2020-04-13 Kevin Jacobs <kjacobs@mozilla.com>
* lib/pk11wrap/debug_module.c, lib/pk11wrap/pk11load.c:
Bug 1629105 - Update PKCS11 module debug logger for v3.0 r=rrelyea
Differential Revision:
https://phabricator.services.mozilla.com/D70582
[50dcc34d470d] [tip]
2020-04-07 Robert Relyea <rrelyea@redhat.com>
* lib/ckfw/builtins/testlib/Makefile:
Bug 1465613 Fix gmake issue create by the patch which adds ability
to distrust certificates issued after a certain date for a specified
root cert r=jcj
I've been trying to run down an issue I've been having, and I think
this bug is the source. Whenever I build ('gmake' build), I get the
following untracted files: ? lib/ckfw/builtins/testlib/anchor.o ?
lib/ckfw/builtins/testlib/bfind.o ?
lib/ckfw/builtins/testlib/binst.o ?
lib/ckfw/builtins/testlib/bobject.o ?
lib/ckfw/builtins/testlib/bsession.o ?
lib/ckfw/builtins/testlib/bslot.o ?
lib/ckfw/builtins/testlib/btoken.o ?
lib/ckfw/builtins/testlib/ckbiver.o ?
lib/ckfw/builtins/testlib/constants.o
This is because of the way lib/ckfw/builtins/testlib works, it uses
the sources from the directory below, and explicitly reference them
with ../{source_name}.c. The object file then becomes
lib/ckfw/builtins/testlib/{OBJDIR}/../{source_name}.o.
The simple fix would be to paper over the issue and just add these
to .hgignore, but that would break our ability to build multiple
platforms on a single source directory. I'll include a patch that
fixes this issue.
bob
Differential Revision:
https://phabricator.services.mozilla.com/D70077
[92058f185316]
2020-04-06 Robert Relyea <rrelyea@redhat.com>
* automation/abi-check/expected-report-libnss3.so.txt,
gtests/ssl_gtest/tls_hkdf_unittest.cc, lib/nss/nss.def,
lib/pk11wrap/pk11pub.h, lib/pk11wrap/pk11skey.c,
lib/ssl/sslprimitive.c, lib/ssl/tls13con.c, lib/ssl/tls13con.h,
lib/ssl/tls13hkdf.c, lib/ssl/tls13replay.c, tests/ssl/ssl.sh:
Bug 1561637 TLS 1.3 does not work in FIPS mode r=mt
Part 2 of 2
Use the official PKCS #11 HKDF mechanism to implement tls 1.3.
1) The new mechanism is a single derive mechanism, so we no longer
need to pick it based on the underlying hmac (Note, we still need to
know the underlying hmac, which is passed in as a mechanism
parameter).
2) Use the new keygen to generate CKK_HKDF keys rather than doing it
by hand with the random number generator (never was really the best
way of doing this).
3) modify tls13hkdf.c to use the new mechanisms: 1) Extract: use the
new key handle in the mechanism parameters to pass the salt when the
salt is a key handle. Extract: use the explicit NULL salt parameter
if for the hash len salt of zeros. 2) Expand: Expand is mostly a
helper function which takes a mechanism. For regular expand, the
mechanism is the normal _Derive, for the Raw version its the _Data
function. That creates a data object, which is extractable in FIPS
mode.
4) update slot handling in tls13hkdf.c: 1) we need to make sure that
the key and the salt key are in the same slot. Provide a PK11wrap
function to make that guarrentee (and use that function in
PK11_WrapKey, which already has to do the same function). 2) When
importing a 'data' key for the zero key case, make sure we import
into the salt key's slot. If there is no salt key, use
PK11_GetBestSlot() rather than PK11_GetInternal slot.
Differential Revision:
https://phabricator.services.mozilla.com/D69899
[3d2b1738e064]
2020-04-06 Kevin Jacobs <kjacobs@mozilla.com>
* gtests/common/testvectors/curve25519-vectors.h,
gtests/common/testvectors/p256ecdh-vectors.h,
gtests/common/testvectors/p384ecdh-vectors.h,
gtests/common/testvectors/p521ecdh-vectors.h,
gtests/common/testvectors/rsa_oaep_2048_sha1_mgf1sha1-vectors.h,
gtests/common/testvectors/rsa_oaep_2048_sha256_mgf1sha1-vectors.h,
gtests/common/testvectors/rsa_oaep_2048_sha256_mgf1sha256-vectors.h,
gtests/common/testvectors/rsa_oaep_2048_sha384_mgf1sha1-vectors.h,
gtests/common/testvectors/rsa_oaep_2048_sha384_mgf1sha384-vectors.h,
gtests/common/testvectors/rsa_oaep_2048_sha512_mgf1sha1-vectors.h,
gtests/common/testvectors/rsa_oaep_2048_sha512_mgf1sha512-vectors.h,
gtests/common/testvectors/rsa_pkcs1_2048_test-vectors.h,
gtests/common/testvectors/rsa_pkcs1_3072_test-vectors.h,
gtests/common/testvectors/rsa_pkcs1_4096_test-vectors.h,
gtests/common/testvectors/rsa_pss_2048_sha1_mgf1_20-vectors.h,
gtests/common/testvectors/rsa_pss_2048_sha256_mgf1_0-vectors.h,
gtests/common/testvectors/rsa_pss_2048_sha256_mgf1_32-vectors.h,
gtests/common/testvectors/rsa_pss_3072_sha256_mgf1_32-vectors.h,
gtests/common/testvectors/rsa_pss_4096_sha256_mgf1_32-vectors.h,
gtests/common/testvectors/rsa_pss_4096_sha512_mgf1_32-vectors.h,
gtests/common/testvectors/rsa_pss_misc-vectors.h,
gtests/common/testvectors/rsa_signature-vectors.h,
gtests/common/testvectors/rsa_signature_2048_sha224-vectors.h,
gtests/common/testvectors/rsa_signature_2048_sha256-vectors.h,
gtests/common/testvectors/rsa_signature_2048_sha512-vectors.h,
gtests/common/testvectors/rsa_signature_3072_sha256-vectors.h,
gtests/common/testvectors/rsa_signature_3072_sha384-vectors.h,
gtests/common/testvectors/rsa_signature_3072_sha512-vectors.h,
gtests/common/testvectors/rsa_signature_4096_sha384-vectors.h,
gtests/common/testvectors/rsa_signature_4096_sha512-vectors.h,
gtests/common/testvectors_base/rsa_signature-vectors_base.txt,
gtests/common/testvectors_base/test-structs.h,
gtests/common/wycheproof/genTestVectors.py,
gtests/pk11_gtest/manifest.mn, gtests/pk11_gtest/pk11_gtest.gyp,
gtests/pk11_gtest/pk11_rsaencrypt_unittest.cc,
gtests/pk11_gtest/pk11_rsaoaep_unittest.cc,
gtests/pk11_gtest/pk11_rsapkcs1_unittest.cc,
gtests/pk11_gtest/pk11_rsapss_unittest.cc:
Bug 1612260 - Add Wycheproof vectors for RSA PKCS1 and PSS signing,
PKCS1 and OEAP decryption. r=bbeurdouche
This patch updates the Wycheproof script to build RSA test vectors
(covering PKCS1 decryption/verification, as well as PSS and OAEP)
and adds the appropriate test drivers.
Differential Revision:
https://phabricator.services.mozilla.com/D69847
[469fd8633757]
2020-04-01 Kevin Jacobs <kjacobs@mozilla.com>
* automation/taskcluster/docker-fuzz32/Dockerfile:
Bug 1626751 - Add apt-transport-https & apt-utils to fuzz32 docker
image r=jcj
We already install these packages on the image_builder image itself.
It seems they're now required on the fuzz32 image as well.
Differential Revision:
https://phabricator.services.mozilla.com/D69274
[c7a8195e3072]
2020-04-01 Giulio Benetti <giulio.benetti@benettiengineering.com>
* lib/freebl/Makefile:
Bug 1624864 - Don't force ARMv7 for gcm-arm32-neon r=jcj
[858209235972]
* coreconf/config.gypi, coreconf/config.mk, lib/freebl/Makefile,
lib/freebl/freebl.gyp, lib/freebl/gcm.c:
Bug 1620799 - Introduce NSS_DISABLE_ARM32_NEON r=jcj
Only some Arm32 supports neon, so let's introduce
NSS_DISABLE_ARM32_NEON to allow disabling Neon acceleration when
building for Arm32.
Signed-off-by: Giulio Benetti
<giulio.benetti@benettiengineering.com>
[b47b2c35aa64]
2020-04-01 Kevin Jacobs <kjacobs@mozilla.com>
* automation/abi-check/expected-report-libnss3.so.txt, automation/abi-
check/expected-report-libsoftokn3.so.txt, automation/abi-check
/expected-report-libssl3.so.txt:
Fixup ABI checks after libabigail update and Delegated Credentials
backport. r=me
[7f50f6ca7658]
2020-03-31 hajma <tropikhajma@gmail.com>
* coreconf/SunOS5.mk:
Bug 1625133 - Fix implicit declaration of function 'getopt' on SunOS
r=jcj
[744788dd18dc]
2020-03-30 Robert Relyea <rrelyea@redhat.com>
* automation/abi-check/expected-report-libnss3.so.txt,
gtests/pk11_gtest/pk11_hkdf_unittest.cc, lib/nss/nss.def,
lib/pk11wrap/pk11mech.c, lib/pk11wrap/pk11obj.c,
lib/pk11wrap/pk11pub.h, lib/softoken/pkcs11.c,
lib/softoken/pkcs11c.c:
Bug 1561637 TLS 1.3 does not work in FIPS mode
Patch 1 of 2. This patch updates softoken and helper functions with
the new PKCS #11 v3 HKDF, which handles all the correct key
management so that we can work in FIPS mode
1) Salts can be passed in as data, as and explicit NULL (which per
spec means a zero filled buffer of length of the underlying HMAC),
or through a key handle 2) A Data object can be used as a key
(explicitly allowed for this mechanism by the spec). 3) A special
mechansism produces a data object rather than a key, the latter
which can be exported. Softoken does not do the optional validation
on the pInfo to verify that the requested values are supposed to be
data rather than keys. Some other tokens may.
The old hkdf mechanism has been retained for compatibility (well
namely until patch 2 is created, tls is still using it). The hkdf
function has been broken off into it's own function rather than
inline in the derive function.
Note: because the base key and/or the export key could really be a
data object, our explicit handling of sensitive and extractable are
adjusted to take into account that those flags do not exist in data
objects.
Differential Revision:
https://phabricator.services.mozilla.com/D68940
[e0922aac5267]
2020-03-26 Hans Petter Jansson <hpj@cl.no>
* cmd/lowhashtest/lowhashtest.c:
Bug 1622555 - Fix lowhashtest argument parsing. r=kjacobs
[f3c5ab41c972]
2020-03-26 Benjamin Beurdouche <bbeurdouche@mozilla.com>
* lib/freebl/Makefile, lib/freebl/freebl.gyp:
Bug 1624377 - Replace freebl flag -msse4 by -msse4.1 -msse4.2 which
are supported by older compilers r=kjacobs
Differential Revision:
https://phabricator.services.mozilla.com/D68407
[16ee7cb36fff]
2020-03-26 Robert Relyea <rrelyea@redhat.com>
* gtests/ssl_gtest/libssl_internals.c, lib/pk11wrap/exports.gyp,
lib/pk11wrap/manifest.mn, lib/ssl/ssl3con.c, lib/ssl/sslprimitive.c,
lib/ssl/sslspec.h, lib/ssl/tls13con.c, lib/ssl/tls13con.h,
lib/ssl/tls13esni.c, lib/ssl/tls13exthandle.c:
Bug 1623374 Need to support the new PKCS #11 Message interface for
AES GCM and ChaCha Poly r=mt
Update ssl to use the new PK11_AEADOp() interface. 1. We restore the
use of PK11Context_Create() for AEAD operations. 2. AES GCM and
CHACHA/Poly specific functions are no longer needed as PK11_AEADOp()
handles all the mechanism specific processing. 3. TLS semantic
differences between the two algorithms is handled by their
parameters: 1. Nonce length is the length of the nonce counter. If
it's zero, then XOR_Counter is used (and the nonce length is the
sizeof(sslSequenceNumber)). 2. IV length is the full IV length -
nonce length. 3. TLS 1.3 always uses XOR_Counter. 4. The IV is
returned from the token in the encrypt case. Only in the explict
nonce case is it examined. (The code depends on the fact that the
count in the token will match sslSequenceNumber). I did have assert
code to verify this was happening for testing, but it's removed from
this patch it can be added back. 5. All the decrypt instances of
XOR_Counter IV creation have been colapsed into tls13_WriteNonce().
6. Even tough PK11_AEADOp returns and accepts the tag separately
(for encrypt and decrypt respectively). The SSL code still returns
the values as buffer||tag. 7. tls13_AEAD() has been enhanced so all
uses of AEAD outside of the TLS stream can use it instead of their
own wrapped version. It can handle streams (CreateContext()
tls13_AEAD() tls13_AEAD() DestroyContext()) or single shot
tls13_AEAD(context=NULL). In the later case, the keys for the single
shot operation should not be resued. 8. libssl_internals.c in the
gtests directory has been updated to handle advancing the internal
iv counter when we artifically advance the seqNum. Since we don't
have access to any token iv counter (including softoken), The code
switches to simulated message mode, and updates the simulated state
as appropriate. (obviously this is for testing only code as it
reaches into normally private data structures).
Differential Revision:
https://phabricator.services.mozilla.com/D68480
[e7c7f305078e]
2020-03-26 Robert Relyea <rrelyea@redhat.com>
* gtests/ssl_gtest/libssl_internals.c, lib/pk11wrap/exports.gyp,
lib/pk11wrap/manifest.mn, lib/ssl/ssl3con.c, lib/ssl/sslprimitive.c,
lib/ssl/sslspec.h, lib/ssl/tls13con.c, lib/ssl/tls13con.h,
lib/ssl/tls13esni.c, lib/ssl/tls13exthandle.c:
Bug 1623374 Need to support the new PKCS #11 Message interface for
AES GCM and ChaCha Poly r=mt
Update ssl to use the new PK11_AEADOp() interface. 1. We restore the
use of PK11Context_Create() for AEAD operations. 2. AES GCM and
CHACHA/Poly specific functions are no longer needed as PK11_AEADOp()
handles all the mechanism specific processing. 3. TLS semantic
differences between the two algorithms is handled by their
parameters: 1. Nonce length is the length of the nonce counter. If
it's zero, then XOR_Counter is used (and the nonce length is the
sizeof(sslSequenceNumber)). 2. IV length is the full IV length -
nonce length. 3. TLS 1.3 always uses XOR_Counter. 4. The IV is
returned from the token in the encrypt case. Only in the explict
nonce case is it examined. (The code depends on the fact that the
count in the token will match sslSequenceNumber). I did have assert
code to verify this was happening for testing, but it's removed from
this patch it can be added back. 5. All the decrypt instances of
XOR_Counter IV creation have been colapsed into tls13_WriteNonce().
6. Even tough PK11_AEADOp returns and accepts the tag separately
(for encrypt and decrypt respectively). The SSL code still returns
the values as buffer||tag. 7. tls13_AEAD() has been enhanced so all
uses of AEAD outside of the TLS stream can use it instead of their
own wrapped version. It can handle streams (CreateContext()
tls13_AEAD() tls13_AEAD() DestroyContext()) or single shot
tls13_AEAD(context=NULL). In the later case, the keys for the single
shot operation should not be resued. 8. libssl_internals.c in the
gtests directory has been updated to handle advancing the internal
iv counter when we artifically advance the seqNum. Since we don't
have access to any token iv counter (including softoken), The code
switches to simulated message mode, and updates the simulated state
as appropriate. (obviously this is for testing only code as it
reaches into normally private data structures).
Differential Revision:
https://phabricator.services.mozilla.com/D68480
[e7c7f305078e]
2020-03-23 Kevin Jacobs <kjacobs@mozilla.com>
* lib/softoken/pkcs11.c:
Bug 1624402 - Fix compilation error when NO_FORK_CHECK and
CHECK_FORK_* are defined r=rrelyea
Differential Revision:
https://phabricator.services.mozilla.com/D67911
[0225889e5292]
2020-03-23 Kevin Jacobs <kjacobs@mozilla.com>
* lib/util/pkcs11.h:
Bug 1624130 - Require CK_FUNCTION_LIST structs to be packed.
r=rrelyea
Differential Revision:
https://phabricator.services.mozilla.com/D67741
[7ab62d3d0445]
2020-03-19 Robert Relyea <rrelyea@redhat.com>
* automation/abi-check/expected-report-libnss3.so.txt,
gtests/pk11_gtest/pk11_aes_gcm_unittest.cc,
gtests/pk11_gtest/pk11_chacha20poly1305_unittest.cc,
lib/freebl/blapi.h, lib/freebl/blapii.h, lib/freebl/blapit.h,
lib/freebl/chacha20poly1305.c, lib/freebl/gcm.c, lib/freebl/gcm.h,
lib/freebl/intel-gcm-wrap.c, lib/freebl/intel-gcm.h,
lib/freebl/ldvector.c, lib/freebl/loader.c, lib/freebl/loader.h,
lib/freebl/rijndael.c, lib/freebl/rijndael.h, lib/nss/nss.def,
lib/pk11wrap/pk11cxt.c, lib/pk11wrap/pk11mech.c,
lib/pk11wrap/pk11priv.h, lib/pk11wrap/pk11pub.h,
lib/pk11wrap/pk11skey.c, lib/pk11wrap/pk11slot.c,
lib/pk11wrap/secmodti.h, lib/softoken/fipstokn.c,
lib/softoken/pkcs11.c, lib/softoken/pkcs11c.c,
lib/softoken/pkcs11i.h, lib/softoken/pkcs11u.c,
lib/softoken/sftkmessage.c, lib/util/pkcs11n.h, lib/util/pkcs11t.h,
lib/util/secport.h:
Bug 1623374 Need to support the new PKCS #11 Message interface for
AES GCM and ChaCha Poly
PKCS #11 defines a new interface for handling AEAD type ciphers that
allow multiple AEAD operations without repeating the key schedule.
It also allows tokens to keep track of the number of operations, and
generate IVs (depending on the cipher).
This patch: 1. implement those new functions in softoken. With the
addition of CKF_MESSAGE_* flags to various mechanism, we need to
strip them when using the version 2 API of softoken (since there are
no C_Message* function in version 2). For that we need a separate
C_GetMechanismInfo function. We use the same trick we used to have a
separate version function for the V2 interface. Also now that the
new message functions are in their own file, they still need access
to the common Session state processing functions. those have gone
from static to exported within softoken to accomidate that. Same
with sftk_MapDecryptError() (sftk_MapVerifyError() was also made
global, though nothing else is yet using it). Only
C_MessageEncrptInit(), C_EncryptMessage(), C_MessageEncryptFinal,
C_MessageDecryptInit(), C_DecryptMessage(), and
C_MessageDecryptFinal are implemented. C_EncryptMessageBegin(),
C_EncryptMessageNext(), C_DecryptMessageBegin(), and
C_DecryptMessageNext() are all part of the multi-part withing a
multi-part operation and are only necessary for things like S/MIME
(potentially). If we wanted to implement them, we would need more
functions exported from freebl (and initaead, updateaead, finalaead
for each mechanism type). 2. make those interfaces call aes_gcm and
chacha20_poly1503 (and make adjustments for those ciphers). For AES,
I added a new function AES_AEAD, which handles both encrypt and
decrypt. Internally, the gcm functions (both the generic gcm and the
intel gcm wrapper) had their init functions split into key
scheduling and counter mode/tag initialization. The latter is still
called from init, but the former is now for each update call. IV
generation is handled by a single function in gcm.c, and shared with
intel_gcm_wrapper.c Since the AES functions already know about the
underlying PKCS #11 mechanism parameters, the new AEAD functions
also parse the PKCS #11 GCM parameters. For Chacha/Poly new aead
update functions were created called ChaChaPoly1305_Encrypt and
ChaChaChaPoly1305_Decrypt. There was no Message specific
initialization in the existing chacha_init, so no changes were
needed there. The primary difference between _Encrypt/_Decrypt and
_Seal/_Open is the fact that the tag is put at the end of the
encrypted data buffer in the latter, and in a generic buffer in the
former. 3. create new pk11wrap interfaces that also squash the api
differences between the various mechanisms for aead (similiar to the
way we do it for CBC and ECB crypto today). To accomplish this I
added PK11_AEADOp() and PK11_AEADRawOp(). Both functions handle the
case where the token only supports the single shot interface, by
using the single short interface to simulate the Message interface.
The PK11_AEADOp() also smooths out the differences in the parameters
and symantics of the various mechanism so the application does not
need to worry about the PKCS #11 differences in the mechanism. Both
use contexts from the standard PK11_CreateContext(), so key
schedules are done once for each key rather than once for each
message. MESSAGE/AEAD operations are selected by adding the psuedo
attribute flag CKA_NSS_MESSAGE to the requested operation
(CKA_ENCRYPT, CKA_DECRYPT, CKA_SIGN, CKA_VERIFY). 4. write tests for
the new interfaces Tests were added to make sure the PK11_AEADRawOp
interface works, The single shot interface is used to test output of
the message interface we also use two test only functions to force
the connection to use the simulation interface, which is also
compared to the non-simulate inteface. The AES_GCM also tests
various IV generators.
Differential Revision:
https://phabricator.services.mozilla.com/D67552
[293ac3688ced]
2020-03-18 Kevin Jacobs <kjacobs@mozilla.com>
* lib/freebl/mpi/mpcpucache.c:
Bug 1623184 - Clear ECX prior to cpuid, fixing query for Extended
Features r=bbeurdouche
While trying to benchmark the recent HACL* AVX2 code, I noticed that
it was not being called on two machines (that both support AVX2),
instead using only the AVX version.
In order to query for Extended Features (cpuid with EAX=7), we also
need to set ECX to 0: https://www.intel.com/content/www/us/en
/architecture-and-technology/64-ia-32-architectures-software-
developer-vol-2a-manual.html. The current code fails to do this,
resulting in flags that show no support.
Initially, I wrote a separate `freebl_cpuid_ex` function that
accepted a value for ECX as a separate input argument. However, some
definitions of `freebl_cpuid` already zero ECX, so making this
consistent is the simplest way to get the desired behavior.
With this patch, the two test machines (MacOS and Linux x64)
correctly use the AVX2 ChaCha20Poly1305 code.
Differential Revision:
https://phabricator.services.mozilla.com/D67235
[06d41fe87c58]
2020-03-17 Robert Relyea <rrelyea@redhat.com>
* automation/abi-check/expected-report-libnss3.so.txt, automation/abi-
check/expected-report-libsoftokn3.so.txt, cmd/pk11mode/pk11mode.c,
lib/pk11wrap/pk11load.c, lib/pk11wrap/secmodi.h,
lib/pk11wrap/secmodt.h, lib/softoken/fipstokn.c,
lib/softoken/manifest.mn, lib/softoken/pkcs11.c,
lib/softoken/pkcs11c.c, lib/softoken/pkcs11i.h,
lib/softoken/sftkmessage.c, lib/softoken/softoken.gyp,
lib/softoken/softoken.h, lib/softoken/softokn.def,
lib/util/pkcs11.h, lib/util/pkcs11f.h, lib/util/pkcs11n.h,
nss/automation/abi-check/new-report-libnss3.so.txt, nss/automation
/abi-check/new-report-libsoftokn3.so.txt:
Bug 1603628 Update NSS to handle PKCS #11 v3.0 r=ueno r=mt
Update to PKCS #11 v3.0 part 2.
Create the functions and switch to the C_Interface() function to
fetch the PKCS #11 function table. Also PKCS #11 v3.0 uses a new
fork safe interface. NSS can already handle the case if the PKCS #11
module happens to be fork safe (when asked by the application to
refresh the tokens in the child process, NSS can detect that such a
refresh is not necessary and continue. Softoken could also be put in
fork_safe mode with an environment variable. With this patch it's
the default, and NSS asks for the fork safe API by default.
Technically softoken should implement the old non-fork safe
interface when PKCS #11 v2.0 is called, but NSS no longer needs it,
and doing so would double the number of PKCS #11 interfaces are
needed. You can still compile with fork unsafe semantics, and the
PKCS #11 V3.0 module will do the right thing and not include the
fork safe flag. Firefox does not fork(), so for firefox this is
simply code that is no longer compilied.
We now use C_GetInterface, which allows us to specify what kind of
interface we want (PKCS #11 v3.0, PKCS #11 v2.0, fork safe, etc.).
Vendor specific functions can now be accessed through the
C_GetInterface. If the C_GetInterface function does not exists, we
fall bak to the old C_GetFunctionList.
There are 24 new functions in PKCS #11 v3.0: C_GetInterfaceList -
return a table of all the supported interfaces C_GetInterface -
return a specific interface. You can specify interface name, version
and flags separately. You can leave off any of these and you will
get what the token thinks is the best match of the interfaces that
meet the criteria. We do this in softoken by the order of the
interface list. C_SessionCancel - Cancel one or more multipart
operation C_LoginUser - Supply a user name to C_Login(). This
function has no meaning for softoken, so it just returns
CKR_OPERATION_NOT_INITIALIZED under the theory that if we in the
future want to support usernames, the NSS db would need special
initialization to make that happen. C_Message* and C_*Message* (20
functions in all) are the new AEAD interface (they are written
generally so that it can be used for things other than AEAD). In
this patch they are unimplemented (see the next patch).
This patch adds regular (NSC_) and FIPS (FC_) versions of these
functions. Also when creating the PKCS #11 v2.0 interface, we had to
create a 2.0 specific version of C_GetInfo so that it can return a
2.40 in the CK_VERSION field rather than 3.00. We do this with
#defines since all the function tables are generated automagically
with pkcs11f.h.
Differential Revision:
https://phabricator.services.mozilla.com/D67240
[2364598f8a36]
2020-03-09 Benjamin Beurdouche <bbeurdouche@mozilla.com>
* automation/taskcluster/scripts/run_hacl.sh,
lib/freebl/verified/Hacl_Poly1305_128.c,
lib/freebl/verified/Hacl_Poly1305_256.c:
Bug 1612493 - Fix Firefox build for Windows 2012 x64. r=kjacobs
Differential Revision:
https://phabricator.services.mozilla.com/D65945
[7e09cdab32d0]
2020-03-02 Kurt Miller <kurt@intricatesoftware.com>
* lib/freebl/blinit.c:
Bug 1618400 - Fix unused variable 'getauxval' on OpenBSD/arm64 r=jcj
https://bugzilla.mozilla.org/show_bug.cgi?id=1618400
[2c989888dee7]
2020-03-02 Giulio Benetti <giulio.benetti@benettiengineering.com>
* lib/freebl/blinit.c:
Bug 1614183 - Check if PPC __has_include(<sys/auxv.h>). r=kjacobs
Some build environment doesn't provide <sys/auxv.h> and this causes
build failure, so let's check if that header exists by using
__has_include() helper.
Signed-off-by: Giulio Benetti
<giulio.benetti@benettiengineering.com>
[bb7c46049f26]
2020-02-28 Benjamin Beurdouche <bbeurdouche@mozilla.com>
* automation/taskcluster/scripts/run_hacl.sh,
lib/freebl/verified/Hacl_Chacha20.c,
lib/freebl/verified/Hacl_Chacha20Poly1305_128.c,
lib/freebl/verified/Hacl_Chacha20Poly1305_32.c,
lib/freebl/verified/Hacl_Chacha20_Vec128.c,
lib/freebl/verified/Hacl_Curve25519_51.c,
lib/freebl/verified/Hacl_Kremlib.h,
lib/freebl/verified/Hacl_Poly1305_128.c,
lib/freebl/verified/Hacl_Poly1305_32.c,
lib/freebl/verified/kremlin/include/kremlin/internal/types.h,
lib/freebl/verified/kremlin/kremlib/dist/minimal/FStar_UInt128.h, li
b/freebl/verified/kremlin/kremlib/dist/minimal/FStar_UInt128_Verifie
d.h, lib/freebl/verified/kremlin/kremlib/dist/minimal/FStar_UInt_8_1
6_32_64.h, lib/freebl/verified/kremlin/kremlib/dist/minimal/LowStar_
Endianness.h, lib/freebl/verified/kremlin/kremlib/dist/minimal/fstar
_uint128_gcc64.h, lib/freebl/verified/libintvector.h:
Bug 1617533 - Update of HACL* after libintvector.h and coding style
changes. r=kjacobs
*** Bug 1617533 - Clang format
*** Bug 1617533 - Update HACL* commit for job in Taskcluster
*** Bug 1617533 - Update HACL* Kremlin code
Differential Revision:
https://phabricator.services.mozilla.com/D63829
[b6677ae9067e]
* automation/taskcluster/graph/src/extend.js, coreconf/arch.mk,
coreconf/config.mk, lib/freebl/Makefile, lib/freebl/blapii.h,
lib/freebl/blinit.c, lib/freebl/chacha20poly1305.c,
lib/freebl/freebl.gyp,
lib/freebl/verified/Hacl_Chacha20Poly1305_256.c,
lib/freebl/verified/Hacl_Chacha20Poly1305_256.h,
lib/freebl/verified/Hacl_Chacha20_Vec256.c,
lib/freebl/verified/Hacl_Chacha20_Vec256.h,
lib/freebl/verified/Hacl_Poly1305_256.c,
lib/freebl/verified/Hacl_Poly1305_256.h, nss-tool/hw-support.c:
Bug 1612493 - Support for HACL* AVX2 code for Chacha20, Poly1305 and
Chacha20Poly1305. r=kjacobs
*** Bug 1612493 - Import AVX2 code from HACL*
*** Bug 1612493 - Add CPU detection for AVX2, BMI1, BMI2, FMA, MOVBE
*** Bug 1612493 - New flag NSS_DISABLE_AVX2 for freebl/Makefile and
freebl.gyp
*** Bug 1612493 - Disable use of AVX2 on GCC 4.4 which doesn’t
support -mavx2
*** Bug 1612493 - Disable tests when the platform doesn't have
support for AVX2
Differential Revision:
https://phabricator.services.mozilla.com/D64718
[d5deac55f543]
2020-02-18 Robert Relyea <rrelyea@redhat.com>
* cmd/bltest/blapitest.c, cmd/fipstest/fipstest.c,
cmd/lib/pk11table.c, cmd/pk11gcmtest/pk11gcmtest.c,
cmd/shlibsign/shlibsign.c,
gtests/pk11_gtest/pk11_aes_gcm_unittest.cc,
gtests/pk11_gtest/pk11_cbc_unittest.cc, lib/certdb/crl.c,
lib/ckfw/dbm/db.c, lib/dev/devslot.c, lib/dev/devtoken.c,
lib/dev/devutil.c, lib/freebl/fipsfreebl.c, lib/freebl/gcm.c,
lib/freebl/intel-gcm-wrap.c, lib/pk11wrap/debug_module.c,
lib/pk11wrap/dev3hack.c, lib/pk11wrap/pk11akey.c,
lib/pk11wrap/pk11auth.c, lib/pk11wrap/pk11cert.c,
lib/pk11wrap/pk11err.c, lib/pk11wrap/pk11load.c,
lib/pk11wrap/pk11mech.c, lib/pk11wrap/pk11merge.c,
lib/pk11wrap/pk11nobj.c, lib/pk11wrap/pk11obj.c,
lib/pk11wrap/pk11pbe.c, lib/pk11wrap/pk11pk12.c,
lib/pk11wrap/pk11pqg.c, lib/pk11wrap/pk11skey.c,
lib/pk11wrap/pk11slot.c, lib/pk11wrap/pk11util.c, lib/pkcs12/p12d.c,
lib/pkcs12/p12e.c, lib/softoken/fipstokn.c,
lib/softoken/legacydb/lgattr.c, lib/softoken/legacydb/lgcreate.c,
lib/softoken/legacydb/lgfind.c, lib/softoken/legacydb/lginit.c,
lib/softoken/pkcs11.c, lib/softoken/pkcs11c.c,
lib/softoken/pkcs11u.c, lib/softoken/sdb.c, lib/softoken/sftkdb.c,
lib/softoken/sftkpwd.c, lib/ssl/ssl3con.c, lib/ssl/sslprimitive.c,
lib/ssl/tls13con.c, lib/util/pkcs11.h, lib/util/pkcs11f.h,
lib/util/pkcs11n.h, lib/util/pkcs11t.h, lib/util/secoid.c, nss-
tool/enc/enctool.cc:
Bug 1603628 Update NSS to handle PKCS #11 v3.0 r=daiki r=mhoye
https://phabricator.services.mozilla.com/D63241
This patch implements the first phase: updating the headers.
lib/util/pkcs11.h lib/util/pkcs11f.h lib/util/pkcs11t.h
Were updated using the released OASIS PKCS #11 v3.0 header files.
lib/util/pkcs11n.h was updated to finally deprecate all uses of
CK?_NETSCAPE_?.
A new define as added: NSS_PKCS11_2_0_COMPAT. If it's defined, the
small semantic changes (including the removal of deprecated defines)
between the NSS PKCS #11 v2 header file and the new PKCS #11 v3 are
reverted in favor of the PKCS #11 v2 definitions. This include the
removal of CK?_NETSCAPE_? in favor of CK?_NSS_?.
One notable change was caused by an inconsistancy between the spec
and the released headers in PKCS #11 v2.40. CK_GCM_PARAMS had an
extra field in the header that was not in the spec. OASIS considers
the header file to be normative, so PKCS #11 v3.0 resolved the issue
in favor of the header file definition. NSS had the spec definition,
so now there are 2 defines for this structure:
CK_NSS_GCM_PARAMS - the old nss define. Still used internally in
freebl. CK_GCM_PARAMS_V3 - the new define. CK_GCM_PARAMS - no longer
referenced in NSS itself. It's defined as CK_GCM_PARAMS_V3 if
NSS_PKCS11_2_0_COMPAT is *not* defined, and it's defined as
CKM_NSS_GCM_PARAMS if NSS_PKCS11_2_0_COMPAT is defined.
Softoken has been updated to accept either CK_NSS_GCM_PARAMS or
CK_GCM_PARAMS_V3. In a future patch NSS will be updated to use
CK_GCM_PARAMS_V3 and fall back to CK_NSS_GMC_PARAMS.
One other semantic difference between the 3.0 version of pkcs11f.h
and the version here: In the oasis version of the header, you must
define CK_PKCS11_2_0_ONLY to get just the PKCS #11 v2 defines. In
our version you must define CK_PKCS11_3 to get the PCKS #11 v3
defines.
Most of this patch is to handle changing the deprecated defines that
have been removed in PCKS #11 v3 from NSS.
Differential Revision:
https://phabricator.services.mozilla.com/D63241
[b5d90a7fe217]
Differential Revision: https://phabricator.services.mozilla.com/D70773
--HG--
extra : moz-landing-system : lando
Network Security Services (NSS) is a set of libraries designed to support
cross-platform development of security-enabled client and server
applications. NSS supports TLS 1.2, TLS 1.3, PKCS #5, PKCS#7,
PKCS #11, PKCS #12, S/MIME, X.509 v3 certificates, and other security
standards.
Getting started
In order to get started create a new directory on that you will be uses as your
local work area, and check out NSS and NSPR. (Note that there's no git mirror of
NSPR and you require mercurial to get the latest NSPR source.)
This build system is under development. It does not yet support all the
features or platforms that NSS supports. To build on anything other than Mac or
Linux please use the legacy build system as described below.
After changing into the NSS directory a typical build is done as follows
./build.sh
Once the build is done the build output is found in the directory
../dist/Debug for debug builds and ../dist/Release for opt builds.
Exported header files can be found in the include directory, library files in
directory lib, and tools in directory bin. In order to run the tools, set
your system environment to use the libraries of your build from the "lib"
directory, e.g., using the LD_LIBRARY_PATH or DYLD_LIBRARY_PATH.
See help.txt for
more information on using build.sh.
Building NSS (legacy build system)
After changing into the NSS directory a typical build of 32-bit NSS is done as
follows:
make nss_build_all
The following environment variables might be useful:
BUILD_OPT=1 to get an optimised build
USE_64=1 to get a 64-bit build (recommended)
The complete list of environment variables can be found
here.
To clean the build directory run:
make nss_clean_all
Tests
Setup
Make sure that the address $HOST.$DOMSUF on your computer is available. This
is necessary because NSS tests generate certificates and establish TLS
connections, which requires a fully qualified domain name.
You can test this by
calling ping $HOST.$DOMSUF. If this is working, you're all set. If it's not,
set or export:
HOST=nss
DOMSUF=local
Note that you might have to add nss.local to /etc/hosts if it's not
there. The entry should look something like 127.0.0.1 nss.local nss.
Running tests
Runnning all tests will take a while!
cd tests
./all.sh
Make sure that all environment variables set for the build are set while running
the tests as well. Test results are published in the folder
../../test_results/.
Individual tests can be run with the NSS_TESTS environment variable,
e.g. NSS_TESTS=ssl_gtests ./all.sh or by changing into the according directory
and running the bash script there cd ssl_gtests && ./ssl_gtests.sh. The
following tests are available:
To make tests run faster it's recommended to set NSS_CYCLES=standard to run
only the standard cycle.
Releases
NSS releases can be found at Mozilla's download
server. Because NSS depends
on the base library NSPR you should download the archive that combines both NSS
and NSPR.
Contributing
Bugzilla is used to track NSS development and
bugs. File new bugs in the NSS product.
A list with good first bugs to start with are listed
here.
NSS Folder Structure
The nss directory contains the following important subdirectories:
coreconf contains the build logic.
lib contains all library code that is used to create the runtime libraries.
cmd contains a set of various tool programs that are built with NSS. Several
tools are general purpose and can be used to inspect and manipulate the
storage files that software using the NSS library creates and modifies. Other
tools are only used for testing purposes.
test and gtests contain the NSS test suite. While test contains shell
scripts to drive test programs in cmd, gtests holds a set of
gtests.
A more comprehensible overview of the NSS folder structure and API guidelines
can be found
here.
Build mechanisms related to FIPS compliance
NSS supports build configurations for FIPS-140 compliance, and alternative build
configurations that disable functionality specific to FIPS-140 compliance.
This section documents the environment variables and build parameters that
control these configurations.
Build FIPS startup tests
The C macro NSS_NO_INIT_SUPPORT controls the FIPS startup self tests.
If NSS_NO_INIT_SUPPORT is defined, the startup tests are disabled.
The legacy build system (make) by default disables these tests.
To enable these tests, set environment variable NSS_FORCE_FIPS=1 at build time.
The gyp build system by default disables these tests.
To enable these tests, pass parameter --enable-fips to build.sh.
Building either FIPS compliant or alternative compliant code
The C macro NSS_FIPS_DISABLED can be used to disable some FIPS compliant code
and enable alternative implementations.
The legacy build system (make) never defines NSS_FIPS_DISABLED and always uses
the FIPS compliant code.
The gyp build system by default defines NSS_FIPS_DISABLED.
To use the FIPS compliant code, pass parameter --enable-fips to build.sh.
Test execution
The NSS test suite may contain tests that are included, excluded, or are
different based on the FIPS build configuration. To execute the correct tests,
it's necessary to determine which build configuration was used.
The legacy build system (make) uses environment variables to control all
aspects of the build configuration, including FIPS build configuration.
Because the gyp build system doesn't use environment variables to control the
build configuration, the NSS tests cannot rely on environment variables to
determine the build configuration.
A helper binary named nss-build-flags is produced as part of the NSS build,
which prints the C macro symbols that were defined at build time, and which are
relevant to test execution.
7d42f279f2