Bug 1614053 - land NSS 735ed2e47040 UPGRADE_NSS_RELEASE, r=kjacobs

2020-02-10 Robert Relyea <rrelyea@redhat.com> * lib/freebl/cmac.c: Bug 1610687 - Crash on unaligned CMACContext.aes.keySchedule when using AES-NI intrinsics r=kjacobs [046a6f5bfb27] * lib/util/pkcs11t.h: Bug 1611209 - Value of CKM_AES_CMAC and CKM_AES_CMAC_GENERAL are swapped r=rrelyea [df142975f4f6] 2020-02-11 Victor Tapia <victor.tapia@canonical.com> * lib/pk11wrap/pk11util.c, lib/sysinit/nsssysinit.c: Bug 1582169 - Disable reading /proc/sys/crypto/fips_enabled if FIPS is not enabled on build r=jcj,rrelyea [55ba54adfcae] 2020-02-11 J.C. Jones <jjones@mozilla.com> * lib/sysinit/nsssysinit.c: Bug 1614786 - Fixup for ‘getFIPSEnv’ being unused r=kjacobs Fixes a regression from Bug 1582169 ../../lib/sysinit/nsssysinit.c:153:1: error: ‘getFIPSEnv’ defined but not used [-Werror=unused-function] [06925efe306b] 2020-02-11 Dana Keeler <dkeeler@mozilla.com> * cmd/lib/secutil.c, lib/libpkix/pkix_pl_nss/module/pkix_pl_colcertstore.c: bug 1538980 - null-terminate ascii input in SECU_ReadDERFromFile so strstr is safe to call r=jcj,kjacobs [735ed2e47040] [tip] Differential Revision: https://phabricator.services.mozilla.com/D62451 --HG-- extra : moz-landing-system : lando
2020-02-12 16:22:10 +00:00 · 2020-02-12 16:22:10 +00:00 · 982674831d
--- a/old-configure.in
+++ b/old-configure.in
@ -1489,7 +1489,7 @@ MOZ_ARG_WITH_BOOL(system-nss,
    _USE_SYSTEM_NSS=1 )

 if test -n "$_USE_SYSTEM_NSS"; then
-    AM_PATH_NSS(3.50, [MOZ_SYSTEM_NSS=1], [AC_MSG_ERROR([you don't have NSS installed or your version is too old])])
+    AM_PATH_NSS(3.51, [MOZ_SYSTEM_NSS=1], [AC_MSG_ERROR([you don't have NSS installed or your version is too old])])
 fi

 NSS_CFLAGS="$NSS_CFLAGS -I${DIST}/include/nss"
--- a/security/nss/TAG-INFO
+++ b/security/nss/TAG-INFO
@ -1 +1 @@
-NSS_3_50_RTM
+735ed2e47040
--- a/security/nss/automation/abi-check/previous-nss-release
+++ b/security/nss/automation/abi-check/previous-nss-release
@ -1 +1 @@
-NSS_3_49_BRANCH
+NSS_3_50_BRANCH
--- a/security/nss/cmd/lib/secutil.c
+++ b/security/nss/cmd/lib/secutil.c
@ -494,23 +494,30 @@ SECU_ReadDERFromFile(SECItem *der, PRFileDesc *inFile, PRBool ascii,
    if (ascii) {
        /* First convert ascii to binary */
        SECItem filedata;
-        char *asc, *body;

        /* Read in ascii data */
        rv = SECU_FileToItem(&filedata, inFile);
        if (rv != SECSuccess)
            return rv;
-        asc = (char *)filedata.data;
-        if (!asc) {
+        if (!filedata.data) {
            fprintf(stderr, "unable to read data from input file\n");
            return SECFailure;
        }
+        /* need one additional byte for zero terminator */
+        rv = SECITEM_ReallocItemV2(NULL, &filedata, filedata.len + 1);
+        if (rv != SECSuccess) {
+            PORT_Free(filedata.data);
+            return rv;
+        }
+        char *asc = (char *)filedata.data;
+        asc[filedata.len - 1] = '\0';

        if (warnOnPrivateKeyInAsciiFile && strstr(asc, "PRIVATE KEY")) {
            fprintf(stderr, "Warning: ignoring private key. Consider to use "
                            "pk12util.\n");
        }

+        char *body;
        /* check for headers and trailers and remove them */
        if ((body = strstr(asc, "-----BEGIN")) != NULL) {
            char *trailer = NULL;
@ -528,14 +535,7 @@ SECU_ReadDERFromFile(SECItem *der, PRFileDesc *inFile, PRBool ascii,
                return SECFailure;
            }
        } else {
-            /* need one additional byte for zero terminator */
-            rv = SECITEM_ReallocItemV2(NULL, &filedata, filedata.len + 1);
-            if (rv != SECSuccess) {
-                PORT_Free(filedata.data);
-                return rv;
-            }
-            body = (char *)filedata.data;
-            body[filedata.len - 1] = '\0';
+            body = asc;
        }

        /* Convert to binary */
--- a/security/nss/coreconf/coreconf.dep
+++ b/security/nss/coreconf/coreconf.dep
@ -10,4 +10,3 @@
 */

 #error "Do not include this header file."
-
--- a/security/nss/lib/freebl/cmac.c
+++ b/security/nss/lib/freebl/cmac.c
@ -22,7 +22,7 @@ struct CMACContextStr {
     * add a new Context pointer to the cipher union with the correct type. */
    CMACCipher cipherType;
    union {
-        AESContext aes;
+        AESContext *aes;
    } cipher;
    int blockSize;

@ -62,7 +62,7 @@ cmac_Encrypt(CMACContext *ctx, unsigned char *output,
 {
    if (ctx->cipherType == CMAC_AES) {
        unsigned int tmpOutputLen;
-        SECStatus rv = AES_Encrypt(&ctx->cipher.aes, output, &tmpOutputLen,
+        SECStatus rv = AES_Encrypt(ctx->cipher.aes, output, &tmpOutputLen,
                                   ctx->blockSize, input, inputLen);

        /* Assumption: AES_Encrypt (when in ECB mode) always returns an
@ -156,8 +156,9 @@ CMAC_Init(CMACContext *ctx, CMACCipher type,

    ctx->blockSize = AES_BLOCK_SIZE;
    ctx->cipherType = CMAC_AES;
-    if (AES_InitContext(&ctx->cipher.aes, key, key_len, NULL, NSS_AES, 1,
-                        ctx->blockSize) != SECSuccess) {
+    ctx->cipher.aes = AES_CreateContext(key, NULL, NSS_AES, 1, key_len,
+                                        ctx->blockSize);
+    if (ctx->cipher.aes == NULL) {
        return SECFailure;
    }

@ -308,8 +309,8 @@ CMAC_Destroy(CMACContext *ctx, PRBool free_it)
        return;
    }

-    if (ctx->cipherType == CMAC_AES) {
-        AES_DestroyContext(&ctx->cipher.aes, PR_FALSE);
+    if (ctx->cipherType == CMAC_AES && ctx->cipher.aes != NULL) {
+        AES_DestroyContext(ctx->cipher.aes, PR_TRUE);
    }

    /* Destroy everything in the context. This includes sensitive data in
--- a/security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_colcertstore.c
+++ b/security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_colcertstore.c
@ -55,16 +55,26 @@ SECU_ReadDERFromFile(SECItem *der, PRFileDesc *inFile, PRBool ascii)
    if (ascii) {
        /* First convert ascii to binary */
        SECItem filedata;
-        char *asc, *body;

        /* Read in ascii data */
        rv = SECU_FileToItem(&filedata, inFile);
-        asc = (char *)filedata.data;
-        if (!asc) {
+        if (rv != SECSuccess) {
+            return rv;
+        }
+        if (!filedata.data) {
            fprintf(stderr, "unable to read data from input file\n");
            return SECFailure;
        }
+        /* need one additional byte for zero terminator */
+        rv = SECITEM_ReallocItemV2(NULL, &filedata, filedata.len + 1);
+        if (rv != SECSuccess) {
+            PORT_Free(filedata.data);
+            return rv;
+        }
+        char *asc = (char *)filedata.data;
+        asc[filedata.len - 1] = '\0';

+        char *body;
        /* check for headers and trailers and remove them */
        if ((body = strstr(asc, "-----BEGIN")) != NULL) {
            char *trailer = NULL;
--- a/security/nss/lib/nss/nss.h
+++ b/security/nss/lib/nss/nss.h
@ -22,12 +22,12 @@
 * The format of the version string should be
 *     "<major version>.<minor version>[.<patch level>[.<build number>]][ <ECC>][ <Beta>]"
 */
-#define NSS_VERSION "3.50" _NSS_CUSTOMIZED
+#define NSS_VERSION "3.51" _NSS_CUSTOMIZED " Beta"
 #define NSS_VMAJOR 3
-#define NSS_VMINOR 50
+#define NSS_VMINOR 51
 #define NSS_VPATCH 0
 #define NSS_VBUILD 0
-#define NSS_BETA PR_FALSE
+#define NSS_BETA PR_TRUE

 #ifndef RC_INVOKED

--- a/security/nss/lib/pk11wrap/pk11util.c
+++ b/security/nss/lib/pk11wrap/pk11util.c
@ -99,6 +99,7 @@ int
 secmod_GetSystemFIPSEnabled(void)
 {
 #ifdef LINUX
+#ifndef NSS_FIPS_DISABLED
    FILE *f;
    char d;
    size_t size;
@ -116,6 +117,7 @@ secmod_GetSystemFIPSEnabled(void)
    if (d == '1') {
        return 1;
    }
+#endif
 #endif
    return 0;
 }
--- a/security/nss/lib/softoken/softkver.h
+++ b/security/nss/lib/softoken/softkver.h
@ -17,11 +17,11 @@
 * The format of the version string should be
 *     "<major version>.<minor version>[.<patch level>[.<build number>]][ <ECC>][ <Beta>]"
 */
-#define SOFTOKEN_VERSION "3.50" SOFTOKEN_ECC_STRING
+#define SOFTOKEN_VERSION "3.51" SOFTOKEN_ECC_STRING " Beta"
 #define SOFTOKEN_VMAJOR 3
-#define SOFTOKEN_VMINOR 50
+#define SOFTOKEN_VMINOR 51
 #define SOFTOKEN_VPATCH 0
 #define SOFTOKEN_VBUILD 0
-#define SOFTOKEN_BETA PR_FALSE
+#define SOFTOKEN_BETA PR_TRUE

 #endif /* _SOFTKVER_H_ */
--- a/security/nss/lib/sysinit/nsssysinit.c
+++ b/security/nss/lib/sysinit/nsssysinit.c
@ -149,6 +149,7 @@ userCanModifySystemDB()
    return (access(NSS_DEFAULT_SYSTEM, W_OK) == 0);
 }

+#ifndef NSS_FIPS_DISABLED
 static PRBool
 getFIPSEnv(void)
 {
@ -164,10 +165,12 @@ getFIPSEnv(void)
    }
    return PR_FALSE;
 }
+#endif /* NSS_FIPS_DISABLED */

 static PRBool
 getFIPSMode(void)
 {
+#ifndef NSS_FIPS_DISABLED
    FILE *f;
    char d;
    size_t size;
@ -186,6 +189,9 @@ getFIPSMode(void)
    if (d != '1')
        return PR_FALSE;
    return PR_TRUE;
+#else
+    return PR_FALSE;
+#endif /* NSS_FIPS_DISABLED */
 }

 #define NSS_DEFAULT_FLAGS "flags=readonly"
--- a/security/nss/lib/util/nssutil.h
+++ b/security/nss/lib/util/nssutil.h
@ -19,12 +19,12 @@
 * The format of the version string should be
 *     "<major version>.<minor version>[.<patch level>[.<build number>]][ <Beta>]"
 */
-#define NSSUTIL_VERSION "3.50"
+#define NSSUTIL_VERSION "3.51 Beta"
 #define NSSUTIL_VMAJOR 3
-#define NSSUTIL_VMINOR 50
+#define NSSUTIL_VMINOR 51
 #define NSSUTIL_VPATCH 0
 #define NSSUTIL_VBUILD 0
-#define NSSUTIL_BETA PR_FALSE
+#define NSSUTIL_BETA PR_TRUE

 SEC_BEGIN_PROTOS

--- a/security/nss/lib/util/pkcs11t.h
+++ b/security/nss/lib/util/pkcs11t.h
@ -898,8 +898,8 @@ typedef CK_ULONG CK_MECHANISM_TYPE;
 #define CKM_AES_CCM 0x00001088
 #define CKM_AES_CTS 0x00001089
 /* AES-CMAC values copied from v2.40 errata 1 header file */
-#define CKM_AES_CMAC_GENERAL 0x0000108A
-#define CKM_AES_CMAC 0x0000108B
+#define CKM_AES_CMAC 0x0000108A
+#define CKM_AES_CMAC_GENERAL 0x0000108B
 #define CKM_AES_XCBC_MAC 0x0000108C
 #define CKM_AES_XCBC_MAC_96 0x0000108D