This patch adds a new property `process_type` to the launcher process failure
ping, indicating which process type the browser process failed to initialize
as a sandboxed process.
Depends on D83639
Differential Revision: https://phabricator.services.mozilla.com/D83640
2020-08-21 Kevin Jacobs <kjacobs@mozilla.com>
* lib/nss/nss.h, lib/softoken/softkver.h, lib/util/nssutil.h:
Set version numbers to 3.56 final
[809ff9ff0140] [NSS_3_56_RTM] <NSS_3_56_BRANCH>
2020-08-19 Kevin Jacobs <kjacobs@mozilla.com>
* .hgtags:
Added tag NSS_3_56_BETA1 for changeset 52c965eaffa1
[0d8ff40479d5]
Differential Revision: https://phabricator.services.mozilla.com/D87882
2020-08-19 Kevin Jacobs <kjacobs@mozilla.com>
* tests/libpkix/certs/PayPalEE.cert:
Bug 1659792 - Update libpkix tests with unexpired PayPal cert. r=jcj
The in-tree `PayPalEE.cert` expired today. This patch replaces it
with a current copy that expires on 12 Jan 2022.
CI breakage before patch: https://treeherder.mozilla.org/#/jobs?repo=nss&revision=2890f342de631bf6774ac747515a8b5736e20d3f
CI with the fix applied: https://treeherder.mozilla.org/#/jobs?repo=nss-try&revision=bd28f21d8acbcb15502bd4fc606fc9c0ed09c810
[52c965eaffa1] [NSS_3_56_BETA1]
2020-08-18 Kevin Jacobs <kjacobs@mozilla.com>
* tests/interop/interop.sh:
Bug 1659814 - Pull updated tls-interop for dependency fix. r=jcj
[70376af425ae]
* automation/release/nspr-version.txt:
Bug 1656519 - NSS 3.56 should depend on NSPR 4.28. r=kaie
[2890f342de63]
Differential Revision: https://phabricator.services.mozilla.com/D87648
The keys exposed by osclientcerts may be from tokens that cannot do modern
crypto (namely, ECDSA and RSA-PSS). This patch attempts to identify and
differentiate between these keys. Unfortunately, there is no good way of doing
this on macOS at this time, so the implementation assumes everything supports
modern crypto on that platform. Additionally, the Windows implementation can't
make this determination if the cryptographic service provider would show UI, so
again in those cases the implementation assumes modern crypto is available.
Differential Revision: https://phabricator.services.mozilla.com/D86440
This fixes the following error when running on Apple Silicon DTK:
AGX: agxs_util.cpp:355:size_t getSystemMemorySize(): !!! Verification failed: status == 0
Differential Revision: https://phabricator.services.mozilla.com/D87048
When the last private browsing context exits, observers are notified of the
event "last-pb-context-exited". Before this patch, the private browsing shared
TLS state object would clear its list of insecure fallback sites upon observing
this. However, this is not correct, because the list should be set to reflect
the current set of insecure fallback sites as parsed from the preference
"security.tls.insecure_fallback_hosts" (which is by default empty, but wouldn't
be if a user has modified it).
Differential Revision: https://phabricator.services.mozilla.com/D86586
The keys exposed by osclientcerts may be from tokens that cannot do modern
crypto (namely, ECDSA and RSA-PSS). This patch attempts to identify and
differentiate between these keys. Unfortunately, there is no good way of doing
this on macOS at this time, so the implementation assumes everything supports
modern crypto on that platform.
Differential Revision: https://phabricator.services.mozilla.com/D86440
2020-08-07 Kevin Jacobs <kjacobs@mozilla.com>
* lib/pki/tdcache.c:
Bug 1625791 - Call STAN_GetCERTCertificate to load CERTCertificate
trust before caching. r=jcj,keeler
When caching certificates, `td->cache->lock` must not be held when
taking `slot->isPresentLock`. `add_cert_to_cache` holds the former
when calling the sort function in `add_subject_entry`, which will [[ https://searchfox.org/mozilla-central/rev/a3b25e347e2c22207c4b369b99246e4aebf861a7/security/nss/lib/pki/certificate.c#266 | call ]]
`STAN_GetCERTCertificate` -> `fill_CERTCertificateFields` when
`cc->nssCertificate` [[ https://searchfox.org/mozilla-central/rev/a3b25e347e2c22207c4b369b99246e4aebf861a7/security/nss/lib/pki/pki3hack.c#923 | is NULL ]].
There are two problems with this:
1. `fill_CERTCertificateFields` may end up locking
`slot->isPresentLock` (bad ordering, bug 1651564)
2. The above may happen followed by another attempt to lock
`td->cache->lock` (deadlock, this bug).
By calling `STAN_GetCERTCertificate` prior to the first lock of
`td->cache->lock`, we can prevent the problematic call to
`fill_CERTCertificateFields` later on, because `cc->nssCertificate`
will already be filled.
[c06f22733446] [tip]
* gtests/ssl_gtest/ssl_auth_unittest.cc, lib/ssl/ssl3con.c:
Bug 1588941 - Send empty client cert msg when signature scheme
selection fails. r=mt
`ssl3_CompleteHandleCertificateRequest` does essentially two things:
1) Calls the `getClientAuthData` hook for certificate selection, and
2) calls `ssl_PickClientSignatureScheme` to select an appropriate
signature scheme when a cert is selected.
If the first function returns SECFailure, we default to sending an
empty certificate message. If the latter fails, however, this
bubbles up as a [[ https://searchfox.org/mozilla-central/rev/56bb74ea8e04bdac57c33cbe9b54d889b9262ade/security/nss/lib/ssl/tls13con.c#2670 | fatal error ]] (and an assertion failure) on the connection.
Importantly, the signature scheme selection can fail for reasons
that should not be considered fatal - notably when an RSA-PSS cert
is selected, but the token on which the key resides does not
actually support PSS.
This patch treats the failure to find a usable signature scheme as a
"no certificate" response, rather than killing the connection
entirely.
[41ecb7fe5546]
* lib/freebl/Makefile, lib/freebl/freebl_base.gypi,
lib/freebl/mpi/mpi_amd64_common.S, lib/freebl/mpi/mpi_amd64_gas.s:
Bug 1656981 - Use 64x64->128 multiply and MP_COMBA on x86_64 Mac.
r=mt
This patch makes two MPI changes for MacOS:
1. Rename `mpi_amd64_gas.s` to `mpi_amd64_common.S` and add defines
for macho64, allowing Intel Macs to take advantage of the 64x64->128
multiply code.
2. Define and use `NSS_USE_COMBA` on Intel Macs.
Performance results with `rsaperf -n none -p 10 -e -x 65537`
(default 2048-bit key):
Before: `12629.12 operations/s. one operation every 79 microseconds`
With 64x64->128 assembly: `29431.65 operations/s. one operation every 33 microseconds`
With MP_COMBA and 64x64->128 assembly: `30332.99 operations/s. one operation every 32 microseconds`
[330bdab498a3]
* lib/ssl/sslimpl.h:
Bug 1656429 - Clang-format fixup, r=bustage
[07083076fc92]
2020-08-05 Martin Thomson <mt@lowentropy.net>
* gtests/ssl_gtest/ssl_0rtt_unittest.cc,
gtests/ssl_gtest/tls_connect.cc, lib/ssl/ssl3exthandle.c,
lib/ssl/sslimpl.h, lib/ssl/tls13con.c, lib/ssl/tls13replay.c:
Bug 1656429 - Correct RTT estimate used in anti-replay, r=kjacobs
This was never a security problem, but the more time that passes
between the handshake and sending a ticket, the more likely we are
to reject 0-RTT. Eventually, 0-RTT only works if it is delayed in
the network by a surprising amount.
[b4a1c57eb569]
Differential Revision: https://phabricator.services.mozilla.com/D86454
nsNSSComponent has a background task queue that can be used for importing
intermediates from TLS connections instead of using the certificate
verification thread pool.
This patch also addresses places where PSM was directly accessing the isperm
member of CERTCertificate, which is protected by a lock.
Differential Revision: https://phabricator.services.mozilla.com/D86051
2020-07-27 Jan-Marek Glogowski <glogow@fbihome.de>
* lib/freebl/Makefile:
Bug 1652032 Disable all freebl assembler code for MSVC arm64
r=rrelyea,bbeurdouche
There are two places, where NSS tries to compile either x86_64 MSVC
assembler or GCC aarch64 code, which will fail the build. And also
drop the non-MSVC arch build flags for them.
AFAI could identify, there isn't any armasm64 compatible asm code in
the whole NSS library, so I don't even adapt AS for the build. The
cross-build finishes this way.
[d98bbb6168f4]
2020-07-24 Benjamin Beurdouche <bbeurdouche@mozilla.com>
* cmd/bltest/blapitest.c, coreconf/config.gypi, coreconf/config.mk,
lib/freebl/alg2268.c, lib/freebl/deprecated/alg2268.c,
lib/freebl/freebl_base.gypi, lib/freebl/ldvector.c,
lib/freebl/loader.c, lib/freebl/loader.h, lib/freebl/manifest.mn,
lib/softoken/lowpbe.c, lib/softoken/pkcs11c.c:
Bug 1652729 - Add build flag to disable RC2 and relocate to
lib/freebl/deprecated. r=kjacobs
[e6c6f1d2d544]
2020-07-27 Robert Relyea <rrelyea@redhat.com>
* gtests/softoken_gtest/manifest.mn,
gtests/softoken_gtest/softoken_dh_vectors.h,
gtests/softoken_gtest/softoken_gtest.cc,
gtests/softoken_gtest/softoken_gtest.gyp, lib/freebl/blapi.h,
lib/freebl/dh.c, lib/freebl/ldvector.c, lib/freebl/loader.c,
lib/freebl/loader.h, lib/softoken/manifest.mn,
lib/softoken/pkcs11.c, lib/softoken/pkcs11c.c,
lib/softoken/pkcs11i.h, lib/softoken/pkcs11u.c,
lib/softoken/sftkdhverify.c, lib/softoken/softoken.gyp:
Bug 1648822 Add stricter validation of DH keys when in FIPS mode.
Update: FIPS now also requires us to do y^q mod p testing on key
generation (always). We now do that in FIPS mode only, but in all
modes we do full DH verification for DH and ECDH. Because of this,
the path has now separated out the prime checks, which are now only
done for the DH operation if we aren't using a known prime and the
subprime value has been provided. I've also learned we can accept
keys that we do full validation on in FIPS mode, so I've added that
to this patch, though we still can't generate those kinds of keys
without adding the subprime at keygen time.
The new FIPS standard is dh operations must use approved primes.
Approved primes are those selected in the tls and ike RFCs.
Currently tls and ike have modes with checks whether the primes are
approved, but the check may not always happen. The safest thing to
do in FIPS mode is only allow those primes. In addition, FIPS
requires 1 < y < p-1 (or technically 2 <= y <= p-2; since y is an integer
those two tests are identical).
While making changes I realized we would want a mode where we can do
more strict checks on the prime while not requiring that the prime
be an approved prime. We already allow for strict checking if q is
supplied with the private key, but there were a couple of issues
with that check:
1. There was no way of actually setting q in the current NSS
pk11wrap interfaces.
2. If the prime was a safe prime, but g was an actual generator, then
we would fail the y^q mod p = 1 tests for 50% of the keys, even though
those keys are safe.
3. We weren't checking primality of p and q.
So the old code:
```
if (q) {
    check y^q mod p = 1, fail if not
}
check 1 < y < p-1 (done in DH_Derive)
```
New code:
```
if (! p is approved prime) {
    if (FIPS) fail;
    if (q) {
        y_test = y
        if (p,q -> p is a safe prime) { y_test = 1 }
        check prime is prime, fail if not
        check subprime is subprime, fail if not
        y_test^q mod p = 1
    }
}
check 1 < y < p-1 (done in DH_Derive)
```
This means:
Existing non-FIPS code without setting the subprime continues to run
as before. Non-FIPS code which sets the subprime now runs slower,
but p and q are checked; if p or q were not prime, the derive fails
(which it should). In FIPS mode only approved primes will succeed
now. Non-FIPS code can now set the subprime to q=(p-1)/2 if it
doesn't have an explicit q value (like in tls). If the derive
succeeds, we know that p is a safe prime. If p is approved, the
checks are skipped because we already know that p is a safe prime.
Code can optionally do a test derive on a new p and remember it's
safe so that we no longer need to check every call (though if q is
not (p-1)/2, you will need to continue to do the checks each call
because y could still be in a small subgroup).
This patch:
gtests/softoken_gtest
1. Added new DH tests to softoken_gtests. The tests were added to
softoken_gtests because we need to test both non-FIPS and FIPS mode.
Test vectors include a category, so the same test vectors can be
used in FIPS and non-FIPS even though each class may have different
results. Most of the test vectors were created either by the dhparams
command in openssl, dsaparams in openssl, or the nss makepqg
command. Each vector includes a label, prime, base, optional
subprime, optional public key, test type, and key class (basically
size).
2. If a public key is not supplied, we use a generated public key.
3. If subPrime is supplied, we set it on the private key after
generation.
lib/freebl/dh.c
Add primality tests to KEA_VerifyKey().
lib/softokn/
1. Allow CKA_SUBPRIME to be set after key generation or import.
This affects how we test for its existence; since it is now always
there on the key, we check its length to make sure it's non-zero.
2. We implement the pseudocode above as real code.
3. We create two new functions: sftl_VerifyDH_Prime, which returns
SECSuccess if Prime is an approved prime, and sftk_IsSafePrime, which
returns SECSuccess if both prime and subprime look reasonable, and
sets a Bool to PR_TRUE if subprime -> prime is safe
(subprime = (prime-1)/2). These functions are implemented in
sftkdhverify.c.
4. Cleanup incorrect nomenclature on primes (safe primes are not
strong primes).
[0be91fa2217a]
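The public-value checks described in the commit message above, as an added example that is not NSS code: it implements the "new code" pseudocode (approved-prime gate in FIPS mode, primality of p and q, the y^q mod p = 1 subgroup test skipped for safe primes, and the 1 < y < p-1 range check) on constructed toy parameters small enough for 64-bit arithmetic. Trial division stands in for the probabilistic primality test a real implementation uses, the approved-prime list is a stub that approves nothing, and `naive_subgroup_rejections` shows why the safe-prime shortcut matters: with a full generator, half of all in-range public values fail the y^q test even though they are safe.

```c
/* Added example, not NSS code: DH public-value validation on toy parameters
 * (p < 2^32 so products fit in uint64_t). Trial division replaces Miller-Rabin
 * and the approved-prime table is a stub; both are labelled assumptions. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

typedef enum {
    DH_OK = 0,
    DH_NOT_APPROVED,     /* FIPS mode: p is not on the approved list */
    DH_BAD_PRIME,        /* p failed the primality check */
    DH_BAD_SUBPRIME,     /* q is not prime or does not divide p-1 */
    DH_NOT_IN_SUBGROUP,  /* y^q mod p != 1: y lies outside the order-q group */
    DH_BAD_RANGE         /* 1 < y < p-1 violated (the DH_Derive check) */
} dh_result;

static uint64_t powmod(uint64_t base, uint64_t exp, uint64_t m) {
    uint64_t result = 1 % m;
    base %= m;
    while (exp) {
        if (exp & 1) result = (result * base) % m;   /* no overflow for m < 2^32 */
        base = (base * base) % m;
        exp >>= 1;
    }
    return result;
}

/* Trial division: adequate for toy sizes, stands in for a real primality test. */
static bool is_prime(uint64_t n) {
    if (n < 2) return false;
    if (n % 2 == 0) return n == 2;
    for (uint64_t d = 3; d * d <= n; d += 2)
        if (n % d == 0) return false;
    return true;
}

/* Stub for the approved-prime table (the TLS/IKE RFC groups). The toy primes
 * used here are never approved, so every check path below is exercised. */
static bool is_approved_prime(uint64_t p) { (void)p; return false; }

/* q == 0 means no subprime was supplied, matching the "if (q)" in the pseudocode. */
dh_result dh_verify_public_value(uint64_t p, uint64_t q, uint64_t y, bool fips) {
    if (!is_approved_prime(p)) {
        if (fips) return DH_NOT_APPROVED;
        if (q != 0) {
            if (!is_prime(p)) return DH_BAD_PRIME;
            if (!is_prime(q) || (p - 1) % q != 0) return DH_BAD_SUBPRIME;
            /* Safe prime (p = 2q+1): the only small element orders are 1 and 2,
             * and the range check below already rejects those values, so the
             * subgroup test is unnecessary. This is the "y_test = 1" branch;
             * without it a full generator g fails the test for half the keys. */
            bool safe_prime = (q == (p - 1) / 2);
            if (!safe_prime && powmod(y, q, p) != 1) return DH_NOT_IN_SUBGROUP;
        }
    }
    /* Always: 1 < y < p-1 (equivalently 2 <= y <= p-2). */
    if (y <= 1 || y >= p - 1) return DH_BAD_RANGE;
    return DH_OK;
}

/* Count the in-range public values a naive y^q == 1 check would reject for
 * (p, q). For a safe prime with a full generator this is half of them. */
uint64_t naive_subgroup_rejections(uint64_t p, uint64_t q) {
    uint64_t rejected = 0;
    for (uint64_t y = 2; y <= p - 2; y++)
        if (powmod(y, q, p) != 1) rejected++;
    return rejected;
}

int main(void) {
    /* Constructed parameters: p = 23 is a safe prime (q = 11); p = 31 is not
     * (p-1 = 2*3*5), so with q = 5 only the order-5 subgroup is accepted. */
    printf("safe prime p=23, y=10:      %d\n", dh_verify_public_value(23, 11, 10, false));
    printf("naive check rejects %llu of 20 values for p=23\n",
           (unsigned long long)naive_subgroup_rejections(23, 11));
    printf("p=31 q=5, y=2 (order 5):    %d\n", dh_verify_public_value(31, 5, 2, false));
    printf("p=31 q=5, y=3 (not in grp): %d\n", dh_verify_public_value(31, 5, 3, false));
    printf("FIPS, non-approved p:       %d\n", dh_verify_public_value(23, 11, 10, true));
    return 0;
}
```

The order of the checks follows the pseudocode: with no subprime and outside FIPS mode nothing but the range check runs (the pre-patch behaviour), while supplying q turns on the primality and subgroup checks, which is why the commit notes that non-FIPS callers who set q pay for the extra work.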
* gtests/softoken_gtest/softoken_dh_vectors.h,
gtests/softoken_gtest/softoken_gtest.cc:
Fix more of the timeout issues on tests. (Drop expensive 4098 DH
tests.)
[4014c075a31b]
2020-07-29 Makoto Kato <m_kato@ga2.so-net.ne.jp>
* coreconf/config.gypi, lib/freebl/Makefile, lib/freebl/blinit.c,
lib/freebl/freebl.gyp, lib/freebl/sha1-armv8.c,
lib/freebl/sha_fast.c, lib/freebl/sha_fast.h:
Bug 1650702 - Use ARM's crypt extension for SHA1. r=kjacobs
ARM Crypto extension has SHA1 acceleration. Using this, SHA1 is 3
times faster on ARMv8 CPU. The following data is AWS's a1 instance
(Cortex-A72).
Before
```
# mode in opreps cxreps context op time(sec) thrgput
sha1_e 954Mb 31M 0 0.000 10000.000 10.000 95Mb
```
After
```
# mode in opreps cxreps context op time(sec) thrgput
sha1_e 2Gb 94M 0 0.000 10000.000 10.000 288Mb
```
[68b6eb737689]
2020-07-29 Jan-Marek Glogowski <glogow@fbihome.de>
* manifest.mn:
Bug 1653975 - Set "all" as the default Makefile target r=jcj,rrelyea
Just reorder the rules in manifest.mn, so all is again the first
rule. This restores pre-3.53 Makefile defaults.
[eb52747b7000]
2020-07-31 Makoto Kato <m_kato@ga2.so-net.ne.jp>
* lib/freebl/blapii.h, lib/freebl/blinit.c, nss-tool/hw-support.c:
Bug 1654142 - Add CPU feature detection for Intel SHA extension.
r=kjacobs
[e6b77a9c417a]
2020-08-03 Nathan Froyd <froydnj@mozilla.com>
* coreconf/detect_host_arch.py:
Bug 1656986 - special-case arm64 in detect_host_arch.py; r=jcj
This case comes up when attempting to build NSS on ARM64 Mac. If we
don't do this, we wind up detecting arm64 as "arm", with predictably
bad consequences.
[afa38fb2f0b5] [tip]
Differential Revision: https://phabricator.services.mozilla.com/D85888
When the macOS osclientcerts backend looks for issuer certificates, it can
result in network I/O unless it is specifically disabled. The Windows backend
already handles this, so this only applies to macOS.
Differential Revision: https://phabricator.services.mozilla.com/D85799
CLOSED TREE
Backed out changeset 30c58380f352 (bug 1635828)
Backed out changeset d232cb3c4779 (bug 1635828)
Backed out changeset 7c47f9b403ae (bug 1635828)
Allow access to the "com.apple.trustd.agent" service in the content process sandbox. VTDecompressionSessionCreate() fails without it, causing playback failure for some MP4 videos.
Translate deprecated OS version numbers so that sandbox version checks don't need to check for 10.16.
Differential Revision: https://phabricator.services.mozilla.com/D85213
This includes updates to authenticator, cubeb-coreaudio,
metal, gfx-backend-vulkan, gfx-backend-metal, freetype
libloading is duplicated because of ash
Differential Revision: https://phabricator.services.mozilla.com/D84688
2020-07-24 J.C. Jones <jjones@mozilla.com>
* lib/nss/nss.h, lib/softoken/softkver.h, lib/util/nssutil.h:
Set version numbers to 3.55 final
[6705eec655c8] [NSS_3_55_RTM] <NSS_3_55_BRANCH>
2020-07-22 Kai Engert <kaie@kuix.de>
* lib/nss/nssinit.c:
Bug 1653310 - Backed out changeset ca207655b4b7, because with
updated NSPR this workaround is no longer required. r=kjacobe
[a448fe36e58b]
2020-07-21 Kevin Jacobs <kjacobs@mozilla.com>
* .hgtags:
Added tag NSS_3_55_BETA1 for changeset 0768baa431e7
[2572e14f17d6]
Differential Revision: https://phabricator.services.mozilla.com/D84845
osclientcerts requires functions that are available starting in macOS 10.14, so
it shouldn't be possible to enable it in earlier versions.
Differential Revision: https://phabricator.services.mozilla.com/D84764
2020-07-21 Benjamin Beurdouche <bbeurdouche@mozilla.com>
* cmd/bltest/blapitest.c:
Bug 1653202 - Fix issue disabling other mechanisms when SEED is
deprecated in cmd/bltest/blapitest.c. r=kjacobs
[0768baa431e7] [NSS_3_55_BETA1]
2020-07-21 Kevin Jacobs <kjacobs@mozilla.com>
* automation/release/nspr-version.txt:
Bug 1652331 - NSS 3.55 should depend on NSPR 4.27. r=kaie
[3deefc218cd9]
2020-07-20 Billy Brumley <bbrumley@gmail.com>
* lib/freebl/ec.c:
Bug 1631573: Remove unnecessary scalar padding in ec.c
r=kjacobs,bbeurdouche
Subsequent calls to ECPoints_mul and ECPoint_mul remove this
padding.
Timing attack countermeasures are now applied more generally deeper
in the call stack.
[aeb2e583ee95]
2020-07-20 Kai Engert <kaie@kuix.de>
* lib/nss/nssinit.c:
Bug 1653310 - On macOS check if nssckbi exists prior to loading it.
r=kjacobs
[ca207655b4b7]
Differential Revision: https://phabricator.services.mozilla.com/D84420
WebRender makes extensive use of shared memory buffers, particularly for
images decoded in the content process. These images can be arbitrarily
large, and there being insufficient memory for an allocation must be
handled gracefully.
On Linux, we will currently crash with a SIGBUS signal during image
decoding instead of just displaying the broken image tag. This is
because the pages backing the shared memory are only allocated when we
write to them. This blocks shipping WebRender on Linux.
This patch uses posix_fallocate to force the reservation of the pages,
and allows failing gracefully if they are unavailable.
Differential Revision: https://phabricator.services.mozilla.com/D80650
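The reservation pattern the commit above describes, as an added example that is not Firefox or WebRender code: the backing pages of a mapping are reserved with posix_fallocate before anything is written, so an out-of-space condition comes back as an error code rather than a SIGBUS on the first write into the map. Assumptions: Linux/glibc, and an unlinked temporary file under /tmp standing in for the shared-memory segment (the mechanism is identical for memfd- or shm-backed mappings).

```c
/* Added example, not Firefox code: reserve pages up front so allocation
 * failure is reported as errno instead of SIGBUS. Assumes Linux/glibc and
 * uses an unlinked temp file in place of a real shared-memory segment. */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

typedef struct {
    int fd;
    uint8_t *map;
    size_t len;
} shared_buffer;

/* Returns 0 on success or a positive errno value (ENOSPC, EFBIG, ...) on
 * failure, leaving *buf untouched so the caller can fall back gracefully. */
int shared_buffer_create(shared_buffer *buf, size_t len) {
    char path[] = "/tmp/shared-buffer-XXXXXX";   /* constructed name template */
    int fd = mkstemp(path);
    if (fd < 0) return errno;
    unlink(path);                                 /* the fd keeps it alive */

    if (ftruncate(fd, (off_t)len) != 0) { int e = errno; close(fd); return e; }

    /* The key step: ftruncate alone only sets the size, and pages are then
     * allocated lazily on first write, where a full filesystem means SIGBUS.
     * posix_fallocate reserves them now and reports failure as a return value
     * (it returns the error number directly rather than setting errno). */
    int rc = posix_fallocate(fd, 0, (off_t)len);
    if (rc != 0) { close(fd); return rc; }

    void *map = mmap(NULL, len, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
    if (map == MAP_FAILED) { int e = errno; close(fd); return e; }

    buf->fd = fd;
    buf->map = (uint8_t *)map;
    buf->len = len;
    return 0;
}

void shared_buffer_destroy(shared_buffer *buf) {
    munmap(buf->map, buf->len);
    close(buf->fd);
    buf->map = NULL;
    buf->fd = -1;
    buf->len = 0;
}

/* Create a buffer, write into every page as a decoder would, verify the
 * contents and release it. Returns 0 on success, the errno value from
 * creation on failure, or -1 if the written bytes did not read back. */
int demo_roundtrip(size_t len) {
    shared_buffer buf;
    int rc = shared_buffer_create(&buf, len);
    if (rc != 0) return rc;
    memset(buf.map, 0xA5, buf.len);
    int ok = (buf.map[0] == 0xA5 && buf.map[buf.len - 1] == 0xA5);
    shared_buffer_destroy(&buf);
    return ok ? 0 : -1;
}

int main(void) {
    int rc = demo_roundtrip((size_t)16 << 20);   /* 16 MiB, as a large decoded image might need */
    if (rc == 0)
        printf("reserved and wrote 16 MiB\n");
    else
        printf("reservation failed: %s\n", strerror(rc));
    return rc == 0 ? 0 : 1;
}
```

When the filesystem backing the segment cannot satisfy the request, `shared_buffer_create` returns ENOSPC before any mapping exists, which is the point at which a caller can substitute a broken-image placeholder instead of crashing.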
2020-07-16 Billy Brumley <bbrumley@gmail.com>
* lib/freebl/ecl/ecl-priv.h, lib/freebl/ecl/ecl.c,
lib/freebl/ecl/ecp_secp521r1.c, lib/freebl/freebl_base.gypi,
lib/freebl/manifest.mn:
Bug 1631583 - ECC: constant time P-521 r=kjacobs,rrelyea,bbeurdouche
This portable code contributed by the Network and Information
Security Group (NISEC) at Tampere University comes from:
[ECCKiila](https://gitlab.com/nisec/ecckiila) that uses
[Fiat](https://github.com/mit-plv/fiat-crypto) for the underlying
field arithmetic.
Co-authored-by: Luis Rivera-Zamarripa <luis.riverazamarripa@tuni.fi>
Co-authored-by: Jesús-Javier Chi-Domínguez
<jesus.chidominguez@tuni.fi>
[ca068f5b5c17] [tip]
* lib/freebl/ecl/ecl-priv.h, lib/freebl/ecl/ecl.c,
lib/freebl/ecl/ecp_secp384r1.c, lib/freebl/freebl_base.gypi,
lib/freebl/manifest.mn, tests/ec/ectest.sh:
Bug 1631583 - ECC: constant time P-384 r=bbeurdouche,rrelyea
This portable code contributed by the Network and Information
Security Group (NISEC) at Tampere University comes from:
[ECCKiila](https://gitlab.com/nisec/ecckiila) that uses
[Fiat](https://github.com/mit-plv/fiat-crypto) for the underlying
field arithmetic.
Co-authored-by: Luis Rivera-Zamarripa <luis.riverazamarripa@tuni.fi>
Co-authored-by: Jesús-Javier Chi-Domínguez
<jesus.chidominguez@tuni.fi>
[d19a3cd451bb]
2020-07-13 Robert Relyea <rrelyea@redhat.com>
* lib/pk11wrap/pk11pub.h:
Bug 1643528 Cannot compile code with nss headers and -Werror=strict-prototypes
r=kjacobs
[01ffd8fef7fa]
2020-07-10 Daiki Ueno <dueno@redhat.com>
* gtests/ssl_gtest/ssl_auth_unittest.cc, lib/ssl/ssl3con.c,
lib/ssl/ssl3exthandle.c, lib/ssl/sslimpl.h,
lib/ssl/tls13exthandle.c:
Bug 1646324, advertise rsa_pkcs1_* schemes in CH and CR for certs,
r=mt
Summary: In TLS 1.3, unless "signature_algorithms_cert" is
advertised, the "signature_algorithms" extension is used as an
indication of supported algorithms for signatures on certificates.
While rsa_pkcs1_* signature schemes cannot be used for signing
handshake messages, they should be advertised if the peer wants to
support certificates signed with RSA PKCS#1.
This adds a flag to ssl3_EncodeSigAlgs() and ssl3_FilterSigAlgs() to
preserve rsa_pkcs1_* schemes in the output.
Reviewers: mt
Reviewed By: mt
Bug #: 1646324
[df1d2695e115]
2020-07-09 Benjamin Beurdouche <bbeurdouche@mozilla.com>
* gtests/pk11_gtest/pk11_pbkdf2_unittest.cc, lib/pk11wrap/pk11pbe.c:
Bug 1649648 - Fix null pointers passed as argument in
pk11wrap/pk11pbe.c:886 r=kjacobs
[de661583d467]
Differential Revision: https://phabricator.services.mozilla.com/D83824
PSM internals are currently tightly coupled with NSS data types. In many cases
this is unnecessary, because PSM often needs only a sequence of bytes (in the
case of certificates, for example). This tight coupling can also have
performance and architectural impacts. For example, thread contention for NSS
resources has caused performance issues in the past. This patch starts the
process of avoiding using these types as much as possible in PSM.
More specifically, RootCABinNumber can take a Span<uint8_t> instead of a
SECItem. Instead of taking a PK11SlotInfo (which essentially requires having a
CERTCertificate), we can use PK11_FindEncodedCertInSlot to see if the
certificate exists on a small number of specific slots to achieve the same
effect as before. Doing this should eventually allow us to avoid creating a
CERTCertificate, which implicitly involves searching all slots on all modules.
Differential Revision: https://phabricator.services.mozilla.com/D83682
With these changes, on my Linux analysis with ClangBuildAnalyzer, the
top two expensive headers, DOMTypes.h and TabMessageUtils.h are no longer
among the 30 most expensive headers.
Differential Revision: https://phabricator.services.mozilla.com/D82935
Before this patch, the "Servers" tab of the certificate manager would show
built-in distrust records that had corresponding certificates (lately, this has
only consisted of two DigiNotar look-alike roots that were added many years ago
to block the real DigiNotar roots and potential cross-signs).
This patch changes the implementation to only show certificates that actually
have a corresponding error override in the "Servers" tab.
Differential Revision: https://phabricator.services.mozilla.com/D83190
As of kernel 5.8 (commit [e9c15badb][]), Linux will set the internal
`FMODE_NONOTIFY` flag on files that don't exist in the filesystem,
including (unnamed) pipes and sockets. Although this flag isn't
properly part of the userspace API, it will be returned by F_GETFL, so
userspace code that tries to change file flags will pass it to F_SETFL.
The implementation of `F_SETFL` has an allow list of flags userspace can
change (`SETFL_MASK`) and ignores all others, but our sandbox has a list
of flags *known* to be ignored, because currently unknown flags could
potentially be accepted by the kernel in the future.
This patch adds `FMODE_NONOTIFY` as an ignored flag.
[e9c15badb]: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=e9c15badbb7b20ccdbadf5da14e0a68fbad51015
Differential Revision: https://phabricator.services.mozilla.com/D83205
Evidently, keys stored on some tokens can only be accessed via the deprecated
CryptoAPI interface. This patch adds support for such keys.
Differential Revision: https://phabricator.services.mozilla.com/D82789
2020-06-26 Kevin Jacobs <kjacobs@mozilla.com>
* automation/abi-check/expected-report-libssl3.so.txt,
automation/abi-check/previous-nss-release, lib/nss/nss.h,
lib/softoken/softkver.h, lib/util/nssutil.h:
Set version numbers to 3.55 beta
[332ab7db68ba]
2020-06-25 Kevin Jacobs <kjacobs@mozilla.com>
* tests/all.sh:
Bug 1649190 - Run cipher, sdr, and ocsp tests under standard test
cycle.
[f373809abfc0]
2020-06-15 Kevin Jacobs <kjacobs@mozilla.com>
* gtests/common/testvectors/p256ecdsa-sha256-vectors.h,
gtests/common/testvectors/p384ecdsa-sha384-vectors.h,
gtests/common/testvectors/p521ecdsa-sha512-vectors.h,
gtests/common/testvectors_base/test-structs.h,
gtests/common/wycheproof/genTestVectors.py,
gtests/pk11_gtest/pk11_ecdsa_unittest.cc:
Bug 1649226 - Add Wycheproof ECDSA tests.
[41292ff7f545]
2020-06-30 Benjamin Beurdouche <bbeurdouche@mozilla.com>
* lib/pkcs12/p12d.c:
Bug 1649322 - Fix null pointer passed as argument in
pk11wrap/pk11pbe.c:1246 r=kjacobs
[cc43ebf5bf88]
2020-06-30 Danh <congdanhqx@gmail.com>
* coreconf/arch.mk, coreconf/config.mk, lib/freebl/Makefile:
Bug 1646594 - Enable AVX2 if applicable on x86_64 with make 4.3
r=bbeurdouche
[b579895aceb0]
2020-07-02 Benjamin Beurdouche <bbeurdouche@mozilla.com>
* lib/ssl/ssl3con.c:
Bug 1649316 - Prevent memcmp to be called with a zero length in
ssl/ssl3con.c:6621 r=kjacobs
[8fe9213d0551]
2020-07-02 Alexander Scheel <ascheel@redhat.com>
* lib/cryptohi/secvfy.c:
Bug 1649487 - Fix bad assert in VFY_EndWithSignature. r=jcj
[c9438b528103]
2020-07-06 Dana Keeler <dkeeler@mozilla.com>
* automation/abi-check/expected-report-libnss3.so.txt,
gtests/pk11_gtest/pk11_find_certs_unittest.cc, lib/nss/nss.def,
lib/pk11wrap/pk11cert.c, lib/pk11wrap/pk11pub.h:
Bug 1649633 - add PK11_FindEncodedCertInSlot r=kjacobs,jcj
PK11_FindEncodedCertInSlot can be used to determine the PKCS#11
object handle of an encoded certificate in a given slot. If the
given certificate does not exist in that slot, CK_INVALID_HANDLE is
returned.
[32fe710a942f]
* gtests/pk11_gtest/pk11_find_certs_unittest.cc:
Bug 1649633 - follow-up to make test comparisons in
pk11_find_certs_unittest.cc yoda comparisons r=kjacobs
[424dae31a1c1]
2020-07-07 Kevin Jacobs <kjacobs@mozilla.com>
* gtests/pk11_gtest/pk11_rsapkcs1_unittest.cc, lib/freebl/rsapkcs.c:
Bug 1067214 - Check minimum padding in RSA_CheckSignRecover.
r=rrelyea
This patch adds a check to `RSA_CheckSignRecover` enforcing a
minimum padding length of 8 bytes for PKCS #1 v1.5-formatted
signatures. In practice, RSA key size requirements already ensure
this requirement is met, but smaller (read: broken) key sizes can be
used via configuration overrides, and NSS should just follow the
spec.
[e5324bd5a885]
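The padding check the commit above adds, as an added example that is not NSS code: it parses an EMSA-PKCS1-v1_5 block type 1 encoded message (the value recovered by the public RSA operation) and refuses any block whose 0xFF padding string PS is shorter than the 8 octets PKCS #1 v1.5 requires. The sample blocks are constructed, a few bytes long rather than modulus-sized, so each failure mode can be seen on its own.

```c
/* Added example, not NSS code: EMSA-PKCS1-v1_5 block type 1 parsing with the
 * 8-byte minimum padding check. Sample blocks below are constructed. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define RSA_PKCS1_MIN_PADDING 8   /* PKCS #1 v1.5: PS is at least 8 octets */

typedef enum {
    RSA_PAD_OK = 0,
    RSA_PAD_INPUT_TOO_SHORT,  /* cannot even hold 00 01 PS 00 */
    RSA_PAD_BAD_BLOCK_TYPE,   /* not 0x00 0x01, or a non-0xFF byte inside PS */
    RSA_PAD_NO_SEPARATOR,     /* PS runs to the end with no 0x00 terminator */
    RSA_PAD_PS_TOO_SHORT      /* fewer than 8 bytes of 0xFF before the 0x00 */
} rsa_pad_result;

/* EM = 0x00 || 0x01 || PS (0xFF x k, k >= 8) || 0x00 || T
 * On success *data/*data_len point at T inside em. The input is the result
 * of a public-key operation, so no constant-time handling is needed here. */
rsa_pad_result rsa_unpad_block_type_1(const uint8_t *em, size_t em_len,
                                      const uint8_t **data, size_t *data_len) {
    if (em_len < 2 + RSA_PKCS1_MIN_PADDING + 1) return RSA_PAD_INPUT_TOO_SHORT;
    if (em[0] != 0x00 || em[1] != 0x01) return RSA_PAD_BAD_BLOCK_TYPE;
    size_t i = 2;
    while (i < em_len && em[i] == 0xFF) i++;
    if (i == em_len) return RSA_PAD_NO_SEPARATOR;
    if (em[i] != 0x00) return RSA_PAD_BAD_BLOCK_TYPE;
    /* The check this commit adds: |PS| = i - 2 must be at least 8. */
    if (i - 2 < RSA_PKCS1_MIN_PADDING) return RSA_PAD_PS_TOO_SHORT;
    *data = em + i + 1;
    *data_len = em_len - (i + 1);
    return RSA_PAD_OK;
}

/* Constructed sample blocks (a real EM is as long as the modulus). */
static const uint8_t EM_VALID[] = {
    0x00, 0x01, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 'a', 'b', 'c' };
static const uint8_t EM_SHORT_PS[] = {      /* only 7 bytes of 0xFF */
    0x00, 0x01, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 'a', 'b', 'c' };
static const uint8_t EM_BAD_TYPE[] = {      /* block type 2, not 1 */
    0x00, 0x02, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 'a', 'b', 'c' };
static const uint8_t EM_NO_SEP[] = {        /* padding never terminates */
    0x00, 0x01, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF };

/* Convenience wrappers so a caller can check status and recovered length. */
rsa_pad_result vector_status(const uint8_t *em, size_t em_len) {
    const uint8_t *t;
    size_t t_len;
    return rsa_unpad_block_type_1(em, em_len, &t, &t_len);
}

size_t vector_data_len(const uint8_t *em, size_t em_len) {
    const uint8_t *t;
    size_t t_len = 0;
    return rsa_unpad_block_type_1(em, em_len, &t, &t_len) == RSA_PAD_OK ? t_len : 0;
}

int main(void) {
    printf("valid:      %d (data len %zu)\n", vector_status(EM_VALID, sizeof EM_VALID),
           vector_data_len(EM_VALID, sizeof EM_VALID));
    printf("short PS:   %d\n", vector_status(EM_SHORT_PS, sizeof EM_SHORT_PS));
    printf("bad type:   %d\n", vector_status(EM_BAD_TYPE, sizeof EM_BAD_TYPE));
    printf("no sep:     %d\n", vector_status(EM_NO_SEP, sizeof EM_NO_SEP));
    return 0;
}
```

As the commit notes, a modulus of sane size always leaves room for the 8-byte PS, so the check only bites when an undersized key has been forced through configuration; enforcing it anyway keeps the parser aligned with the specification rather than with assumptions about key size.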
2020-07-08 Kevin Jacobs <kjacobs@mozilla.com>
* gtests/ssl_gtest/libssl_internals.c,
gtests/ssl_gtest/libssl_internals.h,
gtests/ssl_gtest/ssl_record_unittest.cc,
gtests/ssl_gtest/tls_agent.cc, gtests/ssl_gtest/tls_agent.h,
lib/ssl/dtls13con.c, lib/ssl/dtls13con.h, lib/ssl/ssl3con.c,
lib/ssl/ssl3prot.h, lib/ssl/sslspec.h, lib/ssl/sslt.h,
lib/ssl/tls13con.c, lib/ssl/tls13exthandle.c:
Bug 1647752 - Update DTLS 1.3 implementation to draft-38. r=mt
This patch updates DTLS 1.3 to draft-38. Specifically:
1. `ssl_ct_ack` value changes from 25 to 26.
2. AEAD limits in `tls13_UnprotectRecord` enforce a maximum of 2^36-1
(as we only support GCM/ChaCha20 AEADs) decryption failures before the
connection is closed.
3. Post-handshake authentication will no longer be negotiated in
DTLS 1.3. This allows us to side-step the more convoluted state
machine requirements.
[132a87fc8689]
2020-07-09 Benjamin Beurdouche <bbeurdouche@mozilla.com>
* lib/pk11wrap/pk11pbe.c, lib/pkcs12/p12d.c:
Bug 1649322 - Fix null pointer passed as argument in
pk11wrap/pk11pbe.c:1246 r=kjacobs
This is a fixup patch that reverts https://hg.mozilla.org/projects/nss/rev/cc43ebf5bf88355837c5fafa2f3c46e37626707a
and adds a null check around the memcpy in question.
[80bea0e22b20]
2020-07-09 J.C. Jones <jjones@mozilla.com>
* lib/softoken/pkcs11.c:
Bug 1651520 - slotLock race in NSC_GetTokenInfo r=kjacobs
Basically, NSC_GetTokenInfo doesn't lock slot->slotLock before
accessing slot after obtaining it, even though slotLock is defined
as its lock. [0]
[0] https://searchfox.org/nss/rev/a412e70e55218aaf670f1f10322fa734d8a9fbde/lib/softoken/pkcs11i.h#320-321
[58c2abd7404e] [tip]
Differential Revision: https://phabricator.services.mozilla.com/D82466
This adds the boolean pref security.sandbox.content.headless (on Linux
only) which does two things:
1. Sets the MOZ_HEADLESS env var for content processes, so that they
don't initialize GTK and don't connect to the X server.
2. Disallows brokered access to parts of the filesystem used only for
graphics -- most critically connecting to the X11 socket itself, but
also opening GPU device nodes and the parts of sysfs used by Mesa, for
example.
This is experimental; use at your own risk.
Setting this pref will break native widgets, so it's also necessary to
set widget.disable-native-theme-for-content
Additionally, it breaks Flash and WebGL; see bug 1638466 for the latter.
Differential Revision: https://phabricator.services.mozilla.com/D81425
Now that filesystem broker policy entries that depend on prefs can be
cached in the "common" policy object, let's do this wherever possible.
Partially fixes bug 1600189.
Differential Revision: https://phabricator.services.mozilla.com/D81424
When the SandboxBrokerPolicyFactory is constructed, prefs aren't
available, which constrains the cached subset of the content process
policy to entries that don't depend on prefs. Delaying the computation
until a content process is started removes that restriction.
(This also delays the reading of dynamic linker configuration to discover
library directories, so a test needs to be adjusted.)
Differential Revision: https://phabricator.services.mozilla.com/D81423
Not strictly necessary, but I noticed this while I was making changes:
AddDynamicPathList can be a simple static function instead of a private
static method, and doesn't need to be in the header.
Differential Revision: https://phabricator.services.mozilla.com/D81422
CLOSED TREE
Backed out changeset 51d7c644a1e6 (bug 1650163)
Backed out changeset 3d2b6908447a (bug 1650163)
Backed out changeset 79141707d47b (bug 1650163)
This commit does:
- Sync files under security/sandbox/chromium/ with Chromium 81.0.4044.138
- Update files under security/sandbox/chromium-shim/
- Apply patches under security/sandbox/chromium-shim/patches/with_update/
- Add mozilla::AddWin32kLockdownPolicy to apply MITIGATION_WIN32K_DISABLE before SUBSYS_WIN32K_LOCKDOWN
Differential Revision: https://phabricator.services.mozilla.com/D79560
This commit updates files under security/sandbox/chromium-shim/patches/
to prepare our codebase for Chromium sandbox update. See patch files for
the details of each patch.
This also removes the following patches from with_update no longer needed.
1) update_chromium_linux_x86_syscalls.patch is included in
b4f3df4e77
2) ifdef_out_ApplyMitigationsToCurrentThread.patch cannot be used because
we use ApplyMitigationsToCurrentThread since the following commit.
4bed2eb502
3) mingw_base_win_get_caller.patch is included in
d8b73eb8f0
4) fix_incorrect_int_use_in_Kernel32BaseVersion.patch is fixed by
https://hg.mozilla.org/mozilla-central/rev/dc9d71fb3bac807a37dbfba35d609ac4ffff1980
5) revert_removal_of_AlterEnvironment_on_Windows.patch is altered by adding
environment_internal.h/cc as a different commit.
6) mingw_undefine_MemoryBarrier.patch is no longer needed as
base::subtle::MemoryBarrier was removed by
bdbaaf4e7e
7) public_siginfo_fields.patch is included in
6bd491daaf
Differential Revision: https://phabricator.services.mozilla.com/D79558
This commit does:
- Sync files under security/sandbox/chromium/ with Chromium 81.0.4044.138
- Update files under security/sandbox/chromium-shim/
- Apply patches under security/sandbox/chromium-shim/patches/with_update/
- Apply a workaround for Clang's bug to compile *_interception.cc
- Add mozilla::AddWin32kLockdownPolicy to apply MITIGATION_WIN32K_DISABLE before SUBSYS_WIN32K_LOCKDOWN
Differential Revision: https://phabricator.services.mozilla.com/D79560
The current taskqueue is blocked until the current function has finished; running the event loop would only process events on the running thread.
Additionally, we make mIPCLaunchThread an nsISerialEventTarget to guarantee that at shutdown the tasks are run in order regardless of the IPC Launch Thread type.
Differential Revision: https://phabricator.services.mozilla.com/D81511
This adds the boolean pref security.sandbox.content.headless (on Linux
only) which does two things:
1. Sets the MOZ_HEADLESS env var for content processes, so that they
don't initialize GTK and don't connect to the X server.
2. Disallows brokered access to parts of the filesystem used only for
graphics -- most critically connecting to the X11 socket itself, but
also opening GPU device nodes and the parts of sysfs used by Mesa, for
example.
This is experimental; use at your own risk.
Setting this pref will break native widgets, so it's also necessary to
set widget.disable-native-theme-for-content.
Additionally, it breaks Flash and WebGL; see bug 1638466 for the latter.
Differential Revision: https://phabricator.services.mozilla.com/D81425
Now that filesystem broker policy entries that depend on prefs can be
cached in the "common" policy object, let's do this wherever possible.
Should also fix bug 1621231.
Differential Revision: https://phabricator.services.mozilla.com/D81424
When the SandboxBrokerPolicyFactory is constructed, prefs aren't
available, which constrains the cached subset of the content process
policy to entries that don't depend on prefs. Delaying the computation
until a content process is started removes that restriction.
Differential Revision: https://phabricator.services.mozilla.com/D81423
Not strictly necessary, but I noticed this while I was making changes:
AddDynamicPathList can be a simple static function instead of a private
static method, and doesn't need to be in the header.
Differential Revision: https://phabricator.services.mozilla.com/D81422
Fix the content and Flash sandbox policies to use the major and minor number for OS version checks allowing video playback to work properly on macOS 11 Big Sur.
Pass the macOS major and minor version to sandbox policies as a combined string.
Remove unused OSXVersion methods and members and more minor cleanup in Sandbox.mm.
Leave in the checks for unsupported versions (macOS 10.9 - 10.11) for now in case this fix needs to be uplifted.
Differential Revision: https://phabricator.services.mozilla.com/D81385
This just spins the event loop during fast shutdown until all queued
cert_storage tasks have completed. The patch achieves this by simply
adding a counter which will be incremented and decremented on the
main thread via tying into the tasks' `new` and `done` methods. A
slightly more performant solution would use a condvar and sleep the
main thread waiting on pending operations to complete, but given the
low frequency of these occurring during shutdown, such an approach
would be overkill.
Differential Revision: https://phabricator.services.mozilla.com/D80906
Before P1, GetCurrentThreadSerialEventTarget would have always returned the same data as NS_GetCurrentThread, making the comment incorrect. Now it will properly return the running TaskQueue if any.
This change of name more clearly exposes what they are doing, as we aren't always dealing with threads directly, but an nsISerialEventTarget.
Differential Revision: https://phabricator.services.mozilla.com/D80354
2020-06-22 Kevin Jacobs <kjacobs@mozilla.com>
* lib/util/quickder.c:
Bug 1646520 - Stricter leading-zero checks for ASN.1 INTEGER values.
r=jcj
This patch adjusts QuickDER to strictly enforce INTEGER encoding
with respect to leading zeros:
- If the MSB of the first (value) octet is set, a single zero byte MAY
be present to make the value positive. This singular pad byte is
removed.
- Otherwise, the first octet must not be zero.
[2bd2f3267dc5] [tip]
Differential Revision: https://phabricator.services.mozilla.com/D80543
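The rule in the entry above, as an added example that is not NSS's QuickDER code: a small decoder for a DER INTEGER TLV that applies the leading-zero check and strips the one permitted pad byte. The treatment of the one-octet encoding of zero (02 01 00), the minimal-length-encoding checks, and the negative case are my assumptions about standard DER rather than statements from the entry; the sample encodings are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not NSS code. Decodes one DER INTEGER (tag 02) and
 * enforces the leading-zero rule from the entry above:
 *  - a first value octet of 0x00 is only allowed as a single pad byte when
 *    the next octet has its top bit set, and that pad byte is stripped;
 *  - any other leading 0x00 is rejected.
 * Assumption (mine): the one-octet encoding of zero, 02 01 00, is accepted.
 * Returns the number of bytes consumed, or 0 on any encoding error. */
size_t der_integer_decode(const uint8_t *buf, size_t len,
                          const uint8_t **val, size_t *vlen, int *negative)
{
    size_t i = 0, l = 0;
    if (len < 2 || buf[i++] != 0x02)
        return 0;
    if (buf[i] < 0x80) {
        l = buf[i++];                       /* short-form length */
    } else {
        size_t n = buf[i++] & 0x7f;         /* long form: n length octets follow */
        if (n == 0 || n > sizeof(size_t) || n > len - i || buf[i] == 0x00)
            return 0;                       /* indefinite, oversized, truncated or non-minimal */
        for (size_t k = 0; k < n; k++)
            l = (l << 8) | buf[i++];
        if (l < 0x80)
            return 0;                       /* DER requires the short form here */
    }
    if (l == 0 || l > len - i)
        return 0;                           /* empty INTEGER or truncated value */
    const uint8_t *v = buf + i;
    *negative = (v[0] & 0x80) != 0;         /* sign is taken from the first octet as encoded */
    if (v[0] == 0x00 && l > 1) {
        if ((v[1] & 0x80) == 0)
            return 0;                       /* superfluous leading zero */
        v++;                                /* the single permitted pad byte */
        l--;
    }
    *val = v;
    *vlen = l;
    return i + l;
}

/* Constructed sample encodings. */
static const uint8_t k_zero[]       = {0x02, 0x01, 0x00};             /* 0 */
static const uint8_t k_128[]        = {0x02, 0x02, 0x00, 0x80};       /* +128, pad needed */
static const uint8_t k_bad_pad[]    = {0x02, 0x02, 0x00, 0x7f};       /* 127 with a bogus pad */
static const uint8_t k_neg128[]     = {0x02, 0x01, 0x80};             /* -128, no pad */
static const uint8_t k_two_zeros[]  = {0x02, 0x03, 0x00, 0x00, 0x80}; /* two leading zeros */
static const uint8_t k_nonmin_len[] = {0x02, 0x81, 0x01, 0x05};       /* long-form length for 1 */

/* Compact verdict for a sample: the stripped value length, negated for a
 * negative integer, or 0 when the encoding is rejected. */
int der_integer_signed_len(const uint8_t *buf, size_t len)
{
    const uint8_t *v;
    size_t vl;
    int neg;
    if (der_integer_decode(buf, len, &v, &vl, &neg) == 0)
        return 0;
    return neg ? -(int)vl : (int)vl;
}

int main(void)
{
    printf("zero %d  +128 %d  bad pad %d  -128 %d  two zeros %d  long len %d\n",
           der_integer_signed_len(k_zero, sizeof k_zero),
           der_integer_signed_len(k_128, sizeof k_128),
           der_integer_signed_len(k_bad_pad, sizeof k_bad_pad),
           der_integer_signed_len(k_neg128, sizeof k_neg128),
           der_integer_signed_len(k_two_zeros, sizeof k_two_zeros),
           der_integer_signed_len(k_nonmin_len, sizeof k_nonmin_len));
    return 0;
}
```

The sign is recorded before the pad is stripped: after stripping, the first remaining octet of +128 has its top bit set, which is exactly why the pad existed, so a decoder that reads the sign afterwards would misreport the value as negative.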
2020-06-16 Sohaib ul Hassan <sohaibulhassan@tuni.fi>
* lib/freebl/mpi/mpi.c, lib/freebl/mpi/mpi.h,
lib/freebl/mpi/mplogic.c:
Bug 1631597 - Constant-time GCD and modular inversion
r=rrelyea,kjacobs
The implementation is based on the work by Bernstein and Yang
(https://eprint.iacr.org/2019/266) "Fast constant-time gcd
computation and modular inversion". It fixes the old mp_gcd and
s_mp_invmod_odd_m functions.
The patch also fixes mpl_significant_bits, s_mp_div_2d and s_mp_mul_2d
by having less control flow to reduce side-channel leaks.
Co-author: Billy Bob Brumley
[699541a7793b] [tip]
Differential Revision: https://phabricator.services.mozilla.com/D80120
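The divstep iteration the entry above refers to, as an added example that is not NSS's mpi implementation: a constant-time gcd and modular inverse for small operands in which every data-dependent branch is replaced by an arithmetic mask, so the sequence of operations depends only on the operand width. The operand limits (m odd, 0 <= g < m < 2^31), the modular-halving way of tracking the inverse, and the fixed count of 128 iterations are my choices; the Bernstein-Yang iteration bound for 31-bit inputs is well below 128.

```c
#include <stdint.h>
#include <stdio.h>

/* Added example, not NSS code: constant-time gcd / modular inverse built
 * from the Bernstein-Yang divstep. Limits (mine): m odd, 0 <= g < m < 2^31.
 * Relies on arithmetic right shift of int64_t, as gcc and clang provide. */

/* all-ones if x < 0, else 0 */
static int64_t ct_neg_mask(int64_t x) { return x >> 63; }
/* a when mask is all-ones, b when mask is zero */
static int64_t ct_sel(int64_t a, int64_t b, int64_t mask) { return b ^ ((a ^ b) & mask); }

/* x/2 mod m for x in (-m, 2m), result in [0, m). m is odd, so adding m to an
 * odd x makes it even without changing it mod m, and the shift is exact. */
static int64_t ct_halve_mod(int64_t x, int64_t m)
{
    x += m & -(x & 1);
    x >>= 1;
    x += m & ct_neg_mask(x);          /* lift a negative result into range */
    x -= m & ~ct_neg_mask(x - m);     /* bring a result >= m below m */
    return x;
}

/* Returns gcd(g0, m) and writes g0^-1 mod m to *inv (meaningful only when the
 * gcd is 1). Loop invariants: f == d*g0 and g == e*g0 (mod m). One divstep:
 *   delta > 0 and g odd: (delta, f, g) <- (1 - delta, g, (g - f)/2)
 *   g odd otherwise:     (delta, f, g) <- (1 + delta, f, (g + f)/2)
 *   g even:              (delta, f, g) <- (1 + delta, f, g/2)
 * with d and e transformed the same way modulo m. */
int64_t ct_gcd_inv(int64_t g0, int64_t m, int64_t *inv)
{
    int64_t delta = 1, f = m, g = g0, d = 0, e = 1;
    /* 128 exceeds the paper's divstep bound for 31-bit inputs; once g is 0
     * further iterations change nothing. */
    for (int i = 0; i < 128; i++) {
        int64_t g_odd = -(g & 1);
        int64_t swap = g_odd & ~ct_neg_mask(delta - 1);   /* delta > 0 && g odd */
        int64_t tf = ct_sel(-f, f, swap);
        int64_t td = ct_sel(-d, d, swap);
        f = ct_sel(g, f, swap);
        d = ct_sel(e, d, swap);
        g = (g + (tf & g_odd)) >> 1;
        e = ct_halve_mod(e + (td & g_odd), m);
        delta = (delta ^ swap) - swap + 1;                /* 1 - delta or delta + 1 */
    }
    /* f is now +-gcd; when it is -1, d holds -g0^-1 mod m */
    int64_t neg = ct_neg_mask(f);
    *inv = ct_sel(m - d, d, neg);
    return ct_sel(-f, f, neg);
}

int64_t ct_gcd(int64_t g, int64_t m)
{
    int64_t inv;
    return ct_gcd_inv(g, m, &inv);
}

/* Inverse of g mod m, or 0 when g is not invertible. */
int64_t ct_modinv(int64_t g, int64_t m)
{
    int64_t inv;
    int64_t gcd = ct_gcd_inv(g, m, &inv);
    return ct_sel(inv, 0, -(int64_t)(gcd == 1));
}

int main(void)
{
    printf("gcd(6, 9) = %lld, 10^-1 mod 17 = %lld\n",
           (long long)ct_gcd(6, 9), (long long)ct_modinv(10, 17));
    return 0;
}
```

The point of the fixed iteration count is the same one the entry makes about mp_gcd and s_mp_invmod_odd_m: a binary-GCD loop that terminates as soon as g hits zero leaks how many steps the secret operand needed, whereas this loop always runs the full count and only the masks differ.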
I think at this point we can remove all of RemoteWebProgressManager, some/all of the TabProgressListener recreations, and probably a bunch more.
Differential Revision: https://phabricator.services.mozilla.com/D79240
This commit does:
- Sync files under security/sandbox/chromium/ with Chromium 81.0.4044.138
- Update files under security/sandbox/chromium-shim/
- Apply patches under security/sandbox/chromium-shim/patches/with_update/
- Apply a workaround for Clang's bug to compile filesystem_interception.cc
- Add mozilla::AddWin32kLockdownPolicy to apply MITIGATION_WIN32K_DISABLE before SUBSYS_WIN32K_LOCKDOWN
Depends on D79558
Differential Revision: https://phabricator.services.mozilla.com/D79560
This commit updates files under security/sandbox/chromium-shim/patches/
to prepare our codebase for Chromium sandbox update. See patch files for
the details of each patch.
This also removes the following patches from with_update no longer needed.
1) update_chromium_linux_x86_syscalls.patch is included in
b4f3df4e77
2) ifdef_out_ApplyMitigationsToCurrentThread.patch cannot be used because
we use ApplyMitigationsToCurrentThread since the following commit.
4bed2eb502
3) mingw_base_win_get_caller.patch is included in
d8b73eb8f0
4) fix_incorrect_int_use_in_Kernel32BaseVersion.patch is fixed by
https://hg.mozilla.org/mozilla-central/rev/dc9d71fb3bac807a37dbfba35d609ac4ffff1980
5) revert_removal_of_AlterEnvironment_on_Windows.patch is altered by adding
environment_internal.h/cc as a different commit.
6) mingw_undefine_MemoryBarrier.patch is no longer needed as
base::subtle::MemoryBarrier was removed by
bdbaaf4e7e
7) public_siginfo_fields.patch is included in
6bd491daaf
Differential Revision: https://phabricator.services.mozilla.com/D79558
2020-06-12 Kevin Jacobs <kjacobs@mozilla.com>
* cmd/lib/secutil.c:
Bug 1645479 - Use SECITEM_CopyItem instead of SECITEM_MakeItem in
secutil.c. r=jcj
This patch converts a call to `SECITEM_MakeItem` to use
`SECITEM_CopyItem` instead. Using the former works fine in NSS CI,
but causes build failures in mozilla-central due to differences in
how both symbols are exported (i.e. when folding nssutil into nss).
[cbf75aedf480] [tip]
2020-06-11 Kevin Jacobs <kjacobs@mozilla.com>
* gtests/ssl_gtest/libssl_internals.c,
gtests/ssl_gtest/ssl_resumption_unittest.cc:
Bug 1644774 - Use ClearServerCache instead of
SSLInt_ClearSelfEncryptKey for ticket invalidation. r=mt
[7b2413d80ce3]
2020-06-10 Kevin Jacobs <kjacobs@mozilla.com>
* cmd/lib/basicutil.c, cmd/lib/secutil.c, cmd/lib/secutil.h,
cmd/selfserv/selfserv.c, cmd/tstclnt/tstclnt.c, lib/ssl/tls13psk.c:
Bug 1603042 - Support external PSKs in tstclnt/selfserv. r=jcj
This patch adds support for TLS 1.3 external PSKs in tstclnt and
selfserv with the `-z` option.
Command examples:
- `selfserv -D -p 4443 -d . -n localhost.localdomain -w nss -V tls1.3:
-H 1 -z 0xAAAAAAAABBBBBBBBCCCCCCCCDDDDDDDD[:label] -m`
- `tstclnt -h 127.0.0.1 -p 4443 -z
0xAAAAAAAABBBBBBBBCCCCCCCCDDDDDDDD[:label] -d . -w nss`
For OpenSSL interop:
- `openssl s_server -nocert -port 4433 -psk
AAAAAAAABBBBBBBBCCCCCCCCDDDDDDDD [-psk_identity label]`
Note: If the optional label is omitted, both NSS tools and OpenSSL
default to "Client_identity".
[c1b1112af415]
2020-06-09 Kevin Jacobs <kjacobs@mozilla.com>
* lib/ssl/tls13con.c:
Bug 1642638 - Don't assert sid ciphersuite to be defined in fuzzer
mode. r=mt
[238bd7912429]
2020-06-08 Kevin Jacobs <kjacobs@mozilla.com>
* lib/freebl/freebl.gyp, lib/freebl/freebl_base.gypi:
Bug 1642802 - Win64 GYP builds to use HACL* curve25519.
r=bbeurdouche
This patch causes Windows 64-bit GYP builds to use HACL* curve25519
rather than the 32-bit (fiat-crypto) implementation.
For non-clang/GCC Win64 builds, we define `KRML_VERIFIED_UINT128` to
work around an upstream bug that breaks Win32 builds by selecting a
64-bit `__int128` implementation (in types.h).
For clang/GCC builds, using the compiler-provided type yields a ~5x
speedup on Win64.
[566fa62d6522]
2020-06-05 Jeff Walden <jwalden@mit.edu>
* lib/pk11wrap/pk11cert.c, lib/pk11wrap/pk11kea.c,
lib/pk11wrap/pk11merge.c, lib/pk11wrap/pk11nobj.c,
lib/pk11wrap/pk11obj.c, lib/pk11wrap/pk11skey.c,
lib/pk11wrap/secmodi.h:
Bug 1643557 - Make pk11_FindObjectByTemplate accept a size_t count
rather than a signed type to avoid internal signed-unsigned
comparison warnings. r=kjacobs
Depends on D78454
[5ee293d1a282]
* lib/pk11wrap/pk11skey.c:
Bug 1643557 - Make PK11_SetWrapKey explicitly handle being passed a
negative wrap argument, to avoid a signed-unsigned comparison.
r=kjacobs
Depends on D78453
[7bb3677a2ed0]
* lib/pk11wrap/pk11akey.c, lib/pk11wrap/pk11cert.c,
lib/pk11wrap/pk11obj.c, lib/pk11wrap/secmodi.h:
Bug 1643557 - Change the type of the size argument to
pk11_FindObjectsByTemplate to be size_t, consistent with the type of
some (small) numeric values passed to it after the previous
revision. r=kjacobs
Depends on D78452
[eaf223c2646a]
* lib/pk11wrap/pk11slot.c:
Bug 1643557 - Use size_t for various counts in pk11slot.c. r=kjacobs
Depends on D78451
[465a7954ce0a]
* lib/pk11wrap/pk11priv.h, lib/pk11wrap/pk11slot.c:
Bug 1643557 - Make pk11_MatchString accept a size_t length rather
than an int length (consistent with all callers), and reformulate
its internals to avoid a signed-unsigned comparison. r=kjacobs
Depends on D78450
[fff8c883ef7d]
* lib/pk11wrap/pk11skey.c, lib/ssl/sslsnce.c, lib/util/secport.h:
Bug 1643557 - Add PORT_AssertNotReached and use it instead of
PORT_Assert(!"str"), which may warn about vacuous string literal to
boolean conversions. r=kjacobs
Depends on D78449
[c0aa47eb2fdd]
* lib/util/secoid.c:
Bug 1643557 - Use SECOidTag as the type of a loop variable over all
values of that type to avoid a signed-unsigned comparison warning.
r=kjacobs
Depends on D78448
[d7f1e9975e67]
* lib/util/utilpars.c:
Bug 1643557 - Use size_t for a parameter-indexing variable to
eliminate a signed-unsigned comparison warning. r=kjacobs
Depends on D78447
[5d7206908ca7]
* lib/freebl/rsapkcs.c:
Bug 1643557 - Used unsigned int for two for-loops upper-bounded by
unsigned ints in rsa_FormatOneBlock. r=kjacobs
Depends on D78446
[ed9a1a41ca1e]
* lib/pk11wrap/debug_module.c:
Bug 1643557 - Use unsigned int for log level, consistent with
PRLogModuleLevel. r=kjacobs
[7f89fa701ce3]
Differential Revision: https://phabricator.services.mozilla.com/D79566
converts:
* security.sandbox.rdd.win32k-disable
* security.sandbox.gmp.win32k-disable
I'm assuming the pattern established by the other, newer, win32k StaticPrefs can
be followed here, and the xpcom checks aren't needed.
Differential Revision: https://phabricator.services.mozilla.com/D78933
In general, PSM caches intermediates from verified certificate chains in the
NSS certdb. Before bug 1619021, this would include preloaded intermediates,
which is unnecessary because cert_storage has a copy of those certificates, and
so they don't need to take up time and space in the NSS certdb. This patch
introduces the intermediate preloading healer, which periodically runs on a
background thread, looks for these duplicate intermediates, and removes them
from the NSS certdb.
Differential Revision: https://phabricator.services.mozilla.com/D77152
2020-06-01 Kevin Jacobs <kjacobs@mozilla.com>
* coreconf/config.gypi, lib/freebl/Makefile, lib/freebl/blinit.c,
lib/freebl/freebl.gyp, lib/freebl/sha256-armv8.c,
lib/freebl/sha256.h, lib/freebl/sha512.c, mach:
Bug 1528113 - Use ARM's crypto extension for SHA256
[ea54fd986036]
2020-04-08 Kevin Jacobs <kjacobs@mozilla.com>
* automation/abi-check/expected-report-libssl3.so.txt,
gtests/ssl_gtest/libssl_internals.c,
gtests/ssl_gtest/libssl_internals.h, gtests/ssl_gtest/manifest.mn,
gtests/ssl_gtest/ssl_0rtt_unittest.cc,
gtests/ssl_gtest/ssl_extension_unittest.cc,
gtests/ssl_gtest/ssl_gtest.gyp, gtests/ssl_gtest/tls_agent.cc,
gtests/ssl_gtest/tls_agent.h, gtests/ssl_gtest/tls_connect.cc,
gtests/ssl_gtest/tls_connect.h,
gtests/ssl_gtest/tls_psk_unittest.cc, lib/ssl/manifest.mn,
lib/ssl/ssl.gyp, lib/ssl/ssl3con.c, lib/ssl/ssl3ext.c,
lib/ssl/ssl3ext.h, lib/ssl/sslerr.h, lib/ssl/sslexp.h,
lib/ssl/sslimpl.h, lib/ssl/sslinfo.c, lib/ssl/sslsecur.c,
lib/ssl/sslsock.c, lib/ssl/sslt.h, lib/ssl/tls13con.c,
lib/ssl/tls13con.h, lib/ssl/tls13exthandle.c, lib/ssl/tls13psk.c,
lib/ssl/tls13psk.h, lib/ssl/tls13replay.c:
Bug 1603042 - TLS 1.3 out-of-band PSK support
[a448d7919077]
2020-06-01 Makoto Kato <m_kato@ga2.so-net.ne.jp>
* coreconf/config.gypi, lib/freebl/Makefile, lib/freebl/blinit.c,
lib/freebl/freebl.gyp, lib/freebl/sha256-armv8.c,
lib/freebl/sha256.h, lib/freebl/sha512.c:
Bug 1528113 - Use ARM's crypto extension for SHA256 r=kjacobs
ARMv8 CPUs have hardware-accelerated instructions for SHA256, which
GCC 4.9+ supports. We should use them if available.
[61c83f79e90c]
2020-06-02 Kevin Jacobs <kjacobs@mozilla.com>
* automation/abi-check/expected-report-libssl3.so.txt,
gtests/ssl_gtest/libssl_internals.c,
gtests/ssl_gtest/libssl_internals.h, gtests/ssl_gtest/manifest.mn,
gtests/ssl_gtest/ssl_0rtt_unittest.cc,
gtests/ssl_gtest/ssl_extension_unittest.cc,
gtests/ssl_gtest/ssl_gtest.gyp, gtests/ssl_gtest/tls_agent.cc,
gtests/ssl_gtest/tls_agent.h, gtests/ssl_gtest/tls_connect.cc,
gtests/ssl_gtest/tls_connect.h,
gtests/ssl_gtest/tls_psk_unittest.cc, lib/ssl/manifest.mn,
lib/ssl/ssl.gyp, lib/ssl/ssl3con.c, lib/ssl/ssl3ext.c,
lib/ssl/ssl3ext.h, lib/ssl/sslerr.h, lib/ssl/sslexp.h,
lib/ssl/sslimpl.h, lib/ssl/sslinfo.c, lib/ssl/sslsecur.c,
lib/ssl/sslsock.c, lib/ssl/sslt.h, lib/ssl/tls13con.c,
lib/ssl/tls13con.h, lib/ssl/tls13exthandle.c, lib/ssl/tls13psk.c,
lib/ssl/tls13psk.h, lib/ssl/tls13replay.c:
Bug 1603042 - TLS 1.3 out-of-band PSK support r=mt
This patch adds support for External (out-of-band) PSKs in TLS 1.3.
An External PSK (EPSK) can be set by calling `SSL_AddExternalPsk`,
and removed with `SSL_RemoveExternalPsk`. `SSL_AddExternalPsk0Rtt`
can be used to add a PSK while also specifying a suite and
max_early_data_size for use with 0-RTT.
As part of handling PSKs more generically, the patch also changes
how resumption PSKs are handled internally, so as to rely on the
same mechanisms where possible.
A socket is currently limited to only one External PSK at a time. If
the server doesn't find the same identity for the configured EPSK,
it will fall back to certificate authentication.
[a2293e897889]
* lib/freebl/mpi/mplogic.c:
cast in LZCNTLOOP
[96e65b2e9531]
* lib/freebl/freebl.gyp:
Use KRML_VERIFIED_UINT128 on MSVC builds
[abd50c862bdb]
2020-06-03 Kevin Jacobs <kjacobs@mozilla.com>
* gtests/ssl_gtest/ssl_exporter_unittest.cc, lib/ssl/sslinfo.c,
lib/ssl/tls13con.c:
Bug 1643123 - Allow External PSKs to be used with Early Export
[46ef0c025cfc]
2020-06-02 Sylvestre Ledru <sledru@mozilla.com>
* lib/ssl/tls13con.c:
Bug 1642809 - Fix an assert (we need a comparison, not assignment)
r=kjacobs
[d0789cb32d8e]
2020-06-03 Mike Hommey <mh@glandium.org>
* cmd/shlibsign/Makefile:
Bug 1642153 - Avoid infinite recursion when CHECKLOC is not set.
r=jcj
[e955ece90b05]
2020-06-03 Martin Thomson <mt@lowentropy.net>
* gtests/ssl_gtest/ssl_auth_unittest.cc,
gtests/ssl_gtest/ssl_resumption_unittest.cc, lib/ssl/tls13con.c:
Bug 1642871 - Allow tickets and PHA after resumption, r=kjacobs
The first part of this is fairly simple: we accidentally disabled
sending of session tickets after resumption.
The second part is much less obvious, because the spec is unclear.
This change takes the interpretation that it is OK to use post-
handshake authentication if the handshake is resumed, but not OK if
the handshake is based on a PSK. (This is based on a first-
principles understanding of resumption being a continuation of a
certificate-based connection rather than a reading of the spec, see
the bug for why the spec appears to be unhelpful on this point.)
This still prohibits the use of post-handshake authentication if an
external PSK was used, but that is more an abundance of caution than
anything principled.
[e9502f71b7fe]
2020-06-04 Kevin Jacobs <kjacobs@mozilla.com>
* gtests/ssl_gtest/ssl_exporter_unittest.cc, lib/ssl/sslinfo.c,
lib/ssl/tls13con.c:
Bug 1643123 - Allow External PSKs to be used with Early Export r=mt
This patch adjusts `tls13_exporter` to pull the hash algorithm from
the first PSK when a suite is not configured yet, which allows early
export with external PSKs.
[d211f3013abb]
Differential Revision: https://phabricator.services.mozilla.com/D78578
Content processes allow a restricted subset of F_{GET,SET}{FD,FL} that
prevents setting unknown or known-unsafe flags, which was copied to the
socket process policy; this patch moves it to the common policy and
removes RDD's copy of GMP's override.
The immediate reason for this is DMD using F_GETFL via fdopen to use a
file descriptor passed over IPC, but in general this should be safe and
it's a reasonable thing to expect to be able to use.
Differential Revision: https://phabricator.services.mozilla.com/D77379
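A userspace model of the fcntl restriction this message describes, as an added example that is not the sandbox's own seccomp-bpf policy: the decision a filter would make on the syscall's cmd and arg is written as a plain function so it can be exercised directly. The flag allowlists, the denial of O_ASYNC, and the O_LARGEFILE value are my assumptions for illustration, and the get-then-set helper mirrors the fdopen pattern mentioned above; the inputs in the usage are constructed.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>

/* Added example, not the sandbox's own code: a userspace model of an fcntl
 * policy of the kind the message describes. The allowlists below are my
 * assumptions for illustration, not the policy the patch installs. */
typedef enum { FCNTL_DENY = 0, FCNTL_ALLOW = 1 } fcntl_verdict;

fcntl_verdict fcntl_policy(int cmd, long arg)
{
    /* Bits F_SETFL ignores but F_GETFL reports; callers that read the flags
     * and write them back would be rejected unless these are tolerated. The
     * kernel reports O_LARGEFILE as 0100000 on 64-bit x86 and aarch64 even
     * though the userspace header defines it as 0 there (assumed value). */
    const long kernel_o_largefile = 0100000;
    const long ignored = O_ACCMODE | O_CLOEXEC | kernel_o_largefile;
    /* Flags a sandboxed process may legitimately toggle. O_ASYNC is left out
     * on purpose: it arms signal-driven I/O, the kind of "known-unsafe" flag
     * a default-deny list exists to catch. */
    const long settable = O_NONBLOCK | O_APPEND;

    switch (cmd) {
    case F_GETFD:
    case F_GETFL:
        return FCNTL_ALLOW;
    case F_SETFD:
        return (arg & ~(long)FD_CLOEXEC) == 0 ? FCNTL_ALLOW : FCNTL_DENY;
    case F_SETFL:
        return (arg & ~(ignored | settable)) == 0 ? FCNTL_ALLOW : FCNTL_DENY;
    default:
        return FCNTL_DENY;   /* F_DUPFD, F_SETLK, ... are outside the subset */
    }
}

/* The fdopen()-style sequence mentioned above: read the flags, then write
 * them back with one extra bit set. Returns 1 if every step is allowed. */
int fcntl_getset_sequence_allowed(long getfl_result, long extra_bit)
{
    if (fcntl_policy(F_GETFL, 0) != FCNTL_ALLOW)
        return 0;
    return fcntl_policy(F_SETFL, getfl_result | extra_bit) == FCNTL_ALLOW;
}

int main(void)
{
    /* Constructed inputs: what F_GETFL would report for a read-write,
     * close-on-exec descriptor, followed by two different write-backs. */
    long reported = O_RDWR | O_CLOEXEC;
    printf("set O_NONBLOCK: %s\n",
           fcntl_getset_sequence_allowed(reported, O_NONBLOCK) ? "allowed" : "denied");
    printf("set O_ASYNC:    %s\n",
           fcntl_getset_sequence_allowed(reported, O_ASYNC) ? "allowed" : "denied");
    return 0;
}
```

The ignored set is the part that is easy to get wrong when moving such a rule between process types: a policy assembled only from header constants rejects the common read-modify-write pattern on 64-bit Linux because of the O_LARGEFILE bit the kernel adds, which shows up as an apparently random fcntl failure rather than a clear policy violation.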
2020-05-29 J.C. Jones <jjones@mozilla.com>
* lib/nss/nss.h, lib/softoken/softkver.h, lib/util/nssutil.h:
Set version numbers to 3.53 final
[7e453a5afcb4] [NSS_3_53_RTM] <NSS_3_53_BRANCH>
2020-05-28 Kevin Jacobs <kjacobs@mozilla.com>
* .hgtags:
Added tag NSS_3_53_BETA2 for changeset 8fe22033a88e
[90c954f62c9d]
Differential Revision: https://phabricator.services.mozilla.com/D77555
To implement filtering client certificates by the acceptable CAs list sent by
servers when they request client certificates, we need the CAs that issued the
client certificates. To that end, this change modifies the macOS backend of
the osclientcerts module to also gather issuing CAs while looking for client
certificates. These certificates will not affect trust decisions in gecko.
Differential Revision: https://phabricator.services.mozilla.com/D74985
There's no use case for stateful comparators, so they can be just plain
function pointers.
This is used in some hot places like CSS selector matching.
Differential Revision: https://phabricator.services.mozilla.com/D77084
This is mostly changes to handle retrieving the security state asynchronously via the parent process, needing lots of async/await additions.
It also removes the docshell mixed content flag checks (which don't seem to be used in code, only tests), which are mostly still covered by checks of the security UI.
Differential Revision: https://phabricator.services.mozilla.com/D75448
This removes all docshell nsISecureBrowserUI and mixed content properties, and moves them into CanonicalBrowsingContext/WindowGlobalParent. It makes the mixed content blocker just compute the state for the current load, and then send the results to the parent process, where we update the security state accordingly.
I think we could in the future remove onSecurityChange entirely, and instead just fire an event to the <browser> element notifying it of changes to the queryable securityUI.
Unfortunately we have a lot of existing code that depends on specific ordering between onSecurityChange and onLocationChange, so I had to hook into the RemoteWebProgress implementation in BrowserParent to mimic the same timings.
Differential Revision: https://phabricator.services.mozilla.com/D75447
We have evidence that some sites have disabled ciphersuites with SHA-1-based
MACs due to attacks against SHA-1 (disregarding the fact that these attacks
don't necessarily apply to HMAC-SHA-1) while still relying on RSA key exchange.
Before this patch, PSM did not enable any ciphersuites with RSA key exchange
and non-SHA-1-based MACs. Consequently, Firefox would be unable to connect to
these sites while other browsers would.
This patch enables TLS_RSA_WITH_AES_128_GCM_SHA256 and
TLS_RSA_WITH_AES_256_GCM_SHA384, which are the only two ciphersuites (other
than grease) that Chrome enables that Firefox did not (before this patch).
Differential Revision: https://phabricator.services.mozilla.com/D76543
2020-05-22 J.C. Jones <jjones@mozilla.com>
* lib/freebl/altivec-types.h, lib/freebl/ppc-crypto.h:
Bug 1629414 - Guard USE_PPC_CRYPTO and VSX types with __VSX__ and
__ALTIVEC__ r=kjacobs
This avoids build errors on non-VSX architectures even when not
compiling the POWER accelerated code.
[c7a1c91cd9be] [tip]
2020-05-21 Jeff Walden <jwalden@mit.edu>
* lib/freebl/aes-x86.c:
Bug 1639033 - Use unsigned int for a loop counter to eliminate a
signed-unsigned comparison warning in aes-x86.c. r=kjacobs
Depends on D75847
[e23fe363fa05]
* lib/freebl/ec.c:
Bug 1639033 - Used unsigned int instead of int in a few places in
ec.c to eliminate signed-unsigned comparison warnings. r=kjacobs
Depends on D75846
[0d778b0e778f]
* lib/freebl/cmac.c:
Bug 1639033 - Use unsigned int rather than int for two variables to
eliminate a bunch of signed-unsigned comparison warnings. r=kjacobs
Depends on D75845
[df5c8f6430a0]
* lib/freebl/mpi/mplogic.c, lib/freebl/mpi/mplogic.h:
Bug 1639033 - Use unsigned int for various count variables in
mplogic.c to eliminate signed-unsigned comparison warnings.
r=kjacobs
Depends on D75844
[ce5b8b7e010c]
* lib/freebl/aeskeywrap.c:
Bug 1639033 - Use size_t for loops up to sizeof(T) in aeskeywrap.c
to eliminate some signed-comparison warnings. r=kjacobs
Depends on D75843
[563a7cd7484b]
* lib/softoken/pkcs11i.h, lib/softoken/sftkike.c:
Bug 1639033 - Change sftk_xcbc_mac_pad's block-size argument to be
unsigned int to avoid sign-comparison warnings. r=kjacobs
Depends on D75842
[a5f80d0805ca]
2020-05-22 Jeff Walden <jwalden@mit.edu>
* lib/jar/jar.c:
Bug 1639033 - Use the jarType enum type, not int, for certain
variables and arguments in jar.c -- for greater precision, and to
avoid sign-comparison warnings. r=kjacobs
Depends on D75841
[e65dd5c2cf86]
2020-05-19 Jeff Walden <jwalden@mit.edu>
* lib/softoken/pkcs11.c, lib/softoken/pkcs11i.h:
Bug 1639033 - Make all |moduleIndex| variables in pkcs11.c be
unsigned, to eliminate a -Wsign-compare warning. r=kjacobs
Depends on D75840
[6512178a58f5]
* cmd/lib/basicutil.c:
Bug 1639033 - Fix signed-unsigned comparison warning in basicutil.c.
r=kjacobs
[98390eef50a1]
2020-05-22 Martin Thomson <mt@lowentropy.net>
* lib/ssl/sslencode.c:
Bug 1640041 - Don't memcpy nothing, r=jcj
Depends on D76421
[8d7c96ab80a7]
* lib/ssl/sslsock.c:
Bug 1640042 - Don't memcpy nothing, r=jcj
[1a634da46b87]
* gtests/ssl_gtest/ssl_0rtt_unittest.cc,
gtests/ssl_gtest/ssl_recordsep_unittest.cc,
gtests/ssl_gtest/tls_connect.cc, lib/ssl/ssl.h, lib/ssl/ssl3gthr.c,
lib/ssl/sslimpl.h, lib/ssl/sslsock.c, lib/ssl/tls13con.c:
Bug 1639413 - Option to disable TLS 1.3 EndOfEarlyData message,
r=kjacobs
This adds the ability to disable EndOfEarlyData.
On the client this is relatively simple, you just turn the message
off.
The server is complicated because the server uses this to drive the
installation of the right keys. Without it, things get very messy.
Thus, I have decided that this is best left to the
SSL_RecordLayerData interface. That needs an ugly hack in order to
let the new data to pass, but the damage is otherwise relatively
minor, apart from one obvious thing.
We never really built the SSL_RecordLayerData API to take
application data. It only did that to support testing of the
functions. Now that we have to deal with this new wrinkle, adding
support for 0-RTT is necessary. This change does that. That requires
a barrage of new checks to see if application data is acceptable.
And then early data is captured in a completely different way, which
adds another layer of awfulness.
Note that this exposes us to the possibility that Certificate or
Finished are received in early data when using SSL_RecordLayerData
and this option. I don't think that fixing that is worthwhile as it
requires tracking the epoch of handshake messages separate to
ss->ssl3.crSpec and the epoch only really exists on that API so that
applications don't accidentally do bad things. In QUIC, we
specifically block handshake messages in early data, so we have
ample protection.
[10325739e149]
Differential Revision: https://phabricator.services.mozilla.com/D76572
This matches how the `Dispatch(already_AddRefed<nsIRunnable>)`
overloads work in C++: `Dispatch` takes ownership of the runnable, and
leaks it if dispatch fails—because the thread manager is shutting down,
for instance. This avoids a race where a runnable can be released on
either the owning or target thread.
Rust doesn't allow arbitrary `Self` types yet (see
rust-lang/rust#44874), so we need to change `dispatch` and
`dispatch_with_options` to be associated methods.
Differential Revision: https://phabricator.services.mozilla.com/D75858
This function ought to be declared by `winapi`, but is not, for whatever
reason. However, its definition is stable enough that we can just
declare it inline rather than invoking bindgen every single build (and
unnecessarily compiling a build script on non-windows platforms) to
discover its definition for us.
Differential Revision: https://phabricator.services.mozilla.com/D76015
2020-05-19 Robert Relyea <rrelyea@redhat.com>
* lib/freebl/dsa.c:
Bug 1631576 - Force a fixed length for DSA exponentiation
r=pereida,bbrumley
[daa823a4a29b] [tip]
2020-05-14 Benjamin Beurdouche <bbeurdouche@mozilla.com>
* lib/freebl/Makefile, lib/freebl/deprecated/seed.c,
lib/freebl/deprecated/seed.h, lib/freebl/freebl.gyp,
lib/freebl/freebl_base.gypi, lib/freebl/seed.c, lib/freebl/seed.h:
Bug 1636389 - Relocate deprecated seed algorithm. r=kjacobs
[d2cfb4ccdf16]
2020-05-14 Jan-Marek Glogowski <glogow@fbihome.de>
* automation/taskcluster/scripts/split.sh, lib/Makefile,
lib/manifest.mn:
Bug 1637083 fix the lib dependencies for the split build
r=jcj,rrelyea
This build can be tested by running NSS_BUILD_MODULAR=1
nss/automation/taskcluster/scripts/build.sh from a directory
containing the nss and nspr repositories.
To make this build's make conditionals easier to handle, it also
merges the manifest.mn into the Makefile, because parts of the
conditionals depend on $(OS_ARCH) setting.
In the end, the goal is just to set the correct build $(DIRS).
This also drops the freebl dependency of ssl, which seems not to be
needed, even if it's declared in /lib/ssl/ssl.gyp.
[789d7241e1f0]
2020-05-13 Jan-Marek Glogowski <glogow@fbihome.de>
* coreconf/rules.mk, lib/ckfw/builtins/manifest.mn,
lib/ckfw/manifest.mn, manifest.mn:
Bug 1637083 Replace pre-dependency with shell hack r=rrelyea
Originally I tried multiple variants using make's conditionals to
limit DIRS and enforce building the parent directory before the sub-
directory. None of them worked for me, most resulting in an infinite
recursion, so I used the current pre-depends workaround to fulfill
the real dependency.
Now I remembered that automake can handle this case for SUBDIRS
specifying "." as a directory. The generated Makefile handles it via
shell scripting; not nice, but it works.
So this gets rid of the workaround, replacing it with a small shell
test.
[744881490c78]
Differential Revision: https://phabricator.services.mozilla.com/D76050