diff --git a/.gitignore b/.gitignore
index 0a17197..b0ffa84 100644
--- a/.gitignore
+++ b/.gitignore
@@ -4,5 +4,4 @@ SOURCES/blank-cert9.db
 SOURCES/blank-key3.db
 SOURCES/blank-key4.db
 SOURCES/blank-secmod.db
-SOURCES/nss-3.66.tar.gz
-SOURCES/nss-softokn-cavs-1.0.tar.gz
+SOURCES/nss-3.67.tar.gz
diff --git a/.nss.metadata b/.nss.metadata
index 8d58692..46cc0d2 100644
--- a/.nss.metadata
+++ b/.nss.metadata
@@ -4,5 +4,4 @@ b5570125fbf6bfb410705706af48217a0817c03a SOURCES/blank-cert9.db
 7f78b5bcecdb5005e7b803604b2ec9d1a9df2fb5 SOURCES/blank-key3.db
 f9c9568442386da370193474de1b25c3f68cdaf6 SOURCES/blank-key4.db
 bd748cf6e1465a1bbe6e751b72ffc0076aff0b50 SOURCES/blank-secmod.db
-c0d452f828e16e3345e891fe2bd016250f1b51e1 SOURCES/nss-3.66.tar.gz
-d8a7f044570732caf4ed06fd44a63b3e86ea2a16 SOURCES/nss-softokn-cavs-1.0.tar.gz
+9cccf98f0476905c0d863a6b2cb08a1955482241 SOURCES/nss-3.67.tar.gz
diff --git a/SOURCES/nss-3.66-fix-gtest-parsing.patch b/SOURCES/nss-3.66-fix-gtest-parsing.patch
new file mode 100644
index 0000000..7e5ff4b
--- /dev/null
+++ b/SOURCES/nss-3.66-fix-gtest-parsing.patch
@@ -0,0 +1,16 @@
+diff -up ./tests/common/parsegtestreport.sed.new_gtest ./tests/common/parsegtestreport.sed
+--- ./tests/common/parsegtestreport.sed.new_gtest 2021-06-17 16:26:49.361035662 -0700
++++ ./tests/common/parsegtestreport.sed 2021-06-17 16:49:08.512261136 -0700
+@@ -1,8 +1,11 @@
+ /\CTR[14] += !(++gcm->CTR[15]); - gcm->CTR[13] += !(gcm->CTR[15]) && !(gcm->CTR[14]); -- gcm->CTR[12] += !(gcm->CTR[15]) && !(gcm->CTR[13]) && !(gcm->CTR[12]); -+ gcm->CTR[12] += !(gcm->CTR[15]) && !(gcm->CTR[14]) && !(gcm->CTR[13]); - - /* Now hash AAD - it would actually make sense to seperate the context - * creation from the AAD, because that would allow to reuse the H, which - -
diff --git a/SOURCES/nss-3.67-fix-coverity-issues.patch b/SOURCES/nss-3.67-fix-coverity-issues.patch
new file mode 100644
index 0000000..a68fa57
--- /dev/null
+++ b/SOURCES/nss-3.67-fix-coverity-issues.patch
@@ -0,0 +1,45 @@
+diff -up ./lib/pk11wrap/pk11cxt.c.coverity ./lib/pk11wrap/pk11cxt.c
+--- ./lib/pk11wrap/pk11cxt.c.coverity 2021-06-18 09:36:19.499203028 -0700
++++ ./lib/pk11wrap/pk11cxt.c 2021-06-18 09:37:57.993765299 -0700
+@@ -382,7 +382,7 @@ pk11_CreateNewContextInSlot(CK_MECHANISM
+ * of the connection.*/
+ context->fortezzaHack = PR_FALSE;
+ if (type == CKM_SKIPJACK_CBC64) {
+- if (symKey->origin == PK11_OriginFortezzaHack) {
++ if (symKey && (symKey->origin == PK11_OriginFortezzaHack)) {
+ context->fortezzaHack = PR_TRUE;
+ }
+ }
+diff -up ./lib/pk11wrap/pk11hpke.c.coverity ./lib/pk11wrap/pk11hpke.c
+--- ./lib/pk11wrap/pk11hpke.c.coverity 2021-06-18 13:40:05.410644464 -0700
++++ ./lib/pk11wrap/pk11hpke.c 2021-06-18 13:42:40.627606469 -0700
+@@ -1164,8 +1164,6 @@ PK11_HPKE_Seal(HpkeContext *cx, const SE
+ unsigned char tagBuf[HASH_LENGTH_MAX];
+ size_t tagLen;
+ unsigned int fixedBits;
+- PORT_Assert(cx->baseNonce->len == sizeof(ivOut));
+- PORT_Memcpy(ivOut, cx->baseNonce->data, cx->baseNonce->len);
+ 
+ /* aad may be NULL, PT may be zero-length but not NULL. */
+ if (!cx || !cx->aeadContext ||
+@@ -1176,6 +1174,9 @@ PK11_HPKE_Seal(HpkeContext *cx, const SE
+ return SECFailure;
+ }
+ 
++ PORT_Assert(cx->baseNonce->len == sizeof(ivOut));
++ PORT_Memcpy(ivOut, cx->baseNonce->data, cx->baseNonce->len);
++ 
+ tagLen = cx->aeadParams->tagLen;
+ maxOut = pt->len + tagLen;
+ fixedBits = (cx->baseNonce->len - 8) * 8;
+diff -up ./lib/softoken/sftkike.c.coverity ./lib/softoken/sftkike.c
+--- ./lib/softoken/sftkike.c.coverity 2021-06-18 09:33:59.633405513 -0700
++++ ./lib/softoken/sftkike.c 2021-06-18 09:34:20.305523382 -0700
+@@ -1411,7 +1411,6 @@ sftk_fips_IKE_PowerUpSelfTests(void)
+ (outKeySize != sizeof(ike_known_sha256_prf_plus)) ||
+ (PORT_Memcmp(outKeyData, ike_known_sha256_prf_plus,
+ sizeof(ike_known_sha256_prf_plus)) != 0)) {
+- PORT_ZFree(outKeyData, outKeySize);
+ PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+ return SECFailure;
+ }
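Review bot: The relocated `PORT_Memcpy(ivOut, cx->baseNonce->data, cx->baseNonce->len)` in PK11_HPKE_Seal still takes its length from the context rather than from the destination, and the `PORT_Assert` above it is compiled out in non-debug builds, so moving the pair below the NULL check fixes the dereference Coverity flagged but leaves a nonce whose length differs from `sizeof(ivOut)` copied unchecked in release. A release-safe form rejects the mismatch like the other argument checks, `if (cx->baseNonce->len != sizeof(ivOut)) { PORT_SetError(SEC_ERROR_INVALID_ARGS); return SECFailure; }`, placed where the assert now sits; the condition that precedes it continues outside the hunk, so whether `cx->baseNonce` itself is NULL-checked there is not visible here. In the sftkike.c hunk, dropping `PORT_ZFree(outKeyData, outKeySize)` from the failure path presumably resolves a double-free or wrong-free finding, but outKeyData's declaration and its handling on the success path are outside the hunk; since it holds PRF output, confirm that the remaining release (if any) is the zeroizing `PORT_ZFree` rather than `PORT_Free` and that the failure path does not now leak a heap copy. A one-line comment naming the Coverity finding at each of the three fixes would save the next reader the same reconstruction.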
diff --git a/SPECS/nss.spec b/SPECS/nss.spec
index b1b68a1..b88d808 100644
--- a/SPECS/nss.spec
+++ b/SPECS/nss.spec
@@ -1,6 +1,6 @@
 %global nspr_build_version 4.25.0
 %global nspr_version 4.25.0
-%global nss_version 3.66.0
+%global nss_version 3.67.0
 %global unsupported_tools_directory %{_libdir}/nss/unsupported-tools
 %global saved_files_dir %{_libdir}/nss/saved
 %global dracutlibdir %{_prefix}/lib/dracut
@@ -93,7 +93,6 @@ Source25: key3.db.xml
 Source26: key4.db.xml
 Source27: secmod.db.xml
 Source28: nss-p11-kit.config
-Source29: nss-softokn-cavs-1.0.tar.gz
 Source30: PayPalEE.cert
 # To inject hardening flags for DSO
@@ -150,8 +149,10 @@ Patch225: nss-3.53-fix-private_key_mac.patch
 Patch229: nss-3.53.1-measure-fix.patch
 # no upstream bug yet
 Patch230: nss-3.66-no-small-primes.patch
-#
-Patch231: nss-3.66-ppcle-fix.patch
+# no upstream bug yet
+Patch232: nss-3.66-fix-gtest-parsing.patch
+# no upstream bug yet
+Patch233: nss-3.67-fix-coverity-issues.patch
 %description
@@ -280,7 +281,7 @@ Header and library files for doing development with Network Security Services.
 %prep
-%autosetup -N -n %{name}-%{nss_archive_version} -a 29
+%autosetup -N -n %{name}-%{nss_archive_version}
 pushd nss
 %autopatch -p1
 popd
@@ -924,6 +925,12 @@ update-crypto-policies --no-reload &> /dev/null || :
 %changelog
+* Fri Jun 18 2021 Bob Relyea - 3.67.0-2
+- Fix coverity issues
+
+* Thu Jun 17 2021 Bob Relyea - 3.67.0-1
+- Rebase to NSS 3.67
+
 * Tue Jun 15 2021 Bob Relyea - 3.66.0-2
 - Restore old pkcs12 defaults.
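Review bot: Patch231 (`nss-3.66-ppcle-fix.patch`) is dropped from the Patch list in the `@@ -150,8 +149,10 @@` hunk without any changelog line, while the two new entries mention only the rebase and the Coverity fixes; if that fix is contained in the 3.67 tarball, a changelog line saying so (`- Drop nss-3.66-ppcle-fix.patch, included upstream in 3.67`) would record why it went, and if it is not, the ppc64le-specific fix is silently lost by this rebase. The `# no upstream bug yet` comment added above Patch232 and Patch233 should be replaced with the Bugzilla reference once one exists, for the Coverity patch in particular, so the patch can be retired at the next rebase. The `-a 29` removal in the %prep hunk matches the deleted Source29, so that pair is consistent.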