From aada6b10b73091276397404059605d13e7548462 Mon Sep 17 00:00:00 2001
From: CentOS Sources <bugs@centos.org>
Date: Nov 16 2016 03:27:17 +0000
Subject: import nss-3.21.3-2.el7_3


---

diff --git a/.gitignore b/.gitignore
index fadcdf8..67272da 100644
--- a/.gitignore
+++ b/.gitignore
@@ -9,7 +9,7 @@ SOURCES/cert8.db.xml
 SOURCES/cert9.db.xml
 SOURCES/key3.db.xml
 SOURCES/key4.db.xml
-SOURCES/nss-3.21.0.tar.gz
+SOURCES/nss-3.21.3.tar.gz
 SOURCES/nss-config.xml
 SOURCES/nss-pem-20140125.tar.bz2
 SOURCES/secmod.db.xml
diff --git a/.nss.metadata b/.nss.metadata
index 473c632..e8b243f 100644
--- a/.nss.metadata
+++ b/.nss.metadata
@@ -9,7 +9,7 @@ bd748cf6e1465a1bbe6e751b72ffc0076aff0b50 SOURCES/blank-secmod.db
 7cbb7841b1aefe52534704bf2a4358bfea1aa477 SOURCES/cert9.db.xml
 24c123810543ff0f6848647d6d910744e275fb01 SOURCES/key3.db.xml
 af51b16a56fda1f7525a0eed3ecbdcbb4133be0c SOURCES/key4.db.xml
-d42285342e5c27c9f884b3d569c865c09c1d6538 SOURCES/nss-3.21.0.tar.gz
+b6e2612dbf78a04cac2a81784143e918ed03aea7 SOURCES/nss-3.21.3.tar.gz
 2905c9b06e7e686c9e3c0b5736a218766d4ae4c2 SOURCES/nss-config.xml
 66f2060c35f4e97bdfa163e8bd7cb2ef5e8125d8 SOURCES/nss-pem-20140125.tar.bz2
 ca9ebf79c1437169a02527c18b1e3909943c4be9 SOURCES/secmod.db.xml
diff --git a/SOURCES/moz-1314604.patch b/SOURCES/moz-1314604.patch
new file mode 100644
index 0000000..7d27f67
--- /dev/null
+++ b/SOURCES/moz-1314604.patch
@@ -0,0 +1,115 @@
+diff -up ./lib/ssl/ssl3con.c.moz-1314604 ./lib/ssl/ssl3con.c
+--- ./lib/ssl/ssl3con.c.moz-1314604	2016-11-07 21:30:40.035272554 +0100
++++ ./lib/ssl/ssl3con.c	2016-11-07 21:31:14.876273952 +0100
+@@ -6196,6 +6196,7 @@ sendDHClientKeyExchange(sslSocket * ss,
+ 
+     if (pms == NULL) {
+ 	ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE);
++	rv = SECFailure;
+ 	goto loser;
+     }
+ 
+@@ -6939,7 +6940,6 @@ ssl3_HandleServerKeyExchange(sslSocket *
+ 	SECItem          dh_Ys     = {siBuffer, NULL, 0};
+         unsigned dh_p_bits;
+         unsigned dh_g_bits;
+-        unsigned dh_Ys_bits;
+         PRInt32  minDH;
+ 
+     	rv = ssl3_ConsumeHandshakeVariable(ss, &dh_p, 2, &b, &length);
+@@ -6968,9 +6968,10 @@ ssl3_HandleServerKeyExchange(sslSocket *
+     	if (rv != SECSuccess) {
+ 	    goto loser;		/* malformed. */
+ 	}
+-        dh_Ys_bits = SECKEY_BigIntegerBitLength(&dh_Ys);
+-        if (dh_Ys_bits > dh_p_bits || dh_Ys_bits <= 1)
+-	    goto alert_loser;
++        if (!ssl_IsValidDHEShare(&dh_p, &dh_Ys)) {
++            errCode = SSL_ERROR_WEAK_SERVER_EPHEMERAL_DH_KEY;
++            goto alert_loser;
++        }
+ 	if (isTLS12) {
+ 	    rv = ssl3_ConsumeSignatureAndHashAlgorithm(ss, &b, &length,
+ 						       &sigAndHash);
+@@ -9906,6 +9907,12 @@ ssl3_HandleDHClientKeyExchange(sslSocket
+ 	goto loser;
+     }
+ 
++    if (!ssl_IsValidDHEShare(&srvrPubKey->u.dh.prime,
++                             &clntPubKey.u.dh.publicValue)) {
++        PORT_SetError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE);
++        return SECFailure;
++    }
++
+     isTLS = (PRBool)(ss->ssl3.prSpec->version > SSL_LIBRARY_VERSION_3_0);
+ 
+     if (isTLS) target = CKM_TLS_MASTER_KEY_DERIVE_DH;
+diff -up ./lib/ssl/sslimpl.h.moz-1314604 ./lib/ssl/sslimpl.h
+--- ./lib/ssl/sslimpl.h.moz-1314604	2016-11-07 21:30:40.028272553 +0100
++++ ./lib/ssl/sslimpl.h	2016-11-07 21:30:40.047272554 +0100
+@@ -1647,6 +1647,7 @@ int ssl3_GatherCompleteHandshake(sslSock
+ extern SECStatus ssl3_CreateRSAStepDownKeys(sslSocket *ss);
+ 
+ extern SECStatus ssl3_SelectDHParams(sslSocket *ss);
++extern PRBool ssl_IsValidDHEShare(const SECItem *dh_p, const SECItem *dh_Ys);
+ 
+ #ifndef NSS_DISABLE_ECC
+ extern void      ssl3_FilterECCipherSuitesByServerCerts(sslSocket *ss);
+diff -up ./lib/ssl/sslsock.c.moz-1314604 ./lib/ssl/sslsock.c
+--- ./lib/ssl/sslsock.c.moz-1314604	2016-11-07 21:30:40.040272554 +0100
++++ ./lib/ssl/sslsock.c	2016-11-07 21:30:40.048272554 +0100
+@@ -1462,6 +1462,54 @@ SSL_DHEGroupPrefSet(PRFileDesc *fd,
+     return SECSuccess;
+ }
+ 
++/* This validates dh_Ys against the group prime. */
++PRBool
++ssl_IsValidDHEShare(const SECItem *dh_p, const SECItem *dh_Ys)
++{
++    unsigned int size_p = SECKEY_BigIntegerBitLength(dh_p);
++    unsigned int size_y = SECKEY_BigIntegerBitLength(dh_Ys);
++    unsigned int commonPart;
++    int cmp;
++
++    if (dh_p->len == 0 || dh_Ys->len == 0) {
++        return PR_FALSE;
++    }
++
++    /* Check that the prime is at least odd. */
++    if ((dh_p->data[dh_p->len - 1] & 0x01) == 0) {
++        return PR_FALSE;
++    }
++    /* dh_Ys can't be 1, or bigger than dh_p. */
++    if (size_y <= 1 || size_y > size_p) {
++        return PR_FALSE;
++    }
++    /* If dh_Ys is shorter, then it's definitely smaller than p-1. */
++    if (size_y < size_p) {
++        return PR_TRUE;
++    }
++
++    /* Compare the common part of each, minus the final octet. */
++    commonPart = (size_p + 7) / 8;
++    PORT_Assert(commonPart <= dh_Ys->len);
++    PORT_Assert(commonPart <= dh_p->len);
++    cmp = PORT_Memcmp(dh_Ys->data + dh_Ys->len - commonPart,
++                      dh_p->data + dh_p->len - commonPart, commonPart - 1);
++    if (cmp < 0) {
++        return PR_TRUE;
++    }
++    if (cmp > 0) {
++        return PR_FALSE;
++    }
++
++    /* The last octet of the prime is the only thing that is different and that
++     * has to be two greater than the share, otherwise we have Ys == p - 1,
++     * and that means small subgroups. */
++    if (dh_Ys->data[dh_Ys->len - 1] >= (dh_p->data[dh_p->len - 1] - 1)) {
++        return PR_FALSE;
++    }
++
++    return PR_TRUE;
++}
+ 
+ PRCallOnceType gWeakDHParamsRegisterOnce;
+ int gWeakDHParamsRegisterError;
diff --git a/SPECS/nss.spec b/SPECS/nss.spec
index 21ea02d..8ac83a5 100644
--- a/SPECS/nss.spec
+++ b/SPECS/nss.spec
@@ -26,8 +26,8 @@
 
 Summary:          Network Security Services
 Name:             nss
-Version:          3.21.0
-Release:          17%{?dist}
+Version:          3.21.3
+Release:          2%{?dist}
 License:          MPLv2.0
 URL:              http://www.mozilla.org/projects/security/pki/nss/
 Group:            System Environment/Libraries
@@ -161,6 +161,8 @@ Patch121: flexible-certverify.patch
 Patch122: disable-ems-gtests.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=1317691
 Patch123: call-restartmodules-in-nssinit.patch
+# CVE-2016-8635
+Patch124: moz-1314604.patch
 
 %description
 Network Security Services (NSS) is a set of libraries designed to
@@ -288,6 +290,7 @@ pushd nss
 %patch121 -p1 -b .flexible_certverify
 %patch122 -p1 -b .disable_ems_gtests
 %patch123 -p1 -b .restartmodules_in_init
+%patch124 -p1 -b .moz-1314604
 popd
 
 #########################################################
@@ -880,6 +883,16 @@ fi
 
 
 %changelog
+* Tue Nov 08 2016 Kai Engert <kaie@redhat.com> - 3.21.3-2
+- Mozilla #1314604 / Red Hat CVE-2016-8635
+
+* Wed Nov 02 2016 Kai Engert <kaie@redhat.com> - 3.21.3-1.1
+- rebuild
+
+* Wed Oct 26 2016 Daiki Ueno <dueno@redhat.com> - 3.21.3-1
+- Rebase to NSS 3.21.3
+- Resolves: #1383887
+
 * Thu Jun 30 2016 Kai Engert <kaie@redhat.com> - 3.21.0-17
 - remove additional false duplicates from sha384 downstream patches