| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
initialized. r=mt
NSS has several config functions that multiprocess servers must call before NSS is initialized to set up shared memory caches between the processes. These functions call ssl_init(), which initializes the ssl policy. The ssl policy initialization, however needs to happen after NSS itself is initialized. Doing so before hand causes (in the best case) policy to be ignored by these servers, and crashes (in the worst case).
Instead, these cache functions should just initialize those things it needs (that is the NSPR ssl error codes).
This patch does:
1) fixes the cache init code to only initialize error codes.
2) fixes the selfserv MP code to 1) be compatible with ssl.sh's selfserv management (at least on Unix), and 2) mimic the way real servers handle the MP_Cache init code (calling NSS_Init after the cache set up).
3) update ssl.sh server policy test to test policy usage on an MP server. This
is only done for non-windows like OS's because they can't catch the kill signal
to force their children to shutdown.
I've verified that the test fails if 2 and 3 are included but 1 is not
(and succeeds if all three are included).
Differential Revision: https://phabricator.services.mozilla.com/D70948
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Part 2 of 2
Use the official PKCS #11 HKDF mechanism to implement tls 1.3.
1) The new mechanism is a single derive mechanism, so we no longer need to
pick it based on the underlying hmac (Note, we still need to know the
underlying hmac, which is passed in as a mechanism parameter).
2) Use the new keygen to generate CKK_HKDF keys rather than doing it by hand
with the random number generator (never was really the best way of doing this).
3) modify tls13hkdf.c to use the new mechanisms:
1) Extract: use the new key handle in the mechanism parameters to pass the
salt when the salt is a key handle.
Extract: use the explicit NULL salt parameter if for the hash len salt of
zeros.
2) Expand: Expand is mostly a helper function which takes a mechanism. For
regular expand, the mechanism is the normal _Derive, for the Raw version
its the _Data function. That creates a data object, which is extractable
in FIPS mode.
4) update slot handling in tls13hkdf.c:
1) we need to make sure that the key and the salt key are in the same
slot. Provide a PK11wrap function to make that guarrentee (and use that
function in PK11_WrapKey, which already has to do the same function).
2) When importing a 'data' key for the zero key case, make sure we import
into the salt key's slot. If there is no salt key, use PK11_GetBestSlot()
rather than PK11_GetInternal slot.
Differential Revision: https://phabricator.services.mozilla.com/D69899
|
|
|
|
|
|
| |
Remove support for RSAE in delegated credentials (both in DC signatures and SPKIs), add SignatureScheme list functionality to initial DC extension.
Differential Revision: https://phabricator.services.mozilla.com/D65252
|
|
|
|
| |
4349f611f7b96de63934837d6940095ac1a5db33 r=bustage
|
|
|
|
|
|
|
|
|
| |
mode KDFs suitable for use in SCP03 and other protocols. These KDFs were
introduced in PKCS#11 v3.0.
Resolves: BZ#1599603
https://phabricator.services.mozilla.com/D54821
|
|
|
|
|
|
|
|
|
| |
Disale libnssdbm by default and add flag to enable it in builds.
On CI a build and certs test with enabled legacy DB are added.
Note that for some reason the coverage build fails. I have no idea why. I'm open for ideas.
Differential Revision: https://phabricator.services.mozilla.com/D54673
|
|
|
|
|
|
| |
fix for prng kat tests
Differential Revision: https://phabricator.services.mozilla.com/D54095
|
|
|
|
| |
Differential Revision: https://phabricator.services.mozilla.com/D49184
|
|
|
|
|
|
|
|
| |
end-entity certs with default scheme override r=mt
If an end-entity cert has an SPKI type of 'rsaEncryption', override the DC alg to be `ssl_sig_rsa_pss_rsae_sha256`.
Differential Revision: https://phabricator.services.mozilla.com/D49176
|
|
|
|
|
|
|
|
|
| |
and updated support commands. r=jcj,kjacobs,mt
Added two new fields do scheduled distrust of CAs in nssckbi/builtins.
Also, created a testlib to validate these fields with gtests.
Differential Revision: https://phabricator.services.mozilla.com/D36597
|
|
|
|
|
|
|
|
|
|
|
|
| |
Reviewers: rrelyea, mt
Reviewed By: mt
Subscribers: HubertKario
Bug #: 1494063
Differential Revision: https://phabricator.services.mozilla.com/D29166
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Summary:
This increases the limit of record expansion by 16 so that it doesn't
reject maximum block padding when HMAC-SHA384 is used.
To test this, tlsfuzzer is updated to the latest version
(commit 80d7932ead1d8dae6e555cfd2b1c4c5beb2847df).
Reviewers: mt
Reviewed By: mt
Bug #: 1580286
Differential Revision: https://phabricator.services.mozilla.com/D46760
|
|
|
|
| |
r=jcj
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch increases SSL testing on taskcluster, specifically, running an additional 395 tests on each SSL cycle (more for FIPS targets), and adding a new 'stress' cycle.
Notable changes:
1) This patch removes SSL stress tests from the default `NSS_SSL_RUN` list in all.sh and ssl.sh. If stress tests are needed, this variable must be set to include.
2) The "normal_normal" case is added to `NSS_SSL_TESTS` for all targets. FIPS targets also run "normal_fips", "fips_normal", and "fips_fips".
3) `--enable-libpkix` is now set for all taskcluster "build.sh" builds in order to support a number of OCSP tests that were previously not run.
Differential Revision: https://phabricator.services.mozilla.com/D43283
|
|
|
|
| |
Differential Revision: https://phabricator.services.mozilla.com/D43282
|
|
|
|
|
|
| |
builds. r=jcj
Differential Revision: https://phabricator.services.mozilla.com/D41392
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Reviewers: KevinJacobs
Tags: #secure-revision
Bug #: 1564714
Differential Revision: https://phabricator.services.mozilla.com/D37522
|
|
|
|
| |
Differential Revision: https://phabricator.services.mozilla.com/D25654
|
| |
|
|\ |
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Differential Revision: https://phabricator.services.mozilla.com/D28519
Patch notes:
cmd/fipstest:
Update fipstest to allow using old CAVS vectors in our all.sh. The various scripts have been moved to tests/fips/cavs_scripts. IKE functions were added to fipstest, and fipstest was updated to support verifying the output of ecdh and dh key agreement tests (kas).
fipstest.c:
NOTE: fipstest is the program NSS uses to process CAVS vectors from NIST. For historical reasons, it has known memory management issues. In general if there is a mistake, fipstest will likely crash. It has very little error checking. It has a very simplistic parser for the CAVS files. It requires the elements of the CAVS files to be in the correct order (most notably it requires the last element to always be in the last position. This is true of all the tests in fipstest, not just the new code.
1. when verifying ec_dh and dh, accept both CAVSHashZZ and HashZZ as the input hash. This allows verify not only to verify NIST CAVS vectors, but also the output of ec_dh and dh functional tests.
2. create ike functions modelled after the tls test functions. We test ike at the pkcs #11 level. There are three ike tests (driven by the three types of ike tests that NIST supplies):
2.1) ikev1. This generates the ike v1 keys from the provided input. It used ike_prf to generate SKEYID and ikev1_prf to generate SKEYID_d, SKEYID_a, and SKEYID_e.
2.2) ikev1_psk. This generates ike v1 keys from the provided input. It uses a pre-shared-secret-key. It also
used ike_prf to generate SKEYID (though it uses it with bDataAsKey=false), and ikev1_prf to generate SKEYID_d, SKEYID_a, and SKEYID_e.
2.3) ikev2. This generates ike v2 keys from the provided input. It uses ike_prf to generate SKEYSEED and ike_prf_plus to generate the key material. It also does a rekey using ike_prf and bRekey = true.
3. Add parameters so the tls can be called.
lib/softoken
This is the main location where the new functionality is provided.
fipstest.c
Add the power up self test for ike. The actual test lives in sftkike.c.
manifest.mn
Add sftkike.c to the build.
pkcs11.c
Add AES XCBC MAC and IKE Mechanisms to the softoken mechanism table.
pkcs11c.c
sftk_MapCryptError() is now a 'global' within softoken and lives in pkcs11u.c. This was done so that sftkike.c can use it.
sftk_InitCBCMac(). Update to handle AES XCBC., which is AES CBC MAC except 1) the underlying AES key is derived from the input key, and 2) the pad block is obscured using 2 new keys (k2, k3) also derived from the input key.
sftk_MACFinal() handle the special pad processing for the XCBC case.
sftk_MACUpdate() change the padding code to keep one full pad in the buffer. This won't affect normal MACs, but means that the last block in the Mac is always in the buffer so it can be processed in the XCBC case.
NSC_DerviceKey() add the ike functions into the mechanism swtich table. The actual implementations are in sftkike.c
pkcs11i.h
Add the XCBC state information into the SessionContext structure.
sftk_MapCryptError is now global, include it in the header.
include the ike and aes_xcbc helper functions.
pkcs11u.c
sftk_MapCryptError() now lives in pkcs11 utilities.
sftkike.c
prf_* functions implement all the underlying prf specific stuff. It hides whether the prf is an hmac or aes_xcbc. If there are additional prfs, they can be implemented here without affecting the rest of the derivation code. The AES_XCBC code is aes specific. If we ever add another XCBC type operation, we would probably want to initialize some encryption functions in prf_setup and only handle the difference between hmac and xcbc in the other prf functions.
sftk_aes_xcbc_get_keys - takes in input key and derives k1, k2, and k3. This function handles this derivation for both the prf_ functions in sftkike and the exported AES_XCBC Mac in pkcs11c.c
sftk_xcbc_mac_pad - function to handle the correct padding method for the last block of an xcbc operation. Unlike sftk_aes_xcbc_get_keys, it is independent of the xcbc's underlying encryption method, though only AES_XCBC is defined at this time.
sftk_ike_prf - common prf between ikev1 and ikev2 to generate SKEYID/SKEYSEED. See comments in code.
sftk_ike1_prf - ikev1 prf to generate the session keys in ikev1 from SKEYID. See comments in code.
sftk_ike_prf_plus - ike prf+ to generate the session keys in ikev2 from SKEYSEED. See comments in code.
sftk_aes_xcbc_new_keys - used in pkcs11c.c to generate the 2 derived keys used in aes_xcbc. Loads k1 into the pkcs11 slot as a session key.
prf_test - helper function to test our known test vectors for our FIPS powerup self tests.
sftk_fips_IKE_PowerUpSelfTests - test to make sure our basic system is working correctly.
softokn.gyp - add sftkike.c to gyp
lib/util
pkcs11n.h
add defines and structures for IKE. Since they are not yet an official PKCS #11 mechanism, use CKM_NSS and CK_NSS names for them.
pkcs11t.h
add CKM_AES_XCBC* mechanisms. These are defined in the latest PKCS #11 spec.
tests/fips
The work in this directory hooks up the CAVS tests we run to do fips validation into our normal test suite. This lets us use the NIST generated samples for
cavs_samples/* These are all vectors generated by the NIST CAVS tools (*.req) or the expected results generated by the last openssl or NSS runs and verified by the NIST CAVS tools (*.fax). These are the inputs to our fipstest. No need to detail review these. The are not explicitly included in this patch because they are too big for phabricator to handle.
cavs_scripts/* See the read me in that directory. These scripts were originally in cmd/fipstest. I added ike.sh, and I updated the verify target of all the scripts so they they return 0 on success and 1 on failure. This allows us to use the tests in fips.sh
fips.sh run the CAVS tests as part of the fips tests. This works to test our IKE support. Three of the cavs tests can take significant type (dsa and rsa takes several minutes, tdea is just over a minute). The code currently skips running those tests. You can run all the cavs tests by setting CAV_VECTORS=all
|
|/
|
|
|
|
|
|
|
|
| |
Reviewers: mt
Reviewed By: mt
Bug #: 1553443
Differential Revision: https://phabricator.services.mozilla.com/D32128
|
|
|
|
|
|
| |
try: -p linux64,linux64-fuzz -u gtest -t clang-format,scan-build
Differential Revision: https://phabricator.services.mozilla.com/D24399
|
|
|
|
|
|
|
|
|
|
|
|
| |
auth, r=mt
Reviewers: mt
Reviewed By: mt
Bug #: 1532312
Differential Revision: https://phabricator.services.mozilla.com/D21936
|
| |
|
| |
|
| |
|
|
|
|
| |
Differential Revision: https://phabricator.services.mozilla.com/D17014
|
|
|
|
|
|
|
|
|
|
| |
Reviewers: mt
Reviewed By: mt
Bug #: 1528262
Differential Revision: https://phabricator.services.mozilla.com/D21516
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Summary:
This adds a new policy keyword "DSA" to explicitly disable DSA in TLS 1.2 or earlier.
We could make this a bit more generic, e.g., by adding "ECDSA", "RSA-PSS" etc. However, considering the current use of policy in [fedora-crypto-policies](https://gitlab.com/redhat-crypto/fedora-crypto-policies), I realized that adding new keywords may cause compatibility problems; because the Fedora configuration has `disallow=ALL`, all new keywords would be disabled by default. I think it's okay for DSA, though.
Reviewers: kaie
Reviewed By: kaie
Bug #: 1493936
Differential Revision: https://phabricator.services.mozilla.com/D6777
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
libpkix, when validating a leaf certificate against the CAs' name
constraints, treats the Subject DN CN attribute as a DNS name. This
may be reasonable behaviour for server certificates, but does not
make sense for other kinds of certificates (e.g. user certificates,
OCSP signing certificates, etc.)
Update the libpkix name constraints checker to only treat the CN as
a DNS name for server certificates (i.e. when id-kp-serverAuth is
asserted in the Extended Key Usage extension). For compatibility,
the behaviour is unchanged (i.e. CN is still treated as a DNS name)
when the certificate does not have an Extended Key Usage extension.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Summary:
We check if $HOME/.pki and $HOME/.pki/nssdb exist; if they do, then we use
this path. Otherwise, use ${XDG_DATA_HOME:-$HOME/.local/share}/pki/nssdb
Test Plan:
Create dummy empty dir and set HOME to it. Then, check if getUserDb returns:
1. $HOME/.pki/nssdb when this path exists;
2. $HOME/.local/share/pki/nssdb when $HOME/.pki/nssdb does not and XDG_DATA_HOME is not defined;
3. $XDG_DATA_HOME/pki/nssdb when $HOME/.pki/nssdb does not exist and XDG_DATA_HOME is defined.
Reviewers: mt
Reviewed By: mt
Bug #: 818686
Differential Revision: https://phabricator.services.mozilla.com/D14007
|
|
|
|
|
|
|
|
|
|
|
|
| |
Summary: As suggested in RFC 8446 Appendix D.5, TLS 1.3 server should send protocol_version alert in response to a ClientHello with legacy_version set to 0x300 or smaller.
Reviewers: mt
Reviewed By: mt
Bug #: 1490006
Differential Revision: https://phabricator.services.mozilla.com/D11870
|
|
|
|
|
|
|
|
|
|
| |
Reviewers: mt
Reviewed By: mt
Bug #: 1444444
Differential Revision: https://phabricator.services.mozilla.com/D12441
|
|
|
|
|
| |
Patch by Kai
r=rrelyea
|
| |
|
|
|
|
| |
Differential Revision: https://phabricator.services.mozilla.com/D9630
|
| |
|
|
|
|
|
|
| |
The tests/interop/interop.sh script is using a forked repository of tls-interop,
which is merging back into the mainline. Going forward, we should use the
mainline repo.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Summary: As a start, it only tests TLS 1.3 so far; 8 out of 18 are skipped because of failures.
Reviewers: franziskus, HubertKario, mt
Reviewed By: mt
Subscribers: mt
Bug #: 1485989
Differential Revision: https://phabricator.services.mozilla.com/D4217
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This does some fairly major restructuring of the docker images we use for CI.
The genesis of the change is that we were pulling a version of clang that didn't
work for fuzzing tests. It turns out that is a use case that is not
well-supported anyway, and we have open bugs on it, but this installs
workarounds for all the problems I found.
Firstly, our images were bloated. This slims down most of the images. The
biggest gains are in the clang-format image (down to around a fifth of its
previous size). The main linux image we use for building and running tests is
also less than half its original size.
To achieve that, I had to make two new images. One for all the esoteric builds
we run (we compile with multiple gcc and clang versions, and I've added some
more to that list). That's a fairly sizeable image. The other is for the
interop and bogo suites, where we rely on having Rust and go available. go adds
a tidy 250Mb to an image, and Rust adds 750Mb. Using an image with both of
those for regular builds can't be good for performance. I didn't expect to see
real performance gains here, but the Linux build (32-bit, default config) went
from 4:18 down to 2:42 (roughly). The bulk of that time is accounted for by
downloading the docker image, so it's clear that an optimization worth spending
the time on.
Secondly, we had a lot of custom configuration stuff in the builds. This
removes most of that in favour of using stock Ubuntu packages from 18.04.
The one exception here is - I hope - temporary. As noted in the bug comments,
the current release of LLVM 6 has a bug where you can't run address sanitizer on
a 32-bit machine if it has glibc 2.27 (which Ubuntu 18.04 does). That's fairly
crippling because we need a newer version of LLVM than runs by default on Ubuntu
16.04, so we're stuck with installing a non-stock version for 32-bit runs. I've
opted to (temporarily) run 16.04 with an LLVM from the LLVM project.
The final change, which is minor, but a little odd and worth noting: the images
now rely on "localhost.localdomain" being aliased to the local machine. This is
something :wcosta has done for us (thanks!). Thus, we no longer have to run as
root so that we can tweak /etc/hosts before we run. There is a little cleanup
related to this, but nothing significant. (The scripts still include the `su
worker` tweak for aarch64, but I've added a guard and we can remove that with
bug 1488325.)
There is still more work to be done for the HACL* and SAW builds, which use some
very strange configurations. Also, all of the aarch64 images aren't built
automatically, so we use images from Franziskus' dockerhub account. This is not
good. After digging around a little, there's probably something to be done with
QEMU, but I decided that was a project for another time.
|
| |
|
| |
|
| |
|
| |
|
| |
|