chromiumos-overlay: dev-libs/nss, app-crypt/nss - Fix for CVE-2020-12403.
BUG=b/190702288
TEST=presubmit
RELEASE_NOTE=Fixed CVE-2020-12403
cos-patch: security-moderate
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/overlays/chromiumos-overlay/+/3173713
Reviewed-by: Mike Frysinger <vapier@chromium.org>
Reviewed-by: Pavol Marko <pmarko@chromium.org>
Tested-by: Meena Shanmugam <meenashanmugam@google.com>
Commit-Queue: Meena Shanmugam <meenashanmugam@google.com>
Change-Id: I2ddfa7194373da5b38a1178035aa461791b6507f
Reviewed-on: https://cos-review.googlesource.com/c/third_party/overlays/chromiumos-overlay/+/23013
Reviewed-by: Vaibhav Rustagi <vaibhavrustagi@google.com>
Tested-by: Cusky Presubmit Bot <presubmit@cos-infra-prod.iam.gserviceaccount.com>
Main-Branch-Verified: Cusky Presubmit Bot <presubmit@cos-infra-prod.iam.gserviceaccount.com>
diff --git a/app-crypt/nss/files/nss-3.44-CVE-2020-12403-set1.patch b/app-crypt/nss/files/nss-3.44-CVE-2020-12403-set1.patch
new file mode 100644
index 0000000..e96739f0
--- /dev/null
+++ b/app-crypt/nss/files/nss-3.44-CVE-2020-12403-set1.patch
@@ -0,0 +1,146 @@
+
+# HG changeset patch
+# User Benjamin Beurdouche <bbeurdouche@mozilla.com>
+# Date 1595031194 0
+# Node ID f282556e6cc7715f5754aeaadda6f902590e7e38
+# Parent 89733253df83ef7fe8dd0d49f6370b857e93d325
+Bug 1636771 - Disable PKCS11 incremental mode for ChaCha20. r=kjacobs,rrelyea
+
+Depends on D74801
+
+Differential Revision: https://phabricator.services.mozilla.com/D83994
+
+diff --git a/gtests/pk11_gtest/pk11_cipherop_unittest.cc b/gtests/pk11_gtest/pk11_cipherop_unittest.cc
+--- a/gtests/pk11_gtest/pk11_cipherop_unittest.cc
++++ b/gtests/pk11_gtest/pk11_cipherop_unittest.cc
+@@ -72,9 +72,58 @@ TEST(Pkcs11CipherOp, SingleCtxMultipleUn
+ ASSERT_EQ(GetBytes(ctx, outbuf, 17), SECSuccess);
+
+ PK11_FreeSymKey(key);
+ PK11_FreeSlot(slot);
+ PK11_DestroyContext(ctx, PR_TRUE);
+ NSS_ShutdownContext(globalctx);
+ }
+
++TEST(Pkcs11CipherOp, SingleCtxMultipleUnalignedCipherOpsChaCha20) {
++ PK11SlotInfo* slot;
++ PK11SymKey* key;
++ PK11Context* ctx;
++
++ NSSInitContext* globalctx =
++ NSS_InitContext("", "", "", "", NULL,
++ NSS_INIT_READONLY | NSS_INIT_NOCERTDB | NSS_INIT_NOMODDB |
++ NSS_INIT_FORCEOPEN | NSS_INIT_NOROOTINIT);
++
++ const CK_MECHANISM_TYPE cipher = CKM_NSS_CHACHA20_CTR;
++
++ slot = PK11_GetInternalSlot();
++ ASSERT_TRUE(slot);
++
++ // Use arbitrary bytes for the ChaCha20 key and IV
++ uint8_t key_bytes[32];
++ for (size_t i = 0; i < 32; i++) {
++ key_bytes[i] = i;
++ }
++ SECItem keyItem = {siBuffer, key_bytes, 32};
++
++ uint8_t iv_bytes[16];
++ for (size_t i = 0; i < 16; i++) {
++ key_bytes[i] = i;
++ }
++ SECItem ivItem = {siBuffer, iv_bytes, 16};
++
++ SECItem* param = PK11_ParamFromIV(cipher, &ivItem);
++
++ key = PK11_ImportSymKey(slot, cipher, PK11_OriginUnwrap, CKA_ENCRYPT,
++ &keyItem, NULL);
++ ctx = PK11_CreateContextBySymKey(cipher, CKA_ENCRYPT, key, param);
++ ASSERT_TRUE(key);
++ ASSERT_TRUE(ctx);
++
++ uint8_t outbuf[128];
++ // This is supposed to fail for Chacha20. This is because the underlying
++ // PK11_CipherOp operation is calling the C_EncryptUpdate function for
++ // which multi-part is disabled for ChaCha20 in counter mode.
++ ASSERT_EQ(GetBytes(ctx, outbuf, 7), SECFailure);
++
++ PK11_FreeSymKey(key);
++ PK11_FreeSlot(slot);
++ SECITEM_FreeItem(param, PR_TRUE);
++ PK11_DestroyContext(ctx, PR_TRUE);
++ NSS_ShutdownContext(globalctx);
++}
++
+ } // namespace nss_test
+diff --git a/gtests/pk11_gtest/pk11_cipherop_unittest.cc.org b/gtests/pk11_gtest/pk11_cipherop_unittest.cc
+index 38982fd..700750c 100644
+--- a/gtests/pk11_gtest/pk11_cipherop_unittest.cc.org
++++ b/gtests/pk11_gtest/pk11_cipherop_unittest.cc
+@@ -77,4 +77,53 @@ TEST(Pkcs11CipherOp, SingleCtxMultipleUnalignedCipherOps) {
+ NSS_ShutdownContext(globalctx);
+ }
+
++TEST(Pkcs11CipherOp, SingleCtxMultipleUnalignedCipherOpsChaCha20) {
++ PK11SlotInfo* slot;
++ PK11SymKey* key;
++ PK11Context* ctx;
++
++ NSSInitContext* globalctx =
++ NSS_InitContext("", "", "", "", NULL,
++ NSS_INIT_READONLY | NSS_INIT_NOCERTDB | NSS_INIT_NOMODDB |
++ NSS_INIT_FORCEOPEN | NSS_INIT_NOROOTINIT);
++
++ const CK_MECHANISM_TYPE cipher = CKM_NSS_CHACHA20_CTR;
++
++ slot = PK11_GetInternalSlot();
++ ASSERT_TRUE(slot);
++
++ // Use arbitrary bytes for the ChaCha20 key and IV
++ uint8_t key_bytes[32];
++ for (size_t i = 0; i < 32; i++) {
++ key_bytes[i] = i;
++ }
++ SECItem keyItem = {siBuffer, key_bytes, 32};
++
++ uint8_t iv_bytes[16];
++ for (size_t i = 0; i < 16; i++) {
++ key_bytes[i] = i;
++ }
++ SECItem ivItem = {siBuffer, iv_bytes, 16};
++
++ SECItem* param = PK11_ParamFromIV(cipher, &ivItem);
++
++ key = PK11_ImportSymKey(slot, cipher, PK11_OriginUnwrap, CKA_ENCRYPT,
++ &keyItem, NULL);
++ ctx = PK11_CreateContextBySymKey(cipher, CKA_ENCRYPT, key, param);
++ ASSERT_TRUE(key);
++ ASSERT_TRUE(ctx);
++
++ uint8_t outbuf[128];
++ // This is supposed to fail for Chacha20. This is because the underlying
++ // PK11_CipherOp operation is calling the C_EncryptUpdate function for
++ // which multi-part is disabled for ChaCha20 in counter mode.
++ ASSERT_EQ(GetBytes(ctx, outbuf, 7), SECFailure);
++
++ PK11_FreeSymKey(key);
++ PK11_FreeSlot(slot);
++ SECITEM_FreeItem(param, PR_TRUE);
++ PK11_DestroyContext(ctx, PR_TRUE);
++ NSS_ShutdownContext(globalctx);
++}
++
+ } // namespace nss_test
+
+diff --git a/lib/softoken/pkcs11c.c b/lib/softoken/pkcs11c.c
+index 003e2be..a3eecf5 100644
+--- a/lib/softoken/pkcs11c.c
++++ b/lib/softoken/pkcs11c.c
+@@ -1207,6 +1207,7 @@ sftk_CryptInit(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism,
+ break;
+
+ case CKM_NSS_CHACHA20_CTR:
++ context->multi = PR_FALSE;
+ if (key_type != CKK_NSS_CHACHA20) {
+ crv = CKR_KEY_TYPE_INCONSISTENT;
+ break;
+
diff --git a/app-crypt/nss/files/nss-3.44-CVE-2020-12403-set2.patch b/app-crypt/nss/files/nss-3.44-CVE-2020-12403-set2.patch
new file mode 100644
index 0000000..a116da4
--- /dev/null
+++ b/app-crypt/nss/files/nss-3.44-CVE-2020-12403-set2.patch
@@ -0,0 +1,54 @@
+
+# HG changeset patch
+# User Benjamin Beurdouche <bbeurdouche@mozilla.com>
+# Date 1595031218 0
+# Node ID c25adfdfab34ddb08d3262aac3242e3399de1095
+# Parent f282556e6cc7715f5754aeaadda6f902590e7e38
+Bug 1636771 - Fix incorrect call to Chacha20Poly1305 by PKCS11. r=jcj,kjacobs,rrelyea
+
+Differential Revision: https://phabricator.services.mozilla.com/D74801
+
+diff --git a/gtests/pk11_gtest/pk11_chacha20poly1305_unittest.cc b/gtests/pk11_gtest/pk11_chacha20poly1305_unittest.cc
+index a041947..a92c28a 100644
+--- a/gtests/pk11_gtest/pk11_chacha20poly1305_unittest.cc
++++ b/gtests/pk11_gtest/pk11_chacha20poly1305_unittest.cc
+@@ -44,7 +44,15 @@ class Pkcs11ChaCha20Poly1305Test
+ SECItem params = {siBuffer, reinterpret_cast<unsigned char*>(&aead_params),
+ sizeof(aead_params)};
+
+- // Encrypt.
++ // Encrypt with bad parameters (TagLen is too short).
++ aead_params.ulTagLen = 2;
++ rv = PK11_Encrypt(key.get(), kMech, ¶ms, encrypted.data(),
++ &encrypted_len, encrypted.size(), data, data_len);
++ EXPECT_EQ(SECFailure, rv);
++ EXPECT_EQ(0U, encrypted_len);
++
++ // Encrypt.
++ aead_params.ulTagLen = 16;
+ unsigned int outputLen = 0;
+ std::vector<uint8_t> output(data_len + aead_params.ulTagLen);
+ SECStatus rv = PK11_Encrypt(key.get(), kMech, ¶ms, output.data(),
+
+diff --git a/lib/freebl/chacha20poly1305.c b/lib/freebl/chacha20poly1305.c
+--- a/lib/freebl/chacha20poly1305.c
++++ b/lib/freebl/chacha20poly1305.c
+@@ -76,17 +76,17 @@ ChaCha20Poly1305_InitContext(ChaCha20Pol
+ {
+ #ifdef NSS_DISABLE_CHACHAPOLY
+ return SECFailure;
+ #else
+ if (keyLen != 32) {
+ PORT_SetError(SEC_ERROR_BAD_KEY);
+ return SECFailure;
+ }
+- if (tagLen == 0 || tagLen > 16) {
++ if (tagLen != 16) {
+ PORT_SetError(SEC_ERROR_INPUT_LEN);
+ return SECFailure;
+ }
+
+ PORT_Memcpy(ctx->key, key, sizeof(ctx->key));
+ ctx->tagLen = tagLen;
+
+ return SECSuccess;
diff --git a/app-crypt/nss/nss-3.44-r2.ebuild b/app-crypt/nss/nss-3.44-r2.ebuild
index 50019a4..09dbadf 100644
--- a/app-crypt/nss/nss-3.44-r2.ebuild
+++ b/app-crypt/nss/nss-3.44-r2.ebuild
@@ -40,6 +40,8 @@
"${FILESDIR}/${PN}-3.32-gentoo-fixups.patch"
"${FILESDIR}/${PN}-3.21-gentoo-fixup-warnings.patch"
"${FILESDIR}/${PN}-3.23-hppa-byte_order.patch"
+ "${FILESDIR}/${PN}-3.44-CVE-2020-12403-set1.patch"
+ "${FILESDIR}/${PN}-3.44-CVE-2020-12403-set2.patch"
)
src_unpack() {
diff --git a/app-crypt/nss/nss-3.44-r3.ebuild b/app-crypt/nss/nss-3.44-r4.ebuild
similarity index 100%
rename from app-crypt/nss/nss-3.44-r3.ebuild
rename to app-crypt/nss/nss-3.44-r4.ebuild
diff --git a/dev-libs/nss/files/nss-3.44-CVE-2020-12403-set1.patch b/dev-libs/nss/files/nss-3.44-CVE-2020-12403-set1.patch
new file mode 100644
index 0000000..e96739f0
--- /dev/null
+++ b/dev-libs/nss/files/nss-3.44-CVE-2020-12403-set1.patch
@@ -0,0 +1,146 @@
+
+# HG changeset patch
+# User Benjamin Beurdouche <bbeurdouche@mozilla.com>
+# Date 1595031194 0
+# Node ID f282556e6cc7715f5754aeaadda6f902590e7e38
+# Parent 89733253df83ef7fe8dd0d49f6370b857e93d325
+Bug 1636771 - Disable PKCS11 incremental mode for ChaCha20. r=kjacobs,rrelyea
+
+Depends on D74801
+
+Differential Revision: https://phabricator.services.mozilla.com/D83994
+
+diff --git a/gtests/pk11_gtest/pk11_cipherop_unittest.cc b/gtests/pk11_gtest/pk11_cipherop_unittest.cc
+--- a/gtests/pk11_gtest/pk11_cipherop_unittest.cc
++++ b/gtests/pk11_gtest/pk11_cipherop_unittest.cc
+@@ -72,9 +72,58 @@ TEST(Pkcs11CipherOp, SingleCtxMultipleUn
+ ASSERT_EQ(GetBytes(ctx, outbuf, 17), SECSuccess);
+
+ PK11_FreeSymKey(key);
+ PK11_FreeSlot(slot);
+ PK11_DestroyContext(ctx, PR_TRUE);
+ NSS_ShutdownContext(globalctx);
+ }
+
++TEST(Pkcs11CipherOp, SingleCtxMultipleUnalignedCipherOpsChaCha20) {
++ PK11SlotInfo* slot;
++ PK11SymKey* key;
++ PK11Context* ctx;
++
++ NSSInitContext* globalctx =
++ NSS_InitContext("", "", "", "", NULL,
++ NSS_INIT_READONLY | NSS_INIT_NOCERTDB | NSS_INIT_NOMODDB |
++ NSS_INIT_FORCEOPEN | NSS_INIT_NOROOTINIT);
++
++ const CK_MECHANISM_TYPE cipher = CKM_NSS_CHACHA20_CTR;
++
++ slot = PK11_GetInternalSlot();
++ ASSERT_TRUE(slot);
++
++ // Use arbitrary bytes for the ChaCha20 key and IV
++ uint8_t key_bytes[32];
++ for (size_t i = 0; i < 32; i++) {
++ key_bytes[i] = i;
++ }
++ SECItem keyItem = {siBuffer, key_bytes, 32};
++
++ uint8_t iv_bytes[16];
++ for (size_t i = 0; i < 16; i++) {
++ key_bytes[i] = i;
++ }
++ SECItem ivItem = {siBuffer, iv_bytes, 16};
++
++ SECItem* param = PK11_ParamFromIV(cipher, &ivItem);
++
++ key = PK11_ImportSymKey(slot, cipher, PK11_OriginUnwrap, CKA_ENCRYPT,
++ &keyItem, NULL);
++ ctx = PK11_CreateContextBySymKey(cipher, CKA_ENCRYPT, key, param);
++ ASSERT_TRUE(key);
++ ASSERT_TRUE(ctx);
++
++ uint8_t outbuf[128];
++ // This is supposed to fail for Chacha20. This is because the underlying
++ // PK11_CipherOp operation is calling the C_EncryptUpdate function for
++ // which multi-part is disabled for ChaCha20 in counter mode.
++ ASSERT_EQ(GetBytes(ctx, outbuf, 7), SECFailure);
++
++ PK11_FreeSymKey(key);
++ PK11_FreeSlot(slot);
++ SECITEM_FreeItem(param, PR_TRUE);
++ PK11_DestroyContext(ctx, PR_TRUE);
++ NSS_ShutdownContext(globalctx);
++}
++
+ } // namespace nss_test
+diff --git a/gtests/pk11_gtest/pk11_cipherop_unittest.cc.org b/gtests/pk11_gtest/pk11_cipherop_unittest.cc
+index 38982fd..700750c 100644
+--- a/gtests/pk11_gtest/pk11_cipherop_unittest.cc.org
++++ b/gtests/pk11_gtest/pk11_cipherop_unittest.cc
+@@ -77,4 +77,53 @@ TEST(Pkcs11CipherOp, SingleCtxMultipleUnalignedCipherOps) {
+ NSS_ShutdownContext(globalctx);
+ }
+
++TEST(Pkcs11CipherOp, SingleCtxMultipleUnalignedCipherOpsChaCha20) {
++ PK11SlotInfo* slot;
++ PK11SymKey* key;
++ PK11Context* ctx;
++
++ NSSInitContext* globalctx =
++ NSS_InitContext("", "", "", "", NULL,
++ NSS_INIT_READONLY | NSS_INIT_NOCERTDB | NSS_INIT_NOMODDB |
++ NSS_INIT_FORCEOPEN | NSS_INIT_NOROOTINIT);
++
++ const CK_MECHANISM_TYPE cipher = CKM_NSS_CHACHA20_CTR;
++
++ slot = PK11_GetInternalSlot();
++ ASSERT_TRUE(slot);
++
++ // Use arbitrary bytes for the ChaCha20 key and IV
++ uint8_t key_bytes[32];
++ for (size_t i = 0; i < 32; i++) {
++ key_bytes[i] = i;
++ }
++ SECItem keyItem = {siBuffer, key_bytes, 32};
++
++ uint8_t iv_bytes[16];
++ for (size_t i = 0; i < 16; i++) {
++ key_bytes[i] = i;
++ }
++ SECItem ivItem = {siBuffer, iv_bytes, 16};
++
++ SECItem* param = PK11_ParamFromIV(cipher, &ivItem);
++
++ key = PK11_ImportSymKey(slot, cipher, PK11_OriginUnwrap, CKA_ENCRYPT,
++ &keyItem, NULL);
++ ctx = PK11_CreateContextBySymKey(cipher, CKA_ENCRYPT, key, param);
++ ASSERT_TRUE(key);
++ ASSERT_TRUE(ctx);
++
++ uint8_t outbuf[128];
++ // This is supposed to fail for Chacha20. This is because the underlying
++ // PK11_CipherOp operation is calling the C_EncryptUpdate function for
++ // which multi-part is disabled for ChaCha20 in counter mode.
++ ASSERT_EQ(GetBytes(ctx, outbuf, 7), SECFailure);
++
++ PK11_FreeSymKey(key);
++ PK11_FreeSlot(slot);
++ SECITEM_FreeItem(param, PR_TRUE);
++ PK11_DestroyContext(ctx, PR_TRUE);
++ NSS_ShutdownContext(globalctx);
++}
++
+ } // namespace nss_test
+
+diff --git a/lib/softoken/pkcs11c.c b/lib/softoken/pkcs11c.c
+index 003e2be..a3eecf5 100644
+--- a/lib/softoken/pkcs11c.c
++++ b/lib/softoken/pkcs11c.c
+@@ -1207,6 +1207,7 @@ sftk_CryptInit(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism,
+ break;
+
+ case CKM_NSS_CHACHA20_CTR:
++ context->multi = PR_FALSE;
+ if (key_type != CKK_NSS_CHACHA20) {
+ crv = CKR_KEY_TYPE_INCONSISTENT;
+ break;
+
diff --git a/dev-libs/nss/files/nss-3.44-CVE-2020-12403-set2.patch b/dev-libs/nss/files/nss-3.44-CVE-2020-12403-set2.patch
new file mode 100644
index 0000000..a116da4
--- /dev/null
+++ b/dev-libs/nss/files/nss-3.44-CVE-2020-12403-set2.patch
@@ -0,0 +1,54 @@
+
+# HG changeset patch
+# User Benjamin Beurdouche <bbeurdouche@mozilla.com>
+# Date 1595031218 0
+# Node ID c25adfdfab34ddb08d3262aac3242e3399de1095
+# Parent f282556e6cc7715f5754aeaadda6f902590e7e38
+Bug 1636771 - Fix incorrect call to Chacha20Poly1305 by PKCS11. r=jcj,kjacobs,rrelyea
+
+Differential Revision: https://phabricator.services.mozilla.com/D74801
+
+diff --git a/gtests/pk11_gtest/pk11_chacha20poly1305_unittest.cc b/gtests/pk11_gtest/pk11_chacha20poly1305_unittest.cc
+index a041947..a92c28a 100644
+--- a/gtests/pk11_gtest/pk11_chacha20poly1305_unittest.cc
++++ b/gtests/pk11_gtest/pk11_chacha20poly1305_unittest.cc
+@@ -44,7 +44,15 @@ class Pkcs11ChaCha20Poly1305Test
+ SECItem params = {siBuffer, reinterpret_cast<unsigned char*>(&aead_params),
+ sizeof(aead_params)};
+
+- // Encrypt.
++ // Encrypt with bad parameters (TagLen is too short).
++ aead_params.ulTagLen = 2;
++ rv = PK11_Encrypt(key.get(), kMech, ¶ms, encrypted.data(),
++ &encrypted_len, encrypted.size(), data, data_len);
++ EXPECT_EQ(SECFailure, rv);
++ EXPECT_EQ(0U, encrypted_len);
++
++ // Encrypt.
++ aead_params.ulTagLen = 16;
+ unsigned int outputLen = 0;
+ std::vector<uint8_t> output(data_len + aead_params.ulTagLen);
+ SECStatus rv = PK11_Encrypt(key.get(), kMech, ¶ms, output.data(),
+
+diff --git a/lib/freebl/chacha20poly1305.c b/lib/freebl/chacha20poly1305.c
+--- a/lib/freebl/chacha20poly1305.c
++++ b/lib/freebl/chacha20poly1305.c
+@@ -76,17 +76,17 @@ ChaCha20Poly1305_InitContext(ChaCha20Pol
+ {
+ #ifdef NSS_DISABLE_CHACHAPOLY
+ return SECFailure;
+ #else
+ if (keyLen != 32) {
+ PORT_SetError(SEC_ERROR_BAD_KEY);
+ return SECFailure;
+ }
+- if (tagLen == 0 || tagLen > 16) {
++ if (tagLen != 16) {
+ PORT_SetError(SEC_ERROR_INPUT_LEN);
+ return SECFailure;
+ }
+
+ PORT_Memcpy(ctx->key, key, sizeof(ctx->key));
+ ctx->tagLen = tagLen;
+
+ return SECSuccess;
diff --git a/dev-libs/nss/nss-3.44-r2.ebuild b/dev-libs/nss/nss-3.44-r2.ebuild
index 52ab06f..5e2ab02 100644
--- a/dev-libs/nss/nss-3.44-r2.ebuild
+++ b/dev-libs/nss/nss-3.44-r2.ebuild
@@ -43,6 +43,8 @@
"${FILESDIR}/${PN}-3.32-gentoo-fixups.patch"
"${FILESDIR}/${PN}-3.21-gentoo-fixup-warnings.patch"
"${FILESDIR}/${PN}-3.23-hppa-byte_order.patch"
+ "${FILESDIR}/${PN}-3.44-CVE-2020-12403-set1.patch"
+ "${FILESDIR}/${PN}-3.44-CVE-2020-12403-set2.patch"
)
src_unpack() {
diff --git a/dev-libs/nss/nss-3.44-r6.ebuild b/dev-libs/nss/nss-3.44-r7.ebuild
similarity index 100%
rename from dev-libs/nss/nss-3.44-r6.ebuild
rename to dev-libs/nss/nss-3.44-r7.ebuild