2020-12-11 Kevin Jacobs <kjacobs@mozilla.com>
* automation/abi-check/expected-report-libssl3.so.txt, automation/abi-
check/previous-nss-release, lib/nss/nss.h, lib/softoken/softkver.h,
lib/util/nssutil.h:
Set version numbers to 3.61 Beta
[f277d2674c80]
* gtests/<...>
Bug 1677207 - Update Google Test to release-1.10.0 r=bbeurdouche
./gtests/google_test/update.sh release-1.10.0 && hg remove -A && hg
add gtests/google_test/*
[89141382df45]
* gtests/<...>
Bug 1677207 - Replace references to TestCase, which is deprecated,
with TestSuite r=bbeurdouche
grep -rl --exclude-dir=google_test INSTANTIATE_TEST_CASE_P gtests |
xargs sed -i '' s/INSTANTIATE_TEST_CASE_P/INSTANTIATE_TEST_SUITE_P/g
grep -rl --exclude-dir=google_test SetUpTestCase gtests | xargs sed
-i '' s/SetUpTestCase/SetUpTestSuite/g
[e15b78be87fa]
* gtests/ssl_gtest/ssl_ciphersuite_unittest.cc,
gtests/ssl_gtest/ssl_debug_env_unittest.cc,
gtests/ssl_gtest/ssl_extension_unittest.cc,
gtests/ssl_gtest/ssl_loopback_unittest.cc,
gtests/ssl_gtest/ssl_renegotiation_unittest.cc,
gtests/ssl_gtest/ssl_resumption_unittest.cc,
gtests/ssl_gtest/ssl_version_unittest.cc,
gtests/ssl_gtest/tls_ech_unittest.cc:
Bug 1677207 - Use GTEST_SKIP in ssl_gtests. r=bbeurdouche
[0772f1bf5fd6]
2020-12-17 Robert Relyea <rrelyea@redhat.com>
* gtests/common/testvectors/ike-aesxcbc-vectors.h,
gtests/common/testvectors/ike-sha1-vectors.h,
gtests/common/testvectors/ike-sha256-vectors.h,
gtests/common/testvectors/ike-sha384-vectors.h,
gtests/common/testvectors/ike-sha512-vectors.h,
gtests/common/testvectors_base/test-structs.h,
gtests/pk11_gtest/manifest.mn, gtests/pk11_gtest/pk11_gtest.gyp,
gtests/pk11_gtest/pk11_ike_unittest.cc, lib/softoken/sftkike.c:
Bug 1682071 IKE Quick mode IPSEC give you incorrect keys if you are
asking for keys smaller than the hash size.
IKE Appendix B fixes.
This patch fixes 2 problems.
If you run either ike v1 App B or quick mode asking for a key with
length
mod macsize = 0, you will generate an extra block that's not used
and overwrites the end of the buffer.
If you use quick mode, the function incorrectly subsets the
existing key
rather than generating a new key. This is correct behavior for
Appendix B, where appendix B is trying to take a generated key and
create a new longer key (with no diversification, just transform the
key into something that's longer), so if you ask for a key less than
or equal to, then you want to just subset the original key. In quick
mode you are taking a base key and creating a set of new keys based
on additional data, so you want to subset the generated data. This
patch only subsets the original key if you aren't doing quickmode.
Full test vectors have now been added for all ike modes in this
patch as well (previously we depended on the FIPS CAVS tests to test
ike, which covers basic IKEv1, IKEv1_psk, and IKEv2 but not IKEv1
App B and IKE v1 Quick mode).
[f4995c9fa185]
2020-12-18 Robert Relyea <rrelyea@redhat.com>
* gtests/common/testvectors/rsa_pkcs1_2048_test-vectors.h,
gtests/common/testvectors/rsa_pkcs1_3072_test-vectors.h,
gtests/common/testvectors/rsa_pkcs1_4096_test-vectors.h,
gtests/freebl_gtest/Makefile, gtests/freebl_gtest/manifest.mn,
gtests/freebl_gtest/rsa_unittest.cc, gtests/manifest.mn,
gtests/pk11_gtest/pk11_rsaencrypt_unittest.cc,
gtests/pk11_gtest/pk11_rsaoaep_unittest.cc, lib/freebl/alghmac.c,
lib/freebl/alghmac.h, lib/freebl/rsapkcs.c:
Bug 1651411 New tlsfuzzer code can still detect timing issues in RSA
operations.
This patch defeats Bleichenbacher by not trying to hide the size of
the decrypted text, but to hide if the text succeeded for failed.
This is done by generating a fake returned text that's based on the
key and the cipher text, so the fake data is always the same for the
same key and cipher text. Both the length and the plain text are
generated with a prf.
Here's the proposed spec the patch codes to:
1. Use SHA-256 to hash the private exponent encoded as a big-
endian integer to a string the same length as the public modulus.
Keep this value secret. (this is just an optimisation so that the
implementation doesn't have to serialise the key over and over
again) 2. Check the length of input according to step one of
https://tools.ietf.org/html/rfc8017#section-7.2.2 3. When provided
with a ciphertext, use SHA-256 HMAC(key=hash_from_step1,
text=ciphertext) to generate the key derivation key 4. Use SHA-256
HMAC with key derivation key as the key and a two-byte big- endian
iterator concatenated with byte string "length" with the big- endian
representation of 2048 (0x0800) as the bit length of the generated
string.
- Iterate this PRF 8 times to generate a 256 byte string 5. initialise
the length of synthetic message to 0 6. split the PRF output into 2
byte strings, convert into big-endian integers, zero- out high-order
bits so that they have the same bit length as the octet length of
the maximum acceptable message size (k-11), select the last integer
that is no larger than (k-11) or remain at 0 if no integer is
smaller than (k-11); this selection needs to be performed using a
side-channel free operators 7. Use SHA-256 HMAC with key derivation
key as the key and a two-byte big-endian iterator concatenated with
byte string "message" with the big-endian representation of k*8
- use this PRF to generate k bytes of output (right-truncate last HMAC
call if the number of generated bytes is not a multiple of SHA-256
output size) 8. perform the RSA decryption as described in step 2 of
section 7.2.2 of rfc8017 9. Verify the EM message padding as
described in step 3 of section 7.2.2 of rfc8017, but instead of
outputting "decryption error", return the last l bytes of the
"message" PRF, when l is the selected synthetic message length using
the "length" PRF, make this decision and copy using side-channel
free operation
[fc05574c7399]
2020-12-22 Robert Relyea <rrelyea@redhat.com>
* gtests/freebl_gtest/rsa_unittest.cc,
gtests/pk11_gtest/pk11_rsaoaep_unittest.cc, lib/freebl/alghmac.c,
lib/freebl/rsapkcs.c:
Restore lost portion of the bleichenbacher timing batch that
addressed review comments. All the review comments pertained to
actual code comments, so this patch only affects the comments.
[fcebe146314e]
2020-12-22 Kevin Jacobs <kjacobs@mozilla.com>
* lib/dev/devslot.c:
Bug 1682863 - Revert nssSlot_IsTokenPresent to 3.58 after ongoing Fx
hangs with slow PKCS11 devices. r=bbeurdouche
This patch reverts the `nssSlot_IsTokenPresent` changes made in bug
1663661 and bug 1679290, restoring the version used in NSS 3.58 and
earlier. It's not an actual `hg backout` because the comment in
lib/dev/devt.h is worth keeping. While removing the nested locking
did resolve the hang for some (most?) third-party modules, problems
remain with some slower tokens after an even further relaxation of
the locking, which defeats the purpose of addressing the races in
the first place.
The crash addressed by these patches was caused by the Intermediate
Preloading Healer in Firefox, which has been disabled. We clearly
have insufficient test coverage for third-party modules, and now
that osclientcerts is enabled in Fx Nightly, any problems caused by
these and similar changes is unlikely to be reported until Fx Beta,
well after NSS RTM. I think the best option at this point is to
simply revert NSS.
[97ef009f7a78] [tip]
Differential Revision: https://phabricator.services.mozilla.com/D100401
Bug 1583109 introduced new function templates StringJoin and StringJoinAppend.
These are now used to replace several custom loops across the codebase that
implement string-joining algorithms to simplify the code.
Differential Revision: https://phabricator.services.mozilla.com/D98750
Bug 1583109 introduced new function templates StringJoin and StringJoinAppend.
These are now used to replace several custom loops across the codebase that
implement string-joining algorithms to simplify the code.
Differential Revision: https://phabricator.services.mozilla.com/D98750
This patch removes telemetry probes for TLS 1.3 Delegated Credentials. The
probes are expiring soon and we do not plan to run any more experiments that
would justify their renewal. There is no plan to enable this feature in beta or
release until the draft hits RFC stage.
Differential Revision: https://phabricator.services.mozilla.com/D99557
2020-12-11 Kevin Jacobs <kjacobs@mozilla.com>
* lib/nss/nss.h, lib/softoken/softkver.h, lib/util/nssutil.h:
Set version numbers to 3.60 final
[2015cf6ca323] [NSS_3_60_RTM] <NSS_3_60_BRANCH>
2020-12-08 Kevin Jacobs <kjacobs@mozilla.com>
* .hgtags:
Added tag NSS_3_60_BETA1 for changeset f84fb229842a
[1fe6cb3c3874]
Differential Revision: https://phabricator.services.mozilla.com/D99488
This moves parts of IPCMessageUtils.h to two new header files and adapts
the include directives as necessary. The new header files are:
- EnumSerializer.h, which defines the templates for enum serializers
- IPCMessageUtilsSpecializations.h, which defines template specializations
of ParamTraits with extra dependencies (building upon both IPCMessageUtils.h
and EnumSerializer.h)
This should minimize the dependencies pulled in by every consumer of
IPCMessageUtils.h
Differential Revision: https://phabricator.services.mozilla.com/D94459
This patch removes the hand-rolled shared background thread in favor of
individual background synchronous event targets. Also, the timer configuration
was moved to the main thread. It now dispatches events to the background task
queue, which makes it easier to reason about.
Differential Revision: https://phabricator.services.mozilla.com/D98977
This patch extends the lifetimes of the following telemetry probes to Firefox 92:
CRLITE_RESULT
INTERMEDIATE_PRELOADING_ERRORS
INTERMEDIATE_PRELOADING_UPDATE_TIME_MS
security.intermediate_preloading_num_preloaded
security.intermediate_preloading_num_pending
This patch removes the following telemetry probes:
CRLITE_FASTER_THAN_OCSP_MS
OCSP_FASTER_THAN_CRLITE_MS
Differential Revision: https://phabricator.services.mozilla.com/D98988
32-bit Linux architectures have gained new versions of every system
call handling time values, to allow a transition to 64-bit time_t that
will continue to work after the year 2038; newer versions of glibc will
attempt them and fall back to the 32-bit path (without caching the
failure, so at best we take the overhead of handling SIGSYS).
This patch allows time64 syscalls in the same cases where we allow their
time32 versions, including the restrictions on clockid_t to prevent
interacting with other processes or threads of other processes. (I've
confirmed that the argument types match otherwise, so it's safe to reuse
the same policies.)
Differential Revision: https://phabricator.services.mozilla.com/D98693
Telemetry indicated that setting various security state (in particular, CRLite
state) was causing main thread hangs due to base64 decoding. This patch
rearranges cert_storage slightly to do these decodings off the main thread.
Differential Revision: https://phabricator.services.mozilla.com/D98691
This patch enables PSM and Firefox to use TLS 1.3 Encrypted Client Hello (draft -08). Specifically:
- Compile NSS with NSS_ENABLE_DRAFT_HPKE=1
- Add ECH "public_name" handling in SSLServerCertVerification.cpp (see: https://tools.ietf.org/html/draft-ietf-tls-esni-08#section-6.3.2)
- Adds `mIsAcceptedEch` to TransportSecurityInfo, and xpcshell tests for ECH use cases
- Adds EncryptedClientHelloServer to facilitate the xpcshell tests
- Un-ifdef Set/GetEchConfigs code in nsNSSIOLayer.cpp. Also reverted the Base64 encoding and decoding, as the data returned from DNS is already decoded (wire-format).
Differential Revision: https://phabricator.services.mozilla.com/D92651
This patch enables PSM and Firefox to use TLS 1.3 Encrypted Client Hello (draft -08). Specifically:
- Compile NSS with NSS_ENABLE_DRAFT_HPKE=1
- Add ECH "public_name" handling in SSLServerCertVerification.cpp (see: https://tools.ietf.org/html/draft-ietf-tls-esni-08#section-6.3.2)
- Adds `mIsAcceptedEch` to TransportSecurityInfo, and xpcshell tests for ECH use cases
- Adds EncryptedClientHelloServer to facilitate the xpcshell tests
- Un-ifdef Set/GetEchConfigs code in nsNSSIOLayer.cpp. Also reverted the Base64 encoding and decoding, as the data returned from DNS is already decoded (wire-format).
Differential Revision: https://phabricator.services.mozilla.com/D92651
This patch updates test_sanctions_symantec_apple_google.js to test a chain through an allow-listed Apple intermediate certificate chaining to a Symantec root certificate that is present in NSS.
Differential Revision: https://phabricator.services.mozilla.com/D98511
This patch changes a test referencing //VeriSign Class 3 Public Primary Certification Authority - G4//, which was removed in bug 1670769, with a similar VeriSign root CA that still exists and meets the same requirements for the test.
Differential Revision: https://phabricator.services.mozilla.com/D98510
2020-12-01 Kevin Jacobs <kjacobs@mozilla.com>
* lib/ckfw/builtins/nssckbi.h:
Bug 1678189 - December 2020 batch of root changes,
NSS_BUILTINS_LIBRARY_VERSION 2.46. r=bbeurdouche
[f8c49b334e51] [tip]
* lib/ckfw/builtins/certdata.txt:
Bug 1678166 - Add NAVER Global Root Certification Authority root
cert to NSS. r=bbeurdouche,KathleenWilson
[b9742b439a81]
2020-12-01 Benjamin Beurdouche <benjamin.beurdouche@inria.fr>
* lib/ckfw/builtins/certdata.txt:
Bug 1670769 - Remove 10 GeoTrust, thawte, and VeriSign root certs
from NSS. r=kjacobs,KathleenWilson
[4c69d6d0cf21]
2020-12-01 Kevin Jacobs <kjacobs@mozilla.com>
* lib/ssl/ssl3exthandle.c:
Bug 1674819 - Fix undefined shift when fuzzing r=bbeurdouche
In fuzzer mode, session tickets are serialized without any
encryption or integrity protection. This leads to a post-deserialize
UBSAN error when shifting by a fuzzed (large) authType value. A real
NSS server will not produce these values.
[a51fae403328]
2020-11-30 Benjamin Beurdouche <benjamin.beurdouche@inria.fr>
* build.sh, coreconf/config.gypi, lib/ckfw/builtins/testlib/builtins-
testlib.gyp, lib/ckfw/builtins/testlib/nssckbi-testlib.def, nss.gyp:
Bug 1678384 - Add a build flag to allow building nssckbi-testlib in
m-c r=kjacobs
[22bf7c680b60]
2020-12-01 Kevin Jacobs <kjacobs@mozilla.com>
* lib/dev/devslot.c:
Bug 1679290 - Don't hold slot lock when taking session lock
r=bbeurdouche
[[ https://hg.mozilla.org/projects/nss/rev/0ed11a5835ac1556ff978362c
d61069d48f4c5db | 0ed11a5835ac1556ff978362cd61069d48f4c5db ]] fixed
a number of race conditions related to NSSSlot member accesses.
Unfortunately the locking order that was imposed by that patch has
been found to cause problems for at least one PKCS11 module,
libnsspem.
This patch drops nested locking in favor of unlocking/re-locking.
While this isn't perfect, the original problem in bug 1663661 was
that `slot->token` could become NULL, which we can easily check
after reacquiring.
[19585ccc7a1f]
2020-11-25 Makoto Kato <m_kato@ga2.so-net.ne.jp>
* lib/freebl/blinit.c:
Bug 1678990 - Use __ARM_FEATURE_CRYPTO for feature detection.
r=bbeurdouche
Actually, we have CPU feature detection for Linux and FreeBSD on
aarch64 platform. But others don't.
macOS doesn't has any CPU feature detection for ARM Crypto
Extension, but toolchain default is turned on. So we should respect
__ARM_FEATURE_CRYPTO.
[f1e48fbead3d]
2020-11-19 Lauri Kasanen <cand@gmx.com>
* lib/freebl/Makefile:
Bug 1642174 - Resolve sha512-p8.o: ABI version 2 is not compatible
with ABI version 1 output. r=jcj Don't try to build the SHA-2
accelerated asm on old-ABI ppc.
Currently make only, I don't have enough gyp-fu to do that side.
However, the reporters of 1642174 and 1635625 both used make, not
gyp.
Signed-off-by: Lauri Kasanen <cand@gmx.com>
[d806f7992b10]
Differential Revision: https://phabricator.services.mozilla.com/D98509
Before this patch, when RemoteSecuritySettings would download multiple new
stashes, it would add the first one to cert_storage, which would reconstruct
the in-memory representation of all of the issuer/serial hashmaps/sets
(including preexisting ones), and then RemoteSecuritySettings would add the
second one, and cert_storage would reconstruct the entire in-memory
representation of the issuer/serial hashmaps/sets again, and so on, re-doing
all of the work each time. This is essentially O(n^2) work. This patch improves
both RemoteSecuritySettings and cert_storage to minimize this work, reducing it
to O(n).
Differential Revision: https://phabricator.services.mozilla.com/D97829
It's a common way to check the existence of system calls. Glibc may fall
back to fstatat when statx is called, passing down the null path.
Since we handle fstatat, let's return -EFAULT the same way the real
fstatat syscall would do.
This is needed for the sandbox not to constantly crash due to this statx
call in rustc:
09c9c9f7da/library/std/src/sys/unix/fs.rs (L119-L123)
Differential Revision: https://phabricator.services.mozilla.com/D98414
This allows us to avoid calling any NSSCertificateDB methods on the main
thread or allocating memory for xpconnect wrappers of cert objects.
Differential Revision: https://phabricator.services.mozilla.com/D97970
The RDD process can no longer work without having access to win32k ; enabling this pref would lead to a crash on Nightly and failure to work elsewhere.
Differential Revision: https://phabricator.services.mozilla.com/D97753
This patch enables pre-spawn CIG in the RDD process.
If CIG prevents a module in the executable's Import Directory Table, Windows totally
fails to launch a process. So we add a policy rule of `SUBSYS_SIGNED_BINARY` for
all files under the directory containing the executable such as mozglue.dll, and
modules injected via Import Directory Table. The latter ones will be blocked by our
blocklist with `REDIRECT_TO_NOOP_ENTRYPOINT` (bug 1659438).
Differential Revision: https://phabricator.services.mozilla.com/D96933
This removes telemetry regarding baseline requirements sections 9.2.1 and 9.2.2
(subject alternative name and subject common name) that is no longer necessary.
More specifically, this removes the histogram categories
BR_9_2_1_SUBJECT_ALT_NAMES and BR_9_2_2_SUBJECT_COMMON_NAME.
Differential Revision: https://phabricator.services.mozilla.com/D97507
2020-11-18 Kevin Jacobs <kjacobs@mozilla.com>
* lib/ssl/ssl3con.c, lib/ssl/tls13con.c, lib/ssl/tls13ech.c:
Bug 1654332 - Fixup a10493dcfcc9: copy ECHConfig.config_id with
socket r=jcj
A late review change for ECH was for the server to compute each
ECHConfig `config_id` when set to the socket, rather than on each
connection. This works, but now we also need to copy that config_id
when copying a socket, else the server won't find a matching
ECHConfig to use for decryption.
[3eacb92e9adf] [tip]
2020-11-17 Kevin Jacobs <kjacobs@mozilla.com>
* automation/abi-check/expected-report-libssl3.so.txt,
cmd/tstclnt/tstclnt.c, cpputil/tls_parser.h,
gtests/ssl_gtest/libssl_internals.c,
gtests/ssl_gtest/libssl_internals.h, gtests/ssl_gtest/manifest.mn,
gtests/ssl_gtest/ssl_auth_unittest.cc,
gtests/ssl_gtest/ssl_custext_unittest.cc,
gtests/ssl_gtest/ssl_extension_unittest.cc,
gtests/ssl_gtest/ssl_gtest.gyp,
gtests/ssl_gtest/ssl_tls13compat_unittest.cc,
gtests/ssl_gtest/tls_agent.cc, gtests/ssl_gtest/tls_agent.h,
gtests/ssl_gtest/tls_connect.cc, gtests/ssl_gtest/tls_connect.h,
gtests/ssl_gtest/tls_ech_unittest.cc,
gtests/ssl_gtest/tls_esni_unittest.cc,
gtests/ssl_gtest/tls_filter.cc, gtests/ssl_gtest/tls_filter.h,
lib/ssl/SSLerrs.h, lib/ssl/manifest.mn, lib/ssl/ssl.gyp,
lib/ssl/ssl3con.c, lib/ssl/ssl3ext.c, lib/ssl/ssl3ext.h,
lib/ssl/ssl3exthandle.c, lib/ssl/ssl3exthandle.h,
lib/ssl/ssl3prot.h, lib/ssl/sslencode.c, lib/ssl/sslencode.h,
lib/ssl/sslerr.h, lib/ssl/sslexp.h, lib/ssl/sslimpl.h,
lib/ssl/sslinfo.c, lib/ssl/sslsecur.c, lib/ssl/sslsock.c,
lib/ssl/sslt.h, lib/ssl/tls13con.c, lib/ssl/tls13con.h,
lib/ssl/tls13ech.c, lib/ssl/tls13ech.h, lib/ssl/tls13esni.c,
lib/ssl/tls13esni.h, lib/ssl/tls13exthandle.c,
lib/ssl/tls13exthandle.h, lib/ssl/tls13hashstate.c,
lib/ssl/tls13hashstate.h:
Bug 1654332 - Update ESNI to draft-08 (ECH). r=mt
This patch adds support for Encrypted Client Hello (draft-ietf-tls-
esni-08), replacing the existing ESNI (draft -02) support.
There are five new experimental functions to enable this:
- SSL_EncodeEchConfig: Generates an encoded (not BASE64) ECHConfig
given a set of parameters.
- SSL_SetClientEchConfigs: Configures the provided ECHConfig to the
given socket. When configured, an ephemeral HPKE keypair will be
generated for the CH encryption.
- SSL_SetServerEchConfigs: Configures the provided ECHConfig and
keypair to the socket. The keypair specified will be used for HPKE
operations in order to decrypt encrypted Client Hellos as they are
received.
- SSL_GetEchRetryConfigs: If ECH is rejected by the server and
compatible retry_configs are provided, this API allows the
application to extract those retry_configs for use in a new
connection.
- SSL_EnableTls13GreaseEch: When enabled, non-ECH Client Hellos will
have a "GREASE ECH" (i.e. fake) extension appended. GREASE ECH is
disabled by default, as there are known compatibility issues that
will be addressed in a subsequent draft.
The following ESNI experimental functions are deprecated by this
update:
- SSL_EncodeESNIKeys
- SSL_EnableESNI
- SSL_SetESNIKeyPair
In order to be used, NSS must be compiled with
`NSS_ENABLE_DRAFT_HPKE` defined.
[a10493dcfcc9]
* lib/ssl/ssl3con.c, lib/ssl/sslencode.c, lib/ssl/sslencode.h,
lib/ssl/tls13con.c, lib/ssl/tls13con.h:
Bug 1654332 - Buffered ClientHello construction. r=mt
This patch refactors construction of Client Hello messages. Instead
of each component of the message being written separately into
`ss->sec.ci.sendBuf`, we now construct the message in its own
sslBuffer. Once complete, the entire message is added to the sendBuf
via `ssl3_AppendHandshake`.
`ssl3_SendServerHello` already uses this approach and it becomes
necessary for ECH, where we use the constructed ClientHello to
create an inner ClientHello.
[d40121ba59ba]
2020-11-13 J.C. Jones <jjones@mozilla.com>
* automation/abi-check/expected-report-libnss3.so.txt, automation/abi-
check/expected-report-libnssutil3.so.txt, automation/abi-check
/previous-nss-release, lib/nss/nss.h, lib/softoken/softkver.h,
lib/util/nssutil.h:
Set version numbers to 3.60 Beta
[5e7b37609f22]
Differential Revision: https://phabricator.services.mozilla.com/D97492
This patch uses nsICertStorage.hasPriorData() and a new local field on the
CRLite filter Remote Settings collection to avoid re-downloading and
re-processing CRLite filters and stashes that have already been put into
cert_storage.
Differential Revision: https://phabricator.services.mozilla.com/D97381
Some PSM services need to be initialized on the main thread. Before this patch,
this was achieved by dispatching a synchronous task to the main thread in the
event that a different thread was attempting to acquire a given service for the
first time. However, with the upcoming removal of the nested event loop in the
XPCOM service instantiation code (see other patches in this bug), this can
cause a deadlock. This patch avoids the deadlock by removing the synchronous
dispatch and ensuring that these services get initialized on the main thread
relatively early, when PSM itself is initialized.
Differential Revision: https://phabricator.services.mozilla.com/D94145
This method only is async in order to allow callers to wait for a process switch
triggered by the call to `loadURI` to be finished before resolving. With
DocumentChannel, we should never trigger a process switch eagerly like this
again, so we don't need any of the async behaviour here anymore.
This part is largely mechanical changes to tests, removing the `await` calls on
`loadURI`, and a follow-up part will remove the actual async logic from
`BrowserTestUtils.loadURI`.
Differential Revision: https://phabricator.services.mozilla.com/D94641
2020-11-13 J.C. Jones <jjones@mozilla.com>
* lib/nss/nss.h, lib/softoken/softkver.h, lib/util/nssutil.h:
Set version numbers to 3.59 final
[c5d760cbe8d0] [NSS_3_59_RTM] <NSS_3_59_BRANCH>
2020-11-10 J.C. Jones <jjones@mozilla.com>
* .hgtags:
Added tag NSS_3_59_BETA1 for changeset c3cb09a7d087
[06e965656f08]
Differential Revision: https://phabricator.services.mozilla.com/D97041
The new infrastructure consists of a separate bridge between the content and the
parent process and a separate local storage database in the parent process.
The new infrastructure can be used for storing and sharing of private browsing
data across content processes.
This patch only creates necessary infrastructure, actual enabling of storing and
sharing of data across content processes will be done in a follow-up patch.
Differential Revision: https://phabricator.services.mozilla.com/D96562
Eventually it needs to be possible for osclientcerts to differentiate between
keys that can and can't perform modern cryptography (RSA-PSS being the main
issue). This is because PSM and NSS need to know not to offer to use a key that
can't actually perform the signing operation in question. However, the current
implementation can be very slow if the user has slow hardware with a number of
keys on it. Since PSM and NSS changes are required to make use of this
differentiation anyway, the best approach for now seems to be to skip this step.
Differential Revision: https://phabricator.services.mozilla.com/D96148
Bug 1634065 will involve changing when nsCertOverrideService gets initialized.
It turns out that doing this causes
services/crypto/tests/unit/test_crypto_random.js to fail various assertions in
the JS engine. It's unclear what the underlying issue is, but the failures
happen as a result of marking nsCertOverrideService as a shutdown blocker
unconditionally in its initialization. This patch works around this by marking
the service as a blocker only when there's a write event happening, which is
arguably more correct anyway.
Differential Revision: https://phabricator.services.mozilla.com/D95899
2020-11-03 Kevin Jacobs <kjacobs@mozilla.com>
* gtests/common/testvectors/hmac-sha256-vectors.h,
gtests/common/testvectors/hmac-sha384-vectors.h,
gtests/common/testvectors/hmac-sha512-vectors.h,
gtests/common/testvectors_base/test-structs.h,
gtests/pk11_gtest/manifest.mn, gtests/pk11_gtest/pk11_gtest.gyp,
gtests/pk11_gtest/pk11_hmac_unittest.cc:
Bug 1672823 - Add Wycheproof HMAC test cases. r=jcj
[97751cd6d553] [tip]
* gtests/common/testvectors/hkdf-sha1-vectors.h,
gtests/common/testvectors/hkdf-sha256-vectors.h,
gtests/common/testvectors/hkdf-sha384-vectors.h,
gtests/common/testvectors/hkdf-sha512-vectors.h,
gtests/common/testvectors/hkdf-vectors.h,
gtests/common/testvectors_base/test-structs.h,
gtests/common/wycheproof/genTestVectors.py,
gtests/pk11_gtest/manifest.mn,
gtests/pk11_gtest/pk11_hkdf_unittest.cc:
Bug 1672823 - Add Wycheproof HKDF test cases. r=bbeurdouche
[5a02ca2617cf]
* gtests/common/testvectors/dsa-vectors.h,
gtests/common/testvectors_base/test-structs.h,
gtests/common/wycheproof/genTestVectors.py,
gtests/common/wycheproof/source_vectors/dsa_test.json,
gtests/pk11_gtest/manifest.mn,
gtests/pk11_gtest/pk11_dsa_unittest.cc,
gtests/pk11_gtest/pk11_gtest.gyp:
Bug 1672823 - Add Wycheproof DSA test cases. r=jcj
[3ce42ead87f9]
* lib/dev/devslot.c, lib/dev/devt.h:
Bug 1663661 - Guard against NULL token in nssSlot_IsTokenPresent.
r=jcj
This patch addresses locking inconsistency in
`nssSlot_IsTokenPresent` by retaining the slot lock for the duration
of accesses to `slot->token`. This is already done correctly
elsewhere. As a side effect, this introduces an ordering
requirement: we take `slot->lock` followed by `session->lock`.
[0ed11a5835ac]
2020-10-30 Kevin Jacobs <kjacobs@mozilla.com>
* lib/pk11wrap/pk11pars.c:
Bug 1670835 - Fixup for 6f79a7695812, add missing return value
check. r=rrelyea
[424974716ef0]
Differential Revision: https://phabricator.services.mozilla.com/D96073
Do not use SPDY or HTTP3 for internal security operations. It could result
in the silent upgrade to ssl, which in turn could require an SSL
operation to fulfill something like an OCSP fetch, which is an
endless loop.
Differential Revision: https://phabricator.services.mozilla.com/D95295
This method only is async in order to allow callers to wait for a process switch
triggered by the call to `loadURI` to be finished before resolving. With
DocumentChannel, we should never trigger a process switch eagerly like this
again, so we don't need any of the async behaviour here anymore.
This part is largely mechanical changes to tests, removing the `await` calls on
`loadURI`, and a follow-up part will remove the actual async logic from
`BrowserTestUtils.loadURI`.
Differential Revision: https://phabricator.services.mozilla.com/D94641
2020-10-26 Robert Relyea <rrelyea@redhat.com>
* lib/libpkix/pkix_pl_nss/pki/pkix_pl_ocspresponse.c,
tests/ssl/ssl.sh:
Bug 1672291 libpkix OCSP failures on SHA1 self-signed root certs
when SHA1 signatures are disabled. r=mt
When libpkix is checking an OCSP cert, it can't use the passed in
set of trust anchors as a base because only the single root that
signed the leaf can sign the OCSP request. As a result it actually
checks the signature of the self-signed root when processing an OCSP
request. This fails of the root cert signature is invalid for any
reason (including it's a sha1 self-signed root cert and we've
disabled sha1 signatures (say, by policy)).
Further investigation indicates the difference between our classic
code and the current code is the classic code only checks OCSP
responses on leaf certs. In the real world, those responses are
signed by intermediate certificates (who won't have sha1 signed
certificates anymore), so our signature processing works just fine.
pkix checks OCSP on the intermediate certificates as well, which are
signed by the root cert. In this case the root cert is a chain of 1,
and is effectively a leaf. This patch updates the OCSP response code
to not check the signatures on the single cert if that cert is a
selfsigned root cert. This requires bug 391476 so we still do the
other validation checking on the certs (making sure it's trusted as
a CA).
[035110dfa0b9] [tip]
2020-10-23 Robert Relyea <rrelyea@redhat.com>
* lib/certhigh/certvfypkix.c,
lib/libpkix/pkix_pl_nss/module/pkix_pl_nsscontext.c,
lib/libpkix/pkix_pl_nss/module/pkix_pl_nsscontext.h,
lib/libpkix/pkix_pl_nss/pki/pkix_pl_cert.c,
lib/libpkix/pkix_pl_nss/pki/pkix_pl_ocspresponse.c,
tests/ssl/ssl.sh:
Bug 1672291 libpkix OCSP failures on SHA1 self-signed root certs
when SHA1 signatures are disabled.
When libpkix is checking an OCSP cert, it can't use the passed in
set of trust anchors as a base because only the single root that
signed the leaf can sign the OCSP request. As a result it actually
checks the signature of the self-signed root when processing an OCSP
request. This fails of the root cert signature is invalid for any
reason (including it's a sha1 self-signed root cert and we've
disabled sha1 signatures (say, by policy)).
Further investigation indicates the difference between our classic
code and the current code is the classic code only checks OCSP
responses on leaf certs. In the real world, those responses are
signed by intermediate certificates (who won't have sha1 signed
certificates anymore), so our signature processing works just fine.
pkix checks OCSP on the intermediate certificates as well, which are
signed by the root cert. In this case the root cert is a chain of 1,
and is effectively a leaf. This patch updates the OCSP response code
to not check the signatures on the single cert if that cert is a
selfsigned root cert. This requires bug 391476 so we still do the
other validation checking on the certs (making sure it's trusted as
a CA).
[97f69f7a89a1]
2020-10-26 Kevin Jacobs <kjacobs@mozilla.com>
* gtests/ssl_gtest/tls_filter.cc:
Bug 1644209 - Fix broken SelectedCipherSuiteReplacer filter. r=mt
This patch corrects the `SelectedCipherSuiteReplacer`filter to
always parse the `session_id` variable (`legacy_session_id` for TLS
1.3+). The previous code attempted to skip it in 1.3+ but did not
account for DTLS wire versions, resulting in intermittent failures.
[a79d14b06b4a]
2020-10-26 Daiki Ueno <dueno@redhat.com>
* gtests/ssl_gtest/ssl_tls13compat_unittest.cc, lib/ssl/ssl3con.c,
lib/ssl/sslimpl.h:
Bug 1672703, always tolerate the first CCS in TLS 1.3, r=mt
Summary: This flips the meaning of the flag for checking excessive
CCS messages, so it only rejects multiple CCS messages while the
first CCS message is always accepted.
Reviewers: mt
Reviewed By: mt
Bug #: 1672703
[b03a4fc5b902]
2020-10-23 Robert Relyea <rrelyea@redhat.com>
* automation/abi-check/expected-report-libnssutil3.so.txt,
gtests/mozpkix_gtest/pkixcert_signature_algorithm_tests.cpp,
lib/nss/nss.h, lib/ssl/ssl3con.c, lib/util/SECerrs.h,
lib/util/nssutil.def, lib/util/secerr.h, tests/policy/policy.sh:
Bug 1670835 Crypto Policy Support needs to be updated with
disable/enable support
Policy update
Current state of the nss policy system:
The initial policy patch focused on getting policy working well in
handling ssl. The policy infrastructure used two existing NSS
infrastructure: 1) Algorithm policies tied the OIDS and 2) the ssl
policy constraints first created to handle export policy
restrictions. To make loadable policies work, we added a couple of
new things: 1) a policy parser to the secmod infrastructure which
allows us to set algorithm policies based on a config file. This
file had two sections: disallow= and allow=. Disallow turned off
policy bits, and allow turned them on. Disallow was always parsed
first, so you could very strictly control your policy map by saying
disallow=all allow={exclusive list of allowed algorithms} 2) a new
NSS_Option() value that allowed the policy parser to set integer
values (like minimum tls version) based on the data in the policy
parser. 3) SSL code which is run at ssl_init time that reads the
algorithm policies and maps the results to SSL policies.
The resulting loaded policy code, in general, sets the boundaries of
what it possible, actually enable/disable of ssl cipher suites are
still under program control, and the builtin NSS default values. The
only consession to configuration is if a cipher is disallowed by
policy, it is also disabled. Allowing a cipher suite by policy that
wasn't already enabled, however, doesn't enable that policy by
default. Inside the policy restrictions, applications can still make
their own decisions on configuration and preference.
At the time the policy system was designed, there were 3 additional
features, which were designed, but not specified: disable, enable,
and lock.
disable and enable work just like disallow and allow, except the
specify what the default settings are. This would allow the policy
file to change the underlying default in the case where the
application doesn't try to configure ssl on it's own.
lock would make either the policy or configuration 'locked' meaning
once the lock has been executed, no further changes to those
configurations would be allowed.
What is needed:
We have a need for the following additional features:
1) we want to turn more of the sha-1 hash function off by default.
We still need sha-1 digest because it's used in many non-secure
cases, but we do want to disable more sha-1 signature usage.
Currently only CERT-SIGNATURE and various hmac usages in SSL ciphers
can be controlled by policy. We want to disallow a greater range of
signature (that is signature use in general).
2) we want to disable more ciphers by default, but need a way to
have certain policies (like LEGACY) turn them back on, so that our
shipped system is more secure by default.
What this patch provides:
1) A new policy flag NSS_USE_ALG_IN_ANY_SIGNATURE was added. The
cryptohi code which exports the NSS sign/verify high level code now
checks the hash and signing algorithm against this new policy flag
and fails if the policy isn't available. New key words were added to
the policy parser for 'all-signature', which implies all signature
flags at once, and 'signature', which maps to NSS_USE_ANY_SIGNATURE.
NOTE: disable=all/signature and disable=all/all-signature are
effective equivalent because cert-signatures eventually call the low
level signature functions, but disable=all allow=rsa-pss/all-
signature and disable=all allow=rsa-pss/signature are different in
that the latter allows all rsa-pss signature and the latter allows
rsa-pss signatures, but no on certificates (or on smime in the
future) Also new keywords were added for rsa-pkcs, rsa-pss, and
ecdsa for signature algorithms (along with dsa).
2) This patch implements disable and enable. These functions only
work on SSL configuration. In the future SMIME/CMS configuration
could also be added. Because the policy system is parsed and handled
by NSS, and SSL configuration is handled in SSL, we use the same
Apply code we used to apply ssl policy to set the inital
configuration. The configured enable/disable state is configured in
the ALGORTHIM policy system, where one bit says the enable/disable
value is active and another bit which gives it's state.
3) two locks have been implented, policy-lock and ssl-lock. These
are specified in the parser as flags (flags=policy-lock,ssl-lock).
The policy locks all the policy changes: ssl_policy, algorithm
policy, and options. It is implemented by two new exported
functions: NSS_IsPolicyLocked() and NSS_LockPolicy(). The first
allows applications to test if the policy is locked without having
to try changing the policy. The various policy set functions check
the NSS_IsPolicyLocked() function and returns SEC_ERROR_POLICY_LOCK
if it's true. The ssl-lock changes the state of the policy to
locked, and the state cannot be changed back without shutting down
NSS. The second is implemented by setting a new Option called
NSS_DEFAULT_LOCKS and the NSS_DEFAULT_SSL_LOCK flag. The idea is we
can add an SMIME lock in the future. SSL checks the
NSS_DEFAULT_SSL_LOCK flag before trying to set the cipher suite
value, and blocks the change if it's set.
4) sslpolicy tests were updated to test the enable, disable, flags
=policy-lock, flags=ssl-lock and the new signature primitives.
5) policy tests were updated to be able to run standalone (like all
the other all.sh tests), as well as new tests to detect when no
signing algorithms have been enabled.
What is not in the patch
1) S/MIME signature policy has been defined for a while, but never
hooked up. 2) S/MIME export policy needs to be connected back to the
algorithm policy system just like the ssl cipher suites already are.
3) S/MIME default configuration needs to be connected back to the
policy system. 4) ECC Curve policy needs to be hooked up with the
signature policy (probably should create a generic 'key meets
policy' function and have every call it).
[6f79a7695812]
* automation/abi-check/expected-report-libnss3.so.txt,
gtests/pk11_gtest/pk11_rsaoaep_unittest.cc, lib/nss/nss.def,
lib/pk11wrap/pk11pub.h, lib/pk11wrap/pk11skey.c:
Bug 1666891 - Add PK11_Pub{Wrap,Unwrap}SymKeyWithMechanism
r=mt,rrelyea
Summary
This is useful for RSA-OAEP support.
The CKM_RSA_PKCS_OAEP mechanism requires a CK_RSA_PKCS_OAEP_PARAMS
be present for PKCS#11 calls. This provides required context for
OAEP. However, PK11_PubWrapSymKey lacks a way of providing this
context and historically silently converted CKM_RSA_PKCS_OAEP to
CKM_RSA_PKCS when a RSA key is provided. Introducing a new call will
let us indicate parameters and potentially support other mechanisms
in the future. This call mirrors the earlier calls introduced for
RSA-PSS: PK11_SignWithMechanism and PK11_VerifyWithMechanism.
The CKM_RSA_PKCS_OAEP mechanism requires a CK_RSA_PKCS_OAEP_PARAMS
be present for PKCS#11 calls. This provides required context for
OAEP. However, PK11_PubUnwrapSymKey lacks a way of providing this
context, and additionally lacked a way of indicating which mechanism
type to use for the unwrap operation (instead detecting it by key
type). Introducing a new call will let us indicate parameters and
potentially support other mechanisms in the future.
Signed-off-by: Alexander Scheel <ascheel@redhat.com>
[33f920fcd175]
2020-10-23 Petr Sumbera <petr.sumbera@oracle.com>
* coreconf/config.gypi:
Bug 1667989 - coreconf/config.gypi should allow correct linking on
Solaris r=kjacobs,bbeurdouche
[e3bd9c2f9259]
2020-10-23 Kevin Jacobs <kjacobs@mozilla.com>
* automation/abi-check/expected-report-libnss3.so.txt,
gtests/pk11_gtest/pk11_find_certs_unittest.cc, lib/nss/nss.def:
Bug 1668123 - Export CERT_AddCertToListHeadWithData and
CERT_AddCertToListTailWithData. r=jcj
[0f15b05daeed]
2020-07-30 Benjamin Beurdouche <bbeurdouche@mozilla.com>
* lib/ckfw/builtins/certdata.txt:
Bug 1634584 - Set CKA_NSS_SERVER_DISTRUST_AFTER for Trustis FPS Root
CA. r=kjacobs
[7076e78ddafe]
2020-10-14 J.C. Jones <jjones@mozilla.com>
* lib/util/secasn1d.c:
Bug 1663091 - Remove unnecessary assertions in the streaming ASN.1
decoder r=kjacobs
The streaming ASN.1 decoder had assertions that, on debug builds,
blocked embedding indefinite-length fields inside of definite-length
fields/contexts, however that behavior does work correctly, and is
valid ASN.1: it tends to happen when wrapping a signature around
existing ASN.1-encoded data, if that already-encoded data had an
indefinite length.
Really these two assertion were just overzealous. The conditional
after the asserts handle the case well, and memory sanitizers have
not found issue here either.
[d0153cc0c464]
Differential Revision: https://phabricator.services.mozilla.com/D95093
The fix for bug 1660901, to handle the subset of fstatat that is
equivalent to fstat, was incomplete: it was added to the existing
hook for the file broker, so processes that don't use a broker (like
GMP) didn't get the fix. That wasn't a problem when the only use of
that feature was in content processes via GTK, but now that glibc has
reimplemented fstat that way, it's necessary for all processes.
Differential Revision: https://phabricator.services.mozilla.com/D95108
Sandbox policies handle the case of `fstatat(fd, "", AT_EMPTY_PATH|...)`
by invoking the SIGSYS handler (because seccomp-bpf can't tell if the
string will be empty when the syscall would use it), which makes the
equivalent call to `fstat`.
Unfortunately, recent development versions of glibc implement `fstat` by
calling `fstatat`, which causes unbounded recursion and stack overflow.
(This depends on the headers present at build time; see the bug for more
details.) This patch switches it to use the `fstat` (or `fstat64` on
32-bit) syscall directly.
Differential Revision: https://phabricator.services.mozilla.com/D94798
This patch introduces a class `CrossExecTransferManager` to manage the data
transfer from the current process to a remote process via `WriteProcessMemory`.
The class also encapsulates a logic to bridge the gap between two executable's
imagebase.
Differential Revision: https://phabricator.services.mozilla.com/D94652
Allow-list all Python code in tree for use with the black linter, and re-format all code in-tree accordingly.
To produce this patch I did all of the following:
1. Make changes to tools/lint/black.yml to remove include: stanza and update list of source extensions.
2. Run ./mach lint --linter black --fix
3. Make some ad-hoc manual updates to python/mozbuild/mozbuild/test/configure/test_configure.py -- it has some hard-coded line numbers that the reformat breaks.
4. Make some ad-hoc manual updates to `testing/marionette/client/setup.py`, `testing/marionette/harness/setup.py`, and `testing/firefox-ui/harness/setup.py`, which have hard-coded regexes that break after the reformat.
5. Add a set of exclusions to black.yml. These will be deleted in a follow-up bug (1672023).
# ignore-this-changeset
Differential Revision: https://phabricator.services.mozilla.com/D94045
Allow-list all Python code in tree for use with the black linter, and re-format all code in-tree accordingly.
To produce this patch I did all of the following:
1. Make changes to tools/lint/black.yml to remove include: stanza and update list of source extensions.
2. Run ./mach lint --linter black --fix
3. Make some ad-hoc manual updates to python/mozbuild/mozbuild/test/configure/test_configure.py -- it has some hard-coded line numbers that the reformat breaks.
4. Make some ad-hoc manual updates to `testing/marionette/client/setup.py`, `testing/marionette/harness/setup.py`, and `testing/firefox-ui/harness/setup.py`, which have hard-coded regexes that break after the reformat.
5. Add a set of exclusions to black.yml. These will be deleted in a follow-up bug (1672023).
# ignore-this-changeset
Differential Revision: https://phabricator.services.mozilla.com/D94045
When the CRLite mode is "enforce" and a certificate is found to be covered by
CRLite, this patch makes it so the implementation will not fall back to
processing OCSP (whether stapled, cached, or fetched). This also updates
test_crlite_filters.js to use a more recent, realistic filter and stash.
Differential Revision: https://phabricator.services.mozilla.com/D94499
I think since it takes an FD this might be ok, but let me know if this
somehow doesn't cut it and a more nuanced fix is needed.
Since stuff like PR_GetNumberOfProcessors() uses it with some glibc
versions, which is pretty basic functionality, we probably need to make
it work in all processes.
Differential Revision: https://phabricator.services.mozilla.com/D94358
This commit also allows `memfd_create` in the seccomp-bpf policy for all
process types.
`memfd_create` is an API added in Linux 3.17 (and adopted by FreeBSD
for the upcoming version 13) for creating anonymous shared memory
not connected to any filesystem. Supporting it means that sandboxed
child processes on Linux can create shared memory directly instead of
messaging a broker, which is unavoidably slower, and it should avoid
the problems we'd been seeing with overly small `/dev/shm` in container
environments (which were causing serious problems for using Firefox for
automated testing of frontend projects).
`memfd_create` also introduces the related operation of file seals:
irrevocably preventing types of modifications to a file. Unfortunately,
the most useful one, `F_SEAL_WRITE`, can't be relied on; see the large
comment in `SharedMemory:ReadOnlyCopy` for details. So we still use
the applicable seals as defense in depth, but read-only copies are
implemented on Linux by using procfs (and see the comments on the
`ReadOnlyCopy` function in `shared_memory_posix.cc` for the subtleties
there).
There's also a FreeBSD implementation, using `cap_rights_limit` for
read-only copies, if the build host is new enough to have the
`memfd_create` function.
The support code for Android, which doesn't support shm_open and can't
use the memfd backend because of issues with its SELinux policy (see bug
1670277), has been reorganized to reflect that we'll always use its own
API, ashmem, in that case.
Differential Revision: https://phabricator.services.mozilla.com/D90605
This commit also allows `memfd_create` in the seccomp-bpf policy for all
process types.
`memfd_create` is an API added in Linux 3.17 (and adopted by FreeBSD
for the upcoming version 13) for creating anonymous shared memory
not connected to any filesystem. Supporting it means that sandboxed
child processes on Linux can create shared memory directly instead of
messaging a broker, which is unavoidably slower, and it should avoid
the problems we'd been seeing with overly small `/dev/shm` in container
environments (which were causing serious problems for using Firefox for
automated testing of frontend projects).
`memfd_create` also introduces the related operation of file seals:
irrevocably preventing types of modifications to a file. Unfortunately,
the most useful one, `F_SEAL_WRITE`, can't be relied on; see the large
comment in `SharedMemory:ReadOnlyCopy` for details. So we still use
the applicable seals as defense in depth, but read-only copies are
implemented on Linux by using procfs (and see the comments on the
`ReadOnlyCopy` function in `shared_memory_posix.cc` for the subtleties
there).
There's also a FreeBSD implementation, using `cap_rights_limit` for
read-only copies, if the build host is new enough to have the
`memfd_create` function.
The support code for Android, which doesn't support shm_open and can't
use the memfd backend because of issues with its SELinux policy (see bug
1670277), has been reorganized to reflect that we'll always use its own
API, ashmem, in that case.
Differential Revision: https://phabricator.services.mozilla.com/D90605
Allow-list all Python code in tree for use with the black linter, and re-format all code in-tree accordingly.
To produce this patch I did all of the following:
1. Make changes to tools/lint/black.yml to remove include: stanza and update list of source extensions.
2. Run ./mach lint --linter black --fix
3. Make some ad-hoc manual updates to python/mozbuild/mozbuild/test/configure/test_configure.py -- it has some hard-coded line numbers that the reformat breaks.
4. Add a set of exclusions to black.yml. These will be deleted in a follow-up bug (1672023).
# ignore-this-changeset
Differential Revision: https://phabricator.services.mozilla.com/D94045
Ultimately, we should be able to remove everything that got added to the RDD sandbox from the content's one.
Fly-by fix; allow checking if AVX512 is supported in content sandbox.
Splitting sandbox setting from Utility to a new RDD one as per review comment in P12 considering it's no longer an IPC only sandbox.
Depends on D91688
Differential Revision: https://phabricator.services.mozilla.com/D91689
2020-10-13 Mike Hommey <mh@glandium.org>
* lib/freebl/freebl.gyp:
Bug 1670839 - Use ARM crypto extension for AES, SHA1 and SHA2 on
mac. r=kjacobs
AFAICT, the Makefile equivalent already does.
[58dc3216d518] [tip]
* lib/freebl/sha1-armv8.c:
Bug 1670839 - Only build sha1-armv8.c code when USE_HW_SHA1 is
defined. r=kjacobs
This matches what is done in sha256-armv8.c, and avoids
inconsistency with sha1-fast.c, which will define the same functions
in the case USE_HW_SHA1 is not defined.
[54be084e3ba8]
2020-10-16 J.C. Jones <jjones@mozilla.com>
* automation/abi-check/expected-report-libnss3.so.txt, automation/abi-
check/previous-nss-release, lib/nss/nss.h, lib/softoken/softkver.h,
lib/util/nssutil.h:
Set version numbers to 3.59 Beta
[d4b21706e432]
Differential Revision: https://phabricator.services.mozilla.com/D94070
2020-10-16 J.C. Jones <jjones@mozilla.com>
* lib/nss/nss.h, lib/softoken/softkver.h, lib/util/nssutil.h:
Set version numbers to 3.58 final
[1f3db03bba02] [NSS_3_58_RTM] <NSS_3_58_BRANCH>
2020-10-12 J.C. Jones <jjones@mozilla.com>
* .hgtags:
Added tag NSS_3_58_BETA1 for changeset 57bbefa79323
[a8deadf7adbe]
Differential Revision: https://phabricator.services.mozilla.com/D93813
This renames kTimeFormatSeconds to kTimeFormatLong and kTimeFormatNoSeconds to
kTimeFormatShort. This is consistent with the naming used for date format
selectors.
Differential Revision: https://phabricator.services.mozilla.com/D93011
2020-10-12 Daiki Ueno <dueno@redhat.com>
* gtests/ssl_gtest/ssl_tls13compat_unittest.cc, lib/ssl/ssl3con.c,
lib/ssl/sslimpl.h:
Bug 1641480, TLS 1.3: tighten CCS handling in compatibility mode,
r=mt
This makes the server reject CCS when the client doesn't indicate
the use of the middlebox compatibility mode with a non-empty
ClientHello.legacy_session_id, or it sends multiple CCS in a row.
[57bbefa79323] [NSS_3_58_BETA1]
2020-10-12 Kevin Jacobs <kjacobs@mozilla.com>
* automation/abi-check/expected-report-libnss3.so.txt,
automation/taskcluster/scripts/build_gyp.sh,
automation/taskcluster/windows/build_gyp.sh, coreconf/config.gypi,
coreconf/config.mk, cpputil/nss_scoped_ptrs.h,
gtests/common/testvectors/hpke-vectors.h,
gtests/pk11_gtest/manifest.mn, gtests/pk11_gtest/pk11_gtest.gyp,
gtests/pk11_gtest/pk11_hpke_unittest.cc, lib/nss/nss.def,
lib/pk11wrap/exports.gyp, lib/pk11wrap/manifest.mn,
lib/pk11wrap/pk11hpke.c, lib/pk11wrap/pk11hpke.h,
lib/pk11wrap/pk11pub.h, lib/pk11wrap/pk11wrap.gyp,
lib/util/SECerrs.h, lib/util/secerr.h:
Bug 1631890 - Add support for Hybrid Public Key Encryption (draft-
irtf-cfrg-hpke-05). r=mt
This patch adds support for Hybrid Public Key Encryption (draft-
irtf-cfrg-hpke-05).
Because the draft number (and the eventual RFC number) is an input
to the key schedule, future updates will *not* be backwards
compatible in terms of key material or encryption/decryption. For
this reason, a default compilation will produce stubs that simply
return an "Invalid Algorithm" error. To opt into using the HPKE
functionality , compile with `NSS_ENABLE_DRAFT_HPKE` defined. Once
finalized, this flag will not be required to access the functions.
Lastly, the `DeriveKeyPair` API is not implemented as it adds
complextiy around PKCS #11 and is unnecessary for ECH.
[6e3bc17f0508]
2020-10-12 Makoto Kato <m_kato@ga2.so-net.ne.jp>
* automation/taskcluster/graph/src/extend.js, tests/common/cleanup.sh:
Bug 1657255 - Update CI for aarch64. r=kjacobs
Actually, we have the implementation of ARM Crypto extension, so CI
is always run with this extension. It means that we don't run CI
without ARM Crypto extension. So I would like to add NoAES and NoSHA
for aarch64 CI.
Also, we still run NoSSE4_1 on aarch64 CI, so we shouldn't run this
on aarch64 hardware.
[e8c370a8db13]
Differential Revision: https://phabricator.services.mozilla.com/D93268
This commit also allows `memfd_create` in the seccomp-bpf policy for all
process types.
`memfd_create` is an API added in Linux 3.17 (and adopted by FreeBSD
for the upcoming version 13) for creating anonymous shared memory
not connected to any filesystem. Supporting it means that sandboxed
child processes on Linux can create shared memory directly instead of
messaging a broker, which is unavoidably slower, and it should avoid
the problems we'd been seeing with overly small `/dev/shm` in container
environments (which were causing serious problems for using Firefox for
automated testing of frontend projects).
`memfd_create` also introduces the related operation of file seals:
irrevocably preventing types of modifications to a file. Unfortunately,
the most useful one, `F_SEAL_WRITE`, can't be relied on; see the large
comment in `SharedMemory:ReadOnlyCopy` for details. So we still use
the applicable seals as defense in depth, but read-only copies are
implemented on Linux by using procfs (and see the comments on the
`ReadOnlyCopy` function in `shared_memory_posix.cc` for the subtleties
there).
There's also a FreeBSD implementation, using `cap_rights_limit` for
read-only copies, if the build host is new enough to have the
`memfd_create` function.
Differential Revision: https://phabricator.services.mozilla.com/D90605
This patch reimplements nsNSSCertificate::GetSha256SubjectPublicKeyInfoDigest
to use mozilla::pkix instead of relying on having a CERTCertificate with the
subject public key info parsed out already.
Differential Revision: https://phabricator.services.mozilla.com/D92517
This patch adds the preference "security.pki.crlite_ct_merge_delay_seconds"
that adds a configurable delay between the earliest certificate timestamp and
the filter creation date. This allows the implementation to take into account
CT log merge delays (i.e. when an SCT exists for a certificate but that
certificate hasn't yet been merged into the log).
The default value is 28 hours in seconds. The minimum value is 0 seconds, and
the maximum value is one year in seconds.
Differential Revision: https://phabricator.services.mozilla.com/D92295
This commit also allows `memfd_create` in the seccomp-bpf policy for all
process types.
`memfd_create` is an API added in Linux 3.17 (and adopted by FreeBSD
for the upcoming version 13) for creating anonymous shared memory
not connected to any filesystem. Supporting it means that sandboxed
child processes on Linux can create shared memory directly instead of
messaging a broker, which is unavoidably slower, and it should avoid
the problems we'd been seeing with overly small `/dev/shm` in container
environments (which were causing serious problems for using Firefox for
automated testing of frontend projects).
`memfd_create` also introduces the related operation of file seals:
irrevocably preventing types of modifications to a file. Unfortunately,
the most useful one, `F_SEAL_WRITE`, can't be relied on; see the large
comment in `SharedMemory:ReadOnlyCopy` for details. So we still use
the applicable seals as defense in depth, but read-only copies are
implemented on Linux by using procfs (and see the comments on the
`ReadOnlyCopy` function in `shared_memory_posix.cc` for the subtleties
there).
There's also a FreeBSD implementation, using `cap_rights_limit` for
read-only copies, if the build host is new enough to have the
`memfd_create` function.
Differential Revision: https://phabricator.services.mozilla.com/D90605
2020-10-05 Ricky Stewart <rstewart@mozilla.com>
* coreconf/config.gypi:
Bug 1668328 - Enclose Python paths in `coreconf/config.gypi` in
quotes r=kjacobs,mt
This fixes a breakage if the Python path happens to have a space in
it.
[c7d3b214dd41] [tip]
Differential Revision: https://phabricator.services.mozilla.com/D92516
A large portion of osclientcerts runs on a single thread, but the C API in
lib.rs doesn't. Thus, log lines from different threads can be interlaced,
causing confusion. This patch includes the current thread in those logs so they
can be de-interlaced.
Differential Revision: https://phabricator.services.mozilla.com/D92155
This also adds a diagonstic assert to make sure the code works in all process types.
And it adds another item to the sandbox IOKit property name allowlist, so that
the detection works in content processes.
This landed before, in bug 1649490, but without the sandbox adjustment (so it
didn't work in content processes).
Differential Revision: https://phabricator.services.mozilla.com/D91950
2020-09-24 Kevin Jacobs <kjacobs@mozilla.com>
* automation/abi-check/expected-report-libnss3.so.txt,
gtests/pk11_gtest/pk11_hkdf_unittest.cc, lib/nss/nss.def,
lib/pk11wrap/pk11pub.h, lib/pk11wrap/pk11skey.c,
lib/ssl/tls13hkdf.c:
Bug 1667153 - Add PK11_ImportDataKey API. r=rrelyea
This patch adds and exports `PK11_ImportDataKey`, and refactors the
null PSK TLS 1.3 code to use it.
[8fdbec414ce2] [tip]
Differential Revision: https://phabricator.services.mozilla.com/D91627
Because CAs can back-date a certificate (i.e. set the "notBefore" field to
earlier than when a certificate actually existed), the "notBefore" field can't
be relied on when determining when CRLite information is recent enough to check
a certificate with. To that end, this patch instead uses the earliest timestamp
from the embedded SCTs in the certificate being checked.
Differential Revision: https://phabricator.services.mozilla.com/D90599
2020-09-23 Dana Keeler <dkeeler@mozilla.com>
* gtests/mozpkix_gtest/pkixbuild_tests.cpp,
gtests/mozpkix_gtest/pkixcert_extension_tests.cpp,
gtests/mozpkix_gtest/pkixcert_signature_algorithm_tests.cpp,
gtests/mozpkix_gtest/pkixcheck_CheckExtendedKeyUsage_tests.cpp,
gtests/mozpkix_gtest/pkixcheck_CheckSignatureAlgorithm_tests.cpp,
gtests/mozpkix_gtest/pkixgtest.h,
lib/mozpkix/include/pkix/pkixtypes.h, lib/mozpkix/lib/pkixbuild.cpp:
Bug 1665715 - (2/2) pass encoded signed certificate timestamp
extension (if present) in CheckRevocation r=jcj
This will allow Firefox to make decisions based on the earliest
known time that a certificate exists (with respect to certificate
transparency) that a CA is unlikely to back-date. In particular,
this is essential for CRLite. Note that if the SCT signature isn't
validated, a CA could still make a certificate appear to have
existed for longer than it really has. However, this change is not
an attempt to catch malicious CAs. The aim is to avoid false
positives in CRLite resulting from CAs backdating the notBefore
field on certificates they issue.
Depends on D90595
[8ebee3cec9cf] [tip]
2020-09-18 Dana Keeler <dkeeler@mozilla.com>
* gtests/mozpkix_gtest/pkixbuild_tests.cpp,
gtests/mozpkix_gtest/pkixcert_extension_tests.cpp,
gtests/mozpkix_gtest/pkixcert_signature_algorithm_tests.cpp,
gtests/mozpkix_gtest/pkixcheck_CheckExtendedKeyUsage_tests.cpp,
gtests/mozpkix_gtest/pkixcheck_CheckSignatureAlgorithm_tests.cpp,
gtests/mozpkix_gtest/pkixgtest.h,
lib/mozpkix/include/pkix/pkixtypes.h, lib/mozpkix/lib/pkixbuild.cpp:
Bug 1665715 - (1/2) revert e8f2720c8254 (bug 1593141) because it's
no longer necessary r=jcj
Bug 1593141 added the certificate's notBefore field as an argument
to TrustDomain::CheckRevocation so that Firefox could use it with
CRLite. However, since CAs can backdate that field, we need to use
the earliest embedded SCT timestamp instead.
[c1f4d565ceda]
Differential Revision: https://phabricator.services.mozilla.com/D91211
CLOSED TREE
2020-09-23 Dana Keeler <dkeeler@mozilla.com>
* gtests/mozpkix_gtest/pkixbuild_tests.cpp,
gtests/mozpkix_gtest/pkixcert_extension_tests.cpp,
gtests/mozpkix_gtest/pkixcert_signature_algorithm_tests.cpp,
gtests/mozpkix_gtest/pkixcheck_CheckExtendedKeyUsage_tests.cpp,
gtests/mozpkix_gtest/pkixcheck_CheckSignatureAlgorithm_tests.cpp,
gtests/mozpkix_gtest/pkixgtest.h,
lib/mozpkix/include/pkix/pkixtypes.h, lib/mozpkix/lib/pkixbuild.cpp:
Bug 1665715 - (2/2) pass encoded signed certificate timestamp
extension (if present) in CheckRevocation r=jcj
This will allow Firefox to make decisions based on the earliest
known time that a certificate exists (with respect to certificate
transparency) that a CA is unlikely to back-date. In particular,
this is essential for CRLite. Note that if the SCT signature isn't
validated, a CA could still make a certificate appear to have
existed for longer than it really has. However, this change is not
an attempt to catch malicious CAs. The aim is to avoid false
positives in CRLite resulting from CAs backdating the notBefore
field on certificates they issue.
Depends on D90595
[8ebee3cec9cf] [tip]
2020-09-18 Dana Keeler <dkeeler@mozilla.com>
* gtests/mozpkix_gtest/pkixbuild_tests.cpp,
gtests/mozpkix_gtest/pkixcert_extension_tests.cpp,
gtests/mozpkix_gtest/pkixcert_signature_algorithm_tests.cpp,
gtests/mozpkix_gtest/pkixcheck_CheckExtendedKeyUsage_tests.cpp,
gtests/mozpkix_gtest/pkixcheck_CheckSignatureAlgorithm_tests.cpp,
gtests/mozpkix_gtest/pkixgtest.h,
lib/mozpkix/include/pkix/pkixtypes.h, lib/mozpkix/lib/pkixbuild.cpp:
Bug 1665715 - (1/2) revert e8f2720c8254 (bug 1593141) because it's
no longer necessary r=jcj
Bug 1593141 added the certificate's notBefore field as an argument
to TrustDomain::CheckRevocation so that Firefox could use it with
CRLite. However, since CAs can backdate that field, we need to use
the earliest embedded SCT timestamp instead.
[c1f4d565ceda]
Differential Revision: https://phabricator.services.mozilla.com/D91211
Because CAs can back-date a certificate (i.e. set the "notBefore" field to
earlier than when a certificate actually existed), the "notBefore" field can't
be relied on when determining when CRLite information is recent enough to check
a certificate with. To that end, this patch instead uses the earliest timestamp
from the embedded SCTs in the certificate being checked.
Differential Revision: https://phabricator.services.mozilla.com/D90599
2020-09-23 Dana Keeler <dkeeler@mozilla.com>
* gtests/mozpkix_gtest/pkixbuild_tests.cpp,
gtests/mozpkix_gtest/pkixcert_extension_tests.cpp,
gtests/mozpkix_gtest/pkixcert_signature_algorithm_tests.cpp,
gtests/mozpkix_gtest/pkixcheck_CheckExtendedKeyUsage_tests.cpp,
gtests/mozpkix_gtest/pkixcheck_CheckSignatureAlgorithm_tests.cpp,
gtests/mozpkix_gtest/pkixgtest.h,
lib/mozpkix/include/pkix/pkixtypes.h, lib/mozpkix/lib/pkixbuild.cpp:
Bug 1665715 - (2/2) pass encoded signed certificate timestamp
extension (if present) in CheckRevocation r=jcj
This will allow Firefox to make decisions based on the earliest
known time that a certificate exists (with respect to certificate
transparency) that a CA is unlikely to back-date. In particular,
this is essential for CRLite. Note that if the SCT signature isn't
validated, a CA could still make a certificate appear to have
existed for longer than it really has. However, this change is not
an attempt to catch malicious CAs. The aim is to avoid false
positives in CRLite resulting from CAs backdating the notBefore
field on certificates they issue.
Depends on D90595
[8ebee3cec9cf] [tip]
2020-09-18 Dana Keeler <dkeeler@mozilla.com>
* gtests/mozpkix_gtest/pkixbuild_tests.cpp,
gtests/mozpkix_gtest/pkixcert_extension_tests.cpp,
gtests/mozpkix_gtest/pkixcert_signature_algorithm_tests.cpp,
gtests/mozpkix_gtest/pkixcheck_CheckExtendedKeyUsage_tests.cpp,
gtests/mozpkix_gtest/pkixcheck_CheckSignatureAlgorithm_tests.cpp,
gtests/mozpkix_gtest/pkixgtest.h,
lib/mozpkix/include/pkix/pkixtypes.h, lib/mozpkix/lib/pkixbuild.cpp:
Bug 1665715 - (1/2) revert e8f2720c8254 (bug 1593141) because it's
no longer necessary r=jcj
Bug 1593141 added the certificate's notBefore field as an argument
to TrustDomain::CheckRevocation so that Firefox could use it with
CRLite. However, since CAs can backdate that field, we need to use
the earliest embedded SCT timestamp instead.
[c1f4d565ceda]
Differential Revision: https://phabricator.services.mozilla.com/D91211
The ABI on ARM64 requires 16-byte stack alignment, and that includes the
small temporary stack that exists only so that we can `longjmp` off of
it in the child process after calling `clone`.
Differential Revision: https://phabricator.services.mozilla.com/D90001
In addition to e.g. lacking `open` in favor of `openat`, Linux/arm64
also removes a number of older syscalls along similar lines, like `dup2`
in favor of `dup3`, and all variants of `select` other than `pselect6`.
Differential Revision: https://phabricator.services.mozilla.com/D90000
Linux/arm64 omits syscalls that can be implemented in terms of newer
syscalls by inserting constant arguments; this means that all of the
basic filesystem operations use the `at` versions, like `unlinkat`
replacing both `unlink` and `rmdir`. We've supported some of them when
x86 libcs started using them, but there are several others we were
missing; this patch adds them.
Differential Revision: https://phabricator.services.mozilla.com/D89999
Linux/arm64 seems to exclude any syscalls that were redundant when it was
created (specifically, that can be implemented in terms of another by
inserting constant arguments), which includes all the of the non-`at`
filesystem syscalls --- for example, `open` vs. `openat`.
This patch rearranges ifdefs to handle that case; later patches will
fill in the currently unhandled syscalls in the `at`-only side.
Differential Revision: https://phabricator.services.mozilla.com/D89998
Not strictly part of ARM support, but worth committing, and in
particular printing the `AT_*` flags in hex is helpful for matching them
against headers when `*at` syscalls fail.
Differential Revision: https://phabricator.services.mozilla.com/D89997
We no longer use GConf (bug 1433685), so we can remove the sandbox rule
allowing it to call utime(). That syscall doesn't exist on ARM or ARM64,
so this rule would have to be ifdef'ed if it were re-added.
Differential Revision: https://phabricator.services.mozilla.com/D89996
Chromium's Linux sandboxing code needs some architecture-specific files
for ARM and ARM64 that we don't currently include in our partial import.
These are copied from Chromium tag 81.0.4044.138 (matching the latest
import of the rest of security/sandbox/chromium) without changes.
Differential Revision: https://phabricator.services.mozilla.com/D89994
Bug 1658042 attempted to identify keys that could only handle legacy crypto
using CryptFindCertificateKeyProvInfo. However, it appears that this API can
be incredibly slow and potentially involve network I/O. This patch reworks
the legacy crypto handling by using CryptAcquireCertificatePrivateKey with the
CRYPT_ACQUIRE_SILENT_FLAG flag to avoid showing UI at inopportune times.
Differential Revision: https://phabricator.services.mozilla.com/D90733
2020-09-18 Kevin Jacobs <kjacobs@mozilla.com>
* automation/abi-check/previous-nss-release, lib/nss/nss.h,
lib/softoken/softkver.h, lib/util/nssutil.h:
Set version numbers to 3.58 Beta
[c28e20f61e5d] [tip]
* .hgtags:
Added tag NSS_3_57_RTM for changeset cf7e3e8abd77
[a963849538ca] <NSS_3_57_BRANCH>
* lib/nss/nss.h, lib/softoken/softkver.h, lib/util/nssutil.h:
Set version numbers to 3.57 final
[cf7e3e8abd77] [NSS_3_57_RTM] <NSS_3_57_BRANCH>
Differential Revision: https://phabricator.services.mozilla.com/D91070
2020-09-18 Kevin Jacobs <kjacobs@mozilla.com>
* lib/nss/nss.h, lib/softoken/softkver.h, lib/util/nssutil.h:
Set version numbers to 3.57 final
[cf7e3e8abd77] [NSS_3_57_RTM] <NSS_3_57_BRANCH>
2020-09-15 Kevin Jacobs <kjacobs@mozilla.com>
* .hgtags:
Added tag NSS_3_57_BETA1 for changeset 56224882ccc3
[f46f20c58c4f]
Differential Revision: https://phabricator.services.mozilla.com/D90726
The MOZ_MUST_USE macro is defined as clang's and gcc's nonstandard __attribute__((warn_unused_result)). Now that we compile as C++17 by default (bug 1560664), we can replace MOZ_MUST_USE with C++17's standard [[nodiscard]] attribute.
We can also stop #including mozilla/Attributes.h because it was only needed for its MOZ_MUST_USE declaration.
Differential Revision: https://phabricator.services.mozilla.com/D90350
The earlier fix ea452bb92e6a proved the executable's imagebase in a child
process is not always the same as the local imagebase. This patch applies
the new approach to retieve the imagebase from a handle to all channels.
Interestingly, we observed the launcher failures at `VirtualProtectEx` only
when launching a sandboxed process, not when launching the browser process.
In the long term, we may need to take care of all `WriteProcessMemory` calls
for a child process for greater safety, but given that observation, this
patch only updates `RestoreImportDirectory` and `InitializeDllBlocklistOOP`.
Differential Revision: https://phabricator.services.mozilla.com/D90316
2020-09-14 Benjamin Beurdouche <bbeurdouche@mozilla.com>
* coreconf/arch.mk:
Bug 1660735 - Fix typo in coreconfig/arch.mk. r=kjacobs
[2a17c8655a74] [tip]
* coreconf/config.mk:
Bug 1660734 - Fix typo in coreconf/config.mk. r=kjacobs
[4ae56ec2411b]
2020-09-11 Kevin Jacobs <kjacobs@mozilla.com>
* lib/ckfw/builtins/nssckbi.h:
Bug 1663049 - September 2020 batch of root changes,
NSS_BUILTINS_LIBRARY_VERSION 2.44. r=jcj
[141ef83ac10b]
* lib/ckfw/builtins/certdata.txt:
Bug 1663049 - Add SecureTrust's Trustwave Global root certificates
to NSS. r=KathleenWilson,jcj
[7dfc054a983e]
* lib/ckfw/builtins/certdata.txt:
Bug 1656077 - Remove Taiwan Government Root Certification Authority
root cert. r=KathleenWilson,jcj
Depends on D89841
[32a0d8f751ef]
* lib/ckfw/builtins/certdata.txt:
Bug 1653092 - Disable server trust bit for OISTE WISeKey Global Root
GA CA root cert. r=KathleenWilson,jcj
Depends on D89840
[1cdfb26b3220]
* lib/ckfw/builtins/certdata.txt:
Bug 1651211 - Remove EE Certification Centre Root CA root cert.
r=KathleenWilson,jcj
[089aeca370df]
2020-09-11 Danh <congdanhqx@gmail.com>
* coreconf/arch.mk, coreconf/config.mk, lib/freebl/Makefile:
Bug 1659727 - Move makefile avx2 detection to config.mk. r=kjacobs
Summary: Current code base use CPU_ARCH to detect if avx2 is
supported in arch.mk However, when arch.mk included, CPU_ARCH
haven't been initialised, CPU_ARCH will be initialised by the OS
specific code later on.
Move the AVX2 detection to config.mk, after all other initialisation
done.
Reviewers: kjacobs
Reviewed By: kjacobs
Subscribers: kjacobs
Bug #: 1659727
[c6dcb99e6121]
2020-09-08 Kevin Jacobs <kjacobs@mozilla.com>
* gtests/freebl_gtest/mpi_unittest.cc, lib/freebl/mpi/mpi.c:
Bug 1605922 - Account for negative sign in mp_radix_size
r=bbeurdouche
[b64436ecbd79]
2020-09-09 Daiki Ueno <dueno@redhat.com>
* lib/freebl/Makefile:
Bug 1659256, add gcc version check on AArch64 optimization,
r=rrelyea
Summary: As described in https://access.redhat.com/solutions/19458,
gcc version in RHEL-7 is still 4.8.x and cannot compile the newly
added aes-armv8.c. There is a version check already for 32-bit arm,
but not for AArch64. This also removes NS_USE_GCC check added in bug
1652032 in favor of the automatic detection using CC_IS_* macros.
Reviewers: rrelyea
Reviewed By: rrelyea
Subscribers: jmux, kjacobs
Bug #: 1659256
[b971c77c0d68]
2020-09-08 Michael Shigorin <mike@altlinux.org>
* coreconf/config.gypi:
Bug 1663346 - Build e2k architecture as 64-bit r=jcj
[e524a577761d]
2020-09-05 Daiki Ueno <dueno@redhat.com>
* lib/freebl/fipsfreebl.c:
Bug 1662738, run RNG self-tests only if NSPR is linked, r=rrelyea
Summary: After the continuous DRBG test was added, RNG self-tests
have no longer worked standalone. This moves the self-tests to the
DO_REST block so it only runs when the program is also linked to
NSPR.
Reviewers: rrelyea
Reviewed By: rrelyea
Bug #: 1662738
[e03296e73ba6]
2020-09-02 Khem Raj <raj.khem@gmail.com>
* lib/libpkix/pkix/util/pkix_logger.c:
Bug 1661378 - pkix: Do not use NULL where 0 is needed Clang finds
this error
pkix_logger.c:316:32: error: cast to smaller integer type
'PKIX_ERRORCLASS' from 'void *' [-Werror,-Wvoid-pointer-to-enum-
cast] logger->logComponent = (PKIX_ERRORCLASS)NULL;
^~~~~~~~~~~~~~~~~~~~~ pkix_logger.c:617:32: error: cast to smaller
integer type 'PKIX_ERRORCLASS' from 'void *' [-Werror,-Wvoid-
pointer-to-enum-cast] logger->logComponent = (PKIX_ERRORCLASS)NULL;
^~~~~~~~~~~~~~~~~~~~~ 2 errors generated.
Signed-off-by: Khem Raj <raj.khem@gmail.com>
[9213848965f6]
Differential Revision: https://phabricator.services.mozilla.com/D90130
This patch modifies the implementation of nsIX509CertValidity to use
mozilla::pkix to decode notBefore/notAfter values from the given encoded
certificate rather than using a CERTCertificate. This will help in avoiding
CERTCertificate in the implementation of nsIX509Cert.
This patch also renames/moves the previous implementation (which was in
nsNSSCertValidity.{h,cpp} but was called nsX509CertValidity) to be more
consistent and to drop the unnecessary "ns" prefix. It is now in the files
X509CertValidity.{h,cpp} and is called X509CertValidity.
Differential Revision: https://phabricator.services.mozilla.com/D89644
The MOZ_MUST_USE macro is defined as clang's and gcc's nonstandard __attribute__((warn_unused_result)). Now that we compile as C++17 by default (bug 1560664), we can replace MOZ_MUST_USE with C++17's standard [[nodiscard]] attribute.
The [[nodiscard]] attribute must precede a function declaration's declaration specifiers (like static, extern, inline, or virtual). The __attribute__((warn_unused_result)) attribute does not have this order restriction.
Differential Revision: https://phabricator.services.mozilla.com/D89235
Limitations in the NSS PKCS7 API prevent completely avoiding CERTCertificate in
this implementation, but these changes avoid a large number of unnecessary
certificate decoding operations.
Differential Revision: https://phabricator.services.mozilla.com/D87930
Per the manpage "Both stat() and lstat() act as though AT_NO_AUTOMOUNT
was set.", so don't bail if it's set in a call to fstatat.
Differential Revision: https://phabricator.services.mozilla.com/D89121
This patch was generated by running:
```
perl -p -i \
-e 's/^(\s+)([a-zA-Z0-9.]+) = NS_ConvertUTF8toUTF16\((.*)\);/\1CopyUTF8toUTF16(\3, \2);/;' \
-e 's/^(\s+)([a-zA-Z0-9.]+) = NS_ConvertUTF16toUTF8\((.*)\);/\1CopyUTF16toUTF8(\3, \2);/;' \
$FILE
```
against every .cpp and .h in mozilla-central, and then fixing up the
inevitable errors that happen as a result of matching C++ expressions with
regexes. The errors fell into three categories:
1. Calling the convert functions with `std::string::c_str()`; these were
changed to simply pass the string instead, relying on implicit conversion
to `mozilla::Span`.
2. Calling the convert functions with raw pointers, which is not permitted
with the copy functions; these were changed to invoke `MakeStringSpan` first.
3. Other miscellaneous errors resulting from over-eager regexes and/or the
replacement not being type-aware. These changes were reverted.
Differential Revision: https://phabricator.services.mozilla.com/D88903
ffxbld
Kevin Jacobs
Simon Giesecke
Csoregi Natalia
smolnar
Moritz Birghan
Bob Clary
R. Martinho Fernandes
Dana Keeler
Benjamin Beurdouche
Victor Porof
Razvan Maries
Jed Davis
Bogdan Tara
Xidorn Quan
Mihai Alexandru Michis
Andreea Pavel
Emilio Cobos Álvarez
Valentin Gosu
Jean-Yves Avenard
Sylvestre Ledru
Jean-Yves Avenard
Toshihito Kikuchi
Tim Giles
Peter Van der Beken
Nika Layzell
J.C. Jones
Cosmin Sabou
Jan Varga
Philipp Ammann
Dragana Damjanovic
Aaron Klotz
Bob Owen
Ricky Stewart
Dorel Luca
Dan Minor
Marco Bonardo
Kershaw Chang
julianwels
Brindusan Cristian
Bert Peers
Sebastian Hengst
Andrea Marchesini
Narcis Beleuzu
Chris Peterson
Alexis Beingessner
Julien Cristau
Nathan Froyd