pool/mozilla-nss
SHA256
2
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

- Allow use of session tickets when there is no ticket wrapping key

Browse Source 
(boo#1015499, bmo#1320695)

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/mozilla-nss?expand=0&rev=238
This commit is contained in:
Wolfgang Rosenauer 2017-04-12 21:26:25 +00:00 committed by Git OBS Bridge
parent 32ecde7ac4
commit c072bb869b
3 changed files with 80 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
mozilla-nss.changes
View File

@ -1,10 +1,12 @@
------------------------------------------------------------------- -------------------------------------------------------------------
Sun Apr 9 08:16:21 UTC 2017 - wr@rosenauer.org Wed Apr 12 21:21:38 UTC 2017 - wr@rosenauer.org
- update to NSS 3.29.5 - update to NSS 3.29.5
* Rare crashes in the base 64 decoder and encoder were fixed. * Rare crashes in the base 64 decoder and encoder were fixed.
(bmo#1344380) (bmo#1344380)
* A carry over bug in the RNG was fixed. (bmo#1345089) * A carry over bug in the RNG was fixed. (bmo#1345089)
- Allow use of session tickets when there is no ticket wrapping key
(boo#1015499, bmo#1320695)
------------------------------------------------------------------- -------------------------------------------------------------------
Thu Mar 16 20:27:50 UTC 2017 - wr@rosenauer.org Thu Mar 16 20:27:50 UTC 2017 - wr@rosenauer.org

18
mozilla-nss.spec
View File

@ -51,12 +51,13 @@ Source9: pkcs11.txt
Source99: %{name}.changes Source99: %{name}.changes
Patch1: nss-opt.patch Patch1: nss-opt.patch
Patch2: system-nspr.patch Patch2: system-nspr.patch
Patch4: nss-no-rpath.patch Patch3: nss-no-rpath.patch
Patch5: renegotiate-transitional.patch Patch4: renegotiate-transitional.patch
Patch6: malloc.patch Patch5: malloc.patch
Patch7: nss-disable-ocsp-test.patch Patch6: nss-disable-ocsp-test.patch
Patch8: nss-sqlitename.patch Patch7: nss-sqlitename.patch
Patch9: nss-fix-hash.patch Patch8: nss-fix-hash.patch
Patch9: nss-bmo1320695.patch
%define nspr_ver %(rpm -q --queryformat '%{VERSION}' mozilla-nspr) %define nspr_ver %(rpm -q --queryformat '%{VERSION}' mozilla-nspr)
PreReq: mozilla-nspr >= %nspr_ver PreReq: mozilla-nspr >= %nspr_ver
PreReq: libfreebl3 >= %{nss_softokn_fips_version} PreReq: libfreebl3 >= %{nss_softokn_fips_version}
@ -170,11 +171,12 @@ Mozilla project.
cd nss cd nss
%patch1 -p1 %patch1 -p1
%patch2 -p1 %patch2 -p1
%patch3 -p1
%patch4 -p1 %patch4 -p1
%patch5 -p1
%if %suse_version > 1110 %if %suse_version > 1110
%patch6 -p1 %patch5 -p1
%endif %endif
%patch6 -p1
%patch7 -p1 %patch7 -p1
%patch8 -p1 %patch8 -p1
%patch9 -p1 %patch9 -p1

67
nss-bmo1320695.patch Normal file
View File

@ -0,0 +1,67 @@
# HG changeset patch
# User Daiki Ueno <dueno@redhat.com>
# Date 1481108447 -3600
# Wed Dec 07 12:00:47 2016 +0100
# Branch wip/dueno/ec-session-ticket
# Node ID 86c3a4cb4eb55f50f80904796f0664e11d9b5d73
# Parent 5796201e791e6cbffc3615cb0c894cf1b0fc09a1
Bug 1320695 - Using SessionTicket extension along with any ECDHE-ECDSA ciphersuite renders selfserv unusable
When session ticket is used and wrapping key pair (for caching
generated keys at server side) is not available, disable caching
instead of returning an error.
diff --git a/lib/ssl/ssl3exthandle.c b/lib/ssl/ssl3exthandle.c
--- a/lib/ssl/ssl3exthandle.c
+++ b/lib/ssl/ssl3exthandle.c
@@ -99,21 +99,22 @@ ssl3_GenerateSessionTicketKeys(void *dat
sslSocket *ss = (sslSocket *)data;
sslServerCertType certType = { ssl_auth_rsa_decrypt, NULL };
const sslServerCert *sc;
- SECKEYPrivateKey *svrPrivKey;
- SECKEYPublicKey *svrPubKey;
+ SECKEYPrivateKey *svrPrivKey = NULL;
+ SECKEYPublicKey *svrPubKey = NULL;
sc = ssl_FindServerCert(ss, &certType);
if (!sc || !sc->serverKeyPair) {
SSL_DBG(("%d: SSL[%d]: No ssl_auth_rsa_decrypt cert and key pair",
SSL_GETPID(), ss->fd));
- goto loser;
- }
- svrPrivKey = sc->serverKeyPair->privKey;
- svrPubKey = sc->serverKeyPair->pubKey;
- if (svrPrivKey == NULL || svrPubKey == NULL) {
- SSL_DBG(("%d: SSL[%d]: Pub or priv key(s) is NULL.",
- SSL_GETPID(), ss->fd));
- goto loser;
+ } else {
+ svrPrivKey = sc->serverKeyPair->privKey;
+ svrPubKey = sc->serverKeyPair->pubKey;
+ if (svrPrivKey == NULL || svrPubKey == NULL) {
+ SSL_DBG(("%d: SSL[%d]: Pub or priv key(s) is NULL.",
+ SSL_GETPID(), ss->fd));
+ svrPrivKey = NULL;
+ svrPubKey = NULL;
+ }
}
/* Get a copy of the session keys from shared memory. */
diff --git a/lib/ssl/sslsnce.c b/lib/ssl/sslsnce.c
--- a/lib/ssl/sslsnce.c
+++ b/lib/ssl/sslsnce.c
@@ -1831,9 +1831,11 @@ ssl_GetSessionTicketKeys(SECKEYPrivateKe
PRBool keysGenerated = PR_FALSE;
cacheDesc *cache = &globalCache;
- if (!cache->cacheMem) {
- /* cache is uninitialized. Generate keys and return them
- * without caching. */
+ if (!cache->cacheMem || !svrPrivKey || !svrPubKey) {
+ /* Generated keys cannot be cached, because:
+ * - the cache is not initialized, or
+ * - key pairs to wrap them are not available
+ * Generate keys and return them without caching. */
return GenerateTicketKeys(pwArg, keyName, aesKey, macKey);
}