Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian....@packages.debian.org
Usertags: pu
Hi!

This is a small patch from mozilla hg. It fixes #774195 and is confirmed to work. Would be cool if it can be included in the next stable release.

Thanks!
  Christoph

-- System Information:
Debian Release: 8.0
  APT prefers stable-kfreebsd
  APT policy: (990, 'stable-kfreebsd'), (500, 'buildd-unstable'), (500, 'unstable'), (500, 'oldstable'), (1, 'experimental')
Architecture: kfreebsd-amd64 (x86_64)

Kernel: kFreeBSD 10.1-0-amd64
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)
diff -Nru nss-3.17.2/debian/changelog nss-3.17.2/debian/changelog --- nss-3.17.2/debian/changelog 2014-12-22 04:46:52.000000000 +0100 +++ nss-3.17.2/debian/changelog 2015-08-15 12:40:34.000000000 +0200 @@ -1,3 +1,12 @@ +nss (2:3.17.2-1.1+deb8u1) jessie; urgency=medium + + [ Andrew Ayer ] + * Apply upstream patch (99_prefer_stronger_cert_chains.patch) to fix + certificate chain generation to prefer stronger/newer certificates + over weaker/older certs. Closes: #774195. + + -- Christoph Egger <christ...@debian.org> Sat, 15 Aug 2015 12:40:31 +0200 + nss (2:3.17.2-1.1) unstable; urgency=medium * Non-maintainer upload. diff -Nru nss-3.17.2/debian/patches/99_prefer_stronger_cert_chains.patch nss-3.17.2/debian/patches/99_prefer_stronger_cert_chains.patch --- nss-3.17.2/debian/patches/99_prefer_stronger_cert_chains.patch 1970-01-01 01:00:00.000000000 +0100 +++ nss-3.17.2/debian/patches/99_prefer_stronger_cert_chains.patch 2015-05-25 18:34:09.000000000 +0200 
@@ -0,0 +1,135 @@ +Description: Prefer stronger, newer certs when building chain. +Origin: https://hg.mozilla.org/projects/nss/rev/34e1379ff6c7 +Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1112461 + +# HG changeset patch +# User Ryan Sleevi <ryan.sle...@gmail.com> +# Date 1420768742 28800 +# Node ID 34e1379ff6c77f6c2dc52b542eafbe9c18034828 +# Parent 6978c29bd763e8e20c4e837ef4cdc7f7d6e802bc +Bug 1112461 - Have libpkix match classic & mozilla::pkix in preferring newer certs to older certs. r=wtc + +diff --git a/lib/libpkix/pkix/checker/pkix_revocationchecker.c b/lib/libpkix/pkix/checker/pkix_revocationchecker.c +--- a/nss/lib/libpkix/pkix/checker/pkix_revocationchecker.c ++++ b/nss/lib/libpkix/pkix/checker/pkix_revocationchecker.c +@@ -132,32 +132,38 @@ pkix_RevocationChecker_RegisterSelf(void + entry.comparator = NULL; + entry.duplicateFunction = pkix_RevocationChecker_Duplicate; + + systemClasses[PKIX_REVOCATIONCHECKER_TYPE] = entry; + + PKIX_RETURN(REVOCATIONCHECKER); + } + +-/* Sort methods by theirs priorities */ ++/* Sort methods by their priorities (lower priority = higher preference) */ + static PKIX_Error * + pkix_RevocationChecker_SortComparator( + PKIX_PL_Object *obj1, + PKIX_PL_Object *obj2, + PKIX_Int32 *pResult, + void *plContext) + { + pkix_RevocationMethod *method1 = NULL, *method2 = NULL; + + PKIX_ENTER(BUILD, "pkix_RevocationChecker_SortComparator"); + + method1 = (pkix_RevocationMethod *)obj1; + method2 = (pkix_RevocationMethod *)obj2; + +- *pResult = (method1->priority > method2->priority); ++ if (method1->priority < method2->priority) { ++ *pResult = -1; ++ } else if (method1->priority > method2->priority) { ++ *pResult = 1; ++ } else { ++ *pResult = 0; ++ } + + PKIX_RETURN(BUILD); + } + + + /* --Public-Functions--------------------------------------------- */ + + +diff --git a/lib/libpkix/pkix/top/pkix_build.c b/lib/libpkix/pkix/top/pkix_build.c +--- a/nss/lib/libpkix/pkix/top/pkix_build.c ++++ b/nss/lib/libpkix/pkix/top/pkix_build.c +@@ 
-655,19 +655,21 @@ pkix_ForwardBuilderState_IsIOPending( + + /* --Private-BuildChain-Functions------------------------------------------- */ + + /* + * FUNCTION: pkix_Build_SortCertComparator + * DESCRIPTION: + * + * This Function takes two Certificates cast in "obj1" and "obj2", +- * compares their validity NotAfter dates and returns the result at +- * "pResult". The comparison key(s) can be expanded by using other +- * data in the Certificate in the future. ++ * compares them to determine which is a more preferable certificate ++ * for chain building. This Function is suitable for use as a ++ * comparator callback for pkix_List_BubbleSort, setting "*pResult" to ++ * > 0 if "obj1" is less desirable than "obj2" and < 0 if "obj1" ++ * is more desirable than "obj2". + * + * PARAMETERS: + * "obj1" + * Address of the PKIX_PL_Object that is a cast of PKIX_PL_Cert. + * Must be non-NULL. + * "obj2" + * Address of the PKIX_PL_Object that is a cast of PKIX_PL_Cert. + * Must be non-NULL. +@@ -686,24 +688,24 @@ static PKIX_Error * + pkix_Build_SortCertComparator( + PKIX_PL_Object *obj1, + PKIX_PL_Object *obj2, + PKIX_Int32 *pResult, + void *plContext) + { + PKIX_PL_Date *date1 = NULL; + PKIX_PL_Date *date2 = NULL; +- PKIX_Boolean result = PKIX_FALSE; ++ PKIX_Int32 result = 0; + + PKIX_ENTER(BUILD, "pkix_Build_SortCertComparator"); + PKIX_NULLCHECK_THREE(obj1, obj2, pResult); + + /* + * For sorting candidate certificates, we use NotAfter date as the +- * sorted key for now (can be expanded if desired in the future). ++ * comparison key for now (can be expanded if desired in the future). + * + * In PKIX_BuildChain, the List of CertStores was reordered so that + * trusted CertStores are ahead of untrusted CertStores. That sort, or + * this one, could be taken out if it is determined that it doesn't help + * performance, or in some way hinders the solution of choosing desired + * candidates. 
+ */ + +@@ -722,17 +724,22 @@ pkix_Build_SortCertComparator( + + PKIX_CHECK(PKIX_PL_Object_Compare + ((PKIX_PL_Object *)date1, + (PKIX_PL_Object *)date2, + &result, + plContext), + PKIX_OBJECTCOMPARATORFAILED); + +- *pResult = !result; ++ /* ++ * Invert the result, so that if date1 is greater than date2, ++ * obj1 is sorted before obj2. This is because pkix_List_BubbleSort ++ * sorts in ascending order. ++ */ ++ *pResult = -result; + + cleanup: + + PKIX_DECREF(date1); + PKIX_DECREF(date2); + + PKIX_RETURN(BUILD); + } + diff -Nru nss-3.17.2/debian/patches/series nss-3.17.2/debian/patches/series --- nss-3.17.2/debian/patches/series 2014-12-22 04:23:24.000000000 +0100 +++ nss-3.17.2/debian/patches/series 2015-05-25 18:34:09.000000000 +0200 @@ -5,3 +5,4 @@ 95_add_spi+cacert_ca_certs.patch 97_SSL_RENEGOTIATE_TRANSITIONAL.patch 98_CVE-2014-1569.patch +99_prefer_stronger_cert_chains.patch
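Review bot: the debian/changelog entry describes only the chain-building side of the change ("prefer stronger/newer certificates over weaker/older certs"), but the patch it introduces also rewrites pkix_RevocationChecker_SortComparator in pkix_revocationchecker.c so that revocation methods are ordered by a proper -1/0/1 comparison instead of a boolean. For a stable update the changelog should name that second behavioural change so the full scope of the jessie upload is visible, and it would help to cite the upstream reference (Mozilla bug 1112461, already in the DEP-3 header) next to "Closes: #774195".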
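Review bot: the embedded upstream patch has inconsistent path headers: the "diff --git" lines name a/lib/libpkix/... while the "---"/"+++" lines name a/nss/lib/libpkix/.... quilt uses the ---/+++ paths, so at -p1 this applies to the Debian source layout with its nss/ prefix, but the mismatched git header will trip git apply and anyone diffing against the hg revision in "Origin:". Either regenerate the header consistently or record in the DEP-3 header that the paths were adjusted for the Debian tree.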
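Review bot: in the pkix_revocationchecker.c hunk, the removed line `*pResult = (method1->priority > method2->priority);` could only ever yield 0 or 1, so a method1 with lower priority than method2 was reported as "equal" and the sort had no way to move it ahead; the replacement returning -1, 0 or 1 is the correct comparator contract, and the reworded comment ("lower priority = higher preference") now documents which direction is preferred. It is worth confirming that pkix_List_BubbleSort treats a negative result as "obj1 before obj2", which is the convention the pkix_build.c comment in this same patch states.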
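Review bot: changing `result` from PKIX_Boolean to PKIX_Int32 in pkix_Build_SortCertComparator is required, not cosmetic: the hunk passes `&result` to PKIX_PL_Object_Compare, which, as the new function comment says, produces a signed ordering (< 0, 0, > 0), and storing that into a boolean discarded the sign before it was ever inverted. The updated DESCRIPTION block is also a clear statement of the pkix_List_BubbleSort contract (> 0 when obj1 is less desirable, < 0 when more desirable) and should be kept with the code.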
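Review bot: the line `*pResult = !result;` in the final pkix_build.c hunk is the actual defect: logical negation maps any non-zero comparison (either ordering of the two NotAfter dates) to 0, i.e. "equal", and only a tie to 1, so candidates were never ordered by expiry at all. `*pResult = -result;` keeps the magnitude and flips the sign so the later-expiring certificate sorts first, which matches the added comment. One pre-existing gap stays visible in the hunk: if PKIX_PL_Object_Compare fails, PKIX_CHECK jumps to cleanup and *pResult is left unassigned, so callers must act on the returned error rather than the output value; that is unchanged by this patch but worth noting in the DEP-3 description.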