From 24f97a1683b5a8d5fc66c1ad8fffa722b91b914f Mon Sep 17 00:00:00 2001 From: wolfbeast Date: Thu, 2 Jan 2020 21:24:54 +0100 Subject: Issue #1338 - Part 4: Initialize NSS with desired run-time values. This NSS version (and onward) has variables to enable PKDBF rounds for master password hardening (combating brute-force guessing). Since we use DBM, we need to explicitly enable iteration counts in DBM mode, and adjust the rounds used with a lower maximum because the PKDBF routine for DBM is considerably slower for which the NSS default of 10,000 is debilitatingly high. The method for this is run-time configuration through environment variables. We set these prior to NSS initialization from nsAppRunner.cpp so the NSS lib picks them up and allows us to continue using the DBM cert/key stores with stored rounds per record. --- toolkit/xre/nsAppRunner.cpp | 12 ++++++++++++ 1 file changed, 12 insertions(+) (limited to 'toolkit/xre') diff --git a/toolkit/xre/nsAppRunner.cpp b/toolkit/xre/nsAppRunner.cpp index 035d35a9d..ab3f3881d 100644 --- a/toolkit/xre/nsAppRunner.cpp +++ b/toolkit/xre/nsAppRunner.cpp @@ -2800,6 +2800,18 @@ XREMain::XRE_mainInit(bool* aExitFlag) #endif SetupErrorHandling(gArgv[0]); + + // Set up environment for NSS DBM database + + // Allow iteration counts in DBM mode + SaveToEnv("NSS_ALLOW_LEGACY_DBM_ITERATION_COUNT=1"); + // Set default Master Password rounds to a sane value for DBM which is slower + // than SQL for PKDBF. The NSS hard-coded default of 10,000 is too much. +#ifdef DEBUG + SaveToEnv("NSS_MAX_MP_PBE_ITERATION_COUNT=15"); +#else + SaveToEnv("NSS_MAX_MP_PBE_ITERATION_COUNT=500"); +#endif #ifdef CAIRO_HAS_DWRITE_FONT { -- cgit v1.2.3