gecko-dev/security
Kevin Jacobs cb86341c99 Bug 1655105 - land NSS afa38fb2f0b5 UPGRADE_NSS_RELEASE, r=jcj
2020-07-27  Jan-Marek Glogowski  <glogow@fbihome.de>

	* lib/freebl/Makefile:
	Bug 1652032 Disable all freebl assembler code for MSVC arm64
	r=rrelyea,bbeurdouche

	There are two places, where NSS tries to compile either x86_64 MSVC
	assembler or GCC aarch64 code, which will fail the build. And also
	drop the non-MSVC arch build flags for them.

	AFAI could identify, there isn't any armasm64 compatible asm code in
	the whole NSS library, so I don't even adapt AS for the build. The
	cross-build finishes this way.

	[d98bbb6168f4]

2020-07-24  Benjamin Beurdouche  <bbeurdouche@mozilla.com>

	* cmd/bltest/blapitest.c, coreconf/config.gypi, coreconf/config.mk,
	lib/freebl/alg2268.c, lib/freebl/deprecated/alg2268.c,
	lib/freebl/freebl_base.gypi, lib/freebl/ldvector.c,
	lib/freebl/loader.c, lib/freebl/loader.h, lib/freebl/manifest.mn,
	lib/softoken/lowpbe.c, lib/softoken/pkcs11c.c:
	Bug 1652729 - Add build flag to disable RC2 and relocate to
	lib/freebl/deprecated. r=kjacobs

	[e6c6f1d2d544]

2020-07-27  Robert Relyea  <rrelyea@redhat.com>

	* gtests/softoken_gtest/manifest.mn,
	gtests/softoken_gtest/softoken_dh_vectors.h,
	gtests/softoken_gtest/softoken_gtest.cc,
	gtests/softoken_gtest/softoken_gtest.gyp, lib/freebl/blapi.h,
	lib/freebl/dh.c, lib/freebl/ldvector.c, lib/freebl/loader.c,
	lib/freebl/loader.h, lib/softoken/manifest.mn,
	lib/softoken/pkcs11.c, lib/softoken/pkcs11c.c,
	lib/softoken/pkcs11i.h, lib/softoken/pkcs11u.c,
	lib/softoken/sftkdhverify.c, lib/softoken/softoken.gyp:
	Bug 1648822 Add stricter validation of DH keys when in FIPS mode.

	Update: FIPS now also requires us to do y^q mod p testing on key
	generation (always). We now do that in FIPS mode only, but in all
	modes we do full DH verification for DH and ECDH. Because of this,
	the path has now separated out the prime checks, which are now only
	done for the DH operation if we aren't using a known prime and the
	subprime value has been provided. I've also learned we can accept
	keys that we do full validation on in FIPS mode, so I've added that
	to this patch, though we still can't generate those kinds of keys
	without adding the subprime at keygen time.

	The new FIPS standard is dh operations must use approved primes.
	Approved primes are those selected in the tls and ike RFCs.
	Currently tls and ike have modes with checks whether the primes are
	approved, but the check may not always happen. The safest thing to
	do in FIPS mode is only allow those primes. In addition, FIPS
	requires 1< y < p-1 (or technically 2<=y<=p-2, since y is an integer
	those two tests are identical).

	While making changes I realized we would want a mode where we can do
	more strict checks on the prime while not requiring that the prime
	be an approved prime. We already allow for strict checking if q is
	supplied with the private key, but there were a couple of issues
	with that check:

	 1. there was no way of actually setting q in the current NSS
	pk11wrap interfaces. 2. If the prime was a safe prime, but g was an
	actual generator, then we would fail the y^q mod p = 1 tests for 50%
	of the keys, even though those keys are safe. 3. We weren't checking
	primality of p and q.

	So the old code:

	 if (q) { check y^q mod p = 1 if not fail }

	 check 1 <y < p-1 (done in DH_Derive).

	New code:

	 if (! p is approved prime) { if (FIPS) fail; if (q) { y_test = y if
	(p,q-> p is a safe prime) { y_test = 1 } check prime is prime Fail
	if not check subprime is subprime fail if not y_test^q mod p = 1 } }
	check 1 < y < p-1 (done in DH_Derive)

	This means:

	Existing code non-fips without setting the subprime continues to run
	as before. Non-fips code which sets the subprime now runs slower,
	but p and q are checked if p or q where not prime, the derive fails
	(which it should). In FIPS mode only approved primes will succeed
	now. Non-fips code can now set the subprime to q=(p-1)/2 if it
	doesn't have an explicit q value (like in tls). If the derive
	succeeds, we know that p is a safe prime. If p is approved, the
	checks are skipped because we already know that p is a safe prime.
	Code can optionally do a test derive on a new p and remember it's
	safe so that we know longer need to check ever call (though if q is
	not (p-1)/2, you will need to continue to do the checks each call
	because y could still be a small subgroup).

	This patch:

	gtests/softoken_gtest

	 1. Added New dh tests to softoken_gtests. The tests were added to
	softoken_gtests because we need to test both non-FIPS and FIPS mode.
	Test vectors include a category, so the same test vectors can be
	used in FIPS and non-FIPS even though each class may have different
	results. Most of the test vectors where created either by dhparams
	command in openssl, dsaparams in openssl, and the nss makepqg
	command. Each vector includes a label, prime, base, optional
	subprime, optional public key, test type, and key class (basically
	size). 2. If public key is not supplied, we use a generated public
	key. 3. If subPrime is supplied to wet it on the private key after
	generation.

	lib/freebl/dh.c

	 add primality tests to KEA_VerifyKey().

	lib/softokn/

	 1. Allow CKA_SUBPRIME to be set after key generation or import.
	This affects how we test for it's existance, since it is now always
	there on the key, we check it's length to make sure it's non-zero.
	2. We implement the psuedocode above as real code. 3. We create two
	new functions: sftl_VerifyDH_Prime which return SECSuccess if Prime
	is an approved prime. sftk_IsSafePrime which returns SECSuess of
	both prime and subprime look reasonable, and sets a Bool to PR_TRUE
	is subprime -> prime is safe (subprime = (prime-1)/2. These
	functions are implemented in sftkdhverify.c 4.Cleanup incorrect
	nominclature on primes (safe primes are not strong primes).
	[0be91fa2217a]

	* gtests/softoken_gtest/softoken_dh_vectors.h,
	gtests/softoken_gtest/softoken_gtest.cc:
	Fix more of the timeout issues on tests. (Drop expensive 4098 dh
	tests ).
	[4014c075a31b]

2020-07-29  Makoto Kato  <m_kato@ga2.so-net.ne.jp>

	* coreconf/config.gypi, lib/freebl/Makefile, lib/freebl/blinit.c,
	lib/freebl/freebl.gyp, lib/freebl/sha1-armv8.c,
	lib/freebl/sha_fast.c, lib/freebl/sha_fast.h:
	Bug 1650702 - Use ARM's crypt extension for SHA1. r=kjacobs

	ARM Crypto extension has SHA1 acceleration. Using this, SHA1 is 3
	times faster on ARMv8 CPU. The following data is AWS's a1 instance
	(Cortex-A72).

	Before ====== ``` # mode in opreps cxreps context op time(sec)
	thrgput sha1_e 954Mb 31M 0 0.000 10000.000 10.000 95Mb ```

	After ===== ``` # mode in opreps cxreps context op time(sec) thrgput
	sha1_e 2Gb 94M 0 0.000 10000.000 10.000 288Mb ```

	[68b6eb737689]

2020-07-29  Jan-Marek Glogowski  <glogow@fbihome.de>

	* manifest.mn:
	Bug 1653975 - Set "all" as the default Makefile target r=jcj,rrelyea

	Just reorder the rules in manifest.mn, so all is again the first
	rule. This restores pre-3.53 Makefile defaults.

	[eb52747b7000]

2020-07-31  Makoto Kato  <m_kato@ga2.so-net.ne.jp>

	* lib/freebl/blapii.h, lib/freebl/blinit.c, nss-tool/hw-support.c:
	Bug 1654142 - Add CPU feature detection for Intel SHA extension.
	r=kjacobs

	[e6b77a9c417a]

2020-08-03  Nathan Froyd  <froydnj@mozilla.com>

	* coreconf/detect_host_arch.py:
	Bug 1656986 - special-case arm64 in detect_host_arch.py; r=jcj

	This case comes up when attempting to build NSS on ARM64 Mac. If we
	don't do this, we wind up detecting arm64 as "arm", with predictably
	bad consequences.

	[afa38fb2f0b5] [tip]

Differential Revision: https://phabricator.services.mozilla.com/D85888
2020-08-04 19:54:56 +00:00
..
apps Bug 1648010 - Replace uses of NS_LITERAL_STRING/NS_LITERAL_CSTRING macros by _ns literals. r=geckoview-reviewers,jgilbert,agi,hsivonen,froydnj 2020-07-01 08:29:29 +00:00
certverifier Bug 1654835 - Remove CERTCertificate from PublicKeyPinningService.cpp r=keeler 2020-07-30 08:44:59 +00:00
ct Bug 1649312 - No derogatory language: Remove references to grandfather in comments r=njn,zbraniecki,keeler,jgraham 2020-07-01 15:23:26 +00:00
mac/hardenedruntime
manager Bug 1656992 - osclientcerts: disable AIA fetching when looking for issuer certificates (macOS) r=kjacobs 2020-08-04 18:06:14 +00:00
nss Bug 1655105 - land NSS afa38fb2f0b5 UPGRADE_NSS_RELEASE, r=jcj 2020-08-04 19:54:56 +00:00
sandbox Bug 1655655 - Some MP4 Videos Fail to Play on Big Sur r=spohl 2020-07-29 21:59:32 +00:00
.eslintrc.js Bug 1622328 - add license info to all eslintrc files r=Standard8,webcompat-reviewers,miketaylr 2020-03-19 13:47:51 +00:00
generate_certdata.py Bug 1633039 - Don't check for Python 2 in configure r=glandium 2020-05-05 16:02:02 +00:00
generate_mapfile.py
moz.build Bug 1641783 - Move MOZ_FOLD_LIBS to python configure. r=froydnj 2020-05-29 12:15:51 +00:00
nss.symbols Bug 1653029 - pass a span of bytes to RootCABinNumber instead of NSS types r=rmf,kjacobs 2020-07-16 21:17:53 +00:00