Because CAs can back-date a certificate (i.e. set the "notBefore" field to
earlier than when a certificate actually existed), the "notBefore" field can't
be relied on when determining when CRLite information is recent enough to check
a certificate with. To that end, this patch instead uses the earliest timestamp
from the embedded SCTs in the certificate being checked.
Differential Revision: https://phabricator.services.mozilla.com/D90599
2020-09-23 Dana Keeler <dkeeler@mozilla.com>
* gtests/mozpkix_gtest/pkixbuild_tests.cpp,
gtests/mozpkix_gtest/pkixcert_extension_tests.cpp,
gtests/mozpkix_gtest/pkixcert_signature_algorithm_tests.cpp,
gtests/mozpkix_gtest/pkixcheck_CheckExtendedKeyUsage_tests.cpp,
gtests/mozpkix_gtest/pkixcheck_CheckSignatureAlgorithm_tests.cpp,
gtests/mozpkix_gtest/pkixgtest.h,
lib/mozpkix/include/pkix/pkixtypes.h, lib/mozpkix/lib/pkixbuild.cpp:
Bug 1665715 - (2/2) pass encoded signed certificate timestamp
extension (if present) in CheckRevocation r=jcj
This will allow Firefox to make decisions based on the earliest
known time that a certificate exists (with respect to certificate
transparency) that a CA is unlikely to back-date. In particular,
this is essential for CRLite. Note that if the SCT signature isn't
validated, a CA could still make a certificate appear to have
existed for longer than it really has. However, this change is not
an attempt to catch malicious CAs. The aim is to avoid false
positives in CRLite resulting from CAs backdating the notBefore
field on certificates they issue.
Depends on D90595
[8ebee3cec9cf] [tip]
2020-09-18 Dana Keeler <dkeeler@mozilla.com>
* gtests/mozpkix_gtest/pkixbuild_tests.cpp,
gtests/mozpkix_gtest/pkixcert_extension_tests.cpp,
gtests/mozpkix_gtest/pkixcert_signature_algorithm_tests.cpp,
gtests/mozpkix_gtest/pkixcheck_CheckExtendedKeyUsage_tests.cpp,
gtests/mozpkix_gtest/pkixcheck_CheckSignatureAlgorithm_tests.cpp,
gtests/mozpkix_gtest/pkixgtest.h,
lib/mozpkix/include/pkix/pkixtypes.h, lib/mozpkix/lib/pkixbuild.cpp:
Bug 1665715 - (1/2) revert e8f2720c8254 (bug 1593141) because it's
no longer necessary r=jcj
Bug 1593141 added the certificate's notBefore field as an argument
to TrustDomain::CheckRevocation so that Firefox could use it with
CRLite. However, since CAs can backdate that field, we need to use
the earliest embedded SCT timestamp instead.
[c1f4d565ceda]
Differential Revision: https://phabricator.services.mozilla.com/D91211
CLOSED TREE
2020-09-23 Dana Keeler <dkeeler@mozilla.com>
* gtests/mozpkix_gtest/pkixbuild_tests.cpp,
gtests/mozpkix_gtest/pkixcert_extension_tests.cpp,
gtests/mozpkix_gtest/pkixcert_signature_algorithm_tests.cpp,
gtests/mozpkix_gtest/pkixcheck_CheckExtendedKeyUsage_tests.cpp,
gtests/mozpkix_gtest/pkixcheck_CheckSignatureAlgorithm_tests.cpp,
gtests/mozpkix_gtest/pkixgtest.h,
lib/mozpkix/include/pkix/pkixtypes.h, lib/mozpkix/lib/pkixbuild.cpp:
Bug 1665715 - (2/2) pass encoded signed certificate timestamp
extension (if present) in CheckRevocation r=jcj
This will allow Firefox to make decisions based on the earliest
known time that a certificate exists (with respect to certificate
transparency) that a CA is unlikely to back-date. In particular,
this is essential for CRLite. Note that if the SCT signature isn't
validated, a CA could still make a certificate appear to have
existed for longer than it really has. However, this change is not
an attempt to catch malicious CAs. The aim is to avoid false
positives in CRLite resulting from CAs backdating the notBefore
field on certificates they issue.
Depends on D90595
[8ebee3cec9cf] [tip]
2020-09-18 Dana Keeler <dkeeler@mozilla.com>
* gtests/mozpkix_gtest/pkixbuild_tests.cpp,
gtests/mozpkix_gtest/pkixcert_extension_tests.cpp,
gtests/mozpkix_gtest/pkixcert_signature_algorithm_tests.cpp,
gtests/mozpkix_gtest/pkixcheck_CheckExtendedKeyUsage_tests.cpp,
gtests/mozpkix_gtest/pkixcheck_CheckSignatureAlgorithm_tests.cpp,
gtests/mozpkix_gtest/pkixgtest.h,
lib/mozpkix/include/pkix/pkixtypes.h, lib/mozpkix/lib/pkixbuild.cpp:
Bug 1665715 - (1/2) revert e8f2720c8254 (bug 1593141) because it's
no longer necessary r=jcj
Bug 1593141 added the certificate's notBefore field as an argument
to TrustDomain::CheckRevocation so that Firefox could use it with
CRLite. However, since CAs can backdate that field, we need to use
the earliest embedded SCT timestamp instead.
[c1f4d565ceda]
Differential Revision: https://phabricator.services.mozilla.com/D91211
Because CAs can back-date a certificate (i.e. set the "notBefore" field to
earlier than when a certificate actually existed), the "notBefore" field can't
be relied on when determining when CRLite information is recent enough to check
a certificate with. To that end, this patch instead uses the earliest timestamp
from the embedded SCTs in the certificate being checked.
Differential Revision: https://phabricator.services.mozilla.com/D90599
2020-09-23 Dana Keeler <dkeeler@mozilla.com>
* gtests/mozpkix_gtest/pkixbuild_tests.cpp,
gtests/mozpkix_gtest/pkixcert_extension_tests.cpp,
gtests/mozpkix_gtest/pkixcert_signature_algorithm_tests.cpp,
gtests/mozpkix_gtest/pkixcheck_CheckExtendedKeyUsage_tests.cpp,
gtests/mozpkix_gtest/pkixcheck_CheckSignatureAlgorithm_tests.cpp,
gtests/mozpkix_gtest/pkixgtest.h,
lib/mozpkix/include/pkix/pkixtypes.h, lib/mozpkix/lib/pkixbuild.cpp:
Bug 1665715 - (2/2) pass encoded signed certificate timestamp
extension (if present) in CheckRevocation r=jcj
This will allow Firefox to make decisions based on the earliest
known time that a certificate exists (with respect to certificate
transparency) that a CA is unlikely to back-date. In particular,
this is essential for CRLite. Note that if the SCT signature isn't
validated, a CA could still make a certificate appear to have
existed for longer than it really has. However, this change is not
an attempt to catch malicious CAs. The aim is to avoid false
positives in CRLite resulting from CAs backdating the notBefore
field on certificates they issue.
Depends on D90595
[8ebee3cec9cf] [tip]
2020-09-18 Dana Keeler <dkeeler@mozilla.com>
* gtests/mozpkix_gtest/pkixbuild_tests.cpp,
gtests/mozpkix_gtest/pkixcert_extension_tests.cpp,
gtests/mozpkix_gtest/pkixcert_signature_algorithm_tests.cpp,
gtests/mozpkix_gtest/pkixcheck_CheckExtendedKeyUsage_tests.cpp,
gtests/mozpkix_gtest/pkixcheck_CheckSignatureAlgorithm_tests.cpp,
gtests/mozpkix_gtest/pkixgtest.h,
lib/mozpkix/include/pkix/pkixtypes.h, lib/mozpkix/lib/pkixbuild.cpp:
Bug 1665715 - (1/2) revert e8f2720c8254 (bug 1593141) because it's
no longer necessary r=jcj
Bug 1593141 added the certificate's notBefore field as an argument
to TrustDomain::CheckRevocation so that Firefox could use it with
CRLite. However, since CAs can backdate that field, we need to use
the earliest embedded SCT timestamp instead.
[c1f4d565ceda]
Differential Revision: https://phabricator.services.mozilla.com/D91211
The ABI on ARM64 requires 16-byte stack alignment, and that includes the
small temporary stack that exists only so that we can `longjmp` off of
it in the child process after calling `clone`.
Differential Revision: https://phabricator.services.mozilla.com/D90001
In addition to e.g. lacking `open` in favor of `openat`, Linux/arm64
also removes a number of older syscalls along similar lines, like `dup2`
in favor of `dup3`, and all variants of `select` other than `pselect6`.
Differential Revision: https://phabricator.services.mozilla.com/D90000
Linux/arm64 omits syscalls that can be implemented in terms of newer
syscalls by inserting constant arguments; this means that all of the
basic filesystem operations use the `at` versions, like `unlinkat`
replacing both `unlink` and `rmdir`. We've supported some of them when
x86 libcs started using them, but there are several others we were
missing; this patch adds them.
Differential Revision: https://phabricator.services.mozilla.com/D89999
Linux/arm64 seems to exclude any syscalls that were redundant when it was
created (specifically, that can be implemented in terms of another by
inserting constant arguments), which includes all the of the non-`at`
filesystem syscalls --- for example, `open` vs. `openat`.
This patch rearranges ifdefs to handle that case; later patches will
fill in the currently unhandled syscalls in the `at`-only side.
Differential Revision: https://phabricator.services.mozilla.com/D89998
Not strictly part of ARM support, but worth committing, and in
particular printing the `AT_*` flags in hex is helpful for matching them
against headers when `*at` syscalls fail.
Differential Revision: https://phabricator.services.mozilla.com/D89997
We no longer use GConf (bug 1433685), so we can remove the sandbox rule
allowing it to call utime(). That syscall doesn't exist on ARM or ARM64,
so this rule would have to be ifdef'ed if it were re-added.
Differential Revision: https://phabricator.services.mozilla.com/D89996
Chromium's Linux sandboxing code needs some architecture-specific files
for ARM and ARM64 that we don't currently include in our partial import.
These are copied from Chromium tag 81.0.4044.138 (matching the latest
import of the rest of security/sandbox/chromium) without changes.
Differential Revision: https://phabricator.services.mozilla.com/D89994
Bug 1658042 attempted to identify keys that could only handle legacy crypto
using CryptFindCertificateKeyProvInfo. However, it appears that this API can
be incredibly slow and potentially involve network I/O. This patch reworks
the legacy crypto handling by using CryptAcquireCertificatePrivateKey with the
CRYPT_ACQUIRE_SILENT_FLAG flag to avoid showing UI at inopportune times.
Differential Revision: https://phabricator.services.mozilla.com/D90733
2020-09-18 Kevin Jacobs <kjacobs@mozilla.com>
* automation/abi-check/previous-nss-release, lib/nss/nss.h,
lib/softoken/softkver.h, lib/util/nssutil.h:
Set version numbers to 3.58 Beta
[c28e20f61e5d] [tip]
* .hgtags:
Added tag NSS_3_57_RTM for changeset cf7e3e8abd77
[a963849538ca] <NSS_3_57_BRANCH>
* lib/nss/nss.h, lib/softoken/softkver.h, lib/util/nssutil.h:
Set version numbers to 3.57 final
[cf7e3e8abd77] [NSS_3_57_RTM] <NSS_3_57_BRANCH>
Differential Revision: https://phabricator.services.mozilla.com/D91070
2020-09-18 Kevin Jacobs <kjacobs@mozilla.com>
* lib/nss/nss.h, lib/softoken/softkver.h, lib/util/nssutil.h:
Set version numbers to 3.57 final
[cf7e3e8abd77] [NSS_3_57_RTM] <NSS_3_57_BRANCH>
2020-09-15 Kevin Jacobs <kjacobs@mozilla.com>
* .hgtags:
Added tag NSS_3_57_BETA1 for changeset 56224882ccc3
[f46f20c58c4f]
Differential Revision: https://phabricator.services.mozilla.com/D90726
The MOZ_MUST_USE macro is defined as clang's and gcc's nonstandard __attribute__((warn_unused_result)). Now that we compile as C++17 by default (bug 1560664), we can replace MOZ_MUST_USE with C++17's standard [[nodiscard]] attribute.
We can also stop #including mozilla/Attributes.h because it was only needed for its MOZ_MUST_USE declaration.
Differential Revision: https://phabricator.services.mozilla.com/D90350
The earlier fix ea452bb92e6a proved the executable's imagebase in a child
process is not always the same as the local imagebase. This patch applies
the new approach to retieve the imagebase from a handle to all channels.
Interestingly, we observed the launcher failures at `VirtualProtectEx` only
when launching a sandboxed process, not when launching the browser process.
In the long term, we may need to take care of all `WriteProcessMemory` calls
for a child process for greater safety, but given that observation, this
patch only updates `RestoreImportDirectory` and `InitializeDllBlocklistOOP`.
Differential Revision: https://phabricator.services.mozilla.com/D90316
2020-09-14 Benjamin Beurdouche <bbeurdouche@mozilla.com>
* coreconf/arch.mk:
Bug 1660735 - Fix typo in coreconfig/arch.mk. r=kjacobs
[2a17c8655a74] [tip]
* coreconf/config.mk:
Bug 1660734 - Fix typo in coreconf/config.mk. r=kjacobs
[4ae56ec2411b]
2020-09-11 Kevin Jacobs <kjacobs@mozilla.com>
* lib/ckfw/builtins/nssckbi.h:
Bug 1663049 - September 2020 batch of root changes,
NSS_BUILTINS_LIBRARY_VERSION 2.44. r=jcj
[141ef83ac10b]
* lib/ckfw/builtins/certdata.txt:
Bug 1663049 - Add SecureTrust's Trustwave Global root certificates
to NSS. r=KathleenWilson,jcj
[7dfc054a983e]
* lib/ckfw/builtins/certdata.txt:
Bug 1656077 - Remove Taiwan Government Root Certification Authority
root cert. r=KathleenWilson,jcj
Depends on D89841
[32a0d8f751ef]
* lib/ckfw/builtins/certdata.txt:
Bug 1653092 - Disable server trust bit for OISTE WISeKey Global Root
GA CA root cert. r=KathleenWilson,jcj
Depends on D89840
[1cdfb26b3220]
* lib/ckfw/builtins/certdata.txt:
Bug 1651211 - Remove EE Certification Centre Root CA root cert.
r=KathleenWilson,jcj
[089aeca370df]
2020-09-11 Danh <congdanhqx@gmail.com>
* coreconf/arch.mk, coreconf/config.mk, lib/freebl/Makefile:
Bug 1659727 - Move makefile avx2 detection to config.mk. r=kjacobs
Summary: Current code base use CPU_ARCH to detect if avx2 is
supported in arch.mk However, when arch.mk included, CPU_ARCH
haven't been initialised, CPU_ARCH will be initialised by the OS
specific code later on.
Move the AVX2 detection to config.mk, after all other initialisation
done.
Reviewers: kjacobs
Reviewed By: kjacobs
Subscribers: kjacobs
Bug #: 1659727
[c6dcb99e6121]
2020-09-08 Kevin Jacobs <kjacobs@mozilla.com>
* gtests/freebl_gtest/mpi_unittest.cc, lib/freebl/mpi/mpi.c:
Bug 1605922 - Account for negative sign in mp_radix_size
r=bbeurdouche
[b64436ecbd79]
2020-09-09 Daiki Ueno <dueno@redhat.com>
* lib/freebl/Makefile:
Bug 1659256, add gcc version check on AArch64 optimization,
r=rrelyea
Summary: As described in https://access.redhat.com/solutions/19458,
gcc version in RHEL-7 is still 4.8.x and cannot compile the newly
added aes-armv8.c. There is a version check already for 32-bit arm,
but not for AArch64. This also removes NS_USE_GCC check added in bug
1652032 in favor of the automatic detection using CC_IS_* macros.
Reviewers: rrelyea
Reviewed By: rrelyea
Subscribers: jmux, kjacobs
Bug #: 1659256
[b971c77c0d68]
2020-09-08 Michael Shigorin <mike@altlinux.org>
* coreconf/config.gypi:
Bug 1663346 - Build e2k architecture as 64-bit r=jcj
[e524a577761d]
2020-09-05 Daiki Ueno <dueno@redhat.com>
* lib/freebl/fipsfreebl.c:
Bug 1662738, run RNG self-tests only if NSPR is linked, r=rrelyea
Summary: After the continuous DRBG test was added, RNG self-tests
have no longer worked standalone. This moves the self-tests to the
DO_REST block so it only runs when the program is also linked to
NSPR.
Reviewers: rrelyea
Reviewed By: rrelyea
Bug #: 1662738
[e03296e73ba6]
2020-09-02 Khem Raj <raj.khem@gmail.com>
* lib/libpkix/pkix/util/pkix_logger.c:
Bug 1661378 - pkix: Do not use NULL where 0 is needed Clang finds
this error
pkix_logger.c:316:32: error: cast to smaller integer type
'PKIX_ERRORCLASS' from 'void *' [-Werror,-Wvoid-pointer-to-enum-
cast] logger->logComponent = (PKIX_ERRORCLASS)NULL;
^~~~~~~~~~~~~~~~~~~~~ pkix_logger.c:617:32: error: cast to smaller
integer type 'PKIX_ERRORCLASS' from 'void *' [-Werror,-Wvoid-
pointer-to-enum-cast] logger->logComponent = (PKIX_ERRORCLASS)NULL;
^~~~~~~~~~~~~~~~~~~~~ 2 errors generated.
Signed-off-by: Khem Raj <raj.khem@gmail.com>
[9213848965f6]
Differential Revision: https://phabricator.services.mozilla.com/D90130
This patch modifies the implementation of nsIX509CertValidity to use
mozilla::pkix to decode notBefore/notAfter values from the given encoded
certificate rather than using a CERTCertificate. This will help in avoiding
CERTCertificate in the implementation of nsIX509Cert.
This patch also renames/moves the previous implementation (which was in
nsNSSCertValidity.{h,cpp} but was called nsX509CertValidity) to be more
consistent and to drop the unnecessary "ns" prefix. It is now in the files
X509CertValidity.{h,cpp} and is called X509CertValidity.
Differential Revision: https://phabricator.services.mozilla.com/D89644
The MOZ_MUST_USE macro is defined as clang's and gcc's nonstandard __attribute__((warn_unused_result)). Now that we compile as C++17 by default (bug 1560664), we can replace MOZ_MUST_USE with C++17's standard [[nodiscard]] attribute.
The [[nodiscard]] attribute must precede a function declaration's declaration specifiers (like static, extern, inline, or virtual). The __attribute__((warn_unused_result)) attribute does not have this order restriction.
Differential Revision: https://phabricator.services.mozilla.com/D89235
Limitations in the NSS PKCS7 API prevent completely avoiding CERTCertificate in
this implementation, but these changes avoid a large number of unnecessary
certificate decoding operations.
Differential Revision: https://phabricator.services.mozilla.com/D87930
Per the manpage "Both stat() and lstat() act as though AT_NO_AUTOMOUNT
was set.", so don't bail if it's set in a call to fstatat.
Differential Revision: https://phabricator.services.mozilla.com/D89121
This patch was generated by running:
```
perl -p -i \
-e 's/^(\s+)([a-zA-Z0-9.]+) = NS_ConvertUTF8toUTF16\((.*)\);/\1CopyUTF8toUTF16(\3, \2);/;' \
-e 's/^(\s+)([a-zA-Z0-9.]+) = NS_ConvertUTF16toUTF8\((.*)\);/\1CopyUTF16toUTF8(\3, \2);/;' \
$FILE
```
against every .cpp and .h in mozilla-central, and then fixing up the
inevitable errors that happen as a result of matching C++ expressions with
regexes. The errors fell into three categories:
1. Calling the convert functions with `std::string::c_str()`; these were
changed to simply pass the string instead, relying on implicit conversion
to `mozilla::Span`.
2. Calling the convert functions with raw pointers, which is not permitted
with the copy functions; these were changed to invoke `MakeStringSpan` first.
3. Other miscellaneous errors resulting from over-eager regexes and/or the
replacement not being type-aware. These changes were reverted.
Differential Revision: https://phabricator.services.mozilla.com/D88903
2020-08-21 Kevin Jacobs <kjacobs@mozilla.com>
* automation/abi-check/previous-nss-release, lib/nss/nss.h,
lib/softoken/softkver.h, lib/util/nssutil.h:
Set version numbers to 3.57 Beta
[783f49ae6126]
2020-08-24 Kevin Jacobs <kjacobs@mozilla.com>
* gtests/ssl_gtest/ssl_auth_unittest.cc, lib/ssl/dtls13con.c,
lib/ssl/dtlscon.c, lib/ssl/ssl3con.c, lib/ssl/sslimpl.h,
lib/ssl/sslnonce.c:
Bug 1653641 - Cleanup inaccurate DTLS comments, code review fixes.
r=mt
[0e1b5c711cb9]
2020-08-24 Robert Relyea <rrelyea@redhat.com>
* lib/freebl/fipsfreebl.c, lib/softoken/fipstest.c,
lib/softoken/kbkdf.c, lib/softoken/lowpbe.c, lib/softoken/lowpbe.h,
lib/softoken/pkcs11c.c, lib/softoken/pkcs11i.h,
lib/softoken/sftkhmac.c, lib/softoken/sftkike.c:
Bug 1660304 New FIPS IG requires self-tests for approved kdfs.
r=ueno comments=kjacobs
FIPS guidance now requires self-tests for our kdfs. It also requires
self-tests for cmac which we didn't have in the cmac patch.
Currently only one test per kdf is necessary. Specifially for
SP-800-108, only one of the three flavors are needed (counter,
feedback, or pipeline). This patch includes more complete testing
but it has been turned off the currently extraneous tests under the
assumption that NIST guidance may require them in the future. HKDF
is currently not included in FIPS, but is on track to be included,
so hkdf have been included in this patch.
Because the test vectors are const strings, the patch pushes some
const definitions that were missing in existing private interfaces.
There are three flavors of self-tests: Function implemented in
freebl are added to the freebl/fipsfreebl.c Functions implemented in
pkcs11c.c have selftests completely implemented in
softoken/fipstest.c Functions implemented in their own .c file have
their selftest function implemented in that .c file and called by
fipstests.c These are consistant with the previous choices for
selftests.
Some private interfaces that took in keys from pkcs #11 structures
or outputted keys to pkcs #11 structures were modified to optionally
take keys in by bytes and output keys as bytes so the self-tests can
work in just bytes.
[5dca54fe61c2]
2020-08-25 Daiki Ueno <dueno@redhat.com>
* lib/softoken/manifest.mn:
Bug 1659252, disable building libnssdbm3.so if NSS_DISABLE_DBM=1,
r=rrelyea
Reviewers: rrelyea
Reviewed By: rrelyea
Bug #: 1659252
[4d55d36ca6ef]
2020-08-24 Kevin Jacobs <kjacobs@mozilla.com>
* lib/pk11wrap/pk11cxt.c, lib/softoken/pkcs11c.c, lib/softoken/sdb.c,
lib/softoken/sftkpwd.c:
Bug 1651834 - Fix various static analyzer warnings. r=rrelyea
[ab04fd73fd6d]
2020-08-28 Mike Hommey <mh@glandium.org>
* lib/freebl/blapii.h:
Bug 1661810 - Define pre_align/post_align based on the compiler.
r=jcj
Things worked fine before we upgraded to clang 11 presumably because
the stack was always 16-bytes aligned in the first place, or
something akin to that, and the lack of pre_align/post_align doing
anything didn't matter. The runtime misalignment of the stack may
well be a clang > 9 bug, but keeping pre_align/post_align tied to
the x86/x64 is a footgun anyways.
[c100e11991f6] [tip]
Differential Revision: https://phabricator.services.mozilla.com/D88876
ffxbld
Kershaw Chang
Razvan Maries
Dana Keeler
J.C. Jones
Bogdan Tara
Jed Davis
Simon Giesecke
Andrea Marchesini
Narcis Beleuzu
Kevin Jacobs
Moritz Birghan
Chris Peterson
Toshihito Kikuchi
Alexis Beingessner
Julien Cristau
Nathan Froyd
Sylvestre Ledru
Mihai Alexandru Michis