2020-01-07 J.C. Jones <jjones@mozilla.com>
* tests/fips/cavs_samples/KBKDF/fax/KBKDFCounter.fax.orig,
tests/fips/cavs_samples/KBKDF/req/KBKDFCounter.req.orig:
Bug 1599603 - Remove .orig files accidentally committed in
4349f611f7b96de63934837d6940095ac1a5db33 r=bustage
[4921046404f1] [tip]
2020-01-07 Giulio Benetti <giulio.benetti@benettiengineering.com>
* cmd/signtool/manifest.mn, lib/ssl/manifest.mn:
Bug 1603438 - Fix native tools build failure due to lack of zlib
include dir if external r=jcj
Add ZLIB_INCLUDE_DIR variable
On Linux platform[1], the build system forces the use of zlib from the
system instead of compiling the one located intree.
The following error is raised when the zlib header is installed
somewhere else than in the default system include path:
ssl3con.c:39:18: fatal error: zlib.h: No such file or directory
#include "zlib.h"
The same trick setup for sqlite include directory is reproduced for
zlib. The build system disallows in any manner to give arguments to
the compiler explicitly.
The variable ZLIB_INCLUDE_DIR points to the directory where the zlib
header is located.
[1]: https://hg.mozilla.org/projects/nss/file/NSS_3_33_BRANCH/coreconf/Linux.mk#l180
[2]: https://hg.mozilla.org/projects/nss/file/NSS_3_33_BRANCH/lib/softoken/manifest.mn#l17
[477d370d1bab]
2020-01-06 Kevin Jacobs <kjacobs@mozilla.com>
* cpputil/databuffer.h, cpputil/scoped_ptrs_ssl.h,
cpputil/tls_parser.h, gtests/ssl_gtest/manifest.mn,
gtests/ssl_gtest/ssl_aead_unittest.cc,
gtests/ssl_gtest/ssl_ciphersuite_unittest.cc,
gtests/ssl_gtest/ssl_drop_unittest.cc,
gtests/ssl_gtest/ssl_gtest.gyp,
gtests/ssl_gtest/ssl_masking_unittest.cc,
gtests/ssl_gtest/ssl_primitive_unittest.cc,
gtests/ssl_gtest/ssl_record_unittest.cc,
gtests/ssl_gtest/ssl_recordsize_unittest.cc,
gtests/ssl_gtest/ssl_tls13compat_unittest.cc,
gtests/ssl_gtest/tls_agent.cc, gtests/ssl_gtest/tls_filter.cc,
gtests/ssl_gtest/tls_filter.h, gtests/ssl_gtest/tls_protect.cc,
gtests/ssl_gtest/tls_protect.h, lib/ssl/dtls13con.c,
lib/ssl/dtls13con.h, lib/ssl/dtlscon.c, lib/ssl/dtlscon.h,
lib/ssl/ssl3con.c, lib/ssl/ssl3gthr.c, lib/ssl/ssl3prot.h,
lib/ssl/sslexp.h, lib/ssl/sslimpl.h, lib/ssl/sslprimitive.c,
lib/ssl/sslsock.c, lib/ssl/sslspec.c, lib/ssl/sslspec.h,
lib/ssl/tls13con.c, lib/ssl/tls13con.h:
Bug 1599514 - Update DTLS 1.3 support to draft-30 r=mt
This patch updates the DTLS 1.3 implementation to draft version 30,
including unified header format and sequence number encryption.
Also added are new `SSL_CreateMask` experimental functions.
[8b7f0180c5b0]
2020-01-06 Robert Relyea <rrelyea@redhat.com>
* cmd/fipstest/fipstest.c, gtests/pk11_gtest/manifest.mn,
gtests/pk11_gtest/pk11_gtest.gyp, gtests/pk11_gtest/pk11_kbkdf.cc,
lib/softoken/kbkdf.c, lib/softoken/manifest.mn,
lib/softoken/pkcs11.c, lib/softoken/pkcs11c.c,
lib/softoken/pkcs11i.h, lib/softoken/pkcs11u.c,
lib/softoken/sftkhmac.c, lib/softoken/softoken.gyp,
lib/util/pkcs11n.h, lib/util/pkcs11t.h,
tests/fips/cavs_samples/KBKDF/fax/KBKDFCounter.fax,
tests/fips/cavs_samples/KBKDF/fax/KBKDFCounter.fax.orig,
tests/fips/cavs_samples/KBKDF/fax/README,
tests/fips/cavs_samples/KBKDF/req/KBKDFCounter.req,
tests/fips/cavs_samples/KBKDF/req/KBKDFCounter.req.orig,
tests/fips/cavs_samples/KBKDF/req/README,
tests/fips/cavs_scripts/README, tests/fips/cavs_scripts/kbkdf.sh,
tests/fips/cavs_scripts/runtest.sh:
This implements NIST SP800-108 Counter, Feedback, and Double
Pipeline mode KDFs suitable for use in SCP03 and other protocols.
These KDFs were introduced in PKCS#11 v3.0.
Resolves: BZ#1599603
[4349f611f7b9]
2020-01-03 J.C. Jones <jjones@mozilla.com>
* automation/abi-check/previous-nss-release, lib/nss/nss.h,
lib/softoken/softkver.h, lib/util/nssutil.h:
Set version numbers to 3.50 Beta
[569ca5b163e7]
Differential Revision: https://phabricator.services.mozilla.com/D59210
--HG--
rename : security/nss/gtests/ssl_gtest/ssl_primitive_unittest.cc => security/nss/gtests/ssl_gtest/ssl_aead_unittest.cc
extra : moz-landing-system : lando
Bug 414641 was marked WONTFIX, so let's remove these comments from configure
Differential Revision: https://phabricator.services.mozilla.com/D55993
--HG--
extra : moz-landing-system : lando
Graphene was a B2G UI runtime (added in bug 1115098) used for the browser.html prototype. The Graphene code has since been removed.
Depends on D58358
Differential Revision: https://phabricator.services.mozilla.com/D58359
--HG--
extra : moz-landing-system : lando
MOZ_PHOENIX was a macro added back in 2002 to differentiate SeaMonkey and Phoenix appshell bits. The earliest references to MOZ_PHOENIX I can find in Gecko's pre-hg history are bug 161448, bug 213228, bug 243091, and 05ef2e9b38.
Differential Revision: https://phabricator.services.mozilla.com/D58358
--HG--
extra : moz-landing-system : lando
2019-12-06 Daiki Ueno <dueno@redhat.com>
* lib/pki/pki3hack.c:
Bug 1593167, certdb: propagate trust information if trust module is
loaded afterwards, r=rrelyea,keeler
Summary: When the builtin trust module is loaded after some temp
certs being created, these temp certs are usually not accompanied by
trust information. This causes a problem in Firefox as it loads the
module from a separate thread while accessing the network cache
which populates temp certs.
This change makes it properly roll up the trust information, if a
temp cert doesn't have trust information.
Reviewers: rrelyea, keeler
Reviewed By: rrelyea, keeler
Subscribers: reviewbot, heftig
Bug #: 1593167
[c46bc59ce7d4] [tip]
2019-11-08 Martin Thomson <mt@lowentropy.net>
* lib/ssl/tls13subcerts.c:
Bug 1594965 - Include saltLength in DC SPKI, r=kjacobs
Summary: I discovered this when validating new additions to our root
store policy. The encodings there didn't line up with what we were
producing with DC.
[661058254ade]
2019-12-04 J.C. Jones <jjones@mozilla.com>
* automation/release/nss-release-helper.py:
Bug 1535787 - Further improvements to the release-helper API r=mt
[7baba392bf8b]
* automation/release/nss-release-helper.py:
Bug 1535787 - flake8 style updates to nss-release-helper.py
r=kjacobs
Depends on D23757
[b31e68a789fa]
* automation/release/nss-release-helper.py:
Bug 1535787 - Use Python for the regexes in nss-release-helper
r=keeler,kjacobs
automation/release/nss-release-helper.py doesn't actually edit the
files correctly on MacOS due to differences between GNU and BSD sed.
It's python, so let's just use python regexes.
[92271739e848]
2019-12-04 Franziskus Kiefer <franziskuskiefer@gmail.com>
* automation/taskcluster/graph/src/extend.js,
automation/taskcluster/graph/src/queue.js,
automation/taskcluster/scripts/check_abi.sh, build.sh,
coreconf/config.gypi, help.txt, lib/freebl/freebl_base.gypi, mach,
tests/all.sh, tests/common/init.sh, tests/remote/Makefile:
Bug 1594933 - disable libnssdbm by default; keep build on CI, r=jcj
Disable libnssdbm by default and add flag to enable it in builds. On
CI a build and certs test with enabled legacy DB are added.
Note that for some reason the coverage build fails. I have no idea
why. I'm open for ideas.
[c1fad130dce2]
2019-12-03 Makoto Kato <m_kato@ga2.so-net.ne.jp>
* lib/freebl/Makefile, lib/freebl/freebl.gyp,
lib/freebl/gcm-arm32-neon.c, lib/freebl/gcm.c:
Bug 1562548 - Improve GCM performance on aarch32 using NEON.
r=kjacobs
Optimize GCM performance using
https://conradoplg.cryptoland.net/files/2010/12/gcm14.pdf via ARM's
NEON.
[a9ba652046e6]
2019-12-03 J.C. Jones <jjones@mozilla.com>
* automation/abi-check/expected-report-libssl3.so.txt,
automation/abi-check/previous-nss-release, lib/nss/nss.h,
lib/softoken/softkver.h, lib/util/nssutil.h:
Set version numbers to 3.49 beta
[3051793c68fc]
2019-12-02 J.C. Jones <jjones@mozilla.com>
* .hgtags:
Added tag NSS_3_48_BETA1 for changeset 77976f3fefca
[06d5b4f91a9c]
Differential Revision: https://phabricator.services.mozilla.com/D56378
--HG--
extra : moz-landing-system : lando
Turns out we were using the Linux ones. This uses the Windows ones, and
adds _HAS_EXCEPTIONS to the mingw defines so the stl_wrappers behave
correctly.
Differential Revision: https://phabricator.services.mozilla.com/D54530
--HG--
extra : moz-landing-system : lando
Long term, we want to remove the custom linker (bug 1291377) but without
more effort than where we're at with bug 1598196, it would break using
mozjemalloc.
However, some builds using sanitizers don't use mozjemalloc already,
and in their case, we can already disable the custom linker.
Differential Revision: https://phabricator.services.mozilla.com/D54078
--HG--
extra : moz-landing-system : lando
For now, there is no flag to actually allow it, but this is the
code-side changes to allow the linker being disabled.
Differential Revision: https://phabricator.services.mozilla.com/D54074
--HG--
extra : moz-landing-system : lando
Now that rkv has a new backend, we should be able to let this ride the trains
to early beta at least.
Differential Revision: https://phabricator.services.mozilla.com/D53847
--HG--
extra : moz-landing-system : lando
2019-10-28 Kevin Jacobs <kjacobs@mozilla.com>
* automation/abi-check/expected-report-libssl3.so.txt,
gtests/ssl_gtest/libssl_internals.c,
gtests/ssl_gtest/libssl_internals.h, gtests/ssl_gtest/tls_agent.cc,
gtests/ssl_gtest/tls_agent.h, gtests/ssl_gtest/tls_filter.h,
gtests/ssl_gtest/tls_subcerts_unittest.cc, lib/ssl/ssl3con.c,
lib/ssl/sslimpl.h, lib/ssl/sslinfo.c, lib/ssl/sslt.h,
lib/ssl/tls13con.c:
Bug 1588244 - Store TLS 1.3 peerDelegCred, authKeyBits, and scheme
in SSLPreliminaryChannelInfo. r=mt
This patch adjusts where we set `authKeyBits` (et al.) for TLS 1.3,
such that `CertVerifier` can check the strength of a delegated
credential keypair.
The corresponding PSM changeset is in D47181.
[fcdda17cdc36] [tip]
2019-10-28 Kai Engert <kaie@kuix.de>
* coreconf/coreconf.dep:
Dummy change, trigger a build after bustage to test latest NSPR
commit
[ec2adf31fb8c]
2019-10-26 Martin Thomson <mt@lowentropy.net>
* lib/ssl/sslauth.c, lib/ssl/sslcon.c, lib/ssl/tls13esni.c:
Bug 1590970 - Use ssl_Time consistently, r=kjacobs
I missed a few places that used PR_Now() before.
[c6021063e64a]
2019-10-22 Deian Stefan <deian@cs.ucsd.edu>
* gtests/pk11_gtest/pk11_cbc_unittest.cc:
Bug 1459141 - A few more CBC padding tests. r=jcj
This patch adds more test vectors for AES-CBC and 3DES-CBC padding.
[38f1c92a5e11]
2019-10-22 Marcus Burghardt <mburghardt@mozilla.com>
* cmd/btoa/btoa.c:
Bug 1590339 - Fix MemoryLeak in btoa.c. r=kjacobs
[5feab64d2d20]
2019-10-21 Marcus Burghardt <mburghardt@mozilla.com>
* lib/ckfw/builtins/testlib/certdata-testlib.txt:
Bug 1589810 - Uninitialized variable warnings from certdata.perl.
r=mt
[3f40060ca7b3]
2019-10-19 Martin Thomson <martin.thomson@gmail.com>
* gtests/ssl_gtest/ssl_version_unittest.cc:
Bug 1573118 - Fix busted unit tests, r=jcj
These unit tests were broken by the change to TLS version defaults.
In retrospect, this shouldn't have been surprising, but now that
I'm seeing bustage, I'm somewhat surprised that there are so few
failures.
[7e0b8364687b]
* lib/ssl/sslsock.c:
Bug 1573118 - Enable TLS 1.3 by default, r=jcj
As planned for 3.47, but now for 3.48.
[bc77cf318f38]
2019-10-18 J.C. Jones <jjones@mozilla.com>
* automation/abi-check/expected-report-libnss3.so.txt,
automation/abi-check/expected-report-libsmime3.so.txt,
automation/abi-check/expected-report-libssl3.so.txt,
automation/abi-check/previous-nss-release, lib/nss/nss.h,
lib/softoken/softkver.h, lib/util/nssutil.h:
Set version numbers to 3.48 beta
[0e7dd2050d09]
* .hgtags:
Added tag NSS_3_47_RTM for changeset 7ccb4ade5577
[dcadb95b9d77] <NSS_3_47_BRANCH>
* lib/nss/nss.h, lib/softoken/softkver.h, lib/util/nssutil.h:
Set version numbers to 3.47 final
[7ccb4ade5577] [NSS_3_47_RTM] <NSS_3_47_BRANCH>
Differential Revision: https://phabricator.services.mozilla.com/D50840
--HG--
extra : moz-landing-system : lando
It's nicer to have everything in one place, and because we support
clang-cl, we can have a single definition for the error flag too.
Differential Revision: https://phabricator.services.mozilla.com/D45705
--HG--
extra : moz-landing-system : lando
2019-09-18 Kevin Jacobs <kjacobs@mozilla.com>
* cmd/lib/derprint.c:
Bug 1581024 - Check for pointer wrap in derprint.c. r=jcj
Check for pointer wrap on output-length check in the derdump
utility.
[a3ee4f26b4c1] [tip]
2019-09-18 Giulio Benetti <giulio.benetti@micronovasrl.com>
* lib/freebl/gcm-aarch64.c:
Bug 1580126 - Fix build failure on aarch64_be while building
freebl/gcm r=kjacobs
Build failure is caused by different #ifdef conditions in gcm.c and
gcm-aarch64.c that lead to double declaration of the same gcm_*
functions.
Fix #ifdef condition in gcm-aarch64.c making it the same as the one
in gcm.c.
Signed-off-by: Giulio Benetti <giulio.benetti@micronovasrl.com>
[fa0d958de0c3]
2019-09-17 Kai Engert <kaie@kuix.de>
* automation/taskcluster/graph/src/extend.js:
Bug 1385039 - Build NSPR tests as part of NSS continuous
integration. r=kjacobs
[cc97f1a93038]
2019-09-17 Landry Breuil <landry@openbsd.org>
* lib/freebl/Makefile:
Bug 1581391 - include gcm-aarch64 on all unices, not only linux
r=kjacobs
[e7b4f293fa4e]
2019-09-17 Martin Thomson <mt@lowentropy.net>
* mach:
Bug 1581041 - Rename mach-commands to mach-completion, r=jcj
This means that we can point our completion at the gecko one.
[bc91272fcbdc]
2019-09-16 Jenine <jenine_c@outlook.com>
* cmd/pk11importtest/pk11importtest.c, lib/softoken/pkcs11.c:
Bug 1558313 - Fix clang warnings in pk11importtest.c and pkcs11.c
r=marcusburghardt
[4569b745f74e]
2019-09-13 Daiki Ueno <dueno@redhat.com>
* lib/certhigh/certvfy.c:
Bug 1542207, fix policy check on signature algorithms, r=rrelyea
Reviewers: rrelyea
Reviewed By: rrelyea
Bug #: 1542207
[ed8a41d16c1c]
2019-09-05 Daiki Ueno <dueno@redhat.com>
* lib/freebl/drbg.c:
Bug 1560329, drbg: perform continuous test on entropy source,
r=rrelyea
Summary: FIPS 140-2 section 4.9.2 requires a conditional self test
to check that consecutive entropy blocks from the system are
different. As neither getentropy() nor /dev/urandom provides that
check on the output, this adds the self test at caller side.
Reviewers: rrelyea
Reviewed By: rrelyea
Bug #: 1560329
[c66dd879d16a]
2019-09-06 Martin Thomson <mt@lowentropy.net>
* automation/taskcluster/graph/src/queue.js:
Bug 1579290 - Disable LSAN during builds, r=ueno
Summary: See the bug description for details.
[f28f3d7b7cf0]
2019-09-13 Kai Engert <kaie@kuix.de>
* Makefile, build.sh, coreconf/nspr.sh, help.txt:
Bug 1385061 - Build NSPR tests with NSS make; Add gyp parameters to
build/run NSPR tests. r=jcj
[8b4a226f7d23]
2019-09-11 Kai Engert <kaie@kuix.de>
* nss.gyp:
Bug 1577359 - Build atob and btoa for Thunderbird. r=jcj
[1fe61aadaf57]
2019-09-10 Marcus Burghardt <mburghardt@mozilla.com>
* cmd/pk12util/pk12util.c:
Bug 1579036 - Define error when trying to export non-existent cert
with pk12util. r=jcj
[65ab97f03c89]
2019-09-04 Martin Thomson <mt@lowentropy.net>
* gtests/mozpkix_gtest/pkixder_input_tests.cpp:
Bug 1578626 - Remove undefined nullptr decrement, r=keeler
Summary: This uses uintptr_t to avoid the worst. It still looks
terrible and might trip static analysis warnings, but the
reinterpret_cast should hide that.
This assumes that sizeof(uintptr_t) == sizeof(void*), so I've added
an assertion so that we'll at least fail the test on those systems.
(We could use GTEST_SKIP instead, but we don't have that in the
version of gtest that we use.)
Reviewers: keeler
Tags: #secure-revision
Bug #: 1578626
[d2485b1c997e]
2019-09-05 Marcus Burghardt <mburghardt@mozilla.com>
* gtests/pk11_gtest/pk11_find_certs_unittest.cc:
Bug 1578751 - Ensure a consistent style for
pk11_find_certs_unittest.cc. r=jcj
Adjusted the style and clang-format after the changes in some var
names.
[e95fee7f59e5]
Differential Revision: https://phabricator.services.mozilla.com/D46246
--HG--
extra : moz-landing-system : lando
We always define it to the same thing, and we're inconsistent in whether
we use `CPP_THROW_NEW` or `throw()`, so we might as well just use the
standard C++ thing and get rid of some baggage.
Differential Revision: https://phabricator.services.mozilla.com/D40425
--HG--
extra : moz-landing-system : lando
Since kernel32.lib is a defaultlib we do not need to explicitly include it
in the OS_LIBS list; the linker will implicitly add it to the end of the list.
In fact, its presence interferes with other explicitly added .lib files that
should take precedence.
Differential Revision: https://phabricator.services.mozilla.com/D41806
--HG--
extra : moz-landing-system : lando
We needed these rules and bits for the QT widget port, but there's no
longer a QT port in the tree, so we might as well remove them.
Differential Revision: https://phabricator.services.mozilla.com/D38886
--HG--
extra : moz-landing-system : lando
When we build mar, there is no reason not to build signmar as well. It
used to be optional because not all platforms were supported, but they
are now.
... except when building the newly added tools/update-packaging,
which builds the mar tool as a standalone thing, and building signmar
as well causes complications.
Differential Revision: https://phabricator.services.mozilla.com/D36992
--HG--
extra : moz-landing-system : lando
When we build mar, there is no reason not to build signmar as well. It
used to be optional because not all platforms were supported, but they
are now.
Differential Revision: https://phabricator.services.mozilla.com/D36992
--HG--
extra : moz-landing-system : lando
We've been relying on frame pointers being indirectly enabled via things
like --enable-profiling for some time, but this doesn't scale because
some things may want frame pointers while wanting --disable-profiling.
So we move MOZ_FRAMEPTR_FLAGS to python configure and add a new option
to decide whether to enable frame pointers or not.
Differential Revision: https://phabricator.services.mozilla.com/D34117
--HG--
extra : moz-landing-system : lando
There are ongoing lmdb issues we need to sort out before we can ship
cert_storage (see e.g. bug 1538541 and bug 1550174).
Differential Revision: https://phabricator.services.mozilla.com/D32885
--HG--
extra : moz-landing-system : lando
This also enables using cert_storage for OneCRL, since it and intermediate
preloading both use the same backend.
Differential Revision: https://phabricator.services.mozilla.com/D31345
--HG--
extra : moz-landing-system : lando