Bug 1303224 - Remove the PKCS#11 bypass #15
Conversation
| @@ -23,7 +23,7 @@ cd nss && make nss_build_all | |||
| # we run scan-build on these folders | |||
| declare -a scan=("lib/ssl" "lib/freebl") | |||
| # corresponds to the number of errors that are expected in the |scan| folder | |||
| declare -a ignore=(1 0) | |||
| declare -a ignore=(0 0) | |||
There was a problem hiding this comment.
Since you are no longer ignoring, maybe you can instead remove the ability to ignore entirely.
There was a problem hiding this comment.
We should keep the ignores. The plan is to enable scan-build on other folders where we'll have the same problem.
| ** XXX: 'E' and 'x' were used in the past, please leave some | ||
| ** time before resuing those. */ | ||
| ** XXX: 'B', 'E', 'q', and 'x' were used in the past, please | ||
| ** leave some time before resuing those. */ |
There was a problem hiding this comment.
Include the release in which these were removed so that it is easier to decide when to overwrite them.
| @@ -1323,13 +1314,9 @@ main(int argc, char **argv) | |||
| progName = progName ? progName + 1 : tmp; | |||
|
|
|||
| optstate = PL_CreateOptState(argc, argv, | |||
| "BC:DNP:TUV:W:a:c:d:f:gin:op:qst:uvw:z"); | |||
| "C:DNP:TUV:W:a:c:d:f:gin:op:qst:uvw:z"); | |||
There was a problem hiding this comment.
Add a comment here too.
| @@ -960,7 +957,7 @@ main(int argc, char **argv) | |||
| SSL_VersionRangeGetSupported(ssl_variant_stream, &enabledVersions); | |||
|
|
|||
| optstate = PL_CreateOptState(argc, argv, | |||
| "46BCDFGHKM:OR:STUV:W:Ya:bc:d:fgh:m:n:op:qr:st:uvw:z"); | |||
| "46CDFGHKM:OR:STUV:W:Ya:bc:d:fgh:m:n:op:qr:st:uvw:z"); | |||
| @@ -1199,7 +1199,10 @@ SSL_IMPORT SECStatus SSL_ExportKeyingMaterial(PRFileDesc *fd, | |||
| */ | |||
| SSL_IMPORT CERTCertificate *SSL_LocalCertificate(PRFileDesc *fd); | |||
|
|
|||
| /* Test an SSL configuration to see if SSL_BYPASS_PKCS11 can be turned on. | |||
| /* DEPRECATED: The PKCS#11 bypass has been removed. This function will now | |||
| ** always return false. | |||
There was a problem hiding this comment.
Remove the rest of the comment and the other comments on the #defines.
| spec->destroy(spec->encodeContext, freeit); | ||
| spec->destroy(spec->decodeContext, freeit); | ||
| spec->destroy(spec->encodeContext, PR_TRUE); | ||
| spec->destroy(spec->decodeContext, PR_TRUE); |
There was a problem hiding this comment.
Note to self: check if we actually need/use spec->destroy.
There was a problem hiding this comment.
Looks like we don't! Added another commit to get rid of it.
| if (spec->bypassCiphers) { | ||
| /* This function doesn't support PKCS#11 bypass. We fallback on the | ||
| * non-constant time version. */ | ||
| goto fallback; |
There was a problem hiding this comment.
You didn't remove the trailing fallback block at the end of this function.
There was a problem hiding this comment.
We still need it in case PK11_SignWithSymKey() fails.
There was a problem hiding this comment.
If there is only one case that calls that code, move it inline and remove the goto.
| } | ||
| hashesForVerify = hashes; | ||
| } else { | ||
| if (!hashes) { |
There was a problem hiding this comment.
If this is the right change (and I think that it is), then I think that we can simply add a PORT_Assert on line 9657.
There was a problem hiding this comment.
I fought with scan-build about this change here, as I started by doing what you suggested. The problem is that _HandleCertificateVerify() can definitely be called when seeing a certificate_verify message but ssl3.hs.ws != wait_certificate_verify. In that case we should bail out before checking for (!hashes) because that will be true in those cases.
There was a problem hiding this comment.
Not sure that I understand given that the ssl3.hs.ws check is above this, but it's a nit only, so do as you see fit.
There was a problem hiding this comment.
I was trying to say that ssl3_HandleCertificateVerify() will be called when we receive a certificate_verify message but don't expect any. In that case hashes == NULL. So we'd better assert after we checked that we actually expect a certificate_verify message, otherwise we'll throw a library error when we shouldn't.
| @@ -1223,7 +1223,7 @@ ssl_run_tests() | |||
| SERVER_OPTIONS= | |||
| ;; | |||
| "bypass") | |||
There was a problem hiding this comment.
can we just remove the option entirely? I mean, it will disable tests without locks on, but those should be fine, modulo any threading errors they might expose (and we're not sure that the locks will guard against that anyhow).
There was a problem hiding this comment.
Yeah, let's remove them.
| @@ -23,7 +23,7 @@ cd nss && make nss_build_all | |||
| # we run scan-build on these folders | |||
| declare -a scan=("lib/ssl" "lib/freebl") | |||
| # corresponds to the number of errors that are expected in the |scan| folder | |||
| declare -a ignore=(1 0) | |||
| declare -a ignore=(0 0) | |||
There was a problem hiding this comment.
We should keep the ignores. The plan is to enable scan-build on other folders where we'll have the same problem.
| @@ -1,716 +0,0 @@ | |||
| /* | |||
There was a problem hiding this comment.
this removes the file? strange way to display the diff....
There was a problem hiding this comment.
How would you show it? Just showing the filename and "deleted" means that you can't see what was deleted, which might be important.
| if (requiredECCbits > signatureKeyStrength) | ||
| requiredECCbits = signatureKeyStrength; | ||
|
|
||
| ecGroup = ssl_GetECGroupWithStrength(NULL, requiredECCbits); |
There was a problem hiding this comment.
you can update ssl_GetECGroupWithStrength to assert the socket now. This is the only call that doesn't have a socket.
There was a problem hiding this comment.
More cleanup, yay, thanks!
ttaubert
force-pushed
the
bug/1303224-remove-pk11-bypass
branch
from
4b3199e
to
de76a5b
Compare
|
Rebased. r? @franziskuskiefer @martinthomson |
ttaubert
force-pushed
the
bug/1303224-remove-pk11-bypass
branch
from
aa5bea4
to
51489b7
Compare
| if (!group || group->type != group_type_ec || | ||
| group->bits < requiredECCbits) { | ||
| continue; | ||
| } | ||
| if (!ss || ssl_NamedGroupEnabled(ss, group)) { |
There was a problem hiding this comment.
maybe assert the ss, just in case
ttaubert
force-pushed
the
bug/1303224-remove-pk11-bypass
branch
from
b85434a
to
6bd6e62
Compare
| if (spec->bypassCiphers) { | ||
| /* This function doesn't support PKCS#11 bypass. We fallback on the | ||
| * non-constant time version. */ | ||
| goto fallback; |
There was a problem hiding this comment.
If there is only one case that calls that code, move it inline and remove the goto.
| } | ||
| hashesForVerify = hashes; | ||
| } else { | ||
| if (!hashes) { |
There was a problem hiding this comment.
Not sure that I understand given that the ssl3.hs.ws check is above this, but it's a nit only, so do as you see fit.
ttaubert
force-pushed
the
bug/1303224-remove-pk11-bypass
branch
from
6bd6e62
to
f8ea10b
Compare
r? @martinthomson @franziskuskiefer