Bug 1317947 - land NSS 0x0ce009e2303a, r=me

2024-11-28 23:31:56 +00:00 · 2016-11-25 06:01:09 +01:00 · 2016-11-25 06:01:09 +01:00 · 540b0b2753
commit 540b0b2753
parent f58e35a5a9
12 changed files with 26 additions and 39 deletions
--- a/security/nss/TAG-INFO
+++ b/security/nss/TAG-INFO
@ -1 +1 @@
-6c26f0cd19ba
+0ce009e2303a
--- a/security/nss/automation/taskcluster/graph/src/extend.js
+++ b/security/nss/automation/taskcluster/graph/src/extend.js
@ -70,10 +70,6 @@ queue.map(task => {
    task.maxRunTime = 7200;
  }

-  // Enable TLS 1.3 for every task.
-  task.env = task.env || {};
-  task.env.NSS_ENABLE_TLS_1_3 = "1";
-
  return task;
 });

--- a/security/nss/coreconf/coreconf.dep
+++ b/security/nss/coreconf/coreconf.dep
@ -10,3 +10,4 @@
 */

 #error "Do not include this header file."
+
--- a/security/nss/gtests/ssl_gtest/Makefile
+++ b/security/nss/gtests/ssl_gtest/Makefile
@ -33,11 +33,8 @@ ifdef NSS_SSL_ENABLE_ZLIB
 include $(CORE_DEPTH)/coreconf/zlib.mk
 endif

-ifndef NSS_ENABLE_TLS_1_3
-NSS_DISABLE_TLS_1_3=1
-endif
-
 ifdef NSS_DISABLE_TLS_1_3
+NSS_DISABLE_TLS_1_3=1
 # Run parameterized tests only, for which we can easily exclude TLS 1.3
 CPPSRCS := $(filter-out $(shell grep -l '^TEST_F' $(CPPSRCS)), $(CPPSRCS))
 CFLAGS += -DNSS_DISABLE_TLS_1_3
--- a/security/nss/lib/nss/nss.h
+++ b/security/nss/lib/nss/nss.h
@ -22,9 +22,9 @@
 * The format of the version string should be
 *     "<major version>.<minor version>[.<patch level>[.<build number>]][ <ECC>][ <Beta>]"
 */
-#define NSS_VERSION "3.28" _NSS_CUSTOMIZED " Beta"
+#define NSS_VERSION "3.29" _NSS_CUSTOMIZED " Beta"
 #define NSS_VMAJOR 3
-#define NSS_VMINOR 28
+#define NSS_VMINOR 29
 #define NSS_VPATCH 0
 #define NSS_VBUILD 0
 #define NSS_BETA PR_TRUE
--- a/security/nss/lib/softoken/softkver.h
+++ b/security/nss/lib/softoken/softkver.h
@ -21,9 +21,9 @@
 * The format of the version string should be
 *     "<major version>.<minor version>[.<patch level>[.<build number>]][ <ECC>][ <Beta>]"
 */
-#define SOFTOKEN_VERSION "3.28" SOFTOKEN_ECC_STRING " Beta"
+#define SOFTOKEN_VERSION "3.29" SOFTOKEN_ECC_STRING " Beta"
 #define SOFTOKEN_VMAJOR 3
-#define SOFTOKEN_VMINOR 28
+#define SOFTOKEN_VMINOR 29
 #define SOFTOKEN_VPATCH 0
 #define SOFTOKEN_VBUILD 0
 #define SOFTOKEN_BETA PR_TRUE
--- a/security/nss/lib/ssl/config.mk
+++ b/security/nss/lib/ssl/config.mk
@ -62,10 +62,6 @@ DEFINES += -DNSS_SSL_ENABLE_ZLIB
 include $(CORE_DEPTH)/coreconf/zlib.mk
 endif

-ifndef NSS_ENABLE_TLS_1_3
-NSS_DISABLE_TLS_1_3=1
-endif
-
 ifdef NSS_DISABLE_TLS_1_3
 DEFINES += -DNSS_DISABLE_TLS_1_3
 endif
--- a/security/nss/lib/ssl/ssl3con.c
+++ b/security/nss/lib/ssl/ssl3con.c
@ -1624,10 +1624,6 @@ ssl3_SetupPendingCipherSpec(sslSocket *ss)
    pwSpec->compressContext = NULL;
    pwSpec->decompressContext = NULL;

-    if (ss->version >= SSL_LIBRARY_VERSION_TLS_1_3) {
-        PORT_Assert(ss->ssl3.hs.kea_def->ephemeral);
-        PORT_Assert(pwSpec->cipher_def->type == type_aead);
-    }
    ssl_ReleaseSpecWriteLock(ss); /*******************************/
    return SECSuccess;
 }
@ -11021,13 +11017,10 @@ ssl3_ComputeTLSFinished(sslSocket *ss, ssl3CipherSpec *spec,
    PK11Context *prf_context;
    unsigned int retLen;

+    PORT_Assert(spec->master_secret);
    if (!spec->master_secret) {
-        const char *label = isServer ? "server finished" : "client finished";
-        unsigned int len = 15;
-        HASH_HashType hashType = ssl3_GetTls12HashType(ss);
-        return ssl3_TLSPRFWithMasterSecret(spec, label, len, hashes->u.raw,
-                                           hashes->len, tlsFinished->verify_data,
-                                           sizeof tlsFinished->verify_data, hashType);
+        PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+        return SECFailure;
    }

    if (spec->version < SSL_LIBRARY_VERSION_TLS_1_2) {
@ -11060,9 +11053,10 @@ ssl3_ComputeTLSFinished(sslSocket *ss, ssl3CipherSpec *spec,
 * ss->ssl3.crSpec).
 */
 SECStatus
-ssl3_TLSPRFWithMasterSecret(ssl3CipherSpec *spec, const char *label,
-                            unsigned int labelLen, const unsigned char *val, unsigned int valLen,
-                            unsigned char *out, unsigned int outLen, HASH_HashType tls12HashType)
+ssl3_TLSPRFWithMasterSecret(sslSocket *ss, ssl3CipherSpec *spec,
+                            const char *label, unsigned int labelLen,
+                            const unsigned char *val, unsigned int valLen,
+                            unsigned char *out, unsigned int outLen)
 {
    SECStatus rv = SECSuccess;

@ -11073,6 +11067,12 @@ ssl3_TLSPRFWithMasterSecret(ssl3CipherSpec *spec, const char *label,
        unsigned int retLen;

        if (spec->version >= SSL_LIBRARY_VERSION_TLS_1_2) {
+            /* Bug 1312976 non-SHA256 exporters are broken. */
+            if (ssl3_GetPrfHashMechanism(ss) != CKM_SHA256) {
+                PORT_Assert(0);
+                PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+                return SECFailure;
+            }
            mech = CKM_NSS_TLS_PRF_GENERAL_SHA256;
        }
        prf_context = PK11_CreateContextBySymKey(mech, CKA_SIGN,
--- a/security/nss/lib/ssl/sslimpl.h
+++ b/security/nss/lib/ssl/sslimpl.h
@ -1842,11 +1842,10 @@ extern HASH_HashType
 ssl3_GetTls12HashType(sslSocket *ss);

 extern SECStatus
-ssl3_TLSPRFWithMasterSecret(ssl3CipherSpec *spec,
+ssl3_TLSPRFWithMasterSecret(sslSocket *ss, ssl3CipherSpec *spec,
                            const char *label, unsigned int labelLen,
                            const unsigned char *val, unsigned int valLen,
-                            unsigned char *out, unsigned int outLen,
-                            HASH_HashType tls12HashType);
+                            unsigned char *out, unsigned int outLen);

 #ifdef TRACE
 #define SSL_TRACE(msg) ssl_Trace msg
--- a/security/nss/lib/ssl/sslinfo.c
+++ b/security/nss/lib/ssl/sslinfo.c
@ -455,9 +455,8 @@ SSL_ExportKeyingMaterial(PRFileDesc *fd,
        PORT_SetError(SSL_ERROR_HANDSHAKE_NOT_COMPLETED);
        rv = SECFailure;
    } else {
-        HASH_HashType ht = ssl3_GetTls12HashType(ss);
-        rv = ssl3_TLSPRFWithMasterSecret(ss->ssl3.cwSpec, label, labelLen, val,
-                                         valLen, out, outLen, ht);
+        rv = ssl3_TLSPRFWithMasterSecret(ss, ss->ssl3.cwSpec, label, labelLen,
+                                         val, valLen, out, outLen);
    }
    ssl_ReleaseSpecReadLock(ss);

--- a/security/nss/lib/util/nssutil.h
+++ b/security/nss/lib/util/nssutil.h
@ -19,9 +19,9 @@
 * The format of the version string should be
 *     "<major version>.<minor version>[.<patch level>[.<build number>]][ <Beta>]"
 */
-#define NSSUTIL_VERSION "3.28 Beta"
+#define NSSUTIL_VERSION "3.29 Beta"
 #define NSSUTIL_VMAJOR 3
-#define NSSUTIL_VMINOR 28
+#define NSSUTIL_VMINOR 29
 #define NSSUTIL_VPATCH 0
 #define NSSUTIL_VBUILD 0
 #define NSSUTIL_BETA PR_TRUE
--- a/security/nss/readme.md
+++ b/security/nss/readme.md
@ -49,7 +49,6 @@ After changing into the NSS directory a typical build of 32-bit NSS is done as f
 The following environment variables might be useful:
 * `BUILD_OPT=1` to get an optimised build
 * `USE_64=1` to get a 64-bit build (recommended)
-* `NSS_ENABLE_TLS_1_3=1` to enable TLS 1.3 support

 The complete list of environment variables can be found [here](https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/Reference/NSS_environment_variables).