From 2b122e4485e055f53609ee75829bba57bf0a6821 Mon Sep 17 00:00:00 2001 From: Daiki Ueno Date: Tue, 7 Apr 2020 11:18:10 +0200 Subject: [PATCH] Update to NSS 3.51 --- .gitignore | 1 + nss-cmac-fixes.patch | 75 -------------------------------------------- nss.spec | 10 +++--- sources | 2 +- 4 files changed, 7 insertions(+), 81 deletions(-) delete mode 100644 nss-cmac-fixes.patch diff --git a/.gitignore b/.gitignore index a7bb829..8e05a87 100644 --- a/.gitignore +++ b/.gitignore @@ -46,3 +46,4 @@ TestUser51.cert /nss-3.49.tar.gz /nss-3.49.2.tar.gz /nss-3.50.tar.gz +/nss-3.51.tar.gz diff --git a/nss-cmac-fixes.patch b/nss-cmac-fixes.patch deleted file mode 100644 index 9bcd954..0000000 --- a/nss-cmac-fixes.patch +++ /dev/null @@ -1,75 +0,0 @@ -# HG changeset patch -# User Robert Relyea -# Date 1581383641 28800 -# Mon Feb 10 17:14:01 2020 -0800 -# Node ID df142975f4f695f84a662abdd27219c21c87c8d1 -# Parent 046a6f5bfb271ed03ed6a93e3f879d57905999c5 -Bug 1611209 - Value of CKM_AES_CMAC and CKM_AES_CMAC_GENERAL are swapped r=rrelyea - -diff --git a/lib/util/pkcs11t.h b/lib/util/pkcs11t.h ---- a/lib/util/pkcs11t.h -+++ b/lib/util/pkcs11t.h -@@ -898,8 +898,8 @@ typedef CK_ULONG CK_MECHANISM_TYPE; - #define CKM_AES_CCM 0x00001088 - #define CKM_AES_CTS 0x00001089 - /* AES-CMAC values copied from v2.40 errata 1 header file */ --#define CKM_AES_CMAC_GENERAL 0x0000108A --#define CKM_AES_CMAC 0x0000108B -+#define CKM_AES_CMAC 0x0000108A -+#define CKM_AES_CMAC_GENERAL 0x0000108B - #define CKM_AES_XCBC_MAC 0x0000108C - #define CKM_AES_XCBC_MAC_96 0x0000108D - -# HG changeset patch -# User Robert Relyea -# Date 1581371554 28800 -# Mon Feb 10 13:52:34 2020 -0800 -# Node ID 046a6f5bfb271ed03ed6a93e3f879d57905999c5 -# Parent f161f15f8c8d37070aa5763a1edd91cbbc7c54fb -Bug 1610687 - Crash on unaligned CMACContext.aes.keySchedule when using AES-NI intrinsics r=kjacobs -https://phabricator.services.mozilla.com/D60699 - -diff --git a/lib/freebl/cmac.c b/lib/freebl/cmac.c ---- a/lib/freebl/cmac.c -+++ b/lib/freebl/cmac.c -@@ -22,7 +22,7 @@ struct CMACContextStr { - * add a new Context pointer to the cipher union with the correct type. */ - CMACCipher cipherType; - union { -- AESContext aes; -+ AESContext *aes; - } cipher; - int blockSize; - -@@ -62,7 +62,7 @@ cmac_Encrypt(CMACContext *ctx, unsigned - { - if (ctx->cipherType == CMAC_AES) { - unsigned int tmpOutputLen; -- SECStatus rv = AES_Encrypt(&ctx->cipher.aes, output, &tmpOutputLen, -+ SECStatus rv = AES_Encrypt(ctx->cipher.aes, output, &tmpOutputLen, - ctx->blockSize, input, inputLen); - - /* Assumption: AES_Encrypt (when in ECB mode) always returns an -@@ -156,8 +156,9 @@ CMAC_Init(CMACContext *ctx, CMACCipher t - - ctx->blockSize = AES_BLOCK_SIZE; - ctx->cipherType = CMAC_AES; -- if (AES_InitContext(&ctx->cipher.aes, key, key_len, NULL, NSS_AES, 1, -- ctx->blockSize) != SECSuccess) { -+ ctx->cipher.aes = AES_CreateContext(key, NULL, NSS_AES, 1, key_len, -+ ctx->blockSize); -+ if (ctx->cipher.aes == NULL) { - return SECFailure; - } - -@@ -308,8 +309,8 @@ CMAC_Destroy(CMACContext *ctx, PRBool fr - return; - } - -- if (ctx->cipherType == CMAC_AES) { -- AES_DestroyContext(&ctx->cipher.aes, PR_FALSE); -+ if (ctx->cipherType == CMAC_AES && ctx->cipher.aes != NULL) { -+ AES_DestroyContext(ctx->cipher.aes, PR_TRUE); - } - - /* Destroy everything in the context. This includes sensitive data in diff --git a/nss.spec b/nss.spec index 7848957..63ac639 100644 --- a/nss.spec +++ b/nss.spec @@ -1,5 +1,5 @@ %global nspr_version 4.25.0 -%global nss_version 3.50.0 +%global nss_version 3.51.0 %global unsupported_tools_directory %{_libdir}/nss/unsupported-tools %global saved_files_dir %{_libdir}/nss/saved %global dracutlibdir %{_prefix}/lib/dracut @@ -43,7 +43,7 @@ rpm.define(string.format("nss_release_tag NSS_%s_RTM", Summary: Network Security Services Name: nss Version: %{nss_version} -Release: 3%{?dist} +Release: 1%{?dist} License: MPLv2.0 URL: http://www.mozilla.org/projects/security/pki/nss/ Requires: nspr >= %{nspr_version} @@ -115,9 +115,6 @@ Patch11: nss-tls13-default.patch Patch12: nss-signtool-format.patch # https://github.com/FStarLang/kremlin/issues/166 Patch13: nss-kremlin-ppc64le.patch -# https://bugzilla.mozilla.org/show_bug.cgi?id=1611209 -# https://bugzilla.mozilla.org/show_bug.cgi?id=1610687 -Patch14: nss-cmac-fixes.patch %description Network Security Services (NSS) is a set of libraries designed to @@ -889,6 +886,9 @@ update-crypto-policies &> /dev/null || : %changelog +* Tue Apr 7 2020 Daiki Ueno - 3.51.0-1 +- Update to NSS 3.51 + * Thu Mar 26 2020 Tom Stellard - 3.50.0-3 - Use __make macro to invoke make diff --git a/sources b/sources index 8a7e320..d0ba033 100644 --- a/sources +++ b/sources @@ -3,4 +3,4 @@ SHA512 (blank-cert9.db) = 2f8eab4c0612210ee47db8a3a80c1b58a0b43849551af78c7da403 SHA512 (blank-key3.db) = 01f7314e9fc8a7c9aa997652624cfcde213d18a6b3bb31840c1a60bbd662e56b5bc3221d13874abb42ce78163b225a6dfce2e1326cf6dd29366ad9c28ba5a71c SHA512 (blank-key4.db) = 8fedae93af7163da23fe9492ea8e785a44c291604fa98e58438448efb69c85d3253fc22b926d5c3209c62e58a86038fd4d78a1c4c068bc00600a7f3e5382ebe7 SHA512 (blank-secmod.db) = 06a2dbd861839ef6315093459328b500d3832333a34b30e6fac4a2503af337f014a4d319f0f93322409e719142904ce8bc08252ae9a4f37f30d4c3312e900310 -SHA512 (nss-3.50.tar.gz) = d6bcaf8ad65b5a97c42cd6cbbc68add5c4b49db74b2debcedb2a007f72511ac0e9bd21fd2dec041bc1975cfc8af26a48450aa0d1b962f755931ab2ac45c795b1 +SHA512 (nss-3.51.tar.gz) = 9c894b1ea41449b000750a7b3a89fcb43dfc3d0d4d6dcc0dc288bc73996f76f1ee1ede927a8aecae6d4a07f9f3d3e3a042c6a60cf06e27e0cdc004fce2e510fd