1. 13 May, 2019 1 commit
  2. 15 May, 2019 1 commit
  3. 14 May, 2019 1 commit
  4. 13 May, 2019 1 commit
  5. 03 May, 2019 1 commit
  6. 02 May, 2019 4 commits
  7. 10 Sep, 2018 1 commit
    • Bug 1487597 - Improve 0-RTT data delivery, r=ekr · e81e0639
      Martin Thomson authored
      Summary:
      This improves the code that delivers 0-RTT.  When the caller provided a read
      buffer too small to hold an entire record, the previous code reported errors.
      Those errors might cause the connection to be dropped by the caller, but the
      socket was still usable.  If the socket was used again, there would be a gap in
      the stream.
      
      This fixes that bug and adds a bunch of tests around 0-RTT delivery.  More tests
      check the order of operations.
      
      For instance, in TLS, we strictly maintain ordering between 0-RTT data delivery
      and handshake completion.  That is not the case for DTLS, where this allows
      0-RTT records that arrive before the handshake completes to be read afterwards.
      We do drop keys as soon as we see EndOfEarlyData (this is going away for DTLS,
      so I assume Certificate/Finished will be the trigger eventually).  The tests
      added here confirm that late arrival causes 0-RTT to be dropped.  Another test
      confirms that any early arrival that is only read late will be delivered.
      
      Reviewers: ekr
      
      Subscribers: mt, ekr
      
      Tags: #secure-revision, PHID-PROJ-ffhf7tdvqze7zrdn6dh3
      
      Bug #: 1487597
      
      Differential Revision: https://phabricator.services.mozilla.com/D4736
      
      --HG--
      extra : rebase_source : 540d790d678828a155457e9d0f5a3e34527391c0
      extra : amend_source : 3856c989ac5b323d6683d33304fa8887d6fd7ac0
  8. 01 May, 2019 1 commit
  9. 29 Apr, 2019 1 commit
    • Bug 1543545 - Option to produce static libraries, r=kevinjacobs · 5e56bd97
      Martin Thomson authored
      Summary:
      The fine folks in application services would like to use NSS, but would greatly
      prefer static linking.  Part of that is driven by iOS constraints on performance
      and a possible rejection from the store for dynamic linking (NSS dynamically
      loads softoken).  This provides a build option that produces a fully statically
      linked set of libraries.
      
      Reviewers: KevinJacobs
      
      Tags: #secure-revision
      
      Bug #: 1543545
      
      Differential Revision: https://phabricator.services.mozilla.com/D29303
      
      --HG--
      extra : rebase_source : 8d75b17776ecde38c7350cf70946e0221349e01f
  10. 11 Mar, 2019 1 commit
    • Bug 1534468 - Expose ChaCha20 primitive through PKCS#11, r=ekr · e9fdd32d
      Martin Thomson authored
      Summary:
      This adds a "CTR" mode for ChaCha20.  This takes a composite 16 octet "IV",
      which is internally decomposed into a nonce and counter.
      
      This operates like a CTR mode cipher on arbitrary input, up to the ChaCha20
      limit of 2^32 x 64 octet blocks.  The counter provided is a starting counter and
      it is incremented if more than 64 octets of input are provided.
      
      Reviewers: ekr
      
      Tags: #secure-revision
      
      Bug #: 1534468
      
      Differential Revision: https://phabricator.services.mozilla.com/D23060
      
      --HG--
      extra : rebase_source : 64ebd50bab6111d980569d5127882aa2c8444507
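The "CTR" mode the commit above describes, as an added Python example rather than NSS code: the composite 16-octet IV is split into a 32-bit block counter and a 12-octet nonce (the little-endian counter-first layout, and refusing a call that would run past 2^32 blocks instead of letting the counter wrap, are this example's assumptions), the counter advances once per 64-octet block, and the RFC 8439 test vectors are used to check the primitive.

```python
import struct

MASK32 = 0xFFFFFFFF
CHACHA20_MAX_BLOCKS = 1 << 32   # the block counter is a single 32-bit state word


def _rotl32(v, n):
    return ((v << n) | (v >> (32 - n))) & MASK32


def _quarter_round(s, a, b, c, d):
    # RFC 8439 section 2.1, applied in place on the 16-word state
    s[a] = (s[a] + s[b]) & MASK32; s[d] = _rotl32(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = _rotl32(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK32; s[d] = _rotl32(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = _rotl32(s[b] ^ s[c], 7)


def chacha20_block(key, counter, nonce):
    """Return one 64-octet keystream block (RFC 8439 section 2.3)."""
    state = list(struct.unpack("<4L", b"expand 32-byte k"))   # words 0..3: constants
    state += struct.unpack("<8L", key)                        # words 4..11: key
    state.append(counter & MASK32)                            # word 12: block counter
    state += struct.unpack("<3L", nonce)                      # words 13..15: nonce
    working = list(state)
    for _ in range(10):   # 20 rounds = 10 double rounds
        _quarter_round(working, 0, 4, 8, 12)   # column rounds
        _quarter_round(working, 1, 5, 9, 13)
        _quarter_round(working, 2, 6, 10, 14)
        _quarter_round(working, 3, 7, 11, 15)
        _quarter_round(working, 0, 5, 10, 15)  # diagonal rounds
        _quarter_round(working, 1, 6, 11, 12)
        _quarter_round(working, 2, 7, 8, 13)
        _quarter_round(working, 3, 4, 9, 14)
    return struct.pack("<16L", *((w + s) & MASK32 for w, s in zip(working, state)))


def split_ctr_iv(iv):
    """Decompose the composite 16-octet "IV" into (counter, nonce).

    Layout assumed by this example: a 4-octet little-endian block counter
    followed by the 12-octet nonce, mirroring state words 12..15."""
    if len(iv) != 16:
        raise ValueError("ChaCha20 CTR IV must be 16 octets")
    (counter,) = struct.unpack("<L", iv[:4])
    return counter, iv[4:]


def chacha20_ctr(key, iv, data):
    """XOR data with the ChaCha20 keystream starting at the counter carried in iv.

    The counter advances once per 64-octet block; the call is refused if it
    would run past the 2^32-block limit rather than letting the counter wrap."""
    if len(key) != 32:
        raise ValueError("ChaCha20 key must be 32 octets")
    counter, nonce = split_ctr_iv(iv)
    nblocks = (len(data) + 63) // 64
    if counter + nblocks > CHACHA20_MAX_BLOCKS:
        raise ValueError("input exceeds the ChaCha20 limit of 2^32 blocks from this counter")
    out = bytearray()
    for i in range(nblocks):
        keystream = chacha20_block(key, counter + i, nonce)
        chunk = data[i * 64:(i + 1) * 64]
        out += bytes(p ^ k for p, k in zip(chunk, keystream))
    return bytes(out)


# Test vectors from RFC 8439 sections 2.3.2 (block) and 2.4.2 (encryption).
RFC8439_KEY = bytes(range(32))
RFC8439_PLAINTEXT = (b"Ladies and Gentlemen of the class of '99: If I could offer you "
                     b"only one tip for the future, sunscreen would be it.")


def rfc8439_self_check():
    """True when the block function and the CTR stream match the RFC 8439 vectors."""
    block = chacha20_block(RFC8439_KEY, 1, bytes.fromhex("000000090000004a00000000"))
    block_ok = block[:16].hex() == "10f1e7e4d13b5915500fdd1fa32071c4"
    iv = struct.pack("<L", 1) + bytes.fromhex("000000000000004a00000000")   # counter 1, nonce
    ct = chacha20_ctr(RFC8439_KEY, iv, RFC8439_PLAINTEXT)
    stream_ok = ct[:16].hex() == "6e2e359a2568f98041ba0728dd0d6981"
    return block_ok and stream_ok


if __name__ == "__main__":
    print("RFC 8439 vectors:", "ok" if rfc8439_self_check() else "MISMATCH")
```

Because the counter is part of the IV, a caller that reuses an IV with the same key reuses keystream, exactly as with any CTR mode; the limit check only guards the block-count bound the commit message states, not nonce management.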
  11. 08 Apr, 2019 3 commits
  12. 29 Mar, 2019 1 commit
  13. 08 Mar, 2019 1 commit
  14. 23 Mar, 2019 1 commit
  15. 28 Feb, 2019 1 commit
    • Bug 1531236 - Accessor for certificate DER, r=jcj · b7b584f9
      Martin Thomson authored
      Summary:
      Forgot to put this up.  This will make the neqo wrapper considerably more
      hygienic.  Having to explode the entire CERTCertificate struct (which is public
      and never should have been) into the FFI is a complete disaster.  Better to
      treat it as opaque and use an accessor function.
      
      Reviewers: jcj
      
      Tags: #secure-revision
      
      Bug #: 1531236
      
      Differential Revision: https://phabricator.services.mozilla.com/D24129
      
      --HG--
      extra : rebase_source : cc0c75ba0153307ae7138ae6cf1953e3584f8345
  16. 20 Mar, 2019 1 commit
  17. 14 Mar, 2019 1 commit
    • Bug 1529813 - Expose Hkdf-Expand-Label with mechanism, r=ekr · ed5e4c29
      Martin Thomson authored
      Summary:
      It turns out that leaf keys sometimes need to be exposed with different
      mechanisms and sizes.  The default function provides something good enough for
      use with the AEAD functions that were exposed, but if you want to use the key
      directly, that isn't enough.  So here we are: new arguments for specifying the
      mechanism and key size are needed.
      
      Reviewers: ekr
      
      Tags: #secure-revision
      
      Bug #: 1529813
      
      Differential Revision: https://phabricator.services.mozilla.com/D23596
      
      --HG--
      extra : rebase_source : e674a113ae3748f45bd7efbf142b7b3ab7b03273
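The HKDF-Expand-Label construction behind the commit above, as an added Python example and not NSS code: the TLS 1.3 HkdfLabel encoding (RFC 8446 section 7.1) is built over RFC 5869 HKDF, and the leaf key length is chosen by the requested mechanism. The `KEY_SIZES` table and the `derive_traffic_keys` helper are this example's own (NSS keys the choice off PKCS#11 mechanisms, not these strings); the RFC 5869 test case 1 vectors check the HKDF core. Because the output length is part of the HkdfLabel, asking for a 16-octet key does not give you a prefix of the 32-octet key for the same label, which is why the size has to be an explicit argument rather than something truncated afterwards.

```python
import hashlib
import hmac
import struct


def hkdf_extract(salt, ikm, hash_name):
    """HKDF-Extract (RFC 5869): PRK = HMAC-Hash(salt, IKM)."""
    return hmac.new(salt, ikm, hash_name).digest()


def hkdf_expand(prk, info, length, hash_name):
    """HKDF-Expand (RFC 5869): T(i) = HMAC-Hash(PRK, T(i-1) || info || i), concatenated."""
    hash_len = hashlib.new(hash_name).digest_size
    if length > 255 * hash_len:
        raise ValueError("HKDF-Expand length exceeds 255 * HashLen")
    okm, t, i = b"", b"", 1
    while len(okm) < length:
        t = hmac.new(prk, t + info + bytes([i]), hash_name).digest()
        okm += t
        i += 1
    return okm[:length]


def hkdf_label(label, context, length):
    """Serialize the TLS 1.3 HkdfLabel struct (RFC 8446 section 7.1):
    uint16 length; opaque label<7..255> = "tls13 " + Label; opaque context<0..255>."""
    full = b"tls13 " + label
    if not 7 <= len(full) <= 255 or len(context) > 255:
        raise ValueError("label or context length out of range")
    return (struct.pack(">H", length) + bytes([len(full)]) + full
            + bytes([len(context)]) + context)


def hkdf_expand_label(secret, label, context, length, hash_name):
    """HKDF-Expand-Label(Secret, Label, Context, Length) = HKDF-Expand(Secret, HkdfLabel, Length)."""
    return hkdf_expand(secret, hkdf_label(label, context, length), length, hash_name)


# Hypothetical mechanism table for this example; NSS selects by PKCS#11 CKM_* mechanism.
# The point it captures: the mechanism, not the hash, fixes the leaf key size.
KEY_SIZES = {"aes-128-gcm": 16, "aes-256-gcm": 32, "chacha20-poly1305": 32}


def derive_traffic_keys(traffic_secret, hash_name, mechanism):
    """Derive the record-protection key and IV from a traffic secret (RFC 8446 7.3).

    hash_name must be the cipher suite's KDF hash; the key length comes from the
    mechanism, while the IV is always 12 octets for the AEADs listed above."""
    key_len = KEY_SIZES[mechanism]
    return {
        "key": hkdf_expand_label(traffic_secret, b"key", b"", key_len, hash_name),
        "iv": hkdf_expand_label(traffic_secret, b"iv", b"", 12, hash_name),
    }


if __name__ == "__main__":
    # Constructed secret, not a real TLS traffic secret.
    secret = bytes(range(32))
    for mech in KEY_SIZES:
        keys = derive_traffic_keys(secret, "sha256", mech)
        print(mech, keys["key"].hex(), keys["iv"].hex())
```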
  18. 13 Mar, 2019 1 commit
  19. 10 Dec, 2018 1 commit
  20. 26 Feb, 2019 1 commit
  21. 21 Feb, 2019 1 commit
  22. 23 Feb, 2019 1 commit
  23. 22 Feb, 2019 2 commits
  24. 17 Feb, 2019 1 commit
  25. 21 Feb, 2019 1 commit
  26. 20 Feb, 2019 2 commits
    • Bug 1471126 - Fix return codes from SSL_ForceHandshake and SSL_RecordLayerData, r=ekr · f353fbee
      Martin Thomson authored
      Summary:
      Turns out that there were two errors that made my life using SSL_RecordLayerData hard:
      
      * SSL_ForceHandshake was returning SECFailure/PR_WOULD_BLOCK_ERROR when the record layer was replaced, even when the handshake was complete.  This was being obscured in the tests by the fact that we mark sockets as complete through both the callback and SSL_ForceHandshake.  I didn't change that aspect of the tests because different tests rely on that being the case.  I don't have a good strategy for dealing with that, but I will continue to think on it.
      
      * SSL_RecordLayerData was returning SECFailure/PR_WOULD_BLOCK_ERROR when it succeeded, but the AuthCertificate callback blocked.  The contract for SSL_RecordLayerData is that it returns SECSuccess always.  I had explicitly ignored this error in tests, which was just a mistake.
      
      Reviewers: ekr
      
      Tags: #secure-revision
      
      Bug #: 1471126
      
      Differential Revision: https://phabricator.services.mozilla.com/D20528
      
      --HG--
      extra : rebase_source : a5296d4a0bb93b77e5340b13801ec7eb280c2934
      extra : amend_source : 5bf0d8e33c6509229de467343cdd9fdef5144f52
    • Bug 1471970, add support for post-handshake authentication, r=mt · b73a7bd4
      Daiki Ueno authored
      Summary: This adds handling of the post_handshake_auth extension in CH and exposes tls13_SendCertificateRequest as an experimental API. For practical use, it might need another function that checks if the post_handshake_auth extension is received.
      
      Reviewers: mt
      
      Reviewed By: mt
      
      Bug #: 1471970
      
      Differential Revision: https://phabricator.services.mozilla.com/D14154
      
      --HG--
      extra : amend_source : 537d0155477340f2457fb63b88cdf1531c3005f9
  27. 23 Oct, 2018 1 commit
    • Bug 1471126 - Provide extra information needed to use record layer separation, r=ekr · c88db179
      Martin Thomson authored
      This started as an attempt to remove the cipher spec update callback we use for
      testing.  Using the new, public secrets interface should be better for that.
      
      In doing so, it became apparent that we needed more interfaces to NSS to support
      the use of these secrets.  In particular:
      
      1. We need to know what the KDF hash function is for a given cipher suite.  This
         allows users of the secret to use the right hash function.
      
      2. We need to know what cipher spec was picked when sending 0-RTT.  NSS
         currently doesn't expose that information.  (When receiving 0-RTT you can
         safely assume that the negotiated cipher suite is good to use.)
      
      3. We need to know what epoch NSS is currently using.  Otherwise, we can't be
         sure which epoch to feed it.  Data from a good epoch is saved, whereas data
         from a bad epoch is lost, so applications need to know.
      
      So this patch adds these functions to the appropriate info functions and uses
      that information in tests to remove and re-add protection.
      
      The test changes are considerable.  The main effect of the changes is to rely on
      the new functions for managing secrets, rather than the old interface.  But with
      the changes in the other CLs for this bug, secrets appear before they are used,
      which complicates things considerably.  For that, I've moved more logic into the
      TlsCipherSpec class, which now tracks per-epoch state, like sequence numbers and
      record drops.
      
      Trial decryption (yep) is used to identify the right cipher spec every time when
      decrypting, so tests are no longer tolerant of failures to decrypt.  It's no
      longer possible to have a test enable decryption and pass when decryption fails;
      this is particularly true for some parameterized tests that assumed it was OK to
      enable decryption even for TLS 1.2 and earlier.
      
      --HG--
      extra : rebase_source : 4d5a752d0b9837db2ddee9cef481ed7fb588b62d
      extra : amend_source : 2559f37290e31c70a4591b11f30b84f5640c86e7
      extra : source : 6d5ddd89089058ed7be42a17d92e195a31aec46e
      extra : histedit_source : aa847484ab6b1826d1494052b20f29a2136a3644
  28. 17 Feb, 2019 2 commits
  29. 08 Nov, 2018 1 commit
  30. 12 Feb, 2019 1 commit
  31. 07 Feb, 2019 1 commit
  32. 05 Feb, 2019 1 commit