Commit message | Author | Age | Files | Lines
* Set version numbers to 3.26 final [NSS_3_38_RTM] | Franziskus Kiefer | 2018-06-21 | 3 | -6/+6
* branch for NSS 3.38 release | Franziskus Kiefer | 2018-06-15 | 0 | -0/+0
* Bug 1451936 - use the correct free function in SignFile; r=fkiefer | Alex Gaynor | 2018-06-08 | 1 | -1/+1
  Differential Revision: https://phabricator.services.mozilla.com/D1583
* Bug 1464971 - improve ecdsa and dsa, r=mt | Franziskus Kiefer | 2018-05-29 | 2 | -17/+49
  Differential Revision: https://phabricator.services.mozilla.com/D1441
* Bug 1464616 - make sure arenas are the same, r=mt | Franziskus Kiefer | 2018-06-06 | 1 | -1/+3
  Differential Revision: https://phabricator.services.mozilla.com/D1565
* Bug 1465186 - null earlier in sftkdb_decodeCipherText, r=mt | Franziskus Kiefer | 2018-06-06 | 1 | -2/+4
  Differential Revision: https://phabricator.services.mozilla.com/D1554
* Bug 1464224 - delete nssmkey, r=mt | Franziskus Kiefer | 2018-06-01 | 19 | -3675/+0
  Differential Revision: https://phabricator.services.mozilla.com/D1486
* Bug 1465241 - always init tmpArena, r=mt | Franziskus Kiefer | 2018-06-05 | 1 | -2/+1
  Differential Revision: https://phabricator.services.mozilla.com/D1552
* Bug 1464618 - null salt, r=mt | Franziskus Kiefer | 2018-06-05 | 1 | -0/+1
  Differential Revision: https://phabricator.services.mozilla.com/D1553
* Bug 1466073 - update hacl* revision and fix image build, r=jcj | Franziskus Kiefer | 2018-06-04 | 1 | -2/+2
  Differential Revision: https://phabricator.services.mozilla.com/D1528
* Bug 1466468 - coverity CID 1435922: Uninitialized members in RecordSizeDefaultsTest, r=mt | Franziskus Kiefer | 2018-06-04 | 1 | -1/+1
  Differential Revision: https://phabricator.services.mozilla.com/D1527
* Bug 1466365 - Add a missing test for MAC failure. r=mt | EKR | 2018-06-02 | 2 | -0/+35
  Reviewers: mt
  Tags: #secure-revision
  Differential Revision: https://phabricator.services.mozilla.com/D1517
* Bug 1396487 - Record size limiting extension, r=ekr | Martin Thomson | 2017-11-24 | 21 | -27/+638
  Summary: See draft-ietf-tls-record-limit for details.
  Reviewers: ekr
  Bug #: 1396487
  Differential Revision: https://phabricator.services.mozilla.com/D23
* Bug 1461731 - wait indefinitely in nssSlot_IsTokenPresent; r=rrelyea,fkiefer | Nathan Froyd | 2018-05-30 | 1 | -1/+1
  Crashes for a particular hang have been spiking in the last month, and all the crashes are associated with macOS 10.12 and 10.13. The crashes look like this:

  Thread 1: waiting on a condition variable in nssSlot_IsTokenPresent
  Thread 2: waiting on the (contended) lock in nssSlot_IsTokenPresent
  Thread 3: waiting on the (contended) lock in nssSlot_IsTokenPresent

  Thread 2 and 3 are waiting on the lock associated with the condition variable that thread 1 is holding. One would expect that thread 1 would drop the lock associated with the condition variable when the wait occurs, and enable thread 2 or thread 3 to make progress.

  But the particular wait in question passes a (relative) timeout of zero (which corresponds to what would be PR_INTERVAL_NO_WAIT), which is unusual in NSS code and condition variable-using programs in general. A relative timeout of zero on macOS needs to be translated to an absolute time for the underlying API, pthread_cond_timedwait. What appears to be happening is that some absolute time, $NOW, is determined before calling pthread_cond_timedwait. We then call into pthread_cond_timedwait and do whatever work we need to do before checking whether the specified time ($NOW) has passed. Of course it has; we are at some time $NOW + epsilon, and so the wait times out. The wait appears to time out without the lock ever being released; if the lock was released, even if ever-so-shortly, presumably one of the other threads would be able to make progress.

  Since the hang only occurs on macOS 10.12 and 10.13, we are assuming that there was some change in the condition variable code that attempts to optimize extremely short timeouts, or treats timeouts of zero differently (even if inadvertently). The other possibility is this is the way macOS has always worked, and the crash data we have is only for those versions of the operating system.

  In any event, there's no need to specify a timeout of zero here. We can specify an "infinite" wait instead (PR_INTERVAL_NO_TIMEOUT) and let another thread make progress, waking us up when it is done.
* Bug 1464778 - tstclnt - Check pollset[STDIN_FD] before accessing r=franziskus | Tim Taubert | 2018-05-30 | 1 | -2/+2
  Reviewers: franziskus
  Reviewed By: franziskus
  Bug #: 1464778
  Differential Revision: https://phabricator.services.mozilla.com/D1433
* Bug 1457716 - bustage fix, r=ttaubert | Franziskus Kiefer | 2018-05-29 | 2 | -2/+11
* Bug 1457716 - bustage fix for exporting of SECITEM_MakeItem, a=bustage | Martin Thomson | 2018-05-29 | 1 | -5/+5
* Bug 1457716 - Fix CertificateRequest processing for TLS 1.3. r=mt | EKR | 2018-04-29 | 6 | -6/+44
  Reviewers: mt
  Tags: #secure-revision
  Bug #: 1457716
  Differential Revision: https://phabricator.services.mozilla.com/D1062
* Bug 1432455 - Build FStar.c when not building with int128 support. r=fkiefer | Mike Hommey | 2018-05-27 | 3 | -14/+25
* Bug 1461075 - use getentropy() on OpenBSD, r=franziskus | Landry Breuil | 2018-05-21 | 1 | -1/+1
* Bug 430198, bustage fix, Windows doesn't have strncasecmp, use equivalent NSPR function PL_strncasecmp | Kai Engert | 2018-05-24 | 1 | -1/+1
* Bug 430198, certutil capability: generate CSR from orphan private key, adding a test, r=rrelyea | Kai Engert | 2018-05-24 | 1 | -0/+26
* Bug 430198, certutil capability: generate CSR from orphan private key, r=kaie | Fraser Tweedale | 2018-05-24 | 1 | -14/+61
* Bug 1462627, add new option --simple-self-signed for certutil -O, r=rrelyea | Kai Engert | 2018-05-24 | 1 | -3/+28
* Bug 1423018 - Retain write polling when 0-RTT is enabled, r=ekr | Martin Thomson | 2017-11-28 | 3 | -105/+96
  This is a nasty one. I was having trouble with tstclnt when testing against other implementations. It would hang. I made similar changes to that for kazuho and picotls, where the input file is read for every connection. So, I did that here too and it also worked nicely.

  In order to get 0-RTT working though, I needed to teach ssl_Poll about 0-RTT. Luckily, there was code already there for that and it just needed a tweak.

  The only thing I ran into here was that boringssl (the server I was using to test against here), was too fast. By the time we had written out the ClientHello, it had produced a response and we would complete the handshake before leaving the handshake loop in ssl3_Do1stHandshake(). That meant that we would never actually send any 0-RTT data, either before or after this patch. Adding a sleep(1) to the handshake in boringssl did the trick and I could show that we can send data before the handshake completes. Nothing really actionable here unless you can think of ways to make our handshake more performant. Mostly just information.

  Separately, people have noticed that tstclnt writes 0-RTT after the first round trip. That's a symptom of not retaining the poll on write.
* Bug 1463379 - [CID 1435689] Dereferencing null pointer "cx" r=jcj | Tim Taubert | 2018-05-23 | 1 | -1/+3
  Reviewers: jcj
  Reviewed By: jcj
  Bug #: 1463379
  Differential Revision: https://phabricator.services.mozilla.com/D1347
* Bug 1460673 - fix clang-format | Franziskus Kiefer | 2018-05-18 | 1 | -1/+1
* Bug 1460673 - handle p12 properly, r=ttaubert | Franziskus Kiefer | 2018-05-16 | 7 | -8/+274
  Differential Revision: https://phabricator.services.mozilla.com/D1295
* Bug 1459456 - make clang-format happy | Franziskus Kiefer | 2018-05-18 | 2 | -5/+5
* Bug 1459456 - check maximum DH and RSA key length in TLS, r=mt | Franziskus Kiefer | 2018-05-15 | 12 | -6/+314
  Differential Revision: https://phabricator.services.mozilla.com/D1212
* Bug 1462303 - Allow TLS 1.3 compat mode when attempting to resume TLS 1.2, r=ekr,ttaubert | Martin Thomson | 2018-05-18 | 2 | -15/+41
* Bug 1454367 - Fix TlsExtensionTestGeneric.AlpnZeroLength r=mt | Tim Taubert | 2018-05-17 | 1 | -1/+9
  Reviewers: mt
  Reviewed By: mt
  Bug #: 1454367
  Differential Revision: https://phabricator.services.mozilla.com/D951
* Bug 1462207 - Trivial fix to error codes, r=franziskus | Martin Thomson | 2018-05-17 | 2 | -2/+64
* Bug 1461623 - Clear session cache after every (d)tls-client fuzzer run r=franziskus | Tim Taubert | 2018-05-15 | 1 | -4/+4
  Reviewers: franziskus
  Reviewed By: franziskus
  Bug #: 1461623
  Differential Revision: https://phabricator.services.mozilla.com/D1284
* Bug 1460409 - fix blake2b begin, r=ttaubert | Franziskus Kiefer | 2018-05-14 | 1 | -1/+1
  Differential Revision: https://phabricator.services.mozilla.com/D1271
* Bug 1452549 - Discard application data that arrives before DTLS handshake completes, r=ekr | Martin Thomson | 2018-04-09 | 2 | -25/+75
* Bug 1458518, added a test for stable nicknames on repeated import, r=rrelyea | Kai Engert | 2018-05-03 | 1 | -0/+50
* Bug 1458165 - Fix saw image to 16.04, r=ttaubert | Martin Thomson | 2018-05-01 | 1 | -1/+1
* Bug 1458518, Nicknames of existing certificates in NSS SQL DB should remain unchanged on repeated import attempts, r=kaie | Robert Relyea | 2018-05-02 | 1 | -1/+3
* Bug 1456888, Use Linux filesystem type to decide about NSS SQL DB caching and speed measuring, r=rrelyea | Kai Engert | 2018-05-02 | 1 | -3/+46
* Backed out changeset 7aacbcdb41d1 for interop test failures | Martin Thomson | 2018-05-01 | 4 | -138/+41
* Bug 1423043 - Enable half-close, r=ttaubert,ekr | Martin Thomson | 2018-05-01 | 4 | -41/+138
  Summary: TLS 1.3 explicitly changed to allow close_notify on one half of the connection. Since SSL, an endpoint was required to send close_notify if it received close_notify. The general agreement was that this was a silly requirement and that we would remove it and allow one side of the connection to be closed. This is critical for some protocols that are being moved to use TLS.

  NSS was almost perfect here. The only problem was that it suppressed the second close_notify. I've added a test for that.

  Reviewers: ttaubert, ekr
  Reviewed By: ttaubert, ekr
  Subscribers: ekr
  Bug #: 1423043
  Differential Revision: https://phabricator.services.mozilla.com/D797
* Bug 1452855 - Move 0-RTT discard check up, r=franziskus | Martin Thomson | 2018-05-01 | 1 | -12/+8
  Summary: Just moving things about. Also, the comment was outdated.
  Reviewers: franziskus
  Reviewed By: franziskus
  Bug #: 1452855
  Differential Revision: https://phabricator.services.mozilla.com/D892
* Updated version numbers to 3.38 | J.C. Jones | 2018-04-26 | 4 | -7/+7
* Bug 1454321 - Add tests for invalid ECDH ServerKeyExchange.Signature.algorithm values r=mt | Tim Taubert | 2018-04-26 | 2 | -0/+48
  Reviewers: mt
  Reviewed By: mt
  Bug #: 1454321
  Differential Revision: https://phabricator.services.mozilla.com/D947
* Bug 1057343, Use Linux getrandom()/getentropy() kernel system call for obtaining entropy, r=fkiefer | Kai Engert | 2018-04-20 | 2 | -0/+37
* Bug 1454913, remove trailing whitespace, r=kaie | Rob Percival | 2018-04-19 | 1 | -1/+1
  DONTBUILD
* Bug 1455002 - Bump TLS 1.3 version to draft-28, r=ekr | Martin Thomson | 2018-04-17 | 1 | -1/+1
  Summary: I probably messed this one up.
  Reviewers: ekr
  Reviewed By: ekr
  Bug #: 1453586
  Differential Revision: https://phabricator.services.mozilla.com/D919
* Bug 1449169, NSS should assume SQLite >= 3.5.0 and support read-only database opening using the sqlite3_open_v2 API, r=dueno | Kai Engert | 2018-04-16 | 1 | -6/+11
* Bug 1453920 - Make clang-format happy r=me | Tim Taubert | 2018-04-13 | 1 | -11/+13