Update to NSS 3.50

This commit is contained in:
Daiki Ueno 2020-03-04 17:34:17 +01:00
parent c9d26fb099
commit 7ea65d900e
3 changed files with 132 additions and 2 deletions

30
nss-kremlin-ppc64le.patch Normal file
View File

@ -0,0 +1,30 @@
Index: nss/lib/freebl/verified/kremlin/include/kremlin/internal/types.h
===================================================================
--- nss.orig/lib/freebl/verified/kremlin/include/kremlin/internal/types.h
+++ nss/lib/freebl/verified/kremlin/include/kremlin/internal/types.h
@@ -56,7 +56,9 @@ typedef const char *Prims_string;
#include <emmintrin.h>
typedef __m128i FStar_UInt128_uint128;
#elif !defined(KRML_VERIFIED_UINT128) && !defined(_MSC_VER) && \
- (defined(__x86_64__) || defined(__x86_64) || defined(__aarch64__))
+ (defined(__x86_64__) || defined(__x86_64) || defined(__aarch64__) || \
+ (defined(__powerpc64__) && defined(__LITTLE_ENDIAN__)) || \
+ defined(__s390x__))
typedef unsigned __int128 FStar_UInt128_uint128;
#else
typedef struct FStar_UInt128_uint128_s {
Index: nss/lib/freebl/verified/kremlin/kremlib/dist/minimal/fstar_uint128_gcc64.h
===================================================================
--- nss.orig/lib/freebl/verified/kremlin/kremlib/dist/minimal/fstar_uint128_gcc64.h
+++ nss/lib/freebl/verified/kremlin/kremlib/dist/minimal/fstar_uint128_gcc64.h
@@ -25,7 +25,9 @@
#include "LowStar_Endianness.h"
#if !defined(KRML_VERIFIED_UINT128) && !defined(_MSC_VER) && \
- (defined(__x86_64__) || defined(__x86_64) || defined(__aarch64__))
+ (defined(__x86_64__) || defined(__x86_64) || defined(__aarch64__) || \
+ (defined(__powerpc64__) && defined(__LITTLE_ENDIAN__)) || \
+ defined(__s390x__))
/* GCC + using native unsigned __int128 support */

94
nss-signtool-format.patch Normal file
View File

@ -0,0 +1,94 @@
diff --git a/cmd/modutil/install.c b/cmd/modutil/install.c
--- a/cmd/modutil/install.c
+++ b/cmd/modutil/install.c
@@ -825,17 +825,20 @@ rm_dash_r(char *path)
dir = PR_OpenDir(path);
if (!dir) {
return -1;
}
/* Recursively delete all entries in the directory */
while ((entry = PR_ReadDir(dir, PR_SKIP_BOTH)) != NULL) {
- sprintf(filename, "%s/%s", path, entry->name);
+ if (snprintf(filename, sizeof(filename), "%s/%s", path, entry->name) >= sizeof(filename)) {
+ PR_CloseDir(dir);
+ return -1;
+ }
if (rm_dash_r(filename)) {
PR_CloseDir(dir);
return -1;
}
}
if (PR_CloseDir(dir) != PR_SUCCESS) {
return -1;
diff --git a/cmd/signtool/util.c b/cmd/signtool/util.c
--- a/cmd/signtool/util.c
+++ b/cmd/signtool/util.c
@@ -132,17 +132,20 @@ rm_dash_r(char *path)
if (!dir) {
PR_fprintf(errorFD, "Error: Unable to open directory %s.\n", path);
errorCount++;
return -1;
}
/* Recursively delete all entries in the directory */
while ((entry = PR_ReadDir(dir, PR_SKIP_BOTH)) != NULL) {
- sprintf(filename, "%s/%s", path, entry->name);
+ if (snprintf(filename, sizeof(filename), "%s/%s", path, entry->name) >= sizeof(filename)) {
+ errorCount++;
+ return -1;
+ }
if (rm_dash_r(filename))
return -1;
}
if (PR_CloseDir(dir) != PR_SUCCESS) {
PR_fprintf(errorFD, "Error: Could not close %s.\n", path);
errorCount++;
return -1;
diff --git a/lib/libpkix/pkix/util/pkix_list.c b/lib/libpkix/pkix/util/pkix_list.c
--- a/lib/libpkix/pkix/util/pkix_list.c
+++ b/lib/libpkix/pkix/util/pkix_list.c
@@ -1530,17 +1530,17 @@ cleanup:
*/
PKIX_Error *
PKIX_List_SetItem(
PKIX_List *list,
PKIX_UInt32 index,
PKIX_PL_Object *item,
void *plContext)
{
- PKIX_List *element;
+ PKIX_List *element = NULL;
PKIX_ENTER(LIST, "PKIX_List_SetItem");
PKIX_NULLCHECK_ONE(list);
if (list->immutable){
PKIX_ERROR(PKIX_OPERATIONNOTPERMITTEDONIMMUTABLELIST);
}
diff --git a/lib/libpkix/pkix_pl_nss/system/pkix_pl_oid.c b/lib/libpkix/pkix_pl_nss/system/pkix_pl_oid.c
--- a/lib/libpkix/pkix_pl_nss/system/pkix_pl_oid.c
+++ b/lib/libpkix/pkix_pl_nss/system/pkix_pl_oid.c
@@ -102,17 +102,17 @@ cleanup:
*/
static PKIX_Error *
pkix_pl_OID_Equals(
PKIX_PL_Object *first,
PKIX_PL_Object *second,
PKIX_Boolean *pResult,
void *plContext)
{
- PKIX_Int32 cmpResult;
+ PKIX_Int32 cmpResult = 0;
PKIX_ENTER(OID, "pkix_pl_OID_Equals");
PKIX_NULLCHECK_THREE(first, second, pResult);
PKIX_CHECK(pkix_pl_OID_Comparator
(first, second, &cmpResult, plContext),
PKIX_OIDCOMPARATORFAILED);

View File

@ -1,5 +1,5 @@
%global nspr_version 4.24.0 %global nspr_version 4.25.0
%global nss_version 3.49.2 %global nss_version 3.50.0
%global unsupported_tools_directory %{_libdir}/nss/unsupported-tools %global unsupported_tools_directory %{_libdir}/nss/unsupported-tools
%global saved_files_dir %{_libdir}/nss/saved %global saved_files_dir %{_libdir}/nss/saved
%global dracutlibdir %{_prefix}/lib/dracut %global dracutlibdir %{_prefix}/lib/dracut
@ -112,6 +112,9 @@ Patch10: nss-3.47-ike-fix.patch
# as it still doesn't work under FIPS mode because of missing HKDF # as it still doesn't work under FIPS mode because of missing HKDF
# support in PKCS #11. # support in PKCS #11.
Patch11: nss-tls13-default.patch Patch11: nss-tls13-default.patch
Patch12: nss-signtool-format.patch
# https://github.com/FStarLang/kremlin/issues/166
Patch13: nss-kremlin-ppc64le.patch
%description %description
Network Security Services (NSS) is a set of libraries designed to Network Security Services (NSS) is a set of libraries designed to
@ -878,6 +881,9 @@ update-crypto-policies &> /dev/null || :
%changelog %changelog
* Mon Feb 17 2020 Daiki Ueno <dueno@redhat.com> - 3.50.0-1
- Update to NSS 3.50
* Mon Jan 27 2020 Daiki Ueno <dueno@redhat.com> - 3.49.2-1 * Mon Jan 27 2020 Daiki Ueno <dueno@redhat.com> - 3.49.2-1
- Update to NSS 3.49.2 - Update to NSS 3.49.2
- Don't enable TLS 1.3 by default (#1794814) - Don't enable TLS 1.3 by default (#1794814)