mozilla
/
gecko-dev
зеркало из https://github.com/mozilla/gecko-dev.git
1
0
Форкнуть 0
Код Задачи Пакеты Проекты Релизы Вики Активность

Backed out changeset 48c77e0f9262 (bug 1815435) for causing xpcshell failures in test_cert_overrides.js CLOSED TREE UPGRADE_NSS_RELEASE

This commit is contained in:
Cristian Tuns 2023-03-06 16:33:38 -05:00
Родитель 1914826dbf
Коммит 260d13ed8e
81 изменённых файлов: 730 добавлений и 2628 удалений
Показать статистику Скачать Patch файл Скачать Diff файл Показать все файлы Свернуть все файлы

2
build/moz.configure/nss.configure
Просмотреть файл

@ -9,7 +9,7 @@ system_lib_option("--with-system-nss", help="Use system NSS")
imply_option("--with-system-nspr", True, when="--with-system-nss")
nss_pkg = pkg_check_modules(
"NSS", "nss >= 3.89", when="--with-system-nss", config=False
"NSS", "nss >= 3.88", when="--with-system-nss", config=False
)
set_config("MOZ_SYSTEM_NSS", True, when="--with-system-nss")

2
security/nss/TAG-INFO
Просмотреть файл

@ -1 +1 @@
NSS_3_89_BETA3
NSS_3_88_1_RTM

2
security/nss/automation/abi-check/previous-nss-release
Просмотреть файл

@ -1 +1 @@
NSS_3_88_BRANCH
NSS_3_87_BRANCH

2
security/nss/automation/taskcluster/docker-builds/Dockerfile
Просмотреть файл

@ -2,7 +2,7 @@
# default image, so it's a fair bit bigger. Only use this for builds where
# the smaller docker image is missing something. These builds will run on
# the leaner configuration.
FROM ubuntu:bionic-20221215
FROM ubuntu:18.04
LABEL maintainer="Martin Thomson <martin.thomson@gmail.com>"
RUN dpkg --add-architecture i386

2
security/nss/automation/taskcluster/docker-clang-format/Dockerfile
Просмотреть файл

@ -1,5 +1,5 @@
# Minimal image with clang-format 10
FROM ubuntu:bionic-20221215
FROM ubuntu:18.04
LABEL maintainer="Martin Thomson <martin.thomson@gmail.com>"
RUN apt-get update \

2
security/nss/automation/taskcluster/docker-decision/Dockerfile
Просмотреть файл

@ -1,5 +1,5 @@
# Minimal image for running the decision task.
FROM ubuntu:bionic-20221215
FROM ubuntu:18.04
LABEL maintainer="Martin Thomson <martin.thomson@gmail.com>"
RUN apt-get update \

2
security/nss/automation/taskcluster/docker-fuzz/Dockerfile
Просмотреть файл

@ -4,7 +4,7 @@
# docker invocation or ASAN won't work.
# On taskcluster for ASAN use `features: ["allowPtrace"]`.
# See https://github.com/google/sanitizers/issues/764#issuecomment-276700920
FROM ubuntu:bionic-20221215
FROM ubuntu:18.04
LABEL maintainer="Martin Thomson <martin.thomson@gmail.com>"
RUN dpkg --add-architecture i386

2
security/nss/automation/taskcluster/docker-interop/Dockerfile
Просмотреть файл

@ -1,6 +1,6 @@
# Dockerfile for running interop tests.
# This includes Rust, golang, and nodejs.
FROM ubuntu:focal-20221130
FROM ubuntu:20.04
LABEL maintainer="Martin Thomson <martin.thomson@gmail.com>"
RUN dpkg --add-architecture i386

2
security/nss/automation/taskcluster/docker/Dockerfile
Просмотреть файл

@ -1,5 +1,5 @@
# Lean image for running the bulk of the NSS CI tests on taskcluster.
FROM ubuntu:bionic-20221215
FROM ubuntu:18.04
LABEL maintainer="Martin Thomson <martin.thomson@gmail.com>"
RUN dpkg --add-architecture i386

4
security/nss/automation/taskcluster/graph/src/extend.js
Просмотреть файл

@ -878,14 +878,14 @@ async function scheduleFuzzing32() {
async function scheduleWindows(name, base, build_script) {
base = merge(base, {
workerType: "b-win2012-azure",
workerType: "win2012r2",
env: {
PATH: "c:\\mozilla-build\\bin;c:\\mozilla-build\\python;" +
"c:\\mozilla-build\\msys\\local\\bin;c:\\mozilla-build\\7zip;" +
"c:\\mozilla-build\\info-zip;c:\\mozilla-build\\python\\Scripts;" +
"c:\\mozilla-build\\yasm;c:\\mozilla-build\\msys\\bin;" +
"c:\\Windows\\system32;c:\\mozilla-build\\upx391w;" +
"c:\\mozilla-build\\moztools-x64\\bin;c:\\mozilla-build\\wget;c:\\Program Files\\Mercurial",
"c:\\mozilla-build\\moztools-x64\\bin;c:\\mozilla-build\\wget",
DOMSUF: "localdomain",
HOST: "localhost",
},

2
security/nss/automation/taskcluster/graph/src/image_builder.js
Просмотреть файл

@ -56,6 +56,6 @@ export async function buildTask({name, path}) {
features: ["dind"],
maxRunTime: 7200,
kind: "build",
symbol: `I(${name})`
symbol: "I"
};
}

1
security/nss/cmd/addbuiltin/addbuiltin.c
Просмотреть файл

@ -74,6 +74,7 @@ getTrustString(unsigned int trust)
return "CKT_NSS_MUST_VERIFY_TRUST";
}
}
return "CKT_NSS_TRUST_UNKNOWN"; /* not reached */
}
static const SEC_ASN1Template serialTemplate[] = {

2
security/nss/cmd/bltest/blapitest.c
Просмотреть файл

@ -2319,9 +2319,9 @@ cipherInit(bltestCipherInfo *cipherInfo, PRBool encrypt)
case bltestRC5_CBC:
SECITEM_AllocItem(cipherInfo->arena, &cipherInfo->output.buf,
cipherInfo->input.pBuf.len);
#endif
return bltest_rc5_init(cipherInfo, encrypt);
break;
#endif
case bltestAES_ECB:
case bltestAES_CBC:
case bltestAES_CTS:

2
security/nss/cmd/crmftest/testcrmf.c
Просмотреть файл

@ -85,7 +85,7 @@
#include "sechash.h"
#endif
#define MAX_KEY_LEN 1024
#define MAX_KEY_LEN 512
#define PATH_LEN 150
#define BUFF_SIZE 150
#define UID_BITS 800

42
security/nss/cmd/signtool/util.c
Просмотреть файл

@ -430,9 +430,51 @@ out_of_memory(void)
void
VerifyCertDir(char *dir, char *keyName)
{
char fn[FNSIZE];
/* don't try verifying if we don't have a local directory */
if (strncmp(dir, "multiaccess:", sizeof("multiaccess:") - 1) == 0) {
return;
}
/* this function is truly evil. Tools and applications should not have
* any knowledge of actual cert databases! */
return;
/* This code is really broken because it makes underlying assumptions about
* how the NSS profile directory is laid out, but these names can change
* from release to release. */
sprintf(fn, "%s/cert8.db", dir);
if (PR_Access(fn, PR_ACCESS_EXISTS)) {
PR_fprintf(errorFD, "%s: No certificate database in \"%s\"\n",
PROGRAM_NAME, dir);
PR_fprintf(errorFD, "%s: Check the -d arguments that you gave\n",
PROGRAM_NAME);
errorCount++;
exit(ERRX);
}
if (verbosity >= 0) {
PR_fprintf(outputFD, "using certificate directory: %s\n", dir);
}
if (keyName == NULL)
return;
/* if the user gave the -k key argument, verify that
a key database already exists */
sprintf(fn, "%s/key3.db", dir);
if (PR_Access(fn, PR_ACCESS_EXISTS)) {
PR_fprintf(errorFD, "%s: No private key database in \"%s\"\n",
PROGRAM_NAME,
dir);
PR_fprintf(errorFD, "%s: Check the -d arguments that you gave\n",
PROGRAM_NAME);
errorCount++;
exit(ERRX);
}
}
/*

1
security/nss/coreconf/coreconf.dep
Просмотреть файл

@ -10,3 +10,4 @@
*/
#error "Do not include this header file."

24
security/nss/coreconf/werror.py
Просмотреть файл

@ -49,29 +49,9 @@ def main():
# clang is unable to handle glib's expansion of strcmp and similar for
# optimized builds, so disable the resulting errors.
# See https://llvm.org/bugs/show_bug.cgi?id=20144
for w in ['array-bounds',
'unevaluated-expression',
'parentheses-equality',
'tautological-type-limit-compare',
'sign-compare',
'comma',
'implicit-fallthrough'
]:
for w in ['array-bounds', 'unevaluated-expression',
'parentheses-equality']:
set_warning(w, 'no-')
for w in ['tautological-constant-in-range-compare',
'bitfield-enum-conversion',
'empty-body',
'format-type-confusion',
'ignored-qualifiers',
'pointer-arith',
'type-limits',
'unreachable-code',
'unreachable-code-return',
'duplicated-cond',
'logical-op',
'implicit-function-declaration'
]:
set_warning(w,'')
print('-Qunused-arguments')
set_warning('shadow')

686
security/nss/doc/rst/legacy/jss/jss_provider_notes/index.rst
Просмотреть файл

@ -180,310 +180,382 @@ JSS Provider Notes
timeframe for fixing them. Meanwhile, the ``org.mozilla.jss.crypto.CryptoStore`` class
can be used for some of this functionality.
.. rubric:: Cipher
:name: Cipher_2
.. rubric:: Supported Algorithms
:name: supported_algorithms
.. rubric:: Notes
:name: notes
-
- AES
- DES
- DESede (*DES3* )
- RC2
- RC4
- RSA
- The following modes and padding schemes are supported:
+------------------------------+------------------------------+------------------------------+
| Algorithm | Mode | Padding |
+------------------------------+------------------------------+------------------------------+
| DES | ECB | NoPadding |
+------------------------------+------------------------------+------------------------------+
| | CBC | NoPadding |
+------------------------------+------------------------------+------------------------------+
| | | PKCS5 Padding |
+------------------------------+------------------------------+------------------------------+
| DESede | ECB | NoPadding |
| *DES3* | | |
+------------------------------+------------------------------+------------------------------+
| | CBC | NoPadding |
+------------------------------+------------------------------+------------------------------+
| | | PKCS5 Padding |
+------------------------------+------------------------------+------------------------------+
| AES | ECB | NoPadding |
+------------------------------+------------------------------+------------------------------+
| | CBC | NoPadding |
+------------------------------+------------------------------+------------------------------+
| | | PKCS5 Padding |
+------------------------------+------------------------------+------------------------------+
| RC4 | *None* | *None* |
+------------------------------+------------------------------+------------------------------+
| RC2 | CBC | NoPadding |
+------------------------------+------------------------------+------------------------------+
| | | PKCS5Padding |
+------------------------------+------------------------------+------------------------------+
- The SecureRandom argument passed to ``initSign()`` and ``initVerify()`` is ignored, because
NSS does not support specifying an external source of randomness.
.. rubric:: DSAPrivateKey
:name: DSAPrivateKey_2
- ``getX()`` is not supported because NSS does not support extracting data from private keys.
.. rubric:: KeyFactory
:name: KeyFactory_2
.. rubric:: Supported Algorithms
:name: supported_algorithms_2
.. rubric:: Notes
:name: notes_2
-
- DSA
- RSA
- The following transformations are supported for ``generatePublic()`` and
``generatePrivate()``:
+----------------------------------------------+----------------------------------------------+
| From | To |
+----------------------------------------------+----------------------------------------------+
| ``RSAPublicKeySpec`` | ``RSAPublicKey`` |
+----------------------------------------------+----------------------------------------------+
| ``DSAPublicKeySpec`` | ``DSAPublicKey`` |
+----------------------------------------------+----------------------------------------------+
| ``X509EncodedKeySpec`` | ``RSAPublicKey`` |
| | ``DSAPublicKey`` |
+----------------------------------------------+----------------------------------------------+
| ``RSAPrivateCrtKeySpec`` | ``RSAPrivateKey`` |
+----------------------------------------------+----------------------------------------------+
| ``DSAPrivateKeySpec`` | ``DSAPrivateKey`` |
+----------------------------------------------+----------------------------------------------+
| ``PKCS8EncodedKeySpec`` | ``RSAPrivateKey`` |
| | ``DSAPrivateKey`` |
+----------------------------------------------+----------------------------------------------+
- ``getKeySpec()`` is not supported. This method exports key material in plaintext and is
therefore insecure. Note that a public key's data can be accessed directly from the key.
- ``translateKey()`` simply gets the encoded form of the given key and then tries to import
it by calling ``generatePublic()`` or ``generatePrivate()``. Only ``X509EncodedKeySpec`` is
supported for public keys, and only ``PKCS8EncodedKeySpec`` is supported for private keys.
.. rubric:: KeyGenerator
:name: KeyGenerator_2
.. rubric:: Supported Algorithms
:name: supported_algorithms_3
.. rubric:: Notes
:name: notes_3
-
- AES
- DES
- DESede (*DES3* )
- RC4
- The SecureRandom argument passed to ``init()`` is ignored, because NSS does not support
specifying an external source of randomness.
- None of the key generation algorithms accepts an ``AlgorithmParameterSpec``.
.. rubric:: KeyPairGenerator
:name: KeyPairGenerator_2
.. rubric:: Supported Algorithms
:name: supported_algorithms_4
.. rubric:: Notes
:name: notes_4
-
- DSA
- RSA
- The SecureRandom argument passed to initialize() is ignored, because NSS does not support
specifying an external source of randomness.
.. rubric:: Mac
:name: Mac_2
.. rubric:: Supported Algorithms
:name: supported_algorithms_5
.. rubric:: Notes
:name: notes_5
-
- HmacSHA1 (*Hmac-SHA1* )
- Any secret key type (AES, DES, etc.) can be used as the MAC key, but it must be a JSS key.
That is, it must be an ``instanceof org.mozilla.jss.crypto.SecretKeyFacade``.
- The params passed to ``init()`` are ignored.
.. rubric:: MessageDigest
:name: MessageDigest_2
.. rubric:: Supported Algorithms
:name: supported_algorithms_6
-
- MD5
- MD2
- SHA-1 (*SHA1, SHA* )
.. rubric:: RSAPrivateKey
:name: RSAPrivateKey_2
.. rubric:: Notes
:name: notes_6
-
- ``getModulus()`` is not supported because NSS does not support extracting data from private
keys.
- ``getPrivateExponent()`` is not supported because NSS does not support extracting data from
private keys.
.. rubric:: SecretKeyFactory
:name: SecretKeyFactory_2
.. rubric:: Supported Algorithms
:name: supported_algorithms_7
.. rubric:: Notes
:name: notes_7
-
- AES
- DES
- DESede (*DES3* )
- PBAHmacSHA1
- PBEWithMD5AndDES
- PBEWithSHA1AndDES
- PBEWithSHA1AndDESede (*PBEWithSHA1AndDES3* )
- PBEWithSHA1And128RC4
- RC4
- ``generateSecret`` supports the following transformations:
+----------------------------------------------+----------------------------------------------+
| KeySpec Class | Key Algorithm |
+----------------------------------------------+----------------------------------------------+
| PBEKeySpec | *Using the appropriate PBE algorithm:* |
| org.mozilla.jss.crypto.PBEKeyGenParams | DES |
| | DESede |
| | RC4 |
+----------------------------------------------+----------------------------------------------+
| DESedeKeySpec | DESede |
+----------------------------------------------+----------------------------------------------+
| DESKeySpec | DES |
+----------------------------------------------+----------------------------------------------+
| SecretKeySpec | AES |
| | DES |
| | DESede |
| | RC4 |
+----------------------------------------------+----------------------------------------------+
- ``getKeySpec`` supports the following transformations:
+----------------------------------------------+----------------------------------------------+
| Key Algorithm | KeySpec Class |
+----------------------------------------------+----------------------------------------------+
| DESede | DESedeKeySpec |
+----------------------------------------------+----------------------------------------------+
| DES | DESKeySpec |
+----------------------------------------------+----------------------------------------------+
| DESede | SecretKeySpec |
| DES | |
| AES | |
| RC4 | |
+----------------------------------------------+----------------------------------------------+
- For increased security, some SecretKeys may not be extractable from their PKCS #11 token.
In this case, the key should be wrapped (encrypted with another key), and then the
encrypted key might be extractable from the token. This policy varies across PKCS #11
tokens.
- ``translateKey`` tries two approaches to copying keys. First, it tries to copy the key
material directly using NSS calls to PKCS #11. If that fails, it calls ``getEncoded()`` on
the source key, and then tries to create a new key on the target token from the encoded
bits. Both of these operations will fail if the source key is not extractable.
- The class ``java.security.spec.PBEKeySpec`` in JDK versions earlier than 1.4 does not
contain the salt and iteration fields, which are necessary for PBE key generation. These
fields were added in JDK 1.4. If you are using a JDK (or JRE) version earlier than 1.4, you
cannot use class ``java.security.spec.PBEKeySpec``. Instead, you can use
``org.mozilla.jss.crypto.PBEKeyGenParams``. If you are using JDK (or JRE) 1.4 or later, you
can use ``java.security.spec.PBEKeySpec`` or ``org.mozilla.jss.crypto.PBEKeyGenParams``.
.. rubric:: SecretKey
:name: SecretKey_2
.. rubric:: Supported Algorithms
:name: supported_algorithms_8
.. rubric:: Notes
:name: notes_8
-
- AES
- DES
- DESede (*DES3* )
- HmacSHA1
- RC2
- RC4
- ``SecretKey`` is implemented by the class ``org.mozilla.jss.crypto.SecretKeyFacade``, which
acts as a wrapper around the JSS class ``SymmetricKey``. Any ``SecretKeys`` handled by JSS
will actually be ``SecretKeyFacades``. This should usually be transparent.
.. rubric:: SecureRandom
:name: SecureRandom_2
.. rubric:: Supported Algorithms
:name: supported_algorithms_9
.. rubric:: Notes
:name: notes_9
-
- pkcs11prng
- This invokes the NSS internal pseudorandom number generator.
.. rubric:: Signature
:name: Signature_2
.. rubric:: Supported Algorithms
:name: supported_algorithms_10
.. rubric:: Notes
:name: notes_10
-
- SHA1withDSA (*DSA, DSS, SHA/DSA, SHA-1/DSA, SHA1/DSA, DSAWithSHA1, SHAwithDSA* )
- SHA-1/RSA (*SHA1/RSA, SHA1withRSA* )
- MD5/RSA (*MD5withRSA* )
- MD2/RSA
- The ``SecureRandom`` argument passed to ``initSign()`` and ``initVerify()`` is ignored,
because NSS does not support specifying an external source of randomness.
+---------------------------------------------------------------------------------------------------+
| .. rubric:: Cipher |
| :name: Cipher_2 |
| |
| .. rubric:: Supported Algorithms |
| :name: supported_algorithms |
| |
| .. rubric:: Notes |
| :name: notes |
| |
| - |
| |
| - AES |
| - DES |
| - DESede (*DES3* ) |
| - RC2 |
| - RC4 |
| - RSA |
| |
| - The following modes and padding schemes are supported: |
| |
| |
| +------------------------------+------------------------------+------------------------------+ |
| |
| | Algorithm | Mode | Padding | |
| |
| +------------------------------+------------------------------+------------------------------+ |
| |
| | DES | ECB | NoPadding | |
| |
| +------------------------------+------------------------------+------------------------------+ |
| |
| | | CBC | NoPadding | |
| |
| +------------------------------+------------------------------+------------------------------+ |
| |
| | | | PKCS5 Padding | |
| |
| +------------------------------+------------------------------+------------------------------+ |
| |
| | DESede | ECB | NoPadding | |
| |
| | *DES3* | | | |
| |
| +------------------------------+------------------------------+------------------------------+ |
| |
| | | CBC | NoPadding | |
| |
| +------------------------------+------------------------------+------------------------------+ |
| |
| | | | PKCS5 Padding | |
| |
| +------------------------------+------------------------------+------------------------------+ |
| |
| | AES | ECB | NoPadding | |
| |
| +------------------------------+------------------------------+------------------------------+ |
| |
| | | CBC | NoPadding | |
| |
| +------------------------------+------------------------------+------------------------------+ |
| |
| | | | PKCS5 Padding | |
| |
| +------------------------------+------------------------------+------------------------------+ |
| |
| | RC4 | *None* | *None* | |
| |
| +------------------------------+------------------------------+------------------------------+ |
| |
| | RC2 | CBC | NoPadding | |
| |
| +------------------------------+------------------------------+------------------------------+ |
| |
| | | | PKCS5Padding | |
| |
| +------------------------------+------------------------------+------------------------------+ |
| |
| - The SecureRandom argument passed to ``initSign()`` and ``initVerify()`` is ignored, because |
| NSS does not support specifying an external source of randomness. |
+---------------------------------------------------------------------------------------------------+
| .. rubric:: DSAPrivateKey |
| :name: DSAPrivateKey_2 |
| |
| - ``getX()`` is not supported because NSS does not support extracting data from private keys. |
+---------------------------------------------------------------------------------------------------+
| .. rubric:: KeyFactory |
| :name: KeyFactory_2 |
| |
| .. rubric:: Supported Algorithms |
| :name: supported_algorithms_2 |
| |
| .. rubric:: Notes |
| :name: notes_2 |
| |
| - |
| |
| - DSA |
| - RSA |
| |
| - The following transformations are supported for ``generatePublic()`` and |
| ``generatePrivate()``: |
| |
| |
| +----------------------------------------------+----------------------------------------------+ |
| |
| | From | To | |
| |
| +----------------------------------------------+----------------------------------------------+ |
| |
| | ``RSAPublicKeySpec`` | ``RSAPublicKey`` | |
| |
| +----------------------------------------------+----------------------------------------------+ |
| |
| | ``DSAPublicKeySpec`` | ``DSAPublicKey`` | |
| |
| +----------------------------------------------+----------------------------------------------+ |
| |
| | ``X509EncodedKeySpec`` | ``RSAPublicKey`` | |
| |
| | | ``DSAPublicKey`` | |
| |
| +----------------------------------------------+----------------------------------------------+ |
| |
| | ``RSAPrivateCrtKeySpec`` | ``RSAPrivateKey`` | |
| |
| +----------------------------------------------+----------------------------------------------+ |
| |
| | ``DSAPrivateKeySpec`` | ``DSAPrivateKey`` | |
| |
| +----------------------------------------------+----------------------------------------------+ |
| |
| | ``PKCS8EncodedKeySpec`` | ``RSAPrivateKey`` | |
| |
| | | ``DSAPrivateKey`` | |
| |
| +----------------------------------------------+----------------------------------------------+ |
| |
| - ``getKeySpec()`` is not supported. This method exports key material in plaintext and is |
| therefore insecure. Note that a public key's data can be accessed directly from the key. |
| - ``translateKey()`` simply gets the encoded form of the given key and then tries to import |
| it by calling ``generatePublic()`` or ``generatePrivate()``. Only ``X509EncodedKeySpec`` is |
| supported for public keys, and only ``PKCS8EncodedKeySpec`` is supported for private keys. |
+---------------------------------------------------------------------------------------------------+
| .. rubric:: KeyGenerator |
| :name: KeyGenerator_2 |
| |
| .. rubric:: Supported Algorithms |
| :name: supported_algorithms_3 |
| |
| .. rubric:: Notes |
| :name: notes_3 |
| |
| - |
| |
| - AES |
| - DES |
| - DESede (*DES3* ) |
| - RC4 |
| |
| - The SecureRandom argument passed to ``init()`` is ignored, because NSS does not support |
| specifying an external source of randomness. |
| - None of the key generation algorithms accepts an ``AlgorithmParameterSpec``. |
+---------------------------------------------------------------------------------------------------+
| .. rubric:: KeyPairGenerator |
| :name: KeyPairGenerator_2 |
| |
| .. rubric:: Supported Algorithms |
| :name: supported_algorithms_4 |
| |
| .. rubric:: Notes |
| :name: notes_4 |
| |
| - |
| |
| - DSA |
| - RSA |
| |
| - The SecureRandom argument passed to initialize() is ignored, because NSS does not support |
| specifying an external source of randomness. |
+---------------------------------------------------------------------------------------------------+
| .. rubric:: Mac |
| :name: Mac_2 |
| |
| .. rubric:: Supported Algorithms |
| :name: supported_algorithms_5 |
| |
| .. rubric:: Notes |
| :name: notes_5 |
| |
| - |
| |
| - HmacSHA1 (*Hmac-SHA1* ) |
| |
| - Any secret key type (AES, DES, etc.) can be used as the MAC key, but it must be a JSS key. |
| That is, it must be an ``instanceof org.mozilla.jss.crypto.SecretKeyFacade``. |
| - The params passed to ``init()`` are ignored. |
+---------------------------------------------------------------------------------------------------+
| .. rubric:: MessageDigest |
| :name: MessageDigest_2 |
| |
| .. rubric:: Supported Algorithms |
| :name: supported_algorithms_6 |
| |
| - |
| |
| - MD5 |
| - MD2 |
| - SHA-1 (*SHA1, SHA* ) |
+---------------------------------------------------------------------------------------------------+
| .. rubric:: RSAPrivateKey |
| :name: RSAPrivateKey_2 |
| |
| .. rubric:: Notes |
| :name: notes_6 |
| |
| - |
| |
| - ``getModulus()`` is not supported because NSS does not support extracting data from private |
| keys. |
| - ``getPrivateExponent()`` is not supported because NSS does not support extracting data from |
| private keys. |
+---------------------------------------------------------------------------------------------------+
| .. rubric:: SecretKeyFactory |
| :name: SecretKeyFactory_2 |
| |
| .. rubric:: Supported Algorithms |
| :name: supported_algorithms_7 |
| |
| .. rubric:: Notes |
| :name: notes_7 |
| |
| - |
| |
| - AES |
| - DES |
| - DESede (*DES3* ) |
| - PBAHmacSHA1 |
| - PBEWithMD5AndDES |
| - PBEWithSHA1AndDES |
| - PBEWithSHA1AndDESede (*PBEWithSHA1AndDES3* ) |
| - PBEWithSHA1And128RC4 |
| - RC4 |
| |
| - ``generateSecret`` supports the following transformations: |
| |
| |
| +----------------------------------------------+----------------------------------------------+ |
| |
| | KeySpec Class | Key Algorithm | |
| |
| +----------------------------------------------+----------------------------------------------+ |
| |
| | PBEKeySpec | *Using the appropriate PBE algorithm:* | |
| |
| | org.mozilla.jss.crypto.PBEKeyGenParams | DES | |
| |
| | | DESede | |
| |
| | | RC4 | |
| |
| +----------------------------------------------+----------------------------------------------+ |
| |
| | DESedeKeySpec | DESede | |
| |
| +----------------------------------------------+----------------------------------------------+ |
| |
| | DESKeySpec | DES | |
| |
| +----------------------------------------------+----------------------------------------------+ |
| |
| | SecretKeySpec | AES | |
| |
| | | DES | |
| |
| | | DESede | |
| |
| | | RC4 | |
| |
| +----------------------------------------------+----------------------------------------------+ |
| |
| - ``getKeySpec`` supports the following transformations: |
| |
| |
| +----------------------------------------------+----------------------------------------------+ |
| |
| | Key Algorithm | KeySpec Class | |
| |
| +----------------------------------------------+----------------------------------------------+ |
| |
| | DESede | DESedeKeySpec | |
| |
| +----------------------------------------------+----------------------------------------------+ |
| |
| | DES | DESKeySpec | |
| |
| +----------------------------------------------+----------------------------------------------+ |
| |
| | DESede | SecretKeySpec | |
| |
| | DES | | |
| |
| | AES | | |
| |
| | RC4 | | |
| |
| +----------------------------------------------+----------------------------------------------+ |
| |
| - For increased security, some SecretKeys may not be extractable from their PKCS #11 token. |
| In this case, the key should be wrapped (encrypted with another key), and then the |
| encrypted key might be extractable from the token. This policy varies across PKCS #11 |
| tokens. |
| - ``translateKey`` tries two approaches to copying keys. First, it tries to copy the key |
| material directly using NSS calls to PKCS #11. If that fails, it calls ``getEncoded()`` on |
| the source key, and then tries to create a new key on the target token from the encoded |
| bits. Both of these operations will fail if the source key is not extractable. |
| - The class ``java.security.spec.PBEKeySpec`` in JDK versions earlier than 1.4 does not |
| contain the salt and iteration fields, which are necessary for PBE key generation. These |
| fields were added in JDK 1.4. If you are using a JDK (or JRE) version earlier than 1.4, you |
| cannot use class ``java.security.spec.PBEKeySpec``. Instead, you can use |
| ``org.mozilla.jss.crypto.PBEKeyGenParams``. If you are using JDK (or JRE) 1.4 or later, you |
| can use ``java.security.spec.PBEKeySpec`` or ``org.mozilla.jss.crypto.PBEKeyGenParams``. |
+---------------------------------------------------------------------------------------------------+
| .. rubric:: SecretKey |
| :name: SecretKey_2 |
| |
| .. rubric:: Supported Algorithms |
| :name: supported_algorithms_8 |
| |
| .. rubric:: Notes |
| :name: notes_8 |
| |
| - |
| |
| - AES |
| - DES |
| - DESede (*DES3* ) |
| - HmacSHA1 |
| - RC2 |
| - RC4 |
| |
| - ``SecretKey`` is implemented by the class ``org.mozilla.jss.crypto.SecretKeyFacade``, which |
| acts as a wrapper around the JSS class ``SymmetricKey``. Any ``SecretKeys`` handled by JSS |
| will actually be ``SecretKeyFacades``. This should usually be transparent. |
+---------------------------------------------------------------------------------------------------+
| .. rubric:: SecureRandom |
| :name: SecureRandom_2 |
| |
| .. rubric:: Supported Algorithms |
| :name: supported_algorithms_9 |
| |
| .. rubric:: Notes |
| :name: notes_9 |
| |
| - |
| |
| - pkcs11prng |
| |
| - This invokes the NSS internal pseudorandom number generator. |
+---------------------------------------------------------------------------------------------------+
| .. rubric:: Signature |
| :name: Signature_2 |
| |
| .. rubric:: Supported Algorithms |
| :name: supported_algorithms_10 |
| |
| .. rubric:: Notes |
| :name: notes_10 |
| |
| - |
| |
| - SHA1withDSA (*DSA, DSS, SHA/DSA, SHA-1/DSA, SHA1/DSA, DSAWithSHA1, SHAwithDSA* ) |
| - SHA-1/RSA (*SHA1/RSA, SHA1withRSA* ) |
| - MD5/RSA (*MD5withRSA* ) |
| - MD2/RSA |
| |
| - The ``SecureRandom`` argument passed to ``initSign()`` and ``initVerify()`` is ignored, |
| because NSS does not support specifying an external source of randomness. |
+---------------------------------------------------------------------------------------------------+

18
security/nss/doc/rst/releases/index.rst
Просмотреть файл

@ -8,9 +8,7 @@ Releases
:glob:
:hidden:
nss_3_88_1.rst
nss_3_88.rst
nss_3_87_1.rst
nss_3_87.rst
nss_3_86.rst
nss_3_85.rst
@ -19,8 +17,6 @@ Releases
nss_3_82.rst
nss_3_81.rst
nss_3_80.rst
nss_3_79_4.rst
nss_3_79_3.rst
nss_3_79_2.rst
nss_3_79_1.rst
nss_3_79.rst
@ -51,19 +47,15 @@ Releases
.. note::
**NSS 3.88.1** is the latest version of NSS.
Complete release notes are available here: :ref:`mozilla_projects_nss_nss_3_88_1_release_notes`
**NSS 3.88** is the latest version of NSS.
Complete release notes are available here: :ref:`mozilla_projects_nss_nss_3_88_release_notes`
**NSS 3.79.4** is the latest ESR version of NSS.
Complete release notes are available here: :ref:`mozilla_projects_nss_nss_3_79_4_release_notes`
**NSS 3.79.2** is the latest ESR version of NSS.
Complete release notes are available here: :ref:`mozilla_projects_nss_nss_3_79_2_release_notes`
.. container::
Changes in 3.88.1 included in this release:
- Bug 1804640 - improve handling of unknown PKCS#12 safe bag types.
Changes in 3.88 included in this release:
- Bug 1815870 - use a different treeherder symbol for each docker image build task.
@ -89,4 +81,4 @@ Releases
- Bug 1805907 - Extending RSA-PSS bltest test coverage (Adding SHA-256 and SHA-384)
- Bug 1804091 NSS needs to move off of DSA for integrity checks
- Bug 1805815 - Add initial testing with ACVP vector sets using acvp-rust
- Bug 1806369 - Don't clone libFuzzer, rely on clang instead
- Bug 1806369 - Don't clone libFuzzer, rely on clang instead

4
security/nss/doc/rst/releases/nss_3_69_1.rst
Просмотреть файл

@ -1,7 +1,7 @@
.. _mozilla_projects_nss_nss_3_69_1_release_notes:
NSS 3.69.1 release notes
========================
======================
`Introduction <#introduction>`__
--------------------------------
@ -29,7 +29,7 @@ NSS 3.69.1 release notes
.. _changes_3.69.1:
`Changes in NSS 3.69.1 <#changes_3.69.1>`__
-------------------------------------------
----------------------------------------------------
.. container::

4
security/nss/doc/rst/releases/nss_3_76_1.rst
Просмотреть файл

@ -1,7 +1,7 @@
.. _mozilla_projects_nss_nss_3_76_1_release_notes:
NSS 3.76.1 release notes
========================
======================
`Introduction <#introduction>`__
--------------------------------
@ -29,7 +29,7 @@ NSS 3.76.1 release notes
.. _changes_in_nss_3.76.1:
`Changes in NSS 3.76.1 <#changes_in_nss_3.76.1>`__
--------------------------------------------------
----------------------------------------------------
.. container::

2
security/nss/doc/rst/releases/nss_3_79.rst
Просмотреть файл

@ -30,7 +30,7 @@ NSS 3.79 release notes
.. _changes_in_nss_3.79:
`Changes in NSS 3.79 <#changes_in_nss_3.79>`__
----------------------------------------------
----------------------------------------------------
.. container::

4
security/nss/doc/rst/releases/nss_3_79_1.rst
Просмотреть файл

@ -1,7 +1,7 @@
.. _mozilla_projects_nss_nss_3_79_1_release_notes:
NSS 3.79.1 release notes
========================
======================
`Introduction <#introduction>`__
--------------------------------
@ -30,7 +30,7 @@ NSS 3.79.1 release notes
.. _changes_in_nss_3.79.1:
`Changes in NSS 3.79.1 <#changes_in_nss_3.79.1>`__
--------------------------------------------------
----------------------------------------------------
.. container::

4
security/nss/doc/rst/releases/nss_3_79_2.rst
Просмотреть файл

@ -1,7 +1,7 @@
.. _mozilla_projects_nss_nss_3_79_2_release_notes:
NSS 3.79.2 release notes
========================
======================
`Introduction <#introduction>`__
--------------------------------
@ -30,7 +30,7 @@ NSS 3.79.2 release notes
.. _changes_in_nss_3.79.2:
`Changes in NSS 3.79.2 <#changes_in_nss_3.79.2>`__
--------------------------------------------------
----------------------------------------------------
.. container::

4
security/nss/doc/rst/releases/nss_3_79_3.rst
Просмотреть файл

@ -1,7 +1,7 @@
.. _mozilla_projects_nss_nss_3_79_3_release_notes:
NSS 3.79.3 release notes
========================
======================
`Introduction <#introduction>`__
--------------------------------
@ -30,7 +30,7 @@ NSS 3.79.3 release notes
.. _changes_in_nss_3.79.3:
`Changes in NSS 3.79.3 <#changes_in_nss_3.79.3>`__
--------------------------------------------------
----------------------------------------------------
.. container::

58
security/nss/doc/rst/releases/nss_3_79_4.rst
Просмотреть файл

@ -1,58 +0,0 @@
.. _mozilla_projects_nss_nss_3_79_4_release_notes:
NSS 3.79.4 release notes
======================
`Introduction <#introduction>`__
--------------------------------
.. container::
Network Security Services (NSS) 3.79.4 was released on **9 February 2023**.
.. _distribution_information:
`Distribution Information <#distribution_information>`__
--------------------------------------------------------
.. container::
The HG tag is NSS_3_79_4_RTM. NSS 3.79.4 requires NSPR 4.34.1 or newer.
NSS 3.79.4 source distributions are available on ftp.mozilla.org for secure HTTPS download:
- Source tarballs:
https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_79_4_RTM/src/
Other releases are available :ref:`mozilla_projects_nss_releases`.
.. _changes_in_nss_3.79.4:
`Changes in NSS 3.79.4 <#changes_in_nss_3.79.4>`__
----------------------------------------------------
.. container::
- Bug 1804640 - improve handling of unknown PKCS#12 safe bag types.
`Compatibility <#compatibility>`__
----------------------------------
.. container::
NSS 3.79.4 shared libraries are backwards-compatible with all older NSS 3.x shared
libraries. A program linked with older NSS 3.x shared libraries will work with
this new version of the shared libraries without recompiling or
relinking. Furthermore, applications that restrict their use of NSS APIs to the
functions listed in NSS Public Functions will remain compatible with future
versions of the NSS shared libraries.
`Feedback <#feedback>`__
------------------------
.. container::
Bugs discovered should be reported by filing a bug report on
`bugzilla.mozilla.org <https://bugzilla.mozilla.org/enter_bug.cgi?product=NSS>`__ (product NSS).

57
security/nss/doc/rst/releases/nss_3_87_1.rst
Просмотреть файл

@ -1,57 +0,0 @@
.. _mozilla_projects_nss_nss_3_87_1_release_notes:
NSS 3.87.1 release notes
======================
`Introduction <#introduction>`__
--------------------------------
.. container::
Network Security Services (NSS) 3.87.1 was released on **9 February 2022**.
.. _distribution_information:
`Distribution Information <#distribution_information>`__
--------------------------------------------------------
.. container::
The HG tag is NSS_3_87_RTM. NSS 3.87 requires NSPR 4.35 or newer.
NSS 3.87.1 source distributions are available on ftp.mozilla.org for secure HTTPS download:
- Source tarballs:
https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_87_1_RTM/src/
Other releases are available :ref:`mozilla_projects_nss_releases`.
.. _changes_in_nss_3.87.1:
`Changes in NSS 3.87.1 <#changes_in_nss_3.87.1>`__
----------------------------------------------------
.. container::
- Bug 1804640 - improve handling of unknown PKCS#12 safe bag types.
`Compatibility <#compatibility>`__
----------------------------------
.. container::
NSS 3.87.1 shared libraries are backwards-compatible with all older NSS 3.x shared
libraries. A program linked with older NSS 3.x shared libraries will work with
this new version of the shared libraries without recompiling or
relinking. Furthermore, applications that restrict their use of NSS APIs to the
functions listed in NSS Public Functions will remain compatible with future
versions of the NSS shared libraries.
`Feedback <#feedback>`__
------------------------
.. container::
Bugs discovered should be reported by filing a bug report on
`bugzilla.mozilla.org <https://bugzilla.mozilla.org/enter_bug.cgi?product=NSS>`__ (product NSS).

4
security/nss/doc/rst/releases/nss_3_88_1.rst
Просмотреть файл

@ -1,7 +1,7 @@
.. _mozilla_projects_nss_nss_3_88_1_release_notes:
NSS 3.88.1 release notes
========================
======================
`Introduction <#introduction>`__
--------------------------------
@ -30,7 +30,7 @@ NSS 3.88.1 release notes
.. _changes_in_nss_3.88.1:
`Changes in NSS 3.88.1 <#changes_in_nss_3.88.1>`__
--------------------------------------------------
----------------------------------------------------
.. container::

2
security/nss/gtests/freebl_gtest/ecl_unittest.cc
Просмотреть файл

@ -14,7 +14,7 @@ namespace nss_test {
class ECLTest : public ::testing::Test {
protected:
ECCurveName GetCurveName(std::string name) {
const ECCurveName GetCurveName(std::string name) {
if (name == "P256") return ECCurve_NIST_P256;
if (name == "P384") return ECCurve_NIST_P384;
if (name == "P521") return ECCurve_NIST_P521;

1
security/nss/gtests/nss_bogo_shim/config.json
Просмотреть файл

@ -24,6 +24,7 @@
"*Ed25519*":"Add Ed25519 support (Bug 1325335)",
"*NoSSL3*":"Test passes but only because of handshake failure, NSS only rejects SSL3 immediately in TLS1.3 clients/servers.",
"GREASE-Server-TLS13":"NSS only supports ECH grease.",
"SendExtensionOnClientCertificate-TLS13":"Bug 1339392",
"CheckRecordVersion-TLS1":"NSS doesn't check record version field. Bug 1317634",
"CheckRecordVersion-TLS11":"NSS doesn't check record version field. Bug 1317634",

19
security/nss/gtests/nss_bogo_shim/nss_bogo_shim.cc
Просмотреть файл

@ -366,22 +366,6 @@ class TestAgent {
if (rv != SECSuccess) return false;
free(bin);
}
if (cfg_.get<bool>("enable-grease")) {
rv = SSL_OptionSet(ssl_fd_.get(), SSL_ENABLE_GREASE, PR_TRUE);
if (rv != SECSuccess) return false;
}
if (cfg_.get<bool>("permute-extensions")) {
rv = SSL_OptionSet(ssl_fd_.get(), SSL_ENABLE_CH_EXTENSION_PERMUTATION,
PR_TRUE);
if (rv != SECSuccess) return false;
}
} else {
// GREASE - BoGo expects servers to enable GREASE by default
rv = SSL_OptionSet(ssl_fd_.get(), SSL_ENABLE_GREASE, PR_TRUE);
if (rv != SECSuccess) return false;
}
rv = SSL_OptionSet(ssl_fd_.get(), SSL_ENABLE_EXTENDED_MASTER_SECRET,
@ -502,6 +486,7 @@ class TestAgent {
return SECFailure;
}
}
return SECSuccess;
}
// Write bytes to the other side then read them back and check
@ -911,8 +896,6 @@ std::unique_ptr<const Config> ReadConfig(int argc, char** argv) {
cfg->AddEntry<bool>("expect-hrr", false);
cfg->AddEntry<bool>("enable-ech-grease", false);
cfg->AddEntry<bool>("enable-early-data", false);
cfg->AddEntry<bool>("enable-grease", false);
cfg->AddEntry<bool>("permute-extensions", false);
cfg->AddEntry<bool>("on-resume-expect-reject-early-data", false);
cfg->AddEntry<bool>("on-resume-expect-accept-early-data", false);
cfg->AddEntry<bool>("expect-ticket-supports-early-data", false);

9
security/nss/gtests/pk11_gtest/pk11_rsapkcs1_unittest.cc
Просмотреть файл

@ -169,11 +169,7 @@ class Pkcs11RsaPkcs1WycheproofTest : public ::testing::Test {
* Use 6 as the invalid value since modLen % 16 must be zero.
*/
TEST(RsaPkcs1Test, Pkcs1MinimumPadding) {
#define RSA_SHORT_KEY_LENGTH 736
/* if our minimum supported key length is big enough to handle
* our largest Hash function, we can't test a short length */
#if RSA_MIN_MODULUS_BITS < RSA_SHORT_KEY_LENGTH
const size_t kRsaShortKeyBits = RSA_SHORT_KEY_LENGTH;
const size_t kRsaShortKeyBits = 736;
const size_t kRsaKeyBits = 752;
static const std::vector<uint8_t> kMsg{'T', 'E', 'S', 'T'};
static const std::vector<uint8_t> kSha512DigestInfo{
@ -273,9 +269,6 @@ TEST(RsaPkcs1Test, Pkcs1MinimumPadding) {
SEC_OID_PKCS1_RSA_ENCRYPTION, SEC_OID_SHA512,
nullptr);
EXPECT_EQ(SECSuccess, rv);
#else
GTEST_SKIP();
#endif
}
TEST(RsaPkcs1Test, RequireNullParameter) {

21
security/nss/gtests/ssl_gtest/ssl_auth_unittest.cc
Просмотреть файл

@ -999,6 +999,27 @@ TEST_P(TlsConnectClientAuth12, ClientAuthBigRsaCheckSigAlg) {
2048);
}
// Replaces the signature scheme in a CertificateVerify message.
class TlsReplaceSignatureSchemeFilter : public TlsHandshakeFilter {
public:
TlsReplaceSignatureSchemeFilter(const std::shared_ptr<TlsAgent>& a,
SSLSignatureScheme scheme)
: TlsHandshakeFilter(a, {kTlsHandshakeCertificateVerify}),
scheme_(scheme) {}
protected:
virtual PacketFilter::Action FilterHandshake(const HandshakeHeader& header,
const DataBuffer& input,
DataBuffer* output) {
*output = input;
output->Write(0, scheme_, 2);
return CHANGE;
}
private:
SSLSignatureScheme scheme_;
};
// Check if CertificateVerify signed with rsa_pss_rsae_* is properly
// rejected when the certificate is RSA-PSS.
//

31
security/nss/gtests/ssl_gtest/ssl_dhe_unittest.cc
Просмотреть файл

@ -643,6 +643,37 @@ TEST_P(TlsConnectGenericPre13, InvalidDERSignatureFfdhe) {
client_->CheckErrorCode(SSL_ERROR_BAD_HANDSHAKE_HASH_VALUE);
}
// Replace SignatureAndHashAlgorithm of a SKE.
class DHEServerKEXSigAlgReplacer : public TlsHandshakeFilter {
public:
DHEServerKEXSigAlgReplacer(const std::shared_ptr<TlsAgent>& server,
SSLSignatureScheme sig_scheme)
: TlsHandshakeFilter(server, {kTlsHandshakeServerKeyExchange}),
sig_scheme_(sig_scheme) {}
protected:
virtual PacketFilter::Action FilterHandshake(const HandshakeHeader& header,
const DataBuffer& input,
DataBuffer* output) {
*output = input;
uint32_t len;
uint32_t idx = 0;
EXPECT_TRUE(output->Read(idx, 2, &len));
idx += 2 + len;
EXPECT_TRUE(output->Read(idx, 2, &len));
idx += 2 + len;
EXPECT_TRUE(output->Read(idx, 2, &len));
idx += 2 + len;
output->Write(idx, sig_scheme_, 2);
return CHANGE;
}
private:
SSLSignatureScheme sig_scheme_;
};
TEST_P(TlsConnectTls12, ConnectInconsistentSigAlgDHE) {
EnableOnlyDheCiphers();

25
security/nss/gtests/ssl_gtest/ssl_ecdh_unittest.cc
Просмотреть файл

@ -620,6 +620,31 @@ TEST_P(TlsConnectGenericPre13, ConnectUnsupportedPointFormat) {
client_->CheckErrorCode(SEC_ERROR_UNSUPPORTED_EC_POINT_FORM);
}
// Replace SignatureAndHashAlgorithm of a SKE.
class ECCServerKEXSigAlgReplacer : public TlsHandshakeFilter {
public:
ECCServerKEXSigAlgReplacer(const std::shared_ptr<TlsAgent> &server,
SSLSignatureScheme sig_scheme)
: TlsHandshakeFilter(server, {kTlsHandshakeServerKeyExchange}),
sig_scheme_(sig_scheme) {}
protected:
virtual PacketFilter::Action FilterHandshake(const HandshakeHeader &header,
const DataBuffer &input,
DataBuffer *output) {
*output = input;
uint32_t point_len;
EXPECT_TRUE(output->Read(3, 1, &point_len));
output->Write(4 + point_len, sig_scheme_, 2);
return CHANGE;
}
private:
SSLSignatureScheme sig_scheme_;
};
TEST_P(TlsConnectTls12, ConnectUnsupportedSigAlg) {
EnsureTlsSetup();
client_->DisableAllCiphers();

101
security/nss/gtests/ssl_gtest/ssl_extension_unittest.cc
Просмотреть файл

@ -1357,107 +1357,6 @@ TEST_F(TlsConnectDatagram13, Dtls13RejectLegacyCookie) {
client_->CheckErrorCode(SSL_ERROR_ILLEGAL_PARAMETER_ALERT);
}
TEST_P(TlsConnectGeneric, ClientHelloExtensionPermutation) {
EnsureTlsSetup();
PR_ASSERT(SSL_OptionSet(client_->ssl_fd(),
SSL_ENABLE_CH_EXTENSION_PERMUTATION,
PR_TRUE) == SECSuccess);
Connect();
}
TEST_F(TlsConnectStreamTls13, ClientHelloExtensionPermutationWithPSK) {
EnsureTlsSetup();
ScopedPK11SlotInfo slot(PK11_GetInternalSlot());
const uint8_t kPskDummyVal_[16] = {0x01, 0x02, 0x03, 0x04, 0x05,
0x06, 0x07, 0x08, 0x09, 0x0a,
0x0b, 0x0c, 0x0d, 0x0e, 0x0f};
SECItem psk_item;
psk_item.type = siBuffer;
psk_item.len = sizeof(kPskDummyVal_);
psk_item.data = const_cast<uint8_t*>(kPskDummyVal_);
PK11SymKey* key =
PK11_ImportSymKey(slot.get(), CKM_HKDF_KEY_GEN, PK11_OriginUnwrap,
CKA_DERIVE, &psk_item, NULL);
ScopedPK11SymKey scoped_psk_(key);
const std::string kPskDummyLabel_ = "NSS PSK GTEST label";
const SSLHashType kPskHash_ = ssl_hash_sha384;
AddPsk(scoped_psk_, kPskDummyLabel_, kPskHash_);
PR_ASSERT(SSL_OptionSet(client_->ssl_fd(),
SSL_ENABLE_CH_EXTENSION_PERMUTATION,
PR_TRUE) == SECSuccess);
Connect();
SendReceive();
CheckKeys(ssl_kea_ecdh, ssl_grp_ec_curve25519, ssl_auth_psk, ssl_sig_none);
}
/* This test checks that the ClientHello extension order is actually permuted
* if ss->opt.chXtnPermutation is set. It is asserted that at least one out of
* 10 extension orders differs from the others.
*
* This is a probabilistic test: The default TLS 1.3 ClientHello contains 8
* extensions, leading to a 1/8! probability for any extension order and the
* same probability for two drawn extension orders to coincide.
* Since all sequences are compared against each other this leads to a false
* positive rate of (1/8!)^(n^2-n).
* To achieve a spurious failure rate << 1/2^64, we compare n=10 drawn orders.
*
* This test assures that randomisation is happening but does not check quality
* of the used Fisher-Yates shuffle. */
TEST_F(TlsConnectStreamTls13,
ClientHelloExtensionPermutationProbabilisticTest) {
std::vector<std::vector<uint16_t>> orders;
/* Capture the extension order of 10 ClientHello messages. */
for (size_t i = 0; i < 10; i++) {
client_->StartConnect();
/* Enable ClientHello extension permutation. */
PR_ASSERT(SSL_OptionSet(client_->ssl_fd(),
SSL_ENABLE_CH_EXTENSION_PERMUTATION,
PR_TRUE) == SECSuccess);
/* Capture extension order filter. */
auto filter = MakeTlsFilter<TlsExtensionOrderCapture>(
client_, kTlsHandshakeClientHello);
/* Send ClientHello. */
client_->Handshake();
/* Remember extension order. */
orders.push_back(filter->order);
/* Reset client / server state. */
Reset();
}
/* Check for extension order inequality. */
size_t inequal = 0;
for (auto& outerOrders : orders) {
for (auto& innerOrders : orders) {
if (outerOrders != innerOrders) {
inequal++;
}
}
}
PR_ASSERT(inequal >= 1);
}
// The certificate_authorities xtn can be included in a ClientHello [RFC 8446,
// Section 4.2]
TEST_F(TlsConnectStreamTls13, ClientHelloCertAuthXtnToleration) {
EnsureTlsSetup();
uint8_t bodyBuf[3] = {0x00, 0x01, 0xff};
DataBuffer body(bodyBuf, sizeof(bodyBuf));
auto ch = MakeTlsFilter<TlsExtensionAppender>(
client_, kTlsHandshakeClientHello, ssl_tls13_certificate_authorities_xtn,
body);
// The Connection will fail because the added extension isn't in the client's
// transcript not because the extension is unsupported (Bug 1815167).
server_->ExpectSendAlert(bad_record_mac);
client_->ExpectSendAlert(bad_record_mac);
ConnectExpectFail();
server_->CheckErrorCode(SSL_ERROR_BAD_MAC_READ);
client_->CheckErrorCode(SSL_ERROR_BAD_MAC_READ);
}
INSTANTIATE_TEST_SUITE_P(
ExtensionStream, TlsExtensionTestGeneric,
::testing::Combine(TlsConnectTestBase::kTlsVariantsStream,

3
security/nss/gtests/ssl_gtest/ssl_gtest.gyp
Просмотреть файл

@ -58,8 +58,7 @@
'tls_ech_unittest.cc',
'tls_protect.cc',
'tls_psk_unittest.cc',
'tls_subcerts_unittest.cc',
'tls_grease_unittest.cc'
'tls_subcerts_unittest.cc'
],
'dependencies': [
'<(DEPTH)/exports.gyp:nss_exports',

25
security/nss/gtests/ssl_gtest/ssl_version_unittest.cc
Просмотреть файл

@ -60,8 +60,8 @@ TEST_F(TlsConnectTest, TestDowngradeDetectionToTls11) {
server_->SetVersionRange(SSL_LIBRARY_VERSION_TLS_1_0,
SSL_LIBRARY_VERSION_TLS_1_2);
client_->SetOption(SSL_ENABLE_HELLO_DOWNGRADE_CHECK, PR_TRUE);
MakeTlsFilter<TlsMessageVersionSetter>(client_, kTlsHandshakeClientHello,
SSL_LIBRARY_VERSION_TLS_1_1);
MakeTlsFilter<TlsClientHelloVersionSetter>(client_,
SSL_LIBRARY_VERSION_TLS_1_1);
ConnectExpectAlert(client_, kTlsAlertIllegalParameter);
client_->CheckErrorCode(SSL_ERROR_RX_MALFORMED_SERVER_HELLO);
server_->CheckErrorCode(SSL_ERROR_ILLEGAL_PARAMETER_ALERT);
@ -69,8 +69,7 @@ TEST_F(TlsConnectTest, TestDowngradeDetectionToTls11) {
// Attempt to negotiate the bogus DTLS 1.1 version.
TEST_F(DtlsConnectTest, TestDtlsVersion11) {
MakeTlsFilter<TlsMessageVersionSetter>(client_, kTlsHandshakeClientHello,
((~0x0101) & 0xffff));
MakeTlsFilter<TlsClientHelloVersionSetter>(client_, ((~0x0101) & 0xffff));
ConnectExpectAlert(server_, kTlsAlertProtocolVersion);
client_->CheckErrorCode(SSL_ERROR_PROTOCOL_VERSION_ALERT);
server_->CheckErrorCode(SSL_ERROR_UNSUPPORTED_VERSION);
@ -161,8 +160,8 @@ TEST_P(TlsDowngradeTest, TlsDowngradeSentinelTest) {
TEST_F(TlsConnectTest, TestDowngradeDetectionToTls10) {
// Setting the option here has no effect.
client_->SetOption(SSL_ENABLE_HELLO_DOWNGRADE_CHECK, PR_TRUE);
MakeTlsFilter<TlsMessageVersionSetter>(client_, kTlsHandshakeClientHello,
SSL_LIBRARY_VERSION_TLS_1_0);
MakeTlsFilter<TlsClientHelloVersionSetter>(client_,
SSL_LIBRARY_VERSION_TLS_1_0);
client_->SetVersionRange(SSL_LIBRARY_VERSION_TLS_1_0,
SSL_LIBRARY_VERSION_TLS_1_1);
server_->SetVersionRange(SSL_LIBRARY_VERSION_TLS_1_0,
@ -276,8 +275,8 @@ class Tls13NoSupportedVersions : public TlsConnectStreamTls12 {
client_->SetVersionRange(SSL_LIBRARY_VERSION_TLS_1_2,
SSL_LIBRARY_VERSION_TLS_1_2);
server_->SetVersionRange(SSL_LIBRARY_VERSION_TLS_1_2, max_server_version);
MakeTlsFilter<TlsMessageVersionSetter>(client_, kTlsHandshakeClientHello,
overwritten_client_version);
MakeTlsFilter<TlsClientHelloVersionSetter>(client_,
overwritten_client_version);
auto capture =
MakeTlsFilter<TlsHandshakeRecorder>(server_, kTlsHandshakeServerHello);
ConnectExpectAlert(server_, kTlsAlertDecryptError);
@ -311,8 +310,8 @@ TEST_F(Tls13NoSupportedVersions,
// Offer 1.3 but with ClientHello.legacy_version == TLS 1.4. This
// causes a bad MAC error when we read EncryptedExtensions.
TEST_F(TlsConnectStreamTls13, Tls14ClientHelloWithSupportedVersions) {
MakeTlsFilter<TlsMessageVersionSetter>(client_, kTlsHandshakeClientHello,
SSL_LIBRARY_VERSION_TLS_1_3 + 1);
MakeTlsFilter<TlsClientHelloVersionSetter>(client_,
SSL_LIBRARY_VERSION_TLS_1_3 + 1);
auto capture = MakeTlsFilter<TlsExtensionCapture>(
server_, ssl_tls13_supported_versions_xtn);
client_->ExpectSendAlert(kTlsAlertBadRecordMac);
@ -331,14 +330,12 @@ TEST_F(TlsConnectStreamTls13, Tls14ClientHelloWithSupportedVersions) {
// Offer 1.3 but with Server/ClientHello.legacy_version == SSL 3.0. This
// causes a protocol version alert. See RFC 8446 Appendix D.5.
TEST_F(TlsConnectStreamTls13, Ssl30ClientHelloWithSupportedVersions) {
MakeTlsFilter<TlsMessageVersionSetter>(client_, kTlsHandshakeClientHello,
SSL_LIBRARY_VERSION_3_0);
MakeTlsFilter<TlsClientHelloVersionSetter>(client_, SSL_LIBRARY_VERSION_3_0);
ConnectExpectAlert(server_, kTlsAlertProtocolVersion);
}
TEST_F(TlsConnectStreamTls13, Ssl30ServerHelloWithSupportedVersions) {
MakeTlsFilter<TlsMessageVersionSetter>(server_, kTlsHandshakeServerHello,
SSL_LIBRARY_VERSION_3_0);
MakeTlsFilter<TlsServerHelloVersionSetter>(server_, SSL_LIBRARY_VERSION_3_0);
StartConnect();
client_->ExpectSendAlert(kTlsAlertProtocolVersion);
/* Since the handshake is not finished the client will send an unencrypted

22
security/nss/gtests/ssl_gtest/tls_ech_unittest.cc
Просмотреть файл

@ -2884,28 +2884,6 @@ TEST_F(TlsConnectStreamTls13Ech, EchPublicNameNotLdh) {
ValidatePublicNames(kNotLdh, SECFailure);
}
TEST_F(TlsConnectStreamTls13, EchClientHelloExtensionPermutation) {
EnsureTlsSetup();
PR_ASSERT(SSL_OptionSet(client_->ssl_fd(),
SSL_ENABLE_CH_EXTENSION_PERMUTATION,
PR_TRUE) == SECSuccess);
SetupEch(client_, server_);
client_->ExpectEch();
server_->ExpectEch();
Connect();
}
TEST_F(TlsConnectStreamTls13, EchGreaseClientHelloExtensionPermutation) {
EnsureTlsSetup();
PR_ASSERT(SSL_OptionSet(client_->ssl_fd(),
SSL_ENABLE_CH_EXTENSION_PERMUTATION,
PR_TRUE) == SECSuccess);
PR_ASSERT(SSL_EnableTls13GreaseEch(client_->ssl_fd(), PR_FALSE) ==
SECSuccess);
Connect();
}
INSTANTIATE_TEST_SUITE_P(EchAgentTest, TlsAgentEchTest,
::testing::Combine(TlsConnectTestBase::kTlsVariantsAll,
TlsConnectTestBase::kTlsV13));

38
security/nss/gtests/ssl_gtest/tls_filter.cc
Просмотреть файл

@ -1015,12 +1015,6 @@ PacketFilter::Action TlsExtensionFilter::FilterExtensions(
return KEEP;
}
PacketFilter::Action TlsExtensionOrderCapture::FilterExtension(
uint16_t extension_type, const DataBuffer& input, DataBuffer* output) {
order.push_back(extension_type);
return KEEP;
}
PacketFilter::Action TlsExtensionCapture::FilterExtension(
uint16_t extension_type, const DataBuffer& input, DataBuffer* output) {
if (extension_type == extension_ && (last_ || !captured_)) {
@ -1205,7 +1199,15 @@ PacketFilter::Action SelectiveRecordDropFilter::FilterRecord(
return pattern;
}
PacketFilter::Action TlsMessageVersionSetter::FilterHandshake(
PacketFilter::Action TlsClientHelloVersionSetter::FilterHandshake(
const HandshakeHeader& header, const DataBuffer& input,
DataBuffer* output) {
*output = input;
output->Write(0, version_, 2);
return CHANGE;
}
PacketFilter::Action TlsServerHelloVersionSetter::FilterHandshake(
const HandshakeHeader& header, const DataBuffer& input,
DataBuffer* output) {
*output = input;
@ -1268,26 +1270,4 @@ PacketFilter::Action ClientHelloPreambleCapture::FilterHandshake(
return KEEP;
}
PacketFilter::Action ClientHelloCiphersuiteCapture::FilterHandshake(
const HandshakeHeader& header, const DataBuffer& input,
DataBuffer* output) {
EXPECT_TRUE(header.handshake_type() == kTlsHandshakeClientHello);
if (captured_) {
return KEEP;
}
captured_ = true;
TlsParser parser(input);
EXPECT_TRUE(parser.Skip(2 + 32)); // Version + Random
EXPECT_TRUE(parser.SkipVariable(1)); // Session ID
if (is_dtls_agent()) {
EXPECT_TRUE(parser.SkipVariable(1)); // Cookie
}
EXPECT_TRUE(parser.ReadVariable(&data_, 2)); // Ciphersuites
return KEEP;
}
} // namespace nss_test

165
security/nss/gtests/ssl_gtest/tls_filter.h
Просмотреть файл

@ -488,19 +488,6 @@ class TlsExtensionFilter : public TlsHandshakeFilter {
DataBuffer* output);
};
class TlsExtensionOrderCapture : public TlsExtensionFilter {
public:
TlsExtensionOrderCapture(const std::shared_ptr<TlsAgent>& a, uint8_t message)
: TlsExtensionFilter(a, {message}){};
std::vector<uint16_t> order;
protected:
PacketFilter::Action FilterExtension(uint16_t extension_type,
const DataBuffer& input,
DataBuffer* output) override;
};
class TlsExtensionCapture : public TlsExtensionFilter {
public:
TlsExtensionCapture(const std::shared_ptr<TlsAgent>& a, uint16_t ext,
@ -797,16 +784,27 @@ class SelectiveRecordDropFilter : public TlsRecordFilter {
uint8_t counter_;
};
// Set the version value in the ClientHello, ServerHello or HelloRetryRequest
class TlsMessageVersionSetter : public TlsHandshakeFilter {
// Set the version number in the ClientHello.
class TlsClientHelloVersionSetter : public TlsHandshakeFilter {
public:
TlsMessageVersionSetter(const std::shared_ptr<TlsAgent>& a, uint8_t message,
uint16_t version)
: TlsHandshakeFilter(a, {message}), version_(version) {
PR_ASSERT(message == kTlsHandshakeClientHello ||
message == kTlsHandshakeServerHello ||
message == kTlsHandshakeHelloRetryRequest);
}
TlsClientHelloVersionSetter(const std::shared_ptr<TlsAgent>& a,
uint16_t version)
: TlsHandshakeFilter(a, {kTlsHandshakeClientHello}), version_(version) {}
virtual PacketFilter::Action FilterHandshake(const HandshakeHeader& header,
const DataBuffer& input,
DataBuffer* output);
private:
uint16_t version_;
};
// Set the version number in the ServerHello.
class TlsServerHelloVersionSetter : public TlsHandshakeFilter {
public:
TlsServerHelloVersionSetter(const std::shared_ptr<TlsAgent>& a,
uint16_t version)
: TlsHandshakeFilter(a, {kTlsHandshakeServerHello}), version_(version) {}
virtual PacketFilter::Action FilterHandshake(const HandshakeHeader& header,
const DataBuffer& input,
@ -874,26 +872,6 @@ class ClientHelloPreambleCapture : public TlsHandshakeFilter {
DataBuffer data_;
};
class ClientHelloCiphersuiteCapture : public TlsHandshakeFilter {
public:
ClientHelloCiphersuiteCapture(const std::shared_ptr<TlsAgent>& a)
: TlsHandshakeFilter(a, {kTlsHandshakeClientHello}),
captured_(false),
data_() {}
const DataBuffer& contents() const { return data_; }
bool captured() const { return captured_; }
protected:
PacketFilter::Action FilterHandshake(const HandshakeHeader& header,
const DataBuffer& input,
DataBuffer* output) override;
private:
bool captured_;
DataBuffer data_;
};
class ServerHelloRandomChanger : public TlsHandshakeFilter {
public:
ServerHelloRandomChanger(const std::shared_ptr<TlsAgent>& a)
@ -905,109 +883,6 @@ class ServerHelloRandomChanger : public TlsHandshakeFilter {
DataBuffer* output) override;
};
// Replace SignatureAndHashAlgorithm of a SKE.
class DHEServerKEXSigAlgReplacer : public TlsHandshakeFilter {
public:
DHEServerKEXSigAlgReplacer(const std::shared_ptr<TlsAgent>& server,
uint16_t sig_scheme)
: TlsHandshakeFilter(server, {kTlsHandshakeServerKeyExchange}),
sig_scheme_(sig_scheme) {}
protected:
virtual PacketFilter::Action FilterHandshake(const HandshakeHeader& header,
const DataBuffer& input,
DataBuffer* output) {
*output = input;
uint32_t len;
uint32_t idx = 0;
EXPECT_TRUE(output->Read(idx, 2, &len));
idx += 2 + len;
EXPECT_TRUE(output->Read(idx, 2, &len));
idx += 2 + len;
EXPECT_TRUE(output->Read(idx, 2, &len));
idx += 2 + len;
output->Write(idx, sig_scheme_, 2);
return CHANGE;
}
private:
uint16_t sig_scheme_;
};
// Replace SignatureAndHashAlgorithm of a SKE.
class ECCServerKEXSigAlgReplacer : public TlsHandshakeFilter {
public:
ECCServerKEXSigAlgReplacer(const std::shared_ptr<TlsAgent>& server,
uint16_t sig_scheme)
: TlsHandshakeFilter(server, {kTlsHandshakeServerKeyExchange}),
sig_scheme_(sig_scheme) {}
protected:
virtual PacketFilter::Action FilterHandshake(const HandshakeHeader& header,
const DataBuffer& input,
DataBuffer* output) {
*output = input;
uint32_t point_len;
EXPECT_TRUE(output->Read(3, 1, &point_len));
output->Write(4 + point_len, sig_scheme_, 2);
return CHANGE;
}
private:
uint16_t sig_scheme_;
};
// Replace NamedCurve of a ECDHE SKE.
class ECCServerKEXNamedCurveReplacer : public TlsHandshakeFilter {
public:
ECCServerKEXNamedCurveReplacer(const std::shared_ptr<TlsAgent>& server,
uint16_t curve_name)
: TlsHandshakeFilter(server, {kTlsHandshakeServerKeyExchange}),
curve_name_(curve_name) {}
protected:
virtual PacketFilter::Action FilterHandshake(const HandshakeHeader& header,
const DataBuffer& input,
DataBuffer* output) {
*output = input;
uint32_t curve_type;
EXPECT_TRUE(output->Read(0, 1, &curve_type));
EXPECT_EQ(curve_type, ec_type_named);
output->Write(1, curve_name_, 2);
return CHANGE;
}
private:
uint16_t curve_name_;
};
// Replaces the signature scheme in a CertificateVerify message.
class TlsReplaceSignatureSchemeFilter : public TlsHandshakeFilter {
public:
TlsReplaceSignatureSchemeFilter(const std::shared_ptr<TlsAgent>& a,
uint16_t scheme)
: TlsHandshakeFilter(a, {kTlsHandshakeCertificateVerify}),
scheme_(scheme) {}
protected:
virtual PacketFilter::Action FilterHandshake(const HandshakeHeader& header,
const DataBuffer& input,
DataBuffer* output) {
*output = input;
output->Write(0, scheme_, 2);
return CHANGE;
}
private:
uint16_t scheme_;
};
} // namespace nss_test
#endif

878
security/nss/gtests/ssl_gtest/tls_grease_unittest.cc
Просмотреть файл

@ -1,878 +0,0 @@
/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
/* vim: set ts=2 et sw=2 tw=80: */
/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this file,
* You can obtain one at http://mozilla.org/MPL/2.0/. */
#include "secerr.h"
#include "ssl.h"
#include "gtest_utils.h"
#include "tls_connect.h"
#include "util.h"
namespace nss_test {
const uint8_t kTlsGreaseExtensionMessages[] = {kTlsHandshakeEncryptedExtensions,
kTlsHandshakeCertificate};
const uint16_t kTlsGreaseValues[] = {
0x0a0a, 0x1a1a, 0x2a2a, 0x3a3a, 0x4a4a, 0x5a5a, 0x6a6a, 0x7a7a,
0x8a8a, 0x9a9a, 0xaaaa, 0xbaba, 0xcaca, 0xdada, 0xeaea, 0xfafa};
const uint8_t kTlsGreasePskValues[] = {0x0B, 0x2A, 0x49, 0x68,
0x87, 0xA6, 0xC5, 0xE4};
size_t countGreaseInBuffer(const DataBuffer& list) {
if (!list.len()) {
return 0;
}
size_t occurrence = 0;
for (uint16_t greaseVal : kTlsGreaseValues) {
for (size_t i = 0; i < (list.len() - 1); i += 2) {
uint16_t sample = list.data()[i + 1] + (list.data()[i] << 8);
if (greaseVal == sample) {
occurrence++;
}
}
}
return occurrence;
}
class GreasePresenceAbsenceTestBase : public TlsConnectTestBase {
public:
GreasePresenceAbsenceTestBase(SSLProtocolVariant variant, uint16_t version,
bool shouldGrease)
: TlsConnectTestBase(variant, version), set_grease_(shouldGrease){};
void SetupGrease() {
EnsureTlsSetup();
ASSERT_EQ(SSL_OptionSet(client_->ssl_fd(), SSL_ENABLE_GREASE, set_grease_),
SECSuccess);
ASSERT_EQ(SSL_OptionSet(server_->ssl_fd(), SSL_ENABLE_GREASE, set_grease_),
SECSuccess);
}
bool expectGrease() {
return set_grease_ && version_ >= SSL_LIBRARY_VERSION_TLS_1_3;
}
void checkGreasePresence(const int ifEnabled, const int ifDisabled,
const DataBuffer& buffer) {
size_t expected = expectGrease() ? size_t(ifEnabled) : size_t(ifDisabled);
EXPECT_EQ(expected, countGreaseInBuffer(buffer));
}
private:
bool set_grease_;
};
class GreasePresenceAbsenceTestAllVersions
: public GreasePresenceAbsenceTestBase,
public ::testing::WithParamInterface<
std::tuple<SSLProtocolVariant, uint16_t, bool>> {
public:
GreasePresenceAbsenceTestAllVersions()
: GreasePresenceAbsenceTestBase(std::get<0>(GetParam()),
std::get<1>(GetParam()),
std::get<2>(GetParam())){};
};
// Varies stream/datagram, TLS Version and whether GREASE is enabled
INSTANTIATE_TEST_SUITE_P(GreaseTests, GreasePresenceAbsenceTestAllVersions,
::testing::Combine(TlsConnectTestBase::kTlsVariantsAll,
TlsConnectTestBase::kTlsV11Plus,
::testing::Values(true, false)));
// Varies whether GREASE is enabled for TLS13 only
class GreasePresenceAbsenceTestTlsStream13
: public GreasePresenceAbsenceTestBase,
public ::testing::WithParamInterface<bool> {
public:
GreasePresenceAbsenceTestTlsStream13()
: GreasePresenceAbsenceTestBase(
ssl_variant_stream, SSL_LIBRARY_VERSION_TLS_1_3, GetParam()){};
};
INSTANTIATE_TEST_SUITE_P(GreaseTests, GreasePresenceAbsenceTestTlsStream13,
::testing::Values(true, false));
// These tests check for the presence / absence of GREASE values in the various
// positions that we are permitted to add them. For positions which existed in
// prior versions of TLS, we check that enabling GREASE is only effective when
// negotiating TLS1.3 or higher and that disabling GREASE results in the absence
// of any GREASE values.
// For positions that specific to TLS1.3, we only check that enabling/disabling
// GREASE results in the correct presence/absence of the GREASE value.
TEST_P(GreasePresenceAbsenceTestAllVersions, ClientGreaseCiphersuites) {
SetupGrease();
auto ch1 = MakeTlsFilter<ClientHelloCiphersuiteCapture>(client_);
Connect();
EXPECT_TRUE(ch1->captured());
checkGreasePresence(1, 0, ch1->contents());
}
TEST_P(GreasePresenceAbsenceTestAllVersions, ClientGreaseNamedGroups) {
SetupGrease();
auto ch1 =
MakeTlsFilter<TlsExtensionCapture>(client_, ssl_supported_groups_xtn);
Connect();
EXPECT_TRUE(ch1->captured());
checkGreasePresence(1, 0, ch1->extension());
}
TEST_P(GreasePresenceAbsenceTestAllVersions, ClientGreaseKeyShare) {
SetupGrease();
auto ch1 =
MakeTlsFilter<TlsExtensionCapture>(client_, ssl_tls13_key_share_xtn);
Connect();
EXPECT_TRUE((version_ >= SSL_LIBRARY_VERSION_TLS_1_3) == ch1->captured());
checkGreasePresence(1, 0, ch1->extension());
}
TEST_P(GreasePresenceAbsenceTestAllVersions, ClientGreaseSigAlg) {
SetupGrease();
auto ch1 =
MakeTlsFilter<TlsExtensionCapture>(client_, ssl_signature_algorithms_xtn);
Connect();
EXPECT_TRUE((version_ >= SSL_LIBRARY_VERSION_TLS_1_2) == ch1->captured());
checkGreasePresence(1, 0, ch1->extension());
}
TEST_P(GreasePresenceAbsenceTestAllVersions, ClientGreaseSupportedVersions) {
SetupGrease();
auto ch1 = MakeTlsFilter<TlsExtensionCapture>(
client_, ssl_tls13_supported_versions_xtn);
Connect();
EXPECT_TRUE((version_ >= SSL_LIBRARY_VERSION_TLS_1_3) == ch1->captured());
// Supported Versions have a 1 byte length field.
TlsParser extParser(ch1->extension());
DataBuffer versions;
extParser.ReadVariable(&versions, 1);
checkGreasePresence(1, 0, versions);
}
TEST_P(GreasePresenceAbsenceTestTlsStream13, ClientGreasePskExchange) {
SetupGrease();
auto ch1 = MakeTlsFilter<TlsExtensionCapture>(
client_, ssl_tls13_psk_key_exchange_modes_xtn);
Connect();
EXPECT_TRUE(ch1->captured());
// PSK Exchange Modes have a 1 byte length field
TlsParser extParser(ch1->extension());
DataBuffer modes;
extParser.ReadVariable(&modes, 1);
// Scan for single byte GREASE PSK Values
size_t numGrease = 0;
for (uint8_t greaseVal : kTlsGreasePskValues) {
for (unsigned long i = 0; i < modes.len(); i++) {
if (greaseVal == modes.data()[i]) {
numGrease++;
}
}
}
EXPECT_EQ(expectGrease() ? size_t(1) : size_t(0), numGrease);
}
TEST_P(GreasePresenceAbsenceTestAllVersions, ClientGreaseAlpn) {
SetupGrease();
EnableAlpn();
auto ch1 =
MakeTlsFilter<TlsExtensionCapture>(client_, ssl_app_layer_protocol_xtn);
Connect();
EXPECT_TRUE((version_ >= SSL_LIBRARY_VERSION_TLS_1_1) == ch1->captured());
// ALPN Xtns have a redundant two-byte length
TlsParser alpnParser(ch1->extension());
alpnParser.Skip(2); // Skip the length
DataBuffer alpnEntry;
// Each ALPN entry has a single byte length prefixed.
size_t greaseAlpnEntrys = 0;
while (alpnParser.remaining()) {
alpnParser.ReadVariable(&alpnEntry, 1);
if (alpnEntry.len() == 2) {
greaseAlpnEntrys += countGreaseInBuffer(alpnEntry);
}
}
EXPECT_EQ(expectGrease() ? size_t(1) : size_t(0), greaseAlpnEntrys);
}
TEST_P(GreasePresenceAbsenceTestAllVersions, GreaseClientHelloExtension) {
SetupGrease();
auto ch1 =
MakeTlsFilter<TlsHandshakeRecorder>(client_, kTlsHandshakeClientHello);
Connect();
EXPECT_TRUE(ch1->buffer().len() > 0);
TlsParser extParser(ch1->buffer());
EXPECT_TRUE(extParser.Skip(2 + 32)); // Version + Random
EXPECT_TRUE(extParser.SkipVariable(1)); // Session ID
if (variant_ == ssl_variant_datagram) {
EXPECT_TRUE(extParser.SkipVariable(1)); // Cookie
}
EXPECT_TRUE(extParser.SkipVariable(2)); // Ciphersuites
EXPECT_TRUE(extParser.SkipVariable(1)); // Compression Methods
EXPECT_TRUE(extParser.Skip(2)); // Extension Lengths
// Scan for a 1-byte and a 0-byte extension.
uint32_t extType;
DataBuffer extBuf;
bool foundSmall = false;
bool foundLarge = false;
size_t numFound = 0;
while (extParser.remaining()) {
extParser.Read(&extType, 2);
extParser.ReadVariable(&extBuf, 2);
for (uint16_t greaseVal : kTlsGreaseValues) {
if (greaseVal == extType) {
numFound++;
foundSmall |= extBuf.len() == 0;
foundLarge |= extBuf.len() > 0;
}
}
}
EXPECT_EQ(foundSmall, expectGrease());
EXPECT_EQ(foundLarge, expectGrease());
EXPECT_EQ(numFound, expectGrease() ? size_t(2) : size_t(0));
}
TEST_P(GreasePresenceAbsenceTestTlsStream13, GreaseCertificateRequestSigAlg) {
SetupGrease();
client_->SetupClientAuth();
server_->RequestClientAuth(true);
auto cr =
MakeTlsFilter<TlsExtensionCapture>(server_, ssl_signature_algorithms_xtn);
cr->SetHandshakeTypes({kTlsHandshakeCertificateRequest});
cr->EnableDecryption();
Connect();
EXPECT_TRUE(cr->captured());
checkGreasePresence(1, 0, cr->extension());
}
TEST_P(GreasePresenceAbsenceTestTlsStream13,
GreaseCertificateRequestExtension) {
SetupGrease();
client_->SetupClientAuth();
server_->RequestClientAuth(true);
auto cr = MakeTlsFilter<TlsHandshakeRecorder>(
server_, kTlsHandshakeCertificateRequest);
cr->EnableDecryption();
Connect();
EXPECT_TRUE(cr->buffer().len() > 0);
TlsParser extParser(cr->buffer());
EXPECT_TRUE(extParser.SkipVariable(1)); // Context
EXPECT_TRUE(extParser.Skip(2)); // Extension Lengths
uint32_t extType;
DataBuffer extBuf;
bool found = false;
// Scan for a single, empty extension
while (extParser.remaining()) {
extParser.Read(&extType, 2);
extParser.ReadVariable(&extBuf, 2);
for (uint16_t greaseVal : kTlsGreaseValues) {
if (greaseVal == extType) {
EXPECT_TRUE(!found);
EXPECT_EQ(extBuf.len(), size_t(0));
found = true;
}
}
}
EXPECT_EQ(expectGrease(), found);
}
TEST_P(GreasePresenceAbsenceTestTlsStream13, GreaseNewSessionTicketExtension) {
SetupGrease();
auto nst = MakeTlsFilter<TlsHandshakeRecorder>(server_,
kTlsHandshakeNewSessionTicket);
nst->EnableDecryption();
Connect();
EXPECT_EQ(SECSuccess, SSL_SendSessionTicket(server_->ssl_fd(), nullptr, 0));
EXPECT_TRUE(nst->buffer().len() > 0);
TlsParser extParser(nst->buffer());
EXPECT_TRUE(extParser.Skip(4)); // lifetime
EXPECT_TRUE(extParser.Skip(4)); // age
EXPECT_TRUE(extParser.SkipVariable(1)); // Nonce
EXPECT_TRUE(extParser.SkipVariable(2)); // Ticket
EXPECT_TRUE(extParser.Skip(2)); // Extension Length
uint32_t extType;
DataBuffer extBuf;
bool found = false;
// Scan for a single, empty extension
while (extParser.remaining()) {
extParser.Read(&extType, 2);
extParser.ReadVariable(&extBuf, 2);
for (uint16_t greaseVal : kTlsGreaseValues) {
if (greaseVal == extType) {
EXPECT_TRUE(!found);
EXPECT_EQ(extBuf.len(), size_t(0));
found = true;
}
}
}
EXPECT_EQ(expectGrease(), found);
}
// Generic Client GREASE test
TEST_P(TlsConnectGeneric, ClientGrease) {
EnsureTlsSetup();
ASSERT_EQ(SSL_OptionSet(client_->ssl_fd(), SSL_ENABLE_GREASE, PR_TRUE),
SECSuccess);
Connect();
}
// Generic Server GREASE test
TEST_P(TlsConnectGeneric, ServerGrease) {
EnsureTlsSetup();
ASSERT_EQ(SSL_OptionSet(server_->ssl_fd(), SSL_ENABLE_GREASE, PR_TRUE),
SECSuccess);
Connect();
}
// Generic GREASE test
TEST_P(TlsConnectGeneric, Grease) {
EnsureTlsSetup();
ASSERT_EQ(SSL_OptionSet(client_->ssl_fd(), SSL_ENABLE_GREASE, PR_TRUE),
SECSuccess);
ASSERT_EQ(SSL_OptionSet(server_->ssl_fd(), SSL_ENABLE_GREASE, PR_TRUE),
SECSuccess);
Connect();
}
// Check that GREASE values can be correctly reconstructed after HRR.
TEST_P(TlsConnectGeneric, GreaseHRR) {
EnsureTlsSetup();
const std::vector<SSLNamedGroup> client_groups = {
ssl_grp_ec_curve25519, ssl_grp_ec_secp256r1, ssl_grp_ec_secp384r1};
const std::vector<SSLNamedGroup> server_groups = {
ssl_grp_ec_secp256r1, ssl_grp_ec_secp384r1, ssl_grp_ec_curve25519};
client_->ConfigNamedGroups(client_groups);
server_->ConfigNamedGroups(server_groups);
ASSERT_EQ(SSL_OptionSet(client_->ssl_fd(), SSL_ENABLE_GREASE, PR_TRUE),
SECSuccess);
ASSERT_EQ(SSL_OptionSet(server_->ssl_fd(), SSL_ENABLE_GREASE, PR_TRUE),
SECSuccess);
Connect();
}
// Check that GREASE additions interact correctly with psk-only handshake.
TEST_F(TlsConnectStreamTls13, GreasePsk) {
EnsureTlsSetup();
ASSERT_EQ(SSL_OptionSet(client_->ssl_fd(), SSL_ENABLE_GREASE, PR_TRUE),
SECSuccess);
ASSERT_EQ(SSL_OptionSet(server_->ssl_fd(), SSL_ENABLE_GREASE, PR_TRUE),
SECSuccess);
ScopedPK11SlotInfo slot(PK11_GetInternalSlot());
const uint8_t kPskDummyVal_[16] = {0x01, 0x02, 0x03, 0x04, 0x05,
0x06, 0x07, 0x08, 0x09, 0x0a,
0x0b, 0x0c, 0x0d, 0x0e, 0x0f};
SECItem psk_item;
psk_item.type = siBuffer;
psk_item.len = sizeof(kPskDummyVal_);
psk_item.data = const_cast<uint8_t*>(kPskDummyVal_);
PK11SymKey* key =
PK11_ImportSymKey(slot.get(), CKM_HKDF_KEY_GEN, PK11_OriginUnwrap,
CKA_DERIVE, &psk_item, NULL);
ScopedPK11SymKey scoped_psk_(key);
const std::string kPskDummyLabel_ = "NSS PSK GTEST label";
const SSLHashType kPskHash_ = ssl_hash_sha384;
AddPsk(scoped_psk_, kPskDummyLabel_, kPskHash_);
Connect();
SendReceive();
CheckKeys(ssl_kea_ecdh, ssl_grp_ec_curve25519, ssl_auth_psk, ssl_sig_none);
}
// Test that ECH and GREASE work together successfully
TEST_F(TlsConnectStreamTls13, GreaseAndECH) {
EnsureTlsSetup();
SetupEch(client_, server_);
ASSERT_EQ(SSL_OptionSet(client_->ssl_fd(), SSL_ENABLE_GREASE, PR_TRUE),
SECSuccess);
ASSERT_EQ(SSL_OptionSet(server_->ssl_fd(), SSL_ENABLE_GREASE, PR_TRUE),
SECSuccess);
Connect();
}
// Test that TLS12 Server handles Client GREASE correctly
TEST_F(TlsConnectTest, GreaseTLS12Server) {
EnsureTlsSetup();
ASSERT_EQ(SSL_OptionSet(client_->ssl_fd(), SSL_ENABLE_GREASE, PR_TRUE),
SECSuccess);
server_->SetVersionRange(SSL_LIBRARY_VERSION_TLS_1_2,
SSL_LIBRARY_VERSION_TLS_1_2);
client_->SetVersionRange(SSL_LIBRARY_VERSION_TLS_1_2,
SSL_LIBRARY_VERSION_TLS_1_3);
Connect();
}
// Test that TLS12 Client handles Server GREASE correctly
TEST_F(TlsConnectTest, GreaseTLS12Client) {
EnsureTlsSetup();
ASSERT_EQ(SSL_OptionSet(server_->ssl_fd(), SSL_ENABLE_GREASE, PR_TRUE),
SECSuccess);
server_->SetVersionRange(SSL_LIBRARY_VERSION_TLS_1_2,
SSL_LIBRARY_VERSION_TLS_1_3);
client_->SetVersionRange(SSL_LIBRARY_VERSION_TLS_1_2,
SSL_LIBRARY_VERSION_TLS_1_2);
Connect();
}
class GreaseOnlyTestStreamTls13 : public TlsConnectStreamTls13 {
public:
GreaseOnlyTestStreamTls13() : TlsConnectStreamTls13() {}
void ConnectWithCustomChExpectFail(const std::string& ch,
uint8_t server_alert, uint32_t server_code,
uint32_t client_code) {
std::vector<uint8_t> ch_vec = hex_string_to_bytes(ch);
DataBuffer ch_buf;
EnsureTlsSetup();
TlsAgentTestBase::MakeRecord(variant_, ssl_ct_handshake,
SSL_LIBRARY_VERSION_TLS_1_3, ch_vec.data(),
ch_vec.size(), &ch_buf, 0);
StartConnect();
client_->SendDirect(ch_buf);
ExpectAlert(server_, server_alert);
server_->Handshake();
server_->CheckErrorCode(server_code);
client_->ExpectReceiveAlert(server_alert, kTlsAlertFatal);
client_->Handshake();
client_->CheckErrorCode(client_code);
}
};
// Client: Offer only GREASE CipherSuite value
TEST_F(GreaseOnlyTestStreamTls13, GreaseOnlyClientCipherSuite) {
// 0xdada
std::string ch =
"010000b003038afacda2963358e98f464f3ff0680ed3a9d382a8c3eac5e5604f5721add9"
"855c000002dada010000850000000b0009000006736572766572ff01000100000a001400"
"12001d00170018001901000101010201030104003300260024001d0020683668992de470"
"38660ee37bafc7392b05b8a94402ea1f3463ad3cfd7a694a46002b0003020304000d0018"
"001604030503060302030804080508060401050106010201002d00020101001c0002400"
"1";
ConnectWithCustomChExpectFail(ch, kTlsAlertHandshakeFailure,
SSL_ERROR_NO_CYPHER_OVERLAP,
SSL_ERROR_NO_CYPHER_OVERLAP);
}
// Client: Offer only GREASE SupportedGroups value
TEST_F(GreaseOnlyTestStreamTls13, GreaseOnlyClientSupportedGroup) {
// 0x3a3a
std::string ch =
"010000a40303484a4e14f547404da6115d7f73bbb0f1c9d65e66ac073dee6c4a62f72de9"
"a36f000006130113031302010000750000000b0009000006736572766572ff0100010000"
"0a000400023a3a003300260024001d0020e75cb8e217c95176954e8b5fb95843882462ce"
"2cd3fcfe67cf31463a05ea3d57002b0003020304000d0018001604030503060302030804"
"080508060401050106010201002d00020101001c00024001";
ConnectWithCustomChExpectFail(ch, kTlsAlertHandshakeFailure,
SSL_ERROR_NO_CYPHER_OVERLAP,
SSL_ERROR_NO_CYPHER_OVERLAP);
}
// Client: Offer only GREASE SigAlgs value
TEST_F(GreaseOnlyTestStreamTls13, GreaseOnlyClientSignatureAlgorithm) {
// 0x8a8a
std::string ch =
"010000a00303dfd8e2438a8d1b9f48d921dfc08959108807bd1105238bb3da2a2a8e3db0"
"6990000006130113031302010000710000000b0009000006736572766572ff0100010000"
"0a00140012001d00170018001901000101010201030104003300260024001d002074bb2c"
"94996d3ffc7ae5792f0c3c58676358a85ea304cd029fa3d6551013b333002b0003020304"
"000d000400028a8a002d00020101001c00024001";
ConnectWithCustomChExpectFail(ch, kTlsAlertHandshakeFailure,
SSL_ERROR_UNSUPPORTED_SIGNATURE_ALGORITHM,
SSL_ERROR_NO_CYPHER_OVERLAP);
}
// Client: Offer only GREASE SupportedVersions value
TEST_F(GreaseOnlyTestStreamTls13, GreaseOnlyClientSupportedVersion) {
// 0xeaea
std::string ch =
"010000b203037e3618abae0dd0b3f06a504c47354551d1d5be36e9c3e1eac9c139c246b1"
"66da000006130113031302010000830000000b0009000006736572766572ff0100010000"
"0a00140012001d00170018001901000101010201030104003300260024001d00206b1816"
"577ff2e69d4d2661419150eaefa0328ffd396425cf1733ec06536b4e55002b000100000d"
"0018001604030503060302030804080508060401050106010201002d00020101001c0002"
"4001";
ConnectWithCustomChExpectFail(ch, kTlsAlertIllegalParameter,
SSL_ERROR_RX_MALFORMED_CLIENT_HELLO,
SSL_ERROR_ILLEGAL_PARAMETER_ALERT);
}
class GreaseTestStreamTls12
: public TlsConnectStreamTls12,
public ::testing::WithParamInterface<uint16_t /* GREASE */> {
public:
GreaseTestStreamTls12() : TlsConnectStreamTls12(), grease_(GetParam()){};
void ConnectExpectSigAlgFail() {
client_->ExpectSendAlert(kTlsAlertIllegalParameter);
server_->ExpectReceiveAlert(kTlsAlertIllegalParameter);
ConnectExpectFail();
client_->CheckErrorCode(SSL_ERROR_UNSUPPORTED_SIGNATURE_ALGORITHM);
server_->CheckErrorCode(SSL_ERROR_ILLEGAL_PARAMETER_ALERT);
}
protected:
uint16_t grease_;
};
class TlsCertificateRequestSigAlgSetterFilter : public TlsHandshakeFilter {
public:
TlsCertificateRequestSigAlgSetterFilter(const std::shared_ptr<TlsAgent>& a,
uint16_t sigAlg)
: TlsHandshakeFilter(a, {kTlsHandshakeCertificateRequest}),
sigAlg_(sigAlg) {}
virtual PacketFilter::Action FilterHandshake(
const TlsHandshakeFilter::HandshakeHeader& header,
const DataBuffer& input, DataBuffer* output) {
TlsParser parser(input);
DataBuffer cert_types;
if (!parser.ReadVariable(&cert_types, 1)) {
ADD_FAILURE();
return KEEP;
}
if (!parser.SkipVariable(2)) {
ADD_FAILURE();
return KEEP;
}
DataBuffer cas;
if (!parser.ReadVariable(&cas, 2)) {
ADD_FAILURE();
return KEEP;
}
size_t idx = 0;
// Write certificate types.
idx = output->Write(idx, cert_types.len(), 1);
idx = output->Write(idx, cert_types);
// Write signature algorithm.
idx = output->Write(idx, sizeof(sigAlg_), 2);
idx = output->Write(idx, sigAlg_, 2);
// Write certificate authorities.
idx = output->Write(idx, cas.len(), 2);
idx = output->Write(idx, cas);
return CHANGE;
}
private:
uint16_t sigAlg_;
};
// Server: Offer only GREASE CertificateRequest SigAlg value
TEST_P(GreaseTestStreamTls12, GreaseOnlyServerTLS12CertificateRequestSigAlg) {
EnsureTlsSetup();
client_->SetupClientAuth();
server_->RequestClientAuth(true);
MakeTlsFilter<TlsCertificateRequestSigAlgSetterFilter>(server_, grease_);
client_->ExpectSendAlert(kTlsAlertHandshakeFailure);
server_->ExpectReceiveAlert(kTlsAlertHandshakeFailure);
ConnectExpectFail();
server_->CheckErrorCode(SSL_ERROR_HANDSHAKE_FAILURE_ALERT);
client_->CheckErrorCode(SSL_ERROR_UNSUPPORTED_SIGNATURE_ALGORITHM);
}
// Illegally GREASE ServerKeyExchange ECC SignatureAlgorithm
TEST_P(GreaseTestStreamTls12, GreasedTLS12ServerKexEccSigAlg) {
MakeTlsFilter<ECCServerKEXSigAlgReplacer>(server_, grease_);
EnableSomeEcdhCiphers();
client_->ExpectSendAlert(kTlsAlertIllegalParameter);
server_->ExpectReceiveAlert(kTlsAlertIllegalParameter);
ConnectExpectFail();
client_->CheckErrorCode(SSL_ERROR_UNSUPPORTED_SIGNATURE_ALGORITHM);
server_->CheckErrorCode(SSL_ERROR_ILLEGAL_PARAMETER_ALERT);
}
// Illegally GREASE ServerKeyExchange DHE SignatureAlgorithm
TEST_P(GreaseTestStreamTls12, GreasedTLS12ServerKexDheSigAlg) {
MakeTlsFilter<DHEServerKEXSigAlgReplacer>(server_, grease_);
EnableOnlyDheCiphers();
client_->ExpectSendAlert(kTlsAlertIllegalParameter);
server_->ExpectReceiveAlert(kTlsAlertIllegalParameter);
ConnectExpectFail();
client_->CheckErrorCode(SSL_ERROR_UNSUPPORTED_SIGNATURE_ALGORITHM);
server_->CheckErrorCode(SSL_ERROR_ILLEGAL_PARAMETER_ALERT);
}
// Illegally GREASE ServerKeyExchange ECDHE NamedCurve
TEST_P(GreaseTestStreamTls12, GreasedTLS12ServerKexEcdheNamedCurve) {
MakeTlsFilter<ECCServerKEXNamedCurveReplacer>(server_, grease_);
EnableSomeEcdhCiphers();
client_->ExpectSendAlert(kTlsAlertHandshakeFailure);
server_->ExpectReceiveAlert(kTlsAlertHandshakeFailure);
ConnectExpectFail();
server_->CheckErrorCode(SSL_ERROR_HANDSHAKE_FAILURE_ALERT);
client_->CheckErrorCode(SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE);
}
// Illegally GREASE TLS12 Client CertificateVerify SignatureAlgorithm
TEST_P(GreaseTestStreamTls12, GreasedTLS12ClientCertificateVerifySigAlg) {
client_->SetupClientAuth();
server_->RequestClientAuth(true);
MakeTlsFilter<TlsReplaceSignatureSchemeFilter>(client_, grease_);
server_->ExpectSendAlert(kTlsAlertIllegalParameter);
client_->ExpectReceiveAlert(kTlsAlertIllegalParameter);
ConnectExpectFail();
client_->CheckErrorCode(SSL_ERROR_ILLEGAL_PARAMETER_ALERT);
server_->CheckErrorCode(SSL_ERROR_UNSUPPORTED_SIGNATURE_ALGORITHM);
}
class GreaseTestStreamTls13
: public TlsConnectStreamTls13,
public ::testing::WithParamInterface<uint16_t /* GREASE */> {
public:
GreaseTestStreamTls13() : grease_(GetParam()){};
protected:
uint16_t grease_;
};
// Illegally GREASE TLS13 Client CertificateVerify SignatureAlgorithm
TEST_P(GreaseTestStreamTls13, GreasedTLS13ClientCertificateVerifySigAlg) {
client_->SetupClientAuth();
server_->RequestClientAuth(true);
auto filter =
MakeTlsFilter<TlsReplaceSignatureSchemeFilter>(client_, grease_);
filter->EnableDecryption();
server_->ExpectSendAlert(kTlsAlertIllegalParameter);
client_->ExpectReceiveAlert(kTlsAlertIllegalParameter);
// Manually trigger handshake to avoid race conditions
StartConnect();
client_->Handshake();
server_->Handshake();
client_->Handshake();
server_->Handshake();
client_->Handshake();
server_->CheckErrorCode(SSL_ERROR_RX_MALFORMED_CERT_VERIFY);
client_->CheckErrorCode(SSL_ERROR_ILLEGAL_PARAMETER_ALERT);
}
// Illegally GREASE TLS13 Server CertificateVerify SignatureAlgorithm
TEST_P(GreaseTestStreamTls13, GreasedTLS13ServerCertificateVerifySigAlg) {
EnsureTlsSetup();
auto filter =
MakeTlsFilter<TlsReplaceSignatureSchemeFilter>(server_, grease_);
filter->EnableDecryption();
client_->ExpectSendAlert(kTlsAlertIllegalParameter);
server_->ExpectReceiveAlert(kTlsAlertIllegalParameter);
ConnectExpectFail();
client_->CheckErrorCode(SSL_ERROR_RX_MALFORMED_CERT_VERIFY);
}
// Illegally GREASE HelloRetryRequest version value
TEST_P(GreaseTestStreamTls13, GreasedHelloRetryRequestVersion) {
EnsureTlsSetup();
// Trigger HelloRetryRequest
MakeTlsFilter<TlsExtensionDropper>(client_, ssl_tls13_key_share_xtn);
auto filter = MakeTlsFilter<TlsMessageVersionSetter>(
server_, kTlsHandshakeHelloRetryRequest, grease_);
filter->EnableDecryption();
client_->ExpectSendAlert(kTlsAlertIllegalParameter);
server_->ExpectReceiveAlert(kTlsAlertIllegalParameter);
ConnectExpectFail();
client_->CheckErrorCode(SSL_ERROR_RX_MALFORMED_SERVER_HELLO);
server_->CheckErrorCode(SSL_ERROR_ILLEGAL_PARAMETER_ALERT);
}
class GreaseTestStreamTls123
: public TlsConnectTestBase,
public ::testing::WithParamInterface<
std::tuple<uint16_t /* version */, uint16_t /* GREASE */>> {
public:
GreaseTestStreamTls123()
: TlsConnectTestBase(ssl_variant_stream, std::get<0>(GetParam())),
grease_(std::get<1>(GetParam())){};
void ConnectExpectIllegalGreaseFail() {
client_->ExpectSendAlert(kTlsAlertIllegalParameter);
if (version_ >= SSL_LIBRARY_VERSION_TLS_1_3) {
// Server expects handshake but receives encrypted alert.
server_->ExpectSendAlert(kTlsAlertUnexpectedMessage);
} else {
server_->ExpectReceiveAlert(kTlsAlertIllegalParameter);
}
ConnectExpectFail();
}
protected:
uint16_t grease_;
};
// Illegally GREASE TLS12 and TLS13 ServerHello version value
TEST_P(GreaseTestStreamTls123, GreasedServerHelloVersion) {
EnsureTlsSetup();
auto filter = MakeTlsFilter<TlsMessageVersionSetter>(
server_, kTlsHandshakeServerHello, grease_);
if (version_ >= SSL_LIBRARY_VERSION_TLS_1_3) {
filter->EnableDecryption();
}
ConnectExpectIllegalGreaseFail();
client_->CheckErrorCode(SSL_ERROR_RX_MALFORMED_SERVER_HELLO);
}
// Illegally GREASE TLS12 and TLS13 selected CipherSuite value
TEST_P(GreaseTestStreamTls123, GreasedServerHelloCipherSuite) {
EnsureTlsSetup();
auto filter = MakeTlsFilter<SelectedCipherSuiteReplacer>(server_, grease_);
if (version_ >= SSL_LIBRARY_VERSION_TLS_1_3) {
filter->EnableDecryption();
}
ConnectExpectIllegalGreaseFail();
client_->CheckErrorCode(SSL_ERROR_NO_CYPHER_OVERLAP);
}
class GreaseExtensionTestStreamTls13
: public TlsConnectStreamTls13,
public ::testing::WithParamInterface<
std::tuple<uint8_t /* message */, uint16_t /* GREASE */>> {
public:
GreaseExtensionTestStreamTls13()
: TlsConnectStreamTls13(),
message_(std::get<0>(GetParam())),
grease_(std::get<1>(GetParam())){};
protected:
uint8_t message_;
uint16_t grease_;
};
// Illegally GREASE TLS13 Server EncryptedExtensions and Certificate Extensions
// NSS currently allows offering unkown extensions in HelloRetryRequests!
TEST_P(GreaseExtensionTestStreamTls13, GreasedServerExtensions) {
EnsureTlsSetup();
DataBuffer empty = DataBuffer(1);
auto filter =
MakeTlsFilter<TlsExtensionAppender>(server_, message_, grease_, empty);
filter->EnableDecryption();
server_->ExpectReceiveAlert(kTlsAlertUnsupportedExtension);
client_->ExpectSendAlert(kTlsAlertUnsupportedExtension);
ConnectExpectFail();
client_->CheckErrorCode(SSL_ERROR_RX_UNEXPECTED_EXTENSION);
server_->CheckErrorCode(SSL_ERROR_UNSUPPORTED_EXTENSION_ALERT);
}
// Illegally GREASE TLS12 and TLS13 ServerHello Extensions
TEST_P(GreaseTestStreamTls123, GreasedServerHelloExtensions) {
EnsureTlsSetup();
DataBuffer empty = DataBuffer(1);
auto filter = MakeTlsFilter<TlsExtensionAppender>(
server_, kTlsHandshakeServerHello, grease_, empty);
if (version_ >= SSL_LIBRARY_VERSION_TLS_1_3) {
filter->EnableDecryption();
server_->ExpectSendAlert(kTlsAlertUnexpectedMessage);
} else {
server_->ExpectReceiveAlert(kTlsAlertUnsupportedExtension);
}
client_->ExpectSendAlert(kTlsAlertUnsupportedExtension);
ConnectExpectFail();
client_->CheckErrorCode(SSL_ERROR_RX_UNEXPECTED_EXTENSION);
}
// Illegally GREASE TLS13 Client Certificate Extensions
// Server ignores injected client extensions and fails on CertificateVerify
TEST_P(GreaseTestStreamTls13, GreasedClientCertificateExtensions) {
client_->SetupClientAuth();
server_->RequestClientAuth(true);
DataBuffer empty = DataBuffer(1);
auto filter = MakeTlsFilter<TlsExtensionAppender>(
client_, kTlsHandshakeCertificate, grease_, empty);
filter->EnableDecryption();
server_->ExpectSendAlert(kTlsAlertDecryptError);
client_->ExpectReceiveAlert(kTlsAlertDecryptError);
// Manually trigger handshake to avoid race conditions
StartConnect();
client_->Handshake();
server_->Handshake();
client_->Handshake();
server_->Handshake();
client_->Handshake();
server_->CheckErrorCode(SEC_ERROR_BAD_SIGNATURE);
client_->CheckErrorCode(SSL_ERROR_DECRYPT_ERROR_ALERT);
}
TEST_F(TlsConnectStreamTls13, GreaseClientHelloExtensionPermutation) {
EnsureTlsSetup();
PR_ASSERT(SSL_OptionSet(client_->ssl_fd(),
SSL_ENABLE_CH_EXTENSION_PERMUTATION,
PR_TRUE) == SECSuccess);
PR_ASSERT(SSL_OptionSet(client_->ssl_fd(), SSL_ENABLE_GREASE, PR_TRUE) ==
SECSuccess);
Connect();
}
INSTANTIATE_TEST_SUITE_P(GreaseTestTls12, GreaseTestStreamTls12,
::testing::ValuesIn(kTlsGreaseValues));
INSTANTIATE_TEST_SUITE_P(GreaseTestTls13, GreaseTestStreamTls13,
::testing::ValuesIn(kTlsGreaseValues));
INSTANTIATE_TEST_SUITE_P(
GreaseTestTls123, GreaseTestStreamTls123,
::testing::Combine(TlsConnectTestBase::kTlsV12Plus,
::testing::ValuesIn(kTlsGreaseValues)));
INSTANTIATE_TEST_SUITE_P(
GreaseExtensionTest, GreaseExtensionTestStreamTls13,
testing::Combine(testing::ValuesIn(kTlsGreaseExtensionMessages),
testing::ValuesIn(kTlsGreaseValues)));
} // namespace nss_test

59
security/nss/gtests/ssl_gtest/tls_subcerts_unittest.cc
Просмотреть файл

@ -9,8 +9,6 @@
#include "prtime.h"
#include "secerr.h"
#include "ssl.h"
#include "nss.h"
#include "blapit.h"
#include "gtest_utils.h"
#include "tls_agent.h"
@ -350,22 +348,38 @@ static void GenerateWeakRsaKey(ScopedSECKEYPrivateKey& priv,
ScopedPK11SlotInfo slot(PK11_GetInternalSlot());
ASSERT_TRUE(slot);
PK11RSAGenParams rsaparams;
// The absolute minimum size of RSA key that we can use with SHA-256 is
// 256bit (hash) + 256bit (salt) + 8 (start byte) + 8 (end byte) = 528.
#define RSA_WEAK_KEY 528
#if RSA_MIN_MODULUS_BITS < RSA_WEAK_KEY
// The absolute minimum size of RSA key that we can use with SHA-256 is
// 256bit (hash) + 256bit (salt) + 8 (start byte) + 8 (end byte) = 528.
rsaparams.keySizeInBits = 528;
#else
rsaparams.keySizeInBits = RSA_MIN_MODULUS_BITS + 1;
#endif
rsaparams.pe = 65537;
SECKEYPublicKey* p_pub = nullptr;
priv.reset(PK11_GenerateKeyPair(slot.get(), CKM_RSA_PKCS_KEY_PAIR_GEN,
&rsaparams, &p_pub, false, false, nullptr));
pub.reset(p_pub);
PR_ASSERT(priv);
return;
// Bug 1012786: PK11_GenerateKeyPair can fail if there is insufficient
// entropy to generate a random key. We can fake some.
for (int retry = 0; retry < 10; ++retry) {
SECKEYPublicKey* p_pub = nullptr;
priv.reset(PK11_GenerateKeyPair(slot.get(), CKM_RSA_PKCS_KEY_PAIR_GEN,
&rsaparams, &p_pub, false, false, nullptr));
pub.reset(p_pub);
if (priv) {
return;
}
ASSERT_FALSE(pub);
if (PORT_GetError() != SEC_ERROR_PKCS11_FUNCTION_FAILED) {
break;
}
// https://xkcd.com/221/
static const uint8_t FRESH_ENTROPY[16] = {4};
ASSERT_EQ(
SECSuccess,
PK11_RandomUpdate(
const_cast<void*>(reinterpret_cast<const void*>(FRESH_ENTROPY)),
sizeof(FRESH_ENTROPY)));
break;
}
ADD_FAILURE() << "Unable to generate an RSA key: "
<< PORT_ErrorToName(PORT_GetError());
}
// Fail to connect with a weak RSA key.
@ -376,18 +390,6 @@ TEST_P(TlsConnectTls13, DCWeakKey) {
ssl_sig_rsa_pss_pss_sha256};
client_->SetSignatureSchemes(kSchemes, PR_ARRAY_SIZE(kSchemes));
server_->SetSignatureSchemes(kSchemes, PR_ARRAY_SIZE(kSchemes));
#if RSA_MIN_MODULUS_BITS > RSA_WEAK_KEY
// save the MIN POLICY length.
PRInt32 minRsa;
ASSERT_EQ(SECSuccess, NSS_OptionGet(NSS_RSA_MIN_KEY_SIZE, &minRsa));
#if RSA_MIN_MODULUS_BITS >= 2048
ASSERT_EQ(SECSuccess,
NSS_OptionSet(NSS_RSA_MIN_KEY_SIZE, RSA_MIN_MODULUS_BITS + 1024));
#else
ASSERT_EQ(SECSuccess, NSS_OptionSet(NSS_RSA_MIN_KEY_SIZE, 2048));
#endif
#endif
ScopedSECKEYPrivateKey dc_priv;
ScopedSECKEYPublicKey dc_pub;
@ -410,9 +412,6 @@ TEST_P(TlsConnectTls13, DCWeakKey) {
auto cfilter = MakeTlsFilter<TlsExtensionCapture>(
client_, ssl_delegated_credentials_xtn);
ConnectExpectAlert(client_, kTlsAlertInsufficientSecurity);
#if RSA_MIN_MODULUS_BITS > RSA_WEAK_KEY
ASSERT_EQ(SECSuccess, NSS_OptionSet(NSS_RSA_MIN_KEY_SIZE, minRsa));
#endif
}
class ReplaceDCSigScheme : public TlsHandshakeFilter {

5
security/nss/lib/cryptohi/keyhi.h
Просмотреть файл

@ -52,11 +52,6 @@ extern unsigned SECKEY_PublicKeyStrength(const SECKEYPublicKey *pubk);
*/
extern unsigned SECKEY_PublicKeyStrengthInBits(const SECKEYPublicKey *pubk);
/*
** Return the strength of the private key in bits
*/
extern unsigned SECKEY_PrivateKeyStrengthInBits(const SECKEYPrivateKey *privk);
/*
** Return the length of the signature in bytes
*/

4
security/nss/lib/cryptohi/keyi.h
Просмотреть файл

@ -4,7 +4,6 @@
#ifndef _KEYI_H_
#define _KEYI_H_
#include "secerr.h"
SEC_BEGIN_PROTOS
/* NSS private functions */
@ -37,9 +36,6 @@ SECStatus sec_DecodeRSAPSSParamsToMechanism(PLArenaPool *arena,
const SECItem *params,
CK_RSA_PKCS_PSS_PARAMS *mech);
/* make sure the key length matches the policy for keyType */
SECStatus seckey_EnforceKeySize(KeyType keyType, unsigned keyLength,
SECErrorCodes error);
SEC_END_PROTOS
#endif /* _KEYHI_H_ */

99
security/nss/lib/cryptohi/seckey.c
Просмотреть файл

@ -14,7 +14,6 @@
#include "secdig.h"
#include "prtime.h"
#include "keyi.h"
#include "nss.h"
SEC_ASN1_MKSUB(SECOID_AlgorithmIDTemplate)
SEC_ASN1_MKSUB(SEC_IntegerTemplate)
@ -1041,59 +1040,6 @@ SECKEY_PublicKeyStrengthInBits(const SECKEYPublicKey *pubk)
return bitSize;
}
unsigned
SECKEY_PrivateKeyStrengthInBits(const SECKEYPrivateKey *privk)
{
unsigned bitSize = 0;
SECItem params = { siBuffer, NULL, 0 };
SECStatus rv;
if (!privk) {
PORT_SetError(SEC_ERROR_INVALID_KEY);
return 0;
}
/* interpret modulus length as key strength */
switch (privk->keyType) {
case rsaKey:
case rsaPssKey:
case rsaOaepKey:
/* some tokens don't export CKA_MODULUS on the private key,
* PK11_SignatureLen works around this if necessary */
bitSize = PK11_SignatureLen((SECKEYPrivateKey *)privk) * PR_BITS_PER_BYTE;
if (bitSize == -1) {
bitSize = 0;
}
return bitSize;
case dsaKey:
case fortezzaKey:
case dhKey:
case keaKey:
rv = PK11_ReadAttribute(privk->pkcs11Slot, privk->pkcs11ID,
CKA_PRIME, NULL, &params);
if ((rv != SECSuccess) || (params.data == NULL)) {
PORT_SetError(SEC_ERROR_INVALID_KEY);
return 0;
}
bitSize = SECKEY_BigIntegerBitLength(&params);
PORT_Free(params.data);
return bitSize;
case ecKey:
rv = PK11_ReadAttribute(privk->pkcs11Slot, privk->pkcs11ID,
CKA_EC_PARAMS, NULL, &params);
if ((rv != SECSuccess) || (params.data == NULL)) {
return 0;
}
bitSize = SECKEY_ECParamsToKeySize(&params);
PORT_Free(params.data);
return bitSize;
default:
break;
}
PORT_SetError(SEC_ERROR_INVALID_KEY);
return 0;
}
/* returns signature length in bytes (not bits) */
unsigned
SECKEY_SignatureLen(const SECKEYPublicKey *pubk)
@ -1267,51 +1213,6 @@ SECKEY_CopyPublicKey(const SECKEYPublicKey *pubk)
return NULL;
}
/*
* Check that a given key meets the policy limits for the given key
* size.
*/
SECStatus
seckey_EnforceKeySize(KeyType keyType, unsigned keyLength, SECErrorCodes error)
{
PRInt32 opt = -1;
PRInt32 optVal;
SECStatus rv;
switch (keyType) {
case rsaKey:
case rsaPssKey:
case rsaOaepKey:
opt = NSS_RSA_MIN_KEY_SIZE;
break;
case dsaKey:
case fortezzaKey:
opt = NSS_DSA_MIN_KEY_SIZE;
break;
case dhKey:
case keaKey:
opt = NSS_DH_MIN_KEY_SIZE;
break;
case ecKey:
opt = NSS_ECC_MIN_KEY_SIZE;
break;
case nullKey:
default:
PORT_SetError(SEC_ERROR_INVALID_KEY);
return SECFailure;
}
PORT_Assert(opt != -1);
rv = NSS_OptionGet(opt, &optVal);
if (rv != SECSuccess) {
return rv;
}
if (optVal > keyLength) {
PORT_SetError(error);
return SECFailure;
}
return SECSuccess;
}
/*
* Use the private key to find a public key handle. The handle will be on
* the same slot as the private key.

23
security/nss/lib/cryptohi/secsign.c
Просмотреть файл

@ -15,7 +15,6 @@
#include "pk11func.h"
#include "secerr.h"
#include "keyi.h"
#include "nss.h"
struct SGNContextStr {
SECOidTag signalg;
@ -33,7 +32,6 @@ sgn_NewContext(SECOidTag alg, SECItem *params, SECKEYPrivateKey *key)
SECOidTag hashalg, signalg;
KeyType keyType;
PRUint32 policyFlags;
PRInt32 optFlags;
SECStatus rv;
/* OK, map a PKCS #7 hash and encrypt algorithm into
@ -58,16 +56,6 @@ sgn_NewContext(SECOidTag alg, SECItem *params, SECKEYPrivateKey *key)
PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
return NULL;
}
if (NSS_OptionGet(NSS_KEY_SIZE_POLICY_FLAGS, &optFlags) != SECFailure) {
if (optFlags & NSS_KEY_SIZE_POLICY_SIGN_FLAG) {
rv = seckey_EnforceKeySize(key->keyType,
SECKEY_PrivateKeyStrengthInBits(key),
SEC_ERROR_SIGNATURE_ALGORITHM_DISABLED);
if (rv != SECSuccess) {
return NULL;
}
}
}
/* check the policy on the hash algorithm */
if ((NSS_GetAlgorithmPolicy(hashalg, &policyFlags) == SECFailure) ||
!(policyFlags & NSS_USE_ALG_IN_ANY_SIGNATURE)) {
@ -477,20 +465,9 @@ SGN_Digest(SECKEYPrivateKey *privKey,
SGNDigestInfo *di = 0;
SECOidTag enctag;
PRUint32 policyFlags;
PRInt32 optFlags;
result->data = 0;
if (NSS_OptionGet(NSS_KEY_SIZE_POLICY_FLAGS, &optFlags) != SECFailure) {
if (optFlags & NSS_KEY_SIZE_POLICY_SIGN_FLAG) {
rv = seckey_EnforceKeySize(privKey->keyType,
SECKEY_PrivateKeyStrengthInBits(privKey),
SEC_ERROR_SIGNATURE_ALGORITHM_DISABLED);
if (rv != SECSuccess) {
return SECFailure;
}
}
}
/* check the policy on the hash algorithm */
if ((NSS_GetAlgorithmPolicy(algtag, &policyFlags) == SECFailure) ||
!(policyFlags & NSS_USE_ALG_IN_ANY_SIGNATURE)) {

13
security/nss/lib/cryptohi/secvfy.c
Просмотреть файл

@ -16,7 +16,6 @@
#include "secdig.h"
#include "secerr.h"
#include "keyi.h"
#include "nss.h"
/*
** Recover the DigestInfo from an RSA PKCS#1 signature.
@ -467,7 +466,6 @@ vfy_CreateContext(const SECKEYPublicKey *key, const SECItem *sig,
unsigned int sigLen;
KeyType type;
PRUint32 policyFlags;
PRInt32 optFlags;
/* make sure the encryption algorithm matches the key type */
/* RSA-PSS algorithm can be used with both rsaKey and rsaPssKey */
@ -477,16 +475,7 @@ vfy_CreateContext(const SECKEYPublicKey *key, const SECItem *sig,
PORT_SetError(SEC_ERROR_PKCS7_KEYALG_MISMATCH);
return NULL;
}
if (NSS_OptionGet(NSS_KEY_SIZE_POLICY_FLAGS, &optFlags) != SECFailure) {
if (optFlags & NSS_KEY_SIZE_POLICY_VERIFY_FLAG) {
rv = seckey_EnforceKeySize(key->keyType,
SECKEY_PublicKeyStrengthInBits(key),
SEC_ERROR_SIGNATURE_ALGORITHM_DISABLED);
if (rv != SECSuccess) {
return NULL;
}
}
}
/* check the policy on the encryption algorithm */
if ((NSS_GetAlgorithmPolicy(encAlg, &policyFlags) == SECFailure) ||
!(policyFlags & NSS_USE_ALG_IN_ANY_SIGNATURE)) {

2
security/nss/lib/freebl/blapit.h
Просмотреть файл

@ -135,7 +135,7 @@ typedef int __BLAPI_DEPRECATED __attribute__((deprecated));
* These values come from the initial key size limits from the PKCS #11
* module. They may be arbitrarily adjusted to any value freebl supports.
*/
#define RSA_MIN_MODULUS_BITS 1023 /* 128 */
#define RSA_MIN_MODULUS_BITS 128
#define RSA_MAX_MODULUS_BITS 16384
#define RSA_MAX_EXPONENT_BITS 64
#define DH_MIN_P_BITS 128

15
security/nss/lib/freebl/rsa.c
Просмотреть файл

@ -1313,16 +1313,10 @@ get_blinding_params(RSAPrivateKey *key, mp_int *n, unsigned int modLen,
* Now, search its list of ready blinding params for a usable one.
*/
while (0 != (bp = rsabp->bp)) {
#ifdef UNSAFE_FUZZER_MODE
/* Found a match and there are still remaining uses left */
/* Return the parameters */
CHECK_MPI_OK(mp_copy(&bp->f, f));
CHECK_MPI_OK(mp_copy(&bp->g, g));
PZ_Unlock(blindingParamsList.lock);
return SECSuccess;
#else
if (--(bp->counter) > 0) {
#ifndef UNSAFE_FUZZER_MODE
if (--(bp->counter) > 0)
#endif
{
/* Found a match and there are still remaining uses left */
/* Return the parameters */
CHECK_MPI_OK(mp_copy(&bp->f, f));
@ -1352,7 +1346,6 @@ get_blinding_params(RSAPrivateKey *key, mp_int *n, unsigned int modLen,
}
PZ_Unlock(blindingParamsList.lock);
return SECSuccess;
#endif
}
/* We did not find a usable set of blinding params. Can we make one? */
/* Find a free bp struct. */

91
security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_ldapcertstore.c
Просмотреть файл

@ -309,7 +309,7 @@ pkix_pl_LdapCertStore_BuildCrlList(
}
/* pkix crl own the der. */
PKIX_CHECK(
pkix_pl_CRL_CreateWithSignedCRL(nssCrl,
pkix_pl_CRL_CreateWithSignedCRL(nssCrl,
derCrlCopy, NULL, &crl, plContext),
PKIX_CRLCREATEWITHSIGNEDCRLFAILED);
/* Left control over memory pointed by derCrlCopy and
@ -427,7 +427,7 @@ pkix_pl_LdapCertStore_DestroyAVAList(
static PKIX_Error *
pkix_pl_LdapCertStore_MakeNameAVAList(
PLArenaPool *arena,
PKIX_PL_X500Name *subjectName,
PKIX_PL_X500Name *subjectName,
LDAPNameComponent ***pList,
void *plContext)
{
@ -874,52 +874,55 @@ pkix_pl_LdapCertStore_GetCRL(
PKIX_LISTGETLENGTHFAILED);
if (numNames > 0) {
/*
* LDAP Servers don't seem to be able to handle
* requests with more than more than one name.
* So only use first name.
*/
PKIX_CHECK(PKIX_List_GetItem
(issuerNames,
thisName,
(PKIX_PL_Object **)&issuer,
plContext),
PKIX_LISTGETITEMFAILED);
PKIX_CHECK
(pkix_pl_LdapCertStore_MakeNameAVAList
(requestArena,
issuer,
&(requestParams.nc),
for (thisName = 0; thisName < numNames; thisName++) {
PKIX_CHECK(PKIX_List_GetItem
(issuerNames,
thisName,
(PKIX_PL_Object **)&issuer,
plContext),
PKIX_LDAPCERTSTOREMAKENAMEAVALISTFAILED);
PKIX_LISTGETITEMFAILED);
PKIX_DECREF(issuer);
PKIX_CHECK
(pkix_pl_LdapCertStore_MakeNameAVAList
(requestArena,
issuer,
&(requestParams.nc),
plContext),
PKIX_LDAPCERTSTOREMAKENAMEAVALISTFAILED);
PKIX_DECREF(issuer);
if (*requestParams.nc == NULL) {
/*
* The issuer may not include any
* components that we know how to
* encode. We do not return an error,
* because the caller did not
* necessarily do anything wrong, but
* we return an empty List.
*/
PKIX_PL_NSSCALL
(CERTSTORE, PORT_FreeArena,
(requestArena, PR_FALSE));
PKIX_CHECK(PKIX_List_Create
(&filteredCRLs, plContext),
PKIX_LISTCREATEFAILED);
PKIX_CHECK(PKIX_List_SetImmutable
(filteredCRLs, plContext),
PKIX_LISTSETIMMUTABLEFAILED);
*pNBIOContext = NULL;
*pCrlList = filteredCRLs;
goto cleanup;
}
if (*requestParams.nc == NULL) {
/*
* The issuer may not include any
* components that we know how to
* encode. We do not return an error,
* because the caller did not
* necessarily do anything wrong, but
* we return an empty List.
*/
PKIX_PL_NSSCALL
(CERTSTORE, PORT_FreeArena,
(requestArena, PR_FALSE));
PKIX_CHECK(PKIX_List_Create
(&filteredCRLs, plContext),
PKIX_LISTCREATEFAILED);
PKIX_CHECK(PKIX_List_SetImmutable
(filteredCRLs, plContext),
PKIX_LISTSETIMMUTABLEFAILED);
*pNBIOContext = NULL;
*pCrlList = filteredCRLs;
goto cleanup;
* LDAP Servers don't seem to be able to handle
* requests with more than more than one name.
*/
break;
}
} else {
PKIX_ERROR(PKIX_IMPOSSIBLECRITERIONFORCRLQUERY);

30
security/nss/lib/nss/nss.h
Просмотреть файл

@ -22,12 +22,12 @@
* The format of the version string should be
* "<major version>.<minor version>[.<patch level>[.<build number>]][ <ECC>][ <Beta>]"
*/
#define NSS_VERSION "3.89" _NSS_CUSTOMIZED " Beta"
#define NSS_VERSION "3.88.1" _NSS_CUSTOMIZED
#define NSS_VMAJOR 3
#define NSS_VMINOR 89
#define NSS_VPATCH 0
#define NSS_VMINOR 88
#define NSS_VPATCH 1
#define NSS_VBUILD 0
#define NSS_BETA PR_TRUE
#define NSS_BETA PR_FALSE
#ifndef RC_INVOKED
@ -302,28 +302,6 @@ SECStatus NSS_UnregisterShutdown(NSS_ShutdownFunc sFunc, void *appData);
#define NSS_DEFAULT_LOCKS 0x00d /* lock default values */
#define NSS_DEFAULT_SSL_LOCK 1 /* lock the ssl default values */
/* NSS_KEY_SIZE_POLICY controls what kinds of operations are subject to
* the NSS_XXX_MIN_KEY_SIZE values.
* NSS_KEY_SIZE_POLICY_FLAGS sets and clears all the flags to the input
* value
* On get it returns all the flags
* NSS_KEY_SIZE_POLICY_SET_FLAGS sets only the flags=1 in theinput value and
* does not affect the other flags
* On get it returns all the flags
* NSS_KEY_SIZE_POLICY_CLEAR_FLAGS clears only the flags=1 in the input
* value and does not affect the other flags
* On get it returns all the compliment of all the flags
* (cleared flags == 1) */
#define NSS_KEY_SIZE_POLICY_FLAGS 0x00e
#define NSS_KEY_SIZE_POLICY_SET_FLAGS 0x00f
#define NSS_KEY_SIZE_POLICY_CLEAR_FLAGS 0x010
/* currently defined flags */
#define NSS_KEY_SIZE_POLICY_SSL_FLAG 1
#define NSS_KEY_SIZE_POLICY_VERIFY_FLAG 2
#define NSS_KEY_SIZE_POLICY_SIGN_FLAG 4
#define NSS_ECC_MIN_KEY_SIZE 0x011
/*
* Set and get global options for the NSS library.
*/

28
security/nss/lib/nss/nssoptions.c
Просмотреть файл

@ -26,8 +26,6 @@ struct nssOps {
PRInt32 dtlsVersionMaxPolicy;
PRInt32 pkcs12DecodeForceUnicode;
PRInt32 defaultLocks;
PRInt32 keySizePolicyFlags;
PRInt32 eccMinKeySize;
};
static struct nssOps nss_ops = {
@ -39,9 +37,7 @@ static struct nssOps nss_ops = {
1,
0xffff,
PR_FALSE,
0,
NSS_KEY_SIZE_POLICY_SSL_FLAG,
SSL_ECC_MIN_CURVE_BITS
0
};
SECStatus
@ -82,18 +78,6 @@ NSS_OptionSet(PRInt32 which, PRInt32 value)
case NSS_DEFAULT_LOCKS:
nss_ops.defaultLocks = value;
break;
case NSS_KEY_SIZE_POLICY_FLAGS:
nss_ops.keySizePolicyFlags = value;
break;
case NSS_KEY_SIZE_POLICY_SET_FLAGS:
nss_ops.keySizePolicyFlags |= value;
break;
case NSS_KEY_SIZE_POLICY_CLEAR_FLAGS:
nss_ops.keySizePolicyFlags &= ~value;
break;
case NSS_ECC_MIN_KEY_SIZE:
nss_ops.eccMinKeySize = value;
break;
default:
PORT_SetError(SEC_ERROR_INVALID_ARGS);
rv = SECFailure;
@ -135,16 +119,6 @@ NSS_OptionGet(PRInt32 which, PRInt32 *value)
case NSS_DEFAULT_LOCKS:
*value = nss_ops.defaultLocks;
break;
case NSS_KEY_SIZE_POLICY_FLAGS:
case NSS_KEY_SIZE_POLICY_SET_FLAGS:
*value = nss_ops.keySizePolicyFlags;
break;
case NSS_KEY_SIZE_POLICY_CLEAR_FLAGS:
*value = ~nss_ops.keySizePolicyFlags;
break;
case NSS_ECC_MIN_KEY_SIZE:
*value = nss_ops.eccMinKeySize;
break;
default:
rv = SECFailure;
}

2
security/nss/lib/nss/nssoptions.h
Просмотреть файл

@ -18,5 +18,3 @@
* happens because NSS used to count bit lengths incorrectly. */
#define SSL_DH_MIN_P_BITS 1023
#define SSL_DSA_MIN_P_BITS 1023
/* not really used by SSL, but define it here for consistency */
#define SSL_ECC_MIN_CURVE_BITS 255

7
security/nss/lib/pk11wrap/pk11kea.c
Просмотреть файл

@ -78,14 +78,15 @@ pk11_KeyExchange(PK11SlotInfo *slot, CK_MECHANISM_TYPE type,
if (privKeyHandle == CK_INVALID_HANDLE) {
PK11RSAGenParams rsaParams;
if (symKeyLength > 120) /* bytes */ {
/* we'd have to generate an RSA key pair > 1024 bits long,
if (symKeyLength > 53) /* bytes */ {
/* we'd have to generate an RSA key pair > 512 bits long,
** and that's too costly. Don't even try.
*/
PORT_SetError(SEC_ERROR_CANNOT_MOVE_SENSITIVE_KEY);
goto rsa_failed;
}
rsaParams.keySizeInBits = 1024;
rsaParams.keySizeInBits =
(symKeyLength > 21 || symKeyLength == 0) ? 512 : 256;
rsaParams.pe = 0x10001;
privKey = PK11_GenerateKeyPair(slot, CKM_RSA_PKCS_KEY_PAIR_GEN,
&rsaParams, &pubKey, PR_FALSE, PR_TRUE, symKey->cx);

34
security/nss/lib/pk11wrap/pk11pars.c
Просмотреть файл

@ -434,21 +434,12 @@ static const optionFreeDef sslOptList[] = {
{ CIPHER_NAME("DTLS1.3"), 0x304 },
};
static const optionFreeDef keySizeFlagsList[] = {
{ CIPHER_NAME("KEY-SIZE-SSL"), NSS_KEY_SIZE_POLICY_SSL_FLAG },
{ CIPHER_NAME("KEY-SIZE-SIGN"), NSS_KEY_SIZE_POLICY_SIGN_FLAG },
{ CIPHER_NAME("KEY-SIZE-VERIFY"), NSS_KEY_SIZE_POLICY_VERIFY_FLAG },
};
static const optionFreeDef freeOptList[] = {
/* Restrictions for asymetric keys */
{ CIPHER_NAME("RSA-MIN"), NSS_RSA_MIN_KEY_SIZE },
{ CIPHER_NAME("DH-MIN"), NSS_DH_MIN_KEY_SIZE },
{ CIPHER_NAME("DSA-MIN"), NSS_DSA_MIN_KEY_SIZE },
{ CIPHER_NAME("ECC-MIN"), NSS_ECC_MIN_KEY_SIZE },
/* what operations doe the key size apply to */
{ CIPHER_NAME("KEY-SIZE-FLAGS"), NSS_KEY_SIZE_POLICY_FLAGS },
/* constraints on SSL Protocols */
{ CIPHER_NAME("TLS-VERSION-MIN"), NSS_TLS_VERSION_MIN_POLICY },
{ CIPHER_NAME("TLS-VERSION-MAX"), NSS_TLS_VERSION_MAX_POLICY },
@ -557,7 +548,6 @@ secmod_getPolicyOptValue(const char *policyValue, int policyValueLength,
*result = val;
return SECSuccess;
}
/* handle any ssl strings */
for (i = 0; i < PR_ARRAY_SIZE(sslOptList); i++) {
if (policyValueLength == sslOptList[i].name_size &&
PORT_Strncasecmp(sslOptList[i].name, policyValue,
@ -566,29 +556,7 @@ secmod_getPolicyOptValue(const char *policyValue, int policyValueLength,
return SECSuccess;
}
}
/* handle key_size flags. Each flag represents a bit, which
* gets or'd together. They can be separated by , | or + */
val = 0;
while (*policyValue) {
PRBool found = PR_FALSE;
for (i = 0; i < PR_ARRAY_SIZE(keySizeFlagsList); i++) {
if (PORT_Strncasecmp(keySizeFlagsList[i].name, policyValue,
keySizeFlagsList[i].name_size) == 0) {
val |= keySizeFlagsList[i].option;
found = PR_TRUE;
policyValue += keySizeFlagsList[i].name_size;
break;
}
}
if (!found) {
return SECFailure;
}
if (*policyValue == ',' || *policyValue == '|' || *policyValue == '+') {
policyValue++;
}
}
*result = val;
return SECSuccess;
return SECFailure;
}
/* Policy operations:

1
security/nss/lib/pkcs7/p7local.c
Просмотреть файл

@ -458,6 +458,7 @@ sec_PKCS7Decrypt(sec_PKCS7CipherObject *obj, unsigned char *output,
* If we do not, there is something wrong, either with our own
* logic or with (length of) the data given to us.
*/
PORT_Assert((padsize == 0) || (pcount % padsize) == 0);
if ((padsize != 0) && (pcount % padsize) != 0) {
PORT_Assert(final);
PORT_SetError(SEC_ERROR_BAD_DATA);

6
security/nss/lib/smime/smime.def
Просмотреть файл

@ -285,9 +285,3 @@ SEC_PKCS12DecoderRenameCertNicknames;
;+ local:
;+ *;
;+};
;+NSS_3.89 { # NSS 3.89 release
;+ global:
NSS_CMSSignerInfo_GetDigestAlgTag;
;+ local:
;+ *;
;+};

15
security/nss/lib/softoken/fips_algorithms.h
Просмотреть файл

@ -54,9 +54,7 @@ SFTKFIPSAlgorithmList sftk_fips_mechs[] = {
/* mechanisms using the same key types share the same key type
* limits */
#define RSA_FB_KEY 2048, 4096 /* min, max */
#define RSA_FB_STEP 1
#define RSA_LEGACY_FB_KEY 1024, 1792 /* min, max */
#define RSA_LEGACY_FB_STEP 256
#define RSA_FB_STEP 1024
#define DSA_FB_KEY 2048, 4096 /* min, max */
#define DSA_FB_STEP 1024
#define DH_FB_KEY 2048, 4096 /* min, max */
@ -68,7 +66,6 @@ SFTKFIPSAlgorithmList sftk_fips_mechs[] = {
{ CKM_RSA_PKCS_KEY_PAIR_GEN, { RSA_FB_KEY, CKF_KPG }, RSA_FB_STEP, SFTKFIPSNone },
{ CKM_RSA_PKCS_PSS, { RSA_FB_KEY, CKF_SGN }, RSA_FB_STEP, SFTKFIPSNone },
{ CKM_RSA_PKCS_OAEP, { RSA_FB_KEY, CKF_ENC }, RSA_FB_STEP, SFTKFIPSNone },
{ CKM_RSA_PKCS_PSS, { RSA_LEGACY_FB_KEY, CKF_VERIFY }, RSA_LEGACY_FB_STEP, SFTKFIPSNone },
/* -------------- RSA Multipart Signing Operations -------------------- */
{ CKM_SHA224_RSA_PKCS, { RSA_FB_KEY, CKF_SGN }, RSA_FB_STEP, SFTKFIPSNone },
{ CKM_SHA256_RSA_PKCS, { RSA_FB_KEY, CKF_SGN }, RSA_FB_STEP, SFTKFIPSNone },
@ -78,14 +75,6 @@ SFTKFIPSAlgorithmList sftk_fips_mechs[] = {
{ CKM_SHA256_RSA_PKCS_PSS, { RSA_FB_KEY, CKF_SGN }, RSA_FB_STEP, SFTKFIPSNone },
{ CKM_SHA384_RSA_PKCS_PSS, { RSA_FB_KEY, CKF_SGN }, RSA_FB_STEP, SFTKFIPSNone },
{ CKM_SHA512_RSA_PKCS_PSS, { RSA_FB_KEY, CKF_SGN }, RSA_FB_STEP, SFTKFIPSNone },
{ CKM_SHA224_RSA_PKCS, { RSA_LEGACY_FB_KEY, CKF_VERIFY }, RSA_LEGACY_FB_STEP, SFTKFIPSNone },
{ CKM_SHA256_RSA_PKCS, { RSA_LEGACY_FB_KEY, CKF_VERIFY }, RSA_LEGACY_FB_STEP, SFTKFIPSNone },
{ CKM_SHA384_RSA_PKCS, { RSA_LEGACY_FB_KEY, CKF_VERIFY }, RSA_LEGACY_FB_STEP, SFTKFIPSNone },
{ CKM_SHA512_RSA_PKCS, { RSA_LEGACY_FB_KEY, CKF_VERIFY }, RSA_LEGACY_FB_STEP, SFTKFIPSNone },
{ CKM_SHA224_RSA_PKCS_PSS, { RSA_LEGACY_FB_KEY, CKF_VERIFY }, RSA_LEGACY_FB_STEP, SFTKFIPSNone },
{ CKM_SHA256_RSA_PKCS_PSS, { RSA_LEGACY_FB_KEY, CKF_VERIFY }, RSA_LEGACY_FB_STEP, SFTKFIPSNone },
{ CKM_SHA384_RSA_PKCS_PSS, { RSA_LEGACY_FB_KEY, CKF_VERIFY }, RSA_LEGACY_FB_STEP, SFTKFIPSNone },
{ CKM_SHA512_RSA_PKCS_PSS, { RSA_LEGACY_FB_KEY, CKF_VERIFY }, RSA_LEGACY_FB_STEP, SFTKFIPSNone },
/* ------------------------- DSA Operations --------------------------- */
{ CKM_DSA_KEY_PAIR_GEN, { DSA_FB_KEY, CKF_KPG }, DSA_FB_STEP, SFTKFIPSNone },
{ CKM_DSA, { DSA_FB_KEY, CKF_SGN }, DSA_FB_STEP, SFTKFIPSNone },
@ -142,7 +131,7 @@ SFTKFIPSAlgorithmList sftk_fips_mechs[] = {
/* ---------------------- SSL/TLS operations ------------------------- */
{ CKM_SHA224_KEY_DERIVATION, { 112, 224, CKF_KDF }, 1, SFTKFIPSNone },
{ CKM_SHA256_KEY_DERIVATION, { 128, 256, CKF_KDF }, 1, SFTKFIPSNone },
{ CKM_SHA384_KEY_DERIVATION, { 192, 384, CKF_KDF }, 1, SFTKFIPSNone },
{ CKM_SHA384_KEY_DERIVATION, { 192, 284, CKF_KDF }, 1, SFTKFIPSNone },
{ CKM_SHA512_KEY_DERIVATION, { 256, 512, CKF_KDF }, 1, SFTKFIPSNone },
{ CKM_TLS12_MASTER_KEY_DERIVE, { 384, 384, CKF_KDF }, 1, SFTKFIPSNone },
{ CKM_TLS12_MASTER_KEY_DERIVE_DH, { DH_FB_KEY, CKF_KDF }, 1, SFTKFIPSNone },

7
security/nss/lib/softoken/pkcs11c.c
Просмотреть файл

@ -2099,12 +2099,7 @@ static SECStatus
sftk_HMACCmp(CK_ULONG *copyLen, unsigned char *sig, unsigned int sigLen,
unsigned char *hash, unsigned int hashLen)
{
if (NSS_SecureMemcmp(sig, hash, *copyLen) == 0) {
return SECSuccess;
}
PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
return SECFailure;
return (NSS_SecureMemcmp(sig, hash, *copyLen) == 0) ? SECSuccess : SECFailure;
}
/*

8
security/nss/lib/softoken/softkver.h
Просмотреть файл

@ -17,11 +17,11 @@
* The format of the version string should be
* "<major version>.<minor version>[.<patch level>[.<build number>]][ <ECC>][ <Beta>]"
*/
#define SOFTOKEN_VERSION "3.89" SOFTOKEN_ECC_STRING " Beta"
#define SOFTOKEN_VERSION "3.88.1" SOFTOKEN_ECC_STRING
#define SOFTOKEN_VMAJOR 3
#define SOFTOKEN_VMINOR 89
#define SOFTOKEN_VPATCH 0
#define SOFTOKEN_VMINOR 88
#define SOFTOKEN_VPATCH 1
#define SOFTOKEN_VBUILD 0
#define SOFTOKEN_BETA PR_TRUE
#define SOFTOKEN_BETA PR_FALSE
#endif /* _SOFTKVER_H_ */

34
security/nss/lib/ssl/ssl.h
Просмотреть файл

@ -346,40 +346,6 @@ SSL_IMPORT PRFileDesc *DTLS_ImportFD(PRFileDesc *model, PRFileDesc *fd);
*/
#define SSL_SUPPRESS_END_OF_EARLY_DATA 41
/* Enables TLS GREASE (specified in RFC8701, following Chrome 55 implementation
* decisions).
*
* If enabled and the client's ss->vrange.max >= SSL_LIBRARY_VERSION_TLS_1_3 or
* the server's ss->version >= SSL_LIBRARY_VERSION_TLS_1_3, this adds random
* GREASE values to:
* - ClientHello (Client):
* - A cipher_suite value to the cipher_suites field.
* - An empty and a 1B zeroed payload extension.
* - A named group value to the supported_groups extension and a
* KeyShareEntry value for the added named group.
* - A signature algorithm value to the signature_algorithms extension.
* - A version value to the supported_versions extension.
* - A PskKeyExchangeMode value to the psk_key_exchange_modes extension.
* - A alpn value to the application_layer_protocol_negotiation extension.
*
* - CertificateRequest (Server):
* - An empty extension.
* - A signature algorithm value to the signature_algorithms extension.
*
* - NewSessionTicket (Server):
* - An empty extension.
*
* GREASE values MUST nerver be negotiated but ignored.
*/
#define SSL_ENABLE_GREASE 42
/* Enables TLS ClientHello Extension Permutation.
*
* On a TLS ClientHello all extensions but the Psk extension
* (which MUST be last) will be sent in randomly shuffeld order.
*/
#define SSL_ENABLE_CH_EXTENSION_PERMUTATION 43
#ifdef SSL_DEPRECATED_FUNCTION
/* Old deprecated function names */
SSL_IMPORT SECStatus SSL_Enable(PRFileDesc *fd, int option, PRIntn on);

105
security/nss/lib/ssl/ssl3con.c
Просмотреть файл

@ -5099,18 +5099,6 @@ ssl3_AppendCipherSuites(sslSocket *ss, PRBool fallbackSCSV, sslBuffer *buf)
}
}
}
/* GREASE CipherSuites:
* A client MAY select one or more GREASE cipher suite values and advertise
* them in the "cipher_suites" field [RFC8701, Section 3.1]. */
if (ss->opt.enableGrease && ss->vrange.max >= SSL_LIBRARY_VERSION_TLS_1_3) {
rv = sslBuffer_AppendNumber(buf, ss->ssl3.hs.grease->idx[grease_cipher],
sizeof(ssl3CipherSuite));
if (rv != SECSuccess) {
return SECFailure;
}
}
if (SSL_ALL_VERSIONS_DISABLED(&ss->vrange) ||
(SSL_BUFFER_LEN(buf) - saveLen) == 0) {
PORT_SetError(SSL_ERROR_SSL_DISABLED);
@ -5532,16 +5520,6 @@ ssl3_SendClientHello(sslSocket *ss, sslClientHelloType type)
}
}
/* Setup TLS ClientHello Extension Permutation? */
if (type == client_hello_initial &&
ss->vrange.max > SSL_LIBRARY_VERSION_3_0 &&
ss->opt.enableChXtnPermutation) {
rv = tls_ClientHelloExtensionPermutationSetup(ss);
if (rv != SECSuccess) {
goto loser;
}
}
if (isTLS || (ss->firstHsDone && ss->peerRequestedProtection)) {
rv = ssl_ConstructExtensions(ss, &extensionBuf, ssl_hs_client_hello);
if (rv != SECSuccess) {
@ -7450,8 +7428,7 @@ ssl_HandleDHServerKeyExchange(sslSocket *ss, PRUint8 *b, PRUint32 length)
SECItem dh_Ys = { siBuffer, NULL, 0 };
unsigned dh_p_bits;
unsigned dh_g_bits;
PRInt32 minDH = 0;
PRInt32 optval;
PRInt32 minDH;
SSL3Hashes hashes;
SECItem signature = { siBuffer, NULL, 0 };
@ -7462,12 +7439,9 @@ ssl_HandleDHServerKeyExchange(sslSocket *ss, PRUint8 *b, PRUint32 length)
if (rv != SECSuccess) {
goto loser; /* malformed. */
}
rv = NSS_OptionGet(NSS_KEY_SIZE_POLICY_FLAGS, &optval);
if ((rv == SECSuccess) && (optval & NSS_KEY_SIZE_POLICY_SSL_FLAG)) {
(void)NSS_OptionGet(NSS_DH_MIN_KEY_SIZE, &minDH);
}
if (minDH <= 0) {
rv = NSS_OptionGet(NSS_DH_MIN_KEY_SIZE, &minDH);
if (rv != SECSuccess || minDH <= 0) {
minDH = SSL_DH_MIN_P_BITS;
}
dh_p_bits = SECKEY_BigIntegerBitLength(&dh_p);
@ -10226,7 +10200,7 @@ ssl3_SendServerKeyExchange(sslSocket *ss)
SECStatus
ssl3_EncodeSigAlgs(const sslSocket *ss, PRUint16 minVersion, PRBool forCert,
PRBool grease, sslBuffer *buf)
sslBuffer *buf)
{
SSLSignatureScheme filtered[MAX_SIGNATURE_SCHEMES] = { 0 };
unsigned int filteredCount = 0;
@ -10237,12 +10211,12 @@ ssl3_EncodeSigAlgs(const sslSocket *ss, PRUint16 minVersion, PRBool forCert,
if (rv != SECSuccess) {
return SECFailure;
}
return ssl3_EncodeFilteredSigAlgs(ss, filtered, filteredCount, grease, buf);
return ssl3_EncodeFilteredSigAlgs(ss, filtered, filteredCount, buf);
}
SECStatus
ssl3_EncodeFilteredSigAlgs(const sslSocket *ss, const SSLSignatureScheme *schemes,
PRUint32 numSchemes, PRBool grease, sslBuffer *buf)
PRUint32 numSchemes, sslBuffer *buf)
{
if (!numSchemes) {
PORT_SetError(SSL_ERROR_NO_SUPPORTED_SIGNATURE_ALGORITHM);
@ -10263,35 +10237,6 @@ ssl3_EncodeFilteredSigAlgs(const sslSocket *ss, const SSLSignatureScheme *scheme
return SECFailure;
}
}
/* GREASE SignatureAlgorithms:
* A client MAY select one or more GREASE signature algorithm values and
* advertise them in the "signature_algorithms" or
* "signature_algorithms_cert" extensions, if sent [RFC8701, Section 3.1].
*
* When sending a CertificateRequest in TLS 1.3, a server MAY behave as
* follows: [...] A server MAY select one or more GREASE signature
* algorithm values and advertise them in the "signature_algorithms" or
* "signature_algorithms_cert" extensions, if present
* [RFC8701, Section 4.1]. */
if (grease &&
((!ss->sec.isServer && ss->vrange.max >= SSL_LIBRARY_VERSION_TLS_1_3) ||
(ss->sec.isServer && ss->version >= SSL_LIBRARY_VERSION_TLS_1_3))) {
PRUint16 value;
if (ss->sec.isServer) {
rv = tls13_RandomGreaseValue(&value);
if (rv != SECSuccess) {
return SECFailure;
}
} else {
value = ss->ssl3.hs.grease->idx[grease_sigalg];
}
rv = sslBuffer_AppendNumber(buf, value, 2);
if (rv != SECSuccess) {
return SECFailure;
}
}
return sslBuffer_InsertLength(buf, lengthOffset, 2);
}
@ -10383,8 +10328,7 @@ ssl3_SendCertificateRequest(sslSocket *ss)
length = 1 + certTypesLength + 2 + calen;
if (isTLS12) {
rv = ssl3_EncodeSigAlgs(ss, ss->version, PR_TRUE /* forCert */,
PR_FALSE /* GREASE */, &sigAlgsBuf);
rv = ssl3_EncodeSigAlgs(ss, ss->version, PR_TRUE /* forCert */, &sigAlgsBuf);
if (rv != SECSuccess) {
return rv;
}
@ -11539,22 +11483,15 @@ SECStatus
ssl_SetAuthKeyBits(sslSocket *ss, const SECKEYPublicKey *pubKey)
{
SECStatus rv;
PRUint32 minKey = 0;
PRUint32 minKey;
PRInt32 optval;
PRBool usePolicyLength = PR_TRUE;
rv = NSS_OptionGet(NSS_KEY_SIZE_POLICY_FLAGS, &optval);
if (rv == SECSuccess) {
usePolicyLength = (PRBool)((optval & NSS_KEY_SIZE_POLICY_SSL_FLAG) == NSS_KEY_SIZE_POLICY_SSL_FLAG);
}
ss->sec.authKeyBits = SECKEY_PublicKeyStrengthInBits(pubKey);
switch (SECKEY_GetPublicKeyType(pubKey)) {
case rsaKey:
case rsaPssKey:
case rsaOaepKey:
rv = usePolicyLength ? NSS_OptionGet(NSS_RSA_MIN_KEY_SIZE, &optval)
: SECFailure;
rv = NSS_OptionGet(NSS_RSA_MIN_KEY_SIZE, &optval);
if (rv == SECSuccess && optval > 0) {
minKey = (PRUint32)optval;
} else {
@ -11563,8 +11500,7 @@ ssl_SetAuthKeyBits(sslSocket *ss, const SECKEYPublicKey *pubKey)
break;
case dsaKey:
rv = usePolicyLength ? NSS_OptionGet(NSS_DSA_MIN_KEY_SIZE, &optval)
: SECFailure;
rv = NSS_OptionGet(NSS_DSA_MIN_KEY_SIZE, &optval);
if (rv == SECSuccess && optval > 0) {
minKey = (PRUint32)optval;
} else {
@ -11573,8 +11509,7 @@ ssl_SetAuthKeyBits(sslSocket *ss, const SECKEYPublicKey *pubKey)
break;
case dhKey:
rv = usePolicyLength ? NSS_OptionGet(NSS_DH_MIN_KEY_SIZE, &optval)
: SECFailure;
rv = NSS_OptionGet(NSS_DH_MIN_KEY_SIZE, &optval);
if (rv == SECSuccess && optval > 0) {
minKey = (PRUint32)optval;
} else {
@ -11583,15 +11518,9 @@ ssl_SetAuthKeyBits(sslSocket *ss, const SECKEYPublicKey *pubKey)
break;
case ecKey:
rv = usePolicyLength ? NSS_OptionGet(NSS_ECC_MIN_KEY_SIZE, &optval)
: SECFailure;
if (rv == SECSuccess && optval > 0) {
minKey = (PRUint32)optval;
} else {
/* Don't check EC strength here on the understanding that we
* only support curves we like. */
minKey = ss->sec.authKeyBits;
}
/* Don't check EC strength here on the understanding that we only
* support curves we like. */
minKey = ss->sec.authKeyBits;
break;
default:
@ -14160,12 +14089,6 @@ ssl3_DestroySSL3Info(sslSocket *ss)
PK11_HPKE_DestroyContext(ss->ssl3.hs.echHpkeCtx, PR_TRUE);
PORT_Free((void *)ss->ssl3.hs.echPublicName); /* CONST */
sslBuffer_Clear(&ss->ssl3.hs.greaseEchBuf);
/* TLS 1.3 GREASE (client) state. */
tls13_ClientGreaseDestroy(ss);
/* TLS ClientHello Extension Permutation state. */
tls_ClientHelloExtensionPermutationDestroy(ss);
}
/* check if the current cipher spec is FIPS. We only need to

14
security/nss/lib/ssl/ssl3ecc.c
Просмотреть файл

@ -906,20 +906,6 @@ ssl_SendSupportedGroupsXtn(const sslSocket *ss, TLSExtensionData *xtnData,
}
}
/* GREASE SupportedGroups:
* A client MAY select one or more GREASE named group values and advertise
* them in the "supported_groups" extension, if sent [RFC8701, Section 3.1].
*/
if (!ss->sec.isServer &&
ss->opt.enableGrease &&
ss->vrange.max >= SSL_LIBRARY_VERSION_TLS_1_3) {
rv = sslBuffer_AppendNumber(buf, ss->ssl3.hs.grease->idx[grease_group], 2);
if (rv != SECSuccess) {
return SECFailure;
}
found = PR_TRUE;
}
if (!found) {
/* We added nothing, don't send the extension. */
return SECSuccess;

81
security/nss/lib/ssl/ssl3ext.c
Просмотреть файл

@ -45,7 +45,6 @@ static const ssl3ExtensionHandler clientHelloHandlers[] = {
{ ssl_app_layer_protocol_xtn, &ssl3_ServerHandleAppProtoXtn },
{ ssl_use_srtp_xtn, &ssl3_ServerHandleUseSRTPXtn },
{ ssl_cert_status_xtn, &ssl3_ServerHandleStatusRequestXtn },
{ ssl_tls13_certificate_authorities_xtn, &tls13_ServerHandleCertAuthoritiesXtn },
{ ssl_signature_algorithms_xtn, &ssl3_HandleSigAlgsXtn },
{ ssl_extended_master_secret_xtn, &ssl3_HandleExtendedMasterSecretXtn },
{ ssl_signed_cert_timestamp_xtn, &ssl3_ServerHandleSignedCertTimestampXtn },
@ -124,8 +123,6 @@ static const ssl3ExtensionHandler certificateRequestHandlers[] = {
* extension, if it were listed last). See bug 1243641.
*/
static const sslExtensionBuilder clientHelloSendersTLS[] = {
/* TLS 1.3 GREASE extensions - empty. */
{ ssl_tls13_grease_xtn, &tls13_SendEmptyGreaseXtn },
{ ssl_server_name_xtn, &ssl3_ClientSendServerNameXtn },
{ ssl_extended_master_secret_xtn, &ssl3_SendExtendedMasterSecretXtn },
{ ssl_renegotiation_info_xtn, &ssl3_SendRenegotiationInfoXtn },
@ -149,8 +146,6 @@ static const sslExtensionBuilder clientHelloSendersTLS[] = {
{ ssl_tls13_psk_key_exchange_modes_xtn, &tls13_ClientSendPskModesXtn },
{ ssl_tls13_post_handshake_auth_xtn, &tls13_ClientSendPostHandshakeAuthXtn },
{ ssl_record_size_limit_xtn, &ssl_SendRecordSizeLimitXtn },
/* TLS 1.3 GREASE extensions - 1 zero byte. */
{ ssl_tls13_grease_xtn, &tls13_SendGreaseXtn },
/* The pre_shared_key extension MUST be last. */
{ ssl_tls13_pre_shared_key_xtn, &tls13_ClientSendPreSharedKeyXtn },
{ 0, NULL }
@ -164,8 +159,6 @@ static const sslExtensionBuilder clientHelloSendersSSL3[] = {
static const sslExtensionBuilder tls13_cert_req_senders[] = {
{ ssl_signature_algorithms_xtn, &ssl3_SendSigAlgsXtn },
{ ssl_tls13_certificate_authorities_xtn, &tls13_SendCertAuthoritiesXtn },
/* TLS 1.3 GREASE extension. */
{ ssl_tls13_grease_xtn, &tls13_SendEmptyGreaseXtn },
{ 0, NULL }
};
@ -761,12 +754,7 @@ ssl_ConstructExtensions(sslSocket *ss, sslBuffer *buf, SSLHandshakeType message)
switch (message) {
case ssl_hs_client_hello:
if (ss->vrange.max > SSL_LIBRARY_VERSION_3_0) {
/* Use TLS ClientHello Extension Permutation? */
if (ss->opt.enableChXtnPermutation) {
sender = ss->ssl3.hs.chExtensionPermutation;
} else {
sender = clientHelloSendersTLS;
}
sender = clientHelloSendersTLS;
} else {
sender = clientHelloSendersSSL3;
}
@ -803,7 +791,6 @@ ssl_ConstructExtensions(sslSocket *ss, sslBuffer *buf, SSLHandshakeType message)
}
for (; sender->ex_sender != NULL; ++sender) {
PRUint16 ex_type = sender->ex_type;
PRBool append = PR_FALSE;
unsigned int start = buf->len;
unsigned int length;
@ -827,14 +814,8 @@ ssl_ConstructExtensions(sslSocket *ss, sslBuffer *buf, SSLHandshakeType message)
continue;
}
/* If TLS 1.3 GREASE is enabled, replace ssl_tls13_grease_xtn dummy
* GREASE extension types with randomly generated GREASE value. */
rv = tls13_MaybeGreaseExtensionType(ss, message, &ex_type);
if (rv != SECSuccess) {
goto loser; /* Code already set. */
}
rv = sslBuffer_AppendNumber(buf, ex_type, 2);
buf->len = start;
rv = sslBuffer_AppendNumber(buf, sender->ex_type, 2);
if (rv != SECSuccess) {
goto loser; /* Code already set. */
}
@ -848,7 +829,7 @@ ssl_ConstructExtensions(sslSocket *ss, sslBuffer *buf, SSLHandshakeType message)
if (message == ssl_hs_client_hello ||
message == ssl_hs_certificate_request) {
ss->xtnData.advertised[ss->xtnData.numAdvertised++] =
ex_type;
sender->ex_type;
}
}
@ -1125,57 +1106,3 @@ ssl3_ExtConsumeHandshakeVariable(const sslSocket *ss, SECItem *i,
{
return ssl3_ConsumeHandshakeVariable((sslSocket *)ss, i, bytes, b, length);
}
SECStatus
tls_ClientHelloExtensionPermutationSetup(sslSocket *ss)
{
size_t buildersLen = PR_ARRAY_SIZE(clientHelloSendersTLS);
const size_t buildersSize = (sizeof(sslExtensionBuilder) * buildersLen);
/* Psk Extension and then NULL entry MUST be last. */
const size_t permutationLen = buildersLen - 2;
/* There shouldn't already be a stored permutation. */
PR_ASSERT(!ss->ssl3.hs.chExtensionPermutation);
/* This shuffle handles up to 256 extensions. */
PR_ASSERT(buildersLen < 256);
uint8_t permutation[256] = { 0 };
sslExtensionBuilder *builders = PORT_ZAlloc(buildersSize);
if (!builders) {
return SECFailure;
}
/* Get a working copy of default builders. */
PORT_Memcpy(builders, clientHelloSendersTLS, buildersSize);
/* Get permutation randoms. */
if (PK11_GenerateRandom(permutation, permutationLen) != SECSuccess) {
PORT_Free(builders);
return SECFailure;
}
/* Fisher-Yates Shuffle */
for (size_t i = permutationLen - 1; i > 0; i--) {
size_t idx = permutation[i - 1] % (i + 1);
sslExtensionBuilder tmp = builders[i];
builders[i] = builders[idx];
builders[idx] = tmp;
}
/* Make sure that Psk extension is penultimate (before NULL entry). */
PR_ASSERT(builders[buildersLen - 2].ex_type == ssl_tls13_pre_shared_key_xtn);
PR_ASSERT(builders[buildersLen - 2].ex_sender == clientHelloSendersTLS[buildersLen - 2].ex_sender);
ss->ssl3.hs.chExtensionPermutation = builders;
return SECSuccess;
}
void
tls_ClientHelloExtensionPermutationDestroy(sslSocket *ss)
{
if (ss->ssl3.hs.chExtensionPermutation) {
PORT_Free(ss->ssl3.hs.chExtensionPermutation);
ss->ssl3.hs.chExtensionPermutation = NULL;
}
}

2
security/nss/lib/ssl/ssl3ext.h
Просмотреть файл

@ -206,7 +206,5 @@ SECStatus SSLExp_InstallExtensionHooks(
sslCustomExtensionHooks *ssl_FindCustomExtensionHooks(sslSocket *ss, PRUint16 extension);
SECStatus ssl_CallCustomExtensionSenders(sslSocket *ss, sslBuffer *buf,
SSLHandshakeType message);
SECStatus tls_ClientHelloExtensionPermutationSetup(sslSocket *ss);
void tls_ClientHelloExtensionPermutationDestroy(sslSocket *ss);
#endif

30
security/nss/lib/ssl/ssl3exthandle.c
Просмотреть файл

@ -201,7 +201,7 @@ ssl3_FreeSniNameArray(TLSExtensionData *xtnData)
* Clients sends a filled in session ticket if one is available, and otherwise
* sends an empty ticket. Servers always send empty tickets.
*/
SECStatus
PRInt32
ssl3_ClientSendSessionTicketXtn(const sslSocket *ss, TLSExtensionData *xtnData,
sslBuffer *buf, PRBool *added)
{
@ -456,33 +456,20 @@ ssl3_ClientSendAppProtoXtn(const sslSocket *ss, TLSExtensionData *xtnData,
sslBuffer *buf, PRBool *added)
{
SECStatus rv;
const unsigned int len = ss->opt.nextProtoNego.len;
/* Renegotiations do not send this extension. */
if (!ss->opt.enableALPN || !ss->opt.nextProtoNego.len || ss->firstHsDone) {
PR_ASSERT(!ss->opt.nextProtoNego.data);
if (!ss->opt.enableALPN || !ss->opt.nextProtoNego.data || ss->firstHsDone) {
return SECSuccess;
}
PRBool addGrease = ss->opt.enableGrease && ss->vrange.max >= SSL_LIBRARY_VERSION_TLS_1_3;
/* The list of protocol strings is prefixed with a 2-byte length */
rv = sslBuffer_AppendNumber(buf, ss->opt.nextProtoNego.len + (addGrease ? 3 : 0), 2);
if (rv != SECSuccess) {
return SECFailure;
}
/* The list of protocol strings */
rv = sslBuffer_Append(buf, ss->opt.nextProtoNego.data, ss->opt.nextProtoNego.len);
if (rv != SECSuccess) {
return SECFailure;
}
/* A client MAY select one or more GREASE ALPN identifiers and advertise
* them in the "application_layer_protocol_negotiation" extension, if sent
* [RFC8701, Section 3.1]. */
if (addGrease) {
rv = sslBuffer_AppendNumber(buf, 2, 1);
if (len > 0) {
/* Each protocol string is prefixed with a single byte length. */
rv = sslBuffer_AppendNumber(buf, len, 2);
if (rv != SECSuccess) {
return SECFailure;
}
rv = sslBuffer_AppendNumber(buf, ss->ssl3.hs.grease->idx[grease_alpn], 2);
rv = sslBuffer_Append(buf, ss->opt.nextProtoNego.data, len);
if (rv != SECSuccess) {
return SECFailure;
}
@ -1661,8 +1648,7 @@ ssl3_SendSigAlgsXtn(const sslSocket *ss, TLSExtensionData *xtnData,
minVersion = ss->vrange.min; /* ClientHello */
}
SECStatus rv = ssl3_EncodeSigAlgs(ss, minVersion, PR_TRUE /* forCert */,
ss->opt.enableGrease, buf);
SECStatus rv = ssl3_EncodeSigAlgs(ss, minVersion, PR_TRUE /* forCert */, buf);
if (rv != SECSuccess) {
return SECFailure;
}

30
security/nss/lib/ssl/sslimpl.h
Просмотреть файл

@ -290,8 +290,6 @@ typedef struct sslOptionsStr {
unsigned int enableTls13GreaseEch : 1;
unsigned int enableTls13BackendEch : 1;
unsigned int callExtensionWriterOnEchInner : 1;
unsigned int enableGrease : 1;
unsigned int enableChXtnPermutation : 1;
} sslOptions;
typedef enum { sslHandshakingUndetermined = 0,
@ -612,24 +610,6 @@ typedef struct {
PRUint32 timeout;
} dtlsTimer;
/* TLS 1.3 client GREASE entry indices. */
typedef enum {
grease_cipher,
grease_extension1,
grease_extension2,
grease_group,
grease_sigalg,
grease_version,
grease_alpn,
grease_entries
} tls13ClientGreaseEntry;
/* TLS 1.3 client GREASE values struct. */
typedef struct tls13ClientGreaseStr {
PRUint16 idx[grease_entries];
PRUint8 pskKem;
} tls13ClientGrease;
/*
** This is the "hs" member of the "ssl3" struct.
** This entire struct is protected by ssl3HandshakeLock
@ -782,12 +762,6 @@ typedef struct SSL3HandshakeStateStr {
sslBuffer greaseEchBuf; /* Client: Remember GREASE ECH, as advertised, for CH2 (HRR case).
Server: Remember HRR Grease Value, for transcript calculations */
PRBool echInvalidExtension; /* Client: True if the server offered an invalid extension for the ClientHelloInner */
/* TLS 1.3 GREASE state. */
tls13ClientGrease *grease;
/* ClientHello Extension Permutation state. */
sslExtensionBuilder *chExtensionPermutation;
} SSL3HandshakeState;
#define SSL_ASSERT_HASHES_EMPTY(ss) \
@ -1766,10 +1740,10 @@ SECStatus ssl3_AuthCertificate(sslSocket *ss);
SECStatus ssl_ReadCertificateStatus(sslSocket *ss, PRUint8 *b,
PRUint32 length);
SECStatus ssl3_EncodeSigAlgs(const sslSocket *ss, PRUint16 minVersion, PRBool forCert,
PRBool grease, sslBuffer *buf);
sslBuffer *buf);
SECStatus ssl3_EncodeFilteredSigAlgs(const sslSocket *ss,
const SSLSignatureScheme *schemes,
PRUint32 numSchemes, PRBool grease, sslBuffer *buf);
PRUint32 numSchemes, sslBuffer *buf);
SECStatus ssl3_FilterSigAlgs(const sslSocket *ss, PRUint16 minVersion, PRBool disableRsae, PRBool forCert,
unsigned int maxSchemes, SSLSignatureScheme *filteredSchemes,
unsigned int *numFilteredSchemes);

4
security/nss/lib/ssl/sslsecur.c
Просмотреть файл

@ -217,10 +217,6 @@ SSL_ResetHandshake(PRFileDesc *s, PRBool asServer)
sslBuffer_Clear(&ss->ssl3.hs.greaseEchBuf);
}
tls13_ClientGreaseDestroy(ss);
tls_ClientHelloExtensionPermutationDestroy(ss);
if (!ss->TCPconnected)
ss->TCPconnected = (PR_SUCCESS == ssl_DefGetpeername(ss, &addr));

2
security/nss/lib/ssl/sslsnce.c
Просмотреть файл

@ -1820,7 +1820,7 @@ ssl_GetSelfEncryptKeyPair(SECKEYPublicKey **pubKey,
return SECSuccess;
}
static SECStatus
static PRBool
ssl_GenerateSelfEncryptKeys(void *pwArg, PRUint8 *keyName,
PK11SymKey **aesKey, PK11SymKey **macKey);

10
security/nss/lib/ssl/sslsock.c
Просмотреть файл

@ -96,8 +96,6 @@ static sslOptions ssl_defaults = {
.enableTls13GreaseEch = PR_FALSE,
.enableTls13BackendEch = PR_FALSE,
.callExtensionWriterOnEchInner = PR_FALSE,
.enableGrease = PR_FALSE,
.enableChXtnPermutation = PR_FALSE
};
/*
@ -893,14 +891,6 @@ SSL_OptionSet(PRFileDesc *fd, PRInt32 which, PRIntn val)
ss->opt.suppressEndOfEarlyData = val;
break;
case SSL_ENABLE_GREASE:
ss->opt.enableGrease = val;
break;
case SSL_ENABLE_CH_EXTENSION_PERMUTATION:
ss->opt.enableChXtnPermutation = val;
break;
default:
PORT_SetError(SEC_ERROR_INVALID_ARGS);
rv = SECFailure;

2
security/nss/lib/ssl/sslt.h
Просмотреть файл

@ -551,8 +551,6 @@ typedef enum {
ssl_tls13_post_handshake_auth_xtn = 49,
ssl_signature_algorithms_cert_xtn = 50,
ssl_tls13_key_share_xtn = 51,
/* TLS 1.3 GREASE extension dummy type for builders. */
ssl_tls13_grease_xtn = 0x0a0a,
ssl_next_proto_nego_xtn = 13172, /* Deprecated. */
ssl_renegotiation_info_xtn = 0xff01,
ssl_tls13_short_header_xtn = 0xff03, /* Deprecated. */

168
security/nss/lib/ssl/tls13con.c
Просмотреть файл

@ -454,11 +454,6 @@ tls13_SetupClientHello(sslSocket *ss, sslClientHelloType chType)
return SECSuccess;
}
rv = tls13_ClientGreaseSetup(ss);
if (rv != SECSuccess) {
return SECFailure;
}
/* Select the first enabled group.
* TODO(ekr@rtfm.com): be smarter about offering the group
* that the other side negotiated if we are resuming. */
@ -1568,9 +1563,6 @@ tls13_NegotiateKeyExchange(sslSocket *ss,
missing_extension);
return SECFailure;
}
/* Since the server insists on DHE to provide forward secracy, for
* every other PskKem value but DHE stateless resumption is disabled,
* this includes other specified and GREASE values. */
if (!memchr(ss->xtnData.psk_ke_modes.data, tls13_psk_dh_ke,
ss->xtnData.psk_ke_modes.len)) {
SSL_TRC(3, ("%d: TLS13[%d]: client offered PSK without DH",
@ -5302,7 +5294,6 @@ tls13_SendNewSessionTicket(sslSocket *ss, const PRUint8 *appToken,
SECStatus rv;
NewSessionTicket ticket = { 0 };
PRUint32 max_early_data_size_len = 0;
PRUint32 greaseLen = 0;
PRUint8 ticketNonce[sizeof(ss->ssl3.hs.ticketNonce)];
sslBuffer ticketNonceBuf = SSL_BUFFER(ticketNonce);
@ -5316,10 +5307,6 @@ tls13_SendNewSessionTicket(sslSocket *ss, const PRUint8 *appToken,
}
ticket.ticket_lifetime_hint = ssl_ticket_lifetime;
if (ss->opt.enableGrease) {
greaseLen = 4; /* type + len + 0 (empty) */
}
/* The ticket age obfuscator. */
rv = PK11_GenerateRandom((PRUint8 *)&ticket.ticket_age_add,
sizeof(ticket.ticket_age_add));
@ -5351,13 +5338,11 @@ tls13_SendNewSessionTicket(sslSocket *ss, const PRUint8 *appToken,
goto loser;
message_length =
4 + /* lifetime */
4 + /* ticket_age_add */
1 + sizeof(ticketNonce) + /* ticket_nonce */
2 + /* extensions lentgh */
max_early_data_size_len + /* max_early_data_size extension length */
greaseLen + /* GREASE extension length */
2 + /* ticket length */
4 + /* lifetime */
4 + /* ticket_age_add */
1 + sizeof(ticketNonce) + /* ticket_nonce */
2 + max_early_data_size_len + /* max_early_data_size_len */
2 + /* ticket length */
ticket_data.len;
rv = ssl3_AppendHandshakeHeader(ss, ssl_hs_new_session_ticket,
@ -5385,33 +5370,11 @@ tls13_SendNewSessionTicket(sslSocket *ss, const PRUint8 *appToken,
if (rv != SECSuccess)
goto loser;
/* Extensions */
rv = ssl3_AppendHandshakeNumber(ss, max_early_data_size_len + greaseLen, 2);
/* Extensions. */
rv = ssl3_AppendHandshakeNumber(ss, max_early_data_size_len, 2);
if (rv != SECSuccess)
goto loser;
/* GREASE NewSessionTicket:
* When sending a NewSessionTicket message in TLS 1.3, a server MAY select
* one or more GREASE extension values and advertise them as extensions
* with varying length and contents [RFC8701, SEction 4.1]. */
if (ss->opt.enableGrease) {
PR_ASSERT(ss->version >= SSL_LIBRARY_VERSION_TLS_1_3);
PRUint16 grease;
rv = tls13_RandomGreaseValue(&grease);
if (rv != SECSuccess)
goto loser;
/* Extension type */
rv = ssl3_AppendHandshakeNumber(ss, grease, 2);
if (rv != SECSuccess)
goto loser;
/* Extension length */
rv = ssl3_AppendHandshakeNumber(ss, 0, 2);
if (rv != SECSuccess)
goto loser;
}
/* Max early data size extension. */
if (max_early_data_size_len) {
rv = ssl3_AppendHandshakeNumber(
ss, ssl_tls13_early_data_xtn, 2);
@ -5654,7 +5617,7 @@ static const struct {
certificate) },
{ ssl_delegated_credentials_xtn, _M2(client_hello, certificate) },
{ ssl_tls13_cookie_xtn, _M2(client_hello, hello_retry_request) },
{ ssl_tls13_certificate_authorities_xtn, _M2(client_hello, certificate_request) },
{ ssl_tls13_certificate_authorities_xtn, _M1(certificate_request) },
{ ssl_tls13_supported_versions_xtn, _M3(client_hello, server_hello,
hello_retry_request) },
{ ssl_record_size_limit_xtn, _M2(client_hello, encrypted_extensions) },
@ -6452,117 +6415,4 @@ tls13_MaybeTls13(sslSocket *ss)
}
return PR_FALSE;
}
/* Setup random client GREASE values according to RFC8701. State must be kept
* so an equal ClientHello might be send on HelloRetryRequest. */
SECStatus
tls13_ClientGreaseSetup(sslSocket *ss)
{
if (!ss->opt.enableGrease) {
return SECSuccess;
}
PORT_Assert(ss->vrange.max >= SSL_LIBRARY_VERSION_TLS_1_3);
if (ss->ssl3.hs.grease) {
return SECFailure;
}
ss->ssl3.hs.grease = PORT_Alloc(sizeof(tls13ClientGrease));
if (!ss->ssl3.hs.grease) {
return SECFailure;
}
tls13ClientGrease *grease = ss->ssl3.hs.grease;
/* We require eight GREASE values and randoms. */
PRUint8 random[8];
/* Generate random GREASE values. */
if (PK11_GenerateRandom(random, sizeof(random)) != SECSuccess) {
return SECFailure;
}
for (size_t i = 0; i < PR_ARRAY_SIZE(grease->idx); i++) {
random[i] = ((random[i] & 0xf0) | 0x0a);
grease->idx[i] = ((random[i] << 8) | random[i]);
}
/* Specific PskKeyExchangeMode GREASE value. */
grease->pskKem = 0x0b + ((random[8 - 1] >> 5) * 0x1f);
/* Duplicate extensions are not allowed. */
if (grease->idx[grease_extension1] == grease->idx[grease_extension2]) {
grease->idx[grease_extension2] ^= 0x1010;
}
return SECSuccess;
}
/* Destroy client GREASE state. */
void
tls13_ClientGreaseDestroy(sslSocket *ss)
{
if (ss->ssl3.hs.grease) {
PORT_Free(ss->ssl3.hs.grease);
ss->ssl3.hs.grease = NULL;
}
}
/* Generate a random GREASE value according to RFC8701.
* This function does not provide valid PskKeyExchangeMode GREASE values! */
SECStatus
tls13_RandomGreaseValue(PRUint16 *out)
{
PRUint8 random;
if (PK11_GenerateRandom(&random, sizeof(random)) != SECSuccess) {
return SECFailure;
}
random = ((random & 0xf0) | 0x0a);
*out = ((random << 8) | random);
return SECSuccess;
}
/* Set TLS 1.3 GREASE Extension random GREASE type. */
SECStatus
tls13_MaybeGreaseExtensionType(const sslSocket *ss,
const SSLHandshakeType message,
PRUint16 *exType)
{
if (*exType != ssl_tls13_grease_xtn) {
return SECSuccess;
}
PR_ASSERT(ss->opt.enableGrease);
PR_ASSERT(message == ssl_hs_client_hello ||
message == ssl_hs_certificate_request);
/* GREASE ClientHello:
* A client MAY select one or more GREASE extension values and
* advertise them as extensions with varying length and contents
* [RFC8701, Section 3.1]. */
if (message == ssl_hs_client_hello) {
PR_ASSERT(ss->vrange.max >= SSL_LIBRARY_VERSION_TLS_1_3);
/* Check if the first GREASE extension was already added. */
if (!ssl3_ExtensionAdvertised(ss, ss->ssl3.hs.grease->idx[grease_extension1])) {
*exType = ss->ssl3.hs.grease->idx[grease_extension1];
} else {
*exType = ss->ssl3.hs.grease->idx[grease_extension2];
}
}
/* GREASE CertificateRequest:
* When sending a CertificateRequest in TLS 1.3, a server MAY behave as
* follows: A server MAY select one or more GREASE extension values and
* advertise them as extensions with varying length and contents
* [RFC8701, Section 4.1]. */
else if (message == ssl_hs_certificate_request) {
PR_ASSERT(ss->version >= SSL_LIBRARY_VERSION_TLS_1_3);
/* Get random grease extension type. */
SECStatus rv = tls13_RandomGreaseValue(exType);
if (rv != SECSuccess) {
return SECFailure;
}
}
return SECSuccess;
}
}

6
security/nss/lib/ssl/tls13con.h
Просмотреть файл

@ -152,12 +152,6 @@ SECStatus tls13_AEAD(PK11Context *context, PRBool decrypt,
const unsigned char *in, unsigned int inLen);
void tls13_SetSpecRecordVersion(sslSocket *ss, ssl3CipherSpec *spec);
SECStatus SSLExp_SendCertificateRequest(PRFileDesc *fd);
SECStatus tls13_ClientGreaseSetup(sslSocket *ss);
void tls13_ClientGreaseDestroy(sslSocket *ss);
SECStatus tls13_RandomGreaseValue(PRUint16 *out);
SECStatus tls13_MaybeGreaseExtensionType(const sslSocket *ss,
const SSLHandshakeType message,
PRUint16 *exType);
/* Use this instead of FATAL_ERROR when no alert shall be sent. */
#define LOG_ERROR(ss, prError) \

17
security/nss/lib/ssl/tls13ech.c
Просмотреть файл

@ -1420,34 +1420,23 @@ tls13_ConstructInnerExtensionsFromOuter(sslSocket *ss, sslBuffer *chOuterXtnsBuf
}
break;
case ssl_tls13_supported_versions_xtn:
/* Only TLS 1.3 and GREASE on CHInner. */
/* Only TLS 1.3 on CHInner. */
rv = sslBuffer_AppendNumber(chInnerXtns, extensionType, 2);
if (rv != SECSuccess) {
goto loser;
}
/* Extension length. */
tmpLen = (ss->opt.enableGrease) ? 5 : 3;
rv = sslBuffer_AppendNumber(chInnerXtns, tmpLen, 2);
rv = sslBuffer_AppendNumber(chInnerXtns, 3, 2);
if (rv != SECSuccess) {
goto loser;
}
/* ProtocolVersion length */
rv = sslBuffer_AppendNumber(chInnerXtns, tmpLen - 1, 1);
rv = sslBuffer_AppendNumber(chInnerXtns, 2, 1);
if (rv != SECSuccess) {
goto loser;
}
/* ProtocolVersion TLS 1.3 */
rv = sslBuffer_AppendNumber(chInnerXtns, SSL_LIBRARY_VERSION_TLS_1_3, 2);
if (rv != SECSuccess) {
goto loser;
}
/* ProtocolVersion GREASE */
if (ss->opt.enableGrease) {
rv = sslBuffer_AppendNumber(chInnerXtns, ss->ssl3.hs.grease->idx[grease_version], 2);
if (rv != SECSuccess) {
goto loser;
}
}
/* Only update state on second invocation of this function */
if (shouldCompress) {
ss->xtnData.echAdvertised[ss->xtnData.echNumAdvertised++] = extensionType;

91
security/nss/lib/ssl/tls13exthandle.c
Просмотреть файл

@ -154,29 +154,6 @@ tls13_ClientSendKeyShareXtn(const sslSocket *ss, TLSExtensionData *xtnData,
return SECFailure;
}
}
/* GREASE KeyShareEntry:
* [The client] MAY also send KeyShareEntry values for a subset of those
* selected in the "key_share" extension. For each of these, the
* "key_exchange" field MAY be any value [RFC8701, Section 3.1].
*
* By default we do not send KeyShares for every NamedGroup so the
* ServerKeyShare handshake message / additional round-trip is not
* triggered by sending GREASE KeyShareEntries. */
if (ss->opt.enableGrease) {
rv = sslBuffer_AppendNumber(buf, ss->ssl3.hs.grease->idx[grease_group], 2);
if (rv != SECSuccess)
return rv;
/* Entry length */
rv = sslBuffer_AppendNumber(buf, 2, 2);
if (rv != SECSuccess)
return rv;
/* Entry value */
rv = sslBuffer_AppendNumber(buf, 0xCD, 2);
if (rv != SECSuccess)
return rv;
}
rv = sslBuffer_InsertLength(buf, lengthOffset, 2);
if (rv != SECSuccess) {
return SECFailure;
@ -900,16 +877,6 @@ tls13_ClientSendSupportedVersionsXtn(const sslSocket *ss, TLSExtensionData *xtnD
}
}
/* GREASE SupportedVersions:
* A client MAY select one or more GREASE version values and advertise them
* in the "supported_versions" extension, if sent [RFC8701, Section 3.1]. */
if (ss->opt.enableGrease) {
rv = sslBuffer_AppendNumber(buf, ss->ssl3.hs.grease->idx[grease_version], 2);
if (rv != SECSuccess) {
return SECFailure;
}
}
rv = sslBuffer_InsertLength(buf, lengthOffset, 1);
if (rv != SECSuccess) {
return SECFailure;
@ -1078,6 +1045,7 @@ SECStatus
tls13_ClientSendPskModesXtn(const sslSocket *ss, TLSExtensionData *xtnData,
sslBuffer *buf, PRBool *added)
{
static const PRUint8 ke_modes[] = { tls13_psk_dh_ke };
SECStatus rv;
if (ss->vrange.max < SSL_LIBRARY_VERSION_TLS_1_3 ||
@ -1088,15 +1056,7 @@ tls13_ClientSendPskModesXtn(const sslSocket *ss, TLSExtensionData *xtnData,
SSL_TRC(3, ("%d: TLS13[%d]: send psk key exchange modes extension",
SSL_GETPID(), ss->fd));
/* GREASE PskKeyExchangeMode:
* A client MAY select one or more GREASE PskKeyExchangeMode values and
* advertise them in the "psk_key_exchange_modes" extension, if sent
* [RFC8701, Section 3.1]. */
if (ss->opt.enableGrease) {
rv = sslBuffer_AppendVariable(buf, (PRUint8[]){ tls13_psk_dh_ke, ss->ssl3.hs.grease->pskKem }, 2, 1);
} else {
rv = sslBuffer_AppendVariable(buf, (PRUint8[]){ tls13_psk_dh_ke }, 1, 1);
}
rv = sslBuffer_AppendVariable(buf, ke_modes, sizeof(ke_modes), 1);
if (rv != SECSuccess) {
return SECFailure;
}
@ -1216,15 +1176,6 @@ loser:
return SECFailure;
}
SECStatus
tls13_ServerHandleCertAuthoritiesXtn(const sslSocket *ss, TLSExtensionData *xtnData, SECItem *data)
{
SSL_TRC(3, ("%d: TLS13[%d]: ignore certificate_authorities extension",
SSL_GETPID(), ss->fd));
/* NSS ignores certificate_authorities in the ClientHello */
return SECSuccess;
}
SECStatus
tls13_ServerSendHrrKeyShareXtn(const sslSocket *ss, TLSExtensionData *xtnData,
sslBuffer *buf, PRBool *added)
@ -1390,8 +1341,7 @@ tls13_ClientSendDelegatedCredentialsXtn(const sslSocket *ss,
return SECSuccess;
}
rv = ssl3_EncodeFilteredSigAlgs(ss, filtered, filteredCount,
PR_FALSE /* GREASE */, buf);
rv = ssl3_EncodeFilteredSigAlgs(ss, filtered, filteredCount, buf);
if (rv != SECSuccess) {
return SECFailure;
}
@ -1765,38 +1715,3 @@ alert_loser:
PORT_SetError(SSL_ERROR_RX_MALFORMED_ECH_EXTENSION);
return SECFailure;
}
SECStatus
tls13_SendEmptyGreaseXtn(const sslSocket *ss,
TLSExtensionData *xtnData,
sslBuffer *buf, PRBool *added)
{
if (!ss->opt.enableGrease ||
(!ss->sec.isServer && ss->vrange.max < SSL_LIBRARY_VERSION_TLS_1_3) ||
(ss->sec.isServer && ss->version < SSL_LIBRARY_VERSION_TLS_1_3)) {
return SECSuccess;
}
*added = PR_TRUE;
return SECSuccess;
}
SECStatus
tls13_SendGreaseXtn(const sslSocket *ss,
TLSExtensionData *xtnData,
sslBuffer *buf, PRBool *added)
{
if (!ss->opt.enableGrease ||
(!ss->sec.isServer && ss->vrange.max < SSL_LIBRARY_VERSION_TLS_1_3) ||
(ss->sec.isServer && ss->version < SSL_LIBRARY_VERSION_TLS_1_3)) {
return SECSuccess;
}
SECStatus rv = sslBuffer_AppendVariable(buf, (PRUint8[]){ 0x00 }, 1, 2);
if (rv != SECSuccess) {
return SECFailure;
}
*added = PR_TRUE;
return SECSuccess;
}

8
security/nss/lib/ssl/tls13exthandle.h
Просмотреть файл

@ -75,8 +75,6 @@ SECStatus tls13_SendCertAuthoritiesXtn(const sslSocket *ss,
SECStatus tls13_ClientHandleCertAuthoritiesXtn(const sslSocket *ss,
TLSExtensionData *xtnData,
SECItem *data);
SECStatus tls13_ServerHandleCertAuthoritiesXtn(const sslSocket *ss, TLSExtensionData *xtnData, SECItem *data);
SECStatus tls13_ServerHandleCookieXtn(const sslSocket *ss,
TLSExtensionData *xtnData,
SECItem *data);
@ -117,11 +115,5 @@ SECStatus tls13_ClientSendDelegatedCredentialsXtn(const sslSocket *ss,
SECStatus tls13_ServerHandleDelegatedCredentialsXtn(const sslSocket *ss,
TLSExtensionData *xtnData,
SECItem *data);
SECStatus tls13_SendEmptyGreaseXtn(const sslSocket *ss,
TLSExtensionData *xtnData,
sslBuffer *buf, PRBool *added);
SECStatus tls13_SendGreaseXtn(const sslSocket *ss,
TLSExtensionData *xtnData,
sslBuffer *buf, PRBool *added);
#endif

8
security/nss/lib/util/nssutil.h
Просмотреть файл

@ -19,12 +19,12 @@
* The format of the version string should be
* "<major version>.<minor version>[.<patch level>[.<build number>]][ <Beta>]"
*/
#define NSSUTIL_VERSION "3.89 Beta"
#define NSSUTIL_VERSION "3.88.1"
#define NSSUTIL_VMAJOR 3
#define NSSUTIL_VMINOR 89
#define NSSUTIL_VPATCH 0
#define NSSUTIL_VMINOR 88
#define NSSUTIL_VPATCH 1
#define NSSUTIL_VBUILD 0
#define NSSUTIL_BETA PR_TRUE
#define NSSUTIL_BETA PR_FALSE
SEC_BEGIN_PROTOS

10
security/nss/lib/util/secasn1d.c
Просмотреть файл

@ -2207,13 +2207,9 @@ sec_asn1d_next_in_sequence(sec_asn1d_state *state)
* In practice this does not happen, but for completeness
* sake it should probably be made to work at some point.
*/
if (child_found_tag_modifiers >= SEC_ASN1_HIGH_TAG_NUMBER) {
PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
state->top->status = decodeError;
} else {
identifier = (unsigned char)(child_found_tag_modifiers | child_found_tag_number);
sec_asn1d_record_any_header(child, (char *)&identifier, 1);
}
PORT_Assert(child_found_tag_number < SEC_ASN1_HIGH_TAG_NUMBER);
identifier = (unsigned char)(child_found_tag_modifiers | child_found_tag_number);
sec_asn1d_record_any_header(child, (char *)&identifier, 1);
}
}
}

2
security/nss/tests/policy/crypto-policy.txt
Просмотреть файл

@ -6,8 +6,6 @@
0 disallow=ALL_allow=HMAC-SHA256:HMAC-SHA1:HMAC-SHA384:HMAC-SHA512:SECP256R1:SECP384R1:SECP521R1:aes256-gcm:chacha20-poly1305:aes256-cbc:camellia256-cbc:aes128-gcm:aes128-cbc:camellia128-cbc:SHA256:SHA384:SHA512:SHA1:ECDHE-RSA:ECDHE-ECDSA:RSA:DHE-RSA:rsa-pkcs:rsa-pss:ecdsa:tls-version-min=tls1.0:dtls-version-min=dtls1.0:DH-MIN=1023:DSA-MIN=2048:RSA-MIN=2048 NSS-POLICY-INFO.*LOADED-SUCCESSFULLY Standard policy
0 disallow=ALL_allow=HMAC-SHA1:HMAC-SHA256:HMAC-SHA384:HMAC-SHA512:SECP256R1:SECP384R1:SECP521R1:aes256-gcm:chacha20-poly1305:aes256-cbc:camellia256-cbc:aes128-gcm:aes128-cbc:camellia128-cbc:des-ede3-cbc:rc4:SHA256:SHA384:SHA512:SHA1:ECDHE-RSA:ECDHE-ECDSA:RSA:DHE-RSA:DHE-DSS:rsa-pkcs:rsa-pss:ecdsa:tls-version-min=tls1.0:dtls-version-min=tls1.0:DH-MIN=1023:DSA-MIN=1023:RSA-MIN=1023 NSS-POLICY-INFO.*LOADED-SUCCESSFULLY Legacy policy
0 disallow=ALL_allow=HMAC-SHA256:HMAC-SHA384:HMAC-SHA512:SECP384R1:SECP521R1:aes256-gcm:chacha20-poly1305:SHA384:SHA512:ECDHE-RSA:ECDHE-ECDSA:RSA:DHE-RSA:rsa-pkcs:rsa-pss:ecdsa:tls-version-min=tls1.2:dtls-version-min=dtls1.2:DH-MIN=3072:DSA-MIN=3072:RSA-MIN=3072 NSS-POLICY-INFO.*LOADED-SUCCESSFULLY Reduced policy
0 disallow=ALL_allow=HMAC-SHA256:HMAC-SHA384:HMAC-SHA512:SECP384R1:SECP521R1:aes256-gcm:chacha20-poly1305:SHA384:SHA512:ECDHE-RSA:ECDHE-ECDSA:RSA:DHE-RSA:rsa-pkcs:rsa-pss:ecdsa:tls-version-min=tls1.2:dtls-version-min=dtls1.2:DH-MIN=3072:DSA-MIN=3072:RSA-MIN=3072:KEY-SIZE-FLAGS=KEY-SIZE-SSL,KEY-SIZE-SIGN,KEY-SIZE-VERIFY NSS-POLICY-INFO.*LOADED-SUCCESSFULLY Valid key size
2 disallow=ALL_allow=HMAC-SHA256:HMAC-SHA384:HMAC-SHA512:SECP384R1:SECP521R1:aes256-gcm:chacha20-poly1305:SHA384:SHA512:ECDHE-RSA:ECDHE-ECDSA:RSA:DHE-RSA:rsa-pkcs:rsa-pss:ecdsa:tls-version-min=tls1.2:dtls-version-min=dtls1.2:DH-MIN=3072:DSA-MIN=3072:RSA-MIN=3072:KEY-SIZE-FLAGS=UNKNOWN,KEY-SIZE-SIGN,KEY-SIZE-VERIFY NSS-POLICY-FAIL.*unknown.* Invalid key size
2 disallow=ALL_allow=dtls-version-min=:dtls-version-max= NSS-POLICY-FAIL Missing value
2 disallow=ALL_allow=RSA-MIN=whatever NSS-POLICY-FAIL Invalid value
2 disallow=ALL_allow=flower NSS-POLICY-FAIL Invalid identifier

4
security/nss/tests/ssl/sslpolicy.txt
Просмотреть файл

@ -194,10 +194,6 @@
1 noECC SSL3 d disallow=all_allow=md2/all:md4/all:md5/all:sha1/all:sha256/all:sha384/all:sha512/all:rsa-pkcs/all:rsa-pss/all:ecdsa/all:dsa/all:hmac-sha1/all:hmac-sha224/all:hmac-sha256/all:hmac-sha384/all:hmac-sha512/all:hmac-md5/all:camellia128-cbc/all:camellia192-cbc/all:camellia256-cbc/all:seed-cbc/all:des-ede3-cbc/all:des-40-cbc/all:des-cbc/all:null-cipher/all:rc2/all:rc4/all:idea/all:rsa/all:rsa-export/all:dhe-rsa/all:dhe-dss/all:ecdhe-ecdsa/all:ecdhe-rsa/all:ecdh-ecdsa/all:ecdh-rsa/all:tls-version-min=tls1.0:tls-version-max=tls1.2 Disallow Version Implicitly
0 noECC SSL3 d disallow=dsa Disallow DSA Signatures Explicitly
1 noECC SSL3 d disallow=rsa-pkcs Disallow RSA PKCS 1 Signatures Explicitly
1 noECC SSL3 d allow=rsa-min=16384:key-size-flags=key-size-verify Restrict RSA keys on signature verification
1 noECC SSL3 d allow=rsa-min=16384:key-size-flags=key-size-sign Restrict RSA keys on signing
1 noECC SSL3 d allow=rsa-min=16384:key-size-flags=key-size-ssl Restrict RSA keys when used in SSL
0 noECC SSL3 d allow=rsa-min=1023 Restrict RSA keys when used in SSL
# test default settings
# NOTE: tstclient will attempt to overide the defaults, so we detect we
# were successful by locking in our settings