Update to NSS 3.28.3

2017-02-21 16:08:03 +01:00 · 2017-02-21 16:08:03 +01:00 · 1f164283dd
parent 0a864f5b54
commit 1f164283dd
4 changed files with 9 additions and 172 deletions
--- a/.gitignore
+++ b/.gitignore
@ -13,3 +13,4 @@ TestUser51.cert
 /nss-3.26.0.tar.gz
 /nss-3.27.0.tar.gz
 /nss-3.28.1.tar.gz
+/nss-3.28.3.tar.gz
--- a/nss-check-pss.patch
+++ b/nss-check-pss.patch
@ -1,167 +0,0 @@
-diff --git a/lib/ssl/ssl3con.c b/lib/ssl/ssl3con.c
--- a/lib/ssl/ssl3con.c
-+++ b/lib/ssl/ssl3con.c
-@@ -7061,49 +7061,68 @@ ssl3_SendClientKeyExchange(sslSocket *ss
- 
- loser:
-     if (serverKey)
-         SECKEY_DestroyPublicKey(serverKey);
-     return rv; /* err code already set. */
- }
- 
- static SECStatus
-ssl_PickSignatureScheme(sslSocket *ss, SECKEYPublicKey *key,
-+ssl_PickSignatureScheme(sslSocket *ss,
-+                        SECKEYPublicKey *pubKey,
-+                        SECKEYPrivateKey *privKey,
-                         const SignatureScheme *peerSchemes,
-                         unsigned int peerSchemeCount,
-                         PRBool requireSha1)
- {
-     unsigned int i, j;
-     const namedGroupDef *group = NULL;
-     KeyType keyType;
-+    PK11SlotInfo *slot;
-+    PRBool slotDoesPss;
-     PRBool isTLS13 = ss->version == SSL_LIBRARY_VERSION_TLS_1_3;
- 
-    if (!key) {
-+    if (!pubKey || !privKey) {
-         PORT_Assert(0);
-         PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
-         return SECFailure;
-     }
-    keyType = SECKEY_GetPublicKeyType(key);
-+    slot = PK11_GetSlotFromPrivateKey(privKey);
-+    if (!slot) {
-+        PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
-+        return SECFailure;
-+    }
-+    slotDoesPss = PK11_DoesMechanism(slot, auth_alg_defs[ssl_auth_rsa_pss]);
-+    PK11_FreeSlot(slot);
-+
-+    keyType = SECKEY_GetPublicKeyType(pubKey);
-+
-     if (keyType == ecKey) {
-        group = ssl_ECPubKey2NamedGroup(key);
-+        group = ssl_ECPubKey2NamedGroup(pubKey);
-     }
- 
-     /* Here we look for the first local preference that the client has
-      * indicated support for in their signature_algorithms extension. */
-     for (i = 0; i < ss->ssl3.signatureSchemeCount; ++i) {
-         SSLHashType hashType;
-         SECOidTag hashOID;
-         SignatureScheme preferred = ss->ssl3.signatureSchemes[i];
-         PRUint32 policy;
- 
-         if (!ssl_SignatureSchemeValidForKey(isTLS13, keyType, group,
-                                             preferred)) {
-             continue;
-         }
- 
-+        /* Skip RSA-PSS schemes when the certificate's private key slot does
-+         * not support this signature mechanism. */
-+        if (ssl_IsRsaPssSignatureScheme(preferred) && !slotDoesPss) {
-+            continue;
-+        }
-+
-         hashType = ssl_SignatureSchemeToHashType(preferred);
-         hashOID = ssl3_HashTypeToOID(hashType);
-         if (requireSha1 && hashOID != SEC_OID_SHA1) {
-             continue;
-         }
-         if ((NSS_GetAlgorithmPolicy(hashOID, &policy) == SECSuccess) &&
-             !(policy & NSS_USE_ALG_IN_SSL_KX)) {
-             /* we ignore hashes we don't support */
-@@ -7148,51 +7167,54 @@ ssl3_PickServerSignatureScheme(sslSocket
-                 PORT_Assert(0);
-                 PORT_SetError(SEC_ERROR_INVALID_KEY);
-                 return SECFailure;
-         }
-         return SECSuccess;
-     }
- 
-     /* Sets error code, if needed. */
-    return ssl_PickSignatureScheme(ss, keyPair->pubKey,
-+    return ssl_PickSignatureScheme(ss, keyPair->pubKey, keyPair->privKey,
-                                    ss->ssl3.hs.clientSigSchemes,
-                                    ss->ssl3.hs.numClientSigScheme,
-                                   PR_FALSE);
-+                                   PR_FALSE /* requireSha1 */);
- }
- 
- static SECStatus
- ssl_PickClientSignatureScheme(sslSocket *ss, const SignatureScheme *schemes,
-                               unsigned int numSchemes)
- {
-    SECKEYPublicKey *key;
-+    SECKEYPrivateKey *privKey = ss->ssl3.clientPrivateKey;
-+    SECKEYPublicKey *pubKey;
-     SECStatus rv;
- 
-    key = CERT_ExtractPublicKey(ss->ssl3.clientCertificate);
-    PORT_Assert(key);
-+    pubKey = CERT_ExtractPublicKey(ss->ssl3.clientCertificate);
-+    PORT_Assert(pubKey);
-     if (ss->version < SSL_LIBRARY_VERSION_TLS_1_3 &&
-        (SECKEY_GetPublicKeyType(key) == rsaKey ||
-         SECKEY_GetPublicKeyType(key) == dsaKey) &&
-        SECKEY_PublicKeyStrengthInBits(key) <= 1024) {
-+        (SECKEY_GetPublicKeyType(pubKey) == rsaKey ||
-+         SECKEY_GetPublicKeyType(pubKey) == dsaKey) &&
-+        SECKEY_PublicKeyStrengthInBits(pubKey) <= 1024) {
-         /* If the key is a 1024-bit RSA or DSA key, assume conservatively that
-          * it may be unable to sign SHA-256 hashes. This is the case for older
-          * Estonian ID cards that have 1024-bit RSA keys. In FIPS 186-2 and
-          * older, DSA key size is at most 1024 bits and the hash function must
-          * be SHA-1.
-          */
-        rv = ssl_PickSignatureScheme(ss, key, schemes, numSchemes, PR_TRUE);
-+        rv = ssl_PickSignatureScheme(ss, pubKey, privKey, schemes, numSchemes,
-+                                     PR_TRUE /* requireSha1 */);
-         if (rv == SECSuccess) {
-            SECKEY_DestroyPublicKey(key);
-+            SECKEY_DestroyPublicKey(pubKey);
-             return SECSuccess;
-         }
-         /* If this fails, that's because the peer doesn't advertise SHA-1,
-          * so fall back to the full negotiation. */
-     }
-    rv = ssl_PickSignatureScheme(ss, key, schemes, numSchemes, PR_FALSE);
-    SECKEY_DestroyPublicKey(key);
-+    rv = ssl_PickSignatureScheme(ss, pubKey, privKey, schemes, numSchemes,
-+                                 PR_FALSE /* requireSha1 */);
-+    SECKEY_DestroyPublicKey(pubKey);
-     return rv;
- }
- 
- /* Called from ssl3_HandleServerHelloDone(). */
- static SECStatus
- ssl3_SendCertificateVerify(sslSocket *ss, SECKEYPrivateKey *privKey)
- {
-     SECStatus rv = SECFailure;
-@@ -10593,16 +10615,23 @@ ssl3_EncodeSigAlgs(sslSocket *ss, PRUint
-         return SECFailure;
-     }
- 
-     for (i = 0; i < ss->ssl3.signatureSchemeCount; ++i) {
-         PRUint32 policy = 0;
-         SSLHashType hashType = ssl_SignatureSchemeToHashType(
-             ss->ssl3.signatureSchemes[i]);
-         SECOidTag hashOID = ssl3_HashTypeToOID(hashType);
-+
-+        /* Skip RSA-PSS schemes if there are no tokens to verify them. */
-+        if (ssl_IsRsaPssSignatureScheme(ss->ssl3.signatureSchemes[i]) &&
-+            !PK11_TokenExists(auth_alg_defs[ssl_auth_rsa_pss])) {
-+            continue;
-+        }
-+
-         if ((NSS_GetAlgorithmPolicy(hashOID, &policy) != SECSuccess) ||
-             (policy & NSS_USE_ALG_IN_SSL_KX)) {
-             p = ssl_EncodeUintX((PRUint32)ss->ssl3.signatureSchemes[i], 2, p);
-         }
-     }
- 
-     if (p == buf) {
-         PORT_SetError(SSL_ERROR_NO_SUPPORTED_SIGNATURE_ALGORITHM);
--- a/nss.spec
+++ b/nss.spec
@ -1,6 +1,6 @@
 %global nspr_version 4.13.0
-%global nss_util_version 3.28.1
-%global nss_softokn_version 3.28.1
+%global nss_util_version 3.28.3
+%global nss_softokn_version 3.28.3
 %global unsupported_tools_directory %{_libdir}/nss/unsupported-tools
 %global allTools "certutil cmsutil crlutil derdump modutil pk12util signtool signver ssltap vfychain vfyserv"

@ -18,10 +18,10 @@

 Summary:          Network Security Services
 Name:             nss
-Version:          3.28.1
+Version:          3.28.3
 # for Rawhide, please always use release >= 2
 # for Fedora release branches, please use release < 2 (1.0, 1.1, ...)
-Release:          1.3%{?dist}
+Release:          1.0%{?dist}
 License:          MPLv2.0
 URL:              http://www.mozilla.org/projects/security/pki/nss/
 Group:            System Environment/Libraries
@ -803,6 +803,9 @@ fi


 %changelog
+* Tue Feb 21 2017 Daiki Ueno <dueno@redhat.com> - 3.28.3-1.0
+- Rebase to NSS 3.28.3
+
 * Fri Jan 20 2017 Daiki Ueno <dueno@redhat.com> - 3.28.1-1.3
 - Disable TLS 1.3
 - Add "Conflicts" with packages using older Mozilla codebase, which is
--- a/2
+++ b/2
@ -3,4 +3,4 @@ SHA512 (blank-cert9.db) = 2f8eab4c0612210ee47db8a3a80c1b58a0b43849551af78c7da403
 SHA512 (blank-key3.db) = 01f7314e9fc8a7c9aa997652624cfcde213d18a6b3bb31840c1a60bbd662e56b5bc3221d13874abb42ce78163b225a6dfce2e1326cf6dd29366ad9c28ba5a71c
 SHA512 (blank-key4.db) = 8fedae93af7163da23fe9492ea8e785a44c291604fa98e58438448efb69c85d3253fc22b926d5c3209c62e58a86038fd4d78a1c4c068bc00600a7f3e5382ebe7
 SHA512 (blank-secmod.db) = 06a2dbd861839ef6315093459328b500d3832333a34b30e6fac4a2503af337f014a4d319f0f93322409e719142904ce8bc08252ae9a4f37f30d4c3312e900310
-SHA512 (nss-3.28.1.tar.gz) = f10c8e404741fafe5e5772dc754ff4503ec1826942db5fbc13b99155fcac50f29e1405dd249b69a27f27ebcfef73849b1f0f636a2076ab761384e8a0ed9a2b8b
+SHA512 (nss-3.28.3.tar.gz) = 77602600c8d1e1b432a3c6be804ad80b2f8c2d521baf8bbe123eee6ded24d2344b4941b883e42145cd1d4d9f93062a63c18747215fb7e226e2a2489a9edaa678