import nss-3.67.0-2.el8_4

2021-06-24 04:29:16 +00:00 · 2021-06-24 04:29:16 +00:00 · 610c3a152d
commit 610c3a152d
parent 1d082b272e
6 changed files with 75 additions and 42 deletions
--- a/.gitignore
+++ b/.gitignore
@ -4,5 +4,4 @@ SOURCES/blank-cert9.db
 SOURCES/blank-key3.db
 SOURCES/blank-key4.db
 SOURCES/blank-secmod.db
-SOURCES/nss-3.66.tar.gz
-SOURCES/nss-softokn-cavs-1.0.tar.gz
+SOURCES/nss-3.67.tar.gz
--- a/.nss.metadata
+++ b/.nss.metadata
@ -4,5 +4,4 @@ b5570125fbf6bfb410705706af48217a0817c03a SOURCES/blank-cert9.db
 7f78b5bcecdb5005e7b803604b2ec9d1a9df2fb5 SOURCES/blank-key3.db
 f9c9568442386da370193474de1b25c3f68cdaf6 SOURCES/blank-key4.db
 bd748cf6e1465a1bbe6e751b72ffc0076aff0b50 SOURCES/blank-secmod.db
-c0d452f828e16e3345e891fe2bd016250f1b51e1 SOURCES/nss-3.66.tar.gz
-d8a7f044570732caf4ed06fd44a63b3e86ea2a16 SOURCES/nss-softokn-cavs-1.0.tar.gz
+9cccf98f0476905c0d863a6b2cb08a1955482241 SOURCES/nss-3.67.tar.gz
--- a/SOURCES/nss-3.66-fix-gtest-parsing.patch
+++ b/SOURCES/nss-3.66-fix-gtest-parsing.patch
@ -0,0 +1,16 @@
+diff -up ./tests/common/parsegtestreport.sed.new_gtest ./tests/common/parsegtestreport.sed
+--- ./tests/common/parsegtestreport.sed.new_gtest	2021-06-17 16:26:49.361035662 -0700
+++ ./tests/common/parsegtestreport.sed	2021-06-17 16:49:08.512261136 -0700
+@@ -1,8 +1,11 @@
+ /\<testcase/{
+-  s/^.* name="\([^"]*\)" value_param="\([^"]*\)" status="\([^"]*\)" time="[^"]*" classname="\([^"]*\)".*$/\3 '\4: \1 \2'/
+  s/^.* name="\([^"]*\)" value_param="\([^"]*\)" status="\([^"]*\)" time="[^"]*" classname="\([^"]*\).*$/\3 '\4: \1 \2'/
+   t end
+   s/^.* name="\([^"]*\)" status="\([^"]*\)" time="[^"]*" classname="\([^"]*\)".*$/\2 '\3: \1'/
+   t end
+  s/^.* name="\([^"]*\)" value_param="\([^"]*\)" status="\([^"]*\)" result="[^"]*" time="[^"]*" timestamp="[^"]*" classname="\([^"]*\)".*$/\3 '\4: \1 \2'/
+  t end
+  s/^.* name="\([^"]*\)" status="\([^"]*\)" result="[^"]*" time="[^"]*" timestamp="[^"]*" classname="\([^"]*\)".*$/\2 '\3: \1'/
+ }
+ d
+ : end
--- a/SOURCES/nss-3.66-ppcle-fix.patch
+++ b/SOURCES/nss-3.66-ppcle-fix.patch
@ -1,33 +0,0 @@
-diff --git a/lib/freebl/ppc-gcm.s b/lib/freebl/ppc-gcm.s
--- a/lib/freebl/ppc-gcm.s
-+++ b/lib/freebl/ppc-gcm.s
-@@ -692,7 +692,6 @@
- 
-     mtctr        9
- 
-    li           10, 0
-     li           25, 0x10
-     li           26, 0x20
-     li           27, 0x30
-@@ -703,6 +702,7 @@
- 
- .align 5
- .L8x_loop:
-+    li           10, 0
-     VEC_LOAD_INC K, KS, 10
- 
-     vadduwm      CTR1, CTR, I1
-diff --git a/lib/freebl/ppc-gcm-wrap.c b/lib/freebl/ppc-gcm-wrap.c
--- a/lib/freebl/ppc-gcm-wrap.c
-+++ b/lib/freebl/ppc-gcm-wrap.c
-@@ -155,7 +155,7 @@
-     /* Promote the counter by 1 */
-     gcm->CTR[14] += !(++gcm->CTR[15]);
-     gcm->CTR[13] += !(gcm->CTR[15]) && !(gcm->CTR[14]);
-    gcm->CTR[12] += !(gcm->CTR[15]) && !(gcm->CTR[13]) && !(gcm->CTR[12]);
-+    gcm->CTR[12] += !(gcm->CTR[15]) && !(gcm->CTR[14]) && !(gcm->CTR[13]);
- 
-     /* Now hash AAD - it would actually make sense to seperate the context
-      * creation from the AAD, because that would allow to reuse the H, which
-
-
--- a/SOURCES/nss-3.67-fix-coverity-issues.patch
+++ b/SOURCES/nss-3.67-fix-coverity-issues.patch
@ -0,0 +1,45 @@
+diff -up ./lib/pk11wrap/pk11cxt.c.coverity ./lib/pk11wrap/pk11cxt.c
+--- ./lib/pk11wrap/pk11cxt.c.coverity	2021-06-18 09:36:19.499203028 -0700
+++ ./lib/pk11wrap/pk11cxt.c	2021-06-18 09:37:57.993765299 -0700
+@@ -382,7 +382,7 @@ pk11_CreateNewContextInSlot(CK_MECHANISM
+      * of the connection.*/
+     context->fortezzaHack = PR_FALSE;
+     if (type == CKM_SKIPJACK_CBC64) {
+-        if (symKey->origin == PK11_OriginFortezzaHack) {
+        if (symKey && (symKey->origin == PK11_OriginFortezzaHack)) {
+             context->fortezzaHack = PR_TRUE;
+         }
+     }
+diff -up ./lib/pk11wrap/pk11hpke.c.coverity ./lib/pk11wrap/pk11hpke.c
+--- ./lib/pk11wrap/pk11hpke.c.coverity	2021-06-18 13:40:05.410644464 -0700
+++ ./lib/pk11wrap/pk11hpke.c	2021-06-18 13:42:40.627606469 -0700
+@@ -1164,8 +1164,6 @@ PK11_HPKE_Seal(HpkeContext *cx, const SE
+     unsigned char tagBuf[HASH_LENGTH_MAX];
+     size_t tagLen;
+     unsigned int fixedBits;
+-    PORT_Assert(cx->baseNonce->len == sizeof(ivOut));
+-    PORT_Memcpy(ivOut, cx->baseNonce->data, cx->baseNonce->len);
+ 
+     /* aad may be NULL, PT may be zero-length but not NULL. */
+     if (!cx || !cx->aeadContext ||
+@@ -1176,6 +1174,9 @@ PK11_HPKE_Seal(HpkeContext *cx, const SE
+         return SECFailure;
+     }
+ 
+    PORT_Assert(cx->baseNonce->len == sizeof(ivOut));
+    PORT_Memcpy(ivOut, cx->baseNonce->data, cx->baseNonce->len);
+
+     tagLen = cx->aeadParams->tagLen;
+     maxOut = pt->len + tagLen;
+     fixedBits = (cx->baseNonce->len - 8) * 8;
+diff -up ./lib/softoken/sftkike.c.coverity ./lib/softoken/sftkike.c
+--- ./lib/softoken/sftkike.c.coverity	2021-06-18 09:33:59.633405513 -0700
+++ ./lib/softoken/sftkike.c	2021-06-18 09:34:20.305523382 -0700
+@@ -1411,7 +1411,6 @@ sftk_fips_IKE_PowerUpSelfTests(void)
+         (outKeySize != sizeof(ike_known_sha256_prf_plus)) ||
+         (PORT_Memcmp(outKeyData, ike_known_sha256_prf_plus,
+                      sizeof(ike_known_sha256_prf_plus)) != 0)) {
+-        PORT_ZFree(outKeyData, outKeySize);
+         PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+         return SECFailure;
+     }
--- a/SPECS/nss.spec
+++ b/SPECS/nss.spec
@ -1,6 +1,6 @@
 %global nspr_build_version 4.25.0
 %global nspr_version 4.25.0
-%global nss_version 3.66.0
+%global nss_version 3.67.0
 %global unsupported_tools_directory %{_libdir}/nss/unsupported-tools
 %global saved_files_dir %{_libdir}/nss/saved
 %global dracutlibdir %{_prefix}/lib/dracut
@ -93,7 +93,6 @@ Source25:         key3.db.xml
 Source26:         key4.db.xml
 Source27:         secmod.db.xml
 Source28:         nss-p11-kit.config
-Source29:         nss-softokn-cavs-1.0.tar.gz
 Source30:         PayPalEE.cert

 # To inject hardening flags for DSO
@ -150,8 +149,10 @@ Patch225:         nss-3.53-fix-private_key_mac.patch
 Patch229:         nss-3.53.1-measure-fix.patch
 # no upstream bug yet
 Patch230:         nss-3.66-no-small-primes.patch
-#
-Patch231:         nss-3.66-ppcle-fix.patch
+# no upstream bug yet
+Patch232:         nss-3.66-fix-gtest-parsing.patch
+# no upstream bug yet
+Patch233:         nss-3.67-fix-coverity-issues.patch


 %description
@ -280,7 +281,7 @@ Header and library files for doing development with Network Security Services.


 %prep
-%autosetup -N -n %{name}-%{nss_archive_version} -a 29
+%autosetup -N -n %{name}-%{nss_archive_version}
 pushd nss
 %autopatch -p1
 popd
@ -924,6 +925,12 @@ update-crypto-policies --no-reload &> /dev/null || :


 %changelog
+* Fri Jun 18 2021 Bob Relyea <rrelyea@redhat.com> - 3.67.0-2
+- Fix coverity issues
+
+* Thu Jun 17 2021 Bob Relyea <rrelyea@redhat.com> - 3.67.0-1
+- Rebase to NSS 3.67
+
 * Tue Jun 15 2021 Bob Relyea <rrelyea@redhat.com> - 3.66.0-2
 - Restore old pkcs12 defaults.