befc258c43369e87fa5f85e6d37efcc82fcb3af3: Set version numbers to 3.52 final NSS_3_52_BRANCH NSS_3_52_RTM
J.C. Jones <jjones@mozilla.com> - Fri, 01 May 2020 14:08:55 -0700 - rev 15583
Push 3734 by jjones@mozilla.com at Fri, 01 May 2020 21:15:54 +0000
Set version numbers to 3.52 final
c5d002af1d61c6fdc35c74bb239a9bc9f02f78eb: Added tag NSS_3_52_BETA2 for changeset bb4462a16de8
Kevin Jacobs <kjacobs@mozilla.com> - Thu, 30 Apr 2020 15:45:46 -0700 - rev 15582
Push 3733 by kjacobs@mozilla.com at Thu, 30 Apr 2020 22:52:01 +0000
Added tag NSS_3_52_BETA2 for changeset bb4462a16de8
bb4462a16de8ca52068ca1e83351b576b60f2410: Bug 1630925 - Guard all instances of NSSCMSSignedData.signerInfos r=kjacobs NSS_3_52_BETA2
zhujianwei7 <zhujianwei7@huawei.com> - Thu, 30 Apr 2020 11:21:14 -0700 - rev 15581
Push 3732 by jjones@mozilla.com at Thu, 30 Apr 2020 22:04:05 +0000
Bug 1630925 - Guard all instances of NSSCMSSignedData.signerInfos r=kjacobs Differential Revision: https://phabricator.services.mozilla.com/D73322
d67517e92371ba798751720f7d21968ab2e25c52: Bug 1619959 - Properly handle multi-block SEED ECB inputs. r=bbeurdouche,jcj
Kevin Jacobs <kjacobs@mozilla.com> - Thu, 30 Apr 2020 19:38:34 +0000 - rev 15580
Push 3731 by kjacobs@mozilla.com at Thu, 30 Apr 2020 19:39:12 +0000
Bug 1619959 - Properly handle multi-block SEED ECB inputs. r=bbeurdouche,jcj Differential Revision: https://phabricator.services.mozilla.com/D71648
11415c3334abfd47ab83537f11f3376406580435: Added tag NSS_3_52_BETA1 for changeset 0b30eb1c3650
Kevin Jacobs <kjacobs@mozilla.com> - Tue, 28 Apr 2020 11:10:10 -0700 - rev 15579
Push 3730 by kjacobs@mozilla.com at Tue, 28 Apr 2020 18:24:49 +0000
Added tag NSS_3_52_BETA1 for changeset 0b30eb1c3650
0b30eb1c365095be6c5bb9bd0aeb60e4a9901e6f: Bug 1571677 Name Constraints validation: CN treated as DNS name even when syntactically invalid as DNS name r=mt NSS_3_52_BETA1
Robert Relyea <rrelyea@redhat.com> - Fri, 24 Apr 2020 11:08:17 -0700 - rev 15578
Push 3729 by rrelyea@redhat.com at Tue, 28 Apr 2020 03:15:57 +0000
Bug 1571677 Name Constraints validation: CN treated as DNS name even when syntactically invalid as DNS name r=mt This patch makes libpkix treat name constraints the same as the NSS cert verifier. This proposal has been available for review for 9 months without objection. Time to make this official. Differential Revision: https://phabricator.services.mozilla.com/D72457
7b5e3b9fbc7d656bacf40528b88ba602e63d470f: Bug 1633498 - Do not define getauxval on iOS targets. r=jcj
Edouard Oger <eoger@fastmail.com> - Mon, 27 Apr 2020 17:52:36 +0000 - rev 15577
Push 3728 by jjones@mozilla.com at Mon, 27 Apr 2020 17:53:09 +0000
Bug 1633498 - Do not define getauxval on iOS targets. r=jcj Differential Revision: https://phabricator.services.mozilla.com/D72715
7f91e3dcfb9be40adee0f88ad75e5e061c73b62c: Bug 1629663 NSS missing IKEv1 Quick Mode KDF prf r=kjacobs
Robert Relyea <rrelyea@redhat.com> - Mon, 27 Apr 2020 10:25:28 -0700 - rev 15576
Push 3727 by rrelyea@redhat.com at Mon, 27 Apr 2020 17:25:36 +0000
Bug 1629663 NSS missing IKEv1 Quick Mode KDF prf r=kjacobs Fix possible free before alloc error found by kjacobs
225bb39eade102eef5f3999eae04a7a16da9b330: Bug 1629663 NSS missing IKEv1 Quick Mode KDF prf r=kjacobs
Robert Relyea <rrelyea@redhat.com> - Mon, 20 Apr 2020 16:58:16 -0700 - rev 15575
Push 3726 by rrelyea@redhat.com at Fri, 24 Apr 2020 16:52:50 +0000
Bug 1629663 NSS missing IKEv1 Quick Mode KDF prf r=kjacobs
We found another KDF function in libreswan that is not using the NSS KDF API. Unfortunately, it seems the existing IKE KDFs in NSS are not usable for the Quick Mode use. The libreswan code is in compute_proto_keymat() and the specification is in https://tools.ietf.org/html/rfc2409#section-5.5
It needs:
KEYMAT = prf(SKEYID_d, [g(qm)^xy ] | protocol | SPI | Ni_b | Nr_b).
which can be thought of as:
KEYMAT = prf(KEY, [KEY] | BYTES)
but with the kicker that it also does multiple rounds, aka key expansion:
KEYMAT = K1 | K2 | K3 | ...
where
K1 = prf(KEY, [KEY] | BYTES)
K2 = prf(KEY, K1 | [KEY] | BYTES)
K3 = prf(KEY, K1 | [KEY] | BYTES)
etc. to generate the needed keying material >PRF size
This patch implements this by extending the Appendix B Mechanism to take an optional key and data in a new Mechanism parameter structure. Which flavor is used (old CK_MECHANISM_TYPE or the new parameter) is determined by the mechanism parameter lengths. Applications which try to use this new feature on old versions of NSS will get an error (rather than invalid data).
Differential Revision: https://phabricator.services.mozilla.com/D71813
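The RFC 2409 section 5.5 Quick Mode KEYMAT expansion that this commit message describes, as an added example that is not NSS or libreswan code: the prf is instantiated as HMAC over the negotiated hash (SHA-1 here), the optional g(qm)^xy is the "[KEY]" of the new NSS mechanism parameter, and every round chains the previous round's output as RFC 2409 specifies. All key, SPI and nonce values are constructed sample inputs.

```python
import hmac

PRF_HASH = "sha1"  # IKEv1 prf defaults to HMAC over the negotiated hash (RFC 2409 s3.2)


def prf(key: bytes, data: bytes, hash_name: str = PRF_HASH) -> bytes:
    """The IKEv1 prf: HMAC keyed with SKEYID_d over the given data."""
    return hmac.new(key, data, hash_name).digest()


def qm_keymat(skeyid_d: bytes, protocol: int, spi: bytes, ni_b: bytes,
              nr_b: bytes, needed: int, g_qm_xy: bytes = b"",
              hash_name: str = PRF_HASH) -> bytes:
    """RFC 2409 s5.5 Quick Mode key expansion.

    KEYMAT = K1 | K2 | K3 | ...
      K1 = prf(SKEYID_d, [g(qm)^xy |] protocol | SPI | Ni_b | Nr_b)
      Kn = prf(SKEYID_d, K(n-1) | [g(qm)^xy |] protocol | SPI | Ni_b | Nr_b)
    g_qm_xy is only present when PFS was negotiated; protocol is the
    one-octet ISAKMP protocol id.  Output is truncated to 'needed' bytes,
    which is how more keying material than one prf block is obtained.
    """
    if not 0 <= protocol <= 0xFF:
        raise ValueError("protocol id is a single octet")
    # The fixed "[KEY] | BYTES" tail fed into every round.
    tail = g_qm_xy + bytes([protocol]) + spi + ni_b + nr_b
    keymat = b""
    prev = b""  # nothing is prepended in round 1, so K1 = prf(KEY, tail)
    while len(keymat) < needed:
        prev = prf(skeyid_d, prev + tail, hash_name)
        keymat += prev
    return keymat[:needed]


if __name__ == "__main__":
    # Constructed sample values (not real session material).
    skeyid_d = bytes(range(20))
    spi, ni, nr = b"\x11\x22\x33\x44", b"N" * 8, b"R" * 8
    # ESP (protocol id 3) needing 52 bytes forces three SHA-1 rounds.
    print(qm_keymat(skeyid_d, 3, spi, ni, nr, 52).hex())
    # With PFS, g(qm)^xy is prepended to every round's input.
    print(qm_keymat(skeyid_d, 3, spi, ni, nr, 20, g_qm_xy=b"\xaa" * 16).hex())
```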
aae226c20dfd2189fb395f43269fe06cf1fb9cb1: Bug 1612881 - Maintain PKCS11 C_GetAttributeValue semantics on attributes that lack NSS database columns r=keeler,rrelyea
Kevin Jacobs <kjacobs@mozilla.com> - Fri, 24 Apr 2020 15:50:42 +0000 - rev 15574
Push 3725 by kjacobs@mozilla.com at Fri, 24 Apr 2020 16:15:39 +0000
Bug 1612881 - Maintain PKCS11 C_GetAttributeValue semantics on attributes that lack NSS database columns r=keeler,rrelyea `sdb_GetAttributeValueNoLock` builds a query string from a list of attributes in the input template. Unfortunately, `sqlite3_prepare_v2` will fail the entire query if one of the attributes is missing from the underlying table. The PKCS #11 spec requires (https://www.cryptsoft.com/pkcs11doc/v220/pkcs11__all_8h.html#aC_GetAttributeValue) setting the output `ulValueLen` field to -1 for such invalid attributes. This patch reads and stores the columns of nssPublic/nssPrivate when opened, then filters an input template in `sdb_GetAttributeValueNoLock` for unbacked/invalid attributes, removing them from the query and setting their template output lengths to -1. Differential Revision: https://phabricator.services.mozilla.com/D71622
a68de0859582726e63ed6cd83d0898973de70d20: Bug 1531906 - Relax ssl3_SetSIDSessionTicket assertions to permit valid, evicted or externally-cached sids. r=mt
Kevin Jacobs <kjacobs@mozilla.com> - Thu, 23 Apr 2020 23:49:39 +0000 - rev 15573
Push 3724 by kjacobs@mozilla.com at Fri, 24 Apr 2020 15:52:04 +0000
Bug 1531906 - Relax ssl3_SetSIDSessionTicket assertions to permit valid, evicted or externally-cached sids. r=mt
This patch relaxes an overzealous assertion for the case where:
1) Two sockets start connections with a shared SID.
2) One receives an empty session ticket in the SH, and evicts the SID from cache.
3) The second socket receives a new session ticket, and attempts to set it in the SID.
We currently assert that the sid is `in_client_cache` at 3), but clearly it cannot be. The outstanding reference remains valid despite the eviction.
This also solves a related assertion failure after https://hg.mozilla.org/mozilla-central/rev/c5a8b641d905 where the same scenario occurs, but instead of being `in_client_cache` or evicted, the SID is `in_external_cache`.
Differential Revision: https://phabricator.services.mozilla.com/D72214
3682d5ef3db54e9c02b5013dd1c3701df9a07985: Bug 1630721 Softoken Functions for FIPS missing r=mt
Robert Relyea <rrelyea@redhat.com> - Thu, 16 Apr 2020 12:32:03 -0700 - rev 15572
Push 3723 by rrelyea@redhat.com at Tue, 21 Apr 2020 20:16:38 +0000
Bug 1630721 Softoken Functions for FIPS missing r=mt
For FIPS we need the following:
1. NIST official Key padding for AES Key Wrap.
2. Combined Hash/Sign mechanisms for DSA and ECDSA.
In the first case our AES_KEY_WRAP_PAD function adds pkcs8 padding to the normal AES_KEY_WRAP, which is a different algorithm than the padded key wrap specified by NIST. PKCS #11 recognized this and created a special mechanism to handle NIST padding. That is why we don't have industry test vectors for CKM_NSS_AES_KEY_WRAP_PAD. This patch implements that NIST version (while maintaining our own). Also PKCS #11 v3.0 specified PKCS #11 mechanisms for AES_KEY_WRAP which are compatible (semantically) with the NSS vendor specific versions, but with non-vendor specific numbers. Softoken now accepts both numbers.
This patch also updates softoken to handle DSA and ECDSA combined hash algorithms other than just SHA1 (which is no longer validated).
Finally this patch uses the NIST KWP test vectors in new gtests for the AES_KEY_WRAP_KWP wrapping algorithm.
As part of the AES_KEY_WRAP_KWP code, the constant time macros have been generalized and moved to secport. Old macros scattered throughout the code have been deleted and existing constant time code has been updated to use the new macros.
Differential Revision: https://phabricator.services.mozilla.com/D71225
2d66bd9dcad4619bb0e85aa1d9e43eb8ec95dc0e: Bug 1613238 - POWER SHA-2 digest vector acceleration. r=jcj,kjacobs
Lauri Kasanen <cand@gmx.com> - Tue, 21 Apr 2020 16:41:54 +0000 - rev 15571
Push 3722 by kjacobs@mozilla.com at Tue, 21 Apr 2020 16:42:29 +0000
Bug 1613238 - POWER SHA-2 digest vector acceleration. r=jcj,kjacobs Differential Revision: https://phabricator.services.mozilla.com/D70519
928721f7016463b6aefef8239ba204bd809416c5: Bug 1603801 [patch] Avoid dcache pollution from sdb_measureAccess() r=mt
Robert Relyea <rrelyea@redhat.com> - Sat, 18 Apr 2020 17:11:20 -0700 - rev 15570
Push 3721 by rrelyea@redhat.com at Mon, 20 Apr 2020 20:32:21 +0000
Bug 1603801 [patch] Avoid dcache pollution from sdb_measureAccess() r=mt As implemented, when sdb_measureAccess() runs it creates up to 10,000 negative dcache entries (cached nonexistent filenames). There is no advantage to leaving these particular filenames in the cache; they will never be searched again. Subsequent runs will run a new test with an intentionally different set of filenames. This can have detrimental effects on some systems; a massive negative dcache can lead to memory or performance problems. Since not all platforms have a problem with negative dcache entries, this patch is limited to those platforms that request it at compile time (Linux is currently the only platform that does). Differential Revision: https://phabricator.services.mozilla.com/D59652
25006e23a7773b1b1569c798210d11bf3f3cc7c4: Bug 1630458 - Produce debug symbols in GYP/MSVC debug builds. r=mt
Kevin Jacobs <kjacobs@mozilla.com> - Thu, 16 Apr 2020 15:16:26 +0000 - rev 15569
Push 3720 by kjacobs@mozilla.com at Thu, 16 Apr 2020 15:59:37 +0000
Bug 1630458 - Produce debug symbols in GYP/MSVC debug builds. r=mt Differential Revision: https://phabricator.services.mozilla.com/D71125
808ec0e6fd77f97afc6b4d00aa500b26aa3ef2b3: Bug 1629655 ckfw needs to support temporary session objects. r=kjacobs
Robert Relyea <rrelyea@redhat.com> - Mon, 13 Apr 2020 15:37:43 -0700 - rev 15568
Push 3719 by rrelyea@redhat.com at Thu, 16 Apr 2020 03:15:41 +0000
Bug 1629655 ckfw needs to support temporary session objects. r=kjacobs libckfw needs to create temporary objects whose space will be freed after use (rather than at token shutdown). Currently only token objects are supported and they are allocated out of a global arena owned by the slot, so the objects only go away when the slot is closed. This patch sets the arena to NULL in nssCKFWObject_Create() if the object is a session object. This tells nssCKFWObject_Create() to create a new arena specifically for this object. That arena is stored in localArena. When the object is destroyed, any localArena will be freed. Differential Revision: https://phabricator.services.mozilla.com/D70916
a252957a380547bc3e66cf1e5cc45e1d193f63ae: Bug 1629661 MPConfig calls in SSL initializes policy before NSS is initialized. r=mt
Robert Relyea <rrelyea@redhat.com> - Tue, 14 Apr 2020 10:50:06 -0700 - rev 15567
Push 3718 by rrelyea@redhat.com at Wed, 15 Apr 2020 17:09:15 +0000
Bug 1629661 MPConfig calls in SSL initializes policy before NSS is initialized. r=mt
NSS has several config functions that multiprocess servers must call before NSS is initialized to set up shared memory caches between the processes. These functions call ssl_init(), which initializes the ssl policy. The ssl policy initialization, however, needs to happen after NSS itself is initialized. Doing so beforehand causes (in the best case) policy to be ignored by these servers, and crashes (in the worst case). Instead, these cache functions should just initialize those things they need (that is, the NSPR ssl error codes).
This patch does:
1) fixes the cache init code to only initialize error codes.
2) fixes the selfserv MP code to 1) be compatible with ssl.sh's selfserv management (at least on Unix), and 2) mimic the way real servers handle the MP_Cache init code (calling NSS_Init after the cache set up).
3) update ssl.sh server policy test to test policy usage on an MP server. This is only done for non-Windows-like OSes because they can't catch the kill signal to force their children to shutdown.
I've verified that the test fails if 2 and 3 are included but 1 is not (and succeeds if all three are included).
Differential Revision: https://phabricator.services.mozilla.com/D70948
50dcc34d470d802c2eae0dea81b3cb3a2c81281d: Bug 1629105 - Update PKCS11 module debug logger for v3.0 r=rrelyea
Kevin Jacobs <kjacobs@mozilla.com> - Mon, 13 Apr 2020 16:07:59 +0000 - rev 15566
Push 3717 by kjacobs@mozilla.com at Mon, 13 Apr 2020 17:07:07 +0000
Bug 1629105 - Update PKCS11 module debug logger for v3.0 r=rrelyea Differential Revision: https://phabricator.services.mozilla.com/D70582
92058f185316cf9b6a977a0cc7f7de88be085d06: Bug 1465613 Fix gmake issue create by the patch which adds ability to distrust certificates issued after a certain date for a specified root cert r=jcj
Robert Relyea <rrelyea@redhat.com> - Tue, 07 Apr 2020 10:51:00 -0700 - rev 15565
Push 3716 by rrelyea@redhat.com at Wed, 08 Apr 2020 21:22:24 +0000
Bug 1465613 Fix gmake issue created by the patch which adds ability to distrust certificates issued after a certain date for a specified root cert r=jcj
I've been trying to run down an issue I've been having, and I think this bug is the source. Whenever I build ('gmake' build), I get the following untracked files:
? lib/ckfw/builtins/testlib/anchor.o
? lib/ckfw/builtins/testlib/bfind.o
? lib/ckfw/builtins/testlib/binst.o
? lib/ckfw/builtins/testlib/bobject.o
? lib/ckfw/builtins/testlib/bsession.o
? lib/ckfw/builtins/testlib/bslot.o
? lib/ckfw/builtins/testlib/btoken.o
? lib/ckfw/builtins/testlib/ckbiver.o
? lib/ckfw/builtins/testlib/constants.o
This is because of the way lib/ckfw/builtins/testlib works: it uses the sources from the directory below, and explicitly references them with ../{source_name}.c. The object file then becomes lib/ckfw/builtins/testlib/{OBJDIR}/../{source_name}.o. The simple fix would be to paper over the issue and just add these to .hgignore, but that would break our ability to build multiple platforms on a single source directory. I'll include a patch that fixes this issue.
bob
Differential Revision: https://phabricator.services.mozilla.com/D70077
e7c7f305078ea9c652e9af6f28af3c3eed36c8ab: Bug 1623374 Need to support the new PKCS #11 Message interface for AES GCM and ChaCha Poly r=mt
Robert Relyea <rrelyea@redhat.com> - Thu, 26 Mar 2020 12:53:56 -0700 - rev 15564
Push 3715 by rrelyea@redhat.com at Wed, 08 Apr 2020 00:14:53 +0000
Bug 1623374 Need to support the new PKCS #11 Message interface for AES GCM and ChaCha Poly r=mt
Update ssl to use the new PK11_AEADOp() interface.
1. We restore the use of PK11Context_Create() for AEAD operations.
2. AES GCM and CHACHA/Poly specific functions are no longer needed as PK11_AEADOp() handles all the mechanism specific processing.
3. TLS semantic differences between the two algorithms are handled by their parameters:
   1. Nonce length is the length of the nonce counter. If it's zero, then XOR_Counter is used (and the nonce length is the sizeof(sslSequenceNumber)).
   2. IV length is the full IV length - nonce length.
   3. TLS 1.3 always uses XOR_Counter.
4. The IV is returned from the token in the encrypt case. Only in the explicit nonce case is it examined. (The code depends on the fact that the count in the token will match sslSequenceNumber.) I did have assert code to verify this was happening for testing, but it's removed from this patch; it can be added back.
5. All the decrypt instances of XOR_Counter IV creation have been collapsed into tls13_WriteNonce().
6. Even though PK11_AEADOp returns and accepts the tag separately (for encrypt and decrypt respectively), the SSL code still returns the values as buffer||tag.
7. tls13_AEAD() has been enhanced so all uses of AEAD outside of the TLS stream can use it instead of their own wrapped version. It can handle streams (CreateContext() tls13_AEAD() tls13_AEAD() DestroyContext()) or single shot tls13_AEAD(context=NULL). In the latter case, the keys for the single shot operation should not be reused.
8. libssl_internals.c in the gtests directory has been updated to handle advancing the internal iv counter when we artificially advance the seqNum. Since we don't have access to any token iv counter (including softoken), the code switches to simulated message mode, and updates the simulated state as appropriate. (Obviously this is for testing only code as it reaches into normally private data structures.)
Differential Revision: https://phabricator.services.mozilla.com/D68480