gecko-dev

mirror of https://github.com/mozilla/gecko-dev.git synced 2024-10-21 17:25:36 +00:00

History

Kevin Jacobs e4e3559e1b Bug 1629594 - land NSS aae226c20dfd UPGRADE_NSS_RELEASE, r=jcj 2020-04-24 Kevin Jacobs <kjacobs@mozilla.com> * automation/abi-check/expected-report-libnss3.so.txt, gtests/softoken_gtest/softoken_gtest.cc, lib/nss/nss.def, lib/pk11wrap/pk11obj.c, lib/pk11wrap/pk11pub.h, lib/softoken/sdb.c: Bug 1612881 - Maintain PKCS11 C_GetAttributeValue semantics on attributes that lack NSS database columns r=keeler,rrelyea `sdb_GetAttributeValueNoLock` builds a query string from a list of attributes in the input template. Unfortunately, `sqlite3_prepare_v2` will fail the entire query if one of the attributes is missing from the underlying table. The PKCS #11 spec [[ https://www.cryptsoft.com/pkcs11doc/v220/pkcs11__all_8h.html#aC_G etAttributeValue \| requires ]] setting the output `ulValueLen` field to -1 for such invalid attributes. This patch reads and stores the columns of nssPublic/nssPrivate when opened, then filters an input template in `sdb_GetAttributeValueNoLock` for unbacked/invalid attributes, removing them from the query and setting their template output lengths to -1. [aae226c20dfd] [tip] 2020-04-23 Kevin Jacobs <kjacobs@mozilla.com> * lib/ssl/sslnonce.c: Bug 1531906 - Relax ssl3_SetSIDSessionTicket assertions to permit valid, evicted or externally-cached sids. r=mt This patch relaxes an overzealous assertion for the case where: 1) Two sockets start connections with a shared SID. 2) One receives an empty session ticket in the SH, and evicts the SID from cache. 3) The second socket receives a new session ticket, and attempts to set it in the SID. We currently assert that the sid is `in_client_cache` at 3), but clearly it cannot be. The outstanding reference remains valid despite the eviction. This also solves a related assertion failure after https://hg.mozilla.org/mozilla-central/rev/c5a8b641d905 where the same scenario occurs, but instead of being `in_client_cache` or evicted, the SID is `in_external_cache`. [a68de0859582] 2020-04-16 Robert Relyea <rrelyea@redhat.com> * gtests/common/testvectors/kwp-vectors.h, gtests/pk11_gtest/manifest.mn, gtests/pk11_gtest/pk11_aeskeywrapkwp_unittest.cc, gtests/pk11_gtest/pk11_gtest.gyp, lib/freebl/aeskeywrap.c, lib/freebl/blapi.h, lib/freebl/blapit.h, lib/freebl/hmacct.c, lib/freebl/ldvector.c, lib/freebl/loader.c, lib/freebl/loader.h, lib/pk11wrap/pk11mech.c, lib/softoken/lowpbe.c, lib/softoken/pkcs11.c, lib/softoken/pkcs11c.c, lib/softoken/pkcs11i.h, lib/softoken/pkcs11u.c, lib/ssl/ssl3con.c, lib/util/secport.h: Bug 1630721 Softoken Functions for FIPS missing r=mt For FIPS we need the following: 1. NIST official Key padding for AES Key Wrap. 2. Combined Hash/Sign mechanisms for DSA and ECDSA. In the first case our AES_KEY_WRAP_PAD function addes pkcs8 padding to the normal AES_KEY_WRAP, which is a different algorithm then the padded key wrap specified by NIST. PKCS #11 recognized this and created a special mechanism to handle NIST padding. That is why we don't have industry test vectors for CKM_NSS_AES_KEY_WRAP_PAD. This patch implements that NIST version (while maintaining our own). Also PKCS #11 v3.0 specified PKCS #11 mechanism for AES_KEY_WRAP which are compatible (semantically) with the NSS vendor specific versions, but with non-vendor specific numbers. Softoken now accepts both numbers. This patch also updates softoken to handle DSA and ECDSA combined hash algorithms other than just SHA1 (which is no longer validated). Finally this patch uses the NIST KWP test vectors in new gtests for the AES_KEY_WRAP_KWP wrapping algorithm. As part of the AES_KEY_WRAP_KWP code, the Constant time macros have been generalized and moved to secport. Old macros scattered throughout the code have been deleted and existing contant time code has been updated to use the new macros. [3682d5ef3db5] 2020-04-21 Lauri Kasanen <cand@gmx.com> * lib/freebl/Makefile, lib/freebl/freebl.gyp, lib/freebl/freebl_base.gypi, lib/freebl/gcm.h, lib/freebl/ppc- crypto.h, lib/freebl/scripts/LICENSE, lib/freebl/scripts/gen.sh, lib/freebl/scripts/ppc-xlate.pl, lib/freebl/scripts/sha512p8-ppc.pl, lib/freebl/sha512-p8.s, lib/freebl/sha512.c: Bug 1613238 - POWER SHA-2 digest vector acceleration. r=jcj,kjacobs [2d66bd9dcad4] 2020-04-18 Robert Relyea <rrelyea@redhat.com> * coreconf/Linux.mk, coreconf/config.gypi, lib/softoken/sdb.c: Bug `1603801` [patch] Avoid dcache pollution from sdb_measureAccess() r=mt As implemented, when sdb_measureAccess() runs it creates up to 10,000 negative dcache entries (cached nonexistent filenames). There is no advantage to leaving these particular filenames in the cache; they will never be searched again. Subsequent runs will run a new test with an intentionally different set of filenames. This can have detrimental effects on some systems; a massive negative dcache can lead to memory or performance problems. Since not all platforms have a problem with negative dcache entries, this patch is limitted to those platforms that request it at compilie time (Linux is current the only patch that does.) [928721f70164] 2020-04-16 Kevin Jacobs <kjacobs@mozilla.com> * coreconf/config.gypi: Bug 1630458 - Produce debug symbols in GYP/MSVC debug builds. r=mt [25006e23a777] 2020-04-13 Robert Relyea <rrelyea@redhat.com> * lib/ckfw/object.c, lib/ckfw/session.c: Bug 1629655 ckfw needs to support temporary session objects. r=kjacobs libckfw needs to create temporary objects whose space will to be freed after use (rather than at token shutdown). Currently only token objects are supported and they are allocated out of a global arena owned by the slot, so the objects only go away when the slot is closed. This patch sets the arena to NULL in nssCKFWObject_Create() if the object is a session object. This tells nssCKFWObject_Create() to create a new arena specifically for this object. That arena is stored in localArena. When the object is destroyed, any localArena's will be freed. [808ec0e6fd77] 2020-04-14 Robert Relyea <rrelyea@redhat.com> * cmd/selfserv/selfserv.c, lib/ssl/sslsnce.c, tests/ssl/ssl.sh: Bug 1629661 MPConfig calls in SSL initializes policy before NSS is initialized. r=mt NSS has several config functions that multiprocess servers must call before NSS is initialized to set up shared memory caches between the processes. These functions call ssl_init(), which initializes the ssl policy. The ssl policy initialization, however needs to happen after NSS itself is initialized. Doing so before hand causes (in the best case) policy to be ignored by these servers, and crashes (in the worst case). Instead, these cache functions should just initialize those things it needs (that is the NSPR ssl error codes). This patch does: 1) fixes the cache init code to only initialize error codes. 2) fixes the selfserv MP code to 1) be compatible with ssl.sh's selfserv management (at least on Unix), and 2) mimic the way real servers handle the MP_Cache init code (calling NSS_Init after the cache set up). 3) update ssl.sh server policy test to test policy usage on an MP server. This is only done for non-windows like OS's because they can't catch the kill signal to force their children to shutdown. I've verified that the test fails if 2 and 3 are included but 1 is not (and succeeds if all three are included). [a252957a3805] Differential Revision: https://phabricator.services.mozilla.com/D72409		2020-04-27 16:56:13 +00:00
..
bogo
cert
chains
cipher
cmdtests
common
crmf
dbtests
dbupgrade
doc
dummy
ec
fips
gtests
interop
iopr
libpkix
lowhash
memleak
merge
mpi
multinit
ocsp
perf
pkcs11/netscape/suites/security/ssl
pkits
policy
remote
sdr
smime
ssl	Bug 1629594 - land NSS aae226c20dfd UPGRADE_NSS_RELEASE, r=jcj	2020-04-27 16:56:13 +00:00
ssl_gtests
tlsfuzzer
tools
all.sh
clean_tbx
core_watch
dll_version.sh
header
jss_dll_version.sh
jssdir
jssqa
mksymlinks
nssdir
nsspath
nssqa
path_uniq
platformlist
platformlist.tbx
qa_stage
qa_stat
qaclean
README.txt
run_niscc.sh
set_environment

README.txt

Hints for running the NSS test suite:

- all.sh is used to run all tests

- if your host is not registered with DNS you may use:
  HOST=localhost DOMSUF=localdomain ./all.sh