path: root/cmd
Commit message, Author, Age, Files, Lines
...
* Bug 1642153 - Avoid infinite recursion when CHECKLOC is not set. r=jcj
  Author: Mike Hommey; Age: 2020-06-03; Files: 1; Lines: -0/+2

  Differential Revision: https://phabricator.services.mozilla.com/D77596
* Bug 1639033 - Fix signed-unsigned comparison warning in basicutil.c. r=kjacobs
  Author: Jeff Walden; Age: 2020-05-19; Files: 1; Lines: -1/+3

  Differential Revision: https://phabricator.services.mozilla.com/D75840
* Bug 1629553 Merge simple config.mk files r=rrelyea
  Author: Jan-Marek Glogowski; Age: 2020-05-05; Files: 35; Lines: -109/+35

  There is really no good reason to explicitly change the TARGET variable. And the empty SHARED_LIBRARY variable should also be in the manifest.mn to begin with. All the other empty variables start empty or undefined, so there is also no need to explicitly set them empty.

  Differential Revision: https://phabricator.services.mozilla.com/D70691
* Bug 1629553 Rework the LIBRARY_NAME ruleset r=rrelyea
  Author: Jan-Marek Glogowski; Age: 2020-05-05; Files: 1; Lines: -8/+1

    * Drop the WIN% "32" default DLL suffix
    * Add default resource file handling => drop default RES
    * Generate IMPORT_LIBRARY based on IMPORT_LIB_SUFFIX and SHARED_LIBRARY, so we can drop all the explicit empty IMPORT_LIBRARY lines

  Originally this patch also tried to add a default MAPFILE rule, but this fails, because the ARCH makefiles set linker flags based on an existing MAPFILE variable.

  Differential Revision: https://phabricator.services.mozilla.com/D70369
* Bug 290526 Drop double-colon usage and add directory depends r=rrelyea
  Author: Jan-Marek Glogowski; Age: 2020-05-05; Files: 3; Lines: -4/+5

  Double-colon rule behaviour isn't really compatible with parallel build. This gets rid of all of them, so we can codify the directory dependencies. This leaves just three problems, which aren't really fixable with the current build system without completely replacing it:

    * everything depends on nsinstall
    * everything depends on installed headers
    * ckfw child directories depend on the build parent libs

  This is handled by the prepare_build target.

  Overall this allows most of the build to run in parallel.

  P.S. the release_md:: has to stay :-(
  P.P.S. no clue, why freebl must use libs: instead of using the TARGETS and .PHONY variables

  Differential Revision: https://phabricator.services.mozilla.com/D69023
* Bug 290526 Drop recursive private_exports r=rrelyea
  Author: Jan-Marek Glogowski; Age: 2020-05-05; Files: 14; Lines: -56/+2

  Copying private headers is now simply included in the exports target, as these headers use an extra directory anyway.

  Differential Revision: https://phabricator.services.mozilla.com/D69021
* Bug 290526 Parallelize part of the NSS build r=rrelyea
  Author: Jan-Marek Glogowski; Age: 2020-05-05; Files: 1; Lines: -2/+3

  This still serializes many targets, but at least these targets themselves run their build in parallel. The main serialization happens in nss/Makefile and nss/coreconf/rules.mk's all target.

  We can't add these as real dependencies, as all Makefile snippets use the same variable names. I tried to always run sub-makes to hack in the dependencies, but these don't know of each other, so targets very often run twice, and this breaks the build.

  Having a tests:: target and a tests directory leads to misery (and doesn't work), so it's renamed to check.

  This just works with NSS_DISABLE_GTESTS=1 specified and is fixed by a follow up patch, which removes the double-colon usage and adds the directory dependencies!

  Differential Revision: https://phabricator.services.mozilla.com/D69019
* Bug 1622033 - Disable flag for SEED deprecation. r=kjacobs,rrelyea
  Author: Benjamin Beurdouche; Age: 2020-05-05; Files: 1; Lines: -16/+40

  Differential Revision: https://phabricator.services.mozilla.com/D70672
* Bug 1629661 MPConfig calls in SSL initializes policy before NSS is initialized. r=mt
  Author: Robert Relyea; Age: 2020-04-14; Files: 1; Lines: -8/+41

  NSS has several config functions that multiprocess servers must call before NSS is initialized to set up shared memory caches between the processes. These functions call ssl_init(), which initializes the ssl policy. The ssl policy initialization, however, needs to happen after NSS itself is initialized. Doing so beforehand causes (in the best case) policy to be ignored by these servers, and crashes (in the worst case).

  Instead, these cache functions should just initialize those things it needs (that is the NSPR ssl error codes).

  This patch does:
    1) fixes the cache init code to only initialize error codes.
    2) fixes the selfserv MP code to 1) be compatible with ssl.sh's selfserv management (at least on Unix), and 2) mimic the way real servers handle the MP_Cache init code (calling NSS_Init after the cache set up).
    3) update ssl.sh server policy test to test policy usage on an MP server. This is only done for non-windows like OS's because they can't catch the kill signal to force their children to shutdown.

  I've verified that the test fails if 2 and 3 are included but 1 is not (and succeeds if all three are included).

  Differential Revision: https://phabricator.services.mozilla.com/D70948
* Bug 1622555 - Fix lowhashtest argument parsing. r=kjacobs
  Author: Hans Petter Jansson; Age: 2020-03-26; Files: 1; Lines: -2/+2
|
* Bug 1603628 Update NSS to handle PKCS #11 v3.0 r=ueno r=mt
  Author: Robert Relyea; Age: 2020-03-17; Files: 1; Lines: -1/+1

  Update to PKCS #11 v3.0 part 2.

  Create the functions and switch to the C_Interface() function to fetch the PKCS #11 function table. Also PKCS #11 v3.0 uses a new fork safe interface. NSS can already handle the case if the PKCS #11 module happens to be fork safe (when asked by the application to refresh the tokens in the child process, NSS can detect that such a refresh is not necessary and continue). Softoken could also be put in fork_safe mode with an environment variable. With this patch it's the default, and NSS asks for the fork safe API by default. Technically softoken should implement the old non-fork safe interface when PKCS #11 v2.0 is called, but NSS no longer needs it, and doing so would double the number of PKCS #11 interfaces needed. You can still compile with fork unsafe semantics, and the PKCS #11 V3.0 module will do the right thing and not include the fork safe flag. Firefox does not fork(), so for Firefox this is simply code that is no longer compiled.

  We now use C_GetInterface, which allows us to specify what kind of interface we want (PKCS #11 v3.0, PKCS #11 v2.0, fork safe, etc.). Vendor specific functions can now be accessed through the C_GetInterface. If the C_GetInterface function does not exist, we fall back to the old C_GetFunctionList.

  There are 24 new functions in PKCS #11 v3.0:

    C_GetInterfaceList - return a table of all the supported interfaces
    C_GetInterface - return a specific interface. You can specify interface name, version and flags separately. You can leave off any of these and you will get what the token thinks is the best match of the interfaces that meet the criteria. We do this in softoken by the order of the interface list.
    C_SessionCancel - Cancel one or more multipart operations
    C_LoginUser - Supply a user name to C_Login(). This function has no meaning for softoken, so it just returns CKR_OPERATION_NOT_INITIALIZED under the theory that if we in the future want to support usernames, the NSS db would need special initialization to make that happen.
    C_Message* and C_*Message* (20 functions in all) are the new AEAD interface (they are written generally so that it can be used for things other than AEAD). In this patch they are unimplemented (see the next patch).

  This patch adds regular (NSC_) and FIPS (FC_) versions of these functions. Also when creating the PKCS #11 v2.0 interface, we had to create a 2.0 specific version of C_GetInfo so that it can return a 2.40 in the CK_VERSION field rather than 3.00. We do this with #defines since all the function tables are generated automagically with pkcs11f.h.

  Differential Revision: https://phabricator.services.mozilla.com/D67240
* Bug 1603628 Update NSS to handle PKCS #11 v3.0 r=daiki r=mhoye
  Author: Robert Relyea; Age: 2020-02-18; Files: 5; Lines: -21/+19

  https://phabricator.services.mozilla.com/D63241

  This patch implements the first phase: updating the headers.

    lib/util/pkcs11.h
    lib/util/pkcs11f.h
    lib/util/pkcs11t.h

  Were updated using the released OASIS PKCS #11 v3.0 header files.

  lib/util/pkcs11n.h was updated to finally deprecate all uses of CK?_NETSCAPE_?.

  A new define was added: NSS_PKCS11_2_0_COMPAT. If it's defined, the small semantic changes (including the removal of deprecated defines) between the NSS PKCS #11 v2 header file and the new PKCS #11 v3 are reverted in favor of the PKCS #11 v2 definitions. This includes the removal of CK?_NETSCAPE_? in favor of CK?_NSS_?.

  One notable change was caused by an inconsistency between the spec and the released headers in PKCS #11 v2.40. CK_GCM_PARAMS had an extra field in the header that was not in the spec. OASIS considers the header file to be normative, so PKCS #11 v3.0 resolved the issue in favor of the header file definition. NSS had the spec definition, so now there are 2 defines for this structure:

    CK_NSS_GCM_PARAMS - the old nss define. Still used internally in freebl.
    CK_GCM_PARAMS_V3 - the new define.
    CK_GCM_PARAMS - no longer referenced in NSS itself. It's defined as CK_GCM_PARAMS_V3 if NSS_PKCS11_2_0_COMPAT is *not* defined, and it's defined as CKM_NSS_GCM_PARAMS if NSS_PKCS11_2_0_COMPAT is defined.

  Softoken has been updated to accept either CK_NSS_GCM_PARAMS or CK_GCM_PARAMS_V3. In a future patch NSS will be updated to use CK_GCM_PARAMS_V3 and fall back to CK_NSS_GMC_PARAMS.

  One other semantic difference between the 3.0 version of pkcs11f.h and the version here: In the oasis version of the header, you must define CK_PKCS11_2_0_ONLY to get just the PKCS #11 v2 defines. In our version you must define CK_PKCS11_3 to get the PKCS #11 v3 defines.

  Most of this patch is to handle changing the deprecated defines that have been removed in PKCS #11 v3 from NSS.

  Differential Revision: https://phabricator.services.mozilla.com/D63241
* Bug 1608250 KBKDF - broken fipstest handling of KI_len r=rrelyea p=cipherboy
  Author: Robert Relyea; Age: 2020-03-13; Files: 1; Lines: -19/+19

  https://phabricator.services.mozilla.com/D59412

  When testing Bug 1608245, I realized that I had inadvertently broken fipstest.c's handling of KI and KI_len. This led to it passing bogus keys (with unusually large lengths exceeding the bounds of sizeof KI) to kbkdf_Dispatch(...).

  This uses Bob Relyea's suggestion on how to handle this: detect the size of KI when processing the mech selection, storing KI_len there. This simplifies reading of the KI value in later code.
* bug 1538980 - null-terminate ascii input in SECU_ReadDERFromFile so strstr is safe to call r=jcj,kjacobs
  Author: Dana Keeler; Age: 2020-02-11; Files: 1; Lines: -11/+11

  Differential Revision: https://phabricator.services.mozilla.com/D61931
* Bug 1603438 - Fix native tools build failure due to lack of zlib include dir if external r=jcj
  Author: Giulio Benetti; Age: 2020-01-07; Files: 1; Lines: -0/+4

  Add ZLIB_INCLUDE_DIR variable

  On Linux platform[1], the build system forces to use zlib from the system instead of compiling the one located intree.

  The following error is raised when the zlib header is installed somewhere else than in the default system include path:

    ssl3con.c:39:18: fatal error: zlib.h: No such file or directory
    #include "zlib.h"

  The same trick setup for sqlite include directory is reproduced for zlib. The build system disallows in any manner to give arguments to the compiler explicitly.

  The variable ZLIB_INCLUDE_DIR points to the directory where the zlib header is located.

  [1]: https://hg.mozilla.org/projects/nss/file/NSS_3_33_BRANCH/coreconf/Linux.mk#l180
  [2]: https://hg.mozilla.org/projects/nss/file/NSS_3_33_BRANCH/lib/softoken/manifest.mn#l17
* This implements NIST SP800-108 Counter, Feedback, and Double Pipeline
  Author: Robert Relyea; Age: 2020-01-06; Files: 1; Lines: -0/+523

  mode KDFs suitable for use in SCP03 and other protocols. These KDFs were introduced in PKCS#11 v3.0.

  Resolves: BZ#1599603

  https://phabricator.services.mozilla.com/D54821
* Bug 1605545 - Fix memory leak in Pk11Install_Platform_Generate. r=mt
  Author: Alex Henrie; Age: 2020-01-01; Files: 1; Lines: -2/+0

  Differential Revision: https://phabricator.services.mozilla.com/D58072
* Bug 1590339 - Fix MemoryLeak in btoa.c. r=kjacobs
  Author: Marcus Burghardt; Age: 2019-10-22; Files: 1; Lines: -0/+3

  Differential Revision: https://phabricator.services.mozilla.com/D50042
* Bug 1465613 - Fixup clang format a=bustage [NSS_3_47_BETA2]
  Author: J.C. Jones; Age: 2019-10-15; Files: 1; Lines: -1/+1
|
* Bug 1465613 - Created two new fields for scheduled distrust from builtins and updated support commands. r=jcj,kjacobs,mt
  Author: Marcus Burghardt; Age: 2019-10-11; Files: 2; Lines: -55/+108

  Added two new fields do scheduled distrust of CAs in nssckbi/builtins. Also, created a testlib to validate these fields with gtests.

  Differential Revision: https://phabricator.services.mozilla.com/D36597
* Bug 1494063, add -x option to tstclnt/selfserv to export keying material, r=mt
  Author: Daiki Ueno; Age: 2019-09-27; Files: 8; Lines: -8/+248

  Reviewers: rrelyea, mt
  Reviewed By: mt
  Subscribers: HubertKario
  Bug #: 1494063
  Differential Revision: https://phabricator.services.mozilla.com/D29166
* Bug 1581024 - Fix pointer comparisons, a=bustage
  Author: Martin Thomson; Age: 2019-09-27; Files: 1; Lines: -2/+3
|
* Bug 1581024 - fixup pointer wrap check to prevent it from being optimized out. r=jcj
  Author: Kevin Jacobs; Age: 2019-09-24; Files: 1; Lines: -1/+2

  Differential Revision: https://phabricator.services.mozilla.com/D47013
* Bug 1581759 - fix incorrect if condition in symkeyutil. r=kjacobs
  Author: Kai Engert; Age: 2019-09-18; Files: 1; Lines: -1/+1
|
* Bug 1581024 - Check for pointer wrap in derprint.c. r=jcj
  Author: Kevin Jacobs; Age: 2019-09-18; Files: 1; Lines: -1/+1

  Check for pointer wrap on output-length check in the derdump utility.

  Differential Revision: https://phabricator.services.mozilla.com/D46196
* Bug 1558313 - Fix clang warnings in pk11importtest.c and pkcs11.c r=marcusburghardt
  Author: Jenine; Age: 2019-09-16; Files: 1; Lines: -1/+3

  Differential Revision: https://phabricator.services.mozilla.com/D41486
* Bug 1579036 - Define error when trying to export non-existent cert with pk12util. r=jcj
  Author: Marcus Burghardt; Age: 2019-09-10; Files: 1; Lines: -0/+1

  Differential Revision: https://phabricator.services.mozilla.com/D45452
* Bug 1570501 - Expose AES-CMAC in PKCS #11 API, r=mt
  Author: Alexander Scheel; Age: 2019-08-30; Files: 1; Lines: -0/+2

  Differential Revision: https://phabricator.services.mozilla.com/D40121
* Bug 1575968 - Add strsclnt option to enforce the use of either IPv4 or IPv6 r=jcj
  Author: Kevin Jacobs; Age: 2019-08-23; Files: 1; Lines: -7/+34

  Differential Revision: https://phabricator.services.mozilla.com/D43134
* Bug 1574220 - Fixup clang-format r=bustage
  Author: J.C. Jones; Age: 2019-08-16; Files: 1; Lines: -1/+1
|
* Bug 1574220 - Improve controls after errors in tstcln, selfserv and vfyserv cmds. r=kjacobs
  Author: Marcus Burghardt; Age: 2019-08-15; Files: 3; Lines: -5/+15

  Differential Revision: https://phabricator.services.mozilla.com/D42165
* Bug 1560806 - Increased the max size supported for softoken passwords. r=jcj
  Author: Marcus Burghardt; Age: 2019-07-26; Files: 3; Lines: -3/+3

  Differential Revision: https://phabricator.services.mozilla.com/D39444
* Bug 1561588 - Remove -Wmaybe-uninitialized warning in p7env.c r=marcusburghardt,jcj
  Author: Giulio Benetti; Age: 2019-07-19; Files: 1; Lines: -2/+2
* Bug 1561591 - Remove -Wmaybe-uninitialized warning in tstclnt.c r=marcusburghardt,jcj
  Author: Giulio Benetti; Age: 2019-07-10; Files: 1; Lines: -1/+1
* Bug 1561558 - Remove -Wmaybe-uninitialized warning in httpserv.c r=marcusburghardt,jcj
  Author: Giulio Benetti; Age: 2019-07-10; Files: 1; Lines: -1/+1
* Bug 1540403 - draft-ietf-tls-subcerts-03, r=mt,jcj
  Author: Christopher Patton; Age: 2019-06-25; Files: 2; Lines: -4/+20

  Differential Revision: https://phabricator.services.mozilla.com/D25654
* Bug 1558681 - Initialize selfserv correctly, a=bustage
  Author: Martin Thomson; Age: 2019-06-26; Files: 1; Lines: -6/+6
|
* Bug 1558681 - Anti-replay contexts, r=jcj,kjacobs
  Author: Martin Thomson; Age: 2019-06-25; Files: 1; Lines: -1/+11

  Stop using a global anti-replay context and enable creating a context directly.

  This increases the overhead of managing anti-replay for applications marginally, but allows much greater flexibility in use of anti-replay mechanisms. In particular, it enables the testing of 0-RTT in a threaded environment.

  The comments in sslexp should be clear enough in explaining how this works. Basically, this is a new reference-counted object that can be created and tracked by applications.

  The only thing that I can see might be a problem with the API is that I haven't exposed a function to add a reference for use by applications. My thinking is that reference counting is an internal thing; it seems like applications won't need to worry about that.

  selfserv is updated to create a context and attach it to sockets. This shows that the management overhead is minor.

  The gtests have been tweaked to create a context during setup. The context is owned by the overall test framework and is passed to server instances after the sockets are initialized.

  Bonus changes:

    * ESNI keys are copied from the model socket when calling SSL_ReConfigFD().
    * Some better tracing in the anti-replay functions.

  Neither of these seemed worth the overhead of a bug to fix.

  Differential Revision: https://phabricator.services.mozilla.com/D34660
* Bug 1559906, fipstest: use CKM_TLS12_MASTER_KEY_DERIVE in TLS test, r=rrelyea
  Author: Tomas Mraz; Age: 2019-06-18; Files: 1; Lines: -6/+34

  This also lets us CAVS tests more than just SHA256.
* Bug 1546229 Add IPSEC IKE support to softoken.
  Author: Robert Relyea; Age: 2019-06-06; Files: 16; Lines: -786/+1327
|\
| * Bug 1546229 Add IPSEC IKE support to softoken.
    Author: Robert Relyea; Age: 2019-04-22; Files: 16; Lines: -786/+1327

    Differential Revision: https://phabricator.services.mozilla.com/D28519

    Patch notes:

    cmd/fipstest: Update fipstest to allow using old CAVS vectors in our all.sh. The various scripts have been moved to tests/fips/cavs_scripts. IKE functions were added to fipstest, and fipstest was updated to support verifying the output of ecdh and dh key agreement tests (kas).

      fipstest.c:
        NOTE: fipstest is the program NSS uses to process CAVS vectors from NIST. For historical reasons, it has known memory management issues. In general if there is a mistake, fipstest will likely crash. It has very little error checking. It has a very simplistic parser for the CAVS files. It requires the elements of the CAVS files to be in the correct order (most notably it requires the last element to always be in the last position). This is true of all the tests in fipstest, not just the new code.
        1. when verifying ec_dh and dh, accept both CAVSHashZZ and HashZZ as the input hash. This allows verify not only to verify NIST CAVS vectors, but also the output of ec_dh and dh functional tests.
        2. create ike functions modelled after the tls test functions. We test ike at the pkcs #11 level. There are three ike tests (driven by the three types of ike tests that NIST supplies):
          2.1) ikev1. This generates the ike v1 keys from the provided input. It used ike_prf to generate SKEYID and ikev1_prf to generate SKEYID_d, SKEYID_a, and SKEYID_e.
          2.2) ikev1_psk. This generates ike v1 keys from the provided input. It uses a pre-shared-secret-key. It also used ike_prf to generate SKEYID (though it uses it with bDataAsKey=false), and ikev1_prf to generate SKEYID_d, SKEYID_a, and SKEYID_e.
          2.3) ikev2. This generates ike v2 keys from the provided input. It uses ike_prf to generate SKEYSEED and ike_prf_plus to generate the key material. It also does a rekey using ike_prf and bRekey = true.
        3. Add parameters so the tls can be called.

    lib/softoken This is the main location where the new functionality is provided.

      fipstest.c
        Add the power up self test for ike. The actual test lives in sftkike.c.
      manifest.mn
        Add sftkike.c to the build.
      pkcs11.c
        Add AES XCBC MAC and IKE Mechanisms to the softoken mechanism table.
      pkcs11c.c
        sftk_MapCryptError() is now a 'global' within softoken and lives in pkcs11u.c. This was done so that sftkike.c can use it.
        sftk_InitCBCMac(). Update to handle AES XCBC, which is AES CBC MAC except 1) the underlying AES key is derived from the input key, and 2) the pad block is obscured using 2 new keys (k2, k3) also derived from the input key.
        sftk_MACFinal() handle the special pad processing for the XCBC case.
        sftk_MACUpdate() change the padding code to keep one full pad in the buffer. This won't affect normal MACs, but means that the last block in the Mac is always in the buffer so it can be processed in the XCBC case.
        NSC_DerviceKey() add the ike functions into the mechanism switch table. The actual implementations are in sftkike.c
      pkcs11i.h
        Add the XCBC state information into the SessionContext structure. sftk_MapCryptError is now global, include it in the header. include the ike and aes_xcbc helper functions.
      pkcs11u.c
        sftk_MapCryptError() now lives in pkcs11 utilities.
      sftkike.c
        prf_* functions implement all the underlying prf specific stuff. It hides whether the prf is an hmac or aes_xcbc. If there are additional prfs, they can be implemented here without affecting the rest of the derivation code. The AES_XCBC code is aes specific. If we ever add another XCBC type operation, we would probably want to initialize some encryption functions in prf_setup and only handle the difference between hmac and xcbc in the other prf functions.
        sftk_aes_xcbc_get_keys - takes in input key and derives k1, k2, and k3. This function handles this derivation for both the prf_ functions in sftkike and the exported AES_XCBC Mac in pkcs11c.c
        sftk_xcbc_mac_pad - function to handle the correct padding method for the last block of an xcbc operation. Unlike sftk_aes_xcbc_get_keys, it is independent of the xcbc's underlying encryption method, though only AES_XCBC is defined at this time.
        sftk_ike_prf - common prf between ikev1 and ikev2 to generate SKEYID/SKEYSEED. See comments in code.
        sftk_ike1_prf - ikev1 prf to generate the session keys in ikev1 from SKEYID. See comments in code.
        sftk_ike_prf_plus - ike prf+ to generate the session keys in ikev2 from SKEYSEED. See comments in code.
        sftk_aes_xcbc_new_keys - used in pkcs11c.c to generate the 2 derived keys used in aes_xcbc. Loads k1 into the pkcs11 slot as a session key.
        prf_test - helper function to test our known test vectors for our FIPS powerup self tests.
        sftk_fips_IKE_PowerUpSelfTests - test to make sure our basic system is working correctly.
      softokn.gyp - add sftkike.c to gyp

    lib/util

      pkcs11n.h
        add defines and structures for IKE. Since they are not yet an official PKCS #11 mechanism, use CKM_NSS and CK_NSS names for them.
      pkcs11t.h
        add CKM_AES_XCBC* mechanisms. These are defined in the latest PKCS #11 spec.

    tests/fips The work in this directory hooks up the CAVS tests we run to do fips validation into our normal test suite. This lets us use the NIST generated samples for

      cavs_samples/*
        These are all vectors generated by the NIST CAVS tools (*.req) or the expected results generated by the last openssl or NSS runs and verified by the NIST CAVS tools (*.fax). These are the inputs to our fipstest. No need to detail review these. They are not explicitly included in this patch because they are too big for phabricator to handle.
      cavs_scripts/*
        See the read me in that directory. These scripts were originally in cmd/fipstest. I added ike.sh, and I updated the verify target of all the scripts so they return 0 on success and 1 on failure. This allows us to use the tests in fips.sh
      fips.sh
        run the CAVS tests as part of the fips tests. This works to test our IKE support. Three of the cavs tests can take significant time (dsa and rsa takes several minutes, tdea is just over a minute). The code currently skips running those tests. You can run all the cavs tests by setting CAV_VECTORS=all
* | Bug 1543874 - Use an external clock for SSL functions, r=ekr,kevinjacobs
    Author: Martin Thomson; Age: 2019-05-20; Files: 1; Lines: -1/+1
|/
    Summary:
    This adds a new (experimental) API that allows users of libssl to provide their own clock function. This is primarily of use in testing, but it also enables our QUIC implementation, which also runs off an external clock.

    SSL Sockets (and session IDs, when they are in memory) now have a "now()" function and void* arg attached to them. By default, this is a function that calls PR_Now(). These values are copied from the socket to any session ID that is created from the socket, and to any session ID that is restored from the session cache.

    The ssl_Time() and ssl_TimeUsec() functions have been removed.

    As part of this, the experimental SSL_SetupAntiReplay() function had to be modified to take an external clock (PR_Now() suffices generally). That function relies on knowing the time, and it doesn't have a socket to work from. To avoid problems arising from the change in the signature, SSL_SetupAntiReplay is now removed.

    There are now three uses of time in the library:

      * The primary source of time runs off these newly added functions. This governs session expiry, 0-RTT checks, and related functions.
      * The session cache uses a separate time to manage its locking. This is of type PRUint32 in seconds (rather than PRTime in microseconds). In investigating this, I found several places where this time in seconds was leaking across to the main functions via the lastAccessTime property. That was fixed. The cache functions that use time now all call ssl_CacheNow() to get time.
      * DTLS timers run using PRIntervalTime. This is a little annoying and these could be made to use the main time source, but that would result in conversions between PRTime and PRIntervalTime at the DTLS API. PRIntervalTime has a different epoch to PRTime, so this would be a little awkward.

    Only the first of these can be controlled using the new API.

    Bugs found:

      * Expiration time of resumption tokens was based on the sid->expirationTime, which didn't account for the lifetime provided by the server. These are now capped by the minimum of ssl_ticket_lifetime and the value the server indicates. I removed ssl3_sid_timeout, the old limit, because inconsistent lifetimes between client and server messed with tests. The client would have a lower cap than the server, which prevented testing of the enforcement of server limits without jumping through hoops.
      * There was a missing time conversion in tls13_InWindow which made the window checks too lenient.
      * lastAccessTime was being set to seconds-since-epoch instead of microseconds-since-epoch in a few places.

    Reviewers: ekr, KevinJacobs
    Reviewed By: KevinJacobs
    Subscribers: cjpatton
    Bug #: 1543874
    Differential Revision: https://phabricator.services.mozilla.com/D27238
* Bug 1537927 - IPsec usage is too restrictive for existing deployments
  Author: Robert Relyea; Age: 2019-03-21; Files: 2; Lines: -2/+55

  try: -p linux64,linux64-fuzz -u gtest -t clang-format,scan-build

  Differential Revision: https://phabricator.services.mozilla.com/D24399
* Bug 1548722 - Tranche of coverity fixes, r=jcj
  Author: Martin Thomson; Age: 2019-05-02; Files: 2; Lines: -4/+3

  Summary:
  CID 1444897, 1444896, 1444894, 1444892, 1444891, 1444888, 1444885, 1444881

  Not sure how to manage the creation of bugs for these.

  Reviewers: jcj
  Tags: #secure-revision
  Differential Revision: https://phabricator.services.mozilla.com/D29611
* Bug 1542741, certutil: fix error output when -F is specified, r=rrelyea
  Author: Daiki Ueno; Age: 2019-04-08; Files: 1; Lines: -1/+1
|
* Bug 1532312, add -E option to selfserv/tstclnt to enable post-handshake auth, r=mt
  Author: Daiki Ueno; Age: 2019-04-08; Files: 2; Lines: -13/+66

  Reviewers: mt
  Reviewed By: mt
  Bug #: 1532312
  Differential Revision: https://phabricator.services.mozilla.com/D21936
* Bug 1528262, add -J option to strsclnt to specify sigschemes, r=mt
  Author: Daiki Ueno; Age: 2019-03-04; Files: 1; Lines: -3/+36

  Reviewers: mt
  Reviewed By: mt
  Bug #: 1528262
  Differential Revision: https://phabricator.services.mozilla.com/D21516
* Bug 1529959, memory leaks in atob/btoa, r=jcj
  Author: Kai Engert; Age: 2019-02-25; Files: 2; Lines: -22/+49
|
* Bug 1496124 - Populate public values for imported private keys, r=mt
  Author: Robert Relyea; Age: 2018-11-08; Files: 5; Lines: -0/+490
|
* Bug 327111 - Remove unnecessary/incomplete copyright notices in Tools output r=jcj
  Author: ui.manish; Age: 2019-02-07; Files: 1; Lines: -1/+0

  Differential Revision: https://phabricator.services.mozilla.com//D18655