1. 10 Mar, 2021 2 commits
  2. 27 Feb, 2021 1 commit
  3. 31 Jan, 2021 1 commit
      Bug 1689228 - Minor ECH -09 fixes for interop testing, fuzzing. r=mt · 4df976da
      Kevin Jacobs authored
      A few minor ECH -09 fixes for interop testing and fuzzing:
      - selfserv now takes a PKCS8 keypair for ECH. This is more maintainable and significantly
        less terrible than parsing the ECHConfigs and cobbling one together within selfserv
        (e.g. we can support other KEMs without modifying the server).
      - Get rid of the newline character in tstclnt retry_configs output.
      - Fuzzer fixes in tls13_HandleHrrCookie:
       - We shouldn't use internal_error when PK11_HPKE_ImportContext fails. Cookies are
         unprotected in fuzzer mode, so this can be expected to occur.
       - Only restore the application token when recovering hash state, otherwise the
         copy could happen twice, leaking one of the allocations.
      Differential Revision: https://phabricator.services.mozilla.com/D103247
      extra : moz-landing-system : lando
  4. 24 Jan, 2021 1 commit
      Bug 1681585 - Add ECH support to selfserv. r=mt · bda8540c
      Kevin Jacobs authored
      Usage example:
      mkdir dbdir && cd dbdir
      certutil -N -d .
      certutil -S -s "CN=ech-public.com" -n ech-public.com -x -t "C,C,C" -m 1234 -d .
      certutil -S -s "CN=ech-private-backend.com" -n ech-private-backend.com -x -t "C,C,C" -m 2345 -d .
      ../dist/Debug/bin/selfserv -a ech-public.com -a ech-private-backend.com -n ech-public.com -n ech-private-backend.com -p 8443 -d dbdir/ -X publicname:ech-public.com
      (Copy echconfig from selfserv output and paste into the below command)
      ../dist/Debug/bin/tstclnt -D -p 8443 -v -A tests/ssl/sslreq.dat -h ech-private-backend.com -o -N <echconfig> -v
      Differential Revision: https://phabricator.services.mozilla.com/D101050
      extra : moz-landing-system : lando
  5. 03 Dec, 2020 1 commit
  6. 17 Nov, 2020 1 commit
      Bug 1654332 - Update ESNI to draft-08 (ECH). r=mt · 4516d102
      Kevin Jacobs authored
      This patch adds support for Encrypted Client Hello (draft-ietf-tls-esni-08), replacing the existing ESNI (draft -02) support.
      There are five new experimental functions to enable this:
        - SSL_EncodeEchConfig: Generates an encoded (not BASE64) ECHConfig given a set of parameters.
        - SSL_SetClientEchConfigs: Configures the provided ECHConfig to the given socket. When configured, an ephemeral HPKE keypair will be generated for the CH encryption.
        - SSL_SetServerEchConfigs: Configures the provided ECHConfig and keypair to the socket. The keypair specified will be used for HPKE operations in order to decrypt encrypted Client Hellos as they are received.
        - SSL_GetEchRetryConfigs: If ECH is rejected by the server and compatible retry_configs are provided, this API allows the application to extract those retry_configs for use in a new connection.
        - SSL_EnableTls13GreaseEch: When enabled, non-ECH Client Hellos will have a "GREASE ECH" (i.e. fake) extension appended. GREASE ECH is disabled by default, as there are known compatibility issues that will be addressed in a subsequent draft.
      The following ESNI experimental functions are deprecated by this update:
        - SSL_EncodeESNIKeys
        - SSL_EnableESNI
        - SSL_SetESNIKeyPair
      In order to be used, NSS must be compiled with `NSS_ENABLE_DRAFT_HPKE` defined.
      Differential Revision: https://phabricator.services.mozilla.com/D86106
      rename : gtests/ssl_gtest/tls_esni_unittest.cc => gtests/ssl_gtest/tls_ech_unittest.cc
      rename : lib/ssl/tls13esni.c => lib/ssl/tls13ech.c
      rename : lib/ssl/tls13esni.h => lib/ssl/tls13ech.h
      extra : moz-landing-system : lando
  7. 24 Jul, 2020 1 commit
  8. 21 Jul, 2020 1 commit
  9. 12 Jun, 2020 1 commit
  10. 10 Jun, 2020 1 commit
      Bug 1603042 - Support external PSKs in tstclnt/selfserv. r=jcj · 5b672708
      Kevin Jacobs authored
      This patch adds support for TLS 1.3 external PSKs in tstclnt and selfserv with the `-z` option.
      Command examples:
      - `selfserv -D -p 4443 -d . -n localhost.localdomain -w nss -V tls1.3: -H 1 -z 0xAAAAAAAABBBBBBBBCCCCCCCCDDDDDDDD[:label] -m`
      - `tstclnt -h -p 4443  -z 0xAAAAAAAABBBBBBBBCCCCCCCCDDDDDDDD[:label] -d . -w nss`
      For OpenSSL interop:
      - `openssl s_server -nocert -port 4433 -psk AAAAAAAABBBBBBBBCCCCCCCCDDDDDDDD [-psk_identity label]`
      Note: If the optional label is omitted, both NSS tools and OpenSSL default to "Client_identity".
      Differential Revision: https://phabricator.services.mozilla.com/D75836
      extra : moz-landing-system : lando
  11. 03 Jun, 2020 1 commit
  12. 19 May, 2020 1 commit
  13. 05 May, 2020 6 commits
  14. 14 Apr, 2020 1 commit
      Bug 1629661 MPConfig calls in SSL initializes policy before NSS is initialized. r=mt · 108aa431
      Robert Relyea authored
      NSS has several config functions that multiprocess servers must call before NSS is initialized to set up shared memory caches between the processes. These functions call ssl_init(), which initializes the ssl policy. The ssl policy initialization, however, needs to happen after NSS itself is initialized. Doing so beforehand causes (in the best case) policy to be ignored by these servers, and crashes (in the worst case).
      Instead, these cache functions should just initialize those things they need (that is, the NSPR ssl error codes).
      This patch does:
      1) fixes the cache init code to only initialize error codes.
      2) fixes the selfserv MP code to 1) be compatible with ssl.sh's selfserv management (at least on Unix), and 2) mimic the way real servers handle the MP_Cache init code (calling NSS_Init after the cache set up).
      3) update ssl.sh server policy test to test policy usage on an MP server. This
      is only done for non-Windows-like OSes because they can't catch the kill signal
      to force their children to shut down.
      I've verified that the test fails if 2 and 3 are included but 1 is not
      (and succeeds if all three are included).
      Differential Revision: https://phabricator.services.mozilla.com/D70948
  15. 26 Mar, 2020 1 commit
  16. 18 Mar, 2020 1 commit
      Bug 1603628 Update NSS to handle PKCS #11 v3.0 r=ueno r=mt · a95d4e2c
      Robert Relyea authored
      Update to PKCS #11 v3.0 part 2.
      Create the functions and switch to the C_Interface() function to fetch the PKCS #11 function table. Also PKCS #11 v3.0 uses a new fork safe interface. NSS can already handle the case if the PKCS #11 module happens to be fork safe (when asked by the application to refresh the tokens in the child process, NSS can detect that such a refresh is not necessary and continue). Softoken could also be put in fork_safe mode with an environment variable. With this patch it's the default, and NSS asks for the fork safe API by default. Technically softoken should implement the old non-fork safe interface when PKCS #11 v2.0 is called, but NSS no longer needs it, and doing so would double the number of PKCS #11 interfaces that are needed. You can still compile with fork unsafe semantics, and the PKCS #11 V3.0 module will do the right thing and not include the fork safe flag. Firefox does not fork(), so for Firefox this is simply code that is no longer compiled.
      We now use C_GetInterface, which allows us to specify what kind of interface we want (PKCS #11 v3.0, PKCS #11 v2.0, fork safe, etc.). Vendor specific functions can now be accessed through the C_GetInterface. If the C_GetInterface function does not exist, we fall back to the old C_GetFunctionList.
      There are 24 new functions in PKCS #11 v3.0:
      C_GetInterfaceList - return a table of all the supported interfaces
      C_GetInterface - return a specific interface. You can specify interface name, version and flags separately. You can leave off any of these and you will get what the token thinks is the best match of the interfaces that meet the criteria. We do this in softoken by the order of the interface list.
      C_SessionCancel - Cancel one or more multipart operations
      C_LoginUser - Supply a user name to C_Login(). This function has no meaning for softoken, so it just returns CKR_OPERATION_NOT_INITIALIZED under the theory that if we in the future want to support usernames, the NSS db would need special initialization to make that happen.
      C_Message* and C_*Message*  (20 functions in all) are the new AEAD interface (they are written generally so that it can be used for things other than AEAD). In this patch they are unimplemented (see the next patch).
      This patch adds regular (NSC_) and FIPS (FC_) versions of these functions.
      Also when creating the PKCS #11 v2.0 interface, we had to create a 2.0 specific version of C_GetInfo so that it can return a 2.40 in the CK_VERSION field rather than 3.00. We do this with #defines since all the function tables are generated automagically with pkcs11f.h.
      Differential Revision: https://phabricator.services.mozilla.com/D67240
  17. 18 Feb, 2020 1 commit
      Bug 1603628 Update NSS to handle PKCS #11 v3.0 r=daiki r=mhoye · ba931199
      Robert Relyea authored
      This patch implements the first phase: updating the headers.
      Were updated using the released OASIS PKCS #11 v3.0 header files.
      lib/util/pkcs11n.h was updated to finally deprecate all uses of CK?_NETSCAPE_?.
      A new define was added: NSS_PKCS11_2_0_COMPAT. If it's defined, the small
      semantic changes (including the removal of deprecated defines) between the
      NSS PKCS #11 v2 header file and the new PKCS #11 v3 are reverted in favor of
      the PKCS #11 v2 definitions. This includes the removal of CK?_NETSCAPE_? in
      favor of CK?_NSS_?.
      One notable change was caused by an inconsistency between the spec and the
      released headers in PKCS #11 v2.40. CK_GCM_PARAMS had an extra field in
      the header that was not in the spec. OASIS considers the header file to be
      normative, so PKCS #11 v3.0 resolved the issue in favor of the header file
      definition. NSS had the spec definition, so now there are 2 defines for this
      CK_NSS_GCM_PARAMS - the old nss define. Still used internally in freebl.
      CK_GCM_PARAMS_V3 - the new define.
      CK_GCM_PARAMS - no longer referenced in NSS itself. It's defined as
      CK_GCM_PARAMS_V3 if NSS_PKCS11_2_0_COMPAT is *not* defined, and it's defined as
      CKM_NSS_GCM_PARAMS if NSS_PKCS11_2_0_COMPAT is defined.
      Softoken has been updated to accept either CK_NSS_GCM_PARAMS or
      CK_GCM_PARAMS_V3. In a future patch NSS will be updated to use
      CK_GCM_PARAMS_V3 and fall back to CK_NSS_GCM_PARAMS.
      One other semantic difference between the 3.0 version of pkcs11f.h and the
      version here: In the OASIS version of the header, you must define
      CK_PKCS11_2_0_ONLY to get just the PKCS #11 v2 defines. In our version you
      must define CK_PKCS11_3 to get the PKCS #11 v3 defines.
      Most of this patch is to handle changing the deprecated defines that have been
      removed in PKCS #11 v3 from NSS.
      Differential Revision: https://phabricator.services.mozilla.com/D63241
  18. 13 Mar, 2020 1 commit
  19. 11 Feb, 2020 1 commit
  20. 07 Jan, 2020 1 commit
  21. 06 Jan, 2020 1 commit
  22. 01 Jan, 2020 1 commit
  23. 22 Oct, 2019 1 commit
  24. 15 Oct, 2019 1 commit
  25. 11 Oct, 2019 1 commit
  26. 27 Sep, 2019 2 commits
  27. 24 Sep, 2019 1 commit
  28. 18 Sep, 2019 2 commits
  29. 16 Sep, 2019 1 commit
  30. 10 Sep, 2019 1 commit
  31. 30 Aug, 2019 1 commit
  32. 23 Aug, 2019 1 commit