Closed
Bug 1577822
Opened 5 years ago
Closed 5 years ago
Upgrade Firefox 71 to use NSS 3.47
Categories
(Core :: Security: PSM, task, P1)
Core
Security: PSM
Tracking
()
RESOLVED
FIXED
mozilla71
| Tracking | Status | |
|---|---|---|
| firefox71 | --- | fixed |
People
(Reporter: jcj, Assigned: jcj)
References
(Blocks 1 open bug)
Details
(Whiteboard: [psm-assigned][nss])
Attachments
(12 files, 1 obsolete file)
|
47 bytes,
text/x-phabricator-request
|
Details | Review | |
|
47 bytes,
text/x-phabricator-request
|
Details | Review | |
|
47 bytes,
text/x-phabricator-request
|
Details | Review | |
|
47 bytes,
text/x-phabricator-request
|
Details | Review | |
|
47 bytes,
text/x-phabricator-request
|
Details | Review | |
|
47 bytes,
text/x-phabricator-request
|
Details | Review | |
|
47 bytes,
text/x-phabricator-request
|
Details | Review | |
|
47 bytes,
text/x-phabricator-request
|
Details | Review | |
|
Backed out changeset 3eb63c112f5a (Bug 1577822) for breaking WebAuthn mochitests UPGRADE_NSS_RELEASE
47 bytes,
text/x-phabricator-request
|
Details | Review | |
|
47 bytes,
text/x-phabricator-request
|
Details | Review | |
|
47 bytes,
text/x-phabricator-request
|
Details | Review | |
|
47 bytes,
text/x-phabricator-request
|
Details | Review |
Tracking NSS 3.47 for Firefox 71. Ultimate tag will be NSS_3_47_RTM.
|
Assignee | |
Comment 1•5 years ago
|
||
2019-08-30 Alexander Scheel <ascheel@redhat.com>
* automation/taskcluster/scripts/build_softoken.sh,
cmd/lib/pk11table.c, gtests/pk11_gtest/pk11_aes_cmac_unittest.cc,
gtests/pk11_gtest/pk11_gtest.gyp, lib/pk11wrap/debug_module.c,
lib/pk11wrap/pk11mech.c, lib/softoken/pkcs11.c,
lib/softoken/pkcs11c.c, lib/util/pkcs11t.h:
Bug 1570501 - Expose AES-CMAC in PKCS #11 API, r=mt
[cf0df88aa807] [tip]
* cpputil/freebl_scoped_ptrs.h, gtests/freebl_gtest/cmac_unittests.cc,
gtests/freebl_gtest/freebl_gtest.gyp, lib/freebl/blapi.h,
lib/freebl/cmac.c, lib/freebl/cmac.h, lib/freebl/exports.gyp,
lib/freebl/freebl_base.gypi, lib/freebl/ldvector.c,
lib/freebl/loader.c, lib/freebl/loader.h, lib/freebl/manifest.mn:
Bug 1570501 - Add AES-CMAC implementation to freebl, r=mt
[a42c6882ba1b]
2019-09-05 David Cooper <dcooper16@gmail.com>
* lib/smime/cmssiginfo.c:
Bug 657379 - NSS uses the wrong OID for signatureAlgorithm field of
signerInfo in CMS for DSA and ECDSA. r=rrelyea
[7a83b248de30]
2019-09-05 Daiki Ueno <dueno@redhat.com>
* lib/freebl/drbg.c:
Backed out changeset 934c8d0e7aba
It turned out to cause some new errors in LSan; backing out for now.
[34a254dd1357]
* lib/freebl/drbg.c:
Bug 1560329, drbg: perform continuous test on entropy source,
r=rrelyea
Summary: FIPS 140-2 section 4.9.2 requires a conditional self test
to check that consecutive entropy blocks from the system are
different. As neither getentropy() nor /dev/urandom provides that
check on the output, this adds the self test at caller side.
Reviewers: rrelyea
Reviewed By: rrelyea
Bug #: 1560329
[934c8d0e7aba]
2019-08-30 Kevin Jacobs <kjacobs@mozilla.com>
* coreconf/WIN32.mk:
Bug 1576664 - Remove -mms-bitfields from win32 makefile r=jcj
[bf4de7985f3d]
2019-08-29 Dana Keeler <dkeeler@mozilla.com>
* automation/abi-check/expected-report-libnss3.so.txt,
gtests/pk11_gtest/pk11_find_certs_unittest.cc, lib/nss/nss.def,
lib/pk11wrap/pk11cert.c, lib/pk11wrap/pk11pub.h:
bug 1577038 - add PK11_GetCertsFromPrivateKey r=jcj,kjacobs
PK11_GetCertFromPrivateKey only returns one certificate with a
public key that matches the given private key. This change
introduces PK11_GetCertsFromPrivateKey, which returns a list of all
certificates with public keys that match the given private key.
[9befa8d296c0]
2019-08-30 J.C. Jones <jjones@mozilla.com>
* automation/abi-check/previous-nss-release, lib/nss/nss.h,
lib/softoken/softkver.h, lib/util/nssutil.h:
Set version numbers to 3.47 beta
[685cea0a7b48]
* lib/nss/nss.h, lib/softoken/softkver.h, lib/util/nssutil.h:
Set version numbers to 3.46 final
[decbf7bd40fd] [NSS_3_46_RTM]
Pushed by jjones@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/df53ccb59e06 land NSS cf0df88aa807 UPGRADE_NSS_RELEASE, r=kjacobs
|
||
Comment 3•5 years ago
|
||
| bugherder | ||
|
|
Assignee | |
Comment 4•5 years ago
|
||
2019-09-18 Kevin Jacobs <kjacobs@mozilla.com>
* cmd/lib/derprint.c:
Bug 1581024 - Check for pointer wrap in derprint.c. r=jcj
Check for pointer wrap on output-length check in the derdump
utility.
[a3ee4f26b4c1] [tip]
2019-09-18 Giulio Benetti <giulio.benetti@micronovasrl.com>
* lib/freebl/gcm-aarch64.c:
Bug 1580126 - Fix build failure on aarch64_be while building
freebl/gcm r=kjacobs
Build failure is caused by different #ifdef conditions in gcm.c and
gcm-aarch64.c that leads to double declaration of the same gcm_*
functions.
Fix #ifdef condition in gcm-aarch64.c making it the same as the one
in gcm.c.
Signed-off-by: Giulio Benetti <giulio.benetti@micronovasrl.com>
[fa0d958de0c3]
2019-09-17 Kai Engert <kaie@kuix.de>
* automation/taskcluster/graph/src/extend.js:
Bug 1385039 - Build NSPR tests as part of NSS continuous
integration. r=kjacobs
[cc97f1a93038]
2019-09-17 Landry Breuil <landry@openbsd.org>
* lib/freebl/Makefile:
Bug 1581391 - include gcm-aarch64 on all unices, not only linux
r=kjacobs
[e7b4f293fa4e]
2019-09-17 Martin Thomson <mt@lowentropy.net>
* mach:
Bug 1581041 - Rename mach-commands to mach-completion, r=jcj
This means that we can point our completion at the gecko one.
[bc91272fcbdc]
2019-09-16 Jenine <jenine_c@outlook.com>
* cmd/pk11importtest/pk11importtest.c, lib/softoken/pkcs11.c:
Bug 1558313 - Fix clang warnings in pk11importtest.c and pkcs11.c
r=marcusburghardt
[4569b745f74e]
2019-09-13 Daiki Ueno <dueno@redhat.com>
* lib/certhigh/certvfy.c:
Bug 1542207, fix policy check on signature algorithms, r=rrelyea
Reviewers: rrelyea
Reviewed By: rrelyea
Bug #: 1542207
[ed8a41d16c1c]
2019-09-05 Daiki Ueno <dueno@redhat.com>
* lib/freebl/drbg.c:
Bug 1560329, drbg: perform continuous test on entropy source,
r=rrelyea
Summary: FIPS 140-2 section 4.9.2 requires a conditional self test
to check that consecutive entropy blocks from the system are
different. As neither getentropy() nor /dev/urandom provides that
check on the output, this adds the self test at caller side.
Reviewers: rrelyea
Reviewed By: rrelyea
Bug #: 1560329
[c66dd879d16a]
2019-09-06 Martin Thomson <mt@lowentropy.net>
* automation/taskcluster/graph/src/queue.js:
Bug 1579290 - Disable LSAN during builds, r=ueno
Summary: See the bug description for details.
[f28f3d7b7cf0]
2019-09-13 Kai Engert <kaie@kuix.de>
* Makefile, build.sh, coreconf/nspr.sh, help.txt:
Bug 1385061 - Build NSPR tests with NSS make; Add gyp parameters to
build/run NSPR tests. r=jcj
[8b4a226f7d23]
2019-09-11 Kai Engert <kaie@kuix.de>
* nss.gyp:
Bug 1577359 - Build atob and btoa for Thunderbird. r=jcj
[1fe61aadaf57]
2019-09-10 Marcus Burghardt <mburghardt@mozilla.com>
* cmd/pk12util/pk12util.c:
Bug 1579036 - Define error when trying to export non-existent cert
with pk12util. r=jcj
[65ab97f03c89]
2019-09-04 Martin Thomson <mt@lowentropy.net>
* gtests/mozpkix_gtest/pkixder_input_tests.cpp:
Bug 1578626 - Remove undefined nullptr decrement, r=keeler
Summary: This uses uintptr_t to avoid the worst. It still looks
terrible and might trip static analysis warnings, but the
reinterpret_cast should hide that.
This assumes that sizeof(uintptr_t) == sizeof(void*), so I've added
an assertion so that we'll at least fail the test on those systems.
(We could use GTEST_SKIP instead, but we don't have that in the
version of gtest that we use.)
Reviewers: keeler
Tags: #secure-revision
Bug #: 1578626
[d2485b1c997e]
2019-09-05 Marcus Burghardt <mburghardt@mozilla.com>
* gtests/pk11_gtest/pk11_find_certs_unittest.cc:
Bug 1578751 - Ensure a consistent style for
pk11_find_certs_unittest.cc. r=jcj
Adjusted the style and clang-format after the changes in some var
names.
[e95fee7f59e5]
Pushed by jjones@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/2f369bea151c land NSS a3ee4f26b4c1 UPGRADE_NSS_RELEASE, r=kjacobs
|
||
Comment 6•5 years ago
|
||
| bugherder | ||
|
||
Comment 7•5 years ago
|
||
This busted Mac builds for Thunderbird, see bug 1577359 comment #5.
|
|
Assignee | |
Comment 8•5 years ago
|
||
2019-09-23 Daiki Ueno <dueno@redhat.com>
* gtests/ssl_gtest/ssl_recordsize_unittest.cc, lib/ssl/ssl3con.c,
tests/tlsfuzzer/config.json.in, tests/tlsfuzzer/tlsfuzzer.sh:
Bug 1580286, account for IV size when checking TLS 1.2 records, r=mt
Summary: This increases the limit of record expansion by 16 so that
it doesn't reject maximum block padding when HMAC-SHA384 is used.
To test this, tlsfuzzer is updated to the latest version (commit
80d7932ead1d8dae6e555cfd2b1c4c5beb2847df).
Reviewers: mt
Reviewed By: mt
Bug #: 1580286
[03039d4fad57] [tip]
2019-09-20 Kai Engert <kaie@kuix.de>
* tests/smime/smime.sh:
Bug 1577448 - Create additional nested S/MIME test messages for
Thunderbird. r=jcj
[57977ceea00e]
2019-09-19 Kai Engert <kaie@kuix.de>
* automation/taskcluster/docker-gcc-4.4/Dockerfile,
automation/taskcluster/graph/src/try_syntax.js,
automation/taskcluster/scripts/build.sh,
automation/taskcluster/scripts/build_gyp.sh,
automation/taskcluster/scripts/build_nspr.sh,
automation/taskcluster/scripts/check_abi.sh,
automation/taskcluster/scripts/gen_coverage_report.sh,
automation/taskcluster/scripts/run_coverity.sh,
automation/taskcluster/scripts/run_scan_build.sh,
automation/taskcluster/windows/build.sh,
automation/taskcluster/windows/build_gyp.sh:
Bug 1399095 - Allow nss-try to be used to test NSPR changes.
r=kjacobs
[6e1a8a7cb469]
2019-09-16 Marcus Burghardt <mburghardt@mozilla.com>
* gtests/ssl_gtest/manifest.mn,
gtests/ssl_gtest/ssl_cipherorder_unittest.cc,
gtests/ssl_gtest/ssl_gtest.gyp, lib/ssl/ssl3con.c, lib/ssl/sslexp.h,
lib/ssl/sslsock.c:
Bug 1267894 - New functions for CipherSuites Ordering and gtests.
r=jcj,kjacobs,mt
Created two new experimental functions which permit the caller
change the default order of CipherSuites used during the handshake.
[2deb38fc1d68]
2019-09-18 Christian Weisgerber <naddy@mips.inka.de>
* tests/policy/policy.sh, tests/ssl/ssl.sh:
Bug 1581507 - Fix unportable grep expression in test scripts
r=marcusburghardt
[edc1e405afa4]
2019-09-18 Franziskus Kiefer <franziskuskiefer@gmail.com>
* lib/jar/jarfile.c:
Bug 1234830 - [CID 1242894][CID 1242852] unused values.
r=kaie,r=kjacobs
[b6d3f5c95aad]
2019-09-18 Kai Engert <kaie@kuix.de>
* cmd/symkeyutil/symkeyutil.c:
Bug 1581759 - fix incorrect if condition in symkeyutil. r=kjacobs
[306550105228]
Pushed by jjones@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/73f2bfcab947 land NSS 03039d4fad57 UPGRADE_NSS_RELEASE, r=kjacobs
|
|
||
Comment 10•5 years ago
|
||
| bugherder | ||
|
|
Assignee | |
Comment 11•5 years ago
|
||
2019-09-27 Daiki Ueno <dueno@redhat.com>
* cmd/lib/Makefile, cmd/lib/lib.gyp, cmd/lib/manifest.mn,
cmd/lib/secutil.c, cmd/lib/secutil.h, cmd/platlibs.mk,
cmd/selfserv/selfserv.c, cmd/tstclnt/tstclnt.c, tests/ssl/ssl.sh:
Bug 1494063, add -x option to tstclnt/selfserv to export keying
material, r=mt
Reviewers: rrelyea, mt
Reviewed By: mt
Subscribers: HubertKario
Bug #: 1494063
[be9c48ad76cb] [tip]
2019-02-25 Martin Thomson <martin.thomson@gmail.com>
* gtests/pk11_gtest/manifest.mn, gtests/pk11_gtest/pk11_gtest.gyp,
gtests/pk11_gtest/pk11_import_unittest.cc,
gtests/pk11_gtest/pk11_key_unittest.cc,
gtests/pk11_gtest/pk11_keygen.cc, gtests/pk11_gtest/pk11_keygen.h:
Bug 1515342 - Tests for invalid DH public keys, r=jcj
Summary: This prevents crashes on invalid, particularly NULL, keys
for DH and ECDH.
I factored out test code already landed for this.
[7e3476b7a912]
2019-09-27 Martin Thomson <martin.thomson@gmail.com>
* cpputil/nss_scoped_ptrs.h, cpputil/scoped_ptrs_util.h,
gtests/common/testvectors/curve25519-vectors.h,
gtests/der_gtest/der_quickder_unittest.cc, lib/util/quickder.c:
Bug 1515342 - Checks for invalid bit strings, r=jcj
[f4fe0da73446]
2019-09-27 Martin Thomson <mt@lowentropy.net>
* cmd/lib/derprint.c:
Bug 1581024 - Fix pointer comparisons, a=bustage
[062bc5e9859a]
2019-09-24 Kevin Jacobs <kjacobs@mozilla.com>
* cmd/lib/derprint.c:
Bug 1581024 - fixup pointer wrap check to prevent it from being
optimized out. r=jcj
[f7fef2487a60]
2019-09-26 Deian Stefan <deian@cs.ucsd.edu>
* lib/softoken/pkcs11c.c, lib/softoken/tlsprf.c:
Bug 1582343 - Use constant time memcmp in more places r=kjacobs,jcj
[86ef6ba1f1d7]
2019-09-26 Marcus Burghardt <mburghardt@mozilla.com>
* gtests/pk11_gtest/pk11_aes_gcm_unittest.cc, lib/freebl/gcm.c,
lib/freebl/intel-gcm-wrap.c:
Bug 1578238 - Validate tag size in AES_GCM. r=kjacobs,jcj
Validate tag size in AES_GCM.
[4e3971fd992c]
* gtests/pk11_gtest/manifest.mn, gtests/pk11_gtest/pk11_gtest.gyp,
gtests/pk11_gtest/pk11_seed_cbc_unittest.cc, lib/freebl/seed.c:
Bug 1576295 - SEED_CBC encryption check input arguments.
r=kjacobs,jcj,mt
Ensure the arguments passed to these functions are valid.
[7580a5a212c7]
|
||
Comment 12•5 years ago
|
||
Pushed by jjones@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/9b944cc72cdc land NSS be9c48ad76cb UPGRADE_NSS_RELEASE, r=kjacobs
|
||
Comment 13•5 years ago
|
||
| bugherder | ||
|
|
Assignee | |
Comment 14•5 years ago
|
||
2019-09-27 J.C. Jones <jjones@mozilla.com>
* lib/softoken/pkcs11.c, lib/softoken/pkcs11i.h,
lib/softoken/pkcs11u.c:
Bug 1508776 - Remove unneeded refcounting from SFTKSession
r=mt,kjacobs
SFTKSession objects are only ever actually destroyed at PK11 session
closure, as the session is always the final holder -- and asserting
refCount == 1 shows that to be true. Because of that,
NSC_CloseSession can just call `sftk_DestroySession` directly and
leave `sftk_FreeSession` as a no-op to be removed in the future.
[5619cbbca3db] [tip]
|
|
||
Comment 15•5 years ago
|
||
Pushed by jjones@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/32eea6049fe7 land NSS 5619cbbca3db UPGRADE_NSS_RELEASE, r=kjacobs
|
||
Comment 16•5 years ago
|
||
| bugherder | ||
|
|
Assignee | |
Comment 17•5 years ago
|
||
2019-10-01 Kevin Jacobs <kjacobs@mozilla.com>
* lib/softoken/pkcs11c.c:
Bug 1577953 - Support longer (up to RFC maximum) HKDF outputs r=jcj
HKDF-Expand enforces a maximum output length much shorter than
stated in the RFC. This patch aligns the implementation with the RFC
by allocating more output space when necessary.
[c0913ad7a560] [tip]
2019-09-30 Kevin Jacobs <kjacobs@mozilla.com>
* gtests/common/testvectors/curve25519-vectors.h,
gtests/pk11_gtest/pk11_curve25519_unittest.cc,
gtests/pk11_gtest/pk11_ecdsa_unittest.cc,
gtests/pk11_gtest/pk11_ecdsa_vectors.h,
gtests/pk11_gtest/pk11_signature_test.h:
Bug 1558234 - Additional EC key tests, r=jcj
Adds additional EC key corner case testing.
[c20364849713]
|
|
||
Comment 18•5 years ago
|
||
Pushed by rgurzau@mozilla.com: https://hg.mozilla.org/mozilla-central/rev/5ad3cfbe42f6 land NSS c0913ad7a560 UPGRADE_NSS_RELEASE, r=kjacobs
|
||
Comment 19•5 years ago
|
||
| bugherder | ||
|
||
Comment 20•5 years ago
|
||
| bugherder | ||
|
|
Assignee | |
Comment 21•5 years ago
|
||
2019-10-03 Kevin Jacobs <kjacobs@mozilla.com>
* gtests/pk11_gtest/pk11_cbc_unittest.cc, lib/softoken/pkcs11c.c:
Bug 1576307 - Fixup for fips tests, permit NULL iv as necessary.
r=jcj
ECB mode should not require an IV.
[dc86215aea17] [tip]
2019-09-30 Kevin Jacobs <kjacobs@mozilla.com>
* gtests/pk11_gtest/pk11_cbc_unittest.cc, lib/softoken/pkcs11c.c:
Bug 1576307 - Check mechanism param and param length before casting
to mechanism-specific structs. r=jcj
This patch adds missing PKCS11 input parameter checks, which are
needed prior to casting to mechanism-specific structs.
[53d92a324080]
|
|
||
Comment 22•5 years ago
|
||
Pushed by jjones@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/cdeda4226ef5 land NSS dc86215aea17 UPGRADE_NSS_RELEASE, r=kjacobs
|
|
||
Comment 23•5 years ago
|
||
| bugherder | ||
|
|
Assignee | |
Comment 24•5 years ago
|
||
2019-10-11 Kai Engert <kaie@kuix.de>
* automation/release/nspr-version.txt:
Bug 1583068 - Require NSPR version 4.23 r=jcj
[93245f5733b3] [NSS_3_47_BETA1]
2019-10-11 Kevin Jacobs <kjacobs@mozilla.com>
* coreconf/config.gypi, lib/freebl/freebl.gyp:
Bug 1152625 - Add gyp flag for disabling ARM HW AES r=jcj
Adds an option to disable ARMv8 HW AES, if `-Ddisable_arm_hw_aes=1`
is passed to build.sh.
Depends on D34473
[9abcea09fdd4]
2019-10-11 Makoto Kato <m_kato@ga2.so-net.ne.jp>
* lib/freebl/aes-armv8.c:
Bug 1152625 - Part 2. Remove __builtin_assume to avoid crash on PGO.
r=kjacobs,mt
`AESContext->iv` doesn't align to 16 bytes on PGO build, so we
should remove __builtin_assume. Also, I guess that `expandedKey` has
same problem.
[1b0f5c5335ee]
* lib/freebl/Makefile, lib/freebl/aes-armv8.c, lib/freebl/aes-armv8.h,
lib/freebl/freebl.gyp, lib/freebl/intel-aes.h,
lib/freebl/rijndael.c:
Bug 1152625 - Support AES HW acceleration on ARMv8. r=kjacobs,jcj
[efb895a43899]
2019-09-06 Martin Thomson <mt@lowentropy.net>
* gtests/ssl_gtest/ssl_auth_unittest.cc,
gtests/ssl_gtest/ssl_ciphersuite_unittest.cc,
gtests/ssl_gtest/ssl_extension_unittest.cc,
gtests/ssl_gtest/ssl_fuzz_unittest.cc,
gtests/ssl_gtest/tls_esni_unittest.cc, lib/ssl/ssl3con.c,
lib/ssl/ssl3exthandle.c, lib/ssl/sslimpl.h, lib/ssl/tls13con.c:
Bug 1549225 - Up front Signature Scheme validation, r=ueno
Summary: This patch started as an attempt to ensure that a DSA
signature scheme would not be advertised if we weren't willing to
negotiate versions less than TLS 1.3. Then I realized that we didn't
do the same for PKCS#1 RSA.
Then I realized that we were still willing to try to establish
connections when we had a certificate that we couldn't use.
Then I realized that ssl3_config_match_init() wasn't being run
consistently. On resumption, we only ran it when we were PARANOID.
That's silly because we weren't checking policies.
Then I realized that we were allowing ECDSA certificates to be used
when the named group in the certificate was disabled. We weren't
enforcing that consistently either. However, I also discovered that
the check we have wouldn't work without a tweak because in TLS 1.3
the named group is part of the signature scheme; the configured
named groups are only used prior to TLS 1.3 when selecting
ECDSA/ECDH certificates.
So that sounds like a lot of changes but what it boils down to is
more robust checking of the configuration prior to starting a
connection. As a result, we should be offering fewer options that
we're unwilling or unable to follow through on. A good number of
tests needed tweaking as a result because we were relying on getting
past the checks in those tests. No real problems were found as a
result; this just moves failures that might arise from
misconfiguration a little earlier in the process.
[9b418f0a4912]
2019-10-08 Kevin Jacobs <kjacobs@mozilla.com>
* gtests/pk11_gtest/pk11_der_private_key_import_unittest.cc,
lib/pk11wrap/pk11pk12.c:
Bug 1586947 - Store nickname during EC key import. r=jcj
This patch stores the nickname (if specified) during EC key import.
This was already done for all other key types.
[c319019aee75]
2019-10-08 Marcus Burghardt <mburghardt@mozilla.com>
* lib/certdb/stanpcertdb.c, lib/pk11wrap/pk11load.c,
lib/pki/pki3hack.c:
Bug 1586456 - Unnecessary conditional in pki3hack, pk11load and
stanpcertdb. r=jcj
Some conditionals that are always true were removed.
[b34061c3a377]
|
||
Comment 25•5 years ago
|
||
| bugherder | ||
|
|
Assignee | |
Comment 26•5 years ago
|
||
2019-10-15 J.C. Jones <jjones@mozilla.com>
* cmd/addbuiltin/addbuiltin.c:
Bug 1465613 - Fixup clang format a=bustage
[f657d65428c6] [NSS_3_47_BETA2]
2019-10-11 Marcus Burghardt <mburghardt@mozilla.com>
* automation/abi-check/expected-report-libnss3.so.txt, automation/abi-
check/expected-report-libsmime3.so.txt, automation/abi-check
/expected-report-libssl3.so.txt, cmd/addbuiltin/addbuiltin.c,
cmd/lib/secutil.c, gtests/softoken_gtest/manifest.mn,
gtests/softoken_gtest/softoken_gtest.gyp,
gtests/softoken_gtest/softoken_nssckbi_testlib_gtest.cc,
lib/certdb/certdb.c, lib/certdb/certt.h, lib/ckfw/builtins/README,
lib/ckfw/builtins/certdata.txt, lib/ckfw/builtins/manifest.mn,
lib/ckfw/builtins/nssckbi.h, lib/ckfw/builtins/testlib/Makefile,
lib/ckfw/builtins/testlib/builtins-testlib.gyp,
lib/ckfw/builtins/testlib/certdata-testlib.txt,
lib/ckfw/builtins/testlib/config.mk,
lib/ckfw/builtins/testlib/manifest.mn, lib/ckfw/builtins/testlib
/nssckbi-testlib.rc,
lib/ckfw/builtins/testlib/testcert_err_distrust.txt,
lib/ckfw/builtins/testlib/testcert_no_distrust.txt,
lib/ckfw/builtins/testlib/testcert_ok_distrust.txt,
lib/ckfw/manifest.mn, lib/nss/nss.def, lib/pki/pki3hack.c,
lib/softoken/sdb.c, lib/util/pkcs11n.h, nss.gyp, tests/cert/cert.sh:
Bug 1465613 - Created two new fields for scheduled distrust from
builtins and updated support commands. r=jcj,kjacobs,mt
Added two new fields do scheduled distrust of CAs in
nssckbi/builtins. Also, created a testlib to validate these fields
with gtests.
[52024949df95]
2019-10-14 Martin Thomson <martin.thomson@gmail.com>
* lib/ssl/tls13con.c:
Bug 1588557 - Fix debug statement, r=jcj
[0f563a2571c3]
2019-10-15 Dana Keeler <dkeeler@mozilla.com>
* gtests/mozpkix_gtest/pkixder_universal_types_tests.cpp,
lib/mozpkix/include/pkix/pkixder.h, lib/mozpkix/lib/pkixcert.cpp:
bug 1579060 - fix handling of issuerUniqueID and subjectUniqueID in
mozilla::pkix::BackCert r=jcj
According to RFC 5280, the definitions of issuerUniqueID and
subjectUniqueID in TBSCertificate are as follows:
issuerUniqueID [1] IMPLICIT UniqueIdentifier OPTIONAL,
subjectUniqueID [2] IMPLICIT UniqueIdentifier OPTIONAL,
where UniqueIdentifier is a BIT STRING.
IMPLICIT tags replace the tag of the underlying type. For these
fields, there is no specified class (just a tag number within the
class), and the underlying type of BIT STRING is "primitive" (i.e.
not constructed). Thus, the tags should be of the form CONTEXT
SPECIFIC | [number in class], which comes out to 0x81 and 0x82,
respectively.
When originally implemented, mozilla::pkix incorrectly required that
the CONSTRUCTED bit also be set for these fields. Consequently, the
library would reject any certificate that actually contained these
fields. Evidently such certificates are rare.
[c50f933d37a5]
2019-10-14 Deian Stefan <deian@cs.ucsd.edu>
* lib/softoken/pkcs11c.c:
Bug 1459141 - Rewrite softoken CBC pad check to be constant time.
r=kjacobs,jcj
[474d62c9d0db]
2019-10-11 J.C. Jones <jjones@mozilla.com>
* .hgtags:
Added tag NSS_3_47_BETA1 for changeset 93245f5733b3
[f60dbafbc182]
|
|
||
Comment 27•5 years ago
|
||
Pushed by jjones@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/3eb63c112f5a land NSS NSS_3_47_BETA2 UPGRADE_NSS_RELEASE, r=kjacobs
|
|
Assignee | |
Comment 28•5 years ago
|
||
|
||
Updated•5 years ago
|
Attachment #9101457 -
Attachment description: Backed out changeset 3eb63c112f5a (Bug 1577822) for breaking WebAuthn mochitests → Backed out changeset 3eb63c112f5a (Bug 1577822) for breaking WebAuthn mochitests UPGRADE_NSS_RELEASE
|
|
||
Comment 29•5 years ago
|
||
Backout by jjones@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/d82198f74526 Backed out changeset 3eb63c112f5a for breaking WebAuthn mochitests UPGRADE_NSS_RELEASE
|
|
Assignee | |
Comment 30•5 years ago
|
||
2019-10-16 J.C. Jones <jjones@mozilla.com>
* lib/softoken/pkcs11c.c:
Bug 1459141 - Backed out changeset 474d62c9d0db for PK11_Wrap/Unwrap
issues r=me
[f10c3e0757b7] [NSS_3_47_BETA3]
2019-10-15 J.C. Jones <jjones@mozilla.com>
* .hgtags:
Added tag NSS_3_47_BETA2 for changeset f657d65428c6
[3ca8b20b24ee]
* cmd/addbuiltin/addbuiltin.c:
Bug 1465613 - Fixup clang format a=bustage
[f657d65428c6] [NSS_3_47_BETA2]
2019-10-11 Marcus Burghardt <mburghardt@mozilla.com>
* automation/abi-check/expected-report-libnss3.so.txt, automation/abi-
check/expected-report-libsmime3.so.txt, automation/abi-check
/expected-report-libssl3.so.txt, cmd/addbuiltin/addbuiltin.c,
cmd/lib/secutil.c, gtests/softoken_gtest/manifest.mn,
gtests/softoken_gtest/softoken_gtest.gyp,
gtests/softoken_gtest/softoken_nssckbi_testlib_gtest.cc,
lib/certdb/certdb.c, lib/certdb/certt.h, lib/ckfw/builtins/README,
lib/ckfw/builtins/certdata.txt, lib/ckfw/builtins/manifest.mn,
lib/ckfw/builtins/nssckbi.h, lib/ckfw/builtins/testlib/Makefile,
lib/ckfw/builtins/testlib/builtins-testlib.gyp,
lib/ckfw/builtins/testlib/certdata-testlib.txt,
lib/ckfw/builtins/testlib/config.mk,
lib/ckfw/builtins/testlib/manifest.mn, lib/ckfw/builtins/testlib
/nssckbi-testlib.rc,
lib/ckfw/builtins/testlib/testcert_err_distrust.txt,
lib/ckfw/builtins/testlib/testcert_no_distrust.txt,
lib/ckfw/builtins/testlib/testcert_ok_distrust.txt,
lib/ckfw/manifest.mn, lib/nss/nss.def, lib/pki/pki3hack.c,
lib/softoken/sdb.c, lib/util/pkcs11n.h, nss.gyp, tests/cert/cert.sh:
Bug 1465613 - Created two new fields for scheduled distrust from
builtins and updated support commands. r=jcj,kjacobs,mt
Added two new fields do scheduled distrust of CAs in
nssckbi/builtins. Also, created a testlib to validate these fields
with gtests.
[52024949df95]
2019-10-14 Martin Thomson <martin.thomson@gmail.com>
* lib/ssl/tls13con.c:
Bug 1588557 - Fix debug statement, r=jcj
[0f563a2571c3]
2019-10-15 Dana Keeler <dkeeler@mozilla.com>
* gtests/mozpkix_gtest/pkixder_universal_types_tests.cpp,
lib/mozpkix/include/pkix/pkixder.h, lib/mozpkix/lib/pkixcert.cpp:
bug 1579060 - fix handling of issuerUniqueID and subjectUniqueID in
mozilla::pkix::BackCert r=jcj
According to RFC 5280, the definitions of issuerUniqueID and
subjectUniqueID in TBSCertificate are as follows:
issuerUniqueID [1] IMPLICIT UniqueIdentifier OPTIONAL,
subjectUniqueID [2] IMPLICIT UniqueIdentifier OPTIONAL,
where UniqueIdentifier is a BIT STRING.
IMPLICIT tags replace the tag of the underlying type. For these
fields, there is no specified class (just a tag number within the
class), and the underlying type of BIT STRING is "primitive" (i.e.
not constructed). Thus, the tags should be of the form CONTEXT
SPECIFIC | [number in class], which comes out to 0x81 and 0x82,
respectively.
When originally implemented, mozilla::pkix incorrectly required that
the CONSTRUCTED bit also be set for these fields. Consequently, the
library would reject any certificate that actually contained these
fields. Evidently such certificates are rare.
[c50f933d37a5]
2019-10-14 Deian Stefan <deian@cs.ucsd.edu>
* lib/softoken/pkcs11c.c:
Bug 1459141 - Rewrite softoken CBC pad check to be constant time.
r=kjacobs,jcj
[474d62c9d0db]
2019-10-11 J.C. Jones <jjones@mozilla.com>
* .hgtags:
Added tag NSS_3_47_BETA1 for changeset 93245f5733b3
[f60dbafbc182]
|
|
||
Comment 31•5 years ago
|
||
Pushed by jjones@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/98e9a37281b0 land NSS NSS_3_47_BETA3 UPGRADE_NSS_RELEASE, r=kjacobs
|
||
Comment 32•5 years ago
|
||
| bugherder | ||
|
|
Assignee | |
Comment 33•5 years ago
|
||
2019-10-18 Deian Stefan <deian@cs.ucsd.edu>
* lib/softoken/pkcs11c.c:
Bug 1459141 - Rewrite softoken CBC pad check to be constant
r=jcj,kjacobs
[d3c8638f85cd] [NSS_3_47_BETA4]
2019-10-17 Kevin Jacobs <kjacobs@mozilla.com>
* gtests/pk11_gtest/pk11_cbc_unittest.cc:
Bug 1589120 - Additional test vectors for CBC padding. r=jcj
This patch adds more test vectors for AES-CBC and 3DES-CBC padding.
[7f17b911ac99]
* gtests/pk11_gtest/manifest.mn,
gtests/pk11_gtest/pk11_aeskeywrappad_unittest.cc,
gtests/pk11_gtest/pk11_gtest.gyp:
Bug 1589120 - Tests for padded AES key wrap r=jcj
This patch adds test vectors for padded AES Key Wrap. AES-CBC and
3DES-CBC ports of the same vectors will be included in a separate
revision.
[fb4d9b6ea2c4]
2019-10-16 Kevin Jacobs <kjacobs@mozilla.com>
* gtests/ssl_gtest/tls_agent.cc, gtests/ssl_gtest/tls_agent.h,
gtests/ssl_gtest/tls_subcerts_unittest.cc, lib/ssl/ssl3con.c,
lib/ssl/sslimpl.h, lib/ssl/tls13subcerts.c,
tests/common/certsetup.sh, tests/ssl_gtests/ssl_gtests.sh:
Bug 1588244 - SSLExp_DelegateCredential to support 'rsaEncryption'
end-entity certs with default scheme override r=mt
If an end-entity cert has an SPKI type of 'rsaEncryption', override
the DC alg to be `ssl_sig_rsa_pss_rsae_sha256`.
[93383e0fb833]
2019-10-16 J.C. Jones <jjones@mozilla.com>
* .hgtags:
Added tag NSS_3_47_BETA3 for changeset f10c3e0757b7
[fa8a67bee2dc]
|
|
||
Comment 34•5 years ago
|
||
Pushed by jjones@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/27bbc1fba015 land NSS NSS_3_47_BETA4 UPGRADE_NSS_RELEASE, r=kjacobs
|
||
Comment 35•5 years ago
|
||
| bugherder | ||
|
|
Assignee | |
Comment 36•5 years ago
|
||
2019-10-18 J.C. Jones <jjones@mozilla.com>
* lib/nss/nss.h, lib/softoken/softkver.h, lib/util/nssutil.h:
Set version numbers to 3.47 final
[7ccb4ade5577] [NSS_3_47_RTM] <NSS_3_47_BRANCH>
* .hgtags:
Added tag NSS_3_47_BETA4 for changeset d3c8638f85cd
[d5bd7be1bf2a]
|
|
Assignee | |
Updated•5 years ago
|
Keywords: leave-open
|
|
||
Updated•5 years ago
|
Attachment #9101434 -
Attachment is obsolete: true
|
|
||
Comment 37•5 years ago
|
||
Pushed by jjones@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/55441e5aee45 land NSS NSS_3_47_RTM UPGRADE_NSS_RELEASE, r=kjacobs
|
||
Comment 38•5 years ago
|
||
| bugherder | ||
Status: ASSIGNED → RESOLVED
Closed: 5 years ago
status-firefox71:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla71
|
||
Updated•4 months ago
|
Blocks: nss-uplift
You need to log in
before you can comment on or make changes to this bug.
Description
•