From fa8cce37ed6206a2a7bbe7e8981a27b385ee5df6 Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Tue, 28 Jul 2020 08:32:53 -0400 Subject: [PATCH] import nss-3.44.0-15.el8 --- .../nss-3.44-fix-cmac-alignment-crash.patch | 45 +++++++++++++++++++ SOURCES/nss-3.44-fix-swapped-cmac.patch | 15 +++++++ SPECS/nss.spec | 10 ++++- 3 files changed, 69 insertions(+), 1 deletion(-) create mode 100644 SOURCES/nss-3.44-fix-cmac-alignment-crash.patch create mode 100644 SOURCES/nss-3.44-fix-swapped-cmac.patch diff --git a/SOURCES/nss-3.44-fix-cmac-alignment-crash.patch b/SOURCES/nss-3.44-fix-cmac-alignment-crash.patch new file mode 100644 index 0000000..3b68ef9 --- /dev/null +++ b/SOURCES/nss-3.44-fix-cmac-alignment-crash.patch @@ -0,0 +1,45 @@ +diff --git a/lib/freebl/cmac.c b/lib/freebl/cmac.c +--- a/lib/freebl/cmac.c ++++ b/lib/freebl/cmac.c +@@ -22,7 +22,7 @@ + * add a new Context pointer to the cipher union with the correct type. */ + CMACCipher cipherType; + union { +- AESContext aes; ++ AESContext *aes; + } cipher; + int blockSize; + +@@ -62,7 +62,7 @@ + { + if (ctx->cipherType == CMAC_AES) { + unsigned int tmpOutputLen; +- SECStatus rv = AES_Encrypt(&ctx->cipher.aes, output, &tmpOutputLen, ++ SECStatus rv = AES_Encrypt(ctx->cipher.aes, output, &tmpOutputLen, + ctx->blockSize, input, inputLen); + + /* Assumption: AES_Encrypt (when in ECB mode) always returns an +@@ -156,8 +156,9 @@ + + ctx->blockSize = AES_BLOCK_SIZE; + ctx->cipherType = CMAC_AES; +- if (AES_InitContext(&ctx->cipher.aes, key, key_len, NULL, NSS_AES, 1, +- ctx->blockSize) != SECSuccess) { ++ ctx->cipher.aes = AES_CreateContext(key, NULL, NSS_AES, 1, key_len, ++ ctx->blockSize); ++ if (ctx->cipher.aes == NULL) { + return SECFailure; + } + +@@ -308,8 +309,8 @@ + return; + } + +- if (ctx->cipherType == CMAC_AES) { +- AES_DestroyContext(&ctx->cipher.aes, PR_FALSE); ++ if (ctx->cipherType == CMAC_AES && ctx->cipher.aes != NULL) { ++ AES_DestroyContext(ctx->cipher.aes, PR_TRUE); + } + + /* Destroy everything in the context. This includes sensitive data in + diff --git a/SOURCES/nss-3.44-fix-swapped-cmac.patch b/SOURCES/nss-3.44-fix-swapped-cmac.patch new file mode 100644 index 0000000..54684ca --- /dev/null +++ b/SOURCES/nss-3.44-fix-swapped-cmac.patch @@ -0,0 +1,15 @@ +diff --git a/lib/util/pkcs11t.h b/lib/util/pkcs11t.h +--- a/lib/util/pkcs11t.h ++++ b/lib/util/pkcs11t.h +@@ -898,8 +898,8 @@ + #define CKM_AES_CCM 0x00001088 + #define CKM_AES_CTS 0x00001089 + /* AES-CMAC values copied from v2.40 errata 1 header file */ +-#define CKM_AES_CMAC_GENERAL 0x0000108A +-#define CKM_AES_CMAC 0x0000108B ++#define CKM_AES_CMAC 0x0000108A ++#define CKM_AES_CMAC_GENERAL 0x0000108B + #define CKM_AES_XCBC_MAC 0x0000108C + #define CKM_AES_XCBC_MAC_96 0x0000108D + + diff --git a/SPECS/nss.spec b/SPECS/nss.spec index 013b644..10e08e2 100644 --- a/SPECS/nss.spec +++ b/SPECS/nss.spec @@ -46,7 +46,7 @@ rpm.define(string.format("nss_release_tag NSS_%s_RTM", Summary: Network Security Services Name: nss Version: %{nss_version} -Release: 14%{?dist} +Release: 15%{?dist} License: MPLv2.0 URL: http://www.mozilla.org/projects/security/pki/nss/ Requires: nspr >= %{nspr_version} @@ -154,6 +154,10 @@ Patch216: nss-3.44-kbkdf.patch Patch217: nss-3.44-kbkdf-update.patch Patch218: nss-3.44-encrypt-update.patch Patch219: nss-3.44-kbkdf-coverity.patch +# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1611209 +Patch220: nss-3.44-fix-swapped-cmac.patch +# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1610687 +Patch221: nss-3.44-fix-cmac-alignment-crash.patch %description @@ -928,6 +932,10 @@ update-crypto-policies --no-reload &> /dev/null || : %changelog +* Fri Jan 31 2020 Bob Relyea - 3.44.0-15 +- Fix swapped CMAC PKCS #11 values. +- Fix data alignment crash in CMAC. + * Tue Dec 3 2019 Bob Relyea - 3.44.0-14 - Fix coverify scan issue