diff --git a/SOURCES/nss-transcript.patch b/SOURCES/nss-transcript.patch new file mode 100644 index 0000000..170b3bc --- /dev/null +++ b/SOURCES/nss-transcript.patch @@ -0,0 +1,63 @@ +# HG changeset patch +# User Martin Thomson +# Date 1501813647 -36000 +# Fri Aug 04 12:27:27 2017 +1000 +# Node ID 839200ce0943166a079284bdf45dcc37bb672925 +# Parent 6254e8431392863fd0aa7e70c311add48af05775 +Bug 1377618 - Simplify handling of CertificateVerify, r=kaie + +diff --git a/lib/ssl/ssl3con.c b/lib/ssl/ssl3con.c +--- a/lib/ssl/ssl3con.c ++++ b/lib/ssl/ssl3con.c +@@ -9758,13 +9758,12 @@ ssl3_HandleCertificateVerify(sslSocket * + + hashAlg = ssl_SignatureSchemeToHashType(sigScheme); + +- if (hashes->u.pointer_to_hash_input.data) { +- rv = ssl3_ComputeHandshakeHash(hashes->u.pointer_to_hash_input.data, +- hashes->u.pointer_to_hash_input.len, +- hashAlg, &localHashes); +- } else { +- rv = SECFailure; +- } ++ /* Read from the message buffer, but we need to use only up to the end ++ * of the previous handshake message. The length of the transcript up to ++ * that point is saved in |hashes->u.transcriptLen|. */ ++ rv = ssl3_ComputeHandshakeHash(ss->ssl3.hs.messages.buf, ++ hashes->u.transcriptLen, ++ hashAlg, &localHashes); + + if (rv == SECSuccess) { + hashesForVerify = &localHashes; +@@ -11664,15 +11663,15 @@ ssl3_HandleHandshakeMessage(sslSocket *s + * additional handshake messages will have been added to the + * buffer, e.g. the certificate_verify message itself.) + * +- * Therefore, we use SSL3Hashes.u.pointer_to_hash_input +- * to signal the current state of the buffer. ++ * Therefore, we use SSL3Hashes.u.transcriptLen to save how much ++ * data there is and read directly from ss->ssl3.hs.messages ++ * when calculating the hashes. + * + * ssl3_HandleCertificateVerify will detect + * hashType == handshake_hash_record + * and use that information to calculate the hash. + */ +- hashes.u.pointer_to_hash_input.data = ss->ssl3.hs.messages.buf; +- hashes.u.pointer_to_hash_input.len = ss->ssl3.hs.messages.len; ++ hashes.u.transcriptLen = ss->ssl3.hs.messages.len; + hashesPtr = &hashes; + } else { + computeHashes = PR_TRUE; +diff --git a/lib/ssl/ssl3prot.h b/lib/ssl/ssl3prot.h +--- a/lib/ssl/ssl3prot.h ++++ b/lib/ssl/ssl3prot.h +@@ -236,7 +236,7 @@ typedef struct { + union { + PRUint8 raw[64]; + SSL3HashesIndividually s; +- SECItem pointer_to_hash_input; ++ unsigned int transcriptLen; + } u; + } SSL3Hashes; + diff --git a/SPECS/nss.spec b/SPECS/nss.spec index bb0ec75..c372718 100644 --- a/SPECS/nss.spec +++ b/SPECS/nss.spec @@ -27,7 +27,7 @@ Summary: Network Security Services Name: nss Version: 3.28.4 -Release: 11%{?dist} +Release: 12%{?dist} License: MPLv2.0 URL: http://www.mozilla.org/projects/security/pki/nss/ Group: System Environment/Libraries @@ -153,6 +153,8 @@ Patch140: nss-ssl3gthr.patch # Work around for yum # https://bugzilla.redhat.com/show_bug.cgi?id=1469526 Patch141: nss-sysinit-getenv.patch +# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1377618 +Patch142: nss-transcript.patch %description Network Security Services (NSS) is a set of libraries designed to @@ -266,6 +268,7 @@ pushd nss %patch139 -p1 -b .disable-pss-gtests %patch140 -p1 -b .ssl3gthr %patch141 -p1 -b .sysinit-getenv +%patch142 -p1 -b .transcript popd ######################################################### @@ -856,6 +859,9 @@ fi %changelog +* Fri Aug 4 2017 Daiki Ueno - 3.28.4-12 +- Backport patch to simplify transcript calculation for CertificateVerify + * Fri Jul 14 2017 Daiki Ueno - 3.28.4-11 - Rebuild to get correct release suffix (.el7 -> .el7_4)