791 Коммитов

Автор	SHA1	Сообщение	Дата
John Schanck	caf282f02b	Bug 1758579 - land NSS NSS_3_77_BETA1 UPGRADE_NSS_RELEASE, r=keeler ... 2022-03-24 John M. Schanck <jschanck@mozilla.com> * lib/ckfw/builtins/certdata.txt: Bug 1754890 - Add two D-TRUST 2020 root certificates. r=KathleenWilson [f63fb86db692] [NSS_3_77_BETA1] * lib/ckfw/builtins/certdata.txt: Bug 1751298 - Add Telia Root CA v2 root certificate. r=KathleenWilson [1fcbbd7e4f5f] * lib/ckfw/builtins/certdata.txt: Bug 1751305 - Remove expired explicitly distrusted certificates from certdata.txt. r=KathleenWilson [b722e523d662] 2022-03-23 Dana Keeler <dkeeler@mozilla.com> * gtests/mozpkix_gtest/pkixcheck_CheckSignatureAlgorithm_tests.cpp, gtests/mozpkix_gtest/pkixder_pki_types_tests.cpp, gtests/mozpkix_gtest/pkixgtest.h, gtests/mozpkix_gtest/pkixnss_tests.cpp, lib/mozpkix/include/pkix/pkixder.h, lib/mozpkix/include/pkix/pkixnss.h, lib/mozpkix/include/pkix/pkixtypes.h, lib/mozpkix/lib/pkixc.cpp, lib/mozpkix/lib/pkixcheck.cpp, lib/mozpkix/lib/pkixder.cpp, lib/mozpkix/lib/pkixnss.cpp, lib/mozpkix/lib/pkixverify.cpp, lib/mozpkix/test-lib/pkixtestnss.cpp: Bug 1005084 - support specific RSA-PSS parameters in mozilla::pkix r=jschanck This patch adds support to mozilla::pkix for certificates signed with RSA-PSS using one of the following parameters permitted by the CA/Browser Forum Baseline Requirements 1.8.1: * SHA-256, MGF-1 with SHA-256, and a salt length of 32 bytes * SHA-384, MGF-1 with SHA-384, and a salt length of 48 bytes * SHA-512, MGF-1 with SHA-512, and a salt length of 64 bytes [853b64626b19] 2022-03-23 John M. Schanck <jschanck@mozilla.com> * lib/util/secasn1d.c: Bug 1753535 - Remove obsolete stateEnd check in SEC_ASN1DecoderUpdate. r=rrelyea The `stateEnd->parent != state` check was added in Bug 95458 to avoid a crash in `sec_asn1d_free_child`. The diagnosis in Bug 95458 is incorrect---the crash was actually due to a `PORT_Assert(0)` that was meant to highlight a memory leak when `SEC_ASN1DecoderStart` was called with `their_pool==NULL`. The offending assertion was removed in Bug 95311, which makes the `stateEnd` check obsolete. In Bug 1753535 it was observed that the `stateEnd` check could read from a poisoned region of an arena when the decoder was used in a streaming mode. This read-after-poison could lead to an arena memory leak, although this is mitigated by the fact that the read-after-poison is on an error-handling path where the caller typically frees the entire arena. [800111fa3bf8] * lib/dev/dev.h, lib/dev/devslot.c, lib/dev/devt.h, lib/dev/devtoken.c, lib/pk11wrap/dev3hack.c: Bug 1756271 - Remove token member from NSSSlot struct. r=rrelyea [55052f78244c] * cmd/mpitests/mpi-test.c, lib/freebl/Makefile, lib/freebl/dh.c, lib/freebl/freebl_base.gypi, lib/freebl/manifest.mn, lib/freebl/mpi/mpprime.c, lib/freebl/mpi/mpprime.h, lib/freebl/pqg.c, lib/freebl/rsa.c, lib/freebl/secmpi.c, lib/freebl/secmpi.h: Bug 1602379 - Provide secure variants of mpp_pprime and mpp_make_prime. r=mt [b83ad33acd67] 2022-03-22 John M. Schanck <jschanck@mozilla.com> * cmd/mpitests/mpi-test.c, lib/freebl/Makefile, lib/freebl/dh.c, lib/freebl/freebl_base.gypi, lib/freebl/manifest.mn, lib/freebl/mpi/mpprime.c, lib/freebl/mpi/mpprime.h, lib/freebl/pqg.c, lib/freebl/rsa.c, lib/freebl/secmpi.c, lib/freebl/secmpi.h: Backed out changeset 6c1092f5203f Caused Windows gyp build failures for cmd/mpitests [ffa1e4ce758a] 2022-03-22 Masatoshi Kimura <VYV03354@nifty.ne.jp> * gtests/pk11_gtest/pk11_module_unittest.cc, lib/pk11wrap/pk11load.c: Bug 1757279 - Support UTF-8 library path in the module spec string. r=nss-reviewers,jschanck [31bce2dae97b] * gtests/base_gtest/Makefile, gtests/base_gtest/base_gtest.gyp, gtests/base_gtest/manifest.mn, gtests/base_gtest/utf8_unittest.cc, gtests/manifest.mn, lib/base/utf8.c, nss.gyp, tests/gtests/gtests.sh: Bug 1396616 - Update nssUTF8_Length to RFC 3629 and fix buffer overrun. r=nss-reviewers,jschanck [2f2c85648edb] 2022-03-22 John M. Schanck <jschanck@mozilla.com> * cmd/mpitests/mpi-test.c, lib/freebl/Makefile, lib/freebl/dh.c, lib/freebl/freebl_base.gypi, lib/freebl/manifest.mn, lib/freebl/mpi/mpprime.c, lib/freebl/mpi/mpprime.h, lib/freebl/pqg.c, lib/freebl/rsa.c, lib/freebl/secmpi.c, lib/freebl/secmpi.h: Bug 1602379 - Provide secure variants of mpp_pprime and mpp_make_prime. r=mt [6c1092f5203f] 2022-03-22 Dennis Jackson <djackson@mozilla.com> * automation/taskcluster/docker-builds/Dockerfile, automation/taskcluster/graph/src/extend.js: Bug 1760827 - Add a CI Target for gcc-11. r=nss-reviewers,nkulatova [d4a3bb7731b0] * automation/taskcluster/graph/src/extend.js: Bug 1760828 - Change to makefiles for gcc-4.8. r=nss-reviewers,mt [191e838399a6] 2022-03-22 J08nY <johny@neuromancer.sk> * automation/taskcluster/graph/src/extend.js, gtests/google_test/VERSION, gtests/google_test/gtest/CMakeLists.txt, gtests/google_test/gtest/CONTRIBUTORS, gtests/google_test/gtest/README.md, gtests/google_test/gtest/cmake/gtest.pc.in, gtests/google_test/gtest/cmake/gtest_main.pc.in, gtests/google_test/gtest/cmake/internal_utils.cmake, gtests/google_test/gtest/docs/Pkgconfig.md, gtests/google_test/gtest/docs/README.md, gtests/google_test/gtest/docs/advanced.md, gtests/google_test/gtest/docs/faq.md, gtests/google_test/gtest/docs/primer.md, gtests/google_test/gtest/docs/pump_manual.md, gtests/google_test/gtest/docs/samples.md, gtests/google_test/gtest/include/gtest/gtest-death-test.h, gtests/google_test/gtest/include/gtest/gtest-matchers.h, gtests/google_test/gtest/include/gtest/gtest-message.h, gtests/google_test/gtest/include/gtest/gtest-param-test.h, gtests/google_test/gtest/include/gtest/gtest-printers.h, gtests/google_test/gtest/include/gtest/gtest-spi.h, gtests/google_test/gtest/include/gtest/gtest-test-part.h, gtests/google_test/gtest/include/gtest/gtest-typed-test.h, gtests/google_test/gtest/include/gtest/gtest.h, gtests/google_test/gtest/include/gtest/gtest_pred_impl.h, gtests/google_test/gtest/include/gtest/gtest_prod.h, gtests/google_test/gtest/include/gtest/internal/custom/gtest-port.h, gtests/google_test/gtest/include/gtest/internal/custom/gtest- printers.h, gtests/google_test/gtest/include/gtest/internal/custom/gtest.h, gtests/google_test/gtest/include/gtest/internal/gtest-death-test- internal.h, gtests/google_test/gtest/include/gtest/internal/gtest- filepath.h, gtests/google_test/gtest/include/gtest/internal/gtest- internal.h, gtests/google_test/gtest/include/gtest/internal/gtest- param-util.h, gtests/google_test/gtest/include/gtest/internal/gtest- port-arch.h, gtests/google_test/gtest/include/gtest/internal/gtest- port.h, gtests/google_test/gtest/include/gtest/internal/gtest- string.h, gtests/google_test/gtest/include/gtest/internal/gtest- type-util.h, gtests/google_test/gtest/include/gtest/internal/gtest- type-util.h.pump, gtests/google_test/gtest/samples/prime_tables.h, gtests/google_test/gtest/samples/sample1.cc, gtests/google_test/gtest/samples/sample1.h, gtests/google_test/gtest/samples/sample10_unittest.cc, gtests/google_test/gtest/samples/sample2.cc, gtests/google_test/gtest/samples/sample2.h, gtests/google_test/gtest/samples/sample2_unittest.cc, gtests/google_test/gtest/samples/sample3-inl.h, gtests/google_test/gtest/samples/sample3_unittest.cc, gtests/google_test/gtest/samples/sample4.h, gtests/google_test/gtest/samples/sample5_unittest.cc, gtests/google_test/gtest/samples/sample6_unittest.cc, gtests/google_test/gtest/samples/sample7_unittest.cc, gtests/google_test/gtest/samples/sample8_unittest.cc, gtests/google_test/gtest/samples/sample9_unittest.cc, gtests/google_test/gtest/scripts/README.md, gtests/google_test/gtest/scripts/gen_gtest_pred_impl.py, gtests/google_test/gtest/scripts/pump.py, gtests/google_test/gtest/scripts/release_docs.py, gtests/google_test/gtest/scripts/run_with_path.py, gtests/google_test/gtest/scripts/upload.py, gtests/google_test/gtest/src/gtest-death-test.cc, gtests/google_test/gtest/src/gtest-filepath.cc, gtests/google_test/gtest/src/gtest-internal-inl.h, gtests/google_test/gtest/src/gtest-matchers.cc, gtests/google_test/gtest/src/gtest-port.cc, gtests/google_test/gtest/src/gtest-printers.cc, gtests/google_test/gtest/src/gtest-test-part.cc, gtests/google_test/gtest/src/gtest-typed-test.cc, gtests/google_test/gtest/src/gtest.cc, gtests/google_test/gtest/src/gtest_main.cc, gtests/google_test/gtest/test/BUILD.bazel, gtests/google_test/gtest/test/googletest-catch-exceptions-test_.cc, gtests/google_test/gtest/test/googletest-death-test-test.cc, gtests/google_test/gtest/test/googletest-death-test_ex_test.cc, gtests/google_test/gtest/test/googletest-env-var-test.py, gtests/google_test/gtest/test/googletest-env-var-test_.cc, gtests/google_test/gtest/test/googletest-failfast-unittest.py, gtests/google_test/gtest/test/googletest-failfast-unittest_.cc, gtests/google_test/gtest/test/googletest-filepath-test.cc, gtests/google_test/gtest/test/googletest-filter-unittest_.cc, gtests/google_test/gtest/test/googletest-global-environment- unittest.py, gtests/google_test/gtest/test/googletest-global- environment-unittest_.cc, gtests/google_test/gtest/test/googletest- json-output-unittest.py, gtests/google_test/gtest/test/googletest- list-tests-unittest_.cc, gtests/google_test/gtest/test/googletest- listener-test.cc, gtests/google_test/gtest/test/googletest-message- test.cc, gtests/google_test/gtest/test/googletest-options-test.cc, gtests/google_test/gtest/test/googletest-output-test-golden-lin.txt, gtests/google_test/gtest/test/googletest-output-test.py, gtests/google_test/gtest/test/googletest-output-test_.cc, gtests/google_test/gtest/test/googletest-param-test-invalid- name1-test_.cc, gtests/google_test/gtest/test/googletest-param-test- invalid-name2-test_.cc, gtests/google_test/gtest/test/googletest- param-test-test.cc, gtests/google_test/gtest/test/googletest-param- test-test.h, gtests/google_test/gtest/test/googletest-param- test2-test.cc, gtests/google_test/gtest/test/googletest-port- test.cc, gtests/google_test/gtest/test/googletest-printers-test.cc, gtests/google_test/gtest/test/googletest-setuptestsuite-test.py, gtests/google_test/gtest/test/googletest-setuptestsuite-test_.cc, gtests/google_test/gtest/test/googletest-shuffle-test_.cc, gtests/google_test/gtest/test/googletest-test-part-test.cc, gtests/google_test/gtest/test/googletest-test2_test.cc, gtests/google_test/gtest/test/googletest-throw-on-failure-test_.cc, gtests/google_test/gtest/test/gtest-typed-test2_test.cc, gtests/google_test/gtest/test/gtest-typed-test_test.cc, gtests/google_test/gtest/test/gtest-typed-test_test.h, gtests/google_test/gtest/test/gtest-unittest-api_test.cc, gtests/google_test/gtest/test/gtest_assert_by_exception_test.cc, gtests/google_test/gtest/test/gtest_environment_test.cc, gtests/google_test/gtest/test/gtest_help_test.py, gtests/google_test/gtest/test/gtest_list_output_unittest.py, gtests/google_test/gtest/test/gtest_list_output_unittest_.cc, gtests/google_test/gtest/test/gtest_pred_impl_unittest.cc, gtests/google_test/gtest/test/gtest_premature_exit_test.cc, gtests/google_test/gtest/test/gtest_repeat_test.cc, gtests/google_test/gtest/test/gtest_skip_check_output_test.py, gtests/google_test/gtest/test/gtest_skip_test.cc, gtests/google_test/gtest/test/gtest_stress_test.cc, gtests/google_test/gtest/test/gtest_test_utils.py, gtests/google_test/gtest/test/gtest_throw_on_failure_ex_test.cc, gtests/google_test/gtest/test/gtest_unittest.cc, gtests/google_test/gtest/test/gtest_xml_outfiles_test.py, gtests/google_test/gtest/test/gtest_xml_output_unittest.py, gtests/google_test/gtest/test/gtest_xml_output_unittest_.cc, gtests/google_test/gtest/test/gtest_xml_test_utils.py, gtests/google_test/gtest/test/production.h, gtests/google_test/update.sh, gtests/ssl_gtest/ssl_agent_unittest.cc: Bug 1741688 - Update googletest to 1.11.0 r=nss-reviewers,mt [88249e154a23] 2022-03-22 Dennis Jackson <djackson@mozilla.com> * gtests/ssl_gtest/tls_ech_unittest.cc, lib/ssl/ssl3con.c, lib/ssl/sslexp.h, lib/ssl/sslimpl.h, lib/ssl/sslsock.c, lib/ssl/tls13ech.c, lib/ssl/tls13ech.h: Bug 1759525 - Add SetTls13GreaseEchSize to experimental API. r=mt [c2f93669b92c] 2022-03-22 Leander Schwarz <lschwarz@mozilla.com> * gtests/ssl_gtest/ssl_version_unittest.cc, gtests/ssl_gtest/tls_filter.cc, gtests/ssl_gtest/tls_filter.h, lib/ssl/tls13con.c: Bug 1755264 - TLS 1.3 Illegal legacy_version handling/alerts. r=djackson [7d931c59d09f] 2022-03-22 Dennis Jackson <djackson@mozilla.com> * lib/ssl/tls13ech.c: Bug 1755904 - Fix calculation of ECH HRR Transcript. r=mt [33c530e653b3] 2022-03-22 Zi Lin <lziest@chromium.org> * coreconf/Linux.mk: Bug 1758741 - Allow ld path to be set as environment variable. r=mt Submitted on behalf of Zi Lin, the author of the patch. [d9368381598f] 2022-03-22 Dennis Jackson <djackson@mozilla.com> * gtests/ssl_gtest/tls_connect.cc: Bug 1760653 - Ensure we don't read uninitialized memory in ssl gtests. r=mt,nss-reviewers [9a7b3c7f4e70] * cpputil/databuffer.h: Bug 1758478 - Fix DataBuffer Move Assignment. r=mt [f12fd43d69c7] 2022-03-18 Robert Relyea <rrelyea@redhat.com> * automation/abi-check/expected-report-libnss3.so.txt, automation/abi- check/expected-report-libssl3.so.txt, gtests/ssl_gtest/ssl_auth_unittest.cc, lib/certdb/cert.h, lib/certdb/certdb.c, lib/nss/nss.def, lib/pk11wrap/pk11obj.c, lib/pk11wrap/pk11pub.h, lib/ssl/authcert.c, lib/ssl/ssl.def, lib/ssl/ssl.h, lib/ssl/ssl3con.c, lib/ssl/sslimpl.h, lib/ssl/sslsock.c, lib/ssl/tls13con.c, lib/ssl/tls13subcerts.c, mach, tests/ssl/ssl.sh, tests/ssl/sslauth.txt: Bug 1552254 internal_error alert on Certificate Request with sha1+ecdsa in TLS 1.3 We need to be able to select Client certificates based on the schemes sent to us from the server. Rather than changing the callback function, this patch adds those schemes to the ssl socket info as suggested by Dana. In addition, two helpful functions have been added to aid User applications in properly selecting the Certificate: PRBool SSL_CertIsUsable(PRFileDesc *fd, CERTCertificate *cert) - returns true if the given cert matches the schemes of the server, the schemes configured on the socket, capability of the token the private key resides on, and the current policy. For future SSL protocol, additional restrictions may be parsed. SSL_FilterCertListBySocket(PRFileDesc *fd, CERTCertList *certlist) - removes the certs from the cert list that doesn't pass the SSL_CertIsUsable() call. In addition the built in cert selection function (NSS_GetClientAuthData) uses the above functions to filter the list. In order to support the NSS_GetClientAuthData three new functions have been added: SECStatus CERT_FilterCertListByNickname(CERTCertList *certList, char *nickname, void *pwarg) -- removes the certs that don't match the 'nickname'. SECStatus CERT_FilterCertListByCertList(CERTCertlist *certList, const CERTCertlist *filterList ) -- removes all the certs on the first cert list that isn't on the second. PRBool CERT_IsInList(CERTCertificate *, const CERTCertList *certList) -- returns true if cert is on certList. In addition * PK11_FindObjectForCert() is exported so the token the cert lives on can be accessed. * the ssle ssl_PickClientSignatureScheme() function (along with several supporing functions) have been modified so it can be used by SSL_CertIsUsable() [be6a97823bfe] Differential Revision: https://phabricator.services.mozilla.com/D141995	2022-03-24 21:34:20 +00:00
Benjamin Beurdouche	84a342941b	Bug 1748820 - land NSS 44e6341be5e8 UPGRADE_NSS_RELEASE, r=beurdouche ... Differential Revision: https://phabricator.services.mozilla.com/D135690	2022-01-12 10:40:38 +00:00
Benjamin Beurdouche	6b81551a1f	Bug 1743993 - land NSS 7d4f221b1fff UPGRADE_NSS_RELEASE, r=ckerschb ... Differential Revision: https://phabricator.services.mozilla.com/D133905	2021-12-15 16:29:10 +00:00
Benjamin Beurdouche	9eb74dd71e	Bug 1724869 - land NSS NSS_3_70_BETA1 UPGRADE_NSS_RELEASE, r=jschanck ... ``` 2021-08-26 Benjamin Beurdouche <bbeurdouche@mozilla.com> * lib/ssl/tls13con.c: Backed out changeset fae49696d374 [e55700ee052e] [NSS_3_70_BETA1] <NSS_3_70_BRANCH> * tests/tlsfuzzer/config.json.in, tests/tlsfuzzer/tlsfuzzer.sh: Backed out changeset 7c3a0a99f7fa [e79531c04e6b] <NSS_3_70_BRANCH> * automation/abi-check/previous-nss-release, lib/nss/nss.h, lib/softoken/softkver.h, lib/util/nssutil.h: Set version numbers to 3.70 Beta [cc0d44da6a0e] 2021-08-26 John M. Schanck <jschanck@mozilla.com> * tests/tlsfuzzer/config.json.in, tests/tlsfuzzer/tlsfuzzer.sh: Bug 1662515 - Enable tlsfuzzer/test-tls13-zero-content-type.py r=bbeurdouche,djackson [7c3a0a99f7fa] 2021-08-26 Benjamin Beurdouche <bbeurdouche@mozilla.com> * lib/ssl/tls13con.c: Bug 1662515 - Fix incorrect alert after successful decryption r=djackson [fae49696d374] 2021-08-24 Robert Relyea <rrelyea@redhat.com> * tests/cert/cert.sh, tests/common/init.sh, tests/sdr/sdr.sh: Bug 1726022 Update test case to verify fix. Updated test cases to verify pbe caching fix. NOTE: putting passwords on databases are key to reproducing the original issue. [ff19b674c468] 2021-08-24 John M. Schanck <jschanck@mozilla.com> * gtests/ssl_gtest/tls_ech_unittest.cc: Bug 1714579 - Explicitly disable downgrade check in TlsConnectStreamTls13.EchOuterWith12Max r=nss-reviewers,bbeurdouche Depends on D123535 [608fd450d499] * gtests/ssl_gtest/ssl_version_unittest.cc: Bug 1714579 - Explicitly disable downgrade check in TlsConnectTest.DisableFalseStartOnFallback r=nss- reviewers,bbeurdouche Depends on D122988 [7bd94de62243] 2021-08-24 Benjamin Beurdouche <bbeurdouche@mozilla.com> * lib/util/nssb64d.c: Formatting for lib/util [db95b15ce1ff] 2021-08-24 John M. Schanck <jschanck@mozilla.com> * lib/util/nssb64d.c: Bug 1681975 - Avoid using a lookup table in nssb64d r=bbeurdouche [d454db6ad1fb] 2021-08-24 Benjamin Beurdouche <bbeurdouche@mozilla.com> * lib/freebl/sha512.c: Bug 1724629 - Use HW accelerated SHA2 on AArch64 Big Endian. r=jschanck [7e31b8f7f741] 2021-08-24 John M. Schanck <jschanck@mozilla.com> * lib/ssl/sslsock.c: Bug 1714579 Change default value of enableHelloDowngradeCheck to true r=mt Firefox sets enableHelloDowngradeCheck to true by default, as of [1576790](https://bugzilla.mozilla.org/show_bug.cgi?id=1576790). We have a two year old open issue noting some issues with that [1590870](https://bugzilla.mozilla.org/show_bug.cgi?id=1590870), but I see no reason not to update the default in NSS. [52137aa125f5] 2021-08-24 Benjamin Beurdouche <bbeurdouche@mozilla.com> * gtests/pk11_gtest/pk11_hpke_unittest.cc: Formatting for gtests/pk11_gtest/pk11_hpke_unittest.cc r=jschanck The clang-format target was failing. https://treeherder.mozilla.org/logviewer?job_id=348100377&repo=nss- try [36bc1c231bf6] ``` Differential Revision: https://phabricator.services.mozilla.com/D123784	2021-08-26 17:45:23 +00:00
Benjamin Beurdouche	e070f79f95	Bug 1715772 - land NSS NSS_3_68_BETA1 UPGRADE_NSS_RELEASE, r=beurdouche ... ``` 2021-07-01 Benjamin Beurdouche <bbeurdouche@mozilla.com> * automation/release/nspr-version.txt: Bug 1717452 - NSS 3.68 should depend on NSPR 4.32. r=kaie [352fca8a348e] [NSS_3_68_BETA1] 2021-06-30 Robert Relyea <rrelyea@redhat.com> * gtests/pk11_gtest/pk11_aeskeywrappad_unittest.cc, gtests/pk11_gtest/pk11_ecdsa_unittest.cc, gtests/pk11_gtest/pk11_keygen.cc, gtests/pk11_gtest/pk11_keygen.h, gtests/pk11_gtest/pk11_signature_test.cc, gtests/pk11_gtest/pk11_signature_test.h, gtests/ssl_gtest/libssl_internals.c, lib/pk11wrap/pk11pk12.c: Bug 1693206 - Implement PKCS8 export of ECDSA keys patch by Christoph Walcher r=rrelyea, bbeurdouche [9343c18b4df7] 2021-06-25 Martin Thomson <mt@lowentropy.net> * gtests/ssl_gtest/ssl_extension_unittest.cc, lib/ssl/ssl3prot.h, lib/ssl/sslproto.h, lib/ssl/tls13con.c: Bug 1712883 - DTLS 1.3 draft-43 r=bbeurdouche [b2178fe9d27b] 2021-06-25 Makoto Kato <m_kato@ga2.so-net.ne.jp> * automation/taskcluster/graph/src/extend.js, coreconf/WIN32.mk, coreconf/config.gypi, lib/freebl/Makefile, lib/freebl/freebl.gyp, lib/freebl/sha256-x86.c, lib/freebl/sha512.c: Bug 1655493 - Support SHA2 HW acceleration using Intel SHA Extension. r=bbeurdouche Before applying (on Ryzen 9 3900X) ``` # mode in opreps cxreps context op time(sec) thrgput sha256_e 1Gb 208Mb 23M 0 0.000 10000.000 10.000 123Mb 301Kb ``` After applying ``` # mode in opreps cxreps context op time(sec) thrgput sha256_e 5Gb 797Mb 110M 0 0.000 10000.000 10.000 591Mb 769Kb ``` [65a7c7b3f182] 2021-05-31 Martin Thomson <mt@lowentropy.net> * gtests/ssl_gtest/libssl_internals.c, gtests/ssl_gtest/libssl_internals.h, gtests/ssl_gtest/tls_ech_unittest.cc, lib/ssl/manifest.mn, lib/ssl/ssl.gyp, lib/ssl/tls13ech.c, lib/ssl/tls13ech.h, lib/ssl/tls13echv.c, lib/util/seccomon.h: Bug 1713562 - Validate ECH public names, r=bbeurdouche This validates that they are LDH (with underscore because we don't hate freedom), but that they are not IP addresses. This invokes the horrible WhatWG IP parsing routines, so that it recognizes a vast array of crazy address formats (thanks 1980s design). [ac81f721cbbf] ``` Differential Revision: https://phabricator.services.mozilla.com/D119026	2021-07-02 12:56:36 +00:00
Julien Cristau	8376ac4322	Bug 1713766 - land NSS NSS_3_67_RTM UPGRADE_NSS_RELEASE, r=bbeurdouche,aryx ... Differential Revision: https://phabricator.services.mozilla.com/D117422	2021-06-10 13:25:03 +00:00
Benjamin Beurdouche	b3d2b323ab	Bug 1711262 - land NSS ef591b9d25a3 UPGRADE_NSS_RELEASE, r=beurdouche ... 2021-05-25 Benjamin Beurdouche <bbeurdouche@mozilla.com> * lib/ckfw/builtins/certdata.txt: Bug 1710716 - Remove Expired Sonera Class2 CA from NSS. r=bwilson Depends on D115882 [ef591b9d25a3] [tip] * lib/ckfw/builtins/certdata.txt: Bug 1710716 - Remove Expired Root Certificates from NSS - QuoVadis Root Certification Authority. r=bwilson Depends on D115877 [f7ff828026cd] * lib/ckfw/builtins/certdata.txt: Bug 1708307 - Remove Trustis FPS Root CA from NSS. r=bwilson [4ef15c2043cf] * lib/ckfw/builtins/certdata.txt: Bug 1707097 - Add Certum Trusted Root CA to NSS. r=bwilson Depends on D115890 [4f4982362348] * lib/ckfw/builtins/certdata.txt: Bug 1707097 - Add Certum EC-384 CA to NSS. r=bwilson Depends on D115889 [171e74b54ca4] * lib/ckfw/builtins/certdata.txt: Bug 1703942 - Add ANF Secure Server Root CA to NSS. r=bwilson Depends on D115888 [e189b4f85ce5] * lib/ckfw/builtins/certdata.txt: Bug 1697071 - Add GLOBALTRUST 2020 root cert to NSS. r=bwilson [487e89fcb141] 2021-05-20 Robert Relyea <rrelyea@redhat.com> * doc/certutil.xml, doc/html/certutil.html, doc/html/derdump.html, doc/html/modutil.html, doc/html/pk12util.html, doc/html/pp.html, doc/html/signver.html, doc/html/ssltap.html, doc/modutil.xml, doc/nroff/certutil.1, doc/nroff/crlutil.1, doc/nroff/derdump.1, doc/nroff/modutil.1, doc/nroff/pk12util.1, doc/nroff/pp.1, doc/nroff/signtool.1, doc/nroff/signver.1, doc/nroff/ssltap.1, doc/nroff/vfychain.1, doc/nroff/vfyserv.1, doc/pk12util.xml, doc/signver.xml: Bug 1712184 NSS tools manpages need to be updated to reflect that sqlite is the default database. This patch does 2 things: 1) update certutil.xml pk12util.xml modutil.xml and signver.xml to reflect the fact the the sql database is default. Many of these also has examples of specifying sql:dirname which is now the default. I did not replace them with dbm:dirname since we don't want to encourage regressing back. The one exception is in the paragraph explaining how to get to the old database format. 2) I ran make in the diretory to update the .1 and .html files generated from the .xml files. There are a number of old updates to the .xml files which haven't been picked up in their corresponding html or man page files. This updates are included in this patch. It is really only necessary to review the changes to the .xml files, the rest were reviewed when their patches were applied. bob [da25615e92c8] 2021-05-24 Mike Hommey <mh@glandium.org> * lib/freebl/freebl.gyp: Bug 1712230 - Don't build ppc-gcm.s with clang integrated assembler. r=bbeurdouche Like intel-gcm.s. [2300e178c90f] 2021-05-20 Robert Relyea <rrelyea@redhat.com> * lib/freebl/blapi.h: Bug 1712211 Strict prototype error when trying to compile nss code that includes blapi.h in blapi.h, strict prototypes compiles fail on: extern BLAKE2BContext *BLAKE2B_NewContext(); This patch fixes that problem. [207465bda46a] Differential Revision: https://phabricator.services.mozilla.com/D115972	2021-05-26 07:56:40 +00:00
Benjamin Beurdouche	6f107407c9	Bug 1705477 - land NSS 1d066793c349 UPGRADE_NSS_RELEASE, r=beurdouche ... 2021-05-06 Martin Thomson <mt@lowentropy.net> * gtests/pk11_gtest/pk11_hpke_unittest.cc: Bug 1709750 - Disable HPKE test when fuzzing, r=bbeurdouche [1d066793c349] [tip] 2021-05-05 Benjamin Beurdouche <bbeurdouche@mozilla.com> * lib/freebl/ppc-gcm-wrap.c, lib/freebl/ppc-gcm.h: Bug 1566124 - Clang format run. r=beurdouche [cb714d62058c] 2021-05-05 mamonet <maamoun.tk@gmail.com> * lib/freebl/Makefile, lib/freebl/freebl.gyp, lib/freebl/ppc-gcm- wrap.c, lib/freebl/ppc-gcm.h, lib/freebl/ppc-gcm.s, lib/freebl/rijndael.c: [1133fef2f7ce] 2021-03-17 Martin Thomson <mt@lowentropy.net> * gtests/common/testvectors/hpke-convert.py, gtests/common/testvectors/hpke-vectors.h, lib/pk11wrap/pk11hpke.c, lib/pk11wrap/pk11hpke.h: Bug 1699021 - Add AES-256-GCM to HPKE, r=bbeurdouche [9fa53d717386] * automation/abi-check/expected-report-libssl3.so.txt, cmd/selfserv/selfserv.c, gtests/ssl_gtest/libssl_internals.c, gtests/ssl_gtest/libssl_internals.h, gtests/ssl_gtest/tls_connect.cc, gtests/ssl_gtest/tls_connect.h, gtests/ssl_gtest/tls_ech_unittest.cc, lib/ssl/sslexp.h, lib/ssl/sslsock.c, lib/ssl/sslt.h, lib/ssl/tls13ech.c, lib/ssl/tls13ech.h, lib/ssl/tls13exthandle.c, lib/ssl/tls13hashstate.c, lib/ssl/tls13hashstate.h: Bug 1698419 - ECH -10 updates, r=bbeurdouche The main changes here are: * an update to HPKE -08 * a move to the single-byte configuration ID * reordering of ECHConfig The addition of the explicit configuration ID means that the API for constructing ECHConfig(List) needs to change. That means a name change, unfortunately. I took the opportunity to make further changes to the arguments. [fa93bd88b690] 2021-03-16 Martin Thomson <mt@lowentropy.net> * coreconf/config.gypi, coreconf/config.mk, gtests/common/testvectors/hpke-convert.py, gtests/common/testvectors/hpke-vectors.h, gtests/pk11_gtest/pk11_hpke_unittest.cc, gtests/ssl_gtest/ssl_auth_unittest.cc, gtests/ssl_gtest/ssl_tls13compat_unittest.cc, gtests/ssl_gtest/tls_ech_unittest.cc, lib/pk11wrap/pk11hpke.c, lib/pk11wrap/pk11hpke.h, lib/pk11wrap/pk11pub.h, lib/ssl/tls13ech.c: Bug 1692930 - Update HPKE to final version, r=bbeurdouche This adds the final HPKE version string. This removes the draft version markers from the implementation and stops tracking the draft version with the exported syntax. I've added the script that I used to convert the JSON test vectors from the specification; that should allow us to pick up new tests relatively easily, especially if we need to add new algorithms. This change breaks several ECH test cases. As fixing those tests is extraordinarily fiddly, I'm going to defer making those changes until we need to update ECH. As we can't land this code until ECH is updated to depend on the final HPKE and until we have coordinated with servers on when the ECH update can be deployed, it should be OK to defer. In short, don't land this without the matching ECH changes. [e78141a928f4] 2021-05-04 Robert Relyea <rrelyea@redhat.com> * automation/abi-check/expected-report-libnss3.so.txt, cmd/lib/basicutil.h, cmd/lib/secutil.c, cmd/lib/secutil.h, cmd/pk12util/pk12util.c, cmd/pp/pp.c, doc/pk12util.xml, doc/pp.xml, lib/nss/nss.def, lib/pk11wrap/pk11akey.c, lib/pk11wrap/pk11pub.h, lib/pkcs12/p12d.c, lib/pkcs12/p12e.c, lib/pkcs12/p12local.c, lib/pkcs12/p12local.h, lib/pkcs12/p12plcy.c, lib/util/secoidt.h, tests/tools/tools.sh: Bug 1707130 NSS should use modern algorithms in PKCS#12 files by default r=mt Also fixes: Bug 452464 pk12util -o fails when -C option specifies AES or Camellia ciphers Related: Bug 1694689 Firefox should use modern algorithms in PKCS#12 files by default Bug 452471 pk12util -o fails when -c option specifies pkcs12v2 PBE ciphers The base of this fix is was a simple 3 line fix in pkcs12.c, changing the initial setting of cipher and cert cipher. Overview for why this patch is larger than just 3 lines: 1. First issue was found in trying to change the mac hashing value. a. While the decrypt side knew how to handle SHA2 hashes, the equivalent code was not updated on the encrypt side. I refactored that code and placed the common function in p12local.c. Now p12e.c and p12d.c share common code to find the required function to produce the mac key. b. The prf hmac was hard coded to SHA1. I changed the code to pass the hmac matching the hashing algorithm for the mac. This required changes to p12e.c to calculate and pass the new hmac as well and adding new PK11_ExportEncryptedPrivateKey and PK11_ExportEncryptedPrivKey to take the PKCS #5 v2 parameters. I also corrected an error which prevented pkcs12 encoding of ciphers other than AES. 2. Once I've made my changes, I realized we didn't have a way of testing them. While we had code that verified that particular sets of parameters for pkcs12 worked together and could be listed and imported, we didn't have a way to verify what algorithms were actually generated by our tools. a. pk12util -l doesn't list the encryption used for the certs, so I updated pp to take a pkcs12 option. In doing so I had to update pp to handle indefinite encoding when decoding blocks. I also factored that decoding out in it's own function so the change only needed to be placed once. Finally I renabled a function which prints the output of an EncryptedPrivate key. This function was disabled long ago when the Encrypted Private key info was made private for NSS. It has since been exported, so these functions could easily be enabled (archeological note: I verified that this disabling was not a recent think I found I had done it back when I still have a netscape email address;). b. I updated tools.sh to us the new pp -t pkcs12 feature to verify that the key encryption, cert encryption, and hash functions matched what we expected when we exported a new key. I also updated tools.sh to handle the new hash variable option to pk12util. c. I discovered several tests commented out with comments that the don't work. I enabled those tests and discovered that they can now encrypt, but the can't decrypt because of pkcs12 policy. I updated the policy code, but I updated it to use the new NSS system wide policy mechanism. This enabled all the ciphers to work. There is still policy work to do. The pk12 policy currently only prevents ciphers from use in decrypting the certificates, not decrypting the keys and not encrypting. I left that for future work. 3. New options for pp and pk12util were added to the man pages for these tools. -------------------------------------------------------------------- ------- With that in mind, here's a file by file description of the patch: automation/abi-check/expected-report-libnss3.so.txt -Add new exported functions. (see lib/nss/nss.def) cmd/lib/basicutil.h: -Removed the HAVE_EPV_TEMPLATE ifdefs (NSS has exported the Encrypted Private Key data structure for a while now. cmd/lib/secutil.c: global: Updated several functions to take a const char * m (message) rather than a char * m global: Made the various PrintPKCS7 return an error code. global: Added a state variable to be passed around the various PKCS7 Print functions. It gives the proper context to interpret PKCS7 Data Content. PKCS 12 used PKCS7 to package the various PKCS12 Safes and Bags. -Updated SECU_StripTagAndLength to handle indefinite encoding, and to set the Error code. -Added SECU_ExtractDERAndStep to grab the next DER Tag, Length, and Data. -Updated secu_PrintRawStringQuotesOptional to remove the inline DER parsing and use SECU_ExtractDERAndStep(). -Updated SECU_PrintEncodedObjectID to return the SECOidTag just like SECU_PrintObjectID. -Renable SECU_PrintPrivateKey -Added secu_PrintPKCS12Attributes to print out the Attributes tied to a PKCS #12 Bag -Added secu_PrintPKCS12Bag to print out a PKCS #12 Bag -Added secu_PrintPKCS7Data, which uses the state to determine what it was printing out. -Added secu_PrintDERPKCS7ContentInfo which is identical to the global function SECU_PrintPKCS7ContentInfo except it takes a state variable. The latter function now calls the former. -Added secu_PrintPKCS12DigestInfo to print the Hash information of the Mac. DigestInfo is the name in the PKCS 12 spec. -Added secu_PrintPKCS12MacData to print the Mac portion of the PKCS 12 file. -Added SECU_PrintPKCS12 to print otu the pkcs12 file. cmd/lib/secutil.h -Added string for pkc12 for the command line of pp reenabled SECU_PrintPrivateKey -Added SECU_PrintPKCS12 for export. cmd/pk12util/pk12util.c -Added the -M option to specify a hash algorithm for the mac. updated P12U_ExportPKCS12Object: pass the hash algorithm to the PasswordIntegrity handler. -Added PKCS12U_FindTagFromString: generalized string to SECOidTag which only filters based on the oid having a matching PKCS #11 mechanism. updated PKCS12U_MapCipherFromString to call use PKCS12U_FindTagFromString to get the candidate tag before doing it's post processing to decide if the tag is really an encryption algorithm. -Added PKCS12U_MapHashFromString with is like MapCipherFromString except it verifies the resulting tag is a hash object. -Updated main to 1) change the default cipher, change the default certCipher, and process the new hash argument. NOTE: in the old code we did not encrypt the certs in FIPS mode. That's because the certs were encrypted with RC4 in the default pkcs12 file, which wasn't a FIPS algorithm. Since AES is, we can use it independent on whether or not we are in FIPS mode. cmd/pp/pp.c -Added the pkcs12 option which calls SECU_PrintPKCS12 from secutil.c lib/nss/nss.def -Add exports to the new PK11_ExportEncryptedPrivKeyInfoV2 and PK11_ExportEncryptedPrivateKeyInfoV2 (V2 means PKCS 5 v2, not Version 2 of ExportEncrypted*Info). -Add export for the old HASH_GetHMACOidTagByHashOidTag which should have been exported long ago to avoid the proliferation of copies of this function in places like ssl. lib/pk11wrap/pk11akey.c -Add PK11_ExportEncryptedPrivKeyInfoV2 (which the old function now calls), which takes the 3 PKCS 5 v2 parameters. The underlying pkcs5 code can fill in missing tags if necessary, but supplying all three gives the caller full control of the underlying pkcs5 PBE used. -Add PK11_ExportEncryptedPrivateKeyInfoV2, same as the above function except it takes a cert which is used to look up the private key. It's the function that pkcs12 actually uses, but the former was exported for completeness. lib/pk11wrap/pk11pub.h -Added the new PK11_ExportEncryptedPriv*KeyInfoV2 functions. lib/pkcs12/p12d.c -Remove the switch statement and place it in p12local.c so that p12e.c can use the same function. lib/pkc12/p12e.c -Remove the unnecessary privAlg check so we can encode any mechanism we support. This only prevented encoding certificates in the pk12 file, not the keys. -add code to get the hmac used in the pbe prf from the integrity hash, which is under application control. -Do the same for key encryption, then use the new PK11_ExportEncryptedPrivateKeyInfo to pass that hash value. -Use the new sec_pkcs12_algtag_to_keygen_mech so there is only one switch statement to update rather than 2. -Update the hash data to old the length of the largest hash rather than the length of a SHA1 hash. lib/pkcs12/p12local.c - Add new function new sec_pkcs12_algtag_to_keygen_mech to factor out the common switch statement between p12e and p12d. lib/pkcs12/p12local.h -Export the new sec_pkcs12_algtag_to_keygen_mech lib/pkcs12/p12plcy.c -Map the old p12 policy functions to use the new NSS_GetAlgorithmPolicy. We keep the old table so that applications can change the policy with the old PKCS12 specific defines (so the old code keeps working). NOTE: policies now default to true rather than false. lib/util/secoidt.h -Add new NSS_USE_ALG_IN_PKCS12 used by pk11plcy.c NOTE: I have not updated the policy table in pk11wrap/pk11pars.c, so we can't yet control pkcs12 policy with the nss system policy table. That's a patch for another time. test/tools/tool.sh -global: Remove trailing spaces -global: DEFAULT is changed to 'default' -Update the PBE mechanism to exactly match the string in secoid.c. PKCS #12 does case independent compares, so case doesn't matter there, but now I'm comparing to the output of pp, and I didn't want to spend the time to figure out case independent compares in bash. -Add our defauts and shell variables at the top so there are easy to change in the future. export_with_*** have all been colapsed into a single export_p12_file which handles taking 'default' and turning off that argument. -Add for loops for the hash functions. -Restore the camellia ciphers back now that they work. -Restore the pkcs12V2pbe back now that they work. -Collect various pbe types into single variables and use those variables in loops -Reduce the number of tests ran in optimized mode (which takes 60x the time to do a pbe then than debug mode based on a larger iterator). -Add verify_p12 which dumps out the p12 file and makes sure the expected CERT_ENCRYPTION, KEY_ENCRYPTION, and HASH are used. doc/pp.xml -Add pkcs12 option doc/pk12util.xml -Add -M option -Update synopsis with options in the description but not in the synopsis [0a1687e1b39e] Differential Revision: https://phabricator.services.mozilla.com/D114584	2021-05-07 10:43:16 +00:00
Benjamin Beurdouche	37aa935e43	Bug 1705477 - land NSS c982fb957516 UPGRADE_NSS_RELEASE, r=beurdouche ... Differential Revision: https://phabricator.services.mozilla.com/D114231	2021-05-04 13:33:25 +00:00
Ryan VanderMeulen	0853554188	Bug 1699657 - land NSS NSS_3_64_RTM UPGRADE_NSS_RELEASE, r=bbeurdouche ... Differential Revision: https://phabricator.services.mozilla.com/D112222	2021-04-15 16:54:57 +00:00
Benjamin Beurdouche	8d848a2cbe	Bug 1694020 - land NSS NSS_3_63_RTM UPGRADE_NSS_RELEASE, r=beurdouche ... Differential Revision: https://phabricator.services.mozilla.com/D108957	2021-03-19 05:28:36 +00:00
Benjamin Beurdouche	f8d14645f7	Bug 1694020 - land NSS 61e70233f80e UPGRADE_NSS_RELEASE, r=beurdouche ... 2021-03-10 Benjamin Beurdouche <bbeurdouche@mozilla.com> * cmd/bltest/blapitest.c, lib/freebl/blapi.h, lib/freebl/chacha20poly1305-ppc.c, lib/freebl/chacha20poly1305.c, lib/freebl/loader.c: Bug 1613235 - Clang-format for: POWER ChaCha20 stream cipher vector acceleration r=beurdouche Depends on D107221 [61e70233f80e] [tip] 2021-03-10 aoeu <aoeuh@yandex.ru> * cmd/bltest/blapitest.c, lib/freebl/blapi.h, lib/freebl/blapit.h, lib/freebl/chacha20poly1305.c, lib/freebl/chacha20poly1305.h, lib/freebl/ldvector.c, lib/freebl/loader.c, lib/freebl/loader.h: Bug 1613235 - Add POWER ChaCha20 stream cipher vector acceleration. r=bbeurdouche Depends on D107220 [4f7ba08bd991] * lib/freebl/Makefile, lib/freebl/chacha20-ppc64le.S, lib/freebl/chacha20poly1305-ppc.c, lib/freebl/chacha20poly1305.c, lib/freebl/freebl.gyp, lib/freebl/freebl_base.gypi: Bug 1613235 - Add POWER ChaCha20 stream cipher vector acceleration. r=bbeurdouche [764124fddaa2] 2021-03-10 Benjamin Beurdouche <bbeurdouche@mozilla.com> * lib/freebl/ecl/ecp_secp384r1.c, lib/freebl/ecl/ecp_secp521r1.c: Bug 1697380 - Make a clang-format run on top of helpful contributions. r=beurdouche Depends on D106881 [8a9174a78207] * lib/freebl/ecl/ecp_secp384r1.c: Bug 1683520 - ECCKiila P384, change syntax of nested structs initialization to prevent build isses with GCC 4.8. r=bbrumley Depends on D102389 [150cbb169f1e] 2021-03-10 Billy Brumley <bbrumley@gmail.com> * lib/freebl/ecl/ecp_secp384r1.c: Bug 1683520 - [lib/freebl/ecl] P-384: allow zero scalars in dual scalar multiplication r=bbeurdouche [76aca2d944ae] 2021-03-10 Benjamin Beurdouche <bbeurdouche@mozilla.com> * lib/freebl/ecl/ecp_secp521r1.c: Bug 1683520 - ECCKiila P521, change syntax of nested structs initialization to prevent build isses with GCC 4.8. r=bbrumley Depends on D102406 [5e7affa3ce43] 2021-03-10 Billy Brumley <bbrumley@gmail.com> * lib/freebl/ecl/ecp_secp521r1.c: Bug 1683520 - [lib/freebl/ecl] P-521: allow zero scalars in dual scalar multiplication r=bbeurdouche [a8f4918cd546] 2021-03-08 Benjamin Beurdouche <bbeurdouche@mozilla.com> * automation/taskcluster/scripts/run_hacl.sh, lib/freebl/verified/Hacl_Bignum25519_51.h, lib/freebl/verified/Hacl_Chacha20.c, lib/freebl/verified/Hacl_Chacha20.h, lib/freebl/verified/Hacl_Chacha20Poly1305_128.c, lib/freebl/verified/Hacl_Chacha20Poly1305_128.h, lib/freebl/verified/Hacl_Chacha20Poly1305_256.c, lib/freebl/verified/Hacl_Chacha20Poly1305_256.h, lib/freebl/verified/Hacl_Chacha20Poly1305_32.c, lib/freebl/verified/Hacl_Chacha20Poly1305_32.h, lib/freebl/verified/Hacl_Chacha20_Vec128.c, lib/freebl/verified/Hacl_Chacha20_Vec128.h, lib/freebl/verified/Hacl_Chacha20_Vec256.c, lib/freebl/verified/Hacl_Chacha20_Vec256.h, lib/freebl/verified/Hacl_Curve25519_51.c, lib/freebl/verified/Hacl_Curve25519_51.h, lib/freebl/verified/Hacl_Kremlib.h, lib/freebl/verified/Hacl_Poly1305_128.c, lib/freebl/verified/Hacl_Poly1305_128.h, lib/freebl/verified/Hacl_Poly1305_256.c, lib/freebl/verified/Hacl_Poly1305_256.h, lib/freebl/verified/Hacl_Poly1305_32.c, lib/freebl/verified/Hacl_Poly1305_32.h, lib/freebl/verified/kremlin/include/kremlin/internal/target.h, lib/freebl/verified/kremlin/include/kremlin/internal/types.h, lib/freebl/verified/kremlin/kremlib/dist/minimal/FStar_UInt128.h, li b/freebl/verified/kremlin/kremlib/dist/minimal/FStar_UInt128_Verifie d.h, lib/freebl/verified/kremlin/kremlib/dist/minimal/FStar_UInt_8_1 6_32_64.h, lib/freebl/verified/kremlin/kremlib/dist/minimal/LowStar_ Endianness.h, lib/freebl/verified/kremlin/kremlib/dist/minimal/fstar _uint128_gcc64.h, lib/freebl/verified/kremlin/kremlib/dist/minimal/f star_uint128_msvc.h, lib/freebl/verified/libintvector.h: Bug 1696800 - HACL* update March 2021 - c95ab70fcb2bc21025d8845281bc4bc8987ca683 r=beurdouche [3a85b452dbfa] Differential Revision: https://phabricator.services.mozilla.com/D107995	2021-03-11 11:59:55 +00:00
Kevin Jacobs	1eb47f6133	Bug 1684061 - land NSS 97ef009f7a78 UPGRADE_NSS_RELEASE, r=bbeurdouche ... 2020-12-11 Kevin Jacobs <kjacobs@mozilla.com> * automation/abi-check/expected-report-libssl3.so.txt, automation/abi- check/previous-nss-release, lib/nss/nss.h, lib/softoken/softkver.h, lib/util/nssutil.h: Set version numbers to 3.61 Beta [f277d2674c80] * gtests/<...> Bug 1677207 - Update Google Test to release-1.10.0 r=bbeurdouche ./gtests/google_test/update.sh release-1.10.0 && hg remove -A && hg add gtests/google_test/* [89141382df45] * gtests/<...> Bug 1677207 - Replace references to TestCase, which is deprecated, with TestSuite r=bbeurdouche grep -rl --exclude-dir=google_test INSTANTIATE_TEST_CASE_P gtests | xargs sed -i '' s/INSTANTIATE_TEST_CASE_P/INSTANTIATE_TEST_SUITE_P/g grep -rl --exclude-dir=google_test SetUpTestCase gtests | xargs sed -i '' s/SetUpTestCase/SetUpTestSuite/g [e15b78be87fa] * gtests/ssl_gtest/ssl_ciphersuite_unittest.cc, gtests/ssl_gtest/ssl_debug_env_unittest.cc, gtests/ssl_gtest/ssl_extension_unittest.cc, gtests/ssl_gtest/ssl_loopback_unittest.cc, gtests/ssl_gtest/ssl_renegotiation_unittest.cc, gtests/ssl_gtest/ssl_resumption_unittest.cc, gtests/ssl_gtest/ssl_version_unittest.cc, gtests/ssl_gtest/tls_ech_unittest.cc: Bug 1677207 - Use GTEST_SKIP in ssl_gtests. r=bbeurdouche [0772f1bf5fd6] 2020-12-17 Robert Relyea <rrelyea@redhat.com> * gtests/common/testvectors/ike-aesxcbc-vectors.h, gtests/common/testvectors/ike-sha1-vectors.h, gtests/common/testvectors/ike-sha256-vectors.h, gtests/common/testvectors/ike-sha384-vectors.h, gtests/common/testvectors/ike-sha512-vectors.h, gtests/common/testvectors_base/test-structs.h, gtests/pk11_gtest/manifest.mn, gtests/pk11_gtest/pk11_gtest.gyp, gtests/pk11_gtest/pk11_ike_unittest.cc, lib/softoken/sftkike.c: Bug 1682071 IKE Quick mode IPSEC give you incorrect keys if you are asking for keys smaller than the hash size. IKE Appendix B fixes. This patch fixes 2 problems. If you run either ike v1 App B or quick mode asking for a key with length mod macsize = 0, you will generate an extra block that's not used and overwrites the end of the buffer. If you use quick mode, the function incorrectly subsets the existing key rather than generating a new key. This is correct behavior for Appendix B, where appendix B is trying to take a generated key and create a new longer key (with no diversification, just transform the key into something that's longer), so if you ask for a key less than or equal to, then you want to just subset the original key. In quick mode you are taking a base key and creating a set of new keys based on additional data, so you want to subset the generated data. This patch only subsets the original key if you aren't doing quickmode. Full test vectors have now been added for all ike modes in this patch as well (previously we depended on the FIPS CAVS tests to test ike, which covers basic IKEv1, IKEv1_psk, and IKEv2 but not IKEv1 App B and IKE v1 Quick mode). [f4995c9fa185] 2020-12-18 Robert Relyea <rrelyea@redhat.com> * gtests/common/testvectors/rsa_pkcs1_2048_test-vectors.h, gtests/common/testvectors/rsa_pkcs1_3072_test-vectors.h, gtests/common/testvectors/rsa_pkcs1_4096_test-vectors.h, gtests/freebl_gtest/Makefile, gtests/freebl_gtest/manifest.mn, gtests/freebl_gtest/rsa_unittest.cc, gtests/manifest.mn, gtests/pk11_gtest/pk11_rsaencrypt_unittest.cc, gtests/pk11_gtest/pk11_rsaoaep_unittest.cc, lib/freebl/alghmac.c, lib/freebl/alghmac.h, lib/freebl/rsapkcs.c: Bug 1651411 New tlsfuzzer code can still detect timing issues in RSA operations. This patch defeats Bleichenbacher by not trying to hide the size of the decrypted text, but to hide if the text succeeded for failed. This is done by generating a fake returned text that's based on the key and the cipher text, so the fake data is always the same for the same key and cipher text. Both the length and the plain text are generated with a prf. Here's the proposed spec the patch codes to: 1. Use SHA-256 to hash the private exponent encoded as a big- endian integer to a string the same length as the public modulus. Keep this value secret. (this is just an optimisation so that the implementation doesn't have to serialise the key over and over again) 2. Check the length of input according to step one of https://tools.ietf.org/html/rfc8017#section-7.2.2 3. When provided with a ciphertext, use SHA-256 HMAC(key=hash_from_step1, text=ciphertext) to generate the key derivation key 4. Use SHA-256 HMAC with key derivation key as the key and a two-byte big- endian iterator concatenated with byte string "length" with the big- endian representation of 2048 (0x0800) as the bit length of the generated string. - Iterate this PRF 8 times to generate a 256 byte string 5. initialise the length of synthetic message to 0 6. split the PRF output into 2 byte strings, convert into big-endian integers, zero- out high-order bits so that they have the same bit length as the octet length of the maximum acceptable message size (k-11), select the last integer that is no larger than (k-11) or remain at 0 if no integer is smaller than (k-11); this selection needs to be performed using a side-channel free operators 7. Use SHA-256 HMAC with key derivation key as the key and a two-byte big-endian iterator concatenated with byte string "message" with the big-endian representation of k*8 - use this PRF to generate k bytes of output (right-truncate last HMAC call if the number of generated bytes is not a multiple of SHA-256 output size) 8. perform the RSA decryption as described in step 2 of section 7.2.2 of rfc8017 9. Verify the EM message padding as described in step 3 of section 7.2.2 of rfc8017, but instead of outputting "decryption error", return the last l bytes of the "message" PRF, when l is the selected synthetic message length using the "length" PRF, make this decision and copy using side-channel free operation [fc05574c7399] 2020-12-22 Robert Relyea <rrelyea@redhat.com> * gtests/freebl_gtest/rsa_unittest.cc, gtests/pk11_gtest/pk11_rsaoaep_unittest.cc, lib/freebl/alghmac.c, lib/freebl/rsapkcs.c: Restore lost portion of the bleichenbacher timing batch that addressed review comments. All the review comments pertained to actual code comments, so this patch only affects the comments. [fcebe146314e] 2020-12-22 Kevin Jacobs <kjacobs@mozilla.com> * lib/dev/devslot.c: Bug 1682863 - Revert nssSlot_IsTokenPresent to 3.58 after ongoing Fx hangs with slow PKCS11 devices. r=bbeurdouche This patch reverts the `nssSlot_IsTokenPresent` changes made in bug 1663661 and bug 1679290, restoring the version used in NSS 3.58 and earlier. It's not an actual `hg backout` because the comment in lib/dev/devt.h is worth keeping. While removing the nested locking did resolve the hang for some (most?) third-party modules, problems remain with some slower tokens after an even further relaxation of the locking, which defeats the purpose of addressing the races in the first place. The crash addressed by these patches was caused by the Intermediate Preloading Healer in Firefox, which has been disabled. We clearly have insufficient test coverage for third-party modules, and now that osclientcerts is enabled in Fx Nightly, any problems caused by these and similar changes is unlikely to be reported until Fx Beta, well after NSS RTM. I think the best option at this point is to simply revert NSS. [97ef009f7a78] [tip] Differential Revision: https://phabricator.services.mozilla.com/D100401	2020-12-23 19:54:31 +00:00
Kevin Jacobs	5e63427a1b	Bug 1677548 - land NSS f8c49b334e51 UPGRADE_NSS_RELEASE, r=bbeurdouche ... 2020-12-01 Kevin Jacobs <kjacobs@mozilla.com> * lib/ckfw/builtins/nssckbi.h: Bug 1678189 - December 2020 batch of root changes, NSS_BUILTINS_LIBRARY_VERSION 2.46. r=bbeurdouche [f8c49b334e51] [tip] * lib/ckfw/builtins/certdata.txt: Bug 1678166 - Add NAVER Global Root Certification Authority root cert to NSS. r=bbeurdouche,KathleenWilson [b9742b439a81] 2020-12-01 Benjamin Beurdouche <benjamin.beurdouche@inria.fr> * lib/ckfw/builtins/certdata.txt: Bug 1670769 - Remove 10 GeoTrust, thawte, and VeriSign root certs from NSS. r=kjacobs,KathleenWilson [4c69d6d0cf21] 2020-12-01 Kevin Jacobs <kjacobs@mozilla.com> * lib/ssl/ssl3exthandle.c: Bug 1674819 - Fix undefined shift when fuzzing r=bbeurdouche In fuzzer mode, session tickets are serialized without any encryption or integrity protection. This leads to a post-deserialize UBSAN error when shifting by a fuzzed (large) authType value. A real NSS server will not produce these values. [a51fae403328] 2020-11-30 Benjamin Beurdouche <benjamin.beurdouche@inria.fr> * build.sh, coreconf/config.gypi, lib/ckfw/builtins/testlib/builtins- testlib.gyp, lib/ckfw/builtins/testlib/nssckbi-testlib.def, nss.gyp: Bug 1678384 - Add a build flag to allow building nssckbi-testlib in m-c r=kjacobs [22bf7c680b60] 2020-12-01 Kevin Jacobs <kjacobs@mozilla.com> * lib/dev/devslot.c: Bug 1679290 - Don't hold slot lock when taking session lock r=bbeurdouche [[ https://hg.mozilla.org/projects/nss/rev/0ed11a5835ac1556ff978362c d61069d48f4c5db | 0ed11a5835ac1556ff978362cd61069d48f4c5db ]] fixed a number of race conditions related to NSSSlot member accesses. Unfortunately the locking order that was imposed by that patch has been found to cause problems for at least one PKCS11 module, libnsspem. This patch drops nested locking in favor of unlocking/re-locking. While this isn't perfect, the original problem in bug 1663661 was that `slot->token` could become NULL, which we can easily check after reacquiring. [19585ccc7a1f] 2020-11-25 Makoto Kato <m_kato@ga2.so-net.ne.jp> * lib/freebl/blinit.c: Bug 1678990 - Use __ARM_FEATURE_CRYPTO for feature detection. r=bbeurdouche Actually, we have CPU feature detection for Linux and FreeBSD on aarch64 platform. But others don't. macOS doesn't has any CPU feature detection for ARM Crypto Extension, but toolchain default is turned on. So we should respect __ARM_FEATURE_CRYPTO. [f1e48fbead3d] 2020-11-19 Lauri Kasanen <cand@gmx.com> * lib/freebl/Makefile: Bug 1642174 - Resolve sha512-p8.o: ABI version 2 is not compatible with ABI version 1 output. r=jcj Don't try to build the SHA-2 accelerated asm on old-ABI ppc. Currently make only, I don't have enough gyp-fu to do that side. However, the reporters of 1642174 and 1635625 both used make, not gyp. Signed-off-by: Lauri Kasanen <cand@gmx.com> [d806f7992b10] Differential Revision: https://phabricator.services.mozilla.com/D98509	2020-12-03 10:20:29 +00:00
J.C. Jones	f3f86339c2	Bug 1671713 - land NSS 58dc3216d518 UPGRADE_NSS_RELEASE, r=kjacobs ... 2020-10-13 Mike Hommey <mh@glandium.org> * lib/freebl/freebl.gyp: Bug 1670839 - Use ARM crypto extension for AES, SHA1 and SHA2 on mac. r=kjacobs AFAICT, the Makefile equivalent already does. [58dc3216d518] [tip] * lib/freebl/sha1-armv8.c: Bug 1670839 - Only build sha1-armv8.c code when USE_HW_SHA1 is defined. r=kjacobs This matches what is done in sha256-armv8.c, and avoids inconsistency with sha1-fast.c, which will define the same functions in the case USE_HW_SHA1 is not defined. [54be084e3ba8] 2020-10-16 J.C. Jones <jjones@mozilla.com> * automation/abi-check/expected-report-libnss3.so.txt, automation/abi- check/previous-nss-release, lib/nss/nss.h, lib/softoken/softkver.h, lib/util/nssutil.h: Set version numbers to 3.59 Beta [d4b21706e432] Differential Revision: https://phabricator.services.mozilla.com/D94070	2020-10-20 14:39:49 +00:00
Kevin Jacobs	25560bb43a	Bug 1660509 - land NSS 2a17c8655a74 UPGRADE_NSS_RELEASE, r=jcj ... 2020-09-14 Benjamin Beurdouche <bbeurdouche@mozilla.com> * coreconf/arch.mk: Bug 1660735 - Fix typo in coreconfig/arch.mk. r=kjacobs [2a17c8655a74] [tip] * coreconf/config.mk: Bug 1660734 - Fix typo in coreconf/config.mk. r=kjacobs [4ae56ec2411b] 2020-09-11 Kevin Jacobs <kjacobs@mozilla.com> * lib/ckfw/builtins/nssckbi.h: Bug 1663049 - September 2020 batch of root changes, NSS_BUILTINS_LIBRARY_VERSION 2.44. r=jcj [141ef83ac10b] * lib/ckfw/builtins/certdata.txt: Bug 1663049 - Add SecureTrust's Trustwave Global root certificates to NSS. r=KathleenWilson,jcj [7dfc054a983e] * lib/ckfw/builtins/certdata.txt: Bug 1656077 - Remove Taiwan Government Root Certification Authority root cert. r=KathleenWilson,jcj Depends on D89841 [32a0d8f751ef] * lib/ckfw/builtins/certdata.txt: Bug 1653092 - Disable server trust bit for OISTE WISeKey Global Root GA CA root cert. r=KathleenWilson,jcj Depends on D89840 [1cdfb26b3220] * lib/ckfw/builtins/certdata.txt: Bug 1651211 - Remove EE Certification Centre Root CA root cert. r=KathleenWilson,jcj [089aeca370df] 2020-09-11 Danh <congdanhqx@gmail.com> * coreconf/arch.mk, coreconf/config.mk, lib/freebl/Makefile: Bug 1659727 - Move makefile avx2 detection to config.mk. r=kjacobs Summary: Current code base use CPU_ARCH to detect if avx2 is supported in arch.mk However, when arch.mk included, CPU_ARCH haven't been initialised, CPU_ARCH will be initialised by the OS specific code later on. Move the AVX2 detection to config.mk, after all other initialisation done. Reviewers: kjacobs Reviewed By: kjacobs Subscribers: kjacobs Bug #: 1659727 [c6dcb99e6121] 2020-09-08 Kevin Jacobs <kjacobs@mozilla.com> * gtests/freebl_gtest/mpi_unittest.cc, lib/freebl/mpi/mpi.c: Bug 1605922 - Account for negative sign in mp_radix_size r=bbeurdouche [b64436ecbd79] 2020-09-09 Daiki Ueno <dueno@redhat.com> * lib/freebl/Makefile: Bug 1659256, add gcc version check on AArch64 optimization, r=rrelyea Summary: As described in https://access.redhat.com/solutions/19458, gcc version in RHEL-7 is still 4.8.x and cannot compile the newly added aes-armv8.c. There is a version check already for 32-bit arm, but not for AArch64. This also removes NS_USE_GCC check added in bug 1652032 in favor of the automatic detection using CC_IS_* macros. Reviewers: rrelyea Reviewed By: rrelyea Subscribers: jmux, kjacobs Bug #: 1659256 [b971c77c0d68] 2020-09-08 Michael Shigorin <mike@altlinux.org> * coreconf/config.gypi: Bug 1663346 - Build e2k architecture as 64-bit r=jcj [e524a577761d] 2020-09-05 Daiki Ueno <dueno@redhat.com> * lib/freebl/fipsfreebl.c: Bug 1662738, run RNG self-tests only if NSPR is linked, r=rrelyea Summary: After the continuous DRBG test was added, RNG self-tests have no longer worked standalone. This moves the self-tests to the DO_REST block so it only runs when the program is also linked to NSPR. Reviewers: rrelyea Reviewed By: rrelyea Bug #: 1662738 [e03296e73ba6] 2020-09-02 Khem Raj <raj.khem@gmail.com> * lib/libpkix/pkix/util/pkix_logger.c: Bug 1661378 - pkix: Do not use NULL where 0 is needed Clang finds this error pkix_logger.c:316:32: error: cast to smaller integer type 'PKIX_ERRORCLASS' from 'void *' [-Werror,-Wvoid-pointer-to-enum- cast] logger->logComponent = (PKIX_ERRORCLASS)NULL; ^~~~~~~~~~~~~~~~~~~~~ pkix_logger.c:617:32: error: cast to smaller integer type 'PKIX_ERRORCLASS' from 'void *' [-Werror,-Wvoid- pointer-to-enum-cast] logger->logComponent = (PKIX_ERRORCLASS)NULL; ^~~~~~~~~~~~~~~~~~~~~ 2 errors generated. Signed-off-by: Khem Raj <raj.khem@gmail.com> [9213848965f6] Differential Revision: https://phabricator.services.mozilla.com/D90130	2020-09-14 17:06:12 +00:00
Kevin Jacobs	ddc8978d1f	Bug 1660509 - land NSS c100e11991f6 UPGRADE_NSS_RELEASE, r=jcj ... 2020-08-21 Kevin Jacobs <kjacobs@mozilla.com> * automation/abi-check/previous-nss-release, lib/nss/nss.h, lib/softoken/softkver.h, lib/util/nssutil.h: Set version numbers to 3.57 Beta [783f49ae6126] 2020-08-24 Kevin Jacobs <kjacobs@mozilla.com> * gtests/ssl_gtest/ssl_auth_unittest.cc, lib/ssl/dtls13con.c, lib/ssl/dtlscon.c, lib/ssl/ssl3con.c, lib/ssl/sslimpl.h, lib/ssl/sslnonce.c: Bug 1653641 - Cleanup inaccurate DTLS comments, code review fixes. r=mt [0e1b5c711cb9] 2020-08-24 Robert Relyea <rrelyea@redhat.com> * lib/freebl/fipsfreebl.c, lib/softoken/fipstest.c, lib/softoken/kbkdf.c, lib/softoken/lowpbe.c, lib/softoken/lowpbe.h, lib/softoken/pkcs11c.c, lib/softoken/pkcs11i.h, lib/softoken/sftkhmac.c, lib/softoken/sftkike.c: Bug 1660304 New FIPS IG requires self-tests for approved kdfs. r=ueno comments=kjacobs FIPS guidance now requires self-tests for our kdfs. It also requires self-tests for cmac which we didn't have in the cmac patch. Currently only one test per kdf is necessary. Specifially for SP-800-108, only one of the three flavors are needed (counter, feedback, or pipeline). This patch includes more complete testing but it has been turned off the currently extraneous tests under the assumption that NIST guidance may require them in the future. HKDF is currently not included in FIPS, but is on track to be included, so hkdf have been included in this patch. Because the test vectors are const strings, the patch pushes some const definitions that were missing in existing private interfaces. There are three flavors of self-tests: Function implemented in freebl are added to the freebl/fipsfreebl.c Functions implemented in pkcs11c.c have selftests completely implemented in softoken/fipstest.c Functions implemented in their own .c file have their selftest function implemented in that .c file and called by fipstests.c These are consistant with the previous choices for selftests. Some private interfaces that took in keys from pkcs #11 structures or outputted keys to pkcs #11 structures were modified to optionally take keys in by bytes and output keys as bytes so the self-tests can work in just bytes. [5dca54fe61c2] 2020-08-25 Daiki Ueno <dueno@redhat.com> * lib/softoken/manifest.mn: Bug 1659252, disable building libnssdbm3.so if NSS_DISABLE_DBM=1, r=rrelyea Reviewers: rrelyea Reviewed By: rrelyea Bug #: 1659252 [4d55d36ca6ef] 2020-08-24 Kevin Jacobs <kjacobs@mozilla.com> * lib/pk11wrap/pk11cxt.c, lib/softoken/pkcs11c.c, lib/softoken/sdb.c, lib/softoken/sftkpwd.c: Bug 1651834 - Fix various static analyzer warnings. r=rrelyea [ab04fd73fd6d] 2020-08-28 Mike Hommey <mh@glandium.org> * lib/freebl/blapii.h: Bug 1661810 - Define pre_align/post_align based on the compiler. r=jcj Things worked fine before we upgraded to clang 11 presumably because the stack was always 16-bytes aligned in the first place, or something akin to that, and the lack of pre_align/post_align doing anything didn't matter. The runtime misalignment of the stack may well be a clang > 9 bug, but keeping pre_align/post_align tied to the x86/x64 is a footgun anyways. [c100e11991f6] [tip] Differential Revision: https://phabricator.services.mozilla.com/D88876	2020-08-31 15:56:19 +00:00
Kevin Jacobs	5637d1775c	Bug 1655105 - land NSS c06f22733446 UPGRADE_NSS_RELEASE, r=jcj ... 2020-08-07 Kevin Jacobs <kjacobs@mozilla.com> * lib/pki/tdcache.c: Bug 1625791 - Call STAN_GetCERTCertificate to load CERTCertificate trust before caching. r=jcj,keeler When caching certificates, `td->cache->lock` must not be held when taking `slot->isPresentLock`. `add_cert_to_cache` holds then former when calling the sort function in `add_subject_entry`, which will [[ https://searchfox.org/mozilla-central/rev/a3b25e347e2c22207c4b369b99 246e4aebf861a7/security/nss/lib/pki/certificate.c#266 | call ]] `STAN_GetCERTCertificate` -> `fill_CERTCertificateFields` when `cc->nssCertificate` [[ https://searchfox.org/mozilla-central/rev/a3 b25e347e2c22207c4b369b99246e4aebf861a7/security/nss/lib/pki/pki3hack .c#923 | is NULL ]]. There are two problems with this: # `fill_CERTCertificateFields` may end up locking `slot->isPresentLock` (bad ordering, bug 1651564) # The above may happen followed by another attempt to lock `td->cache->lock`(deadlock, this bug). By calling `STAN_GetCERTCertificate` prior to the first lock of `td->cache->lock`, we can prevent the problematic call to `fill_CERTCertificateFields` later on, because `cc->nssCertificate` will already be filled. [c06f22733446] [tip] * gtests/ssl_gtest/ssl_auth_unittest.cc, lib/ssl/ssl3con.c: Bug 1588941 - Send empty client cert msg when signature scheme selection fails. r=mt `ssl3_CompleteHandleCertificateRequest` does essentially two things: 1) Calls the `getClientAuthData` hook for certificate selection, and 2) calls `ssl_PickClientSignatureScheme` to select an appropriate signature scheme when a cert is selected. If the first function returns SECFailure, we default to sending an empty certificate message. If the latter fails, however, this bubbles up as a [[ https://searchfox.org/mozilla-central/rev/56bb74e a8e04bdac57c33cbe9b54d889b9262ade/security/nss/lib/ssl/tls13con.c#26 70 | fatal error ]] (and an assertion failure) on the connection. Importantly, the signature scheme selection can fail for reasons that should not be considered fatal - notably when an RSA-PSS cert is selected, but the token on which the key resides does not actually support PSS. This patch treats the failure to find a usable signature scheme as a "no certificate" response, rather than killing the connection entirely. [41ecb7fe5546] * lib/freebl/Makefile, lib/freebl/freebl_base.gypi, lib/freebl/mpi/mpi_amd64_common.S, lib/freebl/mpi/mpi_amd64_gas.s: Bug 1656981 - Use 64x64->128 multiply and MP_COMBA on x86_64 Mac. r=mt This patch makes two MPI changes for MacOS: 1. Rename `mpi_amd64_gas.s` to `mpi_amd64_common.S` and add defines for macho64, allowing Intel Macs to take advantage of the 64x64->128 multiply code. 2. Define and use `NSS_USE_COMBA` on Intel Macs. Performance results with `rsaperf -n none -p 10 -e -x 65537` (default 2048-bit key): Before: `12629.12 operations/s. one operation every 79 microseconds` With 64x64->128 assembly: `29431.65 operations/s. one operation every 33 microseconds` With MP_COMBA and 64x64->128 assembly: `30332.99 operations/s. one operation every 32 microseconds` [330bdab498a3] * lib/ssl/sslimpl.h: Bug 1656429 - Clang-format fixup, r=bustage [07083076fc92] 2020-08-05 Martin Thomson <mt@lowentropy.net> * gtests/ssl_gtest/ssl_0rtt_unittest.cc, gtests/ssl_gtest/tls_connect.cc, lib/ssl/ssl3exthandle.c, lib/ssl/sslimpl.h, lib/ssl/tls13con.c, lib/ssl/tls13replay.c: Bug 1656429 - Correct RTT estimate used in anti-replay, r=kjacobs This was never a security problem, but the more time that passes between the handshake and sending a ticket, the more likely we are to reject 0-RTT. Eventually, 0-RTT only works if it is delayed in the network by a surprising amount. [b4a1c57eb569] Differential Revision: https://phabricator.services.mozilla.com/D86454	2020-08-10 17:59:40 +00:00
Kevin Jacobs	cb86341c99	Bug 1655105 - land NSS afa38fb2f0b5 UPGRADE_NSS_RELEASE, r=jcj ... 2020-07-27 Jan-Marek Glogowski <glogow@fbihome.de> * lib/freebl/Makefile: Bug 1652032 Disable all freebl assembler code for MSVC arm64 r=rrelyea,bbeurdouche There are two places, where NSS tries to compile either x86_64 MSVC assembler or GCC aarch64 code, which will fail the build. And also drop the non-MSVC arch build flags for them. AFAI could identify, there isn't any armasm64 compatible asm code in the whole NSS library, so I don't even adapt AS for the build. The cross-build finishes this way. [d98bbb6168f4] 2020-07-24 Benjamin Beurdouche <bbeurdouche@mozilla.com> * cmd/bltest/blapitest.c, coreconf/config.gypi, coreconf/config.mk, lib/freebl/alg2268.c, lib/freebl/deprecated/alg2268.c, lib/freebl/freebl_base.gypi, lib/freebl/ldvector.c, lib/freebl/loader.c, lib/freebl/loader.h, lib/freebl/manifest.mn, lib/softoken/lowpbe.c, lib/softoken/pkcs11c.c: Bug 1652729 - Add build flag to disable RC2 and relocate to lib/freebl/deprecated. r=kjacobs [e6c6f1d2d544] 2020-07-27 Robert Relyea <rrelyea@redhat.com> * gtests/softoken_gtest/manifest.mn, gtests/softoken_gtest/softoken_dh_vectors.h, gtests/softoken_gtest/softoken_gtest.cc, gtests/softoken_gtest/softoken_gtest.gyp, lib/freebl/blapi.h, lib/freebl/dh.c, lib/freebl/ldvector.c, lib/freebl/loader.c, lib/freebl/loader.h, lib/softoken/manifest.mn, lib/softoken/pkcs11.c, lib/softoken/pkcs11c.c, lib/softoken/pkcs11i.h, lib/softoken/pkcs11u.c, lib/softoken/sftkdhverify.c, lib/softoken/softoken.gyp: Bug 1648822 Add stricter validation of DH keys when in FIPS mode. Update: FIPS now also requires us to do y^q mod p testing on key generation (always). We now do that in FIPS mode only, but in all modes we do full DH verification for DH and ECDH. Because of this, the path has now separated out the prime checks, which are now only done for the DH operation if we aren't using a known prime and the subprime value has been provided. I've also learned we can accept keys that we do full validation on in FIPS mode, so I've added that to this patch, though we still can't generate those kinds of keys without adding the subprime at keygen time. The new FIPS standard is dh operations must use approved primes. Approved primes are those selected in the tls and ike RFCs. Currently tls and ike have modes with checks whether the primes are approved, but the check may not always happen. The safest thing to do in FIPS mode is only allow those primes. In addition, FIPS requires 1< y < p-1 (or technically 2<=y<=p-2, since y is an integer those two tests are identical). While making changes I realized we would want a mode where we can do more strict checks on the prime while not requiring that the prime be an approved prime. We already allow for strict checking if q is supplied with the private key, but there were a couple of issues with that check: 1. there was no way of actually setting q in the current NSS pk11wrap interfaces. 2. If the prime was a safe prime, but g was an actual generator, then we would fail the y^q mod p = 1 tests for 50% of the keys, even though those keys are safe. 3. We weren't checking primality of p and q. So the old code: if (q) { check y^q mod p = 1 if not fail } check 1 <y < p-1 (done in DH_Derive). New code: if (! p is approved prime) { if (FIPS) fail; if (q) { y_test = y if (p,q-> p is a safe prime) { y_test = 1 } check prime is prime Fail if not check subprime is subprime fail if not y_test^q mod p = 1 } } check 1 < y < p-1 (done in DH_Derive) This means: Existing code non-fips without setting the subprime continues to run as before. Non-fips code which sets the subprime now runs slower, but p and q are checked if p or q where not prime, the derive fails (which it should). In FIPS mode only approved primes will succeed now. Non-fips code can now set the subprime to q=(p-1)/2 if it doesn't have an explicit q value (like in tls). If the derive succeeds, we know that p is a safe prime. If p is approved, the checks are skipped because we already know that p is a safe prime. Code can optionally do a test derive on a new p and remember it's safe so that we know longer need to check ever call (though if q is not (p-1)/2, you will need to continue to do the checks each call because y could still be a small subgroup). This patch: gtests/softoken_gtest 1. Added New dh tests to softoken_gtests. The tests were added to softoken_gtests because we need to test both non-FIPS and FIPS mode. Test vectors include a category, so the same test vectors can be used in FIPS and non-FIPS even though each class may have different results. Most of the test vectors where created either by dhparams command in openssl, dsaparams in openssl, and the nss makepqg command. Each vector includes a label, prime, base, optional subprime, optional public key, test type, and key class (basically size). 2. If public key is not supplied, we use a generated public key. 3. If subPrime is supplied to wet it on the private key after generation. lib/freebl/dh.c add primality tests to KEA_VerifyKey(). lib/softokn/ 1. Allow CKA_SUBPRIME to be set after key generation or import. This affects how we test for it's existance, since it is now always there on the key, we check it's length to make sure it's non-zero. 2. We implement the psuedocode above as real code. 3. We create two new functions: sftl_VerifyDH_Prime which return SECSuccess if Prime is an approved prime. sftk_IsSafePrime which returns SECSuess of both prime and subprime look reasonable, and sets a Bool to PR_TRUE is subprime -> prime is safe (subprime = (prime-1)/2. These functions are implemented in sftkdhverify.c 4.Cleanup incorrect nominclature on primes (safe primes are not strong primes). [0be91fa2217a] * gtests/softoken_gtest/softoken_dh_vectors.h, gtests/softoken_gtest/softoken_gtest.cc: Fix more of the timeout issues on tests. (Drop expensive 4098 dh tests ). [4014c075a31b] 2020-07-29 Makoto Kato <m_kato@ga2.so-net.ne.jp> * coreconf/config.gypi, lib/freebl/Makefile, lib/freebl/blinit.c, lib/freebl/freebl.gyp, lib/freebl/sha1-armv8.c, lib/freebl/sha_fast.c, lib/freebl/sha_fast.h: Bug 1650702 - Use ARM's crypt extension for SHA1. r=kjacobs ARM Crypto extension has SHA1 acceleration. Using this, SHA1 is 3 times faster on ARMv8 CPU. The following data is AWS's a1 instance (Cortex-A72). Before ====== ``` # mode in opreps cxreps context op time(sec) thrgput sha1_e 954Mb 31M 0 0.000 10000.000 10.000 95Mb ``` After ===== ``` # mode in opreps cxreps context op time(sec) thrgput sha1_e 2Gb 94M 0 0.000 10000.000 10.000 288Mb ``` [68b6eb737689] 2020-07-29 Jan-Marek Glogowski <glogow@fbihome.de> * manifest.mn: Bug 1653975 - Set "all" as the default Makefile target r=jcj,rrelyea Just reorder the rules in manifest.mn, so all is again the first rule. This restores pre-3.53 Makefile defaults. [eb52747b7000] 2020-07-31 Makoto Kato <m_kato@ga2.so-net.ne.jp> * lib/freebl/blapii.h, lib/freebl/blinit.c, nss-tool/hw-support.c: Bug 1654142 - Add CPU feature detection for Intel SHA extension. r=kjacobs [e6b77a9c417a] 2020-08-03 Nathan Froyd <froydnj@mozilla.com> * coreconf/detect_host_arch.py: Bug 1656986 - special-case arm64 in detect_host_arch.py; r=jcj This case comes up when attempting to build NSS on ARM64 Mac. If we don't do this, we wind up detecting arm64 as "arm", with predictably bad consequences. [afa38fb2f0b5] [tip] Differential Revision: https://phabricator.services.mozilla.com/D85888	2020-08-04 19:54:56 +00:00
Kevin Jacobs	99b3679870	Bug 1649545 - land NSS NSS_3_55_BETA1 UPGRADE_NSS_RELEASE, r=jcj ... 2020-07-21 Benjamin Beurdouche <bbeurdouche@mozilla.com> * cmd/bltest/blapitest.c: Bug 1653202 - Fix issue disabling other mechanisms when SEED is deprecated in cmd/bltest/blapitest.c. r=kjacobs [0768baa431e7] [NSS_3_55_BETA1] 2020-07-21 Kevin Jacobs <kjacobs@mozilla.com> * automation/release/nspr-version.txt: Bug 1652331 - NSS 3.55 should depend on NSPR 4.27. r=kaie [3deefc218cd9] 2020-07-20 Billy Brumley <bbrumley@gmail.com> * lib/freebl/ec.c: Bug 1631573: Remove unnecessary scalar padding in ec.c r=kjacobs,bbeurdouche Subsequent calls to ECPoints_mul and ECPoint_mul remove this padding. Timing attack countermeasures are now applied more generally deeper in the call stack. [aeb2e583ee95] 2020-07-20 Kai Engert <kaie@kuix.de> * lib/nss/nssinit.c: Bug 1653310 - On macOS check if nssckbi exists prior to loading it. r=kjacobs [ca207655b4b7] Differential Revision: https://phabricator.services.mozilla.com/D84420	2020-07-21 23:37:38 +00:00
Kevin Jacobs	e3e0baf90e	Bug 1649545 - land NSS 615362dff5ad UPGRADE_NSS_RELEASE, r=jcj ... 2020-07-18 Benjamin Beurdouche <bbeurdouche@mozilla.com> * gtests/pk11_gtest/pk11_cipherop_unittest.cc, lib/softoken/pkcs11c.c: Bug 1636771 - Disable PKCS11 incremental mode for ChaCha20. r=kjacobs,rrelyea Depends on D74801 [615362dff5ad] [tip] * gtests/pk11_gtest/pk11_chacha20poly1305_unittest.cc, lib/freebl/chacha20poly1305.c: Bug 1636771 - Fix incorrect call to Chacha20Poly1305 by PKCS11. r=jcj,kjacobs,rrelyea [a5e82e40f03e] 2020-07-16 Benjamin Beurdouche <bbeurdouche@mozilla.com> * lib/softoken/pkcs11c.c: Bug 1637222 - Enforce IV length check for DES. r=kjacobs,jcj [0c70232cb6d3] Differential Revision: https://phabricator.services.mozilla.com/D84043	2020-07-20 17:19:03 +00:00
Kevin Jacobs	4e97e34c45	Bug 1649545 - land NSS ca068f5b5c17 UPGRADE_NSS_RELEASE, r=jcj ... 2020-07-16 Billy Brumley <bbrumley@gmail.com> * lib/freebl/ecl/ecl-priv.h, lib/freebl/ecl/ecl.c, lib/freebl/ecl/ecp_secp521r1.c, lib/freebl/freebl_base.gypi, lib/freebl/manifest.mn: Bug 1631583 - ECC: constant time P-521 r=kjacobs,rrelyea,bbeurdouche This portable code contributed by the Network and Information Security Group (NISEC) at Tampere University comes from: [ECCKiila](https://gitlab.com/nisec/ecckiila) that uses [Fiat](https://github.com/mit-plv/fiat-crypto) for the underlying field arithmetic. Co-authored-by: Luis Rivera-Zamarripa <luis.riverazamarripa@tuni.fi> Co-authored-by: Jesús-Javier Chi-Domínguez <jesus.chidominguez@tuni.fi> [ca068f5b5c17] [tip] * lib/freebl/ecl/ecl-priv.h, lib/freebl/ecl/ecl.c, lib/freebl/ecl/ecp_secp384r1.c, lib/freebl/freebl_base.gypi, lib/freebl/manifest.mn, tests/ec/ectest.sh: Bug 1631583 - ECC: constant time P-384 r=bbeurdouche,rrelyea This portable code contributed by the Network and Information Security Group (NISEC) at Tampere University comes from: [ECCKiila](https://gitlab.com/nisec/ecckiila) that uses [Fiat](https://github.com/mit-plv/fiat-crypto) for the underlying field arithmetic. Co-authored-by: Luis Rivera-Zamarripa <luis.riverazamarripa@tuni.fi> Co-authored-by: Jesús-Javier Chi-Domínguez <jesus.chidominguez@tuni.fi> [d19a3cd451bb] 2020-07-13 Robert Relyea <rrelyea@redhat.com> * lib/pk11wrap/pk11pub.h: Bug 1643528 Cannot compile code with nss headers and -Werror=strict- prototypes r=kjacobs [01ffd8fef7fa] 2020-07-10 Daiki Ueno <dueno@redhat.com> * gtests/ssl_gtest/ssl_auth_unittest.cc, lib/ssl/ssl3con.c, lib/ssl/ssl3exthandle.c, lib/ssl/sslimpl.h, lib/ssl/tls13exthandle.c: Bug 1646324, advertise rsa_pkcs1_* schemes in CH and CR for certs, r=mt Summary: In TLS 1.3, unless "signature_algorithms_cert" is advertised, the "signature_algorithms" extension is used as an indication of supported algorithms for signatures on certificates. While rsa_pkcs1_* signatures schemes cannot be used for signing handshake messages, they should be advertised if the peer wants to to support certificates signed with RSA PKCS#1. This adds a flag to ssl3_EncodeSigAlgs() and ssl3_FilterSigAlgs() to preserve rsa_pkcs1_* schemes in the output. Reviewers: mt Reviewed By: mt Bug #: 1646324 [df1d2695e115] 2020-07-09 Benjamin Beurdouche <bbeurdouche@mozilla.com> * gtests/pk11_gtest/pk11_pbkdf2_unittest.cc, lib/pk11wrap/pk11pbe.c: Bug 1649648 - Fix null pointers passed as argument in pk11wrap/pk11pbe.c:886 r=kjacobs [de661583d467] Differential Revision: https://phabricator.services.mozilla.com/D83824	2020-07-16 22:37:42 +00:00
Kevin Jacobs	6a6ed41ab7	Bug 1649545 - land NSS 58c2abd7404e UPGRADE_NSS_RELEASE, r=jcj ... 2020-06-26 Kevin Jacobs <kjacobs@mozilla.com> * automation/abi-check/expected-report-libssl3.so.txt, automation/abi- check/previous-nss-release, lib/nss/nss.h, lib/softoken/softkver.h, lib/util/nssutil.h: Set version numbers to 3.55 beta [332ab7db68ba] 2020-06-25 Kevin Jacobs <kjacobs@mozilla.com> * tests/all.sh: Bug 1649190 - Run cipher, sdr, and ocsp tests under standard test cycle. [f373809abfc0] 2020-06-15 Kevin Jacobs <kjacobs@mozilla.com> * gtests/common/testvectors/p256ecdsa-sha256-vectors.h, gtests/common/testvectors/p384ecdsa-sha384-vectors.h, gtests/common/testvectors/p521ecdsa-sha512-vectors.h, gtests/common/testvectors_base/test-structs.h, gtests/common/wycheproof/genTestVectors.py, gtests/pk11_gtest/pk11_ecdsa_unittest.cc: Bug 1649226 - Add Wycheproof ECDSA tests. [41292ff7f545] 2020-06-30 Benjamin Beurdouche <bbeurdouche@mozilla.com> * lib/pkcs12/p12d.c: Bug 1649322 - Fix null pointer passed as argument in pk11wrap/pk11pbe.c:1246 r=kjacobs [cc43ebf5bf88] 2020-06-30 Danh <congdanhqx@gmail.com> * coreconf/arch.mk, coreconf/config.mk, lib/freebl/Makefile: Bug 1646594 - Enable AVX2 if applicable on x86_64 with make 4.3 r=bbeurdouche [b579895aceb0] 2020-07-02 Benjamin Beurdouche <bbeurdouche@mozilla.com> * lib/ssl/ssl3con.c: Bug 1649316 - Prevent memcmp to be called with a zero length in ssl/ssl3con.c:6621 r=kjacobs [8fe9213d0551] 2020-07-02 Alexander Scheel <ascheel@redhat.com> * lib/cryptohi/secvfy.c: Bug 1649487 - Fix bad assert in VFY_EndWithSignature. r=jcj [c9438b528103] 2020-07-06 Dana Keeler <dkeeler@mozilla.com> * automation/abi-check/expected-report-libnss3.so.txt, gtests/pk11_gtest/pk11_find_certs_unittest.cc, lib/nss/nss.def, lib/pk11wrap/pk11cert.c, lib/pk11wrap/pk11pub.h: Bug 1649633 - add PK11_FindEncodedCertInSlot r=kjacobs,jcj PK11_FindEncodedCertInSlot can be used to determine the PKCS#11 object handle of an encoded certificate in a given slot. If the given certificate does not exist in that slot, CK_INVALID_HANDLE is returned. [32fe710a942f] * gtests/pk11_gtest/pk11_find_certs_unittest.cc: Bug 1649633 - follow-up to make test comparisons in pk11_find_certs_unittest.cc yoda comparisons r=kjacobs [424dae31a1c1] 2020-07-07 Kevin Jacobs <kjacobs@mozilla.com> * gtests/pk11_gtest/pk11_rsapkcs1_unittest.cc, lib/freebl/rsapkcs.c: Bug 1067214 - Check minimum padding in RSA_CheckSignRecover. r=rrelyea This patch adds a check to `RSA_CheckSignRecover` enforcing a minimum padding length of 8 bytes for PKCS #1 v1.5-formatted signatures. In practice, RSA key size requirements already ensure this requirement is met, but smaller (read: broken) key sizes can be used via configuration overrides, and NSS should just follow the spec. [e5324bd5a885] 2020-07-08 Kevin Jacobs <kjacobs@mozilla.com> * gtests/ssl_gtest/libssl_internals.c, gtests/ssl_gtest/libssl_internals.h, gtests/ssl_gtest/ssl_record_unittest.cc, gtests/ssl_gtest/tls_agent.cc, gtests/ssl_gtest/tls_agent.h, lib/ssl/dtls13con.c, lib/ssl/dtls13con.h, lib/ssl/ssl3con.c, lib/ssl/ssl3prot.h, lib/ssl/sslspec.h, lib/ssl/sslt.h, lib/ssl/tls13con.c, lib/ssl/tls13exthandle.c: Bug 1647752 - Update DTLS 1.3 implementation to draft-38. r=mt This patch updates DTLS 1.3 to draft-38. Specifically: # `ssl_ct_ack` value changes from 25 to 26. # AEAD limits in `tls13_UnprotectRecord` enforce a maximum of 2^36-1 (as we only support GCM/ChaCha20 AEADs) decryption failures before the connection is closed. # Post-handshake authentication will no longer be negotiated in DTLS 1.3. This allows us to side-step the more convoluted state machine requirements. [132a87fc8689] 2020-07-09 Benjamin Beurdouche <bbeurdouche@mozilla.com> * lib/pk11wrap/pk11pbe.c, lib/pkcs12/p12d.c: Bug 1649322 - Fix null pointer passed as argument in pk11wrap/pk11pbe.c:1246 r=kjacobs This is a fixup patch that reverts https://hg.mozilla.org/projects/n ss/rev/cc43ebf5bf88355837c5fafa2f3c46e37626707a and adds a null check around the memcpy in question. [80bea0e22b20] 2020-07-09 J.C. Jones <jjones@mozilla.com> * lib/softoken/pkcs11.c: Bug 1651520 - slotLock race in NSC_GetTokenInfo r=kjacobs Basically, NSC_GetTokenInfo doesn't lock slot->slotLock before accessing slot after obtaining it, even though slotLock is defined as its lock. [0] [0] https://searchfox.org/nss/rev/a412e70e55218aaf670f1f10322fa734d8 a9fbde/lib/softoken/pkcs11i.h#320-321 [58c2abd7404e] [tip] Differential Revision: https://phabricator.services.mozilla.com/D82466	2020-07-09 23:05:48 +00:00
Kevin Jacobs	bc02cf3e36	Bug 1642687 - land NSS 699541a7793b UPGRADE_NSS_RELEASE, r=jcj ... 2020-06-16 Sohaib ul Hassan <sohaibulhassan@tuni.fi> * lib/freebl/mpi/mpi.c, lib/freebl/mpi/mpi.h, lib/freebl/mpi/mplogic.c: Bug 1631597 - Constant-time GCD and modular inversion r=rrelyea,kjacobs The implementation is based on the work by Bernstein and Yang (https://eprint.iacr.org/2019/266) "Fast constant-time gcd computation and modular inversion". It fixes the old mp_gcd and s_mp_invmod_odd_m functions. The patch also fix mpl_significant_bits s_mp_div_2d and s_mp_mul_2d by having less control flow to reduce side-channel leaks. Co Author : Billy Bob Brumley [699541a7793b] [tip] Differential Revision: https://phabricator.services.mozilla.com/D80120	2020-06-18 15:48:05 +00:00
Kevin Jacobs	0c2287c77b	Bug 1642687 - land NSS 6dcd00c13ffc UPGRADE_NSS_RELEASE, r=jcj ... 2020-06-15 J.C. Jones <jjones@mozilla.com> * lib/ckfw/builtins/nssckbi.h: Bug 1618402 - June 2020 batch of root changes, NSS_BUILTINS_LIBRARY_VERSION 2.42 r=bbeurdouche,KathleenWilson All changes: Bug 1618402 - Remove 3 Symantec roots and disable Email trust bit for others Bug 1621151 - Disable Email trust bit for GRCA root Bug 1639987 - Remove expired Staat der Nederlanden Root CA - G2 root cert Bug 1641718 - Remove "LuxTrust Global Root 2" root cert Bug 1641716 - Add Microsoft's non-EV roots Bug 1645174 - Add Microsec's "e-Szigno Root CA 2017" root cert Bug 1645186 - Add "certSIGN Root CA G2" root cert Bug 1645199 - Remove Expired AddTrust root certs Depends on D79373 [6dcd00c13ffc] [tip] 2020-06-12 J.C. Jones <jjones@mozilla.com> * lib/ckfw/builtins/certdata.txt: Bug 1645186 - Add certSIGN Root CA G2 root cert r=KathleenWilson Friendly Name: certSIGN Root CA G2 Cert Location: http://crl.certsign.ro/certsign-rootg2.crt SHA-1 Fingerprint: 26F993B4ED3D2827B0B94BA7E9151DA38D92E532 SHA-256 Fingerprint: 657CFE2FA73FAA38462571F332A2363A46FCE7020951710702CDFBB6EEDA3305 Trust Flags: Websites Test URL: https://testssl-valid- evcp.certsign.ro/ Depends on D79372 [d541eaaca2ef] * lib/ckfw/builtins/certdata.txt: Bug 1645174 - Add e-Szigno Root CA 2017 r=KathleenWilson,kjacobs Depends on D79371 [6d397f2a5f01] * lib/ckfw/builtins/certdata.txt: Bug 1641716 - Add Microsoft non-EV roots r=KathleenWilson,kjacobs Friendly Name: Microsoft ECC Root Certificate Authority 2017 Cert Location: http://www.microsoft.com/pkiops/certs/Microsoft%20ECC%20Ro ot%20Certificate%20Authority%202017.crt SHA-1 Fingerprint: 999A64C37FF47D9FAB95F14769891460EEC4C3C5 SHA-256 Fingerprint: 358DF39D764AF9E1B766E9C972DF352EE15CFAC227AF6AD1D70E8E4A6EDCBA02 Trust Flags: Websites Test URL: https://acteccroot2017.pki.microsoft.com/ Friendly Name: Microsoft RSA Root Certificate Authority 2017 Cert Location: http://www.microsoft.com/pkiops/certs/Microsoft%20RSA%20Ro ot%20Certificate%20Authority%202017.crt SHA-1 Fingerprint: 73A5E64A3BFF8316FF0EDCCC618A906E4EAE4D74 SHA-256 Fingerprint: C741F70F4B2A8D88BF2E71C14122EF53EF10EBA0CFA5E64CFA20F418853073E0 Trust Flags: Websites Test URL: https://actrsaroot2017.pki.microsoft.com/ Depends on D79370 [576f52ca3f02] * lib/ckfw/builtins/certdata.txt: Bug 1645199 - Remove Expired AddTrust root certs r=KathleenWilson,kjacobs Remove the following two expired AddTrust root certs from NSS. Subject/Issuer: CN=AddTrust Class 1 CA Root; OU=AddTrust TTP Network; O=AddTrust AB; C=SE Valid To (GMT): 5/30/2020 SHA-1 Fingerprint: CCAB0EA04C2301D6697BDD379FCD12EB24E3949D SHA-256 Fingerprint: 8C7209279AC04E275E16D07FD3B775E80154B5968046E31F52DD25766324E9A7 Subject/Issuer: CN=AddTrust External CA Root; OU=AddTrust External TTP Network; O=AddTrust AB; C=SE Valid To (GMT): 5/30/2020 SHA-1 Fingerprint: 02FAF3E291435468607857694DF5E45B68851868 SHA-256 Fingerprint: 687FA451382278FFF0C8B11F8D43D576671C6EB2BCEAB413FB83D965D06D2FF2 Mozilla EV Policy OID(s): 1.3.6.1.4.1.6449.1.2.1.5.1 Depends on D79369 [96d0279ef929] * lib/ckfw/builtins/certdata.txt: Bug 1641718 - Remove "LuxTrust Global Root 2" root cert r=KathleenWilson,kjacobs Subject: CN=LuxTrust Global Root 2; O=LuxTrust S.A.; C=LU Valid From (GMT): 3/5/2015 Valid To (GMT): 3/5/2035 Certificate Serial Number: 0A7EA6DF4B449EDA6A24859EE6B815D3167FBBB1 SHA-1 Fingerprint: 1E0E56190AD18B2598B20444FF668A0417995F3F SHA-256 Fingerprint: 54455F7129C20B1447C418F997168F24C58FC5023BF5DA5BE2EB6E1DD8902ED5 Depends on D79368 [cc40386d3958] * lib/ckfw/builtins/certdata.txt: Bug 1639987 - Remove expired Staat der Nederlanden Root CA - G2 root cert r=KathleenWilson,kjacobs Subject: CN=Staat der Nederlanden Root CA - G2; O=Staat der Nederlanden; C=NL Valid From (GMT): 3/26/2008 Valid To (GMT): 3/25/2020 Certificate Serial Number: 0098968C SHA-1 Fingerprint: 59AF82799186C7B47507CBCF035746EB04DDB716 SHA-256 Fingerprint: 668C83947DA63B724BECE1743C31A0E6AED0DB8EC5B31BE377BB784F91B6716F Depends on D79367 [7236f86d8db7] * lib/ckfw/builtins/certdata.txt: Bug 1621151 - Disable email trust bit for TW Government Root Certification Authority root r=kjacobs,KathleenWilson Depends on D79366 [d56b95fc344f] * lib/ckfw/builtins/certdata.txt: Bug 1618402 - Disable email trust bit for several Symantec certs r=KathleenWilson,kjacobs Disable the Email trust bit for the following root certs" Subject: CN=GeoTrust Global CA; O=GeoTrust Inc.; C=US Certificate Serial Number: 023456 SHA-1 Fingerprint: DE28F4A4FFE5B92FA3C503D1A349A7F9962A8212 SHA-256 Fingerprint: FF856A2D251DCD88D36656F450126798CFABAADE40799C722DE4D2B5DB36A73A Subject: CN=GeoTrust Primary Certification Authority - G2; OU=(c) 2007 GeoTrust Inc. - For authorized use only; O=GeoTrust Inc.; C=US Certificate Serial Number: 3CB2F4480A00E2FEEB243B5E603EC36B SHA-1 Fingerprint: 8D1784D537F3037DEC70FE578B519A99E610D7B0 SHA-256 Fingerprint: 5EDB7AC43B82A06A8761E8D7BE4979EBF2611F7DD79BF91C1C6B566A219ED766 Subject: CN=GeoTrust Primary Certification Authority - G3; OU=(c) 2008 GeoTrust Inc. - For authorized use only; O=GeoTrust Inc.; C=US Certificate Serial Number: 15AC6E9419B2794B41F627A9C3180F1F SHA-1 Fingerprint: 039EEDB80BE7A03C6953893B20D2D9323A4C2AFD SHA-256 Fingerprint: B478B812250DF878635C2AA7EC7D155EAA625EE82916E2CD294361886CD1FBD4 Subject: CN=GeoTrust Universal CA; O=GeoTrust Inc.; C=US Certificate Serial Number: 01 SHA-1 Fingerprint: E621F3354379059A4B68309D8A2F74221587EC79 SHA-256 Fingerprint: A0459B9F63B22559F5FA5D4C6DB3F9F72FF19342033578F073BF1D1B46CBB912 Subject: CN=GeoTrust Universal CA 2; O=GeoTrust Inc.; C=US Certificate Serial Number: 01 SHA-1 Fingerprint: 379A197B418545350CA60369F33C2EAF474F2079 SHA-256 Fingerprint: A0234F3BC8527CA5628EEC81AD5D69895DA5680DC91D1CB8477F33F878B95B0B Subject: CN=VeriSign Class 3 Public Primary Certification Authority - G4; OU=VeriSign Trust Network, (c) 2007 VeriSign, Inc. - For authorized use only; O=VeriSign, Inc.; C=US Certificate Serial Number: 2F80FE238C0E220F486712289187ACB3 SHA-1 Fingerprint: 22D5D8DF8F0231D18DF79DB7CF8A2D64C93F6C3A SHA-256 Fingerprint: 69DDD7EA90BB57C93E135DC85EA6FCD5480B603239BDC454FC758B2A26CF7F79 Subject: CN=VeriSign Class 3 Public Primary Certification Authority - G5; OU=VeriSign Trust Network, (c) 2006 VeriSign, Inc. - For authorized use only; O=VeriSign, Inc.; C=US Certificate Serial Number: 18DAD19E267DE8BB4A2158CDCC6B3B4A SHA-1 Fingerprint: 4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5 SHA-256 Fingerprint: 9ACFAB7E43C8D880D06B262A94DEEEE4B4659989C3D0CAF19BAF6405E41AB7DF Depends on D79365 [606157f404c2] * lib/ckfw/builtins/certdata.txt: Bug 1618402 - Remove VeriSign CA and associated EgyptTrust distrust entries r=KathleenWilson,kjacobs Remove the VeriSign Class 3 Public Primary Certification Authority - G3 CA: Subject: CN=VeriSign Class 3 Public Primary Certification Authority - G3; OU=VeriSign Trust Network, (c) 1999 VeriSign, Inc. - For authorized use only; O=VeriSign, Inc.; C=US Certificate Serial Number: 009B7E0649A33E62B9D5EE90487129EF57 SHA-1 Fingerprint: 132D0D45534B6997CDB2D5C339E25576609B5CC6 SHA-256 Fingerprint: EB04CF5EB1F39AFA762F2BB120F296CBA520C1B97DB1589565B81CB9A17B7244 Because of the removal of VeriSign Class 3 Public Primary Certification Authority - G3, these knock-out entries, signed by that CA, should be removed: cert 1: Serial Number:4c:00:36:1b:e5:08:2b:a9:aa:ce:74:0a:05:3e:fb:34 Subject: CN=Egypt Trust Class 3 Managed PKI Enterprise Administrator CA,OU=Terms of use at https://www.egypttrust.com/epository/rpa (c)08,OU=VeriSign Trust Network,O=Egypt Trust,C=EG Not Valid Before: Sun May 18 00:00:00 2008 Not Valid After : Thu May 17 23:59:59 2018 Fingerprint (MD5): A7:91:05:96:B1:56:01:26:4E:BF:80:80:08:86:1B:4D Fingerprint (SHA1): 6A:2C:5C:B0:94:D5:E0:B7:57:FB:0F:58:42:AA:C8:13:A5:80:2F:E1 cert 2: Serial Number:3e:0c:9e:87:69:aa:95:5c:ea:23:d8:45:9e:d4:5b:51 Subject: CN=Egypt Trust Class 3 Managed PKI Operational Administrator CA,OU=Terms of use at https://www.egypttrust.com/epository/rpa (c)08,OU=VeriSign Trust Network,O=Egypt Trust,C=EG Not Valid Before: Sun May 18 00:00:00 2008 Not Valid After : Thu May 17 23:59:59 2018 Fingerprint (MD5): D0:C3:71:17:3E:39:80:C6:50:4F:04:22:DF:40:E1:34 Fingerprint (SHA1): 9C:65:5E:D5:FA:E3:B8:96:4D:89:72:F6:3A:63:53:59:3F:5E:B4:4E cert 3: Issuer: CN=VeriSign Class 3 Public Primary Certification Authority - G3,OU="(c) 1999 VeriSign, Inc. - For authorized use nly",OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US Serial Number:12:bd:26:a2:ae:33:c0:7f:24:7b:6a:58:69:f2:0a:76 Subject: CN=Egypt Trust Class 3 Managed PKI SCO Administrator CA,OU=Terms of use at https://www.egypttrust.com/repository/rpa c)08,OU=VeriSign Trust Network,O=Egypt Trust,C=EG Not Valid Before: Sun May 18 00:00:00 2008 Not Valid After : Thu May 17 23:59:59 2018 Fingerprint (MD5): C2:13:5E:B2:67:8A:5C:F7:91:EF:8F:29:0F:9B:77:6E Fingerprint (SHA1): 83:23:F1:4F:BC:9F:9B:80:B7:9D:ED:14:CD:01:57:CD:FB:08:95:D2 Depends on D79364 [8cd8fd97f0e7] * lib/ckfw/builtins/certdata.txt: Bug 1618402 - Remove Symantec and VeriSign roots r=KathleenWilson,kjacobs Remove the following root certs: Subject: CN=Symantec Class 2 Public Primary Certification Authority - G4; OU=Symantec Trust Network; O=Symantec Corporation; C=US Certificate Serial Number: 34176512403BB756802D80CB7955A61E SHA-1 Fingerprint: 6724902E4801B02296401046B4B1672CA975FD2B SHA-256 Fingerprint: FE863D0822FE7A2353FA484D5924E875656D3DC9FB58771F6F616F9D571BC592 Subject: CN=Symantec Class 1 Public Primary Certification Authority - G4; OU=Symantec Trust Network; O=Symantec Corporation; C=US Certificate Serial Number: 216E33A5CBD388A46F2907B4273CC4D8 SHA-1 Fingerprint: 84F2E3DD83133EA91D19527F02D729BFC15FE667 SHA-256 Fingerprint: 363F3C849EAB03B0A2A0F636D7B86D04D3AC7FCFE26A0A9121AB9795F6E176DF [06e27f62d77b] 2020-06-15 Mike Hommey <mh@glandium.org> * lib/freebl/Makefile, lib/freebl/manifest.mn: Bug 1642146 - Move seed.o back into freeblpriv3. r=bbeurdouche [f46fca8ced7f] Differential Revision: https://phabricator.services.mozilla.com/D79905	2020-06-17 16:10:17 +00:00
Kevin Jacobs	e9ae922ddc	Bug 1642687 - land NSS cbf75aedf480 UPGRADE_NSS_RELEASE, r=jcj ... 2020-06-12 Kevin Jacobs <kjacobs@mozilla.com> * cmd/lib/secutil.c: Bug 1645479 - Use SECITEM_CopyItem instead of SECITEM_MakeItem in secutil.c. r=jcj This patch converts a call to `SECITEM_MakeItem` to use `SECITEM_CopyItem` instead. Using the former works fine in NSS CI, but causes build failures in mozilla-central due to differences in how both symbols are exported (i.e. when folding nssutil into nss). [cbf75aedf480] [tip] 2020-06-11 Kevin Jacobs <kjacobs@mozilla.com> * gtests/ssl_gtest/libssl_internals.c, gtests/ssl_gtest/ssl_resumption_unittest.cc: Bug 1644774 - Use ClearServerCache instead of SSLInt_ClearSelfEncryptKey for ticket invalidation. r=mt [7b2413d80ce3] 2020-06-10 Kevin Jacobs <kjacobs@mozilla.com> * cmd/lib/basicutil.c, cmd/lib/secutil.c, cmd/lib/secutil.h, cmd/selfserv/selfserv.c, cmd/tstclnt/tstclnt.c, lib/ssl/tls13psk.c: Bug 1603042 - Support external PSKs in tstclnt/selfserv. r=jcj This patch adds support for TLS 1.3 external PSKs in tstclnt and selfserv with the `-z` option. Command examples: - `selfserv -D -p 4443 -d . -n localhost.localdomain -w nss -V tls1.3: -H 1 -z 0xAAAAAAAABBBBBBBBCCCCCCCCDDDDDDDD[:label] -m` - `tstclnt -h 127.0.0.1 -p 4443 -z 0xAAAAAAAABBBBBBBBCCCCCCCCDDDDDDDD[:label] -d . -w nss` For OpenSSL interop: - `openssl s_server -nocert -port 4433 -psk AAAAAAAABBBBBBBBCCCCCCCCDDDDDDDD [-psk_identity label]` Note: If the optional label is omitted, both NSS tools and OpenSSL default to "Client_identity". [c1b1112af415] 2020-06-09 Kevin Jacobs <kjacobs@mozilla.com> * lib/ssl/tls13con.c: Bug 1642638 - Don't assert sid ciphersuite to be defined in fuzzer mode. r=mt [238bd7912429] 2020-06-08 Kevin Jacobs <kjacobs@mozilla.com> * lib/freebl/freebl.gyp, lib/freebl/freebl_base.gypi: Bug 1642802 - Win64 GYP builds to use HACL* curve25519. r=bbeurdouche This patch causes Windows 64-bit GYP builds to use HACL* curve25519 rather than the 32-bit (fiat-crypto) implementation. For non-clang/GCC Win64 builds, we define `KRML_VERIFIED_UINT128` to workaround an upstream bug that breaks Win32 builds by selecting a 64-bit `__int128` implementation (in types.h). For clang/GCC builds, using the compiler-provided type yields a ~5x speedup on Win64. [566fa62d6522] 2020-06-05 Jeff Walden <jwalden@mit.edu> * lib/pk11wrap/pk11cert.c, lib/pk11wrap/pk11kea.c, lib/pk11wrap/pk11merge.c, lib/pk11wrap/pk11nobj.c, lib/pk11wrap/pk11obj.c, lib/pk11wrap/pk11skey.c, lib/pk11wrap/secmodi.h: Bug 1643557 - Make pk11_FindObjectByTemplate accept a size_t count rather than a signed type to avoid internal signed-unsigned comparison warnings. r=kjacobs Depends on D78454 [5ee293d1a282] * lib/pk11wrap/pk11skey.c: Bug 1643557 - Make PK11_SetWrapKey explicitly handle being passed a negative wrap argument, to avoid a signed-unsigned comparison. r=kjacobs Depends on D78453 [7bb3677a2ed0] * lib/pk11wrap/pk11akey.c, lib/pk11wrap/pk11cert.c, lib/pk11wrap/pk11obj.c, lib/pk11wrap/secmodi.h: Bug 1643557 - Change the type of the size argument to pk11_FindObjectsByTemplate to be size_t, consistent with the type of some (small) numeric values passed to it after the previous revision. r=kjacobs Depends on D78452 [eaf223c2646a] * lib/pk11wrap/pk11slot.c: Bug 1643557 - Use size_t for various counts in pk11slot.c. r=kjacobs Depends on D78451 [465a7954ce0a] * lib/pk11wrap/pk11priv.h, lib/pk11wrap/pk11slot.c: Bug 1643557 - Make pk11_MatchString accept a size_t length rather than an int length (consistent with all callers), and reformulate its internals to avoid a signed-unsigned comparison. r=kjacobs Depends on D78450 [fff8c883ef7d] * lib/pk11wrap/pk11skey.c, lib/ssl/sslsnce.c, lib/util/secport.h: Bug 1643557 - Add PORT_AssertNotReached and use it instead of PORT_Assert(!"str"), which may warn about vacuous string literal to boolean conversions. r=kjacobs Depends on D78449 [c0aa47eb2fdd] * lib/util/secoid.c: Bug 1643557 - Use SECOidTag as the type of a loop variable over all values of that type to avoid a signed-unsigned comparison warning. r=kjacobs Depends on D78448 [d7f1e9975e67] * lib/util/utilpars.c: Bug 1643557 - Use size_t for a parameter-indexing variable to eliminate a signed-unsigned comparison warning. r=kjacobs Depends on D78447 [5d7206908ca7] * lib/freebl/rsapkcs.c: Bug 1643557 - Used unsigned int for two for-loops upper-bounded by unsigned ints in rsa_FormatOneBlock. r=kjacobs Depends on D78446 [ed9a1a41ca1e] * lib/pk11wrap/debug_module.c: Bug 1643557 - Use unsigned int for log level, consistent with PRLogModuleLevel. r=kjacobs [7f89fa701ce3] Differential Revision: https://phabricator.services.mozilla.com/D79566	2020-06-12 23:42:37 +00:00
Kevin Jacobs	7c45f2a0f0	Bug 1642687 - land NSS d211f3013abb UPGRADE_NSS_RELEASE, r=jcj ... 2020-06-01 Kevin Jacobs <kjacobs@mozilla.com> * coreconf/config.gypi, lib/freebl/Makefile, lib/freebl/blinit.c, lib/freebl/freebl.gyp, lib/freebl/sha256-armv8.c, lib/freebl/sha256.h, lib/freebl/sha512.c, mach: Bug 1528113 - Use ARM's crypto extension for SHA256 [ea54fd986036] 2020-04-08 Kevin Jacobs <kjacobs@mozilla.com> * automation/abi-check/expected-report-libssl3.so.txt, gtests/ssl_gtest/libssl_internals.c, gtests/ssl_gtest/libssl_internals.h, gtests/ssl_gtest/manifest.mn, gtests/ssl_gtest/ssl_0rtt_unittest.cc, gtests/ssl_gtest/ssl_extension_unittest.cc, gtests/ssl_gtest/ssl_gtest.gyp, gtests/ssl_gtest/tls_agent.cc, gtests/ssl_gtest/tls_agent.h, gtests/ssl_gtest/tls_connect.cc, gtests/ssl_gtest/tls_connect.h, gtests/ssl_gtest/tls_psk_unittest.cc, lib/ssl/manifest.mn, lib/ssl/ssl.gyp, lib/ssl/ssl3con.c, lib/ssl/ssl3ext.c, lib/ssl/ssl3ext.h, lib/ssl/sslerr.h, lib/ssl/sslexp.h, lib/ssl/sslimpl.h, lib/ssl/sslinfo.c, lib/ssl/sslsecur.c, lib/ssl/sslsock.c, lib/ssl/sslt.h, lib/ssl/tls13con.c, lib/ssl/tls13con.h, lib/ssl/tls13exthandle.c, lib/ssl/tls13psk.c, lib/ssl/tls13psk.h, lib/ssl/tls13replay.c: Bug 1603042 - TLS 1.3 out-of-band PSK support [a448d7919077] 2020-06-01 Makoto Kato <m_kato@ga2.so-net.ne.jp> * coreconf/config.gypi, lib/freebl/Makefile, lib/freebl/blinit.c, lib/freebl/freebl.gyp, lib/freebl/sha256-armv8.c, lib/freebl/sha256.h, lib/freebl/sha512.c: Bug 1528113 - Use ARM's crypto extension for SHA256 r=kjacobs ARMv8 CPU has accelerated hardware instruction for SHA256 that supports GCC 4.9+. We should use it if available. [61c83f79e90c] 2020-06-02 Kevin Jacobs <kjacobs@mozilla.com> * automation/abi-check/expected-report-libssl3.so.txt, gtests/ssl_gtest/libssl_internals.c, gtests/ssl_gtest/libssl_internals.h, gtests/ssl_gtest/manifest.mn, gtests/ssl_gtest/ssl_0rtt_unittest.cc, gtests/ssl_gtest/ssl_extension_unittest.cc, gtests/ssl_gtest/ssl_gtest.gyp, gtests/ssl_gtest/tls_agent.cc, gtests/ssl_gtest/tls_agent.h, gtests/ssl_gtest/tls_connect.cc, gtests/ssl_gtest/tls_connect.h, gtests/ssl_gtest/tls_psk_unittest.cc, lib/ssl/manifest.mn, lib/ssl/ssl.gyp, lib/ssl/ssl3con.c, lib/ssl/ssl3ext.c, lib/ssl/ssl3ext.h, lib/ssl/sslerr.h, lib/ssl/sslexp.h, lib/ssl/sslimpl.h, lib/ssl/sslinfo.c, lib/ssl/sslsecur.c, lib/ssl/sslsock.c, lib/ssl/sslt.h, lib/ssl/tls13con.c, lib/ssl/tls13con.h, lib/ssl/tls13exthandle.c, lib/ssl/tls13psk.c, lib/ssl/tls13psk.h, lib/ssl/tls13replay.c: Bug 1603042 - TLS 1.3 out-of-band PSK support r=mt This patch adds support for External (out-of-band) PSKs in TLS 1.3. An External PSK (EPSK) can be set by calling `SSL_AddExternalPsk`, and removed with `SSL_RemoveExternalPsk`. `SSL_AddExternalPsk0Rtt` can be used to add a PSK while also specifying a suite and max_early_data_size for use with 0-RTT. As part of handling PSKs more generically, the patch also changes how resumption PSKs are handled internally, so as to rely on the same mechanisms where possible. A socket is currently limited to only one External PSK at a time. If the server doesn't find the same identity for the configured EPSK, it will fall back to certificate authentication. [a2293e897889] * lib/freebl/mpi/mplogic.c: cast in LZCNTLOOP [96e65b2e9531] * lib/freebl/freebl.gyp: Use KRML_VERIFIED_UINT128 on MSVC builds [abd50c862bdb] 2020-06-03 Kevin Jacobs <kjacobs@mozilla.com> * gtests/ssl_gtest/ssl_exporter_unittest.cc, lib/ssl/sslinfo.c, lib/ssl/tls13con.c: Bug 1643123 - Allow External PSKs to be used with Early Export [46ef0c025cfc] 2020-06-02 Sylvestre Ledru <sledru@mozilla.com> * lib/ssl/tls13con.c: Bug 1642809 - Fix an assert (we need a comparison, not assignment) r=kjacobs [d0789cb32d8e] 2020-06-03 Mike Hommey <mh@glandium.org> * cmd/shlibsign/Makefile: Bug 1642153 - Avoid infinite recursion when CHECKLOC is not set. r=jcj [e955ece90b05] 2020-06-03 Martin Thomson <mt@lowentropy.net> * gtests/ssl_gtest/ssl_auth_unittest.cc, gtests/ssl_gtest/ssl_resumption_unittest.cc, lib/ssl/tls13con.c: Bug 1642871 - Allow tickets and PHA after resumption, r=kjacobs The first part of this is fairly simple: we accidentally disabled sending of session tickets after resumption. The second part is much less obvious, because the spec is unclear. This change takes the interpretation that it is OK to use post- handshake authentication if the handshake is resumed, but not OK if the handshake is based on a PSK. (This is based on a first- principles understanding of resumption being a continuation of a certificate-based connection rather than a reading of the spec, see the bug for why the spec appears to be unhelpful on this point.) This still prohibits the use of post-handshake authentication if an external PSK was used, but that is more an abundance of caution than anything principled. [e9502f71b7fe] 2020-06-04 Kevin Jacobs <kjacobs@mozilla.com> * gtests/ssl_gtest/ssl_exporter_unittest.cc, lib/ssl/sslinfo.c, lib/ssl/tls13con.c: Bug 1643123 - Allow External PSKs to be used with Early Export r=mt This patch adjusts `tls13_exporter` to pull the hash algorithm from the first PSK when a suite is not configured yet, which allows early export with external PSKs. [d211f3013abb] Differential Revision: https://phabricator.services.mozilla.com/D78578	2020-06-06 00:20:11 +00:00
Kevin Jacobs	24b7b9ddd6	Bug 1636656 - land NSS c7a1c91cd9be UPGRADE_NSS_RELEASE, r=jcj ... 2020-05-22 J.C. Jones <jjones@mozilla.com> * lib/freebl/altivec-types.h, lib/freebl/ppc-crypto.h: Bug 1629414 - Guard USE_PPC_CRYPTO and VSX types with __VSX__ and __ALTIVEC__ r=kjacobs This avoids build errors on non-VSX architectures even when not compiling the POWER accelerated code. [c7a1c91cd9be] [tip] 2020-05-21 Jeff Walden <jwalden@mit.edu> * lib/freebl/aes-x86.c: Bug 1639033 - Use unsigned int for a loop counter to eliminate a signed-unsigned comparison warning in aes-x86.c. r=kjacobs Depends on D75847 [e23fe363fa05] * lib/freebl/ec.c: Bug 1639033 - Used unsigned int instead of int in a few places in ec.c to eliminate signed-unsigned comparison warnings. r=kjacobs Depends on D75846 [0d778b0e778f] * lib/freebl/cmac.c: Bug 1639033 - Use unsigned int rather than int for two variables to eliminate a bunch of signed-unsigned comparison warnings. r=kjacobs Depends on D75845 [df5c8f6430a0] * lib/freebl/mpi/mplogic.c, lib/freebl/mpi/mplogic.h: Bug 1639033 - Use unsigned int for various count variables in mplogic.c to eliminate signed-unsigned comparison warnings. r=kjacobs Depends on D75844 [ce5b8b7e010c] * lib/freebl/aeskeywrap.c: Bug 1639033 - Use size_t for loops up to sizeof(T) in aeskeywrap.c to eliminate some signed-comparison warnings. r=kjacobs Depends on D75843 [563a7cd7484b] * lib/softoken/pkcs11i.h, lib/softoken/sftkike.c: Bug 1639033 - Change +sftk_xcbc_mac_pad's block-size argument to be unsigned int to avoid sign-comparison warnings. r=kjacobs Depends on D75842 [a5f80d0805ca] 2020-05-22 Jeff Walden <jwalden@mit.edu> * lib/jar/jar.c: Bug 1639033 - Use the jarType enum type, not int, for certain variables and arguments in jar.c -- for greater precision, and to avoid sign-comparison warnings. r=kjacobs Depends on D75841 [e65dd5c2cf86] 2020-05-19 Jeff Walden <jwalden@mit.edu> * lib/softoken/pkcs11.c, lib/softoken/pkcs11i.h: Bug 1639033 - Make all |moduleIndex| variables in pkcs11.c be unsigned, to eliminate a -Wsign-compare warning. r=kjacobs Depends on D75840 [6512178a58f5] * cmd/lib/basicutil.c: Bug 1639033 - Fix signed-unsigned comparison warning in basicutil.c. r=kjacobs [98390eef50a1] 2020-05-22 Martin Thomson <mt@lowentropy.net> * lib/ssl/sslencode.c: Bug 1640041 - Don't memcpy nothing, r=jcj Depends on D76421 [8d7c96ab80a7] * lib/ssl/sslsock.c: Bug 1640042 - Don't memcpy nothing, r=jcj [1a634da46b87] * gtests/ssl_gtest/ssl_0rtt_unittest.cc, gtests/ssl_gtest/ssl_recordsep_unittest.cc, gtests/ssl_gtest/tls_connect.cc, lib/ssl/ssl.h, lib/ssl/ssl3gthr.c, lib/ssl/sslimpl.h, lib/ssl/sslsock.c, lib/ssl/tls13con.c: Bug 1639413 - Option to disable TLS 1.3 EndOfEarlyData message, r=kjacobs This adds the ability to disable EndOfEarlyData. On the client this is relatively simple, you just turn the message off. The server is complicated because the server uses this to drive the installation of the right keys. Without it, things get very messy. Thus, I have decided that this is best left to the SSL_RecordLayerData interface. That needs an ugly hack in order to let the new data to pass, but the damage is otherwise relatively minor, apart from one obvious thing. We never really built the SSL_RecordLayerData API to take application data. It only did that to support testing of the functions. Now that we have to deal with this new wrinkle, adding support for 0-RTT is necessary. This change does that. That requires a barrage of new checks to see if application data is acceptable. And then early data is captured in a completely different way, which adds another layer of awfulness. Note that this exposes us to the possibility that Certificate or Finished are received in early data when using SSL_RecordLayerData and this option. I don't think that fixing that is worthwhile as it requires tracking the epoch of handshake messages separate to ss->ssl3.crSpec and the epoch only really exists on that API so that applications don't accidentally do bad things. In QUIC, we specifically block handshake messages in early data, so we have ample protection. [10325739e149] Differential Revision: https://phabricator.services.mozilla.com/D76572	2020-05-23 01:13:19 +00:00
J.C. Jones	18fcf86435	Bug 1636656 - land NSS 527a1792be4e UPGRADE_NSS_RELEASE, r=kjacobs ... 2020-05-20 Benjamin Beurdouche <bbeurdouche@mozilla.com> * lib/freebl/freebl_base.gypi: Bug 1638289 - Fix multiple definitions of SHA2 on ppc64le. r=kjacobs [527a1792be4e] [tip] Differential Revision: https://phabricator.services.mozilla.com/D76415	2020-05-22 00:48:57 +00:00
J.C. Jones	02cb9eb00d	Bug 1636656 - land NSS daa823a4a29b UPGRADE_NSS_RELEASE, r=kjacobs ... 2020-05-19 Robert Relyea <rrelyea@redhat.com> * lib/freebl/dsa.c: Bug 1631576 - Force a fixed length for DSA exponentiation r=pereida,bbrumley [daa823a4a29b] [tip] 2020-05-14 Benjamin Beurdouche <bbeurdouche@mozilla.com> * lib/freebl/Makefile, lib/freebl/deprecated/seed.c, lib/freebl/deprecated/seed.h, lib/freebl/freebl.gyp, lib/freebl/freebl_base.gypi, lib/freebl/seed.c, lib/freebl/seed.h: Bug 1636389 - Relocate deprecated seed algorithm. r=kjacobs [d2cfb4ccdf16] 2020-05-14 Jan-Marek Glogowski <glogow@fbihome.de> * automation/taskcluster/scripts/split.sh, lib/Makefile, lib/manifest.mn: Bug 1637083 fix the lib dependencies for the split build r=jcj,rrelyea This build can be tested by running NSS_BUILD_MODULAR=1 nss/automation/taskcluster/scripts/build.sh from a directory containing the nss and nspr repositories. To make this build's make conditionals easier to handle, it also merges the manifest.mn into the Makefile, because parts of the conditionals depends on $(OS_ARCH) setting. In the end, the goal is just to set the correct build $(DIRS). This also drops the freebl dependeny of ssl, which seems not to be needed, even if it's declared in /lib/ssl/ssl.gyp. [789d7241e1f0] 2020-05-13 Jan-Marek Glogowski <glogow@fbihome.de> * coreconf/rules.mk, lib/ckfw/builtins/manifest.mn, lib/ckfw/manifest.mn, manifest.mn: Bug 1637083 Replace pre-dependency with shell hack r=rrelyea Originally I tried multiple variants using make's conditionals to limit DIRS and enforce building the parent directory before the sub- directory. None of them worked for me, most resulting in an infinite recursion, so I used the current pre-depends workaround to fulfill the real dependency. Now I remembered that automake can handle this case for SUBDIRS specifying "." as a directory. The generated Makefile handles it via shell scripting; not nice, but it works. So this gets rid of the workaround, replacing it with a small shell test. [744881490c78] Differential Revision: https://phabricator.services.mozilla.com/D76050	2020-05-19 21:55:59 +00:00
J.C. Jones	638a597baa	Bug 1636656 - land NSS e3444f4cc638 UPGRADE_NSS_RELEASE, ... Differential Revision: https://phabricator.services.mozilla.com/D74716	2020-05-11 18:20:52 +00:00
Kevin Jacobs	a1a7ac61e5	Bug 1629594 - land NSS NSS_3_52_BETA2 UPGRADE_NSS_RELEASE, r=jcj ... 2020-04-30 zhujianwei7 <zhujianwei7@huawei.com> * lib/smime/cmssigdata.c: Bug 1630925 - Guard all instances of NSSCMSSignedData.signerInfos r=kjacobs [bb4462a16de8] [NSS_3_52_BETA2] 2020-04-30 Kevin Jacobs <kjacobs@mozilla.com> * gtests/pk11_gtest/pk11_seed_cbc_unittest.cc, lib/freebl/seed.c, lib/freebl/seed.h: Bug 1619959 - Properly handle multi-block SEED ECB inputs. r=bbeurdouche,jcj [d67517e92371] 2020-04-28 Kevin Jacobs <kjacobs@mozilla.com> * .hgtags: Added tag NSS_3_52_BETA1 for changeset 0b30eb1c3650 [11415c3334ab] 2020-04-24 Robert Relyea <rrelyea@redhat.com> * lib/libpkix/pkix_pl_nss/pki/pkix_pl_cert.c: Bug 1571677 Name Constraints validation: CN treated as DNS name even when syntactically invalid as DNS name r=mt This patch makes libpkix treat name contraints the same the NSS cert verifier. This proposal available for review for 9 months without objection. Time to make this official [0b30eb1c3650] [NSS_3_52_BETA1] 2020-04-27 Edouard Oger <eoger@fastmail.com> * lib/freebl/blinit.c: Bug 1633498 - Do not define getauxval on iOS targets. r=jcj [7b5e3b9fbc7d] 2020-04-27 Robert Relyea <rrelyea@redhat.com> * lib/softoken/sftkike.c: Bug 1629663 NSS missing IKEv1 Quick Mode KDF prf r=kjacobs Fix possible free before alloc error found by kjacobs [7f91e3dcfb9b] 2020-04-20 Robert Relyea <rrelyea@redhat.com> * lib/softoken/pkcs11.c, lib/softoken/pkcs11c.c, lib/softoken/pkcs11i.h, lib/softoken/sftkike.c, lib/util/pkcs11n.h: Bug 1629663 NSS missing IKEv1 Quick Mode KDF prf r=kjacobs We found another KDF function in libreswan that is not using the NSS KDF API. Unfortunately, it seems the existing IKE KDF's in NSS are not usable for the Quick Mode use. The libreswan code is in compute_proto_keymat() and the specification is in https://tools.ietf.org/html/rfc2409#section-5.5 It needs: KEYMAT = prf(SKEYID_d, [g(qm)^xy ] | protocol | SPI | Ni_b | Nr_b). which an be thought of as: KEYMAT = prf(KEY, [KEY] | BYTES) but with the kicker that it also does multiple rounds aka key expansion: KEYMAT = K1 | K2 | K3 | ... where K1 = prf(KEY, [KEY] | BYTES) K2 = prf(KEY, K1 | [KEY] | BYTES) K3 = prf(KEY, K1 | [KEY] | BYTES) etc. to generate the needed keying material >PRF size This patch implements this by extendind the Appendix B Mechanism to take and optional key and data in a new Mechanism parameter structure. Which flavor is used (old CK_MECHANISM_TYPE or the new parameter) is determined by the mechanism parameter lengths. Application which try to use this new feature on old versions of NSS will get an error (rather than invalid data). [225bb39eade1] Differential Revision: https://phabricator.services.mozilla.com/D73383	2020-05-01 01:54:56 +00:00
Kevin Jacobs	e4e3559e1b	Bug 1629594 - land NSS aae226c20dfd UPGRADE_NSS_RELEASE, r=jcj ... 2020-04-24 Kevin Jacobs <kjacobs@mozilla.com> * automation/abi-check/expected-report-libnss3.so.txt, gtests/softoken_gtest/softoken_gtest.cc, lib/nss/nss.def, lib/pk11wrap/pk11obj.c, lib/pk11wrap/pk11pub.h, lib/softoken/sdb.c: Bug 1612881 - Maintain PKCS11 C_GetAttributeValue semantics on attributes that lack NSS database columns r=keeler,rrelyea `sdb_GetAttributeValueNoLock` builds a query string from a list of attributes in the input template. Unfortunately, `sqlite3_prepare_v2` will fail the entire query if one of the attributes is missing from the underlying table. The PKCS #11 spec [[ https://www.cryptsoft.com/pkcs11doc/v220/pkcs11__all_8h.html#aC_G etAttributeValue | requires ]] setting the output `ulValueLen` field to -1 for such invalid attributes. This patch reads and stores the columns of nssPublic/nssPrivate when opened, then filters an input template in `sdb_GetAttributeValueNoLock` for unbacked/invalid attributes, removing them from the query and setting their template output lengths to -1. [aae226c20dfd] [tip] 2020-04-23 Kevin Jacobs <kjacobs@mozilla.com> * lib/ssl/sslnonce.c: Bug 1531906 - Relax ssl3_SetSIDSessionTicket assertions to permit valid, evicted or externally-cached sids. r=mt This patch relaxes an overzealous assertion for the case where: 1) Two sockets start connections with a shared SID. 2) One receives an empty session ticket in the SH, and evicts the SID from cache. 3) The second socket receives a new session ticket, and attempts to set it in the SID. We currently assert that the sid is `in_client_cache` at 3), but clearly it cannot be. The outstanding reference remains valid despite the eviction. This also solves a related assertion failure after https://hg.mozilla.org/mozilla-central/rev/c5a8b641d905 where the same scenario occurs, but instead of being `in_client_cache` or evicted, the SID is `in_external_cache`. [a68de0859582] 2020-04-16 Robert Relyea <rrelyea@redhat.com> * gtests/common/testvectors/kwp-vectors.h, gtests/pk11_gtest/manifest.mn, gtests/pk11_gtest/pk11_aeskeywrapkwp_unittest.cc, gtests/pk11_gtest/pk11_gtest.gyp, lib/freebl/aeskeywrap.c, lib/freebl/blapi.h, lib/freebl/blapit.h, lib/freebl/hmacct.c, lib/freebl/ldvector.c, lib/freebl/loader.c, lib/freebl/loader.h, lib/pk11wrap/pk11mech.c, lib/softoken/lowpbe.c, lib/softoken/pkcs11.c, lib/softoken/pkcs11c.c, lib/softoken/pkcs11i.h, lib/softoken/pkcs11u.c, lib/ssl/ssl3con.c, lib/util/secport.h: Bug 1630721 Softoken Functions for FIPS missing r=mt For FIPS we need the following: 1. NIST official Key padding for AES Key Wrap. 2. Combined Hash/Sign mechanisms for DSA and ECDSA. In the first case our AES_KEY_WRAP_PAD function addes pkcs8 padding to the normal AES_KEY_WRAP, which is a different algorithm then the padded key wrap specified by NIST. PKCS #11 recognized this and created a special mechanism to handle NIST padding. That is why we don't have industry test vectors for CKM_NSS_AES_KEY_WRAP_PAD. This patch implements that NIST version (while maintaining our own). Also PKCS #11 v3.0 specified PKCS #11 mechanism for AES_KEY_WRAP which are compatible (semantically) with the NSS vendor specific versions, but with non-vendor specific numbers. Softoken now accepts both numbers. This patch also updates softoken to handle DSA and ECDSA combined hash algorithms other than just SHA1 (which is no longer validated). Finally this patch uses the NIST KWP test vectors in new gtests for the AES_KEY_WRAP_KWP wrapping algorithm. As part of the AES_KEY_WRAP_KWP code, the Constant time macros have been generalized and moved to secport. Old macros scattered throughout the code have been deleted and existing contant time code has been updated to use the new macros. [3682d5ef3db5] 2020-04-21 Lauri Kasanen <cand@gmx.com> * lib/freebl/Makefile, lib/freebl/freebl.gyp, lib/freebl/freebl_base.gypi, lib/freebl/gcm.h, lib/freebl/ppc- crypto.h, lib/freebl/scripts/LICENSE, lib/freebl/scripts/gen.sh, lib/freebl/scripts/ppc-xlate.pl, lib/freebl/scripts/sha512p8-ppc.pl, lib/freebl/sha512-p8.s, lib/freebl/sha512.c: Bug 1613238 - POWER SHA-2 digest vector acceleration. r=jcj,kjacobs [2d66bd9dcad4] 2020-04-18 Robert Relyea <rrelyea@redhat.com> * coreconf/Linux.mk, coreconf/config.gypi, lib/softoken/sdb.c: Bug 1603801 [patch] Avoid dcache pollution from sdb_measureAccess() r=mt As implemented, when sdb_measureAccess() runs it creates up to 10,000 negative dcache entries (cached nonexistent filenames). There is no advantage to leaving these particular filenames in the cache; they will never be searched again. Subsequent runs will run a new test with an intentionally different set of filenames. This can have detrimental effects on some systems; a massive negative dcache can lead to memory or performance problems. Since not all platforms have a problem with negative dcache entries, this patch is limitted to those platforms that request it at compilie time (Linux is current the only patch that does.) [928721f70164] 2020-04-16 Kevin Jacobs <kjacobs@mozilla.com> * coreconf/config.gypi: Bug 1630458 - Produce debug symbols in GYP/MSVC debug builds. r=mt [25006e23a777] 2020-04-13 Robert Relyea <rrelyea@redhat.com> * lib/ckfw/object.c, lib/ckfw/session.c: Bug 1629655 ckfw needs to support temporary session objects. r=kjacobs libckfw needs to create temporary objects whose space will to be freed after use (rather than at token shutdown). Currently only token objects are supported and they are allocated out of a global arena owned by the slot, so the objects only go away when the slot is closed. This patch sets the arena to NULL in nssCKFWObject_Create() if the object is a session object. This tells nssCKFWObject_Create() to create a new arena specifically for this object. That arena is stored in localArena. When the object is destroyed, any localArena's will be freed. [808ec0e6fd77] 2020-04-14 Robert Relyea <rrelyea@redhat.com> * cmd/selfserv/selfserv.c, lib/ssl/sslsnce.c, tests/ssl/ssl.sh: Bug 1629661 MPConfig calls in SSL initializes policy before NSS is initialized. r=mt NSS has several config functions that multiprocess servers must call before NSS is initialized to set up shared memory caches between the processes. These functions call ssl_init(), which initializes the ssl policy. The ssl policy initialization, however needs to happen after NSS itself is initialized. Doing so before hand causes (in the best case) policy to be ignored by these servers, and crashes (in the worst case). Instead, these cache functions should just initialize those things it needs (that is the NSPR ssl error codes). This patch does: 1) fixes the cache init code to only initialize error codes. 2) fixes the selfserv MP code to 1) be compatible with ssl.sh's selfserv management (at least on Unix), and 2) mimic the way real servers handle the MP_Cache init code (calling NSS_Init after the cache set up). 3) update ssl.sh server policy test to test policy usage on an MP server. This is only done for non-windows like OS's because they can't catch the kill signal to force their children to shutdown. I've verified that the test fails if 2 and 3 are included but 1 is not (and succeeds if all three are included). [a252957a3805] Differential Revision: https://phabricator.services.mozilla.com/D72409	2020-04-27 16:56:13 +00:00
Kevin Jacobs	7d42f279f2	Bug 1629594 - land NSS 50dcc34d470d UPGRADE_NSS_RELEASE, r=jcj ... 2020-04-13 Kevin Jacobs <kjacobs@mozilla.com> * lib/pk11wrap/debug_module.c, lib/pk11wrap/pk11load.c: Bug 1629105 - Update PKCS11 module debug logger for v3.0 r=rrelyea Differential Revision: https://phabricator.services.mozilla.com/D70582 [50dcc34d470d] [tip] 2020-04-07 Robert Relyea <rrelyea@redhat.com> * lib/ckfw/builtins/testlib/Makefile: Bug 1465613 Fix gmake issue create by the patch which adds ability to distrust certificates issued after a certain date for a specified root cert r=jcj I've been trying to run down an issue I've been having, and I think this bug is the source. Whenever I build ('gmake' build), I get the following untracted files: ? lib/ckfw/builtins/testlib/anchor.o ? lib/ckfw/builtins/testlib/bfind.o ? lib/ckfw/builtins/testlib/binst.o ? lib/ckfw/builtins/testlib/bobject.o ? lib/ckfw/builtins/testlib/bsession.o ? lib/ckfw/builtins/testlib/bslot.o ? lib/ckfw/builtins/testlib/btoken.o ? lib/ckfw/builtins/testlib/ckbiver.o ? lib/ckfw/builtins/testlib/constants.o This is because of the way lib/ckfw/builtins/testlib works, it uses the sources from the directory below, and explicitly reference them with ../{source_name}.c. The object file then becomes lib/ckfw/builtins/testlib/{OBJDIR}/../{source_name}.o. The simple fix would be to paper over the issue and just add these to .hgignore, but that would break our ability to build multiple platforms on a single source directory. I'll include a patch that fixes this issue. bob Differential Revision: https://phabricator.services.mozilla.com/D70077 [92058f185316] 2020-04-06 Robert Relyea <rrelyea@redhat.com> * automation/abi-check/expected-report-libnss3.so.txt, gtests/ssl_gtest/tls_hkdf_unittest.cc, lib/nss/nss.def, lib/pk11wrap/pk11pub.h, lib/pk11wrap/pk11skey.c, lib/ssl/sslprimitive.c, lib/ssl/tls13con.c, lib/ssl/tls13con.h, lib/ssl/tls13hkdf.c, lib/ssl/tls13replay.c, tests/ssl/ssl.sh: Bug 1561637 TLS 1.3 does not work in FIPS mode r=mt Part 2 of 2 Use the official PKCS #11 HKDF mechanism to implement tls 1.3. 1) The new mechanism is a single derive mechanism, so we no longer need to pick it based on the underlying hmac (Note, we still need to know the underlying hmac, which is passed in as a mechanism parameter). 2) Use the new keygen to generate CKK_HKDF keys rather than doing it by hand with the random number generator (never was really the best way of doing this). 3) modify tls13hkdf.c to use the new mechanisms: 1) Extract: use the new key handle in the mechanism parameters to pass the salt when the salt is a key handle. Extract: use the explicit NULL salt parameter if for the hash len salt of zeros. 2) Expand: Expand is mostly a helper function which takes a mechanism. For regular expand, the mechanism is the normal _Derive, for the Raw version its the _Data function. That creates a data object, which is extractable in FIPS mode. 4) update slot handling in tls13hkdf.c: 1) we need to make sure that the key and the salt key are in the same slot. Provide a PK11wrap function to make that guarrentee (and use that function in PK11_WrapKey, which already has to do the same function). 2) When importing a 'data' key for the zero key case, make sure we import into the salt key's slot. If there is no salt key, use PK11_GetBestSlot() rather than PK11_GetInternal slot. Differential Revision: https://phabricator.services.mozilla.com/D69899 [3d2b1738e064] 2020-04-06 Kevin Jacobs <kjacobs@mozilla.com> * gtests/common/testvectors/curve25519-vectors.h, gtests/common/testvectors/p256ecdh-vectors.h, gtests/common/testvectors/p384ecdh-vectors.h, gtests/common/testvectors/p521ecdh-vectors.h, gtests/common/testvectors/rsa_oaep_2048_sha1_mgf1sha1-vectors.h, gtests/common/testvectors/rsa_oaep_2048_sha256_mgf1sha1-vectors.h, gtests/common/testvectors/rsa_oaep_2048_sha256_mgf1sha256-vectors.h, gtests/common/testvectors/rsa_oaep_2048_sha384_mgf1sha1-vectors.h, gtests/common/testvectors/rsa_oaep_2048_sha384_mgf1sha384-vectors.h, gtests/common/testvectors/rsa_oaep_2048_sha512_mgf1sha1-vectors.h, gtests/common/testvectors/rsa_oaep_2048_sha512_mgf1sha512-vectors.h, gtests/common/testvectors/rsa_pkcs1_2048_test-vectors.h, gtests/common/testvectors/rsa_pkcs1_3072_test-vectors.h, gtests/common/testvectors/rsa_pkcs1_4096_test-vectors.h, gtests/common/testvectors/rsa_pss_2048_sha1_mgf1_20-vectors.h, gtests/common/testvectors/rsa_pss_2048_sha256_mgf1_0-vectors.h, gtests/common/testvectors/rsa_pss_2048_sha256_mgf1_32-vectors.h, gtests/common/testvectors/rsa_pss_3072_sha256_mgf1_32-vectors.h, gtests/common/testvectors/rsa_pss_4096_sha256_mgf1_32-vectors.h, gtests/common/testvectors/rsa_pss_4096_sha512_mgf1_32-vectors.h, gtests/common/testvectors/rsa_pss_misc-vectors.h, gtests/common/testvectors/rsa_signature-vectors.h, gtests/common/testvectors/rsa_signature_2048_sha224-vectors.h, gtests/common/testvectors/rsa_signature_2048_sha256-vectors.h, gtests/common/testvectors/rsa_signature_2048_sha512-vectors.h, gtests/common/testvectors/rsa_signature_3072_sha256-vectors.h, gtests/common/testvectors/rsa_signature_3072_sha384-vectors.h, gtests/common/testvectors/rsa_signature_3072_sha512-vectors.h, gtests/common/testvectors/rsa_signature_4096_sha384-vectors.h, gtests/common/testvectors/rsa_signature_4096_sha512-vectors.h, gtests/common/testvectors_base/rsa_signature-vectors_base.txt, gtests/common/testvectors_base/test-structs.h, gtests/common/wycheproof/genTestVectors.py, gtests/pk11_gtest/manifest.mn, gtests/pk11_gtest/pk11_gtest.gyp, gtests/pk11_gtest/pk11_rsaencrypt_unittest.cc, gtests/pk11_gtest/pk11_rsaoaep_unittest.cc, gtests/pk11_gtest/pk11_rsapkcs1_unittest.cc, gtests/pk11_gtest/pk11_rsapss_unittest.cc: Bug 1612260 - Add Wycheproof vectors for RSA PKCS1 and PSS signing, PKCS1 and OEAP decryption. r=bbeurdouche This patch updates the Wycheproof script to build RSA test vectors (covering PKCS1 decryption/verification, as well as PSS and OAEP) and adds the appropriate test drivers. Differential Revision: https://phabricator.services.mozilla.com/D69847 [469fd8633757] 2020-04-01 Kevin Jacobs <kjacobs@mozilla.com> * automation/taskcluster/docker-fuzz32/Dockerfile: Bug 1626751 - Add apt-transport-https & apt-utils to fuzz32 docker image r=jcj We already install these packages on the image_builder image itself. It seems they're now required on the fuzz32 image as well. Differential Revision: https://phabricator.services.mozilla.com/D69274 [c7a8195e3072] 2020-04-01 Giulio Benetti <giulio.benetti@benettiengineering.com> * lib/freebl/Makefile: Bug 1624864 - Don't force ARMv7 for gcm-arm32-neon r=jcj [858209235972] * coreconf/config.gypi, coreconf/config.mk, lib/freebl/Makefile, lib/freebl/freebl.gyp, lib/freebl/gcm.c: Bug 1620799 - Introduce NSS_DISABLE_ARM32_NEON r=jcj Only some Arm32 supports neon, so let's introduce NSS_DISABLE_ARM32_NEON to allow disabling Neon acceleration when building for Arm32. Signed-off-by: Giulio Benetti <giulio.benetti@benettiengineering.com> [b47b2c35aa64] 2020-04-01 Kevin Jacobs <kjacobs@mozilla.com> * automation/abi-check/expected-report-libnss3.so.txt, automation/abi- check/expected-report-libsoftokn3.so.txt, automation/abi-check /expected-report-libssl3.so.txt: Fixup ABI checks after libabigail update and Delegated Credentials backport. r=me [7f50f6ca7658] 2020-03-31 hajma <tropikhajma@gmail.com> * coreconf/SunOS5.mk: Bug 1625133 - Fix implicit declaration of function 'getopt' on SunOS r=jcj [744788dd18dc] 2020-03-30 Robert Relyea <rrelyea@redhat.com> * automation/abi-check/expected-report-libnss3.so.txt, gtests/pk11_gtest/pk11_hkdf_unittest.cc, lib/nss/nss.def, lib/pk11wrap/pk11mech.c, lib/pk11wrap/pk11obj.c, lib/pk11wrap/pk11pub.h, lib/softoken/pkcs11.c, lib/softoken/pkcs11c.c: Bug 1561637 TLS 1.3 does not work in FIPS mode Patch 1 of 2. This patch updates softoken and helper functions with the new PKCS #11 v3 HKDF, which handles all the correct key management so that we can work in FIPS mode 1) Salts can be passed in as data, as and explicit NULL (which per spec means a zero filled buffer of length of the underlying HMAC), or through a key handle 2) A Data object can be used as a key (explicitly allowed for this mechanism by the spec). 3) A special mechansism produces a data object rather than a key, the latter which can be exported. Softoken does not do the optional validation on the pInfo to verify that the requested values are supposed to be data rather than keys. Some other tokens may. The old hkdf mechanism has been retained for compatibility (well namely until patch 2 is created, tls is still using it). The hkdf function has been broken off into it's own function rather than inline in the derive function. Note: because the base key and/or the export key could really be a data object, our explicit handling of sensitive and extractable are adjusted to take into account that those flags do not exist in data objects. Differential Revision: https://phabricator.services.mozilla.com/D68940 [e0922aac5267] 2020-03-26 Hans Petter Jansson <hpj@cl.no> * cmd/lowhashtest/lowhashtest.c: Bug 1622555 - Fix lowhashtest argument parsing. r=kjacobs [f3c5ab41c972] 2020-03-26 Benjamin Beurdouche <bbeurdouche@mozilla.com> * lib/freebl/Makefile, lib/freebl/freebl.gyp: Bug 1624377 - Replace freebl flag -msse4 by -msse4.1 -msse4.2 which are supported by older compilers r=kjacobs Differential Revision: https://phabricator.services.mozilla.com/D68407 [16ee7cb36fff] 2020-03-26 Robert Relyea <rrelyea@redhat.com> * gtests/ssl_gtest/libssl_internals.c, lib/pk11wrap/exports.gyp, lib/pk11wrap/manifest.mn, lib/ssl/ssl3con.c, lib/ssl/sslprimitive.c, lib/ssl/sslspec.h, lib/ssl/tls13con.c, lib/ssl/tls13con.h, lib/ssl/tls13esni.c, lib/ssl/tls13exthandle.c: Bug 1623374 Need to support the new PKCS #11 Message interface for AES GCM and ChaCha Poly r=mt Update ssl to use the new PK11_AEADOp() interface. 1. We restore the use of PK11Context_Create() for AEAD operations. 2. AES GCM and CHACHA/Poly specific functions are no longer needed as PK11_AEADOp() handles all the mechanism specific processing. 3. TLS semantic differences between the two algorithms is handled by their parameters: 1. Nonce length is the length of the nonce counter. If it's zero, then XOR_Counter is used (and the nonce length is the sizeof(sslSequenceNumber)). 2. IV length is the full IV length - nonce length. 3. TLS 1.3 always uses XOR_Counter. 4. The IV is returned from the token in the encrypt case. Only in the explict nonce case is it examined. (The code depends on the fact that the count in the token will match sslSequenceNumber). I did have assert code to verify this was happening for testing, but it's removed from this patch it can be added back. 5. All the decrypt instances of XOR_Counter IV creation have been colapsed into tls13_WriteNonce(). 6. Even tough PK11_AEADOp returns and accepts the tag separately (for encrypt and decrypt respectively). The SSL code still returns the values as buffer||tag. 7. tls13_AEAD() has been enhanced so all uses of AEAD outside of the TLS stream can use it instead of their own wrapped version. It can handle streams (CreateContext() tls13_AEAD() tls13_AEAD() DestroyContext()) or single shot tls13_AEAD(context=NULL). In the later case, the keys for the single shot operation should not be resued. 8. libssl_internals.c in the gtests directory has been updated to handle advancing the internal iv counter when we artifically advance the seqNum. Since we don't have access to any token iv counter (including softoken), The code switches to simulated message mode, and updates the simulated state as appropriate. (obviously this is for testing only code as it reaches into normally private data structures). Differential Revision: https://phabricator.services.mozilla.com/D68480 [e7c7f305078e] 2020-03-26 Robert Relyea <rrelyea@redhat.com> * gtests/ssl_gtest/libssl_internals.c, lib/pk11wrap/exports.gyp, lib/pk11wrap/manifest.mn, lib/ssl/ssl3con.c, lib/ssl/sslprimitive.c, lib/ssl/sslspec.h, lib/ssl/tls13con.c, lib/ssl/tls13con.h, lib/ssl/tls13esni.c, lib/ssl/tls13exthandle.c: Bug 1623374 Need to support the new PKCS #11 Message interface for AES GCM and ChaCha Poly r=mt Update ssl to use the new PK11_AEADOp() interface. 1. We restore the use of PK11Context_Create() for AEAD operations. 2. AES GCM and CHACHA/Poly specific functions are no longer needed as PK11_AEADOp() handles all the mechanism specific processing. 3. TLS semantic differences between the two algorithms is handled by their parameters: 1. Nonce length is the length of the nonce counter. If it's zero, then XOR_Counter is used (and the nonce length is the sizeof(sslSequenceNumber)). 2. IV length is the full IV length - nonce length. 3. TLS 1.3 always uses XOR_Counter. 4. The IV is returned from the token in the encrypt case. Only in the explict nonce case is it examined. (The code depends on the fact that the count in the token will match sslSequenceNumber). I did have assert code to verify this was happening for testing, but it's removed from this patch it can be added back. 5. All the decrypt instances of XOR_Counter IV creation have been colapsed into tls13_WriteNonce(). 6. Even tough PK11_AEADOp returns and accepts the tag separately (for encrypt and decrypt respectively). The SSL code still returns the values as buffer||tag. 7. tls13_AEAD() has been enhanced so all uses of AEAD outside of the TLS stream can use it instead of their own wrapped version. It can handle streams (CreateContext() tls13_AEAD() tls13_AEAD() DestroyContext()) or single shot tls13_AEAD(context=NULL). In the later case, the keys for the single shot operation should not be resued. 8. libssl_internals.c in the gtests directory has been updated to handle advancing the internal iv counter when we artifically advance the seqNum. Since we don't have access to any token iv counter (including softoken), The code switches to simulated message mode, and updates the simulated state as appropriate. (obviously this is for testing only code as it reaches into normally private data structures). Differential Revision: https://phabricator.services.mozilla.com/D68480 [e7c7f305078e] 2020-03-23 Kevin Jacobs <kjacobs@mozilla.com> * lib/softoken/pkcs11.c: Bug 1624402 - Fix compilation error when NO_FORK_CHECK and CHECK_FORK_* are defined r=rrelyea Differential Revision: https://phabricator.services.mozilla.com/D67911 [0225889e5292] 2020-03-23 Kevin Jacobs <kjacobs@mozilla.com> * lib/util/pkcs11.h: Bug 1624130 - Require CK_FUNCTION_LIST structs to be packed. r=rrelyea Differential Revision: https://phabricator.services.mozilla.com/D67741 [7ab62d3d0445] 2020-03-19 Robert Relyea <rrelyea@redhat.com> * automation/abi-check/expected-report-libnss3.so.txt, gtests/pk11_gtest/pk11_aes_gcm_unittest.cc, gtests/pk11_gtest/pk11_chacha20poly1305_unittest.cc, lib/freebl/blapi.h, lib/freebl/blapii.h, lib/freebl/blapit.h, lib/freebl/chacha20poly1305.c, lib/freebl/gcm.c, lib/freebl/gcm.h, lib/freebl/intel-gcm-wrap.c, lib/freebl/intel-gcm.h, lib/freebl/ldvector.c, lib/freebl/loader.c, lib/freebl/loader.h, lib/freebl/rijndael.c, lib/freebl/rijndael.h, lib/nss/nss.def, lib/pk11wrap/pk11cxt.c, lib/pk11wrap/pk11mech.c, lib/pk11wrap/pk11priv.h, lib/pk11wrap/pk11pub.h, lib/pk11wrap/pk11skey.c, lib/pk11wrap/pk11slot.c, lib/pk11wrap/secmodti.h, lib/softoken/fipstokn.c, lib/softoken/pkcs11.c, lib/softoken/pkcs11c.c, lib/softoken/pkcs11i.h, lib/softoken/pkcs11u.c, lib/softoken/sftkmessage.c, lib/util/pkcs11n.h, lib/util/pkcs11t.h, lib/util/secport.h: Bug 1623374 Need to support the new PKCS #11 Message interface for AES GCM and ChaCha Poly PKCS #11 defines a new interface for handling AEAD type ciphers that allow multiple AEAD operations without repeating the key schedule. It also allows tokens to keep track of the number of operations, and generate IVs (depending on the cipher). This patch: 1. implement those new functions in softoken. With the addition of CKF_MESSAGE_* flags to various mechanism, we need to strip them when using the version 2 API of softoken (since there are no C_Message* function in version 2). For that we need a separate C_GetMechanismInfo function. We use the same trick we used to have a separate version function for the V2 interface. Also now that the new message functions are in their own file, they still need access to the common Session state processing functions. those have gone from static to exported within softoken to accomidate that. Same with sftk_MapDecryptError() (sftk_MapVerifyError() was also made global, though nothing else is yet using it). Only C_MessageEncrptInit(), C_EncryptMessage(), C_MessageEncryptFinal, C_MessageDecryptInit(), C_DecryptMessage(), and C_MessageDecryptFinal are implemented. C_EncryptMessageBegin(), C_EncryptMessageNext(), C_DecryptMessageBegin(), and C_DecryptMessageNext() are all part of the multi-part withing a multi-part operation and are only necessary for things like S/MIME (potentially). If we wanted to implement them, we would need more functions exported from freebl (and initaead, updateaead, finalaead for each mechanism type). 2. make those interfaces call aes_gcm and chacha20_poly1503 (and make adjustments for those ciphers). For AES, I added a new function AES_AEAD, which handles both encrypt and decrypt. Internally, the gcm functions (both the generic gcm and the intel gcm wrapper) had their init functions split into key scheduling and counter mode/tag initialization. The latter is still called from init, but the former is now for each update call. IV generation is handled by a single function in gcm.c, and shared with intel_gcm_wrapper.c Since the AES functions already know about the underlying PKCS #11 mechanism parameters, the new AEAD functions also parse the PKCS #11 GCM parameters. For Chacha/Poly new aead update functions were created called ChaChaPoly1305_Encrypt and ChaChaChaPoly1305_Decrypt. There was no Message specific initialization in the existing chacha_init, so no changes were needed there. The primary difference between _Encrypt/_Decrypt and _Seal/_Open is the fact that the tag is put at the end of the encrypted data buffer in the latter, and in a generic buffer in the former. 3. create new pk11wrap interfaces that also squash the api differences between the various mechanisms for aead (similiar to the way we do it for CBC and ECB crypto today). To accomplish this I added PK11_AEADOp() and PK11_AEADRawOp(). Both functions handle the case where the token only supports the single shot interface, by using the single short interface to simulate the Message interface. The PK11_AEADOp() also smooths out the differences in the parameters and symantics of the various mechanism so the application does not need to worry about the PKCS #11 differences in the mechanism. Both use contexts from the standard PK11_CreateContext(), so key schedules are done once for each key rather than once for each message. MESSAGE/AEAD operations are selected by adding the psuedo attribute flag CKA_NSS_MESSAGE to the requested operation (CKA_ENCRYPT, CKA_DECRYPT, CKA_SIGN, CKA_VERIFY). 4. write tests for the new interfaces Tests were added to make sure the PK11_AEADRawOp interface works, The single shot interface is used to test output of the message interface we also use two test only functions to force the connection to use the simulation interface, which is also compared to the non-simulate inteface. The AES_GCM also tests various IV generators. Differential Revision: https://phabricator.services.mozilla.com/D67552 [293ac3688ced] 2020-03-18 Kevin Jacobs <kjacobs@mozilla.com> * lib/freebl/mpi/mpcpucache.c: Bug 1623184 - Clear ECX prior to cpuid, fixing query for Extended Features r=bbeurdouche While trying to benchmark the recent HACL* AVX2 code, I noticed that it was not being called on two machines (that both support AVX2), instead using only the AVX version. In order to query for Extended Features (cpuid with EAX=7), we also need to set ECX to 0: https://www.intel.com/content/www/us/en /architecture-and-technology/64-ia-32-architectures-software- developer-vol-2a-manual.html. The current code fails to do this, resulting in flags that show no support. Initially, I wrote a separate `freebl_cpuid_ex` function that accepted a value for ECX as a separate input argument. However, some definitions of `freebl_cpuid` already zero ECX, so making this consistent is the simplest way to get the desired behavior. With this patch, the two test machines (MacOS and Linux x64) correctly use the AVX2 ChaCha20Poly1305 code. Differential Revision: https://phabricator.services.mozilla.com/D67235 [06d41fe87c58] 2020-03-17 Robert Relyea <rrelyea@redhat.com> * automation/abi-check/expected-report-libnss3.so.txt, automation/abi- check/expected-report-libsoftokn3.so.txt, cmd/pk11mode/pk11mode.c, lib/pk11wrap/pk11load.c, lib/pk11wrap/secmodi.h, lib/pk11wrap/secmodt.h, lib/softoken/fipstokn.c, lib/softoken/manifest.mn, lib/softoken/pkcs11.c, lib/softoken/pkcs11c.c, lib/softoken/pkcs11i.h, lib/softoken/sftkmessage.c, lib/softoken/softoken.gyp, lib/softoken/softoken.h, lib/softoken/softokn.def, lib/util/pkcs11.h, lib/util/pkcs11f.h, lib/util/pkcs11n.h, nss/automation/abi-check/new-report-libnss3.so.txt, nss/automation /abi-check/new-report-libsoftokn3.so.txt: Bug 1603628 Update NSS to handle PKCS #11 v3.0 r=ueno r=mt Update to PKCS #11 v3.0 part 2. Create the functions and switch to the C_Interface() function to fetch the PKCS #11 function table. Also PKCS #11 v3.0 uses a new fork safe interface. NSS can already handle the case if the PKCS #11 module happens to be fork safe (when asked by the application to refresh the tokens in the child process, NSS can detect that such a refresh is not necessary and continue. Softoken could also be put in fork_safe mode with an environment variable. With this patch it's the default, and NSS asks for the fork safe API by default. Technically softoken should implement the old non-fork safe interface when PKCS #11 v2.0 is called, but NSS no longer needs it, and doing so would double the number of PKCS #11 interfaces are needed. You can still compile with fork unsafe semantics, and the PKCS #11 V3.0 module will do the right thing and not include the fork safe flag. Firefox does not fork(), so for firefox this is simply code that is no longer compilied. We now use C_GetInterface, which allows us to specify what kind of interface we want (PKCS #11 v3.0, PKCS #11 v2.0, fork safe, etc.). Vendor specific functions can now be accessed through the C_GetInterface. If the C_GetInterface function does not exists, we fall bak to the old C_GetFunctionList. There are 24 new functions in PKCS #11 v3.0: C_GetInterfaceList - return a table of all the supported interfaces C_GetInterface - return a specific interface. You can specify interface name, version and flags separately. You can leave off any of these and you will get what the token thinks is the best match of the interfaces that meet the criteria. We do this in softoken by the order of the interface list. C_SessionCancel - Cancel one or more multipart operation C_LoginUser - Supply a user name to C_Login(). This function has no meaning for softoken, so it just returns CKR_OPERATION_NOT_INITIALIZED under the theory that if we in the future want to support usernames, the NSS db would need special initialization to make that happen. C_Message* and C_*Message* (20 functions in all) are the new AEAD interface (they are written generally so that it can be used for things other than AEAD). In this patch they are unimplemented (see the next patch). This patch adds regular (NSC_) and FIPS (FC_) versions of these functions. Also when creating the PKCS #11 v2.0 interface, we had to create a 2.0 specific version of C_GetInfo so that it can return a 2.40 in the CK_VERSION field rather than 3.00. We do this with #defines since all the function tables are generated automagically with pkcs11f.h. Differential Revision: https://phabricator.services.mozilla.com/D67240 [2364598f8a36] 2020-03-09 Benjamin Beurdouche <bbeurdouche@mozilla.com> * automation/taskcluster/scripts/run_hacl.sh, lib/freebl/verified/Hacl_Poly1305_128.c, lib/freebl/verified/Hacl_Poly1305_256.c: Bug 1612493 - Fix Firefox build for Windows 2012 x64. r=kjacobs Differential Revision: https://phabricator.services.mozilla.com/D65945 [7e09cdab32d0] 2020-03-02 Kurt Miller <kurt@intricatesoftware.com> * lib/freebl/blinit.c: Bug 1618400 - Fix unused variable 'getauxval' on OpenBSD/arm64 r=jcj https://bugzilla.mozilla.org/show_bug.cgi?id=1618400 [2c989888dee7] 2020-03-02 Giulio Benetti <giulio.benetti@benettiengineering.com> * lib/freebl/blinit.c: Bug 1614183 - Check if PPC __has_include(<sys/auxv.h>). r=kjacobs Some build environment doesn't provide <sys/auxv.h> and this causes build failure, so let's check if that header exists by using __has_include() helper. Signed-off-by: Giulio Benetti <giulio.benetti@benettiengineering.com> [bb7c46049f26] 2020-02-28 Benjamin Beurdouche <bbeurdouche@mozilla.com> * automation/taskcluster/scripts/run_hacl.sh, lib/freebl/verified/Hacl_Chacha20.c, lib/freebl/verified/Hacl_Chacha20Poly1305_128.c, lib/freebl/verified/Hacl_Chacha20Poly1305_32.c, lib/freebl/verified/Hacl_Chacha20_Vec128.c, lib/freebl/verified/Hacl_Curve25519_51.c, lib/freebl/verified/Hacl_Kremlib.h, lib/freebl/verified/Hacl_Poly1305_128.c, lib/freebl/verified/Hacl_Poly1305_32.c, lib/freebl/verified/kremlin/include/kremlin/internal/types.h, lib/freebl/verified/kremlin/kremlib/dist/minimal/FStar_UInt128.h, li b/freebl/verified/kremlin/kremlib/dist/minimal/FStar_UInt128_Verifie d.h, lib/freebl/verified/kremlin/kremlib/dist/minimal/FStar_UInt_8_1 6_32_64.h, lib/freebl/verified/kremlin/kremlib/dist/minimal/LowStar_ Endianness.h, lib/freebl/verified/kremlin/kremlib/dist/minimal/fstar _uint128_gcc64.h, lib/freebl/verified/libintvector.h: Bug 1617533 - Update of HACL* after libintvector.h and coding style changes. r=kjacobs *** Bug 1617533 - Clang format *** Bug 1617533 - Update HACL* commit for job in Taskcluster *** Bug 1617533 - Update HACL* Kremlin code Differential Revision: https://phabricator.services.mozilla.com/D63829 [b6677ae9067e] * automation/taskcluster/graph/src/extend.js, coreconf/arch.mk, coreconf/config.mk, lib/freebl/Makefile, lib/freebl/blapii.h, lib/freebl/blinit.c, lib/freebl/chacha20poly1305.c, lib/freebl/freebl.gyp, lib/freebl/verified/Hacl_Chacha20Poly1305_256.c, lib/freebl/verified/Hacl_Chacha20Poly1305_256.h, lib/freebl/verified/Hacl_Chacha20_Vec256.c, lib/freebl/verified/Hacl_Chacha20_Vec256.h, lib/freebl/verified/Hacl_Poly1305_256.c, lib/freebl/verified/Hacl_Poly1305_256.h, nss-tool/hw-support.c: Bug 1612493 - Support for HACL* AVX2 code for Chacha20, Poly1305 and Chacha20Poly1305. r=kjacobs *** Bug 1612493 - Import AVX2 code from HACL* *** Bug 1612493 - Add CPU detection for AVX2, BMI1, BMI2, FMA, MOVBE *** Bug 1612493 - New flag NSS_DISABLE_AVX2 for freebl/Makefile and freebl.gyp *** Bug 1612493 - Disable use of AVX2 on GCC 4.4 which doesn’t support -mavx2 *** Bug 1612493 - Disable tests when the platform doesn't have support for AVX2 Differential Revision: https://phabricator.services.mozilla.com/D64718 [d5deac55f543] 2020-02-18 Robert Relyea <rrelyea@redhat.com> * cmd/bltest/blapitest.c, cmd/fipstest/fipstest.c, cmd/lib/pk11table.c, cmd/pk11gcmtest/pk11gcmtest.c, cmd/shlibsign/shlibsign.c, gtests/pk11_gtest/pk11_aes_gcm_unittest.cc, gtests/pk11_gtest/pk11_cbc_unittest.cc, lib/certdb/crl.c, lib/ckfw/dbm/db.c, lib/dev/devslot.c, lib/dev/devtoken.c, lib/dev/devutil.c, lib/freebl/fipsfreebl.c, lib/freebl/gcm.c, lib/freebl/intel-gcm-wrap.c, lib/pk11wrap/debug_module.c, lib/pk11wrap/dev3hack.c, lib/pk11wrap/pk11akey.c, lib/pk11wrap/pk11auth.c, lib/pk11wrap/pk11cert.c, lib/pk11wrap/pk11err.c, lib/pk11wrap/pk11load.c, lib/pk11wrap/pk11mech.c, lib/pk11wrap/pk11merge.c, lib/pk11wrap/pk11nobj.c, lib/pk11wrap/pk11obj.c, lib/pk11wrap/pk11pbe.c, lib/pk11wrap/pk11pk12.c, lib/pk11wrap/pk11pqg.c, lib/pk11wrap/pk11skey.c, lib/pk11wrap/pk11slot.c, lib/pk11wrap/pk11util.c, lib/pkcs12/p12d.c, lib/pkcs12/p12e.c, lib/softoken/fipstokn.c, lib/softoken/legacydb/lgattr.c, lib/softoken/legacydb/lgcreate.c, lib/softoken/legacydb/lgfind.c, lib/softoken/legacydb/lginit.c, lib/softoken/pkcs11.c, lib/softoken/pkcs11c.c, lib/softoken/pkcs11u.c, lib/softoken/sdb.c, lib/softoken/sftkdb.c, lib/softoken/sftkpwd.c, lib/ssl/ssl3con.c, lib/ssl/sslprimitive.c, lib/ssl/tls13con.c, lib/util/pkcs11.h, lib/util/pkcs11f.h, lib/util/pkcs11n.h, lib/util/pkcs11t.h, lib/util/secoid.c, nss- tool/enc/enctool.cc: Bug 1603628 Update NSS to handle PKCS #11 v3.0 r=daiki r=mhoye https://phabricator.services.mozilla.com/D63241 This patch implements the first phase: updating the headers. lib/util/pkcs11.h lib/util/pkcs11f.h lib/util/pkcs11t.h Were updated using the released OASIS PKCS #11 v3.0 header files. lib/util/pkcs11n.h was updated to finally deprecate all uses of CK?_NETSCAPE_?. A new define as added: NSS_PKCS11_2_0_COMPAT. If it's defined, the small semantic changes (including the removal of deprecated defines) between the NSS PKCS #11 v2 header file and the new PKCS #11 v3 are reverted in favor of the PKCS #11 v2 definitions. This include the removal of CK?_NETSCAPE_? in favor of CK?_NSS_?. One notable change was caused by an inconsistancy between the spec and the released headers in PKCS #11 v2.40. CK_GCM_PARAMS had an extra field in the header that was not in the spec. OASIS considers the header file to be normative, so PKCS #11 v3.0 resolved the issue in favor of the header file definition. NSS had the spec definition, so now there are 2 defines for this structure: CK_NSS_GCM_PARAMS - the old nss define. Still used internally in freebl. CK_GCM_PARAMS_V3 - the new define. CK_GCM_PARAMS - no longer referenced in NSS itself. It's defined as CK_GCM_PARAMS_V3 if NSS_PKCS11_2_0_COMPAT is *not* defined, and it's defined as CKM_NSS_GCM_PARAMS if NSS_PKCS11_2_0_COMPAT is defined. Softoken has been updated to accept either CK_NSS_GCM_PARAMS or CK_GCM_PARAMS_V3. In a future patch NSS will be updated to use CK_GCM_PARAMS_V3 and fall back to CK_NSS_GMC_PARAMS. One other semantic difference between the 3.0 version of pkcs11f.h and the version here: In the oasis version of the header, you must define CK_PKCS11_2_0_ONLY to get just the PKCS #11 v2 defines. In our version you must define CK_PKCS11_3 to get the PCKS #11 v3 defines. Most of this patch is to handle changing the deprecated defines that have been removed in PCKS #11 v3 from NSS. Differential Revision: https://phabricator.services.mozilla.com/D63241 [b5d90a7fe217] Differential Revision: https://phabricator.services.mozilla.com/D70773 --HG-- extra : moz-landing-system : lando	2020-04-14 17:53:38 +00:00
Kevin Jacobs	fe5361807e	Bug 1621350 - land NSS 581ed41d0a8d UPGRADE_NSS_RELEASE, r=jcj ... Differential Revision: https://phabricator.services.mozilla.com/D68665 --HG-- extra : moz-landing-system : lando	2020-03-30 21:06:07 +00:00
Kevin Jacobs	c36703e663	Bug 1621350 - land NSS 0225889e5292 UPGRADE_NSS_RELEASE, r=jcj ... 2020-03-23 Kevin Jacobs <kjacobs@mozilla.com> * lib/softoken/pkcs11.c: Bug 1624402 - Fix compilation error when NO_FORK_CHECK and CHECK_FORK_* are defined r=rrelyea [0225889e5292] [tip] * lib/util/pkcs11.h: Bug 1624130 - Require CK_FUNCTION_LIST structs to be packed. r=rrelyea [7ab62d3d0445] 2020-03-17 Robert Relyea <rrelyea@redhat.com> * automation/abi-check/expected-report-libnss3.so.txt, automation/abi- check/expected-report-libsoftokn3.so.txt, cmd/pk11mode/pk11mode.c, lib/pk11wrap/pk11load.c, lib/pk11wrap/secmodi.h, lib/pk11wrap/secmodt.h, lib/softoken/fipstokn.c, lib/softoken/manifest.mn, lib/softoken/pkcs11.c, lib/softoken/pkcs11c.c, lib/softoken/pkcs11i.h, lib/softoken/sftkmessage.c, lib/softoken/softoken.gyp, lib/softoken/softoken.h, lib/softoken/softokn.def, lib/util/pkcs11.h, lib/util/pkcs11f.h, lib/util/pkcs11n.h, nss/automation/abi-check/new-report-libnss3.so.txt, nss/automation /abi-check/new-report-libsoftokn3.so.txt: Bug 1603628 Update NSS to handle PKCS #11 v3.0 r=ueno r=mt Update to PKCS #11 v3.0 part 2. Create the functions and switch to the C_Interface() function to fetch the PKCS #11 function table. Also PKCS #11 v3.0 uses a new fork safe interface. NSS can already handle the case if the PKCS #11 module happens to be fork safe (when asked by the application to refresh the tokens in the child process, NSS can detect that such a refresh is not necessary and continue. Softoken could also be put in fork_safe mode with an environment variable. With this patch it's the default, and NSS asks for the fork safe API by default. Technically softoken should implement the old non-fork safe interface when PKCS #11 v2.0 is called, but NSS no longer needs it, and doing so would double the number of PKCS #11 interfaces are needed. You can still compile with fork unsafe semantics, and the PKCS #11 V3.0 module will do the right thing and not include the fork safe flag. Firefox does not fork(), so for firefox this is simply code that is no longer compilied. We now use C_GetInterface, which allows us to specify what kind of interface we want (PKCS #11 v3.0, PKCS #11 v2.0, fork safe, etc.). Vendor specific functions can now be accessed through the C_GetInterface. If the C_GetInterface function does not exists, we fall bak to the old C_GetFunctionList. There are 24 new functions in PKCS #11 v3.0: C_GetInterfaceList - return a table of all the supported interfaces C_GetInterface - return a specific interface. You can specify interface name, version and flags separately. You can leave off any of these and you will get what the token thinks is the best match of the interfaces that meet the criteria. We do this in softoken by the order of the interface list. C_SessionCancel - Cancel one or more multipart operation C_LoginUser - Supply a user name to C_Login(). This function has no meaning for softoken, so it just returns CKR_OPERATION_NOT_INITIALIZED under the theory that if we in the future want to support usernames, the NSS db would need special initialization to make that happen. C_Message* and C_*Message* (20 functions in all) are the new AEAD interface (they are written generally so that it can be used for things other than AEAD). In this patch they are unimplemented (see the next patch). This patch adds regular (NSC_) and FIPS (FC_) versions of these functions. Also when creating the PKCS #11 v2.0 interface, we had to create a 2.0 specific version of C_GetInfo so that it can return a 2.40 in the CK_VERSION field rather than 3.00. We do this with #defines since all the function tables are generated automagically with pkcs11f.h. [2364598f8a36] 2020-03-18 Kevin Jacobs <kjacobs@mozilla.com> * lib/freebl/mpi/mpcpucache.c: Bug 1623184 - Clear ECX prior to cpuid, fixing query for Extended Features r=bbeurdouche While trying to benchmark the recent HACL* AVX2 code, I noticed that it was not being called on two machines (that both support AVX2), instead using only the AVX version. In order to query for Extended Features (cpuid with EAX=7), we also need to set ECX to 0: https://www.intel.com/content/www/us/en /architecture-and-technology/64-ia-32-architectures-software- developer-vol-2a-manual.html. The current code fails to do this, resulting in flags that show no support. Initially, I wrote a separate `freebl_cpuid_ex` function that accepted a value for ECX as a separate input argument. However, some definitions of `freebl_cpuid` already zero ECX, so making this consistent is the simplest way to get the desired behavior. With this patch, the two test machines (MacOS and Linux x64) correctly use the AVX2 ChaCha20Poly1305 code. [06d41fe87c58] 2020-02-18 Robert Relyea <rrelyea@redhat.com> * cmd/bltest/blapitest.c, cmd/fipstest/fipstest.c, cmd/lib/pk11table.c, cmd/pk11gcmtest/pk11gcmtest.c, cmd/shlibsign/shlibsign.c, gtests/pk11_gtest/pk11_aes_gcm_unittest.cc, gtests/pk11_gtest/pk11_cbc_unittest.cc, lib/certdb/crl.c, lib/ckfw/dbm/db.c, lib/dev/devslot.c, lib/dev/devtoken.c, lib/dev/devutil.c, lib/freebl/fipsfreebl.c, lib/freebl/gcm.c, lib/freebl/intel-gcm-wrap.c, lib/pk11wrap/debug_module.c, lib/pk11wrap/dev3hack.c, lib/pk11wrap/pk11akey.c, lib/pk11wrap/pk11auth.c, lib/pk11wrap/pk11cert.c, lib/pk11wrap/pk11err.c, lib/pk11wrap/pk11load.c, lib/pk11wrap/pk11mech.c, lib/pk11wrap/pk11merge.c, lib/pk11wrap/pk11nobj.c, lib/pk11wrap/pk11obj.c, lib/pk11wrap/pk11pbe.c, lib/pk11wrap/pk11pk12.c, lib/pk11wrap/pk11pqg.c, lib/pk11wrap/pk11skey.c, lib/pk11wrap/pk11slot.c, lib/pk11wrap/pk11util.c, lib/pkcs12/p12d.c, lib/pkcs12/p12e.c, lib/softoken/fipstokn.c, lib/softoken/legacydb/lgattr.c, lib/softoken/legacydb/lgcreate.c, lib/softoken/legacydb/lgfind.c, lib/softoken/legacydb/lginit.c, lib/softoken/pkcs11.c, lib/softoken/pkcs11c.c, lib/softoken/pkcs11u.c, lib/softoken/sdb.c, lib/softoken/sftkdb.c, lib/softoken/sftkpwd.c, lib/ssl/ssl3con.c, lib/ssl/sslprimitive.c, lib/ssl/tls13con.c, lib/util/pkcs11.h, lib/util/pkcs11f.h, lib/util/pkcs11n.h, lib/util/pkcs11t.h, lib/util/secoid.c, nss- tool/enc/enctool.cc: Bug 1603628 Update NSS to handle PKCS #11 v3.0 r=daiki r=mhoye This patch implements the first phase: updating the headers. lib/util/pkcs11.h lib/util/pkcs11f.h lib/util/pkcs11t.h Were updated using the released OASIS PKCS #11 v3.0 header files. lib/util/pkcs11n.h was updated to finally deprecate all uses of CK?_NETSCAPE_?. A new define as added: NSS_PKCS11_2_0_COMPAT. If it's defined, the small semantic changes (including the removal of deprecated defines) between the NSS PKCS #11 v2 header file and the new PKCS #11 v3 are reverted in favor of the PKCS #11 v2 definitions. This include the removal of CK?_NETSCAPE_? in favor of CK?_NSS_?. One notable change was caused by an inconsistancy between the spec and the released headers in PKCS #11 v2.40. CK_GCM_PARAMS had an extra field in the header that was not in the spec. OASIS considers the header file to be normative, so PKCS #11 v3.0 resolved the issue in favor of the header file definition. NSS had the spec definition, so now there are 2 defines for this structure: CK_NSS_GCM_PARAMS - the old nss define. Still used internally in freebl. CK_GCM_PARAMS_V3 - the new define. CK_GCM_PARAMS - no longer referenced in NSS itself. It's defined as CK_GCM_PARAMS_V3 if NSS_PKCS11_2_0_COMPAT is *not* defined, and it's defined as CKM_NSS_GCM_PARAMS if NSS_PKCS11_2_0_COMPAT is defined. Softoken has been updated to accept either CK_NSS_GCM_PARAMS or CK_GCM_PARAMS_V3. In a future patch NSS will be updated to use CK_GCM_PARAMS_V3 and fall back to CK_NSS_GMC_PARAMS. One other semantic difference between the 3.0 version of pkcs11f.h and the version here: In the oasis version of the header, you must define CK_PKCS11_2_0_ONLY to get just the PKCS #11 v2 defines. In our version you must define CK_PKCS11_3 to get the PCKS #11 v3 defines. Most of this patch is to handle changing the deprecated defines that have been removed in PCKS #11 v3 from NSS. [b5d90a7fe217] 2020-03-16 Kevin Jacobs <kjacobs@mozilla.com> * automation/abi-check/expected-report-libssl3.so.txt, gtests/ssl_gtest/libssl_internals.c, gtests/ssl_gtest/libssl_internals.h, gtests/ssl_gtest/tls_agent.cc, gtests/ssl_gtest/tls_agent.h, gtests/ssl_gtest/tls_subcerts_unittest.cc, lib/ssl/SSLerrs.h, lib/ssl/ssl.h, lib/ssl/ssl3con.c, lib/ssl/ssl3ext.c, lib/ssl/ssl3ext.h, lib/ssl/sslerr.h, lib/ssl/sslimpl.h, lib/ssl/sslt.h, lib/ssl/tls13exthandle.c, lib/ssl/tls13subcerts.c, tests/common/certsetup.sh, tests/ssl_gtests/ssl_gtests.sh: Bug 1617968 - Update Delegated Credentials implementation to draft-07 r=mt Remove support for RSAE in delegated credentials (both in DC signatures and SPKIs), add SignatureScheme list functionality to initial DC extension. [44eb9e27d946] 2020-03-13 Robert Relyea <rrelyea@redhat.com> * cmd/fipstest/fipstest.c: Bug 1608250 KBKDF - broken fipstest handling of KI_len r=rrelyea p=cipherboy When testing Bug 1608245, I realized that I had inadvertently broken fipstest.c's handling of KI and KI_len. This lead to it passing bogus keys (with unusually large lengths exceeding the bounds of sizeof KI) to kbkdf_Dispatch(...). This uses Bob Relyea's suggestion on how to handle this: detect the size of KI when processing the mech selection, storing KI_len there. This simplifies reading of the KI value in later code. [d7b12847a650] * lib/softoken/kbkdf.c: Bug 1608245 KBKDF - Consistently handle NULL slot/session r=kjacobs Patch by cipherboy, review by kjacobs. Per Bug 1607955, the KBKDF code introduced in Bug 1599603 confused Coverity with a elided NULL check on sftk_SlotFromSessionHandle(...). While Coverity is incorrect (and the behavior is fine as-is), it isn't consistent with the KBKDF code's handling of sftk_SessionFromHandle(...) (which is NULL checked). This brings these two call sites into internal consistency. [4c43bc0998f3] Differential Revision: https://phabricator.services.mozilla.com/D67966 --HG-- extra : moz-landing-system : lando	2020-03-24 16:39:11 +00:00
Kevin Jacobs	24e1ed50fa	Bug 1621350 - land NSS 710d10a72934 UPGRADE_NSS_RELEASE, r=jcj ... 2020-03-10 Kevin Jacobs <kjacobs@mozilla.com> * lib/ssl/ssl3exthandle.c: Bug 1618915 - Fix UBSAN issue in ssl_ParseSessionTicket r=jcj,bbeurdouche [710d10a72934] [tip] 2020-03-09 Kevin Jacobs <kjacobs@mozilla.com> * lib/ssl/ssl3exthandle.c: Bug 1618739 - Don't assert fuzzer behavior in SSL_ParseSessionTicket r=jcj [12fc91fad84a] 2020-03-03 Benjamin Beurdouche <bbeurdouche@mozilla.com> * readme.md: Bug 1619056 - Update README: TLS 1.3 is not experimental anymore. r=jcj [08944e50dce0] 2020-03-09 Kevin Jacobs <kjacobs@mozilla.com> * gtests/ssl_gtest/ssl_version_unittest.cc, lib/ssl/sslexp.h, lib/ssl/sslimpl.h, lib/ssl/sslsock.c, lib/ssl/tls13exthandle.c: Bug 1619102 - Add workaround option to include both DTLS and TLS versions in DTLS supported_versions. r=mt Add an experimental function for enabling a DTLS 1.3 supported_versions compatibility workaround. [53803dc4628f] 2020-03-09 Benjamin Beurdouche <bbeurdouche@mozilla.com> * automation/taskcluster/scripts/run_hacl.sh, lib/freebl/verified/Hacl_Poly1305_128.c, lib/freebl/verified/Hacl_Poly1305_256.c: Bug 1612493 - Fix Firefox build for Windows 2012 x64. r=kjacobs [7e09cdab32d0] 2020-03-02 Kevin Jacobs <kjacobs@mozilla.com> * lib/freebl/blinit.c: Bug 1614183 - Fixup, clang-format. r=me [b17a367b83de] [NSS_3_51_BETA1] 2020-03-02 Giulio Benetti <giulio.benetti@benettiengineering.com> * lib/freebl/blinit.c: Bug 1614183 - Check if PPC __has_include(<sys/auxv.h>). r=kjacobs Some build environment doesn't provide <sys/auxv.h> and this causes build failure, so let's check if that header exists by using __has_include() helper. Signed-off-by: Giulio Benetti <giulio.benetti@benettiengineering.com> [bb7c46049f26] 2020-03-02 Kurt Miller <kurt@intricatesoftware.com> * lib/freebl/blinit.c: Bug 1618400 - Fix unused variable 'getauxval' on OpenBSD/arm64 r=jcj https://bugzilla.mozilla.org/show_bug.cgi?id=1618400 [2c989888dee7] 2020-02-28 Benjamin Beurdouche <bbeurdouche@mozilla.com> * automation/taskcluster/graph/src/extend.js, coreconf/arch.mk, coreconf/config.mk, lib/freebl/Makefile, lib/freebl/blapii.h, lib/freebl/blinit.c, lib/freebl/chacha20poly1305.c, lib/freebl/freebl.gyp, lib/freebl/verified/Hacl_Chacha20Poly1305_256.c, lib/freebl/verified/Hacl_Chacha20Poly1305_256.h, lib/freebl/verified/Hacl_Chacha20_Vec256.c, lib/freebl/verified/Hacl_Chacha20_Vec256.h, lib/freebl/verified/Hacl_Poly1305_256.c, lib/freebl/verified/Hacl_Poly1305_256.h, nss-tool/hw-support.c: Bug 1612493 - Support for HACL* AVX2 code for Chacha20, Poly1305 and Chacha20Poly1305. r=kjacobs *** Bug 1612493 - Import AVX2 code from HACL* *** Bug 1612493 - Add CPU detection for AVX2, BMI1, BMI2, FMA, MOVBE *** Bug 1612493 - New flag NSS_DISABLE_AVX2 for freebl/Makefile and freebl.gyp *** Bug 1612493 - Disable use of AVX2 on GCC 4.4 which doesn’t support -mavx2 *** Bug 1612493 - Disable tests when the platform doesn't have support for AVX2 [d5deac55f543] * automation/taskcluster/scripts/run_hacl.sh, lib/freebl/verified/Hacl_Chacha20.c, lib/freebl/verified/Hacl_Chacha20Poly1305_128.c, lib/freebl/verified/Hacl_Chacha20Poly1305_32.c, lib/freebl/verified/Hacl_Chacha20_Vec128.c, lib/freebl/verified/Hacl_Curve25519_51.c, lib/freebl/verified/Hacl_Kremlib.h, lib/freebl/verified/Hacl_Poly1305_128.c, lib/freebl/verified/Hacl_Poly1305_32.c, lib/freebl/verified/kremlin/include/kremlin/internal/types.h, lib/freebl/verified/kremlin/kremlib/dist/minimal/FStar_UInt128.h, li b/freebl/verified/kremlin/kremlib/dist/minimal/FStar_UInt128_Verifie d.h, lib/freebl/verified/kremlin/kremlib/dist/minimal/FStar_UInt_8_1 6_32_64.h, lib/freebl/verified/kremlin/kremlib/dist/minimal/LowStar_ Endianness.h, lib/freebl/verified/kremlin/kremlib/dist/minimal/fstar _uint128_gcc64.h, lib/freebl/verified/libintvector.h: Bug 1617533 - Update of HACL* after libintvector.h and coding style changes. r=kjacobs *** Bug 1617533 - Clang format *** Bug 1617533 - Update HACL* commit for job in Taskcluster *** Bug 1617533 - Update HACL* Kremlin code [b6677ae9067e] Differential Revision: https://phabricator.services.mozilla.com/D66264 --HG-- extra : moz-landing-system : lando	2020-03-10 21:35:56 +00:00
Kevin Jacobs	d782507dc9	Bug 1614053 - land NSS NSS_3_51_BETA2 UPGRADE_NSS_RELEASE, r=jcj ... 2020-03-03 Kevin Jacobs <kjacobs@mozilla.com> * automation/taskcluster/scripts/run_hacl.sh, lib/freebl/verified/Hacl_Chacha20.c, lib/freebl/verified/Hacl_Chacha20Poly1305_128.c, lib/freebl/verified/Hacl_Chacha20Poly1305_32.c, lib/freebl/verified/Hacl_Chacha20_Vec128.c, lib/freebl/verified/Hacl_Curve25519_51.c, lib/freebl/verified/Hacl_Kremlib.h, lib/freebl/verified/Hacl_Poly1305_128.c, lib/freebl/verified/Hacl_Poly1305_32.c, lib/freebl/verified/kremlin/include/kremlin/internal/types.h, lib/freebl/verified/kremlin/kremlib/dist/minimal/FStar_UInt128.h, li b/freebl/verified/kremlin/kremlib/dist/minimal/FStar_UInt128_Verifie d.h, lib/freebl/verified/kremlin/kremlib/dist/minimal/FStar_UInt_8_1 6_32_64.h, lib/freebl/verified/kremlin/kremlib/dist/minimal/LowStar_ Endianness.h, lib/freebl/verified/kremlin/kremlib/dist/minimal/fstar _uint128_gcc64.h, lib/freebl/verified/libintvector.h: Backed out changeset b6677ae9067e (Bug 1612493) for Windows build failures. [6e610ed9b196] [NSS_3_51_BETA2] <NSS_3_51_BRANCH> * automation/taskcluster/graph/src/extend.js, coreconf/arch.mk, coreconf/config.mk, lib/freebl/Makefile, lib/freebl/blapii.h, lib/freebl/blinit.c, lib/freebl/chacha20poly1305.c, lib/freebl/freebl.gyp, lib/freebl/verified/Hacl_Chacha20Poly1305_256.c, lib/freebl/verified/Hacl_Chacha20Poly1305_256.h, lib/freebl/verified/Hacl_Chacha20_Vec256.c, lib/freebl/verified/Hacl_Chacha20_Vec256.h, lib/freebl/verified/Hacl_Poly1305_256.c, lib/freebl/verified/Hacl_Poly1305_256.h, nss-tool/hw-support.c: Backed out changeset d5deac55f543 [4215a0b45a22] <NSS_3_51_BRANCH> 2020-03-02 Kevin Jacobs <kjacobs@mozilla.com> * .hgtags: Added tag NSS_3_51_BETA1 for changeset b17a367b83de [9564790a9cf6] <NSS_3_51_BRANCH> * lib/freebl/blinit.c: Bug 1614183 - Fixup, clang-format. r=me [b17a367b83de] [NSS_3_51_BETA1] 2020-03-02 Giulio Benetti <giulio.benetti@benettiengineering.com> * lib/freebl/blinit.c: Bug 1614183 - Check if PPC __has_include(<sys/auxv.h>). r=kjacobs Some build environment doesn't provide <sys/auxv.h> and this causes build failure, so let's check if that header exists by using __has_include() helper. Signed-off-by: Giulio Benetti <giulio.benetti@benettiengineering.com> [bb7c46049f26] 2020-03-02 Kurt Miller <kurt@intricatesoftware.com> * lib/freebl/blinit.c: Bug 1618400 - Fix unused variable 'getauxval' on OpenBSD/arm64 r=jcj https://bugzilla.mozilla.org/show_bug.cgi?id=1618400 [2c989888dee7] 2020-02-28 Benjamin Beurdouche <bbeurdouche@mozilla.com> * automation/taskcluster/graph/src/extend.js, coreconf/arch.mk, coreconf/config.mk, lib/freebl/Makefile, lib/freebl/blapii.h, lib/freebl/blinit.c, lib/freebl/chacha20poly1305.c, lib/freebl/freebl.gyp, lib/freebl/verified/Hacl_Chacha20Poly1305_256.c, lib/freebl/verified/Hacl_Chacha20Poly1305_256.h, lib/freebl/verified/Hacl_Chacha20_Vec256.c, lib/freebl/verified/Hacl_Chacha20_Vec256.h, lib/freebl/verified/Hacl_Poly1305_256.c, lib/freebl/verified/Hacl_Poly1305_256.h, nss-tool/hw-support.c: Bug 1612493 - Support for HACL* AVX2 code for Chacha20, Poly1305 and Chacha20Poly1305. r=kjacobs *** Bug 1612493 - Import AVX2 code from HACL* *** Bug 1612493 - Add CPU detection for AVX2, BMI1, BMI2, FMA, MOVBE *** Bug 1612493 - New flag NSS_DISABLE_AVX2 for freebl/Makefile and freebl.gyp *** Bug 1612493 - Disable use of AVX2 on GCC 4.4 which doesn’t support -mavx2 *** Bug 1612493 - Disable tests when the platform doesn't have support for AVX2 [d5deac55f543] * automation/taskcluster/scripts/run_hacl.sh, lib/freebl/verified/Hacl_Chacha20.c, lib/freebl/verified/Hacl_Chacha20Poly1305_128.c, lib/freebl/verified/Hacl_Chacha20Poly1305_32.c, lib/freebl/verified/Hacl_Chacha20_Vec128.c, lib/freebl/verified/Hacl_Curve25519_51.c, lib/freebl/verified/Hacl_Kremlib.h, lib/freebl/verified/Hacl_Poly1305_128.c, lib/freebl/verified/Hacl_Poly1305_32.c, lib/freebl/verified/kremlin/include/kremlin/internal/types.h, lib/freebl/verified/kremlin/kremlib/dist/minimal/FStar_UInt128.h, li b/freebl/verified/kremlin/kremlib/dist/minimal/FStar_UInt128_Verifie d.h, lib/freebl/verified/kremlin/kremlib/dist/minimal/FStar_UInt_8_1 6_32_64.h, lib/freebl/verified/kremlin/kremlib/dist/minimal/LowStar_ Endianness.h, lib/freebl/verified/kremlin/kremlib/dist/minimal/fstar _uint128_gcc64.h, lib/freebl/verified/libintvector.h: Bug 1617533 - Update of HACL* after libintvector.h and coding style changes. r=kjacobs *** Bug 1617533 - Clang format *** Bug 1617533 - Update HACL* commit for job in Taskcluster *** Bug 1617533 - Update HACL* Kremlin code [b6677ae9067e] Differential Revision: https://phabricator.services.mozilla.com/D65270 --HG-- extra : moz-landing-system : lando	2020-03-04 05:04:32 +00:00
Kevin Jacobs	4d7b3b72ef	Bug 1614053 - land NSS 52a75c5373ef UPGRADE_NSS_RELEASE, r=jcj ... 2020-02-27 Kevin Jacobs <kjacobs@mozilla.com> * gtests/ssl_gtest/ssl_extension_unittest.cc, gtests/ssl_gtest/ssl_gtest.gyp, gtests/ssl_gtest/ssl_masking_unittest.cc, gtests/ssl_gtest/tls_filter.cc, gtests/ssl_gtest/tls_filter.h, gtests/ssl_gtest/tls_hkdf_unittest.cc, gtests/ssl_gtest/tls_protect.cc, lib/ssl/dtls13con.c, lib/ssl/ssl3con.c, lib/ssl/ssl3prot.h, lib/ssl/sslexp.h, lib/ssl/sslimpl.h, lib/ssl/sslinfo.c, lib/ssl/sslprimitive.c, lib/ssl/sslsock.c, lib/ssl/tls13con.c, lib/ssl/tls13esni.c, lib/ssl/tls13hkdf.c, lib/ssl/tls13hkdf.h, lib/ssl/tls13replay.c: Bug 1608892 - Update DTLS 1.3 to draft-34 r=mt This patch updates the DTLS 1.3 implementation to draft-34. Notable changes: 1) Key separation via `ssl_protocol_variant`. 2) No longer apply sequence number masking when in `UNSAFE_FUZZER_MODE`. This allowed removal of workarounds for unpadded (<16B) ciphertexts being used as input to `SSL_CreateMask`. 3) Compile ssl_gtests in `UNSAFE_FUZZER_MODE` iff `--fuzz=tls` was specified. Currently all gtests are compiled this way if `--fuzz`, but lib/ssl only if `--fuzz=tls`. (See above, we can't have ssl_gtests in fuzzer mode, but not lib/ssl, since the masking mismatch will break filters). 4) Parameterize masking tests, as appropriate. 5) Reject non-empty legacy_cookie, and test. 6) Reject ciphertexts <16B in length in `dtls13_MaskSequenceNumber` (if not `UNSAFE_FUZZER_MODE`). [52a75c5373ef] [tip] 2020-02-24 Jean-Luc Bonnafoux <jeanluc.bonnafoux@wanadoo.fr> * lib/cryptohi/secsign.c: Bug 1617387 fix compiler warning r=jcj [ab0e7e272e36] 2020-02-24 Kevin Jacobs <kjacobs@mozilla.com> * gtests/common/testvectors/p384ecdh-vectors.h, gtests/common/testvectors/p521ecdh-vectors.h, gtests/common/wycheproof/genTestVectors.py, gtests/common/wycheproof/source_vectors/ecdh_secp384r1_test.json, gtests/common/wycheproof/source_vectors/ecdh_secp521r1_test.json, gtests/pk11_gtest/pk11_ecdh_unittest.cc: Bug 1612259 - Add Wycheproof vectors for P384 and P521 ECDH. r=bbeurdouche [badb4da1ec85] 2020-02-19 Kevin Jacobs <kjacobs@mozilla.com> * gtests/freebl_gtest/mpi_unittest.cc, lib/freebl/mpi/mplogic.h: Bug 1609751 - Additional tests for mp_comba r=mt Verify that when clamping, the upper 4 bytes of an `mp_digit` is checked. [a5e8c14016cd] 2020-02-19 Jean-Luc Bonnafoux <jeanluc.bonnafoux@wanadoo.fr> * lib/freebl/ecl/ecp_25519.c: Bug 1561337: fix compiler warning r=jcj [4c771e6a79db] Differential Revision: https://phabricator.services.mozilla.com/D64683 --HG-- extra : moz-landing-system : lando	2020-02-28 01:55:48 +00:00
Kevin Jacobs	3ffa3a1cbd	Bug 1606927 - land NSS 9e0d34a6cf91 UPGRADE_NSS_RELEASE, r=jcj ... 2020-02-18 Kevin Jacobs <kjacobs@mozilla.com> * gtests/ssl_gtest/ssl_extension_unittest.cc, gtests/ssl_gtest/ssl_version_unittest.cc, lib/ssl/dtlscon.c, lib/ssl/tls13con.c, lib/ssl/tls13con.h, lib/ssl/tls13exthandle.c: Bug 1615208 - Send DTLS version numbers in DTLS 1.3 supported_versions extension r=mt This patch modifies `supported_versions` encodings to reflect DTLS versions when DTLS1.3 is use. Previously, a DTLS1.3 CH would include `[0x7f1e, 0x303, 0x302]` instead of the expected `[0x7f1e, 0xfefd, 0xfeff]`, causing compatibility issues. [9e0d34a6cf91] [tip] 2020-02-12 Mikael Urankar <mikael.urankar@gmail.com> * lib/freebl/Makefile, lib/freebl/freebl.gyp: Bug 1612177 - Set -march=armv7 when compiling gcm-arm32-neon, in order to enable NEON code generation. [4413841bd26d] 2020-02-14 Dmitry Baryshkov <dbaryshkov@gmail.com> * gtests/freebl_gtest/blake2b_unittest.cc, lib/freebl/blake2b.c: Bug 1431940 - remove dereference before NULL check in BLAKE2B code. r=kjacobs [5e661906698f] 2020-02-12 Kevin Jacobs <kjacobs@mozilla.com> * gtests/ssl_gtest/ssl_resumption_unittest.cc, lib/ssl/sslnonce.c: Bug 1614870 - Free sid->peerID before reallocating in ssl_DecodeResumptionToken. r=mt This patch adds a missing `PORT_Free()` when reallocating `sid->PeerID`, and adds a test for a non-empty PeerID. [1eb4e00b016e] Differential Revision: https://phabricator.services.mozilla.com/D63220 --HG-- extra : moz-landing-system : lando	2020-02-18 20:51:39 +00:00
J.C. Jones	982674831d	Bug 1614053 - land NSS 735ed2e47040 UPGRADE_NSS_RELEASE, r=kjacobs ... 2020-02-10 Robert Relyea <rrelyea@redhat.com> * lib/freebl/cmac.c: Bug 1610687 - Crash on unaligned CMACContext.aes.keySchedule when using AES-NI intrinsics r=kjacobs [046a6f5bfb27] * lib/util/pkcs11t.h: Bug 1611209 - Value of CKM_AES_CMAC and CKM_AES_CMAC_GENERAL are swapped r=rrelyea [df142975f4f6] 2020-02-11 Victor Tapia <victor.tapia@canonical.com> * lib/pk11wrap/pk11util.c, lib/sysinit/nsssysinit.c: Bug 1582169 - Disable reading /proc/sys/crypto/fips_enabled if FIPS is not enabled on build r=jcj,rrelyea [55ba54adfcae] 2020-02-11 J.C. Jones <jjones@mozilla.com> * lib/sysinit/nsssysinit.c: Bug 1614786 - Fixup for ‘getFIPSEnv’ being unused r=kjacobs Fixes a regression from Bug 1582169 ../../lib/sysinit/nsssysinit.c:153:1: error: ‘getFIPSEnv’ defined but not used [-Werror=unused-function] [06925efe306b] 2020-02-11 Dana Keeler <dkeeler@mozilla.com> * cmd/lib/secutil.c, lib/libpkix/pkix_pl_nss/module/pkix_pl_colcertstore.c: bug 1538980 - null-terminate ascii input in SECU_ReadDERFromFile so strstr is safe to call r=jcj,kjacobs [735ed2e47040] [tip] Differential Revision: https://phabricator.services.mozilla.com/D62451 --HG-- extra : moz-landing-system : lando	2020-02-12 16:22:10 +00:00
Kevin Jacobs	d659acd37c	Bug 1606927 - land NSS de6ba04bb1f4 UPGRADE_NSS_RELEASE, r=jcj ... 2020-02-03 Kai Engert <kaie@kuix.de> * automation/release/nspr-version.txt: Bug 1612623 - NSS 3.50 should depend on NSPR 4.25. r=kjacobs [de6ba04bb1f4] [NSS_3_50_BETA1] 2020-01-27 Giulio Benetti <giulio.benetti@benettiengineering.com> * coreconf/config.gypi, coreconf/config.mk, lib/freebl/Makefile, lib/freebl/freebl.gyp, lib/freebl/gcm.h: Bug 1608151 - Introduce NSS_DISABLE_ALTIVEC and disable_altivec r=jcj At the moment NSS assumes that every PowerPC64 architecture supports Altivec but it's not true and this leads to build failure. So add NSS_DISABLE_ALTIVEC environment variable(and disable_altivec for gyp) to disable Altivec extension on PowerPC build that don't support Altivec. [f2d947817850] Differential Revision: https://phabricator.services.mozilla.com/D61574 --HG-- extra : moz-landing-system : lando	2020-02-04 18:09:33 +00:00
J.C. Jones	799f0cd87c	Bug 1606927 - land NSS 4bf79c4d2954 UPGRADE_NSS_RELEASE, r=kjacobs ... 2020-01-27 J.C. Jones <jjones@mozilla.com> * lib/freebl/blinit.c: Bug 1602386 - clang-format r=bustage [4bf79c4d2954] [tip] 2020-01-27 Piotr Kubaj <pkubaj@FreeBSD.org> * lib/freebl/Makefile, lib/freebl/blinit.c: Bug 1602386 - Fix build on FreeBSD/powerpc platforms. r=jcj FreeBSD has elf_aux_info instead of getauxval, but only since FreeBSD 12. Previous versions (11 is still supported) don't have any equivalent and users need to query sysctl manually. [f2ac5e318886] 2020-01-27 Jan Beich <jbeich@FreeBSD.org> * lib/freebl/blinit.c: Bug 1609181 - Detect ARM CPU features on FreeBSD. r=jcj Implement `getauxval` via `elf_aux_info` to avoid code duplication. `AT_HWCAP*` can be used on powerpc* and riscv64 as well. [edb60bae9219] 2020-01-22 Martin Thomson <mt@lowentropy.net> * lib/zlib/README, lib/zlib/README.nss, lib/zlib/adler32.c, lib/zlib/compress.c, lib/zlib/crc32.c, lib/zlib/crc32.h, lib/zlib/deflate.c, lib/zlib/deflate.h, lib/zlib/gzguts.h, lib/zlib/gzlib.c, lib/zlib/gzread.c, lib/zlib/gzwrite.c, lib/zlib/infback.c, lib/zlib/inffast.c, lib/zlib/inffixed.h, lib/zlib/inflate.c, lib/zlib/inflate.h, lib/zlib/inftrees.c, lib/zlib/trees.c, lib/zlib/trees.h, lib/zlib/uncompr.c, lib/zlib/zconf.h, lib/zlib/zlib.h, lib/zlib/zutil.c, lib/zlib/zutil.h: Bug 1547639 - Update zlib to 1.2.11, r=jcj [91f3f0749d0b] * lib/zlib/README.nss, lib/zlib/config.mk, lib/zlib/example.c, lib/zlib/manifest.mn, lib/zlib/minigzip.c, lib/zlib/vendor.sh, lib/zlib/zlib.gyp: Bug 1547639 - Automatic vendoring of zlib, r=jcj [fc128963a9aa] Differential Revision: https://phabricator.services.mozilla.com/D61126 --HG-- extra : moz-landing-system : lando	2020-01-28 06:50:08 +00:00
J.C. Jones	c70fa24ea8	Bug 1606927 - land NSS cd55a3a90502 UPGRADE_NSS_RELEASE, r=kjacobs ... 2020-01-22 Kai Engert <kaie@kuix.de> * lib/softoken/lowpbe.c: Bug 1606992 - Follow-up to also cache most recent PBKDF1 hash (in addition to PBKDF2 hash). r=kjacobs [cd55a3a90502] [tip] 2020-01-22 Kevin Jacobs <kjacobs@mozilla.com> * lib/freebl/aes-x86.c, lib/freebl/rijndael.c, lib/freebl/rijndael.h: Bug 1608493 - Use AES-NI intrinsics for CBC and ECB decrypt when no assembly implementation is available. r=mt AES-NI is currently not used for //CBC// or //ECB decrypt// when an assembly implementation (`intel-aes.s` or `intel- aes-x86/64-masm.asm`) is not available. Concretely, this is the case on MacOS, Linux32, and other non-Linux OSes such as BSD. This patch adds the plumbing to use AES-NI intrinsics when available. Before: ``` mode in symmkey opreps cxreps context op time(sec) thrgput aes_ecb_d 78Mb 256 10T 0 0.000 395.000 0.395 197Mb aes_cbc_e 78Mb 256 10T 0 0.000 392.000 0.393 198Mb aes_cbc_d 78Mb 256 10T 0 0.000 425.000 0.425 183Mb ``` After: ``` mode in symmkey opreps cxreps context op time(sec) thrgput aes_ecb_d 78Mb 256 10T 0 0.000 39.000 0.039 1Gb aes_cbc_e 78Mb 256 10T 0 0.000 94.000 0.094 831Mb aes_cbc_d 78Mb 256 10T 0 0.000 74.000 0.075 1Gb ``` [9804c76e76f3] Differential Revision: https://phabricator.services.mozilla.com/D60763 --HG-- extra : moz-landing-system : lando	2020-01-22 23:13:52 +00:00
J.C. Jones	4cb75803d7	Bug 1606927 - land NSS 124c43a9f768 UPGRADE_NSS_RELEASE, r=kjacobs ... 2020-01-16 Kevin Jacobs <kjacobs@mozilla.com> * gtests/common/testvectors/cbc-vectors.h, gtests/common/testvectors /chachapoly-vectors.h, gtests/common/testvectors/cmac-vectors.h, gtests/common/testvectors/curve25519-vectors.h, gtests/common/testvectors/gcm-vectors.h, gtests/common/testvectors /p256ecdh-vectors.h, gtests/common/testvectors_base/chachapoly- vectors_base.h, gtests/common/testvectors_base/curve25519-vectors_base.h, gtests/common/testvectors_base/gcm-vectors_base.h, gtests/common/testvectors_base/test-structs.h, gtests/common/wycheproof/genTestVectors.py, gtests/common/wycheproof/source_vectors/aes_cbc_pkcs5_test.json, gtests/common/wycheproof/source_vectors/aes_cmac_test.json, gtests/common/wycheproof/source_vectors/aes_gcm_test.json, gtests/common/wycheproof/source_vectors/chacha20_poly1305_test.json, gtests/common/wycheproof/source_vectors/ecdh_secp256r1_test.json, gtests/common/wycheproof/source_vectors/x25519_test.json, gtests/freebl_gtest/ghash_unittest.cc, gtests/pk11_gtest/manifest.mn, gtests/pk11_gtest/pk11_aes_cmac_unittest.cc, gtests/pk11_gtest/pk11_aes_gcm_unittest.cc, gtests/pk11_gtest/pk11_cbc_unittest.cc, gtests/pk11_gtest/pk11_chacha20poly1305_unittest.cc, gtests/pk11_gtest/pk11_curve25519_unittest.cc, gtests/pk11_gtest/pk11_ecdh_unittest.cc, gtests/pk11_gtest/pk11_gtest.gyp, mach: Bug 1604596 - Update Wycheproof vectors and add support for CBC, P256-ECDH, and CMAC tests r=franziskus This patch updates to the latest Wycheproof vectors and adds Wycheproof support for CBC, CMAC, and P256-ECDH: ChaCha20: +141 tests Curve25519: +431 tests GCM: +39 tests CBC (new): +183 tests CMAC (new): +308 tests P256 ECDH (new): +460 tests [124c43a9f768] [tip] 2020-01-17 Kai Engert <kaie@kuix.de> * lib/softoken/lowpbe.c: Bug 1606992 - Permit sftk_PBELockInit being called multiple times. r=kjacobs [9d1ced9ae01e] * lib/softoken/lowpbe.c: Bug 1606992 - follow up to fix clang-format, whitespace only. rs=me DONTBUILD [7c9dcf601c83] 2020-01-15 Kai Engert <kaie@kuix.de> * lib/softoken/lowpbe.c: Bug 1606992 - Follow-up to cleanup PBE cache code. r=kjacobs [1d782fb6eede] 2020-01-03 Kevin Jacobs <kjacobs@mozilla.com> * lib/freebl/mpi/mp_comba_amd64_masm.asm, lib/freebl/mpi/mpi-priv.h: Bug 1605314 - Compare all 8 bytes of an mp_digit when clamping in Windows assembly/mp_comba. r=mt Compare all 8 bytes of an `mp_digit` when clamping in Windows x64 assembly (mp_sqr/mp_mul). Also adds an assertion to ensure that the size of `mp_digit` matches implementation assumptions. [09673f933c6d] Differential Revision: https://phabricator.services.mozilla.com/D60538 --HG-- extra : moz-landing-system : lando	2020-01-21 18:46:42 +00:00
J.C. Jones	5e7e635bc0	Bug 1606927 - land NSS 5f9f410d0b60 UPGRADE_NSS_RELEASE, r=kjacobs ... 2020-01-15 Kevin Jacobs <kjacobs@mozilla.com> * lib/freebl/chacha20poly1305.c: Bug 1574643 - Check for AVX support before using vectorized ChaCha20 decrypt r=jcj The addition of an AVX support check in `ChaCha20Poly1305_Seal` seems to have stopped the Encrypt crashes on old Intel CPUs, however we're seeing new reports from `Hacl_Chacha20Poly1305_128_aead_decrypt` (which is called from `ChaCha20Poly1305_Open`). This needs an AVX check as well... [5f9f410d0b60] [tip] 2020-01-14 Kevin Jacobs <kjacobs@mozilla.com> * gtests/pk11_gtest/manifest.mn, gtests/pk11_gtest/pk11_gtest.gyp, gtests/pk11_gtest/pk11_rsaencrypt_unittest.cc: Bug 1573911 - Add RSA Encryption test r=jcj Add a test for various sizes of RSA encryption input. [4abc6ff828ab] 2020-01-13 Kevin Jacobs <kjacobs@mozilla.com> * gtests/common/testvectors/hkdf-vectors.h, gtests/pk11_gtest/manifest.mn, gtests/pk11_gtest/pk11_gtest.gyp, gtests/pk11_gtest/pk11_hkdf_unittest.cc: Bug 1585429 - Add HKDF test vectors r=jcj Adds test vectors for SHA1/256/384/512 HKDF. This includes the RFC test vectors, as well as upper-bound length checks for the output key material. [239797efc34b] 2020-01-14 J.C. Jones <jjones@mozilla.com> * coreconf/config.gypi: Bug 1608327 - Fixup for dc57fe5d65d4, add a default for softfp_cflags r=bustage [05b923624b73] 2020-01-14 Sylvestre Ledru <sledru@mozilla.com> * automation/buildbot-slave/bbenv-example.sh, automation/buildbot- slave/build.sh, automation/buildbot-slave/reboot.bat, automation /buildbot-slave/startbuild.bat: Bug 1607099 - Remove the buildbot configuration r=jcj [7a87cef808f3] 2020-01-14 Greg V <greg@unrelenting.technology> * lib/freebl/blinit.c: Bug 1575843 - Detect AArch64 CPU features on FreeBSD r=jcj Environment checks are reogranized to be separate from platform code to make it impossible to forget to check disable_FEATURE on one platform but not the other. [fbde548e8114] 2020-01-14 Mike Hommey <mh@glandium.org> * lib/freebl/Makefile, lib/freebl/aes-armv8.c, lib/freebl/freebl.gyp, lib/freebl/gcm-arm32-neon.c, lib/freebl/gcm.c, lib/freebl/rijndael.c: Bug 1608327 - Fix freebl arm NEON code use on tier3 platforms. r=jcj Despite the code having runtime detection of NEON and crypto extensions, the optimized code using those instructions is disabled at build time on platforms where the compiler doesn't enable NEON by default of with the flags it's given for the caller code. In the case of gcm, this goes as far as causing a build error. What is needed is for the optimized code to be enabled in every case, letting the caller code choose whether to use that code based on the existing runtime checks. But this can't be simply done either, because those optimized parts of the code need to be built with NEON enabled, unconditionally, but that is not compatible with platforms using the softfloat ABI. For those, we need to use the softfp ABI, which is compatible. However, the softfp ABI is not compatible with the hardfp ABI, so we also can't unconditionally use the softfp ABI, so we do so only when the compiler targets the softfloat ABI, which confusingly enough is advertized via the `__SOFTFP__` define. [dc57fe5d65d4] 2020-01-14 Franziskus Kiefer <franziskuskiefer@gmail.com> * automation/saw/chacha20.saw, automation/taskcluster/docker- builds/Dockerfile, automation/taskcluster/docker- hacl/B6C8F98282B944E3B0D5C2530FC3042E345AD05D.asc, automation/taskcluster/docker-hacl/Dockerfile, automation/taskcluster/docker-hacl/bin/checkout.sh, automation/taskcluster/docker-hacl/license.txt, automation/taskcluster/docker-hacl/setup-user.sh, automation/taskcluster/docker-hacl/setup.sh, automation/taskcluster/graph/src/extend.js, automation/taskcluster/scripts/run_hacl.sh, gtests/pk11_gtest/pk11_chacha20poly1305_unittest.cc, lib/freebl/Makefile, lib/freebl/blapii.h, lib/freebl/blinit.c, lib/freebl/chacha20poly1305.c, lib/freebl/det_rng.c, lib/freebl/ecl/curve25519_64.c, lib/freebl/freebl.gyp, lib/freebl/freebl_base.gypi, nss-tool/hw-support.c: Bug 1574643 - NSS changes for haclv2 r=jcj,kjacobs This patch contains the changes in NSS, necessary to pick up HACL*v2 in D55413. It has a couple of TODOs: * The chacha20 saw verification fails for some reason; it's disabled pending Bug 1604130. * The hacl task on CI requires Bug 1593647 to get fixed. Depends on D55413. [a8df94132dd3] 2019-12-21 Franziskus Kiefer <franziskuskiefer@gmail.com> * lib/freebl/verified/FStar.c, lib/freebl/verified/FStar.h, lib/freebl/verified/Hacl_Chacha20.c, lib/freebl/verified/Hacl_Chacha20.h, lib/freebl/verified/Hacl_Chacha20Poly1305_128.c, lib/freebl/verified/Hacl_Chacha20Poly1305_128.h, lib/freebl/verified/Hacl_Chacha20Poly1305_32.c, lib/freebl/verified/Hacl_Chacha20Poly1305_32.h, lib/freebl/verified/Hacl_Chacha20_Vec128.c, lib/freebl/verified/Hacl_Chacha20_Vec128.h, lib/freebl/verified/Hacl_Curve25519.c, lib/freebl/verified/Hacl_Curve25519.h, lib/freebl/verified/Hacl_Curve25519_51.c, lib/freebl/verified/Hacl_Curve25519_51.h, lib/freebl/verified/Hacl_Kremlib.h, lib/freebl/verified/Hacl_Poly1305_128.c, lib/freebl/verified/Hacl_Poly1305_128.h, lib/freebl/verified/Hacl_Poly1305_32.c, lib/freebl/verified/Hacl_Poly1305_32.h, lib/freebl/verified/Hacl_Poly1305_64.c, lib/freebl/verified/Hacl_Poly1305_64.h, lib/freebl/verified/kremlib.h, lib/freebl/verified/kremlib_base.h, lib/freebl/verified/kremlin/include/kremlin/internal/callconv.h, lib/freebl/verified/kremlin/include/kremlin/internal/compat.h, lib/freebl/verified/kremlin/include/kremlin/internal/target.h, lib/freebl/verified/kremlin/include/kremlin/internal/types.h, lib/freebl/verified/kremlin/include/kremlin/lowstar_endianness.h, lib/freebl/verified/kremlin/kremlib/dist/minimal/FStar_UInt128.h, li b/freebl/verified/kremlin/kremlib/dist/minimal/FStar_UInt128_Verifie d.h, lib/freebl/verified/kremlin/kremlib/dist/minimal/FStar_UInt_8_1 6_32_64.h, lib/freebl/verified/kremlin/kremlib/dist/minimal/LowStar_ Endianness.h, lib/freebl/verified/kremlin/kremlib/dist/minimal/fstar _uint128_gcc64.h, lib/freebl/verified/kremlin/kremlib/dist/minimal/f star_uint128_msvc.h, lib/freebl/verified/libintvector.h, lib/freebl/verified/specs/Spec.CTR.fst, lib/freebl/verified/specs/Spec.Chacha20.fst, lib/freebl/verified/specs/Spec.Curve25519.fst, lib/freebl/verified/specs/Spec.Poly1305.fst, lib/freebl/verified/vec128.h: Bug 1574643 - haclv2 code r=kjacobs This updates the in-tree version of our existing HACL* code to v2, replacing what we have already. Once this landed NSS can pick up more (faster) code from HACL*. [5bf2547d671f] 2020-01-13 Kevin Jacobs <kjacobs@mozilla.com> * automation/taskcluster/windows/build_gyp.sh: Bug 1608895 - Install setuptools<45.0.0 until workers are upgraded to python3 r=jcj [[ https://setuptools.readthedocs.io/en/latest/history.html#v45-0-0 | Setuptools 45.0.0 ]] drops support for Python2, which our Windows workers are running. This patch installs the prior version during build, in order to unblock CI until the workers can be upgraded. [64c5410f98e0] Differential Revision: https://phabricator.services.mozilla.com/D60086 --HG-- extra : moz-landing-system : lando	2020-01-16 00:13:09 +00:00
Cosmin Sabou	877a36559e	Backed out changeset 3006febc4c38 (bug 1606927) for causing startup crashes in latest nightly version. UPGRADE_NSS_RELEASE a=backout ... --HG-- extra : amend_source : 11f3873c8a2163cdc5ae51f5f54175e07666b8a6	2020-01-15 18:52:15 +02:00
J.C. Jones	3dd40eb5a5	Bug 1606927 - land NSS 239797efc34b UPGRADE_NSS_RELEASE, r=kjacobs ... 2020-01-13 Kevin Jacobs <kjacobs@mozilla.com> * gtests/common/testvectors/hkdf-vectors.h, gtests/pk11_gtest/manifest.mn, gtests/pk11_gtest/pk11_gtest.gyp, gtests/pk11_gtest/pk11_hkdf_unittest.cc: Bug 1585429 - Add HKDF test vectors r=jcj Adds test vectors for SHA1/256/384/512 HKDF. This includes the RFC test vectors, as well as upper-bound length checks for the output key material. [239797efc34b] [tip] 2020-01-14 J.C. Jones <jjones@mozilla.com> * coreconf/config.gypi: Bug 1608327 - Fixup for dc57fe5d65d4, add a default for softfp_cflags r=bustage [05b923624b73] 2020-01-14 Sylvestre Ledru <sledru@mozilla.com> * automation/buildbot-slave/bbenv-example.sh, automation/buildbot- slave/build.sh, automation/buildbot-slave/reboot.bat, automation /buildbot-slave/startbuild.bat: Bug 1607099 - Remove the buildbot configuration r=jcj [7a87cef808f3] 2020-01-14 Greg V <greg@unrelenting.technology> * lib/freebl/blinit.c: Bug 1575843 - Detect AArch64 CPU features on FreeBSD r=jcj Environment checks are reogranized to be separate from platform code to make it impossible to forget to check disable_FEATURE on one platform but not the other. [fbde548e8114] 2020-01-14 Mike Hommey <mh@glandium.org> * lib/freebl/Makefile, lib/freebl/aes-armv8.c, lib/freebl/freebl.gyp, lib/freebl/gcm-arm32-neon.c, lib/freebl/gcm.c, lib/freebl/rijndael.c: Bug 1608327 - Fix freebl arm NEON code use on tier3 platforms. r=jcj Despite the code having runtime detection of NEON and crypto extensions, the optimized code using those instructions is disabled at build time on platforms where the compiler doesn't enable NEON by default of with the flags it's given for the caller code. In the case of gcm, this goes as far as causing a build error. What is needed is for the optimized code to be enabled in every case, letting the caller code choose whether to use that code based on the existing runtime checks. But this can't be simply done either, because those optimized parts of the code need to be built with NEON enabled, unconditionally, but that is not compatible with platforms using the softfloat ABI. For those, we need to use the softfp ABI, which is compatible. However, the softfp ABI is not compatible with the hardfp ABI, so we also can't unconditionally use the softfp ABI, so we do so only when the compiler targets the softfloat ABI, which confusingly enough is advertized via the `__SOFTFP__` define. [dc57fe5d65d4] 2020-01-14 Franziskus Kiefer <franziskuskiefer@gmail.com> * automation/saw/chacha20.saw, automation/taskcluster/docker- builds/Dockerfile, automation/taskcluster/docker- hacl/B6C8F98282B944E3B0D5C2530FC3042E345AD05D.asc, automation/taskcluster/docker-hacl/Dockerfile, automation/taskcluster/docker-hacl/bin/checkout.sh, automation/taskcluster/docker-hacl/license.txt, automation/taskcluster/docker-hacl/setup-user.sh, automation/taskcluster/docker-hacl/setup.sh, automation/taskcluster/graph/src/extend.js, automation/taskcluster/scripts/run_hacl.sh, gtests/pk11_gtest/pk11_chacha20poly1305_unittest.cc, lib/freebl/Makefile, lib/freebl/blapii.h, lib/freebl/blinit.c, lib/freebl/chacha20poly1305.c, lib/freebl/det_rng.c, lib/freebl/ecl/curve25519_64.c, lib/freebl/freebl.gyp, lib/freebl/freebl_base.gypi, nss-tool/hw-support.c: Bug 1574643 - NSS changes for haclv2 r=jcj,kjacobs This patch contains the changes in NSS, necessary to pick up HACL*v2 in D55413. It has a couple of TODOs: * The chacha20 saw verification fails for some reason; it's disabled pending Bug 1604130. * The hacl task on CI requires Bug 1593647 to get fixed. Depends on D55413. [a8df94132dd3] 2019-12-21 Franziskus Kiefer <franziskuskiefer@gmail.com> * lib/freebl/verified/FStar.c, lib/freebl/verified/FStar.h, lib/freebl/verified/Hacl_Chacha20.c, lib/freebl/verified/Hacl_Chacha20.h, lib/freebl/verified/Hacl_Chacha20Poly1305_128.c, lib/freebl/verified/Hacl_Chacha20Poly1305_128.h, lib/freebl/verified/Hacl_Chacha20Poly1305_32.c, lib/freebl/verified/Hacl_Chacha20Poly1305_32.h, lib/freebl/verified/Hacl_Chacha20_Vec128.c, lib/freebl/verified/Hacl_Chacha20_Vec128.h, lib/freebl/verified/Hacl_Curve25519.c, lib/freebl/verified/Hacl_Curve25519.h, lib/freebl/verified/Hacl_Curve25519_51.c, lib/freebl/verified/Hacl_Curve25519_51.h, lib/freebl/verified/Hacl_Kremlib.h, lib/freebl/verified/Hacl_Poly1305_128.c, lib/freebl/verified/Hacl_Poly1305_128.h, lib/freebl/verified/Hacl_Poly1305_32.c, lib/freebl/verified/Hacl_Poly1305_32.h, lib/freebl/verified/Hacl_Poly1305_64.c, lib/freebl/verified/Hacl_Poly1305_64.h, lib/freebl/verified/kremlib.h, lib/freebl/verified/kremlib_base.h, lib/freebl/verified/kremlin/include/kremlin/internal/callconv.h, lib/freebl/verified/kremlin/include/kremlin/internal/compat.h, lib/freebl/verified/kremlin/include/kremlin/internal/target.h, lib/freebl/verified/kremlin/include/kremlin/internal/types.h, lib/freebl/verified/kremlin/include/kremlin/lowstar_endianness.h, lib/freebl/verified/kremlin/kremlib/dist/minimal/FStar_UInt128.h, li b/freebl/verified/kremlin/kremlib/dist/minimal/FStar_UInt128_Verifie d.h, lib/freebl/verified/kremlin/kremlib/dist/minimal/FStar_UInt_8_1 6_32_64.h, lib/freebl/verified/kremlin/kremlib/dist/minimal/LowStar_ Endianness.h, lib/freebl/verified/kremlin/kremlib/dist/minimal/fstar _uint128_gcc64.h, lib/freebl/verified/kremlin/kremlib/dist/minimal/f star_uint128_msvc.h, lib/freebl/verified/libintvector.h, lib/freebl/verified/specs/Spec.CTR.fst, lib/freebl/verified/specs/Spec.Chacha20.fst, lib/freebl/verified/specs/Spec.Curve25519.fst, lib/freebl/verified/specs/Spec.Poly1305.fst, lib/freebl/verified/vec128.h: Bug 1574643 - haclv2 code r=kjacobs This updates the in-tree version of our existing HACL* code to v2, replacing what we have already. Once this landed NSS can pick up more (faster) code from HACL*. [5bf2547d671f] 2020-01-13 Kevin Jacobs <kjacobs@mozilla.com> * automation/taskcluster/windows/build_gyp.sh: Bug 1608895 - Install setuptools<45.0.0 until workers are upgraded to python3 r=jcj [[ https://setuptools.readthedocs.io/en/latest/history.html#v45-0-0 | Setuptools 45.0.0 ]] drops support for Python2, which our Windows workers are running. This patch installs the prior version during build, in order to unblock CI until the workers can be upgraded. [64c5410f98e0] Differential Revision: https://phabricator.services.mozilla.com/D59928 --HG-- extra : moz-landing-system : lando	2020-01-14 21:21:55 +00:00
J.C. Jones	956d95c76c	Bug 1602020 - land NSS NSS_3_49_BETA1 UPGRADE_NSS_RELEASE, r=kjacobs ... 2020-01-02 Giulio Benetti <giulio.benetti@benettiengineering.com> * lib/ssl/sslsnce.c: Bug 1606025 - Remove -Wmaybe-uninitialized warning in sslsnce.c r=jcj (Amended by jcj to also set privKeyCopy to NULL) [9ecd41cd2fa3] [NSS_3_49_BETA1] * lib/freebl/gcm.h: Bug 1606119 - Fix PPC HW Crypto build failure r=jcj All Altivec *_be() functions are supported from gcc version 8.x not 5.x so modify gcc version check that at the moment cause build failure due to missing Altivec *_be() functions. [7ab634a7d772] 2020-01-01 Alex Henrie <alexhenrie24@gmail.com> * cmd/modutil/install-ds.c: Bug 1605545 - Fix memory leak in Pk11Install_Platform_Generate. r=mt [748b308170a4] Differential Revision: https://phabricator.services.mozilla.com/D58541 --HG-- extra : moz-landing-system : lando	2020-01-02 17:54:36 +00:00
J.C. Jones	75b1a5ab89	Bug 1602020 - land NSS b6eb18f04260 UPGRADE_NSS_RELEASE, r=kjacobs ... 2019-12-20 J.C. Jones <jjones@mozilla.com> * lib/freebl/verified/FStar.c, lib/freebl/verified/FStar.h, lib/freebl/verified/Hacl_Chacha20.c, lib/freebl/verified/Hacl_Chacha20.h, lib/freebl/verified/Hacl_Chacha20Poly1305_128.c, lib/freebl/verified/Hacl_Chacha20Poly1305_128.h, lib/freebl/verified/Hacl_Chacha20Poly1305_32.c, lib/freebl/verified/Hacl_Chacha20Poly1305_32.h, lib/freebl/verified/Hacl_Chacha20_Vec128.c, lib/freebl/verified/Hacl_Chacha20_Vec128.h, lib/freebl/verified/Hacl_Curve25519.c, lib/freebl/verified/Hacl_Curve25519.h, lib/freebl/verified/Hacl_Curve25519_51.c, lib/freebl/verified/Hacl_Curve25519_51.h, lib/freebl/verified/Hacl_Kremlib.h, lib/freebl/verified/Hacl_Poly1305_128.c, lib/freebl/verified/Hacl_Poly1305_128.h, lib/freebl/verified/Hacl_Poly1305_32.c, lib/freebl/verified/Hacl_Poly1305_32.h, lib/freebl/verified/Hacl_Poly1305_64.c, lib/freebl/verified/Hacl_Poly1305_64.h, lib/freebl/verified/kremlib.h, lib/freebl/verified/kremlib_base.h, lib/freebl/verified/kremlin/include/kremlin/internal/callconv.h, lib/freebl/verified/kremlin/include/kremlin/internal/compat.h, lib/freebl/verified/kremlin/include/kremlin/internal/target.h, lib/freebl/verified/kremlin/include/kremlin/internal/types.h, lib/freebl/verified/kremlin/include/kremlin/lowstar_endianness.h, lib/freebl/verified/kremlin/kremlib/dist/minimal/FStar_UInt128.h, li b/freebl/verified/kremlin/kremlib/dist/minimal/FStar_UInt128_Verifie d.h, lib/freebl/verified/kremlin/kremlib/dist/minimal/FStar_UInt_8_1 6_32_64.h, lib/freebl/verified/kremlin/kremlib/dist/minimal/LowStar_ Endianness.h, lib/freebl/verified/kremlin/kremlib/dist/minimal/fstar _uint128_gcc64.h, lib/freebl/verified/kremlin/kremlib/dist/minimal/f star_uint128_msvc.h, lib/freebl/verified/libintvector.h, lib/freebl/verified/specs/Spec.CTR.fst, lib/freebl/verified/specs/Spec.Chacha20.fst, lib/freebl/verified/specs/Spec.Curve25519.fst, lib/freebl/verified/specs/Spec.Poly1305.fst, lib/freebl/verified/vec128.h: Backed out changeset c351b2f60b40 (Bug 1574643) for crashes on early SSE4 CPUs [b6eb18f04260] [tip] * automation/saw/chacha20.saw, automation/taskcluster/docker- builds/Dockerfile, automation/taskcluster/docker- hacl/B6C8F98282B944E3B0D5C2530FC3042E345AD05D.asc, automation/taskcluster/docker-hacl/Dockerfile, automation/taskcluster/docker-hacl/bin/checkout.sh, automation/taskcluster/docker-hacl/license.txt, automation/taskcluster/docker-hacl/setup-user.sh, automation/taskcluster/docker-hacl/setup.sh, automation/taskcluster/graph/src/extend.js, automation/taskcluster/scripts/run_hacl.sh, gtests/pk11_gtest/pk11_chacha20poly1305_unittest.cc, lib/freebl/Makefile, lib/freebl/blapii.h, lib/freebl/blinit.c, lib/freebl/chacha20poly1305.c, lib/freebl/det_rng.c, lib/freebl/ecl/curve25519_64.c, lib/freebl/freebl.gyp, lib/freebl/freebl_base.gypi, nss-tool/hw-support.c: Backed out changeset ac51d2490f9c (Bug 1574643) for crashes on early SSE4 CPUs [f6d8c73584e0] 2019-12-19 Giulio Benetti <giulio.benetti@benettiengineering.com> * coreconf/Linux.mk, coreconf/config.gypi: Bug 1602288 - Fix build failure due to missing posix signal.h r=kjacobs [82bae6299c8e] 2019-12-12 Makoto Kato <m_kato@ga2.so-net.ne.jp> * lib/freebl/blinit.c, lib/freebl/ctr.c, lib/freebl/freebl.gyp, lib/freebl/rijndael.c: Bug 1588714 - Implement CheckARMSupport for Win64/aarch64. r=kjacobs aarch64 doesn't have `cpuid` like instruction set. Actually, we use getauxval system call on Linux/aarch64 to check CPU features. Windows has `IsProcessorFeaturePresent` API to get CPU features, so we should use it to check whether current CPU supports ARM Crypto extension. [3ba8a584ddea] Differential Revision: https://phabricator.services.mozilla.com/D58060 --HG-- extra : moz-landing-system : lando	2019-12-20 23:39:43 +00:00