Closed Bug 1641178 Opened 4 years ago Closed 3 years ago

Use a sufficiently secure encryption scheme

Categories

(Core :: Storage: IndexedDB, enhancement, P2)

enhancement

Tracking

()

RESOLVED FIXED
88 Branch
Tracking Status
firefox88 --- fixed

People

(Reporter: sg, Assigned: sg)

References

Details

Attachments

(1 file, 1 obsolete file)

The dummy encryption should be replaced by a real NSS-based encryption scheme using a proper symmetric cipher, message authentication, keys per database, and some measures to ensure IV uniqueness.

This will not be sufficient for non-private browsing encryption.

Assignee: nobody → sgiesecke
Status: NEW → ASSIGNED
Priority: -- → P2

Comment on attachment 9152030 [details]
Bug 1641178 - Generate keys per database. r=#dom-workers-and-storage

Revision D77020 was moved to bug 1638396. Setting attachment 9152030 [details] to obsolete.

Attachment #9152030 - Attachment is obsolete: true
Pushed by sgiesecke@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/8f7c25b71590
Add NSSCipherStrategy. r=dom-workers-and-storage-reviewers,jcj,janv

I can't reproduce this locally. It seems to be related to passing nullptr as aad to PK11_AEADOp from NSSCipherStrategy::Cipher. Benjamin, can you check if this use is wrong, or if there's an issue within NSS?

Flags: needinfo?(sgiesecke) → needinfo?(bbeurdouche)

I think that might actually be an NSS bug, I'll try to have a look ASAP...

I think we might have identified the issue, we are working it.

Flags: needinfo?(bbeurdouche)

Simon, if the fix I had in mind is enough, it has landed in NSS. So it should be in Mozilla central next time I uplift, probably tomorrow.
You can already try it, by copy pasting a copy of NSS master into security/nss and rebuilding.

Flags: needinfo?(sgiesecke)
Pushed by sgiesecke@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/3b3b6706f48f
Add NSSCipherStrategy. r=dom-workers-and-storage-reviewers,jcj,janv
Status: ASSIGNED → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → 88 Branch

(In reply to Benjamin Beurdouche [:beurdouche] from comment #9)

Simon, if the fix I had in mind is enough, it has landed in NSS. So it should be in Mozilla central next time I uplift, probably tomorrow.
You can already try it, by copy pasting a copy of NSS master into security/nss and rebuilding.

I try'd again, and that worked, and it landed now, so everything looks good. Thanks for taking care of this!

Flags: needinfo?(sgiesecke)
Regressions: CVE-2023-4050
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Created:
Updated:
Size: