| Commit message | Author | Age | Files | Lines |
|
r=nss-reviewers,bbeurdouche
NSS tasks using LSAN seem to run into frequent failures due to ptrace(2)
failing with EACCES (Permission Denied), apparently coming from the
apparmor profile for docker on the VM.
Until now Linux test tasks were using the nss-{1,3}/linux-gcp pools,
which use the same base image as gecko builders. This switches them to
a new pool using the same base image as used by gecko's test tasks,
where ptrace appears to work reliably.
Differential Revision: https://phabricator.services.mozilla.com/D177037
|
Differential Revision: https://phabricator.services.mozilla.com/D153944
|
r=nss-reviewers,jschanck
Differential Revision: https://phabricator.services.mozilla.com/D158327
|
changes r=nkulatova
Differential Revision: https://phabricator.services.mozilla.com/D170903
|
whitespace in ECCKiila files r=nss-reviewers,nkulatova
Differential Revision: https://phabricator.services.mozilla.com/D169262
|
Differential Revision: https://phabricator.services.mozilla.com/D170225
|
task. r=nkulatova
Differential Revision: https://phabricator.services.mozilla.com/D169317
|
images r=nkulatova
As of the images dated 20230126, our docker-in-docker-based image build
process dies trying to retrieve the base images.
Differential Revision: https://phabricator.services.mozilla.com/D169316
|
r=nss-reviewers,bbeurdouche
Differential Revision: https://phabricator.services.mozilla.com/D164770
|
Adding: clang-10.
Removing: gcc-6, gcc-9, gcc-10.
Differential Revision: https://phabricator.services.mozilla.com/D162545
|
Differential Revision: https://phabricator.services.mozilla.com/D163369
|
Clean up problematic terms: master, slave, whitelist, blacklist.
These are usually easily changed to main/server, client, allowlist, and blocklist (or other similar terms, which are often more descriptive anyway). Things related to the tls/ssl master key, which is part of the tls spec and needs to first be handled by the tls ietf working group.
Differential Revision: https://phabricator.services.mozilla.com/D163522
|
r=nss-reviewers,releng-reviewers,jlorenzo,bbeurdouche
When we moved tasks to run on GCP from AWS in bug 1799315, we started
using a newer version of docker-worker including the changes from bug
1637302; as a result, artifacts are compressed with gzip before upload
to s3, and downloads now come with a "content-encoding: gzip" header and
compressed content, regardless of the client's "accept-encoding".
Unfortunately docker-worker doesn't handle that encoding and expects an
artifact called image.tar to be uncompressed. To work around that
issue, we now compress docker images in image_builder with zstd before
upload.
[Ideally we'd install the zstd package in the nssdev/image_builder
docker image itself instead of doing it in every task, however I'm not
sure who owns that or how it's built so this might be good enough for
right now.]
Differential Revision: https://phabricator.services.mozilla.com/D163306
|
Differential Revision: https://phabricator.services.mozilla.com/D161376
|
Differential Revision: https://phabricator.services.mozilla.com/D162252
|
r=nss-reviewers,jschanck
Differential Revision: https://phabricator.services.mozilla.com/D160237
|
Differential Revision: https://phabricator.services.mozilla.com/D158323
|
It was required to update docker-interop image to ubuntu 20.04 since a newer Go release was required for the BoGo tests to run.
See nss/gtests/nss_bogo_shim/config.json for a list of disabled BoGo tests, including short descriptions/bug links.
A -loose-local-errors flag was added to Bogo (runner.go) to allow usage of more tests by ignoring differences in local errors on the Go side of test connections, similar to the remote error 'suppression' used. The code is patched to the BoGo runner after cloning in nss/tests/bogo/bogo.sh and can be found in nss/gtests/nss_bogo_shim/nss_loose_local_errors.patch.
Differential Revision: https://phabricator.services.mozilla.com/D147675
|
Depends on D141764
Differential Revision: https://phabricator.services.mozilla.com/D141765
|
Depends on D131425
Differential Revision: https://phabricator.services.mozilla.com/D141764
|
Differential Revision: https://phabricator.services.mozilla.com/D131425
|
r=nss-reviewers,bbeurdouche
Differential Revision: https://phabricator.services.mozilla.com/D135377
|
Differential Revision: https://phabricator.services.mozilla.com/D129982
|
with AES_CBC
When we added support for AES, we also added support for integrity checks on the encrypted components.
It turns out the code that verifies the integrity checks was broken in 2 ways:
1. it wasn't accurately operating when AES was being used (the if statement wasn't actually triggering for AES_CBC because we were looking for AES in the wrong field).
2. password update did not update the integrity checks in the correct location, meaning any database which has AES encrypted keys, and which had its password updated, will not be able to validate its keys.
While we found this in a previous rebase, the patch had not been pushed upstream.
The attached patch needs sqlite3 to run the tests.
Differential Revision: https://phabricator.services.mozilla.com/D120011
|
r=bbeurdouche
Before applying (on Ryzen 9 3900X)
```
# mode in opreps cxreps context op time(sec) thrgput
sha256_e 1Gb 208Mb 23M 0 0.000 10000.000 10.000 123Mb 301Kb
```
After applying
```
# mode in opreps cxreps context op time(sec) thrgput
sha256_e 5Gb 797Mb 110M 0 0.000 10000.000 10.000 591Mb 769Kb
```
Differential Revision: https://phabricator.services.mozilla.com/D116962
|
c95ab70fcb2bc21025d8845281bc4bc8987ca683 r=beurdouche
Differential Revision: https://phabricator.services.mozilla.com/D107387
|
Differential Revision: https://phabricator.services.mozilla.com/D103849
|
Differential Revision: https://phabricator.services.mozilla.com/D101648
|
(draft-irtf-cfrg-hpke-05). r=mt
This patch adds support for Hybrid Public Key Encryption (draft-irtf-cfrg-hpke-05).
Because the draft number (and the eventual RFC number) is an input to the key schedule, future updates will *not* be backwards compatible in terms of key material or encryption/decryption. For this reason, a default compilation will produce stubs that simply return an "Invalid Algorithm" error. To opt into using the HPKE functionality, compile with `NSS_ENABLE_DRAFT_HPKE` defined. Once finalized, this flag will not be required to access the functions.
Lastly, the `DeriveKeyPair` API is not implemented as it adds complexity around PKCS #11 and is unnecessary for ECH.
Differential Revision: https://phabricator.services.mozilla.com/D73947
|
Actually, we have the implementation of ARM Crypto extension, so CI is always
run with this extension. It means that we don't run CI without ARM Crypto
extension. So I would like to add NoAES and NoSHA for aarch64 CI.
Also, we still run NoSSE4_1 on aarch64 CI, so we shouldn't run this on aarch64
hardware.
Differential Revision: https://phabricator.services.mozilla.com/D93062
|
This build can be tested by running
NSS_BUILD_MODULAR=1 nss/automation/taskcluster/scripts/build.sh
from a directory containing the nss and nspr repositories.
To make this build's make conditionals easier to handle, it also
merges the manifest.mn into the Makefile, because parts of the
conditionals depend on $(OS_ARCH) setting.
In the end, the goal is just to set the correct build $(DIRS).
This also drops the freebl dependency of ssl, which seems not to be
needed, even if it's declared in /lib/ssl/ssl.gyp.
Differential Revision: https://phabricator.services.mozilla.com/D75074
|
Differential Revision: https://phabricator.services.mozilla.com/D74268
|
r=kjacobs
Differential Revision: https://phabricator.services.mozilla.com/D74211
|
We already install these packages on the image_builder image itself. It seems they're now required on the fuzz32 image as well.
Differential Revision: https://phabricator.services.mozilla.com/D69274
|
Differential Revision: https://phabricator.services.mozilla.com/D65945
|
Chacha20Poly1305. r=kjacobs
***
Bug 1612493 - Import AVX2 code from HACL*
***
Bug 1612493 - Add CPU detection for AVX2, BMI1, BMI2, FMA, MOVBE
***
Bug 1612493 - New flag NSS_DISABLE_AVX2 for freebl/Makefile and freebl.gyp
***
Bug 1612493 - Disable use of AVX2 on GCC 4.4 which doesn’t support -mavx2
***
Bug 1612493 - Disable tests when the platform doesn't have support for AVX2
Differential Revision: https://phabricator.services.mozilla.com/D64718
|
r=kjacobs
***
Bug 1617533 - Clang format
***
Bug 1617533 - Update HACL* commit for job in Taskcluster
***
Bug 1617533 - Update HACL* Kremlin code
Differential Revision: https://phabricator.services.mozilla.com/D63829
|
This patch contains the changes in NSS, necessary to pick up HACL*v2 in D55413. It has a couple of TODOs:
* The chacha20 saw verification fails for some reason; it's disabled pending Bug 1604130.
* The hacl task on CI requires Bug 1593647 to get fixed.
Depends on D55413.
Differential Revision: https://phabricator.services.mozilla.com/D55414
|
python3 r=jcj
Setuptools 45.0.0 (https://setuptools.readthedocs.io/en/latest/history.html#v45-0-0) drops support for Python2, which our Windows workers are running.
This patch installs the prior version during build, in order to unblock CI until the workers can be upgraded.
Differential Revision: https://phabricator.services.mozilla.com/D59756
|
This patch contains the changes in NSS, necessary to pick up HACL*v2 in D55413. It has a couple of TODOs:
* The chacha20 saw verification fails for some reason; it's disabled pending Bug 1604130.
* The hacl task on CI requires Bug 1593647 to get fixed.
Depends on D55413.
Differential Revision: https://phabricator.services.mozilla.com/D55414
|
Disable libnssdbm by default and add flag to enable it in builds.
On CI a build and certs test with enabled legacy DB are added.
Note that for some reason the coverage build fails. I have no idea why. I'm open for ideas.
Differential Revision: https://phabricator.services.mozilla.com/D54673
|
Differential Revision: https://phabricator.services.mozilla.com/D52469
|
* Update the Taskcluster client used in the decision task to one that
understands Taskcluster rootUrls.
* Update scripts that fetch content to use the TASKCLUSTER_ROOT_URL
* the absence of this variable signals an "old" worker so we use an "old" URL
Differential Revision: https://phabricator.services.mozilla.com/D52287
|
Differential Revision: https://phabricator.services.mozilla.com/D51952
|
integration tests. r=mt