Bug 1649545 - land NSS 615362dff5ad UPGRADE_NSS_RELEASE, r=jcj

2020-07-18  Benjamin Beurdouche  <bbeurdouche@mozilla.com>

	* gtests/pk11_gtest/pk11_cipherop_unittest.cc, lib/softoken/pkcs11c.c:
	Bug 1636771 - Disable PKCS11 incremental mode for ChaCha20.
	r=kjacobs,rrelyea

	Depends on D74801

	[615362dff5ad] [tip]

	* gtests/pk11_gtest/pk11_chacha20poly1305_unittest.cc,
	lib/freebl/chacha20poly1305.c:
	Bug 1636771 - Fix incorrect call to Chacha20Poly1305 by PKCS11.
	r=jcj,kjacobs,rrelyea

	[a5e82e40f03e]

2020-07-16  Benjamin Beurdouche  <bbeurdouche@mozilla.com>

	* lib/softoken/pkcs11c.c:
	Bug 1637222 - Enforce IV length check for DES. r=kjacobs,jcj

	[0c70232cb6d3]

Differential Revision: https://phabricator.services.mozilla.com/D84043

security/nss/TAG-INFO

@@ -1 +1 @@
-ca068f5b5c17
+615362dff5ad

security/nss/coreconf/coreconf.dep

@@ -10,4 +10,3 @@
  */
 
 #error "Do not include this header file."
-

security/nss/gtests/pk11_gtest/pk11_chacha20poly1305_unittest.cc

@@ -45,7 +45,7 @@ class Pkcs11ChaCha20Poly1305Test
     SECItem params = {siBuffer, reinterpret_cast<unsigned char*>(&aead_params),
                       sizeof(aead_params)};
 
-    // Encrypt with bad parameters.
+    // Encrypt with bad parameters (TagLen is too long).
     unsigned int encrypted_len = 0;
     std::vector<uint8_t> encrypted(data_len + aead_params.ulTagLen);
     aead_params.ulTagLen = 158072;
@@ -54,9 +54,16 @@ class Pkcs11ChaCha20Poly1305Test
                      &encrypted_len, encrypted.size(), data, data_len);
     EXPECT_EQ(SECFailure, rv);
     EXPECT_EQ(0U, encrypted_len);
-    aead_params.ulTagLen = 16;
+
+    // Encrypt with bad parameters (TagLen is too short).
+    aead_params.ulTagLen = 2;
+    rv = PK11_Encrypt(key.get(), kMech, &params, encrypted.data(),
+                      &encrypted_len, encrypted.size(), data, data_len);
+    EXPECT_EQ(SECFailure, rv);
+    EXPECT_EQ(0U, encrypted_len);
 
     // Encrypt.
+    aead_params.ulTagLen = 16;
     rv = PK11_Encrypt(key.get(), kMech, &params, encrypted.data(),
                       &encrypted_len, encrypted.size(), data, data_len);
 

security/nss/gtests/pk11_gtest/pk11_cipherop_unittest.cc

@@ -77,4 +77,53 @@ TEST(Pkcs11CipherOp, SingleCtxMultipleUnalignedCipherOps) {
   NSS_ShutdownContext(globalctx);
 }
 
+TEST(Pkcs11CipherOp, SingleCtxMultipleUnalignedCipherOpsChaCha20) {
+  PK11SlotInfo* slot;
+  PK11SymKey* key;
+  PK11Context* ctx;
+
+  NSSInitContext* globalctx =
+      NSS_InitContext("", "", "", "", NULL,
+                      NSS_INIT_READONLY | NSS_INIT_NOCERTDB | NSS_INIT_NOMODDB |
+                          NSS_INIT_FORCEOPEN | NSS_INIT_NOROOTINIT);
+
+  const CK_MECHANISM_TYPE cipher = CKM_NSS_CHACHA20_CTR;
+
+  slot = PK11_GetInternalSlot();
+  ASSERT_TRUE(slot);
+
+  // Use arbitrary bytes for the ChaCha20 key and IV
+  uint8_t key_bytes[32];
+  for (size_t i = 0; i < 32; i++) {
+    key_bytes[i] = i;
+  }
+  SECItem keyItem = {siBuffer, key_bytes, 32};
+
+  uint8_t iv_bytes[16];
+  for (size_t i = 0; i < 16; i++) {
+    key_bytes[i] = i;
+  }
+  SECItem ivItem = {siBuffer, iv_bytes, 16};
+
+  SECItem* param = PK11_ParamFromIV(cipher, &ivItem);
+
+  key = PK11_ImportSymKey(slot, cipher, PK11_OriginUnwrap, CKA_ENCRYPT,
+                          &keyItem, NULL);
+  ctx = PK11_CreateContextBySymKey(cipher, CKA_ENCRYPT, key, param);
+  ASSERT_TRUE(key);
+  ASSERT_TRUE(ctx);
+
+  uint8_t outbuf[128];
+  // This is supposed to fail for Chacha20. This is because the underlying
+  // PK11_CipherOp operation is calling the C_EncryptUpdate function for
+  // which multi-part is disabled for ChaCha20 in counter mode.
+  ASSERT_EQ(GetBytes(ctx, outbuf, 7), SECFailure);
+
+  PK11_FreeSymKey(key);
+  PK11_FreeSlot(slot);
+  SECITEM_FreeItem(param, PR_TRUE);
+  PK11_DestroyContext(ctx, PR_TRUE);
+  NSS_ShutdownContext(globalctx);
+}
+
 }  // namespace nss_test

security/nss/lib/freebl/chacha20poly1305.c

@@ -81,7 +81,7 @@ ChaCha20Poly1305_InitContext(ChaCha20Poly1305Context *ctx,
         PORT_SetError(SEC_ERROR_BAD_KEY);
         return SECFailure;
     }
-    if (tagLen == 0 || tagLen > 16) {
+    if (tagLen != 16) {
         PORT_SetError(SEC_ERROR_INPUT_LEN);
         return SECFailure;
     }

security/nss/lib/softoken/pkcs11c.c

@@ -984,10 +984,6 @@ sftk_CryptInit(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism,
                 crv = CKR_KEY_TYPE_INCONSISTENT;
                 break;
             }
-            if (pMechanism->ulParameterLen < 8) {
-                crv = CKR_DOMAIN_PARAMS_INVALID;
-                break;
-            }
             t = NSS_DES_CBC;
             goto finish_des;
         case CKM_DES3_ECB:
@@ -1005,12 +1001,13 @@ sftk_CryptInit(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism,
                 crv = CKR_KEY_TYPE_INCONSISTENT;
                 break;
             }
-            if (pMechanism->ulParameterLen < 8) {
+            t = NSS_DES_EDE3_CBC;
+        finish_des:
+            if ((t != NSS_DES && t != NSS_DES_EDE3) && (pMechanism->pParameter == NULL ||
+                                                        pMechanism->ulParameterLen < 8)) {
                 crv = CKR_DOMAIN_PARAMS_INVALID;
                 break;
             }
-            t = NSS_DES_EDE3_CBC;
-        finish_des:
             context->blockSize = 8;
             att = sftk_FindAttribute(key, CKA_VALUE);
             if (att == NULL) {
@@ -1259,6 +1256,7 @@ sftk_CryptInit(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism,
             unsigned char *nonce;
             unsigned long counter_len;
             unsigned long nonce_len;
+            context->multi = PR_FALSE;
             if (pMechanism->mechanism == CKM_NSS_CHACHA20_CTR) {
                 if (key_type != CKK_NSS_CHACHA20) {
                     crv = CKR_KEY_TYPE_INCONSISTENT;