| author | Franziskus Kiefer <franziskuskiefer@gmail.com> |
| Fri, 03 Mar 2017 11:44:57 +0100 | |
| changeset 345895 | bcb46d32449b7f9b53af8bc9512ec373c557c23a |
| parent 345894 | 4e196d802c7be7f3a3c147cc6c5b6406656584b1 |
| child 345896 | 654820d0aed7afe1c47a6b60dd6b261e54b493ca |
| push id | 38337 |
| push user | kwierso@gmail.com |
| push date | Sat, 04 Mar 2017 01:30:14 +0000 |
| treeherder | autoland@b691557cb7a3 [default view] [failures only] |
| perfherder | [talos] [build metrics] [platform microbench] (compared to previous push) |
| reviewers | me |
| bugs | 1334127 |
| milestone | 54.0a1 |
| first release with | nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
|
| last release without | nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
|
--- a/security/nss/coreconf/coreconf.dep +++ b/security/nss/coreconf/coreconf.dep @@ -5,8 +5,9 @@ /* * A dummy header file that is a dependency for all the object files. * Used to force a full recompilation of NSS in Mozilla's Tinderbox * depend builds. See comments in rules.mk. */ #error "Do not include this header file." +
--- a/security/nss/gtests/ssl_gtest/ssl_agent_unittest.cc +++ b/security/nss/gtests/ssl_gtest/ssl_agent_unittest.cc @@ -62,43 +62,39 @@ TEST_P(TlsAgentTest, EarlyFinished) { TEST_P(TlsAgentTest, EarlyCertificateVerify) { DataBuffer buffer; MakeTrivialHandshakeRecord(kTlsHandshakeCertificateVerify, 0, &buffer); ProcessMessage(buffer, TlsAgent::STATE_ERROR, SSL_ERROR_RX_UNEXPECTED_CERT_VERIFY); } -TEST_P(TlsAgentTestClient, CannedHello) { +TEST_P(TlsAgentTestClient13, CannedHello) { DataBuffer buffer; EnsureInit(); - agent_->SetVersionRange(SSL_LIBRARY_VERSION_TLS_1_3, - SSL_LIBRARY_VERSION_TLS_1_3); DataBuffer server_hello; MakeHandshakeMessage(kTlsHandshakeServerHello, kCannedTls13ServerHello, sizeof(kCannedTls13ServerHello), &server_hello); MakeRecord(kTlsHandshakeType, SSL_LIBRARY_VERSION_TLS_1_3, server_hello.data(), server_hello.len(), &buffer); ProcessMessage(buffer, TlsAgent::STATE_CONNECTING); } -TEST_P(TlsAgentTestClient, EncryptedExtensionsInClear) { +TEST_P(TlsAgentTestClient13, EncryptedExtensionsInClear) { DataBuffer server_hello; MakeHandshakeMessage(kTlsHandshakeServerHello, kCannedTls13ServerHello, sizeof(kCannedTls13ServerHello), &server_hello); DataBuffer encrypted_extensions; MakeHandshakeMessage(kTlsHandshakeEncryptedExtensions, nullptr, 0, &encrypted_extensions, 1); server_hello.Append(encrypted_extensions); DataBuffer buffer; MakeRecord(kTlsHandshakeType, SSL_LIBRARY_VERSION_TLS_1_3, server_hello.data(), server_hello.len(), &buffer); EnsureInit(); - agent_->SetVersionRange(SSL_LIBRARY_VERSION_TLS_1_3, - SSL_LIBRARY_VERSION_TLS_1_3); ProcessMessage(buffer, TlsAgent::STATE_ERROR, SSL_ERROR_RX_UNEXPECTED_HANDSHAKE); } TEST_F(TlsAgentStreamTestClient, EncryptedExtensionsInClearTwoPieces) { DataBuffer server_hello; MakeHandshakeMessage(kTlsHandshakeServerHello, kCannedTls13ServerHello, sizeof(kCannedTls13ServerHello), &server_hello); @@ -196,15 +192,19 @@ TEST_F(TlsAgentStreamTestServer, Set0Rtt kCannedTls13ClientHello, sizeof(kCannedTls13ClientHello), &buffer); ProcessMessage(buffer, TlsAgent::STATE_CONNECTING); MakeRecord(kTlsApplicationDataType, SSL_LIBRARY_VERSION_TLS_1_3, reinterpret_cast<const uint8_t *>(k0RttData), strlen(k0RttData), &buffer); ProcessMessage(buffer, TlsAgent::STATE_ERROR, SSL_ERROR_BAD_MAC_READ); } -INSTANTIATE_TEST_CASE_P( - AgentTests, TlsAgentTest, - ::testing::Combine(TlsAgentTestBase::kTlsRolesAll, - TlsConnectTestBase::kTlsModesStream)); +INSTANTIATE_TEST_CASE_P(AgentTests, TlsAgentTest, + ::testing::Combine(TlsAgentTestBase::kTlsRolesAll, + TlsConnectTestBase::kTlsModesStream, + TlsConnectTestBase::kTlsVAll)); INSTANTIATE_TEST_CASE_P(ClientTests, TlsAgentTestClient, - TlsConnectTestBase::kTlsModesAll); + ::testing::Combine(TlsConnectTestBase::kTlsModesAll, + TlsConnectTestBase::kTlsVAll)); +INSTANTIATE_TEST_CASE_P(ClientTests13, TlsAgentTestClient13, + ::testing::Combine(TlsConnectTestBase::kTlsModesAll, + TlsConnectTestBase::kTlsV13)); } // namespace nss_test
--- a/security/nss/gtests/ssl_gtest/ssl_hrr_unittest.cc +++ b/security/nss/gtests/ssl_gtest/ssl_hrr_unittest.cc @@ -263,18 +263,16 @@ TEST_F(TlsConnectTest, Select12AfterHell EXPECT_EQ(SSL_ERROR_RX_MALFORMED_SERVER_HELLO, client_->error_code()); } class HelloRetryRequestAgentTest : public TlsAgentTestClient { protected: void SetUp() override { TlsAgentTestClient::SetUp(); EnsureInit(); - agent_->SetVersionRange(SSL_LIBRARY_VERSION_TLS_1_3, - SSL_LIBRARY_VERSION_TLS_1_3); agent_->StartConnect(); } void MakeCannedHrr(const uint8_t* body, size_t len, DataBuffer* hrr_record, uint32_t seq_num = 0) const { DataBuffer hrr_data; hrr_data.Allocate(len + 4); size_t i = 0; @@ -349,16 +347,17 @@ TEST_P(HelloRetryRequestAgentTest, Handl ProcessMessage(hrr, TlsAgent::STATE_CONNECTING); const size_t cookie_pos = 2 + 2; // cookie_xtn, extension len DataBuffer cookie(canned_cookie_hrr + cookie_pos, sizeof(canned_cookie_hrr) - cookie_pos); EXPECT_EQ(cookie, capture->extension()); } INSTANTIATE_TEST_CASE_P(HelloRetryRequestAgentTests, HelloRetryRequestAgentTest, - TlsConnectTestBase::kTlsModesAll); + ::testing::Combine(TlsConnectTestBase::kTlsModesAll, + TlsConnectTestBase::kTlsV13)); #ifndef NSS_DISABLE_TLS_1_3 INSTANTIATE_TEST_CASE_P(HelloRetryRequestKeyExchangeTests, TlsKeyExchange13, ::testing::Combine(TlsConnectTestBase::kTlsModesAll, TlsConnectTestBase::kTlsV13)); #endif } // namespace nss_test
--- a/security/nss/gtests/ssl_gtest/tls_agent.cc +++ b/security/nss/gtests/ssl_gtest/tls_agent.cc @@ -901,16 +901,19 @@ void TlsAgentTestBase::TearDown() { SSL_ClearSessionCache(); SSL_ShutdownServerSessionIDCache(); } void TlsAgentTestBase::Reset(const std::string& server_name) { agent_.reset( new TlsAgent(role_ == TlsAgent::CLIENT ? TlsAgent::kClient : server_name, role_, mode_)); + if (version_) { + agent_->SetVersionRange(version_, version_); + } agent_->adapter()->SetPeer(sink_adapter_); agent_->StartConnect(); } void TlsAgentTestBase::EnsureInit() { if (!agent_) { Reset(); }
--- a/security/nss/gtests/ssl_gtest/tls_agent.h +++ b/security/nss/gtests/ssl_gtest/tls_agent.h @@ -374,20 +374,21 @@ inline std::ostream& operator<<(std::ost const TlsAgent::State& state) { return stream << TlsAgent::state_str(state); } class TlsAgentTestBase : public ::testing::Test { public: static ::testing::internal::ParamGenerator<std::string> kTlsRolesAll; - TlsAgentTestBase(TlsAgent::Role role, Mode mode) + TlsAgentTestBase(TlsAgent::Role role, Mode mode, uint16_t version = 0) : agent_(nullptr), role_(role), mode_(mode), + version_(version), sink_adapter_(new DummyPrSocket("sink", mode)) {} virtual ~TlsAgentTestBase() {} void SetUp(); void TearDown(); static void MakeRecord(Mode mode, uint8_t type, uint16_t version, const uint8_t* buf, size_t len, DataBuffer* out, @@ -416,36 +417,42 @@ class TlsAgentTestBase : public ::testin protected: void EnsureInit(); void ProcessMessage(const DataBuffer& buffer, TlsAgent::State expected_state, int32_t error_code = 0); std::unique_ptr<TlsAgent> agent_; TlsAgent::Role role_; Mode mode_; + uint16_t version_; // This adapter is here just to accept packets from this agent. std::shared_ptr<DummyPrSocket> sink_adapter_; }; class TlsAgentTest : public TlsAgentTestBase, public ::testing::WithParamInterface< - std::tuple<std::string, std::string>> { + std::tuple<std::string, std::string, uint16_t>> { public: TlsAgentTest() : TlsAgentTestBase(ToRole(std::get<0>(GetParam())), - ToMode(std::get<1>(GetParam()))) {} + ToMode(std::get<1>(GetParam())), + std::get<2>(GetParam())) {} }; -class TlsAgentTestClient : public TlsAgentTestBase, - public ::testing::WithParamInterface<std::string> { +class TlsAgentTestClient + : public TlsAgentTestBase, + public ::testing::WithParamInterface<std::tuple<std::string, uint16_t>> { public: TlsAgentTestClient() - : TlsAgentTestBase(TlsAgent::CLIENT, ToMode(GetParam())) {} + : TlsAgentTestBase(TlsAgent::CLIENT, ToMode(std::get<0>(GetParam())), + std::get<1>(GetParam())) {} }; +class TlsAgentTestClient13 : public TlsAgentTestClient {}; + class TlsAgentStreamTestClient : public TlsAgentTestBase { public: TlsAgentStreamTestClient() : TlsAgentTestBase(TlsAgent::CLIENT, STREAM) {} }; class TlsAgentStreamTestServer : public TlsAgentTestBase { public: TlsAgentStreamTestServer() : TlsAgentTestBase(TlsAgent::SERVER, STREAM) {}
--- a/security/nss/lib/pk11wrap/pk11akey.c +++ b/security/nss/lib/pk11wrap/pk11akey.c @@ -881,16 +881,20 @@ PK11_GetPrivateModulusLen(SECKEYPrivateK switch (key->keyType) { case rsaKey: crv = PK11_GetAttributes(NULL, slot, key->pkcs11ID, &theTemplate, 1); if (crv != CKR_OK) { PORT_SetError(PK11_MapError(crv)); return -1; } + if (theTemplate.pValue == NULL) { + PORT_SetError(PK11_MapError(CKR_ATTRIBUTE_VALUE_INVALID)); + return -1; + } length = theTemplate.ulValueLen; if (*(unsigned char *)theTemplate.pValue == 0) { length--; } PORT_Free(theTemplate.pValue); return (int)length; case fortezzaKey:
--- a/security/nss/lib/ssl/ssl3con.c +++ b/security/nss/lib/ssl/ssl3con.c @@ -9789,27 +9789,25 @@ ssl3_HandleCertificateVerify(sslSocket * SSL3Hashes localHashes; SSL3Hashes *hashesForVerify = NULL; SSL_TRC(3, ("%d: SSL3[%d]: handle certificate_verify handshake", SSL_GETPID(), ss->fd)); PORT_Assert(ss->opt.noLocks || ssl_HaveRecvBufLock(ss)); PORT_Assert(ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); - /* TLS 1.3 is handled by tls13_HandleCertificateVerify */ - PORT_Assert(ss->ssl3.prSpec->version <= SSL_LIBRARY_VERSION_TLS_1_2); - - isTLS = (PRBool)(ss->ssl3.prSpec->version > SSL_LIBRARY_VERSION_3_0); - if (ss->ssl3.hs.ws != wait_cert_verify) { desc = unexpected_message; errCode = SSL_ERROR_RX_UNEXPECTED_CERT_VERIFY; goto alert_loser; } + /* TLS 1.3 is handled by tls13_HandleCertificateVerify */ + PORT_Assert(ss->ssl3.prSpec->version <= SSL_LIBRARY_VERSION_TLS_1_2); + if (!hashes) { PORT_Assert(0); desc = internal_error; errCode = SEC_ERROR_LIBRARY_FAILURE; goto alert_loser; } if (ss->ssl3.hs.hashType == handshake_hash_record) { @@ -9847,16 +9845,18 @@ ssl3_HandleCertificateVerify(sslSocket * sigScheme = ssl_sig_none; } rv = ssl3_ConsumeHandshakeVariable(ss, &signed_hash, 2, &b, &length); if (rv != SECSuccess) { goto loser; /* malformed. */ } + isTLS = (PRBool)(ss->ssl3.prSpec->version > SSL_LIBRARY_VERSION_3_0); + /* XXX verify that the key & kea match */ rv = ssl3_VerifySignedHashes(ss, sigScheme, hashesForVerify, &signed_hash); if (rv != SECSuccess) { errCode = PORT_GetError(); desc = isTLS ? decrypt_error : handshake_failure; goto alert_loser; } @@ -13342,18 +13342,16 @@ ssl3_DestroySSL3Info(sslSocket *ss) if (ss->ssl3.hs.exporterSecret) PK11_FreeSymKey(ss->ssl3.hs.exporterSecret); ss->ssl3.hs.zeroRttState = ssl_0rtt_none; /* Destroy TLS 1.3 buffered early data. */ tls13_DestroyEarlyData(&ss->ssl3.hs.bufferedEarlyData); ss->ssl3.initialized = PR_FALSE; - - SECITEM_FreeItem(&ss->xtnData.nextProto, PR_FALSE); } #define MAP_NULL(x) (((x) != 0) ? (x) : SEC_OID_NULL_CIPHER) SECStatus ssl3_ApplyNSSPolicy(void) { unsigned i;
--- a/security/nss/lib/ssl/sslsock.c +++ b/security/nss/lib/ssl/sslsock.c @@ -3699,28 +3699,28 @@ ssl_NewSocket(PRBool makeLocks, SSLProto for (i = 0; i < SSL_NAMED_GROUP_COUNT; ++i) { ss->namedGroupPreferences[i] = &ssl_named_groups[i]; } ss->additionalShares = 0; PR_INIT_CLIST(&ss->ssl3.hs.remoteExtensions); PR_INIT_CLIST(&ss->ssl3.hs.lastMessageFlight); PR_INIT_CLIST(&ss->ssl3.hs.cipherSpecs); PR_INIT_CLIST(&ss->ssl3.hs.bufferedEarlyData); + ssl3_InitExtensionData(&ss->xtnData); if (makeLocks) { rv = ssl_MakeLocks(ss); if (rv != SECSuccess) goto loser; } rv = ssl_CreateSecurityInfo(ss); if (rv != SECSuccess) goto loser; rv = ssl3_InitGather(&ss->gs); if (rv != SECSuccess) goto loser; - ssl3_InitExtensionData(&ss->xtnData); return ss; loser: ssl_DestroySocketContents(ss); ssl_DestroyLocks(ss); PORT_Free(ss); return NULL; }
--- a/security/nss/lib/ssl/tls13con.c +++ b/security/nss/lib/ssl/tls13con.c @@ -2872,16 +2872,19 @@ tls13_DestroyKeyShareEntry(TLS13KeyShare PORT_ZFree(offer, sizeof(*offer)); } void tls13_DestroyKeyShares(PRCList *list) { PRCList *cur_p; + /* The list must be initialized. */ + PORT_Assert(PR_LIST_HEAD(list)); + while (!PR_CLIST_IS_EMPTY(list)) { cur_p = PR_LIST_TAIL(list); PR_REMOVE_LINK(cur_p); tls13_DestroyKeyShareEntry((TLS13KeyShareEntry *)cur_p); } } void