| Commit message (Collapse) | Author | Age | Files | Lines |
| |
Differential Revision: https://phabricator.services.mozilla.com/D177803
| |
This is based on the patch developed by Leander in D157183, but is a
little more explicit.
Co-Authored-By: Leander Schwarz
Differential Revision: https://phabricator.services.mozilla.com/D176157
| |
Differential Revision: https://phabricator.services.mozilla.com/D176156
| |
This ensures we properly test the different DTLS / TLS versions and makes the
expected behaviour explicit.
Differential Revision: https://phabricator.services.mozilla.com/D176155
| |
Differential Revision: https://phabricator.services.mozilla.com/D176056
| |
r=nss-reviewers
There are three changes in the patch which are related to key length processing:
1.) Change RSA_MIN_MODULUS_BITS in blapit.h from 128 to 1023. This necessitated changes to the following tests:
- testcrmf.c: up the generated key for the test from 512 to 1024.
- pk11_rsapkcs1_unittest.cc (in pk11_gtest): skip the min padding test if the MIN_RSA_MODULUS_BITS is more than 736 (The largest hash we support is 512, which fits in an RSA key less than 736. If we can't generate a key less than 736, we can't test minimum padding, but we can never get into that situation anyway now).
- tls_subcerts_unittest.cc: set our key size to at least RSA_MIN_MODULUS_BITS, and then make sure the policy had a higher minimum key length so we still trigger the 'weakKey' event.
- pk11kea.c: use 1024 bits for the transfer key now that smaller keysizes aren't supported by softoken.
2.) Expand the meaning of NSS_XXX_MIN_KEY_SIZE beyond its use in SSL (add the ability to limit signing and verification to this as well). This allows us to set strict FIPS 140-3 policies, where we can only sign with 2048, but can still verify 1024. This part includes:
- New utility functions in seckey.c: SECKEY_PrivateKeyStrengthInBits(): The private key equivalent to SECKEY_PublicKeyStrengthInBits(). This function could be exported globally, but isn't in this patch. seckey_EnforceKeySize(): Takes a key type and a length and makes sure that length falls into the range set by policy.
- secsign.c and secvfy.c: add policy length check where we check the other policy flags.
- nss.h, nssoptions.c: add NSS_KEY_SIZE_POLICY_FLAGS and define flags for SSL, VERIFY, and SIGN. SSL is set by default (to maintain the current behavior).
- pk11parse.c: add keywords for the new NSS_KEY_SIZE_POLICY_FLAGS.
- ssl3con.c: use the flags to decide if the policy lengths are active for SSL.
- policy.txt: Test that the new policy flags are parsed correctly.
- sslpolicy.txt: Add tests to make sure the policy flags are functioning.
3.) Update fips_algorithms.h to make sure the FIPS indicators are exactly compliant with FIPS 140-3 current guidance (RSA 2028 and above, any key size, Legacy verification allowed for 1024, 1280, 1536, and 1792 [1024-1792, step 256]).
The previous attempt to push failed because the pk11_rsapkcs1_unittest.cc
change was eaten in the merge.
Differential Revision: https://phabricator.services.mozilla.com/D146341
| |
Differential Revision: https://phabricator.services.mozilla.com/D171581
| |
| |
There are three changes in the patch which are related to key length processing:
1.) Change RSA_MIN_MODULUS_BITS in blapit.h from 128 to 1023. This necessitated changes to the following tests:
- testcrmf.c: up the generated key for the test from 512 to 1024.
- pk11_rsapkcs1_unittest.cc (in pk11_gtest): skip the min padding test if the MIN_RSA_MODULUS_BITS is more than 736 (The largest hash we support is 512, which fits in an RSA key less than 736. If we can't generate a key less than 736, we can't test minimum padding, but we can never get into that situation anyway now).
- tls_subcerts_unittest.cc: set our key size to at least RSA_MIN_MODULUS_BITS, and then make sure the policy had a higher minimum key length so we still trigger the 'weakKey' event.
- pk11kea.c: use 1024 bits for the transfer key now that smaller keysizes aren't supported by softoken.
2.) Expand the meaning of NSS_XXX_MIN_KEY_SIZE beyond its use in SSL (add the ability to limit signing and verification to this as well). This allows us to set strict FIPS 140-3 policies, where we can only sign with 2048, but can still verify 1024. This part includes:
- New utility functions in seckey.c: SECKEY_PrivateKeyStrengthInBits(): The private key equivalent to SECKEY_PublicKeyStrengthInBits(). This function could be exported globally, but isn't in this patch. seckey_EnforceKeySize(): Takes a key type and a length and makes sure that length falls into the range set by policy.
- secsign.c and secvfy.c: add policy length check where we check the other policy flags.
- nss.h, nssoptions.c: add NSS_KEY_SIZE_POLICY_FLAGS and define flags for SSL, VERIFY, and SIGN. SSL is set by default (to maintain the current behavior).
- pk11parse.c: add keywords for the new NSS_KEY_SIZE_POLICY_FLAGS.
- ssl3con.c: use the flags to decide if the policy lengths are active for SSL.
- policy.txt: Test that the new policy flags are parsed correctly.
- sslpolicy.txt: Add tests to make sure the policy flags are functioning.
3.) Update fips_algorithms.h to make sure the FIPS indicators are exactly compliant with FIPS 140-3 current guidance (RSA 2028 and above, any key size, Legacy verification allowed for 1024, 1280, 1536, and 1792 [1024-1792, step 256]).
Differential Revision: https://phabricator.services.mozilla.com/D146341
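The two D146341 commit messages above describe a policy split: one minimum RSA key size, plus per-operation flags deciding whether SSL, signing and verification each enforce it, so a strict profile can refuse to sign with 1024 bits while still verifying legacy signatures. The following is an added example written for this page, not NSS code: the flag names, the key_policy struct and the function names are hypothetical stand-ins for NSS_KEY_SIZE_POLICY_FLAGS and seckey_EnforceKeySize(), and the 1023-bit token floor and the 1024-1792 legacy verification set are taken from the commit text.

```c
#include <stdbool.h>

/* Added example, not NSS code. Hypothetical names modelled on the commit's
 * NSS_KEY_SIZE_POLICY_FLAGS: which operations enforce the policy minimum. */
enum key_op { KEY_OP_SSL, KEY_OP_SIGN, KEY_OP_VERIFY };

#define POLICY_FLAG_SSL    0x1u   /* enforce min size for TLS keys (default) */
#define POLICY_FLAG_VERIFY 0x2u   /* enforce min size when verifying */
#define POLICY_FLAG_SIGN   0x4u   /* enforce min size when signing */

struct key_policy {
    unsigned flags;         /* OR of POLICY_FLAG_* */
    unsigned min_rsa_bits;  /* policy minimum, e.g. 2048 */
};

/* Hard floor from the token itself; the commit raises it from 128 to 1023. */
#define RSA_HARD_MIN_BITS 1023u

static unsigned op_flag(enum key_op op) {
    switch (op) {
    case KEY_OP_SSL:    return POLICY_FLAG_SSL;
    case KEY_OP_SIGN:   return POLICY_FLAG_SIGN;
    case KEY_OP_VERIFY: return POLICY_FLAG_VERIFY;
    }
    return 0;
}

/* True if an RSA key of `bits` may be used for `op` under policy `p`:
 * the token floor always applies, the policy minimum only where flagged. */
bool rsa_key_allowed(const struct key_policy *p, enum key_op op, unsigned bits) {
    if (bits < RSA_HARD_MIN_BITS)
        return false;
    if ((p->flags & op_flag(op)) && bits < p->min_rsa_bits)
        return false;
    return true;
}

/* FIPS 140-3 style indicator as the commit summarises it: 2048 bits and up
 * for any operation; legacy verification only with 1024..1792 in steps of 256. */
bool fips_rsa_indicator(enum key_op op, unsigned bits) {
    if (bits >= 2048)
        return true;
    return op == KEY_OP_VERIFY && bits >= 1024 && bits <= 1792 &&
           (bits - 1024) % 256 == 0;
}

/* The strict profile from the commit: SSL and SIGN enforce 2048, VERIFY is
 * left unflagged so 1024-bit signatures can still be checked, and the FIPS
 * indicator decides which legacy sizes that covers. */
bool strict_profile_allows(enum key_op op, unsigned bits) {
    const struct key_policy strict = { POLICY_FLAG_SSL | POLICY_FLAG_SIGN, 2048 };
    return rsa_key_allowed(&strict, op, bits) && fips_rsa_indicator(op, bits);
}
```

The point to take from the split is that a single minimum applied uniformly would either break verification of existing 1024-bit signatures or let new 1024-bit signatures be produced; flagging sign and verify separately avoids both.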
| |
| |
r=mt,nss-reviewers
Differential Revision: https://phabricator.services.mozilla.com/D169918
| |
Differential Revision: https://phabricator.services.mozilla.com/D170360
| |
Differential Revision: https://phabricator.services.mozilla.com/D169622
| |
This patch adds tests to check that we correctly add GREASE codepoints in the permitted
locations (when enabled and using TLS1.3 or higher) and that we do not add any codepoints
if disabled or negotiating an earlier version of TLS. The tests check:
For ClientHello:
- 1 codepoint is added to ciphersuites, named groups, key share, sig algs, supported
versions, psk exchange methods, ALPN.
- A 0-byte and a 1-byte GREASE extension is added.
For CertificateRequests:
- 1 codepoint is added to the sig alg extension.
- 1 0-byte GREASE extension is added.
For NewSessionTicket:
- 1 1-byte GREASE extension is added.
Differential Revision: https://phabricator.services.mozilla.com/D169621
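The tests in the commit above check that exactly one GREASE codepoint lands in each permitted ClientHello vector and that a 0-byte and a 1-byte GREASE extension are present. The following is an added example written for this page, not the NSS test code: it recognises RFC 8701 GREASE values (16-bit values of the form 0x?A?A with equal high nibbles, and the 8-bit PskKeyExchangeMode values 0x0B + 0x1F*k) and counts them in a constructed cipher_suites vector and a constructed extensions block. The sample bytes are made up for the example, not captured from a real handshake.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Added example, not NSS's own test code. Constructed input, not a captured
 * ClientHello. */

/* 16-bit GREASE values are 0x?A?A with both high nibbles equal: 0x0A0A..0xFAFA. */
bool is_grease16(uint16_t v) {
    return (v & 0x0f0f) == 0x0a0a && (v >> 12) == ((v >> 4) & 0x0f);
}

/* 8-bit GREASE values (PskKeyExchangeMode) are 0x0B + 0x1F*k for k = 0..7. */
bool is_grease8(uint8_t v) {
    return v % 0x1f == 0x0b;
}

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* GREASE count in a uint16-length-prefixed vector of uint16 values, e.g.
 * ClientHello.cipher_suites. Returns -1 if the prefix does not match. */
int count_grease_u16_vector(const uint8_t *buf, size_t len) {
    if (len < 2) return -1;
    size_t vlen = rd16(buf);
    if (vlen % 2 != 0 || 2 + vlen != len) return -1;
    int n = 0;
    for (size_t i = 2; i < len; i += 2)
        n += is_grease16(rd16(buf + i));
    return n;
}

/* GREASE count in a length-prefixed extensions block; records the body length
 * of each GREASE extension (the tests expect one 0-byte and one 1-byte body).
 * Returns -1 on malformed input. */
int count_grease_extensions(const uint8_t *buf, size_t len,
                            size_t *body_lens, size_t max_bodies) {
    if (len < 2 || 2 + (size_t)rd16(buf) != len) return -1;
    int n = 0;
    size_t pos = 2;
    while (pos < len) {
        if (len - pos < 4) return -1;
        uint16_t type = rd16(buf + pos);
        size_t elen = rd16(buf + pos + 2);
        pos += 4;
        if (elen > len - pos) return -1;
        if (is_grease16(type)) {
            if ((size_t)n < max_bodies) body_lens[n] = elen;
            n++;
        }
        pos += elen;
    }
    return n;
}

/* Constructed cipher_suites: GREASE 0x3A3A, TLS_AES_128_GCM_SHA256 (0x1301),
 * TLS_CHACHA20_POLY1305_SHA256 (0x1303). */
static const uint8_t sample_suites[] = { 0x00, 0x06, 0x3a, 0x3a, 0x13, 0x01, 0x13, 0x03 };

/* Constructed extensions: GREASE 0x5A5A with an empty body, supported_versions
 * (0x002B) carrying TLS 1.3, GREASE 0xAAAA with a 1-byte body. */
static const uint8_t sample_exts[] = {
    0x00, 0x10,
    0x5a, 0x5a, 0x00, 0x00,
    0x00, 0x2b, 0x00, 0x03, 0x02, 0x03, 0x04,
    0xaa, 0xaa, 0x00, 0x01, 0x00
};

int sample_suite_grease_count(void) {
    return count_grease_u16_vector(sample_suites, sizeof sample_suites);
}

int sample_ext_grease_count(void) {
    size_t lens[4];
    return count_grease_extensions(sample_exts, sizeof sample_exts, lens, 4);
}

/* Body length of the i-th GREASE extension in the sample, or (size_t)-1. */
size_t sample_ext_grease_body_len(int i) {
    size_t lens[4] = { 0 };
    if (count_grease_extensions(sample_exts, sizeof sample_exts, lens, 4) <= i)
        return (size_t)-1;
    return lens[i];
}
```

A peer that mishandles either the equal-nibble rule or the 0x1F stride will treat some GREASE values as real codepoints, which is exactly the intolerance these values exist to flush out.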
| |
Depends on D161806
Differential Revision: https://phabricator.services.mozilla.com/D163078
| |
Differential Revision: https://phabricator.services.mozilla.com/D161806
| |
Bogo tests Server-TooLongSessionID-TLS1*. r=djackson
Depends on D147675
Differential Revision: https://phabricator.services.mozilla.com/D147726
| |
Differential Revision: https://phabricator.services.mozilla.com/D157290
| |
if ECH configs are setup. r=djackson
Differential Revision: https://phabricator.services.mozilla.com/D157110
| |
algorithm. r=djackson
Differential Revision: https://phabricator.services.mozilla.com/D156660
| |
1.2. Fixed misleading Gtest, enabled corresponding BoGo test. r=djackson
Differential Revision: https://phabricator.services.mozilla.com/D156565
| |
Differential Revision: https://phabricator.services.mozilla.com/D154631
| |
Differential Revision: https://phabricator.services.mozilla.com/D154209
| |
Depends on D134922
Differential Revision: https://phabricator.services.mozilla.com/D134923
| |
Depends on D134921
Differential Revision: https://phabricator.services.mozilla.com/D134922
| |
Depends on D134920
Differential Revision: https://phabricator.services.mozilla.com/D134921
| |
Depends on D134886
Differential Revision: https://phabricator.services.mozilla.com/D134920
| |
Depends on D134853
Differential Revision: https://phabricator.services.mozilla.com/D134886
| |
Depends on D134846
Differential Revision: https://phabricator.services.mozilla.com/D134853
| |
Differential Revision: https://phabricator.services.mozilla.com/D158323
| |
*UnsolicitedServerNameAck bogo ECH test. r=djackson
Differential Revision: https://phabricator.services.mozilla.com/D152739
| |
server name. r=djackson
Differential Revision: https://phabricator.services.mozilla.com/D151696
| |
bogo test. r=djackson
Differential Revision: https://phabricator.services.mozilla.com/D151695
| |
CHInner.random on HRR. r=djackson
Differential Revision: https://phabricator.services.mozilla.com/D151692
| |
configs in EncryptedExtensions and if not accepting ECH. Changed config setting behavior to skip configs with unsupported mandatory extensions instead of failing. r=djackson
The following bogo tests test the changed behavior:
- TLS-ECH-GREASE-Client-TLS12-RejectRetryConfigs
- TLS-ECH-Client-TLS12-RejectRetryConfigs - This and the above test test correct rejection of a TLS 1.2 server ECH extension with retry configs (outside EncryptedExtensions)
- TLS-ECH-Client-Accept-RejectRetryConfigs - Test correct rejection of retry configs received even though ECH was accepted by the server.
- TLS-ECH-Client-SelectECHConfig - Tests correct skipping of unsupported (mandatory extension) configs.
Differential Revision: https://phabricator.services.mozilla.com/D151607
| |
creation to skip TLS 1.2 only extensions to comply with BoGo. r=djackson
Differential Revision: https://phabricator.services.mozilla.com/D151489
| |
accept_confirmation bugs. r=djackson
Differential Revision: https://phabricator.services.mozilla.com/D153479
| |
It was required to update docker-interop image to ubuntu 20.04 since a newer Go release was required for the BoGo tests to run.
See nss/gtests/nss_bogo_shim/config.json for a list of disabled BoGo tests, including short descriptions/bug links.
A -loose-local-errors flag was added to Bogo (runner.go) to allow usage of more tests by ignoring differences in local errors on the Go side of test connections, similar to the remote error 'suppression' used. The code is patched into the BoGo runner after cloning in nss/tests/bogo/bogo.sh and can be found in nss/gtests/nss_bogo_shim/nss_loose_local_errors.patch.
Differential Revision: https://phabricator.services.mozilla.com/D147675
| |
TlsConnectTestBase::ConnectAndCheckCipherSuite. r=bbeurdouche,nss-reviewers
Differential Revision: https://phabricator.services.mozilla.com/D154594
| |
r=kjacobs,rrelyea
Previously we only used the "object" attribute (mapped to CKA_LABEL) to find certificates by PKCS #11 URI. This updates the logic to also match "id" (mapped to CKA_ID) and to reject the request if a "type" attribute is present with a value other than "cert".
Note: as "id" may not be null-terminated, the PKCS #11 URI API had to be revamped to allow binary blobs. This is still not perfect because PK11URIAttribute doesn't have a length field for the value.
Differential Revision: https://phabricator.services.mozilla.com/D98940
| |
code is set. r=mt,nss-reviewers.
Differential Revision: https://phabricator.services.mozilla.com/D151645
| |
Differential Revision: https://phabricator.services.mozilla.com/D138149
| |
allocating it on initialization. Replaced redundant code with assert. Debug builds: Added buffer freeing/allocation for each record. r=djackson
Differential Revision: https://phabricator.services.mozilla.com/D144034
| |
r=djackson
Added test cases for alerts during and pre handshake as well as TLS 1.3 only after handshake (application data) cases due to unsupported de- and encryption of lower TLS version records in gtest.
Adjusted some test cases that expect failed connections to the updated alerts.
Differential Revision: https://phabricator.services.mozilla.com/D144029
| |
ClientHello.legacy_version. r=djackson
Differential Revision: https://phabricator.services.mozilla.com/D144279
| |
ECPointFormat extension alerts. r=djackson
Differential Revision: https://phabricator.services.mozilla.com/D144420
| |
GROUP. r=keeler,nss-reviewers,djackson
In an iteration over elements of an indefinite-length encoded GROUP
(sec_asn1d_next_in_group), the child of the current state is responsible for
parsing the GROUP's end-of-contents octets---a call to
sec_asn1d_parse_end_of_contents(state->child) sets the endofcontents flag for
state->child and a later call to sec_asn1d_next_in_group checks
state->child->endofcontents and terminates the iteration.
In an iteration over elements of an indefinite-length encoded SEQUENCE
(sec_asn1d_next_in_sequence), on the other hand, the current state, not its
child, handles the end-of-contents octets.
Prior to this commit, an error would occur when state pointed to an
indefinite-length encoded GROUP and state->child pointed to an
indefinite-length encoded SEQUENCE. In this case, state->child would be passed
to sec_asn1d_parse_end_of_contents to parse the SEQUENCE's end-of-contents
octets. This would set the endofcontents flag for state->child, and this would
be misinterpreted as an end-of-iteration signal for the surrounding GROUP.
Differential Revision: https://phabricator.services.mozilla.com/D142985
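The commit above turns on a subtle property of BER indefinite-length encoding: the end-of-contents octets (0x00 0x00) belong to the value that opened the indefinite length, so when an indefinite-length SEQUENCE sits inside an indefinite-length SET OF, the SEQUENCE's own parse must consume its EOC, or the enclosing group sees it and stops iterating early. The following is an added example written for this page, not the NSS decoder (sec_asn1d_* is not used): a minimal recursive BER walker in which each level consumes only its own EOC, run over a constructed SET OF holding two indefinite-length SEQUENCEs. The function names and the sample bytes are this example's own.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Added example, not the NSS ASN.1 decoder. Minimal BER walker for
 * definite and indefinite lengths; counts direct children per level. */
struct ber_node {
    uint8_t tag;
    size_t nchildren;   /* direct children (constructed values only) */
};

/* Parses one BER value at buf[0..len). Returns bytes consumed, 0 on error. */
size_t ber_parse(const uint8_t *buf, size_t len, struct ber_node *out) {
    if (len < 2) return 0;
    uint8_t tag = buf[0];
    uint8_t lb  = buf[1];
    size_t pos = 2;
    bool constructed = (tag & 0x20) != 0;
    out->tag = tag;
    out->nchildren = 0;

    if (lb == 0x80) {
        /* Indefinite length: legal only for constructed values. Children run
         * until THIS level's EOC; a child's EOC is eaten by the child parse. */
        if (!constructed) return 0;
        for (;;) {
            if (len - pos < 2) return 0;              /* ran out before EOC */
            if (buf[pos] == 0x00 && buf[pos + 1] == 0x00) return pos + 2;
            struct ber_node child;
            size_t used = ber_parse(buf + pos, len - pos, &child);
            if (used == 0) return 0;
            pos += used;
            out->nchildren++;
        }
    }

    /* Definite length: short form or long form (0x81..0x88). */
    size_t clen;
    if (lb < 0x80) {
        clen = lb;
    } else {
        size_t nb = lb & 0x7f;
        if (nb == 0 || nb > sizeof(size_t) || len - pos < nb) return 0;
        clen = 0;
        for (size_t i = 0; i < nb; i++) clen = (clen << 8) | buf[pos++];
    }
    if (clen > len - pos) return 0;
    if (!constructed) return pos + clen;
    size_t end = pos + clen;
    while (pos < end) {
        struct ber_node child;
        size_t used = ber_parse(buf + pos, end - pos, &child);
        if (used == 0) return 0;
        pos += used;
        out->nchildren++;
    }
    return end;
}

/* Number of elements in the outer constructed value, or -1 on parse error
 * (including trailing or missing bytes). */
int count_group_elements(const uint8_t *buf, size_t len) {
    struct ber_node n;
    size_t used = ber_parse(buf, len, &n);
    if (used == 0 || used != len) return -1;
    return (int)n.nchildren;
}

/* Constructed sample: SET OF (indefinite) { SEQUENCE (indefinite) { INTEGER 1 }
 * SEQUENCE (indefinite) { INTEGER 2 } }. The bug described in the commit would
 * take the first SEQUENCE's EOC as the end of the SET OF. */
static const uint8_t sample_group[] = {
    0x31, 0x80,                /* SET OF, indefinite length */
      0x30, 0x80,              /*   SEQUENCE, indefinite length */
        0x02, 0x01, 0x01,      /*     INTEGER 1 */
      0x00, 0x00,              /*   EOC for the SEQUENCE */
      0x30, 0x80,
        0x02, 0x01, 0x02,
      0x00, 0x00,
    0x00, 0x00                 /* EOC for the SET OF */
};

int sample_group_count(void) {
    return count_group_elements(sample_group, sizeof sample_group);
}

/* Same bytes minus the outer EOC: must be rejected, not silently accepted. */
int sample_group_truncated_count(void) {
    return count_group_elements(sample_group, sizeof sample_group - 2);
}
```

The invariant that keeps this correct is that ber_parse returns only after consuming the EOC of the value it opened, so the caller's loop never sees a child's terminator; the NSS bug was the GROUP iteration reading the child's endofcontents flag as its own.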
| |
zero-length record/fragment handling tests. Enabled tls fuzzer empty alert test. r=djackson
Differential Revision: https://phabricator.services.mozilla.com/D141841
| |
boundaries. r=djackson
Old overlong record check flow:
1.) There is a check for the default maximally allowed record size in ssl3gthr.c/ssl3_GatherData after reception of TLS records. In the same file the DTLS reception buffers are set to the maximum possible record size in dtls_GatherData.
2.) Next the ssl3_HandleRecord handler checks TLS and DTLS record sizes, considering possibly set size limits by the record-size-limit-extension and the maximally approximated cipher expansion possible in NSS.
3.) Until this patch there was a less strict redundant size check in ssl3con.c/ssl3_UnprotectRecord. In tls13con.c/tls13_UnprotectRecord and ssl3con.c/ssl3_UnprotectRecord the plaintext size is checked for validity after unprotecting (plaintext checks were not changed in this patch).
4.) DTLS errors regarding record size and unprotecting are inconsistently sometimes propagated to the peer (alerts) and sometimes silently dropped.
Changes:
1.) In ssl3gthr.c TLS 1.3 specific cases for overlong record checks and DTLS buffer allocation have been added.
2.) The ssl3_HandleRecord handler checks for RFC compliant record sizes (all TLS versions), considering limits set by record_size_limit_extension. This is less strict for TLS <= 1.2, stricter checks have been moved to the unprotection functions to create a similar 'check flow/levels' for all TLS versions.
3.)
- TLS <= 1.2: Moved strict check for maximum allowed plaintext + approximated maximum cipher expansion to ssl3con.c/ssl3_UnprotectRecord.
- TLS 1.3: Added strict check for maximum allowed plaintext + actually used cipher expansion to tls13con.c/tls13_UnprotectRecord.
(Maximum allowed plaintext considers limits set by record_size_limit_extension)
4.) Following RFC6347, Section 4.1.2.7 DTLS errors regarding records and unprotecting are now consistently dropped silently.
Added Tests:
- Positive tests (All (D)TLS versions): Test that largest valid plaintext + encryption expansion are successfully sent and handled.
- Negative tests (All (D)TLS versions): Test that all added/updated boundaries lead to the expected alerts. Tested with smallest illegal record size for each of the mentioned checks.
Differential Revision: https://phabricator.services.mozilla.com/D138529
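The commit above lays out a two-level check: a bound on the ciphertext length at gather time, then a bound on the recovered plaintext after unprotecting, with the plaintext bound lowered by a negotiated record_size_limit, and with DTLS dropping offending records instead of alerting. The following is an added example written for this page, not NSS code: it models those checks for TLS 1.2 and TLS 1.3 using the RFC 5246 and RFC 8446 maxima (2^14 plaintext, plus 2048 and 256 bytes of ciphertext growth respectively) and the RFC 8449 rule that the limit counts the TLS 1.3 inner content-type byte. The choice of the real AEAD tag length for TLS 1.3 and the RFC worst case for TLS 1.2 is an assumption made to match the commit's wording ("actually used" versus "approximated maximum" expansion); the struct and function names are this example's own.

```c
#include <stdbool.h>
#include <stddef.h>

/* Added example, not NSS code. Expansion figures are assumptions chosen to
 * match the commit's wording. */
#define MAX_FRAGMENT_LENGTH 16384u   /* 2^14: TLSPlaintext.length limit */
#define TLS12_MAX_EXPANSION 2048u    /* RFC 5246 6.2.3 worst-case growth */
#define TLS13_MAX_EXPANSION 256u     /* RFC 8446 5.2 */

enum tls_version { TLS_1_2, TLS_1_3 };
enum record_verdict { RECORD_OK, RECORD_ALERT_OVERFLOW, RECORD_DROP_SILENTLY };

struct record_params {
    enum tls_version version;
    bool is_dtls;
    size_t record_size_limit;   /* RFC 8449 limit we advertised, 0 if none */
    size_t aead_tag_len;        /* real expansion of the TLS 1.3 AEAD in use */
};

/* Largest plaintext we accept. In TLS 1.3 both the default (2^14 + 1) and a
 * negotiated limit count the inner content-type byte. */
size_t max_plaintext(const struct record_params *p) {
    size_t dflt = p->version == TLS_1_3 ? MAX_FRAGMENT_LENGTH + 1 : MAX_FRAGMENT_LENGTH;
    if (p->record_size_limit != 0 && p->record_size_limit < dflt)
        return p->record_size_limit;
    return dflt;
}

/* Bound on the ciphertext before decryption. TLS 1.3 can use the cipher's
 * actual tag length; for TLS <= 1.2 the CBC padding is unknown until after
 * unprotecting, so the RFC worst case is used. Never above the RFC maximum. */
size_t max_ciphertext(const struct record_params *p) {
    size_t expansion = p->version == TLS_1_3 ? p->aead_tag_len : TLS12_MAX_EXPANSION;
    size_t strict = max_plaintext(p) + expansion;
    size_t rfc = MAX_FRAGMENT_LENGTH +
                 (p->version == TLS_1_3 ? TLS13_MAX_EXPANSION : TLS12_MAX_EXPANSION);
    return strict < rfc ? strict : rfc;
}

/* RFC 6347 4.1.2.7: DTLS discards bad records instead of tearing down. */
static enum record_verdict reject(const struct record_params *p) {
    return p->is_dtls ? RECORD_DROP_SILENTLY : RECORD_ALERT_OVERFLOW;
}

/* Gather-time check on the wire length, then post-unprotect check on the
 * plaintext length. */
enum record_verdict check_record(const struct record_params *p,
                                 size_t ciphertext_len, size_t plaintext_len) {
    if (ciphertext_len > max_ciphertext(p))
        return reject(p);
    if (plaintext_len > max_plaintext(p))
        return reject(p);
    return RECORD_OK;
}

/* Convenience wrappers so callers need not build the struct by hand. */
enum record_verdict check_record_v(enum tls_version v, bool dtls, size_t limit,
                                   size_t tag, size_t ciphertext_len,
                                   size_t plaintext_len) {
    struct record_params p = { v, dtls, limit, tag };
    return check_record(&p, ciphertext_len, plaintext_len);
}

size_t max_ciphertext_v(enum tls_version v, size_t limit, size_t tag) {
    struct record_params p = { v, false, limit, tag };
    return max_ciphertext(&p);
}
```

Two consequences worth testing, as the commit's negative tests do: the smallest over-limit ciphertext must be rejected before any decryption is attempted, and a ciphertext that passes the first bound can still fail the plaintext bound once a record_size_limit is in force.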
| |
Differential Revision: https://phabricator.services.mozilla.com/D143514