2020-06-12 Kevin Jacobs <kjacobs@mozilla.com>
* cmd/lib/secutil.c:
Bug 1645479 - Use SECITEM_CopyItem instead of SECITEM_MakeItem in
secutil.c. r=jcj
This patch converts a call to `SECITEM_MakeItem` to use
`SECITEM_CopyItem` instead. Using the former works fine in NSS CI,
but causes build failures in mozilla-central due to differences in
how both symbols are exported (i.e. when folding nssutil into nss).
[cbf75aedf480] [tip]
2020-06-11 Kevin Jacobs <kjacobs@mozilla.com>
* gtests/ssl_gtest/libssl_internals.c,
gtests/ssl_gtest/ssl_resumption_unittest.cc:
Bug 1644774 - Use ClearServerCache instead of
SSLInt_ClearSelfEncryptKey for ticket invalidation. r=mt
[7b2413d80ce3]
2020-06-10 Kevin Jacobs <kjacobs@mozilla.com>
* cmd/lib/basicutil.c, cmd/lib/secutil.c, cmd/lib/secutil.h,
cmd/selfserv/selfserv.c, cmd/tstclnt/tstclnt.c, lib/ssl/tls13psk.c:
Bug 1603042 - Support external PSKs in tstclnt/selfserv. r=jcj
This patch adds support for TLS 1.3 external PSKs in tstclnt and
selfserv with the `-z` option.
Command examples:
- `selfserv -D -p 4443 -d . -n localhost.localdomain -w nss -V tls1.3:
-H 1 -z 0xAAAAAAAABBBBBBBBCCCCCCCCDDDDDDDD[:label] -m`
- `tstclnt -h 127.0.0.1 -p 4443 -z
0xAAAAAAAABBBBBBBBCCCCCCCCDDDDDDDD[:label] -d . -w nss`
For OpenSSL interop:
- `openssl s_server -nocert -port 4433 -psk
AAAAAAAABBBBBBBBCCCCCCCCDDDDDDDD [-psk_identity label]`
Note: If the optional label is omitted, both NSS tools and OpenSSL
default to "Client_identity".
[c1b1112af415]
2020-06-09 Kevin Jacobs <kjacobs@mozilla.com>
* lib/ssl/tls13con.c:
Bug 1642638 - Don't assert sid ciphersuite to be defined in fuzzer
mode. r=mt
[238bd7912429]
2020-06-08 Kevin Jacobs <kjacobs@mozilla.com>
* lib/freebl/freebl.gyp, lib/freebl/freebl_base.gypi:
Bug 1642802 - Win64 GYP builds to use HACL* curve25519.
r=bbeurdouche
This patch causes Windows 64-bit GYP builds to use HACL* curve25519
rather than the 32-bit (fiat-crypto) implementation.
For non-clang/GCC Win64 builds, we define `KRML_VERIFIED_UINT128` to
workaround an upstream bug that breaks Win32 builds by selecting a
64-bit `__int128` implementation (in types.h).
For clang/GCC builds, using the compiler-provided type yields a ~5x
speedup on Win64.
[566fa62d6522]
2020-06-05 Jeff Walden <jwalden@mit.edu>
* lib/pk11wrap/pk11cert.c, lib/pk11wrap/pk11kea.c,
lib/pk11wrap/pk11merge.c, lib/pk11wrap/pk11nobj.c,
lib/pk11wrap/pk11obj.c, lib/pk11wrap/pk11skey.c,
lib/pk11wrap/secmodi.h:
Bug 1643557 - Make pk11_FindObjectByTemplate accept a size_t count
rather than a signed type to avoid internal signed-unsigned
comparison warnings. r=kjacobs
Depends on D78454
[5ee293d1a282]
* lib/pk11wrap/pk11skey.c:
Bug 1643557 - Make PK11_SetWrapKey explicitly handle being passed a
negative wrap argument, to avoid a signed-unsigned comparison.
r=kjacobs
Depends on D78453
[7bb3677a2ed0]
* lib/pk11wrap/pk11akey.c, lib/pk11wrap/pk11cert.c,
lib/pk11wrap/pk11obj.c, lib/pk11wrap/secmodi.h:
Bug 1643557 - Change the type of the size argument to
pk11_FindObjectsByTemplate to be size_t, consistent with the type of
some (small) numeric values passed to it after the previous
revision. r=kjacobs
Depends on D78452
[eaf223c2646a]
* lib/pk11wrap/pk11slot.c:
Bug 1643557 - Use size_t for various counts in pk11slot.c. r=kjacobs
Depends on D78451
[465a7954ce0a]
* lib/pk11wrap/pk11priv.h, lib/pk11wrap/pk11slot.c:
Bug 1643557 - Make pk11_MatchString accept a size_t length rather
than an int length (consistent with all callers), and reformulate
its internals to avoid a signed-unsigned comparison. r=kjacobs
Depends on D78450
[fff8c883ef7d]
* lib/pk11wrap/pk11skey.c, lib/ssl/sslsnce.c, lib/util/secport.h:
Bug 1643557 - Add PORT_AssertNotReached and use it instead of
PORT_Assert(!"str"), which may warn about vacuous string literal to
boolean conversions. r=kjacobs
Depends on D78449
[c0aa47eb2fdd]
* lib/util/secoid.c:
Bug 1643557 - Use SECOidTag as the type of a loop variable over all
values of that type to avoid a signed-unsigned comparison warning.
r=kjacobs
Depends on D78448
[d7f1e9975e67]
* lib/util/utilpars.c:
Bug 1643557 - Use size_t for a parameter-indexing variable to
eliminate a signed-unsigned comparison warning. r=kjacobs
Depends on D78447
[5d7206908ca7]
* lib/freebl/rsapkcs.c:
Bug 1643557 - Used unsigned int for two for-loops upper-bounded by
unsigned ints in rsa_FormatOneBlock. r=kjacobs
Depends on D78446
[ed9a1a41ca1e]
* lib/pk11wrap/debug_module.c:
Bug 1643557 - Use unsigned int for log level, consistent with
PRLogModuleLevel. r=kjacobs
[7f89fa701ce3]
Differential Revision: https://phabricator.services.mozilla.com/D79566
e9ae922ddc