mirror of
https://github.com/mozilla/gecko-dev.git
synced 2024-10-07 18:04:46 +00:00
735ba70f94
4743 Commits
| Author | SHA1 | Message | Date | |
|---|---|---|---|---|
Benjamin Beurdouche
|
8d848a2cbe |
Bug 1694020 - land NSS NSS_3_63_RTM UPGRADE_NSS_RELEASE, r=beurdouche
Differential Revision: https://phabricator.services.mozilla.com/D108957 |
||
|
Benjamin Beurdouche
|
f8d14645f7 |
Bug 1694020 - land NSS 61e70233f80e UPGRADE_NSS_RELEASE, r=beurdouche
2021-03-10 Benjamin Beurdouche <bbeurdouche@mozilla.com> * cmd/bltest/blapitest.c, lib/freebl/blapi.h, lib/freebl/chacha20poly1305-ppc.c, lib/freebl/chacha20poly1305.c, lib/freebl/loader.c: Bug 1613235 - Clang-format for: POWER ChaCha20 stream cipher vector acceleration r=beurdouche Depends on D107221 [61e70233f80e] [tip] 2021-03-10 aoeu <aoeuh@yandex.ru> * cmd/bltest/blapitest.c, lib/freebl/blapi.h, lib/freebl/blapit.h, lib/freebl/chacha20poly1305.c, lib/freebl/chacha20poly1305.h, lib/freebl/ldvector.c, lib/freebl/loader.c, lib/freebl/loader.h: Bug 1613235 - Add POWER ChaCha20 stream cipher vector acceleration. r=bbeurdouche Depends on D107220 [4f7ba08bd991] * lib/freebl/Makefile, lib/freebl/chacha20-ppc64le.S, lib/freebl/chacha20poly1305-ppc.c, lib/freebl/chacha20poly1305.c, lib/freebl/freebl.gyp, lib/freebl/freebl_base.gypi: Bug 1613235 - Add POWER ChaCha20 stream cipher vector acceleration. r=bbeurdouche [764124fddaa2] 2021-03-10 Benjamin Beurdouche <bbeurdouche@mozilla.com> * lib/freebl/ecl/ecp_secp384r1.c, lib/freebl/ecl/ecp_secp521r1.c: Bug 1697380 - Make a clang-format run on top of helpful contributions. r=beurdouche Depends on D106881 [8a9174a78207] * lib/freebl/ecl/ecp_secp384r1.c: Bug 1683520 - ECCKiila P384, change syntax of nested structs initialization to prevent build isses with GCC 4.8. r=bbrumley Depends on D102389 [150cbb169f1e] 2021-03-10 Billy Brumley <bbrumley@gmail.com> * lib/freebl/ecl/ecp_secp384r1.c: Bug 1683520 - [lib/freebl/ecl] P-384: allow zero scalars in dual scalar multiplication r=bbeurdouche [76aca2d944ae] 2021-03-10 Benjamin Beurdouche <bbeurdouche@mozilla.com> * lib/freebl/ecl/ecp_secp521r1.c: Bug 1683520 - ECCKiila P521, change syntax of nested structs initialization to prevent build isses with GCC 4.8. r=bbrumley Depends on D102406 [5e7affa3ce43] 2021-03-10 Billy Brumley <bbrumley@gmail.com> * lib/freebl/ecl/ecp_secp521r1.c: Bug 1683520 - [lib/freebl/ecl] P-521: allow zero scalars in dual scalar multiplication r=bbeurdouche [a8f4918cd546] 2021-03-08 Benjamin Beurdouche <bbeurdouche@mozilla.com> * automation/taskcluster/scripts/run_hacl.sh, lib/freebl/verified/Hacl_Bignum25519_51.h, lib/freebl/verified/Hacl_Chacha20.c, lib/freebl/verified/Hacl_Chacha20.h, lib/freebl/verified/Hacl_Chacha20Poly1305_128.c, lib/freebl/verified/Hacl_Chacha20Poly1305_128.h, lib/freebl/verified/Hacl_Chacha20Poly1305_256.c, lib/freebl/verified/Hacl_Chacha20Poly1305_256.h, lib/freebl/verified/Hacl_Chacha20Poly1305_32.c, lib/freebl/verified/Hacl_Chacha20Poly1305_32.h, lib/freebl/verified/Hacl_Chacha20_Vec128.c, lib/freebl/verified/Hacl_Chacha20_Vec128.h, lib/freebl/verified/Hacl_Chacha20_Vec256.c, lib/freebl/verified/Hacl_Chacha20_Vec256.h, lib/freebl/verified/Hacl_Curve25519_51.c, lib/freebl/verified/Hacl_Curve25519_51.h, lib/freebl/verified/Hacl_Kremlib.h, lib/freebl/verified/Hacl_Poly1305_128.c, lib/freebl/verified/Hacl_Poly1305_128.h, lib/freebl/verified/Hacl_Poly1305_256.c, lib/freebl/verified/Hacl_Poly1305_256.h, lib/freebl/verified/Hacl_Poly1305_32.c, lib/freebl/verified/Hacl_Poly1305_32.h, lib/freebl/verified/kremlin/include/kremlin/internal/target.h, lib/freebl/verified/kremlin/include/kremlin/internal/types.h, lib/freebl/verified/kremlin/kremlib/dist/minimal/FStar_UInt128.h, li b/freebl/verified/kremlin/kremlib/dist/minimal/FStar_UInt128_Verifie d.h, lib/freebl/verified/kremlin/kremlib/dist/minimal/FStar_UInt_8_1 6_32_64.h, lib/freebl/verified/kremlin/kremlib/dist/minimal/LowStar_ Endianness.h, lib/freebl/verified/kremlin/kremlib/dist/minimal/fstar _uint128_gcc64.h, lib/freebl/verified/kremlin/kremlib/dist/minimal/f star_uint128_msvc.h, lib/freebl/verified/libintvector.h: Bug 1696800 - HACL* update March 2021 - c95ab70fcb2bc21025d8845281bc4bc8987ca683 r=beurdouche [3a85b452dbfa] Differential Revision: https://phabricator.services.mozilla.com/D107995 |
||
|
Benjamin Beurdouche
|
590564d9d4 |
Bug 1694020 - land NSS 38a91427d65fffd0d7f7d2b6d0bcee7dc8b77a37 UPGRADE_NSS_RELEASE, r=beurdouche
Differential Revision: https://phabricator.services.mozilla.com/D107084 |
||
|
Butkovits Atila
|
043c0bbe2d | Backed out changeset 40a2cb2f242b (bug 1694020) on request from beurdouche, UPGRADE_NSS_RELEASE CLOSED TREE | ||
|
Benjamin Beurdouche
|
dd75eb4204 |
Bug 1694020 - land NSS 38a91427d65fffd0d7f7d2b6d0bcee7dc8b77a37 UPGRADE_NSS_RELEASE, r=beurdouche
Differential Revision: https://phabricator.services.mozilla.com/D107084 |
||
|
Benjamin Beurdouche
|
76f4cfc3b7 |
Bug 1688685 - land NSS NSS_3_62_RTM UPGRADE_NSS_RELEASE, r=beurdouche
2021-02-19 Benjamin Beurdouche <bbeurdouche@mozilla.com> * lib/nss/nss.h, lib/softoken/softkver.h, lib/util/nssutil.h: Set version numbers to 3.62 final [a8e045a9fff6] [NSS_3_62_RTM] <NSS_3_62_BRANCH> 2021-02-15 Benjamin Beurdouche <bbeurdouche@mozilla.com> * .hgtags: Added tag NSS_3_62_BETA1 for changeset a5c857139b37 [145c269c82d6] <NSS_3_62_BRANCH> Differential Revision: https://phabricator.services.mozilla.com/D105739 |
||
|
Benjamin Beurdouche
|
6dfa84bd39 |
Bug 1688685 - land NSS NSS_3_62_BETA1 UPGRADE_NSS_RELEASE, r=mt
``` 2021-02-05 Danh <congdanhqx@gmail.com> * gtests/manifest.mn: Bug 1688374 - Fix parallel build NSS-3.61 with make. r=kjacobs [a5c857139b37] [NSS_3_62_BETA1] 2021-02-05 Robert Relyea <rrelyea@redhat.com> * lib/libpkix/pkix/util/pkix_tools.c: Bug 1682044 pkix_Build_GatherCerts() + pkix_CacheCert_Add() can corrupt "cachedCertTable" Patch by Andrew Cagney Preliminary Review by Ryan Sleevie Tested against all.sh rrelyea. r=kjacobs (this bug is old) pkix_Build_GatherCerts() has two code paths for creating the list "certsFound": pkix_CacheCert_Lookup() this sets "certsFound" to a new list "certsFound" and "cachedCertTable" share items but not the list pkix_CacheCert_Add(pkix_pl_Pk11CertStore_CertQuery()) this sets "certsFound" to a new list; and then adds the list to "cachedCertTable" "certsFound" and "cachedCertTable" share a linked list Because the latter doesn't create a separate list, deleting list elements from "certsFound" can also delete list elements from within "cacheCertTable". And if this happens while pkix_CacheCert_Lookup() is trying to update the same element's reference, a core dump can result. In detail (note that reference counts may occasionally seem off by 1, its because data is being captured before function local variables release their reference): pkix_Build_GatherCerts() calls pkix_pl_Pk11CertStore_CertQuery() (via a pointer) to sets "certsFound": PKIX_CHECK(getCerts (certStore, state->certSel, state->verifyNode, &nbioContext, &certsFound, plContext), PKIX_GETCERTSFAILED); it then calls: PKIX_CHECK(pkix_CacheCert_Add (certStore, certSelParams, certsFound, plContext), PKIX_CACHECERTADDFAILED); [dafda4eee75c] ``` Differential Revision: https://phabricator.services.mozilla.com/D105209 |
||
|
Benjamin Beurdouche
|
d901b16ba2 |
Bug 1688685 - land NSS fc3a4c142c16 UPGRADE_NSS_RELEASE, r=kjacobs
2021-02-04 Kevin Jacobs <kjacobs@mozilla.com> * gtests/ssl_gtest/ssl_recordsize_unittest.cc, lib/ssl/ssl3ext.c: Bug 1690583 - Fix CH padding extension size calculation. r=mt Bug 1654332 changed the way that NSS constructs Client Hello messages. `ssl_CalculatePaddingExtLen` now receives a `clientHelloLength` value that includes the 4B handshake header. This looks okay per the inline comment (which states that only the record header is omitted from the length), but the function actually assumes that the handshake header is also omitted. This patch removes the addition of the handshake header length. Those bytes are already included in the buffered CH. [fc3a4c142c16] [tip] * automation/abi-check/expected-report-libnss3.so.txt: Bug 1690421 - Adjust 3.62 ABI report formatting for new libabigail. r=bbeurdouche [a1ed44dba32e] 2021-02-03 Kevin Jacobs <kjacobs@mozilla.com> * automation/taskcluster/docker-builds/Dockerfile: Bug 1690421 - Install packaged libabigail in docker-builds image r=bbeurdouche [3c719b620136] 2021-01-31 Kevin Jacobs <kjacobs@mozilla.com> * cmd/selfserv/selfserv.c, cmd/tstclnt/tstclnt.c, lib/ssl/tls13hashstate.c, lib/ssl/tls13hashstate.h: Bug 1689228 - Minor ECH -09 fixes for interop testing, fuzzing. r=mt A few minor ECH -09 fixes for interop testing and fuzzing: - selfserv now takes a PKCS8 keypair for ECH. This is more maintainable and significantly less terrible than parsing the ECHConfigs and cobbling one together within selfserv (e.g. we can support other KEMs without modifying the server). - Get rid of the newline character in tstclnt retry_configs output. - Fuzzer fixes in tls13_HandleHrrCookie: - We shouldn't use internal_error when PK11_HPKE_ImportContext fails. Cookies are unprotected in fuzzer mode, so this can be expected to occur. - Only restore the application token when recovering hash state, otherwise the copy could happen twice, leaking one of the allocations. [8bbea1902024] 2021-01-25 Kevin Jacobs <kjacobs@mozilla.com> * lib/ssl/ssl3exthandle.c: Bug 1674819 - Fixup a51fae403328, enum type may be signed. r=bbeurdouche [2004338a2080] Differential Revision: https://phabricator.services.mozilla.com/D104258 |
||
|
Kevin Jacobs
|
f9716bc8ab |
Bug 1688685 - land NSS 92dcda94c1d4 UPGRADE_NSS_RELEASE, r=bbeurdouche
2021-01-22 Kevin Jacobs <kjacobs@mozilla.com> * automation/abi-check/previous-nss-release, lib/nss/nss.h, lib/softoken/softkver.h, lib/util/nssutil.h: Set version numbers to 3.62 Beta [680ec01577b9] 2021-01-23 Kevin Jacobs <kjacobs@mozilla.com> * tests/chains/scenarios/nameconstraints.cfg, tests/libpkix/certs/NameConstraints.ipaca.cert, tests/libpkix/certs/NameConstraints.ocsp1.cert: Bug 1686134 - Renew two chains libpkix test certificates. r=rrelyea [3ddcd845704c] 2021-01-25 Kevin Jacobs <kjacobs@mozilla.com> * gtests/common/testvectors/hpke-vectors.h, gtests/pk11_gtest/pk11_hpke_unittest.cc, lib/pk11wrap/pk11hpke.c, lib/pk11wrap/pk11hpke.h, lib/pk11wrap/pk11pub.h: Bug 1678398 - Update HPKE to draft-07. r=mt This patch updates HPKE to draft-07. A few other minor changes are included: - Refactor HPKE gtests for increased parameterized testing. - Replace memcpy calls with PORT_Memcpy - Serialization tweaks to make way for context Export/Import (D99277). This should not be landed without an ECH update, as fixed ECH test vectors will otherwise fail to decrypt. [e0bf8cadadc7] * automation/abi-check/expected-report-libnss3.so.txt, gtests/pk11_gtest/pk11_hpke_unittest.cc, lib/nss/nss.def, lib/pk11wrap/pk11hpke.c, lib/pk11wrap/pk11pub.h: Bug 1678398 - Add Export/Import functions for HPKE context. r=mt This patch adds and exports two new HPKE functions: `PK11_HPKE_ExportContext` and `PK11_HPKE_ImportContext`, which are used to export a serialized HPKE context, then later reimport that context and resume Open and Export operations. Only receiver contexts are currently supported for export (see the rationale in pk11pub.h). One other change introduced here is that `PK11_HPKE_GetEncapPubKey` now works as expected on the receiver side. If the `wrapKey` argument is provided to the Export/Import functions, then the symmetric keys are wrapped with AES Key Wrap with Padding (SP800-38F, 6.3) prior to serialization. [8bcd12ab3b34] * automation/abi-check/expected-report-libssl3.so.txt, gtests/ssl_gtest/libssl_internals.c, gtests/ssl_gtest/libssl_internals.h, gtests/ssl_gtest/ssl_extension_unittest.cc, gtests/ssl_gtest/tls_ech_unittest.cc, lib/ssl/ssl3con.c, lib/ssl/ssl3ext.c, lib/ssl/ssl3ext.h, lib/ssl/sslexp.h, lib/ssl/sslimpl.h, lib/ssl/sslsecur.c, lib/ssl/sslsock.c, lib/ssl/sslt.h, lib/ssl/tls13con.c, lib/ssl/tls13con.h, lib/ssl/tls13ech.c, lib/ssl/tls13ech.h, lib/ssl/tls13exthandle.c, lib/ssl/tls13exthandle.h, lib/ssl/tls13hashstate.c, lib/ssl/tls13hashstate.h: Bug 1681585 - Update ECH to Draft-09. r=mt This patch updates ECH implementation to draft-09. Changes of note are: - Acceptance signal derivation is now based on the handshake secret. - `config_id` hint changes from 32B to 8B, trial decryption added on the server. - Duplicate code in HRR cookie handling has been consolidated into `tls13_HandleHrrCookie`. - `ech_is_inner` extension is added, which causes a server to indicate ECH acceptance. - Per the above, support signaling ECH acceptance when acting as a backend server in split-mode (i.e. when there is no other local Encrypted Client Hello state). [ed07a2e2a124] 2021-01-24 Kevin Jacobs <kjacobs@mozilla.com> * cmd/selfserv/selfserv.c: Bug 1681585 - Add ECH support to selfserv. r=mt Usage example: mkdir dbdir && cd dbdir certutil -N -d . certutil -S -s "CN=ech-public.com" -n ech-public.com -x -t "C,C,C" -m 1234 -d . certutil -S -s "CN=ech-private-backend.com" -n ech-private- backend.com -x -t "C,C,C" -m 2345 -d . ../dist/Debug/bin/selfserv -a ech-public.com -a ech-private-backend.com -n ech-public.com -n ech- private-backend.com -p 8443 -d dbdir/ -X publicname:ech-public.com (Copy echconfig from selfserv output and paste into the below command) ../dist/Debug/bin/tstclnt -D -p 8443 -v -A tests/ssl/sslreq.dat -h ech-private-backend.com -o -N <echconfig> -v [92dcda94c1d4] Differential Revision: https://phabricator.services.mozilla.com/D102982 |
||
|
Kevin Jacobs
|
9ff5a5feb0 |
Bug 1684061 - land NSS NSS_3_61_RTM UPGRADE_NSS_RELEASE, r=bbeurdouche
2021-01-22 Kevin Jacobs <kjacobs@mozilla.com> * lib/nss/nss.h, lib/softoken/softkver.h, lib/util/nssutil.h: Set version numbers to 3.61 final [b09bdf93e079] [NSS_3_61_RTM] <NSS_3_61_BRANCH> 2021-01-19 Kevin Jacobs <kjacobs@mozilla.com> * .hgtags: Added tag NSS_3_61_BETA1 for changeset 68ae9b456b1b [3c88f7111594] Differential Revision: https://phabricator.services.mozilla.com/D102781 |
||
|
Kevin Jacobs
|
7a93d152d6 |
Bug 1684061 - land NSS NSS_3_61_BETA1 UPGRADE_NSS_RELEASE, r=bbeurdouche
2021-01-13 Kevin Jacobs <kjacobs@mozilla.com> * automation/taskcluster/graph/src/try_syntax.js: Bug 1686557 - Support aarch64-make target in nss-try. r=bbeurdouche [68ae9b456b1b] [NSS_3_61_BETA1] Differential Revision: https://phabricator.services.mozilla.com/D102421 |
||
|
Kevin Jacobs
|
4d02d441fc |
Bug 1684061 - land NSS a8de35c990e3 UPGRADE_NSS_RELEASE, r=bbeurdouche
2021-01-13 Kevin Jacobs <kjacobs@mozilla.com> * gtests/softoken_gtest/manifest.mn: Bug 1684300 - Define USE_STATIC_LIBS=1 for softoken_gtest make builds. r=bbeurdouche [a8de35c990e3] [tip] * gtests/softoken_gtest/manifest.mn, gtests/softoken_gtest/softoken_gtest.cc, gtests/softoken_gtest/softoken_gtest.gyp, lib/softoken/sftkdb.c, tests/gtests/gtests.sh: Bug 1684300 - Disable legacy storage when compiled with NSS_DISABLE_DBM. r=mt [d4991bb56852] Differential Revision: https://phabricator.services.mozilla.com/D101703 |
||
|
Kevin Jacobs
|
1eb47f6133 |
Bug 1684061 - land NSS 97ef009f7a78 UPGRADE_NSS_RELEASE, r=bbeurdouche
2020-12-11 Kevin Jacobs <kjacobs@mozilla.com> * automation/abi-check/expected-report-libssl3.so.txt, automation/abi- check/previous-nss-release, lib/nss/nss.h, lib/softoken/softkver.h, lib/util/nssutil.h: Set version numbers to 3.61 Beta [f277d2674c80] * gtests/<...> Bug 1677207 - Update Google Test to release-1.10.0 r=bbeurdouche ./gtests/google_test/update.sh release-1.10.0 && hg remove -A && hg add gtests/google_test/* [89141382df45] * gtests/<...> Bug 1677207 - Replace references to TestCase, which is deprecated, with TestSuite r=bbeurdouche grep -rl --exclude-dir=google_test INSTANTIATE_TEST_CASE_P gtests | xargs sed -i '' s/INSTANTIATE_TEST_CASE_P/INSTANTIATE_TEST_SUITE_P/g grep -rl --exclude-dir=google_test SetUpTestCase gtests | xargs sed -i '' s/SetUpTestCase/SetUpTestSuite/g [e15b78be87fa] * gtests/ssl_gtest/ssl_ciphersuite_unittest.cc, gtests/ssl_gtest/ssl_debug_env_unittest.cc, gtests/ssl_gtest/ssl_extension_unittest.cc, gtests/ssl_gtest/ssl_loopback_unittest.cc, gtests/ssl_gtest/ssl_renegotiation_unittest.cc, gtests/ssl_gtest/ssl_resumption_unittest.cc, gtests/ssl_gtest/ssl_version_unittest.cc, gtests/ssl_gtest/tls_ech_unittest.cc: Bug 1677207 - Use GTEST_SKIP in ssl_gtests. r=bbeurdouche [0772f1bf5fd6] 2020-12-17 Robert Relyea <rrelyea@redhat.com> * gtests/common/testvectors/ike-aesxcbc-vectors.h, gtests/common/testvectors/ike-sha1-vectors.h, gtests/common/testvectors/ike-sha256-vectors.h, gtests/common/testvectors/ike-sha384-vectors.h, gtests/common/testvectors/ike-sha512-vectors.h, gtests/common/testvectors_base/test-structs.h, gtests/pk11_gtest/manifest.mn, gtests/pk11_gtest/pk11_gtest.gyp, gtests/pk11_gtest/pk11_ike_unittest.cc, lib/softoken/sftkike.c: Bug 1682071 IKE Quick mode IPSEC give you incorrect keys if you are asking for keys smaller than the hash size. IKE Appendix B fixes. This patch fixes 2 problems. If you run either ike v1 App B or quick mode asking for a key with length mod macsize = 0, you will generate an extra block that's not used and overwrites the end of the buffer. If you use quick mode, the function incorrectly subsets the existing key rather than generating a new key. This is correct behavior for Appendix B, where appendix B is trying to take a generated key and create a new longer key (with no diversification, just transform the key into something that's longer), so if you ask for a key less than or equal to, then you want to just subset the original key. In quick mode you are taking a base key and creating a set of new keys based on additional data, so you want to subset the generated data. This patch only subsets the original key if you aren't doing quickmode. Full test vectors have now been added for all ike modes in this patch as well (previously we depended on the FIPS CAVS tests to test ike, which covers basic IKEv1, IKEv1_psk, and IKEv2 but not IKEv1 App B and IKE v1 Quick mode). [f4995c9fa185] 2020-12-18 Robert Relyea <rrelyea@redhat.com> * gtests/common/testvectors/rsa_pkcs1_2048_test-vectors.h, gtests/common/testvectors/rsa_pkcs1_3072_test-vectors.h, gtests/common/testvectors/rsa_pkcs1_4096_test-vectors.h, gtests/freebl_gtest/Makefile, gtests/freebl_gtest/manifest.mn, gtests/freebl_gtest/rsa_unittest.cc, gtests/manifest.mn, gtests/pk11_gtest/pk11_rsaencrypt_unittest.cc, gtests/pk11_gtest/pk11_rsaoaep_unittest.cc, lib/freebl/alghmac.c, lib/freebl/alghmac.h, lib/freebl/rsapkcs.c: Bug 1651411 New tlsfuzzer code can still detect timing issues in RSA operations. This patch defeats Bleichenbacher by not trying to hide the size of the decrypted text, but to hide if the text succeeded for failed. This is done by generating a fake returned text that's based on the key and the cipher text, so the fake data is always the same for the same key and cipher text. Both the length and the plain text are generated with a prf. Here's the proposed spec the patch codes to: 1. Use SHA-256 to hash the private exponent encoded as a big- endian integer to a string the same length as the public modulus. Keep this value secret. (this is just an optimisation so that the implementation doesn't have to serialise the key over and over again) 2. Check the length of input according to step one of https://tools.ietf.org/html/rfc8017#section-7.2.2 3. When provided with a ciphertext, use SHA-256 HMAC(key=hash_from_step1, text=ciphertext) to generate the key derivation key 4. Use SHA-256 HMAC with key derivation key as the key and a two-byte big- endian iterator concatenated with byte string "length" with the big- endian representation of 2048 (0x0800) as the bit length of the generated string. - Iterate this PRF 8 times to generate a 256 byte string 5. initialise the length of synthetic message to 0 6. split the PRF output into 2 byte strings, convert into big-endian integers, zero- out high-order bits so that they have the same bit length as the octet length of the maximum acceptable message size (k-11), select the last integer that is no larger than (k-11) or remain at 0 if no integer is smaller than (k-11); this selection needs to be performed using a side-channel free operators 7. Use SHA-256 HMAC with key derivation key as the key and a two-byte big-endian iterator concatenated with byte string "message" with the big-endian representation of k*8 - use this PRF to generate k bytes of output (right-truncate last HMAC call if the number of generated bytes is not a multiple of SHA-256 output size) 8. perform the RSA decryption as described in step 2 of section 7.2.2 of rfc8017 9. Verify the EM message padding as described in step 3 of section 7.2.2 of rfc8017, but instead of outputting "decryption error", return the last l bytes of the "message" PRF, when l is the selected synthetic message length using the "length" PRF, make this decision and copy using side-channel free operation [fc05574c7399] 2020-12-22 Robert Relyea <rrelyea@redhat.com> * gtests/freebl_gtest/rsa_unittest.cc, gtests/pk11_gtest/pk11_rsaoaep_unittest.cc, lib/freebl/alghmac.c, lib/freebl/rsapkcs.c: Restore lost portion of the bleichenbacher timing batch that addressed review comments. All the review comments pertained to actual code comments, so this patch only affects the comments. [fcebe146314e] 2020-12-22 Kevin Jacobs <kjacobs@mozilla.com> * lib/dev/devslot.c: Bug 1682863 - Revert nssSlot_IsTokenPresent to 3.58 after ongoing Fx hangs with slow PKCS11 devices. r=bbeurdouche This patch reverts the `nssSlot_IsTokenPresent` changes made in bug 1663661 and bug 1679290, restoring the version used in NSS 3.58 and earlier. It's not an actual `hg backout` because the comment in lib/dev/devt.h is worth keeping. While removing the nested locking did resolve the hang for some (most?) third-party modules, problems remain with some slower tokens after an even further relaxation of the locking, which defeats the purpose of addressing the races in the first place. The crash addressed by these patches was caused by the Intermediate Preloading Healer in Firefox, which has been disabled. We clearly have insufficient test coverage for third-party modules, and now that osclientcerts is enabled in Fx Nightly, any problems caused by these and similar changes is unlikely to be reported until Fx Beta, well after NSS RTM. I think the best option at this point is to simply revert NSS. [97ef009f7a78] [tip] Differential Revision: https://phabricator.services.mozilla.com/D100401 |
||
|
Kevin Jacobs
|
b98935cc63 |
Bug 1677548 - land NSS NSS_3_60_RTM UPGRADE_NSS_RELEASE, r=bbeurdouche
2020-12-11 Kevin Jacobs <kjacobs@mozilla.com> * lib/nss/nss.h, lib/softoken/softkver.h, lib/util/nssutil.h: Set version numbers to 3.60 final [2015cf6ca323] [NSS_3_60_RTM] <NSS_3_60_BRANCH> 2020-12-08 Kevin Jacobs <kjacobs@mozilla.com> * .hgtags: Added tag NSS_3_60_BETA1 for changeset f84fb229842a [1fe6cb3c3874] Differential Revision: https://phabricator.services.mozilla.com/D99488 |
||
|
Kevin Jacobs
|
f9f2383ae3 |
Bug 1677548 - land NSS NSS_3_60_BETA1 UPGRADE_NSS_RELEASE, r=keeler
Differential Revision: https://phabricator.services.mozilla.com/D99258 |
||
|
Kevin Jacobs
|
254f0c7699 |
Bug 1677548 - land NSS f84fb229842a UPGRADE_NSS_RELEASE, r=bbeurdouche
2020-12-04 Kevin Jacobs <kjacobs@mozilla.com> * gtests/pk11_gtest/pk11_aeskeywrappad_unittest.cc, lib/pk11wrap/pk11obj.c: Bug 1680400 - Fix memory leak in PK11_UnwrapPrivKey. r=bbeurdouche [f84fb229842a] [tip] 2020-12-03 yogesh <yoyogesh01@gmail.com> * cmd/tstclnt/tstclnt.c: Bug 1570539 - Removed -X alt-server-hello option from tstclnt r=kjacobs [ef9198eb2895] 2020-12-03 J.C. Jones <jjones@mozilla.com> * lib/util/pkcs11t.h: Bug 1675523 - CKR_PUBLIC_KEY_INVALID has an incorrect value r=bbeurdouche PKCS#11 v2.40: https://www.cryptsoft.com/pkcs11doc/STANDARD/include/v240/pkcs11t.h line 1150 jdk8u: https://hg.openjdk.java.net/jdk8u/jdk8u/jdk/file/eb7f437285a1 /src/share/native/sun/security/pkcs11/wrapper/pkcs11t.h#l1155 [f9bcf45ca3bf] Differential Revision: https://phabricator.services.mozilla.com/D98946 |
||
|
Kevin Jacobs
|
5e63427a1b |
Bug 1677548 - land NSS f8c49b334e51 UPGRADE_NSS_RELEASE, r=bbeurdouche
2020-12-01 Kevin Jacobs <kjacobs@mozilla.com> * lib/ckfw/builtins/nssckbi.h: Bug 1678189 - December 2020 batch of root changes, NSS_BUILTINS_LIBRARY_VERSION 2.46. r=bbeurdouche [f8c49b334e51] [tip] * lib/ckfw/builtins/certdata.txt: Bug 1678166 - Add NAVER Global Root Certification Authority root cert to NSS. r=bbeurdouche,KathleenWilson [b9742b439a81] 2020-12-01 Benjamin Beurdouche <benjamin.beurdouche@inria.fr> * lib/ckfw/builtins/certdata.txt: Bug 1670769 - Remove 10 GeoTrust, thawte, and VeriSign root certs from NSS. r=kjacobs,KathleenWilson [4c69d6d0cf21] 2020-12-01 Kevin Jacobs <kjacobs@mozilla.com> * lib/ssl/ssl3exthandle.c: Bug 1674819 - Fix undefined shift when fuzzing r=bbeurdouche In fuzzer mode, session tickets are serialized without any encryption or integrity protection. This leads to a post-deserialize UBSAN error when shifting by a fuzzed (large) authType value. A real NSS server will not produce these values. [a51fae403328] 2020-11-30 Benjamin Beurdouche <benjamin.beurdouche@inria.fr> * build.sh, coreconf/config.gypi, lib/ckfw/builtins/testlib/builtins- testlib.gyp, lib/ckfw/builtins/testlib/nssckbi-testlib.def, nss.gyp: Bug 1678384 - Add a build flag to allow building nssckbi-testlib in m-c r=kjacobs [22bf7c680b60] 2020-12-01 Kevin Jacobs <kjacobs@mozilla.com> * lib/dev/devslot.c: Bug 1679290 - Don't hold slot lock when taking session lock r=bbeurdouche [[ https://hg.mozilla.org/projects/nss/rev/0ed11a5835ac1556ff978362c d61069d48f4c5db | 0ed11a5835ac1556ff978362cd61069d48f4c5db ]] fixed a number of race conditions related to NSSSlot member accesses. Unfortunately the locking order that was imposed by that patch has been found to cause problems for at least one PKCS11 module, libnsspem. This patch drops nested locking in favor of unlocking/re-locking. While this isn't perfect, the original problem in bug 1663661 was that `slot->token` could become NULL, which we can easily check after reacquiring. [19585ccc7a1f] 2020-11-25 Makoto Kato <m_kato@ga2.so-net.ne.jp> * lib/freebl/blinit.c: Bug 1678990 - Use __ARM_FEATURE_CRYPTO for feature detection. r=bbeurdouche Actually, we have CPU feature detection for Linux and FreeBSD on aarch64 platform. But others don't. macOS doesn't has any CPU feature detection for ARM Crypto Extension, but toolchain default is turned on. So we should respect __ARM_FEATURE_CRYPTO. [f1e48fbead3d] 2020-11-19 Lauri Kasanen <cand@gmx.com> * lib/freebl/Makefile: Bug 1642174 - Resolve sha512-p8.o: ABI version 2 is not compatible with ABI version 1 output. r=jcj Don't try to build the SHA-2 accelerated asm on old-ABI ppc. Currently make only, I don't have enough gyp-fu to do that side. However, the reporters of 1642174 and 1635625 both used make, not gyp. Signed-off-by: Lauri Kasanen <cand@gmx.com> [d806f7992b10] Differential Revision: https://phabricator.services.mozilla.com/D98509 |
||
|
Kevin Jacobs
|
54a13dccf2 |
Bug 1677548 - land NSS 3eacb92e9adf UPGRADE_NSS_RELEASE, r=jcj
2020-11-18 Kevin Jacobs <kjacobs@mozilla.com> * lib/ssl/ssl3con.c, lib/ssl/tls13con.c, lib/ssl/tls13ech.c: Bug 1654332 - Fixup a10493dcfcc9: copy ECHConfig.config_id with socket r=jcj A late review change for ECH was for the server to compute each ECHConfig `config_id` when set to the socket, rather than on each connection. This works, but now we also need to copy that config_id when copying a socket, else the server won't find a matching ECHConfig to use for decryption. [3eacb92e9adf] [tip] 2020-11-17 Kevin Jacobs <kjacobs@mozilla.com> * automation/abi-check/expected-report-libssl3.so.txt, cmd/tstclnt/tstclnt.c, cpputil/tls_parser.h, gtests/ssl_gtest/libssl_internals.c, gtests/ssl_gtest/libssl_internals.h, gtests/ssl_gtest/manifest.mn, gtests/ssl_gtest/ssl_auth_unittest.cc, gtests/ssl_gtest/ssl_custext_unittest.cc, gtests/ssl_gtest/ssl_extension_unittest.cc, gtests/ssl_gtest/ssl_gtest.gyp, gtests/ssl_gtest/ssl_tls13compat_unittest.cc, gtests/ssl_gtest/tls_agent.cc, gtests/ssl_gtest/tls_agent.h, gtests/ssl_gtest/tls_connect.cc, gtests/ssl_gtest/tls_connect.h, gtests/ssl_gtest/tls_ech_unittest.cc, gtests/ssl_gtest/tls_esni_unittest.cc, gtests/ssl_gtest/tls_filter.cc, gtests/ssl_gtest/tls_filter.h, lib/ssl/SSLerrs.h, lib/ssl/manifest.mn, lib/ssl/ssl.gyp, lib/ssl/ssl3con.c, lib/ssl/ssl3ext.c, lib/ssl/ssl3ext.h, lib/ssl/ssl3exthandle.c, lib/ssl/ssl3exthandle.h, lib/ssl/ssl3prot.h, lib/ssl/sslencode.c, lib/ssl/sslencode.h, lib/ssl/sslerr.h, lib/ssl/sslexp.h, lib/ssl/sslimpl.h, lib/ssl/sslinfo.c, lib/ssl/sslsecur.c, lib/ssl/sslsock.c, lib/ssl/sslt.h, lib/ssl/tls13con.c, lib/ssl/tls13con.h, lib/ssl/tls13ech.c, lib/ssl/tls13ech.h, lib/ssl/tls13esni.c, lib/ssl/tls13esni.h, lib/ssl/tls13exthandle.c, lib/ssl/tls13exthandle.h, lib/ssl/tls13hashstate.c, lib/ssl/tls13hashstate.h: Bug 1654332 - Update ESNI to draft-08 (ECH). r=mt This patch adds support for Encrypted Client Hello (draft-ietf-tls- esni-08), replacing the existing ESNI (draft -02) support. There are five new experimental functions to enable this: - SSL_EncodeEchConfig: Generates an encoded (not BASE64) ECHConfig given a set of parameters. - SSL_SetClientEchConfigs: Configures the provided ECHConfig to the given socket. When configured, an ephemeral HPKE keypair will be generated for the CH encryption. - SSL_SetServerEchConfigs: Configures the provided ECHConfig and keypair to the socket. The keypair specified will be used for HPKE operations in order to decrypt encrypted Client Hellos as they are received. - SSL_GetEchRetryConfigs: If ECH is rejected by the server and compatible retry_configs are provided, this API allows the application to extract those retry_configs for use in a new connection. - SSL_EnableTls13GreaseEch: When enabled, non-ECH Client Hellos will have a "GREASE ECH" (i.e. fake) extension appended. GREASE ECH is disabled by default, as there are known compatibility issues that will be addressed in a subsequent draft. The following ESNI experimental functions are deprecated by this update: - SSL_EncodeESNIKeys - SSL_EnableESNI - SSL_SetESNIKeyPair In order to be used, NSS must be compiled with `NSS_ENABLE_DRAFT_HPKE` defined. [a10493dcfcc9] * lib/ssl/ssl3con.c, lib/ssl/sslencode.c, lib/ssl/sslencode.h, lib/ssl/tls13con.c, lib/ssl/tls13con.h: Bug 1654332 - Buffered ClientHello construction. r=mt This patch refactors construction of Client Hello messages. Instead of each component of the message being written separately into `ss->sec.ci.sendBuf`, we now construct the message in its own sslBuffer. Once complete, the entire message is added to the sendBuf via `ssl3_AppendHandshake`. `ssl3_SendServerHello` already uses this approach and it becomes necessary for ECH, where we use the constructed ClientHello to create an inner ClientHello. [d40121ba59ba] 2020-11-13 J.C. Jones <jjones@mozilla.com> * automation/abi-check/expected-report-libnss3.so.txt, automation/abi- check/expected-report-libnssutil3.so.txt, automation/abi-check /previous-nss-release, lib/nss/nss.h, lib/softoken/softkver.h, lib/util/nssutil.h: Set version numbers to 3.60 Beta [5e7b37609f22] Differential Revision: https://phabricator.services.mozilla.com/D97492 |
||
|
J.C. Jones
|
b74458d647 |
Bug 1671713 - land NSS NSS_3_59_RTM UPGRADE_NSS_RELEASE, r=kjacobs DONTBUILD
2020-11-13 J.C. Jones <jjones@mozilla.com> * lib/nss/nss.h, lib/softoken/softkver.h, lib/util/nssutil.h: Set version numbers to 3.59 final [c5d760cbe8d0] [NSS_3_59_RTM] <NSS_3_59_BRANCH> 2020-11-10 J.C. Jones <jjones@mozilla.com> * .hgtags: Added tag NSS_3_59_BETA1 for changeset c3cb09a7d087 [06e965656f08] Differential Revision: https://phabricator.services.mozilla.com/D97041 |
||
|
J.C. Jones
|
0644349b9b |
Bug 1671713 - land NSS NSS_3_59_BETA1 UPGRADE_NSS_RELEASE, r=kjacobs
2020-11-10 Kevin Jacobs <kjacobs@mozilla.com> * lib/certdb/certdb.c, lib/certdb/stanpcertdb.c, lib/pk11wrap/pk11cert.c, lib/pki/pki3hack.c: Bug 1607449 - Lock cert->nssCertificate to prevent data race. r=jcj,keeler [c3cb09a7d087] [NSS_3_59_BETA1] Differential Revision: https://phabricator.services.mozilla.com/D96652 |
||
|
Kevin Jacobs
|
92af1fd6cc |
Bug 1671713 - land NSS 97751cd6d553 UPGRADE_NSS_RELEASE, r=jcj
2020-11-03 Kevin Jacobs <kjacobs@mozilla.com> * gtests/common/testvectors/hmac-sha256-vectors.h, gtests/common/testvectors/hmac-sha384-vectors.h, gtests/common/testvectors/hmac-sha512-vectors.h, gtests/common/testvectors_base/test-structs.h, gtests/pk11_gtest/manifest.mn, gtests/pk11_gtest/pk11_gtest.gyp, gtests/pk11_gtest/pk11_hmac_unittest.cc: Bug |
||
|
Kevin Jacobs
|
b838f38de2 |
Bug 1671713 - land NSS 035110dfa0b9 UPGRADE_NSS_RELEASE, r=bbeurdouche
2020-10-26 Robert Relyea <rrelyea@redhat.com> * lib/libpkix/pkix_pl_nss/pki/pkix_pl_ocspresponse.c, tests/ssl/ssl.sh: Bug 1672291 libpkix OCSP failures on SHA1 self-signed root certs when SHA1 signatures are disabled. r=mt When libpkix is checking an OCSP cert, it can't use the passed in set of trust anchors as a base because only the single root that signed the leaf can sign the OCSP request. As a result it actually checks the signature of the self-signed root when processing an OCSP request. This fails of the root cert signature is invalid for any reason (including it's a sha1 self-signed root cert and we've disabled sha1 signatures (say, by policy)). Further investigation indicates the difference between our classic code and the current code is the classic code only checks OCSP responses on leaf certs. In the real world, those responses are signed by intermediate certificates (who won't have sha1 signed certificates anymore), so our signature processing works just fine. pkix checks OCSP on the intermediate certificates as well, which are signed by the root cert. In this case the root cert is a chain of 1, and is effectively a leaf. This patch updates the OCSP response code to not check the signatures on the single cert if that cert is a selfsigned root cert. This requires bug 391476 so we still do the other validation checking on the certs (making sure it's trusted as a CA). [035110dfa0b9] [tip] 2020-10-23 Robert Relyea <rrelyea@redhat.com> * lib/certhigh/certvfypkix.c, lib/libpkix/pkix_pl_nss/module/pkix_pl_nsscontext.c, lib/libpkix/pkix_pl_nss/module/pkix_pl_nsscontext.h, lib/libpkix/pkix_pl_nss/pki/pkix_pl_cert.c, lib/libpkix/pkix_pl_nss/pki/pkix_pl_ocspresponse.c, tests/ssl/ssl.sh: Bug 1672291 libpkix OCSP failures on SHA1 self-signed root certs when SHA1 signatures are disabled. When libpkix is checking an OCSP cert, it can't use the passed in set of trust anchors as a base because only the single root that signed the leaf can sign the OCSP request. As a result it actually checks the signature of the self-signed root when processing an OCSP request. This fails of the root cert signature is invalid for any reason (including it's a sha1 self-signed root cert and we've disabled sha1 signatures (say, by policy)). Further investigation indicates the difference between our classic code and the current code is the classic code only checks OCSP responses on leaf certs. In the real world, those responses are signed by intermediate certificates (who won't have sha1 signed certificates anymore), so our signature processing works just fine. pkix checks OCSP on the intermediate certificates as well, which are signed by the root cert. In this case the root cert is a chain of 1, and is effectively a leaf. This patch updates the OCSP response code to not check the signatures on the single cert if that cert is a selfsigned root cert. This requires bug 391476 so we still do the other validation checking on the certs (making sure it's trusted as a CA). [97f69f7a89a1] 2020-10-26 Kevin Jacobs <kjacobs@mozilla.com> * gtests/ssl_gtest/tls_filter.cc: Bug 1644209 - Fix broken SelectedCipherSuiteReplacer filter. r=mt This patch corrects the `SelectedCipherSuiteReplacer`filter to always parse the `session_id` variable (`legacy_session_id` for TLS 1.3+). The previous code attempted to skip it in 1.3+ but did not account for DTLS wire versions, resulting in intermittent failures. [a79d14b06b4a] 2020-10-26 Daiki Ueno <dueno@redhat.com> * gtests/ssl_gtest/ssl_tls13compat_unittest.cc, lib/ssl/ssl3con.c, lib/ssl/sslimpl.h: Bug |
||
|
J.C. Jones
|
f3f86339c2 |
Bug 1671713 - land NSS 58dc3216d518 UPGRADE_NSS_RELEASE, r=kjacobs
2020-10-13 Mike Hommey <mh@glandium.org> * lib/freebl/freebl.gyp: Bug 1670839 - Use ARM crypto extension for AES, SHA1 and SHA2 on mac. r=kjacobs AFAICT, the Makefile equivalent already does. [58dc3216d518] [tip] * lib/freebl/sha1-armv8.c: Bug 1670839 - Only build sha1-armv8.c code when USE_HW_SHA1 is defined. r=kjacobs This matches what is done in sha256-armv8.c, and avoids inconsistency with sha1-fast.c, which will define the same functions in the case USE_HW_SHA1 is not defined. [54be084e3ba8] 2020-10-16 J.C. Jones <jjones@mozilla.com> * automation/abi-check/expected-report-libnss3.so.txt, automation/abi- check/previous-nss-release, lib/nss/nss.h, lib/softoken/softkver.h, lib/util/nssutil.h: Set version numbers to 3.59 Beta [d4b21706e432] Differential Revision: https://phabricator.services.mozilla.com/D94070 |
||
|
J.C. Jones
|
cc8fbdccf6 |
Bug 1666567 - land NSS NSS_3_58_RTM UPGRADE_NSS_RELEASE, r=kjacobs
2020-10-16 J.C. Jones <jjones@mozilla.com> * lib/nss/nss.h, lib/softoken/softkver.h, lib/util/nssutil.h: Set version numbers to 3.58 final [1f3db03bba02] [NSS_3_58_RTM] <NSS_3_58_BRANCH> 2020-10-12 J.C. Jones <jjones@mozilla.com> * .hgtags: Added tag NSS_3_58_BETA1 for changeset 57bbefa79323 [a8deadf7adbe] Differential Revision: https://phabricator.services.mozilla.com/D93813 |
||
|
J.C. Jones
|
8e222a79cb |
Bug 1666567 - land NSS NSS_3_58_BETA1 UPGRADE_NSS_RELEASE, r=kjacobs
2020-10-12 Daiki Ueno <dueno@redhat.com> * gtests/ssl_gtest/ssl_tls13compat_unittest.cc, lib/ssl/ssl3con.c, lib/ssl/sslimpl.h: Bug 1641480, TLS 1.3: tighten CCS handling in compatibility mode, r=mt This makes the server reject CCS when the client doesn't indicate the use of the middlebox compatibility mode with a non-empty ClientHello.legacy_session_id, or it sends multiple CCS in a row. [57bbefa79323] [NSS_3_58_BETA1] 2020-10-12 Kevin Jacobs <kjacobs@mozilla.com> * automation/abi-check/expected-report-libnss3.so.txt, automation/taskcluster/scripts/build_gyp.sh, automation/taskcluster/windows/build_gyp.sh, coreconf/config.gypi, coreconf/config.mk, cpputil/nss_scoped_ptrs.h, gtests/common/testvectors/hpke-vectors.h, gtests/pk11_gtest/manifest.mn, gtests/pk11_gtest/pk11_gtest.gyp, gtests/pk11_gtest/pk11_hpke_unittest.cc, lib/nss/nss.def, lib/pk11wrap/exports.gyp, lib/pk11wrap/manifest.mn, lib/pk11wrap/pk11hpke.c, lib/pk11wrap/pk11hpke.h, lib/pk11wrap/pk11pub.h, lib/pk11wrap/pk11wrap.gyp, lib/util/SECerrs.h, lib/util/secerr.h: Bug 1631890 - Add support for Hybrid Public Key Encryption (draft- irtf-cfrg-hpke-05). r=mt This patch adds support for Hybrid Public Key Encryption (draft- irtf-cfrg-hpke-05). Because the draft number (and the eventual RFC number) is an input to the key schedule, future updates will *not* be backwards compatible in terms of key material or encryption/decryption. For this reason, a default compilation will produce stubs that simply return an "Invalid Algorithm" error. To opt into using the HPKE functionality , compile with `NSS_ENABLE_DRAFT_HPKE` defined. Once finalized, this flag will not be required to access the functions. Lastly, the `DeriveKeyPair` API is not implemented as it adds complextiy around PKCS #11 and is unnecessary for ECH. [6e3bc17f0508] 2020-10-12 Makoto Kato <m_kato@ga2.so-net.ne.jp> * automation/taskcluster/graph/src/extend.js, tests/common/cleanup.sh: Bug 1657255 - Update CI for aarch64. r=kjacobs Actually, we have the implementation of ARM Crypto extension, so CI is always run with this extension. It means that we don't run CI without ARM Crypto extension. So I would like to add NoAES and NoSHA for aarch64 CI. Also, we still run NoSSE4_1 on aarch64 CI, so we shouldn't run this on aarch64 hardware. [e8c370a8db13] Differential Revision: https://phabricator.services.mozilla.com/D93268 |
||
|
J.C. Jones
|
0a5ff268ea |
Bug 1666567 - land NSS c7d3b214dd41 UPGRADE_NSS_RELEASE, r=kjacobs
2020-10-05 Ricky Stewart <rstewart@mozilla.com> * coreconf/config.gypi: Bug 1668328 - Enclose Python paths in `coreconf/config.gypi` in quotes r=kjacobs,mt This fixes a breakage if the Python path happens to have a space in it. [c7d3b214dd41] [tip] Differential Revision: https://phabricator.services.mozilla.com/D92516 |
||
|
J.C. Jones
|
3ad29aac6b |
Bug 1666567 - land NSS 8fdbec414ce2 UPGRADE_NSS_RELEASE, r=kjacobs
2020-09-24 Kevin Jacobs <kjacobs@mozilla.com> * automation/abi-check/expected-report-libnss3.so.txt, gtests/pk11_gtest/pk11_hkdf_unittest.cc, lib/nss/nss.def, lib/pk11wrap/pk11pub.h, lib/pk11wrap/pk11skey.c, lib/ssl/tls13hkdf.c: Bug 1667153 - Add PK11_ImportDataKey API. r=rrelyea This patch adds and exports `PK11_ImportDataKey`, and refactors the null PSK TLS 1.3 code to use it. [8fdbec414ce2] [tip] Differential Revision: https://phabricator.services.mozilla.com/D91627 |
||
|
J.C. Jones
|
55cfe61a1d |
Bug 1666567 - land NSS 8ebee3cec9cf UPGRADE_NSS_RELEASE, r=kjacobs
2020-09-23 Dana Keeler <dkeeler@mozilla.com> * gtests/mozpkix_gtest/pkixbuild_tests.cpp, gtests/mozpkix_gtest/pkixcert_extension_tests.cpp, gtests/mozpkix_gtest/pkixcert_signature_algorithm_tests.cpp, gtests/mozpkix_gtest/pkixcheck_CheckExtendedKeyUsage_tests.cpp, gtests/mozpkix_gtest/pkixcheck_CheckSignatureAlgorithm_tests.cpp, gtests/mozpkix_gtest/pkixgtest.h, lib/mozpkix/include/pkix/pkixtypes.h, lib/mozpkix/lib/pkixbuild.cpp: Bug 1665715 - (2/2) pass encoded signed certificate timestamp extension (if present) in CheckRevocation r=jcj This will allow Firefox to make decisions based on the earliest known time that a certificate exists (with respect to certificate transparency) that a CA is unlikely to back-date. In particular, this is essential for CRLite. Note that if the SCT signature isn't validated, a CA could still make a certificate appear to have existed for longer than it really has. However, this change is not an attempt to catch malicious CAs. The aim is to avoid false positives in CRLite resulting from CAs backdating the notBefore field on certificates they issue. Depends on D90595 [8ebee3cec9cf] [tip] 2020-09-18 Dana Keeler <dkeeler@mozilla.com> * gtests/mozpkix_gtest/pkixbuild_tests.cpp, gtests/mozpkix_gtest/pkixcert_extension_tests.cpp, gtests/mozpkix_gtest/pkixcert_signature_algorithm_tests.cpp, gtests/mozpkix_gtest/pkixcheck_CheckExtendedKeyUsage_tests.cpp, gtests/mozpkix_gtest/pkixcheck_CheckSignatureAlgorithm_tests.cpp, gtests/mozpkix_gtest/pkixgtest.h, lib/mozpkix/include/pkix/pkixtypes.h, lib/mozpkix/lib/pkixbuild.cpp: Bug 1665715 - (1/2) revert e8f2720c8254 (bug 1593141) because it's no longer necessary r=jcj Bug 1593141 added the certificate's notBefore field as an argument to TrustDomain::CheckRevocation so that Firefox could use it with CRLite. However, since CAs can backdate that field, we need to use the earliest embedded SCT timestamp instead. [c1f4d565ceda] Differential Revision: https://phabricator.services.mozilla.com/D91211 |
||
|
Bogdan Tara
|
db9c89dbca |
Backed out 2 changesets (bug 1666567, bug 1605273) for test_crlite_filters.js failures CLOSED TREE
UPGRADE_NSS_RELEASE Backed out changeset 9bc4c7e79cd6 (bug 1666567) Backed out changeset 22753d184de6 (bug 1605273) |
||
|
J.C. Jones
|
e8346094ad |
Bug 1666567 - land NSS 8ebee3cec9cf UPGRADE_NSS_RELEASE, r=kjacobs
CLOSED TREE 2020-09-23 Dana Keeler <dkeeler@mozilla.com> * gtests/mozpkix_gtest/pkixbuild_tests.cpp, gtests/mozpkix_gtest/pkixcert_extension_tests.cpp, gtests/mozpkix_gtest/pkixcert_signature_algorithm_tests.cpp, gtests/mozpkix_gtest/pkixcheck_CheckExtendedKeyUsage_tests.cpp, gtests/mozpkix_gtest/pkixcheck_CheckSignatureAlgorithm_tests.cpp, gtests/mozpkix_gtest/pkixgtest.h, lib/mozpkix/include/pkix/pkixtypes.h, lib/mozpkix/lib/pkixbuild.cpp: Bug 1665715 - (2/2) pass encoded signed certificate timestamp extension (if present) in CheckRevocation r=jcj This will allow Firefox to make decisions based on the earliest known time that a certificate exists (with respect to certificate transparency) that a CA is unlikely to back-date. In particular, this is essential for CRLite. Note that if the SCT signature isn't validated, a CA could still make a certificate appear to have existed for longer than it really has. However, this change is not an attempt to catch malicious CAs. The aim is to avoid false positives in CRLite resulting from CAs backdating the notBefore field on certificates they issue. Depends on D90595 [8ebee3cec9cf] [tip] 2020-09-18 Dana Keeler <dkeeler@mozilla.com> * gtests/mozpkix_gtest/pkixbuild_tests.cpp, gtests/mozpkix_gtest/pkixcert_extension_tests.cpp, gtests/mozpkix_gtest/pkixcert_signature_algorithm_tests.cpp, gtests/mozpkix_gtest/pkixcheck_CheckExtendedKeyUsage_tests.cpp, gtests/mozpkix_gtest/pkixcheck_CheckSignatureAlgorithm_tests.cpp, gtests/mozpkix_gtest/pkixgtest.h, lib/mozpkix/include/pkix/pkixtypes.h, lib/mozpkix/lib/pkixbuild.cpp: Bug 1665715 - (1/2) revert e8f2720c8254 (bug 1593141) because it's no longer necessary r=jcj Bug 1593141 added the certificate's notBefore field as an argument to TrustDomain::CheckRevocation so that Firefox could use it with CRLite. However, since CAs can backdate that field, we need to use the earliest embedded SCT timestamp instead. [c1f4d565ceda] Differential Revision: https://phabricator.services.mozilla.com/D91211 |
||
|
Bogdan Tara
|
24d9b1dbae |
Backed out changeset 7e50f86ea20b (bug 1666567) for security related bustage CLOSED TREE
UPGRADE_NSS_RELEASE |
||
|
J.C. Jones
|
413b79889f |
Bug 1666567 - land NSS 8ebee3cec9cf UPGRADE_NSS_RELEASE, r=kjacobs
2020-09-23 Dana Keeler <dkeeler@mozilla.com> * gtests/mozpkix_gtest/pkixbuild_tests.cpp, gtests/mozpkix_gtest/pkixcert_extension_tests.cpp, gtests/mozpkix_gtest/pkixcert_signature_algorithm_tests.cpp, gtests/mozpkix_gtest/pkixcheck_CheckExtendedKeyUsage_tests.cpp, gtests/mozpkix_gtest/pkixcheck_CheckSignatureAlgorithm_tests.cpp, gtests/mozpkix_gtest/pkixgtest.h, lib/mozpkix/include/pkix/pkixtypes.h, lib/mozpkix/lib/pkixbuild.cpp: Bug 1665715 - (2/2) pass encoded signed certificate timestamp extension (if present) in CheckRevocation r=jcj This will allow Firefox to make decisions based on the earliest known time that a certificate exists (with respect to certificate transparency) that a CA is unlikely to back-date. In particular, this is essential for CRLite. Note that if the SCT signature isn't validated, a CA could still make a certificate appear to have existed for longer than it really has. However, this change is not an attempt to catch malicious CAs. The aim is to avoid false positives in CRLite resulting from CAs backdating the notBefore field on certificates they issue. Depends on D90595 [8ebee3cec9cf] [tip] 2020-09-18 Dana Keeler <dkeeler@mozilla.com> * gtests/mozpkix_gtest/pkixbuild_tests.cpp, gtests/mozpkix_gtest/pkixcert_extension_tests.cpp, gtests/mozpkix_gtest/pkixcert_signature_algorithm_tests.cpp, gtests/mozpkix_gtest/pkixcheck_CheckExtendedKeyUsage_tests.cpp, gtests/mozpkix_gtest/pkixcheck_CheckSignatureAlgorithm_tests.cpp, gtests/mozpkix_gtest/pkixgtest.h, lib/mozpkix/include/pkix/pkixtypes.h, lib/mozpkix/lib/pkixbuild.cpp: Bug 1665715 - (1/2) revert e8f2720c8254 (bug 1593141) because it's no longer necessary r=jcj Bug 1593141 added the certificate's notBefore field as an argument to TrustDomain::CheckRevocation so that Firefox could use it with CRLite. However, since CAs can backdate that field, we need to use the earliest embedded SCT timestamp instead. [c1f4d565ceda] Differential Revision: https://phabricator.services.mozilla.com/D91211 |
||
|
J.C. Jones
|
f2b2199636 |
Bug 1666567 - land NSS c28e20f61e5d UPGRADE_NSS_RELEASE, r=kjacobs
2020-09-18 Kevin Jacobs <kjacobs@mozilla.com>
* automation/abi-check/previous-nss-release, lib/nss/nss.h,
lib/softoken/softkver.h, lib/util/nssutil.h:
Set version numbers to 3.58 Beta
[c28e20f61e5d] [tip]
* .hgtags:
Added tag NSS_3_57_RTM for changeset cf7e3e8abd77
[a963849538ca] <NSS_3_57_BRANCH>
* lib/nss/nss.h, lib/softoken/softkver.h, lib/util/nssutil.h:
Set version numbers to 3.57 final
[cf7e3e8abd77] [NSS_3_57_RTM] <NSS_3_57_BRANCH>
Differential Revision: https://phabricator.services.mozilla.com/D91070
|
||
|
Kevin Jacobs
|
14f9e3ce78 |
Bug 1660509 - land NSS NSS_3_57_RTM UPGRADE_NSS_RELEASE, r=jcj
2020-09-18 Kevin Jacobs <kjacobs@mozilla.com> * lib/nss/nss.h, lib/softoken/softkver.h, lib/util/nssutil.h: Set version numbers to 3.57 final [cf7e3e8abd77] [NSS_3_57_RTM] <NSS_3_57_BRANCH> 2020-09-15 Kevin Jacobs <kjacobs@mozilla.com> * .hgtags: Added tag NSS_3_57_BETA1 for changeset 56224882ccc3 [f46f20c58c4f] Differential Revision: https://phabricator.services.mozilla.com/D90726 |
||
|
Kevin Jacobs
|
ed0deeb271 |
Bug 1660509 - land NSS NSS_3_57_BETA1 UPGRADE_NSS_RELEASE, r=jcj
2020-09-15 Kevin Jacobs <kjacobs@mozilla.com> * automation/release/nspr-version.txt: Bug 1660372 - NSS 3.57 should depend on NSPR 4.29. r=kaie [56224882ccc3] [NSS_3_57_BETA1] Differential Revision: https://phabricator.services.mozilla.com/D90324 |
||
|
Kevin Jacobs
|
25560bb43a |
Bug 1660509 - land NSS 2a17c8655a74 UPGRADE_NSS_RELEASE, r=jcj
2020-09-14 Benjamin Beurdouche <bbeurdouche@mozilla.com>
* coreconf/arch.mk:
Bug 1660735 - Fix typo in coreconfig/arch.mk. r=kjacobs
[2a17c8655a74] [tip]
* coreconf/config.mk:
Bug 1660734 - Fix typo in coreconf/config.mk. r=kjacobs
[4ae56ec2411b]
2020-09-11 Kevin Jacobs <kjacobs@mozilla.com>
* lib/ckfw/builtins/nssckbi.h:
Bug 1663049 - September 2020 batch of root changes,
NSS_BUILTINS_LIBRARY_VERSION 2.44. r=jcj
[141ef83ac10b]
* lib/ckfw/builtins/certdata.txt:
Bug 1663049 - Add SecureTrust's Trustwave Global root certificates
to NSS. r=KathleenWilson,jcj
[7dfc054a983e]
* lib/ckfw/builtins/certdata.txt:
Bug 1656077 - Remove Taiwan Government Root Certification Authority
root cert. r=KathleenWilson,jcj
Depends on D89841
[32a0d8f751ef]
* lib/ckfw/builtins/certdata.txt:
Bug 1653092 - Disable server trust bit for OISTE WISeKey Global Root
GA CA root cert. r=KathleenWilson,jcj
Depends on D89840
[1cdfb26b3220]
* lib/ckfw/builtins/certdata.txt:
Bug 1651211 - Remove EE Certification Centre Root CA root cert.
r=KathleenWilson,jcj
[089aeca370df]
2020-09-11 Danh <congdanhqx@gmail.com>
* coreconf/arch.mk, coreconf/config.mk, lib/freebl/Makefile:
Bug 1659727 - Move makefile avx2 detection to config.mk. r=kjacobs
Summary: Current code base use CPU_ARCH to detect if avx2 is
supported in arch.mk However, when arch.mk included, CPU_ARCH
haven't been initialised, CPU_ARCH will be initialised by the OS
specific code later on.
Move the AVX2 detection to config.mk, after all other initialisation
done.
Reviewers: kjacobs
Reviewed By: kjacobs
Subscribers: kjacobs
Bug #: 1659727
[c6dcb99e6121]
2020-09-08 Kevin Jacobs <kjacobs@mozilla.com>
* gtests/freebl_gtest/mpi_unittest.cc, lib/freebl/mpi/mpi.c:
Bug 1605922 - Account for negative sign in mp_radix_size
r=bbeurdouche
[b64436ecbd79]
2020-09-09 Daiki Ueno <dueno@redhat.com>
* lib/freebl/Makefile:
Bug 1659256, add gcc version check on AArch64 optimization,
r=rrelyea
Summary: As described in https://access.redhat.com/solutions/19458,
gcc version in RHEL-7 is still 4.8.x and cannot compile the newly
added aes-armv8.c. There is a version check already for 32-bit arm,
but not for AArch64. This also removes NS_USE_GCC check added in bug
|
||
|
Kevin Jacobs
|
ddc8978d1f |
Bug 1660509 - land NSS c100e11991f6 UPGRADE_NSS_RELEASE, r=jcj
2020-08-21 Kevin Jacobs <kjacobs@mozilla.com> * automation/abi-check/previous-nss-release, lib/nss/nss.h, lib/softoken/softkver.h, lib/util/nssutil.h: Set version numbers to 3.57 Beta [783f49ae6126] 2020-08-24 Kevin Jacobs <kjacobs@mozilla.com> * gtests/ssl_gtest/ssl_auth_unittest.cc, lib/ssl/dtls13con.c, lib/ssl/dtlscon.c, lib/ssl/ssl3con.c, lib/ssl/sslimpl.h, lib/ssl/sslnonce.c: Bug 1653641 - Cleanup inaccurate DTLS comments, code review fixes. r=mt [0e1b5c711cb9] 2020-08-24 Robert Relyea <rrelyea@redhat.com> * lib/freebl/fipsfreebl.c, lib/softoken/fipstest.c, lib/softoken/kbkdf.c, lib/softoken/lowpbe.c, lib/softoken/lowpbe.h, lib/softoken/pkcs11c.c, lib/softoken/pkcs11i.h, lib/softoken/sftkhmac.c, lib/softoken/sftkike.c: Bug 1660304 New FIPS IG requires self-tests for approved kdfs. r=ueno comments=kjacobs FIPS guidance now requires self-tests for our kdfs. It also requires self-tests for cmac which we didn't have in the cmac patch. Currently only one test per kdf is necessary. Specifially for SP-800-108, only one of the three flavors are needed (counter, feedback, or pipeline). This patch includes more complete testing but it has been turned off the currently extraneous tests under the assumption that NIST guidance may require them in the future. HKDF is currently not included in FIPS, but is on track to be included, so hkdf have been included in this patch. Because the test vectors are const strings, the patch pushes some const definitions that were missing in existing private interfaces. There are three flavors of self-tests: Function implemented in freebl are added to the freebl/fipsfreebl.c Functions implemented in pkcs11c.c have selftests completely implemented in softoken/fipstest.c Functions implemented in their own .c file have their selftest function implemented in that .c file and called by fipstests.c These are consistant with the previous choices for selftests. Some private interfaces that took in keys from pkcs #11 structures or outputted keys to pkcs #11 structures were modified to optionally take keys in by bytes and output keys as bytes so the self-tests can work in just bytes. [5dca54fe61c2] 2020-08-25 Daiki Ueno <dueno@redhat.com> * lib/softoken/manifest.mn: Bug 1659252, disable building libnssdbm3.so if NSS_DISABLE_DBM=1, r=rrelyea Reviewers: rrelyea Reviewed By: rrelyea Bug #: 1659252 [4d55d36ca6ef] 2020-08-24 Kevin Jacobs <kjacobs@mozilla.com> * lib/pk11wrap/pk11cxt.c, lib/softoken/pkcs11c.c, lib/softoken/sdb.c, lib/softoken/sftkpwd.c: Bug 1651834 - Fix various static analyzer warnings. r=rrelyea [ab04fd73fd6d] 2020-08-28 Mike Hommey <mh@glandium.org> * lib/freebl/blapii.h: Bug 1661810 - Define pre_align/post_align based on the compiler. r=jcj Things worked fine before we upgraded to clang 11 presumably because the stack was always 16-bytes aligned in the first place, or something akin to that, and the lack of pre_align/post_align doing anything didn't matter. The runtime misalignment of the stack may well be a clang > 9 bug, but keeping pre_align/post_align tied to the x86/x64 is a footgun anyways. [c100e11991f6] [tip] Differential Revision: https://phabricator.services.mozilla.com/D88876 |
||
|
Kevin Jacobs
|
d1d6b661e3 |
Bug 1655105 - land NSS NSS_3_56_RTM UPGRADE_NSS_RELEASE, r=jcj
2020-08-21 Kevin Jacobs <kjacobs@mozilla.com> * lib/nss/nss.h, lib/softoken/softkver.h, lib/util/nssutil.h: Set version numbers to 3.56 final [809ff9ff0140] [NSS_3_56_RTM] <NSS_3_56_BRANCH> 2020-08-19 Kevin Jacobs <kjacobs@mozilla.com> * .hgtags: Added tag NSS_3_56_BETA1 for changeset 52c965eaffa1 [0d8ff40479d5] Differential Revision: https://phabricator.services.mozilla.com/D87882 |
||
|
Kevin Jacobs
|
d343e2c8e6 |
Bug 1655105 - land NSS NSS_3_56_BETA1 UPGRADE_NSS_RELEASE, r=jcj
2020-08-19 Kevin Jacobs <kjacobs@mozilla.com> * tests/libpkix/certs/PayPalEE.cert: Bug 1659792 - Update libpkix tests with unexpired PayPal cert. r=jcj The in-tree `PayPalEE.cert `expired today. This patch replaces it with a current copy that expires on 12 Jan 2022. CI breakage before patch: https://treeherder.mozilla.org/#/jobs?repo =nss&revision=2890f342de631bf6774ac747515a8b5736e20d3f CI with the fix applied: https://treeherder.mozilla.org/#/jobs?repo=nss- try&revision=bd28f21d8acbcb15502bd4fc606fc9c0ed09c810 [52c965eaffa1] [NSS_3_56_BETA1] 2020-08-18 Kevin Jacobs <kjacobs@mozilla.com> * tests/interop/interop.sh: Bug 1659814 - Pull updated tls-interop for dependency fix. r=jcj [70376af425ae] * automation/release/nspr-version.txt: Bug 1656519 - NSS 3.56 should depend on NSPR 4.28. r=kaie [2890f342de63] Differential Revision: https://phabricator.services.mozilla.com/D87648 |
||
|
Kevin Jacobs
|
5637d1775c |
Bug 1655105 - land NSS c06f22733446 UPGRADE_NSS_RELEASE, r=jcj
2020-08-07 Kevin Jacobs <kjacobs@mozilla.com> * lib/pki/tdcache.c: Bug 1625791 - Call STAN_GetCERTCertificate to load CERTCertificate trust before caching. r=jcj,keeler When caching certificates, `td->cache->lock` must not be held when taking `slot->isPresentLock`. `add_cert_to_cache` holds then former when calling the sort function in `add_subject_entry`, which will [[ https://searchfox.org/mozilla-central/rev/a3b25e347e2c22207c4b369b99 246e4aebf861a7/security/nss/lib/pki/certificate.c#266 | call ]] `STAN_GetCERTCertificate` -> `fill_CERTCertificateFields` when `cc->nssCertificate` [[ https://searchfox.org/mozilla-central/rev/a3 b25e347e2c22207c4b369b99246e4aebf861a7/security/nss/lib/pki/pki3hack .c#923 | is NULL ]]. There are two problems with this: # `fill_CERTCertificateFields` may end up locking `slot->isPresentLock` (bad ordering, bug 1651564) # The above may happen followed by another attempt to lock `td->cache->lock`(deadlock, this bug). By calling `STAN_GetCERTCertificate` prior to the first lock of `td->cache->lock`, we can prevent the problematic call to `fill_CERTCertificateFields` later on, because `cc->nssCertificate` will already be filled. [c06f22733446] [tip] * gtests/ssl_gtest/ssl_auth_unittest.cc, lib/ssl/ssl3con.c: Bug 1588941 - Send empty client cert msg when signature scheme selection fails. r=mt `ssl3_CompleteHandleCertificateRequest` does essentially two things: 1) Calls the `getClientAuthData` hook for certificate selection, and 2) calls `ssl_PickClientSignatureScheme` to select an appropriate signature scheme when a cert is selected. If the first function returns SECFailure, we default to sending an empty certificate message. If the latter fails, however, this bubbles up as a [[ https://searchfox.org/mozilla-central/rev/56bb74e a8e04bdac57c33cbe9b54d889b9262ade/security/nss/lib/ssl/tls13con.c#26 70 | fatal error ]] (and an assertion failure) on the connection. Importantly, the signature scheme selection can fail for reasons that should not be considered fatal - notably when an RSA-PSS cert is selected, but the token on which the key resides does not actually support PSS. This patch treats the failure to find a usable signature scheme as a "no certificate" response, rather than killing the connection entirely. [41ecb7fe5546] * lib/freebl/Makefile, lib/freebl/freebl_base.gypi, lib/freebl/mpi/mpi_amd64_common.S, lib/freebl/mpi/mpi_amd64_gas.s: Bug 1656981 - Use 64x64->128 multiply and MP_COMBA on x86_64 Mac. r=mt This patch makes two MPI changes for MacOS: 1. Rename `mpi_amd64_gas.s` to `mpi_amd64_common.S` and add defines for macho64, allowing Intel Macs to take advantage of the 64x64->128 multiply code. 2. Define and use `NSS_USE_COMBA` on Intel Macs. Performance results with `rsaperf -n none -p 10 -e -x 65537` (default 2048-bit key): Before: `12629.12 operations/s. one operation every 79 microseconds` With 64x64->128 assembly: `29431.65 operations/s. one operation every 33 microseconds` With MP_COMBA and 64x64->128 assembly: `30332.99 operations/s. one operation every 32 microseconds` [330bdab498a3] * lib/ssl/sslimpl.h: Bug 1656429 - Clang-format fixup, r=bustage [07083076fc92] 2020-08-05 Martin Thomson <mt@lowentropy.net> * gtests/ssl_gtest/ssl_0rtt_unittest.cc, gtests/ssl_gtest/tls_connect.cc, lib/ssl/ssl3exthandle.c, lib/ssl/sslimpl.h, lib/ssl/tls13con.c, lib/ssl/tls13replay.c: Bug 1656429 - Correct RTT estimate used in anti-replay, r=kjacobs This was never a security problem, but the more time that passes between the handshake and sending a ticket, the more likely we are to reject 0-RTT. Eventually, 0-RTT only works if it is delayed in the network by a surprising amount. [b4a1c57eb569] Differential Revision: https://phabricator.services.mozilla.com/D86454 |
||
|
Kevin Jacobs
|
cb86341c99 |
Bug 1655105 - land NSS afa38fb2f0b5 UPGRADE_NSS_RELEASE, r=jcj
2020-07-27 Jan-Marek Glogowski <glogow@fbihome.de> * lib/freebl/Makefile: Bug |
||
|
J.C. Jones
|
ee419dca67 |
Bug 1649545 - land NSS NSS_3_55_RTM UPGRADE_NSS_RELEASE, r=keeler
2020-07-24 J.C. Jones <jjones@mozilla.com> * lib/nss/nss.h, lib/softoken/softkver.h, lib/util/nssutil.h: Set version numbers to 3.55 final [6705eec655c8] [NSS_3_55_RTM] <NSS_3_55_BRANCH> 2020-07-22 Kai Engert <kaie@kuix.de> * lib/nss/nssinit.c: Bug 1653310 - Backed out changeset ca207655b4b7, because with updated NSPR this workaround is no longer required. r=kjacobe [a448fe36e58b] 2020-07-21 Kevin Jacobs <kjacobs@mozilla.com> * .hgtags: Added tag NSS_3_55_BETA1 for changeset 0768baa431e7 [2572e14f17d6] Differential Revision: https://phabricator.services.mozilla.com/D84845 |
||
|
Kevin Jacobs
|
99b3679870 |
Bug 1649545 - land NSS NSS_3_55_BETA1 UPGRADE_NSS_RELEASE, r=jcj
2020-07-21 Benjamin Beurdouche <bbeurdouche@mozilla.com>
* cmd/bltest/blapitest.c:
Bug 1653202 - Fix issue disabling other mechanisms when SEED is
deprecated in cmd/bltest/blapitest.c. r=kjacobs
[0768baa431e7] [NSS_3_55_BETA1]
2020-07-21 Kevin Jacobs <kjacobs@mozilla.com>
* automation/release/nspr-version.txt:
Bug 1652331 - NSS 3.55 should depend on NSPR 4.27. r=kaie
[3deefc218cd9]
2020-07-20 Billy Brumley <bbrumley@gmail.com>
* lib/freebl/ec.c:
Bug
|
||
|
Kevin Jacobs
|
e3e0baf90e |
Bug 1649545 - land NSS 615362dff5ad UPGRADE_NSS_RELEASE, r=jcj
2020-07-18 Benjamin Beurdouche <bbeurdouche@mozilla.com> * gtests/pk11_gtest/pk11_cipherop_unittest.cc, lib/softoken/pkcs11c.c: Bug 1636771 - Disable PKCS11 incremental mode for ChaCha20. r=kjacobs,rrelyea Depends on D74801 [615362dff5ad] [tip] * gtests/pk11_gtest/pk11_chacha20poly1305_unittest.cc, lib/freebl/chacha20poly1305.c: Bug 1636771 - Fix incorrect call to Chacha20Poly1305 by PKCS11. r=jcj,kjacobs,rrelyea [a5e82e40f03e] 2020-07-16 Benjamin Beurdouche <bbeurdouche@mozilla.com> * lib/softoken/pkcs11c.c: Bug 1637222 - Enforce IV length check for DES. r=kjacobs,jcj [0c70232cb6d3] Differential Revision: https://phabricator.services.mozilla.com/D84043 |
||
|
Kevin Jacobs
|
4e97e34c45 |
Bug 1649545 - land NSS ca068f5b5c17 UPGRADE_NSS_RELEASE, r=jcj
2020-07-16 Billy Brumley <bbrumley@gmail.com> * lib/freebl/ecl/ecl-priv.h, lib/freebl/ecl/ecl.c, lib/freebl/ecl/ecp_secp521r1.c, lib/freebl/freebl_base.gypi, lib/freebl/manifest.mn: Bug 1631583 - ECC: constant time P-521 r=kjacobs,rrelyea,bbeurdouche This portable code contributed by the Network and Information Security Group (NISEC) at Tampere University comes from: [ECCKiila](https://gitlab.com/nisec/ecckiila) that uses [Fiat](https://github.com/mit-plv/fiat-crypto) for the underlying field arithmetic. Co-authored-by: Luis Rivera-Zamarripa <luis.riverazamarripa@tuni.fi> Co-authored-by: Jesús-Javier Chi-Domínguez <jesus.chidominguez@tuni.fi> [ca068f5b5c17] [tip] * lib/freebl/ecl/ecl-priv.h, lib/freebl/ecl/ecl.c, lib/freebl/ecl/ecp_secp384r1.c, lib/freebl/freebl_base.gypi, lib/freebl/manifest.mn, tests/ec/ectest.sh: Bug 1631583 - ECC: constant time P-384 r=bbeurdouche,rrelyea This portable code contributed by the Network and Information Security Group (NISEC) at Tampere University comes from: [ECCKiila](https://gitlab.com/nisec/ecckiila) that uses [Fiat](https://github.com/mit-plv/fiat-crypto) for the underlying field arithmetic. Co-authored-by: Luis Rivera-Zamarripa <luis.riverazamarripa@tuni.fi> Co-authored-by: Jesús-Javier Chi-Domínguez <jesus.chidominguez@tuni.fi> [d19a3cd451bb] 2020-07-13 Robert Relyea <rrelyea@redhat.com> * lib/pk11wrap/pk11pub.h: Bug 1643528 Cannot compile code with nss headers and -Werror=strict- prototypes r=kjacobs [01ffd8fef7fa] 2020-07-10 Daiki Ueno <dueno@redhat.com> * gtests/ssl_gtest/ssl_auth_unittest.cc, lib/ssl/ssl3con.c, lib/ssl/ssl3exthandle.c, lib/ssl/sslimpl.h, lib/ssl/tls13exthandle.c: Bug 1646324, advertise rsa_pkcs1_* schemes in CH and CR for certs, r=mt Summary: In TLS 1.3, unless "signature_algorithms_cert" is advertised, the "signature_algorithms" extension is used as an indication of supported algorithms for signatures on certificates. While rsa_pkcs1_* signatures schemes cannot be used for signing handshake messages, they should be advertised if the peer wants to to support certificates signed with RSA PKCS#1. This adds a flag to ssl3_EncodeSigAlgs() and ssl3_FilterSigAlgs() to preserve rsa_pkcs1_* schemes in the output. Reviewers: mt Reviewed By: mt Bug #: 1646324 [df1d2695e115] 2020-07-09 Benjamin Beurdouche <bbeurdouche@mozilla.com> * gtests/pk11_gtest/pk11_pbkdf2_unittest.cc, lib/pk11wrap/pk11pbe.c: Bug 1649648 - Fix null pointers passed as argument in pk11wrap/pk11pbe.c:886 r=kjacobs [de661583d467] Differential Revision: https://phabricator.services.mozilla.com/D83824 |
||
|
Kevin Jacobs
|
6a6ed41ab7 |
Bug 1649545 - land NSS 58c2abd7404e UPGRADE_NSS_RELEASE, r=jcj
2020-06-26 Kevin Jacobs <kjacobs@mozilla.com>
* automation/abi-check/expected-report-libssl3.so.txt, automation/abi-
check/previous-nss-release, lib/nss/nss.h, lib/softoken/softkver.h,
lib/util/nssutil.h:
Set version numbers to 3.55 beta
[332ab7db68ba]
2020-06-25 Kevin Jacobs <kjacobs@mozilla.com>
* tests/all.sh:
Bug 1649190 - Run cipher, sdr, and ocsp tests under standard test
cycle.
[f373809abfc0]
2020-06-15 Kevin Jacobs <kjacobs@mozilla.com>
* gtests/common/testvectors/p256ecdsa-sha256-vectors.h,
gtests/common/testvectors/p384ecdsa-sha384-vectors.h,
gtests/common/testvectors/p521ecdsa-sha512-vectors.h,
gtests/common/testvectors_base/test-structs.h,
gtests/common/wycheproof/genTestVectors.py,
gtests/pk11_gtest/pk11_ecdsa_unittest.cc:
Bug 1649226 - Add Wycheproof ECDSA tests.
[41292ff7f545]
2020-06-30 Benjamin Beurdouche <bbeurdouche@mozilla.com>
* lib/pkcs12/p12d.c:
Bug 1649322 - Fix null pointer passed as argument in
pk11wrap/pk11pbe.c:1246 r=kjacobs
[cc43ebf5bf88]
2020-06-30 Danh <congdanhqx@gmail.com>
* coreconf/arch.mk, coreconf/config.mk, lib/freebl/Makefile:
Bug 1646594 - Enable AVX2 if applicable on x86_64 with make 4.3
r=bbeurdouche
[b579895aceb0]
2020-07-02 Benjamin Beurdouche <bbeurdouche@mozilla.com>
* lib/ssl/ssl3con.c:
Bug 1649316 - Prevent memcmp to be called with a zero length in
ssl/ssl3con.c:6621 r=kjacobs
[8fe9213d0551]
2020-07-02 Alexander Scheel <ascheel@redhat.com>
* lib/cryptohi/secvfy.c:
Bug 1649487 - Fix bad assert in VFY_EndWithSignature. r=jcj
[c9438b528103]
2020-07-06 Dana Keeler <dkeeler@mozilla.com>
* automation/abi-check/expected-report-libnss3.so.txt,
gtests/pk11_gtest/pk11_find_certs_unittest.cc, lib/nss/nss.def,
lib/pk11wrap/pk11cert.c, lib/pk11wrap/pk11pub.h:
Bug 1649633 - add PK11_FindEncodedCertInSlot r=kjacobs,jcj
PK11_FindEncodedCertInSlot can be used to determine the PKCS#11
object handle of an encoded certificate in a given slot. If the
given certificate does not exist in that slot, CK_INVALID_HANDLE is
returned.
[32fe710a942f]
* gtests/pk11_gtest/pk11_find_certs_unittest.cc:
Bug 1649633 - follow-up to make test comparisons in
pk11_find_certs_unittest.cc yoda comparisons r=kjacobs
[424dae31a1c1]
2020-07-07 Kevin Jacobs <kjacobs@mozilla.com>
* gtests/pk11_gtest/pk11_rsapkcs1_unittest.cc, lib/freebl/rsapkcs.c:
Bug 1067214 - Check minimum padding in RSA_CheckSignRecover.
r=rrelyea
This patch adds a check to `RSA_CheckSignRecover` enforcing a
minimum padding length of 8 bytes for PKCS #1 v1.5-formatted
signatures. In practice, RSA key size requirements already ensure
this requirement is met, but smaller (read: broken) key sizes can be
used via configuration overrides, and NSS should just follow the
spec.
[e5324bd5a885]
2020-07-08 Kevin Jacobs <kjacobs@mozilla.com>
* gtests/ssl_gtest/libssl_internals.c,
gtests/ssl_gtest/libssl_internals.h,
gtests/ssl_gtest/ssl_record_unittest.cc,
gtests/ssl_gtest/tls_agent.cc, gtests/ssl_gtest/tls_agent.h,
lib/ssl/dtls13con.c, lib/ssl/dtls13con.h, lib/ssl/ssl3con.c,
lib/ssl/ssl3prot.h, lib/ssl/sslspec.h, lib/ssl/sslt.h,
lib/ssl/tls13con.c, lib/ssl/tls13exthandle.c:
Bug 1647752 - Update DTLS 1.3 implementation to draft-38. r=mt
This patch updates DTLS 1.3 to draft-38. Specifically:
# `ssl_ct_ack` value changes from 25 to 26. # AEAD limits in
`tls13_UnprotectRecord` enforce a maximum of 2^36-1 (as we only
support GCM/ChaCha20 AEADs) decryption failures before the
connection is closed. # Post-handshake authentication will no longer
be negotiated in DTLS 1.3. This allows us to side-step the more
convoluted state machine requirements.
[132a87fc8689]
2020-07-09 Benjamin Beurdouche <bbeurdouche@mozilla.com>
* lib/pk11wrap/pk11pbe.c, lib/pkcs12/p12d.c:
Bug 1649322 - Fix null pointer passed as argument in
pk11wrap/pk11pbe.c:1246 r=kjacobs
This is a fixup patch that reverts https://hg.mozilla.org/projects/n
ss/rev/cc43ebf5bf88355837c5fafa2f3c46e37626707a and adds a null
check around the memcpy in question.
[80bea0e22b20]
2020-07-09 J.C. Jones <jjones@mozilla.com>
* lib/softoken/pkcs11.c:
Bug 1651520 - slotLock race in NSC_GetTokenInfo r=kjacobs
Basically, NSC_GetTokenInfo doesn't lock slot->slotLock before
accessing slot after obtaining it, even though slotLock is defined
as its lock. [0]
[0] https://searchfox.org/nss/rev/a412e70e55218aaf670f1f10322fa734d8
a9fbde/lib/softoken/pkcs11i.h#320-321
[58c2abd7404e] [tip]
Differential Revision: https://phabricator.services.mozilla.com/D82466
|
||
|
Kevin Jacobs
|
5871df542a |
Bug 1642687 - land NSS NSS_3_54_RTM UPGRADE_NSS_RELEASE, r=jcj
Differential Revision: https://phabricator.services.mozilla.com/D81357 |
||
|
Kevin Jacobs
|
669967478e |
Bug 1642687 - land NSS 87fa2f0598ad UPGRADE_NSS_RELEASE, r=jcj
2020-06-24 Kai Engert <kaie@kuix.de> * automation/release/nspr-version.txt: Bug 1640516 - NSS 3.54 should depend on NSPR 4.26. r=kjacobs [87fa2f0598ad] [tip] 2020-06-23 Kevin Jacobs <kjacobs@mozilla.com> * .hgtags: Added tag NSS_3_54_BETA1 for changeset 2bd2f3267dc5 [fe2ed4384f6a] Differential Revision: https://phabricator.services.mozilla.com/D80989 |
||
|
Kevin Jacobs
|
34be3870be |
Bug 1642687 - land NSS 2bd2f3267dc5 UPGRADE_NSS_RELEASE, r=jcj
2020-06-22 Kevin Jacobs <kjacobs@mozilla.com> * lib/util/quickder.c: Bug 1646520 - Stricter leading-zero checks for ASN.1 INTEGER values. r=jcj This patch adjusts QuickDER to strictly enforce INTEGER encoding with respect to leading zeros: - If the MSB of the first (value) octet is set, a single zero byte MAY be present to make the value positive. This singular pad byte is removed. - Otherwise, the first octet must not be zero. [2bd2f3267dc5] [tip] Differential Revision: https://phabricator.services.mozilla.com/D80543 |
||
|
Kevin Jacobs
|
bc02cf3e36 |
Bug 1642687 - land NSS 699541a7793b UPGRADE_NSS_RELEASE, r=jcj
2020-06-16 Sohaib ul Hassan <sohaibulhassan@tuni.fi> * lib/freebl/mpi/mpi.c, lib/freebl/mpi/mpi.h, lib/freebl/mpi/mplogic.c: Bug 1631597 - Constant-time GCD and modular inversion r=rrelyea,kjacobs The implementation is based on the work by Bernstein and Yang (https://eprint.iacr.org/2019/266) "Fast constant-time gcd computation and modular inversion". It fixes the old mp_gcd and s_mp_invmod_odd_m functions. The patch also fix mpl_significant_bits s_mp_div_2d and s_mp_mul_2d by having less control flow to reduce side-channel leaks. Co Author : Billy Bob Brumley [699541a7793b] [tip] Differential Revision: https://phabricator.services.mozilla.com/D80120 |