mozilla-central has some imported files of build_config.h from Chromium.
Actually, although they don't have riscv64 defines yet, I would like to
add it to build Firefox for riscv64.
Differential Revision: https://phabricator.services.mozilla.com/D119051
Currently we return an error when creating a WebGL context in headless
mode, but our WebGL implementation renders to an offscreen context, so
in theory it could work normally in a headless browser, and in practice
it already does work on some OSes. This patch removes that check; the
attempt to use GL may fail, in which case we'll return an error to
content.
The main purpose of this patch is to run content processes with headless
mode set in an otherwise non-headless browser, but it should also be
useful for fully headless mode. Comments in bug NNNNNNN indicate that
this change should be sufficient for headless WebGL on Windows and MacOS,
although it may not have been extensively tested.
Linux is more complicated. The EGL/X11 backend manages its own
connection to the X server (indirectly via the EGL library); a later
patch in this series allows doing that in GLX mode as well. Our Wayland
support can't do this yet, but it should be possible.
This patch also modifies the Linux sandbox policy so that content
processes can connect to a local X server (via the file broker) even when
the parent process is in headless mode.
Differential Revision: https://phabricator.services.mozilla.com/D118721
Bug 1215723 introduced a mechanism whereby DataStorage data would be propagated
to content processes to avoid the IPC calls involved in querying if hosts were
HSTS. With a low number of content processes, this was a reasonable approach.
However, with Fission and the proliferation of content processes, propagating
changes in DataStorage data to every content process wakes up unrelated
processes and is inefficient. This patch restores the behavior that
nsISiteSecurityService and DataStorage are not available to content processes.
Additionally, bug 1626076 made it possible to use DataStorage directly from the
socket process. However, as of bug 1650356, this is no longer necessary, so
this patch removes that behavior as well.
Differential Revision: https://phabricator.services.mozilla.com/D118207
Set the 'security.pki.use_modern_crypto_with_pkcs12' preference to true if the user wants to back up
their own certificates to a file using AES-128-CBC (for the password) and AES_256_CBC (for the certificate) algorithms.
Differential Revision: https://phabricator.services.mozilla.com/D116638
This extends on the changes in part 12a and consumes the new PortRef-based API
in all existing process types other than the fork server. The IPDL C++ unit
tests were already broken before this change, and were not updated.
Differential Revision: https://phabricator.services.mozilla.com/D112777
Otherwise the build fails on OpenBSD:
In file included from security/sandbox/common/SandboxSettings.cpp:7:
/usr/obj/m-c/dist/include/mozilla/SandboxSettings.h:39:26: error: unknown type name 'GeckoProcessType'
bool StartOpenBSDSandbox(GeckoProcessType type);
Differential Revision: https://phabricator.services.mozilla.com/D116633
The public key pinning implementation is much less complex than the HSTS
implementation, and only needs a small subset of the parameters of the latter.
Furthermore, the information it relies on is static, and so is safe to access
from content processes. This patch separates the two implementations, thus
simplifying both of them and avoiding some unnecessary IPC calls in the
process.
Differential Revision: https://phabricator.services.mozilla.com/D117096
This patch converts the pinning preference
"security.cert_pinning.enforcement_level" to be static. It also removes some
unused pinning preferences and parameters.
Differential Revision: https://phabricator.services.mozilla.com/D117095
Previously, SetDisableAllSecurityChecksAndLetAttackersInterceptMyData would
only work as expected if another operation happened to clear the TLS session
cache (namely, changing a preference that caused nsNSSComponent to change its
TLS options and clear the TLS session cache). This patch ensures that this
function works without relying on such coincidences.
Differential Revision: https://phabricator.services.mozilla.com/D117495
nsIX509Cert.keyUsages is only used by the front-end. As of bug 1688703, the new
certificate viewer utility files can be used anywhere in the front-end to
decode certificates. Since this code is JS instead of C/C++, this is
preferable from the standpoint of reducing attack surface.
Differential Revision: https://phabricator.services.mozilla.com/D113197
2021-05-28 Benjamin Beurdouche <bbeurdouche@mozilla.com>
* lib/nss/nss.h, lib/softoken/softkver.h, lib/util/nssutil.h:
Set version numbers to 3.66 final
[46633639570c] [NSS_3_66_RTM] <NSS_3_66_BRANCH>
* .hgtags:
Added tag NSS_3_66_BETA1 for changeset ef591b9d25a3
[9904a426633e] <NSS_3_66_BRANCH>
Differential Revision: https://phabricator.services.mozilla.com/D116223
SecCertificateCopyNormalizedIssuerSequence and
SecCertificateCopyNormalizedSubjectSequence normalize DN sequences (shocking, I
know). This means that if the output from these functions is used to identify
certificates, naively comparing bytes will result in mismatches. Since
normalization is unnecessary and unwanted, we should avoid these functions in
osclientcerts.
Differential Revision: https://phabricator.services.mozilla.com/D115942
2021-05-25 Benjamin Beurdouche <bbeurdouche@mozilla.com>
* lib/ckfw/builtins/certdata.txt:
Bug 1710716 - Remove Expired Sonera Class2 CA from NSS. r=bwilson
Depends on D115882
[ef591b9d25a3] [tip]
* lib/ckfw/builtins/certdata.txt:
Bug 1710716 - Remove Expired Root Certificates from NSS - QuoVadis
Root Certification Authority. r=bwilson
Depends on D115877
[f7ff828026cd]
* lib/ckfw/builtins/certdata.txt:
Bug 1708307 - Remove Trustis FPS Root CA from NSS. r=bwilson
[4ef15c2043cf]
* lib/ckfw/builtins/certdata.txt:
Bug 1707097 - Add Certum Trusted Root CA to NSS. r=bwilson
Depends on D115890
[4f4982362348]
* lib/ckfw/builtins/certdata.txt:
Bug 1707097 - Add Certum EC-384 CA to NSS. r=bwilson
Depends on D115889
[171e74b54ca4]
* lib/ckfw/builtins/certdata.txt:
Bug 1703942 - Add ANF Secure Server Root CA to NSS. r=bwilson
Depends on D115888
[e189b4f85ce5]
* lib/ckfw/builtins/certdata.txt:
Bug 1697071 - Add GLOBALTRUST 2020 root cert to NSS. r=bwilson
[487e89fcb141]
2021-05-20 Robert Relyea <rrelyea@redhat.com>
* doc/certutil.xml, doc/html/certutil.html, doc/html/derdump.html,
doc/html/modutil.html, doc/html/pk12util.html, doc/html/pp.html,
doc/html/signver.html, doc/html/ssltap.html, doc/modutil.xml,
doc/nroff/certutil.1, doc/nroff/crlutil.1, doc/nroff/derdump.1,
doc/nroff/modutil.1, doc/nroff/pk12util.1, doc/nroff/pp.1,
doc/nroff/signtool.1, doc/nroff/signver.1, doc/nroff/ssltap.1,
doc/nroff/vfychain.1, doc/nroff/vfyserv.1, doc/pk12util.xml,
doc/signver.xml:
Bug 1712184 NSS tools manpages need to be updated to reflect that
sqlite is the default database.
This patch does 2 things:
1) update certutil.xml pk12util.xml modutil.xml and signver.xml to
reflect the fact that the sql database is the default. Many of these also
have examples of specifying sql:dirname which is now the default. I
did not replace them with dbm:dirname since we don't want to
encourage regressing back. The one exception is in the paragraph
explaining how to get to the old database format.
2) I ran make in the directory to update the .1 and .html files
generated from the .xml files. There are a number of old updates to
the .xml files which haven't been picked up in their corresponding
html or man page files. These updates are included in this patch.
It is really only necessary to review the changes to the .xml files,
the rest were reviewed when their patches were applied.
bob
[da25615e92c8]
2021-05-24 Mike Hommey <mh@glandium.org>
* lib/freebl/freebl.gyp:
Bug 1712230 - Don't build ppc-gcm.s with clang integrated assembler.
r=bbeurdouche
Like intel-gcm.s.
[2300e178c90f]
2021-05-20 Robert Relyea <rrelyea@redhat.com>
* lib/freebl/blapi.h:
Bug 1712211 Strict prototype error when trying to compile nss code
that includes blapi.h
in blapi.h, strict prototypes compiles fail on: extern
BLAKE2BContext *BLAKE2B_NewContext();
This patch fixes that problem.
[207465bda46a]
Differential Revision: https://phabricator.services.mozilla.com/D115972
- Move the decision logic for Win32k Lockdown to a common area where it can
be re-used
- Cache the Win32k Lockdown state, since the result will never change
- Add IDL to allow JavaScript to query it
- Add it to the "about:support" page
- Add an annotation to Crash Reporter after the first time it's read
Differential Revision: https://phabricator.services.mozilla.com/D114850
Win32k Lockdown requires WebRender, but WR is not currently guaranteed
on all computers. It can also fail to initialize and fall back to the
non-WR render path.
We don't want a situation where "Win32k Lockdown + No WR" occurs without
the user explicitly requesting unsupported behavior.
Differential Revision: https://phabricator.services.mozilla.com/D114849
2021-05-11 Robert Relyea <rrelyea@redhat.com>
* automation/abi-check/expected-report-libnss3.so.txt,
automation/abi-check/expected-report-libssl3.so.txt, cmd/selfserv/selfserv.c,
cmd/strsclnt/strsclnt.c, cmd/tstclnt/tstclnt.c, lib/nss/nss.def,
lib/pk11wrap/pk11cxt.c, lib/pk11wrap/pk11load.c,
lib/pk11wrap/pk11obj.c, lib/pk11wrap/pk11priv.h,
lib/pk11wrap/pk11pub.h, lib/pk11wrap/pk11slot.c,
lib/pk11wrap/secmodt.h, lib/softoken/config.mk,
lib/softoken/fips_algorithms.h, lib/softoken/fipstokn.c,
lib/softoken/pkcs11.c, lib/softoken/pkcs11c.c,
lib/softoken/pkcs11i.h, lib/softoken/pkcs11u.c,
lib/softoken/sftkmessage.c, lib/ssl/ssl3con.c, lib/ssl/sslimpl.h,
lib/ssl/sslinfo.c, lib/ssl/sslt.h, lib/util/pkcs11n.h,
tests/ssl/ssl.sh, tests/ssl/sslcov.txt:
Bug 1710773 NSS needs FIPS 180-3 FIPS indicators. r=mt
Changes from the review: The while loop was taken out of its
subshell pipe, which prevented the selfserv PID from being passed on
to the final selfserv-kill. This eventually led to a freeze on
Windows.
The last paragraph of ISO 19790:2012 section 7.2.4.2 states:
All services shall [02.24] provide an indicator when the service
utilises an approved cryptographic algorithm, security function or
process in an approved manner and those services or processes
specified in 7.4.3
This means our libraries need to grow an API or provide some
additional information via contexts or similar in order for an
application to be able to query this indicator. This can't be just a
Security Policy description because ISO 24759:2017 section 6.2.4.2
states:
TE02.24.02: The tester shall execute all services and verify that
the indicator provides an unambiguous indication of whether the
service utilizes an approved cryptographic algorithm, security
function or process in an approved manner or not.
The indicator can't be just a marker over an algorithm either,
because it needs to show different values based on whether the
algorithm parameters cause the algorithm to run in approved or non-
approved mode (ie keys outside of valid range for RSA means RSA is
being used in non-approved mode ...)
For NSS, there is a PKCS #11 design:
https://docs.google.com/document/d/1Me9YksPE7K1Suvk9Ls5PqJXPpDmpAboLsrq0z54m_tA/edit?usp=sharing
This patch implements the above design as well as: 1) NSS proper
functions to access these indicators from either the pk11wrap layer
or the ssl layer. 2) Updates to the ssl tests which will output the
value of the
Changes description by file:
cmd/selfserv/selfserv.c
Add a FIPS indicator if the connection was executed in FIPS mode on a FIPS
token.
cmd/strsclnt/strsclnt.c
Add a FIPS indicator if the connection was executed in FIPS mode on a FIPS
token.
cmd/tstclnt/tstclnt.c
Add a FIPS indicator if the connection was executed in FIPS mode on a FIPS
token.
lib/nss/nss.def
Add the new pk11 functions to access the fips indicator.
lib/pk11wrap/pk11cxt.c
Implement a function to get the FIPS indicator for the current PK11Context.
lib/pk11wrap/pk11load.c
Get the fips indicator function from the PKCS #11 module using the vendor
function interface from PKCS #11 v3.0
lib/pk11wrap/pk11obj.c
Implement a function to get the FIPS indicator for a specific PKCS #11
object.
lib/pk11wrap/pk11priv.h
Add a generalized helper function to get the FIPS indicator used by all the
other exported functions to get FIPS indicator.
lib/pk11wrap/pk11pub.h
Add function to get the FIPS indicator for the current PK11Context.
lib/pk11wrap/pk11slot.c
Implement a generalized helper function to get the FIPS indicator. Implement
a function to get the FIPS indicator for the latest single shot operation on
the slot.
lib/pk11wrap/secmodt.h
Add a new field to hold the fipsIndicator function.
lib/softoken/fips_algorithms.h
New sample header which vendors can replace with their own table. In the
default NSS case, the table in this header will be empty.
lib/softoken/fipstokn.c
Add Vendor specific interface for the FIPS indicator to the FIPS token.
lib/softoken/pkcs11.c
Add Vendor specific interface for the FIPS indicator to the non-FIPS token.
Factor out the code that maps an attribute value to a mechanism flag to its
own file so it can be used by other parts of softoken (new function is in
pkcs11u.c). Implement the function that returns the FIPS indicator. This
function fetches the indicator from either the session or the object or
both. The session indicator is in the crypto context (except the last
operation indicator, which is in the session itself). The object indicator
is in the base object.
lib/softoken/pkcs11c.c
Record the FIPS indicator in the various helper functions.
- sftk_TerminateOp is called when a crypto operation has been
finalized, so we can store that fips indicator in the lastOpWasFIPS
field.
- sftk_InitGeneric is called when a crypto operation has been
initialized, so we can make a preliminary determination if the
operation is within the FIPS policy (could later change based on
other operations). For this to work, we need the actual mechanism, so
pMechanism is now a parameter to sftk_InitGeneric.
- sftk_HKDF - HKDF when used in TLS has the unusual characteristic
that the salt could actually be a key. In this case, usually the
base key is some known public value which would not be FIPS
generated, but the security is based on whether the salt is really a
FIPS generated key. In this case we redo the calculation based on
the salt key.
lib/softoken/pkcs11i.h
- add the FIPS indicators to the various structures (crypto contexts,
sessions, objects).
- add the FIPS indicators function list
- add pMechanism to the sftkInitGeneric function.
- add the helper function to map Attribute Types to Mechanism Flags.
- add the function that will look up the current operation in the FIPS
table to determine that it is allowed by policy.
lib/softoken/pkcs11u.c
- include the new fips_algorithms.h (if NSS_FIPS_DISABLED is not on)
- handle the FIPS status for objects and session on creation and copy.
- implement the helper function to map Attribute Types to Mechanism
Flags.
- get the key length of a key. This involves getting the key type and
then using the key type to determine the appropriate attribute to
fetch. For most keys it's simply the CKA_VALUE. ECC is special, we get
the key length from the curve. Since only a subset of curves can be
FIPS Curves, we use key length to return false for other curves.
- the handle special function handles any unusual semantics for various
mechanism types. This function precodes possible mechanism semantics
we may need to check. The special handling can be selected by the
mechanism table in fips_algorithms.h
- sftk_operationIsFIPS - the actual function to determine if the
given operation is in the FIPS table.
lib/softoken/sftkmessage.c
- just need to update the sftk_InitGeneric function to pass the
mechanism.
lib/ssl/ssl3con.c
- add functions to query the underlying crypto contexts to see if the
current ssl session is running in FIPS approved mode based on the
security policy. It does so by checking the CipherSpecIsFIPS
function to verify that both the mac and the encryption algorithm
FIPS conforms to the ciphers in the security profile (using
PK11_GetFIPSStatus). We check both the cipher specs for read and
write. These underlying specs depend on the keys used in these
specs being generated with FIPS approved algorithms as well, so this
verifies the kea and kdf functions as well.
lib/ssl/sslimpl.h
- add ssl_isFIPS() so it can be used by other files here in the ssl
directory.
lib/ssl/sslinfo.c
- set the new isFIPS field in the existing sslinfo structure.
SSL_GetChannelInfo knows how to handle sslinfo structures that are
smaller than expected and larger than expected. Unknown fields will
be set to '0' (so new applications running against old versions will
always get zero for new fields). sslinfo that are smaller will only
return the subset the calling application expects (so old
applications will not get the new fields).
lib/ssl/sslt.h
- Add the new isFIPS field (must be at the end of the ChannelInfo
structure).
lib/util/pkcs11n.h
- add the new FIPS indicator defines.
tests/ssl/ssl.sh
- The main change was to turn on verbose for the coverage tests so we
can test the FIPS indicators on various cipher suites. NOTE: this
only works with either NSS_TEST_FIPS_ALGORIHTMS set, or a vendor
fips_algorithms.h, so vendors will need to do their own test
interpretation. While working in ssl.sh I fixed a number of other
issues:
- many tests that were skipped in FIPS mode were skipped not because
they didn't work in FIPS mode, but because tstclnt requires a
password when running in FIPS mode. I've now added the password if
the function is running in fips mode and removed the fips
restrictions.
- dtls had a race condition. The server side needed to come up before
the client, but couldn't end before the client ran. We already had a
sleep to guarantee the former, I added a sleep before sending the
server its data to handle the latter.
- CURVE25519 is the default ECC curve, but it's not a FIPS curve, so I
disable it in FIPS mode so we will actually get FIPS indicators when
using ECDHE.
- I added TLS 1.3 to the coverage tests.
[40edc4f4c117] [tip]
Differential Revision: https://phabricator.services.mozilla.com/D115625
This patch removes the ability for Firefox profiles to receive dynamic HSTS
preloading information via kinto/remote settings. This feature was implemented
some time ago but was never used. It is being removed to make upcoming changes
easier.
Differential Revision: https://phabricator.services.mozilla.com/D115315
This patch removes some unnecessary leftover declarations from
nsISiteSecurityService.idl that could have been removed in previous patches.
Differential Revision: https://phabricator.services.mozilla.com/D115314
Enabling osclientcerts by default may have an impact on how long it takes to
scan for client authentication certificates. This patch adds telemetry to
measure this.
Differential Revision: https://phabricator.services.mozilla.com/D115257
When doing (e.g.) `MOZ_LOG=PlatformDecoderModule:4`, ffmpeg ends up doing
`ioctl(TCGETS, ...)` via `tcgetattr`, and this crashes the RDD. We don't care
much about the result, so let's just say `ENOTTY`.
Differential Revision: https://phabricator.services.mozilla.com/D113162
As an intermediate step to allow mach commands as standalone functions, the MachCommandBase
subclass instance that currently corresponds to self has to be made available as a separate
argument (named command_context).
Differential Revision: https://phabricator.services.mozilla.com/D109650
2021-05-14 Benjamin Beurdouche <bbeurdouche@mozilla.com>
* lib/nss/nss.h, lib/softoken/softkver.h, lib/util/nssutil.h:
Set version numbers to 3.65 final
[0e785b3a4a10] [NSS_3_65_RTM] <NSS_3_65_BRANCH>
* .hgtags:
Added tag NSS_3_65_BETA1 for changeset 1bdb4713e2f0
[6f4869107d74] <NSS_3_65_BRANCH>
2021-05-11 Robert Relyea <rrelyea@redhat.com>
* gtests/pk11_gtest/pk11_hpke_unittest.cc:
fix clang format error from patch for bug 1709750
[1bdb4713e2f0] [NSS_3_65_BETA1]
* coreconf/NetBSD.mk:
Bug 1709654 Update for NetBSD configuration patch by Thomas Klausner
r=rrelyea
In the NetBSD configuration, the symbol hiding flags are not
defined. This leads to conflicts when openssl and nss are linked
into the same binary. For a longer discussion on the topic, see
https://groups.google.com/a/mozilla.org/g/dev-tech-crypto/c/Al0Pt0zhARE
Match more closely to OpenBSD.mk, and in particular, hide symbols
(MAPFILE).
- fix wrong value of CPU_ARCH on NetBSD/evbarm-earmv7f
- s/aarch64eb/aarch64/
[a7769615f285]
Differential Revision: https://phabricator.services.mozilla.com/D115135
Sometimes SSL_ForceHandshake will return SECFailure without setting an error
code. When this happens, calling GetXPCOMFromNSSError on that not-an-error-code
will fail. This patch first checks for this situation and substitutes
SEC_ERROR_LIBRARY_FAILURE if applicable.
Differential Revision: https://phabricator.services.mozilla.com/D114908
Bug 1689729 moved some certificate verification operations to the socket thread
using synchronous runnables. Unfortunately this caused a performance regression
that can't be addressed until all certificate verification operations that
involve NSS certificate resources happen on the socket thread. Until then, this
patch reverts that behavior.
Differential Revision: https://phabricator.services.mozilla.com/D115023
Before this patch, osclientcerts would look for client certificates and keys
upon initialization. However, this is unnecessary, given that most users won't
ever even be asked to use them. This patch avoids doing this work at startup,
saving some time there. Additionally, this should help avoid shutdown hangs
related to the background task that loads osclientcerts.
Differential Revision: https://phabricator.services.mozilla.com/D114655
2021-05-06 Martin Thomson <mt@lowentropy.net>
* gtests/pk11_gtest/pk11_hpke_unittest.cc:
Bug 1709750 - Disable HPKE test when fuzzing, r=bbeurdouche
[1d066793c349] [tip]
2021-05-05 Benjamin Beurdouche <bbeurdouche@mozilla.com>
* lib/freebl/ppc-gcm-wrap.c, lib/freebl/ppc-gcm.h:
Bug 1566124 - Clang format run. r=beurdouche
[cb714d62058c]
2021-05-05 mamonet <maamoun.tk@gmail.com>
* lib/freebl/Makefile, lib/freebl/freebl.gyp, lib/freebl/ppc-gcm-wrap.c,
lib/freebl/ppc-gcm.h, lib/freebl/ppc-gcm.s, lib/freebl/rijndael.c:
[1133fef2f7ce]
2021-03-17 Martin Thomson <mt@lowentropy.net>
* gtests/common/testvectors/hpke-convert.py,
gtests/common/testvectors/hpke-vectors.h, lib/pk11wrap/pk11hpke.c,
lib/pk11wrap/pk11hpke.h:
Bug 1699021 - Add AES-256-GCM to HPKE, r=bbeurdouche
[9fa53d717386]
* automation/abi-check/expected-report-libssl3.so.txt,
cmd/selfserv/selfserv.c, gtests/ssl_gtest/libssl_internals.c,
gtests/ssl_gtest/libssl_internals.h,
gtests/ssl_gtest/tls_connect.cc, gtests/ssl_gtest/tls_connect.h,
gtests/ssl_gtest/tls_ech_unittest.cc, lib/ssl/sslexp.h,
lib/ssl/sslsock.c, lib/ssl/sslt.h, lib/ssl/tls13ech.c,
lib/ssl/tls13ech.h, lib/ssl/tls13exthandle.c,
lib/ssl/tls13hashstate.c, lib/ssl/tls13hashstate.h:
Bug 1698419 - ECH -10 updates, r=bbeurdouche
The main changes here are:
* an update to HPKE -08
* a move to the single-byte configuration ID
* reordering of ECHConfig
The addition of the explicit configuration ID means that the API for
constructing ECHConfig(List) needs to change. That means a name
change, unfortunately. I took the opportunity to make further
changes to the arguments.
[fa93bd88b690]
2021-03-16 Martin Thomson <mt@lowentropy.net>
* coreconf/config.gypi, coreconf/config.mk,
gtests/common/testvectors/hpke-convert.py,
gtests/common/testvectors/hpke-vectors.h,
gtests/pk11_gtest/pk11_hpke_unittest.cc,
gtests/ssl_gtest/ssl_auth_unittest.cc,
gtests/ssl_gtest/ssl_tls13compat_unittest.cc,
gtests/ssl_gtest/tls_ech_unittest.cc, lib/pk11wrap/pk11hpke.c,
lib/pk11wrap/pk11hpke.h, lib/pk11wrap/pk11pub.h, lib/ssl/tls13ech.c:
Bug 1692930 - Update HPKE to final version, r=bbeurdouche
This adds the final HPKE version string.
This removes the draft version markers from the implementation and
stops tracking the draft version with the exported syntax.
I've added the script that I used to convert the JSON test vectors
from the specification; that should allow us to pick up new tests
relatively easily, especially if we need to add new algorithms.
This change breaks several ECH test cases. As fixing those tests is
extraordinarily fiddly, I'm going to defer making those changes
until we need to update ECH. As we can't land this code until ECH is
updated to depend on the final HPKE and until we have coordinated
with servers on when the ECH update can be deployed, it should be OK
to defer.
In short, don't land this without the matching ECH changes.
[e78141a928f4]
2021-05-04 Robert Relyea <rrelyea@redhat.com>
* automation/abi-check/expected-report-libnss3.so.txt,
cmd/lib/basicutil.h, cmd/lib/secutil.c, cmd/lib/secutil.h,
cmd/pk12util/pk12util.c, cmd/pp/pp.c, doc/pk12util.xml, doc/pp.xml,
lib/nss/nss.def, lib/pk11wrap/pk11akey.c, lib/pk11wrap/pk11pub.h,
lib/pkcs12/p12d.c, lib/pkcs12/p12e.c, lib/pkcs12/p12local.c,
lib/pkcs12/p12local.h, lib/pkcs12/p12plcy.c, lib/util/secoidt.h,
tests/tools/tools.sh:
Bug 1707130 NSS should use modern algorithms in PKCS#12 files by
default r=mt
Also fixes: Bug 452464 pk12util -o fails when -C option specifies
AES or Camellia ciphers
Related: Bug 1694689 Firefox should use modern algorithms in PKCS#12
files by default Bug 452471 pk12util -o fails when -c option
specifies pkcs12v2 PBE ciphers
The base of this fix was a simple 3 line fix in pkcs12.c,
changing the initial setting of cipher and cert cipher.
Overview for why this patch is larger than just 3 lines:
1. First issue was found in trying to change the mac hashing value.
a. While the decrypt side knew how to handle SHA2 hashes, the equivalent
code was not updated on the encrypt side. I refactored that code and
placed the common function in p12local.c. Now p12e.c and p12d.c share
common code to find the required function to produce the mac key.
b. The prf hmac was hard coded to SHA1. I changed the code to pass the
hmac matching the hashing algorithm for the mac. This required changes to
p12e.c to calculate and pass the new hmac as well and adding new
PK11_ExportEncryptedPrivateKey and PK11_ExportEncryptedPrivKey to take the
PKCS #5 v2 parameters. I also corrected an error which prevented pkcs12
encoding of ciphers other than AES.
2. Once I've made my changes, I realized we didn't have a way of testing
them. While we had code that verified that particular sets of parameters
for pkcs12 worked together and could be listed and imported, we didn't
have a way to verify what algorithms were actually generated by our tools.
a. pk12util -l doesn't list the encryption used for the certs, so I
updated pp to take a pkcs12 option. In doing so I had to update pp to
handle indefinite encoding when decoding blocks. I also factored that
decoding out in its own function so the change only needed to be placed
once. Finally I re-enabled a function which prints the output of an
EncryptedPrivate key. This function was disabled long ago when the
Encrypted Private key info was made private for NSS. It has since been
exported, so these functions could easily be enabled (archeological note:
I verified that this disabling was not a recent thing, I found I had done
it back when I still had a netscape email address;).
b. I updated tools.sh to use the new pp -t pkcs12 feature to verify that
the key encryption, cert encryption, and hash functions matched what we
expected when we exported a new key. I also updated tools.sh to handle the
new hash variable option to pk12util.
c. I discovered several tests commented out with comments that they don't
work. I enabled those tests and discovered that they can now encrypt, but
they can't decrypt because of pkcs12 policy. I updated the policy code,
but I updated it to use the new NSS system wide policy mechanism. This
enabled all the ciphers to work. There is still policy work to do. The
pk12 policy currently only prevents ciphers from use in decrypting the
certificates, not decrypting the keys and not encrypting. I left that for
future work.
3. New options for pp and pk12util were added to the man pages for these
tools.
---------------------------------------------------------------------------
With that in mind, here's a file by file description of the patch:
automation/abi-check/expected-report-libnss3.so.txt
-Add new exported functions. (see lib/nss/nss.def)
cmd/lib/basicutil.h:
-Removed the HAVE_EPV_TEMPLATE ifdefs (NSS has exported the Encrypted
Private Key data structure for a while now).
cmd/lib/secutil.c:
-global: Updated several functions to take a const char * m (message)
rather than a char * m
-global: Made the various PrintPKCS7 return an error code.
-global: Added a state variable to be passed around the various PKCS7
Print functions. It gives the proper context to interpret PKCS7 Data
Content. PKCS 12 used PKCS7 to package the various PKCS12 Safes and
Bags.
-Updated SECU_StripTagAndLength to handle indefinite encoding, and to
set the Error code.
-Added SECU_ExtractDERAndStep to grab the next DER Tag, Length, and
Data.
-Updated secu_PrintRawStringQuotesOptional to remove the inline DER
parsing and use SECU_ExtractDERAndStep().
-Updated SECU_PrintEncodedObjectID to return the SECOidTag just like
SECU_PrintObjectID.
-Re-enable SECU_PrintPrivateKey
-Added secu_PrintPKCS12Attributes to print out the Attributes tied to
a PKCS #12 Bag
-Added secu_PrintPKCS12Bag to print out a PKCS #12 Bag
-Added secu_PrintPKCS7Data, which uses the state to determine what it
was printing out.
-Added secu_PrintDERPKCS7ContentInfo which is identical to the global
function SECU_PrintPKCS7ContentInfo except it takes a state
variable. The latter function now calls the former.
-Added secu_PrintPKCS12DigestInfo to print the Hash information of
the Mac. DigestInfo is the name in the PKCS 12 spec.
-Added secu_PrintPKCS12MacData to print the Mac portion of the PKCS
12 file.
-Added SECU_PrintPKCS12 to print out the pkcs12 file.
cmd/lib/secutil.h
-Added string for pkcs12 for the command line of pp
-Re-enabled SECU_PrintPrivateKey
-Added SECU_PrintPKCS12 for export.
cmd/pk12util/pk12util.c
-Added the -M option to specify a hash algorithm for the mac. Updated
P12U_ExportPKCS12Object: pass the hash algorithm to the
PasswordIntegrity handler.
-Added PKCS12U_FindTagFromString: generalized string to SECOidTag
which only filters based on the oid having a matching PKCS #11
mechanism. Updated PKCS12U_MapCipherFromString to use
PKCS12U_FindTagFromString to get the candidate tag before doing its
post processing to decide if the tag is really an encryption
algorithm.
-Added PKCS12U_MapHashFromString which is like MapCipherFromString
except it verifies the resulting tag is a hash object.
-Updated main to 1) change the default cipher, 2) change the default
certCipher, and 3) process the new hash argument. NOTE: in the old
code we did not encrypt the certs in FIPS mode. That's because the
certs were encrypted with RC4 in the default pkcs12 file, which wasn't
a FIPS algorithm. Since AES is, we can use it independent of whether
or not we are in FIPS mode.
cmd/pp/pp.c
-Added the pkcs12 option which calls SECU_PrintPKCS12 from secutil.c
lib/nss/nss.def
-Add exports to the new PK11_ExportEncryptedPrivKeyInfoV2 and
PK11_ExportEncryptedPrivateKeyInfoV2 (V2 means PKCS 5 v2, not
Version 2 of ExportEncrypted*Info).
-Add export for the old HASH_GetHMACOidTagByHashOidTag which should
have been exported long ago to avoid the proliferation of copies of
this function in places like ssl.
lib/pk11wrap/pk11akey.c
-Add PK11_ExportEncryptedPrivKeyInfoV2 (which the old function now
calls), which takes the 3 PKCS 5 v2 parameters. The underlying pkcs5
code can fill in missing tags if necessary, but supplying all three
gives the caller full control of the underlying pkcs5 PBE used.
-Add PK11_ExportEncryptedPrivateKeyInfoV2, same as the above function
except it takes a cert which is used to look up the private key.
It's the function that pkcs12 actually uses, but the former was
exported for completeness.
lib/pk11wrap/pk11pub.h
-Added the new PK11_ExportEncryptedPriv*KeyInfoV2 functions.
lib/pkcs12/p12d.c
-Remove the switch statement and place it in p12local.c so that
p12e.c can use the same function.
lib/pkcs12/p12e.c
-Remove the unnecessary privAlg check so we can encode any mechanism
we support. This only prevented encoding certificates in the pk12
file, not the keys.
-add code to get the hmac used in the pbe prf from the integrity
hash, which is under application control.
-Do the same for key encryption, then use the new
PK11_ExportEncryptedPrivateKeyInfo to pass that hash value.
-Use the new sec_pkcs12_algtag_to_keygen_mech so there is only one
switch statement to update rather than 2.
-Update the hash data to hold the length of the largest hash rather
than the length of a SHA1 hash.
lib/pkcs12/p12local.c
- Add new function sec_pkcs12_algtag_to_keygen_mech to factor out
the common switch statement between p12e and p12d.
lib/pkcs12/p12local.h
-Export the new sec_pkcs12_algtag_to_keygen_mech
lib/pkcs12/p12plcy.c
-Map the old p12 policy functions to use the new
NSS_GetAlgorithmPolicy. We keep the old table so that applications
can change the policy with the old PKCS12 specific defines (so the
old code keeps working). NOTE: policies now default to true rather
than false.
lib/util/secoidt.h
-Add new NSS_USE_ALG_IN_PKCS12 used by p12plcy.c. NOTE: I have not
updated the policy table in pk11wrap/pk11pars.c, so we can't yet
control pkcs12 policy with the nss system policy table. That's a
patch for another time.
tests/tools/tools.sh
-global: Remove trailing spaces
-global: DEFAULT is changed to 'default'
-Update the PBE mechanism to exactly match the string in secoid.c.
PKCS #12 does case independent compares, so case doesn't matter
there, but now I'm comparing to the output of pp, and I didn't want
to spend the time to figure out case independent compares in bash.
-Add our defaults and shell variables at the top so they are easy to
change in the future. export_with_*** have all been collapsed into a
single export_p12_file which handles taking 'default' and turning
off that argument.
-Add for loops for the hash functions.
-Restore the camellia ciphers back now that they work.
-Restore the pkcs12V2pbe back now that they work.
-Collect various pbe types into single variables and use those
variables in loops
-Reduce the number of tests run in optimized mode (which takes 60x
the time to do a pbe than debug mode, based on a larger
iterator).
-Add verify_p12 which dumps out the p12 file and makes sure the
expected CERT_ENCRYPTION, KEY_ENCRYPTION, and HASH are used.
doc/pp.xml
-Add pkcs12 option
doc/pk12util.xml
-Add -M option
-Update synopsis with options in the description but not in the
synopsis
[0a1687e1b39e]
Differential Revision: https://phabricator.services.mozilla.com/D114584
This `madvise` type is used by one Linux distro's libc, and in
principle could be used by other userspace libraries trying to optimize
performance, and I'd rather not allow it (see bug for more details).
Therefore, this patch returns an error instead of treating it as an
unknown syscall (which crashes on Nightly).
However, the content policy doesn't yet filter `madvise` (bug 1510861);
this patch doesn't change that.
Differential Revision: https://phabricator.services.mozilla.com/D112884
Not all in-tree Rust libraries were using workspace-hack.
Additionally, some needed winapi features were missing from
workspace-hack's configuration.
Now, winapi is re-compiled less frequently on a full build.
Differential Revision: https://phabricator.services.mozilla.com/D113564
Win32k is required for moz-icon in the file content process and we don't want to
block enabling for web content processes on this and other uses that may only be
in the file content process.
Differential Revision: https://phabricator.services.mozilla.com/D112960
In bug 1174288 and related bugs we created a framework for generating
test certificates (and later, keys) from specifications at build time. This
turned out to take too long to run on each build, so this system was largely
left disabled (see all of the "# Temporarily disabled. See bug 1256495."
comments removed in this patch). This patch introduces a mach command
("generate-test-certs") that can generate test certificates and keys. The
expectation is that when a developer needs to add new such artifacts, they can
use this new command. Similarly, when the artifacts need to be updated (for
example, because they've expired), this command can regenerate them all at
once.
Differential Revision: https://phabricator.services.mozilla.com/D108869
Previously, the macOS backend of osclientcerts used
kSecKeyAlgorithmRSASignatureDigestPKCS1v15Raw for RSA PKCS#1v1.5 signing, which
relies on the underlying implementation backing the signing key knowing how to
handle the given data to sign. On Catalina (which uses CryptoTokenKit as
opposed to TokenD), this doesn't appear to work (or, at least, there have been
reports of incompatibilities).
This patch parses out the data to be signed to determine the hash algorithm to
use and the hash data to sign, which is similar to how the Windows backend
works.
Differential Revision: https://phabricator.services.mozilla.com/D111344
In some special cases the PK11_FindRawCertsWithSubject could return failure.
We don't want to return with failure but try the other slots before.
Differential Revision: https://phabricator.services.mozilla.com/D111261
On macOS, users can add "identity preference" items in the keychain. These
provide a mapping from email/URLs to client certificates. Identity
preferences can have wildcards and/or prefix matching for URLs, and
the macOS SecIdentityCopyPreferred API can be used to get the preferred
client cert for a URL. This patch uses this mechanism such that it
avoids prompting the user to choose a client certificate when a preferred
one has been set.
Differential Revision: https://phabricator.services.mozilla.com/D110123
Eliminates the NPAPI plugin process type from the GeckoChildProcess enum as part of NPAPI removal. In order to avoid altering enum values when updating the process list, the GECKO_PROCESS_TYPE macro has been updated to include the desired enum value. We want to resist altering the values as they need to be consistent e.g. in telemetry reports.
We also remove plugins from adjacent spots that need to maintain consistency with GeckoChildProcess -- most notably the nsICrashService.
Differential Revision: https://phabricator.services.mozilla.com/D108689
Removes Windows NPAPI process sandboxing code, including the code to establish a viable temp directory that was accessible by the sandboxed process.
Differential Revision: https://phabricator.services.mozilla.com/D108688
Eliminates the NPAPI plugin process type from the GeckoChildProcess enum as part of NPAPI removal. In order to avoid altering enum values when updating the process list, the GECKO_PROCESS_TYPE macro has been updated to include the desired enum value. We want to resist altering the values as they need to be consistent e.g. in telemetry reports.
We also remove plugins from adjacent spots that need to maintain consistency with GeckoChildProcess -- most notably the nsICrashService.
Differential Revision: https://phabricator.services.mozilla.com/D108689
Removes Windows NPAPI process sandboxing code, including the code to establish a viable temp directory that was accessible by the sandboxed process.
Differential Revision: https://phabricator.services.mozilla.com/D108688
- Add missing include directives and forward declarations.
- Remove some extra include directives.
- Add missing namespace qualifications.
- Move include directives out of namespace in toolkit/xre/GlobalSemaphore.h
Differential Revision: https://phabricator.services.mozilla.com/D98894
The function to detect whether the kernel has separate syscalls for
socket operations (rather than only `socketcall`) had a comment that
it's called only once, which is no longer true. So, this seems like a
good time to add a cache (but not on newer archs like `x86_64` where the
answer is constant).
This patch also removes the ifdefs on `__NR_socket`, because all archs
have it now, and our local headers will define it even if the build
host's headers don't.
Differential Revision: https://phabricator.services.mozilla.com/D105853
When setting up calls to `sendmsg` for IPC on Unix systems, we generate
`iovec`s for the entire message or until the `IOV_MAX` limit is reached,
whichever comes first. However, messages can be very large (up to 256
MiB currently), while the OS socket buffer is relatively small (8KiB on
macOS and FreeBSD, ~200KiB on Linux).
This patch detects the socket buffer size with the `SO_SNDBUF` socket
option and cuts off the `iovec` array after it's reached; it also adjusts
the Linux sandbox policy to allow reading that value in all processes.
On my test machines this increases throughput on large messages by about
2.5x on macOS (from ~0.3 to ~0.7 GB/s), but on Linux the improvement is
only about 5% (most of the running time is spent elsewhere).
Differential Revision: https://phabricator.services.mozilla.com/D105852
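The SO_SNDBUF-bounded iovec construction the entry above describes, as an added example rather than Mozilla's IPC code: query the socket's send buffer size, stop filling the iovec array once the bytes it covers reach that size (or IOV_MAX entries, the old limit), and drain the array with sendmsg while coping with partial writes. Function names, the constructed message chunks and the AF_UNIX socketpair self-check are this example's own.

```c
#include <errno.h>
#include <limits.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/uio.h>
#include <unistd.h>
#ifndef IOV_MAX
#define IOV_MAX 1024 /* glibc only exposes IOV_MAX under _XOPEN_SOURCE */
#endif
/* Query the socket's send buffer size (SO_SNDBUF); 0 means "unknown, no cutoff". */
size_t socket_send_buffer_size(int fd)
{
    int sndbuf = 0;
    socklen_t optlen = sizeof(sndbuf);
    if (getsockopt(fd, SOL_SOCKET, SO_SNDBUF, &sndbuf, &optlen) != 0 || sndbuf <= 0)
        return 0;
    return (size_t)sndbuf;
}

/* Copy message chunks into `iov` (room for nchunks entries), stopping at IOV_MAX
 * entries or as soon as the bytes covered reach `budget`, whichever comes first;
 * the chunk that crosses the budget is still included. Returns the entries
 * filled; *bytes_out receives the bytes they cover. */
size_t build_iovecs(const struct iovec *chunks, size_t nchunks, size_t budget,
                    struct iovec *iov, size_t *bytes_out)
{
    size_t n = 0, total = 0;
    while (n < nchunks && n < IOV_MAX) {
        iov[n] = chunks[n];
        total += chunks[n].iov_len;
        n++;
        if (budget != 0 && total >= budget) break;
    }
    *bytes_out = total;
    return n;
}

/* Write every byte of iov[0..n) with sendmsg, advancing past the bytes the
 * kernel accepted on a partial write. Returns 0 on success, -1 on error. */
int send_all(int fd, struct iovec *iov, size_t n)
{
    while (n > 0) {
        struct msghdr msg;
        memset(&msg, 0, sizeof(msg));
        msg.msg_iov = iov;
        msg.msg_iovlen = n;
        ssize_t sent = sendmsg(fd, &msg, 0);
        if (sent < 0) {
            if (errno == EINTR) continue;
            return -1;
        }
        /* Drop fully-sent entries from the front, then trim a partial one. */
        while (n > 0 && (size_t)sent >= iov[0].iov_len) {
            sent -= (ssize_t)iov[0].iov_len;
            iov++;
            n--;
        }
        if (n > 0) {
            iov[0].iov_base = (char *)iov[0].iov_base + sent;
            iov[0].iov_len -= (size_t)sent;
        }
    }
    return 0;
}

/* Constructed check of the cutoff rule: `nchunks` (<= 64) chunks of `chunk_len`
 * bytes, all aliasing one scratch buffer, against `budget`; returns entries built. */
size_t demo_cutoff(size_t nchunks, size_t chunk_len, size_t budget)
{
    static char scratch[4096];
    struct iovec chunks[64], iov[64];
    size_t bytes = 0;
    if (nchunks > 64 || chunk_len > sizeof(scratch)) return 0;
    for (size_t i = 0; i < nchunks; i++) {
        chunks[i].iov_base = scratch;
        chunks[i].iov_len = chunk_len;
    }
    return build_iovecs(chunks, nchunks, budget, iov, &bytes);
}

/* End-to-end check over a socketpair: send a constructed three-chunk message with
 * the SO_SNDBUF-bounded iovec array and read it back; bytes received, or -1. */
long demo_roundtrip(void)
{
    static char a[] = "hello ", b[] = "sandboxed ", c[] = "world";
    const struct iovec chunks[3] = { { a, 6 }, { b, 10 }, { c, 5 } };
    struct iovec iov[3];
    char buf[64];
    size_t bytes = 0;
    ssize_t r = -1;
    int fds[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, fds) != 0) return -1;
    if (build_iovecs(chunks, 3, socket_send_buffer_size(fds[0]), iov, &bytes) == 3 &&
        send_all(fds[0], iov, 3) == 0)
        r = read(fds[1], buf, sizeof(buf)); /* 21 bytes arrive in one read */
    close(fds[0]);
    close(fds[1]);
    if (r != (ssize_t)bytes || memcmp(buf, "hello sandboxed world", bytes) != 0)
        return -1;
    return (long)r;
}
```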
We're already vendoring 0.8 so no reason not to do this. We're still
held back by an ancient tokio version, which I filed bug 1697845 for.
There are no breaking changes that affect any of our internal consumers.
Differential Revision: https://phabricator.services.mozilla.com/D108046
Using `dlsym` for `gdk_wayland_display_get_type` is a cleaner solution
to bug 1696319, allowing running with a GTK that lacks the Wayland
backend.
Also adds a symmetric implementation for `gdk_x11_display_get_type`,
which should help running without X11.
Differential Revision: https://phabricator.services.mozilla.com/D107406
Because Widevine may probe madvise using advice arguments we do not currently
support, including invalid arguments, this patch changes the handling of these
args so we will not crash in nightly.
Differential Revision: https://phabricator.services.mozilla.com/D106537
Firefox sometimes caches intermediate certificates from verified connections in
case they are useful in the future. This operation involves modifying the NSS
cert database, and so should only be done on the socket thread (ideally when it
is idle).
Differential Revision: https://phabricator.services.mozilla.com/D106230
Note that this patch only transforms the use of the nsDataHashtable type alias
to a directly equivalent use of nsTHashMap. It does not change the specification
of the hash key type to make use of the key class deduction that nsTHashMap
allows for in some cases. That can be done in a separate step, but requires more
attention.
Differential Revision: https://phabricator.services.mozilla.com/D106008
Using `dlsym` for `gdk_wayland_display_get_type` is a cleaner solution
to bug 1696319, allowing running with a GTK that lacks the Wayland
backend.
Also adds a symmetric implementation for `gdk_x11_display_get_type`,
which should help running without X11.
Differential Revision: https://phabricator.services.mozilla.com/D107406
Otherwise the OCSP channel that tries to check the certificate for the DoH
server will also try to use TRR leading to DNS failures.
Differential Revision: https://phabricator.services.mozilla.com/D106884
This makes the naming more consistent with other functions called
Insert and/or Update. Also, it removes the ambiguity whether
Put expects that an entry already exists or not, in particular because
it differed from nsTHashtable::PutEntry in that regard.
Differential Revision: https://phabricator.services.mozilla.com/D105473
When osclientcerts obtains or uses an OS handle on a private key, the
underlying implementation may display some sort of authentication or pin
prompt. In some cases, caching this handle rather than obtaining it multiple
times can prevent multiple prompts. So, this is what this patch does.
Differential Revision: https://phabricator.services.mozilla.com/D106222
2021-02-19 Benjamin Beurdouche <bbeurdouche@mozilla.com>
* lib/nss/nss.h, lib/softoken/softkver.h, lib/util/nssutil.h:
Set version numbers to 3.62 final
[a8e045a9fff6] [NSS_3_62_RTM] <NSS_3_62_BRANCH>
2021-02-15 Benjamin Beurdouche <bbeurdouche@mozilla.com>
* .hgtags:
Added tag NSS_3_62_BETA1 for changeset a5c857139b37
[145c269c82d6] <NSS_3_62_BRANCH>
Differential Revision: https://phabricator.services.mozilla.com/D105739
This is only used for CORS preflight requests. It is controlled by a pref.
Connections that serve such requests will be isolated from other anonymous connections.
Differential Revision: https://phabricator.services.mozilla.com/D96775
```
2021-02-05 Danh <congdanhqx@gmail.com>
* gtests/manifest.mn:
Bug 1688374 - Fix parallel build NSS-3.61 with make. r=kjacobs
[a5c857139b37] [NSS_3_62_BETA1]
2021-02-05 Robert Relyea <rrelyea@redhat.com>
* lib/libpkix/pkix/util/pkix_tools.c:
Bug 1682044 pkix_Build_GatherCerts() + pkix_CacheCert_Add() can
corrupt "cachedCertTable"
Patch by Andrew Cagney. Preliminary Review by Ryan Sleevi. Tested
against all.sh rrelyea. r=kjacobs
(this bug is old)
pkix_Build_GatherCerts() has two code paths for creating the list
"certsFound":
pkix_CacheCert_Lookup() this sets "certsFound" to a new list
"certsFound" and "cachedCertTable" share items but not the list
pkix_CacheCert_Add(pkix_pl_Pk11CertStore_CertQuery()) this sets
"certsFound" to a new list; and then adds the list to
"cachedCertTable" "certsFound" and "cachedCertTable" share a linked
list
Because the latter doesn't create a separate list, deleting list
elements from "certsFound" can also delete list elements from within
"cacheCertTable". And if this happens while pkix_CacheCert_Lookup()
is trying to update the same element's reference, a core dump can
result.
In detail (note that reference counts may occasionally seem off by
1, its because data is being captured before function local
variables release their reference):
pkix_Build_GatherCerts() calls pkix_pl_Pk11CertStore_CertQuery()
(via a pointer) to set "certsFound":
PKIX_CHECK(getCerts (certStore, state->certSel, state->verifyNode,
&nbioContext, &certsFound, plContext), PKIX_GETCERTSFAILED);
it then calls:
PKIX_CHECK(pkix_CacheCert_Add (certStore, certSelParams,
certsFound, plContext), PKIX_CACHECERTADDFAILED);
[dafda4eee75c]
```
Differential Revision: https://phabricator.services.mozilla.com/D105209
There are no code changes, only #include changes.
It was a fairly mechanical process: Search for all "AUTO_PROFILER_LABEL", and in each file, if only labels are used, convert "GeckoProfiler.h" into "ProfilerLabels.h" (or just add that last one where needed).
In some files, there were also some marker calls but no other profiler-related calls, in these cases "GeckoProfiler.h" was replaced with both "ProfilerLabels.h" and "ProfilerMarkers.h", which still helps in reducing the use of the all-encompassing "GeckoProfiler.h".
Differential Revision: https://phabricator.services.mozilla.com/D104588
Bug 1583610 modified the cipher suite ordering on ARM devices to prefer
ChaCha20/Poly1305 with the assumption that hardware support for AES wouldn't be
available. However, because there are ARM devices with hardware support for
AES, this patch makes this only happen when that support isn't available.
Differential Revision: https://phabricator.services.mozilla.com/D104897
Loading an accumulated set of crlite stashes can take some time. To address
this, this patch dispatches an asynchronous background task to read the
accumulated set of crlite stashes in a way that doesn't block certificate
verification. Of course, this means that the stash information won't
necessarily be available for the first few verifications. This shouldn't be a
security concern as long as the crlite filter is no more than 10 days out of
date (the maximum lifespan of an OCSP response, which is what Firefox relies on
currently in release). Note that currently crlite filters as published by
remote settings regularly end up being more than 10 days old, which will be
addressed in https://github.com/mozilla/crlite/issues/153. Note further that
crlite is currently not being enforced by default on any channel, so making
this change now is not a security concern.
Differential Revision: https://phabricator.services.mozilla.com/D104447
InitializeCipherSuite() in nsNSSComponent.cpp controls which encryption schemes
are allowed when decrypting PKCS12 files. Before this patch, the AES ciphers
were not enabled, which prevented importing PKCS12 files that used AES.
This patch fixes this and adds a test.
Differential Revision: https://phabricator.services.mozilla.com/D104567
2021-02-04 Kevin Jacobs <kjacobs@mozilla.com>
* gtests/ssl_gtest/ssl_recordsize_unittest.cc, lib/ssl/ssl3ext.c:
Bug 1690583 - Fix CH padding extension size calculation. r=mt
Bug 1654332 changed the way that NSS constructs Client Hello
messages. `ssl_CalculatePaddingExtLen` now receives a
`clientHelloLength` value that includes the 4B handshake header.
This looks okay per the inline comment (which states that only the
record header is omitted from the length), but the function actually
assumes that the handshake header is also omitted.
This patch removes the addition of the handshake header length.
Those bytes are already included in the buffered CH.
[fc3a4c142c16] [tip]
* automation/abi-check/expected-report-libnss3.so.txt:
Bug 1690421 - Adjust 3.62 ABI report formatting for new libabigail.
r=bbeurdouche
[a1ed44dba32e]
2021-02-03 Kevin Jacobs <kjacobs@mozilla.com>
* automation/taskcluster/docker-builds/Dockerfile:
Bug 1690421 - Install packaged libabigail in docker-builds image
r=bbeurdouche
[3c719b620136]
2021-01-31 Kevin Jacobs <kjacobs@mozilla.com>
* cmd/selfserv/selfserv.c, cmd/tstclnt/tstclnt.c,
lib/ssl/tls13hashstate.c, lib/ssl/tls13hashstate.h:
Bug 1689228 - Minor ECH -09 fixes for interop testing, fuzzing. r=mt
A few minor ECH -09 fixes for interop testing and fuzzing:
- selfserv now takes a PKCS8 keypair for ECH. This is more
maintainable and significantly less terrible than parsing the
ECHConfigs and cobbling one together within selfserv (e.g. we can
support other KEMs without modifying the server).
- Get rid of the newline character in tstclnt retry_configs output.
- Fuzzer fixes in tls13_HandleHrrCookie:
- We shouldn't use internal_error when PK11_HPKE_ImportContext fails.
Cookies are unprotected in fuzzer mode, so this can be expected to
occur.
- Only restore the application token when recovering hash state,
otherwise the copy could happen twice, leaking one of the
allocations.
[8bbea1902024]
2021-01-25 Kevin Jacobs <kjacobs@mozilla.com>
* lib/ssl/ssl3exthandle.c:
Bug 1674819 - Fixup a51fae403328, enum type may be signed.
r=bbeurdouche
[2004338a2080]
Differential Revision: https://phabricator.services.mozilla.com/D104258
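The off-by-four in the ClientHello padding calculation described in the Bug 1690583 entry above, as an added example and not NSS code: a model of the RFC 7685 rule that takes the buffered ClientHello length including its 4-byte handshake header, next to a variant that counts the header a second time, plus a scan showing which lengths the second variant leaves inside the 256..511-byte range. The function and macro names are this example's own.

```c
#include <stddef.h>

/* Wire-format sizes (names are this example's own). */
#define HANDSHAKE_HEADER_LEN 4 /* 1-byte HandshakeType + 3-byte length */
#define EXTENSION_OVERHEAD 4   /* 2-byte extension_type + 2-byte extension length */
#define PAD_LOW 256
#define PAD_HIGH 512

/* RFC 7685 rule: when the ClientHello handshake message, header included, would
 * be 256..511 bytes, append a padding extension that brings it to 512 bytes.
 * `buffered_ch_len` already INCLUDES the 4-byte handshake header (the convention
 * the fix settles on). Returns the size of the extension to append, 0 if none. */
size_t padding_ext_len_fixed(size_t buffered_ch_len)
{
    if (buffered_ch_len < PAD_LOW || buffered_ch_len >= PAD_HIGH)
        return 0;
    size_t ext = PAD_HIGH - buffered_ch_len;
    /* No extension can be encoded in fewer than 4 bytes, so overshoot 512 instead. */
    return ext < EXTENSION_OVERHEAD ? EXTENSION_OVERHEAD : ext;
}

/* Model of the pre-fix behaviour the entry describes: the caller's length already
 * covers the header, yet the header is added a second time before the check. */
size_t padding_ext_len_buggy(size_t buffered_ch_len)
{
    return padding_ext_len_fixed(buffered_ch_len + HANDSHAKE_HEADER_LEN);
}

/* Scan every ClientHello length in [lo, hi] (lo >= 1) and return the first one
 * that `calc` leaves inside the 256..511-byte range after padding, or 0 if none. */
size_t first_bad_length(size_t (*calc)(size_t), size_t lo, size_t hi)
{
    for (size_t len = lo; len <= hi; len++) {
        size_t final_len = len + calc(len);
        if (final_len >= PAD_LOW && final_len < PAD_HIGH)
            return len;
    }
    return 0;
}
```

Scanning lengths 1..2000 finds no failure for the fixed variant, while the double-counting variant first fails at 252 bytes: it pads messages that needed none and lands them at 508, and leaves 508..511-byte messages unpadded.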
See bug 1689728. To avoid contention on NSS resources and thread-safety issues,
this patch dispatches synchronous events to the socket thread in
NSSCertDBTrustDomain::GetCertTrust and FindIssuer to gather information from
NSS rather than using NSS directly on the cert verification threads.
Differential Revision: https://phabricator.services.mozilla.com/D103514
This patch improves the performance of DER.jsm by changing readBytes to use
slice rather than repeatedly calling readByte.
Additionally, this patch removes the validation that the input to DERDecoder
consists of an array of integers in the range [0, 255]. This check is
unnecessary for all current consumers of DER.jsm because the input comes from
atob, which only outputs values in that range. If other consumers use DER.jsm
in the future, they will have to determine whether or not they need to validate
the input themselves first.
Differential Revision: https://phabricator.services.mozilla.com/D103838
The patch for the chromium changes doesn't include the updates to
windows_version, because these are already in the release version of chromium
and so will be picked up when we next update.
Differential Revision: https://phabricator.services.mozilla.com/D103473
When we moved to python3, sign_app.py had some issues that weren't addressed.
This patch addresses those issues and regenerates the input files for
test_signed_apps.js because the issuing certificates will expire soon.
Differential Revision: https://phabricator.services.mozilla.com/D103063
2021-01-22 Kevin Jacobs <kjacobs@mozilla.com>
* automation/abi-check/previous-nss-release, lib/nss/nss.h,
lib/softoken/softkver.h, lib/util/nssutil.h:
Set version numbers to 3.62 Beta
[680ec01577b9]
2021-01-23 Kevin Jacobs <kjacobs@mozilla.com>
* tests/chains/scenarios/nameconstraints.cfg,
tests/libpkix/certs/NameConstraints.ipaca.cert,
tests/libpkix/certs/NameConstraints.ocsp1.cert:
Bug 1686134 - Renew two chains libpkix test certificates. r=rrelyea
[3ddcd845704c]
2021-01-25 Kevin Jacobs <kjacobs@mozilla.com>
* gtests/common/testvectors/hpke-vectors.h,
gtests/pk11_gtest/pk11_hpke_unittest.cc, lib/pk11wrap/pk11hpke.c,
lib/pk11wrap/pk11hpke.h, lib/pk11wrap/pk11pub.h:
Bug 1678398 - Update HPKE to draft-07. r=mt
This patch updates HPKE to draft-07. A few other minor changes are
included:
- Refactor HPKE gtests for increased parameterized testing.
- Replace memcpy calls with PORT_Memcpy
- Serialization tweaks to make way for context Export/Import (D99277).
This should not be landed without an ECH update, as fixed ECH test
vectors will otherwise fail to decrypt.
[e0bf8cadadc7]
* automation/abi-check/expected-report-libnss3.so.txt,
gtests/pk11_gtest/pk11_hpke_unittest.cc, lib/nss/nss.def,
lib/pk11wrap/pk11hpke.c, lib/pk11wrap/pk11pub.h:
Bug 1678398 - Add Export/Import functions for HPKE context. r=mt
This patch adds and exports two new HPKE functions:
`PK11_HPKE_ExportContext` and `PK11_HPKE_ImportContext`, which are
used to export a serialized HPKE context, then later reimport that
context and resume Open and Export operations. Only receiver
contexts are currently supported for export (see the rationale in
pk11pub.h).
One other change introduced here is that `PK11_HPKE_GetEncapPubKey`
now works as expected on the receiver side.
If the `wrapKey` argument is provided to the Export/Import
functions, then the symmetric keys are wrapped with AES Key Wrap
with Padding (SP800-38F, 6.3) prior to serialization.
[8bcd12ab3b34]
* automation/abi-check/expected-report-libssl3.so.txt,
gtests/ssl_gtest/libssl_internals.c,
gtests/ssl_gtest/libssl_internals.h,
gtests/ssl_gtest/ssl_extension_unittest.cc,
gtests/ssl_gtest/tls_ech_unittest.cc, lib/ssl/ssl3con.c,
lib/ssl/ssl3ext.c, lib/ssl/ssl3ext.h, lib/ssl/sslexp.h,
lib/ssl/sslimpl.h, lib/ssl/sslsecur.c, lib/ssl/sslsock.c,
lib/ssl/sslt.h, lib/ssl/tls13con.c, lib/ssl/tls13con.h,
lib/ssl/tls13ech.c, lib/ssl/tls13ech.h, lib/ssl/tls13exthandle.c,
lib/ssl/tls13exthandle.h, lib/ssl/tls13hashstate.c,
lib/ssl/tls13hashstate.h:
Bug 1681585 - Update ECH to Draft-09. r=mt
This patch updates ECH implementation to draft-09. Changes of note
are:
- Acceptance signal derivation is now based on the handshake secret.
- `config_id` hint changes from 32B to 8B, trial decryption added on
the server.
- Duplicate code in HRR cookie handling has been consolidated into
`tls13_HandleHrrCookie`.
- `ech_is_inner` extension is added, which causes a server to indicate
ECH acceptance.
- Per the above, support signaling ECH acceptance when acting as a
backend server in split-mode (i.e. when there is no other local
Encrypted Client Hello state).
[ed07a2e2a124]
2021-01-24 Kevin Jacobs <kjacobs@mozilla.com>
* cmd/selfserv/selfserv.c:
Bug 1681585 - Add ECH support to selfserv. r=mt
Usage example:
mkdir dbdir && cd dbdir
certutil -N -d .
certutil -S -s "CN=ech-public.com" -n ech-public.com -x -t "C,C,C" -m 1234 -d .
certutil -S -s "CN=ech-private-backend.com" -n ech-private-backend.com -x -t "C,C,C" -m 2345 -d .
../dist/Debug/bin/selfserv -a ech-public.com -a ech-private-backend.com -n ech-public.com -n ech-private-backend.com -p 8443 -d dbdir/ -X publicname:ech-public.com
(Copy echconfig from selfserv output and paste into the below command)
../dist/Debug/bin/tstclnt -D -p 8443 -v -A tests/ssl/sslreq.dat -h ech-private-backend.com -o -N <echconfig> -v
[92dcda94c1d4]
Differential Revision: https://phabricator.services.mozilla.com/D102982
CLOSED TREE
Backed out changeset 3c771d45563a (bug 1684040)
Backed out changeset 76e79151d53c (bug 1684040)
Backed out changeset 7a993eb7bfde (bug 1684040)
2021-01-22 Kevin Jacobs <kjacobs@mozilla.com>
* lib/nss/nss.h, lib/softoken/softkver.h, lib/util/nssutil.h:
Set version numbers to 3.61 final
[b09bdf93e079] [NSS_3_61_RTM] <NSS_3_61_BRANCH>
2021-01-19 Kevin Jacobs <kjacobs@mozilla.com>
* .hgtags:
Added tag NSS_3_61_BETA1 for changeset 68ae9b456b1b
[3c88f7111594]
Differential Revision: https://phabricator.services.mozilla.com/D102781
This patch changes nsNSSCertificate::GetDbKey to use mozilla::pkix::BackCert
instead of requiring a decoded CERTCertificate.
Differential Revision: https://phabricator.services.mozilla.com/D101836
Thunderbird does not yet have the same blocklist initialization as Firefox, so we skip calling InitDllBlocklistOOP to avoid a MOZ_RELEASE_ASSERT.
Differential Revision: https://phabricator.services.mozilla.com/D99173
Before this patch, nsIX509Cert.isSelfSigned was only used by LocalCertService
to verify that the certificate it uses is self-signed. This shouldn't have been
necessary, because the certificate isn't a trust anchor and an override has to
be added for it anyway. Additionally, the certificate in question is already
guaranteed to be self-signed because it was either just generated that way or
it was retrieved from the database (the code for which checks that it's
self-signed).
Differential Revision: https://phabricator.services.mozilla.com/D101810
This removes nsIX509Cert.subjectAltNames and reduces potential attack surface
by avoiding parsing subject alternative names in C/C++. It also reduces PSM
reliance on NSS types.
Differential Revision: https://phabricator.services.mozilla.com/D101418
This patch is to improve the way to detect an injected dependent module for
automatic DLL blocking (bug 1659438).
In the previous version, we created a list of dependent modules in the launcher
process and shared it with other processes via the shared section. However, it
was not compatible with third-party applications that tamper with the Import Table
and revert it in the injected module's DllMain (bug 1682834) because we parsed the
Import Table in the launcher process after it was reverted.
With this patch, we check the Import Table in `patched_NtMapViewOfSection`,
so we can see tampering before it's reverted. More specifically, we create
a list of dependent modules in the browser process as below.
1. The launcher process creates a section object and initializes
the kernel32.dll's functions in it.
2. The launcher process transfers a writable handle of the shared
section to the browser process.
3. In the browser process, if an injected dependent module is being
mapped by `NtMapViewOfSection`, we add its NT path to the shared
section and block it with `REDIRECT_TO_NOOP_ENTRYPOINT`.
4. The `main` function of the browser process converts the writable
handle of the shared section into a readonly handle.
5. The browser process transfers a readonly handle of the shared
section to a sandbox process.
Since automatic DLL blocking may still cause a compat issue like bug 1682304,
we activate it only in Nightly for now.
Differential Revision: https://phabricator.services.mozilla.com/D101460
CLOSED TREE
Backed out changeset f82f5070bee5 (bug 1205985)
Backed out changeset 89b03879ce7d (bug 1205985)
Backed out changeset 9ba60febbcf8 (bug 1205985)
This patch is to improve the way to detect an injected dependent module for
automatic DLL blocking (bug 1659438).
In the previous version, we created a list of dependent modules in the launcher
process and shared it with other processes via the shared section. However, it
was not compatible with third-party applications that tamper with the Import Table
and revert it in the injected module's DllMain (bug 1682834) because we parsed the
Import Table in the launcher process after it was reverted.
With this patch, we check the Import Table in `patched_NtMapViewOfSection`,
so we can see tampering before it's reverted. More specifically, we create
a list of dependent modules in the browser process as below.
1. The launcher process creates a section object and initializes
the kernel32.dll's functions in it.
2. The launcher process transfers a writable handle of the shared
section to the browser process.
3. In the browser process, if an injected dependent module is being
mapped by `NtMapViewOfSection`, we add its NT path to the shared
section and block it with `REDIRECT_TO_NOOP_ENTRYPOINT`.
4. The `main` function of the browser process converts the writable
handle of the shared section into a readonly handle.
5. The browser process transfers a readonly handle of the shared
section to a sandbox process.
Since automatic DLL blocking may still cause a compat issue like bug 1682304,
we activate it only in Nightly for now.
Differential Revision: https://phabricator.services.mozilla.com/D101460
TLS error report sending was disabled by default in bug 1579906. The server
that ingested these reports has been decommissioned as well, so this patch
removes this dead code.
Differential Revision: https://phabricator.services.mozilla.com/D99405
As of bug 1594931, Firefox does not migrate old NSS DB files to the newer
version. As a result, any old NSS DB files that exist in the profile directory
either were already migrated or will never be migrated. To avoid data loss,
this patch removes the functionality that would remove key3.db if it existed in
the profile directory.
Differential Revision: https://phabricator.services.mozilla.com/D99946
2020-12-11 Kevin Jacobs <kjacobs@mozilla.com>
* automation/abi-check/expected-report-libssl3.so.txt,
automation/abi-check/previous-nss-release, lib/nss/nss.h,
lib/softoken/softkver.h, lib/util/nssutil.h:
Set version numbers to 3.61 Beta
[f277d2674c80]
* gtests/<...>
Bug 1677207 - Update Google Test to release-1.10.0 r=bbeurdouche
./gtests/google_test/update.sh release-1.10.0 && hg remove -A && hg
add gtests/google_test/*
[89141382df45]
* gtests/<...>
Bug 1677207 - Replace references to TestCase, which is deprecated,
with TestSuite r=bbeurdouche
grep -rl --exclude-dir=google_test INSTANTIATE_TEST_CASE_P gtests |
xargs sed -i '' s/INSTANTIATE_TEST_CASE_P/INSTANTIATE_TEST_SUITE_P/g
grep -rl --exclude-dir=google_test SetUpTestCase gtests | xargs sed
-i '' s/SetUpTestCase/SetUpTestSuite/g
[e15b78be87fa]
* gtests/ssl_gtest/ssl_ciphersuite_unittest.cc,
gtests/ssl_gtest/ssl_debug_env_unittest.cc,
gtests/ssl_gtest/ssl_extension_unittest.cc,
gtests/ssl_gtest/ssl_loopback_unittest.cc,
gtests/ssl_gtest/ssl_renegotiation_unittest.cc,
gtests/ssl_gtest/ssl_resumption_unittest.cc,
gtests/ssl_gtest/ssl_version_unittest.cc,
gtests/ssl_gtest/tls_ech_unittest.cc:
Bug 1677207 - Use GTEST_SKIP in ssl_gtests. r=bbeurdouche
[0772f1bf5fd6]
2020-12-17 Robert Relyea <rrelyea@redhat.com>
* gtests/common/testvectors/ike-aesxcbc-vectors.h,
gtests/common/testvectors/ike-sha1-vectors.h,
gtests/common/testvectors/ike-sha256-vectors.h,
gtests/common/testvectors/ike-sha384-vectors.h,
gtests/common/testvectors/ike-sha512-vectors.h,
gtests/common/testvectors_base/test-structs.h,
gtests/pk11_gtest/manifest.mn, gtests/pk11_gtest/pk11_gtest.gyp,
gtests/pk11_gtest/pk11_ike_unittest.cc, lib/softoken/sftkike.c:
Bug 1682071 IKE Quick mode IPSEC give you incorrect keys if you are
asking for keys smaller than the hash size.
IKE Appendix B fixes.
This patch fixes 2 problems.
If you run either ike v1 App B or quick mode asking for a key with
length mod macsize = 0, you will generate an extra block that's not
used and overwrites the end of the buffer.
If you use quick mode, the function incorrectly subsets the existing
key rather than generating a new key. This is correct behavior for
Appendix B, where appendix B is trying to take a generated key and
create a new longer key (with no diversification, just transform the
key into something that's longer), so if you ask for a key less than
or equal to, then you want to just subset the original key. In quick
mode you are taking a base key and creating a set of new keys based
on additional data, so you want to subset the generated data. This
patch only subsets the original key if you aren't doing quickmode.
Full test vectors have now been added for all ike modes in this
patch as well (previously we depended on the FIPS CAVS tests to test
ike, which covers basic IKEv1, IKEv1_psk, and IKEv2 but not IKEv1
App B and IKE v1 Quick mode).
[f4995c9fa185]
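The two behaviours the entry above corrects (the block count when the requested length is an exact multiple of the MAC size, and subsetting the original key only outside quick mode) are shown below in an added Python example. It is not NSS's sftkike.c code; it follows the key expansion of RFC 2409 (Appendix B and section 5.5) with HMAC-SHA256 assumed as the negotiated prf, and all inputs are constructed.

```python
import hashlib
import hmac

MAC_SIZE = hashlib.sha256().digest_size  # 32 bytes for the assumed HMAC-SHA256 prf


def _prf(key: bytes, data: bytes) -> bytes:
    """The IKE prf; HMAC-SHA256 is an assumption, real IKE uses the negotiated hash."""
    return hmac.new(key, data, hashlib.sha256).digest()


def block_count(key_len: int) -> int:
    """ceil(key_len / MAC_SIZE). A length that is an exact multiple of the MAC size yields
    exactly key_len / MAC_SIZE blocks; computing key_len // MAC_SIZE + 1 instead produces
    the unused extra block (and the buffer overrun) described in the bug."""
    return (key_len + MAC_SIZE - 1) // MAC_SIZE


def ikev1_keymat(prf_key: bytes, seed: bytes, key_len: int, quick_mode: bool) -> bytes:
    """Expand prf_key to key_len bytes.

    Appendix B (RFC 2409):     K1 = prf(K, 0),        Kn = prf(K, K(n-1))
    Quick Mode (RFC 2409 5.5): K1 = prf(SKEYID_d, seed), Kn = prf(SKEYID_d, K(n-1) | seed)
    where seed = [g(qm)^xy |] protocol | SPI | Ni_b | Nr_b and is ignored for Appendix B.
    """
    if not quick_mode and key_len <= len(prf_key):
        # Appendix B only lengthens a key: a request no longer than the key is a subset of it.
        return prf_key[:key_len]
    out = bytearray()
    prev = b""
    for i in range(block_count(key_len)):
        if quick_mode:
            # Quick mode always derives new material from the additional data.
            data = prev + seed
        else:
            data = b"\x00" if i == 0 else prev
        prev = _prf(prf_key, data)
        out += prev
    # Right-truncate the last block when key_len is not a multiple of the MAC size.
    return bytes(out[:key_len])


if __name__ == "__main__":
    # Constructed inputs, not real IKE material.
    skeyid_d = bytes(range(32))
    seed = b"\x03" + b"\x00\x00\x10\x01" + b"nonce-i" + b"nonce-r"
    print(ikev1_keymat(skeyid_d, seed, 64, quick_mode=True).hex())
```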
2020-12-18 Robert Relyea <rrelyea@redhat.com>
* gtests/common/testvectors/rsa_pkcs1_2048_test-vectors.h,
gtests/common/testvectors/rsa_pkcs1_3072_test-vectors.h,
gtests/common/testvectors/rsa_pkcs1_4096_test-vectors.h,
gtests/freebl_gtest/Makefile, gtests/freebl_gtest/manifest.mn,
gtests/freebl_gtest/rsa_unittest.cc, gtests/manifest.mn,
gtests/pk11_gtest/pk11_rsaencrypt_unittest.cc,
gtests/pk11_gtest/pk11_rsaoaep_unittest.cc, lib/freebl/alghmac.c,
lib/freebl/alghmac.h, lib/freebl/rsapkcs.c:
Bug 1651411 New tlsfuzzer code can still detect timing issues in RSA
operations.
This patch defeats Bleichenbacher by not trying to hide the size of
the decrypted text, but to hide if the text succeeded or failed.
This is done by generating a fake returned text that's based on the
key and the cipher text, so the fake data is always the same for the
same key and cipher text. Both the length and the plain text are
generated with a prf.
Here's the proposed spec the patch codes to:
1. Use SHA-256 to hash the private exponent encoded as a big-endian
integer to a string the same length as the public modulus. Keep this
value secret. (This is just an optimisation so that the implementation
doesn't have to serialise the key over and over again.)
2. Check the length of input according to step one of
https://tools.ietf.org/html/rfc8017#section-7.2.2
3. When provided with a ciphertext, use SHA-256 HMAC(key=hash_from_step1,
text=ciphertext) to generate the key derivation key.
4. Use SHA-256 HMAC with key derivation key as the key and a two-byte
big-endian iterator concatenated with byte string "length" with the
big-endian representation of 2048 (0x0800) as the bit length of the
generated string.
- Iterate this PRF 8 times to generate a 256 byte string.
5. Initialise the length of synthetic message to 0.
6. Split the PRF output into 2 byte strings, convert into big-endian
integers, zero out high-order bits so that they have the same bit
length as the octet length of the maximum acceptable message size
(k-11), select the last integer that is no larger than (k-11) or
remain at 0 if no integer is smaller than (k-11); this selection needs
to be performed using side-channel free operators.
7. Use SHA-256 HMAC with key derivation key as the key and a two-byte
big-endian iterator concatenated with byte string "message" with the
big-endian representation of k*8.
- Use this PRF to generate k bytes of output (right-truncate last HMAC
call if the number of generated bytes is not a multiple of SHA-256
output size).
8. Perform the RSA decryption as described in step 2 of section 7.2.2
of rfc8017.
9. Verify the EM message padding as described in step 3 of section
7.2.2 of rfc8017, but instead of outputting "decryption error", return
the last l bytes of the "message" PRF, where l is the selected
synthetic message length using the "length" PRF; make this decision
and copy using side-channel free operations.
[fc05574c7399]
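The synthetic-plaintext scheme spelled out in the entry above, written out as an added Python example (it is not the NSS rsapkcs.c code). The RSA private-key operation of step 8 is assumed to have been done by the caller, who passes the k-byte encoded message EM; the example covers the two PRFs, the length selection and the branch-free padding check and copy. Python offers no constant-time guarantees, so the mask arithmetic only mirrors the structure a C implementation would use. All inputs in the test are constructed.

```python
import hashlib
import hmac


def key_hash(private_exponent: int, k: int) -> bytes:
    """Step 1: SHA-256 over d serialised big-endian to the modulus length k. Keep it secret."""
    return hashlib.sha256(private_exponent.to_bytes(k, "big")).digest()


def derive_kdk(kh: bytes, ciphertext: bytes) -> bytes:
    """Step 3: key derivation key = HMAC-SHA256(key=key_hash, text=ciphertext)."""
    return hmac.new(kh, ciphertext, hashlib.sha256).digest()


def prf(kdk: bytes, label: bytes, bit_length: int, out_len: int) -> bytes:
    """Steps 4 and 7: HMAC-SHA256(kdk, counter || label || bit_length) with a two-byte
    big-endian counter, iterated until out_len bytes exist; the last block is right-truncated."""
    out = b""
    counter = 0
    while len(out) < out_len:
        block_input = counter.to_bytes(2, "big") + label + bit_length.to_bytes(2, "big")
        out += hmac.new(kdk, block_input, hashlib.sha256).digest()
        counter += 1
    return out[:out_len]


def ct_le(a: int, b: int) -> int:
    """1 if a <= b else 0, without a data-dependent branch (operands below 2**16)."""
    return ((a - b - 1) >> 16) & 1


def ct_select(flag: int, if_one: int, if_zero: int) -> int:
    """Branch-free select on a 0/1 flag."""
    return (if_one & -flag) | (if_zero & (flag - 1))


def synthetic_length(length_prf: bytes, k: int) -> int:
    """Steps 5 and 6: walk the 'length' PRF output as 2-byte big-endian integers, mask each
    to the bit length of k-11 and keep the last one that is <= k-11, staying at 0 otherwise."""
    max_len = k - 11
    mask = (1 << max_len.bit_length()) - 1
    chosen = 0
    for i in range(0, len(length_prf) - 1, 2):
        candidate = int.from_bytes(length_prf[i:i + 2], "big") & mask
        chosen = ct_select(ct_le(candidate, max_len), candidate, chosen)
    return chosen


def check_pkcs1_v15(em: bytes):
    """Step 9 padding check (RFC 8017 7.2.2 step 3) with no early exit:
    EM = 0x00 || 0x02 || PS (at least 8 non-zero bytes) || 0x00 || M.
    Returns (ok, message_length) with ok in {0, 1}; message_length is only meaningful when ok == 1."""
    k = len(em)
    header_bad = em[0] | (em[1] ^ 0x02)            # 0 only when EM starts with 00 02
    sep, found = 0, 0
    for i in range(2, k):
        is_zero = 1 - ct_le(1, em[i])              # 1 iff em[i] == 0
        sep = ct_select(is_zero & (1 - found), i, sep)   # remember the first zero only
        found |= is_zero
    ok = found & ct_le(10, sep) & (1 - ct_le(1, header_bad))  # sep >= 10 means PS >= 8 bytes
    return ok, k - sep - 1


def unpad_with_implicit_rejection(private_exponent: int, ciphertext: bytes, em: bytes) -> bytes:
    """Return M when the padding is valid, otherwise the last l bytes of the 'message' PRF,
    with l taken from the 'length' PRF. The fake output depends only on the key and the
    ciphertext, so resubmitting the same ciphertext yields the same answer."""
    k = len(em)
    kdk = derive_kdk(key_hash(private_exponent, k), ciphertext)
    l = synthetic_length(prf(kdk, b"length", 2048, 256), k)   # 8 HMAC calls -> 256 bytes
    fake = prf(kdk, b"message", k * 8, k)
    ok, msg_len = check_pkcs1_v15(em)
    out_len = ct_select(ok, msg_len, l)
    # Blend the two right-aligned k-byte buffers byte by byte, then keep the trailing out_len bytes.
    blended = bytes(ct_select(ok, em[i], fake[i]) for i in range(k))
    return blended[k - out_len:]
```

The padding check deliberately scans every byte and records the separator with masks rather than returning at the first mismatch; in C the same structure is what keeps the failure path free of an early exit that a timing oracle could observe.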
2020-12-22 Robert Relyea <rrelyea@redhat.com>
* gtests/freebl_gtest/rsa_unittest.cc,
gtests/pk11_gtest/pk11_rsaoaep_unittest.cc, lib/freebl/alghmac.c,
lib/freebl/rsapkcs.c:
Restore lost portion of the bleichenbacher timing batch that
addressed review comments. All the review comments pertained to
actual code comments, so this patch only affects the comments.
[fcebe146314e]
2020-12-22 Kevin Jacobs <kjacobs@mozilla.com>
* lib/dev/devslot.c:
Bug 1682863 - Revert nssSlot_IsTokenPresent to 3.58 after ongoing Fx
hangs with slow PKCS11 devices. r=bbeurdouche
This patch reverts the `nssSlot_IsTokenPresent` changes made in bug
1663661 and bug 1679290, restoring the version used in NSS 3.58 and
earlier. It's not an actual `hg backout` because the comment in
lib/dev/devt.h is worth keeping. While removing the nested locking
did resolve the hang for some (most?) third-party modules, problems
remain with some slower tokens after an even further relaxation of
the locking, which defeats the purpose of addressing the races in
the first place.
The crash addressed by these patches was caused by the Intermediate
Preloading Healer in Firefox, which has been disabled. We clearly
have insufficient test coverage for third-party modules, and now
that osclientcerts is enabled in Fx Nightly, any problems caused by
these and similar changes are unlikely to be reported until Fx Beta,
well after NSS RTM. I think the best option at this point is to
simply revert NSS.
[97ef009f7a78] [tip]
Differential Revision: https://phabricator.services.mozilla.com/D100401
Bug 1583109 introduced new function templates StringJoin and StringJoinAppend.
These are now used to replace several custom loops across the codebase that
implement string-joining algorithms to simplify the code.
Differential Revision: https://phabricator.services.mozilla.com/D98750