gecko-dev/security/nss
J.C. Jones 685c607058 Bug 1577822 - land NSS NSS_3_47_BETA1 UPGRADE_NSS_RELEASE, r=kjacobs
2019-10-11  Kai Engert  <kaie@kuix.de>

	* automation/release/nspr-version.txt:
	Bug 1583068 - Require NSPR version 4.23 r=jcj
	[93245f5733b3] [NSS_3_47_BETA1]

2019-10-11  Kevin Jacobs  <kjacobs@mozilla.com>

	* coreconf/config.gypi, lib/freebl/freebl.gyp:
	Bug 1152625 - Add gyp flag for disabling ARM HW AES r=jcj

	Adds an option to disable ARMv8 HW AES, if `-Ddisable_arm_hw_aes=1`
	is passed to build.sh.

	Depends on D34473

	[9abcea09fdd4]

2019-10-11  Makoto Kato  <m_kato@ga2.so-net.ne.jp>

	* lib/freebl/aes-armv8.c:
	Bug 1152625 - Part 2. Remove __builtin_assume to avoid crash on PGO.
	r=kjacobs,mt

	`AESContext->iv` doesn't align to 16 bytes on PGO build, so we
	should remove __builtin_assume. Also, I guess that `expandedKey` has
	same problem.

	[1b0f5c5335ee]

	* lib/freebl/Makefile, lib/freebl/aes-armv8.c, lib/freebl/aes-armv8.h,
	lib/freebl/freebl.gyp, lib/freebl/intel-aes.h,
	lib/freebl/rijndael.c:
	Bug 1152625 - Support AES HW acceleration on ARMv8. r=kjacobs,jcj

	[efb895a43899]

2019-09-06  Martin Thomson  <mt@lowentropy.net>

	* gtests/ssl_gtest/ssl_auth_unittest.cc,
	gtests/ssl_gtest/ssl_ciphersuite_unittest.cc,
	gtests/ssl_gtest/ssl_extension_unittest.cc,
	gtests/ssl_gtest/ssl_fuzz_unittest.cc,
	gtests/ssl_gtest/tls_esni_unittest.cc, lib/ssl/ssl3con.c,
	lib/ssl/ssl3exthandle.c, lib/ssl/sslimpl.h, lib/ssl/tls13con.c:
	Bug 1549225 - Up front Signature Scheme validation, r=ueno

	Summary: This patch started as an attempt to ensure that a DSA
	signature scheme would not be advertised if we weren't willing to
	negotiate versions less than TLS 1.3. Then I realized that we didn't
	do the same for PKCS#1 RSA.

	Then I realized that we were still willing to try to establish
	connections when we had a certificate that we couldn't use.

	Then I realized that ssl3_config_match_init() wasn't being run
	consistently. On resumption, we only ran it when we were PARANOID.
	That's silly because we weren't checking policies.

	Then I realized that we were allowing ECDSA certificates to be used
	when the named group in the certificate was disabled. We weren't
	enforcing that consistently either. However, I also discovered that
	the check we have wouldn't work without a tweak because in TLS 1.3
	the named group is part of the signature scheme; the configured
	named groups are only used prior to TLS 1.3 when selecting
	ECDSA/ECDH certificates.

	So that sounds like a lot of changes but what it boils down to is
	more robust checking of the configuration prior to starting a
	connection. As a result, we should be offering fewer options that
	we're unwilling or unable to follow through on. A good number of
	tests needed tweaking as a result because we were relying on getting
	past the checks in those tests. No real problems were found as a
	result; this just moves failures that might arise from
	misconfiguration a little earlier in the process.

	[9b418f0a4912]

2019-10-08  Kevin Jacobs  <kjacobs@mozilla.com>

	* gtests/pk11_gtest/pk11_der_private_key_import_unittest.cc,
	lib/pk11wrap/pk11pk12.c:
	Bug 1586947 - Store nickname during EC key import. r=jcj

	This patch stores the nickname (if specified) during EC key import.
	This was already done for all other key types.

	[c319019aee75]

2019-10-08  Marcus Burghardt  <mburghardt@mozilla.com>

	* lib/certdb/stanpcertdb.c, lib/pk11wrap/pk11load.c,
	lib/pki/pki3hack.c:
	Bug 1586456 - Unnecessary conditional in pki3hack, pk11load and
	stanpcertdb. r=jcj

	Some conditionals that are always true were removed.

	[b34061c3a377]

Differential Revision: https://phabricator.services.mozilla.com/D49030

--HG--
extra : moz-landing-system : lando
2019-10-12 00:01:25 +00:00
..
automation Bug 1577822 - land NSS NSS_3_47_BETA1 UPGRADE_NSS_RELEASE, r=kjacobs 2019-10-12 00:01:25 +00:00
cmd Bug 1577822 - land NSS be9c48ad76cb UPGRADE_NSS_RELEASE, r=kjacobs 2019-09-27 20:31:22 +00:00
coreconf Bug 1577822 - land NSS NSS_3_47_BETA1 UPGRADE_NSS_RELEASE, r=kjacobs 2019-10-12 00:01:25 +00:00
cpputil Bug 1577822 - land NSS be9c48ad76cb UPGRADE_NSS_RELEASE, r=kjacobs 2019-09-27 20:31:22 +00:00
doc Bug 1550889 - land NSS d17569aa9d56 UPGRADE_NSS_RELEASE, r=me 2019-06-07 17:51:08 +00:00
fuzz Bug 1564499 - land NSS NSS_3_46_BETA2 UPGRADE_NSS_RELEASE, r=kjacobs 2019-08-28 14:30:55 +00:00
gtests Bug 1577822 - land NSS NSS_3_47_BETA1 UPGRADE_NSS_RELEASE, r=kjacobs 2019-10-12 00:01:25 +00:00
lib Bug 1577822 - land NSS NSS_3_47_BETA1 UPGRADE_NSS_RELEASE, r=kjacobs 2019-10-12 00:01:25 +00:00
nss-tool
pkg
tests Bug 1577822 - land NSS be9c48ad76cb UPGRADE_NSS_RELEASE, r=kjacobs 2019-09-27 20:31:22 +00:00
.arcconfig Bug 1512719 - land NSS NSS_3_42_BETA2 UPGRADE_NSS_RELEASE, r=me 2019-01-25 23:38:02 +00:00
.clang-format
.gitignore
.sancov-blacklist
.taskcluster.yml Bug 1564499 - land NSS 8c6fad5544a6 UPGRADE_NSS_RELEASE, r=me 2019-07-15 21:40:37 +00:00
build.sh Bug 1577822 - land NSS a3ee4f26b4c1 UPGRADE_NSS_RELEASE, r=kjacobs 2019-09-18 03:27:20 +00:00
COPYING
exports.gyp
help.txt Bug 1577822 - land NSS a3ee4f26b4c1 UPGRADE_NSS_RELEASE, r=kjacobs 2019-09-18 03:27:20 +00:00
mach Bug 1577822 - land NSS a3ee4f26b4c1 UPGRADE_NSS_RELEASE, r=kjacobs 2019-09-18 03:27:20 +00:00
Makefile Bug 1577822 - land NSS a3ee4f26b4c1 UPGRADE_NSS_RELEASE, r=kjacobs 2019-09-18 03:27:20 +00:00
manifest.mn
nss.gyp Bug 1577822 - land NSS a3ee4f26b4c1 UPGRADE_NSS_RELEASE, r=kjacobs 2019-09-18 03:27:20 +00:00
readme.md
TAG-INFO Bug 1577822 - land NSS NSS_3_47_BETA1 UPGRADE_NSS_RELEASE, r=kjacobs 2019-10-12 00:01:25 +00:00
trademarks.txt

Network Security Services

Network Security Services (NSS) is a set of libraries designed to support cross-platform development of security-enabled client and server applications. NSS supports SSL v3-TLS 1.2 (experimental TLS 1.3), PKCS #5, PKCS#7, PKCS #11, PKCS #12, S/MIME, X.509 v3 certificates, and other security standards.

Getting started

In order to get started create a new directory on that you will be uses as your local work area, and check out NSS and NSPR. (Note that there's no git mirror of NSPR and you require mercurial to get the latest NSPR source.)

git clone https://github.com/nss-dev/nss.git
hg clone https://hg.mozilla.org/projects/nspr

NSS can also be cloned with mercurial

hg clone https://hg.mozilla.org/projects/nss

Building NSS

This build system is under development. It does not yet support all the features or platforms that NSS supports. To build on anything other than Mac or Linux please use the legacy build system as described below.

Build requirements:

After changing into the NSS directory a typical build is done as follows

./build.sh

Once the build is done the build output is found in the directory ../dist/Debug for debug builds and ../dist/Release for opt builds. Exported header files can be found in the include directory, library files in directory lib, and tools in directory bin. In order to run the tools, set your system environment to use the libraries of your build from the "lib" directory, e.g., using the LD_LIBRARY_PATH or DYLD_LIBRARY_PATH.

See help.txt for more information on using build.sh.

Building NSS (legacy build system)

After changing into the NSS directory a typical build of 32-bit NSS is done as follows:

make nss_build_all

The following environment variables might be useful:

  • BUILD_OPT=1 to get an optimised build

  • USE_64=1 to get a 64-bit build (recommended)

The complete list of environment variables can be found here.

To clean the build directory run:

make nss_clean_all

Tests

Setup

Make sure that the address $HOST.$DOMSUF on your computer is available. This is necessary because NSS tests generate certificates and establish TLS connections, which requires a fully qualified domain name. You can test this by calling ping $HOST.$DOMSUF. If this is working, you're all set. If it's not, set or export:

HOST=nss
DOMSUF=local

Note that you might have to add nss.local to /etc/hosts if it's not there. The entry should look something like 127.0.0.1 nss.local nss.

Running tests

Runnning all tests will take a while!

cd tests
./all.sh

Make sure that all environment variables set for the build are set while running the tests as well. Test results are published in the folder ../../test_results/.

Individual tests can be run with the NSS_TESTS environment variable, e.g. NSS_TESTS=ssl_gtests ./all.sh or by changing into the according directory and running the bash script there cd ssl_gtests && ./ssl_gtests.sh. The following tests are available:

cipher lowhash libpkix cert dbtests tools fips sdr crmf smime ssl ocsp merge pkits chains ec gtests ssl_gtests bogo policy

To make tests run faster it's recommended to set NSS_CYCLES=standard to run only the standard cycle.

Releases

NSS releases can be found at Mozilla's download server. Because NSS depends on the base library NSPR you should download the archive that combines both NSS and NSPR.

Contributing

Bugzilla is used to track NSS development and bugs. File new bugs in the NSS product.

A list with good first bugs to start with are listed here.

NSS Folder Structure

The nss directory contains the following important subdirectories:

  • coreconf contains the build logic.

  • lib contains all library code that is used to create the runtime libraries.

  • cmd contains a set of various tool programs that are built with NSS. Several tools are general purpose and can be used to inspect and manipulate the storage files that software using the NSS library creates and modifies. Other tools are only used for testing purposes.

  • test and gtests contain the NSS test suite. While test contains shell scripts to drive test programs in cmd, gtests holds a set of gtests.

A more comprehensible overview of the NSS folder structure and API guidelines can be found here.

NSS supports build configurations for FIPS-140 compliance, and alternative build configurations that disable functionality specific to FIPS-140 compliance.

This section documents the environment variables and build parameters that control these configurations.

Build FIPS startup tests

The C macro NSS_NO_INIT_SUPPORT controls the FIPS startup self tests. If NSS_NO_INIT_SUPPORT is defined, the startup tests are disabled.

The legacy build system (make) by default disables these tests. To enable these tests, set environment variable NSS_FORCE_FIPS=1 at build time.

The gyp build system by default disables these tests. To enable these tests, pass parameter --enable-fips to build.sh.

Building either FIPS compliant or alternative compliant code

The C macro NSS_FIPS_DISABLED can be used to disable some FIPS compliant code and enable alternative implementations.

The legacy build system (make) never defines NSS_FIPS_DISABLED and always uses the FIPS compliant code.

The gyp build system by default defines NSS_FIPS_DISABLED. To use the FIPS compliant code, pass parameter --enable-fips to build.sh.

Test execution

The NSS test suite may contain tests that are included, excluded, or are different based on the FIPS build configuration. To execute the correct tests, it's necessary to determine which build configuration was used.

The legacy build system (make) uses environment variables to control all aspects of the build configuration, including FIPS build configuration.

Because the gyp build system doesn't use environment variables to control the build configuration, the NSS tests cannot rely on environment variables to determine the build configuration.

A helper binary named nss-build-flags is produced as part of the NSS build, which prints the C macro symbols that were defined at build time, and which are relevant to test execution.