adding a new custom ciphersuite to NSS (to be used by Thunderbird for TLS establishment)


Mozilla - Security mailing list
Hi

Hope everyone is doing great.

I have a small research-oriented project in which I have to add a custom AES-like cipher to NSS, which will later be used by Thunderbird for TLS establishment.

Currently, I have added/defined my ciphers in the following files by doing my own limited research:

i. sslproto.h
ii. sslenum.c
iii. ssl3con.c
iv. ssl3ecc.c

The ciphersuite name is TLS_ECDHE_ECDSA_WITH_MYAES_128_GCM_SHA256, and the hex number given to it is 0xC02A.

However, when I compile, the following errors come up:
ssl3con.c(184): error C2078 too many initalizers
ssl3con.c(293): error C2065 cipher myaes_128_gcm : undeclared identifier

and a lot more errors ...

What would be the best approach or steps to successfully integrate a custom ciphersuite? Should I look at the "Support for Camellia Cipher Suites to TLS RFC4132: Attachment #245822: patch for NSS trunk" and "SEED cipher" patches?

I will be contributing to this open source society by providing a documentation/patch/video of what I have done which will benefit others.

Regards.
_______________________________________________
dev-security mailing list
[hidden email]
https://lists.mozilla.org/listinfo/dev-security

Re: adding a new custom ciphersuite to NSS (to be used by Thunderbird for TLS establishment)

Mozilla - Security mailing list
Hello again, can anyone guide me? Thanks.
On Wednesday, November 22, 2017 at 11:53:49 PM UTC+5, f masood wrote:

> Hi
>
> Hope everyone doing great.
>
> I have a small research oriented project in which I have to add a custom similar to AES like cipher to the NSS which will later be used by the Thunderbird for TLS establishment.
>
> Currently, I have added/defined my ciphers in the following files by doing my own limited research:
>
> i. sslproto.h
> ii. sslenum.c
> iii. ssl3con.c
> iv. ssl3ecc.c
>
> the ciphersuite name is === TLS_ECDHE_ECDSA_WITH_MYAES_128_GCM_SHA256, HEX number given to it  === OXC02A
>
>
> however when I compile the following error comes in:
> ssl3con.c(184): error C2078 too many initalizers
> ssl3con.c(293): error C2065 cipher myaes_128_gcm : undeclared identifier
>
> and alot more errors ...
>
> What should be the best approach or steps to successfully integrate a custom CIPHERSUITE, should I look at the "
> Support for Camellia Cipher Suites to TLS RFC4132: Attachment #245822: patch for NSS trunk" and "SEED cipher" patches ?
>
> I will be contributing to this open source society by providing a documentation/patch/video of what I have done which will benefit others.
>
> Regards.


Re: adding a new custom ciphersuite to NSS (to be used by Thunderbird for TLS establishment)

Mozilla - Security mailing list
In reply to this post by Mozilla - Security mailing list
***Update***

So I was doing manual patching, after looking at the Camellia cipher patch, in my Thunderbird NSS directory on the Windows platform, since I want to create the binary on the Windows platform, and I got the following issues:

i. pk11table.c location changed

ii. pk11pars.h file not found [can't patch the file]

iii. sslimpl.h had the numbers 64 and 40 in the patch; what number should I give? The following lines are from the original:
                a. #define ssl_V3_SUITES_IMPLEMENTED 64

                b. #define ssl_V3_SUITES_IMPLEMENTED 40

iv. What numbers to assign cipher in secoid.c


ps: this patch is very old, almost a decade old, can anyone guide me or provide me a slightly new patch please thanks?


On Friday, November 24, 2017 at 9:42:52 AM UTC+5, f masood wrote:

> Hello again, can anyone guide me ? Thanks.
> On Wednesday, November 22, 2017 at 11:53:49 PM UTC+5, f masood wrote:
> > Hi
> >
> > Hope everyone doing great.
> >
> > I have a small research oriented project in which I have to add a custom similar to AES like cipher to the NSS which will later be used by the Thunderbird for TLS establishment.
> >
> > Currently, I have added/defined my ciphers in the following files by doing my own limited research:
> >
> > i. sslproto.h
> > ii. sslenum.c
> > iii. ssl3con.c
> > iv. ssl3ecc.c
> >
> > the ciphersuite name is === TLS_ECDHE_ECDSA_WITH_MYAES_128_GCM_SHA256, HEX number given to it  === OXC02A
> >
> >
> > however when I compile the following error comes in:
> > ssl3con.c(184): error C2078 too many initalizers
> > ssl3con.c(293): error C2065 cipher myaes_128_gcm : undeclared identifier
> >
> > and alot more errors ...
> >
> > What should be the best approach or steps to successfully integrate a custom CIPHERSUITE, should I look at the "
> > Support for Camellia Cipher Suites to TLS RFC4132: Attachment #245822: patch for NSS trunk" and "SEED cipher" patches ?
> >
> > I will be contributing to this open source society by providing a documentation/patch/video of what I have done which will benefit others.
> >
> > Regards.


Re: adding a new custom ciphersuite to NSS (to be used by Thunderbird for TLS establishment)

Franziskus Kiefer
I suggest looking at these patches [1][2] for example. They add
ChaCha20Poly1305 to NSS and TLS. It does everything you want to do as well.

Cheers

[1] https://hg.mozilla.org/projects/nss/rev/b7b1d793bc64
[2] https://hg.mozilla.org/projects/nss/rev/b6c9ec057991

On Fri, Nov 24, 2017 at 8:19 AM, f masood via dev-security <
[hidden email]> wrote:

> ***Update***
>
> so I was doing manual patching after looking the Camellia Cipher Patch in
> my Thunderbird NSS direcotry on Windows platform since I want to create the
> the binary on windows platform and I got the following issues:
>
> i.      pk11table.c location changed
>
> ii.     pk11pars.h file not found [cant patch the file]
>
> iii.    sslimpl.h had number 64 and 40 in the patch, what number should I
> give, following lines from orignal:
>                 a. #define ssl_V3_SUITES_IMPLEMENTED 64
>
>                 b. #define ssl_V3_SUITES_IMPLEMENTED 40
>
> iv. What numbers to assign cipher in secoid.c
>
>
> ps: this patch is very old, almost a decade old, can anyone guide me or
> provide me a slightly new patch please thanks?
>
>
> On Friday, November 24, 2017 at 9:42:52 AM UTC+5, f masood wrote:
> > Hello again, can anyone guide me ? Thanks.
> > On Wednesday, November 22, 2017 at 11:53:49 PM UTC+5, f masood wrote:
> > > Hi
> > >
> > > Hope everyone doing great.
> > >
> > > I have a small research oriented project in which I have to add a
> custom similar to AES like cipher to the NSS which will later be used by
> the Thunderbird for TLS establishment.
> > >
> > > Currently, I have added/defined my ciphers in the following files by
> doing my own limited research:
> > >
> > > i. sslproto.h
> > > ii. sslenum.c
> > > iii. ssl3con.c
> > > iv. ssl3ecc.c
> > >
> > > the ciphersuite name is === TLS_ECDHE_ECDSA_WITH_MYAES_128_GCM_SHA256,
> HEX number given to it  === OXC02A
> > >
> > >
> > > however when I compile the following error comes in:
> > > ssl3con.c(184): error C2078 too many initalizers
> > > ssl3con.c(293): error C2065 cipher myaes_128_gcm : undeclared
> identifier
> > >
> > > and alot more errors ...
> > >
> > > What should be the best approach or steps to successfully integrate a
> custom CIPHERSUITE, should I look at the "
> > > Support for Camellia Cipher Suites to TLS RFC4132: Attachment #245822:
> patch for NSS trunk" and "SEED cipher" patches ?
> > >
> > > I will be contributing to this open source society by providing a
> documentation/patch/video of what I have done which will benefit others.
> > >
> > > Regards.
>
> _______________________________________________
> dev-security mailing list
> [hidden email]
> https://lists.mozilla.org/listinfo/dev-security
>

Re: adding a new custom ciphersuite to NSS (to be used by Thunderbird for TLS establishment)

Mozilla - Security mailing list
In reply to this post by Mozilla - Security mailing list
Thank you very much for the reply.
I didn't follow the patch myself, because ChaCha20 is a stream cipher and the cipher I want to add is a block cipher similar to AES, so shouldn't there be an issue?

Re: adding a new custom ciphersuite to NSS (to be used by Thunderbird for TLS establishment)

Mozilla - Security mailing list
In reply to this post by Mozilla - Security mailing list
Update:

The above provided patch is helpful thanks. But I have a small query:

1.   I have compiled TB before doing changes and created a binary (.exe).

2.   Then, I applied the ChaCha/Poly patch to the NSS directory.

3.   Now, how can I recompile/build so that only the NSS folder changes are built, that is, so that the new ChaCha and Poly obj files are created?

4.   I don't want to re-compile the whole TB folder from scratch (after running the clobber command) because it takes an HOUR to compile.

5.   When I run ./mozilla mach build or ./mozilla mach build binaries command I get the error: not open comipler generated file: \obj-i686-mingw32\security]nss\lib\freebl\poly1305\poly1305.obj" No such file or directory



On Friday, November 24, 2017 at 2:47:23 PM UTC+5, f masood wrote:
> Thank you very much for the reply.
> I didn't follow the patch myself, because ChaCha20 is a stream cipher and the cipher I want to add is similar to AES like a block cipher so shouldn't there be issue ?


Re: adding a new custom ciphersuite to NSS (to be used by Thunderbird for TLS establishment)

Mozilla - Security mailing list
In reply to this post by Mozilla - Security mailing list
Update:

1. I have made the changes as done by the patch; however, I get the following errors:

i.   /mozilla/security/nss/lib/ssl/ssl3con.c (179) :error C2078 (178) : too many initializers

ii.   /mozilla/security/nss/lib/ssl/ssl3con.c (179) :error C2078 (179) : too many initializers

iii.   /mozilla/security/nss/lib/ssl/ssl3con.c (179) :error C2078 (5609) : too many initializers

iv.   /mozilla/security/nss/lib/ssl/ssl3con.c (179) :error C2078 (5591) : too many initializers

Can anyone help me out? I am stuck pretty bad!

Re: adding a new custom ciphersuite to NSS (to be used by Thunderbird for TLS establishment)

Ángel González-2
On 2017-11-27 at 03:41 -0800, f masood via dev-security wrote:

> Update:
>
> 1. i have done the changes as done by the patch however, I get the following error:
>
> i.   /mozilla/security/nss/lib/ssl/ssl3con.c (179) :error C2078 (178) : too many initializers
>
> ii.   /mozilla/security/nss/lib/ssl/ssl3con.c (179) :error C2078 (179) : too many initializers
>
> iii.   /mozilla/security/nss/lib/ssl/ssl3con.c (179) :error C2078 (5609) : too many initializers
>
> iv.   /mozilla/security/nss/lib/ssl/ssl3con.c (179) :error C2078 (5591) : too many initializers
>
> can anyone help me out ?  i am stuck pretty bad !

Maybe you could provide a relevant snippet of the changes you were
doing? Or at least provide a link to the file in hg.mozilla.org.
You clearly have an error in the C code around line 179 of
mozilla/security/nss/lib/ssl/ssl3con.c but how should we know what you
changed, and therein, what's wrong there?

Cheers


Re: adding a new custom ciphersuite to NSS (to be used by Thunderbird for TLS establishment)

Mozilla - Security mailing list
In reply to this post by Mozilla - Security mailing list
*** Update # 4***

1. So, I am kind of successful.

2. What I did was look at the PATCH (ChaCha20+Poly1305) shared with me by Mr. Franziskus Kiefer (very kind of him) and start making the changes. I made an "ecdhe_ecdsa_myseed_cbc_sha" ciphersuite, which is basically the SEED cipher, but made all the changes in all the required *.C, *.H and other files.

3. There were a few times when I got an error that compilation failed because something was defined / declared. Again I looked at the files where SEED was declared and used a similar convention for declaring MYSEED ...

4. Eventually, all the errors were gone, Thunderbird got compiled and a binary (.exe) was generated.

5. Now, I have opened the "CONFIG EDITOR" of Thunderbird and when I search for ssl, all the TLS ciphers like aes_128_gcm, aes_256_gcm, chacha20 etc. show up but my "ecdhe_ecdsa_ns_cbc_sha" does not show up. If I manually edit and add the "pref("security.ssl3.ecdhe_ecdsa_ns_cbc_sha", true);" in "grepprefs.js" it shows up.

6. Should I manually add it? Is this the right approach or what? All the other ciphers automatically get loaded, so why doesn't my custom one show up?


ps: i'll be creating and sharing a patch which will help this open community :)

On Monday, November 27, 2017 at 4:41:30 PM UTC+5, f masood wrote:

> Update:
>
> 1. i have done the changes as done by the patch however, I get the following error:
>
> i.   /mozilla/security/nss/lib/ssl/ssl3con.c (179) :error C2078 (178) : too many initializers
>
> ii.   /mozilla/security/nss/lib/ssl/ssl3con.c (179) :error C2078 (179) : too many initializers
>
> iii.   /mozilla/security/nss/lib/ssl/ssl3con.c (179) :error C2078 (5609) : too many initializers
>
> iv.   /mozilla/security/nss/lib/ssl/ssl3con.c (179) :error C2078 (5591) : too many initializers
>
> can anyone help me out ?  i am stuck pretty bad !


Re: adding a new custom ciphersuite to NSS (to be used by Thunderbird for TLS establishment)

Mozilla - Security mailing list
In reply to this post by Mozilla - Security mailing list
*** Update # 4***

1. So, I am kind of successful.

2. What I did was look at the PATCH (ChaCha20+Poly1305) shared with me by Mr. Franziskus Kiefer (very kind of him) and start making the changes. I made an "ecdhe_ecdsa_myseed_cbc_sha" ciphersuite, which is basically the SEED cipher, but made all the changes in all the required *.C, *.H and other files.

3. There were a few times when I got an error that compilation failed because something was defined / declared. Again I looked at the files where SEED was declared and used a similar convention for declaring MYSEED ...

4. Eventually, all the errors were gone, Thunderbird got compiled and a binary (.exe) was generated.

5. Now, I have opened the "CONFIG EDITOR" of Thunderbird and when I search for ssl, all the TLS ciphers like aes_128_gcm, aes_256_gcm, chacha20 etc. show up but my "ecdhe_ecdsa_ns_cbc_sha" does not show up. If I manually edit and add the "pref("security.ssl3.ecdhe_ecdsa_myseed_cbc_sha", true);" in "grepprefs.js" it shows up. I think I should add it to the /netwerk/base/grepprefs.js file.

6. But my question is that my "TLS_ECDHE_ECDSA_WITH_MYSEED_CBC_SHA" doesn't show up in Wireshark when the CLIENT HELLO is sent. I know that for successful communication my server also needs to have this cipher, but why is the Thunderbird client not sending the cipher in the CLIENT HELLO packet? 15 ciphers are sent to servers and they are those aes 128, aes 256, chacha etc. ciphers, but mycipher is not present. Can anyone help me?


ps: i'll be creating and sharing a patch which will help this open community :)


On Monday, November 27, 2017 at 4:41:30 PM UTC+5, f masood wrote:

> Update:
>
> 1. i have done the changes as done by the patch however, I get the following error:
>
> i.   /mozilla/security/nss/lib/ssl/ssl3con.c (179) :error C2078 (178) : too many initializers
>
> ii.   /mozilla/security/nss/lib/ssl/ssl3con.c (179) :error C2078 (179) : too many initializers
>
> iii.   /mozilla/security/nss/lib/ssl/ssl3con.c (179) :error C2078 (5609) : too many initializers
>
> iv.   /mozilla/security/nss/lib/ssl/ssl3con.c (179) :error C2078 (5591) : too many initializers
>
> can anyone help me out ?  i am stuck pretty bad !


Re: adding a new custom ciphersuite to NSS (to be used by Thunderbird for TLS establishment)

Mozilla - Security mailing list
In reply to this post by Mozilla - Security mailing list
*** Update # 4***

1. So, I am kind of successful.

2. What I did was look at the PATCH (ChaCha20+Poly1305) shared with me by Mr. Franziskus Kiefer (very kind of him) and start making the changes. I made an "ecdhe_ecdsa_myseed_cbc_sha" ciphersuite, which is basically the SEED cipher, but made all the changes in all the required *.C, *.H and other files.

3. There were a few times when I got an error that compilation failed because something was defined / declared. Again I looked at the files where SEED was declared and used a similar convention for declaring MYSEED ...

4. Eventually, all the errors were gone, Thunderbird got compiled and a binary (.exe) was generated.

5. Now, I have opened the "CONFIG EDITOR" of Thunderbird and when I search for ssl, all the TLS ciphers like aes_128_gcm, aes_256_gcm, chacha20 etc. show up but my "ecdhe_ecdsa_myseed_cbc_sha" does not show up. If I manually edit and add the "pref("security.ssl3.ecdhe_ecdsa_myseed_cbc_sha", true);" in "grepprefs.js" it shows up. I think I should add it to the /netwerk/base/grepprefs.js file.

6. But my question is that my "TLS_ECDHE_ECDSA_WITH_MYSEED_CBC_SHA" doesn't show up in Wireshark when the CLIENT HELLO is sent. I know that for successful communication my server also needs to have this cipher, but why is the Thunderbird client not sending the cipher in the CLIENT HELLO packet? 15 ciphers are sent to servers and they are those aes 128, aes 256, chacha etc. ciphers, but mycipher myseed is not present. Can anyone help / guide me?


ps: i'll be creating and sharing a patch which will help this open community :)

On Wednesday, November 22, 2017 at 11:53:49 PM UTC+5, f masood wrote:

> Hi
>
> Hope everyone doing great.
>
> I have a small research oriented project in which I have to add a custom similar to AES like cipher to the NSS which will later be used by the Thunderbird for TLS establishment.
>
> Currently, I have added/defined my ciphers in the following files by doing my own limited research:
>
> i. sslproto.h
> ii. sslenum.c
> iii. ssl3con.c
> iv. ssl3ecc.c
>
> the ciphersuite name is === TLS_ECDHE_ECDSA_WITH_MYAES_128_GCM_SHA256, HEX number given to it  === OXC02A
>
>
> however when I compile the following error comes in:
> ssl3con.c(184): error C2078 too many initalizers
> ssl3con.c(293): error C2065 cipher myaes_128_gcm : undeclared identifier
>
> and alot more errors ...
>
> What should be the best approach or steps to successfully integrate a custom CIPHERSUITE, should I look at the "
> Support for Camellia Cipher Suites to TLS RFC4132: Attachment #245822: patch for NSS trunk" and "SEED cipher" patches ?
>
> I will be contributing to this open source society by providing a documentation/patch/video of what I have done which will benefit others.
>
> Regards.


Re: adding a new custom ciphersuite to NSS (to be used by Thunderbird for TLS establishment)

Mozilla - Security mailing list
In reply to this post by Mozilla - Security mailing list
Thanks for the reply.

1. I did the changes to SSL3con.c but now when I start the Thunderbird.exe the application crashes and Mozilla Crash report dialog comes in.


2. I have created a diff file in which I have used the NS naming convention instead of MYSEED. So, NS === SEED cipher.

3. The diff file can be downloaded from the following link:
https://drive.google.com/drive/folders/1ZUY-rSBOZd5fVq58jVRUBJeFYrNkCgQB



On Wednesday, November 29, 2017 at 2:06:40 AM UTC+5, Ángel wrote:

> On 2017-11-27 at 03:41 -0800, f masood via dev-security wrote:
> > Update:
> >
> > 1. i have done the changes as done by the patch however, I get the following error:
> >
> > i.   /mozilla/security/nss/lib/ssl/ssl3con.c (179) :error C2078 (178) : too many initializers
> >
> > ii.   /mozilla/security/nss/lib/ssl/ssl3con.c (179) :error C2078 (179) : too many initializers
> >
> > iii.   /mozilla/security/nss/lib/ssl/ssl3con.c (179) :error C2078 (5609) : too many initializers
> >
> > iv.   /mozilla/security/nss/lib/ssl/ssl3con.c (179) :error C2078 (5591) : too many initializers
> >
> > can anyone help me out ?  i am stuck pretty bad !
>
> Maybe you could provide a relevant snippet of the changes you were
> doing? Or at least provide a link to the file in hg.mozilla.org
> You clearly have an error in the C code around line 179 of
> mozilla/security/nss/lib/ssl/ssl3con.c but how should we know what you
> changed, and therein, what's wrong there?
>
> Cheers


Re: adding a new custom ciphersuite to NSS (to be used by Thunderbird for TLS establishment)

Mozilla - Security mailing list
In reply to this post by Mozilla - Security mailing list
*** Update # 6 ***

Something is related to the internet, I believe.

1 If my INTERNET is not working, the THUNDERBIRD application gets started. And in offline mode (without INTERNET on my system) I can go and browse the application.

2 But as soon as I add my ACCOUNT details and try to CONNECT, the application crashes.

3 Wireshark is unable to capture any traffic / packets.


Any guide about my patch / changes I have done or any help ?
On Wednesday, November 29, 2017 at 11:03:35 AM UTC+5, f masood wrote:

> Thanks for the reply.
>
> 1. I did the changes to SSL3con.c but now when I start the Thunderbird.exe the application crashes and Mozilla Crash report dialog comes in.
>
>
> 2. I have created a diff file in which i have used NS naming convention instead of MYSEED. So, NS === SEED cipher.
>
> 3. The diff file can be downloaded from the following link:
> https://drive.google.com/drive/folders/1ZUY-rSBOZd5fVq58jVRUBJeFYrNkCgQB
>
>
>
> On Wednesday, November 29, 2017 at 2:06:40 AM UTC+5, Ángel wrote:
> > On 2017-11-27 at 03:41 -0800, f masood via dev-security wrote:
> > > Update:
> > >
> > > 1. i have done the changes as done by the patch however, I get the following error:
> > >
> > > i.   /mozilla/security/nss/lib/ssl/ssl3con.c (179) :error C2078 (178) : too many initializers
> > >
> > > ii.   /mozilla/security/nss/lib/ssl/ssl3con.c (179) :error C2078 (179) : too many initializers
> > >
> > > iii.   /mozilla/security/nss/lib/ssl/ssl3con.c (179) :error C2078 (5609) : too many initializers
> > >
> > > iv.   /mozilla/security/nss/lib/ssl/ssl3con.c (179) :error C2078 (5591) : too many initializers
> > >
> > > can anyone help me out ?  i am stuck pretty bad !
> >
> > Maybe you could provide a relevant snippet of the changes you were
> > doing? Or at least provide a link to the file in hg.mozilla.org
> > You clearly have an error in the C code around line 179 of
> > mozilla/security/nss/lib/ssl/ssl3con.c but how should we know what you
> > changed, and therein, what's wrong there?
> >
> > Cheers


Re: adding a new custom ciphersuite to NSS (to be used by Thunderbird for TLS establishment)

Ángel González-2
On 2017-11-30 at 00:20 -0800, f masood via dev-security wrote:

> *** Update # 6 ***
>
> Something is related to internet I beleive.
>
> 1 If my INTERNT is not working the THUNDERBIRD application gets started. And in offline mode (without INTERNET on my system) I can go and browse the application.
>
> 2 But as soon I add my ACCOUNT details and try to CONNECT, the application crashes.
>
> 3 Wireshark unable to capture any traffic / packets.
>
>
> Any guide about my patch / changes I have done or any help ?


Your patch crashes the application. If you don't have internet,
thunderbird doesn't try to use your code, and that's why it works in
such case.

Have you tried opening thunderbird in your debugger?
Crashes like this are easier to find with one.

Best regards



Re: adding a new custom ciphersuite to NSS (to be used by Thunderbird for TLS establishment)

Mozilla - Security mailing list
In reply to this post by Mozilla - Security mailing list
Any help ???

Re: adding a new custom ciphersuite to NSS (to be used by Thunderbird for TLS establishment)

Mozilla - Security mailing list
In reply to this post by Mozilla - Security mailing list
On Wednesday, November 29, 2017 at 11:03:35 AM UTC+5, f masood wrote:

> Thanks for the reply.
>
> 1. I did the changes to SSL3con.c but now when I start the Thunderbird.exe the application crashes and Mozilla Crash report dialog comes in.
>
>
> 2. I have created a diff file in which i have used NS naming convention instead of MYSEED. So, NS === SEED cipher.
>
> 3. The diff file can be downloaded from the following link:
> https://drive.google.com/drive/folders/1ZUY-rSBOZd5fVq58jVRUBJeFYrNkCgQB
>
>
>
> On Wednesday, November 29, 2017 at 2:06:40 AM UTC+5, Ángel wrote:
> > On 2017-11-27 at 03:41 -0800, f masood via dev-security wrote:
> > > Update:
> > >
> > > 1. i have done the changes as done by the patch however, I get the following error:
> > >
> > > i.   /mozilla/security/nss/lib/ssl/ssl3con.c (179) :error C2078 (178) : too many initializers
> > >
> > > ii.   /mozilla/security/nss/lib/ssl/ssl3con.c (179) :error C2078 (179) : too many initializers
> > >
> > > iii.   /mozilla/security/nss/lib/ssl/ssl3con.c (179) :error C2078 (5609) : too many initializers
> > >
> > > iv.   /mozilla/security/nss/lib/ssl/ssl3con.c (179) :error C2078 (5591) : too many initializers
> > >
> > > can anyone help me out ?  i am stuck pretty bad !
> >
> > Maybe you could provide a relevant snippet of the changes you were
> > doing? Or at least provide a link to the file in hg.mozilla.org
> > You clearly have an error in the C code around line 179 of
> > mozilla/security/nss/lib/ssl/ssl3con.c but how should we know what you
> > changed, and therein, what's wrong there?
> >
> > Cheers

I have manually done changes (addition) in the

mozilla/security/manager/ssl/nsNSSCallbacks.cpp file i.e.

case TLS_ECDHE_ECDSA_WITH_MYSEED_CBC_SHA: value = 15; break;

Although it is not mentioned in the PATCH file of CHACHA, all the CIPHERSUITES have been added to this file as well; might this be causing Thunderbird to crash again and again?

Re: adding a new custom ciphersuite to NSS (to be used by Thunderbird for TLS establishment)

Kyle Hamilton
First, you shouldn't include .pyc files in patches.  (binary files in
patch files tend to make patches unreadable by most text viewers.)
Python will recompile .py files to .pyc as necessary.

Second, have you tried running your code through a debugger?  If it's
crashing, chances are it's either not allocating memory correctly, or
it's writing outside the bounds of memory that it's allocated.  A
debugger will help you figure out what's going on, and why.

-Kyle H

On Mon, Dec 4, 2017 at 12:03 AM, f masood via dev-security
<[hidden email]> wrote:

> On Wednesday, November 29, 2017 at 11:03:35 AM UTC+5, f masood wrote:
>> Thanks for the reply.
>>
>> 1. I did the changes to SSL3con.c but now when I start the Thunderbird.exe the application crashes and Mozilla Crash report dialog comes in.
>>
>>
>> 2. I have created a diff file in which i have used NS naming convention instead of MYSEED. So, NS === SEED cipher.
>>
>> 3. The diff file can be downloaded from the following link:
>> https://drive.google.com/drive/folders/1ZUY-rSBOZd5fVq58jVRUBJeFYrNkCgQB
>>
>>
>>
>> On Wednesday, November 29, 2017 at 2:06:40 AM UTC+5, Ángel wrote:
>> > On 2017-11-27 at 03:41 -0800, f masood via dev-security wrote:
>> > > Update:
>> > >
>> > > 1. i have done the changes as done by the patch however, I get the following error:
>> > >
>> > > i.   /mozilla/security/nss/lib/ssl/ssl3con.c (179) :error C2078 (178) : too many initializers
>> > >
>> > > ii.   /mozilla/security/nss/lib/ssl/ssl3con.c (179) :error C2078 (179) : too many initializers
>> > >
>> > > iii.   /mozilla/security/nss/lib/ssl/ssl3con.c (179) :error C2078 (5609) : too many initializers
>> > >
>> > > iv.   /mozilla/security/nss/lib/ssl/ssl3con.c (179) :error C2078 (5591) : too many initializers
>> > >
>> > > can anyone help me out ?  i am stuck pretty bad !
>> >
>> > Maybe you could provide a relevant snippet of the changes you were
>> > doing? Or at least provide a link to the file in hg.mozilla.org
>> > You clearly have an error in the C code around line 179 of
>> > mozilla/security/nss/lib/ssl/ssl3con.c but how should we know what you
>> > changed, and therein, what's wrong there?
>> >
>> > Cheers
>
> I have manually done changes (addition) in the
>
> mozilla/security/manager/ssl/nsNSSCallbacks.cpp file i.e.
>
> case TLS_ECDHE_ECDSA_WITH_MYSEED_CBC_SHA: value = 15; break;
>
> Although it is not mentioned in the PATCH file of CHACHA but all the CIPHERSUITES have been added to this file also, is this might be calling the thunderbird to crash again and again ???
> _______________________________________________
> dev-security mailing list
> [hidden email]
> https://lists.mozilla.org/listinfo/dev-security
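
The failures reported in this thread (C2078 "too many initializers", a suite missing from the ClientHello, a crash on connect) are typical of parallel lookup tables that have drifted apart. The following is an added illustration, not NSS code and not from any poster: a simplified model that assumes, as the `ssl_V3_SUITES_IMPLEMENTED` define quoted earlier suggests, a suite list sized by a count macro. All type, table and function names are hypothetical, and 0xFF01 is a constructed id from the TLS private-use range.

```c
/* Added illustration: simplified model of parallel cipher-suite tables.
 * NOT NSS source; every identifier here is hypothetical. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define SUITES_IMPLEMENTED 3 /* must be bumped whenever a suite row is added */
#define COUNT_OF(a) (sizeof(a) / sizeof((a)[0]))

typedef enum { bulk_aes_128_gcm, bulk_chacha20, bulk_myseed_cbc, bulk_count } BulkCipher;
typedef struct { BulkCipher id; const char *name; int key_len; } BulkDef;
typedef struct { uint16_t suite; BulkCipher bulk; } SuiteDef;
typedef struct { uint16_t suite; int enabled; } SuiteCfg;

/* Indexed by BulkCipher, so row order must match the enum. */
static const BulkDef bulk_defs[] = {
    { bulk_aes_128_gcm, "aes_128_gcm", 16 },
    { bulk_chacha20, "chacha20_poly1305", 32 },
    { bulk_myseed_cbc, "myseed_cbc", 16 },
};
static const SuiteDef suite_defs[] = {
    { 0xC02B, bulk_aes_128_gcm },
    { 0xCCA9, bulk_chacha20 },
    { 0xFF01, bulk_myseed_cbc }, /* constructed private-use id */
};
/* More initializers than SUITES_IMPLEMENTED here is what MSVC reports as
 * C2078; fewer compiles silently and leaves zero-filled rows. */
static const SuiteCfg enabled_suites[SUITES_IMPLEMENTED] = {
    { 0xC02B, 1 }, { 0xCCA9, 1 }, { 0xFF01, 1 },
};

/* Compile-time checks: catch a forgotten row before the binary exists. */
_Static_assert(COUNT_OF(bulk_defs) == bulk_count, "one bulk_defs row per BulkCipher");
_Static_assert(COUNT_OF(suite_defs) == SUITES_IMPLEMENTED, "one suite_defs row per suite");

static const SuiteDef *lookup_suite_def(const SuiteDef *defs, size_t n, uint16_t suite)
{
    for (size_t i = 0; i < n; i++)
        if (defs[i].suite == suite)
            return &defs[i];
    return NULL; /* unknown suite: caller must skip it, not dereference */
}

static const BulkDef *lookup_bulk_def(const BulkDef *defs, size_t n, BulkCipher id)
{
    if ((size_t)id >= n)
        return NULL; /* enum value added without a table row: would read out of bounds */
    if (defs[id].id != id)
        return NULL; /* rows no longer in enum order */
    return &defs[id];
}

/* Runtime audit: every configured suite must resolve to a suite definition
 * and then to a bulk-cipher row. Returns the number of broken rows. */
static int audit_tables(const SuiteCfg *cfg, size_t ncfg,
                        const SuiteDef *sdefs, size_t nsdefs,
                        const BulkDef *bdefs, size_t nbdefs)
{
    int problems = 0;
    for (size_t i = 0; i < ncfg; i++) {
        const SuiteDef *sd = lookup_suite_def(sdefs, nsdefs, cfg[i].suite);
        if (sd == NULL || lookup_bulk_def(bdefs, nbdefs, sd->bulk) == NULL)
            problems++;
    }
    return problems;
}

int audit_builtin_tables(void)
{
    return audit_tables(enabled_suites, COUNT_OF(enabled_suites),
                        suite_defs, COUNT_OF(suite_defs),
                        bulk_defs, COUNT_OF(bulk_defs));
}

/* Constructed mistakes: the count was bumped to 4 without adding a row, and
 * the bulk-cipher table never received the new cipher's entry. */
int audit_broken_tables(void)
{
    static const BulkDef short_bulk[] = {
        { bulk_aes_128_gcm, "aes_128_gcm", 16 },
        { bulk_chacha20, "chacha20_poly1305", 32 },
    };
    static const SuiteCfg cfg[4] = { { 0xC02B, 1 }, { 0xCCA9, 1 }, { 0xFF01, 1 } };
    return audit_tables(cfg, COUNT_OF(cfg), suite_defs, COUNT_OF(suite_defs),
                        short_bulk, COUNT_OF(short_bulk));
}

int main(void)
{
    printf("consistent tables: %d problem(s)\n", audit_builtin_tables());
    printf("broken tables:     %d problem(s)\n", audit_broken_tables());
    return 0;
}
```

Run under a debug build, an audit of this kind turns a crash at handshake time into a count of the rows that no longer line up.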

Re: adding a new custom ciphersuite to NSS (to be used by Thunderbird for TLS establishment)

Mozilla - Security mailing list
In reply to this post by Mozilla - Security mailing list
On Monday, December 4, 2017 at 10:41:11 PM UTC+5, Ángel wrote:

> On 2017-11-30 at 00:20 -0800, f masood via dev-security wrote:
> > *** Update # 6 ***
> >
> > Something is related to internet I believe.
> >
> > 1 If my INTERNET is not working the THUNDERBIRD application gets started. And in offline mode (without INTERNET on my system) I can go and browse the application.
> >
> > 2 But as soon as I add my ACCOUNT details and try to CONNECT, the application crashes.
> >
> > 3 Wireshark is unable to capture any traffic / packets.
> >
> >
> > Any guide about my patch / changes I have done or any help?
>
>
> Your patch crashes the application. If you don't have internet,
> thunderbird doesn't try to use your code, and that's why it works in
> such case.
>
> Have you tried opening thunderbird in your debugger?
> Crashes like this are easier to find with one.
>
> Best regards

Thanks for reply.

Re: adding a new custom ciphersuite to NSS (to be used by Thunderbird for TLS establishment)

Mozilla - Security mailing list
In reply to this post by Mozilla - Security mailing list
On Tuesday, December 5, 2017 at 8:21:41 AM UTC+5, Kyle Hamilton wrote:

> First, you shouldn't include .pyc files in patches.  (binary files in
> patch files tend to make patches unreadable by most text viewers.)
> Python will recompile .py files to .pyc as necessary.
>
> Second, have you tried running your code through a debugger?  If it's
> crashing, chances are it's either not allocating memory correctly, or
> it's writing outside the bounds of memory that it's allocated.  A
> debugger will help you figure out what's going on, and why.
>
> -Kyle H
>
> On Mon, Dec 4, 2017 at 12:03 AM, f masood via dev-security
> <[hidden email]> wrote:
> > On Wednesday, November 29, 2017 at 11:03:35 AM UTC+5, f masood wrote:
> >> Thanks for the reply.
> >>
> >> 1. I did the changes to SSL3con.c but now when I start the Thunderbird.exe the application crashes and Mozilla Crash report dialog comes in.
> >>
> >>
> >> 2. I have created a diff file in which I have used NS naming convention instead of MYSEED. So, NS === SEED cipher.
> >>
> >> 3. The diff file can be downloaded from the following link:
> >> https://drive.google.com/drive/folders/1ZUY-rSBOZd5fVq58jVRUBJeFYrNkCgQB
> >>
> >>
> >>
> >> On Wednesday, November 29, 2017 at 2:06:40 AM UTC+5, Ángel wrote:
> >> > On 2017-11-27 at 03:41 -0800, f masood via dev-security wrote:
> >> > > Update:
> >> > >
> >> > > 1. I have done the changes as done by the patch however, I get the following error:
> >> > >
> >> > > i.   /mozilla/security/nss/lib/ssl/ssl3con.c (179) :error C2078 (178) : too many initializers
> >> > >
> >> > > ii.   /mozilla/security/nss/lib/ssl/ssl3con.c (179) :error C2078 (179) : too many initializers
> >> > >
> >> > > iii.   /mozilla/security/nss/lib/ssl/ssl3con.c (179) :error C2078 (5609) : too many initializers
> >> > >
> >> > > iv.   /mozilla/security/nss/lib/ssl/ssl3con.c (179) :error C2078 (5591) : too many initializers
> >> > >
> >> > > Can anyone help me out? I am stuck pretty bad!
> >> >
> >> > Maybe you could provide a relevant snippet of the changes you were
> >> > doing? Or at least provide a link to the file in hg.mozilla.org
> >> > You clearly have an error in the C code around line 179 of
> >> > mozilla/security/nss/lib/ssl/ssl3con.c but how should we know what you
> >> > changed, and therein, what's wrong there?
> >> >
> >> > Cheers
> >
> > I have manually done changes (addition) in the
> >
> > mozilla/security/manager/ssl/nsNSSCallbacks.cpp file i.e.
> >
> > case TLS_ECDHE_ECDSA_WITH_MYSEED_CBC_SHA: value = 15; break;
> >
> > Although it is not mentioned in the PATCH file of CHACHA, all the CIPHERSUITES have been added to this file also; might this be causing Thunderbird to crash again and again?

1. So, I ran the CLOBBER command and then rebuilt the complete THUNDERBIRD [it took 118 minutes]; now it's not crashing.

2. But the CIPHERSUITE (MYSEED) is not being sent to the SERVER in the client hello packet by Thunderbird; I can only see the ciphers already added before [e.g. aes, chacha, aes-gcm etc.].

3. I have followed all the steps of the patch for adding ChaCha Poly in NSS.

Any help in this regard?

4. Or how to test it? Any other method?
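
One way to approach the "how to test it?" question in the post above is to check the bytes of a captured ClientHello for the suite's code point. This is an added example, not part of the original post and not NSS code; `client_hello_offers` and `SAMPLE_HELLO` are hypothetical names, the sample bytes are constructed, and the ClientHello is assumed to fit in a single TLS record.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed sample: a minimal TLS 1.2 ClientHello record offering three suites. */
const uint8_t SAMPLE_HELLO[] = {
    0x16, 0x03, 0x01, 0x00, 0x31,    /* record header: handshake, 49 bytes follow */
    0x01, 0x00, 0x00, 0x2D,          /* handshake header: ClientHello, 45-byte body */
    0x03, 0x03,                      /* client_version */
    0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0, /* random (zeroed), 32 bytes */
    0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,
    0x00,                            /* empty session_id */
    0x00, 0x06, 0xC0, 0x2B, 0xC0, 0x2F, 0x00, 0x9C, /* cipher_suites */
    0x01, 0x00                       /* compression_methods: null */
};

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Returns 1 if the ClientHello in rec[0..len) offers `suite`, 0 if not,
 * -1 if malformed or truncated. Each length is checked before use. */
int client_hello_offers(const uint8_t *rec, size_t len, uint16_t suite)
{
    size_t off, end, hs_len, sid_len, cs_len, i;

    /* Record header: type 0x16 (handshake), version(2), length(2). */
    if (len < 5 || rec[0] != 0x16) return -1;
    end = 5 + (size_t)be16(rec + 3);
    if (end > len) return -1;
    off = 5;
    /* Handshake header: msg_type 0x01 (ClientHello), length(3). */
    if (end - off < 4 || rec[off] != 0x01) return -1;
    hs_len = ((size_t)rec[off + 1] << 16) | ((size_t)rec[off + 2] << 8) | rec[off + 3];
    off += 4;
    if (hs_len > end - off) return -1;
    end = off + hs_len;
    /* client_version(2), random(32), then session_id length(1) and bytes. */
    if (end - off < 35) return -1;
    off += 34;
    sid_len = rec[off++];
    if (sid_len > 32 || end - off < sid_len + 2) return -1;
    off += sid_len;
    /* cipher_suites: length(2), then one 2-byte code point per suite. */
    cs_len = be16(rec + off);
    off += 2;
    if (cs_len == 0 || (cs_len & 1) || cs_len > end - off) return -1;
    for (i = 0; i < cs_len; i += 2)
        if (be16(rec + off + i) == suite) return 1;
    return 0;
}
```

Pass it the bytes of the first TLS record exported from a capture; a return of 0 for the custom suite's code point means the client never offered it, so the problem is on the enabling side rather than in the cipher implementation.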

Re: adding a new custom ciphersuite to NSS (to be used by Thunderbird for TLS establishment)

Mozilla - Security mailing list
In reply to this post by Mozilla - Security mailing list
On Tuesday, December 5, 2017 at 8:50:42 AM UTC+5, f masood wrote:

> On Tuesday, December 5, 2017 at 8:21:41 AM UTC+5, Kyle Hamilton wrote:
> > First, you shouldn't include .pyc files in patches.  (binary files in
> > patch files tend to make patches unreadable by most text viewers.)
> > Python will recompile .py files to .pyc as necessary.
> >
> > Second, have you tried running your code through a debugger?  If it's
> > crashing, chances are it's either not allocating memory correctly, or
> > it's writing outside the bounds of memory that it's allocated.  A
> > debugger will help you figure out what's going on, and why.
> >
> > -Kyle H
> >
> > On Mon, Dec 4, 2017 at 12:03 AM, f masood via dev-security
> > <[hidden email]> wrote:
> > > On Wednesday, November 29, 2017 at 11:03:35 AM UTC+5, f masood wrote:
> > >> Thanks for the reply.
> > >>
> > >> 1. I did the changes to SSL3con.c but now when I start the Thunderbird.exe the application crashes and Mozilla Crash report dialog comes in.
> > >>
> > >>
> > >> 2. I have created a diff file in which I have used NS naming convention instead of MYSEED. So, NS === SEED cipher.
> > >>
> > >> 3. The diff file can be downloaded from the following link:
> > >> https://drive.google.com/drive/folders/1ZUY-rSBOZd5fVq58jVRUBJeFYrNkCgQB
> > >>
> > >>
> > >>
> > >> On Wednesday, November 29, 2017 at 2:06:40 AM UTC+5, Ángel wrote:
> > >> > On 2017-11-27 at 03:41 -0800, f masood via dev-security wrote:
> > >> > > Update:
> > >> > >
> > >> > > 1. I have done the changes as done by the patch however, I get the following error:
> > >> > >
> > >> > > i.   /mozilla/security/nss/lib/ssl/ssl3con.c (179) :error C2078 (178) : too many initializers
> > >> > >
> > >> > > ii.   /mozilla/security/nss/lib/ssl/ssl3con.c (179) :error C2078 (179) : too many initializers
> > >> > >
> > >> > > iii.   /mozilla/security/nss/lib/ssl/ssl3con.c (179) :error C2078 (5609) : too many initializers
> > >> > >
> > >> > > iv.   /mozilla/security/nss/lib/ssl/ssl3con.c (179) :error C2078 (5591) : too many initializers
> > >> > >
> > >> > > Can anyone help me out? I am stuck pretty bad!
> > >> >
> > >> > Maybe you could provide a relevant snippet of the changes you were
> > >> > doing? Or at least provide a link to the file in hg.mozilla.org
> > >> > You clearly have an error in the C code around line 179 of
> > >> > mozilla/security/nss/lib/ssl/ssl3con.c but how should we know what you
> > >> > changed, and therein, what's wrong there?
> > >> >
> > >> > Cheers
> > >
> > > I have manually done changes (addition) in the
> > >
> > > mozilla/security/manager/ssl/nsNSSCallbacks.cpp file i.e.
> > >
> > > case TLS_ECDHE_ECDSA_WITH_MYSEED_CBC_SHA: value = 15; break;
> > >
> > > Although it is not mentioned in the PATCH file of CHACHA, all the CIPHERSUITES have been added to this file also; might this be causing Thunderbird to crash again and again?
>
> 1. So, I ran the CLOBBER command and then rebuilt the complete THUNDERBIRD [it took 118 minutes]; now it's not crashing.
>
> 2. But the CIPHERSUITE (MYSEED) is not being sent to the SERVER in the client hello packet by Thunderbird; I can only see the ciphers already added before [e.g. aes, chacha, aes-gcm etc.].
>
> 3. I have followed all the steps of the patch for adding ChaCha Poly in NSS.
>
> Any help in this regard?
>
> 4. Or how to test it? Any other method?

***Update #7***

All the existing ciphers are added in the files:

a.   /manager/ssl/nsNSSCallbacks.cpp

b.   /manager/ssl/nsNSSComponent.cpp


But the ChaCha patch does not have a modification to this file??? Should I add the cipher here? Any help?