Update to NSS 3.51

2020-04-07 11:18:10 +02:00 · 2020-04-07 11:18:10 +02:00 · 364a86cc8f
parent 4a5cdbbdb2
commit 364a86cc8f
4 changed files with 7 additions and 81 deletions
--- a/.gitignore
+++ b/.gitignore
@ -45,3 +45,4 @@ TestUser51.cert
 /nss-3.49.tar.gz
 /nss-3.49.2.tar.gz
 /nss-3.50.tar.gz
+/nss-3.51.tar.gz
--- a/nss-cmac-fixes.patch
+++ b/nss-cmac-fixes.patch
@ -1,75 +0,0 @@
-# HG changeset patch
-# User Robert Relyea <rrelyea@redhat.com>
-# Date 1581383641 28800
-#      Mon Feb 10 17:14:01 2020 -0800
-# Node ID df142975f4f695f84a662abdd27219c21c87c8d1
-# Parent  046a6f5bfb271ed03ed6a93e3f879d57905999c5
-Bug 1611209 - Value of CKM_AES_CMAC and CKM_AES_CMAC_GENERAL are swapped r=rrelyea
-
-diff --git a/lib/util/pkcs11t.h b/lib/util/pkcs11t.h
--- a/lib/util/pkcs11t.h
-+++ b/lib/util/pkcs11t.h
-@@ -898,8 +898,8 @@ typedef CK_ULONG CK_MECHANISM_TYPE;
- #define CKM_AES_CCM 0x00001088
- #define CKM_AES_CTS 0x00001089
- /* AES-CMAC values copied from v2.40 errata 1 header file */
-#define CKM_AES_CMAC_GENERAL 0x0000108A
-#define CKM_AES_CMAC 0x0000108B
-+#define CKM_AES_CMAC 0x0000108A
-+#define CKM_AES_CMAC_GENERAL 0x0000108B
- #define CKM_AES_XCBC_MAC 0x0000108C
- #define CKM_AES_XCBC_MAC_96 0x0000108D
- 
-# HG changeset patch
-# User Robert Relyea <rrelyea@redhat.com>
-# Date 1581371554 28800
-#      Mon Feb 10 13:52:34 2020 -0800
-# Node ID 046a6f5bfb271ed03ed6a93e3f879d57905999c5
-# Parent  f161f15f8c8d37070aa5763a1edd91cbbc7c54fb
-Bug 1610687 - Crash on unaligned CMACContext.aes.keySchedule when using AES-NI intrinsics r=kjacobs
-https://phabricator.services.mozilla.com/D60699
-
-diff --git a/lib/freebl/cmac.c b/lib/freebl/cmac.c
--- a/lib/freebl/cmac.c
-+++ b/lib/freebl/cmac.c
-@@ -22,7 +22,7 @@ struct CMACContextStr {
-      * add a new Context pointer to the cipher union with the correct type. */
-     CMACCipher cipherType;
-     union {
-        AESContext aes;
-+        AESContext *aes;
-     } cipher;
-     int blockSize;
- 
-@@ -62,7 +62,7 @@ cmac_Encrypt(CMACContext *ctx, unsigned 
- {
-     if (ctx->cipherType == CMAC_AES) {
-         unsigned int tmpOutputLen;
-        SECStatus rv = AES_Encrypt(&ctx->cipher.aes, output, &tmpOutputLen,
-+        SECStatus rv = AES_Encrypt(ctx->cipher.aes, output, &tmpOutputLen,
-                                    ctx->blockSize, input, inputLen);
- 
-         /* Assumption: AES_Encrypt (when in ECB mode) always returns an
-@@ -156,8 +156,9 @@ CMAC_Init(CMACContext *ctx, CMACCipher t
- 
-     ctx->blockSize = AES_BLOCK_SIZE;
-     ctx->cipherType = CMAC_AES;
-    if (AES_InitContext(&ctx->cipher.aes, key, key_len, NULL, NSS_AES, 1,
-                        ctx->blockSize) != SECSuccess) {
-+    ctx->cipher.aes = AES_CreateContext(key, NULL, NSS_AES, 1, key_len,
-+                                        ctx->blockSize);
-+    if (ctx->cipher.aes == NULL) {
-         return SECFailure;
-     }
- 
-@@ -308,8 +309,8 @@ CMAC_Destroy(CMACContext *ctx, PRBool fr
-         return;
-     }
- 
-    if (ctx->cipherType == CMAC_AES) {
-        AES_DestroyContext(&ctx->cipher.aes, PR_FALSE);
-+    if (ctx->cipherType == CMAC_AES && ctx->cipher.aes != NULL) {
-+        AES_DestroyContext(ctx->cipher.aes, PR_TRUE);
-     }
- 
-     /* Destroy everything in the context. This includes sensitive data in
--- a/nss.spec
+++ b/nss.spec
@ -1,5 +1,5 @@
 %global nspr_version 4.25.0
-%global nss_version 3.50.0
+%global nss_version 3.51.0
 %global unsupported_tools_directory %{_libdir}/nss/unsupported-tools
 %global saved_files_dir %{_libdir}/nss/saved
 %global dracutlibdir %{_prefix}/lib/dracut
@ -43,7 +43,7 @@ rpm.define(string.format("nss_release_tag NSS_%s_RTM",
 Summary:          Network Security Services
 Name:             nss
 Version:          %{nss_version}
-Release:          2%{?dist}
+Release:          1%{?dist}
 License:          MPLv2.0
 URL:              http://www.mozilla.org/projects/security/pki/nss/
 Requires:         nspr >= %{nspr_version}
@ -115,9 +115,6 @@ Patch11:	  nss-tls13-default.patch
 Patch12:          nss-signtool-format.patch
 # https://github.com/FStarLang/kremlin/issues/166
 Patch13:          nss-kremlin-ppc64le.patch
-# https://bugzilla.mozilla.org/show_bug.cgi?id=1611209
-# https://bugzilla.mozilla.org/show_bug.cgi?id=1610687
-Patch14:	  nss-cmac-fixes.patch

 %description
 Network Security Services (NSS) is a set of libraries designed to
@ -883,6 +880,9 @@ update-crypto-policies &> /dev/null || :


 %changelog
+* Tue Apr  7 2020 Daiki Ueno <dueno@redhat.com> - 3.51.0-1
+- Update to NSS 3.51
+
 * Thu Mar  5 2020 Daiki Ueno <dueno@redhat.com> - 3.50.0-2
 - Apply CMAC fixes from upstream

--- a/2
+++ b/2
@ -3,4 +3,4 @@ SHA512 (blank-cert9.db) = 2f8eab4c0612210ee47db8a3a80c1b58a0b43849551af78c7da403
 SHA512 (blank-key3.db) = 01f7314e9fc8a7c9aa997652624cfcde213d18a6b3bb31840c1a60bbd662e56b5bc3221d13874abb42ce78163b225a6dfce2e1326cf6dd29366ad9c28ba5a71c
 SHA512 (blank-key4.db) = 8fedae93af7163da23fe9492ea8e785a44c291604fa98e58438448efb69c85d3253fc22b926d5c3209c62e58a86038fd4d78a1c4c068bc00600a7f3e5382ebe7
 SHA512 (blank-secmod.db) = 06a2dbd861839ef6315093459328b500d3832333a34b30e6fac4a2503af337f014a4d319f0f93322409e719142904ce8bc08252ae9a4f37f30d4c3312e900310
-SHA512 (nss-3.50.tar.gz) = d6bcaf8ad65b5a97c42cd6cbbc68add5c4b49db74b2debcedb2a007f72511ac0e9bd21fd2dec041bc1975cfc8af26a48450aa0d1b962f755931ab2ac45c795b1
+SHA512 (nss-3.51.tar.gz) = 9c894b1ea41449b000750a7b3a89fcb43dfc3d0d4d6dcc0dc288bc73996f76f1ee1ede927a8aecae6d4a07f9f3d3e3a042c6a60cf06e27e0cdc004fce2e510fd