- 27 Feb, 2021 1 commit
-
-
Hubert Kario authored
Differential Revision: https://phabricator.services.mozilla.com/D106617
-
- 25 Feb, 2021 1 commit
-
-
Robert Relyea authored
-
- 24 Feb, 2021 3 commits
-
-
Robert Relyea authored
r=ueno,bbeurdouche

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:85.0) Gecko/20100101 Firefox/85.0

Steps to reproduce:
Using NSS with a PKCS #11 library that returns CKR_ATTRIBUTE_VALUE_INVALID when searching for CKA_CLASS = CKO_PROFILE.

Actual results:
PK11_InitToken calls pk11_ReadProfileList and passes on failures. Thus, if the profiles cannot be read, the token cannot be initialized. pk11_ReadProfileList in turn uses pk11_FindObjectsByTemplate to search for CKO_PROFILE objects. This function fails if C_FindObjectsInit fails. However, it should be perfectly ok that C_FindObjectsInit fails if CKO_PROFILE is not known. In fact, CKR_ATTRIBUTE_VALUE_INVALID is a valid return code here since the library does not know (yet) the value CKO_PROFILE for CKA_CLASS and, since CKA_CLASS is a fixed list, the standard allows returning this error code.

Expected results:
PK11_InitToken should complete successfully.

Differential Revision: https://phabricator.services.mozilla.com/D106167
-
Benjamin Beurdouche authored
Depends on D104418

Differential Revision: https://phabricator.services.mozilla.com/D106144
-
Arora Aashish authored
Differential Revision: https://phabricator.services.mozilla.com/D104418
-
- 23 Feb, 2021 9 commits
-
-
Benjamin Beurdouche authored
Bug 1693217 - Increase nssckbi.h version number for March 2021 batch of root CA changes, CA list version 2.48. r=KathleenWilson

Differential Revision: https://phabricator.services.mozilla.com/D105451
-
Benjamin Beurdouche authored
Bug 1692094 - Set email distrust after to 21-03-01 for Camerfirma's 'Chambers of Commerce' and 'Global Chambersign' roots. r=KathleenWilson

Differential Revision: https://phabricator.services.mozilla.com/D105435
-
Benjamin Beurdouche authored
Differential Revision: https://phabricator.services.mozilla.com/D85334
-
Benjamin Beurdouche authored
Depends on D105448

Differential Revision: https://phabricator.services.mozilla.com/D105457
-
Benjamin Beurdouche authored
Differential Revision: https://phabricator.services.mozilla.com/D105448
-
Benjamin Beurdouche authored
Differential Revision: https://phabricator.services.mozilla.com/D105444
-
Benjamin Beurdouche authored
Bug 1687822 - Turn off Websites trust bit for the “Staat der Nederlanden Root CA - G3” root cert in NSS. r=KathleenWilson

Differential Revision: https://phabricator.services.mozilla.com/D105436
-
Benjamin Beurdouche authored
Bug 1692094 - Turn off Websites Trust Bit for 'Chambers of Commerce Root - 2008' and 'Global Chambersign Root - 2008'. r=KathleenWilson

Differential Revision: https://phabricator.services.mozilla.com/D105433
-
Stephen Farrell authored
-
- 19 Feb, 2021 1 commit
-
-
Benjamin Beurdouche authored
-
- 05 Feb, 2021 1 commit
-
-
Danh authored
Differential Revision: https://phabricator.services.mozilla.com/D104259
-
- 06 Feb, 2021 1 commit
-
-
Robert Relyea authored
Patch by Andrew Cagney
Preliminary Review by Ryan Sleevie
Tested against all.sh rrelyea.
r=kjacobs

(this bug is old)

pkix_Build_GatherCerts() has two code paths for creating the list "certsFound":

pkix_CacheCert_Lookup()
    this sets "certsFound" to a new list
    "certsFound" and "cachedCertTable" share items but not the list

pkix_CacheCert_Add(pkix_pl_Pk11CertStore_CertQuery())
    this sets "certsFound" to a new list; and then adds the list to "cachedCertTable"
    "certsFound" and "cachedCertTable" share a linked list

Because the latter doesn't create a separate list, deleting list elements from "certsFound" can also delete list elements from within "cacheCertTable". And if this happens while pkix_CacheCert_Lookup() is trying to update the same element's reference, a core dump can result.

In detail (note that reference counts may occasionally seem off by 1; it's because data is being captured before function local variables release their reference):

pkix_Build_GatherCerts() calls pkix_pl_Pk11CertStore_CertQuery() (via a pointer) to set "certsFound":

    PKIX_CHECK(getCerts
               (certStore, state->certSel, state->verifyNode, &nbioContext, &certsFound, plContext),
               PKIX_GETCERTSFAILED);

it then calls:

    PKIX_CHECK(pkix_CacheCert_Add
               (certStore, certSelParams, certsFound, plContext),
               PKIX_CACHECERTADDFAILED);
-
- 04 Feb, 2021 2 commits
-
-
Kevin Jacobs authored
Bug 1654332 changed the way that NSS constructs Client Hello messages. `ssl_CalculatePaddingExtLen` now receives a `clientHelloLength` value that includes the 4B handshake header. This looks okay per the inline comment (which states that only the record header is omitted from the length), but the function actually assumes that the handshake header is also omitted.

This patch removes the addition of the handshake header length. Those bytes are already included in the buffered CH.

Differential Revision: https://phabricator.services.mozilla.com/D103934
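The following is an added model of the padding arithmetic the commit above describes; it is not NSS code and not part of the commit. It applies the RFC 7685 rule (keep the ClientHello record out of the 256..511 byte range) to a `client_hello_len` that already includes the 4-byte handshake header, and contrasts the corrected arithmetic with the variant that adds the header a second time. The function names, the 200..600 scan window, and the "always send at least one byte of padding data" minimum are assumptions made for the example.

```python
"""Added model of the ClientHello padding computation (not NSS code)."""

HANDSHAKE_HEADER_LEN = 4      # 1-byte message type + 3-byte length
PAD_LOW, PAD_HIGH = 256, 512  # RFC 7685: keep the record out of [256, 512)
EXT_HEADER_LEN = 4            # extension type (2) + extension length (2)


def padding_ext_data_len(client_hello_len, double_count_header):
    """Bytes of padding-extension data to append.

    client_hello_len is the length of the buffered ClientHello *including*
    its 4-byte handshake header, as the commit says it now is. With
    double_count_header=True the header is added a second time, which is
    the bug being fixed; False is the corrected arithmetic."""
    record_len = client_hello_len
    if double_count_header:
        record_len += HANDSHAKE_HEADER_LEN
    if record_len < PAD_LOW or record_len >= PAD_HIGH:
        return 0
    ext_len = PAD_HIGH - record_len
    # Assumption for this example: always send at least one data byte,
    # since an empty trailing extension is rejected by some servers.
    ext_len = max(ext_len, EXT_HEADER_LEN + 1)
    return ext_len - EXT_HEADER_LEN


def padded_len(client_hello_len, double_count_header):
    """Length of the handshake message actually sent after padding."""
    data = padding_ext_data_len(client_hello_len, double_count_header)
    return client_hello_len + (EXT_HEADER_LEN + data if data else 0)


def lengths_left_in_bad_range(double_count_header, lo=200, hi=600):
    """ClientHello lengths in [lo, hi) that still end up inside
    [PAD_LOW, PAD_HIGH) after padding; empty for a correct implementation."""
    return [n for n in range(lo, hi)
            if PAD_LOW <= padded_len(n, double_count_header) < PAD_HIGH]


if __name__ == "__main__":
    print("fixed:", lengths_left_in_bad_range(False))
    print("double-counted:", lengths_left_in_bad_range(True))
```

With the header counted twice, a 300-byte ClientHello is padded to 508 bytes rather than 512, and a 508..511-byte ClientHello gets no padding at all, so almost every length in the window still lands inside the range the extension exists to avoid.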
-
Kevin Jacobs authored
Differential Revision: https://phabricator.services.mozilla.com/D104067
-
- 03 Feb, 2021 1 commit
-
-
Kevin Jacobs authored
Differential Revision: https://phabricator.services.mozilla.com/D103849
-
- 31 Jan, 2021 1 commit
-
-
Kevin Jacobs authored
A few minor ECH -09 fixes for interop testing and fuzzing:
- selfserv now takes a PKCS8 keypair for ECH. This is more maintainable and significantly less terrible than parsing the ECHConfigs and cobbling one together within selfserv (e.g. we can support other KEMs without modifying the server).
- Get rid of the newline character in tstclnt retry_configs output.
- Fuzzer fixes in tls13_HandleHrrCookie:
  - We shouldn't use internal_error when PK11_HPKE_ImportContext fails. Cookies are unprotected in fuzzer mode, so this can be expected to occur.
  - Only restore the application token when recovering hash state, otherwise the copy could happen twice, leaking one of the allocations.

Differential Revision: https://phabricator.services.mozilla.com/D103247
-
- 25 Jan, 2021 1 commit
-
-
Kevin Jacobs authored
Differential Revision: https://phabricator.services.mozilla.com/D102964
-
- 24 Jan, 2021 1 commit
-
-
Kevin Jacobs authored
Usage example:

mkdir dbdir && cd dbdir
certutil -N -d .
certutil -S -s "CN=ech-public.com" -n ech-public.com -x -t "C,C,C" -m 1234 -d .
certutil -S -s "CN=ech-private-backend.com" -n ech-private-backend.com -x -t "C,C,C" -m 2345 -d .
../dist/Debug/bin/selfserv -a ech-public.com -a ech-private-backend.com -n ech-public.com -n ech-private-backend.com -p 8443 -d dbdir/ -X publicname:ech-public.com

(Copy echconfig from selfserv output and paste into the below command)

../dist/Debug/bin/tstclnt -D -p 8443 -v -A tests/ssl/sslreq.dat -h ech-private-backend.com -o -N <echconfig> -v

Differential Revision: https://phabricator.services.mozilla.com/D101050
-
- 25 Jan, 2021 3 commits
-
-
Kevin Jacobs authored
This patch updates ECH implementation to draft-09. Changes of note are:
- Acceptance signal derivation is now based on the handshake secret.
- `config_id` hint changes from 32B to 8B, trial decryption added on the server.
- Duplicate code in HRR cookie handling has been consolidated into `tls13_HandleHrrCookie`.
- `ech_is_inner` extension is added, which causes a server to indicate ECH acceptance.
- Per the above, support signaling ECH acceptance when acting as a backend server in split-mode (i.e. when there is no other local Encrypted Client Hello state).

Differential Revision: https://phabricator.services.mozilla.com/D101049
-
Kevin Jacobs authored
This patch adds and exports two new HPKE functions: `PK11_HPKE_ExportContext` and `PK11_HPKE_ImportContext`, which are used to export a serialized HPKE context, then later reimport that context and resume Open and Export operations. Only receiver contexts are currently supported for export (see the rationale in pk11pub.h).

One other change introduced here is that `PK11_HPKE_GetEncapPubKey` now works as expected on the receiver side.

If the `wrapKey` argument is provided to the Export/Import functions, then the symmetric keys are wrapped with AES Key Wrap with Padding (SP800-38F, 6.3) prior to serialization.

Differential Revision: https://phabricator.services.mozilla.com/D99277
-
Kevin Jacobs authored
This patch updates HPKE to draft-07. A few other minor changes are included:
- Refactor HPKE gtests for increased parameterized testing.
- Replace memcpy calls with PORT_Memcpy
- Serialization tweaks to make way for context Export/Import (D99277).

This should not be landed without an ECH update, as fixed ECH test vectors will otherwise fail to decrypt.

Differential Revision: https://phabricator.services.mozilla.com/D99276
-
- 23 Jan, 2021 1 commit
-
-
Kevin Jacobs authored
Differential Revision: https://phabricator.services.mozilla.com/D102670
-
- 22 Jan, 2021 1 commit
-
-
Kevin Jacobs authored
-
- 19 Jan, 2021 1 commit
-
-
Kevin Jacobs authored
-
- 13 Jan, 2021 3 commits
-
-
Kevin Jacobs authored
Differential Revision: https://phabricator.services.mozilla.com/D101648
-
Kevin Jacobs authored
Differential Revision: https://phabricator.services.mozilla.com/D101668
-
Kevin Jacobs authored
Differential Revision: https://phabricator.services.mozilla.com/D101218
-
- 22 Dec, 2020 2 commits
-
-
Kevin Jacobs authored
Bug 1682863 - Revert nssSlot_IsTokenPresent to 3.58 after ongoing Fx hangs with slow PKCS11 devices. r=bbeurdouche

This patch reverts the `nssSlot_IsTokenPresent` changes made in bug 1663661 and bug 1679290, restoring the version used in NSS 3.58 and earlier. It's not an actual `hg backout` because the comment in lib/dev/devt.h is worth keeping.

While removing the nested locking did resolve the hang for some (most?) third-party modules, problems remain with some slower tokens after an even further relaxation of the locking, which defeats the purpose of addressing the races in the first place. The crash addressed by these patches was caused by the Intermediate Preloading Healer in Firefox, which has been disabled.

We clearly have insufficient test coverage for third-party modules, and now that osclientcerts is enabled in Fx Nightly, any problems caused by these and similar changes are unlikely to be reported until Fx Beta, well after NSS RTM. I think the best option at this point is to simply revert NSS.

Differential Revision: https://phabricator.services.mozilla.com/D100344
-
Robert Relyea authored
review comments. All the review comments pertained to actual code comments, so this patch only affects the comments.
-
- 18 Dec, 2020 2 commits
-
-
Robert Relyea authored
This patch defeats Bleichenbacher by not trying to hide the size of the decrypted text, but to hide if the text succeeded or failed. This is done by generating a fake returned text that's based on the key and the cipher text, so the fake data is always the same for the same key and cipher text. Both the length and the plain text are generated with a prf.

Here's the proposed spec the patch codes to:

1. Use SHA-256 to hash the private exponent encoded as a big-endian integer to a string the same length as the public modulus. Keep this value secret. (this is just an optimisation so that the implementation doesn't have to serialise the key over and over again)
2. Check the length of input according to step one of https://tools.ietf.org/html/rfc8017#section-7.2.2
3. When provided with a ciphertext, use SHA-256 HMAC(key=hash_from_step1, text=ciphertext) to generate the key derivation key
4. Use SHA-256 HMAC with key derivation key as the key and a two-byte big-endian iterator concatenated with byte string "length" with the big-endian representation of 2048 (0x0800) as the bit length of the generated string.
   - Iterate this PRF 8 times to generate a 256 byte string
5. initialise the length of synthetic message to 0
6. split the PRF output into 2 byte strings, convert into big-endian integers, zero-out high-order bits so that they have the same bit length as the octet length of the maximum acceptable message size (k-11), select the last integer that is no larger than (k-11) or remain at 0 if no integer is smaller than (k-11); this selection needs to be performed using side-channel free operators
7. Use SHA-256 HMAC with key derivation key as the key and a two-byte big-endian iterator concatenated with byte string "message" with the big-endian representation of k*8
   - use this PRF to generate k bytes of output (right-truncate last HMAC call if the number of generated bytes is not a multiple of SHA-256 output size)
8. perform the RSA decryption as described in step 2 of section 7.2.2 of rfc8017
9. Verify the EM message padding as described in step 3 of section 7.2.2 of rfc8017, but instead of outputting "decryption error", return the last l bytes of the "message" PRF, where l is the selected synthetic message length using the "length" PRF; make this decision and copy using side-channel free operation

Differential Revision: https://phabricator.services.mozilla.com/D99843
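The following is an added walk-through of the nine steps in the commit message above, written for this page; it is not the NSS patch and not Hubert Kario's reference code. It uses a constructed, far-too-small RSA key built from two Mersenne primes so it runs offline with only the standard library, assumes the two-byte iterator in steps 4 and 7 starts at 0, and the function and constant names are its own. Python cannot honour the "side-channel free" requirement of steps 6 and 9; the code avoids early returns and selects the output at the end, but that is illustrative structure, not a timing guarantee.

```python
import hashlib
import hmac

# Constructed demo key: two Mersenne primes so the example runs offline
# with no library. Far too small for real use; only the structure matters.
P = (1 << 61) - 1
Q = (1 << 89) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8          # modulus length in octets (19 here)
MAX_MSG = K - 11                        # longest PKCS#1 v1.5 payload


def i2osp(x, length):
    return x.to_bytes(length, "big")


def pkcs1_v15_encrypt(msg, pad):
    """Encrypt with caller-supplied padding bytes so the test can build
    both well-formed and malformed ciphertexts deterministically."""
    em = b"\x00\x02" + pad + b"\x00" + msg
    assert len(em) == K
    return i2osp(pow(int.from_bytes(em, "big"), E, N), K)


def _prf(kdk, label, bits, nbytes):
    """Steps 4 and 7: HMAC-SHA256(kdk, counter || label || bits), where
    counter is a 2-byte big-endian iterator (assumed to start at 0) and
    bits is the 2-byte big-endian output length in bits; right-truncated."""
    out = b""
    counter = 0
    while len(out) < nbytes:
        data = counter.to_bytes(2, "big") + label + bits.to_bytes(2, "big")
        out += hmac.new(kdk, data, hashlib.sha256).digest()
        counter += 1
    return out[:nbytes]


def synthetic_length(kdk):
    """Steps 4-6: pick the synthetic message length from the "length" PRF.
    Every candidate is visited and the selection is arithmetic rather than
    a break, mirroring the spec's no-early-exit requirement."""
    mask = (1 << MAX_MSG.bit_length()) - 1
    buf = _prf(kdk, b"length", 2048, 256)
    chosen = 0
    for i in range(0, 256, 2):
        cand = int.from_bytes(buf[i:i + 2], "big") & mask
        ok = ((cand - MAX_MSG - 1) >> 31) & 1   # 1 iff cand <= MAX_MSG
        chosen += ok * (cand - chosen)          # keep the last acceptable one
    return chosen


def rsa_decrypt_implicit_rejection(ct):
    """Steps 1-3 and 8-9: decrypt, and on bad padding return the synthetic
    message instead of an error. The same key and ciphertext always yield
    the same synthetic output, so repeated probing sees no oracle."""
    if len(ct) != K:                                          # step 2
        raise ValueError("ciphertext must be %d bytes" % K)
    kdk_key = hashlib.sha256(i2osp(D, K)).digest()           # step 1
    kdk = hmac.new(kdk_key, ct, hashlib.sha256).digest()      # step 3
    synth_len = synthetic_length(kdk)                         # steps 4-6
    synth = _prf(kdk, b"message", K * 8, K)                   # step 7
    em = i2osp(pow(int.from_bytes(ct, "big"), D, N), K)       # step 8
    # step 9: check 00 02 <8+ nonzero bytes> 00 <message> with no early
    # return, then select which buffer to hand back.
    sep = K                         # index of the separator, K if absent
    for i in range(2, K):
        if em[i] == 0 and sep == K:
            sep = i
    valid = em[0] == 0 and em[1] == 2 and 10 <= sep < K
    real = em[sep + 1:]
    fake = synth[K - synth_len:]
    return real if valid else fake
```

A malformed ciphertext decrypts to a short, key-and-ciphertext-bound byte string rather than an error, and feeding the same ciphertext twice gives the same bytes; that is the property an attacker running a padding oracle would have relied on being absent.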
-
Robert Relyea authored
Bug 1682071 IKE Quick mode IPSEC gives you incorrect keys if you are asking for keys smaller than the hash size. IKE Appendix B fixes.

This patch fixes 2 problems. If you run either ike v1 App B or quick mode asking for a key with length mod macsize = 0, you will generate an extra block that's not used and overwrites the end of the buffer.

If you use quick mode, the function incorrectly subsets the existing key rather than generating a new key. This is correct behavior for Appendix B, where appendix B is trying to take a generated key and create a new longer key (with no diversification, just transform the key into something that's longer), so if you ask for a key less than or equal to, then you want to just subset the original key. In quick mode you are taking a base key and creating a set of new keys based on additional data, so you want to subset the generated data. This patch only subsets the original key if you aren't doing quickmode.

Full test vectors have now been added for all ike modes in this patch as well (previously we depended on the FIPS CAVS tests to test ike, which covers basic IKEv1, IKEv1_psk, and IKEv2 but not IKEv1 App B and IKE v1 Quick mode).

Differential Revision: https://phabricator.services.mozilla.com/D99569
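The following is an added illustration of the two derivations the commit above distinguishes, written for this page; it is not the NSS code or its test vectors. It implements the RFC 2409 Appendix B key-lengthening and the section 5.5 quick-mode KEYMAT expansion with HMAC as the prf, shows the block-count arithmetic that produced the extra block when the requested length is a multiple of the MAC size, and keeps the subset-the-original-key shortcut for Appendix B only. HMAC-SHA1 as the default prf, the function names, and the sample SPI and nonces are assumptions of the example.

```python
import hashlib
import hmac


def prf_blocks_needed(keylen, macsize):
    """ceil(keylen / macsize): the number of prf outputs that must be
    concatenated to cover keylen bytes."""
    return (keylen + macsize - 1) // macsize


def prf_blocks_buggy(keylen, macsize):
    """The off-by-one the commit describes: keylen // macsize + 1 yields an
    unused extra block whenever keylen is a multiple of macsize, which in C
    runs past the end of a buffer sized for keylen bytes."""
    return keylen // macsize + 1


def ike_appendix_b(skeyid, keylen, hashname="sha1"):
    """RFC 2409 Appendix B expansion:
         K1 = prf(SKEYID, 0x00), K2 = prf(SKEYID, K1), K3 = prf(SKEYID, K2), ...
    Appendix B only lengthens a key that already exists, so when the
    requested length fits inside SKEYID the original key is subset directly.
    """
    if keylen <= len(skeyid):
        return skeyid[:keylen]
    macsize = hashlib.new(hashname).digest_size
    out, prev = b"", b"\x00"
    for _ in range(prf_blocks_needed(keylen, macsize)):
        prev = hmac.new(skeyid, prev, hashname).digest()
        out += prev
    return out[:keylen]


def ike_quick_mode_keymat(skeyid_d, keylen, protocol, spi, ni_b, nr_b,
                          gxy=b"", hashname="sha1"):
    """RFC 2409 section 5.5 KEYMAT:
         K1 = prf(SKEYID_d, [g(qm)^xy |] protocol | SPI | Ni_b | Nr_b)
         K2 = prf(SKEYID_d, K1 | [g(qm)^xy |] protocol | SPI | Ni_b | Nr_b)
    Quick mode diversifies with the SPI and nonces, so it always derives and
    then subsets the generated data, never SKEYID_d itself, even when keylen
    is smaller than the hash size.
    """
    macsize = hashlib.new(hashname).digest_size
    seed = gxy + protocol + spi + ni_b + nr_b
    out, prev = b"", b""
    for _ in range(prf_blocks_needed(keylen, macsize)):
        prev = hmac.new(skeyid_d, prev + seed, hashname).digest()
        out += prev
    return out[:keylen]


if __name__ == "__main__":
    # Constructed sample inputs: ESP (protocol 3), a 4-byte SPI, 16-byte nonces.
    k = bytes(range(16))
    print(prf_blocks_needed(40, 20), prf_blocks_buggy(40, 20))   # 2 vs 3
    print(ike_appendix_b(k, 16).hex())                            # == k
    print(ike_quick_mode_keymat(k, 16, b"\x03", b"\x00\x00\x10\x01",
                                b"ni" * 8, b"nr" * 8).hex())      # != k
```

Asking quick mode for a 16-byte key with a 20-byte MAC is exactly the "keys smaller than the hash size" case in the bug title: one prf block is computed and truncated, and the result must differ from the first 16 bytes of SKEYID_d.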
-
- 11 Dec, 2020 4 commits
-
-
Kevin Jacobs authored
Differential Revision: https://phabricator.services.mozilla.com/D98821
-
Kevin Jacobs authored
grep -rl --exclude-dir=google_test INSTANTIATE_TEST_CASE_P gtests | xargs sed -i '' s/INSTANTIATE_TEST_CASE_P/INSTANTIATE_TEST_SUITE_P/g
grep -rl --exclude-dir=google_test SetUpTestCase gtests | xargs sed -i '' s/SetUpTestCase/SetUpTestSuite/g

Differential Revision: https://phabricator.services.mozilla.com/D98818
-
Kevin Jacobs authored
./gtests/google_test/update.sh release-1.10.0 && hg remove -A && hg add gtests/google_test/*

Differential Revision: https://phabricator.services.mozilla.com/D98814
-
Kevin Jacobs authored
-