Closed Bug 1758579 Opened 2 years ago Closed 2 years ago

Upgrade Firefox 100 to use NSS 3.77

Categories: Core :: Security: PSM, task, P1
Firefox 100, task

Tracking Status: RESOLVED FIXED; firefox100 --- affected

People: Reporter: jschanck, Assigned: jschanck

References: Blocks 1 open bug

Details: Whiteboard: [nss-fx]

Attachments: 3 files, 1 obsolete file
No description provided.
Pushed by dkeeler@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/6e0c4ad5799d
land NSS be8a62f85be7 UPGRADE_NSS_RELEASE, r=keeler

2022-03-24 John M. Schanck <jschanck@mozilla.com>

* lib/ckfw/builtins/certdata.txt:
Bug 1754890 - Add two D-TRUST 2020 root certificates.
r=KathleenWilson

Depends on D141920

[f63fb86db692] [tip]

* lib/ckfw/builtins/certdata.txt:
Bug 1751298 - Add Telia Root CA v2 root certificate.
r=KathleenWilson

Depends on D141919

[1fcbbd7e4f5f]

* lib/ckfw/builtins/certdata.txt:
Bug 1751305 - Remove expired explicitly distrusted certificates from
certdata.txt. r=KathleenWilson

[b722e523d662]

2022-03-23 Dana Keeler <dkeeler@mozilla.com>

* gtests/mozpkix_gtest/pkixcheck_CheckSignatureAlgorithm_tests.cpp,
gtests/mozpkix_gtest/pkixder_pki_types_tests.cpp,
gtests/mozpkix_gtest/pkixgtest.h,
gtests/mozpkix_gtest/pkixnss_tests.cpp,
lib/mozpkix/include/pkix/pkixder.h,
lib/mozpkix/include/pkix/pkixnss.h,
lib/mozpkix/include/pkix/pkixtypes.h, lib/mozpkix/lib/pkixc.cpp,
lib/mozpkix/lib/pkixcheck.cpp, lib/mozpkix/lib/pkixder.cpp,
lib/mozpkix/lib/pkixnss.cpp, lib/mozpkix/lib/pkixverify.cpp,
lib/mozpkix/test-lib/pkixtestnss.cpp:
Bug 1005084 - support specific RSA-PSS parameters in mozilla::pkix
r=jschanck

This patch adds support to mozilla::pkix for certificates signed
with RSA-PSS using one of the following parameters permitted by the
CA/Browser Forum Baseline Requirements 1.8.1:

* SHA-256, MGF-1 with SHA-256, and a salt length of 32 bytes
* SHA-384, MGF-1 with SHA-384, and a salt length of 48 bytes
* SHA-512, MGF-1 with SHA-512, and a salt length of 64 bytes

[853b64626b19]
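As an added illustration of the parameter check this commit message describes (example code written here, not code from NSS or mozilla::pkix, whose implementation is C++ and differs), the following Python decodes the RSASSA-PSS-params structure of RFC 4055 and accepts only the three (hash, MGF-1 hash, salt length) combinations listed above, rejecting any trailerField other than 1, the only value RFC 4055 permits. The DER reader, the small encoder used to build inputs, and the sample inputs themselves are all constructed for this example; the OIDs are the standard ones for SHA-2, SHA-1 and MGF-1.

```python
"""RSASSA-PSS-params (RFC 4055) decoder with a CA/B Forum BR 1.8.1 allow-list check.
Hand-written DER handling and constructed test inputs; no NSS dependency."""

SHA1 = "1.3.14.3.2.26"
SHA256 = "2.16.840.1.101.3.4.2.1"
SHA384 = "2.16.840.1.101.3.4.2.2"
SHA512 = "2.16.840.1.101.3.4.2.3"
MGF1 = "1.2.840.113549.1.1.8"

# (hashAlgorithm, MGF-1 hash, saltLength) triples permitted by BR 1.8.1
PERMITTED = {(SHA256, SHA256, 32), (SHA384, SHA384, 48), (SHA512, SHA512, 64)}


def _read_tlv(buf, pos):
    """Read one DER TLV starting at pos; return (tag, value, position after it)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("bad length encoding")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated value")
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(raw):
    """Decode OID content octets to dotted form."""
    if not raw:
        raise ValueError("empty OID")
    arcs, v = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        v = (v << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(v)
            v = 0
    return ".".join(map(str, arcs))


def _algorithm_identifier(der):
    """AlgorithmIdentifier ::= SEQUENCE { algorithm OID, parameters ANY OPTIONAL }"""
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected a single SEQUENCE")
    otag, oid, pos = _read_tlv(body, 0)
    if otag != 0x06:
        raise ValueError("expected OID")
    return _decode_oid(oid), body[pos:]


def _hash_oid(der):
    """Hash AlgorithmIdentifier: parameters must be absent or NULL."""
    oid, params = _algorithm_identifier(der)
    if params not in (b"", b"\x05\x00"):
        raise ValueError("unexpected hash parameters")
    return oid


def parse_pss_params(der):
    """Decode RSASSA-PSS-params, applying the RFC 4055 defaults for absent fields."""
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected RSASSA-PSS-params SEQUENCE")
    out = {"hash": SHA1, "mgf_hash": SHA1, "salt_len": 20, "trailer": 1}
    pos, last = 0, -1
    while pos < len(body):
        tag, val, pos = _read_tlv(body, pos)
        if (tag & 0xE0) != 0xA0:           # explicit [n] tags are context-specific, constructed
            raise ValueError("expected explicit context tag")
        idx = tag & 0x1F
        if idx <= last:                    # DER: fields in order, none repeated
            raise ValueError("fields out of order or duplicated")
        last = idx
        if idx == 0:
            out["hash"] = _hash_oid(val)
        elif idx == 1:
            oid, params = _algorithm_identifier(val)
            if oid != MGF1:
                raise ValueError("unsupported mask generation function")
            out["mgf_hash"] = _hash_oid(params)
        elif idx in (2, 3):
            itag, ival, _ = _read_tlv(val, 0)
            if itag != 0x02:
                raise ValueError("expected INTEGER")
            out["salt_len" if idx == 2 else "trailer"] = int.from_bytes(ival, "big", signed=True)
        else:
            raise ValueError("unknown field")
    return out


def is_permitted_pss(der):
    """True iff the parameters decode cleanly and match a BR 1.8.1 triple."""
    try:
        p = parse_pss_params(der)
    except (ValueError, IndexError):
        return False
    return p["trailer"] == 1 and (p["hash"], p["mgf_hash"], p["salt_len"]) in PERMITTED


# --- constructed test input: a minimal encoder for the same structure ---
def _tlv(tag, content):
    assert len(content) < 128              # short-form length suffices for these structures
    return bytes([tag, len(content)]) + content


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out += bytes(reversed(chunk))
    return _tlv(0x06, bytes(out))


def build_pss_params(hash_oid, mgf_hash_oid, salt_len):
    """Encode RSASSA-PSS-params with explicit hash, MGF-1 hash and salt length."""
    hash_alg = _tlv(0x30, _encode_oid(hash_oid) + b"\x05\x00")
    mgf_alg = _tlv(0x30, _encode_oid(MGF1) + _tlv(0x30, _encode_oid(mgf_hash_oid) + b"\x05\x00"))
    salt = _tlv(0x02, salt_len.to_bytes(salt_len.bit_length() // 8 + 1, "big"))
    return _tlv(0x30, _tlv(0xA0, hash_alg) + _tlv(0xA1, mgf_alg) + _tlv(0xA2, salt))
```

Note that an empty parameter SEQUENCE decodes to the RFC 4055 defaults (SHA-1, MGF-1 with SHA-1, salt 20) and is therefore rejected, as is a mismatch between the hash and the MGF-1 hash; a verifier that only looked at the outer signature OID would miss both.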

2022-03-23 John M. Schanck <jschanck@mozilla.com>

* lib/util/secasn1d.c:
Bug 1753535 - Remove obsolete stateEnd check in
SEC_ASN1DecoderUpdate. r=rrelyea

The `stateEnd->parent != state` check was added in Bug 95458 to
avoid a crash in `sec_asn1d_free_child`. The diagnosis in Bug 95458
is incorrect---the crash was actually due to a `PORT_Assert(0)` that
was meant to highlight a memory leak when `SEC_ASN1DecoderStart` was
called with `their_pool==NULL`. The offending assertion was removed
in Bug 95311, which makes the `stateEnd` check obsolete. In Bug
1753535 it was observed that the `stateEnd` check could read from a
poisoned region of an arena when the decoder was used in a streaming
mode. This read-after-poison could lead to an arena memory leak,
although this is mitigated by the fact that the read-after-poison is
on an error-handling path where the caller typically frees the
entire arena.

[800111fa3bf8]

* lib/dev/dev.h, lib/dev/devslot.c, lib/dev/devt.h,
lib/dev/devtoken.c, lib/pk11wrap/dev3hack.c:
Bug 1756271 - Remove token member from NSSSlot struct. r=rrelyea

[55052f78244c]

* cmd/mpitests/mpi-test.c, lib/freebl/Makefile, lib/freebl/dh.c,
lib/freebl/freebl_base.gypi, lib/freebl/manifest.mn,
lib/freebl/mpi/mpprime.c, lib/freebl/mpi/mpprime.h,
lib/freebl/pqg.c, lib/freebl/rsa.c, lib/freebl/secmpi.c,
lib/freebl/secmpi.h:
Bug 1602379 - Provide secure variants of mpp_pprime and
mpp_make_prime. r=mt

[b83ad33acd67]

2022-03-22 John M. Schanck <jschanck@mozilla.com>

* cmd/mpitests/mpi-test.c, lib/freebl/Makefile, lib/freebl/dh.c,
lib/freebl/freebl_base.gypi, lib/freebl/manifest.mn,
lib/freebl/mpi/mpprime.c, lib/freebl/mpi/mpprime.h,
lib/freebl/pqg.c, lib/freebl/rsa.c, lib/freebl/secmpi.c,
lib/freebl/secmpi.h:
Backed out changeset 6c1092f5203f

Caused Windows gyp build failures for cmd/mpitests
[ffa1e4ce758a]

2022-03-22 Masatoshi Kimura <VYV03354@nifty.ne.jp>

* gtests/pk11_gtest/pk11_module_unittest.cc, lib/pk11wrap/pk11load.c:
Bug 1757279 - Support UTF-8 library path in the module spec string.
r=nss-reviewers,jschanck

[31bce2dae97b]

* gtests/base_gtest/Makefile, gtests/base_gtest/base_gtest.gyp,
gtests/base_gtest/manifest.mn, gtests/base_gtest/utf8_unittest.cc,
gtests/manifest.mn, lib/base/utf8.c, nss.gyp,
tests/gtests/gtests.sh:
Bug 1396616 - Update nssUTF8_Length to RFC 3629 and fix buffer
overrun. r=nss-reviewers,jschanck

[2f2c85648edb]

2022-03-22 John M. Schanck <jschanck@mozilla.com>

* cmd/mpitests/mpi-test.c, lib/freebl/Makefile, lib/freebl/dh.c,
lib/freebl/freebl_base.gypi, lib/freebl/manifest.mn,
lib/freebl/mpi/mpprime.c, lib/freebl/mpi/mpprime.h,
lib/freebl/pqg.c, lib/freebl/rsa.c, lib/freebl/secmpi.c,
lib/freebl/secmpi.h:
Bug 1602379 - Provide secure variants of mpp_pprime and
mpp_make_prime. r=mt

[6c1092f5203f]

2022-03-22 Dennis Jackson <djackson@mozilla.com>

* automation/taskcluster/docker-builds/Dockerfile,
automation/taskcluster/graph/src/extend.js:
Bug 1760827 - Add a CI Target for gcc-11. r=nss-reviewers,nkulatova

Depends on D141764

[d4a3bb7731b0]

* automation/taskcluster/graph/src/extend.js:
Bug 1760828 - Change to makefiles for gcc-4.8. r=nss-reviewers,mt

Depends on D131425

[191e838399a6]

2022-03-22 J08nY <johny@neuromancer.sk>

* automation/taskcluster/graph/src/extend.js,
gtests/google_test/VERSION, gtests/google_test/gtest/CMakeLists.txt,
gtests/google_test/gtest/CONTRIBUTORS,
gtests/google_test/gtest/README.md,
gtests/google_test/gtest/cmake/gtest.pc.in,
gtests/google_test/gtest/cmake/gtest_main.pc.in,
gtests/google_test/gtest/cmake/internal_utils.cmake,
gtests/google_test/gtest/docs/Pkgconfig.md,
gtests/google_test/gtest/docs/README.md,
gtests/google_test/gtest/docs/advanced.md,
gtests/google_test/gtest/docs/faq.md,
gtests/google_test/gtest/docs/primer.md,
gtests/google_test/gtest/docs/pump_manual.md,
gtests/google_test/gtest/docs/samples.md,
gtests/google_test/gtest/include/gtest/gtest-death-test.h,
gtests/google_test/gtest/include/gtest/gtest-matchers.h,
gtests/google_test/gtest/include/gtest/gtest-message.h,
gtests/google_test/gtest/include/gtest/gtest-param-test.h,
gtests/google_test/gtest/include/gtest/gtest-printers.h,
gtests/google_test/gtest/include/gtest/gtest-spi.h,
gtests/google_test/gtest/include/gtest/gtest-test-part.h,
gtests/google_test/gtest/include/gtest/gtest-typed-test.h,
gtests/google_test/gtest/include/gtest/gtest.h,
gtests/google_test/gtest/include/gtest/gtest_pred_impl.h,
gtests/google_test/gtest/include/gtest/gtest_prod.h,
gtests/google_test/gtest/include/gtest/internal/custom/gtest-port.h,
gtests/google_test/gtest/include/gtest/internal/custom/gtest-
printers.h,
gtests/google_test/gtest/include/gtest/internal/custom/gtest.h,
gtests/google_test/gtest/include/gtest/internal/gtest-death-test-
internal.h, gtests/google_test/gtest/include/gtest/internal/gtest-
filepath.h, gtests/google_test/gtest/include/gtest/internal/gtest-
internal.h, gtests/google_test/gtest/include/gtest/internal/gtest-
param-util.h, gtests/google_test/gtest/include/gtest/internal/gtest-
port-arch.h, gtests/google_test/gtest/include/gtest/internal/gtest-
port.h, gtests/google_test/gtest/include/gtest/internal/gtest-
string.h, gtests/google_test/gtest/include/gtest/internal/gtest-
type-util.h, gtests/google_test/gtest/include/gtest/internal/gtest-
type-util.h.pump, gtests/google_test/gtest/samples/prime_tables.h,
gtests/google_test/gtest/samples/sample1.cc,
gtests/google_test/gtest/samples/sample1.h,
gtests/google_test/gtest/samples/sample10_unittest.cc,
gtests/google_test/gtest/samples/sample2.cc,
gtests/google_test/gtest/samples/sample2.h,
gtests/google_test/gtest/samples/sample2_unittest.cc,
gtests/google_test/gtest/samples/sample3-inl.h,
gtests/google_test/gtest/samples/sample3_unittest.cc,
gtests/google_test/gtest/samples/sample4.h,
gtests/google_test/gtest/samples/sample5_unittest.cc,
gtests/google_test/gtest/samples/sample6_unittest.cc,
gtests/google_test/gtest/samples/sample7_unittest.cc,
gtests/google_test/gtest/samples/sample8_unittest.cc,
gtests/google_test/gtest/samples/sample9_unittest.cc,
gtests/google_test/gtest/scripts/README.md,
gtests/google_test/gtest/scripts/gen_gtest_pred_impl.py,
gtests/google_test/gtest/scripts/pump.py,
gtests/google_test/gtest/scripts/release_docs.py,
gtests/google_test/gtest/scripts/run_with_path.py,
gtests/google_test/gtest/scripts/upload.py,
gtests/google_test/gtest/src/gtest-death-test.cc,
gtests/google_test/gtest/src/gtest-filepath.cc,
gtests/google_test/gtest/src/gtest-internal-inl.h,
gtests/google_test/gtest/src/gtest-matchers.cc,
gtests/google_test/gtest/src/gtest-port.cc,
gtests/google_test/gtest/src/gtest-printers.cc,
gtests/google_test/gtest/src/gtest-test-part.cc,
gtests/google_test/gtest/src/gtest-typed-test.cc,
gtests/google_test/gtest/src/gtest.cc,
gtests/google_test/gtest/src/gtest_main.cc,
gtests/google_test/gtest/test/BUILD.bazel,
gtests/google_test/gtest/test/googletest-catch-exceptions-test_.cc,
gtests/google_test/gtest/test/googletest-death-test-test.cc,
gtests/google_test/gtest/test/googletest-death-test_ex_test.cc,
gtests/google_test/gtest/test/googletest-env-var-test.py,
gtests/google_test/gtest/test/googletest-env-var-test_.cc,
gtests/google_test/gtest/test/googletest-failfast-unittest.py,
gtests/google_test/gtest/test/googletest-failfast-unittest_.cc,
gtests/google_test/gtest/test/googletest-filepath-test.cc,
gtests/google_test/gtest/test/googletest-filter-unittest_.cc,
gtests/google_test/gtest/test/googletest-global-environment-
unittest.py, gtests/google_test/gtest/test/googletest-global-
environment-unittest_.cc, gtests/google_test/gtest/test/googletest-
json-output-unittest.py, gtests/google_test/gtest/test/googletest-
list-tests-unittest_.cc, gtests/google_test/gtest/test/googletest-
listener-test.cc, gtests/google_test/gtest/test/googletest-message-
test.cc, gtests/google_test/gtest/test/googletest-options-test.cc,
gtests/google_test/gtest/test/googletest-output-test-golden-lin.txt,
gtests/google_test/gtest/test/googletest-output-test.py,
gtests/google_test/gtest/test/googletest-output-test_.cc,
gtests/google_test/gtest/test/googletest-param-test-invalid-
name1-test_.cc, gtests/google_test/gtest/test/googletest-param-test-
invalid-name2-test_.cc, gtests/google_test/gtest/test/googletest-
param-test-test.cc, gtests/google_test/gtest/test/googletest-param-
test-test.h, gtests/google_test/gtest/test/googletest-param-
test2-test.cc, gtests/google_test/gtest/test/googletest-port-
test.cc, gtests/google_test/gtest/test/googletest-printers-test.cc,
gtests/google_test/gtest/test/googletest-setuptestsuite-test.py,
gtests/google_test/gtest/test/googletest-setuptestsuite-test_.cc,
gtests/google_test/gtest/test/googletest-shuffle-test_.cc,
gtests/google_test/gtest/test/googletest-test-part-test.cc,
gtests/google_test/gtest/test/googletest-test2_test.cc,
gtests/google_test/gtest/test/googletest-throw-on-failure-test_.cc,
gtests/google_test/gtest/test/gtest-typed-test2_test.cc,
gtests/google_test/gtest/test/gtest-typed-test_test.cc,
gtests/google_test/gtest/test/gtest-typed-test_test.h,
gtests/google_test/gtest/test/gtest-unittest-api_test.cc,
gtests/google_test/gtest/test/gtest_assert_by_exception_test.cc,
gtests/google_test/gtest/test/gtest_environment_test.cc,
gtests/google_test/gtest/test/gtest_help_test.py,
gtests/google_test/gtest/test/gtest_list_output_unittest.py,
gtests/google_test/gtest/test/gtest_list_output_unittest_.cc,
gtests/google_test/gtest/test/gtest_pred_impl_unittest.cc,
gtests/google_test/gtest/test/gtest_premature_exit_test.cc,
gtests/google_test/gtest/test/gtest_repeat_test.cc,
gtests/google_test/gtest/test/gtest_skip_check_output_test.py,
gtests/google_test/gtest/test/gtest_skip_test.cc,
gtests/google_test/gtest/test/gtest_stress_test.cc,
gtests/google_test/gtest/test/gtest_test_utils.py,
gtests/google_test/gtest/test/gtest_throw_on_failure_ex_test.cc,
gtests/google_test/gtest/test/gtest_unittest.cc,
gtests/google_test/gtest/test/gtest_xml_outfiles_test.py,
gtests/google_test/gtest/test/gtest_xml_output_unittest.py,
gtests/google_test/gtest/test/gtest_xml_output_unittest_.cc,
gtests/google_test/gtest/test/gtest_xml_test_utils.py,
gtests/google_test/gtest/test/production.h,
gtests/google_test/update.sh,
gtests/ssl_gtest/ssl_agent_unittest.cc:
Bug 1741688 - Update googletest to 1.11.0 r=nss-reviewers,mt

[88249e154a23]

2022-03-22 Dennis Jackson <djackson@mozilla.com>

* gtests/ssl_gtest/tls_ech_unittest.cc, lib/ssl/ssl3con.c,
lib/ssl/sslexp.h, lib/ssl/sslimpl.h, lib/ssl/sslsock.c,
lib/ssl/tls13ech.c, lib/ssl/tls13ech.h:
Bug 1759525 - Add SetTls13GreaseEchSize to experimental API. r=mt

[c2f93669b92c]

2022-03-22 Leander Schwarz <lschwarz@mozilla.com>

* gtests/ssl_gtest/ssl_version_unittest.cc,
gtests/ssl_gtest/tls_filter.cc, gtests/ssl_gtest/tls_filter.h,
lib/ssl/tls13con.c:
Bug 1755264 - TLS 1.3 Illegal legacy_version handling/alerts.
r=djackson

[7d931c59d09f]

2022-03-22 Dennis Jackson <djackson@mozilla.com>

* lib/ssl/tls13ech.c:
Bug 1755904 - Fix calculation of ECH HRR Transcript. r=mt

[33c530e653b3]

2022-03-22 Zi Lin <lziest@chromium.org>

* coreconf/Linux.mk:
Bug 1758741 - Allow ld path to be set as environment variable. r=mt

Submitted on behalf of Zi Lin, the author of the patch.

[d9368381598f]

2022-03-22 Dennis Jackson <djackson@mozilla.com>

* gtests/ssl_gtest/tls_connect.cc:
Bug 1760653 - Ensure we don't read uninitialized memory in ssl
gtests. r=mt,nss-reviewers

[9a7b3c7f4e70]

* cpputil/databuffer.h:
Bug 1758478 - Fix DataBuffer Move Assignment. r=mt

[f12fd43d69c7]

2022-03-18 Robert Relyea <rrelyea@redhat.com>

* automation/abi-check/expected-report-libnss3.so.txt, automation/abi-
check/expected-report-libssl3.so.txt,
gtests/ssl_gtest/ssl_auth_unittest.cc, lib/certdb/cert.h,
lib/certdb/certdb.c, lib/nss/nss.def, lib/pk11wrap/pk11obj.c,
lib/pk11wrap/pk11pub.h, lib/ssl/authcert.c, lib/ssl/ssl.def,
lib/ssl/ssl.h, lib/ssl/ssl3con.c, lib/ssl/sslimpl.h,
lib/ssl/sslsock.c, lib/ssl/tls13con.c, lib/ssl/tls13subcerts.c,
mach, tests/ssl/ssl.sh, tests/ssl/sslauth.txt:
Bug 1552254 internal_error alert on Certificate Request with
sha1+ecdsa in TLS 1.3

We need to be able to select Client certificates based on the
schemes sent to us from the server. Rather than changing the
callback function, this patch adds those schemes to the ssl socket
info as suggested by Dana. In addition, two helpful functions have
been added to aid User applications in properly selecting the
Certificate:

 * PRBool SSL_CertIsUsable(PRFileDesc *fd, CERTCertificate *cert) -
returns true if the given cert matches the schemes of the server,
the schemes configured on the socket, the capability of the token
the private key resides on, and the current policy. For future SSL
protocols, additional restrictions may be parsed.
 * SSL_FilterCertListBySocket(PRFileDesc *fd, CERTCertList *certlist) -
removes the certs from the cert list that don't pass the
SSL_CertIsUsable() call.

In addition, the built-in cert selection function
(NSS_GetClientAuthData) uses the above functions to filter the list.
To support NSS_GetClientAuthData, three new functions have been
added:

 * SECStatus CERT_FilterCertListByNickname(CERTCertList *certList,
char *nickname, void *pwarg) -- removes the certs that don't match
the 'nickname'.
 * SECStatus CERT_FilterCertListByCertList(CERTCertList *certList,
const CERTCertList *filterList) -- removes all the certs on the first
cert list that aren't on the second.
 * PRBool CERT_IsInList(CERTCertificate *, const CERTCertList
*certList) -- returns true if cert is on certList.

In addition:
 * PK11_FindObjectForCert() is exported so the token the cert lives on
can be accessed.
 * the ssl ssl_PickClientSignatureScheme() function (along with
several supporting functions) has been modified so it can be used by
SSL_CertIsUsable()

[be6a97823bfe]
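The selection rules this commit message describes, sketched as an added Python model that is not NSS code: a certificate is usable only if some scheme the server advertised is also configured on the socket, is acceptable under local policy, and can actually be produced by the key and the token holding it. The scheme names are the RFC 8446 SignatureScheme identifiers; the `Policy` class with a minimum hash size and the per-cert `token_supports_pss` flag are stand-ins for NSS's policy and PKCS#11 capability checks, and the certificate records are constructed sample data. The `demo()` function reproduces the shape of the Bug 1552254 report, a TLS 1.3 CertificateRequest offering only sha1+ecdsa, and shows the filtered list coming back empty (send no certificate) rather than the handshake failing with internal_error.

```python
"""Model of NSS-style client-certificate filtering by TLS signature scheme.
Simplified illustration written for this page, not NSS code."""
from dataclasses import dataclass
from typing import List, Optional

HASH_BITS = {"sha1": 160, "sha256": 256, "sha384": 384, "sha512": 512}


@dataclass(frozen=True)
class ClientCert:
    nickname: str
    key_type: str                    # "rsa" or "ec"
    curve: Optional[str] = None      # EC keys only, e.g. "secp256r1"
    token_supports_pss: bool = True  # stand-in for the PKCS#11 token's RSA-PSS capability


@dataclass(frozen=True)
class Policy:
    min_hash_bits: int = 256         # stand-in for local policy, e.g. SHA-1 signatures disabled


def _split_scheme(scheme: str):
    """'ecdsa_secp256r1_sha256' -> ('ecdsa', 'secp256r1', 'sha256');
    'rsa_pss_rsae_sha256' -> ('rsa_pss_rsae', None, 'sha256'); 'ecdsa_sha1' -> ('ecdsa', None, 'sha1')."""
    head, hash_name = scheme.rsplit("_", 1)
    if head.startswith("ecdsa"):
        return "ecdsa", head[len("ecdsa_"):] or None, hash_name
    return head, None, hash_name


def scheme_usable(cert: ClientCert, scheme: str, tls13: bool, policy: Policy) -> bool:
    """Can this cert's key produce a CertificateVerify under `scheme` on this connection?"""
    family, curve, hash_name = _split_scheme(scheme)
    if HASH_BITS.get(hash_name, 0) < policy.min_hash_bits:
        return False                         # policy rejects the hash (covers the *_sha1 code points)
    if cert.key_type == "rsa":
        if family == "rsa_pss_rsae":
            return cert.token_supports_pss   # key is usable only if its token can sign RSA-PSS
        if family == "rsa_pkcs1":
            return not tls13                 # RFC 8446: no PKCS#1 v1.5 in TLS 1.3 CertificateVerify
        return False
    if cert.key_type == "ec":
        if family != "ecdsa":
            return False
        if tls13:                            # RFC 8446 binds curve and hash; legacy ecdsa_sha1 names no curve
            return curve is not None and curve == cert.curve
        return True                          # TLS 1.2: the ecdsa code points are not curve-specific
    return False


def usable_schemes(cert: ClientCert, server_schemes: List[str], socket_schemes: List[str],
                   tls13: bool, policy: Policy) -> List[str]:
    """Server-advertised schemes, intersected with the socket's configured ones, that this cert can sign with."""
    return [s for s in server_schemes
            if s in socket_schemes and scheme_usable(cert, s, tls13, policy)]


def cert_is_usable(cert, server_schemes, socket_schemes, tls13, policy) -> bool:
    return bool(usable_schemes(cert, server_schemes, socket_schemes, tls13, policy))


def filter_cert_list(certs, server_schemes, socket_schemes, tls13, policy) -> List[ClientCert]:
    """Drop every cert that cannot satisfy the peer; an empty result means 'send no certificate'."""
    return [c for c in certs if cert_is_usable(c, server_schemes, socket_schemes, tls13, policy)]


# Constructed sample data: a socket configured with a typical scheme list and four candidate certs.
SOCKET_SCHEMES = ["ecdsa_secp256r1_sha256", "ecdsa_secp384r1_sha384", "rsa_pss_rsae_sha256",
                  "rsa_pss_rsae_sha384", "rsa_pkcs1_sha256", "ecdsa_sha1", "rsa_pkcs1_sha1"]
CERTS = [
    ClientCert("rsa-hw-token", "rsa", token_supports_pss=False),
    ClientCert("rsa-soft", "rsa"),
    ClientCert("ec-p256", "ec", curve="secp256r1"),
    ClientCert("ec-p384", "ec", curve="secp384r1"),
]


def demo():
    """Bug 1552254 shape (TLS 1.3 request offering only ecdsa_sha1) next to an ordinary request."""
    policy = Policy()
    sha1_only = filter_cert_list(CERTS, ["ecdsa_sha1"], SOCKET_SCHEMES, True, policy)
    normal = filter_cert_list(CERTS, ["ecdsa_secp256r1_sha256", "rsa_pss_rsae_sha256",
                                      "rsa_pkcs1_sha256"], SOCKET_SCHEMES, True, policy)
    return [c.nickname for c in sha1_only], [c.nickname for c in normal]


if __name__ == "__main__":
    print(demo())
```

In the ordinary TLS 1.3 case the RSA key on a token without PSS support is filtered out along with the P-384 key, because neither has any scheme it can sign with; under TLS 1.2 both would pass, since rsa_pkcs1 is allowed there and the ecdsa code points do not name a curve.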

2022-03-24 John M. Schanck <jschanck@mozilla.com>

* lib/ckfw/builtins/certdata.txt:
Bug 1754890 - Add two D-TRUST 2020 root certificates.
r=KathleenWilson

Depends on D141920

[f63fb86db692] [NSS_3_77_BETA1]
Pushed by jschanck@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/8cf7b945601f
land NSS NSS_3_77_BETA1 UPGRADE_NSS_RELEASE, r=keeler
See Also: → 1761438
Pushed by jschanck@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/b17826577929
land NSS NSS_3_77_RTM UPGRADE_NSS_RELEASE, r=djackson
Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Attachment #9269211 - Attachment is obsolete: true