581fe264710fff3362809fff90bba14c0d94fd19: Bug 1749030 - This patch adds gcc-9 and gcc-10 to the CI. r=nss-reviewers,bbeurdouche default tip
Natalia Kulatova <nkulatova@mozilla.com> - Wed, 19 Jan 2022 14:22:30 +0000 - rev 16108
Push 4070 by bbeurdouche@mozilla.com at Wed, 19 Jan 2022 14:24:35 +0000
Bug 1749030 - This patch adds gcc-9 and gcc-10 to the CI. r=nss-reviewers,bbeurdouche Differential Revision: https://phabricator.services.mozilla.com/D135377
b5eff08becbb982daa5267839fef107886ed6dc4: Bug 1749794 - Make DottedOIDToCode.py compatible with python3. r=nss-reviewers,bbeurdouche.
John M. Schanck <jschanck@mozilla.com> - Wed, 19 Jan 2022 14:14:03 +0000 - rev 16107
Push 4069 by bbeurdouche@mozilla.com at Wed, 19 Jan 2022 14:16:14 +0000
Bug 1749794 - Make DottedOIDToCode.py compatible with python3. r=nss-reviewers,bbeurdouche. Differential Revision: https://phabricator.services.mozilla.com/D135737
c98fc11fb685110f2dde22535e41bb80447eb19e: Bug 1749475 - Avoid undefined shift in SSL_CERT_IS while fuzzing. r=nss-reviewers,mt
John M. Schanck <jschanck@mozilla.com> - Wed, 19 Jan 2022 14:13:38 +0000 - rev 16106
Push 4068 by bbeurdouche@mozilla.com at Wed, 19 Jan 2022 14:15:42 +0000
Bug 1749475 - Avoid undefined shift in SSL_CERT_IS while fuzzing. r=nss-reviewers,mt Differential Revision: https://phabricator.services.mozilla.com/D135731
f9708b22f2f6cdafd2b1ecda572d31828c21b991: Bug 1748386 - Remove redundant key type check, r=rrelyea
Martin Thomson <mt@lowentropy.net> - Thu, 13 Jan 2022 22:55:35 +0000 - rev 16105
Push 4067 by mthomson@mozilla.com at Thu, 13 Jan 2022 22:57:42 +0000
Bug 1748386 - Remove redundant key type check, r=rrelyea Differential Revision: https://phabricator.services.mozilla.com/D135808
4b7cf816142199c85dd1c7fb27df94d6f6a4614e: Bug 1749869 - Update ABI expectations to match ECH changes, r=bbeurdouche
Martin Thomson <mt@lowentropy.net> - Thu, 13 Jan 2022 08:13:12 +0000 - rev 16104
Push 4066 by mthomson@mozilla.com at Thu, 13 Jan 2022 08:15:29 +0000
Bug 1749869 - Update ABI expectations to match ECH changes, r=bbeurdouche Depends on D135808 Differential Revision: https://phabricator.services.mozilla.com/D135809
44e6341be5e829c33bdd72d8f9b22ad6f308f227: Bug 1748386 - Enable CKM_CHACHA20, r=rrelyea
Martin Thomson <mt@lowentropy.net> - Tue, 11 Jan 2022 23:30:17 +0000 - rev 16103
Push 4065 by mthomson@mozilla.com at Tue, 11 Jan 2022 23:32:22 +0000
Bug 1748386 - Enable CKM_CHACHA20, r=rrelyea This change makes a few tiny changes to the code to re-enable the use of Chacha20 ciphers and align their key type. There are a lot more changes in tests, mostly just to factor existing tests and determine that the legacy and final PKCS#11 mechanisms work as expected. Differential Revision: https://phabricator.services.mozilla.com/D135007
3b951f4333023c7214a2955f83ed120ea1fdb508: Bug 1747327 - check return on NSS_NoDB_Init and NSS_Shutdown, r=nss-reviewers,bbeurdouche
Martin Thomson <mt@lowentropy.net> - Fri, 07 Jan 2022 04:43:39 +0000 - rev 16102
Push 4064 by mthomson@mozilla.com at Fri, 07 Jan 2022 04:45:48 +0000
Bug 1747327 - check return on NSS_NoDB_Init and NSS_Shutdown, r=nss-reviewers,bbeurdouche Differential Revision: https://phabricator.services.mozilla.com/D134573
c765572d961b35d7c0e4a33486a661f4e6658495: Release notes for NSS 3.74
Benjamin Beurdouche <bbeurdouche@mozilla.com> - Thu, 06 Jan 2022 14:45:46 +0100 - rev 16101
Push 4063 by bbeurdouche@mozilla.com at Thu, 06 Jan 2022 13:46:08 +0000
Release notes for NSS 3.74
13c491d2ea0619a1e9b0e9aeee2b18d3ac4a0957: Release notes for NSS 3.73.1
Benjamin Beurdouche <bbeurdouche@mozilla.com> - Thu, 06 Jan 2022 14:45:31 +0100 - rev 16100
Push 4063 by bbeurdouche@mozilla.com at Thu, 06 Jan 2022 13:46:08 +0000
Release notes for NSS 3.73.1
fe3d23d39cf1a7ec83a1cc739423d9dff6bebd27: Release notes for NSS 3.72.1
Benjamin Beurdouche <bbeurdouche@mozilla.com> - Thu, 06 Jan 2022 14:45:22 +0100 - rev 16099
Push 4063 by bbeurdouche@mozilla.com at Thu, 06 Jan 2022 13:46:08 +0000
Release notes for NSS 3.72.1
3bb240628b51222584e50431af070a505961e0d9: Release notes for NSS 3.68.2 (ESR)
Benjamin Beurdouche <bbeurdouche@mozilla.com> - Thu, 06 Jan 2022 14:45:00 +0100 - rev 16098
Push 4063 by bbeurdouche@mozilla.com at Thu, 06 Jan 2022 13:46:08 +0000
Release notes for NSS 3.68.2 (ESR)
689f62eb8daac37002a09f9e3e956b12355b80ff: Release notes for NSS 3.73
Benjamin Beurdouche <bbeurdouche@mozilla.com> - Thu, 06 Jan 2022 14:44:38 +0100 - rev 16097
Push 4063 by bbeurdouche@mozilla.com at Thu, 06 Jan 2022 13:46:08 +0000
Release notes for NSS 3.73
41a061ffb0a7b0aa436964005832ead59a322d98: Release notes for NSS 3.68.1
Benjamin Beurdouche <bbeurdouche@mozilla.com> - Thu, 06 Jan 2022 14:44:17 +0100 - rev 16096
Push 4063 by bbeurdouche@mozilla.com at Thu, 06 Jan 2022 13:46:08 +0000
Release notes for NSS 3.68.1
b0cfcff316261733a183e3c4a9e211b479f58a86: Added tag NSS_3_74_RTM for changeset 83d13f65aff5 NSS_3_74_BRANCH
Benjamin Beurdouche <bbeurdouche@mozilla.com> - Thu, 06 Jan 2022 12:39:17 +0100 - rev 16095
Push 4062 by bbeurdouche@mozilla.com at Thu, 06 Jan 2022 11:40:12 +0000
Added tag NSS_3_74_RTM for changeset 83d13f65aff5
83d13f65aff55bba36016fbe81095d02e006dd1f: Set version numbers to 3.74 RTM NSS_3_74_BRANCH NSS_3_74_RTM
Benjamin Beurdouche <bbeurdouche@mozilla.com> - Thu, 06 Jan 2022 12:38:58 +0100 - rev 16094
Push 4062 by bbeurdouche@mozilla.com at Thu, 06 Jan 2022 11:40:12 +0000
Set version numbers to 3.74 RTM
e04f9534a194392a2fced9e4692784429824235c: Fix formatting for gtests/ssl_gtest/tls_filter.cc
Benjamin Beurdouche <bbeurdouche@mozilla.com> - Wed, 05 Jan 2022 17:07:29 +0100 - rev 16093
Push 4061 by bbeurdouche@mozilla.com at Wed, 05 Jan 2022 16:07:57 +0000
Fix formatting for gtests/ssl_gtest/tls_filter.cc
b49989d67356e85d520bb5bfe5aa9b8a3a79d0f8: Set version numbers to 3.75 Beta
Benjamin Beurdouche <bbeurdouche@mozilla.com> - Wed, 05 Jan 2022 15:03:03 +0100 - rev 16092
Push 4060 by bbeurdouche@mozilla.com at Wed, 05 Jan 2022 14:03:13 +0000
Set version numbers to 3.75 Beta
2902346fab195bb18486a502f306d9a0f711d15d: Bug 1747310 - real move assignment operator, r=nss-reviewers,bbeurdouche
Martin Thomson <mt@lowentropy.net> - Wed, 05 Jan 2022 13:45:04 +0000 - rev 16091
Push 4059 by bbeurdouche@mozilla.com at Wed, 05 Jan 2022 13:47:10 +0000
Bug 1747310 - real move assignment operator, r=nss-reviewers,bbeurdouche Differential Revision: https://phabricator.services.mozilla.com/D134818
52ff95ddeeef96656a31712b4367a2c9175ba861: Bug 1748245 - Run ECDSA test vectors from bltest as part of the CI tests. r=nkulatova
Natalia Kulatova <nkulatova@mozilla.com> - Wed, 05 Jan 2022 13:23:33 +0000 - rev 16090
Push 4058 by bbeurdouche@mozilla.com at Wed, 05 Jan 2022 13:25:38 +0000
Bug 1748245 - Run ECDSA test vectors from bltest as part of the CI tests. r=nkulatova Differential Revision: https://phabricator.services.mozilla.com/D134866
3089389aafe4ebc7365bfd31ef629a89f9a8e44f: Bug 1743302 - Add ECDSA test vectors to the bltest command line tool r=nss-reviewers,bbeurdouche
Natalia Kulatova <nkulatova@mozilla.com> - Wed, 05 Jan 2022 13:23:33 +0000 - rev 16089
Push 4058 by bbeurdouche@mozilla.com at Wed, 05 Jan 2022 13:25:38 +0000
Bug 1743302 - Add ECDSA test vectors to the bltest command line tool r=nss-reviewers,bbeurdouche Differential Revision: https://phabricator.services.mozilla.com/D134702
d982efc0e22d3739246786de419e6051f7a5e4a2: Bug 1747772 - Allow to build using clang's integrated assembler. r=bbeurdouche
Mike Hommey <mh@glandium.org> - Tue, 04 Jan 2022 22:50:03 +0000 - rev 16088
Push 4057 by mh@glandium.org at Tue, 04 Jan 2022 22:52:08 +0000
Bug 1747772 - Allow to build using clang's integrated assembler. r=bbeurdouche Since clang 9, NSS can build for x86_64 without the -fno-integrated-as flag. The tricky part is that clang versions are unreliable. For instance, a check for "clang version 9 or more" would break building with Xcode versions between 9.0 and 11.3.1 (because clang in those say it has version >= 9, but they are actually clang versions between 4.0 and 8.0; the clang version reflects the Xcode version, not the real clang version). We do have a complicated version check in Firefox that works around that, but I don't feel like porting this to NSS, so instead, allow to set a gyp variable to force enable it, and let the Firefox build system decide for itself. Differential Revision: https://phabricator.services.mozilla.com/D134741
c468deab26338621ce875bfaaa8cbdb2058761ab: Bug 1321398 - Allow to override python for the build. r=bbeurdouche
Mike Hommey <mh@glandium.org> - Tue, 04 Jan 2022 22:06:19 +0000 - rev 16087
Push 4056 by mh@glandium.org at Tue, 04 Jan 2022 22:08:25 +0000
Bug 1321398 - Allow to override python for the build. r=bbeurdouche Differential Revision: https://phabricator.services.mozilla.com/D134739
a6d0435514b6dc9d0e6974cf0a4fa2ce07402de0: Added tag NSS_3_74_BETA1 for changeset 1831460a6f34 NSS_3_74_BRANCH
Benjamin Beurdouche <bbeurdouche@mozilla.com> - Fri, 31 Dec 2021 13:32:22 +0100 - rev 16086
Push 4055 by bbeurdouche@mozilla.com at Fri, 31 Dec 2021 12:32:45 +0000
Added tag NSS_3_74_BETA1 for changeset 1831460a6f34
fed99dcac37f311fbab373dd6f5ed358123afe57: Bug 1747317 - test HKDF output rather than input, r=nss-reviewers,jschanck
Martin Thomson <mt@lowentropy.net> - Tue, 28 Dec 2021 23:25:50 +0000 - rev 16085
Push 4054 by mthomson@mozilla.com at Tue, 28 Dec 2021 23:27:57 +0000
Bug 1747317 - test HKDF output rather than input, r=nss-reviewers,jschanck Depends on D134557 Differential Revision: https://phabricator.services.mozilla.com/D134558
19d7a09a001c77c454ecd1e29833c6819b0a935b: Bug 1747316 - Use ASSERT_ macros to end failed tests early, r=nss-reviewers,jschanck
Martin Thomson <mt@lowentropy.net> - Tue, 28 Dec 2021 23:25:50 +0000 - rev 16084
Push 4054 by mthomson@mozilla.com at Tue, 28 Dec 2021 23:27:57 +0000
Bug 1747316 - Use ASSERT_ macros to end failed tests early, r=nss-reviewers,jschanck Differential Revision: https://phabricator.services.mozilla.com/D134557
6a6731d4e0a38a4e42060597061606e864aa107d: Bug 1747310 - move assignment operator for DataBuffer r=nss-reviewers,jschanck
Martin Thomson <mt@lowentropy.net> - Tue, 28 Dec 2021 23:25:49 +0000 - rev 16083
Push 4054 by mthomson@mozilla.com at Tue, 28 Dec 2021 23:27:57 +0000
Bug 1747310 - move assignment operator for DataBuffer r=nss-reviewers,jschanck Differential Revision: https://phabricator.services.mozilla.com/D134556
d41c0fcdcf85118f1866880d10ac7bf15d7edc5f: Bug 1712879 - Add test cases for ECH compression and unexpected extensions in SH. r=mt
Dennis Jackson <djackson@mozilla.com> - Fri, 17 Dec 2021 13:21:32 +0000 - rev 16082
Push 4053 by djackson@mozilla.com at Fri, 17 Dec 2021 13:23:39 +0000
Bug 1712879 - Add test cases for ECH compression and unexpected extensions in SH. r=mt
* Update the test custom extension injectors to create large (1024 byte) extensions
* Update the compression tests to verify that compression occurs correctly.
* Add tests to ensure that when accepting ECH, the client rejects Xtns which are only valid for the CHO and vice versa
Differential Revision: https://phabricator.services.mozilla.com/D130699
ea27fc06556ad8203425bce244b90ff003b75af5: Bug 1725938 - Update tests for ECH-13. r=mt
Dennis Jackson <djackson@mozilla.com> - Fri, 17 Dec 2021 13:21:31 +0000 - rev 16081
Push 4053 by djackson@mozilla.com at Fri, 17 Dec 2021 13:23:39 +0000
Bug 1725938 - Update tests for ECH-13. r=mt
* Add a new test helper function for creating an ECH Config.
* Update ECH Config tests to dynamically generate their configs.
* Regenerate tests using fixed ClientHello configs for ECH-13.
* Add test for recursive ECH Outer Extensions.
* Add test for ECH Inner Extension with payload (should be empty).
* Add test to ensure AAD covers both before and after ECH extension.
Differential Revision: https://phabricator.services.mozilla.com/D130698
dbfeabc22622b027459e3cfd256a3cf7e8ce0fc8: Bug 1725938 - Tidy up error handling r=mt
Dennis Jackson <djackson@mozilla.com> - Fri, 17 Dec 2021 13:21:31 +0000 - rev 16080
Push 4053 by djackson@mozilla.com at Fri, 17 Dec 2021 13:23:39 +0000
Bug 1725938 - Tidy up error handling r=mt Small commit to tidy up the error handling when receiving ECH extensions. Differential Revision: https://phabricator.services.mozilla.com/D130697
28c3375fe2efb6b5821e9fa06a672b4cae90ed8b: Bug 1728281 - Add tests for ECH HRR Changes. r=mt
Dennis Jackson <djackson@mozilla.com> - Fri, 17 Dec 2021 13:21:31 +0000 - rev 16079
Push 4053 by djackson@mozilla.com at Fri, 17 Dec 2021 13:23:39 +0000
Bug 1728281 - Add tests for ECH HRR Changes. r=mt
Testcases for HRR ECH Xtns:
- Clients reject xtns of the wrong size.
- Clients reject mangled xtns.
- Clients reject unsolicited xtns.
- Servers send ECH HRR Xtns when accepting, rejecting or GREASEing
- Clients and Servers do not send xtns if disabled and not GREASEing
- Clients alert if servers accept ECH in HRR, then reject in SH.
Differential Revision: https://phabricator.services.mozilla.com/D130696
e387d382de4799591436a28cc8cdc4a8cc45e0cd: Bug 1728281 - Server only sends GREASE HRR extension if enabled by preference. r=mt
Dennis Jackson <djackson@mozilla.com> - Fri, 17 Dec 2021 13:21:30 +0000 - rev 16078
Push 4053 by djackson@mozilla.com at Fri, 17 Dec 2021 13:23:39 +0000
Bug 1728281 - Server only sends GREASE HRR extension if enabled by preference. r=mt Draft 13 added an ECH extension for HRR messages. When GREASEing, this should only be sent if the server was configured with ECH support or explicitly opted in. Differential Revision: https://phabricator.services.mozilla.com/D130695
e31c41c04527750434f9f9180b4eb53d50243eea: Bug 1725938 - Update generation of the Associated Data for ECH-13 r=mt
Dennis Jackson <djackson@mozilla.com> - Fri, 17 Dec 2021 13:21:30 +0000 - rev 16077
Push 4053 by djackson@mozilla.com at Fri, 17 Dec 2021 13:23:39 +0000
Bug 1725938 - Update generation of the Associated Data for ECH-13 r=mt In Draft 13, the associated data comprises the entire ClientHelloOuter, with the ECH payload zeroed out. This patch updates the generation of the ClientHelloOuter and associated data and unifies the generation of the ECH Xtn. As a result, tls13_EncryptClientHello now puts the encrypted ClientHelloInner directly into the ClientHelloOuter. Differential Revision: https://phabricator.services.mozilla.com/D124649
beef1385132760879b9b8c9cecd4e0bb9d8b8efe: Bug 1712879 - When ECH is accepted, reject extensions which were only advertised in the Outer Client Hello r=mt
Dennis Jackson <djackson@mozilla.com> - Fri, 17 Dec 2021 13:21:29 +0000 - rev 16076
Push 4053 by djackson@mozilla.com at Fri, 17 Dec 2021 13:23:39 +0000
Bug 1712879 - When ECH is accepted, reject extensions which were only advertised in the Outer Client Hello r=mt Previously, we only tracked whether we'd advertised an extension at all. This change allows us to track the advertisements for both the Outer and Inner Client Hello separately. If the server accepts ECH but includes an extension we only offered in the Outer Client Hello, we will send an alert. As a side-effect, if the client offers an extension in the ClientHelloInner which is not offered in the ClientHelloOuter and the server accepts, we will send the same alert. It is unclear whether this is desirable behavior or not - since if we did not alert this would allow a network observer to distinguish whether ECH was used. Differential Revision: https://phabricator.services.mozilla.com/D125193
daf5bc69425a16a809c4feeed4f0ab4ecee80400: Bug 1712879 - Allow for compressed, non-contiguous, extensions r=mt
Dennis Jackson <djackson@mozilla.com> - Fri, 17 Dec 2021 13:21:29 +0000 - rev 16075
Push 4053 by djackson@mozilla.com at Fri, 17 Dec 2021 13:23:39 +0000
Bug 1712879 - Allow for compressed, non-contiguous, extensions r=mt In Draft 13, clients can now compress extensions which are non-contiguous but in-order. This changeset removes the logic which ensured only contiguous extensions were compressed. Differential Revision: https://phabricator.services.mozilla.com/D125166
b8623fde307c21bf50e753b36416ad94fe8fd227: Bug 1712879 - Scramble the PSK extension in CHOuter. r=bbeurdouche
Martin Thomson <mt@lowentropy.net> - Fri, 17 Dec 2021 13:21:29 +0000 - rev 16074
Push 4053 by djackson@mozilla.com at Fri, 17 Dec 2021 13:23:39 +0000
Bug 1712879 - Scramble the PSK extension in CHOuter. r=bbeurdouche Depends on D115852 Differential Revision: https://phabricator.services.mozilla.com/D115965
d3c6fa317bca5631e0c2dbe33989a3a18a0ba038: Bug 1712647 - Split custom extension handling for ECH. r=bbeurdouche,mt
Martin Thomson <mt@lowentropy.net> - Fri, 17 Dec 2021 13:21:28 +0000 - rev 16073
Push 4053 by djackson@mozilla.com at Fri, 17 Dec 2021 13:23:39 +0000
Bug 1712647 - Split custom extension handling for ECH. r=bbeurdouche,mt A new function SSL_CallExtensionWriterOnEchInner() allows applications to have custom extension handlers called separately for CHInner and CHOuter. This is a little tricky as ECH needs to construct two versions of CHInner: one compressed and one not. This just calls the write handler twice in that case. The other complication is that a handler might make different choices for CHInner and CHOuter. This forces us to stop compressing that extension and any that follow it when that occurs. In order to ensure that extensions are consistently placed, we need to track what can be compressed during both invocations. I've retained the quirk where the extensions are built twice. That might be something that can be removed in future, but for now it creates a negative externality that I've noted in documentation. Differential Revision: https://phabricator.services.mozilla.com/D115852
ea556051e7456c4ba432e5f98a0ca9a15d97df14: Bug 1728281 - Add ECH-13 HRR Handling. r=mt
Dennis Jackson <djackson@mozilla.com> - Fri, 17 Dec 2021 13:21:28 +0000 - rev 16072
Push 4053 by djackson@mozilla.com at Fri, 17 Dec 2021 13:23:39 +0000
Bug 1728281 - Add ECH-13 HRR Handling. r=mt This changeset adds client and server support for ECH extensions in the HelloRetryRequest Message. When Servers respond with a HRR to an ECH advertising ClientHello, servers add an additional 8 byte confirmation value in an ECH extension with their HRR which allows the client to deduce whether ECH was accepted or rejected. The confirmation value is derived from the ClientHelloInner's random value and the transcript up to and including the HRR. If ECH is rejected, the confirmation value is replaced with 8 random bytes. This necessitates several further changes to the control flow of HRR generation and handling. Firstly, the HRR must be generated in two passes, firstly with a placeholder value of zero bytes instead of the confirmation value, then secondly with the true confirmation value. Further, if the server accepts ECH in the HRR, it cannot change its mind when processing the second client hello. If ECH is rejected and the HRR confirmation value is instead a random value, the (stateless) server must be able to regenerate the correct confirmation value. This patch adds the GREASEd value to the HRR cookie, increasing its size by 8 bytes. In order to prevent a network observer from distinguishing whether ECH was accepted, these 8 bytes are used whether or not ECH is accepted. On the client side, the HRR with zeroed confirmation value must be added to the transcript when calculating the confirmation value. Unlike a PSK extension, the HRR ECH Extension can appear in any position and so the extension handler stores a pointer into the server hello buffer. Differential Revision: https://phabricator.services.mozilla.com/D124072
eb122ac1965f3fb4d9909b01677c1f756318144a: Bug 1677181 - Client side ECH padding r=mt
Dennis Jackson <djackson@mozilla.com> - Fri, 17 Dec 2021 13:21:28 +0000 - rev 16071
Push 4053 by djackson@mozilla.com at Fri, 17 Dec 2021 13:23:39 +0000
Bug 1677181 - Client side ECH padding r=mt ECH-13 adds an optional padding field to ClientHelloInners prior to encryption. New tests check that clients correctly pad different length SNIs and that servers correctly reject invalid padding. Differential Revision: https://phabricator.services.mozilla.com/D122862
9e1a409b15d30475b8c8e04e242c63c493e0681e: Bug 1725938 - Stricter ClientHelloInner Decompression. r=mt.
Dennis Jackson <djackson@mozilla.com> - Fri, 17 Dec 2021 13:21:27 +0000 - rev 16070
Push 4053 by djackson@mozilla.com at Fri, 17 Dec 2021 13:23:39 +0000
Bug 1725938 - Stricter ClientHelloInner Decompression. r=mt. Decompression is now a linear scan, ensuring the same CHO extension is never considered for inclusion more than once. The added tests check that duplicate or out of order references are now rejected. Differential Revision: https://phabricator.services.mozilla.com/D122752
6da26e8be8c5aba0a503106a159b8d860151b3e5: Bug 1725938 - Remove ECH_inner extension, use new enum format. r=mt
Dennis Jackson <djackson@mozilla.com> - Fri, 17 Dec 2021 13:21:27 +0000 - rev 16069
Push 4053 by djackson@mozilla.com at Fri, 17 Dec 2021 13:23:39 +0000
Bug 1725938 - Remove ECH_inner extension, use new enum format. r=mt Draft-13 removes the ECH_inner extension and instead uses an enum inside the encrypted client hello extension. The handler for the ECH_inner extension is removed and the ECH extension handler is now split into two cases, tls13_ServerHandleInnerEchXtn is called on the ClientHelloInner and checks for the presence of the correct inner extension. tls13_ServerHandleOuterEchXtn is called on the ClientHelloOuter, it either parses the Outer ECH Extension or, if operating in split mode, tolerates the inner extension. Differential Revision: https://phabricator.services.mozilla.com/D125700
6fbfdbf1fe9d989f9d083cf7e0634a2c905dc067: Bug 1725938 - Update the version number for ECH-13 and adjust the ECHConfig size. r=mt
Dennis Jackson <djackson@mozilla.com> - Fri, 17 Dec 2021 13:21:27 +0000 - rev 16068
Push 4053 by djackson@mozilla.com at Fri, 17 Dec 2021 13:23:39 +0000
Bug 1725938 - Update the version number for ECH-13 and adjust the ECHConfig size. r=mt Tests re-enabled in D130698. Differential Revision: https://phabricator.services.mozilla.com/D125697
1831460a6f34324c8a03d78e7f4a4cf2164353c0: Backed out changeset 50f5a60523ca (Bug 1741688 - Update googletest to 1.11.0) due to CI failures NSS_3_74_BETA1
Benjamin Beurdouche <bbeurdouche@mozilla.com> - Thu, 16 Dec 2021 19:40:11 +0100 - rev 16067
Push 4052 by bbeurdouche@mozilla.com at Thu, 16 Dec 2021 18:40:22 +0000
Backed out changeset 50f5a60523ca (Bug 1741688 - Update googletest to 1.11.0) due to CI failures
0ed371bb42ac3a2f25bb3f37c60cb33df7e4cbd0: Set version numbers to 3.74
Benjamin Beurdouche <bbeurdouche@mozilla.com> - Wed, 15 Dec 2021 21:53:39 +0100 - rev 16066
Push 4051 by bbeurdouche@mozilla.com at Wed, 15 Dec 2021 20:53:51 +0000
Set version numbers to 3.74
4d0742c004b22dda08c211952695e482aff9ddf2: Added tag NSS_3_72_1_RTM for changeset e8211cfc2b2d NSS_3_72_1_BRANCH
Benjamin Beurdouche <bbeurdouche@mozilla.com> - Wed, 15 Dec 2021 18:33:55 +0100 - rev 16065
Push 4050 by bbeurdouche@mozilla.com at Wed, 15 Dec 2021 20:23:24 +0000
Added tag NSS_3_72_1_RTM for changeset e8211cfc2b2d
e8211cfc2b2d6f763febcf64c8c3caf6f9fe08d5: Bug 966856 - mozilla::pkix: support SHA-2 hashes in CertIDs in OCSP responses r=jschanck,djackson NSS_3_72_1_BRANCH NSS_3_72_1_RTM
Dana Keeler <dkeeler@mozilla.com> - Wed, 15 Dec 2021 14:15:36 +0000 - rev 16064
Push 4050 by bbeurdouche@mozilla.com at Wed, 15 Dec 2021 20:23:24 +0000
Bug 966856 - mozilla::pkix: support SHA-2 hashes in CertIDs in OCSP responses r=jschanck,djackson Differential Revision: https://phabricator.services.mozilla.com/D133706
971d104b2466e7fd44652eb7b335d243561dbc14: Set version numbers to 3.72.1 final NSS_3_72_1_BRANCH
Benjamin Beurdouche <bbeurdouche@mozilla.com> - Wed, 15 Dec 2021 17:34:19 +0100 - rev 16063
Push 4050 by bbeurdouche@mozilla.com at Wed, 15 Dec 2021 20:23:24 +0000
Set version numbers to 3.72.1 final
6b80d2b2bf1ce21e5495a84b4408bc725eeefea6: Added tag NSS_3_73_1_RTM for changeset 69c5a0c748ad NSS_3_73_1_BRANCH
Benjamin Beurdouche <bbeurdouche@mozilla.com> - Wed, 15 Dec 2021 18:15:27 +0100 - rev 16062
Push 4050 by bbeurdouche@mozilla.com at Wed, 15 Dec 2021 20:23:24 +0000
Added tag NSS_3_73_1_RTM for changeset 69c5a0c748ad
69c5a0c748ad36772a3ce03c60f8a1fa353776dc: Bug 966856 - mozilla::pkix: support SHA-2 hashes in CertIDs in OCSP responses r=jschanck,djackson NSS_3_73_1_BRANCH NSS_3_73_1_RTM
Dana Keeler <dkeeler@mozilla.com> - Wed, 15 Dec 2021 14:15:36 +0000 - rev 16061
Push 4050 by bbeurdouche@mozilla.com at Wed, 15 Dec 2021 20:23:24 +0000
Bug 966856 - mozilla::pkix: support SHA-2 hashes in CertIDs in OCSP responses r=jschanck,djackson Differential Revision: https://phabricator.services.mozilla.com/D133706
7607e8448d394e7fc5a36f3725794d8360a637a9: Set version numbers to 3.73.1 final NSS_3_73_1_BRANCH
Benjamin Beurdouche <bbeurdouche@mozilla.com> - Wed, 15 Dec 2021 18:15:12 +0100 - rev 16060
Push 4050 by bbeurdouche@mozilla.com at Wed, 15 Dec 2021 20:23:24 +0000
Set version numbers to 3.73.1 final
c55cf4a0cb0e5d9592a1c0ae460197ea1121c48b: Added tag NSS_3_68_2_RTM for changeset 78d2f4a3339f NSS_3_68_2_BRANCH
Benjamin Beurdouche <bbeurdouche@mozilla.com> - Wed, 15 Dec 2021 17:11:39 +0100 - rev 16059
Push 4050 by bbeurdouche@mozilla.com at Wed, 15 Dec 2021 20:23:24 +0000
Added tag NSS_3_68_2_RTM for changeset 78d2f4a3339f
78d2f4a3339fa41c274c5ea189f8060da9d3a463: Bug 966856 - mozilla::pkix: support SHA-2 hashes in CertIDs in OCSP responses r=jschanck,djackson NSS_3_68_2_BRANCH NSS_3_68_2_RTM
Dana Keeler <dkeeler@mozilla.com> - Wed, 15 Dec 2021 14:15:36 +0000 - rev 16058
Push 4050 by bbeurdouche@mozilla.com at Wed, 15 Dec 2021 20:23:24 +0000
Bug 966856 - mozilla::pkix: support SHA-2 hashes in CertIDs in OCSP responses r=jschanck,djackson Differential Revision: https://phabricator.services.mozilla.com/D133706
b7f01c3b72856b7a9a6c196dda8ad421ceb0aeef: Set version numbers to 3.68.2 final NSS_3_68_2_BRANCH
Benjamin Beurdouche <bbeurdouche@mozilla.com> - Wed, 15 Dec 2021 17:10:09 +0100 - rev 16057
Push 4050 by bbeurdouche@mozilla.com at Wed, 15 Dec 2021 20:23:24 +0000
Set version numbers to 3.68.2 final
7d4f221b1fffcad72b18175b89e4d310307277ef: Bug 966856 - mozilla::pkix: support SHA-2 hashes in CertIDs in OCSP responses r=jschanck,djackson
Dana Keeler <dkeeler@mozilla.com> - Wed, 15 Dec 2021 14:15:36 +0000 - rev 16056
Push 4049 by bbeurdouche@mozilla.com at Wed, 15 Dec 2021 14:17:44 +0000
Bug 966856 - mozilla::pkix: support SHA-2 hashes in CertIDs in OCSP responses r=jschanck,djackson Differential Revision: https://phabricator.services.mozilla.com/D133706
6d4f9e74d8ef804e6a0d9231433c66f36c11343a: Bug 1553612 - Ensure clients offer consistent ciphersuites after HRR. r=mt
Dennis Jackson <djackson@mozilla.com> - Wed, 15 Dec 2021 12:41:12 +0000 - rev 16055
Push 4048 by djackson@mozilla.com at Wed, 15 Dec 2021 12:43:20 +0000
Bug 1553612 - Ensure clients offer consistent ciphersuites after HRR. r=mt Differential Revision: https://phabricator.services.mozilla.com/D132263
59d0003f4bded4ff89cccbd984cef108380b9c14: Bug 1721426 NSS does not properly restrict server keys based on policy
Robert Relyea <rrelyea@redhat.com> - Thu, 09 Dec 2021 21:59:01 -0800 - rev 16054
Push 4047 by rrelyea@redhat.com at Mon, 13 Dec 2021 20:01:04 +0000
Bug 1721426 NSS does not properly restrict server keys based on policy When a server is connecting to a client that has no dh restriction, the server will connect to the client with a weaker dh key even if the server has a restricted dh key length. The issue is the server doesn't look at the dh key policy when selecting a dh group. This patch adds the dh key length policy to the dh group selection code, and also adds test to make sure that policy is enforced. Differential Revision: https://phabricator.services.mozilla.com/D133505
625d290ad2dcd3f1c9049c62ea17049a6417b46e: Bug 1733003 - Set nssckbi version number to 2.54. r=bbeurdouche
John M. Schanck <jschanck@mozilla.com> - Mon, 13 Dec 2021 18:01:40 +0000 - rev 16053
Push 4046 by bbeurdouche@mozilla.com at Mon, 13 Dec 2021 18:03:44 +0000
Bug 1733003 - Set nssckbi version number to 2.54. r=bbeurdouche Depends on D132823 Differential Revision: https://phabricator.services.mozilla.com/D132824
7554fb4e12af7abf01983826b4f8e12946661558: Bug 1735407 - Replace Google Trust Services LLC (GTS) R4 root certificate in NSS. r=KathleenWilson
John M. Schanck <jschanck@mozilla.com> - Mon, 13 Dec 2021 18:01:39 +0000 - rev 16052
Push 4046 by bbeurdouche@mozilla.com at Mon, 13 Dec 2021 18:03:44 +0000
Bug 1735407 - Replace Google Trust Services LLC (GTS) R4 root certificate in NSS. r=KathleenWilson Depends on D132822 Differential Revision: https://phabricator.services.mozilla.com/D132823
47d15f5348ef405ff2fe7d6b9a1a86cdf9c068e3: Bug 1735407 - Replace Google Trust Services LLC (GTS) R3 root certificate in NSS. r=KathleenWilson
John M. Schanck <jschanck@mozilla.com> - Mon, 13 Dec 2021 18:01:39 +0000 - rev 16051
Push 4046 by bbeurdouche@mozilla.com at Mon, 13 Dec 2021 18:03:44 +0000
Bug 1735407 - Replace Google Trust Services LLC (GTS) R3 root certificate in NSS. r=KathleenWilson Depends on D132821 Differential Revision: https://phabricator.services.mozilla.com/D132822
9634edf97c6e9b64fe448999d5f8436d04191fc4: Bug 1735407 - Replace Google Trust Services LLC (GTS) R2 root certificate in NSS. r=KathleenWilson
John M. Schanck <jschanck@mozilla.com> - Mon, 13 Dec 2021 18:01:38 +0000 - rev 16050
Push 4046 by bbeurdouche@mozilla.com at Mon, 13 Dec 2021 18:03:44 +0000
Bug 1735407 - Replace Google Trust Services LLC (GTS) R2 root certificate in NSS. r=KathleenWilson Depends on D132820 Differential Revision: https://phabricator.services.mozilla.com/D132821
6d591d75447b61687b5c72d975c9dbd2fa78de63: Bug 1735407 - Replace Google Trust Services LLC (GTS) R1 root certificate in NSS. r=KathleenWilson
John M. Schanck <jschanck@mozilla.com> - Mon, 13 Dec 2021 18:01:38 +0000 - rev 16049
Push 4046 by bbeurdouche@mozilla.com at Mon, 13 Dec 2021 18:03:44 +0000
Bug 1735407 - Replace Google Trust Services LLC (GTS) R1 root certificate in NSS. r=KathleenWilson Depends on D132819 Differential Revision: https://phabricator.services.mozilla.com/D132820
53f589f17c34276f9c7e81d0aa1677202f8df09e: Bug 1735407 - Replace GlobalSign ECC Root CA R4 in NSS. r=KathleenWilson
John M. Schanck <jschanck@mozilla.com> - Mon, 13 Dec 2021 18:01:37 +0000 - rev 16048
Push 4046 by bbeurdouche@mozilla.com at Mon, 13 Dec 2021 18:03:44 +0000
Bug 1735407 - Replace GlobalSign ECC Root CA R4 in NSS. r=KathleenWilson Depends on D132805 Differential Revision: https://phabricator.services.mozilla.com/D132819
7a917bc990596708652697aba0447cff787f5793: Bug 1733560 - Remove Expired Root Certificates from NSS - DST Root CA X3. r=KathleenWilson
John M. Schanck <jschanck@mozilla.com> - Mon, 13 Dec 2021 18:01:37 +0000 - rev 16047
Push 4046 by bbeurdouche@mozilla.com at Mon, 13 Dec 2021 18:03:44 +0000
Bug 1733560 - Remove Expired Root Certificates from NSS - DST Root CA X3. r=KathleenWilson Depends on D132806 Differential Revision: https://phabricator.services.mozilla.com/D132805
27026e52b449a88131f91d5292c8b18c2eacca54: Bug 1740807 - Remove Expiring Cybertrust Global Root and GlobalSign root certificates from NSS. r=KathleenWilson
John M. Schanck <jschanck@mozilla.com> - Mon, 13 Dec 2021 18:01:37 +0000 - rev 16046
Push 4046 by bbeurdouche@mozilla.com at Mon, 13 Dec 2021 18:03:44 +0000
Bug 1740807 - Remove Expiring Cybertrust Global Root and GlobalSign root certificates from NSS. r=KathleenWilson Depends on D132761 Differential Revision: https://phabricator.services.mozilla.com/D132806
99e80c98603ff3d714fb09b3d34b6a332227bd96: Bug 1741930 - Add renewed Autoridad de Certificacion Firmaprofesional CIF A62634068 root certificate to NSS. r=KathleenWilson
John M. Schanck <jschanck@mozilla.com> - Mon, 13 Dec 2021 18:01:36 +0000 - rev 16045
Push 4046 by bbeurdouche@mozilla.com at Mon, 13 Dec 2021 18:03:44 +0000
Bug 1741930 - Add renewed Autoridad de Certificacion Firmaprofesional CIF A62634068 root certificate to NSS. r=KathleenWilson Depends on D132756 Differential Revision: https://phabricator.services.mozilla.com/D132761
6ef6195adf87eadc2d8e370ac3808bc61a99193b: Bug 1740095 - Add iTrusChina ECC root certificate to NSS. r=KathleenWilson
John M. Schanck <jschanck@mozilla.com> - Mon, 13 Dec 2021 18:01:36 +0000 - rev 16044
Push 4046 by bbeurdouche@mozilla.com at Mon, 13 Dec 2021 18:03:44 +0000
Bug 1740095 - Add iTrusChina ECC root certificate to NSS. r=KathleenWilson Depends on D132755 Differential Revision: https://phabricator.services.mozilla.com/D132756
71350878e12cea83b853750603af13775dc9bd3a: Bug 1740095 - Add iTrusChina RSA root certificate to NSS. r=KathleenWilson
John M. Schanck <jschanck@mozilla.com> - Mon, 13 Dec 2021 18:01:35 +0000 - rev 16043
Push 4046 by bbeurdouche@mozilla.com at Mon, 13 Dec 2021 18:03:44 +0000
Bug 1740095 - Add iTrusChina RSA root certificate to NSS. r=KathleenWilson Depends on D132752 Differential Revision: https://phabricator.services.mozilla.com/D132755
7445fee9bab81281caeed007fa55d5091ca8a85c: Bug 1738805 - Add ISRG Root X2 root certificate to NSS. r=KathleenWilson
John M. Schanck <jschanck@mozilla.com> - Mon, 13 Dec 2021 18:01:35 +0000 - rev 16042
Push 4046 by bbeurdouche@mozilla.com at Mon, 13 Dec 2021 18:03:44 +0000
Bug 1738805 - Add ISRG Root X2 root certificate to NSS. r=KathleenWilson Depends on D132754 Differential Revision: https://phabricator.services.mozilla.com/D132752
08315e90fb1269ae30cbf3d3e8beacd5f827c952: Bug 1733012 - Add Chunghwa Telecom's HiPKI Root CA - G1 root certificate to NSS. r=KathleenWilson
John M. Schanck <jschanck@mozilla.com> - Mon, 13 Dec 2021 18:01:34 +0000 - rev 16041
Push 4046 by bbeurdouche@mozilla.com at Mon, 13 Dec 2021 18:03:44 +0000
Bug 1733012 - Add Chunghwa Telecom's HiPKI Root CA - G1 root certificate to NSS. r=KathleenWilson Differential Revision: https://phabricator.services.mozilla.com/D132754
50f5a60523ca9df2baedacd23b97df9d24ef3a77: Bug 1741688 - Update googletest to 1.11.0 r=nss-reviewers,mt
J08nY <johny@neuromancer.sk> - Mon, 13 Dec 2021 17:52:31 +0000 - rev 16040
Push 4045 by bbeurdouche@mozilla.com at Mon, 13 Dec 2021 17:54:40 +0000
Bug 1741688 - Update googletest to 1.11.0 r=nss-reviewers,mt Differential Revision: https://phabricator.services.mozilla.com/D131425
094dafff1115d7773a65341fc6f03895f6046119: Bug 1738028: avoid a clang 13 unused variable warning in opt build. r=bbeurdouche
John M. Schanck <jschanck@mozilla.com> - Mon, 13 Dec 2021 16:35:17 +0000 - rev 16039
Push 4044 by bbeurdouche@mozilla.com at Mon, 13 Dec 2021 16:37:24 +0000
Bug 1738028: avoid a clang 13 unused variable warning in opt build. r=bbeurdouche Differential Revision: https://phabricator.services.mozilla.com/D130309
7ff99e71f3e37faed12bc3cc90a3eed27e3418d0: Bug 1735028 - check for missing signedData field r=keeler
John M. Schanck <jschanck@mozilla.com> - Mon, 11 Oct 2021 22:09:25 +0000 - rev 16038
Push 4043 by bbeurdouche@mozilla.com at Wed, 01 Dec 2021 16:19:17 +0000
Bug 1735028 - check for missing signedData field r=keeler Differential Revision: https://phabricator.services.mozilla.com/D128112
f80fafd04cf82b4d315c8fe42bb4639703f6ee4f: Bug 1737470 - Ensure DER encoded signatures are within size limits. r=jschanck,mt,bbeurdouche,rrelyea
Dennis Jackson <djackson@mozilla.com> - Mon, 22 Nov 2021 10:40:42 +0000 - rev 16037
Push 4043 by bbeurdouche@mozilla.com at Wed, 01 Dec 2021 16:19:17 +0000
Bug 1737470 - Ensure DER encoded signatures are within size limits. r=jschanck,mt,bbeurdouche,rrelyea Differential Revision: https://phabricator.services.mozilla.com/D129514
9ad7670649540586a8f52d171bafa8484dde4f9b: Added tag NSS_3_68_1_RTM for changeset 6e68b52ee28b NSS_3_68_1_BRANCH
Benjamin Beurdouche <bbeurdouche@mozilla.com> - Wed, 01 Dec 2021 00:32:02 +0100 - rev 16036
Push 4042 by bbeurdouche@mozilla.com at Wed, 01 Dec 2021 16:15:11 +0000
Added tag NSS_3_68_1_RTM for changeset 6e68b52ee28b
6e68b52ee28b3c8a93a108cabe0427a011d8963e: Set version numbers to 3.68.1 final NSS_3_68_1_BRANCH NSS_3_68_1_RTM
Benjamin Beurdouche <bbeurdouche@mozilla.com> - Wed, 01 Dec 2021 00:13:19 +0100 - rev 16035
Push 4042 by bbeurdouche@mozilla.com at Wed, 01 Dec 2021 16:15:11 +0000
Set version numbers to 3.68.1 final
5b2659c39cc7c22f2e403e90fc75189cd5023310: Bug 1735028 - check for missing signedData field r=keeler NSS_3_68_1_BRANCH
John M. Schanck <jschanck@mozilla.com> - Mon, 11 Oct 2021 22:09:25 +0000 - rev 16034
Push 4042 by bbeurdouche@mozilla.com at Wed, 01 Dec 2021 16:15:11 +0000
Bug 1735028 - check for missing signedData field r=keeler Differential Revision: https://phabricator.services.mozilla.com/D128112
dea71cbef9e03636f37c6cb120f8deccce6e17dd: Bug 1737470 - Ensure DER encoded signatures are within size limits. r=jschanck,mt,bbeurdouche,rrelyea NSS_3_68_1_BRANCH
Dennis Jackson <djackson@mozilla.com> - Mon, 22 Nov 2021 10:40:42 +0000 - rev 16033
Push 4042 by bbeurdouche@mozilla.com at Wed, 01 Dec 2021 16:15:11 +0000
Bug 1737470 - Ensure DER encoded signatures are within size limits. r=jschanck,mt,bbeurdouche,rrelyea Differential Revision: https://phabricator.services.mozilla.com/D129514
eec6d559b5b6883d51c09a50a3134a20d1da755a: Added tag NSS_3_73_RTM for changeset a2050bd67f05 NSS_3_73_BRANCH
Benjamin Beurdouche <bbeurdouche@mozilla.com> - Tue, 30 Nov 2021 23:51:25 +0100 - rev 16032
Push 4042 by bbeurdouche@mozilla.com at Wed, 01 Dec 2021 16:15:11 +0000
Added tag NSS_3_73_RTM for changeset a2050bd67f05
a2050bd67f05e8af5984baca03078d69b3874b85: Set version numbers to 3.73 final NSS_3_73_BRANCH NSS_3_73_RTM
Benjamin Beurdouche <bbeurdouche@mozilla.com> - Tue, 30 Nov 2021 23:50:57 +0100 - rev 16031
Push 4042 by bbeurdouche@mozilla.com at Wed, 01 Dec 2021 16:15:11 +0000
Set version numbers to 3.73 final
2adbe73d88e016b6604e1014731d8c22d6e58005: Bug 1735028 - check for missing signedData field r=keeler NSS_3_73_BRANCH
John M. Schanck <jschanck@mozilla.com> - Mon, 11 Oct 2021 22:09:25 +0000 - rev 16030
Push 4042 by bbeurdouche@mozilla.com at Wed, 01 Dec 2021 16:15:11 +0000
Bug 1735028 - check for missing signedData field r=keeler Differential Revision: https://phabricator.services.mozilla.com/D128112
6b3dc97a8767d9dc5c4c181597d1341d0899aa58: Bug 1737470 - Ensure DER encoded signatures are within size limits. r=jschanck,mt,bbeurdouche,rrelyea NSS_3_73_BRANCH
Dennis Jackson <djackson@mozilla.com> - Mon, 22 Nov 2021 10:40:42 +0000 - rev 16029
Push 4042 by bbeurdouche@mozilla.com at Wed, 01 Dec 2021 16:15:11 +0000
Bug 1737470 - Ensure DER encoded signatures are within size limits. r=jschanck,mt,bbeurdouche,rrelyea Differential Revision: https://phabricator.services.mozilla.com/D129514
0ee3564fdb1601e65abd93e888e4cb3ceab5f353: Added tag NSS_3_73_BETA1 for changeset 4b8ce9641338 NSS_3_73_BRANCH
Benjamin Beurdouche <bbeurdouche@mozilla.com> - Mon, 29 Nov 2021 10:09:36 +0100 - rev 16028
Push 4041 by bbeurdouche@mozilla.com at Mon, 29 Nov 2021 09:10:26 +0000
Added tag NSS_3_73_BETA1 for changeset 4b8ce9641338
4b8ce96413381293f42c8034ab4976e2aa9af247: Bug 1729550 NSS needs FIPS 140-3 version indicators. NSS_3_73_BETA1
Robert Relyea <rrelyea@redhat.com> - Tue, 07 Sep 2021 16:18:08 -0700 - rev 16027
Push 4040 by rrelyea@redhat.com at Wed, 17 Nov 2021 19:58:50 +0000
Bug 1729550 NSS needs FIPS 140-3 version indicators.
1. This patch adds a new command, validation, which dumps the validation objects in a given token. It defaults to the softoken.
2. It sets up the infrastructure to allow creation at init time of token specific objects (like validation objects and profile objects) by:
2a. factoring out the code to get the next available object handle to a new function call sftk_getNextHandle().
2b. The object freelists are now initialized before SFTK_SlotInit, so that SFTK_SlotInit can initialize these new token objects.
2c. A new statically defined session is created to hand these objects on.
2c1. sftk_NewSession and sftk_FreeSession have the initialization and clearing functions factored out from the actual space freeing clearing so they can be used on this statically allocated session. (NOTE: NSS has two ways it handles this internally: use of Init/New Clear/Free functions as in this patch, or the use of a bool called 'FreeIt' added to the original function. There is no technical reason for why I used Init/New other than I didn't have to go change all the places that currently call them. These are internal private functions, so it's ok to change their signatures.)
2c2. The static sessions are initialized and freed when the slot is created and destroyed.
3. For fips slot the validation object is created. The version number is selected at compile time with a build time environment variable. If no version number is provided, a default version number (related to the NSS version) is selected as well as the string 'unvalidated'.
4. The NSS specific defines for Validation objects are defined in the NSS vendor space (until PKCS #11 v3.2 comes out with the official values).
Differential Revision: https://phabricator.services.mozilla.com/D124951
ea6fb7d0d0fc46e0dae98f119d6a457ef758a469: Bug 1692132 pkix_CacheCert_Lookup doesn't return cached certs
Robert Relyea <rrelyea@redhat.com> - Tue, 09 Nov 2021 09:56:33 -0800 - rev 16026
Push 4039 by rrelyea@redhat.com at Tue, 09 Nov 2021 22:23:25 +0000
Bug 1692132 pkix_CacheCert_Lookup doesn't return cached certs patch by kjacobs, r=rrelyea
5a9d56104ad96d4e5de8f3ae1bf9ca5811ec73a3: Bug 1738600 - sunset Coverity from NSS. r=nss-reviewers,bbeurdouche
Andi-Bogdan Postelnicu <bpostelnicu@mozilla.com> - Mon, 08 Nov 2021 12:23:52 +0000 - rev 16025
Push 4038 by bbeurdouche@mozilla.com at Mon, 08 Nov 2021 12:25:58 +0000
Bug 1738600 - sunset Coverity from NSS. r=nss-reviewers,bbeurdouche Differential Revision: https://phabricator.services.mozilla.com/D129982
6287f3af05d0ac4b1c77c4d61f96ebc19e65d2f1: Set version numbers to 3.73 Beta
Benjamin Beurdouche <bbeurdouche@mozilla.com> - Thu, 28 Oct 2021 11:43:27 +0200 - rev 16024
Push 4037 by bbeurdouche@mozilla.com at Thu, 28 Oct 2021 09:43:45 +0000
Set version numbers to 3.73 Beta
2a2fedb28c49de34f9731aa76bb49076526c86dc: Added tag NSS_3_72_RTM for changeset 77b0c937dfaa NSS_3_72_BRANCH
Benjamin Beurdouche <bbeurdouche@mozilla.com> - Thu, 28 Oct 2021 11:22:58 +0200 - rev 16023
Push 4036 by bbeurdouche@mozilla.com at Thu, 28 Oct 2021 09:23:23 +0000
Added tag NSS_3_72_RTM for changeset 77b0c937dfaa
77b0c937dfaac74495cd2b498370b0e2668562bb: Set version numbers to 3.72 final NSS_3_72_BRANCH NSS_3_72_RTM
Benjamin Beurdouche <bbeurdouche@mozilla.com> - Thu, 28 Oct 2021 11:22:38 +0200 - rev 16022
Push 4036 by bbeurdouche@mozilla.com at Thu, 28 Oct 2021 09:23:23 +0000
Set version numbers to 3.72 final
16dd25d509ecf5d6c75260e462b9716f521e9d86: Documentation: release notes for NSS 3.72 NSS_3_72_BRANCH
Benjamin Beurdouche <bbeurdouche@mozilla.com> - Thu, 28 Oct 2021 11:19:40 +0200 - rev 16021
Push 4036 by bbeurdouche@mozilla.com at Thu, 28 Oct 2021 09:23:23 +0000
Documentation: release notes for NSS 3.72
665a9f9bc67707f450c2371c7dbbe4ca8e2c90f1: Documentation: release notes for NSS 3.71 NSS_3_72_BRANCH
Benjamin Beurdouche <bbeurdouche@mozilla.com> - Thu, 28 Oct 2021 11:19:02 +0200 - rev 16020
Push 4036 by bbeurdouche@mozilla.com at Thu, 28 Oct 2021 09:23:23 +0000
Documentation: release notes for NSS 3.71
b7046424e33d6025cbb0a0c0ed41a89e5d87e173: Remove newline at the end of coreconf.dep r=djackson NSS_3_72_BRANCH
Benjamin Beurdouche <bbeurdouche@mozilla.com> - Fri, 22 Oct 2021 11:29:32 +0000 - rev 16019
Push 4036 by bbeurdouche@mozilla.com at Thu, 28 Oct 2021 09:23:23 +0000
Remove newline at the end of coreconf.dep r=djackson Differential Revision: https://phabricator.services.mozilla.com/D129246
8a1827f137fa50635f4065edfe846fba4a9259ce: Documentation: release notes for NSS 3.72
Benjamin Beurdouche <bbeurdouche@mozilla.com> - Thu, 28 Oct 2021 11:19:40 +0200 - rev 16018
Push 4035 by bbeurdouche@mozilla.com at Thu, 28 Oct 2021 09:19:52 +0000
Documentation: release notes for NSS 3.72
a9ec424a102a876619c99f8b643628f8669e3dbc: Documentation: release notes for NSS 3.71
Benjamin Beurdouche <bbeurdouche@mozilla.com> - Thu, 28 Oct 2021 11:19:02 +0200 - rev 16017
Push 4035 by bbeurdouche@mozilla.com at Thu, 28 Oct 2021 09:19:52 +0000
Documentation: release notes for NSS 3.71
ed71098aced14453d31984d7547b39a9a46cf43f: Remove newline at the end of coreconf.dep r=djackson
Benjamin Beurdouche <bbeurdouche@mozilla.com> - Fri, 22 Oct 2021 11:29:32 +0000 - rev 16016
Push 4034 by bbeurdouche@mozilla.com at Fri, 22 Oct 2021 11:31:37 +0000
Remove newline at the end of coreconf.dep r=djackson Differential Revision: https://phabricator.services.mozilla.com/D129246
7d57396fe19859f8770fb012dc5e643213e73af1: Added tag NSS_3_72_BETA1 for changeset f7b146b603f7 NSS_3_72_BRANCH
Benjamin Beurdouche <bbeurdouche@mozilla.com> - Fri, 22 Oct 2021 11:30:49 +0200 - rev 16015
Push 4033 by bbeurdouche@mozilla.com at Fri, 22 Oct 2021 09:31:15 +0000
Added tag NSS_3_72_BETA1 for changeset f7b146b603f7
f7b146b603f76c2754877abd65542b0b571e4b9d: Bug 1731911 - Fix nsinstall parallel failure r=nss-reviewers,djackson NSS_3_72_BETA1
Giulio Benetti <giulio.benetti@benettiengineering.com> - Tue, 19 Oct 2021 16:11:53 +0000 - rev 16014
Push 4032 by bbeurdouche@mozilla.com at Tue, 19 Oct 2021 16:14:05 +0000
Bug 1731911 - Fix nsinstall parallel failure r=nss-reviewers,djackson Differential Revision: https://phabricator.services.mozilla.com/D128906
de3db3a55aef9c03deebee9a4db5b53276a1026d: Bug 1729930 - Increase KDF cache size to mitigate perf regression in about:logins r=bbeurdouche
Dennis Jackson <djackson@mozilla.com> - Mon, 18 Oct 2021 15:12:52 +0000 - rev 16013
Push 4031 by bbeurdouche@mozilla.com at Mon, 18 Oct 2021 15:15:00 +0000
Bug 1729930 - Increase KDF cache size to mitigate perf regression in about:logins r=bbeurdouche Differential Revision: https://phabricator.services.mozilla.com/D128748
5436d0bdfcef1b462d2126f75863d33004542a4a: Set version numbers to 3.72 Beta
Benjamin Beurdouche <bbeurdouche@mozilla.com> - Thu, 30 Sep 2021 15:02:10 +0200 - rev 16012
Push 4030 by bbeurdouche@mozilla.com at Thu, 30 Sep 2021 13:02:27 +0000
Set version numbers to 3.72 Beta
cb265295cd96062c60522f8b60af9d8f961225d4: Added tag NSS_3_71_RTM for changeset 2257d7391ec1 NSS_3_71_BRANCH
Benjamin Beurdouche <bbeurdouche@mozilla.com> - Thu, 30 Sep 2021 14:41:27 +0200 - rev 16011
Push 4029 by bbeurdouche@mozilla.com at Thu, 30 Sep 2021 12:42:12 +0000
Added tag NSS_3_71_RTM for changeset 2257d7391ec1
2257d7391ec119aa14cc4573b234196aefffa33f: Set version numbers to 3.71 final NSS_3_71_BRANCH NSS_3_71_RTM
Benjamin Beurdouche <bbeurdouche@mozilla.com> - Thu, 30 Sep 2021 14:41:14 +0200 - rev 16010
Push 4029 by bbeurdouche@mozilla.com at Thu, 30 Sep 2021 12:42:12 +0000
Set version numbers to 3.71 final
17957377f710c9e86746a7e68402eacf194ddf0b: Added tag NSS_3_71_BETA1 for changeset 2199f01d7f1e NSS_3_71_BRANCH
Benjamin Beurdouche <bbeurdouche@mozilla.com> - Fri, 24 Sep 2021 10:05:05 +0200 - rev 16009
Push 4028 by bbeurdouche@mozilla.com at Fri, 24 Sep 2021 08:05:26 +0000
Added tag NSS_3_71_BETA1 for changeset 2199f01d7f1e
2199f01d7f1e860fb440735386122d3597b95e90: Bug 1717716 - Set nssckbi version number to 2.52. r=rrelyea NSS_3_71_BETA1
Benjamin Beurdouche <bbeurdouche@mozilla.com> - Thu, 16 Sep 2021 20:50:20 +0200 - rev 16008
Push 4027 by bbeurdouche@mozilla.com at Thu, 16 Sep 2021 18:50:40 +0000
Bug 1717716 - Set nssckbi version number to 2.52. r=rrelyea
7e7070e56bf7a3937cd9338a52573c896af07e3f: Bug 1667000: respect server requirements of tlsfuzzer/test-tls13-signature-algorithms.py r=nss-reviewers,bbeurdouche
John M. Schanck <jschanck@mozilla.com> - Thu, 16 Sep 2021 18:38:15 +0000 - rev 16007
Push 4026 by bbeurdouche@mozilla.com at Thu, 16 Sep 2021 18:40:19 +0000
Bug 1667000: respect server requirements of tlsfuzzer/test-tls13-signature-algorithms.py r=nss-reviewers,bbeurdouche We recently updated tlsfuzzer so that we could enable a test for Bug 1662515. Since that update we've been seeing intermittent failures for tlsfuzzer/test-tls13-signature-algorithms.py, which is a bit surprising as our config labels this test as "exp_pass: false". This patch aligns our selfserv configuration for the tls13-sig-algs test with the requirements of the test, and should fix the issue, but there are clearly some other underlying problems here. Differential Revision: https://phabricator.services.mozilla.com/D124825
6796ae14d413405b09d0e90f8fc206eb9ff14864: Bug 1373716 Import of PKCS#12 files with Camellia encryption is not supported
Robert Relyea <rrelyea@redhat.com> - Thu, 26 Aug 2021 15:45:13 -0700 - rev 16006
Push 4025 by rrelyea@redhat.com at Tue, 07 Sep 2021 19:09:11 +0000
Bug 1373716 Import of PKCS#12 files with Camellia encryption is not supported Bug 1707130 Fixed the base issue with Camellia, but now it has the same issue as AES did which was fixed in Bug 1268141. The fix is to generalize the AES patch, recognizing the issue isn't AES specific but an issue for any case where we encode the keysize into the oid, but the oid maps to the same PKCS #11 mechanism. This patch condenses a lot of the original AES fix, collecting several blocks of common code into single functions, and putting one place where the key sizes of pkcs5v2 algorithms with different oids with key sizes specific to those oids, but their mechanism maps to a single PKCS #11 mechanism live. This means future algorithms can be handled easily. bob
ed21a4b608a69c71aeef3e73b68243725c7df47a: Bug 1717707 - Add HARICA Client ECC Root CA 2021. r=KathleenWilson
Benjamin Beurdouche <bbeurdouche@mozilla.com> - Tue, 07 Sep 2021 16:52:41 +0000 - rev 16005
Push 4024 by bbeurdouche@mozilla.com at Tue, 07 Sep 2021 16:54:49 +0000
Bug 1717707 - Add HARICA Client ECC Root CA 2021. r=KathleenWilson Depends on D124568 Differential Revision: https://phabricator.services.mozilla.com/D124569
db050897d9e2cfaf826255a616b255b6f7e7c6bb: Bug 1717707 - Add HARICA Client RSA Root CA 2021. r=KathleenWilson
Benjamin Beurdouche <bbeurdouche@mozilla.com> - Tue, 07 Sep 2021 16:52:41 +0000 - rev 16004
Push 4024 by bbeurdouche@mozilla.com at Tue, 07 Sep 2021 16:54:49 +0000
Bug 1717707 - Add HARICA Client RSA Root CA 2021. r=KathleenWilson Depends on D124567 Differential Revision: https://phabricator.services.mozilla.com/D124568
5041a40c671d013394a91abace16f300f02b1a55: Bug 1717707 - Add HARICA TLS ECC Root CA 2021. r=KathleenWilson
Benjamin Beurdouche <bbeurdouche@mozilla.com> - Tue, 07 Sep 2021 16:52:40 +0000 - rev 16003
Push 4024 by bbeurdouche@mozilla.com at Tue, 07 Sep 2021 16:54:49 +0000
Bug 1717707 - Add HARICA TLS ECC Root CA 2021. r=KathleenWilson Depends on D124566 Differential Revision: https://phabricator.services.mozilla.com/D124567
0c2ed3fee86e6288d207730e07f2ef60aa56011b: Bug 1717707 - Add HARICA TLS RSA Root CA 2021. r=KathleenWilson
Benjamin Beurdouche <bbeurdouche@mozilla.com> - Tue, 07 Sep 2021 16:52:40 +0000 - rev 16002
Push 4024 by bbeurdouche@mozilla.com at Tue, 07 Sep 2021 16:54:49 +0000
Bug 1717707 - Add HARICA TLS RSA Root CA 2021. r=KathleenWilson Depends on D124565 Differential Revision: https://phabricator.services.mozilla.com/D124566
1e49e54696a35584ea28f45d98e5209866e0df0c: Bug 1728394 - Add TunTrust Root CA certificate to NSS. r=KathleenWilson
Benjamin Beurdouche <bbeurdouche@mozilla.com> - Tue, 07 Sep 2021 16:52:39 +0000 - rev 16001
Push 4024 by bbeurdouche@mozilla.com at Tue, 07 Sep 2021 16:54:49 +0000
Bug 1728394 - Add TunTrust Root CA certificate to NSS. r=KathleenWilson Differential Revision: https://phabricator.services.mozilla.com/D124565
a4e9e11705f48f941d53f5f9edd0d657697e0e4e: Set version numbers to 3.71 Beta
Benjamin Beurdouche <bbeurdouche@mozilla.com> - Sat, 04 Sep 2021 20:00:03 +0200 - rev 16000
Push 4023 by bbeurdouche@mozilla.com at Sat, 04 Sep 2021 18:00:22 +0000
Set version numbers to 3.71 Beta
df1e4be25ee6a11a59699bf4c27c0f9727762bdc: Added tag NSS_3_70_RTM for changeset c4e7630cbfec NSS_3_70_BRANCH
Benjamin Beurdouche <bbeurdouche@mozilla.com> - Sat, 04 Sep 2021 19:51:22 +0200 - rev 15999
Push 4022 by bbeurdouche@mozilla.com at Sat, 04 Sep 2021 17:51:47 +0000
Added tag NSS_3_70_RTM for changeset c4e7630cbfec
c4e7630cbfecdcdcdb578c12f9b044d76af15176: Set version numbers to 3.70 final NSS_3_70_BRANCH NSS_3_70_RTM
Benjamin Beurdouche <bbeurdouche@mozilla.com> - Sat, 04 Sep 2021 19:51:10 +0200 - rev 15998
Push 4022 by bbeurdouche@mozilla.com at Sat, 04 Sep 2021 17:51:47 +0000
Set version numbers to 3.70 final
a86217c0ce0d9ada76159c61442ef378a2e708a7: Documentation: release notes for NSS 3.70 NSS_3_70_BRANCH
Benjamin Beurdouche <bbeurdouche@mozilla.com> - Sat, 04 Sep 2021 19:48:45 +0200 - rev 15997
Push 4022 by bbeurdouche@mozilla.com at Sat, 04 Sep 2021 17:51:47 +0000
Documentation: release notes for NSS 3.70
3160cfcbec3b3b23395f23c40d59e8a2b88547a4: Release notes for NSS 3.69.1 NSS_3_70_BRANCH
Benjamin Beurdouche <bbeurdouche@mozilla.com> - Tue, 31 Aug 2021 12:31:06 +0200 - rev 15996
Push 4022 by bbeurdouche@mozilla.com at Sat, 04 Sep 2021 17:51:47 +0000
Release notes for NSS 3.69.1
c222164485d0e19a609b6a8a23ca390744e0140d: Documentation: release notes for NSS 3.70
Benjamin Beurdouche <bbeurdouche@mozilla.com> - Sat, 04 Sep 2021 19:48:45 +0200 - rev 15995
Push 4021 by bbeurdouche@mozilla.com at Sat, 04 Sep 2021 17:48:58 +0000
Documentation: release notes for NSS 3.70
b4d6267990a296785fc7ab090614479e268fcc96: Release notes for NSS 3.69.1
Benjamin Beurdouche <bbeurdouche@mozilla.com> - Tue, 31 Aug 2021 12:31:06 +0200 - rev 15994
Push 4020 by bbeurdouche@mozilla.com at Tue, 31 Aug 2021 10:31:31 +0000
Release notes for NSS 3.69.1
230c7c555a98749b3342b66427c0edcbe24375da: Added tag NSS_3_69_1_RTM for changeset 03c97b1e3239 NSS_3_69_1_BRANCH
Benjamin Beurdouche <bbeurdouche@mozilla.com> - Thu, 26 Aug 2021 21:01:42 +0200 - rev 15993
Push 4019 by bbeurdouche@mozilla.com at Fri, 27 Aug 2021 07:48:17 +0000
Added tag NSS_3_69_1_RTM for changeset 03c97b1e3239
03c97b1e32399ac0b0c2b413be7c1f2f6ef611e5: Backed out changeset 1e86f5cfc1cd NSS_3_69_1_BRANCH NSS_3_69_1_RTM
Benjamin Beurdouche <bbeurdouche@mozilla.com> - Thu, 26 Aug 2021 21:01:21 +0200 - rev 15992
Push 4019 by bbeurdouche@mozilla.com at Fri, 27 Aug 2021 07:48:17 +0000
Backed out changeset 1e86f5cfc1cd
9c053038b27bc24f86ca6805c82ea930b457c5a1: Backed out changeset 60211e7f03ee NSS_3_69_1_BRANCH
Benjamin Beurdouche <bbeurdouche@mozilla.com> - Thu, 26 Aug 2021 21:00:55 +0200 - rev 15991
Push 4019 by bbeurdouche@mozilla.com at Fri, 27 Aug 2021 07:48:17 +0000
Backed out changeset 60211e7f03ee
2298bcf65de9d3f8ea853449de364f7aca9292c8: Set version numbers to 3.69.1 final NSS_3_69_1_BRANCH
Benjamin Beurdouche <bbeurdouche@mozilla.com> - Thu, 26 Aug 2021 21:00:26 +0200 - rev 15990
Push 4019 by bbeurdouche@mozilla.com at Fri, 27 Aug 2021 07:48:17 +0000
Set version numbers to 3.69.1 final
8a2ba28dd68a3ce6560b5cd15ddd3218b2550ee2: Added tag NSS_3_70_BETA1 for changeset e55700ee052e NSS_3_70_BRANCH
Benjamin Beurdouche <bbeurdouche@mozilla.com> - Thu, 26 Aug 2021 19:23:30 +0200 - rev 15989
Push 4018 by bbeurdouche@mozilla.com at Thu, 26 Aug 2021 17:26:02 +0000
Added tag NSS_3_70_BETA1 for changeset e55700ee052e