diff --git a/.gitignore b/.gitignore
index fadcdf8..67272da 100644
--- a/.gitignore
+++ b/.gitignore
@@ -9,7 +9,7 @@ SOURCES/cert8.db.xml
 SOURCES/cert9.db.xml
 SOURCES/key3.db.xml
 SOURCES/key4.db.xml
-SOURCES/nss-3.21.0.tar.gz
+SOURCES/nss-3.21.3.tar.gz
 SOURCES/nss-config.xml
 SOURCES/nss-pem-20140125.tar.bz2
 SOURCES/secmod.db.xml
diff --git a/.nss.metadata b/.nss.metadata
index 473c632..e8b243f 100644
--- a/.nss.metadata
+++ b/.nss.metadata
@@ -9,7 +9,7 @@ bd748cf6e1465a1bbe6e751b72ffc0076aff0b50 SOURCES/blank-secmod.db
 7cbb7841b1aefe52534704bf2a4358bfea1aa477 SOURCES/cert9.db.xml
 24c123810543ff0f6848647d6d910744e275fb01 SOURCES/key3.db.xml
 af51b16a56fda1f7525a0eed3ecbdcbb4133be0c SOURCES/key4.db.xml
-d42285342e5c27c9f884b3d569c865c09c1d6538 SOURCES/nss-3.21.0.tar.gz
+b6e2612dbf78a04cac2a81784143e918ed03aea7 SOURCES/nss-3.21.3.tar.gz
 2905c9b06e7e686c9e3c0b5736a218766d4ae4c2 SOURCES/nss-config.xml
 66f2060c35f4e97bdfa163e8bd7cb2ef5e8125d8 SOURCES/nss-pem-20140125.tar.bz2
 ca9ebf79c1437169a02527c18b1e3909943c4be9 SOURCES/secmod.db.xml
diff --git a/SOURCES/moz-1314604.patch b/SOURCES/moz-1314604.patch
new file mode 100644
index 0000000..7d27f67
--- /dev/null
+++ b/SOURCES/moz-1314604.patch
@@ -0,0 +1,115 @@
+diff -up ./lib/ssl/ssl3con.c.moz-1314604 ./lib/ssl/ssl3con.c
+--- ./lib/ssl/ssl3con.c.moz-1314604 2016-11-07 21:30:40.035272554 +0100
++++ ./lib/ssl/ssl3con.c 2016-11-07 21:31:14.876273952 +0100
+@@ -6196,6 +6196,7 @@ sendDHClientKeyExchange(sslSocket * ss,
+
+ if (pms == NULL) {
+ ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE);
++ rv = SECFailure;
+ goto loser;
+ }
+
+@@ -6939,7 +6940,6 @@ ssl3_HandleServerKeyExchange(sslSocket *
+ SECItem dh_Ys = {siBuffer, NULL, 0};
+ unsigned dh_p_bits;
+ unsigned dh_g_bits;
+- unsigned dh_Ys_bits;
+ PRInt32 minDH;
+
+ rv = ssl3_ConsumeHandshakeVariable(ss, &dh_p, 2, &b, &length);
+@@ -6968,9 +6968,10 @@ ssl3_HandleServerKeyExchange(sslSocket *
+ if (rv != SECSuccess) {
+ goto loser; /* malformed. */
+ }
+- dh_Ys_bits = SECKEY_BigIntegerBitLength(&dh_Ys);
+- if (dh_Ys_bits > dh_p_bits || dh_Ys_bits <= 1)
+- goto alert_loser;
++ if (!ssl_IsValidDHEShare(&dh_p, &dh_Ys)) {
++ errCode = SSL_ERROR_WEAK_SERVER_EPHEMERAL_DH_KEY;
++ goto alert_loser;
++ }
+ if (isTLS12) {
+ rv = ssl3_ConsumeSignatureAndHashAlgorithm(ss, &b, &length,
+ &sigAndHash);
+@@ -9906,6 +9907,12 @@ ssl3_HandleDHClientKeyExchange(sslSocket
+ goto loser;
+ }
+
++ if (!ssl_IsValidDHEShare(&srvrPubKey->u.dh.prime,
++ &clntPubKey.u.dh.publicValue)) {
++ PORT_SetError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE);
++ return SECFailure;
++ }
++
+ isTLS = (PRBool)(ss->ssl3.prSpec->version > SSL_LIBRARY_VERSION_3_0);
+
+ if (isTLS) target = CKM_TLS_MASTER_KEY_DERIVE_DH;
+diff -up ./lib/ssl/sslimpl.h.moz-1314604 ./lib/ssl/sslimpl.h
+--- ./lib/ssl/sslimpl.h.moz-1314604 2016-11-07 21:30:40.028272553 +0100
++++ ./lib/ssl/sslimpl.h 2016-11-07 21:30:40.047272554 +0100
+@@ -1647,6 +1647,7 @@ int ssl3_GatherCompleteHandshake(sslSock
+ extern SECStatus ssl3_CreateRSAStepDownKeys(sslSocket *ss);
+
+ extern SECStatus ssl3_SelectDHParams(sslSocket *ss);
++extern PRBool ssl_IsValidDHEShare(const SECItem *dh_p, const SECItem *dh_Ys);
+
+ #ifndef NSS_DISABLE_ECC
+ extern void ssl3_FilterECCipherSuitesByServerCerts(sslSocket *ss);
+diff -up ./lib/ssl/sslsock.c.moz-1314604 ./lib/ssl/sslsock.c
+--- ./lib/ssl/sslsock.c.moz-1314604 2016-11-07 21:30:40.040272554 +0100
++++ ./lib/ssl/sslsock.c 2016-11-07 21:30:40.048272554 +0100
+@@ -1462,6 +1462,54 @@ SSL_DHEGroupPrefSet(PRFileDesc *fd,
+ return SECSuccess;
+ }
+
++/* This validates dh_Ys against the group prime. */
++PRBool
++ssl_IsValidDHEShare(const SECItem *dh_p, const SECItem *dh_Ys)
++{
++ unsigned int size_p = SECKEY_BigIntegerBitLength(dh_p);
++ unsigned int size_y = SECKEY_BigIntegerBitLength(dh_Ys);
++ unsigned int commonPart;
++ int cmp;
++
++ if (dh_p->len == 0 || dh_Ys->len == 0) {
++ return PR_FALSE;
++ }
++
++ /* Check that the prime is at least odd. */
++ if ((dh_p->data[dh_p->len - 1] & 0x01) == 0) {
++ return PR_FALSE;
++ }
++ /* dh_Ys can't be 1, or bigger than dh_p. */
++ if (size_y <= 1 || size_y > size_p) {
++ return PR_FALSE;
++ }
++ /* If dh_Ys is shorter, then it's definitely smaller than p-1. */
++ if (size_y < size_p) {
++ return PR_TRUE;
++ }
++
++ /* Compare the common part of each, minus the final octet. */
++ commonPart = (size_p + 7) / 8;
++ PORT_Assert(commonPart <= dh_Ys->len);
++ PORT_Assert(commonPart <= dh_p->len);
++ cmp = PORT_Memcmp(dh_Ys->data + dh_Ys->len - commonPart,
++ dh_p->data + dh_p->len - commonPart, commonPart - 1);
++ if (cmp < 0) {
++ return PR_TRUE;
++ }
++ if (cmp > 0) {
++ return PR_FALSE;
++ }
++
++ /* The last octet of the prime is the only thing that is different and that
++ * has to be two greater than the share, otherwise we have Ys == p - 1,
++ * and that means small subgroups. */
++ if (dh_Ys->data[dh_Ys->len - 1] >= (dh_p->data[dh_p->len - 1] - 1)) {
++ return PR_FALSE;
++ }
++
++ return PR_TRUE;
++}
+
+ PRCallOnceType gWeakDHParamsRegisterOnce;
+ int gWeakDHParamsRegisterError;
diff --git a/SPECS/nss.spec b/SPECS/nss.spec
index 21ea02d..8ac83a5 100644
--- a/SPECS/nss.spec
+++ b/SPECS/nss.spec
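Review bot: In the ssl3_HandleDHClientKeyExchange hunk the new rejection path does `PORT_SetError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE); return SECFailure;` while the failure path two lines above it uses `goto loser`; the enclosing function and its `loser:` label lie outside the hunk, so if that label releases anything acquired earlier, the direct return skips that cleanup, and `goto loser;` after the PORT_SetError would be the consistent form provided that path keeps the error code. In ssl_IsValidDHEShare the oddness test is also what makes the `size_y < size_p` shortcut sound (an odd p with more than one bit cannot be a power of two, so any shorter Ys is at most p - 2), which the comment should state: `/* p must be odd: the size_y < size_p shortcut below relies on p not being a power of two. */`. The two SECKEY_BigIntegerBitLength calls in the initializers run before the zero-length guard; unless that helper is known to tolerate an empty SECItem, move them below the `len == 0` check.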
@@ -26,8 +26,8 @@ Summary: Network Security Services Name: nss -Version: 3.21.0 -Release: 17%{?dist} +Version: 3.21.3 +Release: 2%{?dist} License: MPLv2.0 URL: http://www.mozilla.org/projects/security/pki/nss/ Group: System Environment/Libraries @@ -161,6 +161,8 @@ Patch121: flexible-certverify.patch Patch122: disable-ems-gtests.patch # https://bugzilla.redhat.com/show_bug.cgi?id=1317691 Patch123: call-restartmodules-in-nssinit.patch +# CVE-2016-8635 +Patch124: moz-1314604.patch %description Network Security Services (NSS) is a set of libraries designed to @@ -288,6 +290,7 @@ pushd nss %patch121 -p1 -b .flexible_certverify %patch122 -p1 -b .disable_ems_gtests %patch123 -p1 -b .restartmodules_in_init +%patch124 -p1 -b .moz-1314604 popd ######################################################### @@ -880,6 +883,16 @@ fi %changelog +* Tue Nov 08 2016 Kai Engert - 3.21.3-2 +- Mozilla #1314604 / Red Hat CVE-2016-8635 + +* Wed Nov 02 2016 Kai Engert - 3.21.3-1.1 +- rebuild + +* Wed Oct 26 2016 Daiki Ueno - 3.21.3-1 +- Rebase to NSS 3.21.3 +- Resolves: #1383887 + * Thu Jun 30 2016 Kai Engert - 3.21.0-17 - remove additional false duplicates from sha384 downstream patches