Issue #1338 - Part 4: Initialize NSS with desired run-time values.

This NSS version (and onward) has variables to enable PKDBF rounds for
master password hardening (combating brute-force guessing).
Since we use DBM, we need to explicitly enable iteration counts in DBM
mode, and adjust the rounds used with a lower maximum because the PKDBF
routine for DBM is considerably slower for which the NSS default of
10,000 is debilitatingly high.
The method for this is run-time configuration through environment
variables. We set these prior to NSS initialization from nsAppRunner.cpp
so the NSS lib picks them up and allows us to continue using the DBM
cert/key stores with stored rounds per record.

1 files changed, 12 insertions, 0 deletions

diff --git a/toolkit/xre/nsAppRunner.cpp b/toolkit/xre/nsAppRunner.cpp
index 035d35a9d..ab3f3881d 100644
--- a/toolkit/xre/nsAppRunner.cpp
+++ b/toolkit/xre/nsAppRunner.cpp
@@ -2800,6 +2800,18 @@ XREMain::XRE_mainInit(bool* aExitFlag)
 #endif
 
   SetupErrorHandling(gArgv[0]);
+  
+  // Set up environment for NSS DBM database
+
+  // Allow iteration counts in DBM mode
+  SaveToEnv("NSS_ALLOW_LEGACY_DBM_ITERATION_COUNT=1");
+  // Set default Master Password rounds to a sane value for DBM which is slower
+  // than SQL for PKDBF. The NSS hard-coded default of 10,000 is too much.
+#ifdef DEBUG
+  SaveToEnv("NSS_MAX_MP_PBE_ITERATION_COUNT=15");
+#else
+  SaveToEnv("NSS_MAX_MP_PBE_ITERATION_COUNT=500");
+#endif
 
 #ifdef CAIRO_HAS_DWRITE_FONT
   {