diff --git a/SOURCES/call-restartmodules-in-nssinit.patch b/SOURCES/call-restartmodules-in-nssinit.patch new file mode 100644 index 0000000..6a72aa8 --- /dev/null +++ b/SOURCES/call-restartmodules-in-nssinit.patch @@ -0,0 +1,35 @@ +diff --git a/lib/nss/nssinit.c b/lib/nss/nssinit.c +--- a/lib/nss/nssinit.c ++++ b/lib/nss/nssinit.c +@@ -621,16 +621,31 @@ nss_Init(const char *configdir, const ch + initParams->minPWLen); + if (configStrings == NULL) { + PORT_SetError(SEC_ERROR_NO_MEMORY); + goto loser; + } + configName = initParams->libraryDescription; + passwordRequired = initParams->passwordRequired; + } ++ ++ /* If we're NSS_ContextInit, we're probably a library. It could be ++ * possible that the application initialized NSS then forked(). The ++ * library would have no knowledge of that. If we call ++ * SECMOD_RestartModules() here, we will be able to continue on with ++ * NSS as normal. SECMOD_RestartModules() does have the side affect ++ * of losing all our PKCS #11 objects in the new process, but only if ++ * the module needs to be reinited. If it needs to be reinit those ++ * objects are inaccessible anyway, it it's always save to call ++ * SECMOD_RestartModules(PR_FALSE). ++ */ ++ /* NOTE: We could call SECMOD_Init() here, but if we aren't already ++ * inited, then there's no modules to restart, so SECMOD_RestartModules ++ * will return immediately */ ++ SECMOD_RestartModules(PR_FALSE); + } else { + configStrings = pk11_config_strings; + configName = pk11_config_name; + passwordRequired = pk11_password_required; + } + + /* Skip the module init if we are already initted and we are trying + * to init with noCertDB and noModDB */ diff --git a/SOURCES/disable-ems-gtests.patch b/SOURCES/disable-ems-gtests.patch new file mode 100644 index 0000000..62ebf74 --- /dev/null +++ b/SOURCES/disable-ems-gtests.patch @@ -0,0 +1,195 @@ +diff --git a/external_tests/ssl_gtest/ssl_loopback_unittest.cc b/external_tests/ssl_gtest/ssl_loopback_unittest.cc +--- a/external_tests/ssl_gtest/ssl_loopback_unittest.cc ++++ b/external_tests/ssl_gtest/ssl_loopback_unittest.cc +@@ -516,134 +516,16 @@ TEST_P(TlsConnectStream, ShortRead) { + // Read the first tranche. + WAIT_(client_->received_bytes() == 1024, 2000); + ASSERT_EQ(1024U, client_->received_bytes()); + // The second tranche should now immediately be available. + client_->ReadBytes(); + ASSERT_EQ(1200U, client_->received_bytes()); + } + +-TEST_P(TlsConnectGeneric, ConnectExtendedMasterSecret) { +- EnableExtendedMasterSecret(); +- Connect(); +- ResetRsa(); +- ExpectResumption(RESUME_SESSIONID); +- EnableExtendedMasterSecret(); +- Connect(); +-} +- +- +-TEST_P(TlsConnectGeneric, ConnectExtendedMasterSecretStaticRSA) { +- DisableDheAndEcdheCiphers(); +- EnableExtendedMasterSecret(); +- Connect(); +-} +- +-// This test is stream so we can catch the bad_record_mac alert. +-TEST_P(TlsConnectStream, ConnectExtendedMasterSecretStaticRSABogusCKE) { +- DisableDheAndEcdheCiphers(); +- EnableExtendedMasterSecret(); +- TlsInspectorReplaceHandshakeMessage* inspect = +- new TlsInspectorReplaceHandshakeMessage(kTlsHandshakeClientKeyExchange, +- DataBuffer( +- kBogusClientKeyExchange, +- sizeof(kBogusClientKeyExchange))); +- client_->SetPacketFilter(inspect); +- auto alert_recorder = new TlsAlertRecorder(); +- server_->SetPacketFilter(alert_recorder); +- ConnectExpectFail(); +- EXPECT_EQ(kTlsAlertFatal, alert_recorder->level()); +- EXPECT_EQ(kTlsAlertBadRecordMac, alert_recorder->description()); +-} +- +-// This test is stream so we can catch the bad_record_mac alert. +-TEST_P(TlsConnectStream, ConnectExtendedMasterSecretStaticRSABogusPMSVersionDetect) { +- DisableDheAndEcdheCiphers(); +- EnableExtendedMasterSecret(); +- client_->SetPacketFilter(new TlsInspectorClientHelloVersionChanger( +- server_)); +- auto alert_recorder = new TlsAlertRecorder(); +- server_->SetPacketFilter(alert_recorder); +- ConnectExpectFail(); +- EXPECT_EQ(kTlsAlertFatal, alert_recorder->level()); +- EXPECT_EQ(kTlsAlertBadRecordMac, alert_recorder->description()); +-} +- +-TEST_P(TlsConnectStream, ConnectExtendedMasterSecretStaticRSABogusPMSVersionIgnore) { +- DisableDheAndEcdheCiphers(); +- EnableExtendedMasterSecret(); +- client_->SetPacketFilter(new TlsInspectorClientHelloVersionChanger( +- server_)); +- server_->DisableRollbackDetection(); +- Connect(); +-} +- +-TEST_P(TlsConnectGeneric, ConnectExtendedMasterSecretECDHE) { +- EnableExtendedMasterSecret(); +- Connect(); +- +- ResetRsa(); +- EnableExtendedMasterSecret(); +- ExpectResumption(RESUME_SESSIONID); +- Connect(); +-} +- +-TEST_P(TlsConnectGeneric, ConnectExtendedMasterSecretTicket) { +- ConfigureSessionCache(RESUME_BOTH, RESUME_TICKET); +- EnableExtendedMasterSecret(); +- Connect(); +- +- ResetRsa(); +- ConfigureSessionCache(RESUME_BOTH, RESUME_TICKET); +- +- EnableExtendedMasterSecret(); +- ExpectResumption(RESUME_TICKET); +- Connect(); +-} +- +-TEST_P(TlsConnectGeneric, +- ConnectExtendedMasterSecretClientOnly) { +- client_->EnableExtendedMasterSecret(); +- ExpectExtendedMasterSecret(false); +- Connect(); +-} +- +-TEST_P(TlsConnectGeneric, +- ConnectExtendedMasterSecretServerOnly) { +- server_->EnableExtendedMasterSecret(); +- ExpectExtendedMasterSecret(false); +- Connect(); +-} +- +-TEST_P(TlsConnectGeneric, +- ConnectExtendedMasterSecretResumeWithout) { +- EnableExtendedMasterSecret(); +- Connect(); +- +- ResetRsa(); +- server_->EnableExtendedMasterSecret(); +- auto alert_recorder = new TlsAlertRecorder(); +- server_->SetPacketFilter(alert_recorder); +- ConnectExpectFail(); +- EXPECT_EQ(kTlsAlertFatal, alert_recorder->level()); +- EXPECT_EQ(kTlsAlertHandshakeFailure, alert_recorder->description()); +-} +- +-TEST_P(TlsConnectGeneric, +- ConnectNormalResumeWithExtendedMasterSecret) { +- ConfigureSessionCache(RESUME_SESSIONID, RESUME_SESSIONID); +- ExpectExtendedMasterSecret(false); +- Connect(); +- +- ResetRsa(); +- EnableExtendedMasterSecret(); +- ExpectResumption(RESUME_NONE); +- Connect(); +-} +- + INSTANTIATE_TEST_CASE_P(VariantsStream10, TlsConnectGeneric, + ::testing::Combine( + TlsConnectTestBase::kTlsModesStream, + TlsConnectTestBase::kTlsV10)); + INSTANTIATE_TEST_CASE_P(VariantsAll, TlsConnectGeneric, + ::testing::Combine( + TlsConnectTestBase::kTlsModesAll, + TlsConnectTestBase::kTlsV11V12)); +diff --git a/external_tests/ssl_gtest/ssl_prf_unittest.cc b/external_tests/ssl_gtest/ssl_prf_unittest.cc +--- a/external_tests/ssl_gtest/ssl_prf_unittest.cc ++++ b/external_tests/ssl_gtest/ssl_prf_unittest.cc +@@ -201,53 +201,9 @@ TEST_F(TlsPrfTest, ExtendedMsParamErr) { + CheckForError(CKM_TLS_PRF, kPrfSeedSizeTlsPrf, kIncorrectSize, 0); + + // CKM_TLS_PRF && seed length != MD5_LENGTH + SHA1_LENGTH + CheckForError(CKM_TLS_PRF, kIncorrectSize, kPmsSize, 0); + + // !CKM_TLS_PRF && seed length != hash output length + CheckForError(CKM_SHA256, kIncorrectSize, kPmsSize, 0); + } +- +-// Test matrix: +-// +-// DH RSA +-// TLS_PRF 1 2 +-// SHA256 3 4 +-TEST_F(TlsPrfTest, ExtendedMsDhTlsPrf) { +- Init(); +- ComputeAndVerifyMs(CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_DH, +- CKM_TLS_PRF, +- nullptr, +- kExpectedOutputEmsTlsPrf); +-} +- +-TEST_F(TlsPrfTest, ExtendedMsRsaTlsPrf) { +- Init(); +- ComputeAndVerifyMs(CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE, +- CKM_TLS_PRF, +- &pms_version_, +- kExpectedOutputEmsTlsPrf); +- EXPECT_EQ(0, pms_version_.major); +- EXPECT_EQ(1, pms_version_.minor); +-} +- +- +-TEST_F(TlsPrfTest, ExtendedMsDhSha256) { +- Init(); +- ComputeAndVerifyMs(CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_DH, +- CKM_SHA256, +- nullptr, +- kExpectedOutputEmsSha256); +-} +- +-TEST_F(TlsPrfTest, ExtendedMsRsaSha256) { +- Init(); +- ComputeAndVerifyMs(CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE, +- CKM_SHA256, +- &pms_version_, +- kExpectedOutputEmsSha256); +- EXPECT_EQ(0, pms_version_.major); +- EXPECT_EQ(1, pms_version_.minor); +-} +- + } // namespace nss_test +- diff --git a/SOURCES/fix-reuse-of-session-cache-entry.patch b/SOURCES/fix-reuse-of-session-cache-entry.patch new file mode 100644 index 0000000..7262fee --- /dev/null +++ b/SOURCES/fix-reuse-of-session-cache-entry.patch @@ -0,0 +1,24 @@ +diff --git a/lib/ssl/sslnonce.c b/lib/ssl/sslnonce.c +--- a/lib/ssl/sslnonce.c ++++ b/lib/ssl/sslnonce.c +@@ -279,19 +279,17 @@ ssl_LookupSID(const PRIPv6Addr *addr, PR + (((peerID == NULL) && (sid->peerID == NULL)) || + ((peerID != NULL) && (sid->peerID != NULL) && + PORT_Strcmp(sid->peerID, peerID) == 0)) && + /* is cacheable */ + (sid->version < SSL_LIBRARY_VERSION_3_0 || + sid->u.ssl3.keys.resumable) && + /* server hostname matches. */ + (sid->urlSvrName != NULL) && +- ((0 == PORT_Strcmp(urlSvrName, sid->urlSvrName)) || +- ((sid->peerCert != NULL) && (SECSuccess == +- CERT_VerifyCertName(sid->peerCert, urlSvrName))) ) ++ (0 == PORT_Strcmp(urlSvrName, sid->urlSvrName)) + ) { + /* Hit */ + sid->lastAccessTime = now; + sid->references++; + break; + } else { + sidp = &sid->next; + } diff --git a/SOURCES/flexible-certverify.patch b/SOURCES/flexible-certverify.patch new file mode 100644 index 0000000..481a07f --- /dev/null +++ b/SOURCES/flexible-certverify.patch @@ -0,0 +1,1136 @@ +diff --git a/external_tests/ssl_gtest/ssl_loopback_unittest.cc b/external_tests/ssl_gtest/ssl_loopback_unittest.cc +--- a/external_tests/ssl_gtest/ssl_loopback_unittest.cc ++++ b/external_tests/ssl_gtest/ssl_loopback_unittest.cc +@@ -318,23 +318,21 @@ TEST_P(TlsConnectPre12, SignatureAlgorit + ResetEcdsa(); + client_->SetSignatureAlgorithms(SignatureEcdsaSha384, + PR_ARRAY_SIZE(SignatureEcdsaSha384)); + server_->SetSignatureAlgorithms(SignatureEcdsaSha256, + PR_ARRAY_SIZE(SignatureEcdsaSha256)); + Connect(); + } + +-// The server requests client auth but doesn't offer a SHA-256 option. +-// This fails because NSS only uses SHA-256 for handshake transcript hashes. +-TEST_P(TlsConnectTls12, RequestClientAuthWithoutSha256) { ++TEST_P(TlsConnectTls12, RequestClientAuthWithSha384) { + server_->SetSignatureAlgorithms(SignatureRsaSha384, + PR_ARRAY_SIZE(SignatureRsaSha384)); + server_->RequestClientAuth(false); +- ConnectExpectFail(); ++ Connect(); + } + + TEST_P(TlsConnectGeneric, ConnectAlpn) { + EnableAlpn(); + Connect(); + client_->CheckAlpn(SSL_NEXT_PROTO_SELECTED, "a"); + server_->CheckAlpn(SSL_NEXT_PROTO_NEGOTIATED, "a"); + } +diff --git a/lib/ssl/ssl3con.c b/lib/ssl/ssl3con.c +--- a/lib/ssl/ssl3con.c ++++ b/lib/ssl/ssl3con.c +@@ -3636,16 +3636,29 @@ ssl3_GetPrfHashMechanism(sslSocket *ss) + SSL3PRF prf_alg = ss->ssl3.hs.suite_def->prf_alg; + + if (prf_alg == 0) + return CKM_SHA256; + + return prf_alg; + } + ++static SSLHashType ++ssl3_GetSuitePrfHash(sslSocket *ss) ++{ ++ switch (ss->ssl3.hs.suite_def->prf_alg) { ++ case CKM_SHA384: ++ return ssl_hash_sha384; ++ case 0: ++ case CKM_SHA256: ++ default: ++ return ssl_hash_sha256; ++ } ++} ++ + + /* This method completes the derivation of the MS from the PMS. + ** + ** 1. Derive the MS, if possible, else return an error. + ** + ** 2. Check the version if |pms_version| is non-zero and if wrong, + ** return an error. + ** +@@ -3813,17 +3826,17 @@ tls_ComputeExtendedMasterSecretInt(sslSo + master_derive = CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_DH; + } else { + master_derive = CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE; + pms_version_ptr = &pms_version; + } + + if (pwSpec->version >= SSL_LIBRARY_VERSION_TLS_1_2) { + /* TLS 1.2 */ +- extended_master_params.prfHashMechanism = CKM_SHA256; ++ extended_master_params.prfHashMechanism = ssl3_GetPrfHashMechanism(ss); + key_derive = CKM_TLS12_KEY_AND_MAC_DERIVE; + } else { + /* TLS < 1.2 */ + extended_master_params.prfHashMechanism = CKM_TLS_PRF; + key_derive = CKM_TLS_KEY_AND_MAC_DERIVE; + } + + extended_master_params.pVersion = pms_version_ptr; +@@ -4071,20 +4084,23 @@ loser: + /* ssl3_InitHandshakeHashes creates handshake hash contexts and hashes in + * buffered messages in ss->ssl3.hs.messages. */ + static SECStatus + ssl3_InitHandshakeHashes(sslSocket *ss) + { + SSL_TRC(30,("%d: SSL3[%d]: start handshake hashes", SSL_GETPID(), ss->fd)); + + PORT_Assert(ss->ssl3.hs.hashType == handshake_hash_unknown); ++ if (ss->version == SSL_LIBRARY_VERSION_TLS_1_2) { ++ ss->ssl3.hs.hashType = handshake_hash_record; ++ } else + #ifndef NO_PKCS11_BYPASS + if (ss->opt.bypassPKCS11) { + PORT_Assert(!ss->ssl3.hs.sha_obj && !ss->ssl3.hs.sha_clone); +- if (ss->version >= SSL_LIBRARY_VERSION_TLS_1_2) { ++ if (ss->version >= SSL_LIBRARY_VERSION_TLS_1_3) { + /* If we ever support ciphersuites where the PRF hash isn't SHA-256 + * then this will need to be updated. */ + HASH_HashType ht; + CK_MECHANISM_TYPE hm; + SECOidTag ot; + SECOidData *hashOid; + + hm = ssl3_GetPrfHashMechanism(ss); +@@ -4112,17 +4128,17 @@ ssl3_InitHandshakeHashes(sslSocket *ss) + #endif + { + PORT_Assert(!ss->ssl3.hs.md5 && !ss->ssl3.hs.sha); + /* + * note: We should probably lookup an SSL3 slot for these + * handshake hashes in hopes that we wind up with the same slots + * that the master secret will wind up in ... + */ +- if (ss->version >= SSL_LIBRARY_VERSION_TLS_1_2) { ++ if (ss->version >= SSL_LIBRARY_VERSION_TLS_1_3) { + /* determine the hash from the prf */ + const SECOidData *hash_oid; + + PORT_Assert(ss->ssl3.hs.suite_def); + /* Get the PKCS #11 mechanism for the Hash from the cipher suite (prf_alg) + * Convert that to the OidTag. We can then use that OidTag to create our + * PK11Context */ + hash_oid = SECOID_FindOIDByMechanism(ssl3_GetPrfHashMechanism(ss)); +@@ -4137,38 +4153,16 @@ ssl3_InitHandshakeHashes(sslSocket *ss) + return SECFailure; + } + ss->ssl3.hs.hashType = handshake_hash_single; + + if (PK11_DigestBegin(ss->ssl3.hs.sha) != SECSuccess) { + ssl_MapLowLevelError(SSL_ERROR_DIGEST_FAILURE); + return SECFailure; + } +- +- /* Create a backup SHA-1 hash for a potential client auth +- * signature. +- * +- * In TLS 1.2, ssl3_ComputeHandshakeHashes always uses the +- * handshake hash function (SHA-256). If the server or the client +- * does not support SHA-256 as a signature hash, we can either +- * maintain a backup SHA-1 handshake hash or buffer all handshake +- * messages. +- */ +- if (!ss->sec.isServer) { +- ss->ssl3.hs.backupHash = PK11_CreateDigestContext(SEC_OID_SHA1); +- if (ss->ssl3.hs.backupHash == NULL) { +- ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE); +- return SECFailure; +- } +- +- if (PK11_DigestBegin(ss->ssl3.hs.backupHash) != SECSuccess) { +- ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE); +- return SECFailure; +- } +- } + } else { + /* Both ss->ssl3.hs.md5 and ss->ssl3.hs.sha should be NULL or + * created successfully. */ + ss->ssl3.hs.md5 = PK11_CreateDigestContext(SEC_OID_MD5); + if (ss->ssl3.hs.md5 == NULL) { + ssl_MapLowLevelError(SSL_ERROR_MD5_DIGEST_FAILURE); + return SECFailure; + } +@@ -4187,26 +4181,23 @@ ssl3_InitHandshakeHashes(sslSocket *ss) + } + if (PK11_DigestBegin(ss->ssl3.hs.sha) != SECSuccess) { + ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE); + return SECFailure; + } + } + } + +- if (ss->ssl3.hs.messages.len > 0) { +- if (ssl3_UpdateHandshakeHashes(ss, ss->ssl3.hs.messages.buf, +- ss->ssl3.hs.messages.len) != +- SECSuccess) { +- return SECFailure; +- } +- PORT_Free(ss->ssl3.hs.messages.buf); +- ss->ssl3.hs.messages.buf = NULL; +- ss->ssl3.hs.messages.len = 0; +- ss->ssl3.hs.messages.space = 0; ++ if (ss->ssl3.hs.hashType != handshake_hash_record && ++ ss->ssl3.hs.messages.len > 0) { ++ if (ssl3_UpdateHandshakeHashes(ss, ss->ssl3.hs.messages.buf, ++ ss->ssl3.hs.messages.len) != SECSuccess) { ++ return SECFailure; ++ } ++ sslBuffer_Clear(&ss->ssl3.hs.messages); + } + + return SECSuccess; + } + + static SECStatus + ssl3_RestartHandshakeHashes(sslSocket *ss) + { +@@ -4237,66 +4228,71 @@ ssl3_RestartHandshakeHashes(sslSocket *s + /* Called from ssl3_InitHandshakeHashes() + ** ssl3_AppendHandshake() + ** ssl3_StartHandshakeHash() + ** ssl3_HandleV2ClientHello() + ** ssl3_HandleHandshakeMessage() + ** Caller must hold the ssl3Handshake lock. + */ + static SECStatus +-ssl3_UpdateHandshakeHashes(sslSocket *ss, const unsigned char *b, +- unsigned int l) ++ssl3_UpdateHandshakeHashes(sslSocket *ss, const unsigned char *b, unsigned int l) + { + SECStatus rv = SECSuccess; + + PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) ); + +- /* We need to buffer the handshake messages until we have established +- * which handshake hash function to use. */ +- if (ss->ssl3.hs.hashType == handshake_hash_unknown) { +- return sslBuffer_Append(&ss->ssl3.hs.messages, b, l); ++ /* With TLS 1.3, and versions TLS.1.1 and older, we keep the hash(es) ++ * always up to date. However, we must initially buffer the handshake ++ * messages, until we know what to do. ++ * If ss->ssl3.hs.hashType != handshake_hash_unknown, ++ * it means we know what to do. We calculate (hash our input), ++ * and we stop appending to the buffer. ++ * ++ * With TLS 1.2, we always append all handshake messages, ++ * and never update the hash, because the hash function we must use for ++ * certificate_verify might be different from the hash function we use ++ * when signing other handshake hashes. */ ++ ++ if (ss->ssl3.hs.hashType == handshake_hash_unknown || ++ ss->ssl3.hs.hashType == handshake_hash_record) { ++ return sslBuffer_Append(&ss->ssl3.hs.messages, b, l); + } + + PRINT_BUF(90, (NULL, "handshake hash input:", b, l)); + + #ifndef NO_PKCS11_BYPASS + if (ss->opt.bypassPKCS11) { + if (ss->ssl3.hs.hashType == handshake_hash_single) { +- ss->ssl3.hs.sha_obj->update(ss->ssl3.hs.sha_cx, b, l); +- } else { ++ PORT_Assert(ss->version >= SSL_LIBRARY_VERSION_TLS_1_3); ++ ss->ssl3.hs.sha_obj->update(ss->ssl3.hs.sha_cx, b, l); ++ } else if (ss->ssl3.hs.hashType == handshake_hash_combo) { + MD5_Update((MD5Context *)ss->ssl3.hs.md5_cx, b, l); + SHA1_Update((SHA1Context *)ss->ssl3.hs.sha_cx, b, l); + } + return rv; + } + #endif + if (ss->ssl3.hs.hashType == handshake_hash_single) { +- rv = PK11_DigestOp(ss->ssl3.hs.sha, b, l); +- if (rv != SECSuccess) { +- ssl_MapLowLevelError(SSL_ERROR_DIGEST_FAILURE); +- return rv; +- } +- if (ss->ssl3.hs.backupHash) { +- rv = PK11_DigestOp(ss->ssl3.hs.backupHash, b, l); +- if (rv != SECSuccess) { +- ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE); +- return rv; +- } +- } +- } else { +- rv = PK11_DigestOp(ss->ssl3.hs.md5, b, l); +- if (rv != SECSuccess) { +- ssl_MapLowLevelError(SSL_ERROR_MD5_DIGEST_FAILURE); +- return rv; +- } +- rv = PK11_DigestOp(ss->ssl3.hs.sha, b, l); +- if (rv != SECSuccess) { +- ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE); +- return rv; +- } ++ PORT_Assert(ss->version >= SSL_LIBRARY_VERSION_TLS_1_3); ++ rv = PK11_DigestOp(ss->ssl3.hs.sha, b, l); ++ if (rv != SECSuccess) { ++ ssl_MapLowLevelError(SSL_ERROR_DIGEST_FAILURE); ++ return rv; ++ } ++ } else if (ss->ssl3.hs.hashType == handshake_hash_combo) { ++ rv = PK11_DigestOp(ss->ssl3.hs.md5, b, l); ++ if (rv != SECSuccess) { ++ ssl_MapLowLevelError(SSL_ERROR_MD5_DIGEST_FAILURE); ++ return rv; ++ } ++ rv = PK11_DigestOp(ss->ssl3.hs.sha, b, l); ++ if (rv != SECSuccess) { ++ ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE); ++ return rv; ++ } + } + return rv; + } + + /************************************************************************** + * Append Handshake functions. + * All these functions set appropriate error codes. + * Most rely on ssl3_AppendHandshake to set the error code. +@@ -4759,16 +4755,68 @@ ssl3_ConsumeSignatureAndHashAlgorithm(ss + } + return SECSuccess; + } + + /************************************************************************** + * end of Consume Handshake functions. + **************************************************************************/ + ++#ifndef NO_PKCS11_BYPASS ++static SECStatus ++ssl3_ComputeBypassHandshakeHash(unsigned char *buf, unsigned int len, ++ SSLHashType hashAlg, SSL3Hashes *hashes) ++{ ++ const SECHashObject *h_obj = NULL; ++ PRUint64 h_cx[MAX_MAC_CONTEXT_LLONGS]; ++ const SECOidData *hashOid = ++ SECOID_FindOIDByMechanism(ssl3_GetHashMechanismByHashType(hashAlg)); ++ ++ if (hashOid) { ++ h_obj = HASH_GetRawHashObject(HASH_GetHashTypeByOidTag(hashOid->offset)); ++ } ++ if (!h_obj) { ++ ssl_MapLowLevelError(SSL_ERROR_DIGEST_FAILURE); ++ return SECFailure; ++ } ++ h_obj->begin(h_cx); ++ h_obj->update(h_cx, buf, len); ++ h_obj->end(h_cx, hashes->u.raw, &hashes->len, sizeof(hashes->u.raw)); ++ PRINT_BUF(60, (NULL, "HASH: result", hashes->u.raw, hashes->len)); ++ hashes->hashAlg = hashAlg; ++ return SECSuccess; ++} ++#endif ++ ++static SECStatus ++ssl3_ComputePkcs11HandshakeHash(unsigned char *buf, unsigned int len, ++ SSLHashType hashAlg, SSL3Hashes *hashes) ++{ ++ SECStatus rv = SECFailure; ++ PK11Context *hashContext = PK11_CreateDigestContext( ++ ssl3_TLSHashAlgorithmToOID(hashAlg)); ++ ++ if (!hashContext) { ++ return rv; ++ } ++ rv = PK11_DigestBegin(hashContext); ++ if (rv == SECSuccess) { ++ rv = PK11_DigestOp(hashContext, buf, len); ++ } ++ if (rv == SECSuccess) { ++ rv = PK11_DigestFinal(hashContext, hashes->u.raw, &hashes->len, ++ sizeof(hashes->u.raw)); ++ } ++ if (rv == SECSuccess) { ++ hashes->hashAlg = hashAlg; ++ } ++ PK11_DestroyContext(hashContext, PR_TRUE); ++ return rv; ++} ++ + /* Extract the hashes of handshake messages to this point. + * Called from ssl3_SendCertificateVerify + * ssl3_SendFinished + * ssl3_HandleHandshakeMessage + * + * Caller must hold the SSL3HandshakeLock. + * Caller must hold a read or write lock on the Spec R/W lock. + * (There is presently no way to assert on a Read lock.) +@@ -4798,23 +4846,27 @@ ssl3_ComputeHandshakeHashes(sslSocket * + ss->ssl3.hs.hashType == handshake_hash_single) { + /* compute them without PKCS11 */ + PRUint64 sha_cx[MAX_MAC_CONTEXT_LLONGS]; + + ss->ssl3.hs.sha_clone(sha_cx, ss->ssl3.hs.sha_cx); + ss->ssl3.hs.sha_obj->end(sha_cx, hashes->u.raw, &hashes->len, + sizeof(hashes->u.raw)); + +- PRINT_BUF(60, (NULL, "SHA-256: result", hashes->u.raw, hashes->len)); +- +- /* If we ever support ciphersuites where the PRF hash isn't SHA-256 +- * then this will need to be updated. */ +- hashes->hashAlg = ssl_hash_sha256; ++ PRINT_BUF(60, (NULL, "HASH: result", hashes->u.raw, hashes->len)); ++ ++ hashes->hashAlg = ssl3_GetSuitePrfHash(ss); + rv = SECSuccess; +- } else if (ss->opt.bypassPKCS11) { ++ } else if (ss->opt.bypassPKCS11 && ++ ss->ssl3.hs.hashType == handshake_hash_record) { ++ rv = ssl3_ComputeBypassHandshakeHash(ss->ssl3.hs.messages.buf, ++ ss->ssl3.hs.messages.len, ++ ssl3_GetSuitePrfHash(ss), ++ hashes); ++ } else if (ss->opt.bypassPKCS11) { /* TLS 1.1 or lower */ + /* compute them without PKCS11 */ + PRUint64 md5_cx[MAX_MAC_CONTEXT_LLONGS]; + PRUint64 sha_cx[MAX_MAC_CONTEXT_LLONGS]; + + #define md5cx ((MD5Context *)md5_cx) + #define shacx ((SHA1Context *)sha_cx) + + MD5_Clone (md5cx, (MD5Context *)ss->ssl3.hs.md5_cx); +@@ -4942,16 +4994,21 @@ tls12_loser: + if (PK11_RestoreContext(h, stateBuf, stateLen) != SECSuccess) { + ssl_MapLowLevelError(SSL_ERROR_DIGEST_FAILURE); + rv = SECFailure; + } + if (stateBuf != stackBuf) { + PORT_ZFree(stateBuf, stateLen); + } + } ++ } else if (ss->ssl3.hs.hashType == handshake_hash_record) { ++ rv = ssl3_ComputePkcs11HandshakeHash(ss->ssl3.hs.messages.buf, ++ ss->ssl3.hs.messages.len, ++ ssl3_GetSuitePrfHash(ss), ++ hashes); + } else { + /* compute hashes with PKCS11 */ + PK11Context * md5; + PK11Context * sha = NULL; + unsigned char *md5StateBuf = NULL; + unsigned char *shaStateBuf = NULL; + unsigned int md5StateLen, shaStateLen; + unsigned char md5StackBuf[256]; +@@ -5096,41 +5153,16 @@ tls12_loser: + if (shaStateBuf != shaStackBuf) { + PORT_ZFree(shaStateBuf, shaStateLen); + } + } + } + return rv; + } + +-static SECStatus +-ssl3_ComputeBackupHandshakeHashes(sslSocket * ss, +- SSL3Hashes * hashes) /* output goes here. */ +-{ +- SECStatus rv = SECSuccess; +- +- PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) ); +- PORT_Assert( !ss->sec.isServer ); +- PORT_Assert( ss->ssl3.hs.hashType == handshake_hash_single ); +- +- rv = PK11_DigestFinal(ss->ssl3.hs.backupHash, hashes->u.raw, &hashes->len, +- sizeof(hashes->u.raw)); +- if (rv != SECSuccess) { +- ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE); +- rv = SECFailure; +- goto loser; +- } +- hashes->hashAlg = ssl_hash_sha1; +- +-loser: +- PK11_DestroyContext(ss->ssl3.hs.backupHash, PR_TRUE); +- ss->ssl3.hs.backupHash = NULL; +- return rv; +-} +- + /* + * SSL 2 based implementations pass in the initial outbound buffer + * so that the handshake hash can contain the included information. + * + * Called from ssl2_BeginClientHandshake() in sslcon.c + */ + SECStatus + ssl3_StartHandshakeHash(sslSocket *ss, unsigned char * buf, int length) +@@ -6451,26 +6483,44 @@ ssl3_SendCertificateVerify(sslSocket *ss + + PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss)); + PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); + + SSL_TRC(3, ("%d: SSL3[%d]: send certificate_verify handshake", + SSL_GETPID(), ss->fd)); + + ssl_GetSpecReadLock(ss); +- if (ss->ssl3.hs.hashType == handshake_hash_single && +- ss->ssl3.hs.backupHash) { +- rv = ssl3_ComputeBackupHandshakeHashes(ss, &hashes); +- PORT_Assert(!ss->ssl3.hs.backupHash); ++ ++ if (ss->ssl3.hs.hashType == handshake_hash_record && ++ ss->ssl3.hs.tls12CertVerifyHash != ssl3_GetSuitePrfHash(ss)) { ++#ifndef NO_PKCS11_BYPASS ++ if (ss->opt.bypassPKCS11) { ++ rv = ssl3_ComputeBypassHandshakeHash(ss->ssl3.hs.messages.buf, ++ ss->ssl3.hs.messages.len, ++ ss->ssl3.hs.tls12CertVerifyHash, ++ &hashes); ++ } else ++#endif ++ { ++ rv = ssl3_ComputePkcs11HandshakeHash(ss->ssl3.hs.messages.buf, ++ ss->ssl3.hs.messages.len, ++ ss->ssl3.hs.tls12CertVerifyHash, ++ &hashes); ++ } ++ if (rv != SECSuccess) { ++ ssl_MapLowLevelError(SSL_ERROR_DIGEST_FAILURE); ++ goto done; ++ } + } else { +- rv = ssl3_ComputeHandshakeHashes(ss, ss->ssl3.pwSpec, &hashes, 0); +- } ++ rv = ssl3_ComputeHandshakeHashes(ss, ss->ssl3.pwSpec, &hashes, 0); ++ } ++ + ssl_ReleaseSpecReadLock(ss); + if (rv != SECSuccess) { +- goto done; /* err code was set by ssl3_ComputeHandshakeHashes */ ++ goto done; /* err code was set by ssl3_ComputeHandshakeHashes */ + } + + isTLS = (PRBool)(ss->ssl3.pwSpec->version > SSL_LIBRARY_VERSION_3_0); + isTLS12 = (PRBool)(ss->ssl3.pwSpec->version >= SSL_LIBRARY_VERSION_TLS_1_2); + keyType = ss->ssl3.clientPrivateKey->keyType; + rv = ssl3_SignHashes(&hashes, ss->ssl3.clientPrivateKey, &buf, isTLS); + if (rv == SECSuccess) { + PK11SlotInfo * slot; +@@ -7249,88 +7299,18 @@ ssl3_ExtractClientKeyInfo(sslSocket *ss, + } + + done: + if (pubk) + SECKEY_DestroyPublicKey(pubk); + return rv; + } + +-/* Destroys the backup handshake hash context if we don't need it. Note that +- * this function selects the hash algorithm for client authentication +- * signatures; ssl3_SendCertificateVerify uses the presence of the backup hash +- * to determine whether to use SHA-1, or the PRF hash of the cipher suite. */ + static void +-ssl3_DestroyBackupHandshakeHashIfNotNeeded(sslSocket *ss, +- const SECItem *algorithms) +-{ +- SECStatus rv; +- SSLSignType sigAlg; +- PRBool preferSha1; +- PRBool supportsSha1 = PR_FALSE; +- PRBool supportsHandshakeHash = PR_FALSE; +- PRBool needBackupHash = PR_FALSE; +- unsigned int i; +- SECOidData *hashOid; +- TLSHashAlgorithm suitePRFHash; +- PRBool suitePRFIs256Or384 = PR_FALSE; +- +-#ifndef NO_PKCS11_BYPASS +- /* Backup handshake hash is not supported in PKCS #11 bypass mode. */ +- if (ss->opt.bypassPKCS11) { +- PORT_Assert(!ss->ssl3.hs.backupHash); +- return; +- } +-#endif +- PORT_Assert(ss->ssl3.hs.backupHash); +- +- /* Determine the key's signature algorithm and whether it prefers SHA-1. */ +- rv = ssl3_ExtractClientKeyInfo(ss, &sigAlg, &preferSha1); +- if (rv != SECSuccess) { +- goto done; +- } +- +- hashOid = SECOID_FindOIDByMechanism(ssl3_GetPrfHashMechanism(ss)); +- if (hashOid == NULL) { +- rv = SECFailure; +- goto done; +- } +- +- if (hashOid->offset == SEC_OID_SHA256) { +- suitePRFHash = tls_hash_sha256; +- suitePRFIs256Or384 = PR_TRUE; +- } else if (hashOid->offset == SEC_OID_SHA384) { +- suitePRFHash = tls_hash_sha384; +- suitePRFIs256Or384 = PR_TRUE; +- } +- +- /* Determine the server's hash support for that signature algorithm. */ +- for (i = 0; i < algorithms->len; i += 2) { +- if (algorithms->data[i+1] == sigAlg) { +- if (algorithms->data[i] == ssl_hash_sha1) { +- supportsSha1 = PR_TRUE; +- } else if (suitePRFIs256Or384 && +- algorithms->data[i] == suitePRFHash) { +- supportsHandshakeHash = PR_TRUE; +- } +- } +- } +- +- /* If either the server does not support SHA-256 or the client key prefers +- * SHA-1, leave the backup hash. */ +- if (supportsSha1 && (preferSha1 || !supportsHandshakeHash)) { +- needBackupHash = PR_TRUE; +- } +- +-done: +- if (!needBackupHash) { +- PK11_DestroyContext(ss->ssl3.hs.backupHash, PR_TRUE); +- ss->ssl3.hs.backupHash = NULL; +- } +-} ++ssl3_DecideTls12CertVerifyHash(sslSocket *ss, const SECItem *algorithms); + + typedef struct dnameNode { + struct dnameNode *next; + SECItem name; + } dnameNode; + + /* Called from ssl3_HandleHandshakeMessage() when it has deciphered a complete + * ssl3 Certificate Request message. +@@ -7486,19 +7466,20 @@ ssl3_HandleCertificateRequest(sslSocket + certUsageSSLClient, PR_FALSE); + if (ss->ssl3.clientCertChain == NULL) { + CERT_DestroyCertificate(ss->ssl3.clientCertificate); + ss->ssl3.clientCertificate = NULL; + SECKEY_DestroyPrivateKey(ss->ssl3.clientPrivateKey); + ss->ssl3.clientPrivateKey = NULL; + goto send_no_certificate; + } +- if (ss->ssl3.hs.hashType == handshake_hash_single) { +- ssl3_DestroyBackupHandshakeHashIfNotNeeded(ss, &algorithms); +- } ++ if (ss->ssl3.hs.hashType == handshake_hash_record || ++ ss->ssl3.hs.hashType == handshake_hash_single) { ++ ssl3_DecideTls12CertVerifyHash(ss, &algorithms); ++ } + break; /* not an error */ + + case SECFailure: + default: + send_no_certificate: + if (isTLS) { + ss->ssl3.sendEmptyCert = PR_TRUE; + } else { +@@ -7639,24 +7620,16 @@ ssl3_SendClientSecondRound(sslSocket *ss + + PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) ); + PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) ); + + sendClientCert = !ss->ssl3.sendEmptyCert && + ss->ssl3.clientCertChain != NULL && + ss->ssl3.clientPrivateKey != NULL; + +- if (!sendClientCert && +- ss->ssl3.hs.hashType == handshake_hash_single && +- ss->ssl3.hs.backupHash) { +- /* Don't need the backup handshake hash. */ +- PK11_DestroyContext(ss->ssl3.hs.backupHash, PR_TRUE); +- ss->ssl3.hs.backupHash = NULL; +- } +- + /* We must wait for the server's certificate to be authenticated before + * sending the client certificate in order to disclosing the client + * certificate to an attacker that does not have a valid cert for the + * domain we are connecting to. + * + * XXX: We should do the same for the NPN extension, but for that we + * need an option to give the application the ability to leak the NPN + * information to get better performance. +@@ -9415,16 +9388,69 @@ ssl3_PickSignatureHashAlgorithm(sslSocke + } + } + } + + PORT_SetError(SSL_ERROR_UNSUPPORTED_HASH_ALGORITHM); + return SECFailure; + } + ++static void ++ssl3_DecideTls12CertVerifyHash(sslSocket *ss, const SECItem *algorithms) ++{ ++ SECStatus rv; ++ SSLSignType sigAlg; ++ PRBool preferSha1 = PR_FALSE; ++ PRBool supportsSha1 = PR_FALSE; ++ PRBool supportsHandshakeHash = PR_FALSE; ++ unsigned int i; ++ SSLHashType otherHashAlg = ssl_hash_none; ++ ++ /* Determine the key's signature algorithm and whether it prefers SHA-1. */ ++ rv = ssl3_ExtractClientKeyInfo(ss, &sigAlg, &preferSha1); ++ if (rv != SECSuccess) { ++ return; ++ } ++ ++ /* Determine the server's hash support for that signature algorithm. */ ++ for (i = 0; i < algorithms->len; i += 2) { ++ if (algorithms->data[i + 1] == sigAlg) { ++ SSLHashType hashAlg = algorithms->data[i]; ++ SECOidTag hashOID; ++ PRUint32 policy; ++ if (hashAlg == ssl_hash_sha1 && ++ ss->ssl3.pwSpec->version >= SSL_LIBRARY_VERSION_TLS_1_3) { ++ /* TLS 1.3 explicitly forbids using SHA-1 with certificate_verify. */ ++ continue; ++ } ++ hashOID = ssl3_TLSHashAlgorithmToOID(hashAlg); ++ if ((NSS_GetAlgorithmPolicy(hashOID, &policy) == SECSuccess) && ++ !(policy & NSS_USE_ALG_IN_SSL_KX)) { ++ /* we ignore hashes we don't support */ ++ continue; ++ } ++ if (hashAlg == ssl_hash_sha1) { ++ supportsSha1 = PR_TRUE; ++ } else if (hashAlg == ssl3_GetSuitePrfHash(ss)) { ++ supportsHandshakeHash = PR_TRUE; ++ } ++ if (otherHashAlg == ssl_hash_none) { ++ otherHashAlg = hashAlg; ++ } ++ } ++ } ++ ++ if (supportsSha1 && preferSha1) { ++ ss->ssl3.hs.tls12CertVerifyHash = ssl_hash_sha1; ++ } else if (supportsHandshakeHash) { ++ ss->ssl3.hs.tls12CertVerifyHash = ssl3_GetSuitePrfHash(ss); /* Use suite PRF hash. */ ++ } else { ++ ss->ssl3.hs.tls12CertVerifyHash = otherHashAlg; ++ } ++} + + static SECStatus + ssl3_SendServerKeyExchange(sslSocket *ss) + { + const ssl3KEADef * kea_def = ss->ssl3.hs.kea_def; + SECStatus rv = SECFailure; + int length; + PRBool isTLS; +@@ -9534,38 +9560,32 @@ ssl3_SendServerKeyExchange(sslSocket *ss + } + loser: + if (signed_hash.data != NULL) + PORT_Free(signed_hash.data); + return SECFailure; + } + + static SECStatus +-ssl3_EncodeCertificateRequestSigAlgs(sslSocket *ss, PRUint8 allowedHashAlg, +- PRUint8 *buf, ++ssl3_EncodeCertificateRequestSigAlgs(sslSocket *ss, PRUint8 *buf, + unsigned maxLen, PRUint32 *len) + { + unsigned int i; + + PORT_Assert(maxLen >= ss->ssl3.signatureAlgorithmCount * 2); + if (maxLen < ss->ssl3.signatureAlgorithmCount * 2) { + PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); + return SECFailure; + } + + *len = 0; + for (i = 0; i < ss->ssl3.signatureAlgorithmCount; ++i) { + const SSLSignatureAndHashAlg *alg = &ss->ssl3.signatureAlgorithms[i]; +- /* Note that we don't support a handshake hash with anything other than +- * SHA-256, so asking for a signature from clients for something else +- * would be inviting disaster. */ +- if (alg->hashAlg == allowedHashAlg) { +- buf[(*len)++] = (PRUint8)alg->hashAlg; +- buf[(*len)++] = (PRUint8)alg->sigAlg; +- } ++ buf[(*len)++] = (PRUint8)alg->hashAlg; ++ buf[(*len)++] = (PRUint8)alg->sigAlg; + } + + if (*len == 0) { + PORT_SetError(SSL_ERROR_NO_SUPPORTED_SIGNATURE_ALGORITHM); + return SECFailure; + } + return SECSuccess; + } +@@ -9582,17 +9602,16 @@ ssl3_SendCertificateRequest(sslSocket *s + int length; + int i; + int calen = 0; + int nnames = 0; + int certTypesLength; + PRUint8 sigAlgs[MAX_SIGNATURE_ALGORITHMS * 2]; + unsigned int sigAlgsLength = 0; + SECOidData *hashOid; +- PRUint8 allowedHashAlg; + + SSL_TRC(3, ("%d: SSL3[%d]: send certificate_request handshake", + SSL_GETPID(), ss->fd)); + + PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss)); + PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); + + isTLS12 = (PRBool)(ss->ssl3.pwSpec->version >= SSL_LIBRARY_VERSION_TLS_1_2); +@@ -9615,27 +9634,19 @@ ssl3_SendCertificateRequest(sslSocket *s + certTypes = certificate_types; + certTypesLength = sizeof certificate_types; + + hashOid = SECOID_FindOIDByMechanism(ssl3_GetPrfHashMechanism(ss)); + if (hashOid == NULL) { + return SECFailure; /* err set by AppendHandshake. */ + } + +- if (hashOid->offset == SEC_OID_SHA256) { +- allowedHashAlg = ssl_hash_sha256; +- } else if (hashOid->offset == SEC_OID_SHA384) { +- allowedHashAlg = ssl_hash_sha384; +- } else { +- return SECFailure; /* err set by AppendHandshake. */ +- } +- + length = 1 + certTypesLength + 2 + calen; + if (isTLS12) { +- rv = ssl3_EncodeCertificateRequestSigAlgs(ss, allowedHashAlg, ++ rv = ssl3_EncodeCertificateRequestSigAlgs(ss, + sigAlgs, sizeof(sigAlgs), + &sigAlgsLength); + if (rv != SECSuccess) { + return rv; + } + length += 2 + sigAlgsLength; + } + +@@ -9696,70 +9707,89 @@ ssl3_SendServerHelloDone(sslSocket *ss) + static SECStatus + ssl3_HandleCertificateVerify(sslSocket *ss, SSL3Opaque *b, PRUint32 length, + SSL3Hashes *hashes) + { + SECItem signed_hash = {siBuffer, NULL, 0}; + SECStatus rv; + int errCode = SSL_ERROR_RX_MALFORMED_CERT_VERIFY; + SSL3AlertDescription desc = handshake_failure; +- PRBool isTLS, isTLS12; ++ PRBool isTLS; + SSLSignatureAndHashAlg sigAndHash; ++ SSL3Hashes localHashes; ++ SSL3Hashes *hashesForVerify = NULL; + + SSL_TRC(3, ("%d: SSL3[%d]: handle certificate_verify handshake", + SSL_GETPID(), ss->fd)); + PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) ); + PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) ); + ++ /* TLS 1.3 is handled by tls13_HandleCertificateVerify */ ++ PORT_Assert(ss->ssl3.prSpec->version <= SSL_LIBRARY_VERSION_TLS_1_2); ++ + isTLS = (PRBool)(ss->ssl3.prSpec->version > SSL_LIBRARY_VERSION_3_0); +- isTLS12 = (PRBool)(ss->ssl3.prSpec->version >= SSL_LIBRARY_VERSION_TLS_1_2); + + if (ss->ssl3.hs.ws != wait_cert_verify) { + desc = unexpected_message; + errCode = SSL_ERROR_RX_UNEXPECTED_CERT_VERIFY; + goto alert_loser; + } + +- if (!hashes) { +- PORT_Assert(0); +- desc = internal_error; +- errCode = SEC_ERROR_LIBRARY_FAILURE; +- goto alert_loser; +- } +- +- if (isTLS12) { ++ if (ss->ssl3.hs.hashType != handshake_hash_record) { ++ if (!hashes) { ++ PORT_Assert(0); ++ desc = internal_error; ++ errCode = SEC_ERROR_LIBRARY_FAILURE; ++ goto alert_loser; ++ } ++ hashesForVerify = hashes; ++ } else { + rv = ssl3_ConsumeSignatureAndHashAlgorithm(ss, &b, &length, + &sigAndHash); + if (rv != SECSuccess) { + goto loser; /* malformed or unsupported. */ + } + rv = ssl3_CheckSignatureAndHashAlgorithmConsistency( + ss, &sigAndHash, ss->sec.peerCert); + if (rv != SECSuccess) { + errCode = PORT_GetError(); + desc = decrypt_error; + goto alert_loser; + } + +- /* We only support CertificateVerify messages that use the handshake +- * hash. */ +- if (sigAndHash.hashAlg != hashes->hashAlg) { +- errCode = SSL_ERROR_UNSUPPORTED_HASH_ALGORITHM; ++#ifndef NO_PKCS11_BYPASS ++ if (ss->opt.bypassPKCS11) { ++ rv = ssl3_ComputeBypassHandshakeHash(hashes->u.pointer_to_hash_input.data, ++ hashes->u.pointer_to_hash_input.len, ++ sigAndHash.hashAlg, ++ &localHashes); ++ } else ++#endif ++ { ++ rv = ssl3_ComputePkcs11HandshakeHash(hashes->u.pointer_to_hash_input.data, ++ hashes->u.pointer_to_hash_input.len, ++ sigAndHash.hashAlg, ++ &localHashes); ++ } ++ if (rv == SECSuccess) { ++ hashesForVerify = &localHashes; ++ } else { ++ errCode = SSL_ERROR_DIGEST_FAILURE; + desc = decrypt_error; + goto alert_loser; + } + } + + rv = ssl3_ConsumeHandshakeVariable(ss, &signed_hash, 2, &b, &length); + if (rv != SECSuccess) { + goto loser; /* malformed. */ + } + + /* XXX verify that the key & kea match */ +- rv = ssl3_VerifySignedHashes(hashes, ss->sec.peerCert, &signed_hash, ++ rv = ssl3_VerifySignedHashes(hashesForVerify, ss->sec.peerCert, &signed_hash, + isTLS, ss->pkcs11PinArg); + if (rv != SECSuccess) { + errCode = PORT_GetError(); + desc = isTLS ? decrypt_error : handshake_failure; + goto alert_loser; + } + + signed_hash.data = NULL; +@@ -11638,34 +11668,63 @@ SECStatus + ssl3_HandleHandshakeMessage(sslSocket *ss, SSL3Opaque *b, PRUint32 length) + { + SECStatus rv = SECSuccess; + SSL3HandshakeType type = ss->ssl3.hs.msg_type; + SSL3Hashes hashes; /* computed hashes are put here. */ + SSL3Hashes *hashesPtr = NULL; /* Set when hashes are computed */ + PRUint8 hdr[4]; + PRUint8 dtlsData[8]; ++ PRBool computeHashes = PR_FALSE; + + PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) ); + PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) ); + /* + * We have to compute the hashes before we update them with the + * current message. + */ + ssl_GetSpecReadLock(ss); /************************************/ +- if(((type == finished) && (ss->ssl3.hs.ws == wait_finished)) || +- ((type == certificate_verify) && (ss->ssl3.hs.ws == wait_cert_verify))) { +- SSL3Sender sender = (SSL3Sender)0; +- ssl3CipherSpec *rSpec = ss->ssl3.prSpec; +- +- if (type == finished) { +- sender = ss->sec.isServer ? sender_client : sender_server; +- rSpec = ss->ssl3.crSpec; +- } +- rv = ssl3_ComputeHandshakeHashes(ss, rSpec, &hashes, sender); ++ ++ if ((type == finished) && (ss->ssl3.hs.ws == wait_finished)) { ++ computeHashes = PR_TRUE; ++ } else if ((type == certificate_verify) && (ss->ssl3.hs.ws == wait_cert_verify)) { ++ if (ss->ssl3.hs.hashType == handshake_hash_record) { ++ /* We cannot compute the hash yet. We must wait until we have ++ * decoded the certificate_verify message in ++ * ssl3_HandleCertificateVerify, which will tell us which ++ * hash function we must use. ++ * ++ * (ssl3_HandleCertificateVerify cannot simply look at the ++ * buffer length itself, because at the time we reach it, ++ * additional handshake messages will have been added to the ++ * buffer, e.g. the certificate_verify message itself.) ++ * ++ * Therefore, we use SSL3Hashes.u.pointer_to_hash_input ++ * to signal the current state of the buffer. ++ * ++ * ssl3_HandleCertificateVerify will detect ++ * hashType == handshake_hash_record ++ * and use that information to calculate the hash. ++ */ ++ hashes.u.pointer_to_hash_input.data = ss->ssl3.hs.messages.buf; ++ hashes.u.pointer_to_hash_input.len = ss->ssl3.hs.messages.len; ++ hashesPtr = &hashes; ++ } else { ++ computeHashes = PR_TRUE; ++ } ++ } ++ if (computeHashes) { ++ SSL3Sender sender = (SSL3Sender)0; ++ ssl3CipherSpec *rSpec = ss->ssl3.prSpec; ++ ++ if (type == finished) { ++ sender = ss->sec.isServer ? sender_client : sender_server; ++ rSpec = ss->ssl3.crSpec; ++ } ++ rv = ssl3_ComputeHandshakeHashes(ss, rSpec, &hashes, sender); + if (rv == SECSuccess) { + hashesPtr = &hashes; + } + } + ssl_ReleaseSpecReadLock(ss); /************************************/ + if (rv != SECSuccess) { + return rv; /* error code was set by ssl3_ComputeHandshakeHashes*/ + } +@@ -13080,20 +13139,17 @@ ssl3_DestroySSL3Info(sslSocket *ss) + } + if (ss->ssl3.hs.sha) { + PK11_DestroyContext(ss->ssl3.hs.sha,PR_TRUE); + } + if (ss->ssl3.hs.clientSigAndHash) { + PORT_Free(ss->ssl3.hs.clientSigAndHash); + } + if (ss->ssl3.hs.messages.buf) { +- PORT_Free(ss->ssl3.hs.messages.buf); +- ss->ssl3.hs.messages.buf = NULL; +- ss->ssl3.hs.messages.len = 0; +- ss->ssl3.hs.messages.space = 0; ++ sslBuffer_Clear(&ss->ssl3.hs.messages); + } + + /* free the SSL3Buffer (msg_body) */ + PORT_Free(ss->ssl3.hs.msg_body.buf); + + SECITEM_FreeItem(&ss->ssl3.hs.newSessionTicket.ticket, PR_FALSE); + + /* free up the CipherSpecs */ +diff --git a/lib/ssl/ssl3prot.h b/lib/ssl/ssl3prot.h +--- a/lib/ssl/ssl3prot.h ++++ b/lib/ssl/ssl3prot.h +@@ -254,16 +254,17 @@ typedef struct { + * which, if |hashAlg==ssl_hash_none| is also a SSL3HashesIndividually + * struct. */ + typedef struct { + unsigned int len; + SSLHashType hashAlg; + union { + PRUint8 raw[64]; + SSL3HashesIndividually s; ++ SECItem pointer_to_hash_input; + } u; + } SSL3Hashes; + + typedef struct { + union { + SSL3Opaque anonymous; + SSL3Hashes certified; + } u; +diff --git a/lib/ssl/sslimpl.h b/lib/ssl/sslimpl.h +--- a/lib/ssl/sslimpl.h ++++ b/lib/ssl/sslimpl.h +@@ -847,17 +847,18 @@ typedef struct DTLSQueuedMessageStr { + SSL3ContentType type; /* The message type */ + unsigned char *data; /* The data */ + PRUint16 len; /* The data length */ + } DTLSQueuedMessage; + + typedef enum { + handshake_hash_unknown = 0, + handshake_hash_combo = 1, /* The MD5/SHA-1 combination */ +- handshake_hash_single = 2 /* A single hash */ ++ handshake_hash_single = 2, /* A single hash */ ++ handshake_hash_record + } SSL3HandshakeHashType; + + /* + ** This is the "hs" member of the "ssl3" struct. + ** This entire struct is protected by ssl3HandshakeLock + */ + typedef struct SSL3HandshakeStateStr { + SSL3Random server_random; +@@ -880,22 +881,19 @@ typedef struct SSL3HandshakeStateStr { + * of the freebl _Clone functions, so we need a dedicated function + * pointer for the _Clone function. */ + void (*sha_clone)(void *dest, void *src); + #endif + /* PKCS #11 mode: + * SSL 3.0 - TLS 1.1 use both |md5| and |sha|. |md5| is used for MD5 and + * |sha| for SHA-1. + * TLS 1.2 and later use only |sha|, for SHA-256. */ +- /* NOTE: On the client side, TLS 1.2 and later use |md5| as a backup +- * handshake hash for generating client auth signatures. Confusingly, the +- * backup hash function is SHA-1. */ +-#define backupHash md5 + PK11Context * md5; + PK11Context * sha; ++ SSLHashType tls12CertVerifyHash; + + const ssl3KEADef * kea_def; + ssl3CipherSuite cipher_suite; + const ssl3CipherSuiteDef *suite_def; + SSLCompressionMethod compression; + sslBuffer msg_body; /* protected by recvBufLock */ + /* partial handshake message from record layer */ + unsigned int header_bytes; +@@ -1452,16 +1450,17 @@ extern SECStatus ssl_SaveWriteData(sslSo + const void* p, unsigned int l); + extern SECStatus ssl2_BeginClientHandshake(sslSocket *ss); + extern SECStatus ssl2_BeginServerHandshake(sslSocket *ss); + extern int ssl_Do1stHandshake(sslSocket *ss); + + extern SECStatus sslBuffer_Grow(sslBuffer *b, unsigned int newLen); + extern SECStatus sslBuffer_Append(sslBuffer *b, const void * data, + unsigned int len); ++extern void sslBuffer_Clear(sslBuffer *b); + + extern void ssl2_UseClearSendFunc(sslSocket *ss); + extern void ssl_ChooseSessionIDProcs(sslSecurityInfo *sec); + + extern sslSessionID *ssl3_NewSessionID(sslSocket *ss, PRBool is_server); + extern sslSessionID *ssl_LookupSID(const PRIPv6Addr *addr, PRUint16 port, + const char *peerID, const char *urlSvrName); + extern void ssl_FreeSID(sslSessionID *sid); +diff --git a/lib/ssl/sslsecur.c b/lib/ssl/sslsecur.c +--- a/lib/ssl/sslsecur.c ++++ b/lib/ssl/sslsecur.c +@@ -528,16 +528,27 @@ sslBuffer_Append(sslBuffer *b, const voi + rv = sslBuffer_Grow(b, newLen); + if (rv != SECSuccess) + return rv; + PORT_Memcpy(b->buf + b->len, data, len); + b->len += len; + return SECSuccess; + } + ++void ++sslBuffer_Clear(sslBuffer *b) ++{ ++ if (b->len > 0) { ++ PORT_Free(b->buf); ++ b->buf = NULL; ++ b->len = 0; ++ b->space = 0; ++ } ++} ++ + /* + ** Save away write data that is trying to be written before the security + ** handshake has been completed. When the handshake is completed, we will + ** flush this data out. + ** Caller must hold xmitBufLock + */ + SECStatus + ssl_SaveWriteData(sslSocket *ss, const void *data, unsigned int len) diff --git a/SOURCES/nss-ssl-delete-duplicates.patch b/SOURCES/nss-ssl-delete-duplicates.patch new file mode 100644 index 0000000..cd92b25 --- /dev/null +++ b/SOURCES/nss-ssl-delete-duplicates.patch @@ -0,0 +1,63 @@ +diff --git a/lib/ssl/ssl3con.c b/lib/ssl/ssl3con.c +--- a/lib/ssl/ssl3con.c ++++ b/lib/ssl/ssl3con.c +@@ -426,36 +426,30 @@ static const ssl3CipherSuiteDef cipher_s + cipher_rc4_56, mac_sha,kea_rsa_export_1024, 0}, + + {SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA, cipher_3des, mac_sha, kea_rsa_fips, 0}, + {SSL_RSA_FIPS_WITH_DES_CBC_SHA, cipher_des, mac_sha, kea_rsa_fips, 0}, + + {TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_aead, kea_dhe_rsa, prf_256}, + {TLS_RSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_aead, kea_rsa, prf_256}, + #ifndef NSS_DISABLE_ECC +- {TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_aead, kea_ecdhe_rsa}, +- {TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_aead, kea_ecdhe_ecdsa}, + {TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_aead, kea_ecdhe_rsa, prf_256}, + {TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_aead, kea_ecdhe_ecdsa, prf_256}, + {TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, cipher_aes_256_gcm, mac_aead, kea_ecdhe_ecdsa, prf_384}, + {TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, cipher_aes_256_gcm, mac_aead, kea_ecdhe_rsa, prf_384}, + {TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, cipher_aes_256, hmac_sha384, kea_ecdhe_ecdsa, prf_384}, + {TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, cipher_aes_256, hmac_sha384, kea_ecdhe_rsa, prf_384}, + #endif /* NSS_DISABLE_ECC */ + {TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, cipher_aes_256_gcm, mac_aead, kea_dhe_rsa, prf_384}, + {TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_aead, kea_dhe_dss, prf_256}, + {TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, cipher_aes_256_gcm, mac_aead, kea_dhe_dss, prf_384}, + {TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, cipher_aes_128, hmac_sha256, kea_dhe_dss, prf_256}, + {TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, cipher_aes_256, hmac_sha256, kea_dhe_dss, prf_256}, + {TLS_RSA_WITH_AES_256_GCM_SHA384, cipher_aes_256_gcm, mac_aead, kea_rsa, prf_384}, + +- {TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_aead, kea_dhe_dss, 0}, +- {TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, cipher_aes_128, hmac_sha256, kea_dhe_dss, 0}, +- {TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, cipher_aes_256, hmac_sha256, kea_dhe_dss, 0}, +- + #ifndef NSS_DISABLE_ECC + {TLS_ECDH_ECDSA_WITH_NULL_SHA, cipher_null, mac_sha, kea_ecdh_ecdsa, 0}, + {TLS_ECDH_ECDSA_WITH_RC4_128_SHA, cipher_rc4, mac_sha, kea_ecdh_ecdsa, 0}, + {TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, cipher_3des, mac_sha, kea_ecdh_ecdsa, 0}, + {TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, cipher_aes_128, mac_sha, kea_ecdh_ecdsa, 0}, + {TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, cipher_aes_256, mac_sha, kea_ecdh_ecdsa, 0}, + + {TLS_ECDHE_ECDSA_WITH_NULL_SHA, cipher_null, mac_sha, kea_ecdhe_ecdsa, 0}, +diff --git a/lib/ssl/sslinfo.c b/lib/ssl/sslinfo.c +--- a/lib/ssl/sslinfo.c ++++ b/lib/ssl/sslinfo.c +@@ -248,19 +248,16 @@ static const SSLCipherSuiteInfo suiteInf + {0,CS(TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384), S_RSA, K_ECDHE, C_AESGCM, B_256, M_AEAD_128, 1, 0, 0, }, + {0,CS(TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384), S_ECDSA, K_ECDHE, C_AES, B_256, M_SHA384, 1, 0, 0, }, + {0,CS(TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384), S_RSA, K_ECDHE, C_AES, B_256, M_SHA384, 1, 0, 0, }, + + #endif /* NSS_DISABLE_ECC */ + + {0,CS(TLS_DHE_DSS_WITH_AES_256_GCM_SHA384), S_DSA, K_DHE, C_AESGCM, B_256, M_AEAD_128, 1, 0, 0, }, + {0,CS(TLS_DHE_RSA_WITH_AES_256_GCM_SHA384), S_RSA, K_DHE, C_AESGCM, B_256, M_AEAD_128, 1, 0, 0, }, +-{0,CS(TLS_DHE_DSS_WITH_AES_128_GCM_SHA256), S_DSA, K_DHE, C_AESGCM, B_128, M_AEAD_128, 1, 0, 0, }, +-{0,CS(TLS_DHE_DSS_WITH_AES_128_CBC_SHA256), S_DSA, K_DHE, C_AES, B_128, M_SHA256, 1, 0, 0, }, +-{0,CS(TLS_DHE_DSS_WITH_AES_256_CBC_SHA256), S_DSA, K_DHE, C_AES, B_256, M_SHA256, 1, 0, 0, }, + {0,CS(TLS_RSA_WITH_AES_256_GCM_SHA384), S_RSA, K_RSA, C_AESGCM, B_256, M_AEAD_128, 1, 0, 0, }, + + /* SSL 2 table */ + {0,CK(SSL_CK_RC4_128_WITH_MD5), S_RSA, K_RSA, C_RC4, B_128, M_MD5, 0, 0, 0, }, + {0,CK(SSL_CK_RC2_128_CBC_WITH_MD5), S_RSA, K_RSA, C_RC2, B_128, M_MD5, 0, 0, 0, }, + {0,CK(SSL_CK_DES_192_EDE3_CBC_WITH_MD5), S_RSA, K_RSA, C_3DES,B_3DES,M_MD5, 0, 0, 0, }, + {0,CK(SSL_CK_DES_64_CBC_WITH_MD5), S_RSA, K_RSA, C_DES, B_DES, M_MD5, 0, 0, 0, }, + {0,CK(SSL_CK_RC4_128_EXPORT40_WITH_MD5), S_RSA, K_RSA, C_RC4, B_40, M_MD5, 0, 1, 0, }, diff --git a/SOURCES/nss-ssl-ssl3con-delete-duplicates.patch b/SOURCES/nss-ssl-ssl3con-delete-duplicates.patch deleted file mode 100644 index fc0b697..0000000 --- a/SOURCES/nss-ssl-ssl3con-delete-duplicates.patch +++ /dev/null @@ -1,21 +0,0 @@ ---- ./nss/lib/ssl/ssl3con.c.delete_duplicates 2016-04-04 10:13:34.310883577 -0700 -+++ ./nss/lib/ssl/ssl3con.c 2016-04-04 10:18:32.544936462 -0700 -@@ -426,18 +426,16 @@ - cipher_rc4_56, mac_sha,kea_rsa_export_1024, 0}, - - {SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA, cipher_3des, mac_sha, kea_rsa_fips, 0}, - {SSL_RSA_FIPS_WITH_DES_CBC_SHA, cipher_des, mac_sha, kea_rsa_fips, 0}, - - {TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_aead, kea_dhe_rsa, prf_256}, - {TLS_RSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_aead, kea_rsa, prf_256}, - #ifndef NSS_DISABLE_ECC -- {TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_aead, kea_ecdhe_rsa}, -- {TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_aead, kea_ecdhe_ecdsa}, - {TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_aead, kea_ecdhe_rsa, prf_256}, - {TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_aead, kea_ecdhe_ecdsa, prf_256}, - {TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, cipher_aes_256_gcm, mac_aead, kea_ecdhe_ecdsa, prf_384}, - {TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, cipher_aes_256_gcm, mac_aead, kea_ecdhe_rsa, prf_384}, - {TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, cipher_aes_256, hmac_sha384, kea_ecdhe_ecdsa, prf_384}, - {TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, cipher_aes_256, hmac_sha384, kea_ecdhe_rsa, prf_384}, - #endif /* NSS_DISABLE_ECC */ - {TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, cipher_aes_256_gcm, mac_aead, kea_dhe_rsa, prf_384}, diff --git a/SPECS/nss.spec b/SPECS/nss.spec index 649cf0a..21ea02d 100644 --- a/SPECS/nss.spec +++ b/SPECS/nss.spec @@ -27,7 +27,7 @@ Summary: Network Security Services Name: nss Version: 3.21.0 -Release: 9%{?dist} +Release: 17%{?dist} License: MPLv2.0 URL: http://www.mozilla.org/projects/security/pki/nss/ Group: System Environment/Libraries @@ -154,7 +154,13 @@ Patch115: nss-prevent-abi-issue.patch Patch116: nss-tests-prevent-abi-issue.patch Patch117: fix-nss-test-filtering.patch Patch118: fix-allowed-sig-alg.patch -Patch119: nss-ssl-ssl3con-delete-duplicates.patch +Patch119: nss-ssl-delete-duplicates.patch +Patch120: fix-reuse-of-session-cache-entry.patch +Patch121: flexible-certverify.patch +# https://bugzilla.redhat.com/show_bug.cgi?id=1298692 +Patch122: disable-ems-gtests.patch +# https://bugzilla.redhat.com/show_bug.cgi?id=1317691 +Patch123: call-restartmodules-in-nssinit.patch %description Network Security Services (NSS) is a set of libraries designed to @@ -277,8 +283,12 @@ popd %patch110 -p0 -b .no_ssl2 pushd nss %patch118 -p1 -b .allowed-sig-alg +%patch119 -p1 -b .delete_duplicates +%patch120 -p1 -b .session_cache +%patch121 -p1 -b .flexible_certverify +%patch122 -p1 -b .disable_ems_gtests +%patch123 -p1 -b .restartmodules_in_init popd -%patch119 -p0 -b .delete_duplicates ######################################################### # Higher-level libraries and test tools need access to @@ -543,7 +553,7 @@ pushd ./nss/tests/ # don't need to run all the tests when testing packaging # nss_cycles: standard pkix upgradedb sharedb -%global nss_tests "libpkix cert dbtests tools fips sdr crmf smime ssl ocsp merge pkits chains" +%global nss_tests "libpkix cert dbtests tools fips sdr crmf smime ssl ocsp merge pkits chains ssl_gtests" # nss_ssl_tests: crl bypass_normal normal_bypass normal_fips fips_normal iopr # nss_ssl_run: cov auth stress # @@ -572,8 +582,11 @@ TEST_FAILURES=$(grep -c FAILED ./tests_results/security/localhost.1/output.log) if [ ${GREP_EXIT_STATUS:-0} -eq 1 ]; then echo "okay: test suite detected no failures" else -# test suite is failing on arm and has for a while let's run the test suite but make it non fatal on arm -%ifnarch %{arm} + %ifarch %{arm} + : + # do nothing on arm where the test suite is failing and has been + # for while, do run the test suite but make it non fatal on arm + %else if [ ${GREP_EXIT_STATUS:-0} -eq 0 ]; then # while a situation in which grep return status is 0 and it doesn't output # anything shouldn't happen, set the default to something that is @@ -723,24 +736,6 @@ else fi /sbin/ldconfig -%posttrans -# An earlier version of this package had an incorrect %%postun script (3.14.3-9). -# (The incorrect %%postun always called "update-alternatives --remove", -# because it incorrectly assumed that test -f returns false for symbolic links.) -# The only possible remedy to fix the mistake that "always removes on upgrade" -# made by the older %%postun script, is to repair it in %%posttrans of the new package. -# Strategy: -# %%posttrans is never called when uninstalling. -# %%posttrans is only called when installing or upgrading a package. -# Because %%posttrans is the very last action of a package install, -# %%{_libdir}/libnssckbi.so must exist. -# If it does not, it's the result of the incorrect removal from a broken %%postun. -# In this case, we repeat installation of the alternatives link. -if ! test -e %{_libdir}/libnssckbi.so; then - %{_sbindir}/update-alternatives --install %{_libdir}/libnssckbi.so \ - %{alt_ckbi} %{_libdir}/nss/libnssckbi.so 10 -fi - %files %defattr(-,root,root) @@ -885,6 +880,37 @@ fi %changelog +* Thu Jun 30 2016 Kai Engert - 3.21.0-17 +- remove additional false duplicates from sha384 downstream patches + +* Tue Jun 28 2016 Kai Engert - 3.21.0-16 +- enable ssl_gtests (without extended master secret tests), Bug 1298692 +- call SECMOD_RestartModules in nss_Init, Bug 1317691 + +* Fri Jun 17 2016 Kai Engert - 3.21.0-15 +- escape all percent characters in all changelog comments + +* Fri Jun 17 2016 Kai Engert - 3.21.0-14 +- Support TLS 1.2 certificate_verify hashes other than PRF, + backported fix from NSS 3.25 (upstream bug 1179338). + +* Mon May 23 2016 Elio Maldonado - 3.21.0-13 +- Fix reuse of session cache entry +- Resolves: Bug 1241172 - Certificate verification fails with multiple https urls + +* Wed Apr 20 2016 Elio Maldonado - 3.21.0-12 +- Fix a flaw in %%check for nss not building on arm +- Resolves: Bug 1200856 + +* Wed Apr 20 2016 Elio Maldonado - 3.21.0-11 +- Cleanup: Remove unnecessary %%posttrans script from nss.spec +- Resolves: Bug 1174201 + +* Wed Apr 20 2016 Elio Maldonado - 3.21.0-10 +- Merge fixes from the rhel-7.2 branch +- Fix a bogus %%changelog entry +- Resolves: Bug 1297941 + * Fri Apr 15 2016 Kai Engert - 3.21.0-9 - Rebuild to require the latest nss-util build and nss-softokn build. @@ -898,22 +924,22 @@ fi - Fix missing support for sha384/dsa in certificate_request * Wed Mar 23 2016 Kai Engert - 3.21.0-5 +- Merge fixes from the rhel-7.2 branch - Fix the SigAlgs sent in certificate_request - -* Tue Mar 22 2016 Elio Maldonado - 3.21.0-4 - Ensure all ssl.sh tests are executed - Update sslauth test patch to run additional tests -* Thu Feb 25 2016 Elio Maldonado - 3.21.0-2 +* Fri Feb 26 2016 Elio Maldonado - 3.21.0-2 - Fix sha384 support and testing patches -* Mon Feb 22 2016 Elio Maldonado - 3.21.0-1 +* Wed Feb 17 2016 Elio Maldonado - 3.21.0-1 - Rebase to NSS-3.21 -- Resolves: Bug 1310581 * Tue Dec 15 2015 Elio Maldonado - 3.19.1-19 - Prevent TLS 1.2 Transcript Collision attacks against MD5 in key exchange protocol -- Resolves: Bug 1289883 +- Fix a mockbuild reported bad %%if condition when using the __isa_bits macro instead of list of 64-bit architectures +- Change the test to %%if 0%%{__isa_bits} == 64 as required for building the srpm which is noarch +- Resolves: Bug 1289884 * Wed Oct 21 2015 Kai Engert - 3.19.1-18 - Rebuild against updated NSPR @@ -1531,7 +1557,7 @@ fi - Move triggerpostun -n nss-sysinit script ahead of the other ones (#639248) * Tue Oct 05 2010 Elio Maldonado - 3.12.8-4 -- Fix invalid %postun scriptlet (#639248) +- Fix invalid %%postun scriptlet (#639248) * Wed Sep 29 2010 Elio Maldonado - 3.12.8-3 - Replace posttrans sysinit scriptlet with a triggerpostun one (#636787)