d3619cd7e8
2023-10-02 Natalia Kulatova <nkulatova@mozilla.com> * doc/rst/releases/nss_3_94.rst: Documentation: Release notes for NSS 3.94 [8c67d6c2d718] [NSS_3_94_RTM] <NSS_3_94_BRANCH> * .hgtags: Added tag NSS_3_94_RTM for changeset a4d8f6ff9c3b [18307440cfb0] <NSS_3_94_BRANCH> * doc/rst/releases/index.rst: Release notes for NSS 3.94 [a4d8f6ff9c3b] <NSS_3_94_BRANCH> * lib/nss/nss.h, lib/softoken/softkver.h, lib/util/nssutil.h: Set version numbers to 3.94 final [0af23c222caf] <NSS_3_94_BRANCH> 2023-09-21 Benjamin Beurdouche <beurdouche@mozilla.com> * .hgtags: Removed tag NSS_3_94_BETA1 [1a3ea35e31a2] 2023-09-20 Karthikeyan Bhargavan <karthik.bhargavan@gmail.com> * automation/taskcluster/scripts/run_hacl.sh, lib/freebl/verified/Hacl_Hash_SHA3.c, lib/freebl/verified/Hacl_IntTypes_Intrinsics.h, lib/freebl/verified/Hacl_IntTypes_Intrinsics_128.h, lib/freebl/verified/Hacl_Krmllib.h, lib/freebl/verified/Hacl_P256.c, lib/freebl/verified/internal/Hacl_Bignum_Base.h, lib/freebl/verified/internal/Hacl_Hash_SHA1.h, lib/freebl/verified/internal/Hacl_Hash_SHA2.h, lib/freebl/verified/internal/Hacl_IntTypes_Intrinsics.h, lib/freebl/verified/internal/Hacl_IntTypes_Intrinsics_128.h, lib/freebl/verified/internal/Hacl_Krmllib.h, lib/freebl/verified/internal/Hacl_P256.h, lib/freebl/verified/internal/lib_intrinsics.h, lib/freebl/verified/karamel/include/krml/internal/target.h, lib/free bl/verified/karamel/krmllib/dist/minimal/FStar_UInt_8_16_32_64.h, lib/freebl/verified/karamel/krmllib/dist/minimal/Makefile.basic, lib/freebl/verified/lib_intrinsics.h: Bug 1853737 - Updated code and commit ID for HACL*. r=jschanck [3501ba1860c3] 2023-09-20 Iaroslav Gridin <iaroslav.gridin@tuni.fi> * tests/acvp/fuzzed/ecdsa.json: Bug 1840510: update ACVP fuzzed test vector: refuzzed with current NSS r=jschanck [da1cde22e844] 2023-09-15 Robert Relyea <rrelyea@redhat.com> * automation/abi-check/expected-report-libnssutil3.so.txt, lib/freebl/nsslowhash.c, lib/freebl/stubs.c, lib/freebl/stubs.h, lib/pk11wrap/pk11util.c, lib/softoken/pkcs11.c, lib/util/nssutil.def, lib/util/secport.c, lib/util/secport.h: Bug 1827303 Softoken C_ calls should use system FIPS setting to select NSC_ or FC_ variants. NSS softoken presents a PKCS #11 API to the NSS low level crypto. This allows NSS to have native support for replacement PKCS #11 libraries, and is also the FIPS boundary, allowing the rest of NSS to change without affecting any FIPS validations. Some applications that need crypto, but have their own higher level implementations of SSL or S/MIME use NSS softoken. Softoken has 2 general APIs: NSC_xxxx calls which implement the normal NSS interface, but does not include any FIPS restrictions, The FC_xxx interfaces which implements FIPS restrictions on the semantics of the calls and additional FIPS requirements (like self-tests and software integrity checks). The official PKCS #11 APIs are C_xxx interfaces, and NSS exports those as aliases for NSC_xxxx calls. Right now applications that use softoken have to know the NSS names if they want to access the FIPS api. This bugs removes this restriction and causes calls to C_xxxx to alias to FC_xxxxx if the system is in FIPS mode. If the system has no system FIPS indicator, or the that indicator is off, the C_xxxx will continue to call NSC_xxxxx. NSS itself will continue to use NSC_xxxx or FC_xxxx according to the NSS internal FIPS settings. ---------------- Currently there are 3 layers in NSS with code that identifies the whether the system is in NSS: nss proper (which is also exported to applications), and freebl for the Freebl hash direct case. This code would add a 3rd (in softoken). Rather than adding a third, this patch relocates the main function to nssutil where softoken, nss, and freebl can all access it. The exception is when building freebl with 'NODEPEND' (freebl can provide hashing without dependencies on NSPR or NSSUTIL), there needs to be a stub implementation. In most platforms and cases this stub is never compiled. [762cb673ca8c] * .hgignore, automation/taskcluster/scripts/split.sh, cmd/Makefile, cmd/dbtool/Makefile, cmd/dbtool/dbtool.c, cmd/dbtool/dbtool.gyp, cmd/dbtool/manifest.mn, cmd/manifest.mn, lib/softoken/sdb.h, nss.gyp: Bug 1774659 NSS needs a database tool that can dump the low level representation of the database. r=jschanck When debugging the database, it would be helpful to know what is in the database is a nicely formated way. certutil dumps a high level view of the certs and keys, sqlite3 can dump the low level tables and raw entries. It would be useful to dump the database as softoken sees the database. This code grabs a copy of the latest sdb.c from softoken and uses it to fetch the database entries, then parses them as necessary. It uses the pkcs11 table in libsec to format the result data into human readable strings. [e52240a4bc62] 2023-09-08 John Schanck <jschanck@mozilla.com> * gtests/mozpkix_gtest/pkixnames_tests.cpp: Bug 1852179 - declare string literals using char in pkixnames_tests.cpp. r=nss-reviewers,nkulatova [dbed9fc0522a] Differential Revision: https://phabricator.services.mozilla.com/D189815 |
||
|---|---|---|
| .. | ||
| automation | ||
| cmd | ||
| coreconf | ||
| cpputil | ||
| doc | ||
| fuzz | ||
| gtests | ||
| lib | ||
| nss/automation/abi-check | ||
| nss-tool | ||
| pkg | ||
| tests | ||
| .arcconfig | ||
| .clang-format | ||
| .gitignore | ||
| .sancov-blacklist | ||
| .taskcluster.yml | ||
| build.sh | ||
| COPYING | ||
| exports.gyp | ||
| help.txt | ||
| mach | ||
| Makefile | ||
| manifest.mn | ||
| nss.gyp | ||
| readme.md | ||
| TAG-INFO | ||
| trademarks.txt | ||
Network Security Services
Network Security Services (NSS) is a set of libraries designed to support cross-platform development of security-enabled client and server applications. NSS supports TLS 1.2, TLS 1.3, PKCS #5, PKCS#7, PKCS #11, PKCS #12, S/MIME, X.509 v3 certificates, and other security standards.
Getting started
In order to get started create a new directory on that you will be uses as your local work area, and check out NSS and NSPR. (Note that there's no git mirror of NSPR and you require mercurial to get the latest NSPR source.)
git clone https://github.com/nss-dev/nss.git
hg clone https://hg.mozilla.org/projects/nspr
NSS can also be cloned with mercurial
hg clone https://hg.mozilla.org/projects/nss
Building NSS
This build system is under development. It does not yet support all the features or platforms that NSS supports. To build on anything other than Mac or Linux please use the legacy build system as described below.
Build requirements:
After changing into the NSS directory a typical build is done as follows
./build.sh
Once the build is done the build output is found in the directory
../dist/Debug for debug builds and ../dist/Release for opt builds.
Exported header files can be found in the include directory, library files in
directory lib, and tools in directory bin. In order to run the tools, set
your system environment to use the libraries of your build from the "lib"
directory, e.g., using the LD_LIBRARY_PATH or DYLD_LIBRARY_PATH.
See help.txt for more information on using build.sh.
Building NSS (legacy build system)
After changing into the NSS directory a typical build of 32-bit NSS is done as follows:
make nss_build_all
The following environment variables might be useful:
-
BUILD_OPT=1to get an optimised build -
USE_64=1to get a 64-bit build (recommended)
The complete list of environment variables can be found here.
To clean the build directory run:
make nss_clean_all
Tests
Setup
Make sure that the address $HOST.$DOMSUF on your computer is available. This
is necessary because NSS tests generate certificates and establish TLS
connections, which requires a fully qualified domain name.
You can test this by
calling ping $HOST.$DOMSUF. If this is working, you're all set. If it's not,
set or export:
HOST=nss
DOMSUF=local
Note that you might have to add nss.local to /etc/hosts if it's not
there. The entry should look something like 127.0.0.1 nss.local nss.
Running tests
Runnning all tests will take a while!
cd tests
./all.sh
Make sure that all environment variables set for the build are set while running
the tests as well. Test results are published in the folder
../../test_results/.
Individual tests can be run with the NSS_TESTS environment variable,
e.g. NSS_TESTS=ssl_gtests ./all.sh or by changing into the according directory
and running the bash script there cd ssl_gtests && ./ssl_gtests.sh. The
following tests are available:
cipher lowhash libpkix cert dbtests tools fips sdr crmf smime ssl ocsp merge pkits chains ec gtests ssl_gtests bogo policy
To make tests run faster it's recommended to set NSS_CYCLES=standard to run
only the standard cycle.
Releases
NSS releases can be found at Mozilla's download server. Because NSS depends on the base library NSPR you should download the archive that combines both NSS and NSPR.
Contributing
Bugzilla is used to track NSS development and bugs. File new bugs in the NSS product.
A list with good first bugs to start with are listed here.
NSS Folder Structure
The nss directory contains the following important subdirectories:
-
coreconfcontains the build logic. -
libcontains all library code that is used to create the runtime libraries. -
cmdcontains a set of various tool programs that are built with NSS. Several tools are general purpose and can be used to inspect and manipulate the storage files that software using the NSS library creates and modifies. Other tools are only used for testing purposes. -
testandgtestscontain the NSS test suite. Whiletestcontains shell scripts to drive test programs incmd,gtestsholds a set of gtests.
A more comprehensible overview of the NSS folder structure and API guidelines can be found here.
Build mechanisms related to FIPS compliance
NSS supports build configurations for FIPS-140 compliance, and alternative build configurations that disable functionality specific to FIPS-140 compliance.
This section documents the environment variables and build parameters that control these configurations.
Build FIPS startup tests
The C macro NSS_NO_INIT_SUPPORT controls the FIPS startup self tests. If NSS_NO_INIT_SUPPORT is defined, the startup tests are disabled.
The legacy build system (make) by default disables these tests. To enable these tests, set environment variable NSS_FORCE_FIPS=1 at build time.
The gyp build system by default disables these tests. To enable these tests, pass parameter --enable-fips to build.sh.
Building either FIPS compliant or alternative compliant code
The C macro NSS_FIPS_DISABLED can be used to disable some FIPS compliant code and enable alternative implementations.
The legacy build system (make) never defines NSS_FIPS_DISABLED and always uses the FIPS compliant code.
The gyp build system by default defines NSS_FIPS_DISABLED. To use the FIPS compliant code, pass parameter --enable-fips to build.sh.
Test execution
The NSS test suite may contain tests that are included, excluded, or are different based on the FIPS build configuration. To execute the correct tests, it's necessary to determine which build configuration was used.
The legacy build system (make) uses environment variables to control all aspects of the build configuration, including FIPS build configuration.
Because the gyp build system doesn't use environment variables to control the build configuration, the NSS tests cannot rely on environment variables to determine the build configuration.
A helper binary named nss-build-flags is produced as part of the NSS build, which prints the C macro symbols that were defined at build time, and which are relevant to test execution.