From 07491e58b7821609a0920b350774adc0a52e5dcd Mon Sep 17 00:00:00 2001 
From: "J.C. Jones" Date: Tue, 5 Nov 2019 20:29:59 +0000 Subject: [PATCH] Bug 1592007 - land NSS dc9552c2aa77 UPGRADE_NSS_RELEASE, r=kjacobs 2019-11-04 Marcus Burghardt * lib/pk11wrap/pk11cert.c: Bug 1590495 - Crash in PK11_MakeCertFromHandle->pk11_fastCert. r=jcj Fixed controls to avoid crashes caused by slots possibly without a token in pk11_fastCert. Also, improved arguments controls in PK11_MakeCertFromHandle. [dc9552c2aa77] [tip] 2019-11-01 Franziskus Kiefer * gtests/pk11_gtest/manifest.mn, gtests/pk11_gtest/pk11_des_unittest.cc, gtests/pk11_gtest/pk11_gtest.gyp, lib/softoken/pkcs11c.c: Bug 1591742 - check des iv length and add test for it, r=jcj,kjacobs Summary: Let's make sure the DES IV has the length we expect it to have. Bug #: 1591742 [35857ae98190] 2019-11-01 Dana Keeler * gtests/mozpkix_gtest/pkixcheck_CheckKeyUsage_tests.cpp, lib/mozpkix /test-lib/pkixtestnss.cpp, tests/gtests/gtests.sh: Bug 1588567 - enable mozilla::pkix gtests in NSS r=jcj [27a29997f598] 2019-11-01 Deian Stefan * lib/softoken/pkcs11c.c: Bug 1591315 - Update NSC_Decrypt length in constant time r=kjacobs Update NSC_Decrypt length in constant time [7f578a829b29] 2019-11-01 Kai Engert * automation/taskcluster/graph/src/queue.js: Bug 1562671 - Limit Master Password KDF iterations for NSS continuous integration tests. r=mt [c8b490583b86] * lib/softoken/lgglue.c, lib/softoken/sftkdb.c, lib/softoken/sftkdb.h, lib/softoken/sftkdbti.h, lib/softoken/sftkpwd.c: Bug 1562671 - Add environment variables to control Master Password KDF iteration count. Disable iteration count for legacy DBM storage by default. r=rrelyea [ced91a705aa3] 2019-11-01 Bob Relyea * lib/softoken/legacydb/keydb.c, lib/softoken/lgglue.c, lib/softoken/pkcs11.c, lib/softoken/sftkdb.c, lib/softoken/sftkdb.h, lib/softoken/sftkdbti.h, lib/softoken/sftkpwd.c: Bug 1562671 - Support higher iteration count for Master Password KDF. Bob Relyea's base patch. Requires the follow-up patch. 
r=kaie [6619bb43d746] 2019-10-28 Martin Thomson * coreconf/Linux.mk, coreconf/WIN32.mk, coreconf/command.mk, coreconf/config.gypi, coreconf/rules.mk, lib/freebl/aes-armv8.c, lib/freebl/aes-x86.c, lib/freebl/config.mk, lib/freebl/freebl.gyp, lib/freebl/intel-aes.h, lib/freebl/intel-gcm-wrap.c, lib/freebl/rijndael.c, lib/freebl/rijndael.h, lib/ssl/config.mk, lib/ssl/ssl.gyp: Bug 1590972 - Use -std=c99 for all C code, r=jcj This switches to using -std=c99 for compiling all C code. Previously, we only enabled this option for lib/freebl and lib/ssl. For Linux, this means we need to define _DEFAULT_SOURCE to access some of the functions we use. On glibc 2.12 (our oldest supported version), we also need to define _BSD_SOURCE to access these functions. The only tricky part is dealing with partial C99 implementation in gcc 4.4. From what I've seen, the only problem is that - in that mode - it doesn't support nesting of unnamed fields: https://gcc.gnu.org/onlinedocs/gcc-4.4.7/gcc/Unnamed-Fields.html This also switches from -std=c++0x to -std=c++11 as the 0x variant, though identical in meaning, is deprecated. [dbba7db4b79d] 2019-10-30 Giulio Benetti * lib/freebl/aes-armv8.c, lib/freebl/rijndael.c: Bug 1590676 - Fix build if arm doesn't support NEON r=kjacobs At the moment NSS assumes that ARM supports NEON extension but this is not true and leads to build failure on ARM without NEON extension. Add check to assure USE_HW_AES is not defined if ARM without NEON extension is used. [58f2471ace3b] 2019-10-30 Martin Thomson * gtests/ssl_gtest/tls_agent.cc: Bug 1575411 - Disable EMS for tests, a=bustage [6e5f69781137] 2019-10-29 J.C. 
Jones * gtests/ssl_gtest/tls_esni_unittest.cc: Bug 1590970 - Fix clang-format from e7956ee3ba1b6d05e3175bbcd795583fde867720 r=me [d1e43cb9f227] 2019-10-29 Giulio Benetti * lib/ssl/tls13esni.c: Bug 1590678 - Remove -Wmaybe-uninitialized warning in tls13esni.c r=jcj [df5e9021809a] 2019-10-29 Martin Thomson * lib/ssl/ssl.h, lib/ssl/sslsock.c: Bug 1575411 - Enable extended master secret by default, r=jcj,kjacobs See the bug for discussion about the implications of this. [d1c68498610d] 2019-10-29 Martin Thomson * gtests/ssl_gtest/tls_esni_unittest.cc, lib/ssl/sslexp.h: Bug 1590970 - Stop using time() for ESNI tests, r=kjacobs Summary: The ESNI tests were using time() rather than PR_Now(), so they slipped the net when I went looking for bad time functions. Now they do the right thing again. What we were probably seeing in the intermittents was the case where we set the time for most of the SSL functions to PR_Now(), and that was just before a second rollover. Then, when time() was called, it returned t+1 so the ESNI keys that were being generated in the ESNI tests were given a notBefore time that was in the future relative to the time being given to the TLS stack. Had the ESNI keys generation been given time() - 1 for notBefore, as I have done here, this would never have turned up. 
Reviewers: kjacobs Tags: #secure-revision Bug #: 1590970 [e7956ee3ba1b] Differential Revision: https://phabricator.services.mozilla.com/D51858 --HG-- extra : moz-landing-system : lando --- security/nss/TAG-INFO | 2 +- .../automation/taskcluster/graph/src/queue.js | 3 +- security/nss/coreconf/Linux.mk | 1 + security/nss/coreconf/WIN32.mk | 6 + security/nss/coreconf/command.mk | 2 + security/nss/coreconf/config.gypi | 7 +- security/nss/coreconf/coreconf.dep | 1 + security/nss/coreconf/rules.mk | 34 +-- .../pkixcheck_CheckKeyUsage_tests.cpp | 4 +- security/nss/gtests/pk11_gtest/manifest.mn | 1 + .../gtests/pk11_gtest/pk11_des_unittest.cc | 65 +++++ security/nss/gtests/pk11_gtest/pk11_gtest.gyp | 1 + security/nss/gtests/ssl_gtest/tls_agent.cc | 3 + .../nss/gtests/ssl_gtest/tls_esni_unittest.cc | 159 ++++++------ security/nss/lib/freebl/aes-armv8.c | 31 +-- security/nss/lib/freebl/aes-x86.c | 12 +- security/nss/lib/freebl/config.mk | 5 - security/nss/lib/freebl/freebl.gyp | 17 -- security/nss/lib/freebl/intel-aes.h | 34 +-- security/nss/lib/freebl/intel-gcm-wrap.c | 2 +- security/nss/lib/freebl/rijndael.c | 13 +- security/nss/lib/freebl/rijndael.h | 2 +- .../nss/lib/mozpkix/test-lib/pkixtestnss.cpp | 2 +- security/nss/lib/pk11wrap/pk11cert.c | 10 +- security/nss/lib/softoken/legacydb/keydb.c | 33 ++- security/nss/lib/softoken/lgglue.c | 15 +- security/nss/lib/softoken/pkcs11.c | 4 +- security/nss/lib/softoken/pkcs11c.c | 16 +- security/nss/lib/softoken/sftkdb.c | 14 +- security/nss/lib/softoken/sftkdb.h | 3 + security/nss/lib/softoken/sftkdbti.h | 8 +- security/nss/lib/softoken/sftkpwd.c | 227 +++++++++++++++--- security/nss/lib/ssl/config.mk | 4 - security/nss/lib/ssl/ssl.gyp | 5 - security/nss/lib/ssl/ssl.h | 2 +- security/nss/lib/ssl/sslexp.h | 8 +- security/nss/lib/ssl/sslsock.c | 2 +- security/nss/lib/ssl/tls13esni.c | 2 +- security/nss/tests/gtests/gtests.sh | 10 +- 39 files changed, 536 insertions(+), 234 deletions(-) create mode 100644 
security/nss/gtests/pk11_gtest/pk11_des_unittest.cc diff --git a/security/nss/TAG-INFO b/security/nss/TAG-INFO index 53bcb38e200f..93ea4feba740 100644 --- a/security/nss/TAG-INFO +++ b/security/nss/TAG-INFO @@ -1 +1 @@ -fcdda17cdc36 \ No newline at end of file +dc9552c2aa77 \ No newline at end of file diff --git a/security/nss/automation/taskcluster/graph/src/queue.js b/security/nss/automation/taskcluster/graph/src/queue.js index 0dc6bbbc4c90..874947af5b85 100644 --- a/security/nss/automation/taskcluster/graph/src/queue.js +++ b/security/nss/automation/taskcluster/graph/src/queue.js @@ -96,7 +96,8 @@ function convertTask(def) { let env = merge({ NSS_HEAD_REPOSITORY: process.env.NSS_HEAD_REPOSITORY, - NSS_HEAD_REVISION: process.env.NSS_HEAD_REVISION + NSS_HEAD_REVISION: process.env.NSS_HEAD_REVISION, + NSS_MAX_MP_PBE_ITERATION_COUNT: "100", }, def.env || {}); if (def.parent) { diff --git a/security/nss/coreconf/Linux.mk b/security/nss/coreconf/Linux.mk index d321284d3c44..d07f8a3c5e66 100644 --- a/security/nss/coreconf/Linux.mk +++ b/security/nss/coreconf/Linux.mk @@ -21,6 +21,7 @@ ifeq ($(USE_PTHREADS),1) endif DEFAULT_COMPILER = gcc +DEFINES += -D_DEFAULT_SOURCE -D_BSD_SOURCE ifeq ($(OS_TARGET),Android) ifndef ANDROID_NDK diff --git a/security/nss/coreconf/WIN32.mk b/security/nss/coreconf/WIN32.mk index 7269cc7a289b..ac1a454bcee2 100644 --- a/security/nss/coreconf/WIN32.mk +++ b/security/nss/coreconf/WIN32.mk @@ -261,6 +261,12 @@ else endif endif +# clear any CSTD and CXXSTD unless we're using GCC +ifndef NS_USE_GCC + CSTD = + CXXSTD = +endif + # # override the definitions of RELEASE_TREE found in tree.mk # diff --git a/security/nss/coreconf/command.mk b/security/nss/coreconf/command.mk index 5e92748aa1f0..a892520568be 100644 --- a/security/nss/coreconf/command.mk +++ b/security/nss/coreconf/command.mk 
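Review bot: The new `NSS_MAX_MP_PBE_ITERATION_COUNT: "100"` entry in queue.js lowers a security parameter — the cap on Master Password PBKDF2 iterations — in the environment of every task, not just the test tasks, and nothing at the site says why, so the next reader cannot tell whether it is safe to copy or remove. Add a comment above it: `// Cap the Master Password KDF iteration count so the CI test suites stay fast (Bug 1562671); never set this for a shipping configuration.` The softoken code that reads the variable is not in this hunk, so whether 100 is honoured as a ceiling or used as the exact count is not verifiable here.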
@@ -14,6 +14,8 @@ CCF = $(CC) $(CFLAGS) LINK_DLL = $(LD) $(OS_DLLFLAGS) $(DLLFLAGS) $(XLDFLAGS) CFLAGS = $(OPTIMIZER) $(OS_CFLAGS) $(WARNING_CFLAGS) $(XP_DEFINE) \ $(DEFINES) $(INCLUDES) $(XCFLAGS) +CSTD = -std=c99 +CXXSTD = -std=c++11 PERL = perl RANLIB = echo TAR = /bin/tar diff --git a/security/nss/coreconf/config.gypi b/security/nss/coreconf/config.gypi index f4426ac32236..3b049111a8cc 100644 --- a/security/nss/coreconf/config.gypi +++ b/security/nss/coreconf/config.gypi @@ -355,6 +355,8 @@ 'LINUX2_1', 'LINUX', 'linux', + '_DEFAULT_SOURCE', # for functions, strdup, realpath, and getentropy + '_BSD_SOURCE', # for the above in glibc <= 2.19 ], }], [ 'OS=="dragonfly" or OS=="freebsd"', { @@ -391,8 +393,11 @@ '-ffunction-sections', '-fdata-sections', ], + 'cflags_c': [ + '-std=c99', + ], 'cflags_cc': [ - '-std=c++0x', + '-std=c++11', ], 'ldflags': [ '-z', 'noexecstack', diff --git a/security/nss/coreconf/coreconf.dep b/security/nss/coreconf/coreconf.dep index 5182f75552c8..590d1bfaeee3 100644 --- a/security/nss/coreconf/coreconf.dep +++ b/security/nss/coreconf/coreconf.dep @@ -10,3 +10,4 @@ */ #error "Do not include this header file." + diff --git a/security/nss/coreconf/rules.mk b/security/nss/coreconf/rules.mk index 3a801352980e..acf4fcc62362 100644 --- a/security/nss/coreconf/rules.mk +++ b/security/nss/coreconf/rules.mk 
@@ -391,23 +391,23 @@ core_abspath = '$(if $(findstring :,$(1)),$(1),$(if $(filter /%,$(1)),$(1),$(PWD $(OBJDIR)/$(PROG_PREFIX)%$(OBJ_SUFFIX): %.c @$(MAKE_OBJDIR) ifdef USE_NT_C_SYNTAX - $(CC) -Fo$@ -c $(CFLAGS) $(call core_abspath,$<) + $(CC) -Fo$@ -c $(CSTD) $(CFLAGS) $(call core_abspath,$<) else ifdef NEED_ABSOLUTE_PATH - $(CC) -o $@ -c $(CFLAGS) $(call core_abspath,$<) + $(CC) -o $@ -c $(CSTD) $(CFLAGS) $(call core_abspath,$<) else - $(CC) -o $@ -c $(CFLAGS) $< + $(CC) -o $@ -c $(CSTD) $(CFLAGS) $< endif endif $(PROG_PREFIX)%$(OBJ_SUFFIX): %.c ifdef USE_NT_C_SYNTAX - $(CC) -Fo$@ -c $(CFLAGS) $(call core_abspath,$<) + $(CC) -Fo$@ -c $(CSTD) $(CFLAGS) $(call core_abspath,$<) else ifdef NEED_ABSOLUTE_PATH - $(CC) -o $@ -c $(CFLAGS) $(call core_abspath,$<) + $(CC) -o $@ -c $(CSTD) $(CFLAGS) $(call core_abspath,$<) else - $(CC) -o $@ -c $(CFLAGS) $< + $(CC) -o $@ -c $(CSTD) $(CFLAGS) $< endif endif @@ -428,12 +428,12 @@ $(OBJDIR)/$(PROG_PREFIX)%$(OBJ_SUFFIX): %.S $(OBJDIR)/$(PROG_PREFIX)%: %.cpp @$(MAKE_OBJDIR) ifdef USE_NT_C_SYNTAX - $(CCC) -Fo$@ -c $(CFLAGS) $(CXXFLAGS) $(call core_abspath,$<) + $(CCC) -Fo$@ -c $(CXXSTD) $(CFLAGS) $(CXXFLAGS) $(call core_abspath,$<) else ifdef NEED_ABSOLUTE_PATH - $(CCC) -o $@ -c $(CFLAGS) $(CXXFLAGS) $(call core_abspath,$<) + $(CCC) -o $@ -c $(CXXSTD) $(CFLAGS) $(CXXFLAGS) $(call core_abspath,$<) else - $(CCC) -o $@ -c $(CFLAGS) $(CXXFLAGS) $< + $(CCC) -o $@ -c $(CXXSTD) $(CFLAGS) $(CXXFLAGS) $< endif endif 
@@ -444,16 +444,16 @@ $(OBJDIR)/$(PROG_PREFIX)%$(OBJ_SUFFIX): %.cc $(MAKE_OBJDIR) ifdef STRICT_CPLUSPLUS_SUFFIX echo "#line 1 \"$<\"" | cat - $< > $(OBJDIR)/t_$*.cc - $(CCC) -o $@ -c $(CFLAGS) $(CXXFLAGS) $(OBJDIR)/t_$*.cc + $(CCC) -o $@ -c $(CXXSTD) $(CFLAGS) $(CXXFLAGS) $(OBJDIR)/t_$*.cc rm -f $(OBJDIR)/t_$*.cc else ifdef USE_NT_C_SYNTAX - $(CCC) -Fo$@ -c $(CFLAGS) $(CXXFLAGS) $(call core_abspath,$<) + $(CCC) -Fo$@ -c $(CXXSTD) $(CFLAGS) $(CXXFLAGS) $(call core_abspath,$<) else ifdef NEED_ABSOLUTE_PATH - $(CCC) -o $@ -c $(CFLAGS) $(CXXFLAGS) $(call core_abspath,$<) + $(CCC) -o $@ -c $(CXXSTD) $(CFLAGS) $(CXXFLAGS) $(call core_abspath,$<) else - $(CCC) -o $@ -c $(CFLAGS) $(CXXFLAGS) $< + $(CCC) -o $@ -c $(CXXSTD) $(CFLAGS) $(CXXFLAGS) $< endif endif endif #STRICT_CPLUSPLUS_SUFFIX @@ -462,16 +462,16 @@ $(OBJDIR)/$(PROG_PREFIX)%$(OBJ_SUFFIX): %.cpp @$(MAKE_OBJDIR) ifdef STRICT_CPLUSPLUS_SUFFIX echo "#line 1 \"$<\"" | cat - $< > $(OBJDIR)/t_$*.cc - $(CCC) -o $@ -c $(CFLAGS) $(CXXFLAGS) $(OBJDIR)/t_$*.cc + $(CCC) -o $@ -c $(CXXSTD) $(CFLAGS) $(CXXFLAGS) $(OBJDIR)/t_$*.cc rm -f $(OBJDIR)/t_$*.cc else ifdef USE_NT_C_SYNTAX - $(CCC) -Fo$@ -c $(CFLAGS) $(CXXFLAGS) $(call core_abspath,$<) + $(CCC) -Fo$@ -c $(CXXSTD) $(CFLAGS) $(CXXFLAGS) $(call core_abspath,$<) else ifdef NEED_ABSOLUTE_PATH - $(CCC) -o $@ -c $(CFLAGS) $(CXXFLAGS) $(call core_abspath,$<) + $(CCC) -o $@ -c $(CXXSTD) $(CFLAGS) $(CXXFLAGS) $(call core_abspath,$<) else - $(CCC) -o $@ -c $(CFLAGS) $(CXXFLAGS) $< + $(CCC) -o $@ -c $(CXXSTD) $(CFLAGS) $(CXXFLAGS) $< endif endif endif #STRICT_CPLUSPLUS_SUFFIX diff --git a/security/nss/gtests/mozpkix_gtest/pkixcheck_CheckKeyUsage_tests.cpp b/security/nss/gtests/mozpkix_gtest/pkixcheck_CheckKeyUsage_tests.cpp index 136f8719a8a6..b87f0a772885 100644 --- a/security/nss/gtests/mozpkix_gtest/pkixcheck_CheckKeyUsage_tests.cpp +++ b/security/nss/gtests/mozpkix_gtest/pkixcheck_CheckKeyUsage_tests.cpp 
@@ -166,8 +166,8 @@ void ASSERT_SimpleCase(uint8_t unusedBits, uint8_t bits, KeyUsage usage) // Test that none of the other non-padding bits are mistaken for the given // key usage in the single-byte value case. - NAMED_SIMPLE_KU(notGood, unusedBits, - static_cast((~bits >> unusedBits) << unusedBits)); + uint8_t paddingBits = (static_cast(~bits) >> unusedBits) << unusedBits; + NAMED_SIMPLE_KU(notGood, unusedBits, paddingBits); ASSERT_BAD(CheckKeyUsage(EndEntityOrCA::MustBeEndEntity, ¬Good, usage)); ASSERT_BAD(CheckKeyUsage(EndEntityOrCA::MustBeCA, ¬Good, usage)); diff --git a/security/nss/gtests/pk11_gtest/manifest.mn b/security/nss/gtests/pk11_gtest/manifest.mn index 861f45fec0a2..09e12047a3bc 100644 --- a/security/nss/gtests/pk11_gtest/manifest.mn +++ b/security/nss/gtests/pk11_gtest/manifest.mn @@ -14,6 +14,7 @@ CPPSRCS = \ pk11_chacha20poly1305_unittest.cc \ pk11_curve25519_unittest.cc \ pk11_der_private_key_import_unittest.cc \ + pk11_des_unittest.cc \ pk11_ecdsa_unittest.cc \ pk11_encrypt_derive_unittest.cc \ pk11_export_unittest.cc \ diff --git a/security/nss/gtests/pk11_gtest/pk11_des_unittest.cc b/security/nss/gtests/pk11_gtest/pk11_des_unittest.cc new file mode 100644 index 000000000000..30f1afb8d9a2 --- /dev/null +++ b/security/nss/gtests/pk11_gtest/pk11_des_unittest.cc 
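Review bot: `paddingBits` is a misleading name for the value built on the new line: after `~bits` the two shifts clear the padding bits, so what remains is every non-padding bit other than the one under test — exactly what the comment two lines above calls "the other non-padding bits". Rename it, e.g. `uint8_t otherBits = (static_cast<uint8_t>(~bits) >> unusedBits) << unusedBits;` and pass `otherBits` to `NAMED_SIMPLE_KU`. The reordering itself is an improvement: casting `~bits` back to an unsigned byte before shifting avoids right-shifting the negative int that the promoted `~bits` was in the removed form, which is implementation-defined; I am assuming the cast's target type is `uint8_t`, which this copy of the patch does not show. ASSERT_SimpleCase starts before this hunk.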
@@ -0,0 +1,65 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this file,
+ * You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include
+#include "nss.h"
+#include "pk11pub.h"
+
+#include "nss_scoped_ptrs.h"
+
+#include "gtest/gtest.h"
+
+namespace nss_test {
+
+class Pkcs11DesTest : public ::testing::Test {
+ protected:
+ SECStatus EncryptWithIV(std::vector& iv,
+ const CK_MECHANISM_TYPE mech) {
+ // Generate a random key.
+ ScopedPK11SlotInfo slot(PK11_GetInternalSlot());
+ ScopedPK11SymKey sym_key(
+ PK11_KeyGen(slot.get(), mech, nullptr, 8, nullptr));
+ EXPECT_TRUE(!!sym_key);
+
+ std::vector data(16);
+ std::vector output(16);
+
+ SECItem params = {siBuffer, iv.data(),
+ static_cast(iv.size())};
+
+ // Try to encrypt.
+ unsigned int output_len = 0;
+ return PK11_Encrypt(sym_key.get(), mech, ¶ms, output.data(),
+ &output_len, output.size(), data.data(), data.size());
+ }
+};
+
+TEST_F(Pkcs11DesTest, ZeroLengthIV) {
+ std::vector iv(0);
+ EXPECT_EQ(SECFailure, EncryptWithIV(iv, CKM_DES_CBC));
+ EXPECT_EQ(SECFailure, EncryptWithIV(iv, CKM_DES3_CBC));
+}
+
+TEST_F(Pkcs11DesTest, IVTooShort) {
+ std::vector iv(7);
+ EXPECT_EQ(SECFailure, EncryptWithIV(iv, CKM_DES_CBC));
+ EXPECT_EQ(SECFailure, EncryptWithIV(iv, CKM_DES3_CBC));
+}
+
+TEST_F(Pkcs11DesTest, WrongLengthIV) {
+ // We tolerate IVs > 8
+ std::vector iv(15, 0);
+ EXPECT_EQ(SECSuccess, EncryptWithIV(iv, CKM_DES_CBC));
+ EXPECT_EQ(SECSuccess, EncryptWithIV(iv, CKM_DES3_CBC));
+}
+
+TEST_F(Pkcs11DesTest, AllGood) {
+ std::vector iv(8, 0);
+ EXPECT_EQ(SECSuccess, EncryptWithIV(iv, CKM_DES_CBC));
+ EXPECT_EQ(SECSuccess, EncryptWithIV(iv, CKM_DES3_CBC));
+}
+
+} // namespace nss_test
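Review bot: In `EncryptWithIV`, `EXPECT_TRUE(!!sym_key)` only records a failure and execution continues into `PK11_Encrypt(sym_key.get(), ...)` with a null key, so a key-generation failure becomes a crash of the whole gtest binary instead of one failed assertion; follow the expectation with `if (!sym_key) { return SECFailure; }`. `WrongLengthIV` turns a tolerance for oversized IVs into a passing test with only "We tolerate IVs > 8" as justification; a sentence on why a 15-byte IV is accepted (presumably only the first 8 bytes are consumed — confirm against the softoken check) would stop someone from "fixing" the test later. The fixture also never asserts that `output_len` is 16 on the success paths, which would make `AllGood` a slightly stronger check for free.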
diff --git a/security/nss/gtests/pk11_gtest/pk11_gtest.gyp b/security/nss/gtests/pk11_gtest/pk11_gtest.gyp index f2a81d6dfffa..fb8ea8dd977a 100644 --- a/security/nss/gtests/pk11_gtest/pk11_gtest.gyp +++ b/security/nss/gtests/pk11_gtest/pk11_gtest.gyp @@ -20,6 +20,7 @@ 'pk11_cipherop_unittest.cc', 'pk11_curve25519_unittest.cc', 'pk11_der_private_key_import_unittest.cc', + 'pk11_des_unittest.cc', 'pk11_ecdsa_unittest.cc', 'pk11_encrypt_derive_unittest.cc', 'pk11_find_certs_unittest.cc', diff --git a/security/nss/gtests/ssl_gtest/tls_agent.cc b/security/nss/gtests/ssl_gtest/tls_agent.cc index 0c6faabd931b..88640481e51d 100644 --- a/security/nss/gtests/ssl_gtest/tls_agent.cc +++ b/security/nss/gtests/ssl_gtest/tls_agent.cc @@ -286,6 +286,9 @@ bool TlsAgent::EnsureTlsSetup(PRFileDesc* modelSocket) { EXPECT_EQ(SECSuccess, rv); if (rv != SECSuccess) return false; + // All these tests depend on having this disabled to start with. + SetOption(SSL_ENABLE_EXTENDED_MASTER_SECRET, PR_FALSE); + return true; } diff --git a/security/nss/gtests/ssl_gtest/tls_esni_unittest.cc b/security/nss/gtests/ssl_gtest/tls_esni_unittest.cc index 90dccc5257ed..26275e0bc1ec 100644 --- a/security/nss/gtests/ssl_gtest/tls_esni_unittest.cc +++ b/security/nss/gtests/ssl_gtest/tls_esni_unittest.cc @@ -4,8 +4,6 @@ * License, v. 2.0. If a copy of the MPL was not distributed with this file, * You can obtain one at http://mozilla.org/MPL/2.0/. */ -#include - #include "secerr.h" #include "ssl.h" @@ -57,7 +55,7 @@ static void UpdateEsniKeysChecksum(DataBuffer* buf) { buf->Write(2, sha256, 4); } -static void GenerateEsniKey(time_t windowStart, SSLNamedGroup group, +static void GenerateEsniKey(PRTime now, SSLNamedGroup group, std::vector& cipher_suites, DataBuffer* record, ScopedSECKEYPublicKey* pubKey = nullptr, 
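Review bot: Forcing `SSL_ENABLE_EXTENDED_MASTER_SECRET` to `PR_FALSE` inside `EnsureTlsSetup` means every agent built through the shared fixture now runs with EMS off, so the new library default of EMS-on (the sslsock.c change in this same patch) gets no coverage from ssl_gtest unless individual tests opt back in; worth confirming that the existing EMS tests re-enable it explicitly. The comment should also say why the option is flipped, because "depend on having this disabled" will puzzle readers once the default change is forgotten: `// The library default is now EMS on (Bug 1575411); these tests were written against EMS off, so tests that want EMS must enable it explicitly.` EnsureTlsSetup starts before this hunk.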
@@ -73,8 +71,9 @@ static void GenerateEsniKey(time_t windowStart, SSLNamedGroup group, unsigned int encoded_len = 0; SECStatus rv = SSL_EncodeESNIKeys( - &cipher_suites[0], cipher_suites.size(), group, pub, 100, windowStart, - windowStart + 10, encoded, &encoded_len, sizeof(encoded)); + &cipher_suites[0], cipher_suites.size(), group, pub, 100, + (now / PR_USEC_PER_SEC) - 1, (now / PR_USEC_PER_SEC) + 10, encoded, + &encoded_len, sizeof(encoded)); ASSERT_EQ(SECSuccess, rv); ASSERT_GT(encoded_len, 0U); @@ -92,15 +91,15 @@ static void GenerateEsniKey(time_t windowStart, SSLNamedGroup group, record->Write(0, encoded, encoded_len); } -static void SetupEsni(const std::shared_ptr& client, +static void SetupEsni(PRTime now, const std::shared_ptr& client, const std::shared_ptr& server, SSLNamedGroup group = ssl_grp_ec_curve25519) { ScopedSECKEYPublicKey pub; ScopedSECKEYPrivateKey priv; DataBuffer record; - GenerateEsniKey(time(nullptr), ssl_grp_ec_curve25519, kDefaultSuites, &record, - &pub, &priv); + GenerateEsniKey(now, ssl_grp_ec_curve25519, kDefaultSuites, &record, &pub, + &priv); SECStatus rv = SSL_SetESNIKeyPair(server->ssl_fd(), priv.get(), record.data(), record.len()); ASSERT_EQ(SECSuccess, rv); 
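Review bot: The `now` parameter of `GenerateEsniKey` is a `PRTime` in microseconds and is divided by `PR_USEC_PER_SEC` to produce the second-granularity `notBefore`/`notAfter` passed to `SSL_EncodeESNIKeys`; that unit change from the old `time_t windowStart` is invisible at call sites, since `time_t` converts to `PRTime` without a diagnostic. Document it on the declaration: `// now is a PRTime (microseconds). The ESNI validity window is in whole seconds and starts one second early so a second rollover between key generation and the handshake cannot make the key look not-yet-valid.` The `- 1` is the actual fix this commit describes, and a comment is the only thing that will stop it being "simplified" away. GenerateEsniKey's signature is in the previous hunk.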
@@ -124,77 +123,87 @@ static void CheckSniExtension(const DataBuffer& data) { ASSERT_EQ(expected, name); } -static void ClientInstallEsni(std::shared_ptr& agent, - const DataBuffer& record, PRErrorCode err = 0) { - SECStatus rv = - SSL_EnableESNI(agent->ssl_fd(), record.data(), record.len(), kDummySni); - if (err == 0) { - ASSERT_EQ(SECSuccess, rv); - } else { - ASSERT_EQ(SECFailure, rv); - ASSERT_EQ(err, PORT_GetError()); - } -} +class TlsAgentEsniTest : public TlsAgentTestClient13 { + public: + void SetUp() override { now_ = PR_Now(); } -TEST_P(TlsAgentTestClient13, EsniInstall) { + protected: + PRTime now() const { return now_; } + + void InstallEsni(const DataBuffer& record, PRErrorCode err = 0) { + SECStatus rv = SSL_EnableESNI(agent_->ssl_fd(), record.data(), record.len(), + kDummySni); + if (err == 0) { + ASSERT_EQ(SECSuccess, rv); + } else { + ASSERT_EQ(SECFailure, rv); + ASSERT_EQ(err, PORT_GetError()); + } + } + + private: + PRTime now_ = 0; +}; + +TEST_P(TlsAgentEsniTest, EsniInstall) { EnsureInit(); DataBuffer record; - GenerateEsniKey(time(0), ssl_grp_ec_curve25519, kDefaultSuites, &record); - ClientInstallEsni(agent_, record); + GenerateEsniKey(now(), ssl_grp_ec_curve25519, kDefaultSuites, &record); + InstallEsni(record); } // The next set of tests fail at setup time. 
-TEST_P(TlsAgentTestClient13, EsniInvalidHash) { +TEST_P(TlsAgentEsniTest, EsniInvalidHash) { EnsureInit(); DataBuffer record; GenerateEsniKey(time(0), ssl_grp_ec_curve25519, kDefaultSuites, &record); record.data()[2]++; - ClientInstallEsni(agent_, record, SSL_ERROR_RX_MALFORMED_ESNI_KEYS); + InstallEsni(record, SSL_ERROR_RX_MALFORMED_ESNI_KEYS); } -TEST_P(TlsAgentTestClient13, EsniInvalidVersion) { +TEST_P(TlsAgentEsniTest, EsniInvalidVersion) { EnsureInit(); DataBuffer record; - GenerateEsniKey(time(0), ssl_grp_ec_curve25519, kDefaultSuites, &record); + GenerateEsniKey(now(), ssl_grp_ec_curve25519, kDefaultSuites, &record); record.Write(0, 0xffff, 2); - ClientInstallEsni(agent_, record, SSL_ERROR_UNSUPPORTED_VERSION); + InstallEsni(record, SSL_ERROR_UNSUPPORTED_VERSION); } -TEST_P(TlsAgentTestClient13, EsniShort) { +TEST_P(TlsAgentEsniTest, EsniShort) { EnsureInit(); DataBuffer record; - GenerateEsniKey(time(0), ssl_grp_ec_curve25519, kDefaultSuites, &record); + GenerateEsniKey(now(), ssl_grp_ec_curve25519, kDefaultSuites, &record); record.Truncate(record.len() - 1); UpdateEsniKeysChecksum(&record); - ClientInstallEsni(agent_, record, SSL_ERROR_RX_MALFORMED_ESNI_KEYS); + InstallEsni(record, SSL_ERROR_RX_MALFORMED_ESNI_KEYS); } -TEST_P(TlsAgentTestClient13, EsniLong) { +TEST_P(TlsAgentEsniTest, EsniLong) { EnsureInit(); DataBuffer record; - GenerateEsniKey(time(0), ssl_grp_ec_curve25519, kDefaultSuites, &record); + GenerateEsniKey(now(), ssl_grp_ec_curve25519, kDefaultSuites, &record); record.Write(record.len(), 1, 1); UpdateEsniKeysChecksum(&record); - ClientInstallEsni(agent_, record, SSL_ERROR_RX_MALFORMED_ESNI_KEYS); + InstallEsni(record, SSL_ERROR_RX_MALFORMED_ESNI_KEYS); } -TEST_P(TlsAgentTestClient13, EsniExtensionMismatch) { +TEST_P(TlsAgentEsniTest, EsniExtensionMismatch) { EnsureInit(); DataBuffer record; - GenerateEsniKey(time(0), ssl_grp_ec_curve25519, kDefaultSuites, &record); + GenerateEsniKey(now(), ssl_grp_ec_curve25519, kDefaultSuites, &record); 
record.Write(record.len() - 1, 1, 1); UpdateEsniKeysChecksum(&record); - ClientInstallEsni(agent_, record, SSL_ERROR_RX_MALFORMED_ESNI_KEYS); + InstallEsni(record, SSL_ERROR_RX_MALFORMED_ESNI_KEYS); } // The following tests fail by ignoring the Esni block. -TEST_P(TlsAgentTestClient13, EsniUnknownGroup) { +TEST_P(TlsAgentEsniTest, EsniUnknownGroup) { EnsureInit(); DataBuffer record; - GenerateEsniKey(time(0), ssl_grp_ec_curve25519, kDefaultSuites, &record); + GenerateEsniKey(now(), ssl_grp_ec_curve25519, kDefaultSuites, &record); record.Write(8, 0xffff, 2); // Fake group UpdateEsniKeysChecksum(&record); - ClientInstallEsni(agent_, record, 0); + InstallEsni(record, 0); auto filter = MakeTlsFilter(agent_, ssl_tls13_encrypted_sni_xtn); agent_->Handshake(); @@ -202,11 +211,11 @@ TEST_P(TlsAgentTestClient13, EsniUnknownGroup) { ASSERT_TRUE(!filter->captured()); } -TEST_P(TlsAgentTestClient13, EsniUnknownCS) { +TEST_P(TlsAgentEsniTest, EsniUnknownCS) { EnsureInit(); DataBuffer record; - GenerateEsniKey(time(0), ssl_grp_ec_curve25519, kBogusSuites, &record); - ClientInstallEsni(agent_, record, 0); + GenerateEsniKey(now(), ssl_grp_ec_curve25519, kBogusSuites, &record); + InstallEsni(record, 0); auto filter = MakeTlsFilter(agent_, ssl_tls13_encrypted_sni_xtn); agent_->Handshake(); @@ -214,12 +223,12 @@ TEST_P(TlsAgentTestClient13, EsniUnknownCS) { ASSERT_TRUE(!filter->captured()); } -TEST_P(TlsAgentTestClient13, EsniInvalidCS) { +TEST_P(TlsAgentEsniTest, EsniInvalidCS) { EnsureInit(); DataBuffer record; - GenerateEsniKey(time(0), ssl_grp_ec_curve25519, kTls12Suites, &record); + GenerateEsniKey(now(), ssl_grp_ec_curve25519, kTls12Suites, &record); UpdateEsniKeysChecksum(&record); - ClientInstallEsni(agent_, record, 0); + InstallEsni(record, 0); auto filter = MakeTlsFilter(agent_, ssl_tls13_encrypted_sni_xtn); agent_->Handshake(); 
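Review bot: `EsniInvalidHash` still calls `GenerateEsniKey(time(0), ...)` — that line is untouched context in this hunk while every sibling test was converted to `now()` — so it passes seconds where the parameter is now a `PRTime` in microseconds; it compiles because `time_t` converts implicitly, and with the bare include removed at the top of this file (its name does not survive in this copy, presumably `<time.h>`) it only resolves transitively. Change it to `GenerateEsniKey(now(), ssl_grp_ec_curve25519, kDefaultSuites, &record);`; the test presumably still passes only because the corrupted checksum is rejected before the validity window is examined. Separately, `TlsAgentEsniTest::SetUp()` overrides `SetUp` without chaining to `TlsAgentTestClient13::SetUp()`; if the base fixture does any work there (not visible here) it is now skipped, so prefer `void SetUp() override { TlsAgentTestClient13::SetUp(); now_ = PR_Now(); }`.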
@@ -227,36 +236,34 @@ TEST_P(TlsAgentTestClient13, EsniInvalidCS) { ASSERT_TRUE(!filter->captured()); } -TEST_P(TlsAgentTestClient13, EsniNotReady) { +TEST_P(TlsAgentEsniTest, EsniNotReady) { EnsureInit(); DataBuffer record; - GenerateEsniKey(time(0) + 1000, ssl_grp_ec_curve25519, kDefaultSuites, - &record); - ClientInstallEsni(agent_, record, 0); + GenerateEsniKey(now() + 1000, ssl_grp_ec_curve25519, kDefaultSuites, &record); + InstallEsni(record, 0); auto filter = MakeTlsFilter(agent_, ssl_tls13_encrypted_sni_xtn); agent_->Handshake(); ASSERT_TRUE(!filter->captured()); } -TEST_P(TlsAgentTestClient13, EsniExpired) { +TEST_P(TlsAgentEsniTest, EsniExpired) { EnsureInit(); DataBuffer record; - GenerateEsniKey(time(0) - 1000, ssl_grp_ec_curve25519, kDefaultSuites, - &record); - ClientInstallEsni(agent_, record, 0); + GenerateEsniKey(now() - 1000, ssl_grp_ec_curve25519, kDefaultSuites, &record); + InstallEsni(record, 0); auto filter = MakeTlsFilter(agent_, ssl_tls13_encrypted_sni_xtn); agent_->Handshake(); ASSERT_TRUE(!filter->captured()); } -TEST_P(TlsAgentTestClient13, NoSniSoNoEsni) { +TEST_P(TlsAgentEsniTest, NoSniSoNoEsni) { EnsureInit(); DataBuffer record; - GenerateEsniKey(time(0), ssl_grp_ec_curve25519, kDefaultSuites, &record); + GenerateEsniKey(now(), ssl_grp_ec_curve25519, kDefaultSuites, &record); SSL_SetURL(agent_->ssl_fd(), ""); - ClientInstallEsni(agent_, record, 0); + InstallEsni(record, 0); auto filter = MakeTlsFilter(agent_, ssl_tls13_encrypted_sni_xtn); agent_->Handshake(); @@ -275,7 +282,7 @@ static int32_t SniCallback(TlsAgent* agent, const SECItem* srvNameAddr, TEST_P(TlsConnectTls13, ConnectEsni) { EnsureTlsSetup(); - SetupEsni(client_, server_); + SetupEsni(now(), client_, server_); auto cFilterSni = MakeTlsFilter(client_, ssl_server_name_xtn); auto cFilterEsni = 
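Review bot: `EsniNotReady` and `EsniExpired` now pass `now() + 1000` and `now() - 1000`, but `now()` is `PR_Now()` in microseconds, so the offset that used to be 1000 seconds is now one millisecond; after `GenerateEsniKey` divides by `PR_USEC_PER_SEC`, both keys get a window of roughly `[now - 1 s, now + 10 s]` — a currently valid key — and neither test exercises the not-yet-valid or expired path any more. Scale the offsets: `GenerateEsniKey(now() + 1000 * PR_USEC_PER_SEC, ...)` and `GenerateEsniKey(now() - 1000 * PR_USEC_PER_SEC, ...)`. Whether the `!filter->captured()` assertions still pass by accident depends on how the agent's clock is configured, which is outside this hunk.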
@@ -300,7 +307,7 @@ TEST_P(TlsConnectTls13, ConnectEsniHrr) { EnsureTlsSetup(); const std::vector groups = {ssl_grp_ec_secp384r1}; server_->ConfigNamedGroups(groups); - SetupEsni(client_, server_); + SetupEsni(now(), client_, server_); auto hrr_capture = MakeTlsFilter( server_, kTlsHandshakeHelloRetryRequest); auto filter = @@ -322,8 +329,8 @@ TEST_P(TlsConnectTls13, ConnectEsniNoDummy) { ScopedSECKEYPrivateKey priv; DataBuffer record; - GenerateEsniKey(time(nullptr), ssl_grp_ec_curve25519, kDefaultSuites, &record, - &pub, &priv); + GenerateEsniKey(now(), ssl_grp_ec_curve25519, kDefaultSuites, &record, &pub, + &priv); SECStatus rv = SSL_SetESNIKeyPair(server_->ssl_fd(), priv.get(), record.data(), record.len()); ASSERT_EQ(SECSuccess, rv); @@ -346,8 +353,8 @@ TEST_P(TlsConnectTls13, ConnectEsniNullDummy) { ScopedSECKEYPrivateKey priv; DataBuffer record; - GenerateEsniKey(time(nullptr), ssl_grp_ec_curve25519, kDefaultSuites, &record, - &pub, &priv); + GenerateEsniKey(now(), ssl_grp_ec_curve25519, kDefaultSuites, &record, &pub, + &priv); SECStatus rv = SSL_SetESNIKeyPair(server_->ssl_fd(), priv.get(), record.data(), record.len()); ASSERT_EQ(SECSuccess, rv); @@ -372,14 +379,15 @@ TEST_P(TlsConnectTls13, ConnectEsniCSMismatch) { ScopedSECKEYPrivateKey priv; DataBuffer record; - GenerateEsniKey(time(nullptr), ssl_grp_ec_curve25519, kDefaultSuites, &record, - &pub, &priv); + GenerateEsniKey(now(), ssl_grp_ec_curve25519, kDefaultSuites, &record, &pub, + &priv); PRUint8 encoded[1024]; unsigned int encoded_len = 0; SECStatus rv = SSL_EncodeESNIKeys( &kChaChaSuite[0], kChaChaSuite.size(), ssl_grp_ec_curve25519, pub.get(), - 100, time(0), time(0) + 10, encoded, &encoded_len, sizeof(encoded)); + 100, (now() / PR_USEC_PER_SEC) - 1, (now() / PR_USEC_PER_SEC) + 10, + encoded, &encoded_len, sizeof(encoded)); ASSERT_EQ(SECSuccess, rv); ASSERT_LT(0U, encoded_len); rv = SSL_SetESNIKeyPair(server_->ssl_fd(), priv.get(), encoded, encoded_len); 
@@ -392,7 +400,7 @@ TEST_P(TlsConnectTls13, ConnectEsniCSMismatch) { TEST_P(TlsConnectTls13, ConnectEsniP256) { EnsureTlsSetup(); - SetupEsni(client_, server_, ssl_grp_ec_secp256r1); + SetupEsni(now(), client_, server_, ssl_grp_ec_secp256r1); auto cfilter = MakeTlsFilter(client_, ssl_server_name_xtn); auto sfilter = @@ -405,18 +413,21 @@ TEST_P(TlsConnectTls13, ConnectEsniP256) { TEST_P(TlsConnectTls13, ConnectMismatchedEsniKeys) { EnsureTlsSetup(); - SetupEsni(client_, server_); + SetupEsni(now(), client_, server_); // Now install a new set of keys on the client, so we have a mismatch. DataBuffer record; - GenerateEsniKey(time(0), ssl_grp_ec_curve25519, kDefaultSuites, &record); - ClientInstallEsni(client_, record, 0); + GenerateEsniKey(now(), ssl_grp_ec_curve25519, kDefaultSuites, &record); + + SECStatus rv = + SSL_EnableESNI(client_->ssl_fd(), record.data(), record.len(), kDummySni); + ASSERT_EQ(SECSuccess, rv); ConnectExpectAlert(server_, illegal_parameter); server_->CheckErrorCode(SSL_ERROR_RX_MALFORMED_CLIENT_HELLO); } TEST_P(TlsConnectTls13, ConnectDamagedEsniExtensionCH) { EnsureTlsSetup(); - SetupEsni(client_, server_); + SetupEsni(now(), client_, server_); auto filter = MakeTlsFilter( client_, ssl_tls13_encrypted_sni_xtn, 50); // in the ciphertext ConnectExpectAlert(server_, illegal_parameter); @@ -425,7 +436,7 @@ TEST_P(TlsConnectTls13, ConnectDamagedEsniExtensionCH) { TEST_P(TlsConnectTls13, ConnectRemoveEsniExtensionEE) { EnsureTlsSetup(); - SetupEsni(client_, server_); + SetupEsni(now(), client_, server_); auto filter = MakeTlsFilter(server_, ssl_tls13_encrypted_sni_xtn); filter->EnableDecryption(); @@ -435,7 +446,7 @@ TEST_P(TlsConnectTls13, ConnectRemoveEsniExtensionEE) { TEST_P(TlsConnectTls13, ConnectShortEsniExtensionEE) { EnsureTlsSetup(); - SetupEsni(client_, server_); + SetupEsni(now(), client_, server_); DataBuffer shortNonce; auto filter = MakeTlsFilter( server_, ssl_tls13_encrypted_sni_xtn, shortNonce); 
@@ -446,7 +457,7 @@ TEST_P(TlsConnectTls13, ConnectShortEsniExtensionEE) { TEST_P(TlsConnectTls13, ConnectBogusEsniExtensionEE) { EnsureTlsSetup(); - SetupEsni(client_, server_); + SetupEsni(now(), client_, server_); const uint8_t bogusNonceBuf[16] = {0}; DataBuffer bogusNonce(bogusNonceBuf, sizeof(bogusNonceBuf)); auto filter = MakeTlsFilter( @@ -461,7 +472,7 @@ TEST_P(TlsConnectTls13, ConnectBogusEsniExtensionEE) { // The client then aborts when it sees the server did TLS 1.2. TEST_P(TlsConnectTls13, EsniButTLS12Server) { EnsureTlsSetup(); - SetupEsni(client_, server_); + SetupEsni(now(), client_, server_); client_->SetVersionRange(SSL_LIBRARY_VERSION_TLS_1_2, SSL_LIBRARY_VERSION_TLS_1_3); server_->SetVersionRange(SSL_LIBRARY_VERSION_TLS_1_2, diff --git a/security/nss/lib/freebl/aes-armv8.c b/security/nss/lib/freebl/aes-armv8.c index 40d5e2d34e94..8213272f5399 100644 --- a/security/nss/lib/freebl/aes-armv8.c +++ b/security/nss/lib/freebl/aes-armv8.c @@ -5,9 +5,10 @@ #include "secerr.h" #include "rijndael.h" -#if (defined(__clang__) || \ - (defined(__GNUC__) && defined(__GNUC_MINOR__) && \ - (__GNUC__ > 4 || (__GNUC__ == 4 && __GNUC_MINOR__ > 8)))) +#if ((defined(__clang__) || \ + (defined(__GNUC__) && defined(__GNUC_MINOR__) && \ + (__GNUC__ > 4 || (__GNUC__ == 4 && __GNUC_MINOR__ > 8)))) && \ + (defined(__ARM_NEON) || defined(__ARM_NEON__))) #ifndef __ARM_FEATURE_CRYPTO #error "Compiler option is invalid" @@ -28,7 +29,7 @@ arm_aes_encrypt_ecb_128(AESContext *cx, unsigned char *output, #endif uint8x16_t key1, key2, key3, key4, key5, key6, key7, key8, key9, key10; uint8x16_t key11; - const PRUint8 *key = (const PRUint8 *)cx->expandedKey; + const PRUint8 *key = (const PRUint8 *)cx->k.expandedKey; if (!inputLen) { return SECSuccess; 
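Review bot: The widened `#if` makes this whole file compile to nothing on an ARM target without NEON, and the `#error "Compiler option is invalid"` beneath it no longer fires for that case, so a build that expected hardware AES falls back silently; say so at the guard: `/* ARMv8 AES intrinsics need both the crypto extension and NEON; without NEON nothing here is built and rijndael.c must not select USE_HW_AES (Bug 1590676). */` Whether rijndael.c actually makes that choice is outside this hunk.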
@@ -113,7 +114,7 @@ arm_aes_decrypt_ecb_128(AESContext *cx, unsigned char *output, #endif uint8x16_t key1, key2, key3, key4, key5, key6, key7, key8, key9, key10; uint8x16_t key11; - const PRUint8 *key = (const PRUint8 *)cx->expandedKey; + const PRUint8 *key = (const PRUint8 *)cx->k.expandedKey; if (inputLen == 0) { return SECSuccess; @@ -199,7 +200,7 @@ arm_aes_encrypt_cbc_128(AESContext *cx, unsigned char *output, uint8x16_t key1, key2, key3, key4, key5, key6, key7, key8, key9, key10; uint8x16_t key11; uint8x16_t iv; - const PRUint8 *key = (const PRUint8 *)cx->expandedKey; + const PRUint8 *key = (const PRUint8 *)cx->k.expandedKey; if (!inputLen) { return SECSuccess; @@ -293,7 +294,7 @@ arm_aes_decrypt_cbc_128(AESContext *cx, unsigned char *output, uint8x16_t iv; uint8x16_t key1, key2, key3, key4, key5, key6, key7, key8, key9, key10; uint8x16_t key11; - const PRUint8 *key = (const PRUint8 *)cx->expandedKey; + const PRUint8 *key = (const PRUint8 *)cx->k.expandedKey; if (!inputLen) { return SECSuccess; @@ -388,7 +389,7 @@ arm_aes_encrypt_ecb_192(AESContext *cx, unsigned char *output, #endif uint8x16_t key1, key2, key3, key4, key5, key6, key7, key8, key9, key10; uint8x16_t key11, key12, key13; - PRUint8 *key = (PRUint8 *)cx->expandedKey; + PRUint8 *key = (PRUint8 *)cx->k.expandedKey; if (!inputLen) { return SECSuccess; @@ -479,7 +480,7 @@ arm_aes_decrypt_ecb_192(AESContext *cx, unsigned char *output, #endif uint8x16_t key1, key2, key3, key4, key5, key6, key7, key8, key9, key10; uint8x16_t key11, key12, key13; - const PRUint8 *key = (const PRUint8 *)cx->expandedKey; + const PRUint8 *key = (const PRUint8 *)cx->k.expandedKey; if (!inputLen) { return SECSuccess; 
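Review bot: In the `@@ -388,7` hunk `arm_aes_encrypt_ecb_192` declares the schedule pointer as `PRUint8 *key = (PRUint8 *)cx->k.expandedKey;` while its siblings in this file use `const PRUint8 *key = (const PRUint8 *)cx->k.expandedKey;`, and since every one of these lines is being rewritten for the `k.` rename this is the cheap moment to make them all const. The non-const cast hands out a writable alias of the expanded key schedule for no visible reason. The same form recurs in the 192-bit CBC and 256-bit ECB encrypt variants in the following hunks. Change each to `const PRUint8 *key = (const PRUint8 *)cx->k.expandedKey;`.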
@@ -571,7 +572,7 @@ arm_aes_encrypt_cbc_192(AESContext *cx, unsigned char *output, uint8x16_t key1, key2, key3, key4, key5, key6, key7, key8, key9, key10; uint8x16_t key11, key12, key13; uint8x16_t iv; - PRUint8 *key = (PRUint8 *)cx->expandedKey; + PRUint8 *key = (PRUint8 *)cx->k.expandedKey; if (!inputLen) { return SECSuccess; @@ -670,7 +671,7 @@ arm_aes_decrypt_cbc_192(AESContext *cx, unsigned char *output, uint8x16_t iv; uint8x16_t key1, key2, key3, key4, key5, key6, key7, key8, key9, key10; uint8x16_t key11, key12, key13; - const PRUint8 *key = (const PRUint8 *)cx->expandedKey; + const PRUint8 *key = (const PRUint8 *)cx->k.expandedKey; if (!inputLen) { return SECSuccess; @@ -771,7 +772,7 @@ arm_aes_encrypt_ecb_256(AESContext *cx, unsigned char *output, #endif uint8x16_t key1, key2, key3, key4, key5, key6, key7, key8, key9, key10; uint8x16_t key11, key12, key13, key14, key15; - PRUint8 *key = (PRUint8 *)cx->expandedKey; + PRUint8 *key = (PRUint8 *)cx->k.expandedKey; if (inputLen == 0) { return SECSuccess; @@ -867,7 +868,7 @@ arm_aes_decrypt_ecb_256(AESContext *cx, unsigned char *output, #endif uint8x16_t key1, key2, key3, key4, key5, key6, key7, key8, key9, key10; uint8x16_t key11, key12, key13, key14, key15; - const PRUint8 *key = (const PRUint8 *)cx->expandedKey; + const PRUint8 *key = (const PRUint8 *)cx->k.expandedKey; if (!inputLen) { return SECSuccess; @@ -965,7 +966,7 @@ arm_aes_encrypt_cbc_256(AESContext *cx, unsigned char *output, uint8x16_t key1, key2, key3, key4, key5, key6, key7, key8, key9, key10; uint8x16_t key11, key12, key13, key14, key15; uint8x16_t iv; - const PRUint8 *key = (const PRUint8 *)cx->expandedKey; + const PRUint8 *key = (const PRUint8 *)cx->k.expandedKey; if (!inputLen) { return SECSuccess; 
@@ -1071,7 +1072,7 @@ arm_aes_decrypt_cbc_256(AESContext *cx, unsigned char *output, uint8x16_t iv; uint8x16_t key1, key2, key3, key4, key5, key6, key7, key8, key9, key10; uint8x16_t key11, key12, key13, key14, key15; - const PRUint8 *key = (const PRUint8 *)cx->expandedKey; + const PRUint8 *key = (const PRUint8 *)cx->k.expandedKey; if (!inputLen) { return SECSuccess; diff --git a/security/nss/lib/freebl/aes-x86.c b/security/nss/lib/freebl/aes-x86.c index 830b4782fe5f..edd0b512513f 100644 --- a/security/nss/lib/freebl/aes-x86.c +++ b/security/nss/lib/freebl/aes-x86.c @@ -21,7 +21,7 @@ static void native_key_expansion128(AESContext *cx, const unsigned char *key) { - __m128i *keySchedule = cx->keySchedule; + __m128i *keySchedule = cx->k.keySchedule; pre_align __m128i tmp_key post_align; pre_align __m128i tmp post_align; keySchedule[0] = _mm_loadu_si128((__m128i *)key); @@ -61,7 +61,7 @@ native_key_expansion128(AESContext *cx, const unsigned char *key) static void native_key_expansion192(AESContext *cx, const unsigned char *key) { - __m128i *keySchedule = cx->keySchedule; + __m128i *keySchedule = cx->k.keySchedule; pre_align __m128i tmp1 post_align; pre_align __m128i tmp2 post_align; pre_align __m128i tmp3 post_align; @@ -96,7 +96,7 @@ native_key_expansion192(AESContext *cx, const unsigned char *key) static void native_key_expansion256(AESContext *cx, const unsigned char *key) { - __m128i *keySchedule = cx->keySchedule; + __m128i *keySchedule = cx->k.keySchedule; pre_align __m128i tmp_key post_align; pre_align __m128i tmp1 post_align; pre_align __m128i tmp2 post_align; 
@@ -148,10 +148,10 @@ rijndael_native_encryptBlock(AESContext *cx, { int i; pre_align __m128i m post_align = _mm_loadu_si128((__m128i *)input); - m = _mm_xor_si128(m, cx->keySchedule[0]); + m = _mm_xor_si128(m, cx->k.keySchedule[0]); for (i = 1; i < cx->Nr; ++i) { - m = _mm_aesenc_si128(m, cx->keySchedule[i]); + m = _mm_aesenc_si128(m, cx->k.keySchedule[i]); } - m = _mm_aesenclast_si128(m, cx->keySchedule[cx->Nr]); + m = _mm_aesenclast_si128(m, cx->k.keySchedule[cx->Nr]); _mm_storeu_si128((__m128i *)output, m); } diff --git a/security/nss/lib/freebl/config.mk b/security/nss/lib/freebl/config.mk index 7ac50db65915..918a66363f47 100644 --- a/security/nss/lib/freebl/config.mk +++ b/security/nss/lib/freebl/config.mk @@ -90,12 +90,7 @@ EXTRA_SHARED_LIBS += \ endif endif -ifeq (,$(filter-out DragonFly FreeBSD Linux NetBSD OpenBSD, $(OS_TARGET))) -CFLAGS += -std=gnu99 -endif - ifeq ($(OS_ARCH), Darwin) -CFLAGS += -std=gnu99 EXTRA_SHARED_LIBS += -dylib_file @executable_path/libplc4.dylib:$(DIST)/lib/libplc4.dylib -dylib_file @executable_path/libplds4.dylib:$(DIST)/lib/libplds4.dylib endif diff --git a/security/nss/lib/freebl/freebl.gyp b/security/nss/lib/freebl/freebl.gyp index 39506921c722..f12508136b8a 100644 --- a/security/nss/lib/freebl/freebl.gyp +++ b/security/nss/lib/freebl/freebl.gyp @@ -361,15 +361,6 @@ 'MP_API_COMPATIBLE' ], 'conditions': [ - [ 'OS=="mac"', { - 'xcode_settings': { - # I'm not sure since when this is supported. - # But I hope that doesn't matter. We also assume this is x86/x64. - 'OTHER_CFLAGS': [ - '-std=gnu99', - ], - }, - }], [ 'OS=="win" and target_arch=="ia32"', { 'msvs_settings': { 'VCCLCompilerTool': { @@ -424,14 +415,6 @@ 'FREEBL_LOWHASH', 'FREEBL_NO_DEPEND', ], - 'cflags': [ - '-std=gnu99', - ], - }], - [ 'OS=="dragonfly" or OS=="freebsd" or OS=="netbsd" or OS=="openbsd"', { - 'cflags': [ - '-std=gnu99', - ], }], [ 'OS=="linux" or OS=="android"', { 'conditions': [ 
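Review bot: Dropping `-std=gnu99` from config.mk and the matching freebl.gyp entries means freebl now compiles under each compiler's default dialect, and the aes-armv8.c guard elsewhere in this patch still admits GCC 4.9, whose default is gnu89 and which rejects C99 constructs such as declarations after statements. Presumably a C standard flag is now inherited from the top-level build (not visible here), or the anonymous-union-to-`k` rename in rijndael.h was done so that freebl no longer needs the extension; either way the commit message does not say. A one-line comment where the flag used to live would save the next reader the archaeology, e.g. `# -std is set by the top-level build; freebl no longer forces gnu99 here.`, and the assumption should be confirmed against the top-level config before landing.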
diff --git a/security/nss/lib/freebl/intel-aes.h b/security/nss/lib/freebl/intel-aes.h index 970f5192c06a..e7fe1a03baa5 100644 --- a/security/nss/lib/freebl/intel-aes.h +++ b/security/nss/lib/freebl/intel-aes.h @@ -123,21 +123,21 @@ SECStatus intel_aes_encrypt_ctr_256(CTRContext *cx, unsigned char *output, : (nr) == 12 ? intel_aes_encrypt_ctr_192 \ : intel_aes_encrypt_ctr_256) -#define native_aes_init(encrypt, keysize) \ - do { \ - if (encrypt) { \ - if (keysize == 16) \ - intel_aes_encrypt_init_128(key, cx->expandedKey); \ - else if (keysize == 24) \ - intel_aes_encrypt_init_192(key, cx->expandedKey); \ - else \ - intel_aes_encrypt_init_256(key, cx->expandedKey); \ - } else { \ - if (keysize == 16) \ - intel_aes_decrypt_init_128(key, cx->expandedKey); \ - else if (keysize == 24) \ - intel_aes_decrypt_init_192(key, cx->expandedKey); \ - else \ - intel_aes_decrypt_init_256(key, cx->expandedKey); \ - } \ +#define native_aes_init(encrypt, keysize) \ + do { \ + if (encrypt) { \ + if (keysize == 16) \ + intel_aes_encrypt_init_128(key, cx->k.expandedKey); \ + else if (keysize == 24) \ + intel_aes_encrypt_init_192(key, cx->k.expandedKey); \ + else \ + intel_aes_encrypt_init_256(key, cx->k.expandedKey); \ + } else { \ + if (keysize == 16) \ + intel_aes_decrypt_init_128(key, cx->k.expandedKey); \ + else if (keysize == 24) \ + intel_aes_decrypt_init_192(key, cx->k.expandedKey); \ + else \ + intel_aes_decrypt_init_256(key, cx->k.expandedKey); \ + } \ } while (0) diff --git a/security/nss/lib/freebl/intel-gcm-wrap.c b/security/nss/lib/freebl/intel-gcm-wrap.c index 7558ffe5917a..059fc633293b 100644 --- a/security/nss/lib/freebl/intel-gcm-wrap.c +++ b/security/nss/lib/freebl/intel-gcm-wrap.c 
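Review bot: The rewritten `native_aes_init(encrypt, keysize)` still reads `key` and `cx` from the expansion site's scope instead of taking them as parameters, a hidden coupling that breaks silently when a caller renames a local; since the whole macro body is being rewritten for the `k.` rename anyway, this is a cheap moment to make the dependency explicit. At minimum add above it: `/* Expects `key` (raw key bytes) and `cx` (AESContext *) to be in scope at the expansion site. */`. Passing them as macro parameters would be better, but is only safe if the call site (not visible here) is updated in the same change.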
@@ -89,7 +89,7 @@ intel_AES_GCM_CreateContext(void *context, gcm->Mlen = 0; /* first prepare H and its derivatives for ghash */ - intel_aes_gcmINIT(gcm->Htbl, (unsigned char *)aes->expandedKey, aes->Nr); + intel_aes_gcmINIT(gcm->Htbl, (unsigned char *)aes->k.expandedKey, aes->Nr); /* Initial TAG value is zero */ _mm_storeu_si128((__m128i *)gcm->T, _mm_setzero_si128()); diff --git a/security/nss/lib/freebl/rijndael.c b/security/nss/lib/freebl/rijndael.c index 26bd58ee0787..fbf229aa5ed8 100644 --- a/security/nss/lib/freebl/rijndael.c +++ b/security/nss/lib/freebl/rijndael.c @@ -20,7 +20,8 @@ #include "gcm.h" #include "mpi.h" -#if !defined(IS_LITTLE_ENDIAN) && !defined(NSS_X86_OR_X64) +#if (!defined(IS_LITTLE_ENDIAN) && !defined(NSS_X86_OR_X64)) || \ + (defined(__arm__) && !defined(__ARM_NEON) && !defined(__ARM_NEON__)) // not test yet on big endian platform of arm #undef USE_HW_AES #endif @@ -330,7 +331,7 @@ rijndael_key_expansion7(AESContext *cx, const unsigned char *key, unsigned int N PRUint32 *W; PRUint32 *pW; PRUint32 tmp; - W = cx->expandedKey; + W = cx->k.expandedKey; /* 1. the first Nk words contain the cipher key */ memcpy(W, key, Nk * 4); i = Nk; @@ -362,7 +363,7 @@ rijndael_key_expansion(AESContext *cx, const unsigned char *key, unsigned int Nk rijndael_key_expansion7(cx, key, Nk); return; } - W = cx->expandedKey; + W = cx->k.expandedKey; /* The first Nk words contain the input cipher key */ memcpy(W, key, Nk * 4); i = Nk; @@ -439,7 +440,7 @@ rijndael_invkey_expansion(AESContext *cx, const unsigned char *key, unsigned int /* ... but has the additional step of InvMixColumn, * excepting the first and last round keys. */ - roundkeyw = cx->expandedKey + cx->Nb; + roundkeyw = cx->k.expandedKey + cx->Nb; for (r = 1; r < cx->Nr; ++r) { /* each key word, roundkeyw, represents a column in the key * matrix. Each column is multiplied by the InvMixColumn matrix. 
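Review bot: The `// not test yet on big endian platform of arm` comment in the rijndael.c `#if` now sits under a condition that also covers little-endian 32-bit ARM built without NEON, so it no longer describes what the guard does. This guard is the software-fallback counterpart of the NEON check added to aes-armv8.c earlier in this patch, and that relationship should be stated where it is enforced. Suggested replacement: `/* Disable the hardware AES path on big-endian non-x86 targets (untested) and on 32-bit ARM built without NEON, matching the guard in aes-armv8.c. */`.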
@@ -537,7 +538,7 @@ rijndael_encryptBlock128(AESContext *cx, pOut = (unsigned char *)output; } #endif - roundkeyw = cx->expandedKey; + roundkeyw = cx->k.expandedKey; /* Step 1: Add Round Key 0 to initial state */ COLUMN_0(state) = *((PRUint32 *)(pIn)) ^ *roundkeyw++; COLUMN_1(state) = *((PRUint32 *)(pIn + 4)) ^ *roundkeyw++; @@ -632,7 +633,7 @@ rijndael_decryptBlock128(AESContext *cx, pOut = (unsigned char *)output; } #endif - roundkeyw = cx->expandedKey + cx->Nb * cx->Nr + 3; + roundkeyw = cx->k.expandedKey + cx->Nb * cx->Nr + 3; /* reverse the final key addition */ COLUMN_3(state) = *((PRUint32 *)(pIn + 12)) ^ *roundkeyw--; COLUMN_2(state) = *((PRUint32 *)(pIn + 8)) ^ *roundkeyw--; diff --git a/security/nss/lib/freebl/rijndael.h b/security/nss/lib/freebl/rijndael.h index 1b63a323da97..61060e016e70 100644 --- a/security/nss/lib/freebl/rijndael.h +++ b/security/nss/lib/freebl/rijndael.h @@ -68,7 +68,7 @@ struct AESContextStr { __m128i keySchedule[15]; #endif PRUint32 expandedKey[RIJNDAEL_MAX_EXP_KEY_SIZE]; - }; + } k; unsigned int Nb; unsigned int Nr; freeblCipherFunc worker; diff --git a/security/nss/lib/mozpkix/test-lib/pkixtestnss.cpp b/security/nss/lib/mozpkix/test-lib/pkixtestnss.cpp index 099bf8348d1c..1e50f46f4533 100644 --- a/security/nss/lib/mozpkix/test-lib/pkixtestnss.cpp +++ b/security/nss/lib/mozpkix/test-lib/pkixtestnss.cpp @@ -236,7 +236,7 @@ GenerateKeyPairInner() } PK11RSAGenParams params; params.keySizeInBits = 2048; - params.pe = 3; + params.pe = 65537; // Bug 1012786: PK11_GenerateKeyPair can fail if there is insufficient // entropy to generate a random key. Attempting to add some entropy and diff --git a/security/nss/lib/pk11wrap/pk11cert.c b/security/nss/lib/pk11wrap/pk11cert.c index 122fe43da560..655c5f9703b6 100644 --- a/security/nss/lib/pk11wrap/pk11cert.c +++ b/security/nss/lib/pk11wrap/pk11cert.c 
@@ -245,7 +245,7 @@ pk11_fastCert(PK11SlotInfo *slot, CK_OBJECT_HANDLE certID,
 /* Get the cryptoki object from the handle */
 token = PK11Slot_GetNSSToken(slot);
- if (token->defaultSession) {
+ if (token && token->defaultSession) {
 co = nssCryptokiObject_Create(token, token->defaultSession, certID);
 } else {
 PORT_SetError(SEC_ERROR_NO_TOKEN);
@@ -307,9 +307,15 @@ PK11_MakeCertFromHandle(PK11SlotInfo *slot, CK_OBJECT_HANDLE certID,
 CERTCertificate *cert = NULL;
 CERTCertTrust *trust;
+ if (slot == NULL || certID == CK_INVALID_HANDLE) {
+ PORT_SetError(SEC_ERROR_INVALID_ARGS);
+ return NULL;
+ }
+
 cert = pk11_fastCert(slot, certID, privateLabel, &nickname);
- if (cert == NULL)
+ if (cert == NULL) {
 goto loser;
+ }
 if (nickname) {
 if (cert->nickname != NULL) {
diff --git a/security/nss/lib/softoken/legacydb/keydb.c b/security/nss/lib/softoken/legacydb/keydb.c
index b4aa7754b6d3..c8c4d07ba889 100644
--- a/security/nss/lib/softoken/legacydb/keydb.c
+++ b/security/nss/lib/softoken/legacydb/keydb.c
@@ -1213,6 +1213,8 @@ nsslowkey_EncodePW(SECOidTag alg, const SECItem *salt, SECItem *data)
 unsigned char one = 1;
 SECItem *epw = NULL;
 SECItem *encParam;
+ int iterLen = 0;
+ int saltLen;
 SECStatus rv;
 param.salt = *salt;
@@ -1221,6 +1223,17 @@ nsslowkey_EncodePW(SECOidTag alg, const SECItem *salt, SECItem *data)
 param.iter.len = 1;
 edi.encryptedData = *data;
+ iterLen = salt->len > 1 ? salt->data[salt->len - 1] : 2;
+ saltLen = (salt->len - iterLen) - 1;
+ /* if the resulting saltLen is a sha hash length, then assume that
+ * the iteration count is tacked on the end of the buffer */
+ if ((saltLen == SHA1_LENGTH) || (saltLen == SHA256_LENGTH) || (saltLen == SHA384_LENGTH) || (saltLen == SHA224_LENGTH) ||
+ (saltLen == SHA512_LENGTH)) {
+ param.iter.data = &salt->data[saltLen];
+ param.iter.len = iterLen;
+ param.salt.len = saltLen;
+ }
+
 arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
 if (arena == NULL) {
 return NULL;
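Review bot: In `pk11_fastCert` the NULL-token case now lands in the `else` branch and reports `SEC_ERROR_NO_TOKEN`, which is sensible, but the argument check is placed one level up: `PK11_MakeCertFromHandle` now rejects a NULL `slot` and `CK_INVALID_HANDLE`, while `pk11_fastCert` itself still passes `slot` straight to `PK11Slot_GetNSSToken`, so any other caller of `pk11_fastCert` (none visible here) gets no protection. Consider moving the `slot == NULL` check into `pk11_fastCert`, or at least adding `PORT_Assert(slot);` there. The early return in `PK11_MakeCertFromHandle` precedes any allocation, so bypassing `loser` is fine; the rest of that function is outside the hunk.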
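Review bot: The salt/iteration-count split in `nsslowkey_EncodePW` is inferred by pattern-matching the length, and it accepts an `iterLen` of 0: a salt whose last byte is 0 and whose length minus one is a hash length makes the code set `param.iter.len = 0` and emit an empty INTEGER for the iteration count. `saltLen` is also computed from the unsigned `salt->len` and then compared as an `int`, and the `: 2` default for a one-byte salt is unexplained. Tighten the guard to `if (iterLen > 0 && iterLen <= 4 && salt->len > (unsigned)(iterLen + 1) && ((saltLen == SHA1_LENGTH) || ...))` and document the layout above it: `/* Layout produced by nsslowkey_DecodePW: salt || DER iteration count || one byte holding the count's length. */`. Whether a plain legacy salt can ever be 21 or 33 bytes long and collide with this heuristic depends on the salt sizes the rest of keydb.c uses, which is not visible here.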
@@ -1270,9 +1283,23 @@ nsslowkey_DecodePW(const SECItem *derData, SECOidTag *alg, SECItem *salt)
 if (rv != SECSuccess) {
 goto loser;
 }
- rv = SECITEM_CopyItem(NULL, salt, ¶m.salt);
- if (rv != SECSuccess) {
- goto loser;
+ /* if the iteration count isn't one, tack it at the end of the salt */
+ if (!((param.iter.len == 1) && (param.iter.data[0] == 1))) {
+ int total_len = param.salt.len + param.iter.len + 1;
+ salt->data = PORT_Alloc(total_len);
+ if (salt->data == NULL) {
+ goto loser;
+ }
+ PORT_Memcpy(salt->data, param.salt.data, param.salt.len);
+ PORT_Memcpy(&salt->data[param.salt.len], param.iter.data,
+ param.iter.len);
+ salt->data[total_len - 1] = param.iter.len;
+ salt->len = total_len;
+ } else {
+ rv = SECITEM_CopyItem(NULL, salt, ¶m.salt);
+ if (rv != SECSuccess) {
+ goto loser;
+ }
 }
 pwe = SECITEM_DupItem(&edi.encryptedData);
diff --git a/security/nss/lib/softoken/lgglue.c b/security/nss/lib/softoken/lgglue.c
index 94f05412952d..8cfb4ec561ad 100644
--- a/security/nss/lib/softoken/lgglue.c
+++ b/security/nss/lib/softoken/lgglue.c
@@ -171,6 +171,8 @@ sftkdb_encrypt_stub(PLArenaPool *arena, SDB *sdb, SECItem *plainText,
 {
 SFTKDBHandle *handle = sdb->app_private;
 SECStatus rv;
+ SECItem *key;
+ int iterationCount;
 if (handle == NULL) {
 return SECFailure;
@@ -192,9 +194,18 @@ sftkdb_encrypt_stub(PLArenaPool *arena, SDB *sdb, SECItem *plainText,
 /* PORT_SetError */
 return SECFailure;
 }
+ key = handle->newKey ? handle->newKey : &handle->passwordKey;
+ if (sftk_isLegacyIterationCountAllowed()) {
+ if (handle->newKey) {
+ iterationCount = handle->newDefaultIterationCount;
+ } else {
+ iterationCount = handle->defaultIterationCount;
+ }
+ } else {
+ iterationCount = 1;
+ }
- rv = sftkdb_EncryptAttribute(arena,
- handle->newKey ? handle->newKey : &handle->passwordKey,
+ rv = sftkdb_EncryptAttribute(arena, key, iterationCount,
 plainText, cipherText);
 PZ_Unlock(handle->passwordLock);
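Review bot: `nsslowkey_DecodePW` stores `param.iter.len` into a single byte (`salt->data[total_len - 1] = param.iter.len;`) and copies `param.iter.data` without checking that the decoded INTEGER is non-empty and short enough, so a malformed or hostile key-db record with a 0-byte or >255-byte iteration count yields a salt blob that `nsslowkey_EncodePW` later misreads. Add before the allocation: `if (param.iter.len == 0 || param.iter.len > 255) { goto loser; }` (the `loser` path is outside the hunk; confirm it reports failure when `rv` is still SECSuccess, since the new `PORT_Alloc` failure branch also reaches it without setting `rv`). A comment naming the produced layout, `/* salt || DER iteration count || length byte, consumed by nsslowkey_EncodePW */`, would also help the next reader.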
diff --git a/security/nss/lib/softoken/pkcs11.c b/security/nss/lib/softoken/pkcs11.c
index 05e3ac1d4767..7f3a01746405 100644
--- a/security/nss/lib/softoken/pkcs11.c
+++ b/security/nss/lib/softoken/pkcs11.c
@@ -626,7 +626,7 @@ sftk_hasNullPassword(SFTKSlot *slot, SFTKDBHandle *keydb)
 pwenabled = PR_FALSE;
 if (sftkdb_HasPasswordSet(keydb) == SECSuccess) {
 PRBool tokenRemoved = PR_FALSE;
- SECStatus rv = sftkdb_CheckPassword(keydb, "", &tokenRemoved);
+ SECStatus rv = sftkdb_CheckPasswordNull(keydb, &tokenRemoved);
 if (tokenRemoved) {
 sftk_CloseAllSessions(slot, PR_FALSE);
 }
@@ -3947,7 +3947,7 @@ NSC_SetPIN(CK_SESSION_HANDLE hSession, CK_CHAR_PTR pOldPin,
 PZ_Unlock(slot->slotLock);
 tokenRemoved = PR_FALSE;
- rv = sftkdb_CheckPassword(handle, "", &tokenRemoved);
+ rv = sftkdb_CheckPasswordNull(handle, &tokenRemoved);
 if (tokenRemoved) {
 sftk_CloseAllSessions(slot, PR_FALSE);
 }
diff --git a/security/nss/lib/softoken/pkcs11c.c b/security/nss/lib/softoken/pkcs11c.c
index ccf9a02ae5ad..ac6e72fa0b33 100644
--- a/security/nss/lib/softoken/pkcs11c.c
+++ b/security/nss/lib/softoken/pkcs11c.c
@@ -1002,6 +1002,10 @@ sftk_CryptInit(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism,
 crv = CKR_KEY_TYPE_INCONSISTENT;
 break;
 }
+ if (pMechanism->ulParameterLen < 8) {
+ crv = CKR_DOMAIN_PARAMS_INVALID;
+ break;
+ }
 t = NSS_DES_CBC;
 goto finish_des;
 case CKM_DES3_ECB:
@@ -1019,6 +1023,10 @@ sftk_CryptInit(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism,
 crv = CKR_KEY_TYPE_INCONSISTENT;
 break;
 }
+ if (pMechanism->ulParameterLen < 8) {
+ crv = CKR_DOMAIN_PARAMS_INVALID;
+ break;
+ }
 t = NSS_DES_EDE3_CBC;
 finish_des:
 context->blockSize = 8;
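Review bot: The new DES-CBC IV check in `sftk_CryptInit` only tests `ulParameterLen < 8`, so an IV longer than one block is still accepted (the extra bytes are presumably ignored) and a NULL `pParameter` with a non-zero length is not caught; PKCS#11 also specifies `CKR_MECHANISM_PARAM_INVALID`, not `CKR_DOMAIN_PARAMS_INVALID`, for a bad mechanism parameter. Suggest in both the DES and DES3 arms: `if (pMechanism->pParameter == NULL || pMechanism->ulParameterLen != 8) { crv = CKR_MECHANISM_PARAM_INVALID; break; }`. The NULL check matters because the CBC setup after `finish_des:` (outside the hunk) presumably reads the IV from `pParameter`; whether any caller depends on the current return code is not visible here.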
@@ -1759,10 +1767,12 @@ NSC_Decrypt(CK_SESSION_HANDLE hSession,
 }
 finalLen = maxoutlen;
 crv2 = NSC_DecryptFinal(hSession, pData, &finalLen);
- if (crv == CKR_OK && crv2 == CKR_OK) {
- *pulDataLen = updateLen + finalLen;
+ if (crv == CKR_OK) {
+ *pulDataLen = CT_SEL(CK_RVToMask(crv2), updateLen + finalLen, *pulDataLen);
+ return crv2;
+ } else {
+ return crv;
 }
- return crv == CKR_OK ? crv2 : crv;
 }
 rv = (*context->update)(context->cipherInfo, pData, &outlen, maxoutlen,
diff --git a/security/nss/lib/softoken/sftkdb.c b/security/nss/lib/softoken/sftkdb.c
index 409c910f4647..61cb2ce8b9ab 100644
--- a/security/nss/lib/softoken/sftkdb.c
+++ b/security/nss/lib/softoken/sftkdb.c
@@ -530,6 +530,7 @@ sftk_signTemplate(PLArenaPool *arena, SFTKDBHandle *handle,
 goto loser;
 }
 rv = sftkdb_SignAttribute(arena, &keyHandle->passwordKey,
+ keyHandle->defaultIterationCount,
 objectID, template[i].type, &plainText, &signText);
 PZ_Unlock(keyHandle->passwordLock);
@@ -663,6 +664,7 @@ sftk_ExtractTemplate(PLArenaPool *arena, SFTKObject *object,
 break;
 }
 rv = sftkdb_EncryptAttribute(arena, &handle->passwordKey,
+ handle->defaultIterationCount,
 &plainText, &cipherText);
 PZ_Unlock(handle->passwordLock);
 if (rv == SECSuccess) {
@@ -2449,7 +2451,7 @@ sftk_getDBForTokenObject(SFTKSlot *slot, CK_OBJECT_HANDLE objectID)
 * initialize a new database handle
 */
 static SFTKDBHandle *
-sftk_NewDBHandle(SDB *sdb, int type)
+sftk_NewDBHandle(SDB *sdb, int type, PRBool legacy)
 {
 SFTKDBHandle *handle = PORT_New(SFTKDBHandle);
 handle->ref = 1;
@@ -2461,6 +2463,7 @@ sftk_NewDBHandle(SDB *sdb, int type)
 handle->updatePasswordKey = NULL;
 handle->updateID = NULL;
 handle->type = type;
+ handle->usesLegacyStorage = legacy;
 handle->passwordKey.data = NULL;
 handle->passwordKey.len = 0;
 handle->passwordLock = NULL;
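Review bot: The reason for the `CT_SEL(CK_RVToMask(crv2), ...)` form in `NSC_Decrypt` is not stated in the code, so the next maintainer is likely to simplify it back to the branch it replaces. Propose a comment above the assignment: `/* Select the output length without branching on crv2: a data-dependent branch here would let a padding failure in NSC_DecryptFinal be distinguished by timing (padding-oracle). */`. Note that `*pulDataLen` is now also written (with its previous value) when `crv2 != CKR_OK`, which is behaviourally the same as before but worth a word in that comment. The rest of NSC_Decrypt is outside the hunk.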
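Review bot: `sftk_NewDBHandle` initialises every field of the new handle explicitly but not the two counters this patch adds to `SFTKDBHandleStr`, `defaultIterationCount` and `newDefaultIterationCount`; they are read by `sftk_signTemplate`/`sftk_ExtractTemplate` earlier in this file and by `sftkdb_encrypt_stub` in lgglue.c, and are only assigned in `sftkdb_switchKeys` and `sftk_updateEncrypted`. Unless `PORT_New` zero-fills (not visible here), any sign or encrypt that runs before a password check has installed a key passes an indeterminate iteration count to `nsspkcs5_NewParam`. Add `handle->defaultIterationCount = 1;` and `handle->newDefaultIterationCount = 1;` next to `handle->usesLegacyStorage = legacy;`, 1 being the pre-patch behaviour.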
@@ -2620,6 +2623,7 @@ sftk_DBInit(const char *configdir, const char *certPrefix, PRBool newInit = PR_FALSE; PRBool needUpdate = PR_FALSE; char *nconfdir = NULL; + PRBool legacy = PR_TRUE; if (!readOnly) { flags = SDB_CREATE; @@ -2652,12 +2656,14 @@ sftk_DBInit(const char *configdir, const char *certPrefix, case NSS_DB_TYPE_EXTERN: /* SHOULD open a loadable db */ crv = s_open(confdir, certPrefix, keyPrefix, 9, 4, flags, noCertDB ? NULL : &certSDB, noKeyDB ? NULL : &keySDB, &newInit); + legacy = PR_FALSE; /* * if we failed to open the DB's read only, use the old ones if * the exists. */ if (crv != CKR_OK) { + legacy = PR_TRUE; if ((flags & SDB_RDONLY) == SDB_RDONLY) { nconfdir = sftk_legacyPathFromSDBPath(confdir); } @@ -2711,12 +2717,12 @@ sftk_DBInit(const char *configdir, const char *certPrefix, goto done; } if (!noCertDB) { - *certDB = sftk_NewDBHandle(certSDB, SFTK_CERTDB_TYPE); + *certDB = sftk_NewDBHandle(certSDB, SFTK_CERTDB_TYPE, legacy); } else { *certDB = NULL; } if (!noKeyDB) { - *keyDB = sftk_NewDBHandle(keySDB, SFTK_KEYDB_TYPE); + *keyDB = sftk_NewDBHandle(keySDB, SFTK_KEYDB_TYPE, legacy); } else { *keyDB = NULL; } @@ -2759,7 +2765,7 @@ sftk_DBInit(const char *configdir, const char *certPrefix, (sftkdb_HasPasswordSet(*keyDB) == SECSuccess) ? PR_TRUE : PR_FALSE; /* if the password on the key db is NULL, kick off our update * chain of events */ - sftkdb_CheckPassword((*keyDB), "", &tokenRemoved); + sftkdb_CheckPasswordNull((*keyDB), &tokenRemoved); } else { /* we don't have a key DB, update the certificate DB now */ sftkdb_Update(*certDB, NULL); diff --git a/security/nss/lib/softoken/sftkdb.h b/security/nss/lib/softoken/sftkdb.h index a47c89670181..bce39dc920f0 100644 --- a/security/nss/lib/softoken/sftkdb.h +++ b/security/nss/lib/softoken/sftkdb.h 
@@ -25,6 +25,7 @@ CK_RV sftkdb_closeDB(SFTKDBHandle *handle); SECStatus sftkdb_PWIsInitialized(SFTKDBHandle *keydb); SECStatus sftkdb_CheckPassword(SFTKDBHandle *keydb, const char *pw, PRBool *tokenRemoved); +SECStatus sftkdb_CheckPasswordNull(SFTKDBHandle *keydb, PRBool *tokenRemoved); SECStatus sftkdb_PWCached(SFTKDBHandle *keydb); SECStatus sftkdb_HasPasswordSet(SFTKDBHandle *keydb); SECStatus sftkdb_ResetKeyDB(SFTKDBHandle *keydb); @@ -69,3 +70,5 @@ SFTKDBHandle *sftk_getKeyDB(SFTKSlot *slot); SFTKDBHandle *sftk_getDBForTokenObject(SFTKSlot *slot, CK_OBJECT_HANDLE objectID); void sftk_freeDB(SFTKDBHandle *certHandle); + +PRBool sftk_isLegacyIterationCountAllowed(void); diff --git a/security/nss/lib/softoken/sftkdbti.h b/security/nss/lib/softoken/sftkdbti.h index 7b1db45607f1..a3a19414e0a7 100644 --- a/security/nss/lib/softoken/sftkdbti.h +++ b/security/nss/lib/softoken/sftkdbti.h @@ -13,7 +13,9 @@ struct SFTKDBHandleStr { PRInt32 ref; CK_OBJECT_HANDLE type; SECItem passwordKey; + int defaultIterationCount; SECItem *newKey; + int newDefaultIterationCount; SECItem *oldKey; SECItem *updatePasswordKey; PZLock *passwordLock; @@ -21,6 +23,7 @@ struct SFTKDBHandleStr { SDB *update; char *updateID; PRBool updateDBIsInit; + PRBool usesLegacyStorage; }; #define SFTK_KEYDB_TYPE 0x40000000 @@ -39,9 +42,10 @@ struct SFTKDBHandleStr { SECStatus sftkdb_DecryptAttribute(SECItem *passKey, SECItem *cipherText, SECItem **plainText); SECStatus sftkdb_EncryptAttribute(PLArenaPool *arena, SECItem *passKey, - SECItem *plainText, SECItem **cipherText); + int iterationCount, SECItem *plainText, + SECItem **cipherText); SECStatus sftkdb_SignAttribute(PLArenaPool *arena, SECItem *passKey, - CK_OBJECT_HANDLE objectID, + int iterationCount, CK_OBJECT_HANDLE objectID, CK_ATTRIBUTE_TYPE attrType, SECItem *plainText, SECItem **sigText); SECStatus sftkdb_VerifyAttribute(SECItem *passKey, 
diff --git a/security/nss/lib/softoken/sftkpwd.c b/security/nss/lib/softoken/sftkpwd.c
index 9f97c77038fa..f2acf7664777 100644
--- a/security/nss/lib/softoken/sftkpwd.c
+++ b/security/nss/lib/softoken/sftkpwd.c
@@ -34,6 +34,41 @@
 #include "secerr.h"
 #include "softoken.h"
+static const int NSS_MP_PBE_ITERATION_COUNT = 10000;
+
+static int
+getPBEIterationCount(void)
+{
+ int c = NSS_MP_PBE_ITERATION_COUNT;
+
+ char *val = getenv("NSS_MIN_MP_PBE_ITERATION_COUNT");
+ if (val) {
+ int minimum = atoi(val);
+ if (c < minimum) {
+ c = minimum;
+ }
+ }
+
+ val = getenv("NSS_MAX_MP_PBE_ITERATION_COUNT");
+ if (val) {
+ int maximum = atoi(val);
+ if (c > maximum) {
+ c = maximum;
+ }
+ }
+
+ return c;
+}
+
+PRBool
+sftk_isLegacyIterationCountAllowed(void)
+{
+ static const char *legacyCountEnvVar =
+ "NSS_ALLOW_LEGACY_DBM_ITERATION_COUNT";
+ char *iterEnv = getenv(legacyCountEnvVar);
+ return (iterEnv && strcmp("0", iterEnv) != 0);
+}
+
 /******************************************************************
 *
 * Key DB password handling functions
@@ -132,7 +167,7 @@ const SEC_ASN1Template sftkdb_EncryptedDataInfoTemplate[] = {
 * to data in cipherText, if cipherText is freed, cipherValue will be invalid.
 */
 static SECStatus
-sftkdb_decodeCipherText(SECItem *cipherText, sftkCipherValue *cipherValue)
+sftkdb_decodeCipherText(const SECItem *cipherText, sftkCipherValue *cipherValue)
 {
 PLArenaPool *arena = NULL;
 SFTKDBEncryptedDataInfo edi;
@@ -225,7 +260,8 @@ loser:
 * with SECITEM_FreeItem by the caller.
 */
 SECStatus
-sftkdb_DecryptAttribute(SECItem *passKey, SECItem *cipherText, SECItem **plain)
+sftkdb_DecryptAttribute(SECItem *passKey, SECItem *cipherText,
+ SECItem **plain)
 {
 SECStatus rv;
 sftkCipherValue cipherValue;
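Review bot: `getPBEIterationCount` applies the environment bounds with no sanity floor: `NSS_MAX_MP_PBE_ITERATION_COUNT=0`, or any non-numeric value that `atoi` turns into 0, drives the count to zero or negative, and that value is then handed to `nsspkcs5_NewParam` by `sftkdb_EncryptAttribute`/`sftkdb_SignAttribute` and stored as the handle's default. Since a misconfigured value silently weakens the master-password KDF, clamp after the max step with `if (c < 1) { c = 1; }` and prefer `strtol` with an end-pointer check over `atoi`. `sftk_isLegacyIterationCountAllowed` also treats an empty string as enabled; a comment above each function stating the accepted values of the three variables would make the contract explicit.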
@@ -235,6 +271,7 @@ sftkdb_DecryptAttribute(SECItem *passKey, SECItem *cipherText, SECItem **plain)
 if (rv != SECSuccess) {
 goto loser;
 }
+ /* fprintf(stderr, "sftkdb_DecryptAttribute iteration: %d\n", cipherValue.param->iter); */
 *plain = nsspkcs5_CipherData(cipherValue.param, passKey, &cipherValue.value,
 PR_FALSE, NULL);
@@ -261,7 +298,8 @@ loser:
 */
 SECStatus
 sftkdb_EncryptAttribute(PLArenaPool *arena, SECItem *passKey,
- SECItem *plainText, SECItem **cipherText)
+ int iterationCount, SECItem *plainText,
+ SECItem **cipherText)
 {
 SECStatus rv;
 sftkCipherValue cipherValue;
@@ -275,7 +313,7 @@ sftkdb_EncryptAttribute(PLArenaPool *arena, SECItem *passKey,
 RNG_GenerateGlobalRandomBytes(saltData, cipherValue.salt.len);
 param = nsspkcs5_NewParam(cipherValue.alg, HASH_AlgSHA1, &cipherValue.salt,
- 1);
+ iterationCount);
 if (param == NULL) {
 rv = SECFailure;
 goto loser;
@@ -413,7 +451,8 @@ loser:
 */
 SECStatus
 sftkdb_SignAttribute(PLArenaPool *arena, SECItem *passKey,
- CK_OBJECT_HANDLE objectID, CK_ATTRIBUTE_TYPE attrType,
+ int iterationCount, CK_OBJECT_HANDLE objectID,
+ CK_ATTRIBUTE_TYPE attrType,
 SECItem *plainText, SECItem **signature)
 {
 SECStatus rv;
@@ -446,7 +485,8 @@ sftkdb_SignAttribute(PLArenaPool *arena, SECItem *passKey,
 RNG_GenerateGlobalRandomBytes(saltData, prfLength);
 /* initialize our pkcs5 parameter */
- param = nsspkcs5_NewParam(signValue.alg, HASH_AlgSHA1, &signValue.salt, 1);
+ param = nsspkcs5_NewParam(signValue.alg, HASH_AlgSHA1, &signValue.salt,
+ iterationCount);
 if (param == NULL) {
 rv = SECFailure;
 goto loser;
@@ -491,7 +531,7 @@ loser:
 * and sftkdb_DecryptAttribute calls.
 */
 static void
-sftkdb_switchKeys(SFTKDBHandle *keydb, SECItem *passKey)
+sftkdb_switchKeys(SFTKDBHandle *keydb, SECItem *passKey, int iterationCount)
 {
 unsigned char *data;
 int len;
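Review bot: The `@@ -235` hunk adds a commented-out `fprintf(stderr, ...)` to `sftkdb_DecryptAttribute`; dead debug code should not land, and if it were ever uncommented it would print the master-password KDF iteration count to stderr on every attribute decrypt, which a library should not emit. Drop the line, and if a trace is genuinely wanted use whatever debug logging facility softoken already has (not visible here). Nothing else in that hunk changes behaviour.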
@@ -507,6 +547,7 @@ sftkdb_switchKeys(SFTKDBHandle *keydb, SECItem *passKey)
 len = keydb->passwordKey.len;
 keydb->passwordKey.data = passKey->data;
 keydb->passwordKey.len = passKey->len;
+ keydb->defaultIterationCount = iterationCount;
 passKey->data = data;
 passKey->len = len;
 SKIP_AFTER_FORK(PZ_Unlock(keydb->passwordLock));
@@ -660,6 +701,90 @@ sftkdb_HasPasswordSet(SFTKDBHandle *keydb)
 return (crv == CKR_OK) ? SECSuccess : SECFailure;
 }
+/* pull out the common final part of checking a password */
+SECStatus
+sftkdb_finishPasswordCheck(SFTKDBHandle *keydb, SECItem *key,
+ const char *pw, SECItem *value,
+ PRBool *tokenRemoved);
+
+/*
+ * check to see if we have the NULL password set.
+ * We special case the NULL password so that if you have no password set, you
+ * don't do thousands of hash rounds. This allows us to startup and get
+ * webpages without slowdown in normal mode.
+ */
+SECStatus
+sftkdb_CheckPasswordNull(SFTKDBHandle *keydb, PRBool *tokenRemoved)
+{
+ /* just like sftkdb_CheckPassowd, we get the salt and value, and
+ * create a dbkey */
+ SECStatus rv;
+ SECItem salt, value;
+ unsigned char saltData[SDB_MAX_META_DATA_LEN];
+ unsigned char valueData[SDB_MAX_META_DATA_LEN];
+ SECItem key;
+ SDB *db;
+ CK_RV crv;
+ sftkCipherValue cipherValue;
+
+ cipherValue.param = NULL;
+ cipherValue.arena = NULL;
+
+ if (keydb == NULL) {
+ return SECFailure;
+ }
+
+ db = sftk_getPWSDB(keydb);
+ if (db == NULL) {
+ return SECFailure;
+ }
+
+ key.data = NULL;
+ key.len = 0;
+
+ /* get the entry from the database */
+ salt.data = saltData;
+ salt.len = sizeof(saltData);
+ value.data = valueData;
+ value.len = sizeof(valueData);
+ crv = (*db->sdb_GetMetaData)(db, "password", &salt, &value);
+ if (crv != CKR_OK) {
+ rv = SECFailure;
+ goto done;
+ }
+
+ /* get our intermediate key based on the entry salt value */
+ rv = sftkdb_passwordToKey(keydb, &salt, "", &key);
+ if (rv != SECSuccess) {
+ goto done;
+ }
+
+ /* First get the cipher type */
+ rv = sftkdb_decodeCipherText(&value, &cipherValue);
+ if (rv != SECSuccess) {
+ goto done;
+ }
+
+ if (cipherValue.param->iter != 1) {
+ rv = SECFailure;
+ goto done;
+ }
+
+ rv = sftkdb_finishPasswordCheck(keydb, &key, "", &value, tokenRemoved);
+
+done:
+ if (key.data) {
+ PORT_ZFree(key.data, key.len);
+ }
+ if (cipherValue.param) {
+ nsspkcs5_DestroyPBEParameter(cipherValue.param);
+ }
+ if (cipherValue.arena) {
+ PORT_FreeArena(cipherValue.arena, PR_FALSE);
+ }
+ return rv;
+}
+
 #define SFTK_PW_CHECK_STRING "password-check"
 #define SFTK_PW_CHECK_LEN 14
@@ -674,7 +799,6 @@ sftkdb_CheckPassword(SFTKDBHandle *keydb, const char *pw, PRBool *tokenRemoved)
 unsigned char saltData[SDB_MAX_META_DATA_LEN];
 unsigned char valueData[SDB_MAX_META_DATA_LEN];
 SECItem key;
- SECItem *result = NULL;
 SDB *db;
 CK_RV crv;
@@ -710,8 +834,33 @@ sftkdb_CheckPassword(SFTKDBHandle *keydb, const char *pw, PRBool *tokenRemoved)
 goto done;
 }
+ rv = sftkdb_finishPasswordCheck(keydb, &key, pw, &value, tokenRemoved);
+
+done:
+ if (key.data) {
+ PORT_ZFree(key.data, key.len);
+ }
+ return rv;
+}
+
+/* we need to pass iterationCount in case we are updating a new database
+ * and from an old one. */
+SECStatus
+sftkdb_finishPasswordCheck(SFTKDBHandle *keydb, SECItem *key, const char *pw,
+ SECItem *value, PRBool *tokenRemoved)
+{
+ SECItem *result = NULL;
+ SECStatus rv;
+ int iterationCount = getPBEIterationCount();
+
+ if (*pw == 0) {
+ iterationCount = 1;
+ } else if (keydb->usesLegacyStorage && !sftk_isLegacyIterationCountAllowed()) {
+ iterationCount = 1;
+ }
+
 /* decrypt the entry value */
- rv = sftkdb_DecryptAttribute(&key, &value, &result);
+ rv = sftkdb_DecryptAttribute(key, value, &result);
 if (rv != SECSuccess) {
 goto done;
 }
@@ -752,7 +901,7 @@ sftkdb_CheckPassword(SFTKDBHandle *keydb, const char *pw, PRBool *tokenRemoved)
 * as well as changing which database is returned from
 * SFTK_GET_PW_DB (thus effecting both sftkdb_CheckPassword()
 * and sftkdb_HasPasswordSet()) */
- keydb->updatePasswordKey = SECITEM_DupItem(&key);
+ keydb->updatePasswordKey = SECITEM_DupItem(key);
 PZ_Unlock(keydb->passwordLock);
 if (keydb->updatePasswordKey == NULL) {
 /* PORT_Error set by SECITEM_DupItem */
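Review bot: `sftkdb_finishPasswordCheck` is given external linkage and a file-scope forward declaration in the `@@ -660` hunk, but no header declares it (the sftkdb.h hunk in this patch adds only `sftkdb_CheckPasswordNull` and `sftk_isLegacyIterationCountAllowed`), so it should be `static SECStatus` in both the declaration and the definition. The comment inside `sftkdb_CheckPasswordNull` also misspells its sibling (`sftkdb_CheckPassowd`). In `sftkdb_finishPasswordCheck`, `if (*pw == 0)` dereferences `pw` unconditionally, and whether `sftkdb_CheckPassword`, its only other caller, rejects a NULL `pw` before this point is outside the hunk, so either guard with `pw == NULL || *pw == 0` or state the precondition in the comment. That comment (`we need to pass iterationCount in case we are updating...`) does not match a function that takes no such parameter; suggest `/* Common tail of sftkdb_CheckPassword/_CheckPasswordNull: decrypts the check entry with key and, on success, installs key together with the iteration count that future writes will use. */`.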
@@ -787,7 +936,7 @@ sftkdb_CheckPassword(SFTKDBHandle *keydb, const char *pw, PRBool *tokenRemoved) * are good to go */ goto done; } - sftkdb_CheckPassword(keydb, "", tokenRemoved); + sftkdb_CheckPasswordNull(keydb, tokenRemoved); /* * Important 'NULL' code here. At this point either we @@ -821,15 +970,15 @@ sftkdb_CheckPassword(SFTKDBHandle *keydb, const char *pw, PRBool *tokenRemoved) PZ_Unlock(keydb->passwordLock); } /* load the keys, so the keydb can parse it's key set */ - sftkdb_switchKeys(keydb, &key); + sftkdb_switchKeys(keydb, key, iterationCount); /* we need to update, do it now */ if (((keydb->db->sdb_flags & SDB_RDONLY) == 0) && keydb->update) { /* update the peer certdb if it exists */ if (keydb->peerDB) { - sftkdb_Update(keydb->peerDB, &key); + sftkdb_Update(keydb->peerDB, key); } - sftkdb_Update(keydb, &key); + sftkdb_Update(keydb, key); } } else { rv = SECFailure; @@ -837,9 +986,6 @@ sftkdb_CheckPassword(SFTKDBHandle *keydb, const char *pw, PRBool *tokenRemoved) } done: - if (key.data) { - PORT_ZFree(key.data, key.len); - } if (result) { SECITEM_FreeItem(result, PR_TRUE); } @@ -857,7 +1003,7 @@ sftkdb_PWCached(SFTKDBHandle *keydb) static CK_RV sftk_updateMacs(PLArenaPool *arena, SFTKDBHandle *handle, - CK_OBJECT_HANDLE id, SECItem *newKey) + CK_OBJECT_HANDLE id, SECItem *newKey, int iterationCount) { SFTKDBHandle *keyHandle = handle; SDB *keyTarget = NULL; @@ -924,7 +1070,8 @@ sftk_updateMacs(PLArenaPool *arena, SFTKDBHandle *handle, SECItem plainText; plainText.data = authAttr.pValue; plainText.len = authAttr.ulValueLen; - if (sftkdb_SignAttribute(arena, newKey, id, authAttr.type, &plainText, + if (sftkdb_SignAttribute(arena, newKey, iterationCount, id, + authAttr.type, &plainText, &signText) != SECSuccess) { return CKR_GENERAL_ERROR; } 
@@ -939,7 +1086,7 @@ sftk_updateMacs(PLArenaPool *arena, SFTKDBHandle *handle,
 static CK_RV
 sftk_updateEncrypted(PLArenaPool *arena, SFTKDBHandle *keydb,
- CK_OBJECT_HANDLE id, SECItem *newKey)
+ CK_OBJECT_HANDLE id, SECItem *newKey, int iterationCount)
 {
 CK_ATTRIBUTE_TYPE privAttrTypes[] = {
 CKA_VALUE,
@@ -980,7 +1127,8 @@ sftk_updateEncrypted(PLArenaPool *arena, SFTKDBHandle *keydb,
 SECItem *result;
 plainText.data = privAttr.pValue;
 plainText.len = privAttr.ulValueLen;
- if (sftkdb_EncryptAttribute(arena, newKey, &plainText, &result) != SECSuccess) {
+ if (sftkdb_EncryptAttribute(arena, newKey, iterationCount,
+ &plainText, &result) != SECSuccess) {
 return CKR_GENERAL_ERROR;
 }
 privAttr.pValue = result->data;
@@ -991,6 +1139,7 @@ sftk_updateEncrypted(PLArenaPool *arena, SFTKDBHandle *keydb,
 // Write the newly encrypted attributes out directly.
 CK_OBJECT_HANDLE newId = id & SFTK_OBJ_ID_MASK;
 keydb->newKey = newKey;
+ keydb->newDefaultIterationCount = iterationCount;
 crv = (*keydb->db->sdb_SetAttributeValue)(keydb->db, newId, &privAttr, 1);
 keydb->newKey = NULL;
 if (crv != CKR_OK) {
@@ -1002,8 +1151,8 @@ sftk_updateEncrypted(PLArenaPool *arena, SFTKDBHandle *keydb,
 }
 static CK_RV
-sftk_convertAttributes(SFTKDBHandle *handle,
- CK_OBJECT_HANDLE id, SECItem *newKey)
+sftk_convertAttributes(SFTKDBHandle *handle, CK_OBJECT_HANDLE id,
+ SECItem *newKey, int iterationCount)
 {
 CK_RV crv = CKR_OK;
 PLArenaPool *arena = NULL;
@@ -1017,13 +1166,14 @@ sftk_convertAttributes(SFTKDBHandle *handle,
 /*
 * first handle the MACS
 */
- crv = sftk_updateMacs(arena, handle, id, newKey);
+ crv = sftk_updateMacs(arena, handle, id, newKey, iterationCount);
 if (crv != CKR_OK) {
 goto loser;
 }
 if (handle->type == SFTK_KEYDB_TYPE) {
- crv = sftk_updateEncrypted(arena, handle, id, newKey);
+ crv = sftk_updateEncrypted(arena, handle, id, newKey,
+ iterationCount);
 if (crv != CKR_OK) {
 goto loser;
 }
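Review bot: `keydb->newDefaultIterationCount = iterationCount;` is written next to `keydb->newKey = newKey;` ahead of the `sdb_SetAttributeValue` call, but only `newKey` is cleared afterwards, so the iteration count remains on the shared handle once the conversion returns. If the field is only meaningful while `newKey` is non-NULL, reset it at the same point — `keydb->newKey = NULL;` followed by `keydb->newDefaultIterationCount = 0;` (or whatever the field's "unset" value is) — otherwise document on the field that it is a sticky default, because stale state on `keydb` is exactly how a later re-key silently picks up the wrong count. As with `newKey`, nothing in the hunk serializes these writes against other users of the handle; that predates the change but the second field widens the window. `sftk_updateEncrypted` starts and ends outside the hunk.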
@@ -1045,7 +1195,7 @@ loser:
 */
 CK_RV
 sftkdb_convertObjects(SFTKDBHandle *handle, CK_ATTRIBUTE *template,
- CK_ULONG count, SECItem *newKey)
+ CK_ULONG count, SECItem *newKey, int iterationCount)
 {
 SDBFind *find = NULL;
 CK_ULONG idCount = SFTK_MAX_IDS;
@@ -1061,7 +1211,8 @@ sftkdb_convertObjects(SFTKDBHandle *handle, CK_ATTRIBUTE *template,
 while ((crv == CKR_OK) && (idCount == SFTK_MAX_IDS)) {
 crv = sftkdb_FindObjects(handle, find, ids, SFTK_MAX_IDS, &idCount);
 for (i = 0; (crv == CKR_OK) && (i < idCount); i++) {
- crv = sftk_convertAttributes(handle, ids[i], newKey);
+ crv = sftk_convertAttributes(handle, ids[i], newKey,
+ iterationCount);
 }
 }
 crv2 = sftkdb_FindObjectsFinal(handle, find);
@@ -1086,6 +1237,7 @@ sftkdb_ChangePassword(SFTKDBHandle *keydb,
 SFTKDBHandle *certdb;
 unsigned char saltData[SDB_MAX_META_DATA_LEN];
 unsigned char valueData[SDB_MAX_META_DATA_LEN];
+ int iterationCount = getPBEIterationCount();
 CK_RV crv;
 SDB *db;
@@ -1121,6 +1273,12 @@ sftkdb_ChangePassword(SFTKDBHandle *keydb,
 RNG_GenerateGlobalRandomBytes(salt.data, salt.len);
 }
+ if (newPin && *newPin == 0) {
+ iterationCount = 1;
+ } else if (keydb->usesLegacyStorage && !sftk_isLegacyIterationCountAllowed()) {
+ iterationCount = 1;
+ }
+
 rv = sftkdb_passwordToKey(keydb, &salt, newPin, &newKey);
 if (rv != SECSuccess) {
 goto loser;
@@ -1129,7 +1287,7 @@ sftkdb_ChangePassword(SFTKDBHandle *keydb,
 /*
 * convert encrypted entries here.
 */
- crv = sftkdb_convertObjects(keydb, NULL, 0, &newKey);
+ crv = sftkdb_convertObjects(keydb, NULL, 0, &newKey, iterationCount);
 if (crv != CKR_OK) {
 rv = SECFailure;
 goto loser;
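Review bot: The iteration-count selection added to `sftkdb_ChangePassword` (`if (newPin && *newPin == 0) { ... } else if (keydb->usesLegacyStorage && !sftk_isLegacyIterationCountAllowed())`) is a second copy of the block in `sftkdb_finishPasswordCheck`, differing only in that this one tolerates a NULL `newPin`; define the policy once in a helper so the two cannot diverge further. Note what the NULL case does here: a NULL `newPin` fails the first test and, on non-legacy storage, keeps the full `getPBEIterationCount()` value, while an empty string gets 1 — if `sftkdb_passwordToKey` treats NULL and "" alike that asymmetry deserves a comment, e.g. `/* NULL newPin keeps the default count; only an explicitly empty PIN drops to one iteration */`. Nothing in the hunk says why legacy storage is pinned to a single iteration; a short `/* legacy DBM stores stay at one iteration unless explicitly allowed */` at the branch would keep it from being read as a regression. `sftkdb_ChangePassword` starts and ends outside the hunk.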
@@ -1141,13 +1299,15 @@ sftkdb_ChangePassword(SFTKDBHandle *keydb,
 CK_OBJECT_CLASS myClass = CKO_NETSCAPE_TRUST;
 objectType.pValue = &myClass;
- crv = sftkdb_convertObjects(certdb, &objectType, 1, &newKey);
+ crv = sftkdb_convertObjects(certdb, &objectType, 1, &newKey,
+ iterationCount);
 if (crv != CKR_OK) {
 rv = SECFailure;
 goto loser;
 }
 myClass = CKO_PUBLIC_KEY;
- crv = sftkdb_convertObjects(certdb, &objectType, 1, &newKey);
+ crv = sftkdb_convertObjects(certdb, &objectType, 1, &newKey,
+ iterationCount);
 if (crv != CKR_OK) {
 rv = SECFailure;
 goto loser;
@@ -1157,7 +1317,8 @@ sftkdb_ChangePassword(SFTKDBHandle *keydb,
 plainText.data = (unsigned char *)SFTK_PW_CHECK_STRING;
 plainText.len = SFTK_PW_CHECK_LEN;
- rv = sftkdb_EncryptAttribute(NULL, &newKey, &plainText, &result);
+ rv = sftkdb_EncryptAttribute(NULL, &newKey, iterationCount,
+ &plainText, &result);
 if (rv != SECSuccess) {
 goto loser;
 }
@@ -1176,7 +1337,7 @@ sftkdb_ChangePassword(SFTKDBHandle *keydb,
 keydb->newKey = NULL;
- sftkdb_switchKeys(keydb, &newKey);
+ sftkdb_switchKeys(keydb, &newKey, iterationCount);
 loser:
 if (newKey.data) {
@@ -1201,7 +1362,7 @@ sftkdb_ClearPassword(SFTKDBHandle *keydb)
 SECItem oldKey;
 oldKey.data = NULL;
 oldKey.len = 0;
- sftkdb_switchKeys(keydb, &oldKey);
+ sftkdb_switchKeys(keydb, &oldKey, 1);
 if (oldKey.data) {
 PORT_ZFree(oldKey.data, oldKey.len);
 }
diff --git a/security/nss/lib/ssl/config.mk b/security/nss/lib/ssl/config.mk
index b901a8830d27..d13613f78cee 100644
--- a/security/nss/lib/ssl/config.mk
+++ b/security/nss/lib/ssl/config.mk
@@ -60,7 +60,3 @@ endif
 ifdef NSS_DISABLE_TLS_1_3
 DEFINES += -DNSS_DISABLE_TLS_1_3
 endif
-
-ifeq (,$(filter-out DragonFly FreeBSD Linux NetBSD OpenBSD, $(OS_TARGET)))
-CFLAGS += -std=gnu99
-endif
diff --git a/security/nss/lib/ssl/ssl.gyp b/security/nss/lib/ssl/ssl.gyp
index ae8f8d94f5d3..3e1b5531a6e3 100644
--- a/security/nss/lib/ssl/ssl.gyp
+++ b/security/nss/lib/ssl/ssl.gyp
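Review bot: `sftkdb_switchKeys(keydb, &oldKey, 1);` in `sftkdb_ClearPassword` passes a bare `1` where every other caller in this patch passes a computed `iterationCount`, and nothing at the site says why that is the right value for a cleared password. A comment such as `/* no password: a single PBE iteration, matching the empty-password case in sftkdb_finishPasswordCheck */`, or a named constant shared by the three places that pin the count to 1, would make the intent explicit and searchable. `sftkdb_ClearPassword` starts outside the hunk.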
@@ -70,11 +70,6 @@
 'UNSAFE_FUZZER_MODE',
 ],
 }],
- [ 'OS=="dragonfly" or OS=="freebsd" or OS=="netbsd" or OS=="openbsd" or OS=="linux"', {
- 'cflags': [
- '-std=gnu99',
- ],
- }],
 [ 'enable_sslkeylogfile==1', {
 'defines': [
 'NSS_ALLOW_SSLKEYLOGFILE',
diff --git a/security/nss/lib/ssl/ssl.h b/security/nss/lib/ssl/ssl.h
index b914aa07f3e9..dc5a9d4cd5eb 100644
--- a/security/nss/lib/ssl/ssl.h
+++ b/security/nss/lib/ssl/ssl.h
@@ -190,7 +190,7 @@ SSL_IMPORT PRFileDesc *DTLS_ImportFD(PRFileDesc *model, PRFileDesc *fd);
 /* Use draft-ietf-tls-session-hash. Controls whether we offer the
 * extended_master_secret extension which, when accepted, hashes
 * the handshake transcript into the master secret. This option is
- disabled by default.
+ enabled by default. */
 #define SSL_ENABLE_EXTENDED_MASTER_SECRET 30
diff --git a/security/nss/lib/ssl/sslexp.h b/security/nss/lib/ssl/sslexp.h
index 94b3dab68603..b734d86ca386 100644
--- a/security/nss/lib/ssl/sslexp.h
+++ b/security/nss/lib/ssl/sslexp.h
@@ -536,7 +536,7 @@ typedef SECStatus(PR_CALLBACK *SSLResumptionTokenCallback)(
 * group -- the named group this key corresponds to
 * pubKey -- the public key for the key pair
 * pad -- the length to pad to
- * notBefore/notAfter -- validity range
+ * notBefore/notAfter -- validity range in seconds since epoch
 * out/outlen/maxlen -- where to output the data */
 #define SSL_EncodeESNIKeys(cipherSuites, cipherSuiteCount, \
@@ -791,12 +791,12 @@ typedef PRTime(PR_CALLBACK *SSLTimeFunc)(void *arg); * handshake (Client Hello). * * The *Get function puts the current set of active (enabled and policy set as - * PR_TRUE) cipher suites in the cipherOrder outparam. Cipher suites that + * PR_TRUE) cipher suites in the cipherOrder outparam. Cipher suites that * aren't active aren't included. The paramenters are: * - PRFileDesc *fd = FileDescriptor to get information. * - PRUint16 *cipherOrder = The memory allocated for cipherOrder needs to be * SSL_GetNumImplementedCiphers() * sizeof(PRUint16) or more. - * - PRUint16 numCiphers = The number of active ciphersuites listed in + * - PRUint16 numCiphers = The number of active ciphersuites listed in * *cipherOrder is written here. * * The *Set function permits reorder the CipherSuites list for the Handshake
@@ -812,7 +812,7 @@ typedef PRTime(PR_CALLBACK *SSLTimeFunc)(void *arg); * - const PRUint16 *cipherOrder = Must receive all ciphers to be ordered, in * the desired order. They will be set in the begin of the list. Only * suites listed by SSL_ImplementedCiphers() can be included. - * - PRUint16 numCiphers = Must receive the number of items in *cipherOrder. + * - PRUint16 numCiphers = Must receive the number of items in *cipherOrder. * */ #define SSL_CipherSuiteOrderGet(fd, cipherOrder, numCiphers) \ SSL_EXPERIMENTAL_API("SSL_CipherSuiteOrderGet", \
diff --git a/security/nss/lib/ssl/sslsock.c b/security/nss/lib/ssl/sslsock.c
index 027bb91575e0..aa0e76e3ce8f 100644
--- a/security/nss/lib/ssl/sslsock.c
+++ b/security/nss/lib/ssl/sslsock.c
@@ -81,7 +81,7 @@ static sslOptions ssl_defaults = {
 .reuseServerECDHEKey = PR_TRUE,
 .enableFallbackSCSV = PR_FALSE,
 .enableServerDhe = PR_TRUE,
- .enableExtendedMS = PR_FALSE,
+ .enableExtendedMS = PR_TRUE,
 .enableSignedCertTimestamps = PR_FALSE,
 .requireDHENamedGroups = PR_FALSE,
 .enable0RttData = PR_FALSE,
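Review bot: Flipping `.enableExtendedMS` to `PR_TRUE` changes the default for every socket that never calls `SSL_OptionSet(SSL_ENABLE_EXTENDED_MASTER_SECRET, ...)`, and nothing at the initializer records that it was deliberately changed or why; a trailing comment, `.enableExtendedMS = PR_TRUE, /* RFC 7627 (session-hash); on by default, see SSL_ENABLE_EXTENDED_MASTER_SECRET in ssl.h */`, ties it to the matching comment update in ssl.h and to the spec that motivates it. Peers that do not offer the extension presumably still negotiate without it, so the exposure is interop rather than a security regression, but that follows from the option's description, not from this hunk. The `ssl_defaults` initializer starts and ends outside the hunk.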
diff --git a/security/nss/lib/ssl/tls13esni.c b/security/nss/lib/ssl/tls13esni.c
index caedc0b44a9e..f2f8d0a9c3d6 100644
--- a/security/nss/lib/ssl/tls13esni.c
+++ b/security/nss/lib/ssl/tls13esni.c
@@ -728,7 +728,7 @@ tls13_ServerDecryptEsniXtn(const sslSocket *ss, const PRUint8 *in, unsigned int
 {
 sslReader rdr = SSL_READER(in, inLen);
 PRUint64 suite;
- const ssl3CipherSuiteDef *suiteDef;
+ const ssl3CipherSuiteDef *suiteDef = NULL;
 SSLAEADCipher aead = NULL;
 TLSExtension *keyShareExtension;
 TLS13KeyShareEntry *entry = NULL;
diff --git a/security/nss/tests/gtests/gtests.sh b/security/nss/tests/gtests/gtests.sh
index 2b45e1ccda00..53a7258c47fe 100755
--- a/security/nss/tests/gtests/gtests.sh
+++ b/security/nss/tests/gtests/gtests.sh
@@ -64,8 +64,14 @@ gtest_start()
 pushd "$DIR"
 GTESTREPORT="$DIR/report.xml"
 PARSED_REPORT="$DIR/report.parsed"
+ # The mozilla::pkix gtests cause an ODR violation that we ignore.
+ # See bug 1588567.
+ if [ "$i" = "mozpkix_gtest" ]; then
+ EXTRA_ASAN_OPTIONS="detect_odr_violation=0"
+ fi
 echo "executing $i"
- "${BINDIR}/$i" "${SOURCE_DIR}/gtests/freebl_gtest/kat/Hash_DRBG.rsp" \
+ ASAN_OPTIONS="$ASAN_OPTIONS:$EXTRA_ASAN_OPTIONS" "${BINDIR}/$i" \
+ "${SOURCE_DIR}/gtests/freebl_gtest/kat/Hash_DRBG.rsp" \
 -d "$DIR" -w --gtest_output=xml:"${GTESTREPORT}" \
 --gtest_filter="${GTESTFILTER:-*}"
 html_msg $? 0 "$i run successfully"
@@ -93,7 +99,7 @@ gtest_cleanup()
 }
 ################## main #################################################
-GTESTS="${GTESTS:-prng_gtest certhigh_gtest certdb_gtest der_gtest pk11_gtest util_gtest freebl_gtest softoken_gtest sysinit_gtest blake2b_gtest smime_gtest}"
+GTESTS="${GTESTS:-prng_gtest certhigh_gtest certdb_gtest der_gtest pk11_gtest util_gtest freebl_gtest softoken_gtest sysinit_gtest blake2b_gtest smime_gtest mozpkix_gtest}"
 gtest_init "$0"
 gtest_start
 gtest_cleanup
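Review bot: Initializing `suiteDef` to NULL in `tls13_ServerDecryptEsniXtn` removes an uninitialized read but does not by itself make the later use safe; if the suite lookup further down can fail, the function must bail out before `suiteDef` is dereferenced, which this hunk does not show. Worth a glance at the lookup site to confirm there is an error return on that path rather than relying on the NULL to surface as a crash; the rest of the function is outside the hunk.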
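Review bot: `EXTRA_ASAN_OPTIONS` is set only when `$i` is `mozpkix_gtest` and never cleared, so if `gtest_start` iterates over `$GTESTS` (its loop header is outside the hunk) every binary that runs after `mozpkix_gtest` also inherits `detect_odr_violation=0`; with the default list that is nothing today, but `GTESTS` is user-overridable and the comment promises the exemption is for one binary. Reset it per iteration, `EXTRA_ASAN_OPTIONS=""` just before the `if`, and build the option string as `ASAN_OPTIONS="${ASAN_OPTIONS:+$ASAN_OPTIONS:}$EXTRA_ASAN_OPTIONS"` so an unset `ASAN_OPTIONS` does not produce a leading `:`. Since this knob switches off a sanitizer check, keeping its scope exactly as narrow as the comment says is the point.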