gecko-dev/security
J.C. Jones 696043affe Bug 1592007 - land NSS 87f35ba4c82f UPGRADE_NSS_RELEASE, r=keeler
2019-11-13  J.C. Jones  <jjones@mozilla.com>

	* lib/softoken/pkcs11c.c:
	Bug 1591363 - Fixup double-free of params in nsc_SetupPBEKeyGen
	r=keeler

	Caused in commit 7ef8d2604494.

	[87f35ba4c82f] [tip]

2019-11-07  Makoto Kato  <m_kato@ga2.so-net.ne.jp>

	* lib/freebl/ctr.c:
	Bug 1592869 - Use NEON for ctr_xor. r=kjacobs

	Using NEON for ctr_xor, aes_ctr can improve 30%-40%i decode/encode
	time on Cortex-A72.

	[d244c7287908]

2019-11-12  Marcus Burghardt  <mburghardt@mozilla.com>

	* gtests/pk11_gtest/pk11_pbkdf2_unittest.cc, lib/pk11wrap/pk11pbe.c,
	lib/pk11wrap/pk11skey.c, lib/softoken/pkcs11c.c:
	Bug 1591363 - PBKDF2 memory leaks in NSC_GenerateKey. r=jcj

	A memory leak was reported and confirmed in this bug. However,
	during the "manual" analysis of the flow, another possible leak was
	found. I created a patch for both leaks, added gtests for unexpected
	keySizes and adjusted the general syntax of the gtest file.

	[7ef8d2604494]

2019-11-11  Tom Prince  <mozilla@hocat.ca>

	* automation/taskcluster/graph/src/extend.js,
	automation/taskcluster/windows/setup.sh:
	Bug 1594891 - Use tc-proxy for nss tooltool; r=dustin,jcj

	[c33b214b2ec8]

2019-11-08  Daiki Ueno  <dueno@redhat.com>

	* gtests/ssl_gtest/ssl_dhe_unittest.cc,
	gtests/ssl_gtest/ssl_ecdh_unittest.cc,
	gtests/ssl_gtest/tls_connect.h, lib/ssl/ssl3con.c:
	Bug 1566131, check policy against hash algorithms used for
	ServerKeyExchange, r=mt

	Summary: This adds necessary policy checks in
	`ssl3_ComputeCommonKeyHash()`, right before calculating hashes. Note
	that it currently doesn't check MD5 as it still needs to be allowed
	in TLS 1.1 or earlier and many tests fail if we change that.

	Reviewers: mt

	Reviewed By: mt

	Bug #: 1566131

	[c08947c6af57]

2019-11-08  Kai Engert  <kaie@kuix.de>

	* coreconf/coreconf.dep:
	Dummy change, trigger a build to test latest NSPR commits.
	[e766899c72a5]

	* automation/taskcluster/graph/src/extend.js:
	Bug 1579836 - Execute NSPR tests as part of NSS continuous
	integration. r=jcj
	[46bfbabf7e75]

2019-11-08  Dustin J. Mitchell  <dustin@mozilla.com>

	* automation/taskcluster/graph/npm-shrinkwrap.json,
	automation/taskcluster/graph/package.json,
	automation/taskcluster/graph/src/image_builder.js,
	automation/taskcluster/graph/src/queue.js,
	automation/taskcluster/scripts/tools.sh,
	automation/taskcluster/windows/gen_certs.sh,
	automation/taskcluster/windows/run_tests.sh:
	Bug 1594891 - Updates to run correctly on the new TC deployment
	r=jcj

	* Update the Taskcluster client used in the decision task to one
	that understands Taskcluster rootUrls.
	* Update scripts that fetch content to use the TASKCLUSTER_ROOT_URL
	  * the absence of this variale signals an "old" worker so we use an
	"old" URL

	[67d630e7cb7c]

2019-11-07  Tom Prince  <mozilla@hocat.ca>

	* .taskcluster.yml, automation/taskcluster/graph/src/extend.js,
	automation/taskcluster/graph/src/queue.js:
	Bug 1591275: Switch workers to use AWS Provder; r=kjacobs

	[a2bebaad41dd]

2019-11-06  Daiki Ueno  <dueno@redhat.com>

	* gtests/pk11_gtest/pk11_module_unittest.cc:
	Bug 1577803, clang-format, a=bustage
	[c9014b2892d5]

	* gtests/pk11_gtest/pk11_module_unittest.cc,
	gtests/pkcs11testmodule/pkcs11testmodule.cpp,
	lib/pk11wrap/debug_module.c, lib/pk11wrap/pk11obj.c,
	lib/pk11wrap/pk11slot.c, lib/pk11wrap/secmodti.h,
	lib/util/pkcs11t.h:
	Bug 1577803, pk11wrap: set friendly flag if token implements
	CKP_PUBLIC_CERTIFICATES_TOKEN, r=rrelyea

	Summary: This makes NSS look for CKO_PROFILE object at token
	initialization time to check if it implements the [[ https://docs
	.oasis-open.org/pkcs11/pkcs11-profiles/v3.0/pkcs11-profiles-v3.0.pdf
	| Public Certificates Token profile ]] as defined in PKCS #11 v3.0.
	If it is found, the token is automatically marked as friendly so no
	authentication attempts will be made when accessing certificates.

	Reviewers: rrelyea

	Reviewed By: rrelyea

	Subscribers: reviewbot

	Bug #: 1577803

	[b39c8eeabe6a]

2019-11-06  Martin Thomson  <mt@lowentropy.net>

	* lib/freebl/blinit.c, lib/freebl/gcm-ppc.c:
	Bug 1566126 - clang-format, a=bustage
	[6125200fbc88]

2019-11-06  Lauri Kasanen  <cand@gmx.com>

	* lib/freebl/Makefile, lib/freebl/altivec-types.h,
	lib/freebl/blapii.h, lib/freebl/blinit.c, lib/freebl/freebl.gyp,
	lib/freebl/gcm-ppc.c, lib/freebl/gcm.c, lib/freebl/gcm.h:
	Bug 1566126 - freebl: POWER GHASH Vector Acceleration, r=mt

	Implementation for POWER8 adapted from the ARM paper:
	https://conradoplg.cryptoland.net/files/2010/12/gcm14.pdf

	Benchmark of `bltest -E -m aes_gcm -i tests/aes_gcm/plaintext10 \
	-v tests/aes_gcm/iv10 -k tests/aes_gcm/key10 -5 10` on POWER8 3.3GHz.

	NSS_DISABLE_HW_CRYPTO=1 mode in symmkey opreps cxreps context op
	time(sec) thrgput aes_gcm_e 309Mb 192 5M 0 0.000 10000.000 10.001
	30Mb

	 mode in symmkey opreps cxreps context op time(sec) thrgput
	aes_gcm_e 829Mb 192 14M 0 0.000 10000.000 10.001 82Mb

	Notable operf results, sw: samples % image name symbol name 226033
	59.3991 libfreeblpriv3.so bmul 80606 21.1824 libfreeblpriv3.so
	rijndael_encryptBlock128 28851 7.5817 libfreeblpriv3.so
	gcm_HashMult_sftw

	hw: 213899 56.2037 libfreeblpriv3.so rijndael_encryptBlock128 45233
	11.8853 libfreeblpriv3.so gcm_HashMult_hw

	So the ghash part is ~5.6x faster.

	Signed-off-by: Lauri Kasanen <cand@gmx.com>
	[3d7e509d6d20]

2019-11-05  Marcus Burghardt  <mburghardt@mozilla.com>

	* lib/certdb/certdb.c, lib/util/secport.h:
	Bug 1589073 - Use of new PR_ASSERT_ARG in certdb.c. r=mt

	Bug 1588015 introduced in NSPR a new way to ASSERT values where the
	arguments are always used avoiding "unused variable" errors. This
	was implemented in NSS, at certdb.c.

	[73c28cad3dbb]

2019-11-05  Daiki Ueno  <dueno@redhat.com>

	* cpputil/nss_scoped_ptrs.h, gtests/manifest.mn,
	gtests/pk11_gtest/manifest.mn, gtests/pk11_gtest/pk11_gtest.gyp,
	gtests/pk11_gtest/pk11_module_unittest.cc,
	gtests/pkcs11testmodule/Makefile, gtests/pkcs11testmodule/config.mk,
	gtests/pkcs11testmodule/manifest.mn,
	gtests/pkcs11testmodule/pkcs11testmodule.cpp,
	gtests/pkcs11testmodule/pkcs11testmodule.def,
	gtests/pkcs11testmodule/pkcs11testmodule.gyp,
	gtests/pkcs11testmodule/pkcs11testmodule.rc, nss.gyp:
	Bug 1577803, gtests: import pkcs11testmodule from Firefox, r=rrelyea

	Summary: This adds a mock PKCS #11 module from Firefox and add basic
	tests around it. This is needed for proper testing of PKCS #11 v3.0
	profile objects (D45669).

	Reviewers: rrelyea

	Reviewed By: rrelyea

	Subscribers: reviewbot

	Bug #: 1577803

	[0a86945adf74]

Differential Revision: https://phabricator.services.mozilla.com/D52779

--HG--
extra : moz-landing-system : lando
2019-11-14 17:32:27 +00:00
..
apps Bug 1586358 - Replace existing instances of GENERATED_FILES with references to the GeneratedFile template r=firefox-build-system-reviewers,mshal 2019-10-07 21:15:19 +00:00
certverifier bug 1592111 - add the preference "security.osclientcerts.autoload" to control auto-loading the OS client certs module r=jcj 2019-11-13 21:19:57 +00:00
ct
mac/hardenedruntime Bug 1593071 - [macOS] Land different entitlement files for parent and child processes r=spohl 2019-11-07 13:26:05 +00:00
manager bug 1592111 - add the preference "security.osclientcerts.autoload" to control auto-loading the OS client certs module r=jcj 2019-11-13 21:19:57 +00:00
nss Bug 1592007 - land NSS 87f35ba4c82f UPGRADE_NSS_RELEASE, r=keeler 2019-11-14 17:32:27 +00:00
sandbox Bug 1591117 - Report ENOSYS on statx, but allow membarrier. r=jld 2019-11-07 09:21:51 +00:00
.eslintrc.js Bug 1558517 - Pre 3.0: Remove conflicting eslint rules, and turn on "curly: all" everywhere, r=standard8 2019-06-28 17:14:01 +02:00
generate_certdata.py
generate_mapfile.py
moz.build
nss.symbols bug 1573542 - be more efficient about finding client certificates r=jcj,kjacobs 2019-09-18 23:28:05 +00:00