mozilla
/
gecko-dev
зеркало из https://github.com/mozilla/gecko-dev.git
1
0
Форкнуть 0
Код Задачи Пакеты Проекты Релизы Вики Активность
gecko-dev/security
История
Kevin Jacobs 7c45f2a0f0 Bug 1642687 - land NSS d211f3013abb UPGRADE_NSS_RELEASE, r=jcj 
2020-06-01  Kevin Jacobs  <kjacobs@mozilla.com>

	* coreconf/config.gypi, lib/freebl/Makefile, lib/freebl/blinit.c,
	lib/freebl/freebl.gyp, lib/freebl/sha256-armv8.c,
	lib/freebl/sha256.h, lib/freebl/sha512.c, mach:
	Bug 1528113 - Use ARM's crypto extension for SHA256
	[ea54fd986036]

2020-04-08  Kevin Jacobs  <kjacobs@mozilla.com>

	* automation/abi-check/expected-report-libssl3.so.txt,
	gtests/ssl_gtest/libssl_internals.c,
	gtests/ssl_gtest/libssl_internals.h, gtests/ssl_gtest/manifest.mn,
	gtests/ssl_gtest/ssl_0rtt_unittest.cc,
	gtests/ssl_gtest/ssl_extension_unittest.cc,
	gtests/ssl_gtest/ssl_gtest.gyp, gtests/ssl_gtest/tls_agent.cc,
	gtests/ssl_gtest/tls_agent.h, gtests/ssl_gtest/tls_connect.cc,
	gtests/ssl_gtest/tls_connect.h,
	gtests/ssl_gtest/tls_psk_unittest.cc, lib/ssl/manifest.mn,
	lib/ssl/ssl.gyp, lib/ssl/ssl3con.c, lib/ssl/ssl3ext.c,
	lib/ssl/ssl3ext.h, lib/ssl/sslerr.h, lib/ssl/sslexp.h,
	lib/ssl/sslimpl.h, lib/ssl/sslinfo.c, lib/ssl/sslsecur.c,
	lib/ssl/sslsock.c, lib/ssl/sslt.h, lib/ssl/tls13con.c,
	lib/ssl/tls13con.h, lib/ssl/tls13exthandle.c, lib/ssl/tls13psk.c,
	lib/ssl/tls13psk.h, lib/ssl/tls13replay.c:
	Bug 1603042 - TLS 1.3 out-of-band PSK support

	[a448d7919077]

2020-06-01  Makoto Kato  <m_kato@ga2.so-net.ne.jp>

	* coreconf/config.gypi, lib/freebl/Makefile, lib/freebl/blinit.c,
	lib/freebl/freebl.gyp, lib/freebl/sha256-armv8.c,
	lib/freebl/sha256.h, lib/freebl/sha512.c:
	Bug 1528113 - Use ARM's crypto extension for SHA256 r=kjacobs

	ARMv8 CPU has accelerated hardware instruction for SHA256 that
	supports GCC 4.9+. We should use it if available.

	[61c83f79e90c]

2020-06-02  Kevin Jacobs  <kjacobs@mozilla.com>

	* automation/abi-check/expected-report-libssl3.so.txt,
	gtests/ssl_gtest/libssl_internals.c,
	gtests/ssl_gtest/libssl_internals.h, gtests/ssl_gtest/manifest.mn,
	gtests/ssl_gtest/ssl_0rtt_unittest.cc,
	gtests/ssl_gtest/ssl_extension_unittest.cc,
	gtests/ssl_gtest/ssl_gtest.gyp, gtests/ssl_gtest/tls_agent.cc,
	gtests/ssl_gtest/tls_agent.h, gtests/ssl_gtest/tls_connect.cc,
	gtests/ssl_gtest/tls_connect.h,
	gtests/ssl_gtest/tls_psk_unittest.cc, lib/ssl/manifest.mn,
	lib/ssl/ssl.gyp, lib/ssl/ssl3con.c, lib/ssl/ssl3ext.c,
	lib/ssl/ssl3ext.h, lib/ssl/sslerr.h, lib/ssl/sslexp.h,
	lib/ssl/sslimpl.h, lib/ssl/sslinfo.c, lib/ssl/sslsecur.c,
	lib/ssl/sslsock.c, lib/ssl/sslt.h, lib/ssl/tls13con.c,
	lib/ssl/tls13con.h, lib/ssl/tls13exthandle.c, lib/ssl/tls13psk.c,
	lib/ssl/tls13psk.h, lib/ssl/tls13replay.c:
	Bug 1603042 - TLS 1.3 out-of-band PSK support r=mt

	This patch adds support for External (out-of-band) PSKs in TLS 1.3.
	An External PSK (EPSK) can be set by calling `SSL_AddExternalPsk`,
	and removed with `SSL_RemoveExternalPsk`. `SSL_AddExternalPsk0Rtt`
	can be used to add a PSK while also specifying a suite and
	max_early_data_size for use with 0-RTT.

	As part of handling PSKs more generically, the patch also changes
	how resumption PSKs are handled internally, so as to rely on the
	same mechanisms where possible.

	A socket is currently limited to only one External PSK at a time. If
	the server doesn't find the same identity for the configured EPSK,
	it will fall back to certificate authentication.

	[a2293e897889]

	* lib/freebl/mpi/mplogic.c:
	cast in LZCNTLOOP
	[96e65b2e9531]

	* lib/freebl/freebl.gyp:
	Use KRML_VERIFIED_UINT128 on MSVC builds
	[abd50c862bdb]

2020-06-03  Kevin Jacobs  <kjacobs@mozilla.com>

	* gtests/ssl_gtest/ssl_exporter_unittest.cc, lib/ssl/sslinfo.c,
	lib/ssl/tls13con.c:
	Bug 1643123 - Allow External PSKs to be used with Early Export
	[46ef0c025cfc]

2020-06-02  Sylvestre Ledru  <sledru@mozilla.com>

	* lib/ssl/tls13con.c:
	Bug 1642809 - Fix an assert (we need a comparison, not assignment)
	r=kjacobs

	[d0789cb32d8e]

2020-06-03  Mike Hommey  <mh@glandium.org>

	* cmd/shlibsign/Makefile:
	Bug 1642153 - Avoid infinite recursion when CHECKLOC is not set.
	r=jcj

	[e955ece90b05]

2020-06-03  Martin Thomson  <mt@lowentropy.net>

	* gtests/ssl_gtest/ssl_auth_unittest.cc,
	gtests/ssl_gtest/ssl_resumption_unittest.cc, lib/ssl/tls13con.c:
	Bug 1642871 - Allow tickets and PHA after resumption, r=kjacobs

	The first part of this is fairly simple: we accidentally disabled
	sending of session tickets after resumption.

	The second part is much less obvious, because the spec is unclear.
	This change takes the interpretation that it is OK to use post-
	handshake authentication if the handshake is resumed, but not OK if
	the handshake is based on a PSK. (This is based on a first-
	principles understanding of resumption being a continuation of a
	certificate-based connection rather than a reading of the spec, see
	the bug for why the spec appears to be unhelpful on this point.)

	This still prohibits the use of post-handshake authentication if an
	external PSK was used, but that is more an abundance of caution than
	anything principled.

	[e9502f71b7fe]

2020-06-04  Kevin Jacobs  <kjacobs@mozilla.com>

	* gtests/ssl_gtest/ssl_exporter_unittest.cc, lib/ssl/sslinfo.c,
	lib/ssl/tls13con.c:
	Bug 1643123 - Allow External PSKs to be used with Early Export r=mt

	This patch adjusts `tls13_exporter` to pull the hash algorithm from
	the first PSK when a suite is not configured yet, which allows early
	export with external PSKs.

	[d211f3013abb]

Differential Revision: https://phabricator.services.mozilla.com/D78578
 		2020-06-06 00:20:11 +00:00
..
apps Bug 1613985 - Use default for equivalent-to-default constructors/destructors in security. r=rrelyea 2020-03-16 10:56:56 +00:00
certverifier Bug 1615438 - Use CKA_NSS_SERVER_DISTRUST_AFTER from NSS for certificate validation. r=keeler 2020-05-28 20:35:48 +00:00
ct Bug 1621441 - Update Python scripts that depend on PyECC to run in Python 3 and to leverage the ecdsa library instead r=glandium,keeler 2020-04-17 20:56:09 +00:00
mac/hardenedruntime
manager Backed out changeset 889d7cd14e4d (bug 1630434) for xpcshell failures on test_intermediate_preloads.js . CLOSED TREE 2020-06-05 11:08:57 +03:00
nss Bug 1642687 - land NSS d211f3013abb UPGRADE_NSS_RELEASE, r=jcj 2020-06-06 00:20:11 +00:00
sandbox Bug 1639181 - Allow a safe subset of fd flag fcntls in the common sandbox policy. r=gcp 2020-05-29 18:18:43 +00:00
.eslintrc.js Bug 1622328 - add license info to all eslintrc files r=Standard8,webcompat-reviewers,miketaylr 2020-03-19 13:47:51 +00:00
generate_certdata.py Bug 1633039 - Don't check for Python 2 in configure r=glandium 2020-05-05 16:02:02 +00:00
generate_mapfile.py Bug 1620744 - Convert generate_mapfile.py to py3; r=firefox-build-system-reviewers,rstewart 2020-03-10 20:19:34 +00:00
moz.build Bug 1641783 - Move MOZ_FOLD_LIBS to python configure. r=froydnj 2020-05-29 12:15:51 +00:00
nss.symbols Bug 1615438 - Use CKA_NSS_SERVER_DISTRUST_AFTER from NSS for certificate validation. r=keeler 2020-05-28 20:35:48 +00:00