From c4ae869e287b36f75a2f194ba55ba03b0f4088b5 Mon Sep 17 00:00:00 2001 From: Kai Engert Date: Thu, 22 Sep 2016 21:21:30 +0200 Subject: [PATCH] Bug 1296266, land NSS_3_27_BETA4, r=franziskus --- security/nss/TAG-INFO | 2 +- security/nss/coreconf/coreconf.dep | 1 + .../nss/external_tests/ssl_gtest/tls_parser.h | 2 +- security/nss/lib/ckfw/builtins/certdata.txt | 149 ------------------ security/nss/lib/ssl/ssl3prot.h | 10 +- security/nss/lib/ssl/sslt.h | 30 ++-- 6 files changed, 29 insertions(+), 165 deletions(-) diff --git a/security/nss/TAG-INFO b/security/nss/TAG-INFO index c232b9b40b9b..592817740cef 100644 --- a/security/nss/TAG-INFO +++ b/security/nss/TAG-INFO @@ -1 +1 @@ -NSS_3_27_BRANCH +NSS_3_27_BETA4 diff --git a/security/nss/coreconf/coreconf.dep b/security/nss/coreconf/coreconf.dep index 5182f75552c8..590d1bfaeee3 100644 --- a/security/nss/coreconf/coreconf.dep +++ b/security/nss/coreconf/coreconf.dep @@ -10,3 +10,4 @@ */ #error "Do not include this header file." + diff --git a/security/nss/external_tests/ssl_gtest/tls_parser.h b/security/nss/external_tests/ssl_gtest/tls_parser.h index 743377d4215d..70e2ab5b97eb 100644 --- a/security/nss/external_tests/ssl_gtest/tls_parser.h +++ b/security/nss/external_tests/ssl_gtest/tls_parser.h @@ -48,7 +48,7 @@ const uint8_t kTlsAlertUnsupportedExtension = 110; const uint8_t kTlsAlertNoApplicationProtocol = 120; const uint16_t kTlsSigSchemeRsaPkcs1Sha1 = 0x0201; -const uint16_t kTlsSigSchemeRsaPssSha256 = 0x0700; +const uint16_t kTlsSigSchemeRsaPssSha256 = 0x0804; const uint8_t kTlsFakeChangeCipherSpec[] = { kTlsChangeCipherSpecType, // Type diff --git a/security/nss/lib/ckfw/builtins/certdata.txt b/security/nss/lib/ckfw/builtins/certdata.txt index 6983e5a03c8d..80ad6d89dbb2 100644 --- a/security/nss/lib/ckfw/builtins/certdata.txt +++ b/security/nss/lib/ckfw/builtins/certdata.txt @@ -8747,155 +8747,6 @@ CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_NOT_TRUSTED CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_NOT_TRUSTED CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE -# -# Certificate "IGC/A" -# -# Issuer: E=igca@sgdn.pm.gouv.fr,CN=IGC/A,OU=DCSSI,O=PM/SGDN,L=Paris,ST=France,C=FR -# Serial Number:39:11:45:10:94 -# Subject: E=igca@sgdn.pm.gouv.fr,CN=IGC/A,OU=DCSSI,O=PM/SGDN,L=Paris,ST=France,C=FR -# Not Valid Before: Fri Dec 13 14:29:23 2002 -# Not Valid After : Sat Oct 17 14:29:22 2020 -# Fingerprint (MD5): 0C:7F:DD:6A:F4:2A:B9:C8:9B:BD:20:7E:A9:DB:5C:37 -# Fingerprint (SHA1): 60:D6:89:74:B5:C2:65:9E:8A:0F:C1:88:7C:88:D2:46:69:1B:18:2C -CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE -CKA_TOKEN CK_BBOOL CK_TRUE -CKA_PRIVATE CK_BBOOL CK_FALSE -CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "IGC/A" -CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 -CKA_SUBJECT MULTILINE_OCTAL -\060\201\205\061\013\060\011\006\003\125\004\006\023\002\106\122 -\061\017\060\015\006\003\125\004\010\023\006\106\162\141\156\143 -\145\061\016\060\014\006\003\125\004\007\023\005\120\141\162\151 -\163\061\020\060\016\006\003\125\004\012\023\007\120\115\057\123 -\107\104\116\061\016\060\014\006\003\125\004\013\023\005\104\103 -\123\123\111\061\016\060\014\006\003\125\004\003\023\005\111\107 -\103\057\101\061\043\060\041\006\011\052\206\110\206\367\015\001 -\011\001\026\024\151\147\143\141\100\163\147\144\156\056\160\155 -\056\147\157\165\166\056\146\162 -END -CKA_ID UTF8 "0" -CKA_ISSUER MULTILINE_OCTAL -\060\201\205\061\013\060\011\006\003\125\004\006\023\002\106\122 -\061\017\060\015\006\003\125\004\010\023\006\106\162\141\156\143 -\145\061\016\060\014\006\003\125\004\007\023\005\120\141\162\151 -\163\061\020\060\016\006\003\125\004\012\023\007\120\115\057\123 -\107\104\116\061\016\060\014\006\003\125\004\013\023\005\104\103 -\123\123\111\061\016\060\014\006\003\125\004\003\023\005\111\107 -\103\057\101\061\043\060\041\006\011\052\206\110\206\367\015\001 -\011\001\026\024\151\147\143\141\100\163\147\144\156\056\160\155 -\056\147\157\165\166\056\146\162 -END -CKA_SERIAL_NUMBER MULTILINE_OCTAL -\002\005\071\021\105\020\224 -END -CKA_VALUE MULTILINE_OCTAL -\060\202\004\002\060\202\002\352\240\003\002\001\002\002\005\071 -\021\105\020\224\060\015\006\011\052\206\110\206\367\015\001\001 -\005\005\000\060\201\205\061\013\060\011\006\003\125\004\006\023 -\002\106\122\061\017\060\015\006\003\125\004\010\023\006\106\162 -\141\156\143\145\061\016\060\014\006\003\125\004\007\023\005\120 -\141\162\151\163\061\020\060\016\006\003\125\004\012\023\007\120 -\115\057\123\107\104\116\061\016\060\014\006\003\125\004\013\023 -\005\104\103\123\123\111\061\016\060\014\006\003\125\004\003\023 -\005\111\107\103\057\101\061\043\060\041\006\011\052\206\110\206 -\367\015\001\011\001\026\024\151\147\143\141\100\163\147\144\156 -\056\160\155\056\147\157\165\166\056\146\162\060\036\027\015\060 -\062\061\062\061\063\061\064\062\071\062\063\132\027\015\062\060 -\061\060\061\067\061\064\062\071\062\062\132\060\201\205\061\013 -\060\011\006\003\125\004\006\023\002\106\122\061\017\060\015\006 -\003\125\004\010\023\006\106\162\141\156\143\145\061\016\060\014 -\006\003\125\004\007\023\005\120\141\162\151\163\061\020\060\016 -\006\003\125\004\012\023\007\120\115\057\123\107\104\116\061\016 -\060\014\006\003\125\004\013\023\005\104\103\123\123\111\061\016 -\060\014\006\003\125\004\003\023\005\111\107\103\057\101\061\043 -\060\041\006\011\052\206\110\206\367\015\001\011\001\026\024\151 -\147\143\141\100\163\147\144\156\056\160\155\056\147\157\165\166 -\056\146\162\060\202\001\042\060\015\006\011\052\206\110\206\367 -\015\001\001\001\005\000\003\202\001\017\000\060\202\001\012\002 -\202\001\001\000\262\037\321\320\142\305\063\073\300\004\206\210 -\263\334\370\210\367\375\337\103\337\172\215\232\111\134\366\116 -\252\314\034\271\241\353\047\211\362\106\351\073\112\161\325\035 -\216\055\317\346\255\253\143\120\307\124\013\156\022\311\220\066 -\306\330\057\332\221\252\150\305\162\376\027\012\262\027\176\171 -\265\062\210\160\312\160\300\226\112\216\344\125\315\035\047\224 -\277\316\162\052\354\134\371\163\040\376\275\367\056\211\147\270 -\273\107\163\022\367\321\065\151\072\362\012\271\256\377\106\102 -\106\242\277\241\205\032\371\277\344\377\111\205\367\243\160\206 -\062\034\135\237\140\367\251\255\245\377\317\321\064\371\175\133 -\027\306\334\326\016\050\153\302\335\361\365\063\150\235\116\374 -\207\174\066\022\326\243\200\350\103\015\125\141\224\352\144\067 -\107\352\167\312\320\262\130\005\303\135\176\261\250\106\220\061 -\126\316\160\052\226\262\060\270\167\346\171\300\275\051\073\375 -\224\167\114\275\040\315\101\045\340\056\307\033\273\356\244\004 -\101\322\135\255\022\152\212\233\107\373\311\335\106\100\341\235 -\074\063\320\265\002\003\001\000\001\243\167\060\165\060\017\006 -\003\125\035\023\001\001\377\004\005\060\003\001\001\377\060\013 -\006\003\125\035\017\004\004\003\002\001\106\060\025\006\003\125 -\035\040\004\016\060\014\060\012\006\010\052\201\172\001\171\001 -\001\001\060\035\006\003\125\035\016\004\026\004\024\243\005\057 -\030\140\120\302\211\012\335\053\041\117\377\216\116\250\060\061 -\066\060\037\006\003\125\035\043\004\030\060\026\200\024\243\005 -\057\030\140\120\302\211\012\335\053\041\117\377\216\116\250\060 -\061\066\060\015\006\011\052\206\110\206\367\015\001\001\005\005 -\000\003\202\001\001\000\005\334\046\330\372\167\025\104\150\374 -\057\146\072\164\340\135\344\051\377\006\007\023\204\112\253\317 -\155\240\037\121\224\370\111\313\164\066\024\274\025\335\333\211 -\057\335\217\240\135\174\365\022\353\237\236\070\244\107\314\263 -\226\331\276\234\045\253\003\176\063\017\225\201\015\375\026\340 -\210\276\067\360\154\135\320\061\233\062\053\135\027\145\223\230 -\140\274\156\217\261\250\074\036\331\034\363\251\046\102\371\144 -\035\302\347\222\366\364\036\132\252\031\122\135\257\350\242\367 -\140\240\366\215\360\211\365\156\340\012\005\001\225\311\213\040 -\012\272\132\374\232\054\074\275\303\267\311\135\170\045\005\077 -\126\024\233\014\332\373\072\110\376\227\151\136\312\020\206\367 -\116\226\004\010\115\354\260\276\135\334\073\216\117\301\375\232 -\066\064\232\114\124\176\027\003\110\225\010\021\034\007\157\205 -\010\176\135\115\304\235\333\373\256\316\262\321\263\270\203\154 -\035\262\263\171\361\330\160\231\176\360\023\002\316\136\335\121 -\323\337\066\201\241\033\170\057\161\263\361\131\114\106\030\050 -\253\205\322\140\126\132 -END - -# Trust for Certificate "IGC/A" -# Issuer: E=igca@sgdn.pm.gouv.fr,CN=IGC/A,OU=DCSSI,O=PM/SGDN,L=Paris,ST=France,C=FR -# Serial Number:39:11:45:10:94 -# Subject: E=igca@sgdn.pm.gouv.fr,CN=IGC/A,OU=DCSSI,O=PM/SGDN,L=Paris,ST=France,C=FR -# Not Valid Before: Fri Dec 13 14:29:23 2002 -# Not Valid After : Sat Oct 17 14:29:22 2020 -# Fingerprint (MD5): 0C:7F:DD:6A:F4:2A:B9:C8:9B:BD:20:7E:A9:DB:5C:37 -# Fingerprint (SHA1): 60:D6:89:74:B5:C2:65:9E:8A:0F:C1:88:7C:88:D2:46:69:1B:18:2C -CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST -CKA_TOKEN CK_BBOOL CK_TRUE -CKA_PRIVATE CK_BBOOL CK_FALSE -CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "IGC/A" -CKA_CERT_SHA1_HASH MULTILINE_OCTAL -\140\326\211\164\265\302\145\236\212\017\301\210\174\210\322\106 -\151\033\030\054 -END -CKA_CERT_MD5_HASH MULTILINE_OCTAL -\014\177\335\152\364\052\271\310\233\275\040\176\251\333\134\067 -END -CKA_ISSUER MULTILINE_OCTAL -\060\201\205\061\013\060\011\006\003\125\004\006\023\002\106\122 -\061\017\060\015\006\003\125\004\010\023\006\106\162\141\156\143 -\145\061\016\060\014\006\003\125\004\007\023\005\120\141\162\151 -\163\061\020\060\016\006\003\125\004\012\023\007\120\115\057\123 -\107\104\116\061\016\060\014\006\003\125\004\013\023\005\104\103 -\123\123\111\061\016\060\014\006\003\125\004\003\023\005\111\107 -\103\057\101\061\043\060\041\006\011\052\206\110\206\367\015\001 -\011\001\026\024\151\147\143\141\100\163\147\144\156\056\160\155 -\056\147\157\165\166\056\146\162 -END -CKA_SERIAL_NUMBER MULTILINE_OCTAL -\002\005\071\021\105\020\224 -END -CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR -CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR -CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE - # Distrust "Distrusted AC DG Tresor SSL" # Issuer: CN=AC DGTPE Signature Authentification,O=DGTPE,C=FR # Serial Number: 204199 (0x31da7) diff --git a/security/nss/lib/ssl/ssl3prot.h b/security/nss/lib/ssl/ssl3prot.h index b4396daefeed..2c503c5fdc0a 100644 --- a/security/nss/lib/ssl/ssl3prot.h +++ b/security/nss/lib/ssl/ssl3prot.h @@ -343,11 +343,11 @@ typedef enum { ssl_sig_ecdsa_secp256r1_sha256 = 0x0403, ssl_sig_ecdsa_secp384r1_sha384 = 0x0503, ssl_sig_ecdsa_secp521r1_sha512 = 0x0603, - ssl_sig_rsa_pss_sha256 = 0x0700, - ssl_sig_rsa_pss_sha384 = 0x0701, - ssl_sig_rsa_pss_sha512 = 0x0702, - ssl_sig_ed25519 = 0x0703, - ssl_sig_ed448 = 0x0704, + ssl_sig_rsa_pss_sha256 = 0x0804, + ssl_sig_rsa_pss_sha384 = 0x0805, + ssl_sig_rsa_pss_sha512 = 0x0806, + ssl_sig_ed25519 = 0x0807, + ssl_sig_ed448 = 0x0808, ssl_sig_dsa_sha1 = 0x0202, ssl_sig_dsa_sha256 = 0x0402, diff --git a/security/nss/lib/ssl/sslt.h b/security/nss/lib/ssl/sslt.h index d3a5c63fc159..2e3eff94fe62 100644 --- a/security/nss/lib/ssl/sslt.h +++ b/security/nss/lib/ssl/sslt.h @@ -157,9 +157,10 @@ typedef struct SSLExtraServerCertDataStr { } SSLExtraServerCertData; typedef struct SSLChannelInfoStr { - /* |length| is obsolete. On return, SSL_GetChannelInfo sets |length| to the - * smaller of the |len| argument and the length of the struct. The caller - * may ignore |length|. */ + /* On return, SSL_GetChannelInfo sets |length| to the smaller of + * the |len| argument and the length of the struct used by NSS. + * Callers must ensure the application uses a version of NSS that + * isn't older than the version used at compile time. */ PRUint32 length; PRUint16 protocolVersion; PRUint16 cipherSuite; @@ -194,6 +195,9 @@ typedef struct SSLChannelInfoStr { * client side that the server accepted early (0-RTT) data. */ PRBool earlyDataAccepted; + + /* When adding new fields to this structure, please document the + * NSS version in which they were added. */ } SSLChannelInfo; /* Preliminary channel info */ @@ -202,9 +206,10 @@ typedef struct SSLChannelInfoStr { #define ssl_preinfo_all (ssl_preinfo_version | ssl_preinfo_cipher_suite) typedef struct SSLPreliminaryChannelInfoStr { - /* |length| is obsolete. On return, SSL_GetPreliminaryChannelInfo sets - * |length| to the smaller of the |len| argument and the length of the - * struct. The caller may ignore |length|. */ + /* On return, SSL_GetPreliminaryChannelInfo sets |length| to the smaller of + * the |len| argument and the length of the struct used by NSS. + * Callers must ensure the application uses a version of NSS that + * isn't older than the version used at compile time. */ PRUint32 length; /* A bitfield over SSLPreliminaryValueSet that describes which * preliminary values are set (see ssl_preinfo_*). */ @@ -213,12 +218,16 @@ typedef struct SSLPreliminaryChannelInfoStr { PRUint16 protocolVersion; /* Cipher suite: test (valuesSet & ssl_preinfo_cipher_suite) */ PRUint16 cipherSuite; + + /* When adding new fields to this structure, please document the + * NSS version in which they were added. */ } SSLPreliminaryChannelInfo; typedef struct SSLCipherSuiteInfoStr { - /* |length| is obsolete. On return, SSL_GetCipherSuitelInfo sets |length| - * to the smaller of the |len| argument and the length of the struct. The - * caller may ignore |length|. */ + /* On return, SSL_GetCipherSuitelInfo sets |length| to the smaller of + * the |len| argument and the length of the struct used by NSS. + * Callers must ensure the application uses a version of NSS that + * isn't older than the version used at compile time. */ PRUint16 length; PRUint16 cipherSuite; @@ -253,10 +262,13 @@ typedef struct SSLCipherSuiteInfoStr { PRUintn nonStandard : 1; PRUintn reservedBits : 29; + /* The following fields were added in NSS 3.24. */ /* This reports the correct authentication type for the cipher suite, use * this instead of |authAlgorithm|. */ SSLAuthType authType; + /* When adding new fields to this structure, please document the + * NSS version in which they were added. */ } SSLCipherSuiteInfo; typedef enum {