From 7ea65d900ed25723488ea42fc203f99c0d1e6b86 Mon Sep 17 00:00:00 2001
From: Daiki Ueno
Date: Wed, 4 Mar 2020 17:34:17 +0100
Subject: [PATCH] Update to NSS 3.50
---
nss-kremlin-ppc64le.patch | 30 +++++++++++++
nss-signtool-format.patch | 94 +++++++++++++++++++++++++++++++++++++++
nss.spec | 10 ++++-
3 files changed, 132 insertions(+), 2 deletions(-)
create mode 100644 nss-kremlin-ppc64le.patch
create mode 100644 nss-signtool-format.patch
diff --git a/nss-kremlin-ppc64le.patch b/nss-kremlin-ppc64le.patch
new file mode 100644
index 0000000..d4e9d89
--- /dev/null
+++ b/nss-kremlin-ppc64le.patch
@@ -0,0 +1,30 @@
+Index: nss/lib/freebl/verified/kremlin/include/kremlin/internal/types.h
+===================================================================
+--- nss.orig/lib/freebl/verified/kremlin/include/kremlin/internal/types.h
++++ nss/lib/freebl/verified/kremlin/include/kremlin/internal/types.h
+@@ -56,7 +56,9 @@ typedef const char *Prims_string;
+ #include
+ typedef __m128i FStar_UInt128_uint128;
+ #elif !defined(KRML_VERIFIED_UINT128) && !defined(_MSC_VER) && \
+- (defined(__x86_64__) || defined(__x86_64) || defined(__aarch64__))
++ (defined(__x86_64__) || defined(__x86_64) || defined(__aarch64__) || \
++ (defined(__powerpc64__) && defined(__LITTLE_ENDIAN__)) || \
++ defined(__s390x__))
+ typedef unsigned __int128 FStar_UInt128_uint128;
+ #else
+ typedef struct FStar_UInt128_uint128_s {
+Index: nss/lib/freebl/verified/kremlin/kremlib/dist/minimal/fstar_uint128_gcc64.h
+===================================================================
+--- nss.orig/lib/freebl/verified/kremlin/kremlib/dist/minimal/fstar_uint128_gcc64.h
++++ nss/lib/freebl/verified/kremlin/kremlib/dist/minimal/fstar_uint128_gcc64.h
+@@ -25,7 +25,9 @@
+ #include "LowStar_Endianness.h"
+
+ #if !defined(KRML_VERIFIED_UINT128) && !defined(_MSC_VER) && \
+- (defined(__x86_64__) || defined(__x86_64) || defined(__aarch64__))
++ (defined(__x86_64__) || defined(__x86_64) || defined(__aarch64__) || \
++ (defined(__powerpc64__) && defined(__LITTLE_ENDIAN__)) || \
++ defined(__s390x__))
+
+ /* GCC + using native unsigned __int128 support */
+
diff --git a/nss-signtool-format.patch b/nss-signtool-format.patch
new file mode 100644
index 0000000..f54e7f3
--- /dev/null
+++ b/nss-signtool-format.patch
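Review bot: The guard extended in nss-kremlin-ppc64le.patch also turns on native `unsigned __int128` for `__s390x__`, which neither the patch's file name nor the one-line spec comment mentions, and the patch file has no description of its own. The powerpc64 clause is gated on `__LITTLE_ENDIAN__` while the s390x clause is not, and nothing visible says whether that asymmetry is intended. The same condition is duplicated in types.h and fstar_uint128_gcc64.h; presumably the two must stay identical so the typedef and the implementation header agree on the representation of `FStar_UInt128_uint128`. I would open the patch with a description such as `Use native unsigned __int128 in kremlib on ppc64le and s390x; keep the guard in types.h and fstar_uint128_gcc64.h identical`. Since the code sits under freebl/verified, the freebl self-tests should be confirmed to run on both architectures.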
@@ -0,0 +1,94 @@
+diff --git a/cmd/modutil/install.c b/cmd/modutil/install.c
+--- a/cmd/modutil/install.c
++++ b/cmd/modutil/install.c
+@@ -825,17 +825,20 @@ rm_dash_r(char *path)
+
+ dir = PR_OpenDir(path);
+ if (!dir) {
+ return -1;
+ }
+
+ /* Recursively delete all entries in the directory */
+ while ((entry = PR_ReadDir(dir, PR_SKIP_BOTH)) != NULL) {
+- sprintf(filename, "%s/%s", path, entry->name);
++ if (snprintf(filename, sizeof(filename), "%s/%s", path, entry->name) >= sizeof(filename)) {
++ PR_CloseDir(dir);
++ return -1;
++ }
+ if (rm_dash_r(filename)) {
+ PR_CloseDir(dir);
+ return -1;
+ }
+ }
+
+ if (PR_CloseDir(dir) != PR_SUCCESS) {
+ return -1;
+diff --git a/cmd/signtool/util.c b/cmd/signtool/util.c
+--- a/cmd/signtool/util.c
++++ b/cmd/signtool/util.c
+@@ -132,17 +132,20 @@ rm_dash_r(char *path)
+ if (!dir) {
+ PR_fprintf(errorFD, "Error: Unable to open directory %s.\n", path);
+ errorCount++;
+ return -1;
+ }
+
+ /* Recursively delete all entries in the directory */
+ while ((entry = PR_ReadDir(dir, PR_SKIP_BOTH)) != NULL) {
+- sprintf(filename, "%s/%s", path, entry->name);
++ if (snprintf(filename, sizeof(filename), "%s/%s", path, entry->name) >= sizeof(filename)) {
++ errorCount++;
++ return -1;
++ }
+ if (rm_dash_r(filename))
+ return -1;
+ }
+
+ if (PR_CloseDir(dir) != PR_SUCCESS) {
+ PR_fprintf(errorFD, "Error: Could not close %s.\n", path);
+ errorCount++;
+ return -1;
+diff --git a/lib/libpkix/pkix/util/pkix_list.c b/lib/libpkix/pkix/util/pkix_list.c
+--- a/lib/libpkix/pkix/util/pkix_list.c
++++ b/lib/libpkix/pkix/util/pkix_list.c
+@@ -1530,17 +1530,17 @@ cleanup:
+ */
+ PKIX_Error *
+ PKIX_List_SetItem(
+ PKIX_List *list,
+ PKIX_UInt32 index,
+ PKIX_PL_Object *item,
+ void *plContext)
+ {
+- PKIX_List *element;
++ PKIX_List *element = NULL;
+
+ PKIX_ENTER(LIST, "PKIX_List_SetItem");
+ PKIX_NULLCHECK_ONE(list);
+
+ if (list->immutable){
+ PKIX_ERROR(PKIX_OPERATIONNOTPERMITTEDONIMMUTABLELIST);
+ }
+
+diff --git a/lib/libpkix/pkix_pl_nss/system/pkix_pl_oid.c b/lib/libpkix/pkix_pl_nss/system/pkix_pl_oid.c
+--- a/lib/libpkix/pkix_pl_nss/system/pkix_pl_oid.c
++++ b/lib/libpkix/pkix_pl_nss/system/pkix_pl_oid.c
+@@ -102,17 +102,17 @@ cleanup:
+ */
+ static PKIX_Error *
+ pkix_pl_OID_Equals(
+ PKIX_PL_Object *first,
+ PKIX_PL_Object *second,
+ PKIX_Boolean *pResult,
+ void *plContext)
+ {
+- PKIX_Int32 cmpResult;
++ PKIX_Int32 cmpResult = 0;
+
+ PKIX_ENTER(OID, "pkix_pl_OID_Equals");
+ PKIX_NULLCHECK_THREE(first, second, pResult);
+
+ PKIX_CHECK(pkix_pl_OID_Comparator
+ (first, second, &cmpResult, plContext),
+ PKIX_OIDCOMPARATORFAILED);
+
diff --git a/nss.spec b/nss.spec
index 2056e83..ab4e761 100644
--- a/nss.spec
+++ b/nss.spec
@@ -1,5 +1,5 @@
-%global nspr_version 4.24.0
-%global nss_version 3.49.2
+%global nspr_version 4.25.0
+%global nss_version 3.50.0
 %global unsupported_tools_directory %{_libdir}/nss/unsupported-tools
 %global saved_files_dir %{_libdir}/nss/saved
 %global dracutlibdir %{_prefix}/lib/dracut
@@ -112,6 +112,9 @@ Patch10: nss-3.47-ike-fix.patch # as it still doesn't work under FIPS mode because of missing HKDF # support in PKCS #11. Patch11: nss-tls13-default.patch +Patch12: nss-signtool-format.patch +# https://github.com/FStarLang/kremlin/issues/166 +Patch13: nss-kremlin-ppc64le.patch %description Network Security Services (NSS) is a set of libraries designed to
@@ -878,6 +881,9 @@ update-crypto-policies &> /dev/null || : %changelog +* Mon Feb 17 2020 Daiki Ueno - 3.50.0-1 +- Update to NSS 3.50 + * Mon Jan 27 2020 Daiki Ueno - 3.49.2-1 - Update to NSS 3.49.2 - Don't enable TLS 1.3 by default (#1794814)
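Review bot: In the cmd/signtool/util.c section of nss-signtool-format.patch, the new truncation branch returns without closing `dir`, so the directory handle leaks on that path; the matching branch added to cmd/modutil/install.c does call `PR_CloseDir(dir);` before `return -1;`, and the same line belongs here. That branch also bumps `errorCount` without printing anything to `errorFD`, unlike the other error paths visible in the hunk, so an over-long path fails silently. In both files the `int` result of `snprintf` is compared directly with `sizeof(filename)`; a negative return is only caught through the unsigned conversion, and `int n = snprintf(...); if (n < 0 || (size_t)n >= sizeof(filename))` states the intent and avoids a sign-compare warning. The declaration of `filename` lies outside both hunks, so `sizeof(filename)` is a valid bound only if it is an array in that scope, which should be confirmed.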