From ad495a7d5e81336c73e85a34ea9491f08a6c63a3 Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Apr 20 2017 01:02:06 +0000 Subject: import nss-3.28.4-1.0.el7_3 --- diff --git a/.gitignore b/.gitignore index 1d16491..dac23b7 100644 --- a/.gitignore +++ b/.gitignore @@ -9,7 +9,7 @@ SOURCES/cert8.db.xml SOURCES/cert9.db.xml SOURCES/key3.db.xml SOURCES/key4.db.xml -SOURCES/nss-3.28.2.tar.gz +SOURCES/nss-3.28.4.tar.gz SOURCES/nss-config.xml SOURCES/nss-pem-20140125.tar.bz2 SOURCES/secmod.db.xml diff --git a/.nss.metadata b/.nss.metadata index bb1ad7d..abcc374 100644 --- a/.nss.metadata +++ b/.nss.metadata @@ -9,7 +9,7 @@ bd748cf6e1465a1bbe6e751b72ffc0076aff0b50 SOURCES/blank-secmod.db 7cbb7841b1aefe52534704bf2a4358bfea1aa477 SOURCES/cert9.db.xml 24c123810543ff0f6848647d6d910744e275fb01 SOURCES/key3.db.xml af51b16a56fda1f7525a0eed3ecbdcbb4133be0c SOURCES/key4.db.xml -4f972f53cef8f87416a12199863e1ec043f0050d SOURCES/nss-3.28.2.tar.gz +f358559b9c058ec9ee54cca222722c671131f5cb SOURCES/nss-3.28.4.tar.gz 2905c9b06e7e686c9e3c0b5736a218766d4ae4c2 SOURCES/nss-config.xml 66f2060c35f4e97bdfa163e8bd7cb2ef5e8125d8 SOURCES/nss-pem-20140125.tar.bz2 ca9ebf79c1437169a02527c18b1e3909943c4be9 SOURCES/secmod.db.xml diff --git a/SOURCES/nss-ecpoint-encoding.patch b/SOURCES/nss-ecpoint-encoding.patch deleted file mode 100644 index 2577621..0000000 --- a/SOURCES/nss-ecpoint-encoding.patch +++ /dev/null @@ -1,330 +0,0 @@ - -# HG changeset patch -# User Kai Engert -# Date 1487329827 -3600 -# Node ID 0050234a859c2aac2cf8cb5092218191300b1901 -# Parent 0e25df041c8fdc8610c6f227084d11eb8ad81149 -Bug 1340103, Introduction of SECKEYECPublicKey.encoding in NSS 3.28 broke ABI, r=rrelyea/mt - -diff --git a/lib/cryptohi/keyi.h b/lib/cryptohi/keyi.h ---- a/lib/cryptohi/keyi.h -+++ b/lib/cryptohi/keyi.h -@@ -12,18 +12,11 @@ SEC_BEGIN_PROTOS - KeyType seckey_GetKeyType(SECOidTag pubKeyOid); - - /* extract the 'encryption' (could be signing) and hash oids from and - * algorithm, key and parameters (parameters is the parameters field - * of a algorithm ID structure (SECAlgorithmID)*/ - SECStatus sec_DecodeSigAlg(const SECKEYPublicKey *key, SECOidTag sigAlg, - const SECItem *param, SECOidTag *encalg, SECOidTag *hashalg); - --/* -- * Set the point encoding of a SECKEYPublicKey from the OID. -- * This has to be called on any SECKEYPublicKey holding a SECKEYECPublicKey -- * before it can be used. The encoding is used to dermine the public key size. -- */ --SECStatus seckey_SetPointEncoding(PLArenaPool *arena, SECKEYPublicKey *pubKey); -- - SEC_END_PROTOS - - #endif /* _KEYHI_H_ */ -diff --git a/lib/cryptohi/keythi.h b/lib/cryptohi/keythi.h ---- a/lib/cryptohi/keythi.h -+++ b/lib/cryptohi/keythi.h -@@ -120,19 +120,19 @@ typedef struct SECKEYDHPublicKeyStr SECK - ** Elliptic curve Public Key structure - ** The PKCS#11 layer needs DER encoding of ANSI X9.62 - ** parameters value - */ - typedef SECItem SECKEYECParams; - - struct SECKEYECPublicKeyStr { - SECKEYECParams DEREncodedParams; -- int size; /* size in bits */ -- SECItem publicValue; /* encoded point */ -- ECPointEncoding encoding; -+ int size; /* size in bits */ -+ SECItem publicValue; /* encoded point */ -+ ECPointEncoding encoding; /* deprecated, ignored */ - }; - typedef struct SECKEYECPublicKeyStr SECKEYECPublicKey; - - /* - ** FORTEZZA Public Key structures - */ - struct SECKEYFortezzaPublicKeyStr { - int KEAversion; -diff --git a/lib/cryptohi/seckey.c b/lib/cryptohi/seckey.c ---- a/lib/cryptohi/seckey.c -+++ b/lib/cryptohi/seckey.c -@@ -542,16 +542,33 @@ seckey_GetKeyType(SECOidTag tag) - - /* Function used to determine what kind of cert we are dealing with. */ - KeyType - CERT_GetCertKeyType(const CERTSubjectPublicKeyInfo *spki) - { - return seckey_GetKeyType(SECOID_GetAlgorithmTag(&spki->algorithm)); - } - -+/* Ensure pubKey contains an OID */ -+static SECStatus -+seckey_HasCurveOID(const SECKEYPublicKey *pubKey) -+{ -+ SECItem oid; -+ SECStatus rv; -+ PORTCheapArenaPool tmpArena; -+ -+ PORT_InitCheapArena(&tmpArena, DER_DEFAULT_CHUNKSIZE); -+ /* If we can decode it, an OID is available. */ -+ rv = SEC_QuickDERDecodeItem(&tmpArena.arena, &oid, -+ SEC_ASN1_GET(SEC_ObjectIDTemplate), -+ &pubKey->u.ec.DEREncodedParams); -+ PORT_DestroyCheapArena(&tmpArena); -+ return rv; -+} -+ - static SECKEYPublicKey * - seckey_ExtractPublicKey(const CERTSubjectPublicKeyInfo *spki) - { - SECKEYPublicKey *pubk; - SECItem os, newOs, newParms; - SECStatus rv; - PLArenaPool *arena; - SECOidTag tag; -@@ -634,17 +651,18 @@ seckey_ExtractPublicKey(const CERTSubjec - &spki->algorithm.parameters); - if (rv != SECSuccess) { - break; - } - rv = SECITEM_CopyItem(arena, &pubk->u.ec.publicValue, &newOs); - if (rv != SECSuccess) { - break; - } -- rv = seckey_SetPointEncoding(arena, pubk); -+ pubk->u.ec.encoding = ECPoint_Undefined; -+ rv = seckey_HasCurveOID(pubk); - if (rv == SECSuccess) { - return pubk; - } - break; - - default: - PORT_SetError(SEC_ERROR_UNSUPPORTED_KEYALG); - break; -@@ -1157,26 +1175,26 @@ SECKEY_CopyPublicKey(const SECKEYPublicK - rv = SECITEM_CopyItem(arena, ©k->u.dh.base, &pubk->u.dh.base); - if (rv != SECSuccess) - break; - rv = SECITEM_CopyItem(arena, ©k->u.dh.publicValue, - &pubk->u.dh.publicValue); - break; - case ecKey: - copyk->u.ec.size = pubk->u.ec.size; -+ rv = seckey_HasCurveOID(pubk); -+ if (rv != SECSuccess) { -+ break; -+ } - rv = SECITEM_CopyItem(arena, ©k->u.ec.DEREncodedParams, - &pubk->u.ec.DEREncodedParams); - if (rv != SECSuccess) { - break; - } -- rv = seckey_SetPointEncoding(arena, copyk); -- if (rv != SECSuccess) { -- break; -- } -- PORT_Assert(copyk->u.ec.encoding == pubk->u.ec.encoding); -+ copyk->u.ec.encoding = ECPoint_Undefined; - rv = SECITEM_CopyItem(arena, ©k->u.ec.publicValue, - &pubk->u.ec.publicValue); - break; - case nullKey: - return copyk; - default: - PORT_SetError(SEC_ERROR_INVALID_KEY); - rv = SECFailure; -@@ -1938,44 +1956,8 @@ SECKEY_GetECCOid(const SECKEYECParams *p - return 0; - oid.len = params->len - 2; - oid.data = params->data + 2; - if ((oidData = SECOID_FindOID(&oid)) == NULL) - return 0; - - return oidData->offset; - } -- --/* Set curve encoding in SECKEYECPublicKey in pubKey from OID. -- * If the encoding is not set, determining the key size of EC public keys will -- * fail. -- */ --SECStatus --seckey_SetPointEncoding(PLArenaPool *arena, SECKEYPublicKey *pubKey) --{ -- SECItem oid; -- SECOidTag tag; -- SECStatus rv; -- -- /* decode the OID tag */ -- rv = SEC_QuickDERDecodeItem(arena, &oid, SEC_ASN1_GET(SEC_ObjectIDTemplate), -- &pubKey->u.ec.DEREncodedParams); -- if (rv != SECSuccess) { -- return SECFailure; -- } -- -- tag = SECOID_FindOIDTag(&oid); -- switch (tag) { -- case SEC_OID_CURVE25519: -- pubKey->u.ec.encoding = ECPoint_XOnly; -- break; -- case SEC_OID_SECG_EC_SECP256R1: -- /* fall through */ -- case SEC_OID_SECG_EC_SECP384R1: -- /* fall through */ -- case SEC_OID_SECG_EC_SECP521R1: -- /* fall through */ -- default: -- /* unknown curve, default to uncompressed */ -- pubKey->u.ec.encoding = ECPoint_Uncompressed; -- } -- return SECSuccess; --} -diff --git a/lib/pk11wrap/pk11akey.c b/lib/pk11wrap/pk11akey.c ---- a/lib/pk11wrap/pk11akey.c -+++ b/lib/pk11wrap/pk11akey.c -@@ -760,22 +760,20 @@ PK11_ExtractPublicKey(PK11SlotInfo *slot - crv = CKR_OBJECT_HANDLE_INVALID; - break; - } - - crv = pk11_Attr2SecItem(arena, ecparams, - &pubKey->u.ec.DEREncodedParams); - if (crv != CKR_OK) - break; -+ pubKey->u.ec.encoding = ECPoint_Undefined; - crv = pk11_get_Decoded_ECPoint(arena, - &pubKey->u.ec.DEREncodedParams, value, - &pubKey->u.ec.publicValue); -- if (seckey_SetPointEncoding(arena, pubKey) != SECSuccess) { -- crv |= CKR_GENERAL_ERROR; -- } - break; - case fortezzaKey: - case nullKey: - default: - crv = CKR_OBJECT_HANDLE_INVALID; - break; - } - -diff --git a/lib/pk11wrap/pk11skey.c b/lib/pk11wrap/pk11skey.c ---- a/lib/pk11wrap/pk11skey.c -+++ b/lib/pk11wrap/pk11skey.c -@@ -2032,27 +2032,62 @@ PK11_PubDerive(SECKEYPrivateKey *privKey - PORT_SetError(PK11_MapError(crv)); - } - } - - PK11_FreeSymKey(symKey); - return NULL; - } - -+/* Test for curves that are known to use a special encoding. -+ * Extend this function when additional curves are added. */ -+static ECPointEncoding -+pk11_ECGetPubkeyEncoding(const SECKEYPublicKey *pubKey) -+{ -+ SECItem oid; -+ SECStatus rv; -+ PORTCheapArenaPool tmpArena; -+ ECPointEncoding encoding = ECPoint_Undefined; -+ -+ PORT_InitCheapArena(&tmpArena, DER_DEFAULT_CHUNKSIZE); -+ -+ /* decode the OID tag */ -+ rv = SEC_QuickDERDecodeItem(&tmpArena.arena, &oid, -+ SEC_ASN1_GET(SEC_ObjectIDTemplate), -+ &pubKey->u.ec.DEREncodedParams); -+ if (rv == SECSuccess) { -+ SECOidTag tag = SECOID_FindOIDTag(&oid); -+ switch (tag) { -+ case SEC_OID_CURVE25519: -+ encoding = ECPoint_XOnly; -+ break; -+ case SEC_OID_SECG_EC_SECP256R1: -+ case SEC_OID_SECG_EC_SECP384R1: -+ case SEC_OID_SECG_EC_SECP521R1: -+ default: -+ /* unknown curve, default to uncompressed */ -+ encoding = ECPoint_Uncompressed; -+ } -+ } -+ PORT_DestroyCheapArena(&tmpArena); -+ return encoding; -+} -+ - /* Returns the size of the public key, or 0 if there - * is an error. */ - static CK_ULONG - pk11_ECPubKeySize(SECKEYPublicKey *pubKey) - { - SECItem *publicValue = &pubKey->u.ec.publicValue; - -- if (pubKey->u.ec.encoding == ECPoint_XOnly) { -+ ECPointEncoding encoding = pk11_ECGetPubkeyEncoding(pubKey); -+ if (encoding == ECPoint_XOnly) { - return publicValue->len; - } -- if (publicValue->data[0] == 0x04) { -+ if (encoding == ECPoint_Uncompressed) { - /* key encoded in uncompressed form */ - return ((publicValue->len - 1) / 2); - } - /* key encoding not recognized */ - return 0; - } - - static PK11SymKey * -diff --git a/lib/ssl/ssl3ecc.c b/lib/ssl/ssl3ecc.c ---- a/lib/ssl/ssl3ecc.c -+++ b/lib/ssl/ssl3ecc.c -@@ -298,17 +298,17 @@ ssl3_HandleECDHClientKeyExchange(sslSock - PORT_Assert(ss->opt.noLocks || ssl_HaveRecvBufLock(ss)); - PORT_Assert(ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); - - clntPubKey.keyType = ecKey; - clntPubKey.u.ec.DEREncodedParams.len = - serverKeyPair->pubKey->u.ec.DEREncodedParams.len; - clntPubKey.u.ec.DEREncodedParams.data = - serverKeyPair->pubKey->u.ec.DEREncodedParams.data; -- clntPubKey.u.ec.encoding = serverKeyPair->pubKey->u.ec.encoding; -+ clntPubKey.u.ec.encoding = ECPoint_Undefined; - - rv = ssl3_ConsumeHandshakeVariable(ss, &clntPubKey.u.ec.publicValue, - 1, &b, &length); - if (rv != SECSuccess) { - PORT_SetError(errCode); - return SECFailure; - } - -@@ -382,21 +382,17 @@ ssl_ImportECDHKeyShare(sslSocket *ss, SE - peerKey->keyType = ecKey; - /* Set up the encoded params */ - rv = ssl_NamedGroup2ECParams(peerKey->arena, ecGroup, - &peerKey->u.ec.DEREncodedParams); - if (rv != SECSuccess) { - ssl_MapLowLevelError(SSL_ERROR_RX_MALFORMED_ECDHE_KEY_SHARE); - return SECFailure; - } -- if (ecGroup->name == ssl_grp_ec_curve25519) { -- peerKey->u.ec.encoding = ECPoint_XOnly; -- } else { -- peerKey->u.ec.encoding = ECPoint_Uncompressed; -- } -+ peerKey->u.ec.encoding = ECPoint_Undefined; - - /* copy publicValue in peerKey */ - ecPoint.data = b; - ecPoint.len = length; - - rv = SECITEM_CopyItem(peerKey->arena, &peerKey->u.ec.publicValue, &ecPoint); - if (rv != SECSuccess) { - return SECFailure; diff --git a/SPECS/nss.spec b/SPECS/nss.spec index 7c243ed..eaf7f49 100644 --- a/SPECS/nss.spec +++ b/SPECS/nss.spec @@ -26,8 +26,8 @@ Summary: Network Security Services Name: nss -Version: 3.28.2 -Release: 1.6%{?dist} +Version: 3.28.4 +Release: 1.0%{?dist} License: MPLv2.0 URL: http://www.mozilla.org/projects/security/pki/nss/ Group: System Environment/Libraries @@ -143,8 +143,6 @@ Patch129: moz-1320932.patch # Disable RSA-PSS until we get a new nss-softokn (taken from RHEL-6 # for rhbz#1390161) Patch130: disable-pss.patch -# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1340103 -Patch131: nss-ecpoint-encoding.patch # Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1341054 Patch132: nss-tstclnt-optspec.patch Patch200: nss-disable-curve25519-gtests.patch @@ -268,7 +266,6 @@ pushd nss %patch128 -p1 -b .enable-cipher-suites %patch129 -p1 -b .fix_ssl_sh_typo %patch130 -p1 -b .disable_pss -%patch131 -p1 -b .ecpoint-encoding %patch132 -p1 -b .tstclnt-optspec %patch200 -p1 -b .disable-curve25519-gtests %patch201 -p1 -b .disable-curve25519-tests @@ -863,6 +860,9 @@ fi %changelog +* Fri Apr 7 2017 Daiki Ueno - 3.28.4-1.0 +- Rebase to NSS 3.28.4 + * Mon Feb 20 2017 Daiki Ueno - 3.28.2-1.6 - Restore ssl-server-min-key-sizes.patch - Disable TLS_ECDHE_{RSA,ECDSA}_WITH_AES_128_CBC_SHA256 by default