Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
SUSE:SLE-15-SP2:Update
MozillaFirefox.21210
mozilla-neqo-fix-fips-crash.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File mozilla-neqo-fix-fips-crash.patch of Package MozillaFirefox.21210
Fixes a crash in FIPS mode, as neqo was trying to import keys from raw key material, which is not allowed in FIPS mode. https://github.com/mozilla/neqo/pull/1247 diff --git a/Cargo.lock b/Cargo.lock --- a/Cargo.lock +++ b/Cargo.lock @@ -2268,8 +2268,8 @@ dependencies = [ "log", "mio", "mio-extras", - "neqo-common", - "neqo-crypto", + "neqo-common 0.4.28", + "neqo-crypto 0.4.28 (git+https://github.com/mozilla/neqo?tag=v0.4.28)", "neqo-http3", "neqo-qpack", "neqo-transport", @@ -2770,7 +2770,7 @@ dependencies = [ "libc", "libloading 0.5.2", "lucet-module-wasmsbx", - "memoffset", + "memoffset 0.5.6", "nix", "num-derive", "num-traits", @@ -3231,6 +3231,18 @@ dependencies = [ [[package]] name = "neqo-common" version = "0.4.28" +dependencies = [ + "chrono", + "env_logger", + "lazy_static", + "log", + "qlog", + "winapi", +] + +[[package]] +name = "neqo-common" +version = "0.4.28" source = "git+https://github.com/mozilla/neqo?tag=v0.4.28#c3d909e40d2ee68e2937b7dac1831a27520bf460" dependencies = [ "chrono", @@ -3244,11 +3256,23 @@ dependencies = [ [[package]] name = "neqo-crypto" version = "0.4.28" +dependencies = [ + "bindgen", + "log", + "neqo-common 0.4.28", + "serde", + "serde_derive", + "toml", +] + +[[package]] +name = "neqo-crypto" +version = "0.4.28" source = "git+https://github.com/mozilla/neqo?tag=v0.4.28#c3d909e40d2ee68e2937b7dac1831a27520bf460" dependencies = [ "bindgen", "log", - "neqo-common", + "neqo-common 0.4.28 (git+https://github.com/mozilla/neqo?tag=v0.4.28)", "serde", "serde_derive", "toml", @@ -3257,11 +3281,10 @@ dependencies = [ [[package]] name = "neqo-http3" version = "0.4.28" -source = "git+https://github.com/mozilla/neqo?tag=v0.4.28#c3d909e40d2ee68e2937b7dac1831a27520bf460" dependencies = [ "log", - "neqo-common", - "neqo-crypto", + "neqo-common 0.4.28", + "neqo-crypto 0.4.28", "neqo-qpack", "neqo-transport", "qlog", @@ -3271,12 +3294,11 @@ dependencies = [ [[package]] name = "neqo-qpack" version = "0.4.28" -source = "git+https://github.com/mozilla/neqo?tag=v0.4.28#c3d909e40d2ee68e2937b7dac1831a27520bf460" dependencies = [ "lazy_static", "log", - "neqo-common", - "neqo-crypto", + "neqo-common 0.4.28", + "neqo-crypto 0.4.28", "neqo-transport", "qlog", "static_assertions", @@ -3285,13 +3307,12 @@ dependencies = [ [[package]] name = "neqo-transport" version = "0.4.28" -source = "git+https://github.com/mozilla/neqo?tag=v0.4.28#c3d909e40d2ee68e2937b7dac1831a27520bf460" dependencies = [ "indexmap", "lazy_static", "log", - "neqo-common", - "neqo-crypto", + "neqo-common 0.4.28", + "neqo-crypto 0.4.28", "qlog", "smallvec", ] @@ -3301,8 +3322,8 @@ name = "neqo_glue" version = "0.1.0" dependencies = [ "log", - "neqo-common", - "neqo-crypto", + "neqo-common 0.4.28", + "neqo-crypto 0.4.28", "neqo-http3", "neqo-qpack", "neqo-transport", diff --git a/netwerk/protocol/http/Http3Session.cpp b/netwerk/protocol/http/Http3Session.cpp --- a/netwerk/protocol/http/Http3Session.cpp +++ b/netwerk/protocol/http/Http3Session.cpp @@ -119,6 +119,10 @@ nsresult Http3Session::Init(const nsHttp nsINetAddr* selfAddr, nsINetAddr* peerAddr, HttpConnectionUDP* udpConn, uint32_t controlFlags, nsIInterfaceRequestor* callbacks) { + // HTTP3/QUIC is not available in FIPS +// if (PK11_IsFIPS()) { +// return NS_ERROR_NOT_AVAILABLE; +// } LOG3(("Http3Session::Init %p", this)); MOZ_ASSERT(OnSocketThread(), "not on socket thread"); diff --git a/netwerk/socket/neqo_glue/Cargo.toml b/netwerk/socket/neqo_glue/Cargo.toml --- a/netwerk/socket/neqo_glue/Cargo.toml +++ b/netwerk/socket/neqo_glue/Cargo.toml @@ -8,10 +8,10 @@ edition = "2018" name = "neqo_glue" [dependencies] -neqo-http3 = { tag = "v0.4.28", git = "https://github.com/mozilla/neqo" } -neqo-transport = { tag = "v0.4.28", git = "https://github.com/mozilla/neqo" } -neqo-common = { tag = "v0.4.28", git = "https://github.com/mozilla/neqo" } -neqo-qpack = { tag = "v0.4.28", git = "https://github.com/mozilla/neqo" } +neqo-common = { path = "../../../third_party/rust/neqo-common" } +neqo-http3 = { path = "../../../third_party/rust/neqo-http3" } +neqo-qpack = { path = "../../../third_party/rust/neqo-qpack" } +neqo-transport = { path = "../../../third_party/rust/neqo-transport/" } nserror = { path = "../../../xpcom/rust/nserror" } nsstring = { path = "../../../xpcom/rust/nsstring" } xpcom = { path = "../../../xpcom/rust/xpcom" } @@ -20,7 +20,6 @@ log = "0.4.0" qlog = "0.4.0" [dependencies.neqo-crypto] -tag = "v0.4.28" -git = "https://github.com/mozilla/neqo" +path = "../../../third_party/rust/neqo-crypto" default-features = false features = ["gecko"] diff --git a/netwerk/test/http3server/Cargo.toml b/netwerk/test/http3server/Cargo.toml --- a/netwerk/test/http3server/Cargo.toml +++ b/netwerk/test/http3server/Cargo.toml @@ -5,10 +5,10 @@ authors = ["Dragana Damjanovic <dragana. edition = "2018" [dependencies] -neqo-transport = { tag = "v0.4.28", git = "https://github.com/mozilla/neqo" } -neqo-common = { tag = "v0.4.28", git = "https://github.com/mozilla/neqo" } -neqo-http3 = { tag = "v0.4.28", git = "https://github.com/mozilla/neqo" } -neqo-qpack = { tag = "v0.4.28", git = "https://github.com/mozilla/neqo" } +neqo-transport = { path = "../../../third_party/rust/neqo-transport" } +neqo-common = { path = "../../../third_party/rust/neqo-common" } +neqo-http3 = { path = "../../../third_party/rust/neqo-http3" } +neqo-qpack = { path = "../../../third_party/rust/neqo-qpack" } mio = "0.6.17" mio-extras = "2.0.5" log = "0.4.0" diff --git a/third_party/rust/neqo-crypto/bindings/bindings.toml b/third_party/rust/neqo-crypto/bindings/bindings.toml --- a/third_party/rust/neqo-crypto/bindings/bindings.toml +++ b/third_party/rust/neqo-crypto/bindings/bindings.toml @@ -163,7 +163,7 @@ functions = [ "PK11_GetKeyData", "PK11_GetMechanism", "PK11_HPKE_Serialize", - "PK11_ImportSymKey", + "PK11_ImportDataKey", "PK11_ReadRawAttribute", "PK11_ReferenceSymKey", "SECITEM_FreeItem", @@ -196,11 +196,10 @@ variables = [ "CKM_AES_ECB", "CKM_AES_GCM", "CKM_EC_KEY_PAIR_GEN", + "CKM_HKDF_DERIVE", "CKM_INVALID_MECHANISM", "CKM_NSS_CHACHA20_CTR", "CKM_NSS_CHACHA20_POLY1305", - "CKM_NSS_HKDF_SHA256", - "CKM_NSS_HKDF_SHA384", "PK11_ATTR_INSENSITIVE", "PK11_ATTR_PRIVATE", "PK11_ATTR_PUBLIC", diff --git a/third_party/rust/neqo-crypto/src/hkdf.rs b/third_party/rust/neqo-crypto/src/hkdf.rs --- a/third_party/rust/neqo-crypto/src/hkdf.rs +++ b/third_party/rust/neqo-crypto/src/hkdf.rs @@ -10,8 +10,8 @@ use crate::constants::{ }; use crate::err::{Error, Res}; use crate::p11::{ - random, Item, PK11Origin, PK11SymKey, PK11_ImportSymKey, Slot, SymKey, CKA_DERIVE, - CKM_NSS_HKDF_SHA256, CKM_NSS_HKDF_SHA384, CK_ATTRIBUTE_TYPE, CK_MECHANISM_TYPE, + random, Item, PK11Origin, PK11SymKey, PK11_ImportDataKey, Slot, SymKey, CKA_DERIVE, + CKM_HKDF_DERIVE, CK_ATTRIBUTE_TYPE, CK_MECHANISM_TYPE, }; use std::convert::TryFrom; @@ -52,27 +52,22 @@ fn key_size(version: Version, cipher: Ci /// # Errors /// Only if NSS fails. pub fn generate_key(version: Version, cipher: Cipher) -> Res<SymKey> { - import_key(version, cipher, &random(key_size(version, cipher)?)) + import_key(version, &random(key_size(version, cipher)?)) } /// Import a symmetric key for use with HKDF. /// /// # Errors /// Errors returned if the key buffer is an incompatible size or the NSS functions fail. -pub fn import_key(version: Version, cipher: Cipher, buf: &[u8]) -> Res<SymKey> { +pub fn import_key(version: Version, buf: &[u8]) -> Res<SymKey> { if version != TLS_VERSION_1_3 { return Err(Error::UnsupportedVersion); } - let mech = match cipher { - TLS_AES_128_GCM_SHA256 | TLS_CHACHA20_POLY1305_SHA256 => CKM_NSS_HKDF_SHA256, - TLS_AES_256_GCM_SHA384 => CKM_NSS_HKDF_SHA384, - _ => return Err(Error::UnsupportedCipher), - }; let slot = Slot::internal()?; let key_ptr = unsafe { - PK11_ImportSymKey( + PK11_ImportDataKey( *slot, - CK_MECHANISM_TYPE::from(mech), + CK_MECHANISM_TYPE::from(CKM_HKDF_DERIVE), PK11Origin::PK11_OriginUnwrap, CK_ATTRIBUTE_TYPE::from(CKA_DERIVE), &mut Item::wrap(buf), diff --git a/third_party/rust/neqo-crypto/src/selfencrypt.rs b/third_party/rust/neqo-crypto/src/selfencrypt.rs --- a/third_party/rust/neqo-crypto/src/selfencrypt.rs +++ b/third_party/rust/neqo-crypto/src/selfencrypt.rs @@ -41,7 +41,7 @@ impl SelfEncrypt { fn make_aead(&self, k: &SymKey, salt: &[u8]) -> Res<Aead> { debug_assert_eq!(salt.len(), Self::SALT_LENGTH); - let salt = hkdf::import_key(self.version, self.cipher, salt)?; + let salt = hkdf::import_key(self.version, salt)?; let secret = hkdf::extract(self.version, self.cipher, Some(&salt), k)?; Aead::new(self.version, self.cipher, &secret, "neqo self") } diff --git a/third_party/rust/neqo-crypto/tests/aead.rs b/third_party/rust/neqo-crypto/tests/aead.rs --- a/third_party/rust/neqo-crypto/tests/aead.rs +++ b/third_party/rust/neqo-crypto/tests/aead.rs @@ -26,7 +26,6 @@ fn make_aead(cipher: Cipher) -> Aead { let secret = hkdf::import_key( TLS_VERSION_1_3, - cipher, &[ 0x47, 0xb2, 0xea, 0xea, 0x6c, 0x26, 0x6e, 0x32, 0xc0, 0x69, 0x7a, 0x9e, 0x2a, 0x89, 0x8b, 0xdf, 0x5c, 0x4f, 0xb3, 0xe5, 0xac, 0x34, 0xf0, 0xe5, 0x49, 0xbf, 0x2c, 0x58, diff --git a/third_party/rust/neqo-crypto/tests/hkdf.rs b/third_party/rust/neqo-crypto/tests/hkdf.rs --- a/third_party/rust/neqo-crypto/tests/hkdf.rs +++ b/third_party/rust/neqo-crypto/tests/hkdf.rs @@ -38,8 +38,8 @@ fn cipher_hash_len(cipher: Cipher) -> us fn import_keys(cipher: Cipher) -> (SymKey, SymKey) { let l = cipher_hash_len(cipher); ( - hkdf::import_key(TLS_VERSION_1_3, cipher, &SALT[0..l]).expect("import salt"), - hkdf::import_key(TLS_VERSION_1_3, cipher, &IKM[0..l]).expect("import IKM"), + hkdf::import_key(TLS_VERSION_1_3, &SALT[0..l]).expect("import salt"), + hkdf::import_key(TLS_VERSION_1_3, &IKM[0..l]).expect("import IKM"), ) } diff --git a/third_party/rust/neqo-crypto/tests/hp.rs b/third_party/rust/neqo-crypto/tests/hp.rs --- a/third_party/rust/neqo-crypto/tests/hp.rs +++ b/third_party/rust/neqo-crypto/tests/hp.rs @@ -9,7 +9,7 @@ use neqo_crypto::hp::HpKey; use test_fixture::fixture_init; fn make_hp(cipher: Cipher) -> HpKey { - let ikm = hkdf::import_key(TLS_VERSION_1_3, cipher, &[0; 16]).expect("import IKM"); + let ikm = hkdf::import_key(TLS_VERSION_1_3, &[0; 16]).expect("import IKM"); let prk = hkdf::extract(TLS_VERSION_1_3, cipher, None, &ikm).expect("extract works"); HpKey::extract(TLS_VERSION_1_3, cipher, &prk, "hp").expect("extract label works") } diff --git a/third_party/rust/neqo-transport/src/crypto.rs b/third_party/rust/neqo-transport/src/crypto.rs --- a/third_party/rust/neqo-transport/src/crypto.rs +++ b/third_party/rust/neqo-transport/src/crypto.rs @@ -433,11 +433,11 @@ impl CryptoDxState { TLS_VERSION_1_3, cipher, Some( - hkdf::import_key(TLS_VERSION_1_3, cipher, salt) + hkdf::import_key(TLS_VERSION_1_3, salt) .as_ref() .unwrap(), ), - hkdf::import_key(TLS_VERSION_1_3, cipher, dcid) + hkdf::import_key(TLS_VERSION_1_3, dcid) .as_ref() .unwrap(), ) @@ -1094,8 +1094,7 @@ impl CryptoStates { let app_read = |epoch| CryptoDxAppData { dx: read(epoch), cipher: TLS_AES_128_GCM_SHA256, - next_secret: hkdf::import_key(TLS_VERSION_1_3, TLS_AES_128_GCM_SHA256, &[0xaa; 32]) - .unwrap(), + next_secret: hkdf::import_key(TLS_VERSION_1_3, &[0xaa; 32]).unwrap(), }; Self { initial: Some(CryptoState { @@ -1120,8 +1119,7 @@ impl CryptoStates { 0x00, 0xa1, 0x54, 0x43, 0xf1, 0x82, 0x03, 0xa0, 0x7d, 0x60, 0x60, 0xf6, 0x88, 0xf3, 0x0f, 0x21, 0x63, 0x2b, ]; - let secret = - hkdf::import_key(TLS_VERSION_1_3, TLS_CHACHA20_POLY1305_SHA256, SECRET).unwrap(); + let secret = hkdf::import_key(TLS_VERSION_1_3, SECRET).unwrap(); let app_read = |epoch| CryptoDxAppData { dx: CryptoDxState { direction: CryptoDxDirection::Read, diff --git a/third_party/rust/neqo-transport/src/packet/retry.rs b/third_party/rust/neqo-transport/src/packet/retry.rs --- a/third_party/rust/neqo-transport/src/packet/retry.rs +++ b/third_party/rust/neqo-transport/src/packet/retry.rs @@ -28,7 +28,7 @@ fn make_aead(secret: &[u8]) -> Aead { #[cfg(debug_assertions)] ::neqo_crypto::assert_initialized(); - let secret = hkdf::import_key(TLS_VERSION_1_3, TLS_AES_128_GCM_SHA256, secret).unwrap(); + let secret = hkdf::import_key(TLS_VERSION_1_3, secret).unwrap(); Aead::new(TLS_VERSION_1_3, TLS_AES_128_GCM_SHA256, &secret, "quic ").unwrap() } thread_local!(static RETRY_AEAD_29: RefCell<Aead> = RefCell::new(make_aead(RETRY_SECRET_29))); diff --git a/third_party/rust/neqo-transport/tests/common/mod.rs b/third_party/rust/neqo-transport/tests/common/mod.rs --- a/third_party/rust/neqo-transport/tests/common/mod.rs +++ b/third_party/rust/neqo-transport/tests/common/mod.rs @@ -121,13 +121,11 @@ pub fn client_initial_aead_and_hp(dcid: TLS_VERSION_1_3, TLS_AES_128_GCM_SHA256, Some( - hkdf::import_key(TLS_VERSION_1_3, TLS_AES_128_GCM_SHA256, INITIAL_SALT) + hkdf::import_key(TLS_VERSION_1_3, INITIAL_SALT) .as_ref() .unwrap(), ), - hkdf::import_key(TLS_VERSION_1_3, TLS_AES_128_GCM_SHA256, dcid) - .as_ref() - .unwrap(), + hkdf::import_key(TLS_VERSION_1_3, dcid).as_ref().unwrap(), ) .unwrap();
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor
