pool/mozilla-nss
SHA256
2
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Accepting request 487715 from mozilla:Factory

Browse Source 
- update to NSS 3.29.5
  * Rare crashes in the base 64 decoder and encoder were fixed.
    (bmo#1344380)
  * A carry over bug in the RNG was fixed. (bmo#1345089)
- Allow use of session tickets when there is no ticket wrapping key
  (boo#1015499, bmo#1320695) (nss-bmo1320695.patch)

OBS-URL: https://build.opensuse.org/request/show/487715
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/mozilla-nss?expand=0&rev=125
This commit is contained in:
Dominique Leuenberger 2017-04-18 11:47:28 +00:00 committed by Git OBS Bridge
commit 9746ae6f6e
5 changed files with 93 additions and 14 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
mozilla-nss.changes
View File

@ -1,3 +1,13 @@
-------------------------------------------------------------------
Wed Apr 12 21:21:38 UTC 2017 - wr@rosenauer.org
- update to NSS 3.29.5
* Rare crashes in the base 64 decoder and encoder were fixed.
(bmo#1344380)
* A carry over bug in the RNG was fixed. (bmo#1345089)
- Allow use of session tickets when there is no ticket wrapping key
(boo#1015499, bmo#1320695) (nss-bmo1320695.patch)
-------------------------------------------------------------------
Thu Mar 16 20:27:50 UTC 2017 - wr@rosenauer.org

24
mozilla-nss.spec
View File

@ -25,7 +25,7 @@ BuildRequires: mozilla-nspr-devel >= 4.13.1
BuildRequires: pkg-config
BuildRequires: sqlite-devel
BuildRequires: zlib-devel
Version: 3.29.3
Version: 3.29.5
Release: 0
# bug437293
%ifarch ppc64
@ -36,8 +36,8 @@ Summary: Network Security Services
License: MPL-2.0
Group: System/Libraries
Url: http://www.mozilla.org/projects/security/pki/nss/
Source: https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_29_3_RTM/src/nss-%{version}.tar.gz
# hg clone https://hg.mozilla.org/projects/nss nss-3.29.3/nss ; cd nss-3.29.3/nss ; hg up NSS_3_29_3_RTM
Source: https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_29_5_RTM/src/nss-%{version}.tar.gz
# hg clone https://hg.mozilla.org/projects/nss nss-3.29.5/nss ; cd nss-3.29.5/nss ; hg up NSS_3_29_5_RTM
#Source: nss-%{version}.tar.gz
Source1: nss.pc.in
Source3: nss-config.in
@ -51,12 +51,13 @@ Source9: pkcs11.txt
Source99: %{name}.changes
Patch1: nss-opt.patch
Patch2: system-nspr.patch
Patch4: nss-no-rpath.patch
Patch5: renegotiate-transitional.patch
Patch6: malloc.patch
Patch7: nss-disable-ocsp-test.patch
Patch8: nss-sqlitename.patch
Patch9: nss-fix-hash.patch
Patch3: nss-no-rpath.patch
Patch4: renegotiate-transitional.patch
Patch5: malloc.patch
Patch6: nss-disable-ocsp-test.patch
Patch7: nss-sqlitename.patch
Patch8: nss-fix-hash.patch
Patch9: nss-bmo1320695.patch
%define nspr_ver %(rpm -q --queryformat '%{VERSION}' mozilla-nspr)
PreReq: mozilla-nspr >= %nspr_ver
PreReq: libfreebl3 >= %{nss_softokn_fips_version}
@ -170,11 +171,12 @@ Mozilla project.
cd nss
%patch1 -p1
%patch2 -p1
%patch3 -p1
%patch4 -p1
%patch5 -p1
%if %suse_version > 1110
%patch6 -p1
%patch5 -p1
%endif
%patch6 -p1
%patch7 -p1
%patch8 -p1
%patch9 -p1

3
nss-3.29.3.tar.gz
View File

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:35ddcc31251ef829994efeee925011aa1414e32be7e388236970255aa3c8e1eb
size 7479458

3
nss-3.29.5.tar.gz Normal file
View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:5df483b73535d726207483f6349df23fe56aee83382b94b13298aec2e254d985
size 7480246

67
nss-bmo1320695.patch Normal file
View File

@ -0,0 +1,67 @@
# HG changeset patch
# User Daiki Ueno <dueno@redhat.com>
# Date 1481108447 -3600
# Wed Dec 07 12:00:47 2016 +0100
# Branch wip/dueno/ec-session-ticket
# Node ID 86c3a4cb4eb55f50f80904796f0664e11d9b5d73
# Parent 5796201e791e6cbffc3615cb0c894cf1b0fc09a1
Bug 1320695 - Using SessionTicket extension along with any ECDHE-ECDSA ciphersuite renders selfserv unusable
When session ticket is used and wrapping key pair (for caching
generated keys at server side) is not available, disable caching
instead of returning an error.
diff --git a/lib/ssl/ssl3exthandle.c b/lib/ssl/ssl3exthandle.c
--- a/lib/ssl/ssl3exthandle.c
+++ b/lib/ssl/ssl3exthandle.c
@@ -99,21 +99,22 @@ ssl3_GenerateSessionTicketKeys(void *dat
sslSocket *ss = (sslSocket *)data;
sslServerCertType certType = { ssl_auth_rsa_decrypt, NULL };
const sslServerCert *sc;
- SECKEYPrivateKey *svrPrivKey;
- SECKEYPublicKey *svrPubKey;
+ SECKEYPrivateKey *svrPrivKey = NULL;
+ SECKEYPublicKey *svrPubKey = NULL;
sc = ssl_FindServerCert(ss, &certType);
if (!sc || !sc->serverKeyPair) {
SSL_DBG(("%d: SSL[%d]: No ssl_auth_rsa_decrypt cert and key pair",
SSL_GETPID(), ss->fd));
- goto loser;
- }
- svrPrivKey = sc->serverKeyPair->privKey;
- svrPubKey = sc->serverKeyPair->pubKey;
- if (svrPrivKey == NULL || svrPubKey == NULL) {
- SSL_DBG(("%d: SSL[%d]: Pub or priv key(s) is NULL.",
- SSL_GETPID(), ss->fd));
- goto loser;
+ } else {
+ svrPrivKey = sc->serverKeyPair->privKey;
+ svrPubKey = sc->serverKeyPair->pubKey;
+ if (svrPrivKey == NULL || svrPubKey == NULL) {
+ SSL_DBG(("%d: SSL[%d]: Pub or priv key(s) is NULL.",
+ SSL_GETPID(), ss->fd));
+ svrPrivKey = NULL;
+ svrPubKey = NULL;
+ }
}
/* Get a copy of the session keys from shared memory. */
diff --git a/lib/ssl/sslsnce.c b/lib/ssl/sslsnce.c
--- a/lib/ssl/sslsnce.c
+++ b/lib/ssl/sslsnce.c
@@ -1831,9 +1831,11 @@ ssl_GetSessionTicketKeys(SECKEYPrivateKe
PRBool keysGenerated = PR_FALSE;
cacheDesc *cache = &globalCache;
- if (!cache->cacheMem) {
- /* cache is uninitialized. Generate keys and return them
- * without caching. */
+ if (!cache->cacheMem || !svrPrivKey || !svrPubKey) {
+ /* Generated keys cannot be cached, because:
+ * - the cache is not initialized, or
+ * - key pairs to wrap them are not available
+ * Generate keys and return them without caching. */
return GenerateTicketKeys(pwArg, keyName, aesKey, macKey);
}