Backed out changeset 7d55de92c194 (bug 1594931) for failing xpcshell at test_sdr_preexisting.js on a CLOSED TREE

--HG--
rename : security/manager/ssl/tests/unit/test_broken_fips/key4.db => security/manager/ssl/tests/unit/test_sdr_preexisting/key4.db
This commit is contained in:
Andreea Pavel 2019-12-13 22:48:02 +02:00
parent 39d7eb39ed
commit 1adff31cb1
36 changed files with 379 additions and 26 deletions

View File

@ -45,6 +45,10 @@ ifdef MOZ_SYSTEM_NSS
DEFINES += -DMOZ_SYSTEM_NSS=1
endif
ifdef NSS_DISABLE_DBM
DEFINES += -DNSS_DISABLE_DBM=1
endif
ifdef MOZ_ARTIFACT_BUILDS
DEFINES += -DMOZ_ARTIFACT_BUILDS=1
endif

View File

@ -361,6 +361,9 @@ bin/libfreebl_64int_3.so
#endif
@BINPATH@/@DLL_PREFIX@nss3@DLL_SUFFIX@
@BINPATH@/@DLL_PREFIX@nssckbi@DLL_SUFFIX@
#ifndef NSS_DISABLE_DBM
@BINPATH@/@DLL_PREFIX@nssdbm3@DLL_SUFFIX@
#endif
#ifndef MOZ_FOLD_LIBS
@BINPATH@/@DLL_PREFIX@nssutil3@DLL_SUFFIX@
@BINPATH@/@DLL_PREFIX@smime3@DLL_SUFFIX@

View File

@ -30,6 +30,10 @@ DEFINES += \
-DANDROID_CPU_ARCH=$(ANDROID_CPU_ARCH) \
$(NULL)
ifdef NSS_DISABLE_DBM
DEFINES += -DNSS_DISABLE_DBM=1
endif
ifdef MOZ_DEBUG
DEFINES += -DMOZ_DEBUG=1
endif

View File

@ -71,6 +71,12 @@
@BINPATH@/@DLL_PREFIX@freebl3.chk
@BINPATH@/@DLL_PREFIX@softokn3.chk
#endif
#ifndef NSS_DISABLE_DBM
@BINPATH@/@DLL_PREFIX@nssdbm3@DLL_SUFFIX@
#ifndef CROSS_COMPILE
@BINPATH@/@DLL_PREFIX@nssdbm3.chk
#endif
#endif
#ifndef MOZ_FOLD_LIBS
@BINPATH@/@DLL_PREFIX@mozsqlite3@DLL_SUFFIX@

Binary file not shown.

Binary file not shown.

Binary file not shown.

View File

@ -470,6 +470,7 @@ class MacArtifactJob(ArtifactJob):
'libmozglue.dylib',
'libnss3.dylib',
'libnssckbi.dylib',
'libnssdbm3.dylib',
'libplugin_child_interpose.dylib',
# 'libreplace_jemalloc.dylib',
# 'libreplace_malloc.dylib',

View File

@ -228,6 +228,9 @@ GeneratedFile('nsSTSPreloadList.h',
script='../../../xpcom/ds/tools/make_dafsa.py',
inputs=['nsSTSPreloadList.inc'])
if CONFIG['NSS_DISABLE_DBM']:
DEFINES['NSS_DISABLE_DBM'] = '1'
DEFINES['SSL_DISABLE_DEPRECATED_CIPHER_SUITE_NAMES'] = 'True'
DEFINES['NSS_ENABLE_ECC'] = 'True'

View File

@ -8,19 +8,19 @@
// Tests that if Firefox attempts and fails to load a PKCS#11 module DB that was
// in FIPS mode, Firefox can still make use of keys in the key database.
// secomd.db can be created via `certutil -N -d <dir>`. Putting it in FIPS mode
// involves running `modutil -fips true -dbdir <dir>`. key4.db is from
// test_sdr_preexisting/key4.db.
// involves running `modutil -fips true -dbdir <dir>`. key3.db is from
// test_sdr_preexisting/key3.db.
function run_test() {
let profile = do_get_profile();
let keyDBName = "key4.db";
let keyDBName = "key3.db";
let keyDBFile = do_get_file(`test_broken_fips/${keyDBName}`);
keyDBFile.copyTo(profile, keyDBName);
let pkcs11modDBName = "pkcs11.txt";
let pkcs11modDBFile = do_get_file(`test_broken_fips/${pkcs11modDBName}`);
pkcs11modDBFile.copyTo(profile, pkcs11modDBName);
let secmodDBName = "secmod.db";
let secmodDBFile = do_get_file(`test_broken_fips/${secmodDBName}`);
secmodDBFile.copyTo(profile, secmodDBName);
let moduleDB = Cc["@mozilla.org/security/pkcs11moduledb;1"].getService(
Ci.nsIPKCS11ModuleDB
@ -41,10 +41,7 @@ function run_test() {
"decrypted ciphertext should match expected plaintext"
);
let pkcs11modDBFileFIPS = do_get_profile();
pkcs11modDBFileFIPS.append(`${pkcs11modDBName}.fips`);
ok(
pkcs11modDBFileFIPS.exists(),
"backed-up PKCS#11 module db should now exist"
);
let secmodDBFileFIPS = do_get_profile();
secmodDBFileFIPS.append(`${secmodDBName}.fips`);
ok(secmodDBFileFIPS.exists(), "backed-up PKCS#11 module db should now exist");
}

View File

@ -1,5 +0,0 @@
library=
name=NSS Internal FIPS PKCS #11 Module
parameters=configdir='.' certPrefix='' keyPrefix='' secmod='' flags= updatedir='' updateCertPrefix='' updateKeyPrefix='' updateid='' updateTokenDescription=''
NSS=slotParams={0x00000003=[slotFlags=RSA,RC4,RC2,DES,DH,SHA1,MD5,MD2,SSL,TLS,AES,SHA256,SHA512,Camellia,SEED,RANDOM ] } Flags=internal,FIPS,critical

View File

@ -17,7 +17,9 @@
// `certutil -d . -A -n "Let's Encrypt Authority X1" -t ,, -a \
// -i LetsEncrypt.pem`
//
// This should create the cert9.db and key4.db files.
// This should create cert8.db and key3.db files for use on non-Android
// platforms. Perform the same steps with "sql:." as the argument to the "-d"
// flag to create cert9.db and key4.db for use with Android.
//
// (The crucial property of the first certificate is that it is a built-in trust
// anchor, so any replacement must also have this property. The second
@ -75,8 +77,9 @@
"use strict";
function run_test() {
const certDBName = "cert9.db";
const keyDBName = "key4.db";
const isAndroid = AppConstants.platform == "android";
const certDBName = isAndroid ? "cert9.db" : "cert8.db";
const keyDBName = isAndroid ? "key4.db" : "key3.db";
let profile = do_get_profile();
let certDBFile = do_get_file(`test_cert_isBuiltInRoot_reload/${certDBName}`);
certDBFile.copyTo(profile, certDBName);

View File

@ -9,11 +9,171 @@
// a preexisting NSS key database. Creating the database is straight-forward:
// simply run Firefox (or xpcshell) and encrypt something using
// nsISecretDecoderRing (e.g. by saving a password or directly using the
// interface). The resulting key4.db file (in the profile directory) now
// interface). The resulting key3.db file (in the profile directory) now
// contains the private key used to encrypt the data.
// "Upgrading" a key3.db with certutil to use on Android appears not to work.
// Because the keys have to be the same for this test to work the way it does,
// the key from key3.db must be extracted and added to a new key4.db. This can
// be done with NSS' PK11_* APIs like so (although note that the following code
// is not guaranteed to compile or work, but is more of a guideline for how to
// do this in the future if necessary):
//
// #include <stdio.h>
//
// #include "nss.h"
// #include "pk11pub.h"
// #include "prerror.h"
// #include "secerr.h"
//
// void printPRError(const char* message) {
// fprintf(stderr, "%s: %s\n", message, PR_ErrorToString(PR_GetError(), 0));
// }
//
// int main(int argc, char* argv[]) {
// if (NSS_Initialize(".", "", "", "", NSS_INIT_NOMODDB | NSS_INIT_NOROOTINIT)
// != SECSuccess) {
// printPRError("NSS_Initialize failed");
// return 1;
// }
//
// PK11SlotInfo* slot = PK11_GetInternalKeySlot();
// if (!slot) {
// printPRError("PK11_GetInternalKeySlot failed");
// return 1;
// }
//
// // Create a key to wrap the SDR key to export it.
// unsigned char wrappingKeyIDBytes[] = { 0 };
// SECItem wrappingKeyID = {
// siBuffer,
// wrappingKeyIDBytes,
// sizeof(wrappingKeyIDBytes)
// };
// PK11SymKey* wrappingKey = PK11_TokenKeyGen(slot, CKM_DES3_CBC, 0, 0,
// &wrappingKeyID, PR_FALSE, NULL);
// if (!wrappingKey) {
// printPRError("PK11_TokenKeyGen failed");
// return 1;
// }
//
// // This is the magic identifier NSS uses for the SDR key.
// unsigned char sdrKeyIDBytes[] = {
// 0xF8, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
// 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01
// };
// SECItem sdrKeyID = { siBuffer, sdrKeyIDBytes, sizeof(sdrKeyIDBytes) };
// PK11SymKey* sdrKey = PK11_FindFixedKey(slot, CKM_DES3_CBC, &sdrKeyID,
// NULL);
// if (!sdrKey) {
// printPRError("PK11_FindFixedKey failed");
// return 1;
// }
//
// // Wrap the SDR key.
// unsigned char wrappedKeyBuf[1024];
// SECItem wrapped = { siBuffer, wrappedKeyBuf, sizeof(wrappedKeyBuf) };
// if (PK11_WrapSymKey(CKM_DES3_ECB, NULL, wrappingKey, sdrKey, &wrapped)
// != SECSuccess) {
// printPRError("PK11_WrapSymKey failed");
// return 1;
// }
//
// // Unwrap the SDR key (NSS considers the SDR key "sensitive" and so won't
// // just export it as raw key material - we have to export it and then
// // re-import it as non-sensitive to get that data.
// PK11SymKey* unwrapped = PK11_UnwrapSymKey(wrappingKey, CKM_DES3_ECB, NULL,
// &wrapped, CKM_DES3_CBC,
// CKA_ENCRYPT, 0);
// if (!unwrapped) {
// printPRError("PK11_UnwrapSymKey failed");
// return 1;
// }
// if (PK11_ExtractKeyValue(unwrapped) != SECSuccess) {
// printPRError("PK11_ExtractKeyValue failed");
// return 1;
// }
// SECItem* keyData = PK11_GetKeyData(unwrapped);
// if (!keyData) {
// printPRError("PK11_GetKeyData failed");
// return 1;
// }
// for (int i = 0; i < keyData->len; i++) {
// printf("0x%02hhx, ", keyData->data[i]);
// }
// printf("\n");
//
// PK11_FreeSymKey(unwrapped);
// PK11_FreeSymKey(sdrKey);
// PK11_FreeSymKey(wrappingKey);
// PK11_FreeSlot(slot);
//
// if (NSS_Shutdown() != SECSuccess) {
// printPRError("NSS_Shutdown failed");
// return 1;
// }
// return 0;
// }
//
// The output of compiling and running the above should be the bytes of the SDR
// key. Given that, create a key4.db with an empty password using
// `certutil -N -d sql:.` and then compile and run the following:
//
// #include <stdio.h>
//
// #include "nss.h"
// #include "pk11pub.h"
// #include "prerror.h"
// #include "secerr.h"
// #include "secmod.h"
//
// void printPRError(const char* message) {
// fprintf(stderr, "%s: %s\n", message, PR_ErrorToString(PR_GetError(), 0));
// }
//
// int main(int argc, char* argv[]) {
// if (NSS_Initialize("sql:.", "", "", "",
// NSS_INIT_NOMODDB | NSS_INIT_NOROOTINIT) != SECSuccess) {
// printPRError("NSS_Initialize failed");
// return 1;
// }
//
// PK11SlotInfo* slot = PK11_GetInternalKeySlot();
// if (!slot) {
// printPRError("PK11_GetInternalKeySlot failed");
// return 1;
// }
//
// // These are the bytes of the SDR key from the previous step:
// unsigned char keyBytes[] = {
// 0x70, 0xab, 0xea, 0x1f, 0x8f, 0xe3, 0x4a, 0x7a, 0xb5, 0xb0, 0x43, 0xe5,
// 0x51, 0x83, 0x86, 0xe5, 0xb3, 0x43, 0xa8, 0x1f, 0xc1, 0x57, 0x86, 0x46
// };
// SECItem keyItem = { siBuffer, keyBytes, sizeof(keyBytes) };
// PK11SymKey* key = PK11_ImportSymKey(slot, CKM_DES3_CBC, PK11_OriginUnwrap,
// CKA_ENCRYPT, &keyItem, NULL);
// if (!key) {
// printPRError("PK11_ImportSymKey failed");
// return 1;
// }
//
// PK11_FreeSymKey(key);
// PK11_FreeSlot(slot);
//
// if (NSS_Shutdown() != SECSuccess) {
// printPRError("NSS_Shutdown failed");
// return 1;
// }
// return 0;
// }
//
// This should create a key4.db file with the SDR key. (Note however that this
// does not set the magic key ID for the SDR key. Currently this is not a
// problem because the NSS implementation that backs the SDR simply tries all
// applicable keys it has when decrypting, so this still works.)
function run_test() {
const keyDBName = "key4.db";
const isAndroid = AppConstants.platform == "android";
const keyDBName = isAndroid ? "key4.db" : "key3.db";
let profile = do_get_profile();
let keyDBFile = do_get_file(`test_sdr_preexisting/${keyDBName}`);
keyDBFile.copyTo(profile, keyDBName);

View File

@ -58,8 +58,8 @@ function run_test() {
});
let profile = do_get_profile();
let keyDBFile = do_get_file("test_sdr_preexisting_with_password/key4.db");
keyDBFile.copyTo(profile, "key4.db");
let keyDBFile = do_get_file("test_sdr_preexisting_with_password/key3.db");
keyDBFile.copyTo(profile, "key3.db");
let sdr = Cc["@mozilla.org/security/sdr;1"].getService(
Ci.nsISecretDecoderRing

View File

@ -0,0 +1,149 @@
// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
// This Source Code Form is subject to the terms of the Mozilla Public
// License, v. 2.0. If a copy of the MPL was not distributed with this
// file, You can obtain one at http://mozilla.org/MPL/2.0/.
"use strict";
// Tests that the SDR implementation is able to decrypt strings encrypted using
// a preexisting NSS key database that a) has a password and b) has already been
// upgraded from the old dbm format in a previous run of Firefox.
// To create such a database, run the xpcshell test
// `test_sdr_preexisting_with_password.js` and locate the file `key4.db` created
// in the xpcshell test profile directory.
// This does not apply to Android as the dbm implementation was never enabled on
// that platform.
var gMockPrompter = {
passwordToTry: "password",
numPrompts: 0,
// This intentionally does not use arrow function syntax to avoid an issue
// where in the context of the arrow function, |this != gMockPrompter| due to
// how objects get wrapped when going across xpcom boundaries.
promptPassword(dialogTitle, text, password, checkMsg, checkValue) {
this.numPrompts++;
if (this.numPrompts > 1) {
// don't keep retrying a bad password
return false;
}
equal(
text,
"Please enter your master password.",
"password prompt text should be as expected"
);
equal(checkMsg, null, "checkMsg should be null");
ok(this.passwordToTry, "passwordToTry should be non-null");
password.value = this.passwordToTry;
return true;
},
QueryInterface: ChromeUtils.generateQI([Ci.nsIPrompt]),
};
// Mock nsIWindowWatcher. PSM calls getNewPrompter on this to get an nsIPrompt
// to call promptPassword. We return the mock one, above.
var gWindowWatcher = {
getNewPrompter: () => gMockPrompter,
QueryInterface: ChromeUtils.generateQI([Ci.nsIWindowWatcher]),
};
function run_test() {
let windowWatcherCID = MockRegistrar.register(
"@mozilla.org/embedcomp/window-watcher;1",
gWindowWatcher
);
registerCleanupFunction(() => {
MockRegistrar.unregister(windowWatcherCID);
});
let profile = do_get_profile();
let key3DBFile = do_get_file("test_sdr_upgraded_with_password/key3.db");
key3DBFile.copyTo(profile, "key3.db");
let key4DBFile = do_get_file("test_sdr_upgraded_with_password/key4.db");
key4DBFile.copyTo(profile, "key4.db");
// Unfortunately we have to also copy the certificate databases as well.
// Otherwise, NSS will think it has to create them, which will cause NSS to
// think it has to also do a migration, which will open key3.db and not close
// it until shutdown, which means that on Windows removing the file just after
// startup fails. Luckily users profiles will have both key and certificate
// databases anyway, so this is an accurate reflection of normal use.
let cert8DBFile = do_get_file("test_sdr_upgraded_with_password/cert8.db");
cert8DBFile.copyTo(profile, "cert8.db");
let cert9DBFile = do_get_file("test_sdr_upgraded_with_password/cert9.db");
cert9DBFile.copyTo(profile, "cert9.db");
let sdr = Cc["@mozilla.org/security/sdr;1"].getService(
Ci.nsISecretDecoderRing
);
let testcases = [
// a full padding block
{
ciphertext:
"MDoEEPgAAAAAAAAAAAAAAAAAAAEwFAYIKoZIhvcNAwcECGeDHwVfyFqzBBAYvqMq/kDMsrARVNdC1C8d",
plaintext: "password",
},
// 7 bytes of padding
{
ciphertext:
"MDIEEPgAAAAAAAAAAAAAAAAAAAEwFAYIKoZIhvcNAwcECCAzLDVmYG2/BAh3IoIsMmT8dQ==",
plaintext: "a",
},
// 6 bytes of padding
{
ciphertext:
"MDIEEPgAAAAAAAAAAAAAAAAAAAEwFAYIKoZIhvcNAwcECPN8zlZzn8FdBAiu2acpT8UHsg==",
plaintext: "bb",
},
// 1 byte of padding
{
ciphertext:
"MDIEEPgAAAAAAAAAAAAAAAAAAAEwFAYIKoZIhvcNAwcECD5px1eMKkJQBAgUPp35GlrDvQ==",
plaintext: "!seven!",
},
// 2 bytes of padding
{
ciphertext:
"MDIEEPgAAAAAAAAAAAAAAAAAAAEwFAYIKoZIhvcNAwcECMh0hLtKDyUdBAixw9UZsMt+vA==",
plaintext: "sixsix",
},
// long plaintext requiring more than two blocks
{
ciphertext:
"MFoEEPgAAAAAAAAAAAAAAAAAAAEwFAYIKoZIhvcNAwcECDRX1qi+/FX1BDATFIcIneQjvBuq3wdFxzllJt2VtUD69ACdOKAXH3eA87oHDvuHqOeCDwRy4UzoG5s=",
plaintext: "thisismuchlongerandsotakesupmultipleblocks",
},
// this differs from the previous ciphertext by one bit and demonstrates
// that this implementation does not enforce message integrity
{
ciphertext:
"MFoEEPgAAAAAAAAAAAAAAAAAAAEwFAYIKoZIhvcNAwcECDRX1qi+/FX1BDAbFIcIneQjvBuq3wdFxzllJt2VtUD69ACdOKAXH3eA87oHDvuHqOeCDwRy4UzoG5s=",
plaintext: "nnLbuwLRkhlongerandsotakesupmultipleblocks",
},
];
for (let testcase of testcases) {
let decrypted = sdr.decryptString(testcase.ciphertext);
equal(
decrypted,
testcase.plaintext,
"decrypted ciphertext should match expected plaintext"
);
}
equal(
gMockPrompter.numPrompts,
1,
"Should have been prompted for a password once"
);
// NSS does not close the old database when performing an upgrade. Thus, on
// Windows, we can't delete the old database file on the run that we perform
// an upgrade. However, we can delete it on subsequent runs.
let key3DBInProfile = do_get_profile();
key3DBInProfile.append("key3.db");
ok(
!key3DBInProfile.exists(),
"key3.db should not exist after running with key4.db with a password"
);
}

View File

@ -39,6 +39,7 @@ support-files =
test_sanctions/**
test_sdr_preexisting/**
test_sdr_preexisting_with_password/**
test_sdr_upgraded_with_password/**
test_self_signed_certs/**
test_signed_apps/**
test_startcom_wosign/**
@ -192,6 +193,9 @@ run-sequentially = hardcoded ports
[test_sdr_preexisting_with_password.js]
# Not relevant to Android. See the comment in the test.
skip-if = toolkit == 'android'
[test_sdr_upgraded_with_password.js]
# Not relevant to Android. See the comment in the test.
skip-if = toolkit == 'android'
[test_self_signed_certs.js]
[test_session_resumption.js]
run-sequentially = hardcoded ports

View File

@ -83,7 +83,8 @@ gyp_vars['nss_public_dist_dir'] = '$PRODUCT_DIR/dist'
gyp_vars['nss_dist_obj_dir'] = '$PRODUCT_DIR/dist/bin'
# We don't currently build NSS tests.
gyp_vars['disable_tests'] = 1
gyp_vars['disable_dbm'] = 1
if CONFIG['NSS_DISABLE_DBM']:
gyp_vars['disable_dbm'] = 1
gyp_vars['disable_libpkix'] = 1
gyp_vars['enable_sslkeylogfile'] = 1
# pkg-config won't reliably find zlib on our builders, so just force it.

Binary file not shown.

View File

@ -80,7 +80,8 @@ add_task(async function test_common_initialize() {
// Before initializing the service for the first time, we should copy the key
// file required to decrypt the logins contained in the SQLite databases used
// by migration tests. This file is not required for the other tests.
const keyDBName = "key4.db";
const isAndroid = AppConstants.platform == "android";
const keyDBName = isAndroid ? "key4.db" : "key3.db";
await OS.File.copy(
do_get_file(`data/${keyDBName}`).path,
OS.Path.join(OS.Constants.Path.profileDir, keyDBName)

View File

@ -67,6 +67,9 @@ with Files('moz.*'):
with Files('toolkit.mozbuild'):
BUG_COMPONENT = ('Firefox Build System', 'General')
with Files('nss.configure'):
BUG_COMPONENT = ('Firefox Build System', 'General')
with Files('library/**'):
BUG_COMPONENT = ('Firefox Build System', 'General')

View File

@ -815,6 +815,8 @@ option('--enable-ipdl-tests', help='Enable expensive IPDL tests')
set_config('MOZ_IPDL_TESTS',
depends_if('--enable-ipdl-tests')(lambda _: True))
include('nss.configure')
# Graphics
# ==============================================================
option('--disable-skia', help='Disable use of Skia')

17
toolkit/nss.configure Normal file
View File

@ -0,0 +1,17 @@
# -*- Mode: python; indent-tabs-mode: nil; tab-width: 40 -*-
# vim: set filetype=python:
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
# DBM support in NSS
# ==============================================================
@depends(build_project)
def dbm_default(build_project):
return build_project != 'mobile/android'
option('--enable-dbm', default=dbm_default,
help='{Enable|Disable} building DBM')
set_config('NSS_DISABLE_DBM', depends('--enable-dbm')(lambda x: not x))