packages/nss
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

upgrade version to 3.72

Browse Source
This commit is contained in:
Anonymous_Z 2021-11-29 16:50:23 +08:00
parent eb6d2df911
commit d7cdc783f6
9 changed files with 6 additions and 32100 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

19783
0001-CVE-2020-6829-and-CVE-2020-12400.patch
View File

File diff suppressed because it is too large Load Diff

28
0001-work-around-btrfs-sqlite.patch
View File

@ -1,28 +0,0 @@
From 8c3347d43170dfddc88255e31e28c4d7e506d2fc Mon Sep 17 00:00:00 2001
From: baizg1107 <preloyalwhite@163.com>
Date: Tue, 9 Feb 2021 19:41:21 +0800
Subject: [PATCH] work around btrfs sqlite
---
nss/lib/softoken/sdb.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/nss/lib/softoken/sdb.c b/nss/lib/softoken/sdb.c
index de0fd1f..b2fc0d1 100644
--- a/nss/lib/softoken/sdb.c
+++ b/nss/lib/softoken/sdb.c
@@ -690,6 +690,11 @@ sdb_openDB(const char *name, sqlite3 **sqlDB, int flags)
openFlags = SQLITE_OPEN_READONLY;
} else {
openFlags = SQLITE_OPEN_READWRITE | SQLITE_OPEN_CREATE;
+ /* btrfs and sqlite seem to incorrectly open readwrite.
+ * when the file is readonly explicitly reject that issue here */
+ if ((_NSSUTIL_Access(name, PR_ACCESS_EXISTS) == PR_SUCCESS) && (_NSSUTIL_Access(name, PR_ACCESS_WRITE_OK) != PR_SUCCESS)) {
+ return SQLITE_READONLY;
+ }
}
/* Requires SQLite 3.5.0 or newer. */
--
2.23.0

11923
0002-CVE-2020-6829-and-CVE-2020-12400.patch
View File

File diff suppressed because it is too large Load Diff

57
CVE-2020-12401.patch
View File

@ -1,57 +0,0 @@
# HG changeset patch
# User Billy Brumley <bbrumley@gmail.com>
# Date 1595283525 0
# Node ID aeb2e583ee957a699d949009c7ba37af76515c20
# Parent ca207655b4b7cb1d3a5e438c1fb9b90d45596da6
Bug 1631573: Remove unnecessary scalar padding in ec.c r=kjacobs,bbeurdouche
Subsequent calls to ECPoints_mul and ECPoint_mul remove this padding.
Timing attack countermeasures are now applied more generally deeper in
the call stack.
Differential Revision: https://phabricator.services.mozilla.com/D82011
diff --git a/nss/lib/freebl/ec.c b/nss/lib/freebl/ec.c
--- a/nss/lib/freebl/ec.c
+++ b/nss/lib/freebl/ec.c
@@ -719,37 +719,16 @@ ECDSA_SignDigestWithSeed(ECPrivateKey *k
mp_tohex(&n, mpstr);
printf("n : %s \n", mpstr);
#endif
PORT_SetError(SEC_ERROR_NEED_RANDOM);
goto cleanup;
}
/*
- ** We do not want timing information to leak the length of k,
- ** so we compute k*G using an equivalent scalar of fixed
- ** bit-length.
- ** Fix based on patch for ECDSA timing attack in the paper
- ** by Billy Bob Brumley and Nicola Tuveri at
- ** http://eprint.iacr.org/2011/232
- **
- ** How do we convert k to a value of a fixed bit-length?
- ** k starts off as an integer satisfying 0 <= k < n. Hence,
- ** n <= k+n < 2n, which means k+n has either the same number
- ** of bits as n or one more bit than n. If k+n has the same
- ** number of bits as n, the second addition ensures that the
- ** final value has exactly one more bit than n. Thus, we
- ** always end up with a value that exactly one more bit than n.
- */
- CHECK_MPI_OK(mp_add(&k, &n, &k));
- if (mpl_significant_bits(&k) <= mpl_significant_bits(&n)) {
- CHECK_MPI_OK(mp_add(&k, &n, &k));
- }
-
- /*
** ANSI X9.62, Section 5.3.2, Step 2
**
** Compute kG
*/
kGpoint.len = EC_GetPointSize(ecParams);
kGpoint.data = PORT_Alloc(kGpoint.len);
if ((kGpoint.data == NULL) ||
(ec_points_mul(ecParams, &k, NULL, NULL, &kGpoint) != SECSuccess))

96
backport-0001-CVE-2020-12403.patch
View File

@ -1,96 +0,0 @@
# HG changeset patch
# User Benjamin Beurdouche <bbeurdouche@mozilla.com>
# Date 1595031194 0
# Node ID f282556e6cc7715f5754aeaadda6f902590e7e38
# Parent 89733253df83ef7fe8dd0d49f6370b857e93d325
Bug 1636771 - Disable PKCS11 incremental mode for ChaCha20. r=kjacobs,rrelyea
Depends on D74801
Differential Revision: https://phabricator.services.mozilla.com/D83994
diff --git a/nss/gtests/pk11_gtest/pk11_cipherop_unittest.cc b/nss/gtests/pk11_gtest/pk11_cipherop_unittest.cc
--- a/nss/gtests/pk11_gtest/pk11_cipherop_unittest.cc
+++ b/nss/gtests/pk11_gtest/pk11_cipherop_unittest.cc
@@ -72,9 +72,58 @@ TEST(Pkcs11CipherOp, SingleCtxMultipleUn
ASSERT_EQ(GetBytes(ctx, outbuf, 17), SECSuccess);
PK11_FreeSymKey(key);
PK11_FreeSlot(slot);
PK11_DestroyContext(ctx, PR_TRUE);
NSS_ShutdownContext(globalctx);
}
+TEST(Pkcs11CipherOp, SingleCtxMultipleUnalignedCipherOpsChaCha20) {
+ PK11SlotInfo* slot;
+ PK11SymKey* key;
+ PK11Context* ctx;
+
+ NSSInitContext* globalctx =
+ NSS_InitContext("", "", "", "", NULL,
+ NSS_INIT_READONLY | NSS_INIT_NOCERTDB | NSS_INIT_NOMODDB |
+ NSS_INIT_FORCEOPEN | NSS_INIT_NOROOTINIT);
+
+ const CK_MECHANISM_TYPE cipher = CKM_NSS_CHACHA20_CTR;
+
+ slot = PK11_GetInternalSlot();
+ ASSERT_TRUE(slot);
+
+ // Use arbitrary bytes for the ChaCha20 key and IV
+ uint8_t key_bytes[32];
+ for (size_t i = 0; i < 32; i++) {
+ key_bytes[i] = i;
+ }
+ SECItem keyItem = {siBuffer, key_bytes, 32};
+
+ uint8_t iv_bytes[16];
+ for (size_t i = 0; i < 16; i++) {
+ key_bytes[i] = i;
+ }
+ SECItem ivItem = {siBuffer, iv_bytes, 16};
+
+ SECItem* param = PK11_ParamFromIV(cipher, &ivItem);
+
+ key = PK11_ImportSymKey(slot, cipher, PK11_OriginUnwrap, CKA_ENCRYPT,
+ &keyItem, NULL);
+ ctx = PK11_CreateContextBySymKey(cipher, CKA_ENCRYPT, key, param);
+ ASSERT_TRUE(key);
+ ASSERT_TRUE(ctx);
+
+ uint8_t outbuf[128];
+ // This is supposed to fail for Chacha20. This is because the underlying
+ // PK11_CipherOp operation is calling the C_EncryptUpdate function for
+ // which multi-part is disabled for ChaCha20 in counter mode.
+ ASSERT_EQ(GetBytes(ctx, outbuf, 7), SECFailure);
+
+ PK11_FreeSymKey(key);
+ PK11_FreeSlot(slot);
+ SECITEM_FreeItem(param, PR_TRUE);
+ PK11_DestroyContext(ctx, PR_TRUE);
+ NSS_ShutdownContext(globalctx);
+}
+
} // namespace nss_test
diff --git a/nss/lib/softoken/pkcs11c.c b/nss/lib/softoken/pkcs11c.c
--- a/nss/lib/softoken/pkcs11c.c
+++ b/nss/lib/softoken/pkcs11c.c
@@ -1251,16 +1251,17 @@ sftk_CryptInit(CK_SESSION_HANDLE hSessio
case CKM_NSS_CHACHA20_CTR: /* old NSS private version */
case CKM_CHACHA20: /* PKCS #11 v3 version */
{
unsigned char *counter;
unsigned char *nonce;
unsigned long counter_len;
unsigned long nonce_len;
+ context->multi = PR_FALSE;
if (pMechanism->mechanism == CKM_NSS_CHACHA20_CTR) {
if (key_type != CKK_NSS_CHACHA20) {
crv = CKR_KEY_TYPE_INCONSISTENT;
break;
}
if (pMechanism->pParameter == NULL || pMechanism->ulParameterLen != 16) {
crv = CKR_MECHANISM_PARAM_INVALID;
break;

74
backport-0002-CVE-2020-12403.patch
View File

@ -1,74 +0,0 @@
# HG changeset patch
# User Benjamin Beurdouche <bbeurdouche@mozilla.com>
# Date 1595031218 0
# Node ID c25adfdfab34ddb08d3262aac3242e3399de1095
# Parent f282556e6cc7715f5754aeaadda6f902590e7e38
Bug 1636771 - Fix incorrect call to Chacha20Poly1305 by PKCS11. r=jcj,kjacobs,rrelyea
Differential Revision: https://phabricator.services.mozilla.com/D74801
diff --git a/nss/gtests/pk11_gtest/pk11_chacha20poly1305_unittest.cc b/nss/gtests/pk11_gtest/pk11_chacha20poly1305_unittest.cc
--- a/nss/gtests/pk11_gtest/pk11_chacha20poly1305_unittest.cc
+++ b/nss/gtests/pk11_gtest/pk11_chacha20poly1305_unittest.cc
@@ -40,28 +40,35 @@ class Pkcs11ChaCha20Poly1305Test
aead_params.ulNonceLen = iv_len;
aead_params.pAAD = toUcharPtr(aad);
aead_params.ulAADLen = aad_len;
aead_params.ulTagLen = 16;
SECItem params = {siBuffer, reinterpret_cast<unsigned char*>(&aead_params),
sizeof(aead_params)};
- // Encrypt with bad parameters.
+ // Encrypt with bad parameters (TagLen is too long).
unsigned int encrypted_len = 0;
std::vector<uint8_t> encrypted(data_len + aead_params.ulTagLen);
aead_params.ulTagLen = 158072;
SECStatus rv =
PK11_Encrypt(key.get(), kMech, &params, encrypted.data(),
&encrypted_len, encrypted.size(), data, data_len);
EXPECT_EQ(SECFailure, rv);
EXPECT_EQ(0U, encrypted_len);
- aead_params.ulTagLen = 16;
+
+ // Encrypt with bad parameters (TagLen is too short).
+ aead_params.ulTagLen = 2;
+ rv = PK11_Encrypt(key.get(), kMech, &params, encrypted.data(),
+ &encrypted_len, encrypted.size(), data, data_len);
+ EXPECT_EQ(SECFailure, rv);
+ EXPECT_EQ(0U, encrypted_len);
// Encrypt.
+ aead_params.ulTagLen = 16;
rv = PK11_Encrypt(key.get(), kMech, &params, encrypted.data(),
&encrypted_len, encrypted.size(), data, data_len);
// Return if encryption failure was expected due to invalid IV.
// Without valid ciphertext, all further tests can be skipped.
if (invalid_iv) {
EXPECT_EQ(rv, SECFailure);
EXPECT_EQ(0U, encrypted_len)
diff --git a/nss/lib/freebl/chacha20poly1305.c b/nss/lib/freebl/chacha20poly1305.c
--- a/nss/lib/freebl/chacha20poly1305.c
+++ b/nss/lib/freebl/chacha20poly1305.c
@@ -76,17 +76,17 @@ ChaCha20Poly1305_InitContext(ChaCha20Pol
{
#ifdef NSS_DISABLE_CHACHAPOLY
return SECFailure;
#else
if (keyLen != 32) {
PORT_SetError(SEC_ERROR_BAD_KEY);
return SECFailure;
}
- if (tagLen == 0 || tagLen > 16) {
+ if (tagLen != 16) {
PORT_SetError(SEC_ERROR_INPUT_LEN);
return SECFailure;
}
PORT_Memcpy(ctx->key, key, sizeof(ctx->key));
ctx->tagLen = tagLen;
return SECSuccess;

122
backport-CVE-2020-25648-tighten-CSS-handling-in-compatibility-mode.patch
View File

@ -1,122 +0,0 @@
From e10a362f69191506e73bfa31778da45f4c5df482 Mon Sep 17 00:00:00 2001
From: Daiki Ueno <dueno@redhat.com>
Date: Mon, 12 Oct 2020 17:42:01 +0000
Subject: [PATCH] Bug 1641480, TLS 1.3: tighten CCS handling in compatibility
mode, r=mt
This makes the server reject CCS when the client doesn't indicate the
use of the middlebox compatibility mode with a non-empty
ClientHello.legacy_session_id, or it sends multiple CCS in a row.
Differential Revision: https://phabricator.services.mozilla.com/D79994
--HG--
extra : moz-landing-system : lando
---
gtests/ssl_gtest/ssl_tls13compat_unittest.cc | 33 ++++++++++++++++++++
lib/ssl/ssl3con.c | 18 ++++-
lib/ssl/sslimpl.h | 4 +
3 files changed, 52 insertions(+), 3 deletions(-)
diff --git a/nss/gtests/ssl_gtest/ssl_tls13compat_unittest.cc b/nss/gtests/ssl_gtest/ssl_tls13compat_unittest.cc
index 6905ed0c0..dcede798c 100644
--- a/nss/gtests/ssl_gtest/ssl_tls13compat_unittest.cc
+++ b/nss/gtests/ssl_gtest/ssl_tls13compat_unittest.cc
@@ -348,6 +348,39 @@ TEST_F(TlsConnectStreamTls13, ChangeCipherSpecBeforeClientHelloTwice) {
client_->CheckErrorCode(SSL_ERROR_HANDSHAKE_UNEXPECTED_ALERT);
}
+// The server rejects a ChangeCipherSpec if the client advertises an
+// empty session ID.
+TEST_F(TlsConnectStreamTls13, ChangeCipherSpecAfterClientHelloEmptySid) {
+ EnsureTlsSetup();
+ ConfigureVersion(SSL_LIBRARY_VERSION_TLS_1_3);
+
+ StartConnect();
+ client_->Handshake(); // Send ClientHello
+ client_->SendDirect(DataBuffer(kCannedCcs, sizeof(kCannedCcs))); // Send CCS
+
+ server_->ExpectSendAlert(kTlsAlertUnexpectedMessage);
+ server_->Handshake(); // Consume ClientHello and CCS
+ server_->CheckErrorCode(SSL_ERROR_RX_MALFORMED_CHANGE_CIPHER);
+}
+
+// The server rejects multiple ChangeCipherSpec even if the client
+// indicates compatibility mode with non-empty session ID.
+TEST_F(Tls13CompatTest, ChangeCipherSpecAfterClientHelloTwice) {
+ EnsureTlsSetup();
+ ConfigureVersion(SSL_LIBRARY_VERSION_TLS_1_3);
+ EnableCompatMode();
+
+ StartConnect();
+ client_->Handshake(); // Send ClientHello
+ // Send CCS twice in a row
+ client_->SendDirect(DataBuffer(kCannedCcs, sizeof(kCannedCcs)));
+ client_->SendDirect(DataBuffer(kCannedCcs, sizeof(kCannedCcs)));
+
+ server_->ExpectSendAlert(kTlsAlertUnexpectedMessage);
+ server_->Handshake(); // Consume ClientHello and CCS.
+ server_->CheckErrorCode(SSL_ERROR_RX_MALFORMED_CHANGE_CIPHER);
+}
+
// If we negotiate 1.2, we abort.
TEST_F(TlsConnectStreamTls13, ChangeCipherSpecBeforeClientHello12) {
EnsureTlsSetup();
diff --git a/nss/lib/ssl/ssl3con.c b/nss/lib/ssl/ssl3con.c
index 8be53d357..5f22872f8 100644
--- a/nss/lib/ssl/ssl3con.c
+++ b/nss/lib/ssl/ssl3con.c
@@ -6645,7 +6645,11 @@ ssl_CheckServerSessionIdCorrectness(sslSocket *ss, SECItem *sidBytes)
/* TLS 1.3: We sent a session ID. The server's should match. */
if (!IS_DTLS(ss) && (sentRealSid || sentFakeSid)) {
- return sidMatch;
+ if (sidMatch) {
+ ss->ssl3.hs.allowCcs = PR_TRUE;
+ return PR_TRUE;
+ }
+ return PR_FALSE;
}
/* TLS 1.3 (no SID)/DTLS 1.3: The server shouldn't send a session ID. */
@@ -8692,6 +8696,7 @@ ssl3_HandleClientHello(sslSocket *ss, PRUint8 *b, PRUint32 length)
errCode = PORT_GetError();
goto alert_loser;
}
+ ss->ssl3.hs.allowCcs = PR_TRUE;
}
/* TLS 1.3 requires that compression include only null. */
@@ -13061,8 +13066,15 @@ ssl3_HandleRecord(sslSocket *ss, SSL3Ciphertext *cText)
ss->ssl3.hs.ws != idle_handshake &&
cText->buf->len == 1 &&
cText->buf->buf[0] == change_cipher_spec_choice) {
- /* Ignore the CCS. */
- return SECSuccess;
+ if (ss->ssl3.hs.allowCcs) {
+ /* Ignore the first CCS. */
+ ss->ssl3.hs.allowCcs = PR_FALSE;
+ return SECSuccess;
+ }
+
+ /* Compatibility mode is not negotiated. */
+ alert = unexpected_message;
+ PORT_SetError(SSL_ERROR_RX_MALFORMED_CHANGE_CIPHER);
}
if (IS_DTLS(ss) ||
diff --git a/nss/lib/ssl/sslimpl.h b/nss/lib/ssl/sslimpl.h
index b0e44a088..44c43a0e6 100644
--- a/nss/lib/ssl/sslimpl.h
+++ b/nss/lib/ssl/sslimpl.h
@@ -710,6 +710,10 @@ typedef struct SSL3HandshakeStateStr {
* or received. */
PRBool receivedCcs; /* A server received ChangeCipherSpec
* before the handshake started. */
+ PRBool allowCcs; /* A server allows ChangeCipherSpec
+ * as the middlebox compatibility mode
+ * is explicitly indicarted by
+ * legacy_session_id in TLS 1.3 ClientHello. */
PRBool clientCertRequested; /* True if CertificateRequest received. */
ssl3KEADef kea_def_mutable; /* Used to hold the writable kea_def
* we use for TLS 1.3 */

BIN
nss-3.54.tar.gz → nss-3.72.tar.gz
View File

Binary file not shown.

23
nss.spec
View File

@ -1,6 +1,6 @@
%global nspr_version 4.26.0
%global nss_version 3.54.0
%global nss_archive_version 3.54
%global nss_version 3.72.0
%global nss_archive_version 3.72
%global unsupported_tools_directory %{_libdir}/nss/unsupported-tools
%global allTools "certutil cmsutil crlutil derdump modutil pk12util signtool signver ssltap vfychain vfyserv"
@ -14,7 +14,7 @@
Summary: Network Security Services
Name: nss
Version: %{nss_version}
Release: 10
Release: 1
License: MPLv2.0
URL: http://www.mozilla.org/projects/security/pki/nss/
Provides: nss-system-init
@ -40,13 +40,6 @@ Source14: blank-key4.db
Source15: system-pkcs11.txt
Source16: setup-nsssysinit.sh
Patch0: nss-539183.patch
Patch1: 0001-CVE-2020-6829-and-CVE-2020-12400.patch
Patch2: 0002-CVE-2020-6829-and-CVE-2020-12400.patch
Patch3: CVE-2020-12401.patch
Patch4: backport-CVE-2020-25648-tighten-CSS-handling-in-compatibility-mode.patch
Patch5: 0001-work-around-btrfs-sqlite.patch
Patch6: backport-0001-CVE-2020-12403.patch
Patch7: backport-0002-CVE-2020-12403.patch
%description
Network Security Services (NSS) is a set of libraries designed to
@ -130,13 +123,6 @@ Help document for NSS
%setup -q -n %{name}-%{nss_archive_version}
%patch0 -p0 -b .539183
%patch1 -p1
%patch2 -p1
%patch3 -p1
%patch4 -p1
%patch5 -p1
%patch6 -p1
%patch7 -p1
%build
@ -558,6 +544,9 @@ update-crypto-policies &>/dev/null||:
%doc %{_mandir}/man*
%changelog
* Mon Nov 29 2021 liudabo <liudabo1@huawei.com> - 3.72-1
- upgrade version to 3.72
* Fri Jul 23 2021 yuanxin <yuanxin24@huawei.com> - 3.54-10
- remove BuildRequires gdb