summaryrefslogtreecommitdiff
Commit message (Collapse)AuthorAgeFilesLines
* Added tag NSS_3_64_RTM for changeset ef126608d281NSS_3_64_BRANCHBenjamin Beurdouche2021-04-150-0/+0
|
* Set version numbers to 3.64 finalNSS_3_64_RTMBenjamin Beurdouche2021-04-153-6/+6
|
* Added tag NSS_3_64_BETA1 for changeset 81628e9164ffBenjamin Beurdouche2021-04-150-0/+0
|
* Bug 1705286 - Properly detect mips64. r=bbeurdoucheNSS_3_64_BETA1Mike Hommey2021-04-151-0/+2
| | | | Differential Revision: https://phabricator.services.mozilla.com/D112143
* Bug 1687164 - Introduce NSS_DISABLE_CRYPTO_VSX and disable_crypto_vsx ↵glaubitz2021-04-065-45/+112
| | | | | | | | | | | | r=bbeurdouche Currently, NSS assumes that every PowerPC target supports the crypto and VSX extensions of the PowerPC ABI. However, VSX was only introduced with ISA version 2.06 and the crypto extensions with ISA version 2.07 and enabling them on older PowerPC targets will result in a SIGILL. Thus, make their use configurable and enable them by default on ppc64le only. Differential Revision: https://phabricator.services.mozilla.com/D105354
* Set version numbers to 3.64 BetaBenjamin Beurdouche2021-03-184-7/+7
|
* Bug 1694373, NSS 3.63 should depend on NSPR 4.30. r=bbeurdoucheKai Engert2021-03-161-1/+1
| | | | Differential Revision: https://phabricator.services.mozilla.com/D108638
* Bug 1698320 - replace __builtin_cpu_supports("vsx") with ↵aoeu2021-03-164-14/+146
| | | | | | ppc_crypto_support() for clang. r=bbeurdouche Differential Revision: https://phabricator.services.mozilla.com/D108354
* Bug 1613235 - Clang-format for: POWER ChaCha20 stream cipher vector ↵NSS_3_63_BETA1Benjamin Beurdouche2021-03-105-24/+22
| | | | | | | | acceleration r=beurdouche Depends on D107221 Differential Revision: https://phabricator.services.mozilla.com/D107788
* Bug 1613235 - Add POWER ChaCha20 stream cipher vector acceleration. ↵aoeu2021-03-108-21/+208
| | | | | | | | r=bbeurdouche Depends on D107220 Differential Revision: https://phabricator.services.mozilla.com/D107221
* Bug 1613235 - Add POWER ChaCha20 stream cipher vector acceleration. ↵aoeu2021-03-106-0/+1199
| | | | | | r=bbeurdouche Differential Revision: https://phabricator.services.mozilla.com/D107220
* Bug 1697380 - Make a clang-format run on top of helpful contributions. ↵Benjamin Beurdouche2021-03-102-24/+24
| | | | | | | | r=beurdouche Depends on D106881 Differential Revision: https://phabricator.services.mozilla.com/D107787
* Bug 1683520 - ECCKiila P384, change syntax of nested structs initialization ↵Benjamin Beurdouche2021-03-101-8/+8
| | | | | | | | to prevent build isses with GCC 4.8. r=bbrumley Depends on D102389 Differential Revision: https://phabricator.services.mozilla.com/D106881
* Bug 1683520 - [lib/freebl/ecl] P-384: allow zero scalars in dual scalar ↵Billy Brumley2021-03-101-482/+576
| | | | | | multiplication r=bbeurdouche Differential Revision: https://phabricator.services.mozilla.com/D102389
* Bug 1683520 - ECCKiila P521, change syntax of nested structs initialization ↵Benjamin Beurdouche2021-03-101-8/+8
| | | | | | | | to prevent build isses with GCC 4.8. r=bbrumley Depends on D102406 Differential Revision: https://phabricator.services.mozilla.com/D106882
* Bug 1683520 - [lib/freebl/ecl] P-521: allow zero scalars in dual scalar ↵Billy Brumley2021-03-101-750/+954
| | | | | | multiplication r=bbeurdouche Differential Revision: https://phabricator.services.mozilla.com/D102406
* Bug 1696800 - HACL* update March 2021 - ↵Benjamin Beurdouche2021-03-0832-814/+1172
| | | | | | c95ab70fcb2bc21025d8845281bc4bc8987ca683 r=beurdouche Differential Revision: https://phabricator.services.mozilla.com/D107387
* Bug 1694214 - tstclnt can't enable middlebox compat mode r=beurdoucheHubert Kario2021-02-271-1/+17
| | | | Differential Revision: https://phabricator.services.mozilla.com/D106617
* Fix clang failure.Robert Relyea2021-02-251-1/+1
|
* Bug 1694392 NSS does not work with PKCS #11 modules not supporting profilesRobert Relyea2021-02-241-4/+3
| | | | | | | | | | | | | | | | | | | | | | r=ueno,bbeurdouche User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:85.0) Gecko/20100101 Firefox/85.0 Steps to reproduce: Using NSS with PKCS #11 library that returns CKR_ATTRIBUTE_VALUE_INVALID when searching for CKA_CLASS = CKO_PROFILE. Actual results: PK11_InitToken calls pk11_ReadProfileList and passes on failures. Thus, if the profiles cannot be read the token cannot be initialized. pk11_ReadProfileList in turn uses pk11_FindObjectsByTemplate to search for CKO_PROFILE objects. This function fails if C_FindObjectsInit fails. However, it should be perfectly ok that C_FindObjectsInit fails if CKO_PROFILE is not known. In fact, CKR_ATTRIBUTE_VALUE_INVALID is a valid return code here since the library does not know (yet) the value CKO_PROFILE for CKA_CLASS and since the CKA_CLASS is a fixed list it the standard allows to return this error code. Expected results: PK11_InitToken should complete successfully. Differential Revision: https://phabricator.services.mozilla.com/D106167
* Bug 1685880 - Minor fix to prevent unused variable on early return. r=beurdoucheBenjamin Beurdouche2021-02-241-4/+2
| | | | | | Depends on D104418 Differential Revision: https://phabricator.services.mozilla.com/D106144
* Bug 1685880 - Fix for the gcc compiler version 7 to support setenv with nss ↵Arora Aashish2021-02-241-3/+10
| | | | | | build. r=rrelyea Differential Revision: https://phabricator.services.mozilla.com/D104418
* Bug 1693217 - Increase nssckbi.h version number for March 2021 batch of root ↵Benjamin Beurdouche2021-02-231-2/+2
| | | | | | CA changes, CA list version 2.48. r=KathleenWilson Differential Revision: https://phabricator.services.mozilla.com/D105451
* Bug 1692094 - Set email distrust after to 21-03-01 for Camerfirma's ↵Benjamin Beurdouche2021-02-231-2/+8
| | | | | | 'Chambers of Commerce' and 'Global Chambersign' roots. r=KathleenWilson Differential Revision: https://phabricator.services.mozilla.com/D105435
* Bug 1618407 - Symantec root certs - Set CKA_NSS_EMAIL_DISTRUST_AFTER. r=kjacobsBenjamin Beurdouche2021-02-231-5/+20
| | | | Differential Revision: https://phabricator.services.mozilla.com/D85334
* Bug 1693173 - Add GlobalSign R45, E45, R46, and E46 root certs to NSS. ↵Benjamin Beurdouche2021-02-231-1/+557
| | | | | | | | r=KathleenWilson Depends on D105448 Differential Revision: https://phabricator.services.mozilla.com/D105457
* Bug 1683738 - Add AC RAIZ FNMT-RCM SERVIDORES SEGUROS root cert to NSS. ↵Benjamin Beurdouche2021-02-231-0/+126
| | | | | | r=KathleenWilson Differential Revision: https://phabricator.services.mozilla.com/D105448
* Bug 1686854 - Remove GeoTrust PCA-G2 and VeriSign Universal root certs from ↵Benjamin Beurdouche2021-02-231-316/+0
| | | | | | NSS. r=KathleenWilson Differential Revision: https://phabricator.services.mozilla.com/D105444
* Bug 1687822 - Turn off Websites trust bit for the “Staat der Nederlanden ↵Benjamin Beurdouche2021-02-231-1/+1
| | | | | | Root CA - G3” root cert in NSS. r=KathleenWilson Differential Revision: https://phabricator.services.mozilla.com/D105436
* Bug 1692094 - Turn off Websites Trust Bit for 'Chambers of Commerce Root - ↵Benjamin Beurdouche2021-02-231-2/+2
| | | | | | 2008' and 'Global Chambersign Root - 2008'. r=KathleenWilson Differential Revision: https://phabricator.services.mozilla.com/D105433
* Bug 1694291 - Tracing fixes for ECH, r=mtStephen Farrell2021-02-231-2/+8
|
* Set version numbers to 3.63 BetaBenjamin Beurdouche2021-02-196-23/+7
|
* Bug 1688374 - Fix parallel build NSS-3.61 with make. r=kjacobsNSS_3_62_BETA1Danh2021-02-051-0/+1
| | | | Differential Revision: https://phabricator.services.mozilla.com/D104259
* Bug 1682044 pkix_Build_GatherCerts() + pkix_CacheCert_Add() can corrupt ↵Robert Relyea2021-02-051-1/+6
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | "cachedCertTable" Patch by Andrew Cagney Preliminary Review by Ryan Sleevie Tested against all.sh rrelyea. r=kjacobs (this bug is old) pkix_Build_GatherCerts() has two code paths for creating the list "certsFound": pkix_CacheCert_Lookup() this sets "certsFound" to a new list "certsFound" and "cachedCertTable" share items but not the list pkix_CacheCert_Add(pkix_pl_Pk11CertStore_CertQuery()) this sets "certsFound" to a new list; and then adds the list to "cachedCertTable" "certsFound" and "cachedCertTable" share a linked list Because the latter doesn't create a separate list, deleting list elements from "certsFound" can also delete list elements from within "cacheCertTable". And if this happens while pkix_CacheCert_Lookup() is trying to update the same element's reference, a core dump can result. In detail (note that reference counts may occasionally seem off by 1, its because data is being captured before function local variables release their reference): pkix_Build_GatherCerts() calls pkix_pl_Pk11CertStore_CertQuery() (via a pointer) to sets "certsFound": PKIX_CHECK(getCerts (certStore, state->certSel, state->verifyNode, &nbioContext, &certsFound, plContext), PKIX_GETCERTSFAILED); it then calls: PKIX_CHECK(pkix_CacheCert_Add (certStore, certSelParams, certsFound, plContext), PKIX_CACHECERTADDFAILED);
* Bug 1690583 - Fix CH padding extension size calculation. r=mtKevin Jacobs2021-02-042-5/+23
| | | | | | | | Bug 1654332 changed the way that NSS constructs Client Hello messages. `ssl_CalculatePaddingExtLen` now receives a `clientHelloLength` value that includes the 4B handshake header. This looks okay per the inline comment (which states that only the record header is omitted from the length), but the function actually assumes that the handshake header is also omitted. This patch removes the addition of the handshake header length. Those bytes are already included in the buffered CH. Differential Revision: https://phabricator.services.mozilla.com/D103934
* Bug 1690421 - Adjust 3.62 ABI report formatting for new libabigail. ↵Kevin Jacobs2021-02-041-2/+2
| | | | | | r=bbeurdouche Differential Revision: https://phabricator.services.mozilla.com/D104067
* Bug 1690421 - Install packaged libabigail in docker-builds image r=bbeurdoucheKevin Jacobs2021-02-031-10/+1
| | | | Differential Revision: https://phabricator.services.mozilla.com/D103849
* Bug 1689228 - Minor ECH -09 fixes for interop testing, fuzzing. r=mtKevin Jacobs2021-01-314-41/+30
| | | | | | | | | | | | | | | A few minor ECH -09 fixes for interop testing and fuzzing: - selfserv now takes a PKCS8 keypair for ECH. This is more maintainable and significantly less terrible than parsing the ECHConfigs and cobbling one together within selfserv (e.g. we can support other KEMs without modifying the server). - Get rid of the newline character in tstclnt retry_configs output. - Fuzzer fixes in tls13_HandleHrrCookie: - We shouldn't use internal_error when PK11_HPKE_ImportContext fails. Cookies are unprotected in fuzzer mode, so this can be expected to occur. - Only restore the application token when recovering hash state, otherwise the copy could happen twice, leaking one of the allocations. Differential Revision: https://phabricator.services.mozilla.com/D103247
* Bug 1674819 - Fixup a51fae403328, enum type may be signed. r=bbeurdoucheKevin Jacobs2021-01-251-1/+1
| | | | Differential Revision: https://phabricator.services.mozilla.com/D102964
* Bug 1681585 - Add ECH support to selfserv. r=mtKevin Jacobs2021-01-241-3/+218
| | | | | | | | | | | | | Usage example: mkdir dbdir && cd dbdir certutil -N -d . certutil -S -s "CN=ech-public.com" -n ech-public.com -x -t "C,C,C" -m 1234 -d . certutil -S -s "CN=ech-private-backend.com" -n ech-private-backend.com -x -t "C,C,C" -m 2345 -d . ../dist/Debug/bin/selfserv -a ech-public.com -a ech-private-backend.com -n ech-public.com -n ech-private-backend.com -p 8443 -d dbdir/ -X publicname:ech-public.com (Copy echconfig from selfserv output and paste into the below command) ../dist/Debug/bin/tstclnt -D -p 8443 -v -A tests/ssl/sslreq.dat -h ech-private-backend.com -o -N <echconfig> -v Differential Revision: https://phabricator.services.mozilla.com/D101050
* Bug 1681585 - Update ECH to Draft-09. r=mtKevin Jacobs2021-01-2521-762/+1241
| | | | | | | | | | | | | This patch updates ECH implementation to draft-09. Changes of note are: - Acceptance signal derivation is now based on the handshake secret. - `config_id` hint changes from 32B to 8B, trial decryption added on the server. - Duplicate code in HRR cookie handling has been consolidated into `tls13_HandleHrrCookie`. - `ech_is_inner` extension is added, which causes a server to indicate ECH acceptance. - Per the above, support signaling ECH acceptance when acting as a backend server in split-mode (i.e. when there is no other local Encrypted Client Hello state). Differential Revision: https://phabricator.services.mozilla.com/D101049
* Bug 1678398 - Add Export/Import functions for HPKE context. r=mtKevin Jacobs2021-01-255-1/+432
| | | | | | | | | | | | | | | | This patch adds and exports two new HPKE functions: `PK11_HPKE_ExportContext` and `PK11_HPKE_ImportContext`, which are used to export a serialized HPKE context, then later reimport that context and resume Open and Export operations. Only receiver contexts are currently supported for export (see the rationale in pk11pub.h). One other change introduced here is that `PK11_HPKE_GetEncapPubKey` now works as expected on the receiver side. If the `wrapKey` argument is provided to the Export/Import functions, then the symmetric keys are wrapped with AES Key Wrap with Padding (SP800-38F, 6.3) prior to serialization. Differential Revision: https://phabricator.services.mozilla.com/D99277
* Bug 1678398 - Update HPKE to draft-07. r=mtKevin Jacobs2021-01-255-446/+487
| | | | | | | | | | | | This patch updates HPKE to draft-07. A few other minor changes are included: - Refactor HPKE gtests for increased parameterized testing. - Replace memcpy calls with PORT_Memcpy - Serialization tweaks to make way for context Export/Import (D99277). This should not be landed without an ECH update, as fixed ECH test vectors will otherwise fail to decrypt. Differential Revision: https://phabricator.services.mozilla.com/D99276
* Bug 1686134 - Renew two chains libpkix test certificates. r=rrelyeaKevin Jacobs2021-01-233-2/+10
| | | | Differential Revision: https://phabricator.services.mozilla.com/D102670
* Set version numbers to 3.62 BetaKevin Jacobs2021-01-224-7/+7
|
* Added tag NSS_3_61_BETA1 for changeset 68ae9b456b1bKevin Jacobs2021-01-190-0/+0
|
* Bug 1686557 - Support aarch64-make target in nss-try. r=bbeurdoucheNSS_3_61_BETA1Kevin Jacobs2021-01-131-2/+4
| | | | Differential Revision: https://phabricator.services.mozilla.com/D101648
* Bug 1684300 - Define USE_STATIC_LIBS=1 for softoken_gtest make builds. ↵Kevin Jacobs2021-01-131-1/+2
| | | | | | r=bbeurdouche Differential Revision: https://phabricator.services.mozilla.com/D101668
* Bug 1684300 - Disable legacy storage when compiled with NSS_DISABLE_DBM. r=mtKevin Jacobs2021-01-135-2/+70
| | | | Differential Revision: https://phabricator.services.mozilla.com/D101218
* Bug 1682863 - Revert nssSlot_IsTokenPresent to 3.58 after ongoing Fx hangs ↵Kevin Jacobs2020-12-221-30/+6
| | | | | | | | | | | | | | | | | | | | with slow PKCS11 devices. r=bbeurdouche This patch reverts the `nssSlot_IsTokenPresent` changes made in bug 1663661 and bug 1679290, restoring the version used in NSS 3.58 and earlier. It's not an actual `hg backout` because the comment in lib/dev/devt.h is worth keeping. While removing the nested locking did resolve the hang for some (most?) third-party modules, problems remain with some slower tokens after an even further relaxation of the locking, which defeats the purpose of addressing the races in the first place. The crash addressed by these patches was caused by the Intermediate Preloading Healer in Firefox, which has been disabled. We clearly have insufficient test coverage for third-party modules, and now that osclientcerts is enabled in Fx Nightly, any problems caused by these and similar changes is unlikely to be reported until Fx Beta, well after NSS RTM. I think the best option at this point is to simply revert NSS. Differential Revision: https://phabricator.services.mozilla.com/D100344
View Lorry Controller Status