2020-05-12 Kevin Jacobs <kjacobs@mozilla.com>
* gtests/freebl_gtest/mpi_unittest.cc:
Bug 1561331 - Additional modular inverse test r=jcj
[e2061fe522f5] [tip]
2020-05-08 Jan-Marek Glogowski <glogow@fbihome.de>
* coreconf/rules.mk, lib/ckfw/builtins/Makefile,
lib/ckfw/builtins/testlib/Makefile, lib/ckfw/capi/Makefile,
lib/dev/Makefile, lib/freebl/Makefile, lib/pk11wrap/Makefile,
lib/softoken/Makefile:
Bug 1629553 Use order-prereq for $(MAKE_OBJDIR) r=rrelyea
Introduces a simple "%/d" rule to create directories using
$(MAKE_OBJDIR) and replace all explicit $(MAKE_OBJDIR) calls with an
order-only-prerequisites.
To expand the $(@D) prerequisite, this needs .SECONDEXPANSION.
[c3f11da5acfc]
2020-05-05 Jan-Marek Glogowski <glogow@fbihome.de>
* coreconf/IRIX.mk, coreconf/OS2.mk, coreconf/README,
coreconf/SunOS4.1.3_U1.mk, coreconf/SunOS5.mk, coreconf/UNIX.mk,
coreconf/WIN32.mk, coreconf/config.mk, coreconf/location.mk,
coreconf/mkdepend/Makefile, coreconf/mkdepend/cppsetup.c,
coreconf/mkdepend/def.h, coreconf/mkdepend/ifparser.c,
coreconf/mkdepend/ifparser.h, coreconf/mkdepend/imakemdep.h,
coreconf/mkdepend/include.c, coreconf/mkdepend/main.c,
coreconf/mkdepend/mkdepend.man, coreconf/mkdepend/parse.c,
coreconf/mkdepend/pr.c, coreconf/rules.mk:
Bug 1438431 Remove mkdepend tool and targets r=rrelyea
[6c5f91e098a1]
* coreconf/README, coreconf/rules.mk:
Bug 1629553 Drop duplicate header DIR variables r=rrelyea
[d1f954627260]
* coreconf/OpenUNIX.mk, coreconf/README, coreconf/SCO_SV3.2.mk,
coreconf/config.mk, coreconf/cpdist.pl, coreconf/import.pl,
coreconf/jdk.mk, coreconf/jniregen.pl, coreconf/module.mk,
coreconf/outofdate.pl, coreconf/release.pl, coreconf/rules.mk,
coreconf/ruleset.mk, coreconf/source.mk, coreconf/version.mk:
Bug 1629553 Drop coreconf java support r=rrelyea
There aren't an Java sources in NSS, so just drop all the stuff
referencing java, jars, jni, etc.
I didn't try to remove it from tests.
[7d285fe69c8c]
* cmd/crmf-cgi/Makefile, cmd/crmf-cgi/config.mk,
cmd/crmftest/Makefile, cmd/crmftest/config.mk, cmd/lib/Makefile,
cmd/lib/config.mk, cmd/lib/manifest.mn, cmd/libpkix/config.mk,
cmd/libpkix/perf/Makefile, cmd/libpkix/perf/manifest.mn,
cmd/libpkix/pkix/Makefile, cmd/libpkix/pkix/certsel/Makefile,
cmd/libpkix/pkix/certsel/manifest.mn,
cmd/libpkix/pkix/checker/Makefile,
cmd/libpkix/pkix/checker/manifest.mn,
cmd/libpkix/pkix/crlsel/Makefile,
cmd/libpkix/pkix/crlsel/manifest.mn,
cmd/libpkix/pkix/params/Makefile,
cmd/libpkix/pkix/params/manifest.mn,
cmd/libpkix/pkix/results/Makefile,
cmd/libpkix/pkix/results/manifest.mn,
cmd/libpkix/pkix/store/Makefile, cmd/libpkix/pkix/store/manifest.mn,
cmd/libpkix/pkix/top/Makefile, cmd/libpkix/pkix/top/manifest.mn,
cmd/libpkix/pkix/util/Makefile, cmd/libpkix/pkix/util/manifest.mn,
cmd/libpkix/pkix_pl/Makefile, cmd/libpkix/pkix_pl/module/Makefile,
cmd/libpkix/pkix_pl/module/manifest.mn,
cmd/libpkix/pkix_pl/pki/Makefile,
cmd/libpkix/pkix_pl/pki/manifest.mn,
cmd/libpkix/pkix_pl/system/Makefile,
cmd/libpkix/pkix_pl/system/manifest.mn,
cmd/libpkix/testutil/manifest.mn, cpputil/Makefile,
cpputil/config.mk, cpputil/manifest.mn, lib/base/Makefile,
lib/base/config.mk, lib/base/manifest.mn, lib/certdb/Makefile,
lib/certdb/config.mk, lib/certdb/manifest.mn, lib/certhigh/Makefile,
lib/certhigh/config.mk, lib/certhigh/manifest.mn, lib/ckfw/Makefile,
lib/ckfw/builtins/Makefile, lib/ckfw/builtins/config.mk,
lib/ckfw/builtins/manifest.mn, lib/ckfw/builtins/testlib/Makefile,
lib/ckfw/builtins/testlib/config.mk,
lib/ckfw/builtins/testlib/manifest.mn, lib/ckfw/capi/Makefile,
lib/ckfw/capi/config.mk, lib/ckfw/capi/manifest.mn,
lib/ckfw/config.mk, lib/ckfw/dbm/Makefile, lib/ckfw/dbm/config.mk,
lib/ckfw/dbm/manifest.mn, lib/ckfw/manifest.mn, lib/crmf/Makefile,
lib/crmf/config.mk, lib/crmf/manifest.mn, lib/cryptohi/Makefile,
lib/cryptohi/config.mk, lib/cryptohi/manifest.mn,
lib/dbm/src/config.mk, lib/dbm/src/manifest.mn, lib/dev/Makefile,
lib/dev/config.mk, lib/dev/manifest.mn, lib/jar/Makefile,
lib/jar/config.mk, lib/jar/manifest.mn, lib/libpkix/Makefile,
lib/libpkix/config.mk, lib/libpkix/include/Makefile,
lib/libpkix/include/config.mk, lib/libpkix/pkix/Makefile,
lib/libpkix/pkix/certsel/Makefile,
lib/libpkix/pkix/certsel/config.mk,
lib/libpkix/pkix/certsel/manifest.mn,
lib/libpkix/pkix/checker/Makefile,
lib/libpkix/pkix/checker/config.mk,
lib/libpkix/pkix/checker/manifest.mn, lib/libpkix/pkix/config.mk,
lib/libpkix/pkix/crlsel/Makefile, lib/libpkix/pkix/crlsel/config.mk,
lib/libpkix/pkix/crlsel/manifest.mn,
lib/libpkix/pkix/params/Makefile, lib/libpkix/pkix/params/config.mk,
lib/libpkix/pkix/params/manifest.mn,
lib/libpkix/pkix/results/Makefile,
lib/libpkix/pkix/results/config.mk,
lib/libpkix/pkix/results/manifest.mn,
lib/libpkix/pkix/store/Makefile, lib/libpkix/pkix/store/config.mk,
lib/libpkix/pkix/store/manifest.mn, lib/libpkix/pkix/top/Makefile,
lib/libpkix/pkix/top/config.mk, lib/libpkix/pkix/top/manifest.mn,
lib/libpkix/pkix/util/Makefile, lib/libpkix/pkix/util/config.mk,
lib/libpkix/pkix/util/manifest.mn, lib/libpkix/pkix_pl_nss/Makefile,
lib/libpkix/pkix_pl_nss/config.mk,
lib/libpkix/pkix_pl_nss/module/Makefile,
lib/libpkix/pkix_pl_nss/module/config.mk,
lib/libpkix/pkix_pl_nss/module/manifest.mn,
lib/libpkix/pkix_pl_nss/pki/Makefile,
lib/libpkix/pkix_pl_nss/pki/config.mk,
lib/libpkix/pkix_pl_nss/pki/manifest.mn,
lib/libpkix/pkix_pl_nss/system/Makefile,
lib/libpkix/pkix_pl_nss/system/config.mk,
lib/libpkix/pkix_pl_nss/system/manifest.mn, lib/pk11wrap/Makefile,
lib/pk11wrap/config.mk, lib/pk11wrap/manifest.mn,
lib/pkcs12/Makefile, lib/pkcs12/config.mk, lib/pkcs12/manifest.mn,
lib/pkcs7/Makefile, lib/pkcs7/config.mk, lib/pkcs7/manifest.mn,
lib/pki/Makefile, lib/pki/config.mk, lib/pki/manifest.mn,
lib/sqlite/Makefile, lib/sysinit/Makefile, lib/util/Makefile,
lib/zlib/Makefile, lib/zlib/config.mk, lib/zlib/manifest.mn:
Bug 1629553 Merge simple config.mk files r=rrelyea
There is really no good reason to explicitly change the TARGET
variable. And the empty SHARED_LIBRARY variable should also be in
the manifest.mn to begin with.
All the other empty variables start empty or undefined, so there is
also no need to explicitly set them empty.
[dc1ef0faf4a6]
* cmd/libpkix/testutil/config.mk, coreconf/OS2.mk, coreconf/WIN32.mk,
coreconf/ruleset.mk, coreconf/suffix.mk, gtests/common/Makefile,
gtests/common/manifest.mn, gtests/google_test/Makefile,
gtests/google_test/manifest.mn, gtests/pkcs11testmodule/Makefile,
gtests/pkcs11testmodule/config.mk,
gtests/pkcs11testmodule/manifest.mn, lib/ckfw/builtins/config.mk,
lib/ckfw/builtins/manifest.mn, lib/ckfw/builtins/testlib/config.mk,
lib/ckfw/capi/config.mk, lib/ckfw/capi/manifest.mn,
lib/freebl/config.mk, lib/nss/config.mk, lib/nss/manifest.mn,
lib/smime/config.mk, lib/smime/manifest.mn, lib/softoken/config.mk,
lib/softoken/legacydb/config.mk, lib/softoken/legacydb/manifest.mn,
lib/softoken/manifest.mn, lib/sqlite/config.mk,
lib/sqlite/manifest.mn, lib/ssl/config.mk, lib/ssl/manifest.mn,
lib/sysinit/config.mk, lib/sysinit/manifest.mn, lib/util/config.mk,
lib/util/manifest.mn:
Bug 1629553 Rework the LIBRARY_NAME ruleset r=rrelyea
* Drop the WIN% "32" default DLL suffix
* Add default resource file handling => drop default RES
* Generate IMPORT_LIBRARY based on IMPORT_LIB_SUFFIX and
SHARED_LIBRARY, so we can drop all the explicit empty IMPORT_LIBRARY
lines
Originally this patch also tried to add a default MAPFILE rule, but
this fails, because the ARCH makefiles set linker flags based on an
existing MAPFILE variable.
[877d721d93cd]
* coreconf/rules.mk:
Bug 1629553 Use an eval template for C++ compile rules r=rrelyea
These pattern rules already had a comment to keep both in sync, so
just use an eval template to enforce this.
[9b628d9c57e5]
* lib/freebl/Makefile:
Bug 1629553 Use an eval template for freebl libs r=rrelyea
[71dd05b782e4]
* coreconf/rules.mk:
Bug 1629553 Use an eval template for export targets r=rrelyea
[45db681898be]
* lib/pk11wrap/manifest.mn, lib/pk11wrap/pk11load.c,
lib/pk11wrap/pk11wrap.gyp:
Bug 1629553 Prefix pk11wrap (SHLIB|LIBRARY)_VERSION with NSS_
r=rrelyea
In the manifest.mn the LIBRARY_VERSION is normally used to define
the major version of the build shared library. This ust works for
the pk11wrap case, because pk11wrap is a static library. But it's
still very confusing when reading the manifest.mn. Also the
referenced define in the code is just named SHLIB_VERSION.
So this prefixes the defines and the variables with NSS_, because it
tries to load the NSS library, just as the SOFTOKEN_.*_VERSION is
used to load the versioned softokn library.
[cbb737bc6c0c]
* Makefile, cmd/Makefile, cmd/shlibsign/Makefile,
cmd/smimetools/rules.mk, coreconf/rules.mk, gtests/manifest.mn,
lib/freebl/Makefile, lib/manifest.mn, manifest.mn:
Bug 290526 Drop double-colon usage and add directory depends
r=rrelyea
Double-colon rule behaviour isn't really compatible with parallel
build. This gets rid of all of them, so we can codify the directory
dependencies.
This leaves just three problems, which aren't really fixable with
the current build system without completely replacing it:
* everything depends on nsinstall
* everything depends on installed headers
* ckfw child directories depend on the build parent libs
This is handled by the prepare_build target.
Overall this allows most if the build to run in parallel.
P.S. the release_md:: has to stay :-( P.P.S. no clue, why freebl
must use libs: instead of using the TARGETS and .PHONY variables
[f3a0ef69c056]
* coreconf/WIN32.mk, gtests/certdb_gtest/manifest.mn,
gtests/common/Makefile, gtests/google_test/Makefile,
gtests/google_test/manifest.mn, gtests/pkcs11testmodule/Makefile:
Bug 290526 Fix gtests build for WIN% targets r=rrelyea
The google_test gtest build doesn't provide any exports for the
shared library on Windows and the gyp build also builds just a
static library. So build gtest and gtestutil libraries as static.
For whatever reason, the Windows linker doesn't find the main
function inside the gtestutil library, if we don't tell it to build
a console executable. But linking works fine, if the object file is
used directly. But since we can have different main() objects based
on build flags, we enforce building console applications binaries.
[a82a55886c1d]
* cmd/bltest/manifest.mn, cmd/chktest/manifest.mn, cmd/crmf-
cgi/manifest.mn, cmd/crmftest/manifest.mn, cmd/fipstest/manifest.mn,
cmd/lib/Makefile, cmd/libpkix/testutil/Makefile,
cmd/lowhashtest/manifest.mn, cmd/modutil/manifest.mn,
cmd/pk11gcmtest/manifest.mn, cmd/pk11mode/manifest.mn,
cmd/rsapoptst/manifest.mn, cmd/signtool/manifest.mn,
cmd/ssltap/manifest.mn, coreconf/README, coreconf/rules.mk,
cpputil/manifest.mn, gtests/google_test/manifest.mn,
gtests/pkcs11testmodule/Makefile, lib/base/Makefile,
lib/certdb/Makefile, lib/certhigh/Makefile, lib/ckfw/Makefile,
lib/crmf/Makefile, lib/cryptohi/Makefile, lib/dbm/include/Makefile,
lib/dev/Makefile, lib/dev/manifest.mn, lib/freebl/Makefile,
lib/libpkix/Makefile, lib/libpkix/include/Makefile,
lib/libpkix/include/manifest.mn, lib/libpkix/pkix/Makefile,
lib/libpkix/pkix/certsel/Makefile,
lib/libpkix/pkix/certsel/manifest.mn,
lib/libpkix/pkix/checker/Makefile,
lib/libpkix/pkix/checker/manifest.mn,
lib/libpkix/pkix/crlsel/Makefile,
lib/libpkix/pkix/crlsel/manifest.mn,
lib/libpkix/pkix/params/Makefile,
lib/libpkix/pkix/params/manifest.mn,
lib/libpkix/pkix/results/Makefile,
lib/libpkix/pkix/results/manifest.mn,
lib/libpkix/pkix/store/Makefile, lib/libpkix/pkix/store/manifest.mn,
lib/libpkix/pkix/top/Makefile, lib/libpkix/pkix/top/manifest.mn,
lib/libpkix/pkix/util/Makefile, lib/libpkix/pkix/util/manifest.mn,
lib/libpkix/pkix_pl_nss/Makefile,
lib/libpkix/pkix_pl_nss/module/Makefile,
lib/libpkix/pkix_pl_nss/module/manifest.mn,
lib/libpkix/pkix_pl_nss/pki/Makefile,
lib/libpkix/pkix_pl_nss/pki/manifest.mn,
lib/libpkix/pkix_pl_nss/system/Makefile,
lib/libpkix/pkix_pl_nss/system/manifest.mn, lib/nss/Makefile,
lib/pk11wrap/Makefile, lib/pki/Makefile, lib/pki/manifest.mn,
lib/softoken/Makefile, lib/softoken/legacydb/Makefile,
lib/sqlite/Makefile, lib/sqlite/manifest.mn, lib/ssl/Makefile,
lib/util/Makefile, lib/zlib/Makefile:
Bug 290526 Drop recursive private_exports r=rrelyea
Copying private headers is now simply included in the exports
target, as these headers use an extra directory anyway.
[989ecbd870f3]
* Makefile, cmd/shlibsign/Makefile, coreconf/Makefile,
coreconf/README, coreconf/nsinstall/Makefile, coreconf/rules.mk,
coreconf/ruleset.mk, lib/Makefile, lib/ckfw/Makefile:
Bug 290526 Parallelize part of the NSS build r=rrelyea
This still serializes many targets, but at least these targets
themself run their build in parallel. The main serialization happens
in nss/Makefile and nss/coreconf/rules.mk's all target.
We can't add these as real dependencies, as all Makefile snippets
use the same variable names. I tried to always run sub-makes to hack
in the depndencies, but these don't know of each other, so targets
very often run twice, and this breaks the build.
Having a tests:: target and a tests directory leads to misery (and
doesn't work), so it's renamed to check.
This just works with NSS_DISABLE_GTESTS=1 specified and is fixed by
a follow up patch, which removes the double-colon usage and adds the
directory dependencies!
[5d0bfa092e0f]
* coreconf/UNIX.mk, coreconf/WIN32.mk, coreconf/mkdepend/Makefile,
coreconf/nsinstall/Makefile, coreconf/ruleset.mk:
Bug 290526 Don't delete directories r=rrelyea
If these files exist and aren't directories, there might be other
problems. Trying to "fix" them by removing will break the build.
[fb377d36262d]
* coreconf/rules.mk:
Bug 290526 Handle empty install variables r=rrelyea
Originally I added the install commands to the individual build
targets. But this breaks the incremental build, because there is
actually no dependency for the install. But it turns out, that in
the end it's enough to ignore empty defined variables, so just do
this.
[585942b1d556]
* coreconf/rules.mk:
Bug 290526 Handle parallel PROGRAM and PROGRAMS r=rrelyea
I have no real clue, why PROGRAMS is actually working in the
sequence build. There is no special make code really handling it,
except for the install target.
This patches code is inspired by the $(eval ...) example in the GNU
make documentation. It generates a program specific make target and
maps the programs objects based on the defined variables.
[d30a6953b897]
Differential Revision: https://phabricator.services.mozilla.com/D75385
To implement filtering client certificates by the acceptable CAs list sent by
servers when they request client certificates, we need the CAs that issued the
client certificates. To that end, this change modifies the Windows backend of
the osclientcerts module to also gather issuing CAs while looking for client
certificates. These certificates will not affect trust decisions in gecko.
Differential Revision: https://phabricator.services.mozilla.com/D74719
This removes processing of HTTP Public Key Pinning headers, remotely modifying
pinning information, and using cached pinning information, all of which was
already disabled in bug 1412438. Static pins that ship with the browser are
still enforced.
Differential Revision: https://phabricator.services.mozilla.com/D73352
Passing Cr.ERROR to an Error constructor is incorrect since it just sets the
message of the error to the integer value of the Cr.ERROR. Cr.ERRORs need to be
used as the second argument to Component.Exception to correctly construct an
Exception object with its result property set to the Cr.ERROR value.
This was done automatically by an expansion of the new
mozilla/no-throw-cr-literal eslint rule that will be introduced in the next
commit.
Differential Revision: https://phabricator.services.mozilla.com/D28075
2020-05-01 J.C. Jones <jjones@mozilla.com>
* lib/nss/nss.h, lib/softoken/softkver.h, lib/util/nssutil.h:
Set version numbers to 3.52 final
[befc258c4336] [NSS_3_52_RTM] <NSS_3_52_BRANCH>
2020-04-30 Kevin Jacobs <kjacobs@mozilla.com>
* .hgtags:
Added tag NSS_3_52_BETA2 for changeset bb4462a16de8
[c5d002af1d61]
Differential Revision: https://phabricator.services.mozilla.com/D73512
2020-05-01 J.C. Jones <jjones@mozilla.com>
* lib/nss/nss.h, lib/softoken/softkver.h, lib/util/nssutil.h:
Set version numbers to 3.52 final
[befc258c4336] [NSS_3_52_RTM] <NSS_3_52_BRANCH>
2020-04-30 Kevin Jacobs <kjacobs@mozilla.com>
* .hgtags:
Added tag NSS_3_52_BETA2 for changeset bb4462a16de8
[c5d002af1d61]
Differential Revision: https://phabricator.services.mozilla.com/D73512
2020-04-30 zhujianwei7 <zhujianwei7@huawei.com>
* lib/smime/cmssigdata.c:
Bug 1630925 - Guard all instances of NSSCMSSignedData.signerInfos
r=kjacobs
[bb4462a16de8] [NSS_3_52_BETA2]
2020-04-30 Kevin Jacobs <kjacobs@mozilla.com>
* gtests/pk11_gtest/pk11_seed_cbc_unittest.cc, lib/freebl/seed.c,
lib/freebl/seed.h:
Bug 1619959 - Properly handle multi-block SEED ECB inputs.
r=bbeurdouche,jcj
[d67517e92371]
2020-04-28 Kevin Jacobs <kjacobs@mozilla.com>
* .hgtags:
Added tag NSS_3_52_BETA1 for changeset 0b30eb1c3650
[11415c3334ab]
2020-04-24 Robert Relyea <rrelyea@redhat.com>
* lib/libpkix/pkix_pl_nss/pki/pkix_pl_cert.c:
Bug 1571677 Name Constraints validation: CN treated as DNS name even
when syntactically invalid as DNS name r=mt
This patch makes libpkix treat name contraints the same the NSS cert
verifier. This proposal available for review for 9 months without
objection.
Time to make this official
[0b30eb1c3650] [NSS_3_52_BETA1]
2020-04-27 Edouard Oger <eoger@fastmail.com>
* lib/freebl/blinit.c:
Bug 1633498 - Do not define getauxval on iOS targets. r=jcj
[7b5e3b9fbc7d]
2020-04-27 Robert Relyea <rrelyea@redhat.com>
* lib/softoken/sftkike.c:
Bug 1629663 NSS missing IKEv1 Quick Mode KDF prf r=kjacobs
Fix possible free before alloc error found by kjacobs
[7f91e3dcfb9b]
2020-04-20 Robert Relyea <rrelyea@redhat.com>
* lib/softoken/pkcs11.c, lib/softoken/pkcs11c.c,
lib/softoken/pkcs11i.h, lib/softoken/sftkike.c, lib/util/pkcs11n.h:
Bug 1629663 NSS missing IKEv1 Quick Mode KDF prf r=kjacobs
We found another KDF function in libreswan that is not using the NSS
KDF API.
Unfortunately, it seems the existing IKE KDF's in NSS are not usable
for the Quick Mode use.
The libreswan code is in compute_proto_keymat() and the
specification is in https://tools.ietf.org/html/rfc2409#section-5.5
It needs:
KEYMAT = prf(SKEYID_d, [g(qm)^xy ] | protocol | SPI | Ni_b | Nr_b).
which an be thought of as: KEYMAT = prf(KEY, [KEY] | BYTES)
but with the kicker that it also does multiple rounds aka key
expansion: KEYMAT = K1 | K2 | K3 | ...
where
K1 = prf(KEY, [KEY] | BYTES) K2 = prf(KEY, K1 | [KEY] | BYTES) K3 =
prf(KEY, K1 | [KEY] | BYTES) etc.
to generate the needed keying material >PRF size
This patch implements this by extendind the Appendix B Mechanism to
take and optional key and data in a new Mechanism parameter
structure. Which flavor is used (old CK_MECHANISM_TYPE or the new
parameter) is determined by the mechanism parameter lengths.
Application which try to use this new feature on old versions of NSS
will get an error (rather than invalid data).
[225bb39eade1]
Differential Revision: https://phabricator.services.mozilla.com/D73383
When the browser process starts a sandbox process, we copy the executable's IAT
for ntdll.dll into the new process to prevent DLL injection via IAT tampering as
the launcher process does. However, if IAT has been modified by a module injected
via `SetWindowHookEx`, the browser process cannot copy IAT because a modified IAT
is invalid in a different process, failing to start any sandbox processes.
The proposed fix is to cache IAT before COM initialization which may load
modules via `SetWindowHookEx` for the first time in the process.
Differential Revision: https://phabricator.services.mozilla.com/D73303
mozilla::pkix treats the id-kp-OCSPSigning extended key usage as forbidden
unless specifically required. Client authentication certificate filtering in
gecko uses mozilla::pkix, so before this patch, certificates with this EKU would
be filtered out. Normally this is correct, because client authentication
certificates should never have this EKU. However, there is at least one private
PKI where client certificates have this EKU. For interoperability, this patch
works around this restriction by falling back to requiring id-kp-OCSPSigning if
path building initially fails.
Differential Revision: https://phabricator.services.mozilla.com/D72760
2020-04-24 Kevin Jacobs <kjacobs@mozilla.com>
* automation/abi-check/expected-report-libnss3.so.txt,
gtests/softoken_gtest/softoken_gtest.cc, lib/nss/nss.def,
lib/pk11wrap/pk11obj.c, lib/pk11wrap/pk11pub.h, lib/softoken/sdb.c:
Bug 1612881 - Maintain PKCS11 C_GetAttributeValue semantics on
attributes that lack NSS database columns r=keeler,rrelyea
`sdb_GetAttributeValueNoLock` builds a query string from a list of
attributes in the input template. Unfortunately,
`sqlite3_prepare_v2` will fail the entire query if one of the
attributes is missing from the underlying table. The PKCS #11 spec
[[ https://www.cryptsoft.com/pkcs11doc/v220/pkcs11__all_8h.html#aC_G
etAttributeValue | requires ]] setting the output `ulValueLen` field
to -1 for such invalid attributes.
This patch reads and stores the columns of nssPublic/nssPrivate when
opened, then filters an input template in
`sdb_GetAttributeValueNoLock` for unbacked/invalid attributes,
removing them from the query and setting their template output
lengths to -1.
[aae226c20dfd] [tip]
2020-04-23 Kevin Jacobs <kjacobs@mozilla.com>
* lib/ssl/sslnonce.c:
Bug 1531906 - Relax ssl3_SetSIDSessionTicket assertions to permit
valid, evicted or externally-cached sids. r=mt
This patch relaxes an overzealous assertion for the case where: 1)
Two sockets start connections with a shared SID. 2) One receives an
empty session ticket in the SH, and evicts the SID from cache. 3)
The second socket receives a new session ticket, and attempts to set
it in the SID.
We currently assert that the sid is `in_client_cache` at 3), but
clearly it cannot be. The outstanding reference remains valid
despite the eviction.
This also solves a related assertion failure after
https://hg.mozilla.org/mozilla-central/rev/c5a8b641d905 where the
same scenario occurs, but instead of being `in_client_cache` or
evicted, the SID is `in_external_cache`.
[a68de0859582]
2020-04-16 Robert Relyea <rrelyea@redhat.com>
* gtests/common/testvectors/kwp-vectors.h,
gtests/pk11_gtest/manifest.mn,
gtests/pk11_gtest/pk11_aeskeywrapkwp_unittest.cc,
gtests/pk11_gtest/pk11_gtest.gyp, lib/freebl/aeskeywrap.c,
lib/freebl/blapi.h, lib/freebl/blapit.h, lib/freebl/hmacct.c,
lib/freebl/ldvector.c, lib/freebl/loader.c, lib/freebl/loader.h,
lib/pk11wrap/pk11mech.c, lib/softoken/lowpbe.c,
lib/softoken/pkcs11.c, lib/softoken/pkcs11c.c,
lib/softoken/pkcs11i.h, lib/softoken/pkcs11u.c, lib/ssl/ssl3con.c,
lib/util/secport.h:
Bug 1630721 Softoken Functions for FIPS missing r=mt
For FIPS we need the following:
1. NIST official Key padding for AES Key Wrap. 2. Combined
Hash/Sign mechanisms for DSA and ECDSA.
In the first case our AES_KEY_WRAP_PAD function addes pkcs8 padding
to the normal AES_KEY_WRAP, which is a different algorithm then the
padded key wrap specified by NIST. PKCS #11 recognized this and
created a special mechanism to handle NIST padding. That is why we
don't have industry test vectors for CKM_NSS_AES_KEY_WRAP_PAD. This
patch implements that NIST version (while maintaining our own). Also
PKCS #11 v3.0 specified PKCS #11 mechanism for AES_KEY_WRAP which
are compatible (semantically) with the NSS vendor specific versions,
but with non-vendor specific numbers. Softoken now accepts both
numbers.
This patch also updates softoken to handle DSA and ECDSA combined
hash algorithms other than just SHA1 (which is no longer validated).
Finally this patch uses the NIST KWP test vectors in new gtests for
the AES_KEY_WRAP_KWP wrapping algorithm.
As part of the AES_KEY_WRAP_KWP code, the Constant time macros have
been generalized and moved to secport. Old macros scattered
throughout the code have been deleted and existing contant time code
has been updated to use the new macros.
[3682d5ef3db5]
2020-04-21 Lauri Kasanen <cand@gmx.com>
* lib/freebl/Makefile, lib/freebl/freebl.gyp,
lib/freebl/freebl_base.gypi, lib/freebl/gcm.h, lib/freebl/ppc-
crypto.h, lib/freebl/scripts/LICENSE, lib/freebl/scripts/gen.sh,
lib/freebl/scripts/ppc-xlate.pl, lib/freebl/scripts/sha512p8-ppc.pl,
lib/freebl/sha512-p8.s, lib/freebl/sha512.c:
Bug 1613238 - POWER SHA-2 digest vector acceleration. r=jcj,kjacobs
[2d66bd9dcad4]
2020-04-18 Robert Relyea <rrelyea@redhat.com>
* coreconf/Linux.mk, coreconf/config.gypi, lib/softoken/sdb.c:
Bug 1603801 [patch] Avoid dcache pollution from sdb_measureAccess()
r=mt
As implemented, when sdb_measureAccess() runs it creates up to
10,000 negative dcache entries (cached nonexistent filenames).
There is no advantage to leaving these particular filenames in the
cache; they will never be searched again. Subsequent runs will run a
new test with an intentionally different set of filenames. This can
have detrimental effects on some systems; a massive negative dcache
can lead to memory or performance problems.
Since not all platforms have a problem with negative dcache entries,
this patch is limitted to those platforms that request it at
compilie time (Linux is current the only patch that does.)
[928721f70164]
2020-04-16 Kevin Jacobs <kjacobs@mozilla.com>
* coreconf/config.gypi:
Bug 1630458 - Produce debug symbols in GYP/MSVC debug builds. r=mt
[25006e23a777]
2020-04-13 Robert Relyea <rrelyea@redhat.com>
* lib/ckfw/object.c, lib/ckfw/session.c:
Bug 1629655 ckfw needs to support temporary session objects.
r=kjacobs
libckfw needs to create temporary objects whose space will to be
freed after use (rather than at token shutdown). Currently only
token objects are supported and they are allocated out of a global
arena owned by the slot, so the objects only go away when the slot
is closed.
This patch sets the arena to NULL in nssCKFWObject_Create() if the
object is a session object. This tells nssCKFWObject_Create() to
create a new arena specifically for this object. That arena is
stored in localArena. When the object is destroyed, any localArena's
will be freed.
[808ec0e6fd77]
2020-04-14 Robert Relyea <rrelyea@redhat.com>
* cmd/selfserv/selfserv.c, lib/ssl/sslsnce.c, tests/ssl/ssl.sh:
Bug 1629661 MPConfig calls in SSL initializes policy before NSS is
initialized. r=mt
NSS has several config functions that multiprocess servers must call
before NSS is initialized to set up shared memory caches between the
processes. These functions call ssl_init(), which initializes the
ssl policy. The ssl policy initialization, however needs to happen
after NSS itself is initialized. Doing so before hand causes (in the
best case) policy to be ignored by these servers, and crashes (in
the worst case).
Instead, these cache functions should just initialize those things
it needs (that is the NSPR ssl error codes).
This patch does: 1) fixes the cache init code to only initialize
error codes. 2) fixes the selfserv MP code to 1) be compatible with
ssl.sh's selfserv management (at least on Unix), and 2) mimic the
way real servers handle the MP_Cache init code (calling NSS_Init
after the cache set up). 3) update ssl.sh server policy test to test
policy usage on an MP server. This is only done for non-windows like
OS's because they can't catch the kill signal to force their
children to shutdown.
I've verified that the test fails if 2 and 3 are included but 1 is
not (and succeeds if all three are included).
[a252957a3805]
Differential Revision: https://phabricator.services.mozilla.com/D72409