In general, PSM caches intermediates from verified certificate chains in the
NSS certdb. Before bug 1619021, this would include preloaded intermediates,
which is unnecessary because cert_storage has a copy of those certificates, and
so they don't need to take up time and space in the NSS certdb. This patch
introduces the intermediate preloading healer, which periodically runs on a
background thread, looks for these duplicate intermediates, and removes them
from the NSS certdb.
Differential Revision: https://phabricator.services.mozilla.com/D77152
2020-06-01 Kevin Jacobs <kjacobs@mozilla.com>
* coreconf/config.gypi, lib/freebl/Makefile, lib/freebl/blinit.c,
lib/freebl/freebl.gyp, lib/freebl/sha256-armv8.c,
lib/freebl/sha256.h, lib/freebl/sha512.c, mach:
Bug 1528113 - Use ARM's crypto extension for SHA256
[ea54fd986036]
2020-04-08 Kevin Jacobs <kjacobs@mozilla.com>
* automation/abi-check/expected-report-libssl3.so.txt,
gtests/ssl_gtest/libssl_internals.c,
gtests/ssl_gtest/libssl_internals.h, gtests/ssl_gtest/manifest.mn,
gtests/ssl_gtest/ssl_0rtt_unittest.cc,
gtests/ssl_gtest/ssl_extension_unittest.cc,
gtests/ssl_gtest/ssl_gtest.gyp, gtests/ssl_gtest/tls_agent.cc,
gtests/ssl_gtest/tls_agent.h, gtests/ssl_gtest/tls_connect.cc,
gtests/ssl_gtest/tls_connect.h,
gtests/ssl_gtest/tls_psk_unittest.cc, lib/ssl/manifest.mn,
lib/ssl/ssl.gyp, lib/ssl/ssl3con.c, lib/ssl/ssl3ext.c,
lib/ssl/ssl3ext.h, lib/ssl/sslerr.h, lib/ssl/sslexp.h,
lib/ssl/sslimpl.h, lib/ssl/sslinfo.c, lib/ssl/sslsecur.c,
lib/ssl/sslsock.c, lib/ssl/sslt.h, lib/ssl/tls13con.c,
lib/ssl/tls13con.h, lib/ssl/tls13exthandle.c, lib/ssl/tls13psk.c,
lib/ssl/tls13psk.h, lib/ssl/tls13replay.c:
Bug 1603042 - TLS 1.3 out-of-band PSK support
[a448d7919077]
2020-06-01 Makoto Kato <m_kato@ga2.so-net.ne.jp>
* coreconf/config.gypi, lib/freebl/Makefile, lib/freebl/blinit.c,
lib/freebl/freebl.gyp, lib/freebl/sha256-armv8.c,
lib/freebl/sha256.h, lib/freebl/sha512.c:
Bug 1528113 - Use ARM's crypto extension for SHA256 r=kjacobs
ARMv8 CPU has accelerated hardware instruction for SHA256 that
supports GCC 4.9+. We should use it if available.
[61c83f79e90c]
2020-06-02 Kevin Jacobs <kjacobs@mozilla.com>
* automation/abi-check/expected-report-libssl3.so.txt,
gtests/ssl_gtest/libssl_internals.c,
gtests/ssl_gtest/libssl_internals.h, gtests/ssl_gtest/manifest.mn,
gtests/ssl_gtest/ssl_0rtt_unittest.cc,
gtests/ssl_gtest/ssl_extension_unittest.cc,
gtests/ssl_gtest/ssl_gtest.gyp, gtests/ssl_gtest/tls_agent.cc,
gtests/ssl_gtest/tls_agent.h, gtests/ssl_gtest/tls_connect.cc,
gtests/ssl_gtest/tls_connect.h,
gtests/ssl_gtest/tls_psk_unittest.cc, lib/ssl/manifest.mn,
lib/ssl/ssl.gyp, lib/ssl/ssl3con.c, lib/ssl/ssl3ext.c,
lib/ssl/ssl3ext.h, lib/ssl/sslerr.h, lib/ssl/sslexp.h,
lib/ssl/sslimpl.h, lib/ssl/sslinfo.c, lib/ssl/sslsecur.c,
lib/ssl/sslsock.c, lib/ssl/sslt.h, lib/ssl/tls13con.c,
lib/ssl/tls13con.h, lib/ssl/tls13exthandle.c, lib/ssl/tls13psk.c,
lib/ssl/tls13psk.h, lib/ssl/tls13replay.c:
Bug 1603042 - TLS 1.3 out-of-band PSK support r=mt
This patch adds support for External (out-of-band) PSKs in TLS 1.3.
An External PSK (EPSK) can be set by calling `SSL_AddExternalPsk`,
and removed with `SSL_RemoveExternalPsk`. `SSL_AddExternalPsk0Rtt`
can be used to add a PSK while also specifying a suite and
max_early_data_size for use with 0-RTT.
As part of handling PSKs more generically, the patch also changes
how resumption PSKs are handled internally, so as to rely on the
same mechanisms where possible.
A socket is currently limited to only one External PSK at a time. If
the server doesn't find the same identity for the configured EPSK,
it will fall back to certificate authentication.
[a2293e897889]
* lib/freebl/mpi/mplogic.c:
cast in LZCNTLOOP
[96e65b2e9531]
* lib/freebl/freebl.gyp:
Use KRML_VERIFIED_UINT128 on MSVC builds
[abd50c862bdb]
2020-06-03 Kevin Jacobs <kjacobs@mozilla.com>
* gtests/ssl_gtest/ssl_exporter_unittest.cc, lib/ssl/sslinfo.c,
lib/ssl/tls13con.c:
Bug 1643123 - Allow External PSKs to be used with Early Export
[46ef0c025cfc]
2020-06-02 Sylvestre Ledru <sledru@mozilla.com>
* lib/ssl/tls13con.c:
Bug 1642809 - Fix an assert (we need a comparison, not assignment)
r=kjacobs
[d0789cb32d8e]
2020-06-03 Mike Hommey <mh@glandium.org>
* cmd/shlibsign/Makefile:
Bug 1642153 - Avoid infinite recursion when CHECKLOC is not set.
r=jcj
[e955ece90b05]
2020-06-03 Martin Thomson <mt@lowentropy.net>
* gtests/ssl_gtest/ssl_auth_unittest.cc,
gtests/ssl_gtest/ssl_resumption_unittest.cc, lib/ssl/tls13con.c:
Bug 1642871 - Allow tickets and PHA after resumption, r=kjacobs
The first part of this is fairly simple: we accidentally disabled
sending of session tickets after resumption.
The second part is much less obvious, because the spec is unclear.
This change takes the interpretation that it is OK to use post-
handshake authentication if the handshake is resumed, but not OK if
the handshake is based on a PSK. (This is based on a first-
principles understanding of resumption being a continuation of a
certificate-based connection rather than a reading of the spec, see
the bug for why the spec appears to be unhelpful on this point.)
This still prohibits the use of post-handshake authentication if an
external PSK was used, but that is more an abundance of caution than
anything principled.
[e9502f71b7fe]
2020-06-04 Kevin Jacobs <kjacobs@mozilla.com>
* gtests/ssl_gtest/ssl_exporter_unittest.cc, lib/ssl/sslinfo.c,
lib/ssl/tls13con.c:
Bug 1643123 - Allow External PSKs to be used with Early Export r=mt
This patch adjusts `tls13_exporter` to pull the hash algorithm from
the first PSK when a suite is not configured yet, which allows early
export with external PSKs.
[d211f3013abb]
Differential Revision: https://phabricator.services.mozilla.com/D78578
In general, PSM caches intermediates from verified certificate chains in the
NSS certdb. Before bug 1619021, this would include preloaded intermediates,
which is unnecessary because cert_storage has a copy of those certificates, and
so they don't need to take up time and space in the NSS certdb. This patch
introduces the intermediate preloading healer, which periodically runs on a
background thread, looks for these duplicate intermediates, and removes them
from the NSS certdb.
Differential Revision: https://phabricator.services.mozilla.com/D77152
Content processes allow a restricted subset of F_{GET,SET}{FD,FL} that
prevents setting unknown or known-unsafe flags, which was copied to the
socket process policy; this patch moves it to the common policy and
removes RDD's copy of GMP's override.
The immediate reason for this is DMD using F_GETFL via fdopen to use a
file descriptor passed over IPC, but in general this should be safe and
it's a reasonable thing to expect to be able to use.
Differential Revision: https://phabricator.services.mozilla.com/D77379
2020-05-29 J.C. Jones <jjones@mozilla.com>
* lib/nss/nss.h, lib/softoken/softkver.h, lib/util/nssutil.h:
Set version numbers to 3.53 final
[7e453a5afcb4] [NSS_3_53_RTM] <NSS_3_53_BRANCH>
2020-05-28 Kevin Jacobs <kjacobs@mozilla.com>
* .hgtags:
Added tag NSS_3_53_BETA2 for changeset 8fe22033a88e
[90c954f62c9d]
Differential Revision: https://phabricator.services.mozilla.com/D77555
To implement filtering client certificates by the acceptable CAs list sent by
servers when they request client certificates, we need the CAs that issued the
client certificates. To that end, this change modifies the macOS backend of
the osclientcerts module to also gather issuing CAs while looking for client
certificates. These certificates will not affect trust decisions in gecko.
Differential Revision: https://phabricator.services.mozilla.com/D74985
There's no use case for stateful comparators, so they can be just plain
function pointers.
This is used in some hot places like CSS selector matching.
Differential Revision: https://phabricator.services.mozilla.com/D77084
This is mostly changes to handle retrieving the security state asynchronously via the parent process, needing lots of async/await additions.
It also removes the docshell mixed content flag checks (which don't seem to be used in code, only tests), which are mostly still covered by checks of the security UI.
Differential Revision: https://phabricator.services.mozilla.com/D75448
This removes all docshell nsISecureBrowserUI and mixed content properties, and moves them into CanonicalBrowsingContext/WindowGlobalParent. It makes the mixed content blocker just compute the state for the current load, and then send the results to the parent process, where we update the security state accordingly.
I think we could in the future remove onSecurityChange entirely, and instead just fire an event to the <browser> element notifying it of changes to the queryable securityUI.
Unfortunately we have a lot of existing code that depends on specific ordering between onSecurityChange and onLocationChange, so I had to hook into the RemoteWebProgress implementation in BrowserParent to mimic the same timings.
Differential Revision: https://phabricator.services.mozilla.com/D75447
This is mostly changes to handle retrieving the security state asynchronously via the parent process, needing lots of async/await additions.
It also removes the docshell mixed content flag checks (which don't seem to be used in code, only tests), which are mostly still covered by checks of the security UI.
Differential Revision: https://phabricator.services.mozilla.com/D75448
This removes all docshell nsISecureBrowserUI and mixed content properties, and moves them into CanonicalBrowsingContext/WindowGlobalParent. It makes the mixed content blocker just compute the state for the current load, and then send the results to the parent process, where we update the security state accordingly.
I think we could in the future remove onSecurityChange entirely, and instead just fire an event to the <browser> element notifying it of changes to the queryable securityUI.
Unfortunately we have a lot of existing code that depends on specific ordering between onSecurityChange and onLocationChange, so I had to hook into the RemoteWebProgress implementation in BrowserParent to mimic the same timings.
Differential Revision: https://phabricator.services.mozilla.com/D75447
We have evidence that some sites have disabled ciphersuites with SHA-1-based
MACs due to attacks against SHA-1 (disregarding the fact that these attacks
don't necessarily apply to HMAC-SHA-1) while still relying on RSA key exchange.
Before this patch, PSM did not enable any ciphersuites with RSA key exchange
and non-SHA-1-based MACs. Consequently, Firefox would be unable to connect to
these sites while other browsers would.
This patch enables TLS_RSA_WITH_AES_128_GCM_SHA256 and
TLS_RSA_WITH_AES_256_GCM_SHA384, which are the only two ciphersuites (other
than grease) that Chrome enables that Firefox did not (before this patch).
Differential Revision: https://phabricator.services.mozilla.com/D76543
2020-05-22 J.C. Jones <jjones@mozilla.com>
* lib/freebl/altivec-types.h, lib/freebl/ppc-crypto.h:
Bug 1629414 - Guard USE_PPC_CRYPTO and VSX types with __VSX__ and
__ALTIVEC__ r=kjacobs
This avoids build errors on non-VSX architectures even when not
compiling the POWER accelerated code.
[c7a1c91cd9be] [tip]
2020-05-21 Jeff Walden <jwalden@mit.edu>
* lib/freebl/aes-x86.c:
Bug 1639033 - Use unsigned int for a loop counter to eliminate a
signed-unsigned comparison warning in aes-x86.c. r=kjacobs
Depends on D75847
[e23fe363fa05]
* lib/freebl/ec.c:
Bug 1639033 - Used unsigned int instead of int in a few places in
ec.c to eliminate signed-unsigned comparison warnings. r=kjacobs
Depends on D75846
[0d778b0e778f]
* lib/freebl/cmac.c:
Bug 1639033 - Use unsigned int rather than int for two variables to
eliminate a bunch of signed-unsigned comparison warnings. r=kjacobs
Depends on D75845
[df5c8f6430a0]
* lib/freebl/mpi/mplogic.c, lib/freebl/mpi/mplogic.h:
Bug 1639033 - Use unsigned int for various count variables in
mplogic.c to eliminate signed-unsigned comparison warnings.
r=kjacobs
Depends on D75844
[ce5b8b7e010c]
* lib/freebl/aeskeywrap.c:
Bug 1639033 - Use size_t for loops up to sizeof(T) in aeskeywrap.c
to eliminate some signed-comparison warnings. r=kjacobs
Depends on D75843
[563a7cd7484b]
* lib/softoken/pkcs11i.h, lib/softoken/sftkike.c:
Bug 1639033 - Change +sftk_xcbc_mac_pad's block-size argument to be
unsigned int to avoid sign-comparison warnings. r=kjacobs
Depends on D75842
[a5f80d0805ca]
2020-05-22 Jeff Walden <jwalden@mit.edu>
* lib/jar/jar.c:
Bug 1639033 - Use the jarType enum type, not int, for certain
variables and arguments in jar.c -- for greater precision, and to
avoid sign-comparison warnings. r=kjacobs
Depends on D75841
[e65dd5c2cf86]
2020-05-19 Jeff Walden <jwalden@mit.edu>
* lib/softoken/pkcs11.c, lib/softoken/pkcs11i.h:
Bug 1639033 - Make all |moduleIndex| variables in pkcs11.c be
unsigned, to eliminate a -Wsign-compare warning. r=kjacobs
Depends on D75840
[6512178a58f5]
* cmd/lib/basicutil.c:
Bug 1639033 - Fix signed-unsigned comparison warning in basicutil.c.
r=kjacobs
[98390eef50a1]
2020-05-22 Martin Thomson <mt@lowentropy.net>
* lib/ssl/sslencode.c:
Bug 1640041 - Don't memcpy nothing, r=jcj
Depends on D76421
[8d7c96ab80a7]
* lib/ssl/sslsock.c:
Bug 1640042 - Don't memcpy nothing, r=jcj
[1a634da46b87]
* gtests/ssl_gtest/ssl_0rtt_unittest.cc,
gtests/ssl_gtest/ssl_recordsep_unittest.cc,
gtests/ssl_gtest/tls_connect.cc, lib/ssl/ssl.h, lib/ssl/ssl3gthr.c,
lib/ssl/sslimpl.h, lib/ssl/sslsock.c, lib/ssl/tls13con.c:
Bug 1639413 - Option to disable TLS 1.3 EndOfEarlyData message,
r=kjacobs
This adds the ability to disable EndOfEarlyData.
On the client this is relatively simple, you just turn the message
off.
The server is complicated because the server uses this to drive the
installation of the right keys. Without it, things get very messy.
Thus, I have decided that this is best left to the
SSL_RecordLayerData interface. That needs an ugly hack in order to
let the new data to pass, but the damage is otherwise relatively
minor, apart from one obvious thing.
We never really built the SSL_RecordLayerData API to take
application data. It only did that to support testing of the
functions. Now that we have to deal with this new wrinkle, adding
support for 0-RTT is necessary. This change does that. That requires
a barrage of new checks to see if application data is acceptable.
And then early data is captured in a completely different way, which
adds another layer of awfulness.
Note that this exposes us to the possibility that Certificate or
Finished are received in early data when using SSL_RecordLayerData
and this option. I don't think that fixing that is worthwhile as it
requires tracking the epoch of handshake messages separate to
ss->ssl3.crSpec and the epoch only really exists on that API so that
applications don't accidentally do bad things. In QUIC, we
specifically block handshake messages in early data, so we have
ample protection.
[10325739e149]
Differential Revision: https://phabricator.services.mozilla.com/D76572
This matches how the `Dispatch(already_AddRefed<nsIRunnable>)`
overloads work in C++: `Dispatch` takes ownership of the runnable, and
leaks it if dispatch fails—because the thread manager is shutting down,
for instance. This avoids a race where a runnable can be released on
either the owning or target thread.
Rust doesn't allow arbitrary `Self` types yet (see
rust-lang/rust#44874), so we need to change `dispatch` and
`dispatch_with_options` to be associated methods.
Differential Revision: https://phabricator.services.mozilla.com/D75858
This function ought to be declared by `winapi`, but is not, for whatever
reason. However, its definition is stable enough that we can just
declare it inline rather than invoking bindgen every single build (and
unnecessarily compiling a build script on non-windows platforms) to
discover its definition for us.
Differential Revision: https://phabricator.services.mozilla.com/D76015
2020-05-19 Robert Relyea <rrelyea@redhat.com>
* lib/freebl/dsa.c:
Bug 1631576 - Force a fixed length for DSA exponentiation
r=pereida,bbrumley
[daa823a4a29b] [tip]
2020-05-14 Benjamin Beurdouche <bbeurdouche@mozilla.com>
* lib/freebl/Makefile, lib/freebl/deprecated/seed.c,
lib/freebl/deprecated/seed.h, lib/freebl/freebl.gyp,
lib/freebl/freebl_base.gypi, lib/freebl/seed.c, lib/freebl/seed.h:
Bug 1636389 - Relocate deprecated seed algorithm. r=kjacobs
[d2cfb4ccdf16]
2020-05-14 Jan-Marek Glogowski <glogow@fbihome.de>
* automation/taskcluster/scripts/split.sh, lib/Makefile,
lib/manifest.mn:
Bug 1637083 fix the lib dependencies for the split build
r=jcj,rrelyea
This build can be tested by running NSS_BUILD_MODULAR=1
nss/automation/taskcluster/scripts/build.sh from a directory
containing the nss and nspr repositories.
To make this build's make conditionals easier to handle, it also
merges the manifest.mn into the Makefile, because parts of the
conditionals depends on $(OS_ARCH) setting.
In the end, the goal is just to set the correct build $(DIRS).
This also drops the freebl dependeny of ssl, which seems not to be
needed, even if it's declared in /lib/ssl/ssl.gyp.
[789d7241e1f0]
2020-05-13 Jan-Marek Glogowski <glogow@fbihome.de>
* coreconf/rules.mk, lib/ckfw/builtins/manifest.mn,
lib/ckfw/manifest.mn, manifest.mn:
Bug 1637083 Replace pre-dependency with shell hack r=rrelyea
Originally I tried multiple variants using make's conditionals to
limit DIRS and enforce building the parent directory before the sub-
directory. None of them worked for me, most resulting in an infinite
recursion, so I used the current pre-depends workaround to fulfill
the real dependency.
Now I remembered that automake can handle this case for SUBDIRS
specifying "." as a directory. The generated Makefile handles it via
shell scripting; not nice, but it works.
So this gets rid of the workaround, replacing it with a small shell
test.
[744881490c78]
Differential Revision: https://phabricator.services.mozilla.com/D76050
2020-05-12 Kevin Jacobs <kjacobs@mozilla.com>
* gtests/freebl_gtest/mpi_unittest.cc:
Bug 1561331 - Additional modular inverse test r=jcj
[e2061fe522f5] [tip]
2020-05-08 Jan-Marek Glogowski <glogow@fbihome.de>
* coreconf/rules.mk, lib/ckfw/builtins/Makefile,
lib/ckfw/builtins/testlib/Makefile, lib/ckfw/capi/Makefile,
lib/dev/Makefile, lib/freebl/Makefile, lib/pk11wrap/Makefile,
lib/softoken/Makefile:
Bug 1629553 Use order-prereq for $(MAKE_OBJDIR) r=rrelyea
Introduces a simple "%/d" rule to create directories using
$(MAKE_OBJDIR) and replace all explicit $(MAKE_OBJDIR) calls with an
order-only-prerequisites.
To expand the $(@D) prerequisite, this needs .SECONDEXPANSION.
[c3f11da5acfc]
2020-05-05 Jan-Marek Glogowski <glogow@fbihome.de>
* coreconf/IRIX.mk, coreconf/OS2.mk, coreconf/README,
coreconf/SunOS4.1.3_U1.mk, coreconf/SunOS5.mk, coreconf/UNIX.mk,
coreconf/WIN32.mk, coreconf/config.mk, coreconf/location.mk,
coreconf/mkdepend/Makefile, coreconf/mkdepend/cppsetup.c,
coreconf/mkdepend/def.h, coreconf/mkdepend/ifparser.c,
coreconf/mkdepend/ifparser.h, coreconf/mkdepend/imakemdep.h,
coreconf/mkdepend/include.c, coreconf/mkdepend/main.c,
coreconf/mkdepend/mkdepend.man, coreconf/mkdepend/parse.c,
coreconf/mkdepend/pr.c, coreconf/rules.mk:
Bug 1438431 Remove mkdepend tool and targets r=rrelyea
[6c5f91e098a1]
* coreconf/README, coreconf/rules.mk:
Bug 1629553 Drop duplicate header DIR variables r=rrelyea
[d1f954627260]
* coreconf/OpenUNIX.mk, coreconf/README, coreconf/SCO_SV3.2.mk,
coreconf/config.mk, coreconf/cpdist.pl, coreconf/import.pl,
coreconf/jdk.mk, coreconf/jniregen.pl, coreconf/module.mk,
coreconf/outofdate.pl, coreconf/release.pl, coreconf/rules.mk,
coreconf/ruleset.mk, coreconf/source.mk, coreconf/version.mk:
Bug 1629553 Drop coreconf java support r=rrelyea
There aren't an Java sources in NSS, so just drop all the stuff
referencing java, jars, jni, etc.
I didn't try to remove it from tests.
[7d285fe69c8c]
* cmd/crmf-cgi/Makefile, cmd/crmf-cgi/config.mk,
cmd/crmftest/Makefile, cmd/crmftest/config.mk, cmd/lib/Makefile,
cmd/lib/config.mk, cmd/lib/manifest.mn, cmd/libpkix/config.mk,
cmd/libpkix/perf/Makefile, cmd/libpkix/perf/manifest.mn,
cmd/libpkix/pkix/Makefile, cmd/libpkix/pkix/certsel/Makefile,
cmd/libpkix/pkix/certsel/manifest.mn,
cmd/libpkix/pkix/checker/Makefile,
cmd/libpkix/pkix/checker/manifest.mn,
cmd/libpkix/pkix/crlsel/Makefile,
cmd/libpkix/pkix/crlsel/manifest.mn,
cmd/libpkix/pkix/params/Makefile,
cmd/libpkix/pkix/params/manifest.mn,
cmd/libpkix/pkix/results/Makefile,
cmd/libpkix/pkix/results/manifest.mn,
cmd/libpkix/pkix/store/Makefile, cmd/libpkix/pkix/store/manifest.mn,
cmd/libpkix/pkix/top/Makefile, cmd/libpkix/pkix/top/manifest.mn,
cmd/libpkix/pkix/util/Makefile, cmd/libpkix/pkix/util/manifest.mn,
cmd/libpkix/pkix_pl/Makefile, cmd/libpkix/pkix_pl/module/Makefile,
cmd/libpkix/pkix_pl/module/manifest.mn,
cmd/libpkix/pkix_pl/pki/Makefile,
cmd/libpkix/pkix_pl/pki/manifest.mn,
cmd/libpkix/pkix_pl/system/Makefile,
cmd/libpkix/pkix_pl/system/manifest.mn,
cmd/libpkix/testutil/manifest.mn, cpputil/Makefile,
cpputil/config.mk, cpputil/manifest.mn, lib/base/Makefile,
lib/base/config.mk, lib/base/manifest.mn, lib/certdb/Makefile,
lib/certdb/config.mk, lib/certdb/manifest.mn, lib/certhigh/Makefile,
lib/certhigh/config.mk, lib/certhigh/manifest.mn, lib/ckfw/Makefile,
lib/ckfw/builtins/Makefile, lib/ckfw/builtins/config.mk,
lib/ckfw/builtins/manifest.mn, lib/ckfw/builtins/testlib/Makefile,
lib/ckfw/builtins/testlib/config.mk,
lib/ckfw/builtins/testlib/manifest.mn, lib/ckfw/capi/Makefile,
lib/ckfw/capi/config.mk, lib/ckfw/capi/manifest.mn,
lib/ckfw/config.mk, lib/ckfw/dbm/Makefile, lib/ckfw/dbm/config.mk,
lib/ckfw/dbm/manifest.mn, lib/ckfw/manifest.mn, lib/crmf/Makefile,
lib/crmf/config.mk, lib/crmf/manifest.mn, lib/cryptohi/Makefile,
lib/cryptohi/config.mk, lib/cryptohi/manifest.mn,
lib/dbm/src/config.mk, lib/dbm/src/manifest.mn, lib/dev/Makefile,
lib/dev/config.mk, lib/dev/manifest.mn, lib/jar/Makefile,
lib/jar/config.mk, lib/jar/manifest.mn, lib/libpkix/Makefile,
lib/libpkix/config.mk, lib/libpkix/include/Makefile,
lib/libpkix/include/config.mk, lib/libpkix/pkix/Makefile,
lib/libpkix/pkix/certsel/Makefile,
lib/libpkix/pkix/certsel/config.mk,
lib/libpkix/pkix/certsel/manifest.mn,
lib/libpkix/pkix/checker/Makefile,
lib/libpkix/pkix/checker/config.mk,
lib/libpkix/pkix/checker/manifest.mn, lib/libpkix/pkix/config.mk,
lib/libpkix/pkix/crlsel/Makefile, lib/libpkix/pkix/crlsel/config.mk,
lib/libpkix/pkix/crlsel/manifest.mn,
lib/libpkix/pkix/params/Makefile, lib/libpkix/pkix/params/config.mk,
lib/libpkix/pkix/params/manifest.mn,
lib/libpkix/pkix/results/Makefile,
lib/libpkix/pkix/results/config.mk,
lib/libpkix/pkix/results/manifest.mn,
lib/libpkix/pkix/store/Makefile, lib/libpkix/pkix/store/config.mk,
lib/libpkix/pkix/store/manifest.mn, lib/libpkix/pkix/top/Makefile,
lib/libpkix/pkix/top/config.mk, lib/libpkix/pkix/top/manifest.mn,
lib/libpkix/pkix/util/Makefile, lib/libpkix/pkix/util/config.mk,
lib/libpkix/pkix/util/manifest.mn, lib/libpkix/pkix_pl_nss/Makefile,
lib/libpkix/pkix_pl_nss/config.mk,
lib/libpkix/pkix_pl_nss/module/Makefile,
lib/libpkix/pkix_pl_nss/module/config.mk,
lib/libpkix/pkix_pl_nss/module/manifest.mn,
lib/libpkix/pkix_pl_nss/pki/Makefile,
lib/libpkix/pkix_pl_nss/pki/config.mk,
lib/libpkix/pkix_pl_nss/pki/manifest.mn,
lib/libpkix/pkix_pl_nss/system/Makefile,
lib/libpkix/pkix_pl_nss/system/config.mk,
lib/libpkix/pkix_pl_nss/system/manifest.mn, lib/pk11wrap/Makefile,
lib/pk11wrap/config.mk, lib/pk11wrap/manifest.mn,
lib/pkcs12/Makefile, lib/pkcs12/config.mk, lib/pkcs12/manifest.mn,
lib/pkcs7/Makefile, lib/pkcs7/config.mk, lib/pkcs7/manifest.mn,
lib/pki/Makefile, lib/pki/config.mk, lib/pki/manifest.mn,
lib/sqlite/Makefile, lib/sysinit/Makefile, lib/util/Makefile,
lib/zlib/Makefile, lib/zlib/config.mk, lib/zlib/manifest.mn:
Bug 1629553 Merge simple config.mk files r=rrelyea
There is really no good reason to explicitly change the TARGET
variable. And the empty SHARED_LIBRARY variable should also be in
the manifest.mn to begin with.
All the other empty variables start empty or undefined, so there is
also no need to explicitly set them empty.
[dc1ef0faf4a6]
* cmd/libpkix/testutil/config.mk, coreconf/OS2.mk, coreconf/WIN32.mk,
coreconf/ruleset.mk, coreconf/suffix.mk, gtests/common/Makefile,
gtests/common/manifest.mn, gtests/google_test/Makefile,
gtests/google_test/manifest.mn, gtests/pkcs11testmodule/Makefile,
gtests/pkcs11testmodule/config.mk,
gtests/pkcs11testmodule/manifest.mn, lib/ckfw/builtins/config.mk,
lib/ckfw/builtins/manifest.mn, lib/ckfw/builtins/testlib/config.mk,
lib/ckfw/capi/config.mk, lib/ckfw/capi/manifest.mn,
lib/freebl/config.mk, lib/nss/config.mk, lib/nss/manifest.mn,
lib/smime/config.mk, lib/smime/manifest.mn, lib/softoken/config.mk,
lib/softoken/legacydb/config.mk, lib/softoken/legacydb/manifest.mn,
lib/softoken/manifest.mn, lib/sqlite/config.mk,
lib/sqlite/manifest.mn, lib/ssl/config.mk, lib/ssl/manifest.mn,
lib/sysinit/config.mk, lib/sysinit/manifest.mn, lib/util/config.mk,
lib/util/manifest.mn:
Bug 1629553 Rework the LIBRARY_NAME ruleset r=rrelyea
* Drop the WIN% "32" default DLL suffix
* Add default resource file handling => drop default RES
* Generate IMPORT_LIBRARY based on IMPORT_LIB_SUFFIX and
SHARED_LIBRARY, so we can drop all the explicit empty IMPORT_LIBRARY
lines
Originally this patch also tried to add a default MAPFILE rule, but
this fails, because the ARCH makefiles set linker flags based on an
existing MAPFILE variable.
[877d721d93cd]
* coreconf/rules.mk:
Bug 1629553 Use an eval template for C++ compile rules r=rrelyea
These pattern rules already had a comment to keep both in sync, so
just use an eval template to enforce this.
[9b628d9c57e5]
* lib/freebl/Makefile:
Bug 1629553 Use an eval template for freebl libs r=rrelyea
[71dd05b782e4]
* coreconf/rules.mk:
Bug 1629553 Use an eval template for export targets r=rrelyea
[45db681898be]
* lib/pk11wrap/manifest.mn, lib/pk11wrap/pk11load.c,
lib/pk11wrap/pk11wrap.gyp:
Bug 1629553 Prefix pk11wrap (SHLIB|LIBRARY)_VERSION with NSS_
r=rrelyea
In the manifest.mn the LIBRARY_VERSION is normally used to define
the major version of the build shared library. This ust works for
the pk11wrap case, because pk11wrap is a static library. But it's
still very confusing when reading the manifest.mn. Also the
referenced define in the code is just named SHLIB_VERSION.
So this prefixes the defines and the variables with NSS_, because it
tries to load the NSS library, just as the SOFTOKEN_.*_VERSION is
used to load the versioned softokn library.
[cbb737bc6c0c]
* Makefile, cmd/Makefile, cmd/shlibsign/Makefile,
cmd/smimetools/rules.mk, coreconf/rules.mk, gtests/manifest.mn,
lib/freebl/Makefile, lib/manifest.mn, manifest.mn:
Bug 290526 Drop double-colon usage and add directory depends
r=rrelyea
Double-colon rule behaviour isn't really compatible with parallel
build. This gets rid of all of them, so we can codify the directory
dependencies.
This leaves just three problems, which aren't really fixable with
the current build system without completely replacing it:
* everything depends on nsinstall
* everything depends on installed headers
* ckfw child directories depend on the build parent libs
This is handled by the prepare_build target.
Overall this allows most if the build to run in parallel.
P.S. the release_md:: has to stay :-( P.P.S. no clue, why freebl
must use libs: instead of using the TARGETS and .PHONY variables
[f3a0ef69c056]
* coreconf/WIN32.mk, gtests/certdb_gtest/manifest.mn,
gtests/common/Makefile, gtests/google_test/Makefile,
gtests/google_test/manifest.mn, gtests/pkcs11testmodule/Makefile:
Bug 290526 Fix gtests build for WIN% targets r=rrelyea
The google_test gtest build doesn't provide any exports for the
shared library on Windows and the gyp build also builds just a
static library. So build gtest and gtestutil libraries as static.
For whatever reason, the Windows linker doesn't find the main
function inside the gtestutil library, if we don't tell it to build
a console executable. But linking works fine, if the object file is
used directly. But since we can have different main() objects based
on build flags, we enforce building console applications binaries.
[a82a55886c1d]
* cmd/bltest/manifest.mn, cmd/chktest/manifest.mn, cmd/crmf-
cgi/manifest.mn, cmd/crmftest/manifest.mn, cmd/fipstest/manifest.mn,
cmd/lib/Makefile, cmd/libpkix/testutil/Makefile,
cmd/lowhashtest/manifest.mn, cmd/modutil/manifest.mn,
cmd/pk11gcmtest/manifest.mn, cmd/pk11mode/manifest.mn,
cmd/rsapoptst/manifest.mn, cmd/signtool/manifest.mn,
cmd/ssltap/manifest.mn, coreconf/README, coreconf/rules.mk,
cpputil/manifest.mn, gtests/google_test/manifest.mn,
gtests/pkcs11testmodule/Makefile, lib/base/Makefile,
lib/certdb/Makefile, lib/certhigh/Makefile, lib/ckfw/Makefile,
lib/crmf/Makefile, lib/cryptohi/Makefile, lib/dbm/include/Makefile,
lib/dev/Makefile, lib/dev/manifest.mn, lib/freebl/Makefile,
lib/libpkix/Makefile, lib/libpkix/include/Makefile,
lib/libpkix/include/manifest.mn, lib/libpkix/pkix/Makefile,
lib/libpkix/pkix/certsel/Makefile,
lib/libpkix/pkix/certsel/manifest.mn,
lib/libpkix/pkix/checker/Makefile,
lib/libpkix/pkix/checker/manifest.mn,
lib/libpkix/pkix/crlsel/Makefile,
lib/libpkix/pkix/crlsel/manifest.mn,
lib/libpkix/pkix/params/Makefile,
lib/libpkix/pkix/params/manifest.mn,
lib/libpkix/pkix/results/Makefile,
lib/libpkix/pkix/results/manifest.mn,
lib/libpkix/pkix/store/Makefile, lib/libpkix/pkix/store/manifest.mn,
lib/libpkix/pkix/top/Makefile, lib/libpkix/pkix/top/manifest.mn,
lib/libpkix/pkix/util/Makefile, lib/libpkix/pkix/util/manifest.mn,
lib/libpkix/pkix_pl_nss/Makefile,
lib/libpkix/pkix_pl_nss/module/Makefile,
lib/libpkix/pkix_pl_nss/module/manifest.mn,
lib/libpkix/pkix_pl_nss/pki/Makefile,
lib/libpkix/pkix_pl_nss/pki/manifest.mn,
lib/libpkix/pkix_pl_nss/system/Makefile,
lib/libpkix/pkix_pl_nss/system/manifest.mn, lib/nss/Makefile,
lib/pk11wrap/Makefile, lib/pki/Makefile, lib/pki/manifest.mn,
lib/softoken/Makefile, lib/softoken/legacydb/Makefile,
lib/sqlite/Makefile, lib/sqlite/manifest.mn, lib/ssl/Makefile,
lib/util/Makefile, lib/zlib/Makefile:
Bug 290526 Drop recursive private_exports r=rrelyea
Copying private headers is now simply included in the exports
target, as these headers use an extra directory anyway.
[989ecbd870f3]
* Makefile, cmd/shlibsign/Makefile, coreconf/Makefile,
coreconf/README, coreconf/nsinstall/Makefile, coreconf/rules.mk,
coreconf/ruleset.mk, lib/Makefile, lib/ckfw/Makefile:
Bug 290526 Parallelize part of the NSS build r=rrelyea
This still serializes many targets, but at least these targets
themself run their build in parallel. The main serialization happens
in nss/Makefile and nss/coreconf/rules.mk's all target.
We can't add these as real dependencies, as all Makefile snippets
use the same variable names. I tried to always run sub-makes to hack
in the depndencies, but these don't know of each other, so targets
very often run twice, and this breaks the build.
Having a tests:: target and a tests directory leads to misery (and
doesn't work), so it's renamed to check.
This just works with NSS_DISABLE_GTESTS=1 specified and is fixed by
a follow up patch, which removes the double-colon usage and adds the
directory dependencies!
[5d0bfa092e0f]
* coreconf/UNIX.mk, coreconf/WIN32.mk, coreconf/mkdepend/Makefile,
coreconf/nsinstall/Makefile, coreconf/ruleset.mk:
Bug 290526 Don't delete directories r=rrelyea
If these files exist and aren't directories, there might be other
problems. Trying to "fix" them by removing will break the build.
[fb377d36262d]
* coreconf/rules.mk:
Bug 290526 Handle empty install variables r=rrelyea
Originally I added the install commands to the individual build
targets. But this breaks the incremental build, because there is
actually no dependency for the install. But it turns out, that in
the end it's enough to ignore empty defined variables, so just do
this.
[585942b1d556]
* coreconf/rules.mk:
Bug 290526 Handle parallel PROGRAM and PROGRAMS r=rrelyea
I have no real clue, why PROGRAMS is actually working in the
sequence build. There is no special make code really handling it,
except for the install target.
This patches code is inspired by the $(eval ...) example in the GNU
make documentation. It generates a program specific make target and
maps the programs objects based on the defined variables.
[d30a6953b897]
Differential Revision: https://phabricator.services.mozilla.com/D75385
To implement filtering client certificates by the acceptable CAs list sent by
servers when they request client certificates, we need the CAs that issued the
client certificates. To that end, this change modifies the Windows backend of
the osclientcerts module to also gather issuing CAs while looking for client
certificates. These certificates will not affect trust decisions in gecko.
Differential Revision: https://phabricator.services.mozilla.com/D74719
This removes processing of HTTP Public Key Pinning headers, remotely modifying
pinning information, and using cached pinning information, all of which was
already disabled in bug 1412438. Static pins that ship with the browser are
still enforced.
Differential Revision: https://phabricator.services.mozilla.com/D73352
Passing Cr.ERROR to an Error constructor is incorrect since it just sets the
message of the error to the integer value of the Cr.ERROR. Cr.ERRORs need to be
used as the second argument to Component.Exception to correctly construct an
Exception object with its result property set to the Cr.ERROR value.
This was done automatically by an expansion of the new
mozilla/no-throw-cr-literal eslint rule that will be introduced in the next
commit.
Differential Revision: https://phabricator.services.mozilla.com/D28075
2020-05-01 J.C. Jones <jjones@mozilla.com>
* lib/nss/nss.h, lib/softoken/softkver.h, lib/util/nssutil.h:
Set version numbers to 3.52 final
[befc258c4336] [NSS_3_52_RTM] <NSS_3_52_BRANCH>
2020-04-30 Kevin Jacobs <kjacobs@mozilla.com>
* .hgtags:
Added tag NSS_3_52_BETA2 for changeset bb4462a16de8
[c5d002af1d61]
Differential Revision: https://phabricator.services.mozilla.com/D73512
2020-05-01 J.C. Jones <jjones@mozilla.com>
* lib/nss/nss.h, lib/softoken/softkver.h, lib/util/nssutil.h:
Set version numbers to 3.52 final
[befc258c4336] [NSS_3_52_RTM] <NSS_3_52_BRANCH>
2020-04-30 Kevin Jacobs <kjacobs@mozilla.com>
* .hgtags:
Added tag NSS_3_52_BETA2 for changeset bb4462a16de8
[c5d002af1d61]
Differential Revision: https://phabricator.services.mozilla.com/D73512
2020-04-30 zhujianwei7 <zhujianwei7@huawei.com>
* lib/smime/cmssigdata.c:
Bug 1630925 - Guard all instances of NSSCMSSignedData.signerInfos
r=kjacobs
[bb4462a16de8] [NSS_3_52_BETA2]
2020-04-30 Kevin Jacobs <kjacobs@mozilla.com>
* gtests/pk11_gtest/pk11_seed_cbc_unittest.cc, lib/freebl/seed.c,
lib/freebl/seed.h:
Bug 1619959 - Properly handle multi-block SEED ECB inputs.
r=bbeurdouche,jcj
[d67517e92371]
2020-04-28 Kevin Jacobs <kjacobs@mozilla.com>
* .hgtags:
Added tag NSS_3_52_BETA1 for changeset 0b30eb1c3650
[11415c3334ab]
2020-04-24 Robert Relyea <rrelyea@redhat.com>
* lib/libpkix/pkix_pl_nss/pki/pkix_pl_cert.c:
Bug 1571677 Name Constraints validation: CN treated as DNS name even
when syntactically invalid as DNS name r=mt
This patch makes libpkix treat name contraints the same the NSS cert
verifier. This proposal available for review for 9 months without
objection.
Time to make this official
[0b30eb1c3650] [NSS_3_52_BETA1]
2020-04-27 Edouard Oger <eoger@fastmail.com>
* lib/freebl/blinit.c:
Bug 1633498 - Do not define getauxval on iOS targets. r=jcj
[7b5e3b9fbc7d]
2020-04-27 Robert Relyea <rrelyea@redhat.com>
* lib/softoken/sftkike.c:
Bug 1629663 NSS missing IKEv1 Quick Mode KDF prf r=kjacobs
Fix possible free before alloc error found by kjacobs
[7f91e3dcfb9b]
2020-04-20 Robert Relyea <rrelyea@redhat.com>
* lib/softoken/pkcs11.c, lib/softoken/pkcs11c.c,
lib/softoken/pkcs11i.h, lib/softoken/sftkike.c, lib/util/pkcs11n.h:
Bug 1629663 NSS missing IKEv1 Quick Mode KDF prf r=kjacobs
We found another KDF function in libreswan that is not using the NSS
KDF API.
Unfortunately, it seems the existing IKE KDF's in NSS are not usable
for the Quick Mode use.
The libreswan code is in compute_proto_keymat() and the
specification is in https://tools.ietf.org/html/rfc2409#section-5.5
It needs:
KEYMAT = prf(SKEYID_d, [g(qm)^xy ] | protocol | SPI | Ni_b | Nr_b).
which an be thought of as: KEYMAT = prf(KEY, [KEY] | BYTES)
but with the kicker that it also does multiple rounds aka key
expansion: KEYMAT = K1 | K2 | K3 | ...
where
K1 = prf(KEY, [KEY] | BYTES) K2 = prf(KEY, K1 | [KEY] | BYTES) K3 =
prf(KEY, K1 | [KEY] | BYTES) etc.
to generate the needed keying material >PRF size
This patch implements this by extendind the Appendix B Mechanism to
take and optional key and data in a new Mechanism parameter
structure. Which flavor is used (old CK_MECHANISM_TYPE or the new
parameter) is determined by the mechanism parameter lengths.
Application which try to use this new feature on old versions of NSS
will get an error (rather than invalid data).
[225bb39eade1]
Differential Revision: https://phabricator.services.mozilla.com/D73383
When the browser process starts a sandbox process, we copy the executable's IAT
for ntdll.dll into the new process to prevent DLL injection via IAT tampering as
the launcher process does. However, if IAT has been modified by a module injected
via `SetWindowHookEx`, the browser process cannot copy IAT because a modified IAT
is invalid in a different process, failing to start any sandbox processes.
The proposed fix is to cache IAT before COM initialization which may load
modules via `SetWindowHookEx` for the first time in the process.
Differential Revision: https://phabricator.services.mozilla.com/D73303
mozilla::pkix treats the id-kp-OCSPSigning extended key usage as forbidden
unless specifically required. Client authentication certificate filtering in
gecko uses mozilla::pkix, so before this patch, certificates with this EKU would
be filtered out. Normally this is correct, because client authentication
certificates should never have this EKU. However, there is at least one private
PKI where client certificates have this EKU. For interoperability, this patch
works around this restriction by falling back to requiring id-kp-OCSPSigning if
path building initially fails.
Differential Revision: https://phabricator.services.mozilla.com/D72760
2020-04-24 Kevin Jacobs <kjacobs@mozilla.com>
* automation/abi-check/expected-report-libnss3.so.txt,
gtests/softoken_gtest/softoken_gtest.cc, lib/nss/nss.def,
lib/pk11wrap/pk11obj.c, lib/pk11wrap/pk11pub.h, lib/softoken/sdb.c:
Bug 1612881 - Maintain PKCS11 C_GetAttributeValue semantics on
attributes that lack NSS database columns r=keeler,rrelyea
`sdb_GetAttributeValueNoLock` builds a query string from a list of
attributes in the input template. Unfortunately,
`sqlite3_prepare_v2` will fail the entire query if one of the
attributes is missing from the underlying table. The PKCS #11 spec
[[ https://www.cryptsoft.com/pkcs11doc/v220/pkcs11__all_8h.html#aC_G
etAttributeValue | requires ]] setting the output `ulValueLen` field
to -1 for such invalid attributes.
This patch reads and stores the columns of nssPublic/nssPrivate when
opened, then filters an input template in
`sdb_GetAttributeValueNoLock` for unbacked/invalid attributes,
removing them from the query and setting their template output
lengths to -1.
[aae226c20dfd] [tip]
2020-04-23 Kevin Jacobs <kjacobs@mozilla.com>
* lib/ssl/sslnonce.c:
Bug 1531906 - Relax ssl3_SetSIDSessionTicket assertions to permit
valid, evicted or externally-cached sids. r=mt
This patch relaxes an overzealous assertion for the case where: 1)
Two sockets start connections with a shared SID. 2) One receives an
empty session ticket in the SH, and evicts the SID from cache. 3)
The second socket receives a new session ticket, and attempts to set
it in the SID.
We currently assert that the sid is `in_client_cache` at 3), but
clearly it cannot be. The outstanding reference remains valid
despite the eviction.
This also solves a related assertion failure after
https://hg.mozilla.org/mozilla-central/rev/c5a8b641d905 where the
same scenario occurs, but instead of being `in_client_cache` or
evicted, the SID is `in_external_cache`.
[a68de0859582]
2020-04-16 Robert Relyea <rrelyea@redhat.com>
* gtests/common/testvectors/kwp-vectors.h,
gtests/pk11_gtest/manifest.mn,
gtests/pk11_gtest/pk11_aeskeywrapkwp_unittest.cc,
gtests/pk11_gtest/pk11_gtest.gyp, lib/freebl/aeskeywrap.c,
lib/freebl/blapi.h, lib/freebl/blapit.h, lib/freebl/hmacct.c,
lib/freebl/ldvector.c, lib/freebl/loader.c, lib/freebl/loader.h,
lib/pk11wrap/pk11mech.c, lib/softoken/lowpbe.c,
lib/softoken/pkcs11.c, lib/softoken/pkcs11c.c,
lib/softoken/pkcs11i.h, lib/softoken/pkcs11u.c, lib/ssl/ssl3con.c,
lib/util/secport.h:
Bug 1630721 Softoken Functions for FIPS missing r=mt
For FIPS we need the following:
1. NIST official Key padding for AES Key Wrap. 2. Combined
Hash/Sign mechanisms for DSA and ECDSA.
In the first case our AES_KEY_WRAP_PAD function addes pkcs8 padding
to the normal AES_KEY_WRAP, which is a different algorithm then the
padded key wrap specified by NIST. PKCS #11 recognized this and
created a special mechanism to handle NIST padding. That is why we
don't have industry test vectors for CKM_NSS_AES_KEY_WRAP_PAD. This
patch implements that NIST version (while maintaining our own). Also
PKCS #11 v3.0 specified PKCS #11 mechanism for AES_KEY_WRAP which
are compatible (semantically) with the NSS vendor specific versions,
but with non-vendor specific numbers. Softoken now accepts both
numbers.
This patch also updates softoken to handle DSA and ECDSA combined
hash algorithms other than just SHA1 (which is no longer validated).
Finally this patch uses the NIST KWP test vectors in new gtests for
the AES_KEY_WRAP_KWP wrapping algorithm.
As part of the AES_KEY_WRAP_KWP code, the Constant time macros have
been generalized and moved to secport. Old macros scattered
throughout the code have been deleted and existing contant time code
has been updated to use the new macros.
[3682d5ef3db5]
2020-04-21 Lauri Kasanen <cand@gmx.com>
* lib/freebl/Makefile, lib/freebl/freebl.gyp,
lib/freebl/freebl_base.gypi, lib/freebl/gcm.h, lib/freebl/ppc-
crypto.h, lib/freebl/scripts/LICENSE, lib/freebl/scripts/gen.sh,
lib/freebl/scripts/ppc-xlate.pl, lib/freebl/scripts/sha512p8-ppc.pl,
lib/freebl/sha512-p8.s, lib/freebl/sha512.c:
Bug 1613238 - POWER SHA-2 digest vector acceleration. r=jcj,kjacobs
[2d66bd9dcad4]
2020-04-18 Robert Relyea <rrelyea@redhat.com>
* coreconf/Linux.mk, coreconf/config.gypi, lib/softoken/sdb.c:
Bug 1603801 [patch] Avoid dcache pollution from sdb_measureAccess()
r=mt
As implemented, when sdb_measureAccess() runs it creates up to
10,000 negative dcache entries (cached nonexistent filenames).
There is no advantage to leaving these particular filenames in the
cache; they will never be searched again. Subsequent runs will run a
new test with an intentionally different set of filenames. This can
have detrimental effects on some systems; a massive negative dcache
can lead to memory or performance problems.
Since not all platforms have a problem with negative dcache entries,
this patch is limitted to those platforms that request it at
compilie time (Linux is current the only patch that does.)
[928721f70164]
2020-04-16 Kevin Jacobs <kjacobs@mozilla.com>
* coreconf/config.gypi:
Bug 1630458 - Produce debug symbols in GYP/MSVC debug builds. r=mt
[25006e23a777]
2020-04-13 Robert Relyea <rrelyea@redhat.com>
* lib/ckfw/object.c, lib/ckfw/session.c:
Bug 1629655 ckfw needs to support temporary session objects.
r=kjacobs
libckfw needs to create temporary objects whose space will to be
freed after use (rather than at token shutdown). Currently only
token objects are supported and they are allocated out of a global
arena owned by the slot, so the objects only go away when the slot
is closed.
This patch sets the arena to NULL in nssCKFWObject_Create() if the
object is a session object. This tells nssCKFWObject_Create() to
create a new arena specifically for this object. That arena is
stored in localArena. When the object is destroyed, any localArena's
will be freed.
[808ec0e6fd77]
2020-04-14 Robert Relyea <rrelyea@redhat.com>
* cmd/selfserv/selfserv.c, lib/ssl/sslsnce.c, tests/ssl/ssl.sh:
Bug 1629661 MPConfig calls in SSL initializes policy before NSS is
initialized. r=mt
NSS has several config functions that multiprocess servers must call
before NSS is initialized to set up shared memory caches between the
processes. These functions call ssl_init(), which initializes the
ssl policy. The ssl policy initialization, however needs to happen
after NSS itself is initialized. Doing so before hand causes (in the
best case) policy to be ignored by these servers, and crashes (in
the worst case).
Instead, these cache functions should just initialize those things
it needs (that is the NSPR ssl error codes).
This patch does: 1) fixes the cache init code to only initialize
error codes. 2) fixes the selfserv MP code to 1) be compatible with
ssl.sh's selfserv management (at least on Unix), and 2) mimic the
way real servers handle the MP_Cache init code (calling NSS_Init
after the cache set up). 3) update ssl.sh server policy test to test
policy usage on an MP server. This is only done for non-windows like
OS's because they can't catch the kill signal to force their
children to shutdown.
I've verified that the test fails if 2 and 3 are included but 1 is
not (and succeeds if all three are included).
[a252957a3805]
Differential Revision: https://phabricator.services.mozilla.com/D72409
Importing security.h introduced namespace collisions so I removed the `using namespace mozilla;` and replaced it with specific names.
Differential Revision: https://phabricator.services.mozilla.com/D72422
One attempt will still be used by the blank password auth attempt. This does not completely fix the problem in this case but will allow a user to continue attempting until their account is locked out now.
Differential Revision: https://phabricator.services.mozilla.com/D71811
Unfortunately, since the new ecdsa library has a different interface and slightly different inner workings compared to the old PyECC library, the changes to support this update are not trivial. Luckily the ecdsa library is extensible enough to allow us to adjust the library's functionality with function parameters rather than monkey-patching, as we were doing with the previous version of the code. All of these interface changes are in addition to the normal rote Python 3 updates. This was tested by running a build with and without this patch and ensuring there were no unexpected diffs.
Differential Revision: https://phabricator.services.mozilla.com/D70117
CHECK_FORK_GETPID was useful back when Android didn't support pthread_atfork, which it has since at least ICS (API 14 or 15), and Fennec has required API 16 for a while now.
Moreover, softoken.h also defines CHECK_FORK_PTHREAD on its own, and pkcs11.c initialization code prioritizes CHECK_FORK_PTHREAD, while the finalization code prioritizes CHECK_FORK_GETPID, such that reinitialization was never possible.
Differential Revision: https://phabricator.services.mozilla.com/D67940
When sending a client certificate to a server in a TLS handshake, one of the
certificates in the chain should be issued by one of the issuers indicated in
the server's certificate_authorities list in the certificate request message.
The client auth data callback doesn't provide a way to specify this chain
directly - NSS builds it itself. This means that certificates known to gecko
but not NSS won't be included in the chain. This patch stashes the necessary
certificates temporarily so that NSS can find them and send them to the server.
Differential Revision: https://phabricator.services.mozilla.com/D71368
'ANDROID means "the linux flavor used by Android, with bionic", while
MOZ_WIDGET_ANDROID identifies the UI toolkit used. Both are defined for
GeckoView, but other products like b2g only define ANDROID because they use
another widget layer.'
Differential Revision: https://phabricator.services.mozilla.com/D71371
This patch initializes the ulIvBits member of CK_GCM_PARAMS, which is new in PKCS11 v3.
For libprio, we instead define NSS_PKCS11_2_0_COMPAT, which yields the old struct definition.
Differential Revision: https://phabricator.services.mozilla.com/D67740
--HG--
extra : moz-landing-system : lando
2020-04-13 Kevin Jacobs <kjacobs@mozilla.com>
* lib/pk11wrap/debug_module.c, lib/pk11wrap/pk11load.c:
Bug 1629105 - Update PKCS11 module debug logger for v3.0 r=rrelyea
Differential Revision:
https://phabricator.services.mozilla.com/D70582
[50dcc34d470d] [tip]
2020-04-07 Robert Relyea <rrelyea@redhat.com>
* lib/ckfw/builtins/testlib/Makefile:
Bug 1465613 Fix gmake issue create by the patch which adds ability
to distrust certificates issued after a certain date for a specified
root cert r=jcj
I've been trying to run down an issue I've been having, and I think
this bug is the source. Whenever I build ('gmake' build), I get the
following untracted files: ? lib/ckfw/builtins/testlib/anchor.o ?
lib/ckfw/builtins/testlib/bfind.o ?
lib/ckfw/builtins/testlib/binst.o ?
lib/ckfw/builtins/testlib/bobject.o ?
lib/ckfw/builtins/testlib/bsession.o ?
lib/ckfw/builtins/testlib/bslot.o ?
lib/ckfw/builtins/testlib/btoken.o ?
lib/ckfw/builtins/testlib/ckbiver.o ?
lib/ckfw/builtins/testlib/constants.o
This is because of the way lib/ckfw/builtins/testlib works, it uses
the sources from the directory below, and explicitly reference them
with ../{source_name}.c. The object file then becomes
lib/ckfw/builtins/testlib/{OBJDIR}/../{source_name}.o.
The simple fix would be to paper over the issue and just add these
to .hgignore, but that would break our ability to build multiple
platforms on a single source directory. I'll include a patch that
fixes this issue.
bob
Differential Revision:
https://phabricator.services.mozilla.com/D70077
[92058f185316]
2020-04-06 Robert Relyea <rrelyea@redhat.com>
* automation/abi-check/expected-report-libnss3.so.txt,
gtests/ssl_gtest/tls_hkdf_unittest.cc, lib/nss/nss.def,
lib/pk11wrap/pk11pub.h, lib/pk11wrap/pk11skey.c,
lib/ssl/sslprimitive.c, lib/ssl/tls13con.c, lib/ssl/tls13con.h,
lib/ssl/tls13hkdf.c, lib/ssl/tls13replay.c, tests/ssl/ssl.sh:
Bug 1561637 TLS 1.3 does not work in FIPS mode r=mt
Part 2 of 2
Use the official PKCS #11 HKDF mechanism to implement tls 1.3.
1) The new mechanism is a single derive mechanism, so we no longer
need to pick it based on the underlying hmac (Note, we still need to
know the underlying hmac, which is passed in as a mechanism
parameter).
2) Use the new keygen to generate CKK_HKDF keys rather than doing it
by hand with the random number generator (never was really the best
way of doing this).
3) modify tls13hkdf.c to use the new mechanisms: 1) Extract: use the
new key handle in the mechanism parameters to pass the salt when the
salt is a key handle. Extract: use the explicit NULL salt parameter
if for the hash len salt of zeros. 2) Expand: Expand is mostly a
helper function which takes a mechanism. For regular expand, the
mechanism is the normal _Derive, for the Raw version its the _Data
function. That creates a data object, which is extractable in FIPS
mode.
4) update slot handling in tls13hkdf.c: 1) we need to make sure that
the key and the salt key are in the same slot. Provide a PK11wrap
function to make that guarrentee (and use that function in
PK11_WrapKey, which already has to do the same function). 2) When
importing a 'data' key for the zero key case, make sure we import
into the salt key's slot. If there is no salt key, use
PK11_GetBestSlot() rather than PK11_GetInternal slot.
Differential Revision:
https://phabricator.services.mozilla.com/D69899
[3d2b1738e064]
2020-04-06 Kevin Jacobs <kjacobs@mozilla.com>
* gtests/common/testvectors/curve25519-vectors.h,
gtests/common/testvectors/p256ecdh-vectors.h,
gtests/common/testvectors/p384ecdh-vectors.h,
gtests/common/testvectors/p521ecdh-vectors.h,
gtests/common/testvectors/rsa_oaep_2048_sha1_mgf1sha1-vectors.h,
gtests/common/testvectors/rsa_oaep_2048_sha256_mgf1sha1-vectors.h,
gtests/common/testvectors/rsa_oaep_2048_sha256_mgf1sha256-vectors.h,
gtests/common/testvectors/rsa_oaep_2048_sha384_mgf1sha1-vectors.h,
gtests/common/testvectors/rsa_oaep_2048_sha384_mgf1sha384-vectors.h,
gtests/common/testvectors/rsa_oaep_2048_sha512_mgf1sha1-vectors.h,
gtests/common/testvectors/rsa_oaep_2048_sha512_mgf1sha512-vectors.h,
gtests/common/testvectors/rsa_pkcs1_2048_test-vectors.h,
gtests/common/testvectors/rsa_pkcs1_3072_test-vectors.h,
gtests/common/testvectors/rsa_pkcs1_4096_test-vectors.h,
gtests/common/testvectors/rsa_pss_2048_sha1_mgf1_20-vectors.h,
gtests/common/testvectors/rsa_pss_2048_sha256_mgf1_0-vectors.h,
gtests/common/testvectors/rsa_pss_2048_sha256_mgf1_32-vectors.h,
gtests/common/testvectors/rsa_pss_3072_sha256_mgf1_32-vectors.h,
gtests/common/testvectors/rsa_pss_4096_sha256_mgf1_32-vectors.h,
gtests/common/testvectors/rsa_pss_4096_sha512_mgf1_32-vectors.h,
gtests/common/testvectors/rsa_pss_misc-vectors.h,
gtests/common/testvectors/rsa_signature-vectors.h,
gtests/common/testvectors/rsa_signature_2048_sha224-vectors.h,
gtests/common/testvectors/rsa_signature_2048_sha256-vectors.h,
gtests/common/testvectors/rsa_signature_2048_sha512-vectors.h,
gtests/common/testvectors/rsa_signature_3072_sha256-vectors.h,
gtests/common/testvectors/rsa_signature_3072_sha384-vectors.h,
gtests/common/testvectors/rsa_signature_3072_sha512-vectors.h,
gtests/common/testvectors/rsa_signature_4096_sha384-vectors.h,
gtests/common/testvectors/rsa_signature_4096_sha512-vectors.h,
gtests/common/testvectors_base/rsa_signature-vectors_base.txt,
gtests/common/testvectors_base/test-structs.h,
gtests/common/wycheproof/genTestVectors.py,
gtests/pk11_gtest/manifest.mn, gtests/pk11_gtest/pk11_gtest.gyp,
gtests/pk11_gtest/pk11_rsaencrypt_unittest.cc,
gtests/pk11_gtest/pk11_rsaoaep_unittest.cc,
gtests/pk11_gtest/pk11_rsapkcs1_unittest.cc,
gtests/pk11_gtest/pk11_rsapss_unittest.cc:
Bug 1612260 - Add Wycheproof vectors for RSA PKCS1 and PSS signing,
PKCS1 and OEAP decryption. r=bbeurdouche
This patch updates the Wycheproof script to build RSA test vectors
(covering PKCS1 decryption/verification, as well as PSS and OAEP)
and adds the appropriate test drivers.
Differential Revision:
https://phabricator.services.mozilla.com/D69847
[469fd8633757]
2020-04-01 Kevin Jacobs <kjacobs@mozilla.com>
* automation/taskcluster/docker-fuzz32/Dockerfile:
Bug 1626751 - Add apt-transport-https & apt-utils to fuzz32 docker
image r=jcj
We already install these packages on the image_builder image itself.
It seems they're now required on the fuzz32 image as well.
Differential Revision:
https://phabricator.services.mozilla.com/D69274
[c7a8195e3072]
2020-04-01 Giulio Benetti <giulio.benetti@benettiengineering.com>
* lib/freebl/Makefile:
Bug 1624864 - Don't force ARMv7 for gcm-arm32-neon r=jcj
[858209235972]
* coreconf/config.gypi, coreconf/config.mk, lib/freebl/Makefile,
lib/freebl/freebl.gyp, lib/freebl/gcm.c:
Bug 1620799 - Introduce NSS_DISABLE_ARM32_NEON r=jcj
Only some Arm32 supports neon, so let's introduce
NSS_DISABLE_ARM32_NEON to allow disabling Neon acceleration when
building for Arm32.
Signed-off-by: Giulio Benetti
<giulio.benetti@benettiengineering.com>
[b47b2c35aa64]
2020-04-01 Kevin Jacobs <kjacobs@mozilla.com>
* automation/abi-check/expected-report-libnss3.so.txt, automation/abi-
check/expected-report-libsoftokn3.so.txt, automation/abi-check
/expected-report-libssl3.so.txt:
Fixup ABI checks after libabigail update and Delegated Credentials
backport. r=me
[7f50f6ca7658]
2020-03-31 hajma <tropikhajma@gmail.com>
* coreconf/SunOS5.mk:
Bug 1625133 - Fix implicit declaration of function 'getopt' on SunOS
r=jcj
[744788dd18dc]
2020-03-30 Robert Relyea <rrelyea@redhat.com>
* automation/abi-check/expected-report-libnss3.so.txt,
gtests/pk11_gtest/pk11_hkdf_unittest.cc, lib/nss/nss.def,
lib/pk11wrap/pk11mech.c, lib/pk11wrap/pk11obj.c,
lib/pk11wrap/pk11pub.h, lib/softoken/pkcs11.c,
lib/softoken/pkcs11c.c:
Bug 1561637 TLS 1.3 does not work in FIPS mode
Patch 1 of 2. This patch updates softoken and helper functions with
the new PKCS #11 v3 HKDF, which handles all the correct key
management so that we can work in FIPS mode
1) Salts can be passed in as data, as and explicit NULL (which per
spec means a zero filled buffer of length of the underlying HMAC),
or through a key handle 2) A Data object can be used as a key
(explicitly allowed for this mechanism by the spec). 3) A special
mechansism produces a data object rather than a key, the latter
which can be exported. Softoken does not do the optional validation
on the pInfo to verify that the requested values are supposed to be
data rather than keys. Some other tokens may.
The old hkdf mechanism has been retained for compatibility (well
namely until patch 2 is created, tls is still using it). The hkdf
function has been broken off into it's own function rather than
inline in the derive function.
Note: because the base key and/or the export key could really be a
data object, our explicit handling of sensitive and extractable are
adjusted to take into account that those flags do not exist in data
objects.
Differential Revision:
https://phabricator.services.mozilla.com/D68940
[e0922aac5267]
2020-03-26 Hans Petter Jansson <hpj@cl.no>
* cmd/lowhashtest/lowhashtest.c:
Bug 1622555 - Fix lowhashtest argument parsing. r=kjacobs
[f3c5ab41c972]
2020-03-26 Benjamin Beurdouche <bbeurdouche@mozilla.com>
* lib/freebl/Makefile, lib/freebl/freebl.gyp:
Bug 1624377 - Replace freebl flag -msse4 by -msse4.1 -msse4.2 which
are supported by older compilers r=kjacobs
Differential Revision:
https://phabricator.services.mozilla.com/D68407
[16ee7cb36fff]
2020-03-26 Robert Relyea <rrelyea@redhat.com>
* gtests/ssl_gtest/libssl_internals.c, lib/pk11wrap/exports.gyp,
lib/pk11wrap/manifest.mn, lib/ssl/ssl3con.c, lib/ssl/sslprimitive.c,
lib/ssl/sslspec.h, lib/ssl/tls13con.c, lib/ssl/tls13con.h,
lib/ssl/tls13esni.c, lib/ssl/tls13exthandle.c:
Bug 1623374 Need to support the new PKCS #11 Message interface for
AES GCM and ChaCha Poly r=mt
Update ssl to use the new PK11_AEADOp() interface. 1. We restore the
use of PK11Context_Create() for AEAD operations. 2. AES GCM and
CHACHA/Poly specific functions are no longer needed as PK11_AEADOp()
handles all the mechanism specific processing. 3. TLS semantic
differences between the two algorithms is handled by their
parameters: 1. Nonce length is the length of the nonce counter. If
it's zero, then XOR_Counter is used (and the nonce length is the
sizeof(sslSequenceNumber)). 2. IV length is the full IV length -
nonce length. 3. TLS 1.3 always uses XOR_Counter. 4. The IV is
returned from the token in the encrypt case. Only in the explict
nonce case is it examined. (The code depends on the fact that the
count in the token will match sslSequenceNumber). I did have assert
code to verify this was happening for testing, but it's removed from
this patch it can be added back. 5. All the decrypt instances of
XOR_Counter IV creation have been colapsed into tls13_WriteNonce().
6. Even tough PK11_AEADOp returns and accepts the tag separately
(for encrypt and decrypt respectively). The SSL code still returns
the values as buffer||tag. 7. tls13_AEAD() has been enhanced so all
uses of AEAD outside of the TLS stream can use it instead of their
own wrapped version. It can handle streams (CreateContext()
tls13_AEAD() tls13_AEAD() DestroyContext()) or single shot
tls13_AEAD(context=NULL). In the later case, the keys for the single
shot operation should not be resued. 8. libssl_internals.c in the
gtests directory has been updated to handle advancing the internal
iv counter when we artifically advance the seqNum. Since we don't
have access to any token iv counter (including softoken), The code
switches to simulated message mode, and updates the simulated state
as appropriate. (obviously this is for testing only code as it
reaches into normally private data structures).
Differential Revision:
https://phabricator.services.mozilla.com/D68480
[e7c7f305078e]
2020-03-26 Robert Relyea <rrelyea@redhat.com>
* gtests/ssl_gtest/libssl_internals.c, lib/pk11wrap/exports.gyp,
lib/pk11wrap/manifest.mn, lib/ssl/ssl3con.c, lib/ssl/sslprimitive.c,
lib/ssl/sslspec.h, lib/ssl/tls13con.c, lib/ssl/tls13con.h,
lib/ssl/tls13esni.c, lib/ssl/tls13exthandle.c:
Bug 1623374 Need to support the new PKCS #11 Message interface for
AES GCM and ChaCha Poly r=mt
Update ssl to use the new PK11_AEADOp() interface. 1. We restore the
use of PK11Context_Create() for AEAD operations. 2. AES GCM and
CHACHA/Poly specific functions are no longer needed as PK11_AEADOp()
handles all the mechanism specific processing. 3. TLS semantic
differences between the two algorithms is handled by their
parameters: 1. Nonce length is the length of the nonce counter. If
it's zero, then XOR_Counter is used (and the nonce length is the
sizeof(sslSequenceNumber)). 2. IV length is the full IV length -
nonce length. 3. TLS 1.3 always uses XOR_Counter. 4. The IV is
returned from the token in the encrypt case. Only in the explict
nonce case is it examined. (The code depends on the fact that the
count in the token will match sslSequenceNumber). I did have assert
code to verify this was happening for testing, but it's removed from
this patch it can be added back. 5. All the decrypt instances of
XOR_Counter IV creation have been colapsed into tls13_WriteNonce().
6. Even tough PK11_AEADOp returns and accepts the tag separately
(for encrypt and decrypt respectively). The SSL code still returns
the values as buffer||tag. 7. tls13_AEAD() has been enhanced so all
uses of AEAD outside of the TLS stream can use it instead of their
own wrapped version. It can handle streams (CreateContext()
tls13_AEAD() tls13_AEAD() DestroyContext()) or single shot
tls13_AEAD(context=NULL). In the later case, the keys for the single
shot operation should not be resued. 8. libssl_internals.c in the
gtests directory has been updated to handle advancing the internal
iv counter when we artifically advance the seqNum. Since we don't
have access to any token iv counter (including softoken), The code
switches to simulated message mode, and updates the simulated state
as appropriate. (obviously this is for testing only code as it
reaches into normally private data structures).
Differential Revision:
https://phabricator.services.mozilla.com/D68480
[e7c7f305078e]
2020-03-23 Kevin Jacobs <kjacobs@mozilla.com>
* lib/softoken/pkcs11.c:
Bug 1624402 - Fix compilation error when NO_FORK_CHECK and
CHECK_FORK_* are defined r=rrelyea
Differential Revision:
https://phabricator.services.mozilla.com/D67911
[0225889e5292]
2020-03-23 Kevin Jacobs <kjacobs@mozilla.com>
* lib/util/pkcs11.h:
Bug 1624130 - Require CK_FUNCTION_LIST structs to be packed.
r=rrelyea
Differential Revision:
https://phabricator.services.mozilla.com/D67741
[7ab62d3d0445]
2020-03-19 Robert Relyea <rrelyea@redhat.com>
* automation/abi-check/expected-report-libnss3.so.txt,
gtests/pk11_gtest/pk11_aes_gcm_unittest.cc,
gtests/pk11_gtest/pk11_chacha20poly1305_unittest.cc,
lib/freebl/blapi.h, lib/freebl/blapii.h, lib/freebl/blapit.h,
lib/freebl/chacha20poly1305.c, lib/freebl/gcm.c, lib/freebl/gcm.h,
lib/freebl/intel-gcm-wrap.c, lib/freebl/intel-gcm.h,
lib/freebl/ldvector.c, lib/freebl/loader.c, lib/freebl/loader.h,
lib/freebl/rijndael.c, lib/freebl/rijndael.h, lib/nss/nss.def,
lib/pk11wrap/pk11cxt.c, lib/pk11wrap/pk11mech.c,
lib/pk11wrap/pk11priv.h, lib/pk11wrap/pk11pub.h,
lib/pk11wrap/pk11skey.c, lib/pk11wrap/pk11slot.c,
lib/pk11wrap/secmodti.h, lib/softoken/fipstokn.c,
lib/softoken/pkcs11.c, lib/softoken/pkcs11c.c,
lib/softoken/pkcs11i.h, lib/softoken/pkcs11u.c,
lib/softoken/sftkmessage.c, lib/util/pkcs11n.h, lib/util/pkcs11t.h,
lib/util/secport.h:
Bug 1623374 Need to support the new PKCS #11 Message interface for
AES GCM and ChaCha Poly
PKCS #11 defines a new interface for handling AEAD type ciphers that
allow multiple AEAD operations without repeating the key schedule.
It also allows tokens to keep track of the number of operations, and
generate IVs (depending on the cipher).
This patch: 1. implement those new functions in softoken. With the
addition of CKF_MESSAGE_* flags to various mechanism, we need to
strip them when using the version 2 API of softoken (since there are
no C_Message* function in version 2). For that we need a separate
C_GetMechanismInfo function. We use the same trick we used to have a
separate version function for the V2 interface. Also now that the
new message functions are in their own file, they still need access
to the common Session state processing functions. those have gone
from static to exported within softoken to accomidate that. Same
with sftk_MapDecryptError() (sftk_MapVerifyError() was also made
global, though nothing else is yet using it). Only
C_MessageEncrptInit(), C_EncryptMessage(), C_MessageEncryptFinal,
C_MessageDecryptInit(), C_DecryptMessage(), and
C_MessageDecryptFinal are implemented. C_EncryptMessageBegin(),
C_EncryptMessageNext(), C_DecryptMessageBegin(), and
C_DecryptMessageNext() are all part of the multi-part withing a
multi-part operation and are only necessary for things like S/MIME
(potentially). If we wanted to implement them, we would need more
functions exported from freebl (and initaead, updateaead, finalaead
for each mechanism type). 2. make those interfaces call aes_gcm and
chacha20_poly1503 (and make adjustments for those ciphers). For AES,
I added a new function AES_AEAD, which handles both encrypt and
decrypt. Internally, the gcm functions (both the generic gcm and the
intel gcm wrapper) had their init functions split into key
scheduling and counter mode/tag initialization. The latter is still
called from init, but the former is now for each update call. IV
generation is handled by a single function in gcm.c, and shared with
intel_gcm_wrapper.c Since the AES functions already know about the
underlying PKCS #11 mechanism parameters, the new AEAD functions
also parse the PKCS #11 GCM parameters. For Chacha/Poly new aead
update functions were created called ChaChaPoly1305_Encrypt and
ChaChaChaPoly1305_Decrypt. There was no Message specific
initialization in the existing chacha_init, so no changes were
needed there. The primary difference between _Encrypt/_Decrypt and
_Seal/_Open is the fact that the tag is put at the end of the
encrypted data buffer in the latter, and in a generic buffer in the
former. 3. create new pk11wrap interfaces that also squash the api
differences between the various mechanisms for aead (similiar to the
way we do it for CBC and ECB crypto today). To accomplish this I
added PK11_AEADOp() and PK11_AEADRawOp(). Both functions handle the
case where the token only supports the single shot interface, by
using the single short interface to simulate the Message interface.
The PK11_AEADOp() also smooths out the differences in the parameters
and symantics of the various mechanism so the application does not
need to worry about the PKCS #11 differences in the mechanism. Both
use contexts from the standard PK11_CreateContext(), so key
schedules are done once for each key rather than once for each
message. MESSAGE/AEAD operations are selected by adding the psuedo
attribute flag CKA_NSS_MESSAGE to the requested operation
(CKA_ENCRYPT, CKA_DECRYPT, CKA_SIGN, CKA_VERIFY). 4. write tests for
the new interfaces Tests were added to make sure the PK11_AEADRawOp
interface works, The single shot interface is used to test output of
the message interface we also use two test only functions to force
the connection to use the simulation interface, which is also
compared to the non-simulate inteface. The AES_GCM also tests
various IV generators.
Differential Revision:
https://phabricator.services.mozilla.com/D67552
[293ac3688ced]
2020-03-18 Kevin Jacobs <kjacobs@mozilla.com>
* lib/freebl/mpi/mpcpucache.c:
Bug 1623184 - Clear ECX prior to cpuid, fixing query for Extended
Features r=bbeurdouche
While trying to benchmark the recent HACL* AVX2 code, I noticed that
it was not being called on two machines (that both support AVX2),
instead using only the AVX version.
In order to query for Extended Features (cpuid with EAX=7), we also
need to set ECX to 0: https://www.intel.com/content/www/us/en
/architecture-and-technology/64-ia-32-architectures-software-
developer-vol-2a-manual.html. The current code fails to do this,
resulting in flags that show no support.
Initially, I wrote a separate `freebl_cpuid_ex` function that
accepted a value for ECX as a separate input argument. However, some
definitions of `freebl_cpuid` already zero ECX, so making this
consistent is the simplest way to get the desired behavior.
With this patch, the two test machines (MacOS and Linux x64)
correctly use the AVX2 ChaCha20Poly1305 code.
Differential Revision:
https://phabricator.services.mozilla.com/D67235
[06d41fe87c58]
2020-03-17 Robert Relyea <rrelyea@redhat.com>
* automation/abi-check/expected-report-libnss3.so.txt, automation/abi-
check/expected-report-libsoftokn3.so.txt, cmd/pk11mode/pk11mode.c,
lib/pk11wrap/pk11load.c, lib/pk11wrap/secmodi.h,
lib/pk11wrap/secmodt.h, lib/softoken/fipstokn.c,
lib/softoken/manifest.mn, lib/softoken/pkcs11.c,
lib/softoken/pkcs11c.c, lib/softoken/pkcs11i.h,
lib/softoken/sftkmessage.c, lib/softoken/softoken.gyp,
lib/softoken/softoken.h, lib/softoken/softokn.def,
lib/util/pkcs11.h, lib/util/pkcs11f.h, lib/util/pkcs11n.h,
nss/automation/abi-check/new-report-libnss3.so.txt, nss/automation
/abi-check/new-report-libsoftokn3.so.txt:
Bug 1603628 Update NSS to handle PKCS #11 v3.0 r=ueno r=mt
Update to PKCS #11 v3.0 part 2.
Create the functions and switch to the C_Interface() function to
fetch the PKCS #11 function table. Also PKCS #11 v3.0 uses a new
fork safe interface. NSS can already handle the case if the PKCS #11
module happens to be fork safe (when asked by the application to
refresh the tokens in the child process, NSS can detect that such a
refresh is not necessary and continue. Softoken could also be put in
fork_safe mode with an environment variable. With this patch it's
the default, and NSS asks for the fork safe API by default.
Technically softoken should implement the old non-fork safe
interface when PKCS #11 v2.0 is called, but NSS no longer needs it,
and doing so would double the number of PKCS #11 interfaces are
needed. You can still compile with fork unsafe semantics, and the
PKCS #11 V3.0 module will do the right thing and not include the
fork safe flag. Firefox does not fork(), so for firefox this is
simply code that is no longer compilied.
We now use C_GetInterface, which allows us to specify what kind of
interface we want (PKCS #11 v3.0, PKCS #11 v2.0, fork safe, etc.).
Vendor specific functions can now be accessed through the
C_GetInterface. If the C_GetInterface function does not exists, we
fall bak to the old C_GetFunctionList.
There are 24 new functions in PKCS #11 v3.0: C_GetInterfaceList -
return a table of all the supported interfaces C_GetInterface -
return a specific interface. You can specify interface name, version
and flags separately. You can leave off any of these and you will
get what the token thinks is the best match of the interfaces that
meet the criteria. We do this in softoken by the order of the
interface list. C_SessionCancel - Cancel one or more multipart
operation C_LoginUser - Supply a user name to C_Login(). This
function has no meaning for softoken, so it just returns
CKR_OPERATION_NOT_INITIALIZED under the theory that if we in the
future want to support usernames, the NSS db would need special
initialization to make that happen. C_Message* and C_*Message* (20
functions in all) are the new AEAD interface (they are written
generally so that it can be used for things other than AEAD). In
this patch they are unimplemented (see the next patch).
This patch adds regular (NSC_) and FIPS (FC_) versions of these
functions. Also when creating the PKCS #11 v2.0 interface, we had to
create a 2.0 specific version of C_GetInfo so that it can return a
2.40 in the CK_VERSION field rather than 3.00. We do this with
#defines since all the function tables are generated automagically
with pkcs11f.h.
Differential Revision:
https://phabricator.services.mozilla.com/D67240
[2364598f8a36]
2020-03-09 Benjamin Beurdouche <bbeurdouche@mozilla.com>
* automation/taskcluster/scripts/run_hacl.sh,
lib/freebl/verified/Hacl_Poly1305_128.c,
lib/freebl/verified/Hacl_Poly1305_256.c:
Bug 1612493 - Fix Firefox build for Windows 2012 x64. r=kjacobs
Differential Revision:
https://phabricator.services.mozilla.com/D65945
[7e09cdab32d0]
2020-03-02 Kurt Miller <kurt@intricatesoftware.com>
* lib/freebl/blinit.c:
Bug 1618400 - Fix unused variable 'getauxval' on OpenBSD/arm64 r=jcj
https://bugzilla.mozilla.org/show_bug.cgi?id=1618400
[2c989888dee7]
2020-03-02 Giulio Benetti <giulio.benetti@benettiengineering.com>
* lib/freebl/blinit.c:
Bug 1614183 - Check if PPC __has_include(<sys/auxv.h>). r=kjacobs
Some build environment doesn't provide <sys/auxv.h> and this causes
build failure, so let's check if that header exists by using
__has_include() helper.
Signed-off-by: Giulio Benetti
<giulio.benetti@benettiengineering.com>
[bb7c46049f26]
2020-02-28 Benjamin Beurdouche <bbeurdouche@mozilla.com>
* automation/taskcluster/scripts/run_hacl.sh,
lib/freebl/verified/Hacl_Chacha20.c,
lib/freebl/verified/Hacl_Chacha20Poly1305_128.c,
lib/freebl/verified/Hacl_Chacha20Poly1305_32.c,
lib/freebl/verified/Hacl_Chacha20_Vec128.c,
lib/freebl/verified/Hacl_Curve25519_51.c,
lib/freebl/verified/Hacl_Kremlib.h,
lib/freebl/verified/Hacl_Poly1305_128.c,
lib/freebl/verified/Hacl_Poly1305_32.c,
lib/freebl/verified/kremlin/include/kremlin/internal/types.h,
lib/freebl/verified/kremlin/kremlib/dist/minimal/FStar_UInt128.h, li
b/freebl/verified/kremlin/kremlib/dist/minimal/FStar_UInt128_Verifie
d.h, lib/freebl/verified/kremlin/kremlib/dist/minimal/FStar_UInt_8_1
6_32_64.h, lib/freebl/verified/kremlin/kremlib/dist/minimal/LowStar_
Endianness.h, lib/freebl/verified/kremlin/kremlib/dist/minimal/fstar
_uint128_gcc64.h, lib/freebl/verified/libintvector.h:
Bug 1617533 - Update of HACL* after libintvector.h and coding style
changes. r=kjacobs
*** Bug 1617533 - Clang format
*** Bug 1617533 - Update HACL* commit for job in Taskcluster
*** Bug 1617533 - Update HACL* Kremlin code
Differential Revision:
https://phabricator.services.mozilla.com/D63829
[b6677ae9067e]
* automation/taskcluster/graph/src/extend.js, coreconf/arch.mk,
coreconf/config.mk, lib/freebl/Makefile, lib/freebl/blapii.h,
lib/freebl/blinit.c, lib/freebl/chacha20poly1305.c,
lib/freebl/freebl.gyp,
lib/freebl/verified/Hacl_Chacha20Poly1305_256.c,
lib/freebl/verified/Hacl_Chacha20Poly1305_256.h,
lib/freebl/verified/Hacl_Chacha20_Vec256.c,
lib/freebl/verified/Hacl_Chacha20_Vec256.h,
lib/freebl/verified/Hacl_Poly1305_256.c,
lib/freebl/verified/Hacl_Poly1305_256.h, nss-tool/hw-support.c:
Bug 1612493 - Support for HACL* AVX2 code for Chacha20, Poly1305 and
Chacha20Poly1305. r=kjacobs
*** Bug 1612493 - Import AVX2 code from HACL*
*** Bug 1612493 - Add CPU detection for AVX2, BMI1, BMI2, FMA, MOVBE
*** Bug 1612493 - New flag NSS_DISABLE_AVX2 for freebl/Makefile and
freebl.gyp
*** Bug 1612493 - Disable use of AVX2 on GCC 4.4 which doesn’t
support -mavx2
*** Bug 1612493 - Disable tests when the platform doesn't have
support for AVX2
Differential Revision:
https://phabricator.services.mozilla.com/D64718
[d5deac55f543]
2020-02-18 Robert Relyea <rrelyea@redhat.com>
* cmd/bltest/blapitest.c, cmd/fipstest/fipstest.c,
cmd/lib/pk11table.c, cmd/pk11gcmtest/pk11gcmtest.c,
cmd/shlibsign/shlibsign.c,
gtests/pk11_gtest/pk11_aes_gcm_unittest.cc,
gtests/pk11_gtest/pk11_cbc_unittest.cc, lib/certdb/crl.c,
lib/ckfw/dbm/db.c, lib/dev/devslot.c, lib/dev/devtoken.c,
lib/dev/devutil.c, lib/freebl/fipsfreebl.c, lib/freebl/gcm.c,
lib/freebl/intel-gcm-wrap.c, lib/pk11wrap/debug_module.c,
lib/pk11wrap/dev3hack.c, lib/pk11wrap/pk11akey.c,
lib/pk11wrap/pk11auth.c, lib/pk11wrap/pk11cert.c,
lib/pk11wrap/pk11err.c, lib/pk11wrap/pk11load.c,
lib/pk11wrap/pk11mech.c, lib/pk11wrap/pk11merge.c,
lib/pk11wrap/pk11nobj.c, lib/pk11wrap/pk11obj.c,
lib/pk11wrap/pk11pbe.c, lib/pk11wrap/pk11pk12.c,
lib/pk11wrap/pk11pqg.c, lib/pk11wrap/pk11skey.c,
lib/pk11wrap/pk11slot.c, lib/pk11wrap/pk11util.c, lib/pkcs12/p12d.c,
lib/pkcs12/p12e.c, lib/softoken/fipstokn.c,
lib/softoken/legacydb/lgattr.c, lib/softoken/legacydb/lgcreate.c,
lib/softoken/legacydb/lgfind.c, lib/softoken/legacydb/lginit.c,
lib/softoken/pkcs11.c, lib/softoken/pkcs11c.c,
lib/softoken/pkcs11u.c, lib/softoken/sdb.c, lib/softoken/sftkdb.c,
lib/softoken/sftkpwd.c, lib/ssl/ssl3con.c, lib/ssl/sslprimitive.c,
lib/ssl/tls13con.c, lib/util/pkcs11.h, lib/util/pkcs11f.h,
lib/util/pkcs11n.h, lib/util/pkcs11t.h, lib/util/secoid.c, nss-
tool/enc/enctool.cc:
Bug 1603628 Update NSS to handle PKCS #11 v3.0 r=daiki r=mhoye
https://phabricator.services.mozilla.com/D63241
This patch implements the first phase: updating the headers.
lib/util/pkcs11.h lib/util/pkcs11f.h lib/util/pkcs11t.h
Were updated using the released OASIS PKCS #11 v3.0 header files.
lib/util/pkcs11n.h was updated to finally deprecate all uses of
CK?_NETSCAPE_?.
A new define as added: NSS_PKCS11_2_0_COMPAT. If it's defined, the
small semantic changes (including the removal of deprecated defines)
between the NSS PKCS #11 v2 header file and the new PKCS #11 v3 are
reverted in favor of the PKCS #11 v2 definitions. This include the
removal of CK?_NETSCAPE_? in favor of CK?_NSS_?.
One notable change was caused by an inconsistancy between the spec
and the released headers in PKCS #11 v2.40. CK_GCM_PARAMS had an
extra field in the header that was not in the spec. OASIS considers
the header file to be normative, so PKCS #11 v3.0 resolved the issue
in favor of the header file definition. NSS had the spec definition,
so now there are 2 defines for this structure:
CK_NSS_GCM_PARAMS - the old nss define. Still used internally in
freebl. CK_GCM_PARAMS_V3 - the new define. CK_GCM_PARAMS - no longer
referenced in NSS itself. It's defined as CK_GCM_PARAMS_V3 if
NSS_PKCS11_2_0_COMPAT is *not* defined, and it's defined as
CKM_NSS_GCM_PARAMS if NSS_PKCS11_2_0_COMPAT is defined.
Softoken has been updated to accept either CK_NSS_GCM_PARAMS or
CK_GCM_PARAMS_V3. In a future patch NSS will be updated to use
CK_GCM_PARAMS_V3 and fall back to CK_NSS_GMC_PARAMS.
One other semantic difference between the 3.0 version of pkcs11f.h
and the version here: In the oasis version of the header, you must
define CK_PKCS11_2_0_ONLY to get just the PKCS #11 v2 defines. In
our version you must define CK_PKCS11_3 to get the PCKS #11 v3
defines.
Most of this patch is to handle changing the deprecated defines that
have been removed in PCKS #11 v3 from NSS.
Differential Revision:
https://phabricator.services.mozilla.com/D63241
[b5d90a7fe217]
Differential Revision: https://phabricator.services.mozilla.com/D70773
--HG--
extra : moz-landing-system : lando
If a third-party application modifies IAT of ntdll.dll in the browser process
after process launch, the browser process fails to launch a sandbox process,
resulting in a situation where a window is opened without any functionality.
This patch is to mitigate that situation by disabling the launcher process
when the browser process fails to launch a sandbox process.
Differential Revision: https://phabricator.services.mozilla.com/D70873
--HG--
extra : moz-landing-system : lando
When a server requests a client certificate, it can include a list of
distinguished names that it considers valid issuers for client certificates
(either as direct issuers or as transitive issuers). Before this patch, the
platform would call CERT_FilterCertListByCANames to filter potential client
certificates by this list of names. This function uses the "classic" NSS
certificate path-building algorithm and thus can't make use of other
certificates that gecko may know about, such as third-party intermediates and
preloaded intermediates.
This patch implements client certificate filtering by re-using the path building
implementation provided by mozilla::pkix to determine if each certificate has an
issuer with a name included in the acceptable list. These issuers include
third-party intermediates, preloaded intermediates, and all certificates known
to NSS. Note that this implementation does not actually verify the client
certificates - no signatures are checked and no particular key usages are
enforced. However, some properties are enforced, such as validity periods.
Differential Revision: https://phabricator.services.mozilla.com/D68101
--HG--
rename : security/manager/ssl/tests/mochitest/browser/pgo-ca-regular-usages.pem.certspec => security/manager/ssl/tests/mochitest/browser/intermediate.pem.certspec
extra : moz-landing-system : lando
Dana Keeler
ffxbld
Christoph Kerschbaumer
Kevin Jacobs
Narcis Beleuzu
Martin Thomson
Jed Davis
Andrea Marchesini
Csoregi Natalia
Razvan Maries
Kris Maglione
Noemi Erli
Dorel Luca
Sylvestre Ledru
Jared Wein
Mike Hommey
J.C. Jones
Alexis Beingessner
Benjamin Beurdouche
Erica Wright
Emilio Cobos Álvarez
Matt Woodrow
Bogdan Tara
David Major
Kershaw Chang
Butkovits Atila
Moritz Birghan
Gian-Carlo Pascutto
Magnus Melin
Lina Cambridge
Nathan Froyd
Coroiu Cristina
Frederik Braun
Mihai Alexandru Michis
Aaron Klotz
J.C. Jones
Simon Giesecke
Ricky Stewart
Chanhee Cho
Ian Moody
Ciure Andrei
Toshihito Kikuchi
Matthew Noorenberghe
Andreea Pavel
Cameron McCormack
Mike Conley
Jeff Gilbert
Dzmitry Malyshau
Jonathan Kew