Last Comment Bug 1293334 - (CVE-2016-9074) Replace unreliable divSpoiler (timing side-channel defense)
(CVE-2016-9074)
: Replace unreliable divSpoiler (timing side-channel defense)
Status: RESOLVED FIXED
[post-critsmash-triage][adv-main50+][...
: csectype-other, sec-moderate
Product: NSS
Classification: Components
Component: Libraries (show other bugs)
: trunk
: Unspecified Unspecified
-- normal (vote)
: 3.27
Assigned To: Franziskus Kiefer [:fkiefer or :franziskus]
:
:
Mentors:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2016-08-08 10:16 PDT by Franziskus Kiefer [:fkiefer or :franziskus]
Modified: 2017-02-09 08:03 PST (History)
13 users (show)
mwobensmith: qe‑verify-
See Also:
Crash Signature:
(edit)
QA Whiteboard:
Iteration: ---
Points: ---
wontfix
+
wontfix
+
fixed
+
fixed
50+
fixed


Attachments
divSpoil.patch (5.07 KB, patch)
2016-08-09 07:27 PDT, Franziskus Kiefer [:fkiefer or :franziskus]
rlb: review+
wladd: review+
Details | Diff | Splinter Review
divSpoil.patch (OK for 3.26 branch) (5.50 KB, patch)
2016-08-22 05:55 PDT, Franziskus Kiefer [:fkiefer or :franziskus]
franziskuskiefer: review+
dveditz: sec‑approval+
Details | Diff | Splinter Review
backport to NSS 3.21, v1 (5.90 KB, patch)
2016-09-07 05:17 PDT, Kai Engert (:kaie)
franziskuskiefer: review+
Details | Diff | Splinter Review
incremental for nss 3.21, restrict parameter -Wno-error=misleading-indentation to gcc >= 6 (892 bytes, patch)
2016-09-23 09:21 PDT, Kai Engert (:kaie)
kaie: review-
Details | Diff | Splinter Review
incremental for nss 3.21, restrict parameter -Wno-error=misleading-indentation to gcc >= 6 (patch v2) (1.02 KB, patch)
2016-09-23 09:26 PDT, Kai Engert (:kaie)
franziskuskiefer: review+
Details | Diff | Splinter Review
incremental for nss 3.21, fix misleading indentation (3.70 KB, patch)
2016-09-23 11:49 PDT, Wan-Teh Chang
no flags Details | Diff | Splinter Review
incremental for nss 3.21, fix misleading indentation (patch v2) (3.88 KB, patch)
2016-09-23 12:07 PDT, Wan-Teh Chang
no flags Details | Diff | Splinter Review
Uplift NSS 3.26.1 to the Firefox-Beta-50 branch (8.89 KB, patch)
2016-09-26 22:46 PDT, Kai Engert (:kaie)
rkothari: approval‑mozilla‑beta+
Details | Diff | Splinter Review
Uplift NSS 3.21.2 to the Firefox-ESR-45 branch (9.82 KB, patch)
2016-09-26 22:58 PDT, Kai Engert (:kaie)
rkothari: approval‑mozilla‑esr45+
Details | Diff | Splinter Review

Description User image Franziskus Kiefer [:fkiefer or :franziskus] 2016-08-08 10:16:31 PDT
As agl notes in [0] the divSpoiler hack to avoid CPU optimisation and thus timing side channels isn't working. We have the same code [1] that we should replace with something similar (Barrett reduction sounds like a good choice).

[0] https://github.com/openssl/openssl/pull/1027
[1] http://searchfox.org/nss/source/lib/ssl/ssl3con.c#13102
Comment 1 User image Kai Engert (:kaie) 2016-08-08 10:38:05 PDT
(In reply to Franziskus Kiefer [:fkiefer or :franziskus] from comment #0)
> [1] http://searchfox.org/nss/source/lib/ssl/ssl3con.c#13102

As a general suggestion, I recommend to mention affected function names, as links with line numbers, that don't refer to a specific revision, will get outdated very quickly.
Comment 2 User image Franziskus Kiefer [:fkiefer or :franziskus] 2016-08-08 10:40:30 PDT
my bad, here the permalink for [1] from comment 1 http://searchfox.org/nss/rev/0c9572bf1d038dc933133836e0f09d25a7684881/lib/ssl/ssl3con.c#13102
Comment 3 User image Franziskus Kiefer [:fkiefer or :franziskus] 2016-08-09 07:27:28 PDT
Created attachment 8779342 [details] [diff] [review]
divSpoil.patch

this is basically the solution from open/boringssl. I'm sure agl doesn't mind, but we can ask him.
Comment 4 User image Eric Rescorla (:ekr) 2016-08-09 07:59:34 PDT
Franziskus, can you ask Watson?
Comment 5 User image Watson Ladd 2016-08-09 14:25:17 PDT
Comment on attachment 8779342 [details] [diff] [review]
divSpoil.patch

Review of attachment 8779342 [details] [diff] [review]:
-----------------------------------------------------------------

Looks good: I've verified that the ranges are sufficient for removing the padding lengths we need to deal with, and that they are right.
Comment 6 User image Andrew McCreight [:mccr8] 2016-08-11 10:47:26 PDT
What should the security rating on this be?
https://wiki.mozilla.org/Security_Severity_Ratings
Comment 7 User image Franziskus Kiefer [:fkiefer or :franziskus] 2016-08-15 07:41:17 PDT
Considering that the original bug 822365 that was thought to fix this issue is sec-high, this one should be sec-high as well.
Comment 8 User image Franziskus Kiefer [:fkiefer or :franziskus] 2016-08-15 07:44:56 PDT
Comment on attachment 8779342 [details] [diff] [review]
divSpoil.patch

Richard can you have a look at this?
Comment 9 User image Richard Barnes [:rbarnes] 2016-08-17 08:30:40 PDT
Comment on attachment 8779342 [details] [diff] [review]
divSpoil.patch

Review of attachment 8779342 [details] [diff] [review]:
-----------------------------------------------------------------

r=me with the documentation comments below addressed.

::: lib/ssl/ssl3con.c
@@ +13102,5 @@
> +
> +    /* The time to compute (macStart - scanStart) % macSize varies based on
> +     * the amount of padding. Thus we explicitely handle all mac sizes with
> +     * (hopefully) constant time modulo.
> +     */

It would be helpful to note the general formula here, e.g.:

/*
 * rotateOffset must be smaller than 1/e, where e is the error in
 * the approximation of 1/macSize by a fraction whose denominator
 * is a power of two.
 */

How do we know that this is the case?  It doesn't seem to follow from the inequalities at the top of the method.  It looks like Watson agrees that we're OK here, but we should describe that here so that people don't have to puzzle over it in the future.

@@ +13148,5 @@
>      /* Now rotate the MAC. If we knew that the MAC fit into a CPU cache line
>       * we could line-align |rotatedMac| and rotate in place. */
>      memset(out, 0, macSize);
> +    rotateOffset = macSize - rotateOffset;
> +    rotateOffset &= ~ssl_ConstantTimeGE(rotateOffset, macSize);

This notation is pretty opaque.  It's equivalent to an ssl_constantTimeSelect, right?  If so, that would be clearer.
Comment 10 User image Franziskus Kiefer [:fkiefer or :franziskus] 2016-08-22 05:55:59 PDT
Created attachment 8783517 [details] [diff] [review]
divSpoil.patch (OK for 3.26 branch)
Comment 11 User image Kai Engert (:kaie) 2016-08-22 08:28:05 PDT
Which Firefox branches need this fix?
Comment 12 User image Franziskus Kiefer [:fkiefer or :franziskus] 2016-08-22 22:24:17 PDT
This bug fixes what ought to be fixed in bug 822365. So the exploit is known for about 4 years already. Though the code changed considerably as a result of bug 822365 such that it's not immediately clear to me if/how the original attack still works. It'll land with 3.27 and and such be in Firefox 51.
Dan, do we want to backport the fix to other Firefox versions? I think an uplift to 50 would be reasonable. Not sure about 49 and ESR.
Comment 13 User image Daniel Veditz [:dveditz] 2016-08-23 12:01:14 PDT
This looks like a small part of the fix in bug 822365. Does this flawed timing attack defense (which seemed to work OK at the time) really defeat the whole of the Lucky13 defense? I'm guessing sec-moderate is more appropriate, but if this does resurrect Lucky13 then we should go back to sec-high.

If it's sec-high we should definitely push for Firefox 49 (NSS 3.25?) -- we still have a week or two. If it's sec-moderate and we're still mostly safe from lucky13 then 50 is probably OK. Either way we'll want this on the ESR release that matches when it ships.
Comment 14 User image Daniel Veditz [:dveditz] 2016-08-23 12:02:08 PDT
Comment on attachment 8783517 [details] [diff] [review]
divSpoil.patch (OK for 3.26 branch)

sec-approval=dveditz
Comment 15 User image Gerry Chang [:gchang] 2016-08-26 00:06:30 PDT
Track for 49+ to monitor if it will become sec-high.
Comment 16 User image Franziskus Kiefer [:fkiefer or :franziskus] 2016-08-26 01:26:34 PDT
I think sec-moderate is fine, but let's wait for opinions from Wan-Teh and Bob who oversaw the original lucky13 fix.
Comment 17 User image Wan-Teh Chang 2016-08-26 11:44:50 PDT
I agree sec-moderate is appropriate.
Comment 18 User image Liz Henry (:lizzard) (needinfo? me) 2016-09-02 15:33:46 PDT
I think waiting for 50 will be best here. We only have a week to go till release and have a lot of other uncertainties still in play.
Comment 19 User image Franziskus Kiefer [:fkiefer or :franziskus] 2016-09-04 09:52:04 PDT
https://hg.mozilla.org/projects/nss/rev/1e202f0a01b9
Comment 20 User image Kai Engert (:kaie) 2016-09-06 06:48:56 PDT
Based on comments from Dan and Liz, it seems the request is to fix this 
for Firefox 50, and ESR 45.5, scheduled for 2016-11-08

Firefox 50 will require a backport of the fix to NSS_3_26_BRANCH and a NSS 3.26.1 release.

ESR 45.5 will require a backport of the fix to NSS_3_21_BRANCH and a NSS 3.21.2 release.

Franziskus, is the patch compatible with those older branches (in other words, your patch doesn't depend on anything else that has been added after the release of NSS 3.21.1) ?
Comment 21 User image Kai Engert (:kaie) 2016-09-06 06:52:09 PDT
Regarding branch landing timing, I suggest that we land the updated NSS branch releases into the mozilla-beta and mozilla-esr45 branches, shortly after 2016-09-13.

Dan, Liz, does that work for you? Will be give branch commit approvals by mid september?
Comment 22 User image Franziskus Kiefer [:fkiefer or :franziskus] 2016-09-06 10:07:02 PDT
The patch is self-contained. I don't think there's a problem with applying this to 3.26 and 3.21.
Comment 23 User image Liz Henry (:lizzard) (needinfo? me) 2016-09-06 13:30:53 PDT
We aren't 100% sure of the release date right now. Probably 2016-09-13, but we have a little uncertainty right now that we may need to slip the date.  Landing after we release should be ok. Dan, what do you think?

Ritu: fyi, here's the NSS update plans for 50 while it is in beta.
Comment 24 User image Daniel Veditz [:dveditz] 2016-09-06 21:55:32 PDT
sounds good.
Comment 25 User image Kai Engert (:kaie) 2016-09-07 05:17:24 PDT
Created attachment 8788866 [details] [diff] [review]
backport to NSS 3.21, v1

Merge attempt for NSS 3.21 branch.

I was testing on Fedora 24 with gcc 6.1.1, and I ran into a warning-as-error, misleading indentation.

I suggest to disable that error on the old branch, which doesn't have our code reformatting yet.
Comment 26 User image Kai Engert (:kaie) 2016-09-07 05:20:03 PDT
Comment on attachment 8783517 [details] [diff] [review]
divSpoil.patch (OK for 3.26 branch)

Your original patch applies fine and builds without errors on NSS_3_26_BRANCH
Comment 27 User image Kai Engert (:kaie) 2016-09-07 06:32:05 PDT
Regarding the announcement of the NSS 3.21.2 and NSS 3.26.1 releases:

When are we allowed to send the public announcement message for those NSS security fix releases?

I'd like to land the code into Firefox beta and ESR 45 as soon as possible (soon after the mit-september releases are done), and this will require me to make the new NSS releases publicly available on FTP/S3 (which means people will find them).

Should the NSS announcement be sent immediately, with a vague text - or -
should the NSS version annoucement be delayed until some later date?
(If yes, please suggest the date.)
Comment 28 User image Kai Engert (:kaie) 2016-09-07 06:33:55 PDT
Will we require separate branch approval+ for landing the NSS update into mozilla-beta and mozilla-esr45, or are the existing tracking+ flags in this bugs sufficient for branch landing?
Comment 29 User image Franziskus Kiefer [:fkiefer or :franziskus] 2016-09-07 10:15:56 PDT
Comment on attachment 8788866 [details] [diff] [review]
backport to NSS 3.21, v1

Review of attachment 8788866 [details] [diff] [review]:
-----------------------------------------------------------------

I'm not sure what exactly is misleading here. But making this warning non-fatal for the branch makes sense.
Comment 30 User image Kai Engert (:kaie) 2016-09-07 10:55:16 PDT
(In reply to Franziskus Kiefer [:fkiefer or :franziskus] from comment #29)
> I'm not sure what exactly is misleading here.

For the lines that trigger the warning we have 

  if ()
    action();

However, those two lines start with a different mixed amount of tabs and spaces. The compiler apparently wants to warn that the indenting might mislead a human reader.
Comment 31 User image Daniel Veditz [:dveditz] 2016-09-07 14:00:21 PDT
(In reply to Kai Engert (:kaie) from comment #27)
> I'd like to land the code into Firefox beta and ESR 45 as soon as possible
> (soon after the mit-september releases are done), and this will require me
> to make the new NSS releases publicly available on FTP/S3 (which means
> people will find them).

Are you landing "final" versions on the "beta" branch, and thus triggering what looks like an NSS "release"? Why so early in the cycle? If we need testing could we land these as "beta" versions of NSS and then change the definition (header value) to final later in the cycle?

How has this not come up before? We've fixed NSS bugs in the past and not released advisories for them until that version of Firefox was released.

> Should the NSS announcement be sent immediately, with a vague text - or -

What else is being fixed in these versions?

(In reply to Kai Engert (:kaie) from comment #28)
> Will we require separate branch approval+ for landing the NSS update into
> mozilla-beta and mozilla-esr45, or are the existing tracking+ flags in this
> bugs sufficient for branch landing?

The tracking flags mean tracking, nothing more. When a patch for a tracked bug is produced then the approval process is there to give release managers a chance to make sure the actual patch isn't too complicated/risky/untested/late for a given milestone.
Comment 32 User image Kai Engert (:kaie) 2016-09-08 04:09:52 PDT
(In reply to Daniel Veditz [:dveditz] from comment #31)
> 
> Are you landing "final" versions on the "beta" branch, and thus triggering
> what looks like an NSS "release"?

Correct.

> Why so early in the cycle?

I just assumed you want all changes to mozilla-beta happening as early as possible.


> If we need
> testing could we land these as "beta" versions of NSS and then change the
> definition (header value) to final later in the cycle?

We could. What's the deadline for landing the final header version changes (and configure update to require the new version number) into the mozilla-beta and mozilla-esr45 branches?

We should start by testing with mozilla-central immediately, by uplifting a new NSS 3.27 beta to m-i today, I'll work to get this done. (It might have been a good idea to do this immediately after this fix landed into NSS trunk.)


> How has this not come up before? We've fixed NSS bugs in the past and not
> released advisories for them until that version of Firefox was released.

Not sure I understand the question. Yes, situations like that had been come up before. I made my comment to ensure everyone is aware of these needs for timing the announcements.

> 
> > Should the NSS announcement be sent immediately, with a vague text - or -
> 
> What else is being fixed in these versions?

Nothing else. The proposal is to produce security NSS releases, which are based on the currently used NSS branch releases used by the respective Firefox branches, plus this fix.

(These days we have one NSS branch for each Firefox branch.)


> The tracking flags mean tracking, nothing more.

Thanks for the clarification. We'll make attachments for the approval process.
Comment 33 User image Kai Engert (:kaie) 2016-09-08 04:42:11 PDT
Regarding Dan's testing question:

- the fix from this bug hasn't produced any issues with the NSS own test suite

- a try build with this fix has now been started here:
  https://treeherder.mozilla.org/#/jobs?repo=try&revision=0a08925056fc

  (if try build succeeds, I'll uplift into mozilla-inbound by tomorrow)
Comment 34 User image Liz Henry (:lizzard) (needinfo? me) 2016-09-13 11:25:55 PDT
It's too early to land this in mozilla-beta since the release date for 49 is now Sept. 20th. We should do this after we ship 49. Kai, I should have let you know, sorry about that.
Comment 35 User image Kai Engert (:kaie) 2016-09-16 10:34:06 PDT
No problem, thanks for the update.

I'll work on it later next week.
Comment 36 User image Kai Engert (:kaie) 2016-09-23 09:02:48 PDT
Comment on attachment 8788866 [details] [diff] [review]
backport to NSS 3.21, v1

Franziskus, the patch for NSS 3.21.x doesn't work with older gcc versions, apparently not on OSX. We need to limit -Wno-error=misleading-indentation to compiler versions that support it.
Comment 37 User image Kai Engert (:kaie) 2016-09-23 09:21:08 PDT
Created attachment 8794281 [details] [diff] [review]
incremental for nss 3.21, restrict parameter -Wno-error=misleading-indentation to gcc >= 6

Based on other compiler version checks in the same file, I think this should work?
Comment 38 User image Kai Engert (:kaie) 2016-09-23 09:23:22 PDT
Comment on attachment 8794281 [details] [diff] [review]
incremental for nss 3.21, restrict parameter -Wno-error=misleading-indentation to gcc >= 6

>diff --git a/coreconf/Werror.mk b/coreconf/Werror.mk
>+    CC_VERSION := $(subst ., ,$(shell $(CC) -dumpversion))
>+    ifeq (,$(filter 0 1 2 3 4 5,$(word 1,$(CC_VERSION))))
>+      WARNING_CFLAGS += -Werror -Wno-error=misleading-indentation
>+    endif

We should also add a comment that explains the intention:

# Only add -Wno-error=misleading-indentation for gcc 6 and newer
Comment 39 User image Kai Engert (:kaie) 2016-09-23 09:23:59 PDT
Comment on attachment 8794281 [details] [diff] [review]
incremental for nss 3.21, restrict parameter -Wno-error=misleading-indentation to gcc >= 6

sorry, let me redo this patch
Comment 40 User image Kai Engert (:kaie) 2016-09-23 09:26:52 PDT
Created attachment 8794285 [details] [diff] [review]
incremental for nss 3.21, restrict parameter -Wno-error=misleading-indentation to gcc >= 6 (patch v2)
Comment 41 User image Wan-Teh Chang 2016-09-23 09:31:51 PDT
Comment on attachment 8794281 [details] [diff] [review]
incremental for nss 3.21, restrict parameter -Wno-error=misleading-indentation to gcc >= 6

Review of attachment 8794281 [details] [diff] [review]:
-----------------------------------------------------------------

::: coreconf/Werror.mk
@@ +61,5 @@
>  
>    ifeq ($(NSS_ENABLE_WERROR),1)
> +    CC_VERSION := $(subst ., ,$(shell $(CC) -dumpversion))
> +    ifeq (,$(filter 0 1 2 3 4 5,$(word 1,$(CC_VERSION))))
> +      WARNING_CFLAGS += -Werror -Wno-error=misleading-indentation

This patch is wrong. -Werror is fine for all versions of GCC and clang.

I suggest we simply remove -Wno-error=misleading-indentation. If an
NSS 3.21.x package needs to be built with the latest version of GCC,
the NSS 3.21.x package spec file should add -Wno-error=misleading-indentation.

We should not add such a change to an NSS branch without adding it to
the NSS trunk first.
Comment 42 User image Kai Engert (:kaie) 2016-09-23 09:46:54 PDT
(In reply to Wan-Teh Chang from comment #41)
> 
> This patch is wrong. -Werror is fine for all versions of GCC and clang.

That's why I made the second version of the patch, which keeps -Werror in general.


> I suggest we simply remove -Wno-error=misleading-indentation. If an
> NSS 3.21.x package needs to be built with the latest version of GCC,
> the NSS 3.21.x package spec file should add
> -Wno-error=misleading-indentation.
> 
> We should not add such a change to an NSS branch without adding it to
> the NSS trunk first.

I don't intend to add this parameter to the NSS trunk. We don't need it there. We have reformatted our code on trunk, that prevents the error, and doesn't require the parameter.

This parameter is specifically suggested for the old NSS branch, where we shouldn't mess with cleaning up the bad whitespace.

Adding the patch to NSS directly is preferred, because this isn't just about creating NSS packages, but our continous integration includes systems that use gcc 6.
Comment 43 User image Kai Engert (:kaie) 2016-09-23 09:49:16 PDT
(In reply to Kai Engert (:kaie) from comment #42)
> 
> Adding the patch to NSS directly is preferred, because this isn't just about
> creating NSS packages, but our continous integration includes systems that
> use gcc 6.

... and I'd like to build the NSS 3.21 release candidate on our continous integration infrastructure, just for completeness, to ensure all tests still pass on all platforms with this fix on that branch.
Comment 44 User image Wan-Teh Chang 2016-09-23 10:14:18 PDT
GCC documentation says:

    In the case of mixed tabs and spaces, the warning uses
    the -ftabstop= option to determine if the statements
    line up (defaulting to 8).

https://gcc.gnu.org/onlinedocs/gcc/Warning-Options.html

NSS uses a tabstop of 8. So if GCC cannot handle that, we
should submit a bug report to GCC.
Comment 45 User image Kai Engert (:kaie) 2016-09-23 11:36:45 PDT
Checked in to the NSS_3_26_BRANCH:
https://hg.mozilla.org/projects/nss/rev/d38536fcc726

NSS tests look good.

Checked in to the NSS_3_21_BRANCH:
https://hg.mozilla.org/projects/nss/rev/6883f1fc9129
https://hg.mozilla.org/projects/nss/rev/6ca604746182

NSS tests still running.

I'll shortly proceed with creating the NSS 3.21.2 and NSS 3.26.1 releases,

and will attach branch uplift patches for beta/esr approval by monday.
Comment 46 User image Wan-Teh Chang 2016-09-23 11:49:33 PDT
Created attachment 8794349 [details] [diff] [review]
incremental for nss 3.21, fix misleading indentation

I compiled NSS_3_21_BRANCH with gcc 6.2.0. The misleading
indentations are not hard to fix. I think we should fix
the misleading indentations rather than disabling the
-Wmisleading-indentation compiler warning.
Comment 47 User image Wan-Teh Chang 2016-09-23 12:07:48 PDT
Created attachment 8794355 [details] [diff] [review]
incremental for nss 3.21, fix misleading indentation (patch v2)

I updated my patch because Kai's patch has been checked in.

I hope the benefits of compiling NSS_3_21_BRANCH with -Wmisleading-indentation
are clear.
Comment 48 User image Kai Engert (:kaie) 2016-09-23 12:26:30 PDT
Wan-Teh, I appreciate your intention to simplify, but let me say:
- I'm trying to minimize patches that backport security fixes as much as possible,
  and white space changes in particular can usually create confusion very easily,
  and distract from the real change
- I had not attempted to go the whitespace fixing approach in the first place,
  because my expectation was that a much larger number of places might have
  required fixing, so it's good that only very few places would need a fix.
- the benefit of the compiler warning seems negligible in this particular scenario,
  because we know the code is correct, and we're not developing new code on this branch.

My preference is to keep things simple, and because buildbot seems to currently build fine with the code as checked in, avoiding additional commits seems simpler to me, so in my opinion your patch isn't necessary.

But if Franziskus thinks differently and prefers the whitespace cleanup and gives you r+, I'll check it in, and will have to trigger another round of test builds afterwards.
Comment 49 User image Wan-Teh Chang 2016-09-23 13:20:24 PDT
I was mainly curious about the speculation that -Wmisleading-indentation
cannot handle mixed tabs and spaces correctly. I found that GCC handles
mixed tabs and spaces correctly in all the four files it warns about.
* The two files in lib/dbm/src/ use a tab stop of 4. The warnings could
  also be fixed by compiling those files with the -ftabstop=4 option.
* The other two files simply have incorrect indentations.
I'm glad I don't need to submit a bug report to GCC.

I also wanted to know if any of the incorrect indentations is a bug.
Fortunately none of them is. Without looking at the warnings, we cannot
be sure.

So, whether you accept my patch or not is secondary to me.
Comment 50 User image Kai Engert (:kaie) 2016-09-23 13:45:57 PDT
Comment on attachment 8794355 [details] [diff] [review]
incremental for nss 3.21, fix misleading indentation (patch v2)

Wan-Teh, thanks a lot for your thorough verifications!
I'll defer to Franziskus if we should check this in, or can skip it.
Comment 51 User image Franziskus Kiefer [:fkiefer or :franziskus] 2016-09-26 00:21:26 PDT
Comment on attachment 8794355 [details] [diff] [review]
incremental for nss 3.21, fix misleading indentation (patch v2)

Review of attachment 8794355 [details] [diff] [review]:
-----------------------------------------------------------------

Thanks a lot for the investigation Wan-Teh.
But since there's no bug I think we should leave the 3.21 branch alone.
Comment 52 User image Kai Engert (:kaie) 2016-09-26 22:46:13 PDT
Created attachment 8795159 [details] [diff] [review]
Uplift NSS 3.26.1 to the Firefox-Beta-50 branch

Firefox-50 beta branch currently uses NSS 3.26.
A version NSS 3.26.1 has been released, which contains this bugfix as the only change since NSS 3.26.

This patch uplifts to NSS 3.26.1, which includes this bugfix, plus version number changes, only.
Comment 53 User image Kai Engert (:kaie) 2016-09-26 22:58:39 PDT
Created attachment 8795164 [details] [diff] [review]
Uplift NSS 3.21.2 to the Firefox-ESR-45 branch

Firefox-ESR-45 branch currently uses NSS 3.21.1
A version NSS 3.21.2 has been released, which contains this bugfix as the only change since NSS 3.21.1

This patch uplifts to NSS 3.21.2, which includes this bugfix, plus version number changes, only.
Comment 54 User image Ritu Kothari (:ritu) 2016-09-27 11:27:00 PDT
Comment on attachment 8795159 [details] [diff] [review]
Uplift NSS 3.26.1 to the Firefox-Beta-50 branch

NSS update, Beta50+
Comment 55 User image Ritu Kothari (:ritu) 2016-09-27 11:27:23 PDT
Comment on attachment 8795164 [details] [diff] [review]
Uplift NSS 3.21.2 to the Firefox-ESR-45 branch

NSS update, ESR45.5+
Comment 56 User image Ritu Kothari (:ritu) 2016-09-27 11:29:38 PDT
Hi Dan, based on comment 12, it seems Fx51 will be on NSS 3.27. What should we do about status-51 "affected" on this bug?
Comment 57 User image Kai Engert (:kaie) 2016-09-27 12:26:04 PDT
(In reply to Ritu Kothari (:ritu) from comment #56)
> Hi Dan, based on comment 12, it seems Fx51 will be on NSS 3.27. What should
> we do about status-51 "affected" on this bug?

Firefox 51 is already using NSS 3.27, which already contains the fix for this bug.
I'm flipping the bit to fixed.
Comment 58 User image Kai Engert (:kaie) 2016-09-27 12:38:14 PDT
mozilla-beta tree is closed for "uplift week".
Can you please advise when I should check in?
Comment 60 User image Ryan VanderMeulen [:RyanVM] 2016-09-27 14:55:21 PDT
https://hg.mozilla.org/releases/mozilla-beta/rev/d42771a06d13
Comment 61 User image Huzaifa Sidhpurwala 2016-11-06 22:55:43 PST
Hi,

I am trying to understand if this is really a security flaw? I understand that barrett reduction is much better, but is the div_spoiler implementation broken, ie it did not implement the fix correctly?

If not, that this is just security hardening and not a flaw imo
Comment 62 User image Franziskus Kiefer [:fkiefer or :franziskus] 2016-11-06 23:06:15 PST
(In reply to Huzaifa Sidhpurwala from comment #61)
> Hi,
> 
> I am trying to understand if this is really a security flaw? I understand
> that barrett reduction is much better, but is the div_spoiler implementation
> broken, ie it did not implement the fix correctly?
> 
> If not, that this is just security hardening and not a flaw imo

Yes this is a security flaw. See links comment 1, i.e. division on Intel CPUs is not constant time, which provides the attacker with a padding oracle.
Comment 63 User image Huzaifa Sidhpurwala 2016-11-07 23:43:02 PST
(In reply to Franziskus Kiefer [:fkiefer or :franziskus] from comment #62)
> (In reply to Huzaifa Sidhpurwala from comment #61)
> > Hi,
> > 
> > I am trying to understand if this is really a security flaw? I understand
> > that barrett reduction is much better, but is the div_spoiler implementation
> > broken, ie it did not implement the fix correctly?
> > 
> > If not, that this is just security hardening and not a flaw imo
> 
> Yes this is a security flaw. See links comment 1, i.e. division on Intel
> CPUs is not constant time, which provides the attacker with a padding oracle.

I know, but the workaround to that is to use the divspoiler mechanism, which was used everywhere, barrett reduction is just the better way of doing it.
Comment 64 User image Huzaifa Sidhpurwala 2016-11-21 06:31:55 PST
Note:

Just to clarify the above, i dont understand why a CVE id was assigned in the first place. barrett reduction is a much better way of doing constant-time operation, but div_spoiler is not vulnerable in the first place (not perfect but not vulnerable).

So even that the older method isnt really vulnerable, this is not really a security issue.
Comment 65 User image Huzaifa Sidhpurwala 2016-11-21 06:37:26 PST
(In reply to Franziskus Kiefer [:fkiefer or :franziskus] from comment #62)
> (In reply to Huzaifa Sidhpurwala from comment #61)
> > Hi,
> > 
> > I am trying to understand if this is really a security flaw? I understand
> > that barrett reduction is much better, but is the div_spoiler implementation
> > broken, ie it did not implement the fix correctly?
> > 
> > If not, that this is just security hardening and not a flaw imo
> 
> Yes this is a security flaw. See links comment 1, i.e. division on Intel
> CPUs is not constant time, which provides the attacker with a padding oracle.

No, this is not a security flaw. div_spoiler solves the problem, its not perfect but works, barrett reduction is just a better way of doing things.
Comment 66 User image Kai Engert (:kaie) 2016-11-21 06:52:39 PST
Huzaifa, I'd like to suggest, please clarify what action you expect.
Comment 67 User image Huzaifa Sidhpurwala 2016-11-23 21:58:40 PST
(In reply to Kai Engert (:kaie) from comment #66)
> Huzaifa, I'd like to suggest, please clarify what action you expect.

Not sure if this makes any difference now. I want to suggest we reject this CVE id. This is not a security flaw. div_spoiler works well, barrett reduction is just a better method of handling things. This is an enhancement bug not a security flaw.
Comment 68 User image Franziskus Kiefer [:fkiefer or :franziskus] 2016-11-23 23:59:07 PST
Huzaifa: I think you're missing the point. At the danger of repeating myself let me explain again what this bug is about.
The original code added the so called divSpoiler to |macStart - scanStart| in the hope that this would make CPUs compute |divq| operations in constant time. That's however not the case (at least not everywhere).
The new code, using barrett reduction, aims to bypass the problem of non-constant-time div operations on CPUs by not using it. Barrett instead only subtracts.
So this change has nothing to with enhancement but is fixing a security issue. Because observing timing differences in CPU instructions is relatively hard, this is sec-moderate.
Comment 69 User image Huzaifa Sidhpurwala 2016-11-24 20:11:34 PST
(In reply to Franziskus Kiefer [:fkiefer or :franziskus] from comment #68)
> Huzaifa: I think you're missing the point. At the danger of repeating myself
> let me explain again what this bug is about.
> The original code added the so called divSpoiler to |macStart - scanStart|
> in the hope that this would make CPUs compute |divq| operations in constant
> time. That's however not the case (at least not everywhere).
> The new code, using barrett reduction, aims to bypass the problem of
> non-constant-time div operations on CPUs by not using it. Barrett instead
> only subtracts.
> So this change has nothing to with enhancement but is fixing a security
> issue. Because observing timing differences in CPU instructions is
> relatively hard, this is sec-moderate.

Ok that makes it clear, thanks!

Note You need to log in before you can comment on or make changes to this bug.