Closed Bug 1338897 Opened 4 years ago Closed 4 years ago

Avoid using NSS Base64 functions in PSM

Categories

(Core :: Security: PSM, defect, P1)

defect

Tracking

()

RESOLVED FIXED
mozilla55
Tracking Status
firefox55 --- fixed

People

(Reporter: Cykesiopka, Assigned: Cykesiopka)

References

Details

(Keywords: addon-compat, Whiteboard: [psm-assigned])

Attachments

(1 file)

The NSS Base64 functions are less safe and convenient to use than the XPCOM ones.
They're also an unnecessary dependency on NSS.
Depends on: 1342736
Comment on attachment 8847155 [details]
Bug 1338897 - Avoid using NSS Base64 functions in PSM.

https://reviewboard.mozilla.org/r/120172/#review123060

Looks great. Sorry this took a while to review.

::: security/apps/AppSignatureVerification.cpp:50
(Diff revision 1)
>  extern mozilla::LazyLogModule gPIPNSSLog;
>  
>  namespace {
>  
> +inline nsDependentCSubstring
> +DigestToString(const Digest& digest)

It might be nice to call this "DigestToDependentString" to be a bit more clear that the result depends on the input living longer than it (also might be nice to document this).

::: security/nss.symbols:19
(Diff revision 1)
>  #endif
>  #include ../db/sqlite3/src/sqlite.symbols
>  ATOB_AsciiToData
>  ATOB_AsciiToData_Util
> -ATOB_ConvertAsciiToItem
>  ATOB_ConvertAsciiToItem_Util

I'd imagine we can get rid of this line as well now, right?

::: security/nss.symbols:510
(Diff revision 1)
>  SECITEM_AllocArray
>  SECITEM_AllocItem
>  SECITEM_AllocItem_Util
>  SECITEM_ArenaDupItem_Util
> -SECITEM_CompareItem
>  SECITEM_CompareItem_Util

Same here.
Attachment #8847155 - Flags: review?(dkeeler) → review+
Comment on attachment 8847155 [details]
Bug 1338897 - Avoid using NSS Base64 functions in PSM.

https://reviewboard.mozilla.org/r/120172/#review123060

No worries, thanks for the review!

> I'd imagine we can get rid of this line as well now, right?

Sadly, getting rid of the _Util symbols broke my try builds the last time I tried. Looks like we still need to keep this here as long as NSS itself uses the function.
Pushed by ryanvm@gmail.com:
https://hg.mozilla.org/integration/autoland/rev/312bdabd35b8
Avoid using NSS Base64 functions in PSM. r=keeler
Keywords: checkin-needed
https://hg.mozilla.org/mozilla-central/rev/312bdabd35b8
Status: ASSIGNED → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla55
The changes here may impact add-ons that fit the following criteria:
1. Use nsICryptoHash or nsICryptoHMAC directly or indirectly.
2. Init either of the above with SHA-512 as the choice of hash algorithm.
3. Call `finish(true)` to get back base 64 output.

If these add-ons previously depended on the base 64 output having CRLF characters inserted every 64 characters, they need to stop doing that - the output will no longer have such characters.
Keywords: addon-compat
Blocks: 1356522
You need to log in before you can comment on or make changes to this bug.