Update to NSS 3.51

NSS softoken does not include CKM_NSS_IKE1_APP_B_PRF_DERIVE in it's mechanism list, causing libreswan to crash.

.gitignore

@@ -34,3 +34,15 @@ TestUser51.cert
 /nss-3.41.tar.gz
 /nss-3.42.tar.gz
 /nss-3.42.1.tar.gz
+/nss-3.43.tar.gz
+/nss-3.44.tar.gz
+/nss-3.44.1.tar.gz
+/nss-3.46.tar.gz
+/nss-3.46.1.tar.gz
+/nss-3.47.tar.gz
+/nss-3.47.1.tar.gz
+/nss-3.48.tar.gz
+/nss-3.49.tar.gz
+/nss-3.49.2.tar.gz
+/nss-3.50.tar.gz
+/nss-3.51.tar.gz

nss-3.47-ike-fix.patch

@@ -0,0 +1,22 @@
+diff -up ./lib/softoken/pkcs11.c.ike_fix ./lib/softoken/pkcs11.c
+--- ./lib/softoken/pkcs11.c.ike_fix	2019-11-04 10:15:08.022176945 -0800
++++ ./lib/softoken/pkcs11.c	2019-11-04 10:17:35.396733750 -0800
+@@ -330,7 +330,7 @@ static const struct mechanismList mechan
+     { CKM_AES_CTS, { 16, 32, CKF_EN_DE }, PR_TRUE },
+     { CKM_AES_CTR, { 16, 32, CKF_EN_DE }, PR_TRUE },
+     { CKM_AES_GCM, { 16, 32, CKF_EN_DE }, PR_TRUE },
+-    { CKM_AES_XCBC_MAC_96, { 16, 16, CKF_SN_VR }, PR_TRUE },
++    { CKM_AES_XCBC_MAC_96, { 12, 12, CKF_SN_VR }, PR_TRUE },
+     { CKM_AES_XCBC_MAC, { 16, 16, CKF_SN_VR }, PR_TRUE },
+     /* ------------------------- Camellia Operations --------------------- */
+     { CKM_CAMELLIA_KEY_GEN, { 16, 32, CKF_GENERATE }, PR_TRUE },
+@@ -518,7 +518,8 @@ static const struct mechanismList mechan
+     /* --------------------IPSEC ----------------------- */
+     { CKM_NSS_IKE_PRF_PLUS_DERIVE, { 8, 255 * 64, CKF_DERIVE }, PR_TRUE },
+     { CKM_NSS_IKE_PRF_DERIVE, { 8, 64, CKF_DERIVE }, PR_TRUE },
+-    { CKM_NSS_IKE1_PRF_DERIVE, { 8, 64, CKF_DERIVE }, PR_TRUE }
++    { CKM_NSS_IKE1_PRF_DERIVE, { 8, 64, CKF_DERIVE }, PR_TRUE },
++    { CKM_NSS_IKE1_APP_B_PRF_DERIVE, { 8, 255 * 64, CKF_DERIVE }, PR_TRUE }
+ };
+ static const CK_ULONG mechanismCount = sizeof(mechanisms) / sizeof(mechanisms[0]);
+ 

nss-kremlin-ppc64le.patch

@@ -0,0 +1,30 @@
+Index: nss/lib/freebl/verified/kremlin/include/kremlin/internal/types.h
+===================================================================
+--- nss.orig/lib/freebl/verified/kremlin/include/kremlin/internal/types.h
++++ nss/lib/freebl/verified/kremlin/include/kremlin/internal/types.h
+@@ -56,7 +56,9 @@ typedef const char *Prims_string;
+ #include <emmintrin.h>
+ typedef __m128i FStar_UInt128_uint128;
+ #elif !defined(KRML_VERIFIED_UINT128) && !defined(_MSC_VER) && \
+-    (defined(__x86_64__) || defined(__x86_64) || defined(__aarch64__))
++    (defined(__x86_64__) || defined(__x86_64) || defined(__aarch64__) || \
++    (defined(__powerpc64__) && defined(__LITTLE_ENDIAN__)) || \
++     defined(__s390x__))
+ typedef unsigned __int128 FStar_UInt128_uint128;
+ #else
+ typedef struct FStar_UInt128_uint128_s {
+Index: nss/lib/freebl/verified/kremlin/kremlib/dist/minimal/fstar_uint128_gcc64.h
+===================================================================
+--- nss.orig/lib/freebl/verified/kremlin/kremlib/dist/minimal/fstar_uint128_gcc64.h
++++ nss/lib/freebl/verified/kremlin/kremlib/dist/minimal/fstar_uint128_gcc64.h
+@@ -25,7 +25,9 @@
+ #include "LowStar_Endianness.h"
+ 
+ #if !defined(KRML_VERIFIED_UINT128) && !defined(_MSC_VER) && \
+-    (defined(__x86_64__) || defined(__x86_64) || defined(__aarch64__))
++    (defined(__x86_64__) || defined(__x86_64) || defined(__aarch64__) || \
++    (defined(__powerpc64__) && defined(__LITTLE_ENDIAN__)) || \
++     defined(__s390x__))
+ 
+ /* GCC + using native unsigned __int128 support */
+ 

nss-signtool-format.patch

@@ -0,0 +1,94 @@
+diff --git a/cmd/modutil/install.c b/cmd/modutil/install.c
+--- a/cmd/modutil/install.c
++++ b/cmd/modutil/install.c
+@@ -825,17 +825,20 @@ rm_dash_r(char *path)
+ 
+         dir = PR_OpenDir(path);
+         if (!dir) {
+             return -1;
+         }
+ 
+         /* Recursively delete all entries in the directory */
+         while ((entry = PR_ReadDir(dir, PR_SKIP_BOTH)) != NULL) {
+-            sprintf(filename, "%s/%s", path, entry->name);
++            if (snprintf(filename, sizeof(filename), "%s/%s", path, entry->name) >= sizeof(filename)) {
++                PR_CloseDir(dir);
++                return -1;
++            }
+             if (rm_dash_r(filename)) {
+                 PR_CloseDir(dir);
+                 return -1;
+             }
+         }
+ 
+         if (PR_CloseDir(dir) != PR_SUCCESS) {
+             return -1;
+diff --git a/cmd/signtool/util.c b/cmd/signtool/util.c
+--- a/cmd/signtool/util.c
++++ b/cmd/signtool/util.c
+@@ -132,17 +132,20 @@ rm_dash_r(char *path)
+         if (!dir) {
+             PR_fprintf(errorFD, "Error: Unable to open directory %s.\n", path);
+             errorCount++;
+             return -1;
+         }
+ 
+         /* Recursively delete all entries in the directory */
+         while ((entry = PR_ReadDir(dir, PR_SKIP_BOTH)) != NULL) {
+-            sprintf(filename, "%s/%s", path, entry->name);
++            if (snprintf(filename, sizeof(filename), "%s/%s", path, entry->name) >= sizeof(filename)) {
++                errorCount++;
++                return -1;
++            }
+             if (rm_dash_r(filename))
+                 return -1;
+         }
+ 
+         if (PR_CloseDir(dir) != PR_SUCCESS) {
+             PR_fprintf(errorFD, "Error: Could not close %s.\n", path);
+             errorCount++;
+             return -1;
+diff --git a/lib/libpkix/pkix/util/pkix_list.c b/lib/libpkix/pkix/util/pkix_list.c
+--- a/lib/libpkix/pkix/util/pkix_list.c
++++ b/lib/libpkix/pkix/util/pkix_list.c
+@@ -1530,17 +1530,17 @@ cleanup:
+  */
+ PKIX_Error *
+ PKIX_List_SetItem(
+         PKIX_List *list,
+         PKIX_UInt32 index,
+         PKIX_PL_Object *item,
+         void *plContext)
+ {
+-        PKIX_List *element;
++        PKIX_List *element = NULL;
+ 
+         PKIX_ENTER(LIST, "PKIX_List_SetItem");
+         PKIX_NULLCHECK_ONE(list);
+ 
+         if (list->immutable){
+                 PKIX_ERROR(PKIX_OPERATIONNOTPERMITTEDONIMMUTABLELIST);
+         }
+ 
+diff --git a/lib/libpkix/pkix_pl_nss/system/pkix_pl_oid.c b/lib/libpkix/pkix_pl_nss/system/pkix_pl_oid.c
+--- a/lib/libpkix/pkix_pl_nss/system/pkix_pl_oid.c
++++ b/lib/libpkix/pkix_pl_nss/system/pkix_pl_oid.c
+@@ -102,17 +102,17 @@ cleanup:
+  */
+ static PKIX_Error *
+ pkix_pl_OID_Equals(
+         PKIX_PL_Object *first,
+         PKIX_PL_Object *second,
+         PKIX_Boolean *pResult,
+         void *plContext)
+ {
+-        PKIX_Int32 cmpResult;
++        PKIX_Int32 cmpResult = 0;
+ 
+         PKIX_ENTER(OID, "pkix_pl_OID_Equals");
+         PKIX_NULLCHECK_THREE(first, second, pResult);
+ 
+         PKIX_CHECK(pkix_pl_OID_Comparator
+                     (first, second, &cmpResult, plContext),
+                     PKIX_OIDCOMPARATORFAILED);
+ 

nss-tls13-default.patch

@@ -0,0 +1,12 @@
+diff -up nss/lib/ssl/sslsock.c.tls13-default nss/lib/ssl/sslsock.c
+--- nss/lib/ssl/sslsock.c.tls13-default	2020-01-27 10:21:44.930830558 +0100
++++ nss/lib/ssl/sslsock.c	2020-01-27 10:21:47.419852229 +0100
+@@ -97,7 +97,7 @@ static sslOptions ssl_defaults = {
+  */
+ static SSLVersionRange versions_defaults_stream = {
+     SSL_LIBRARY_VERSION_TLS_1_0,
+-    SSL_LIBRARY_VERSION_TLS_1_3
++    SSL_LIBRARY_VERSION_TLS_1_2
+ };
+ 
+ static SSLVersionRange versions_defaults_datagram = {

nss.spec

@@ -1,5 +1,5 @@
-%global nspr_version 4.20.0
-%global nss_version 3.42.1
+%global nspr_version 4.25.0
+%global nss_version 3.51.0
 %global unsupported_tools_directory %{_libdir}/nss/unsupported-tools
 %global saved_files_dir %{_libdir}/nss/saved
 %global dracutlibdir %{_prefix}/lib/dracut
@@ -105,6 +105,16 @@ Patch2:           nss-539183.patch
 # Once the buildroot aha been bootstrapped the patch may be removed
 # but it doesn't hurt to keep it.
 Patch4:           iquote.patch
+# add missing ike mechanism to softoken
+Patch10:          nss-3.47-ike-fix.patch
+# To revert the upstream change:
+# https://bugzilla.mozilla.org/show_bug.cgi?id=1573118
+# as it still doesn't work under FIPS mode because of missing HKDF
+# support in PKCS #11.
+Patch11:	  nss-tls13-default.patch
+Patch12:          nss-signtool-format.patch
+# https://github.com/FStarLang/kremlin/issues/166
+Patch13:          nss-kremlin-ppc64le.patch
 
 %description
 Network Security Services (NSS) is a set of libraries designed to
@@ -237,6 +247,9 @@ pushd nss
 %autopatch -p1
 popd
 
+# https://bugzilla.redhat.com/show_bug.cgi?id=1247353
+find nss/lib/libpkix -perm /u+x -type f -exec chmod -x {} \;
+
 
 %build
 
@@ -550,7 +563,7 @@ do
 done
 
 # Copy some freebl include files we also want
-for file in blapi.h alghmac.h
+for file in blapi.h alghmac.h cmac.h
 do
   install -p -m 644 dist/private/nss/$file $RPM_BUILD_ROOT/%{_includedir}/nss3
 done
@@ -843,6 +856,7 @@ update-crypto-policies &> /dev/null || :
 %{_includedir}/nss3/blapi.h
 %{_includedir}/nss3/blapit.h
 %{_includedir}/nss3/alghmac.h
+%{_includedir}/nss3/cmac.h
 %{_includedir}/nss3/lowkeyi.h
 %{_includedir}/nss3/lowkeyti.h
 
@@ -867,6 +881,71 @@ update-crypto-policies &> /dev/null || :
 
 
 %changelog
+* Tue Apr  7 2020 Daiki Ueno <dueno@redhat.com> - 3.51.0-1
+- Update to NSS 3.51
+
+* Thu Mar  5 2020 Daiki Ueno <dueno@redhat.com> - 3.50.0-2
+- Apply CMAC fixes from upstream
+
+* Mon Feb 17 2020 Daiki Ueno <dueno@redhat.com> - 3.50.0-1
+- Update to NSS 3.50
+
+* Mon Jan 27 2020 Daiki Ueno <dueno@redhat.com> - 3.49.2-1
+- Update to NSS 3.49.2
+- Don't enable TLS 1.3 by default (#1794814)
+
+* Fri Jan 10 2020 Daiki Ueno <dueno@redhat.com> - 3.49.0-1
+- Update to NSS 3.49
+- Fix build on armv7hl with the patch proposed in upstream
+
+* Fri Jan  3 2020 Daiki Ueno <dueno@redhat.com> - 3.48.0-1
+- Update to NSS 3.48
+
+* Tue Dec  3 2019 Daiki Ueno <dueno@redhat.com> - 3.47.1-4
+- Update nss-3.47-certdb-temp-cert.patch to avoid setting empty trust value
+
+* Tue Dec  3 2019 Daiki Ueno <dueno@redhat.com> - 3.47.1-3
+- Update nss-3.47-certdb-temp-cert.patch to the final version
+
+* Thu Nov 28 2019 Daiki Ueno <dueno@redhat.com> - 3.47.1-2
+- Fix intermittent SEC_ERROR_UNKNOWN_ISSUER (#1752303, #1648617)
+
+* Fri Nov 22 2019 Daiki Ueno <dueno@redhat.com> - 3.47.1-1
+- Update to NSS 3.47.1
+
+* Thu Nov 7 2019 Bob Relyea <rrelyea@redhat.com> - 3.47.0-3
+- Include ike mechanism fix
+
+* Wed Oct 23 2019 Daiki Ueno <dueno@redhat.com> - 3.47.0-2
+- Install cmac.h required by blapi.h (#1764513)
+
+* Tue Oct 22 2019 Daiki Ueno <dueno@redhat.com> - 3.47.0-1
+- Update to NSS 3.47
+
+* Mon Oct 21 2019 Daiki Ueno <dueno@redhat.com> - 3.46.1-1
+- Update to NSS 3.46.1
+
+* Wed Sep  4 2019 Daiki Ueno <dueno@redhat.com> - 3.46.0-2
+- Rebuild with NSPR 4.22
+
+* Tue Sep  3 2019 Daiki Ueno <dueno@redhat.com> - 3.46.0-1
+- Update to NSS 3.46
+
+* Tue Jul  2 2019 Daiki Ueno <dueno@redhat.com> - 3.44.1-1
+- Update to NSS 3.44.1
+
+* Mon May 20 2019 Daiki Ueno <dueno@redhat.com> - 3.44.0-2
+- Skip TLS 1.3 tests under FIPS mode
+
+* Fri May 17 2019 Daiki Ueno <dueno@redhat.com> - 3.44.0-1
+- Update to NSS 3.44
+
+* Mon May  6 2019 Daiki Ueno <dueno@redhat.com> - 3.43.0-3
+- Fix PKCS#11 module leak if C_GetSlotInfo() failed
+
+* Thu Mar 21 2019 Daiki Ueno <dueno@redhat.com> - 3.43.0-1
+- Update to NSS 3.43
+
 * Mon Feb 11 2019 Daiki Ueno <dueno@redhat.com> - 3.42.1-1
 - Update to NSS 3.42.1
 

sources

@@ -3,4 +3,4 @@ SHA512 (blank-cert9.db) = 2f8eab4c0612210ee47db8a3a80c1b58a0b43849551af78c7da403
 SHA512 (blank-key3.db) = 01f7314e9fc8a7c9aa997652624cfcde213d18a6b3bb31840c1a60bbd662e56b5bc3221d13874abb42ce78163b225a6dfce2e1326cf6dd29366ad9c28ba5a71c
 SHA512 (blank-key4.db) = 8fedae93af7163da23fe9492ea8e785a44c291604fa98e58438448efb69c85d3253fc22b926d5c3209c62e58a86038fd4d78a1c4c068bc00600a7f3e5382ebe7
 SHA512 (blank-secmod.db) = 06a2dbd861839ef6315093459328b500d3832333a34b30e6fac4a2503af337f014a4d319f0f93322409e719142904ce8bc08252ae9a4f37f30d4c3312e900310
-SHA512 (nss-3.42.1.tar.gz) = 468e1d4ea9d2b832c7b8975443ee6fe2790b39cbbd9f8e3d8428a43f47cce0e81d5ca21e3566701b75bcd4af09110c0134e204b2850d30ecfd6347ec27e6e265
+SHA512 (nss-3.51.tar.gz) = 9c894b1ea41449b000750a7b3a89fcb43dfc3d0d4d6dcc0dc288bc73996f76f1ee1ede927a8aecae6d4a07f9f3d3e3a042c6a60cf06e27e0cdc004fce2e510fd