diff --git a/.gitignore b/.gitignore index f37de1b..1364787 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1 @@ -SOURCES/nss-util-3.16.2.tar.gz +SOURCES/nss-util-3.16.2.3.tar.gz diff --git a/.nss-util.metadata b/.nss-util.metadata index aa9ac64..18acf54 100644 --- a/.nss-util.metadata +++ b/.nss-util.metadata @@ -1 +1 @@ -b0daf5ef12d60579867aaeccc52d1a772d6d45f7 SOURCES/nss-util-3.16.2.tar.gz +7caf9def7d49b78e081522da65c409c7c9d05f6b SOURCES/nss-util-3.16.2.3.tar.gz diff --git a/SOURCES/cve-2014-1568-utils.patch b/SOURCES/cve-2014-1568-utils.patch deleted file mode 100644 index 2b55e28..0000000 --- a/SOURCES/cve-2014-1568-utils.patch +++ /dev/null @@ -1,273 +0,0 @@ -angeset patch -# User Kai Engert -# Date 1411493332 -7200 -# Node ID fb7208e91ae8e819b38a80480f816efb32fbfab3 -# Parent 4e90910ad2f9741978820ec2314b12a504d78c4e -Fix bug 1064636, patch part 1, r=rrelyea - -diff --git a/lib/util/manifest.mn b/lib/util/manifest.mn ---- a/lib/util/manifest.mn -+++ b/lib/util/manifest.mn -@@ -17,16 +17,17 @@ EXPORTS = \ - nssrwlkt.h \ - nssutil.h \ - pkcs11.h \ - pkcs11f.h \ - pkcs11p.h \ - pkcs11t.h \ - pkcs11n.h \ - pkcs11u.h \ -+ pkcs1sig.h \ - portreg.h \ - secasn1.h \ - secasn1t.h \ - seccomon.h \ - secder.h \ - secdert.h \ - secdig.h \ - secdigt.h \ -@@ -53,16 +54,17 @@ CSRCS = \ - dersubr.c \ - dertime.c \ - errstrs.c \ - nssb64d.c \ - nssb64e.c \ - nssrwlk.c \ - nssilock.c \ - oidstring.c \ -+ pkcs1sig.c \ - portreg.c \ - secalgid.c \ - secasn1d.c \ - secasn1e.c \ - secasn1u.c \ - secitem.c \ - secload.c \ - secoid.c \ -diff --git a/lib/util/nssutil.def b/lib/util/nssutil.def ---- a/lib/util/nssutil.def -+++ b/lib/util/nssutil.def -@@ -266,8 +266,14 @@ NSSUTIL_QuoteSize; - SECITEM_AllocArray; - SECITEM_DupArray; - SECITEM_FreeArray; - SECITEM_ReallocItemV2; - SECITEM_ZfreeArray; - ;+ local: - ;+ *; - ;+}; -+;+NSSUTIL_3.17.1 { # NSS Utilities 3.17.1 release -+;+ global: -+_SGN_VerifyPKCS1DigestInfo; -+;+ local: -+;+ *; -+;+}; -diff --git a/lib/util/pkcs1sig.c b/lib/util/pkcs1sig.c -new file mode 100644 ---- /dev/null -+++ b/lib/util/pkcs1sig.c -@@ -0,0 +1,169 @@ -+/* This Source Code Form is subject to the terms of the Mozilla Public -+ * License, v. 2.0. If a copy of the MPL was not distributed with this -+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. -+ */ -+ -+#include "pkcs1sig.h" -+#include "hasht.h" -+#include "secerr.h" -+#include "secasn1t.h" -+#include "secoid.h" -+ -+typedef struct pkcs1PrefixStr pkcs1Prefix; -+struct pkcs1PrefixStr { -+ unsigned int len; -+ PRUint8 *data; -+}; -+ -+typedef struct pkcs1PrefixesStr pkcs1Prefixes; -+struct pkcs1PrefixesStr { -+ unsigned int digestLen; -+ pkcs1Prefix prefixWithParams; -+ pkcs1Prefix prefixWithoutParams; -+}; -+ -+/* The value for SGN_PKCS1_DIGESTINFO_MAX_PREFIX_LEN_EXCLUDING_OID is based on -+ * the possible prefix encodings as explained below. -+ */ -+#define MAX_PREFIX_LEN_EXCLUDING_OID 10 -+ -+static SECStatus -+encodePrefix(const SECOidData *hashOid, unsigned int digestLen, -+ pkcs1Prefix *prefix, PRBool withParams) -+{ -+ /* with params coding is: -+ * Sequence (2 bytes) { -+ * Sequence (2 bytes) { -+ * Oid (2 bytes) { -+ * Oid value (derOid->oid.len) -+ * } -+ * NULL (2 bytes) -+ * } -+ * OCTECT (2 bytes); -+ * -+ * without params coding is: -+ * Sequence (2 bytes) { -+ * Sequence (2 bytes) { -+ * Oid (2 bytes) { -+ * Oid value (derOid->oid.len) -+ * } -+ * } -+ * OCTECT (2 bytes); -+ */ -+ -+ unsigned int innerSeqLen = 2 + hashOid->oid.len; -+ unsigned int outerSeqLen = 2 + innerSeqLen + 2 + digestLen; -+ unsigned int extra = 0; -+ -+ if (withParams) { -+ innerSeqLen += 2; -+ outerSeqLen += 2; -+ extra = 2; -+ } -+ -+ if (innerSeqLen >= 128 || -+ outerSeqLen >= 128 || -+ (outerSeqLen + 2 - digestLen) > -+ (MAX_PREFIX_LEN_EXCLUDING_OID + hashOid->oid.len)) { -+ /* this is actually a library failure, It shouldn't happen */ -+ PORT_SetError(SEC_ERROR_INVALID_ARGS); -+ return SECFailure; -+ } -+ -+ prefix->len = 6 + hashOid->oid.len + extra + 2; -+ prefix->data = PORT_Alloc(prefix->len); -+ if (!prefix->data) { -+ PORT_SetError(SEC_ERROR_NO_MEMORY); -+ return SECFailure; -+ } -+ -+ prefix->data[0] = SEC_ASN1_SEQUENCE|SEC_ASN1_CONSTRUCTED; -+ prefix->data[1] = outerSeqLen; -+ prefix->data[2] = SEC_ASN1_SEQUENCE|SEC_ASN1_CONSTRUCTED; -+ prefix->data[3] = innerSeqLen; -+ prefix->data[4] = SEC_ASN1_OBJECT_ID; -+ prefix->data[5] = hashOid->oid.len; -+ PORT_Memcpy(&prefix->data[6], hashOid->oid.data, hashOid->oid.len); -+ if (withParams) { -+ prefix->data[6 + hashOid->oid.len] = SEC_ASN1_NULL; -+ prefix->data[6 + hashOid->oid.len + 1] = 0; -+ } -+ prefix->data[6 + hashOid->oid.len + extra] = SEC_ASN1_OCTET_STRING; -+ prefix->data[6 + hashOid->oid.len + extra + 1] = digestLen; -+ -+ return SECSuccess; -+} -+ -+SECStatus -+_SGN_VerifyPKCS1DigestInfo(SECOidTag digestAlg, -+ const SECItem* digest, -+ const SECItem* dataRecoveredFromSignature, -+ PRBool unsafeAllowMissingParameters) -+{ -+ SECOidData *hashOid; -+ pkcs1Prefixes pp; -+ const pkcs1Prefix* expectedPrefix; -+ SECStatus rv, rv2, rv3; -+ -+ if (!digest || !digest->data || -+ !dataRecoveredFromSignature || !dataRecoveredFromSignature->data) { -+ PORT_SetError(SEC_ERROR_INVALID_ARGS); -+ return SECFailure; -+ } -+ -+ hashOid = SECOID_FindOIDByTag(digestAlg); -+ if (hashOid == NULL) { -+ PORT_SetError(SEC_ERROR_INVALID_ARGS); -+ return SECFailure; -+ } -+ -+ pp.digestLen = digest->len; -+ pp.prefixWithParams.data = NULL; -+ pp.prefixWithoutParams.data = NULL; -+ -+ rv2 = encodePrefix(hashOid, pp.digestLen, &pp.prefixWithParams, PR_TRUE); -+ rv3 = encodePrefix(hashOid, pp.digestLen, &pp.prefixWithoutParams, PR_FALSE); -+ -+ rv = SECSuccess; -+ if (rv2 != SECSuccess || rv3 != SECSuccess) { -+ rv = SECFailure; -+ } -+ -+ if (rv == SECSuccess) { -+ /* We don't attempt to avoid timing attacks on these comparisons because -+ * signature verification is a public key operation, not a private key -+ * operation. -+ */ -+ -+ if (dataRecoveredFromSignature->len == -+ pp.prefixWithParams.len + pp.digestLen) { -+ expectedPrefix = &pp.prefixWithParams; -+ } else if (unsafeAllowMissingParameters && -+ dataRecoveredFromSignature->len == -+ pp.prefixWithoutParams.len + pp.digestLen) { -+ expectedPrefix = &pp.prefixWithoutParams; -+ } else { -+ PORT_SetError(SEC_ERROR_BAD_SIGNATURE); -+ rv = SECFailure; -+ } -+ } -+ -+ if (rv == SECSuccess) { -+ if (memcmp(dataRecoveredFromSignature->data, expectedPrefix->data, -+ expectedPrefix->len) || -+ memcmp(dataRecoveredFromSignature->data + expectedPrefix->len, -+ digest->data, digest->len)) { -+ PORT_SetError(SEC_ERROR_BAD_SIGNATURE); -+ rv = SECFailure; -+ } -+ } -+ -+ if (pp.prefixWithParams.data) { -+ PORT_Free(pp.prefixWithParams.data); -+ } -+ if (pp.prefixWithoutParams.data) { -+ PORT_Free(pp.prefixWithoutParams.data); -+ } -+ -+ return rv; -+} -diff --git a/lib/util/pkcs1sig.h b/lib/util/pkcs1sig.h -new file mode 100644 ---- /dev/null -+++ b/lib/util/pkcs1sig.h -@@ -0,0 +1,30 @@ -+/* This Source Code Form is subject to the terms of the Mozilla Public -+ * License, v. 2.0. If a copy of the MPL was not distributed with this -+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. -+ */ -+ -+#ifndef _PKCS1SIG_H_ -+#define _PKCS1SIG_H_ -+ -+#include "hasht.h" -+#include "seccomon.h" -+#include "secoidt.h" -+ -+/* SGN_VerifyPKCS1DigestInfo verifies that the length of the digest is correct -+ * for the given algorithm, then verifies that the recovered data from the -+ * PKCS#1 signature is a properly-formatted DigestInfo that identifies the -+ * given digest algorithm, then verifies that the digest in the DigestInfo -+ * matches the given digest. -+ * -+ * dataRecoveredFromSignature must be the result of calling PK11_VerifyRecover -+ * or equivalent. -+ * -+ * If unsafeAllowMissingParameters is true (not recommended), then a DigestInfo -+ * without the mandatory ASN.1 NULL parameter will also be accepted. -+ */ -+SECStatus _SGN_VerifyPKCS1DigestInfo(SECOidTag digestAlg, -+ const SECItem* digest, -+ const SECItem* dataRecoveredFromSignature, -+ PRBool unsafeAllowMissingParameters); -+ -+#endif /* _PKCS1SIG_H_ */ diff --git a/SPECS/nss-util.spec b/SPECS/nss-util.spec index 5f874ad..177d75f 100644 --- a/SPECS/nss-util.spec +++ b/SPECS/nss-util.spec @@ -2,8 +2,8 @@ Summary: Network Security Services Utilities Library Name: nss-util -Version: 3.16.2 -Release: 2%{?dist} +Version: 3.16.2.3 +Release: 1%{?dist} License: MPLv2.0 URL: http://www.mozilla.org/projects/security/pki/nss/ Group: System Environment/Libraries @@ -33,8 +33,6 @@ Source3: nss-util-config.in Patch1: build-nss-util-only.patch Patch2: hasht-dont-include-prtypes.patch -# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1064636 -Patch6: cve-2014-1568-utils.patch Patch7: pkcs1sig-include-prtypes.patch %description @@ -58,9 +56,6 @@ Header and library files for doing development with Network Security Services. %setup -q %patch1 -p0 -b .utilonly %patch2 -p0 -b .prtypes -pushd nss -%patch6 -p1 -b .cve-2014-1568 -popd %patch7 -p0 -b .include_prtypes @@ -228,6 +223,9 @@ done %{_includedir}/nss3/templates/templates.c %changelog +* Wed Nov 19 2014 Elio Maldonado - 3.16.2.1-1 +- Resolves: Bug 1165525 - Upgrade to NSS 3.16.2.3 for Firefox 31.3 + * Tue Sep 23 2014 Elio Maldonado - 3.16.2-2 - Resolves: bug 1145433 - CVE-2014-1568