Mirror of https://github.com/mozilla/gecko-dev.git
226 commits
Author | SHA1 | Message | Date |
---|---|---|---|
Dennis Jackson | 7246d5248d |
Bug 1779398 - land NSS cafb891ea6ce UPGRADE_NSS_RELEASE, r=nss-reviewers,bbeurdouche
Differential Revision: https://phabricator.services.mozilla.com/D151714 |
|
John Schanck | 208e054844 |
Bug 1773966 - land NSS NSS_3_80_RTM UPGRADE_NSS_RELEASE, r=bbeurdouche,nss-reviewers
Differential Revision: https://phabricator.services.mozilla.com/D150161 |
|
Dennis Jackson | 549b3f9615 |
Bug 1773966 - land NSS tip UPGRADE_NSS_RELEASE, r=nss-reviewers,nkulatova
Differential Revision: https://phabricator.services.mozilla.com/D149276 |
|
Anna Weine | f5864cbd70 |
Bug 1767934 - land NSS 2efccbd85918 UPGRADE_NSS_RELEASE, r=nss-reviewers,djackson
2022-05-19 John M. Schanck <jschanck@mozilla.com>
* lib/ckfw/wrap.c: Bug 1766978 - improve error handling after nssCKFWInstance_CreateObjectHandle. r=djackson [2efccbd85918] [tip]
2022-03-18 Robert Relyea <rrelyea@redhat.com>
* cmd/pk12util/pk12util.c, lib/pkcs12/p12local.c, tests/common/init.sh, tests/tools/tools.sh: Bug 1757075 NSS does not properly import or export pkcs12 files with large passwords and pkcs5v2 encoding.
  Don't use NULL when encoding UTF8 with pkcs5v2. Fix a bug here: when converting from UCS2 to UTF8 we would add a double NULL when adding a NULL. [0f4664512bd0]
2022-05-17 Dennis Jackson <djackson@mozilla.com>
* nspr.patch: Remove nspr.patch mistakenly committed in e3ac914bc684 [99e32fcca1c7]
2022-05-17 Leander Schwarz <lschwarz@mozilla.com>
* gtests/ssl_gtest/ssl_record_unittest.cc, gtests/ssl_gtest/ssl_v2_client_hello_unittest.cc, lib/ssl/ssl3con.c, lib/ssl/ssl3gthr.c, lib/ssl/tls13con.c: Bug 1764788 - Correct invalid record inner and outer content type alerts. r=djackson
  Added test cases for alerts during and pre handshake as well as TLS 1.3 only after handshake (application data) cases due to unsupported de- and encryption of lower TLS version records in gtest. Adjusted some test cases that expect failed connections to the updated alerts. [7f4b0af3a526]
* gtests/ssl_gtest/ssl_version_unittest.cc, lib/ssl/ssl3con.c: Bug 1765753 - TLS 1.3 Server: Send protocol_version alert on unsupported ClientHello.legacy_version. r=djackson [bc7bfba47e0a]
* gtests/ssl_gtest/ssl_extension_unittest.cc, lib/ssl/ssl3exthandle.c: Bug 1765753 - Added RFC8422 compliant TLS <= 1.2 undefined/compressed ECPointFormat extension alerts. r=djackson [d06a8831ec84]
2022-05-16 John M. Schanck <jschanck@mozilla.com>
* gtests/util_gtest/manifest.mn, gtests/util_gtest/util_gtest.gyp, gtests/util_gtest/util_secasn1d_unittest.cc, lib/util/secasn1d.c: Bug 1387919 - Fix secasn1d parsing of indefinite SEQUENCE inside indefinite GROUP. r=keeler,nss-reviewers,djackson
  In an iteration over elements of an indefinite-length encoded GROUP (sec_asn1d_next_in_group), the child of the current state is responsible for parsing the GROUP's end-of-contents octets---a call to sec_asn1d_parse_end_of_contents(state->child) sets the endofcontents flag for state->child and a later call to sec_asn1d_next_in_group checks state->child->endofcontents and terminates the iteration. In an iteration over elements of an indefinite-length encoded SEQUENCE (sec_asn1d_next_in_sequence), on the other hand, the current state, not its child, handles the end-of-contents octets.
  Prior to this commit, an error would occur when state pointed to an indefinite-length encoded GROUP and state->child pointed to an indefinite-length encoded SEQUENCE. In this case, state->child would be passed to sec_asn1d_parse_end_of_contents to parse the SEQUENCE's end-of-contents octets. This would set the endofcontents flag for state->child, and this would be misinterpreted as an end-of-iteration signal for the surrounding GROUP. [1811eec24997]
* automation/abi-check/expected-report-libnss3.so.txt, lib/nss/nss.def, lib/pk11wrap/pk11list.c, lib/pk11wrap/pk11util.c, lib/pk11wrap/secmod.h, lib/util/nssrwlk.h: Bug 1753315 - Add SECMOD_LockedModuleHasRemovableSlots. r=rrelyea [499ae15c18ad]
2022-05-13 Kai Engert <kaie@kuix.de>
* automation/abi-check/expected-report-libnspr4.so.txt, cmd/selfserv/selfserv.c, cmd/tstclnt/tstclnt.c, nspr.patch: Bug 1769295 - selfserv and tstclnt should use PR_GetPrefLoopbackAddrInfo. r=rrelyea [e3ac914bc684]
2022-05-11 John M. Schanck <jschanck@mozilla.com>
* lib/softoken/legacydb/lginit.c: Bug 1454072 - Use of uninitialized pointer in lg_init after alloc fail. r=nss-reviewers,nkulatova [927d47dcc509]
2022-05-06 John M. Schanck <jschanck@mozilla.com>
* automation/clang-format/Dockerfile: Bug 1766907 - Update mercurial in clang-format docker image. r=mt [83a89ed9f527]
Differential Revision: https://phabricator.services.mozilla.com/D146888 |
|
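The Bug 1387919 entry above describes an inner indefinite-length SEQUENCE whose end-of-contents octets were taken as the end of the enclosing GROUP. The following added example is not NSS code: it is a simplified BER parser (its names, `parse_tlv`, `parse_group_buggy`, `element_count`, are my own, not secasn1d's API) that shows the correct per-level EOC handling next to a model of the pre-fix iteration, run on a constructed sample encoding.

```python
"""Minimal BER parser modelling the indefinite-length end-of-contents (EOC)
bookkeeping behind Bug 1387919. Added example; not NSS code, and the parser is a
simplified stand-in for secasn1d rather than its API."""
from __future__ import annotations

from typing import Callable

SEQUENCE = 0x30      # constructed SEQUENCE / SEQUENCE OF (a "GROUP" in secasn1d terms)
INTEGER = 0x02
INDEFINITE = 0x80    # length octet meaning "terminated by EOC (00 00)"
EOC = b"\x00\x00"
CONSTRUCTED_BIT = 0x20


def read_header(data: bytes, pos: int) -> tuple[int, int | None, int]:
    """Return (tag, length, position after header); length is None for the
    indefinite form. Only single-octet tags are handled, which is all the sample needs."""
    tag = data[pos]
    first = data[pos + 1]
    pos += 2
    if first == INDEFINITE:
        return tag, None, pos
    if first < 0x80:
        return tag, first, pos
    n = first & 0x7F                       # long form: n length octets follow
    return tag, int.from_bytes(data[pos:pos + n], "big"), pos + n


def parse_tlv(data: bytes, pos: int = 0) -> tuple[tuple, int]:
    """Parse one TLV at pos. Returns ((tag, value), position after the element).

    Correct behaviour: every indefinite-length level consumes its *own* EOC.
    The EOC of an inner SEQUENCE is therefore invisible to the enclosing group,
    which is the invariant the NSS fix restores."""
    tag, length, pos = read_header(data, pos)
    if not tag & CONSTRUCTED_BIT:
        if length is None:
            raise ValueError("primitive element may not use indefinite length")
        return (tag, data[pos:pos + length]), pos + length
    children: list[tuple] = []
    if length is None:
        while True:
            if pos >= len(data):
                raise ValueError("missing end-of-contents octets")
            if data[pos:pos + 2] == EOC:
                return (tag, children), pos + 2   # this level's EOC, consumed here
            child, pos = parse_tlv(data, pos)
            children.append(child)
    end = pos + length
    while pos < end:
        child, pos = parse_tlv(data, pos)
        children.append(child)
    return (tag, children), end


def parse_group_buggy(data: bytes, pos: int = 0) -> tuple[tuple, int]:
    """Model of the pre-fix iteration: an indefinite-length child that ended on an
    EOC is treated as if the *group's* EOC had been seen, so the loop stops early."""
    tag, length, pos = read_header(data, pos)
    if length is not None or not tag & CONSTRUCTED_BIT:
        raise ValueError("model covers indefinite-length constructed groups only")
    children: list[tuple] = []
    while True:
        if data[pos:pos + 2] == EOC:
            return (tag, children), pos + 2
        _, child_len, _ = read_header(data, pos)
        child, pos = parse_tlv(data, pos)
        children.append(child)
        if child_len is None:              # child's EOC flag leaks to the group
            return (tag, children), pos


# Constructed sample (not from the page):
#   indefinite SEQUENCE OF { indefinite SEQUENCE { INTEGER 1 },
#                            indefinite SEQUENCE { INTEGER 2 } }
def indefinite(tag: int, *contents: bytes) -> bytes:
    return bytes([tag, INDEFINITE]) + b"".join(contents) + EOC


def integer(value: int) -> bytes:
    return bytes([INTEGER, 1, value])


SAMPLE = indefinite(SEQUENCE,
                    indefinite(SEQUENCE, integer(1)),
                    indefinite(SEQUENCE, integer(2)))


def element_count(parser: Callable[[bytes, int], tuple[tuple, int]], data: bytes) -> int:
    """Number of top-level group elements; fails if the parser left bytes unconsumed."""
    (_, children), end = parser(data, 0)
    if end != len(data):
        raise ValueError(f"{len(data) - end} trailing byte(s) unparsed "
                         f"after {len(children)} element(s)")
    return len(children)


if __name__ == "__main__":
    print("fixed parser :", element_count(parse_tlv, SAMPLE), "elements")
    try:
        element_count(parse_group_buggy, SAMPLE)
    except ValueError as err:
        print("buggy parser :", err)
```

With the fixed parser both inner SEQUENCEs are returned as group elements; the buggy model stops after the first one and leaves the second element plus the group's own EOC unparsed, which is the error the commit describes.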
Dennis Jackson | 93b3689c90 |
Bug 1764153 - land NSS NSS_3_78_BETA1 UPGRADE_NSS_RELEASE, r=nss-reviewers,bbeurdouche
Differential Revision: https://phabricator.services.mozilla.com/D144282 |
|
John Schanck | caf282f02b |
Bug 1758579 - land NSS NSS_3_77_BETA1 UPGRADE_NSS_RELEASE, r=keeler
2022-03-24 John M. Schanck <jschanck@mozilla.com>
* lib/ckfw/builtins/certdata.txt: Bug 1754890 - Add two D-TRUST 2020 root certificates. r=KathleenWilson [f63fb86db692] [NSS_3_77_BETA1]
* lib/ckfw/builtins/certdata.txt: Bug 1751298 - Add Telia Root CA v2 root certificate. r=KathleenWilson [1fcbbd7e4f5f]
* lib/ckfw/builtins/certdata.txt: Bug 1751305 - Remove expired explicitly distrusted certificates from certdata.txt. r=KathleenWilson [b722e523d662]
2022-03-23 Dana Keeler <dkeeler@mozilla.com>
* gtests/mozpkix_gtest/pkixcheck_CheckSignatureAlgorithm_tests.cpp, gtests/mozpkix_gtest/pkixder_pki_types_tests.cpp, gtests/mozpkix_gtest/pkixgtest.h, gtests/mozpkix_gtest/pkixnss_tests.cpp, lib/mozpkix/include/pkix/pkixder.h, lib/mozpkix/include/pkix/pkixnss.h, lib/mozpkix/include/pkix/pkixtypes.h, lib/mozpkix/lib/pkixc.cpp, lib/mozpkix/lib/pkixcheck.cpp, lib/mozpkix/lib/pkixder.cpp, lib/mozpkix/lib/pkixnss.cpp, lib/mozpkix/lib/pkixverify.cpp, lib/mozpkix/test-lib/pkixtestnss.cpp: Bug 1005084 - support specific RSA-PSS parameters in mozilla::pkix r=jschanck
  This patch adds support to mozilla::pkix for certificates signed with RSA-PSS using one of the following parameters permitted by the CA/Browser Forum Baseline Requirements 1.8.1:
  * SHA-256, MGF-1 with SHA-256, and a salt length of 32 bytes
  * SHA-384, MGF-1 with SHA-384, and a salt length of 48 bytes
  * SHA-512, MGF-1 with SHA-512, and a salt length of 64 bytes
  [853b64626b19]
2022-03-23 John M. Schanck <jschanck@mozilla.com>
* lib/util/secasn1d.c: Bug 1753535 - Remove obsolete stateEnd check in SEC_ASN1DecoderUpdate. r=rrelyea
  The `stateEnd->parent != state` check was added in Bug 95458 to avoid a crash in `sec_asn1d_free_child`. The diagnosis in Bug 95458 is incorrect---the crash was actually due to a `PORT_Assert(0)` that was meant to highlight a memory leak when `SEC_ASN1DecoderStart` was called with `their_pool==NULL`. The offending assertion was removed in Bug 95311, which makes the `stateEnd` check obsolete.
  In Bug 1753535 it was observed that the `stateEnd` check could read from a poisoned region of an arena when the decoder was used in a streaming mode. This read-after-poison could lead to an arena memory leak, although this is mitigated by the fact that the read-after-poison is on an error-handling path where the caller typically frees the entire arena. [800111fa3bf8]
* lib/dev/dev.h, lib/dev/devslot.c, lib/dev/devt.h, lib/dev/devtoken.c, lib/pk11wrap/dev3hack.c: Bug 1756271 - Remove token member from NSSSlot struct. r=rrelyea [55052f78244c]
* cmd/mpitests/mpi-test.c, lib/freebl/Makefile, lib/freebl/dh.c, lib/freebl/freebl_base.gypi, lib/freebl/manifest.mn, lib/freebl/mpi/mpprime.c, lib/freebl/mpi/mpprime.h, lib/freebl/pqg.c, lib/freebl/rsa.c, lib/freebl/secmpi.c, lib/freebl/secmpi.h: Bug 1602379 - Provide secure variants of mpp_pprime and mpp_make_prime. r=mt [b83ad33acd67]
2022-03-22 John M. Schanck <jschanck@mozilla.com>
* cmd/mpitests/mpi-test.c, lib/freebl/Makefile, lib/freebl/dh.c, lib/freebl/freebl_base.gypi, lib/freebl/manifest.mn, lib/freebl/mpi/mpprime.c, lib/freebl/mpi/mpprime.h, lib/freebl/pqg.c, lib/freebl/rsa.c, lib/freebl/secmpi.c, lib/freebl/secmpi.h: Backed out changeset 6c1092f5203f
  Caused Windows gyp build failures for cmd/mpitests [ffa1e4ce758a]
2022-03-22 Masatoshi Kimura <VYV03354@nifty.ne.jp>
* gtests/pk11_gtest/pk11_module_unittest.cc, lib/pk11wrap/pk11load.c: Bug 1757279 - Support UTF-8 library path in the module spec string. r=nss-reviewers,jschanck [31bce2dae97b]
* gtests/base_gtest/Makefile, gtests/base_gtest/base_gtest.gyp, gtests/base_gtest/manifest.mn, gtests/base_gtest/utf8_unittest.cc, gtests/manifest.mn, lib/base/utf8.c, nss.gyp, tests/gtests/gtests.sh: Bug 1396616 - Update nssUTF8_Length to RFC 3629 and fix buffer overrun. r=nss-reviewers,jschanck [2f2c85648edb]
2022-03-22 John M. Schanck <jschanck@mozilla.com>
* cmd/mpitests/mpi-test.c, lib/freebl/Makefile, lib/freebl/dh.c, lib/freebl/freebl_base.gypi, lib/freebl/manifest.mn, lib/freebl/mpi/mpprime.c, lib/freebl/mpi/mpprime.h, lib/freebl/pqg.c, lib/freebl/rsa.c, lib/freebl/secmpi.c, lib/freebl/secmpi.h: Bug 1602379 - Provide secure variants of mpp_pprime and mpp_make_prime. r=mt [6c1092f5203f]
2022-03-22 Dennis Jackson <djackson@mozilla.com>
* automation/taskcluster/docker-builds/Dockerfile, automation/taskcluster/graph/src/extend.js: Bug 1760827 - Add a CI Target for gcc-11. r=nss-reviewers,nkulatova [d4a3bb7731b0]
* automation/taskcluster/graph/src/extend.js: Bug 1760828 - Change to makefiles for gcc-4.8. r=nss-reviewers,mt [191e838399a6]
2022-03-22 J08nY <johny@neuromancer.sk>
* automation/taskcluster/graph/src/extend.js, gtests/google_test/VERSION, gtests/google_test/gtest/CMakeLists.txt, gtests/google_test/gtest/CONTRIBUTORS, gtests/google_test/gtest/README.md, gtests/google_test/gtest/cmake/gtest.pc.in, gtests/google_test/gtest/cmake/gtest_main.pc.in, gtests/google_test/gtest/cmake/internal_utils.cmake, gtests/google_test/gtest/docs/Pkgconfig.md, gtests/google_test/gtest/docs/README.md, gtests/google_test/gtest/docs/advanced.md, gtests/google_test/gtest/docs/faq.md, gtests/google_test/gtest/docs/primer.md, gtests/google_test/gtest/docs/pump_manual.md, gtests/google_test/gtest/docs/samples.md, gtests/google_test/gtest/include/gtest/gtest-death-test.h, gtests/google_test/gtest/include/gtest/gtest-matchers.h, gtests/google_test/gtest/include/gtest/gtest-message.h, gtests/google_test/gtest/include/gtest/gtest-param-test.h, gtests/google_test/gtest/include/gtest/gtest-printers.h, gtests/google_test/gtest/include/gtest/gtest-spi.h, gtests/google_test/gtest/include/gtest/gtest-test-part.h, gtests/google_test/gtest/include/gtest/gtest-typed-test.h, gtests/google_test/gtest/include/gtest/gtest.h, gtests/google_test/gtest/include/gtest/gtest_pred_impl.h, 
gtests/google_test/gtest/include/gtest/gtest_prod.h, gtests/google_test/gtest/include/gtest/internal/custom/gtest-port.h, gtests/google_test/gtest/include/gtest/internal/custom/gtest- printers.h, gtests/google_test/gtest/include/gtest/internal/custom/gtest.h, gtests/google_test/gtest/include/gtest/internal/gtest-death-test- internal.h, gtests/google_test/gtest/include/gtest/internal/gtest- filepath.h, gtests/google_test/gtest/include/gtest/internal/gtest- internal.h, gtests/google_test/gtest/include/gtest/internal/gtest- param-util.h, gtests/google_test/gtest/include/gtest/internal/gtest- port-arch.h, gtests/google_test/gtest/include/gtest/internal/gtest- port.h, gtests/google_test/gtest/include/gtest/internal/gtest- string.h, gtests/google_test/gtest/include/gtest/internal/gtest- type-util.h, gtests/google_test/gtest/include/gtest/internal/gtest- type-util.h.pump, gtests/google_test/gtest/samples/prime_tables.h, gtests/google_test/gtest/samples/sample1.cc, gtests/google_test/gtest/samples/sample1.h, gtests/google_test/gtest/samples/sample10_unittest.cc, gtests/google_test/gtest/samples/sample2.cc, gtests/google_test/gtest/samples/sample2.h, gtests/google_test/gtest/samples/sample2_unittest.cc, gtests/google_test/gtest/samples/sample3-inl.h, gtests/google_test/gtest/samples/sample3_unittest.cc, gtests/google_test/gtest/samples/sample4.h, gtests/google_test/gtest/samples/sample5_unittest.cc, gtests/google_test/gtest/samples/sample6_unittest.cc, gtests/google_test/gtest/samples/sample7_unittest.cc, gtests/google_test/gtest/samples/sample8_unittest.cc, gtests/google_test/gtest/samples/sample9_unittest.cc, gtests/google_test/gtest/scripts/README.md, gtests/google_test/gtest/scripts/gen_gtest_pred_impl.py, gtests/google_test/gtest/scripts/pump.py, gtests/google_test/gtest/scripts/release_docs.py, gtests/google_test/gtest/scripts/run_with_path.py, gtests/google_test/gtest/scripts/upload.py, gtests/google_test/gtest/src/gtest-death-test.cc, 
gtests/google_test/gtest/src/gtest-filepath.cc, gtests/google_test/gtest/src/gtest-internal-inl.h, gtests/google_test/gtest/src/gtest-matchers.cc, gtests/google_test/gtest/src/gtest-port.cc, gtests/google_test/gtest/src/gtest-printers.cc, gtests/google_test/gtest/src/gtest-test-part.cc, gtests/google_test/gtest/src/gtest-typed-test.cc, gtests/google_test/gtest/src/gtest.cc, gtests/google_test/gtest/src/gtest_main.cc, gtests/google_test/gtest/test/BUILD.bazel, gtests/google_test/gtest/test/googletest-catch-exceptions-test_.cc, gtests/google_test/gtest/test/googletest-death-test-test.cc, gtests/google_test/gtest/test/googletest-death-test_ex_test.cc, gtests/google_test/gtest/test/googletest-env-var-test.py, gtests/google_test/gtest/test/googletest-env-var-test_.cc, gtests/google_test/gtest/test/googletest-failfast-unittest.py, gtests/google_test/gtest/test/googletest-failfast-unittest_.cc, gtests/google_test/gtest/test/googletest-filepath-test.cc, gtests/google_test/gtest/test/googletest-filter-unittest_.cc, gtests/google_test/gtest/test/googletest-global-environment- unittest.py, gtests/google_test/gtest/test/googletest-global- environment-unittest_.cc, gtests/google_test/gtest/test/googletest- json-output-unittest.py, gtests/google_test/gtest/test/googletest- list-tests-unittest_.cc, gtests/google_test/gtest/test/googletest- listener-test.cc, gtests/google_test/gtest/test/googletest-message- test.cc, gtests/google_test/gtest/test/googletest-options-test.cc, gtests/google_test/gtest/test/googletest-output-test-golden-lin.txt, gtests/google_test/gtest/test/googletest-output-test.py, gtests/google_test/gtest/test/googletest-output-test_.cc, gtests/google_test/gtest/test/googletest-param-test-invalid- name1-test_.cc, gtests/google_test/gtest/test/googletest-param-test- invalid-name2-test_.cc, gtests/google_test/gtest/test/googletest- param-test-test.cc, gtests/google_test/gtest/test/googletest-param- test-test.h, gtests/google_test/gtest/test/googletest-param- 
test2-test.cc, gtests/google_test/gtest/test/googletest-port- test.cc, gtests/google_test/gtest/test/googletest-printers-test.cc, gtests/google_test/gtest/test/googletest-setuptestsuite-test.py, gtests/google_test/gtest/test/googletest-setuptestsuite-test_.cc, gtests/google_test/gtest/test/googletest-shuffle-test_.cc, gtests/google_test/gtest/test/googletest-test-part-test.cc, gtests/google_test/gtest/test/googletest-test2_test.cc, gtests/google_test/gtest/test/googletest-throw-on-failure-test_.cc, gtests/google_test/gtest/test/gtest-typed-test2_test.cc, gtests/google_test/gtest/test/gtest-typed-test_test.cc, gtests/google_test/gtest/test/gtest-typed-test_test.h, gtests/google_test/gtest/test/gtest-unittest-api_test.cc, gtests/google_test/gtest/test/gtest_assert_by_exception_test.cc, gtests/google_test/gtest/test/gtest_environment_test.cc, gtests/google_test/gtest/test/gtest_help_test.py, gtests/google_test/gtest/test/gtest_list_output_unittest.py, gtests/google_test/gtest/test/gtest_list_output_unittest_.cc, gtests/google_test/gtest/test/gtest_pred_impl_unittest.cc, gtests/google_test/gtest/test/gtest_premature_exit_test.cc, gtests/google_test/gtest/test/gtest_repeat_test.cc, gtests/google_test/gtest/test/gtest_skip_check_output_test.py, gtests/google_test/gtest/test/gtest_skip_test.cc, gtests/google_test/gtest/test/gtest_stress_test.cc, gtests/google_test/gtest/test/gtest_test_utils.py, gtests/google_test/gtest/test/gtest_throw_on_failure_ex_test.cc, gtests/google_test/gtest/test/gtest_unittest.cc, gtests/google_test/gtest/test/gtest_xml_outfiles_test.py, gtests/google_test/gtest/test/gtest_xml_output_unittest.py, gtests/google_test/gtest/test/gtest_xml_output_unittest_.cc, gtests/google_test/gtest/test/gtest_xml_test_utils.py, gtests/google_test/gtest/test/production.h, gtests/google_test/update.sh, gtests/ssl_gtest/ssl_agent_unittest.cc: Bug 1741688 - Update googletest to 1.11.0 r=nss-reviewers,mt [88249e154a23] 2022-03-22 Dennis Jackson <djackson@mozilla.com> 
* gtests/ssl_gtest/tls_ech_unittest.cc, lib/ssl/ssl3con.c, lib/ssl/sslexp.h, lib/ssl/sslimpl.h, lib/ssl/sslsock.c, lib/ssl/tls13ech.c, lib/ssl/tls13ech.h: Bug 1759525 - Add SetTls13GreaseEchSize to experimental API. r=mt [c2f93669b92c]
2022-03-22 Leander Schwarz <lschwarz@mozilla.com>
* gtests/ssl_gtest/ssl_version_unittest.cc, gtests/ssl_gtest/tls_filter.cc, gtests/ssl_gtest/tls_filter.h, lib/ssl/tls13con.c: Bug 1755264 - TLS 1.3 Illegal legacy_version handling/alerts. r=djackson [7d931c59d09f]
2022-03-22 Dennis Jackson <djackson@mozilla.com>
* lib/ssl/tls13ech.c: Bug 1755904 - Fix calculation of ECH HRR Transcript. r=mt [33c530e653b3]
2022-03-22 Zi Lin <lziest@chromium.org>
* coreconf/Linux.mk: Bug 1758741 - Allow ld path to be set as environment variable. r=mt
  Submitted on behalf of Zi Lin, the author of the patch. [d9368381598f]
2022-03-22 Dennis Jackson <djackson@mozilla.com>
* gtests/ssl_gtest/tls_connect.cc: Bug 1760653 - Ensure we don't read uninitialized memory in ssl gtests. r=mt,nss-reviewers [9a7b3c7f4e70]
* cpputil/databuffer.h: Bug 1758478 - Fix DataBuffer Move Assignment. r=mt [f12fd43d69c7]
2022-03-18 Robert Relyea <rrelyea@redhat.com>
* automation/abi-check/expected-report-libnss3.so.txt, automation/abi-check/expected-report-libssl3.so.txt, gtests/ssl_gtest/ssl_auth_unittest.cc, lib/certdb/cert.h, lib/certdb/certdb.c, lib/nss/nss.def, lib/pk11wrap/pk11obj.c, lib/pk11wrap/pk11pub.h, lib/ssl/authcert.c, lib/ssl/ssl.def, lib/ssl/ssl.h, lib/ssl/ssl3con.c, lib/ssl/sslimpl.h, lib/ssl/sslsock.c, lib/ssl/tls13con.c, lib/ssl/tls13subcerts.c, mach, tests/ssl/ssl.sh, tests/ssl/sslauth.txt: Bug 1552254 internal_error alert on Certificate Request with sha1+ecdsa in TLS 1.3
  We need to be able to select Client certificates based on the schemes sent to us from the server. Rather than changing the callback function, this patch adds those schemes to the ssl socket info as suggested by Dana.
  In addition, two helpful functions have been added to aid user applications in properly selecting the Certificate:
  PRBool SSL_CertIsUsable(PRFileDesc *fd, CERTCertificate *cert) - returns true if the given cert matches the schemes of the server, the schemes configured on the socket, capability of the token the private key resides on, and the current policy. For future SSL protocol, additional restrictions may be parsed.
  SSL_FilterCertListBySocket(PRFileDesc *fd, CERTCertList *certlist) - removes the certs from the cert list that don't pass the SSL_CertIsUsable() call.
  In addition the built-in cert selection function (NSS_GetClientAuthData) uses the above functions to filter the list. In order to support the NSS_GetClientAuthData three new functions have been added:
  SECStatus CERT_FilterCertListByNickname(CERTCertList *certList, char *nickname, void *pwarg) -- removes the certs that don't match the 'nickname'.
  SECStatus CERT_FilterCertListByCertList(CERTCertList *certList, const CERTCertList *filterList) -- removes all the certs on the first cert list that aren't on the second.
  PRBool CERT_IsInList(CERTCertificate *, const CERTCertList *certList) -- returns true if cert is on certList.
  In addition:
  * PK11_FindObjectForCert() is exported so the token the cert lives on can be accessed.
  * the ssl_PickClientSignatureScheme() function (along with several supporting functions) has been modified so it can be used by SSL_CertIsUsable()
  [be6a97823bfe]
Differential Revision: https://phabricator.services.mozilla.com/D141995 |
|
John Schanck | 5075ae5d88 |
Bug 1758579 - land NSS be8a62f85be7 UPGRADE_NSS_RELEASE, r=keeler
Differential Revision: https://phabricator.services.mozilla.com/D140597 |
|
Dennis Jackson | ac3025042a |
Bug 1753980 - land NSS 4a8880ef UPGRADE_NSS_RELEASE, r=bbeurdouche
```
2022-02-14 Martin Thomson <mt@lowentropy.net>
* gtests/common/testvectors/rsa_pss_2048_sha1_mgf1_20-vectors.h, gtests/common/testvectors/rsa_pss_2048_sha256_mgf1_0-vectors.h, gtests/common/testvectors/rsa_pss_2048_sha256_mgf1_32-vectors.h, gtests/common/testvectors/rsa_pss_3072_sha256_mgf1_32-vectors.h, gtests/common/testvectors/rsa_pss_4096_sha256_mgf1_32-vectors.h, gtests/common/testvectors/rsa_pss_4096_sha512_mgf1_32-vectors.h, gtests/common/testvectors/rsa_pss_misc-vectors.h, gtests/common/wycheproof/genTestVectors.py, gtests/common/wycheproof/source_vectors/rsa_pss_2048_sha1_mgf1_20_test.json, gtests/common/wycheproof/source_vectors/rsa_pss_2048_sha256_mgf1_0_test.json, gtests/common/wycheproof/source_vectors/rsa_pss_2048_sha256_mgf1_32_test.json, gtests/common/wycheproof/source_vectors/rsa_pss_3072_sha256_mgf1_32_test.json, gtests/common/wycheproof/source_vectors/rsa_pss_4096_sha256_mgf1_32_test.json, gtests/common/wycheproof/source_vectors/rsa_pss_4096_sha512_mgf1_32_test.json, gtests/common/wycheproof/source_vectors/rsa_pss_misc_test.json, gtests/pk11_gtest/json.h, gtests/pk11_gtest/pk11_hpke_unittest.cc, gtests/pk11_gtest/pk11_rsapss_unittest.cc: Bug 1747957 - Use Wycheproof JSON for RSASSA-PSS, r=nss-reviewers,bbeurdouche [4a8880ef1adc] [tip]
2022-02-10 Leander Schwarz <lschwarz@mozilla.com>
* gtests/ssl_gtest/ssl_extension_unittest.cc, gtests/ssl_gtest/tls_ech_unittest.cc, lib/ssl/ssl3ext.c: Bug 1751157 - Throw illegal_parameter alert for illegal extensions in handshake message. r=djackson [8fd5ca0cf897]
2022-02-09 John M. Schanck <jschanck@mozilla.com>
* automation/release/nss-release-helper.py: Bug 1753505 - Avoid truncating files in nss-release-helper.py. r=bbeurdouche [7876a7255030]
2022-02-08 John M. Schanck <jschanck@mozilla.com>
* lib/ckfw/builtins/certdata.txt: Bug 1679803 - Add SHA256 fingerprint comments to old certdata.txt entries. r=nss-reviewers,bbeurdouche
  The new SHA256 hashes were calculated using the script below, which reads certificates out of the builtin token and re-processes them with the current version of addbuiltin. One of the "Autoridad de Certificacion Firmaprofesional CIF A62634068" certificates had to be handled manually because of Bug 456858.

    #!/bin/bash
    NSS_LIB=<path to dist/Debug/lib>
    WORK=/tmp/nssdb/
    LIST=${WORK}/list.txt
    OUT=${WORK}/certdata.txt
    rm -rf ${WORK}
    mkdir -p ${WORK}
    modutil -force -dbdir "sql:${WORK}" -create
    modutil -force -dbdir "sql:${WORK}" -add "nssckbi" -libfile "${NSS_LIB}/libnssckbi.so"
    certutil -d "sql:${WORK}" -L -h "Builtin Object Token" | grep Builtin > ${LIST}
    sed -i 's/\s*\(C\?,C\?,C\?\)\s*$/;\1/' ${LIST}
    while IFS=";" read -r name trust
    do
      certutil -d "sql:${WORK}" -L -n "${name}" -r 1> "${WORK}/${name}.der"
      addbuiltin -t "${trust}" -n "${name/Builtin Object Token:/}" -i "${WORK}/${name}.der"
    done < ${LIST} >> ${OUT}

  [7a34cf74b659]
```
Differential Revision: https://phabricator.services.mozilla.com/D138799 |
|
Benjamin Beurdouche | 84a342941b |
Bug 1748820 - land NSS 44e6341be5e8 UPGRADE_NSS_RELEASE, r=beurdouche
Differential Revision: https://phabricator.services.mozilla.com/D135690 |
|
Benjamin Beurdouche | bdd7cdab71 |
Bug 1743993 - land NSS NSS_3_74_BETA1 UPGRADE_NSS_RELEASE, r=beurdouche
``` 2021-12-16 Benjamin Beurdouche <bbeurdouche@mozilla.com> * gtests/google_test/VERSION, gtests/google_test/gtest/CMakeLists.txt, gtests/google_test/gtest/CONTRIBUTORS, gtests/google_test/gtest/README.md, gtests/google_test/gtest/cmake/gtest.pc.in, gtests/google_test/gtest/cmake/gtest_main.pc.in, gtests/google_test/gtest/cmake/internal_utils.cmake, gtests/google_test/gtest/docs/Pkgconfig.md, gtests/google_test/gtest/docs/README.md, gtests/google_test/gtest/docs/advanced.md, gtests/google_test/gtest/docs/faq.md, gtests/google_test/gtest/docs/primer.md, gtests/google_test/gtest/docs/pump_manual.md, gtests/google_test/gtest/docs/samples.md, gtests/google_test/gtest/include/gtest/gtest-death-test.h, gtests/google_test/gtest/include/gtest/gtest-matchers.h, gtests/google_test/gtest/include/gtest/gtest-message.h, gtests/google_test/gtest/include/gtest/gtest-param-test.h, gtests/google_test/gtest/include/gtest/gtest-printers.h, gtests/google_test/gtest/include/gtest/gtest-spi.h, gtests/google_test/gtest/include/gtest/gtest-test-part.h, gtests/google_test/gtest/include/gtest/gtest-typed-test.h, gtests/google_test/gtest/include/gtest/gtest.h, gtests/google_test/gtest/include/gtest/gtest_pred_impl.h, gtests/google_test/gtest/include/gtest/gtest_prod.h, gtests/google_test/gtest/include/gtest/internal/custom/gtest-port.h, gtests/google_test/gtest/include/gtest/internal/custom/gtest- printers.h, gtests/google_test/gtest/include/gtest/internal/custom/gtest.h, gtests/google_test/gtest/include/gtest/internal/gtest-death-test- internal.h, gtests/google_test/gtest/include/gtest/internal/gtest- filepath.h, gtests/google_test/gtest/include/gtest/internal/gtest- internal.h, gtests/google_test/gtest/include/gtest/internal/gtest- param-util.h, gtests/google_test/gtest/include/gtest/internal/gtest- port-arch.h, gtests/google_test/gtest/include/gtest/internal/gtest- port.h, gtests/google_test/gtest/include/gtest/internal/gtest- string.h, 
gtests/google_test/gtest/include/gtest/internal/gtest- type-util.h, gtests/google_test/gtest/include/gtest/internal/gtest- type-util.h.pump, gtests/google_test/gtest/samples/prime_tables.h, gtests/google_test/gtest/samples/sample1.cc, gtests/google_test/gtest/samples/sample1.h, gtests/google_test/gtest/samples/sample10_unittest.cc, gtests/google_test/gtest/samples/sample2.cc, gtests/google_test/gtest/samples/sample2.h, gtests/google_test/gtest/samples/sample2_unittest.cc, gtests/google_test/gtest/samples/sample3-inl.h, gtests/google_test/gtest/samples/sample3_unittest.cc, gtests/google_test/gtest/samples/sample4.h, gtests/google_test/gtest/samples/sample5_unittest.cc, gtests/google_test/gtest/samples/sample6_unittest.cc, gtests/google_test/gtest/samples/sample7_unittest.cc, gtests/google_test/gtest/samples/sample8_unittest.cc, gtests/google_test/gtest/samples/sample9_unittest.cc, gtests/google_test/gtest/scripts/README.md, gtests/google_test/gtest/scripts/gen_gtest_pred_impl.py, gtests/google_test/gtest/scripts/pump.py, gtests/google_test/gtest/scripts/release_docs.py, gtests/google_test/gtest/scripts/run_with_path.py, gtests/google_test/gtest/scripts/upload.py, gtests/google_test/gtest/src/gtest-death-test.cc, gtests/google_test/gtest/src/gtest-filepath.cc, gtests/google_test/gtest/src/gtest-internal-inl.h, gtests/google_test/gtest/src/gtest-matchers.cc, gtests/google_test/gtest/src/gtest-port.cc, gtests/google_test/gtest/src/gtest-printers.cc, gtests/google_test/gtest/src/gtest-test-part.cc, gtests/google_test/gtest/src/gtest-typed-test.cc, gtests/google_test/gtest/src/gtest.cc, gtests/google_test/gtest/src/gtest_main.cc, gtests/google_test/gtest/test/BUILD.bazel, gtests/google_test/gtest/test/googletest-catch-exceptions-test_.cc, gtests/google_test/gtest/test/googletest-death-test-test.cc, gtests/google_test/gtest/test/googletest-death-test_ex_test.cc, gtests/google_test/gtest/test/googletest-env-var-test.py, 
gtests/google_test/gtest/test/googletest-env-var-test_.cc, gtests/google_test/gtest/test/googletest-failfast-unittest.py, gtests/google_test/gtest/test/googletest-failfast-unittest_.cc, gtests/google_test/gtest/test/googletest-filepath-test.cc, gtests/google_test/gtest/test/googletest-filter-unittest_.cc, gtests/google_test/gtest/test/googletest-global-environment- unittest.py, gtests/google_test/gtest/test/googletest-global- environment-unittest_.cc, gtests/google_test/gtest/test/googletest- json-output-unittest.py, gtests/google_test/gtest/test/googletest- list-tests-unittest_.cc, gtests/google_test/gtest/test/googletest- listener-test.cc, gtests/google_test/gtest/test/googletest-message- test.cc, gtests/google_test/gtest/test/googletest-options-test.cc, gtests/google_test/gtest/test/googletest-output-test-golden-lin.txt, gtests/google_test/gtest/test/googletest-output-test.py, gtests/google_test/gtest/test/googletest-output-test_.cc, gtests/google_test/gtest/test/googletest-param-test-invalid- name1-test_.cc, gtests/google_test/gtest/test/googletest-param-test- invalid-name2-test_.cc, gtests/google_test/gtest/test/googletest- param-test-test.cc, gtests/google_test/gtest/test/googletest-param- test-test.h, gtests/google_test/gtest/test/googletest-param- test2-test.cc, gtests/google_test/gtest/test/googletest-port- test.cc, gtests/google_test/gtest/test/googletest-printers-test.cc, gtests/google_test/gtest/test/googletest-setuptestsuite-test.py, gtests/google_test/gtest/test/googletest-setuptestsuite-test_.cc, gtests/google_test/gtest/test/googletest-shuffle-test_.cc, gtests/google_test/gtest/test/googletest-test-part-test.cc, gtests/google_test/gtest/test/googletest-test2_test.cc, gtests/google_test/gtest/test/googletest-throw-on-failure-test_.cc, gtests/google_test/gtest/test/gtest-typed-test2_test.cc, gtests/google_test/gtest/test/gtest-typed-test_test.cc, gtests/google_test/gtest/test/gtest-typed-test_test.h, 
gtests/google_test/gtest/test/gtest-unittest-api_test.cc, gtests/google_test/gtest/test/gtest_assert_by_exception_test.cc, gtests/google_test/gtest/test/gtest_environment_test.cc, gtests/google_test/gtest/test/gtest_help_test.py, gtests/google_test/gtest/test/gtest_list_output_unittest.py, gtests/google_test/gtest/test/gtest_list_output_unittest_.cc, gtests/google_test/gtest/test/gtest_pred_impl_unittest.cc, gtests/google_test/gtest/test/gtest_premature_exit_test.cc, gtests/google_test/gtest/test/gtest_repeat_test.cc, gtests/google_test/gtest/test/gtest_skip_check_output_test.py, gtests/google_test/gtest/test/gtest_skip_test.cc, gtests/google_test/gtest/test/gtest_stress_test.cc, gtests/google_test/gtest/test/gtest_test_utils.py, gtests/google_test/gtest/test/gtest_throw_on_failure_ex_test.cc, gtests/google_test/gtest/test/gtest_unittest.cc, gtests/google_test/gtest/test/gtest_xml_outfiles_test.py, gtests/google_test/gtest/test/gtest_xml_output_unittest.py, gtests/google_test/gtest/test/gtest_xml_output_unittest_.cc, gtests/google_test/gtest/test/gtest_xml_test_utils.py, gtests/google_test/gtest/test/production.h, gtests/google_test/update.sh: Backed out changeset 50f5a60523ca (Bug 1741688 - Update googletest to 1.11.0) due to CI failures [1831460a6f34] [NSS_3_74_BETA1] 2021-12-15 Benjamin Beurdouche <bbeurdouche@mozilla.com> * automation/abi-check/previous-nss-release, lib/nss/nss.h, lib/softoken/softkver.h, lib/util/nssutil.h: Set version numbers to 3.74 [0ed371bb42ac] ``` Differential Revision: https://phabricator.services.mozilla.com/D134913 |
|
Narcis Beleuzu | e74a8e2d1d | Backed out changeset ee89101cd0e4 (bug 1743993) for xpcshell failures on test_httpssvc_retry_with_ech.js UPGRADE_NSS_RELEASE | |
Benjamin Beurdouche | e9c3a11359 |
Bug 1743993 - land NSS d41c0fcdcf85 UPGRADE_NSS_RELEASE, r=nkulatova
```
2021-12-17 Dennis Jackson <djackson@mozilla.com>
* gtests/ssl_gtest/tls_ech_unittest.cc:
Bug 1712879 - Add test cases for ECH compression and unexpected extensions in SH. r=mt
* Update the test custom extension injectors to create large (1024 byte) extensions
* Update the compression tests to verify that compression occurs correctly.
* Add tests to ensure that when accepting ECH, the client rejects Xtns which are only valid for the CHO and vice versa
[d41c0fcdcf85] [tip]
* gtests/ssl_gtest/tls_ech_unittest.cc:
Bug 1725938 - Update tests for ECH-13. r=mt
* Add a new test helper function for creating an ECH Config/
* Update ECH Config tests to dynamically generate their configs.
* Regenerate tests using fixed ClientHello configs for ECH-13.
* Add test for recursive ECH Outer Extensions.
* Add test for ECH Inner Extension with payload (should be empty).
* Add test to ensure AAD covers both before and after ECH extension.
[ea27fc06556a]
* lib/ssl/tls13ech.c:
Bug 1725938 - Tidy up error handling r=mt
Small commit to tidy up the error handling when receiving ECH extensions.
[dbfeabc22622]
* gtests/ssl_gtest/tls_filter.cc, gtests/ssl_gtest/tls_filter.h:
Bug 1728281 - Add tests for ECH HRR Changes. r=mt
Testcases for HRR ECH Xtns:
- Clients reject xtns of the wrong size.
- Clients reject mangled xtns.
- Clients reject unsolicited xtns.
- Servers send ECH HRR Xtns when accepting, rejecting or GREASEing
- Clients and Servers do not send xtns if disabled and not GREASEing
- Clients alert if servers accept ECH in HRR, then reject in SH.
[28c3375fe2ef]
* lib/ssl/sslexp.h, lib/ssl/tls13exthandle.c:
Bug 1728281 - Server only sends GREASE HRR extension if enabled by preference. r=mt
Draft 13 added an ECH extension for HRR messages. When GREASEing, this should only be sent if the server was configured with ECH support or explicitly opted in.
[e387d382de47]
* gtests/ssl_gtest/tls_connect.cc, lib/ssl/ssl3con.c, lib/ssl/ssl3ext.c, lib/ssl/ssl3ext.h, lib/ssl/sslencode.c, lib/ssl/sslencode.h, lib/ssl/tls13ech.c, lib/ssl/tls13ech.h, lib/ssl/tls13exthandle.c:
Bug 1725938 - Update generation of the Associated Data for ECH-13 r=mt
In Draft 13, the associated data comprises the entire ClientHelloOuter, with the ECH payload zeroed out. This patch updates the generation of the ClientHelloOuter and associated data and unifies the generation of the ECH Xtn. As a result, tls13_EncryptClientHello now puts the encrypted ClientHelloInner directly into the ClientHelloOuter.
[e31c41c04527]
* gtests/ssl_gtest/tls_connect.cc, lib/ssl/ssl3ext.c, lib/ssl/ssl3ext.h, lib/ssl/sslimpl.h, lib/ssl/tls13ech.c:
Bug 1712879 - When ECH is accepted, reject extensions which were only advertised in the Outer Client Hello r=mt
Previously, we only tracked whether we'd advertised an extension at all. This change allows us to track the advertisements for both the Outer and Inner Client Hello separately. If the server accepts ECH but includes an extension we only offered in the Outer Client Hello, we will send an alert. As a side-effect, if the client offers an extension in the ClientHelloInner which is not offered in the ClientHelloOuter and the server accepts, we will send the same alert. It is unclear whether this is desirable behavior or not - since if we did not alert this would allow a network observer to distinguish whether ECH was used.
[beef13851327]
* gtests/ssl_gtest/tls_connect.cc, lib/ssl/tls13ech.c:
Bug 1712879 - Allow for compressed, non-contiguous, extensions r=mt
In Draft 13, clients can now compress extensions which are non-contiguous but in-order. This changeset removes the logic which ensured only contiguous extensions were compressed.
[daf5bc69425a]
2021-12-17 Martin Thomson <mt@lowentropy.net>
* gtests/ssl_gtest/ssl_custext_unittest.cc, lib/ssl/tls13ech.c:
Bug 1712879 - Scramble the PSK extension in CHOuter. r=bbeurdouche
Depends on D115852
[b8623fde307c]
* gtests/ssl_gtest/ssl_custext_unittest.cc, lib/ssl/ssl3ext.c, lib/ssl/ssl3ext.h, lib/ssl/sslencode.c, lib/ssl/sslexp.h, lib/ssl/sslimpl.h, lib/ssl/sslsock.c, lib/ssl/tls13ech.c:
Bug 1712647 - Split custom extension handling for ECH. r=bbeurdouche,mt
A new function SSL_CallExtensionWriterOnEchInner() allows applications to have custom extension handlers called separately for CHInner and CHOuter. This is a little tricky as ECH needs to construct two versions of CHInner: one compressed and one not. This just calls the write handler twice in that case. The other complication is that a handler might make different choices for CHInner and CHOuter. This forces us to stop compressing that extension and any that follow it when that occurs. In order to ensure that extensions are consistently placed, we need to track what can be compressed during both invocations. I've retained the quirk where the extensions are built twice. That might be something that can be removed in future, but for now it creates a negative externality that I've noted in documentation.
[d3c6fa317bca]
2021-12-17 Dennis Jackson <djackson@mozilla.com>
* gtests/ssl_gtest/tls_connect.cc, lib/ssl/ssl3con.c, lib/ssl/ssl3ext.c, lib/ssl/sslimpl.h, lib/ssl/tls13con.c, lib/ssl/tls13ech.c, lib/ssl/tls13ech.h, lib/ssl/tls13exthandle.c, lib/ssl/tls13exthandle.h, lib/ssl/tls13hashstate.c, lib/ssl/tls13hashstate.h:
Bug 1728281 - Add ECH-13 HRR Handling. r=mt
This changeset adds client and server support for ECH extensions in the HelloRetryRequest Message. When Servers respond with a HRR to a ECH advertising ClientHello, servers add an additional 8 byte confirmation value in an ECH extension with their HRR which allows the client to deduce whether ECH was accepted or rejected. The confirmation value is derived from the ClientHelloInner's random value and the transcript up to and including the HRR. If ECH is rejected, the confirmation value is replaced with 8 random bytes.
This necessitates several further changes to the control flow of HRR generation and handling. Firstly, the HRR must be generated in two passes, firstly with a placeholder value of zero bytes instead of the confirmation value, then secondly with the true confirmation value. Further, if the server accepts ECH in the HRR, it cannot change its mind when processing the second client hello. If ECH is rejected and the HRR confirmation value is instead a random value, the (stateless) server must be able to regenerate the correct confirmation value. This patch adds the GREASEd value to the HRR cookie, increasing its size by 8 bytes. In order to prevent a network observer from distinguishing whether ECH was accepted, these 8 bytes are used whether or not ECH is accepted. On the client side, the HRR with zeroed confirmation value must be added to the transcript when calculating the confirmation value. Unlike a PSK extension, the HRR ECH Extension can appear in any position and so the extension handler stores a pointer into the server hello buffer.
[ea556051e745]
* gtests/ssl_gtest/tls_connect.cc, gtests/ssl_gtest/tls_connect.h, gtests/ssl_gtest/tls_ech_unittest.cc, lib/ssl/tls13ech.c:
Bug 1677181 - Client side ECH padding r=mt
ECH-13 adds an optional padding field to ClientHelloInners prior to encryption. New tests check that clients correctly pad different length SNIs and that servers correctly reject invalid padding.
[eb122ac1965f]
* gtests/ssl_gtest/tls_ech_unittest.cc, lib/ssl/ssl3ext.c, lib/ssl/tls13ech.c:
Bug 1725938 - Stricter ClientHelloInner Decompression. r=mt.
Decompression is now a linear scan, ensuring the same CHO extension is never considered for inclusion more than once. The added tests check that duplicate or out of order references are now rejected.
[9e1a409b15d3]
* automation/abi-check/expected-report-libssl3.so.txt, gtests/ssl_gtest/tls_ech_unittest.cc, lib/ssl/ssl3con.c, lib/ssl/ssl3ext.c, lib/ssl/sslexp.h, lib/ssl/tls13con.c, lib/ssl/tls13ech.c, lib/ssl/tls13ech.h, lib/ssl/tls13exthandle.c, lib/ssl/tls13exthandle.h:
Bug 1725938 - Remove ECH_inner extension, use new enum format. r=mt
Draft-13 removes the ECH_inner extension and instead uses an enum inside the encrypted client hello extension. The handler for the ECH_inner extension is removed and the ECH extension handler is now split into two cases, tls13_ServerHandleInnerEchXtn is called on the ClientHelloInner and checks for the presence of the correct inner extension. tls13_ServerHandleOuterEchXtn is called on the ClientHelloOuter, it either parses the Outer ECH Extension or, if operating in split mode, tolerates the inner extension.
[6da26e8be8c5]
* gtests/ssl_gtest/tls_ech_unittest.cc, lib/ssl/sslt.h, lib/ssl/tls13ech.c, lib/ssl/tls13ech.h:
Bug 1725938 - Update the version number for ECH-13 and adjust the ECHConfig size. r=mt
Tests re-enabled in D130698.
[6fbfdbf1fe9d]
2021-12-16 Benjamin Beurdouche <bbeurdouche@mozilla.com>
* gtests/google_test/VERSION, gtests/google_test/gtest/CMakeLists.txt, gtests/google_test/gtest/CONTRIBUTORS, gtests/google_test/gtest/README.md, gtests/google_test/gtest/cmake/gtest.pc.in, gtests/google_test/gtest/cmake/gtest_main.pc.in, gtests/google_test/gtest/cmake/internal_utils.cmake, gtests/google_test/gtest/docs/Pkgconfig.md, gtests/google_test/gtest/docs/README.md, gtests/google_test/gtest/docs/advanced.md, gtests/google_test/gtest/docs/faq.md, gtests/google_test/gtest/docs/primer.md, gtests/google_test/gtest/docs/pump_manual.md, gtests/google_test/gtest/docs/samples.md, gtests/google_test/gtest/include/gtest/gtest-death-test.h, gtests/google_test/gtest/include/gtest/gtest-matchers.h, gtests/google_test/gtest/include/gtest/gtest-message.h, gtests/google_test/gtest/include/gtest/gtest-param-test.h, gtests/google_test/gtest/include/gtest/gtest-printers.h, gtests/google_test/gtest/include/gtest/gtest-spi.h, gtests/google_test/gtest/include/gtest/gtest-test-part.h, gtests/google_test/gtest/include/gtest/gtest-typed-test.h, gtests/google_test/gtest/include/gtest/gtest.h, gtests/google_test/gtest/include/gtest/gtest_pred_impl.h, gtests/google_test/gtest/include/gtest/gtest_prod.h, gtests/google_test/gtest/include/gtest/internal/custom/gtest-port.h, gtests/google_test/gtest/include/gtest/internal/custom/gtest-printers.h, gtests/google_test/gtest/include/gtest/internal/custom/gtest.h, gtests/google_test/gtest/include/gtest/internal/gtest-death-test-internal.h, gtests/google_test/gtest/include/gtest/internal/gtest-filepath.h, gtests/google_test/gtest/include/gtest/internal/gtest-internal.h, gtests/google_test/gtest/include/gtest/internal/gtest-param-util.h, gtests/google_test/gtest/include/gtest/internal/gtest-port-arch.h, gtests/google_test/gtest/include/gtest/internal/gtest-port.h, gtests/google_test/gtest/include/gtest/internal/gtest-string.h, gtests/google_test/gtest/include/gtest/internal/gtest-type-util.h, gtests/google_test/gtest/include/gtest/internal/gtest-type-util.h.pump, gtests/google_test/gtest/samples/prime_tables.h, gtests/google_test/gtest/samples/sample1.cc, gtests/google_test/gtest/samples/sample1.h, gtests/google_test/gtest/samples/sample10_unittest.cc, gtests/google_test/gtest/samples/sample2.cc, gtests/google_test/gtest/samples/sample2.h, gtests/google_test/gtest/samples/sample2_unittest.cc, gtests/google_test/gtest/samples/sample3-inl.h, gtests/google_test/gtest/samples/sample3_unittest.cc, gtests/google_test/gtest/samples/sample4.h, gtests/google_test/gtest/samples/sample5_unittest.cc, gtests/google_test/gtest/samples/sample6_unittest.cc, gtests/google_test/gtest/samples/sample7_unittest.cc, gtests/google_test/gtest/samples/sample8_unittest.cc, gtests/google_test/gtest/samples/sample9_unittest.cc, gtests/google_test/gtest/scripts/README.md, gtests/google_test/gtest/scripts/gen_gtest_pred_impl.py, gtests/google_test/gtest/scripts/pump.py, gtests/google_test/gtest/scripts/release_docs.py, gtests/google_test/gtest/scripts/run_with_path.py, gtests/google_test/gtest/scripts/upload.py, gtests/google_test/gtest/src/gtest-death-test.cc, gtests/google_test/gtest/src/gtest-filepath.cc, gtests/google_test/gtest/src/gtest-internal-inl.h, gtests/google_test/gtest/src/gtest-matchers.cc, gtests/google_test/gtest/src/gtest-port.cc, gtests/google_test/gtest/src/gtest-printers.cc, gtests/google_test/gtest/src/gtest-test-part.cc, gtests/google_test/gtest/src/gtest-typed-test.cc, gtests/google_test/gtest/src/gtest.cc, gtests/google_test/gtest/src/gtest_main.cc, gtests/google_test/gtest/test/BUILD.bazel, gtests/google_test/gtest/test/googletest-catch-exceptions-test_.cc, gtests/google_test/gtest/test/googletest-death-test-test.cc, gtests/google_test/gtest/test/googletest-death-test_ex_test.cc, gtests/google_test/gtest/test/googletest-env-var-test.py, gtests/google_test/gtest/test/googletest-env-var-test_.cc, gtests/google_test/gtest/test/googletest-failfast-unittest.py, gtests/google_test/gtest/test/googletest-failfast-unittest_.cc, gtests/google_test/gtest/test/googletest-filepath-test.cc, gtests/google_test/gtest/test/googletest-filter-unittest_.cc, gtests/google_test/gtest/test/googletest-global-environment-unittest.py, gtests/google_test/gtest/test/googletest-global-environment-unittest_.cc, gtests/google_test/gtest/test/googletest-json-output-unittest.py, gtests/google_test/gtest/test/googletest-list-tests-unittest_.cc, gtests/google_test/gtest/test/googletest-listener-test.cc, gtests/google_test/gtest/test/googletest-message-test.cc, gtests/google_test/gtest/test/googletest-options-test.cc, gtests/google_test/gtest/test/googletest-output-test-golden-lin.txt, gtests/google_test/gtest/test/googletest-output-test.py, gtests/google_test/gtest/test/googletest-output-test_.cc, gtests/google_test/gtest/test/googletest-param-test-invalid-name1-test_.cc, gtests/google_test/gtest/test/googletest-param-test-invalid-name2-test_.cc, gtests/google_test/gtest/test/googletest-param-test-test.cc, gtests/google_test/gtest/test/googletest-param-test-test.h, gtests/google_test/gtest/test/googletest-param-test2-test.cc, gtests/google_test/gtest/test/googletest-port-test.cc, gtests/google_test/gtest/test/googletest-printers-test.cc, gtests/google_test/gtest/test/googletest-setuptestsuite-test.py, gtests/google_test/gtest/test/googletest-setuptestsuite-test_.cc, gtests/google_test/gtest/test/googletest-shuffle-test_.cc, gtests/google_test/gtest/test/googletest-test-part-test.cc, gtests/google_test/gtest/test/googletest-test2_test.cc, gtests/google_test/gtest/test/googletest-throw-on-failure-test_.cc, gtests/google_test/gtest/test/gtest-typed-test2_test.cc, gtests/google_test/gtest/test/gtest-typed-test_test.cc, gtests/google_test/gtest/test/gtest-typed-test_test.h, gtests/google_test/gtest/test/gtest-unittest-api_test.cc, gtests/google_test/gtest/test/gtest_assert_by_exception_test.cc, gtests/google_test/gtest/test/gtest_environment_test.cc, gtests/google_test/gtest/test/gtest_help_test.py, gtests/google_test/gtest/test/gtest_list_output_unittest.py, gtests/google_test/gtest/test/gtest_list_output_unittest_.cc, gtests/google_test/gtest/test/gtest_pred_impl_unittest.cc, gtests/google_test/gtest/test/gtest_premature_exit_test.cc, gtests/google_test/gtest/test/gtest_repeat_test.cc, gtests/google_test/gtest/test/gtest_skip_check_output_test.py, gtests/google_test/gtest/test/gtest_skip_test.cc, gtests/google_test/gtest/test/gtest_stress_test.cc, gtests/google_test/gtest/test/gtest_test_utils.py, gtests/google_test/gtest/test/gtest_throw_on_failure_ex_test.cc, gtests/google_test/gtest/test/gtest_unittest.cc, gtests/google_test/gtest/test/gtest_xml_outfiles_test.py, gtests/google_test/gtest/test/gtest_xml_output_unittest.py, gtests/google_test/gtest/test/gtest_xml_output_unittest_.cc, gtests/google_test/gtest/test/gtest_xml_test_utils.py, gtests/google_test/gtest/test/production.h, gtests/google_test/update.sh:
Backed out changeset 50f5a60523ca (Bug 1741688 - Update googletest to 1.11.0) due to CI failures
[1831460a6f34]
2021-12-15 Benjamin Beurdouche <bbeurdouche@mozilla.com>
* automation/abi-check/previous-nss-release, lib/nss/nss.h, lib/softoken/softkver.h, lib/util/nssutil.h:
Set version numbers to 3.74
[0ed371bb42ac]
```
Differential Revision: https://phabricator.services.mozilla.com/D134705 |
|
Benjamin Beurdouche | 6b81551a1f |
Bug 1743993 - land NSS 7d4f221b1fff UPGRADE_NSS_RELEASE, r=ckerschb
Differential Revision: https://phabricator.services.mozilla.com/D133905 |
|
Benjamin Beurdouche | 2ee234be4b |
Bug 1738222 - land NSS NSS_3_73_RTM UPGRADE_NSS_RELEASE, r=jschanck
Differential Revision: https://phabricator.services.mozilla.com/D132621 |
|
Benjamin Beurdouche | 9eb74dd71e |
Bug 1724869 - land NSS NSS_3_70_BETA1 UPGRADE_NSS_RELEASE, r=jschanck
```
2021-08-26 Benjamin Beurdouche <bbeurdouche@mozilla.com>
* lib/ssl/tls13con.c:
Backed out changeset fae49696d374
[e55700ee052e] [NSS_3_70_BETA1] <NSS_3_70_BRANCH>
* tests/tlsfuzzer/config.json.in, tests/tlsfuzzer/tlsfuzzer.sh:
Backed out changeset 7c3a0a99f7fa
[e79531c04e6b] <NSS_3_70_BRANCH>
* automation/abi-check/previous-nss-release, lib/nss/nss.h,
lib/softoken/softkver.h, lib/util/nssutil.h:
Set version numbers to 3.70 Beta
[cc0d44da6a0e]
2021-08-26 John M. Schanck <jschanck@mozilla.com>
* tests/tlsfuzzer/config.json.in, tests/tlsfuzzer/tlsfuzzer.sh:
Bug 1662515 - Enable tlsfuzzer/test-tls13-zero-content-type.py
r=bbeurdouche,djackson
[7c3a0a99f7fa]
2021-08-26 Benjamin Beurdouche <bbeurdouche@mozilla.com>
* lib/ssl/tls13con.c:
Bug 1662515 - Fix incorrect alert after successful decryption
r=djackson
[fae49696d374]
2021-08-24 Robert Relyea <rrelyea@redhat.com>
* tests/cert/cert.sh, tests/common/init.sh, tests/sdr/sdr.sh:
Bug 1726022 Update test case to verify fix.
Updated test cases to verify pbe caching fix. NOTE: putting
passwords on databases are key to reproducing the original issue.
[ff19b674c468]
2021-08-24 John M. Schanck <jschanck@mozilla.com>
* gtests/ssl_gtest/tls_ech_unittest.cc:
Bug 1714579 - Explicitly disable downgrade check in
TlsConnectStreamTls13.EchOuterWith12Max r=nss-reviewers,bbeurdouche
Depends on D123535
[608fd450d499]
* gtests/ssl_gtest/ssl_version_unittest.cc:
Bug 1714579 - Explicitly disable downgrade check in
TlsConnectTest.DisableFalseStartOnFallback r=nss-
reviewers,bbeurdouche
Depends on D122988
[7bd94de62243]
2021-08-24 Benjamin Beurdouche <bbeurdouche@mozilla.com>
* lib/util/nssb64d.c:
Formatting for lib/util
[db95b15ce1ff]
2021-08-24 John M. Schanck <jschanck@mozilla.com>
* lib/util/nssb64d.c:
Bug
|
|
Benjamin Beurdouche | 46e2563077 |
Bug 1724869 - land NSS 56238350052a UPGRADE_NSS_RELEASE, r=djackson
Differential Revision: https://phabricator.services.mozilla.com/D122202 |
|
Benjamin Beurdouche | a1a5fc3aa9 |
Bug 1720464 - land NSS e9236397be13 UPGRADE_NSS_RELEASE, r=beurdouche
```
2021-07-24 Benjamin Beurdouche <bbeurdouche@mozilla.com>
* doc/rst/build_artifacts.rst, doc/rst/community.rst, doc/rst/getting_started.rst, doc/rst/index.rst, doc/rst/more.rst, doc/rst/releases/index.rst, doc/rst/releases/nss_3_64.rst, doc/rst/releases/nss_3_65.rst, doc/rst/releases/nss_3_66.rst, doc/rst/releases/nss_3_67.rst, doc/rst/releases/nss_3_68.rst:
Documentation: update and release notes for NSS 3.64 to 3.68
[e9236397be13] [tip]
2021-07-20 Robert Relyea <rrelyea@redhat.com>
* gtests/ssl_gtest/nss_policy.h, gtests/ssl_gtest/ssl_auth_unittest.cc, gtests/ssl_gtest/ssl_extension_unittest.cc, gtests/ssl_gtest/tls_agent.cc, gtests/ssl_gtest/tls_agent.h, gtests/ssl_gtest/tls_connect.cc, lib/ssl/ssl3con.c, lib/ssl/sslimpl.h:
Bug 1720235 SSL handling of signature algorithms ignores environmental invalid algorithms.
Our QA is quite extensive on handling of alert corner cases. Our code that checks if a signature algorithm is supported ignores the role of policy. If SHA1 is turned off by policy, for instance, we only detect that late in the game. This shows up in our test cases as decrypt_alerts rather than illegal_parameter or handshake_error alerts. It also shows up in us apparently accepting a client auth request which only has invalid alerts. We also don't handle filtering out signature algorithms that are illegal in tls 13 mode. This patch not only fixes these issues, but also issues where we were proposing signature algorithms in server mode that we don't support by policy.
This patch includes:
In gtests:
1) adding support for policy in ssl_gtests. Currently both the server and client will run with the same policy. The patch allows us to set policy on one and keep the old policy on the other.
2) Update extension tests which failed in tls 1.3 because the patch now correctly rejects illegal tls 1.3 auth values. The test was updated to use a legal auth value in tls 1.3 (so we are correctly testing the format issue).
3) Update extension tests to handle the case where we try to use an illegal value for tls 1.3.
4) add tests to ssl_auth_unittests.cc to make sure we can properly connect even when several auth methods are turned off by policy (make sure we don't advertize them on the client side, and that the server doesn't select them when the client doesn't advertize them).
5) add tests to ssl_auth_unittests.cc to make sure we don't send empty client auth requests when the requester only sends invalid auth requests.
patch itself:
1) The handling of policy checks for ssl schemes were scattered in various locations. I've consolidated them into a single function. That function now checks for NSS_ALG_USE_IN_ANY_SIGNATURE as if this is off by policy, we will fail if we try to use the algorithm in a signature in any case. NSS now supports policy on all signature algorithms, not just DSA, so we need to check the policy of all the algorithms.
2) to support the policy check on the signature algorithms, I added a new ssl_AuthTypeToOID, which also replaces our switch in checking if the SPKI matches our auth type.
3) ssl_SignatureSchemeValid now accepts an spkiOid of SEC_OID_UNKNOWN. To allow us to filter signature schemes based on version and policy restrictions before we try to select a certificate. This prevents us from sending empty client auth messages when we are presented with only invalid signature schemes.
4) We filter supported algorithms against policy early, preventing us from sending, or even setting invalid algorithms if they are turned off by policy.
5) ssl_ConsumeSignatureScheme was handling alerts inconsistently. The Consume could send an alert in its failure case, but the check of scheme validity wouldn't send an alert. The callers were inconsistent as well. Now ssl_ConsumeSignatureScheme always sends an alert on failure, and the callers do not.
[c71bb1bedf7d]
```
Differential Revision: https://phabricator.services.mozilla.com/D120787 |
|
Benjamin Beurdouche | dde8b5dd22 |
Bug 1720464 - land NSS 8f41147c2192 UPGRADE_NSS_RELEASE, r=beurdouche
```
2021-07-22 Benjamin Beurdouche <bbeurdouche@mozilla.com>
* doc/rst/index.rst:
Display warning on the new NSS documentation
[8f41147c2192] [tip]
2021-07-20 Robert Relyea <rrelyea@redhat.com>
* lib/softoken/sdb.c:
Bug 1721476 sqlite 3.34 changed its open semantics, causing nss failures.
https://sqlite.org/forum/info/42cf8e985bb051a2
sqlite is now permissive on opening a readonly file even if you ask for the file to be opened R/W. normally sqlite is very conservative in changing its underlying semantics, but evidently they chose convenience over compatibility. NSS now needs to check the file permissions itself to preserve nss semantics.
[f2d34a957599]
2021-07-15 Robert Relyea <rrelyea@redhat.com>
* tests/common/init.sh, tests/common/parsegtestreport.sed, tests/common/parsegtestreport.sh, tests/gtests/gtests.sh, tests/ssl_gtests/ssl_gtests.sh:
Bug 1720230 Gtest update changed the gtest reports, losing gtest details in all.sh reports.
This patch includes the updated .sed script, and an experiment using bash instead to see how hard it would be to make a more robust parser. The robust parser generates identical output as sed, but takes about 30x longer, so instead of subsecond operations, it takes almost half a minute. With that result, I think we can stay with sed and continue to update when we get new versions of gtests. (sigh).
time cat report.xml.0 | sed -f parsegtestreport.sed > r1
real 0m0.710s
user 0m0.705s
sys 0m0.008s
time cat report.xml.0 | sh parsegtestreport.sh > r2
real 0m25.066s
user 0m17.759s
sys 0m9.506s
[rrelyea@localhost common]$ diff r1 r2
updated: with review comments from Martin and move the report parsing to the common code so it can be shared with both ssl_gtests and gtests shell scripts.
[f12856d5d2c2]
2021-07-13 Robert Relyea <rrelyea@redhat.com>
* gtests/softoken_gtest/softoken_dh_vectors.h, lib/softoken/pkcs11c.c, lib/softoken/pkcs11i.h, lib/softoken/pkcs11u.c, lib/softoken/sftkdhverify.c:
Bug 1720228 NSS incorrectly accepting 1536 bit DH primes in FIPS mode
When NSS is in FIPS mode, it should reject all primes smaller than 2048. The ike 1536 prime is in the accepted primes table. In FIPS mode it should be rejected.
[d2ec946e601a]
2021-07-15 Robert Relyea <rrelyea@redhat.com>
* cmd/manifest.mn, cmd/sdbthreadtst/Makefile, cmd/sdbthreadtst/manifest.mn, cmd/sdbthreadtst/sdbthreadtst.c, cmd/sdbthreadtst/sdbthreadtst.gyp, lib/softoken/sdb.c, lib/softoken/sftkdb.c, nss.gyp, tests/dbtests/dbtests.sh:
Bug 1720232 SQLite calls could timeout in starvation situations.
Some of our servers could cause random failures when trying to generate many key pairs from multiple threads. This is caused because some threads would starve long enough for them to give up on getting a begin transaction on sqlite. sqlite only allows one transaction at a time. Also, there were some bugs in error handling of the broken transaction case where NSS would try to cancel a transaction after the begin failed (most cases were correct, but one case in particular was problematic).
[b54b0d41e51b]
2021-07-13 Robert Relyea <rrelyea@redhat.com>
* lib/pk11wrap/pk11cxt.c, lib/pk11wrap/pk11hpke.c, lib/softoken/kbkdf.c, lib/softoken/sftkhmac.c, lib/softoken/sftkike.c:
Bug 1720225 Coverity/cpp scanner errors found in nss 3.67
A number of coverity/scanner issues were found in the kdf code which was added in nss 3.44 and the fixes never upstreamed, as well as coverity/scanner errors in nss 3.66. Not all errors were fixed, those errors which were determined to be false positives were just recorded. No attempt has been made to fix coverity/scanner errors in gtests.
[d1b9709d8861]
```
Differential Revision: https://phabricator.services.mozilla.com/D120624 |
|
Dorel Luca | df0ba034a0 | Backed out changeset 94ca8dafa006 (bug 1720464) for Browser-chrome failures in browser/base/content/test/performance/browser_startup_mainthreadio.js. UPGRADE_NSS_RELEASE CLOSED TREE | |
Benjamin Beurdouche | 9753f750fd |
Bug 1720464 - land NSS 8f41147c2192 UPGRADE_NSS_RELEASE, r=beurdouche
```
2021-07-22 Benjamin Beurdouche <bbeurdouche@mozilla.com>
* doc/rst/index.rst:
Display warning on the new NSS documentation
[8f41147c2192] [tip]
2021-07-20 Robert Relyea <rrelyea@redhat.com>
* lib/softoken/sdb.c:
Bug 1721476 sqlite 3.34 changed its open semantics, causing nss failures.
https://sqlite.org/forum/info/42cf8e985bb051a2
sqlite is now permissive on opening a readonly file even if you ask for the file to be opened R/W. normally sqlite is very conservative in changing its underlying semantics, but evidently they chose convenience over compatibility. NSS now needs to check the file permissions itself to preserve nss semantics.
[f2d34a957599]
2021-07-15 Robert Relyea <rrelyea@redhat.com>
* tests/common/init.sh, tests/common/parsegtestreport.sed, tests/common/parsegtestreport.sh, tests/gtests/gtests.sh, tests/ssl_gtests/ssl_gtests.sh:
Bug 1720230 Gtest update changed the gtest reports, losing gtest details in all.sh reports.
This patch includes the updated .sed script, and an experiment using bash instead to see how hard it would be to make a more robust parser. The robust parser generates identical output as sed, but takes about 30x longer, so instead of subsecond operations, it takes almost half a minute. With that result, I think we can stay with sed and continue to update when we get new versions of gtests. (sigh).
time cat report.xml.0 | sed -f parsegtestreport.sed > r1
real 0m0.710s
user 0m0.705s
sys 0m0.008s
time cat report.xml.0 | sh parsegtestreport.sh > r2
real 0m25.066s
user 0m17.759s
sys 0m9.506s
[rrelyea@localhost common]$ diff r1 r2
updated: with review comments from Martin and move the report parsing to the common code so it can be shared with both ssl_gtests and gtests shell scripts.
[f12856d5d2c2]
2021-07-13 Robert Relyea <rrelyea@redhat.com>
* gtests/softoken_gtest/softoken_dh_vectors.h, lib/softoken/pkcs11c.c, lib/softoken/pkcs11i.h, lib/softoken/pkcs11u.c, lib/softoken/sftkdhverify.c:
Bug 1720228 NSS incorrectly accepting 1536 bit DH primes in FIPS mode
When NSS is in FIPS mode, it should reject all primes smaller than 2048. The ike 1536 prime is in the accepted primes table. In FIPS mode it should be rejected.
[d2ec946e601a]
2021-07-15 Robert Relyea <rrelyea@redhat.com>
* cmd/manifest.mn, cmd/sdbthreadtst/Makefile, cmd/sdbthreadtst/manifest.mn, cmd/sdbthreadtst/sdbthreadtst.c, cmd/sdbthreadtst/sdbthreadtst.gyp, lib/softoken/sdb.c, lib/softoken/sftkdb.c, nss.gyp, tests/dbtests/dbtests.sh:
Bug 1720232 SQLite calls could timeout in starvation situations.
Some of our servers could cause random failures when trying to generate many key pairs from multiple threads. This is caused because some threads would starve long enough for them to give up on getting a begin transaction on sqlite. sqlite only allows one transaction at a time. Also, there were some bugs in error handling of the broken transaction case where NSS would try to cancel a transaction after the begin failed (most cases were correct, but one case in particular was problematic).
[b54b0d41e51b]
2021-07-13 Robert Relyea <rrelyea@redhat.com>
* lib/pk11wrap/pk11cxt.c, lib/pk11wrap/pk11hpke.c, lib/softoken/kbkdf.c, lib/softoken/sftkhmac.c, lib/softoken/sftkike.c:
Bug 1720225 Coverity/cpp scanner errors found in nss 3.67
A number of coverity/scanner issues were found in the kdf code which was added in nss 3.44 and the fixes never upstreamed, as well as coverity/scanner errors in nss 3.66. Not all errors were fixed, those errors which were determined to be false positives were just recorded. No attempt has been made to fix coverity/scanner errors in gtests.
[d1b9709d8861]
```
Differential Revision: https://phabricator.services.mozilla.com/D120624 |
|
Benjamin Beurdouche | 5227b2bd67 |
Bug 1715772 - land NSS NSS_3_68_RTM UPGRADE_NSS_RELEASE, r=beurdouche
Differential Revision: https://phabricator.services.mozilla.com/D119577 |
|
Benjamin Beurdouche | e070f79f95 |
Bug 1715772 - land NSS NSS_3_68_BETA1 UPGRADE_NSS_RELEASE, r=beurdouche
```
2021-07-01 Benjamin Beurdouche <bbeurdouche@mozilla.com>
* automation/release/nspr-version.txt:
Bug 1717452 - NSS 3.68 should depend on NSPR 4.32. r=kaie
[352fca8a348e] [NSS_3_68_BETA1]
2021-06-30 Robert Relyea <rrelyea@redhat.com>
* gtests/pk11_gtest/pk11_aeskeywrappad_unittest.cc, gtests/pk11_gtest/pk11_ecdsa_unittest.cc, gtests/pk11_gtest/pk11_keygen.cc, gtests/pk11_gtest/pk11_keygen.h, gtests/pk11_gtest/pk11_signature_test.cc, gtests/pk11_gtest/pk11_signature_test.h, gtests/ssl_gtest/libssl_internals.c, lib/pk11wrap/pk11pk12.c:
Bug 1693206 - Implement PKCS8 export of ECDSA keys patch by Christoph Walcher r=rrelyea, bbeurdouche
[9343c18b4df7]
2021-06-25 Martin Thomson <mt@lowentropy.net>
* gtests/ssl_gtest/ssl_extension_unittest.cc, lib/ssl/ssl3prot.h, lib/ssl/sslproto.h, lib/ssl/tls13con.c:
Bug 1712883 - DTLS 1.3 draft-43 r=bbeurdouche
[b2178fe9d27b]
2021-06-25 Makoto Kato <m_kato@ga2.so-net.ne.jp>
* automation/taskcluster/graph/src/extend.js, coreconf/WIN32.mk, coreconf/config.gypi, lib/freebl/Makefile, lib/freebl/freebl.gyp, lib/freebl/sha256-x86.c, lib/freebl/sha512.c:
Bug 1655493 - Support SHA2 HW acceleration using Intel SHA Extension. r=bbeurdouche
Before applying (on Ryzen 9 3900X)
    # mode in opreps cxreps context op time(sec) thrgput
    sha256_e 1Gb 208Mb 23M 0 0.000 10000.000 10.000 123Mb 301Kb
After applying
    # mode in opreps cxreps context op time(sec) thrgput
    sha256_e 5Gb 797Mb 110M 0 0.000 10000.000 10.000 591Mb 769Kb
[65a7c7b3f182]
2021-05-31 Martin Thomson <mt@lowentropy.net>
* gtests/ssl_gtest/libssl_internals.c, gtests/ssl_gtest/libssl_internals.h, gtests/ssl_gtest/tls_ech_unittest.cc, lib/ssl/manifest.mn, lib/ssl/ssl.gyp, lib/ssl/tls13ech.c, lib/ssl/tls13ech.h, lib/ssl/tls13echv.c, lib/util/seccomon.h:
Bug 1713562 - Validate ECH public names, r=bbeurdouche
This validates that they are LDH (with underscore because we don't hate freedom), but that they are not IP addresses. This invokes the horrible WhatWG IP parsing routines, so that it recognizes a vast array of crazy address formats (thanks 1980s design).
[ac81f721cbbf]
```
Differential Revision: https://phabricator.services.mozilla.com/D119026 |
|
Julien Cristau | 8376ac4322 |
Bug 1713766 - land NSS NSS_3_67_RTM UPGRADE_NSS_RELEASE, r=bbeurdouche,aryx
Differential Revision: https://phabricator.services.mozilla.com/D117422 |
|
Benjamin Beurdouche | bde2949605 |
Bug 1711262 - land NSS 8c299ec6b2bc UPGRADE_NSS_RELEASE, r=beurdouche
Differential Revision: https://phabricator.services.mozilla.com/D115395 |
|
Benjamin Beurdouche | 5a5e62989c |
Bug 1705477 - land NSS NSS_3_65_RTM UPGRADE_NSS_RELEASE, r=beurdouche
2021-05-14 Benjamin Beurdouche <bbeurdouche@mozilla.com>
* lib/nss/nss.h, lib/softoken/softkver.h, lib/util/nssutil.h:
Set version numbers to 3.65 final
[0e785b3a4a10] [NSS_3_65_RTM] <NSS_3_65_BRANCH>
* .hgtags:
Added tag NSS_3_65_BETA1 for changeset 1bdb4713e2f0
[6f4869107d74] <NSS_3_65_BRANCH>
2021-05-11 Robert Relyea <rrelyea@redhat.com>
* gtests/pk11_gtest/pk11_hpke_unittest.cc:
fix clang format error from patch for bug 1709750
[1bdb4713e2f0] [NSS_3_65_BETA1]
* coreconf/NetBSD.mk:
Bug 1709654 Update for NetBSD configuration patch by Thomas Klausner r=rrelyea
In the NetBSD configuration, the symbol hiding flags are not defined. This leads to conflicts when openssl and nss are linked into the same binary. For a longer discussion on the topic, see https://groups.google.com/a/mozilla.org/g/dev-tech-crypto/c/Al0Pt0zhARE
Match more closely to OpenBSD.mk, and in particular, hide symbols (MAPFILE).
- fix wrong value of CPU_ARCH on NetBSD/evbarm-earmv7f
- s/aarch64eb/aarch64/
[a7769615f285]
Differential Revision: https://phabricator.services.mozilla.com/D115135 |
|
Benjamin Beurdouche | 6f107407c9 |
Bug 1705477 - land NSS 1d066793c349 UPGRADE_NSS_RELEASE, r=beurdouche
2021-05-06 Martin Thomson <mt@lowentropy.net>
* gtests/pk11_gtest/pk11_hpke_unittest.cc:
Bug 1709750 - Disable HPKE test when fuzzing, r=bbeurdouche
[1d066793c349] [tip]

2021-05-05 Benjamin Beurdouche <bbeurdouche@mozilla.com>
* lib/freebl/ppc-gcm-wrap.c, lib/freebl/ppc-gcm.h:
Bug 1566124 - Clang format run. r=beurdouche
[cb714d62058c]

2021-05-05 mamonet <maamoun.tk@gmail.com>
* lib/freebl/Makefile, lib/freebl/freebl.gyp, lib/freebl/ppc-gcm-wrap.c, lib/freebl/ppc-gcm.h, lib/freebl/ppc-gcm.s, lib/freebl/rijndael.c:
[1133fef2f7ce]

2021-03-17 Martin Thomson <mt@lowentropy.net>
* gtests/common/testvectors/hpke-convert.py, gtests/common/testvectors/hpke-vectors.h, lib/pk11wrap/pk11hpke.c, lib/pk11wrap/pk11hpke.h:
Bug 1699021 - Add AES-256-GCM to HPKE, r=bbeurdouche
[9fa53d717386]
* automation/abi-check/expected-report-libssl3.so.txt, cmd/selfserv/selfserv.c, gtests/ssl_gtest/libssl_internals.c, gtests/ssl_gtest/libssl_internals.h, gtests/ssl_gtest/tls_connect.cc, gtests/ssl_gtest/tls_connect.h, gtests/ssl_gtest/tls_ech_unittest.cc, lib/ssl/sslexp.h, lib/ssl/sslsock.c, lib/ssl/sslt.h, lib/ssl/tls13ech.c, lib/ssl/tls13ech.h, lib/ssl/tls13exthandle.c, lib/ssl/tls13hashstate.c, lib/ssl/tls13hashstate.h:
Bug 1698419 - ECH -10 updates, r=bbeurdouche
The main changes here are:
* an update to HPKE -08
* a move to the single-byte configuration ID
* reordering of ECHConfig
The addition of the explicit configuration ID means that the API for constructing ECHConfig(List) needs to change. That means a name change, unfortunately. I took the opportunity to make further changes to the arguments.
[fa93bd88b690]

2021-03-16 Martin Thomson <mt@lowentropy.net>
* coreconf/config.gypi, coreconf/config.mk, gtests/common/testvectors/hpke-convert.py, gtests/common/testvectors/hpke-vectors.h, gtests/pk11_gtest/pk11_hpke_unittest.cc, gtests/ssl_gtest/ssl_auth_unittest.cc, gtests/ssl_gtest/ssl_tls13compat_unittest.cc, gtests/ssl_gtest/tls_ech_unittest.cc, lib/pk11wrap/pk11hpke.c, lib/pk11wrap/pk11hpke.h, lib/pk11wrap/pk11pub.h, lib/ssl/tls13ech.c:
Bug 1692930 - Update HPKE to final version, r=bbeurdouche
This adds the final HPKE version string. This removes the draft version markers from the implementation and stops tracking the draft version with the exported syntax.
I've added the script that I used to convert the JSON test vectors from the specification; that should allow us to pick up new tests relatively easily, especially if we need to add new algorithms.
This change breaks several ECH test cases. As fixing those tests is extraordinarily fiddly, I'm going to defer making those changes until we need to update ECH. As we can't land this code until ECH is updated to depend on the final HPKE and until we have coordinated with servers on when the ECH update can be deployed, it should be OK to defer.
In short, don't land this without the matching ECH changes.
[e78141a928f4]

2021-05-04 Robert Relyea <rrelyea@redhat.com>
* automation/abi-check/expected-report-libnss3.so.txt, cmd/lib/basicutil.h, cmd/lib/secutil.c, cmd/lib/secutil.h, cmd/pk12util/pk12util.c, cmd/pp/pp.c, doc/pk12util.xml, doc/pp.xml, lib/nss/nss.def, lib/pk11wrap/pk11akey.c, lib/pk11wrap/pk11pub.h, lib/pkcs12/p12d.c, lib/pkcs12/p12e.c, lib/pkcs12/p12local.c, lib/pkcs12/p12local.h, lib/pkcs12/p12plcy.c, lib/util/secoidt.h, tests/tools/tools.sh:
Bug 1707130 NSS should use modern algorithms in PKCS#12 files by default r=mt
Also fixes:
Bug 452464 pk12util -o fails when -C option specifies AES or Camellia ciphers
Related:
Bug 1694689 Firefox should use modern algorithms in PKCS#12 files by default
Bug 452471 pk12util -o fails when -c option specifies pkcs12v2 PBE ciphers
The base of this fix was a simple 3 line fix in pkcs12.c, changing the initial setting of cipher and cert cipher. Overview for why this patch is larger than just 3 lines:
1. First issue was found in trying to change the mac hashing value.
a. While the decrypt side knew how to handle SHA2 hashes, the equivalent code was not updated on the encrypt side. I refactored that code and placed the common function in p12local.c. Now p12e.c and p12d.c share common code to find the required function to produce the mac key.
b. The prf hmac was hard coded to SHA1. I changed the code to pass the hmac matching the hashing algorithm for the mac. This required changes to p12e.c to calculate and pass the new hmac as well and adding new PK11_ExportEncryptedPrivateKey and PK11_ExportEncryptedPrivKey to take the PKCS #5 v2 parameters. I also corrected an error which prevented pkcs12 encoding of ciphers other than AES.
2. Once I've made my changes, I realized we didn't have a way of testing them. While we had code that verified that particular sets of parameters for pkcs12 worked together and could be listed and imported, we didn't have a way to verify what algorithms were actually generated by our tools.
a. pk12util -l doesn't list the encryption used for the certs, so I updated pp to take a pkcs12 option. In doing so I had to update pp to handle indefinite encoding when decoding blocks. I also factored that decoding out in its own function so the change only needed to be placed once. Finally I re-enabled a function which prints the output of an EncryptedPrivate key. This function was disabled long ago when the Encrypted Private key info was made private for NSS. It has since been exported, so these functions could easily be enabled (archeological note: I verified that this disabling was not a recent thing; I found I had done it back when I still had a netscape email address;).
b. I updated tools.sh to use the new pp -t pkcs12 feature to verify that the key encryption, cert encryption, and hash functions matched what we expected when we exported a new key. I also updated tools.sh to handle the new hash variable option to pk12util.
c. I discovered several tests commented out with comments that they don't work. I enabled those tests and discovered that they can now encrypt, but they can't decrypt because of pkcs12 policy. I updated the policy code, but I updated it to use the new NSS system wide policy mechanism. This enabled all the ciphers to work. There is still policy work to do. The pk12 policy currently only prevents ciphers from use in decrypting the certificates, not decrypting the keys and not encrypting. I left that for future work.
3. New options for pp and pk12util were added to the man pages for these tools.
---------------------------------------------------------------------------
With that in mind, here's a file by file description of the patch:
automation/abi-check/expected-report-libnss3.so.txt
-Add new exported functions. (see lib/nss/nss.def)
cmd/lib/basicutil.h:
-Removed the HAVE_EPV_TEMPLATE ifdefs (NSS has exported the Encrypted Private Key data structure for a while now.
cmd/lib/secutil.c:
global: Updated several functions to take a const char * m (message) rather than a char * m
global: Made the various PrintPKCS7 return an error code.
global: Added a state variable to be passed around the various PKCS7 Print functions. It gives the proper context to interpret PKCS7 Data Content. PKCS 12 used PKCS7 to package the various PKCS12 Safes and Bags.
-Updated SECU_StripTagAndLength to handle indefinite encoding, and to set the Error code.
-Added SECU_ExtractDERAndStep to grab the next DER Tag, Length, and Data.
-Updated secu_PrintRawStringQuotesOptional to remove the inline DER parsing and use SECU_ExtractDERAndStep().
-Updated SECU_PrintEncodedObjectID to return the SECOidTag just like SECU_PrintObjectID.
-Re-enable SECU_PrintPrivateKey
-Added secu_PrintPKCS12Attributes to print out the Attributes tied to a PKCS #12 Bag
-Added secu_PrintPKCS12Bag to print out a PKCS #12 Bag
-Added secu_PrintPKCS7Data, which uses the state to determine what it was printing out.
-Added secu_PrintDERPKCS7ContentInfo which is identical to the global function SECU_PrintPKCS7ContentInfo except it takes a state variable. The latter function now calls the former.
-Added secu_PrintPKCS12DigestInfo to print the Hash information of the Mac. DigestInfo is the name in the PKCS 12 spec.
-Added secu_PrintPKCS12MacData to print the Mac portion of the PKCS 12 file.
-Added SECU_PrintPKCS12 to print out the pkcs12 file.
cmd/lib/secutil.h
-Added string for pkcs12 for the command line of pp
-re-enabled SECU_PrintPrivateKey
-Added SECU_PrintPKCS12 for export.
cmd/pk12util/pk12util.c
-Added the -M option to specify a hash algorithm for the mac.
updated P12U_ExportPKCS12Object: pass the hash algorithm to the PasswordIntegrity handler.
-Added PKCS12U_FindTagFromString: generalized string to SECOidTag which only filters based on the oid having a matching PKCS #11 mechanism.
updated PKCS12U_MapCipherFromString to use PKCS12U_FindTagFromString to get the candidate tag before doing its post processing to decide if the tag is really an encryption algorithm.
-Added PKCS12U_MapHashFromString which is like MapCipherFromString except it verifies the resulting tag is a hash object.
-Updated main to 1) change the default cipher, change the default certCipher, and process the new hash argument.
NOTE: in the old code we did not encrypt the certs in FIPS mode. That's because the certs were encrypted with RC4 in the default pkcs12 file, which wasn't a FIPS algorithm. Since AES is, we can use it independent of whether or not we are in FIPS mode.
cmd/pp/pp.c
-Added the pkcs12 option which calls SECU_PrintPKCS12 from secutil.c
lib/nss/nss.def
-Add exports to the new PK11_ExportEncryptedPrivKeyInfoV2 and PK11_ExportEncryptedPrivateKeyInfoV2 (V2 means PKCS 5 v2, not Version 2 of ExportEncrypted*Info).
-Add export for the old HASH_GetHMACOidTagByHashOidTag which should have been exported long ago to avoid the proliferation of copies of this function in places like ssl.
lib/pk11wrap/pk11akey.c
-Add PK11_ExportEncryptedPrivKeyInfoV2 (which the old function now calls), which takes the 3 PKCS 5 v2 parameters. The underlying pkcs5 code can fill in missing tags if necessary, but supplying all three gives the caller full control of the underlying pkcs5 PBE used.
-Add PK11_ExportEncryptedPrivateKeyInfoV2, same as the above function except it takes a cert which is used to look up the private key. It's the function that pkcs12 actually uses, but the former was exported for completeness.
lib/pk11wrap/pk11pub.h
-Added the new PK11_ExportEncryptedPriv*KeyInfoV2 functions.
lib/pkcs12/p12d.c
-Remove the switch statement and place it in p12local.c so that p12e.c can use the same function.
lib/pkcs12/p12e.c
-Remove the unnecessary privAlg check so we can encode any mechanism we support. This only prevented encoding certificates in the pk12 file, not the keys.
-add code to get the hmac used in the pbe prf from the integrity hash, which is under application control.
-Do the same for key encryption, then use the new PK11_ExportEncryptedPrivateKeyInfo to pass that hash value.
-Use the new sec_pkcs12_algtag_to_keygen_mech so there is only one switch statement to update rather than 2.
-Update the hash data to hold the length of the largest hash rather than the length of a SHA1 hash.
lib/pkcs12/p12local.c
-Add new function sec_pkcs12_algtag_to_keygen_mech to factor out the common switch statement between p12e and p12d.
lib/pkcs12/p12local.h
-Export the new sec_pkcs12_algtag_to_keygen_mech
lib/pkcs12/p12plcy.c
-Map the old p12 policy functions to use the new NSS_GetAlgorithmPolicy. We keep the old table so that applications can change the policy with the old PKCS12 specific defines (so the old code keeps working). NOTE: policies now default to true rather than false.
lib/util/secoidt.h
-Add new NSS_USE_ALG_IN_PKCS12 used by pk11plcy.c
NOTE: I have not updated the policy table in pk11wrap/pk11pars.c, so we can't yet control pkcs12 policy with the nss system policy table. That's a patch for another time.
test/tools/tool.sh
-global: Remove trailing spaces
-global: DEFAULT is changed to 'default'
-Update the PBE mechanism to exactly match the string in secoid.c. PKCS #12 does case independent compares, so case doesn't matter there, but now I'm comparing to the output of pp, and I didn't want to spend the time to figure out case independent compares in bash.
-Add our defaults and shell variables at the top so they are easy to change in the future. export_with_*** have all been collapsed into a single export_p12_file which handles taking 'default' and turning off that argument.
-Add for loops for the hash functions.
-Restore the camellia ciphers back now that they work.
-Restore the pkcs12V2pbe back now that they work.
-Collect various pbe types into single variables and use those variables in loops
-Reduce the number of tests run in optimized mode (which takes 60x the time to do a pbe than debug mode based on a larger iterator).
-Add verify_p12 which dumps out the p12 file and makes sure the expected CERT_ENCRYPTION, KEY_ENCRYPTION, and HASH are used.
doc/pp.xml
-Add pkcs12 option
doc/pk12util.xml
-Add -M option
-Update synopsis with options in the description but not in the synopsis
[0a1687e1b39e]
Differential Revision: https://phabricator.services.mozilla.com/D114584 |
|
Benjamin Beurdouche | 37aa935e43 |
Bug 1705477 - land NSS c982fb957516 UPGRADE_NSS_RELEASE, r=beurdouche
Differential Revision: https://phabricator.services.mozilla.com/D114231 |
|
Benjamin Beurdouche | 6dfa84bd39 |
Bug 1688685 - land NSS NSS_3_62_BETA1 UPGRADE_NSS_RELEASE, r=mt
2021-02-05 Danh <congdanhqx@gmail.com>
* gtests/manifest.mn:
Bug 1688374 - Fix parallel build NSS-3.61 with make. r=kjacobs
[a5c857139b37] [NSS_3_62_BETA1]

2021-02-05 Robert Relyea <rrelyea@redhat.com>
* lib/libpkix/pkix/util/pkix_tools.c:
Bug 1682044 pkix_Build_GatherCerts() + pkix_CacheCert_Add() can corrupt "cachedCertTable"
Patch by Andrew Cagney
Preliminary Review by Ryan Sleevie
Tested against all.sh rrelyea.
r=kjacobs
(this bug is old)
pkix_Build_GatherCerts() has two code paths for creating the list "certsFound":
pkix_CacheCert_Lookup()
this sets "certsFound" to a new list
"certsFound" and "cachedCertTable" share items but not the list
pkix_CacheCert_Add(pkix_pl_Pk11CertStore_CertQuery())
this sets "certsFound" to a new list; and then adds the list to "cachedCertTable"
"certsFound" and "cachedCertTable" share a linked list
Because the latter doesn't create a separate list, deleting list elements from "certsFound" can also delete list elements from within "cacheCertTable". And if this happens while pkix_CacheCert_Lookup() is trying to update the same element's reference, a core dump can result.
In detail (note that reference counts may occasionally seem off by 1, it's because data is being captured before function local variables release their reference):
pkix_Build_GatherCerts() calls pkix_pl_Pk11CertStore_CertQuery() (via a pointer) to set "certsFound":
```
PKIX_CHECK(getCerts (certStore, state->certSel, state->verifyNode, &nbioContext, &certsFound, plContext), PKIX_GETCERTSFAILED);
```
it then calls:
```
PKIX_CHECK(pkix_CacheCert_Add (certStore, certSelParams, certsFound, plContext), PKIX_CACHECERTADDFAILED);
```
[dafda4eee75c]
Differential Revision: https://phabricator.services.mozilla.com/D105209 |
|
Benjamin Beurdouche | d901b16ba2 |
Bug 1688685 - land NSS fc3a4c142c16 UPGRADE_NSS_RELEASE, r=kjacobs
2021-02-04 Kevin Jacobs <kjacobs@mozilla.com>
* gtests/ssl_gtest/ssl_recordsize_unittest.cc, lib/ssl/ssl3ext.c:
Bug 1690583 - Fix CH padding extension size calculation. r=mt
Bug 1654332 changed the way that NSS constructs Client Hello messages. `ssl_CalculatePaddingExtLen` now receives a `clientHelloLength` value that includes the 4B handshake header. This looks okay per the inline comment (which states that only the record header is omitted from the length), but the function actually assumes that the handshake header is also omitted. This patch removes the addition of the handshake header length. Those bytes are already included in the buffered CH.
[fc3a4c142c16] [tip]
* automation/abi-check/expected-report-libnss3.so.txt:
Bug 1690421 - Adjust 3.62 ABI report formatting for new libabigail. r=bbeurdouche
[a1ed44dba32e]

2021-02-03 Kevin Jacobs <kjacobs@mozilla.com>
* automation/taskcluster/docker-builds/Dockerfile:
Bug 1690421 - Install packaged libabigail in docker-builds image r=bbeurdouche
[3c719b620136]

2021-01-31 Kevin Jacobs <kjacobs@mozilla.com>
* cmd/selfserv/selfserv.c, cmd/tstclnt/tstclnt.c, lib/ssl/tls13hashstate.c, lib/ssl/tls13hashstate.h:
Bug 1689228 - Minor ECH -09 fixes for interop testing, fuzzing. r=mt
A few minor ECH -09 fixes for interop testing and fuzzing:
- selfserv now takes a PKCS8 keypair for ECH. This is more maintainable and significantly less terrible than parsing the ECHConfigs and cobbling one together within selfserv (e.g. we can support other KEMs without modifying the server).
- Get rid of the newline character in tstclnt retry_configs output.
- Fuzzer fixes in tls13_HandleHrrCookie:
  - We shouldn't use internal_error when PK11_HPKE_ImportContext fails. Cookies are unprotected in fuzzer mode, so this can be expected to occur.
  - Only restore the application token when recovering hash state, otherwise the copy could happen twice, leaking one of the allocations.
[8bbea1902024]

2021-01-25 Kevin Jacobs <kjacobs@mozilla.com>
* lib/ssl/ssl3exthandle.c:
Bug 1674819 - Fixup a51fae403328, enum type may be signed. r=bbeurdouche
[2004338a2080]
Differential Revision: https://phabricator.services.mozilla.com/D104258 |
|
Kevin Jacobs | f9716bc8ab |
Bug 1688685 - land NSS 92dcda94c1d4 UPGRADE_NSS_RELEASE, r=bbeurdouche
2021-01-22 Kevin Jacobs <kjacobs@mozilla.com>
* automation/abi-check/previous-nss-release, lib/nss/nss.h, lib/softoken/softkver.h, lib/util/nssutil.h:
Set version numbers to 3.62 Beta
[680ec01577b9]

2021-01-23 Kevin Jacobs <kjacobs@mozilla.com>
* tests/chains/scenarios/nameconstraints.cfg, tests/libpkix/certs/NameConstraints.ipaca.cert, tests/libpkix/certs/NameConstraints.ocsp1.cert:
Bug 1686134 - Renew two chains libpkix test certificates. r=rrelyea
[3ddcd845704c]

2021-01-25 Kevin Jacobs <kjacobs@mozilla.com>
* gtests/common/testvectors/hpke-vectors.h, gtests/pk11_gtest/pk11_hpke_unittest.cc, lib/pk11wrap/pk11hpke.c, lib/pk11wrap/pk11hpke.h, lib/pk11wrap/pk11pub.h:
Bug 1678398 - Update HPKE to draft-07. r=mt
This patch updates HPKE to draft-07. A few other minor changes are included:
- Refactor HPKE gtests for increased parameterized testing.
- Replace memcpy calls with PORT_Memcpy
- Serialization tweaks to make way for context Export/Import (D99277).
This should not be landed without an ECH update, as fixed ECH test vectors will otherwise fail to decrypt.
[e0bf8cadadc7]
* automation/abi-check/expected-report-libnss3.so.txt, gtests/pk11_gtest/pk11_hpke_unittest.cc, lib/nss/nss.def, lib/pk11wrap/pk11hpke.c, lib/pk11wrap/pk11pub.h:
Bug 1678398 - Add Export/Import functions for HPKE context. r=mt
This patch adds and exports two new HPKE functions: `PK11_HPKE_ExportContext` and `PK11_HPKE_ImportContext`, which are used to export a serialized HPKE context, then later reimport that context and resume Open and Export operations. Only receiver contexts are currently supported for export (see the rationale in pk11pub.h).
One other change introduced here is that `PK11_HPKE_GetEncapPubKey` now works as expected on the receiver side.
If the `wrapKey` argument is provided to the Export/Import functions, then the symmetric keys are wrapped with AES Key Wrap with Padding (SP800-38F, 6.3) prior to serialization.
[8bcd12ab3b34]
* automation/abi-check/expected-report-libssl3.so.txt, gtests/ssl_gtest/libssl_internals.c, gtests/ssl_gtest/libssl_internals.h, gtests/ssl_gtest/ssl_extension_unittest.cc, gtests/ssl_gtest/tls_ech_unittest.cc, lib/ssl/ssl3con.c, lib/ssl/ssl3ext.c, lib/ssl/ssl3ext.h, lib/ssl/sslexp.h, lib/ssl/sslimpl.h, lib/ssl/sslsecur.c, lib/ssl/sslsock.c, lib/ssl/sslt.h, lib/ssl/tls13con.c, lib/ssl/tls13con.h, lib/ssl/tls13ech.c, lib/ssl/tls13ech.h, lib/ssl/tls13exthandle.c, lib/ssl/tls13exthandle.h, lib/ssl/tls13hashstate.c, lib/ssl/tls13hashstate.h:
Bug 1681585 - Update ECH to Draft-09. r=mt
This patch updates ECH implementation to draft-09. Changes of note are:
- Acceptance signal derivation is now based on the handshake secret.
- `config_id` hint changes from 32B to 8B, trial decryption added on the server.
- Duplicate code in HRR cookie handling has been consolidated into `tls13_HandleHrrCookie`.
- `ech_is_inner` extension is added, which causes a server to indicate ECH acceptance.
- Per the above, support signaling ECH acceptance when acting as a backend server in split-mode (i.e. when there is no other local Encrypted Client Hello state).
[ed07a2e2a124]

2021-01-24 Kevin Jacobs <kjacobs@mozilla.com>
* cmd/selfserv/selfserv.c:
Bug 1681585 - Add ECH support to selfserv. r=mt
Usage example:
```
mkdir dbdir && cd dbdir
certutil -N -d .
certutil -S -s "CN=ech-public.com" -n ech-public.com -x -t "C,C,C" -m 1234 -d .
certutil -S -s "CN=ech-private-backend.com" -n ech-private-backend.com -x -t "C,C,C" -m 2345 -d .
../dist/Debug/bin/selfserv -a ech-public.com -a ech-private-backend.com -n ech-public.com -n ech-private-backend.com -p 8443 -d dbdir/ -X publicname:ech-public.com
```
(Copy echconfig from selfserv output and paste into the below command)
```
../dist/Debug/bin/tstclnt -D -p 8443 -v -A tests/ssl/sslreq.dat -h ech-private-backend.com -o -N <echconfig> -v
```
[92dcda94c1d4]
Differential Revision: https://phabricator.services.mozilla.com/D102982 |
|
Kevin Jacobs | 4d02d441fc |
Bug 1684061 - land NSS a8de35c990e3 UPGRADE_NSS_RELEASE, r=bbeurdouche
2021-01-13 Kevin Jacobs <kjacobs@mozilla.com>
* gtests/softoken_gtest/manifest.mn:
Bug 1684300 - Define USE_STATIC_LIBS=1 for softoken_gtest make builds. r=bbeurdouche
[a8de35c990e3] [tip]
* gtests/softoken_gtest/manifest.mn, gtests/softoken_gtest/softoken_gtest.cc, gtests/softoken_gtest/softoken_gtest.gyp, lib/softoken/sftkdb.c, tests/gtests/gtests.sh:
Bug 1684300 - Disable legacy storage when compiled with NSS_DISABLE_DBM. r=mt
[d4991bb56852]
Differential Revision: https://phabricator.services.mozilla.com/D101703 |
|
Kevin Jacobs | 1eb47f6133 |
Bug 1684061 - land NSS 97ef009f7a78 UPGRADE_NSS_RELEASE, r=bbeurdouche
2020-12-11 Kevin Jacobs <kjacobs@mozilla.com>
* automation/abi-check/expected-report-libssl3.so.txt, automation/abi-check/previous-nss-release, lib/nss/nss.h, lib/softoken/softkver.h, lib/util/nssutil.h:
Set version numbers to 3.61 Beta
[f277d2674c80]
* gtests/<...>
Bug 1677207 - Update Google Test to release-1.10.0 r=bbeurdouche
./gtests/google_test/update.sh release-1.10.0 && hg remove -A && hg add gtests/google_test/*
[89141382df45]
* gtests/<...>
Bug 1677207 - Replace references to TestCase, which is deprecated, with TestSuite r=bbeurdouche
grep -rl --exclude-dir=google_test INSTANTIATE_TEST_CASE_P gtests | xargs sed -i '' s/INSTANTIATE_TEST_CASE_P/INSTANTIATE_TEST_SUITE_P/g
grep -rl --exclude-dir=google_test SetUpTestCase gtests | xargs sed -i '' s/SetUpTestCase/SetUpTestSuite/g
[e15b78be87fa]
* gtests/ssl_gtest/ssl_ciphersuite_unittest.cc, gtests/ssl_gtest/ssl_debug_env_unittest.cc, gtests/ssl_gtest/ssl_extension_unittest.cc, gtests/ssl_gtest/ssl_loopback_unittest.cc, gtests/ssl_gtest/ssl_renegotiation_unittest.cc, gtests/ssl_gtest/ssl_resumption_unittest.cc, gtests/ssl_gtest/ssl_version_unittest.cc, gtests/ssl_gtest/tls_ech_unittest.cc:
Bug 1677207 - Use GTEST_SKIP in ssl_gtests. r=bbeurdouche
[0772f1bf5fd6]

2020-12-17 Robert Relyea <rrelyea@redhat.com>
* gtests/common/testvectors/ike-aesxcbc-vectors.h, gtests/common/testvectors/ike-sha1-vectors.h, gtests/common/testvectors/ike-sha256-vectors.h, gtests/common/testvectors/ike-sha384-vectors.h, gtests/common/testvectors/ike-sha512-vectors.h, gtests/common/testvectors_base/test-structs.h, gtests/pk11_gtest/manifest.mn, gtests/pk11_gtest/pk11_gtest.gyp, gtests/pk11_gtest/pk11_ike_unittest.cc, lib/softoken/sftkike.c:
Bug 1682071 IKE Quick mode IPSEC give you incorrect keys if you are asking for keys smaller than the hash size. IKE Appendix B fixes.
This patch fixes 2 problems.
If you run either ike v1 App B or quick mode asking for a key with length mod macsize = 0, you will generate an extra block that's not used and overwrites the end of the buffer.
If you use quick mode, the function incorrectly subsets the existing key rather than generating a new key. This is correct behavior for Appendix B, where appendix B is trying to take a generated key and create a new longer key (with no diversification, just transform the key into something that's longer), so if you ask for a key less than or equal to, then you want to just subset the original key. In quick mode you are taking a base key and creating a set of new keys based on additional data, so you want to subset the generated data. This patch only subsets the original key if you aren't doing quickmode.
Full test vectors have now been added for all ike modes in this patch as well (previously we depended on the FIPS CAVS tests to test ike, which covers basic IKEv1, IKEv1_psk, and IKEv2 but not IKEv1 App B and IKE v1 Quick mode).
[f4995c9fa185]

2020-12-18 Robert Relyea <rrelyea@redhat.com>
* gtests/common/testvectors/rsa_pkcs1_2048_test-vectors.h, gtests/common/testvectors/rsa_pkcs1_3072_test-vectors.h, gtests/common/testvectors/rsa_pkcs1_4096_test-vectors.h, gtests/freebl_gtest/Makefile, gtests/freebl_gtest/manifest.mn, gtests/freebl_gtest/rsa_unittest.cc, gtests/manifest.mn, gtests/pk11_gtest/pk11_rsaencrypt_unittest.cc, gtests/pk11_gtest/pk11_rsaoaep_unittest.cc, lib/freebl/alghmac.c, lib/freebl/alghmac.h, lib/freebl/rsapkcs.c:
Bug 1651411 New tlsfuzzer code can still detect timing issues in RSA operations.
This patch defeats Bleichenbacher by not trying to hide the size of the decrypted text, but to hide if the text succeeded or failed. This is done by generating a fake returned text that's based on the key and the cipher text, so the fake data is always the same for the same key and cipher text. Both the length and the plain text are generated with a prf.
Here's the proposed spec the patch codes to:
1. Use SHA-256 to hash the private exponent encoded as a big-endian integer to a string the same length as the public modulus. Keep this value secret. (this is just an optimisation so that the implementation doesn't have to serialise the key over and over again)
2. Check the length of input according to step one of https://tools.ietf.org/html/rfc8017#section-7.2.2
3. When provided with a ciphertext, use SHA-256 HMAC(key=hash_from_step1, text=ciphertext) to generate the key derivation key
4. Use SHA-256 HMAC with key derivation key as the key and a two-byte big-endian iterator concatenated with byte string "length" with the big-endian representation of 2048 (0x0800) as the bit length of the generated string.
- Iterate this PRF 8 times to generate a 256 byte string
5. initialise the length of synthetic message to 0
6. split the PRF output into 2 byte strings, convert into big-endian integers, zero-out high-order bits so that they have the same bit length as the octet length of the maximum acceptable message size (k-11), select the last integer that is no larger than (k-11) or remain at 0 if no integer is smaller than (k-11); this selection needs to be performed using side-channel free operators
7. Use SHA-256 HMAC with key derivation key as the key and a two-byte big-endian iterator concatenated with byte string "message" with the big-endian representation of k*8
- use this PRF to generate k bytes of output (right-truncate last HMAC call if the number of generated bytes is not a multiple of SHA-256 output size)
8. perform the RSA decryption as described in step 2 of section 7.2.2 of rfc8017
9. Verify the EM message padding as described in step 3 of section 7.2.2 of rfc8017, but instead of outputting "decryption error", return the last l bytes of the "message" PRF, when l is the selected synthetic message length using the "length" PRF, make this decision and copy using side-channel free operation
[fc05574c7399]

2020-12-22 Robert Relyea <rrelyea@redhat.com>
* gtests/freebl_gtest/rsa_unittest.cc, gtests/pk11_gtest/pk11_rsaoaep_unittest.cc, lib/freebl/alghmac.c, lib/freebl/rsapkcs.c:
Restore lost portion of the bleichenbacher timing patch that addressed review comments. All the review comments pertained to actual code comments, so this patch only affects the comments.
[fcebe146314e]

2020-12-22 Kevin Jacobs <kjacobs@mozilla.com>
* lib/dev/devslot.c:
Bug 1682863 - Revert nssSlot_IsTokenPresent to 3.58 after ongoing Fx hangs with slow PKCS11 devices. r=bbeurdouche
This patch reverts the `nssSlot_IsTokenPresent` changes made in bug 1663661 and bug 1679290, restoring the version used in NSS 3.58 and earlier. It's not an actual `hg backout` because the comment in lib/dev/devt.h is worth keeping.
While removing the nested locking did resolve the hang for some (most?) third-party modules, problems remain with some slower tokens after an even further relaxation of the locking, which defeats the purpose of addressing the races in the first place. The crash addressed by these patches was caused by the Intermediate Preloading Healer in Firefox, which has been disabled. We clearly have insufficient test coverage for third-party modules, and now that osclientcerts is enabled in Fx Nightly, any problems caused by these and similar changes are unlikely to be reported until Fx Beta, well after NSS RTM. I think the best option at this point is to simply revert NSS.
[97ef009f7a78] [tip]
Differential Revision: https://phabricator.services.mozilla.com/D100401 |
|
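A worked version of the nine-step "implicit rejection" scheme spelled out in the Bug 1651411 message above, added here as a Python illustration; it is not NSS's own C implementation in lib/freebl/rsapkcs.c. It covers step 1, steps 3 through 7, and the step-9 selection; the RSA decryption of step 8 is left out and the already-decrypted EM is passed in. The modulus length, private exponent and ciphertext are constructed placeholders rather than a real key, and Python cannot deliver the side-channel-free guarantee the spec demands: the branch-free selects only mirror the structure a C implementation needs.

```python
"""Implicit rejection for PKCS#1 v1.5 decryption (added illustration, not NSS code)."""
import hashlib
import hmac

HASH = hashlib.sha256


def kdk_seed(d: int, k: int) -> bytes:
    """Step 1: SHA-256 of the private exponent d, encoded big-endian in k bytes
    (k = byte length of the public modulus). Secret; computed once per key."""
    return HASH(d.to_bytes(k, "big")).digest()


def key_derivation_key(seed: bytes, ciphertext: bytes, k: int) -> bytes:
    """Steps 2 and 3: length check, then HMAC-SHA256(seed, ciphertext).
    The ciphertext length is public, so rejecting early here leaks nothing."""
    if len(ciphertext) != k:
        raise ValueError("ciphertext must be exactly k bytes (RFC 8017 7.2.2 step 1)")
    return hmac.new(seed, ciphertext, HASH).digest()


def prf_expand(kdk: bytes, label: bytes, out_bits: int, n_bytes: int) -> bytes:
    """Steps 4 and 7: HMAC-SHA256(kdk, counter(2B BE) || label || out_bits(2B BE))
    for counter = 0, 1, ..., concatenated and right-truncated to n_bytes."""
    out = bytearray()
    counter = 0
    while len(out) < n_bytes:
        msg = counter.to_bytes(2, "big") + label + out_bits.to_bytes(2, "big")
        out += hmac.new(kdk, msg, HASH).digest()
        counter += 1
    return bytes(out[:n_bytes])


def ct_select(cond: int, a: int, b: int) -> int:
    """Return a when cond == 1, b when cond == 0, without a data-dependent branch."""
    return b ^ ((a ^ b) & -cond)


def synthetic_length(kdk: bytes, k: int) -> int:
    """Steps 4-6: 256 PRF bytes viewed as 128 big-endian 16-bit candidates, each masked
    to the bit length of k-11; keep the last candidate <= k-11, or 0 if there is none."""
    max_len = k - 11
    mask = (1 << max_len.bit_length()) - 1
    prf_out = prf_expand(kdk, b"length", 2048, 256)   # 8 HMAC outputs of 32 bytes
    chosen = 0
    for i in range(0, len(prf_out), 2):
        cand = int.from_bytes(prf_out[i:i + 2], "big") & mask
        # 1 exactly when cand <= max_len: (cand - max_len - 1) is negative then.
        le = ((cand - max_len - 1) >> 16) & 1
        chosen = ct_select(le, cand, chosen)
    return chosen


def synthetic_message(kdk: bytes, k: int) -> bytes:
    """Step 7: k bytes from the "message" PRF; its last l bytes are the fake plaintext."""
    return prf_expand(kdk, b"message", k * 8, k)


def unpad_with_implicit_rejection(em: bytes, kdk: bytes, k: int) -> bytes:
    """Step 9: PKCS#1 v1.5 unpadding of the already-decrypted EM (step 8 is not shown).
    Padding faults accumulate in a flag instead of causing an early return, and the
    flag picks between the real and the synthetic message byte by byte."""
    if len(em) != k:
        raise ValueError("EM must be exactly k bytes")
    bad = int(em[0] != 0x00) | int(em[1] != 0x02)
    # Locate the first 0x00 after the block type without stopping the scan early.
    sep, found = 0, 0
    for i in range(2, k):
        is_zero = int(em[i] == 0x00)
        sep = ct_select(is_zero & (1 - found), i, sep)
        found |= is_zero
    bad |= 1 - found           # no separator at all
    bad |= int(sep < 10)       # fewer than 8 bytes of PS
    real_len = k - sep - 1
    synth_full = synthetic_message(kdk, k)
    out_len = ct_select(bad, synthetic_length(kdk, k), real_len)
    # Select the whole k-byte buffer first, then expose only the chosen tail.
    out = bytes(ct_select(bad, s, r) for s, r in zip(synth_full, em))
    return out[k - out_len:]


# Constructed demo parameters (NOT a real RSA key): a 2048-bit modulus length, a
# placeholder private exponent, and a placeholder ciphertext of k bytes.
DEMO_K = 256
DEMO_D = int.from_bytes(bytes(range(1, 256)) + b"\x01", "big")
DEMO_CT = bytes((i * 7 + 3) & 0xFF for i in range(DEMO_K))


def demo(message: bytes = b"constructed premaster secret", valid: bool = True) -> bytes:
    """Run the flow on a well-formed or a corrupted EM (standing in for the output of
    RSA decryption) and return what the caller would receive."""
    kdk = key_derivation_key(kdk_seed(DEMO_D, DEMO_K), DEMO_CT, DEMO_K)
    ps = b"\xab" * (DEMO_K - 3 - len(message))
    em = b"\x00\x02" + ps + b"\x00" + message
    if not valid:
        em = b"\x00\x01" + em[2:]   # wrong block type: the padding check must fail
    return unpad_with_implicit_rejection(em, kdk, DEMO_K)


if __name__ == "__main__":
    print(demo().hex())
    print(demo(valid=False).hex())
```

Running the module prints the real plaintext for a well-formed EM and the synthetic tail for a corrupted one. Both paths do the same amount of work, and the corrupted path's output depends only on the key and the ciphertext, which is what removes the success-or-failure signal the tlsfuzzer timing tests were measuring.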
Kevin Jacobs | 254f0c7699 |
Bug 1677548 - land NSS f84fb229842a UPGRADE_NSS_RELEASE, r=bbeurdouche
2020-12-04 Kevin Jacobs <kjacobs@mozilla.com>
* gtests/pk11_gtest/pk11_aeskeywrappad_unittest.cc, lib/pk11wrap/pk11obj.c:
Bug 1680400 - Fix memory leak in PK11_UnwrapPrivKey. r=bbeurdouche
[f84fb229842a] [tip]

2020-12-03 yogesh <yoyogesh01@gmail.com>
* cmd/tstclnt/tstclnt.c:
Bug 1570539 - Removed -X alt-server-hello option from tstclnt r=kjacobs
[ef9198eb2895]

2020-12-03 J.C. Jones <jjones@mozilla.com>
* lib/util/pkcs11t.h:
Bug 1675523 - CKR_PUBLIC_KEY_INVALID has an incorrect value r=bbeurdouche
PKCS#11 v2.40: https://www.cryptsoft.com/pkcs11doc/STANDARD/include/v240/pkcs11t.h line 1150
jdk8u: https://hg.openjdk.java.net/jdk8u/jdk8u/jdk/file/eb7f437285a1/src/share/native/sun/security/pkcs11/wrapper/pkcs11t.h#l1155
[f9bcf45ca3bf]
Differential Revision: https://phabricator.services.mozilla.com/D98946 |
|
Kevin Jacobs | 54a13dccf2 |
Bug 1677548 - land NSS 3eacb92e9adf UPGRADE_NSS_RELEASE, r=jcj
2020-11-18 Kevin Jacobs <kjacobs@mozilla.com>
* lib/ssl/ssl3con.c, lib/ssl/tls13con.c, lib/ssl/tls13ech.c:
Bug 1654332 - Fixup a10493dcfcc9: copy ECHConfig.config_id with socket r=jcj
A late review change for ECH was for the server to compute each ECHConfig `config_id` when set to the socket, rather than on each connection. This works, but now we also need to copy that config_id when copying a socket, else the server won't find a matching ECHConfig to use for decryption.
[3eacb92e9adf] [tip]
2020-11-17 Kevin Jacobs <kjacobs@mozilla.com>
* automation/abi-check/expected-report-libssl3.so.txt, cmd/tstclnt/tstclnt.c, cpputil/tls_parser.h, gtests/ssl_gtest/libssl_internals.c, gtests/ssl_gtest/libssl_internals.h, gtests/ssl_gtest/manifest.mn, gtests/ssl_gtest/ssl_auth_unittest.cc, gtests/ssl_gtest/ssl_custext_unittest.cc, gtests/ssl_gtest/ssl_extension_unittest.cc, gtests/ssl_gtest/ssl_gtest.gyp, gtests/ssl_gtest/ssl_tls13compat_unittest.cc, gtests/ssl_gtest/tls_agent.cc, gtests/ssl_gtest/tls_agent.h, gtests/ssl_gtest/tls_connect.cc, gtests/ssl_gtest/tls_connect.h, gtests/ssl_gtest/tls_ech_unittest.cc, gtests/ssl_gtest/tls_esni_unittest.cc, gtests/ssl_gtest/tls_filter.cc, gtests/ssl_gtest/tls_filter.h, lib/ssl/SSLerrs.h, lib/ssl/manifest.mn, lib/ssl/ssl.gyp, lib/ssl/ssl3con.c, lib/ssl/ssl3ext.c, lib/ssl/ssl3ext.h, lib/ssl/ssl3exthandle.c, lib/ssl/ssl3exthandle.h, lib/ssl/ssl3prot.h, lib/ssl/sslencode.c, lib/ssl/sslencode.h, lib/ssl/sslerr.h, lib/ssl/sslexp.h, lib/ssl/sslimpl.h, lib/ssl/sslinfo.c, lib/ssl/sslsecur.c, lib/ssl/sslsock.c, lib/ssl/sslt.h, lib/ssl/tls13con.c, lib/ssl/tls13con.h, lib/ssl/tls13ech.c, lib/ssl/tls13ech.h, lib/ssl/tls13esni.c, lib/ssl/tls13esni.h, lib/ssl/tls13exthandle.c, lib/ssl/tls13exthandle.h, lib/ssl/tls13hashstate.c, lib/ssl/tls13hashstate.h:
Bug 1654332 - Update ESNI to draft-08 (ECH). r=mt
This patch adds support for Encrypted Client Hello (draft-ietf-tls-esni-08), replacing the existing ESNI (draft-02) support.
There are five new experimental functions to enable this:
- SSL_EncodeEchConfig: Generates an encoded (not BASE64) ECHConfig given a set of parameters.
- SSL_SetClientEchConfigs: Configures the provided ECHConfig to the given socket. When configured, an ephemeral HPKE keypair will be generated for the CH encryption.
- SSL_SetServerEchConfigs: Configures the provided ECHConfig and keypair to the socket. The keypair specified will be used for HPKE operations in order to decrypt encrypted Client Hellos as they are received.
- SSL_GetEchRetryConfigs: If ECH is rejected by the server and compatible retry_configs are provided, this API allows the application to extract those retry_configs for use in a new connection.
- SSL_EnableTls13GreaseEch: When enabled, non-ECH Client Hellos will have a "GREASE ECH" (i.e. fake) extension appended. GREASE ECH is disabled by default, as there are known compatibility issues that will be addressed in a subsequent draft.
The following ESNI experimental functions are deprecated by this update:
- SSL_EncodeESNIKeys
- SSL_EnableESNI
- SSL_SetESNIKeyPair
In order to be used, NSS must be compiled with `NSS_ENABLE_DRAFT_HPKE` defined.
[a10493dcfcc9]
* lib/ssl/ssl3con.c, lib/ssl/sslencode.c, lib/ssl/sslencode.h, lib/ssl/tls13con.c, lib/ssl/tls13con.h:
Bug 1654332 - Buffered ClientHello construction. r=mt
This patch refactors construction of Client Hello messages. Instead of each component of the message being written separately into `ss->sec.ci.sendBuf`, we now construct the message in its own sslBuffer. Once complete, the entire message is added to the sendBuf via `ssl3_AppendHandshake`. `ssl3_SendServerHello` already uses this approach and it becomes necessary for ECH, where we use the constructed ClientHello to create an inner ClientHello.
[d40121ba59ba]
2020-11-13 J.C. Jones <jjones@mozilla.com>
* automation/abi-check/expected-report-libnss3.so.txt, automation/abi-check/expected-report-libnssutil3.so.txt, automation/abi-check/previous-nss-release, lib/nss/nss.h, lib/softoken/softkver.h, lib/util/nssutil.h:
Set version numbers to 3.60 Beta
[5e7b37609f22]
Differential Revision: https://phabricator.services.mozilla.com/D97492 |
|
Kevin Jacobs | 92af1fd6cc |
Bug 1671713 - land NSS 97751cd6d553 UPGRADE_NSS_RELEASE, r=jcj
2020-11-03 Kevin Jacobs <kjacobs@mozilla.com> * gtests/common/testvectors/hmac-sha256-vectors.h, gtests/common/testvectors/hmac-sha384-vectors.h, gtests/common/testvectors/hmac-sha512-vectors.h, gtests/common/testvectors_base/test-structs.h, gtests/pk11_gtest/manifest.mn, gtests/pk11_gtest/pk11_gtest.gyp, gtests/pk11_gtest/pk11_hmac_unittest.cc: Bug |
|
Kevin Jacobs | b838f38de2 |
Bug 1671713 - land NSS 035110dfa0b9 UPGRADE_NSS_RELEASE, r=bbeurdouche
2020-10-26 Robert Relyea <rrelyea@redhat.com>
* lib/libpkix/pkix_pl_nss/pki/pkix_pl_ocspresponse.c, tests/ssl/ssl.sh:
Bug 1672291 libpkix OCSP failures on SHA1 self-signed root certs when SHA1 signatures are disabled. r=mt
When libpkix is checking an OCSP cert, it can't use the passed in set of trust anchors as a base because only the single root that signed the leaf can sign the OCSP request. As a result it actually checks the signature of the self-signed root when processing an OCSP request. This fails if the root cert signature is invalid for any reason (including it's a sha1 self-signed root cert and we've disabled sha1 signatures (say, by policy)).
Further investigation indicates the difference between our classic code and the current code is the classic code only checks OCSP responses on leaf certs. In the real world, those responses are signed by intermediate certificates (who won't have sha1 signed certificates anymore), so our signature processing works just fine. pkix checks OCSP on the intermediate certificates as well, which are signed by the root cert. In this case the root cert is a chain of 1, and is effectively a leaf.
This patch updates the OCSP response code to not check the signatures on the single cert if that cert is a selfsigned root cert. This requires bug 391476 so we still do the other validation checking on the certs (making sure it's trusted as a CA).
[035110dfa0b9] [tip]
2020-10-23 Robert Relyea <rrelyea@redhat.com>
* lib/certhigh/certvfypkix.c, lib/libpkix/pkix_pl_nss/module/pkix_pl_nsscontext.c, lib/libpkix/pkix_pl_nss/module/pkix_pl_nsscontext.h, lib/libpkix/pkix_pl_nss/pki/pkix_pl_cert.c, lib/libpkix/pkix_pl_nss/pki/pkix_pl_ocspresponse.c, tests/ssl/ssl.sh:
Bug 1672291 libpkix OCSP failures on SHA1 self-signed root certs when SHA1 signatures are disabled.
When libpkix is checking an OCSP cert, it can't use the passed in set of trust anchors as a base because only the single root that signed the leaf can sign the OCSP request. As a result it actually checks the signature of the self-signed root when processing an OCSP request. This fails if the root cert signature is invalid for any reason (including it's a sha1 self-signed root cert and we've disabled sha1 signatures (say, by policy)).
Further investigation indicates the difference between our classic code and the current code is the classic code only checks OCSP responses on leaf certs. In the real world, those responses are signed by intermediate certificates (who won't have sha1 signed certificates anymore), so our signature processing works just fine. pkix checks OCSP on the intermediate certificates as well, which are signed by the root cert. In this case the root cert is a chain of 1, and is effectively a leaf.
This patch updates the OCSP response code to not check the signatures on the single cert if that cert is a selfsigned root cert. This requires bug 391476 so we still do the other validation checking on the certs (making sure it's trusted as a CA).
[97f69f7a89a1]
2020-10-26 Kevin Jacobs <kjacobs@mozilla.com>
* gtests/ssl_gtest/tls_filter.cc:
Bug 1644209 - Fix broken SelectedCipherSuiteReplacer filter. r=mt
This patch corrects the `SelectedCipherSuiteReplacer` filter to always parse the `session_id` variable (`legacy_session_id` for TLS 1.3+). The previous code attempted to skip it in 1.3+ but did not account for DTLS wire versions, resulting in intermittent failures.
[a79d14b06b4a]
2020-10-26 Daiki Ueno <dueno@redhat.com>
* gtests/ssl_gtest/ssl_tls13compat_unittest.cc, lib/ssl/ssl3con.c, lib/ssl/sslimpl.h:
Bug |
|
J.C. Jones | 8e222a79cb |
Bug 1666567 - land NSS NSS_3_58_BETA1 UPGRADE_NSS_RELEASE, r=kjacobs
2020-10-12 Daiki Ueno <dueno@redhat.com>
* gtests/ssl_gtest/ssl_tls13compat_unittest.cc, lib/ssl/ssl3con.c, lib/ssl/sslimpl.h:
Bug 1641480, TLS 1.3: tighten CCS handling in compatibility mode, r=mt
This makes the server reject CCS when the client doesn't indicate the use of the middlebox compatibility mode with a non-empty ClientHello.legacy_session_id, or it sends multiple CCS in a row.
[57bbefa79323] [NSS_3_58_BETA1]
2020-10-12 Kevin Jacobs <kjacobs@mozilla.com>
* automation/abi-check/expected-report-libnss3.so.txt, automation/taskcluster/scripts/build_gyp.sh, automation/taskcluster/windows/build_gyp.sh, coreconf/config.gypi, coreconf/config.mk, cpputil/nss_scoped_ptrs.h, gtests/common/testvectors/hpke-vectors.h, gtests/pk11_gtest/manifest.mn, gtests/pk11_gtest/pk11_gtest.gyp, gtests/pk11_gtest/pk11_hpke_unittest.cc, lib/nss/nss.def, lib/pk11wrap/exports.gyp, lib/pk11wrap/manifest.mn, lib/pk11wrap/pk11hpke.c, lib/pk11wrap/pk11hpke.h, lib/pk11wrap/pk11pub.h, lib/pk11wrap/pk11wrap.gyp, lib/util/SECerrs.h, lib/util/secerr.h:
Bug 1631890 - Add support for Hybrid Public Key Encryption (draft-irtf-cfrg-hpke-05). r=mt
This patch adds support for Hybrid Public Key Encryption (draft-irtf-cfrg-hpke-05). Because the draft number (and the eventual RFC number) is an input to the key schedule, future updates will *not* be backwards compatible in terms of key material or encryption/decryption. For this reason, a default compilation will produce stubs that simply return an "Invalid Algorithm" error. To opt into using the HPKE functionality, compile with `NSS_ENABLE_DRAFT_HPKE` defined. Once finalized, this flag will not be required to access the functions.
Lastly, the `DeriveKeyPair` API is not implemented as it adds complexity around PKCS #11 and is unnecessary for ECH.
[6e3bc17f0508]
2020-10-12 Makoto Kato <m_kato@ga2.so-net.ne.jp>
* automation/taskcluster/graph/src/extend.js, tests/common/cleanup.sh:
Bug 1657255 - Update CI for aarch64. r=kjacobs
Actually, we have the implementation of ARM Crypto extension, so CI is always run with this extension. It means that we don't run CI without ARM Crypto extension. So I would like to add NoAES and NoSHA for aarch64 CI.
Also, we still run NoSSE4_1 on aarch64 CI, so we shouldn't run this on aarch64 hardware.
[e8c370a8db13]
Differential Revision: https://phabricator.services.mozilla.com/D93268 |
|
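The HPKE commit above (bug 1631890) says the draft number is an input to the key schedule, so key material from draft-05 and from the final RFC cannot interoperate. The block below is an added illustration, not NSS code and not from any of the commits on this page: it models the RFC 9180 mode_base key schedule over HKDF-SHA256 in pure Python and derives the AEAD key and base_nonce once with the RFC 9180 label and once with a version label standing in for the draft. The RFC 9180 label (`HPKE-v1`), suite_id layout and key-schedule steps are from the RFC; the exact draft-05 label string is an assumption, and the shared secret is a constructed stand-in for a KEM output rather than a real DH result.

```python
import hashlib
import hmac
from typing import Tuple

# Added example, not NSS code. Version labels: RFC 9180 Section 4 uses "HPKE-v1";
# the draft-05 spelling below is an assumption used only to show the effect.
DRAFT05_LABEL = b"HPKE-05 "   # assumed draft-05 label
RFC9180_LABEL = b"HPKE-v1"    # RFC 9180 label

HASH_LEN = hashlib.sha256().digest_size


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 Extract with HMAC-SHA256; an empty salt means HashLen zero bytes."""
    return hmac.new(salt or b"\x00" * HASH_LEN, ikm, hashlib.sha256).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 Expand: T(i) = HMAC(prk, T(i-1) || info || i)."""
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]


def suite_id(kem_id: int, kdf_id: int, aead_id: int) -> bytes:
    # RFC 9180 Section 5.1: "HPKE" || I2OSP(kem_id, 2) || I2OSP(kdf_id, 2) || I2OSP(aead_id, 2)
    return (b"HPKE" + kem_id.to_bytes(2, "big") + kdf_id.to_bytes(2, "big")
            + aead_id.to_bytes(2, "big"))


def labeled_extract(version: bytes, suite: bytes, salt: bytes, label: bytes, ikm: bytes) -> bytes:
    # The version label is mixed into every extract, so it changes every derived secret.
    return hkdf_extract(salt, version + suite + label + ikm)


def labeled_expand(version: bytes, suite: bytes, prk: bytes, label: bytes,
                   info: bytes, length: int) -> bytes:
    labeled_info = length.to_bytes(2, "big") + version + suite + label + info
    return hkdf_expand(prk, labeled_info, length)


def derive_key_schedule(version: bytes, shared_secret: bytes, info: bytes,
                        nk: int = 16, nn: int = 12) -> Tuple[bytes, bytes]:
    """mode_base (no PSK) key schedule for DHKEM(X25519), HKDF-SHA256, AES-128-GCM.
    Returns (key, base_nonce) as RFC 9180 Section 5.1 computes them."""
    suite = suite_id(0x0020, 0x0001, 0x0001)
    psk_id_hash = labeled_extract(version, suite, b"", b"psk_id_hash", b"")
    info_hash = labeled_extract(version, suite, b"", b"info_hash", info)
    key_schedule_context = b"\x00" + psk_id_hash + info_hash   # mode_base = 0x00
    secret = labeled_extract(version, suite, shared_secret, b"secret", b"")
    key = labeled_expand(version, suite, secret, b"key", key_schedule_context, nk)
    base_nonce = labeled_expand(version, suite, secret, b"base_nonce", key_schedule_context, nn)
    return key, base_nonce


def keys_agree_across_versions(shared_secret: bytes, info: bytes) -> bool:
    """True only if a draft-05 sender and an RFC 9180 receiver would end up with
    the same AEAD key and nonce from the same KEM shared secret."""
    return (derive_key_schedule(DRAFT05_LABEL, shared_secret, info)
            == derive_key_schedule(RFC9180_LABEL, shared_secret, info))


if __name__ == "__main__":
    shared = bytes(range(32))   # constructed stand-in for a 32-byte KEM shared secret
    print(keys_agree_across_versions(shared, b"application info"))
```

This is why the commit ships stubs unless `NSS_ENABLE_DRAFT_HPKE` is set: a peer on a later draft would compute a different `key` and `base_nonce` from the identical shared secret and every AEAD open would fail.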
J.C. Jones | 3ad29aac6b |
Bug 1666567 - land NSS 8fdbec414ce2 UPGRADE_NSS_RELEASE, r=kjacobs
2020-09-24 Kevin Jacobs <kjacobs@mozilla.com>
* automation/abi-check/expected-report-libnss3.so.txt, gtests/pk11_gtest/pk11_hkdf_unittest.cc, lib/nss/nss.def, lib/pk11wrap/pk11pub.h, lib/pk11wrap/pk11skey.c, lib/ssl/tls13hkdf.c:
Bug 1667153 - Add PK11_ImportDataKey API. r=rrelyea
This patch adds and exports `PK11_ImportDataKey`, and refactors the null PSK TLS 1.3 code to use it.
[8fdbec414ce2] [tip]
Differential Revision: https://phabricator.services.mozilla.com/D91627 |
|
J.C. Jones | 55cfe61a1d |
Bug 1666567 - land NSS 8ebee3cec9cf UPGRADE_NSS_RELEASE, r=kjacobs
2020-09-23 Dana Keeler <dkeeler@mozilla.com>
* gtests/mozpkix_gtest/pkixbuild_tests.cpp, gtests/mozpkix_gtest/pkixcert_extension_tests.cpp, gtests/mozpkix_gtest/pkixcert_signature_algorithm_tests.cpp, gtests/mozpkix_gtest/pkixcheck_CheckExtendedKeyUsage_tests.cpp, gtests/mozpkix_gtest/pkixcheck_CheckSignatureAlgorithm_tests.cpp, gtests/mozpkix_gtest/pkixgtest.h, lib/mozpkix/include/pkix/pkixtypes.h, lib/mozpkix/lib/pkixbuild.cpp:
Bug 1665715 - (2/2) pass encoded signed certificate timestamp extension (if present) in CheckRevocation r=jcj
This will allow Firefox to make decisions based on the earliest known time that a certificate exists (with respect to certificate transparency) that a CA is unlikely to back-date. In particular, this is essential for CRLite.
Note that if the SCT signature isn't validated, a CA could still make a certificate appear to have existed for longer than it really has. However, this change is not an attempt to catch malicious CAs. The aim is to avoid false positives in CRLite resulting from CAs backdating the notBefore field on certificates they issue.
Depends on D90595
[8ebee3cec9cf] [tip]
2020-09-18 Dana Keeler <dkeeler@mozilla.com>
* gtests/mozpkix_gtest/pkixbuild_tests.cpp, gtests/mozpkix_gtest/pkixcert_extension_tests.cpp, gtests/mozpkix_gtest/pkixcert_signature_algorithm_tests.cpp, gtests/mozpkix_gtest/pkixcheck_CheckExtendedKeyUsage_tests.cpp, gtests/mozpkix_gtest/pkixcheck_CheckSignatureAlgorithm_tests.cpp, gtests/mozpkix_gtest/pkixgtest.h, lib/mozpkix/include/pkix/pkixtypes.h, lib/mozpkix/lib/pkixbuild.cpp:
Bug 1665715 - (1/2) revert e8f2720c8254 (bug 1593141) because it's no longer necessary r=jcj
Bug 1593141 added the certificate's notBefore field as an argument to TrustDomain::CheckRevocation so that Firefox could use it with CRLite. However, since CAs can backdate that field, we need to use the earliest embedded SCT timestamp instead.
[c1f4d565ceda]
Differential Revision: https://phabricator.services.mozilla.com/D91211 |
|
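The bug 1665715 commits above pass the raw encoded SCT extension to CheckRevocation so the caller can use the earliest embedded SCT timestamp instead of notBefore. The block below is an added example, not mozpkix or Firefox code, of what that caller has to do with the bytes: unwrap the DER OCTET STRING that carries the extension value, walk the RFC 6962 SignedCertificateTimestampList, and take the minimum timestamp. Exactly as the commit message notes, the SCT signatures are parsed but not verified here. The SCT bytes in the helpers at the bottom are constructed for the example, with dummy signatures, and are not from any real certificate.

```python
import struct
from typing import Dict, List

# Added example, not mozpkix code. RFC 6962 Section 3.3 wire format.


def unwrap_der_octet_string(der: bytes) -> bytes:
    """Strip the outer DER OCTET STRING (tag 0x04) that wraps the SCT list in the
    X.509 extension value; supports short- and long-form lengths up to 4 bytes."""
    if len(der) < 2 or der[0] != 0x04:
        raise ValueError("not an OCTET STRING")
    length, pos = der[1], 2
    if length & 0x80:                       # long form: 0x8n followed by n length bytes
        n = length & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            raise ValueError("bad length encoding")
        length = int.from_bytes(der[2:2 + n], "big")
        pos = 2 + n
    if pos + length != len(der):
        raise ValueError("length mismatch")
    return der[pos:]


def parse_sct(sct: bytes) -> Dict[str, object]:
    """Parse one SerializedSCT: version(1) log_id(32) timestamp(8) extensions<0..2^16-1>
    then a DigitallySigned struct. The signature is carried, NOT verified."""
    if len(sct) < 1 + 32 + 8 + 2:
        raise ValueError("SCT too short")
    if sct[0] != 0:
        raise ValueError("unsupported SCT version")
    log_id = sct[1:33]
    (timestamp_ms,) = struct.unpack(">Q", sct[33:41])
    (ext_len,) = struct.unpack(">H", sct[41:43])
    ext_end = 43 + ext_len
    if len(sct) < ext_end + 4:
        raise ValueError("truncated extensions or signature header")
    hash_alg, sig_alg = sct[ext_end], sct[ext_end + 1]
    (sig_len,) = struct.unpack(">H", sct[ext_end + 2:ext_end + 4])
    signature = sct[ext_end + 4:]
    if len(signature) != sig_len:
        raise ValueError("signature length mismatch")
    return {"log_id": log_id, "timestamp_ms": timestamp_ms, "extensions": sct[43:ext_end],
            "hash_alg": hash_alg, "sig_alg": sig_alg, "signature": signature}


def parse_sct_list(data: bytes) -> List[Dict[str, object]]:
    """Parse SignedCertificateTimestampList = opaque<1..2^16-1> of opaque SerializedSCT<1..2^16-1>."""
    if len(data) < 2:
        raise ValueError("missing list length")
    (total,) = struct.unpack(">H", data[:2])
    if total == 0 or total != len(data) - 2:
        raise ValueError("bad list length")
    pos, scts = 2, []
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated SCT length")
        (sct_len,) = struct.unpack(">H", data[pos:pos + 2])
        pos += 2
        if sct_len == 0 or pos + sct_len > len(data):
            raise ValueError("bad SCT length")
        scts.append(parse_sct(data[pos:pos + sct_len]))
        pos += sct_len
    return scts


def earliest_sct_timestamp(extension_value: bytes) -> int:
    """Milliseconds since the epoch of the earliest embedded SCT: the lower bound on
    when the certificate existed that a CA is unlikely to be able to back-date."""
    scts = parse_sct_list(unwrap_der_octet_string(extension_value))
    return min(int(s["timestamp_ms"]) for s in scts)


# Constructed sample data for the example (dummy log IDs and 4-byte dummy signatures).
def build_sct(log_id: bytes, timestamp_ms: int, signature: bytes = b"\x00" * 4) -> bytes:
    return (b"\x00" + log_id + struct.pack(">Q", timestamp_ms) + struct.pack(">H", 0)
            + b"\x04\x03" + struct.pack(">H", len(signature)) + signature)   # sha256, ecdsa


def build_extension_value(scts: List[bytes]) -> bytes:
    inner = b"".join(struct.pack(">H", len(s)) + s for s in scts)
    tls_list = struct.pack(">H", len(inner)) + inner
    if len(tls_list) >= 128:
        raise ValueError("sample helper only emits short-form DER lengths")
    return b"\x04" + bytes([len(tls_list)]) + tls_list


if __name__ == "__main__":
    ext = build_extension_value([build_sct(b"\xaa" * 32, 1600000000000),
                                 build_sct(b"\xbb" * 32, 1590000000000)])
    print(earliest_sct_timestamp(ext))
```

Every length field is checked against the buffer before it is used, because the extension comes straight from an untrusted certificate; the minimum is taken over all SCTs rather than the first one because a log's timestamp order in the list is not guaranteed.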
Bogdan Tara | db9c89dbca |
Backed out 2 changesets (bug 1666567, bug 1605273) for test_crlite_filters.js failures CLOSED TREE
UPGRADE_NSS_RELEASE Backed out changeset 9bc4c7e79cd6 (bug 1666567) Backed out changeset 22753d184de6 (bug 1605273) |
|
J.C. Jones | e8346094ad |
Bug 1666567 - land NSS 8ebee3cec9cf UPGRADE_NSS_RELEASE, r=kjacobs
CLOSED TREE
2020-09-23 Dana Keeler <dkeeler@mozilla.com>
* gtests/mozpkix_gtest/pkixbuild_tests.cpp, gtests/mozpkix_gtest/pkixcert_extension_tests.cpp, gtests/mozpkix_gtest/pkixcert_signature_algorithm_tests.cpp, gtests/mozpkix_gtest/pkixcheck_CheckExtendedKeyUsage_tests.cpp, gtests/mozpkix_gtest/pkixcheck_CheckSignatureAlgorithm_tests.cpp, gtests/mozpkix_gtest/pkixgtest.h, lib/mozpkix/include/pkix/pkixtypes.h, lib/mozpkix/lib/pkixbuild.cpp:
Bug 1665715 - (2/2) pass encoded signed certificate timestamp extension (if present) in CheckRevocation r=jcj
This will allow Firefox to make decisions based on the earliest known time that a certificate exists (with respect to certificate transparency) that a CA is unlikely to back-date. In particular, this is essential for CRLite.
Note that if the SCT signature isn't validated, a CA could still make a certificate appear to have existed for longer than it really has. However, this change is not an attempt to catch malicious CAs. The aim is to avoid false positives in CRLite resulting from CAs backdating the notBefore field on certificates they issue.
Depends on D90595
[8ebee3cec9cf] [tip]
2020-09-18 Dana Keeler <dkeeler@mozilla.com>
* gtests/mozpkix_gtest/pkixbuild_tests.cpp, gtests/mozpkix_gtest/pkixcert_extension_tests.cpp, gtests/mozpkix_gtest/pkixcert_signature_algorithm_tests.cpp, gtests/mozpkix_gtest/pkixcheck_CheckExtendedKeyUsage_tests.cpp, gtests/mozpkix_gtest/pkixcheck_CheckSignatureAlgorithm_tests.cpp, gtests/mozpkix_gtest/pkixgtest.h, lib/mozpkix/include/pkix/pkixtypes.h, lib/mozpkix/lib/pkixbuild.cpp:
Bug 1665715 - (1/2) revert e8f2720c8254 (bug 1593141) because it's no longer necessary r=jcj
Bug 1593141 added the certificate's notBefore field as an argument to TrustDomain::CheckRevocation so that Firefox could use it with CRLite. However, since CAs can backdate that field, we need to use the earliest embedded SCT timestamp instead.
[c1f4d565ceda]
Differential Revision: https://phabricator.services.mozilla.com/D91211 |
|
Bogdan Tara | 24d9b1dbae |
Backed out changeset 7e50f86ea20b (bug 1666567) for security related bustage CLOSED TREE
UPGRADE_NSS_RELEASE |
|
J.C. Jones | 413b79889f |
Bug 1666567 - land NSS 8ebee3cec9cf UPGRADE_NSS_RELEASE, r=kjacobs
2020-09-23 Dana Keeler <dkeeler@mozilla.com>
* gtests/mozpkix_gtest/pkixbuild_tests.cpp, gtests/mozpkix_gtest/pkixcert_extension_tests.cpp, gtests/mozpkix_gtest/pkixcert_signature_algorithm_tests.cpp, gtests/mozpkix_gtest/pkixcheck_CheckExtendedKeyUsage_tests.cpp, gtests/mozpkix_gtest/pkixcheck_CheckSignatureAlgorithm_tests.cpp, gtests/mozpkix_gtest/pkixgtest.h, lib/mozpkix/include/pkix/pkixtypes.h, lib/mozpkix/lib/pkixbuild.cpp:
Bug 1665715 - (2/2) pass encoded signed certificate timestamp extension (if present) in CheckRevocation r=jcj
This will allow Firefox to make decisions based on the earliest known time that a certificate exists (with respect to certificate transparency) that a CA is unlikely to back-date. In particular, this is essential for CRLite.
Note that if the SCT signature isn't validated, a CA could still make a certificate appear to have existed for longer than it really has. However, this change is not an attempt to catch malicious CAs. The aim is to avoid false positives in CRLite resulting from CAs backdating the notBefore field on certificates they issue.
Depends on D90595
[8ebee3cec9cf] [tip]
2020-09-18 Dana Keeler <dkeeler@mozilla.com>
* gtests/mozpkix_gtest/pkixbuild_tests.cpp, gtests/mozpkix_gtest/pkixcert_extension_tests.cpp, gtests/mozpkix_gtest/pkixcert_signature_algorithm_tests.cpp, gtests/mozpkix_gtest/pkixcheck_CheckExtendedKeyUsage_tests.cpp, gtests/mozpkix_gtest/pkixcheck_CheckSignatureAlgorithm_tests.cpp, gtests/mozpkix_gtest/pkixgtest.h, lib/mozpkix/include/pkix/pkixtypes.h, lib/mozpkix/lib/pkixbuild.cpp:
Bug 1665715 - (1/2) revert e8f2720c8254 (bug 1593141) because it's no longer necessary r=jcj
Bug 1593141 added the certificate's notBefore field as an argument to TrustDomain::CheckRevocation so that Firefox could use it with CRLite. However, since CAs can backdate that field, we need to use the earliest embedded SCT timestamp instead.
[c1f4d565ceda]
Differential Revision: https://phabricator.services.mozilla.com/D91211 |
|
Kevin Jacobs | 25560bb43a |
Bug 1660509 - land NSS 2a17c8655a74 UPGRADE_NSS_RELEASE, r=jcj
2020-09-14 Benjamin Beurdouche <bbeurdouche@mozilla.com>
* coreconf/arch.mk:
Bug 1660735 - Fix typo in coreconfig/arch.mk. r=kjacobs
[2a17c8655a74] [tip]
* coreconf/config.mk:
Bug 1660734 - Fix typo in coreconf/config.mk. r=kjacobs
[4ae56ec2411b]
2020-09-11 Kevin Jacobs <kjacobs@mozilla.com>
* lib/ckfw/builtins/nssckbi.h:
Bug 1663049 - September 2020 batch of root changes,
NSS_BUILTINS_LIBRARY_VERSION 2.44. r=jcj
[141ef83ac10b]
* lib/ckfw/builtins/certdata.txt:
Bug 1663049 - Add SecureTrust's Trustwave Global root certificates
to NSS. r=KathleenWilson,jcj
[7dfc054a983e]
* lib/ckfw/builtins/certdata.txt:
Bug 1656077 - Remove Taiwan Government Root Certification Authority
root cert. r=KathleenWilson,jcj
Depends on D89841
[32a0d8f751ef]
* lib/ckfw/builtins/certdata.txt:
Bug 1653092 - Disable server trust bit for OISTE WISeKey Global Root
GA CA root cert. r=KathleenWilson,jcj
Depends on D89840
[1cdfb26b3220]
* lib/ckfw/builtins/certdata.txt:
Bug 1651211 - Remove EE Certification Centre Root CA root cert.
r=KathleenWilson,jcj
[089aeca370df]
2020-09-11 Danh <congdanhqx@gmail.com>
* coreconf/arch.mk, coreconf/config.mk, lib/freebl/Makefile:
Bug 1659727 - Move makefile avx2 detection to config.mk. r=kjacobs
Summary: Current code base uses CPU_ARCH to detect if avx2 is
supported in arch.mk. However, when arch.mk is included, CPU_ARCH
hasn't been initialised; CPU_ARCH will be initialised by the OS
specific code later on.
Move the AVX2 detection to config.mk, after all other initialisation
done.
Reviewers: kjacobs
Reviewed By: kjacobs
Subscribers: kjacobs
Bug #: 1659727
[c6dcb99e6121]
2020-09-08 Kevin Jacobs <kjacobs@mozilla.com>
* gtests/freebl_gtest/mpi_unittest.cc, lib/freebl/mpi/mpi.c:
Bug 1605922 - Account for negative sign in mp_radix_size
r=bbeurdouche
[b64436ecbd79]
2020-09-09 Daiki Ueno <dueno@redhat.com>
* lib/freebl/Makefile:
Bug 1659256, add gcc version check on AArch64 optimization,
r=rrelyea
Summary: As described in https://access.redhat.com/solutions/19458,
gcc version in RHEL-7 is still 4.8.x and cannot compile the newly
added aes-armv8.c. There is a version check already for 32-bit arm,
but not for AArch64. This also removes NS_USE_GCC check added in bug
|
|
Kevin Jacobs | ddc8978d1f |
Bug 1660509 - land NSS c100e11991f6 UPGRADE_NSS_RELEASE, r=jcj
2020-08-21 Kevin Jacobs <kjacobs@mozilla.com>
* automation/abi-check/previous-nss-release, lib/nss/nss.h, lib/softoken/softkver.h, lib/util/nssutil.h:
Set version numbers to 3.57 Beta
[783f49ae6126]
2020-08-24 Kevin Jacobs <kjacobs@mozilla.com>
* gtests/ssl_gtest/ssl_auth_unittest.cc, lib/ssl/dtls13con.c, lib/ssl/dtlscon.c, lib/ssl/ssl3con.c, lib/ssl/sslimpl.h, lib/ssl/sslnonce.c:
Bug 1653641 - Cleanup inaccurate DTLS comments, code review fixes. r=mt
[0e1b5c711cb9]
2020-08-24 Robert Relyea <rrelyea@redhat.com>
* lib/freebl/fipsfreebl.c, lib/softoken/fipstest.c, lib/softoken/kbkdf.c, lib/softoken/lowpbe.c, lib/softoken/lowpbe.h, lib/softoken/pkcs11c.c, lib/softoken/pkcs11i.h, lib/softoken/sftkhmac.c, lib/softoken/sftkike.c:
Bug 1660304 New FIPS IG requires self-tests for approved kdfs. r=ueno comments=kjacobs
FIPS guidance now requires self-tests for our kdfs. It also requires self-tests for cmac which we didn't have in the cmac patch. Currently only one test per kdf is necessary. Specifically for SP-800-108, only one of the three flavors is needed (counter, feedback, or pipeline). This patch includes more complete testing, but the currently extraneous tests have been turned off under the assumption that NIST guidance may require them in the future. HKDF is currently not included in FIPS, but is on track to be included, so hkdf has been included in this patch.
Because the test vectors are const strings, the patch pushes some const definitions that were missing in existing private interfaces.
There are three flavors of self-tests:
Functions implemented in freebl are added to freebl/fipsfreebl.c
Functions implemented in pkcs11c.c have selftests completely implemented in softoken/fipstest.c
Functions implemented in their own .c file have their selftest function implemented in that .c file and called by fipstests.c
These are consistent with the previous choices for selftests.
Some private interfaces that took in keys from pkcs #11 structures or outputted keys to pkcs #11 structures were modified to optionally take keys in by bytes and output keys as bytes so the self-tests can work in just bytes.
[5dca54fe61c2]
2020-08-25 Daiki Ueno <dueno@redhat.com>
* lib/softoken/manifest.mn:
Bug 1659252, disable building libnssdbm3.so if NSS_DISABLE_DBM=1, r=rrelyea
Reviewers: rrelyea
Reviewed By: rrelyea
Bug #: 1659252
[4d55d36ca6ef]
2020-08-24 Kevin Jacobs <kjacobs@mozilla.com>
* lib/pk11wrap/pk11cxt.c, lib/softoken/pkcs11c.c, lib/softoken/sdb.c, lib/softoken/sftkpwd.c:
Bug 1651834 - Fix various static analyzer warnings. r=rrelyea
[ab04fd73fd6d]
2020-08-28 Mike Hommey <mh@glandium.org>
* lib/freebl/blapii.h:
Bug 1661810 - Define pre_align/post_align based on the compiler. r=jcj
Things worked fine before we upgraded to clang 11 presumably because the stack was always 16-bytes aligned in the first place, or something akin to that, and the lack of pre_align/post_align doing anything didn't matter. The runtime misalignment of the stack may well be a clang > 9 bug, but keeping pre_align/post_align tied to the x86/x64 is a footgun anyways.
[c100e11991f6] [tip]
Differential Revision: https://phabricator.services.mozilla.com/D88876 |
|
Kevin Jacobs | 5637d1775c |
Bug 1655105 - land NSS c06f22733446 UPGRADE_NSS_RELEASE, r=jcj
2020-08-07 Kevin Jacobs <kjacobs@mozilla.com>
* lib/pki/tdcache.c:
Bug 1625791 - Call STAN_GetCERTCertificate to load CERTCertificate trust before caching. r=jcj,keeler
When caching certificates, `td->cache->lock` must not be held when taking `slot->isPresentLock`. `add_cert_to_cache` holds the former when calling the sort function in `add_subject_entry`, which will [[ https://searchfox.org/mozilla-central/rev/a3b25e347e2c22207c4b369b99246e4aebf861a7/security/nss/lib/pki/certificate.c#266 | call ]] `STAN_GetCERTCertificate` -> `fill_CERTCertificateFields` when `cc->nssCertificate` [[ https://searchfox.org/mozilla-central/rev/a3b25e347e2c22207c4b369b99246e4aebf861a7/security/nss/lib/pki/pki3hack.c#923 | is NULL ]].
There are two problems with this:
1. `fill_CERTCertificateFields` may end up locking `slot->isPresentLock` (bad ordering, bug 1651564)
2. The above may happen followed by another attempt to lock `td->cache->lock` (deadlock, this bug).
By calling `STAN_GetCERTCertificate` prior to the first lock of `td->cache->lock`, we can prevent the problematic call to `fill_CERTCertificateFields` later on, because `cc->nssCertificate` will already be filled.
[c06f22733446] [tip]
* gtests/ssl_gtest/ssl_auth_unittest.cc, lib/ssl/ssl3con.c:
Bug 1588941 - Send empty client cert msg when signature scheme selection fails. r=mt
`ssl3_CompleteHandleCertificateRequest` does essentially two things: 1) Calls the `getClientAuthData` hook for certificate selection, and 2) calls `ssl_PickClientSignatureScheme` to select an appropriate signature scheme when a cert is selected. If the first function returns SECFailure, we default to sending an empty certificate message. If the latter fails, however, this bubbles up as a [[ https://searchfox.org/mozilla-central/rev/56bb74ea8e04bdac57c33cbe9b54d889b9262ade/security/nss/lib/ssl/tls13con.c#2670 | fatal error ]] (and an assertion failure) on the connection.
Importantly, the signature scheme selection can fail for reasons that should not be considered fatal - notably when an RSA-PSS cert is selected, but the token on which the key resides does not actually support PSS. This patch treats the failure to find a usable signature scheme as a "no certificate" response, rather than killing the connection entirely.
[41ecb7fe5546]
* lib/freebl/Makefile, lib/freebl/freebl_base.gypi, lib/freebl/mpi/mpi_amd64_common.S, lib/freebl/mpi/mpi_amd64_gas.s:
Bug 1656981 - Use 64x64->128 multiply and MP_COMBA on x86_64 Mac. r=mt
This patch makes two MPI changes for MacOS:
1. Rename `mpi_amd64_gas.s` to `mpi_amd64_common.S` and add defines for macho64, allowing Intel Macs to take advantage of the 64x64->128 multiply code.
2. Define and use `NSS_USE_COMBA` on Intel Macs.
Performance results with `rsaperf -n none -p 10 -e -x 65537` (default 2048-bit key):
Before: `12629.12 operations/s. one operation every 79 microseconds`
With 64x64->128 assembly: `29431.65 operations/s. one operation every 33 microseconds`
With MP_COMBA and 64x64->128 assembly: `30332.99 operations/s. one operation every 32 microseconds`
[330bdab498a3]
* lib/ssl/sslimpl.h:
Bug 1656429 - Clang-format fixup, r=bustage
[07083076fc92]
2020-08-05 Martin Thomson <mt@lowentropy.net>
* gtests/ssl_gtest/ssl_0rtt_unittest.cc, gtests/ssl_gtest/tls_connect.cc, lib/ssl/ssl3exthandle.c, lib/ssl/sslimpl.h, lib/ssl/tls13con.c, lib/ssl/tls13replay.c:
Bug 1656429 - Correct RTT estimate used in anti-replay, r=kjacobs
This was never a security problem, but the more time that passes between the handshake and sending a ticket, the more likely we are to reject 0-RTT. Eventually, 0-RTT only works if it is delayed in the network by a surprising amount.
[b4a1c57eb569]
Differential Revision: https://phabricator.services.mozilla.com/D86454 |
|
Kevin Jacobs | cb86341c99 |
Bug 1655105 - land NSS afa38fb2f0b5 UPGRADE_NSS_RELEASE, r=jcj
2020-07-27 Jan-Marek Glogowski <glogow@fbihome.de> * lib/freebl/Makefile: Bug |
|
Kevin Jacobs | e3e0baf90e |
Bug 1649545 - land NSS 615362dff5ad UPGRADE_NSS_RELEASE, r=jcj
2020-07-18 Benjamin Beurdouche <bbeurdouche@mozilla.com>
* gtests/pk11_gtest/pk11_cipherop_unittest.cc, lib/softoken/pkcs11c.c:
Bug 1636771 - Disable PKCS11 incremental mode for ChaCha20. r=kjacobs,rrelyea
Depends on D74801
[615362dff5ad] [tip]
* gtests/pk11_gtest/pk11_chacha20poly1305_unittest.cc, lib/freebl/chacha20poly1305.c:
Bug 1636771 - Fix incorrect call to Chacha20Poly1305 by PKCS11. r=jcj,kjacobs,rrelyea
[a5e82e40f03e]
2020-07-16 Benjamin Beurdouche <bbeurdouche@mozilla.com>
* lib/softoken/pkcs11c.c:
Bug 1637222 - Enforce IV length check for DES. r=kjacobs,jcj
[0c70232cb6d3]
Differential Revision: https://phabricator.services.mozilla.com/D84043 |
|
Kevin Jacobs | 4e97e34c45 |
Bug 1649545 - land NSS ca068f5b5c17 UPGRADE_NSS_RELEASE, r=jcj
2020-07-16 Billy Brumley <bbrumley@gmail.com>
* lib/freebl/ecl/ecl-priv.h, lib/freebl/ecl/ecl.c, lib/freebl/ecl/ecp_secp521r1.c, lib/freebl/freebl_base.gypi, lib/freebl/manifest.mn:
Bug 1631583 - ECC: constant time P-521 r=kjacobs,rrelyea,bbeurdouche
This portable code contributed by the Network and Information Security Group (NISEC) at Tampere University comes from: [ECCKiila](https://gitlab.com/nisec/ecckiila) that uses [Fiat](https://github.com/mit-plv/fiat-crypto) for the underlying field arithmetic.
Co-authored-by: Luis Rivera-Zamarripa <luis.riverazamarripa@tuni.fi>
Co-authored-by: Jesús-Javier Chi-Domínguez <jesus.chidominguez@tuni.fi>
[ca068f5b5c17] [tip]
* lib/freebl/ecl/ecl-priv.h, lib/freebl/ecl/ecl.c, lib/freebl/ecl/ecp_secp384r1.c, lib/freebl/freebl_base.gypi, lib/freebl/manifest.mn, tests/ec/ectest.sh:
Bug 1631583 - ECC: constant time P-384 r=bbeurdouche,rrelyea
This portable code contributed by the Network and Information Security Group (NISEC) at Tampere University comes from: [ECCKiila](https://gitlab.com/nisec/ecckiila) that uses [Fiat](https://github.com/mit-plv/fiat-crypto) for the underlying field arithmetic.
Co-authored-by: Luis Rivera-Zamarripa <luis.riverazamarripa@tuni.fi>
Co-authored-by: Jesús-Javier Chi-Domínguez <jesus.chidominguez@tuni.fi>
[d19a3cd451bb]
2020-07-13 Robert Relyea <rrelyea@redhat.com>
* lib/pk11wrap/pk11pub.h:
Bug 1643528 Cannot compile code with nss headers and -Werror=strict-prototypes r=kjacobs
[01ffd8fef7fa]
2020-07-10 Daiki Ueno <dueno@redhat.com>
* gtests/ssl_gtest/ssl_auth_unittest.cc, lib/ssl/ssl3con.c, lib/ssl/ssl3exthandle.c, lib/ssl/sslimpl.h, lib/ssl/tls13exthandle.c:
Bug 1646324, advertise rsa_pkcs1_* schemes in CH and CR for certs, r=mt
Summary: In TLS 1.3, unless "signature_algorithms_cert" is advertised, the "signature_algorithms" extension is used as an indication of supported algorithms for signatures on certificates.
While rsa_pkcs1_* signature schemes cannot be used for signing handshake messages, they should be advertised if the peer wants to support certificates signed with RSA PKCS#1.
This adds a flag to ssl3_EncodeSigAlgs() and ssl3_FilterSigAlgs() to preserve rsa_pkcs1_* schemes in the output.
Reviewers: mt
Reviewed By: mt
Bug #: 1646324
[df1d2695e115]
2020-07-09 Benjamin Beurdouche <bbeurdouche@mozilla.com>
* gtests/pk11_gtest/pk11_pbkdf2_unittest.cc, lib/pk11wrap/pk11pbe.c:
Bug 1649648 - Fix null pointers passed as argument in pk11wrap/pk11pbe.c:886 r=kjacobs
[de661583d467]
Differential Revision: https://phabricator.services.mozilla.com/D83824 |
|
Kevin Jacobs | 6a6ed41ab7 |
Bug 1649545 - land NSS 58c2abd7404e UPGRADE_NSS_RELEASE, r=jcj
2020-06-26 Kevin Jacobs <kjacobs@mozilla.com>
* automation/abi-check/expected-report-libssl3.so.txt, automation/abi-check/previous-nss-release, lib/nss/nss.h, lib/softoken/softkver.h, lib/util/nssutil.h:
Set version numbers to 3.55 beta
[332ab7db68ba]
2020-06-25 Kevin Jacobs <kjacobs@mozilla.com>
* tests/all.sh:
Bug 1649190 - Run cipher, sdr, and ocsp tests under standard test cycle.
[f373809abfc0]
2020-06-15 Kevin Jacobs <kjacobs@mozilla.com>
* gtests/common/testvectors/p256ecdsa-sha256-vectors.h, gtests/common/testvectors/p384ecdsa-sha384-vectors.h, gtests/common/testvectors/p521ecdsa-sha512-vectors.h, gtests/common/testvectors_base/test-structs.h, gtests/common/wycheproof/genTestVectors.py, gtests/pk11_gtest/pk11_ecdsa_unittest.cc:
Bug 1649226 - Add Wycheproof ECDSA tests.
[41292ff7f545]
2020-06-30 Benjamin Beurdouche <bbeurdouche@mozilla.com>
* lib/pkcs12/p12d.c:
Bug 1649322 - Fix null pointer passed as argument in pk11wrap/pk11pbe.c:1246 r=kjacobs
[cc43ebf5bf88]
2020-06-30 Danh <congdanhqx@gmail.com>
* coreconf/arch.mk, coreconf/config.mk, lib/freebl/Makefile:
Bug 1646594 - Enable AVX2 if applicable on x86_64 with make 4.3 r=bbeurdouche
[b579895aceb0]
2020-07-02 Benjamin Beurdouche <bbeurdouche@mozilla.com>
* lib/ssl/ssl3con.c:
Bug 1649316 - Prevent memcmp from being called with a zero length in ssl/ssl3con.c:6621 r=kjacobs
[8fe9213d0551]
2020-07-02 Alexander Scheel <ascheel@redhat.com>
* lib/cryptohi/secvfy.c:
Bug 1649487 - Fix bad assert in VFY_EndWithSignature. r=jcj
[c9438b528103]
2020-07-06 Dana Keeler <dkeeler@mozilla.com>
* automation/abi-check/expected-report-libnss3.so.txt, gtests/pk11_gtest/pk11_find_certs_unittest.cc, lib/nss/nss.def, lib/pk11wrap/pk11cert.c, lib/pk11wrap/pk11pub.h:
Bug 1649633 - add PK11_FindEncodedCertInSlot r=kjacobs,jcj
PK11_FindEncodedCertInSlot can be used to determine the PKCS#11 object handle of an encoded certificate in a given slot. If the given certificate does not exist in that slot, CK_INVALID_HANDLE is returned.
[32fe710a942f]
* gtests/pk11_gtest/pk11_find_certs_unittest.cc:
Bug 1649633 - follow-up to make test comparisons in pk11_find_certs_unittest.cc yoda comparisons r=kjacobs
[424dae31a1c1]
2020-07-07 Kevin Jacobs <kjacobs@mozilla.com>
* gtests/pk11_gtest/pk11_rsapkcs1_unittest.cc, lib/freebl/rsapkcs.c:
Bug 1067214 - Check minimum padding in RSA_CheckSignRecover. r=rrelyea
This patch adds a check to `RSA_CheckSignRecover` enforcing a minimum padding length of 8 bytes for PKCS #1 v1.5-formatted signatures. In practice, RSA key size requirements already ensure this requirement is met, but smaller (read: broken) key sizes can be used via configuration overrides, and NSS should just follow the spec.
[e5324bd5a885]
2020-07-08 Kevin Jacobs <kjacobs@mozilla.com>
* gtests/ssl_gtest/libssl_internals.c, gtests/ssl_gtest/libssl_internals.h, gtests/ssl_gtest/ssl_record_unittest.cc, gtests/ssl_gtest/tls_agent.cc, gtests/ssl_gtest/tls_agent.h, lib/ssl/dtls13con.c, lib/ssl/dtls13con.h, lib/ssl/ssl3con.c, lib/ssl/ssl3prot.h, lib/ssl/sslspec.h, lib/ssl/sslt.h, lib/ssl/tls13con.c, lib/ssl/tls13exthandle.c:
Bug 1647752 - Update DTLS 1.3 implementation to draft-38. r=mt
This patch updates DTLS 1.3 to draft-38. Specifically:
1. `ssl_ct_ack` value changes from 25 to 26.
2. AEAD limits in `tls13_UnprotectRecord` enforce a maximum of 2^36-1 (as we only support GCM/ChaCha20 AEADs) decryption failures before the connection is closed.
3. Post-handshake authentication will no longer be negotiated in DTLS 1.3. This allows us to side-step the more convoluted state machine requirements.
[132a87fc8689]
2020-07-09 Benjamin Beurdouche <bbeurdouche@mozilla.com>
* lib/pk11wrap/pk11pbe.c, lib/pkcs12/p12d.c:
Bug 1649322 - Fix null pointer passed as argument in pk11wrap/pk11pbe.c:1246 r=kjacobs
This is a fixup patch that reverts https://hg.mozilla.org/projects/nss/rev/cc43ebf5bf88355837c5fafa2f3c46e37626707a and adds a null check around the memcpy in question.
[80bea0e22b20]
2020-07-09 J.C. Jones <jjones@mozilla.com>
* lib/softoken/pkcs11.c:
Bug 1651520 - slotLock race in NSC_GetTokenInfo r=kjacobs
Basically, NSC_GetTokenInfo doesn't lock slot->slotLock before accessing slot after obtaining it, even though slotLock is defined as its lock. [0]
[0] https://searchfox.org/nss/rev/a412e70e55218aaf670f1f10322fa734d8a9fbde/lib/softoken/pkcs11i.h#320-321
[58c2abd7404e] [tip]
Differential Revision: https://phabricator.services.mozilla.com/D82466 |
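The bug 1067214 entry in the row above adds a minimum-padding check to `RSA_CheckSignRecover`. The block below is an added example, not NSS's `rsapkcs.c`, that shows what that check is protecting: a parser for the RFC 8017 EMSA-PKCS1-v1_5 block `0x00 || 0x01 || PS || 0x00 || T` that insists on at least 8 bytes of `0xFF` padding, next to a sign-recover routine over a deliberately tiny textbook-RSA modulus. With a key that small there is no room for a spec-compliant PS at all, so a verifier that skips the minimum-padding check still "recovers" a message while one that follows the spec rejects it. The 60-bit modulus, exponent and the one-byte message are constructed for the example and are far below anything NSS would accept by default; the hypothetical `min_pad` parameter exists only to show the lax and strict behaviours side by side.

```python
# Added example, not NSS code. RFC 8017 Section 9.2 type-1 block handling.


def pad_pkcs1_v15_type1(t: bytes, k: int) -> bytes:
    """EMSA-PKCS1-v1_5: EM = 0x00 || 0x01 || PS || 0x00 || T with PS >= 8 bytes of 0xFF.
    k is the modulus length in bytes."""
    ps_len = k - len(t) - 3
    if ps_len < 8:
        raise ValueError("intended encoded message length too short")
    return b"\x00\x01" + b"\xff" * ps_len + b"\x00" + t


def unpad_pkcs1_v15_type1(em: bytes, min_pad: int = 8) -> bytes:
    """Recover T from EM, rejecting blocks with fewer than min_pad bytes of 0xFF.
    min_pad is a hypothetical knob so the lax (0) and spec (8) checks can be compared."""
    if len(em) < 3 + min_pad:
        raise ValueError("encoded message too short")
    if em[0] != 0x00 or em[1] != 0x01:
        raise ValueError("wrong block type")
    i = 2
    while i < len(em) and em[i] == 0xFF:
        i += 1
    if i >= len(em) or em[i] != 0x00:
        raise ValueError("missing 0x00 separator after padding")
    if i - 2 < min_pad:
        raise ValueError("padding shorter than %d bytes" % min_pad)
    return em[i + 1:]


def check_sign_recover(em: bytes, min_pad: int = 8) -> bool:
    """True if EM is a well-formed type-1 block carrying the required padding."""
    try:
        unpad_pkcs1_v15_type1(em, min_pad)
        return True
    except ValueError:
        return False


# Toy textbook-RSA parameters (constructed): two 30-bit primes, a 60-bit modulus,
# k = 8 bytes. Nothing like a real key; it exists to show what an override to a
# "broken" key size does to the padding budget.
TOY_P, TOY_Q, TOY_E = 1000000007, 998244353, 65537
TOY_N = TOY_P * TOY_Q
TOY_D = pow(TOY_E, -1, (TOY_P - 1) * (TOY_Q - 1))
TOY_K = (TOY_N.bit_length() + 7) // 8


def rsa_sign_raw(em: bytes) -> bytes:
    """s = em^d mod n over the toy key (no hashing, no blinding: illustration only)."""
    m = int.from_bytes(em, "big")
    if m >= TOY_N:
        raise ValueError("message representative out of range")
    return pow(m, TOY_D, TOY_N).to_bytes(TOY_K, "big")


def rsa_sign_recover(sig: bytes, min_pad: int = 8) -> bytes:
    """Mirror of a sign-recover verify: em = s^e mod n, then validate the type-1 block."""
    em = pow(int.from_bytes(sig, "big"), TOY_E, TOY_N).to_bytes(TOY_K, "big")
    return unpad_pkcs1_v15_type1(em, min_pad)


if __name__ == "__main__":
    # With k = 8 there is room for only 4 bytes of PS around a 1-byte T.
    short_em = b"\x00\x01" + b"\xff" * 4 + b"\x00" + b"T"
    sig = rsa_sign_raw(short_em)
    print(rsa_sign_recover(sig, min_pad=0))        # b'T': the lax check accepts it
    print(check_sign_recover(short_em))            # False: the spec check rejects it
```

The encoder refuses to produce a block with fewer than 8 padding bytes, so a correctly generated signature never trips the decoder's check; the check matters for the verify side, where the block comes out of an untrusted signature and the modulus size is whatever the configuration allowed.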