chromiumos-overlay: dev-libs/nss, app-crypt/nss - Fix for CVE-2020-12403.

BUG=b/200992216
TEST=presubmit
RELEASE_NOTE=Fixed CVE-2020-12403.

cos-patch: security-moderate
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/overlays/chromiumos-overlay/+/3173713
Reviewed-by: Mike Frysinger <vapier@chromium.org>
Reviewed-by: Pavol Marko <pmarko@chromium.org>
Tested-by: Meena Shanmugam <meenashanmugam@google.com>
Commit-Queue: Meena Shanmugam <meenashanmugam@google.com>

Change-Id: I303c1e512ffc06487172c9e24d2fa1f0c8a33e8d
Reviewed-on: https://cos-review.googlesource.com/c/third_party/overlays/chromiumos-overlay/+/22590
Tested-by: Cusky Presubmit Bot <presubmit@cos-infra-prod.iam.gserviceaccount.com>
Reviewed-by: Roy Yang <royyang@google.com>
(cherry picked from commit 021e01b3d7664a1f88c4d33c85392c0d770e74f9)
Reviewed-on: https://cos-review.googlesource.com/c/third_party/overlays/chromiumos-overlay/+/22930
Reviewed-by: Vaibhav Rustagi <vaibhavrustagi@google.com>
Main-Branch-Verified: Cusky Presubmit Bot <presubmit@cos-infra-prod.iam.gserviceaccount.com>
diff --git a/app-crypt/nss/files/nss-3.44-CVE-2020-12403-set1.patch b/app-crypt/nss/files/nss-3.44-CVE-2020-12403-set1.patch
new file mode 100644
index 0000000..e96739f0
--- /dev/null
+++ b/app-crypt/nss/files/nss-3.44-CVE-2020-12403-set1.patch
@@ -0,0 +1,146 @@
+
+# HG changeset patch
+# User Benjamin Beurdouche <bbeurdouche@mozilla.com>
+# Date 1595031194 0
+# Node ID f282556e6cc7715f5754aeaadda6f902590e7e38
+# Parent  89733253df83ef7fe8dd0d49f6370b857e93d325
+Bug 1636771 - Disable PKCS11 incremental mode for ChaCha20. r=kjacobs,rrelyea
+
+Depends on D74801
+
+Differential Revision: https://phabricator.services.mozilla.com/D83994
+
+diff --git a/gtests/pk11_gtest/pk11_cipherop_unittest.cc b/gtests/pk11_gtest/pk11_cipherop_unittest.cc
+--- a/gtests/pk11_gtest/pk11_cipherop_unittest.cc
++++ b/gtests/pk11_gtest/pk11_cipherop_unittest.cc
+@@ -72,9 +72,58 @@ TEST(Pkcs11CipherOp, SingleCtxMultipleUn
+   ASSERT_EQ(GetBytes(ctx, outbuf, 17), SECSuccess);
+ 
+   PK11_FreeSymKey(key);
+   PK11_FreeSlot(slot);
+   PK11_DestroyContext(ctx, PR_TRUE);
+   NSS_ShutdownContext(globalctx);
+ }
+ 
++TEST(Pkcs11CipherOp, SingleCtxMultipleUnalignedCipherOpsChaCha20) {
++  PK11SlotInfo* slot;
++  PK11SymKey* key;
++  PK11Context* ctx;
++
++  NSSInitContext* globalctx =
++      NSS_InitContext("", "", "", "", NULL,
++                      NSS_INIT_READONLY | NSS_INIT_NOCERTDB | NSS_INIT_NOMODDB |
++                          NSS_INIT_FORCEOPEN | NSS_INIT_NOROOTINIT);
++
++  const CK_MECHANISM_TYPE cipher = CKM_NSS_CHACHA20_CTR;
++
++  slot = PK11_GetInternalSlot();
++  ASSERT_TRUE(slot);
++
++  // Use arbitrary bytes for the ChaCha20 key and IV
++  uint8_t key_bytes[32];
++  for (size_t i = 0; i < 32; i++) {
++    key_bytes[i] = i;
++  }
++  SECItem keyItem = {siBuffer, key_bytes, 32};
++
++  uint8_t iv_bytes[16];
++  for (size_t i = 0; i < 16; i++) {
++    key_bytes[i] = i;
++  }
++  SECItem ivItem = {siBuffer, iv_bytes, 16};
++
++  SECItem* param = PK11_ParamFromIV(cipher, &ivItem);
++
++  key = PK11_ImportSymKey(slot, cipher, PK11_OriginUnwrap, CKA_ENCRYPT,
++                          &keyItem, NULL);
++  ctx = PK11_CreateContextBySymKey(cipher, CKA_ENCRYPT, key, param);
++  ASSERT_TRUE(key);
++  ASSERT_TRUE(ctx);
++
++  uint8_t outbuf[128];
++  // This is supposed to fail for Chacha20. This is because the underlying
++  // PK11_CipherOp operation is calling the C_EncryptUpdate function for
++  // which multi-part is disabled for ChaCha20 in counter mode.
++  ASSERT_EQ(GetBytes(ctx, outbuf, 7), SECFailure);
++
++  PK11_FreeSymKey(key);
++  PK11_FreeSlot(slot);
++  SECITEM_FreeItem(param, PR_TRUE);
++  PK11_DestroyContext(ctx, PR_TRUE);
++  NSS_ShutdownContext(globalctx);
++}
++
+ }  // namespace nss_test
+diff --git a/gtests/pk11_gtest/pk11_cipherop_unittest.cc.org b/gtests/pk11_gtest/pk11_cipherop_unittest.cc
+index 38982fd..700750c 100644
+--- a/gtests/pk11_gtest/pk11_cipherop_unittest.cc.org
++++ b/gtests/pk11_gtest/pk11_cipherop_unittest.cc
+@@ -77,4 +77,53 @@ TEST(Pkcs11CipherOp, SingleCtxMultipleUnalignedCipherOps) {
+   NSS_ShutdownContext(globalctx);
+ }
+ 
++TEST(Pkcs11CipherOp, SingleCtxMultipleUnalignedCipherOpsChaCha20) {
++  PK11SlotInfo* slot;
++  PK11SymKey* key;
++  PK11Context* ctx;
++
++  NSSInitContext* globalctx =
++      NSS_InitContext("", "", "", "", NULL,
++                      NSS_INIT_READONLY | NSS_INIT_NOCERTDB | NSS_INIT_NOMODDB |
++                          NSS_INIT_FORCEOPEN | NSS_INIT_NOROOTINIT);
++
++  const CK_MECHANISM_TYPE cipher = CKM_NSS_CHACHA20_CTR;
++
++  slot = PK11_GetInternalSlot();
++  ASSERT_TRUE(slot);
++
++  // Use arbitrary bytes for the ChaCha20 key and IV
++  uint8_t key_bytes[32];
++  for (size_t i = 0; i < 32; i++) {
++    key_bytes[i] = i;
++  }
++  SECItem keyItem = {siBuffer, key_bytes, 32};
++
++  uint8_t iv_bytes[16];
++  for (size_t i = 0; i < 16; i++) {
++    key_bytes[i] = i;
++  }
++  SECItem ivItem = {siBuffer, iv_bytes, 16};
++
++  SECItem* param = PK11_ParamFromIV(cipher, &ivItem);
++
++  key = PK11_ImportSymKey(slot, cipher, PK11_OriginUnwrap, CKA_ENCRYPT,
++                          &keyItem, NULL);
++  ctx = PK11_CreateContextBySymKey(cipher, CKA_ENCRYPT, key, param);
++  ASSERT_TRUE(key);
++  ASSERT_TRUE(ctx);
++
++  uint8_t outbuf[128];
++  // This is supposed to fail for Chacha20. This is because the underlying
++  // PK11_CipherOp operation is calling the C_EncryptUpdate function for
++  // which multi-part is disabled for ChaCha20 in counter mode.
++  ASSERT_EQ(GetBytes(ctx, outbuf, 7), SECFailure);
++
++  PK11_FreeSymKey(key);
++  PK11_FreeSlot(slot);
++  SECITEM_FreeItem(param, PR_TRUE);
++  PK11_DestroyContext(ctx, PR_TRUE);
++  NSS_ShutdownContext(globalctx);
++}
++
+ }  // namespace nss_test
+
+diff --git a/lib/softoken/pkcs11c.c b/lib/softoken/pkcs11c.c
+index 003e2be..a3eecf5 100644
+--- a/lib/softoken/pkcs11c.c
++++ b/lib/softoken/pkcs11c.c
+@@ -1207,6 +1207,7 @@ sftk_CryptInit(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism,
+             break;
+
+         case CKM_NSS_CHACHA20_CTR:
++           context->multi = PR_FALSE;
+             if (key_type != CKK_NSS_CHACHA20) {
+                 crv = CKR_KEY_TYPE_INCONSISTENT;
+                 break;
+
diff --git a/app-crypt/nss/files/nss-3.44-CVE-2020-12403-set2.patch b/app-crypt/nss/files/nss-3.44-CVE-2020-12403-set2.patch
new file mode 100644
index 0000000..a116da4
--- /dev/null
+++ b/app-crypt/nss/files/nss-3.44-CVE-2020-12403-set2.patch
@@ -0,0 +1,54 @@
+
+# HG changeset patch
+# User Benjamin Beurdouche <bbeurdouche@mozilla.com>
+# Date 1595031218 0
+# Node ID c25adfdfab34ddb08d3262aac3242e3399de1095
+# Parent  f282556e6cc7715f5754aeaadda6f902590e7e38
+Bug 1636771 - Fix incorrect call to Chacha20Poly1305 by PKCS11. r=jcj,kjacobs,rrelyea
+
+Differential Revision: https://phabricator.services.mozilla.com/D74801
+
+diff --git a/gtests/pk11_gtest/pk11_chacha20poly1305_unittest.cc b/gtests/pk11_gtest/pk11_chacha20poly1305_unittest.cc
+index a041947..a92c28a 100644
+--- a/gtests/pk11_gtest/pk11_chacha20poly1305_unittest.cc
++++ b/gtests/pk11_gtest/pk11_chacha20poly1305_unittest.cc
+@@ -44,7 +44,15 @@ class Pkcs11ChaCha20Poly1305Test
+     SECItem params = {siBuffer, reinterpret_cast<unsigned char*>(&aead_params),
+                       sizeof(aead_params)};
+ 
+-    // Encrypt.
++    // Encrypt with bad parameters (TagLen is too short).
++    aead_params.ulTagLen = 2;
++    rv = PK11_Encrypt(key.get(), kMech, &params, encrypted.data(),
++                      &encrypted_len, encrypted.size(), data, data_len);
++    EXPECT_EQ(SECFailure, rv);
++    EXPECT_EQ(0U, encrypted_len);
++
++     // Encrypt.
++    aead_params.ulTagLen = 16;
+     unsigned int outputLen = 0;
+     std::vector<uint8_t> output(data_len + aead_params.ulTagLen);
+     SECStatus rv = PK11_Encrypt(key.get(), kMech, &params, output.data(),
+
+diff --git a/lib/freebl/chacha20poly1305.c b/lib/freebl/chacha20poly1305.c
+--- a/lib/freebl/chacha20poly1305.c
++++ b/lib/freebl/chacha20poly1305.c
+@@ -76,17 +76,17 @@ ChaCha20Poly1305_InitContext(ChaCha20Pol
+ {
+ #ifdef NSS_DISABLE_CHACHAPOLY
+     return SECFailure;
+ #else
+     if (keyLen != 32) {
+         PORT_SetError(SEC_ERROR_BAD_KEY);
+         return SECFailure;
+     }
+-    if (tagLen == 0 || tagLen > 16) {
++    if (tagLen != 16) {
+         PORT_SetError(SEC_ERROR_INPUT_LEN);
+         return SECFailure;
+     }
+ 
+     PORT_Memcpy(ctx->key, key, sizeof(ctx->key));
+     ctx->tagLen = tagLen;
+ 
+     return SECSuccess;
diff --git a/app-crypt/nss/nss-3.44-r2.ebuild b/app-crypt/nss/nss-3.44-r2.ebuild
index 794fbfa..c5365d7 100644
--- a/app-crypt/nss/nss-3.44-r2.ebuild
+++ b/app-crypt/nss/nss-3.44-r2.ebuild
@@ -41,6 +41,8 @@
 	"${FILESDIR}/${PN}-3.21-gentoo-fixup-warnings.patch"
 	"${FILESDIR}/${PN}-3.23-hppa-byte_order.patch"
 	"${FILESDIR}/${PN}-3.44-prefer-writable-tokens-for-trust.patch"
+	"${FILESDIR}/${PN}-3.44-CVE-2020-12403-set1.patch"
+	"${FILESDIR}/${PN}-3.44-CVE-2020-12403-set2.patch"
 )
 
 src_unpack() {
diff --git a/app-crypt/nss/nss-3.44-r4.ebuild b/app-crypt/nss/nss-3.44-r5.ebuild
similarity index 100%
rename from app-crypt/nss/nss-3.44-r4.ebuild
rename to app-crypt/nss/nss-3.44-r5.ebuild
diff --git a/dev-libs/nss/files/nss-3.44-CVE-2020-12403-set1.patch b/dev-libs/nss/files/nss-3.44-CVE-2020-12403-set1.patch
new file mode 100644
index 0000000..e96739f0
--- /dev/null
+++ b/dev-libs/nss/files/nss-3.44-CVE-2020-12403-set1.patch
@@ -0,0 +1,146 @@
+
+# HG changeset patch
+# User Benjamin Beurdouche <bbeurdouche@mozilla.com>
+# Date 1595031194 0
+# Node ID f282556e6cc7715f5754aeaadda6f902590e7e38
+# Parent  89733253df83ef7fe8dd0d49f6370b857e93d325
+Bug 1636771 - Disable PKCS11 incremental mode for ChaCha20. r=kjacobs,rrelyea
+
+Depends on D74801
+
+Differential Revision: https://phabricator.services.mozilla.com/D83994
+
+diff --git a/gtests/pk11_gtest/pk11_cipherop_unittest.cc b/gtests/pk11_gtest/pk11_cipherop_unittest.cc
+--- a/gtests/pk11_gtest/pk11_cipherop_unittest.cc
++++ b/gtests/pk11_gtest/pk11_cipherop_unittest.cc
+@@ -72,9 +72,58 @@ TEST(Pkcs11CipherOp, SingleCtxMultipleUn
+   ASSERT_EQ(GetBytes(ctx, outbuf, 17), SECSuccess);
+ 
+   PK11_FreeSymKey(key);
+   PK11_FreeSlot(slot);
+   PK11_DestroyContext(ctx, PR_TRUE);
+   NSS_ShutdownContext(globalctx);
+ }
+ 
++TEST(Pkcs11CipherOp, SingleCtxMultipleUnalignedCipherOpsChaCha20) {
++  PK11SlotInfo* slot;
++  PK11SymKey* key;
++  PK11Context* ctx;
++
++  NSSInitContext* globalctx =
++      NSS_InitContext("", "", "", "", NULL,
++                      NSS_INIT_READONLY | NSS_INIT_NOCERTDB | NSS_INIT_NOMODDB |
++                          NSS_INIT_FORCEOPEN | NSS_INIT_NOROOTINIT);
++
++  const CK_MECHANISM_TYPE cipher = CKM_NSS_CHACHA20_CTR;
++
++  slot = PK11_GetInternalSlot();
++  ASSERT_TRUE(slot);
++
++  // Use arbitrary bytes for the ChaCha20 key and IV
++  uint8_t key_bytes[32];
++  for (size_t i = 0; i < 32; i++) {
++    key_bytes[i] = i;
++  }
++  SECItem keyItem = {siBuffer, key_bytes, 32};
++
++  uint8_t iv_bytes[16];
++  for (size_t i = 0; i < 16; i++) {
++    key_bytes[i] = i;
++  }
++  SECItem ivItem = {siBuffer, iv_bytes, 16};
++
++  SECItem* param = PK11_ParamFromIV(cipher, &ivItem);
++
++  key = PK11_ImportSymKey(slot, cipher, PK11_OriginUnwrap, CKA_ENCRYPT,
++                          &keyItem, NULL);
++  ctx = PK11_CreateContextBySymKey(cipher, CKA_ENCRYPT, key, param);
++  ASSERT_TRUE(key);
++  ASSERT_TRUE(ctx);
++
++  uint8_t outbuf[128];
++  // This is supposed to fail for Chacha20. This is because the underlying
++  // PK11_CipherOp operation is calling the C_EncryptUpdate function for
++  // which multi-part is disabled for ChaCha20 in counter mode.
++  ASSERT_EQ(GetBytes(ctx, outbuf, 7), SECFailure);
++
++  PK11_FreeSymKey(key);
++  PK11_FreeSlot(slot);
++  SECITEM_FreeItem(param, PR_TRUE);
++  PK11_DestroyContext(ctx, PR_TRUE);
++  NSS_ShutdownContext(globalctx);
++}
++
+ }  // namespace nss_test
+diff --git a/gtests/pk11_gtest/pk11_cipherop_unittest.cc.org b/gtests/pk11_gtest/pk11_cipherop_unittest.cc
+index 38982fd..700750c 100644
+--- a/gtests/pk11_gtest/pk11_cipherop_unittest.cc.org
++++ b/gtests/pk11_gtest/pk11_cipherop_unittest.cc
+@@ -77,4 +77,53 @@ TEST(Pkcs11CipherOp, SingleCtxMultipleUnalignedCipherOps) {
+   NSS_ShutdownContext(globalctx);
+ }
+ 
++TEST(Pkcs11CipherOp, SingleCtxMultipleUnalignedCipherOpsChaCha20) {
++  PK11SlotInfo* slot;
++  PK11SymKey* key;
++  PK11Context* ctx;
++
++  NSSInitContext* globalctx =
++      NSS_InitContext("", "", "", "", NULL,
++                      NSS_INIT_READONLY | NSS_INIT_NOCERTDB | NSS_INIT_NOMODDB |
++                          NSS_INIT_FORCEOPEN | NSS_INIT_NOROOTINIT);
++
++  const CK_MECHANISM_TYPE cipher = CKM_NSS_CHACHA20_CTR;
++
++  slot = PK11_GetInternalSlot();
++  ASSERT_TRUE(slot);
++
++  // Use arbitrary bytes for the ChaCha20 key and IV
++  uint8_t key_bytes[32];
++  for (size_t i = 0; i < 32; i++) {
++    key_bytes[i] = i;
++  }
++  SECItem keyItem = {siBuffer, key_bytes, 32};
++
++  uint8_t iv_bytes[16];
++  for (size_t i = 0; i < 16; i++) {
++    key_bytes[i] = i;
++  }
++  SECItem ivItem = {siBuffer, iv_bytes, 16};
++
++  SECItem* param = PK11_ParamFromIV(cipher, &ivItem);
++
++  key = PK11_ImportSymKey(slot, cipher, PK11_OriginUnwrap, CKA_ENCRYPT,
++                          &keyItem, NULL);
++  ctx = PK11_CreateContextBySymKey(cipher, CKA_ENCRYPT, key, param);
++  ASSERT_TRUE(key);
++  ASSERT_TRUE(ctx);
++
++  uint8_t outbuf[128];
++  // This is supposed to fail for Chacha20. This is because the underlying
++  // PK11_CipherOp operation is calling the C_EncryptUpdate function for
++  // which multi-part is disabled for ChaCha20 in counter mode.
++  ASSERT_EQ(GetBytes(ctx, outbuf, 7), SECFailure);
++
++  PK11_FreeSymKey(key);
++  PK11_FreeSlot(slot);
++  SECITEM_FreeItem(param, PR_TRUE);
++  PK11_DestroyContext(ctx, PR_TRUE);
++  NSS_ShutdownContext(globalctx);
++}
++
+ }  // namespace nss_test
+
+diff --git a/lib/softoken/pkcs11c.c b/lib/softoken/pkcs11c.c
+index 003e2be..a3eecf5 100644
+--- a/lib/softoken/pkcs11c.c
++++ b/lib/softoken/pkcs11c.c
+@@ -1207,6 +1207,7 @@ sftk_CryptInit(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism,
+             break;
+
+         case CKM_NSS_CHACHA20_CTR:
++           context->multi = PR_FALSE;
+             if (key_type != CKK_NSS_CHACHA20) {
+                 crv = CKR_KEY_TYPE_INCONSISTENT;
+                 break;
+
diff --git a/dev-libs/nss/files/nss-3.44-CVE-2020-12403-set2.patch b/dev-libs/nss/files/nss-3.44-CVE-2020-12403-set2.patch
new file mode 100644
index 0000000..a116da4
--- /dev/null
+++ b/dev-libs/nss/files/nss-3.44-CVE-2020-12403-set2.patch
@@ -0,0 +1,54 @@
+
+# HG changeset patch
+# User Benjamin Beurdouche <bbeurdouche@mozilla.com>
+# Date 1595031218 0
+# Node ID c25adfdfab34ddb08d3262aac3242e3399de1095
+# Parent  f282556e6cc7715f5754aeaadda6f902590e7e38
+Bug 1636771 - Fix incorrect call to Chacha20Poly1305 by PKCS11. r=jcj,kjacobs,rrelyea
+
+Differential Revision: https://phabricator.services.mozilla.com/D74801
+
+diff --git a/gtests/pk11_gtest/pk11_chacha20poly1305_unittest.cc b/gtests/pk11_gtest/pk11_chacha20poly1305_unittest.cc
+index a041947..a92c28a 100644
+--- a/gtests/pk11_gtest/pk11_chacha20poly1305_unittest.cc
++++ b/gtests/pk11_gtest/pk11_chacha20poly1305_unittest.cc
+@@ -44,7 +44,15 @@ class Pkcs11ChaCha20Poly1305Test
+     SECItem params = {siBuffer, reinterpret_cast<unsigned char*>(&aead_params),
+                       sizeof(aead_params)};
+ 
+-    // Encrypt.
++    // Encrypt with bad parameters (TagLen is too short).
++    aead_params.ulTagLen = 2;
++    rv = PK11_Encrypt(key.get(), kMech, &params, encrypted.data(),
++                      &encrypted_len, encrypted.size(), data, data_len);
++    EXPECT_EQ(SECFailure, rv);
++    EXPECT_EQ(0U, encrypted_len);
++
++     // Encrypt.
++    aead_params.ulTagLen = 16;
+     unsigned int outputLen = 0;
+     std::vector<uint8_t> output(data_len + aead_params.ulTagLen);
+     SECStatus rv = PK11_Encrypt(key.get(), kMech, &params, output.data(),
+
+diff --git a/lib/freebl/chacha20poly1305.c b/lib/freebl/chacha20poly1305.c
+--- a/lib/freebl/chacha20poly1305.c
++++ b/lib/freebl/chacha20poly1305.c
+@@ -76,17 +76,17 @@ ChaCha20Poly1305_InitContext(ChaCha20Pol
+ {
+ #ifdef NSS_DISABLE_CHACHAPOLY
+     return SECFailure;
+ #else
+     if (keyLen != 32) {
+         PORT_SetError(SEC_ERROR_BAD_KEY);
+         return SECFailure;
+     }
+-    if (tagLen == 0 || tagLen > 16) {
++    if (tagLen != 16) {
+         PORT_SetError(SEC_ERROR_INPUT_LEN);
+         return SECFailure;
+     }
+ 
+     PORT_Memcpy(ctx->key, key, sizeof(ctx->key));
+     ctx->tagLen = tagLen;
+ 
+     return SECSuccess;
diff --git a/dev-libs/nss/nss-3.44-r2.ebuild b/dev-libs/nss/nss-3.44-r2.ebuild
index 27489d5..8cbadb1 100644
--- a/dev-libs/nss/nss-3.44-r2.ebuild
+++ b/dev-libs/nss/nss-3.44-r2.ebuild
@@ -44,6 +44,8 @@
 	"${FILESDIR}/${PN}-3.21-gentoo-fixup-warnings.patch"
 	"${FILESDIR}/${PN}-3.23-hppa-byte_order.patch"
 	"${FILESDIR}/${PN}-3.44-prefer-writable-tokens-for-trust.patch"
+	"${FILESDIR}/${PN}-3.44-CVE-2020-12403-set1.patch"
+	"${FILESDIR}/${PN}-3.44-CVE-2020-12403-set2.patch"
 )
 
 src_unpack() {
diff --git a/dev-libs/nss/nss-3.44-r7.ebuild b/dev-libs/nss/nss-3.44-r8.ebuild
similarity index 100%
rename from dev-libs/nss/nss-3.44-r7.ebuild
rename to dev-libs/nss/nss-3.44-r8.ebuild