1. 13 Jan, 2021 2 commits
  2. 11 Dec, 2020 1 commit
  3. 27 Jul, 2020 2 commits
      Bug 1648822 Add stricter validation of DH keys when in FIPS mode. · c817f229
      Robert Relyea authored
      Update:
      FIPS now also requires us to do y^q mod p testing on key generation (always).
      We now do that in FIPS mode only, but in all modes we do full DH verification
      for DH and ECDH. Because of this, the path has now separated out the prime
      checks, which are now only done for the DH operation if we aren't using a known
      prime and the subprime value has been provided. I've also learned we can accept
      keys that we do full validation on in FIPS mode, so I've added that to
      this patch, though we still can't generate those kinds of keys without
      adding the subprime at keygen time.
      
      The new FIPS standard is that dh operations must use approved primes. Approved
      primes are those selected in the tls and ike RFCs. Currently tls and ike
      have modes with checks whether the primes are approved, but the check may
      not always happen. The safest thing to do in FIPS mode is only allow those
      primes. In addition, FIPS requires 1 < y < p-1 (or technically 2<=y<=p-2, since
      y is an integer those two tests are identical).
      
      While making changes I realized we would want a mode where we can do more strict
      checks on the prime while not requiring that the prime be an approved prime. We
      already allow for strict checking if q is supplied with the private key, but there
      were a couple of issues with that check:
      
          1. there was no way of actually setting q in the current NSS pk11wrap interfaces.
          2. If the prime was a safe prime, but g was an actual generator, then we would fail the y^q mod p = 1 tests for 50% of the keys, even though those keys are safe.
          3. We weren't checking primality of p and q.
      
      So the old code:
      
        if (q) {
          check y^q mod p = 1
          if not fail
        }
      
        check 1 < y < p-1 (done in DH_Derive).
      
      New code:
      
       if (! p is approved prime) {
         if (FIPS) fail;
         if (q) {
            y_test = y
            if (p,q-> p is a safe prime) {
               y_test = 1
            }
            check prime is prime Fail if not
            check subprime is subprime fail if not
            y_test^q mod p = 1
         }
       }
       check 1 < y < p-1 (done in DH_Derive)
      
      This means:
      
      Existing code non-fips without setting the subprime continues to run as before.
      Non-fips code which sets the subprime now runs slower, but p and q are checked;
        if p or q were not prime, the derive fails (which it should).
      In FIPS mode only approved primes will succeed now.
      Non-fips code can now set the subprime to q=(p-1)/2 if it doesn't have an
      explicit q value (like in tls). If the derive succeeds, we know that p is a
      safe prime. If p is approved, the checks are skipped because we already know
      that p is a safe prime. Code can optionally do a test derive on a new p and
      remember it's safe so that we no longer need to check every call (though if
      q is not (p-1)/2, you will need to continue to do the checks each call
      because y could still be a small subgroup).
      
      This patch:
      
      gtests/softoken_gtest
      
        1. Added new dh tests to softoken_gtests. The tests were added to softoken_gtests
      because we need to test both non-FIPS and FIPS mode. Test vectors include a
      category, so the same test vectors can be used in FIPS and non-FIPS even though
      each class may have different results. Most of the test vectors were created
      either by the dhparams command in openssl, dsaparams in openssl, or the nss makepqg
      command. Each vector includes a label, prime, base, optional subprime, optional
      public key, test type, and key class (basically size).
        2. If public key is not supplied, we use a generated public key.
        3. If subPrime is supplied, we set it on the private key after generation.
      
      lib/freebl/dh.c
      
          add primality tests to KEA_VerifyKey().
      
      lib/softokn/
      
        1. Allow CKA_SUBPRIME to be set after key generation or import. This affects
      how we test for its existence; since it is now always there on the key, we
      check its length to make sure it's non-zero.
        2. We implement the pseudocode above as real code.
        3. We create two new functions: sftk_VerifyDH_Prime, which returns SECSuccess if Prime is an approved prime, and sftk_IsSafePrime, which returns SECSuccess if both prime and subprime look reasonable, and sets a Bool to PR_TRUE if subprime -> prime is safe (subprime = (prime-1)/2). These functions are implemented in sftkdhverify.c.
        4. Clean up incorrect nomenclature on primes (safe primes are not strong primes).
      c817f229
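The old-code / new-code pseudocode in the commit message above, carried through as a runnable Python model. This is an added example, not NSS code: the `approved` set stands in for the RFC TLS/IKE primes that NSS treats as approved (here the caller passes whatever set it wants), primality is a Miller-Rabin stand-in rather than the freebl routine, "check subprime is subprime" is interpreted as q prime and q | p-1, and the demo moduli (1019, 1187, 1021) are small primes constructed so the example runs instantly; real DH primes are 2048 bits or more.

```python
"""Added example (not NSS code): DH public-key validation modelled on the
old/new pseudocode from bug 1648822.  Moduli, approved set and primality
routine are constructed stand-ins, labelled below."""
import secrets

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_probable_prime(n, rounds=40):
    """Miller-Rabin probable-prime test (assumption: stands in for NSS's own check)."""
    if n < 2:
        return False
    for sp in SMALL_PRIMES:
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = 2 + secrets.randbelow(n - 3)  # random base in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def verify_dh_public_key_old(p, y, q=None):
    """The 'old code': y^q mod p == 1 whenever q is present, then the range check.
    For a safe prime whose base is a true generator, half of all valid keys
    have y^q == -1 (they sit in the order-2q coset) and are wrongly rejected."""
    if q is not None and pow(y, q, p) != 1:
        return False, "y^q mod p != 1"
    if not 1 < y < p - 1:
        return False, "y outside (1, p-1)"
    return True, "ok"


def verify_dh_public_key_new(p, y, q=None, fips=False, approved=frozenset()):
    """The 'new code'.  `approved` is a constructed stand-in for the RFC primes."""
    if p not in approved:
        if fips:
            return False, "FIPS mode: p is not an approved prime"
        if q is not None:
            if not is_probable_prime(p):
                return False, "p is not prime"
            if not is_probable_prime(q):
                return False, "q is not prime"
            if (p - 1) % q != 0:  # interpretation of "check subprime is subprime"
                return False, "q does not divide p-1"
            # Safe prime (q == (p-1)/2): the only subgroups have order 1, 2, q, 2q.
            # The range check below already rejects the order-1 and order-2
            # elements, so the pseudocode tests 1 instead of y and lets both
            # halves of the group through.
            y_test = 1 if q == (p - 1) // 2 else y
            if pow(y_test, q, p) != 1:
                return False, "y is not in the subgroup of order q"
    # Always: 1 < y < p-1 (equivalently 2 <= y <= p-2), as done in DH_Derive.
    if not 1 < y < p - 1:
        return False, "y outside (1, p-1)"
    return True, "ok"


if __name__ == "__main__":
    # Constructed demo values: 1019 is a safe prime (q = 509) and 2 is a
    # quadratic non-residue mod 1019, so 2^509 == -1; 1021 is prime with the
    # DSA-style subprime q = 17, and 729 == 2^60 has order 17 mod 1021.
    print("old, safe prime, y=2 :", verify_dh_public_key_old(1019, 2, 509))
    print("new, safe prime, y=2 :", verify_dh_public_key_new(1019, 2, 509))
    print("new, composite p     :", verify_dh_public_key_new(1023, 4, 511))
    print("new, q=17, y=729     :", verify_dh_public_key_new(1021, 729, 17))
    print("new, q=17, y=2       :", verify_dh_public_key_new(1021, 2, 17))
    print("new, FIPS, unapproved:", verify_dh_public_key_new(1019, 4, fips=True))
    print("new, FIPS, approved  :", verify_dh_public_key_new(1019, 4, fips=True, approved={1019}))
```

The `y_test = 1` branch is the point of the change: with q = (p-1)/2 the y^q test cannot distinguish a key in the order-q subgroup from one in the other coset, and neither is weak, so the only checks that matter for a safe prime are that p and q really are prime and that y is in range.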
  4. 24 Apr, 2020 1 commit
  5. 11 Oct, 2019 1 commit
  6. 27 Aug, 2019 1 commit
      Bug 1485533 - Close gaps in taskcluster SSL testing. r=mt · 939f0611
      Kevin Jacobs authored
      This patch increases SSL testing on taskcluster, specifically, running an additional 395 tests on each SSL cycle (more for FIPS targets), and adding a new 'stress' cycle.
      
      Notable changes:
      
      1) This patch removes SSL stress tests from the default `NSS_SSL_RUN` list in all.sh and ssl.sh. If stress tests are needed, this variable must be set to include.
      
      2) The "normal_normal" case is added to `NSS_SSL_TESTS` for all targets. FIPS targets also run "normal_fips", "fips_normal", and "fips_fips".
      
      3) `--enable-libpkix` is now set for all taskcluster "build.sh" builds in order to support a number of OCSP tests that were previously not run.
      
      Differential Revision: https://phabricator.services.mozilla.com/D43283
      
      --HG--
      extra : moz-landing-system : lando
      939f0611
  7. 23 Aug, 2019 1 commit
  8. 26 Jul, 2019 1 commit
  9. 24 Jul, 2019 1 commit
  10. 03 Jun, 2019 1 commit
  11. 31 May, 2019 2 commits
  12. 29 Apr, 2019 1 commit
      Bug 1543545 - Option to produce static libraries, r=kevinjacobs · 5e56bd97
      Martin Thomson authored
      Summary:
      The fine folks in application services would like to use NSS, but would greatly
      prefer static linking.  Part of that is driven by iOS constraints on performance
      and a possible rejection from the store for dynamic linking (NSS dynamically
      loads softoken).  This provides a build option that produces a fully statically
      linked set of libraries.
      
      Reviewers: KevinJacobs
      
      Tags: #secure-revision
      
      Bug #: 1543545
      
      Differential Revision: https://phabricator.services.mozilla.com/D29303
      
      --HG--
      extra : rebase_source : 8d75b17776ecde38c7350cf70946e0221349e01f
      5e56bd97
  13. 03 Aug, 2018 1 commit
      Bug 1479787 - build mozpkix as part of NSS, r=mt,keeler · 53850b92
      Franziskus Kiefer authored
      Differential Revision: https://phabricator.services.mozilla.com/D2719
      Differential Revision: https://phabricator.services.mozilla.com/D2720
      Differential Revision: https://phabricator.services.mozilla.com/D2861
      
      --HG--
      rename : cpputil/scoped_ptrs.h => cpputil/nss_scoped_ptrs.h
      rename : lib/mozpkix/test/gtest/README.txt => gtests/mozpkix_gtest/README.txt
      rename : lib/mozpkix/test/gtest/pkixbuild_tests.cpp => gtests/mozpkix_gtest/pkixbuild_tests.cpp
      rename : lib/mozpkix/test/gtest/pkixcert_extension_tests.cpp => gtests/mozpkix_gtest/pkixcert_extension_tests.cpp
      rename : lib/mozpkix/test/gtest/pkixcert_signature_algorithm_tests.cpp => gtests/mozpkix_gtest/pkixcert_signature_algorithm_tests.cpp
      rename : lib/mozpkix/test/gtest/pkixcheck_CheckExtendedKeyUsage_tests.cpp => gtests/mozpkix_gtest/pkixcheck_CheckExtendedKeyUsage_tests.cpp
      rename : lib/mozpkix/test/gtest/pkixcheck_CheckIssuer_tests.cpp => gtests/mozpkix_gtest/pkixcheck_CheckIssuer_tests.cpp
      rename : lib/mozpkix/test/gtest/pkixcheck_CheckKeyUsage_tests.cpp => gtests/mozpkix_gtest/pkixcheck_CheckKeyUsage_tests.cpp
      rename : lib/mozpkix/test/gtest/pkixcheck_CheckSignatureAlgorithm_tests.cpp => gtests/mozpkix_gtest/pkixcheck_CheckSignatureAlgorithm_tests.cpp
      rename : lib/mozpkix/test/gtest/pkixcheck_CheckValidity_tests.cpp => gtests/mozpkix_gtest/pkixcheck_CheckValidity_tests.cpp
      rename : lib/mozpkix/test/gtest/pkixcheck_ParseValidity_tests.cpp => gtests/mozpkix_gtest/pkixcheck_ParseValidity_tests.cpp
      rename : lib/mozpkix/test/gtest/pkixcheck_TLSFeaturesSatisfiedInternal_tests.cpp => gtests/mozpkix_gtest/pkixcheck_TLSFeaturesSatisfiedInternal_tests.cpp
      rename : lib/mozpkix/test/gtest/pkixder_input_tests.cpp => gtests/mozpkix_gtest/pkixder_input_tests.cpp
      rename : lib/mozpkix/test/gtest/pkixder_pki_types_tests.cpp => gtests/mozpkix_gtest/pkixder_pki_types_tests.cpp
      rename : lib/mozpkix/test/gtest/pkixder_universal_types_tests.cpp => gtests/mozpkix_gtest/pkixder_universal_types_tests.cpp
      rename : lib/mozpkix/test/gtest/pkixgtest.cpp => gtests/mozpkix_gtest/pkixgtest.cpp
      rename : lib/mozpkix/test/gtest/pkixgtest.h => gtests/mozpkix_gtest/pkixgtest.h
      rename : lib/mozpkix/test/gtest/pkixnames_tests.cpp => gtests/mozpkix_gtest/pkixnames_tests.cpp
      rename : lib/mozpkix/test/gtest/pkixocsp_CreateEncodedOCSPRequest_tests.cpp => gtests/mozpkix_gtest/pkixocsp_CreateEncodedOCSPRequest_tests.cpp
      rename : lib/mozpkix/test/gtest/pkixocsp_VerifyEncodedOCSPResponse.cpp => gtests/mozpkix_gtest/pkixocsp_VerifyEncodedOCSPResponse.cpp
      rename : lib/mozpkix/test/lib/pkixtestnss.h => lib/mozpkix/include/pkix-test/pkixtestnss.h
      rename : lib/mozpkix/test/lib/pkixtestutil.h => lib/mozpkix/include/pkix-test/pkixtestutil.h
      rename : lib/mozpkix/lib/pkixcheck.h => lib/mozpkix/include/pkix/pkixcheck.h
      rename : lib/mozpkix/lib/pkixder.h => lib/mozpkix/include/pkix/pkixder.h
      rename : lib/mozpkix/lib/pkixutil.h => lib/mozpkix/include/pkix/pkixutil.h
      rename : lib/mozpkix/test/lib/pkixtestalg.cpp => lib/mozpkix/test-lib/pkixtestalg.cpp
      rename : lib/mozpkix/test/lib/pkixtestnss.cpp => lib/mozpkix/test-lib/pkixtestnss.cpp
      rename : lib/mozpkix/test/lib/pkixtestutil.cpp => lib/mozpkix/test-lib/pkixtestutil.cpp
      extra : rebase_source : 7b1375fef0c8e0c361f44d16f69c31d0bd6d0b41
      53850b92
  14. 29 Dec, 2017 1 commit
  15. 17 Aug, 2017 1 commit
      Bug 1389570 - set slot->flags for user pin initialized when in nodb mode, r=mt · c0d81073
      Franziskus Kiefer authored
      Summary:
      NSS_NoDB_Init(".");
      PK11SlotInfo* slot = PK11_GetInternalKeySlot();
      PK11_NeedUserInit(slot) used to return PR_TRUE because we never set the init flag that's checked by that function when we start in noDB mode.
      This patch fixes that. As mentioned in the patch this is not the nicest way to fix this. The way login/init status and these flags are handled should probably be rewritten.
      
      Differential Revision: https://nss-review.dev.mozaws.net/D406
      
      --HG--
      extra : rebase_source : 2e9ba93705eff065ecc3dc71e59e2ab28628c23d
      c0d81073
  16. 10 Aug, 2017 1 commit
  17. 02 Aug, 2017 1 commit
  18. 01 Aug, 2017 1 commit
      Bug 1379273 - make softoken resettable via PK11_ResetToken r=franziskus,ttaubert · 2c66d718
      David Keeler authored
      Summary:
      Two issues prevented PK11_ResetToken from working properly:
      1. The backing DB tables would be dropped and never recreated, preventing
      future operations from working.
      2. The needLogin property of the SFTKSlot would not be updated properly,
      preventing PK11_InitPin (and thus other operations) from succeeding.
      
      Reviewers: ttaubert, franziskus
      
      Reviewed By: ttaubert, franziskus
      
      Differential Revision: https://nss-review.dev.mozaws.net/D382
      
      --HG--
      rename : gtests/util_gtest/Makefile => gtests/softoken_gtest/Makefile
      rename : gtests/util_gtest/manifest.mn => gtests/softoken_gtest/manifest.mn
      rename : gtests/common/gtests.cc => gtests/softoken_gtest/softoken_gtest.cc
      rename : gtests/util_gtest/util_gtest.gyp => gtests/softoken_gtest/softoken_gtest.gyp
      extra : rebase_source : 93a0da1ae8544462d6836b4da3a7490ed4c8c36d
      extra : histedit_source : 32ada4bb767cb840df79dfef051b6151b5d5e10d
      2c66d718
  19. 12 Oct, 2017 1 commit
      Bug 1405522 - Fix authenticated attribute migration under password changes in... · 7181762f
      David Keeler authored
      Bug 1405522 - Fix authenticated attribute migration under password changes in the sql DBs r=ttaubert
      
      Summary:
      The underlying issue is that the sqlite-backed DB format stores CK_ULONG values
      in a machine-independent format, meaning it has to translate back and forth when
      running on a machine where CK_ULONG is not the same size (or endianness,
      presumably) as the stored format. Before this patch, both
      sftkdb_SetAttributeValue and sftk_updateMacs did not use the machine-independent
      format in the correct places. This manifested in a bug where if the password was
      changed, certificate trust settings would be reset to "untrusted".
      
      Bug #: 1405522
      
      Differential Revision: https://phabricator.services.mozilla.com/D100
      
      --HG--
      extra : rebase_source : f2a7853405e5ce8b6a6c65eb0eb41f5c985a8e9e
      7181762f