Closed Bug 1253912 (NSS_ECC_MORE_THAN_SUITE_B) Opened 8 years ago Closed 8 years ago

Remove NSS_ECC_MORE_THAN_SUITE_B support

Categories

(NSS :: Libraries, defect)

Product:
NSS
Component:
Libraries
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

(firefox47 affected)

Status:
RESOLVED FIXED
Tracking Flags:
Tracking Status
firefox47 --- affected

People

(Reporter: franziskus, Assigned: franziskus)

References

(Blocks 2 open bugs)

Details

Attachments

(1 file, 2 obsolete files)

ecc-cleanup.patch
317.96 KB, patch
rrelyea
: review+
Details | Diff | Splinter Review 
NSS doesn't support NSS_ECC_MORE_THAN_SUITE_B at the moment without source code changes. If it is not possible to use NSS_ECC_MORE_THAN_SUITE_B with the current code, all related code could be removed.
See Also: → ECL_USE_FP
Are you able to identify when this broke?  (I know, it means bisecting, but that should be relatively quick.)
Bug 335748 removes all the non suite B curves and bug 353896 makes sure to throw an error if NSS_ECC_MORE_THAN_SUITE_B is set. So NSS_ECC_MORE_THAN_SUITE_B is not usable since 3.11.5 (if the target is correct, but definitely since 3.12).
Hmmm... So, how are we getting non-SuiteB curves on some builders?
I'm guessing that Julien might want to comment on this bug.
Flags: needinfo?(julien.pierre)
Kai,

I have been discussing this issue off bugzilla and off the list. Our only requirement at Oracle is that there should still be a way to build with all the curves somehow, whatever the method to do that may be - additional build macros, files, etc.
Flags: needinfo?(julien.pierre)
Alias: NSS_ECC_MORE_THAN_SUITE_B
See Also: → 1128792
Attached patch ecc-cleanup.patch (obsolete) — Splinter Review 
This removes NSS_ECC_MORE_THAN_SUITE_B support and all associated code.

The only "observable" differences to the outside world are in ecl-curve.h and ecl-exp.h where I shrank the enums. But since none of those values were usable before, I wouldn't consider this a breaking change.
All OIDs are kept such that other PK11 token can still be used with other curves (in case anyone does this).

This should solve the bustages we currently have and will break the workaround for those additional curves.
Assignee: nobody → franziskuskiefer
Attachment #8777327 - Flags: review?(wtc)
Attachment #8777327 - Flags: review?(rrelyea)
Attachment #8777327 - Flags: review?(martin.thomson)
Attachment #8777327 - Flags: review?(kaie)
Franziskus, this looks promising.  It's surprisingly large though.

You need to remove the final column from the table in sslsock.c and the ssl_SuiteBOnly() function from ssl3ecc.c.  There are probably a few other bits of collateral as well.  ssl_InitNamedGroups() could probably just set the value of ss->namedGroups to UINT32_MAX and avoid the looping.  That sort of thing...
(In reply to Martin Thomson [:mt:] from comment #9)
> Franziskus, this looks promising.  It's surprisingly large though.

The largest part are files that get removed. And yes, there's a lot of dead code...

> You need to remove the final column from the table in sslsock.c and the
> ssl_SuiteBOnly() function from ssl3ecc.c.  There are probably a few other
> bits of collateral as well.  ssl_InitNamedGroups() could probably just set
> the value of ss->namedGroups to UINT32_MAX and avoid the looping.  That sort
> of thing...

right, I'll fix those things. I'm sure there are some more things we could simplify...
Comment on attachment 8777327 [details] [diff] [review]
ecc-cleanup.patch

Review of attachment 8777327 [details] [diff] [review]:
-----------------------------------------------------------------

Franziskus: I will wait until the NSS team has decided to do this
to review this patch carefully. I took a quick look and I suggest
some changes. See also the patch I emailed to the NSS team today,
which fixes the ssl_gtest.sh test failures with
NSS_ECC_MORE_THAN_SUITE_B=1.

::: external_tests/ssl_gtest/libssl_internals.c
@@ +44,2 @@
>  
>      return PR_MAX(SSL_RSASTRENGTH_TO_ECSTRENGTH(serverKeyBits), minKeaBits);

We should remove the minKeaBits local variable and just
pass the 256U constant to PR_MAX() here.

::: lib/ssl/sslimpl.h
@@ +177,1 @@
>      PRBool suiteb;

We should delete this member. If we can't, I suggest we rename
this member "suitebUnused" or "suitebReserved".
(In reply to Franziskus Kiefer [:fkiefer or :franziskus] from comment #7)
> Created attachment 8777327 [details] [diff] [review]
> ecc-cleanup.patch
> 
> This removes NSS_ECC_MORE_THAN_SUITE_B support and all associated code.
> 
> The only "observable" differences to the outside world are in ecl-curve.h
> and ecl-exp.h where I shrank the enums.

ecl-curve.h is a private header.  ecl-exp.h is an exported header, so
your changes to ecl-exp.h need to be carefully reviewed.  We may need
to leave the ECCurveName enum type unchanged.
Comment on attachment 8777327 [details] [diff] [review]
ecc-cleanup.patch

Review of attachment 8777327 [details] [diff] [review]:
-----------------------------------------------------------------

I like the code deleting.

::: cmd/bltest/tests/ecdsa/key0
@@ +1,3 @@
> +AAAACgYIKoZIzj0DAQcAAABBBNGB7n4kH15tKA/SMpetaQVqg6WxIuuUuMQT2tDX
> +NN5jKZfaxD47NsTjTr3x3D5t1qRBYuL6VtdgIuxBIHGG9dcAAAAgaGjyZBL+LN3a
> +7NkGiHJBfqh7XKNH0AnPF3vFWpostIQ=

I assume that this is just renaming key13 to key0, and key14 to key1?

::: lib/freebl/ecl/ecl-exp.h
@@ -31,5 @@
>  
>  	ECCurve_noName = 0,
>  
>  	/* NIST prime curves */
> -	ECCurve_NIST_P192,

As Wan-Teh points out, this is a public file, so we need to keep these.  You should just mark them deprecated.
> I assume that this is just renaming key13 to key0, and key14 to key1?

yep

> We may need to leave the ECCurveName enum type unchanged.
> As Wan-Teh points out, this is a public file, so we need to keep these.  You should just mark them deprecated.

Yeah, I was hoping that since those values are not usable we could remove them. But I guess we have to keep and deprecate them.
Comment on attachment 8777327 [details] [diff] [review]
ecc-cleanup.patch

I abstain from voting on this.
Attachment #8777327 - Flags: review?(kaie)
For obvious reasons, I'm not in favor of this change. This change basically means Oracle has to fork NSS.
Summary: NSS_ECC_MORE_THAN_SUITE_B support → Remove NSS_ECC_MORE_THAN_SUITE_B support
Depends on: 1304610
Comment on attachment 8777327 [details] [diff] [review]
ecc-cleanup.patch

Someone will have to remind me of the exact details of the agreement we came to at the meeting.
Attachment #8777327 - Flags: review?(martin.thomson)
I believe we agreed that the other curves should still continue to work if Oracle/Red Hat only change the content of the ecl directory for their NSS builds.

I pointed out that these extra curves need to continue to work not just for libssl, but also for certutil so that keygen/signing for these other curves continues to work.

Same may be needed in a few other tools as well, but I think this is the most critical one.

I believe the current patch does not address this requirement for certutil. It just removes the extra curves from a hardcoded list. It needs to enumerate the curves supported for keygen and/or signing.
I'll update the patch today.
Curves other than the 4 curves currently in ecl-curves.h will only work with a token using something other than freebl (or an old version). Other prime curves can be added to ecl-curves.h if someone wishes to do as a local patch (note that reverting ecl doesn't work anymore as of 4 day ago where the definition of ECCurveParams changed). libssl will continue to support other prime curves if an appropriate token is present, i.e. all curves listed at [1]. The same goes for certutil, it'll support the 4 curves that are present and others if there's an appropriate token, i.e. not freebl without modifications.

[1] https://github.com/nss-dev/nss/blob/c6d94f8f3c493a8cd0b75d3cc65e6eab5612a748/lib/ssl/sslsock.c#L150
Attached patch ecc-cleanup.patch (obsolete) — Splinter Review 
This should remove things as described in comment 19 and hopefully reflect what we discussed.
Attachment #8777327 - Attachment is obsolete: true
Attachment #8777327 - Flags: review?(wtc)
Attachment #8777327 - Flags: review?(rrelyea)
Attachment #8794133 - Flags: review?(wtc)
Attachment #8794133 - Flags: review?(rrelyea)
Attachment #8794133 - Flags: review?(martin.thomson)
Comment on attachment 8794133 [details] [diff] [review]
ecc-cleanup.patch

Review of attachment 8794133 [details] [diff] [review]:
-----------------------------------------------------------------

Would you mind throwing this on phabricator for me?
r+ from mt at https://nss-dev.phacility.com/D24
Attachment #8794133 - Attachment is obsolete: true
Attachment #8794133 - Flags: review?(wtc)
Attachment #8794133 - Flags: review?(rrelyea)
Attachment #8794133 - Flags: review?(martin.thomson)
Attachment #8794829 - Flags: review?(wtc)
Attachment #8794829 - Flags: review?(rrelyea)
Blocks: 653032
Comment on attachment 8794829 [details] [diff] [review]
ecc-cleanup.patch

Review of attachment 8794829 [details] [diff] [review]:
-----------------------------------------------------------------

Sorry it took so long to get to this. I was a long list, but easier to review than the list seemed to indicate. (mostly I had to verify that yes, indeed this file should be removed).

::: cmd/certutil/certutil.c
@@ +1262,5 @@
>  #ifndef NSS_DISABLE_ECC
>      FPS "%-20s Elliptic curve name (ec only)\n",
>          "   -q curve-name");
> +    FPS "%-20s One of nistp256, nistp384, nistp521, curve25519.\n", "");
> +    FPS "%-20s If a custom token is present, the following curves are also supported:\n", "");

Good!
Attachment #8794829 - Flags: review?(rrelyea) → review+
landed as https://hg.mozilla.org/projects/nss/rev/057be83a362092e04c435a6988f4ff22c134305b
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Target Milestone: --- → 3.28
Attachment #8794829 - Flags: review?(wtc)
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: