diff --git a/mozilla-nss.changes b/mozilla-nss.changes index 6b2f582..8e5d81b 100644 --- a/mozilla-nss.changes +++ b/mozilla-nss.changes @@ -1,3 +1,13 @@ +------------------------------------------------------------------- +Wed Apr 12 21:21:38 UTC 2017 - wr@rosenauer.org + +- update to NSS 3.29.5 + * Rare crashes in the base 64 decoder and encoder were fixed. + (bmo#1344380) + * A carry over bug in the RNG was fixed. (bmo#1345089) +- Allow use of session tickets when there is no ticket wrapping key + (boo#1015499, bmo#1320695) (nss-bmo1320695.patch) + ------------------------------------------------------------------- Thu Mar 16 20:27:50 UTC 2017 - wr@rosenauer.org diff --git a/mozilla-nss.spec b/mozilla-nss.spec index de750e0..45445e7 100644 --- a/mozilla-nss.spec +++ b/mozilla-nss.spec @@ -25,7 +25,7 @@ BuildRequires: mozilla-nspr-devel >= 4.13.1 BuildRequires: pkg-config BuildRequires: sqlite-devel BuildRequires: zlib-devel -Version: 3.29.3 +Version: 3.29.5 Release: 0 # bug437293 %ifarch ppc64 @@ -36,8 +36,8 @@ Summary: Network Security Services License: MPL-2.0 Group: System/Libraries Url: http://www.mozilla.org/projects/security/pki/nss/ -Source: https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_29_3_RTM/src/nss-%{version}.tar.gz -# hg clone https://hg.mozilla.org/projects/nss nss-3.29.3/nss ; cd nss-3.29.3/nss ; hg up NSS_3_29_3_RTM +Source: https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_29_5_RTM/src/nss-%{version}.tar.gz +# hg clone https://hg.mozilla.org/projects/nss nss-3.29.5/nss ; cd nss-3.29.5/nss ; hg up NSS_3_29_5_RTM #Source: nss-%{version}.tar.gz Source1: nss.pc.in Source3: nss-config.in @@ -51,12 +51,13 @@ Source9: pkcs11.txt Source99: %{name}.changes Patch1: nss-opt.patch Patch2: system-nspr.patch -Patch4: nss-no-rpath.patch -Patch5: renegotiate-transitional.patch -Patch6: malloc.patch -Patch7: nss-disable-ocsp-test.patch -Patch8: nss-sqlitename.patch -Patch9: nss-fix-hash.patch +Patch3: nss-no-rpath.patch +Patch4: renegotiate-transitional.patch +Patch5: malloc.patch +Patch6: nss-disable-ocsp-test.patch +Patch7: nss-sqlitename.patch +Patch8: nss-fix-hash.patch +Patch9: nss-bmo1320695.patch %define nspr_ver %(rpm -q --queryformat '%{VERSION}' mozilla-nspr) PreReq: mozilla-nspr >= %nspr_ver PreReq: libfreebl3 >= %{nss_softokn_fips_version} @@ -170,11 +171,12 @@ Mozilla project. cd nss %patch1 -p1 %patch2 -p1 +%patch3 -p1 %patch4 -p1 -%patch5 -p1 %if %suse_version > 1110 -%patch6 -p1 +%patch5 -p1 %endif +%patch6 -p1 %patch7 -p1 %patch8 -p1 %patch9 -p1 diff --git a/nss-3.29.3.tar.gz b/nss-3.29.3.tar.gz deleted file mode 100644 index d5234ab..0000000 --- a/nss-3.29.3.tar.gz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:35ddcc31251ef829994efeee925011aa1414e32be7e388236970255aa3c8e1eb -size 7479458 diff --git a/nss-3.29.5.tar.gz b/nss-3.29.5.tar.gz new file mode 100644 index 0000000..7240f62 --- /dev/null +++ b/nss-3.29.5.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:5df483b73535d726207483f6349df23fe56aee83382b94b13298aec2e254d985 +size 7480246 diff --git a/nss-bmo1320695.patch b/nss-bmo1320695.patch new file mode 100644 index 0000000..4659d87 --- /dev/null +++ b/nss-bmo1320695.patch @@ -0,0 +1,67 @@ +# HG changeset patch +# User Daiki Ueno +# Date 1481108447 -3600 +# Wed Dec 07 12:00:47 2016 +0100 +# Branch wip/dueno/ec-session-ticket +# Node ID 86c3a4cb4eb55f50f80904796f0664e11d9b5d73 +# Parent 5796201e791e6cbffc3615cb0c894cf1b0fc09a1 +Bug 1320695 - Using SessionTicket extension along with any ECDHE-ECDSA ciphersuite renders selfserv unusable + +When session ticket is used and wrapping key pair (for caching +generated keys at server side) is not available, disable caching +instead of returning an error. + +diff --git a/lib/ssl/ssl3exthandle.c b/lib/ssl/ssl3exthandle.c +--- a/lib/ssl/ssl3exthandle.c ++++ b/lib/ssl/ssl3exthandle.c +@@ -99,21 +99,22 @@ ssl3_GenerateSessionTicketKeys(void *dat + sslSocket *ss = (sslSocket *)data; + sslServerCertType certType = { ssl_auth_rsa_decrypt, NULL }; + const sslServerCert *sc; +- SECKEYPrivateKey *svrPrivKey; +- SECKEYPublicKey *svrPubKey; ++ SECKEYPrivateKey *svrPrivKey = NULL; ++ SECKEYPublicKey *svrPubKey = NULL; + + sc = ssl_FindServerCert(ss, &certType); + if (!sc || !sc->serverKeyPair) { + SSL_DBG(("%d: SSL[%d]: No ssl_auth_rsa_decrypt cert and key pair", + SSL_GETPID(), ss->fd)); +- goto loser; +- } +- svrPrivKey = sc->serverKeyPair->privKey; +- svrPubKey = sc->serverKeyPair->pubKey; +- if (svrPrivKey == NULL || svrPubKey == NULL) { +- SSL_DBG(("%d: SSL[%d]: Pub or priv key(s) is NULL.", +- SSL_GETPID(), ss->fd)); +- goto loser; ++ } else { ++ svrPrivKey = sc->serverKeyPair->privKey; ++ svrPubKey = sc->serverKeyPair->pubKey; ++ if (svrPrivKey == NULL || svrPubKey == NULL) { ++ SSL_DBG(("%d: SSL[%d]: Pub or priv key(s) is NULL.", ++ SSL_GETPID(), ss->fd)); ++ svrPrivKey = NULL; ++ svrPubKey = NULL; ++ } + } + + /* Get a copy of the session keys from shared memory. */ +diff --git a/lib/ssl/sslsnce.c b/lib/ssl/sslsnce.c +--- a/lib/ssl/sslsnce.c ++++ b/lib/ssl/sslsnce.c +@@ -1831,9 +1831,11 @@ ssl_GetSessionTicketKeys(SECKEYPrivateKe + PRBool keysGenerated = PR_FALSE; + cacheDesc *cache = &globalCache; + +- if (!cache->cacheMem) { +- /* cache is uninitialized. Generate keys and return them +- * without caching. */ ++ if (!cache->cacheMem || !svrPrivKey || !svrPubKey) { ++ /* Generated keys cannot be cached, because: ++ * - the cache is not initialized, or ++ * - key pairs to wrap them are not available ++ * Generate keys and return them without caching. */ + return GenerateTicketKeys(pwArg, keyName, aesKey, macKey); + } +