gecko-dev/security
J.C. Jones 5e7e635bc0 Bug 1606927 - land NSS 5f9f410d0b60 UPGRADE_NSS_RELEASE, r=kjacobs
2020-01-15  Kevin Jacobs  <kjacobs@mozilla.com>

	* lib/freebl/chacha20poly1305.c:
	Bug 1574643 - Check for AVX support before using vectorized ChaCha20
	decrypt r=jcj

	The addition of an AVX support check in `ChaCha20Poly1305_Seal`
	seems to have stopped the Encrypt crashes on old Intel CPUs, however
	we're seeing new reports from
	`Hacl_Chacha20Poly1305_128_aead_decrypt` (which is called from
	`ChaCha20Poly1305_Open`). This needs an AVX check as well...

	[5f9f410d0b60] [tip]

2020-01-14  Kevin Jacobs  <kjacobs@mozilla.com>

	* gtests/pk11_gtest/manifest.mn, gtests/pk11_gtest/pk11_gtest.gyp,
	gtests/pk11_gtest/pk11_rsaencrypt_unittest.cc:
	Bug 1573911 - Add RSA Encryption test r=jcj

	Add a test for various sizes of RSA encryption input.

	[4abc6ff828ab]

2020-01-13  Kevin Jacobs  <kjacobs@mozilla.com>

	* gtests/common/testvectors/hkdf-vectors.h,
	gtests/pk11_gtest/manifest.mn, gtests/pk11_gtest/pk11_gtest.gyp,
	gtests/pk11_gtest/pk11_hkdf_unittest.cc:
	Bug 1585429 - Add HKDF test vectors r=jcj

	Adds test vectors for SHA1/256/384/512 HKDF. This includes the RFC
	test vectors, as well as upper-bound length checks for the output
	key material.

	[239797efc34b]

2020-01-14  J.C. Jones  <jjones@mozilla.com>

	* coreconf/config.gypi:
	Bug 1608327 - Fixup for dc57fe5d65d4, add a default for
	softfp_cflags r=bustage
	[05b923624b73]

2020-01-14  Sylvestre Ledru  <sledru@mozilla.com>

	* automation/buildbot-slave/bbenv-example.sh, automation/buildbot-
	slave/build.sh, automation/buildbot-slave/reboot.bat, automation
	/buildbot-slave/startbuild.bat:
	Bug 1607099 - Remove the buildbot configuration r=jcj

	[7a87cef808f3]

2020-01-14  Greg V  <greg@unrelenting.technology>

	* lib/freebl/blinit.c:
	Bug 1575843 - Detect AArch64 CPU features on FreeBSD r=jcj

	Environment checks are reogranized to be separate from platform code
	to make it impossible to forget to check disable_FEATURE on one
	platform but not the other.

	[fbde548e8114]

2020-01-14  Mike Hommey  <mh@glandium.org>

	* lib/freebl/Makefile, lib/freebl/aes-armv8.c, lib/freebl/freebl.gyp,
	lib/freebl/gcm-arm32-neon.c, lib/freebl/gcm.c,
	lib/freebl/rijndael.c:
	Bug 1608327 - Fix freebl arm NEON code use on tier3 platforms. r=jcj

	Despite the code having runtime detection of NEON and crypto
	extensions, the optimized code using those instructions is disabled
	at build time on platforms where the compiler doesn't enable NEON by
	default of with the flags it's given for the caller code.

	In the case of gcm, this goes as far as causing a build error.

	What is needed is for the optimized code to be enabled in every
	case, letting the caller code choose whether to use that code based
	on the existing runtime checks.

	But this can't be simply done either, because those optimized parts
	of the code need to be built with NEON enabled, unconditionally, but
	that is not compatible with platforms using the softfloat ABI. For
	those, we need to use the softfp ABI, which is compatible. However,
	the softfp ABI is not compatible with the hardfp ABI, so we also
	can't unconditionally use the softfp ABI, so we do so only when the
	compiler targets the softfloat ABI, which confusingly enough is
	advertized via the `__SOFTFP__` define.

	[dc57fe5d65d4]

2020-01-14  Franziskus Kiefer  <franziskuskiefer@gmail.com>

	* automation/saw/chacha20.saw, automation/taskcluster/docker-
	builds/Dockerfile, automation/taskcluster/docker-
	hacl/B6C8F98282B944E3B0D5C2530FC3042E345AD05D.asc,
	automation/taskcluster/docker-hacl/Dockerfile,
	automation/taskcluster/docker-hacl/bin/checkout.sh,
	automation/taskcluster/docker-hacl/license.txt,
	automation/taskcluster/docker-hacl/setup-user.sh,
	automation/taskcluster/docker-hacl/setup.sh,
	automation/taskcluster/graph/src/extend.js,
	automation/taskcluster/scripts/run_hacl.sh,
	gtests/pk11_gtest/pk11_chacha20poly1305_unittest.cc,
	lib/freebl/Makefile, lib/freebl/blapii.h, lib/freebl/blinit.c,
	lib/freebl/chacha20poly1305.c, lib/freebl/det_rng.c,
	lib/freebl/ecl/curve25519_64.c, lib/freebl/freebl.gyp,
	lib/freebl/freebl_base.gypi, nss-tool/hw-support.c:
	Bug 1574643 - NSS changes for haclv2 r=jcj,kjacobs

	This patch contains the changes in NSS, necessary to pick up HACL*v2
	in D55413. It has a couple of TODOs:
	* The chacha20 saw verification fails for some reason; it's disabled
	pending Bug 1604130.
	* The hacl task on CI requires Bug 1593647 to get fixed.

	Depends on D55413.

	[a8df94132dd3]

2019-12-21  Franziskus Kiefer  <franziskuskiefer@gmail.com>

	* lib/freebl/verified/FStar.c, lib/freebl/verified/FStar.h,
	lib/freebl/verified/Hacl_Chacha20.c,
	lib/freebl/verified/Hacl_Chacha20.h,
	lib/freebl/verified/Hacl_Chacha20Poly1305_128.c,
	lib/freebl/verified/Hacl_Chacha20Poly1305_128.h,
	lib/freebl/verified/Hacl_Chacha20Poly1305_32.c,
	lib/freebl/verified/Hacl_Chacha20Poly1305_32.h,
	lib/freebl/verified/Hacl_Chacha20_Vec128.c,
	lib/freebl/verified/Hacl_Chacha20_Vec128.h,
	lib/freebl/verified/Hacl_Curve25519.c,
	lib/freebl/verified/Hacl_Curve25519.h,
	lib/freebl/verified/Hacl_Curve25519_51.c,
	lib/freebl/verified/Hacl_Curve25519_51.h,
	lib/freebl/verified/Hacl_Kremlib.h,
	lib/freebl/verified/Hacl_Poly1305_128.c,
	lib/freebl/verified/Hacl_Poly1305_128.h,
	lib/freebl/verified/Hacl_Poly1305_32.c,
	lib/freebl/verified/Hacl_Poly1305_32.h,
	lib/freebl/verified/Hacl_Poly1305_64.c,
	lib/freebl/verified/Hacl_Poly1305_64.h,
	lib/freebl/verified/kremlib.h, lib/freebl/verified/kremlib_base.h,
	lib/freebl/verified/kremlin/include/kremlin/internal/callconv.h,
	lib/freebl/verified/kremlin/include/kremlin/internal/compat.h,
	lib/freebl/verified/kremlin/include/kremlin/internal/target.h,
	lib/freebl/verified/kremlin/include/kremlin/internal/types.h,
	lib/freebl/verified/kremlin/include/kremlin/lowstar_endianness.h,
	lib/freebl/verified/kremlin/kremlib/dist/minimal/FStar_UInt128.h, li
	b/freebl/verified/kremlin/kremlib/dist/minimal/FStar_UInt128_Verifie
	d.h, lib/freebl/verified/kremlin/kremlib/dist/minimal/FStar_UInt_8_1
	6_32_64.h, lib/freebl/verified/kremlin/kremlib/dist/minimal/LowStar_
	Endianness.h, lib/freebl/verified/kremlin/kremlib/dist/minimal/fstar
	_uint128_gcc64.h, lib/freebl/verified/kremlin/kremlib/dist/minimal/f
	star_uint128_msvc.h, lib/freebl/verified/libintvector.h,
	lib/freebl/verified/specs/Spec.CTR.fst,
	lib/freebl/verified/specs/Spec.Chacha20.fst,
	lib/freebl/verified/specs/Spec.Curve25519.fst,
	lib/freebl/verified/specs/Spec.Poly1305.fst,
	lib/freebl/verified/vec128.h:
	Bug 1574643 - haclv2 code r=kjacobs

	This updates the in-tree version of our existing HACL* code to v2,
	replacing what we have already. Once this landed NSS can pick up
	more (faster) code from HACL*.

	[5bf2547d671f]

2020-01-13  Kevin Jacobs  <kjacobs@mozilla.com>

	* automation/taskcluster/windows/build_gyp.sh:
	Bug 1608895 - Install setuptools<45.0.0 until workers are upgraded
	to python3 r=jcj

	[[ https://setuptools.readthedocs.io/en/latest/history.html#v45-0-0
	| Setuptools 45.0.0 ]] drops support for Python2, which our Windows
	workers are running.

	This patch installs the prior version during build, in order to
	unblock CI until the workers can be upgraded.

	[64c5410f98e0]

Differential Revision: https://phabricator.services.mozilla.com/D60086

--HG--
extra : moz-landing-system : lando
2020-01-16 00:13:09 +00:00
..
apps Bug 1600545 - Remove useless inclusions of header files generated from IDL files in modules/, netwerk/, parser/, security/, startupcache/, storage/, toolkit/, tools/, uriloader/, widget/, xpcom/ and xpfe/ r=Ehsan 2019-12-06 09:17:57 +00:00
certverifier bug 1602641 - add CRLite/OCSP timing comparison telemetry r=jcj 2019-12-10 23:32:51 +00:00
ct bug 1594510 - update all TrustDomain implementations in mozilla-central due to the mozilla::pkix API change in bug 1593141 r=mbirghan 2019-11-15 18:26:45 +00:00
mac/hardenedruntime Bug 1516367 - Move the minidump-analyzer out of the crash reporter application bundle r=spohl,dmajor 2019-11-14 21:11:59 +00:00
manager Bug 1609107 - Update CertBlocklist to use UniquePtr. r=keeler 2020-01-14 17:29:06 +00:00
nss Bug 1606927 - land NSS 5f9f410d0b60 UPGRADE_NSS_RELEASE, r=kjacobs 2020-01-16 00:13:09 +00:00
sandbox Bug 1519636 - Reformat recent changes to the Google coding style r=Ehsan 2020-01-09 21:50:11 +00:00
.eslintrc.js
generate_certdata.py
generate_mapfile.py
moz.build Bug 1594931 - Stop compiling NSS' DBM legacy database r=kjacobs,keeler,mhowell,MattN 2019-12-16 17:35:49 +00:00
nss.symbols bug 1573542 - be more efficient about finding client certificates r=jcj,kjacobs 2019-09-18 23:28:05 +00:00