On macOS, dynamic libraries with thread-local-storage don't get unloaded. So,
if the osclientcerts library gets "unloaded", it doesn't actually go away. We
stop its background thread, so this isn't a problem, but if the osclientcerts
library gets re-enabled, all of its state comes back the same as before. So,
when NSS calls C_Initialize again, things like the manager proxy will already
be initialized. Before this patch, this situation would be an error. This patch
handles this case by dropping the old manager proxy and creating a new one.
Differential Revision: https://phabricator.services.mozilla.com/D63264
--HG--
extra : moz-landing-system : lando
Before this, every time NSS wanted to open a new session (C_OpenSession),
osclientcerts would look for new client certificates/keys in the OS store. It
turns out, NSS wants to open new sessions often, so this was slow. This patch
adds a timestamp to the manager and ensures that it searches for new objects no
more than once every 3 seconds.
Additionally, this patch adds the optimization that if NSS tries to search for
PKCS#11 objects with attributes that osclientcerts doesn't support,
osclientcerts returns an empty search early, rather than enumerating every
object and finding no matches.
In the future we may need to be smarter about how we match objects during
searches. Rather than iterating through every object, we could build lookup
tables that would be much more time efficient.
Differential Revision: https://phabricator.services.mozilla.com/D62982
--HG--
extra : moz-landing-system : lando
2020-02-18 Kevin Jacobs <kjacobs@mozilla.com>
* gtests/ssl_gtest/ssl_extension_unittest.cc,
gtests/ssl_gtest/ssl_version_unittest.cc, lib/ssl/dtlscon.c,
lib/ssl/tls13con.c, lib/ssl/tls13con.h, lib/ssl/tls13exthandle.c:
Bug 1615208 - Send DTLS version numbers in DTLS 1.3
supported_versions extension r=mt
This patch modifies `supported_versions` encodings to reflect DTLS
versions when DTLS1.3 is use. Previously, a DTLS1.3 CH would include
`[0x7f1e, 0x303, 0x302]` instead of the expected `[0x7f1e, 0xfefd,
0xfeff]`, causing compatibility issues.
[9e0d34a6cf91] [tip]
2020-02-12 Mikael Urankar <mikael.urankar@gmail.com>
* lib/freebl/Makefile, lib/freebl/freebl.gyp:
Bug 1612177 - Set -march=armv7 when compiling gcm-arm32-neon, in
order to enable NEON code generation.
[4413841bd26d]
2020-02-14 Dmitry Baryshkov <dbaryshkov@gmail.com>
* gtests/freebl_gtest/blake2b_unittest.cc, lib/freebl/blake2b.c:
Bug 1431940 - remove dereference before NULL check in BLAKE2B code.
r=kjacobs
[5e661906698f]
2020-02-12 Kevin Jacobs <kjacobs@mozilla.com>
* gtests/ssl_gtest/ssl_resumption_unittest.cc, lib/ssl/sslnonce.c:
Bug 1614870 - Free sid->peerID before reallocating in
ssl_DecodeResumptionToken. r=mt
This patch adds a missing `PORT_Free()` when reallocating
`sid->PeerID`, and adds a test for a non-empty PeerID.
[1eb4e00b016e]
Differential Revision: https://phabricator.services.mozilla.com/D63220
--HG--
extra : moz-landing-system : lando
GENERATED_FILES now defaults to python3 unless py2=True is specified as
an argument. All existing GENERATED_FILES scripts and GeneratedFile
templates have the py2=True attribute added, so this patch should
effectively be a no-op.
Going forward, individual scripts can be converted to python3 and their
corresponding py2=True attribute can be deleted. In effect, this patch
will be backed out in pieces until all scripts run in python3, at which
point the py2 attribute itself can be removed.
Differential Revision: https://phabricator.services.mozilla.com/D60919
--HG--
extra : moz-landing-system : lando
GENERATED_FILES now defaults to python3 unless py2=True is specified as
an argument. All existing GENERATED_FILES scripts and GeneratedFile
templates have the py2=True attribute added, so this patch should
effectively be a no-op.
Going forward, individual scripts can be converted to python3 and their
corresponding py2=True attribute can be deleted. In effect, this patch
will be backed out in pieces until all scripts run in python3, at which
point the py2 attribute itself can be removed.
Differential Revision: https://phabricator.services.mozilla.com/D60919
--HG--
extra : moz-landing-system : lando
See bug 1613275 and bug 1607845. In bug 1607845, the aim was to regenerate all
test certificates that would be expiring. Unfortunately, a few were missed:
* build/pgo/certs/ certificate DBs and mochitest.client are regenerated in a
different way than the rest of the certificates in bug 1607845. These would
probably best be addressed by formally documenting the process of
re-generating all of the certificates.
* security/manager/ssl/tests/unit/test_certDB_import/ certificates were
missed by mistake. It's unclear how this happened.
* security/manager/ssl/tests/unit/test_intermediate_preloads/ were missed
because there was no test_intermediate_preloads entry in the TEST_DIRS
section of security/manager/ssl/tests/unit/moz.build, which means that the
build system never knew to re-generate those certificates, even after
un-commenting-out the contents of
security/manager/ssl/tests/unit/test_intermediate_preloads/moz.build
* security/manager/ssl/tests/unit/test_missing_intermediate/missing-intermediate.der
was DER, not PEM, and we don't have a way to automatically re-generate DER
certificates in the same way. However, it didn't even need to be DER.
Differential Revision: https://phabricator.services.mozilla.com/D61712
--HG--
extra : moz-landing-system : lando
GENERATED_FILES now defaults to python3 unless py2=True is specified as
an argument. All existing GENERATED_FILES scripts and GeneratedFile
templates have the py2=True attribute added, so this patch should
effectively be a no-op.
Going forward, individual scripts can be converted to python3 and their
corresponding py2=True attribute can be deleted. In effect, this patch
will be backed out in pieces until all scripts run in python3, at which
point the py2 attribute itself can be removed.
Differential Revision: https://phabricator.services.mozilla.com/D60919
--HG--
extra : moz-landing-system : lando
2020-02-10 Robert Relyea <rrelyea@redhat.com>
* lib/freebl/cmac.c:
Bug 1610687 - Crash on unaligned CMACContext.aes.keySchedule when
using AES-NI intrinsics r=kjacobs
[046a6f5bfb27]
* lib/util/pkcs11t.h:
Bug 1611209 - Value of CKM_AES_CMAC and CKM_AES_CMAC_GENERAL are
swapped r=rrelyea
[df142975f4f6]
2020-02-11 Victor Tapia <victor.tapia@canonical.com>
* lib/pk11wrap/pk11util.c, lib/sysinit/nsssysinit.c:
Bug 1582169 - Disable reading /proc/sys/crypto/fips_enabled if FIPS
is not enabled on build r=jcj,rrelyea
[55ba54adfcae]
2020-02-11 J.C. Jones <jjones@mozilla.com>
* lib/sysinit/nsssysinit.c:
Bug 1614786 - Fixup for ‘getFIPSEnv’ being unused r=kjacobs
Fixes a regression from Bug 1582169
../../lib/sysinit/nsssysinit.c:153:1: error: ‘getFIPSEnv’ defined
but not used [-Werror=unused-function]
[06925efe306b]
2020-02-11 Dana Keeler <dkeeler@mozilla.com>
* cmd/lib/secutil.c,
lib/libpkix/pkix_pl_nss/module/pkix_pl_colcertstore.c:
bug 1538980 - null-terminate ascii input in SECU_ReadDERFromFile so
strstr is safe to call r=jcj,kjacobs
[735ed2e47040] [tip]
Differential Revision: https://phabricator.services.mozilla.com/D62451
--HG--
extra : moz-landing-system : lando
This patch implements osclientcerts for macOS.
Because the SDK we build with isn't recent enough, some of the functions we
need aren't guaranteed to be available. To handle this, we load the Security
framework at runtime and attempt to locate the symbols we need. If this
succeeds, then operation proceeds as normal. Otherwise, the module will report
that there are no certificates/keys available.
Differential Revision: https://phabricator.services.mozilla.com/D59957
--HG--
extra : moz-landing-system : lando
This patch implements osclientcerts for macOS.
Because the SDK we build with isn't recent enough, some of the functions we
need aren't guaranteed to be available. To handle this, we load the Security
framework at runtime and attempt to locate the symbols we need. If this
succeeds, then operation proceeds as normal. Otherwise, the module will report
that there are no certificates/keys available.
Differential Revision: https://phabricator.services.mozilla.com/D59957
--HG--
extra : moz-landing-system : lando
2020-02-07 J.C. Jones <jjones@mozilla.com>
* lib/nss/nss.h, lib/softoken/softkver.h, lib/util/nssutil.h:
Set version numbers to 3.50 final
[5bb3927fa234] [NSS_3_50_RTM] <NSS_3_50_BRANCH>
2020-02-05 J.C. Jones <jjones@mozilla.com>
* .hgtags:
Added tag NSS_3_50_BETA2 for changeset b91bbf7a88c9
[a8656c823c1f] <NSS_3_50_BRANCH>
Differential Revision: https://phabricator.services.mozilla.com/D62106
--HG--
extra : moz-landing-system : lando
See bug 1613275 and bug 1607845. In bug 1607845, the aim was to regenerate all
test certificates that would be expiring. Unfortunately, a few were missed:
* build/pgo/certs/ certificate DBs and mochitest.client are regenerated in a
different way than the rest of the certificates in bug 1607845. These would
probably best be addressed by formally documenting the process of
re-generating all of the certificates.
* security/manager/ssl/tests/unit/test_certDB_import/ certificates were
missed by mistake. It's unclear how this happened.
* security/manager/ssl/tests/unit/test_intermediate_preloads/ were missed
because there was no test_intermediate_preloads entry in the TEST_DIRS
section of security/manager/ssl/tests/unit/moz.build, which means that the
build system never knew to re-generate those certificates, even after
un-commenting-out the contents of
security/manager/ssl/tests/unit/test_intermediate_preloads/moz.build
* security/manager/ssl/tests/unit/test_missing_intermediate/missing-intermediate.der
was DER, not PEM, and we don't have a way to automatically re-generate DER
certificates in the same way. However, it didn't even need to be DER.
Differential Revision: https://phabricator.services.mozilla.com/D61712
--HG--
extra : moz-landing-system : lando
Upstream patch:
6bd491daaf%5E%21/#F0
_sifields is a glibc-internal field, and is not available on musl
libc. Instead, use the public-facing fields si_call_addr, si_syscall,
and si_arch, if they are available.
Differential Revision: https://phabricator.services.mozilla.com/D61051
--HG--
extra : moz-landing-system : lando
2020-02-05 J.C. Jones <jjones@mozilla.com>
* lib/softoken/exports.gyp, lib/softoken/manifest.mn,
lib/softoken/pkcs11.c, lib/softoken/sftkdb.c,
lib/softoken/softoken.gyp:
Bug 1609673 - Conditionally compile out all libnssdbm glue if
NSS_DISABLE_DBM is set r=mt
Remove `lgglue` from compilation entirely if DBM is disabled
[b91bbf7a88c9] [NSS_3_50_BETA2] <NSS_3_50_BRANCH>
2020-02-04 Kevin Jacobs <kjacobs@mozilla.com>
* .hgtags:
Added tag NSS_3_50_BETA1 for changeset de6ba04bb1f4
[1201d0d89b72] <NSS_3_50_BRANCH>
Differential Revision: https://phabricator.services.mozilla.com/D61770
--HG--
extra : moz-landing-system : lando
In order to reuse SSLServerCertVerificationJob, this patch exposes SSLServerCertVerificationJob and adds ServerCertVerificationResultCallback for delivering the verification result.
Differential Revision: https://phabricator.services.mozilla.com/D58604
--HG--
extra : moz-landing-system : lando
2020-02-03 Kai Engert <kaie@kuix.de>
* automation/release/nspr-version.txt:
Bug 1612623 - NSS 3.50 should depend on NSPR 4.25. r=kjacobs
[de6ba04bb1f4] [NSS_3_50_BETA1]
2020-01-27 Giulio Benetti <giulio.benetti@benettiengineering.com>
* coreconf/config.gypi, coreconf/config.mk, lib/freebl/Makefile,
lib/freebl/freebl.gyp, lib/freebl/gcm.h:
Bug 1608151 - Introduce NSS_DISABLE_ALTIVEC and disable_altivec
r=jcj
At the moment NSS assumes that every PowerPC64 architecture supports
Altivec but it's not true and this leads to build failure. So add
NSS_DISABLE_ALTIVEC environment variable(and disable_altivec for
gyp) to disable Altivec extension on PowerPC build that don't
support Altivec.
[f2d947817850]
Differential Revision: https://phabricator.services.mozilla.com/D61574
--HG--
extra : moz-landing-system : lando
Dana Keeler
Kershaw Chang
Kevin Jacobs
Mike Shal
ffxbld
Cosmin Sabou
Andy Grover
Brindusan Cristian
Julian
Simon Giesecke
J.C. Jones
shindli
Daniel Varga
Emilio Cobos Álvarez
Philipp Zech
David Major
Gian-Carlo Pascutto
Nika Layzell
Bogdan Tara
Michael Forney
Dorel Luca
J.C. Jones
Christian Holler
Sylvestre Ledru