As Chrome has removed support for the HPKP (HTTP Public Key Pinning) header,
continuing to support it in Firefox is a compatibility risk. This patch adds
the preference "security.cert_pinning.hpkp.enabled" and sets it to false by
default. As such, the platform will no longer process the HPKP header nor
consult any cached HPKP information for certificate pins.
Preloaded (statically-compiled) pins are still enabled in Firefox by default.
This patch also disables dynamically setting pins via our remote security
settings infrastructure, as it uses the same backend and represents similar
compatibility risk.
Differential Revision: https://phabricator.services.mozilla.com/D52773
--HG--
extra : moz-landing-system : lando
2019-11-04 Marcus Burghardt <mburghardt@mozilla.com>
* lib/pk11wrap/pk11cert.c:
Bug 1590495 - Crash in PK11_MakeCertFromHandle->pk11_fastCert. r=jcj
Fixed controls to avoid crashes caused by slots possibly without a
token in pk11_fastCert. Also, improved arguments controls in
PK11_MakeCertFromHandle.
[dc9552c2aa77] [tip]
2019-11-01 Franziskus Kiefer <franziskuskiefer@gmail.com>
* gtests/pk11_gtest/manifest.mn,
gtests/pk11_gtest/pk11_des_unittest.cc,
gtests/pk11_gtest/pk11_gtest.gyp, lib/softoken/pkcs11c.c:
Bug 1591742 - check des iv length and add test for it, r=jcj,kjacobs
Summary: Let's make sure the DES IV has the length we expect it to
have.
Bug #: 1591742
[35857ae98190]
2019-11-01 Dana Keeler <dkeeler@mozilla.com>
* gtests/mozpkix_gtest/pkixcheck_CheckKeyUsage_tests.cpp, lib/mozpkix
/test-lib/pkixtestnss.cpp, tests/gtests/gtests.sh:
Bug 1588567 - enable mozilla::pkix gtests in NSS r=jcj
[27a29997f598]
2019-11-01 Deian Stefan <deian@cs.ucsd.edu>
* lib/softoken/pkcs11c.c:
Bug 1591315 - Update NSC_Decrypt length in constant time r=kjacobs
Update NSC_Decrypt length in constant time
[7f578a829b29]
2019-11-01 Kai Engert <kaie@kuix.de>
* automation/taskcluster/graph/src/queue.js:
Bug 1562671 - Limit Master Password KDF iterations for NSS
continuous integration tests. r=mt
[c8b490583b86]
* lib/softoken/lgglue.c, lib/softoken/sftkdb.c, lib/softoken/sftkdb.h,
lib/softoken/sftkdbti.h, lib/softoken/sftkpwd.c:
Bug 1562671 - Add environment variables to control Master Password
KDF iteration count. Disable iteration count for legacy DBM storage
by default. r=rrelyea
[ced91a705aa3]
2019-11-01 Bob Relyea <rrelyea@redhat.com>
* lib/softoken/legacydb/keydb.c, lib/softoken/lgglue.c,
lib/softoken/pkcs11.c, lib/softoken/sftkdb.c, lib/softoken/sftkdb.h,
lib/softoken/sftkdbti.h, lib/softoken/sftkpwd.c:
Bug 1562671 - Support higher iteration count for Master Password
KDF. Bob Relyea's base patch. Requires the follow-up patch. r=kaie
[6619bb43d746]
2019-10-28 Martin Thomson <mt@lowentropy.net>
* coreconf/Linux.mk, coreconf/WIN32.mk, coreconf/command.mk,
coreconf/config.gypi, coreconf/rules.mk, lib/freebl/aes-armv8.c,
lib/freebl/aes-x86.c, lib/freebl/config.mk, lib/freebl/freebl.gyp,
lib/freebl/intel-aes.h, lib/freebl/intel-gcm-wrap.c,
lib/freebl/rijndael.c, lib/freebl/rijndael.h, lib/ssl/config.mk,
lib/ssl/ssl.gyp:
Bug 1590972 - Use -std=c99 for all C code, r=jcj
This switches to using -std=c99 for compiling all C code.
Previously, we only enabled this option for lib/freebl and lib/ssl.
For Linux, this means we need to define _DEFAULT_SOURCE to access
some of the functions we use. On glibc 2.12 (our oldest supported
version), we also need to define _BSD_SOURCE to access these
functions.
The only tricky part is dealing with partial C99 implementation in
gcc 4.4. From what I've seen, the only problem is that - in that
mode - it doesn't support nesting of unnamed fields:
https://gcc.gnu.org/onlinedocs/gcc-4.4.7/gcc/Unnamed-Fields.html
This also switches from -std=c++0x to -std=c++11 as the 0x variant,
though identical in meaning, is deprecated.
[dbba7db4b79d]
2019-10-30 Giulio Benetti <giulio.benetti@benettiengineering.com>
* lib/freebl/aes-armv8.c, lib/freebl/rijndael.c:
Bug 1590676 - Fix build if arm doesn't support NEON r=kjacobs
At the moment NSS assumes that ARM supports NEON extension but this
is not true and leads to build failure on ARM without NEON
extension. Add check to assure USE_HW_AES is not defined if ARM
without NEON extension is used.
[58f2471ace3b]
2019-10-30 Martin Thomson <mt@lowentropy.net>
* gtests/ssl_gtest/tls_agent.cc:
Bug 1575411 - Disable EMS for tests, a=bustage
[6e5f69781137]
2019-10-29 J.C. Jones <jjones@mozilla.com>
* gtests/ssl_gtest/tls_esni_unittest.cc:
Bug 1590970 - Fix clang-format from
e7956ee3ba1b6d05e3175bbcd795583fde867720 r=me
[d1e43cb9f227]
2019-10-29 Giulio Benetti <giulio.benetti@benettiengineering.com>
* lib/ssl/tls13esni.c:
Bug 1590678 - Remove -Wmaybe-uninitialized warning in tls13esni.c
r=jcj
[df5e9021809a]
2019-10-29 Martin Thomson <martin.thomson@gmail.com>
* lib/ssl/ssl.h, lib/ssl/sslsock.c:
Bug 1575411 - Enable extended master secret by default,
r=jcj,kjacobs
See the bug for discussion about the implications of this.
[d1c68498610d]
2019-10-29 Martin Thomson <mt@lowentropy.net>
* gtests/ssl_gtest/tls_esni_unittest.cc, lib/ssl/sslexp.h:
Bug 1590970 - Stop using time() for ESNI tests, r=kjacobs
Summary: The ESNI tests were using time() rather than PR_Now(), so
they slipped the net when I went looking for bad time functions. Now
they do the right thing again.
What we were probably seeing in the intermittents was the case where
we set the time for most of the SSL functions to PR_Now(), and that
was just before a second rollover. Then, when time() was called, it
returned t+1 so the ESNI keys that were being generated in the ESNI
tests were given a notBefore time that was in the future relative to
the time being given to the TLS stack. Had the ESNI keys generation
been given time() - 1 for notBefore, as I have done here, this would
never have turned up.
Reviewers: kjacobs
Tags: #secure-revision
Bug #: 1590970
[e7956ee3ba1b]
Differential Revision: https://phabricator.services.mozilla.com/D51858
--HG--
extra : moz-landing-system : lando
This patch provides Delegated Credential information (authKeyBits and signature scheme) to CertVerifier such that we can enforce a policy check and disallow weak keys in the Delegated Credential.
This information is not passed from http3 - adding this will be done in a separate bug.
Differential Revision: https://phabricator.services.mozilla.com/D47181
--HG--
rename : security/manager/ssl/tests/unit/test_delegated_credentials/delegated-selfsigned.key => security/manager/ssl/tests/unit/test_delegated_credentials/delegated.key
rename : security/manager/ssl/tests/unit/test_delegated_credentials/delegated-selfsigned.key.keyspec => security/manager/ssl/tests/unit/test_delegated_credentials/delegated.key.keyspec
extra : moz-landing-system : lando
Add separate entitlement files for the browser (aka parent process) and plugin-container processes. Leave the old production and developer entitlement files in place.
Once automation has been updated to use the new process-specific entitlement files (bug 1593072), the older entitlement files can be removed.
Future work will change the process-specific entitlements to be minimized for each process type.
Update codesign.bash to
1) use the separate browser and plugin-container entitlement files
2) only sign executables with entitlements, not sign unnecessary files
3) output to a .dmg instead of a .zip file.
Differential Revision: https://phabricator.services.mozilla.com/D52117
--HG--
extra : moz-landing-system : lando
Revert bug 1570581 by removing the AppleEvent entitlement from our hardened runtime configuration for both production and development.
Now that native messaging helpers are started 'disclaimed' with a new attribution chain, the entitlement is not needed.
Differential Revision: https://phabricator.services.mozilla.com/D48029
--HG--
extra : moz-landing-system : lando
2019-11-04 Marcus Burghardt <mburghardt@mozilla.com>
* lib/pk11wrap/pk11cert.c:
Bug 1590495 - Crash in PK11_MakeCertFromHandle->pk11_fastCert. r=jcj
Fixed controls to avoid crashes caused by slots possibly without a
token in pk11_fastCert. Also, improved arguments controls in
PK11_MakeCertFromHandle.
[dc9552c2aa77] [tip]
2019-11-01 Franziskus Kiefer <franziskuskiefer@gmail.com>
* gtests/pk11_gtest/manifest.mn,
gtests/pk11_gtest/pk11_des_unittest.cc,
gtests/pk11_gtest/pk11_gtest.gyp, lib/softoken/pkcs11c.c:
Bug 1591742 - check des iv length and add test for it, r=jcj,kjacobs
Summary: Let's make sure the DES IV has the length we expect it to
have.
Bug #: 1591742
[35857ae98190]
2019-11-01 Dana Keeler <dkeeler@mozilla.com>
* gtests/mozpkix_gtest/pkixcheck_CheckKeyUsage_tests.cpp, lib/mozpkix
/test-lib/pkixtestnss.cpp, tests/gtests/gtests.sh:
Bug 1588567 - enable mozilla::pkix gtests in NSS r=jcj
[27a29997f598]
2019-11-01 Deian Stefan <deian@cs.ucsd.edu>
* lib/softoken/pkcs11c.c:
Bug 1591315 - Update NSC_Decrypt length in constant time r=kjacobs
Update NSC_Decrypt length in constant time
[7f578a829b29]
2019-11-01 Kai Engert <kaie@kuix.de>
* automation/taskcluster/graph/src/queue.js:
Bug 1562671 - Limit Master Password KDF iterations for NSS
continuous integration tests. r=mt
[c8b490583b86]
* lib/softoken/lgglue.c, lib/softoken/sftkdb.c, lib/softoken/sftkdb.h,
lib/softoken/sftkdbti.h, lib/softoken/sftkpwd.c:
Bug 1562671 - Add environment variables to control Master Password
KDF iteration count. Disable iteration count for legacy DBM storage
by default. r=rrelyea
[ced91a705aa3]
2019-11-01 Bob Relyea <rrelyea@redhat.com>
* lib/softoken/legacydb/keydb.c, lib/softoken/lgglue.c,
lib/softoken/pkcs11.c, lib/softoken/sftkdb.c, lib/softoken/sftkdb.h,
lib/softoken/sftkdbti.h, lib/softoken/sftkpwd.c:
Bug 1562671 - Support higher iteration count for Master Password
KDF. Bob Relyea's base patch. Requires the follow-up patch. r=kaie
[6619bb43d746]
2019-10-28 Martin Thomson <mt@lowentropy.net>
* coreconf/Linux.mk, coreconf/WIN32.mk, coreconf/command.mk,
coreconf/config.gypi, coreconf/rules.mk, lib/freebl/aes-armv8.c,
lib/freebl/aes-x86.c, lib/freebl/config.mk, lib/freebl/freebl.gyp,
lib/freebl/intel-aes.h, lib/freebl/intel-gcm-wrap.c,
lib/freebl/rijndael.c, lib/freebl/rijndael.h, lib/ssl/config.mk,
lib/ssl/ssl.gyp:
Bug 1590972 - Use -std=c99 for all C code, r=jcj
This switches to using -std=c99 for compiling all C code.
Previously, we only enabled this option for lib/freebl and lib/ssl.
For Linux, this means we need to define _DEFAULT_SOURCE to access
some of the functions we use. On glibc 2.12 (our oldest supported
version), we also need to define _BSD_SOURCE to access these
functions.
The only tricky part is dealing with partial C99 implementation in
gcc 4.4. From what I've seen, the only problem is that - in that
mode - it doesn't support nesting of unnamed fields:
https://gcc.gnu.org/onlinedocs/gcc-4.4.7/gcc/Unnamed-Fields.html
This also switches from -std=c++0x to -std=c++11 as the 0x variant,
though identical in meaning, is deprecated.
[dbba7db4b79d]
2019-10-30 Giulio Benetti <giulio.benetti@benettiengineering.com>
* lib/freebl/aes-armv8.c, lib/freebl/rijndael.c:
Bug 1590676 - Fix build if arm doesn't support NEON r=kjacobs
At the moment NSS assumes that ARM supports NEON extension but this
is not true and leads to build failure on ARM without NEON
extension. Add check to assure USE_HW_AES is not defined if ARM
without NEON extension is used.
[58f2471ace3b]
2019-10-30 Martin Thomson <mt@lowentropy.net>
* gtests/ssl_gtest/tls_agent.cc:
Bug 1575411 - Disable EMS for tests, a=bustage
[6e5f69781137]
2019-10-29 J.C. Jones <jjones@mozilla.com>
* gtests/ssl_gtest/tls_esni_unittest.cc:
Bug 1590970 - Fix clang-format from
e7956ee3ba1b6d05e3175bbcd795583fde867720 r=me
[d1e43cb9f227]
2019-10-29 Giulio Benetti <giulio.benetti@benettiengineering.com>
* lib/ssl/tls13esni.c:
Bug 1590678 - Remove -Wmaybe-uninitialized warning in tls13esni.c
r=jcj
[df5e9021809a]
2019-10-29 Martin Thomson <martin.thomson@gmail.com>
* lib/ssl/ssl.h, lib/ssl/sslsock.c:
Bug 1575411 - Enable extended master secret by default,
r=jcj,kjacobs
See the bug for discussion about the implications of this.
[d1c68498610d]
2019-10-29 Martin Thomson <mt@lowentropy.net>
* gtests/ssl_gtest/tls_esni_unittest.cc, lib/ssl/sslexp.h:
Bug 1590970 - Stop using time() for ESNI tests, r=kjacobs
Summary: The ESNI tests were using time() rather than PR_Now(), so
they slipped the net when I went looking for bad time functions. Now
they do the right thing again.
What we were probably seeing in the intermittents was the case where
we set the time for most of the SSL functions to PR_Now(), and that
was just before a second rollover. Then, when time() was called, it
returned t+1 so the ESNI keys that were being generated in the ESNI
tests were given a notBefore time that was in the future relative to
the time being given to the TLS stack. Had the ESNI keys generation
been given time() - 1 for notBefore, as I have done here, this would
never have turned up.
Reviewers: kjacobs
Tags: #secure-revision
Bug #: 1590970
[e7956ee3ba1b]
Differential Revision: https://phabricator.services.mozilla.com/D51858
--HG--
extra : moz-landing-system : lando
Revert bug 1570581 by removing the AppleEvent entitlement from our hardened runtime configuration for both production and development.
Now that native messaging helpers are started 'disclaimed' with a new attribution chain, the entitlement is not needed.
Differential Revision: https://phabricator.services.mozilla.com/D48029
--HG--
extra : moz-landing-system : lando
This code is compiled when `MOZ_NEW_CERT_STORAGE` is not defined, which is the
case on beta.
Differential Revision: https://phabricator.services.mozilla.com/D51559
--HG--
extra : moz-landing-system : lando
2019-10-28 Kevin Jacobs <kjacobs@mozilla.com>
* automation/abi-check/expected-report-libssl3.so.txt,
gtests/ssl_gtest/libssl_internals.c,
gtests/ssl_gtest/libssl_internals.h, gtests/ssl_gtest/tls_agent.cc,
gtests/ssl_gtest/tls_agent.h, gtests/ssl_gtest/tls_filter.h,
gtests/ssl_gtest/tls_subcerts_unittest.cc, lib/ssl/ssl3con.c,
lib/ssl/sslimpl.h, lib/ssl/sslinfo.c, lib/ssl/sslt.h,
lib/ssl/tls13con.c:
Bug 1588244 - Store TLS 1.3 peerDelegCred, authKeyBits, and scheme
in SSLPreliminaryChannelInfo. r=mt
This patch adjusts where we set `authKeyBits` (Et al.) for TLS 1.3,
such that `CertVerifier` can check the strength of a delegated
credential keypair.
The corresponding PSM changeset is in D47181.
[fcdda17cdc36] [tip]
2019-10-28 Kai Engert <kaie@kuix.de>
* coreconf/coreconf.dep:
Dummy change, trigger a build after bustage to test latest NSPR
commit
[ec2adf31fb8c]
2019-10-26 Martin Thomson <mt@lowentropy.net>
* lib/ssl/sslauth.c, lib/ssl/sslcon.c, lib/ssl/tls13esni.c:
Bug 1590970 - Use ssl_Time consistently, r=kjacobs
I missed a few places that used PR_Now() before.
[c6021063e64a]
2019-10-22 Deian Stefan <deian@cs.ucsd.edu>
* gtests/pk11_gtest/pk11_cbc_unittest.cc:
Bug 1459141 - A few more CBC padding tests. r=jcj
This patch adds more test vectors for AES-CBC and 3DES-CBC padding.
[38f1c92a5e11]
2019-10-22 Marcus Burghardt <mburghardt@mozilla.com>
* cmd/btoa/btoa.c:
Bug 1590339 - Fix MemoryLeak in btoa.c. r=kjacobs
[5feab64d2d20]
2019-10-21 Marcus Burghardt <mburghardt@mozilla.com>
* lib/ckfw/builtins/testlib/certdata-testlib.txt:
Bug 1589810 - Uninitialized variable warnings from certdata.perl.
r=mt
[3f40060ca7b3]
2019-10-19 Martin Thomson <martin.thomson@gmail.com>
* gtests/ssl_gtest/ssl_version_unittest.cc:
Bug 1573118 - Fix busted unit tests, r=jcj
These unit tests were broken by the change to TLS version defaults.
In retrospect, this shouldn't have been surprising, but now that it
I'm seeing bustage, I'm somewhat surprised that there are so few
failures.
[7e0b8364687b]
* lib/ssl/sslsock.c:
Bug 1573118 - Enable TLS 1.3 by default, r=jcj
As planned for 3.47, but now for 3.48.
[bc77cf318f38]
2019-10-18 J.C. Jones <jjones@mozilla.com>
* automation/abi-check/expected-report-libnss3.so.txt, automation/abi-
check/expected-report-libsmime3.so.txt, automation/abi-check
/expected-report-libssl3.so.txt, automation/abi-check/previous-nss-
release, lib/nss/nss.h, lib/softoken/softkver.h, lib/util/nssutil.h:
Set version numbers to 3.48 beta
[0e7dd2050d09]
* .hgtags:
Added tag NSS_3_47_RTM for changeset 7ccb4ade5577
[dcadb95b9d77] <NSS_3_47_BRANCH>
* lib/nss/nss.h, lib/softoken/softkver.h, lib/util/nssutil.h:
Set version numbers to 3.47 final
[7ccb4ade5577] [NSS_3_47_RTM] <NSS_3_47_BRANCH>
Differential Revision: https://phabricator.services.mozilla.com/D50840
--HG--
extra : moz-landing-system : lando
Add the com.apple.security.smartcard entitlement to Firefox's entitlements list.
Needed for clients of some CryptoTokenKit.framework API's, per SmartCardServices(7).
Differential Revision: https://phabricator.services.mozilla.com/D51303
--HG--
extra : moz-landing-system : lando
Lots of these callbacks have a non-`void*` final parameter, which UBSAN
complains about. This commit changes them to have a `void*` parameter.
This requires undoing the machinery added in the first two commits of bug
1473631: `TypePrefChangeFunc` and `PREF_CHANGE_METHOD`. The resulting code is
simpler (which is good) and more boilerplate-y (which is bad) but avoids the
undefined behaviour (which is good).
Differential Revision: https://phabricator.services.mozilla.com/D50901
--HG--
extra : moz-landing-system : lando
This patch converts the certList attribute of nsITransportSecurityInfo
from nsIX509CertList to Array<nsIx509Cert>
Differential Revision: https://phabricator.services.mozilla.com/D48745
--HG--
extra : moz-landing-system : lando
OS.File.writeAtomic expects either a utf-8 string or a typed array. This patch
fixes instances in pippki.js in certificate export where this was not
guaranteed to be the case. It also extends the test for this functionality to
cover more cases.
Differential Revision: https://phabricator.services.mozilla.com/D50117
--HG--
extra : moz-landing-system : lando
Bug 1267643 removed filtering of client certificates based on the
"certificate_authorities" list sent in the client certificate request from the
server in TLS handshakes because it is impossible to implement as specified
without false negatives (i.e. excluding certificates that could be usable but
don't seem to be according to the certificates the client is aware of). In
practice, however, it seems enough users rely on this behavior[0] that we
should add it back until the platform can save client certificate selections
across restarts and the "select one automatically" option is removed (see also
bug 634697).
[0] See e.g. bug 1588703, bug 1590297, bug 1590596, bug 1074195 comment 27,
and any other duplicates of this bug.
Differential Revision: https://phabricator.services.mozilla.com/D50355
--HG--
extra : moz-landing-system : lando
This change enables the version downgrade sentinel across all channels. We
don't have good telemetry on this, but Chrome reports 0.02%, which is low enough
to just make the change without additional validation on our end.
This only really affects intercepting middleboxes that forward the real server's
ServerHello.random. That's a terrible idea, and, as above, the evidence
suggests that this is now rare enough to have those boxes break connections.
The pref will remain for those cases where problems persist.
Differential Revision: https://phabricator.services.mozilla.com/D50387
--HG--
extra : moz-landing-system : lando
Dana Keeler
Victor Porof
J.C. Jones
ffxbld
Kevin Jacobs
Haik Aftandilian
Ciure Andrei
Sean Feng
Gian-Carlo Pascutto
Bob Owen
Narcis Beleuzu
Brindusan Cristian
Nicholas Nethercote
Nihanth Subramanya
Dorel Luca
Dragana Damjanovic
Andreea Pavel
Razvan Maries
Gijs Kruitbosch
Martin Thomson