searching for reviewer(jcj)
3b3b6706f48f5e05a8ad0ce0f4ec74a4a37ccba2: Bug 1641178 - Add NSSCipherStrategy. r=dom-workers-and-storage-reviewers,jcj,janv
Simon Giesecke <sgiesecke@mozilla.com> - Fri, 12 Mar 2021 09:31:57 +0000 - rev 570804
Push 38280 by cbrindusan@mozilla.com at Fri, 12 Mar 2021 15:32:35 +0000
Bug 1641178 - Add NSSCipherStrategy. r=dom-workers-and-storage-reviewers,jcj,janv Differential Revision: https://phabricator.services.mozilla.com/D73290
8f7c25b71590c74b98121eee93e4f5d8137b708c: Bug 1641178 - Add NSSCipherStrategy. r=dom-workers-and-storage-reviewers,jcj,janv
Simon Giesecke <sgiesecke@mozilla.com> - Wed, 24 Feb 2021 13:18:24 +0000 - rev 568590
Push 38235 by ncsoregi@mozilla.com at Wed, 24 Feb 2021 21:51:51 +0000
Bug 1641178 - Add NSSCipherStrategy. r=dom-workers-and-storage-reviewers,jcj,janv Differential Revision: https://phabricator.services.mozilla.com/D73290
39c31ec31cbda6008e612c02bef46650e96ee3c8: Bug 1677548 - land NSS 3eacb92e9adf UPGRADE_NSS_RELEASE, r=jcj
Kevin Jacobs <kjacobs@mozilla.com> - Thu, 19 Nov 2020 18:28:18 +0000 - rev 558058
Push 37967 by abutkovits@mozilla.com at Fri, 20 Nov 2020 09:45:11 +0000
Bug 1677548 - land NSS 3eacb92e9adf UPGRADE_NSS_RELEASE, r=jcj

2020-11-18 Kevin Jacobs <kjacobs@mozilla.com>

* lib/ssl/ssl3con.c, lib/ssl/tls13con.c, lib/ssl/tls13ech.c:
Bug 1654332 - Fixup a10493dcfcc9: copy ECHConfig.config_id with socket r=jcj
A late review change for ECH was for the server to compute each ECHConfig `config_id` when set to the socket, rather than on each connection. This works, but now we also need to copy that config_id when copying a socket, else the server won't find a matching ECHConfig to use for decryption.
[3eacb92e9adf] [tip]

2020-11-17 Kevin Jacobs <kjacobs@mozilla.com>

* automation/abi-check/expected-report-libssl3.so.txt, cmd/tstclnt/tstclnt.c, cpputil/tls_parser.h, gtests/ssl_gtest/libssl_internals.c, gtests/ssl_gtest/libssl_internals.h, gtests/ssl_gtest/manifest.mn, gtests/ssl_gtest/ssl_auth_unittest.cc, gtests/ssl_gtest/ssl_custext_unittest.cc, gtests/ssl_gtest/ssl_extension_unittest.cc, gtests/ssl_gtest/ssl_gtest.gyp, gtests/ssl_gtest/ssl_tls13compat_unittest.cc, gtests/ssl_gtest/tls_agent.cc, gtests/ssl_gtest/tls_agent.h, gtests/ssl_gtest/tls_connect.cc, gtests/ssl_gtest/tls_connect.h, gtests/ssl_gtest/tls_ech_unittest.cc, gtests/ssl_gtest/tls_esni_unittest.cc, gtests/ssl_gtest/tls_filter.cc, gtests/ssl_gtest/tls_filter.h, lib/ssl/SSLerrs.h, lib/ssl/manifest.mn, lib/ssl/ssl.gyp, lib/ssl/ssl3con.c, lib/ssl/ssl3ext.c, lib/ssl/ssl3ext.h, lib/ssl/ssl3exthandle.c, lib/ssl/ssl3exthandle.h, lib/ssl/ssl3prot.h, lib/ssl/sslencode.c, lib/ssl/sslencode.h, lib/ssl/sslerr.h, lib/ssl/sslexp.h, lib/ssl/sslimpl.h, lib/ssl/sslinfo.c, lib/ssl/sslsecur.c, lib/ssl/sslsock.c, lib/ssl/sslt.h, lib/ssl/tls13con.c, lib/ssl/tls13con.h, lib/ssl/tls13ech.c, lib/ssl/tls13ech.h, lib/ssl/tls13esni.c, lib/ssl/tls13esni.h, lib/ssl/tls13exthandle.c, lib/ssl/tls13exthandle.h, lib/ssl/tls13hashstate.c, lib/ssl/tls13hashstate.h:
Bug 1654332 - Update ESNI to draft-08 (ECH). r=mt
This patch adds support for Encrypted Client Hello (draft-ietf-tls-esni-08), replacing the existing ESNI (draft-02) support. There are five new experimental functions to enable this:
- SSL_EncodeEchConfig: Generates an encoded (not BASE64) ECHConfig given a set of parameters.
- SSL_SetClientEchConfigs: Configures the provided ECHConfig to the given socket. When configured, an ephemeral HPKE keypair will be generated for the CH encryption.
- SSL_SetServerEchConfigs: Configures the provided ECHConfig and keypair to the socket. The keypair specified will be used for HPKE operations in order to decrypt encrypted Client Hellos as they are received.
- SSL_GetEchRetryConfigs: If ECH is rejected by the server and compatible retry_configs are provided, this API allows the application to extract those retry_configs for use in a new connection.
- SSL_EnableTls13GreaseEch: When enabled, non-ECH Client Hellos will have a "GREASE ECH" (i.e. fake) extension appended. GREASE ECH is disabled by default, as there are known compatibility issues that will be addressed in a subsequent draft.
The following ESNI experimental functions are deprecated by this update:
- SSL_EncodeESNIKeys
- SSL_EnableESNI
- SSL_SetESNIKeyPair
In order to be used, NSS must be compiled with `NSS_ENABLE_DRAFT_HPKE` defined.
[a10493dcfcc9]

* lib/ssl/ssl3con.c, lib/ssl/sslencode.c, lib/ssl/sslencode.h, lib/ssl/tls13con.c, lib/ssl/tls13con.h:
Bug 1654332 - Buffered ClientHello construction. r=mt
This patch refactors construction of Client Hello messages. Instead of each component of the message being written separately into `ss->sec.ci.sendBuf`, we now construct the message in its own sslBuffer. Once complete, the entire message is added to the sendBuf via `ssl3_AppendHandshake`. `ssl3_SendServerHello` already uses this approach and it becomes necessary for ECH, where we use the constructed ClientHello to create an inner ClientHello.
[d40121ba59ba]

2020-11-13 J.C. Jones <jjones@mozilla.com>

* automation/abi-check/expected-report-libnss3.so.txt, automation/abi-check/expected-report-libnssutil3.so.txt, automation/abi-check/previous-nss-release, lib/nss/nss.h, lib/softoken/softkver.h, lib/util/nssutil.h:
Set version numbers to 3.60 Beta
[5e7b37609f22]

Differential Revision: https://phabricator.services.mozilla.com/D97492
abe0533af22c8afbb163f36f4e2cb491dd792c9b: Bug 1671713 - land NSS 97751cd6d553 UPGRADE_NSS_RELEASE, r=jcj
Kevin Jacobs <kjacobs@mozilla.com> - Fri, 06 Nov 2020 00:54:30 +0000 - rev 556126
Push 37927 by rmaries@mozilla.com at Fri, 06 Nov 2020 09:34:43 +0000
Bug 1671713 - land NSS 97751cd6d553 UPGRADE_NSS_RELEASE, r=jcj

2020-11-03 Kevin Jacobs <kjacobs@mozilla.com>

* gtests/common/testvectors/hmac-sha256-vectors.h, gtests/common/testvectors/hmac-sha384-vectors.h, gtests/common/testvectors/hmac-sha512-vectors.h, gtests/common/testvectors_base/test-structs.h, gtests/pk11_gtest/manifest.mn, gtests/pk11_gtest/pk11_gtest.gyp, gtests/pk11_gtest/pk11_hmac_unittest.cc:
Bug 1672823 - Add Wycheproof HMAC test cases. r=jcj
[97751cd6d553] [tip]

* gtests/common/testvectors/hkdf-sha1-vectors.h, gtests/common/testvectors/hkdf-sha256-vectors.h, gtests/common/testvectors/hkdf-sha384-vectors.h, gtests/common/testvectors/hkdf-sha512-vectors.h, gtests/common/testvectors/hkdf-vectors.h, gtests/common/testvectors_base/test-structs.h, gtests/common/wycheproof/genTestVectors.py, gtests/pk11_gtest/manifest.mn, gtests/pk11_gtest/pk11_hkdf_unittest.cc:
Bug 1672823 - Add Wycheproof HKDF test cases. r=bbeurdouche
[5a02ca2617cf]

* gtests/common/testvectors/dsa-vectors.h, gtests/common/testvectors_base/test-structs.h, gtests/common/wycheproof/genTestVectors.py, gtests/common/wycheproof/source_vectors/dsa_test.json, gtests/pk11_gtest/manifest.mn, gtests/pk11_gtest/pk11_dsa_unittest.cc, gtests/pk11_gtest/pk11_gtest.gyp:
Bug 1672823 - Add Wycheproof DSA test cases. r=jcj
[3ce42ead87f9]

* lib/dev/devslot.c, lib/dev/devt.h:
Bug 1663661 - Guard against NULL token in nssSlot_IsTokenPresent. r=jcj
This patch addresses locking inconsistency in `nssSlot_IsTokenPresent` by retaining the slot lock for the duration of accesses to `slot->token`. This is already done correctly elsewhere. As a side effect, this introduces an ordering requirement: we take `slot->lock` followed by `session->lock`.
[0ed11a5835ac]

2020-10-30 Kevin Jacobs <kjacobs@mozilla.com>

* lib/pk11wrap/pk11pars.c:
Bug 1670835 - Fixup for 6f79a7695812, add missing return value check. r=rrelyea
[424974716ef0]

Differential Revision: https://phabricator.services.mozilla.com/D96073
11354a8db59be58294133c3f17ffef4644bb5c0b: Bug 1670984 - include CRLite stash revocation hits/library failures in CRLite telemetry r=jcj
Dana Keeler <dkeeler@mozilla.com> - Fri, 23 Oct 2020 20:57:48 +0000 - rev 554295
Push 37890 by ccoroiu@mozilla.com at Sat, 24 Oct 2020 09:41:39 +0000
Bug 1670984 - include CRLite stash revocation hits/library failures in CRLite telemetry r=jcj Differential Revision: https://phabricator.services.mozilla.com/D94189
09cb61c1b3eeba6c5dd3d57767aa5961d796874e: Bug 1670985 - don't fall back to OCSP when the CRLite mode is "enforce" r=jcj
Dana Keeler <dkeeler@mozilla.com> - Fri, 23 Oct 2020 17:04:18 +0000 - rev 554256
Push 37890 by ccoroiu@mozilla.com at Sat, 24 Oct 2020 09:41:39 +0000
Bug 1670985 - don't fall back to OCSP when the CRLite mode is "enforce" r=jcj When the CRLite mode is "enforce" and a certificate is found to be covered by CRLite, this patch makes it so the implementation will not fall back to processing OCSP (whether stapled, cached, or fetched). This also updates test_crlite_filters.js to use a more recent, realistic filter and stash. Differential Revision: https://phabricator.services.mozilla.com/D94499
0b12aef525c184f713a6a1ab20b907edb487750c: Bug 1638396 - Generate keys per database. r=dom-workers-and-storage-reviewers,jcj,janv
Simon Giesecke <sgiesecke@mozilla.com> - Fri, 16 Oct 2020 11:09:36 +0000 - rev 553259
Push 37868 by dluca@mozilla.com at Fri, 16 Oct 2020 21:45:37 +0000
Bug 1638396 - Generate keys per database. r=dom-workers-and-storage-reviewers,jcj,janv Differential Revision: https://phabricator.services.mozilla.com/D77020
1aa2dc4b280e4ac1d5d5742e1923d5d39c04c102: Bug 1667179 - Initialize OneCRL when GeckoView starts. r=snorp,jcj
Agi Sferro <agi@sferro.dev> - Tue, 13 Oct 2020 16:57:32 +0000 - rev 552863
Push 37859 by smolnar@mozilla.com at Wed, 14 Oct 2020 09:52:12 +0000
Bug 1667179 - Initialize OneCRL when GeckoView starts. r=snorp,jcj Differential Revision: https://phabricator.services.mozilla.com/D93250
93743d0782aa5b67f44ab8945f54203f670f376b: Bug 1549418 - Hook up WebAuthn support for GeckoView r=geckoview-reviewers,jcj,agi
James Willcox <snorp@snorp.net> - Mon, 12 Oct 2020 19:22:09 +0000 - rev 552734
Push 37856 by ncsoregi@mozilla.com at Tue, 13 Oct 2020 03:29:28 +0000
Bug 1549418 - Hook up WebAuthn support for GeckoView r=geckoview-reviewers,jcj,agi This mostly just refactors the stuff we had for Fennec. We add a dependency on Google Play Services here, but care is taken to ensure that things will fail gracefully if Play Services are not present at runtime. Differential Revision: https://phabricator.services.mozilla.com/D91446
210f20acab2b9e7e5e7cf7950497eea42fb80918: Bug 1654550 - Update licensing information for Fiat-Crypto and ECCKiila. r=jcj,mhoye
Kevin Jacobs <kjacobs@mozilla.com> - Fri, 09 Oct 2020 01:18:23 +0000 - rev 552329
Push 37848 by ccoroiu@mozilla.com at Fri, 09 Oct 2020 15:35:54 +0000
Bug 1654550 - Update licensing information for Fiat-Crypto and ECCKiila. r=jcj,mhoye Differential Revision: https://phabricator.services.mozilla.com/D84523
6432addb0df4e5f6df402be4fb41b6bdf0e4888e: Bug 1667829 - CRLite: allow taking the log merge delay into account r=jcj
Dana Keeler <dkeeler@mozilla.com> - Wed, 07 Oct 2020 00:16:49 +0000 - rev 551787
Push 37842 by apavel@mozilla.com at Wed, 07 Oct 2020 15:50:36 +0000
Bug 1667829 - CRLite: allow taking the log merge delay into account r=jcj This patch adds the preference "security.pki.crlite_ct_merge_delay_seconds" that adds a configurable delay between the earliest certificate timestamp and the filter creation date. This allows the implementation to take into account CT log merge delays (i.e. when an SCT exists for a certificate but that certificate hasn't yet been merged into the log). The default value is 28 hours in seconds. The minimum value is 0 seconds, and the maximum value is one year in seconds. Differential Revision: https://phabricator.services.mozilla.com/D92295
b2c7cf46430823457190dded0323f73eaf870992: Bug 1549418 - Hook up WebAuthn support for GeckoView r=geckoview-reviewers,jcj,agi
James Willcox <snorp@snorp.net> - Fri, 02 Oct 2020 15:43:41 +0000 - rev 551306
Push 37830 by nbeleuzu@mozilla.com at Sat, 03 Oct 2020 10:23:35 +0000
Bug 1549418 - Hook up WebAuthn support for GeckoView r=geckoview-reviewers,jcj,agi This mostly just refactors the stuff we had for Fennec. We add a dependency on Google Play Services here, but care is taken to ensure that things will fail gracefully if Play Services are not present at runtime. Differential Revision: https://phabricator.services.mozilla.com/D91446
68112bc6b12163894ed527f66d65214b1caeb8a1: Bug 1605273 - only run CRLite on certificates with a CT SCT available r=jcj
Dana Keeler <dkeeler@mozilla.com> - Thu, 24 Sep 2020 18:10:05 +0000 - rev 550200
Push 37809 by apavel@mozilla.com at Fri, 25 Sep 2020 03:37:48 +0000
Bug 1605273 - only run CRLite on certificates with a CT SCT available r=jcj Because CAs can back-date a certificate (i.e. set the "notBefore" field to earlier than when a certificate actually existed), the "notBefore" field can't be relied on when determining when CRLite information is recent enough to check a certificate with. To that end, this patch instead uses the earliest timestamp from the embedded SCTs in the certificate being checked. Differential Revision: https://phabricator.services.mozilla.com/D90599
22753d184de67fc60d8bac0c634d17b67ba1fe73: Bug 1605273 - only run CRLite on certificates with a CT SCT available r=jcj
Dana Keeler <dkeeler@mozilla.com> - Wed, 23 Sep 2020 22:24:39 +0000 - rev 550080
Push 37807 by dluca@mozilla.com at Thu, 24 Sep 2020 09:34:15 +0000
Bug 1605273 - only run CRLite on certificates with a CT SCT available r=jcj Because CAs can back-date a certificate (i.e. set the "notBefore" field to earlier than when a certificate actually existed), the "notBefore" field can't be relied on when determining when CRLite information is recent enough to check a certificate with. To that end, this patch instead uses the earliest timestamp from the embedded SCTs in the certificate being checked. Differential Revision: https://phabricator.services.mozilla.com/D90599
963f87c25ddf0acf529d26f8dd0c90bf638eb3a1: Bug 1660509 - land NSS NSS_3_57_RTM UPGRADE_NSS_RELEASE, r=jcj
Kevin Jacobs <kjacobs@mozilla.com> - Fri, 18 Sep 2020 19:53:28 +0000 - rev 549341
Push 37795 by ccoroiu@mozilla.com at Sat, 19 Sep 2020 09:34:53 +0000
Bug 1660509 - land NSS NSS_3_57_RTM UPGRADE_NSS_RELEASE, r=jcj

2020-09-18 Kevin Jacobs <kjacobs@mozilla.com>

* lib/nss/nss.h, lib/softoken/softkver.h, lib/util/nssutil.h:
Set version numbers to 3.57 final
[cf7e3e8abd77] [NSS_3_57_RTM] <NSS_3_57_BRANCH>

2020-09-15 Kevin Jacobs <kjacobs@mozilla.com>

* .hgtags:
Added tag NSS_3_57_BETA1 for changeset 56224882ccc3
[f46f20c58c4f]

Differential Revision: https://phabricator.services.mozilla.com/D90726
e9b8cd72d354a0ce457106a89fb0c49af0be784f: Bug 1660509 - land NSS NSS_3_57_BETA1 UPGRADE_NSS_RELEASE, r=jcj
Kevin Jacobs <kjacobs@mozilla.com> - Thu, 17 Sep 2020 05:29:26 +0000 - rev 549065
Push 37790 by btara@mozilla.com at Thu, 17 Sep 2020 10:09:40 +0000
Bug 1660509 - land NSS NSS_3_57_BETA1 UPGRADE_NSS_RELEASE, r=jcj

2020-09-15 Kevin Jacobs <kjacobs@mozilla.com>

* automation/release/nspr-version.txt:
Bug 1660372 - NSS 3.57 should depend on NSPR 4.29. r=kaie
[56224882ccc3] [NSS_3_57_BETA1]

Differential Revision: https://phabricator.services.mozilla.com/D90324
cd3c94fcde3f2eb9ad7c25d3c3fca720d1216dc5: Bug 1660509 - land NSS 2a17c8655a74 UPGRADE_NSS_RELEASE, r=jcj
Kevin Jacobs <kjacobs@mozilla.com> - Mon, 14 Sep 2020 17:06:12 +0000 - rev 548570
Push 37783 by rmaries@mozilla.com at Mon, 14 Sep 2020 21:29:41 +0000
Bug 1660509 - land NSS 2a17c8655a74 UPGRADE_NSS_RELEASE, r=jcj

2020-09-14 Benjamin Beurdouche <bbeurdouche@mozilla.com>

* coreconf/arch.mk:
Bug 1660735 - Fix typo in coreconfig/arch.mk. r=kjacobs
[2a17c8655a74] [tip]

* coreconf/config.mk:
Bug 1660734 - Fix typo in coreconf/config.mk. r=kjacobs
[4ae56ec2411b]

2020-09-11 Kevin Jacobs <kjacobs@mozilla.com>

* lib/ckfw/builtins/nssckbi.h:
Bug 1663049 - September 2020 batch of root changes, NSS_BUILTINS_LIBRARY_VERSION 2.44. r=jcj
[141ef83ac10b]

* lib/ckfw/builtins/certdata.txt:
Bug 1663049 - Add SecureTrust's Trustwave Global root certificates to NSS. r=KathleenWilson,jcj
[7dfc054a983e]

* lib/ckfw/builtins/certdata.txt:
Bug 1656077 - Remove Taiwan Government Root Certification Authority root cert. r=KathleenWilson,jcj
Depends on D89841
[32a0d8f751ef]

* lib/ckfw/builtins/certdata.txt:
Bug 1653092 - Disable server trust bit for OISTE WISeKey Global Root GA CA root cert. r=KathleenWilson,jcj
Depends on D89840
[1cdfb26b3220]

* lib/ckfw/builtins/certdata.txt:
Bug 1651211 - Remove EE Certification Centre Root CA root cert. r=KathleenWilson,jcj
[089aeca370df]

2020-09-11 Danh <congdanhqx@gmail.com>

* coreconf/arch.mk, coreconf/config.mk, lib/freebl/Makefile:
Bug 1659727 - Move makefile avx2 detection to config.mk. r=kjacobs
Summary: The current code base uses CPU_ARCH to detect if avx2 is supported in arch.mk. However, when arch.mk is included, CPU_ARCH hasn't been initialised; CPU_ARCH will be initialised by the OS-specific code later on. Move the AVX2 detection to config.mk, after all other initialisation is done.
Reviewers: kjacobs
Reviewed By: kjacobs
Subscribers: kjacobs
Bug #: 1659727
[c6dcb99e6121]

2020-09-08 Kevin Jacobs <kjacobs@mozilla.com>

* gtests/freebl_gtest/mpi_unittest.cc, lib/freebl/mpi/mpi.c:
Bug 1605922 - Account for negative sign in mp_radix_size r=bbeurdouche
[b64436ecbd79]

2020-09-09 Daiki Ueno <dueno@redhat.com>

* lib/freebl/Makefile:
Bug 1659256, add gcc version check on AArch64 optimization, r=rrelyea
Summary: As described in https://access.redhat.com/solutions/19458, the gcc version in RHEL-7 is still 4.8.x and cannot compile the newly added aes-armv8.c. There is a version check already for 32-bit arm, but not for AArch64. This also removes the NS_USE_GCC check added in bug 1652032 in favor of the automatic detection using CC_IS_* macros.
Reviewers: rrelyea
Reviewed By: rrelyea
Subscribers: jmux, kjacobs
Bug #: 1659256
[b971c77c0d68]

2020-09-08 Michael Shigorin <mike@altlinux.org>

* coreconf/config.gypi:
Bug 1663346 - Build e2k architecture as 64-bit r=jcj
[e524a577761d]

2020-09-05 Daiki Ueno <dueno@redhat.com>

* lib/freebl/fipsfreebl.c:
Bug 1662738, run RNG self-tests only if NSPR is linked, r=rrelyea
Summary: After the continuous DRBG test was added, RNG self-tests have no longer worked standalone. This moves the self-tests to the DO_REST block so it only runs when the program is also linked to NSPR.
Reviewers: rrelyea
Reviewed By: rrelyea
Bug #: 1662738
[e03296e73ba6]

2020-09-02 Khem Raj <raj.khem@gmail.com>

* lib/libpkix/pkix/util/pkix_logger.c:
Bug 1661378 - pkix: Do not use NULL where 0 is needed
Clang finds this error:
pkix_logger.c:316:32: error: cast to smaller integer type 'PKIX_ERRORCLASS' from 'void *' [-Werror,-Wvoid-pointer-to-enum-cast]
    logger->logComponent = (PKIX_ERRORCLASS)NULL;
                           ^~~~~~~~~~~~~~~~~~~~~
pkix_logger.c:617:32: error: cast to smaller integer type 'PKIX_ERRORCLASS' from 'void *' [-Werror,-Wvoid-pointer-to-enum-cast]
    logger->logComponent = (PKIX_ERRORCLASS)NULL;
                           ^~~~~~~~~~~~~~~~~~~~~
2 errors generated.
Signed-off-by: Khem Raj <raj.khem@gmail.com>
[9213848965f6]

Differential Revision: https://phabricator.services.mozilla.com/D90130
f39bc2f76fe11615b9f3149b15193a613c9bf0a7: Bug 1660509 - land NSS c100e11991f6 UPGRADE_NSS_RELEASE, r=jcj
Kevin Jacobs <kjacobs@mozilla.com> - Mon, 31 Aug 2020 15:56:19 +0000 - rev 547021
Push 37743 by nbeleuzu@mozilla.com at Mon, 31 Aug 2020 21:52:15 +0000
Bug 1660509 - land NSS c100e11991f6 UPGRADE_NSS_RELEASE, r=jcj

2020-08-21 Kevin Jacobs <kjacobs@mozilla.com>

* automation/abi-check/previous-nss-release, lib/nss/nss.h, lib/softoken/softkver.h, lib/util/nssutil.h:
Set version numbers to 3.57 Beta
[783f49ae6126]

2020-08-24 Kevin Jacobs <kjacobs@mozilla.com>

* gtests/ssl_gtest/ssl_auth_unittest.cc, lib/ssl/dtls13con.c, lib/ssl/dtlscon.c, lib/ssl/ssl3con.c, lib/ssl/sslimpl.h, lib/ssl/sslnonce.c:
Bug 1653641 - Cleanup inaccurate DTLS comments, code review fixes. r=mt
[0e1b5c711cb9]

2020-08-24 Robert Relyea <rrelyea@redhat.com>

* lib/freebl/fipsfreebl.c, lib/softoken/fipstest.c, lib/softoken/kbkdf.c, lib/softoken/lowpbe.c, lib/softoken/lowpbe.h, lib/softoken/pkcs11c.c, lib/softoken/pkcs11i.h, lib/softoken/sftkhmac.c, lib/softoken/sftkike.c:
Bug 1660304 New FIPS IG requires self-tests for approved kdfs. r=ueno comments=kjacobs
FIPS guidance now requires self-tests for our kdfs. It also requires self-tests for cmac which we didn't have in the cmac patch. Currently only one test per kdf is necessary. Specifically for SP-800-108, only one of the three flavors is needed (counter, feedback, or pipeline). This patch includes more complete testing, but the currently extraneous tests have been turned off under the assumption that NIST guidance may require them in the future. HKDF is currently not included in FIPS, but is on track to be included, so hkdf has been included in this patch.
Because the test vectors are const strings, the patch pushes some const definitions that were missing in existing private interfaces.
There are three flavors of self-tests:
Functions implemented in freebl are added to freebl/fipsfreebl.c
Functions implemented in pkcs11c.c have selftests completely implemented in softoken/fipstest.c
Functions implemented in their own .c file have their selftest function implemented in that .c file and called by fipstests.c
These are consistent with the previous choices for selftests.
Some private interfaces that took in keys from pkcs #11 structures or outputted keys to pkcs #11 structures were modified to optionally take keys in by bytes and output keys as bytes so the self-tests can work in just bytes.
[5dca54fe61c2]

2020-08-25 Daiki Ueno <dueno@redhat.com>

* lib/softoken/manifest.mn:
Bug 1659252, disable building libnssdbm3.so if NSS_DISABLE_DBM=1, r=rrelyea
Reviewers: rrelyea
Reviewed By: rrelyea
Bug #: 1659252
[4d55d36ca6ef]

2020-08-24 Kevin Jacobs <kjacobs@mozilla.com>

* lib/pk11wrap/pk11cxt.c, lib/softoken/pkcs11c.c, lib/softoken/sdb.c, lib/softoken/sftkpwd.c:
Bug 1651834 - Fix various static analyzer warnings. r=rrelyea
[ab04fd73fd6d]

2020-08-28 Mike Hommey <mh@glandium.org>

* lib/freebl/blapii.h:
Bug 1661810 - Define pre_align/post_align based on the compiler. r=jcj
Things worked fine before we upgraded to clang 11 presumably because the stack was always 16-bytes aligned in the first place, or something akin to that, and the lack of pre_align/post_align doing anything didn't matter. The runtime misalignment of the stack may well be a clang > 9 bug, but keeping pre_align/post_align tied to the x86/x64 is a footgun anyways.
[c100e11991f6] [tip]

Differential Revision: https://phabricator.services.mozilla.com/D88876
fd24f7b1293577cbcd01260899aca21f900bfca0: Bug 1655105 - land NSS NSS_3_56_RTM UPGRADE_NSS_RELEASE, r=jcj
Kevin Jacobs <kjacobs@mozilla.com> - Fri, 21 Aug 2020 16:10:59 +0000 - rev 545667
Push 37719 by btara@mozilla.com at Sat, 22 Aug 2020 09:46:59 +0000
Bug 1655105 - land NSS NSS_3_56_RTM UPGRADE_NSS_RELEASE, r=jcj

2020-08-21 Kevin Jacobs <kjacobs@mozilla.com>

* lib/nss/nss.h, lib/softoken/softkver.h, lib/util/nssutil.h:
Set version numbers to 3.56 final
[809ff9ff0140] [NSS_3_56_RTM] <NSS_3_56_BRANCH>

2020-08-19 Kevin Jacobs <kjacobs@mozilla.com>

* .hgtags:
Added tag NSS_3_56_BETA1 for changeset 52c965eaffa1
[0d8ff40479d5]

Differential Revision: https://phabricator.services.mozilla.com/D87882
472c546742470cbf78cc794fddd7e5a65a609ace: Bug 1655105 - land NSS NSS_3_56_BETA1 UPGRADE_NSS_RELEASE, r=jcj
Kevin Jacobs <kjacobs@mozilla.com> - Wed, 19 Aug 2020 21:02:09 +0000 - rev 545391
Push 37713 by abutkovits@mozilla.com at Thu, 20 Aug 2020 09:32:09 +0000
Bug 1655105 - land NSS NSS_3_56_BETA1 UPGRADE_NSS_RELEASE, r=jcj

2020-08-19 Kevin Jacobs <kjacobs@mozilla.com>

* tests/libpkix/certs/PayPalEE.cert:
Bug 1659792 - Update libpkix tests with unexpired PayPal cert. r=jcj
The in-tree `PayPalEE.cert` expired today. This patch replaces it with a current copy that expires on 12 Jan 2022.
CI breakage before patch: https://treeherder.mozilla.org/#/jobs?repo=nss&revision=2890f342de631bf6774ac747515a8b5736e20d3f
CI with the fix applied: https://treeherder.mozilla.org/#/jobs?repo=nss-try&revision=bd28f21d8acbcb15502bd4fc606fc9c0ed09c810
[52c965eaffa1] [NSS_3_56_BETA1]

2020-08-18 Kevin Jacobs <kjacobs@mozilla.com>

* tests/interop/interop.sh:
Bug 1659814 - Pull updated tls-interop for dependency fix. r=jcj
[70376af425ae]

* automation/release/nspr-version.txt:
Bug 1656519 - NSS 3.56 should depend on NSPR 4.28. r=kaie
[2890f342de63]

Differential Revision: https://phabricator.services.mozilla.com/D87648
3827ca95ecbede8320cdfddebf403387d3012774: Bug 1649472 - Add telemetry for PHA in TLS 1.3 r=jcj,keeler
Moritz Birghan <mbirghan@mozilla.com> - Tue, 11 Aug 2020 11:56:07 +0000 - rev 544267
Push 37691 by malexandru@mozilla.com at Tue, 11 Aug 2020 21:47:38 +0000
Bug 1649472 - Add telemetry for PHA in TLS 1.3 r=jcj,keeler Differential Revision: https://phabricator.services.mozilla.com/D81715
4462bac0fc59f25feab3764f9e2b9226dc2d22d2: Bug 1655105 - land NSS c06f22733446 UPGRADE_NSS_RELEASE, r=jcj
Kevin Jacobs <kjacobs@mozilla.com> - Mon, 10 Aug 2020 17:59:40 +0000 - rev 544133
Push 37688 by apavel@mozilla.com at Tue, 11 Aug 2020 03:16:35 +0000
Bug 1655105 - land NSS c06f22733446 UPGRADE_NSS_RELEASE, r=jcj

2020-08-07 Kevin Jacobs <kjacobs@mozilla.com>

* lib/pki/tdcache.c:
Bug 1625791 - Call STAN_GetCERTCertificate to load CERTCertificate trust before caching. r=jcj,keeler
When caching certificates, `td->cache->lock` must not be held when taking `slot->isPresentLock`. `add_cert_to_cache` holds the former when calling the sort function in `add_subject_entry`, which will [[ https://searchfox.org/mozilla-central/rev/a3b25e347e2c22207c4b369b99246e4aebf861a7/security/nss/lib/pki/certificate.c#266 | call ]] `STAN_GetCERTCertificate` -> `fill_CERTCertificateFields` when `cc->nssCertificate` [[ https://searchfox.org/mozilla-central/rev/a3b25e347e2c22207c4b369b99246e4aebf861a7/security/nss/lib/pki/pki3hack.c#923 | is NULL ]]. There are two problems with this:
1. `fill_CERTCertificateFields` may end up locking `slot->isPresentLock` (bad ordering, bug 1651564)
2. The above may happen followed by another attempt to lock `td->cache->lock` (deadlock, this bug).
By calling `STAN_GetCERTCertificate` prior to the first lock of `td->cache->lock`, we can prevent the problematic call to `fill_CERTCertificateFields` later on, because `cc->nssCertificate` will already be filled.
[c06f22733446] [tip]

* gtests/ssl_gtest/ssl_auth_unittest.cc, lib/ssl/ssl3con.c:
Bug 1588941 - Send empty client cert msg when signature scheme selection fails. r=mt
`ssl3_CompleteHandleCertificateRequest` does essentially two things: 1) Calls the `getClientAuthData` hook for certificate selection, and 2) calls `ssl_PickClientSignatureScheme` to select an appropriate signature scheme when a cert is selected. If the first function returns SECFailure, we default to sending an empty certificate message. If the latter fails, however, this bubbles up as a [[ https://searchfox.org/mozilla-central/rev/56bb74ea8e04bdac57c33cbe9b54d889b9262ade/security/nss/lib/ssl/tls13con.c#2670 | fatal error ]] (and an assertion failure) on the connection.
Importantly, the signature scheme selection can fail for reasons that should not be considered fatal - notably when an RSA-PSS cert is selected, but the token on which the key resides does not actually support PSS. This patch treats the failure to find a usable signature scheme as a "no certificate" response, rather than killing the connection entirely.
[41ecb7fe5546]

* lib/freebl/Makefile, lib/freebl/freebl_base.gypi, lib/freebl/mpi/mpi_amd64_common.S, lib/freebl/mpi/mpi_amd64_gas.s:
Bug 1656981 - Use 64x64->128 multiply and MP_COMBA on x86_64 Mac. r=mt
This patch makes two MPI changes for MacOS:
1. Rename `mpi_amd64_gas.s` to `mpi_amd64_common.S` and add defines for macho64, allowing Intel Macs to take advantage of the 64x64->128 multiply code.
2. Define and use `NSS_USE_COMBA` on Intel Macs.
Performance results with `rsaperf -n none -p 10 -e -x 65537` (default 2048-bit key):
Before: `12629.12 operations/s. one operation every 79 microseconds`
With 64x64->128 assembly: `29431.65 operations/s. one operation every 33 microseconds`
With MP_COMBA and 64x64->128 assembly: `30332.99 operations/s. one operation every 32 microseconds`
[330bdab498a3]

* lib/ssl/sslimpl.h:
Bug 1656429 - Clang-format fixup, r=bustage
[07083076fc92]

2020-08-05 Martin Thomson <mt@lowentropy.net>

* gtests/ssl_gtest/ssl_0rtt_unittest.cc, gtests/ssl_gtest/tls_connect.cc, lib/ssl/ssl3exthandle.c, lib/ssl/sslimpl.h, lib/ssl/tls13con.c, lib/ssl/tls13replay.c:
Bug 1656429 - Correct RTT estimate used in anti-replay, r=kjacobs
This was never a security problem, but the more time that passes between the handshake and sending a ticket, the more likely we are to reject 0-RTT. Eventually, 0-RTT only works if it is delayed in the network by a surprising amount.
[b4a1c57eb569]

Differential Revision: https://phabricator.services.mozilla.com/D86454
a76193deda13f8d6dd148a4f65270268b035633e: Bug 1655105 - land NSS afa38fb2f0b5 UPGRADE_NSS_RELEASE, r=jcj
Kevin Jacobs <kjacobs@mozilla.com> - Tue, 04 Aug 2020 19:54:56 +0000 - rev 543257
Push 37668 by btara@mozilla.com at Wed, 05 Aug 2020 03:14:17 +0000
Bug 1655105 - land NSS afa38fb2f0b5 UPGRADE_NSS_RELEASE, r=jcj 2020-07-27 Jan-Marek Glogowski <glogow@fbihome.de> * lib/freebl/Makefile: Bug 1652032 Disable all freebl assembler code for MSVC arm64 r=rrelyea,bbeurdouche There are two places, where NSS tries to compile either x86_64 MSVC assembler or GCC aarch64 code, which will fail the build. And also drop the non-MSVC arch build flags for them. AFAI could identify, there isn't any armasm64 compatible asm code in the whole NSS library, so I don't even adapt AS for the build. The cross-build finishes this way. [d98bbb6168f4] 2020-07-24 Benjamin Beurdouche <bbeurdouche@mozilla.com> * cmd/bltest/blapitest.c, coreconf/config.gypi, coreconf/config.mk, lib/freebl/alg2268.c, lib/freebl/deprecated/alg2268.c, lib/freebl/freebl_base.gypi, lib/freebl/ldvector.c, lib/freebl/loader.c, lib/freebl/loader.h, lib/freebl/manifest.mn, lib/softoken/lowpbe.c, lib/softoken/pkcs11c.c: Bug 1652729 - Add build flag to disable RC2 and relocate to lib/freebl/deprecated. r=kjacobs [e6c6f1d2d544] 2020-07-27 Robert Relyea <rrelyea@redhat.com> * gtests/softoken_gtest/manifest.mn, gtests/softoken_gtest/softoken_dh_vectors.h, gtests/softoken_gtest/softoken_gtest.cc, gtests/softoken_gtest/softoken_gtest.gyp, lib/freebl/blapi.h, lib/freebl/dh.c, lib/freebl/ldvector.c, lib/freebl/loader.c, lib/freebl/loader.h, lib/softoken/manifest.mn, lib/softoken/pkcs11.c, lib/softoken/pkcs11c.c, lib/softoken/pkcs11i.h, lib/softoken/pkcs11u.c, lib/softoken/sftkdhverify.c, lib/softoken/softoken.gyp: Bug 1648822 Add stricter validation of DH keys when in FIPS mode. Update: FIPS now also requires us to do y^q mod p testing on key generation (always). We now do that in FIPS mode only, but in all modes we do full DH verification for DH and ECDH. Because of this, the path has now separated out the prime checks, which are now only done for the DH operation if we aren't using a known prime and the subprime value has been provided. 
I've also learned we can accept keys that we do full validation on in FIPS mode, so I've added that to this patch, though we still can't generate those kinds of keys without adding the subprime at keygen time. The new FIPS standard is that dh operations must use approved primes. Approved primes are those selected in the tls and ike RFCs. Currently tls and ike have modes with checks whether the primes are approved, but the check may not always happen. The safest thing to do in FIPS mode is only allow those primes. In addition, FIPS requires 1 < y < p-1 (or technically 2 <= y <= p-2; since y is an integer those two tests are identical). While making changes I realized we would want a mode where we can do more strict checks on the prime while not requiring that the prime be an approved prime. We already allow for strict checking if q is supplied with the private key, but there were a couple of issues with that check: 1. There was no way of actually setting q in the current NSS pk11wrap interfaces. 2. If the prime was a safe prime, but g was an actual generator, then we would fail the y^q mod p = 1 tests for 50% of the keys, even though those keys are safe. 3. We weren't checking primality of p and q. So the old code: if (q) { check y^q mod p = 1; if not, fail } check 1 < y < p-1 (done in DH_Derive). New code: if (! p is approved prime) { if (FIPS) fail; if (q) { y_test = y; if (p,q -> p is a safe prime) { y_test = 1 } check prime is prime, fail if not; check subprime is subprime, fail if not; y_test^q mod p = 1 } } check 1 < y < p-1 (done in DH_Derive). This means: Existing non-fips code without setting the subprime continues to run as before. Non-fips code which sets the subprime now runs slower, but p and q are checked; if p or q were not prime, the derive fails (which it should). In FIPS mode only approved primes will succeed now. Non-fips code can now set the subprime to q=(p-1)/2 if it doesn't have an explicit q value (like in tls). If the derive succeeds, we know that p is a safe prime. If p is approved, the checks are skipped because we already know that p is a safe prime. Code can optionally do a test derive on a new p and remember it's safe so that we no longer need to check every call (though if q is not (p-1)/2, you will need to continue to do the checks each call because y could still be in a small subgroup). This patch: gtests/softoken_gtest 1. Added new dh tests to softoken_gtests. The tests were added to softoken_gtests because we need to test both non-FIPS and FIPS mode. Test vectors include a category, so the same test vectors can be used in FIPS and non-FIPS even though each class may have different results. Most of the test vectors were created by either the dhparams command in openssl, dsaparams in openssl, or the nss makepqg command. Each vector includes a label, prime, base, optional subprime, optional public key, test type, and key class (basically size). 2. If public key is not supplied, we use a generated public key. 3. If subPrime is supplied, we set it on the private key after generation. lib/freebl/dh.c add primality tests to KEA_VerifyKey(). lib/softoken/ 1. Allow CKA_SUBPRIME to be set after key generation or import. This affects how we test for its existence; since it is now always there on the key, we check its length to make sure it's non-zero. 2. We implement the pseudocode above as real code. 3. We create two new functions: sftl_VerifyDH_Prime which returns SECSuccess if Prime is an approved prime. sftk_IsSafePrime which returns SECSuccess if both prime and subprime look reasonable, and sets a Bool to PR_TRUE if subprime -> prime is safe (subprime = (prime-1)/2). These functions are implemented in sftkdhverify.c 4. Clean up incorrect nomenclature on primes (safe primes are not strong primes). [0be91fa2217a] * gtests/softoken_gtest/softoken_dh_vectors.h, gtests/softoken_gtest/softoken_gtest.cc: Fix more of the timeout issues on tests. (Drop expensive 4098 dh tests).
[4014c075a31b] 2020-07-29 Makoto Kato <m_kato@ga2.so-net.ne.jp> * coreconf/config.gypi, lib/freebl/Makefile, lib/freebl/blinit.c, lib/freebl/freebl.gyp, lib/freebl/sha1-armv8.c, lib/freebl/sha_fast.c, lib/freebl/sha_fast.h: Bug 1650702 - Use ARM's crypt extension for SHA1. r=kjacobs ARM Crypto extension has SHA1 acceleration. Using this, SHA1 is 3 times faster on ARMv8 CPU. The following data is AWS's a1 instance (Cortex-A72). Before ====== ``` # mode in opreps cxreps context op time(sec) thrgput sha1_e 954Mb 31M 0 0.000 10000.000 10.000 95Mb ``` After ===== ``` # mode in opreps cxreps context op time(sec) thrgput sha1_e 2Gb 94M 0 0.000 10000.000 10.000 288Mb ``` [68b6eb737689] 2020-07-29 Jan-Marek Glogowski <glogow@fbihome.de> * manifest.mn: Bug 1653975 - Set "all" as the default Makefile target r=jcj,rrelyea Just reorder the rules in manifest.mn, so all is again the first rule. This restores pre-3.53 Makefile defaults. [eb52747b7000] 2020-07-31 Makoto Kato <m_kato@ga2.so-net.ne.jp> * lib/freebl/blapii.h, lib/freebl/blinit.c, nss-tool/hw-support.c: Bug 1654142 - Add CPU feature detection for Intel SHA extension. r=kjacobs [e6b77a9c417a] 2020-08-03 Nathan Froyd <froydnj@mozilla.com> * coreconf/detect_host_arch.py: Bug 1656986 - special-case arm64 in detect_host_arch.py; r=jcj This case comes up when attempting to build NSS on ARM64 Mac. If we don't do this, we wind up detecting arm64 as "arm", with predictably bad consequences. [afa38fb2f0b5] [tip] Differential Revision: https://phabricator.services.mozilla.com/D85888
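The old-code/new-code pseudocode in the Bug 1648822 entry above, worked through as an added Python model (not NSS code): `old_check` and `new_check` follow the two versions, `survey` counts which candidate public values each accepts, and the caller-supplied `approved` set stands in for the TLS/IKE approved-prime list; `is_probable_prime` is a stock Miller-Rabin test, and the small primes 23 and 31 are constructed for illustration.

```python
"""Toy model of the DH public-value checks described in the Bug 1648822 entry.
Added example with small constructed primes; this is not NSS code."""
from __future__ import annotations

_MR_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_probable_prime(n: int) -> bool:
    """Miller-Rabin with fixed bases (deterministic for n < 3.3e24)."""
    if n < 2:
        return False
    for b in _MR_BASES:
        if n == b:
            return True
        if n % b == 0:
            return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in _MR_BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def old_check(p: int, y: int, q: int | None = None) -> tuple[bool, str]:
    """The "old code": y^q mod p == 1 whenever q is known, then the range test."""
    if q is not None and pow(y, q, p) != 1:
        return False, "y^q mod p != 1"
    if not 1 < y < p - 1:
        return False, "y out of range"
    return True, "ok"


def new_check(p: int, y: int, q: int | None = None, fips: bool = False,
              approved: frozenset[int] = frozenset()) -> tuple[bool, str]:
    """The "new code". `approved` stands in for the TLS/IKE approved-prime list
    (assumption: the caller supplies it; it is empty by default here)."""
    if p not in approved:
        if fips:
            return False, "FIPS mode: p is not an approved prime"
        if q is not None:
            # For a safe prime p = 2q+1 the only small subgroup is {1, p-1},
            # which the range test below already excludes, so the y^q test is
            # skipped (y_test = 1). Otherwise a generator g of the whole group
            # would fail that test for half of all keys (issue 2 in the entry).
            safe = (p - 1) == 2 * q
            y_test = 1 if safe else y
            if not is_probable_prime(p):
                return False, "p is not prime"
            # "subprime is subprime": prime and dividing p-1 (the divisibility
            # test is this example's reading of "look reasonable")
            if (p - 1) % q != 0 or not is_probable_prime(q):
                return False, "q is not a prime divisor of p-1"
            if pow(y_test, q, p) != 1:
                return False, "y is not in the subgroup of order q"
    if not 1 < y < p - 1:
        return False, "y out of range"
    return True, "ok"


def survey(p: int, q: int) -> tuple[int, int, int]:
    """Count how many of the candidate public values 2..p-2 each check accepts."""
    ys = range(2, p - 1)
    old_ok = sum(old_check(p, y, q)[0] for y in ys)
    new_ok = sum(new_check(p, y, q)[0] for y in ys)
    return old_ok, new_ok, len(ys)


if __name__ == "__main__":
    # p = 23 is a safe prime (q = 11): the old check rejects half of the
    # legitimate public values, the new one accepts all of them.
    print("p=23, q=11 (old ok, new ok, total):", survey(23, 11))
    # p = 31 is not safe (q = 5 divides 30): the subgroup test still applies.
    print("p=31, q=5  (old ok, new ok, total):", survey(31, 5))
    print("FIPS, unapproved p:", new_check(23, 5, 11, fips=True))
    print("FIPS, approved p:  ", new_check(23, 5, 11, fips=True, approved=frozenset({23})))
    print("non-FIPS, no q, composite p (legacy path):", new_check(33, 5))
```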
3d57a18caafb08e17ae093d2c2f94faeacc23230: Bug 1654699. Update core-foundation/core-graphics. r=kvark,keeler,jcj,chunmin
Jeff Muizelaar <jmuizelaar@mozilla.com> - Fri, 24 Jul 2020 22:35:25 +0000 - rev 542113
Push 37636 by nbeleuzu@mozilla.com at Sat, 25 Jul 2020 09:40:10 +0000
Bug 1654699. Update core-foundation/core-graphics. r=kvark,keeler,jcj,chunmin This includes updates to authenticator, cubeb-coreaudio, metal, gfx-backend-vulkan, gfx-backend-metal, freetype libloading is duplicated because of ash Differential Revision: https://phabricator.services.mozilla.com/D84688
9702b4a4f53cebd57091f33837c596706e71f069: Bug 1654699. Update core-foundation/core-graphics. r=kvark,keeler,jcj,chunmin
Jeff Muizelaar <jmuizelaar@mozilla.com> - Fri, 24 Jul 2020 15:59:54 +0000 - rev 542054
Push 37636 by nbeleuzu@mozilla.com at Sat, 25 Jul 2020 09:40:10 +0000
Bug 1654699. Update core-foundation/core-graphics. r=kvark,keeler,jcj,chunmin This includes updates to authenticator, cubeb-coreaudio, metal, gfx-backend-vulkan, gfx-backend-metal, freetype libloading is duplicated because of ash Differential Revision: https://phabricator.services.mozilla.com/D84688
ceba0316cf3c3fce540ff8e6217969a3291ea821: Bug 1652330 - NSPR_4_27_RTM. r=jcj UPGRADE_NSPR_RELEASE
Kai Engert <kaie@kuix.de> - Thu, 23 Jul 2020 23:14:24 +0000 - rev 541843
Push 37633 by ccoroiu@mozilla.com at Fri, 24 Jul 2020 09:32:06 +0000
Bug 1652330 - NSPR_4_27_RTM. r=jcj UPGRADE_NSPR_RELEASE Differential Revision: https://phabricator.services.mozilla.com/D84695
d376ee46c0f1a6e3ca6e9f20bd9cccb7641f5952: Bug 1649545 - land NSS NSS_3_55_BETA1 UPGRADE_NSS_RELEASE, r=jcj
Kevin Jacobs <kjacobs@mozilla.com> - Tue, 21 Jul 2020 23:37:38 +0000 - rev 541531
Push 37625 by csabou@mozilla.com at Wed, 22 Jul 2020 04:32:41 +0000
Bug 1649545 - land NSS NSS_3_55_BETA1 UPGRADE_NSS_RELEASE, r=jcj 2020-07-21 Benjamin Beurdouche <bbeurdouche@mozilla.com> * cmd/bltest/blapitest.c: Bug 1653202 - Fix issue disabling other mechanisms when SEED is deprecated in cmd/bltest/blapitest.c. r=kjacobs [0768baa431e7] [NSS_3_55_BETA1] 2020-07-21 Kevin Jacobs <kjacobs@mozilla.com> * automation/release/nspr-version.txt: Bug 1652331 - NSS 3.55 should depend on NSPR 4.27. r=kaie [3deefc218cd9] 2020-07-20 Billy Brumley <bbrumley@gmail.com> * lib/freebl/ec.c: Bug 1631573: Remove unnecessary scalar padding in ec.c r=kjacobs,bbeurdouche Subsequent calls to ECPoints_mul and ECPoint_mul remove this padding. Timing attack countermeasures are now applied more generally deeper in the call stack. [aeb2e583ee95] 2020-07-20 Kai Engert <kaie@kuix.de> * lib/nss/nssinit.c: Bug 1653310 - On macOS check if nssckbi exists prior to loading it. r=kjacobs [ca207655b4b7] Differential Revision: https://phabricator.services.mozilla.com/D84420
baf73b70e5c0aaf957e0d72f2e5442c27cf1657e: Bug 1649545 - land NSS 615362dff5ad UPGRADE_NSS_RELEASE, r=jcj
Kevin Jacobs <kjacobs@mozilla.com> - Mon, 20 Jul 2020 17:19:03 +0000 - rev 541296
Push 37619 by apavel@mozilla.com at Mon, 20 Jul 2020 21:42:26 +0000
Bug 1649545 - land NSS 615362dff5ad UPGRADE_NSS_RELEASE, r=jcj 2020-07-18 Benjamin Beurdouche <bbeurdouche@mozilla.com> * gtests/pk11_gtest/pk11_cipherop_unittest.cc, lib/softoken/pkcs11c.c: Bug 1636771 - Disable PKCS11 incremental mode for ChaCha20. r=kjacobs,rrelyea Depends on D74801 [615362dff5ad] [tip] * gtests/pk11_gtest/pk11_chacha20poly1305_unittest.cc, lib/freebl/chacha20poly1305.c: Bug 1636771 - Fix incorrect call to Chacha20Poly1305 by PKCS11. r=jcj,kjacobs,rrelyea [a5e82e40f03e] 2020-07-16 Benjamin Beurdouche <bbeurdouche@mozilla.com> * lib/softoken/pkcs11c.c: Bug 1637222 - Enforce IV length check for DES. r=kjacobs,jcj [0c70232cb6d3] Differential Revision: https://phabricator.services.mozilla.com/D84043
bfbde1e7984a2c899776f6908eb0a849b3dc3b4d: Bug 1649545 - land NSS ca068f5b5c17 UPGRADE_NSS_RELEASE, r=jcj
Kevin Jacobs <kjacobs@mozilla.com> - Thu, 16 Jul 2020 22:37:42 +0000 - rev 540858
Push 37610 by malexandru@mozilla.com at Fri, 17 Jul 2020 09:39:07 +0000
Bug 1649545 - land NSS ca068f5b5c17 UPGRADE_NSS_RELEASE, r=jcj 2020-07-16 Billy Brumley <bbrumley@gmail.com> * lib/freebl/ecl/ecl-priv.h, lib/freebl/ecl/ecl.c, lib/freebl/ecl/ecp_secp521r1.c, lib/freebl/freebl_base.gypi, lib/freebl/manifest.mn: Bug 1631583 - ECC: constant time P-521 r=kjacobs,rrelyea,bbeurdouche This portable code contributed by the Network and Information Security Group (NISEC) at Tampere University comes from: [ECCKiila](https://gitlab.com/nisec/ecckiila) that uses [Fiat](https://github.com/mit-plv/fiat-crypto) for the underlying field arithmetic. Co-authored-by: Luis Rivera-Zamarripa <luis.riverazamarripa@tuni.fi> Co-authored-by: Jesús-Javier Chi-Domínguez <jesus.chidominguez@tuni.fi> [ca068f5b5c17] [tip] * lib/freebl/ecl/ecl-priv.h, lib/freebl/ecl/ecl.c, lib/freebl/ecl/ecp_secp384r1.c, lib/freebl/freebl_base.gypi, lib/freebl/manifest.mn, tests/ec/ectest.sh: Bug 1631583 - ECC: constant time P-384 r=bbeurdouche,rrelyea This portable code contributed by the Network and Information Security Group (NISEC) at Tampere University comes from: [ECCKiila](https://gitlab.com/nisec/ecckiila) that uses [Fiat](https://github.com/mit-plv/fiat-crypto) for the underlying field arithmetic. Co-authored-by: Luis Rivera-Zamarripa <luis.riverazamarripa@tuni.fi> Co-authored-by: Jesús-Javier Chi-Domínguez <jesus.chidominguez@tuni.fi> [d19a3cd451bb] 2020-07-13 Robert Relyea <rrelyea@redhat.com> * lib/pk11wrap/pk11pub.h: Bug 1643528 Cannot compile code with nss headers and -Werror=strict-prototypes r=kjacobs [01ffd8fef7fa] 2020-07-10 Daiki Ueno <dueno@redhat.com> * gtests/ssl_gtest/ssl_auth_unittest.cc, lib/ssl/ssl3con.c, lib/ssl/ssl3exthandle.c, lib/ssl/sslimpl.h, lib/ssl/tls13exthandle.c: Bug 1646324, advertise rsa_pkcs1_* schemes in CH and CR for certs, r=mt Summary: In TLS 1.3, unless "signature_algorithms_cert" is advertised, the "signature_algorithms" extension is used as an indication of supported algorithms for signatures on certificates.
While rsa_pkcs1_* signature schemes cannot be used for signing handshake messages, they should be advertised if the peer wants to support certificates signed with RSA PKCS#1. This adds a flag to ssl3_EncodeSigAlgs() and ssl3_FilterSigAlgs() to preserve rsa_pkcs1_* schemes in the output. Reviewers: mt Reviewed By: mt Bug #: 1646324 [df1d2695e115] 2020-07-09 Benjamin Beurdouche <bbeurdouche@mozilla.com> * gtests/pk11_gtest/pk11_pbkdf2_unittest.cc, lib/pk11wrap/pk11pbe.c: Bug 1649648 - Fix null pointers passed as argument in pk11wrap/pk11pbe.c:886 r=kjacobs [de661583d467] Differential Revision: https://phabricator.services.mozilla.com/D83824
06be9b59deb034f3ec6ab93c55e3ba4039f690cd: Bug 1649545 - land NSS 58c2abd7404e UPGRADE_NSS_RELEASE, r=jcj
Kevin Jacobs <kjacobs@mozilla.com> - Thu, 09 Jul 2020 23:05:48 +0000 - rev 539716
Push 37585 by nbeleuzu@mozilla.com at Fri, 10 Jul 2020 09:48:19 +0000
Bug 1649545 - land NSS 58c2abd7404e UPGRADE_NSS_RELEASE, r=jcj 2020-06-26 Kevin Jacobs <kjacobs@mozilla.com> * automation/abi-check/expected-report-libssl3.so.txt, automation/abi-check/previous-nss-release, lib/nss/nss.h, lib/softoken/softkver.h, lib/util/nssutil.h: Set version numbers to 3.55 beta [332ab7db68ba] 2020-06-25 Kevin Jacobs <kjacobs@mozilla.com> * tests/all.sh: Bug 1649190 - Run cipher, sdr, and ocsp tests under standard test cycle. [f373809abfc0] 2020-06-15 Kevin Jacobs <kjacobs@mozilla.com> * gtests/common/testvectors/p256ecdsa-sha256-vectors.h, gtests/common/testvectors/p384ecdsa-sha384-vectors.h, gtests/common/testvectors/p521ecdsa-sha512-vectors.h, gtests/common/testvectors_base/test-structs.h, gtests/common/wycheproof/genTestVectors.py, gtests/pk11_gtest/pk11_ecdsa_unittest.cc: Bug 1649226 - Add Wycheproof ECDSA tests. [41292ff7f545] 2020-06-30 Benjamin Beurdouche <bbeurdouche@mozilla.com> * lib/pkcs12/p12d.c: Bug 1649322 - Fix null pointer passed as argument in pk11wrap/pk11pbe.c:1246 r=kjacobs [cc43ebf5bf88] 2020-06-30 Danh <congdanhqx@gmail.com> * coreconf/arch.mk, coreconf/config.mk, lib/freebl/Makefile: Bug 1646594 - Enable AVX2 if applicable on x86_64 with make 4.3 r=bbeurdouche [b579895aceb0] 2020-07-02 Benjamin Beurdouche <bbeurdouche@mozilla.com> * lib/ssl/ssl3con.c: Bug 1649316 - Prevent memcmp to be called with a zero length in ssl/ssl3con.c:6621 r=kjacobs [8fe9213d0551] 2020-07-02 Alexander Scheel <ascheel@redhat.com> * lib/cryptohi/secvfy.c: Bug 1649487 - Fix bad assert in VFY_EndWithSignature. r=jcj [c9438b528103] 2020-07-06 Dana Keeler <dkeeler@mozilla.com> * automation/abi-check/expected-report-libnss3.so.txt, gtests/pk11_gtest/pk11_find_certs_unittest.cc, lib/nss/nss.def, lib/pk11wrap/pk11cert.c, lib/pk11wrap/pk11pub.h: Bug 1649633 - add PK11_FindEncodedCertInSlot r=kjacobs,jcj PK11_FindEncodedCertInSlot can be used to determine the PKCS#11 object handle of an encoded certificate in a given slot.
If the given certificate does not exist in that slot, CK_INVALID_HANDLE is returned. [32fe710a942f] * gtests/pk11_gtest/pk11_find_certs_unittest.cc: Bug 1649633 - follow-up to make test comparisons in pk11_find_certs_unittest.cc yoda comparisons r=kjacobs [424dae31a1c1] 2020-07-07 Kevin Jacobs <kjacobs@mozilla.com> * gtests/pk11_gtest/pk11_rsapkcs1_unittest.cc, lib/freebl/rsapkcs.c: Bug 1067214 - Check minimum padding in RSA_CheckSignRecover. r=rrelyea This patch adds a check to `RSA_CheckSignRecover` enforcing a minimum padding length of 8 bytes for PKCS #1 v1.5-formatted signatures. In practice, RSA key size requirements already ensure this requirement is met, but smaller (read: broken) key sizes can be used via configuration overrides, and NSS should just follow the spec. [e5324bd5a885] 2020-07-08 Kevin Jacobs <kjacobs@mozilla.com> * gtests/ssl_gtest/libssl_internals.c, gtests/ssl_gtest/libssl_internals.h, gtests/ssl_gtest/ssl_record_unittest.cc, gtests/ssl_gtest/tls_agent.cc, gtests/ssl_gtest/tls_agent.h, lib/ssl/dtls13con.c, lib/ssl/dtls13con.h, lib/ssl/ssl3con.c, lib/ssl/ssl3prot.h, lib/ssl/sslspec.h, lib/ssl/sslt.h, lib/ssl/tls13con.c, lib/ssl/tls13exthandle.c: Bug 1647752 - Update DTLS 1.3 implementation to draft-38. r=mt This patch updates DTLS 1.3 to draft-38. Specifically: # `ssl_ct_ack` value changes from 25 to 26. # AEAD limits in `tls13_UnprotectRecord` enforce a maximum of 2^36-1 (as we only support GCM/ChaCha20 AEADs) decryption failures before the connection is closed. # Post-handshake authentication will no longer be negotiated in DTLS 1.3. This allows us to side-step the more convoluted state machine requirements. 
[132a87fc8689] 2020-07-09 Benjamin Beurdouche <bbeurdouche@mozilla.com> * lib/pk11wrap/pk11pbe.c, lib/pkcs12/p12d.c: Bug 1649322 - Fix null pointer passed as argument in pk11wrap/pk11pbe.c:1246 r=kjacobs This is a fixup patch that reverts https://hg.mozilla.org/projects/nss/rev/cc43ebf5bf88355837c5fafa2f3c46e37626707a and adds a null check around the memcpy in question. [80bea0e22b20] 2020-07-09 J.C. Jones <jjones@mozilla.com> * lib/softoken/pkcs11.c: Bug 1651520 - slotLock race in NSC_GetTokenInfo r=kjacobs Basically, NSC_GetTokenInfo doesn't lock slot->slotLock before accessing slot after obtaining it, even though slotLock is defined as its lock. [0] [0] https://searchfox.org/nss/rev/a412e70e55218aaf670f1f10322fa734d8a9fbde/lib/softoken/pkcs11i.h#320-321 [58c2abd7404e] [tip] Differential Revision: https://phabricator.services.mozilla.com/D82466
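The minimum-padding check from the Bug 1067214 entry above, as an added Python example (not NSS's RSA_CheckSignRecover): `strip_type1_padding` parses EM = 0x00 || 0x01 || PS || 0x00 || T and rejects fewer than 8 octets of 0xFF, while `min_pad=0` models the structure-only check the entry says existed before; the SHA-256 DigestInfo prefix is the standard RFC 8017 value, and the message and modulus sizes are constructed.

```python
"""Added example of the PKCS #1 v1.5 type-1 block check from the Bug 1067214
entry (minimum 8 octets of padding). Not NSS's RSA_CheckSignRecover."""
import hashlib

# DigestInfo prefix for SHA-256 (RFC 8017, section 9.2, note 1)
SHA256_DIGESTINFO_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")
MIN_PAD_LEN = 8  # PS must be at least eight 0xFF octets (RFC 8017 9.2, step 3)


def digest_info(message: bytes) -> bytes:
    """T = DigestInfo(SHA-256, Hash(message)), 51 octets."""
    return SHA256_DIGESTINFO_PREFIX + hashlib.sha256(message).digest()


def build_type1_em(t: bytes, k: int) -> bytes:
    """EM = 0x00 || 0x01 || PS || 0x00 || T for a k-octet modulus."""
    ps_len = k - len(t) - 3
    if ps_len < 0:
        raise ValueError("modulus too small for T")
    return b"\x00\x01" + b"\xff" * ps_len + b"\x00" + t


def strip_type1_padding(em: bytes, min_pad: int = MIN_PAD_LEN) -> bytes:
    """Recover T from EM. min_pad=0 reproduces the structure-only check the
    entry says existed before the fix; the default enforces the minimum."""
    if len(em) < 3 or em[0] != 0x00 or em[1] != 0x01:
        raise ValueError("bad block type")
    i = 2
    while i < len(em) and em[i] == 0xFF:
        i += 1
    if i == len(em) or em[i] != 0x00:
        raise ValueError("padding string not terminated by 0x00")
    if i - 2 < min_pad:
        raise ValueError(f"padding too short: {i - 2} < {min_pad} octets")
    return em[i + 1:]


def is_valid_type1_em(em: bytes, min_pad: int = MIN_PAD_LEN) -> bool:
    try:
        strip_type1_padding(em, min_pad)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    t = digest_info(b"constructed message")
    # 256 octets is a 2048-bit modulus; 62 and 58 are deliberately tiny
    # (only reachable through configuration overrides, as the entry notes).
    for k in (256, 62, 58):
        em = build_type1_em(t, k)
        print(f"k={k}: pre-fix ok={is_valid_type1_em(em, 0)} "
              f"post-fix ok={is_valid_type1_em(em)}")
```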
66478ccf2daa652836845896665357d0a1ff9421: Bug 1651155 - disable intermediate preloading healer in late beta and release r=jcj
Dana Keeler <dkeeler@mozilla.com> - Wed, 08 Jul 2020 22:41:06 +0000 - rev 539444
Push 37580 by malexandru@mozilla.com at Thu, 09 Jul 2020 04:03:58 +0000
Bug 1651155 - disable intermediate preloading healer in late beta and release r=jcj While we figure out the crashes we're seeing on beta (bug 1650654), this will disable the intermediate preloading healer in late beta and release. Differential Revision: https://phabricator.services.mozilla.com/D82588
3d849329fb68cf026e082f1456005b687b023bba: Bug 1563279 - Add Fiat-Crypto license. r=jcj,mhoye
Kevin Jacobs <kjacobs@mozilla.com> - Wed, 08 Jul 2020 17:50:57 +0000 - rev 539406
Push 37580 by malexandru@mozilla.com at Thu, 09 Jul 2020 04:03:58 +0000
Bug 1563279 - Add Fiat-Crypto license. r=jcj,mhoye Differential Revision: https://phabricator.services.mozilla.com/D80700
41309c812f8fc93bf338d94ed97fb60b1106388d: Bug 1270634 - check usages when generating WebCrypto keys r=keeler,jcj
R. Martinho Fernandes <bugs@rmf.io> - Wed, 08 Jul 2020 16:32:19 +0000 - rev 539388
Push 37579 by dluca@mozilla.com at Wed, 08 Jul 2020 21:49:35 +0000
Bug 1270634 - check usages when generating WebCrypto keys r=keeler,jcj Differential Revision: https://phabricator.services.mozilla.com/D81146
1f8f22ec679292dafdfc7ffd996015b2b298a761: Bug 1649518 - 3/3: enable osclientcerts by default in nightly r=jcj,johannh
Dana Keeler <dkeeler@mozilla.com> - Mon, 06 Jul 2020 19:29:17 +0000 - rev 538949
Push 37576 by ncsoregi@mozilla.com at Tue, 07 Jul 2020 09:47:47 +0000
Bug 1649518 - 3/3: enable osclientcerts by default in nightly r=jcj,johannh Differential Revision: https://phabricator.services.mozilla.com/D81890
888968797a46fe61a6b543fa81a10db8edf9c359: Bug 1270634 - check usages when generating WebCrypto keys r=keeler,jcj
R. Martinho Fernandes <bugs@rmf.io> - Mon, 06 Jul 2020 16:46:51 +0000 - rev 538923
Push 37574 by apavel@mozilla.com at Mon, 06 Jul 2020 21:50:07 +0000
Bug 1270634 - check usages when generating WebCrypto keys r=keeler,jcj Differential Revision: https://phabricator.services.mozilla.com/D81146
d60aa28e996e860bc0ed05e564cdd583192885d6: Bug 1647719: Introduce Pref for HTTPS-Only in Private Browsing Mode. r=JulianWels,jcj
Christoph Kerschbaumer <ckerschb@christophkerschbaumer.com> - Mon, 06 Jul 2020 08:52:02 +0000 - rev 538862
Push 37573 by dluca@mozilla.com at Mon, 06 Jul 2020 16:32:20 +0000
Bug 1647719: Introduce Pref for HTTPS-Only in Private Browsing Mode. r=JulianWels,jcj Differential Revision: https://phabricator.services.mozilla.com/D80873
b7322e66d77987506ac9be076326148d0a03da3f: Bug 1647505 - update the list of Google roots in PreloadedHPKPins.json DONTBUILD NPOTB r=jcj,kjacobs
Dana Keeler <dkeeler@mozilla.com> - Tue, 30 Jun 2020 16:15:35 +0000 - rev 538035
Push 37557 by abutkovits@mozilla.com at Wed, 01 Jul 2020 03:27:11 +0000
Bug 1647505 - update the list of Google roots in PreloadedHPKPins.json DONTBUILD NPOTB r=jcj,kjacobs Differential Revision: https://phabricator.services.mozilla.com/D81626
300828aa89a3c05d7386a35a3a5e92eef96bdc89: Bug 1647482 - client.py: write bytes when file is opened in binary mode. r=jcj
Kevin Jacobs <kjacobs@mozilla.com> - Tue, 30 Jun 2020 03:43:22 +0000 - rev 537919
Push 37555 by cbrindusan@mozilla.com at Tue, 30 Jun 2020 14:45:59 +0000
Bug 1647482 - client.py: write bytes when file is opened in binary mode. r=jcj Differential Revision: https://phabricator.services.mozilla.com/D80552
9df3267d79921b6943eb9e6bfff583ac125f1cef: Bug 1642687 - land NSS NSS_3_54_RTM UPGRADE_NSS_RELEASE, r=jcj
Kevin Jacobs <kjacobs@mozilla.com> - Fri, 26 Jun 2020 17:46:43 +0000 - rev 537621
Push 37545 by nerli@mozilla.com at Sat, 27 Jun 2020 09:38:32 +0000
Bug 1642687 - land NSS NSS_3_54_RTM UPGRADE_NSS_RELEASE, r=jcj Differential Revision: https://phabricator.services.mozilla.com/D81357
92686b9404714bfc11c6c67bee659b4d9b7b1a5e: Bug 1642687 - land NSS 87fa2f0598ad UPGRADE_NSS_RELEASE, r=jcj
Kevin Jacobs <kjacobs@mozilla.com> - Thu, 25 Jun 2020 00:30:56 +0000 - rev 537287
Push 37540 by cbrindusan@mozilla.com at Thu, 25 Jun 2020 09:44:52 +0000
Bug 1642687 - land NSS 87fa2f0598ad UPGRADE_NSS_RELEASE, r=jcj 2020-06-24 Kai Engert <kaie@kuix.de> * automation/release/nspr-version.txt: Bug 1640516 - NSS 3.54 should depend on NSPR 4.26. r=kjacobs [87fa2f0598ad] [tip] 2020-06-23 Kevin Jacobs <kjacobs@mozilla.com> * .hgtags: Added tag NSS_3_54_BETA1 for changeset 2bd2f3267dc5 [fe2ed4384f6a] Differential Revision: https://phabricator.services.mozilla.com/D80989
da52c5a889398897aec4f210b044660f87ae7541: Bug 1642687 - land NSS 2bd2f3267dc5 UPGRADE_NSS_RELEASE, r=jcj
Kevin Jacobs <kjacobs@mozilla.com> - Mon, 22 Jun 2020 22:24:10 +0000 - rev 536677
Push 37532 by abutkovits@mozilla.com at Tue, 23 Jun 2020 16:15:06 +0000
Bug 1642687 - land NSS 2bd2f3267dc5 UPGRADE_NSS_RELEASE, r=jcj 2020-06-22 Kevin Jacobs <kjacobs@mozilla.com> * lib/util/quickder.c: Bug 1646520 - Stricter leading-zero checks for ASN.1 INTEGER values. r=jcj This patch adjusts QuickDER to strictly enforce INTEGER encoding with respect to leading zeros: - If the MSB of the first (value) octet is set, a single zero byte MAY be present to make the value positive. This singular pad byte is removed. - Otherwise, the first octet must not be zero. [2bd2f3267dc5] [tip] Differential Revision: https://phabricator.services.mozilla.com/D80543
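The two INTEGER rules in the Bug 1646520 entry above, as an added Python decoder (not QuickDER's code): `parse_der_integer` strips the single permitted sign pad and rejects any other leading zero; treating `02 01 00` (the integer 0) as valid and the handling of DER long-form lengths are this example's assumptions, which the entry does not cover.

```python
"""Added example: a DER INTEGER decoder enforcing the leading-zero rules in
the Bug 1646520 entry. Not QuickDER's code."""


def _read_length(buf: bytes, pos: int) -> tuple:
    """Decode a DER length at buf[pos]; return (length, offset after it).
    Long-form handling is this example's addition; the entry only covers
    the INTEGER content octets."""
    if pos >= len(buf):
        raise ValueError("truncated length")
    first, pos = buf[pos], pos + 1
    if first < 0x80:
        return first, pos
    nbytes = first & 0x7F
    if nbytes == 0 or nbytes > 4 or pos + nbytes > len(buf):
        raise ValueError("indefinite, oversized or truncated length")
    length = int.from_bytes(buf[pos:pos + nbytes], "big")
    if length < 0x80 or buf[pos] == 0:  # DER: shortest form only
        raise ValueError("non-minimal length encoding")
    return length, pos + nbytes


def parse_der_integer(encoded: bytes) -> bytes:
    """Return the value octets of one DER INTEGER with the single permitted
    sign-pad byte removed; raise ValueError on any other leading zero."""
    if not encoded or encoded[0] != 0x02:
        raise ValueError("not an INTEGER")
    length, pos = _read_length(encoded, 1)
    if length == 0 or pos + length != len(encoded):
        raise ValueError("bad content length")
    content = encoded[pos:]
    if content[0] == 0x00:
        if length == 1:
            return content  # 02 01 00 is the integer 0 itself (assumed valid)
        if content[1] & 0x80 == 0:
            # the pad does not protect a set MSB, so the encoding is not minimal
            raise ValueError("unnecessary leading zero")
        return content[1:]
    return content


def is_minimal_der_integer(encoded: bytes) -> bool:
    try:
        parse_der_integer(encoded)
        return True
    except ValueError:
        return False


def encode_der_integer(value: int) -> bytes:
    """Minimal DER encoding of a non-negative integer, to round-trip through
    the parser (adds the pad byte exactly when the MSB is set)."""
    if value < 0:
        raise ValueError("negative values are out of scope here")
    content = value.to_bytes((value.bit_length() + 8) // 8, "big")
    if len(content) < 0x80:
        length = bytes([len(content)])
    else:
        n = len(content).to_bytes((len(content).bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(n)]) + n
    return b"\x02" + length + content


if __name__ == "__main__":
    for blob in (b"\x02\x01\x00", b"\x02\x02\x00\x80", b"\x02\x02\x00\x7f",
                 b"\x02\x03\x00\x00\x80", encode_der_integer(2 ** 1023)):
        verdict = "accepted" if is_minimal_der_integer(blob) else "rejected"
        print(blob[:6].hex(), "..." if len(blob) > 6 else "", verdict)
```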
63a4089362fcee1e8ebd6507523bd525fc1dc2f1: Bug 1642687 - land NSS 699541a7793b UPGRADE_NSS_RELEASE, r=jcj
Kevin Jacobs <kjacobs@mozilla.com> - Thu, 18 Jun 2020 15:48:05 +0000 - rev 536323
Push 37520 by dluca@mozilla.com at Fri, 19 Jun 2020 04:04:08 +0000
Bug 1642687 - land NSS 699541a7793b UPGRADE_NSS_RELEASE, r=jcj 2020-06-16 Sohaib ul Hassan <sohaibulhassan@tuni.fi> * lib/freebl/mpi/mpi.c, lib/freebl/mpi/mpi.h, lib/freebl/mpi/mplogic.c: Bug 1631597 - Constant-time GCD and modular inversion r=rrelyea,kjacobs The implementation is based on the work by Bernstein and Yang (https://eprint.iacr.org/2019/266) "Fast constant-time gcd computation and modular inversion". It fixes the old mp_gcd and s_mp_invmod_odd_m functions. The patch also fixes mpl_significant_bits, s_mp_div_2d and s_mp_mul_2d by having less control flow to reduce side-channel leaks. Co-Author: Billy Bob Brumley [699541a7793b] [tip] Differential Revision: https://phabricator.services.mozilla.com/D80120
712412cb974c0392afe31fd9ce974b26ae3993c3: Bug 1642687 - land NSS 6dcd00c13ffc UPGRADE_NSS_RELEASE, r=jcj
Kevin Jacobs <kjacobs@mozilla.com> - Wed, 17 Jun 2020 16:10:17 +0000 - rev 536151
Push 37516 by cbrindusan@mozilla.com at Wed, 17 Jun 2020 21:52:06 +0000
Bug 1642687 - land NSS 6dcd00c13ffc UPGRADE_NSS_RELEASE, r=jcj 2020-06-15 J.C. Jones <jjones@mozilla.com> * lib/ckfw/builtins/nssckbi.h: Bug 1618402 - June 2020 batch of root changes, NSS_BUILTINS_LIBRARY_VERSION 2.42 r=bbeurdouche,KathleenWilson All changes: Bug 1618402 - Remove 3 Symantec roots and disable Email trust bit for others Bug 1621151 - Disable Email trust bit for GRCA root Bug 1639987 - Remove expired Staat der Nederlanden Root CA - G2 root cert Bug 1641718 - Remove "LuxTrust Global Root 2" root cert Bug 1641716 - Add Microsoft's non-EV roots Bug 1645174 - Add Microsec's "e-Szigno Root CA 2017" root cert Bug 1645186 - Add "certSIGN Root CA G2" root cert Bug 1645199 - Remove Expired AddTrust root certs Depends on D79373 [6dcd00c13ffc] [tip] 2020-06-12 J.C. Jones <jjones@mozilla.com> * lib/ckfw/builtins/certdata.txt: Bug 1645186 - Add certSIGN Root CA G2 root cert r=KathleenWilson Friendly Name: certSIGN Root CA G2 Cert Location: http://crl.certsign.ro/certsign-rootg2.crt SHA-1 Fingerprint: 26F993B4ED3D2827B0B94BA7E9151DA38D92E532 SHA-256 Fingerprint: 657CFE2FA73FAA38462571F332A2363A46FCE7020951710702CDFBB6EEDA3305 Trust Flags: Websites Test URL: https://testssl-valid-evcp.certsign.ro/ Depends on D79372 [d541eaaca2ef] * lib/ckfw/builtins/certdata.txt: Bug 1645174 - Add e-Szigno Root CA 2017 r=KathleenWilson,kjacobs Depends on D79371 [6d397f2a5f01] * lib/ckfw/builtins/certdata.txt: Bug 1641716 - Add Microsoft non-EV roots r=KathleenWilson,kjacobs Friendly Name: Microsoft ECC Root Certificate Authority 2017 Cert Location: http://www.microsoft.com/pkiops/certs/Microsoft%20ECC%20Root%20Certificate%20Authority%202017.crt SHA-1 Fingerprint: 999A64C37FF47D9FAB95F14769891460EEC4C3C5 SHA-256 Fingerprint: 358DF39D764AF9E1B766E9C972DF352EE15CFAC227AF6AD1D70E8E4A6EDCBA02 Trust Flags: Websites Test URL: https://acteccroot2017.pki.microsoft.com/ Friendly Name: Microsoft RSA Root Certificate Authority 2017 Cert Location:
http://www.microsoft.com/pkiops/certs/Microsoft%20RSA%20Root%20Certificate%20Authority%202017.crt SHA-1 Fingerprint: 73A5E64A3BFF8316FF0EDCCC618A906E4EAE4D74 SHA-256 Fingerprint: C741F70F4B2A8D88BF2E71C14122EF53EF10EBA0CFA5E64CFA20F418853073E0 Trust Flags: Websites Test URL: https://actrsaroot2017.pki.microsoft.com/ Depends on D79370 [576f52ca3f02] * lib/ckfw/builtins/certdata.txt: Bug 1645199 - Remove Expired AddTrust root certs r=KathleenWilson,kjacobs Remove the following two expired AddTrust root certs from NSS. Subject/Issuer: CN=AddTrust Class 1 CA Root; OU=AddTrust TTP Network; O=AddTrust AB; C=SE Valid To (GMT): 5/30/2020 SHA-1 Fingerprint: CCAB0EA04C2301D6697BDD379FCD12EB24E3949D SHA-256 Fingerprint: 8C7209279AC04E275E16D07FD3B775E80154B5968046E31F52DD25766324E9A7 Subject/Issuer: CN=AddTrust External CA Root; OU=AddTrust External TTP Network; O=AddTrust AB; C=SE Valid To (GMT): 5/30/2020 SHA-1 Fingerprint: 02FAF3E291435468607857694DF5E45B68851868 SHA-256 Fingerprint: 687FA451382278FFF0C8B11F8D43D576671C6EB2BCEAB413FB83D965D06D2FF2 Mozilla EV Policy OID(s): 1.3.6.1.4.1.6449.1.2.1.5.1 Depends on D79369 [96d0279ef929] * lib/ckfw/builtins/certdata.txt: Bug 1641718 - Remove "LuxTrust Global Root 2" root cert r=KathleenWilson,kjacobs Subject: CN=LuxTrust Global Root 2; O=LuxTrust S.A.; C=LU Valid From (GMT): 3/5/2015 Valid To (GMT): 3/5/2035 Certificate Serial Number: 0A7EA6DF4B449EDA6A24859EE6B815D3167FBBB1 SHA-1 Fingerprint: 1E0E56190AD18B2598B20444FF668A0417995F3F SHA-256 Fingerprint: 54455F7129C20B1447C418F997168F24C58FC5023BF5DA5BE2EB6E1DD8902ED5 Depends on D79368 [cc40386d3958] * lib/ckfw/builtins/certdata.txt: Bug 1639987 - Remove expired Staat der Nederlanden Root CA - G2 root cert r=KathleenWilson,kjacobs Subject: CN=Staat der Nederlanden Root CA - G2; O=Staat der Nederlanden; C=NL Valid From (GMT): 3/26/2008 Valid To (GMT): 3/25/2020 Certificate Serial Number: 0098968C SHA-1 Fingerprint: 59AF82799186C7B47507CBCF035746EB04DDB716 SHA-256 Fingerprint:
668C83947DA63B724BECE1743C31A0E6AED0DB8EC5B31BE377BB784F91B6716F Depends on D79367 [7236f86d8db7] * lib/ckfw/builtins/certdata.txt: Bug 1621151 - Disable email trust bit for TW Government Root Certification Authority root r=kjacobs,KathleenWilson Depends on D79366 [d56b95fc344f] * lib/ckfw/builtins/certdata.txt: Bug 1618402 - Disable email trust bit for several Symantec certs r=KathleenWilson,kjacobs Disable the Email trust bit for the following root certs: Subject: CN=GeoTrust Global CA; O=GeoTrust Inc.; C=US Certificate Serial Number: 023456 SHA-1 Fingerprint: DE28F4A4FFE5B92FA3C503D1A349A7F9962A8212 SHA-256 Fingerprint: FF856A2D251DCD88D36656F450126798CFABAADE40799C722DE4D2B5DB36A73A Subject: CN=GeoTrust Primary Certification Authority - G2; OU=(c) 2007 GeoTrust Inc. - For authorized use only; O=GeoTrust Inc.; C=US Certificate Serial Number: 3CB2F4480A00E2FEEB243B5E603EC36B SHA-1 Fingerprint: 8D1784D537F3037DEC70FE578B519A99E610D7B0 SHA-256 Fingerprint: 5EDB7AC43B82A06A8761E8D7BE4979EBF2611F7DD79BF91C1C6B566A219ED766 Subject: CN=GeoTrust Primary Certification Authority - G3; OU=(c) 2008 GeoTrust Inc. - For authorized use only; O=GeoTrust Inc.; C=US Certificate Serial Number: 15AC6E9419B2794B41F627A9C3180F1F SHA-1 Fingerprint: 039EEDB80BE7A03C6953893B20D2D9323A4C2AFD SHA-256 Fingerprint: B478B812250DF878635C2AA7EC7D155EAA625EE82916E2CD294361886CD1FBD4 Subject: CN=GeoTrust Universal CA; O=GeoTrust Inc.; C=US Certificate Serial Number: 01 SHA-1 Fingerprint: E621F3354379059A4B68309D8A2F74221587EC79 SHA-256 Fingerprint: A0459B9F63B22559F5FA5D4C6DB3F9F72FF19342033578F073BF1D1B46CBB912 Subject: CN=GeoTrust Universal CA 2; O=GeoTrust Inc.; C=US Certificate Serial Number: 01 SHA-1 Fingerprint: 379A197B418545350CA60369F33C2EAF474F2079 SHA-256 Fingerprint: A0234F3BC8527CA5628EEC81AD5D69895DA5680DC91D1CB8477F33F878B95B0B Subject: CN=VeriSign Class 3 Public Primary Certification Authority - G4; OU=VeriSign Trust Network, (c) 2007 VeriSign, Inc.
- For authorized use only; O=VeriSign, Inc.; C=US Certificate Serial Number: 2F80FE238C0E220F486712289187ACB3 SHA-1 Fingerprint: 22D5D8DF8F0231D18DF79DB7CF8A2D64C93F6C3A SHA-256 Fingerprint: 69DDD7EA90BB57C93E135DC85EA6FCD5480B603239BDC454FC758B2A26CF7F79 Subject: CN=VeriSign Class 3 Public Primary Certification Authority - G5; OU=VeriSign Trust Network, (c) 2006 VeriSign, Inc. - For authorized use only; O=VeriSign, Inc.; C=US Certificate Serial Number: 18DAD19E267DE8BB4A2158CDCC6B3B4A SHA-1 Fingerprint: 4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5 SHA-256 Fingerprint: 9ACFAB7E43C8D880D06B262A94DEEEE4B4659989C3D0CAF19BAF6405E41AB7DF Depends on D79365 [606157f404c2] * lib/ckfw/builtins/certdata.txt: Bug 1618402 - Remove VeriSign CA and associated EgyptTrust distrust entries r=KathleenWilson,kjacobs Remove the VeriSign Class 3 Public Primary Certification Authority - G3 CA: Subject: CN=VeriSign Class 3 Public Primary Certification Authority - G3; OU=VeriSign Trust Network, (c) 1999 VeriSign, Inc. 
- For authorized use only; O=VeriSign, Inc.; C=US Certificate Serial Number: 009B7E0649A33E62B9D5EE90487129EF57 SHA-1 Fingerprint: 132D0D45534B6997CDB2D5C339E25576609B5CC6 SHA-256 Fingerprint: EB04CF5EB1F39AFA762F2BB120F296CBA520C1B97DB1589565B81CB9A17B7244 Because of the removal of VeriSign Class 3 Public Primary Certification Authority - G3, these knock-out entries, signed by that CA, should be removed: cert 1: Serial Number:4c:00:36:1b:e5:08:2b:a9:aa:ce:74:0a:05:3e:fb:34 Subject: CN=Egypt Trust Class 3 Managed PKI Enterprise Administrator CA,OU=Terms of use at https://www.egypttrust.com/epository/rpa (c)08,OU=VeriSign Trust Network,O=Egypt Trust,C=EG Not Valid Before: Sun May 18 00:00:00 2008 Not Valid After : Thu May 17 23:59:59 2018 Fingerprint (MD5): A7:91:05:96:B1:56:01:26:4E:BF:80:80:08:86:1B:4D Fingerprint (SHA1): 6A:2C:5C:B0:94:D5:E0:B7:57:FB:0F:58:42:AA:C8:13:A5:80:2F:E1 cert 2: Serial Number:3e:0c:9e:87:69:aa:95:5c:ea:23:d8:45:9e:d4:5b:51 Subject: CN=Egypt Trust Class 3 Managed PKI Operational Administrator CA,OU=Terms of use at https://www.egypttrust.com/epository/rpa (c)08,OU=VeriSign Trust Network,O=Egypt Trust,C=EG Not Valid Before: Sun May 18 00:00:00 2008 Not Valid After : Thu May 17 23:59:59 2018 Fingerprint (MD5): D0:C3:71:17:3E:39:80:C6:50:4F:04:22:DF:40:E1:34 Fingerprint (SHA1): 9C:65:5E:D5:FA:E3:B8:96:4D:89:72:F6:3A:63:53:59:3F:5E:B4:4E cert 3: Issuer: CN=VeriSign Class 3 Public Primary Certification Authority - G3,OU="(c) 1999 VeriSign, Inc. 
- For authorized use nly",OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US Serial Number:12:bd:26:a2:ae:33:c0:7f:24:7b:6a:58:69:f2:0a:76 Subject: CN=Egypt Trust Class 3 Managed PKI SCO Administrator CA,OU=Terms of use at https://www.egypttrust.com/repository/rpa c)08,OU=VeriSign Trust Network,O=Egypt Trust,C=EG Not Valid Before: Sun May 18 00:00:00 2008 Not Valid After : Thu May 17 23:59:59 2018 Fingerprint (MD5): C2:13:5E:B2:67:8A:5C:F7:91:EF:8F:29:0F:9B:77:6E Fingerprint (SHA1): 83:23:F1:4F:BC:9F:9B:80:B7:9D:ED:14:CD:01:57:CD:FB:08:95:D2 Depends on D79364 [8cd8fd97f0e7] * lib/ckfw/builtins/certdata.txt: Bug 1618402 - Remove Symantec and VeriSign roots r=KathleenWilson,kjacobs Remove the following root certs: Subject: CN=Symantec Class 2 Public Primary Certification Authority - G4; OU=Symantec Trust Network; O=Symantec Corporation; C=US Certificate Serial Number: 34176512403BB756802D80CB7955A61E SHA-1 Fingerprint: 6724902E4801B02296401046B4B1672CA975FD2B SHA-256 Fingerprint: FE863D0822FE7A2353FA484D5924E875656D3DC9FB58771F6F616F9D571BC592 Subject: CN=Symantec Class 1 Public Primary Certification Authority - G4; OU=Symantec Trust Network; O=Symantec Corporation; C=US Certificate Serial Number: 216E33A5CBD388A46F2907B4273CC4D8 SHA-1 Fingerprint: 84F2E3DD83133EA91D19527F02D729BFC15FE667 SHA-256 Fingerprint: 363F3C849EAB03B0A2A0F636D7B86D04D3AC7FCFE26A0A9121AB9795F6E176DF [06e27f62d77b] 2020-06-15 Mike Hommey <mh@glandium.org> * lib/freebl/Makefile, lib/freebl/manifest.mn: Bug 1642146 - Move seed.o back into freeblpriv3. r=bbeurdouche [f46fca8ced7f] Differential Revision: https://phabricator.services.mozilla.com/D79905
b41a8f8bcf1c30d276883f90b119d9c7fd98f7d5: Bug 1645525 - Remove EV treatment of AddTrust External CA Root. r=jcj
Kevin Jacobs <kjacobs@mozilla.com> - Mon, 15 Jun 2020 21:20:47 +0000 - rev 535754
Push 37509 by csabou@mozilla.com at Tue, 16 Jun 2020 03:30:48 +0000
Bug 1645525 - Remove EV treatment of AddTrust External CA Root. r=jcj Differential Revision: https://phabricator.services.mozilla.com/D79738
80b6f21783a324fd2e84e363dc4028e1ccff161e: Bug 1642687 - land NSS cbf75aedf480 UPGRADE_NSS_RELEASE, r=jcj
Kevin Jacobs <kjacobs@mozilla.com> - Fri, 12 Jun 2020 23:42:37 +0000 - rev 535566
Push 37501 by nbeleuzu@mozilla.com at Sat, 13 Jun 2020 03:21:52 +0000
Bug 1642687 - land NSS cbf75aedf480 UPGRADE_NSS_RELEASE, r=jcj
2020-06-12 Kevin Jacobs <kjacobs@mozilla.com>
* cmd/lib/secutil.c: Bug 1645479 - Use SECITEM_CopyItem instead of SECITEM_MakeItem in secutil.c. r=jcj
This patch converts a call to `SECITEM_MakeItem` to use `SECITEM_CopyItem` instead. Using the former works fine in NSS CI, but causes build failures in mozilla-central due to differences in how both symbols are exported (i.e. when folding nssutil into nss).
[cbf75aedf480] [tip]
2020-06-11 Kevin Jacobs <kjacobs@mozilla.com>
* gtests/ssl_gtest/libssl_internals.c, gtests/ssl_gtest/ssl_resumption_unittest.cc: Bug 1644774 - Use ClearServerCache instead of SSLInt_ClearSelfEncryptKey for ticket invalidation. r=mt
[7b2413d80ce3]
2020-06-10 Kevin Jacobs <kjacobs@mozilla.com>
* cmd/lib/basicutil.c, cmd/lib/secutil.c, cmd/lib/secutil.h, cmd/selfserv/selfserv.c, cmd/tstclnt/tstclnt.c, lib/ssl/tls13psk.c: Bug 1603042 - Support external PSKs in tstclnt/selfserv. r=jcj
This patch adds support for TLS 1.3 external PSKs in tstclnt and selfserv with the `-z` option.
Command examples:
- `selfserv -D -p 4443 -d . -n localhost.localdomain -w nss -V tls1.3: -H 1 -z 0xAAAAAAAABBBBBBBBCCCCCCCCDDDDDDDD[:label] -m`
- `tstclnt -h 127.0.0.1 -p 4443 -z 0xAAAAAAAABBBBBBBBCCCCCCCCDDDDDDDD[:label] -d . -w nss`
For OpenSSL interop:
- `openssl s_server -nocert -port 4433 -psk AAAAAAAABBBBBBBBCCCCCCCCDDDDDDDD [-psk_identity label]`
Note: If the optional label is omitted, both NSS tools and OpenSSL default to "Client_identity".
[c1b1112af415]
2020-06-09 Kevin Jacobs <kjacobs@mozilla.com>
* lib/ssl/tls13con.c: Bug 1642638 - Don't assert sid ciphersuite to be defined in fuzzer mode. r=mt
[238bd7912429]
2020-06-08 Kevin Jacobs <kjacobs@mozilla.com>
* lib/freebl/freebl.gyp, lib/freebl/freebl_base.gypi: Bug 1642802 - Win64 GYP builds to use HACL* curve25519. r=bbeurdouche
This patch causes Windows 64-bit GYP builds to use HACL* curve25519 rather than the 32-bit (fiat-crypto) implementation.
For non-clang/GCC Win64 builds, we define `KRML_VERIFIED_UINT128` to work around an upstream bug that breaks Win32 builds by selecting a 64-bit `__int128` implementation (in types.h). For clang/GCC builds, using the compiler-provided type yields a ~5x speedup on Win64.
[566fa62d6522]
2020-06-05 Jeff Walden <jwalden@mit.edu>
* lib/pk11wrap/pk11cert.c, lib/pk11wrap/pk11kea.c, lib/pk11wrap/pk11merge.c, lib/pk11wrap/pk11nobj.c, lib/pk11wrap/pk11obj.c, lib/pk11wrap/pk11skey.c, lib/pk11wrap/secmodi.h: Bug 1643557 - Make pk11_FindObjectByTemplate accept a size_t count rather than a signed type to avoid internal signed-unsigned comparison warnings. r=kjacobs
Depends on D78454
[5ee293d1a282]
* lib/pk11wrap/pk11skey.c: Bug 1643557 - Make PK11_SetWrapKey explicitly handle being passed a negative wrap argument, to avoid a signed-unsigned comparison. r=kjacobs
Depends on D78453
[7bb3677a2ed0]
* lib/pk11wrap/pk11akey.c, lib/pk11wrap/pk11cert.c, lib/pk11wrap/pk11obj.c, lib/pk11wrap/secmodi.h: Bug 1643557 - Change the type of the size argument to pk11_FindObjectsByTemplate to be size_t, consistent with the type of some (small) numeric values passed to it after the previous revision. r=kjacobs
Depends on D78452
[eaf223c2646a]
* lib/pk11wrap/pk11slot.c: Bug 1643557 - Use size_t for various counts in pk11slot.c. r=kjacobs
Depends on D78451
[465a7954ce0a]
* lib/pk11wrap/pk11priv.h, lib/pk11wrap/pk11slot.c: Bug 1643557 - Make pk11_MatchString accept a size_t length rather than an int length (consistent with all callers), and reformulate its internals to avoid a signed-unsigned comparison. r=kjacobs
Depends on D78450
[fff8c883ef7d]
* lib/pk11wrap/pk11skey.c, lib/ssl/sslsnce.c, lib/util/secport.h: Bug 1643557 - Add PORT_AssertNotReached and use it instead of PORT_Assert(!"str"), which may warn about vacuous string literal to boolean conversions. r=kjacobs
Depends on D78449
[c0aa47eb2fdd]
* lib/util/secoid.c: Bug 1643557 - Use SECOidTag as the type of a loop variable over all values of that type to avoid a signed-unsigned comparison warning. r=kjacobs
Depends on D78448
[d7f1e9975e67]
* lib/util/utilpars.c: Bug 1643557 - Use size_t for a parameter-indexing variable to eliminate a signed-unsigned comparison warning. r=kjacobs
Depends on D78447
[5d7206908ca7]
* lib/freebl/rsapkcs.c: Bug 1643557 - Used unsigned int for two for-loops upper-bounded by unsigned ints in rsa_FormatOneBlock. r=kjacobs
Depends on D78446
[ed9a1a41ca1e]
* lib/pk11wrap/debug_module.c: Bug 1643557 - Use unsigned int for log level, consistent with PRLogModuleLevel. r=kjacobs
[7f89fa701ce3]
Differential Revision: https://phabricator.services.mozilla.com/D79566
4fe0ee5156a1fd84c79c6f413c57784d281c3416: Bug 1644421 - bump INTERMEDIATE_PRELOADING_* telemetry to expire in 86 r=jcj
Dana Keeler <dkeeler@mozilla.com> - Thu, 11 Jun 2020 16:50:01 +0000 - rev 535183
Push 37498 by apavel@mozilla.com at Fri, 12 Jun 2020 03:05:25 +0000
Bug 1644421 - bump INTERMEDIATE_PRELOADING_* telemetry to expire in 86 r=jcj Differential Revision: https://phabricator.services.mozilla.com/D78989
988197b0e646b0573a6ff5625b4b51f1957a7c1e: Bug 1642400 - Improve DLL loading. r=jcj
Molly Howell <mhowell@mozilla.com> - Tue, 09 Jun 2020 22:43:59 +0000 - rev 534778
Push 37494 by nbeleuzu@mozilla.com at Wed, 10 Jun 2020 14:02:18 +0000
Bug 1642400 - Improve DLL loading. r=jcj Differential Revision: https://phabricator.services.mozilla.com/D77902
a6d6d50c239a52081f45ed4348868059f3bbe56c: Bug 1642687 - land NSS d211f3013abb UPGRADE_NSS_RELEASE, r=jcj
Kevin Jacobs <kjacobs@mozilla.com> - Sat, 06 Jun 2020 00:20:11 +0000 - rev 534239
Push 37484 by dluca@mozilla.com at Sat, 06 Jun 2020 09:46:03 +0000
Bug 1642687 - land NSS d211f3013abb UPGRADE_NSS_RELEASE, r=jcj
2020-06-01 Kevin Jacobs <kjacobs@mozilla.com>
* coreconf/config.gypi, lib/freebl/Makefile, lib/freebl/blinit.c, lib/freebl/freebl.gyp, lib/freebl/sha256-armv8.c, lib/freebl/sha256.h, lib/freebl/sha512.c, mach: Bug 1528113 - Use ARM's crypto extension for SHA256
[ea54fd986036]
2020-04-08 Kevin Jacobs <kjacobs@mozilla.com>
* automation/abi-check/expected-report-libssl3.so.txt, gtests/ssl_gtest/libssl_internals.c, gtests/ssl_gtest/libssl_internals.h, gtests/ssl_gtest/manifest.mn, gtests/ssl_gtest/ssl_0rtt_unittest.cc, gtests/ssl_gtest/ssl_extension_unittest.cc, gtests/ssl_gtest/ssl_gtest.gyp, gtests/ssl_gtest/tls_agent.cc, gtests/ssl_gtest/tls_agent.h, gtests/ssl_gtest/tls_connect.cc, gtests/ssl_gtest/tls_connect.h, gtests/ssl_gtest/tls_psk_unittest.cc, lib/ssl/manifest.mn, lib/ssl/ssl.gyp, lib/ssl/ssl3con.c, lib/ssl/ssl3ext.c, lib/ssl/ssl3ext.h, lib/ssl/sslerr.h, lib/ssl/sslexp.h, lib/ssl/sslimpl.h, lib/ssl/sslinfo.c, lib/ssl/sslsecur.c, lib/ssl/sslsock.c, lib/ssl/sslt.h, lib/ssl/tls13con.c, lib/ssl/tls13con.h, lib/ssl/tls13exthandle.c, lib/ssl/tls13psk.c, lib/ssl/tls13psk.h, lib/ssl/tls13replay.c: Bug 1603042 - TLS 1.3 out-of-band PSK support
[a448d7919077]
2020-06-01 Makoto Kato <m_kato@ga2.so-net.ne.jp>
* coreconf/config.gypi, lib/freebl/Makefile, lib/freebl/blinit.c, lib/freebl/freebl.gyp, lib/freebl/sha256-armv8.c, lib/freebl/sha256.h, lib/freebl/sha512.c: Bug 1528113 - Use ARM's crypto extension for SHA256 r=kjacobs
ARMv8 CPUs have accelerated hardware instructions for SHA256, supported by GCC 4.9+. We should use it if available.
[61c83f79e90c]
2020-06-02 Kevin Jacobs <kjacobs@mozilla.com>
* automation/abi-check/expected-report-libssl3.so.txt, gtests/ssl_gtest/libssl_internals.c, gtests/ssl_gtest/libssl_internals.h, gtests/ssl_gtest/manifest.mn, gtests/ssl_gtest/ssl_0rtt_unittest.cc, gtests/ssl_gtest/ssl_extension_unittest.cc, gtests/ssl_gtest/ssl_gtest.gyp, gtests/ssl_gtest/tls_agent.cc, gtests/ssl_gtest/tls_agent.h, gtests/ssl_gtest/tls_connect.cc, gtests/ssl_gtest/tls_connect.h, gtests/ssl_gtest/tls_psk_unittest.cc, lib/ssl/manifest.mn, lib/ssl/ssl.gyp, lib/ssl/ssl3con.c, lib/ssl/ssl3ext.c, lib/ssl/ssl3ext.h, lib/ssl/sslerr.h, lib/ssl/sslexp.h, lib/ssl/sslimpl.h, lib/ssl/sslinfo.c, lib/ssl/sslsecur.c, lib/ssl/sslsock.c, lib/ssl/sslt.h, lib/ssl/tls13con.c, lib/ssl/tls13con.h, lib/ssl/tls13exthandle.c, lib/ssl/tls13psk.c, lib/ssl/tls13psk.h, lib/ssl/tls13replay.c: Bug 1603042 - TLS 1.3 out-of-band PSK support r=mt
This patch adds support for External (out-of-band) PSKs in TLS 1.3. An External PSK (EPSK) can be set by calling `SSL_AddExternalPsk`, and removed with `SSL_RemoveExternalPsk`. `SSL_AddExternalPsk0Rtt` can be used to add a PSK while also specifying a suite and max_early_data_size for use with 0-RTT. As part of handling PSKs more generically, the patch also changes how resumption PSKs are handled internally, so as to rely on the same mechanisms where possible. A socket is currently limited to only one External PSK at a time. If the server doesn't find the same identity for the configured EPSK, it will fall back to certificate authentication.
[a2293e897889]
* lib/freebl/mpi/mplogic.c: cast in LZCNTLOOP
[96e65b2e9531]
* lib/freebl/freebl.gyp: Use KRML_VERIFIED_UINT128 on MSVC builds
[abd50c862bdb]
2020-06-03 Kevin Jacobs <kjacobs@mozilla.com>
* gtests/ssl_gtest/ssl_exporter_unittest.cc, lib/ssl/sslinfo.c, lib/ssl/tls13con.c: Bug 1643123 - Allow External PSKs to be used with Early Export
[46ef0c025cfc]
2020-06-02 Sylvestre Ledru <sledru@mozilla.com>
* lib/ssl/tls13con.c: Bug 1642809 - Fix an assert (we need a comparison, not assignment) r=kjacobs
[d0789cb32d8e]
2020-06-03 Mike Hommey <mh@glandium.org>
* cmd/shlibsign/Makefile: Bug 1642153 - Avoid infinite recursion when CHECKLOC is not set. r=jcj
[e955ece90b05]
2020-06-03 Martin Thomson <mt@lowentropy.net>
* gtests/ssl_gtest/ssl_auth_unittest.cc, gtests/ssl_gtest/ssl_resumption_unittest.cc, lib/ssl/tls13con.c: Bug 1642871 - Allow tickets and PHA after resumption, r=kjacobs
The first part of this is fairly simple: we accidentally disabled sending of session tickets after resumption.
The second part is much less obvious, because the spec is unclear. This change takes the interpretation that it is OK to use post-handshake authentication if the handshake is resumed, but not OK if the handshake is based on a PSK. (This is based on a first-principles understanding of resumption being a continuation of a certificate-based connection rather than a reading of the spec, see the bug for why the spec appears to be unhelpful on this point.)
This still prohibits the use of post-handshake authentication if an external PSK was used, but that is more an abundance of caution than anything principled.
[e9502f71b7fe]
2020-06-04 Kevin Jacobs <kjacobs@mozilla.com>
* gtests/ssl_gtest/ssl_exporter_unittest.cc, lib/ssl/sslinfo.c, lib/ssl/tls13con.c: Bug 1643123 - Allow External PSKs to be used with Early Export r=mt
This patch adjusts `tls13_exporter` to pull the hash algorithm from the first PSK when a suite is not configured yet, which allows early export with external PSKs.
[d211f3013abb]
Differential Revision: https://phabricator.services.mozilla.com/D78578
4f0b2cc28b1482e285bcfceec472a568f3843299: Bug 1636656 - land NSS NSS_3_53_BETA2 UPGRADE_NSS_RELEASE, r=jcj
Kevin Jacobs <kjacobs@mozilla.com> - Fri, 29 May 2020 06:40:34 +0000 - rev 532936
Push 37460 by btara@mozilla.com at Fri, 29 May 2020 15:59:09 +0000
Bug 1636656 - land NSS NSS_3_53_BETA2 UPGRADE_NSS_RELEASE, r=jcj
2020-05-28 Kevin Jacobs <kjacobs@mozilla.com>
* lib/softoken/pkcs11c.c: Bug 1640260 - Initialize PBE params r=jcj
[8fe22033a88e] [NSS_3_53_BETA2]
2020-05-27 Benjamin Beurdouche <bbeurdouche@mozilla.com>
* lib/ckfw/builtins/certdata.txt: Bug 1618404 - Set CKA_NSS_SERVER_DISTRUST_AFTER for Symantec root certs. r=jcj
[8bfb386f459f]
* lib/ckfw/builtins/certdata.txt: Bug 1621159 - Set CKA_NSS_SERVER_DISTRUST_AFTER for Consorci AOC, GRCA, and SK ID root certs. r=jcj
[4d1b7bbeebfe]
2020-05-26 Kevin Jacobs <kjacobs@mozilla.com>
* .hgtags: Added tag NSS_3_53_BETA1 for changeset c7a1c91cd9be
[661e3e3f6ba5]
Differential Revision: https://phabricator.services.mozilla.com/D77388
b7dde75146918ad375be120eaa9317a96cf66bc8: Bug 1636656 - land NSS NSS_3_53_BETA1 UPGRADE_NSS_RELEASE, r=jcj
Kevin Jacobs <kjacobs@mozilla.com> - Wed, 27 May 2020 03:26:56 +0000 - rev 532313
Push 37453 by abutkovits@mozilla.com at Wed, 27 May 2020 09:35:27 +0000
Bug 1636656 - land NSS NSS_3_53_BETA1 UPGRADE_NSS_RELEASE, r=jcj Differential Revision: https://phabricator.services.mozilla.com/D76940