From ec27c0de4e9c1054f2d7faed2dae910ef5b88f17 Mon Sep 17 00:00:00 2001 From: "rsleevi@chromium.org" Date: Mon, 1 Jul 2013 23:23:37 +0000 Subject: Revert 209515 "Reland http://crrev.com/209278" > Reland http://crrev.com/209278 > > Update dependency to NSS >= 3.14.3 and NSPR >= 4.9.2 > > Technically NSS 3.14.3 depends on NSPR 4.9.5, but Debian stable still > ships 4.9.2 on stable, so this is the lower bound. > > 3.14.3 contains a number of important security fixes, and support for > older systems is no longer desirable. > > BUG=245370 > TBR=thestig@chromium.org, wtc@chromium.org > > Review URL: https://chromiumcodereview.appspot.com/18332012 TBR=rsleevi@chromium.org Review URL: https://codereview.chromium.org/18414004 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@209534 0039d316-1c4b-4281-b951-d872f2087c98 --- chrome/installer/linux/debian/build.sh | 2 +- chrome/installer/linux/debian/expected_deps | 4 +- chrome/installer/linux/rpm/build.sh | 2 +- crypto/nss_util.cc | 18 ++++--- crypto/signature_creator_nss.cc | 6 ++- net/cert/cert_verify_proc_nss.cc | 29 +++++++++++ net/socket/ssl_client_socket_nss.cc | 25 ++++++++-- net/third_party/nss/README.chromium | 4 ++ net/third_party/nss/patches/aes256keylength.patch | 15 ++++++ net/third_party/nss/patches/applypatches.sh | 2 + net/third_party/nss/ssl.gyp | 1 + net/third_party/nss/ssl/bodge/secure_memcmp.c | 59 +++++++++++++++++++++++ net/third_party/nss/ssl/sslsnce.c | 5 ++ 13 files changed, 156 insertions(+), 16 deletions(-) create mode 100644 net/third_party/nss/patches/aes256keylength.patch create mode 100644 net/third_party/nss/ssl/bodge/secure_memcmp.c diff --git a/chrome/installer/linux/debian/build.sh b/chrome/installer/linux/debian/build.sh index 48df8e9..d9d98a1 100755 --- a/chrome/installer/linux/debian/build.sh +++ b/chrome/installer/linux/debian/build.sh @@ -295,7 +295,7 @@ ADDITION_DEPS="ca-certificates, libcurl3, \ # exists, but it was moved to "universe" repository, which isn't installed by # default). DPKG_SHLIB_DEPS=$(sed \ - 's/\(libnspr4-0d ([^)]*)\), /\1 | libnspr4 (>= 4.9.5-0ubuntu0), /g' \ + 's/\(libnspr4-0d ([^)]*)\), /\1 | libnspr4 (>= 4.8.7-0ubuntu1), /g' \ <<< $DPKG_SHLIB_DEPS) # Fix-up libudev dependency because Ubuntu 13.04 has libudev1 instead of diff --git a/chrome/installer/linux/debian/expected_deps b/chrome/installer/linux/debian/expected_deps index 2668316..0e16912 100644 --- a/chrome/installer/linux/debian/expected_deps +++ b/chrome/installer/linux/debian/expected_deps @@ -14,8 +14,8 @@ libgcrypt11 (>= 1.4.5) libgdk-pixbuf2.0-0 (>= 2.22.0) libglib2.0-0 (>= 2.18.0) libgtk2.0-0 (>= 2.24.0) -libnspr4 (>= 4.9.2) -libnss3 (>= 3.14.3) +libnspr4 (>= 1.8.0.10) +libnss3 (>= 3.12.6) libpango1.0-0 (>= 1.22.0) libstdc++6 (>= 4.6) libudev0 (>= 147) diff --git a/chrome/installer/linux/rpm/build.sh b/chrome/installer/linux/rpm/build.sh index 7134e59..544a46a 100755 --- a/chrome/installer/linux/rpm/build.sh +++ b/chrome/installer/linux/rpm/build.sh @@ -124,7 +124,7 @@ do_package() { # https://bugzilla.novell.com/show_bug.cgi?id=556248 DEPENDS="lsb >= 4.0, \ libcurl.so.4${EMPTY_VERSION}${PKG_ARCH}, \ - libnss3.so(NSS_3.14.3)${PKG_ARCH}, \ + libnss3.so(NSS_3.12.3)${PKG_ARCH}, \ wget, \ xdg-utils, \ zlib, \ diff --git a/crypto/nss_util.cc b/crypto/nss_util.cc index 52bb054..850d47d 100644 --- a/crypto/nss_util.cc +++ b/crypto/nss_util.cc @@ -384,17 +384,23 @@ class NSSInitSingleton { base::TimeTicks start_time = base::TimeTicks::Now(); EnsureNSPRInit(); - // We *must* have NSS >= 3.14.3. + // We *must* have NSS >= 3.12.3. See bug 26448. COMPILE_ASSERT( - (NSS_VMAJOR == 3 && NSS_VMINOR == 14 && NSS_VPATCH >= 3) || - (NSS_VMAJOR == 3 && NSS_VMINOR > 14) || + (NSS_VMAJOR == 3 && NSS_VMINOR == 12 && NSS_VPATCH >= 3) || + (NSS_VMAJOR == 3 && NSS_VMINOR > 12) || (NSS_VMAJOR > 3), nss_version_check_failed); // Also check the run-time NSS version. // NSS_VersionCheck is a >= check, not strict equality. - if (!NSS_VersionCheck("3.14.3")) { - LOG(FATAL) << "NSS_VersionCheck(\"3.14.3\") failed. NSS >= 3.14.3 is " - "required. Please upgrade to the latest NSS, and if you " + if (!NSS_VersionCheck("3.12.3")) { + // It turns out many people have misconfigured NSS setups, where + // their run-time NSPR doesn't match the one their NSS was compiled + // against. So rather than aborting, complain loudly. + LOG(ERROR) << "NSS_VersionCheck(\"3.12.3\") failed. " + "We depend on NSS >= 3.12.3, and this error is not fatal " + "only because many people have busted NSS setups (for " + "example, using the wrong version of NSPR). " + "Please upgrade to the latest NSS and NSPR, and if you " "still get this error, contact your distribution " "maintainer."; } diff --git a/crypto/signature_creator_nss.cc b/crypto/signature_creator_nss.cc index 82e4444..3a30efb 100644 --- a/crypto/signature_creator_nss.cc +++ b/crypto/signature_creator_nss.cc @@ -44,7 +44,11 @@ SignatureCreator* SignatureCreator::Create(RSAPrivateKey* key) { } bool SignatureCreator::Update(const uint8* data_part, int data_part_len) { - SECStatus rv = SGN_Update(sign_context_, data_part, data_part_len); + // TODO(wtc): Remove this const_cast when we require NSS 3.12.5. + // See NSS bug https://bugzilla.mozilla.org/show_bug.cgi?id=518255 + SECStatus rv = SGN_Update(sign_context_, + const_cast(data_part), + data_part_len); if (rv != SECSuccess) { NOTREACHED(); return false; diff --git a/net/cert/cert_verify_proc_nss.cc b/net/cert/cert_verify_proc_nss.cc index c3b3ae8..2a944e6 100644 --- a/net/cert/cert_verify_proc_nss.cc +++ b/net/cert/cert_verify_proc_nss.cc @@ -158,6 +158,10 @@ CertStatus MapCertErrorToCertStatus(int err) { void GetCertChainInfo(CERTCertList* cert_list, CERTCertificate* root_cert, CertVerifyResult* verify_result) { + // NOTE: Using a NSS library before 3.12.3.1 will crash below. To see the + // NSS version currently in use: + // 1. use ldd on the chrome executable for NSS's location (ie. libnss3.so*) + // 2. use ident libnss3.so* for the library's version DCHECK(cert_list); CERTCertificate* verified_cert = NULL; @@ -342,6 +346,31 @@ SECStatus PKIXVerifyCert(CERTCertificate* cert_handle, bool use_crl = check_revocation; bool use_ocsp = check_revocation; + // These CAs have multiple keys, which trigger two bugs in NSS's CRL code. + // 1. NSS may use one key to verify a CRL signed with another key, + // incorrectly concluding that the CRL's signature is invalid. + // Hopefully this bug will be fixed in NSS 3.12.9. + // 2. NSS considers all certificates issued by the CA as revoked when it + // receives a CRL with an invalid signature. This overly strict policy + // has been relaxed in NSS 3.12.7. See + // https://bugzilla.mozilla.org/show_bug.cgi?id=562542. + // So we have to turn off CRL checking for these CAs. See + // http://crbug.com/55695. + static const char* const kMultipleKeyCA[] = { + "CN=Microsoft Secure Server Authority," + "DC=redmond,DC=corp,DC=microsoft,DC=com", + "CN=Microsoft Secure Server Authority", + }; + + if (!NSS_VersionCheck("3.12.7")) { + for (size_t i = 0; i < arraysize(kMultipleKeyCA); ++i) { + if (strcmp(cert_handle->issuerName, kMultipleKeyCA[i]) == 0) { + use_crl = false; + break; + } + } + } + PRUint64 revocation_method_flags = CERT_REV_M_DO_NOT_TEST_USING_THIS_METHOD | CERT_REV_M_ALLOW_NETWORK_FETCHING | diff --git a/net/socket/ssl_client_socket_nss.cc b/net/socket/ssl_client_socket_nss.cc index ca71836..bffadfa 100644 --- a/net/socket/ssl_client_socket_nss.cc +++ b/net/socket/ssl_client_socket_nss.cc @@ -1274,6 +1274,7 @@ SECStatus SSLClientSocketNSS::Core::OwnAuthCertHandler( PRFileDesc* socket, PRBool checksig, PRBool is_server) { +#ifdef SSL_ENABLE_FALSE_START Core* core = reinterpret_cast(arg); if (!core->handshake_callback_called_) { // Only need to turn off False Start in the initial handshake. Also, it is @@ -1290,6 +1291,7 @@ SECStatus SSLClientSocketNSS::Core::OwnAuthCertHandler( SSL_OptionSet(socket, SSL_ENABLE_FALSE_START, PR_FALSE); } } +#endif // Tell NSS to not verify the certificate. return SECSuccess; @@ -2417,8 +2419,8 @@ void SSLClientSocketNSS::Core::UpdateConnectionStatus() { SSL_CONNECTION_COMPRESSION_MASK) << SSL_CONNECTION_COMPRESSION_SHIFT; - // NSS 3.14.x doesn't have a version macro for TLS 1.2 (because NSS didn't - // support it yet), so use 0x0303 directly. + // NSS 3.12.x doesn't have version macros for TLS 1.1 and 1.2 (because NSS + // doesn't support them yet), so we use 0x0302 and 0x0303 directly. int version = SSL_CONNECTION_VERSION_UNKNOWN; if (channel_info.protocolVersion < SSL_LIBRARY_VERSION_3_0) { // All versions less than SSL_LIBRARY_VERSION_3_0 are treated as SSL @@ -2428,7 +2430,7 @@ void SSLClientSocketNSS::Core::UpdateConnectionStatus() { version = SSL_CONNECTION_VERSION_SSL3; } else if (channel_info.protocolVersion == SSL_LIBRARY_VERSION_3_1_TLS) { version = SSL_CONNECTION_VERSION_TLS1; - } else if (channel_info.protocolVersion == SSL_LIBRARY_VERSION_TLS_1_1) { + } else if (channel_info.protocolVersion == 0x0302) { version = SSL_CONNECTION_VERSION_TLS1_1; } else if (channel_info.protocolVersion == 0x0303) { version = SSL_CONNECTION_VERSION_TLS1_2; @@ -2438,6 +2440,10 @@ void SSLClientSocketNSS::Core::UpdateConnectionStatus() { SSL_CONNECTION_VERSION_SHIFT; } + // SSL_HandshakeNegotiatedExtension was added in NSS 3.12.6. + // Since SSL_MAX_EXTENSIONS was added at the same time, we can test + // SSL_MAX_EXTENSIONS for the presence of SSL_HandshakeNegotiatedExtension. +#if defined(SSL_MAX_EXTENSIONS) PRBool peer_supports_renego_ext; ok = SSL_HandshakeNegotiatedExtension(nss_fd_, ssl_renegotiation_info_xtn, &peer_supports_renego_ext); @@ -2471,6 +2477,7 @@ void SSLClientSocketNSS::Core::UpdateConnectionStatus() { peer_supports_renego_ext == PR_TRUE); } } +#endif if (ssl_config_.version_fallback) { nss_handshake_state_.ssl_connection_status |= @@ -3146,18 +3153,25 @@ int SSLClientSocketNSS::InitializeSSLOptions() { SSL_CipherPrefSet(nss_fd_, *it, PR_FALSE); } +#ifdef SSL_ENABLE_SESSION_TICKETS // Support RFC 5077 rv = SSL_OptionSet(nss_fd_, SSL_ENABLE_SESSION_TICKETS, PR_TRUE); if (rv != SECSuccess) { LogFailedNSSFunction( net_log_, "SSL_OptionSet", "SSL_ENABLE_SESSION_TICKETS"); } +#else + #error "You need to install NSS-3.12 or later to build chromium" +#endif +#ifdef SSL_ENABLE_FALSE_START rv = SSL_OptionSet(nss_fd_, SSL_ENABLE_FALSE_START, ssl_config_.false_start_enabled); if (rv != SECSuccess) LogFailedNSSFunction(net_log_, "SSL_OptionSet", "SSL_ENABLE_FALSE_START"); +#endif +#ifdef SSL_ENABLE_RENEGOTIATION // We allow servers to request renegotiation. Since we're a client, // prohibiting this is rather a waste of time. Only servers are in a // position to prevent renegotiation attacks. @@ -3169,12 +3183,14 @@ int SSLClientSocketNSS::InitializeSSLOptions() { LogFailedNSSFunction( net_log_, "SSL_OptionSet", "SSL_ENABLE_RENEGOTIATION"); } +#endif // SSL_ENABLE_RENEGOTIATION +#ifdef SSL_CBC_RANDOM_IV rv = SSL_OptionSet(nss_fd_, SSL_CBC_RANDOM_IV, PR_TRUE); if (rv != SECSuccess) LogFailedNSSFunction(net_log_, "SSL_OptionSet", "SSL_CBC_RANDOM_IV"); +#endif -// Added in NSS 3.15 #ifdef SSL_ENABLE_OCSP_STAPLING if (IsOCSPStaplingSupported()) { rv = SSL_OptionSet(nss_fd_, SSL_ENABLE_OCSP_STAPLING, PR_TRUE); @@ -3185,7 +3201,6 @@ int SSLClientSocketNSS::InitializeSSLOptions() { } #endif -// Chromium patch to libssl #ifdef SSL_ENABLE_CACHED_INFO rv = SSL_OptionSet(nss_fd_, SSL_ENABLE_CACHED_INFO, ssl_config_.cached_info_enabled); diff --git a/net/third_party/nss/README.chromium b/net/third_party/nss/README.chromium index 4c7e137..197c2d6 100644 --- a/net/third_party/nss/README.chromium +++ b/net/third_party/nss/README.chromium @@ -75,6 +75,10 @@ Patches: patches/cbc.patch https://code.google.com/p/chromium/issues/detail?id=172658#c12 + * Define AES_256_KEY_LENGTH if the system blapit.h header doesn't define it. + Remove this patch when all system NSS packages are NSS 3.12.10 or later. + patches/aes256keylength.patch + * Change ssl3_SuiteBOnly to always return PR_TRUE. The softoken in NSS versions older than 3.15 report an EC key size range of 112 bits to 571 bits, even when it is compiled to support only the NIST P-256, P-384, and diff --git a/net/third_party/nss/patches/aes256keylength.patch b/net/third_party/nss/patches/aes256keylength.patch new file mode 100644 index 0000000..e77e16e --- /dev/null +++ b/net/third_party/nss/patches/aes256keylength.patch @@ -0,0 +1,15 @@ +diff -pu a/nss/lib/ssl/sslsnce.c b/nss/lib/ssl/sslsnce.c +--- a/nss/lib/ssl/sslsnce.c 2013-04-27 09:17:17.216390477 -0700 ++++ b/nss/lib/ssl/sslsnce.c 2013-04-27 09:41:36.887048239 -0700 +@@ -87,6 +87,11 @@ + #include "nspr.h" + #include "sslmutex.h" + ++/* AES_256_KEY_LENGTH was added to blapit.h in NSS 3.12.10. */ ++#ifndef AES_256_KEY_LENGTH ++#define AES_256_KEY_LENGTH 32 /* bytes */ ++#endif ++ + /* + ** Format of a cache entry in the shared memory. + */ diff --git a/net/third_party/nss/patches/applypatches.sh b/net/third_party/nss/patches/applypatches.sh index aee9fb0..e8d9f5f 100755 --- a/net/third_party/nss/patches/applypatches.sh +++ b/net/third_party/nss/patches/applypatches.sh @@ -38,6 +38,8 @@ patch -p4 < $patches_dir/secretexporterlocks.patch patch -p4 < $patches_dir/cbc.patch +patch -p4 < $patches_dir/aes256keylength.patch + patch -p4 < $patches_dir/suitebonly.patch patch -p4 < $patches_dir/secitemarray.patch diff --git a/net/third_party/nss/ssl.gyp b/net/third_party/nss/ssl.gyp index c5d7ede..31567c2 100644 --- a/net/third_party/nss/ssl.gyp +++ b/net/third_party/nss/ssl.gyp @@ -68,6 +68,7 @@ 'ssl/win32err.c', 'ssl/win32err.h', 'ssl/bodge/secitem_array.c', + 'ssl/bodge/secure_memcmp.c', ], 'sources!': [ 'ssl/os2_err.c', diff --git a/net/third_party/nss/ssl/bodge/secure_memcmp.c b/net/third_party/nss/ssl/bodge/secure_memcmp.c new file mode 100644 index 0000000..b18579c --- /dev/null +++ b/net/third_party/nss/ssl/bodge/secure_memcmp.c @@ -0,0 +1,59 @@ +/* ***** BEGIN LICENSE BLOCK ***** + * Version: MPL 1.1/GPL 2.0/LGPL 2.1 + * + * The contents of this file are subject to the Mozilla Public License Version + * 1.1 (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * http://www.mozilla.org/MPL/ + * + * Software distributed under the License is distributed on an "AS IS" basis, + * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License + * for the specific language governing rights and limitations under the + * License. + * + * The Original Code is the Netscape security libraries. + * + * The Initial Developer of the Original Code is + * Netscape Communications Corporation. + * Portions created by the Initial Developer are Copyright (C) 1994-2000 + * the Initial Developer. All Rights Reserved. + * + * Contributor(s): + * + * Alternatively, the contents of this file may be used under the terms of + * either the GNU General Public License Version 2 or later (the "GPL"), or + * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"), + * in which case the provisions of the GPL or the LGPL are applicable instead + * of those above. If you wish to allow use of your version of this file only + * under the terms of either the GPL or the LGPL, and not to allow others to + * use your version of this file under the terms of the MPL, indicate your + * decision by deleting the provisions above and replace them with the notice + * and other provisions required by the GPL or the LGPL. If you do not delete + * the provisions above, a recipient may use your version of this file under + * the terms of any one of the MPL, the GPL or the LGPL. + * + * ***** END LICENSE BLOCK ***** */ + +// This file exists to provide the secure memcmp function. This was added in +// NSS 3.12.5. + +#include + +/* + * Perform a constant-time compare of two memory regions. The return value is + * 0 if the memory regions are equal and non-zero otherwise. + */ +int +NSS_SecureMemcmp(const void *ia, const void *ib, size_t n) +{ + const unsigned char *a = (const unsigned char*) ia; + const unsigned char *b = (const unsigned char*) ib; + size_t i; + unsigned char r = 0; + + for (i = 0; i < n; ++i) { + r |= *a++ ^ *b++; + } + + return r; +} diff --git a/net/third_party/nss/ssl/sslsnce.c b/net/third_party/nss/ssl/sslsnce.c index eb39b5d..6b30f7d 100644 --- a/net/third_party/nss/ssl/sslsnce.c +++ b/net/third_party/nss/ssl/sslsnce.c @@ -87,6 +87,11 @@ #include "nspr.h" #include "sslmutex.h" +/* AES_256_KEY_LENGTH was added to blapit.h in NSS 3.12.10. */ +#ifndef AES_256_KEY_LENGTH +#define AES_256_KEY_LENGTH 32 /* bytes */ +#endif + /* ** Format of a cache entry in the shared memory. */ -- cgit v1.1