path: root/lib
Commit message  Author  Age  Files  Lines
* Bug 1831983 - Add a constant time select function. r=mt (HEAD, master)  John M. Schanck  2023-05-17  5 files, -0/+98
| Differential Revision: https://phabricator.services.mozilla.com/D177803
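The page only shows the title of the constant-time select commit. The block below is an added illustration of the technique for this page, not NSS's own code: branchless selection via an all-ones/all-zeros mask, plus the constant-time equality and memory-compare helpers such a select is normally paired with. Every name (ct_mask_u32, ct_select_u32, ct_eq_u32, ct_select_bytes, ct_memeq) is this example's, not an NSS identifier.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Turn a 0/1 condition into an all-zero/all-one mask with no
 * data-dependent branch. The caller must pass exactly 0 or 1. */
static uint32_t ct_mask_u32(uint32_t cond)
{
    return (uint32_t)0 - (cond & 1u);
}

/* Constant-time select: returns a when cond == 1, b when cond == 0. */
uint32_t ct_select_u32(uint32_t cond, uint32_t a, uint32_t b)
{
    uint32_t mask = ct_mask_u32(cond);
    return (a & mask) | (b & ~mask);
}

/* Constant-time "is x nonzero": x | -x has its top bit set iff x != 0. */
static uint32_t ct_is_nonzero_u32(uint32_t x)
{
    return (x | ((uint32_t)0 - x)) >> 31;
}

/* Constant-time equality: 1 if a == b, else 0. */
uint32_t ct_eq_u32(uint32_t a, uint32_t b)
{
    return ct_is_nonzero_u32(a ^ b) ^ 1u;
}

/* Select between two equal-length byte strings in constant time:
 * out = cond ? a : b, touching every byte of both inputs. */
void ct_select_bytes(uint8_t *out, const uint8_t *a, const uint8_t *b,
                     size_t len, uint32_t cond)
{
    uint8_t mask = (uint8_t)ct_mask_u32(cond);
    uint8_t nmask = (uint8_t)~mask;
    for (size_t i = 0; i < len; i++)
        out[i] = (uint8_t)((a[i] & mask) | (b[i] & nmask));
}

/* Constant-time memory equality: 1 if equal, 0 otherwise. Unlike memcmp
 * it never exits early, so timing does not leak the first differing byte. */
uint32_t ct_memeq(const uint8_t *a, const uint8_t *b, size_t len)
{
    uint8_t acc = 0;
    for (size_t i = 0; i < len; i++)
        acc |= (uint8_t)(a[i] ^ b[i]);
    return ct_is_nonzero_u32(acc) ^ 1u;
}

int main(void)
{
    /* Constructed sample: choose the real buffer only when a tag check
     * passes, otherwise a fallback, without branching on the result. */
    uint8_t real[4] = { 1, 2, 3, 4 }, fallback[4] = { 9, 9, 9, 9 }, out[4];
    uint8_t tag[4] = { 7, 7, 7, 7 }, expect[4] = { 7, 7, 7, 7 };
    uint32_t ok = ct_memeq(tag, expect, 4);
    ct_select_bytes(out, real, fallback, 4, ok);
    printf("selected: %u %u %u %u\n", out[0], out[1], out[2], out[3]);
    return 0;
}
```

The caveat a practitioner should keep in mind: an optimising compiler is free to turn mask arithmetic back into a conditional branch or cmov-free code with data-dependent timing. Production libraries add a value barrier (a `volatile` read or an empty inline-asm constraint) on the mask and check the generated assembly; this example omits that.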
* Bug 1774657 Updating an old dbm with lots of certs with keys to sql results in a database that is slow to access.  Robert Relyea  2023-05-15  4 files, -8/+45
| This patch solves the problems in 3 ways:
| 1) The initial underlying issue is solved by not generating a trust record for user certs if they have default trust values (lib/softoken/legacydb/pcertdb.c). This will cause new databases created from old dbm databases to function normally.
| 2) Skip the integrity check if the record we are reading is already the default trust value (lib/softoken/sftkdb.c). This will increase the performance of reading sqlite databases created from the old dbm databases before patch 1 to perform reasonably.
| 3) Increase the cache count (lib/softoken/lowpbe.c). This affects applications which do multiple private key operations on the same private keys. Usually high speed operations would copy the keys to a session key for better performance, but sometimes that's not possible. This allows up to 20 RSA keys to be referenced by the application without a performance hit from the PBE checking integrity and/or decrypting the key entry.
| Differential Revision: https://phabricator.services.mozilla.com/D165221
* Bug 1804505 - Update the technical constraints for KamuSM. r=nss-reviewers,jschanck  Dennis Jackson  2023-05-05  1 file, -10/+2
| Depends on D177241
| Differential Revision: https://phabricator.services.mozilla.com/D177242
* Bug 1822921 - Add BJCA Global Root CA1 and CA2 root certificates r=nss-reviewers,jschanck  Dennis Jackson  2023-05-05  1 file, -0/+283
| Differential Revision: https://phabricator.services.mozilla.com/D177241
* Bug 1786018 - Add explicit handling of zero length records. r=mt  Dennis Jackson  2023-05-05  1 file, -3/+8
| This is based on the patch developed by Leander in D157183, but is a little more explicit.
| Co-Authored-By: Leander Schwarz
| Differential Revision: https://phabricator.services.mozilla.com/D176157
* Bug 1829391 - Tidy up DTLS ACK Error Handling Path. r=mt  Dennis Jackson  2023-05-05  1 file, -4/+11
| Differential Revision: https://phabricator.services.mozilla.com/D176156
* Bug 1806496 In FIPS mode, nss should reject RSASSA-PSS salt lengths larger than the output size of the hash function used, or provide an indicator  Robert Relyea  2022-12-19  4 files, -65/+93
| This patch adds a new mechanism specific check for PSS in fips_algorithms.h. The new check uses the hash mechanism provided in the pss mechanism list to look up the hash length. A static utility function in pkcs11c.c is moved to pkcs11u.c and made global so it can be reused in this code. We know that the mechanism supplied in the parameters matches the hash because that check is enforced in pkcs11c.c for the combined hash and sign functions.
| Differential Revision: https://phabricator.services.mozilla.com/D165176
* Bug 1784163 - Fix reading raw negative numbers r=nss-reviewers,nkulatova,mt  Iaroslav Gridin  2023-04-20  1 file, -6/+6
| Set sign after adding digits.
| Differential Revision: https://phabricator.services.mozilla.com/D154315
* Bug 1783647 - Integrate Vale Curve25519 r=nss-reviewers,bbeurdouche  Natalia Kulatova  2023-04-17  6 files, -1/+217
| Differential Revision: https://phabricator.services.mozilla.com/D153944
* Bug 1799468 - Removing unused flags for Hacl* r=bbeurdouche  Anna Weine  2023-04-17  1 file, -6/+6
| Differential Revision: https://phabricator.services.mozilla.com/D161464
* Bug 1727555 - Update HACL* till 51a72a953a4ee6f91e63b2816ae5c4e62edf35d6 r=nss-reviewers,jschanck  Anna Weine  2023-04-17  60 files, -1382/+4665
| Differential Revision: https://phabricator.services.mozilla.com/D158327
* Bug 1806010 FIPS-140-3 requires we restart post programmatically  Robert Relyea  2023-04-12  15 files, -206/+246
| FIPS 140-3 requires that we give applications a way to restart the Power On Self-Tests programmatically. Unloading the shared library is insufficient. Shutting down softoken and restarting it with a special flag is. This patch accomplishes this task by:
| 1) adding a new startup flag init argument flag called forcePost which is parsed at FC_Initialize time.
| 2) Code which checks if the post ran properly takes a new Bool which tells the function whether or not to rerun the post operations. If post operations are to be rerun, all test flags are set to unknown or fail and the tests are rerun. The results are returned.
| 3) Public facing functions to verify integrity look for a special non-valid character flag as the first character of the filename and use that to decide if we should rerun post or not. Callers add the flag if post should be rerun.
| 4) pk11mode, the general FIPS test program, makes sure we can turn on the forcePost flag.
| Differential Revision: https://phabricator.services.mozilla.com/D165050
* Bug 1815796: Add a CI task for tracking ECCKiila code status, update whitespace in ECCKiila files r=nss-reviewers,nkulatova  Iaroslav Gridin  2023-04-04  2 files, -8/+8
| Differential Revision: https://phabricator.services.mozilla.com/D169262
* Bug 1819958. Removed deprecated sprintf function and replaced with snprintf. r=djackson  Noah Lokocz  2023-03-16  8 files, -29/+31
| Differential Revision: https://phabricator.services.mozilla.com/D171859
* Set version numbers to 3.90 Beta  John M. Schanck  2023-03-09  3 files, -6/+6
* Bug 1820834 - revert freebl/softoken RSA_MIN_MODULUS_BITS increase. r=rrelyea  John Schanck  2023-03-07  1 file, -1/+1
| Differential Revision: https://phabricator.services.mozilla.com/D171882
* Bug 1820175 - PR_STATIC_ASSERT is cursed. r=jschanck  Dennis Jackson  2023-03-06  1 file, -2/+2
| Differential Revision: https://phabricator.services.mozilla.com/D171754
* Bug 1767883 - Need to add policy control to keys lengths for signatures. r=nss-reviewers  Robert Relyea  2023-03-03  13 files, -19/+272
| There are three changes in the patch which are related to key length processing:
| Change RSA_MIN_MODULUS_BITS in blapit.h from 128 to 1023. This necessitated changes to the following tests:
| testcrmf.c: up the generated key for the test from 512 to 1024.
| pk11_rsapkcs1_unittest.cc (in pk11_gtest): skip the min padding test if the MIN_RSA_MODULUS_BITS is more than 736 (The largest hash we support is 512, which fits in an RSA key less than 736. If we can't generate a key less than 736, we can't test minimum padding, but we can never get into that situation anyway now).
| tls_subcerts_unittest.cc: set our key size to at least RSA_MIN_MODULUS_BITS, and then make sure the policy had a higher minimum key length so we still trigger the 'weakKey' event.
| pk11kea.c: use 1024 bits for the transfer key now that smaller keysizes aren't supported by softoken.
| Expand the meaning of NSS_XXX_MIN_KEY_SIZE beyond its use in SSL (add a new flag and the ability to limit signing and verification to this as well). This allows us to set strict FIPS 140-3 policies, where we can only sign with 2048, but can still verify 1024. This part includes:
| New utility functions in seckey.c: SECKEY_PrivateKeyStrengthInBits(): The private key equivalent to SECKEY_PublicKeyStrengthInBits(). This function could be exported globally, but isn't in this patch. seckey_EnforceKeySize(): Takes a key type and a length and makes sure that length falls into the range set by policy.
| secsign.c and secvfy.c: add policy length check where we check the other policy flags.
| nss.h, nssoptions.c: add NSS_KEY_SIZE_POLICY_FLAGS and define flags for SSL, VERIFY, and SIGN. SSL is set by default (to maintain the current behavior).
| pk11parse.c: add keywords for the new NSS_KEY_SIZE_POLICY_FLAGS.
| ssl3con.c: use the flags to decide if the policy lengths are active for SSL.
| policy.txt: Test that the new policy flags are parsed correctly.
| sslpolicy.txt: Add tests to make sure the policy flags are functioning.
| Update fips_algorithms.h to make sure the FIPS indicators are exactly compliant with FIPS 140-3 current guidance (RSA 2028 and above, any key size, Legacy verification allowed for 1024, 1280, 1536, and 1792 [1024-1792, step 256]).
| The previous attempt to push failed because the pk11_rsapkcs1_unittest.cc change was eaten in the merge.
| Differential Revision: https://phabricator.services.mozilla.com/D146341
* Bug 1820175 - Fix unreachable code warning in fuzz builds. r=keeler  John M. Schanck  2023-03-03  1 file, -4/+11
| Differential Revision: https://phabricator.services.mozilla.com/D171603
* Bug 1820175 - Fix various compiler warnings in NSS. r=jschanck.  Dennis Jackson  2023-03-03  2 files, -49/+46
| Differential Revision: https://phabricator.services.mozilla.com/D171581
* Backed out changeset 761e7d215e0a for causing gtest failures (NSS_3_89_BETA1)  John M. Schanck  2023-03-02  13 files, -272/+19
* Bug 1815136 - set PORT error after sftk_HMACCmp failure. r=nss-reviewers,nkulatova  John M. Schanck  2023-03-02  1 file, -1/+6
| Differential Revision: https://phabricator.services.mozilla.com/D171495
* Bug 1767883 Need to add policy control to keys lengths for signatures.  Robert Relyea  2022-12-19  13 files, -19/+272
| There are three changes in the patch which are related to key length processing:
| Change RSA_MIN_MODULUS_BITS in blapit.h from 128 to 1023. This necessitated changes to the following tests:
| testcrmf.c: up the generated key for the test from 512 to 1024.
| pk11_rsapkcs1_unittest.cc (in pk11_gtest): skip the min padding test if the MIN_RSA_MODULUS_BITS is more than 736 (The largest hash we support is 512, which fits in an RSA key less than 736. If we can't generate a key less than 736, we can't test minimum padding, but we can never get into that situation anyway now).
| tls_subcerts_unittest.cc: set our key size to at least RSA_MIN_MODULUS_BITS, and then make sure the policy had a higher minimum key length so we still trigger the 'weakKey' event.
| pk11kea.c: use 1024 bits for the transfer key now that smaller keysizes aren't supported by softoken.
| Expand the meaning of NSS_XXX_MIN_KEY_SIZE beyond its use in SSL (add a new flag and the ability to limit signing and verification to this as well). This allows us to set strict FIPS 140-3 policies, where we can only sign with 2048, but can still verify 1024. This part includes:
| New utility functions in seckey.c: SECKEY_PrivateKeyStrengthInBits(): The private key equivalent to SECKEY_PublicKeyStrengthInBits(). This function could be exported globally, but isn't in this patch. seckey_EnforceKeySize(): Takes a key type and a length and makes sure that length falls into the range set by policy.
| secsign.c and secvfy.c: add policy length check where we check the other policy flags.
| nss.h, nssoptions.c: add NSS_KEY_SIZE_POLICY_FLAGS and define flags for SSL, VERIFY, and SIGN. SSL is set by default (to maintain the current behavior).
| pk11parse.c: add keywords for the new NSS_KEY_SIZE_POLICY_FLAGS.
| ssl3con.c: use the flags to decide if the policy lengths are active for SSL.
| policy.txt: Test that the new policy flags are parsed correctly.
| sslpolicy.txt: Add tests to make sure the policy flags are functioning.
| Update fips_algorithms.h to make sure the FIPS indicators are exactly compliant with FIPS 140-3 current guidance (RSA 2028 and above, any key size, Legacy verification allowed for 1024, 1280, 1536, and 1792 [1024-1792, step 256]).
| Differential Revision: https://phabricator.services.mozilla.com/D146341
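Both landings of Bug 1767883 (the one above and the re-landed copy earlier in the log) describe the same design: a hard softoken floor on RSA modulus size, a policy minimum that only bites for the operations whose flag (SSL, VERIFY, SIGN) is set, and a separate FIPS 140-3 indicator in which signing needs 2048 bits but legacy verification accepts 1024 through 1792 in steps of 256. The block below is an added model of that split, written for this page rather than taken from NSS; the KSP_* names, the ksp_policy struct and the two functions are this example's own, and the softoken floor value 1023 is the one stated in the commit.

```c
#include <stdio.h>

/* Which operations the policy minimum applies to. The flag names follow the
 * commit message (SSL, VERIFY, SIGN); the bit values are this example's. */
#define KSP_FLAG_SSL    0x1u
#define KSP_FLAG_VERIFY 0x2u
#define KSP_FLAG_SIGN   0x4u

typedef enum { KSP_OP_SSL = 0, KSP_OP_VERIFY = 1, KSP_OP_SIGN = 2 } ksp_op;

typedef struct {
    unsigned flags;        /* KSP_FLAG_* bits that activate the minimum */
    unsigned min_rsa_bits; /* policy minimum RSA modulus size in bits */
} ksp_policy;

/* Softoken floor from the commit: RSA_MIN_MODULUS_BITS raised to 1023. */
#define KSP_RSA_MIN_MODULUS_BITS 1023u

static unsigned ksp_flag_for(ksp_op op)
{
    switch (op) {
    case KSP_OP_SSL:    return KSP_FLAG_SSL;
    case KSP_OP_VERIFY: return KSP_FLAG_VERIFY;
    case KSP_OP_SIGN:   return KSP_FLAG_SIGN;
    }
    return 0;
}

/* 1 if an RSA key of `bits` may be used for `op` under policy `p`, else 0.
 * The softoken floor applies to every operation; the policy minimum is
 * only enforced for operations whose flag is set, which is what lets a
 * strict policy refuse to sign with 1024 while still verifying it. */
int ksp_enforce_rsa(const ksp_policy *p, ksp_op op, unsigned bits)
{
    if (bits < KSP_RSA_MIN_MODULUS_BITS)
        return 0;
    if ((p->flags & ksp_flag_for(op)) == 0)
        return 1;
    return bits >= p->min_rsa_bits;
}

/* FIPS 140-3 indicator as the commit describes it: 2048 bits and above is
 * approved for any operation; verification additionally accepts the legacy
 * sizes 1024, 1280, 1536 and 1792. Returns 1 if approved, else 0. */
int ksp_fips_rsa_approved(ksp_op op, unsigned bits)
{
    if (bits >= 2048u)
        return 1;
    if (op == KSP_OP_VERIFY && bits >= 1024u && bits <= 1792u &&
        (bits - 1024u) % 256u == 0)
        return 1;
    return 0;
}

int main(void)
{
    /* Strict policy: SIGN and SSL enforce 2048; VERIFY is left out so
     * existing 1024-bit signatures can still be checked. */
    ksp_policy strict = { KSP_FLAG_SSL | KSP_FLAG_SIGN, 2048u };
    printf("sign 1024: %d  verify 1024: %d  sign 2048: %d\n",
           ksp_enforce_rsa(&strict, KSP_OP_SIGN, 1024u),
           ksp_enforce_rsa(&strict, KSP_OP_VERIFY, 1024u),
           ksp_enforce_rsa(&strict, KSP_OP_SIGN, 2048u));
    printf("fips verify 1536: %d  fips verify 1400: %d\n",
           ksp_fips_rsa_approved(KSP_OP_VERIFY, 1536u),
           ksp_fips_rsa_approved(KSP_OP_VERIFY, 1400u));
    return 0;
}
```

Note the two checks are deliberately independent: the policy decides whether an operation is allowed at all, while the FIPS indicator only reports whether an allowed operation counts as approved.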
* Finish backout. (sigh)  Robert Relyea  2023-02-28  585 files, -77020/+0
* Sigh, even when I explicitly push to nss-try, it's pushing to nss!  Robert Relyea  2023-02-27  1 file, -5/+1
* Add liboqs  Robert Relyea  2023-02-27  586 files, -1/+77025
* This change was supposed to be pushed to nss-try,  Robert Relyea  2023-02-27  586 files, -76581/+1
| but something went out of whack. Back this change out of the tip.
* Add liboqs  Robert Relyea  2023-02-27  586 files, -1/+76581
* Bug 1804662 - remove data length assertion in sec_PKCS7Decrypt. r=nss-reviewers,nkulatova  John M. Schanck  2023-02-23  1 file, -1/+0
| Differential Revision: https://phabricator.services.mozilla.com/D170672
* Bug 1804660 - Make high tag number assertion failure an error. r=nss-reviewers,djackson  John M. Schanck  2023-02-23  1 file, -3/+7
| If a template has an OPTIONAL field, and we find that the input does not match that field's tag number, we mark the field as missing. If the next field is an ASN.1 ANY, we need to write the previously-parsed tag number out. Since high tag number forms are rare, we never implemented the necessary re-encoding of multi-byte tags, and we noted this with an assertion. That assertion is remotely triggerable in debug builds. This patch removes the assertion and returns a SEC_ERROR_LIBRARY_FAILURE instead.
| Differential Revision: https://phabricator.services.mozilla.com/D170678
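The commit above turns on an error path where the decoder would have had to re-emit an already-parsed tag, and the awkward case is the high-tag-number form (tag number 31 and up, X.690 8.1.2.4), where the identifier spans several octets. The block below is an added, self-contained encoder and decoder for ASN.1 identifier octets covering both forms, written for this page and not NSS's own code; it also rejects the malformed inputs a decoder should refuse (truncation, a non-minimal leading 0x80 digit, overflow past 32 bits, and a high-form encoding of a number below 31). All asn1_* names are this example's, not NSS identifiers.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define TAG_CONSTRUCTED 0x20u
#define TAG_NUMBER_MASK 0x1Fu
#define TAG_HIGH_FORM   0x1Fu /* low 5 bits all set: number follows in base 128 */

/* Encode identifier octets. cls is 0..3 (universal, application,
 * context-specific, private). Returns bytes written or -1 if `out` is
 * too small. Numbers >= 31 use the multi-byte high-tag-number form. */
int asn1_encode_tag(uint8_t cls, int constructed, uint32_t number,
                    uint8_t *out, size_t outlen)
{
    uint8_t first = (uint8_t)(((cls & 3u) << 6) | (constructed ? TAG_CONSTRUCTED : 0));
    if (number < 31) {
        if (outlen < 1) return -1;
        out[0] = (uint8_t)(first | number);
        return 1;
    }
    int ndigits = 0; /* base-128 digits, most significant first */
    for (uint32_t n = number; n != 0; n >>= 7) ndigits++;
    if (outlen < (size_t)ndigits + 1) return -1;
    out[0] = first | TAG_HIGH_FORM;
    for (int i = 0; i < ndigits; i++) {
        int shift = 7 * (ndigits - 1 - i);
        uint8_t digit = (uint8_t)((number >> shift) & 0x7Fu);
        /* continuation bit on every digit except the last */
        out[1 + i] = (uint8_t)(digit | (i == ndigits - 1 ? 0 : 0x80u));
    }
    return ndigits + 1;
}

/* Decode identifier octets. Returns bytes consumed or -1 on malformed
 * input: truncated, non-minimal (leading 0x80 digit), number wider than
 * 32 bits, or high form used for a number that X.690 requires in short form. */
int asn1_decode_tag(const uint8_t *in, size_t inlen, uint8_t *cls,
                    int *constructed, uint32_t *number)
{
    if (inlen < 1) return -1;
    *cls = (uint8_t)(in[0] >> 6);
    *constructed = (in[0] & TAG_CONSTRUCTED) != 0;
    if ((in[0] & TAG_NUMBER_MASK) != TAG_HIGH_FORM) {
        *number = in[0] & TAG_NUMBER_MASK;
        return 1;
    }
    if (inlen < 2 || in[1] == 0x80) return -1;
    uint32_t n = 0;
    size_t i = 1;
    for (;;) {
        if (i >= inlen) return -1;            /* ran out before the final digit */
        if (n > (UINT32_MAX >> 7)) return -1; /* next shift would overflow */
        n = (n << 7) | (in[i] & 0x7Fu);
        if ((in[i] & 0x80u) == 0) break;
        i++;
    }
    if (n < 31) return -1;
    *number = n;
    return (int)i + 1;
}

/* Convenience: the tag number of an encoding, or -1 if malformed. */
int64_t asn1_tag_number_of(const uint8_t *in, size_t inlen)
{
    uint8_t cls; int cons; uint32_t n;
    if (asn1_decode_tag(in, inlen, &cls, &cons, &n) < 0) return -1;
    return (int64_t)n;
}

/* Encoding packed big-endian into one integer, for compact inspection. */
uint64_t asn1_tag_packed(uint8_t cls, int constructed, uint32_t number)
{
    uint8_t buf[8]; uint64_t v = 0;
    int len = asn1_encode_tag(cls, constructed, number, buf, sizeof buf);
    if (len < 0) return 0;
    for (int i = 0; i < len; i++) v = (v << 8) | buf[i];
    return v;
}

/* Encode then decode; returns the encoded length, or -1 on any mismatch.
 * This is the re-encoding step the commit describes as never implemented. */
int asn1_tag_roundtrip(uint8_t cls, int constructed, uint32_t number)
{
    uint8_t buf[8], c; int k; uint32_t n;
    int len = asn1_encode_tag(cls, constructed, number, buf, sizeof buf);
    if (len < 0) return -1;
    if (asn1_decode_tag(buf, (size_t)len, &c, &k, &n) != len) return -1;
    if (c != cls || k != (constructed != 0) || n != number) return -1;
    return len;
}

int main(void)
{
    printf("[128] constructed -> %06llX (%d bytes)\n",
           (unsigned long long)asn1_tag_packed(2, 1, 128),
           asn1_tag_roundtrip(2, 1, 128));
    return 0;
}
```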
* Bug 1817513 - CKM_SHA384_KEY_DERIVATION: correct the maximum key length from 284 to 384 r=nss-reviewers,jschanck  Anna Weine  2023-02-23  1 file, -1/+1
| Differential Revision: https://phabricator.services.mozilla.com/D170481
* Bug 1815167: Tolerate certificate_authorities xtn in ClientHello. r=mt,nss-reviewers  Dennis Jackson  2023-02-22  4 files, -1/+13
| Differential Revision: https://phabricator.services.mozilla.com/D169918
* Bug 1789436: Fix build failure on Windows. r=bbeurdouche  Dennis Jackson  2023-02-20  1 file, -9/+11
| Differential Revision: https://phabricator.services.mozilla.com/D170360
* Bug 1804688 - Correct addition of GREASE value to ALPN xtn. r=mt  Dennis Jackson  2023-02-15  1 file, -25/+15
| A long-standing comment suggested the length field should be 1 byte, but the code was adding a two-byte length. Inspection showed that the length field should indeed be two-bytes. This patch corrects the comment and adjusts the length calculation for the ALPN GREASE value. Tests are included in the child patch of this revision.
| Differential Revision: https://phabricator.services.mozilla.com/D169620
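The length confusion in the commit above comes from ALPN having two length fields of different widths: the ProtocolNameList carries a two-byte length, and each ProtocolName inside it a one-byte length (RFC 7301). The block below is an added example for this page, not NSS's code: it builds the extension_data for a list that includes a two-byte GREASE identifier (RFC 8701 reserves values such as 0x0A 0x0A for this), and parses it back with the length checks a receiver needs. Its parser rejects the encoding the old comment would have produced (a one-byte list length), which is the concrete consequence of the bug. The alpn_* names are this example's own.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Build ALPN extension_data: uint16 list length, then for each name a
 * uint8 length followed by the bytes. Returns bytes written or -1. */
int alpn_build(const char *const *names, size_t nnames,
               uint8_t *out, size_t outlen)
{
    if (outlen < 2) return -1;
    size_t pos = 2; /* reserve the two-byte list length */
    for (size_t i = 0; i < nnames; i++) {
        size_t l = strlen(names[i]);
        if (l == 0 || l > 255) return -1;          /* ProtocolName is <1..2^8-1> */
        if (pos + 1 + l > outlen) return -1;
        out[pos++] = (uint8_t)l;
        memcpy(out + pos, names[i], l);
        pos += l;
    }
    size_t list_len = pos - 2;
    if (list_len < 2 || list_len > 0xFFFF) return -1; /* list is <2..2^16-1> */
    out[0] = (uint8_t)(list_len >> 8);
    out[1] = (uint8_t)(list_len & 0xFF);
    return (int)pos;
}

/* Validate extension_data and count the names. The two-byte list length
 * must cover exactly the remaining bytes and every name must be non-empty
 * and fit. Returns the count, or -1 if malformed. */
int alpn_parse_count(const uint8_t *in, size_t inlen)
{
    if (inlen < 2) return -1;
    size_t list_len = ((size_t)in[0] << 8) | in[1];
    if (list_len != inlen - 2 || list_len < 2) return -1;
    size_t pos = 2;
    int count = 0;
    while (pos < inlen) {
        size_t l = in[pos++];
        if (l == 0 || pos + l > inlen) return -1;
        pos += l;
        count++;
    }
    return count;
}

/* 1 if `name` is offered, 0 if not, -1 if the list is malformed. */
int alpn_contains(const uint8_t *in, size_t inlen, const char *name)
{
    size_t want = strlen(name);
    if (alpn_parse_count(in, inlen) < 0) return -1; /* bounds already checked */
    size_t pos = 2;
    while (pos < inlen) {
        size_t l = in[pos++];
        if (l == want && memcmp(in + pos, name, l) == 0) return 1;
        pos += l;
    }
    return 0;
}

/* Constructed sample: GREASE value first, then real protocols. Returns the
 * parsed name count (3) on success, -1 on any failure. */
int alpn_grease_demo(void)
{
    static const char *const names[] = { "\x0A\x0A", "h2", "http/1.1" };
    uint8_t buf[64];
    int len = alpn_build(names, 3, buf, sizeof buf);
    if (len < 0) return -1;
    if (alpn_contains(buf, (size_t)len, "h2") != 1) return -1;
    if (alpn_contains(buf, (size_t)len, "h3") != 0) return -1;
    return alpn_parse_count(buf, (size_t)len);
}

int main(void)
{
    /* The shape the old comment implied: one-byte list length. A receiver
     * reads 0x03 0x02 as the list length and the record no longer adds up. */
    static const uint8_t one_byte_len[] = { 0x03, 0x02, 'h', '2' };
    printf("grease list names: %d\n", alpn_grease_demo());
    printf("one-byte-length list parses as: %d\n",
           alpn_parse_count(one_byte_len, sizeof one_byte_len));
    return 0;
}
```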
* Bug 1789436 - CH extension permutation. r=djackson  Leander Schwarz  2023-02-15  7 files, -1/+91
| Depends on D161806
| Differential Revision: https://phabricator.services.mozilla.com/D163078
* Bug 1570615: TLS GREASE (RFC8701) r=djackson  Leander Schwarz  2023-02-15  14 files, -25/+428
| Differential Revision: https://phabricator.services.mozilla.com/D161806
* Bug 1804640 - improve handling of unknown PKCS#12 safe bag types. r=rrelyea  John M. Schanck  2023-02-09  3 files, -10/+18
| Differential Revision: https://phabricator.services.mozilla.com/D167443
* Set version numbers to 3.89 Beta  Anna Weine  2023-02-09  3 files, -6/+6
* Bug 1815246 - Export NSS_CMSSignerInfo_GetDigestAlgTag. r=djackson  Kai Engert  2023-02-07  1 file, -0/+6
| Differential Revision: https://phabricator.services.mozilla.com/D169060
* Bug 1812671 - build failure while implicitly casting SECStatus to PRUInt32. r=nss-reviewers,mt  František Krenželok  2023-01-30  2 files, -2/+2
| Author of the patch: Bob Relyea <rrelyea@redhat.com>
| Differential Revision: https://phabricator.services.mozilla.com/D167983
* Bug 1212915 - Add check for ClientHello SID max length. This is tested by Bogo tests Server-TooLongSessionID-TLS1*. r=djackson (NSS_3_88_BETA1)  Leander Schwarz  2023-01-16  1 file, -1/+3
| Depends on D147675
| Differential Revision: https://phabricator.services.mozilla.com/D147726
* Bug 1771100 - Added EarlyData ALPN test support to BoGo shim. r=djackson  Leander Schwarz  2023-01-16  2 files, -12/+20
| Differential Revision: https://phabricator.services.mozilla.com/D157290
* Bug 1790357: ECH client - Discard resumption TLS < 1.3 Session(IDs|Tickets) if ECH configs are setup. r=djackson  Leander Schwarz  2023-01-16  1 file, -0/+8
| Differential Revision: https://phabricator.services.mozilla.com/D157110
* Bug 1714245 - On HRR skip PSK incompatible with negotiated ciphersuites hash algorithm. r=djackson  Leander Schwarz  2023-01-16  2 files, -1/+17
| Differential Revision: https://phabricator.services.mozilla.com/D156660
* Bug 1789410 - ECH client: Send ech_required alert on server negotiating TLS 1.2. Fixed misleading Gtest, enabled corresponding BoGo test. r=djackson  Leander Schwarz  2023-01-16  4 files, -29/+30
| Differential Revision: https://phabricator.services.mozilla.com/D156565
* WIP: Bug 1804091 NSS needs to move off of DSA for integrity checks. r=nss-reviewers,jschanck  Robert Relyea  2023-01-05  6 files, -180/+328
| When we first added integrity checks to NSS for FIPS compliance, the only signature method allowed was DSA. NIST will be sunsetting DSA in 2023, so we need to update our integrity checks again. Since the time we added these checks, NIST has started accepting HMAC as a valid signature algorithm for integrity checks. HMAC is easier, faster and requires smaller .chk files, and openssl and gnutls have been using HMAC for years for this purpose. Since we need to move off of DSA anyway it's time to move to HMAC.
| This patch does this move. shlibsign now produces HMAC_256 by default. It moves the version number up because even though nss includes a type field, previous versions of NSS did not look at the type field when checking integrity. Bumping the version number will cause previous versions of NSS to fail early if presented with a newly generated integrity check file (even though it should fail later anyway).
| shlibsign now has the ability to generate 'legacy' check files so it can be used to generate check files for older versions of NSS. NSS can still accept older check files unless NSS_STRICT_INTEGRITY is set at compile time. This means tools which may be using old shlibsign to resign nss shared libraries will continue to work. At some point we can remove all DSA support (maybe after one enterprise release cycle).
| While completing this work, we also complete some integrity code cleanup. There are lots of magic numbers defining where things fall in the integrity check header. These are now moved to a structure and defined in the shsign.h header. Both shlibsign and shvfy have been updated to use this header.
| New test cases are not needed since fips.sh adequately tests our integrity code (both normal case and against mangled libraries which should fail). Though the lowhash test was updated to catch a particular issue we can run into when we use the LOWHASH code. On RHEL-7, we use the NSSLOWHASH_ interface in freebl in libc, which needs to run independently of nspr and nssutil. This requirement puts a pretty heavy burden on freebl to be self-contained when used for NSSLOWHASH_, including running integrity checks. The previous test program linked with nssutil and nspr (just like all of the rest of the nss tests) and wasn't detecting issues when unimplemented stub functions were called. This patch includes fixing those lowhash tests and also implementing the stubs needed by the current integrity check code.
| cmd/lowhashtest/Makefile: remove linking lowhashtest with all the libraries except freebl.
| cmd/lowhashtest/lowhashtest.c: remove any dependency on NSPR or NSSUTIL in the code.
| cmd/lowhashtest/manifest.mn: remove spurious requires statements.
| cmd/shlibsign/shlibsign.c: add hmac code. Add ability to select the hash type from the command line. Separate signature processing into their own functions for DSA and HMAC. General cleanups. Use PR_ARRAY_SIZE rather than a custom define. Move error printing outside utility functions (so we don't have to pass around filenames everywhere). Use NSSSignChkHeader instead of a Buf with magic offsets for the Check file Header. Add ability to make old style .chk files for old versions of NSS. Add option to revert to DSA. Add option to use old version numbers: only valid if DSA is set.
| lib/freebl/Makefile: allow NSS_STRICT_INTEGRITY to be set at build time. Setting NSS_STRICT_INTEGRITY only accepts hmac256, hmac384, hmac512. If it's not set, NSS will accept older .chk file formats (like DSA-2).
| lib/freebl/nsslowhash.c: lowhashtest files expect to set NSS_FIPS to force fips mode when testing the lowhash interface, but NSS_FIPS was not being looked at in the nsslow_GetFIPSEnabled. NOTE: setting NSS_FIPS to true will force FIPS mode if the system isn't already in FIPS mode. Setting it to FALSE will not turn it off if the system is already in FIPS mode.
| lib/freebl/shsign.h: update version. Add new defines for HMAC. Add new Header structure to remove magic offsets into a raw buffer in the code.
| lib/freebl/shvfy.c: add HMAC processing. Turn off DSA processing if NSS_STRICT_INTEGRITY is set. Refactor the signature processing.
| lib/freebl/stubs.c: add SECITEM_ItemsAreEqual for HMAC shvfy. Add implementations for SECITEM_ItemsAreEqual, SECITEM_ZfreeItem, and PR_GetEnvSecure. The first is new. The second solves an existing bug which is only seen on RHEL7, and the last is needed for the fix to nsslowhash.c above. PR_GetEnvSecure() calls secure_getenv if _USE_GNU is set, otherwise it falls back to the normal getenv. This should be safe since it's only used in LOWHASH to get the NSS_FIPS environment variable, which only has the effect of making LOWHASH run in fips mode when it otherwise wouldn't.
| tests/lowhash/lowhash.sh: make the test executable so it can be run on its own.
| Differential Revision: https://phabricator.services.mozilla.com/D164137
* Set version numbers to 3.88 Beta  Dennis Jackson  2023-01-05  3 files, -6/+6
* Bug 1807911 - Remove +x permissions on source code r=nss-reviewers,bbeurdouche  Sylvestre Ledru  2022-12-30  133 files, -0/+0
| Differential Revision: https://phabricator.services.mozilla.com/D165677
* Bug 1798823 - Additional zero-length RSA modulus checks. r=nkulatova (NSS_3_87_BETA1)  John M. Schanck  2022-12-15  2 files, -12/+21
| Differential Revision: https://phabricator.services.mozilla.com/D163622
* Bug 1798823 - add checks for zero-length RSA modulus to avoid memory errors and failed assertions later r=nss-reviewers,nkulatova,jschanck  Iaroslav Gridin  2022-12-15  2 files, -0/+26
| Differential Revision: https://phabricator.services.mozilla.com/D162111