Bug 1592007 - land NSS dc9552c2aa77 UPGRADE_NSS_RELEASE, r=kjacobs

2019-11-04  Marcus Burghardt  <mburghardt@mozilla.com>

	* lib/pk11wrap/pk11cert.c:
	Bug 1590495 - Crash in PK11_MakeCertFromHandle->pk11_fastCert. r=jcj

	Fixed controls to avoid crashes caused by slots possibly without a
	token in pk11_fastCert. Also, improved arguments controls in
	PK11_MakeCertFromHandle.

	[dc9552c2aa77] [tip]

2019-11-01  Franziskus Kiefer  <franziskuskiefer@gmail.com>

	* gtests/pk11_gtest/manifest.mn,
	gtests/pk11_gtest/pk11_des_unittest.cc,
	gtests/pk11_gtest/pk11_gtest.gyp, lib/softoken/pkcs11c.c:
	Bug 1591742 - check des iv length and add test for it, r=jcj,kjacobs

	Summary: Let's make sure the DES IV has the length we expect it to
	have.

	Bug #: 1591742

	[35857ae98190]

2019-11-01  Dana Keeler  <dkeeler@mozilla.com>

	* gtests/mozpkix_gtest/pkixcheck_CheckKeyUsage_tests.cpp, lib/mozpkix
	/test-lib/pkixtestnss.cpp, tests/gtests/gtests.sh:
	Bug 1588567 - enable mozilla::pkix gtests in NSS r=jcj

	[27a29997f598]

2019-11-01  Deian Stefan  <deian@cs.ucsd.edu>

	* lib/softoken/pkcs11c.c:
	Bug 1591315 - Update NSC_Decrypt length in constant time r=kjacobs

	Update NSC_Decrypt length in constant time

	[7f578a829b29]

2019-11-01  Kai Engert  <kaie@kuix.de>

	* automation/taskcluster/graph/src/queue.js:
	Bug 1562671 - Limit Master Password KDF iterations for NSS
	continuous integration tests. r=mt
	[c8b490583b86]

	* lib/softoken/lgglue.c, lib/softoken/sftkdb.c, lib/softoken/sftkdb.h,
	lib/softoken/sftkdbti.h, lib/softoken/sftkpwd.c:
	Bug 1562671 - Add environment variables to control Master Password
	KDF iteration count. Disable iteration count for legacy DBM storage
	by default. r=rrelyea
	[ced91a705aa3]

2019-11-01  Bob Relyea  <rrelyea@redhat.com>

	* lib/softoken/legacydb/keydb.c, lib/softoken/lgglue.c,
	lib/softoken/pkcs11.c, lib/softoken/sftkdb.c, lib/softoken/sftkdb.h,
	lib/softoken/sftkdbti.h, lib/softoken/sftkpwd.c:
	Bug 1562671 - Support higher iteration count for Master Password
	KDF. Bob Relyea's base patch. Requires the follow-up patch. r=kaie
	[6619bb43d746]

2019-10-28  Martin Thomson  <mt@lowentropy.net>

	* coreconf/Linux.mk, coreconf/WIN32.mk, coreconf/command.mk,
	coreconf/config.gypi, coreconf/rules.mk, lib/freebl/aes-armv8.c,
	lib/freebl/aes-x86.c, lib/freebl/config.mk, lib/freebl/freebl.gyp,
	lib/freebl/intel-aes.h, lib/freebl/intel-gcm-wrap.c,
	lib/freebl/rijndael.c, lib/freebl/rijndael.h, lib/ssl/config.mk,
	lib/ssl/ssl.gyp:
	Bug 1590972 - Use -std=c99 for all C code, r=jcj

	This switches to using -std=c99 for compiling all C code.
	Previously, we only enabled this option for lib/freebl and lib/ssl.

	For Linux, this means we need to define _DEFAULT_SOURCE to access
	some of the functions we use. On glibc 2.12 (our oldest supported
	version), we also need to define _BSD_SOURCE to access these
	functions.

	The only tricky part is dealing with partial C99 implementation in
	gcc 4.4. From what I've seen, the only problem is that - in that
	mode - it doesn't support nesting of unnamed fields:
	https://gcc.gnu.org/onlinedocs/gcc-4.4.7/gcc/Unnamed-Fields.html

	This also switches from -std=c++0x to -std=c++11 as the 0x variant,
	though identical in meaning, is deprecated.

	[dbba7db4b79d]

2019-10-30  Giulio Benetti  <giulio.benetti@benettiengineering.com>

	* lib/freebl/aes-armv8.c, lib/freebl/rijndael.c:
	Bug 1590676 - Fix build if arm doesn't support NEON r=kjacobs

	At the moment NSS assumes that ARM supports NEON extension but this
	is not true and leads to build failure on ARM without NEON
	extension. Add check to assure USE_HW_AES is not defined if ARM
	without NEON extension is used.
	[58f2471ace3b]

2019-10-30  Martin Thomson  <mt@lowentropy.net>

	* gtests/ssl_gtest/tls_agent.cc:
	Bug 1575411 - Disable EMS for tests, a=bustage
	[6e5f69781137]

2019-10-29  J.C. Jones  <jjones@mozilla.com>

	* gtests/ssl_gtest/tls_esni_unittest.cc:
	Bug 1590970 - Fix clang-format from
	e7956ee3ba1b6d05e3175bbcd795583fde867720 r=me
	[d1e43cb9f227]

2019-10-29  Giulio Benetti  <giulio.benetti@benettiengineering.com>

	* lib/ssl/tls13esni.c:
	Bug 1590678 - Remove -Wmaybe-uninitialized warning in tls13esni.c
	r=jcj
	[df5e9021809a]

2019-10-29  Martin Thomson  <martin.thomson@gmail.com>

	* lib/ssl/ssl.h, lib/ssl/sslsock.c:
	Bug 1575411 - Enable extended master secret by default,
	r=jcj,kjacobs

	See the bug for discussion about the implications of this.

	[d1c68498610d]

2019-10-29  Martin Thomson  <mt@lowentropy.net>

	* gtests/ssl_gtest/tls_esni_unittest.cc, lib/ssl/sslexp.h:
	Bug 1590970 - Stop using time() for ESNI tests, r=kjacobs

	Summary: The ESNI tests were using time() rather than PR_Now(), so
	they slipped the net when I went looking for bad time functions. Now
	they do the right thing again.

	What we were probably seeing in the intermittents was the case where
	we set the time for most of the SSL functions to PR_Now(), and that
	was just before a second rollover. Then, when time() was called, it
	returned t+1 so the ESNI keys that were being generated in the ESNI
	tests were given a notBefore time that was in the future relative to
	the time being given to the TLS stack. Had the ESNI keys generation
	been given time() - 1 for notBefore, as I have done here, this would
	never have turned up.

	Reviewers: kjacobs

	Tags: #secure-revision

	Bug #: 1590970

	[e7956ee3ba1b]

Differential Revision: https://phabricator.services.mozilla.com/D51858

--HG--
extra : moz-landing-system : lando
This commit is contained in:
J.C. Jones 2019-11-05 20:29:59 +00:00
Parent 780c7f0f16
Commit 07491e58b7
39 changed files: 536 additions and 234 deletions

View file

@ -1 +1 @@
fcdda17cdc36
dc9552c2aa77

View file

@ -96,7 +96,8 @@ function convertTask(def) {
let env = merge({
NSS_HEAD_REPOSITORY: process.env.NSS_HEAD_REPOSITORY,
NSS_HEAD_REVISION: process.env.NSS_HEAD_REVISION
NSS_HEAD_REVISION: process.env.NSS_HEAD_REVISION,
NSS_MAX_MP_PBE_ITERATION_COUNT: "100",
}, def.env || {});
if (def.parent) {
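Review bot: the new `NSS_MAX_MP_PBE_ITERATION_COUNT: "100"` entry is a bare literal with nothing tying it to Bug 1562671 or to the softoken code that reads it, so a later reader cannot tell that this is a deliberate CI-only cap on the Master Password KDF cost rather than a recommended value. Add a one-line comment such as `// Bug 1562671: keep the MP KDF cheap in CI; this value must never reach a shipped profile`, and confirm the variable is only honoured when read from the process environment so the reduced iteration count cannot be baked into a database that leaves the test machine.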

View file

@ -21,6 +21,7 @@ ifeq ($(USE_PTHREADS),1)
endif
DEFAULT_COMPILER = gcc
DEFINES += -D_DEFAULT_SOURCE -D_BSD_SOURCE
ifeq ($(OS_TARGET),Android)
ifndef ANDROID_NDK
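Review bot: `DEFINES += -D_DEFAULT_SOURCE -D_BSD_SOURCE` carries no explanation here, unlike the matching config.gypi entries that state what each macro is for; mirror that comment in the Makefile (`_DEFAULT_SOURCE` for the <endian.h> functions, strdup, realpath and getentropy; `_BSD_SOURCE` only for glibc <= 2.19). Defining both is the right choice: glibc only emits its "_BSD_SOURCE is deprecated" warning when `_DEFAULT_SOURCE` is absent, so this stays warning-free on both old and current glibc.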

View file

@ -261,6 +261,12 @@ else
endif
endif
# clear any CSTD and CXXSTD unless we're using GCC
ifndef NS_USE_GCC
CSTD =
CXXSTD =
endif
#
# override the definitions of RELEASE_TREE found in tree.mk
#
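Review bot: the `ifndef NS_USE_GCC` block silently empties CSTD and CXXSTD for every compiler that does not set NS_USE_GCC. That is correct for MSVC (the USE_NT_C_SYNTAX rules cannot take `-std=c99`), but please confirm that clang builds set NS_USE_GCC as well; otherwise they lose `-std=c99`/`-std=c++11` without any diagnostic and the partial-C99 problems described in the commit message would only ever surface on gcc. A comment naming MSVC as the intended target of this clearing would make the intent obvious.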

View file

@ -14,6 +14,8 @@ CCF = $(CC) $(CFLAGS)
LINK_DLL = $(LD) $(OS_DLLFLAGS) $(DLLFLAGS) $(XLDFLAGS)
CFLAGS = $(OPTIMIZER) $(OS_CFLAGS) $(WARNING_CFLAGS) $(XP_DEFINE) \
$(DEFINES) $(INCLUDES) $(XCFLAGS)
CSTD = -std=c99
CXXSTD = -std=c++11
PERL = perl
RANLIB = echo
TAR = /bin/tar
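Review bot: `CSTD = -std=c99` and `CXXSTD = -std=c++11` are plain recursive assignments, so the per-compiler clearing elsewhere in coreconf only works because command.mk is included first; state that ordering dependency in a comment. Also say why these are deliberately kept out of CFLAGS (CFLAGS is shared by the C and C++ compile rules, so folding `-std=c99` into it would break every C++ build) and that rules.mk injects them ahead of `$(CFLAGS)`; that saves the next person from "simplifying" this into CFLAGS.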

View file

@ -355,6 +355,8 @@
'LINUX2_1',
'LINUX',
'linux',
'_DEFAULT_SOURCE', # for <endian.h> functions, strdup, realpath, and getentropy
'_BSD_SOURCE', # for the above in glibc <= 2.19
],
}],
[ 'OS=="dragonfly" or OS=="freebsd"', {
@ -391,8 +393,11 @@
'-ffunction-sections',
'-fdata-sections',
],
'cflags_c': [
'-std=c99',
],
'cflags_cc': [
'-std=c++0x',
'-std=c++11',
],
'ldflags': [
'-z', 'noexecstack',
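Review bot: adding `cflags_c: ['-std=c99']` moves C from the `-std=gnu99` that freebl previously set to strict C99, which turns off GNU keyword extensions: under `-std=c99` gcc and clang no longer accept bare `asm` or `typeof` (the `__asm__`/`__typeof__` spellings stay valid). Please grep the C sources for those spellings before landing, since a stray one now fails only on the gcc/clang paths and not on MSVC. Note also that this `cflags_c` applies to every non-Windows OS while the `_DEFAULT_SOURCE`/`_BSD_SOURCE` feature macros were added only for `OS=="linux"`; confirm the BSD and mac targets still see the non-ISO prototypes freebl needs under strict C99.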

View file

@ -10,3 +10,4 @@
*/
#error "Do not include this header file."

View file

@ -391,23 +391,23 @@ core_abspath = '$(if $(findstring :,$(1)),$(1),$(if $(filter /%,$(1)),$(1),$(PWD
$(OBJDIR)/$(PROG_PREFIX)%$(OBJ_SUFFIX): %.c
@$(MAKE_OBJDIR)
ifdef USE_NT_C_SYNTAX
$(CC) -Fo$@ -c $(CFLAGS) $(call core_abspath,$<)
$(CC) -Fo$@ -c $(CSTD) $(CFLAGS) $(call core_abspath,$<)
else
ifdef NEED_ABSOLUTE_PATH
$(CC) -o $@ -c $(CFLAGS) $(call core_abspath,$<)
$(CC) -o $@ -c $(CSTD) $(CFLAGS) $(call core_abspath,$<)
else
$(CC) -o $@ -c $(CFLAGS) $<
$(CC) -o $@ -c $(CSTD) $(CFLAGS) $<
endif
endif
$(PROG_PREFIX)%$(OBJ_SUFFIX): %.c
ifdef USE_NT_C_SYNTAX
$(CC) -Fo$@ -c $(CFLAGS) $(call core_abspath,$<)
$(CC) -Fo$@ -c $(CSTD) $(CFLAGS) $(call core_abspath,$<)
else
ifdef NEED_ABSOLUTE_PATH
$(CC) -o $@ -c $(CFLAGS) $(call core_abspath,$<)
$(CC) -o $@ -c $(CSTD) $(CFLAGS) $(call core_abspath,$<)
else
$(CC) -o $@ -c $(CFLAGS) $<
$(CC) -o $@ -c $(CSTD) $(CFLAGS) $<
endif
endif
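Review bot: placing `$(CSTD)` ahead of `$(CFLAGS)` means a `-std=` supplied through CFLAGS or XCFLAGS on the command line wins, because the later flag takes precedence; that is presumably intended as an escape hatch for unusual toolchains, so say so in a comment on the first of these rules. Without it, someone tidying the order later will make the build silently ignore user overrides.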
@ -428,12 +428,12 @@ $(OBJDIR)/$(PROG_PREFIX)%$(OBJ_SUFFIX): %.S
$(OBJDIR)/$(PROG_PREFIX)%: %.cpp
@$(MAKE_OBJDIR)
ifdef USE_NT_C_SYNTAX
$(CCC) -Fo$@ -c $(CFLAGS) $(CXXFLAGS) $(call core_abspath,$<)
$(CCC) -Fo$@ -c $(CXXSTD) $(CFLAGS) $(CXXFLAGS) $(call core_abspath,$<)
else
ifdef NEED_ABSOLUTE_PATH
$(CCC) -o $@ -c $(CFLAGS) $(CXXFLAGS) $(call core_abspath,$<)
$(CCC) -o $@ -c $(CXXSTD) $(CFLAGS) $(CXXFLAGS) $(call core_abspath,$<)
else
$(CCC) -o $@ -c $(CFLAGS) $(CXXFLAGS) $<
$(CCC) -o $@ -c $(CXXSTD) $(CFLAGS) $(CXXFLAGS) $<
endif
endif
@ -444,16 +444,16 @@ $(OBJDIR)/$(PROG_PREFIX)%$(OBJ_SUFFIX): %.cc
$(MAKE_OBJDIR)
ifdef STRICT_CPLUSPLUS_SUFFIX
echo "#line 1 \"$<\"" | cat - $< > $(OBJDIR)/t_$*.cc
$(CCC) -o $@ -c $(CFLAGS) $(CXXFLAGS) $(OBJDIR)/t_$*.cc
$(CCC) -o $@ -c $(CXXSTD) $(CFLAGS) $(CXXFLAGS) $(OBJDIR)/t_$*.cc
rm -f $(OBJDIR)/t_$*.cc
else
ifdef USE_NT_C_SYNTAX
$(CCC) -Fo$@ -c $(CFLAGS) $(CXXFLAGS) $(call core_abspath,$<)
$(CCC) -Fo$@ -c $(CXXSTD) $(CFLAGS) $(CXXFLAGS) $(call core_abspath,$<)
else
ifdef NEED_ABSOLUTE_PATH
$(CCC) -o $@ -c $(CFLAGS) $(CXXFLAGS) $(call core_abspath,$<)
$(CCC) -o $@ -c $(CXXSTD) $(CFLAGS) $(CXXFLAGS) $(call core_abspath,$<)
else
$(CCC) -o $@ -c $(CFLAGS) $(CXXFLAGS) $<
$(CCC) -o $@ -c $(CXXSTD) $(CFLAGS) $(CXXFLAGS) $<
endif
endif
endif #STRICT_CPLUSPLUS_SUFFIX
@ -462,16 +462,16 @@ $(OBJDIR)/$(PROG_PREFIX)%$(OBJ_SUFFIX): %.cpp
@$(MAKE_OBJDIR)
ifdef STRICT_CPLUSPLUS_SUFFIX
echo "#line 1 \"$<\"" | cat - $< > $(OBJDIR)/t_$*.cc
$(CCC) -o $@ -c $(CFLAGS) $(CXXFLAGS) $(OBJDIR)/t_$*.cc
$(CCC) -o $@ -c $(CXXSTD) $(CFLAGS) $(CXXFLAGS) $(OBJDIR)/t_$*.cc
rm -f $(OBJDIR)/t_$*.cc
else
ifdef USE_NT_C_SYNTAX
$(CCC) -Fo$@ -c $(CFLAGS) $(CXXFLAGS) $(call core_abspath,$<)
$(CCC) -Fo$@ -c $(CXXSTD) $(CFLAGS) $(CXXFLAGS) $(call core_abspath,$<)
else
ifdef NEED_ABSOLUTE_PATH
$(CCC) -o $@ -c $(CFLAGS) $(CXXFLAGS) $(call core_abspath,$<)
$(CCC) -o $@ -c $(CXXSTD) $(CFLAGS) $(CXXFLAGS) $(call core_abspath,$<)
else
$(CCC) -o $@ -c $(CFLAGS) $(CXXFLAGS) $<
$(CCC) -o $@ -c $(CXXSTD) $(CFLAGS) $(CXXFLAGS) $<
endif
endif
endif #STRICT_CPLUSPLUS_SUFFIX
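Review bot: the same `USE_NT_C_SYNTAX` / `NEED_ABSOLUTE_PATH` / default ladder now appears six times in this file with only `$(CSTD)` or `$(CXXSTD)` differing between the C and C++ copies. Consider a single `C_COMPILE = $(CC) -c $(CSTD) $(CFLAGS)` and `CXX_COMPILE = $(CCC) -c $(CXXSTD) $(CFLAGS) $(CXXFLAGS)` (names are only a suggestion) so that the next flag is added in one place rather than twelve.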

View file

@ -166,8 +166,8 @@ void ASSERT_SimpleCase(uint8_t unusedBits, uint8_t bits, KeyUsage usage)
// Test that none of the other non-padding bits are mistaken for the given
// key usage in the single-byte value case.
NAMED_SIMPLE_KU(notGood, unusedBits,
static_cast<uint8_t>((~bits >> unusedBits) << unusedBits));
uint8_t paddingBits = (static_cast<uint8_t>(~bits) >> unusedBits) << unusedBits;
NAMED_SIMPLE_KU(notGood, unusedBits, paddingBits);
ASSERT_BAD(CheckKeyUsage(EndEntityOrCA::MustBeEndEntity, &notGood, usage));
ASSERT_BAD(CheckKeyUsage(EndEntityOrCA::MustBeCA, &notGood, usage));
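Review bot: the new name `paddingBits` contradicts the comment two lines above it: `(~bits >> unusedBits) << unusedBits` is the complement of the usage under test with the low `unusedBits` padding bits cleared, that is, every bit that is neither padding nor `bits`. Call it `otherBits` (or `nonPaddingOtherBits`). Casting `~bits` to `uint8_t` before shifting is the right fix for the old int-promotion/narrowing, but the final `<<` still yields an `int` that is implicitly narrowed on assignment; wrapping the whole expression in `static_cast<uint8_t>(...)` keeps that explicit under `-Wconversion`.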

View file

@ -14,6 +14,7 @@ CPPSRCS = \
pk11_chacha20poly1305_unittest.cc \
pk11_curve25519_unittest.cc \
pk11_der_private_key_import_unittest.cc \
pk11_des_unittest.cc \
pk11_ecdsa_unittest.cc \
pk11_encrypt_derive_unittest.cc \
pk11_export_unittest.cc \

View file

@ -0,0 +1,65 @@
/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
/* vim: set ts=2 et sw=2 tw=80: */
/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this file,
* You can obtain one at http://mozilla.org/MPL/2.0/. */
#include <memory>
#include "nss.h"
#include "pk11pub.h"
#include "nss_scoped_ptrs.h"
#include "gtest/gtest.h"
namespace nss_test {
class Pkcs11DesTest : public ::testing::Test {
protected:
SECStatus EncryptWithIV(std::vector<uint8_t>& iv,
const CK_MECHANISM_TYPE mech) {
// Generate a random key.
ScopedPK11SlotInfo slot(PK11_GetInternalSlot());
ScopedPK11SymKey sym_key(
PK11_KeyGen(slot.get(), mech, nullptr, 8, nullptr));
EXPECT_TRUE(!!sym_key);
std::vector<uint8_t> data(16);
std::vector<uint8_t> output(16);
SECItem params = {siBuffer, iv.data(),
static_cast<unsigned int>(iv.size())};
// Try to encrypt.
unsigned int output_len = 0;
return PK11_Encrypt(sym_key.get(), mech, &params, output.data(),
&output_len, output.size(), data.data(), data.size());
}
};
TEST_F(Pkcs11DesTest, ZeroLengthIV) {
std::vector<uint8_t> iv(0);
EXPECT_EQ(SECFailure, EncryptWithIV(iv, CKM_DES_CBC));
EXPECT_EQ(SECFailure, EncryptWithIV(iv, CKM_DES3_CBC));
}
TEST_F(Pkcs11DesTest, IVTooShort) {
std::vector<uint8_t> iv(7);
EXPECT_EQ(SECFailure, EncryptWithIV(iv, CKM_DES_CBC));
EXPECT_EQ(SECFailure, EncryptWithIV(iv, CKM_DES3_CBC));
}
TEST_F(Pkcs11DesTest, WrongLengthIV) {
// We tolerate IVs > 8
std::vector<uint8_t> iv(15, 0);
EXPECT_EQ(SECSuccess, EncryptWithIV(iv, CKM_DES_CBC));
EXPECT_EQ(SECSuccess, EncryptWithIV(iv, CKM_DES3_CBC));
}
TEST_F(Pkcs11DesTest, AllGood) {
std::vector<uint8_t> iv(8, 0);
EXPECT_EQ(SECSuccess, EncryptWithIV(iv, CKM_DES_CBC));
EXPECT_EQ(SECSuccess, EncryptWithIV(iv, CKM_DES3_CBC));
}
} // namespace nss_test
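Review bot: `EncryptWithIV` continues after `EXPECT_TRUE(!!sym_key)` and hands `sym_key.get()` to `PK11_Encrypt`, so a key-generation failure (no internal slot, keygen refused) becomes a null-pointer dereference inside the test instead of a clean failure; add `if (!sym_key) return SECFailure;` right after the EXPECT. Two smaller points: `iv` is only read, so take it as `const std::vector<uint8_t>&`, and the test named `WrongLengthIV` asserts `SECSuccess` for a 15-byte IV, so the name says the opposite of what it checks; `LongIVTolerated` (keeping the comment) reads correctly. Finally, `PK11_KeyGen(..., mech, nullptr, 8, nullptr)` passes a key size of 8 for both `CKM_DES_CBC` and `CKM_DES3_CBC`; confirm softoken ignores the size for the fixed-length DES3 keygen mechanism, or simply pass 0 ("use the mechanism default") so the question does not arise.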

View file

@ -20,6 +20,7 @@
'pk11_cipherop_unittest.cc',
'pk11_curve25519_unittest.cc',
'pk11_der_private_key_import_unittest.cc',
'pk11_des_unittest.cc',
'pk11_ecdsa_unittest.cc',
'pk11_encrypt_derive_unittest.cc',
'pk11_find_certs_unittest.cc',

View file

@ -286,6 +286,9 @@ bool TlsAgent::EnsureTlsSetup(PRFileDesc* modelSocket) {
EXPECT_EQ(SECSuccess, rv);
if (rv != SECSuccess) return false;
// All these tests depend on having this disabled to start with.
SetOption(SSL_ENABLE_EXTENDED_MASTER_SECRET, PR_FALSE);
return true;
}
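Review bot: forcing `SSL_ENABLE_EXTENDED_MASTER_SECRET` to `PR_FALSE` in `EnsureTlsSetup` means every gtest agent now runs with EMS off, the opposite of the library default that Bug 1575411 just landed, so the shipped configuration (EMS on) is exercised only by the tests that explicitly flip it back. Reference the bug in the comment and make sure at least one connect test leaves the default alone; otherwise a regression in the default-on path would be invisible to the suite.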

View file

@ -4,8 +4,6 @@
* License, v. 2.0. If a copy of the MPL was not distributed with this file,
* You can obtain one at http://mozilla.org/MPL/2.0/. */
#include <ctime>
#include "secerr.h"
#include "ssl.h"
@ -57,7 +55,7 @@ static void UpdateEsniKeysChecksum(DataBuffer* buf) {
buf->Write(2, sha256, 4);
}
static void GenerateEsniKey(time_t windowStart, SSLNamedGroup group,
static void GenerateEsniKey(PRTime now, SSLNamedGroup group,
std::vector<uint16_t>& cipher_suites,
DataBuffer* record,
ScopedSECKEYPublicKey* pubKey = nullptr,
@ -73,8 +71,9 @@ static void GenerateEsniKey(time_t windowStart, SSLNamedGroup group,
unsigned int encoded_len = 0;
SECStatus rv = SSL_EncodeESNIKeys(
&cipher_suites[0], cipher_suites.size(), group, pub, 100, windowStart,
windowStart + 10, encoded, &encoded_len, sizeof(encoded));
&cipher_suites[0], cipher_suites.size(), group, pub, 100,
(now / PR_USEC_PER_SEC) - 1, (now / PR_USEC_PER_SEC) + 10, encoded,
&encoded_len, sizeof(encoded));
ASSERT_EQ(SECSuccess, rv);
ASSERT_GT(encoded_len, 0U);
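Review bot: `(now / PR_USEC_PER_SEC) - 1` and `(now / PR_USEC_PER_SEC) + 10` are magic numbers, and the identical expression is copied verbatim into `ConnectEsniCSMismatch` further down. Give the one-second skew allowance and the ten-second window names (for example `kEsniNotBeforeSkewSecs` and `kEsniWindowSecs`, names are a suggestion) and add a small helper that returns the notBefore/notAfter pair from a `PRTime`, so the rollover rule explained in the commit message lives in exactly one place.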
@ -92,15 +91,15 @@ static void GenerateEsniKey(time_t windowStart, SSLNamedGroup group,
record->Write(0, encoded, encoded_len);
}
static void SetupEsni(const std::shared_ptr<TlsAgent>& client,
static void SetupEsni(PRTime now, const std::shared_ptr<TlsAgent>& client,
const std::shared_ptr<TlsAgent>& server,
SSLNamedGroup group = ssl_grp_ec_curve25519) {
ScopedSECKEYPublicKey pub;
ScopedSECKEYPrivateKey priv;
DataBuffer record;
GenerateEsniKey(time(nullptr), ssl_grp_ec_curve25519, kDefaultSuites, &record,
&pub, &priv);
GenerateEsniKey(now, ssl_grp_ec_curve25519, kDefaultSuites, &record, &pub,
&priv);
SECStatus rv = SSL_SetESNIKeyPair(server->ssl_fd(), priv.get(), record.data(),
record.len());
ASSERT_EQ(SECSuccess, rv);
@ -124,77 +123,87 @@ static void CheckSniExtension(const DataBuffer& data) {
ASSERT_EQ(expected, name);
}
static void ClientInstallEsni(std::shared_ptr<TlsAgent>& agent,
const DataBuffer& record, PRErrorCode err = 0) {
SECStatus rv =
SSL_EnableESNI(agent->ssl_fd(), record.data(), record.len(), kDummySni);
if (err == 0) {
ASSERT_EQ(SECSuccess, rv);
} else {
ASSERT_EQ(SECFailure, rv);
ASSERT_EQ(err, PORT_GetError());
}
}
class TlsAgentEsniTest : public TlsAgentTestClient13 {
public:
void SetUp() override { now_ = PR_Now(); }
TEST_P(TlsAgentTestClient13, EsniInstall) {
protected:
PRTime now() const { return now_; }
void InstallEsni(const DataBuffer& record, PRErrorCode err = 0) {
SECStatus rv = SSL_EnableESNI(agent_->ssl_fd(), record.data(), record.len(),
kDummySni);
if (err == 0) {
ASSERT_EQ(SECSuccess, rv);
} else {
ASSERT_EQ(SECFailure, rv);
ASSERT_EQ(err, PORT_GetError());
}
}
private:
PRTime now_ = 0;
};
TEST_P(TlsAgentEsniTest, EsniInstall) {
EnsureInit();
DataBuffer record;
GenerateEsniKey(time(0), ssl_grp_ec_curve25519, kDefaultSuites, &record);
ClientInstallEsni(agent_, record);
GenerateEsniKey(now(), ssl_grp_ec_curve25519, kDefaultSuites, &record);
InstallEsni(record);
}
// The next set of tests fail at setup time.
TEST_P(TlsAgentTestClient13, EsniInvalidHash) {
TEST_P(TlsAgentEsniTest, EsniInvalidHash) {
EnsureInit();
DataBuffer record;
GenerateEsniKey(time(0), ssl_grp_ec_curve25519, kDefaultSuites, &record);
record.data()[2]++;
ClientInstallEsni(agent_, record, SSL_ERROR_RX_MALFORMED_ESNI_KEYS);
InstallEsni(record, SSL_ERROR_RX_MALFORMED_ESNI_KEYS);
}
TEST_P(TlsAgentTestClient13, EsniInvalidVersion) {
TEST_P(TlsAgentEsniTest, EsniInvalidVersion) {
EnsureInit();
DataBuffer record;
GenerateEsniKey(time(0), ssl_grp_ec_curve25519, kDefaultSuites, &record);
GenerateEsniKey(now(), ssl_grp_ec_curve25519, kDefaultSuites, &record);
record.Write(0, 0xffff, 2);
ClientInstallEsni(agent_, record, SSL_ERROR_UNSUPPORTED_VERSION);
InstallEsni(record, SSL_ERROR_UNSUPPORTED_VERSION);
}
TEST_P(TlsAgentTestClient13, EsniShort) {
TEST_P(TlsAgentEsniTest, EsniShort) {
EnsureInit();
DataBuffer record;
GenerateEsniKey(time(0), ssl_grp_ec_curve25519, kDefaultSuites, &record);
GenerateEsniKey(now(), ssl_grp_ec_curve25519, kDefaultSuites, &record);
record.Truncate(record.len() - 1);
UpdateEsniKeysChecksum(&record);
ClientInstallEsni(agent_, record, SSL_ERROR_RX_MALFORMED_ESNI_KEYS);
InstallEsni(record, SSL_ERROR_RX_MALFORMED_ESNI_KEYS);
}
TEST_P(TlsAgentTestClient13, EsniLong) {
TEST_P(TlsAgentEsniTest, EsniLong) {
EnsureInit();
DataBuffer record;
GenerateEsniKey(time(0), ssl_grp_ec_curve25519, kDefaultSuites, &record);
GenerateEsniKey(now(), ssl_grp_ec_curve25519, kDefaultSuites, &record);
record.Write(record.len(), 1, 1);
UpdateEsniKeysChecksum(&record);
ClientInstallEsni(agent_, record, SSL_ERROR_RX_MALFORMED_ESNI_KEYS);
InstallEsni(record, SSL_ERROR_RX_MALFORMED_ESNI_KEYS);
}
TEST_P(TlsAgentTestClient13, EsniExtensionMismatch) {
TEST_P(TlsAgentEsniTest, EsniExtensionMismatch) {
EnsureInit();
DataBuffer record;
GenerateEsniKey(time(0), ssl_grp_ec_curve25519, kDefaultSuites, &record);
GenerateEsniKey(now(), ssl_grp_ec_curve25519, kDefaultSuites, &record);
record.Write(record.len() - 1, 1, 1);
UpdateEsniKeysChecksum(&record);
ClientInstallEsni(agent_, record, SSL_ERROR_RX_MALFORMED_ESNI_KEYS);
InstallEsni(record, SSL_ERROR_RX_MALFORMED_ESNI_KEYS);
}
// The following tests fail by ignoring the Esni block.
TEST_P(TlsAgentTestClient13, EsniUnknownGroup) {
TEST_P(TlsAgentEsniTest, EsniUnknownGroup) {
EnsureInit();
DataBuffer record;
GenerateEsniKey(time(0), ssl_grp_ec_curve25519, kDefaultSuites, &record);
GenerateEsniKey(now(), ssl_grp_ec_curve25519, kDefaultSuites, &record);
record.Write(8, 0xffff, 2); // Fake group
UpdateEsniKeysChecksum(&record);
ClientInstallEsni(agent_, record, 0);
InstallEsni(record, 0);
auto filter =
MakeTlsFilter<TlsExtensionCapture>(agent_, ssl_tls13_encrypted_sni_xtn);
agent_->Handshake();
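Review bot: `TlsAgentEsniTest::SetUp` overrides the fixture's `SetUp` without calling `TlsAgentTestClient13::SetUp()`; if the base class does any setup there, it is now skipped for every ESNI agent test, so either chain to the base or initialise `now_` in the constructor. Separately, `TEST_P` on the new `TlsAgentEsniTest` fixture needs an `INSTANTIATE_TEST_SUITE_P` for that fixture, which does not appear in the hunks shown; without it none of these parameterized tests run, and newer gtest reports the uninstantiated suite as a failure.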
@ -202,11 +211,11 @@ TEST_P(TlsAgentTestClient13, EsniUnknownGroup) {
ASSERT_TRUE(!filter->captured());
}
TEST_P(TlsAgentTestClient13, EsniUnknownCS) {
TEST_P(TlsAgentEsniTest, EsniUnknownCS) {
EnsureInit();
DataBuffer record;
GenerateEsniKey(time(0), ssl_grp_ec_curve25519, kBogusSuites, &record);
ClientInstallEsni(agent_, record, 0);
GenerateEsniKey(now(), ssl_grp_ec_curve25519, kBogusSuites, &record);
InstallEsni(record, 0);
auto filter =
MakeTlsFilter<TlsExtensionCapture>(agent_, ssl_tls13_encrypted_sni_xtn);
agent_->Handshake();
@ -214,12 +223,12 @@ TEST_P(TlsAgentTestClient13, EsniUnknownCS) {
ASSERT_TRUE(!filter->captured());
}
TEST_P(TlsAgentTestClient13, EsniInvalidCS) {
TEST_P(TlsAgentEsniTest, EsniInvalidCS) {
EnsureInit();
DataBuffer record;
GenerateEsniKey(time(0), ssl_grp_ec_curve25519, kTls12Suites, &record);
GenerateEsniKey(now(), ssl_grp_ec_curve25519, kTls12Suites, &record);
UpdateEsniKeysChecksum(&record);
ClientInstallEsni(agent_, record, 0);
InstallEsni(record, 0);
auto filter =
MakeTlsFilter<TlsExtensionCapture>(agent_, ssl_tls13_encrypted_sni_xtn);
agent_->Handshake();
@ -227,36 +236,34 @@ TEST_P(TlsAgentTestClient13, EsniInvalidCS) {
ASSERT_TRUE(!filter->captured());
}
TEST_P(TlsAgentTestClient13, EsniNotReady) {
TEST_P(TlsAgentEsniTest, EsniNotReady) {
EnsureInit();
DataBuffer record;
GenerateEsniKey(time(0) + 1000, ssl_grp_ec_curve25519, kDefaultSuites,
&record);
ClientInstallEsni(agent_, record, 0);
GenerateEsniKey(now() + 1000, ssl_grp_ec_curve25519, kDefaultSuites, &record);
InstallEsni(record, 0);
auto filter =
MakeTlsFilter<TlsExtensionCapture>(agent_, ssl_tls13_encrypted_sni_xtn);
agent_->Handshake();
ASSERT_TRUE(!filter->captured());
}
TEST_P(TlsAgentTestClient13, EsniExpired) {
TEST_P(TlsAgentEsniTest, EsniExpired) {
EnsureInit();
DataBuffer record;
GenerateEsniKey(time(0) - 1000, ssl_grp_ec_curve25519, kDefaultSuites,
&record);
ClientInstallEsni(agent_, record, 0);
GenerateEsniKey(now() - 1000, ssl_grp_ec_curve25519, kDefaultSuites, &record);
InstallEsni(record, 0);
auto filter =
MakeTlsFilter<TlsExtensionCapture>(agent_, ssl_tls13_encrypted_sni_xtn);
agent_->Handshake();
ASSERT_TRUE(!filter->captured());
}
TEST_P(TlsAgentTestClient13, NoSniSoNoEsni) {
TEST_P(TlsAgentEsniTest, NoSniSoNoEsni) {
EnsureInit();
DataBuffer record;
GenerateEsniKey(time(0), ssl_grp_ec_curve25519, kDefaultSuites, &record);
GenerateEsniKey(now(), ssl_grp_ec_curve25519, kDefaultSuites, &record);
SSL_SetURL(agent_->ssl_fd(), "");
ClientInstallEsni(agent_, record, 0);
InstallEsni(record, 0);
auto filter =
MakeTlsFilter<TlsExtensionCapture>(agent_, ssl_tls13_encrypted_sni_xtn);
agent_->Handshake();
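Review bot: `now() + 1000` in `EsniNotReady` is not equivalent to the old `time(0) + 1000`: `now()` is a `PRTime` in microseconds (`GenerateEsniKey` divides it by `PR_USEC_PER_SEC`), so this shifts the key by one millisecond, and once the one-second skew is subtracted from notBefore the key is valid immediately; the same applies to `now() - 1000` in `EsniExpired`, which still lands inside the ten-second window. If these tests still pass, they pass for a reason other than the key being outside its validity period. Use `now() + 1000 * PR_USEC_PER_SEC` and `now() - 1000 * PR_USEC_PER_SEC` so the offsets stay well outside the `[now - 1, now + 10]` window that `GenerateEsniKey` encodes.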
@ -275,7 +282,7 @@ static int32_t SniCallback(TlsAgent* agent, const SECItem* srvNameAddr,
TEST_P(TlsConnectTls13, ConnectEsni) {
EnsureTlsSetup();
SetupEsni(client_, server_);
SetupEsni(now(), client_, server_);
auto cFilterSni =
MakeTlsFilter<TlsExtensionCapture>(client_, ssl_server_name_xtn);
auto cFilterEsni =
@ -300,7 +307,7 @@ TEST_P(TlsConnectTls13, ConnectEsniHrr) {
EnsureTlsSetup();
const std::vector<SSLNamedGroup> groups = {ssl_grp_ec_secp384r1};
server_->ConfigNamedGroups(groups);
SetupEsni(client_, server_);
SetupEsni(now(), client_, server_);
auto hrr_capture = MakeTlsFilter<TlsHandshakeRecorder>(
server_, kTlsHandshakeHelloRetryRequest);
auto filter =
@ -322,8 +329,8 @@ TEST_P(TlsConnectTls13, ConnectEsniNoDummy) {
ScopedSECKEYPrivateKey priv;
DataBuffer record;
GenerateEsniKey(time(nullptr), ssl_grp_ec_curve25519, kDefaultSuites, &record,
&pub, &priv);
GenerateEsniKey(now(), ssl_grp_ec_curve25519, kDefaultSuites, &record, &pub,
&priv);
SECStatus rv = SSL_SetESNIKeyPair(server_->ssl_fd(), priv.get(),
record.data(), record.len());
ASSERT_EQ(SECSuccess, rv);
@ -346,8 +353,8 @@ TEST_P(TlsConnectTls13, ConnectEsniNullDummy) {
ScopedSECKEYPrivateKey priv;
DataBuffer record;
GenerateEsniKey(time(nullptr), ssl_grp_ec_curve25519, kDefaultSuites, &record,
&pub, &priv);
GenerateEsniKey(now(), ssl_grp_ec_curve25519, kDefaultSuites, &record, &pub,
&priv);
SECStatus rv = SSL_SetESNIKeyPair(server_->ssl_fd(), priv.get(),
record.data(), record.len());
ASSERT_EQ(SECSuccess, rv);
@ -372,14 +379,15 @@ TEST_P(TlsConnectTls13, ConnectEsniCSMismatch) {
ScopedSECKEYPrivateKey priv;
DataBuffer record;
GenerateEsniKey(time(nullptr), ssl_grp_ec_curve25519, kDefaultSuites, &record,
&pub, &priv);
GenerateEsniKey(now(), ssl_grp_ec_curve25519, kDefaultSuites, &record, &pub,
&priv);
PRUint8 encoded[1024];
unsigned int encoded_len = 0;
SECStatus rv = SSL_EncodeESNIKeys(
&kChaChaSuite[0], kChaChaSuite.size(), ssl_grp_ec_curve25519, pub.get(),
100, time(0), time(0) + 10, encoded, &encoded_len, sizeof(encoded));
100, (now() / PR_USEC_PER_SEC) - 1, (now() / PR_USEC_PER_SEC) + 10,
encoded, &encoded_len, sizeof(encoded));
ASSERT_EQ(SECSuccess, rv);
ASSERT_LT(0U, encoded_len);
rv = SSL_SetESNIKeyPair(server_->ssl_fd(), priv.get(), encoded, encoded_len);
@ -392,7 +400,7 @@ TEST_P(TlsConnectTls13, ConnectEsniCSMismatch) {
TEST_P(TlsConnectTls13, ConnectEsniP256) {
EnsureTlsSetup();
SetupEsni(client_, server_, ssl_grp_ec_secp256r1);
SetupEsni(now(), client_, server_, ssl_grp_ec_secp256r1);
auto cfilter =
MakeTlsFilter<TlsExtensionCapture>(client_, ssl_server_name_xtn);
auto sfilter =
@ -405,18 +413,21 @@ TEST_P(TlsConnectTls13, ConnectEsniP256) {
TEST_P(TlsConnectTls13, ConnectMismatchedEsniKeys) {
EnsureTlsSetup();
SetupEsni(client_, server_);
SetupEsni(now(), client_, server_);
// Now install a new set of keys on the client, so we have a mismatch.
DataBuffer record;
GenerateEsniKey(time(0), ssl_grp_ec_curve25519, kDefaultSuites, &record);
ClientInstallEsni(client_, record, 0);
GenerateEsniKey(now(), ssl_grp_ec_curve25519, kDefaultSuites, &record);
SECStatus rv =
SSL_EnableESNI(client_->ssl_fd(), record.data(), record.len(), kDummySni);
ASSERT_EQ(SECSuccess, rv);
ConnectExpectAlert(server_, illegal_parameter);
server_->CheckErrorCode(SSL_ERROR_RX_MALFORMED_CLIENT_HELLO);
}
TEST_P(TlsConnectTls13, ConnectDamagedEsniExtensionCH) {
EnsureTlsSetup();
SetupEsni(client_, server_);
SetupEsni(now(), client_, server_);
auto filter = MakeTlsFilter<TlsExtensionDamager>(
client_, ssl_tls13_encrypted_sni_xtn, 50); // in the ciphertext
ConnectExpectAlert(server_, illegal_parameter);
@ -425,7 +436,7 @@ TEST_P(TlsConnectTls13, ConnectDamagedEsniExtensionCH) {
TEST_P(TlsConnectTls13, ConnectRemoveEsniExtensionEE) {
EnsureTlsSetup();
SetupEsni(client_, server_);
SetupEsni(now(), client_, server_);
auto filter =
MakeTlsFilter<TlsExtensionDropper>(server_, ssl_tls13_encrypted_sni_xtn);
filter->EnableDecryption();
@ -435,7 +446,7 @@ TEST_P(TlsConnectTls13, ConnectRemoveEsniExtensionEE) {
TEST_P(TlsConnectTls13, ConnectShortEsniExtensionEE) {
EnsureTlsSetup();
SetupEsni(client_, server_);
SetupEsni(now(), client_, server_);
DataBuffer shortNonce;
auto filter = MakeTlsFilter<TlsExtensionReplacer>(
server_, ssl_tls13_encrypted_sni_xtn, shortNonce);
@ -446,7 +457,7 @@ TEST_P(TlsConnectTls13, ConnectShortEsniExtensionEE) {
TEST_P(TlsConnectTls13, ConnectBogusEsniExtensionEE) {
EnsureTlsSetup();
SetupEsni(client_, server_);
SetupEsni(now(), client_, server_);
const uint8_t bogusNonceBuf[16] = {0};
DataBuffer bogusNonce(bogusNonceBuf, sizeof(bogusNonceBuf));
auto filter = MakeTlsFilter<TlsExtensionReplacer>(
@ -461,7 +472,7 @@ TEST_P(TlsConnectTls13, ConnectBogusEsniExtensionEE) {
// The client then aborts when it sees the server did TLS 1.2.
TEST_P(TlsConnectTls13, EsniButTLS12Server) {
EnsureTlsSetup();
SetupEsni(client_, server_);
SetupEsni(now(), client_, server_);
client_->SetVersionRange(SSL_LIBRARY_VERSION_TLS_1_2,
SSL_LIBRARY_VERSION_TLS_1_3);
server_->SetVersionRange(SSL_LIBRARY_VERSION_TLS_1_2,

View file

@ -5,9 +5,10 @@
#include "secerr.h"
#include "rijndael.h"
#if (defined(__clang__) || \
(defined(__GNUC__) && defined(__GNUC_MINOR__) && \
(__GNUC__ > 4 || (__GNUC__ == 4 && __GNUC_MINOR__ > 8))))
#if ((defined(__clang__) || \
(defined(__GNUC__) && defined(__GNUC_MINOR__) && \
(__GNUC__ > 4 || (__GNUC__ == 4 && __GNUC_MINOR__ > 8)))) && \
(defined(__ARM_NEON) || defined(__ARM_NEON__)))
#ifndef __ARM_FEATURE_CRYPTO
#error "Compiler option is invalid"
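Review bot: gating the whole file on `__ARM_NEON`/`__ARM_NEON__` fixes the non-NEON build, but the companion check in rijndael.c that decides whether `USE_HW_AES` is defined is not in the hunks shown. If the two conditions ever drift apart (one adds `__ARM_FEATURE_CRYPTO`, the other does not), rijndael.c will reference `arm_aes_*` symbols that this file no longer compiles, and the failure is a link error that only shows up on that one configuration. Consider defining a single availability macro in rijndael.h (say `NSS_ARM_HW_AES_AVAILABLE`, name is a suggestion) and testing that in both files.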
@ -28,7 +29,7 @@ arm_aes_encrypt_ecb_128(AESContext *cx, unsigned char *output,
#endif
uint8x16_t key1, key2, key3, key4, key5, key6, key7, key8, key9, key10;
uint8x16_t key11;
const PRUint8 *key = (const PRUint8 *)cx->expandedKey;
const PRUint8 *key = (const PRUint8 *)cx->k.expandedKey;
if (!inputLen) {
return SECSuccess;
@ -113,7 +114,7 @@ arm_aes_decrypt_ecb_128(AESContext *cx, unsigned char *output,
#endif
uint8x16_t key1, key2, key3, key4, key5, key6, key7, key8, key9, key10;
uint8x16_t key11;
const PRUint8 *key = (const PRUint8 *)cx->expandedKey;
const PRUint8 *key = (const PRUint8 *)cx->k.expandedKey;
if (inputLen == 0) {
return SECSuccess;
@ -199,7 +200,7 @@ arm_aes_encrypt_cbc_128(AESContext *cx, unsigned char *output,
uint8x16_t key1, key2, key3, key4, key5, key6, key7, key8, key9, key10;
uint8x16_t key11;
uint8x16_t iv;
const PRUint8 *key = (const PRUint8 *)cx->expandedKey;
const PRUint8 *key = (const PRUint8 *)cx->k.expandedKey;
if (!inputLen) {
return SECSuccess;
@ -293,7 +294,7 @@ arm_aes_decrypt_cbc_128(AESContext *cx, unsigned char *output,
uint8x16_t iv;
uint8x16_t key1, key2, key3, key4, key5, key6, key7, key8, key9, key10;
uint8x16_t key11;
const PRUint8 *key = (const PRUint8 *)cx->expandedKey;
const PRUint8 *key = (const PRUint8 *)cx->k.expandedKey;
if (!inputLen) {
return SECSuccess;
@ -388,7 +389,7 @@ arm_aes_encrypt_ecb_192(AESContext *cx, unsigned char *output,
#endif
uint8x16_t key1, key2, key3, key4, key5, key6, key7, key8, key9, key10;
uint8x16_t key11, key12, key13;
PRUint8 *key = (PRUint8 *)cx->expandedKey;
PRUint8 *key = (PRUint8 *)cx->k.expandedKey;
if (!inputLen) {
return SECSuccess;
@ -479,7 +480,7 @@ arm_aes_decrypt_ecb_192(AESContext *cx, unsigned char *output,
#endif
uint8x16_t key1, key2, key3, key4, key5, key6, key7, key8, key9, key10;
uint8x16_t key11, key12, key13;
const PRUint8 *key = (const PRUint8 *)cx->expandedKey;
const PRUint8 *key = (const PRUint8 *)cx->k.expandedKey;
if (!inputLen) {
return SECSuccess;
@ -571,7 +572,7 @@ arm_aes_encrypt_cbc_192(AESContext *cx, unsigned char *output,
uint8x16_t key1, key2, key3, key4, key5, key6, key7, key8, key9, key10;
uint8x16_t key11, key12, key13;
uint8x16_t iv;
PRUint8 *key = (PRUint8 *)cx->expandedKey;
PRUint8 *key = (PRUint8 *)cx->k.expandedKey;
if (!inputLen) {
return SECSuccess;
@ -670,7 +671,7 @@ arm_aes_decrypt_cbc_192(AESContext *cx, unsigned char *output,
uint8x16_t iv;
uint8x16_t key1, key2, key3, key4, key5, key6, key7, key8, key9, key10;
uint8x16_t key11, key12, key13;
const PRUint8 *key = (const PRUint8 *)cx->expandedKey;
const PRUint8 *key = (const PRUint8 *)cx->k.expandedKey;
if (!inputLen) {
return SECSuccess;
@ -771,7 +772,7 @@ arm_aes_encrypt_ecb_256(AESContext *cx, unsigned char *output,
#endif
uint8x16_t key1, key2, key3, key4, key5, key6, key7, key8, key9, key10;
uint8x16_t key11, key12, key13, key14, key15;
PRUint8 *key = (PRUint8 *)cx->expandedKey;
PRUint8 *key = (PRUint8 *)cx->k.expandedKey;
if (inputLen == 0) {
return SECSuccess;
@ -867,7 +868,7 @@ arm_aes_decrypt_ecb_256(AESContext *cx, unsigned char *output,
#endif
uint8x16_t key1, key2, key3, key4, key5, key6, key7, key8, key9, key10;
uint8x16_t key11, key12, key13, key14, key15;
const PRUint8 *key = (const PRUint8 *)cx->expandedKey;
const PRUint8 *key = (const PRUint8 *)cx->k.expandedKey;
if (!inputLen) {
return SECSuccess;
@ -965,7 +966,7 @@ arm_aes_encrypt_cbc_256(AESContext *cx, unsigned char *output,
uint8x16_t key1, key2, key3, key4, key5, key6, key7, key8, key9, key10;
uint8x16_t key11, key12, key13, key14, key15;
uint8x16_t iv;
const PRUint8 *key = (const PRUint8 *)cx->expandedKey;
const PRUint8 *key = (const PRUint8 *)cx->k.expandedKey;
if (!inputLen) {
return SECSuccess;
@ -1071,7 +1072,7 @@ arm_aes_decrypt_cbc_256(AESContext *cx, unsigned char *output,
uint8x16_t iv;
uint8x16_t key1, key2, key3, key4, key5, key6, key7, key8, key9, key10;
uint8x16_t key11, key12, key13, key14, key15;
const PRUint8 *key = (const PRUint8 *)cx->expandedKey;
const PRUint8 *key = (const PRUint8 *)cx->k.expandedKey;
if (!inputLen) {
return SECSuccess;
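Review bot: the touched lines in the 192-bit and 256-bit ECB/CBC encrypt paths (`PRUint8 *key = (PRUint8 *)cx->k.expandedKey;`) drop `const` while every other variant in this file uses `const PRUint8 *`. Since this change rewrites all twelve of these lines anyway, make them all `const` so the expanded round keys cannot be written through this pointer.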

View file

@ -21,7 +21,7 @@
static void
native_key_expansion128(AESContext *cx, const unsigned char *key)
{
__m128i *keySchedule = cx->keySchedule;
__m128i *keySchedule = cx->k.keySchedule;
pre_align __m128i tmp_key post_align;
pre_align __m128i tmp post_align;
keySchedule[0] = _mm_loadu_si128((__m128i *)key);
@ -61,7 +61,7 @@ native_key_expansion128(AESContext *cx, const unsigned char *key)
static void
native_key_expansion192(AESContext *cx, const unsigned char *key)
{
__m128i *keySchedule = cx->keySchedule;
__m128i *keySchedule = cx->k.keySchedule;
pre_align __m128i tmp1 post_align;
pre_align __m128i tmp2 post_align;
pre_align __m128i tmp3 post_align;
@ -96,7 +96,7 @@ native_key_expansion192(AESContext *cx, const unsigned char *key)
static void
native_key_expansion256(AESContext *cx, const unsigned char *key)
{
__m128i *keySchedule = cx->keySchedule;
__m128i *keySchedule = cx->k.keySchedule;
pre_align __m128i tmp_key post_align;
pre_align __m128i tmp1 post_align;
pre_align __m128i tmp2 post_align;
@ -148,10 +148,10 @@ rijndael_native_encryptBlock(AESContext *cx,
{
int i;
pre_align __m128i m post_align = _mm_loadu_si128((__m128i *)input);
m = _mm_xor_si128(m, cx->keySchedule[0]);
m = _mm_xor_si128(m, cx->k.keySchedule[0]);
for (i = 1; i < cx->Nr; ++i) {
m = _mm_aesenc_si128(m, cx->keySchedule[i]);
m = _mm_aesenc_si128(m, cx->k.keySchedule[i]);
}
m = _mm_aesenclast_si128(m, cx->keySchedule[cx->Nr]);
m = _mm_aesenclast_si128(m, cx->k.keySchedule[cx->Nr]);
_mm_storeu_si128((__m128i *)output, m);
}

View file

@ -90,12 +90,7 @@ EXTRA_SHARED_LIBS += \
endif
endif
ifeq (,$(filter-out DragonFly FreeBSD Linux NetBSD OpenBSD, $(OS_TARGET)))
CFLAGS += -std=gnu99
endif
ifeq ($(OS_ARCH), Darwin)
CFLAGS += -std=gnu99
EXTRA_SHARED_LIBS += -dylib_file @executable_path/libplc4.dylib:$(DIST)/lib/libplc4.dylib -dylib_file @executable_path/libplds4.dylib:$(DIST)/lib/libplds4.dylib
endif
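Review bot: dropping `-std=gnu99` for DragonFly/FreeBSD/Linux/NetBSD/OpenBSD while keeping `CFLAGS += -std=gnu99` inside the `ifeq ($(OS_ARCH), Darwin)` branch is inconsistent with the gyp hunk further down, which removes the equivalent mac `OTHER_CFLAGS` entry as well. Either remove the Darwin line here too, or add a comment saying why the Makefile build on Darwin still needs the explicit standard; otherwise the two build systems compile freebl with different language standards on macOS without anyone noticing.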

View file

@ -361,15 +361,6 @@
'MP_API_COMPATIBLE'
],
'conditions': [
[ 'OS=="mac"', {
'xcode_settings': {
# I'm not sure since when this is supported.
# But I hope that doesn't matter. We also assume this is x86/x64.
'OTHER_CFLAGS': [
'-std=gnu99',
],
},
}],
[ 'OS=="win" and target_arch=="ia32"', {
'msvs_settings': {
'VCCLCompilerTool': {
@ -424,14 +415,6 @@
'FREEBL_LOWHASH',
'FREEBL_NO_DEPEND',
],
'cflags': [
'-std=gnu99',
],
}],
[ 'OS=="dragonfly" or OS=="freebsd" or OS=="netbsd" or OS=="openbsd"', {
'cflags': [
'-std=gnu99',
],
}],
[ 'OS=="linux" or OS=="android"', {
'conditions': [

View file

@ -123,21 +123,21 @@ SECStatus intel_aes_encrypt_ctr_256(CTRContext *cx, unsigned char *output,
: (nr) == 12 ? intel_aes_encrypt_ctr_192 \
: intel_aes_encrypt_ctr_256)
#define native_aes_init(encrypt, keysize) \
do { \
if (encrypt) { \
if (keysize == 16) \
intel_aes_encrypt_init_128(key, cx->expandedKey); \
else if (keysize == 24) \
intel_aes_encrypt_init_192(key, cx->expandedKey); \
else \
intel_aes_encrypt_init_256(key, cx->expandedKey); \
} else { \
if (keysize == 16) \
intel_aes_decrypt_init_128(key, cx->expandedKey); \
else if (keysize == 24) \
intel_aes_decrypt_init_192(key, cx->expandedKey); \
else \
intel_aes_decrypt_init_256(key, cx->expandedKey); \
} \
#define native_aes_init(encrypt, keysize) \
do { \
if (encrypt) { \
if (keysize == 16) \
intel_aes_encrypt_init_128(key, cx->k.expandedKey); \
else if (keysize == 24) \
intel_aes_encrypt_init_192(key, cx->k.expandedKey); \
else \
intel_aes_encrypt_init_256(key, cx->k.expandedKey); \
} else { \
if (keysize == 16) \
intel_aes_decrypt_init_128(key, cx->k.expandedKey); \
else if (keysize == 24) \
intel_aes_decrypt_init_192(key, cx->k.expandedKey); \
else \
intel_aes_decrypt_init_256(key, cx->k.expandedKey); \
} \
} while (0)

View file

@ -89,7 +89,7 @@ intel_AES_GCM_CreateContext(void *context,
gcm->Mlen = 0;
/* first prepare H and its derivatives for ghash */
intel_aes_gcmINIT(gcm->Htbl, (unsigned char *)aes->expandedKey, aes->Nr);
intel_aes_gcmINIT(gcm->Htbl, (unsigned char *)aes->k.expandedKey, aes->Nr);
/* Initial TAG value is zero */
_mm_storeu_si128((__m128i *)gcm->T, _mm_setzero_si128());

View file

@ -20,7 +20,8 @@
#include "gcm.h"
#include "mpi.h"
#if !defined(IS_LITTLE_ENDIAN) && !defined(NSS_X86_OR_X64)
#if (!defined(IS_LITTLE_ENDIAN) && !defined(NSS_X86_OR_X64)) || \
(defined(__arm__) && !defined(__ARM_NEON) && !defined(__ARM_NEON__))
// not test yet on big endian platform of arm
#undef USE_HW_AES
#endif
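Review bot: the comment `// not test yet on big endian platform of arm` does not describe the condition it sits under. The added clause `defined(__arm__) && !defined(__ARM_NEON) && !defined(__ARM_NEON__)` disables `USE_HW_AES` on 32-bit ARM builds that lack NEON, regardless of endianness, while the original clause covers non-x86 big-endian targets. Reword it so each half of the `#if` is explained, e.g. "hardware AES needs NEON, so disable it on ARM targets built without it; big-endian ARM is also untested".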
@ -330,7 +331,7 @@ rijndael_key_expansion7(AESContext *cx, const unsigned char *key, unsigned int N
PRUint32 *W;
PRUint32 *pW;
PRUint32 tmp;
W = cx->expandedKey;
W = cx->k.expandedKey;
/* 1. the first Nk words contain the cipher key */
memcpy(W, key, Nk * 4);
i = Nk;
@ -362,7 +363,7 @@ rijndael_key_expansion(AESContext *cx, const unsigned char *key, unsigned int Nk
rijndael_key_expansion7(cx, key, Nk);
return;
}
W = cx->expandedKey;
W = cx->k.expandedKey;
/* The first Nk words contain the input cipher key */
memcpy(W, key, Nk * 4);
i = Nk;
@ -439,7 +440,7 @@ rijndael_invkey_expansion(AESContext *cx, const unsigned char *key, unsigned int
/* ... but has the additional step of InvMixColumn,
* excepting the first and last round keys.
*/
roundkeyw = cx->expandedKey + cx->Nb;
roundkeyw = cx->k.expandedKey + cx->Nb;
for (r = 1; r < cx->Nr; ++r) {
/* each key word, roundkeyw, represents a column in the key
* matrix. Each column is multiplied by the InvMixColumn matrix.
@ -537,7 +538,7 @@ rijndael_encryptBlock128(AESContext *cx,
pOut = (unsigned char *)output;
}
#endif
roundkeyw = cx->expandedKey;
roundkeyw = cx->k.expandedKey;
/* Step 1: Add Round Key 0 to initial state */
COLUMN_0(state) = *((PRUint32 *)(pIn)) ^ *roundkeyw++;
COLUMN_1(state) = *((PRUint32 *)(pIn + 4)) ^ *roundkeyw++;
@ -632,7 +633,7 @@ rijndael_decryptBlock128(AESContext *cx,
pOut = (unsigned char *)output;
}
#endif
roundkeyw = cx->expandedKey + cx->Nb * cx->Nr + 3;
roundkeyw = cx->k.expandedKey + cx->Nb * cx->Nr + 3;
/* reverse the final key addition */
COLUMN_3(state) = *((PRUint32 *)(pIn + 12)) ^ *roundkeyw--;
COLUMN_2(state) = *((PRUint32 *)(pIn + 8)) ^ *roundkeyw--;

View file

@ -68,7 +68,7 @@ struct AESContextStr {
__m128i keySchedule[15];
#endif
PRUint32 expandedKey[RIJNDAEL_MAX_EXP_KEY_SIZE];
};
} k;
unsigned int Nb;
unsigned int Nr;
freeblCipherFunc worker;
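Review bot: the anonymous union closed by `} k;` carries no comment stating that `keySchedule` (AES-NI path) and `expandedKey` (portable and ARM paths) are alternative layouts of the same round keys and that only the member matching the selected `worker` is valid. Because the two members now alias each other, code that fills one and reads the other gets silent garbage rather than a compiler diagnostic, which the previous side-by-side fields did not risk; a one-line comment on the union naming that invariant is cheap and worth adding in this hunk.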

View file

@ -236,7 +236,7 @@ GenerateKeyPairInner()
}
PK11RSAGenParams params;
params.keySizeInBits = 2048;
params.pe = 3;
params.pe = 65537;
// Bug 1012786: PK11_GenerateKeyPair can fail if there is insufficient
// entropy to generate a random key. Attempting to add some entropy and
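Review bot: `params.pe = 65537;` replaces the bare `3` with another unexplained literal. A short comment that 65537 is the conventional RSA public exponent F4 (and that the previous value of 3 was deliberately abandoned) keeps the intent of this test helper visible to the next person who edits it.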

View file

@ -245,7 +245,7 @@ pk11_fastCert(PK11SlotInfo *slot, CK_OBJECT_HANDLE certID,
/* Get the cryptoki object from the handle */
token = PK11Slot_GetNSSToken(slot);
if (token->defaultSession) {
if (token && token->defaultSession) {
co = nssCryptokiObject_Create(token, token->defaultSession, certID);
} else {
PORT_SetError(SEC_ERROR_NO_TOKEN);
@ -307,9 +307,15 @@ PK11_MakeCertFromHandle(PK11SlotInfo *slot, CK_OBJECT_HANDLE certID,
CERTCertificate *cert = NULL;
CERTCertTrust *trust;
if (slot == NULL || certID == CK_INVALID_HANDLE) {
PORT_SetError(SEC_ERROR_INVALID_ARGS);
return NULL;
}
cert = pk11_fastCert(slot, certID, privateLabel, &nickname);
if (cert == NULL)
if (cert == NULL) {
goto loser;
}
if (nickname) {
if (cert->nickname != NULL) {

View file

@ -1213,6 +1213,8 @@ nsslowkey_EncodePW(SECOidTag alg, const SECItem *salt, SECItem *data)
unsigned char one = 1;
SECItem *epw = NULL;
SECItem *encParam;
int iterLen = 0;
int saltLen;
SECStatus rv;
param.salt = *salt;
@ -1221,6 +1223,17 @@ nsslowkey_EncodePW(SECOidTag alg, const SECItem *salt, SECItem *data)
param.iter.len = 1;
edi.encryptedData = *data;
iterLen = salt->len > 1 ? salt->data[salt->len - 1] : 2;
saltLen = (salt->len - iterLen) - 1;
/* if the resulting saltLen is a sha hash length, then assume that
* the iteration count is tacked on the end of the buffer */
if ((saltLen == SHA1_LENGTH) || (saltLen == SHA256_LENGTH) || (saltLen == SHA384_LENGTH) || (saltLen == SHA224_LENGTH) ||
(saltLen == SHA512_LENGTH)) {
param.iter.data = &salt->data[saltLen];
param.iter.len = iterLen;
param.salt.len = saltLen;
}
arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
if (arena == NULL) {
return NULL;
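Review bot: the packed layout assumed by `iterLen = salt->len > 1 ? salt->data[salt->len - 1] : 2;` (salt bytes, then the DER iteration count, then one trailing byte holding the count's length) is defined nowhere except by this code and the matching branch in nsslowkey_DecodePW; put a comment describing the format here. On the same lines, `saltLen = (salt->len - iterLen) - 1;` does unsigned arithmetic on `salt->len` and then stores into an `int`, so a trailing byte larger than the salt wraps before conversion and the code relies on the wrapped value failing every `== SHA*_LENGTH` comparison; an explicit bounds check on `iterLen` before the subtraction reads more honestly. Finally, the digest-length heuristic can misparse a salt that was stored without an appended count if its length happens to fit the pattern; if the encoder always appends the count for non-1 iterations, state that assumption in the comment.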
@ -1270,9 +1283,23 @@ nsslowkey_DecodePW(const SECItem *derData, SECOidTag *alg, SECItem *salt)
if (rv != SECSuccess) {
goto loser;
}
rv = SECITEM_CopyItem(NULL, salt, &param.salt);
if (rv != SECSuccess) {
goto loser;
/* if the iteration count isn't one, tack it at the end of the salt */
if (!((param.iter.len == 1) && (param.iter.data[0] == 1))) {
int total_len = param.salt.len + param.iter.len + 1;
salt->data = PORT_Alloc(total_len);
if (salt->data == NULL) {
goto loser;
}
PORT_Memcpy(salt->data, param.salt.data, param.salt.len);
PORT_Memcpy(&salt->data[param.salt.len], param.iter.data,
param.iter.len);
salt->data[total_len - 1] = param.iter.len;
salt->len = total_len;
} else {
rv = SECITEM_CopyItem(NULL, salt, &param.salt);
if (rv != SECSuccess) {
goto loser;
}
}
pwe = SECITEM_DupItem(&edi.encryptedData);
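Review bot: on the `salt->data == NULL` allocation-failure path, `rv` still holds the `SECSuccess` left by the preceding decode (this block is only reached after `if (rv != SECSuccess) goto loser;`), so `goto loser` exits with a success status and an unset `salt` if `loser:` reports `rv`; set `rv = SECFailure` before the jump. Also, `salt->data[total_len - 1] = param.iter.len;` silently truncates if the iteration count's DER encoding is ever longer than 255 bytes; a check that `param.iter.len` fits in one byte keeps the packed format robust.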

View file

@ -171,6 +171,8 @@ sftkdb_encrypt_stub(PLArenaPool *arena, SDB *sdb, SECItem *plainText,
{
SFTKDBHandle *handle = sdb->app_private;
SECStatus rv;
SECItem *key;
int iterationCount;
if (handle == NULL) {
return SECFailure;
@ -192,9 +194,18 @@ sftkdb_encrypt_stub(PLArenaPool *arena, SDB *sdb, SECItem *plainText,
/* PORT_SetError */
return SECFailure;
}
key = handle->newKey ? handle->newKey : &handle->passwordKey;
if (sftk_isLegacyIterationCountAllowed()) {
if (handle->newKey) {
iterationCount = handle->newDefaultIterationCount;
} else {
iterationCount = handle->defaultIterationCount;
}
} else {
iterationCount = 1;
}
rv = sftkdb_EncryptAttribute(arena,
handle->newKey ? handle->newKey : &handle->passwordKey,
rv = sftkdb_EncryptAttribute(arena, key, iterationCount,
plainText, cipherText);
PZ_Unlock(handle->passwordLock);
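Review bot: the rule "one iteration unless `sftk_isLegacyIterationCountAllowed()`" is now spelled out three times: here, in sftkdb_finishPasswordCheck (`keydb->usesLegacyStorage && !sftk_isLegacyIterationCountAllowed()`) and in sftkdb_ChangePassword. Since `handle->defaultIterationCount` and `handle->newDefaultIterationCount` were already computed by those callers with the legacy rule applied, the `if (sftk_isLegacyIterationCountAllowed())` branch here is redundant whenever the handle passed to this stub has `usesLegacyStorage` set, and three copies of the rule can drift apart. Either use the stored counts directly with a comment saying why they are already correct, or move the rule into one helper that all three sites call.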

View file

@ -626,7 +626,7 @@ sftk_hasNullPassword(SFTKSlot *slot, SFTKDBHandle *keydb)
pwenabled = PR_FALSE;
if (sftkdb_HasPasswordSet(keydb) == SECSuccess) {
PRBool tokenRemoved = PR_FALSE;
SECStatus rv = sftkdb_CheckPassword(keydb, "", &tokenRemoved);
SECStatus rv = sftkdb_CheckPasswordNull(keydb, &tokenRemoved);
if (tokenRemoved) {
sftk_CloseAllSessions(slot, PR_FALSE);
}
@ -3947,7 +3947,7 @@ NSC_SetPIN(CK_SESSION_HANDLE hSession, CK_CHAR_PTR pOldPin,
PZ_Unlock(slot->slotLock);
tokenRemoved = PR_FALSE;
rv = sftkdb_CheckPassword(handle, "", &tokenRemoved);
rv = sftkdb_CheckPasswordNull(handle, &tokenRemoved);
if (tokenRemoved) {
sftk_CloseAllSessions(slot, PR_FALSE);
}

View file

@ -1002,6 +1002,10 @@ sftk_CryptInit(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism,
crv = CKR_KEY_TYPE_INCONSISTENT;
break;
}
if (pMechanism->ulParameterLen < 8) {
crv = CKR_DOMAIN_PARAMS_INVALID;
break;
}
t = NSS_DES_CBC;
goto finish_des;
case CKM_DES3_ECB:
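Review bot: `pMechanism->ulParameterLen < 8` accepts any parameter longer than the 8-byte DES IV and silently uses its first 8 bytes; since the CBC cases set `context->blockSize = 8` below, the check should be `!= 8`, and `pMechanism->pParameter == NULL` should fail as well. `CKR_DOMAIN_PARAMS_INVALID` is the PKCS #11 code for bad key domain parameters; a malformed mechanism parameter is `CKR_MECHANISM_PARAM_INVALID`. The same applies to the identical check added in the CKM_DES3 hunk below, and a named constant for the IV length would avoid repeating the literal `8` in three places.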
@ -1019,6 +1023,10 @@ sftk_CryptInit(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism,
crv = CKR_KEY_TYPE_INCONSISTENT;
break;
}
if (pMechanism->ulParameterLen < 8) {
crv = CKR_DOMAIN_PARAMS_INVALID;
break;
}
t = NSS_DES_EDE3_CBC;
finish_des:
context->blockSize = 8;
@ -1759,10 +1767,12 @@ NSC_Decrypt(CK_SESSION_HANDLE hSession,
}
finalLen = maxoutlen;
crv2 = NSC_DecryptFinal(hSession, pData, &finalLen);
if (crv == CKR_OK && crv2 == CKR_OK) {
*pulDataLen = updateLen + finalLen;
if (crv == CKR_OK) {
*pulDataLen = CT_SEL(CK_RVToMask(crv2), updateLen + finalLen, *pulDataLen);
return crv2;
} else {
return crv;
}
return crv == CKR_OK ? crv2 : crv;
}
rv = (*context->update)(context->cipherInfo, pData, &outlen, maxoutlen,
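Review bot: the unconditional `*pulDataLen = CT_SEL(CK_RVToMask(crv2), updateLen + finalLen, *pulDataLen);` needs a comment saying why it is not written as a plain `if (crv2 == CKR_OK)`: the length is selected with a mask so that a padding failure in NSC_DecryptFinal and a success take the same code path, which is the whole point of this change and is easy to "simplify" away later. The comment should also state the polarity of `CK_RVToMask` (whether all-ones means `CKR_OK`), since the correctness of the selection depends on it and the macro name does not say.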

View file

@ -530,6 +530,7 @@ sftk_signTemplate(PLArenaPool *arena, SFTKDBHandle *handle,
goto loser;
}
rv = sftkdb_SignAttribute(arena, &keyHandle->passwordKey,
keyHandle->defaultIterationCount,
objectID, template[i].type,
&plainText, &signText);
PZ_Unlock(keyHandle->passwordLock);
@ -663,6 +664,7 @@ sftk_ExtractTemplate(PLArenaPool *arena, SFTKObject *object,
break;
}
rv = sftkdb_EncryptAttribute(arena, &handle->passwordKey,
handle->defaultIterationCount,
&plainText, &cipherText);
PZ_Unlock(handle->passwordLock);
if (rv == SECSuccess) {
@ -2449,7 +2451,7 @@ sftk_getDBForTokenObject(SFTKSlot *slot, CK_OBJECT_HANDLE objectID)
* initialize a new database handle
*/
static SFTKDBHandle *
sftk_NewDBHandle(SDB *sdb, int type)
sftk_NewDBHandle(SDB *sdb, int type, PRBool legacy)
{
SFTKDBHandle *handle = PORT_New(SFTKDBHandle);
handle->ref = 1;
@ -2461,6 +2463,7 @@ sftk_NewDBHandle(SDB *sdb, int type)
handle->updatePasswordKey = NULL;
handle->updateID = NULL;
handle->type = type;
handle->usesLegacyStorage = legacy;
handle->passwordKey.data = NULL;
handle->passwordKey.len = 0;
handle->passwordLock = NULL;
@ -2620,6 +2623,7 @@ sftk_DBInit(const char *configdir, const char *certPrefix,
PRBool newInit = PR_FALSE;
PRBool needUpdate = PR_FALSE;
char *nconfdir = NULL;
PRBool legacy = PR_TRUE;
if (!readOnly) {
flags = SDB_CREATE;
@ -2652,12 +2656,14 @@ sftk_DBInit(const char *configdir, const char *certPrefix,
case NSS_DB_TYPE_EXTERN: /* SHOULD open a loadable db */
crv = s_open(confdir, certPrefix, keyPrefix, 9, 4, flags,
noCertDB ? NULL : &certSDB, noKeyDB ? NULL : &keySDB, &newInit);
legacy = PR_FALSE;
/*
* if we failed to open the DB's read only, use the old ones if
* the exists.
*/
if (crv != CKR_OK) {
legacy = PR_TRUE;
if ((flags & SDB_RDONLY) == SDB_RDONLY) {
nconfdir = sftk_legacyPathFromSDBPath(confdir);
}
@ -2711,12 +2717,12 @@ sftk_DBInit(const char *configdir, const char *certPrefix,
goto done;
}
if (!noCertDB) {
*certDB = sftk_NewDBHandle(certSDB, SFTK_CERTDB_TYPE);
*certDB = sftk_NewDBHandle(certSDB, SFTK_CERTDB_TYPE, legacy);
} else {
*certDB = NULL;
}
if (!noKeyDB) {
*keyDB = sftk_NewDBHandle(keySDB, SFTK_KEYDB_TYPE);
*keyDB = sftk_NewDBHandle(keySDB, SFTK_KEYDB_TYPE, legacy);
} else {
*keyDB = NULL;
}
@ -2759,7 +2765,7 @@ sftk_DBInit(const char *configdir, const char *certPrefix,
(sftkdb_HasPasswordSet(*keyDB) == SECSuccess) ? PR_TRUE : PR_FALSE;
/* if the password on the key db is NULL, kick off our update
* chain of events */
sftkdb_CheckPassword((*keyDB), "", &tokenRemoved);
sftkdb_CheckPasswordNull((*keyDB), &tokenRemoved);
} else {
/* we don't have a key DB, update the certificate DB now */
sftkdb_Update(*certDB, NULL);

View file

@ -25,6 +25,7 @@ CK_RV sftkdb_closeDB(SFTKDBHandle *handle);
SECStatus sftkdb_PWIsInitialized(SFTKDBHandle *keydb);
SECStatus sftkdb_CheckPassword(SFTKDBHandle *keydb, const char *pw,
PRBool *tokenRemoved);
SECStatus sftkdb_CheckPasswordNull(SFTKDBHandle *keydb, PRBool *tokenRemoved);
SECStatus sftkdb_PWCached(SFTKDBHandle *keydb);
SECStatus sftkdb_HasPasswordSet(SFTKDBHandle *keydb);
SECStatus sftkdb_ResetKeyDB(SFTKDBHandle *keydb);
@ -69,3 +70,5 @@ SFTKDBHandle *sftk_getKeyDB(SFTKSlot *slot);
SFTKDBHandle *sftk_getDBForTokenObject(SFTKSlot *slot,
CK_OBJECT_HANDLE objectID);
void sftk_freeDB(SFTKDBHandle *certHandle);
PRBool sftk_isLegacyIterationCountAllowed(void);

View file

@ -13,7 +13,9 @@ struct SFTKDBHandleStr {
PRInt32 ref;
CK_OBJECT_HANDLE type;
SECItem passwordKey;
int defaultIterationCount;
SECItem *newKey;
int newDefaultIterationCount;
SECItem *oldKey;
SECItem *updatePasswordKey;
PZLock *passwordLock;
@ -21,6 +23,7 @@ struct SFTKDBHandleStr {
SDB *update;
char *updateID;
PRBool updateDBIsInit;
PRBool usesLegacyStorage;
};
#define SFTK_KEYDB_TYPE 0x40000000
@ -39,9 +42,10 @@ struct SFTKDBHandleStr {
SECStatus sftkdb_DecryptAttribute(SECItem *passKey, SECItem *cipherText,
SECItem **plainText);
SECStatus sftkdb_EncryptAttribute(PLArenaPool *arena, SECItem *passKey,
SECItem *plainText, SECItem **cipherText);
int iterationCount, SECItem *plainText,
SECItem **cipherText);
SECStatus sftkdb_SignAttribute(PLArenaPool *arena, SECItem *passKey,
CK_OBJECT_HANDLE objectID,
int iterationCount, CK_OBJECT_HANDLE objectID,
CK_ATTRIBUTE_TYPE attrType,
SECItem *plainText, SECItem **sigText);
SECStatus sftkdb_VerifyAttribute(SECItem *passKey,

View file

@ -34,6 +34,41 @@
#include "secerr.h"
#include "softoken.h"
static const int NSS_MP_PBE_ITERATION_COUNT = 10000;
static int
getPBEIterationCount(void)
{
int c = NSS_MP_PBE_ITERATION_COUNT;
char *val = getenv("NSS_MIN_MP_PBE_ITERATION_COUNT");
if (val) {
int minimum = atoi(val);
if (c < minimum) {
c = minimum;
}
}
val = getenv("NSS_MAX_MP_PBE_ITERATION_COUNT");
if (val) {
int maximum = atoi(val);
if (c > maximum) {
c = maximum;
}
}
return c;
}
PRBool
sftk_isLegacyIterationCountAllowed(void)
{
static const char *legacyCountEnvVar =
"NSS_ALLOW_LEGACY_DBM_ITERATION_COUNT";
char *iterEnv = getenv(legacyCountEnvVar);
return (iterEnv && strcmp("0", iterEnv) != 0);
}
/******************************************************************
*
* Key DB password handling functions
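Review bot: `atoi()` on the two environment variables has no error handling, so `NSS_MAX_MP_PBE_ITERATION_COUNT=abc` or `=0` clamps the count to 0 and a negative value clamps it below zero, and that value then flows into `nsspkcs5_NewParam` as the PBE iteration count. Parse with `strtol`, reject anything below 1, and ignore unparseable input. Two documentation points as well: when both variables are set and the minimum exceeds the maximum, the maximum wins because it is applied second, which should be stated; and because these variables lower a key-derivation hardness parameter, the comment above `getPBEIterationCount` should say they exist for test environments and describe the intended operational use, so nobody sets `NSS_MAX_MP_PBE_ITERATION_COUNT=1` in a deployment by mistake.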
@ -132,7 +167,7 @@ const SEC_ASN1Template sftkdb_EncryptedDataInfoTemplate[] = {
* to data in cipherText, if cipherText is freed, cipherValue will be invalid.
*/
static SECStatus
sftkdb_decodeCipherText(SECItem *cipherText, sftkCipherValue *cipherValue)
sftkdb_decodeCipherText(const SECItem *cipherText, sftkCipherValue *cipherValue)
{
PLArenaPool *arena = NULL;
SFTKDBEncryptedDataInfo edi;
@ -225,7 +260,8 @@ loser:
* with SECITEM_FreeItem by the caller.
*/
SECStatus
sftkdb_DecryptAttribute(SECItem *passKey, SECItem *cipherText, SECItem **plain)
sftkdb_DecryptAttribute(SECItem *passKey, SECItem *cipherText,
SECItem **plain)
{
SECStatus rv;
sftkCipherValue cipherValue;
@ -235,6 +271,7 @@ sftkdb_DecryptAttribute(SECItem *passKey, SECItem *cipherText, SECItem **plain)
if (rv != SECSuccess) {
goto loser;
}
/* fprintf(stderr, "sftkdb_DecryptAttribute iteration: %d\n", cipherValue.param->iter); */
*plain = nsspkcs5_CipherData(cipherValue.param, passKey, &cipherValue.value,
PR_FALSE, NULL);
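Review bot: the commented-out `/* fprintf(stderr, "sftkdb_DecryptAttribute iteration: %d\n", cipherValue.param->iter); */` is debug scaffolding and should be dropped rather than committed; if the decoded iteration count is worth observing, a gtest that asserts on `cipherValue.param->iter` for a known database is the durable form.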
@ -261,7 +298,8 @@ loser:
*/
SECStatus
sftkdb_EncryptAttribute(PLArenaPool *arena, SECItem *passKey,
SECItem *plainText, SECItem **cipherText)
int iterationCount, SECItem *plainText,
SECItem **cipherText)
{
SECStatus rv;
sftkCipherValue cipherValue;
@ -275,7 +313,7 @@ sftkdb_EncryptAttribute(PLArenaPool *arena, SECItem *passKey,
RNG_GenerateGlobalRandomBytes(saltData, cipherValue.salt.len);
param = nsspkcs5_NewParam(cipherValue.alg, HASH_AlgSHA1, &cipherValue.salt,
1);
iterationCount);
if (param == NULL) {
rv = SECFailure;
goto loser;
@ -413,7 +451,8 @@ loser:
*/
SECStatus
sftkdb_SignAttribute(PLArenaPool *arena, SECItem *passKey,
CK_OBJECT_HANDLE objectID, CK_ATTRIBUTE_TYPE attrType,
int iterationCount, CK_OBJECT_HANDLE objectID,
CK_ATTRIBUTE_TYPE attrType,
SECItem *plainText, SECItem **signature)
{
SECStatus rv;
@ -446,7 +485,8 @@ sftkdb_SignAttribute(PLArenaPool *arena, SECItem *passKey,
RNG_GenerateGlobalRandomBytes(saltData, prfLength);
/* initialize our pkcs5 parameter */
param = nsspkcs5_NewParam(signValue.alg, HASH_AlgSHA1, &signValue.salt, 1);
param = nsspkcs5_NewParam(signValue.alg, HASH_AlgSHA1, &signValue.salt,
iterationCount);
if (param == NULL) {
rv = SECFailure;
goto loser;
@ -491,7 +531,7 @@ loser:
* and sftkdb_DecryptAttribute calls.
*/
static void
sftkdb_switchKeys(SFTKDBHandle *keydb, SECItem *passKey)
sftkdb_switchKeys(SFTKDBHandle *keydb, SECItem *passKey, int iterationCount)
{
unsigned char *data;
int len;
@ -507,6 +547,7 @@ sftkdb_switchKeys(SFTKDBHandle *keydb, SECItem *passKey)
len = keydb->passwordKey.len;
keydb->passwordKey.data = passKey->data;
keydb->passwordKey.len = passKey->len;
keydb->defaultIterationCount = iterationCount;
passKey->data = data;
passKey->len = len;
SKIP_AFTER_FORK(PZ_Unlock(keydb->passwordLock));
@ -660,6 +701,90 @@ sftkdb_HasPasswordSet(SFTKDBHandle *keydb)
return (crv == CKR_OK) ? SECSuccess : SECFailure;
}
/* pull out the common final part of checking a password */
SECStatus
sftkdb_finishPasswordCheck(SFTKDBHandle *keydb, SECItem *key,
const char *pw, SECItem *value,
PRBool *tokenRemoved);
/*
* check to see if we have the NULL password set.
* We special case the NULL password so that if you have no password set, you
* don't do thousands of hash rounds. This allows us to startup and get
* webpages without slowdown in normal mode.
*/
SECStatus
sftkdb_CheckPasswordNull(SFTKDBHandle *keydb, PRBool *tokenRemoved)
{
/* just like sftkdb_CheckPassowd, we get the salt and value, and
* create a dbkey */
SECStatus rv;
SECItem salt, value;
unsigned char saltData[SDB_MAX_META_DATA_LEN];
unsigned char valueData[SDB_MAX_META_DATA_LEN];
SECItem key;
SDB *db;
CK_RV crv;
sftkCipherValue cipherValue;
cipherValue.param = NULL;
cipherValue.arena = NULL;
if (keydb == NULL) {
return SECFailure;
}
db = sftk_getPWSDB(keydb);
if (db == NULL) {
return SECFailure;
}
key.data = NULL;
key.len = 0;
/* get the entry from the database */
salt.data = saltData;
salt.len = sizeof(saltData);
value.data = valueData;
value.len = sizeof(valueData);
crv = (*db->sdb_GetMetaData)(db, "password", &salt, &value);
if (crv != CKR_OK) {
rv = SECFailure;
goto done;
}
/* get our intermediate key based on the entry salt value */
rv = sftkdb_passwordToKey(keydb, &salt, "", &key);
if (rv != SECSuccess) {
goto done;
}
/* First get the cipher type */
rv = sftkdb_decodeCipherText(&value, &cipherValue);
if (rv != SECSuccess) {
goto done;
}
if (cipherValue.param->iter != 1) {
rv = SECFailure;
goto done;
}
rv = sftkdb_finishPasswordCheck(keydb, &key, "", &value, tokenRemoved);
done:
if (key.data) {
PORT_ZFree(key.data, key.len);
}
if (cipherValue.param) {
nsspkcs5_DestroyPBEParameter(cipherValue.param);
}
if (cipherValue.arena) {
PORT_FreeArena(cipherValue.arena, PR_FALSE);
}
return rv;
}
#define SFTK_PW_CHECK_STRING "password-check"
#define SFTK_PW_CHECK_LEN 14
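Review bot: `sftkdb_finishPasswordCheck` is forward-declared and later defined with external linkage, but it is not added to the header hunk alongside `sftkdb_CheckPasswordNull`; make both the declaration and the definition `static` unless another file needs it. In the comment at the top of the new function, `sftkdb_CheckPassowd` should read `sftkdb_CheckPassword`. Minor: decoding the entry with `sftkdb_decodeCipherText` and bailing on `cipherValue.param->iter != 1` could be done before `sftkdb_passwordToKey`, so the fast path does not derive a key it then discards.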
@ -674,7 +799,6 @@ sftkdb_CheckPassword(SFTKDBHandle *keydb, const char *pw, PRBool *tokenRemoved)
unsigned char saltData[SDB_MAX_META_DATA_LEN];
unsigned char valueData[SDB_MAX_META_DATA_LEN];
SECItem key;
SECItem *result = NULL;
SDB *db;
CK_RV crv;
@ -710,8 +834,33 @@ sftkdb_CheckPassword(SFTKDBHandle *keydb, const char *pw, PRBool *tokenRemoved)
goto done;
}
rv = sftkdb_finishPasswordCheck(keydb, &key, pw, &value, tokenRemoved);
done:
if (key.data) {
PORT_ZFree(key.data, key.len);
}
return rv;
}
/* we need to pass iterationCount in case we are updating a new database
* and from an old one. */
SECStatus
sftkdb_finishPasswordCheck(SFTKDBHandle *keydb, SECItem *key, const char *pw,
SECItem *value, PRBool *tokenRemoved)
{
SECItem *result = NULL;
SECStatus rv;
int iterationCount = getPBEIterationCount();
if (*pw == 0) {
iterationCount = 1;
} else if (keydb->usesLegacyStorage && !sftk_isLegacyIterationCountAllowed()) {
iterationCount = 1;
}
/* decrypt the entry value */
rv = sftkdb_DecryptAttribute(&key, &value, &result);
rv = sftkdb_DecryptAttribute(key, value, &result);
if (rv != SECSuccess) {
goto done;
}
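Review bot: the comment `/* we need to pass iterationCount in case we are updating a new database and from an old one. */` does not match the function beneath it, which takes no `iterationCount` parameter and derives the count itself from `getPBEIterationCount()`, the empty-password rule and the legacy-storage rule. Rewrite it to say what the function is: the shared tail of sftkdb_CheckPassword and sftkdb_CheckPasswordNull that decrypts and verifies the check value and then installs `key` together with the iteration count later writes should use. Also note that `*pw == 0` dereferences `pw` without a NULL check; both callers pass a literal today, but the contract belongs in the comment.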
@ -752,7 +901,7 @@ sftkdb_CheckPassword(SFTKDBHandle *keydb, const char *pw, PRBool *tokenRemoved)
* as well as changing which database is returned from
* SFTK_GET_PW_DB (thus effecting both sftkdb_CheckPassword()
* and sftkdb_HasPasswordSet()) */
keydb->updatePasswordKey = SECITEM_DupItem(&key);
keydb->updatePasswordKey = SECITEM_DupItem(key);
PZ_Unlock(keydb->passwordLock);
if (keydb->updatePasswordKey == NULL) {
/* PORT_Error set by SECITEM_DupItem */
@ -787,7 +936,7 @@ sftkdb_CheckPassword(SFTKDBHandle *keydb, const char *pw, PRBool *tokenRemoved)
* are good to go */
goto done;
}
sftkdb_CheckPassword(keydb, "", tokenRemoved);
sftkdb_CheckPasswordNull(keydb, tokenRemoved);
/*
* Important 'NULL' code here. At this point either we
@ -821,15 +970,15 @@ sftkdb_CheckPassword(SFTKDBHandle *keydb, const char *pw, PRBool *tokenRemoved)
PZ_Unlock(keydb->passwordLock);
}
/* load the keys, so the keydb can parse it's key set */
sftkdb_switchKeys(keydb, &key);
sftkdb_switchKeys(keydb, key, iterationCount);
/* we need to update, do it now */
if (((keydb->db->sdb_flags & SDB_RDONLY) == 0) && keydb->update) {
/* update the peer certdb if it exists */
if (keydb->peerDB) {
sftkdb_Update(keydb->peerDB, &key);
sftkdb_Update(keydb->peerDB, key);
}
sftkdb_Update(keydb, &key);
sftkdb_Update(keydb, key);
}
} else {
rv = SECFailure;
@ -837,9 +986,6 @@ sftkdb_CheckPassword(SFTKDBHandle *keydb, const char *pw, PRBool *tokenRemoved)
}
done:
if (key.data) {
PORT_ZFree(key.data, key.len);
}
if (result) {
SECITEM_FreeItem(result, PR_TRUE);
}
@ -857,7 +1003,7 @@ sftkdb_PWCached(SFTKDBHandle *keydb)
static CK_RV
sftk_updateMacs(PLArenaPool *arena, SFTKDBHandle *handle,
CK_OBJECT_HANDLE id, SECItem *newKey)
CK_OBJECT_HANDLE id, SECItem *newKey, int iterationCount)
{
SFTKDBHandle *keyHandle = handle;
SDB *keyTarget = NULL;
@ -924,7 +1070,8 @@ sftk_updateMacs(PLArenaPool *arena, SFTKDBHandle *handle,
SECItem plainText;
plainText.data = authAttr.pValue;
plainText.len = authAttr.ulValueLen;
if (sftkdb_SignAttribute(arena, newKey, id, authAttr.type, &plainText,
if (sftkdb_SignAttribute(arena, newKey, iterationCount, id,
authAttr.type, &plainText,
&signText) != SECSuccess) {
return CKR_GENERAL_ERROR;
}
@ -939,7 +1086,7 @@ sftk_updateMacs(PLArenaPool *arena, SFTKDBHandle *handle,
static CK_RV
sftk_updateEncrypted(PLArenaPool *arena, SFTKDBHandle *keydb,
CK_OBJECT_HANDLE id, SECItem *newKey)
CK_OBJECT_HANDLE id, SECItem *newKey, int iterationCount)
{
CK_ATTRIBUTE_TYPE privAttrTypes[] = {
CKA_VALUE,
@ -980,7 +1127,8 @@ sftk_updateEncrypted(PLArenaPool *arena, SFTKDBHandle *keydb,
SECItem *result;
plainText.data = privAttr.pValue;
plainText.len = privAttr.ulValueLen;
if (sftkdb_EncryptAttribute(arena, newKey, &plainText, &result) != SECSuccess) {
if (sftkdb_EncryptAttribute(arena, newKey, iterationCount,
&plainText, &result) != SECSuccess) {
return CKR_GENERAL_ERROR;
}
privAttr.pValue = result->data;
@ -991,6 +1139,7 @@ sftk_updateEncrypted(PLArenaPool *arena, SFTKDBHandle *keydb,
// Write the newly encrypted attributes out directly.
CK_OBJECT_HANDLE newId = id & SFTK_OBJ_ID_MASK;
keydb->newKey = newKey;
keydb->newDefaultIterationCount = iterationCount;
crv = (*keydb->db->sdb_SetAttributeValue)(keydb->db, newId, &privAttr, 1);
keydb->newKey = NULL;
if (crv != CKR_OK) {
@ -1002,8 +1151,8 @@ sftk_updateEncrypted(PLArenaPool *arena, SFTKDBHandle *keydb,
}
static CK_RV
sftk_convertAttributes(SFTKDBHandle *handle,
CK_OBJECT_HANDLE id, SECItem *newKey)
sftk_convertAttributes(SFTKDBHandle *handle, CK_OBJECT_HANDLE id,
SECItem *newKey, int iterationCount)
{
CK_RV crv = CKR_OK;
PLArenaPool *arena = NULL;
@ -1017,13 +1166,14 @@ sftk_convertAttributes(SFTKDBHandle *handle,
/*
* first handle the MACS
*/
crv = sftk_updateMacs(arena, handle, id, newKey);
crv = sftk_updateMacs(arena, handle, id, newKey, iterationCount);
if (crv != CKR_OK) {
goto loser;
}
if (handle->type == SFTK_KEYDB_TYPE) {
crv = sftk_updateEncrypted(arena, handle, id, newKey);
crv = sftk_updateEncrypted(arena, handle, id, newKey,
iterationCount);
if (crv != CKR_OK) {
goto loser;
}
@ -1045,7 +1195,7 @@ loser:
*/
CK_RV
sftkdb_convertObjects(SFTKDBHandle *handle, CK_ATTRIBUTE *template,
CK_ULONG count, SECItem *newKey)
CK_ULONG count, SECItem *newKey, int iterationCount)
{
SDBFind *find = NULL;
CK_ULONG idCount = SFTK_MAX_IDS;
@ -1061,7 +1211,8 @@ sftkdb_convertObjects(SFTKDBHandle *handle, CK_ATTRIBUTE *template,
while ((crv == CKR_OK) && (idCount == SFTK_MAX_IDS)) {
crv = sftkdb_FindObjects(handle, find, ids, SFTK_MAX_IDS, &idCount);
for (i = 0; (crv == CKR_OK) && (i < idCount); i++) {
crv = sftk_convertAttributes(handle, ids[i], newKey);
crv = sftk_convertAttributes(handle, ids[i], newKey,
iterationCount);
}
}
crv2 = sftkdb_FindObjectsFinal(handle, find);
@ -1086,6 +1237,7 @@ sftkdb_ChangePassword(SFTKDBHandle *keydb,
SFTKDBHandle *certdb;
unsigned char saltData[SDB_MAX_META_DATA_LEN];
unsigned char valueData[SDB_MAX_META_DATA_LEN];
int iterationCount = getPBEIterationCount();
CK_RV crv;
SDB *db;
@ -1121,6 +1273,12 @@ sftkdb_ChangePassword(SFTKDBHandle *keydb,
RNG_GenerateGlobalRandomBytes(salt.data, salt.len);
}
if (newPin && *newPin == 0) {
iterationCount = 1;
} else if (keydb->usesLegacyStorage && !sftk_isLegacyIterationCountAllowed()) {
iterationCount = 1;
}
rv = sftkdb_passwordToKey(keydb, &salt, newPin, &newKey);
if (rv != SECSuccess) {
goto loser;
@ -1129,7 +1287,7 @@ sftkdb_ChangePassword(SFTKDBHandle *keydb,
/*
* convert encrypted entries here.
*/
crv = sftkdb_convertObjects(keydb, NULL, 0, &newKey);
crv = sftkdb_convertObjects(keydb, NULL, 0, &newKey, iterationCount);
if (crv != CKR_OK) {
rv = SECFailure;
goto loser;
@ -1141,13 +1299,15 @@ sftkdb_ChangePassword(SFTKDBHandle *keydb,
CK_OBJECT_CLASS myClass = CKO_NETSCAPE_TRUST;
objectType.pValue = &myClass;
crv = sftkdb_convertObjects(certdb, &objectType, 1, &newKey);
crv = sftkdb_convertObjects(certdb, &objectType, 1, &newKey,
iterationCount);
if (crv != CKR_OK) {
rv = SECFailure;
goto loser;
}
myClass = CKO_PUBLIC_KEY;
crv = sftkdb_convertObjects(certdb, &objectType, 1, &newKey);
crv = sftkdb_convertObjects(certdb, &objectType, 1, &newKey,
iterationCount);
if (crv != CKR_OK) {
rv = SECFailure;
goto loser;
@ -1157,7 +1317,8 @@ sftkdb_ChangePassword(SFTKDBHandle *keydb,
plainText.data = (unsigned char *)SFTK_PW_CHECK_STRING;
plainText.len = SFTK_PW_CHECK_LEN;
rv = sftkdb_EncryptAttribute(NULL, &newKey, &plainText, &result);
rv = sftkdb_EncryptAttribute(NULL, &newKey, iterationCount,
&plainText, &result);
if (rv != SECSuccess) {
goto loser;
}
@ -1176,7 +1337,7 @@ sftkdb_ChangePassword(SFTKDBHandle *keydb,
keydb->newKey = NULL;
sftkdb_switchKeys(keydb, &newKey);
sftkdb_switchKeys(keydb, &newKey, iterationCount);
loser:
if (newKey.data) {
@ -1201,7 +1362,7 @@ sftkdb_ClearPassword(SFTKDBHandle *keydb)
SECItem oldKey;
oldKey.data = NULL;
oldKey.len = 0;
sftkdb_switchKeys(keydb, &oldKey);
sftkdb_switchKeys(keydb, &oldKey, 1);
if (oldKey.data) {
PORT_ZFree(oldKey.data, oldKey.len);
}

View file

@ -60,7 +60,3 @@ endif
ifdef NSS_DISABLE_TLS_1_3
DEFINES += -DNSS_DISABLE_TLS_1_3
endif
ifeq (,$(filter-out DragonFly FreeBSD Linux NetBSD OpenBSD, $(OS_TARGET)))
CFLAGS += -std=gnu99
endif

View file

@ -70,11 +70,6 @@
'UNSAFE_FUZZER_MODE',
],
}],
[ 'OS=="dragonfly" or OS=="freebsd" or OS=="netbsd" or OS=="openbsd" or OS=="linux"', {
'cflags': [
'-std=gnu99',
],
}],
[ 'enable_sslkeylogfile==1', {
'defines': [
'NSS_ALLOW_SSLKEYLOGFILE',

View file

@ -190,7 +190,7 @@ SSL_IMPORT PRFileDesc *DTLS_ImportFD(PRFileDesc *model, PRFileDesc *fd);
/* Use draft-ietf-tls-session-hash. Controls whether we offer the
* extended_master_secret extension which, when accepted, hashes
* the handshake transcript into the master secret. This option is
* disabled by default.
* enabled by default.
*/
#define SSL_ENABLE_EXTENDED_MASTER_SECRET 30
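Review bot: with the default flipped to enabled (matching the `.enableExtendedMS = PR_TRUE` hunk below), the comment should also say that the option only affects TLS 1.2 and earlier handshakes, since TLS 1.3 binds its secrets to the transcript unconditionally and does not negotiate this extension; that heads off the question of why toggling the flag has no visible effect on 1.3 connections.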

View file

@ -536,7 +536,7 @@ typedef SECStatus(PR_CALLBACK *SSLResumptionTokenCallback)(
* group -- the named group this key corresponds to
* pubKey -- the public key for the key pair
* pad -- the length to pad to
* notBefore/notAfter -- validity range
* notBefore/notAfter -- validity range in seconds since epoch
* out/outlen/maxlen -- where to output the data
*/
#define SSL_EncodeESNIKeys(cipherSuites, cipherSuiteCount, \
@ -791,12 +791,12 @@ typedef PRTime(PR_CALLBACK *SSLTimeFunc)(void *arg);
* handshake (Client Hello).
*
* The *Get function puts the current set of active (enabled and policy set as
* PR_TRUE) cipher suites in the cipherOrder outparam. Cipher suites that
* PR_TRUE) cipher suites in the cipherOrder outparam. Cipher suites that
* aren't active aren't included. The paramenters are:
* - PRFileDesc *fd = FileDescriptor to get information.
* - PRUint16 *cipherOrder = The memory allocated for cipherOrder needs to be
* SSL_GetNumImplementedCiphers() * sizeof(PRUint16) or more.
* - PRUint16 numCiphers = The number of active ciphersuites listed in
* - PRUint16 numCiphers = The number of active ciphersuites listed in
* *cipherOrder is written here.
*
* The *Set function permits reorder the CipherSuites list for the Handshake
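Review bot: since these comment lines are being touched for trailing whitespace anyway, fix `paramenters` to `parameters` on the unchanged line in between, and `The *Set function permits reorder the CipherSuites list` reads better as `The *Set function permits reordering the cipher suite list`.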
@ -812,7 +812,7 @@ typedef PRTime(PR_CALLBACK *SSLTimeFunc)(void *arg);
* - const PRUint16 *cipherOrder = Must receive all ciphers to be ordered, in
* the desired order. They will be set in the begin of the list. Only
* suites listed by SSL_ImplementedCiphers() can be included.
* - PRUint16 numCiphers = Must receive the number of items in *cipherOrder.
* - PRUint16 numCiphers = Must receive the number of items in *cipherOrder.
* */
#define SSL_CipherSuiteOrderGet(fd, cipherOrder, numCiphers) \
SSL_EXPERIMENTAL_API("SSL_CipherSuiteOrderGet", \

View file

@ -81,7 +81,7 @@ static sslOptions ssl_defaults = {
.reuseServerECDHEKey = PR_TRUE,
.enableFallbackSCSV = PR_FALSE,
.enableServerDhe = PR_TRUE,
.enableExtendedMS = PR_FALSE,
.enableExtendedMS = PR_TRUE,
.enableSignedCertTimestamps = PR_FALSE,
.requireDHENamedGroups = PR_FALSE,
.enable0RttData = PR_FALSE,

View file

@ -728,7 +728,7 @@ tls13_ServerDecryptEsniXtn(const sslSocket *ss, const PRUint8 *in, unsigned int
{
sslReader rdr = SSL_READER(in, inLen);
PRUint64 suite;
const ssl3CipherSuiteDef *suiteDef;
const ssl3CipherSuiteDef *suiteDef = NULL;
SSLAEADCipher aead = NULL;
TLSExtension *keyShareExtension;
TLS13KeyShareEntry *entry = NULL;

View file

@ -64,8 +64,14 @@ gtest_start()
pushd "$DIR"
GTESTREPORT="$DIR/report.xml"
PARSED_REPORT="$DIR/report.parsed"
# The mozilla::pkix gtests cause an ODR violation that we ignore.
# See bug 1588567.
if [ "$i" = "mozpkix_gtest" ]; then
EXTRA_ASAN_OPTIONS="detect_odr_violation=0"
fi
echo "executing $i"
"${BINDIR}/$i" "${SOURCE_DIR}/gtests/freebl_gtest/kat/Hash_DRBG.rsp" \
ASAN_OPTIONS="$ASAN_OPTIONS:$EXTRA_ASAN_OPTIONS" "${BINDIR}/$i" \
"${SOURCE_DIR}/gtests/freebl_gtest/kat/Hash_DRBG.rsp" \
-d "$DIR" -w --gtest_output=xml:"${GTESTREPORT}" \
--gtest_filter="${GTESTFILTER:-*}"
html_msg $? 0 "$i run successfully"
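Review bot: `EXTRA_ASAN_OPTIONS` is only ever assigned inside `if [ "$i" = "mozpkix_gtest" ]` and never cleared, so if this body runs in a loop over `$i` and `mozpkix_gtest` is not the last entry of `GTESTS`, every later test inherits `detect_odr_violation=0`; initialise `EXTRA_ASAN_OPTIONS=""` just before the `if`. The composed value `"$ASAN_OPTIONS:$EXTRA_ASAN_OPTIONS"` also yields a leading or trailing colon when either side is empty; ASan tolerates that, but building the string only when `EXTRA_ASAN_OPTIONS` is non-empty keeps the environment clean for the other binaries.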
@ -93,7 +99,7 @@ gtest_cleanup()
}
################## main #################################################
GTESTS="${GTESTS:-prng_gtest certhigh_gtest certdb_gtest der_gtest pk11_gtest util_gtest freebl_gtest softoken_gtest sysinit_gtest blake2b_gtest smime_gtest}"
GTESTS="${GTESTS:-prng_gtest certhigh_gtest certdb_gtest der_gtest pk11_gtest util_gtest freebl_gtest softoken_gtest sysinit_gtest blake2b_gtest smime_gtest mozpkix_gtest}"
gtest_init "$0"
gtest_start
gtest_cleanup