680ec01577b9359f22c0892dae102e9150e83636: Set version numbers to 3.62 Beta default tip
Kevin Jacobs <kjacobs@mozilla.com> - Fri, 22 Jan 2021 09:09:59 -0800 - rev 15838
Push 3905 by kjacobs@mozilla.com at Fri, 22 Jan 2021 17:14:29 +0000
Set version numbers to 3.62 Beta
1f58d2ef5ad776950066d6e9444ff28719df1c07: Added tag NSS_3_61_RTM for changeset b09bdf93e079 NSS_3_61_BRANCH
Kevin Jacobs <kjacobs@mozilla.com> - Fri, 22 Jan 2021 09:08:55 -0800 - rev 15837
Push 3904 by kjacobs@mozilla.com at Fri, 22 Jan 2021 17:13:12 +0000
Added tag NSS_3_61_RTM for changeset b09bdf93e079
b09bdf93e079c4002aba279c2af49eb110745c6a: Set version numbers to 3.61 final NSS_3_61_BRANCH NSS_3_61_RTM
Kevin Jacobs <kjacobs@mozilla.com> - Fri, 22 Jan 2021 09:08:28 -0800 - rev 15836
Push 3904 by kjacobs@mozilla.com at Fri, 22 Jan 2021 17:13:12 +0000
Set version numbers to 3.61 final
3c88f71115947da05d9e0370f1b3015dc9f58157: Added tag NSS_3_61_BETA1 for changeset 68ae9b456b1b
Kevin Jacobs <kjacobs@mozilla.com> - Tue, 19 Jan 2021 14:07:11 -0800 - rev 15835
Push 3903 by kjacobs@mozilla.com at Tue, 19 Jan 2021 22:14:45 +0000
Added tag NSS_3_61_BETA1 for changeset 68ae9b456b1b
68ae9b456b1bfa745b20ddec421ee6fc3688aed9: Bug 1686557 - Support aarch64-make target in nss-try. r=bbeurdouche NSS_3_61_BETA1
Kevin Jacobs <kjacobs@mozilla.com> - Wed, 13 Jan 2021 22:54:50 +0000 - rev 15834
Push 3902 by kjacobs@mozilla.com at Thu, 14 Jan 2021 17:37:41 +0000
Bug 1686557 - Support aarch64-make target in nss-try. r=bbeurdouche Differential Revision: https://phabricator.services.mozilla.com/D101648
a8de35c990e3361b13c82b0ba8e3a0d3aa11c5a6: Bug 1684300 - Define USE_STATIC_LIBS=1 for softoken_gtest make builds. r=bbeurdouche
Kevin Jacobs <kjacobs@mozilla.com> - Wed, 13 Jan 2021 22:57:26 +0000 - rev 15833
Push 3901 by kjacobs@mozilla.com at Wed, 13 Jan 2021 23:00:51 +0000
Bug 1684300 - Define USE_STATIC_LIBS=1 for softoken_gtest make builds. r=bbeurdouche Differential Revision: https://phabricator.services.mozilla.com/D101668
d4991bb56852e86f45494efbdd535ac0ef1558ca: Bug 1684300 - Disable legacy storage when compiled with NSS_DISABLE_DBM. r=mt
Kevin Jacobs <kjacobs@mozilla.com> - Wed, 13 Jan 2021 02:33:06 +0000 - rev 15832
Push 3900 by kjacobs@mozilla.com at Wed, 13 Jan 2021 16:03:50 +0000
Bug 1684300 - Disable legacy storage when compiled with NSS_DISABLE_DBM. r=mt Differential Revision: https://phabricator.services.mozilla.com/D101218
035e0acf265b3c3063ab77940d2a2f02cbe1af7e: Added tag NSS_3_60_1_RTM for changeset 83173cdd72f6 NSS_3_60_BRANCH
Kevin Jacobs <kjacobs@mozilla.com> - Sat, 26 Dec 2020 09:12:37 -0800 - rev 15831
Push 3899 by kjacobs@mozilla.com at Sat, 26 Dec 2020 17:13:58 +0000
Added tag NSS_3_60_1_RTM for changeset 83173cdd72f6
83173cdd72f6d59982a4587a07786b2f8130222c: Set version numbers to 3.60.1 final NSS_3_60_BRANCH NSS_3_60_1_RTM
Kevin Jacobs <kjacobs@mozilla.com> - Sat, 26 Dec 2020 08:43:58 -0800 - rev 15830
Push 3898 by kjacobs@mozilla.com at Sat, 26 Dec 2020 17:08:22 +0000
Set version numbers to 3.60.1 final
b47465be3b6f1152b12446e90812d0d725b4aef9: Bug 1682863 - Revert nssSlot_IsTokenPresent to 3.58 after ongoing Fx hangs with slow PKCS11 devices. r=bbeurdouche NSS_3_60_BRANCH
Kevin Jacobs <kjacobs@mozilla.com> - Tue, 22 Dec 2020 16:56:38 +0000 - rev 15829
Push 3898 by kjacobs@mozilla.com at Sat, 26 Dec 2020 17:08:22 +0000
Bug 1682863 - Revert nssSlot_IsTokenPresent to 3.58 after ongoing Fx hangs with slow PKCS11 devices. r=bbeurdouche This patch reverts the `nssSlot_IsTokenPresent` changes made in bug 1663661 and bug 1679290, restoring the version used in NSS 3.58 and earlier. It's not an actual `hg backout` because the comment in lib/dev/devt.h is worth keeping. While removing the nested locking did resolve the hang for some (most?) third-party modules, problems remain with some slower tokens after an even further relaxation of the locking, which defeats the purpose of addressing the races in the first place. The crash addressed by these patches was caused by the Intermediate Preloading Healer in Firefox, which has been disabled. We clearly have insufficient test coverage for third-party modules, and now that osclientcerts is enabled in Fx Nightly, any problems caused by these and similar changes are unlikely to be reported until Fx Beta, well after NSS RTM. I think the best option at this point is to simply revert NSS. Differential Revision: https://phabricator.services.mozilla.com/D100344
97ef009f7a782ec6e114255e3ca6ec78859d58bc: Bug 1682863 - Revert nssSlot_IsTokenPresent to 3.58 after ongoing Fx hangs with slow PKCS11 devices. r=bbeurdouche
Kevin Jacobs <kjacobs@mozilla.com> - Tue, 22 Dec 2020 16:56:38 +0000 - rev 15828
Push 3897 by kjacobs@mozilla.com at Wed, 23 Dec 2020 16:19:46 +0000
Bug 1682863 - Revert nssSlot_IsTokenPresent to 3.58 after ongoing Fx hangs with slow PKCS11 devices. r=bbeurdouche This patch reverts the `nssSlot_IsTokenPresent` changes made in bug 1663661 and bug 1679290, restoring the version used in NSS 3.58 and earlier. It's not an actual `hg backout` because the comment in lib/dev/devt.h is worth keeping. While removing the nested locking did resolve the hang for some (most?) third-party modules, problems remain with some slower tokens after an even further relaxation of the locking, which defeats the purpose of addressing the races in the first place. The crash addressed by these patches was caused by the Intermediate Preloading Healer in Firefox, which has been disabled. We clearly have insufficient test coverage for third-party modules, and now that osclientcerts is enabled in Fx Nightly, any problems caused by these and similar changes are unlikely to be reported until Fx Beta, well after NSS RTM. I think the best option at this point is to simply revert NSS. Differential Revision: https://phabricator.services.mozilla.com/D100344
fcebe146314e1b6ddc2661802317e071a4d7693c: Restore lost portion of the bleichenbacher timing batch that addressed
Robert Relyea <rrelyea@redhat.com> - Tue, 22 Dec 2020 10:24:52 -0800 - rev 15827
Push 3896 by rrelyea@redhat.com at Tue, 22 Dec 2020 18:24:58 +0000
Restore lost portion of the bleichenbacher timing batch that addressed review comments. All the review comments pertained to actual code comments, so this patch only affects the comments.
fc05574c739947d615ab0b2b2b564f01c922eccd: Bug 1651411 New tlsfuzzer code can still detect timing issues in RSA operations.
Robert Relyea <rrelyea@redhat.com> - Fri, 18 Dec 2020 09:24:50 -0800 - rev 15826
Push 3895 by rrelyea@redhat.com at Fri, 18 Dec 2020 18:08:55 +0000
Bug 1651411 New tlsfuzzer code can still detect timing issues in RSA operations. This patch defeats Bleichenbacher by not trying to hide the size of the decrypted text, but to hide if the text succeeded or failed. This is done by generating a fake returned text that's based on the key and the cipher text, so the fake data is always the same for the same key and cipher text. Both the length and the plain text are generated with a prf. Here's the proposed spec the patch codes to:
1. Use SHA-256 to hash the private exponent encoded as a big-endian integer to a string the same length as the public modulus. Keep this value secret. (this is just an optimisation so that the implementation doesn't have to serialise the key over and over again)
2. Check the length of input according to step one of https://tools.ietf.org/html/rfc8017#section-7.2.2
3. When provided with a ciphertext, use SHA-256 HMAC(key=hash_from_step1, text=ciphertext) to generate the key derivation key
4. Use SHA-256 HMAC with key derivation key as the key and a two-byte big-endian iterator concatenated with byte string "length" with the big-endian representation of 2048 (0x0800) as the bit length of the generated string.
   - Iterate this PRF 8 times to generate a 256 byte string
5. initialise the length of synthetic message to 0
6. split the PRF output into 2 byte strings, convert into big-endian integers, zero-out high-order bits so that they have the same bit length as the octet length of the maximum acceptable message size (k-11), select the last integer that is no larger than (k-11) or remain at 0 if no integer is smaller than (k-11); this selection needs to be performed using side-channel free operators
7. Use SHA-256 HMAC with key derivation key as the key and a two-byte big-endian iterator concatenated with byte string "message" with the big-endian representation of k*8 - use this PRF to generate k bytes of output (right-truncate last HMAC call if the number of generated bytes is not a multiple of SHA-256 output size)
8. perform the RSA decryption as described in step 2 of section 7.2.2 of rfc8017
9. Verify the EM message padding as described in step 3 of section 7.2.2 of rfc8017, but instead of outputting "decryption error", return the last l bytes of the "message" PRF, where l is the selected synthetic message length using the "length" PRF; make this decision and copy using side-channel free operation
Differential Revision: https://phabricator.services.mozilla.com/D99843
f4995c9fa1854fa550de3337f2fce31f1c94340d: Bug 1682071 IKE Quick mode IPSEC gives you incorrect keys if you are asking for keys smaller than the hash size.
Robert Relyea <rrelyea@redhat.com> - Thu, 17 Dec 2020 16:33:35 -0800 - rev 15825
Push 3894 by rrelyea@redhat.com at Fri, 18 Dec 2020 04:15:51 +0000
Bug 1682071 IKE Quick mode IPSEC gives you incorrect keys if you are asking for keys smaller than the hash size. IKE Appendix B fixes. This patch fixes 2 problems. If you run either ike v1 App B or quick mode asking for a key with length mod macsize = 0, you will generate an extra block that's not used and overwrites the end of the buffer. If you use quick mode, the function incorrectly subsets the existing key rather than generating a new key. This is correct behavior for Appendix B, where appendix B is trying to take a generated key and create a new longer key (with no diversification, just transform the key into something that's longer), so if you ask for a key less than or equal to, then you want to just subset the original key. In quick mode you are taking a base key and creating a set of new keys based on additional data, so you want to subset the generated data. This patch only subsets the original key if you aren't doing quick mode. Full test vectors have now been added for all ike modes in this patch as well (previously we depended on the FIPS CAVS tests to test ike, which covers basic IKEv1, IKEv1_psk, and IKEv2 but not IKEv1 App B and IKE v1 Quick mode). Differential Revision: https://phabricator.services.mozilla.com/D99569
982a05e55349da711fa1a0431b01a41f25203e1f: Added tag NSS_3_59_1_RTM for changeset 8cb6b2f46a75 NSS_3_59_BRANCH
Kevin Jacobs <kjacobs@mozilla.com> - Wed, 16 Dec 2020 16:32:05 -0800 - rev 15824
Push 3893 by kjacobs@mozilla.com at Thu, 17 Dec 2020 00:33:41 +0000
Added tag NSS_3_59_1_RTM for changeset 8cb6b2f46a75
8cb6b2f46a7561d22b9d4b687861f5214d69c29b: Set version numbers to 3.59.1 final NSS_3_59_BRANCH NSS_3_59_1_RTM
Kevin Jacobs <kjacobs@mozilla.com> - Wed, 16 Dec 2020 16:21:47 -0800 - rev 15823
Push 3892 by kjacobs@mozilla.com at Thu, 17 Dec 2020 00:25:06 +0000
Set version numbers to 3.59.1 final
e8f82b2381bc1109027533ffdc14bfc358f6f549: Bug 1679290 - Don't hold slot lock when taking session lock r=bbeurdouche NSS_3_59_BRANCH
Kevin Jacobs <kjacobs@mozilla.com> - Tue, 01 Dec 2020 09:03:49 +0000 - rev 15822
Push 3892 by kjacobs@mozilla.com at Thu, 17 Dec 2020 00:25:06 +0000
Bug 1679290 - Don't hold slot lock when taking session lock r=bbeurdouche [[ https://hg.mozilla.org/projects/nss/rev/0ed11a5835ac1556ff978362cd61069d48f4c5db | 0ed11a5835ac1556ff978362cd61069d48f4c5db ]] fixed a number of race conditions related to NSSSlot member accesses. Unfortunately the locking order that was imposed by that patch has been found to cause problems for at least one PKCS11 module, libnsspem. This patch drops nested locking in favor of unlocking/re-locking. While this isn't perfect, the original problem in bug 1663661 was that `slot->token` could become NULL, which we can easily check after reacquiring. Differential Revision: https://phabricator.services.mozilla.com/D98247
0772f1bf5fd6b68da79550c1b93fbab1db4f3acc: Bug 1677207 - Use GTEST_SKIP in ssl_gtests. r=bbeurdouche
Kevin Jacobs <kjacobs@mozilla.com> - Fri, 11 Dec 2020 18:20:24 +0000 - rev 15821
Push 3891 by kjacobs@mozilla.com at Fri, 11 Dec 2020 18:36:59 +0000
Bug 1677207 - Use GTEST_SKIP in ssl_gtests. r=bbeurdouche Differential Revision: https://phabricator.services.mozilla.com/D98821
e15b78be87fad78ff262d06c4dd3e09efd59e3d2: Bug 1677207 - Replace references to TestCase, which is deprecated, with TestSuite r=bbeurdouche
Kevin Jacobs <kjacobs@mozilla.com> - Fri, 11 Dec 2020 18:20:50 +0000 - rev 15820
Push 3891 by kjacobs@mozilla.com at Fri, 11 Dec 2020 18:36:59 +0000
Bug 1677207 - Replace references to TestCase, which is deprecated, with TestSuite r=bbeurdouche
grep -rl --exclude-dir=google_test INSTANTIATE_TEST_CASE_P gtests | xargs sed -i '' s/INSTANTIATE_TEST_CASE_P/INSTANTIATE_TEST_SUITE_P/g
grep -rl --exclude-dir=google_test SetUpTestCase gtests | xargs sed -i '' s/SetUpTestCase/SetUpTestSuite/g
Differential Revision: https://phabricator.services.mozilla.com/D98818
89141382df45ab72c8a6300c71f7634034370d18: Bug 1677207 - Update Google Test to release-1.10.0 r=bbeurdouche
Kevin Jacobs <kjacobs@mozilla.com> - Fri, 11 Dec 2020 18:21:02 +0000 - rev 15819
Push 3891 by kjacobs@mozilla.com at Fri, 11 Dec 2020 18:36:59 +0000
Bug 1677207 - Update Google Test to release-1.10.0 r=bbeurdouche ./gtests/google_test/update.sh release-1.10.0 && hg remove -A && hg add gtests/google_test/* Differential Revision: https://phabricator.services.mozilla.com/D98814
f277d2674c80151ce7277fa00027d121b374c08e: Set version numbers to 3.61 Beta
Kevin Jacobs <kjacobs@mozilla.com> - Fri, 11 Dec 2020 07:35:03 -0800 - rev 15818
Push 3890 by kjacobs@mozilla.com at Fri, 11 Dec 2020 15:42:22 +0000
Set version numbers to 3.61 Beta
aefe79ebf8c82b179fa2567d93112c95ec984008: Added tag NSS_3_60_RTM for changeset 2015cf6ca323 NSS_3_60_BRANCH
Kevin Jacobs <kjacobs@mozilla.com> - Fri, 11 Dec 2020 07:32:56 -0800 - rev 15817
Push 3889 by kjacobs@mozilla.com at Fri, 11 Dec 2020 15:38:51 +0000
Added tag NSS_3_60_RTM for changeset 2015cf6ca323
2015cf6ca323b3b324ef4aa81287ac0d1401c903: Set version numbers to 3.60 final NSS_3_60_BRANCH NSS_3_60_RTM
Kevin Jacobs <kjacobs@mozilla.com> - Fri, 11 Dec 2020 07:32:40 -0800 - rev 15816
Push 3889 by kjacobs@mozilla.com at Fri, 11 Dec 2020 15:38:51 +0000
Set version numbers to 3.60 final
1fe6cb3c3874b4152f9ad3a2ebc7fff1ceccd5de: Added tag NSS_3_60_BETA1 for changeset f84fb229842a
Kevin Jacobs <kjacobs@mozilla.com> - Tue, 08 Dec 2020 08:14:15 -0800 - rev 15815
Push 3888 by kjacobs@mozilla.com at Tue, 08 Dec 2020 16:15:57 +0000
Added tag NSS_3_60_BETA1 for changeset f84fb229842a
f84fb229842ab7bba938f943eed9d93c5b1c9189: Bug 1680400 - Fix memory leak in PK11_UnwrapPrivKey. r=bbeurdouche NSS_3_60_BETA1
Kevin Jacobs <kjacobs@mozilla.com> - Fri, 04 Dec 2020 17:29:13 +0000 - rev 15814
Push 3887 by kjacobs@mozilla.com at Mon, 07 Dec 2020 16:39:41 +0000
Bug 1680400 - Fix memory leak in PK11_UnwrapPrivKey. r=bbeurdouche Differential Revision: https://phabricator.services.mozilla.com/D98772
ef9198eb289520f78a0c51526f343ed8b6b6bfba: Bug 1570539 - Removed -X alt-server-hello option from tstclnt r=kjacobs
yogesh <yoyogesh01@gmail.com> - Thu, 03 Dec 2020 19:42:42 +0000 - rev 15813
Push 3886 by kjacobs@mozilla.com at Thu, 03 Dec 2020 19:45:01 +0000
Bug 1570539 - Removed -X alt-server-hello option from tstclnt r=kjacobs Differential Revision: https://phabricator.services.mozilla.com/D98634
f9bcf45ca3bff737adafe2c6521aebdd8c4f2f51: Bug 1675523 - CKR_PUBLIC_KEY_INVALID has an incorrect value r=bbeurdouche
J.C. Jones <jjones@mozilla.com> - Thu, 03 Dec 2020 15:38:17 +0000 - rev 15812
Push 3885 by kjacobs@mozilla.com at Thu, 03 Dec 2020 16:18:05 +0000
Bug 1675523 - CKR_PUBLIC_KEY_INVALID has an incorrect value r=bbeurdouche PKCS#11 v2.40: https://www.cryptsoft.com/pkcs11doc/STANDARD/include/v240/pkcs11t.h line 1150 jdk8u: https://hg.openjdk.java.net/jdk8u/jdk8u/jdk/file/eb7f437285a1/src/share/native/sun/security/pkcs11/wrapper/pkcs11t.h#l1155 Differential Revision: https://phabricator.services.mozilla.com/D97337
f8c49b334e51effe8322448e3ec0bfb9b2d72b79: Bug 1678189 - December 2020 batch of root changes, NSS_BUILTINS_LIBRARY_VERSION 2.46. r=bbeurdouche
Kevin Jacobs <kjacobs@mozilla.com> - Tue, 01 Dec 2020 18:27:29 +0000 - rev 15811
Push 3884 by kjacobs@mozilla.com at Tue, 01 Dec 2020 18:33:04 +0000
Bug 1678189 - December 2020 batch of root changes, NSS_BUILTINS_LIBRARY_VERSION 2.46. r=bbeurdouche Differential Revision: https://phabricator.services.mozilla.com/D98268
b9742b439a8155f3510fbfdb00eb3b148e021128: Bug 1678166 - Add NAVER Global Root Certification Authority root cert to NSS. r=bbeurdouche,KathleenWilson
Kevin Jacobs <kjacobs@mozilla.com> - Tue, 01 Dec 2020 18:30:37 +0000 - rev 15810
Push 3884 by kjacobs@mozilla.com at Tue, 01 Dec 2020 18:33:04 +0000
Bug 1678166 - Add NAVER Global Root Certification Authority root cert to NSS. r=bbeurdouche,KathleenWilson Differential Revision: https://phabricator.services.mozilla.com/D98196
4c69d6d0cf210546bef1eed490712462b9296c62: Bug 1670769 - Remove 10 GeoTrust, thawte, and VeriSign root certs from NSS. r=kjacobs,KathleenWilson
Benjamin Beurdouche <benjamin.beurdouche@inria.fr> - Tue, 01 Dec 2020 18:27:29 +0000 - rev 15809
Push 3884 by kjacobs@mozilla.com at Tue, 01 Dec 2020 18:33:04 +0000
Bug 1670769 - Remove 10 GeoTrust, thawte, and VeriSign root certs from NSS. r=kjacobs,KathleenWilson Differential Revision: https://phabricator.services.mozilla.com/D97956
a51fae403328264e84eab35f55f0226aa6c3532a: Bug 1674819 - Fix undefined shift when fuzzing r=bbeurdouche
Kevin Jacobs <kjacobs@mozilla.com> - Tue, 01 Dec 2020 18:05:33 +0000 - rev 15808
Push 3883 by kjacobs@mozilla.com at Tue, 01 Dec 2020 18:08:22 +0000
Bug 1674819 - Fix undefined shift when fuzzing r=bbeurdouche In fuzzer mode, session tickets are serialized without any encryption or integrity protection. This leads to a post-deserialize UBSAN error when shifting by a fuzzed (large) authType value. A real NSS server will not produce these values. Differential Revision: https://phabricator.services.mozilla.com/D97803
22bf7c680b607b6df1850ef1faf54d45f1567a89: Bug 1678384 - Add a build flag to allow building nssckbi-testlib in m-c r=kjacobs
Benjamin Beurdouche <benjamin.beurdouche@inria.fr> - Mon, 30 Nov 2020 17:48:49 +0000 - rev 15807
Push 3882 by kjacobs@mozilla.com at Tue, 01 Dec 2020 17:40:03 +0000
Bug 1678384 - Add a build flag to allow building nssckbi-testlib in m-c r=kjacobs Differential Revision: https://phabricator.services.mozilla.com/D98154
19585ccc7a1f0f4e9a8d2b9c5ceeb408ea90acb9: Bug 1679290 - Don't hold slot lock when taking session lock r=bbeurdouche
Kevin Jacobs <kjacobs@mozilla.com> - Tue, 01 Dec 2020 09:03:49 +0000 - rev 15806
Push 3881 by kjacobs@mozilla.com at Tue, 01 Dec 2020 15:52:01 +0000
Bug 1679290 - Don't hold slot lock when taking session lock r=bbeurdouche [[ https://hg.mozilla.org/projects/nss/rev/0ed11a5835ac1556ff978362cd61069d48f4c5db | 0ed11a5835ac1556ff978362cd61069d48f4c5db ]] fixed a number of race conditions related to NSSSlot member accesses. Unfortunately the locking order that was imposed by that patch has been found to cause problems for at least one PKCS11 module, libnsspem. This patch drops nested locking in favor of unlocking/re-locking. While this isn't perfect, the original problem in bug 1663661 was that `slot->token` could become NULL, which we can easily check after reacquiring. Differential Revision: https://phabricator.services.mozilla.com/D98247
f1e48fbead3d9e69500d7aedc1ef6e4bf334f41e: Bug 1678990 - Use __ARM_FEATURE_CRYPTO for feature detection. r=bbeurdouche
Makoto Kato <m_kato@ga2.so-net.ne.jp> - Wed, 25 Nov 2020 10:53:42 +0000 - rev 15805
Push 3880 by kjacobs@mozilla.com at Wed, 25 Nov 2020 19:40:56 +0000
Bug 1678990 - Use __ARM_FEATURE_CRYPTO for feature detection. r=bbeurdouche Actually, we have CPU feature detection for Linux and FreeBSD on the aarch64 platform. But others don't. macOS doesn't have any CPU feature detection for ARM Crypto Extension, but the toolchain default is turned on. So we should respect __ARM_FEATURE_CRYPTO. Differential Revision: https://phabricator.services.mozilla.com/D97909
d806f7992b10aa9a4dd62d8bf1f1248ae1dab008: Bug 1642174 - Resolve sha512-p8.o: ABI version 2 is not compatible with ABI version 1 output. r=jcj
Lauri Kasanen <cand@gmx.com> - Thu, 19 Nov 2020 12:11:45 -0800 - rev 15804
Push 3879 by kjacobs@mozilla.com at Thu, 19 Nov 2020 20:19:03 +0000
Bug 1642174 - Resolve sha512-p8.o: ABI version 2 is not compatible with ABI version 1 output. r=jcj Don't try to build the SHA-2 accelerated asm on old-ABI ppc. Currently make only, I don't have enough gyp-fu to do that side. However, the reporters of 1642174 and 1635625 both used make, not gyp. Signed-off-by: Lauri Kasanen <cand@gmx.com>
3eacb92e9adf0e250eca309690c3f9a8a257da3b: Bug 1654332 - Fixup a10493dcfcc9: copy ECHConfig.config_id with socket r=jcj
Kevin Jacobs <kjacobs@mozilla.com> - Wed, 18 Nov 2020 20:08:53 +0000 - rev 15803
Push 3878 by kjacobs@mozilla.com at Wed, 18 Nov 2020 20:15:19 +0000
Bug 1654332 - Fixup a10493dcfcc9: copy ECHConfig.config_id with socket r=jcj A late review change for ECH was for the server to compute each ECHConfig `config_id` when set to the socket, rather than on each connection. This works, but now we also need to copy that config_id when copying a socket, else the server won't find a matching ECHConfig to use for decryption. Differential Revision: https://phabricator.services.mozilla.com/D97475
a10493dcfcc92cb9bad985b151325238b6e38b09: Bug 1654332 - Update ESNI to draft-08 (ECH). r=mt
Kevin Jacobs <kjacobs@mozilla.com> - Tue, 17 Nov 2020 23:43:25 +0000 - rev 15802
Push 3877 by kjacobs@mozilla.com at Tue, 17 Nov 2020 23:56:56 +0000
Bug 1654332 - Update ESNI to draft-08 (ECH). r=mt This patch adds support for Encrypted Client Hello (draft-ietf-tls-esni-08), replacing the existing ESNI (draft -02) support. There are five new experimental functions to enable this:
- SSL_EncodeEchConfig: Generates an encoded (not BASE64) ECHConfig given a set of parameters.
- SSL_SetClientEchConfigs: Configures the provided ECHConfig to the given socket. When configured, an ephemeral HPKE keypair will be generated for the CH encryption.
- SSL_SetServerEchConfigs: Configures the provided ECHConfig and keypair to the socket. The keypair specified will be used for HPKE operations in order to decrypt encrypted Client Hellos as they are received.
- SSL_GetEchRetryConfigs: If ECH is rejected by the server and compatible retry_configs are provided, this API allows the application to extract those retry_configs for use in a new connection.
- SSL_EnableTls13GreaseEch: When enabled, non-ECH Client Hellos will have a "GREASE ECH" (i.e. fake) extension appended. GREASE ECH is disabled by default, as there are known compatibility issues that will be addressed in a subsequent draft.
The following ESNI experimental functions are deprecated by this update:
- SSL_EncodeESNIKeys
- SSL_EnableESNI
- SSL_SetESNIKeyPair
In order to be used, NSS must be compiled with `NSS_ENABLE_DRAFT_HPKE` defined. Differential Revision: https://phabricator.services.mozilla.com/D86106
d40121ba59ba02c45fd2736f6e096b3b464916a9: Bug 1654332 - Buffered ClientHello construction. r=mt
Kevin Jacobs <kjacobs@mozilla.com> - Tue, 17 Nov 2020 22:13:40 +0000 - rev 15801
Push 3876 by kjacobs@mozilla.com at Tue, 17 Nov 2020 22:17:33 +0000
Bug 1654332 - Buffered ClientHello construction. r=mt This patch refactors construction of Client Hello messages. Instead of each component of the message being written separately into `ss->sec.ci.sendBuf`, we now construct the message in its own sslBuffer. Once complete, the entire message is added to the sendBuf via `ssl3_AppendHandshake`. `ssl3_SendServerHello` already uses this approach and it becomes necessary for ECH, where we use the constructed ClientHello to create an inner ClientHello. Differential Revision: https://phabricator.services.mozilla.com/D96239
5e7b37609f22370be222686a38c0e12c62c27704: Set version numbers to 3.60 Beta
J.C. Jones <jjones@mozilla.com> - Fri, 13 Nov 2020 12:07:21 -0700 - rev 15800
Push 3875 by jjones@mozilla.com at Fri, 13 Nov 2020 19:32:01 +0000
Set version numbers to 3.60 Beta
69d4b94977f182662b3e9bda1294052c3076e224: Added tag NSS_3_59_RTM for changeset c5d760cbe8d0 NSS_3_59_BRANCH
J.C. Jones <jjones@mozilla.com> - Fri, 13 Nov 2020 12:06:43 -0700 - rev 15799
Push 3874 by jjones@mozilla.com at Fri, 13 Nov 2020 19:31:21 +0000
Added tag NSS_3_59_RTM for changeset c5d760cbe8d0
c5d760cbe8d0c2221a2785db977bd1f1475510ca: Set version numbers to 3.59 final NSS_3_59_BRANCH NSS_3_59_RTM
J.C. Jones <jjones@mozilla.com> - Fri, 13 Nov 2020 12:06:28 -0700 - rev 15798
Push 3874 by jjones@mozilla.com at Fri, 13 Nov 2020 19:31:21 +0000
Set version numbers to 3.59 final
06e965656f085854844e13e72044d29e2f6eb2f1: Added tag NSS_3_59_BETA1 for changeset c3cb09a7d087
J.C. Jones <jjones@mozilla.com> - Tue, 10 Nov 2020 11:57:03 -0700 - rev 15797
Push 3873 by jjones@mozilla.com at Tue, 10 Nov 2020 18:57:33 +0000
Added tag NSS_3_59_BETA1 for changeset c3cb09a7d087
c3cb09a7d08766701c7614879701b22af47543a8: Bug 1607449 - Lock cert->nssCertificate to prevent data race. r=jcj,keeler NSS_3_59_BETA1
Kevin Jacobs <kjacobs@mozilla.com> - Tue, 10 Nov 2020 17:40:07 +0000 - rev 15796
Push 3872 by jjones@mozilla.com at Tue, 10 Nov 2020 17:43:07 +0000
Bug 1607449 - Lock cert->nssCertificate to prevent data race. r=jcj,keeler Differential Revision: https://phabricator.services.mozilla.com/D64233
6ad80d21f30cf0787fddd08d1900ce6199bdeeed: Backed out changeset aa6f29a76cfc for Certificates test failures
J.C. Jones <jjones@mozilla.com> - Mon, 09 Nov 2020 11:26:00 -0700 - rev 15795
Push 3871 by jjones@mozilla.com at Mon, 09 Nov 2020 18:26:51 +0000
Backed out changeset aa6f29a76cfc for Certificates test failures
2bc4260e4ecbd4b8471f0fcd6429fc7ab325527c: Backed out changeset d8df719915f7 for Certificates test failures
J.C. Jones <jjones@mozilla.com> - Mon, 09 Nov 2020 11:25:30 -0700 - rev 15794
Push 3871 by jjones@mozilla.com at Mon, 09 Nov 2020 18:26:51 +0000
Backed out changeset d8df719915f7 for Certificates test failures
d8df719915f7485f82cf0815a4d7e48e676a4604: Added tag NSS_3_59_BETA1 for changeset aa6f29a76cfc
J.C. Jones <jjones@mozilla.com> - Mon, 09 Nov 2020 10:57:04 -0700 - rev 15793
Push 3870 by jjones@mozilla.com at Mon, 09 Nov 2020 18:08:48 +0000
Added tag NSS_3_59_BETA1 for changeset aa6f29a76cfc
aa6f29a76cfca9026b595f3cd52ffc76f18e8508: Bug 1607449 - Lock cert->nssCertificate to prevent data race. r=keeler
Kevin Jacobs <kjacobs@mozilla.com> - Mon, 09 Nov 2020 17:53:21 +0000 - rev 15792
Push 3869 by jjones@mozilla.com at Mon, 09 Nov 2020 17:55:41 +0000
Bug 1607449 - Lock cert->nssCertificate to prevent data race. r=keeler Differential Revision: https://phabricator.services.mozilla.com/D64233
97751cd6d55349944837018475fc3b9e922575fa: Bug 1672823 - Add Wycheproof HMAC test cases. r=jcj
Kevin Jacobs <kjacobs@mozilla.com> - Tue, 03 Nov 2020 06:13:37 +0000 - rev 15791
Push 3868 by kjacobs@mozilla.com at Tue, 03 Nov 2020 20:56:15 +0000
Bug 1672823 - Add Wycheproof HMAC test cases. r=jcj Differential Revision: https://phabricator.services.mozilla.com/D94497
5a02ca2617cf7cfa7798cb24d10014f6c761397f: Bug 1672823 - Add Wycheproof HKDF test cases. r=bbeurdouche
Kevin Jacobs <kjacobs@mozilla.com> - Tue, 03 Nov 2020 03:59:34 +0000 - rev 15790
Push 3868 by kjacobs@mozilla.com at Tue, 03 Nov 2020 20:56:15 +0000
Bug 1672823 - Add Wycheproof HKDF test cases. r=bbeurdouche Differential Revision: https://phabricator.services.mozilla.com/D94496
3ce42ead87f9b629de37d91068f65e7006538ebc: Bug 1672823 - Add Wycheproof DSA test cases. r=jcj
Kevin Jacobs <kjacobs@mozilla.com> - Tue, 03 Nov 2020 18:25:26 +0000 - rev 15789
Push 3868 by kjacobs@mozilla.com at Tue, 03 Nov 2020 20:56:15 +0000
Bug 1672823 - Add Wycheproof DSA test cases. r=jcj Differential Revision: https://phabricator.services.mozilla.com/D94495
0ed11a5835ac1556ff978362cd61069d48f4c5db: Bug 1663661 - Guard against NULL token in nssSlot_IsTokenPresent. r=jcj
Kevin Jacobs <kjacobs@mozilla.com> - Tue, 03 Nov 2020 19:02:15 +0000 - rev 15788
Push 3867 by kjacobs@mozilla.com at Tue, 03 Nov 2020 19:07:41 +0000
Bug 1663661 - Guard against NULL token in nssSlot_IsTokenPresent. r=jcj This patch addresses locking inconsistency in `nssSlot_IsTokenPresent` by retaining the slot lock for the duration of accesses to `slot->token`. This is already done correctly elsewhere. As a side effect, this introduces an ordering requirement: we take `slot->lock` followed by `session->lock`. Differential Revision: https://phabricator.services.mozilla.com/D95636
424974716ef0af19fc1c1c865f4415e64d55dd67: Bug 1670835 - Fixup for 6f79a7695812, add missing return value check. r=rrelyea
Kevin Jacobs <kjacobs@mozilla.com> - Fri, 30 Oct 2020 17:09:49 +0000 - rev 15787
Push 3866 by kjacobs@mozilla.com at Mon, 02 Nov 2020 16:14:24 +0000
Bug 1670835 - Fixup for 6f79a7695812, add missing return value check. r=rrelyea Differential Revision: https://phabricator.services.mozilla.com/D95221
035110dfa0b9a7f755860020fbbb7296c543d63b: Bug 1672291 libpkix OCSP failures on SHA1 self-signed root certs when SHA1 signatures are disabled. r=mt
Robert Relyea <rrelyea@redhat.com> - Mon, 26 Oct 2020 15:50:51 -0700 - rev 15786
Push 3865 by rrelyea@redhat.com at Mon, 26 Oct 2020 22:50:59 +0000
Bug 1672291 libpkix OCSP failures on SHA1 self-signed root certs when SHA1 signatures are disabled. r=mt When libpkix is checking an OCSP cert, it can't use the passed in set of trust anchors as a base because only the single root that signed the leaf can sign the OCSP request. As a result it actually checks the signature of the self-signed root when processing an OCSP request. This fails if the root cert signature is invalid for any reason (including it's a sha1 self-signed root cert and we've disabled sha1 signatures (say, by policy)). Further investigation indicates the difference between our classic code and the current code is the classic code only checks OCSP responses on leaf certs. In the real world, those responses are signed by intermediate certificates (who won't have sha1 signed certificates anymore), so our signature processing works just fine. pkix checks OCSP on the intermediate certificates as well, which are signed by the root cert. In this case the root cert is a chain of 1, and is effectively a leaf. This patch updates the OCSP response code to not check the signatures on the single cert if that cert is a self-signed root cert. This requires bug 391476 so we still do the other validation checking on the certs (making sure it's trusted as a CA). Differential Revision: https://phabricator.services.mozilla.com/D94661
97f69f7a89a1a31b5acb05a551560e62b65495d4: Bug 1672291 libpkix OCSP failures on SHA1 self-signed root certs when SHA1 signatures are disabled.
Robert Relyea <rrelyea@redhat.com> - Fri, 23 Oct 2020 14:35:52 -0700 - rev 15785
Push 3865 by rrelyea@redhat.com at Mon, 26 Oct 2020 22:50:59 +0000
Bug 1672291 libpkix OCSP failures on SHA1 self-signed root certs when SHA1 signatures are disabled. When libpkix is checking an OCSP cert, it can't use the passed in set of trust anchors as a base because only the single root that signed the leaf can sign the OCSP request. As a result it actually checks the signature of the self-signed root when processing an OCSP request. This fails if the root cert signature is invalid for any reason (including it's a sha1 self-signed root cert and we've disabled sha1 signatures (say, by policy)). Further investigation indicates the difference between our classic code and the current code is the classic code only checks OCSP responses on leaf certs. In the real world, those responses are signed by intermediate certificates (who won't have sha1 signed certificates anymore), so our signature processing works just fine. pkix checks OCSP on the intermediate certificates as well, which are signed by the root cert. In this case the root cert is a chain of 1, and is effectively a leaf. This patch updates the OCSP response code to not check the signatures on the single cert if that cert is a self-signed root cert. This requires bug 391476 so we still do the other validation checking on the certs (making sure it's trusted as a CA).
a79d14b06b4a3ca19c169a4b0c1f28d5e2f25b35: Bug 1644209 - Fix broken SelectedCipherSuiteReplacer filter. r=mt
Kevin Jacobs <kjacobs@mozilla.com> - Mon, 26 Oct 2020 14:47:41 +0000 - rev 15784
Push 3864 by kjacobs@mozilla.com at Mon, 26 Oct 2020 15:04:35 +0000
Bug 1644209 - Fix broken SelectedCipherSuiteReplacer filter. r=mt This patch corrects the `SelectedCipherSuiteReplacer` filter to always parse the `session_id` variable (`legacy_session_id` for TLS 1.3+). The previous code attempted to skip it in 1.3+ but did not account for DTLS wire versions, resulting in intermittent failures. Differential Revision: https://phabricator.services.mozilla.com/D94632
b03a4fc5b902498414b02640dcb2717dfef9682f: Bug 1672703, always tolerate the first CCS in TLS 1.3, r=mt
Daiki Ueno <dueno@redhat.com> - Mon, 26 Oct 2020 06:46:11 +0100 - rev 15783
Push 3863 by dueno@redhat.com at Mon, 26 Oct 2020 05:47:47 +0000
Bug 1672703, always tolerate the first CCS in TLS 1.3, r=mt Summary: This flips the meaning of the flag for checking excessive CCS messages, so it only rejects multiple CCS messages while the first CCS message is always accepted. Reviewers: mt Reviewed By: mt Bug #: 1672703 Differential Revision: https://phabricator.services.mozilla.com/D94603
6f79a76958129dc09c353c288f115fd9a51ab7d4: Bug 1670835 Crypto Policy Support needs to be updated with disable/enable support
Robert Relyea <rrelyea@redhat.com> - Fri, 23 Oct 2020 16:14:36 -0700 - rev 15782
Push 3862 by rrelyea@redhat.com at Sat, 24 Oct 2020 00:05:56 +0000
Bug 1670835 Crypto Policy Support needs to be updated with disable/enable support
Policy update
Current state of the nss policy system:
The initial policy patch focused on getting policy working well in handling ssl. The policy infrastructure used two existing NSS infrastructures: 1) Algorithm policies tied to the OIDs and 2) the ssl policy constraints first created to handle export policy restrictions.
To make loadable policies work, we added a couple of new things:
1) a policy parser to the secmod infrastructure which allows us to set algorithm policies based on a config file. This file had two sections: disallow= and allow=. Disallow turned off policy bits, and allow turned them on. Disallow was always parsed first, so you could very strictly control your policy map by saying disallow=all allow={exclusive list of allowed algorithms}
2) a new NSS_Option() value that allowed the policy parser to set integer values (like minimum tls version) based on the data in the policy parser.
3) SSL code which is run at ssl_init time that reads the algorithm policies and maps the results to SSL policies.
The resulting loaded policy code, in general, sets the boundaries of what is possible; the actual enabling/disabling of ssl cipher suites is still under program control, and the builtin NSS default values. The only concession to configuration is if a cipher is disallowed by policy, it is also disabled. Allowing a cipher suite by policy that wasn't already enabled, however, doesn't enable that policy by default. Inside the policy restrictions, applications can still make their own decisions on configuration and preference.
At the time the policy system was designed, there were 3 additional features, which were designed, but not specified: disable, enable, and lock. disable and enable work just like disallow and allow, except they specify what the default settings are. This would allow the policy file to change the underlying default in the case where the application doesn't try to configure ssl on its own. lock would make either the policy or configuration 'locked', meaning once the lock has been executed, no further changes to those configurations would be allowed.
What is needed:
We have a need for the following additional features:
1) we want to turn more of the sha-1 hash function off by default. We still need sha-1 digest because it's used in many non-secure cases, but we do want to disable more sha-1 signature usage. Currently only CERT-SIGNATURE and various hmac usages in SSL ciphers can be controlled by policy. We want to disallow a greater range of signature (that is, signature use in general).
2) we want to disable more ciphers by default, but need a way to have certain policies (like LEGACY) turn them back on, so that our shipped system is more secure by default.
What this patch provides:
1) A new policy flag NSS_USE_ALG_IN_ANY_SIGNATURE was added. The cryptohi code which exports the NSS sign/verify high level code now checks the hash and signing algorithm against this new policy flag and fails if the policy isn't available. New keywords were added to the policy parser for 'all-signature', which implies all signature flags at once, and 'signature', which maps to NSS_USE_ANY_SIGNATURE. NOTE: disable=all/signature and disable=all/all-signature are effectively equivalent because cert-signatures eventually call the low level signature functions, but disable=all allow=rsa-pss/all-signature and disable=all allow=rsa-pss/signature are different in that the former allows all rsa-pss signatures and the latter allows rsa-pss signatures, but not on certificates (or on smime in the future). Also new keywords were added for rsa-pkcs, rsa-pss, and ecdsa for signature algorithms (along with dsa).
2) This patch implements disable and enable. These functions only work on SSL configuration. In the future SMIME/CMS configuration could also be added. Because the policy system is parsed and handled by NSS, and SSL configuration is handled in SSL, we use the same Apply code we used to apply ssl policy to set the initial configuration. The configured enable/disable state is configured in the ALGORITHM policy system, where one bit says the enable/disable value is active and another bit gives its state.
3) two locks have been implemented, policy-lock and ssl-lock. These are specified in the parser as flags (flags=policy-lock,ssl-lock). The policy-lock locks all the policy changes: ssl_policy, algorithm policy, and options. It is implemented by two new exported functions: NSS_IsPolicyLocked() and NSS_LockPolicy(). The first allows applications to test if the policy is locked without having to try changing the policy. The various policy set functions check the NSS_IsPolicyLocked() function and return SEC_ERROR_POLICY_LOCK if it's true. The ssl-lock changes the state of the policy to locked, and the state cannot be changed back without shutting down NSS. The second is implemented by setting a new Option called NSS_DEFAULT_LOCKS and the NSS_DEFAULT_SSL_LOCK flag. The idea is we can add an SMIME lock in the future. SSL checks the NSS_DEFAULT_SSL_LOCK flag before trying to set the cipher suite value, and blocks the change if it's set.
4) sslpolicy tests were updated to test the enable, disable, flags=policy-lock, flags=ssl-lock and the new signature primitives.
5) policy tests were updated to be able to run standalone (like all the other all.sh tests), as well as new tests to detect when no signing algorithms have been enabled.
What is not in the patch
1) S/MIME signature policy has been defined for a while, but never hooked up.
2) S/MIME export policy needs to be connected back to the algorithm policy system just like the ssl cipher suites already are.
3) S/MIME default configuration needs to be connected back to the policy system.
4) ECC Curve policy needs to be hooked up with the signature policy (probably should create a generic 'key meets policy' function and have every call it).
Differential Revision: https://phabricator.services.mozilla.com/D93697
2c791b3afb329faffcaaaf3c752fa54c6f297a2f: Bug 1670835 Crypto Policy Support needs to be updated with disable/enable support
Robert Relyea <rrelyea@redhat.com> - Wed, 14 Oct 2020 11:37:52 -0700 - rev 15781
Push 3862 by rrelyea@redhat.com at Sat, 24 Oct 2020 00:05:56 +0000
Bug 1670835 Crypto Policy Support needs to be updated with disable/enable support
Policy update
Current state of the nss policy system:
The initial policy patch focused on getting policy working well in handling ssl. The policy infrastructure used two existing NSS infrastructures: 1) Algorithm policies tied to the OIDs and 2) the ssl policy constraints first created to handle export policy restrictions.
To make loadable policies work, we added a couple of new things:
1) a policy parser to the secmod infrastructure which allows us to set algorithm policies based on a config file. This file had two sections: disallow= and allow=. Disallow turned off policy bits, and allow turned them on. Disallow was always parsed first, so you could very strictly control your policy map by saying disallow=all allow={exclusive list of allowed algorithms}
2) a new NSS_Option() value that allowed the policy parser to set integer values (like minimum tls version) based on the data in the policy parser.
3) SSL code which is run at ssl_init time that reads the algorithm policies and maps the results to SSL policies.
The resulting loaded policy code, in general, sets the boundaries of what is possible; the actual enabling/disabling of ssl cipher suites is still under program control, and the builtin NSS default values. The only concession to configuration is if a cipher is disallowed by policy, it is also disabled. Allowing a cipher suite by policy that wasn't already enabled, however, doesn't enable that policy by default. Inside the policy restrictions, applications can still make their own decisions on configuration and preference.
At the time the policy system was designed, there were 3 additional features, which were designed, but not specified: disable, enable, and lock. disable and enable work just like disallow and allow, except they specify what the default settings are. This would allow the policy file to change the underlying default in the case where the application doesn't try to configure ssl on its own. lock would make either the policy or configuration 'locked', meaning once the lock has been executed, no further changes to those configurations would be allowed.
What is needed:
We have a need for the following additional features:
1) we want to turn more of the sha-1 hash function off by default. We still need sha-1 digest because it's used in many non-secure cases, but we do want to disable more sha-1 signature usage. Currently only CERT-SIGNATURE and various hmac usages in SSL ciphers can be controlled by policy. We want to disallow a greater range of signature (that is, signature use in general).
2) we want to disable more ciphers by default, but need a way to have certain policies (like LEGACY) turn them back on, so that our shipped system is more secure by default.
What this patch provides:
1) A new policy flag NSS_USE_ALG_IN_ANY_SIGNATURE was added. The cryptohi code which exports the NSS sign/verify high level code now checks the hash and signing algorithm against this new policy flag and fails if the policy isn't available. New keywords were added to the policy parser for 'all-signature', which implies all signature flags at once, and 'signature', which maps to NSS_USE_ANY_SIGNATURE. NOTE: disable=all/signature and disable=all/all-signature are effectively equivalent because cert-signatures eventually call the low level signature functions, but disable=all allow=rsa-pss/all-signature and disable=all allow=rsa-pss/signature are different in that the former allows all rsa-pss signatures and the latter allows rsa-pss signatures, but not on certificates (or on smime in the future). Also new keywords were added for rsa-pkcs, rsa-pss, and ecdsa for signature algorithms (along with dsa).
2) This patch implements disable and enable. These functions only work on SSL configuration. In the future SMIME/CMS configuration could also be added. Because the policy system is parsed and handled by NSS, and SSL configuration is handled in SSL, we use the same Apply code we used to apply ssl policy to set the initial configuration. The configured enable/disable state is configured in the ALGORITHM policy system, where one bit says the enable/disable value is active and another bit gives its state.
3) two locks have been implemented, policy-lock and ssl-lock. These are specified in the parser as flags (flags=policy-lock,ssl-lock). The policy-lock locks all the policy changes: ssl_policy, algorithm policy, and options. It is implemented by two new exported functions: NSS_IsPolicyLocked() and NSS_LockPolicy(). The first allows applications to test if the policy is locked without having to try changing the policy. The various policy set functions check the NSS_IsPolicyLocked() function and return SEC_ERROR_POLICY_LOCK if it's true. The ssl-lock changes the state of the policy to locked, and the state cannot be changed back without shutting down NSS. The second is implemented by setting a new Option called NSS_DEFAULT_LOCKS and the NSS_DEFAULT_SSL_LOCK flag. The idea is we can add an SMIME lock in the future. SSL checks the NSS_DEFAULT_SSL_LOCK flag before trying to set the cipher suite value, and blocks the change if it's set.
4) sslpolicy tests were updated to test the enable, disable, flags=policy-lock, flags=ssl-lock and the new signature primitives.
5) policy tests were updated to be able to run standalone (like all the other all.sh tests), as well as new tests to detect when no signing algorithms have been enabled.
What is not in the patch
1) S/MIME signature policy has been defined for a while, but never hooked up.
2) S/MIME export policy needs to be connected back to the algorithm policy system just like the ssl cipher suites already are.
3) S/MIME default configuration needs to be connected back to the policy system.
4) ECC Curve policy needs to be hooked up with the signature policy (probably should create a generic 'key meets policy' function and have every call it).
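The two bug 1670835 commit messages above (rev 15782 and rev 15781) describe the precedence rules of the policy file: disallow= is applied before allow=, allowing an algorithm does not switch it on, disallowing a cipher also disables it, disable=/enable= only set the SSL default inside the policy bound, certificate signature checks end up in the generic signature path (so all/signature and all/all-signature behave alike), and policy-lock / ssl-lock refuse later changes. The model below is an added illustration of those rules and is not NSS code: the algorithm names, the "ssl" usage bit, the ':' and ',' list separators and the exception names are assumptions made for the example.

```python
# Model of the precedence rules described in the bug 1670835 commit message
# (disallow= before allow=, disable=/enable= as SSL defaults inside the policy
# bound, disallowed implies disabled, policy-lock / ssl-lock freeze changes).
# Added illustration, not NSS code. Assumptions: ':' separates list items,
# ',' separates flags, and "ssl" is a stand-in for the real NSS usage bits.

USAGES = {"cert-signature", "signature", "ssl"}
GROUPS = {"all": USAGES, "all-signature": {"cert-signature", "signature"}}
ALGS = {"rsa-pkcs", "rsa-pss", "ecdsa", "dsa", "sha1", "aes-gcm"}  # illustrative names


class PolicyLocked(Exception):
    """Stands in for SEC_ERROR_POLICY_LOCK."""


class Policy:
    def __init__(self):
        self.bits = {a: set(USAGES) for a in ALGS}          # what policy permits
        self.ssl_enabled = {a: a != "sha1" for a in ALGS}  # constructed built-in defaults
        self.policy_locked = False
        self.ssl_locked = False

    @staticmethod
    def _expand(item):
        """'rsa-pss/signature' -> ({'rsa-pss'}, {'signature'}); a bare name means every usage."""
        name, _, usage = item.partition("/")
        usages = GROUPS.get(usage, {usage}) if usage else set(USAGES)
        if (name != "all" and name not in ALGS) or not usages <= USAGES:
            raise ValueError(f"unknown policy item {item!r}")
        return (set(ALGS) if name == "all" else {name}), set(usages)

    def load(self, config):
        """Apply one config string, e.g. 'disallow=all allow=rsa-pss/all-signature:aes-gcm flags=policy-lock'."""
        kv = {}
        for token in config.split():
            key, sep, value = token.partition("=")
            if not sep:
                raise ValueError(f"expected key=value, got {token!r}")
            kv[key] = value
        for key in ("disallow", "allow", "disable", "enable"):  # fixed order: disallow first
            for item in filter(None, kv.get(key, "").split(":")):
                self._apply(key, item)
        for flag in filter(None, kv.get("flags", "").split(",")):
            if flag == "policy-lock":
                self.policy_locked = True
            elif flag == "ssl-lock":
                self.ssl_locked = True
            else:
                raise ValueError(f"unknown flag {flag!r}")

    def _apply(self, key, item):
        if self.policy_locked:
            raise PolicyLocked(key)
        names, usages = self._expand(item)
        for n in names:
            if key == "disallow":
                self.bits[n] -= usages
                if "ssl" in usages:
                    self.ssl_enabled[n] = False      # disallowed => also disabled
            elif key == "allow":
                self.bits[n] |= usages               # permitted, but not switched on
            elif key == "disable":
                self.ssl_enabled[n] = False
            else:  # enable: only takes effect inside the policy bound
                self.ssl_enabled[n] = "ssl" in self.bits[n]

    def set_cipher_pref(self, name, on):
        """Application-side cipher configuration after policy load."""
        if self.ssl_locked:
            raise PolicyLocked("ssl-lock")
        if on and "ssl" not in self.bits[name]:
            return False                             # cannot enable past the bound
        self.ssl_enabled[name] = on
        return True

    def may_verify(self, alg, on_certificate):
        """Certificate signature checks end in the generic signature path, so they need both bits."""
        need = {"cert-signature", "signature"} if on_certificate else {"signature"}
        return need <= self.bits[alg]
```

Running `Policy().load("disallow=all allow=rsa-pss/signature")` leaves raw rsa-pss signatures permitted but certificate signatures refused, whereas `allow=rsa-pss/all-signature` permits both; the ssl-lock is checked on the application's cipher-preference path, not on the policy path, matching the split between NSS_IsPolicyLocked() and the NSS_DEFAULT_SSL_LOCK flag described in the message.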
33f920fcd1753d2b8f4a5e4f31e317c102d8cbfe: Bug 1666891 - Add PK11_Pub{Wrap,Unwrap}SymKeyWithMechanism r=mt,rrelyea
Robert Relyea <rrelyea@redhat.com> - Fri, 23 Oct 2020 15:34:01 -0700 - rev 15780
Push 3861 by rrelyea@redhat.com at Fri, 23 Oct 2020 22:34:27 +0000
Bug 1666891 - Add PK11_Pub{Wrap,Unwrap}SymKeyWithMechanism r=mt,rrelyea Summary This is useful for RSA-OAEP support. The CKM_RSA_PKCS_OAEP mechanism requires a CK_RSA_PKCS_OAEP_PARAMS be present for PKCS#11 calls. This provides required context for OAEP. However, PK11_PubWrapSymKey lacks a way of providing this context and historically silently converted CKM_RSA_PKCS_OAEP to CKM_RSA_PKCS when an RSA key is provided. Introducing a new call will let us indicate parameters and potentially support other mechanisms in the future. This call mirrors the earlier calls introduced for RSA-PSS: PK11_SignWithMechanism and PK11_VerifyWithMechanism. The CKM_RSA_PKCS_OAEP mechanism requires a CK_RSA_PKCS_OAEP_PARAMS be present for PKCS#11 calls. This provides required context for OAEP. However, PK11_PubUnwrapSymKey lacks a way of providing this context, and additionally lacked a way of indicating which mechanism type to use for the unwrap operation (instead detecting it by key type). Introducing a new call will let us indicate parameters and potentially support other mechanisms in the future. Signed-off-by: Alexander Scheel <ascheel@redhat.com> Differential Revision: https://phabricator.services.mozilla.com/D93424
e3bd9c2f925932b301440fb07ea1228f2d4e39ac: Bug 1667989 - coreconf/config.gypi should allow correct linking on Solaris r=kjacobs,bbeurdouche
Petr Sumbera <petr.sumbera@oracle.com> - Fri, 23 Oct 2020 20:34:27 +0000 - rev 15779
Push 3860 by kjacobs@mozilla.com at Fri, 23 Oct 2020 20:36:50 +0000
Bug 1667989 - coreconf/config.gypi should allow correct linking on Solaris r=kjacobs,bbeurdouche Differential Revision: https://phabricator.services.mozilla.com/D26278
0f15b05daeed54e3a52ce476d3011d14b63725df: Bug 1668123 - Export CERT_AddCertToListHeadWithData and CERT_AddCertToListTailWithData. r=jcj
Kevin Jacobs <kjacobs@mozilla.com> - Fri, 23 Oct 2020 15:49:49 +0000 - rev 15778
Push 3859 by kjacobs@mozilla.com at Fri, 23 Oct 2020 16:23:13 +0000
Bug 1668123 - Export CERT_AddCertToListHeadWithData and CERT_AddCertToListTailWithData. r=jcj Differential Revision: https://phabricator.services.mozilla.com/D94524
7076e78ddafe8beed50903106c656facd7e32f3c: Bug 1634584 - Set CKA_NSS_SERVER_DISTRUST_AFTER for Trustis FPS Root CA. r=kjacobs
Benjamin Beurdouche <bbeurdouche@mozilla.com> - Thu, 30 Jul 2020 19:08:56 +0000 - rev 15777
Push 3858 by jjones@mozilla.com at Wed, 21 Oct 2020 15:55:40 +0000
Bug 1634584 - Set CKA_NSS_SERVER_DISTRUST_AFTER for Trustis FPS Root CA. r=kjacobs Differential Revision: https://phabricator.services.mozilla.com/D85330
d0153cc0c464b257cb6ef87a68e216eb10d501b4: Bug 1663091 - Remove unnecessary assertions in the streaming ASN.1 decoder r=kjacobs
J.C. Jones <jjones@mozilla.com> - Wed, 14 Oct 2020 02:23:44 +0000 - rev 15776
Push 3857 by jjones@mozilla.com at Tue, 20 Oct 2020 15:59:26 +0000
Bug 1663091 - Remove unnecessary assertions in the streaming ASN.1 decoder r=kjacobs The streaming ASN.1 decoder had assertions that, on debug builds, blocked embedding indefinite-length fields inside of definite-length fields/contexts, however that behavior does work correctly, and is valid ASN.1: it tends to happen when wrapping a signature around existing ASN.1-encoded data, if that already-encoded data had an indefinite length. Really these two assertions were just overzealous. The conditional after the asserts handles the case well, and memory sanitizers have not found issue here either. Differential Revision: https://phabricator.services.mozilla.com/D93135
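The bug 1663091 message states that an indefinite-length BER element nested inside a definite-length one is valid and decodes correctly. The walker below is an added illustration of that nesting, written for this page and unrelated to NSS's streaming decoder: it handles the indefinite form (length octet 0x80, terminated by the 00 00 end-of-contents pair) inside a definite-length SEQUENCE, and rejects an inner element that runs past its enclosing bound or never reaches its end-of-contents marker. Only single-byte tags are supported and the sample bytes are constructed.

```python
# BER tag-length-value walker that accepts indefinite-length (0x80 ... 00 00)
# encodings nested inside definite-length ones, the case the commit above
# describes as valid ASN.1. Added illustration, not NSS code; single-byte tags
# only, and the sample bytes at the bottom are constructed.

EOC = b"\x00\x00"   # end-of-contents octets that close an indefinite-length element


def read_length(buf, i, end):
    """Return (length, next_index); length is None for the indefinite form."""
    first = buf[i]
    i += 1
    if first == 0x80:
        return None, i
    if first < 0x80:
        return first, i
    n = first & 0x7F
    if n == 0x7F or i + n > end:
        raise ValueError("bad long-form length")
    return int.from_bytes(buf[i:i + n], "big"), i + n


def parse_one(buf, i, end):
    """Decode one TLV starting at buf[i] that must end by `end`; return (node, next_index)."""
    if i + 2 > end:
        raise ValueError("truncated element")
    tag = buf[i]
    i += 1
    if tag & 0x1F == 0x1F:
        raise ValueError("high-tag-number form not handled in this example")
    constructed = bool(tag & 0x20)
    length, i = read_length(buf, i, end)
    if length is None:
        if not constructed:
            raise ValueError("indefinite length is only valid for constructed encodings")
        children = []
        while True:
            if i + 2 > end:
                raise ValueError("unterminated indefinite-length element")
            if buf[i:i + 2] == EOC:
                break
            child, i = parse_one(buf, i, end)   # children may themselves be indefinite
            children.append(child)
        return {"tag": tag, "indefinite": True, "children": children}, i + 2
    if i + length > end:
        raise ValueError("length runs past the enclosing element")
    if constructed:
        children, _ = parse_all(buf, i, i + length)  # the definite bound confines the nested walk
        return {"tag": tag, "indefinite": False, "children": children}, i + length
    return {"tag": tag, "indefinite": False, "value": bytes(buf[i:i + length])}, i + length


def parse_all(buf, start=0, end=None):
    """Decode consecutive TLVs in buf[start:end]; return (nodes, index_after)."""
    end = len(buf) if end is None else end
    nodes, i = [], start
    while i < end:
        node, i = parse_one(buf, i, end)
        nodes.append(node)
    return nodes, i


# Constructed sample: definite-length SEQUENCE (0x30, 16 bytes) holding an
# indefinite-length constructed OCTET STRING (0x24 0x80 ... 00 00) and an INTEGER.
SAMPLE = bytes.fromhex("3010" "2480" "0403616263" "04026465" "0000" "020105")

if __name__ == "__main__":
    print(parse_all(SAMPLE))
```

The outer definite length is passed down as `end`, so the search for the end-of-contents pair can never read into a sibling element; that bound is what makes the nested indefinite form safe to accept.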
58dc3216d518278f35cf8d9cc7751858c5d019d2: Bug 1670839 - Use ARM crypto extension for AES, SHA1 and SHA2 on mac. r=kjacobs
Mike Hommey <mh@glandium.org> - Tue, 13 Oct 2020 20:29:00 +0000 - rev 15775
Push 3856 by jjones@mozilla.com at Fri, 16 Oct 2020 21:28:43 +0000
Bug 1670839 - Use ARM crypto extension for AES, SHA1 and SHA2 on mac. r=kjacobs AFAICT, the Makefile equivalent already does. Differential Revision: https://phabricator.services.mozilla.com/D93304
54be084e3ba8787580fb50f7cf2e2e979714e5be: Bug 1670839 - Only build sha1-armv8.c code when USE_HW_SHA1 is defined. r=kjacobs
Mike Hommey <mh@glandium.org> - Tue, 13 Oct 2020 20:28:59 +0000 - rev 15774
Push 3856 by jjones@mozilla.com at Fri, 16 Oct 2020 21:28:43 +0000
Bug 1670839 - Only build sha1-armv8.c code when USE_HW_SHA1 is defined. r=kjacobs This matches what is done in sha256-armv8.c, and avoids inconsistency with sha1-fast.c, which will define the same functions in the case USE_HW_SHA1 is not defined. Differential Revision: https://phabricator.services.mozilla.com/D93303
6bfd991020db6b2ce2b8eeabec487d6f12621997: Added tag NSS_3_58_RTM for changeset 1f3db03bba02 NSS_3_58_BRANCH
J.C. Jones <jjones@mozilla.com> - Fri, 16 Oct 2020 07:50:56 -0700 - rev 15773
Push 3855 by jjones@mozilla.com at Fri, 16 Oct 2020 14:54:13 +0000
Added tag NSS_3_58_RTM for changeset 1f3db03bba02
1f3db03bba0212027085e952ab78455784caced6: Set version numbers to 3.58 final NSS_3_58_BRANCH NSS_3_58_RTM
J.C. Jones <jjones@mozilla.com> - Fri, 16 Oct 2020 07:50:49 -0700 - rev 15772
Push 3855 by jjones@mozilla.com at Fri, 16 Oct 2020 14:54:13 +0000
Set version numbers to 3.58 final
d4b21706e432326010e5eabbf8b651edacee7bba: Set version numbers to 3.59 Beta
J.C. Jones <jjones@mozilla.com> - Fri, 16 Oct 2020 07:52:07 -0700 - rev 15771
Push 3854 by jjones@mozilla.com at Fri, 16 Oct 2020 14:53:14 +0000
Set version numbers to 3.59 Beta
a8deadf7adbe0e9ef8f5d4f51d702b7613e2288f: Added tag NSS_3_58_BETA1 for changeset 57bbefa79323
J.C. Jones <jjones@mozilla.com> - Mon, 12 Oct 2020 12:34:35 -0700 - rev 15770
Push 3853 by jjones@mozilla.com at Mon, 12 Oct 2020 19:36:18 +0000
Added tag NSS_3_58_BETA1 for changeset 57bbefa79323
57bbefa793232586d27cee83e74411171e128361: Bug 1641480, TLS 1.3: tighten CCS handling in compatibility mode, r=mt NSS_3_58_BETA1
Daiki Ueno <dueno@redhat.com> - Mon, 12 Oct 2020 17:42:01 +0000 - rev 15769
Push 3852 by kjacobs@mozilla.com at Mon, 12 Oct 2020 17:46:51 +0000
Bug 1641480, TLS 1.3: tighten CCS handling in compatibility mode, r=mt This makes the server reject CCS when the client doesn't indicate the use of the middlebox compatibility mode with a non-empty ClientHello.legacy_session_id, or it sends multiple CCS in a row. Differential Revision: https://phabricator.services.mozilla.com/D79994
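Two commits on this page refine the same server-side rule: bug 1641480 (above) made the server reject a ChangeCipherSpec when the client had not signalled middlebox compatibility mode with a non-empty ClientHello.legacy_session_id, or sent several CCS records, and bug 1672703 (rev 15783) relaxed it so the first CCS is always tolerated and only repeats are rejected. The function below is an added illustration of that final rule with the earlier stricter variant behind a flag; it is not NSS code. The record framing follows RFC 8446, the records are constructed, the handshake bodies are placeholders, and "multiple CCS" is modelled as more than one CCS in the flight.

```python
# Server-side rule for ChangeCipherSpec (CCS) records in a TLS 1.3 handshake,
# modelling the two commits: bug 1641480 rejected a CCS unless the client had
# signalled middlebox compatibility mode (non-empty legacy_session_id) and also
# rejected repeated CCS; bug 1672703 relaxed this so the first CCS is always
# tolerated and only further ones are rejected. Added illustration, not NSS
# code; the records below are constructed, the handshake bodies are
# placeholders, and "repeated" is modelled as more than one CCS in the flight.

CCS, ALERT, HANDSHAKE = 0x14, 0x15, 0x16


def record(ctype, body):
    """Build one TLS record: type, legacy version 0x0303, 16-bit length, body."""
    return bytes([ctype, 0x03, 0x03]) + len(body).to_bytes(2, "big") + body


def records(stream):
    """Split a byte stream into (content_type, body) pairs, rejecting truncation."""
    i = 0
    while i < len(stream):
        if i + 5 > len(stream):
            raise ValueError("truncated record header")
        ctype = stream[i]
        length = int.from_bytes(stream[i + 3:i + 5], "big")
        body = stream[i + 5:i + 5 + length]
        if len(body) != length:
            raise ValueError("truncated record body")
        yield ctype, body
        i += 5 + length


def check_client_flight(stream, legacy_session_id, tolerate_first_ccs=True):
    """Return (accepted, reason) for the records a server reads after ClientHello.
    tolerate_first_ccs=False reproduces the stricter rule from bug 1641480."""
    ccs_seen = 0
    for ctype, body in records(stream):
        if ctype != CCS:
            continue
        if body != b"\x01":            # RFC 8446 D.4: a compatibility CCS is the single byte 0x01
            return False, "malformed change_cipher_spec"
        ccs_seen += 1
        if not tolerate_first_ccs and not legacy_session_id:
            return False, "CCS without middlebox compatibility mode"
        if ccs_seen > 1:
            return False, "excessive CCS"
    return True, "ok"


# Constructed flights; 0x0b is the Certificate handshake type, the rest is filler.
ONE_CCS = record(CCS, b"\x01") + record(HANDSHAKE, b"\x0b\x00\x00\x00")
TWO_CCS = record(CCS, b"\x01") * 2 + record(HANDSHAKE, b"\x0b\x00\x00\x00")
```

With the default `tolerate_first_ccs=True` a single CCS is accepted regardless of the session id, which is the behaviour the later commit settled on; the repeated-CCS and malformed-body rejections stay in both variants.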
6e3bc17f05086854ffd2b06f7fae9371f7a0c174: Bug 1631890 - Add support for Hybrid Public Key Encryption (draft-irtf-cfrg-hpke-05). r=mt
Kevin Jacobs <kjacobs@mozilla.com> - Mon, 12 Oct 2020 17:07:02 +0000 - rev 15768
Push 3851 by kjacobs@mozilla.com at Mon, 12 Oct 2020 17:09:13 +0000
Bug 1631890 - Add support for Hybrid Public Key Encryption (draft-irtf-cfrg-hpke-05). r=mt This patch adds support for Hybrid Public Key Encryption (draft-irtf-cfrg-hpke-05). Because the draft number (and the eventual RFC number) is an input to the key schedule, future updates will *not* be backwards compatible in terms of key material or encryption/decryption. For this reason, a default compilation will produce stubs that simply return an "Invalid Algorithm" error. To opt into using the HPKE functionality, compile with `NSS_ENABLE_DRAFT_HPKE` defined. Once finalized, this flag will not be required to access the functions. Lastly, the `DeriveKeyPair` API is not implemented as it adds complexity around PKCS #11 and is unnecessary for ECH. Differential Revision: https://phabricator.services.mozilla.com/D73947
e8c370a8db134f5afb50915acc64b8d648ed98c9: Bug 1657255 - Update CI for aarch64. r=kjacobs
Makoto Kato <m_kato@ga2.so-net.ne.jp> - Mon, 12 Oct 2020 15:57:38 +0000 - rev 15767
Push 3850 by kjacobs@mozilla.com at Mon, 12 Oct 2020 16:50:35 +0000
Bug 1657255 - Update CI for aarch64. r=kjacobs Actually, we have the implementation of ARM Crypto extension, so CI is always run with this extension. It means that we don't run CI without ARM Crypto extension. So I would like to add NoAES and NoSHA for aarch64 CI. Also, we still run NoSSE4_1 on aarch64 CI, so we shouldn't run this on aarch64 hardware. Differential Revision: https://phabricator.services.mozilla.com/D93062
ce24171832b550cc70b792ec1782c1fabafda100: Bug 1668328 - Enclose Python paths in `coreconf/config.gypi` in quotes r=kjacobs,mt NSS_3_57_BRANCH
Ricky Stewart <rstewart@mozilla.com> - Mon, 05 Oct 2020 15:15:02 +0000 - rev 15766
Push 3849 by jjones@mozilla.com at Wed, 07 Oct 2020 15:10:31 +0000
Bug 1668328 - Enclose Python paths in `coreconf/config.gypi` in quotes r=kjacobs,mt This fixes a breakage if the Python path happens to have a space in it. Differential Revision: https://phabricator.services.mozilla.com/D92236
c7d3b214dd4199fc7ab6040a9e7ef14149ca2151: Bug 1668328 - Enclose Python paths in `coreconf/config.gypi` in quotes r=kjacobs,mt
Ricky Stewart <rstewart@mozilla.com> - Mon, 05 Oct 2020 15:15:02 +0000 - rev 15765
Push 3848 by kjacobs@mozilla.com at Mon, 05 Oct 2020 15:18:43 +0000
Bug 1668328 - Enclose Python paths in `coreconf/config.gypi` in quotes r=kjacobs,mt This fixes a breakage if the Python path happens to have a space in it. Differential Revision: https://phabricator.services.mozilla.com/D92236
8fdbec414ce239ab243b929df9c0c9724b7daa20: Bug 1667153 - Add PK11_ImportDataKey API. r=rrelyea
Kevin Jacobs <kjacobs@mozilla.com> - Thu, 24 Sep 2020 19:25:32 +0000 - rev 15764
Push 3847 by kjacobs@mozilla.com at Thu, 24 Sep 2020 19:40:49 +0000
Bug 1667153 - Add PK11_ImportDataKey API. r=rrelyea This patch adds and exports `PK11_ImportDataKey`, and refactors the null PSK TLS 1.3 code to use it. Differential Revision: https://phabricator.services.mozilla.com/D91316
8ebee3cec9cfb4d5b4355173f193b8e5f5bb9e73: Bug 1665715 - (2/2) pass encoded signed certificate timestamp extension (if present) in CheckRevocation r=jcj
Dana Keeler <dkeeler@mozilla.com> - Wed, 23 Sep 2020 21:13:40 +0000 - rev 15763
Push 3846 by jjones@mozilla.com at Wed, 23 Sep 2020 21:16:23 +0000
Bug 1665715 - (2/2) pass encoded signed certificate timestamp extension (if present) in CheckRevocation r=jcj This will allow Firefox to make decisions based on the earliest known time that a certificate exists (with respect to certificate transparency) that a CA is unlikely to back-date. In particular, this is essential for CRLite. Note that if the SCT signature isn't validated, a CA could still make a certificate appear to have existed for longer than it really has. However, this change is not an attempt to catch malicious CAs. The aim is to avoid false positives in CRLite resulting from CAs backdating the notBefore field on certificates they issue. Depends on D90595 Differential Revision: https://phabricator.services.mozilla.com/D90596
c1f4d565ceda60defa48c330f9064dc0fa9ccd56: Bug 1665715 - (1/2) revert e8f2720c8254 (bug 1593141) because it's no longer necessary r=jcj
Dana Keeler <dkeeler@mozilla.com> - Fri, 18 Sep 2020 19:54:21 +0000 - rev 15762
Push 3846 by jjones@mozilla.com at Wed, 23 Sep 2020 21:16:23 +0000
Bug 1665715 - (1/2) revert e8f2720c8254 (bug 1593141) because it's no longer necessary r=jcj Bug 1593141 added the certificate's notBefore field as an argument to TrustDomain::CheckRevocation so that Firefox could use it with CRLite. However, since CAs can backdate that field, we need to use the earliest embedded SCT timestamp instead. Differential Revision: https://phabricator.services.mozilla.com/D90595
c28e20f61e5d99f83f2d9060d772bfd6d392b4db: Set version numbers to 3.58 Beta
Kevin Jacobs <kjacobs@mozilla.com> - Fri, 18 Sep 2020 10:04:53 -0700 - rev 15761
Push 3845 by kjacobs@mozilla.com at Fri, 18 Sep 2020 17:05:27 +0000
Set version numbers to 3.58 Beta
a963849538caa493c70aba9c42d6264dac9c3987: Added tag NSS_3_57_RTM for changeset cf7e3e8abd77 NSS_3_57_BRANCH
Kevin Jacobs <kjacobs@mozilla.com> - Fri, 18 Sep 2020 10:00:49 -0700 - rev 15760
Push 3844 by kjacobs@mozilla.com at Fri, 18 Sep 2020 17:03:16 +0000
Added tag NSS_3_57_RTM for changeset cf7e3e8abd77
cf7e3e8abd7762c0820b1ea580e6cc2e049f94ef: Set version numbers to 3.57 final NSS_3_57_BRANCH NSS_3_57_RTM
Kevin Jacobs <kjacobs@mozilla.com> - Fri, 18 Sep 2020 10:00:23 -0700 - rev 15759
Push 3844 by kjacobs@mozilla.com at Fri, 18 Sep 2020 17:03:16 +0000
Set version numbers to 3.57 final
f46f20c58c4f7731cb928b4d1678919fd47cdf07: Added tag NSS_3_57_BETA1 for changeset 56224882ccc3
Kevin Jacobs <kjacobs@mozilla.com> - Tue, 15 Sep 2020 15:08:56 -0700 - rev 15758
Push 3843 by kjacobs@mozilla.com at Tue, 15 Sep 2020 22:11:33 +0000
Added tag NSS_3_57_BETA1 for changeset 56224882ccc3
56224882ccc3c079fb22a8f2afedd1d56a0c199e: Bug 1660372 - NSS 3.57 should depend on NSPR 4.29. r=kaie NSS_3_57_BETA1
Kevin Jacobs <kjacobs@mozilla.com> - Tue, 15 Sep 2020 16:50:35 +0000 - rev 15757
Push 3842 by kjacobs@mozilla.com at Tue, 15 Sep 2020 16:55:35 +0000
Bug 1660372 - NSS 3.57 should depend on NSPR 4.29. r=kaie Differential Revision: https://phabricator.services.mozilla.com/D90178
2a17c8655a746c7cce0278114fc0845209b7d374: Bug 1660735 - Fix typo in coreconfig/arch.mk. r=kjacobs
Benjamin Beurdouche <bbeurdouche@mozilla.com> - Mon, 14 Sep 2020 14:55:56 +0000 - rev 15756
Push 3841 by kjacobs@mozilla.com at Mon, 14 Sep 2020 14:58:08 +0000
Bug 1660735 - Fix typo in coreconfig/arch.mk. r=kjacobs Differential Revision: https://phabricator.services.mozilla.com/D90077
4ae56ec2411b8e274f0c3a0f04a80c549a2c6ea3: Bug 1660734 - Fix typo in coreconf/config.mk. r=kjacobs
Benjamin Beurdouche <bbeurdouche@mozilla.com> - Mon, 14 Sep 2020 14:54:04 +0000 - rev 15755
Push 3840 by kjacobs@mozilla.com at Mon, 14 Sep 2020 14:56:37 +0000
Bug 1660734 - Fix typo in coreconf/config.mk. r=kjacobs Differential Revision: https://phabricator.services.mozilla.com/D90081
141ef83ac10b373598a6dd7d9d842474a52a0ada: Bug 1663049 - September 2020 batch of root changes, NSS_BUILTINS_LIBRARY_VERSION 2.44. r=jcj
Kevin Jacobs <kjacobs@mozilla.com> - Fri, 11 Sep 2020 22:03:50 +0000 - rev 15754
Push 3839 by kjacobs@mozilla.com at Fri, 11 Sep 2020 22:38:10 +0000
Bug 1663049 - September 2020 batch of root changes, NSS_BUILTINS_LIBRARY_VERSION 2.44. r=jcj Differential Revision: https://phabricator.services.mozilla.com/D89968
7dfc054a983eb72d522f5641ceaaf37a4d81b87f: Bug 1663049 - Add SecureTrust's Trustwave Global root certificates to NSS. r=KathleenWilson,jcj
Kevin Jacobs <kjacobs@mozilla.com> - Fri, 11 Sep 2020 22:17:03 +0000 - rev 15753
Push 3839 by kjacobs@mozilla.com at Fri, 11 Sep 2020 22:38:10 +0000
Bug 1663049 - Add SecureTrust's Trustwave Global root certificates to NSS. r=KathleenWilson,jcj Differential Revision: https://phabricator.services.mozilla.com/D89843
32a0d8f751ef3f70a02e6f2b7396c30e6cfce49a: Bug 1656077 - Remove Taiwan Government Root Certification Authority root cert. r=KathleenWilson,jcj
Kevin Jacobs <kjacobs@mozilla.com> - Fri, 11 Sep 2020 22:06:46 +0000 - rev 15752
Push 3839 by kjacobs@mozilla.com at Fri, 11 Sep 2020 22:38:10 +0000
Bug 1656077 - Remove Taiwan Government Root Certification Authority root cert. r=KathleenWilson,jcj Depends on D89841 Differential Revision: https://phabricator.services.mozilla.com/D89842
1cdfb26b322088856c691c08c2ae0190a28f3dab: Bug 1653092 - Disable server trust bit for OISTE WISeKey Global Root GA CA root cert. r=KathleenWilson,jcj
Kevin Jacobs <kjacobs@mozilla.com> - Fri, 11 Sep 2020 22:06:08 +0000 - rev 15751
Push 3839 by kjacobs@mozilla.com at Fri, 11 Sep 2020 22:38:10 +0000
Bug 1653092 - Disable server trust bit for OISTE WISeKey Global Root GA CA root cert. r=KathleenWilson,jcj Depends on D89840 Differential Revision: https://phabricator.services.mozilla.com/D89841
089aeca370df1ff1d1c7e0dad9237fadd499ae2e: Bug 1651211 - Remove EE Certification Centre Root CA root cert. r=KathleenWilson,jcj
Kevin Jacobs <kjacobs@mozilla.com> - Fri, 11 Sep 2020 22:05:05 +0000 - rev 15750
Push 3839 by kjacobs@mozilla.com at Fri, 11 Sep 2020 22:38:10 +0000
Bug 1651211 - Remove EE Certification Centre Root CA root cert. r=KathleenWilson,jcj Differential Revision: https://phabricator.services.mozilla.com/D89840
c6dcb99e61210c730ca7cae65dc03d83d7cbf7ff: Bug 1659727 - Move makefile avx2 detection to config.mk. r=kjacobs
Danh <congdanhqx@gmail.com> - Fri, 11 Sep 2020 07:40:57 -0700 - rev 15749
Push 3838 by kjacobs@mozilla.com at Fri, 11 Sep 2020 14:47:52 +0000
Bug 1659727 - Move makefile avx2 detection to config.mk. r=kjacobs Summary: The current code base uses CPU_ARCH to detect if avx2 is supported in arch.mk. However, when arch.mk is included, CPU_ARCH hasn't been initialised; CPU_ARCH will be initialised by the OS specific code later on. Move the AVX2 detection to config.mk, after all other initialisation is done. Reviewers: kjacobs Reviewed By: kjacobs Subscribers: kjacobs Bug #: 1659727 Differential Revision: https://phabricator.services.mozilla.com/D88517
b64436ecbd796ce9912718f2efd01b650faba30f: Bug 1605922 - Account for negative sign in mp_radix_size r=bbeurdouche
Kevin Jacobs <kjacobs@mozilla.com> - Tue, 08 Sep 2020 14:41:46 +0000 - rev 15748
Push 3837 by kjacobs@mozilla.com at Wed, 09 Sep 2020 18:43:19 +0000
Bug 1605922 - Account for negative sign in mp_radix_size r=bbeurdouche Differential Revision: https://phabricator.services.mozilla.com/D86443
b971c77c0d68d76c086a0df21841efb813b78c7b: Bug 1659256, add gcc version check on AArch64 optimization, r=rrelyea
Daiki Ueno <dueno@redhat.com> - Wed, 09 Sep 2020 06:47:08 +0200 - rev 15747
Push 3836 by dueno@redhat.com at Wed, 09 Sep 2020 04:50:40 +0000
Bug 1659256, add gcc version check on AArch64 optimization, r=rrelyea Summary: As described in https://access.redhat.com/solutions/19458, gcc version in RHEL-7 is still 4.8.x and cannot compile the newly added aes-armv8.c. There is a version check already for 32-bit arm, but not for AArch64. This also removes NS_USE_GCC check added in bug 1652032 in favor of the automatic detection using CC_IS_* macros. Reviewers: rrelyea Reviewed By: rrelyea Subscribers: jmux, kjacobs Bug #: 1659256 Differential Revision: https://phabricator.services.mozilla.com/D87174
e524a577761d8d61ff096121a3c00bf22f2cfa94: Bug 1663346 - Build e2k architecture as 64-bit r=jcj
Michael Shigorin <mike@altlinux.org> - Tue, 08 Sep 2020 12:15:51 -0700 - rev 15746
Push 3835 by jjones@mozilla.com at Tue, 08 Sep 2020 19:35:53 +0000
Bug 1663346 - Build e2k architecture as 64-bit r=jcj
e03296e73ba666329bd9c1257038353bc9074466: Bug 1662738, run RNG self-tests only if NSPR is linked, r=rrelyea
Daiki Ueno <dueno@redhat.com> - Sat, 05 Sep 2020 08:53:40 +0200 - rev 15745
Push 3834 by dueno@redhat.com at Sat, 05 Sep 2020 06:54:46 +0000
Bug 1662738, run RNG self-tests only if NSPR is linked, r=rrelyea

Summary: After the continuous DRBG test was added, the RNG self-tests no longer worked standalone. This moves the self-tests to the DO_REST block so they only run when the program is also linked to NSPR.

Reviewers: rrelyea Reviewed By: rrelyea Bug #: 1662738 Differential Revision: https://phabricator.services.mozilla.com/D89250
9213848965f624055e3f2147f584e2433c355432: Bug 1661378 - pkix: Do not use NULL where 0 is needed
Khem Raj <raj.khem@gmail.com> - Wed, 02 Sep 2020 10:45:48 -0700 - rev 15744
Push 3833 by kjacobs@mozilla.com at Wed, 02 Sep 2020 18:31:07 +0000
Bug 1661378 - pkix: Do not use NULL where 0 is needed

Clang finds this error:

```
pkix_logger.c:316:32: error: cast to smaller integer type 'PKIX_ERRORCLASS' from 'void *' [-Werror,-Wvoid-pointer-to-enum-cast]
        logger->logComponent = (PKIX_ERRORCLASS)NULL;
                               ^~~~~~~~~~~~~~~~~~~~~
pkix_logger.c:617:32: error: cast to smaller integer type 'PKIX_ERRORCLASS' from 'void *' [-Werror,-Wvoid-pointer-to-enum-cast]
        logger->logComponent = (PKIX_ERRORCLASS)NULL;
                               ^~~~~~~~~~~~~~~~~~~~~
2 errors generated.
```

Signed-off-by: Khem Raj <raj.khem@gmail.com>
c100e11991f68f60d53b2ebe1975c39ddf8bf784: Bug 1661810 - Define pre_align/post_align based on the compiler. r=jcj
Mike Hommey <mh@glandium.org> - Fri, 28 Aug 2020 21:33:02 +0000 - rev 15743
Push 3832 by mh@glandium.org at Sat, 29 Aug 2020 00:26:47 +0000
Bug 1661810 - Define pre_align/post_align based on the compiler. r=jcj

Things worked fine before we upgraded to clang 11, presumably because the stack was always 16-byte aligned in the first place, or something akin to that, and the lack of pre_align/post_align doing anything didn't matter. The runtime misalignment of the stack may well be a clang > 9 bug, but keeping pre_align/post_align tied to x86/x64 is a footgun anyway.

Differential Revision: https://phabricator.services.mozilla.com/D88667
ab04fd73fd6daef78d3d2932c7295671f75242fa: Bug 1651834 - Fix various static analyzer warnings. r=rrelyea
Kevin Jacobs <kjacobs@mozilla.com> - Mon, 24 Aug 2020 22:52:43 +0000 - rev 15742
Push 3831 by kjacobs@mozilla.com at Tue, 25 Aug 2020 16:48:34 +0000
Bug 1651834 - Fix various static analyzer warnings. r=rrelyea Differential Revision: https://phabricator.services.mozilla.com/D87452
4d55d36ca6efefa97fe1837edbade8f20c7059b9: Bug 1659252, disable building libnssdbm3.so if NSS_DISABLE_DBM=1, r=rrelyea
Daiki Ueno <dueno@redhat.com> - Tue, 25 Aug 2020 15:49:43 +0200 - rev 15741
Push 3830 by dueno@redhat.com at Tue, 25 Aug 2020 13:50:32 +0000
Bug 1659252, disable building libnssdbm3.so if NSS_DISABLE_DBM=1, r=rrelyea Reviewers: rrelyea Reviewed By: rrelyea Bug #: 1659252 Differential Revision: https://phabricator.services.mozilla.com/D87173
5dca54fe61c2916e540129590a40772d5be89a1d: Bug 1660304 New FIPS IG requires self-tests for approved kdfs. r=ueno comments=kjacobs
Robert Relyea <rrelyea@redhat.com> - Mon, 24 Aug 2020 15:46:31 -0700 - rev 15740
Push 3829 by rrelyea@redhat.com at Mon, 24 Aug 2020 22:46:41 +0000
Bug 1660304 New FIPS IG requires self-tests for approved kdfs. r=ueno comments=kjacobs

FIPS guidance now requires self-tests for our kdfs. It also requires self-tests for cmac, which we didn't have in the cmac patch. Currently only one test per kdf is necessary. Specifically for SP-800-108, only one of the three flavors (counter, feedback, or pipeline) is needed. This patch includes more complete testing, but the currently extraneous tests have been turned off, under the assumption that NIST guidance may require them in the future. HKDF is currently not included in FIPS, but is on track to be included, so hkdf has been included in this patch.

Because the test vectors are const strings, the patch pushes some const definitions that were missing in existing private interfaces.

There are three flavors of self-tests:
1. Functions implemented in freebl are added to freebl/fipsfreebl.c
2. Functions implemented in pkcs11c.c have self-tests completely implemented in softoken/fipstest.c
3. Functions implemented in their own .c file have their self-test function implemented in that .c file and called by fipstests.c

These are consistent with the previous choices for self-tests.

Some private interfaces that took in keys from pkcs #11 structures or output keys to pkcs #11 structures were modified to optionally take keys in as bytes and output keys as bytes, so the self-tests can work in just bytes.

Differential Revision: https://phabricator.services.mozilla.com/D87812
0e1b5c711cb9d810f8958857fafb5d0349d3c56f: Bug 1653641 - Cleanup inaccurate DTLS comments, code review fixes. r=mt
Kevin Jacobs <kjacobs@mozilla.com> - Mon, 24 Aug 2020 18:04:59 +0000 - rev 15739
Push 3828 by kjacobs@mozilla.com at Mon, 24 Aug 2020 18:42:36 +0000
Bug 1653641 - Cleanup inaccurate DTLS comments, code review fixes. r=mt Differential Revision: https://phabricator.services.mozilla.com/D84255
783f49ae6126cebefd18aae7e035108e9181e39c: Set version numbers to 3.57 Beta
Kevin Jacobs <kjacobs@mozilla.com> - Fri, 21 Aug 2020 08:49:44 -0700 - rev 15738
Push 3827 by kjacobs@mozilla.com at Fri, 21 Aug 2020 15:52:42 +0000
Set version numbers to 3.57 Beta
b5dc40c14e3ae960b4bcdcca67d035377599e580: Added tag NSS_3_56_RTM for changeset 809ff9ff0140 NSS_3_56_BRANCH
Kevin Jacobs <kjacobs@mozilla.com> - Fri, 21 Aug 2020 08:12:08 -0700 - rev 15737
Push 3826 by kjacobs@mozilla.com at Fri, 21 Aug 2020 15:47:02 +0000
Added tag NSS_3_56_RTM for changeset 809ff9ff0140
809ff9ff0140218adaa433ee777abbc7f54c54c8: Set version numbers to 3.56 final NSS_3_56_BRANCH NSS_3_56_RTM
Kevin Jacobs <kjacobs@mozilla.com> - Fri, 21 Aug 2020 08:10:57 -0700 - rev 15736
Push 3826 by kjacobs@mozilla.com at Fri, 21 Aug 2020 15:47:02 +0000
Set version numbers to 3.56 final
0d8ff40479d5a1b27fa632cc95d2774026fe1efc: Added tag NSS_3_56_BETA1 for changeset 52c965eaffa1
Kevin Jacobs <kjacobs@mozilla.com> - Wed, 19 Aug 2020 10:23:05 -0700 - rev 15735
Push 3825 by kjacobs@mozilla.com at Wed, 19 Aug 2020 17:24:41 +0000
Added tag NSS_3_56_BETA1 for changeset 52c965eaffa1
52c965eaffa1272652a4ba765045b5193e586663: Bug 1659792 - Update libpkix tests with unexpired PayPal cert. r=jcj NSS_3_56_BETA1
Kevin Jacobs <kjacobs@mozilla.com> - Wed, 19 Aug 2020 16:26:44 +0000 - rev 15734
Push 3824 by kjacobs@mozilla.com at Wed, 19 Aug 2020 16:39:41 +0000
Bug 1659792 - Update libpkix tests with unexpired PayPal cert. r=jcj

The in-tree `PayPalEE.cert` expired today. This patch replaces it with a current copy that expires on 12 Jan 2022.

CI breakage before patch: https://treeherder.mozilla.org/#/jobs?repo=nss&revision=2890f342de631bf6774ac747515a8b5736e20d3f
CI with the fix applied: https://treeherder.mozilla.org/#/jobs?repo=nss-try&revision=bd28f21d8acbcb15502bd4fc606fc9c0ed09c810

Differential Revision: https://phabricator.services.mozilla.com/D87481
70376af425aefbd385526952d96cfc02618732e1: Bug 1659814 - Pull updated tls-interop for dependency fix. r=jcj
Kevin Jacobs <kjacobs@mozilla.com> - Tue, 18 Aug 2020 20:31:15 +0000 - rev 15733
Push 3823 by jjones@mozilla.com at Tue, 18 Aug 2020 20:33:45 +0000
Bug 1659814 - Pull updated tls-interop for dependency fix. r=jcj Differential Revision: https://phabricator.services.mozilla.com/D87489
2890f342de631bf6774ac747515a8b5736e20d3f: Bug 1656519 - NSS 3.56 should depend on NSPR 4.28. r=kaie
Kevin Jacobs <kjacobs@mozilla.com> - Tue, 18 Aug 2020 15:27:59 +0000 - rev 15732
Push 3822 by kjacobs@mozilla.com at Tue, 18 Aug 2020 17:13:49 +0000
Bug 1656519 - NSS 3.56 should depend on NSPR 4.28. r=kaie Differential Revision: https://phabricator.services.mozilla.com/D87322
c06f22733446c6fb55362b9707fa714c15caf04e: Bug 1625791 - Call STAN_GetCERTCertificate to load CERTCertificate trust before caching. r=jcj,keeler
Kevin Jacobs <kjacobs@mozilla.com> - Fri, 07 Aug 2020 22:15:00 +0000 - rev 15731
Push 3821 by kjacobs@mozilla.com at Fri, 07 Aug 2020 22:18:04 +0000
Bug 1625791 - Call STAN_GetCERTCertificate to load CERTCertificate trust before caching. r=jcj,keeler

When caching certificates, `td->cache->lock` must not be held when taking `slot->isPresentLock`. `add_cert_to_cache` holds the former when calling the sort function in `add_subject_entry`, which will call `STAN_GetCERTCertificate` -> `fill_CERTCertificateFields` when `cc->nssCertificate` is NULL (see https://searchfox.org/mozilla-central/rev/a3b25e347e2c22207c4b369b99246e4aebf861a7/security/nss/lib/pki/certificate.c#266 and https://searchfox.org/mozilla-central/rev/a3b25e347e2c22207c4b369b99246e4aebf861a7/security/nss/lib/pki/pki3hack.c#923). There are two problems with this:
1. `fill_CERTCertificateFields` may end up locking `slot->isPresentLock` (bad ordering, bug 1651564)
2. The above may happen followed by another attempt to lock `td->cache->lock` (deadlock, this bug).

By calling `STAN_GetCERTCertificate` prior to the first lock of `td->cache->lock`, we can prevent the problematic call to `fill_CERTCertificateFields` later on, because `cc->nssCertificate` will already be filled.

Differential Revision: https://phabricator.services.mozilla.com/D86423
41ecb7fe55461da66328758a08776f2291ea4d0b: Bug 1588941 - Send empty client cert msg when signature scheme selection fails. r=mt
Kevin Jacobs <kjacobs@mozilla.com> - Fri, 07 Aug 2020 16:36:31 +0000 - rev 15730
Push 3820 by kjacobs@mozilla.com at Fri, 07 Aug 2020 18:11:37 +0000
Bug 1588941 - Send empty client cert msg when signature scheme selection fails. r=mt

`ssl3_CompleteHandleCertificateRequest` does essentially two things:
1) Calls the `getClientAuthData` hook for certificate selection, and
2) calls `ssl_PickClientSignatureScheme` to select an appropriate signature scheme when a cert is selected.

If the first function returns SECFailure, we default to sending an empty certificate message. If the latter fails, however, this bubbles up as a fatal error (https://searchfox.org/mozilla-central/rev/56bb74ea8e04bdac57c33cbe9b54d889b9262ade/security/nss/lib/ssl/tls13con.c#2670) (and an assertion failure) on the connection. Importantly, the signature scheme selection can fail for reasons that should not be considered fatal - notably when an RSA-PSS cert is selected, but the token on which the key resides does not actually support PSS. This patch treats the failure to find a usable signature scheme as a "no certificate" response, rather than killing the connection entirely.

Differential Revision: https://phabricator.services.mozilla.com/D85451
330bdab498a31ddd26d14585e3188aa9d4529d1b: Bug 1656981 - Use 64x64->128 multiply and MP_COMBA on x86_64 Mac. r=mt
Kevin Jacobs <kjacobs@mozilla.com> - Fri, 07 Aug 2020 15:31:25 +0000 - rev 15729
Push 3819 by kjacobs@mozilla.com at Fri, 07 Aug 2020 17:44:20 +0000
Bug 1656981 - Use 64x64->128 multiply and MP_COMBA on x86_64 Mac. r=mt

This patch makes two MPI changes for MacOS:
1. Rename `mpi_amd64_gas.s` to `mpi_amd64_common.S` and add defines for macho64, allowing Intel Macs to take advantage of the 64x64->128 multiply code.
2. Define and use `NSS_USE_COMBA` on Intel Macs.

Performance results with `rsaperf -n none -p 10 -e -x 65537` (default 2048-bit key):
Before: `12629.12 operations/s. one operation every 79 microseconds`
With 64x64->128 assembly: `29431.65 operations/s. one operation every 33 microseconds`
With MP_COMBA and 64x64->128 assembly: `30332.99 operations/s. one operation every 32 microseconds`

Differential Revision: https://phabricator.services.mozilla.com/D85783
07083076fc922da2ea019b72e0a640e343f65ecf: Bug 1656429 - Clang-format fixup, r=bustage
Kevin Jacobs <kjacobs@mozilla.com> - Fri, 07 Aug 2020 08:46:00 -0700 - rev 15728
Push 3818 by kjacobs@mozilla.com at Fri, 07 Aug 2020 15:47:30 +0000
Bug 1656429 - Clang-format fixup, r=bustage
b4a1c57eb569859170ef7b321039404f537f8fb9: Bug 1656429 - Correct RTT estimate used in anti-replay, r=kjacobs
Martin Thomson <mt@lowentropy.net> - Wed, 05 Aug 2020 00:17:52 +0000 - rev 15727
Push 3817 by mthomson@mozilla.com at Wed, 05 Aug 2020 00:20:47 +0000
Bug 1656429 - Correct RTT estimate used in anti-replay, r=kjacobs This was never a security problem, but the more time that passes between the handshake and sending a ticket, the more likely we are to reject 0-RTT. Eventually, 0-RTT only works if it is delayed in the network by a surprising amount. Differential Revision: https://phabricator.services.mozilla.com/D85540
afa38fb2f0b5d491a1bd0c26798ef0bdecd5ac8d: Bug 1656986 - special-case arm64 in detect_host_arch.py; r=jcj
Nathan Froyd <froydnj@mozilla.com> - Mon, 03 Aug 2020 20:43:00 +0000 - rev 15726
Push 3816 by jjones@mozilla.com at Mon, 03 Aug 2020 20:45:41 +0000
Bug 1656986 - special-case arm64 in detect_host_arch.py; r=jcj This case comes up when attempting to build NSS on ARM64 Mac. If we don't do this, we wind up detecting arm64 as "arm", with predictably bad consequences. Differential Revision: https://phabricator.services.mozilla.com/D85786
e6b77a9c417a53e51e6dc2e40e085fa4aa46a83b: Bug 1654142 - Add CPU feature detection for Intel SHA extension. r=kjacobs
Makoto Kato <m_kato@ga2.so-net.ne.jp> - Fri, 31 Jul 2020 11:04:12 +0000 - rev 15725
Push 3815 by kaie@kuix.de at Fri, 31 Jul 2020 11:29:01 +0000
Bug 1654142 - Add CPU feature detection for Intel SHA extension. r=kjacobs Differential Revision: https://phabricator.services.mozilla.com/D84286
eb52747b7000210971b590ad06d041c5f4ef464b: Bug 1653975 - Set "all" as the default Makefile target r=jcj,rrelyea
Jan-Marek Glogowski <glogow@fbihome.de> - Wed, 29 Jul 2020 23:47:05 +0000 - rev 15724
Push 3814 by jjones@mozilla.com at Wed, 29 Jul 2020 23:49:33 +0000
Bug 1653975 - Set "all" as the default Makefile target r=jcj,rrelyea Just reorder the rules in manifest.mn, so all is again the first rule. This restores pre-3.53 Makefile defaults. Differential Revision: https://phabricator.services.mozilla.com/D85195
68b6eb7376897d6db3bb86337a3c99789d9687b8: Bug 1650702 - Use ARM's crypt extension for SHA1. r=kjacobs
Makoto Kato <m_kato@ga2.so-net.ne.jp> - Wed, 29 Jul 2020 21:49:09 +0000 - rev 15723
Push 3813 by kjacobs@mozilla.com at Wed, 29 Jul 2020 21:52:17 +0000
Bug 1650702 - Use ARM's crypt extension for SHA1. r=kjacobs

The ARM Crypto extension has SHA1 acceleration. Using this, SHA1 is 3 times faster on an ARMv8 CPU. The following data is from AWS's a1 instance (Cortex-A72).

Before
======
```
# mode in opreps cxreps context op time(sec) thrgput
sha1_e 954Mb 31M 0 0.000 10000.000 10.000 95Mb
```

After
=====
```
# mode in opreps cxreps context op time(sec) thrgput
sha1_e 2Gb 94M 0 0.000 10000.000 10.000 288Mb
```

Differential Revision: https://phabricator.services.mozilla.com/D84125
4014c075a31b8d076d638d610f99fedc18b53e76: Fix more of the timeout issues on tests. (Drop expensive 4098 dh tests).
Robert Relyea <rrelyea@redhat.com> - Mon, 27 Jul 2020 14:19:05 -0700 - rev 15722
Push 3812 by rrelyea@redhat.com at Mon, 27 Jul 2020 21:19:12 +0000
Fix more of the timeout issues on tests. (Drop expensive 4098 dh tests).
0be91fa2217a979feb33f0032957b929dd8831ca: Bug 1648822 Add stricter validation of DH keys when in FIPS mode.
Robert Relyea <rrelyea@redhat.com> - Mon, 27 Jul 2020 11:00:02 -0700 - rev 15721
Push 3811 by rrelyea@redhat.com at Mon, 27 Jul 2020 18:00:08 +0000
Bug 1648822 Add stricter validation of DH keys when in FIPS mode.

Update: FIPS now also requires us to do y^q mod p testing on key generation (always). We now do that in FIPS mode only, but in all modes we do full DH verification for DH and ECDH. Because of this, the patch has now separated out the prime checks, which are now only done for the DH operation if we aren't using a known prime and the subprime value has been provided. I've also learned we can accept keys that we do full validation on in FIPS mode, so I've added that to this patch, though we still can't generate those kinds of keys without adding the subprime at keygen time.

The new FIPS standard is that dh operations must use approved primes. Approved primes are those selected in the tls and ike RFCs. Currently tls and ike have modes that check whether the primes are approved, but the check may not always happen. The safest thing to do in FIPS mode is to only allow those primes. In addition, FIPS requires 1 < y < p-1 (or technically 2 <= y <= p-2; since y is an integer, those two tests are identical).

While making changes I realized we would want a mode where we can do stricter checks on the prime while not requiring that the prime be an approved prime. We already allow for strict checking if q is supplied with the private key, but there were a couple of issues with that check:
1. There was no way of actually setting q in the current NSS pk11wrap interfaces.
2. If the prime was a safe prime, but g was an actual generator, then we would fail the y^q mod p = 1 test for 50% of the keys, even though those keys are safe.
3. We weren't checking the primality of p and q.

So the old code:

```
if (q) {
    check y^q mod p = 1; if not, fail
}
check 1 < y < p-1 (done in DH_Derive)
```

New code:

```
if (!(p is approved prime)) {
    if (FIPS) fail;
    if (q) {
        y_test = y
        if (p, q -> p is a safe prime) {
            y_test = 1
        }
        check prime is prime; fail if not
        check subprime is subprime; fail if not
        check y_test^q mod p = 1
    }
}
check 1 < y < p-1 (done in DH_Derive)
```

This means:
- Existing non-fips code without setting the subprime continues to run as before.
- Non-fips code which sets the subprime now runs slower, but p and q are checked; if p or q were not prime, the derive fails (which it should).
- In FIPS mode only approved primes will succeed now.
- Non-fips code can now set the subprime to q=(p-1)/2 if it doesn't have an explicit q value (like in tls). If the derive succeeds, we know that p is a safe prime. If p is approved, the checks are skipped because we already know that p is a safe prime. Code can optionally do a test derive on a new p and remember it's safe so that we no longer need to check on every call (though if q is not (p-1)/2, you will need to continue to do the checks on each call because y could still be in a small subgroup).

This patch:

gtests/softoken_gtest
1. Added new dh tests to softoken_gtests. The tests were added to softoken_gtests because we need to test both non-FIPS and FIPS mode. Test vectors include a category, so the same test vectors can be used in FIPS and non-FIPS even though each class may have different results. Most of the test vectors were created either by the dhparams command in openssl, dsaparams in openssl, or the nss makepqg command. Each vector includes a label, prime, base, optional subprime, optional public key, test type, and key class (basically size).
2. If the public key is not supplied, we use a generated public key.
3. If subPrime is supplied, we set it on the private key after generation.

lib/freebl/dh.c
Add primality tests to KEA_VerifyKey().

lib/softokn/
1. Allow CKA_SUBPRIME to be set after key generation or import. This affects how we test for its existence; since it is now always there on the key, we check its length to make sure it's non-zero.
2. We implement the pseudocode above as real code.
3. We create two new functions: sftk_VerifyDH_Prime, which returns SECSuccess if Prime is an approved prime, and sftk_IsSafePrime, which returns SECSuccess if both prime and subprime look reasonable, and sets a Bool to PR_TRUE if subprime -> prime is safe (subprime = (prime-1)/2). These functions are implemented in sftkdhverify.c.
4. Cleanup incorrect nomenclature on primes (safe primes are not strong primes).
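The "new code" logic in the commit message above, as an added Python example that is not NSS code: it validates a DH public value y against the modulus p, an optional subprime q and a FIPS flag, following the branches of the pseudocode (approved primes skip the checks, FIPS rejects anything else, a supplied q triggers primality and subgroup checks, and 1 < y < p-1 always applies). The approved-prime allowlist is a constructed stand-in (one Mersenne prime) rather than the TLS/IKE RFC groups the message refers to; the Miller-Rabin test and the "q divides p-1" sanity check are my own choices for what "check prime is prime" and "check subprime is subprime" entail.

```python
"""Added example (not NSS code): DH public-value validation modelled on the
pseudocode in the bug 1648822 commit message."""
import secrets

# Constructed stand-in for the "approved primes" allowlist. NSS checks the TLS
# and IKE RFC groups; a Mersenne prime is used here only to keep the example
# self-contained.
APPROVED_PRIMES = frozenset({2**127 - 1})

_SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_probable_prime(n: int, rounds: int = 40) -> bool:
    """Miller-Rabin with random bases; stands in for the message's
    'check prime is prime' (assumption: NSS's own test may differ)."""
    if n < 2:
        return False
    for sp in _SMALL_PRIMES:
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = 2 + secrets.randbelow(n - 3)  # uniform witness in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False  # composite witness found
    return True


def validate_dh_public_value(p, y, q=None, fips=False, approved=APPROVED_PRIMES):
    """Return (ok, reason) for a peer public value y under modulus p.

    Branches follow the commit message: approved primes need no further
    checks; FIPS mode rejects unapproved primes outright; when a subprime q
    is supplied, p and q must be prime and y must lie in the order-q subgroup
    unless q == (p-1)/2 (safe prime), where the range check already excludes
    the only other elements, 1 and p-1. The range check itself always runs
    (the message places it in DH_Derive).
    """
    if not (1 < y < p - 1):
        return False, "y-out-of-range"
    if p in approved:
        return True, "approved-prime"
    if fips:
        return False, "fips-unapproved-prime"
    if q is None:
        return True, "range-only"  # legacy behaviour: no q, no extra checks
    if not is_probable_prime(p):
        return False, "p-not-prime"
    if not is_probable_prime(q):
        return False, "q-not-prime"
    if (p - 1) % q != 0:  # assumption: part of "subprime is subprime"
        return False, "q-does-not-divide-p-1"
    if q == (p - 1) // 2:
        return True, "safe-prime"  # the message's y_test = 1 branch
    if pow(y, q, p) != 1:
        return False, "y-not-in-subgroup"
    return True, "subgroup-checked"


if __name__ == "__main__":
    # Constructed toy parameters: p=23 is a safe prime (q=11); p=31 is not
    # (p-1 = 2*3*5), so with q=5 the subgroup check actually runs.
    for args in ((23, 22, 11), (23, 5, 11), (31, 2, 5), (31, 3, 5),
                 (33, 5, 16), (2**127 - 1, 2, None, True)):
        print(args, "->", validate_dh_public_value(*args))
```

With p=31 and q=5, y=2 passes (2^5 = 32 = 1 mod 31) while y=3 is rejected (3^5 = 243 = 26 mod 31), which is exactly the small-subgroup case the message says the old code missed when no q was set; with the safe prime p=23 the y^q step is skipped and only the range check decides.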
e6c6f1d2d544918ebc85bfb587c88ad304423948: Bug 1652729 - Add build flag to disable RC2 and relocate to lib/freebl/deprecated. r=kjacobs
Benjamin Beurdouche <bbeurdouche@mozilla.com> - Fri, 24 Jul 2020 17:16:51 +0000 - rev 15720
Push 3810 by kjacobs@mozilla.com at Mon, 27 Jul 2020 14:17:25 +0000
Bug 1652729 - Add build flag to disable RC2 and relocate to lib/freebl/deprecated. r=kjacobs Differential Revision: https://phabricator.services.mozilla.com/D83494
d98bbb6168f4ca2abd534e4c2fce56b7a5d1ad7e: Bug 1652032 Disable all freebl assembler code for MSVC arm64 r=rrelyea,bbeurdouche
Jan-Marek Glogowski <glogow@fbihome.de> - Mon, 27 Jul 2020 12:41:32 +0000 - rev 15719
Push 3809 by kjacobs@mozilla.com at Mon, 27 Jul 2020 14:12:59 +0000
Bug 1652032 Disable all freebl assembler code for MSVC arm64 r=rrelyea,bbeurdouche

There are two places where NSS tries to compile either x86_64 MSVC assembler or GCC aarch64 code, which will fail the build. Also drop the non-MSVC arch build flags for them. As far as I could identify, there isn't any armasm64-compatible asm code in the whole NSS library, so I don't even adapt AS for the build. The cross-build finishes this way.

Differential Revision: https://phabricator.services.mozilla.com/D83137