diff --git a/SOURCES/nss-lockcert-api-change.patch b/SOURCES/nss-lockcert-api-change.patch
deleted file mode 100644
index 0eba9a4..0000000
--- a/SOURCES/nss-lockcert-api-change.patch
+++ /dev/null
@@ -1,68 +0,0 @@
-# HG changeset patch
-# User Franziskus Kiefer
-# Date 1486546862 -3600
-# Wed Feb 08 10:41:02 2017 +0100
-# Node ID 896e3eb3a79933a51886949c7adb67ef37b721c0
-# Parent a8d77070526320ad0edc7ba164ce97f10c4f7d94
-Bug 1278965 - tsan race in CERTCertificate, r=wtc,ttaubert
-
-diff --git a/lib/certdb/cert.h b/lib/certdb/cert.h
---- a/lib/certdb/cert.h
-+++ b/lib/certdb/cert.h
-@@ -1405,24 +1405,11 @@ void CERT_SetStatusConfig(CERTCertDBHand
- void CERT_LockCertRefCount(CERTCertificate *cert);
-
- /*
-- * Free the cert reference count lock
-+ * Release the cert reference count lock
- */
- void CERT_UnlockCertRefCount(CERTCertificate *cert);
-
- /*
-- * Acquire the cert trust lock
-- * There is currently one global lock for all certs, but I'm putting a cert
-- * arg here so that it will be easy to make it per-cert in the future if
-- * that turns out to be necessary.
-- */
--void CERT_LockCertTrust(const CERTCertificate *cert);
--
--/*
-- * Free the cert trust lock
-- */
--void CERT_UnlockCertTrust(const CERTCertificate *cert);
--
--/*
- * Digest the cert's subject public key using the specified algorithm.
- * NOTE: this digests the value of the BIT STRING subjectPublicKey (excluding
- * the tag, length, and number of unused bits) rather than the whole
-diff --git a/lib/certdb/certi.h b/lib/certdb/certi.h
---- a/lib/certdb/certi.h
-+++ b/lib/certdb/certi.h
-@@ -378,14 +378,27 @@ PRUint32 cert_CountDNSPatterns(CERTGener
- SECStatus cert_CheckLeafTrust(CERTCertificate* cert, SECCertUsage usage,
- unsigned int* failedFlags, PRBool* isTrusted);
-
- /*
- * Acquire the cert temp/perm lock
- */
- void CERT_LockCertTempPerm(const CERTCertificate* cert);
-
- /*
- * Release the temp/perm lock
- */
- void CERT_UnlockCertTempPerm(const CERTCertificate* cert);
-
-+/*
-+ * Acquire the cert trust lock
-+ * There is currently one global lock for all certs, but I'm putting a cert
-+ * arg here so that it will be easy to make it per-cert in the future if
-+ * that turns out to be necessary.
-+ */
-+void CERT_LockCertTrust(const CERTCertificate* cert);
-+
-+/*
-+ * Release the cert trust lock
-+ */
-+void CERT_UnlockCertTrust(const CERTCertificate* cert);
-+
- #endif /* _CERTI_H_ */
diff --git a/SOURCES/nss-ssl2-server-random.patch b/SOURCES/nss-ssl2-server-random.patch
new file mode 100644
index 0000000..0a242c8
--- /dev/null
+++ b/SOURCES/nss-ssl2-server-random.patch
@@ -0,0 +1,177 @@
+# HG changeset patch
+# User Martin Thomson
+# Date 1535458477 -7200
+# Tue Aug 28 14:14:37 2018 +0200
+# Branch NSS_3_36_BRANCH
+# Node ID 14bfa8390396e18ba5b35c7fb299a2c2023f6448
+# Parent 42bc6956fda39f6afe81b8de7afb542f3216bc7e
+Bug 1483128 - Move random generation, r?ekr
+
+Summary: This is the simpler fix. It's making the bug pretty obvious though.
+
+Reviewers: ekr, kaie
+
+Subscribers: HubertKario, mt, ekr, beurdouche, kaie, jcj, ueno, wtc, rrelyea
+
+Tags: #secure-revision, PHID-PROJ-ffhf7tdvqze7zrdn6dh3
+
+Bug #: 1483128
+
+Differential Revision: https://phabricator.services.mozilla.com/D4282
+
+diff --git a/lib/ssl/ssl3con.c b/lib/ssl/ssl3con.c
+--- a/lib/ssl/ssl3con.c
++++ b/lib/ssl/ssl3con.c
+@@ -8082,14 +8082,6 @@ ssl3_HandleClientHello(sslSocket *ss, PR
+ }
+ }
+
+- /* Generate the Server Random now so it is available
+- * when we process the ClientKeyShare in TLS 1.3 */
+- rv = ssl3_GetNewRandom(ss->ssl3.hs.server_random);
+- if (rv != SECSuccess) {
+- errCode = SSL_ERROR_GENERATE_RANDOM_FAILURE;
+- goto loser;
+- }
+-
+ #ifndef TLS_1_3_DRAFT_VERSION
+ /*
+ * [draft-ietf-tls-tls13-11 Section 6.3.1.1].
+@@ -8878,6 +8870,7 @@ ssl_ConstructServerHello(sslSocket *ss,
+ SECStatus rv;
+ SSL3ProtocolVersion version;
+ sslSessionID *sid = ss->sec.ci.sid;
++ const PRUint8 *random;
+
+ if (IS_DTLS(ss) && ss->version < SSL_LIBRARY_VERSION_TLS_1_3) {
+ version = dtls_TLSVersionToDTLSVersion(ss->version);
+@@ -8889,9 +8882,17 @@ ssl_ConstructServerHello(sslSocket *ss,
+ if (rv != SECSuccess) {
+ return SECFailure;
+ }
+- /* Random already generated in ssl3_HandleClientHello */
+- rv = sslBuffer_Append(messageBuf, helloRetry ? ssl_hello_retry_random : ss->ssl3.hs.server_random,
+- SSL3_RANDOM_LENGTH);
++
++ if (helloRetry) {
++ random = ssl_hello_retry_random;
++ } else {
++ rv = ssl3_GetNewRandom(ss->ssl3.hs.server_random);
++ if (rv != SECSuccess) {
++ return SECFailure;
++ }
++ random = ss->ssl3.hs.server_random;
++ }
++ rv = sslBuffer_Append(messageBuf, random, SSL3_RANDOM_LENGTH);
+ if (rv != SECSuccess) {
+ return SECFailure;
+ }
+# HG changeset patch
+# User Martin Thomson
+# Date 1535458545 -7200
+# Tue Aug 28 14:15:45 2018 +0200
+# Node ID eee3954f57355ad04bc32f1c2dfe25d7e13a3382
+# Parent 4c7ffcfd43f613eb08ee7b4a75dbeb1a7fb540ce
+Bug 1483128 - Test that randoms aren't fixed, r?ekr
+
+Summary:
+We can't easily test that ClientHello.random and ServerHello.random are truly
+random in these tests, but we can catch mistakes the likes of which produced
+this bug. This just runs a few handshakes and tests that none of the random
+values are equal to any other, or they are equal to zero.
+
+Reviewers: ekr
+
+Subscribers: mt, ekr, beurdouche, kaie, jcj, ueno, rrelyea, wtc, HubertKario
+
+Tags: #secure-revision, PHID-PROJ-ffhf7tdvqze7zrdn6dh3
+
+Bug #: 1483128
+
+Differential Revision: https://phabricator.services.mozilla.com/D4413
+
+diff --git a/gtests/ssl_gtest/ssl_loopback_unittest.cc b/gtests/ssl_gtest/ssl_loopback_unittest.cc
+--- a/gtests/ssl_gtest/ssl_loopback_unittest.cc
++++ b/gtests/ssl_gtest/ssl_loopback_unittest.cc
+@@ -541,6 +541,47 @@ TEST_F(TlsConnectTest, OneNRecordSplitti
+ EXPECT_EQ(ExpectedCbcLen(20), records->record(2).buffer.len());
+ }
+
++// We can't test for randomness easily here, but we can test that we don't
++// produce a zero value, or produce the same value twice. There are 5 values
++// here: two ClientHello.random, two ServerHello.random, and one zero value.
++// Matrix them and fail if any are the same.
++TEST_P(TlsConnectGeneric, CheckRandoms) {
++ ConfigureSessionCache(RESUME_NONE, RESUME_NONE);
++
++ static const size_t random_len = 32;
++ uint8_t crandom1[random_len], srandom1[random_len];
++ uint8_t z[random_len] = {0};
++
++ auto ch = MakeTlsFilter(client_, ssl_hs_client_hello);
++ auto sh = MakeTlsFilter(server_, ssl_hs_server_hello);
++ Connect();
++ ASSERT_TRUE(ch->buffer().len() > (random_len + 2));
++ ASSERT_TRUE(sh->buffer().len() > (random_len + 2));
++ memcpy(crandom1, ch->buffer().data() + 2, random_len);
++ memcpy(srandom1, sh->buffer().data() + 2, random_len);
++ EXPECT_NE(0, memcmp(crandom1, srandom1, random_len));
++ EXPECT_NE(0, memcmp(crandom1, z, random_len));
++ EXPECT_NE(0, memcmp(srandom1, z, random_len));
++
++ Reset();
++ ch = MakeTlsFilter(client_, ssl_hs_client_hello);
++ sh = MakeTlsFilter(server_, ssl_hs_server_hello);
++ Connect();
++ ASSERT_TRUE(ch->buffer().len() > (random_len + 2));
++ ASSERT_TRUE(sh->buffer().len() > (random_len + 2));
++ const uint8_t* crandom2 = ch->buffer().data() + 2;
++ const uint8_t* srandom2 = sh->buffer().data() + 2;
++
++ EXPECT_NE(0, memcmp(crandom2, srandom2, random_len));
++ EXPECT_NE(0, memcmp(crandom2, z, random_len));
++ EXPECT_NE(0, memcmp(srandom2, z, random_len));
++
++ EXPECT_NE(0, memcmp(crandom1, crandom2, random_len));
++ EXPECT_NE(0, memcmp(crandom1, srandom2, random_len));
++ EXPECT_NE(0, memcmp(srandom1, crandom2, random_len));
++ EXPECT_NE(0, memcmp(srandom1, srandom2, random_len));
++}
++
+ INSTANTIATE_TEST_CASE_P(
+ GenericStream, TlsConnectGeneric,
+ ::testing::Combine(TlsConnectTestBase::kTlsVariantsStream,
+diff --git a/gtests/ssl_gtest/ssl_v2_client_hello_unittest.cc b/gtests/ssl_gtest/ssl_v2_client_hello_unittest.cc
+--- a/gtests/ssl_gtest/ssl_v2_client_hello_unittest.cc
++++ b/gtests/ssl_gtest/ssl_v2_client_hello_unittest.cc
+@@ -350,6 +350,30 @@ TEST_P(SSLv2ClientHelloTest, RequireSafe
+ Connect();
+ }
+
++TEST_P(SSLv2ClientHelloTest, CheckServerRandom) {
++ ConfigureSessionCache(RESUME_NONE, RESUME_NONE);
++ SetAvailableCipherSuite(TLS_DHE_RSA_WITH_AES_128_CBC_SHA);
++
++ static const size_t random_len = 32;
++ uint8_t srandom1[random_len];
++ uint8_t z[random_len] = {0};
++
++ auto sh = MakeTlsFilter(server_, ssl_hs_server_hello);
++ Connect();
++ ASSERT_TRUE(sh->buffer().len() > (random_len + 2));
++ memcpy(srandom1, sh->buffer().data() + 2, random_len);
++ EXPECT_NE(0, memcmp(srandom1, z, random_len));
++
++ Reset();
++ sh = MakeTlsFilter(server_, ssl_hs_server_hello);
++ Connect();
++ ASSERT_TRUE(sh->buffer().len() > (random_len + 2));
++ const uint8_t* srandom2 = sh->buffer().data() + 2;
++
++ EXPECT_NE(0, memcmp(srandom2, z, random_len));
++ EXPECT_NE(0, memcmp(srandom1, srandom2, random_len));
++}
++
+ // Connect to the server with TLS 1.1, signalling that this is a fallback from
+ // a higher version. As the server doesn't support anything higher than TLS 1.1
+ // it must accept the connection.
diff --git a/SOURCES/nss-tests-ssl-normal-normal.patch b/SOURCES/nss-tests-ssl-normal-normal.patch
new file mode 100644
index 0000000..aa5346a
--- /dev/null
+++ b/SOURCES/nss-tests-ssl-normal-normal.patch
@@ -0,0 +1,20 @@
+# HG changeset patch
+# User Daiki Ueno
+# Date 1520875743 -3600
+# Mon Mar 12 18:29:03 2018 +0100
+# Node ID 1053cc7b45a2dfe4a44558f0a0e7c4b3f0e9c6ec
+# Parent be88b7a4fb599a367a13688a9790d3010f3b3692
+Bug 1444960, Exercise SSL tests which only run under non-FIPS, r=kaie
+
+diff --git a/tests/all.sh b/tests/all.sh
+--- a/tests/all.sh
++++ b/tests/all.sh
+@@ -309,7 +309,7 @@ TESTS=${NSS_TESTS:-$tests}
+
+ ALL_TESTS=${TESTS}
+
+-nss_ssl_tests="crl iopr policy"
++nss_ssl_tests="crl iopr policy normal_normal"
+ if [ $NO_INIT_SUPPORT -eq 0 ]; then
+ nss_ssl_tests="$nss_ssl_tests fips_normal normal_fips"
+ fi
diff --git a/SPECS/nss.spec b/SPECS/nss.spec
index 984a6fe..d117328 100644
--- a/SPECS/nss.spec
+++ b/SPECS/nss.spec
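Review bot: The comment removed from ssl3_HandleClientHello says the server random was generated early so it would be available when the TLS 1.3 ClientKeyShare is processed, while the new code in ssl_ConstructServerHello generates it only when the ServerHello is built; the backport therefore relies on nothing in the 3.36 TLS 1.3 path reading ss->ssl3.hs.server_random before that point, which this hunk cannot show and is worth confirming against the branch's key-share handling. The bundled test changeset eee3954f5735 has a different parent (4c7ffcfd43f6) and no Branch line, so it appears to come from a different branch than the NSS_3_36_BRANCH fix; whether it applies to the 3.36 gtests is presumably settled by the build, but is not visible here. The patch file itself never names CVE-2018-12384, which appears only in the spec changelog; a leading line such as `# Backport of upstream bug 1483128 (CVE-2018-12384) for NSS 3.36` above the first `# HG changeset patch` header would record the provenance in SOURCES itself, and patch(1) skips such leading text. Both ssl3_HandleClientHello and ssl_ConstructServerHello start and end outside the hunk.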
@@ -27,7 +27,7 @@ Summary: Network Security Services Name: nss Version: 3.36.0 -Release: 5%{?dist} +Release: 7%{?dist} License: MPLv2.0 URL: http://www.mozilla.org/projects/security/pki/nss/ Group: System Environment/Libraries @@ -135,9 +135,10 @@ Patch139: nss-modutil-skip-changepw-fips.patch # Work around for yum # https://bugzilla.redhat.com/show_bug.cgi?id=1469526 Patch141: nss-sysinit-getenv.patch -# To revert the change in: -# https://hg.mozilla.org/projects/nss/rev/896e3eb3a799 -Patch142: nss-lockcert-api-change.patch +# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1483128 +Patch142: nss-ssl2-server-random.patch +# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1444960 +Patch143: nss-tests-ssl-normal-normal.patch %description Network Security Services (NSS) is a set of libraries designed to @@ -246,7 +247,8 @@ pushd nss %patch138 -p1 -b .devslot-reinsert %patch139 -p1 -b .modutil-skip-changepw-fips %patch141 -p1 -b .sysinit-getenv -%patch142 -p1 -R -b .lockcert-api-change +%patch142 -p1 -b .ssl2-server-random +%patch143 -p1 -b .tests-ssl-normal-normal popd ######################################################### @@ -847,6 +849,14 @@ fi %changelog +* Wed Aug 29 2018 Daiki Ueno - 3.36.0-7 +- Backport upstream fix for CVE-2018-12384 +- Remove nss-lockcert-api-change.patch, which turned out to be a + mistake (the symbol was not exported from libnss) + +* Thu Apr 19 2018 Daiki Ueno - 3.36.0-6 +- Exercise SSL tests which only run under non-FIPS setting + * Wed Apr 18 2018 Daiki Ueno - 3.36.0-5 - Restore CERT_LockCertTrust and CERT_UnlockCertTrust back in cert.h
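Review bot: Patch142 is reused for an unrelated patch: in the hunk at spec line 135 the number that previously named nss-lockcert-api-change.patch (applied with `-R` by the old `%patch142` line in the hunk at line 246) now names nss-ssl2-server-random.patch, so the same identifier means different things across spec revisions. Retiring 142 and declaring the new files as `Patch143: nss-ssl2-server-random.patch` and `Patch144: nss-tests-ssl-normal-normal.patch`, with the two `%patch` application lines renumbered to match, keeps the numbering unambiguous. The `# Upstream:` comment above Patch142 cites only the Mozilla bug while the changelog names CVE-2018-12384; extending it to `# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1483128 (CVE-2018-12384)` lets the fix be located from the spec by CVE number. The changelog hunk runs past the end of the view.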