gecko-dev/security
Kevin Jacobs 1eb47f6133 Bug 1684061 - land NSS 97ef009f7a78 UPGRADE_NSS_RELEASE, r=bbeurdouche
2020-12-11  Kevin Jacobs  <kjacobs@mozilla.com>

	* automation/abi-check/expected-report-libssl3.so.txt, automation/abi-
	check/previous-nss-release, lib/nss/nss.h, lib/softoken/softkver.h,
	lib/util/nssutil.h:
	Set version numbers to 3.61 Beta
	[f277d2674c80]

	* gtests/<...>
	Bug 1677207 - Update Google Test to release-1.10.0 r=bbeurdouche

	./gtests/google_test/update.sh release-1.10.0 && hg remove -A && hg
	add gtests/google_test/*

	[89141382df45]

	* gtests/<...>
	Bug 1677207 - Replace references to TestCase, which is deprecated,
	with TestSuite r=bbeurdouche

	grep -rl --exclude-dir=google_test INSTANTIATE_TEST_CASE_P gtests |
	xargs sed -i '' s/INSTANTIATE_TEST_CASE_P/INSTANTIATE_TEST_SUITE_P/g
	grep -rl --exclude-dir=google_test SetUpTestCase gtests | xargs sed
	-i '' s/SetUpTestCase/SetUpTestSuite/g

	[e15b78be87fa]

	* gtests/ssl_gtest/ssl_ciphersuite_unittest.cc,
	gtests/ssl_gtest/ssl_debug_env_unittest.cc,
	gtests/ssl_gtest/ssl_extension_unittest.cc,
	gtests/ssl_gtest/ssl_loopback_unittest.cc,
	gtests/ssl_gtest/ssl_renegotiation_unittest.cc,
	gtests/ssl_gtest/ssl_resumption_unittest.cc,
	gtests/ssl_gtest/ssl_version_unittest.cc,
	gtests/ssl_gtest/tls_ech_unittest.cc:
	Bug 1677207 - Use GTEST_SKIP in ssl_gtests. r=bbeurdouche

	[0772f1bf5fd6]

2020-12-17  Robert Relyea  <rrelyea@redhat.com>

	* gtests/common/testvectors/ike-aesxcbc-vectors.h,
	gtests/common/testvectors/ike-sha1-vectors.h,
	gtests/common/testvectors/ike-sha256-vectors.h,
	gtests/common/testvectors/ike-sha384-vectors.h,
	gtests/common/testvectors/ike-sha512-vectors.h,
	gtests/common/testvectors_base/test-structs.h,
	gtests/pk11_gtest/manifest.mn, gtests/pk11_gtest/pk11_gtest.gyp,
	gtests/pk11_gtest/pk11_ike_unittest.cc, lib/softoken/sftkike.c:
	Bug 1682071 IKE Quick mode IPSEC give you incorrect keys if you are
	asking for keys smaller than the hash size.

	IKE Appendix B fixes.

	This patch fixes 2 problems.

	 If you run either ike v1 App B or quick mode asking for a key with
	length

	mod macsize = 0, you will generate an extra block that's not used
	and overwrites the end of the buffer.

	 If you use quick mode, the function incorrectly subsets the
	existing key

	rather than generating a new key. This is correct behavior for
	Appendix B, where appendix B is trying to take a generated key and
	create a new longer key (with no diversification, just transform the
	key into something that's longer), so if you ask for a key less than
	or equal to, then you want to just subset the original key. In quick
	mode you are taking a base key and creating a set of new keys based
	on additional data, so you want to subset the generated data. This
	patch only subsets the original key if you aren't doing quickmode.

	Full test vectors have now been added for all ike modes in this
	patch as well (previously we depended on the FIPS CAVS tests to test
	ike, which covers basic IKEv1, IKEv1_psk, and IKEv2 but not IKEv1
	App B and IKE v1 Quick mode).

	[f4995c9fa185]

2020-12-18  Robert Relyea  <rrelyea@redhat.com>

	* gtests/common/testvectors/rsa_pkcs1_2048_test-vectors.h,
	gtests/common/testvectors/rsa_pkcs1_3072_test-vectors.h,
	gtests/common/testvectors/rsa_pkcs1_4096_test-vectors.h,
	gtests/freebl_gtest/Makefile, gtests/freebl_gtest/manifest.mn,
	gtests/freebl_gtest/rsa_unittest.cc, gtests/manifest.mn,
	gtests/pk11_gtest/pk11_rsaencrypt_unittest.cc,
	gtests/pk11_gtest/pk11_rsaoaep_unittest.cc, lib/freebl/alghmac.c,
	lib/freebl/alghmac.h, lib/freebl/rsapkcs.c:
	Bug 1651411 New tlsfuzzer code can still detect timing issues in RSA
	operations.

	This patch defeats Bleichenbacher by not trying to hide the size of
	the decrypted text, but to hide if the text succeeded for failed.
	This is done by generating a fake returned text that's based on the
	key and the cipher text, so the fake data is always the same for the
	same key and cipher text. Both the length and the plain text are
	generated with a prf.

	Here's the proposed spec the patch codes to:

	 1. Use SHA-256 to hash the private exponent encoded as a big-
	endian integer to a string the same length as the public modulus.
	Keep this value secret. (this is just an optimisation so that the
	implementation doesn't have to serialise the key over and over
	again) 2. Check the length of input according to step one of
	https://tools.ietf.org/html/rfc8017#section-7.2.2 3. When provided
	with a ciphertext, use SHA-256 HMAC(key=hash_from_step1,
	text=ciphertext) to generate the key derivation key 4. Use SHA-256
	HMAC with key derivation key as the key and a two-byte big- endian
	iterator concatenated with byte string "length" with the big- endian
	representation of 2048 (0x0800) as the bit length of the generated
	string.
	      - Iterate this PRF 8 times to generate a 256 byte string 5. initialise
	the length of synthetic message to 0 6. split the PRF output into 2
	byte strings, convert into big-endian integers, zero- out high-order
	bits so that they have the same bit length as the octet length of
	the maximum acceptable message size (k-11), select the last integer
	that is no larger than (k-11) or remain at 0 if no integer is
	smaller than (k-11); this selection needs to be performed using a
	side-channel free operators 7. Use SHA-256 HMAC with key derivation
	key as the key and a two-byte big-endian iterator concatenated with
	byte string "message" with the big-endian representation of k*8
	      - use this PRF to generate k bytes of output (right-truncate last HMAC
	call if the number of generated bytes is not a multiple of SHA-256
	output size) 8. perform the RSA decryption as described in step 2 of
	section 7.2.2 of rfc8017 9. Verify the EM message padding as
	described in step 3 of section 7.2.2 of rfc8017, but instead of
	outputting "decryption error", return the last l bytes of the
	"message" PRF, when l is the selected synthetic message length using
	the "length" PRF, make this decision and copy using side-channel
	free operation

	[fc05574c7399]

2020-12-22  Robert Relyea  <rrelyea@redhat.com>

	* gtests/freebl_gtest/rsa_unittest.cc,
	gtests/pk11_gtest/pk11_rsaoaep_unittest.cc, lib/freebl/alghmac.c,
	lib/freebl/rsapkcs.c:
	Restore lost portion of the bleichenbacher timing batch that
	addressed review comments. All the review comments pertained to
	actual code comments, so this patch only affects the comments.
	[fcebe146314e]

2020-12-22  Kevin Jacobs  <kjacobs@mozilla.com>

	* lib/dev/devslot.c:
	Bug 1682863 - Revert nssSlot_IsTokenPresent to 3.58 after ongoing Fx
	hangs with slow PKCS11 devices. r=bbeurdouche

	This patch reverts the `nssSlot_IsTokenPresent` changes made in bug
	1663661 and bug 1679290, restoring the version used in NSS 3.58 and
	earlier. It's not an actual `hg backout` because the comment in
	lib/dev/devt.h is worth keeping. While removing the nested locking
	did resolve the hang for some (most?) third-party modules, problems
	remain with some slower tokens after an even further relaxation of
	the locking, which defeats the purpose of addressing the races in
	the first place.

	The crash addressed by these patches was caused by the Intermediate
	Preloading Healer in Firefox, which has been disabled. We clearly
	have insufficient test coverage for third-party modules, and now
	that osclientcerts is enabled in Fx Nightly, any problems caused by
	these and similar changes is unlikely to be reported until Fx Beta,
	well after NSS RTM. I think the best option at this point is to
	simply revert NSS.

	[97ef009f7a78] [tip]

Differential Revision: https://phabricator.services.mozilla.com/D100401
2020-12-23 19:54:31 +00:00
..
apps Bug 1272794 - Clean up Digest class API r=keeler,necko-reviewers,valentin 2020-11-11 22:16:38 +00:00
certverifier Backed out changeset b1c01a78a999 (bug 1676303) for perma failures in test_sanctions_symantec_apple_google.js CLOSED TREE 2020-12-16 22:04:49 +02:00
ct Bug 1654103: Standardize on Black for Python code in mozilla-central. 2020-10-26 18:34:53 +00:00
mac/hardenedruntime
manager No Bug, mozilla-central repo-update HSTS HPKP remote-settings tld-suffixes - a=repo-update r=RyanVM 2020-12-21 14:41:51 +00:00
nss Bug 1684061 - land NSS 97ef009f7a78 UPGRADE_NSS_RELEASE, r=bbeurdouche 2020-12-23 19:54:31 +00:00
sandbox Bug 1678174 - Add remaining time64 syscalls to the Linux sandboxes. r=gcp 2020-12-08 01:02:18 +00:00
.eslintrc.js
generate_certdata.py Bug 1654103: Standardize on Black for Python code in mozilla-central. 2020-10-26 18:34:53 +00:00
generate_mapfile.py Bug 1654103: Standardize on Black for Python code in mozilla-central. 2020-10-26 18:34:53 +00:00
moz.build Bug 1678079 - Add PSM support and xpcshell tests for ECH. r=keeler,kershaw 2020-12-04 15:26:17 +00:00
nss.symbols Bug 1661543 - Backed out 1 changesets (bug 1651449) for performance regression. a=backout CLOSED TREE 2020-08-27 22:31:36 +02:00