diff -up ./lib/pk11wrap/pk11cxt.c.coverity ./lib/pk11wrap/pk11cxt.c --- ./lib/pk11wrap/pk11cxt.c.coverity 2021-06-18 09:36:19.499203028 -0700 +++ ./lib/pk11wrap/pk11cxt.c 2021-06-18 09:37:57.993765299 -0700 @@ -382,7 +382,7 @@ pk11_CreateNewContextInSlot(CK_MECHANISM * of the connection.*/ context->fortezzaHack = PR_FALSE; if (type == CKM_SKIPJACK_CBC64) { - if (symKey->origin == PK11_OriginFortezzaHack) { + if (symKey && (symKey->origin == PK11_OriginFortezzaHack)) { context->fortezzaHack = PR_TRUE; } } diff -up ./lib/pk11wrap/pk11hpke.c.coverity ./lib/pk11wrap/pk11hpke.c --- ./lib/pk11wrap/pk11hpke.c.coverity 2021-06-18 13:40:05.410644464 -0700 +++ ./lib/pk11wrap/pk11hpke.c 2021-06-18 13:42:40.627606469 -0700 @@ -1164,8 +1164,6 @@ PK11_HPKE_Seal(HpkeContext *cx, const SE unsigned char tagBuf[HASH_LENGTH_MAX]; size_t tagLen; unsigned int fixedBits; - PORT_Assert(cx->baseNonce->len == sizeof(ivOut)); - PORT_Memcpy(ivOut, cx->baseNonce->data, cx->baseNonce->len); /* aad may be NULL, PT may be zero-length but not NULL. */ if (!cx || !cx->aeadContext || @@ -1176,6 +1174,9 @@ PK11_HPKE_Seal(HpkeContext *cx, const SE return SECFailure; } + PORT_Assert(cx->baseNonce->len == sizeof(ivOut)); + PORT_Memcpy(ivOut, cx->baseNonce->data, cx->baseNonce->len); + tagLen = cx->aeadParams->tagLen; maxOut = pt->len + tagLen; fixedBits = (cx->baseNonce->len - 8) * 8; diff -up ./lib/softoken/sftkike.c.coverity ./lib/softoken/sftkike.c --- ./lib/softoken/sftkike.c.coverity 2021-06-18 09:33:59.633405513 -0700 +++ ./lib/softoken/sftkike.c 2021-06-18 09:34:20.305523382 -0700 @@ -1411,7 +1411,6 @@ sftk_fips_IKE_PowerUpSelfTests(void) (outKeySize != sizeof(ike_known_sha256_prf_plus)) || (PORT_Memcmp(outKeyData, ike_known_sha256_prf_plus, sizeof(ike_known_sha256_prf_plus)) != 0)) { - PORT_ZFree(outKeyData, outKeySize); PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); return SECFailure; }