From 716a00cd379c22440e8fd5f35a9547476045d010 Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Sep 01 2015 05:35:34 +0000 Subject: import nss-softokn-3.16.2.3-13.el7_1 --- diff --git a/SOURCES/CheckForPeqQ-or-PnoteqQ-before-adding-P-and-Q.patch b/SOURCES/CheckForPeqQ-or-PnoteqQ-before-adding-P-and-Q.patch new file mode 100644 index 0000000..d9d49d9 --- /dev/null +++ b/SOURCES/CheckForPeqQ-or-PnoteqQ-before-adding-P-and-Q.patch @@ -0,0 +1,64 @@ +# HG changeset patch +# User Wan-Teh Chang +# Date 1430759760 25200 +# Node ID 2c05e861ce070a1c29083b00f987cc930974909d +# Parent ca159a08d006b28aff5b66545f9782a4a0e53349 +Bug 1125025: Check for P == Q or P == -Q before adding P and Q. +Check for P == -P before doubling P. r=rrelyea. + +diff --git a/lib/freebl/ecl/ecp_jac.c b/lib/freebl/ecl/ecp_jac.c +--- a/lib/freebl/ecl/ecp_jac.c ++++ b/lib/freebl/ecl/ecp_jac.c +@@ -139,16 +139,30 @@ ec_GFp_pt_add_jac_aff(const mp_int *px, + MP_CHECKOK(group->meth->field_mul(&A, pz, &B, group->meth)); + MP_CHECKOK(group->meth->field_mul(&A, qx, &A, group->meth)); + MP_CHECKOK(group->meth->field_mul(&B, qy, &B, group->meth)); + + /* C = A - px, D = B - py */ + MP_CHECKOK(group->meth->field_sub(&A, px, &C, group->meth)); + MP_CHECKOK(group->meth->field_sub(&B, py, &D, group->meth)); + ++ if (mp_cmp_z(&C) == 0) { ++ /* P == Q or P == -Q */ ++ if (mp_cmp_z(&D) == 0) { ++ /* P == Q */ ++ /* It is cheaper to double (qx, qy, 1) than (px, py, pz). */ ++ MP_DIGIT(&D, 0) = 1; /* Set D to 1. */ ++ MP_CHECKOK(ec_GFp_pt_dbl_jac(qx, qy, &D, rx, ry, rz, group)); ++ } else { ++ /* P == -Q */ ++ MP_CHECKOK(ec_GFp_pt_set_inf_jac(rx, ry, rz)); ++ } ++ goto CLEANUP; ++ } ++ + /* C2 = C^2, C3 = C^3 */ + MP_CHECKOK(group->meth->field_sqr(&C, &C2, group->meth)); + MP_CHECKOK(group->meth->field_mul(&C, &C2, &C3, group->meth)); + + /* rz = pz * C */ + MP_CHECKOK(group->meth->field_mul(pz, &C, rz, group->meth)); + + /* C = px * C^2 */ +@@ -200,17 +214,18 @@ ec_GFp_pt_dbl_jac(const mp_int *px, cons + MP_DIGITS(&t1) = 0; + MP_DIGITS(&M) = 0; + MP_DIGITS(&S) = 0; + MP_CHECKOK(mp_init(&t0)); + MP_CHECKOK(mp_init(&t1)); + MP_CHECKOK(mp_init(&M)); + MP_CHECKOK(mp_init(&S)); + +- if (ec_GFp_pt_is_inf_jac(px, py, pz) == MP_YES) { ++ /* P == inf or P == -P */ ++ if (ec_GFp_pt_is_inf_jac(px, py, pz) == MP_YES || mp_cmp_z(py) == 0) { + MP_CHECKOK(ec_GFp_pt_set_inf_jac(rx, ry, rz)); + goto CLEANUP; + } + + if (mp_cmp_d(pz, 1) == 0) { + /* M = 3 * px^2 + a */ + MP_CHECKOK(group->meth->field_sqr(px, &t0, group->meth)); + MP_CHECKOK(group->meth->field_add(&t0, &t0, &M, group->meth)); + + diff --git a/SPECS/nss-softokn.spec b/SPECS/nss-softokn.spec index c8a836b..86a4147 100644 --- a/SPECS/nss-softokn.spec +++ b/SPECS/nss-softokn.spec @@ -1,4 +1,4 @@ -%global nspr_version 4.10.6 +%global nspr_version 4.10.8 %global nss_name nss %global nss_util_version 3.19.1 %global unsupported_tools_directory %{_libdir}/nss/unsupported-tools @@ -31,7 +31,7 @@ Summary: Network Security Services Softoken Module Name: nss-softokn Version: 3.16.2.3 -Release: 12%{?dist} +Release: 13%{?dist} License: MPLv2.0 URL: http://www.mozilla.org/projects/security/pki/nss/ Group: System Environment/Libraries @@ -83,6 +83,11 @@ Patch12: additional-covscan-fixes.patch Patch13: nss-softokn-3.16-tls12-mechanisms.patch Patch14: nss-softokn-3.16-sha384-key-derive.patch +# Patch related to CVE-2015-2730 +# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1125025 +# from https://hg.mozilla.org/projects/nss/rev/2c05e861ce07 +Patch102: CheckForPeqQ-or-PnoteqQ-before-adding-P-and-Q.patch + # FIPS update Patch80: nss-softokn-3.16-fips-post.patch @@ -182,6 +187,9 @@ pushd nss %patch13 -p1 -b .1212106 popd %patch14 -p1 -b .sha384_key_derive +pushd nss +%patch102 -p1 -b .extra_check +popd %build @@ -487,6 +495,10 @@ done %{_includedir}/nss3/shsign.h %changelog +* Fri Aug 07 2015 Elio Maldonado - 3.16.2.3-13 +- Pick up upstream freebl patch for CVE-2015-2730 +- Check for P == Q or P ==-Q before adding P and Q + * Wed Jun 24 2015 Elio Maldonado - 3.16.2.3-12 - Bump nss_util_version to 3.19.1