diff --git a/Bug-1412829-reject-empty-supported_signature_algorit.patch b/Bug-1412829-reject-empty-supported_signature_algorit.patch deleted file mode 100644 index 33e847db7f1db0ed757ed7d7afa773a200c98d60..0000000000000000000000000000000000000000 --- a/Bug-1412829-reject-empty-supported_signature_algorit.patch +++ /dev/null 
@@ -1,114 +0,0 @@ -From 96728bb2bc55246d2bb3d98e4c1ab4b5b58a5c41 Mon Sep 17 00:00:00 2001 -From: Daiki Ueno -Date: Thu, 22 Nov 2018 10:55:20 +0100 -Subject: [PATCH 441/489] Bug 1412829, reject empty - supported_signature_algorithms in CR in TLS 1.2, - r=mt - -Summary: This basically reverts bug 1335069 to align with RFC 5246. - -Reviewers: mt - -Reviewed By: mt - -Bug #: 1412829 - -Differential Revision: https://phabricator.services.mozilla.com/D12563 - ---HG-- -extra : amend_source : a87f98603e14841654948c7664dbde26ebaf04e4 ---- - gtests/nss_bogo_shim/config.json | 3 ++- - gtests/ssl_gtest/ssl_auth_unittest.cc | 15 +++++---------- - lib/ssl/ssl3con.c | 17 +++++++++-------- - 3 files changed, 16 insertions(+), 19 deletions(-) - -diff --git a/gtests/nss_bogo_shim/config.json b/gtests/nss_bogo_shim/config.json -index 66f55d3..5c7a2e3 100644 ---- a/gtests/nss_bogo_shim/config.json -+++ b/gtests/nss_bogo_shim/config.json -@@ -64,7 +64,8 @@ - "RequireAnyClientCertificate-TLS1*":"Bug 1339387", - "SendExtensionOnClientCertificate-TLS13":"Bug 1339392", - "ALPNClient-Mismatch-TLS13":"NSS sends alerts in response to errors in protected handshake messages in the clear", -- "P224-Server":"NSS doesn't support P-224" -+ "P224-Server":"NSS doesn't support P-224", -+ "ClientAuth-SHA1-Fallback*":"Boring wants us to fall back to SHA-1 if supported_signature_algorithms in CR is empty." 
- }, - "ErrorMap" : { - ":HANDSHAKE_FAILURE_ON_CLIENT_HELLO:":"SSL_ERROR_NO_CYPHER_OVERLAP", -diff --git a/gtests/ssl_gtest/ssl_auth_unittest.cc b/gtests/ssl_gtest/ssl_auth_unittest.cc -index 93a8c54..3a52ac2 100644 ---- a/gtests/ssl_gtest/ssl_auth_unittest.cc -+++ b/gtests/ssl_gtest/ssl_auth_unittest.cc -@@ -386,9 +386,9 @@ class TlsZeroCertificateRequestSigAlgsFilter : public TlsHandshakeFilter { - } - }; - --// Check that we fall back to SHA-1 when the server doesn't provide any -+// Check that we send an alert when the server doesn't provide any - // supported_signature_algorithms in the CertificateRequest message. --TEST_P(TlsConnectTls12, ClientAuthNoSigAlgsFallback) { -+TEST_P(TlsConnectTls12, ClientAuthNoSigAlgs) { - EnsureTlsSetup(); - MakeTlsFilter(server_); - auto capture_cert_verify = MakeTlsFilter( -@@ -396,15 +396,10 @@ TEST_P(TlsConnectTls12, ClientAuthNoSigAlgsFallback) { - client_->SetupClientAuth(); - server_->RequestClientAuth(true); - -- ConnectExpectAlert(server_, kTlsAlertDecryptError); -- -- // We're expecting a bad signature here because we tampered with a handshake -- // message (CertReq). Previously, without the SHA-1 fallback, we would've -- // seen a malformed record alert. 
-- server_->CheckErrorCode(SEC_ERROR_BAD_SIGNATURE); -- client_->CheckErrorCode(SSL_ERROR_DECRYPT_ERROR_ALERT); -+ ConnectExpectAlert(client_, kTlsAlertHandshakeFailure); - -- CheckSigScheme(capture_cert_verify, 0, server_, ssl_sig_rsa_pkcs1_sha1, 1024); -+ server_->CheckErrorCode(SSL_ERROR_HANDSHAKE_FAILURE_ALERT); -+ client_->CheckErrorCode(SSL_ERROR_UNSUPPORTED_SIGNATURE_ALGORITHM); - } - - static const SSLSignatureScheme kSignatureSchemeEcdsaSha384[] = { -diff --git a/lib/ssl/ssl3con.c b/lib/ssl/ssl3con.c -index d7e8452..225f4f6 100644 ---- a/lib/ssl/ssl3con.c -+++ b/lib/ssl/ssl3con.c -@@ -6171,16 +6171,12 @@ ssl_PickClientSignatureScheme(sslSocket *ss, const SSLSignatureScheme *schemes, - - PORT_Assert(pubKey); - -- if (!isTLS13 && numSchemes == 0) { -- /* If the server didn't provide any signature algorithms -- * then let's assume they support SHA-1. */ -- rv = ssl_PickFallbackSignatureScheme(ss, pubKey); -- SECKEY_DestroyPublicKey(pubKey); -- return rv; -+ if (ss->version >= SSL_LIBRARY_VERSION_TLS_1_2) { -+ /* We should have already checked that a signature scheme was -+ * listed in the request. */ -+ PORT_Assert(schemes && numSchemes > 0); - } - -- PORT_Assert(schemes && numSchemes > 0); -- - if (!isTLS13 && - (SECKEY_GetPublicKeyType(pubKey) == rsaKey || - SECKEY_GetPublicKeyType(pubKey) == dsaKey) && -@@ -7331,6 +7327,11 @@ ssl3_HandleCertificateRequest(sslSocket *ss, PRUint8 *b, PRUint32 length) - PORT_SetError(SSL_ERROR_RX_MALFORMED_CERT_REQUEST); - goto loser; /* malformed, alert has been sent */ - } -+ if (signatureSchemeCount == 0) { -+ errCode = SSL_ERROR_UNSUPPORTED_SIGNATURE_ALGORITHM; -+ desc = handshake_failure; -+ goto alert_loser; -+ } - } - - rv = ssl3_ParseCertificateRequestCAs(ss, &b, &length, &ca_list); --- -1.7.12.4 - 
diff --git a/Bug-1507135-Add-additional-null-checks-to-CMS-messag.patch b/Bug-1507135-Add-additional-null-checks-to-CMS-messag.patch deleted file mode 100644 index 54c3c7ac3c65156636194f20815ce2b41f394f4b..0000000000000000000000000000000000000000 --- a/Bug-1507135-Add-additional-null-checks-to-CMS-messag.patch +++ /dev/null 
@@ -1,216 +0,0 @@ -From 3b2d7d955f1baca00129454eddbe8fb5117c4fef Mon Sep 17 00:00:00 2001 -From: "J.C. Jones" -Date: Mon, 14 Jan 2019 10:35:25 -0700 -Subject: [PATCH 458/489] Bug 1507135 - Add additional null checks to CMS - message functions r=mt - -Differential review: https://phabricator.services.mozilla.com//D16488 - ---HG-- -extra : rebase_source : 31028021bec842d521d70c5200edb6ea8461fa23 ---- - lib/smime/cmsmessage.c | 69 ++++++++++++++++++++++++++++++++++++++++++-------- - 1 file changed, 59 insertions(+), 10 deletions(-) - -diff --git a/lib/smime/cmsmessage.c b/lib/smime/cmsmessage.c -index 27d1256..f41a432 100644 ---- a/lib/smime/cmsmessage.c -+++ b/lib/smime/cmsmessage.c -@@ -29,8 +29,9 @@ NSS_CMSMessage_Create(PLArenaPool *poolp) - - if (poolp == NULL) { - poolp = PORT_NewArena(1024); /* XXX what is right value? */ -- if (poolp == NULL) -+ if (poolp == NULL) { - return NULL; -+ } - poolp_is_ours = PR_TRUE; - } - -@@ -44,8 +45,9 @@ NSS_CMSMessage_Create(PLArenaPool *poolp) - if (mark) { - PORT_ArenaRelease(poolp, mark); - } -- } else -+ } else { - PORT_FreeArena(poolp, PR_FALSE); -+ } - return NULL; - } - -@@ -53,8 +55,9 @@ NSS_CMSMessage_Create(PLArenaPool *poolp) - cmsg->poolp_is_ours = poolp_is_ours; - cmsg->refCount = 1; - -- if (mark) -+ if (mark) { - PORT_ArenaUnmark(poolp, mark); -+ } - - return cmsg; - } -@@ -73,8 +76,13 @@ NSS_CMSMessage_SetEncodingParams(NSSCMSMessage *cmsg, - NSSCMSGetDecryptKeyCallback decrypt_key_cb, void *decrypt_key_cb_arg, - SECAlgorithmID **detached_digestalgs, SECItem **detached_digests) - { -- if (pwfn) -+ if (cmsg == NULL) { -+ return; -+ } -+ if (pwfn) { - PK11_SetPasswordFunc(pwfn); -+ } -+ - cmsg->pwfn_arg = pwfn_arg; - cmsg->decrypt_key_cb = decrypt_key_cb; - cmsg->decrypt_key_cb_arg = decrypt_key_cb_arg; -@@ -89,18 +97,21 @@ void - NSS_CMSMessage_Destroy(NSSCMSMessage *cmsg) - { - PORT_Assert(cmsg->refCount > 0); -- if (cmsg->refCount <= 0) /* oops */ -+ if (cmsg->refCount <= 0) { /* oops */ - return; -+ } - - 
cmsg->refCount--; /* thread safety? */ -- if (cmsg->refCount > 0) -+ if (cmsg->refCount > 0) { - return; -+ } - - NSS_CMSContentInfo_Destroy(&(cmsg->contentInfo)); - - /* if poolp is not NULL, cmsg is the owner of its arena */ -- if (cmsg->poolp_is_ours) -+ if (cmsg->poolp_is_ours) { - PORT_FreeArena(cmsg->poolp, PR_FALSE); /* XXX clear it? */ -+ } - } - - /* -@@ -112,8 +123,9 @@ NSS_CMSMessage_Destroy(NSSCMSMessage *cmsg) - NSSCMSMessage * - NSS_CMSMessage_Copy(NSSCMSMessage *cmsg) - { -- if (cmsg == NULL) -+ if (cmsg == NULL) { - return NULL; -+ } - - PORT_Assert(cmsg->refCount > 0); - -@@ -127,6 +139,10 @@ NSS_CMSMessage_Copy(NSSCMSMessage *cmsg) - PLArenaPool * - NSS_CMSMessage_GetArena(NSSCMSMessage *cmsg) - { -+ if (cmsg == NULL) { -+ return NULL; -+ } -+ - return cmsg->poolp; - } - -@@ -136,6 +152,10 @@ NSS_CMSMessage_GetArena(NSSCMSMessage *cmsg) - NSSCMSContentInfo * - NSS_CMSMessage_GetContentInfo(NSSCMSMessage *cmsg) - { -+ if (cmsg == NULL) { -+ return NULL; -+ } -+ - return &(cmsg->contentInfo); - } - -@@ -147,6 +167,10 @@ NSS_CMSMessage_GetContentInfo(NSSCMSMessage *cmsg) - SECItem * - NSS_CMSMessage_GetContent(NSSCMSMessage *cmsg) - { -+ if (cmsg == NULL) { -+ return NULL; -+ } -+ - /* this is a shortcut */ - NSSCMSContentInfo *cinfo = NSS_CMSMessage_GetContentInfo(cmsg); - SECItem *pItem = NSS_CMSContentInfo_GetInnerContent(cinfo); -@@ -164,6 +188,10 @@ NSS_CMSMessage_ContentLevelCount(NSSCMSMessage *cmsg) - int count = 0; - NSSCMSContentInfo *cinfo; - -+ if (cmsg == NULL) { -+ return 0; -+ } -+ - /* walk down the chain of contentinfos */ - for (cinfo = &(cmsg->contentInfo); cinfo != NULL;) { - count++; -@@ -183,6 +211,10 @@ NSS_CMSMessage_ContentLevel(NSSCMSMessage *cmsg, int n) - int count = 0; - NSSCMSContentInfo *cinfo; - -+ if (cmsg == NULL) { -+ return NULL; -+ } -+ - /* walk down the chain of contentinfos */ - for (cinfo = &(cmsg->contentInfo); cinfo != NULL && count < n; - cinfo = NSS_CMSContentInfo_GetChildContentInfo(cinfo)) { -@@ -200,6 
+232,10 @@ NSS_CMSMessage_ContainsCertsOrCrls(NSSCMSMessage *cmsg) - { - NSSCMSContentInfo *cinfo; - -+ if (cmsg == NULL) { -+ return PR_FALSE; -+ } -+ - /* descend into CMS message */ - for (cinfo = &(cmsg->contentInfo); cinfo != NULL; - cinfo = NSS_CMSContentInfo_GetChildContentInfo(cinfo)) { -@@ -221,6 +257,10 @@ NSS_CMSMessage_IsEncrypted(NSSCMSMessage *cmsg) - { - NSSCMSContentInfo *cinfo; - -+ if (cmsg == NULL) { -+ return PR_FALSE; -+ } -+ - /* walk down the chain of contentinfos */ - for (cinfo = &(cmsg->contentInfo); cinfo != NULL; - cinfo = NSS_CMSContentInfo_GetChildContentInfo(cinfo)) { -@@ -251,13 +291,21 @@ NSS_CMSMessage_IsSigned(NSSCMSMessage *cmsg) - { - NSSCMSContentInfo *cinfo; - -+ if (cmsg == NULL) { -+ return PR_FALSE; -+ } -+ - /* walk down the chain of contentinfos */ - for (cinfo = &(cmsg->contentInfo); cinfo != NULL; - cinfo = NSS_CMSContentInfo_GetChildContentInfo(cinfo)) { - switch (NSS_CMSContentInfo_GetContentTypeTag(cinfo)) { - case SEC_OID_PKCS7_SIGNED_DATA: -- if (!NSS_CMSArray_IsEmpty((void **)cinfo->content.signedData->signerInfos)) -+ if (cinfo->content.signedData == NULL) { -+ return PR_FALSE; -+ } -+ if (!NSS_CMSArray_IsEmpty((void **)cinfo->content.signedData->signerInfos)) { - return PR_TRUE; -+ } - break; - default: - /* callback here for generic wrappers? */ -@@ -278,8 +326,9 @@ NSS_CMSMessage_IsContentEmpty(NSSCMSMessage *cmsg, unsigned int minLen) - { - SECItem *item = NULL; - -- if (cmsg == NULL) -+ if (cmsg == NULL) { - return PR_TRUE; -+ } - - item = NSS_CMSContentInfo_GetContent(NSS_CMSMessage_GetContentInfo(cmsg)); - --- -1.7.12.4 - diff --git a/Bug-1507174-Add-additional-null-checks-to-other-CMS-.patch b/Bug-1507174-Add-additional-null-checks-to-other-CMS-.patch deleted file mode 100644 index 83800691bb1f3cbc1af9b4679ce57d83de0498ed..0000000000000000000000000000000000000000 --- a/Bug-1507174-Add-additional-null-checks-to-other-CMS-.patch +++ /dev/null 
@@ -1,319 +0,0 @@ -From 03d1823087e93e38485bf4fef0020fb0653ea616 Mon Sep 17 00:00:00 2001 -From: "J.C. Jones" -Date: Fri, 11 Jan 2019 22:33:16 -0700 -Subject: [PATCH 459/489] Bug 1507174 - Add additional null checks to other - CMS functions r=mt - -Differential review: https://phabricator.services.mozilla.com//D16383 - ---HG-- -extra : rebase_source : b5a87375965bbef9cd93e0ee936134631b597009 ---- - lib/smime/cmscinfo.c | 92 +++++++++++++++++++++++++++++++++++++++++++------- - lib/smime/cmsdigdata.c | 4 ++- - lib/smime/cmsencdata.c | 4 ++- - lib/smime/cmsenvdata.c | 5 +++ - lib/smime/cmsmessage.c | 3 ++ - lib/smime/cmsudf.c | 2 +- - 6 files changed, 95 insertions(+), 15 deletions(-) - -diff --git a/lib/smime/cmscinfo.c b/lib/smime/cmscinfo.c -index 08db662..453ccaa 100644 ---- a/lib/smime/cmscinfo.c -+++ b/lib/smime/cmscinfo.c -@@ -51,6 +51,10 @@ NSS_CMSContentInfo_Destroy(NSSCMSContentInfo *cinfo) - { - SECOidTag kind; - -+ if (cinfo == NULL) { -+ return; -+ } -+ - kind = NSS_CMSContentInfo_GetContentTypeTag(cinfo); - switch (kind) { - case SEC_OID_PKCS7_ENVELOPED_DATA: -@@ -86,6 +90,11 @@ NSSCMSContentInfo * - NSS_CMSContentInfo_GetChildContentInfo(NSSCMSContentInfo *cinfo) - { - NSSCMSContentInfo *ccinfo = NULL; -+ -+ if (cinfo == NULL) { -+ return NULL; -+ } -+ - SECOidTag tag = NSS_CMSContentInfo_GetContentTypeTag(cinfo); - switch (tag) { - case SEC_OID_PKCS7_SIGNED_DATA: -@@ -127,6 +136,9 @@ SECStatus - NSS_CMSContentInfo_SetDontStream(NSSCMSContentInfo *cinfo, PRBool dontStream) - { - SECStatus rv; -+ if (cinfo == NULL) { -+ return SECFailure; -+ } - - rv = NSS_CMSContentInfo_Private_Init(cinfo); - if (rv != SECSuccess) { -@@ -145,15 +157,20 @@ NSS_CMSContentInfo_SetContent(NSSCMSMessage *cmsg, NSSCMSContentInfo *cinfo, - SECOidTag type, void *ptr) - { - SECStatus rv; -+ if (cinfo == NULL || cmsg == NULL) { -+ return SECFailure; -+ } - - cinfo->contentTypeTag = SECOID_FindOIDByTag(type); -- if (cinfo->contentTypeTag == NULL) -+ if (cinfo->contentTypeTag == 
NULL) { - return SECFailure; -+ } - - /* do not copy the oid, just create a reference */ - rv = SECITEM_CopyItem(cmsg->poolp, &(cinfo->contentType), &(cinfo->contentTypeTag->oid)); -- if (rv != SECSuccess) -+ if (rv != SECSuccess) { - return SECFailure; -+ } - - cinfo->content.pointer = ptr; - -@@ -185,8 +202,9 @@ SECStatus - NSS_CMSContentInfo_SetContent_Data(NSSCMSMessage *cmsg, NSSCMSContentInfo *cinfo, - SECItem *data, PRBool detached) - { -- if (NSS_CMSContentInfo_SetContent(cmsg, cinfo, SEC_OID_PKCS7_DATA, (void *)data) != SECSuccess) -+ if (NSS_CMSContentInfo_SetContent(cmsg, cinfo, SEC_OID_PKCS7_DATA, (void *)data) != SECSuccess) { - return SECFailure; -+ } - if (detached) { - cinfo->rawContent = NULL; - } -@@ -230,6 +248,10 @@ NSS_CMSContentInfo_SetContent_EncryptedData(NSSCMSMessage *cmsg, NSSCMSContentIn - void * - NSS_CMSContentInfo_GetContent(NSSCMSContentInfo *cinfo) - { -+ if (cinfo == NULL) { -+ return NULL; -+ } -+ - SECOidTag tag = cinfo->contentTypeTag - ? cinfo->contentTypeTag->offset - : SEC_OID_UNKNOWN; -@@ -260,6 +282,10 @@ NSS_CMSContentInfo_GetInnerContent(NSSCMSContentInfo *cinfo) - SECOidTag tag; - SECItem *pItem = NULL; - -+ if (cinfo == NULL) { -+ return NULL; -+ } -+ - tag = NSS_CMSContentInfo_GetContentTypeTag(cinfo); - if (NSS_CMSType_IsData(tag)) { - pItem = cinfo->content.data; -@@ -282,6 +308,10 @@ NSS_CMSContentInfo_GetInnerContent(NSSCMSContentInfo *cinfo) - SECOidTag - NSS_CMSContentInfo_GetContentTypeTag(NSSCMSContentInfo *cinfo) - { -+ if (cinfo == NULL) { -+ return SEC_OID_UNKNOWN; -+ } -+ - if (cinfo->contentTypeTag == NULL) - cinfo->contentTypeTag = SECOID_FindOID(&(cinfo->contentType)); - -@@ -294,11 +324,17 @@ NSS_CMSContentInfo_GetContentTypeTag(NSSCMSContentInfo *cinfo) - SECItem * - NSS_CMSContentInfo_GetContentTypeOID(NSSCMSContentInfo *cinfo) - { -- if (cinfo->contentTypeTag == NULL) -+ if (cinfo == NULL) { -+ return NULL; -+ } -+ -+ if (cinfo->contentTypeTag == NULL) { - cinfo->contentTypeTag = 
SECOID_FindOID(&(cinfo->contentType)); -+ } - -- if (cinfo->contentTypeTag == NULL) -+ if (cinfo->contentTypeTag == NULL) { - return NULL; -+ } - - return &(cinfo->contentTypeTag->oid); - } -@@ -310,8 +346,13 @@ NSS_CMSContentInfo_GetContentTypeOID(NSSCMSContentInfo *cinfo) - SECOidTag - NSS_CMSContentInfo_GetContentEncAlgTag(NSSCMSContentInfo *cinfo) - { -- if (cinfo->contentEncAlgTag == SEC_OID_UNKNOWN) -+ if (cinfo == NULL) { -+ return SEC_OID_UNKNOWN; -+ } -+ -+ if (cinfo->contentEncAlgTag == SEC_OID_UNKNOWN) { - cinfo->contentEncAlgTag = SECOID_GetAlgorithmTag(&(cinfo->contentEncAlg)); -+ } - - return cinfo->contentEncAlgTag; - } -@@ -322,6 +363,10 @@ NSS_CMSContentInfo_GetContentEncAlgTag(NSSCMSContentInfo *cinfo) - SECAlgorithmID * - NSS_CMSContentInfo_GetContentEncAlg(NSSCMSContentInfo *cinfo) - { -+ if (cinfo == NULL) { -+ return NULL; -+ } -+ - return &(cinfo->contentEncAlg); - } - -@@ -330,10 +375,14 @@ NSS_CMSContentInfo_SetContentEncAlg(PLArenaPool *poolp, NSSCMSContentInfo *cinfo - SECOidTag bulkalgtag, SECItem *parameters, int keysize) - { - SECStatus rv; -+ if (cinfo == NULL) { -+ return SECFailure; -+ } - - rv = SECOID_SetAlgorithmID(poolp, &(cinfo->contentEncAlg), bulkalgtag, parameters); -- if (rv != SECSuccess) -+ if (rv != SECSuccess) { - return SECFailure; -+ } - cinfo->keysize = keysize; - return SECSuccess; - } -@@ -343,27 +392,42 @@ NSS_CMSContentInfo_SetContentEncAlgID(PLArenaPool *poolp, NSSCMSContentInfo *cin - SECAlgorithmID *algid, int keysize) - { - SECStatus rv; -+ if (cinfo == NULL) { -+ return SECFailure; -+ } - - rv = SECOID_CopyAlgorithmID(poolp, &(cinfo->contentEncAlg), algid); -- if (rv != SECSuccess) -+ if (rv != SECSuccess) { - return SECFailure; -- if (keysize >= 0) -+ } -+ if (keysize >= 0) { - cinfo->keysize = keysize; -+ } - return SECSuccess; - } - - void - NSS_CMSContentInfo_SetBulkKey(NSSCMSContentInfo *cinfo, PK11SymKey *bulkkey) - { -- cinfo->bulkkey = PK11_ReferenceSymKey(bulkkey); -- cinfo->keysize = 
PK11_GetKeyStrength(cinfo->bulkkey, &(cinfo->contentEncAlg)); -+ if (cinfo == NULL) { -+ return; -+ } -+ -+ if (bulkkey == NULL) { -+ cinfo->bulkkey = NULL; -+ cinfo->keysize = 0; -+ } else { -+ cinfo->bulkkey = PK11_ReferenceSymKey(bulkkey); -+ cinfo->keysize = PK11_GetKeyStrength(cinfo->bulkkey, &(cinfo->contentEncAlg)); -+ } - } - - PK11SymKey * - NSS_CMSContentInfo_GetBulkKey(NSSCMSContentInfo *cinfo) - { -- if (cinfo->bulkkey == NULL) -+ if (cinfo == NULL || cinfo->bulkkey == NULL) { - return NULL; -+ } - - return PK11_ReferenceSymKey(cinfo->bulkkey); - } -@@ -371,5 +435,9 @@ NSS_CMSContentInfo_GetBulkKey(NSSCMSContentInfo *cinfo) - int - NSS_CMSContentInfo_GetBulkKeySize(NSSCMSContentInfo *cinfo) - { -+ if (cinfo == NULL) { -+ return 0; -+ } -+ - return cinfo->keysize; - } -diff --git a/lib/smime/cmsdigdata.c b/lib/smime/cmsdigdata.c -index 9ea2270..a249686 100644 ---- a/lib/smime/cmsdigdata.c -+++ b/lib/smime/cmsdigdata.c -@@ -56,7 +56,9 @@ void - NSS_CMSDigestedData_Destroy(NSSCMSDigestedData *digd) - { - /* everything's in a pool, so don't worry about the storage */ -- NSS_CMSContentInfo_Destroy(&(digd->contentInfo)); -+ if (digd != NULL) { -+ NSS_CMSContentInfo_Destroy(&(digd->contentInfo)); -+ } - return; - } - -diff --git a/lib/smime/cmsencdata.c b/lib/smime/cmsencdata.c -index d2fc335..f2a2746 100644 ---- a/lib/smime/cmsencdata.c -+++ b/lib/smime/cmsencdata.c -@@ -87,7 +87,9 @@ void - NSS_CMSEncryptedData_Destroy(NSSCMSEncryptedData *encd) - { - /* everything's in a pool, so don't worry about the storage */ -- NSS_CMSContentInfo_Destroy(&(encd->contentInfo)); -+ if (encd != NULL) { -+ NSS_CMSContentInfo_Destroy(&(encd->contentInfo)); -+ } - return; - } - -diff --git a/lib/smime/cmsenvdata.c b/lib/smime/cmsenvdata.c -index d5d5c41..95b3fb9 100644 ---- a/lib/smime/cmsenvdata.c -+++ b/lib/smime/cmsenvdata.c -@@ -144,6 +144,11 @@ NSS_CMSEnvelopedData_Encode_BeforeStart(NSSCMSEnvelopedData *envd) - poolp = envd->cmsg->poolp; - cinfo = &(envd->contentInfo); 
- -+ if (cinfo == NULL) { -+ PORT_SetError(SEC_ERROR_BAD_DATA); -+ goto loser; -+ } -+ - recipientinfos = envd->recipientInfos; - if (recipientinfos == NULL) { - PORT_SetError(SEC_ERROR_BAD_DATA); -diff --git a/lib/smime/cmsmessage.c b/lib/smime/cmsmessage.c -index f41a432..366b71a 100644 ---- a/lib/smime/cmsmessage.c -+++ b/lib/smime/cmsmessage.c -@@ -96,6 +96,9 @@ NSS_CMSMessage_SetEncodingParams(NSSCMSMessage *cmsg, - void - NSS_CMSMessage_Destroy(NSSCMSMessage *cmsg) - { -+ if (cmsg == NULL) -+ return; -+ - PORT_Assert(cmsg->refCount > 0); - if (cmsg->refCount <= 0) { /* oops */ - return; -diff --git a/lib/smime/cmsudf.c b/lib/smime/cmsudf.c -index 3ef4268..5c8a81e 100644 ---- a/lib/smime/cmsudf.c -+++ b/lib/smime/cmsudf.c -@@ -239,7 +239,7 @@ NSS_CMSGenericWrapperData_Destroy(SECOidTag type, NSSCMSGenericWrapperData *gd) - { - const nsscmstypeInfo *typeInfo = nss_cmstype_lookup(type); - -- if (typeInfo && typeInfo->destroy) { -+ if (typeInfo && (typeInfo->destroy) && (gd != NULL)) { - (*typeInfo->destroy)(gd); - } - } --- -1.7.12.4 - diff --git a/fix-core-dump-when-sigd-signerInfos-is-NULL.patch b/fix-core-dump-when-sigd-signerInfos-is-NULL.patch deleted file mode 100644 index cbe4bef5667fc103c428a30668f47c539e1f6e1e..0000000000000000000000000000000000000000 --- a/fix-core-dump-when-sigd-signerInfos-is-NULL.patch +++ /dev/null 
@@ -1,26 +0,0 @@ -From 0641f1a9351fdb06d7e5d19a48ad7fe6175713e7 Mon Sep 17 00:00:00 2001 -From: guoxiaoqi -Date: Thu, 30 Apr 2020 09:40:20 +0800 -Subject: [PATCH] fix core dump when sigd->signerInfos is NULL - -Signed-off-by: guoxiaoqi ---- - nss/lib/smime/cmssigdata.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/nss/lib/smime/cmssigdata.c b/nss/lib/smime/cmssigdata.c -index 7dd6ea4..32a8166 100644 ---- a/nss/lib/smime/cmssigdata.c -+++ b/nss/lib/smime/cmssigdata.c -@@ -476,7 +476,7 @@ NSS_CMSSignedData_SignerInfoCount(NSSCMSSignedData *sigd) - NSSCMSSignerInfo * - NSS_CMSSignedData_GetSignerInfo(NSSCMSSignedData *sigd, int i) - { -- if (!sigd) { -+ if (!sigd || !sigd->signerInfos) { - PORT_SetError(SEC_ERROR_INVALID_ARGS); - return NULL; - } --- -1.8.3.1 - diff --git a/nss-3.40.1.tar.gz b/nss-3.40.1.tar.gz deleted file mode 100644 index f736adf19267a62eafba2cfa7c790c5c600c5864..0000000000000000000000000000000000000000 Binary files a/nss-3.40.1.tar.gz and /dev/null differ diff --git a/nss-3.54.tar.gz b/nss-3.54.tar.gz new file mode 100644 index 0000000000000000000000000000000000000000..877cfe0b49b4b63da9778b0622adfbf42f9d445b Binary files /dev/null and b/nss-3.54.tar.gz differ diff --git a/nss-config b/nss-config index d22bbaac4073985b4f8c86c8d2b7db1b4c53d09a..f1faa4c1e74176d10669c03283a0d5f5b59950d5 100644 --- a/nss-config +++ b/nss-config @@ -3,8 +3,8 @@ prefix=/usr major_version=3 -minor_version=40 -patch_version=1 +minor_version=54 +patch_version=0 usage() { diff --git a/nss-softokn-config b/nss-softokn-config index 137dcdbd3f6ffcc19dd9e039e06a7a7b3553adff..250809588fe45e1fe0bd64eae96a1683c348555a 100644 --- a/nss-softokn-config +++ b/nss-softokn-config @@ -3,8 +3,8 @@ prefix=/usr major_version=3 -minor_version=40 -patch_version=1 +minor_version=54 +patch_version=0 usage() { diff --git a/nss-softokn.pc b/nss-softokn.pc index 5ba0c996e68da20bd1875256e7d6d7824f74a21a..db1cf7af72f1fe66befd204a2ec54fe531c2a6cb 100644 --- a/nss-softokn.pc 
+++ b/nss-softokn.pc @@ -5,7 +5,7 @@ includedir=/usr/include/nss3 Name: NSS-SOFTOKN Description: Network Security Services Softoken PKCS #11 Module -Version: 3.40.1 -Requires: nspr >= 4.20.0, nss-util >= 3.40.1 +Version: 3.54 +Requires: nspr >= 4.20.0, nss-util >= 3.54 Libs: -L${libdir} -lfreebl3 -lnssdbm3 -lsoftokn3 Cflags: -I${includedir} diff --git a/nss-util-config b/nss-util-config index ce51cc576c005f748597b778b119cd0f3d67e168..d430180d5f17365eb96ce79221110fc22a5d6497 100644 --- a/nss-util-config +++ b/nss-util-config @@ -3,8 +3,8 @@ prefix=/usr major_version=3 -minor_version=40 -patch_version=1 +minor_version=54 +patch_version=0 usage() { diff --git a/nss-util.pc b/nss-util.pc index c9616e0d49ba56084c322c9008d48b93b5ebe838..f036ca2e9820ec0bdb3a2e8bbe2a7e4c9ac2f202 100644 --- a/nss-util.pc +++ b/nss-util.pc @@ -5,7 +5,7 @@ includedir=/usr/include/nss3 Name: NSS-UTIL Description: Network Security Services Utility Library -Version: 3.40.1 +Version: 3.54 Requires: nspr >= 4.20.0 Libs: -L${libdir} -lnssutil3 Cflags: -I${includedir} diff --git a/nss.pc b/nss.pc index a82990a01e0b4d9d969422541758a2a6837cd3ca..042352ba62ea8862ffb7f2182a7415741bac1cc6 100644 --- a/nss.pc +++ b/nss.pc @@ -5,7 +5,7 @@ includedir=/usr/include/nss3 Name: NSS Description: Network Security Services -Version: 3.40.1 -Requires: nspr >= 4.20.0, nss-util >= 3.40.1 +Version: 3.54 +Requires: nspr >= 4.20.0, nss-util >= 3.54 Libs: -L${libdir} -lssl3 -lsmime3 -lnss3 Cflags: -I${includedir} diff --git a/nss.spec b/nss.spec index b12002e2c8cfb754afcff8e2237d59bc6594adab..574ccbf3761db2e2cce12ec45a3c64a94942051f 100644 --- a/nss.spec +++ b/nss.spec @@ -1,5 +1,6 @@ %global nspr_version 4.20.0 -%global nss_version 3.40.1 +%global nss_version 3.54.0 +%global nss_archive_version 3.54 %global unsupported_tools_directory %{_libdir}/nss/unsupported-tools %global allTools "certutil cmsutil crlutil derdump modutil pk12util signtool signver ssltap vfychain vfyserv" 
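Review bot: `%global nspr_version 4.20.0` stays unchanged in the first nss.spec hunk (`@@ -1,5 +1,6 @@`) while NSS moves from 3.40.1 to 3.54, and the `.pc` files in this commit also keep `Requires: nspr >= 4.20.0`. If 3.54 needs a newer NSPR (check the upstream release notes), the `BuildRequires: nspr-devel >= %{nspr_version}` floor and the pkg-config requirement would allow a build or install against an NSPR that is too old, so they should be raised together. A one-line comment above `%global nss_archive_version 3.54` saying it is the tarball and directory name, which drops the trailing `.0`, would explain why there are two version macros.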
@@ -8,11 +9,12 @@ %global dracut_conf_dir %{dracutlibdir}/dracut.conf.d %bcond_with test +%bcond_without dbm Summary: Network Security Services Name: nss Version: %{nss_version} -Release: 12 +Release: 1 License: MPLv2.0 URL: http://www.mozilla.org/projects/security/pki/nss/ Provides: nss-system-init @@ -23,7 +25,7 @@ BuildRequires: nspr-devel >= %{nspr_version} nss-softokn sqlite-devel zlib-de BuildRequires: pkgconf gawk psmisc perl-interpreter gcc-c++ gdb obsoletes: nss-sysinit < %{version}-%{release} -Source0: https://ftp.mozilla.org/pub/security/nss/releases/NSS_3_40_1_RTM/src/%{name}-%{nss_version}.tar.gz +Source0: https://ftp.mozilla.org/pub/security/nss/releases/NSS_3_54_RTM/src/%{name}-%{nss_archive_version}.tar.gz Source1: nss-util.pc Source2: nss-util-config Source3: nss-softokn.pc @@ -38,10 +40,6 @@ Source14: blank-key4.db Source15: system-pkcs11.txt Source16: setup-nsssysinit.sh Patch0: nss-539183.patch -Patch1: Bug-1412829-reject-empty-supported_signature_algorit.patch -Patch2: Bug-1507135-Add-additional-null-checks-to-CMS-messag.patch -Patch3: Bug-1507174-Add-additional-null-checks-to-other-CMS-.patch -Patch4: fix-core-dump-when-sigd-signerInfos-is-NULL.patch %description Network Security Services (NSS) is a set of libraries designed to @@ -122,18 +120,10 @@ Requires: man-db Help document for NSS %prep -%setup -q -n %{name}-%{nss_version} +%setup -q -n %{name}-%{nss_archive_version} %patch0 -p0 -b .539183 -pushd nss -%patch1 -p1 -%patch2 -p1 -%patch3 -p1 -popd - -%patch4 -p1 - %build export NSS_FORCE_FIPS=1 
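Review bot: The `%prep` hunk (`@@ -122,18 +120,10 @@`) stops applying `%patch1` to `%patch4`, and nothing on the page shows that the 3.54 tarball already contains the equivalent fixes. Patches 1 to 3 carry upstream bug numbers (1412829, 1507135, 1507174) and can be confirmed against upstream history. Patch4 (`fix-core-dump-when-sigd-signerInfos-is-NULL.patch`) is a local change with no upstream reference, so the `!sigd->signerInfos` guard in `NSS_CMSSignedData_GetSignerInfo` should be checked in the new `lib/smime/cmssigdata.c` before the patch is dropped; if it is missing, the core dump that patch fixed would return. The changelog entry would be clearer if it recorded the reason, for example `- drop Patch1-Patch4, fixes are included in 3.54`.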
@@ -168,23 +158,25 @@ export NSPR_LIB_DIR=%{_libdir} export NSS_USE_SYSTEM_SQLITE=1 export NSS_ALLOW_SSLKEYLOGFILE=1 +%if %{with dbm} +%else +export NSS_DISABLE_DBM=1 +%endif + %ifnarch noarch %if 0%{__isa_bits} == 64 export USE_64=1 %endif %endif -##### phase 2: build the rest of nss -make -C ./nss/coreconf -make -C ./nss/lib/dbm - # Set the policy file location # if set NSS will always check for the policy file and load if it exists export POLICY_FILE="nss.config" # location of the policy file export POLICY_PATH="/etc/crypto-policies/back-ends" -make -C ./nss +make -C ./nss all +make -C ./nss latest # build the man pages clean pushd ./nss @@ -324,7 +316,7 @@ install -p -m 644 %{SOURCE14} $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb/key4.db install -p -m 644 %{SOURCE15} $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb/pkcs11.txt # Copy the binary libraries we want -for file in libnssutil3.so libsoftokn3.so libnssdbm3.so libfreebl3.so libfreeblpriv3.so libnss3.so libnsssysinit.so libsmime3.so libssl3.so +for file in libnssutil3.so libsoftokn3.so %{?with_dbm:libnssdbm3.so} libfreebl3.so libfreeblpriv3.so libnss3.so libnsssysinit.so libsmime3.so libssl3.so do install -p -m 755 dist/*.OBJ/lib/$file $RPM_BUILD_ROOT/%{_libdir} done @@ -354,7 +346,7 @@ do done # Copy some freebl include files we also want -for file in blapi.h alghmac.h +for file in blapi.h alghmac.h cmac.h do install -p -m 644 dist/private/nss/$file $RPM_BUILD_ROOT/%{_includedir}/nss3 done @@ -390,10 +382,10 @@ install -c -m 644 ./dist/docs/nroff/pp.1 $RPM_BUILD_ROOT%{_mandir}/man1/pp.1 #$RPM_BUILD_ROOT/%{unsupported_tools_directory}/shlibsign -i $RPM_BUILD_ROOT/%{_libdir}/libnssdbm3.so %post -update-crypto-policies +update-crypto-policies &> /dev/null || : %postun -update-crypto-policies +update-crypto-policies &> /dev/null || : %files %{!?_licensedir:%global license %%doc} 
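Review bot: The `%if %{with dbm}` / `%else` block added in the build hunk (`@@ -168,23 +158,25 @@`) has an empty true branch; `%if %{without dbm}` followed by `export NSS_DISABLE_DBM=1` and `%endif` states the same condition without the empty arm. The hunk also keeps `export NSS_ALLOW_SSLKEYLOGFILE=1` as context, which builds in support for writing TLS session secrets to the file named by the `SSLKEYLOGFILE` environment variable. A comment recording that this is intentional for a distribution package would help, and a major version jump is a reasonable point to revisit it.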
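Review bot: In the `%post`/`%postun` hunk (`@@ -390,10 +382,10 @@`), `update-crypto-policies &> /dev/null || :` discards both the output and the exit status, so a failure to regenerate the policy back-ends goes unnoticed. The build section points NSS at `/etc/crypto-policies/back-ends` with `POLICY_FILE="nss.config"`, so a stale or missing file there could leave NSS running without the intended policy. `&>` is also a bash extension and scriptlets without `-p` run under `/bin/sh`; `update-crypto-policies >/dev/null 2>&1 || :` is the portable spelling. If ignoring failure is deliberate, for example because the tool may be absent at install time, say so in a comment above the scriptlet.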
@@ -516,8 +508,10 @@ update-crypto-policies #%{_libdir}/libfreebl3.chk %{_libdir}/libfreeblpriv3.so #%{_libdir}/libfreeblpriv3.chk +%if %{with_dbm} %{_libdir}/libnssdbm3.so #%{_libdir}/libnssdbm3.chk +%endif %{_libdir}/libsoftokn3.so #%{_libdir}/libsoftokn3.chk %dir %{_libdir}/nss @@ -532,6 +526,7 @@ update-crypto-policies %files softokn-devel %{_libdir}/libfreebl.a %{_includedir}/nss3/blapi.h +%{_includedir}/nss3/cmac.h %{_includedir}/nss3/blapit.h %{_includedir}/nss3/alghmac.h %{_includedir}/nss3/lowkeyi.h @@ -548,6 +543,9 @@ update-crypto-policies %doc %{_mandir}/man* %changelog +* Fri Aug 21 2020 wangchen - 3.54-1 +- update to 3.54 + * Thu Apr 30 2020 openEuler Buildteam - 3.40.1-12 - fix core dump when sigd-signerInfos is NULL
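Review bot: `%if %{with_dbm}` in the `%files` hunk that lists `%{_libdir}/libnssdbm3.so` (`@@ -516,8 +508,10 @@`) reads the raw `with_dbm` macro, which `%bcond_without dbm` defines only while the feature is enabled. With `--without dbm` the macro is undefined, `%{with_dbm}` is left unexpanded and the `%if` expression fails to parse, so the opt-out this commit introduces cannot actually be built. Use `%if %{with dbm}` here, the form the `NSS_DISABLE_DBM` block earlier in this diff already uses.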