Bug#795794: jessie-pu: package nss/3.17.2-1.1+deb8u1
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian.org@packages.debian.org
Usertags: pu
Hi!
This is a small patch from mozilla hg. It fixes #774195 and is
confirmed to work. Would be cool if if can be included in the next
stable release.
Thanks!
Christoph
-- System Information:
Debian Release: 8.0
APT prefers stable-kfreebsd
APT policy: (990, 'stable-kfreebsd'), (500, 'buildd-unstable'), (500, 'unstable'), (500, 'oldstable'), (1, 'experimental')
Architecture: kfreebsd-amd64 (x86_64)
Kernel: kFreeBSD 10.1-0-amd64
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)
diff -Nru nss-3.17.2/debian/changelog nss-3.17.2/debian/changelog
--- nss-3.17.2/debian/changelog 2014-12-22 04:46:52.000000000 +0100
+++ nss-3.17.2/debian/changelog 2015-08-15 12:40:34.000000000 +0200
@@ -1,3 +1,12 @@
+nss (2:3.17.2-1.1+deb8u1) jessie; urgency=medium
+
+ [ Andrew Ayer ]
+ * Apply upstream patch (99_prefer_stronger_cert_chains.patch) to fix
+ certificate chain generation to prefer stronger/newer certificates
+ over weaker/older certs. Closes: #774195.
+
+ -- Christoph Egger <christoph@debian.org> Sat, 15 Aug 2015 12:40:31 +0200
+
nss (2:3.17.2-1.1) unstable; urgency=medium
* Non-maintainer upload.
diff -Nru nss-3.17.2/debian/patches/99_prefer_stronger_cert_chains.patch nss-3.17.2/debian/patches/99_prefer_stronger_cert_chains.patch
--- nss-3.17.2/debian/patches/99_prefer_stronger_cert_chains.patch 1970-01-01 01:00:00.000000000 +0100
+++ nss-3.17.2/debian/patches/99_prefer_stronger_cert_chains.patch 2015-05-25 18:34:09.000000000 +0200
@@ -0,0 +1,135 @@
+Description: Prefer stronger, newer certs when building chain.
+Origin: https://hg.mozilla.org/projects/nss/rev/34e1379ff6c7
+Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1112461
+
+# HG changeset patch
+# User Ryan Sleevi <ryan.sleevi@gmail.com>
+# Date 1420768742 28800
+# Node ID 34e1379ff6c77f6c2dc52b542eafbe9c18034828
+# Parent 6978c29bd763e8e20c4e837ef4cdc7f7d6e802bc
+Bug 1112461 - Have libpkix match classic & mozilla::pkix in preferring newer certs to older certs. r=wtc
+
+diff --git a/lib/libpkix/pkix/checker/pkix_revocationchecker.c b/lib/libpkix/pkix/checker/pkix_revocationchecker.c
+--- a/nss/lib/libpkix/pkix/checker/pkix_revocationchecker.c
++++ b/nss/lib/libpkix/pkix/checker/pkix_revocationchecker.c
+@@ -132,32 +132,38 @@ pkix_RevocationChecker_RegisterSelf(void
+ entry.comparator = NULL;
+ entry.duplicateFunction = pkix_RevocationChecker_Duplicate;
+
+ systemClasses[PKIX_REVOCATIONCHECKER_TYPE] = entry;
+
+ PKIX_RETURN(REVOCATIONCHECKER);
+ }
+
+-/* Sort methods by theirs priorities */
++/* Sort methods by their priorities (lower priority = higher preference) */
+ static PKIX_Error *
+ pkix_RevocationChecker_SortComparator(
+ PKIX_PL_Object *obj1,
+ PKIX_PL_Object *obj2,
+ PKIX_Int32 *pResult,
+ void *plContext)
+ {
+ pkix_RevocationMethod *method1 = NULL, *method2 = NULL;
+
+ PKIX_ENTER(BUILD, "pkix_RevocationChecker_SortComparator");
+
+ method1 = (pkix_RevocationMethod *)obj1;
+ method2 = (pkix_RevocationMethod *)obj2;
+
+- *pResult = (method1->priority > method2->priority);
++ if (method1->priority < method2->priority) {
++ *pResult = -1;
++ } else if (method1->priority > method2->priority) {
++ *pResult = 1;
++ } else {
++ *pResult = 0;
++ }
+
+ PKIX_RETURN(BUILD);
+ }
+
+
+ /* --Public-Functions--------------------------------------------- */
+
+
+diff --git a/lib/libpkix/pkix/top/pkix_build.c b/lib/libpkix/pkix/top/pkix_build.c
+--- a/nss/lib/libpkix/pkix/top/pkix_build.c
++++ b/nss/lib/libpkix/pkix/top/pkix_build.c
+@@ -655,19 +655,21 @@ pkix_ForwardBuilderState_IsIOPending(
+
+ /* --Private-BuildChain-Functions------------------------------------------- */
+
+ /*
+ * FUNCTION: pkix_Build_SortCertComparator
+ * DESCRIPTION:
+ *
+ * This Function takes two Certificates cast in "obj1" and "obj2",
+- * compares their validity NotAfter dates and returns the result at
+- * "pResult". The comparison key(s) can be expanded by using other
+- * data in the Certificate in the future.
++ * compares them to determine which is a more preferable certificate
++ * for chain building. This Function is suitable for use as a
++ * comparator callback for pkix_List_BubbleSort, setting "*pResult" to
++ * > 0 if "obj1" is less desirable than "obj2" and < 0 if "obj1"
++ * is more desirable than "obj2".
+ *
+ * PARAMETERS:
+ * "obj1"
+ * Address of the PKIX_PL_Object that is a cast of PKIX_PL_Cert.
+ * Must be non-NULL.
+ * "obj2"
+ * Address of the PKIX_PL_Object that is a cast of PKIX_PL_Cert.
+ * Must be non-NULL.
+@@ -686,24 +688,24 @@ static PKIX_Error *
+ pkix_Build_SortCertComparator(
+ PKIX_PL_Object *obj1,
+ PKIX_PL_Object *obj2,
+ PKIX_Int32 *pResult,
+ void *plContext)
+ {
+ PKIX_PL_Date *date1 = NULL;
+ PKIX_PL_Date *date2 = NULL;
+- PKIX_Boolean result = PKIX_FALSE;
++ PKIX_Int32 result = 0;
+
+ PKIX_ENTER(BUILD, "pkix_Build_SortCertComparator");
+ PKIX_NULLCHECK_THREE(obj1, obj2, pResult);
+
+ /*
+ * For sorting candidate certificates, we use NotAfter date as the
+- * sorted key for now (can be expanded if desired in the future).
++ * comparison key for now (can be expanded if desired in the future).
+ *
+ * In PKIX_BuildChain, the List of CertStores was reordered so that
+ * trusted CertStores are ahead of untrusted CertStores. That sort, or
+ * this one, could be taken out if it is determined that it doesn't help
+ * performance, or in some way hinders the solution of choosing desired
+ * candidates.
+ */
+
+@@ -722,17 +724,22 @@ pkix_Build_SortCertComparator(
+
+ PKIX_CHECK(PKIX_PL_Object_Compare
+ ((PKIX_PL_Object *)date1,
+ (PKIX_PL_Object *)date2,
+ &result,
+ plContext),
+ PKIX_OBJECTCOMPARATORFAILED);
+
+- *pResult = !result;
++ /*
++ * Invert the result, so that if date1 is greater than date2,
++ * obj1 is sorted before obj2. This is because pkix_List_BubbleSort
++ * sorts in ascending order.
++ */
++ *pResult = -result;
+
+ cleanup:
+
+ PKIX_DECREF(date1);
+ PKIX_DECREF(date2);
+
+ PKIX_RETURN(BUILD);
+ }
+
diff -Nru nss-3.17.2/debian/patches/series nss-3.17.2/debian/patches/series
--- nss-3.17.2/debian/patches/series 2014-12-22 04:23:24.000000000 +0100
+++ nss-3.17.2/debian/patches/series 2015-05-25 18:34:09.000000000 +0200
@@ -5,3 +5,4 @@
95_add_spi+cacert_ca_certs.patch
97_SSL_RENEGOTIATE_TRANSITIONAL.patch
98_CVE-2014-1569.patch
+99_prefer_stronger_cert_chains.patch
Reply to: