gecko-dev/security
Kevin Jacobs 6a6ed41ab7 Bug 1649545 - land NSS 58c2abd7404e UPGRADE_NSS_RELEASE, r=jcj
2020-06-26  Kevin Jacobs  <kjacobs@mozilla.com>

	* automation/abi-check/expected-report-libssl3.so.txt, automation/abi-
	check/previous-nss-release, lib/nss/nss.h, lib/softoken/softkver.h,
	lib/util/nssutil.h:
	Set version numbers to 3.55 beta
	[332ab7db68ba]

2020-06-25  Kevin Jacobs  <kjacobs@mozilla.com>

	* tests/all.sh:
	Bug 1649190 - Run cipher, sdr, and ocsp tests under standard test
	cycle.
	[f373809abfc0]

2020-06-15  Kevin Jacobs  <kjacobs@mozilla.com>

        * gtests/common/testvectors/p256ecdsa-sha256-vectors.h,
        gtests/common/testvectors/p384ecdsa-sha384-vectors.h,
        gtests/common/testvectors/p521ecdsa-sha512-vectors.h,
        gtests/common/testvectors_base/test-structs.h,
        gtests/common/wycheproof/genTestVectors.py,
        gtests/pk11_gtest/pk11_ecdsa_unittest.cc:
        Bug 1649226 - Add Wycheproof ECDSA tests.
        [41292ff7f545]

2020-06-30  Benjamin Beurdouche  <bbeurdouche@mozilla.com>

	* lib/pkcs12/p12d.c:
	Bug 1649322 - Fix null pointer passed as argument in
	pk11wrap/pk11pbe.c:1246 r=kjacobs
	[cc43ebf5bf88]

2020-06-30  Danh  <congdanhqx@gmail.com>

	* coreconf/arch.mk, coreconf/config.mk, lib/freebl/Makefile:
	Bug 1646594 - Enable AVX2 if applicable on x86_64 with make 4.3
	r=bbeurdouche
	[b579895aceb0]

2020-07-02  Benjamin Beurdouche  <bbeurdouche@mozilla.com>

	* lib/ssl/ssl3con.c:
	Bug 1649316 - Prevent memcmp to be called with a zero length in
	ssl/ssl3con.c:6621 r=kjacobs
	[8fe9213d0551]

2020-07-02  Alexander Scheel  <ascheel@redhat.com>

	* lib/cryptohi/secvfy.c:
	Bug 1649487 - Fix bad assert in VFY_EndWithSignature. r=jcj
	[c9438b528103]

2020-07-06  Dana Keeler  <dkeeler@mozilla.com>

	* automation/abi-check/expected-report-libnss3.so.txt,
	gtests/pk11_gtest/pk11_find_certs_unittest.cc, lib/nss/nss.def,
	lib/pk11wrap/pk11cert.c, lib/pk11wrap/pk11pub.h:
	Bug 1649633 - add PK11_FindEncodedCertInSlot r=kjacobs,jcj

	PK11_FindEncodedCertInSlot can be used to determine the PKCS#11
	object handle of an encoded certificate in a given slot. If the
	given certificate does not exist in that slot, CK_INVALID_HANDLE is
	returned.
	[32fe710a942f]

	* gtests/pk11_gtest/pk11_find_certs_unittest.cc:
	Bug 1649633 - follow-up to make test comparisons in
	pk11_find_certs_unittest.cc yoda comparisons r=kjacobs
	[424dae31a1c1]


2020-07-07  Kevin Jacobs  <kjacobs@mozilla.com>

        * gtests/pk11_gtest/pk11_rsapkcs1_unittest.cc, lib/freebl/rsapkcs.c:
        Bug 1067214 - Check minimum padding in RSA_CheckSignRecover.
        r=rrelyea

        This patch adds a check to `RSA_CheckSignRecover` enforcing a
        minimum padding length of 8 bytes for PKCS #1 v1.5-formatted
        signatures. In practice, RSA key size requirements already ensure
        this requirement is met, but smaller (read: broken) key sizes can be
        used via configuration overrides, and NSS should just follow the
        spec.
        [e5324bd5a885]

2020-07-08  Kevin Jacobs  <kjacobs@mozilla.com>

        * gtests/ssl_gtest/libssl_internals.c,
        gtests/ssl_gtest/libssl_internals.h,
        gtests/ssl_gtest/ssl_record_unittest.cc,
        gtests/ssl_gtest/tls_agent.cc, gtests/ssl_gtest/tls_agent.h,
        lib/ssl/dtls13con.c, lib/ssl/dtls13con.h, lib/ssl/ssl3con.c,
        lib/ssl/ssl3prot.h, lib/ssl/sslspec.h, lib/ssl/sslt.h,
        lib/ssl/tls13con.c, lib/ssl/tls13exthandle.c:
        Bug 1647752 - Update DTLS 1.3 implementation to draft-38. r=mt

        This patch updates DTLS 1.3 to draft-38. Specifically:

         # `ssl_ct_ack` value changes from 25 to 26. # AEAD limits in
        `tls13_UnprotectRecord` enforce a maximum of 2^36-1 (as we only
        support GCM/ChaCha20 AEADs) decryption failures before the
        connection is closed. # Post-handshake authentication will no longer
        be negotiated in DTLS 1.3. This allows us to side-step the more
        convoluted state machine requirements.
        [132a87fc8689]

2020-07-09  Benjamin Beurdouche  <bbeurdouche@mozilla.com>

        * lib/pk11wrap/pk11pbe.c, lib/pkcs12/p12d.c:
        Bug 1649322 - Fix null pointer passed as argument in
        pk11wrap/pk11pbe.c:1246 r=kjacobs

        This is a fixup patch that reverts https://hg.mozilla.org/projects/n
        ss/rev/cc43ebf5bf88355837c5fafa2f3c46e37626707a and adds a null
        check around the memcpy in question.
        [80bea0e22b20]

2020-07-09  J.C. Jones  <jjones@mozilla.com>

        * lib/softoken/pkcs11.c:
        Bug 1651520 - slotLock race in NSC_GetTokenInfo r=kjacobs

        Basically, NSC_GetTokenInfo doesn't lock slot->slotLock before
        accessing slot after obtaining it, even though slotLock is defined
        as its lock. [0]

        [0] https://searchfox.org/nss/rev/a412e70e55218aaf670f1f10322fa734d8
        a9fbde/lib/softoken/pkcs11i.h#320-321
        [58c2abd7404e] [tip]

Differential Revision: https://phabricator.services.mozilla.com/D82466
2020-07-09 23:05:48 +00:00
..
apps Bug 1648010 - Replace uses of NS_LITERAL_STRING/NS_LITERAL_CSTRING macros by _ns literals. r=geckoview-reviewers,jgilbert,agi,hsivonen,froydnj 2020-07-01 08:29:29 +00:00
certverifier Bug 1623943 - Exit from IdleSaveIntermediateCerts if shutting down r=keeler 2020-07-06 17:57:03 +00:00
ct Bug 1649312 - No derogatory language: Remove references to grandfather in comments r=njn,zbraniecki,keeler,jgraham 2020-07-01 15:23:26 +00:00
mac/hardenedruntime
manager No Bug, mozilla-central repo-update HSTS HPKP remote-settings - a=repo-update r=RyanVM 2020-07-09 14:21:42 +00:00
nss Bug 1649545 - land NSS 58c2abd7404e UPGRADE_NSS_RELEASE, r=jcj 2020-07-09 23:05:48 +00:00
sandbox Bug 1644917 - Part 2: Cache as much of the content sandbox file policy as possible. r=gcp,Gijs 2020-07-02 11:26:11 +00:00
.eslintrc.js Bug 1622328 - add license info to all eslintrc files r=Standard8,webcompat-reviewers,miketaylr 2020-03-19 13:47:51 +00:00
generate_certdata.py Bug 1633039 - Don't check for Python 2 in configure r=glandium 2020-05-05 16:02:02 +00:00
generate_mapfile.py Bug 1620744 - Convert generate_mapfile.py to py3; r=firefox-build-system-reviewers,rstewart 2020-03-10 20:19:34 +00:00
moz.build Bug 1641783 - Move MOZ_FOLD_LIBS to python configure. r=froydnj 2020-05-29 12:15:51 +00:00
nss.symbols Bug 1615438 - Use CKA_NSS_SERVER_DISTRUST_AFTER from NSS for certificate validation. r=keeler 2020-05-28 20:35:48 +00:00