Update NSS to 3.21 RTM and NSPR to 4.11 RTM

nss/lib/freebl/dh.c

 /* This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 /*
  * Diffie-Hellman parameter generation, key generation, and secret derivation.
  * KEA secret generation and verification.
  */
 #ifdef FREEBL_NO_DEPEND
 #include "stubs.h"
@@ skipping 187 matching lines @@
 
 SECStatus 
 DH_Derive(SECItem *publicValue, 
           SECItem *prime, 
           SECItem *privateValue, 
           SECItem *derivedSecret, 
           unsigned int outBytes)
 {
     mp_int p, Xa, Yb, ZZ, psub1;
     mp_err err = MP_OKAY;
-    int len = 0;
+    unsigned int len = 0;
     unsigned int nb;
     unsigned char *secret = NULL;
     if (!publicValue || !prime || !privateValue || !derivedSecret) {
         PORT_SetError(SEC_ERROR_INVALID_ARGS);
         return SECFailure;
     }
     memset(derivedSecret, 0, sizeof *derivedSecret);
     MP_DIGITS(&p)  = 0;
     MP_DIGITS(&Xa) = 0;
     MP_DIGITS(&Yb) = 0;
@@ skipping 26 matching lines @@
     }
 
     /* ZZ = (Yb)**Xa mod p */
     CHECK_MPI_OK( mp_exptmod(&Yb, &Xa, &p, &ZZ) );
     /* number of bytes in the derived secret */
     len = mp_unsigned_octet_size(&ZZ);
     if (len <= 0) {
         err = MP_BADARG;
         goto cleanup;
     }
+
+    /*
+     * We check to make sure that ZZ is not equal to 1 or -1 mod p.

[Ryan Sleevi, 2015/12/11 01:26:14]

Of interest

[davidben, 2015/12/11 22:10:58]

Meh. https://crbug.com/482950.

If I'm understanding this right (certainly possible), this is especially absurd
because they already do a check in line 231 that, assuming you're using a safe
prime, throws out points on small subgroups. And if it's not a safe prime, this
check isn't even sufficient because there would then be other points on the
small subgroup.

NSS's bug is here:
https://bugzilla.mozilla.org/show_bug.cgi?id=1160139
And the reporter (same person who filed the bug on our end) specifically wants a
1 mod 4 prime which cannot be a safe prime. A safe prime is always going to be 3
mod 4.

+     * This helps guard against small subgroup attacks, since an attacker
+     * using a subgroup of size N will produce 1 or -1 with probability 1/N.
+     * When the protocol is executed within a properly large subgroup, the
+     * probability of this result will be negligibly small.  For example,
+     * with a strong prime of the form 2p+1, the probability will be 1/p.
+     *
+     * We return MP_BADARG because this is probably the result of a bad
+     * public value or a bad prime having been provided.
+     */
+    if (mp_cmp_d(&ZZ, 1) == 0 ||
+        mp_cmp(&ZZ, &psub1) == 0) {
+        err = MP_BADARG;
+        goto cleanup;
+    }
+
     /* allocate a buffer which can hold the entire derived secret. */
     secret = PORT_Alloc(len);
     /* grab the derived secret */
     err = mp_to_unsigned_octets(&ZZ, secret, len);
     if (err >= 0) err = MP_OKAY;
     /* 
     ** if outBytes is 0 take all of the bytes from the derived secret.
     ** if outBytes is not 0 take exactly outBytes from the derived secret, zero
     ** pad at the beginning if necessary, and truncate beginning bytes 
     ** if necessary.
@@ skipping 138 matching lines @@
     mp_clear(&p);
     mp_clear(&q);
     mp_clear(&y);
     mp_clear(&r);
     if (err) {
         MP_TO_SEC_ERROR(err);
         return PR_FALSE;
     }
     return (cmp == 0) ? PR_TRUE : PR_FALSE;
 }