This removes processing of HTTP Public Key Pinning headers, remotely modifying
pinning information, and using cached pinning information, all of which were
already disabled in bug 1412438. Static pins that ship with the browser are
still enforced.
Differential Revision: https://phabricator.services.mozilla.com/D73352
Passing Cr.ERROR to an Error constructor is incorrect since it just sets the
message of the error to the integer value of the Cr.ERROR. Cr.ERRORs need to be
used as the second argument to Component.Exception to correctly construct an
Exception object with its result property set to the Cr.ERROR value.
This was done automatically by an expansion of the new
mozilla/no-throw-cr-literal eslint rule that will be introduced in the next
commit.
Differential Revision: https://phabricator.services.mozilla.com/D28075
2020-05-01 J.C. Jones <jjones@mozilla.com>
* lib/nss/nss.h, lib/softoken/softkver.h, lib/util/nssutil.h:
Set version numbers to 3.52 final
[befc258c4336] [NSS_3_52_RTM] <NSS_3_52_BRANCH>
2020-04-30 Kevin Jacobs <kjacobs@mozilla.com>
* .hgtags:
Added tag NSS_3_52_BETA2 for changeset bb4462a16de8
[c5d002af1d61]
Differential Revision: https://phabricator.services.mozilla.com/D73512
2020-04-30 zhujianwei7 <zhujianwei7@huawei.com>
* lib/smime/cmssigdata.c:
Bug 1630925 - Guard all instances of NSSCMSSignedData.signerInfos
r=kjacobs
[bb4462a16de8] [NSS_3_52_BETA2]
2020-04-30 Kevin Jacobs <kjacobs@mozilla.com>
* gtests/pk11_gtest/pk11_seed_cbc_unittest.cc, lib/freebl/seed.c,
lib/freebl/seed.h:
Bug 1619959 - Properly handle multi-block SEED ECB inputs.
r=bbeurdouche,jcj
[d67517e92371]
2020-04-28 Kevin Jacobs <kjacobs@mozilla.com>
* .hgtags:
Added tag NSS_3_52_BETA1 for changeset 0b30eb1c3650
[11415c3334ab]
2020-04-24 Robert Relyea <rrelyea@redhat.com>
* lib/libpkix/pkix_pl_nss/pki/pkix_pl_cert.c:
Bug 1571677 Name Constraints validation: CN treated as DNS name even
when syntactically invalid as DNS name r=mt
This patch makes libpkix treat name constraints the same as the NSS cert
verifier. This proposal has been available for review for 9 months without
objection.
Time to make this official
[0b30eb1c3650] [NSS_3_52_BETA1]
2020-04-27 Edouard Oger <eoger@fastmail.com>
* lib/freebl/blinit.c:
Bug 1633498 - Do not define getauxval on iOS targets. r=jcj
[7b5e3b9fbc7d]
2020-04-27 Robert Relyea <rrelyea@redhat.com>
* lib/softoken/sftkike.c:
Bug 1629663 NSS missing IKEv1 Quick Mode KDF prf r=kjacobs
Fix possible free before alloc error found by kjacobs
[7f91e3dcfb9b]
2020-04-20 Robert Relyea <rrelyea@redhat.com>
* lib/softoken/pkcs11.c, lib/softoken/pkcs11c.c,
lib/softoken/pkcs11i.h, lib/softoken/sftkike.c, lib/util/pkcs11n.h:
Bug 1629663 NSS missing IKEv1 Quick Mode KDF prf r=kjacobs
We found another KDF function in libreswan that is not using the NSS
KDF API.
Unfortunately, it seems the existing IKE KDF's in NSS are not usable
for the Quick Mode use.
The libreswan code is in compute_proto_keymat() and the
specification is in https://tools.ietf.org/html/rfc2409#section-5.5
It needs:
KEYMAT = prf(SKEYID_d, [g(qm)^xy ] | protocol | SPI | Ni_b | Nr_b).
which can be thought of as: KEYMAT = prf(KEY, [KEY] | BYTES)
but with the kicker that it also does multiple rounds aka key
expansion: KEYMAT = K1 | K2 | K3 | ...
where
K1 = prf(KEY, [KEY] | BYTES)
K2 = prf(KEY, K1 | [KEY] | BYTES)
K3 = prf(KEY, K1 | [KEY] | BYTES)
etc.
to generate the needed keying material >PRF size
This patch implements this by extending the Appendix B Mechanism to
take an optional key and data in a new Mechanism parameter
structure. Which flavor is used (old CK_MECHANISM_TYPE or the new
parameter) is determined by the mechanism parameter lengths.
Applications which try to use this new feature on old versions of NSS
will get an error (rather than invalid data).
[225bb39eade1]
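The KEYMAT expansion described in the message above, as an added example that is neither NSS nor libreswan code: a Python implementation of the chained PRF rounds of RFC 2409 section 5.5. HMAC-SHA1 is assumed as the negotiated IKEv1 PRF (the construction does not depend on which PRF is used), and all inputs are constructed. `kdf_expand` is the generalised prf(KEY, [KEY] | BYTES) form with the optional key that the new mechanism parameter carries; `ikev1_quick_mode_keymat` assembles the Quick Mode BYTES from the protocol ID, SPI and nonces. Each round after the first chains the previous round's output, as the RFC specifies.

```python
import hashlib
import hmac


def prf(key: bytes, data: bytes) -> bytes:
    """HMAC-SHA1 stands in for the negotiated IKEv1 PRF (assumption for this
    example; the expansion below does not depend on which PRF is used)."""
    return hmac.new(key, data, hashlib.sha1).digest()


def kdf_expand(key: bytes, opt_key: bytes, data: bytes, length: int) -> bytes:
    """Generalised form from the commit message: prf(KEY, [KEY] | BYTES) run
    in chained rounds until `length` bytes have been produced.

      K1  = prf(KEY, [KEY] | BYTES)
      Kn  = prf(KEY, K(n-1) | [KEY] | BYTES)
      OUT = K1 | K2 | ... truncated to `length`

    `opt_key` is the optional extra key ([KEY]); pass b"" to omit it.
    """
    if length <= 0:
        raise ValueError("length must be positive")
    out = bytearray()
    prev = b""
    while len(out) < length:
        prev = prf(key, prev + opt_key + data)
        out += prev
    return bytes(out[:length])


def ikev1_quick_mode_keymat(skeyid_d: bytes, g_xy: bytes, protocol: int,
                            spi: bytes, ni_b: bytes, nr_b: bytes,
                            length: int) -> bytes:
    """RFC 2409 section 5.5:
      KEYMAT = prf(SKEYID_d, [g(qm)^xy] | protocol | SPI | Ni_b | Nr_b)
    expanded with chained rounds when more than one PRF output is needed.
    `g_xy` is the PFS Diffie-Hellman shared secret, or b"" without PFS;
    `protocol` is the one-octet ISAKMP protocol ID (3 == PROTO_IPSEC_ESP).
    """
    bytes_part = bytes([protocol]) + spi + ni_b + nr_b
    return kdf_expand(skeyid_d, g_xy, bytes_part, length)


# Constructed sample inputs (not taken from real traffic).
SKEYID_D = hashlib.sha1(b"constructed SKEYID_d").digest()
SPI = bytes.fromhex("0a0b0c0d")
NI_B = bytes(range(16))
NR_B = bytes(range(16, 32))
PROTO_IPSEC_ESP = 3


if __name__ == "__main__":
    # A 32-byte ESP key needs two HMAC-SHA1 rounds (20 bytes each).
    km = ikev1_quick_mode_keymat(SKEYID_D, b"", PROTO_IPSEC_ESP,
                                 SPI, NI_B, NR_B, 32)
    print("KEYMAT (no PFS):", km.hex())
    g_xy = hashlib.sha256(b"constructed g(qm)^xy").digest()
    km_pfs = ikev1_quick_mode_keymat(SKEYID_D, g_xy, PROTO_IPSEC_ESP,
                                     SPI, NI_B, NR_B, 32)
    print("KEYMAT (PFS):   ", km_pfs.hex())
```

Requesting 20 bytes yields exactly K1; requesting 32 exercises the second round, which is the multi-round case the message says the existing NSS IKE KDFs could not cover.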
Differential Revision: https://phabricator.services.mozilla.com/D73383
When the browser process starts a sandbox process, we copy the executable's IAT
for ntdll.dll into the new process to prevent DLL injection via IAT tampering as
the launcher process does. However, if IAT has been modified by a module injected
via `SetWindowHookEx`, the browser process cannot copy IAT because a modified IAT
is invalid in a different process, failing to start any sandbox processes.
The proposed fix is to cache IAT before COM initialization which may load
modules via `SetWindowHookEx` for the first time in the process.
Differential Revision: https://phabricator.services.mozilla.com/D73303
mozilla::pkix treats the id-kp-OCSPSigning extended key usage as forbidden
unless specifically required. Client authentication certificate filtering in
gecko uses mozilla::pkix, so before this patch, certificates with this EKU would
be filtered out. Normally this is correct, because client authentication
certificates should never have this EKU. However, there is at least one private
PKI where client certificates have this EKU. For interoperability, this patch
works around this restriction by falling back to requiring id-kp-OCSPSigning if
path building initially fails.
Differential Revision: https://phabricator.services.mozilla.com/D72760
2020-04-24 Kevin Jacobs <kjacobs@mozilla.com>
* automation/abi-check/expected-report-libnss3.so.txt,
gtests/softoken_gtest/softoken_gtest.cc, lib/nss/nss.def,
lib/pk11wrap/pk11obj.c, lib/pk11wrap/pk11pub.h, lib/softoken/sdb.c:
Bug 1612881 - Maintain PKCS11 C_GetAttributeValue semantics on
attributes that lack NSS database columns r=keeler,rrelyea
`sdb_GetAttributeValueNoLock` builds a query string from a list of
attributes in the input template. Unfortunately,
`sqlite3_prepare_v2` will fail the entire query if one of the
attributes is missing from the underlying table. The PKCS #11 spec
[[ https://www.cryptsoft.com/pkcs11doc/v220/pkcs11__all_8h.html#aC_G
etAttributeValue | requires ]] setting the output `ulValueLen` field
to -1 for such invalid attributes.
This patch reads and stores the columns of nssPublic/nssPrivate when
opened, then filters an input template in
`sdb_GetAttributeValueNoLock` for unbacked/invalid attributes,
removing them from the query and setting their template output
lengths to -1.
[aae226c20dfd] [tip]
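The attribute-filtering behaviour this patch introduces, as an added example that is not NSS code: a Python model of `C_GetAttributeValue` against a constructed in-memory sqlite table standing in for nssPublic (the real schema names columns after attribute numbers; readable names are an assumption here). The naive version interpolates every requested attribute into one SELECT, so a single unbacked attribute makes sqlite reject the whole statement. The patched version reads the column set once at open time, drops unbacked attributes from the query, sets their `ulValueLen` to -1 (`CK_UNAVAILABLE_INFORMATION`) and reports `CKR_ATTRIBUTE_TYPE_INVALID` while still returning the valid ones.

```python
import sqlite3

# PKCS #11 value for CK_ATTRIBUTE.ulValueLen when an attribute is invalid.
CK_UNAVAILABLE_INFORMATION = -1
# Return-code names as plain strings (stand-ins for the numeric CK_RV values).
CKR_OK = "CKR_OK"
CKR_ATTRIBUTE_TYPE_INVALID = "CKR_ATTRIBUTE_TYPE_INVALID"
CKR_OBJECT_HANDLE_INVALID = "CKR_OBJECT_HANDLE_INVALID"
CKR_GENERAL_ERROR = "CKR_GENERAL_ERROR"

TABLE = "nssPublic"


def open_db() -> sqlite3.Connection:
    """Constructed stand-in for the nssPublic table with one object in it."""
    db = sqlite3.connect(":memory:")
    db.execute(f"CREATE TABLE {TABLE} (id TEXT PRIMARY KEY, "
               "CKA_CLASS BLOB, CKA_LABEL BLOB, CKA_ID BLOB)")
    db.execute(f"INSERT INTO {TABLE} VALUES (?, ?, ?, ?)",
               ("obj1", b"\x01", b"my-cert", b"\xaa\xbb"))
    return db


def table_columns(db: sqlite3.Connection, table: str) -> set:
    """Read the column set once, as the patch does when the DB is opened."""
    return {row[1] for row in db.execute(f"PRAGMA table_info({table})")}


def _entry(value):
    # (pValue, ulValueLen); a NULL cell is treated as unavailable here.
    if value is None:
        return (None, CK_UNAVAILABLE_INFORMATION)
    return (value, len(value))


def get_attribute_value_naive(db, obj_id, template):
    """Pre-patch behaviour: every requested attribute becomes a column in one
    SELECT; sqlite3_prepare fails the whole statement on an unknown column
    and nothing is returned for the valid attributes either."""
    cols = ", ".join(template)
    try:
        row = db.execute(f"SELECT {cols} FROM {TABLE} WHERE id = ?",
                         (obj_id,)).fetchone()
    except sqlite3.OperationalError:
        return CKR_GENERAL_ERROR, None
    if row is None:
        return CKR_OBJECT_HANDLE_INVALID, None
    return CKR_OK, [_entry(v) for v in row]


def get_attribute_value(db, obj_id, template, columns=None):
    """Post-patch behaviour: filter the template against the known columns,
    query only the backed attributes, and mark the rest with ulValueLen -1.
    Because only names that exist as columns are ever interpolated into
    SQL, this also rules out injection through a caller-chosen name."""
    if columns is None:
        columns = table_columns(db, TABLE)
    backed = [a for a in template if a in columns]
    fetched = {}
    if backed:
        row = db.execute(f"SELECT {', '.join(backed)} FROM {TABLE} "
                         "WHERE id = ?", (obj_id,)).fetchone()
        if row is None:
            return CKR_OBJECT_HANDLE_INVALID, None
        fetched = dict(zip(backed, row))
    rv = CKR_OK
    out = []
    for attr in template:
        if attr not in columns:
            out.append((None, CK_UNAVAILABLE_INFORMATION))
            rv = CKR_ATTRIBUTE_TYPE_INVALID
        else:
            out.append(_entry(fetched[attr]))
    return rv, out


if __name__ == "__main__":
    db = open_db()
    tmpl = ["CKA_LABEL", "CKA_NOT_A_COLUMN", "CKA_ID"]
    print("naive:  ", get_attribute_value_naive(db, "obj1", tmpl))
    print("patched:", get_attribute_value(db, "obj1", tmpl))
```

The patched call still fails the whole lookup when the object itself is missing; only attributes without a backing column are handled per-entry, which matches the spec wording quoted in the message.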
2020-04-23 Kevin Jacobs <kjacobs@mozilla.com>
* lib/ssl/sslnonce.c:
Bug 1531906 - Relax ssl3_SetSIDSessionTicket assertions to permit
valid, evicted or externally-cached sids. r=mt
This patch relaxes an overzealous assertion for the case where:
1) Two sockets start connections with a shared SID.
2) One receives an empty session ticket in the SH, and evicts the SID from cache.
3) The second socket receives a new session ticket, and attempts to set it in the SID.
We currently assert that the sid is `in_client_cache` at 3), but
clearly it cannot be. The outstanding reference remains valid
despite the eviction.
This also solves a related assertion failure after
https://hg.mozilla.org/mozilla-central/rev/c5a8b641d905 where the
same scenario occurs, but instead of being `in_client_cache` or
evicted, the SID is `in_external_cache`.
[a68de0859582]
2020-04-16 Robert Relyea <rrelyea@redhat.com>
* gtests/common/testvectors/kwp-vectors.h,
gtests/pk11_gtest/manifest.mn,
gtests/pk11_gtest/pk11_aeskeywrapkwp_unittest.cc,
gtests/pk11_gtest/pk11_gtest.gyp, lib/freebl/aeskeywrap.c,
lib/freebl/blapi.h, lib/freebl/blapit.h, lib/freebl/hmacct.c,
lib/freebl/ldvector.c, lib/freebl/loader.c, lib/freebl/loader.h,
lib/pk11wrap/pk11mech.c, lib/softoken/lowpbe.c,
lib/softoken/pkcs11.c, lib/softoken/pkcs11c.c,
lib/softoken/pkcs11i.h, lib/softoken/pkcs11u.c, lib/ssl/ssl3con.c,
lib/util/secport.h:
Bug 1630721 Softoken Functions for FIPS missing r=mt
For FIPS we need the following:
1. NIST official Key padding for AES Key Wrap.
2. Combined Hash/Sign mechanisms for DSA and ECDSA.
In the first case our AES_KEY_WRAP_PAD function adds pkcs8 padding
to the normal AES_KEY_WRAP, which is a different algorithm than the
padded key wrap specified by NIST. PKCS #11 recognized this and
created a special mechanism to handle NIST padding. That is why we
don't have industry test vectors for CKM_NSS_AES_KEY_WRAP_PAD. This
patch implements that NIST version (while maintaining our own). Also
PKCS #11 v3.0 specified PKCS #11 mechanisms for AES_KEY_WRAP which
are compatible (semantically) with the NSS vendor specific versions,
but with non-vendor specific numbers. Softoken now accepts both
numbers.
This patch also updates softoken to handle DSA and ECDSA combined
hash algorithms other than just SHA1 (which is no longer validated).
Finally this patch uses the NIST KWP test vectors in new gtests for
the AES_KEY_WRAP_KWP wrapping algorithm.
As part of the AES_KEY_WRAP_KWP code, the constant time macros have
been generalized and moved to secport. Old macros scattered
throughout the code have been deleted and existing constant time code
has been updated to use the new macros.
[3682d5ef3db5]
2020-04-21 Lauri Kasanen <cand@gmx.com>
* lib/freebl/Makefile, lib/freebl/freebl.gyp,
lib/freebl/freebl_base.gypi, lib/freebl/gcm.h, lib/freebl/ppc-
crypto.h, lib/freebl/scripts/LICENSE, lib/freebl/scripts/gen.sh,
lib/freebl/scripts/ppc-xlate.pl, lib/freebl/scripts/sha512p8-ppc.pl,
lib/freebl/sha512-p8.s, lib/freebl/sha512.c:
Bug 1613238 - POWER SHA-2 digest vector acceleration. r=jcj,kjacobs
[2d66bd9dcad4]
2020-04-18 Robert Relyea <rrelyea@redhat.com>
* coreconf/Linux.mk, coreconf/config.gypi, lib/softoken/sdb.c:
Bug 1603801 [patch] Avoid dcache pollution from sdb_measureAccess()
r=mt
As implemented, when sdb_measureAccess() runs it creates up to
10,000 negative dcache entries (cached nonexistent filenames).
There is no advantage to leaving these particular filenames in the
cache; they will never be searched again. Subsequent runs will run a
new test with an intentionally different set of filenames. This can
have detrimental effects on some systems; a massive negative dcache
can lead to memory or performance problems.
Since not all platforms have a problem with negative dcache entries,
this patch is limited to those platforms that request it at
compile time (Linux is currently the only platform that does.)
[928721f70164]
2020-04-16 Kevin Jacobs <kjacobs@mozilla.com>
* coreconf/config.gypi:
Bug 1630458 - Produce debug symbols in GYP/MSVC debug builds. r=mt
[25006e23a777]
2020-04-13 Robert Relyea <rrelyea@redhat.com>
* lib/ckfw/object.c, lib/ckfw/session.c:
Bug 1629655 ckfw needs to support temporary session objects.
r=kjacobs
libckfw needs to create temporary objects whose space will be
freed after use (rather than at token shutdown). Currently only
token objects are supported and they are allocated out of a global
arena owned by the slot, so the objects only go away when the slot
is closed.
This patch sets the arena to NULL in nssCKFWObject_Create() if the
object is a session object. This tells nssCKFWObject_Create() to
create a new arena specifically for this object. That arena is
stored in localArena. When the object is destroyed, any localArena's
will be freed.
[808ec0e6fd77]
2020-04-14 Robert Relyea <rrelyea@redhat.com>
* cmd/selfserv/selfserv.c, lib/ssl/sslsnce.c, tests/ssl/ssl.sh:
Bug 1629661 MPConfig calls in SSL initializes policy before NSS is
initialized. r=mt
NSS has several config functions that multiprocess servers must call
before NSS is initialized to set up shared memory caches between the
processes. These functions call ssl_init(), which initializes the
ssl policy. The ssl policy initialization, however, needs to happen
after NSS itself is initialized. Doing so beforehand causes (in the
best case) policy to be ignored by these servers, and crashes (in
the worst case).
Instead, these cache functions should just initialize those things
they need (that is, the NSPR ssl error codes).
This patch does:
1) fixes the cache init code to only initialize error codes.
2) fixes the selfserv MP code to a) be compatible with ssl.sh's
selfserv management (at least on Unix), and b) mimic the way real
servers handle the MP_Cache init code (calling NSS_Init after the
cache set up).
3) updates the ssl.sh server policy test to test policy usage on an
MP server. This is only done for non-Windows-like OS's because they
can't catch the kill signal to force their children to shutdown.
I've verified that the test fails if 2 and 3 are included but 1 is
not (and succeeds if all three are included).
[a252957a3805]
Differential Revision: https://phabricator.services.mozilla.com/D72409
Importing security.h introduced namespace collisions so I removed the `using namespace mozilla;` and replaced it with specific names.
Differential Revision: https://phabricator.services.mozilla.com/D72422
One attempt will still be used by the blank password auth attempt. This does not completely fix the problem in this case but will allow a user to continue attempting until their account is locked out now.
Differential Revision: https://phabricator.services.mozilla.com/D71811
Unfortunately, since the new ecdsa library has a different interface and slightly different inner workings compared to the old PyECC library, the changes to support this update are not trivial. Luckily the ecdsa library is extensible enough to allow us to adjust the library's functionality with function parameters rather than monkey-patching, as we were doing with the previous version of the code. All of these interface changes are in addition to the normal rote Python 3 updates. This was tested by running a build with and without this patch and ensuring there were no unexpected diffs.
Differential Revision: https://phabricator.services.mozilla.com/D70117
CHECK_FORK_GETPID was useful back when Android didn't support pthread_atfork, which it has since at least ICS (API 14 or 15), and Fennec has required API 16 for a while now.
Moreover, softoken.h also defines CHECK_FORK_PTHREAD on its own, and pkcs11.c initialization code prioritizes CHECK_FORK_PTHREAD, while the finalization code prioritizes CHECK_FORK_GETPID, such that reinitialization was never possible.
Differential Revision: https://phabricator.services.mozilla.com/D67940
When sending a client certificate to a server in a TLS handshake, one of the
certificates in the chain should be issued by one of the issuers indicated in
the server's certificate_authorities list in the certificate request message.
The client auth data callback doesn't provide a way to specify this chain
directly - NSS builds it itself. This means that certificates known to gecko
but not NSS won't be included in the chain. This patch stashes the necessary
certificates temporarily so that NSS can find them and send them to the server.
Differential Revision: https://phabricator.services.mozilla.com/D71368