Magic-Mirror/gecko-dev
1
0
Fork 0
mirror of https://github.com/mozilla/gecko-dev.git synced 2024-11-23 12:51:06 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Backed out changeset 692727a38d4d (bug 1815435) for causing build bustage in /security/nss/lib/ssl/ssl3ext.c UPGRADE_NSS_RELEASE CLOSED TREE

Browse Source
This commit is contained in:
Sandor Molnar 2023-03-03 01:54:42 +02:00
parent c3648375f8
commit d5d3dff294
59 changed files with 581 additions and 2232 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
build/moz.configure/nss.configure
View File

@ -9,7 +9,7 @@ system_lib_option("--with-system-nss", help="Use system NSS")
imply_option("--with-system-nspr", True, when="--with-system-nss")
nss_pkg = pkg_check_modules(
"NSS", "nss >= 3.89", when="--with-system-nss", config=False
"NSS", "nss >= 3.88", when="--with-system-nss", config=False
)
set_config("MOZ_SYSTEM_NSS", True, when="--with-system-nss")

2
security/nss/TAG-INFO
View File

@ -1 +1 @@
NSS_3_89_BETA1
NSS_3_88_1_RTM

2
security/nss/automation/abi-check/previous-nss-release
View File

@ -1 +1 @@
NSS_3_88_BRANCH
NSS_3_87_BRANCH

2
security/nss/automation/taskcluster/docker-builds/Dockerfile
View File

@ -2,7 +2,7 @@
# default image, so it's a fair bit bigger. Only use this for builds where
# the smaller docker image is missing something. These builds will run on
# the leaner configuration.
FROM ubuntu:bionic-20221215
FROM ubuntu:18.04
LABEL maintainer="Martin Thomson <martin.thomson@gmail.com>"
RUN dpkg --add-architecture i386

2
security/nss/automation/taskcluster/docker-clang-format/Dockerfile
View File

@ -1,5 +1,5 @@
# Minimal image with clang-format 10
FROM ubuntu:bionic-20221215
FROM ubuntu:18.04
LABEL maintainer="Martin Thomson <martin.thomson@gmail.com>"
RUN apt-get update \

2
security/nss/automation/taskcluster/docker-decision/Dockerfile
View File

@ -1,5 +1,5 @@
# Minimal image for running the decision task.
FROM ubuntu:bionic-20221215
FROM ubuntu:18.04
LABEL maintainer="Martin Thomson <martin.thomson@gmail.com>"
RUN apt-get update \

2
security/nss/automation/taskcluster/docker-fuzz/Dockerfile
View File

@ -4,7 +4,7 @@
# docker invocation or ASAN won't work.
# On taskcluster for ASAN use `features: ["allowPtrace"]`.
# See https://github.com/google/sanitizers/issues/764#issuecomment-276700920
FROM ubuntu:bionic-20221215
FROM ubuntu:18.04
LABEL maintainer="Martin Thomson <martin.thomson@gmail.com>"
RUN dpkg --add-architecture i386

2
security/nss/automation/taskcluster/docker-interop/Dockerfile
View File

@ -1,6 +1,6 @@
# Dockerfile for running interop tests.
# This includes Rust, golang, and nodejs.
FROM ubuntu:focal-20221130
FROM ubuntu:20.04
LABEL maintainer="Martin Thomson <martin.thomson@gmail.com>"
RUN dpkg --add-architecture i386

2
security/nss/automation/taskcluster/docker/Dockerfile
View File

@ -1,5 +1,5 @@
# Lean image for running the bulk of the NSS CI tests on taskcluster.
FROM ubuntu:bionic-20221215
FROM ubuntu:18.04
LABEL maintainer="Martin Thomson <martin.thomson@gmail.com>"
RUN dpkg --add-architecture i386

4
security/nss/automation/taskcluster/graph/src/extend.js
View File

@ -878,14 +878,14 @@ async function scheduleFuzzing32() {
async function scheduleWindows(name, base, build_script) {
base = merge(base, {
workerType: "b-win2012-azure",
workerType: "win2012r2",
env: {
PATH: "c:\\mozilla-build\\bin;c:\\mozilla-build\\python;" +
"c:\\mozilla-build\\msys\\local\\bin;c:\\mozilla-build\\7zip;" +
"c:\\mozilla-build\\info-zip;c:\\mozilla-build\\python\\Scripts;" +
"c:\\mozilla-build\\yasm;c:\\mozilla-build\\msys\\bin;" +
"c:\\Windows\\system32;c:\\mozilla-build\\upx391w;" +
"c:\\mozilla-build\\moztools-x64\\bin;c:\\mozilla-build\\wget;c:\\Program Files\\Mercurial",
"c:\\mozilla-build\\moztools-x64\\bin;c:\\mozilla-build\\wget",
DOMSUF: "localdomain",
HOST: "localhost",
},

2
security/nss/automation/taskcluster/graph/src/image_builder.js
View File

@ -56,6 +56,6 @@ export async function buildTask({name, path}) {
features: ["dind"],
maxRunTime: 7200,
kind: "build",
symbol: `I(${name})`
symbol: "I"
};
}

1
security/nss/coreconf/coreconf.dep
View File

@ -10,3 +10,4 @@
*/
#error "Do not include this header file."

686
security/nss/doc/rst/legacy/jss/jss_provider_notes/index.rst
View File

@ -180,310 +180,382 @@ JSS Provider Notes
timeframe for fixing them. Meanwhile, the ``org.mozilla.jss.crypto.CryptoStore`` class
can be used for some of this functionality.
.. rubric:: Cipher
:name: Cipher_2
.. rubric:: Supported Algorithms
:name: supported_algorithms
.. rubric:: Notes
:name: notes
-
- AES
- DES
- DESede (*DES3* )
- RC2
- RC4
- RSA
- The following modes and padding schemes are supported:
+------------------------------+------------------------------+------------------------------+
| Algorithm | Mode | Padding |
+------------------------------+------------------------------+------------------------------+
| DES | ECB | NoPadding |
+------------------------------+------------------------------+------------------------------+
| | CBC | NoPadding |
+------------------------------+------------------------------+------------------------------+
| | | PKCS5 Padding |
+------------------------------+------------------------------+------------------------------+
| DESede | ECB | NoPadding |
| *DES3* | | |
+------------------------------+------------------------------+------------------------------+
| | CBC | NoPadding |
+------------------------------+------------------------------+------------------------------+
| | | PKCS5 Padding |
+------------------------------+------------------------------+------------------------------+
| AES | ECB | NoPadding |
+------------------------------+------------------------------+------------------------------+
| | CBC | NoPadding |
+------------------------------+------------------------------+------------------------------+
| | | PKCS5 Padding |
+------------------------------+------------------------------+------------------------------+
| RC4 | *None* | *None* |
+------------------------------+------------------------------+------------------------------+
| RC2 | CBC | NoPadding |
+------------------------------+------------------------------+------------------------------+
| | | PKCS5Padding |
+------------------------------+------------------------------+------------------------------+
- The SecureRandom argument passed to ``initSign()`` and ``initVerify()`` is ignored, because
NSS does not support specifying an external source of randomness.
.. rubric:: DSAPrivateKey
:name: DSAPrivateKey_2
- ``getX()`` is not supported because NSS does not support extracting data from private keys.
.. rubric:: KeyFactory
:name: KeyFactory_2
.. rubric:: Supported Algorithms
:name: supported_algorithms_2
.. rubric:: Notes
:name: notes_2
-
- DSA
- RSA
- The following transformations are supported for ``generatePublic()`` and
``generatePrivate()``:
+----------------------------------------------+----------------------------------------------+
| From | To |
+----------------------------------------------+----------------------------------------------+
| ``RSAPublicKeySpec`` | ``RSAPublicKey`` |
+----------------------------------------------+----------------------------------------------+
| ``DSAPublicKeySpec`` | ``DSAPublicKey`` |
+----------------------------------------------+----------------------------------------------+
| ``X509EncodedKeySpec`` | ``RSAPublicKey`` |
| | ``DSAPublicKey`` |
+----------------------------------------------+----------------------------------------------+
| ``RSAPrivateCrtKeySpec`` | ``RSAPrivateKey`` |
+----------------------------------------------+----------------------------------------------+
| ``DSAPrivateKeySpec`` | ``DSAPrivateKey`` |
+----------------------------------------------+----------------------------------------------+
| ``PKCS8EncodedKeySpec`` | ``RSAPrivateKey`` |
| | ``DSAPrivateKey`` |
+----------------------------------------------+----------------------------------------------+
- ``getKeySpec()`` is not supported. This method exports key material in plaintext and is
therefore insecure. Note that a public key's data can be accessed directly from the key.
- ``translateKey()`` simply gets the encoded form of the given key and then tries to import
it by calling ``generatePublic()`` or ``generatePrivate()``. Only ``X509EncodedKeySpec`` is
supported for public keys, and only ``PKCS8EncodedKeySpec`` is supported for private keys.
.. rubric:: KeyGenerator
:name: KeyGenerator_2
.. rubric:: Supported Algorithms
:name: supported_algorithms_3
.. rubric:: Notes
:name: notes_3
-
- AES
- DES
- DESede (*DES3* )
- RC4
- The SecureRandom argument passed to ``init()`` is ignored, because NSS does not support
specifying an external source of randomness.
- None of the key generation algorithms accepts an ``AlgorithmParameterSpec``.
.. rubric:: KeyPairGenerator
:name: KeyPairGenerator_2
.. rubric:: Supported Algorithms
:name: supported_algorithms_4
.. rubric:: Notes
:name: notes_4
-
- DSA
- RSA
- The SecureRandom argument passed to initialize() is ignored, because NSS does not support
specifying an external source of randomness.
.. rubric:: Mac
:name: Mac_2
.. rubric:: Supported Algorithms
:name: supported_algorithms_5
.. rubric:: Notes
:name: notes_5
-
- HmacSHA1 (*Hmac-SHA1* )
- Any secret key type (AES, DES, etc.) can be used as the MAC key, but it must be a JSS key.
That is, it must be an ``instanceof org.mozilla.jss.crypto.SecretKeyFacade``.
- The params passed to ``init()`` are ignored.
.. rubric:: MessageDigest
:name: MessageDigest_2
.. rubric:: Supported Algorithms
:name: supported_algorithms_6
-
- MD5
- MD2
- SHA-1 (*SHA1, SHA* )
.. rubric:: RSAPrivateKey
:name: RSAPrivateKey_2
.. rubric:: Notes
:name: notes_6
-
- ``getModulus()`` is not supported because NSS does not support extracting data from private
keys.
- ``getPrivateExponent()`` is not supported because NSS does not support extracting data from
private keys.
.. rubric:: SecretKeyFactory
:name: SecretKeyFactory_2
.. rubric:: Supported Algorithms
:name: supported_algorithms_7
.. rubric:: Notes
:name: notes_7
-
- AES
- DES
- DESede (*DES3* )
- PBAHmacSHA1
- PBEWithMD5AndDES
- PBEWithSHA1AndDES
- PBEWithSHA1AndDESede (*PBEWithSHA1AndDES3* )
- PBEWithSHA1And128RC4
- RC4
- ``generateSecret`` supports the following transformations:
+----------------------------------------------+----------------------------------------------+
| KeySpec Class | Key Algorithm |
+----------------------------------------------+----------------------------------------------+
| PBEKeySpec | *Using the appropriate PBE algorithm:* |
| org.mozilla.jss.crypto.PBEKeyGenParams | DES |
| | DESede |
| | RC4 |
+----------------------------------------------+----------------------------------------------+
| DESedeKeySpec | DESede |
+----------------------------------------------+----------------------------------------------+
| DESKeySpec | DES |
+----------------------------------------------+----------------------------------------------+
| SecretKeySpec | AES |
| | DES |
| | DESede |
| | RC4 |
+----------------------------------------------+----------------------------------------------+
- ``getKeySpec`` supports the following transformations:
+----------------------------------------------+----------------------------------------------+
| Key Algorithm | KeySpec Class |
+----------------------------------------------+----------------------------------------------+
| DESede | DESedeKeySpec |
+----------------------------------------------+----------------------------------------------+
| DES | DESKeySpec |
+----------------------------------------------+----------------------------------------------+
| DESede | SecretKeySpec |
| DES | |
| AES | |
| RC4 | |
+----------------------------------------------+----------------------------------------------+
- For increased security, some SecretKeys may not be extractable from their PKCS #11 token.
In this case, the key should be wrapped (encrypted with another key), and then the
encrypted key might be extractable from the token. This policy varies across PKCS #11
tokens.
- ``translateKey`` tries two approaches to copying keys. First, it tries to copy the key
material directly using NSS calls to PKCS #11. If that fails, it calls ``getEncoded()`` on
the source key, and then tries to create a new key on the target token from the encoded
bits. Both of these operations will fail if the source key is not extractable.
- The class ``java.security.spec.PBEKeySpec`` in JDK versions earlier than 1.4 does not
contain the salt and iteration fields, which are necessary for PBE key generation. These
fields were added in JDK 1.4. If you are using a JDK (or JRE) version earlier than 1.4, you
cannot use class ``java.security.spec.PBEKeySpec``. Instead, you can use
``org.mozilla.jss.crypto.PBEKeyGenParams``. If you are using JDK (or JRE) 1.4 or later, you
can use ``java.security.spec.PBEKeySpec`` or ``org.mozilla.jss.crypto.PBEKeyGenParams``.
.. rubric:: SecretKey
:name: SecretKey_2
.. rubric:: Supported Algorithms
:name: supported_algorithms_8
.. rubric:: Notes
:name: notes_8
-
- AES
- DES
- DESede (*DES3* )
- HmacSHA1
- RC2
- RC4
- ``SecretKey`` is implemented by the class ``org.mozilla.jss.crypto.SecretKeyFacade``, which
acts as a wrapper around the JSS class ``SymmetricKey``. Any ``SecretKeys`` handled by JSS
will actually be ``SecretKeyFacades``. This should usually be transparent.
.. rubric:: SecureRandom
:name: SecureRandom_2
.. rubric:: Supported Algorithms
:name: supported_algorithms_9
.. rubric:: Notes
:name: notes_9
-
- pkcs11prng
- This invokes the NSS internal pseudorandom number generator.
.. rubric:: Signature
:name: Signature_2
.. rubric:: Supported Algorithms
:name: supported_algorithms_10
.. rubric:: Notes
:name: notes_10
-
- SHA1withDSA (*DSA, DSS, SHA/DSA, SHA-1/DSA, SHA1/DSA, DSAWithSHA1, SHAwithDSA* )
- SHA-1/RSA (*SHA1/RSA, SHA1withRSA* )
- MD5/RSA (*MD5withRSA* )
- MD2/RSA
- The ``SecureRandom`` argument passed to ``initSign()`` and ``initVerify()`` is ignored,
because NSS does not support specifying an external source of randomness.
+---------------------------------------------------------------------------------------------------+
| .. rubric:: Cipher |
| :name: Cipher_2 |
| |
| .. rubric:: Supported Algorithms |
| :name: supported_algorithms |
| |
| .. rubric:: Notes |
| :name: notes |
| |
| - |
| |
| - AES |
| - DES |
| - DESede (*DES3* ) |
| - RC2 |
| - RC4 |
| - RSA |
| |
| - The following modes and padding schemes are supported: |
| |
| |
| +------------------------------+------------------------------+------------------------------+ |
| |
| | Algorithm | Mode | Padding | |
| |
| +------------------------------+------------------------------+------------------------------+ |
| |
| | DES | ECB | NoPadding | |
| |
| +------------------------------+------------------------------+------------------------------+ |
| |
| | | CBC | NoPadding | |
| |
| +------------------------------+------------------------------+------------------------------+ |
| |
| | | | PKCS5 Padding | |
| |
| +------------------------------+------------------------------+------------------------------+ |
| |
| | DESede | ECB | NoPadding | |
| |
| | *DES3* | | | |
| |
| +------------------------------+------------------------------+------------------------------+ |
| |
| | | CBC | NoPadding | |
| |
| +------------------------------+------------------------------+------------------------------+ |
| |
| | | | PKCS5 Padding | |
| |
| +------------------------------+------------------------------+------------------------------+ |
| |
| | AES | ECB | NoPadding | |
| |
| +------------------------------+------------------------------+------------------------------+ |
| |
| | | CBC | NoPadding | |
| |
| +------------------------------+------------------------------+------------------------------+ |
| |
| | | | PKCS5 Padding | |
| |
| +------------------------------+------------------------------+------------------------------+ |
| |
| | RC4 | *None* | *None* | |
| |
| +------------------------------+------------------------------+------------------------------+ |
| |
| | RC2 | CBC | NoPadding | |
| |
| +------------------------------+------------------------------+------------------------------+ |
| |
| | | | PKCS5Padding | |
| |
| +------------------------------+------------------------------+------------------------------+ |
| |
| - The SecureRandom argument passed to ``initSign()`` and ``initVerify()`` is ignored, because |
| NSS does not support specifying an external source of randomness. |
+---------------------------------------------------------------------------------------------------+
| .. rubric:: DSAPrivateKey |
| :name: DSAPrivateKey_2 |
| |
| - ``getX()`` is not supported because NSS does not support extracting data from private keys. |
+---------------------------------------------------------------------------------------------------+
| .. rubric:: KeyFactory |
| :name: KeyFactory_2 |
| |
| .. rubric:: Supported Algorithms |
| :name: supported_algorithms_2 |
| |
| .. rubric:: Notes |
| :name: notes_2 |
| |
| - |
| |
| - DSA |
| - RSA |
| |
| - The following transformations are supported for ``generatePublic()`` and |
| ``generatePrivate()``: |
| |
| |
| +----------------------------------------------+----------------------------------------------+ |
| |
| | From | To | |
| |
| +----------------------------------------------+----------------------------------------------+ |
| |
| | ``RSAPublicKeySpec`` | ``RSAPublicKey`` | |
| |
| +----------------------------------------------+----------------------------------------------+ |
| |
| | ``DSAPublicKeySpec`` | ``DSAPublicKey`` | |
| |
| +----------------------------------------------+----------------------------------------------+ |
| |
| | ``X509EncodedKeySpec`` | ``RSAPublicKey`` | |
| |
| | | ``DSAPublicKey`` | |
| |
| +----------------------------------------------+----------------------------------------------+ |
| |
| | ``RSAPrivateCrtKeySpec`` | ``RSAPrivateKey`` | |
| |
| +----------------------------------------------+----------------------------------------------+ |
| |
| | ``DSAPrivateKeySpec`` | ``DSAPrivateKey`` | |
| |
| +----------------------------------------------+----------------------------------------------+ |
| |
| | ``PKCS8EncodedKeySpec`` | ``RSAPrivateKey`` | |
| |
| | | ``DSAPrivateKey`` | |
| |
| +----------------------------------------------+----------------------------------------------+ |
| |
| - ``getKeySpec()`` is not supported. This method exports key material in plaintext and is |
| therefore insecure. Note that a public key's data can be accessed directly from the key. |
| - ``translateKey()`` simply gets the encoded form of the given key and then tries to import |
| it by calling ``generatePublic()`` or ``generatePrivate()``. Only ``X509EncodedKeySpec`` is |
| supported for public keys, and only ``PKCS8EncodedKeySpec`` is supported for private keys. |
+---------------------------------------------------------------------------------------------------+
| .. rubric:: KeyGenerator |
| :name: KeyGenerator_2 |
| |
| .. rubric:: Supported Algorithms |
| :name: supported_algorithms_3 |
| |
| .. rubric:: Notes |
| :name: notes_3 |
| |
| - |
| |
| - AES |
| - DES |
| - DESede (*DES3* ) |
| - RC4 |
| |
| - The SecureRandom argument passed to ``init()`` is ignored, because NSS does not support |
| specifying an external source of randomness. |
| - None of the key generation algorithms accepts an ``AlgorithmParameterSpec``. |
+---------------------------------------------------------------------------------------------------+
| .. rubric:: KeyPairGenerator |
| :name: KeyPairGenerator_2 |
| |
| .. rubric:: Supported Algorithms |
| :name: supported_algorithms_4 |
| |
| .. rubric:: Notes |
| :name: notes_4 |
| |
| - |
| |
| - DSA |
| - RSA |
| |
| - The SecureRandom argument passed to initialize() is ignored, because NSS does not support |
| specifying an external source of randomness. |
+---------------------------------------------------------------------------------------------------+
| .. rubric:: Mac |
| :name: Mac_2 |
| |
| .. rubric:: Supported Algorithms |
| :name: supported_algorithms_5 |
| |
| .. rubric:: Notes |
| :name: notes_5 |
| |
| - |
| |
| - HmacSHA1 (*Hmac-SHA1* ) |
| |
| - Any secret key type (AES, DES, etc.) can be used as the MAC key, but it must be a JSS key. |
| That is, it must be an ``instanceof org.mozilla.jss.crypto.SecretKeyFacade``. |
| - The params passed to ``init()`` are ignored. |
+---------------------------------------------------------------------------------------------------+
| .. rubric:: MessageDigest |
| :name: MessageDigest_2 |
| |
| .. rubric:: Supported Algorithms |
| :name: supported_algorithms_6 |
| |
| - |
| |
| - MD5 |
| - MD2 |
| - SHA-1 (*SHA1, SHA* ) |
+---------------------------------------------------------------------------------------------------+
| .. rubric:: RSAPrivateKey |
| :name: RSAPrivateKey_2 |
| |
| .. rubric:: Notes |
| :name: notes_6 |
| |
| - |
| |
| - ``getModulus()`` is not supported because NSS does not support extracting data from private |
| keys. |
| - ``getPrivateExponent()`` is not supported because NSS does not support extracting data from |
| private keys. |
+---------------------------------------------------------------------------------------------------+
| .. rubric:: SecretKeyFactory |
| :name: SecretKeyFactory_2 |
| |
| .. rubric:: Supported Algorithms |
| :name: supported_algorithms_7 |
| |
| .. rubric:: Notes |
| :name: notes_7 |
| |
| - |
| |
| - AES |
| - DES |
| - DESede (*DES3* ) |
| - PBAHmacSHA1 |
| - PBEWithMD5AndDES |
| - PBEWithSHA1AndDES |
| - PBEWithSHA1AndDESede (*PBEWithSHA1AndDES3* ) |
| - PBEWithSHA1And128RC4 |
| - RC4 |
| |
| - ``generateSecret`` supports the following transformations: |
| |
| |
| +----------------------------------------------+----------------------------------------------+ |
| |
| | KeySpec Class | Key Algorithm | |
| |
| +----------------------------------------------+----------------------------------------------+ |
| |
| | PBEKeySpec | *Using the appropriate PBE algorithm:* | |
| |
| | org.mozilla.jss.crypto.PBEKeyGenParams | DES | |
| |
| | | DESede | |
| |
| | | RC4 | |
| |
| +----------------------------------------------+----------------------------------------------+ |
| |
| | DESedeKeySpec | DESede | |
| |
| +----------------------------------------------+----------------------------------------------+ |
| |
| | DESKeySpec | DES | |
| |
| +----------------------------------------------+----------------------------------------------+ |
| |
| | SecretKeySpec | AES | |
| |
| | | DES | |
| |
| | | DESede | |
| |
| | | RC4 | |
| |
| +----------------------------------------------+----------------------------------------------+ |
| |
| - ``getKeySpec`` supports the following transformations: |
| |
| |
| +----------------------------------------------+----------------------------------------------+ |
| |
| | Key Algorithm | KeySpec Class | |
| |
| +----------------------------------------------+----------------------------------------------+ |
| |
| | DESede | DESedeKeySpec | |
| |
| +----------------------------------------------+----------------------------------------------+ |
| |
| | DES | DESKeySpec | |
| |
| +----------------------------------------------+----------------------------------------------+ |
| |
| | DESede | SecretKeySpec | |
| |
| | DES | | |
| |
| | AES | | |
| |
| | RC4 | | |
| |
| +----------------------------------------------+----------------------------------------------+ |
| |
| - For increased security, some SecretKeys may not be extractable from their PKCS #11 token. |
| In this case, the key should be wrapped (encrypted with another key), and then the |
| encrypted key might be extractable from the token. This policy varies across PKCS #11 |
| tokens. |
| - ``translateKey`` tries two approaches to copying keys. First, it tries to copy the key |
| material directly using NSS calls to PKCS #11. If that fails, it calls ``getEncoded()`` on |
| the source key, and then tries to create a new key on the target token from the encoded |
| bits. Both of these operations will fail if the source key is not extractable. |
| - The class ``java.security.spec.PBEKeySpec`` in JDK versions earlier than 1.4 does not |
| contain the salt and iteration fields, which are necessary for PBE key generation. These |
| fields were added in JDK 1.4. If you are using a JDK (or JRE) version earlier than 1.4, you |
| cannot use class ``java.security.spec.PBEKeySpec``. Instead, you can use |
| ``org.mozilla.jss.crypto.PBEKeyGenParams``. If you are using JDK (or JRE) 1.4 or later, you |
| can use ``java.security.spec.PBEKeySpec`` or ``org.mozilla.jss.crypto.PBEKeyGenParams``. |
+---------------------------------------------------------------------------------------------------+
| .. rubric:: SecretKey |
| :name: SecretKey_2 |
| |
| .. rubric:: Supported Algorithms |
| :name: supported_algorithms_8 |
| |
| .. rubric:: Notes |
| :name: notes_8 |
| |
| - |
| |
| - AES |
| - DES |
| - DESede (*DES3* ) |
| - HmacSHA1 |
| - RC2 |
| - RC4 |
| |
| - ``SecretKey`` is implemented by the class ``org.mozilla.jss.crypto.SecretKeyFacade``, which |
| acts as a wrapper around the JSS class ``SymmetricKey``. Any ``SecretKeys`` handled by JSS |
| will actually be ``SecretKeyFacades``. This should usually be transparent. |
+---------------------------------------------------------------------------------------------------+
| .. rubric:: SecureRandom |
| :name: SecureRandom_2 |
| |
| .. rubric:: Supported Algorithms |
| :name: supported_algorithms_9 |
| |
| .. rubric:: Notes |
| :name: notes_9 |
| |
| - |
| |
| - pkcs11prng |
| |
| - This invokes the NSS internal pseudorandom number generator. |
+---------------------------------------------------------------------------------------------------+
| .. rubric:: Signature |
| :name: Signature_2 |
| |
| .. rubric:: Supported Algorithms |
| :name: supported_algorithms_10 |
| |
| .. rubric:: Notes |
| :name: notes_10 |
| |
| - |
| |
| - SHA1withDSA (*DSA, DSS, SHA/DSA, SHA-1/DSA, SHA1/DSA, DSAWithSHA1, SHAwithDSA* ) |
| - SHA-1/RSA (*SHA1/RSA, SHA1withRSA* ) |
| - MD5/RSA (*MD5withRSA* ) |
| - MD2/RSA |
| |
| - The ``SecureRandom`` argument passed to ``initSign()`` and ``initVerify()`` is ignored, |
| because NSS does not support specifying an external source of randomness. |
+---------------------------------------------------------------------------------------------------+

18
security/nss/doc/rst/releases/index.rst
View File

@ -8,9 +8,7 @@ Releases
:glob:
:hidden:
nss_3_88_1.rst
nss_3_88.rst
nss_3_87_1.rst
nss_3_87.rst
nss_3_86.rst
nss_3_85.rst
@ -19,8 +17,6 @@ Releases
nss_3_82.rst
nss_3_81.rst
nss_3_80.rst
nss_3_79_4.rst
nss_3_79_3.rst
nss_3_79_2.rst
nss_3_79_1.rst
nss_3_79.rst
@ -51,19 +47,15 @@ Releases
.. note::
**NSS 3.88.1** is the latest version of NSS.
Complete release notes are available here: :ref:`mozilla_projects_nss_nss_3_88_1_release_notes`
**NSS 3.88** is the latest version of NSS.
Complete release notes are available here: :ref:`mozilla_projects_nss_nss_3_88_release_notes`
**NSS 3.79.4** is the latest ESR version of NSS.
Complete release notes are available here: :ref:`mozilla_projects_nss_nss_3_79_4_release_notes`
**NSS 3.79.2** is the latest ESR version of NSS.
Complete release notes are available here: :ref:`mozilla_projects_nss_nss_3_79_2_release_notes`
.. container::
Changes in 3.88.1 included in this release:
- Bug 1804640 - improve handling of unknown PKCS#12 safe bag types.
Changes in 3.88 included in this release:
- Bug 1815870 - use a different treeherder symbol for each docker image build task.
@ -89,4 +81,4 @@ Releases
- Bug 1805907 - Extending RSA-PSS bltest test coverage (Adding SHA-256 and SHA-384)
- Bug 1804091 NSS needs to move off of DSA for integrity checks
- Bug 1805815 - Add initial testing with ACVP vector sets using acvp-rust
- Bug 1806369 - Don't clone libFuzzer, rely on clang instead
- Bug 1806369 - Don't clone libFuzzer, rely on clang instead

4
security/nss/doc/rst/releases/nss_3_69_1.rst
View File

@ -1,7 +1,7 @@
.. _mozilla_projects_nss_nss_3_69_1_release_notes:
NSS 3.69.1 release notes
========================
======================
`Introduction <#introduction>`__
--------------------------------
@ -29,7 +29,7 @@ NSS 3.69.1 release notes
.. _changes_3.69.1:
`Changes in NSS 3.69.1 <#changes_3.69.1>`__
-------------------------------------------
----------------------------------------------------
.. container::

4
security/nss/doc/rst/releases/nss_3_76_1.rst
View File

@ -1,7 +1,7 @@
.. _mozilla_projects_nss_nss_3_76_1_release_notes:
NSS 3.76.1 release notes
========================
======================
`Introduction <#introduction>`__
--------------------------------
@ -29,7 +29,7 @@ NSS 3.76.1 release notes
.. _changes_in_nss_3.76.1:
`Changes in NSS 3.76.1 <#changes_in_nss_3.76.1>`__
--------------------------------------------------
----------------------------------------------------
.. container::

2
security/nss/doc/rst/releases/nss_3_79.rst
View File

@ -30,7 +30,7 @@ NSS 3.79 release notes
.. _changes_in_nss_3.79:
`Changes in NSS 3.79 <#changes_in_nss_3.79>`__
----------------------------------------------
----------------------------------------------------
.. container::

4
security/nss/doc/rst/releases/nss_3_79_1.rst
View File

@ -1,7 +1,7 @@
.. _mozilla_projects_nss_nss_3_79_1_release_notes:
NSS 3.79.1 release notes
========================
======================
`Introduction <#introduction>`__
--------------------------------
@ -30,7 +30,7 @@ NSS 3.79.1 release notes
.. _changes_in_nss_3.79.1:
`Changes in NSS 3.79.1 <#changes_in_nss_3.79.1>`__
--------------------------------------------------
----------------------------------------------------
.. container::

4
security/nss/doc/rst/releases/nss_3_79_2.rst
View File

@ -1,7 +1,7 @@
.. _mozilla_projects_nss_nss_3_79_2_release_notes:
NSS 3.79.2 release notes
========================
======================
`Introduction <#introduction>`__
--------------------------------
@ -30,7 +30,7 @@ NSS 3.79.2 release notes
.. _changes_in_nss_3.79.2:
`Changes in NSS 3.79.2 <#changes_in_nss_3.79.2>`__
--------------------------------------------------
----------------------------------------------------
.. container::

4
security/nss/doc/rst/releases/nss_3_79_3.rst
View File

@ -1,7 +1,7 @@
.. _mozilla_projects_nss_nss_3_79_3_release_notes:
NSS 3.79.3 release notes
========================
======================
`Introduction <#introduction>`__
--------------------------------
@ -30,7 +30,7 @@ NSS 3.79.3 release notes
.. _changes_in_nss_3.79.3:
`Changes in NSS 3.79.3 <#changes_in_nss_3.79.3>`__
--------------------------------------------------
----------------------------------------------------
.. container::

58
security/nss/doc/rst/releases/nss_3_79_4.rst
View File

@ -1,58 +0,0 @@
.. _mozilla_projects_nss_nss_3_79_4_release_notes:
NSS 3.79.4 release notes
======================
`Introduction <#introduction>`__
--------------------------------
.. container::
Network Security Services (NSS) 3.79.4 was released on **9 February 2023**.
.. _distribution_information:
`Distribution Information <#distribution_information>`__
--------------------------------------------------------
.. container::
The HG tag is NSS_3_79_4_RTM. NSS 3.79.4 requires NSPR 4.34.1 or newer.
NSS 3.79.4 source distributions are available on ftp.mozilla.org for secure HTTPS download:
- Source tarballs:
https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_79_4_RTM/src/
Other releases are available :ref:`mozilla_projects_nss_releases`.
.. _changes_in_nss_3.79.4:
`Changes in NSS 3.79.4 <#changes_in_nss_3.79.4>`__
----------------------------------------------------
.. container::
- Bug 1804640 - improve handling of unknown PKCS#12 safe bag types.
`Compatibility <#compatibility>`__
----------------------------------
.. container::
NSS 3.79.4 shared libraries are backwards-compatible with all older NSS 3.x shared
libraries. A program linked with older NSS 3.x shared libraries will work with
this new version of the shared libraries without recompiling or
relinking. Furthermore, applications that restrict their use of NSS APIs to the
functions listed in NSS Public Functions will remain compatible with future
versions of the NSS shared libraries.
`Feedback <#feedback>`__
------------------------
.. container::
Bugs discovered should be reported by filing a bug report on
`bugzilla.mozilla.org <https://bugzilla.mozilla.org/enter_bug.cgi?product=NSS>`__ (product NSS).

57
security/nss/doc/rst/releases/nss_3_87_1.rst
View File

@ -1,57 +0,0 @@
.. _mozilla_projects_nss_nss_3_87_1_release_notes:
NSS 3.87.1 release notes
======================
`Introduction <#introduction>`__
--------------------------------
.. container::
Network Security Services (NSS) 3.87.1 was released on **9 February 2022**.
.. _distribution_information:
`Distribution Information <#distribution_information>`__
--------------------------------------------------------
.. container::
The HG tag is NSS_3_87_RTM. NSS 3.87 requires NSPR 4.35 or newer.
NSS 3.87.1 source distributions are available on ftp.mozilla.org for secure HTTPS download:
- Source tarballs:
https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_87_1_RTM/src/
Other releases are available :ref:`mozilla_projects_nss_releases`.
.. _changes_in_nss_3.87.1:
`Changes in NSS 3.87.1 <#changes_in_nss_3.87.1>`__
----------------------------------------------------
.. container::
- Bug 1804640 - improve handling of unknown PKCS#12 safe bag types.
`Compatibility <#compatibility>`__
----------------------------------
.. container::
NSS 3.87.1 shared libraries are backwards-compatible with all older NSS 3.x shared
libraries. A program linked with older NSS 3.x shared libraries will work with
this new version of the shared libraries without recompiling or
relinking. Furthermore, applications that restrict their use of NSS APIs to the
functions listed in NSS Public Functions will remain compatible with future
versions of the NSS shared libraries.
`Feedback <#feedback>`__
------------------------
.. container::
Bugs discovered should be reported by filing a bug report on
`bugzilla.mozilla.org <https://bugzilla.mozilla.org/enter_bug.cgi?product=NSS>`__ (product NSS).

4
security/nss/doc/rst/releases/nss_3_88_1.rst
View File

@ -1,7 +1,7 @@
.. _mozilla_projects_nss_nss_3_88_1_release_notes:
NSS 3.88.1 release notes
========================
======================
`Introduction <#introduction>`__
--------------------------------
@ -30,7 +30,7 @@ NSS 3.88.1 release notes
.. _changes_in_nss_3.88.1:
`Changes in NSS 3.88.1 <#changes_in_nss_3.88.1>`__
--------------------------------------------------
----------------------------------------------------
.. container::

1
security/nss/gtests/nss_bogo_shim/config.json
View File

@ -24,6 +24,7 @@
"*Ed25519*":"Add Ed25519 support (Bug 1325335)",
"*NoSSL3*":"Test passes but only because of handshake failure, NSS only rejects SSL3 immediately in TLS1.3 clients/servers.",
"GREASE-Server-TLS13":"NSS only supports ECH grease.",
"SendExtensionOnClientCertificate-TLS13":"Bug 1339392",
"CheckRecordVersion-TLS1":"NSS doesn't check record version field. Bug 1317634",
"CheckRecordVersion-TLS11":"NSS doesn't check record version field. Bug 1317634",

18
security/nss/gtests/nss_bogo_shim/nss_bogo_shim.cc
View File

@ -366,22 +366,6 @@ class TestAgent {
if (rv != SECSuccess) return false;
free(bin);
}
if (cfg_.get<bool>("enable-grease")) {
rv = SSL_OptionSet(ssl_fd_.get(), SSL_ENABLE_GREASE, PR_TRUE);
if (rv != SECSuccess) return false;
}
if (cfg_.get<bool>("permute-extensions")) {
rv = SSL_OptionSet(ssl_fd_.get(), SSL_ENABLE_CH_EXTENSION_PERMUTATION,
PR_TRUE);
if (rv != SECSuccess) return false;
}
} else {
// GREASE - BoGo expects servers to enable GREASE by default
rv = SSL_OptionSet(ssl_fd_.get(), SSL_ENABLE_GREASE, PR_TRUE);
if (rv != SECSuccess) return false;
}
rv = SSL_OptionSet(ssl_fd_.get(), SSL_ENABLE_EXTENDED_MASTER_SECRET,
@ -912,8 +896,6 @@ std::unique_ptr<const Config> ReadConfig(int argc, char** argv) {
cfg->AddEntry<bool>("expect-hrr", false);
cfg->AddEntry<bool>("enable-ech-grease", false);
cfg->AddEntry<bool>("enable-early-data", false);
cfg->AddEntry<bool>("enable-grease", false);
cfg->AddEntry<bool>("permute-extensions", false);
cfg->AddEntry<bool>("on-resume-expect-reject-early-data", false);
cfg->AddEntry<bool>("on-resume-expect-accept-early-data", false);
cfg->AddEntry<bool>("expect-ticket-supports-early-data", false);

21
security/nss/gtests/ssl_gtest/ssl_auth_unittest.cc
View File

@ -999,6 +999,27 @@ TEST_P(TlsConnectClientAuth12, ClientAuthBigRsaCheckSigAlg) {
2048);
}
// Replaces the signature scheme in a CertificateVerify message.
class TlsReplaceSignatureSchemeFilter : public TlsHandshakeFilter {
public:
TlsReplaceSignatureSchemeFilter(const std::shared_ptr<TlsAgent>& a,
SSLSignatureScheme scheme)
: TlsHandshakeFilter(a, {kTlsHandshakeCertificateVerify}),
scheme_(scheme) {}
protected:
virtual PacketFilter::Action FilterHandshake(const HandshakeHeader& header,
const DataBuffer& input,
DataBuffer* output) {
*output = input;
output->Write(0, scheme_, 2);
return CHANGE;
}
private:
SSLSignatureScheme scheme_;
};
// Check if CertificateVerify signed with rsa_pss_rsae_* is properly
// rejected when the certificate is RSA-PSS.
//

31
security/nss/gtests/ssl_gtest/ssl_dhe_unittest.cc
View File

@ -643,6 +643,37 @@ TEST_P(TlsConnectGenericPre13, InvalidDERSignatureFfdhe) {
client_->CheckErrorCode(SSL_ERROR_BAD_HANDSHAKE_HASH_VALUE);
}
// Replace SignatureAndHashAlgorithm of a SKE.
class DHEServerKEXSigAlgReplacer : public TlsHandshakeFilter {
public:
DHEServerKEXSigAlgReplacer(const std::shared_ptr<TlsAgent>& server,
SSLSignatureScheme sig_scheme)
: TlsHandshakeFilter(server, {kTlsHandshakeServerKeyExchange}),
sig_scheme_(sig_scheme) {}
protected:
virtual PacketFilter::Action FilterHandshake(const HandshakeHeader& header,
const DataBuffer& input,
DataBuffer* output) {
*output = input;
uint32_t len;
uint32_t idx = 0;
EXPECT_TRUE(output->Read(idx, 2, &len));
idx += 2 + len;
EXPECT_TRUE(output->Read(idx, 2, &len));
idx += 2 + len;
EXPECT_TRUE(output->Read(idx, 2, &len));
idx += 2 + len;
output->Write(idx, sig_scheme_, 2);
return CHANGE;
}
private:
SSLSignatureScheme sig_scheme_;
};
TEST_P(TlsConnectTls12, ConnectInconsistentSigAlgDHE) {
EnableOnlyDheCiphers();

25
security/nss/gtests/ssl_gtest/ssl_ecdh_unittest.cc
View File

@ -620,6 +620,31 @@ TEST_P(TlsConnectGenericPre13, ConnectUnsupportedPointFormat) {
client_->CheckErrorCode(SEC_ERROR_UNSUPPORTED_EC_POINT_FORM);
}
// Replace SignatureAndHashAlgorithm of a SKE.
class ECCServerKEXSigAlgReplacer : public TlsHandshakeFilter {
public:
ECCServerKEXSigAlgReplacer(const std::shared_ptr<TlsAgent> &server,
SSLSignatureScheme sig_scheme)
: TlsHandshakeFilter(server, {kTlsHandshakeServerKeyExchange}),
sig_scheme_(sig_scheme) {}
protected:
virtual PacketFilter::Action FilterHandshake(const HandshakeHeader &header,
const DataBuffer &input,
DataBuffer *output) {
*output = input;
uint32_t point_len;
EXPECT_TRUE(output->Read(3, 1, &point_len));
output->Write(4 + point_len, sig_scheme_, 2);
return CHANGE;
}
private:
SSLSignatureScheme sig_scheme_;
};
TEST_P(TlsConnectTls12, ConnectUnsupportedSigAlg) {
EnsureTlsSetup();
client_->DisableAllCiphers();

101
security/nss/gtests/ssl_gtest/ssl_extension_unittest.cc
View File

@ -1357,107 +1357,6 @@ TEST_F(TlsConnectDatagram13, Dtls13RejectLegacyCookie) {
client_->CheckErrorCode(SSL_ERROR_ILLEGAL_PARAMETER_ALERT);
}
TEST_P(TlsConnectGeneric, ClientHelloExtensionPermutation) {
EnsureTlsSetup();
PR_ASSERT(SSL_OptionSet(client_->ssl_fd(),
SSL_ENABLE_CH_EXTENSION_PERMUTATION,
PR_TRUE) == SECSuccess);
Connect();
}
TEST_F(TlsConnectStreamTls13, ClientHelloExtensionPermutationWithPSK) {
EnsureTlsSetup();
ScopedPK11SlotInfo slot(PK11_GetInternalSlot());
const uint8_t kPskDummyVal_[16] = {0x01, 0x02, 0x03, 0x04, 0x05,
0x06, 0x07, 0x08, 0x09, 0x0a,
0x0b, 0x0c, 0x0d, 0x0e, 0x0f};
SECItem psk_item;
psk_item.type = siBuffer;
psk_item.len = sizeof(kPskDummyVal_);
psk_item.data = const_cast<uint8_t*>(kPskDummyVal_);
PK11SymKey* key =
PK11_ImportSymKey(slot.get(), CKM_HKDF_KEY_GEN, PK11_OriginUnwrap,
CKA_DERIVE, &psk_item, NULL);
ScopedPK11SymKey scoped_psk_(key);
const std::string kPskDummyLabel_ = "NSS PSK GTEST label";
const SSLHashType kPskHash_ = ssl_hash_sha384;
AddPsk(scoped_psk_, kPskDummyLabel_, kPskHash_);
PR_ASSERT(SSL_OptionSet(client_->ssl_fd(),
SSL_ENABLE_CH_EXTENSION_PERMUTATION,
PR_TRUE) == SECSuccess);
Connect();
SendReceive();
CheckKeys(ssl_kea_ecdh, ssl_grp_ec_curve25519, ssl_auth_psk, ssl_sig_none);
}
/* This test checks that the ClientHello extension order is actually permuted
* if ss->opt.chXtnPermutation is set. It is asserted that at least one out of
* 10 extension orders differs from the others.
*
* This is a probabilistic test: The default TLS 1.3 ClientHello contains 8
* extensions, leading to a 1/8! probability for any extension order and the
* same probability for two drawn extension orders to coincide.
* Since all sequences are compared against each other this leads to a false
* positive rate of (1/8!)^(n^2-n).
* To achieve a spurious failure rate << 1/2^64, we compare n=10 drawn orders.
*
* This test assures that randomisation is happening but does not check quality
* of the used Fisher-Yates shuffle. */
TEST_F(TlsConnectStreamTls13,
ClientHelloExtensionPermutationProbabilisticTest) {
std::vector<std::vector<uint16_t>> orders;
/* Capture the extension order of 10 ClientHello messages. */
for (size_t i = 0; i < 10; i++) {
client_->StartConnect();
/* Enable ClientHello extension permutation. */
PR_ASSERT(SSL_OptionSet(client_->ssl_fd(),
SSL_ENABLE_CH_EXTENSION_PERMUTATION,
PR_TRUE) == SECSuccess);
/* Capture extension order filter. */
auto filter = MakeTlsFilter<TlsExtensionOrderCapture>(
client_, kTlsHandshakeClientHello);
/* Send ClientHello. */
client_->Handshake();
/* Remember extension order. */
orders.push_back(filter->order);
/* Reset client / server state. */
Reset();
}
/* Check for extension order inequality. */
size_t inequal = 0;
for (auto& outerOrders : orders) {
for (auto& innerOrders : orders) {
if (outerOrders != innerOrders) {
inequal++;
}
}
}
PR_ASSERT(inequal >= 1);
}
// The certificate_authorities xtn can be included in a ClientHello [RFC 8446,
// Section 4.2]
TEST_F(TlsConnectStreamTls13, ClientHelloCertAuthXtnToleration) {
EnsureTlsSetup();
uint8_t bodyBuf[3] = {0x00, 0x01, 0xff};
DataBuffer body(bodyBuf, sizeof(bodyBuf));
auto ch = MakeTlsFilter<TlsExtensionAppender>(
client_, kTlsHandshakeClientHello, ssl_tls13_certificate_authorities_xtn,
body);
// The Connection will fail because the added extension isn't in the client's
// transcript not because the extension is unsupported (Bug 1815167).
server_->ExpectSendAlert(bad_record_mac);
client_->ExpectSendAlert(bad_record_mac);
ConnectExpectFail();
server_->CheckErrorCode(SSL_ERROR_BAD_MAC_READ);
client_->CheckErrorCode(SSL_ERROR_BAD_MAC_READ);
}
INSTANTIATE_TEST_SUITE_P(
ExtensionStream, TlsExtensionTestGeneric,
::testing::Combine(TlsConnectTestBase::kTlsVariantsStream,

3
security/nss/gtests/ssl_gtest/ssl_gtest.gyp
View File

@ -58,8 +58,7 @@
'tls_ech_unittest.cc',
'tls_protect.cc',
'tls_psk_unittest.cc',
'tls_subcerts_unittest.cc',
'tls_grease_unittest.cc'
'tls_subcerts_unittest.cc'
],
'dependencies': [
'<(DEPTH)/exports.gyp:nss_exports',

25
security/nss/gtests/ssl_gtest/ssl_version_unittest.cc
View File

@ -60,8 +60,8 @@ TEST_F(TlsConnectTest, TestDowngradeDetectionToTls11) {
server_->SetVersionRange(SSL_LIBRARY_VERSION_TLS_1_0,
SSL_LIBRARY_VERSION_TLS_1_2);
client_->SetOption(SSL_ENABLE_HELLO_DOWNGRADE_CHECK, PR_TRUE);
MakeTlsFilter<TlsMessageVersionSetter>(client_, kTlsHandshakeClientHello,
SSL_LIBRARY_VERSION_TLS_1_1);
MakeTlsFilter<TlsClientHelloVersionSetter>(client_,
SSL_LIBRARY_VERSION_TLS_1_1);
ConnectExpectAlert(client_, kTlsAlertIllegalParameter);
client_->CheckErrorCode(SSL_ERROR_RX_MALFORMED_SERVER_HELLO);
server_->CheckErrorCode(SSL_ERROR_ILLEGAL_PARAMETER_ALERT);
@ -69,8 +69,7 @@ TEST_F(TlsConnectTest, TestDowngradeDetectionToTls11) {
// Attempt to negotiate the bogus DTLS 1.1 version.
TEST_F(DtlsConnectTest, TestDtlsVersion11) {
MakeTlsFilter<TlsMessageVersionSetter>(client_, kTlsHandshakeClientHello,
((~0x0101) & 0xffff));
MakeTlsFilter<TlsClientHelloVersionSetter>(client_, ((~0x0101) & 0xffff));
ConnectExpectAlert(server_, kTlsAlertProtocolVersion);
client_->CheckErrorCode(SSL_ERROR_PROTOCOL_VERSION_ALERT);
server_->CheckErrorCode(SSL_ERROR_UNSUPPORTED_VERSION);
@ -161,8 +160,8 @@ TEST_P(TlsDowngradeTest, TlsDowngradeSentinelTest) {
TEST_F(TlsConnectTest, TestDowngradeDetectionToTls10) {
// Setting the option here has no effect.
client_->SetOption(SSL_ENABLE_HELLO_DOWNGRADE_CHECK, PR_TRUE);
MakeTlsFilter<TlsMessageVersionSetter>(client_, kTlsHandshakeClientHello,
SSL_LIBRARY_VERSION_TLS_1_0);
MakeTlsFilter<TlsClientHelloVersionSetter>(client_,
SSL_LIBRARY_VERSION_TLS_1_0);
client_->SetVersionRange(SSL_LIBRARY_VERSION_TLS_1_0,
SSL_LIBRARY_VERSION_TLS_1_1);
server_->SetVersionRange(SSL_LIBRARY_VERSION_TLS_1_0,
@ -276,8 +275,8 @@ class Tls13NoSupportedVersions : public TlsConnectStreamTls12 {
client_->SetVersionRange(SSL_LIBRARY_VERSION_TLS_1_2,
SSL_LIBRARY_VERSION_TLS_1_2);
server_->SetVersionRange(SSL_LIBRARY_VERSION_TLS_1_2, max_server_version);
MakeTlsFilter<TlsMessageVersionSetter>(client_, kTlsHandshakeClientHello,
overwritten_client_version);
MakeTlsFilter<TlsClientHelloVersionSetter>(client_,
overwritten_client_version);
auto capture =
MakeTlsFilter<TlsHandshakeRecorder>(server_, kTlsHandshakeServerHello);
ConnectExpectAlert(server_, kTlsAlertDecryptError);
@ -311,8 +310,8 @@ TEST_F(Tls13NoSupportedVersions,
// Offer 1.3 but with ClientHello.legacy_version == TLS 1.4. This
// causes a bad MAC error when we read EncryptedExtensions.
TEST_F(TlsConnectStreamTls13, Tls14ClientHelloWithSupportedVersions) {
MakeTlsFilter<TlsMessageVersionSetter>(client_, kTlsHandshakeClientHello,
SSL_LIBRARY_VERSION_TLS_1_3 + 1);
MakeTlsFilter<TlsClientHelloVersionSetter>(client_,
SSL_LIBRARY_VERSION_TLS_1_3 + 1);
auto capture = MakeTlsFilter<TlsExtensionCapture>(
server_, ssl_tls13_supported_versions_xtn);
client_->ExpectSendAlert(kTlsAlertBadRecordMac);
@ -331,14 +330,12 @@ TEST_F(TlsConnectStreamTls13, Tls14ClientHelloWithSupportedVersions) {
// Offer 1.3 but with Server/ClientHello.legacy_version == SSL 3.0. This
// causes a protocol version alert. See RFC 8446 Appendix D.5.
TEST_F(TlsConnectStreamTls13, Ssl30ClientHelloWithSupportedVersions) {
MakeTlsFilter<TlsMessageVersionSetter>(client_, kTlsHandshakeClientHello,
SSL_LIBRARY_VERSION_3_0);
MakeTlsFilter<TlsClientHelloVersionSetter>(client_, SSL_LIBRARY_VERSION_3_0);
ConnectExpectAlert(server_, kTlsAlertProtocolVersion);
}
TEST_F(TlsConnectStreamTls13, Ssl30ServerHelloWithSupportedVersions) {
MakeTlsFilter<TlsMessageVersionSetter>(server_, kTlsHandshakeServerHello,
SSL_LIBRARY_VERSION_3_0);
MakeTlsFilter<TlsServerHelloVersionSetter>(server_, SSL_LIBRARY_VERSION_3_0);
StartConnect();
client_->ExpectSendAlert(kTlsAlertProtocolVersion);
/* Since the handshake is not finished the client will send an unencrypted

22
security/nss/gtests/ssl_gtest/tls_ech_unittest.cc
View File

@ -2884,28 +2884,6 @@ TEST_F(TlsConnectStreamTls13Ech, EchPublicNameNotLdh) {
ValidatePublicNames(kNotLdh, SECFailure);
}
TEST_F(TlsConnectStreamTls13, EchClientHelloExtensionPermutation) {
EnsureTlsSetup();
PR_ASSERT(SSL_OptionSet(client_->ssl_fd(),
SSL_ENABLE_CH_EXTENSION_PERMUTATION,
PR_TRUE) == SECSuccess);
SetupEch(client_, server_);
client_->ExpectEch();
server_->ExpectEch();
Connect();
}
TEST_F(TlsConnectStreamTls13, EchGreaseClientHelloExtensionPermutation) {
EnsureTlsSetup();
PR_ASSERT(SSL_OptionSet(client_->ssl_fd(),
SSL_ENABLE_CH_EXTENSION_PERMUTATION,
PR_TRUE) == SECSuccess);
PR_ASSERT(SSL_EnableTls13GreaseEch(client_->ssl_fd(), PR_FALSE) ==
SECSuccess);
Connect();
}
INSTANTIATE_TEST_SUITE_P(EchAgentTest, TlsAgentEchTest,
::testing::Combine(TlsConnectTestBase::kTlsVariantsAll,
TlsConnectTestBase::kTlsV13));

38
security/nss/gtests/ssl_gtest/tls_filter.cc
View File

@ -1015,12 +1015,6 @@ PacketFilter::Action TlsExtensionFilter::FilterExtensions(
return KEEP;
}
PacketFilter::Action TlsExtensionOrderCapture::FilterExtension(
uint16_t extension_type, const DataBuffer& input, DataBuffer* output) {
order.push_back(extension_type);
return KEEP;
}
PacketFilter::Action TlsExtensionCapture::FilterExtension(
uint16_t extension_type, const DataBuffer& input, DataBuffer* output) {
if (extension_type == extension_ && (last_ || !captured_)) {
@ -1205,7 +1199,15 @@ PacketFilter::Action SelectiveRecordDropFilter::FilterRecord(
return pattern;
}
PacketFilter::Action TlsMessageVersionSetter::FilterHandshake(
PacketFilter::Action TlsClientHelloVersionSetter::FilterHandshake(
const HandshakeHeader& header, const DataBuffer& input,
DataBuffer* output) {
*output = input;
output->Write(0, version_, 2);
return CHANGE;
}
PacketFilter::Action TlsServerHelloVersionSetter::FilterHandshake(
const HandshakeHeader& header, const DataBuffer& input,
DataBuffer* output) {
*output = input;
@ -1268,26 +1270,4 @@ PacketFilter::Action ClientHelloPreambleCapture::FilterHandshake(
return KEEP;
}
PacketFilter::Action ClientHelloCiphersuiteCapture::FilterHandshake(
const HandshakeHeader& header, const DataBuffer& input,
DataBuffer* output) {
EXPECT_TRUE(header.handshake_type() == kTlsHandshakeClientHello);
if (captured_) {
return KEEP;
}
captured_ = true;
TlsParser parser(input);
EXPECT_TRUE(parser.Skip(2 + 32)); // Version + Random
EXPECT_TRUE(parser.SkipVariable(1)); // Session ID
if (is_dtls_agent()) {
EXPECT_TRUE(parser.SkipVariable(1)); // Cookie
}
EXPECT_TRUE(parser.ReadVariable(&data_, 2)); // Ciphersuites
return KEEP;
}
} // namespace nss_test

165
security/nss/gtests/ssl_gtest/tls_filter.h
View File

@ -488,19 +488,6 @@ class TlsExtensionFilter : public TlsHandshakeFilter {
DataBuffer* output);
};
class TlsExtensionOrderCapture : public TlsExtensionFilter {
public:
TlsExtensionOrderCapture(const std::shared_ptr<TlsAgent>& a, uint8_t message)
: TlsExtensionFilter(a, {message}){};
std::vector<uint16_t> order;
protected:
PacketFilter::Action FilterExtension(uint16_t extension_type,
const DataBuffer& input,
DataBuffer* output) override;
};
class TlsExtensionCapture : public TlsExtensionFilter {
public:
TlsExtensionCapture(const std::shared_ptr<TlsAgent>& a, uint16_t ext,
@ -797,16 +784,27 @@ class SelectiveRecordDropFilter : public TlsRecordFilter {
uint8_t counter_;
};
// Set the version value in the ClientHello, ServerHello or HelloRetryRequest
class TlsMessageVersionSetter : public TlsHandshakeFilter {
// Set the version number in the ClientHello.
class TlsClientHelloVersionSetter : public TlsHandshakeFilter {
public:
TlsMessageVersionSetter(const std::shared_ptr<TlsAgent>& a, uint8_t message,
uint16_t version)
: TlsHandshakeFilter(a, {message}), version_(version) {
PR_ASSERT(message == kTlsHandshakeClientHello ||
message == kTlsHandshakeServerHello ||
message == kTlsHandshakeHelloRetryRequest);
}
TlsClientHelloVersionSetter(const std::shared_ptr<TlsAgent>& a,
uint16_t version)
: TlsHandshakeFilter(a, {kTlsHandshakeClientHello}), version_(version) {}
virtual PacketFilter::Action FilterHandshake(const HandshakeHeader& header,
const DataBuffer& input,
DataBuffer* output);
private:
uint16_t version_;
};
// Set the version number in the ServerHello.
class TlsServerHelloVersionSetter : public TlsHandshakeFilter {
public:
TlsServerHelloVersionSetter(const std::shared_ptr<TlsAgent>& a,
uint16_t version)
: TlsHandshakeFilter(a, {kTlsHandshakeServerHello}), version_(version) {}
virtual PacketFilter::Action FilterHandshake(const HandshakeHeader& header,
const DataBuffer& input,
@ -874,26 +872,6 @@ class ClientHelloPreambleCapture : public TlsHandshakeFilter {
DataBuffer data_;
};
class ClientHelloCiphersuiteCapture : public TlsHandshakeFilter {
public:
ClientHelloCiphersuiteCapture(const std::shared_ptr<TlsAgent>& a)
: TlsHandshakeFilter(a, {kTlsHandshakeClientHello}),
captured_(false),
data_() {}
const DataBuffer& contents() const { return data_; }
bool captured() const { return captured_; }
protected:
PacketFilter::Action FilterHandshake(const HandshakeHeader& header,
const DataBuffer& input,
DataBuffer* output) override;
private:
bool captured_;
DataBuffer data_;
};
class ServerHelloRandomChanger : public TlsHandshakeFilter {
public:
ServerHelloRandomChanger(const std::shared_ptr<TlsAgent>& a)
@ -905,109 +883,6 @@ class ServerHelloRandomChanger : public TlsHandshakeFilter {
DataBuffer* output) override;
};
// Replace SignatureAndHashAlgorithm of a SKE.
class DHEServerKEXSigAlgReplacer : public TlsHandshakeFilter {
public:
DHEServerKEXSigAlgReplacer(const std::shared_ptr<TlsAgent>& server,
uint16_t sig_scheme)
: TlsHandshakeFilter(server, {kTlsHandshakeServerKeyExchange}),
sig_scheme_(sig_scheme) {}
protected:
virtual PacketFilter::Action FilterHandshake(const HandshakeHeader& header,
const DataBuffer& input,
DataBuffer* output) {
*output = input;
uint32_t len;
uint32_t idx = 0;
EXPECT_TRUE(output->Read(idx, 2, &len));
idx += 2 + len;
EXPECT_TRUE(output->Read(idx, 2, &len));
idx += 2 + len;
EXPECT_TRUE(output->Read(idx, 2, &len));
idx += 2 + len;
output->Write(idx, sig_scheme_, 2);
return CHANGE;
}
private:
uint16_t sig_scheme_;
};
// Replace SignatureAndHashAlgorithm of a SKE.
class ECCServerKEXSigAlgReplacer : public TlsHandshakeFilter {
public:
ECCServerKEXSigAlgReplacer(const std::shared_ptr<TlsAgent>& server,
uint16_t sig_scheme)
: TlsHandshakeFilter(server, {kTlsHandshakeServerKeyExchange}),
sig_scheme_(sig_scheme) {}
protected:
virtual PacketFilter::Action FilterHandshake(const HandshakeHeader& header,
const DataBuffer& input,
DataBuffer* output) {
*output = input;
uint32_t point_len;
EXPECT_TRUE(output->Read(3, 1, &point_len));
output->Write(4 + point_len, sig_scheme_, 2);
return CHANGE;
}
private:
uint16_t sig_scheme_;
};
// Replace NamedCurve of a ECDHE SKE.
class ECCServerKEXNamedCurveReplacer : public TlsHandshakeFilter {
public:
ECCServerKEXNamedCurveReplacer(const std::shared_ptr<TlsAgent>& server,
uint16_t curve_name)
: TlsHandshakeFilter(server, {kTlsHandshakeServerKeyExchange}),
curve_name_(curve_name) {}
protected:
virtual PacketFilter::Action FilterHandshake(const HandshakeHeader& header,
const DataBuffer& input,
DataBuffer* output) {
*output = input;
uint32_t curve_type;
EXPECT_TRUE(output->Read(0, 1, &curve_type));
EXPECT_EQ(curve_type, ec_type_named);
output->Write(1, curve_name_, 2);
return CHANGE;
}
private:
uint16_t curve_name_;
};
// Replaces the signature scheme in a CertificateVerify message.
class TlsReplaceSignatureSchemeFilter : public TlsHandshakeFilter {
public:
TlsReplaceSignatureSchemeFilter(const std::shared_ptr<TlsAgent>& a,
uint16_t scheme)
: TlsHandshakeFilter(a, {kTlsHandshakeCertificateVerify}),
scheme_(scheme) {}
protected:
virtual PacketFilter::Action FilterHandshake(const HandshakeHeader& header,
const DataBuffer& input,
DataBuffer* output) {
*output = input;
output->Write(0, scheme_, 2);
return CHANGE;
}
private:
uint16_t scheme_;
};
} // namespace nss_test
#endif

878
security/nss/gtests/ssl_gtest/tls_grease_unittest.cc
View File

@ -1,878 +0,0 @@
/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
/* vim: set ts=2 et sw=2 tw=80: */
/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this file,
* You can obtain one at http://mozilla.org/MPL/2.0/. */
#include "secerr.h"
#include "ssl.h"
#include "gtest_utils.h"
#include "tls_connect.h"
#include "util.h"
namespace nss_test {
const uint8_t kTlsGreaseExtensionMessages[] = {kTlsHandshakeEncryptedExtensions,
kTlsHandshakeCertificate};
const uint16_t kTlsGreaseValues[] = {
0x0a0a, 0x1a1a, 0x2a2a, 0x3a3a, 0x4a4a, 0x5a5a, 0x6a6a, 0x7a7a,
0x8a8a, 0x9a9a, 0xaaaa, 0xbaba, 0xcaca, 0xdada, 0xeaea, 0xfafa};
const uint8_t kTlsGreasePskValues[] = {0x0B, 0x2A, 0x49, 0x68,
0x87, 0xA6, 0xC5, 0xE4};
size_t countGreaseInBuffer(const DataBuffer& list) {
if (!list.len()) {
return 0;
}
size_t occurrence = 0;
for (uint16_t greaseVal : kTlsGreaseValues) {
for (size_t i = 0; i < (list.len() - 1); i += 2) {
uint16_t sample = list.data()[i + 1] + (list.data()[i] << 8);
if (greaseVal == sample) {
occurrence++;
}
}
}
return occurrence;
}
class GreasePresenceAbsenceTestBase : public TlsConnectTestBase {
public:
GreasePresenceAbsenceTestBase(SSLProtocolVariant variant, uint16_t version,
bool shouldGrease)
: TlsConnectTestBase(variant, version), set_grease_(shouldGrease){};
void SetupGrease() {
EnsureTlsSetup();
ASSERT_EQ(SSL_OptionSet(client_->ssl_fd(), SSL_ENABLE_GREASE, set_grease_),
SECSuccess);
ASSERT_EQ(SSL_OptionSet(server_->ssl_fd(), SSL_ENABLE_GREASE, set_grease_),
SECSuccess);
}
bool expectGrease() {
return set_grease_ && version_ >= SSL_LIBRARY_VERSION_TLS_1_3;
}
void checkGreasePresence(const int ifEnabled, const int ifDisabled,
const DataBuffer& buffer) {
size_t expected = expectGrease() ? size_t(ifEnabled) : size_t(ifDisabled);
EXPECT_EQ(expected, countGreaseInBuffer(buffer));
}
private:
bool set_grease_;
};
class GreasePresenceAbsenceTestAllVersions
: public GreasePresenceAbsenceTestBase,
public ::testing::WithParamInterface<
std::tuple<SSLProtocolVariant, uint16_t, bool>> {
public:
GreasePresenceAbsenceTestAllVersions()
: GreasePresenceAbsenceTestBase(std::get<0>(GetParam()),
std::get<1>(GetParam()),
std::get<2>(GetParam())){};
};
// Varies stream/datagram, TLS Version and whether GREASE is enabled
INSTANTIATE_TEST_SUITE_P(GreaseTests, GreasePresenceAbsenceTestAllVersions,
::testing::Combine(TlsConnectTestBase::kTlsVariantsAll,
TlsConnectTestBase::kTlsV11Plus,
::testing::Values(true, false)));
// Varies whether GREASE is enabled for TLS13 only
class GreasePresenceAbsenceTestTlsStream13
: public GreasePresenceAbsenceTestBase,
public ::testing::WithParamInterface<bool> {
public:
GreasePresenceAbsenceTestTlsStream13()
: GreasePresenceAbsenceTestBase(
ssl_variant_stream, SSL_LIBRARY_VERSION_TLS_1_3, GetParam()){};
};
INSTANTIATE_TEST_SUITE_P(GreaseTests, GreasePresenceAbsenceTestTlsStream13,
::testing::Values(true, false));
// These tests check for the presence / absence of GREASE values in the various
// positions that we are permitted to add them. For positions which existed in
// prior versions of TLS, we check that enabling GREASE is only effective when
// negotiating TLS1.3 or higher and that disabling GREASE results in the absence
// of any GREASE values.
// For positions that specific to TLS1.3, we only check that enabling/disabling
// GREASE results in the correct presence/absence of the GREASE value.
TEST_P(GreasePresenceAbsenceTestAllVersions, ClientGreaseCiphersuites) {
SetupGrease();
auto ch1 = MakeTlsFilter<ClientHelloCiphersuiteCapture>(client_);
Connect();
EXPECT_TRUE(ch1->captured());
checkGreasePresence(1, 0, ch1->contents());
}
TEST_P(GreasePresenceAbsenceTestAllVersions, ClientGreaseNamedGroups) {
SetupGrease();
auto ch1 =
MakeTlsFilter<TlsExtensionCapture>(client_, ssl_supported_groups_xtn);
Connect();
EXPECT_TRUE(ch1->captured());
checkGreasePresence(1, 0, ch1->extension());
}
TEST_P(GreasePresenceAbsenceTestAllVersions, ClientGreaseKeyShare) {
SetupGrease();
auto ch1 =
MakeTlsFilter<TlsExtensionCapture>(client_, ssl_tls13_key_share_xtn);
Connect();
EXPECT_TRUE((version_ >= SSL_LIBRARY_VERSION_TLS_1_3) == ch1->captured());
checkGreasePresence(1, 0, ch1->extension());
}
TEST_P(GreasePresenceAbsenceTestAllVersions, ClientGreaseSigAlg) {
SetupGrease();
auto ch1 =
MakeTlsFilter<TlsExtensionCapture>(client_, ssl_signature_algorithms_xtn);
Connect();
EXPECT_TRUE((version_ >= SSL_LIBRARY_VERSION_TLS_1_2) == ch1->captured());
checkGreasePresence(1, 0, ch1->extension());
}
TEST_P(GreasePresenceAbsenceTestAllVersions, ClientGreaseSupportedVersions) {
SetupGrease();
auto ch1 = MakeTlsFilter<TlsExtensionCapture>(
client_, ssl_tls13_supported_versions_xtn);
Connect();
EXPECT_TRUE((version_ >= SSL_LIBRARY_VERSION_TLS_1_3) == ch1->captured());
// Supported Versions have a 1 byte length field.
TlsParser extParser(ch1->extension());
DataBuffer versions;
extParser.ReadVariable(&versions, 1);
checkGreasePresence(1, 0, versions);
}
TEST_P(GreasePresenceAbsenceTestTlsStream13, ClientGreasePskExchange) {
SetupGrease();
auto ch1 = MakeTlsFilter<TlsExtensionCapture>(
client_, ssl_tls13_psk_key_exchange_modes_xtn);
Connect();
EXPECT_TRUE(ch1->captured());
// PSK Exchange Modes have a 1 byte length field
TlsParser extParser(ch1->extension());
DataBuffer modes;
extParser.ReadVariable(&modes, 1);
// Scan for single byte GREASE PSK Values
size_t numGrease = 0;
for (uint8_t greaseVal : kTlsGreasePskValues) {
for (unsigned long i = 0; i < modes.len(); i++) {
if (greaseVal == modes.data()[i]) {
numGrease++;
}
}
}
EXPECT_EQ(expectGrease() ? size_t(1) : size_t(0), numGrease);
}
TEST_P(GreasePresenceAbsenceTestAllVersions, ClientGreaseAlpn) {
SetupGrease();
EnableAlpn();
auto ch1 =
MakeTlsFilter<TlsExtensionCapture>(client_, ssl_app_layer_protocol_xtn);
Connect();
EXPECT_TRUE((version_ >= SSL_LIBRARY_VERSION_TLS_1_1) == ch1->captured());
// ALPN Xtns have a redundant two-byte length
TlsParser alpnParser(ch1->extension());
alpnParser.Skip(2); // Skip the length
DataBuffer alpnEntry;
// Each ALPN entry has a single byte length prefixed.
size_t greaseAlpnEntrys = 0;
while (alpnParser.remaining()) {
alpnParser.ReadVariable(&alpnEntry, 1);
if (alpnEntry.len() == 2) {
greaseAlpnEntrys += countGreaseInBuffer(alpnEntry);
}
}
EXPECT_EQ(expectGrease() ? size_t(1) : size_t(0), greaseAlpnEntrys);
}
TEST_P(GreasePresenceAbsenceTestAllVersions, GreaseClientHelloExtension) {
SetupGrease();
auto ch1 =
MakeTlsFilter<TlsHandshakeRecorder>(client_, kTlsHandshakeClientHello);
Connect();
EXPECT_TRUE(ch1->buffer().len() > 0);
TlsParser extParser(ch1->buffer());
EXPECT_TRUE(extParser.Skip(2 + 32)); // Version + Random
EXPECT_TRUE(extParser.SkipVariable(1)); // Session ID
if (variant_ == ssl_variant_datagram) {
EXPECT_TRUE(extParser.SkipVariable(1)); // Cookie
}
EXPECT_TRUE(extParser.SkipVariable(2)); // Ciphersuites
EXPECT_TRUE(extParser.SkipVariable(1)); // Compression Methods
EXPECT_TRUE(extParser.Skip(2)); // Extension Lengths
// Scan for a 1-byte and a 0-byte extension.
uint32_t extType;
DataBuffer extBuf;
bool foundSmall = false;
bool foundLarge = false;
size_t numFound = 0;
while (extParser.remaining()) {
extParser.Read(&extType, 2);
extParser.ReadVariable(&extBuf, 2);
for (uint16_t greaseVal : kTlsGreaseValues) {
if (greaseVal == extType) {
numFound++;
foundSmall |= extBuf.len() == 0;
foundLarge |= extBuf.len() > 0;
}
}
}
EXPECT_EQ(foundSmall, expectGrease());
EXPECT_EQ(foundLarge, expectGrease());
EXPECT_EQ(numFound, expectGrease() ? size_t(2) : size_t(0));
}
TEST_P(GreasePresenceAbsenceTestTlsStream13, GreaseCertificateRequestSigAlg) {
SetupGrease();
client_->SetupClientAuth();
server_->RequestClientAuth(true);
auto cr =
MakeTlsFilter<TlsExtensionCapture>(server_, ssl_signature_algorithms_xtn);
cr->SetHandshakeTypes({kTlsHandshakeCertificateRequest});
cr->EnableDecryption();
Connect();
EXPECT_TRUE(cr->captured());
checkGreasePresence(1, 0, cr->extension());
}
TEST_P(GreasePresenceAbsenceTestTlsStream13,
GreaseCertificateRequestExtension) {
SetupGrease();
client_->SetupClientAuth();
server_->RequestClientAuth(true);
auto cr = MakeTlsFilter<TlsHandshakeRecorder>(
server_, kTlsHandshakeCertificateRequest);
cr->EnableDecryption();
Connect();
EXPECT_TRUE(cr->buffer().len() > 0);
TlsParser extParser(cr->buffer());
EXPECT_TRUE(extParser.SkipVariable(1)); // Context
EXPECT_TRUE(extParser.Skip(2)); // Extension Lengths
uint32_t extType;
DataBuffer extBuf;
bool found = false;
// Scan for a single, empty extension
while (extParser.remaining()) {
extParser.Read(&extType, 2);
extParser.ReadVariable(&extBuf, 2);
for (uint16_t greaseVal : kTlsGreaseValues) {
if (greaseVal == extType) {
EXPECT_TRUE(!found);
EXPECT_EQ(extBuf.len(), size_t(0));
found = true;
}
}
}
EXPECT_EQ(expectGrease(), found);
}
TEST_P(GreasePresenceAbsenceTestTlsStream13, GreaseNewSessionTicketExtension) {
SetupGrease();
auto nst = MakeTlsFilter<TlsHandshakeRecorder>(server_,
kTlsHandshakeNewSessionTicket);
nst->EnableDecryption();
Connect();
EXPECT_EQ(SECSuccess, SSL_SendSessionTicket(server_->ssl_fd(), nullptr, 0));
EXPECT_TRUE(nst->buffer().len() > 0);
TlsParser extParser(nst->buffer());
EXPECT_TRUE(extParser.Skip(4)); // lifetime
EXPECT_TRUE(extParser.Skip(4)); // age
EXPECT_TRUE(extParser.SkipVariable(1)); // Nonce
EXPECT_TRUE(extParser.SkipVariable(2)); // Ticket
EXPECT_TRUE(extParser.Skip(2)); // Extension Length
uint32_t extType;
DataBuffer extBuf;
bool found = false;
// Scan for a single, empty extension
while (extParser.remaining()) {
extParser.Read(&extType, 2);
extParser.ReadVariable(&extBuf, 2);
for (uint16_t greaseVal : kTlsGreaseValues) {
if (greaseVal == extType) {
EXPECT_TRUE(!found);
EXPECT_EQ(extBuf.len(), size_t(0));
found = true;
}
}
}
EXPECT_EQ(expectGrease(), found);
}
// Generic Client GREASE test
TEST_P(TlsConnectGeneric, ClientGrease) {
EnsureTlsSetup();
ASSERT_EQ(SSL_OptionSet(client_->ssl_fd(), SSL_ENABLE_GREASE, PR_TRUE),
SECSuccess);
Connect();
}
// Generic Server GREASE test
TEST_P(TlsConnectGeneric, ServerGrease) {
EnsureTlsSetup();
ASSERT_EQ(SSL_OptionSet(server_->ssl_fd(), SSL_ENABLE_GREASE, PR_TRUE),
SECSuccess);
Connect();
}
// Generic GREASE test
TEST_P(TlsConnectGeneric, Grease) {
EnsureTlsSetup();
ASSERT_EQ(SSL_OptionSet(client_->ssl_fd(), SSL_ENABLE_GREASE, PR_TRUE),
SECSuccess);
ASSERT_EQ(SSL_OptionSet(server_->ssl_fd(), SSL_ENABLE_GREASE, PR_TRUE),
SECSuccess);
Connect();
}
// Check that GREASE values can be correctly reconstructed after HRR.
TEST_P(TlsConnectGeneric, GreaseHRR) {
EnsureTlsSetup();
const std::vector<SSLNamedGroup> client_groups = {
ssl_grp_ec_curve25519, ssl_grp_ec_secp256r1, ssl_grp_ec_secp384r1};
const std::vector<SSLNamedGroup> server_groups = {
ssl_grp_ec_secp256r1, ssl_grp_ec_secp384r1, ssl_grp_ec_curve25519};
client_->ConfigNamedGroups(client_groups);
server_->ConfigNamedGroups(server_groups);
ASSERT_EQ(SSL_OptionSet(client_->ssl_fd(), SSL_ENABLE_GREASE, PR_TRUE),
SECSuccess);
ASSERT_EQ(SSL_OptionSet(server_->ssl_fd(), SSL_ENABLE_GREASE, PR_TRUE),
SECSuccess);
Connect();
}
// Check that GREASE additions interact correctly with psk-only handshake.
TEST_F(TlsConnectStreamTls13, GreasePsk) {
EnsureTlsSetup();
ASSERT_EQ(SSL_OptionSet(client_->ssl_fd(), SSL_ENABLE_GREASE, PR_TRUE),
SECSuccess);
ASSERT_EQ(SSL_OptionSet(server_->ssl_fd(), SSL_ENABLE_GREASE, PR_TRUE),
SECSuccess);
ScopedPK11SlotInfo slot(PK11_GetInternalSlot());
const uint8_t kPskDummyVal_[16] = {0x01, 0x02, 0x03, 0x04, 0x05,
0x06, 0x07, 0x08, 0x09, 0x0a,
0x0b, 0x0c, 0x0d, 0x0e, 0x0f};
SECItem psk_item;
psk_item.type = siBuffer;
psk_item.len = sizeof(kPskDummyVal_);
psk_item.data = const_cast<uint8_t*>(kPskDummyVal_);
PK11SymKey* key =
PK11_ImportSymKey(slot.get(), CKM_HKDF_KEY_GEN, PK11_OriginUnwrap,
CKA_DERIVE, &psk_item, NULL);
ScopedPK11SymKey scoped_psk_(key);
const std::string kPskDummyLabel_ = "NSS PSK GTEST label";
const SSLHashType kPskHash_ = ssl_hash_sha384;
AddPsk(scoped_psk_, kPskDummyLabel_, kPskHash_);
Connect();
SendReceive();
CheckKeys(ssl_kea_ecdh, ssl_grp_ec_curve25519, ssl_auth_psk, ssl_sig_none);
}
// Test that ECH and GREASE work together successfully
TEST_F(TlsConnectStreamTls13, GreaseAndECH) {
EnsureTlsSetup();
SetupEch(client_, server_);
ASSERT_EQ(SSL_OptionSet(client_->ssl_fd(), SSL_ENABLE_GREASE, PR_TRUE),
SECSuccess);
ASSERT_EQ(SSL_OptionSet(server_->ssl_fd(), SSL_ENABLE_GREASE, PR_TRUE),
SECSuccess);
Connect();
}
// Test that TLS12 Server handles Client GREASE correctly
TEST_F(TlsConnectTest, GreaseTLS12Server) {
EnsureTlsSetup();
ASSERT_EQ(SSL_OptionSet(client_->ssl_fd(), SSL_ENABLE_GREASE, PR_TRUE),
SECSuccess);
server_->SetVersionRange(SSL_LIBRARY_VERSION_TLS_1_2,
SSL_LIBRARY_VERSION_TLS_1_2);
client_->SetVersionRange(SSL_LIBRARY_VERSION_TLS_1_2,
SSL_LIBRARY_VERSION_TLS_1_3);
Connect();
}
// Test that TLS12 Client handles Server GREASE correctly
TEST_F(TlsConnectTest, GreaseTLS12Client) {
EnsureTlsSetup();
ASSERT_EQ(SSL_OptionSet(server_->ssl_fd(), SSL_ENABLE_GREASE, PR_TRUE),
SECSuccess);
server_->SetVersionRange(SSL_LIBRARY_VERSION_TLS_1_2,
SSL_LIBRARY_VERSION_TLS_1_3);
client_->SetVersionRange(SSL_LIBRARY_VERSION_TLS_1_2,
SSL_LIBRARY_VERSION_TLS_1_2);
Connect();
}
class GreaseOnlyTestStreamTls13 : public TlsConnectStreamTls13 {
public:
GreaseOnlyTestStreamTls13() : TlsConnectStreamTls13() {}
void ConnectWithCustomChExpectFail(const std::string& ch,
uint8_t server_alert, uint32_t server_code,
uint32_t client_code) {
std::vector<uint8_t> ch_vec = hex_string_to_bytes(ch);
DataBuffer ch_buf;
EnsureTlsSetup();
TlsAgentTestBase::MakeRecord(variant_, ssl_ct_handshake,
SSL_LIBRARY_VERSION_TLS_1_3, ch_vec.data(),
ch_vec.size(), &ch_buf, 0);
StartConnect();
client_->SendDirect(ch_buf);
ExpectAlert(server_, server_alert);
server_->Handshake();
server_->CheckErrorCode(server_code);
client_->ExpectReceiveAlert(server_alert, kTlsAlertFatal);
client_->Handshake();
client_->CheckErrorCode(client_code);
}
};
// Client: Offer only GREASE CipherSuite value
TEST_F(GreaseOnlyTestStreamTls13, GreaseOnlyClientCipherSuite) {
// 0xdada
std::string ch =
"010000b003038afacda2963358e98f464f3ff0680ed3a9d382a8c3eac5e5604f5721add9"
"855c000002dada010000850000000b0009000006736572766572ff01000100000a001400"
"12001d00170018001901000101010201030104003300260024001d0020683668992de470"
"38660ee37bafc7392b05b8a94402ea1f3463ad3cfd7a694a46002b0003020304000d0018"
"001604030503060302030804080508060401050106010201002d00020101001c0002400"
"1";
ConnectWithCustomChExpectFail(ch, kTlsAlertHandshakeFailure,
SSL_ERROR_NO_CYPHER_OVERLAP,
SSL_ERROR_NO_CYPHER_OVERLAP);
}
// Client: Offer only GREASE SupportedGroups value
TEST_F(GreaseOnlyTestStreamTls13, GreaseOnlyClientSupportedGroup) {
// 0x3a3a
std::string ch =
"010000a40303484a4e14f547404da6115d7f73bbb0f1c9d65e66ac073dee6c4a62f72de9"
"a36f000006130113031302010000750000000b0009000006736572766572ff0100010000"
"0a000400023a3a003300260024001d0020e75cb8e217c95176954e8b5fb95843882462ce"
"2cd3fcfe67cf31463a05ea3d57002b0003020304000d0018001604030503060302030804"
"080508060401050106010201002d00020101001c00024001";
ConnectWithCustomChExpectFail(ch, kTlsAlertHandshakeFailure,
SSL_ERROR_NO_CYPHER_OVERLAP,
SSL_ERROR_NO_CYPHER_OVERLAP);
}
// Client: Offer only GREASE SigAlgs value
TEST_F(GreaseOnlyTestStreamTls13, GreaseOnlyClientSignatureAlgorithm) {
// 0x8a8a
std::string ch =
"010000a00303dfd8e2438a8d1b9f48d921dfc08959108807bd1105238bb3da2a2a8e3db0"
"6990000006130113031302010000710000000b0009000006736572766572ff0100010000"
"0a00140012001d00170018001901000101010201030104003300260024001d002074bb2c"
"94996d3ffc7ae5792f0c3c58676358a85ea304cd029fa3d6551013b333002b0003020304"
"000d000400028a8a002d00020101001c00024001";
ConnectWithCustomChExpectFail(ch, kTlsAlertHandshakeFailure,
SSL_ERROR_UNSUPPORTED_SIGNATURE_ALGORITHM,
SSL_ERROR_NO_CYPHER_OVERLAP);
}
// Client: Offer only GREASE SupportedVersions value
TEST_F(GreaseOnlyTestStreamTls13, GreaseOnlyClientSupportedVersion) {
// 0xeaea
std::string ch =
"010000b203037e3618abae0dd0b3f06a504c47354551d1d5be36e9c3e1eac9c139c246b1"
"66da000006130113031302010000830000000b0009000006736572766572ff0100010000"
"0a00140012001d00170018001901000101010201030104003300260024001d00206b1816"
"577ff2e69d4d2661419150eaefa0328ffd396425cf1733ec06536b4e55002b000100000d"
"0018001604030503060302030804080508060401050106010201002d00020101001c0002"
"4001";
ConnectWithCustomChExpectFail(ch, kTlsAlertIllegalParameter,
SSL_ERROR_RX_MALFORMED_CLIENT_HELLO,
SSL_ERROR_ILLEGAL_PARAMETER_ALERT);
}
class GreaseTestStreamTls12
: public TlsConnectStreamTls12,
public ::testing::WithParamInterface<uint16_t /* GREASE */> {
public:
GreaseTestStreamTls12() : TlsConnectStreamTls12(), grease_(GetParam()){};
void ConnectExpectSigAlgFail() {
client_->ExpectSendAlert(kTlsAlertIllegalParameter);
server_->ExpectReceiveAlert(kTlsAlertIllegalParameter);
ConnectExpectFail();
client_->CheckErrorCode(SSL_ERROR_UNSUPPORTED_SIGNATURE_ALGORITHM);
server_->CheckErrorCode(SSL_ERROR_ILLEGAL_PARAMETER_ALERT);
}
protected:
uint16_t grease_;
};
class TlsCertificateRequestSigAlgSetterFilter : public TlsHandshakeFilter {
public:
TlsCertificateRequestSigAlgSetterFilter(const std::shared_ptr<TlsAgent>& a,
uint16_t sigAlg)
: TlsHandshakeFilter(a, {kTlsHandshakeCertificateRequest}),
sigAlg_(sigAlg) {}
virtual PacketFilter::Action FilterHandshake(
const TlsHandshakeFilter::HandshakeHeader& header,
const DataBuffer& input, DataBuffer* output) {
TlsParser parser(input);
DataBuffer cert_types;
if (!parser.ReadVariable(&cert_types, 1)) {
ADD_FAILURE();
return KEEP;
}
if (!parser.SkipVariable(2)) {
ADD_FAILURE();
return KEEP;
}
DataBuffer cas;
if (!parser.ReadVariable(&cas, 2)) {
ADD_FAILURE();
return KEEP;
}
size_t idx = 0;
// Write certificate types.
idx = output->Write(idx, cert_types.len(), 1);
idx = output->Write(idx, cert_types);
// Write signature algorithm.
idx = output->Write(idx, sizeof(sigAlg_), 2);
idx = output->Write(idx, sigAlg_, 2);
// Write certificate authorities.
idx = output->Write(idx, cas.len(), 2);
idx = output->Write(idx, cas);
return CHANGE;
}
private:
uint16_t sigAlg_;
};
// Server: Offer only GREASE CertificateRequest SigAlg value
TEST_P(GreaseTestStreamTls12, GreaseOnlyServerTLS12CertificateRequestSigAlg) {
EnsureTlsSetup();
client_->SetupClientAuth();
server_->RequestClientAuth(true);
MakeTlsFilter<TlsCertificateRequestSigAlgSetterFilter>(server_, grease_);
client_->ExpectSendAlert(kTlsAlertHandshakeFailure);
server_->ExpectReceiveAlert(kTlsAlertHandshakeFailure);
ConnectExpectFail();
server_->CheckErrorCode(SSL_ERROR_HANDSHAKE_FAILURE_ALERT);
client_->CheckErrorCode(SSL_ERROR_UNSUPPORTED_SIGNATURE_ALGORITHM);
}
// Illegally GREASE ServerKeyExchange ECC SignatureAlgorithm
TEST_P(GreaseTestStreamTls12, GreasedTLS12ServerKexEccSigAlg) {
MakeTlsFilter<ECCServerKEXSigAlgReplacer>(server_, grease_);
EnableSomeEcdhCiphers();
client_->ExpectSendAlert(kTlsAlertIllegalParameter);
server_->ExpectReceiveAlert(kTlsAlertIllegalParameter);
ConnectExpectFail();
client_->CheckErrorCode(SSL_ERROR_UNSUPPORTED_SIGNATURE_ALGORITHM);
server_->CheckErrorCode(SSL_ERROR_ILLEGAL_PARAMETER_ALERT);
}
// Illegally GREASE ServerKeyExchange DHE SignatureAlgorithm
TEST_P(GreaseTestStreamTls12, GreasedTLS12ServerKexDheSigAlg) {
MakeTlsFilter<DHEServerKEXSigAlgReplacer>(server_, grease_);
EnableOnlyDheCiphers();
client_->ExpectSendAlert(kTlsAlertIllegalParameter);
server_->ExpectReceiveAlert(kTlsAlertIllegalParameter);
ConnectExpectFail();
client_->CheckErrorCode(SSL_ERROR_UNSUPPORTED_SIGNATURE_ALGORITHM);
server_->CheckErrorCode(SSL_ERROR_ILLEGAL_PARAMETER_ALERT);
}
// Illegally GREASE ServerKeyExchange ECDHE NamedCurve
TEST_P(GreaseTestStreamTls12, GreasedTLS12ServerKexEcdheNamedCurve) {
MakeTlsFilter<ECCServerKEXNamedCurveReplacer>(server_, grease_);
EnableSomeEcdhCiphers();
client_->ExpectSendAlert(kTlsAlertHandshakeFailure);
server_->ExpectReceiveAlert(kTlsAlertHandshakeFailure);
ConnectExpectFail();
server_->CheckErrorCode(SSL_ERROR_HANDSHAKE_FAILURE_ALERT);
client_->CheckErrorCode(SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE);
}
// Illegally GREASE TLS12 Client CertificateVerify SignatureAlgorithm
TEST_P(GreaseTestStreamTls12, GreasedTLS12ClientCertificateVerifySigAlg) {
client_->SetupClientAuth();
server_->RequestClientAuth(true);
MakeTlsFilter<TlsReplaceSignatureSchemeFilter>(client_, grease_);
server_->ExpectSendAlert(kTlsAlertIllegalParameter);
client_->ExpectReceiveAlert(kTlsAlertIllegalParameter);
ConnectExpectFail();
client_->CheckErrorCode(SSL_ERROR_ILLEGAL_PARAMETER_ALERT);
server_->CheckErrorCode(SSL_ERROR_UNSUPPORTED_SIGNATURE_ALGORITHM);
}
class GreaseTestStreamTls13
: public TlsConnectStreamTls13,
public ::testing::WithParamInterface<uint16_t /* GREASE */> {
public:
GreaseTestStreamTls13() : grease_(GetParam()){};
protected:
uint16_t grease_;
};
// Illegally GREASE TLS13 Client CertificateVerify SignatureAlgorithm
TEST_P(GreaseTestStreamTls13, GreasedTLS13ClientCertificateVerifySigAlg) {
client_->SetupClientAuth();
server_->RequestClientAuth(true);
auto filter =
MakeTlsFilter<TlsReplaceSignatureSchemeFilter>(client_, grease_);
filter->EnableDecryption();
server_->ExpectSendAlert(kTlsAlertIllegalParameter);
client_->ExpectReceiveAlert(kTlsAlertIllegalParameter);
// Manually trigger handshake to avoid race conditions
StartConnect();
client_->Handshake();
server_->Handshake();
client_->Handshake();
server_->Handshake();
client_->Handshake();
server_->CheckErrorCode(SSL_ERROR_RX_MALFORMED_CERT_VERIFY);
client_->CheckErrorCode(SSL_ERROR_ILLEGAL_PARAMETER_ALERT);
}
// Illegally GREASE TLS13 Server CertificateVerify SignatureAlgorithm
TEST_P(GreaseTestStreamTls13, GreasedTLS13ServerCertificateVerifySigAlg) {
EnsureTlsSetup();
auto filter =
MakeTlsFilter<TlsReplaceSignatureSchemeFilter>(server_, grease_);
filter->EnableDecryption();
client_->ExpectSendAlert(kTlsAlertIllegalParameter);
server_->ExpectReceiveAlert(kTlsAlertIllegalParameter);
ConnectExpectFail();
client_->CheckErrorCode(SSL_ERROR_RX_MALFORMED_CERT_VERIFY);
}
// Illegally GREASE HelloRetryRequest version value
TEST_P(GreaseTestStreamTls13, GreasedHelloRetryRequestVersion) {
EnsureTlsSetup();
// Trigger HelloRetryRequest
MakeTlsFilter<TlsExtensionDropper>(client_, ssl_tls13_key_share_xtn);
auto filter = MakeTlsFilter<TlsMessageVersionSetter>(
server_, kTlsHandshakeHelloRetryRequest, grease_);
filter->EnableDecryption();
client_->ExpectSendAlert(kTlsAlertIllegalParameter);
server_->ExpectReceiveAlert(kTlsAlertIllegalParameter);
ConnectExpectFail();
client_->CheckErrorCode(SSL_ERROR_RX_MALFORMED_SERVER_HELLO);
server_->CheckErrorCode(SSL_ERROR_ILLEGAL_PARAMETER_ALERT);
}
class GreaseTestStreamTls123
: public TlsConnectTestBase,
public ::testing::WithParamInterface<
std::tuple<uint16_t /* version */, uint16_t /* GREASE */>> {
public:
GreaseTestStreamTls123()
: TlsConnectTestBase(ssl_variant_stream, std::get<0>(GetParam())),
grease_(std::get<1>(GetParam())){};
void ConnectExpectIllegalGreaseFail() {
client_->ExpectSendAlert(kTlsAlertIllegalParameter);
if (version_ >= SSL_LIBRARY_VERSION_TLS_1_3) {
// Server expects handshake but receives encrypted alert.
server_->ExpectSendAlert(kTlsAlertUnexpectedMessage);
} else {
server_->ExpectReceiveAlert(kTlsAlertIllegalParameter);
}
ConnectExpectFail();
}
protected:
uint16_t grease_;
};
// Illegally GREASE TLS12 and TLS13 ServerHello version value
TEST_P(GreaseTestStreamTls123, GreasedServerHelloVersion) {
EnsureTlsSetup();
auto filter = MakeTlsFilter<TlsMessageVersionSetter>(
server_, kTlsHandshakeServerHello, grease_);
if (version_ >= SSL_LIBRARY_VERSION_TLS_1_3) {
filter->EnableDecryption();
}
ConnectExpectIllegalGreaseFail();
client_->CheckErrorCode(SSL_ERROR_RX_MALFORMED_SERVER_HELLO);
}
// Illegally GREASE TLS12 and TLS13 selected CipherSuite value
TEST_P(GreaseTestStreamTls123, GreasedServerHelloCipherSuite) {
EnsureTlsSetup();
auto filter = MakeTlsFilter<SelectedCipherSuiteReplacer>(server_, grease_);
if (version_ >= SSL_LIBRARY_VERSION_TLS_1_3) {
filter->EnableDecryption();
}
ConnectExpectIllegalGreaseFail();
client_->CheckErrorCode(SSL_ERROR_NO_CYPHER_OVERLAP);
}
class GreaseExtensionTestStreamTls13
: public TlsConnectStreamTls13,
public ::testing::WithParamInterface<
std::tuple<uint8_t /* message */, uint16_t /* GREASE */>> {
public:
GreaseExtensionTestStreamTls13()
: TlsConnectStreamTls13(),
message_(std::get<0>(GetParam())),
grease_(std::get<1>(GetParam())){};
protected:
uint8_t message_;
uint16_t grease_;
};
// Illegally GREASE TLS13 Server EncryptedExtensions and Certificate Extensions
// NSS currently allows offering unkown extensions in HelloRetryRequests!
TEST_P(GreaseExtensionTestStreamTls13, GreasedServerExtensions) {
EnsureTlsSetup();
DataBuffer empty = DataBuffer(1);
auto filter =
MakeTlsFilter<TlsExtensionAppender>(server_, message_, grease_, empty);
filter->EnableDecryption();
server_->ExpectReceiveAlert(kTlsAlertUnsupportedExtension);
client_->ExpectSendAlert(kTlsAlertUnsupportedExtension);
ConnectExpectFail();
client_->CheckErrorCode(SSL_ERROR_RX_UNEXPECTED_EXTENSION);
server_->CheckErrorCode(SSL_ERROR_UNSUPPORTED_EXTENSION_ALERT);
}
// Illegally GREASE TLS12 and TLS13 ServerHello Extensions
TEST_P(GreaseTestStreamTls123, GreasedServerHelloExtensions) {
EnsureTlsSetup();
DataBuffer empty = DataBuffer(1);
auto filter = MakeTlsFilter<TlsExtensionAppender>(
server_, kTlsHandshakeServerHello, grease_, empty);
if (version_ >= SSL_LIBRARY_VERSION_TLS_1_3) {
filter->EnableDecryption();
server_->ExpectSendAlert(kTlsAlertUnexpectedMessage);
} else {
server_->ExpectReceiveAlert(kTlsAlertUnsupportedExtension);
}
client_->ExpectSendAlert(kTlsAlertUnsupportedExtension);
ConnectExpectFail();
client_->CheckErrorCode(SSL_ERROR_RX_UNEXPECTED_EXTENSION);
}
// Illegally GREASE TLS13 Client Certificate Extensions
// Server ignores injected client extensions and fails on CertificateVerify
TEST_P(GreaseTestStreamTls13, GreasedClientCertificateExtensions) {
client_->SetupClientAuth();
server_->RequestClientAuth(true);
DataBuffer empty = DataBuffer(1);
auto filter = MakeTlsFilter<TlsExtensionAppender>(
client_, kTlsHandshakeCertificate, grease_, empty);
filter->EnableDecryption();
server_->ExpectSendAlert(kTlsAlertDecryptError);
client_->ExpectReceiveAlert(kTlsAlertDecryptError);
// Manually trigger handshake to avoid race conditions
StartConnect();
client_->Handshake();
server_->Handshake();
client_->Handshake();
server_->Handshake();
client_->Handshake();
server_->CheckErrorCode(SEC_ERROR_BAD_SIGNATURE);
client_->CheckErrorCode(SSL_ERROR_DECRYPT_ERROR_ALERT);
}
TEST_F(TlsConnectStreamTls13, GreaseClientHelloExtensionPermutation) {
EnsureTlsSetup();
PR_ASSERT(SSL_OptionSet(client_->ssl_fd(),
SSL_ENABLE_CH_EXTENSION_PERMUTATION,
PR_TRUE) == SECSuccess);
PR_ASSERT(SSL_OptionSet(client_->ssl_fd(), SSL_ENABLE_GREASE, PR_TRUE) ==
SECSuccess);
Connect();
}
INSTANTIATE_TEST_SUITE_P(GreaseTestTls12, GreaseTestStreamTls12,
::testing::ValuesIn(kTlsGreaseValues));
INSTANTIATE_TEST_SUITE_P(GreaseTestTls13, GreaseTestStreamTls13,
::testing::ValuesIn(kTlsGreaseValues));
INSTANTIATE_TEST_SUITE_P(
GreaseTestTls123, GreaseTestStreamTls123,
::testing::Combine(TlsConnectTestBase::kTlsV12Plus,
::testing::ValuesIn(kTlsGreaseValues)));
INSTANTIATE_TEST_SUITE_P(
GreaseExtensionTest, GreaseExtensionTestStreamTls13,
testing::Combine(testing::ValuesIn(kTlsGreaseExtensionMessages),
testing::ValuesIn(kTlsGreaseValues)));
} // namespace nss_test

8
security/nss/lib/nss/nss.h
View File

@ -22,12 +22,12 @@
* The format of the version string should be
* "<major version>.<minor version>[.<patch level>[.<build number>]][ <ECC>][ <Beta>]"
*/
#define NSS_VERSION "3.89" _NSS_CUSTOMIZED " Beta"
#define NSS_VERSION "3.88.1" _NSS_CUSTOMIZED
#define NSS_VMAJOR 3
#define NSS_VMINOR 89
#define NSS_VPATCH 0
#define NSS_VMINOR 88
#define NSS_VPATCH 1
#define NSS_VBUILD 0
#define NSS_BETA PR_TRUE
#define NSS_BETA PR_FALSE
#ifndef RC_INVOKED

1
security/nss/lib/pkcs7/p7local.c
View File

@ -458,6 +458,7 @@ sec_PKCS7Decrypt(sec_PKCS7CipherObject *obj, unsigned char *output,
* If we do not, there is something wrong, either with our own
* logic or with (length of) the data given to us.
*/
PORT_Assert((padsize == 0) || (pcount % padsize) == 0);
if ((padsize != 0) && (pcount % padsize) != 0) {
PORT_Assert(final);
PORT_SetError(SEC_ERROR_BAD_DATA);

6
security/nss/lib/smime/smime.def
View File

@ -285,9 +285,3 @@ SEC_PKCS12DecoderRenameCertNicknames;
;+ local:
;+ *;
;+};
;+NSS_3.89 { # NSS 3.89 release
;+ global:
NSS_CMSSignerInfo_GetDigestAlgTag;
;+ local:
;+ *;
;+};

2
security/nss/lib/softoken/fips_algorithms.h
View File

@ -131,7 +131,7 @@ SFTKFIPSAlgorithmList sftk_fips_mechs[] = {
/* ---------------------- SSL/TLS operations ------------------------- */
{ CKM_SHA224_KEY_DERIVATION, { 112, 224, CKF_KDF }, 1, SFTKFIPSNone },
{ CKM_SHA256_KEY_DERIVATION, { 128, 256, CKF_KDF }, 1, SFTKFIPSNone },
{ CKM_SHA384_KEY_DERIVATION, { 192, 384, CKF_KDF }, 1, SFTKFIPSNone },
{ CKM_SHA384_KEY_DERIVATION, { 192, 284, CKF_KDF }, 1, SFTKFIPSNone },
{ CKM_SHA512_KEY_DERIVATION, { 256, 512, CKF_KDF }, 1, SFTKFIPSNone },
{ CKM_TLS12_MASTER_KEY_DERIVE, { 384, 384, CKF_KDF }, 1, SFTKFIPSNone },
{ CKM_TLS12_MASTER_KEY_DERIVE_DH, { DH_FB_KEY, CKF_KDF }, 1, SFTKFIPSNone },

7
security/nss/lib/softoken/pkcs11c.c
View File

@ -2099,12 +2099,7 @@ static SECStatus
sftk_HMACCmp(CK_ULONG *copyLen, unsigned char *sig, unsigned int sigLen,
unsigned char *hash, unsigned int hashLen)
{
if (NSS_SecureMemcmp(sig, hash, *copyLen) == 0) {
return SECSuccess;
}
PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
return SECFailure;
return (NSS_SecureMemcmp(sig, hash, *copyLen) == 0) ? SECSuccess : SECFailure;
}
/*

8
security/nss/lib/softoken/softkver.h
View File

@ -17,11 +17,11 @@
* The format of the version string should be
* "<major version>.<minor version>[.<patch level>[.<build number>]][ <ECC>][ <Beta>]"
*/
#define SOFTOKEN_VERSION "3.89" SOFTOKEN_ECC_STRING " Beta"
#define SOFTOKEN_VERSION "3.88.1" SOFTOKEN_ECC_STRING
#define SOFTOKEN_VMAJOR 3
#define SOFTOKEN_VMINOR 89
#define SOFTOKEN_VPATCH 0
#define SOFTOKEN_VMINOR 88
#define SOFTOKEN_VPATCH 1
#define SOFTOKEN_VBUILD 0
#define SOFTOKEN_BETA PR_TRUE
#define SOFTOKEN_BETA PR_FALSE
#endif /* _SOFTKVER_H_ */

34
security/nss/lib/ssl/ssl.h
View File

@ -346,40 +346,6 @@ SSL_IMPORT PRFileDesc *DTLS_ImportFD(PRFileDesc *model, PRFileDesc *fd);
*/
#define SSL_SUPPRESS_END_OF_EARLY_DATA 41
/* Enables TLS GREASE (specified in RFC8701, following Chrome 55 implementation
* decisions).
*
* If enabled and the client's ss->vrange.max >= SSL_LIBRARY_VERSION_TLS_1_3 or
* the server's ss->version >= SSL_LIBRARY_VERSION_TLS_1_3, this adds random
* GREASE values to:
* - ClientHello (Client):
* - A cipher_suite value to the cipher_suites field.
* - An empty and a 1B zeroed payload extension.
* - A named group value to the supported_groups extension and a
* KeyShareEntry value for the added named group.
* - A signature algorithm value to the signature_algorithms extension.
* - A version value to the supported_versions extension.
* - A PskKeyExchangeMode value to the psk_key_exchange_modes extension.
* - A alpn value to the application_layer_protocol_negotiation extension.
*
* - CertificateRequest (Server):
* - An empty extension.
* - A signature algorithm value to the signature_algorithms extension.
*
* - NewSessionTicket (Server):
* - An empty extension.
*
* GREASE values MUST nerver be negotiated but ignored.
*/
#define SSL_ENABLE_GREASE 42
/* Enables TLS ClientHello Extension Permutation.
*
* On a TLS ClientHello all extensions but the Psk extension
* (which MUST be last) will be sent in randomly shuffeld order.
*/
#define SSL_ENABLE_CH_EXTENSION_PERMUTATION 43
#ifdef SSL_DEPRECATED_FUNCTION
/* Old deprecated function names */
SSL_IMPORT SECStatus SSL_Enable(PRFileDesc *fd, int option, PRIntn on);

66
security/nss/lib/ssl/ssl3con.c
View File

@ -5099,18 +5099,6 @@ ssl3_AppendCipherSuites(sslSocket *ss, PRBool fallbackSCSV, sslBuffer *buf)
}
}
}
/* GREASE CipherSuites:
* A client MAY select one or more GREASE cipher suite values and advertise
* them in the "cipher_suites" field [RFC8701, Section 3.1]. */
if (ss->opt.enableGrease && ss->vrange.max >= SSL_LIBRARY_VERSION_TLS_1_3) {
rv = sslBuffer_AppendNumber(buf, ss->ssl3.hs.grease->idx[grease_cipher],
sizeof(ssl3CipherSuite));
if (rv != SECSuccess) {
return SECFailure;
}
}
if (SSL_ALL_VERSIONS_DISABLED(&ss->vrange) ||
(SSL_BUFFER_LEN(buf) - saveLen) == 0) {
PORT_SetError(SSL_ERROR_SSL_DISABLED);
@ -5532,16 +5520,6 @@ ssl3_SendClientHello(sslSocket *ss, sslClientHelloType type)
}
}
/* Setup TLS ClientHello Extension Permutation? */
if (type == client_hello_initial &&
ss->vrange.max > SSL_LIBRARY_VERSION_3_0 &&
ss->opt.enableChXtnPermutation) {
rv = tls_ClientHelloExtensionPermutationSetup(ss);
if (rv != SECSuccess) {
goto loser;
}
}
if (isTLS || (ss->firstHsDone && ss->peerRequestedProtection)) {
rv = ssl_ConstructExtensions(ss, &extensionBuf, ssl_hs_client_hello);
if (rv != SECSuccess) {
@ -10222,7 +10200,7 @@ ssl3_SendServerKeyExchange(sslSocket *ss)
SECStatus
ssl3_EncodeSigAlgs(const sslSocket *ss, PRUint16 minVersion, PRBool forCert,
PRBool grease, sslBuffer *buf)
sslBuffer *buf)
{
SSLSignatureScheme filtered[MAX_SIGNATURE_SCHEMES] = { 0 };
unsigned int filteredCount = 0;
@ -10233,12 +10211,12 @@ ssl3_EncodeSigAlgs(const sslSocket *ss, PRUint16 minVersion, PRBool forCert,
if (rv != SECSuccess) {
return SECFailure;
}
return ssl3_EncodeFilteredSigAlgs(ss, filtered, filteredCount, grease, buf);
return ssl3_EncodeFilteredSigAlgs(ss, filtered, filteredCount, buf);
}
SECStatus
ssl3_EncodeFilteredSigAlgs(const sslSocket *ss, const SSLSignatureScheme *schemes,
PRUint32 numSchemes, PRBool grease, sslBuffer *buf)
PRUint32 numSchemes, sslBuffer *buf)
{
if (!numSchemes) {
PORT_SetError(SSL_ERROR_NO_SUPPORTED_SIGNATURE_ALGORITHM);
@ -10259,35 +10237,6 @@ ssl3_EncodeFilteredSigAlgs(const sslSocket *ss, const SSLSignatureScheme *scheme
return SECFailure;
}
}
/* GREASE SignatureAlgorithms:
* A client MAY select one or more GREASE signature algorithm values and
* advertise them in the "signature_algorithms" or
* "signature_algorithms_cert" extensions, if sent [RFC8701, Section 3.1].
*
* When sending a CertificateRequest in TLS 1.3, a server MAY behave as
* follows: [...] A server MAY select one or more GREASE signature
* algorithm values and advertise them in the "signature_algorithms" or
* "signature_algorithms_cert" extensions, if present
* [RFC8701, Section 4.1]. */
if (grease &&
((!ss->sec.isServer && ss->vrange.max >= SSL_LIBRARY_VERSION_TLS_1_3) ||
(ss->sec.isServer && ss->version >= SSL_LIBRARY_VERSION_TLS_1_3))) {
PRUint16 value;
if (ss->sec.isServer) {
rv = tls13_RandomGreaseValue(&value);
if (rv != SECSuccess) {
return SECFailure;
}
} else {
value = ss->ssl3.hs.grease->idx[grease_sigalg];
}
rv = sslBuffer_AppendNumber(buf, value, 2);
if (rv != SECSuccess) {
return SECFailure;
}
}
return sslBuffer_InsertLength(buf, lengthOffset, 2);
}
@ -10379,8 +10328,7 @@ ssl3_SendCertificateRequest(sslSocket *ss)
length = 1 + certTypesLength + 2 + calen;
if (isTLS12) {
rv = ssl3_EncodeSigAlgs(ss, ss->version, PR_TRUE /* forCert */,
PR_FALSE /* GREASE */, &sigAlgsBuf);
rv = ssl3_EncodeSigAlgs(ss, ss->version, PR_TRUE /* forCert */, &sigAlgsBuf);
if (rv != SECSuccess) {
return rv;
}
@ -14141,12 +14089,6 @@ ssl3_DestroySSL3Info(sslSocket *ss)
PK11_HPKE_DestroyContext(ss->ssl3.hs.echHpkeCtx, PR_TRUE);
PORT_Free((void *)ss->ssl3.hs.echPublicName); /* CONST */
sslBuffer_Clear(&ss->ssl3.hs.greaseEchBuf);
/* TLS 1.3 GREASE (client) state. */
tls13_ClientGreaseDestroy(ss);
/* TLS ClientHello Extension Permutation state. */
tls_ClientHelloExtensionPermutationDestroy(ss);
}
/* check if the current cipher spec is FIPS. We only need to

14
security/nss/lib/ssl/ssl3ecc.c
View File

@ -906,20 +906,6 @@ ssl_SendSupportedGroupsXtn(const sslSocket *ss, TLSExtensionData *xtnData,
}
}
/* GREASE SupportedGroups:
* A client MAY select one or more GREASE named group values and advertise
* them in the "supported_groups" extension, if sent [RFC8701, Section 3.1].
*/
if (!ss->sec.isServer &&
ss->opt.enableGrease &&
ss->vrange.max >= SSL_LIBRARY_VERSION_TLS_1_3) {
rv = sslBuffer_AppendNumber(buf, ss->ssl3.hs.grease->idx[grease_group], 2);
if (rv != SECSuccess) {
return SECFailure;
}
found = PR_TRUE;
}
if (!found) {
/* We added nothing, don't send the extension. */
return SECSuccess;

81
security/nss/lib/ssl/ssl3ext.c
View File

@ -45,7 +45,6 @@ static const ssl3ExtensionHandler clientHelloHandlers[] = {
{ ssl_app_layer_protocol_xtn, &ssl3_ServerHandleAppProtoXtn },
{ ssl_use_srtp_xtn, &ssl3_ServerHandleUseSRTPXtn },
{ ssl_cert_status_xtn, &ssl3_ServerHandleStatusRequestXtn },
{ ssl_tls13_certificate_authorities_xtn, &tls13_ServerHandleCertAuthoritiesXtn },
{ ssl_signature_algorithms_xtn, &ssl3_HandleSigAlgsXtn },
{ ssl_extended_master_secret_xtn, &ssl3_HandleExtendedMasterSecretXtn },
{ ssl_signed_cert_timestamp_xtn, &ssl3_ServerHandleSignedCertTimestampXtn },
@ -124,8 +123,6 @@ static const ssl3ExtensionHandler certificateRequestHandlers[] = {
* extension, if it were listed last). See bug 1243641.
*/
static const sslExtensionBuilder clientHelloSendersTLS[] = {
/* TLS 1.3 GREASE extensions - empty. */
{ ssl_tls13_grease_xtn, &tls13_SendEmptyGreaseXtn },
{ ssl_server_name_xtn, &ssl3_ClientSendServerNameXtn },
{ ssl_extended_master_secret_xtn, &ssl3_SendExtendedMasterSecretXtn },
{ ssl_renegotiation_info_xtn, &ssl3_SendRenegotiationInfoXtn },
@ -149,8 +146,6 @@ static const sslExtensionBuilder clientHelloSendersTLS[] = {
{ ssl_tls13_psk_key_exchange_modes_xtn, &tls13_ClientSendPskModesXtn },
{ ssl_tls13_post_handshake_auth_xtn, &tls13_ClientSendPostHandshakeAuthXtn },
{ ssl_record_size_limit_xtn, &ssl_SendRecordSizeLimitXtn },
/* TLS 1.3 GREASE extensions - 1 zero byte. */
{ ssl_tls13_grease_xtn, &tls13_SendGreaseXtn },
/* The pre_shared_key extension MUST be last. */
{ ssl_tls13_pre_shared_key_xtn, &tls13_ClientSendPreSharedKeyXtn },
{ 0, NULL }
@ -164,8 +159,6 @@ static const sslExtensionBuilder clientHelloSendersSSL3[] = {
static const sslExtensionBuilder tls13_cert_req_senders[] = {
{ ssl_signature_algorithms_xtn, &ssl3_SendSigAlgsXtn },
{ ssl_tls13_certificate_authorities_xtn, &tls13_SendCertAuthoritiesXtn },
/* TLS 1.3 GREASE extension. */
{ ssl_tls13_grease_xtn, &tls13_SendEmptyGreaseXtn },
{ 0, NULL }
};
@ -761,12 +754,7 @@ ssl_ConstructExtensions(sslSocket *ss, sslBuffer *buf, SSLHandshakeType message)
switch (message) {
case ssl_hs_client_hello:
if (ss->vrange.max > SSL_LIBRARY_VERSION_3_0) {
/* Use TLS ClientHello Extension Permutation? */
if (ss->opt.enableChXtnPermutation) {
sender = ss->ssl3.hs.chExtensionPermutation;
} else {
sender = clientHelloSendersTLS;
}
sender = clientHelloSendersTLS;
} else {
sender = clientHelloSendersSSL3;
}
@ -803,7 +791,6 @@ ssl_ConstructExtensions(sslSocket *ss, sslBuffer *buf, SSLHandshakeType message)
}
for (; sender->ex_sender != NULL; ++sender) {
PRUint16 ex_type = sender->ex_type;
PRBool append = PR_FALSE;
unsigned int start = buf->len;
unsigned int length;
@ -827,14 +814,8 @@ ssl_ConstructExtensions(sslSocket *ss, sslBuffer *buf, SSLHandshakeType message)
continue;
}
/* If TLS 1.3 GREASE is enabled, replace ssl_tls13_grease_xtn dummy
* GREASE extension types with randomly generated GREASE value. */
rv = tls13_MaybeGreaseExtensionType(ss, message, &ex_type);
if (rv != SECSuccess) {
goto loser; /* Code already set. */
}
rv = sslBuffer_AppendNumber(buf, ex_type, 2);
buf->len = start;
rv = sslBuffer_AppendNumber(buf, sender->ex_type, 2);
if (rv != SECSuccess) {
goto loser; /* Code already set. */
}
@ -848,7 +829,7 @@ ssl_ConstructExtensions(sslSocket *ss, sslBuffer *buf, SSLHandshakeType message)
if (message == ssl_hs_client_hello ||
message == ssl_hs_certificate_request) {
ss->xtnData.advertised[ss->xtnData.numAdvertised++] =
ex_type;
sender->ex_type;
}
}
@ -1125,57 +1106,3 @@ ssl3_ExtConsumeHandshakeVariable(const sslSocket *ss, SECItem *i,
{
return ssl3_ConsumeHandshakeVariable((sslSocket *)ss, i, bytes, b, length);
}
SECStatus
tls_ClientHelloExtensionPermutationSetup(sslSocket *ss)
{
const size_t buildersLen = PR_ARRAY_SIZE(clientHelloSendersTLS);
const size_t buildersSize = (sizeof(sslExtensionBuilder) * buildersLen);
/* Psk Extension and then NULL entry MUST be last. */
const size_t permutationLen = buildersLen - 2;
/* There shouldn't already be a stored permutation. */
PR_ASSERT(!ss->ssl3.hs.chExtensionPermutation);
/* This shuffle handles up to 256 extensions. */
PR_ASSERT(buildersLen < 256);
uint8_t permutation[256] = { 0 };
sslExtensionBuilder *builders = PORT_ZAlloc(buildersSize);
if (!builders) {
return SECFailure;
}
/* Get a working copy of default builders. */
PORT_Memcpy(builders, clientHelloSendersTLS, buildersSize);
/* Get permutation randoms. */
if (PK11_GenerateRandom(permutation, permutationLen) != SECSuccess) {
PORT_Free(builders);
return SECFailure;
}
/* Fisher-Yates Shuffle */
for (size_t i = permutationLen - 1; i > 0; i--) {
size_t idx = permutation[i - 1] % (i + 1);
sslExtensionBuilder tmp = builders[i];
builders[i] = builders[idx];
builders[idx] = tmp;
}
/* Make sure that Psk extension is penultimate (before NULL entry). */
PR_ASSERT(builders[buildersLen - 2].ex_type == ssl_tls13_pre_shared_key_xtn);
PR_ASSERT(builders[buildersLen - 2].ex_sender == clientHelloSendersTLS[buildersLen - 2].ex_sender);
ss->ssl3.hs.chExtensionPermutation = builders;
return SECSuccess;
}
void
tls_ClientHelloExtensionPermutationDestroy(sslSocket *ss)
{
if (ss->ssl3.hs.chExtensionPermutation) {
PORT_Free(ss->ssl3.hs.chExtensionPermutation);
ss->ssl3.hs.chExtensionPermutation = NULL;
}
}

2
security/nss/lib/ssl/ssl3ext.h
View File

@ -206,7 +206,5 @@ SECStatus SSLExp_InstallExtensionHooks(
sslCustomExtensionHooks *ssl_FindCustomExtensionHooks(sslSocket *ss, PRUint16 extension);
SECStatus ssl_CallCustomExtensionSenders(sslSocket *ss, sslBuffer *buf,
SSLHandshakeType message);
SECStatus tls_ClientHelloExtensionPermutationSetup(sslSocket *ss);
void tls_ClientHelloExtensionPermutationDestroy(sslSocket *ss);
#endif

30
security/nss/lib/ssl/ssl3exthandle.c
View File

@ -201,7 +201,7 @@ ssl3_FreeSniNameArray(TLSExtensionData *xtnData)
* Clients sends a filled in session ticket if one is available, and otherwise
* sends an empty ticket. Servers always send empty tickets.
*/
SECStatus
PRInt32
ssl3_ClientSendSessionTicketXtn(const sslSocket *ss, TLSExtensionData *xtnData,
sslBuffer *buf, PRBool *added)
{
@ -456,33 +456,20 @@ ssl3_ClientSendAppProtoXtn(const sslSocket *ss, TLSExtensionData *xtnData,
sslBuffer *buf, PRBool *added)
{
SECStatus rv;
const unsigned int len = ss->opt.nextProtoNego.len;
/* Renegotiations do not send this extension. */
if (!ss->opt.enableALPN || !ss->opt.nextProtoNego.len || ss->firstHsDone) {
PR_ASSERT(!ss->opt.nextProtoNego.data);
if (!ss->opt.enableALPN || !ss->opt.nextProtoNego.data || ss->firstHsDone) {
return SECSuccess;
}
PRBool addGrease = ss->opt.enableGrease && ss->vrange.max >= SSL_LIBRARY_VERSION_TLS_1_3;
/* The list of protocol strings is prefixed with a 2-byte length */
rv = sslBuffer_AppendNumber(buf, ss->opt.nextProtoNego.len + (addGrease ? 3 : 0), 2);
if (rv != SECSuccess) {
return SECFailure;
}
/* The list of protocol strings */
rv = sslBuffer_Append(buf, ss->opt.nextProtoNego.data, ss->opt.nextProtoNego.len);
if (rv != SECSuccess) {
return SECFailure;
}
/* A client MAY select one or more GREASE ALPN identifiers and advertise
* them in the "application_layer_protocol_negotiation" extension, if sent
* [RFC8701, Section 3.1]. */
if (addGrease) {
rv = sslBuffer_AppendNumber(buf, 2, 1);
if (len > 0) {
/* Each protocol string is prefixed with a single byte length. */
rv = sslBuffer_AppendNumber(buf, len, 2);
if (rv != SECSuccess) {
return SECFailure;
}
rv = sslBuffer_AppendNumber(buf, ss->ssl3.hs.grease->idx[grease_alpn], 2);
rv = sslBuffer_Append(buf, ss->opt.nextProtoNego.data, len);
if (rv != SECSuccess) {
return SECFailure;
}
@ -1661,8 +1648,7 @@ ssl3_SendSigAlgsXtn(const sslSocket *ss, TLSExtensionData *xtnData,
minVersion = ss->vrange.min; /* ClientHello */
}
SECStatus rv = ssl3_EncodeSigAlgs(ss, minVersion, PR_TRUE /* forCert */,
ss->opt.enableGrease, buf);
SECStatus rv = ssl3_EncodeSigAlgs(ss, minVersion, PR_TRUE /* forCert */, buf);
if (rv != SECSuccess) {
return SECFailure;
}

30
security/nss/lib/ssl/sslimpl.h
View File

@ -290,8 +290,6 @@ typedef struct sslOptionsStr {
unsigned int enableTls13GreaseEch : 1;
unsigned int enableTls13BackendEch : 1;
unsigned int callExtensionWriterOnEchInner : 1;
unsigned int enableGrease : 1;
unsigned int enableChXtnPermutation : 1;
} sslOptions;
typedef enum { sslHandshakingUndetermined = 0,
@ -612,24 +610,6 @@ typedef struct {
PRUint32 timeout;
} dtlsTimer;
/* TLS 1.3 client GREASE entry indices. */
typedef enum {
grease_cipher,
grease_extension1,
grease_extension2,
grease_group,
grease_sigalg,
grease_version,
grease_alpn,
grease_entries
} tls13ClientGreaseEntry;
/* TLS 1.3 client GREASE values struct. */
typedef struct tls13ClientGreaseStr {
PRUint16 idx[grease_entries];
PRUint8 pskKem;
} tls13ClientGrease;
/*
** This is the "hs" member of the "ssl3" struct.
** This entire struct is protected by ssl3HandshakeLock
@ -782,12 +762,6 @@ typedef struct SSL3HandshakeStateStr {
sslBuffer greaseEchBuf; /* Client: Remember GREASE ECH, as advertised, for CH2 (HRR case).
Server: Remember HRR Grease Value, for transcript calculations */
PRBool echInvalidExtension; /* Client: True if the server offered an invalid extension for the ClientHelloInner */
/* TLS 1.3 GREASE state. */
tls13ClientGrease *grease;
/* ClientHello Extension Permutation state. */
sslExtensionBuilder *chExtensionPermutation;
} SSL3HandshakeState;
#define SSL_ASSERT_HASHES_EMPTY(ss) \
@ -1766,10 +1740,10 @@ SECStatus ssl3_AuthCertificate(sslSocket *ss);
SECStatus ssl_ReadCertificateStatus(sslSocket *ss, PRUint8 *b,
PRUint32 length);
SECStatus ssl3_EncodeSigAlgs(const sslSocket *ss, PRUint16 minVersion, PRBool forCert,
PRBool grease, sslBuffer *buf);
sslBuffer *buf);
SECStatus ssl3_EncodeFilteredSigAlgs(const sslSocket *ss,
const SSLSignatureScheme *schemes,
PRUint32 numSchemes, PRBool grease, sslBuffer *buf);
PRUint32 numSchemes, sslBuffer *buf);
SECStatus ssl3_FilterSigAlgs(const sslSocket *ss, PRUint16 minVersion, PRBool disableRsae, PRBool forCert,
unsigned int maxSchemes, SSLSignatureScheme *filteredSchemes,
unsigned int *numFilteredSchemes);

4
security/nss/lib/ssl/sslsecur.c
View File

@ -217,10 +217,6 @@ SSL_ResetHandshake(PRFileDesc *s, PRBool asServer)
sslBuffer_Clear(&ss->ssl3.hs.greaseEchBuf);
}
tls13_ClientGreaseDestroy(ss);
tls_ClientHelloExtensionPermutationDestroy(ss);
if (!ss->TCPconnected)
ss->TCPconnected = (PR_SUCCESS == ssl_DefGetpeername(ss, &addr));

2
security/nss/lib/ssl/sslsnce.c
View File

@ -1820,7 +1820,7 @@ ssl_GetSelfEncryptKeyPair(SECKEYPublicKey **pubKey,
return SECSuccess;
}
static SECStatus
static PRBool
ssl_GenerateSelfEncryptKeys(void *pwArg, PRUint8 *keyName,
PK11SymKey **aesKey, PK11SymKey **macKey);

10
security/nss/lib/ssl/sslsock.c
View File

@ -96,8 +96,6 @@ static sslOptions ssl_defaults = {
.enableTls13GreaseEch = PR_FALSE,
.enableTls13BackendEch = PR_FALSE,
.callExtensionWriterOnEchInner = PR_FALSE,
.enableGrease = PR_FALSE,
.enableChXtnPermutation = PR_FALSE
};
/*
@ -893,14 +891,6 @@ SSL_OptionSet(PRFileDesc *fd, PRInt32 which, PRIntn val)
ss->opt.suppressEndOfEarlyData = val;
break;
case SSL_ENABLE_GREASE:
ss->opt.enableGrease = val;
break;
case SSL_ENABLE_CH_EXTENSION_PERMUTATION:
ss->opt.enableChXtnPermutation = val;
break;
default:
PORT_SetError(SEC_ERROR_INVALID_ARGS);
rv = SECFailure;

2
security/nss/lib/ssl/sslt.h
View File

@ -551,8 +551,6 @@ typedef enum {
ssl_tls13_post_handshake_auth_xtn = 49,
ssl_signature_algorithms_cert_xtn = 50,
ssl_tls13_key_share_xtn = 51,
/* TLS 1.3 GREASE extension dummy type for builders. */
ssl_tls13_grease_xtn = 0x0a0a,
ssl_next_proto_nego_xtn = 13172, /* Deprecated. */
ssl_renegotiation_info_xtn = 0xff01,
ssl_tls13_short_header_xtn = 0xff03, /* Deprecated. */

168
security/nss/lib/ssl/tls13con.c
View File

@ -454,11 +454,6 @@ tls13_SetupClientHello(sslSocket *ss, sslClientHelloType chType)
return SECSuccess;
}
rv = tls13_ClientGreaseSetup(ss);
if (rv != SECSuccess) {
return SECFailure;
}
/* Select the first enabled group.
* TODO(ekr@rtfm.com): be smarter about offering the group
* that the other side negotiated if we are resuming. */
@ -1568,9 +1563,6 @@ tls13_NegotiateKeyExchange(sslSocket *ss,
missing_extension);
return SECFailure;
}
/* Since the server insists on DHE to provide forward secracy, for
* every other PskKem value but DHE stateless resumption is disabled,
* this includes other specified and GREASE values. */
if (!memchr(ss->xtnData.psk_ke_modes.data, tls13_psk_dh_ke,
ss->xtnData.psk_ke_modes.len)) {
SSL_TRC(3, ("%d: TLS13[%d]: client offered PSK without DH",
@ -5302,7 +5294,6 @@ tls13_SendNewSessionTicket(sslSocket *ss, const PRUint8 *appToken,
SECStatus rv;
NewSessionTicket ticket = { 0 };
PRUint32 max_early_data_size_len = 0;
PRUint32 greaseLen = 0;
PRUint8 ticketNonce[sizeof(ss->ssl3.hs.ticketNonce)];
sslBuffer ticketNonceBuf = SSL_BUFFER(ticketNonce);
@ -5316,10 +5307,6 @@ tls13_SendNewSessionTicket(sslSocket *ss, const PRUint8 *appToken,
}
ticket.ticket_lifetime_hint = ssl_ticket_lifetime;
if (ss->opt.enableGrease) {
greaseLen = 4; /* type + len + 0 (empty) */
}
/* The ticket age obfuscator. */
rv = PK11_GenerateRandom((PRUint8 *)&ticket.ticket_age_add,
sizeof(ticket.ticket_age_add));
@ -5351,13 +5338,11 @@ tls13_SendNewSessionTicket(sslSocket *ss, const PRUint8 *appToken,
goto loser;
message_length =
4 + /* lifetime */
4 + /* ticket_age_add */
1 + sizeof(ticketNonce) + /* ticket_nonce */
2 + /* extensions lentgh */
max_early_data_size_len + /* max_early_data_size extension length */
greaseLen + /* GREASE extension length */
2 + /* ticket length */
4 + /* lifetime */
4 + /* ticket_age_add */
1 + sizeof(ticketNonce) + /* ticket_nonce */
2 + max_early_data_size_len + /* max_early_data_size_len */
2 + /* ticket length */
ticket_data.len;
rv = ssl3_AppendHandshakeHeader(ss, ssl_hs_new_session_ticket,
@ -5385,33 +5370,11 @@ tls13_SendNewSessionTicket(sslSocket *ss, const PRUint8 *appToken,
if (rv != SECSuccess)
goto loser;
/* Extensions */
rv = ssl3_AppendHandshakeNumber(ss, max_early_data_size_len + greaseLen, 2);
/* Extensions. */
rv = ssl3_AppendHandshakeNumber(ss, max_early_data_size_len, 2);
if (rv != SECSuccess)
goto loser;
/* GREASE NewSessionTicket:
* When sending a NewSessionTicket message in TLS 1.3, a server MAY select
* one or more GREASE extension values and advertise them as extensions
* with varying length and contents [RFC8701, SEction 4.1]. */
if (ss->opt.enableGrease) {
PR_ASSERT(ss->version >= SSL_LIBRARY_VERSION_TLS_1_3);
PRUint16 grease;
rv = tls13_RandomGreaseValue(&grease);
if (rv != SECSuccess)
goto loser;
/* Extension type */
rv = ssl3_AppendHandshakeNumber(ss, grease, 2);
if (rv != SECSuccess)
goto loser;
/* Extension length */
rv = ssl3_AppendHandshakeNumber(ss, 0, 2);
if (rv != SECSuccess)
goto loser;
}
/* Max early data size extension. */
if (max_early_data_size_len) {
rv = ssl3_AppendHandshakeNumber(
ss, ssl_tls13_early_data_xtn, 2);
@ -5654,7 +5617,7 @@ static const struct {
certificate) },
{ ssl_delegated_credentials_xtn, _M2(client_hello, certificate) },
{ ssl_tls13_cookie_xtn, _M2(client_hello, hello_retry_request) },
{ ssl_tls13_certificate_authorities_xtn, _M2(client_hello, certificate_request) },
{ ssl_tls13_certificate_authorities_xtn, _M1(certificate_request) },
{ ssl_tls13_supported_versions_xtn, _M3(client_hello, server_hello,
hello_retry_request) },
{ ssl_record_size_limit_xtn, _M2(client_hello, encrypted_extensions) },
@ -6452,117 +6415,4 @@ tls13_MaybeTls13(sslSocket *ss)
}
return PR_FALSE;
}
/* Setup random client GREASE values according to RFC8701. State must be kept
* so an equal ClientHello might be send on HelloRetryRequest. */
SECStatus
tls13_ClientGreaseSetup(sslSocket *ss)
{
if (!ss->opt.enableGrease) {
return SECSuccess;
}
PORT_Assert(ss->vrange.max >= SSL_LIBRARY_VERSION_TLS_1_3);
if (ss->ssl3.hs.grease) {
return SECFailure;
}
ss->ssl3.hs.grease = PORT_Alloc(sizeof(tls13ClientGrease));
if (!ss->ssl3.hs.grease) {
return SECFailure;
}
tls13ClientGrease *grease = ss->ssl3.hs.grease;
/* We require eight GREASE values and randoms. */
PRUint8 random[8];
/* Generate random GREASE values. */
if (PK11_GenerateRandom(random, sizeof(random)) != SECSuccess) {
return SECFailure;
}
for (size_t i = 0; i < PR_ARRAY_SIZE(grease->idx); i++) {
random[i] = ((random[i] & 0xf0) | 0x0a);
grease->idx[i] = ((random[i] << 8) | random[i]);
}
/* Specific PskKeyExchangeMode GREASE value. */
grease->pskKem = 0x0b + ((random[8 - 1] >> 5) * 0x1f);
/* Duplicate extensions are not allowed. */
if (grease->idx[grease_extension1] == grease->idx[grease_extension2]) {
grease->idx[grease_extension2] ^= 0x1010;
}
return SECSuccess;
}
/* Destroy client GREASE state. */
void
tls13_ClientGreaseDestroy(sslSocket *ss)
{
if (ss->ssl3.hs.grease) {
PORT_Free(ss->ssl3.hs.grease);
ss->ssl3.hs.grease = NULL;
}
}
/* Generate a random GREASE value according to RFC8701.
* This function does not provide valid PskKeyExchangeMode GREASE values! */
SECStatus
tls13_RandomGreaseValue(PRUint16 *out)
{
PRUint8 random;
if (PK11_GenerateRandom(&random, sizeof(random)) != SECSuccess) {
return SECFailure;
}
random = ((random & 0xf0) | 0x0a);
*out = ((random << 8) | random);
return SECSuccess;
}
/* Set TLS 1.3 GREASE Extension random GREASE type. */
SECStatus
tls13_MaybeGreaseExtensionType(const sslSocket *ss,
const SSLHandshakeType message,
PRUint16 *exType)
{
if (*exType != ssl_tls13_grease_xtn) {
return SECSuccess;
}
PR_ASSERT(ss->opt.enableGrease);
PR_ASSERT(message == ssl_hs_client_hello ||
message == ssl_hs_certificate_request);
/* GREASE ClientHello:
* A client MAY select one or more GREASE extension values and
* advertise them as extensions with varying length and contents
* [RFC8701, Section 3.1]. */
if (message == ssl_hs_client_hello) {
PR_ASSERT(ss->vrange.max >= SSL_LIBRARY_VERSION_TLS_1_3);
/* Check if the first GREASE extension was already added. */
if (!ssl3_ExtensionAdvertised(ss, ss->ssl3.hs.grease->idx[grease_extension1])) {
*exType = ss->ssl3.hs.grease->idx[grease_extension1];
} else {
*exType = ss->ssl3.hs.grease->idx[grease_extension2];
}
}
/* GREASE CertificateRequest:
* When sending a CertificateRequest in TLS 1.3, a server MAY behave as
* follows: A server MAY select one or more GREASE extension values and
* advertise them as extensions with varying length and contents
* [RFC8701, Section 4.1]. */
else if (message == ssl_hs_certificate_request) {
PR_ASSERT(ss->version >= SSL_LIBRARY_VERSION_TLS_1_3);
/* Get random grease extension type. */
SECStatus rv = tls13_RandomGreaseValue(exType);
if (rv != SECSuccess) {
return SECFailure;
}
}
return SECSuccess;
}
}

6
security/nss/lib/ssl/tls13con.h
View File

@ -152,12 +152,6 @@ SECStatus tls13_AEAD(PK11Context *context, PRBool decrypt,
const unsigned char *in, unsigned int inLen);
void tls13_SetSpecRecordVersion(sslSocket *ss, ssl3CipherSpec *spec);
SECStatus SSLExp_SendCertificateRequest(PRFileDesc *fd);
SECStatus tls13_ClientGreaseSetup(sslSocket *ss);
void tls13_ClientGreaseDestroy(sslSocket *ss);
SECStatus tls13_RandomGreaseValue(PRUint16 *out);
SECStatus tls13_MaybeGreaseExtensionType(const sslSocket *ss,
const SSLHandshakeType message,
PRUint16 *exType);
/* Use this instead of FATAL_ERROR when no alert shall be sent. */
#define LOG_ERROR(ss, prError) \

17
security/nss/lib/ssl/tls13ech.c
View File

@ -1420,34 +1420,23 @@ tls13_ConstructInnerExtensionsFromOuter(sslSocket *ss, sslBuffer *chOuterXtnsBuf
}
break;
case ssl_tls13_supported_versions_xtn:
/* Only TLS 1.3 and GREASE on CHInner. */
/* Only TLS 1.3 on CHInner. */
rv = sslBuffer_AppendNumber(chInnerXtns, extensionType, 2);
if (rv != SECSuccess) {
goto loser;
}
/* Extension length. */
tmpLen = (ss->opt.enableGrease) ? 5 : 3;
rv = sslBuffer_AppendNumber(chInnerXtns, tmpLen, 2);
rv = sslBuffer_AppendNumber(chInnerXtns, 3, 2);
if (rv != SECSuccess) {
goto loser;
}
/* ProtocolVersion length */
rv = sslBuffer_AppendNumber(chInnerXtns, tmpLen - 1, 1);
rv = sslBuffer_AppendNumber(chInnerXtns, 2, 1);
if (rv != SECSuccess) {
goto loser;
}
/* ProtocolVersion TLS 1.3 */
rv = sslBuffer_AppendNumber(chInnerXtns, SSL_LIBRARY_VERSION_TLS_1_3, 2);
if (rv != SECSuccess) {
goto loser;
}
/* ProtocolVersion GREASE */
if (ss->opt.enableGrease) {
rv = sslBuffer_AppendNumber(chInnerXtns, ss->ssl3.hs.grease->idx[grease_version], 2);
if (rv != SECSuccess) {
goto loser;
}
}
/* Only update state on second invocation of this function */
if (shouldCompress) {
ss->xtnData.echAdvertised[ss->xtnData.echNumAdvertised++] = extensionType;

91
security/nss/lib/ssl/tls13exthandle.c
View File

@ -154,29 +154,6 @@ tls13_ClientSendKeyShareXtn(const sslSocket *ss, TLSExtensionData *xtnData,
return SECFailure;
}
}
/* GREASE KeyShareEntry:
* [The client] MAY also send KeyShareEntry values for a subset of those
* selected in the "key_share" extension. For each of these, the
* "key_exchange" field MAY be any value [RFC8701, Section 3.1].
*
* By default we do not send KeyShares for every NamedGroup so the
* ServerKeyShare handshake message / additional round-trip is not
* triggered by sending GREASE KeyShareEntries. */
if (ss->opt.enableGrease) {
rv = sslBuffer_AppendNumber(buf, ss->ssl3.hs.grease->idx[grease_group], 2);
if (rv != SECSuccess)
return rv;
/* Entry length */
rv = sslBuffer_AppendNumber(buf, 2, 2);
if (rv != SECSuccess)
return rv;
/* Entry value */
rv = sslBuffer_AppendNumber(buf, 0xCD, 2);
if (rv != SECSuccess)
return rv;
}
rv = sslBuffer_InsertLength(buf, lengthOffset, 2);
if (rv != SECSuccess) {
return SECFailure;
@ -900,16 +877,6 @@ tls13_ClientSendSupportedVersionsXtn(const sslSocket *ss, TLSExtensionData *xtnD
}
}
/* GREASE SupportedVersions:
* A client MAY select one or more GREASE version values and advertise them
* in the "supported_versions" extension, if sent [RFC8701, Section 3.1]. */
if (ss->opt.enableGrease) {
rv = sslBuffer_AppendNumber(buf, ss->ssl3.hs.grease->idx[grease_version], 2);
if (rv != SECSuccess) {
return SECFailure;
}
}
rv = sslBuffer_InsertLength(buf, lengthOffset, 1);
if (rv != SECSuccess) {
return SECFailure;
@ -1078,6 +1045,7 @@ SECStatus
tls13_ClientSendPskModesXtn(const sslSocket *ss, TLSExtensionData *xtnData,
sslBuffer *buf, PRBool *added)
{
static const PRUint8 ke_modes[] = { tls13_psk_dh_ke };
SECStatus rv;
if (ss->vrange.max < SSL_LIBRARY_VERSION_TLS_1_3 ||
@ -1088,15 +1056,7 @@ tls13_ClientSendPskModesXtn(const sslSocket *ss, TLSExtensionData *xtnData,
SSL_TRC(3, ("%d: TLS13[%d]: send psk key exchange modes extension",
SSL_GETPID(), ss->fd));
/* GREASE PskKeyExchangeMode:
* A client MAY select one or more GREASE PskKeyExchangeMode values and
* advertise them in the "psk_key_exchange_modes" extension, if sent
* [RFC8701, Section 3.1]. */
if (ss->opt.enableGrease) {
rv = sslBuffer_AppendVariable(buf, (PRUint8[]){ tls13_psk_dh_ke, ss->ssl3.hs.grease->pskKem }, 2, 1);
} else {
rv = sslBuffer_AppendVariable(buf, (PRUint8[]){ tls13_psk_dh_ke }, 1, 1);
}
rv = sslBuffer_AppendVariable(buf, ke_modes, sizeof(ke_modes), 1);
if (rv != SECSuccess) {
return SECFailure;
}
@ -1216,15 +1176,6 @@ loser:
return SECFailure;
}
SECStatus
tls13_ServerHandleCertAuthoritiesXtn(const sslSocket *ss, TLSExtensionData *xtnData, SECItem *data)
{
SSL_TRC(3, ("%d: TLS13[%d]: ignore certificate_authorities extension",
SSL_GETPID(), ss->fd));
/* NSS ignores certificate_authorities in the ClientHello */
return SECSuccess;
}
SECStatus
tls13_ServerSendHrrKeyShareXtn(const sslSocket *ss, TLSExtensionData *xtnData,
sslBuffer *buf, PRBool *added)
@ -1390,8 +1341,7 @@ tls13_ClientSendDelegatedCredentialsXtn(const sslSocket *ss,
return SECSuccess;
}
rv = ssl3_EncodeFilteredSigAlgs(ss, filtered, filteredCount,
PR_FALSE /* GREASE */, buf);
rv = ssl3_EncodeFilteredSigAlgs(ss, filtered, filteredCount, buf);
if (rv != SECSuccess) {
return SECFailure;
}
@ -1765,38 +1715,3 @@ alert_loser:
PORT_SetError(SSL_ERROR_RX_MALFORMED_ECH_EXTENSION);
return SECFailure;
}
SECStatus
tls13_SendEmptyGreaseXtn(const sslSocket *ss,
TLSExtensionData *xtnData,
sslBuffer *buf, PRBool *added)
{
if (!ss->opt.enableGrease ||
(!ss->sec.isServer && ss->vrange.max < SSL_LIBRARY_VERSION_TLS_1_3) ||
(ss->sec.isServer && ss->version < SSL_LIBRARY_VERSION_TLS_1_3)) {
return SECSuccess;
}
*added = PR_TRUE;
return SECSuccess;
}
SECStatus
tls13_SendGreaseXtn(const sslSocket *ss,
TLSExtensionData *xtnData,
sslBuffer *buf, PRBool *added)
{
if (!ss->opt.enableGrease ||
(!ss->sec.isServer && ss->vrange.max < SSL_LIBRARY_VERSION_TLS_1_3) ||
(ss->sec.isServer && ss->version < SSL_LIBRARY_VERSION_TLS_1_3)) {
return SECSuccess;
}
SECStatus rv = sslBuffer_AppendVariable(buf, (PRUint8[]){ 0x00 }, 1, 2);
if (rv != SECSuccess) {
return SECFailure;
}
*added = PR_TRUE;
return SECSuccess;
}

8
security/nss/lib/ssl/tls13exthandle.h
View File

@ -75,8 +75,6 @@ SECStatus tls13_SendCertAuthoritiesXtn(const sslSocket *ss,
SECStatus tls13_ClientHandleCertAuthoritiesXtn(const sslSocket *ss,
TLSExtensionData *xtnData,
SECItem *data);
SECStatus tls13_ServerHandleCertAuthoritiesXtn(const sslSocket *ss, TLSExtensionData *xtnData, SECItem *data);
SECStatus tls13_ServerHandleCookieXtn(const sslSocket *ss,
TLSExtensionData *xtnData,
SECItem *data);
@ -117,11 +115,5 @@ SECStatus tls13_ClientSendDelegatedCredentialsXtn(const sslSocket *ss,
SECStatus tls13_ServerHandleDelegatedCredentialsXtn(const sslSocket *ss,
TLSExtensionData *xtnData,
SECItem *data);
SECStatus tls13_SendEmptyGreaseXtn(const sslSocket *ss,
TLSExtensionData *xtnData,
sslBuffer *buf, PRBool *added);
SECStatus tls13_SendGreaseXtn(const sslSocket *ss,
TLSExtensionData *xtnData,
sslBuffer *buf, PRBool *added);
#endif

8
security/nss/lib/util/nssutil.h
View File

@ -19,12 +19,12 @@
* The format of the version string should be
* "<major version>.<minor version>[.<patch level>[.<build number>]][ <Beta>]"
*/
#define NSSUTIL_VERSION "3.89 Beta"
#define NSSUTIL_VERSION "3.88.1"
#define NSSUTIL_VMAJOR 3
#define NSSUTIL_VMINOR 89
#define NSSUTIL_VPATCH 0
#define NSSUTIL_VMINOR 88
#define NSSUTIL_VPATCH 1
#define NSSUTIL_VBUILD 0
#define NSSUTIL_BETA PR_TRUE
#define NSSUTIL_BETA PR_FALSE
SEC_BEGIN_PROTOS

10
security/nss/lib/util/secasn1d.c
View File

@ -2207,13 +2207,9 @@ sec_asn1d_next_in_sequence(sec_asn1d_state *state)
* In practice this does not happen, but for completeness
* sake it should probably be made to work at some point.
*/
if (child_found_tag_modifiers >= SEC_ASN1_HIGH_TAG_NUMBER) {
PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
state->top->status = decodeError;
} else {
identifier = (unsigned char)(child_found_tag_modifiers | child_found_tag_number);
sec_asn1d_record_any_header(child, (char *)&identifier, 1);
}
PORT_Assert(child_found_tag_number < SEC_ASN1_HIGH_TAG_NUMBER);
identifier = (unsigned char)(child_found_tag_modifiers | child_found_tag_number);
sec_asn1d_record_any_header(child, (char *)&identifier, 1);
}
}
}