Closed Bug 1735309 Opened 4 years ago Closed 4 years ago

FIPS-mode crashes neqo

Categories

(Core :: Networking: HTTP, defect, P2)

Tracking

RESOLVED FIXED
91 Branch
Tracking Status
firefox-esr91 94+ fixed
firefox94 --- fixed

People

(Reporter: dragana, Assigned: dragana)

References

(Blocks 1 open bug)

Details

(Whiteboard: [necko-triaged])

Attachments

(1 file)

SUSE is currently having the following problem with FF91esr: When run in FIPS-mode, Firefox crashes in neqo.
As it turns out the call to hkdf::import_key(TLS_VERSION_1_3, cipher, salt) in new_initial() in third_party/rust/neqo-transport/src/crypto.rs fails, because it tries to create a key from raw key material, which is apparently not allowed in FIPS-mode.

This is fixed in PR 1247.

This bug will create a patch for FF91.

[Tracking Requested - why for this release]: This patch is only needed for esr91. See the description.

Target Milestone: --- → 91 Branch

Comment on attachment 9245438 [details]
Use PK11_ImportDataKey for FIPS safety

ESR Uplift Approval Request

  • If this is not a sec:{high,crit} bug, please state case for ESR consideration: SUSE is currently having the following problem with FF91esr: When run in FIPS-mode, Firefox crashes in neqo.
  • User impact if declined:
  • Fix Landed on Version: 93
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky):
  • String or UUID changes made by this patch:
Attachment #9245438 - Flags: approval-mozilla-esr91?

Martin, can you please add some text about the risk for this uplift (see comment 4)? I am not familiar enough with NSS to write this. Thanks.

Flags: needinfo?(mt)

Risks: This change swaps out the use of one API for an equivalent function that doesn't crash when FIPS is enabled. This is a small amount of changed code, but the functions that are being used are extremely widely used (we use this API for every TLS connection) and the code around this is very thoroughly tested.

Flags: needinfo?(mt)

Please link this bug to the Neqo update bug containing this fix for m-c as well.

Flags: needinfo?(dd.mozilla)

Comment on attachment 9245438 [details]
Use PK11_ImportDataKey for FIPS safety

Approved for 91.3esr.

Attachment #9245438 - Flags: approval-mozilla-esr91? → approval-mozilla-esr91+

The fix landed in m.c. in bug 1733603.

Depends on: 1733603
Flags: needinfo?(dd.mozilla)
Status: ASSIGNED → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED