Accepting request 487715 from mozilla:Factory

- update to NSS 3.29.5
  * Rare crashes in the base 64 decoder and encoder were fixed.
    (bmo#1344380)
  * A carry over bug in the RNG was fixed. (bmo#1345089)
- Allow use of session tickets when there is no ticket wrapping key
  (boo#1015499, bmo#1320695) (nss-bmo1320695.patch)

OBS-URL: https://build.opensuse.org/request/show/487715
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/mozilla-nss?expand=0&rev=125

mozilla-nss.changes

@@ -1,3 +1,13 @@
+-------------------------------------------------------------------
+Wed Apr 12 21:21:38 UTC 2017 - wr@rosenauer.org
+
+- update to NSS 3.29.5
+  * Rare crashes in the base 64 decoder and encoder were fixed.
+    (bmo#1344380)
+  * A carry over bug in the RNG was fixed. (bmo#1345089)
+- Allow use of session tickets when there is no ticket wrapping key
+  (boo#1015499, bmo#1320695) (nss-bmo1320695.patch)
+
 -------------------------------------------------------------------
 Thu Mar 16 20:27:50 UTC 2017 - wr@rosenauer.org
 

mozilla-nss.spec

@@ -25,7 +25,7 @@ BuildRequires:  mozilla-nspr-devel >= 4.13.1
 BuildRequires:  pkg-config
 BuildRequires:  sqlite-devel
 BuildRequires:  zlib-devel
-Version:        3.29.3
+Version:        3.29.5
 Release:        0
 # bug437293
 %ifarch ppc64
@@ -36,8 +36,8 @@ Summary:        Network Security Services
 License:        MPL-2.0
 Group:          System/Libraries
 Url:            http://www.mozilla.org/projects/security/pki/nss/
-Source:         https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_29_3_RTM/src/nss-%{version}.tar.gz
+Source:         https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_29_5_RTM/src/nss-%{version}.tar.gz
-# hg clone https://hg.mozilla.org/projects/nss nss-3.29.3/nss ; cd nss-3.29.3/nss ; hg up NSS_3_29_3_RTM
+# hg clone https://hg.mozilla.org/projects/nss nss-3.29.5/nss ; cd nss-3.29.5/nss ; hg up NSS_3_29_5_RTM
 #Source:         nss-%{version}.tar.gz
 Source1:        nss.pc.in
 Source3:        nss-config.in
@@ -51,12 +51,13 @@ Source9:        pkcs11.txt
 Source99:       %{name}.changes
 Patch1:         nss-opt.patch
 Patch2:         system-nspr.patch
-Patch4:         nss-no-rpath.patch
+Patch3:         nss-no-rpath.patch
-Patch5:         renegotiate-transitional.patch
+Patch4:         renegotiate-transitional.patch
-Patch6:         malloc.patch
+Patch5:         malloc.patch
-Patch7:         nss-disable-ocsp-test.patch
+Patch6:         nss-disable-ocsp-test.patch
-Patch8:         nss-sqlitename.patch
+Patch7:         nss-sqlitename.patch
-Patch9:         nss-fix-hash.patch
+Patch8:         nss-fix-hash.patch
+Patch9:         nss-bmo1320695.patch
 %define nspr_ver %(rpm -q --queryformat '%{VERSION}' mozilla-nspr)
 PreReq:         mozilla-nspr >= %nspr_ver
 PreReq:         libfreebl3 >= %{nss_softokn_fips_version}
@@ -170,11 +171,12 @@ Mozilla project.
 cd nss
 %patch1 -p1
 %patch2 -p1
+%patch3 -p1
 %patch4 -p1
-%patch5 -p1
 %if %suse_version > 1110
-%patch6 -p1
+%patch5 -p1
 %endif
+%patch6 -p1
 %patch7 -p1
 %patch8 -p1
 %patch9 -p1

nss-3.29.3.tar.gz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:35ddcc31251ef829994efeee925011aa1414e32be7e388236970255aa3c8e1eb
-size 7479458

nss-3.29.5.tar.gz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:5df483b73535d726207483f6349df23fe56aee83382b94b13298aec2e254d985
+size 7480246

nss-bmo1320695.patch

@@ -0,0 +1,67 @@
+# HG changeset patch
+# User Daiki Ueno <dueno@redhat.com>
+# Date 1481108447 -3600
+#      Wed Dec 07 12:00:47 2016 +0100
+# Branch wip/dueno/ec-session-ticket
+# Node ID 86c3a4cb4eb55f50f80904796f0664e11d9b5d73
+# Parent  5796201e791e6cbffc3615cb0c894cf1b0fc09a1
+Bug 1320695 - Using SessionTicket extension along with any ECDHE-ECDSA ciphersuite renders selfserv unusable
+
+When session ticket is used and wrapping key pair (for caching
+generated keys at server side) is not available, disable caching
+instead of returning an error.
+
+diff --git a/lib/ssl/ssl3exthandle.c b/lib/ssl/ssl3exthandle.c
+--- a/lib/ssl/ssl3exthandle.c
++++ b/lib/ssl/ssl3exthandle.c
+@@ -99,21 +99,22 @@ ssl3_GenerateSessionTicketKeys(void *dat
+     sslSocket *ss = (sslSocket *)data;
+     sslServerCertType certType = { ssl_auth_rsa_decrypt, NULL };
+     const sslServerCert *sc;
+-    SECKEYPrivateKey *svrPrivKey;
+-    SECKEYPublicKey *svrPubKey;
++    SECKEYPrivateKey *svrPrivKey = NULL;
++    SECKEYPublicKey *svrPubKey = NULL;
+ 
+     sc = ssl_FindServerCert(ss, &certType);
+     if (!sc || !sc->serverKeyPair) {
+         SSL_DBG(("%d: SSL[%d]: No ssl_auth_rsa_decrypt cert and key pair",
+                  SSL_GETPID(), ss->fd));
+-        goto loser;
+-    }
+-    svrPrivKey = sc->serverKeyPair->privKey;
+-    svrPubKey = sc->serverKeyPair->pubKey;
+-    if (svrPrivKey == NULL || svrPubKey == NULL) {
+-        SSL_DBG(("%d: SSL[%d]: Pub or priv key(s) is NULL.",
+-                 SSL_GETPID(), ss->fd));
+-        goto loser;
++    } else {
++        svrPrivKey = sc->serverKeyPair->privKey;
++        svrPubKey = sc->serverKeyPair->pubKey;
++        if (svrPrivKey == NULL || svrPubKey == NULL) {
++            SSL_DBG(("%d: SSL[%d]: Pub or priv key(s) is NULL.",
++                     SSL_GETPID(), ss->fd));
++            svrPrivKey = NULL;
++            svrPubKey = NULL;
++        }
+     }
+ 
+     /* Get a copy of the session keys from shared memory. */
+diff --git a/lib/ssl/sslsnce.c b/lib/ssl/sslsnce.c
+--- a/lib/ssl/sslsnce.c
++++ b/lib/ssl/sslsnce.c
+@@ -1831,9 +1831,11 @@ ssl_GetSessionTicketKeys(SECKEYPrivateKe
+     PRBool keysGenerated = PR_FALSE;
+     cacheDesc *cache = &globalCache;
+ 
+-    if (!cache->cacheMem) {
+-        /* cache is uninitialized. Generate keys and return them
+-         * without caching. */
++    if (!cache->cacheMem || !svrPrivKey || !svrPubKey) {
++        /* Generated keys cannot be cached, because:
++         * - the cache is not initialized, or
++         * - key pairs to wrap them are not available
++         * Generate keys and return them without caching. */
+         return GenerateTicketKeys(pwArg, keyName, aesKey, macKey);
+     }
+