
Bug#795794: jessie-pu: package nss/3.17.2-1.1+deb8u1



Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian.org@packages.debian.org
Usertags: pu

Hi!

This is a small patch from mozilla hg. It fixes #774195 and is
confirmed to work. Would be cool if it can be included in the next
stable release.

Thanks!

  Christoph

-- System Information:
Debian Release: 8.0
  APT prefers stable-kfreebsd
  APT policy: (990, 'stable-kfreebsd'), (500, 'buildd-unstable'), (500, 'unstable'), (500, 'oldstable'), (1, 'experimental')
Architecture: kfreebsd-amd64 (x86_64)

Kernel: kFreeBSD 10.1-0-amd64
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)
diff -Nru nss-3.17.2/debian/changelog nss-3.17.2/debian/changelog
--- nss-3.17.2/debian/changelog	2014-12-22 04:46:52.000000000 +0100
+++ nss-3.17.2/debian/changelog	2015-08-15 12:40:34.000000000 +0200
@@ -1,3 +1,12 @@
+nss (2:3.17.2-1.1+deb8u1) jessie; urgency=medium
+
+  [ Andrew Ayer ]
+  * Apply upstream patch (99_prefer_stronger_cert_chains.patch) to fix
+    certificate chain generation to prefer stronger/newer certificates
+    over weaker/older certs. Closes: #774195.
+
+ -- Christoph Egger <christoph@debian.org>  Sat, 15 Aug 2015 12:40:31 +0200
+
 nss (2:3.17.2-1.1) unstable; urgency=medium
 
   * Non-maintainer upload.
diff -Nru nss-3.17.2/debian/patches/99_prefer_stronger_cert_chains.patch nss-3.17.2/debian/patches/99_prefer_stronger_cert_chains.patch
--- nss-3.17.2/debian/patches/99_prefer_stronger_cert_chains.patch	1970-01-01 01:00:00.000000000 +0100
+++ nss-3.17.2/debian/patches/99_prefer_stronger_cert_chains.patch	2015-05-25 18:34:09.000000000 +0200
@@ -0,0 +1,135 @@
+Description: Prefer stronger, newer certs when building chain.
+Origin: https://hg.mozilla.org/projects/nss/rev/34e1379ff6c7
+Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1112461
+
+# HG changeset patch
+# User Ryan Sleevi <ryan.sleevi@gmail.com>
+# Date 1420768742 28800
+# Node ID 34e1379ff6c77f6c2dc52b542eafbe9c18034828
+# Parent  6978c29bd763e8e20c4e837ef4cdc7f7d6e802bc
+Bug 1112461 - Have libpkix match classic & mozilla::pkix in preferring newer certs to older certs. r=wtc
+
+diff --git a/lib/libpkix/pkix/checker/pkix_revocationchecker.c b/lib/libpkix/pkix/checker/pkix_revocationchecker.c
+--- a/nss/lib/libpkix/pkix/checker/pkix_revocationchecker.c
++++ b/nss/lib/libpkix/pkix/checker/pkix_revocationchecker.c
+@@ -132,32 +132,38 @@ pkix_RevocationChecker_RegisterSelf(void
+         entry.comparator = NULL;
+         entry.duplicateFunction = pkix_RevocationChecker_Duplicate;
+ 
+         systemClasses[PKIX_REVOCATIONCHECKER_TYPE] = entry;
+ 
+         PKIX_RETURN(REVOCATIONCHECKER);
+ }
+ 
+-/* Sort methods by theirs priorities */
++/* Sort methods by their priorities (lower priority = higher preference) */
+ static PKIX_Error *
+ pkix_RevocationChecker_SortComparator(
+         PKIX_PL_Object *obj1,
+         PKIX_PL_Object *obj2,
+         PKIX_Int32 *pResult,
+         void *plContext)
+ {
+     pkix_RevocationMethod *method1 = NULL, *method2 = NULL;
+     
+     PKIX_ENTER(BUILD, "pkix_RevocationChecker_SortComparator");
+     
+     method1 = (pkix_RevocationMethod *)obj1;
+     method2 = (pkix_RevocationMethod *)obj2;
+     
+-    *pResult = (method1->priority > method2->priority);
++    if (method1->priority < method2->priority) {
++      *pResult = -1;
++    } else if (method1->priority > method2->priority) {
++      *pResult = 1;
++    } else {
++      *pResult = 0;
++    }
+     
+     PKIX_RETURN(BUILD);
+ }
+ 
+ 
+ /* --Public-Functions--------------------------------------------- */
+ 
+ 
+diff --git a/lib/libpkix/pkix/top/pkix_build.c b/lib/libpkix/pkix/top/pkix_build.c
+--- a/nss/lib/libpkix/pkix/top/pkix_build.c
++++ b/nss/lib/libpkix/pkix/top/pkix_build.c
+@@ -655,19 +655,21 @@ pkix_ForwardBuilderState_IsIOPending(
+ 
+ /* --Private-BuildChain-Functions------------------------------------------- */
+ 
+ /*
+  * FUNCTION: pkix_Build_SortCertComparator
+  * DESCRIPTION:
+  *
+  *  This Function takes two Certificates cast in "obj1" and "obj2",
+- *  compares their validity NotAfter dates and returns the result at
+- *  "pResult". The comparison key(s) can be expanded by using other
+- *  data in the Certificate in the future.
++ *  compares them to determine which is a more preferable certificate
++ *  for chain building. This Function is suitable for use as a
++ *  comparator callback for pkix_List_BubbleSort, setting "*pResult" to
++ *  > 0 if "obj1" is less desirable than "obj2" and < 0 if "obj1"
++ *  is more desirable than "obj2".
+  *
+  * PARAMETERS:
+  *  "obj1"
+  *      Address of the PKIX_PL_Object that is a cast of PKIX_PL_Cert.
+  *      Must be non-NULL.
+  *  "obj2"
+  *      Address of the PKIX_PL_Object that is a cast of PKIX_PL_Cert.
+  *      Must be non-NULL.
+@@ -686,24 +688,24 @@ static PKIX_Error *
+ pkix_Build_SortCertComparator(
+         PKIX_PL_Object *obj1,
+         PKIX_PL_Object *obj2,
+         PKIX_Int32 *pResult,
+         void *plContext)
+ {
+         PKIX_PL_Date *date1 = NULL;
+         PKIX_PL_Date *date2 = NULL;
+-        PKIX_Boolean result = PKIX_FALSE;
++        PKIX_Int32 result = 0;
+ 
+         PKIX_ENTER(BUILD, "pkix_Build_SortCertComparator");
+         PKIX_NULLCHECK_THREE(obj1, obj2, pResult);
+ 
+         /*
+          * For sorting candidate certificates, we use NotAfter date as the
+-         * sorted key for now (can be expanded if desired in the future).
++         * comparison key for now (can be expanded if desired in the future).
+          *
+          * In PKIX_BuildChain, the List of CertStores was reordered so that
+          * trusted CertStores are ahead of untrusted CertStores. That sort, or
+          * this one, could be taken out if it is determined that it doesn't help
+          * performance, or in some way hinders the solution of choosing desired
+          * candidates.
+          */
+ 
+@@ -722,17 +724,22 @@ pkix_Build_SortCertComparator(
+         
+         PKIX_CHECK(PKIX_PL_Object_Compare
+                 ((PKIX_PL_Object *)date1,
+                 (PKIX_PL_Object *)date2,
+                 &result,
+                 plContext),
+                 PKIX_OBJECTCOMPARATORFAILED);
+ 
+-        *pResult = !result;
++        /*
++         * Invert the result, so that if date1 is greater than date2,
++         * obj1 is sorted before obj2. This is because pkix_List_BubbleSort
++         * sorts in ascending order.
++         */
++        *pResult = -result;
+ 
+ cleanup:
+ 
+         PKIX_DECREF(date1);
+         PKIX_DECREF(date2);
+ 
+         PKIX_RETURN(BUILD);
+ }
+
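Review bot: The header `Description: Prefer stronger, newer certs when building chain.` overstates what the code in this patch does: pkix_Build_SortCertComparator still keys only on the NotAfter date (its own comment in the second nested hunk says "we use NotAfter date as the comparison key for now"), so nothing here inspects key size or signature algorithm, and a "stronger" certificate is preferred only insofar as it also carries a later NotAfter. I would reword it to `Description: Prefer newer (later NotAfter) certs when building a chain, matching classic NSS and mozilla::pkix.` so that anyone auditing the jessie update does not read a key-strength check into it, and add `Bug-Debian: https://bugs.debian.org/774195` alongside the existing Bug: line per DEP-3. In the third nested hunk, `*pResult = -result;` assumes PKIX_PL_Object_Compare yields a small signed value; if the date comparator could ever return INT32_MIN the negation would overflow, which is worth confirming against that comparator (not visible here). That hunk begins mid-body of pkix_Build_SortCertComparator, so the extraction of date1/date2 that precedes the compare is outside the patch.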
diff -Nru nss-3.17.2/debian/patches/series nss-3.17.2/debian/patches/series
--- nss-3.17.2/debian/patches/series	2014-12-22 04:23:24.000000000 +0100
+++ nss-3.17.2/debian/patches/series	2015-05-25 18:34:09.000000000 +0200
@@ -5,3 +5,4 @@
 95_add_spi+cacert_ca_certs.patch
 97_SSL_RENEGOTIATE_TRANSITIONAL.patch
 98_CVE-2014-1569.patch
+99_prefer_stronger_cert_chains.patch
