I-BigSig, ukuba sengozini ku-Mozilla NSS engavumela ukusetshenziswa kwekhodi

Darkcrizt

Imizuzu ye-4

Izindaba mayelana ukukhomba ubungozi obubalulekile (sekuvele kuhlu ngaphansi kwe-CVE-2021-43527) en iqoqo lemitapo yolwazi yokubhala NSS (Amasevisi okuphepha enethiwekhi) kusuka ku-Mozilla okungase kuholele ekusetshenzisweni kwekhodi enonya lapho kucutshungulwa amasiginesha edijithali ye-DSA noma ye-RSA-PSS ecaciswe kusetshenziswa i-DER (Imithetho Egqamile Yokufaka Ikhodi).

Inkinga izibonakalisa ezinhlelweni ezisebenzisa i-NSS ukuphatha amasignesha edijithali I-CMS, S / MIME, PKCS # 7 kanye ne-PKCS # 12, noma lapho uqinisekisa izitifiketi ekusetshenzisweni I-TLS, X.509, OCSP ne-CRL. Ubungozi bungase buvele ezinhlelweni ezihlukahlukene zamaklayenti neseva ezinosekelo lwe-TLS, DTLS, ne-S/MIME, amaklayenti e-imeyili, nezibukeli ze-PDF ezisebenzisa ikholi ye-NSS CERT_VerifyCertificate () ukuze kuqinisekiswe amasiginesha edijithali.

I-LibreOffice, i-Evolution kanye ne-Evince ishiwo njengezibonelo zezinhlelo zokusebenza ezisengozini. Ngokunokwenzeka, inkinga ingaphinda ithinte amaphrojekthi afana nePidgin, Apache OpenOffice, Suricata, Curl, phakathi kwabanye.

Ngesikhathi esifanayo, ubungozi abuveli kuFirefox, Thunderbird kanye neTor Browser, ezisebenzisa i-mozilla ehlukile :: umtapo wezincwadi we-pkix wokuqinisekisa, nawo oyingxenye ye-NSS. I Iziphequluli ezisekelwe ku-Chrome (ngaphandle uma ahlanganiswe ngokuqondile ne-NSS), esebenzisa i-NSS kuze kube ngu-2015, kodwa adlulele ku-BoringSSL, abathinteki kule nkinga.

Ukuba sengozini kungenxa yesiphazamiso kukhodi yokuqinisekisa yesitifiketi ku-vfy_CreateContext umsebenzi wefayela le-secvfy.c. Iphutha lizibonakalisa kokubili lapho iklayenti lifunda isitifiketi esivela kuseva njengalapho iseva icubungula izitifiketi zeklayenti.

Lapho iqinisekisa isiginesha yedijithali ene-DER-encoded, i-NSS iqopha isiginesha ibe isilondolozi sosayizi ongashintshi bese idlulisela lesi sikhumbuzi kumojula ye-PKCS # 11. Ngesikhathi sokucutshungulwa, kumasignesha e-DSA kanye ne-RSA-PSS, usayizi uqinisekiswa ngokungalungile, okuholela okuholela ekuchichimeni kwebhafa eyabelwe isakhiwo se-VFYContextStr, uma usayizi wesiginesha yedijithali idlula amabhithi angu-16384 (amabhayithi angu-2048 abelwe isilondolozi, kodwa akuqinisekiswa ukuthi isiginesha ingaba nkulu).

Ikhodi equkethe ukuba sengozini ihlehlela emuva ngo-2003, kodwa bekungelona usongo kwaze kwaba yilapho kwenziwa kabusha ngo-2012. Ngo-2017, kwenziwa iphutha elifanayo lapho kuqaliswa ukusekelwa kwe-RSA-PSS. Ukuze wenze ukuhlasela, isizukulwane esinezisetshenziswa esinamandla sokhiye abathile akudingekile ukuze uthole idatha edingekayo, ngoba ukuchichima kwenzeka esigabeni ngaphambi kokuqinisekiswa kokufaneleka kwesiginesha yedijithali. Ingxenye engaphandle kwemingcele yedatha ibhalelwe endaweni yenkumbulo equkethe izikhombi zokusebenza, okwenza kube lula ukudala izinto ezisebenzayo.

Ukuba sengozini kukhonjwe abacwaningi be-Google Project Zero ngesikhathi sokuhlolwa ngezindlela ezintsha zokuhlola ezididayo futhi kuwukuboniswa okuhle kokuthi ubungozi obuncane bungase bungabonakali kanjani isikhathi eside kuphrojekthi eyaziwayo ehlolwe kahle.

Ngokuqondene ne izinkinga eziyinhloko inkinga engazange ibonwe isikhathi eside:

  • Umtapo wolwazi we-NSS nokuhlolwa okungaqondakali akwenziwanga ngokuphelele, kodwa ezingeni lengxenye ngayinye.
  • Isibonelo, ikhodi yokukhipha ikhodi i-DER nokucubungula izitifiketi yaqinisekiswa ngokwehlukana; Ngesikhathi sokuphinga, kungenzeka ukuthi isitifiketi sitholwe, okuholele ekubonakalisweni kobungozi okukhulunywa ngabo, kodwa ukuqinisekiswa kwaso akuzange kufinyelele ikhodi yokuqinisekisa futhi inkinga ayizange idalulwe.
  • Ngesikhathi sokuhlolwa okudidayo, imikhawulo eqinile yabekwa kusayizi wokuphumayo (amabhayithi ayi-10,000) ngaphandle kwemikhawulo enjalo ku-NSS (izakhiwo eziningi ezikumodi evamile zingaba zikhulu kunamabhayithi angu-10,000, ngakho-ke, ukukhomba izinkinga, kudingeka idatha yokokufaka eyengeziwe. ). Ukuze uthole ukuqinisekiswa okugcwele, umkhawulo bekufanele ube ngamabhayithi angu-2 24 -1 (16 MB), ohambisana nosayizi omkhulu wesitifiketi esivunyelwe ku-TLS.
  • Umbono oyiphutha mayelana nokufakwa kwekhodi ngokuhlolwa okungaqondakali. Ikhodi esengozini iye yahlolwa ngokuqhubekayo, kodwa kusetshenziswa ama-fuzers, awakwazanga ukukhiqiza idatha yokufaka edingekayo. Isibonelo, i-fuzzer tls_server_target isebenzise isethi echazwe ngaphambilini yezitifiketi ezingaphandle kwebhokisi, ezikhawulele ukuqinisekiswa kwekhodi yokuqinisekisa yesitifiketi kumilayezo ye-TLS kuphela nezinguquko zesimo sephrothokholi.

Ekugcineni, Kuhle ukusho ukuthi inkinga nge-codename BigSig ilungisiwe ku-NSS 3.73 naku-NSS ESR 3.68.1 kanye nezibuyekezo zesisombululo kwifomu lephakheji sezivele zikhishwe ekusabalaliseni okuhlukene: i-Debian, i-RHEL, Ubuntu, i-SUSE, i-Arch Linux, i-Gentoo, i-FreeBSD, njll.

Uma ufuna ukwazi kabanzi ngakho, ungaxhumana isixhumanisi esilandelayo.


Shiya umbono wakho

Ikheli lakho le ngeke ishicilelwe. Ezidingekayo ibhalwe nge *

*

*

  1. Unomthwalo wemfanelo ngedatha: AB Internet Networks 2008 SL
  2. Inhloso yedatha: Lawula Ugaxekile, ukuphathwa kwamazwana.
  3. Ukusemthethweni: Imvume yakho
  4. Ukuxhumana kwemininingwane: Imininingwane ngeke idluliselwe kubantu besithathu ngaphandle kwesibopho esisemthethweni.
  5. Isitoreji sedatha: Idatabase ebanjwe yi-Occentus Networks (EU)
  6. Amalungelo: Nganoma yisiphi isikhathi ungakhawulela, uthole futhi ususe imininingwane yakho.