Commit message | Author | Age | Files | Lines
* Added tag NSS_3_43_BETA3 for changeset de94039f5c30 | Kai Engert | 2019-03-14 | 0 | -0/+0
|
* Bug 1529308, amend earlier commit 68578ca0ba17f205e4f92512157368eaf1694eb3, which wasn't the reviewed patch. r=jcj (tag: NSS_3_43_BETA3) | Kai Engert | 2019-03-14 | 1 | -2/+0
* Added tag NSS_3_43_BETA2 for changeset e611b174c065 | J.C. Jones | 2019-03-13 | 0 | -0/+0
|
* Bug 1517714 - Properly handle ESNI with HRR, r=mt (tag: NSS_3_43_BETA2) | Ekr | 2019-03-14 | 5 | -10/+21
|
* Bug 1535122 - Align TLS 1.3 HKDF trace levels, r=mt | Ekr | 2019-03-14 | 1 | -1/+1
|
* Added tag NSS_3_43_BETA1 for changeset 55dfd930f934 | J.C. Jones | 2019-03-08 | 0 | -0/+0
|
* Bug 1531074 - SECKEY_SetPublicValue derefs after null checks, r=rrelyea (tag: NSS_3_43_BETA1) | Martin Thomson | 2019-02-28 | 1 | -2/+5
|   Summary: This should help with our coverity analysis.
|   Reviewers: rrelyea
|   Tags: #secure-revision
|   Bug #: 1531074
|   Differential Revision: https://phabricator.services.mozilla.com/D21423
* Bug 1533087 - March 2019 batch of root changes r=kwilson | J.C. Jones | 2019-03-06 | 2 | -2/+677
|   Summary:
|   Additions:
|   eMudhra: Bug 1515457
|   Hongkong Post: Bug 1532753
|   Tags: #secure-revision
|   Bug #: 1533087
|   Differential Revision: https://phabricator.services.mozilla.com/D22357
* Bug 1521174 - Add some initial S/MIME gtests r=mt | J.C. Jones | 2018-12-10 | 8 | -1/+269
|   Differential Revision: https://phabricator.services.mozilla.com/D17014
* Bug 1513909, add manual for nss-policy-check, r=rrelyea | Daiki Ueno | 2019-03-04 | 4 | -5/+106
|
* Bug 1528262, add -J option to strsclnt to specify sigschemes, r=mt | Daiki Ueno | 2019-03-04 | 2 | -3/+82
|   Reviewers: mt
|   Reviewed By: mt
|   Bug #: 1528262
|   Differential Revision: https://phabricator.services.mozilla.com/D21516
* Bug 1529813 - Expose HKDF-Expand-Label, r=ekr | Martin Thomson | 2019-02-26 | 5 | -45/+56
|   Summary: I forgot about packet number encryption. This will help with that. I decided to replace DeriveSecret with this. No point in having that when you have this.
|   Reviewers: ekr
|   Bug #: 1529813
|   Differential Revision: https://phabricator.services.mozilla.com/D20937
* 1531267, enable FIPS mode if the system FIPS mode flag is set, r=jcj,mt | Robert Relyea | 2019-02-28 | 3 | -2/+38
|   This patch forces NSS into FIPS mode if system fips mode bit is set.
|   - If that bit is set, applications trying to switch out of FIPS mode will get an error code.
|   - Applications that check to see if they can change modes (like Firefox and Thunderbird) will be told they can't, so the Firefox <Disable FIPS> button should be grayed out if the system fips mode bit is set.
|   If the bit is not set, NSS gets its FIPS indication its traditional way, so the Firefox 'Enable FIPS' button will be on as normal.
|   This but does not change NSS behavior WRT non-FIPS algorithms.
* Bug 1529308 - Use a new comm_client flag in nss.gyp, which enables TB to build cmsutil. r=jcj | Kai Engert | 2019-02-28 | 2 | -0/+8
* Bug 1530134 - Run clang-format without docker as a fallback, r=jcj | Martin Thomson | 2019-02-26 | 1 | -10/+21
|   Running clang-format with a bad version is better than not running it at all.
|   Reviewers: jcj
|   Reviewed By: jcj
|   Bug #: 1530134
|   Differential Revision: https://phabricator.services.mozilla.com/D20938
* Bug 1528669 - Pass -D options directly to gyp, r=jcj | Martin Thomson | 2019-02-26 | 2 | -1/+3
|   Reviewers: jcj
|   Reviewed By: jcj
|   Bug #: 1528669
|   Differential Revision: https://phabricator.services.mozilla.com/D20120
* Backed out changeset d734d20b38d8 | J.C. Jones | 2019-02-25 | 1 | -1/+1
|   Bustage in m-c due to unexported symbols for cmsutil.
* Bug 1529950, Improve NSS S/MIME tests for Thunderbird, r=jcj | Kai Engert | 2019-02-25 | 2 | -21/+178
|
* Bug 1529959, memory leaks in atob/btoa, r=jcj | Kai Engert | 2019-02-25 | 2 | -22/+49
|
* Bug 1493936, add a new "DSA" policy keyword, r=kaie | Daiki Ueno | 2019-02-21 | 8 | -17/+142
|   Summary: This adds a new policy keyword "DSA" to explicitly disable DSA in TLS 1.2 or earlier.
|
|   We could make this a bit more generic, e.g., by adding "ECDSA", "RSA-PSS" etc. However, considering the current use of policy in [fedora-crypto-policies](https://gitlab.com/redhat-crypto/fedora-crypto-policies), I realized that adding new keywords may cause compatibility problems; because the Fedora configuration has `disallow=ALL`, all new keywords would be disabled by default. I think it's okay for DSA, though.
|
|   Reviewers: kaie
|   Reviewed By: kaie
|   Bug #: 1493936
|   Differential Revision: https://phabricator.services.mozilla.com/D6777
* Bug 1530102 - FreeBSD supports getentropy since the 12.x release, r=mt | David Carlier | 2019-02-23 | 1 | -1/+1
|
* Bug 1529813 - clang-format, a=bustage | Martin Thomson | 2019-02-23 | 1 | -14/+12
|
* Bug 1529813 - Expose TLS HKDF functions for QUIC, r=ekr | Martin Thomson | 2019-02-21 | 6 | -10/+216
|   Summary: This just does the two functions that QUIC needs. I reused the tests for HKDF for testing that the exposed function works identically, at least for those cases where DeriveSecret can be used.
|   Reviewers: ekr
|   Tags: #secure-revision
|   Bug #: 1529813
|   Differential Revision: https://phabricator.services.mozilla.com/D20762
* Bug 1528175 - Include version in SSL_MakeAead arguments, r=ekr | Martin Thomson | 2019-02-21 | 6 | -40/+95
|   Summary: We should really include version with the ciphersuite in case we decide to reuse the ciphersuite definitions for TLS 1.4, but also change the way they operate.
|
|   I also included a fixup for the clang4 build error from the last set.
|
|   Reviewers: ekr
|   Tags: #secure-revision
|   Bug #: 1528175
|   Differential Revision: https://phabricator.services.mozilla.com/D20761
* Bug 1528175 - Expose an AEAD function, r=ekr | Martin Thomson | 2019-02-17 | 20 | -278/+588
|
* Bug 1011625, Build cmsutil for Thunderbird, r=jcj | Kai Engert | 2019-02-21 | 1 | -1/+1
|
* Bug 1471126 - clang-format, a=bustage | Martin Thomson | 2019-02-20 | 1 | -3/+4
|
* Bug 1471126 - Fix return codes from SSL_ForceHandshake and SSL_RecordLayerData, r=ekr | Martin Thomson | 2019-02-20 | 2 | -17/+37
|   Summary: Turns out that there were two errors that made my life using SSL_RecordLayerData hard:
|
|   * SSL_ForceHandshake was returning SECFailure/PR_WOULD_BLOCK_ERROR when the record layer was replaced, even when the handshake was complete. This was being obscured in the tests by the fact that we mark sockets as complete through both the callback and SSL_ForceHandshake. I didn't change that aspect of the tests because different tests rely on that being the case. I don't have a good strategy for dealing with that, but I will continue to think on it.
|
|   * SSL_RecordLayerData was returning SECFailure/PR_WOULD_BLOCK_ERROR when it succeeded, but the AuthCertificate callback blocked. The contract for SSL_RecordLayerData is that it returns SECSuccess always. I had explicitly ignored this error in tests, which was just a mistake.
|
|   Reviewers: ekr
|   Tags: #secure-revision
|   Bug #: 1471126
|   Differential Revision: https://phabricator.services.mozilla.com/D20528
* Bug 1471970, add support for post-handshake authentication, r=mt | Daiki Ueno | 2019-02-20 | 13 | -22/+583
|   Summary: This adds handling of the post_handshake_auth extension in CH and exposes tls13_SendCertificateRequest as an experimental API. For practical use, it might need another function that checks if the post_handshake_auth extension is received.
|   Reviewers: mt
|   Reviewed By: mt
|   Bug #: 1471970
|   Differential Revision: https://phabricator.services.mozilla.com/D14154
* Bug 1471126 - Provide extra information needed to use record layer separation, r=ekr | Martin Thomson | 2018-10-23 | 21 | -423/+621
|   This started as an attempt to remove the cipher spec update callback we use for testing. Using the new, public secrets interface should be better for that.
|
|   In doing so, it became apparent that we needed more interfaces to NSS to support the use of these secrets. In particular:
|
|   1. We need to know what the KDF hash function is for a given cipher suite. This allows users of the secret to use the right hash function.
|
|   2. We need to know what cipher spec was picked when sending 0-RTT. NSS currently doesn't expose that information. (When receiving 0-RTT you can safely assume that the negotiated cipher suite is good to use.)
|
|   3. We need to know what epoch NSS is currently using. Otherwise, we can't be sure which epoch to feed it. Data from a good epoch is saved, whereas data from a bad epoch is lost, so applications need to know.
|
|   So this patch adds these functions to the appropriate info functions and uses that information in tests to remove and re-add protection.
|
|   The test changes are considerable. The main effect of the changes is to rely on the new functions for managing secrets, rather than the old interface. But with the changes in the other CLs for this bug, secrets appear before they are used, which complicates things considerably.
|
|   For that, I've moved more logic into the TlsCipherSpec class, which now tracks per-epoch state, like sequence numbers and record drops.
|
|   Trial decryption (yep) is used to identify the right cipher spec every time when decrypting, so tests are no longer tolerant of failures to decrypt. It's no longer possible to have a test enable decryption and pass when decryption fails; this is particularly true for some parameterized tests that assumed it was OK to enable decryption even for TLS 1.2 and earlier.
* Bug 1471126 - Record layer separation, r=ekr | Martin Thomson | 2019-02-17 | 19 | -224/+733
|   Summary: Add functions for QUIC that provide the raw content of records to callback functions.
|   Reviewers: ekr
|   Reviewed By: ekr
|   Bug #: 1471126
|   Differential Revision: https://phabricator.services.mozilla.com/D1874
* Bug 1471126 - Provide a callback for traffic secrets, r=ekr | Martin Thomson | 2019-02-17 | 13 | -75/+327
|   Summary: Provide updated secrets to a callback function as soon as those secrets are available.
|   Reviewers: ekr
|   Reviewed By: ekr
|   Bug #: 1471126
|   Differential Revision: https://phabricator.services.mozilla.com/D1824
* Bug 1496124 - Populate public values for imported private keys, r=mt | Robert Relyea | 2018-11-08 | 15 | -22/+653
|
* Bug 1528033 - fix yamllint in .taskcluster.yml r=jcj | Dustin J. Mitchell | 2019-02-14 | 1 | -5/+13
|   Reviewers: jcj
|   Reviewed By: jcj
|   Bug #: 1528033
|   Differential Revision: https://phabricator.services.mozilla.com/D19839
* Bug 1525946 - update .taskcluster.yml to modern standards, r=tomprince | Dustin J. Mitchell | 2019-02-14 | 1 | -50/+35
|   Summary: Bug 1525946 - update .taskcluster.yml to modern standards
|   Reviewers: tomprince
|   Reviewed By: tomprince
|   Bug #: 1525946
|   Differential Revision: https://phabricator.services.mozilla.com/D19042
* Bug 1525946 - get hg commit message from hg, r=mt | Dustin J. Mitchell | 2019-02-14 | 4 | -634/+2061
|   Summary: Bug 1525946 - update .taskcluster.yml to modern standards
|   Reviewers: mt
|   Reviewed By: mt
|   Bug #: 1525946
|   Differential Revision: https://phabricator.services.mozilla.com/D19041
* Bug 1520459 - Send decode_error for padded record_size_limit extension, r=jcj | Martin Thomson | 2019-02-13 | 2 | -1/+11
|   Summary: This is all I plan to do for this bug.
|   Reviewers: jcj
|   Tags: #secure-revision
|   Bug #: 1520459
|   Differential Revision: https://phabricator.services.mozilla.com/D19576
* Bug 1526336, tell ABI checks about new function, r=bustage | Kai Engert | 2019-02-08 | 1 | -0/+5
|
* bustage fix | Kai Engert | 2019-02-08 | 1 | -0/+1
|
* Bug 1526336, Implement new HASH_GetHashOidTagByHashType, r=rrelyea | Kai Engert | 2019-02-08 | 3 | -1/+41
|
* Bug 1523175, require NSPR 4.21, r=jcj | Kai Engert | 2019-02-08 | 1 | -1/+1
|   DONTBUILD
* Bug 1517574 - fix leak in NSC_GenerateKeyPair when rejecting public RSA exponents that are too small r=jcj | Dana Keeler | 2019-02-07 | 2 | -0/+15
|   Reviewers: jcj
|   Reviewed By: jcj
|   Bug #: 1517574
|   Differential Revision: https://phabricator.services.mozilla.com/D19019
|   Try: https://treeherder.mozilla.org/#/jobs?repo=nss-try&revision=9b518a646aacc092b81e94421c09aa9b87f2cab1
* Bug 327111 - Remove unnecessary/incomplete copyright notices in Tools output r=jcj | ui.manish | 2019-02-07 | 1 | -1/+0
|   Differential Revision: https://phabricator.services.mozilla.com//D18655
* Dummy change to trigger a build to test latest NSPR commits | Kai Engert | 2019-02-07 | 1 | -0/+1
|
* Bug 1523484 - do not treat CN as DNS name for non-server certs, r=ueno | Fraser Tweedale | 2019-02-06 | 4 | -1/+42
|   libpkix, when validating a leaf certificate against the CAs' name constraints, treats the Subject DN CN attribute as a DNS name. This may be reasonable behaviour for server certificates, but does not make sense for other kinds of certificates (e.g. user certificates, OCSP signing certificates, etc.)
|
|   Update the libpkix name constraints checker to only treat the CN as a DNS name for server certificates (i.e. when id-kp-serverAuth is asserted in the Extended Key Usage extension).
|
|   For compatibility, the behaviour is unchanged (i.e. CN is still treated as a DNS name) when the certificate does not have an Extended Key Usage extension.
* Bug 1524902 - Remove extra includes, a=bustage | Martin Thomson | 2019-02-05 | 1 | -4/+0
|
* Bug 1524902 - Reduce dependencies for util_gtests, r=jcj | Martin Thomson | 2019-02-04 | 4 | -29/+367
|   Summary: util_gtests shouldn't need to link so much of NSS.
|   Reviewers: jcj
|   Tags: #secure-revision
|   Bug #: 1524902
|   Differential Revision: https://phabricator.services.mozilla.com/D18519
* Backed out changeset fff120e8c1e1 | Martin Thomson | 2019-02-04 | 1 | -8/+0
|
* Bug 1519231 - Disable nsssysinit for Firefox builds, r=ted | Martin Thomson | 2019-01-11 | 1 | -1/+9
|
* Bug 1519228 - Remove dead code from nsssysinit.c, r=ueno | Martin Thomson | 2019-01-11 | 1 | -51/+3
|