packages/nss
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

update nss to 3.85

Browse Source
This commit is contained in:
zhouchenchen123 2022-12-27 13:36:55 +00:00
parent a75d3f4180
commit b4b1d6a877
6 changed files with 31 additions and 383 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
Feature-nss-support-SM2-signature-algorithm.patch
View File

@ -250,7 +250,7 @@ index 85a569f..253ce8d 100644
+ 'sm2.c', + 'sm2.c',
'sysrand.c', 'sysrand.c',
'tlsprfalg.c', 'tlsprfalg.c',
], 'secmpi.c',
diff --git a/lib/freebl/manifest.mn b/lib/freebl/manifest.mn diff --git a/lib/freebl/manifest.mn b/lib/freebl/manifest.mn
index fd3218d..2dbf7c9 100644 index fd3218d..2dbf7c9 100644
--- a/lib/freebl/manifest.mn --- a/lib/freebl/manifest.mn

44
Feature-nss-support-SM3-digest-algorithm.patch
View File

@ -139,7 +139,7 @@ index 0054e17..2d400ec 100644
typedef struct SEEDContextStr SEEDContext; typedef struct SEEDContextStr SEEDContext;
typedef struct ChaCha20ContextStr ChaCha20Context; typedef struct ChaCha20ContextStr ChaCha20Context;
diff --git a/lib/freebl/freebl_base.gypi b/lib/freebl/freebl_base.gypi diff --git a/lib/freebl/freebl_base.gypi b/lib/freebl/freebl_base.gypi
index afbffac..85a569f 100644 index 34b6b3c..8f64046 100644
--- a/lib/freebl/freebl_base.gypi --- a/lib/freebl/freebl_base.gypi
+++ b/lib/freebl/freebl_base.gypi +++ b/lib/freebl/freebl_base.gypi
@@ -58,6 +58,7 @@ @@ -58,6 +58,7 @@
@ -149,31 +149,31 @@ index afbffac..85a569f 100644
+ 'sm3.c', + 'sm3.c',
'sysrand.c', 'sysrand.c',
'tlsprfalg.c', 'tlsprfalg.c',
], 'secmpi.c',
diff --git a/lib/freebl/ldvector.c b/lib/freebl/ldvector.c diff --git a/lib/freebl/ldvector.c b/lib/freebl/ldvector.c
index ac3b862..67bb001 100644 index 6f4bd6a..143584b 100644
--- a/lib/freebl/ldvector.c --- a/lib/freebl/ldvector.c
+++ b/lib/freebl/ldvector.c +++ b/lib/freebl/ldvector.c
@@ -376,9 +376,20 @@ static const struct FREEBLVectorStr vector = @@ -375,9 +375,20 @@ static const struct FREEBLVectorStr vector = {
/* End of version 3.024 */ /* End of version 3.024 */
ChaCha20_InitContext, ChaCha20_InitContext,
ChaCha20_CreateContext, ChaCha20_CreateContext,
- ChaCha20_DestroyContext - ChaCha20_DestroyContext
+ ChaCha20_DestroyContext, + ChaCha20_DestroyContext,
/* End of version 3.025 */ /* End of version 3.025 */
+ SM3_NewContext, + SM3_NewContext,
+ SM3_DestroyContext, + SM3_DestroyContext,
+ SM3_Begin, + SM3_Begin,
+ SM3_Update, + SM3_Update,
+ SM3_End, + SM3_End,
+ SM3_HashBuf, + SM3_HashBuf,
+ SM3_Hash, + SM3_Hash,
+ SM3_TraceState, + SM3_TraceState,
+ SM3_FlattenSize, + SM3_FlattenSize,
+ SM3_Flatten, + SM3_Flatten,
+ SM3_Resurrect + SM3_Resurrect
}; };
const FREEBLVector* const FREEBLVector*
diff --git a/lib/freebl/loader.c b/lib/freebl/loader.c diff --git a/lib/freebl/loader.c b/lib/freebl/loader.c

288
backport-CVE-2021-43527.patch
View File

@ -1,288 +0,0 @@
From 73a449016a1ff68539031ad600d88eab4399911f Mon Sep 17 00:00:00 2001
From: Dennis Jackson <djackson@mozilla.com>
Date: Mon, 22 Nov 2021 10:40:42 +0000
Subject: [PATCH] Bug 1737470 - Ensure DER encoded signatures are within size
limits. r=jschanck,mt,bbeurdouche,rrelyea
Differential Revision: https://phabricator.services.mozilla.com/D129514
---
lib/cryptohi/secvfy.c | 192 ++++++++++++++++++++++++++----------------
1 file changed, 121 insertions(+), 71 deletions(-)
diff --git a/lib/cryptohi/secvfy.c b/lib/cryptohi/secvfy.c
index 2540a544c5..17545848cf 100644
--- a/lib/cryptohi/secvfy.c
+++ b/lib/cryptohi/secvfy.c
@@ -164,6 +164,37 @@ verifyPKCS1DigestInfo(const VFYContext *cx, const SECItem *digest)
PR_FALSE /*XXX: unsafeAllowMissingParameters*/);
}
+static unsigned int
+checkedSignatureLen(const SECKEYPublicKey *pubk)
+{
+ unsigned int sigLen = SECKEY_SignatureLen(pubk);
+ if (sigLen == 0) {
+ /* Error set by SECKEY_SignatureLen */
+ return sigLen;
+ }
+ unsigned int maxSigLen;
+ switch (pubk->keyType) {
+ case rsaKey:
+ case rsaPssKey:
+ maxSigLen = (RSA_MAX_MODULUS_BITS + 7) / 8;
+ break;
+ case dsaKey:
+ maxSigLen = DSA_MAX_SIGNATURE_LEN;
+ break;
+ case ecKey:
+ maxSigLen = 2 * MAX_ECKEY_LEN;
+ break;
+ default:
+ PORT_SetError(SEC_ERROR_UNSUPPORTED_KEYALG);
+ return 0;
+ }
+ if (sigLen > maxSigLen) {
+ PORT_SetError(SEC_ERROR_INVALID_KEY);
+ return 0;
+ }
+ return sigLen;
+}
+
/*
* decode the ECDSA or DSA signature from it's DER wrapping.
* The unwrapped/raw signature is placed in the buffer pointed
@@ -174,38 +205,38 @@ decodeECorDSASignature(SECOidTag algid, const SECItem *sig, unsigned char *dsig,
unsigned int len)
{
SECItem *dsasig = NULL; /* also used for ECDSA */
- SECStatus rv = SECSuccess;
- if ((algid != SEC_OID_ANSIX9_DSA_SIGNATURE) &&
- (algid != SEC_OID_ANSIX962_EC_PUBLIC_KEY)) {
- if (sig->len != len) {
- PORT_SetError(SEC_ERROR_BAD_DER);
- return SECFailure;
+ /* Safety: Ensure algId is as expected and that signature size is within maxmimums */
+ if (algid == SEC_OID_ANSIX9_DSA_SIGNATURE) {
+ if (len > DSA_MAX_SIGNATURE_LEN) {
+ goto loser;
}
-
- PORT_Memcpy(dsig, sig->data, sig->len);
- return SECSuccess;
- }
-
- if (algid == SEC_OID_ANSIX962_EC_PUBLIC_KEY) {
+ } else if (algid == SEC_OID_ANSIX962_EC_PUBLIC_KEY) {
if (len > MAX_ECKEY_LEN * 2) {
- PORT_SetError(SEC_ERROR_BAD_DER);
- return SECFailure;
+ goto loser;
}
- }
- dsasig = DSAU_DecodeDerSigToLen((SECItem *)sig, len);
-
- if ((dsasig == NULL) || (dsasig->len != len)) {
- rv = SECFailure;
} else {
- PORT_Memcpy(dsig, dsasig->data, dsasig->len);
+ goto loser;
}
- if (dsasig != NULL)
+ /* Decode and pad to length */
+ dsasig = DSAU_DecodeDerSigToLen((SECItem *)sig, len);
+ if (dsasig == NULL) {
+ goto loser;
+ }
+ if (dsasig->len != len) {
SECITEM_FreeItem(dsasig, PR_TRUE);
- if (rv == SECFailure)
- PORT_SetError(SEC_ERROR_BAD_DER);
- return rv;
+ goto loser;
+ }
+
+ PORT_Memcpy(dsig, dsasig->data, len);
+ SECITEM_FreeItem(dsasig, PR_TRUE);
+
+ return SECSuccess;
+
+loser:
+ PORT_SetError(SEC_ERROR_BAD_DER);
+ return SECFailure;
}
const SEC_ASN1Template hashParameterTemplate[] =
@@ -281,7 +312,7 @@ SECStatus
sec_DecodeSigAlg(const SECKEYPublicKey *key, SECOidTag sigAlg,
const SECItem *param, SECOidTag *encalgp, SECOidTag *hashalg)
{
- int len;
+ unsigned int len;
PLArenaPool *arena;
SECStatus rv;
SECItem oid;
@@ -466,48 +497,52 @@ vfy_CreateContext(const SECKEYPublicKey *key, const SECItem *sig,
cx->pkcs1RSADigestInfo = NULL;
rv = SECSuccess;
if (sig) {
- switch (type) {
- case rsaKey:
- rv = recoverPKCS1DigestInfo(hashAlg, &cx->hashAlg,
- &cx->pkcs1RSADigestInfo,
- &cx->pkcs1RSADigestInfoLen,
- cx->key,
- sig, wincx);
- break;
- case rsaPssKey:
- sigLen = SECKEY_SignatureLen(key);
- if (sigLen == 0) {
- /* error set by SECKEY_SignatureLen */
- rv = SECFailure;
+ rv = SECFailure;
+ if (type == rsaKey) {
+ rv = recoverPKCS1DigestInfo(hashAlg, &cx->hashAlg,
+ &cx->pkcs1RSADigestInfo,
+ &cx->pkcs1RSADigestInfoLen,
+ cx->key,
+ sig, wincx);
+ } else {
+ sigLen = checkedSignatureLen(key);
+ /* Check signature length is within limits */
+ if (sigLen == 0) {
+ /* error set by checkedSignatureLen */
+ rv = SECFailure;
+ goto loser;
+ }
+ if (sigLen > sizeof(cx->u)) {
+ PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
+ rv = SECFailure;
+ goto loser;
+ }
+ switch (type) {
+ case rsaPssKey:
+ if (sig->len != sigLen) {
+ PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
+ rv = SECFailure;
+ goto loser;
+ }
+ PORT_Memcpy(cx->u.buffer, sig->data, sigLen);
+ rv = SECSuccess;
break;
- }
- if (sig->len != sigLen) {
- PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
- rv = SECFailure;
+ case ecKey:
+ case dsaKey:
+ /* decodeECorDSASignature will check sigLen == sig->len after padding */
+ rv = decodeECorDSASignature(encAlg, sig, cx->u.buffer, sigLen);
break;
- }
- PORT_Memcpy(cx->u.buffer, sig->data, sigLen);
- break;
- case dsaKey:
- case ecKey:
- sigLen = SECKEY_SignatureLen(key);
- if (sigLen == 0) {
- /* error set by SECKEY_SignatureLen */
+ default:
+ /* Unreachable */
rv = SECFailure;
- break;
- }
- rv = decodeECorDSASignature(encAlg, sig, cx->u.buffer, sigLen);
- break;
- default:
- rv = SECFailure;
- PORT_SetError(SEC_ERROR_UNSUPPORTED_KEYALG);
- break;
+ goto loser;
+ }
+ }
+ if (rv != SECSuccess) {
+ goto loser;
}
}
- if (rv)
- goto loser;
-
/* check hash alg again, RSA may have changed it.*/
if (HASH_GetHashTypeByOidTag(cx->hashAlg) == HASH_AlgNULL) {
/* error set by HASH_GetHashTypeByOidTag */
@@ -650,11 +685,16 @@ VFY_EndWithSignature(VFYContext *cx, SECItem *sig)
switch (cx->key->keyType) {
case ecKey:
case dsaKey:
- dsasig.data = cx->u.buffer;
- dsasig.len = SECKEY_SignatureLen(cx->key);
+ dsasig.len = checkedSignatureLen(cx->key);
if (dsasig.len == 0) {
return SECFailure;
}
+ if (dsasig.len > sizeof(cx->u)) {
+ PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
+ return SECFailure;
+ }
+ dsasig.data = cx->u.buffer;
+
if (sig) {
rv = decodeECorDSASignature(cx->encAlg, sig, dsasig.data,
dsasig.len);
@@ -686,8 +726,13 @@ VFY_EndWithSignature(VFYContext *cx, SECItem *sig)
}
rsasig.data = cx->u.buffer;
- rsasig.len = SECKEY_SignatureLen(cx->key);
+ rsasig.len = checkedSignatureLen(cx->key);
if (rsasig.len == 0) {
+ /* Error set by checkedSignatureLen */
+ return SECFailure;
+ }
+ if (rsasig.len > sizeof(cx->u)) {
+ PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
return SECFailure;
}
if (sig) {
@@ -749,7 +794,6 @@ vfy_VerifyDigest(const SECItem *digest, const SECKEYPublicKey *key,
SECStatus rv;
VFYContext *cx;
SECItem dsasig; /* also used for ECDSA */
-
rv = SECFailure;
cx = vfy_CreateContext(key, sig, encAlg, hashAlg, NULL, wincx);
@@ -757,19 +801,25 @@ vfy_VerifyDigest(const SECItem *digest, const SECKEYPublicKey *key,
switch (key->keyType) {
case rsaKey:
rv = verifyPKCS1DigestInfo(cx, digest);
+ /* Error (if any) set by verifyPKCS1DigestInfo */
break;
- case dsaKey:
case ecKey:
+ case dsaKey:
dsasig.data = cx->u.buffer;
- dsasig.len = SECKEY_SignatureLen(cx->key);
+ dsasig.len = checkedSignatureLen(cx->key);
if (dsasig.len == 0) {
+ /* Error set by checkedSignatureLen */
+ rv = SECFailure;
break;
}
- if (PK11_Verify(cx->key, &dsasig, (SECItem *)digest, cx->wincx) !=
- SECSuccess) {
+ if (dsasig.len > sizeof(cx->u)) {
+ PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
+ rv = SECFailure;
+ break;
+ }
+ rv = PK11_Verify(cx->key, &dsasig, (SECItem *)digest, cx->wincx);
+ if (rv != SECSuccess) {
PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
- } else {
- rv = SECSuccess;
}
break;
default:

BIN
nss-3.72.tar.gz → nss-3.85.tar.gz
View File

Binary file not shown.

62
nss-539183.patch
View File

@ -1,62 +0,0 @@
--- ./nss/cmd/httpserv/httpserv.c.539183 2016-05-21 18:31:39.879585420 -0700
+++ ./nss/cmd/httpserv/httpserv.c 2016-05-21 18:37:22.374464057 -0700
@@ -953,23 +953,23 @@
getBoundListenSocket(unsigned short port)
{
PRFileDesc *listen_sock;
int listenQueueDepth = 5 + (2 * maxThreads);
PRStatus prStatus;
PRNetAddr addr;
PRSocketOptionData opt;
- addr.inet.family = PR_AF_INET;
- addr.inet.ip = PR_INADDR_ANY;
- addr.inet.port = PR_htons(port);
+ if (PR_SetNetAddr(PR_IpAddrAny, PR_AF_INET6, port, &addr) != PR_SUCCESS) {
+ errExit("PR_SetNetAddr");
+ }
- listen_sock = PR_NewTCPSocket();
+ listen_sock = PR_OpenTCPSocket(PR_AF_INET6);
if (listen_sock == NULL) {
- errExit("PR_NewTCPSocket");
+ errExit("PR_OpenTCPSockett");
}
opt.option = PR_SockOpt_Nonblocking;
opt.value.non_blocking = PR_FALSE;
prStatus = PR_SetSocketOption(listen_sock, &opt);
if (prStatus < 0) {
PR_Close(listen_sock);
errExit("PR_SetSocketOption(PR_SockOpt_Nonblocking)");
--- ./nss/cmd/selfserv/selfserv.c.539183 2016-05-21 18:31:39.882585367 -0700
+++ ./nss/cmd/selfserv/selfserv.c 2016-05-21 18:41:43.092801174 -0700
@@ -1711,23 +1711,23 @@
getBoundListenSocket(unsigned short port)
{
PRFileDesc *listen_sock;
int listenQueueDepth = 5 + (2 * maxThreads);
PRStatus prStatus;
PRNetAddr addr;
PRSocketOptionData opt;
- addr.inet.family = PR_AF_INET;
- addr.inet.ip = PR_INADDR_ANY;
- addr.inet.port = PR_htons(port);
+ if (PR_SetNetAddr(PR_IpAddrAny, PR_AF_INET6, port, &addr) != PR_SUCCESS) {
+ errExit("PR_SetNetAddr");
+ }
- listen_sock = PR_NewTCPSocket();
+ listen_sock = PR_OpenTCPSocket(PR_AF_INET6);
if (listen_sock == NULL) {
- errExit("PR_NewTCPSocket");
+ errExit("PR_OpenTCPSocket error");
}
opt.option = PR_SockOpt_Nonblocking;
opt.value.non_blocking = PR_FALSE;
prStatus = PR_SetSocketOption(listen_sock, &opt);
if (prStatus < 0) {
PR_Close(listen_sock);
errExit("PR_SetSocketOption(PR_SockOpt_Nonblocking)");

18
nss.spec
View File

@ -1,6 +1,6 @@
%global nspr_version 4.26.0 %global nspr_version 4.35.0
%global nss_version 3.72.0 %global nss_version 3.85.0
%global nss_archive_version 3.72 %global nss_archive_version 3.85
%global unsupported_tools_directory %{_libdir}/nss/unsupported-tools %global unsupported_tools_directory %{_libdir}/nss/unsupported-tools
%global allTools "certutil cmsutil crlutil derdump modutil pk12util signtool signver ssltap vfychain vfyserv" %global allTools "certutil cmsutil crlutil derdump modutil pk12util signtool signver ssltap vfychain vfyserv"
@ -14,7 +14,7 @@
Summary: Network Security Services Summary: Network Security Services
Name: nss Name: nss
Version: %{nss_version} Version: %{nss_version}
Release: 6 Release: 1
License: MPLv2.0 License: MPLv2.0
URL: http://www.mozilla.org/projects/security/pki/nss/ URL: http://www.mozilla.org/projects/security/pki/nss/
Provides: nss-system-init Provides: nss-system-init
@ -25,7 +25,7 @@ BuildRequires: nspr-devel >= %{nspr_version} nss-softokn sqlite-devel zlib-de
BuildRequires: pkgconf gawk psmisc perl-interpreter gcc-c++ BuildRequires: pkgconf gawk psmisc perl-interpreter gcc-c++
obsoletes: nss-sysinit < %{version}-%{release} obsoletes: nss-sysinit < %{version}-%{release}
Source0: https://ftp.mozilla.org/pub/security/nss/releases/NSS_3_72_RTM/src/%{name}-%{nss_archive_version}.tar.gz Source0: https://ftp.mozilla.org/pub/security/nss/releases/NSS_3_85_RTM/src/%{name}-%{nss_archive_version}.tar.gz
Source1: nss-util.pc Source1: nss-util.pc
Source2: nss-util-config Source2: nss-util-config
Source3: nss-softokn.pc Source3: nss-softokn.pc
@ -39,9 +39,6 @@ Source13: blank-cert9.db
Source14: blank-key4.db Source14: blank-key4.db
Source15: system-pkcs11.txt Source15: system-pkcs11.txt
Source16: setup-nsssysinit.sh Source16: setup-nsssysinit.sh
Patch0: nss-539183.patch
Patch6000: backport-CVE-2021-43527.patch
# Feature: support sm2 and sm3 # Feature: support sm2 and sm3
Patch9000: Feature-nss-add-implement-of-SM3-digest-algorithm.patch Patch9000: Feature-nss-add-implement-of-SM3-digest-algorithm.patch
@ -130,9 +127,7 @@ Help document for NSS
%prep %prep
%setup -q -n %{name}-%{nss_archive_version} %setup -q -n %{name}-%{nss_archive_version}
%patch0 -p0 -b .539183
pushd nss pushd nss
%patch6000 -p1
%patch9000 -p1 %patch9000 -p1
%patch9001 -p1 %patch9001 -p1
%patch9002 -p1 %patch9002 -p1
@ -559,6 +554,9 @@ update-crypto-policies &>/dev/null||:
%doc %{_mandir}/man* %doc %{_mandir}/man*
%changelog %changelog
* Tue Dec 27 2022 zhouchenchen <zhouchenchen@huawei.com> - 3.85.0-1
- update source0 url
* Wed Nov 23 2022 zhouchenchen <zhouchenchen@huawei.com> - 3.72.0-6 * Wed Nov 23 2022 zhouchenchen <zhouchenchen@huawei.com> - 3.72.0-6
- update source0 url - update source0 url