Closed Bug 1990242 Opened 2 months ago Closed 1 month ago

Move NSS DB password hash away from SHA-1

Categories

(NSS :: Libraries, enhancement)

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: hpj, Assigned: hpj)

References

(Blocks 1 open bug)

Attachments

(2 files)

NIST will require moving away from SHA-1 in security mechanisms starting January 2031. sftkpwd.c contains code to hash the database password and a salt with SHA-1 to arrive at the key. We will likely have to move to a new algorithm for compliance. Due to service windows, this affects downstreams currently.

CNSA 2.0 specifies SHA-384 or SHA-512. We should probably move to one of these.

Blocks: 1968647

Accept databases that used either SHA-1 or SHA-384 to hash the password. When a new password is set, hash with SHA-1 if it's blank, otherwise SHA-384. Use the stored salt's size to determine the current algorithm.

As I understand it, this is approved use of SHA-1, since a blank/unset password is a "no security" context.

A database with a blank password will be forwards and backwards portable. A database with a non-empty password will only be forwards portable.

The algorithm is left unchanged until the password is actively set by the user. Since upgrading will always require user interaction anyway (password must be entered), this seems like a reasonable way to do it, and it avoids the element of surprise inherent in implicit upgrade (e.g. on unlock). In Firefox, it's sufficient to set the password without changing it.

Attachment #9515436 - Flags: review?(rrelyea)

Can you make this patch a phabricator patch? Thanks,

bob

When the database password is set or changed, migrate the database to
a new passwordToKey function using SHA-384.

SHA-1-based databases will still be supported. The hash function to use
is determined by the size of the stored salt.

An empty password will always use SHA-1.

Done. Slight caveat: moz-phab claims nss-reviewers isn't a valid reviewer name, so I left it out.
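The salt-length dispatch and the portability claim discussed in this bug, as an added sketch that is not the NSS patch or any commenter's code. Assumptions: the key is H(salt || password), each scheme's salt is as long as its digest (20 bytes for SHA-1, 48 for SHA-384), and all function names are hypothetical.

```python
import hashlib
import hmac
import os

# Assumption: salt length equals the digest length of the hash that produced the key.
SHA1_SALT_LEN = hashlib.sha1().digest_size      # 20 bytes
SHA384_SALT_LEN = hashlib.sha384().digest_size  # 48 bytes
HASH_BY_SALT_LEN = {SHA1_SALT_LEN: hashlib.sha1, SHA384_SALT_LEN: hashlib.sha384}


def password_to_key(salt: bytes, password: str) -> bytes:
    """Updated reader: pick the hash from the stored salt's size."""
    hash_fn = HASH_BY_SALT_LEN.get(len(salt))
    if hash_fn is None:
        raise ValueError(f"unsupported salt length {len(salt)}")
    return hash_fn(salt + password.encode("utf-8")).digest()


def legacy_password_to_key(salt: bytes, password: str) -> bytes:
    """Reader predating the change: SHA-1 regardless of salt size."""
    return hashlib.sha1(salt + password.encode("utf-8")).digest()


def set_password(password: str) -> tuple[bytes, bytes]:
    """Setting a password: blank stays on SHA-1, non-empty moves to SHA-384."""
    salt_len = SHA1_SALT_LEN if password == "" else SHA384_SALT_LEN
    salt = os.urandom(salt_len)
    return salt, password_to_key(salt, password)


def legacy_can_open(salt: bytes, key: bytes, password: str) -> bool:
    """True if a pre-change reader derives the same key (backwards portable)."""
    return hmac.compare_digest(legacy_password_to_key(salt, password), key)


if __name__ == "__main__":
    for pw in ("", "correct horse"):  # constructed sample passwords
        salt, key = set_password(pw)
        print(repr(pw), len(salt), legacy_can_open(salt, key, pw))
```

A database whose password was set before the change keeps its 20-byte salt, so `password_to_key` still derives its key with SHA-1 until the password is set again.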

Pushed by rrelyea@redhat.com:
https://hg.mozilla.org/projects/nss/rev/695ee02208ec
Move NSS DB password hash away from SHA-1. r=rrelyea

Status: UNCONFIRMED → RESOLVED
Closed: 1 month ago
Resolution: --- → FIXED
Assignee: nobody → rrelyea
Assignee: rrelyea → hpj

Set the assignee to hpj, I only reviewed and checked in the patch.

Comment on attachment 9515436 [details] [diff] [review]
nss-use-approved-pw-hash.patch

I've already reviewed this in phabricator.

Attachment #9515436 - Flags: review?(rrelyea)