2020-12-11 Kevin Jacobs <kjacobs@mozilla.com>
* automation/abi-check/expected-report-libssl3.so.txt, automation/abi-
check/previous-nss-release, lib/nss/nss.h, lib/softoken/softkver.h,
lib/util/nssutil.h:
Set version numbers to 3.61 Beta
[f277d2674c80]
* gtests/<...>
Bug 1677207 - Update Google Test to release-1.10.0 r=bbeurdouche
./gtests/google_test/update.sh release-1.10.0 && hg remove -A && hg
add gtests/google_test/*
[89141382df45]
* gtests/<...>
Bug 1677207 - Replace references to TestCase, which is deprecated,
with TestSuite r=bbeurdouche
grep -rl --exclude-dir=google_test INSTANTIATE_TEST_CASE_P gtests |
xargs sed -i '' s/INSTANTIATE_TEST_CASE_P/INSTANTIATE_TEST_SUITE_P/g
grep -rl --exclude-dir=google_test SetUpTestCase gtests | xargs sed
-i '' s/SetUpTestCase/SetUpTestSuite/g
[e15b78be87fa]
* gtests/ssl_gtest/ssl_ciphersuite_unittest.cc,
gtests/ssl_gtest/ssl_debug_env_unittest.cc,
gtests/ssl_gtest/ssl_extension_unittest.cc,
gtests/ssl_gtest/ssl_loopback_unittest.cc,
gtests/ssl_gtest/ssl_renegotiation_unittest.cc,
gtests/ssl_gtest/ssl_resumption_unittest.cc,
gtests/ssl_gtest/ssl_version_unittest.cc,
gtests/ssl_gtest/tls_ech_unittest.cc:
Bug 1677207 - Use GTEST_SKIP in ssl_gtests. r=bbeurdouche
[0772f1bf5fd6]
2020-12-17 Robert Relyea <rrelyea@redhat.com>
* gtests/common/testvectors/ike-aesxcbc-vectors.h,
gtests/common/testvectors/ike-sha1-vectors.h,
gtests/common/testvectors/ike-sha256-vectors.h,
gtests/common/testvectors/ike-sha384-vectors.h,
gtests/common/testvectors/ike-sha512-vectors.h,
gtests/common/testvectors_base/test-structs.h,
gtests/pk11_gtest/manifest.mn, gtests/pk11_gtest/pk11_gtest.gyp,
gtests/pk11_gtest/pk11_ike_unittest.cc, lib/softoken/sftkike.c:
Bug 1682071 IKE Quick mode IPSEC give you incorrect keys if you are
asking for keys smaller than the hash size.
IKE Appendix B fixes.
This patch fixes 2 problems.
If you run either ike v1 App B or quick mode asking for a key with
length
mod macsize = 0, you will generate an extra block that's not used
and overwrites the end of the buffer.
If you use quick mode, the function incorrectly subsets the
existing key
rather than generating a new key. This is correct behavior for
Appendix B, where appendix B is trying to take a generated key and
create a new longer key (with no diversification, just transform the
key into something that's longer), so if you ask for a key less than
or equal to, then you want to just subset the original key. In quick
mode you are taking a base key and creating a set of new keys based
on additional data, so you want to subset the generated data. This
patch only subsets the original key if you aren't doing quickmode.
Full test vectors have now been added for all ike modes in this
patch as well (previously we depended on the FIPS CAVS tests to test
ike, which covers basic IKEv1, IKEv1_psk, and IKEv2 but not IKEv1
App B and IKE v1 Quick mode).
[f4995c9fa185]
2020-12-18 Robert Relyea <rrelyea@redhat.com>
* gtests/common/testvectors/rsa_pkcs1_2048_test-vectors.h,
gtests/common/testvectors/rsa_pkcs1_3072_test-vectors.h,
gtests/common/testvectors/rsa_pkcs1_4096_test-vectors.h,
gtests/freebl_gtest/Makefile, gtests/freebl_gtest/manifest.mn,
gtests/freebl_gtest/rsa_unittest.cc, gtests/manifest.mn,
gtests/pk11_gtest/pk11_rsaencrypt_unittest.cc,
gtests/pk11_gtest/pk11_rsaoaep_unittest.cc, lib/freebl/alghmac.c,
lib/freebl/alghmac.h, lib/freebl/rsapkcs.c:
Bug 1651411 New tlsfuzzer code can still detect timing issues in RSA
operations.
This patch defeats Bleichenbacher by not trying to hide the size of
the decrypted text, but to hide if the text succeeded for failed.
This is done by generating a fake returned text that's based on the
key and the cipher text, so the fake data is always the same for the
same key and cipher text. Both the length and the plain text are
generated with a prf.
Here's the proposed spec the patch codes to:
1. Use SHA-256 to hash the private exponent encoded as a big-
endian integer to a string the same length as the public modulus.
Keep this value secret. (this is just an optimisation so that the
implementation doesn't have to serialise the key over and over
again) 2. Check the length of input according to step one of
https://tools.ietf.org/html/rfc8017#section-7.2.2 3. When provided
with a ciphertext, use SHA-256 HMAC(key=hash_from_step1,
text=ciphertext) to generate the key derivation key 4. Use SHA-256
HMAC with key derivation key as the key and a two-byte big- endian
iterator concatenated with byte string "length" with the big- endian
representation of 2048 (0x0800) as the bit length of the generated
string.
- Iterate this PRF 8 times to generate a 256 byte string 5. initialise
the length of synthetic message to 0 6. split the PRF output into 2
byte strings, convert into big-endian integers, zero- out high-order
bits so that they have the same bit length as the octet length of
the maximum acceptable message size (k-11), select the last integer
that is no larger than (k-11) or remain at 0 if no integer is
smaller than (k-11); this selection needs to be performed using a
side-channel free operators 7. Use SHA-256 HMAC with key derivation
key as the key and a two-byte big-endian iterator concatenated with
byte string "message" with the big-endian representation of k*8
- use this PRF to generate k bytes of output (right-truncate last HMAC
call if the number of generated bytes is not a multiple of SHA-256
output size) 8. perform the RSA decryption as described in step 2 of
section 7.2.2 of rfc8017 9. Verify the EM message padding as
described in step 3 of section 7.2.2 of rfc8017, but instead of
outputting "decryption error", return the last l bytes of the
"message" PRF, when l is the selected synthetic message length using
the "length" PRF, make this decision and copy using side-channel
free operation
[fc05574c7399]
2020-12-22 Robert Relyea <rrelyea@redhat.com>
* gtests/freebl_gtest/rsa_unittest.cc,
gtests/pk11_gtest/pk11_rsaoaep_unittest.cc, lib/freebl/alghmac.c,
lib/freebl/rsapkcs.c:
Restore lost portion of the bleichenbacher timing batch that
addressed review comments. All the review comments pertained to
actual code comments, so this patch only affects the comments.
[fcebe146314e]
2020-12-22 Kevin Jacobs <kjacobs@mozilla.com>
* lib/dev/devslot.c:
Bug 1682863 - Revert nssSlot_IsTokenPresent to 3.58 after ongoing Fx
hangs with slow PKCS11 devices. r=bbeurdouche
This patch reverts the `nssSlot_IsTokenPresent` changes made in bug
1663661 and bug 1679290, restoring the version used in NSS 3.58 and
earlier. It's not an actual `hg backout` because the comment in
lib/dev/devt.h is worth keeping. While removing the nested locking
did resolve the hang for some (most?) third-party modules, problems
remain with some slower tokens after an even further relaxation of
the locking, which defeats the purpose of addressing the races in
the first place.
The crash addressed by these patches was caused by the Intermediate
Preloading Healer in Firefox, which has been disabled. We clearly
have insufficient test coverage for third-party modules, and now
that osclientcerts is enabled in Fx Nightly, any problems caused by
these and similar changes is unlikely to be reported until Fx Beta,
well after NSS RTM. I think the best option at this point is to
simply revert NSS.
[97ef009f7a78] [tip]
Differential Revision: https://phabricator.services.mozilla.com/D100401
Bug 1583109 introduced new function templates StringJoin and StringJoinAppend.
These are now used to replace several custom loops across the codebase that
implement string-joining algorithms to simplify the code.
Differential Revision: https://phabricator.services.mozilla.com/D98750
Bug 1583109 introduced new function templates StringJoin and StringJoinAppend.
These are now used to replace several custom loops across the codebase that
implement string-joining algorithms to simplify the code.
Differential Revision: https://phabricator.services.mozilla.com/D98750
This patch removes telemetry probes for TLS 1.3 Delegated Credentials. The
probes are expiring soon and we do not plan to run any more experiments that
would justify their renewal. There is no plan to enable this feature in beta or
release until the draft hits RFC stage.
Differential Revision: https://phabricator.services.mozilla.com/D99557
2020-12-11 Kevin Jacobs <kjacobs@mozilla.com>
* lib/nss/nss.h, lib/softoken/softkver.h, lib/util/nssutil.h:
Set version numbers to 3.60 final
[2015cf6ca323] [NSS_3_60_RTM] <NSS_3_60_BRANCH>
2020-12-08 Kevin Jacobs <kjacobs@mozilla.com>
* .hgtags:
Added tag NSS_3_60_BETA1 for changeset f84fb229842a
[1fe6cb3c3874]
Differential Revision: https://phabricator.services.mozilla.com/D99488
This moves parts of IPCMessageUtils.h to two new header files and adapts
the include directives as necessary. The new header files are:
- EnumSerializer.h, which defines the templates for enum serializers
- IPCMessageUtilsSpecializations.h, which defines template specializations
of ParamTraits with extra dependencies (building upon both IPCMessageUtils.h
and EnumSerializer.h)
This should minimize the dependencies pulled in by every consumer of
IPCMessageUtils.h
Differential Revision: https://phabricator.services.mozilla.com/D94459
This patch removes the hand-rolled shared background thread in favor of
individual background synchronous event targets. Also, the timer configuration
was moved to the main thread. It now dispatches events to the background task
queue, which makes it easier to reason about.
Differential Revision: https://phabricator.services.mozilla.com/D98977
This patch extends the lifetimes of the following telemetry probes to Firefox 92:
CRLITE_RESULT
INTERMEDIATE_PRELOADING_ERRORS
INTERMEDIATE_PRELOADING_UPDATE_TIME_MS
security.intermediate_preloading_num_preloaded
security.intermediate_preloading_num_pending
This patch removes the following telemetry probes:
CRLITE_FASTER_THAN_OCSP_MS
OCSP_FASTER_THAN_CRLITE_MS
Differential Revision: https://phabricator.services.mozilla.com/D98988
32-bit Linux architectures have gained new versions of every system
call handling time values, to allow a transition to 64-bit time_t that
will continue to work after the year 2038; newer versions of glibc will
attempt them and fall back to the 32-bit path (without caching the
failure, so at best we take the overhead of handling SIGSYS).
This patch allows time64 syscalls in the same cases where we allow their
time32 versions, including the restrictions on clockid_t to prevent
interacting with other processes or threads of other processes. (I've
confirmed that the argument types match otherwise, so it's safe to reuse
the same policies.)
Differential Revision: https://phabricator.services.mozilla.com/D98693
Telemetry indicated that setting various security state (in particular, CRLite
state) was causing main thread hangs due to base64 decoding. This patch
rearranges cert_storage slightly to do these decodings off the main thread.
Differential Revision: https://phabricator.services.mozilla.com/D98691
This patch enables PSM and Firefox to use TLS 1.3 Encrypted Client Hello (draft -08). Specifically:
- Compile NSS with NSS_ENABLE_DRAFT_HPKE=1
- Add ECH "public_name" handling in SSLServerCertVerification.cpp (see: https://tools.ietf.org/html/draft-ietf-tls-esni-08#section-6.3.2)
- Adds `mIsAcceptedEch` to TransportSecurityInfo, and xpcshell tests for ECH use cases
- Adds EncryptedClientHelloServer to facilitate the xpcshell tests
- Un-ifdef Set/GetEchConfigs code in nsNSSIOLayer.cpp. Also reverted the Base64 encoding and decoding, as the data returned from DNS is already decoded (wire-format).
Differential Revision: https://phabricator.services.mozilla.com/D92651
This patch enables PSM and Firefox to use TLS 1.3 Encrypted Client Hello (draft -08). Specifically:
- Compile NSS with NSS_ENABLE_DRAFT_HPKE=1
- Add ECH "public_name" handling in SSLServerCertVerification.cpp (see: https://tools.ietf.org/html/draft-ietf-tls-esni-08#section-6.3.2)
- Adds `mIsAcceptedEch` to TransportSecurityInfo, and xpcshell tests for ECH use cases
- Adds EncryptedClientHelloServer to facilitate the xpcshell tests
- Un-ifdef Set/GetEchConfigs code in nsNSSIOLayer.cpp. Also reverted the Base64 encoding and decoding, as the data returned from DNS is already decoded (wire-format).
Differential Revision: https://phabricator.services.mozilla.com/D92651
This patch updates test_sanctions_symantec_apple_google.js to test a chain through an allow-listed Apple intermediate certificate chaining to a Symantec root certificate that is present in NSS.
Differential Revision: https://phabricator.services.mozilla.com/D98511
This patch changes a test referencing //VeriSign Class 3 Public Primary Certification Authority - G4//, which was removed in bug 1670769, with a similar VeriSign root CA that still exists and meets the same requirements for the test.
Differential Revision: https://phabricator.services.mozilla.com/D98510
2020-12-01 Kevin Jacobs <kjacobs@mozilla.com>
* lib/ckfw/builtins/nssckbi.h:
Bug 1678189 - December 2020 batch of root changes,
NSS_BUILTINS_LIBRARY_VERSION 2.46. r=bbeurdouche
[f8c49b334e51] [tip]
* lib/ckfw/builtins/certdata.txt:
Bug 1678166 - Add NAVER Global Root Certification Authority root
cert to NSS. r=bbeurdouche,KathleenWilson
[b9742b439a81]
2020-12-01 Benjamin Beurdouche <benjamin.beurdouche@inria.fr>
* lib/ckfw/builtins/certdata.txt:
Bug 1670769 - Remove 10 GeoTrust, thawte, and VeriSign root certs
from NSS. r=kjacobs,KathleenWilson
[4c69d6d0cf21]
2020-12-01 Kevin Jacobs <kjacobs@mozilla.com>
* lib/ssl/ssl3exthandle.c:
Bug 1674819 - Fix undefined shift when fuzzing r=bbeurdouche
In fuzzer mode, session tickets are serialized without any
encryption or integrity protection. This leads to a post-deserialize
UBSAN error when shifting by a fuzzed (large) authType value. A real
NSS server will not produce these values.
[a51fae403328]
2020-11-30 Benjamin Beurdouche <benjamin.beurdouche@inria.fr>
* build.sh, coreconf/config.gypi, lib/ckfw/builtins/testlib/builtins-
testlib.gyp, lib/ckfw/builtins/testlib/nssckbi-testlib.def, nss.gyp:
Bug 1678384 - Add a build flag to allow building nssckbi-testlib in
m-c r=kjacobs
[22bf7c680b60]
2020-12-01 Kevin Jacobs <kjacobs@mozilla.com>
* lib/dev/devslot.c:
Bug 1679290 - Don't hold slot lock when taking session lock
r=bbeurdouche
[[ https://hg.mozilla.org/projects/nss/rev/0ed11a5835ac1556ff978362c
d61069d48f4c5db | 0ed11a5835ac1556ff978362cd61069d48f4c5db ]] fixed
a number of race conditions related to NSSSlot member accesses.
Unfortunately the locking order that was imposed by that patch has
been found to cause problems for at least one PKCS11 module,
libnsspem.
This patch drops nested locking in favor of unlocking/re-locking.
While this isn't perfect, the original problem in bug 1663661 was
that `slot->token` could become NULL, which we can easily check
after reacquiring.
[19585ccc7a1f]
2020-11-25 Makoto Kato <m_kato@ga2.so-net.ne.jp>
* lib/freebl/blinit.c:
Bug 1678990 - Use __ARM_FEATURE_CRYPTO for feature detection.
r=bbeurdouche
Actually, we have CPU feature detection for Linux and FreeBSD on
aarch64 platform. But others don't.
macOS doesn't has any CPU feature detection for ARM Crypto
Extension, but toolchain default is turned on. So we should respect
__ARM_FEATURE_CRYPTO.
[f1e48fbead3d]
2020-11-19 Lauri Kasanen <cand@gmx.com>
* lib/freebl/Makefile:
Bug 1642174 - Resolve sha512-p8.o: ABI version 2 is not compatible
with ABI version 1 output. r=jcj Don't try to build the SHA-2
accelerated asm on old-ABI ppc.
Currently make only, I don't have enough gyp-fu to do that side.
However, the reporters of 1642174 and 1635625 both used make, not
gyp.
Signed-off-by: Lauri Kasanen <cand@gmx.com>
[d806f7992b10]
Differential Revision: https://phabricator.services.mozilla.com/D98509
Before this patch, when RemoteSecuritySettings would download multiple new
stashes, it would add the first one to cert_storage, which would reconstruct
the in-memory representation of all of the issuer/serial hashmaps/sets
(including preexisting ones), and then RemoteSecuritySettings would add the
second one, and cert_storage would reconstruct the entire in-memory
representation of the issuer/serial hashmaps/sets again, and so on, re-doing
all of the work each time. This is essentially O(n^2) work. This patch improves
both RemoteSecuritySettings and cert_storage to minimize this work, reducing it
to O(n).
Differential Revision: https://phabricator.services.mozilla.com/D97829
It's a common way to check the existence of system calls. Glibc may fall
back to fstatat when statx is called, passing down the null path.
Since we handle fstatat, let's return -EFAULT the same way the real
fstatat syscall would do.
This is needed for the sandbox not to constantly crash due to this statx
call in rustc:
09c9c9f7da/library/std/src/sys/unix/fs.rs (L119-L123)
Differential Revision: https://phabricator.services.mozilla.com/D98414
This allows us to avoid calling any NSSCertificateDB methods on the main
thread or allocating memory for xpconnect wrappers of cert objects.
Differential Revision: https://phabricator.services.mozilla.com/D97970
