mirror of
https://github.com/mozilla/gecko-dev.git
synced 2024-10-20 00:35:44 +00:00
685c607058
2019-10-11 Kai Engert <kaie@kuix.de> * automation/release/nspr-version.txt: Bug 1583068 - Require NSPR version 4.23 r=jcj [93245f5733b3] [NSS_3_47_BETA1] 2019-10-11 Kevin Jacobs <kjacobs@mozilla.com> * coreconf/config.gypi, lib/freebl/freebl.gyp: Bug 1152625 - Add gyp flag for disabling ARM HW AES r=jcj Adds an option to disable ARMv8 HW AES, if `-Ddisable_arm_hw_aes=1` is passed to build.sh. Depends on D34473 [9abcea09fdd4] 2019-10-11 Makoto Kato <m_kato@ga2.so-net.ne.jp> * lib/freebl/aes-armv8.c: Bug 1152625 - Part 2. Remove __builtin_assume to avoid crash on PGO. r=kjacobs,mt `AESContext->iv` doesn't align to 16 bytes on PGO build, so we should remove __builtin_assume. Also, I guess that `expandedKey` has same problem. [1b0f5c5335ee] * lib/freebl/Makefile, lib/freebl/aes-armv8.c, lib/freebl/aes-armv8.h, lib/freebl/freebl.gyp, lib/freebl/intel-aes.h, lib/freebl/rijndael.c: Bug 1152625 - Support AES HW acceleration on ARMv8. r=kjacobs,jcj [efb895a43899] 2019-09-06 Martin Thomson <mt@lowentropy.net> * gtests/ssl_gtest/ssl_auth_unittest.cc, gtests/ssl_gtest/ssl_ciphersuite_unittest.cc, gtests/ssl_gtest/ssl_extension_unittest.cc, gtests/ssl_gtest/ssl_fuzz_unittest.cc, gtests/ssl_gtest/tls_esni_unittest.cc, lib/ssl/ssl3con.c, lib/ssl/ssl3exthandle.c, lib/ssl/sslimpl.h, lib/ssl/tls13con.c: Bug 1549225 - Up front Signature Scheme validation, r=ueno Summary: This patch started as an attempt to ensure that a DSA signature scheme would not be advertised if we weren't willing to negotiate versions less than TLS 1.3. Then I realized that we didn't do the same for PKCS#1 RSA. Then I realized that we were still willing to try to establish connections when we had a certificate that we couldn't use. Then I realized that ssl3_config_match_init() wasn't being run consistently. On resumption, we only ran it when we were PARANOID. That's silly because we weren't checking policies. Then I realized that we were allowing ECDSA certificates to be used when the named group in the certificate was disabled. We weren't enforcing that consistently either. However, I also discovered that the check we have wouldn't work without a tweak because in TLS 1.3 the named group is part of the signature scheme; the configured named groups are only used prior to TLS 1.3 when selecting ECDSA/ECDH certificates. So that sounds like a lot of changes but what it boils down to is more robust checking of the configuration prior to starting a connection. As a result, we should be offering fewer options that we're unwilling or unable to follow through on. A good number of tests needed tweaking as a result because we were relying on getting past the checks in those tests. No real problems were found as a result; this just moves failures that might arise from misconfiguration a little earlier in the process. [9b418f0a4912] 2019-10-08 Kevin Jacobs <kjacobs@mozilla.com> * gtests/pk11_gtest/pk11_der_private_key_import_unittest.cc, lib/pk11wrap/pk11pk12.c: Bug 1586947 - Store nickname during EC key import. r=jcj This patch stores the nickname (if specified) during EC key import. This was already done for all other key types. [c319019aee75] 2019-10-08 Marcus Burghardt <mburghardt@mozilla.com> * lib/certdb/stanpcertdb.c, lib/pk11wrap/pk11load.c, lib/pki/pki3hack.c: Bug 1586456 - Unnecessary conditional in pki3hack, pk11load and stanpcertdb. r=jcj Some conditionals that are always true were removed. [b34061c3a377] Differential Revision: https://phabricator.services.mozilla.com/D49030 --HG-- extra : moz-landing-system : lando |
||
---|---|---|
.. | ||
apps | ||
certverifier | ||
ct | ||
mac/hardenedruntime | ||
manager | ||
nss | ||
sandbox | ||
.eslintrc.js | ||
generate_certdata.py | ||
generate_mapfile.py | ||
moz.build | ||
nss.symbols |