diff --git a/mozilla-nss.changes b/mozilla-nss.changes index a67232d..be974b0 100644 --- a/mozilla-nss.changes +++ b/mozilla-nss.changes @@ -1,10 +1,12 @@ ------------------------------------------------------------------- -Sun Apr 9 08:16:21 UTC 2017 - wr@rosenauer.org +Wed Apr 12 21:21:38 UTC 2017 - wr@rosenauer.org - update to NSS 3.29.5 * Rare crashes in the base 64 decoder and encoder were fixed. (bmo#1344380) * A carry over bug in the RNG was fixed. (bmo#1345089) +- Allow use of session tickets when there is no ticket wrapping key + (boo#1015499, bmo#1320695) ------------------------------------------------------------------- Thu Mar 16 20:27:50 UTC 2017 - wr@rosenauer.org diff --git a/mozilla-nss.spec b/mozilla-nss.spec index a249bed..45445e7 100644 --- a/mozilla-nss.spec +++ b/mozilla-nss.spec @@ -51,12 +51,13 @@ Source9: pkcs11.txt Source99: %{name}.changes Patch1: nss-opt.patch Patch2: system-nspr.patch -Patch4: nss-no-rpath.patch -Patch5: renegotiate-transitional.patch -Patch6: malloc.patch -Patch7: nss-disable-ocsp-test.patch -Patch8: nss-sqlitename.patch -Patch9: nss-fix-hash.patch +Patch3: nss-no-rpath.patch +Patch4: renegotiate-transitional.patch +Patch5: malloc.patch +Patch6: nss-disable-ocsp-test.patch +Patch7: nss-sqlitename.patch +Patch8: nss-fix-hash.patch +Patch9: nss-bmo1320695.patch %define nspr_ver %(rpm -q --queryformat '%{VERSION}' mozilla-nspr) PreReq: mozilla-nspr >= %nspr_ver PreReq: libfreebl3 >= %{nss_softokn_fips_version} @@ -170,11 +171,12 @@ Mozilla project. cd nss %patch1 -p1 %patch2 -p1 +%patch3 -p1 %patch4 -p1 -%patch5 -p1 %if %suse_version > 1110 -%patch6 -p1 +%patch5 -p1 %endif +%patch6 -p1 %patch7 -p1 %patch8 -p1 %patch9 -p1 diff --git a/nss-bmo1320695.patch b/nss-bmo1320695.patch new file mode 100644 index 0000000..4659d87 --- /dev/null +++ b/nss-bmo1320695.patch @@ -0,0 +1,67 @@ +# HG changeset patch +# User Daiki Ueno +# Date 1481108447 -3600 +# Wed Dec 07 12:00:47 2016 +0100 +# Branch wip/dueno/ec-session-ticket +# Node ID 86c3a4cb4eb55f50f80904796f0664e11d9b5d73 +# Parent 5796201e791e6cbffc3615cb0c894cf1b0fc09a1 +Bug 1320695 - Using SessionTicket extension along with any ECDHE-ECDSA ciphersuite renders selfserv unusable + +When session ticket is used and wrapping key pair (for caching +generated keys at server side) is not available, disable caching +instead of returning an error. + +diff --git a/lib/ssl/ssl3exthandle.c b/lib/ssl/ssl3exthandle.c +--- a/lib/ssl/ssl3exthandle.c ++++ b/lib/ssl/ssl3exthandle.c +@@ -99,21 +99,22 @@ ssl3_GenerateSessionTicketKeys(void *dat + sslSocket *ss = (sslSocket *)data; + sslServerCertType certType = { ssl_auth_rsa_decrypt, NULL }; + const sslServerCert *sc; +- SECKEYPrivateKey *svrPrivKey; +- SECKEYPublicKey *svrPubKey; ++ SECKEYPrivateKey *svrPrivKey = NULL; ++ SECKEYPublicKey *svrPubKey = NULL; + + sc = ssl_FindServerCert(ss, &certType); + if (!sc || !sc->serverKeyPair) { + SSL_DBG(("%d: SSL[%d]: No ssl_auth_rsa_decrypt cert and key pair", + SSL_GETPID(), ss->fd)); +- goto loser; +- } +- svrPrivKey = sc->serverKeyPair->privKey; +- svrPubKey = sc->serverKeyPair->pubKey; +- if (svrPrivKey == NULL || svrPubKey == NULL) { +- SSL_DBG(("%d: SSL[%d]: Pub or priv key(s) is NULL.", +- SSL_GETPID(), ss->fd)); +- goto loser; ++ } else { ++ svrPrivKey = sc->serverKeyPair->privKey; ++ svrPubKey = sc->serverKeyPair->pubKey; ++ if (svrPrivKey == NULL || svrPubKey == NULL) { ++ SSL_DBG(("%d: SSL[%d]: Pub or priv key(s) is NULL.", ++ SSL_GETPID(), ss->fd)); ++ svrPrivKey = NULL; ++ svrPubKey = NULL; ++ } + } + + /* Get a copy of the session keys from shared memory. */ +diff --git a/lib/ssl/sslsnce.c b/lib/ssl/sslsnce.c +--- a/lib/ssl/sslsnce.c ++++ b/lib/ssl/sslsnce.c +@@ -1831,9 +1831,11 @@ ssl_GetSessionTicketKeys(SECKEYPrivateKe + PRBool keysGenerated = PR_FALSE; + cacheDesc *cache = &globalCache; + +- if (!cache->cacheMem) { +- /* cache is uninitialized. Generate keys and return them +- * without caching. */ ++ if (!cache->cacheMem || !svrPrivKey || !svrPubKey) { ++ /* Generated keys cannot be cached, because: ++ * - the cache is not initialized, or ++ * - key pairs to wrap them are not available ++ * Generate keys and return them without caching. */ + return GenerateTicketKeys(pwArg, keyName, aesKey, macKey); + } +