Commit message | Author | Age | Files | Lines
...
* Bug 1815868 - pin an older version of the ubuntu:18.04 and 20.04 docker images r=nkulatova | Julien Cristau | 2023-02-09 | 6 | -6/+6
  As of the images dated 20230126, our docker-in-docker-based image build process dies trying to retrieve the base images.
  Differential Revision: https://phabricator.services.mozilla.com/D169316
* Bug 1810702 - remove nested table in rst doc r=firefox-source-docs-reviewers,ahal | ogiorgis | 2023-02-07 | 1 | -379/+307
  These tables are not taken into account by sphinx, appear badly in html and trigger a problem when you want to build the doc in text mode.
  Differential Revision: https://phabricator.services.mozilla.com/D168766
* Bug 1815246 - Export NSS_CMSSignerInfo_GetDigestAlgTag. r=djackson | Kai Engert | 2023-02-07 | 1 | -0/+6
  Differential Revision: https://phabricator.services.mozilla.com/D169060
* Bug 1812671 - build failure while implicitly casting SECStatus to PRUInt32. r=nss-reviewers,mt | František Krenželok | 2023-01-30 | 2 | -2/+2
  Author of the patch: Bob Relyea <rrelyea@redhat.com>
  Differential Revision: https://phabricator.services.mozilla.com/D167983
* Documentation: Release notes for NSS 3.88 | Anna Weine | 2023-01-26 | 2 | -13/+100
* Bug 1212915 - Add check for ClientHello SID max length. This is tested by Bogo tests Server-TooLongSessionID-TLS1*. r=djackson [NSS_3_88_BETA1] | Leander Schwarz | 2023-01-16 | 2 | -2/+3
  Depends on D147675
  Differential Revision: https://phabricator.services.mozilla.com/D147726
* Bug 1771100 - Added EarlyData ALPN test support to BoGo shim. r=djackson | Leander Schwarz | 2023-01-16 | 4 | -54/+151
  Differential Revision: https://phabricator.services.mozilla.com/D157290
* Bug 1790357: ECH client - Discard resumption TLS < 1.3 Session(IDs|Tickets) if ECH configs are setup. r=djackson | Leander Schwarz | 2023-01-16 | 2 | -4/+41
  Differential Revision: https://phabricator.services.mozilla.com/D157110
* Bug 1714245 - On HRR skip PSK incompatible with negotiated ciphersuites hash algorithm. r=djackson | Leander Schwarz | 2023-01-16 | 3 | -2/+17
  Differential Revision: https://phabricator.services.mozilla.com/D156660
* Bug 1789410 - ECH client: Send ech_required alert on server negotiating TLS 1.2. Fixed misleading Gtest, enabled corresponding BoGo test. r=djackson | Leander Schwarz | 2023-01-16 | 6 | -32/+41
  Differential Revision: https://phabricator.services.mozilla.com/D156565
* Bug 1771100 - Added Bogo ECH rejection test support. r=djackson | Leander Schwarz | 2023-01-16 | 2 | -9/+67
  Differential Revision: https://phabricator.services.mozilla.com/D154631
* Bug 1771100 - Added ECH 0Rtt support to BoGo shim. r=djackson | Leander Schwarz | 2023-01-16 | 3 | -5/+109
  Differential Revision: https://phabricator.services.mozilla.com/D154209
* Backed out changeset 7f64f5d3df09 for build bustage | Martin Thomson | 2023-01-14 | 9 | -11/+12
* Bug 1747957 - RSA OAEP Wycheproof JSON, r=jschanck | Martin Thomson | 2023-01-12 | 26 | -7834/+14449
  Depends on D134922
  Differential Revision: https://phabricator.services.mozilla.com/D134923
* Bug 1747957 - RSA decrypt Wycheproof JSON, r=jschanck | Martin Thomson | 2023-01-12 | 11 | -27327/+5935
  Depends on D134921
  Differential Revision: https://phabricator.services.mozilla.com/D134922
* Bug 1747957 - ECDSA Wycheproof JSON, r=jschanck | Martin Thomson | 2023-01-12 | 10 | -32339/+24352
  Depends on D134920
  Differential Revision: https://phabricator.services.mozilla.com/D134921
* Bug 1747957 - ECDH Wycheproof JSON, r=jschanck | Martin Thomson | 2023-01-12 | 5 | -51862/+194
  Depends on D134886
  Differential Revision: https://phabricator.services.mozilla.com/D134920
* Bug 1747957 - PKCS#1v1.5 wycheproof json, r=nss-reviewers,nkulatova | Martin Thomson | 2023-01-12 | 20 | -87156/+19489
  Depends on D134853
  Differential Revision: https://phabricator.services.mozilla.com/D134886
* Bug 1747957 - Use X25519 wycheproof json, r=nss-reviewers,jschanck | Martin Thomson | 2023-01-12 | 11 | -11713/+508
  Depends on D134846
  Differential Revision: https://phabricator.services.mozilla.com/D134853
* Bug 1766767 - Move scripts to python3, r=nss-reviewers,jschanck | Martin Thomson | 2023-01-12 | 9 | -12/+11
  Differential Revision: https://phabricator.services.mozilla.com/D166506
* Bug 1809627 - Properly link FuzzingEngine for oss-fuzz. r=djackson | Christian Holler | 2023-01-11 | 1 | -0/+4
  Differential Revision: https://phabricator.services.mozilla.com/D166524
* Doc: release notes for NSS 3.79.3 | Benjamin Beurdouche | 2023-01-10 | 1 | -0/+58
* Bug 1805907 - Extending RSA-PSS bltest test coverage (Adding SHA-256 and SHA-384) r=nss-reviewers,bbeurdouche | Natalia Kulatova | 2023-01-09 | 26 | -1/+26
  The patch adds the RSA-PSS + SHA2 test vectors. (Before, there were just the SHA-1 ones).
  Differential Revision: https://phabricator.services.mozilla.com/D164811
* WIP: Bug 1804091 NSS needs to move off of DSA for integrity checks. r=nss-reviewers,jschanck | Robert Relyea | 2023-01-05 | 11 | -489/+1005
  When we first added integrity checks to NSS for FIPS compliance, the only signature method allowed was DSA. NIST will be sunsetting DSA in 2023, so we need to update our integrity checks again. Since the time we added these checks, NIST has started accepting HMAC as a valid signature algorithm for integrity checks. HMAC is easier, faster and requires smaller .chk files and openssl and gnutls have been using hmac now for years for this purpose. Since we need to move off of DSA anyway it's time to move to HMAC.

  This patch does this move. shlibsign now produces HMAC_256 by default. It moves the version number up because even though nss includes a type field, previous versions of NSS did not look at the type field when checking integrity. Bumping the version number will cause previous versions of NSS to fail early if presented with a newly generated integrity check file (even though it should fail later anyway). shlibsign now has the ability to generate 'legacy' check files so it can be used to generate check files for older versions of NSS.

  NSS can still accept older check files unless NSS_STRICT_INTEGRITY is set at compile time. This means tools which may be using old shlibsign to resign nss shared libraries will continue to work. At some point we can remove all DSA support (maybe after one enterprise release cycle).

  While completing this work, we also complete some integrity code cleanup. There are lots of magic numbers defining where things fall in the integrity check header. These are now moved to a structure and defined in the shsign.h header. Both shlibsign and shvfy have been updated to use this header.

  New test cases are not needed since fips.sh adequately tests our integrity code (both normal case and against mangled libraries which should fail). Though the lowhash test was updated to catch a particular issue we can run into when we use the LOWHASH code. On RHEL-7, we use the NSSLOWHASH_ interface in freebl in libc, which needs to run independently of nspr and nssutil. This requirement puts a pretty heavy burden on freebl to be self-contained when used for NSSLOWHASH_, including running integrity checks. The previous test program linked with nssutil and nspr (just like all of the rest of the nss tests) and weren't detecting issues when unimplemented stub functions were called. This patch includes fixing those lowhash tests and also implementing the stubs needed by the current integrity check code.

  cmd/lowhashtest/Makefile
    remove linking lowhashtest with all the libraries except freebl.
  cmd/lowhashtest/lowhashtest.c
    remove any dependency NSPR or NSSUTIL in the code.
  cmd/lowhashtest/manifest.mn
    remove spurious requires statements.
  cmd/shlibsign/shlibsign.c
    add hmac code.
    add ability to select the hash type from the command line.
    separate signature processing into their own functions for DSA and HMAC
    General cleanups.
    Use PR_ARRAY_SIZE rather than a custom define.
    move error printing outside utility functions (so we don't have to pass around filenames everywhere)
    Use NSSSignChkHeader instead of a Buf with magic offsets for the Check file Header.
    Add ability to make old style .chk files for old versions of NSS.
    Add option to revert to DSA
    Add option to use old version numbers: only valid if DSA is set.
  lib/freebl/Makefile
    Allow NSS_STRICT_INTEGRITY to be set at build time. Setting NSS_STRICT_INTEGRITY only accepts hmac256, hmac384, hmac512. If it's not set, NSS will accept older .chk file formats (like DSA-2).
  lib/freebl/nsslowhash.c
    lowhashtest files expect to set NSS_FIPS to force fips mode when testing the lowhash interface, but NSS_FIPS was not being looked at in the nsslow_GetFIPSEnabled. NOTE: setting NSS_FIPS to true will force FIPS mode if the system isn't already in FIPS mode. Setting it to FALSE will not turn it off if the system is already in FIPS mode.
  lib/freebl/shsign.h
    Update version. Add new defines for HMAC add new Header structure to remove magic offsets into a raw buffer in the code.
  lib/freebl/shvfy.c
    Add HMAC processing. Turn off DSA processing if NSS_STRICT_INTEGRITY is set. Refactor the signature processing.
  lib/freebl/stubs.c
    Add SECITEM_ItemsAreEqual for HMAC shvfy
    Add implementations for SECITEM_ItemsAreEqual, SECITEM_ZfreeItem, and PR_GetEnvSecure. The first is new. The second solves an existing bug which is only seen on RHEL7, and the last is needed for the fix to nsslowhash.c above. PR_GetEnvSecure() calls secure_getenv if _USE_GNU is set, otherwise it falls back to the normal getenv. This should be safe since it's only used in LOWHASH to get the NSS_FIPS environment variable, which only has the effect of making LOWHASH run in fips mode when it otherwise wouldn't.
  lib/freebl/stubs.c
    Add SECITEM_ItemsAreEqual for HMAC shvfy
  tests/lowhash/lowhash.sh
    Make the test executable so it can be run on its own.

  Differential Revision: https://phabricator.services.mozilla.com/D164137
* Bug 1805815 - Add initial testing with ACVP vector sets using acvp-rust r=nss-reviewers,bbeurdouche | Iaroslav Gridin | 2023-01-05 | 4 | -0/+118
  Differential Revision: https://phabricator.services.mozilla.com/D164770
* Bug 1806369 - Don't clone libFuzzer, rely on clang instead. r=djackson,truber | Christian Holler | 2023-01-05 | 4 | -27/+9
  Differential Revision: https://phabricator.services.mozilla.com/D165006
* Set version numbers to 3.88 Beta | Dennis Jackson | 2023-01-05 | 4 | -7/+7
* Documentation: Release notes for NSS 3.87 | Dennis Jackson | 2023-01-05 | 2 | -18/+82
* Bug 1807911 - Remove +x permissions on source code r=nss-reviewers,bbeurdouche | Sylvestre Ledru | 2022-12-30 | 266 | -0/+0
  Differential Revision: https://phabricator.services.mozilla.com/D165677
* Bug 1807822 - nss doc: remove non breaking space - r=nss-reviewers,bbeurdouche | Sylvestre Ledru | 2022-12-28 | 135 | -7927/+7927
  done with:
    $ LC_ALL=C sed -i 's/\xc2\xa0/ /g' $(fd .rst)
  Differential Revision: https://phabricator.services.mozilla.com/D165617
* Bug 1807822 - nss doc: remove some whitespaces r=nss-reviewers,bbeurdouche | Sylvestre Ledru | 2022-12-28 | 39 | -181/+181
  Done with:
    find . -type f -name '*.rst' -exec sed --in-place 's/[[:space:]]\+$//' {} \+
  Depends on D165615
  Differential Revision: https://phabricator.services.mozilla.com/D165616
* Bug 1807822 - nss doc: remove some 'eval' r=nss-reviewers,bbeurdouche | Sylvestre Ledru | 2022-12-28 | 78 | -117/+117
  Done with:
    sed -i -e "s|.. code:: eval|.. code::|g" $(fd .rst)
  Differential Revision: https://phabricator.services.mozilla.com/D165615
* Bug 1807822 - nss doc: remove some 'notranslate' r=nss-reviewers,bbeurdouche | Sylvestre Ledru | 2022-12-28 | 38 | -380/+380
  done with:
    L=$(rg "code:: notranslate"|cut -d: -f1|sort -u)
    sed -i -e "s|.. code:: notranslate|.. code::|g" $L
  Differential Revision: https://phabricator.services.mozilla.com/D165614
* Bug 1806393 - Use non-empty password for p12 test files used by Thunderbird. r=bbeurdouche,nss-reviewers | Kai Engert | 2022-12-19 | 1 | -4/+4
  Differential Revision: https://phabricator.services.mozilla.com/D165019
* Bug 1798823 - Additional zero-length RSA modulus checks. r=nkulatova [NSS_3_87_BETA1] | John M. Schanck | 2022-12-15 | 2 | -12/+21
  Differential Revision: https://phabricator.services.mozilla.com/D163622
* Bug 1798823 - add checks for zero-length RSA modulus to avoid memory errors and failed assertions later r=nss-reviewers,nkulatova,jschanck | Iaroslav Gridin | 2022-12-15 | 2 | -0/+26
  Differential Revision: https://phabricator.services.mozilla.com/D162111
* Bug 1730353 - Add support for the LoongArch 64-bit architecture. r=nss-reviewers,djackson | yetist | 2022-12-14 | 1 | -1/+1
  Differential Revision: https://phabricator.services.mozilla.com/D142421
* Bug 1751705 - Update ECCKiila generated files r=nss-reviewers,nkulatova | Iaroslav Gridin | 2022-12-12 | 2 | -854/+1967
  Differential Revision: https://phabricator.services.mozilla.com/D135765
* Bug 1751707 - Add configuration option to enable source-based coverage sanitizer r=nss-reviewers,mt | Iaroslav Gridin | 2022-12-12 | 4 | -2/+12
  Differential Revision: https://phabricator.services.mozilla.com/D135764
* Bug 1774654 tstclnt crashes when accessing gnutls server without a user cert in the database. | Robert Relyea | 2022-12-08 | 1 | -5/+5
  The filter functions do not handle NULL CERTCertLists, but CERT_FindUserCertsByUsage can return a NULL cert list. If it returns a NULL list, we should just fail at the point (there are no certs available).
  Differential Revision: https://phabricator.services.mozilla.com/D164273
* Bug 1749030 - Modification of supported compilers r=nss-reviewers,bbeurdouche | Anna Weine | 2022-12-08 | 2 | -37/+9
  Adding: clang-10. Removing: gcc-6, gcc-9, gcc-10.
  Differential Revision: https://phabricator.services.mozilla.com/D162545
* Bug 1803595 - Updating the compiler parsing for build r=nss-reviewers,bbeurdouche | Natalia Kulatova | 2022-12-08 | 2 | -2/+12
  The patch now introduces a new flag for ninja build - cc_is_cc. It states if the compiler we use is cc (that indeed often stands for gcc, but for some cases the compiler check fails).
  Differential Revision: https://phabricator.services.mozilla.com/D163602
* Bug 1804071 - Fix rng stub signature for fuzzing builds. r=nss-reviewers,jschanck | Jesse Schwartzentruber | 2022-12-08 | 1 | -1/+3
  Differential Revision: https://phabricator.services.mozilla.com/D163846
* Bug 1803226 - NULL password encoding incorrect. r=nss-reviewers,jschanck | Robert Relyea | 2022-12-08 | 1 | -3/+2
  The test for adding the unicode null in the null password case was incorrect from Bug 1757075 (https://bugzilla.mozilla.org/show_bug.cgi?id=1757075). The sense of the test was backwards meaning that no null was added. We didn't notice because NSS and openssl tolerate incorrect null password encoding. It was picked up in gnutls interop testing.
  Differential Revision: https://phabricator.services.mozilla.com/D163498
* Set version numbers to 3.87 Beta | John M. Schanck | 2022-12-08 | 4 | -7/+7
* Documentation: Release notes for NSS 3.86 | John M. Schanck | 2022-12-08 | 2 | -5/+92
* Bug 1803211: Disable libpkix for static builds r=bbeurdouche,nss-reviewers | skhamis | 2022-12-02 | 1 | -1/+1
  Differential Revision: https://phabricator.services.mozilla.com/D163369
* Set version numbers to 3.86 Beta [NSS_3_86_BETA1] | John M. Schanck | 2022-12-01 | 4 | -7/+7
* Bug 1803190 conscious language removal in NSS | Robert Relyea | 2022-11-30 | 6 | -33/+11
  Clean up problematic terms are master, slave, whitelist, blacklist. These are usually easily changed to main/server, client, allowlist, and blocklist (or other similar terms, which are often more descriptive anyway). Things related to the tls/ssl master key, which part of the tls spec and needs to first be handled by the tls ietf working group.
  Differential Revision: https://phabricator.services.mozilla.com/D163522
* Bug 1803453 - Set CKA_NSS_SERVER_DISTRUST_AFTER and CKA_NSS_EMAIL_DISTRUST_AFTER for 3 TrustCor Root Certificates. r=KathleenWilson | John M. Schanck | 2022-11-30 | 1 | -6/+25
  Differential Revision: https://phabricator.services.mozilla.com/D163527