Bug 1715772 - land NSS NSS_3_68_BETA1 UPGRADE_NSS_RELEASE, r=beurdouche

```
2021-07-01  Benjamin Beurdouche  <[email protected]>

	* automation/release/nspr-version.txt:
	Bug 1717452 - NSS 3.68 should depend on NSPR 4.32. r=kaie

	[352fca8a348e] [NSS_3_68_BETA1]

2021-06-30  Robert Relyea  <[email protected]>

	* gtests/pk11_gtest/pk11_aeskeywrappad_unittest.cc,
	gtests/pk11_gtest/pk11_ecdsa_unittest.cc,
	gtests/pk11_gtest/pk11_keygen.cc, gtests/pk11_gtest/pk11_keygen.h,
	gtests/pk11_gtest/pk11_signature_test.cc,
	gtests/pk11_gtest/pk11_signature_test.h,
	gtests/ssl_gtest/libssl_internals.c, lib/pk11wrap/pk11pk12.c:
	Bug 1693206 - Implement PKCS8 export of ECDSA keys patch by
	Christoph Walcher r=rrelyea, bbeurdouche
	[9343c18b4df7]

2021-06-25  Martin Thomson  <[email protected]>

	* gtests/ssl_gtest/ssl_extension_unittest.cc, lib/ssl/ssl3prot.h,
	lib/ssl/sslproto.h, lib/ssl/tls13con.c:
	Bug 1712883 - DTLS 1.3 draft-43 r=bbeurdouche

	[b2178fe9d27b]

2021-06-25  Makoto Kato  <[email protected]>

	* automation/taskcluster/graph/src/extend.js, coreconf/WIN32.mk,
	coreconf/config.gypi, lib/freebl/Makefile, lib/freebl/freebl.gyp,
	lib/freebl/sha256-x86.c, lib/freebl/sha512.c:
	Bug 1655493 - Support SHA2 HW acceleration using Intel SHA
	Extension. r=bbeurdouche

	Before applying (on Ryzen 9 3900X) ``` # mode in opreps cxreps
	context op time(sec) thrgput sha256_e 1Gb 208Mb 23M 0 0.000
	10000.000 10.000 123Mb 301Kb ```

	After applying ``` # mode in opreps cxreps context op time(sec)
	thrgput sha256_e 5Gb 797Mb 110M 0 0.000 10000.000 10.000 591Mb 769Kb
	```

	[65a7c7b3f182]

2021-05-31  Martin Thomson  <[email protected]>

	* gtests/ssl_gtest/libssl_internals.c,
	gtests/ssl_gtest/libssl_internals.h,
	gtests/ssl_gtest/tls_ech_unittest.cc, lib/ssl/manifest.mn,
	lib/ssl/ssl.gyp, lib/ssl/tls13ech.c, lib/ssl/tls13ech.h,
	lib/ssl/tls13echv.c, lib/util/seccomon.h:
	Bug 1713562 - Validate ECH public names, r=bbeurdouche

	This validates that they are LDH (with underscore because we don't
	hate freedom), but that they are not IP addresses. This invokes the
	horrible WhatWG IP parsing routines, so that it recognizes a vast
	array of crazy address formats (thanks 1980s design).

	[ac81f721cbbf]
```

Differential Revision: https://phabricator.services.mozilla.com/D119026

security/nss/TAG-INFO

@@ -1 +1 @@
-0262a919f909
+NSS_3_68_BETA1

security/nss/automation/release/nspr-version.txt

@@ -1,4 +1,4 @@
-4.30
+4.32
 
 # The first line of this file must contain the human readable NSPR
 # version number, which is the minimum required version of NSPR

security/nss/automation/taskcluster/graph/src/extend.js

@@ -567,6 +567,13 @@ async function scheduleLinux(name, overrides, args = "") {
       CC: "gcc-4.8",
       CCC: "g++-4.8"
     },
+    // Use -Ddisable-intelhw_sha=1, GYP doesn't have a proper GCC version
+    // check for Intel SHA support.
+    command: [
+      "/bin/bash",
+      "-c",
+      "bin/checkout.sh && nss/automation/taskcluster/scripts/build_gyp.sh -Ddisable_intel_hw_sha=1"
+    ],
     symbol: "gcc-4.8"
   }));
 

security/nss/coreconf/WIN32.mk

@@ -56,6 +56,8 @@ else
 	_MSC_VER_GE_11 := $(shell expr $(_MSC_VER) \>= 1700)
 	# VC12 (2013).
 	_MSC_VER_GE_12 := $(shell expr $(_MSC_VER) \>= 1800)
+	# VC14 (2015).
+	_MSC_VER_GE_14 := $(shell expr $(_MSC_VER) \>= 1900)
 	ifeq ($(_CC_VMAJOR),14)
 	    # -DYNAMICBASE is only supported on VC8SP1 or newer,
 	    # so be very specific here!

security/nss/coreconf/config.gypi

@@ -99,6 +99,7 @@
     'disable_arm_hw_aes%': 0,
     'disable_arm_hw_sha1%': 0,
     'disable_arm_hw_sha2%': 0,
+    'disable_intel_hw_sha%': 0,
     'disable_tests%': 0,
     'disable_chachapoly%': 0,
     'disable_deprecated_seed%': 0,

security/nss/coreconf/coreconf.dep

@@ -10,4 +10,3 @@
  */
 
 #error "Do not include this header file."
-

security/nss/gtests/pk11_gtest/pk11_aeskeywrappad_unittest.cc

@@ -420,4 +420,4 @@ TEST_F(Pkcs11AESKeyWrapPadTest, WrapUnwrapRandom_ShortValidPadding) {
   ASSERT_EQ(0, memcmp(buf, unwrapped_key.data(), out_len));
 }
 
-} /* nss_test */
+}  // namespace nss_test

security/nss/gtests/pk11_gtest/pk11_ecdsa_unittest.cc

@@ -14,6 +14,7 @@
 
 #include "pk11_ecdsa_vectors.h"
 #include "pk11_signature_test.h"
+#include "pk11_keygen.h"
 #include "testvectors/p256ecdsa-sha256-vectors.h"
 #include "testvectors/p384ecdsa-sha384-vectors.h"
 #include "testvectors/p521ecdsa-sha512-vectors.h"
@@ -63,6 +64,10 @@ TEST_P(Pkcs11EcdsaTest, SignAndVerify) {
   SignAndVerify(GetParam().sig_params_);
 }
 
+TEST_P(Pkcs11EcdsaTest, ImportExport) {
+  ImportExport(GetParam().sig_params_.pkcs8_);
+}
+
 static const Pkcs11EcdsaTestParams kEcdsaVectors[] = {
     {SEC_OID_SHA256,
      {DataBuffer(kP256Pkcs8, sizeof(kP256Pkcs8)),
@@ -243,4 +248,41 @@ INSTANTIATE_TEST_SUITE_P(WycheproofP521SignatureSha512Test,
                          Pkcs11EcdsaWycheproofTest,
                          ::testing::ValuesIn(kP521EcdsaSha512Vectors));
 
+class Pkcs11EcdsaRoundtripTest
+    : public Pkcs11EcdsaTestBase,
+      public ::testing::WithParamInterface<SECOidTag> {
+ public:
+  Pkcs11EcdsaRoundtripTest() : Pkcs11EcdsaTestBase(SEC_OID_SHA256) {}
+
+ protected:
+  void GenerateExportImportSignVerify(SECOidTag tag) {
+    Pkcs11KeyPairGenerator generator(CKM_EC_KEY_PAIR_GEN, tag);
+    ScopedSECKEYPrivateKey priv;
+    ScopedSECKEYPublicKey pub;
+    generator.GenerateKey(&priv, &pub, false);
+
+    DataBuffer exported;
+    ExportPrivateKey(&priv, exported);
+
+    if (tag != SEC_OID_CURVE25519) {
+      DataBuffer sig;
+      DataBuffer sig2;
+      DataBuffer data(kP256Data, sizeof(kP256Data));
+      ASSERT_TRUE(
+          ImportPrivateKeyAndSignHashedData(exported, data, &sig, &sig2));
+
+      Verify(pub, data, sig);
+    }
+  }
+};
+
+TEST_P(Pkcs11EcdsaRoundtripTest, GenerateExportImportSignVerify) {
+  GenerateExportImportSignVerify(GetParam());
+}
+INSTANTIATE_TEST_SUITE_P(Pkcs11EcdsaRoundtripTest, Pkcs11EcdsaRoundtripTest,
+                         ::testing::Values(SEC_OID_SECG_EC_SECP256R1,
+                                           SEC_OID_SECG_EC_SECP384R1,
+                                           SEC_OID_SECG_EC_SECP521R1,
+                                           SEC_OID_CURVE25519));
+
 }  // namespace nss_test

security/nss/gtests/pk11_gtest/pk11_keygen.cc

@@ -22,7 +22,8 @@ class ParamHolder {
 };
 
 void Pkcs11KeyPairGenerator::GenerateKey(ScopedSECKEYPrivateKey* priv_key,
-                                         ScopedSECKEYPublicKey* pub_key) const {
+                                         ScopedSECKEYPublicKey* pub_key,
+                                         bool sensitive) const {
   // This function returns if an assertion fails, so don't leak anything.
   priv_key->reset(nullptr);
   pub_key->reset(nullptr);
@@ -34,8 +35,9 @@ void Pkcs11KeyPairGenerator::GenerateKey(ScopedSECKEYPrivateKey* priv_key,
   ASSERT_TRUE(slot);
 
   SECKEYPublicKey* pub_tmp;
-  ScopedSECKEYPrivateKey priv_tmp(PK11_GenerateKeyPair(
-      slot.get(), mech_, params->get(), &pub_tmp, PR_FALSE, PR_TRUE, nullptr));
+  ScopedSECKEYPrivateKey priv_tmp(
+      PK11_GenerateKeyPair(slot.get(), mech_, params->get(), &pub_tmp, PR_FALSE,
+                           sensitive ? PR_TRUE : PR_FALSE, nullptr));
   ASSERT_NE(nullptr, priv_tmp) << "PK11_GenerateKeyPair failed: "
                                << PORT_ErrorToName(PORT_GetError());
   ASSERT_NE(nullptr, pub_tmp);

security/nss/gtests/pk11_gtest/pk11_keygen.h

@@ -22,7 +22,7 @@ class Pkcs11KeyPairGenerator {
   SECOidTag curve() const { return curve_; }
 
   void GenerateKey(ScopedSECKEYPrivateKey* priv_key,
-                   ScopedSECKEYPublicKey* pub_key) const;
+                   ScopedSECKEYPublicKey* pub_key, bool sensitive = true) const;
 
  private:
   std::unique_ptr<ParamHolder> MakeParams() const;

security/nss/gtests/pk11_gtest/pk11_signature_test.cc

@@ -134,11 +134,9 @@ bool Pk11SignatureTest::ImportPrivateKeyAndSignHashedData(
   return true;
 }
 
-void Pk11SignatureTest::Verify(const Pkcs11SignatureTestParams& params,
-                               const DataBuffer& sig, bool valid) {
-  ScopedSECKEYPublicKey pubKey(ImportPublicKey(params.spki_));
-  ASSERT_TRUE(pubKey);
-
+void Pk11SignatureTest::Verify(ScopedSECKEYPublicKey& pubKey,
+                               const DataBuffer& data, const DataBuffer& sig,
+                               bool valid) {
   SECStatus rv;
   DataBuffer hash;
 
@@ -150,7 +148,7 @@ void Pk11SignatureTest::Verify(const Pkcs11SignatureTestParams& params,
    * with the VFY_ interface, so just do the combined hash/Verify
    * in that case */
   if (!skip_raw_) {
-    ASSERT_TRUE(ComputeHash(params.data_, &hash));
+    ASSERT_TRUE(ComputeHash(data, &hash));
 
     // Verify.
     SECItem hashItem = {siBuffer, toUcharPtr(hash.data()),
@@ -168,7 +166,7 @@ void Pk11SignatureTest::Verify(const Pkcs11SignatureTestParams& params,
   ASSERT_NE((void*)context, (void*)NULL)
       << "CreateContext failed Error:" << PORT_ErrorToString(PORT_GetError())
       << "\n";
-  rv = PK11_DigestOp(context, params.data_.data(), params.data_.len());
+  rv = PK11_DigestOp(context, data.data(), data.len());
   /* expect success unconditionally here */
   EXPECT_EQ(rv, SECSuccess);
   unsigned int len;

security/nss/gtests/pk11_gtest/pk11_signature_test.h

@@ -34,6 +34,16 @@ class Pk11SignatureTest : public ::testing::Test {
   CK_MECHANISM_TYPE mechanism() const { return mechanism_; }
   void setSkipRaw(bool skip_raw) { skip_raw_ = true; }
 
+  bool ExportPrivateKey(ScopedSECKEYPrivateKey* key, DataBuffer& pkcs8) {
+    SECItem* pkcs8Item = PK11_ExportDERPrivateKeyInfo(key->get(), nullptr);
+    if (!pkcs8Item) {
+      return false;
+    }
+    pkcs8.Assign(pkcs8Item->data, pkcs8Item->len);
+    SECITEM_ZfreeItem(pkcs8Item, PR_TRUE);
+    return true;
+  }
+
   ScopedSECKEYPrivateKey ImportPrivateKey(const DataBuffer& pkcs8);
   ScopedSECKEYPublicKey ImportPublicKey(const DataBuffer& spki);
 
@@ -51,8 +61,23 @@ class Pk11SignatureTest : public ::testing::Test {
   bool ImportPrivateKeyAndSignHashedData(const DataBuffer& pkcs8,
                                          const DataBuffer& data,
                                          DataBuffer* sig, DataBuffer* sig2);
+
+  /* most primitive verify implemented in pk11_signature_test.cpp */
+  void Verify(ScopedSECKEYPublicKey& pubKey, const DataBuffer& data,
+              const DataBuffer& sig, bool valid);
+
+  /* quick helper functions that use the primitive verify */
+  void Verify(ScopedSECKEYPublicKey& pubKey, const DataBuffer& data,
+              const DataBuffer& sig) {
+    Verify(pubKey, data, sig, true);
+  }
+
   void Verify(const Pkcs11SignatureTestParams& params, const DataBuffer& sig,
-              bool valid);
+              bool valid) {
+    ScopedSECKEYPublicKey pubKey(ImportPublicKey(params.spki_));
+    ASSERT_TRUE(pubKey);
+    Verify(pubKey, params.data_, sig, valid);
+  }
 
   void Verify(const Pkcs11SignatureTestParams& params, bool valid) {
     Verify(params, params.signature_, valid);
@@ -71,6 +96,15 @@ class Pk11SignatureTest : public ::testing::Test {
     Verify(params, sig2, true);
   }
 
+  // Importing a private key in PKCS#8 format and reexporting it should
+  // result in the same binary representation.
+  void ImportExport(const DataBuffer& k) {
+    DataBuffer exported;
+    ScopedSECKEYPrivateKey key = ImportPrivateKey(k);
+    ExportPrivateKey(&key, exported);
+    EXPECT_EQ(k, exported);
+  }
+
  private:
   CK_MECHANISM_TYPE mechanism_;
   SECOidTag hash_oid_;

security/nss/gtests/ssl_gtest/libssl_internals.c

@@ -497,3 +497,5 @@ SECStatus SSLInt_SetRawEchConfigForRetry(PRFileDesc *fd, const uint8_t *buf,
   PORT_Memcpy(cfg->raw.data, buf, len);
   return SECSuccess;
 }
+
+PRBool SSLInt_IsIp(PRUint8 *s, unsigned int len) { return tls13_IsIp(s, len); }

security/nss/gtests/ssl_gtest/libssl_internals.h

@@ -51,4 +51,6 @@ SECStatus SSLInt_SetDCAdvertisedSigSchemes(PRFileDesc *fd,
 SECStatus SSLInt_RemoveServerCertificates(PRFileDesc *fd);
 SECStatus SSLInt_SetRawEchConfigForRetry(PRFileDesc *fd, const uint8_t *buf,
                                          size_t len);
+PRBool SSLInt_IsIp(PRUint8 *s, unsigned int len);
+
 #endif  // ifndef libssl_internals_h_

security/nss/gtests/ssl_gtest/ssl_extension_unittest.cc

@@ -174,11 +174,13 @@ class TlsExtensionTest13
     // Convert the version encoding for DTLS, if needed.
     if (variant_ == ssl_variant_datagram) {
       switch (version) {
-#ifdef DTLS_1_3_DRAFT_VERSION
         case SSL_LIBRARY_VERSION_TLS_1_3:
+#ifdef DTLS_1_3_DRAFT_VERSION
           version = 0x7f00 | DTLS_1_3_DRAFT_VERSION;
-          break;
+#else
+          version = SSL_LIBRARY_VERSION_DTLS_1_3_WIRE;
 #endif
+          break;
         case SSL_LIBRARY_VERSION_TLS_1_2:
           version = SSL_LIBRARY_VERSION_DTLS_1_2_WIRE;
           break;
@@ -1120,13 +1122,25 @@ TEST_P(TlsExtensionTest13, HrrThenRemoveSupportedGroups) {
 }
 
 TEST_P(TlsExtensionTest13, EmptyVersionList) {
-  static const uint8_t ext[] = {0x00, 0x00};
-  ConnectWithBogusVersionList(ext, sizeof(ext));
+  static const uint8_t kExt[] = {0x00, 0x00};
+  ConnectWithBogusVersionList(kExt, sizeof(kExt));
 }
 
 TEST_P(TlsExtensionTest13, OddVersionList) {
-  static const uint8_t ext[] = {0x00, 0x01, 0x00};
-  ConnectWithBogusVersionList(ext, sizeof(ext));
+  static const uint8_t kExt[] = {0x00, 0x01, 0x00};
+  ConnectWithBogusVersionList(kExt, sizeof(kExt));
+}
+
+// Use the stream version number for TLS 1.3 (0x0304) in DTLS.
+TEST_F(TlsConnectDatagram13, TlsVersionInDtls) {
+  static const uint8_t kExt[] = {0x02, 0x03, 0x04};
+
+  DataBuffer versions_buf(kExt, sizeof(kExt));
+  MakeTlsFilter<TlsExtensionReplacer>(client_, ssl_tls13_supported_versions_xtn,
+                                      versions_buf);
+  ConnectExpectAlert(server_, kTlsAlertProtocolVersion);
+  client_->CheckErrorCode(SSL_ERROR_PROTOCOL_VERSION_ALERT);
+  server_->CheckErrorCode(SSL_ERROR_UNSUPPORTED_VERSION);
 }
 
 // TODO: this only tests extensions in server messages.  The client can extend