Closed Bug 478839 Opened 15 years ago Closed 15 years ago

Firefox should support South Korean SEED crypto cipher suites

Categories

(Core :: Security: PSM, enhancement)

Product:
Core
Component:
Security: PSM
Type:
enhancement
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla1.9.2b1
Tracking Flags:
Tracking Status
blocking1.9.1 --- .4+
status1.9.1 --- .4-fixed

People

(Reporter: nelson, Assigned: KaiE)

Details

Attachments

(1 file)

Patch v1
2.59 KB, patch
nelson
: review+
dveditz
: approval1.9.1.4+
Details | Diff | Splinter Review 
Now that NSS supports the South Korean SEED crypto algorithm in SSL/TLS
cipher suites, Firefox should also make it possible for users to enable
and disable this cipher suite, ASAP.

My apologies if this is a duplicate.  I searched for an open bug on "SEED"
and found nothing relevant.
Please provide a list of cipher IDs.

Two files need to be changed:
mozilla/netwerk/base/public/security-prefs.js
mozilla/security/manager/ssl/src/nsNSSComponent.cpp

With the list of SEED cipher IDs, and the entries for e.g. the camellia ciphers, someone should easily be able to produce the patch.
I'm not sure what you're requesting, Kai, but I'll guess it's this:

#define TLS_RSA_WITH_SEED_CBC_SHA               0x0096
I conclude there is only one cipher suite for SEED?
For example, I see 6 entries related to Camellia.

I looked for a similar ID and produced an entry similar to 

 {"security.ssl3.rsa_aes_256_sha", TLS_RSA_WITH_AES_256_CBC_SHA}, // 256-bit AES encryption with RSA and a SHA1 MAC
Attached patch Patch v1Splinter Review 

        Attachment #362720 -
        Flags: review?(nelson)

    
    

    
  
Yes, presently we implement only one single SEED ciphersuite

    
    

    
  
Comment on attachment 362720 [details] [diff] [review]
Patch v1

Kai, in these files, is there any significance to the order in which the ciphersuite prefs appear?  
Does placing the new SEED ciphersuite after the "null" ciphersuites imply that it is considered less secure than they are?  

Finally, is this really all that is needed?

    
    

    
  
Added the new PSM module peer Honza to the cc
list.

Kai, it's better to list the SEED cipher suite
next to the Camellia cipher suites because they
belong to the same category.

    
    

    
  
(In reply to comment #6)
> Kai, in these files, is there any significance to the order in which the
> ciphersuite prefs appear?  

order does not imply meaning


> Does placing the new SEED ciphersuite after the "null" ciphersuites imply that
> it is considered less secure than they are?

I didn't mean to imply anything, I simply added at the end.


> Finally, is this really all that is needed?

I think it is, PSM will initially loop over this array and call NSS enable functions, with the enable flag according to the pref.

Unless NSS has additional unusual enabling requirements for SEED...

    
    

    
  
(In reply to comment #7)
> Kai, it's better to list the SEED cipher suite
> next to the Camellia cipher suites because they
> belong to the same category.

If you don't like the current position, please propose an exact place in file nsNSSComponent.cpp

    
    

    
  
Comment on attachment 362720 [details] [diff] [review]
Patch v1

Kai, thanks for your answers.  r=nelson

        Attachment #362720 -
        Flags: review?(nelson) → review+

        Attachment #362720 -
        Flags: approval1.9.1.2?

    
    

    
  
This should get landed on trunk before landing on branch, although I see no reason not to approve it for branch. Please land on trunk asap.
blocking1.9.1: --- → ?

    
    

    
  
Comment on attachment 362720 [details] [diff] [review]
Patch v1

Trunk before branch, please, though we're very very interested in taking this, so renominate as soon as it lands there!
blocking1.9.1: ? → needed

          status1.9.1:
          --- → wanted

    
    

    
  
To progress this bug continuosly, what should we do next?

    
    

    
  
The patch is already reviewed.
Keywords: checkin-needed

    
    

    
  
http://hg.mozilla.org/mozilla-central/rev/248010090120
Status: NEW → RESOLVED
Closed: 15 years ago
Keywords: checkin-needed
Resolution: --- → FIXED
Target Milestone: --- → mozilla1.9.2b1

    
    

    
  
Kai: Is this ready for branch? Please request approval if so.

    
    

    
  
Comment on attachment 362720 [details] [diff] [review]
Patch v1

Landing on 1.9.2 branch for Firefox 3.6.x sounds good to me.

Landing on 1.9.1 for Firefox 3.5.x might be fine, too.

        Attachment #362720 -
        Flags: approval1.9.2?

    
    

    
  
This should already be on 1.9.2. It landed before 1.9.2 branched.

    
    

    
  
Comment on attachment 362720 [details] [diff] [review]
Patch v1

Yep. This isn't needed for 1.9.2. I was asking about 1.9.1.

        Attachment #362720 -
        Flags: approval1.9.2?

    
    

    
  
Comment on attachment 362720 [details] [diff] [review]
Patch v1

Landing this patch on mozilla 1.9.1 will enable a new feature in firefox 3.5.x

Are drivers willing to do that?

        Attachment #362720 -
        Flags: approval1.9.1.4?

        Attachment #362720 -
        Flags: approval1.9.1.4? → approval1.9.1.4+

    
    

    
  
Comment on attachment 362720 [details] [diff] [review]
Patch v1

Approved for 1.9.1.4, a=dveditz for release-drivers

    
    

    
  
I work at KISA. 
After creating TLS_RSA_WITH_SEED_CBC_SHA,  we recently created a new patch including TLS_RSA_WITH_SEED_CBC_SHA, TLS_DHE_DSS_WITH_SEED_CBC_SHA and TLS_DHE_RSA_WITH_SEED_CBC_SHA.
Could I upload it now? Or Should I create a new Bugzilla process to adopt the patch file that is modified for enabling TLS_DHE_DSS and TLS_DHE_RSA?

    
    

    
  
Seed is in the softoken. It's currently frozen for FIPS, but you can still provide your patch. We'll put it in the softoken 3.13 branch to be queued for the next FIPS validation.

bob

    
    

    
  
But not in this bug.  
Please file a new bug, product NSS, component libraries, version trunk,
importance: enhancement, and attach your patch to that.
blocking1.9.1: needed → .4+

    
    

    
  
pushed to mozilla-1.9.1 tree
http://hg.mozilla.org/releases/mozilla-1.9.1/rev/653b75a8f46f

What keyword should we add for fixed1.9.1.4 ?

    
    

    
  
Is there a means to test this fix and verify it?

Kai, you just change the status1.9.1 to .4-fixed, which has been done.

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: