2020-08-19 Kevin Jacobs <kjacobs@mozilla.com>
* tests/libpkix/certs/PayPalEE.cert:
Bug 1659792 - Update libpkix tests with unexpired PayPal cert. r=jcj
The in-tree `PayPalEE.cert `expired today. This patch replaces it
with a current copy that expires on 12 Jan 2022.
CI breakage before patch: https://treeherder.mozilla.org/#/jobs?repo
=nss&revision=2890f342de631bf6774ac747515a8b5736e20d3f CI with the
fix applied: https://treeherder.mozilla.org/#/jobs?repo=nss-
try&revision=bd28f21d8acbcb15502bd4fc606fc9c0ed09c810
[52c965eaffa1] [NSS_3_56_BETA1]
2020-08-18 Kevin Jacobs <kjacobs@mozilla.com>
* tests/interop/interop.sh:
Bug 1659814 - Pull updated tls-interop for dependency fix. r=jcj
[70376af425ae]
* automation/release/nspr-version.txt:
Bug 1656519 - NSS 3.56 should depend on NSPR 4.28. r=kaie
[2890f342de63]
Differential Revision: https://phabricator.services.mozilla.com/D87648
The keys exposed by osclientcerts may be from tokens that cannot do modern
crypto (namely, ECDSA and RSA-PSS). This patch attempts to identify and
differentiate between these keys. Unfortunately, there is no good way of doing
this on macOS at this time, so the implementation assumes everything supports
modern crypto on that platform. Additionally, the Windows implementation can't
make this determination if the cryptographic service provider would show UI, so
again in those cases the implementation assumes modern crypto is available.
Differential Revision: https://phabricator.services.mozilla.com/D86440
This fixes the following error when running on Apple Silicon DTK:
AGX: agxs_util.cpp:355:size_t getSystemMemorySize(): !!! Verification failed: status == 0
Differential Revision: https://phabricator.services.mozilla.com/D87048
When the last private browsing context exits, observers are notified of the
event "last-pb-context-exited". Before this patch, the private browsing shared
TLS state object would clear its list of insecure fallback sites opon observing
this. However, this is not correct, because the list should be set to reflect
the current set of insecure fallback sites as parsed from the preference
"security.tls.insecure_fallback_hosts" (which is by default empty, but wouldn't
be if a user has modified it).
Differential Revision: https://phabricator.services.mozilla.com/D86586
The keys exposed by osclientcerts may be from tokens that cannot do modern
crypto (namely, ECDSA and RSA-PSS). This patch attempts to identify and
differentiate between these keys. Unfortunately, there is no good way of doing
this on macOS at this time, so the implementation assumes everything supports
modern crypto on that platform.
Differential Revision: https://phabricator.services.mozilla.com/D86440
2020-08-07 Kevin Jacobs <kjacobs@mozilla.com>
* lib/pki/tdcache.c:
Bug 1625791 - Call STAN_GetCERTCertificate to load CERTCertificate
trust before caching. r=jcj,keeler
When caching certificates, `td->cache->lock` must not be held when
taking `slot->isPresentLock`. `add_cert_to_cache` holds then former
when calling the sort function in `add_subject_entry`, which will [[
https://searchfox.org/mozilla-central/rev/a3b25e347e2c22207c4b369b99
246e4aebf861a7/security/nss/lib/pki/certificate.c#266 | call ]]
`STAN_GetCERTCertificate` -> `fill_CERTCertificateFields` when
`cc->nssCertificate` [[ https://searchfox.org/mozilla-central/rev/a3
b25e347e2c22207c4b369b99246e4aebf861a7/security/nss/lib/pki/pki3hack
.c#923 | is NULL ]].
There are two problems with this:
# `fill_CERTCertificateFields` may end up locking
`slot->isPresentLock` (bad ordering, bug 1651564) # The above may
happen followed by another attempt to lock
`td->cache->lock`(deadlock, this bug).
By calling `STAN_GetCERTCertificate` prior to the first lock of
`td->cache->lock`, we can prevent the problematic call to
`fill_CERTCertificateFields` later on, because `cc->nssCertificate`
will already be filled.
[c06f22733446] [tip]
* gtests/ssl_gtest/ssl_auth_unittest.cc, lib/ssl/ssl3con.c:
Bug 1588941 - Send empty client cert msg when signature scheme
selection fails. r=mt
`ssl3_CompleteHandleCertificateRequest` does essentially two things:
1) Calls the `getClientAuthData` hook for certificate selection, and
2) calls `ssl_PickClientSignatureScheme` to select an appropriate
signature scheme when a cert is selected.
If the first function returns SECFailure, we default to sending an
empty certificate message. If the latter fails, however, this
bubbles up as a [[ https://searchfox.org/mozilla-central/rev/56bb74e
a8e04bdac57c33cbe9b54d889b9262ade/security/nss/lib/ssl/tls13con.c#26
70 | fatal error ]] (and an assertion failure) on the connection.
Importantly, the signature scheme selection can fail for reasons
that should not be considered fatal - notably when an RSA-PSS cert
is selected, but the token on which the key resides does not
actually support PSS.
This patch treats the failure to find a usable signature scheme as a
"no certificate" response, rather than killing the connection
entirely.
[41ecb7fe5546]
* lib/freebl/Makefile, lib/freebl/freebl_base.gypi,
lib/freebl/mpi/mpi_amd64_common.S, lib/freebl/mpi/mpi_amd64_gas.s:
Bug 1656981 - Use 64x64->128 multiply and MP_COMBA on x86_64 Mac.
r=mt
This patch makes two MPI changes for MacOS:
1. Rename `mpi_amd64_gas.s` to `mpi_amd64_common.S` and add defines
for macho64, allowing Intel Macs to take advantage of the 64x64->128
multiply code. 2. Define and use `NSS_USE_COMBA` on Intel Macs.
Performance results with `rsaperf -n none -p 10 -e -x 65537`
(default 2048-bit key): Before: `12629.12 operations/s. one
operation every 79 microseconds` With 64x64->128 assembly: `29431.65
operations/s. one operation every 33 microseconds` With MP_COMBA and
64x64->128 assembly: `30332.99 operations/s. one operation every 32
microseconds`
[330bdab498a3]
* lib/ssl/sslimpl.h:
Bug 1656429 - Clang-format fixup, r=bustage
[07083076fc92]
2020-08-05 Martin Thomson <mt@lowentropy.net>
* gtests/ssl_gtest/ssl_0rtt_unittest.cc,
gtests/ssl_gtest/tls_connect.cc, lib/ssl/ssl3exthandle.c,
lib/ssl/sslimpl.h, lib/ssl/tls13con.c, lib/ssl/tls13replay.c:
Bug 1656429 - Correct RTT estimate used in anti-replay, r=kjacobs
This was never a security problem, but the more time that passes
between the handshake and sending a ticket, the more likely we are
to reject 0-RTT. Eventually, 0-RTT only works if it is delayed in
the network by a surprising amount.
[b4a1c57eb569]
Differential Revision: https://phabricator.services.mozilla.com/D86454
nsNSSComponent has a background task queue that can be used for importing
intermediates from TLS connections instead of using the certificate
verification thread pool.
This patch also addresses places where PSM was directly accessing the isperm
member of CERTCertificate, which is protected by a lock.
Differential Revision: https://phabricator.services.mozilla.com/D86051
2020-07-27 Jan-Marek Glogowski <glogow@fbihome.de>
* lib/freebl/Makefile:
Bug 1652032 Disable all freebl assembler code for MSVC arm64
r=rrelyea,bbeurdouche
There are two places, where NSS tries to compile either x86_64 MSVC
assembler or GCC aarch64 code, which will fail the build. And also
drop the non-MSVC arch build flags for them.
AFAI could identify, there isn't any armasm64 compatible asm code in
the whole NSS library, so I don't even adapt AS for the build. The
cross-build finishes this way.
[d98bbb6168f4]
2020-07-24 Benjamin Beurdouche <bbeurdouche@mozilla.com>
* cmd/bltest/blapitest.c, coreconf/config.gypi, coreconf/config.mk,
lib/freebl/alg2268.c, lib/freebl/deprecated/alg2268.c,
lib/freebl/freebl_base.gypi, lib/freebl/ldvector.c,
lib/freebl/loader.c, lib/freebl/loader.h, lib/freebl/manifest.mn,
lib/softoken/lowpbe.c, lib/softoken/pkcs11c.c:
Bug 1652729 - Add build flag to disable RC2 and relocate to
lib/freebl/deprecated. r=kjacobs
[e6c6f1d2d544]
2020-07-27 Robert Relyea <rrelyea@redhat.com>
* gtests/softoken_gtest/manifest.mn,
gtests/softoken_gtest/softoken_dh_vectors.h,
gtests/softoken_gtest/softoken_gtest.cc,
gtests/softoken_gtest/softoken_gtest.gyp, lib/freebl/blapi.h,
lib/freebl/dh.c, lib/freebl/ldvector.c, lib/freebl/loader.c,
lib/freebl/loader.h, lib/softoken/manifest.mn,
lib/softoken/pkcs11.c, lib/softoken/pkcs11c.c,
lib/softoken/pkcs11i.h, lib/softoken/pkcs11u.c,
lib/softoken/sftkdhverify.c, lib/softoken/softoken.gyp:
Bug 1648822 Add stricter validation of DH keys when in FIPS mode.
Update: FIPS now also requires us to do y^q mod p testing on key
generation (always). We now do that in FIPS mode only, but in all
modes we do full DH verification for DH and ECDH. Because of this,
the path has now separated out the prime checks, which are now only
done for the DH operation if we aren't using a known prime and the
subprime value has been provided. I've also learned we can accept
keys that we do full validation on in FIPS mode, so I've added that
to this patch, though we still can't generate those kinds of keys
without adding the subprime at keygen time.
The new FIPS standard is dh operations must use approved primes.
Approved primes are those selected in the tls and ike RFCs.
Currently tls and ike have modes with checks whether the primes are
approved, but the check may not always happen. The safest thing to
do in FIPS mode is only allow those primes. In addition, FIPS
requires 1< y < p-1 (or technically 2<=y<=p-2, since y is an integer
those two tests are identical).
While making changes I realized we would want a mode where we can do
more strict checks on the prime while not requiring that the prime
be an approved prime. We already allow for strict checking if q is
supplied with the private key, but there were a couple of issues
with that check:
1. there was no way of actually setting q in the current NSS
pk11wrap interfaces. 2. If the prime was a safe prime, but g was an
actual generator, then we would fail the y^q mod p = 1 tests for 50%
of the keys, even though those keys are safe. 3. We weren't checking
primality of p and q.
So the old code:
if (q) { check y^q mod p = 1 if not fail }
check 1 <y < p-1 (done in DH_Derive).
New code:
if (! p is approved prime) { if (FIPS) fail; if (q) { y_test = y if
(p,q-> p is a safe prime) { y_test = 1 } check prime is prime Fail
if not check subprime is subprime fail if not y_test^q mod p = 1 } }
check 1 < y < p-1 (done in DH_Derive)
This means:
Existing code non-fips without setting the subprime continues to run
as before. Non-fips code which sets the subprime now runs slower,
but p and q are checked if p or q where not prime, the derive fails
(which it should). In FIPS mode only approved primes will succeed
now. Non-fips code can now set the subprime to q=(p-1)/2 if it
doesn't have an explicit q value (like in tls). If the derive
succeeds, we know that p is a safe prime. If p is approved, the
checks are skipped because we already know that p is a safe prime.
Code can optionally do a test derive on a new p and remember it's
safe so that we know longer need to check ever call (though if q is
not (p-1)/2, you will need to continue to do the checks each call
because y could still be a small subgroup).
This patch:
gtests/softoken_gtest
1. Added New dh tests to softoken_gtests. The tests were added to
softoken_gtests because we need to test both non-FIPS and FIPS mode.
Test vectors include a category, so the same test vectors can be
used in FIPS and non-FIPS even though each class may have different
results. Most of the test vectors where created either by dhparams
command in openssl, dsaparams in openssl, and the nss makepqg
command. Each vector includes a label, prime, base, optional
subprime, optional public key, test type, and key class (basically
size). 2. If public key is not supplied, we use a generated public
key. 3. If subPrime is supplied to wet it on the private key after
generation.
lib/freebl/dh.c
add primality tests to KEA_VerifyKey().
lib/softokn/
1. Allow CKA_SUBPRIME to be set after key generation or import.
This affects how we test for it's existance, since it is now always
there on the key, we check it's length to make sure it's non-zero.
2. We implement the psuedocode above as real code. 3. We create two
new functions: sftl_VerifyDH_Prime which return SECSuccess if Prime
is an approved prime. sftk_IsSafePrime which returns SECSuess of
both prime and subprime look reasonable, and sets a Bool to PR_TRUE
is subprime -> prime is safe (subprime = (prime-1)/2. These
functions are implemented in sftkdhverify.c 4.Cleanup incorrect
nominclature on primes (safe primes are not strong primes).
[0be91fa2217a]
* gtests/softoken_gtest/softoken_dh_vectors.h,
gtests/softoken_gtest/softoken_gtest.cc:
Fix more of the timeout issues on tests. (Drop expensive 4098 dh
tests ).
[4014c075a31b]
2020-07-29 Makoto Kato <m_kato@ga2.so-net.ne.jp>
* coreconf/config.gypi, lib/freebl/Makefile, lib/freebl/blinit.c,
lib/freebl/freebl.gyp, lib/freebl/sha1-armv8.c,
lib/freebl/sha_fast.c, lib/freebl/sha_fast.h:
Bug 1650702 - Use ARM's crypt extension for SHA1. r=kjacobs
ARM Crypto extension has SHA1 acceleration. Using this, SHA1 is 3
times faster on ARMv8 CPU. The following data is AWS's a1 instance
(Cortex-A72).
Before ====== ``` # mode in opreps cxreps context op time(sec)
thrgput sha1_e 954Mb 31M 0 0.000 10000.000 10.000 95Mb ```
After ===== ``` # mode in opreps cxreps context op time(sec) thrgput
sha1_e 2Gb 94M 0 0.000 10000.000 10.000 288Mb ```
[68b6eb737689]
2020-07-29 Jan-Marek Glogowski <glogow@fbihome.de>
* manifest.mn:
Bug 1653975 - Set "all" as the default Makefile target r=jcj,rrelyea
Just reorder the rules in manifest.mn, so all is again the first
rule. This restores pre-3.53 Makefile defaults.
[eb52747b7000]
2020-07-31 Makoto Kato <m_kato@ga2.so-net.ne.jp>
* lib/freebl/blapii.h, lib/freebl/blinit.c, nss-tool/hw-support.c:
Bug 1654142 - Add CPU feature detection for Intel SHA extension.
r=kjacobs
[e6b77a9c417a]
2020-08-03 Nathan Froyd <froydnj@mozilla.com>
* coreconf/detect_host_arch.py:
Bug 1656986 - special-case arm64 in detect_host_arch.py; r=jcj
This case comes up when attempting to build NSS on ARM64 Mac. If we
don't do this, we wind up detecting arm64 as "arm", with predictably
bad consequences.
[afa38fb2f0b5] [tip]
Differential Revision: https://phabricator.services.mozilla.com/D85888
When the macOS osclientcerts backend looks for issuer certificates, it can
result in network I/O unless it is specifically disabled. The Windows backend
already handles this, so this only applies to macOS.
Differential Revision: https://phabricator.services.mozilla.com/D85799
CLOSED TREE
Backed out changeset 30c58380f352 (bug 1635828)
Backed out changeset d232cb3c4779 (bug 1635828)
Backed out changeset 7c47f9b403ae (bug 1635828)
Allow access to the "com.apple.trustd.agent" service in the content process sandbox. VTDecompressionSessionCreate() fails without it, causing playback failure for some MP4 videos.
Translate deprecated OS version numbers so that sandbox version checks don't need to check for 10.16.
Differential Revision: https://phabricator.services.mozilla.com/D85213
This includes updates to authenticator, cubeb-coreaudio,
metal, gfx-backend-vulkan, gfx-backend-metal, freetype
libloading is duplicated because of ash
Differential Revision: https://phabricator.services.mozilla.com/D84688
2020-07-24 J.C. Jones <jjones@mozilla.com>
* lib/nss/nss.h, lib/softoken/softkver.h, lib/util/nssutil.h:
Set version numbers to 3.55 final
[6705eec655c8] [NSS_3_55_RTM] <NSS_3_55_BRANCH>
2020-07-22 Kai Engert <kaie@kuix.de>
* lib/nss/nssinit.c:
Bug 1653310 - Backed out changeset ca207655b4b7, because with
updated NSPR this workaround is no longer required. r=kjacobe
[a448fe36e58b]
2020-07-21 Kevin Jacobs <kjacobs@mozilla.com>
* .hgtags:
Added tag NSS_3_55_BETA1 for changeset 0768baa431e7
[2572e14f17d6]
Differential Revision: https://phabricator.services.mozilla.com/D84845
osclientcerts requires functions that are available starting in macOS 10.14, so
it shouldn't be possible to enable it in earlier versions.
Differential Revision: https://phabricator.services.mozilla.com/D84764
This includes updates to authenticator, cubeb-coreaudio,
metal, gfx-backend-vulkan, gfx-backend-metal, freetype
libloading is duplicated because of ash
Differential Revision: https://phabricator.services.mozilla.com/D84688
This includes updates to authenticator, cubeb-coreaudio,
metal, gfx-backend-vulkan, gfx-backend-metal, freetype
libloading is duplicated because of ash
Differential Revision: https://phabricator.services.mozilla.com/D84688
2020-07-21 Benjamin Beurdouche <bbeurdouche@mozilla.com>
* cmd/bltest/blapitest.c:
Bug 1653202 - Fix issue disabling other mechanisms when SEED is
deprecated in cmd/bltest/blapitest.c. r=kjacobs
[0768baa431e7] [NSS_3_55_BETA1]
2020-07-21 Kevin Jacobs <kjacobs@mozilla.com>
* automation/release/nspr-version.txt:
Bug 1652331 - NSS 3.55 should depend on NSPR 4.27. r=kaie
[3deefc218cd9]
2020-07-20 Billy Brumley <bbrumley@gmail.com>
* lib/freebl/ec.c:
Bug 1631573: Remove unnecessary scalar padding in ec.c
r=kjacobs,bbeurdouche
Subsequent calls to ECPoints_mul and ECPoint_mul remove this
padding.
Timing attack countermeasures are now applied more generally deeper
in the call stack.
[aeb2e583ee95]
2020-07-20 Kai Engert <kaie@kuix.de>
* lib/nss/nssinit.c:
Bug 1653310 - On macOS check if nssckbi exists prior to loading it.
r=kjacobs
[ca207655b4b7]
Differential Revision: https://phabricator.services.mozilla.com/D84420