change to makefiles for gcc-4.8. r=nss-reviewers,mt

	[191e838399a6]

2022-03-22  J08nY  <johny@neuromancer.sk>

	* automation/taskcluster/graph/src/extend.js,
	gtests/google_test/VERSION, gtests/google_test/gtest/CMakeLists.txt,
	gtests/google_test/gtest/CONTRIBUTORS,
	gtests/google_test/gtest/README.md,
	gtests/google_test/gtest/cmake/gtest.pc.in,
	gtests/google_test/gtest/cmake/gtest_main.pc.in,
	gtests/google_test/gtest/cmake/internal_utils.cmake,
	gtests/google_test/gtest/docs/Pkgconfig.md,
	gtests/google_test/gtest/docs/README.md,
	gtests/google_test/gtest/docs/advanced.md,
	gtests/google_test/gtest/docs/faq.md,
	gtests/google_test/gtest/docs/primer.md,
	gtests/google_test/gtest/docs/pump_manual.md,
	gtests/google_test/gtest/docs/samples.md,
	gtests/google_test/gtest/include/gtest/gtest-death-test.h,
	gtests/google_test/gtest/include/gtest/gtest-matchers.h,
	gtests/google_test/gtest/include/gtest/gtest-message.h,
	gtests/google_test/gtest/include/gtest/gtest-param-test.h,
	gtests/google_test/gtest/include/gtest/gtest-printers.h,
	gtests/google_test/gtest/include/gtest/gtest-spi.h,
	gtests/google_test/gtest/include/gtest/gtest-test-part.h,
	gtests/google_test/gtest/include/gtest/gtest-typed-test.h,
	gtests/google_test/gtest/include/gtest/gtest.h,
	gtests/google_test/gtest/include/gtest/gtest_pred_impl.h,
	gtests/google_test/gtest/include/gtest/gtest_prod.h,
	gtests/google_test/gtest/include/gtest/internal/custom/gtest-port.h,
	gtests/google_test/gtest/include/gtest/internal/custom/gtest-
	printers.h,
	gtests/google_test/gtest/include/gtest/internal/custom/gtest.h,
	gtests/google_test/gtest/include/gtest/internal/gtest-death-test-
	internal.h, gtests/google_test/gtest/include/gtest/internal/gtest-
	filepath.h, gtests/google_test/gtest/include/gtest/internal/gtest-
	internal.h, gtests/google_test/gtest/include/gtest/internal/gtest-
	param-util.h, gtests/google_test/gtest/include/gtest/internal/gtest-
	port-arch.h, gtests/google_test/gtest/include/gtest/internal/gtest-
	port.h, gtests/google_test/gtest/include/gtest/internal/gtest-
	string.h, gtests/google_test/gtest/include/gtest/internal/gtest-
	type-util.h, gtests/google_test/gtest/include/gtest/internal/gtest-
	type-util.h.pump, gtests/google_test/gtest/samples/prime_tables.h,
	gtests/google_test/gtest/samples/sample1.cc,
	gtests/google_test/gtest/samples/sample1.h,
	gtests/google_test/gtest/samples/sample10_unittest.cc,
	gtests/google_test/gtest/samples/sample2.cc,
	gtests/google_test/gtest/samples/sample2.h,
	gtests/google_test/gtest/samples/sample2_unittest.cc,
	gtests/google_test/gtest/samples/sample3-inl.h,
	gtests/google_test/gtest/samples/sample3_unittest.cc,
	gtests/google_test/gtest/samples/sample4.h,
	gtests/google_test/gtest/samples/sample5_unittest.cc,
	gtests/google_test/gtest/samples/sample6_unittest.cc,
	gtests/google_test/gtest/samples/sample7_unittest.cc,
	gtests/google_test/gtest/samples/sample8_unittest.cc,
	gtests/google_test/gtest/samples/sample9_unittest.cc,
	gtests/google_test/gtest/scripts/README.md,
	gtests/google_test/gtest/scripts/gen_gtest_pred_impl.py,
	gtests/google_test/gtest/scripts/pump.py,
	gtests/google_test/gtest/scripts/release_docs.py,
	gtests/google_test/gtest/scripts/run_with_path.py,
	gtests/google_test/gtest/scripts/upload.py,
	gtests/google_test/gtest/src/gtest-death-test.cc,
	gtests/google_test/gtest/src/gtest-filepath.cc,
	gtests/google_test/gtest/src/gtest-internal-inl.h,
	gtests/google_test/gtest/src/gtest-matchers.cc,
	gtests/google_test/gtest/src/gtest-port.cc,
	gtests/google_test/gtest/src/gtest-printers.cc,
	gtests/google_test/gtest/src/gtest-test-part.cc,
	gtests/google_test/gtest/src/gtest-typed-test.cc,
	gtests/google_test/gtest/src/gtest.cc,
	gtests/google_test/gtest/src/gtest_main.cc,
	gtests/google_test/gtest/test/BUILD.bazel,
	gtests/google_test/gtest/test/googletest-catch-exceptions-test_.cc,
	gtests/google_test/gtest/test/googletest-death-test-test.cc,
	gtests/google_test/gtest/test/googletest-death-test_ex_test.cc,
	gtests/google_test/gtest/test/googletest-env-var-test.py,
	gtests/google_test/gtest/test/googletest-env-var-test_.cc,
	gtests/google_test/gtest/test/googletest-failfast-unittest.py,
	gtests/google_test/gtest/test/googletest-failfast-unittest_.cc,
	gtests/google_test/gtest/test/googletest-filepath-test.cc,
	gtests/google_test/gtest/test/googletest-filter-unittest_.cc,
	gtests/google_test/gtest/test/googletest-global-environment-
	unittest.py, gtests/google_test/gtest/test/googletest-global-
	environment-unittest_.cc, gtests/google_test/gtest/test/googletest-
	json-output-unittest.py, gtests/google_test/gtest/test/googletest-
	list-tests-unittest_.cc, gtests/google_test/gtest/test/googletest-
	listener-test.cc, gtests/google_test/gtest/test/googletest-message-
	test.cc, gtests/google_test/gtest/test/googletest-options-test.cc,
	gtests/google_test/gtest/test/googletest-output-test-golden-lin.txt,
	gtests/google_test/gtest/test/googletest-output-test.py,
	gtests/google_test/gtest/test/googletest-output-test_.cc,
	gtests/google_test/gtest/test/googletest-param-test-invalid-
	name1-test_.cc, gtests/google_test/gtest/test/googletest-param-test-
	invalid-name2-test_.cc, gtests/google_test/gtest/test/googletest-
	param-test-test.cc, gtests/google_test/gtest/test/googletest-param-
	test-test.h, gtests/google_test/gtest/test/googletest-param-
	test2-test.cc, gtests/google_test/gtest/test/googletest-port-
	test.cc, gtests/google_test/gtest/test/googletest-printers-test.cc,
	gtests/google_test/gtest/test/googletest-setuptestsuite-test.py,
	gtests/google_test/gtest/test/googletest-setuptestsuite-test_.cc,
	gtests/google_test/gtest/test/googletest-shuffle-test_.cc,
	gtests/google_test/gtest/test/googletest-test-part-test.cc,
	gtests/google_test/gtest/test/googletest-test2_test.cc,
	gtests/google_test/gtest/test/googletest-throw-on-failure-test_.cc,
	gtests/google_test/gtest/test/gtest-typed-test2_test.cc,
	gtests/google_test/gtest/test/gtest-typed-test_test.cc,
	gtests/google_test/gtest/test/gtest-typed-test_test.h,
	gtests/google_test/gtest/test/gtest-unittest-api_test.cc,
	gtests/google_test/gtest/test/gtest_assert_by_exception_test.cc,
	gtests/google_test/gtest/test/gtest_environment_test.cc,
	gtests/google_test/gtest/test/gtest_help_test.py,
	gtests/google_test/gtest/test/gtest_list_output_unittest.py,
	gtests/google_test/gtest/test/gtest_list_output_unittest_.cc,
	gtests/google_test/gtest/test/gtest_pred_impl_unittest.cc,
	gtests/google_test/gtest/test/gtest_premature_exit_test.cc,
	gtests/google_test/gtest/test/gtest_repeat_test.cc,
	gtests/google_test/gtest/test/gtest_skip_check_output_test.py,
	gtests/google_test/gtest/test/gtest_skip_test.cc,
	gtests/google_test/gtest/test/gtest_stress_test.cc,
	gtests/google_test/gtest/test/gtest_test_utils.py,
	gtests/google_test/gtest/test/gtest_throw_on_failure_ex_test.cc,
	gtests/google_test/gtest/test/gtest_unittest.cc,
	gtests/google_test/gtest/test/gtest_xml_outfiles_test.py,
	gtests/google_test/gtest/test/gtest_xml_output_unittest.py,
	gtests/google_test/gtest/test/gtest_xml_output_unittest_.cc,
	gtests/google_test/gtest/test/gtest_xml_test_utils.py,
	gtests/google_test/gtest/test/production.h,
	gtests/google_test/update.sh,
	gtests/ssl_gtest/ssl_agent_unittest.cc:
	Bug 1741688 - Update googletest to 1.11.0 r=nss-reviewers,mt

	[88249e154a23]

2022-03-22  Dennis Jackson  <djackson@mozilla.com>

	* gtests/ssl_gtest/tls_ech_unittest.cc, lib/ssl/ssl3con.c,
	lib/ssl/sslexp.h, lib/ssl/sslimpl.h, lib/ssl/sslsock.c,
	lib/ssl/tls13ech.c, lib/ssl/tls13ech.h:
	Bug 1759525 - Add SetTls13GreaseEchSize to experimental API. r=mt

	[c2f93669b92c]

2022-03-22  Leander Schwarz  <lschwarz@mozilla.com>

	* gtests/ssl_gtest/ssl_version_unittest.cc,
	gtests/ssl_gtest/tls_filter.cc, gtests/ssl_gtest/tls_filter.h,
	lib/ssl/tls13con.c:
	Bug 1755264 - TLS 1.3 Illegal legacy_version handling/alerts.
	r=djackson

	[7d931c59d09f]

2022-03-22  Dennis Jackson  <djackson@mozilla.com>

	* lib/ssl/tls13ech.c:
	Bug 1755904 - Fix calculation of ECH HRR Transcript. r=mt

	[33c530e653b3]

2022-03-22  Zi Lin  <lziest@chromium.org>

	* coreconf/Linux.mk:
	Bug 1758741 - Allow ld path to be set as environment variable. r=mt

	Submitted on behalf of Zi Lin, the author of the patch.

	[d9368381598f]

2022-03-22  Dennis Jackson  <djackson@mozilla.com>

	* gtests/ssl_gtest/tls_connect.cc:
	Bug 1760653 - Ensure we don't read uninitialized memory in ssl
	gtests. r=mt,nss-reviewers

	[9a7b3c7f4e70]

	* cpputil/databuffer.h:
	Bug 1758478 - Fix DataBuffer Move Assignment. r=mt

	[f12fd43d69c7]

2022-03-18  Robert Relyea  <rrelyea@redhat.com>

	* automation/abi-check/expected-report-libnss3.so.txt, automation/abi-
	check/expected-report-libssl3.so.txt,
	gtests/ssl_gtest/ssl_auth_unittest.cc, lib/certdb/cert.h,
	lib/certdb/certdb.c, lib/nss/nss.def, lib/pk11wrap/pk11obj.c,
	lib/pk11wrap/pk11pub.h, lib/ssl/authcert.c, lib/ssl/ssl.def,
	lib/ssl/ssl.h, lib/ssl/ssl3con.c, lib/ssl/sslimpl.h,
	lib/ssl/sslsock.c, lib/ssl/tls13con.c, lib/ssl/tls13subcerts.c,
	mach, tests/ssl/ssl.sh, tests/ssl/sslauth.txt:
	Bug 1552254 internal_error alert on Certificate Request with
	sha1+ecdsa in TLS 1.3

	We need to be able to select Client certificates based on the
	schemes sent to us from the server. Rather than changing the
	callback function, this patch adds those schemes to the ssl socket
	info as suggested by Dana. In addition, two helpful functions have
	been added to aid User applications in properly selecting the
	Certificate: PRBool SSL_CertIsUsable(PRFileDesc *fd, CERTCertificate
	*cert) - returns true if the given cert matches the schemes of the
	server, the schemes configured on the socket, capability of the
	token the private key resides on, and the current policy. For future
	SSL protocol, additional restrictions may be parsed.
	SSL_FilterCertListBySocket(PRFileDesc *fd, CERTCertList *certlist) -
	removes the certs from the cert list that doesn't pass the
	SSL_CertIsUsable() call.

	In addition the built in cert selection function
	(NSS_GetClientAuthData) uses the above functions to filter the list.
	In order to support the NSS_GetClientAuthData three new functions
	have been added: SECStatus
	CERT_FilterCertListByNickname(CERTCertList *certList, char
	*nickname, void *pwarg) -- removes the certs that don't match the
	'nickname'. SECStatus CERT_FilterCertListByCertList(CERTCertlist
	*certList, const CERTCertlist *filterList ) -- removes all the certs
	on the first cert list that isn't on the second. PRBool
	CERT_IsInList(CERTCertificate *, const CERTCertList *certList) --
	returns true if cert is on certList.

	In addition
	 * PK11_FindObjectForCert() is exported so the token the cert lives on
	can be accessed.
	 * the ssle ssl_PickClientSignatureScheme() function (along with
	several supporing functions) have been modified so it can be used by
	SSL_CertIsUsable()

	[be6a97823bfe]

Differential Revision: https://phabricator.services.mozilla.com/D141995
 2022-03-24 21:34:20 +00:00
John Schanck 5075ae5d88 Bug 1758579 - land NSS be8a62f85be7 UPGRADE_NSS_RELEASE, r=keeler 
Differential Revision: https://phabricator.services.mozilla.com/D140597
 2022-03-10 23:20:59 +00:00
Dennis Jackson ac3025042a Bug 1753980 - land NSS 4a8880ef UPGRADE_NSS_RELEASE, r=bbeurdouche 
```
2022-02-14  Martin Thomson  <mt@lowentropy.net>

	* gtests/common/testvectors/rsa_pss_2048_sha1_mgf1_20-vectors.h,
	gtests/common/testvectors/rsa_pss_2048_sha256_mgf1_0-vectors.h,
	gtests/common/testvectors/rsa_pss_2048_sha256_mgf1_32-vectors.h,
	gtests/common/testvectors/rsa_pss_3072_sha256_mgf1_32-vectors.h,
	gtests/common/testvectors/rsa_pss_4096_sha256_mgf1_32-vectors.h,
	gtests/common/testvectors/rsa_pss_4096_sha512_mgf1_32-vectors.h,
	gtests/common/testvectors/rsa_pss_misc-vectors.h,
	gtests/common/wycheproof/genTestVectors.py, gtests/common/wycheproof
	/source_vectors/rsa_pss_2048_sha1_mgf1_20_test.json, gtests/common/w
	ycheproof/source_vectors/rsa_pss_2048_sha256_mgf1_0_test.json, gtest
	s/common/wycheproof/source_vectors/rsa_pss_2048_sha256_mgf1_32_test.
	json, gtests/common/wycheproof/source_vectors/rsa_pss_3072_sha256_mg
	f1_32_test.json, gtests/common/wycheproof/source_vectors/rsa_pss_409
	6_sha256_mgf1_32_test.json, gtests/common/wycheproof/source_vectors/
	rsa_pss_4096_sha512_mgf1_32_test.json,
	gtests/common/wycheproof/source_vectors/rsa_pss_misc_test.json,
	gtests/pk11_gtest/json.h, gtests/pk11_gtest/pk11_hpke_unittest.cc,
	gtests/pk11_gtest/pk11_rsapss_unittest.cc:
	Bug 1747957 - Use Wycheproof JSON for RSASSA-PSS, r=nss-
	reviewers,bbeurdouche

	[4a8880ef1adc] [tip]

2022-02-10  Leander Schwarz  <lschwarz@mozilla.com>

	* gtests/ssl_gtest/ssl_extension_unittest.cc,
	gtests/ssl_gtest/tls_ech_unittest.cc, lib/ssl/ssl3ext.c:
	Bug 1751157 - Throw illegal_parameter alert for illegal extensions
	in handshake message. r=djackson

	[8fd5ca0cf897]

2022-02-09  John M. Schanck  <jschanck@mozilla.com>

	* automation/release/nss-release-helper.py:
	Bug 1753505 - Avoid truncating files in nss-release-helper.py.
	r=bbeurdouche

	[7876a7255030]

2022-02-08  John M. Schanck  <jschanck@mozilla.com>

	* lib/ckfw/builtins/certdata.txt:
	Bug 1679803 - Add SHA256 fingerprint comments to old certdata.txt
	entries. r=nss-reviewers,bbeurdouche

	The new SHA256 hashes were calculated using the script below, which
	reads certificates out of the builtin token and re-processing them
	with the current version of addbuiltin. One of the "Autoridad de
	Certificacion Firmaprofesional CIF A62634068" certificates had to be
	handled manually because of Bug 456858.

	``` #!/bin/bash

	NSS_LIB=<path to dist/Debug/lib>

	WORK=/tmp/nssdb/ LIST=${WORK}/list.txt OUT=${WORK}/certdata.txt

	rm -rf ${WORK} mkdir -p ${WORK} modutil -force -dbdir "sql:${WORK}"
	-create modutil -force -dbdir "sql:${WORK}" -add "nssckbi" -libfile
	"${NSS_LIB}/libnssckbi.so"

	certutil -d "sql:${WORK}" -L -h "Builtin Object Token" | grep
	Builtin > ${LIST} sed -i 's/\s*\(C\?,C\?,C\?\)\s*$/;\1/' ${LIST}

	while IFS=";" read -r name trust do certutil -d "sql:${WORK}" -L -n
	"${name}" -r 1> "${WORK}/${name}.der" addbuiltin -t "${trust}" -n
	"${name/Builtin Object Token:/}" -i "${WORK}/${name}.der" done <
	${LIST} >> ${OUT} ```

	[7a34cf74b659]
```

Differential Revision: https://phabricator.services.mozilla.com/D138799
 2022-02-15 18:04:14 +00:00
Benjamin Beurdouche bf3cd48302 Bug 1753980 - land NSS ac0c37493099 UPGRADE_NSS_RELEASE, r=nkulatova 
Differential Revision: https://phabricator.services.mozilla.com/D138023
 2022-02-07 16:31:57 +00:00
Benjamin Beurdouche 9c5781dbc5 Bug 1748820 - land NSS NSS_3_75_BETA1 UPGRADE_NSS_RELEASE, r=jschanck 
```
2022-01-28  Benjamin Beurdouche  <bbeurdouche@mozilla.com>

	* doc/rst/releases/index.rst:
	Documentation: update the NSS release page
	[decce8ec4e72] [NSS_3_75_BETA1]

2022-01-19  Natalia Kulatova  <nkulatova@mozilla.com>

	* automation/taskcluster/docker-builds/Dockerfile,
	automation/taskcluster/graph/src/extend.js:
	Bug 1749030 - This patch adds gcc-9 and gcc-10 to the CI. r=nss-
	reviewers,bbeurdouche

	[581fe264710f]

2022-01-19  John M. Schanck  <jschanck@mozilla.com>

	* lib/mozpkix/tools/DottedOIDToCode.py:
	Bug 1749794 - Make DottedOIDToCode.py compatible with python3.
	r=nss-reviewers,bbeurdouche.

	[b5eff08becbb]

	* lib/ssl/sslcert.c:
	Bug 1749475 - Avoid undefined shift in SSL_CERT_IS while fuzzing.
	r=nss-reviewers,mt

	[c98fc11fb685]

2022-01-13  Martin Thomson  <mt@lowentropy.net>

	* lib/softoken/pkcs11c.c:
	Bug 1748386 - Remove redundant key type check, r=rrelyea

	[f9708b22f2f6]

	* automation/abi-check/expected-report-libssl3.so.txt:
	Bug 1749869 - Update ABI expectations to match ECH changes,
	r=bbeurdouche

	Depends on D135808

	[4b7cf8161421]
```

Differential Revision: https://phabricator.services.mozilla.com/D137309
 2022-01-28 18:25:19 +00:00
Benjamin Beurdouche 84a342941b Bug 1748820 - land NSS 44e6341be5e8 UPGRADE_NSS_RELEASE, r=beurdouche 
Differential Revision: https://phabricator.services.mozilla.com/D135690
 2022-01-12 10:40:38 +00:00
Benjamin Beurdouche bdd7cdab71 Bug 1743993 - land NSS NSS_3_74_BETA1 UPGRADE_NSS_RELEASE, r=beurdouche 
```
2021-12-16  Benjamin Beurdouche  <bbeurdouche@mozilla.com>

	* gtests/google_test/VERSION, gtests/google_test/gtest/CMakeLists.txt,
	gtests/google_test/gtest/CONTRIBUTORS,
	gtests/google_test/gtest/README.md,
	gtests/google_test/gtest/cmake/gtest.pc.in,
	gtests/google_test/gtest/cmake/gtest_main.pc.in,
	gtests/google_test/gtest/cmake/internal_utils.cmake,
	gtests/google_test/gtest/docs/Pkgconfig.md,
	gtests/google_test/gtest/docs/README.md,
	gtests/google_test/gtest/docs/advanced.md,
	gtests/google_test/gtest/docs/faq.md,
	gtests/google_test/gtest/docs/primer.md,
	gtests/google_test/gtest/docs/pump_manual.md,
	gtests/google_test/gtest/docs/samples.md,
	gtests/google_test/gtest/include/gtest/gtest-death-test.h,
	gtests/google_test/gtest/include/gtest/gtest-matchers.h,
	gtests/google_test/gtest/include/gtest/gtest-message.h,
	gtests/google_test/gtest/include/gtest/gtest-param-test.h,
	gtests/google_test/gtest/include/gtest/gtest-printers.h,
	gtests/google_test/gtest/include/gtest/gtest-spi.h,
	gtests/google_test/gtest/include/gtest/gtest-test-part.h,
	gtests/google_test/gtest/include/gtest/gtest-typed-test.h,
	gtests/google_test/gtest/include/gtest/gtest.h,
	gtests/google_test/gtest/include/gtest/gtest_pred_impl.h,
	gtests/google_test/gtest/include/gtest/gtest_prod.h,
	gtests/google_test/gtest/include/gtest/internal/custom/gtest-port.h,
	gtests/google_test/gtest/include/gtest/internal/custom/gtest-
	printers.h,
	gtests/google_test/gtest/include/gtest/internal/custom/gtest.h,
	gtests/google_test/gtest/include/gtest/internal/gtest-death-test-
	internal.h, gtests/google_test/gtest/include/gtest/internal/gtest-
	filepath.h, gtests/google_test/gtest/include/gtest/internal/gtest-
	internal.h, gtests/google_test/gtest/include/gtest/internal/gtest-
	param-util.h, gtests/google_test/gtest/include/gtest/internal/gtest-
	port-arch.h, gtests/google_test/gtest/include/gtest/internal/gtest-
	port.h, gtests/google_test/gtest/include/gtest/internal/gtest-
	string.h, gtests/google_test/gtest/include/gtest/internal/gtest-
	type-util.h, gtests/google_test/gtest/include/gtest/internal/gtest-
	type-util.h.pump, gtests/google_test/gtest/samples/prime_tables.h,
	gtests/google_test/gtest/samples/sample1.cc,
	gtests/google_test/gtest/samples/sample1.h,
	gtests/google_test/gtest/samples/sample10_unittest.cc,
	gtests/google_test/gtest/samples/sample2.cc,
	gtests/google_test/gtest/samples/sample2.h,
	gtests/google_test/gtest/samples/sample2_unittest.cc,
	gtests/google_test/gtest/samples/sample3-inl.h,
	gtests/google_test/gtest/samples/sample3_unittest.cc,
	gtests/google_test/gtest/samples/sample4.h,
	gtests/google_test/gtest/samples/sample5_unittest.cc,
	gtests/google_test/gtest/samples/sample6_unittest.cc,
	gtests/google_test/gtest/samples/sample7_unittest.cc,
	gtests/google_test/gtest/samples/sample8_unittest.cc,
	gtests/google_test/gtest/samples/sample9_unittest.cc,
	gtests/google_test/gtest/scripts/README.md,
	gtests/google_test/gtest/scripts/gen_gtest_pred_impl.py,
	gtests/google_test/gtest/scripts/pump.py,
	gtests/google_test/gtest/scripts/release_docs.py,
	gtests/google_test/gtest/scripts/run_with_path.py,
	gtests/google_test/gtest/scripts/upload.py,
	gtests/google_test/gtest/src/gtest-death-test.cc,
	gtests/google_test/gtest/src/gtest-filepath.cc,
	gtests/google_test/gtest/src/gtest-internal-inl.h,
	gtests/google_test/gtest/src/gtest-matchers.cc,
	gtests/google_test/gtest/src/gtest-port.cc,
	gtests/google_test/gtest/src/gtest-printers.cc,
	gtests/google_test/gtest/src/gtest-test-part.cc,
	gtests/google_test/gtest/src/gtest-typed-test.cc,
	gtests/google_test/gtest/src/gtest.cc,
	gtests/google_test/gtest/src/gtest_main.cc,
	gtests/google_test/gtest/test/BUILD.bazel,
	gtests/google_test/gtest/test/googletest-catch-exceptions-test_.cc,
	gtests/google_test/gtest/test/googletest-death-test-test.cc,
	gtests/google_test/gtest/test/googletest-death-test_ex_test.cc,
	gtests/google_test/gtest/test/googletest-env-var-test.py,
	gtests/google_test/gtest/test/googletest-env-var-test_.cc,
	gtests/google_test/gtest/test/googletest-failfast-unittest.py,
	gtests/google_test/gtest/test/googletest-failfast-unittest_.cc,
	gtests/google_test/gtest/test/googletest-filepath-test.cc,
	gtests/google_test/gtest/test/googletest-filter-unittest_.cc,
	gtests/google_test/gtest/test/googletest-global-environment-
	unittest.py, gtests/google_test/gtest/test/googletest-global-
	environment-unittest_.cc, gtests/google_test/gtest/test/googletest-
	json-output-unittest.py, gtests/google_test/gtest/test/googletest-
	list-tests-unittest_.cc, gtests/google_test/gtest/test/googletest-
	listener-test.cc, gtests/google_test/gtest/test/googletest-message-
	test.cc, gtests/google_test/gtest/test/googletest-options-test.cc,
	gtests/google_test/gtest/test/googletest-output-test-golden-lin.txt,
	gtests/google_test/gtest/test/googletest-output-test.py,
	gtests/google_test/gtest/test/googletest-output-test_.cc,
	gtests/google_test/gtest/test/googletest-param-test-invalid-
	name1-test_.cc, gtests/google_test/gtest/test/googletest-param-test-
	invalid-name2-test_.cc, gtests/google_test/gtest/test/googletest-
	param-test-test.cc, gtests/google_test/gtest/test/googletest-param-
	test-test.h, gtests/google_test/gtest/test/googletest-param-
	test2-test.cc, gtests/google_test/gtest/test/googletest-port-
	test.cc, gtests/google_test/gtest/test/googletest-printers-test.cc,
	gtests/google_test/gtest/test/googletest-setuptestsuite-test.py,
	gtests/google_test/gtest/test/googletest-setuptestsuite-test_.cc,
	gtests/google_test/gtest/test/googletest-shuffle-test_.cc,
	gtests/google_test/gtest/test/googletest-test-part-test.cc,
	gtests/google_test/gtest/test/googletest-test2_test.cc,
	gtests/google_test/gtest/test/googletest-throw-on-failure-test_.cc,
	gtests/google_test/gtest/test/gtest-typed-test2_test.cc,
	gtests/google_test/gtest/test/gtest-typed-test_test.cc,
	gtests/google_test/gtest/test/gtest-typed-test_test.h,
	gtests/google_test/gtest/test/gtest-unittest-api_test.cc,
	gtests/google_test/gtest/test/gtest_assert_by_exception_test.cc,
	gtests/google_test/gtest/test/gtest_environment_test.cc,
	gtests/google_test/gtest/test/gtest_help_test.py,
	gtests/google_test/gtest/test/gtest_list_output_unittest.py,
	gtests/google_test/gtest/test/gtest_list_output_unittest_.cc,
	gtests/google_test/gtest/test/gtest_pred_impl_unittest.cc,
	gtests/google_test/gtest/test/gtest_premature_exit_test.cc,
	gtests/google_test/gtest/test/gtest_repeat_test.cc,
	gtests/google_test/gtest/test/gtest_skip_check_output_test.py,
	gtests/google_test/gtest/test/gtest_skip_test.cc,
	gtests/google_test/gtest/test/gtest_stress_test.cc,
	gtests/google_test/gtest/test/gtest_test_utils.py,
	gtests/google_test/gtest/test/gtest_throw_on_failure_ex_test.cc,
	gtests/google_test/gtest/test/gtest_unittest.cc,
	gtests/google_test/gtest/test/gtest_xml_outfiles_test.py,
	gtests/google_test/gtest/test/gtest_xml_output_unittest.py,
	gtests/google_test/gtest/test/gtest_xml_output_unittest_.cc,
	gtests/google_test/gtest/test/gtest_xml_test_utils.py,
	gtests/google_test/gtest/test/production.h,
	gtests/google_test/update.sh:
	Backed out changeset 50f5a60523ca (Bug 1741688 - Update googletest
	to 1.11.0) due to CI failures
	[1831460a6f34] [NSS_3_74_BETA1]

2021-12-15  Benjamin Beurdouche  <bbeurdouche@mozilla.com>

	* automation/abi-check/previous-nss-release, lib/nss/nss.h,
	lib/softoken/softkver.h, lib/util/nssutil.h:
	Set version numbers to 3.74
	[0ed371bb42ac]
```

Differential Revision: https://phabricator.services.mozilla.com/D134913
 2021-12-31 13:07:06 +00:00
Narcis Beleuzu e74a8e2d1d Backed out changeset ee89101cd0e4 (bug 1743993) for xpcshel failures on test_httpssvc_retry_with_ech.js UPGRADE_NSS_RELEASE 2021-12-27 18:40:39 +02:00
Benjamin Beurdouche e9c3a11359 Bug 1743993 - land NSS d41c0fcdcf85 UPGRADE_NSS_RELEASE, r=nkulatova 
```
2021-12-17  Dennis Jackson  <djackson@mozilla.com>

	* gtests/ssl_gtest/tls_ech_unittest.cc:
	Bug 1712879 - Add test cases for ECH compression and unexpected
	extensions in SH. r=mt

	* Update the test custom extension injectors to create large (1024
	byte) extensions
	* Update the compression tests to verify that compression ocurrs
	correctly.
	* Add tests to ensure that when accepting ECH, the client rejects Xtns
	which are only valid for the CHO and vice versa

	[d41c0fcdcf85] [tip]

	* gtests/ssl_gtest/tls_ech_unittest.cc:
	Bug 1725938 - Update tests for ECH-13. r=mt

	* Add a new test helper function for creating an ECH Config/
	* Update ECH Config tests to dynamically generate their configs.
	* Regenerate tests using fixed ClientHello configs for ECH-13.
	* Add test for recursive ECH Outer Extensions.
	* Add test for ECH Inner Extension with payload (should be empty).
	* Add test to ensure AAD covers both before and after ECH extension.

	[ea27fc06556a]

	* lib/ssl/tls13ech.c:
	Bug 1725938 - Tidy up error handling r=mt

	Small commit to tidy up the error handling when receiving ECH
	extensions.

	[dbfeabc22622]

	* gtests/ssl_gtest/tls_filter.cc, gtests/ssl_gtest/tls_filter.h:
	Bug 1728281 - Add tests for ECH HRR Changes. r=mt

	Testcases for HRR ECH Xtns:
		- Clients reject xtns of the wrong size.
		- Clients reject mangled xtns.
		- Clients reject unsolicited xtns.
		- Servers send ECH HRR Xtns when accepting, rejecting or GREASEing
		- Clients and Servers do not send xtns if disabled and not GREASEing
		- Clients alert if servers accept ECH in HRR, then reject in SH.

	[28c3375fe2ef]

	* lib/ssl/sslexp.h, lib/ssl/tls13exthandle.c:
	Bug 1728281 - Server only sends GREASE HRR extension if enabled by
	preference. r=mt

	Draft 13 added an ECH extension for HRR messages. When GREASEing,
	this should only be sent if the server was configured with ECH
	support or explicitly opted in.

	[e387d382de47]

	* gtests/ssl_gtest/tls_connect.cc, lib/ssl/ssl3con.c,
	lib/ssl/ssl3ext.c, lib/ssl/ssl3ext.h, lib/ssl/sslencode.c,
	lib/ssl/sslencode.h, lib/ssl/tls13ech.c, lib/ssl/tls13ech.h,
	lib/ssl/tls13exthandle.c:
	Bug 1725938 - Update generation of the Associated Data for ECH-13
	r=mt

	In Draft 13, the associated data compromises the entire
	ClientHelloOuter, with the ECH payload zeroed out. This patch
	updates the generation of the ClientHelloOuter and associated data
	and unifies the generation of the ECH Xtn. As a result,
	tls13_EncryptClientHello now puts the encrypted ClientHelloInner
	directly into the ClientHelloOuter.

	[e31c41c04527]

	* gtests/ssl_gtest/tls_connect.cc, lib/ssl/ssl3ext.c,
	lib/ssl/ssl3ext.h, lib/ssl/sslimpl.h, lib/ssl/tls13ech.c:
	Bug 1712879 - When ECH is accepted, reject extensions which were
	only advertised in the Outer Client Hello r=mt

	Previously, we only tracked whether we'd advertised an extension at
	all. This change allows us to track the advertisements for both the
	Outer and Inner Client Hello seperately. If the server accepts ECH
	but includes an extension we only offered in the Outer Client Hello,
	we will send an alert.

	As a side-effect, if the client offers an extension in the
	ClientHelloInner which is not offered in the ClientHelloOuter and
	the server accepts, we will send the same alert. It is unclear
	whether this is desirable behavior or not - since if we did not
	alert this would allow a network observer to distinguish whether ECH
	was used.

	[beef13851327]

	* gtests/ssl_gtest/tls_connect.cc, lib/ssl/tls13ech.c:
	Bug 1712879 - Allow for compressed, non-contiguous, extensions r=mt

	In Draft 13, clients can now compress extensions which are non-
	contiguous but in-order. This changeset removes the logic which
	ensured only contiguous extensions were compressed.

	[daf5bc69425a]

2021-12-17  Martin Thomson  <mt@lowentropy.net>

	* gtests/ssl_gtest/ssl_custext_unittest.cc, lib/ssl/tls13ech.c:
	Bug 1712879 - Scramble the PSK extension in CHOuter. r=bbeurdouche

	Depends on D115852

	[b8623fde307c]

	* gtests/ssl_gtest/ssl_custext_unittest.cc, lib/ssl/ssl3ext.c,
	lib/ssl/ssl3ext.h, lib/ssl/sslencode.c, lib/ssl/sslexp.h,
	lib/ssl/sslimpl.h, lib/ssl/sslsock.c, lib/ssl/tls13ech.c:
	Bug 1712647 - Split custom extension handling for ECH.
	r=bbeurdouche,mt

	A new function SSL_CallExtensionWriterOnEchInner() allows
	applications to have custom extension handlers called separately for
	CHInner and CHOuter.

	This is a little tricky as ECH needs to construct two versions of
	CHInner: one compressed and one not. This just calls the write
	handler twice in that case.

	The other complication is that a handler might make different
	choices for CHInner and CHOuter. This forces us to stop compressing
	that extension and any that follow it when that occurs. In order to
	ensure that extensions are consistently placed, we need to track
	what can be compressed during both invocations.

	I've retained the quirk where the extensions are built twice. That
	might be something that can be removed in future, but for now it
	creates a negative externality that I've noted in documentation.

	[d3c6fa317bca]

2021-12-17  Dennis Jackson  <djackson@mozilla.com>

	* gtests/ssl_gtest/tls_connect.cc, lib/ssl/ssl3con.c,
	lib/ssl/ssl3ext.c, lib/ssl/sslimpl.h, lib/ssl/tls13con.c,
	lib/ssl/tls13ech.c, lib/ssl/tls13ech.h, lib/ssl/tls13exthandle.c,
	lib/ssl/tls13exthandle.h, lib/ssl/tls13hashstate.c,
	lib/ssl/tls13hashstate.h:
	Bug 1728281 - Add ECH-13 HRR Handling. r=mt

	This changset adds client and server support for ECH extensions in
	the HelloRetryRequest Message. When Servers respond with a HRR to a
	ECH advertising ClientHello, servers add an additional 8 byte
	confirmation value in an ECH extension with their HRR which allows
	the client to deduce whether ECH was accepted or rejected. The
	confirmation value is derived from the ClientHelloInner's random
	value and the transcript up to and including the HRR. If ECH is
	rejected, the confirmation value is replaced with 8 random bytes.

	This nessecitates several further changes to the control flow of HRR
	generation and handling. Firstly, the HRR must be generated in two
	passes, firstly with a placeholder value of zero bytes instead of
	the confirmation value, then secondly with the true confirmation
	value. Further, if the server accepts ECH in the HRR, it cannot
	change its mind when processing the second client hello.

	If ECH is rejected and the HRR confirmation value is instead a
	random value, the (stateless) server must be able to regenerate the
	correct confirmation value. This patch adds the GREASEd value to the
	HRR cookie, increasing its size by 8 bytes. In order to prevent a
	network observer from distinguishing whether ECH was accepted, these
	8 bytes are used whether or not ECH is accepted.

	On the client side, the HRR with zeroed confirmation value must be
	added to the transcript when calculating the confirmation value.
	Unlike a PSK extension, the HRR ECH Extension can appear in any
	position and so the extension handler stores a pointer into the
	server hello buffer..

	[ea556051e745]

	* gtests/ssl_gtest/tls_connect.cc, gtests/ssl_gtest/tls_connect.h,
	gtests/ssl_gtest/tls_ech_unittest.cc, lib/ssl/tls13ech.c:
	Bug 1677181 - Client side ECH padding r=mt

	ECH-13 adds an optional padding field to ClientHelloInners prior to
	encryption. New tests check that clients correctly pad different
	length SNIs and that servers correctly reject invalid padding.

	[eb122ac1965f]

	* gtests/ssl_gtest/tls_ech_unittest.cc, lib/ssl/ssl3ext.c,
	lib/ssl/tls13ech.c:
	Bug 1725938 - Stricter ClientHelloInner Decompression. r=mt.

	Decompression is now a linear scan, ensuring the same CHO extension
	is never considered for inclusion more than once. The added tests
	check that duplicate or out of order references are now rejected.

	[9e1a409b15d3]

	* automation/abi-check/expected-report-libssl3.so.txt,
	gtests/ssl_gtest/tls_ech_unittest.cc, lib/ssl/ssl3con.c,
	lib/ssl/ssl3ext.c, lib/ssl/sslexp.h, lib/ssl/tls13con.c,
	lib/ssl/tls13ech.c, lib/ssl/tls13ech.h, lib/ssl/tls13exthandle.c,
	lib/ssl/tls13exthandle.h:
	Bug 1725938 - Remove ECH_inner extension, use new enum format. r=mt

	Draft-13 removes the ECH_inner extension and instead uses an enum
	inside the encrypted client hello extension. The handler for the
	ECH_inner extension is removed and the ECH extension handler is now
	split into two cases, tls13_ServerHandleInnerEchXtn is called on the
	ClientHelloInner and checks for the presence of the correct inner
	extension. tls13_ServerHandleOuterEchXtn is called on the
	ClientHelloOuter, it either parses the Outer ECH Extension or, if
	operating in split mode, tolerates the inner extension.

	[6da26e8be8c5]

	* gtests/ssl_gtest/tls_ech_unittest.cc, lib/ssl/sslt.h,
	lib/ssl/tls13ech.c, lib/ssl/tls13ech.h:
	Bug 1725938 - Update the version number for ECH-13 and adjust the
	ECHConfig size. r=mt

	Tests re-enabled in D130698.

	[6fbfdbf1fe9d]

2021-12-16  Benjamin Beurdouche  <bbeurdouche@mozilla.com>

	* gtests/google_test/VERSION, gtests/google_test/gtest/CMakeLists.txt,
	gtests/google_test/gtest/CONTRIBUTORS,
	gtests/google_test/gtest/README.md,
	gtests/google_test/gtest/cmake/gtest.pc.in,
	gtests/google_test/gtest/cmake/gtest_main.pc.in,
	gtests/google_test/gtest/cmake/internal_utils.cmake,
	gtests/google_test/gtest/docs/Pkgconfig.md,
	gtests/google_test/gtest/docs/README.md,
	gtests/google_test/gtest/docs/advanced.md,
	gtests/google_test/gtest/docs/faq.md,
	gtests/google_test/gtest/docs/primer.md,
	gtests/google_test/gtest/docs/pump_manual.md,
	gtests/google_test/gtest/docs/samples.md,
	gtests/google_test/gtest/include/gtest/gtest-death-test.h,
	gtests/google_test/gtest/include/gtest/gtest-matchers.h,
	gtests/google_test/gtest/include/gtest/gtest-message.h,
	gtests/google_test/gtest/include/gtest/gtest-param-test.h,
	gtests/google_test/gtest/include/gtest/gtest-printers.h,
	gtests/google_test/gtest/include/gtest/gtest-spi.h,
	gtests/google_test/gtest/include/gtest/gtest-test-part.h,
	gtests/google_test/gtest/include/gtest/gtest-typed-test.h,
	gtests/google_test/gtest/include/gtest/gtest.h,
	gtests/google_test/gtest/include/gtest/gtest_pred_impl.h,
	gtests/google_test/gtest/include/gtest/gtest_prod.h,
	gtests/google_test/gtest/include/gtest/internal/custom/gtest-port.h,
	gtests/google_test/gtest/include/gtest/internal/custom/gtest-
	printers.h,
	gtests/google_test/gtest/include/gtest/internal/custom/gtest.h,
	gtests/google_test/gtest/include/gtest/internal/gtest-death-test-
	internal.h, gtests/google_test/gtest/include/gtest/internal/gtest-
	filepath.h, gtests/google_test/gtest/include/gtest/internal/gtest-
	internal.h, gtests/google_test/gtest/include/gtest/internal/gtest-
	param-util.h, gtests/google_test/gtest/include/gtest/internal/gtest-
	port-arch.h, gtests/google_test/gtest/include/gtest/internal/gtest-
	port.h, gtests/google_test/gtest/include/gtest/internal/gtest-
	string.h, gtests/google_test/gtest/include/gtest/internal/gtest-
	type-util.h, gtests/google_test/gtest/include/gtest/internal/gtest-
	type-util.h.pump, gtests/google_test/gtest/samples/prime_tables.h,
	gtests/google_test/gtest/samples/sample1.cc,
	gtests/google_test/gtest/samples/sample1.h,
	gtests/google_test/gtest/samples/sample10_unittest.cc,
	gtests/google_test/gtest/samples/sample2.cc,
	gtests/google_test/gtest/samples/sample2.h,
	gtests/google_test/gtest/samples/sample2_unittest.cc,
	gtests/google_test/gtest/samples/sample3-inl.h,
	gtests/google_test/gtest/samples/sample3_unittest.cc,
	gtests/google_test/gtest/samples/sample4.h,
	gtests/google_test/gtest/samples/sample5_unittest.cc,
	gtests/google_test/gtest/samples/sample6_unittest.cc,
	gtests/google_test/gtest/samples/sample7_unittest.cc,
	gtests/google_test/gtest/samples/sample8_unittest.cc,
	gtests/google_test/gtest/samples/sample9_unittest.cc,
	gtests/google_test/gtest/scripts/README.md,
	gtests/google_test/gtest/scripts/gen_gtest_pred_impl.py,
	gtests/google_test/gtest/scripts/pump.py,
	gtests/google_test/gtest/scripts/release_docs.py,
	gtests/google_test/gtest/scripts/run_with_path.py,
	gtests/google_test/gtest/scripts/upload.py,
	gtests/google_test/gtest/src/gtest-death-test.cc,
	gtests/google_test/gtest/src/gtest-filepath.cc,
	gtests/google_test/gtest/src/gtest-internal-inl.h,
	gtests/google_test/gtest/src/gtest-matchers.cc,
	gtests/google_test/gtest/src/gtest-port.cc,
	gtests/google_test/gtest/src/gtest-printers.cc,
	gtests/google_test/gtest/src/gtest-test-part.cc,
	gtests/google_test/gtest/src/gtest-typed-test.cc,
	gtests/google_test/gtest/src/gtest.cc,
	gtests/google_test/gtest/src/gtest_main.cc,
	gtests/google_test/gtest/test/BUILD.bazel,
	gtests/google_test/gtest/test/googletest-catch-exceptions-test_.cc,
	gtests/google_test/gtest/test/googletest-death-test-test.cc,
	gtests/google_test/gtest/test/googletest-death-test_ex_test.cc,
	gtests/google_test/gtest/test/googletest-env-var-test.py,
	gtests/google_test/gtest/test/googletest-env-var-test_.cc,
	gtests/google_test/gtest/test/googletest-failfast-unittest.py,
	gtests/google_test/gtest/test/googletest-failfast-unittest_.cc,
	gtests/google_test/gtest/test/googletest-filepath-test.cc,
	gtests/google_test/gtest/test/googletest-filter-unittest_.cc,
	gtests/google_test/gtest/test/googletest-global-environment-
	unittest.py, gtests/google_test/gtest/test/googletest-global-
	environment-unittest_.cc, gtests/google_test/gtest/test/googletest-
	json-output-unittest.py, gtests/google_test/gtest/test/googletest-
	list-tests-unittest_.cc, gtests/google_test/gtest/test/googletest-
	listener-test.cc, gtests/google_test/gtest/test/googletest-message-
	test.cc, gtests/google_test/gtest/test/googletest-options-test.cc,
	gtests/google_test/gtest/test/googletest-output-test-golden-lin.txt,
	gtests/google_test/gtest/test/googletest-output-test.py,
	gtests/google_test/gtest/test/googletest-output-test_.cc,
	gtests/google_test/gtest/test/googletest-param-test-invalid-
	name1-test_.cc, gtests/google_test/gtest/test/googletest-param-test-
	invalid-name2-test_.cc, gtests/google_test/gtest/test/googletest-
	param-test-test.cc, gtests/google_test/gtest/test/googletest-param-
	test-test.h, gtests/google_test/gtest/test/googletest-param-
	test2-test.cc, gtests/google_test/gtest/test/googletest-port-
	test.cc, gtests/google_test/gtest/test/googletest-printers-test.cc,
	gtests/google_test/gtest/test/googletest-setuptestsuite-test.py,
	gtests/google_test/gtest/test/googletest-setuptestsuite-test_.cc,
	gtests/google_test/gtest/test/googletest-shuffle-test_.cc,
	gtests/google_test/gtest/test/googletest-test-part-test.cc,
	gtests/google_test/gtest/test/googletest-test2_test.cc,
	gtests/google_test/gtest/test/googletest-throw-on-failure-test_.cc,
	gtests/google_test/gtest/test/gtest-typed-test2_test.cc,
	gtests/google_test/gtest/test/gtest-typed-test_test.cc,
	gtests/google_test/gtest/test/gtest-typed-test_test.h,
	gtests/google_test/gtest/test/gtest-unittest-api_test.cc,
	gtests/google_test/gtest/test/gtest_assert_by_exception_test.cc,
	gtests/google_test/gtest/test/gtest_environment_test.cc,
	gtests/google_test/gtest/test/gtest_help_test.py,
	gtests/google_test/gtest/test/gtest_list_output_unittest.py,
	gtests/google_test/gtest/test/gtest_list_output_unittest_.cc,
	gtests/google_test/gtest/test/gtest_pred_impl_unittest.cc,
	gtests/google_test/gtest/test/gtest_premature_exit_test.cc,
	gtests/google_test/gtest/test/gtest_repeat_test.cc,
	gtests/google_test/gtest/test/gtest_skip_check_output_test.py,
	gtests/google_test/gtest/test/gtest_skip_test.cc,
	gtests/google_test/gtest/test/gtest_stress_test.cc,
	gtests/google_test/gtest/test/gtest_test_utils.py,
	gtests/google_test/gtest/test/gtest_throw_on_failure_ex_test.cc,
	gtests/google_test/gtest/test/gtest_unittest.cc,
	gtests/google_test/gtest/test/gtest_xml_outfiles_test.py,
	gtests/google_test/gtest/test/gtest_xml_output_unittest.py,
	gtests/google_test/gtest/test/gtest_xml_output_unittest_.cc,
	gtests/google_test/gtest/test/gtest_xml_test_utils.py,
	gtests/google_test/gtest/test/production.h,
	gtests/google_test/update.sh:
	Backed out changeset 50f5a60523ca (Bug 1741688 - Update googletest
	to 1.11.0) due to CI failures
	[1831460a6f34]

2021-12-15  Benjamin Beurdouche  <bbeurdouche@mozilla.com>

	* automation/abi-check/previous-nss-release, lib/nss/nss.h,
	lib/softoken/softkver.h, lib/util/nssutil.h:
	Set version numbers to 3.74
	[0ed371bb42ac]
```

Differential Revision: https://phabricator.services.mozilla.com/D134705
 2021-12-27 14:32:11 +00:00
Benjamin Beurdouche 9d4b719a04 Bug 1738222 - land NSS 4b8ce9641338 UPGRADE_NSS_RELEASE, r=jschanck 
Differential Revision: https://phabricator.services.mozilla.com/D131519
 2021-11-18 18:55:20 +00:00
Dennis Jackson 2858bd1345 Bug 1733374 - land NSS de3db3a55aef UPGRADE_NSS_RELEASE, r=bbeurdouche 
Differential Revision: https://phabricator.services.mozilla.com/D128763
 2021-10-18 16:54:04 +00:00
Benjamin Beurdouche 4fcdfbc981 Bug 1729163 - land NSS 2199f01d7f1e UPGRADE_NSS_RELEASE, r=beurdouche 
Differential Revision: https://phabricator.services.mozilla.com/D125872
 2021-09-16 19:27:33 +00:00
Benjamin Beurdouche 9eb74dd71e Bug 1724869 - land NSS NSS_3_70_BETA1 UPGRADE_NSS_RELEASE, r=jschanck 
```
2021-08-26  Benjamin Beurdouche  <bbeurdouche@mozilla.com>

	* lib/ssl/tls13con.c:
	Backed out changeset fae49696d374
	[e55700ee052e] [NSS_3_70_BETA1] <NSS_3_70_BRANCH>

	* tests/tlsfuzzer/config.json.in, tests/tlsfuzzer/tlsfuzzer.sh:
	Backed out changeset 7c3a0a99f7fa
	[e79531c04e6b] <NSS_3_70_BRANCH>

	* automation/abi-check/previous-nss-release, lib/nss/nss.h,
	lib/softoken/softkver.h, lib/util/nssutil.h:
	Set version numbers to 3.70 Beta
	[cc0d44da6a0e]

2021-08-26  John M. Schanck  <jschanck@mozilla.com>

	* tests/tlsfuzzer/config.json.in, tests/tlsfuzzer/tlsfuzzer.sh:
	Bug 1662515 - Enable tlsfuzzer/test-tls13-zero-content-type.py
	r=bbeurdouche,djackson

	[7c3a0a99f7fa]

2021-08-26  Benjamin Beurdouche  <bbeurdouche@mozilla.com>

	* lib/ssl/tls13con.c:
	Bug 1662515 - Fix incorrect alert after successful decryption
	r=djackson

	[fae49696d374]

2021-08-24  Robert Relyea  <rrelyea@redhat.com>

	* tests/cert/cert.sh, tests/common/init.sh, tests/sdr/sdr.sh:
	Bug 1726022 Update test case to verify fix.

	Updated test cases to verify pbe caching fix. NOTE: putting
	passwords on databases are key to reproducing the original issue.

	[ff19b674c468]

2021-08-24  John M. Schanck  <jschanck@mozilla.com>

	* gtests/ssl_gtest/tls_ech_unittest.cc:
	Bug 1714579 - Explicitly disable downgrade check in
	TlsConnectStreamTls13.EchOuterWith12Max r=nss-reviewers,bbeurdouche

	Depends on D123535

	[608fd450d499]

	* gtests/ssl_gtest/ssl_version_unittest.cc:
	Bug 1714579 - Explicitly disable downgrade check in
	TlsConnectTest.DisableFalseStartOnFallback r=nss-
	reviewers,bbeurdouche

	Depends on D122988

	[7bd94de62243]

2021-08-24  Benjamin Beurdouche  <bbeurdouche@mozilla.com>

	* lib/util/nssb64d.c:
	Formatting for lib/util
	[db95b15ce1ff]

2021-08-24  John M. Schanck  <jschanck@mozilla.com>

	* lib/util/nssb64d.c:
	Bug 1681975 - Avoid using a lookup table in nssb64d r=bbeurdouche

	[d454db6ad1fb]

2021-08-24  Benjamin Beurdouche  <bbeurdouche@mozilla.com>

	* lib/freebl/sha512.c:
	Bug 1724629 - Use HW accelerated SHA2 on AArch64 Big Endian.
	r=jschanck

	[7e31b8f7f741]

2021-08-24  John M. Schanck  <jschanck@mozilla.com>

	* lib/ssl/sslsock.c:
	Bug 1714579 Change default value of enableHelloDowngradeCheck to
	true r=mt

	Firefox sets enableHelloDowngradeCheck to true by default, as of
	[1576790](https://bugzilla.mozilla.org/show_bug.cgi?id=1576790). We
	have a two year old open issue noting some issues with that
	[1590870](https://bugzilla.mozilla.org/show_bug.cgi?id=1590870), but
	I see no reason not to update the default in NSS.

	[52137aa125f5]

2021-08-24  Benjamin Beurdouche  <bbeurdouche@mozilla.com>

	* gtests/pk11_gtest/pk11_hpke_unittest.cc:
	Formatting for gtests/pk11_gtest/pk11_hpke_unittest.cc r=jschanck

	The clang-format target was failing.
	https://treeherder.mozilla.org/logviewer?job_id=348100377&repo=nss-
	try

	[36bc1c231bf6]
```

Differential Revision: https://phabricator.services.mozilla.com/D123784
 2021-08-26 17:45:23 +00:00
Benjamin Beurdouche 46e2563077 Bug 1724869 - land NSS 56238350052a UPGRADE_NSS_RELEASE, r=djackson 
Differential Revision: https://phabricator.services.mozilla.com/D122202
 2021-08-10 09:52:10 +00:00
Benjamin Beurdouche fbf40a7e56 Bug 1720464 - land NSS b1eac8c86e99 UPGRADE_NSS_RELEASE, r=beurdouche 
Differential Revision: https://phabricator.services.mozilla.com/D119914
 2021-07-14 20:05:21 +00:00
Benjamin Beurdouche e070f79f95 Bug 1715772 - land NSS NSS_3_68_BETA1 UPGRADE_NSS_RELEASE, r=beurdouche 
```
2021-07-01  Benjamin Beurdouche  <bbeurdouche@mozilla.com>

	* automation/release/nspr-version.txt:
	Bug 1717452 - NSS 3.68 should depend on NSPR 4.32. r=kaie

	[352fca8a348e] [NSS_3_68_BETA1]

2021-06-30  Robert Relyea  <rrelyea@redhat.com>

	* gtests/pk11_gtest/pk11_aeskeywrappad_unittest.cc,
	gtests/pk11_gtest/pk11_ecdsa_unittest.cc,
	gtests/pk11_gtest/pk11_keygen.cc, gtests/pk11_gtest/pk11_keygen.h,
	gtests/pk11_gtest/pk11_signature_test.cc,
	gtests/pk11_gtest/pk11_signature_test.h,
	gtests/ssl_gtest/libssl_internals.c, lib/pk11wrap/pk11pk12.c:
	Bug 1693206 - Implement PKCS8 export of ECDSA keys patch by
	Christoph Walcher r=rrelyea, bbeurdouche
	[9343c18b4df7]

2021-06-25  Martin Thomson  <mt@lowentropy.net>

	* gtests/ssl_gtest/ssl_extension_unittest.cc, lib/ssl/ssl3prot.h,
	lib/ssl/sslproto.h, lib/ssl/tls13con.c:
	Bug 1712883 - DTLS 1.3 draft-43 r=bbeurdouche

	[b2178fe9d27b]

2021-06-25  Makoto Kato  <m_kato@ga2.so-net.ne.jp>

	* automation/taskcluster/graph/src/extend.js, coreconf/WIN32.mk,
	coreconf/config.gypi, lib/freebl/Makefile, lib/freebl/freebl.gyp,
	lib/freebl/sha256-x86.c, lib/freebl/sha512.c:
	Bug 1655493 - Support SHA2 HW acceleration using Intel SHA
	Extension. r=bbeurdouche

	Before applying (on Ryzen 9 3900X) ``` # mode in opreps cxreps
	context op time(sec) thrgput sha256_e 1Gb 208Mb 23M 0 0.000
	10000.000 10.000 123Mb 301Kb ```

	After applying ``` # mode in opreps cxreps context op time(sec)
	thrgput sha256_e 5Gb 797Mb 110M 0 0.000 10000.000 10.000 591Mb 769Kb
	```

	[65a7c7b3f182]

2021-05-31  Martin Thomson  <mt@lowentropy.net>

	* gtests/ssl_gtest/libssl_internals.c,
	gtests/ssl_gtest/libssl_internals.h,
	gtests/ssl_gtest/tls_ech_unittest.cc, lib/ssl/manifest.mn,
	lib/ssl/ssl.gyp, lib/ssl/tls13ech.c, lib/ssl/tls13ech.h,
	lib/ssl/tls13echv.c, lib/util/seccomon.h:
	Bug 1713562 - Validate ECH public names, r=bbeurdouche

	This validates that they are LDH (with underscore because we don't
	hate freedom), but that they are not IP addresses. This invokes the
	horrible WhatWG IP parsing routines, so that it recognizes a vast
	array of crazy address formats (thanks 1980s design).

	[ac81f721cbbf]
```

Differential Revision: https://phabricator.services.mozilla.com/D119026
 2021-07-02 12:56:36 +00:00
Benjamin Beurdouche efe58e9863 Bug 1715772 - land NSS 0262a919f909 UPGRADE_NSS_RELEASE, r=beurdouche 
Differential Revision: https://phabricator.services.mozilla.com/D118702
 2021-06-24 10:56:58 +00:00
Julien Cristau 8376ac4322 Bug 1713766 - land NSS NSS_3_67_RTM UPGRADE_NSS_RELEASE, r=bbeurdouche,aryx 
Differential Revision: https://phabricator.services.mozilla.com/D117422
 2021-06-10 13:25:03 +00:00
Benjamin Beurdouche f3bb5ed250 Bug 1711262 - land NSS 40edc4f4c117 UPGRADE_NSS_RELEASE, r=beurdouche 
2021-05-11  Robert Relyea  <rrelyea@redhat.com>

	* automation/abi-check/expected-report-libnss3.so.txt, automation/abi-
	check/expected-report-libssl3.so.txt, cmd/selfserv/selfserv.c,
	cmd/strsclnt/strsclnt.c, cmd/tstclnt/tstclnt.c, lib/nss/nss.def,
	lib/pk11wrap/pk11cxt.c, lib/pk11wrap/pk11load.c,
	lib/pk11wrap/pk11obj.c, lib/pk11wrap/pk11priv.h,
	lib/pk11wrap/pk11pub.h, lib/pk11wrap/pk11slot.c,
	lib/pk11wrap/secmodt.h, lib/softoken/config.mk,
	lib/softoken/fips_algorithms.h, lib/softoken/fipstokn.c,
	lib/softoken/pkcs11.c, lib/softoken/pkcs11c.c,
	lib/softoken/pkcs11i.h, lib/softoken/pkcs11u.c,
	lib/softoken/sftkmessage.c, lib/ssl/ssl3con.c, lib/ssl/sslimpl.h,
	lib/ssl/sslinfo.c, lib/ssl/sslt.h, lib/util/pkcs11n.h,
	tests/ssl/ssl.sh, tests/ssl/sslcov.txt:
	Bug 1710773 NSS needs FIPS 180-3 FIPS indicators. r=mt

	Changes from the review: The while loop was taken out of it's
	subshell pipe, which prevented the selfserv PID from being passed on
	to the final selfserv-kill. This eventally lead to a freeze on
	windows.

	The last paragraph of ISO 19790:2012 section 7.2.4.2 states:

	All services shall [02.24] provide an indicator when the service
	utilises an approved cryptographic algorithm, security function or
	process in an approved manner and those services or processes
	specified in 7.4.3

	This means our libraries need to grow an API or provide some
	additional information via contexts or similar in order for an
	application to be able to query this indicator. This can't be just a
	Security Policy description because ISO 24759:2017 section 6.2.4.2
	states:

	TE02.24.02: The tester shall execute all services and verify that
	the indicator provides an unambiguous indication of whether the
	service utilizes an approved cryptographic algorithm, security
	function or process in an approved manner or not.

	The indicator can't be just a marker over an algorithm either,
	because it needs to show different values based on whether the
	algorithm parameters causes the algorithm to run in approved or non-
	approved mode (ie keys outside of valid range for RSA means RSA is
	being used in non-approved mode ...)

	For NSS, there is a PKCS #11 design: https://docs.google.com/documen
	t/d/1Me9YksPE7K1Suvk9Ls5PqJXPpDmpAboLsrq0z54m_tA/edit?usp=sharing

	This patch implments the above design as well as: 1) NSS proper
	functions to access these indicators from either the pk11wrap layer
	or the ssl layer. 2) Updates to the ssl tests which will output the
	value of the

	Changes decription by file: cmd/selfserv/selfserv.c Add a FIPS
	indicator if the connection was excuted in FIPS mode on a FIPS
	token. cmd/strsclnt/strsclnt.c Add a FIPS indicator if the
	connection was excuted in FIPS mode on a FIPS token.
	cmd/tstclnt/tstclnt.c Add a FIPS indicator if the connection was
	excuted in FIPS mode on a FIPS token. lib/nss/nss.def Add the new
	pk11 functions to access the fips indicator. lib/pk11wrap/pk11cxt.c
	Implement a function to get the FIPS indicator for the current
	PK11Context. lib/pk11wrap/pk11load.c Get the fips indicator function
	from the PKCS #11 module using the vendor function interface from
	PKCS #11 v3.0 lib/pk11wrap/pk11obj.c Implement a function to get the
	FIPS indicator for a specific PKCS #11 object.
	lib/pk11wrap/pk11priv.h Add a generalized helper function to get the
	FIPS indicator used by all the other exported functions to get FIPS
	indicator. lib/pk11wrap/pk11pub.h Add function to get the FIPS
	indicator for the current PK11Context. lib/pk11wrap/pk11slot.c
	Implement a generalized helper function to get the FIPS indicator.
	Implement a function to get the FIPS indicator for the latest single
	shot operation on the slot. lib/pk11wrap/secmodt.h Add a new field
	to hold the fipsIndicator function. lib/softoken/fips_algorithms.h
	New sample header which vendors can replace with their own table. In
	the default NSS case, the table in this header will be empty.
	lib/softoken/fipstokn.c Add Vendor specific interface for the FIPS
	indicator to the FIPS token. lib/softoken/pkcs11.c Add Vendor
	specific interface for the FIPS indicator to the non-FIPS token.
	Factor out the code tha maps an attribute value to a mechanism flag
	to it's own file so it can be used by other parts of softoken. (new
	function is in pkcs11u.c Implement the function that returns the
	FIPS indicator. This function fetches the indicator from either the
	session or the object or both. The session indicator is in the
	crypto context (except the last operation indicator, which is in the
	session itself. The object indicator is in the base object.
	lib/softoken/pkcs11c.c Record the FIPS indicator in the various
	helper function.
	    - sftk_TerminateOp is called when a crypto operation had been
	finalized, so we can store that fips indicator in the lastOpWasFIPS
	field.
	    - sftk_InitGeneric is called when a crypto operation has been
	initialized, so we can make a preliminary determination if the
	operation is within the FIPS policy (could later change bases on
	other operations. For this to work, we need the actual mechanism, so
	pMechanism is now a parameter to sftk_InitGeneric.
	    - sftk_HKDF - HKDF when used in TLS has the unusual characteristic
	that the salt could actually be a key. In this case, usually the
	base key is some known public value which would not be FIPS
	generated, but the security is based on whether the salt is really a
	FIPS generated key. In this case we redo the calculation based on
	the salt key. lib/softoken/pkcs11i.h
	    - add the FIPS indicators to the various structures (crypto contexts,
	sessions, objects).
	    - add the FIPS indicators function list
	    - add pMechanism the the sftkInitGeneric function.
	    - add the helper function to map Attribute Types to Mechanism Flags.
	    - add the function that will look up the current operation in the FIPS
	table to determine that it is allowed by policy.
	lib/softoken/pkcs11u.c
	    - include the new fips_algorithms.h (if NSS_FIPS_DISABLED is not on)
	    - handle the FIPS status for objects and session on creation an copy.
	    - implement the helper function to map Attribute Types to Mechanism
	Flags.
	    - get the key length of a key. This involves getting the key type and
	then using the key type to determin the appropriate attribute to
	fetch. Most keys it's simply the CKA_VALUE. ECC is special, we get
	the key length from the curve. Since only a subset of curves can be
	FIPS Curves, we use key length to return false for other curves.
	    - the handle special function handles any unusal semantics for various
	mechanism types. This function precodes possible mechanism semantics
	we may need to check. The special handling can be selected by the
	mechanism table in fips_algorithms.h
	    - sftk_operationIsFIPS - the actual function to determine if the
	givelib/n operation is in the FIPS table. lib/softoken/sftkmessage.c
	    - just need to update the sftk_InitGeneric function to pass the
	mechanism. lib/ssl/ssl3con.c
	    - and functions to query the underlying crypto contexts to see if the
	current ssl session is running in FIPS approved mode based on the
	security policy. It does so by checking the CipherSpecIsFIPS
	function to verify that both the mac and the encryption algorithm
	FIPS conforms to the ciphers in the security profile (using
	PK11_GetFIPSStatus). We check both the cipher specs for read and
	write. These underlying specs depends on the keys used in these
	specs being generated with FIPS approved algorithms as well, so this
	verifies the kea and kdf functions as well. lib/ssl/sslimpl.h
	   - ass ssl_isFIPS() so it can be used by other files here in the ssl
	directory. lib/ssl/sslinfo.c
	   - set the new isFIPS field in the existing sslinfo structure.
	SSL_GetChannelInfo knows how to handle sslinfo structures that are
	smaller then expected and larger than expected. unknown fields will
	be set to '0' (so new applications running against old versions will
	always get zero for new fields). sslinfo that are smaller will only
	return a the subset the calling application expects (so old
	applications will not get the new fields). lib/ssl/sslt.h
	    - Add the new isFIPS field (must be at the end of the ChannelInfo
	structure). lib/util/pkcs11n.h
	    - add the new FIPS indicator defines. tests/ssl/ssl.h
	    - The main changes was to turn on verbose for the coverage tests so we
	can test the FIPS indicators on various cipher suites. NOTE: this
	only works with either NSS_TEST_FIPS_ALGORIHTMS set, or a vendor
	fips_algorthims.h, so vendors will need to do their own test
	interpretation. While working in ssl.sh I fixed an number of other
	issues:
	    - many tests that were skipped in FIPS mode were skipped not because
	they didn't work in FIPS mode, but because tstclnt requires a
	password when running in FIPS mode. I've now added the password if
	the function is running in fips mode and removed the fips
	restrictions.
	    - dtls had a race condition. the server side needed to come up before
	the client, but couldn't end before the client ran. We already had a
	sleep to guarrentee the former, I added a sleep before sending the
	server it's data to handle the latter.
	    - CURVE25519 is the default ECC curve, but it's not a fiPS curve, so I
	disable it in FIPS mode so we will actually get FIPS indicators when
	using ECDHE.
	    - I added TLS 1.3 to the coverage tests.

	[40edc4f4c117] [tip]

Differential Revision: https://phabricator.services.mozilla.com/D115625
 2021-05-20 17:42:35 +00:00
Benjamin Beurdouche bde2949605 Bug 1711262 - land NSS 8c299ec6b2bc UPGRADE_NSS_RELEASE, r=beurdouche 
Differential Revision: https://phabricator.services.mozilla.com/D115395
 2021-05-18 18:23:25 +00:00
Benjamin Beurdouche 6f107407c9 Bug 1705477 - land NSS 1d066793c349 UPGRADE_NSS_RELEASE, r=beurdouche 
2021-05-06  Martin Thomson  <mt@lowentropy.net>

	* gtests/pk11_gtest/pk11_hpke_unittest.cc:
	Bug 1709750 - Disable HPKE test when fuzzing, r=bbeurdouche

	[1d066793c349] [tip]

2021-05-05  Benjamin Beurdouche  <bbeurdouche@mozilla.com>

	* lib/freebl/ppc-gcm-wrap.c, lib/freebl/ppc-gcm.h:
	Bug 1566124 - Clang format run. r=beurdouche
	[cb714d62058c]

2021-05-05  mamonet  <maamoun.tk@gmail.com>

	* lib/freebl/Makefile, lib/freebl/freebl.gyp, lib/freebl/ppc-gcm-
	wrap.c, lib/freebl/ppc-gcm.h, lib/freebl/ppc-gcm.s,
	lib/freebl/rijndael.c:

	[1133fef2f7ce]

2021-03-17  Martin Thomson  <mt@lowentropy.net>

	* gtests/common/testvectors/hpke-convert.py,
	gtests/common/testvectors/hpke-vectors.h, lib/pk11wrap/pk11hpke.c,
	lib/pk11wrap/pk11hpke.h:
	Bug 1699021 - Add AES-256-GCM to HPKE, r=bbeurdouche

	[9fa53d717386]

	* automation/abi-check/expected-report-libssl3.so.txt,
	cmd/selfserv/selfserv.c, gtests/ssl_gtest/libssl_internals.c,
	gtests/ssl_gtest/libssl_internals.h,
	gtests/ssl_gtest/tls_connect.cc, gtests/ssl_gtest/tls_connect.h,
	gtests/ssl_gtest/tls_ech_unittest.cc, lib/ssl/sslexp.h,
	lib/ssl/sslsock.c, lib/ssl/sslt.h, lib/ssl/tls13ech.c,
	lib/ssl/tls13ech.h, lib/ssl/tls13exthandle.c,
	lib/ssl/tls13hashstate.c, lib/ssl/tls13hashstate.h:
	Bug 1698419 - ECH -10 updates, r=bbeurdouche

	The main changes here are:

	* an update to HPKE -08
	* a move to the single-byte configuration ID
	* reordering of ECHConfig

	The addition of the explicit configuration ID means that the API for
	constructing ECHConfig(List) needs to change. That means a name
	change, unfortunately. I took the opportunity to make further
	changes to the arguments.

	[fa93bd88b690]

2021-03-16  Martin Thomson  <mt@lowentropy.net>

	* coreconf/config.gypi, coreconf/config.mk,
	gtests/common/testvectors/hpke-convert.py,
	gtests/common/testvectors/hpke-vectors.h,
	gtests/pk11_gtest/pk11_hpke_unittest.cc,
	gtests/ssl_gtest/ssl_auth_unittest.cc,
	gtests/ssl_gtest/ssl_tls13compat_unittest.cc,
	gtests/ssl_gtest/tls_ech_unittest.cc, lib/pk11wrap/pk11hpke.c,
	lib/pk11wrap/pk11hpke.h, lib/pk11wrap/pk11pub.h, lib/ssl/tls13ech.c:
	Bug 1692930 - Update HPKE to final version, r=bbeurdouche

	This adds the final HPKE version string.

	This removes the draft version markers from the implementation and
	stops tracking the draft version with the exported syntax.

	I've added the script that I used to convert the JSON test vectors
	from the specification; that should allow us to pick up new tests
	relatively easily, especially if we need to add new algorithms.

	This change breaks several ECH test cases. As fixing those tests is
	extraordinarily fiddly, I'm going to defer making those changes
	until we need to update ECH. As we can't land this code until ECH is
	updated to depend on the final HPKE and until we have coordinated
	with servers on when the ECH update can be deployed, it should be OK
	to defer.

	In short, don't land this without the matching ECH changes.

	[e78141a928f4]

2021-05-04  Robert Relyea  <rrelyea@redhat.com>

	* automation/abi-check/expected-report-libnss3.so.txt,
	cmd/lib/basicutil.h, cmd/lib/secutil.c, cmd/lib/secutil.h,
	cmd/pk12util/pk12util.c, cmd/pp/pp.c, doc/pk12util.xml, doc/pp.xml,
	lib/nss/nss.def, lib/pk11wrap/pk11akey.c, lib/pk11wrap/pk11pub.h,
	lib/pkcs12/p12d.c, lib/pkcs12/p12e.c, lib/pkcs12/p12local.c,
	lib/pkcs12/p12local.h, lib/pkcs12/p12plcy.c, lib/util/secoidt.h,
	tests/tools/tools.sh:
	Bug 1707130 NSS should use modern algorithms in PKCS#12 files by
	default r=mt

	Also fixes: Bug 452464 pk12util -o fails when -C option specifies
	AES or Camellia ciphers

	Related: Bug 1694689 Firefox should use modern algorithms in PKCS#12
	files by default Bug 452471 pk12util -o fails when -c option
	specifies pkcs12v2 PBE ciphers

	 The base of this fix is was a simple 3 line fix in pkcs12.c,
	changing the initial setting of cipher and cert cipher.

	Overview for why this patch is larger than just 3 lines: 1. First
	issue was found in trying to change the mac hashing value. a. While
	the decrypt side knew how to handle SHA2 hashes, the equivalent code
	was not updated on the encrypt side. I refactored that code and
	placed the common function in p12local.c. Now p12e.c and p12d.c
	share common code to find the required function to produce the mac
	key. b. The prf hmac was hard coded to SHA1. I changed the code to
	pass the hmac matching the hashing algorithm for the mac. This
	required changes to p12e.c to calculate and pass the new hmac as
	well and adding new PK11_ExportEncryptedPrivateKey and
	PK11_ExportEncryptedPrivKey to take the PKCS #5 v2 parameters. I
	also corrected an error which prevented pkcs12 encoding of ciphers
	other than AES. 2. Once I've made my changes, I realized we didn't
	have a way of testing them. While we had code that verified that
	particular sets of parameters for pkcs12 worked together and could
	be listed and imported, we didn't have a way to verify what
	algorithms were actually generated by our tools. a. pk12util -l
	doesn't list the encryption used for the certs, so I updated pp to
	take a pkcs12 option. In doing so I had to update pp to handle
	indefinite encoding when decoding blocks. I also factored that
	decoding out in it's own function so the change only needed to be
	placed once. Finally I renabled a function which prints the output
	of an EncryptedPrivate key. This function was disabled long ago when
	the Encrypted Private key info was made private for NSS. It has
	since been exported, so these functions could easily be enabled
	(archeological note: I verified that this disabling was not a recent
	think I found I had done it back when I still have a netscape email
	address;). b. I updated tools.sh to us the new pp -t pkcs12 feature
	to verify that the key encryption, cert encryption, and hash
	functions matched what we expected when we exported a new key. I
	also updated tools.sh to handle the new hash variable option to
	pk12util. c. I discovered several tests commented out with comments
	that the don't work. I enabled those tests and discovered that they
	can now encrypt, but the can't decrypt because of pkcs12 policy. I
	updated the policy code, but I updated it to use the new NSS system
	wide policy mechanism. This enabled all the ciphers to work. There
	is still policy work to do. The pk12 policy currently only prevents
	ciphers from use in decrypting the certificates, not decrypting the
	keys and not encrypting. I left that for future work. 3. New options
	for pp and pk12util were added to the man pages for these tools.

	--------------------------------------------------------------------
	------- With that in mind, here's a file by file description of the
	patch:

	automation/abi-check/expected-report-libnss3.so.txt
	-Add new exported functions. (see lib/nss/nss.def)

	cmd/lib/basicutil.h:
	-Removed the HAVE_EPV_TEMPLATE ifdefs (NSS has exported the Encrypted
	Private Key data structure for a while now.

	cmd/lib/secutil.c: global: Updated several functions to take a const
	char * m (message) rather than a char * m global: Made the various
	PrintPKCS7 return an error code. global: Added a state variable to
	be passed around the various PKCS7 Print functions. It gives the
	proper context to interpret PKCS7 Data Content. PKCS 12 used PKCS7
	to package the various PKCS12 Safes and Bags.
	-Updated SECU_StripTagAndLength to handle indefinite encoding, and to
	set the Error code.
	-Added SECU_ExtractDERAndStep to grab the next DER Tag, Length, and
	Data.
	-Updated secu_PrintRawStringQuotesOptional to remove the inline DER
	parsing and use SECU_ExtractDERAndStep().
	-Updated SECU_PrintEncodedObjectID to return the SECOidTag just like
	SECU_PrintObjectID.
	-Renable SECU_PrintPrivateKey
	-Added secu_PrintPKCS12Attributes to print out the Attributes tied to
	a PKCS #12 Bag
	-Added secu_PrintPKCS12Bag to print out a PKCS #12 Bag
	-Added secu_PrintPKCS7Data, which uses the state to determine what it
	was printing out.
	-Added secu_PrintDERPKCS7ContentInfo which is identical to the global
	function SECU_PrintPKCS7ContentInfo except it takes a state
	variable. The latter function now calls the former.
	-Added secu_PrintPKCS12DigestInfo to print the Hash information of
	the Mac. DigestInfo is the name in the PKCS 12 spec.
	-Added secu_PrintPKCS12MacData to print the Mac portion of the PKCS
	12 file.
	-Added SECU_PrintPKCS12 to print otu the pkcs12 file.

	cmd/lib/secutil.h
	-Added string for pkc12 for the command line of pp reenabled
	SECU_PrintPrivateKey
	-Added SECU_PrintPKCS12 for export.

	cmd/pk12util/pk12util.c
	-Added the -M option to specify a hash algorithm for the mac. updated
	P12U_ExportPKCS12Object: pass the hash algorithm to the
	PasswordIntegrity handler.
	-Added PKCS12U_FindTagFromString: generalized string to SECOidTag
	which only filters based on the oid having a matching PKCS #11
	mechanism. updated PKCS12U_MapCipherFromString to call use
	PKCS12U_FindTagFromString to get the candidate tag before doing it's
	post processing to decide if the tag is really an encryption
	algorithm.
	-Added PKCS12U_MapHashFromString with is like MapCipherFromString
	except it verifies the resulting tag is a hash object.
	-Updated main to 1) change the default cipher, change the default
	certCipher, and process the new hash argument. NOTE: in the old code
	we did not encrypt the certs in FIPS mode. That's because the certs
	were encrypted with RC4 in the default pkcs12 file, which wasn't a
	FIPS algorithm. Since AES is, we can use it independent on whether
	or not we are in FIPS mode.

	cmd/pp/pp.c
	-Added the pkcs12 option which calls SECU_PrintPKCS12 from secutil.c

	lib/nss/nss.def
	-Add exports to the new PK11_ExportEncryptedPrivKeyInfoV2 and
	PK11_ExportEncryptedPrivateKeyInfoV2 (V2 means PKCS 5 v2, not
	Version 2 of ExportEncrypted*Info).
	-Add export for the old HASH_GetHMACOidTagByHashOidTag which should
	have been exported long ago to avoid the proliferation of copies of
	this function in places like ssl.

	lib/pk11wrap/pk11akey.c
	-Add PK11_ExportEncryptedPrivKeyInfoV2 (which the old function now
	calls), which takes the 3 PKCS 5 v2 parameters. The underlying pkcs5
	code can fill in missing tags if necessary, but supplying all three
	gives the caller full control of the underlying pkcs5 PBE used.
	-Add PK11_ExportEncryptedPrivateKeyInfoV2, same as the above function
	except it takes a cert which is used to look up the private key.
	It's the function that pkcs12 actually uses, but the former was
	exported for completeness.

	lib/pk11wrap/pk11pub.h
	-Added the new PK11_ExportEncryptedPriv*KeyInfoV2 functions.

	lib/pkcs12/p12d.c
	-Remove the switch statement and place it in p12local.c so that
	p12e.c can use the same function.

	lib/pkc12/p12e.c
	-Remove the unnecessary privAlg check so we can encode any mechanism
	we support. This only prevented encoding certificates in the pk12
	file, not the keys.
	-add code to get the hmac used in the pbe prf from the integrity
	hash, which is under application control.
	-Do the same for key encryption, then use the new
	PK11_ExportEncryptedPrivateKeyInfo to pass that hash value.
	-Use the new sec_pkcs12_algtag_to_keygen_mech so there is only one
	switch statement to update rather than 2.
	-Update the hash data to old the length of the largest hash rather
	than the length of a SHA1 hash.

	lib/pkcs12/p12local.c
	- Add new function new sec_pkcs12_algtag_to_keygen_mech to factor out
	the common switch statement between p12e and p12d.

	lib/pkcs12/p12local.h
	-Export the new sec_pkcs12_algtag_to_keygen_mech

	lib/pkcs12/p12plcy.c
	-Map the old p12 policy functions to use the new
	NSS_GetAlgorithmPolicy. We keep the old table so that applications
	can change the policy with the old PKCS12 specific defines (so the
	old code keeps working). NOTE: policies now default to true rather
	than false.

	lib/util/secoidt.h
	-Add new NSS_USE_ALG_IN_PKCS12 used by pk11plcy.c NOTE: I have not
	updated the policy table in pk11wrap/pk11pars.c, so we can't yet
	control pkcs12 policy with the nss system policy table. That's a
	patch for another time.

	test/tools/tool.sh
	-global: Remove trailing spaces
	-global: DEFAULT is changed to 'default'
	-Update the PBE mechanism to exactly match the string in secoid.c.
	PKCS #12 does case independent compares, so case doesn't matter
	there, but now I'm comparing to the output of pp, and I didn't want
	to spend the time to figure out case independent compares in bash.
	-Add our defauts and shell variables at the top so there are easy to
	change in the future. export_with_*** have all been colapsed into a
	single export_p12_file which handles taking 'default' and turning
	off that argument.
	-Add for loops for the hash functions.
	-Restore the camellia ciphers back now that they work.
	-Restore the pkcs12V2pbe back now that they work.
	-Collect various pbe types into single variables and use those
	variables in loops
	-Reduce the number of tests ran in optimized mode (which takes 60x
	the time to do a pbe then than debug mode based on a larger
	iterator).
	-Add verify_p12 which dumps out the p12 file and makes sure the
	expected CERT_ENCRYPTION, KEY_ENCRYPTION, and HASH are used.

	doc/pp.xml
	-Add pkcs12 option

	doc/pk12util.xml
	-Add -M option
	-Update synopsis with options in the description but not in the
	synopsis

	[0a1687e1b39e]

Differential Revision: https://phabricator.services.mozilla.com/D114584
 2021-05-07 10:43:16 +00:00
Benjamin Beurdouche 37aa935e43 Bug 1705477 - land NSS c982fb957516 UPGRADE_NSS_RELEASE, r=beurdouche 
Differential Revision: https://phabricator.services.mozilla.com/D114231
 2021-05-04 13:33:25 +00:00
Ryan VanderMeulen 0853554188 Bug 1699657 - land NSS NSS_3_64_RTM UPGRADE_NSS_RELEASE, r=bbeurdouche 
Differential Revision: https://phabricator.services.mozilla.com/D112222
 2021-04-15 16:54:57 +00:00
Benjamin Beurdouche 8d848a2cbe Bug 1694020 - land NSS NSS_3_63_RTM UPGRADE_NSS_RELEASE, r=beurdouche 
Differential Revision: https://phabricator.services.mozilla.com/D108957
 2021-03-19 05:28:36 +00:00
Benjamin Beurdouche f8d14645f7 Bug 1694020 - land NSS 61e70233f80e UPGRADE_NSS_RELEASE, r=beurdouche 
2021-03-10  Benjamin Beurdouche  <bbeurdouche@mozilla.com>

	* cmd/bltest/blapitest.c, lib/freebl/blapi.h,
	lib/freebl/chacha20poly1305-ppc.c, lib/freebl/chacha20poly1305.c,
	lib/freebl/loader.c:
	Bug 1613235 - Clang-format for: POWER ChaCha20 stream cipher vector
	acceleration r=beurdouche

	Depends on D107221

	[61e70233f80e] [tip]

2021-03-10  aoeu  <aoeuh@yandex.ru>

	* cmd/bltest/blapitest.c, lib/freebl/blapi.h, lib/freebl/blapit.h,
	lib/freebl/chacha20poly1305.c, lib/freebl/chacha20poly1305.h,
	lib/freebl/ldvector.c, lib/freebl/loader.c, lib/freebl/loader.h:
	Bug 1613235 - Add POWER ChaCha20 stream cipher vector acceleration.
	r=bbeurdouche

	Depends on D107220

	[4f7ba08bd991]

	* lib/freebl/Makefile, lib/freebl/chacha20-ppc64le.S,
	lib/freebl/chacha20poly1305-ppc.c, lib/freebl/chacha20poly1305.c,
	lib/freebl/freebl.gyp, lib/freebl/freebl_base.gypi:
	Bug 1613235 - Add POWER ChaCha20 stream cipher vector acceleration.
	r=bbeurdouche

	[764124fddaa2]

2021-03-10  Benjamin Beurdouche  <bbeurdouche@mozilla.com>

	* lib/freebl/ecl/ecp_secp384r1.c, lib/freebl/ecl/ecp_secp521r1.c:
	Bug 1697380 - Make a clang-format run on top of helpful
	contributions. r=beurdouche

	Depends on D106881

	[8a9174a78207]

	* lib/freebl/ecl/ecp_secp384r1.c:
	Bug 1683520 - ECCKiila P384, change syntax of nested structs
	initialization to prevent build isses with GCC 4.8. r=bbrumley

	Depends on D102389

	[150cbb169f1e]

2021-03-10  Billy Brumley  <bbrumley@gmail.com>

	* lib/freebl/ecl/ecp_secp384r1.c:
	Bug 1683520 - [lib/freebl/ecl] P-384: allow zero scalars in dual
	scalar multiplication r=bbeurdouche

	[76aca2d944ae]

2021-03-10  Benjamin Beurdouche  <bbeurdouche@mozilla.com>

	* lib/freebl/ecl/ecp_secp521r1.c:
	Bug 1683520 - ECCKiila P521, change syntax of nested structs
	initialization to prevent build isses with GCC 4.8. r=bbrumley

	Depends on D102406

	[5e7affa3ce43]

2021-03-10  Billy Brumley  <bbrumley@gmail.com>

	* lib/freebl/ecl/ecp_secp521r1.c:
	Bug 1683520 - [lib/freebl/ecl] P-521: allow zero scalars in dual
	scalar multiplication r=bbeurdouche

	[a8f4918cd546]

2021-03-08  Benjamin Beurdouche  <bbeurdouche@mozilla.com>

	* automation/taskcluster/scripts/run_hacl.sh,
	lib/freebl/verified/Hacl_Bignum25519_51.h,
	lib/freebl/verified/Hacl_Chacha20.c,
	lib/freebl/verified/Hacl_Chacha20.h,
	lib/freebl/verified/Hacl_Chacha20Poly1305_128.c,
	lib/freebl/verified/Hacl_Chacha20Poly1305_128.h,
	lib/freebl/verified/Hacl_Chacha20Poly1305_256.c,
	lib/freebl/verified/Hacl_Chacha20Poly1305_256.h,
	lib/freebl/verified/Hacl_Chacha20Poly1305_32.c,
	lib/freebl/verified/Hacl_Chacha20Poly1305_32.h,
	lib/freebl/verified/Hacl_Chacha20_Vec128.c,
	lib/freebl/verified/Hacl_Chacha20_Vec128.h,
	lib/freebl/verified/Hacl_Chacha20_Vec256.c,
	lib/freebl/verified/Hacl_Chacha20_Vec256.h,
	lib/freebl/verified/Hacl_Curve25519_51.c,
	lib/freebl/verified/Hacl_Curve25519_51.h,
	lib/freebl/verified/Hacl_Kremlib.h,
	lib/freebl/verified/Hacl_Poly1305_128.c,
	lib/freebl/verified/Hacl_Poly1305_128.h,
	lib/freebl/verified/Hacl_Poly1305_256.c,
	lib/freebl/verified/Hacl_Poly1305_256.h,
	lib/freebl/verified/Hacl_Poly1305_32.c,
	lib/freebl/verified/Hacl_Poly1305_32.h,
	lib/freebl/verified/kremlin/include/kremlin/internal/target.h,
	lib/freebl/verified/kremlin/include/kremlin/internal/types.h,
	lib/freebl/verified/kremlin/kremlib/dist/minimal/FStar_UInt128.h, li
	b/freebl/verified/kremlin/kremlib/dist/minimal/FStar_UInt128_Verifie
	d.h, lib/freebl/verified/kremlin/kremlib/dist/minimal/FStar_UInt_8_1
	6_32_64.h, lib/freebl/verified/kremlin/kremlib/dist/minimal/LowStar_
	Endianness.h, lib/freebl/verified/kremlin/kremlib/dist/minimal/fstar
	_uint128_gcc64.h, lib/freebl/verified/kremlin/kremlib/dist/minimal/f
	star_uint128_msvc.h, lib/freebl/verified/libintvector.h:
	Bug 1696800 - HACL* update March 2021 -
	c95ab70fcb2bc21025d8845281bc4bc8987ca683 r=beurdouche

	[3a85b452dbfa]

Differential Revision: https://phabricator.services.mozilla.com/D107995
 2021-03-11 11:59:55 +00:00
Benjamin Beurdouche 590564d9d4 Bug 1694020 - land NSS 38a91427d65fffd0d7f7d2b6d0bcee7dc8b77a37 UPGRADE_NSS_RELEASE, r=beurdouche 
Differential Revision: https://phabricator.services.mozilla.com/D107084
 2021-03-08 07:43:55 +00:00
Butkovits Atila 043c0bbe2d Backed out changeset 40a2cb2f242b (bug 1694020) on request from beurdouche, UPGRADE_NSS_RELEASE CLOSED TREE 2021-03-03 20:41:33 +02:00
Benjamin Beurdouche dd75eb4204 Bug 1694020 - land NSS 38a91427d65fffd0d7f7d2b6d0bcee7dc8b77a37 UPGRADE_NSS_RELEASE, r=beurdouche 
Differential Revision: https://phabricator.services.mozilla.com/D107084
 2021-03-03 17:24:10 +00:00
Benjamin Beurdouche d901b16ba2 Bug 1688685 - land NSS fc3a4c142c16 UPGRADE_NSS_RELEASE, r=kjacobs 
2021-02-04  Kevin Jacobs  <kjacobs@mozilla.com>

	* gtests/ssl_gtest/ssl_recordsize_unittest.cc, lib/ssl/ssl3ext.c:
	Bug 1690583 - Fix CH padding extension size calculation. r=mt

	Bug 1654332 changed the way that NSS constructs Client Hello
	messages. `ssl_CalculatePaddingExtLen` now receives a
	`clientHelloLength` value that includes the 4B handshake header.
	This looks okay per the inline comment (which states that only the
	record header is omitted from the length), but the function actually
	assumes that the handshake header is also omitted.

	This patch removes the addition of the handshake header length.
	Those bytes are already included in the buffered CH.

	[fc3a4c142c16] [tip]

	* automation/abi-check/expected-report-libnss3.so.txt:
	Bug 1690421 - Adjust 3.62 ABI report formatting for new libabigail.
	r=bbeurdouche

	[a1ed44dba32e]

2021-02-03  Kevin Jacobs  <kjacobs@mozilla.com>

	* automation/taskcluster/docker-builds/Dockerfile:
	Bug 1690421 - Install packaged libabigail in docker-builds image
	r=bbeurdouche

	[3c719b620136]

2021-01-31  Kevin Jacobs  <kjacobs@mozilla.com>

	* cmd/selfserv/selfserv.c, cmd/tstclnt/tstclnt.c,
	lib/ssl/tls13hashstate.c, lib/ssl/tls13hashstate.h:
	Bug 1689228 - Minor ECH -09 fixes for interop testing, fuzzing. r=mt

	A few minor ECH -09 fixes for interop testing and fuzzing:
	- selfserv now takes a PKCS8 keypair for ECH. This is more
	maintainable and significantly less terrible than parsing the
	ECHConfigs and cobbling one together within selfserv (e.g. we can
	support other KEMs without modifying the server).
	- Get rid of the newline character in tstclnt retry_configs output.
	- Fuzzer fixes in tls13_HandleHrrCookie:
	 - We shouldn't use internal_error when PK11_HPKE_ImportContext fails.
	Cookies are unprotected in fuzzer mode, so this can be expected to
	occur.
	 - Only restore the application token when recovering hash state,
	otherwise the copy could happen twice, leaking one of the
	allocations.

	[8bbea1902024]

2021-01-25  Kevin Jacobs  <kjacobs@mozilla.com>

	* lib/ssl/ssl3exthandle.c:
	Bug 1674819 - Fixup a51fae403328, enum type may be signed.
	r=bbeurdouche

	[2004338a2080]

Differential Revision: https://phabricator.services.mozilla.com/D104258
 2021-02-05 21:13:47 +00:00
Kevin Jacobs f9716bc8ab Bug 1688685 - land NSS 92dcda94c1d4 UPGRADE_NSS_RELEASE, r=bbeurdouche 
2021-01-22  Kevin Jacobs  <kjacobs@mozilla.com>

	* automation/abi-check/previous-nss-release, lib/nss/nss.h,
	lib/softoken/softkver.h, lib/util/nssutil.h:
	Set version numbers to 3.62 Beta
	[680ec01577b9]

2021-01-23  Kevin Jacobs  <kjacobs@mozilla.com>

	* tests/chains/scenarios/nameconstraints.cfg,
	tests/libpkix/certs/NameConstraints.ipaca.cert,
	tests/libpkix/certs/NameConstraints.ocsp1.cert:
	Bug 1686134 - Renew two chains libpkix test certificates. r=rrelyea

	[3ddcd845704c]

2021-01-25  Kevin Jacobs  <kjacobs@mozilla.com>

	* gtests/common/testvectors/hpke-vectors.h,
	gtests/pk11_gtest/pk11_hpke_unittest.cc, lib/pk11wrap/pk11hpke.c,
	lib/pk11wrap/pk11hpke.h, lib/pk11wrap/pk11pub.h:
	Bug 1678398 - Update HPKE to draft-07. r=mt

	This patch updates HPKE to draft-07. A few other minor changes are
	included:
	- Refactor HPKE gtests for increased parameterized testing.
	- Replace memcpy calls with PORT_Memcpy
	- Serialization tweaks to make way for context Export/Import (D99277).

	This should not be landed without an ECH update, as fixed ECH test
	vectors will otherwise fail to decrypt.

	[e0bf8cadadc7]

	* automation/abi-check/expected-report-libnss3.so.txt,
	gtests/pk11_gtest/pk11_hpke_unittest.cc, lib/nss/nss.def,
	lib/pk11wrap/pk11hpke.c, lib/pk11wrap/pk11pub.h:
	Bug 1678398 - Add Export/Import functions for HPKE context. r=mt

	This patch adds and exports two new HPKE functions:
	`PK11_HPKE_ExportContext` and `PK11_HPKE_ImportContext`, which are
	used to export a serialized HPKE context, then later reimport that
	context and resume Open and Export operations. Only receiver
	contexts are currently supported for export (see the rationale in
	pk11pub.h).

	One other change introduced here is that `PK11_HPKE_GetEncapPubKey`
	now works as expected on the receiver side.

	If the `wrapKey` argument is provided to the Export/Import
	functions, then the symmetric keys are wrapped with AES Key Wrap
	with Padding (SP800-38F, 6.3) prior to serialization.

	[8bcd12ab3b34]

	* automation/abi-check/expected-report-libssl3.so.txt,
	gtests/ssl_gtest/libssl_internals.c,
	gtests/ssl_gtest/libssl_internals.h,
	gtests/ssl_gtest/ssl_extension_unittest.cc,
	gtests/ssl_gtest/tls_ech_unittest.cc, lib/ssl/ssl3con.c,
	lib/ssl/ssl3ext.c, lib/ssl/ssl3ext.h, lib/ssl/sslexp.h,
	lib/ssl/sslimpl.h, lib/ssl/sslsecur.c, lib/ssl/sslsock.c,
	lib/ssl/sslt.h, lib/ssl/tls13con.c, lib/ssl/tls13con.h,
	lib/ssl/tls13ech.c, lib/ssl/tls13ech.h, lib/ssl/tls13exthandle.c,
	lib/ssl/tls13exthandle.h, lib/ssl/tls13hashstate.c,
	lib/ssl/tls13hashstate.h:
	Bug 1681585 - Update ECH to Draft-09. r=mt

	This patch updates ECH implementation to draft-09. Changes of note
	are:

	- Acceptance signal derivation is now based on the handshake secret.
	- `config_id` hint changes from 32B to 8B, trial decryption added on
	the server.
	- Duplicate code in HRR cookie handling has been consolidated into
	`tls13_HandleHrrCookie`.
	- `ech_is_inner` extension is added, which causes a server to indicate
	ECH acceptance.
	- Per the above, support signaling ECH acceptance when acting as a
	backend server in split-mode (i.e. when there is no other local
	Encrypted Client Hello state).

	[ed07a2e2a124]

2021-01-24  Kevin Jacobs  <kjacobs@mozilla.com>

	* cmd/selfserv/selfserv.c:
	Bug 1681585 - Add ECH support to selfserv. r=mt

	Usage example: mkdir dbdir && cd dbdir certutil -N -d . certutil -S
	-s "CN=ech-public.com" -n ech-public.com -x -t "C,C,C" -m 1234 -d .
	certutil -S -s "CN=ech-private-backend.com" -n ech-private-
	backend.com -x -t "C,C,C" -m 2345 -d . ../dist/Debug/bin/selfserv -a
	ech-public.com -a ech-private-backend.com -n ech-public.com -n ech-
	private-backend.com -p 8443 -d dbdir/ -X publicname:ech-public.com
	(Copy echconfig from selfserv output and paste into the below
	command) ../dist/Debug/bin/tstclnt -D -p 8443 -v -A
	tests/ssl/sslreq.dat -h ech-private-backend.com -o -N <echconfig> -v

	[92dcda94c1d4]

Differential Revision: https://phabricator.services.mozilla.com/D102982
 2021-01-26 15:30:01 +00:00
Kevin Jacobs 7a93d152d6 Bug 1684061 - land NSS NSS_3_61_BETA1 UPGRADE_NSS_RELEASE, r=bbeurdouche 
2021-01-13  Kevin Jacobs  <kjacobs@mozilla.com>

	* automation/taskcluster/graph/src/try_syntax.js:
	Bug 1686557 - Support aarch64-make target in nss-try. r=bbeurdouche

	[68ae9b456b1b] [NSS_3_61_BETA1]

Differential Revision: https://phabricator.services.mozilla.com/D102421
 2021-01-20 17:17:56 +00:00
Kevin Jacobs 1eb47f6133 Bug 1684061 - land NSS 97ef009f7a78 UPGRADE_NSS_RELEASE, r=bbeurdouche 
2020-12-11  Kevin Jacobs  <kjacobs@mozilla.com>

	* automation/abi-check/expected-report-libssl3.so.txt, automation/abi-
	check/previous-nss-release, lib/nss/nss.h, lib/softoken/softkver.h,
	lib/util/nssutil.h:
	Set version numbers to 3.61 Beta
	[f277d2674c80]

	* gtests/<...>
	Bug 1677207 - Update Google Test to release-1.10.0 r=bbeurdouche

	./gtests/google_test/update.sh release-1.10.0 && hg remove -A && hg
	add gtests/google_test/*

	[89141382df45]

	* gtests/<...>
	Bug 1677207 - Replace references to TestCase, which is deprecated,
	with TestSuite r=bbeurdouche

	grep -rl --exclude-dir=google_test INSTANTIATE_TEST_CASE_P gtests |
	xargs sed -i '' s/INSTANTIATE_TEST_CASE_P/INSTANTIATE_TEST_SUITE_P/g
	grep -rl --exclude-dir=google_test SetUpTestCase gtests | xargs sed
	-i '' s/SetUpTestCase/SetUpTestSuite/g

	[e15b78be87fa]

	* gtests/ssl_gtest/ssl_ciphersuite_unittest.cc,
	gtests/ssl_gtest/ssl_debug_env_unittest.cc,
	gtests/ssl_gtest/ssl_extension_unittest.cc,
	gtests/ssl_gtest/ssl_loopback_unittest.cc,
	gtests/ssl_gtest/ssl_renegotiation_unittest.cc,
	gtests/ssl_gtest/ssl_resumption_unittest.cc,
	gtests/ssl_gtest/ssl_version_unittest.cc,
	gtests/ssl_gtest/tls_ech_unittest.cc:
	Bug 1677207 - Use GTEST_SKIP in ssl_gtests. r=bbeurdouche

	[0772f1bf5fd6]

2020-12-17  Robert Relyea  <rrelyea@redhat.com>

	* gtests/common/testvectors/ike-aesxcbc-vectors.h,
	gtests/common/testvectors/ike-sha1-vectors.h,
	gtests/common/testvectors/ike-sha256-vectors.h,
	gtests/common/testvectors/ike-sha384-vectors.h,
	gtests/common/testvectors/ike-sha512-vectors.h,
	gtests/common/testvectors_base/test-structs.h,
	gtests/pk11_gtest/manifest.mn, gtests/pk11_gtest/pk11_gtest.gyp,
	gtests/pk11_gtest/pk11_ike_unittest.cc, lib/softoken/sftkike.c:
	Bug 1682071 IKE Quick mode IPSEC give you incorrect keys if you are
	asking for keys smaller than the hash size.

	IKE Appendix B fixes.

	This patch fixes 2 problems.

	 If you run either ike v1 App B or quick mode asking for a key with
	length

	mod macsize = 0, you will generate an extra block that's not used
	and overwrites the end of the buffer.

	 If you use quick mode, the function incorrectly subsets the
	existing key

	rather than generating a new key. This is correct behavior for
	Appendix B, where appendix B is trying to take a generated key and
	create a new longer key (with no diversification, just transform the
	key into something that's longer), so if you ask for a key less than
	or equal to, then you want to just subset the original key. In quick
	mode you are taking a base key and creating a set of new keys based
	on additional data, so you want to subset the generated data. This
	patch only subsets the original key if you aren't doing quickmode.

	Full test vectors have now been added for all ike modes in this
	patch as well (previously we depended on the FIPS CAVS tests to test
	ike, which covers basic IKEv1, IKEv1_psk, and IKEv2 but not IKEv1
	App B and IKE v1 Quick mode).

	[f4995c9fa185]

2020-12-18  Robert Relyea  <rrelyea@redhat.com>

	* gtests/common/testvectors/rsa_pkcs1_2048_test-vectors.h,
	gtests/common/testvectors/rsa_pkcs1_3072_test-vectors.h,
	gtests/common/testvectors/rsa_pkcs1_4096_test-vectors.h,
	gtests/freebl_gtest/Makefile, gtests/freebl_gtest/manifest.mn,
	gtests/freebl_gtest/rsa_unittest.cc, gtests/manifest.mn,
	gtests/pk11_gtest/pk11_rsaencrypt_unittest.cc,
	gtests/pk11_gtest/pk11_rsaoaep_unittest.cc, lib/freebl/alghmac.c,
	lib/freebl/alghmac.h, lib/freebl/rsapkcs.c:
	Bug 1651411 New tlsfuzzer code can still detect timing issues in RSA
	operations.

	This patch defeats Bleichenbacher by not trying to hide the size of
	the decrypted text, but to hide if the text succeeded for failed.
	This is done by generating a fake returned text that's based on the
	key and the cipher text, so the fake data is always the same for the
	same key and cipher text. Both the length and the plain text are
	generated with a prf.

	Here's the proposed spec the patch codes to:

	 1. Use SHA-256 to hash the private exponent encoded as a big-
	endian integer to a string the same length as the public modulus.
	Keep this value secret. (this is just an optimisation so that the
	implementation doesn't have to serialise the key over and over
	again) 2. Check the length of input according to step one of
	https://tools.ietf.org/html/rfc8017#section-7.2.2 3. When provided
	with a ciphertext, use SHA-256 HMAC(key=hash_from_step1,
	text=ciphertext) to generate the key derivation key 4. Use SHA-256
	HMAC with key derivation key as the key and a two-byte big- endian
	iterator concatenated with byte string "length" with the big- endian
	representation of 2048 (0x0800) as the bit length of the generated
	string.
	      - Iterate this PRF 8 times to generate a 256 byte string 5. initialise
	the length of synthetic message to 0 6. split the PRF output into 2
	byte strings, convert into big-endian integers, zero- out high-order
	bits so that they have the same bit length as the octet length of
	the maximum acceptable message size (k-11), select the last integer
	that is no larger than (k-11) or remain at 0 if no integer is
	smaller than (k-11); this selection needs to be performed using a
	side-channel free operators 7. Use SHA-256 HMAC with key derivation
	key as the key and a two-byte big-endian iterator concatenated with
	byte string "message" with the big-endian representation of k*8
	      - use this PRF to generate k bytes of output (right-truncate last HMAC
	call if the number of generated bytes is not a multiple of SHA-256
	output size) 8. perform the RSA decryption as described in step 2 of
	section 7.2.2 of rfc8017 9. Verify the EM message padding as
	described in step 3 of section 7.2.2 of rfc8017, but instead of
	outputting "decryption error", return the last l bytes of the
	"message" PRF, when l is the selected synthetic message length using
	the "length" PRF, make this decision and copy using side-channel
	free operation

	[fc05574c7399]

2020-12-22  Robert Relyea  <rrelyea@redhat.com>

	* gtests/freebl_gtest/rsa_unittest.cc,
	gtests/pk11_gtest/pk11_rsaoaep_unittest.cc, lib/freebl/alghmac.c,
	lib/freebl/rsapkcs.c:
	Restore lost portion of the bleichenbacher timing batch that
	addressed review comments. All the review comments pertained to
	actual code comments, so this patch only affects the comments.
	[fcebe146314e]

2020-12-22  Kevin Jacobs  <kjacobs@mozilla.com>

	* lib/dev/devslot.c:
	Bug 1682863 - Revert nssSlot_IsTokenPresent to 3.58 after ongoing Fx
	hangs with slow PKCS11 devices. r=bbeurdouche

	This patch reverts the `nssSlot_IsTokenPresent` changes made in bug
	1663661 and bug 1679290, restoring the version used in NSS 3.58 and
	earlier. It's not an actual `hg backout` because the comment in
	lib/dev/devt.h is worth keeping. While removing the nested locking
	did resolve the hang for some (most?) third-party modules, problems
	remain with some slower tokens after an even further relaxation of
	the locking, which defeats the purpose of addressing the races in
	the first place.

	The crash addressed by these patches was caused by the Intermediate
	Preloading Healer in Firefox, which has been disabled. We clearly
	have insufficient test coverage for third-party modules, and now
	that osclientcerts is enabled in Fx Nightly, any problems caused by
	these and similar changes is unlikely to be reported until Fx Beta,
	well after NSS RTM. I think the best option at this point is to
	simply revert NSS.

	[97ef009f7a78] [tip]

Differential Revision: https://phabricator.services.mozilla.com/D100401
 2020-12-23 19:54:31 +00:00
Kevin Jacobs 54a13dccf2 Bug 1677548 - land NSS 3eacb92e9adf UPGRADE_NSS_RELEASE, r=jcj 
2020-11-18  Kevin Jacobs  <kjacobs@mozilla.com>

	* lib/ssl/ssl3con.c, lib/ssl/tls13con.c, lib/ssl/tls13ech.c:
	Bug 1654332 - Fixup a10493dcfcc9: copy ECHConfig.config_id with
	socket r=jcj

	A late review change for ECH was for the server to compute each
	ECHConfig `config_id` when set to the socket, rather than on each
	connection. This works, but now we also need to copy that config_id
	when copying a socket, else the server won't find a matching
	ECHConfig to use for decryption.

	[3eacb92e9adf] [tip]

2020-11-17  Kevin Jacobs  <kjacobs@mozilla.com>

	* automation/abi-check/expected-report-libssl3.so.txt,
	cmd/tstclnt/tstclnt.c, cpputil/tls_parser.h,
	gtests/ssl_gtest/libssl_internals.c,
	gtests/ssl_gtest/libssl_internals.h, gtests/ssl_gtest/manifest.mn,
	gtests/ssl_gtest/ssl_auth_unittest.cc,
	gtests/ssl_gtest/ssl_custext_unittest.cc,
	gtests/ssl_gtest/ssl_extension_unittest.cc,
	gtests/ssl_gtest/ssl_gtest.gyp,
	gtests/ssl_gtest/ssl_tls13compat_unittest.cc,
	gtests/ssl_gtest/tls_agent.cc, gtests/ssl_gtest/tls_agent.h,
	gtests/ssl_gtest/tls_connect.cc, gtests/ssl_gtest/tls_connect.h,
	gtests/ssl_gtest/tls_ech_unittest.cc,
	gtests/ssl_gtest/tls_esni_unittest.cc,
	gtests/ssl_gtest/tls_filter.cc, gtests/ssl_gtest/tls_filter.h,
	lib/ssl/SSLerrs.h, lib/ssl/manifest.mn, lib/ssl/ssl.gyp,
	lib/ssl/ssl3con.c, lib/ssl/ssl3ext.c, lib/ssl/ssl3ext.h,
	lib/ssl/ssl3exthandle.c, lib/ssl/ssl3exthandle.h,
	lib/ssl/ssl3prot.h, lib/ssl/sslencode.c, lib/ssl/sslencode.h,
	lib/ssl/sslerr.h, lib/ssl/sslexp.h, lib/ssl/sslimpl.h,
	lib/ssl/sslinfo.c, lib/ssl/sslsecur.c, lib/ssl/sslsock.c,
	lib/ssl/sslt.h, lib/ssl/tls13con.c, lib/ssl/tls13con.h,
	lib/ssl/tls13ech.c, lib/ssl/tls13ech.h, lib/ssl/tls13esni.c,
	lib/ssl/tls13esni.h, lib/ssl/tls13exthandle.c,
	lib/ssl/tls13exthandle.h, lib/ssl/tls13hashstate.c,
	lib/ssl/tls13hashstate.h:
	Bug 1654332 - Update ESNI to draft-08 (ECH). r=mt

	This patch adds support for Encrypted Client Hello (draft-ietf-tls-
	esni-08), replacing the existing ESNI (draft -02) support.

	There are five new experimental functions to enable this:

	 - SSL_EncodeEchConfig: Generates an encoded (not BASE64) ECHConfig
	given a set of parameters.
	  - SSL_SetClientEchConfigs: Configures the provided ECHConfig to the
	given socket. When configured, an ephemeral HPKE keypair will be
	generated for the CH encryption.
	  - SSL_SetServerEchConfigs: Configures the provided ECHConfig and
	keypair to the socket. The keypair specified will be used for HPKE
	operations in order to decrypt encrypted Client Hellos as they are
	received.
	  - SSL_GetEchRetryConfigs: If ECH is rejected by the server and
	compatible retry_configs are provided, this API allows the
	application to extract those retry_configs for use in a new
	connection.
	  - SSL_EnableTls13GreaseEch: When enabled, non-ECH Client Hellos will
	have a "GREASE ECH" (i.e. fake) extension appended. GREASE ECH is
	disabled by default, as there are known compatibility issues that
	will be addressed in a subsequent draft.

	The following ESNI experimental functions are deprecated by this
	update:

	 - SSL_EncodeESNIKeys
	  - SSL_EnableESNI
	  - SSL_SetESNIKeyPair

	 In order to be used, NSS must be compiled with
	`NSS_ENABLE_DRAFT_HPKE` defined.

	[a10493dcfcc9]

	* lib/ssl/ssl3con.c, lib/ssl/sslencode.c, lib/ssl/sslencode.h,
	lib/ssl/tls13con.c, lib/ssl/tls13con.h:
	Bug 1654332 - Buffered ClientHello construction. r=mt

	This patch refactors construction of Client Hello messages. Instead
	of each component of the message being written separately into
	`ss->sec.ci.sendBuf`, we now construct the message in its own
	sslBuffer. Once complete, the entire message is added to the sendBuf
	via `ssl3_AppendHandshake`.

	`ssl3_SendServerHello` already uses this approach and it becomes
	necessary for ECH, where we use the constructed ClientHello to
	create an inner ClientHello.

	[d40121ba59ba]

2020-11-13  J.C. Jones  <jjones@mozilla.com>

	* automation/abi-check/expected-report-libnss3.so.txt, automation/abi-
	check/expected-report-libnssutil3.so.txt, automation/abi-check
	/previous-nss-release, lib/nss/nss.h, lib/softoken/softkver.h,
	lib/util/nssutil.h:
	Set version numbers to 3.60 Beta
	[5e7b37609f22]

Differential Revision: https://phabricator.services.mozilla.com/D97492
 2020-11-19 18:28:18 +00:00
Kevin Jacobs b838f38de2 Bug 1671713 - land NSS 035110dfa0b9 UPGRADE_NSS_RELEASE, r=bbeurdouche 
2020-10-26  Robert Relyea  <rrelyea@redhat.com>

	* lib/libpkix/pkix_pl_nss/pki/pkix_pl_ocspresponse.c,
	tests/ssl/ssl.sh:
	Bug 1672291 libpkix OCSP failures on SHA1 self-signed root certs
	when SHA1 signatures are disabled. r=mt

	When libpkix is checking an OCSP cert, it can't use the passed in
	set of trust anchors as a base because only the single root that
	signed the leaf can sign the OCSP request. As a result it actually
	checks the signature of the self-signed root when processing an OCSP
	request. This fails of the root cert signature is invalid for any
	reason (including it's a sha1 self-signed root cert and we've
	disabled sha1 signatures (say, by policy)).

	Further investigation indicates the difference between our classic
	code and the current code is the classic code only checks OCSP
	responses on leaf certs. In the real world, those responses are
	signed by intermediate certificates (who won't have sha1 signed
	certificates anymore), so our signature processing works just fine.
	pkix checks OCSP on the intermediate certificates as well, which are
	signed by the root cert. In this case the root cert is a chain of 1,
	and is effectively a leaf. This patch updates the OCSP response code
	to not check the signatures on the single cert if that cert is a
	selfsigned root cert. This requires bug 391476 so we still do the
	other validation checking on the certs (making sure it's trusted as
	a CA).

	[035110dfa0b9] [tip]

2020-10-23  Robert Relyea  <rrelyea@redhat.com>

	* lib/certhigh/certvfypkix.c,
	lib/libpkix/pkix_pl_nss/module/pkix_pl_nsscontext.c,
	lib/libpkix/pkix_pl_nss/module/pkix_pl_nsscontext.h,
	lib/libpkix/pkix_pl_nss/pki/pkix_pl_cert.c,
	lib/libpkix/pkix_pl_nss/pki/pkix_pl_ocspresponse.c,
	tests/ssl/ssl.sh:
	Bug 1672291 libpkix OCSP failures on SHA1 self-signed root certs
	when SHA1 signatures are disabled.

	When libpkix is checking an OCSP cert, it can't use the passed in
	set of trust anchors as a base because only the single root that
	signed the leaf can sign the OCSP request. As a result it actually
	checks the signature of the self-signed root when processing an OCSP
	request. This fails of the root cert signature is invalid for any
	reason (including it's a sha1 self-signed root cert and we've
	disabled sha1 signatures (say, by policy)).

	Further investigation indicates the difference between our classic
	code and the current code is the classic code only checks OCSP
	responses on leaf certs. In the real world, those responses are
	signed by intermediate certificates (who won't have sha1 signed
	certificates anymore), so our signature processing works just fine.
	pkix checks OCSP on the intermediate certificates as well, which are
	signed by the root cert. In this case the root cert is a chain of 1,
	and is effectively a leaf. This patch updates the OCSP response code
	to not check the signatures on the single cert if that cert is a
	selfsigned root cert. This requires bug 391476 so we still do the
	other validation checking on the certs (making sure it's trusted as
	a CA).
	[97f69f7a89a1]

2020-10-26  Kevin Jacobs  <kjacobs@mozilla.com>

	* gtests/ssl_gtest/tls_filter.cc:
	Bug 1644209 - Fix broken SelectedCipherSuiteReplacer filter. r=mt

	This patch corrects the `SelectedCipherSuiteReplacer`filter to
	always parse the `session_id` variable (`legacy_session_id` for TLS
	1.3+). The previous code attempted to skip it in 1.3+ but did not
	account for DTLS wire versions, resulting in intermittent failures.

	[a79d14b06b4a]

2020-10-26  Daiki Ueno  <dueno@redhat.com>

	* gtests/ssl_gtest/ssl_tls13compat_unittest.cc, lib/ssl/ssl3con.c,
	lib/ssl/sslimpl.h:
	Bug 1672703, always tolerate the first CCS in TLS 1.3, r=mt

	Summary: This flips the meaning of the flag for checking excessive
	CCS messages, so it only rejects multiple CCS messages while the
	first CCS message is always accepted.

	Reviewers: mt

	Reviewed By: mt

	Bug #: 1672703

	[b03a4fc5b902]

2020-10-23  Robert Relyea  <rrelyea@redhat.com>

	* automation/abi-check/expected-report-libnssutil3.so.txt,
	gtests/mozpkix_gtest/pkixcert_signature_algorithm_tests.cpp,
	lib/nss/nss.h, lib/ssl/ssl3con.c, lib/util/SECerrs.h,
	lib/util/nssutil.def, lib/util/secerr.h, tests/policy/policy.sh:
	Bug 1670835 Crypto Policy Support needs to be updated with
	disable/enable support

	Policy update

	Current state of the nss policy system:

	The initial policy patch focused on getting policy working well in
	handling ssl. The policy infrastructure used two existing NSS
	infrastructure: 1) Algorithm policies tied the OIDS and 2) the ssl
	policy constraints first created to handle export policy
	restrictions. To make loadable policies work, we added a couple of
	new things: 1) a policy parser to the secmod infrastructure which
	allows us to set algorithm policies based on a config file. This
	file had two sections: disallow= and allow=. Disallow turned off
	policy bits, and allow turned them on. Disallow was always parsed
	first, so you could very strictly control your policy map by saying
	disallow=all allow={exclusive list of allowed algorithms} 2) a new
	NSS_Option() value that allowed the policy parser to set integer
	values (like minimum tls version) based on the data in the policy
	parser. 3) SSL code which is run at ssl_init time that reads the
	algorithm policies and maps the results to SSL policies.

	The resulting loaded policy code, in general, sets the boundaries of
	what it possible, actually enable/disable of ssl cipher suites are
	still under program control, and the builtin NSS default values. The
	only consession to configuration is if a cipher is disallowed by
	policy, it is also disabled. Allowing a cipher suite by policy that
	wasn't already enabled, however, doesn't enable that policy by
	default. Inside the policy restrictions, applications can still make
	their own decisions on configuration and preference.

	At the time the policy system was designed, there were 3 additional
	features, which were designed, but not specified: disable, enable,
	and lock.

	disable and enable work just like disallow and allow, except the
	specify what the default settings are. This would allow the policy
	file to change the underlying default in the case where the
	application doesn't try to configure ssl on it's own.

	lock would make either the policy or configuration 'locked' meaning
	once the lock has been executed, no further changes to those
	configurations would be allowed.

	What is needed:

	We have a need for the following additional features:

	1) we want to turn more of the sha-1 hash function off by default.
	We still need sha-1 digest because it's used in many non-secure
	cases, but we do want to disable more sha-1 signature usage.
	Currently only CERT-SIGNATURE and various hmac usages in SSL ciphers
	can be controlled by policy. We want to disallow a greater range of
	signature (that is signature use in general).

	2) we want to disable more ciphers by default, but need a way to
	have certain policies (like LEGACY) turn them back on, so that our
	shipped system is more secure by default.

	What this patch provides:

	1) A new policy flag NSS_USE_ALG_IN_ANY_SIGNATURE was added. The
	cryptohi code which exports the NSS sign/verify high level code now
	checks the hash and signing algorithm against this new policy flag
	and fails if the policy isn't available. New key words were added to
	the policy parser for 'all-signature', which implies all signature
	flags at once, and 'signature', which maps to NSS_USE_ANY_SIGNATURE.
	NOTE: disable=all/signature and disable=all/all-signature are
	effective equivalent because cert-signatures eventually call the low
	level signature functions, but disable=all allow=rsa-pss/all-
	signature and disable=all allow=rsa-pss/signature are different in
	that the latter allows all rsa-pss signature and the latter allows
	rsa-pss signatures, but no on certificates (or on smime in the
	future) Also new keywords were added for rsa-pkcs, rsa-pss, and
	ecdsa for signature algorithms (along with dsa).

	2) This patch implements disable and enable. These functions only
	work on SSL configuration. In the future SMIME/CMS configuration
	could also be added. Because the policy system is parsed and handled
	by NSS, and SSL configuration is handled in SSL, we use the same
	Apply code we used to apply ssl policy to set the inital
	configuration. The configured enable/disable state is configured in
	the ALGORTHIM policy system, where one bit says the enable/disable
	value is active and another bit which gives it's state.

	3) two locks have been implented, policy-lock and ssl-lock. These
	are specified in the parser as flags (flags=policy-lock,ssl-lock).
	The policy locks all the policy changes: ssl_policy, algorithm
	policy, and options. It is implemented by two new exported
	functions: NSS_IsPolicyLocked() and NSS_LockPolicy(). The first
	allows applications to test if the policy is locked without having
	to try changing the policy. The various policy set functions check
	the NSS_IsPolicyLocked() function and returns SEC_ERROR_POLICY_LOCK
	if it's true. The ssl-lock changes the state of the policy to
	locked, and the state cannot be changed back without shutting down
	NSS. The second is implemented by setting a new Option called
	NSS_DEFAULT_LOCKS and the NSS_DEFAULT_SSL_LOCK flag. The idea is we
	can add an SMIME lock in the future. SSL checks the
	NSS_DEFAULT_SSL_LOCK flag before trying to set the cipher suite
	value, and blocks the change if it's set.

	4) sslpolicy tests were updated to test the enable, disable, flags
	=policy-lock, flags=ssl-lock and the new signature primitives.

	5) policy tests were updated to be able to run standalone (like all
	the other all.sh tests), as well as new tests to detect when no
	signing algorithms have been enabled.

	 What is not in the patch

	1) S/MIME signature policy has been defined for a while, but never
	hooked up. 2) S/MIME export policy needs to be connected back to the
	algorithm policy system just like the ssl cipher suites already are.
	3) S/MIME default configuration needs to be connected back to the
	policy system. 4) ECC Curve policy needs to be hooked up with the
	signature policy (probably should create a generic 'key meets
	policy' function and have every call it).

	[6f79a7695812]

	* automation/abi-check/expected-report-libnss3.so.txt,
	gtests/pk11_gtest/pk11_rsaoaep_unittest.cc, lib/nss/nss.def,
	lib/pk11wrap/pk11pub.h, lib/pk11wrap/pk11skey.c:
	Bug 1666891 - Add PK11_Pub{Wrap,Unwrap}SymKeyWithMechanism
	r=mt,rrelyea

	Summary

	This is useful for RSA-OAEP support.

	The CKM_RSA_PKCS_OAEP mechanism requires a CK_RSA_PKCS_OAEP_PARAMS
	be present for PKCS#11 calls. This provides required context for
	OAEP. However, PK11_PubWrapSymKey lacks a way of providing this
	context and historically silently converted CKM_RSA_PKCS_OAEP to
	CKM_RSA_PKCS when a RSA key is provided. Introducing a new call will
	let us indicate parameters and potentially support other mechanisms
	in the future. This call mirrors the earlier calls introduced for
	RSA-PSS: PK11_SignWithMechanism and PK11_VerifyWithMechanism.

	The CKM_RSA_PKCS_OAEP mechanism requires a CK_RSA_PKCS_OAEP_PARAMS
	be present for PKCS#11 calls. This provides required context for
	OAEP. However, PK11_PubUnwrapSymKey lacks a way of providing this
	context, and additionally lacked a way of indicating which mechanism
	type to use for the unwrap operation (instead detecting it by key
	type). Introducing a new call will let us indicate parameters and
	potentially support other mechanisms in the future.

	Signed-off-by: Alexander Scheel <ascheel@redhat.com>

	[33f920fcd175]

2020-10-23  Petr Sumbera  <petr.sumbera@oracle.com>

	* coreconf/config.gypi:
	Bug 1667989 - coreconf/config.gypi should allow correct linking on
	Solaris r=kjacobs,bbeurdouche

	[e3bd9c2f9259]

2020-10-23  Kevin Jacobs  <kjacobs@mozilla.com>

	* automation/abi-check/expected-report-libnss3.so.txt,
	gtests/pk11_gtest/pk11_find_certs_unittest.cc, lib/nss/nss.def:
	Bug 1668123 - Export CERT_AddCertToListHeadWithData and
	CERT_AddCertToListTailWithData. r=jcj

	[0f15b05daeed]

2020-07-30  Benjamin Beurdouche  <bbeurdouche@mozilla.com>

	* lib/ckfw/builtins/certdata.txt:
	Bug 1634584 - Set CKA_NSS_SERVER_DISTRUST_AFTER for Trustis FPS Root
	CA. r=kjacobs

	[7076e78ddafe]

2020-10-14  J.C. Jones  <jjones@mozilla.com>

	* lib/util/secasn1d.c:
	Bug 1663091 - Remove unnecessary assertions in the streaming ASN.1
	decoder r=kjacobs

	The streaming ASN.1 decoder had assertions that, on debug builds,
	blocked embedding indefinite-length fields inside of definite-length
	fields/contexts, however that behavior does work correctly, and is
	valid ASN.1: it tends to happen when wrapping a signature around
	existing ASN.1-encoded data, if that already-encoded data had an
	indefinite length.

	Really these two assertion were just overzealous. The conditional
	after the asserts handle the case well, and memory sanitizers have
	not found issue here either.

	[d0153cc0c464]

Differential Revision: https://phabricator.services.mozilla.com/D95093
 2020-11-02 18:04:59 +00:00
J.C. Jones f3f86339c2 Bug 1671713 - land NSS 58dc3216d518 UPGRADE_NSS_RELEASE, r=kjacobs 
2020-10-13  Mike Hommey  <mh@glandium.org>

	* lib/freebl/freebl.gyp:
	Bug 1670839 - Use ARM crypto extension for AES, SHA1 and SHA2 on
	mac. r=kjacobs

	AFAICT, the Makefile equivalent already does.

	[58dc3216d518] [tip]

	* lib/freebl/sha1-armv8.c:
	Bug 1670839 - Only build sha1-armv8.c code when USE_HW_SHA1 is
	defined. r=kjacobs

	This matches what is done in sha256-armv8.c, and avoids
	inconsistency with sha1-fast.c, which will define the same functions
	in the case USE_HW_SHA1 is not defined.

	[54be084e3ba8]

2020-10-16  J.C. Jones  <jjones@mozilla.com>

	* automation/abi-check/expected-report-libnss3.so.txt, automation/abi-
	check/previous-nss-release, lib/nss/nss.h, lib/softoken/softkver.h,
	lib/util/nssutil.h:
	Set version numbers to 3.59 Beta
	[d4b21706e432]

Differential Revision: https://phabricator.services.mozilla.com/D94070
 2020-10-20 14:39:49 +00:00
J.C. Jones 8e222a79cb Bug 1666567 - land NSS NSS_3_58_BETA1 UPGRADE_NSS_RELEASE, r=kjacobs 
2020-10-12  Daiki Ueno  <dueno@redhat.com>

	* gtests/ssl_gtest/ssl_tls13compat_unittest.cc, lib/ssl/ssl3con.c,
	lib/ssl/sslimpl.h:
	Bug 1641480, TLS 1.3: tighten CCS handling in compatibility mode,
	r=mt

	This makes the server reject CCS when the client doesn't indicate
	the use of the middlebox compatibility mode with a non-empty
	ClientHello.legacy_session_id, or it sends multiple CCS in a row.

	[57bbefa79323] [NSS_3_58_BETA1]

2020-10-12  Kevin Jacobs  <kjacobs@mozilla.com>

	* automation/abi-check/expected-report-libnss3.so.txt,
	automation/taskcluster/scripts/build_gyp.sh,
	automation/taskcluster/windows/build_gyp.sh, coreconf/config.gypi,
	coreconf/config.mk, cpputil/nss_scoped_ptrs.h,
	gtests/common/testvectors/hpke-vectors.h,
	gtests/pk11_gtest/manifest.mn, gtests/pk11_gtest/pk11_gtest.gyp,
	gtests/pk11_gtest/pk11_hpke_unittest.cc, lib/nss/nss.def,
	lib/pk11wrap/exports.gyp, lib/pk11wrap/manifest.mn,
	lib/pk11wrap/pk11hpke.c, lib/pk11wrap/pk11hpke.h,
	lib/pk11wrap/pk11pub.h, lib/pk11wrap/pk11wrap.gyp,
	lib/util/SECerrs.h, lib/util/secerr.h:
	Bug 1631890 - Add support for Hybrid Public Key Encryption (draft-
	irtf-cfrg-hpke-05). r=mt

	This patch adds support for Hybrid Public Key Encryption (draft-
	irtf-cfrg-hpke-05).

	Because the draft number (and the eventual RFC number) is an input
	to the key schedule, future updates will *not* be backwards
	compatible in terms of key material or encryption/decryption. For
	this reason, a default compilation will produce stubs that simply
	return an "Invalid Algorithm" error. To opt into using the HPKE
	functionality , compile with `NSS_ENABLE_DRAFT_HPKE` defined. Once
	finalized, this flag will not be required to access the functions.

	Lastly, the `DeriveKeyPair` API is not implemented as it adds
	complextiy around PKCS #11 and is unnecessary for ECH.

	[6e3bc17f0508]

2020-10-12  Makoto Kato  <m_kato@ga2.so-net.ne.jp>

	* automation/taskcluster/graph/src/extend.js, tests/common/cleanup.sh:
	Bug 1657255 - Update CI for aarch64. r=kjacobs

	Actually, we have the implementation of ARM Crypto extension, so CI
	is always run with this extension. It means that we don't run CI
	without ARM Crypto extension. So I would like to add NoAES and NoSHA
	for aarch64 CI.

	Also, we still run NoSSE4_1 on aarch64 CI, so we shouldn't run this
	on aarch64 hardware.

	[e8c370a8db13]

Differential Revision: https://phabricator.services.mozilla.com/D93268
 2020-10-12 20:42:51 +00:00
J.C. Jones 3ad29aac6b Bug 1666567 - land NSS 8fdbec414ce2 UPGRADE_NSS_RELEASE, r=kjacobs 
2020-09-24  Kevin Jacobs  <kjacobs@mozilla.com>

	* automation/abi-check/expected-report-libnss3.so.txt,
	gtests/pk11_gtest/pk11_hkdf_unittest.cc, lib/nss/nss.def,
	lib/pk11wrap/pk11pub.h, lib/pk11wrap/pk11skey.c,
	lib/ssl/tls13hkdf.c:
	Bug 1667153 - Add PK11_ImportDataKey API. r=rrelyea

	This patch adds and exports `PK11_ImportDataKey`, and refactors the
	null PSK TLS 1.3 code to use it.

	[8fdbec414ce2] [tip]

Differential Revision: https://phabricator.services.mozilla.com/D91627
 2020-09-28 19:24:51 +00:00
J.C. Jones f2b2199636 Bug 1666567 - land NSS c28e20f61e5d UPGRADE_NSS_RELEASE, r=kjacobs 
2020-09-18  Kevin Jacobs  <kjacobs@mozilla.com>

        * automation/abi-check/previous-nss-release, lib/nss/nss.h,
        lib/softoken/softkver.h, lib/util/nssutil.h:
        Set version numbers to 3.58 Beta
        [c28e20f61e5d] [tip]

        * .hgtags:
        Added tag NSS_3_57_RTM for changeset cf7e3e8abd77
        [a963849538ca] <NSS_3_57_BRANCH>

        * lib/nss/nss.h, lib/softoken/softkver.h, lib/util/nssutil.h:
        Set version numbers to 3.57 final
        [cf7e3e8abd77] [NSS_3_57_RTM] <NSS_3_57_BRANCH>

Differential Revision: https://phabricator.services.mozilla.com/D91070
 2020-09-22 22:31:15 +00:00
Kevin Jacobs ed0deeb271 Bug 1660509 - land NSS NSS_3_57_BETA1 UPGRADE_NSS_RELEASE, r=jcj 
2020-09-15  Kevin Jacobs  <kjacobs@mozilla.com>

	* automation/release/nspr-version.txt:
	Bug 1660372 - NSS 3.57 should depend on NSPR 4.29. r=kaie

	[56224882ccc3] [NSS_3_57_BETA1]

Differential Revision: https://phabricator.services.mozilla.com/D90324
 2020-09-17 05:29:26 +00:00
Kevin Jacobs ddc8978d1f Bug 1660509 - land NSS c100e11991f6 UPGRADE_NSS_RELEASE, r=jcj 
2020-08-21  Kevin Jacobs  <kjacobs@mozilla.com>

	* automation/abi-check/previous-nss-release, lib/nss/nss.h,
	lib/softoken/softkver.h, lib/util/nssutil.h:
	Set version numbers to 3.57 Beta
	[783f49ae6126]

2020-08-24  Kevin Jacobs  <kjacobs@mozilla.com>

	* gtests/ssl_gtest/ssl_auth_unittest.cc, lib/ssl/dtls13con.c,
	lib/ssl/dtlscon.c, lib/ssl/ssl3con.c, lib/ssl/sslimpl.h,
	lib/ssl/sslnonce.c:
	Bug 1653641 - Cleanup inaccurate DTLS comments, code review fixes.
	r=mt

	[0e1b5c711cb9]

2020-08-24  Robert Relyea  <rrelyea@redhat.com>

	* lib/freebl/fipsfreebl.c, lib/softoken/fipstest.c,
	lib/softoken/kbkdf.c, lib/softoken/lowpbe.c, lib/softoken/lowpbe.h,
	lib/softoken/pkcs11c.c, lib/softoken/pkcs11i.h,
	lib/softoken/sftkhmac.c, lib/softoken/sftkike.c:
	Bug 1660304 New FIPS IG requires self-tests for approved kdfs.
	r=ueno comments=kjacobs

	FIPS guidance now requires self-tests for our kdfs. It also requires
	self-tests for cmac which we didn't have in the cmac patch.

	Currently only one test per kdf is necessary. Specifially for
	SP-800-108, only one of the three flavors are needed (counter,
	feedback, or pipeline). This patch includes more complete testing
	but it has been turned off the currently extraneous tests under the
	assumption that NIST guidance may require them in the future. HKDF
	is currently not included in FIPS, but is on track to be included,
	so hkdf have been included in this patch.

	Because the test vectors are const strings, the patch pushes some
	const definitions that were missing in existing private interfaces.

	There are three flavors of self-tests: Function implemented in
	freebl are added to the freebl/fipsfreebl.c Functions implemented in
	pkcs11c.c have selftests completely implemented in
	softoken/fipstest.c Functions implemented in their own .c file have
	their selftest function implemented in that .c file and called by
	fipstests.c These are consistant with the previous choices for
	selftests.

	Some private interfaces that took in keys from pkcs #11 structures
	or outputted keys to pkcs #11 structures were modified to optionally
	take keys in by bytes and output keys as bytes so the self-tests can
	work in just bytes.

	[5dca54fe61c2]

2020-08-25  Daiki Ueno  <dueno@redhat.com>

	* lib/softoken/manifest.mn:
	Bug 1659252, disable building libnssdbm3.so if NSS_DISABLE_DBM=1,
	r=rrelyea

	Reviewers: rrelyea

	Reviewed By: rrelyea

	Bug #: 1659252

	[4d55d36ca6ef]

2020-08-24  Kevin Jacobs  <kjacobs@mozilla.com>

	* lib/pk11wrap/pk11cxt.c, lib/softoken/pkcs11c.c, lib/softoken/sdb.c,
	lib/softoken/sftkpwd.c:
	Bug 1651834 - Fix various static analyzer warnings. r=rrelyea

	[ab04fd73fd6d]

2020-08-28  Mike Hommey  <mh@glandium.org>

	* lib/freebl/blapii.h:
	Bug 1661810 - Define pre_align/post_align based on the compiler.
	r=jcj

	Things worked fine before we upgraded to clang 11 presumably because
	the stack was always 16-bytes aligned in the first place, or
	something akin to that, and the lack of pre_align/post_align doing
	anything didn't matter. The runtime misalignment of the stack may
	well be a clang > 9 bug, but keeping pre_align/post_align tied to
	the x86/x64 is a footgun anyways.

	[c100e11991f6] [tip]

Differential Revision: https://phabricator.services.mozilla.com/D88876
 2020-08-31 15:56:19 +00:00
Kevin Jacobs d343e2c8e6 Bug 1655105 - land NSS NSS_3_56_BETA1 UPGRADE_NSS_RELEASE, r=jcj 
2020-08-19  Kevin Jacobs  <kjacobs@mozilla.com>

	* tests/libpkix/certs/PayPalEE.cert:
	Bug 1659792 - Update libpkix tests with unexpired PayPal cert. r=jcj

	The in-tree `PayPalEE.cert `expired today. This patch replaces it
	with a current copy that expires on 12 Jan 2022.

	CI breakage before patch: https://treeherder.mozilla.org/#/jobs?repo
	=nss&revision=2890f342de631bf6774ac747515a8b5736e20d3f CI with the
	fix applied: https://treeherder.mozilla.org/#/jobs?repo=nss-
	try&revision=bd28f21d8acbcb15502bd4fc606fc9c0ed09c810

	[52c965eaffa1] [NSS_3_56_BETA1]

2020-08-18  Kevin Jacobs  <kjacobs@mozilla.com>

	* tests/interop/interop.sh:
	Bug 1659814 - Pull updated tls-interop for dependency fix. r=jcj

	[70376af425ae]

	* automation/release/nspr-version.txt:
	Bug 1656519 - NSS 3.56 should depend on NSPR 4.28. r=kaie

	[2890f342de63]

Differential Revision: https://phabricator.services.mozilla.com/D87648
 2020-08-19 21:02:09 +00:00
Kevin Jacobs cb86341c99 Bug 1655105 - land NSS afa38fb2f0b5 UPGRADE_NSS_RELEASE, r=jcj 
2020-07-27  Jan-Marek Glogowski  <glogow@fbihome.de>

	* lib/freebl/Makefile:
	Bug 1652032 Disable all freebl assembler code for MSVC arm64
	r=rrelyea,bbeurdouche

	There are two places, where NSS tries to compile either x86_64 MSVC
	assembler or GCC aarch64 code, which will fail the build. And also
	drop the non-MSVC arch build flags for them.

	AFAI could identify, there isn't any armasm64 compatible asm code in
	the whole NSS library, so I don't even adapt AS for the build. The
	cross-build finishes this way.

	[d98bbb6168f4]

2020-07-24  Benjamin Beurdouche  <bbeurdouche@mozilla.com>

	* cmd/bltest/blapitest.c, coreconf/config.gypi, coreconf/config.mk,
	lib/freebl/alg2268.c, lib/freebl/deprecated/alg2268.c,
	lib/freebl/freebl_base.gypi, lib/freebl/ldvector.c,
	lib/freebl/loader.c, lib/freebl/loader.h, lib/freebl/manifest.mn,
	lib/softoken/lowpbe.c, lib/softoken/pkcs11c.c:
	Bug 1652729 - Add build flag to disable RC2 and relocate to
	lib/freebl/deprecated. r=kjacobs

	[e6c6f1d2d544]

2020-07-27  Robert Relyea  <rrelyea@redhat.com>

	* gtests/softoken_gtest/manifest.mn,
	gtests/softoken_gtest/softoken_dh_vectors.h,
	gtests/softoken_gtest/softoken_gtest.cc,
	gtests/softoken_gtest/softoken_gtest.gyp, lib/freebl/blapi.h,
	lib/freebl/dh.c, lib/freebl/ldvector.c, lib/freebl/loader.c,
	lib/freebl/loader.h, lib/softoken/manifest.mn,
	lib/softoken/pkcs11.c, lib/softoken/pkcs11c.c,
	lib/softoken/pkcs11i.h, lib/softoken/pkcs11u.c,
	lib/softoken/sftkdhverify.c, lib/softoken/softoken.gyp:
	Bug 1648822 Add stricter validation of DH keys when in FIPS mode.

	Update: FIPS now also requires us to do y^q mod p testing on key
	generation (always). We now do that in FIPS mode only, but in all
	modes we do full DH verification for DH and ECDH. Because of this,
	the path has now separated out the prime checks, which are now only
	done for the DH operation if we aren't using a known prime and the
	subprime value has been provided. I've also learned we can accept
	keys that we do full validation on in FIPS mode, so I've added that
	to this patch, though we still can't generate those kinds of keys
	without adding the subprime at keygen time.

	The new FIPS standard is dh operations must use approved primes.
	Approved primes are those selected in the tls and ike RFCs.
	Currently tls and ike have modes with checks whether the primes are
	approved, but the check may not always happen. The safest thing to
	do in FIPS mode is only allow those primes. In addition, FIPS
	requires 1< y < p-1 (or technically 2<=y<=p-2, since y is an integer
	those two tests are identical).

	While making changes I realized we would want a mode where we can do
	more strict checks on the prime while not requiring that the prime
	be an approved prime. We already allow for strict checking if q is
	supplied with the private key, but there were a couple of issues
	with that check:

	 1. there was no way of actually setting q in the current NSS
	pk11wrap interfaces. 2. If the prime was a safe prime, but g was an
	actual generator, then we would fail the y^q mod p = 1 tests for 50%
	of the keys, even though those keys are safe. 3. We weren't checking
	primality of p and q.

	So the old code:

	 if (q) { check y^q mod p = 1 if not fail }

	 check 1 <y < p-1 (done in DH_Derive).

	New code:

	 if (! p is approved prime) { if (FIPS) fail; if (q) { y_test = y if
	(p,q-> p is a safe prime) { y_test = 1 } check prime is prime Fail
	if not check subprime is subprime fail if not y_test^q mod p = 1 } }
	check 1 < y < p-1 (done in DH_Derive)

	This means:

	Existing code non-fips without setting the subprime continues to run
	as before. Non-fips code which sets the subprime now runs slower,
	but p and q are checked if p or q where not prime, the derive fails
	(which it should). In FIPS mode only approved primes will succeed
	now. Non-fips code can now set the subprime to q=(p-1)/2 if it
	doesn't have an explicit q value (like in tls). If the derive
	succeeds, we know that p is a safe prime. If p is approved, the
	checks are skipped because we already know that p is a safe prime.
	Code can optionally do a test derive on a new p and remember it's
	safe so that we know longer need to check ever call (though if q is
	not (p-1)/2, you will need to continue to do the checks each call
	because y could still be a small subgroup).

	This patch:

	gtests/softoken_gtest

	 1. Added New dh tests to softoken_gtests. The tests were added to
	softoken_gtests because we need to test both non-FIPS and FIPS mode.
	Test vectors include a category, so the same test vectors can be
	used in FIPS and non-FIPS even though each class may have different
	results. Most of the test vectors where created either by dhparams
	command in openssl, dsaparams in openssl, and the nss makepqg
	command. Each vector includes a label, prime, base, optional
	subprime, optional public key, test type, and key class (basically
	size). 2. If public key is not supplied, we use a generated public
	key. 3. If subPrime is supplied to wet it on the private key after
	generation.

	lib/freebl/dh.c

	 add primality tests to KEA_VerifyKey().

	lib/softokn/

	 1. Allow CKA_SUBPRIME to be set after key generation or import.
	This affects how we test for it's existance, since it is now always
	there on the key, we check it's length to make sure it's non-zero.
	2. We implement the psuedocode above as real code. 3. We create two
	new functions: sftl_VerifyDH_Prime which return SECSuccess if Prime
	is an approved prime. sftk_IsSafePrime which returns SECSuess of
	both prime and subprime look reasonable, and sets a Bool to PR_TRUE
	is subprime -> prime is safe (subprime = (prime-1)/2. These
	functions are implemented in sftkdhverify.c 4.Cleanup incorrect
	nominclature on primes (safe primes are not strong primes).
	[0be91fa2217a]

	* gtests/softoken_gtest/softoken_dh_vectors.h,
	gtests/softoken_gtest/softoken_gtest.cc:
	Fix more of the timeout issues on tests. (Drop expensive 4098 dh
	tests ).
	[4014c075a31b]

2020-07-29  Makoto Kato  <m_kato@ga2.so-net.ne.jp>

	* coreconf/config.gypi, lib/freebl/Makefile, lib/freebl/blinit.c,
	lib/freebl/freebl.gyp, lib/freebl/sha1-armv8.c,
	lib/freebl/sha_fast.c, lib/freebl/sha_fast.h:
	Bug 1650702 - Use ARM's crypt extension for SHA1. r=kjacobs

	ARM Crypto extension has SHA1 acceleration. Using this, SHA1 is 3
	times faster on ARMv8 CPU. The following data is AWS's a1 instance
	(Cortex-A72).

	Before ====== ``` # mode in opreps cxreps context op time(sec)
	thrgput sha1_e 954Mb 31M 0 0.000 10000.000 10.000 95Mb ```

	After ===== ``` # mode in opreps cxreps context op time(sec) thrgput
	sha1_e 2Gb 94M 0 0.000 10000.000 10.000 288Mb ```

	[68b6eb737689]

2020-07-29  Jan-Marek Glogowski  <glogow@fbihome.de>

	* manifest.mn:
	Bug 1653975 - Set "all" as the default Makefile target r=jcj,rrelyea

	Just reorder the rules in manifest.mn, so all is again the first
	rule. This restores pre-3.53 Makefile defaults.

	[eb52747b7000]

2020-07-31  Makoto Kato  <m_kato@ga2.so-net.ne.jp>

	* lib/freebl/blapii.h, lib/freebl/blinit.c, nss-tool/hw-support.c:
	Bug 1654142 - Add CPU feature detection for Intel SHA extension.
	r=kjacobs

	[e6b77a9c417a]

2020-08-03  Nathan Froyd  <froydnj@mozilla.com>

	* coreconf/detect_host_arch.py:
	Bug 1656986 - special-case arm64 in detect_host_arch.py; r=jcj

	This case comes up when attempting to build NSS on ARM64 Mac. If we
	don't do this, we wind up detecting arm64 as "arm", with predictably
	bad consequences.

	[afa38fb2f0b5] [tip]

Differential Revision: https://phabricator.services.mozilla.com/D85888
 2020-08-04 19:54:56 +00:00
Kevin Jacobs 99b3679870 Bug 1649545 - land NSS NSS_3_55_BETA1 UPGRADE_NSS_RELEASE, r=jcj 
2020-07-21  Benjamin Beurdouche  <bbeurdouche@mozilla.com>

	* cmd/bltest/blapitest.c:
	Bug 1653202 - Fix issue disabling other mechanisms when SEED is
	deprecated in cmd/bltest/blapitest.c. r=kjacobs

	[0768baa431e7] [NSS_3_55_BETA1]

2020-07-21  Kevin Jacobs  <kjacobs@mozilla.com>

	* automation/release/nspr-version.txt:
	Bug 1652331 - NSS 3.55 should depend on NSPR 4.27. r=kaie

	[3deefc218cd9]

2020-07-20  Billy Brumley  <bbrumley@gmail.com>

	* lib/freebl/ec.c:
	Bug 1631573: Remove unnecessary scalar padding in ec.c
	r=kjacobs,bbeurdouche

	Subsequent calls to ECPoints_mul and ECPoint_mul remove this
	padding.

	Timing attack countermeasures are now applied more generally deeper
	in the call stack.

	[aeb2e583ee95]

2020-07-20  Kai Engert  <kaie@kuix.de>

	* lib/nss/nssinit.c:
	Bug 1653310 - On macOS check if nssckbi exists prior to loading it.
	r=kjacobs

	[ca207655b4b7]

Differential Revision: https://phabricator.services.mozilla.com/D84420
 2020-07-21 23:37:38 +00:00
Kevin Jacobs 6a6ed41ab7 Bug 1649545 - land NSS 58c2abd7404e UPGRADE_NSS_RELEASE, r=jcj 
2020-06-26  Kevin Jacobs  <kjacobs@mozilla.com>

	* automation/abi-check/expected-report-libssl3.so.txt, automation/abi-
	check/previous-nss-release, lib/nss/nss.h, lib/softoken/softkver.h,
	lib/util/nssutil.h:
	Set version numbers to 3.55 beta
	[332ab7db68ba]

2020-06-25  Kevin Jacobs  <kjacobs@mozilla.com>

	* tests/all.sh:
	Bug 1649190 - Run cipher, sdr, and ocsp tests under standard test
	cycle.
	[f373809abfc0]

2020-06-15  Kevin Jacobs  <kjacobs@mozilla.com>

        * gtests/common/testvectors/p256ecdsa-sha256-vectors.h,
        gtests/common/testvectors/p384ecdsa-sha384-vectors.h,
        gtests/common/testvectors/p521ecdsa-sha512-vectors.h,
        gtests/common/testvectors_base/test-structs.h,
        gtests/common/wycheproof/genTestVectors.py,
        gtests/pk11_gtest/pk11_ecdsa_unittest.cc:
        Bug 1649226 - Add Wycheproof ECDSA tests.
        [41292ff7f545]

2020-06-30  Benjamin Beurdouche  <bbeurdouche@mozilla.com>

	* lib/pkcs12/p12d.c:
	Bug 1649322 - Fix null pointer passed as argument in
	pk11wrap/pk11pbe.c:1246 r=kjacobs
	[cc43ebf5bf88]

2020-06-30  Danh  <congdanhqx@gmail.com>

	* coreconf/arch.mk, coreconf/config.mk, lib/freebl/Makefile:
	Bug 1646594 - Enable AVX2 if applicable on x86_64 with make 4.3
	r=bbeurdouche
	[b579895aceb0]

2020-07-02  Benjamin Beurdouche  <bbeurdouche@mozilla.com>

	* lib/ssl/ssl3con.c:
	Bug 1649316 - Prevent memcmp to be called with a zero length in
	ssl/ssl3con.c:6621 r=kjacobs
	[8fe9213d0551]

2020-07-02  Alexander Scheel  <ascheel@redhat.com>

	* lib/cryptohi/secvfy.c:
	Bug 1649487 - Fix bad assert in VFY_EndWithSignature. r=jcj
	[c9438b528103]

2020-07-06  Dana Keeler  <dkeeler@mozilla.com>

	* automation/abi-check/expected-report-libnss3.so.txt,
	gtests/pk11_gtest/pk11_find_certs_unittest.cc, lib/nss/nss.def,
	lib/pk11wrap/pk11cert.c, lib/pk11wrap/pk11pub.h:
	Bug 1649633 - add PK11_FindEncodedCertInSlot r=kjacobs,jcj

	PK11_FindEncodedCertInSlot can be used to determine the PKCS#11
	object handle of an encoded certificate in a given slot. If the
	given certificate does not exist in that slot, CK_INVALID_HANDLE is
	returned.
	[32fe710a942f]

	* gtests/pk11_gtest/pk11_find_certs_unittest.cc:
	Bug 1649633 - follow-up to make test comparisons in
	pk11_find_certs_unittest.cc yoda comparisons r=kjacobs
	[424dae31a1c1]


2020-07-07  Kevin Jacobs  <kjacobs@mozilla.com>

        * gtests/pk11_gtest/pk11_rsapkcs1_unittest.cc, lib/freebl/rsapkcs.c:
        Bug 1067214 - Check minimum padding in RSA_CheckSignRecover.
        r=rrelyea

        This patch adds a check to `RSA_CheckSignRecover` enforcing a
        minimum padding length of 8 bytes for PKCS #1 v1.5-formatted
        signatures. In practice, RSA key size requirements already ensure
        this requirement is met, but smaller (read: broken) key sizes can be
        used via configuration overrides, and NSS should just follow the
        spec.
        [e5324bd5a885]

2020-07-08  Kevin Jacobs  <kjacobs@mozilla.com>

        * gtests/ssl_gtest/libssl_internals.c,
        gtests/ssl_gtest/libssl_internals.h,
        gtests/ssl_gtest/ssl_record_unittest.cc,
        gtests/ssl_gtest/tls_agent.cc, gtests/ssl_gtest/tls_agent.h,
        lib/ssl/dtls13con.c, lib/ssl/dtls13con.h, lib/ssl/ssl3con.c,
        lib/ssl/ssl3prot.h, lib/ssl/sslspec.h, lib/ssl/sslt.h,
        lib/ssl/tls13con.c, lib/ssl/tls13exthandle.c:
        Bug 1647752 - Update DTLS 1.3 implementation to draft-38. r=mt

        This patch updates DTLS 1.3 to draft-38. Specifically:

         # `ssl_ct_ack` value changes from 25 to 26. # AEAD limits in
        `tls13_UnprotectRecord` enforce a maximum of 2^36-1 (as we only
        support GCM/ChaCha20 AEADs) decryption failures before the
        connection is closed. # Post-handshake authentication will no longer
        be negotiated in DTLS 1.3. This allows us to side-step the more
        convoluted state machine requirements.
        [132a87fc8689]

2020-07-09  Benjamin Beurdouche  <bbeurdouche@mozilla.com>

        * lib/pk11wrap/pk11pbe.c, lib/pkcs12/p12d.c:
        Bug 1649322 - Fix null pointer passed as argument in
        pk11wrap/pk11pbe.c:1246 r=kjacobs

        This is a fixup patch that reverts https://hg.mozilla.org/projects/n
        ss/rev/cc43ebf5bf88355837c5fafa2f3c46e37626707a and adds a null
        check around the memcpy in question.
        [80bea0e22b20]

2020-07-09  J.C. Jones  <jjones@mozilla.com>

        * lib/softoken/pkcs11.c:
        Bug 1651520 - slotLock race in NSC_GetTokenInfo r=kjacobs

        Basically, NSC_GetTokenInfo doesn't lock slot->slotLock before
        accessing slot after obtaining it, even though slotLock is defined
        as its lock. [0]

        [0] https://searchfox.org/nss/rev/a412e70e55218aaf670f1f10322fa734d8
        a9fbde/lib/softoken/pkcs11i.h#320-321
        [58c2abd7404e] [tip]

Differential Revision: https://phabricator.services.mozilla.com/D82466
 2020-07-09 23:05:48 +00:00
Kevin Jacobs 669967478e Bug 1642687 - land NSS 87fa2f0598ad UPGRADE_NSS_RELEASE, r=jcj 
2020-06-24  Kai Engert  <kaie@kuix.de>

	* automation/release/nspr-version.txt:
	Bug 1640516 - NSS 3.54 should depend on NSPR 4.26. r=kjacobs

	[87fa2f0598ad] [tip]

2020-06-23  Kevin Jacobs  <kjacobs@mozilla.com>

	* .hgtags:
	Added tag NSS_3_54_BETA1 for changeset 2bd2f3267dc5
	[fe2ed4384f6a]

Differential Revision: https://phabricator.services.mozilla.com/D80989
 2020-06-25 00:30:56 +00:00
Kevin Jacobs 7c45f2a0f0 Bug 1642687 - land NSS d211f3013abb UPGRADE_NSS_RELEASE, r=jcj 
2020-06-01  Kevin Jacobs  <kjacobs@mozilla.com>

	* coreconf/config.gypi, lib/freebl/Makefile, lib/freebl/blinit.c,
	lib/freebl/freebl.gyp, lib/freebl/sha256-armv8.c,
	lib/freebl/sha256.h, lib/freebl/sha512.c, mach:
	Bug 1528113 - Use ARM's crypto extension for SHA256
	[ea54fd986036]

2020-04-08  Kevin Jacobs  <kjacobs@mozilla.com>

	* automation/abi-check/expected-report-libssl3.so.txt,
	gtests/ssl_gtest/libssl_internals.c,
	gtests/ssl_gtest/libssl_internals.h, gtests/ssl_gtest/manifest.mn,
	gtests/ssl_gtest/ssl_0rtt_unittest.cc,
	gtests/ssl_gtest/ssl_extension_unittest.cc,
	gtests/ssl_gtest/ssl_gtest.gyp, gtests/ssl_gtest/tls_agent.cc,
	gtests/ssl_gtest/tls_agent.h, gtests/ssl_gtest/tls_connect.cc,
	gtests/ssl_gtest/tls_connect.h,
	gtests/ssl_gtest/tls_psk_unittest.cc, lib/ssl/manifest.mn,
	lib/ssl/ssl.gyp, lib/ssl/ssl3con.c, lib/ssl/ssl3ext.c,
	lib/ssl/ssl3ext.h, lib/ssl/sslerr.h, lib/ssl/sslexp.h,
	lib/ssl/sslimpl.h, lib/ssl/sslinfo.c, lib/ssl/sslsecur.c,
	lib/ssl/sslsock.c, lib/ssl/sslt.h, lib/ssl/tls13con.c,
	lib/ssl/tls13con.h, lib/ssl/tls13exthandle.c, lib/ssl/tls13psk.c,
	lib/ssl/tls13psk.h, lib/ssl/tls13replay.c:
	Bug 1603042 - TLS 1.3 out-of-band PSK support

	[a448d7919077]

2020-06-01  Makoto Kato  <m_kato@ga2.so-net.ne.jp>

	* coreconf/config.gypi, lib/freebl/Makefile, lib/freebl/blinit.c,
	lib/freebl/freebl.gyp, lib/freebl/sha256-armv8.c,
	lib/freebl/sha256.h, lib/freebl/sha512.c:
	Bug 1528113 - Use ARM's crypto extension for SHA256 r=kjacobs

	ARMv8 CPU has accelerated hardware instruction for SHA256 that
	supports GCC 4.9+. We should use it if available.

	[61c83f79e90c]

2020-06-02  Kevin Jacobs  <kjacobs@mozilla.com>

	* automation/abi-check/expected-report-libssl3.so.txt,
	gtests/ssl_gtest/libssl_internals.c,
	gtests/ssl_gtest/libssl_internals.h, gtests/ssl_gtest/manifest.mn,
	gtests/ssl_gtest/ssl_0rtt_unittest.cc,
	gtests/ssl_gtest/ssl_extension_unittest.cc,
	gtests/ssl_gtest/ssl_gtest.gyp, gtests/ssl_gtest/tls_agent.cc,
	gtests/ssl_gtest/tls_agent.h, gtests/ssl_gtest/tls_connect.cc,
	gtests/ssl_gtest/tls_connect.h,
	gtests/ssl_gtest/tls_psk_unittest.cc, lib/ssl/manifest.mn,
	lib/ssl/ssl.gyp, lib/ssl/ssl3con.c, lib/ssl/ssl3ext.c,
	lib/ssl/ssl3ext.h, lib/ssl/sslerr.h, lib/ssl/sslexp.h,
	lib/ssl/sslimpl.h, lib/ssl/sslinfo.c, lib/ssl/sslsecur.c,
	lib/ssl/sslsock.c, lib/ssl/sslt.h, lib/ssl/tls13con.c,
	lib/ssl/tls13con.h, lib/ssl/tls13exthandle.c, lib/ssl/tls13psk.c,
	lib/ssl/tls13psk.h, lib/ssl/tls13replay.c:
	Bug 1603042 - TLS 1.3 out-of-band PSK support r=mt

	This patch adds support for External (out-of-band) PSKs in TLS 1.3.
	An External PSK (EPSK) can be set by calling `SSL_AddExternalPsk`,
	and removed with `SSL_RemoveExternalPsk`. `SSL_AddExternalPsk0Rtt`
	can be used to add a PSK while also specifying a suite and
	max_early_data_size for use with 0-RTT.

	As part of handling PSKs more generically, the patch also changes
	how resumption PSKs are handled internally, so as to rely on the
	same mechanisms where possible.

	A socket is currently limited to only one External PSK at a time. If
	the server doesn't find the same identity for the configured EPSK,
	it will fall back to certificate authentication.

	[a2293e897889]

	* lib/freebl/mpi/mplogic.c:
	cast in LZCNTLOOP
	[96e65b2e9531]

	* lib/freebl/freebl.gyp:
	Use KRML_VERIFIED_UINT128 on MSVC builds
	[abd50c862bdb]

2020-06-03  Kevin Jacobs  <kjacobs@mozilla.com>

	* gtests/ssl_gtest/ssl_exporter_unittest.cc, lib/ssl/sslinfo.c,
	lib/ssl/tls13con.c:
	Bug 1643123 - Allow External PSKs to be used with Early Export
	[46ef0c025cfc]

2020-06-02  Sylvestre Ledru  <sledru@mozilla.com>

	* lib/ssl/tls13con.c:
	Bug 1642809 - Fix an assert (we need a comparison, not assignment)
	r=kjacobs

	[d0789cb32d8e]

2020-06-03  Mike Hommey  <mh@glandium.org>

	* cmd/shlibsign/Makefile:
	Bug 1642153 - Avoid infinite recursion when CHECKLOC is not set.
	r=jcj

	[e955ece90b05]

2020-06-03  Martin Thomson  <mt@lowentropy.net>

	* gtests/ssl_gtest/ssl_auth_unittest.cc,
	gtests/ssl_gtest/ssl_resumption_unittest.cc, lib/ssl/tls13con.c:
	Bug 1642871 - Allow tickets and PHA after resumption, r=kjacobs

	The first part of this is fairly simple: we accidentally disabled
	sending of session tickets after resumption.

	The second part is much less obvious, because the spec is unclear.
	This change takes the interpretation that it is OK to use post-
	handshake authentication if the handshake is resumed, but not OK if
	the handshake is based on a PSK. (This is based on a first-
	principles understanding of resumption being a continuation of a
	certificate-based connection rather than a reading of the spec, see
	the bug for why the spec appears to be unhelpful on this point.)

	This still prohibits the use of post-handshake authentication if an
	external PSK was used, but that is more an abundance of caution than
	anything principled.

	[e9502f71b7fe]

2020-06-04  Kevin Jacobs  <kjacobs@mozilla.com>

	* gtests/ssl_gtest/ssl_exporter_unittest.cc, lib/ssl/sslinfo.c,
	lib/ssl/tls13con.c:
	Bug 1643123 - Allow External PSKs to be used with Early Export r=mt

	This patch adjusts `tls13_exporter` to pull the hash algorithm from
	the first PSK when a suite is not configured yet, which allows early
	export with external PSKs.

	[d211f3013abb]

Differential Revision: https://phabricator.services.mozilla.com/D78578
 2020-06-06 00:20:11 +00:00
J.C. Jones 02cb9eb00d Bug 1636656 - land NSS daa823a4a29b UPGRADE_NSS_RELEASE, r=kjacobs 
2020-05-19  Robert Relyea  <rrelyea@redhat.com>

	* lib/freebl/dsa.c:
	Bug 1631576 - Force a fixed length for DSA exponentiation
	r=pereida,bbrumley

	[daa823a4a29b] [tip]

2020-05-14  Benjamin Beurdouche  <bbeurdouche@mozilla.com>

	* lib/freebl/Makefile, lib/freebl/deprecated/seed.c,
	lib/freebl/deprecated/seed.h, lib/freebl/freebl.gyp,
	lib/freebl/freebl_base.gypi, lib/freebl/seed.c, lib/freebl/seed.h:
	Bug 1636389 - Relocate deprecated seed algorithm. r=kjacobs

	[d2cfb4ccdf16]

2020-05-14  Jan-Marek Glogowski  <glogow@fbihome.de>

	* automation/taskcluster/scripts/split.sh, lib/Makefile,
	lib/manifest.mn:
	Bug 1637083 fix the lib dependencies for the split build
	r=jcj,rrelyea

	This build can be tested by running NSS_BUILD_MODULAR=1
	nss/automation/taskcluster/scripts/build.sh from a directory
	containing the nss and nspr repositories.

	To make this build's make conditionals easier to handle, it also
	merges the manifest.mn into the Makefile, because parts of the
	conditionals depends on $(OS_ARCH) setting.

	In the end, the goal is just to set the correct build $(DIRS).

	This also drops the freebl dependeny of ssl, which seems not to be
	needed, even if it's declared in /lib/ssl/ssl.gyp.

	[789d7241e1f0]

2020-05-13  Jan-Marek Glogowski  <glogow@fbihome.de>

	* coreconf/rules.mk, lib/ckfw/builtins/manifest.mn,
	lib/ckfw/manifest.mn, manifest.mn:
	Bug 1637083 Replace pre-dependency with shell hack r=rrelyea

	Originally I tried multiple variants using make's conditionals to
	limit DIRS and enforce building the parent directory before the sub-
	directory. None of them worked for me, most resulting in an infinite
	recursion, so I used the current pre-depends workaround to fulfill
	the real dependency.

	Now I remembered that automake can handle this case for SUBDIRS
	specifying "." as a directory. The generated Makefile handles it via
	shell scripting; not nice, but it works.

	So this gets rid of the workaround, replacing it with a small shell
	test.

	[744881490c78]

Differential Revision: https://phabricator.services.mozilla.com/D76050
 2020-05-19 21:55:59 +00:00