Differential Revision: https://phabricator.services.mozilla.com/D72011
Differential Revision: https://phabricator.services.mozilla.com/D73322
Differential Revision: https://phabricator.services.mozilla.com/D71648
syntactically invalid as DNS name r=mt
This patch makes libpkix treat name constraints the same as the NSS cert verifier.
This proposal has been available for review for 9 months without objection.
Time to make this official.
Differential Revision: https://phabricator.services.mozilla.com/D72457
Differential Revision: https://phabricator.services.mozilla.com/D72715
Fix possible free before alloc error found by kjacobs
We found another KDF function in libreswan that is not using the NSS KDF API.
Unfortunately, it seems the existing IKE KDFs in NSS are not usable for the
Quick Mode use.
The libreswan code is in compute_proto_keymat() and the specification is in https://tools.ietf.org/html/rfc2409#section-5.5
It needs:
KEYMAT = prf(SKEYID_d, [g(qm)^xy ] | protocol | SPI | Ni_b | Nr_b).
which can be thought of as:
KEYMAT = prf(KEY, [KEY] | BYTES)
but with the kicker that it also does multiple rounds, aka key expansion:
KEYMAT = K1 | K2 | K3 | ...
where
K1 = prf(KEY, [KEY] | BYTES)
K2 = prf(KEY, K1 | [KEY] | BYTES)
K3 = prf(KEY, K1 | [KEY] | BYTES)
etc.
to generate the needed keying material > PRF size.
This patch implements this by extending the Appendix B Mechanism to take
an optional key and data in a new Mechanism parameter structure. Which
flavor is used (old CK_MECHANISM_TYPE or the new parameter) is determined by
the mechanism parameter lengths. Applications which try to use this new feature
on old versions of NSS will get an error (rather than invalid data).
Differential Revision: https://phabricator.services.mozilla.com/D71813
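As an added illustration (not part of the commit and not NSS or libreswan code), the RFC 2409 section 5.5 expansion in Python with an HMAC as the prf; as the RFC defines it, each block after the first is computed over the previous block. The SHA-256 choice, the function names and the sample values are this example's own.

```python
import hmac


def ike_prf(skeyid_d: bytes, data: bytes, hash_name: str = "sha256") -> bytes:
    """The IKEv1 prf: an HMAC keyed with SKEYID_d (the hash choice is this example's)."""
    return hmac.new(skeyid_d, data, hash_name).digest()


def ike_quick_mode_keymat(skeyid_d: bytes, protocol: int, spi: bytes,
                          ni_b: bytes, nr_b: bytes, needed_len: int,
                          g_xy: bytes = b"", hash_name: str = "sha256") -> bytes:
    """RFC 2409 section 5.5 KEYMAT derivation.

    KEYMAT = K1 | K2 | K3 | ...
      K1 = prf(SKEYID_d, [g(qm)^xy] | protocol | SPI | Ni_b | Nr_b)
      Kn = prf(SKEYID_d, K(n-1) | [g(qm)^xy] | protocol | SPI | Ni_b | Nr_b)
    g(qm)^xy is only present when PFS is in use; an empty g_xy means "absent".
    In the commit's generic form: KEY = SKEYID_d, [KEY] = g(qm)^xy and
    BYTES = protocol | SPI | Ni_b | Nr_b.
    """
    if needed_len <= 0:
        raise ValueError("needed_len must be positive")
    if not 0 <= protocol <= 0xFF:
        raise ValueError("protocol is a single octet")
    tail = g_xy + bytes([protocol]) + spi + ni_b + nr_b
    keymat = b""
    prev = b""  # nothing to chain on in the first round
    while len(keymat) < needed_len:
        prev = ike_prf(skeyid_d, prev + tail, hash_name)
        keymat += prev
    return keymat[:needed_len]  # the final block is truncated to the requested size


# Constructed sample values (not real IKE traffic): protocol 3, a 4-byte SPI, 16-byte nonces.
SAMPLE_SKEYID_D = bytes(range(32))
SAMPLE_PROTOCOL = 3
SAMPLE_SPI = b"\x00\x00\x12\x34"
SAMPLE_NI_B = b"\x11" * 16
SAMPLE_NR_B = b"\x22" * 16


def sample_keymat(needed_len: int = 48, pfs: bool = False) -> bytes:
    """Derive KEYMAT for the constructed sample; 48 bytes needs two SHA-256 rounds."""
    g_xy = b"\x33" * 32 if pfs else b""
    return ike_quick_mode_keymat(SAMPLE_SKEYID_D, SAMPLE_PROTOCOL, SAMPLE_SPI,
                                 SAMPLE_NI_B, SAMPLE_NR_B, needed_len, g_xy)


if __name__ == "__main__":
    print("KEYMAT (48 bytes, no PFS):", sample_keymat().hex())
    print("KEYMAT (48 bytes, PFS):   ", sample_keymat(pfs=True).hex())
```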
that lack NSS database columns r=keeler,rrelyea
`sdb_GetAttributeValueNoLock` builds a query string from a list of attributes in the input template. Unfortunately, `sqlite3_prepare_v2` will fail the entire query if one of the attributes is missing from the underlying table. The PKCS #11 spec requires (https://www.cryptsoft.com/pkcs11doc/v220/pkcs11__all_8h.html#aC_GetAttributeValue) setting the output `ulValueLen` field to -1 for such invalid attributes.
This patch reads and stores the columns of nssPublic/nssPrivate when opened, then filters an input template in `sdb_GetAttributeValueNoLock` for unbacked/invalid attributes, removing them from the query and setting their template output lengths to -1.
Differential Revision: https://phabricator.services.mozilla.com/D71622
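Added illustration (not NSS's own code) of the failure and of the filtering the commit describes, using Python's sqlite3 against a constructed table: the unfiltered query fails as a whole when one attribute has no column, the filtered one answers the backed attributes and reports the rest with length -1. The `a<hex>` column naming, the function names and the sample row are this example's assumptions.

```python
import sqlite3

# PKCS #11 value for ulValueLen when the object does not have the attribute.
CK_UNAVAILABLE_INFORMATION = -1

# A few CKA_* types for readability (values as in pkcs11t.h).
CKA_CLASS = 0x000
CKA_LABEL = 0x003
CKA_ID = 0x102


def open_demo_db() -> sqlite3.Connection:
    """Constructed stand-in for nssPublic with only three attribute columns."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE nssPublic (id INTEGER PRIMARY KEY, a0 BLOB, a3 BLOB, a102 BLOB)")
    db.execute("INSERT INTO nssPublic VALUES (1, x'03', x'6d796b6579', x'0102')")
    db.commit()
    return db


def column_name(attr_type: int) -> str:
    """Attribute type -> column name; the hex naming is this example's convention."""
    return "a%x" % attr_type


def table_columns(db: sqlite3.Connection, table: str) -> set:
    """Read the column set once when the database is opened, as the patch does."""
    return {row[1] for row in db.execute("PRAGMA table_info(%s)" % table)}


def get_attributes_unfiltered(db, obj_id: int, template: list):
    """Pre-patch shape: every requested attribute goes into one SELECT.
    One unknown column makes sqlite reject the whole statement, so the caller
    gets nothing at all (None here; an error return in softoken)."""
    cols = ", ".join(column_name(t) for t in template)
    try:
        row = db.execute("SELECT %s FROM nssPublic WHERE id = ?" % cols, (obj_id,)).fetchone()
    except sqlite3.OperationalError:
        return None
    return {t: (val, len(val)) for t, val in zip(template, row)}


def get_attributes_filtered(db, obj_id: int, template: list, columns: set):
    """Patched shape: drop attributes with no backing column before building the
    query and report them with ulValueLen = -1, as C_GetAttributeValue requires."""
    result = {t: (None, CK_UNAVAILABLE_INFORMATION) for t in template
              if column_name(t) not in columns}
    backed = [t for t in template if column_name(t) in columns]
    if backed:
        cols = ", ".join(column_name(t) for t in backed)
        row = db.execute("SELECT %s FROM nssPublic WHERE id = ?" % cols, (obj_id,)).fetchone()
        for t, val in zip(backed, row):
            result[t] = (val, len(val))
    return result


if __name__ == "__main__":
    db = open_demo_db()
    cols = table_columns(db, "nssPublic")
    print("unfiltered:", get_attributes_unfiltered(db, 1, [CKA_CLASS, 0x9999]))
    print("filtered:  ", get_attributes_filtered(db, 1, [CKA_CLASS, 0x9999, CKA_ID], cols))
```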
evicted or externally-cached sids. r=mt
This patch relaxes an overzealous assertion for the case where:
1) Two sockets start connections with a shared SID.
2) One receives an empty session ticket in the SH, and evicts the SID from cache.
3) The second socket receives a new session ticket, and attempts to set it in the SID.
We currently assert that the sid is `in_client_cache` at 3), but clearly it cannot be. The outstanding reference remains valid despite the eviction.
This also solves a related assertion failure after https://hg.mozilla.org/mozilla-central/rev/c5a8b641d905 where the same scenario occurs, but instead of being `in_client_cache` or evicted, the SID is `in_external_cache`.
Differential Revision: https://phabricator.services.mozilla.com/D72214
For FIPS we need the following:
1. NIST official Key padding for AES Key Wrap.
2. Combined Hash/Sign mechanisms for DSA and ECDSA.
In the first case our AES_KEY_WRAP_PAD function adds pkcs8 padding to the
normal AES_KEY_WRAP, which is a different algorithm than the padded key wrap
specified by NIST. PKCS #11 recognized this and created a special mechanism to
handle NIST padding. That is why we don't have industry test vectors for
CKM_NSS_AES_KEY_WRAP_PAD. This patch implements that NIST version (while
maintaining our own). Also PKCS #11 v3.0 specifies PKCS #11 mechanisms for
AES_KEY_WRAP which are compatible (semantically) with the NSS vendor specific
versions, but with non-vendor specific numbers. Softoken now accepts both
numbers.
This patch also updates softoken to handle DSA and ECDSA combined hash
algorithms other than just SHA1 (which is no longer validated).
Finally this patch uses the NIST KWP test vectors in new gtests for the
AES_KEY_WRAP_KWP wrapping algorithm.
As part of the AES_KEY_WRAP_KWP code, the constant time macros have been
generalized and moved to secport. Old macros scattered throughout the code
have been deleted and existing constant time code has been updated to use
the new macros.
Differential Revision: https://phabricator.services.mozilla.com/D71225
Differential Revision: https://phabricator.services.mozilla.com/D70519
As implemented, when sdb_measureAccess() runs it creates up to 10,000 negative
dcache entries (cached nonexistent filenames).
There is no advantage to leaving these particular filenames in the cache; they
will never be searched again. Subsequent runs will run a new test with an
intentionally different set of filenames. This can have detrimental effects on
some systems; a massive negative dcache can lead to memory or performance
problems.
Since not all platforms have a problem with negative dcache entries, this patch
is limited to those platforms that request it at compile time (Linux is
currently the only platform that does.)
Differential Revision: https://phabricator.services.mozilla.com/D59652
Differential Revision: https://phabricator.services.mozilla.com/D71125
libckfw needs to create temporary objects whose space will be freed after
use (rather than at token shutdown). Currently only token objects are supported
and they are allocated out of a global arena owned by the slot, so the objects
only go away when the slot is closed.
This patch sets the arena to NULL in nssCKFWObject_Create() if the object is
a session object. This tells nssCKFWObject_Create() to create a new arena
specifically for this object. That arena is stored in localArena. When the
object is destroyed, any localArena will be freed.
Differential Revision: https://phabricator.services.mozilla.com/D70916
initialized. r=mt
NSS has several config functions that multiprocess servers must call before NSS is initialized to set up shared memory caches between the processes. These functions call ssl_init(), which initializes the ssl policy. The ssl policy initialization, however, needs to happen after NSS itself is initialized. Doing so beforehand causes (in the best case) policy to be ignored by these servers, and crashes (in the worst case).
Instead, these cache functions should just initialize the things they need (that is, the NSPR ssl error codes).
This patch does:
1) fixes the cache init code to only initialize error codes.
2) fixes the selfserv MP code to 1) be compatible with ssl.sh's selfserv management (at least on Unix), and 2) mimic the way real servers handle the MP_Cache init code (calling NSS_Init after the cache set up).
3) updates the ssl.sh server policy test to test policy usage on an MP server. This
is only done for non-Windows-like OSs because they can't catch the kill signal
to force their children to shut down.
I've verified that the test fails if 2 and 3 are included but 1 is not
(and succeeds if all three are included).
Differential Revision: https://phabricator.services.mozilla.com/D70948
Differential Revision: https://phabricator.services.mozilla.com/D70582
distrust certificates issued after a certain date for a specified root cert r=jcj
I've been trying to run down an issue I've been having, and I think this bug is the source. Whenever I build ('gmake' build), I get the following untracked files:
? lib/ckfw/builtins/testlib/anchor.o
? lib/ckfw/builtins/testlib/bfind.o
? lib/ckfw/builtins/testlib/binst.o
? lib/ckfw/builtins/testlib/bobject.o
? lib/ckfw/builtins/testlib/bsession.o
? lib/ckfw/builtins/testlib/bslot.o
? lib/ckfw/builtins/testlib/btoken.o
? lib/ckfw/builtins/testlib/ckbiver.o
? lib/ckfw/builtins/testlib/constants.o
This is because of the way lib/ckfw/builtins/testlib works: it uses the sources from the directory below, and explicitly references them with ../{source_name}.c. The object file then becomes lib/ckfw/builtins/testlib/{OBJDIR}/../{source_name}.o.
The simple fix would be to paper over the issue and just add these to .hgignore, but that would break our ability to build multiple platforms on a single source directory. I'll include a patch that fixes this issue.
bob
Differential Revision: https://phabricator.services.mozilla.com/D70077
and ChaCha Poly r=mt
Update ssl to use the new PK11_AEADOp() interface.
1. We restore the use of PK11Context_Create() for AEAD operations.
2. AES GCM and CHACHA/Poly specific functions are no longer needed as
PK11_AEADOp() handles all the mechanism specific processing.
3. TLS semantic differences between the two algorithms are handled by their
parameters:
1. Nonce length is the length of the nonce counter. If it's zero, then
XOR_Counter is used (and the nonce length is the
sizeof(sslSequenceNumber)).
2. IV length is the full IV length - nonce length.
3. TLS 1.3 always uses XOR_Counter.
4. The IV is returned from the token in the encrypt case. Only in the explicit
nonce case is it examined. (The code depends on the fact that the count in
the token will match sslSequenceNumber). I did have assert code to verify
this was happening for testing, but it's removed from this patch; it can be
added back.
5. All the decrypt instances of XOR_Counter IV creation have been collapsed
into tls13_WriteNonce().
6. Even though PK11_AEADOp returns and accepts the tag separately (for encrypt
and decrypt respectively), the SSL code still returns the values as
buffer||tag.
7. tls13_AEAD() has been enhanced so all uses of AEAD outside of the TLS
stream can use it instead of their own wrapped version. It can handle streams
(CreateContext() tls13_AEAD() tls13_AEAD() DestroyContext()) or single shot
tls13_AEAD(context=NULL). In the latter case, the keys for the single shot
operation should not be reused.
8. libssl_internals.c in the gtests directory has been updated to handle
advancing the internal iv counter when we artificially advance the seqNum.
Since we don't have access to any token iv counter (including softoken),
the code switches to simulated message mode, and updates the simulated state
as appropriate. (Obviously this is test-only code as it reaches into
normally private data structures).
Differential Revision: https://phabricator.services.mozilla.com/D68480
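Added example (not libssl's code) of the nonce parameterisation in point 3 and the consistency check in point 4, in Python: a nonce length of 0 selects the TLS 1.3 XOR_Counter construction of RFC 8446 section 5.3, a nonzero nonce length means a fixed IV prefix of (full IV length - nonce length) bytes followed by the sequence-number counter, as in TLS 1.2 AES-GCM (RFC 5288). Function names and sample values are this example's own.

```python
SEQ_NUM_LEN = 8  # sizeof(sslSequenceNumber): a 64-bit record sequence number


def xor_counter_nonce(iv: bytes, seq: int) -> bytes:
    """TLS 1.3 per-record nonce (RFC 8446 5.3): the sequence number, big-endian,
    left-padded with zeros to the IV length, XORed into the static IV. This is
    what the commit's tls13_WriteNonce() produces for XOR_Counter."""
    if len(iv) < SEQ_NUM_LEN:
        raise ValueError("IV must be at least as long as the sequence number")
    padded = seq.to_bytes(len(iv), "big")  # OverflowError if seq does not fit
    return bytes(a ^ b for a, b in zip(iv, padded))


def explicit_counter_nonce(fixed_iv: bytes, nonce_len: int, seq: int) -> bytes:
    """TLS 1.2 style nonce: implicit salt from the key block || explicit counter
    carried on the wire (RFC 5288 uses a 4-byte salt and an 8-byte explicit nonce)."""
    return fixed_iv + seq.to_bytes(nonce_len, "big")


def build_nonce(full_iv: bytes, nonce_len: int, seq: int) -> bytes:
    """The commit's parameterisation: nonce_len is the counter length; zero selects
    XOR_Counter (counter length = sizeof(sslSequenceNumber)); otherwise the fixed
    IV is full IV length - nonce length bytes long and the counter is appended."""
    if nonce_len == 0:
        return xor_counter_nonce(full_iv, seq)
    if nonce_len > len(full_iv):
        raise ValueError("nonce length exceeds IV length")
    fixed_iv_len = len(full_iv) - nonce_len
    return explicit_counter_nonce(full_iv[:fixed_iv_len], nonce_len, seq)


def token_iv_matches_seq(token_iv: bytes, full_iv: bytes, nonce_len: int, seq: int) -> bool:
    """Point 4 of the commit: in the explicit-nonce case the IV the token returns
    must equal the one libssl expects for sslSequenceNumber; compare it in full."""
    if nonce_len == 0:
        return True  # not examined in the XOR_Counter case
    return token_iv == build_nonce(full_iv, nonce_len, seq)


# Constructed sample: a 12-byte static IV as used by AES-GCM and ChaCha20-Poly1305.
SAMPLE_IV = bytes.fromhex("0102030405060708090a0b0c")


if __name__ == "__main__":
    for seq in (0, 1, 0x100):
        print("TLS 1.3 nonce, seq %d:" % seq, build_nonce(SAMPLE_IV, 0, seq).hex())
    print("TLS 1.2 GCM nonce, seq 5:", build_nonce(SAMPLE_IV, 8, 5).hex())
```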
Part 2 of 2
Use the official PKCS #11 HKDF mechanism to implement TLS 1.3.
1) The new mechanism is a single derive mechanism, so we no longer need to
pick it based on the underlying hmac (Note, we still need to know the
underlying hmac, which is passed in as a mechanism parameter).
2) Use the new keygen to generate CKK_HKDF keys rather than doing it by hand
with the random number generator (never was really the best way of doing this).
3) Modify tls13hkdf.c to use the new mechanisms:
1) Extract: use the new key handle in the mechanism parameters to pass the
salt when the salt is a key handle.
Extract: use the explicit NULL salt parameter for the hash-length salt of
zeros.
2) Expand: Expand is mostly a helper function which takes a mechanism. For
regular expand, the mechanism is the normal _Derive; for the Raw version
it's the _Data function. That creates a data object, which is extractable
in FIPS mode.
4) Update slot handling in tls13hkdf.c:
1) We need to make sure that the key and the salt key are in the same
slot. Provide a PK11wrap function to make that guarantee (and use that
function in PK11_WrapKey, which already has to do the same function).
2) When importing a 'data' key for the zero key case, make sure we import
into the salt key's slot. If there is no salt key, use PK11_GetBestSlot()
rather than PK11_GetInternalSlot().
Differential Revision: https://phabricator.services.mozilla.com/D69899
and OAEP decryption. r=bbeurdouche
This patch updates the Wycheproof script to build RSA test vectors (covering PKCS1 decryption/verification, as well as PSS and OAEP) and adds the appropriate test drivers.
Differential Revision: https://phabricator.services.mozilla.com/D69847
Patch 1 of 2.
This patch updates softoken and helper functions with the new PKCS #11 v3 HKDF,
which handles all the correct key management so that we can work in FIPS mode.
1) Salts can be passed in as data, as an explicit NULL (which per spec means
a zero filled buffer of length of the underlying HMAC), or through a key handle.
2) A Data object can be used as a key (explicitly allowed for this mechanism by
the spec).
3) A special mechanism produces a data object rather than a key, the latter
which can be exported. Softoken does not do the optional validation on the pInfo
to verify that the requested values are supposed to be data rather than keys.
Some other tokens may.
The old hkdf mechanism has been retained for compatibility (well, namely until
patch 2 is created, tls is still using it). The hkdf function has been broken
off into its own function rather than inline in the derive function.
Note: because the base key and/or the export key could really be a data object,
our explicit handling of sensitive and extractable is adjusted to take into
account that those flags do not exist in data objects.
Differential Revision: https://phabricator.services.mozilla.com/D68940
We already install these packages on the image_builder image itself. It seems they're now required on the fuzz32 image as well.
Differential Revision: https://phabricator.services.mozilla.com/D69274
Only some Arm32 supports neon, so let's introduce NSS_DISABLE_ARM32_NEON
to allow disabling Neon acceleration when building for Arm32.
Signed-off-by: Giulio Benetti <giulio.benetti@benettiengineering.com>
r=me
supported by older compilers r=kjacobs
Differential Revision: https://phabricator.services.mozilla.com/D68407
and ChaCha Poly
PKCS #11 defines a new interface for handling AEAD type ciphers that allow
multiple AEAD operations without repeating the key schedule. It also allows
tokens to keep track of the number of operations, and generate IVs (depending
on the cipher).
This patch:
1. implement those new functions in softoken.
With the addition of CKF_MESSAGE_* flags to various mechanisms, we need
to strip them when using the version 2 API of softoken (since there are
no C_Message* functions in version 2). For that we need a separate
C_GetMechanismInfo function. We use the same trick we used to have
a separate version function for the V2 interface.
Also now that the new message functions are in their own file, they
still need access to the common Session state processing functions.
Those have gone from static to exported within softoken to accommodate
that. Same with sftk_MapDecryptError() (sftk_MapVerifyError() was also
made global, though nothing else is yet using it).
Only C_MessageEncryptInit(), C_EncryptMessage(), C_MessageEncryptFinal,
C_MessageDecryptInit(), C_DecryptMessage(), and C_MessageDecryptFinal
are implemented. C_EncryptMessageBegin(), C_EncryptMessageNext(),
C_DecryptMessageBegin(), and C_DecryptMessageNext() are all
part of the multi-part within a multi-part operation and
are only necessary for things like S/MIME (potentially). If we wanted
to implement them, we would need more functions exported from freebl
(and initaead, updateaead, finalaead for each mechanism type).
2. make those interfaces call aes_gcm and chacha20_poly1305
(and make adjustments for those ciphers).
For AES, I added a new function AES_AEAD, which handles both encrypt
and decrypt. Internally, the gcm functions (both the generic gcm and
the intel gcm wrapper) had their init functions split into key scheduling
and counter mode/tag initialization. The latter is still called from
init, but the former is now for each update call. IV generation is
handled by a single function in gcm.c, and shared with intel_gcm_wrapper.c.
Since the AES functions already know about the underlying PKCS #11
mechanism parameters, the new AEAD functions also parse the PKCS #11 GCM
parameters.
For Chacha/Poly new aead update functions were created called
ChaChaPoly1305_Encrypt and ChaChaPoly1305_Decrypt. There was no
Message specific initialization in the existing chacha_init, so no
changes were needed there. The primary difference between
_Encrypt/_Decrypt and _Seal/_Open is the fact that the tag is put at
the end of the encrypted data buffer in the latter, and in a generic
buffer in the former.
3. create new pk11wrap interfaces that also squash the api differences
between the various mechanisms for aead (similar to the way we do it for
CBC and ECB crypto today).
To accomplish this I added PK11_AEADOp() and PK11_AEADRawOp(). Both
functions handle the case where the token only supports the single shot
interface, by using the single shot interface to simulate the
Message interface. The PK11_AEADOp() also smooths out the
differences in the parameters and semantics of the various mechanisms
so the application does not need to worry about the PKCS #11 differences
in the mechanism. Both use contexts from the standard
PK11_CreateContext(), so key schedules are done once for each key rather
than once for each message. MESSAGE/AEAD operations are selected by adding
the pseudo attribute flag CKA_NSS_MESSAGE to the requested operation
(CKA_ENCRYPT, CKA_DECRYPT, CKA_SIGN, CKA_VERIFY).
4. write tests for the new interfaces
Tests were added to make sure the PK11_AEADRawOp interface works.
The single shot interface is used to test output of the message interface;
we also use two test only functions to force the connection to use
the simulation interface, which is also compared to the non-simulate
interface. The AES_GCM also tests various IV generators.
Differential Revision: https://phabricator.services.mozilla.com/D67552
defined r=rrelyea
Differential Revision: https://phabricator.services.mozilla.com/D67911
Differential Revision: https://phabricator.services.mozilla.com/D67741
Update to PKCS #11 v3.0 part 2.
Create the functions and switch to the C_Interface() function to fetch the PKCS #11 function table. Also PKCS #11 v3.0 uses a new fork safe interface. NSS can already handle the case if the PKCS #11 module happens to be fork safe (when asked by the application to refresh the tokens in the child process, NSS can detect that such a refresh is not necessary and continue). Softoken could also be put in fork_safe mode with an environment variable. With this patch it's the default, and NSS asks for the fork safe API by default. Technically softoken should implement the old non-fork safe interface when PKCS #11 v2.0 is called, but NSS no longer needs it, and doing so would double the number of PKCS #11 interfaces that are needed. You can still compile with fork unsafe semantics, and the PKCS #11 V3.0 module will do the right thing and not include the fork safe flag. Firefox does not fork(), so for firefox this is simply code that is no longer compiled.
We now use C_GetInterface, which allows us to specify what kind of interface we want (PKCS #11 v3.0, PKCS #11 v2.0, fork safe, etc.). Vendor specific functions can now be accessed through the C_GetInterface. If the C_GetInterface function does not exist, we fall back to the old C_GetFunctionList.
There are 24 new functions in PKCS #11 v3.0:
C_GetInterfaceList - return a table of all the supported interfaces
C_GetInterface - return a specific interface. You can specify interface name, version and flags separately. You can leave off any of these and you will get what the token thinks is the best match of the interfaces that meet the criteria. We do this in softoken by the order of the interface list.
C_SessionCancel - Cancel one or more multipart operations
C_LoginUser - Supply a user name to C_Login(). This function has no meaning for softoken, so it just returns CKR_OPERATION_NOT_INITIALIZED under the theory that if we in the future want to support usernames, the NSS db would need special initialization to make that happen.
C_Message* and C_*Message* (20 functions in all) are the new AEAD interface (they are written generally so that it can be used for things other than AEAD). In this patch they are unimplemented (see the next patch).
This patch adds regular (NSC_) and FIPS (FC_) versions of these functions.
Also when creating the PKCS #11 v2.0 interface, we had to create a 2.0 specific version of C_GetInfo so that it can return a 2.40 in the CK_VERSION field rather than 3.00. We do this with #defines since all the function tables are generated automagically with pkcs11f.h.
Differential Revision: https://phabricator.services.mozilla.com/D67240
r=bbeurdouche
While trying to benchmark the recent HACL* AVX2 code, I noticed that it was not being called on two machines (that both support AVX2), instead using only the AVX version.
In order to query for Extended Features (cpuid with EAX=7), we also need to set ECX to 0: https://www.intel.com/content/www/us/en/architecture-and-technology/64-ia-32-architectures-software-developer-vol-2a-manual.html. The current code fails to do this, resulting in flags that show no support.
Initially, I wrote a separate `freebl_cpuid_ex` function that accepted a value for ECX as a separate input argument. However, some definitions of `freebl_cpuid` already zero ECX, so making this consistent is the simplest way to get the desired behavior.
With this patch, the two test machines (MacOS and Linux x64) correctly use the AVX2 ChaCha20Poly1305 code.
Differential Revision: https://phabricator.services.mozilla.com/D67235
https://phabricator.services.mozilla.com/D63241
This patch implements the first phase: updating the headers.
lib/util/pkcs11.h
lib/util/pkcs11f.h
lib/util/pkcs11t.h
were updated using the released OASIS PKCS #11 v3.0 header files.
lib/util/pkcs11n.h was updated to finally deprecate all uses of CK?_NETSCAPE_?.
A new define was added: NSS_PKCS11_2_0_COMPAT. If it's defined, the small
semantic changes (including the removal of deprecated defines) between the
NSS PKCS #11 v2 header file and the new PKCS #11 v3 are reverted in favor of
the PKCS #11 v2 definitions. This includes the removal of CK?_NETSCAPE_? in
favor of CK?_NSS_?.
One notable change was caused by an inconsistency between the spec and the
released headers in PKCS #11 v2.40. CK_GCM_PARAMS had an extra field in
the header that was not in the spec. OASIS considers the header file to be
normative, so PKCS #11 v3.0 resolved the issue in favor of the header file
definition. NSS had the spec definition, so now there are 2 defines for this
structure:
CK_NSS_GCM_PARAMS - the old nss define. Still used internally in freebl.
CK_GCM_PARAMS_V3 - the new define.
CK_GCM_PARAMS - no longer referenced in NSS itself. It's defined as
CK_GCM_PARAMS_V3 if NSS_PKCS11_2_0_COMPAT is *not* defined, and it's defined as
CK_NSS_GCM_PARAMS if NSS_PKCS11_2_0_COMPAT is defined.
Softoken has been updated to accept either CK_NSS_GCM_PARAMS or
CK_GCM_PARAMS_V3. In a future patch NSS will be updated to use
CK_GCM_PARAMS_V3 and fall back to CK_NSS_GCM_PARAMS.
One other semantic difference between the 3.0 version of pkcs11f.h and the
version here: In the oasis version of the header, you must define
CK_PKCS11_2_0_ONLY to get just the PKCS #11 v2 defines. In our version you
must define CK_PKCS11_3 to get the PKCS #11 v3 defines.
Most of this patch is to handle changing the deprecated defines that have been
removed in PKCS #11 v3 from NSS.
Differential Revision: https://phabricator.services.mozilla.com/D63241
Remove support for RSAE in delegated credentials (both in DC signatures and SPKIs), add SignatureScheme list functionality to initial DC extension.
Differential Revision: https://phabricator.services.mozilla.com/D65252
https://phabricator.services.mozilla.com/D59412
When testing Bug 1608245, I realized that I had inadvertently broken
fipstest.c's handling of KI and KI_len. This led to it passing bogus
keys (with unusually large lengths exceeding the bounds of sizeof KI)
to kbkdf_Dispatch(...).
This uses Bob Relyea's suggestion on how to handle this: detect the
size of KI when processing the mech selection, storing KI_len there.
This simplifies reading of the KI value in later code.
Patch by cipherboy, review by kjacobs.
https://phabricator.services.mozilla.com/D59409
Per Bug 1607955, the KBKDF code introduced in Bug 1599603 confused
Coverity with an elided NULL check on sftk_SlotFromSessionHandle(...).
While Coverity is incorrect (and the behavior is fine as-is), it isn't
consistent with the KBKDF code's handling of sftk_SessionFromHandle(...)
(which is NULL checked).
This brings these two call sites into internal consistency.
Differential Revision: https://phabricator.services.mozilla.com/D66130
Differential Revision: https://phabricator.services.mozilla.com/D66122
Differential Revision: https://phabricator.services.mozilla.com/D64863
DTLS supported_versions. r=mt
Add an experimental function for enabling a DTLS 1.3 supported_versions compatibility workaround.
Differential Revision: https://phabricator.services.mozilla.com/D65735
Differential Revision: https://phabricator.services.mozilla.com/D65945