2020-07-16 Billy Brumley <bbrumley@gmail.com>
* lib/freebl/ecl/ecl-priv.h, lib/freebl/ecl/ecl.c,
lib/freebl/ecl/ecp_secp521r1.c, lib/freebl/freebl_base.gypi,
lib/freebl/manifest.mn:
Bug 1631583 - ECC: constant time P-521 r=kjacobs,rrelyea,bbeurdouche
This portable code contributed by the Network and Information
Security Group (NISEC) at Tampere University comes from:
[ECCKiila](https://gitlab.com/nisec/ecckiila) that uses
[Fiat](https://github.com/mit-plv/fiat-crypto) for the underlying
field arithmetic.
Co-authored-by: Luis Rivera-Zamarripa <luis.riverazamarripa@tuni.fi>
Co-authored-by: Jesús-Javier Chi-Domínguez
<jesus.chidominguez@tuni.fi>
[ca068f5b5c17] [tip]
* lib/freebl/ecl/ecl-priv.h, lib/freebl/ecl/ecl.c,
lib/freebl/ecl/ecp_secp384r1.c, lib/freebl/freebl_base.gypi,
lib/freebl/manifest.mn, tests/ec/ectest.sh:
Bug 1631583 - ECC: constant time P-384 r=bbeurdouche,rrelyea
This portable code contributed by the Network and Information
Security Group (NISEC) at Tampere University comes from:
[ECCKiila](https://gitlab.com/nisec/ecckiila) that uses
[Fiat](https://github.com/mit-plv/fiat-crypto) for the underlying
field arithmetic.
Co-authored-by: Luis Rivera-Zamarripa <luis.riverazamarripa@tuni.fi>
Co-authored-by: Jesús-Javier Chi-Domínguez
<jesus.chidominguez@tuni.fi>
[d19a3cd451bb]
2020-07-13 Robert Relyea <rrelyea@redhat.com>
* lib/pk11wrap/pk11pub.h:
Bug 1643528 Cannot compile code with nss headers and -Werror=strict-
prototypes r=kjacobs
[01ffd8fef7fa]
2020-07-10 Daiki Ueno <dueno@redhat.com>
* gtests/ssl_gtest/ssl_auth_unittest.cc, lib/ssl/ssl3con.c,
lib/ssl/ssl3exthandle.c, lib/ssl/sslimpl.h,
lib/ssl/tls13exthandle.c:
Bug 1646324, advertise rsa_pkcs1_* schemes in CH and CR for certs,
r=mt
Summary: In TLS 1.3, unless "signature_algorithms_cert" is
advertised, the "signature_algorithms" extension is used as an
indication of supported algorithms for signatures on certificates.
While rsa_pkcs1_* signatures schemes cannot be used for signing
handshake messages, they should be advertised if the peer wants to
to support certificates signed with RSA PKCS#1.
This adds a flag to ssl3_EncodeSigAlgs() and ssl3_FilterSigAlgs() to
preserve rsa_pkcs1_* schemes in the output.
Reviewers: mt
Reviewed By: mt
Bug #: 1646324
[df1d2695e115]
2020-07-09 Benjamin Beurdouche <bbeurdouche@mozilla.com>
* gtests/pk11_gtest/pk11_pbkdf2_unittest.cc, lib/pk11wrap/pk11pbe.c:
Bug 1649648 - Fix null pointers passed as argument in
pk11wrap/pk11pbe.c:886 r=kjacobs
[de661583d467]
Differential Revision: https://phabricator.services.mozilla.com/D83824
PSM internals are currently tightly-copuled with NSS data types. In many cases
this is unnecessary, because PSM often needs only a sequence of bytes (in the
case of certificates, for example). This tight coupling can also have
performance and architectural impacts. For example, thread contention for NSS
resources has caused performance issues in the past. This patch starts the
process of avoiding using these types as much as possible in PSM.
More specifically, RootCABinNumber can take a Span<uint8_t> instead of a
SECItem. Instead of taking a PK11SlotInfo (which essentially requires having a
CERTCertificate), we can use PK11_FindEncodedCertInSlot to see if the
certificate exists on a small number of specific slots to achieve the same
effect as before. Doing this should eventually allow us to avoid creating a
CERTCertificate, which implicitly involves searching all slots on all modules.
Differential Revision: https://phabricator.services.mozilla.com/D83682
With these changes, on my Linux analysis with ClangBuildAnalyzer, the
top two expensive headers, DOMTypes.h and TabMessageUtils.h are no longer
among the 30 most expensive headers.
Differential Revision: https://phabricator.services.mozilla.com/D82935
Before this patch, the "Servers" tab of the certificate manager would show
built-in distrust records that had corresponding certificates (lately, this has
only consisted of two DigiNotar look-alike roots that were added many years ago
to block the real DigiNotar roots and potential cross-signs).
This patch changes the implementation to only show certificates that actually
have a corresponding error override in the "Servers" tab.
Differential Revision: https://phabricator.services.mozilla.com/D83190
As of kernel 5.8 (commit [e9c15badb][]), Linux will set the internal
`FMODE_NONOTIFY` flag on files that don't exist in the filesystem,
including (unnamed) pipes and sockets. Although this flag isn't
properly part of the userspace API, it will be returned by F_GETFL, so
userspace code that tries to change file flags will pass it to F_SETFL.
The implementation of `F_SETFL` has an allow list of flags userspace can
change (`SETFL_MASK`) and ignores all others, but our sandbox has a list
of flags *known* to be ignored, because currently unknown flags could
potentially be accepted by the kernel in the future.
This patch adds `FMODE_NONOTIFY` as an ignored flag.
[e9c15badb]: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=e9c15badbb7b20ccdbadf5da14e0a68fbad51015
Differential Revision: https://phabricator.services.mozilla.com/D83205
Evidently, keys stored on some tokens can only be accessed via the deprecated
CryptoAPI interface. This patch adds support for such keys.
Differential Revision: https://phabricator.services.mozilla.com/D82789
2020-06-26 Kevin Jacobs <kjacobs@mozilla.com>
* automation/abi-check/expected-report-libssl3.so.txt, automation/abi-
check/previous-nss-release, lib/nss/nss.h, lib/softoken/softkver.h,
lib/util/nssutil.h:
Set version numbers to 3.55 beta
[332ab7db68ba]
2020-06-25 Kevin Jacobs <kjacobs@mozilla.com>
* tests/all.sh:
Bug 1649190 - Run cipher, sdr, and ocsp tests under standard test
cycle.
[f373809abfc0]
2020-06-15 Kevin Jacobs <kjacobs@mozilla.com>
* gtests/common/testvectors/p256ecdsa-sha256-vectors.h,
gtests/common/testvectors/p384ecdsa-sha384-vectors.h,
gtests/common/testvectors/p521ecdsa-sha512-vectors.h,
gtests/common/testvectors_base/test-structs.h,
gtests/common/wycheproof/genTestVectors.py,
gtests/pk11_gtest/pk11_ecdsa_unittest.cc:
Bug 1649226 - Add Wycheproof ECDSA tests.
[41292ff7f545]
2020-06-30 Benjamin Beurdouche <bbeurdouche@mozilla.com>
* lib/pkcs12/p12d.c:
Bug 1649322 - Fix null pointer passed as argument in
pk11wrap/pk11pbe.c:1246 r=kjacobs
[cc43ebf5bf88]
2020-06-30 Danh <congdanhqx@gmail.com>
* coreconf/arch.mk, coreconf/config.mk, lib/freebl/Makefile:
Bug 1646594 - Enable AVX2 if applicable on x86_64 with make 4.3
r=bbeurdouche
[b579895aceb0]
2020-07-02 Benjamin Beurdouche <bbeurdouche@mozilla.com>
* lib/ssl/ssl3con.c:
Bug 1649316 - Prevent memcmp to be called with a zero length in
ssl/ssl3con.c:6621 r=kjacobs
[8fe9213d0551]
2020-07-02 Alexander Scheel <ascheel@redhat.com>
* lib/cryptohi/secvfy.c:
Bug 1649487 - Fix bad assert in VFY_EndWithSignature. r=jcj
[c9438b528103]
2020-07-06 Dana Keeler <dkeeler@mozilla.com>
* automation/abi-check/expected-report-libnss3.so.txt,
gtests/pk11_gtest/pk11_find_certs_unittest.cc, lib/nss/nss.def,
lib/pk11wrap/pk11cert.c, lib/pk11wrap/pk11pub.h:
Bug 1649633 - add PK11_FindEncodedCertInSlot r=kjacobs,jcj
PK11_FindEncodedCertInSlot can be used to determine the PKCS#11
object handle of an encoded certificate in a given slot. If the
given certificate does not exist in that slot, CK_INVALID_HANDLE is
returned.
[32fe710a942f]
* gtests/pk11_gtest/pk11_find_certs_unittest.cc:
Bug 1649633 - follow-up to make test comparisons in
pk11_find_certs_unittest.cc yoda comparisons r=kjacobs
[424dae31a1c1]
2020-07-07 Kevin Jacobs <kjacobs@mozilla.com>
* gtests/pk11_gtest/pk11_rsapkcs1_unittest.cc, lib/freebl/rsapkcs.c:
Bug 1067214 - Check minimum padding in RSA_CheckSignRecover.
r=rrelyea
This patch adds a check to `RSA_CheckSignRecover` enforcing a
minimum padding length of 8 bytes for PKCS #1 v1.5-formatted
signatures. In practice, RSA key size requirements already ensure
this requirement is met, but smaller (read: broken) key sizes can be
used via configuration overrides, and NSS should just follow the
spec.
[e5324bd5a885]
2020-07-08 Kevin Jacobs <kjacobs@mozilla.com>
* gtests/ssl_gtest/libssl_internals.c,
gtests/ssl_gtest/libssl_internals.h,
gtests/ssl_gtest/ssl_record_unittest.cc,
gtests/ssl_gtest/tls_agent.cc, gtests/ssl_gtest/tls_agent.h,
lib/ssl/dtls13con.c, lib/ssl/dtls13con.h, lib/ssl/ssl3con.c,
lib/ssl/ssl3prot.h, lib/ssl/sslspec.h, lib/ssl/sslt.h,
lib/ssl/tls13con.c, lib/ssl/tls13exthandle.c:
Bug 1647752 - Update DTLS 1.3 implementation to draft-38. r=mt
This patch updates DTLS 1.3 to draft-38. Specifically:
# `ssl_ct_ack` value changes from 25 to 26. # AEAD limits in
`tls13_UnprotectRecord` enforce a maximum of 2^36-1 (as we only
support GCM/ChaCha20 AEADs) decryption failures before the
connection is closed. # Post-handshake authentication will no longer
be negotiated in DTLS 1.3. This allows us to side-step the more
convoluted state machine requirements.
[132a87fc8689]
2020-07-09 Benjamin Beurdouche <bbeurdouche@mozilla.com>
* lib/pk11wrap/pk11pbe.c, lib/pkcs12/p12d.c:
Bug 1649322 - Fix null pointer passed as argument in
pk11wrap/pk11pbe.c:1246 r=kjacobs
This is a fixup patch that reverts https://hg.mozilla.org/projects/n
ss/rev/cc43ebf5bf88355837c5fafa2f3c46e37626707a and adds a null
check around the memcpy in question.
[80bea0e22b20]
2020-07-09 J.C. Jones <jjones@mozilla.com>
* lib/softoken/pkcs11.c:
Bug 1651520 - slotLock race in NSC_GetTokenInfo r=kjacobs
Basically, NSC_GetTokenInfo doesn't lock slot->slotLock before
accessing slot after obtaining it, even though slotLock is defined
as its lock. [0]
[0] https://searchfox.org/nss/rev/a412e70e55218aaf670f1f10322fa734d8
a9fbde/lib/softoken/pkcs11i.h#320-321
[58c2abd7404e] [tip]
Differential Revision: https://phabricator.services.mozilla.com/D82466
This adds the boolean pref security.sandbox.content.headless (on Linux
only) which does two things:
1. Sets the MOZ_HEADLESS env var for content processes, so that they
don't initialize GTK and don't connect to the X server.
2. Disallows brokered access to parts of the filesystem used only for
graphics -- most critically connecting to the X11 socket itself, but
also opening GPU device nodes and the parts of sysfs used by Mesa, for
example.
This is experimental; use at your own risk.
Setting this pref will break native widgets, so it's also necessary to
set widget.disable-native-theme-for-content
Additionally, it breaks Flash and WebGL; see bug 1638466 for the latter.
Differential Revision: https://phabricator.services.mozilla.com/D81425
Now that filesystem broker policy entries that depend on prefs can be
cached in the "common" policy object, let's do this wherever possible.
Partially fixes bug 1600189.
Differential Revision: https://phabricator.services.mozilla.com/D81424
When the SandboxBrokerPolicyFactory is constructed, prefs aren't
available, which constrains the cached subset of the content process
policy to entries that don't depend on prefs. Delaying the computation
until a content process is started removes that restriction.
(This also delays the reading of dynamic linker configuration to discover
library directories, so a test needs to be adjusted.)
Differential Revision: https://phabricator.services.mozilla.com/D81423
Not strictly necessary, but I noticed this while I was making changes:
AddDynamicPathList can be a simple static function instead of a private
static method, and doesn't need to be in the header.
Differential Revision: https://phabricator.services.mozilla.com/D81422
CLOSED TREE
Backed out changeset 51d7c644a1e6 (bug 1650163)
Backed out changeset 3d2b6908447a (bug 1650163)
Backed out changeset 79141707d47b (bug 1650163)
This commit does:
- Sync files under security/sandbox/chromium/ with Chromium 81.0.4044.138
- Update files under security/sandbox/chromium-shim/
- Apply patches under security/sandbox/chromium-shim/patches/with_update/
- Add mozilla::AddWin32kLockdownPolicy to apply MITIGATION_WIN32K_DISABLE before SUBSYS_WIN32K_LOCKDOWN
Differential Revision: https://phabricator.services.mozilla.com/D79560
This commit updates files under security/sandbox/chromium-shim/patches/
to prepare our codebase for Chromium sandbox update. See patch files for
the details of each patch.
This also removes the following patches from with_update no longer needed.
1) update_chromium_linux_x86_syscalls.patch is included in
b4f3df4e77
2) ifdef_out_ApplyMitigationsToCurrentThread.patch cannot be used because
we use ApplyMitigationsToCurrentThread since the following commit.
4bed2eb502
3) mingw_base_win_get_caller.patch is included in
d8b73eb8f0
4) fix_incorrect_int_use_in_Kernel32BaseVersion.patch is fixed by
https://hg.mozilla.org/mozilla-central/rev/dc9d71fb3bac807a37dbfba35d609ac4ffff1980
5) revert_removal_of_AlterEnvironment_on_Windows.patch is altered by adding
environment_internal.h/cc as a different commit.
6) mingw_undefine_MemoryBarrier.patch is no longer needed as
base::subtle::MemoryBarrier was removed by
bdbaaf4e7e
7) public_siginfo_fields.patch is included in
6bd491daaf
Differential Revision: https://phabricator.services.mozilla.com/D79558
This commit does:
- Sync files under security/sandbox/chromium/ with Chromium 81.0.4044.138
- Update files under security/sandbox/chromium-shim/
- Apply patches under security/sandbox/chromium-shim/patches/with_update/
- Apply a workaround for Clang's bug to compile *_interception.cc
- Add mozilla::AddWin32kLockdownPolicy to apply MITIGATION_WIN32K_DISABLE before SUBSYS_WIN32K_LOCKDOWN
Differential Revision: https://phabricator.services.mozilla.com/D79560
This commit updates files under security/sandbox/chromium-shim/patches/
to prepare our codebase for Chromium sandbox update. See patch files for
the details of each patch.
This also removes the following patches from with_update no longer needed.
1) update_chromium_linux_x86_syscalls.patch is included in
b4f3df4e77
2) ifdef_out_ApplyMitigationsToCurrentThread.patch cannot be used because
we use ApplyMitigationsToCurrentThread since the following commit.
4bed2eb502
3) mingw_base_win_get_caller.patch is included in
d8b73eb8f0
4) fix_incorrect_int_use_in_Kernel32BaseVersion.patch is fixed by
https://hg.mozilla.org/mozilla-central/rev/dc9d71fb3bac807a37dbfba35d609ac4ffff1980
5) revert_removal_of_AlterEnvironment_on_Windows.patch is altered by adding
environment_internal.h/cc as a different commit.
6) mingw_undefine_MemoryBarrier.patch is no longer needed as
base::subtle::MemoryBarrier was removed by
bdbaaf4e7e
7) public_siginfo_fields.patch is included in
6bd491daaf
Differential Revision: https://phabricator.services.mozilla.com/D79558
This commit does:
- Sync files under security/sandbox/chromium/ with Chromium 81.0.4044.138
- Update files under security/sandbox/chromium-shim/
- Apply patches under security/sandbox/chromium-shim/patches/with_update/
- Apply a workaround for Clang's bug to compile *_interception.cc
- Add mozilla::AddWin32kLockdownPolicy to apply MITIGATION_WIN32K_DISABLE before SUBSYS_WIN32K_LOCKDOWN
Differential Revision: https://phabricator.services.mozilla.com/D79560
This commit updates files under security/sandbox/chromium-shim/patches/
to prepare our codebase for Chromium sandbox update. See patch files for
the details of each patch.
This also removes the following patches from with_update no longer needed.
1) update_chromium_linux_x86_syscalls.patch is included in
b4f3df4e77
2) ifdef_out_ApplyMitigationsToCurrentThread.patch cannot be used because
we use ApplyMitigationsToCurrentThread since the following commit.
4bed2eb502
3) mingw_base_win_get_caller.patch is included in
d8b73eb8f0
4) fix_incorrect_int_use_in_Kernel32BaseVersion.patch is fixed by
https://hg.mozilla.org/mozilla-central/rev/dc9d71fb3bac807a37dbfba35d609ac4ffff1980
5) revert_removal_of_AlterEnvironment_on_Windows.patch is altered by adding
environment_internal.h/cc as a different commit.
6) mingw_undefine_MemoryBarrier.patch is no longer needed as
base::subtle::MemoryBarrier was removed by
bdbaaf4e7e
7) public_siginfo_fields.patch is included in
6bd491daaf
Differential Revision: https://phabricator.services.mozilla.com/D79558
Kevin Jacobs
Dana Keeler
ffxbld
Simon Giesecke
Dorel Luca
Moritz Birghan
Frederik Braun
Jed Davis
Mike Hommey
Kris Maglione
Nika Layzell
Mihai Alexandru Michis
Toshihito Kikuchi
Manish Giri
Narcis Beleuzu
R. Martinho Fernandes
Doug Thayer
Sylvestre Ledru
Kershaw Chang
Haik Aftandilian
Jon Bauman