```
2021-08-17 Robert Relyea <rrelyea@redhat.com>
* lib/softoken/lowpbe.c:
Bug 1726022 Cache additional PBE entries
Firefox password manager is slow to load (22s for 361 passwords on
an i7), using 100% CPU and causing laptop fans to spin up
Possible solution based on increasing the number of cache entries
used by the PKCS5v2 values as the current code thrashes the cache as
we use 2 pbe's per read operation.
This patch is tested for correctness, but not fixing the issue. New
test cases are needed.
[fe82761e35aa] [tip]
```
Differential Revision: https://phabricator.services.mozilla.com/D123442
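The cache thrash described in Bug 1726022 above, as an added illustration that is not NSS code: a tiny LRU cache of derived-key results, where every "read" touches two distinct PBE entries. The cache structure, the integer key ids and the assumption that the two PBEs per read are always the same two are hypothetical; the commit only states that two PBEs are used per read. With one slot the two keys evict each other on every access, so every read pays two full derivations; with two or more slots the derivation runs only twice in total.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical stand-in for a cached PBKDF2 result. In real code the cache key
 * would be the (password, salt, iteration count, algorithm) tuple and the value
 * the derived key; here the key is an integer id and the expensive derivation is
 * counted rather than performed. */
#define MAX_ENTRIES 8

typedef struct {
    int key[MAX_ENTRIES];
    unsigned age[MAX_ENTRIES]; /* larger = more recently used */
    size_t nentries;           /* configured cache size (<= MAX_ENTRIES) */
    size_t used;
    unsigned clock;
    unsigned long misses;      /* each miss stands for one full PBKDF2 run */
} pbe_cache;

void pbe_cache_init(pbe_cache *c, size_t nentries)
{
    memset(c, 0, sizeof(*c));
    c->nentries = nentries > MAX_ENTRIES ? MAX_ENTRIES : nentries;
    if (c->nentries == 0)
        c->nentries = 1;
}

/* Look up a PBE id; on a miss, evict the least recently used slot. */
void pbe_cache_lookup(pbe_cache *c, int key)
{
    size_t i, victim = 0;
    c->clock++;
    for (i = 0; i < c->used; i++) {
        if (c->key[i] == key) {
            c->age[i] = c->clock; /* hit: refresh recency */
            return;
        }
    }
    c->misses++;
    if (c->used < c->nentries) {
        victim = c->used++;
    } else {
        for (i = 1; i < c->used; i++)
            if (c->age[i] < c->age[victim])
                victim = i;
    }
    c->key[victim] = key;
    c->age[victim] = c->clock;
}

/* Simulate `reads` password-store reads, each needing two distinct PBE
 * derivations (constructed workload), and return how many times the
 * expensive derivation had to run for a cache of `cache_size` entries. */
unsigned long simulate_reads(size_t cache_size, unsigned reads)
{
    pbe_cache c;
    unsigned r;
    pbe_cache_init(&c, cache_size);
    for (r = 0; r < reads; r++) {
        pbe_cache_lookup(&c, 1); /* first PBE of the read */
        pbe_cache_lookup(&c, 2); /* second PBE of the read */
    }
    return c.misses;
}
```

For the 361 reads mentioned in the bug, a one-entry cache runs the derivation 722 times while a two-entry cache runs it twice; the remaining cost of each derivation is the iteration count, which the cache does not change.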
Chrome has removed 3DES completely[0], but we're still seeing some uses of it
in telemetry. Our assumption is that this is either due to old devices that
can't be upgraded, and hence probably use TLS 1.0, or servers that bafflingly
choose 3DES when there are other, better, ciphersuites in common.
This patch allows 3DES to only be enabled when deprecated versions of TLS are
enabled. This should protect users against the latter case (where 3DES is
unnecessary) while allowing them to use it in the former case (where it may be
necessary).
NB: The only 3DES ciphersuite gecko makes it possible to enable is
TLS_RSA_WITH_3DES_EDE_CBC_SHA. This patch also changes the preference
corresponding to this ciphersuite from "security.ssl3.rsa_des_ede3_sha" to
"security.ssl3.deprecated.rsa_des_ede3_sha".
[0] https://www.chromestatus.com/feature/6678134168485888
Differential Revision: https://phabricator.services.mozilla.com/D121797
```
2021-08-05 Martin Thomson <mt@lowentropy.net>
* lib/nss/nss.h, lib/softoken/softkver.h, lib/util/nssutil.h:
Set version numbers to 3.69 final
[2f5c77e2c5b9] [NSS_3_69_RTM] <NSS_3_69_BRANCH>
2021-07-30 Martin Thomson <mt@lowentropy.net>
* .hgtags:
Added tag NSS_3_69_BETA1 for changeset 60211e7f03ee
[51b699171a91] <NSS_3_69_BRANCH>
2021-07-29 Martin Thomson <mt@lowentropy.net>
* lib/ssl/sslsock.c:
Bug 1722613 - Disable DTLS 1.0 and 1.1 by default, r=rrelyea
[60211e7f03ee] [NSS_3_69_BETA1]
2021-07-15 Robert Relyea <rrelyea@redhat.com>
* automation/taskcluster/docker-builds/Dockerfile,
automation/taskcluster/docker-gcc-4.4/Dockerfile,
automation/taskcluster/docker/Dockerfile, lib/softoken/sftkpwd.c,
tests/dbtests/dbtests.sh:
Bug 1720226 integrity checks in key4.db not happening on private
components with AES_CBC
When we added support for AES, we also added support for integrity
checks on the encrypted components.
It turns out the code that verifies the integrity checks was broken
in 2 ways:
1. it wasn't accurately operating when AES was being used (the if
statement wasn't actually triggering for AES_CBC because we were
looking for AES in the wrong field).
2. password update did not update the integrity checks in the correct
location, meaning any database with AES encrypted keys, and which
had its password updated, will not be able to validate its keys.
While we found this in a previous rebase, the patch had not been
pushed upstream.
The attached patch needs sqlite3 to run the tests.
[1e86f5cfc1cd]
```
Differential Revision: https://phabricator.services.mozilla.com/D121837
```
2021-07-24 Benjamin Beurdouche <bbeurdouche@mozilla.com>
* doc/rst/build_artifacts.rst, doc/rst/community.rst,
doc/rst/getting_started.rst, doc/rst/index.rst, doc/rst/more.rst,
doc/rst/releases/index.rst, doc/rst/releases/nss_3_64.rst,
doc/rst/releases/nss_3_65.rst, doc/rst/releases/nss_3_66.rst,
doc/rst/releases/nss_3_67.rst, doc/rst/releases/nss_3_68.rst:
Documentation: update and release notes for NSS 3.64 to 3.68
[e9236397be13] [tip]
2021-07-20 Robert Relyea <rrelyea@redhat.com>
* gtests/ssl_gtest/nss_policy.h,
gtests/ssl_gtest/ssl_auth_unittest.cc,
gtests/ssl_gtest/ssl_extension_unittest.cc,
gtests/ssl_gtest/tls_agent.cc, gtests/ssl_gtest/tls_agent.h,
gtests/ssl_gtest/tls_connect.cc, lib/ssl/ssl3con.c,
lib/ssl/sslimpl.h:
Bug 1720235 SSL handling of signature algorithms ignores
environmental invalid algorithms.
Our QA is quite extensive on handling of alert corner cases. Our
code that checks if a signature algorithm is supported ignores the
role of policy. If SHA1 is turned off by policy, for instance, we
only detect that late in the game. This shows up in our test cases
as decrypt_alerts rather than illegal_parameter or handshake_error
alerts. It also shows up in us apparently accepting a client auth
request which only has invalid alerts.
We also don't handle filtering out signature algorithms that are
illegal in tls 13 mode.
This patch not only fixes these issues, but also issues where we
were proposing signature algorithms in server mode that we don't
support by policy.
This patch includes:
In gtests: 1) adding support for policy in ssl_gtests. Currently
both the server and client will run with the same policy. The patch
allows us to set policy on one and keep the old policy on the
other.
2) Update extension tests which failed in tls 1.3 because the patch
now correctly rejects illegal tls 1.3 auth values. The test was
updated to use a legal auth value in tls 1.3 (so we are correctly
testing the format issue).
3) Update extension tests to handle the case where we try to use an
illegal value for tls 1.3.
4) add tests to ssl_auth_unittests.cc to make sure we can properly
connect even when several auth methods are turned off by policy
(make sure we don't advertise them on the client side, and that the
server doesn't select them when the client doesn't advertise them).
5) add tests to ssl_auth_unittests.cc to make sure we don't send
empty client auth requests when the requester only sends invalid
auth requests.
patch itself: 1) The handling of policy checks for ssl schemes were
scattered in various locations. I've consolidated them into a single
function. That function now checks for NSS_ALG_USE_IN_ANY_SIGNATURE
as if this is off by policy, we will fail if we try to use the
algorithm in a signature in any case. NSS now supports policy on all
signature algorithms, not just DSA, so we need to check the policy
of all the algorithms.
2) to support the policy check on the signature algorithms, I added
a new ssl_AuthTypeToOID, which also replaces our switch in checking
if the SPKI matches our auth type.
3) ssl_SignatureSchemeValid now accepts an spkiOid of
SEC_OID_UNKNOWN. To allow us to filter signature schemes based on
version and policy restrictions before we try to select a
certificate. This prevents us from sending empty client auth
messages when we are presented with only invalid signature schemes.
4) We filter supported algorithms against policy early, preventing
us from sending, or even setting invalid algorithms if they are
turned off by policy.
5) ssl_ConsumeSignatureScheme was handling alerts inconsistently.
The Consume could send an alert in its failure case, but the check
of scheme validity wouldn't send an alert. The callers were
inconsistent as well. Now ssl_ConsumeSignatureScheme always sends an
alert on failure, and the callers do not.
[c71bb1bedf7d]
```
Differential Revision: https://phabricator.services.mozilla.com/D120787
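The consolidated validity check described in Bug 1720235 above (one function that applies both the policy restriction and the TLS 1.3 legality rule, then filters a peer's offered list so that an empty result is detected before any certificate selection), as an added example that is not NSS code. The scheme enum, the policy bitmask and the helper names are hypothetical; NSS itself uses SSLSignatureScheme values, NSS_ALG_USE_IN_ANY_SIGNATURE policy bits and ssl_SignatureSchemeValid. The TLS 1.3 rule encoded here is the one from RFC 8446 section 4.2.3: RSASSA-PKCS1-v1_5 and SHA-1 based schemes may be advertised for certificate signatures but may not be used to sign handshake messages.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical identifiers, not NSS's. The numeric values are the IANA
 * SignatureScheme code points. */
enum { TLS_1_2 = 0x0303, TLS_1_3 = 0x0304 };

typedef enum {
    SIG_RSA_PKCS1_SHA1      = 0x0201,
    SIG_ECDSA_SHA1          = 0x0203,
    SIG_RSA_PKCS1_SHA256    = 0x0401,
    SIG_ECDSA_P256_SHA256   = 0x0403,
    SIG_RSA_PSS_RSAE_SHA256 = 0x0804,
    SIG_ED25519             = 0x0807
} sig_scheme;

/* Policy bits: an algorithm whose bit is clear is disabled by policy. */
#define POL_SHA1      0x01u
#define POL_RSA_PKCS1 0x02u
#define POL_RSA_PSS   0x04u
#define POL_ECDSA     0x08u
#define POL_EDDSA     0x10u
#define POL_ALL       0x1fu

/* Every algorithm a scheme depends on must be allowed for signatures. */
static uint32_t scheme_policy_needs(sig_scheme s)
{
    switch (s) {
    case SIG_RSA_PKCS1_SHA1:      return POL_RSA_PKCS1 | POL_SHA1;
    case SIG_ECDSA_SHA1:          return POL_ECDSA | POL_SHA1;
    case SIG_RSA_PKCS1_SHA256:    return POL_RSA_PKCS1;
    case SIG_ECDSA_P256_SHA256:   return POL_ECDSA;
    case SIG_RSA_PSS_RSAE_SHA256: return POL_RSA_PSS;
    case SIG_ED25519:             return POL_EDDSA;
    }
    return 0xffffffffu; /* unknown scheme: never satisfiable */
}

/* RFC 8446 4.2.3: no PKCS#1 v1.5 and no SHA-1 over TLS 1.3 handshake messages. */
static int scheme_legal_for_version(sig_scheme s, int version)
{
    if (version < TLS_1_3)
        return 1;
    switch (s) {
    case SIG_RSA_PKCS1_SHA1:
    case SIG_RSA_PKCS1_SHA256:
    case SIG_ECDSA_SHA1:
        return 0;
    default:
        return 1;
    }
}

/* The single place where both rules are applied. */
int scheme_valid(sig_scheme s, int version, uint32_t policy)
{
    uint32_t need = scheme_policy_needs(s);
    return (need & ~policy) == 0 && scheme_legal_for_version(s, version);
}

/* Filter a peer's advertised list. A return of 0 means there is nothing to
 * sign with: a server must fail the handshake and a client must send no
 * certificate, rather than attempting an empty CertificateVerify. */
size_t filter_schemes(const sig_scheme *in, size_t n, int version,
                      uint32_t policy, sig_scheme *out, size_t out_max)
{
    size_t i, k = 0;
    for (i = 0; i < n && k < out_max; i++)
        if (scheme_valid(in[i], version, policy))
            out[k++] = in[i];
    return k;
}

/* Constructed offers for demonstration: a mixed list and a SHA-1-only list,
 * the latter modelling the "only invalid auth requests" case in the commit. */
static const sig_scheme DEMO_OFFER[] = {
    SIG_RSA_PKCS1_SHA1, SIG_RSA_PKCS1_SHA256, SIG_ECDSA_SHA1,
    SIG_ECDSA_P256_SHA256, SIG_RSA_PSS_RSAE_SHA256, SIG_ED25519
};
static const sig_scheme DEMO_SHA1_ONLY[] = { SIG_RSA_PKCS1_SHA1, SIG_ECDSA_SHA1 };

/* Count survivors of an offer and optionally report the first usable scheme. */
size_t usable_count(const sig_scheme *in, size_t n, int version,
                    uint32_t policy, sig_scheme *first)
{
    sig_scheme out[16];
    size_t k = filter_schemes(in, n, version, policy, out, 16);
    if (first)
        *first = k ? out[0] : (sig_scheme)0;
    return k;
}
```

Filtering with this function before certificate selection, on both the list the local side advertises and the list the peer sends, is what keeps a policy-disabled algorithm from surfacing late as a decrypt-error style failure instead of an illegal_parameter or handshake_failure alert.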
```
2021-07-22 Benjamin Beurdouche <bbeurdouche@mozilla.com>
* doc/rst/index.rst:
Display warning on the new NSS documentation
[8f41147c2192] [tip]
2021-07-20 Robert Relyea <rrelyea@redhat.com>
* lib/softoken/sdb.c:
Bug 1721476 sqlite 3.34 changed its open semantics, causing nss
failures.
https://sqlite.org/forum/info/42cf8e985bb051a2
sqlite is now permissive on opening a readonly file even if you ask
for the file to be opened R/W.
normally sqlite is very conservative in changing its underlying
semantics, but evidently they chose convenience over compatibility.
NSS now needs to check the file permissions itself to preserve nss
semantics.
[f2d34a957599]
2021-07-15 Robert Relyea <rrelyea@redhat.com>
* tests/common/init.sh, tests/common/parsegtestreport.sed,
tests/common/parsegtestreport.sh, tests/gtests/gtests.sh,
tests/ssl_gtests/ssl_gtests.sh:
Bug 1720230 Gtest update changed the gtest reports, losing gtest
details in all.sh reports.
This patch includes the updated .sed script, and an experiment using
bash instead to see how hard it would be to make a more robust
parser.
The robust parser generates identical output as sed, but takes about
30x longer, so instead of subsecond operations, it takes almost half
a minute. With that result, I think we can stay with sed and
continue to update when we get new versions of gtests. (sigh).
time cat report.xml.0 | sed -f parsegtestreport.sed > r1
real 0m0.710s
user 0m0.705s
sys 0m0.008s
time cat report.xml.0 | sh parsegtestreport.sh > r2
real 0m25.066s
user 0m17.759s
sys 0m9.506s
[rrelyea@localhost common]$ diff r1 r2
updated: with review comments from Martin and move the report
parsing to the common code so it can be shared with both ssl_gtests
and gtests shell scripts.
[f12856d5d2c2]
2021-07-13 Robert Relyea <rrelyea@redhat.com>
* gtests/softoken_gtest/softoken_dh_vectors.h, lib/softoken/pkcs11c.c,
lib/softoken/pkcs11i.h, lib/softoken/pkcs11u.c,
lib/softoken/sftkdhverify.c:
Bug 1720228 NSS incorrectly accepting 1536 bit DH primes in FIPS
mode
When NSS is in FIPS mode, it should reject all primes smaller than
2048. The ike 1536 prime is in the accepted primes table. In FIPS
mode it should be rejected.
[d2ec946e601a]
2021-07-15 Robert Relyea <rrelyea@redhat.com>
* cmd/manifest.mn, cmd/sdbthreadtst/Makefile,
cmd/sdbthreadtst/manifest.mn, cmd/sdbthreadtst/sdbthreadtst.c,
cmd/sdbthreadtst/sdbthreadtst.gyp, lib/softoken/sdb.c,
lib/softoken/sftkdb.c, nss.gyp, tests/dbtests/dbtests.sh:
Bug 1720232 SQLite calls could timeout in starvation situations.
Some of our servers could cause random failures when trying to
generate many key pairs from multiple threads. This is caused
because some threads would starve long enough for them to give up on
getting a begin transaction on sqlite. sqlite only allows one
transaction at a time.
Also, there were some bugs in error handling of the broken
transaction case where NSS would try to cancel a transaction after
the begin failed (most cases were correct, but one case in
particular was problematic).
[b54b0d41e51b]
2021-07-13 Robert Relyea <rrelyea@redhat.com>
* lib/pk11wrap/pk11cxt.c, lib/pk11wrap/pk11hpke.c,
lib/softoken/kbkdf.c, lib/softoken/sftkhmac.c,
lib/softoken/sftkike.c:
Bug 1720225 Coverity/cpp scanner errors found in nss 3.67
A number of coverity/scanner issues were found in the kdf code which
was added in nss 3.44 and the fixes never upstreamed, as well as
coverity/scanner errors in nss 3.66. Not all errors were fixed,
those errors which were determined to be false positives were just
recorded. No attempt has been made to fix coverity/scanner errors in
gtests.
[d1b9709d8861]
```
Differential Revision: https://phabricator.services.mozilla.com/D120624
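The permission check that Bug 1721476 above says NSS now has to do itself, as an added example that is not NSS's sdb.c code: inspect the file's mode bits against the caller's effective uid and gid before asking SQLite for a read/write handle, so that a read-only key4.db is reported as such instead of being silently opened read-only. The helper names are hypothetical. The pure mode_allows_write() deliberately looks at permission bits only; root, POSIX ACLs, immutable flags and read-only mounts are not modelled, so a production check should treat this as a first filter and still handle a later SQLITE_READONLY from the write itself.

```c
#include <errno.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper: decide from permission bits alone whether a process
 * with the given uid/gid may write the file described by st. Owner bits win
 * if the uid matches, then group bits, then "other" bits (POSIX order).
 * Pure, so it can be tested with a constructed struct stat. */
int mode_allows_write(const struct stat *st, uid_t uid, gid_t gid)
{
    if (st->st_uid == uid)
        return (st->st_mode & S_IWUSR) != 0;
    if (st->st_gid == gid)
        return (st->st_mode & S_IWGRP) != 0;
    return (st->st_mode & S_IWOTH) != 0;
}

/* Pre-check before sqlite3_open_v2(): returns 0 when the file can be opened
 * the way the caller asked, EACCES when read/write was requested on a file
 * whose bits forbid writing, or the stat() errno otherwise. A missing file is
 * acceptable for a read/write open, since SQLite would create it when
 * SQLITE_OPEN_CREATE is also passed. */
int check_open_mode(const char *path, int want_rw)
{
    struct stat st;
    if (stat(path, &st) != 0)
        return (want_rw && errno == ENOENT) ? 0 : errno;
    if (want_rw && !mode_allows_write(&st, geteuid(), getegid()))
        return EACCES;
    return 0;
}

/* Constructed fixture for exercising mode_allows_write() without touching
 * disk: build a struct stat for a regular file with the given bits and owner. */
int demo_writable(mode_t mode, uid_t owner, gid_t group, uid_t uid, gid_t gid)
{
    struct stat st;
    memset(&st, 0, sizeof st);
    st.st_mode = S_IFREG | mode;
    st.st_uid = owner;
    st.st_gid = group;
    return mode_allows_write(&st, uid, gid);
}
```

Calling check_open_mode(path, 1) and failing the open on EACCES restores the pre-3.34 behaviour of "asked for read/write, got read/write or an error", which is what callers that later write keys into the database rely on.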
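The FIPS minimum described in Bug 1720228 above, as an added example that is not NSS's sftkdhverify.c code: a prime that matches the built-in table of known groups (as the IKE 1536-bit group does) must still be rejected in FIPS mode when it is shorter than 2048 bits, so the size check has to run independently of the table match. The helper names and the `known` flag are hypothetical, and the non-FIPS branch is simplified to "accept only table primes"; real NSS also validates primes that are not in the table.

```c
#include <stddef.h>
#include <string.h>

#define FIPS_DH_MIN_BITS 2048

/* Bit length of a big-endian unsigned integer, ignoring leading zero bytes. */
size_t bn_bit_length(const unsigned char *p, size_t len)
{
    size_t i = 0, bits;
    unsigned char b;
    while (i < len && p[i] == 0)
        i++;
    if (i == len)
        return 0;
    b = p[i];
    bits = (len - i - 1) * 8;
    while (b) {
        bits++;
        b >>= 1;
    }
    return bits;
}

/* Return 1 if the prime may be used for key agreement. `known` says whether
 * it matched the built-in safe-prime table. The FIPS size floor is applied
 * before and regardless of that match, which is the check that was missing. */
int dh_prime_acceptable(const unsigned char *p, size_t len, int known, int fips)
{
    size_t bits = bn_bit_length(p, len);
    if (fips && bits < FIPS_DH_MIN_BITS)
        return 0;
    return known; /* simplification: non-table primes are not accepted here */
}

/* Constructed input: nbytes of 0xff, so the bit length is exactly 8*nbytes
 * (192 bytes stands in for the 1536-bit IKE group, 256 for a 2048-bit one). */
int demo_prime_check(size_t nbytes, int known, int fips)
{
    unsigned char buf[512];
    if (nbytes > sizeof buf)
        return 0;
    memset(buf, 0xff, nbytes);
    return dh_prime_acceptable(buf, nbytes, known, fips);
}
```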
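The two behaviours from Bug 1720232 above, retrying BEGIN instead of giving up on the first busy reply and never issuing a ROLLBACK for a transaction that was never begun, as an added simulation that is not NSS's sdb.c or sftkdb.c code. The fake database, its counters and the function names are hypothetical; a real implementation would sleep between attempts or set sqlite3_busy_timeout() rather than spin.

```c
#include <stddef.h>

#define DB_OK    0
#define DB_BUSY  1
#define DB_ERROR 2

/* Fake database: BEGIN reports busy `busy_left` more times, standing in for
 * other threads holding SQLite's single write transaction. */
typedef struct {
    int busy_left;
    int in_txn;       /* 1 once a BEGIN has succeeded */
    int begin_calls;
    int rollbacks;    /* must stay 0 if no transaction was ever begun */
    int commits;
} fake_db;

static int fake_begin(fake_db *db)
{
    db->begin_calls++;
    if (db->busy_left > 0) {
        db->busy_left--;
        return DB_BUSY;
    }
    db->in_txn = 1;
    return DB_OK;
}

static void fake_rollback(fake_db *db) { db->rollbacks++; db->in_txn = 0; }
static void fake_commit(fake_db *db)   { db->commits++;   db->in_txn = 0; }

/* Retry BEGIN up to max_attempts times before reporting starvation. */
static int begin_with_retry(fake_db *db, int max_attempts)
{
    int rv = DB_BUSY, i;
    for (i = 0; i < max_attempts && rv == DB_BUSY; i++)
        rv = fake_begin(db);
    return rv;
}

/* One write transaction. If BEGIN never succeeded there is nothing to cancel,
 * so the failure path returns without a ROLLBACK; only a started transaction
 * is rolled back when the work inside it fails. */
int run_write_txn(fake_db *db, int max_attempts, int work_fails)
{
    int rv = begin_with_retry(db, max_attempts);
    if (rv != DB_OK)
        return rv;          /* no ROLLBACK here */
    if (work_fails) {
        fake_rollback(db);  /* transaction exists, cancel it */
        return DB_ERROR;
    }
    fake_commit(db);
    return DB_OK;
}

/* Constructed scenario: run one transaction and return the resulting state. */
fake_db demo_scenario(int busy_count, int max_attempts, int work_fails)
{
    fake_db db = { busy_count, 0, 0, 0, 0 };
    run_write_txn(&db, max_attempts, work_fails);
    return db;
}
```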
This step removes all the dependencies of mach commands on
having a MachCommandBase as the `self` by using the `command_context`
argument instead. This also removes any remaining statefulness from those
classes that implement mach commands, ultimately making it easier to move
existing commands out of classes in a follow-up.
Differential Revision: https://phabricator.services.mozilla.com/D118058