1. 19 Dec, 2018 1 commit
    • Bug 1514999 - Add wycheproof Curve25519 testcases to nss, r=franziskus · 69203eee
      Jonas Allmann authored
      Differential Revision: https://phabricator.services.mozilla.com/D14843
      
      --HG--
      rename : gtests/common/chachapoly-vectors.h => gtests/common/testvectors/chachapoly-vectors.h
      rename : gtests/common/gcm-vectors.h => gtests/common/testvectors/gcm-vectors.h
      rename : gtests/common/wycheproof/header_bases/chachapoly-vectors.h => gtests/common/testvectors_base/chachapoly-vectors_base.h
      rename : gtests/common/wycheproof/header_bases/gcm-vectors.h => gtests/common/testvectors_base/gcm-vectors_base.h
      rename : gtests/common/wycheproof/testvectors/aes_gcm_test.json => gtests/common/wycheproof/source_vectors/aes_gcm_test.json
      rename : gtests/common/wycheproof/testvectors/chacha20_poly1305_test.json => gtests/common/wycheproof/source_vectors/chacha20_poly1305_test.json
      extra : amend_source : c6a4e9bc385e669347b13bbe1703eed65e385d6c
  2. 13 Dec, 2018 1 commit
  3. 10 Dec, 2018 1 commit
    • Bug 1512923 - Fix SHA_HTONL bug for arm 32be r=jcj · c059dbfb
      Zheng Ruoqin authored
      Rpm uses nss as its digest crypto library, which will cause an error on
      the arm 32be platform as follows:
      
      error: test-manual-1.2.3-20181012.noarch.rpm: Header SHA1 digest: BAD
      (Expected
      f1deb7dc4a10742d88ccd1e967dbc62ae45095a5
      !=4ad9d7dad6d70d6086eefec62612ad5d77f2fe81)  => this value is wrong
      error: test-manual-1.2.3-20181012.noarch.rpm: not an rpm package (or
      package manifest)
      
      The error is caused by SHA_HTONL in nss, for there is no need to reverse
      the host value for arm 32be as it is originally big endian, so fix it.
      Signed-off-by: Zheng Ruoqin <zhengrq.fnst@cn.fujitsu.com>
      
      --HG--
      extra : rebase_source : f42990c833b0d5c8d4ba08e20d13f96b2708de33
      extra : amend_source : 2781c572e071400f6c9da1cee87f49d4e0890ea9
  4. 11 Dec, 2018 1 commit
  5. 04 Dec, 2018 1 commit
  6. 30 Nov, 2018 1 commit
  7. 31 Oct, 2018 1 commit
  8. 26 Oct, 2018 1 commit
  9. 29 Nov, 2018 1 commit
  10. 16 Nov, 2018 2 commits
  11. 22 Nov, 2018 2 commits
  12. 21 Nov, 2018 1 commit
    • Bug 1481271, resend the same ticket in ClientHello after HRR, r=mt · 5d49b9e3
      Daiki Ueno authored
      Summary:
      This is another attempt to fix the issue: store the sent session ticket in `ssl3.hs` until the client receives ServerHello.
      Test is not ready as I couldn't find any easy way to establish multiple connections in gtests to reproduce the scenario described in comment 7.
      
      Reviewers: mt
      
      Reviewed By: mt
      
      Subscribers: franziskus, jcj, mt, ekr, ueno, rrelyea, Alex_Gaynor, mccr8, HubertKario
      
      Tags: #secure-revision, PHID-PROJ-ffhf7tdvqze7zrdn6dh3
      
      Bug #: 1481271
      
      Differential Revision: https://phabricator.services.mozilla.com/D7493
      
      --HG--
      extra : amend_source : e7d34e4b47bc7d495197ef2cdca09876e76676b5
  13. 08 Nov, 2018 1 commit
    • Bug 1505899 - November 2018 batch of root CA changes r=kwilson · be4da8cb
      J.C. Jones authored
      * Add Google Trust Services LLC (GTS) root certificates to NSS
        (bug 1496204)
      * Add SHECA UCA Global G2 and UCA EV root certificates to NSS
        (bug 1496214)
      * Remove Opentrust and Certplus root certs that currently only have
        the Email trust bit enabled (bug 1499320)
      * Remove Certicámara root (bug 1501457)
      * Add Certigna Root CA root certificate to NSS (bug 1505614)
      
      --HG--
      extra : rebase_source : d9f49cc86034e823d71ac5f08e92d70594175c94
      extra : amend_source : 8b40a4fff984a8f8d92d13607a6bfa16d39c08b6
  14. 14 Nov, 2018 1 commit
  15. 12 Nov, 2018 1 commit
  16. 09 Nov, 2018 1 commit
  17. 07 Nov, 2018 1 commit
  18. 25 Oct, 2018 1 commit
    • Bug 1423043 - Enable half-close, r=ttaubert,ekr · cf9543d2
      Martin Thomson authored
      Summary:
      TLS 1.3 explicitly changed to allow close_notify on one half of the
      connection.  Since SSL, an endpoint was required to send close_notify if it
      received close_notify.  The general agreement was that this was a silly
      requirement and that we would remove it and allow one side of the connection to
      be closed.  This is critical for some protocols that are being moved to use
      TLS.
      
      NSS was almost perfect here.  The only problem was that it suppressed the
      second close_notify.  I've added a test for that.
      
      Differential Revision: https://phabricator.services.mozilla.com/D797
      
      --HG--
      extra : source : f3122e5bfb5e5c9d1c6ca4f37fde170d7e289b77
      extra : amend_source : 3debaa587e2aeda7b7c4440b03cb38952ecc8d41
  19. 24 Oct, 2018 1 commit
  20. 23 Oct, 2018 1 commit
  21. 08 Oct, 2018 1 commit
  22. 12 Oct, 2018 1 commit
    • Bug 1493769 - Set session_id for external resumption tokens, r=franziskus · e533ed60
      Martin Thomson authored
      This also includes some cleanup that I performed when looking into this.
      
      It turns out that the hacks that we were using for managing the reference count
      on sids was unnecessary.  Daiki added a much neater solution in D7493 that I
      stole.
      
      The error handling in SSLExp_SetResumptionToken looks nicer after a
      spring-clean too.
      
      --HG--
      extra : rebase_source : a4aeff32ce0cee61743d98234a21d7726a8dc496
      extra : amend_source : 9b3492f78154ebad6216e9a0dacd7e498d906927
  23. 23 Oct, 2018 1 commit
  24. 16 Oct, 2018 1 commit
  25. 15 Oct, 2018 1 commit
  26. 12 Oct, 2018 3 commits
    • Bug 1498437 - Require that the server negotiate TLS 1.3 if we sent ESNI. r=mt · b2e3f773
      EKR authored
      Reviewers: mt
      
      Tags: #secure-revision
      
      Bug #: 1498437
      
      Differential Revision: https://phabricator.services.mozilla.com/D8496
    • Bug 1489945 - Handle second ticket with external ticket caching, r=franziskus · 74bce7bb
      Martin Thomson authored
      Summary:
      If we get a second session ticket in TLS 1.3 (as boringssl is wont to
      do, and maybe others) while the external session cache is enabled, we assert.
      The fix is to stop assuming that only in_client_cache sessions have a ticket
      attached.  The bigger fix ensures that sessions are properly labelled so that we
      correctly create a new session in the event that we get multiple tickets from a
      server.
      
      I *think* that this isn't that high a priority.  Michal is apparently working on
      code related to this, but should still be able to make progress by disabling TLS
      1.3 (or avoiding boringSSL servers).
      
      Reviewers: franziskus, ekr
      
      Reviewed By: franziskus
      
      Bug #: 1489945
      
      Differential Revision: https://phabricator.services.mozilla.com/D5740
      
      --HG--
      extra : rebase_source : 5203e4275b86605cf71662c2abd4fe58ec8b560c
      extra : amend_source : ad8290b441bee98fb5fe3615c0c96f4fe2e41d6c
    • Bug 1434943 - Support for MSVC in build.sh, r=jcj · 5bab67bd
      Martin Thomson authored
      Summary:
      This adds basic support for MSVC to build.sh.  It uses the registry and vswhere
      (which is part of the standard mozilla-build setup now) to work out paths and
      set them properly.  It's probably a little fragile, but it's better than the
      shoestring and tape we have in builds right now.
      
      I took the liberty of sanitizing the command-line options a little here.  Mostly
      that is sorting them, but I also deprecated the -m32 option in favour of
      specifying target architecture with -t.  That turned out to be a lot cleaner.
      
      Reviewers: jcj
      
      Reviewed By: jcj
      
      Bug #: 1434943
      
      Differential Revision: https://phabricator.services.mozilla.com/D5125
      
      --HG--
      extra : rebase_source : 54465a06808f1164e31094773930831b8bb7e20b
      extra : amend_source : f89a25ab6ab7b95fa6d54b8d55ebee88ec1dcc65
  27. 08 Oct, 2018 1 commit
  28. 02 Oct, 2018 1 commit
  29. 01 Oct, 2018 1 commit
  30. 03 Aug, 2018 3 commits
    • Bug 1479787 - clang-format, r=mt,keeler · 944915ea
      Franziskus Kiefer authored
      Differential Revision: https://phabricator.services.mozilla.com/D2721
      
      --HG--
      extra : rebase_source : 8b075cdf10c7864c532017d27785644446f4d33f
    • Bug 1479787 - build mozpkix as part of NSS, r=mt,keeler · 53850b92
      Franziskus Kiefer authored
      Differential Revision: https://phabricator.services.mozilla.com/D2719
      Differential Revision: https://phabricator.services.mozilla.com/D2720
      Differential Revision: https://phabricator.services.mozilla.com/D2861
      
      --HG--
      rename : cpputil/scoped_ptrs.h => cpputil/nss_scoped_ptrs.h
      rename : lib/mozpkix/test/gtest/README.txt => gtests/mozpkix_gtest/README.txt
      rename : lib/mozpkix/test/gtest/pkixbuild_tests.cpp => gtests/mozpkix_gtest/pkixbuild_tests.cpp
      rename : lib/mozpkix/test/gtest/pkixcert_extension_tests.cpp => gtests/mozpkix_gtest/pkixcert_extension_tests.cpp
      rename : lib/mozpkix/test/gtest/pkixcert_signature_algorithm_tests.cpp => gtests/mozpkix_gtest/pkixcert_signature_algorithm_tests.cpp
      rename : lib/mozpkix/test/gtest/pkixcheck_CheckExtendedKeyUsage_tests.cpp => gtests/mozpkix_gtest/pkixcheck_CheckExtendedKeyUsage_tests.cpp
      rename : lib/mozpkix/test/gtest/pkixcheck_CheckIssuer_tests.cpp => gtests/mozpkix_gtest/pkixcheck_CheckIssuer_tests.cpp
      rename : lib/mozpkix/test/gtest/pkixcheck_CheckKeyUsage_tests.cpp => gtests/mozpkix_gtest/pkixcheck_CheckKeyUsage_tests.cpp
      rename : lib/mozpkix/test/gtest/pkixcheck_CheckSignatureAlgorithm_tests.cpp => gtests/mozpkix_gtest/pkixcheck_CheckSignatureAlgorithm_tests.cpp
      rename : lib/mozpkix/test/gtest/pkixcheck_CheckValidity_tests.cpp => gtests/mozpkix_gtest/pkixcheck_CheckValidity_tests.cpp
      rename : lib/mozpkix/test/gtest/pkixcheck_ParseValidity_tests.cpp => gtests/mozpkix_gtest/pkixcheck_ParseValidity_tests.cpp
      rename : lib/mozpkix/test/gtest/pkixcheck_TLSFeaturesSatisfiedInternal_tests.cpp => gtests/mozpkix_gtest/pkixcheck_TLSFeaturesSatisfiedInternal_tests.cpp
      rename : lib/mozpkix/test/gtest/pkixder_input_tests.cpp => gtests/mozpkix_gtest/pkixder_input_tests.cpp
      rename : lib/mozpkix/test/gtest/pkixder_pki_types_tests.cpp => gtests/mozpkix_gtest/pkixder_pki_types_tests.cpp
      rename : lib/mozpkix/test/gtest/pkixder_universal_types_tests.cpp => gtests/mozpkix_gtest/pkixder_universal_types_tests.cpp
      rename : lib/mozpkix/test/gtest/pkixgtest.cpp => gtests/mozpkix_gtest/pkixgtest.cpp
      rename : lib/mozpkix/test/gtest/pkixgtest.h => gtests/mozpkix_gtest/pkixgtest.h
      rename : lib/mozpkix/test/gtest/pkixnames_tests.cpp => gtests/mozpkix_gtest/pkixnames_tests.cpp
      rename : lib/mozpkix/test/gtest/pkixocsp_CreateEncodedOCSPRequest_tests.cpp => gtests/mozpkix_gtest/pkixocsp_CreateEncodedOCSPRequest_tests.cpp
      rename : lib/mozpkix/test/gtest/pkixocsp_VerifyEncodedOCSPResponse.cpp => gtests/mozpkix_gtest/pkixocsp_VerifyEncodedOCSPResponse.cpp
      rename : lib/mozpkix/test/lib/pkixtestnss.h => lib/mozpkix/include/pkix-test/pkixtestnss.h
      rename : lib/mozpkix/test/lib/pkixtestutil.h => lib/mozpkix/include/pkix-test/pkixtestutil.h
      rename : lib/mozpkix/lib/pkixcheck.h => lib/mozpkix/include/pkix/pkixcheck.h
      rename : lib/mozpkix/lib/pkixder.h => lib/mozpkix/include/pkix/pkixder.h
      rename : lib/mozpkix/lib/pkixutil.h => lib/mozpkix/include/pkix/pkixutil.h
      rename : lib/mozpkix/test/lib/pkixtestalg.cpp => lib/mozpkix/test-lib/pkixtestalg.cpp
      rename : lib/mozpkix/test/lib/pkixtestnss.cpp => lib/mozpkix/test-lib/pkixtestnss.cpp
      rename : lib/mozpkix/test/lib/pkixtestutil.cpp => lib/mozpkix/test-lib/pkixtestutil.cpp
      extra : rebase_source : 7b1375fef0c8e0c361f44d16f69c31d0bd6d0b41
    • Bug 1479787 - merge mozpkix from mozilla-central to NSS · bac43587
      Franziskus Kiefer authored
      --HG--
      extra : rebase_source : bbfc60dfad29adf314d5728897a16f36fb156457
  31. 28 Sep, 2018 1 commit
  32. 25 Sep, 2018 1 commit
  33. 05 Sep, 2018 1 commit
    • Bug 1488967 - Move tls-interop back to mozilla/tls-interop from fork r=mt · f426f00f
      J.C. Jones authored
      The tests/interop/interop.sh script is using a forked repository of tls-interop,
      which is merging back into the mainline. Going forward, we should use the
      mainline repo.
      
      --HG--
      extra : rebase_source : 149f33990b98aca8139ae98aba73f33349a10fd5
      extra : amend_source : 06154df2c56197ceed33b9b95f1aab68656b35b6
  34. 24 Sep, 2018 1 commit