| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Summary:
This increases the limit of record expansion by 16 so that it doesn't
reject maximum block padding when HMAC-SHA384 is used.
To test this, tlsfuzzer is updated to the latest version
(commit 80d7932ead1d8dae6e555cfd2b1c4c5beb2847df).
Reviewers: mt
Reviewed By: mt
Bug #: 1580286
Differential Revision: https://phabricator.services.mozilla.com/D46760
|
| |
|
|
| |
r=jcj
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch increases SSL testing on taskcluster, specifically, running an additional 395 tests on each SSL cycle (more for FIPS targets), and adding a new 'stress' cycle.
Notable changes:
1) This patch removes SSL stress tests from the default `NSS_SSL_RUN` list in all.sh and ssl.sh. If stress tests are needed, this variable must be set to include.
2) The "normal_normal" case is added to `NSS_SSL_TESTS` for all targets. FIPS targets also run "normal_fips", "fips_normal", and "fips_fips".
3) `--enable-libpkix` is now set for all taskcluster "build.sh" builds in order to support a number of OCSP tests that were previously not run.
Differential Revision: https://phabricator.services.mozilla.com/D43283
|
| |
|
|
| |
Differential Revision: https://phabricator.services.mozilla.com/D43282
|
| |
|
|
|
|
| |
builds. r=jcj
Differential Revision: https://phabricator.services.mozilla.com/D41392
|
| | |
|
| |
|
|
|
|
|
|
|
|
| |
Reviewers: KevinJacobs
Tags: #secure-revision
Bug #: 1564714
Differential Revision: https://phabricator.services.mozilla.com/D37522
|
| |
|
|
| |
Differential Revision: https://phabricator.services.mozilla.com/D25654
|
| | |
|
| |\ |
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Differential Revision: https://phabricator.services.mozilla.com/D28519
Patch notes:
cmd/fipstest:
Update fipstest to allow using old CAVS vectors in our all.sh. The various scripts have been moved to tests/fips/cavs_scripts. IKE functions were added to fipstest, and fipstest was updated to support verifying the output of ecdh and dh key agreement tests (kas).
fipstest.c:
NOTE: fipstest is the program NSS uses to process CAVS vectors from NIST. For historical reasons, it has known memory management issues. In general if there is a mistake, fipstest will likely crash. It has very little error checking. It has a very simplistic parser for the CAVS files. It requires the elements of the CAVS files to be in the correct order (most notably it requires the last element to always be in the last position. This is true of all the tests in fipstest, not just the new code.
1. when verifying ec_dh and dh, accept both CAVSHashZZ and HashZZ as the input hash. This allows verify not only to verify NIST CAVS vectors, but also the output of ec_dh and dh functional tests.
2. create ike functions modelled after the tls test functions. We test ike at the pkcs #11 level. There are three ike tests (driven by the three types of ike tests that NIST supplies):
2.1) ikev1. This generates the ike v1 keys from the provided input. It used ike_prf to generate SKEYID and ikev1_prf to generate SKEYID_d, SKEYID_a, and SKEYID_e.
2.2) ikev1_psk. This generates ike v1 keys from the provided input. It uses a pre-shared-secret-key. It also
used ike_prf to generate SKEYID (though it uses it with bDataAsKey=false), and ikev1_prf to generate SKEYID_d, SKEYID_a, and SKEYID_e.
2.3) ikev2. This generates ike v2 keys from the provided input. It uses ike_prf to generate SKEYSEED and ike_prf_plus to generate the key material. It also does a rekey using ike_prf and bRekey = true.
3. Add parameters so the tls can be called.
lib/softoken
This is the main location where the new functionality is provided.
fipstest.c
Add the power up self test for ike. The actual test lives in sftkike.c.
manifest.mn
Add sftkike.c to the build.
pkcs11.c
Add AES XCBC MAC and IKE Mechanisms to the softoken mechanism table.
pkcs11c.c
sftk_MapCryptError() is now a 'global' within softoken and lives in pkcs11u.c. This was done so that sftkike.c can use it.
sftk_InitCBCMac(). Update to handle AES XCBC., which is AES CBC MAC except 1) the underlying AES key is derived from the input key, and 2) the pad block is obscured using 2 new keys (k2, k3) also derived from the input key.
sftk_MACFinal() handle the special pad processing for the XCBC case.
sftk_MACUpdate() change the padding code to keep one full pad in the buffer. This won't affect normal MACs, but means that the last block in the Mac is always in the buffer so it can be processed in the XCBC case.
NSC_DerviceKey() add the ike functions into the mechanism swtich table. The actual implementations are in sftkike.c
pkcs11i.h
Add the XCBC state information into the SessionContext structure.
sftk_MapCryptError is now global, include it in the header.
include the ike and aes_xcbc helper functions.
pkcs11u.c
sftk_MapCryptError() now lives in pkcs11 utilities.
sftkike.c
prf_* functions implement all the underlying prf specific stuff. It hides whether the prf is an hmac or aes_xcbc. If there are additional prfs, they can be implemented here without affecting the rest of the derivation code. The AES_XCBC code is aes specific. If we ever add another XCBC type operation, we would probably want to initialize some encryption functions in prf_setup and only handle the difference between hmac and xcbc in the other prf functions.
sftk_aes_xcbc_get_keys - takes in input key and derives k1, k2, and k3. This function handles this derivation for both the prf_ functions in sftkike and the exported AES_XCBC Mac in pkcs11c.c
sftk_xcbc_mac_pad - function to handle the correct padding method for the last block of an xcbc operation. Unlike sftk_aes_xcbc_get_keys, it is independent of the xcbc's underlying encryption method, though only AES_XCBC is defined at this time.
sftk_ike_prf - common prf between ikev1 and ikev2 to generate SKEYID/SKEYSEED. See comments in code.
sftk_ike1_prf - ikev1 prf to generate the session keys in ikev1 from SKEYID. See comments in code.
sftk_ike_prf_plus - ike prf+ to generate the session keys in ikev2 from SKEYSEED. See comments in code.
sftk_aes_xcbc_new_keys - used in pkcs11c.c to generate the 2 derived keys used in aes_xcbc. Loads k1 into the pkcs11 slot as a session key.
prf_test - helper function to test our known test vectors for our FIPS powerup self tests.
sftk_fips_IKE_PowerUpSelfTests - test to make sure our basic system is working correctly.
softokn.gyp - add sftkike.c to gyp
lib/util
pkcs11n.h
add defines and structures for IKE. Since they are not yet an official PKCS #11 mechanism, use CKM_NSS and CK_NSS names for them.
pkcs11t.h
add CKM_AES_XCBC* mechanisms. These are defined in the latest PKCS #11 spec.
tests/fips
The work in this directory hooks up the CAVS tests we run to do fips validation into our normal test suite. This lets us use the NIST generated samples for
cavs_samples/* These are all vectors generated by the NIST CAVS tools (*.req) or the expected results generated by the last openssl or NSS runs and verified by the NIST CAVS tools (*.fax). These are the inputs to our fipstest. No need to detail review these. The are not explicitly included in this patch because they are too big for phabricator to handle.
cavs_scripts/* See the read me in that directory. These scripts were originally in cmd/fipstest. I added ike.sh, and I updated the verify target of all the scripts so they they return 0 on success and 1 on failure. This allows us to use the tests in fips.sh
fips.sh run the CAVS tests as part of the fips tests. This works to test our IKE support. Three of the cavs tests can take significant type (dsa and rsa takes several minutes, tdea is just over a minute). The code currently skips running those tests. You can run all the cavs tests by setting CAV_VECTORS=all
|
| |/
|
|
|
|
|
|
|
|
| |
Reviewers: mt
Reviewed By: mt
Bug #: 1553443
Differential Revision: https://phabricator.services.mozilla.com/D32128
|
| |
|
|
|
|
| |
try: -p linux64,linux64-fuzz -u gtest -t clang-format,scan-build
Differential Revision: https://phabricator.services.mozilla.com/D24399
|
| |
|
|
|
|
|
|
|
|
|
|
| |
auth, r=mt
Reviewers: mt
Reviewed By: mt
Bug #: 1532312
Differential Revision: https://phabricator.services.mozilla.com/D21936
|
| | |
|
| | |
|
| | |
|
| |
|
|
| |
Differential Revision: https://phabricator.services.mozilla.com/D17014
|
| |
|
|
|
|
|
|
|
|
| |
Reviewers: mt
Reviewed By: mt
Bug #: 1528262
Differential Revision: https://phabricator.services.mozilla.com/D21516
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Summary:
This adds a new policy keyword "DSA" to explicitly disable DSA in TLS 1.2 or earlier.
We could make this a bit more generic, e.g., by adding "ECDSA", "RSA-PSS" etc. However, considering the current use of policy in [fedora-crypto-policies](https://gitlab.com/redhat-crypto/fedora-crypto-policies), I realized that adding new keywords may cause compatibility problems; because the Fedora configuration has `disallow=ALL`, all new keywords would be disabled by default. I think it's okay for DSA, though.
Reviewers: kaie
Reviewed By: kaie
Bug #: 1493936
Differential Revision: https://phabricator.services.mozilla.com/D6777
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
libpkix, when validating a leaf certificate against the CAs' name
constraints, treats the Subject DN CN attribute as a DNS name. This
may be reasonable behaviour for server certificates, but does not
make sense for other kinds of certificates (e.g. user certificates,
OCSP signing certificates, etc.)
Update the libpkix name constraints checker to only treat the CN as
a DNS name for server certificates (i.e. when id-kp-serverAuth is
asserted in the Extended Key Usage extension). For compatibility,
the behaviour is unchanged (i.e. CN is still treated as a DNS name)
when the certificate does not have an Extended Key Usage extension.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Summary:
We check if $HOME/.pki and $HOME/.pki/nssdb exist; if they do, then we use
this path. Otherwise, use ${XDG_DATA_HOME:-$HOME/.local/share}/pki/nssdb
Test Plan:
Create dummy empty dir and set HOME to it. Then, check if getUserDb returns:
1. $HOME/.pki/nssdb when this path exists;
2. $HOME/.local/share/pki/nssdb when $HOME/.pki/nssdb does not and XDG_DATA_HOME is not defined;
3. $XDG_DATA_HOME/pki/nssdb when $HOME/.pki/nssdb does not exist and XDG_DATA_HOME is defined.
Reviewers: mt
Reviewed By: mt
Bug #: 818686
Differential Revision: https://phabricator.services.mozilla.com/D14007
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Summary: As suggested in RFC 8446 Appendix D.5, TLS 1.3 server should send protocol_version alert in response to a ClientHello with legacy_version set to 0x300 or smaller.
Reviewers: mt
Reviewed By: mt
Bug #: 1490006
Differential Revision: https://phabricator.services.mozilla.com/D11870
|
| |
|
|
|
|
|
|
|
|
| |
Reviewers: mt
Reviewed By: mt
Bug #: 1444444
Differential Revision: https://phabricator.services.mozilla.com/D12441
|
| |
|
|
|
| |
Patch by Kai
r=rrelyea
|
| | |
|
| |
|
|
| |
Differential Revision: https://phabricator.services.mozilla.com/D9630
|
| | |
|
| |
|
|
|
|
| |
The tests/interop/interop.sh script is using a forked repository of tls-interop,
which is merging back into the mainline. Going forward, we should use the
mainline repo.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Summary: As a start, it only tests TLS 1.3 so far; 8 out of 18 are skipped because of failures.
Reviewers: franziskus, HubertKario, mt
Reviewed By: mt
Subscribers: mt
Bug #: 1485989
Differential Revision: https://phabricator.services.mozilla.com/D4217
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This does some fairly major restructuring of the docker images we use for CI.
The genesis of the change is that we were pulling a version of clang that didn't
work for fuzzing tests. It turns out that is a use case that is not
well-supported anyway, and we have open bugs on it, but this installs
workarounds for all the problems I found.
Firstly, our images were bloated. This slims down most of the images. The
biggest gains are in the clang-format image (down to around a fifth of its
previous size). The main linux image we use for building and running tests is
also less than half its original size.
To achieve that, I had to make two new images. One for all the esoteric builds
we run (we compile with multiple gcc and clang versions, and I've added some
more to that list). That's a fairly sizeable image. The other is for the
interop and bogo suites, where we rely on having Rust and go available. go adds
a tidy 250Mb to an image, and Rust adds 750Mb. Using an image with both of
those for regular builds can't be good for performance. I didn't expect to see
real performance gains here, but the Linux build (32-bit, default config) went
from 4:18 down to 2:42 (roughly). The bulk of that time is accounted for by
downloading the docker image, so it's clear that an optimization worth spending
the time on.
Secondly, we had a lot of custom configuration stuff in the builds. This
removes most of that in favour of using stock Ubuntu packages from 18.04.
The one exception here is - I hope - temporary. As noted in the bug comments,
the current release of LLVM 6 has a bug where you can't run address sanitizer on
a 32-bit machine if it has glibc 2.27 (which Ubuntu 18.04 does). That's fairly
crippling because we need a newer version of LLVM than runs by default on Ubuntu
16.04, so we're stuck with installing a non-stock version for 32-bit runs. I've
opted to (temporarily) run 16.04 with an LLVM from the LLVM project.
The final change, which is minor, but a little odd and worth noting: the images
now rely on "localhost.localdomain" being aliased to the local machine. This is
something :wcosta has done for us (thanks!). Thus, we no longer have to run as
root so that we can tweak /etc/hosts before we run. There is a little cleanup
related to this, but nothing significant. (The scripts still include the `su
worker` tweak for aarch64, but I've added a guard and we can remove that with
bug 1488325.)
There is still more work to be done for the HACL* and SAW builds, which use some
very strange configurations. Also, all of the aarch64 images aren't built
automatically, so we use images from Franziskus' dockerhub account. This is not
good. After digging around a little, there's probably something to be done with
QEMU, but I decided that was a project for another time.
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
|
| |
Differential Revision: https://phabricator.services.mozilla.com/D1346
|
| |
|
|
|
|
|
|
| |
Reviewers: franziskus
Bug #: 1476672
Differential Revision: https://phabricator.services.mozilla.com/D2223
|
| |
|
|
|
|
|
|
|
|
| |
Summary: This patch allows client applications to specify tokens unambiguously with PKCS #11 URI, instead of token name. It also includes a minor fixes to PKCS #11 URI handling that previously treated the scheme case sensitively.
Reviewers: kaie, rrelyea
Bug #: 1475274
Differential Revision: https://phabricator.services.mozilla.com/D2099
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Summary: This change makes it possible to remove orphaned private key with the `-F` command. Similarly to `-R` (bug 430198), it reads a key ID from `-k`.
Reviewers: kaie
Reviewed By: kaie
Bug #: 291383
Differential Revision: https://phabricator.services.mozilla.com/D2094
|
| |
|
|
| |
for errors, r=rrelyea
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
r=rrelyea,fkiefer
Summary:
In bug 1413596, we changed SECKEY_GetPrivateKeyType() to return
rsaPssKey, if the private key is restricted to RSA-PSS when importing.
Although the intention of this change was to extend the certutil
output to provide more information about key types, it introduced
inconsistency with the existing code, as SECKEY_GetPublicKeyType()
still returns rsaKey.
This patch partially revert the change and determine the actual
(restricted) key type in a different way, using CERT_GetCertKeyType()
and PK11_GetCertFromPrivateKey().
Reviewers: rrelyea, franziskus
Reviewed By: franziskus
Subscribers: franziskus
Bug #: 1471985
Differential Revision: https://phabricator.services.mozilla.com/D1911
|
| |
|
|
| |
Differential Revision: https://phabricator.services.mozilla.com/D1843
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This adds support for the new codepoints that we added in TLS 1.3 draft -23.
In short, the split between rsa_pss_rsae and rsa_pss_pss made our support
for PSS inconsistent (we would generate only the former).
This adds support for the rsa_pss_pss_shaX signature schemes. It does so by
using the ssl_auth_rsa_pss codepoint, which I originally added, then we decided
not to use because the generic RSA codepoints were enough at the time. Now,
with the split on signature schemes, it isn't possible with the current
certificate configuration APIs to have everything work with just
ssl_auth_rsa_sign. We expect PSS keys to be configured alongside PKCS#1 keys
and use SSLAuthType to distinguish them, but if we only use ssl_auth_rsa_sign,
we can't find the right key when resuming.
In this way, we are assigning certificates an SSLAuthType based on the type of
the key and not the signature it has. That makes it cleaner than what we used
to have, at least.
That said, once we support signature_algorithms_cert extensions properly, we
will not want to bucket certificates on the server. Instead, we will have a
list and pick the first that matches, with no attempt to use types as we had.
There are just too many ways in which a certificate might be chosen or not when
you have to examine the entire chain. Of course, that's an even bigger change
than this.
The biggest change here is to attempt to determine the signature scheme based
on the certificate SPKI. If that works, then we use that signature scheme,
otherwise we fall back to the existing logic (which searches a list). For PSS
with parameters and EC (EC only in TLS 1.3), there is just one signature scheme
for a given SPKI, so that works out nicely. PSS without parameters, ECDSA, and
older RSA certificates fall back to searching. I expect all future schemes to
have just one scheme each, so it's a structure that I think supports that well.
|
| |
|
|
| |
adding a test, r=rrelyea
|
| |
|
|
| |
Differential Revision: https://phabricator.services.mozilla.com/D1212
|
| | |
|
