On Wed, 20 May 2015 06:39:06 +0000
ow...@bugs.debian.org (Debian Bug Tracking System) wrote:

> On Wed, May 20, 2015 at 05:58:55PM +1200, VeNoMouS wrote:
> >  
> > 
> > Seriously, how long do we have to wait on this to be fixed... 
> 
> It *is* fixed, but somehow the BTS doesn't show it in the graph.
> 
> Now it's up to the security team as to what to do for jessie.

Mike, thanks for uploading the new nss to unstable.

Security team, are you planning a DSA for Jessie to fix this issue, or
should it go through the upcoming stable point release?  (Note that
the queue for the point release will be frozen this upcoming weekend.)

In either case, I wanted to help, so I've taken the upstream patch[1],
which is quite minimal and cleanly applies to the version of nss in
Jessie, and prepared an updated package with the patch.  Debdiff
attached, and .dsc available here:

        https://www.cloudmutt.com/s/nss_chain_patch/

I've built it on Jessie and tested it - it fixes the problem and
doesn't appear to have had any adverse effects.  Let me know if I've
missed anything or could do anything else to help.

Regards,
Andrew

[1] https://hg.mozilla.org/projects/nss/rev/34e1379ff6c7
diff -Nru nss-3.17.2/debian/changelog nss-3.17.2/debian/changelog
--- nss-3.17.2/debian/changelog	2014-12-21 19:46:52.000000000 -0800
+++ nss-3.17.2/debian/changelog	2015-05-25 09:34:53.000000000 -0700
@@ -1,3 +1,11 @@
+nss (2:3.17.2-1.1+deb8u1) UNRELEASED; urgency=medium
+
+  * Apply upstream patch (99_prefer_stronger_cert_chains.patch) to fix
+    certificate chain generation to prefer stronger/newer certificates
+    over weaker/older certs. Closes: #774195.
+
+ -- Andrew Ayer <a...@andrewayer.name>  Mon, 25 May 2015 09:21:06 -0700
+
 nss (2:3.17.2-1.1) unstable; urgency=medium
 
   * Non-maintainer upload.
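Review bot: the distribution field in the new stanza is UNRELEASED, so this changelog cannot be uploaded as is; it needs to become jessie-security (if the security team issues a DSA) or jessie (if it goes through the point release), matching the two routes the mail asks about. The 2:3.17.2-1.1+deb8u1 version is the right form for a stable update. Consider also citing the upstream bug (https://bugzilla.mozilla.org/show_bug.cgi?id=1112461) next to "Closes: #774195", since that is where the behaviour change is explained.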
diff -Nru nss-3.17.2/debian/patches/99_prefer_stronger_cert_chains.patch nss-3.17.2/debian/patches/99_prefer_stronger_cert_chains.patch
--- nss-3.17.2/debian/patches/99_prefer_stronger_cert_chains.patch	1969-12-31 16:00:00.000000000 -0800
+++ nss-3.17.2/debian/patches/99_prefer_stronger_cert_chains.patch	2015-05-25 09:34:09.000000000 -0700
@@ -0,0 +1,135 @@
+Description: Prefer stronger, newer certs when building chain.
+Origin: https://hg.mozilla.org/projects/nss/rev/34e1379ff6c7
+Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1112461
+
+# HG changeset patch
+# User Ryan Sleevi <ryan.sle...@gmail.com>
+# Date 1420768742 28800
+# Node ID 34e1379ff6c77f6c2dc52b542eafbe9c18034828
+# Parent  6978c29bd763e8e20c4e837ef4cdc7f7d6e802bc
+Bug 1112461 - Have libpkix match classic & mozilla::pkix in preferring newer certs to older certs. r=wtc
+
+diff --git a/lib/libpkix/pkix/checker/pkix_revocationchecker.c b/lib/libpkix/pkix/checker/pkix_revocationchecker.c
+--- a/nss/lib/libpkix/pkix/checker/pkix_revocationchecker.c
++++ b/nss/lib/libpkix/pkix/checker/pkix_revocationchecker.c
+@@ -132,32 +132,38 @@ pkix_RevocationChecker_RegisterSelf(void
+         entry.comparator = NULL;
+         entry.duplicateFunction = pkix_RevocationChecker_Duplicate;
+ 
+         systemClasses[PKIX_REVOCATIONCHECKER_TYPE] = entry;
+ 
+         PKIX_RETURN(REVOCATIONCHECKER);
+ }
+ 
+-/* Sort methods by theirs priorities */
++/* Sort methods by their priorities (lower priority = higher preference) */
+ static PKIX_Error *
+ pkix_RevocationChecker_SortComparator(
+         PKIX_PL_Object *obj1,
+         PKIX_PL_Object *obj2,
+         PKIX_Int32 *pResult,
+         void *plContext)
+ {
+     pkix_RevocationMethod *method1 = NULL, *method2 = NULL;
+     
+     PKIX_ENTER(BUILD, "pkix_RevocationChecker_SortComparator");
+     
+     method1 = (pkix_RevocationMethod *)obj1;
+     method2 = (pkix_RevocationMethod *)obj2;
+     
+-    *pResult = (method1->priority > method2->priority);
++    if (method1->priority < method2->priority) {
++      *pResult = -1;
++    } else if (method1->priority > method2->priority) {
++      *pResult = 1;
++    } else {
++      *pResult = 0;
++    }
+     
+     PKIX_RETURN(BUILD);
+ }
+ 
+ 
+ /* --Public-Functions--------------------------------------------- */
+ 
+ 
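Review bot: the old comparator, `*pResult = (method1->priority > method2->priority);`, could only produce 0 or 1, so a pair where method1 sorts before method2 was indistinguishable from an equal pair; the replacement returns the full -1/0/1 ordering a sort comparator needs, and the reworded comment ("lower priority = higher preference") matches the -1 branch. One header nit for this file: the `diff --git` line names `a/lib/libpkix/...` while the `---`/`+++` lines use `a/nss/lib/libpkix/...`; patch(1) takes the file names from the `---`/`+++` lines, so it applies, but the inconsistent header should be fixed or dropped so the next person does not think the paths were rewritten by mistake.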
+diff --git a/lib/libpkix/pkix/top/pkix_build.c b/lib/libpkix/pkix/top/pkix_build.c
+--- a/nss/lib/libpkix/pkix/top/pkix_build.c
++++ b/nss/lib/libpkix/pkix/top/pkix_build.c
+@@ -655,19 +655,21 @@ pkix_ForwardBuilderState_IsIOPending(
+ 
+ /* --Private-BuildChain-Functions------------------------------------------- */
+ 
+ /*
+  * FUNCTION: pkix_Build_SortCertComparator
+  * DESCRIPTION:
+  *
+  *  This Function takes two Certificates cast in "obj1" and "obj2",
+- *  compares their validity NotAfter dates and returns the result at
+- *  "pResult". The comparison key(s) can be expanded by using other
+- *  data in the Certificate in the future.
++ *  compares them to determine which is a more preferable certificate
++ *  for chain building. This Function is suitable for use as a
++ *  comparator callback for pkix_List_BubbleSort, setting "*pResult" to
++ *  > 0 if "obj1" is less desirable than "obj2" and < 0 if "obj1"
++ *  is more desirable than "obj2".
+  *
+  * PARAMETERS:
+  *  "obj1"
+  *      Address of the PKIX_PL_Object that is a cast of PKIX_PL_Cert.
+  *      Must be non-NULL.
+  *  "obj2"
+  *      Address of the PKIX_PL_Object that is a cast of PKIX_PL_Cert.
+  *      Must be non-NULL.
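Review bot: the rewritten description now states the contract in terms of pkix_List_BubbleSort and the sign of "*pResult" but drops the old sentence saying that the NotAfter dates are what gets compared; the in-function comment further down still says "we use NotAfter date as the comparison key for now", so keeping one sentence about the key here would leave the header self-contained. The sign convention it documents (> 0 when "obj1" is less desirable) is consistent with the `*pResult = -result;` change in the last hunk.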
+@@ -686,24 +688,24 @@ static PKIX_Error *
+ pkix_Build_SortCertComparator(
+         PKIX_PL_Object *obj1,
+         PKIX_PL_Object *obj2,
+         PKIX_Int32 *pResult,
+         void *plContext)
+ {
+         PKIX_PL_Date *date1 = NULL;
+         PKIX_PL_Date *date2 = NULL;
+-        PKIX_Boolean result = PKIX_FALSE;
++        PKIX_Int32 result = 0;
+ 
+         PKIX_ENTER(BUILD, "pkix_Build_SortCertComparator");
+         PKIX_NULLCHECK_THREE(obj1, obj2, pResult);
+ 
+         /*
+          * For sorting candidate certificates, we use NotAfter date as the
+-         * sorted key for now (can be expanded if desired in the future).
++         * comparison key for now (can be expanded if desired in the future).
+          *
+          * In PKIX_BuildChain, the List of CertStores was reordered so that
+          * trusted CertStores are ahead of untrusted CertStores. That sort, or
+          * this one, could be taken out if it is determined that it doesn't help
+          * performance, or in some way hinders the solution of choosing desired
+          * candidates.
+          */
+ 
+@@ -722,17 +724,22 @@ pkix_Build_SortCertComparator(
+         
+         PKIX_CHECK(PKIX_PL_Object_Compare
+                 ((PKIX_PL_Object *)date1,
+                 (PKIX_PL_Object *)date2,
+                 &result,
+                 plContext),
+                 PKIX_OBJECTCOMPARATORFAILED);
+ 
+-        *pResult = !result;
++        /*
++         * Invert the result, so that if date1 is greater than date2,
++         * obj1 is sorted before obj2. This is because pkix_List_BubbleSort
++         * sorts in ascending order.
++         */
++        *pResult = -result;
+ 
+ cleanup:
+ 
+         PKIX_DECREF(date1);
+         PKIX_DECREF(date2);
+ 
+         PKIX_RETURN(BUILD);
+ }
+
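Review bot: `*pResult = -result;` is the substantive fix, and it is only correct because `result` was changed from PKIX_Boolean to PKIX_Int32 in the previous hunk so that it can hold the signed three-way value PKIX_PL_Object_Compare writes through `&result`. The old `*pResult = !result;` collapsed that ordering: two certificates with different NotAfter dates compared as 0 (equal) and only identical dates gave 1, so candidates were never actually ordered by expiry. With the new code date1 > date2 yields -1 and obj1 sorts first, i.e. the newer certificate is preferred, which is what the upstream subject line describes; the added comment explains the inversion correctly and should stay.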
diff -Nru nss-3.17.2/debian/patches/series nss-3.17.2/debian/patches/series
--- nss-3.17.2/debian/patches/series	2014-12-21 19:23:24.000000000 -0800
+++ nss-3.17.2/debian/patches/series	2015-05-25 09:34:09.000000000 -0700
@@ -5,3 +5,4 @@
 95_add_spi+cacert_ca_certs.patch
 97_SSL_RENEGOTIATE_TRANSITIONAL.patch
 98_CVE-2014-1569.patch
+99_prefer_stronger_cert_chains.patch