688d2a7257586ba8ca7febe46e6ae43c4c1fe04e: Added tag NSS_3_53_1_RTM for changeset fca7a9ba4da2 NSS_3_53_BRANCH
J.C. Jones <jjones@mozilla.com> - Tue, 16 Jun 2020 15:51:02 -0700 - rev 15676
Push 3775 by jjones@mozilla.com at Tue, 16 Jun 2020 23:52:22 +0000
Added tag NSS_3_53_1_RTM for changeset fca7a9ba4da2
fca7a9ba4da2735a3d844aac4411cd5074d456f7: Set version numbers to 3.53.1 final NSS_3_53_BRANCH NSS_3_53_1_RTM
J.C. Jones <jjones@mozilla.com> - Tue, 16 Jun 2020 15:50:59 -0700 - rev 15675
Push 3775 by jjones@mozilla.com at Tue, 16 Jun 2020 23:52:22 +0000
Set version numbers to 3.53.1 final
c5c89b18053aad6147f82abecc568653b78095b4: Bug 1631597 - Constant-time GCD and modular inversion r=rrelyea,kjacobs NSS_3_53_BRANCH
Sohaib ul Hassan <sohaibulhassan@tuni.fi> - Tue, 16 Jun 2020 15:40:57 -0700 - rev 15674
Push 3775 by jjones@mozilla.com at Tue, 16 Jun 2020 23:52:22 +0000
Bug 1631597 - Constant-time GCD and modular inversion r=rrelyea,kjacobs The implementation is based on the work by Bernstein and Yang (https://eprint.iacr.org/2019/266) "Fast constant-time gcd computation and modular inversion". It fixes the old mp_gcd and s_mp_invmod_odd_m functions. The patch also fix mpl_significant_bits s_mp_div_2d and s_mp_mul_2d by having less control flow to reduce side-channel leaks. Co Author : Billy Bob Brumley Differential Revision: https://phabricator.services.mozilla.com/D78668
6dcd00c13ffcee375df1bfc907451b15d31c32f3: Bug 1618402 - June 2020 batch of root changes, NSS_BUILTINS_LIBRARY_VERSION 2.42 r=bbeurdouche,KathleenWilson
J.C. Jones <jjones@mozilla.com> - Mon, 15 Jun 2020 19:04:38 +0000 - rev 15673
Push 3774 by kjacobs@mozilla.com at Mon, 15 Jun 2020 19:11:00 +0000
Bug 1618402 - June 2020 batch of root changes, NSS_BUILTINS_LIBRARY_VERSION 2.42 r=bbeurdouche,KathleenWilson All changes: Bug 1618402 - Remove 3 Symantec roots and disable Email trust bit for others Bug 1621151 - Disable Email trust bit for GRCA root Bug 1639987 - Remove expired Staat der Nederlanden Root CA - G2 root cert Bug 1641718 - Remove "LuxTrust Global Root 2" root cert Bug 1641716 - Add Microsoft's non-EV roots Bug 1645174 - Add Microsec's "e-Szigno Root CA 2017" root cert Bug 1645186 - Add "certSIGN Root CA G2" root cert Bug 1645199 - Remove Expired AddTrust root certs Depends on D79373 Differential Revision: https://phabricator.services.mozilla.com/D79374
d541eaaca2ef4258ddd71413cd47ca2e4764f164: Bug 1645186 - Add certSIGN Root CA G2 root cert r=KathleenWilson
J.C. Jones <jjones@mozilla.com> - Fri, 12 Jun 2020 21:33:13 +0000 - rev 15672
Push 3774 by kjacobs@mozilla.com at Mon, 15 Jun 2020 19:11:00 +0000
Bug 1645186 - Add certSIGN Root CA G2 root cert r=KathleenWilson Friendly Name: certSIGN Root CA G2 Cert Location: http://crl.certsign.ro/certsign-rootg2.crt SHA-1 Fingerprint: 26F993B4ED3D2827B0B94BA7E9151DA38D92E532 SHA-256 Fingerprint: 657CFE2FA73FAA38462571F332A2363A46FCE7020951710702CDFBB6EEDA3305 Trust Flags: Websites Test URL: https://testssl-valid-evcp.certsign.ro/ Depends on D79372 Differential Revision: https://phabricator.services.mozilla.com/D79373
6d397f2a5f01dff6f1a3e74897087315119caa0c: Bug 1645174 - Add e-Szigno Root CA 2017 r=KathleenWilson,kjacobs
J.C. Jones <jjones@mozilla.com> - Fri, 12 Jun 2020 21:31:47 +0000 - rev 15671
Push 3774 by kjacobs@mozilla.com at Mon, 15 Jun 2020 19:11:00 +0000
Bug 1645174 - Add e-Szigno Root CA 2017 r=KathleenWilson,kjacobs Depends on D79371 Differential Revision: https://phabricator.services.mozilla.com/D79372
576f52ca3f02b22a4e0282c01283ff5933cd3d08: Bug 1641716 - Add Microsoft non-EV roots r=KathleenWilson,kjacobs
J.C. Jones <jjones@mozilla.com> - Fri, 12 Jun 2020 21:30:36 +0000 - rev 15670
Push 3774 by kjacobs@mozilla.com at Mon, 15 Jun 2020 19:11:00 +0000
Bug 1641716 - Add Microsoft non-EV roots r=KathleenWilson,kjacobs Friendly Name: Microsoft ECC Root Certificate Authority 2017 Cert Location: http://www.microsoft.com/pkiops/certs/Microsoft%20ECC%20Root%20Certificate%20Authority%202017.crt SHA-1 Fingerprint: 999A64C37FF47D9FAB95F14769891460EEC4C3C5 SHA-256 Fingerprint: 358DF39D764AF9E1B766E9C972DF352EE15CFAC227AF6AD1D70E8E4A6EDCBA02 Trust Flags: Websites Test URL: https://acteccroot2017.pki.microsoft.com/ Friendly Name: Microsoft RSA Root Certificate Authority 2017 Cert Location: http://www.microsoft.com/pkiops/certs/Microsoft%20RSA%20Root%20Certificate%20Authority%202017.crt SHA-1 Fingerprint: 73A5E64A3BFF8316FF0EDCCC618A906E4EAE4D74 SHA-256 Fingerprint: C741F70F4B2A8D88BF2E71C14122EF53EF10EBA0CFA5E64CFA20F418853073E0 Trust Flags: Websites Test URL: https://actrsaroot2017.pki.microsoft.com/ Depends on D79370 Differential Revision: https://phabricator.services.mozilla.com/D79371
96d0279ef929c97c96c6d1c25781bdbbd563bd76: Bug 1645199 - Remove Expired AddTrust root certs r=KathleenWilson,kjacobs
J.C. Jones <jjones@mozilla.com> - Fri, 12 Jun 2020 21:35:09 +0000 - rev 15669
Push 3774 by kjacobs@mozilla.com at Mon, 15 Jun 2020 19:11:00 +0000
Bug 1645199 - Remove Expired AddTrust root certs r=KathleenWilson,kjacobs Remove the following two expired AddTrust root certs from NSS. Subject/Issuer: CN=AddTrust Class 1 CA Root; OU=AddTrust TTP Network; O=AddTrust AB; C=SE Valid To (GMT): 5/30/2020 SHA-1 Fingerprint: CCAB0EA04C2301D6697BDD379FCD12EB24E3949D SHA-256 Fingerprint: 8C7209279AC04E275E16D07FD3B775E80154B5968046E31F52DD25766324E9A7 Subject/Issuer: CN=AddTrust External CA Root; OU=AddTrust External TTP Network; O=AddTrust AB; C=SE Valid To (GMT): 5/30/2020 SHA-1 Fingerprint: 02FAF3E291435468607857694DF5E45B68851868 SHA-256 Fingerprint: 687FA451382278FFF0C8B11F8D43D576671C6EB2BCEAB413FB83D965D06D2FF2 Mozilla EV Policy OID(s): 1.3.6.1.4.1.6449.1.2.1.5.1 Depends on D79369 Differential Revision: https://phabricator.services.mozilla.com/D79370
cc40386d3958dfcf083b2764967460aeeaaf7b1c: Bug 1641718 - Remove "LuxTrust Global Root 2" root cert r=KathleenWilson,kjacobs
J.C. Jones <jjones@mozilla.com> - Fri, 12 Jun 2020 21:29:05 +0000 - rev 15668
Push 3774 by kjacobs@mozilla.com at Mon, 15 Jun 2020 19:11:00 +0000
Bug 1641718 - Remove "LuxTrust Global Root 2" root cert r=KathleenWilson,kjacobs Subject: CN=LuxTrust Global Root 2; O=LuxTrust S.A.; C=LU Valid From (GMT): 3/5/2015 Valid To (GMT): 3/5/2035 Certificate Serial Number: 0A7EA6DF4B449EDA6A24859EE6B815D3167FBBB1 SHA-1 Fingerprint: 1E0E56190AD18B2598B20444FF668A0417995F3F SHA-256 Fingerprint: 54455F7129C20B1447C418F997168F24C58FC5023BF5DA5BE2EB6E1DD8902ED5 Depends on D79368 Differential Revision: https://phabricator.services.mozilla.com/D79369
7236f86d8db7de6c7db6c1041e61fc0f92d44f40: Bug 1639987 - Remove expired Staat der Nederlanden Root CA - G2 root cert r=KathleenWilson,kjacobs
J.C. Jones <jjones@mozilla.com> - Fri, 12 Jun 2020 21:26:08 +0000 - rev 15667
Push 3774 by kjacobs@mozilla.com at Mon, 15 Jun 2020 19:11:00 +0000
Bug 1639987 - Remove expired Staat der Nederlanden Root CA - G2 root cert r=KathleenWilson,kjacobs Subject: CN=Staat der Nederlanden Root CA - G2; O=Staat der Nederlanden; C=NL Valid From (GMT): 3/26/2008 Valid To (GMT): 3/25/2020 Certificate Serial Number: 0098968C SHA-1 Fingerprint: 59AF82799186C7B47507CBCF035746EB04DDB716 SHA-256 Fingerprint: 668C83947DA63B724BECE1743C31A0E6AED0DB8EC5B31BE377BB784F91B6716F Depends on D79367 Differential Revision: https://phabricator.services.mozilla.com/D79368
d56b95fc344f2f6a16719e7a38eecc08262e6924: Bug 1621151 - Disable email trust bit for TW Government Root Certification Authority root r=kjacobs,KathleenWilson
J.C. Jones <jjones@mozilla.com> - Fri, 12 Jun 2020 21:24:50 +0000 - rev 15666
Push 3774 by kjacobs@mozilla.com at Mon, 15 Jun 2020 19:11:00 +0000
Bug 1621151 - Disable email trust bit for TW Government Root Certification Authority root r=kjacobs,KathleenWilson Depends on D79366 Differential Revision: https://phabricator.services.mozilla.com/D79367
606157f404c2753afe710194b12a11936a6c76b8: Bug 1618402 - Disable email trust bit for several Symantec certs r=KathleenWilson,kjacobs
J.C. Jones <jjones@mozilla.com> - Fri, 12 Jun 2020 21:23:06 +0000 - rev 15665
Push 3774 by kjacobs@mozilla.com at Mon, 15 Jun 2020 19:11:00 +0000
Bug 1618402 - Disable email trust bit for several Symantec certs r=KathleenWilson,kjacobs Disable the Email trust bit for the following root certs" Subject: CN=GeoTrust Global CA; O=GeoTrust Inc.; C=US Certificate Serial Number: 023456 SHA-1 Fingerprint: DE28F4A4FFE5B92FA3C503D1A349A7F9962A8212 SHA-256 Fingerprint: FF856A2D251DCD88D36656F450126798CFABAADE40799C722DE4D2B5DB36A73A Subject: CN=GeoTrust Primary Certification Authority - G2; OU=(c) 2007 GeoTrust Inc. - For authorized use only; O=GeoTrust Inc.; C=US Certificate Serial Number: 3CB2F4480A00E2FEEB243B5E603EC36B SHA-1 Fingerprint: 8D1784D537F3037DEC70FE578B519A99E610D7B0 SHA-256 Fingerprint: 5EDB7AC43B82A06A8761E8D7BE4979EBF2611F7DD79BF91C1C6B566A219ED766 Subject: CN=GeoTrust Primary Certification Authority - G3; OU=(c) 2008 GeoTrust Inc. - For authorized use only; O=GeoTrust Inc.; C=US Certificate Serial Number: 15AC6E9419B2794B41F627A9C3180F1F SHA-1 Fingerprint: 039EEDB80BE7A03C6953893B20D2D9323A4C2AFD SHA-256 Fingerprint: B478B812250DF878635C2AA7EC7D155EAA625EE82916E2CD294361886CD1FBD4 Subject: CN=GeoTrust Universal CA; O=GeoTrust Inc.; C=US Certificate Serial Number: 01 SHA-1 Fingerprint: E621F3354379059A4B68309D8A2F74221587EC79 SHA-256 Fingerprint: A0459B9F63B22559F5FA5D4C6DB3F9F72FF19342033578F073BF1D1B46CBB912 Subject: CN=GeoTrust Universal CA 2; O=GeoTrust Inc.; C=US Certificate Serial Number: 01 SHA-1 Fingerprint: 379A197B418545350CA60369F33C2EAF474F2079 SHA-256 Fingerprint: A0234F3BC8527CA5628EEC81AD5D69895DA5680DC91D1CB8477F33F878B95B0B Subject: CN=VeriSign Class 3 Public Primary Certification Authority - G4; OU=VeriSign Trust Network, (c) 2007 VeriSign, Inc. - For authorized use only; O=VeriSign, Inc.; C=US Certificate Serial Number: 2F80FE238C0E220F486712289187ACB3 SHA-1 Fingerprint: 22D5D8DF8F0231D18DF79DB7CF8A2D64C93F6C3A SHA-256 Fingerprint: 69DDD7EA90BB57C93E135DC85EA6FCD5480B603239BDC454FC758B2A26CF7F79 Subject: CN=VeriSign Class 3 Public Primary Certification Authority - G5; OU=VeriSign Trust Network, (c) 2006 VeriSign, Inc. - For authorized use only; O=VeriSign, Inc.; C=US Certificate Serial Number: 18DAD19E267DE8BB4A2158CDCC6B3B4A SHA-1 Fingerprint: 4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5 SHA-256 Fingerprint: 9ACFAB7E43C8D880D06B262A94DEEEE4B4659989C3D0CAF19BAF6405E41AB7DF Depends on D79365 Differential Revision: https://phabricator.services.mozilla.com/D79366
8cd8fd97f0e7509c92915682bd8057e6995a25c4: Bug 1618402 - Remove VeriSign CA and associated EgyptTrust distrust entries r=KathleenWilson,kjacobs
J.C. Jones <jjones@mozilla.com> - Fri, 12 Jun 2020 21:17:07 +0000 - rev 15664
Push 3774 by kjacobs@mozilla.com at Mon, 15 Jun 2020 19:11:00 +0000
Bug 1618402 - Remove VeriSign CA and associated EgyptTrust distrust entries r=KathleenWilson,kjacobs Remove the VeriSign Class 3 Public Primary Certification Authority - G3 CA: Subject: CN=VeriSign Class 3 Public Primary Certification Authority - G3; OU=VeriSign Trust Network, (c) 1999 VeriSign, Inc. - For authorized use only; O=VeriSign, Inc.; C=US Certificate Serial Number: 009B7E0649A33E62B9D5EE90487129EF57 SHA-1 Fingerprint: 132D0D45534B6997CDB2D5C339E25576609B5CC6 SHA-256 Fingerprint: EB04CF5EB1F39AFA762F2BB120F296CBA520C1B97DB1589565B81CB9A17B7244 Because of the removal of VeriSign Class 3 Public Primary Certification Authority - G3, these knock-out entries, signed by that CA, should be removed: cert 1: Serial Number:4c:00:36:1b:e5:08:2b:a9:aa:ce:74:0a:05:3e:fb:34 Subject: CN=Egypt Trust Class 3 Managed PKI Enterprise Administrator CA,OU=Terms of use at https://www.egypttrust.com/epository/rpa (c)08,OU=VeriSign Trust Network,O=Egypt Trust,C=EG Not Valid Before: Sun May 18 00:00:00 2008 Not Valid After : Thu May 17 23:59:59 2018 Fingerprint (MD5): A7:91:05:96:B1:56:01:26:4E:BF:80:80:08:86:1B:4D Fingerprint (SHA1): 6A:2C:5C:B0:94:D5:E0:B7:57:FB:0F:58:42:AA:C8:13:A5:80:2F:E1 cert 2: Serial Number:3e:0c:9e:87:69:aa:95:5c:ea:23:d8:45:9e:d4:5b:51 Subject: CN=Egypt Trust Class 3 Managed PKI Operational Administrator CA,OU=Terms of use at https://www.egypttrust.com/epository/rpa (c)08,OU=VeriSign Trust Network,O=Egypt Trust,C=EG Not Valid Before: Sun May 18 00:00:00 2008 Not Valid After : Thu May 17 23:59:59 2018 Fingerprint (MD5): D0:C3:71:17:3E:39:80:C6:50:4F:04:22:DF:40:E1:34 Fingerprint (SHA1): 9C:65:5E:D5:FA:E3:B8:96:4D:89:72:F6:3A:63:53:59:3F:5E:B4:4E cert 3: Issuer: CN=VeriSign Class 3 Public Primary Certification Authority - G3,OU="(c) 1999 VeriSign, Inc. - For authorized use nly",OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US Serial Number:12:bd:26:a2:ae:33:c0:7f:24:7b:6a:58:69:f2:0a:76 Subject: CN=Egypt Trust Class 3 Managed PKI SCO Administrator CA,OU=Terms of use at https://www.egypttrust.com/repository/rpa c)08,OU=VeriSign Trust Network,O=Egypt Trust,C=EG Not Valid Before: Sun May 18 00:00:00 2008 Not Valid After : Thu May 17 23:59:59 2018 Fingerprint (MD5): C2:13:5E:B2:67:8A:5C:F7:91:EF:8F:29:0F:9B:77:6E Fingerprint (SHA1): 83:23:F1:4F:BC:9F:9B:80:B7:9D:ED:14:CD:01:57:CD:FB:08:95:D2 Depends on D79364 Differential Revision: https://phabricator.services.mozilla.com/D79365
06e27f62d77b35099f2033e7e812283f7e1e485f: Bug 1618402 - Remove Symantec and VeriSign roots r=KathleenWilson,kjacobs
J.C. Jones <jjones@mozilla.com> - Fri, 12 Jun 2020 21:15:27 +0000 - rev 15663
Push 3774 by kjacobs@mozilla.com at Mon, 15 Jun 2020 19:11:00 +0000
Bug 1618402 - Remove Symantec and VeriSign roots r=KathleenWilson,kjacobs Remove the following root certs: Subject: CN=Symantec Class 2 Public Primary Certification Authority - G4; OU=Symantec Trust Network; O=Symantec Corporation; C=US Certificate Serial Number: 34176512403BB756802D80CB7955A61E SHA-1 Fingerprint: 6724902E4801B02296401046B4B1672CA975FD2B SHA-256 Fingerprint: FE863D0822FE7A2353FA484D5924E875656D3DC9FB58771F6F616F9D571BC592 Subject: CN=Symantec Class 1 Public Primary Certification Authority - G4; OU=Symantec Trust Network; O=Symantec Corporation; C=US Certificate Serial Number: 216E33A5CBD388A46F2907B4273CC4D8 SHA-1 Fingerprint: 84F2E3DD83133EA91D19527F02D729BFC15FE667 SHA-256 Fingerprint: 363F3C849EAB03B0A2A0F636D7B86D04D3AC7FCFE26A0A9121AB9795F6E176DF Differential Revision: https://phabricator.services.mozilla.com/D79364
f46fca8ced7fca6aa6de60e3170b2a3b6b2df565: Bug 1642146 - Move seed.o back into freeblpriv3. r=bbeurdouche
Mike Hommey <mh@glandium.org> - Mon, 15 Jun 2020 18:12:09 +0000 - rev 15662
Push 3773 by kjacobs@mozilla.com at Mon, 15 Jun 2020 18:15:20 +0000
Bug 1642146 - Move seed.o back into freeblpriv3. r=bbeurdouche Differential Revision: https://phabricator.services.mozilla.com/D77595
cbf75aedf480947b99cca0114a6926549b948551: Bug 1645479 - Use SECITEM_CopyItem instead of SECITEM_MakeItem in secutil.c. r=jcj
Kevin Jacobs <kjacobs@mozilla.com> - Fri, 12 Jun 2020 20:17:48 +0000 - rev 15661
Push 3772 by kjacobs@mozilla.com at Fri, 12 Jun 2020 20:19:12 +0000
Bug 1645479 - Use SECITEM_CopyItem instead of SECITEM_MakeItem in secutil.c. r=jcj This patch converts a call to `SECITEM_MakeItem` to use `SECITEM_CopyItem` instead. Using the former works fine in NSS CI, but causes build failures in mozilla-central due to differences in how both symbols are exported (i.e. when folding nssutil into nss). Differential Revision: https://phabricator.services.mozilla.com/D79525
7b2413d80ce3f952c58aff03b0e66325bca670fa: Bug 1644774 - Use ClearServerCache instead of SSLInt_ClearSelfEncryptKey for ticket invalidation. r=mt
Kevin Jacobs <kjacobs@mozilla.com> - Thu, 11 Jun 2020 19:40:35 +0000 - rev 15660
Push 3771 by kjacobs@mozilla.com at Thu, 11 Jun 2020 19:41:31 +0000
Bug 1644774 - Use ClearServerCache instead of SSLInt_ClearSelfEncryptKey for ticket invalidation. r=mt Differential Revision: https://phabricator.services.mozilla.com/D79156
c1b1112af415759e73c3219fbfbcc1004cae5bd7: Bug 1603042 - Support external PSKs in tstclnt/selfserv. r=jcj
Kevin Jacobs <kjacobs@mozilla.com> - Wed, 10 Jun 2020 16:18:39 +0000 - rev 15659
Push 3770 by kjacobs@mozilla.com at Wed, 10 Jun 2020 16:22:55 +0000
Bug 1603042 - Support external PSKs in tstclnt/selfserv. r=jcj This patch adds support for TLS 1.3 external PSKs in tstclnt and selfserv with the `-z` option. Command examples: - `selfserv -D -p 4443 -d . -n localhost.localdomain -w nss -V tls1.3: -H 1 -z 0xAAAAAAAABBBBBBBBCCCCCCCCDDDDDDDD[:label] -m` - `tstclnt -h 127.0.0.1 -p 4443 -z 0xAAAAAAAABBBBBBBBCCCCCCCCDDDDDDDD[:label] -d . -w nss` For OpenSSL interop: - `openssl s_server -nocert -port 4433 -psk AAAAAAAABBBBBBBBCCCCCCCCDDDDDDDD [-psk_identity label]` Note: If the optional label is omitted, both NSS tools and OpenSSL default to "Client_identity". Differential Revision: https://phabricator.services.mozilla.com/D75836
238bd7912429145d5f3ec2442fb61bb0b5602dfc: Bug 1642638 - Don't assert sid ciphersuite to be defined in fuzzer mode. r=mt
Kevin Jacobs <kjacobs@mozilla.com> - Tue, 09 Jun 2020 04:21:08 +0000 - rev 15658
Push 3769 by kjacobs@mozilla.com at Wed, 10 Jun 2020 14:23:58 +0000
Bug 1642638 - Don't assert sid ciphersuite to be defined in fuzzer mode. r=mt Differential Revision: https://phabricator.services.mozilla.com/D78395
566fa62d65225e98593e2caa58b592b2f1eeb4ba: Bug 1642802 - Win64 GYP builds to use HACL* curve25519. r=bbeurdouche
Kevin Jacobs <kjacobs@mozilla.com> - Mon, 08 Jun 2020 20:14:28 +0000 - rev 15657
Push 3768 by kjacobs@mozilla.com at Mon, 08 Jun 2020 20:15:48 +0000
Bug 1642802 - Win64 GYP builds to use HACL* curve25519. r=bbeurdouche This patch causes Windows 64-bit GYP builds to use HACL* curve25519 rather than the 32-bit (fiat-crypto) implementation. For non-clang/GCC Win64 builds, we define `KRML_VERIFIED_UINT128` to workaround an upstream bug that breaks Win32 builds by selecting a 64-bit `__int128` implementation (in types.h). For clang/GCC builds, using the compiler-provided type yields a ~5x speedup on Win64. Differential Revision: https://phabricator.services.mozilla.com/D78549
(0) -10000 -3000 -1000 -300 -100 -50 -20 +20 +50 tip