mirror of https://github.com/mozilla/gecko-dev.git synced 2024-10-09 11:25:00 +00:00

History

Kevin Jacobs b838f38de2 Bug 1671713 - land NSS 035110dfa0b9 UPGRADE_NSS_RELEASE, r=bbeurdouche 2020-10-26 Robert Relyea <rrelyea@redhat.com> * lib/libpkix/pkix_pl_nss/pki/pkix_pl_ocspresponse.c, tests/ssl/ssl.sh: Bug 1672291 libpkix OCSP failures on SHA1 self-signed root certs when SHA1 signatures are disabled. r=mt When libpkix is checking an OCSP cert, it can't use the passed in set of trust anchors as a base because only the single root that signed the leaf can sign the OCSP request. As a result it actually checks the signature of the self-signed root when processing an OCSP request. This fails of the root cert signature is invalid for any reason (including it's a sha1 self-signed root cert and we've disabled sha1 signatures (say, by policy)). Further investigation indicates the difference between our classic code and the current code is the classic code only checks OCSP responses on leaf certs. In the real world, those responses are signed by intermediate certificates (who won't have sha1 signed certificates anymore), so our signature processing works just fine. pkix checks OCSP on the intermediate certificates as well, which are signed by the root cert. In this case the root cert is a chain of 1, and is effectively a leaf. This patch updates the OCSP response code to not check the signatures on the single cert if that cert is a selfsigned root cert. This requires bug 391476 so we still do the other validation checking on the certs (making sure it's trusted as a CA). [035110dfa0b9] [tip] 2020-10-23 Robert Relyea <rrelyea@redhat.com> * lib/certhigh/certvfypkix.c, lib/libpkix/pkix_pl_nss/module/pkix_pl_nsscontext.c, lib/libpkix/pkix_pl_nss/module/pkix_pl_nsscontext.h, lib/libpkix/pkix_pl_nss/pki/pkix_pl_cert.c, lib/libpkix/pkix_pl_nss/pki/pkix_pl_ocspresponse.c, tests/ssl/ssl.sh: Bug 1672291 libpkix OCSP failures on SHA1 self-signed root certs when SHA1 signatures are disabled. When libpkix is checking an OCSP cert, it can't use the passed in set of trust anchors as a base because only the single root that signed the leaf can sign the OCSP request. As a result it actually checks the signature of the self-signed root when processing an OCSP request. This fails of the root cert signature is invalid for any reason (including it's a sha1 self-signed root cert and we've disabled sha1 signatures (say, by policy)). Further investigation indicates the difference between our classic code and the current code is the classic code only checks OCSP responses on leaf certs. In the real world, those responses are signed by intermediate certificates (who won't have sha1 signed certificates anymore), so our signature processing works just fine. pkix checks OCSP on the intermediate certificates as well, which are signed by the root cert. In this case the root cert is a chain of 1, and is effectively a leaf. This patch updates the OCSP response code to not check the signatures on the single cert if that cert is a selfsigned root cert. This requires bug 391476 so we still do the other validation checking on the certs (making sure it's trusted as a CA). [97f69f7a89a1] 2020-10-26 Kevin Jacobs <kjacobs@mozilla.com> * gtests/ssl_gtest/tls_filter.cc: Bug 1644209 - Fix broken SelectedCipherSuiteReplacer filter. r=mt This patch corrects the `SelectedCipherSuiteReplacer`filter to always parse the `session_id` variable (`legacy_session_id` for TLS 1.3+). The previous code attempted to skip it in 1.3+ but did not account for DTLS wire versions, resulting in intermittent failures. [a79d14b06b4a] 2020-10-26 Daiki Ueno <dueno@redhat.com> * gtests/ssl_gtest/ssl_tls13compat_unittest.cc, lib/ssl/ssl3con.c, lib/ssl/sslimpl.h: Bug `1672703`, always tolerate the first CCS in TLS 1.3, r=mt Summary: This flips the meaning of the flag for checking excessive CCS messages, so it only rejects multiple CCS messages while the first CCS message is always accepted. Reviewers: mt Reviewed By: mt Bug #: `1672703` [b03a4fc5b902] 2020-10-23 Robert Relyea <rrelyea@redhat.com> * automation/abi-check/expected-report-libnssutil3.so.txt, gtests/mozpkix_gtest/pkixcert_signature_algorithm_tests.cpp, lib/nss/nss.h, lib/ssl/ssl3con.c, lib/util/SECerrs.h, lib/util/nssutil.def, lib/util/secerr.h, tests/policy/policy.sh: Bug 1670835 Crypto Policy Support needs to be updated with disable/enable support Policy update Current state of the nss policy system: The initial policy patch focused on getting policy working well in handling ssl. The policy infrastructure used two existing NSS infrastructure: 1) Algorithm policies tied the OIDS and 2) the ssl policy constraints first created to handle export policy restrictions. To make loadable policies work, we added a couple of new things: 1) a policy parser to the secmod infrastructure which allows us to set algorithm policies based on a config file. This file had two sections: disallow= and allow=. Disallow turned off policy bits, and allow turned them on. Disallow was always parsed first, so you could very strictly control your policy map by saying disallow=all allow={exclusive list of allowed algorithms} 2) a new NSS_Option() value that allowed the policy parser to set integer values (like minimum tls version) based on the data in the policy parser. 3) SSL code which is run at ssl_init time that reads the algorithm policies and maps the results to SSL policies. The resulting loaded policy code, in general, sets the boundaries of what it possible, actually enable/disable of ssl cipher suites are still under program control, and the builtin NSS default values. The only consession to configuration is if a cipher is disallowed by policy, it is also disabled. Allowing a cipher suite by policy that wasn't already enabled, however, doesn't enable that policy by default. Inside the policy restrictions, applications can still make their own decisions on configuration and preference. At the time the policy system was designed, there were 3 additional features, which were designed, but not specified: disable, enable, and lock. disable and enable work just like disallow and allow, except the specify what the default settings are. This would allow the policy file to change the underlying default in the case where the application doesn't try to configure ssl on it's own. lock would make either the policy or configuration 'locked' meaning once the lock has been executed, no further changes to those configurations would be allowed. What is needed: We have a need for the following additional features: 1) we want to turn more of the sha-1 hash function off by default. We still need sha-1 digest because it's used in many non-secure cases, but we do want to disable more sha-1 signature usage. Currently only CERT-SIGNATURE and various hmac usages in SSL ciphers can be controlled by policy. We want to disallow a greater range of signature (that is signature use in general). 2) we want to disable more ciphers by default, but need a way to have certain policies (like LEGACY) turn them back on, so that our shipped system is more secure by default. What this patch provides: 1) A new policy flag NSS_USE_ALG_IN_ANY_SIGNATURE was added. The cryptohi code which exports the NSS sign/verify high level code now checks the hash and signing algorithm against this new policy flag and fails if the policy isn't available. New key words were added to the policy parser for 'all-signature', which implies all signature flags at once, and 'signature', which maps to NSS_USE_ANY_SIGNATURE. NOTE: disable=all/signature and disable=all/all-signature are effective equivalent because cert-signatures eventually call the low level signature functions, but disable=all allow=rsa-pss/all- signature and disable=all allow=rsa-pss/signature are different in that the latter allows all rsa-pss signature and the latter allows rsa-pss signatures, but no on certificates (or on smime in the future) Also new keywords were added for rsa-pkcs, rsa-pss, and ecdsa for signature algorithms (along with dsa). 2) This patch implements disable and enable. These functions only work on SSL configuration. In the future SMIME/CMS configuration could also be added. Because the policy system is parsed and handled by NSS, and SSL configuration is handled in SSL, we use the same Apply code we used to apply ssl policy to set the inital configuration. The configured enable/disable state is configured in the ALGORTHIM policy system, where one bit says the enable/disable value is active and another bit which gives it's state. 3) two locks have been implented, policy-lock and ssl-lock. These are specified in the parser as flags (flags=policy-lock,ssl-lock). The policy locks all the policy changes: ssl_policy, algorithm policy, and options. It is implemented by two new exported functions: NSS_IsPolicyLocked() and NSS_LockPolicy(). The first allows applications to test if the policy is locked without having to try changing the policy. The various policy set functions check the NSS_IsPolicyLocked() function and returns SEC_ERROR_POLICY_LOCK if it's true. The ssl-lock changes the state of the policy to locked, and the state cannot be changed back without shutting down NSS. The second is implemented by setting a new Option called NSS_DEFAULT_LOCKS and the NSS_DEFAULT_SSL_LOCK flag. The idea is we can add an SMIME lock in the future. SSL checks the NSS_DEFAULT_SSL_LOCK flag before trying to set the cipher suite value, and blocks the change if it's set. 4) sslpolicy tests were updated to test the enable, disable, flags =policy-lock, flags=ssl-lock and the new signature primitives. 5) policy tests were updated to be able to run standalone (like all the other all.sh tests), as well as new tests to detect when no signing algorithms have been enabled. What is not in the patch 1) S/MIME signature policy has been defined for a while, but never hooked up. 2) S/MIME export policy needs to be connected back to the algorithm policy system just like the ssl cipher suites already are. 3) S/MIME default configuration needs to be connected back to the policy system. 4) ECC Curve policy needs to be hooked up with the signature policy (probably should create a generic 'key meets policy' function and have every call it). [6f79a7695812] * automation/abi-check/expected-report-libnss3.so.txt, gtests/pk11_gtest/pk11_rsaoaep_unittest.cc, lib/nss/nss.def, lib/pk11wrap/pk11pub.h, lib/pk11wrap/pk11skey.c: Bug 1666891 - Add PK11_Pub{Wrap,Unwrap}SymKeyWithMechanism r=mt,rrelyea Summary This is useful for RSA-OAEP support. The CKM_RSA_PKCS_OAEP mechanism requires a CK_RSA_PKCS_OAEP_PARAMS be present for PKCS#11 calls. This provides required context for OAEP. However, PK11_PubWrapSymKey lacks a way of providing this context and historically silently converted CKM_RSA_PKCS_OAEP to CKM_RSA_PKCS when a RSA key is provided. Introducing a new call will let us indicate parameters and potentially support other mechanisms in the future. This call mirrors the earlier calls introduced for RSA-PSS: PK11_SignWithMechanism and PK11_VerifyWithMechanism. The CKM_RSA_PKCS_OAEP mechanism requires a CK_RSA_PKCS_OAEP_PARAMS be present for PKCS#11 calls. This provides required context for OAEP. However, PK11_PubUnwrapSymKey lacks a way of providing this context, and additionally lacked a way of indicating which mechanism type to use for the unwrap operation (instead detecting it by key type). Introducing a new call will let us indicate parameters and potentially support other mechanisms in the future. Signed-off-by: Alexander Scheel <ascheel@redhat.com> [33f920fcd175] 2020-10-23 Petr Sumbera <petr.sumbera@oracle.com> * coreconf/config.gypi: Bug 1667989 - coreconf/config.gypi should allow correct linking on Solaris r=kjacobs,bbeurdouche [e3bd9c2f9259] 2020-10-23 Kevin Jacobs <kjacobs@mozilla.com> * automation/abi-check/expected-report-libnss3.so.txt, gtests/pk11_gtest/pk11_find_certs_unittest.cc, lib/nss/nss.def: Bug 1668123 - Export CERT_AddCertToListHeadWithData and CERT_AddCertToListTailWithData. r=jcj [0f15b05daeed] 2020-07-30 Benjamin Beurdouche <bbeurdouche@mozilla.com> * lib/ckfw/builtins/certdata.txt: Bug 1634584 - Set CKA_NSS_SERVER_DISTRUST_AFTER for Trustis FPS Root CA. r=kjacobs [7076e78ddafe] 2020-10-14 J.C. Jones <jjones@mozilla.com> * lib/util/secasn1d.c: Bug 1663091 - Remove unnecessary assertions in the streaming ASN.1 decoder r=kjacobs The streaming ASN.1 decoder had assertions that, on debug builds, blocked embedding indefinite-length fields inside of definite-length fields/contexts, however that behavior does work correctly, and is valid ASN.1: it tends to happen when wrapping a signature around existing ASN.1-encoded data, if that already-encoded data had an indefinite length. Really these two assertion were just overzealous. The conditional after the asserts handle the case well, and memory sanitizers have not found issue here either. [d0153cc0c464] Differential Revision: https://phabricator.services.mozilla.com/D95093		2020-11-02 18:04:59 +00:00
..
automation	Bug 1671713 - land NSS 035110dfa0b9 UPGRADE_NSS_RELEASE, r=bbeurdouche	2020-11-02 18:04:59 +00:00
cmd	Bug 1655105 - land NSS afa38fb2f0b5 UPGRADE_NSS_RELEASE, r=jcj	2020-08-04 19:54:56 +00:00
coreconf	Bug 1671713 - land NSS 035110dfa0b9 UPGRADE_NSS_RELEASE, r=bbeurdouche	2020-11-02 18:04:59 +00:00
cpputil	Bug 1666567 - land NSS NSS_3_58_BETA1 UPGRADE_NSS_RELEASE, r=kjacobs	2020-10-12 20:42:51 +00:00
doc
fuzz
gtests	Bug 1671713 - land NSS 035110dfa0b9 UPGRADE_NSS_RELEASE, r=bbeurdouche	2020-11-02 18:04:59 +00:00
lib	Bug 1671713 - land NSS 035110dfa0b9 UPGRADE_NSS_RELEASE, r=bbeurdouche	2020-11-02 18:04:59 +00:00
nss/automation/abi-check
nss-tool	Bug 1655105 - land NSS afa38fb2f0b5 UPGRADE_NSS_RELEASE, r=jcj	2020-08-04 19:54:56 +00:00
pkg
tests	Bug 1671713 - land NSS 035110dfa0b9 UPGRADE_NSS_RELEASE, r=bbeurdouche	2020-11-02 18:04:59 +00:00
.arcconfig
.clang-format
.gitignore
.sancov-blacklist
.taskcluster.yml
build.sh
COPYING
exports.gyp
help.txt
mach
Makefile	Bug 1636656 - land NSS daa823a4a29b UPGRADE_NSS_RELEASE, r=kjacobs	2020-05-19 21:55:59 +00:00
manifest.mn	Bug 1655105 - land NSS afa38fb2f0b5 UPGRADE_NSS_RELEASE, r=jcj	2020-08-04 19:54:56 +00:00
nss.gyp
readme.md
TAG-INFO	Bug 1671713 - land NSS 035110dfa0b9 UPGRADE_NSS_RELEASE, r=bbeurdouche	2020-11-02 18:04:59 +00:00
trademarks.txt

readme.md

Network Security Services

Network Security Services (NSS) is a set of libraries designed to support cross-platform development of security-enabled client and server applications. NSS supports TLS 1.2, TLS 1.3, PKCS #5, PKCS#7, PKCS #11, PKCS #12, S/MIME, X.509 v3 certificates, and other security standards.

Getting started

In order to get started create a new directory on that you will be uses as your local work area, and check out NSS and NSPR. (Note that there's no git mirror of NSPR and you require mercurial to get the latest NSPR source.)

git clone https://github.com/nss-dev/nss.git
hg clone https://hg.mozilla.org/projects/nspr

NSS can also be cloned with mercurial

hg clone https://hg.mozilla.org/projects/nss

Building NSS

This build system is under development. It does not yet support all the features or platforms that NSS supports. To build on anything other than Mac or Linux please use the legacy build system as described below.

Build requirements:

gyp
ninja

After changing into the NSS directory a typical build is done as follows

./build.sh

Once the build is done the build output is found in the directory ../dist/Debug for debug builds and ../dist/Release for opt builds. Exported header files can be found in the include directory, library files in directory lib, and tools in directory bin. In order to run the tools, set your system environment to use the libraries of your build from the "lib" directory, e.g., using the LD_LIBRARY_PATH or DYLD_LIBRARY_PATH.

See help.txt for more information on using build.sh.

Building NSS (legacy build system)

After changing into the NSS directory a typical build of 32-bit NSS is done as follows:

make nss_build_all

The following environment variables might be useful:

BUILD_OPT=1 to get an optimised build
USE_64=1 to get a 64-bit build (recommended)

The complete list of environment variables can be found here.

To clean the build directory run:

make nss_clean_all

Tests

Setup

Make sure that the address $HOST.$DOMSUF on your computer is available. This is necessary because NSS tests generate certificates and establish TLS connections, which requires a fully qualified domain name. You can test this by calling ping $HOST.$DOMSUF. If this is working, you're all set. If it's not, set or export:

HOST=nss
DOMSUF=local

Note that you might have to add nss.local to /etc/hosts if it's not there. The entry should look something like 127.0.0.1 nss.local nss.

Running tests

Runnning all tests will take a while!

cd tests
./all.sh

Make sure that all environment variables set for the build are set while running the tests as well. Test results are published in the folder ../../test_results/.

Individual tests can be run with the NSS_TESTS environment variable, e.g. NSS_TESTS=ssl_gtests ./all.sh or by changing into the according directory and running the bash script there cd ssl_gtests && ./ssl_gtests.sh. The following tests are available:

cipher lowhash libpkix cert dbtests tools fips sdr crmf smime ssl ocsp merge pkits chains ec gtests ssl_gtests bogo policy

To make tests run faster it's recommended to set NSS_CYCLES=standard to run only the standard cycle.

Releases

NSS releases can be found at Mozilla's download server. Because NSS depends on the base library NSPR you should download the archive that combines both NSS and NSPR.

Contributing

Bugzilla is used to track NSS development and bugs. File new bugs in the NSS product.

A list with good first bugs to start with are listed here.

NSS Folder Structure

The nss directory contains the following important subdirectories:

coreconf contains the build logic.
lib contains all library code that is used to create the runtime libraries.
cmd contains a set of various tool programs that are built with NSS. Several tools are general purpose and can be used to inspect and manipulate the storage files that software using the NSS library creates and modifies. Other tools are only used for testing purposes.
test and gtests contain the NSS test suite. While test contains shell scripts to drive test programs in cmd, gtests holds a set of gtests.

A more comprehensible overview of the NSS folder structure and API guidelines can be found here.

NSS supports build configurations for FIPS-140 compliance, and alternative build configurations that disable functionality specific to FIPS-140 compliance.

This section documents the environment variables and build parameters that control these configurations.

Build FIPS startup tests

The C macro NSS_NO_INIT_SUPPORT controls the FIPS startup self tests. If NSS_NO_INIT_SUPPORT is defined, the startup tests are disabled.

The legacy build system (make) by default disables these tests. To enable these tests, set environment variable NSS_FORCE_FIPS=1 at build time.

The gyp build system by default disables these tests. To enable these tests, pass parameter --enable-fips to build.sh.

Building either FIPS compliant or alternative compliant code

The C macro NSS_FIPS_DISABLED can be used to disable some FIPS compliant code and enable alternative implementations.

The legacy build system (make) never defines NSS_FIPS_DISABLED and always uses the FIPS compliant code.

The gyp build system by default defines NSS_FIPS_DISABLED. To use the FIPS compliant code, pass parameter --enable-fips to build.sh.

Test execution

The NSS test suite may contain tests that are included, excluded, or are different based on the FIPS build configuration. To execute the correct tests, it's necessary to determine which build configuration was used.

The legacy build system (make) uses environment variables to control all aspects of the build configuration, including FIPS build configuration.

Because the gyp build system doesn't use environment variables to control the build configuration, the NSS tests cannot rely on environment variables to determine the build configuration.

A helper binary named nss-build-flags is produced as part of the NSS build, which prints the C macro symbols that were defined at build time, and which are relevant to test execution.