mozilla
/
gecko-dev
зеркало из https://github.com/mozilla/gecko-dev.git
1
0
Форкнуть 0
Код Задачи Пакеты Проекты Релизы Вики Активность
gecko-dev/security
История
Kevin Jacobs 54a13dccf2 Bug 1677548 - land NSS 3eacb92e9adf UPGRADE_NSS_RELEASE, r=jcj 
2020-11-18  Kevin Jacobs  <kjacobs@mozilla.com>

	* lib/ssl/ssl3con.c, lib/ssl/tls13con.c, lib/ssl/tls13ech.c:
	Bug 1654332 - Fixup a10493dcfcc9: copy ECHConfig.config_id with
	socket r=jcj

	A late review change for ECH was for the server to compute each
	ECHConfig `config_id` when set to the socket, rather than on each
	connection. This works, but now we also need to copy that config_id
	when copying a socket, else the server won't find a matching
	ECHConfig to use for decryption.

	[3eacb92e9adf] [tip]

2020-11-17  Kevin Jacobs  <kjacobs@mozilla.com>

	* automation/abi-check/expected-report-libssl3.so.txt,
	cmd/tstclnt/tstclnt.c, cpputil/tls_parser.h,
	gtests/ssl_gtest/libssl_internals.c,
	gtests/ssl_gtest/libssl_internals.h, gtests/ssl_gtest/manifest.mn,
	gtests/ssl_gtest/ssl_auth_unittest.cc,
	gtests/ssl_gtest/ssl_custext_unittest.cc,
	gtests/ssl_gtest/ssl_extension_unittest.cc,
	gtests/ssl_gtest/ssl_gtest.gyp,
	gtests/ssl_gtest/ssl_tls13compat_unittest.cc,
	gtests/ssl_gtest/tls_agent.cc, gtests/ssl_gtest/tls_agent.h,
	gtests/ssl_gtest/tls_connect.cc, gtests/ssl_gtest/tls_connect.h,
	gtests/ssl_gtest/tls_ech_unittest.cc,
	gtests/ssl_gtest/tls_esni_unittest.cc,
	gtests/ssl_gtest/tls_filter.cc, gtests/ssl_gtest/tls_filter.h,
	lib/ssl/SSLerrs.h, lib/ssl/manifest.mn, lib/ssl/ssl.gyp,
	lib/ssl/ssl3con.c, lib/ssl/ssl3ext.c, lib/ssl/ssl3ext.h,
	lib/ssl/ssl3exthandle.c, lib/ssl/ssl3exthandle.h,
	lib/ssl/ssl3prot.h, lib/ssl/sslencode.c, lib/ssl/sslencode.h,
	lib/ssl/sslerr.h, lib/ssl/sslexp.h, lib/ssl/sslimpl.h,
	lib/ssl/sslinfo.c, lib/ssl/sslsecur.c, lib/ssl/sslsock.c,
	lib/ssl/sslt.h, lib/ssl/tls13con.c, lib/ssl/tls13con.h,
	lib/ssl/tls13ech.c, lib/ssl/tls13ech.h, lib/ssl/tls13esni.c,
	lib/ssl/tls13esni.h, lib/ssl/tls13exthandle.c,
	lib/ssl/tls13exthandle.h, lib/ssl/tls13hashstate.c,
	lib/ssl/tls13hashstate.h:
	Bug 1654332 - Update ESNI to draft-08 (ECH). r=mt

	This patch adds support for Encrypted Client Hello (draft-ietf-tls-
	esni-08), replacing the existing ESNI (draft -02) support.

	There are five new experimental functions to enable this:

	 - SSL_EncodeEchConfig: Generates an encoded (not BASE64) ECHConfig
	given a set of parameters.
	  - SSL_SetClientEchConfigs: Configures the provided ECHConfig to the
	given socket. When configured, an ephemeral HPKE keypair will be
	generated for the CH encryption.
	  - SSL_SetServerEchConfigs: Configures the provided ECHConfig and
	keypair to the socket. The keypair specified will be used for HPKE
	operations in order to decrypt encrypted Client Hellos as they are
	received.
	  - SSL_GetEchRetryConfigs: If ECH is rejected by the server and
	compatible retry_configs are provided, this API allows the
	application to extract those retry_configs for use in a new
	connection.
	  - SSL_EnableTls13GreaseEch: When enabled, non-ECH Client Hellos will
	have a "GREASE ECH" (i.e. fake) extension appended. GREASE ECH is
	disabled by default, as there are known compatibility issues that
	will be addressed in a subsequent draft.

	The following ESNI experimental functions are deprecated by this
	update:

	 - SSL_EncodeESNIKeys
	  - SSL_EnableESNI
	  - SSL_SetESNIKeyPair

	 In order to be used, NSS must be compiled with
	`NSS_ENABLE_DRAFT_HPKE` defined.

	[a10493dcfcc9]

	* lib/ssl/ssl3con.c, lib/ssl/sslencode.c, lib/ssl/sslencode.h,
	lib/ssl/tls13con.c, lib/ssl/tls13con.h:
	Bug 1654332 - Buffered ClientHello construction. r=mt

	This patch refactors construction of Client Hello messages. Instead
	of each component of the message being written separately into
	`ss->sec.ci.sendBuf`, we now construct the message in its own
	sslBuffer. Once complete, the entire message is added to the sendBuf
	via `ssl3_AppendHandshake`.

	`ssl3_SendServerHello` already uses this approach and it becomes
	necessary for ECH, where we use the constructed ClientHello to
	create an inner ClientHello.

	[d40121ba59ba]

2020-11-13  J.C. Jones  <jjones@mozilla.com>

	* automation/abi-check/expected-report-libnss3.so.txt, automation/abi-
	check/expected-report-libnssutil3.so.txt, automation/abi-check
	/previous-nss-release, lib/nss/nss.h, lib/softoken/softkver.h,
	lib/util/nssutil.h:
	Set version numbers to 3.60 Beta
	[5e7b37609f22]

Differential Revision: https://phabricator.services.mozilla.com/D97492
 		2020-11-19 18:28:18 +00:00
..
apps Bug 1272794 - Clean up Digest class API r=keeler,necko-reviewers,valentin 2020-11-11 22:16:38 +00:00
certverifier Bug 1519636 - Reformat with clang-format-11 to the Google coding style r=andi,sg,geckoview-reviewers,snorp 2020-11-18 09:05:59 +00:00
ct Bug 1654103: Standardize on Black for Python code in `mozilla-central`. 2020-10-26 18:34:53 +00:00
mac/hardenedruntime
manager Bug 1677399 - avoid re-downloading and re-processing CRLite filters/stashes that are already in cert_storage r=bbeurdouche 2020-11-19 18:04:22 +00:00
nss Bug 1677548 - land NSS 3eacb92e9adf UPGRADE_NSS_RELEASE, r=jcj 2020-11-19 18:28:18 +00:00
sandbox No bug - Fix typo to trigger mochitest jobs. 2020-11-12 21:18:08 +02:00
.eslintrc.js
generate_certdata.py Bug 1654103: Standardize on Black for Python code in `mozilla-central`. 2020-10-26 18:34:53 +00:00
generate_mapfile.py Bug 1654103: Standardize on Black for Python code in `mozilla-central`. 2020-10-26 18:34:53 +00:00
moz.build Bug 1654103: Standardize on Black for Python code in `mozilla-central`. 2020-10-26 18:34:53 +00:00
nss.symbols Bug 1661543 - Backed out 1 changesets (bug 1651449) for performance regression. a=backout CLOSED TREE 2020-08-27 22:31:36 +02:00