packages/nss
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

!14 openEuler-nss

Browse Source 
Merge pull request !14 from Liquor/master
This commit is contained in:
openeuler-ci-bot 2020-08-01 10:55:36 +08:00 committed by Gitee
commit 59c4c8e7f6
13 changed files with 29 additions and 707 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

114
Bug-1412829-reject-empty-supported_signature_algorit.patch
View File

@ -1,114 +0,0 @@
From 96728bb2bc55246d2bb3d98e4c1ab4b5b58a5c41 Mon Sep 17 00:00:00 2001
From: Daiki Ueno <dueno@redhat.com>
Date: Thu, 22 Nov 2018 10:55:20 +0100
Subject: [PATCH 441/489] Bug 1412829, reject empty
supported_signature_algorithms in CR in TLS 1.2,
r=mt
Summary: This basically reverts bug 1335069 to align with RFC 5246.
Reviewers: mt
Reviewed By: mt
Bug #: 1412829
Differential Revision: https://phabricator.services.mozilla.com/D12563
--HG--
extra : amend_source : a87f98603e14841654948c7664dbde26ebaf04e4
---
gtests/nss_bogo_shim/config.json | 3 ++-
gtests/ssl_gtest/ssl_auth_unittest.cc | 15 +++++----------
lib/ssl/ssl3con.c | 17 +++++++++--------
3 files changed, 16 insertions(+), 19 deletions(-)
diff --git a/gtests/nss_bogo_shim/config.json b/gtests/nss_bogo_shim/config.json
index 66f55d3..5c7a2e3 100644
--- a/gtests/nss_bogo_shim/config.json
+++ b/gtests/nss_bogo_shim/config.json
@@ -64,7 +64,8 @@
"RequireAnyClientCertificate-TLS1*":"Bug 1339387",
"SendExtensionOnClientCertificate-TLS13":"Bug 1339392",
"ALPNClient-Mismatch-TLS13":"NSS sends alerts in response to errors in protected handshake messages in the clear",
- "P224-Server":"NSS doesn't support P-224"
+ "P224-Server":"NSS doesn't support P-224",
+ "ClientAuth-SHA1-Fallback*":"Boring wants us to fall back to SHA-1 if supported_signature_algorithms in CR is empty."
},
"ErrorMap" : {
":HANDSHAKE_FAILURE_ON_CLIENT_HELLO:":"SSL_ERROR_NO_CYPHER_OVERLAP",
diff --git a/gtests/ssl_gtest/ssl_auth_unittest.cc b/gtests/ssl_gtest/ssl_auth_unittest.cc
index 93a8c54..3a52ac2 100644
--- a/gtests/ssl_gtest/ssl_auth_unittest.cc
+++ b/gtests/ssl_gtest/ssl_auth_unittest.cc
@@ -386,9 +386,9 @@ class TlsZeroCertificateRequestSigAlgsFilter : public TlsHandshakeFilter {
}
};
-// Check that we fall back to SHA-1 when the server doesn't provide any
+// Check that we send an alert when the server doesn't provide any
// supported_signature_algorithms in the CertificateRequest message.
-TEST_P(TlsConnectTls12, ClientAuthNoSigAlgsFallback) {
+TEST_P(TlsConnectTls12, ClientAuthNoSigAlgs) {
EnsureTlsSetup();
MakeTlsFilter<TlsZeroCertificateRequestSigAlgsFilter>(server_);
auto capture_cert_verify = MakeTlsFilter<TlsHandshakeRecorder>(
@@ -396,15 +396,10 @@ TEST_P(TlsConnectTls12, ClientAuthNoSigAlgsFallback) {
client_->SetupClientAuth();
server_->RequestClientAuth(true);
- ConnectExpectAlert(server_, kTlsAlertDecryptError);
-
- // We're expecting a bad signature here because we tampered with a handshake
- // message (CertReq). Previously, without the SHA-1 fallback, we would've
- // seen a malformed record alert.
- server_->CheckErrorCode(SEC_ERROR_BAD_SIGNATURE);
- client_->CheckErrorCode(SSL_ERROR_DECRYPT_ERROR_ALERT);
+ ConnectExpectAlert(client_, kTlsAlertHandshakeFailure);
- CheckSigScheme(capture_cert_verify, 0, server_, ssl_sig_rsa_pkcs1_sha1, 1024);
+ server_->CheckErrorCode(SSL_ERROR_HANDSHAKE_FAILURE_ALERT);
+ client_->CheckErrorCode(SSL_ERROR_UNSUPPORTED_SIGNATURE_ALGORITHM);
}
static const SSLSignatureScheme kSignatureSchemeEcdsaSha384[] = {
diff --git a/lib/ssl/ssl3con.c b/lib/ssl/ssl3con.c
index d7e8452..225f4f6 100644
--- a/lib/ssl/ssl3con.c
+++ b/lib/ssl/ssl3con.c
@@ -6171,16 +6171,12 @@ ssl_PickClientSignatureScheme(sslSocket *ss, const SSLSignatureScheme *schemes,
PORT_Assert(pubKey);
- if (!isTLS13 && numSchemes == 0) {
- /* If the server didn't provide any signature algorithms
- * then let's assume they support SHA-1. */
- rv = ssl_PickFallbackSignatureScheme(ss, pubKey);
- SECKEY_DestroyPublicKey(pubKey);
- return rv;
+ if (ss->version >= SSL_LIBRARY_VERSION_TLS_1_2) {
+ /* We should have already checked that a signature scheme was
+ * listed in the request. */
+ PORT_Assert(schemes && numSchemes > 0);
}
- PORT_Assert(schemes && numSchemes > 0);
-
if (!isTLS13 &&
(SECKEY_GetPublicKeyType(pubKey) == rsaKey ||
SECKEY_GetPublicKeyType(pubKey) == dsaKey) &&
@@ -7331,6 +7327,11 @@ ssl3_HandleCertificateRequest(sslSocket *ss, PRUint8 *b, PRUint32 length)
PORT_SetError(SSL_ERROR_RX_MALFORMED_CERT_REQUEST);
goto loser; /* malformed, alert has been sent */
}
+ if (signatureSchemeCount == 0) {
+ errCode = SSL_ERROR_UNSUPPORTED_SIGNATURE_ALGORITHM;
+ desc = handshake_failure;
+ goto alert_loser;
+ }
}
rv = ssl3_ParseCertificateRequestCAs(ss, &b, &length, &ca_list);
--
1.7.12.4

216
Bug-1507135-Add-additional-null-checks-to-CMS-messag.patch
View File

@ -1,216 +0,0 @@
From 3b2d7d955f1baca00129454eddbe8fb5117c4fef Mon Sep 17 00:00:00 2001
From: "J.C. Jones" <jjones@mozilla.com>
Date: Mon, 14 Jan 2019 10:35:25 -0700
Subject: [PATCH 458/489] Bug 1507135 - Add additional null checks to CMS
message functions r=mt
Differential review: https://phabricator.services.mozilla.com//D16488
--HG--
extra : rebase_source : 31028021bec842d521d70c5200edb6ea8461fa23
---
lib/smime/cmsmessage.c | 69 ++++++++++++++++++++++++++++++++++++++++++--------
1 file changed, 59 insertions(+), 10 deletions(-)
diff --git a/lib/smime/cmsmessage.c b/lib/smime/cmsmessage.c
index 27d1256..f41a432 100644
--- a/lib/smime/cmsmessage.c
+++ b/lib/smime/cmsmessage.c
@@ -29,8 +29,9 @@ NSS_CMSMessage_Create(PLArenaPool *poolp)
if (poolp == NULL) {
poolp = PORT_NewArena(1024); /* XXX what is right value? */
- if (poolp == NULL)
+ if (poolp == NULL) {
return NULL;
+ }
poolp_is_ours = PR_TRUE;
}
@@ -44,8 +45,9 @@ NSS_CMSMessage_Create(PLArenaPool *poolp)
if (mark) {
PORT_ArenaRelease(poolp, mark);
}
- } else
+ } else {
PORT_FreeArena(poolp, PR_FALSE);
+ }
return NULL;
}
@@ -53,8 +55,9 @@ NSS_CMSMessage_Create(PLArenaPool *poolp)
cmsg->poolp_is_ours = poolp_is_ours;
cmsg->refCount = 1;
- if (mark)
+ if (mark) {
PORT_ArenaUnmark(poolp, mark);
+ }
return cmsg;
}
@@ -73,8 +76,13 @@ NSS_CMSMessage_SetEncodingParams(NSSCMSMessage *cmsg,
NSSCMSGetDecryptKeyCallback decrypt_key_cb, void *decrypt_key_cb_arg,
SECAlgorithmID **detached_digestalgs, SECItem **detached_digests)
{
- if (pwfn)
+ if (cmsg == NULL) {
+ return;
+ }
+ if (pwfn) {
PK11_SetPasswordFunc(pwfn);
+ }
+
cmsg->pwfn_arg = pwfn_arg;
cmsg->decrypt_key_cb = decrypt_key_cb;
cmsg->decrypt_key_cb_arg = decrypt_key_cb_arg;
@@ -89,18 +97,21 @@ void
NSS_CMSMessage_Destroy(NSSCMSMessage *cmsg)
{
PORT_Assert(cmsg->refCount > 0);
- if (cmsg->refCount <= 0) /* oops */
+ if (cmsg->refCount <= 0) { /* oops */
return;
+ }
cmsg->refCount--; /* thread safety? */
- if (cmsg->refCount > 0)
+ if (cmsg->refCount > 0) {
return;
+ }
NSS_CMSContentInfo_Destroy(&(cmsg->contentInfo));
/* if poolp is not NULL, cmsg is the owner of its arena */
- if (cmsg->poolp_is_ours)
+ if (cmsg->poolp_is_ours) {
PORT_FreeArena(cmsg->poolp, PR_FALSE); /* XXX clear it? */
+ }
}
/*
@@ -112,8 +123,9 @@ NSS_CMSMessage_Destroy(NSSCMSMessage *cmsg)
NSSCMSMessage *
NSS_CMSMessage_Copy(NSSCMSMessage *cmsg)
{
- if (cmsg == NULL)
+ if (cmsg == NULL) {
return NULL;
+ }
PORT_Assert(cmsg->refCount > 0);
@@ -127,6 +139,10 @@ NSS_CMSMessage_Copy(NSSCMSMessage *cmsg)
PLArenaPool *
NSS_CMSMessage_GetArena(NSSCMSMessage *cmsg)
{
+ if (cmsg == NULL) {
+ return NULL;
+ }
+
return cmsg->poolp;
}
@@ -136,6 +152,10 @@ NSS_CMSMessage_GetArena(NSSCMSMessage *cmsg)
NSSCMSContentInfo *
NSS_CMSMessage_GetContentInfo(NSSCMSMessage *cmsg)
{
+ if (cmsg == NULL) {
+ return NULL;
+ }
+
return &(cmsg->contentInfo);
}
@@ -147,6 +167,10 @@ NSS_CMSMessage_GetContentInfo(NSSCMSMessage *cmsg)
SECItem *
NSS_CMSMessage_GetContent(NSSCMSMessage *cmsg)
{
+ if (cmsg == NULL) {
+ return NULL;
+ }
+
/* this is a shortcut */
NSSCMSContentInfo *cinfo = NSS_CMSMessage_GetContentInfo(cmsg);
SECItem *pItem = NSS_CMSContentInfo_GetInnerContent(cinfo);
@@ -164,6 +188,10 @@ NSS_CMSMessage_ContentLevelCount(NSSCMSMessage *cmsg)
int count = 0;
NSSCMSContentInfo *cinfo;
+ if (cmsg == NULL) {
+ return 0;
+ }
+
/* walk down the chain of contentinfos */
for (cinfo = &(cmsg->contentInfo); cinfo != NULL;) {
count++;
@@ -183,6 +211,10 @@ NSS_CMSMessage_ContentLevel(NSSCMSMessage *cmsg, int n)
int count = 0;
NSSCMSContentInfo *cinfo;
+ if (cmsg == NULL) {
+ return NULL;
+ }
+
/* walk down the chain of contentinfos */
for (cinfo = &(cmsg->contentInfo); cinfo != NULL && count < n;
cinfo = NSS_CMSContentInfo_GetChildContentInfo(cinfo)) {
@@ -200,6 +232,10 @@ NSS_CMSMessage_ContainsCertsOrCrls(NSSCMSMessage *cmsg)
{
NSSCMSContentInfo *cinfo;
+ if (cmsg == NULL) {
+ return PR_FALSE;
+ }
+
/* descend into CMS message */
for (cinfo = &(cmsg->contentInfo); cinfo != NULL;
cinfo = NSS_CMSContentInfo_GetChildContentInfo(cinfo)) {
@@ -221,6 +257,10 @@ NSS_CMSMessage_IsEncrypted(NSSCMSMessage *cmsg)
{
NSSCMSContentInfo *cinfo;
+ if (cmsg == NULL) {
+ return PR_FALSE;
+ }
+
/* walk down the chain of contentinfos */
for (cinfo = &(cmsg->contentInfo); cinfo != NULL;
cinfo = NSS_CMSContentInfo_GetChildContentInfo(cinfo)) {
@@ -251,13 +291,21 @@ NSS_CMSMessage_IsSigned(NSSCMSMessage *cmsg)
{
NSSCMSContentInfo *cinfo;
+ if (cmsg == NULL) {
+ return PR_FALSE;
+ }
+
/* walk down the chain of contentinfos */
for (cinfo = &(cmsg->contentInfo); cinfo != NULL;
cinfo = NSS_CMSContentInfo_GetChildContentInfo(cinfo)) {
switch (NSS_CMSContentInfo_GetContentTypeTag(cinfo)) {
case SEC_OID_PKCS7_SIGNED_DATA:
- if (!NSS_CMSArray_IsEmpty((void **)cinfo->content.signedData->signerInfos))
+ if (cinfo->content.signedData == NULL) {
+ return PR_FALSE;
+ }
+ if (!NSS_CMSArray_IsEmpty((void **)cinfo->content.signedData->signerInfos)) {
return PR_TRUE;
+ }
break;
default:
/* callback here for generic wrappers? */
@@ -278,8 +326,9 @@ NSS_CMSMessage_IsContentEmpty(NSSCMSMessage *cmsg, unsigned int minLen)
{
SECItem *item = NULL;
- if (cmsg == NULL)
+ if (cmsg == NULL) {
return PR_TRUE;
+ }
item = NSS_CMSContentInfo_GetContent(NSS_CMSMessage_GetContentInfo(cmsg));
--
1.7.12.4

319
Bug-1507174-Add-additional-null-checks-to-other-CMS-.patch
View File

@ -1,319 +0,0 @@
From 03d1823087e93e38485bf4fef0020fb0653ea616 Mon Sep 17 00:00:00 2001
From: "J.C. Jones" <jjones@mozilla.com>
Date: Fri, 11 Jan 2019 22:33:16 -0700
Subject: [PATCH 459/489] Bug 1507174 - Add additional null checks to other
CMS functions r=mt
Differential review: https://phabricator.services.mozilla.com//D16383
--HG--
extra : rebase_source : b5a87375965bbef9cd93e0ee936134631b597009
---
lib/smime/cmscinfo.c | 92 +++++++++++++++++++++++++++++++++++++++++++-------
lib/smime/cmsdigdata.c | 4 ++-
lib/smime/cmsencdata.c | 4 ++-
lib/smime/cmsenvdata.c | 5 +++
lib/smime/cmsmessage.c | 3 ++
lib/smime/cmsudf.c | 2 +-
6 files changed, 95 insertions(+), 15 deletions(-)
diff --git a/lib/smime/cmscinfo.c b/lib/smime/cmscinfo.c
index 08db662..453ccaa 100644
--- a/lib/smime/cmscinfo.c
+++ b/lib/smime/cmscinfo.c
@@ -51,6 +51,10 @@ NSS_CMSContentInfo_Destroy(NSSCMSContentInfo *cinfo)
{
SECOidTag kind;
+ if (cinfo == NULL) {
+ return;
+ }
+
kind = NSS_CMSContentInfo_GetContentTypeTag(cinfo);
switch (kind) {
case SEC_OID_PKCS7_ENVELOPED_DATA:
@@ -86,6 +90,11 @@ NSSCMSContentInfo *
NSS_CMSContentInfo_GetChildContentInfo(NSSCMSContentInfo *cinfo)
{
NSSCMSContentInfo *ccinfo = NULL;
+
+ if (cinfo == NULL) {
+ return NULL;
+ }
+
SECOidTag tag = NSS_CMSContentInfo_GetContentTypeTag(cinfo);
switch (tag) {
case SEC_OID_PKCS7_SIGNED_DATA:
@@ -127,6 +136,9 @@ SECStatus
NSS_CMSContentInfo_SetDontStream(NSSCMSContentInfo *cinfo, PRBool dontStream)
{
SECStatus rv;
+ if (cinfo == NULL) {
+ return SECFailure;
+ }
rv = NSS_CMSContentInfo_Private_Init(cinfo);
if (rv != SECSuccess) {
@@ -145,15 +157,20 @@ NSS_CMSContentInfo_SetContent(NSSCMSMessage *cmsg, NSSCMSContentInfo *cinfo,
SECOidTag type, void *ptr)
{
SECStatus rv;
+ if (cinfo == NULL || cmsg == NULL) {
+ return SECFailure;
+ }
cinfo->contentTypeTag = SECOID_FindOIDByTag(type);
- if (cinfo->contentTypeTag == NULL)
+ if (cinfo->contentTypeTag == NULL) {
return SECFailure;
+ }
/* do not copy the oid, just create a reference */
rv = SECITEM_CopyItem(cmsg->poolp, &(cinfo->contentType), &(cinfo->contentTypeTag->oid));
- if (rv != SECSuccess)
+ if (rv != SECSuccess) {
return SECFailure;
+ }
cinfo->content.pointer = ptr;
@@ -185,8 +202,9 @@ SECStatus
NSS_CMSContentInfo_SetContent_Data(NSSCMSMessage *cmsg, NSSCMSContentInfo *cinfo,
SECItem *data, PRBool detached)
{
- if (NSS_CMSContentInfo_SetContent(cmsg, cinfo, SEC_OID_PKCS7_DATA, (void *)data) != SECSuccess)
+ if (NSS_CMSContentInfo_SetContent(cmsg, cinfo, SEC_OID_PKCS7_DATA, (void *)data) != SECSuccess) {
return SECFailure;
+ }
if (detached) {
cinfo->rawContent = NULL;
}
@@ -230,6 +248,10 @@ NSS_CMSContentInfo_SetContent_EncryptedData(NSSCMSMessage *cmsg, NSSCMSContentIn
void *
NSS_CMSContentInfo_GetContent(NSSCMSContentInfo *cinfo)
{
+ if (cinfo == NULL) {
+ return NULL;
+ }
+
SECOidTag tag = cinfo->contentTypeTag
? cinfo->contentTypeTag->offset
: SEC_OID_UNKNOWN;
@@ -260,6 +282,10 @@ NSS_CMSContentInfo_GetInnerContent(NSSCMSContentInfo *cinfo)
SECOidTag tag;
SECItem *pItem = NULL;
+ if (cinfo == NULL) {
+ return NULL;
+ }
+
tag = NSS_CMSContentInfo_GetContentTypeTag(cinfo);
if (NSS_CMSType_IsData(tag)) {
pItem = cinfo->content.data;
@@ -282,6 +308,10 @@ NSS_CMSContentInfo_GetInnerContent(NSSCMSContentInfo *cinfo)
SECOidTag
NSS_CMSContentInfo_GetContentTypeTag(NSSCMSContentInfo *cinfo)
{
+ if (cinfo == NULL) {
+ return SEC_OID_UNKNOWN;
+ }
+
if (cinfo->contentTypeTag == NULL)
cinfo->contentTypeTag = SECOID_FindOID(&(cinfo->contentType));
@@ -294,11 +324,17 @@ NSS_CMSContentInfo_GetContentTypeTag(NSSCMSContentInfo *cinfo)
SECItem *
NSS_CMSContentInfo_GetContentTypeOID(NSSCMSContentInfo *cinfo)
{
- if (cinfo->contentTypeTag == NULL)
+ if (cinfo == NULL) {
+ return NULL;
+ }
+
+ if (cinfo->contentTypeTag == NULL) {
cinfo->contentTypeTag = SECOID_FindOID(&(cinfo->contentType));
+ }
- if (cinfo->contentTypeTag == NULL)
+ if (cinfo->contentTypeTag == NULL) {
return NULL;
+ }
return &(cinfo->contentTypeTag->oid);
}
@@ -310,8 +346,13 @@ NSS_CMSContentInfo_GetContentTypeOID(NSSCMSContentInfo *cinfo)
SECOidTag
NSS_CMSContentInfo_GetContentEncAlgTag(NSSCMSContentInfo *cinfo)
{
- if (cinfo->contentEncAlgTag == SEC_OID_UNKNOWN)
+ if (cinfo == NULL) {
+ return SEC_OID_UNKNOWN;
+ }
+
+ if (cinfo->contentEncAlgTag == SEC_OID_UNKNOWN) {
cinfo->contentEncAlgTag = SECOID_GetAlgorithmTag(&(cinfo->contentEncAlg));
+ }
return cinfo->contentEncAlgTag;
}
@@ -322,6 +363,10 @@ NSS_CMSContentInfo_GetContentEncAlgTag(NSSCMSContentInfo *cinfo)
SECAlgorithmID *
NSS_CMSContentInfo_GetContentEncAlg(NSSCMSContentInfo *cinfo)
{
+ if (cinfo == NULL) {
+ return NULL;
+ }
+
return &(cinfo->contentEncAlg);
}
@@ -330,10 +375,14 @@ NSS_CMSContentInfo_SetContentEncAlg(PLArenaPool *poolp, NSSCMSContentInfo *cinfo
SECOidTag bulkalgtag, SECItem *parameters, int keysize)
{
SECStatus rv;
+ if (cinfo == NULL) {
+ return SECFailure;
+ }
rv = SECOID_SetAlgorithmID(poolp, &(cinfo->contentEncAlg), bulkalgtag, parameters);
- if (rv != SECSuccess)
+ if (rv != SECSuccess) {
return SECFailure;
+ }
cinfo->keysize = keysize;
return SECSuccess;
}
@@ -343,27 +392,42 @@ NSS_CMSContentInfo_SetContentEncAlgID(PLArenaPool *poolp, NSSCMSContentInfo *cin
SECAlgorithmID *algid, int keysize)
{
SECStatus rv;
+ if (cinfo == NULL) {
+ return SECFailure;
+ }
rv = SECOID_CopyAlgorithmID(poolp, &(cinfo->contentEncAlg), algid);
- if (rv != SECSuccess)
+ if (rv != SECSuccess) {
return SECFailure;
- if (keysize >= 0)
+ }
+ if (keysize >= 0) {
cinfo->keysize = keysize;
+ }
return SECSuccess;
}
void
NSS_CMSContentInfo_SetBulkKey(NSSCMSContentInfo *cinfo, PK11SymKey *bulkkey)
{
- cinfo->bulkkey = PK11_ReferenceSymKey(bulkkey);
- cinfo->keysize = PK11_GetKeyStrength(cinfo->bulkkey, &(cinfo->contentEncAlg));
+ if (cinfo == NULL) {
+ return;
+ }
+
+ if (bulkkey == NULL) {
+ cinfo->bulkkey = NULL;
+ cinfo->keysize = 0;
+ } else {
+ cinfo->bulkkey = PK11_ReferenceSymKey(bulkkey);
+ cinfo->keysize = PK11_GetKeyStrength(cinfo->bulkkey, &(cinfo->contentEncAlg));
+ }
}
PK11SymKey *
NSS_CMSContentInfo_GetBulkKey(NSSCMSContentInfo *cinfo)
{
- if (cinfo->bulkkey == NULL)
+ if (cinfo == NULL || cinfo->bulkkey == NULL) {
return NULL;
+ }
return PK11_ReferenceSymKey(cinfo->bulkkey);
}
@@ -371,5 +435,9 @@ NSS_CMSContentInfo_GetBulkKey(NSSCMSContentInfo *cinfo)
int
NSS_CMSContentInfo_GetBulkKeySize(NSSCMSContentInfo *cinfo)
{
+ if (cinfo == NULL) {
+ return 0;
+ }
+
return cinfo->keysize;
}
diff --git a/lib/smime/cmsdigdata.c b/lib/smime/cmsdigdata.c
index 9ea2270..a249686 100644
--- a/lib/smime/cmsdigdata.c
+++ b/lib/smime/cmsdigdata.c
@@ -56,7 +56,9 @@ void
NSS_CMSDigestedData_Destroy(NSSCMSDigestedData *digd)
{
/* everything's in a pool, so don't worry about the storage */
- NSS_CMSContentInfo_Destroy(&(digd->contentInfo));
+ if (digd != NULL) {
+ NSS_CMSContentInfo_Destroy(&(digd->contentInfo));
+ }
return;
}
diff --git a/lib/smime/cmsencdata.c b/lib/smime/cmsencdata.c
index d2fc335..f2a2746 100644
--- a/lib/smime/cmsencdata.c
+++ b/lib/smime/cmsencdata.c
@@ -87,7 +87,9 @@ void
NSS_CMSEncryptedData_Destroy(NSSCMSEncryptedData *encd)
{
/* everything's in a pool, so don't worry about the storage */
- NSS_CMSContentInfo_Destroy(&(encd->contentInfo));
+ if (encd != NULL) {
+ NSS_CMSContentInfo_Destroy(&(encd->contentInfo));
+ }
return;
}
diff --git a/lib/smime/cmsenvdata.c b/lib/smime/cmsenvdata.c
index d5d5c41..95b3fb9 100644
--- a/lib/smime/cmsenvdata.c
+++ b/lib/smime/cmsenvdata.c
@@ -144,6 +144,11 @@ NSS_CMSEnvelopedData_Encode_BeforeStart(NSSCMSEnvelopedData *envd)
poolp = envd->cmsg->poolp;
cinfo = &(envd->contentInfo);
+ if (cinfo == NULL) {
+ PORT_SetError(SEC_ERROR_BAD_DATA);
+ goto loser;
+ }
+
recipientinfos = envd->recipientInfos;
if (recipientinfos == NULL) {
PORT_SetError(SEC_ERROR_BAD_DATA);
diff --git a/lib/smime/cmsmessage.c b/lib/smime/cmsmessage.c
index f41a432..366b71a 100644
--- a/lib/smime/cmsmessage.c
+++ b/lib/smime/cmsmessage.c
@@ -96,6 +96,9 @@ NSS_CMSMessage_SetEncodingParams(NSSCMSMessage *cmsg,
void
NSS_CMSMessage_Destroy(NSSCMSMessage *cmsg)
{
+ if (cmsg == NULL)
+ return;
+
PORT_Assert(cmsg->refCount > 0);
if (cmsg->refCount <= 0) { /* oops */
return;
diff --git a/lib/smime/cmsudf.c b/lib/smime/cmsudf.c
index 3ef4268..5c8a81e 100644
--- a/lib/smime/cmsudf.c
+++ b/lib/smime/cmsudf.c
@@ -239,7 +239,7 @@ NSS_CMSGenericWrapperData_Destroy(SECOidTag type, NSSCMSGenericWrapperData *gd)
{
const nsscmstypeInfo *typeInfo = nss_cmstype_lookup(type);
- if (typeInfo && typeInfo->destroy) {
+ if (typeInfo && (typeInfo->destroy) && (gd != NULL)) {
(*typeInfo->destroy)(gd);
}
}
--
1.7.12.4

26
fix-core-dump-when-sigd-signerInfos-is-NULL.patch
View File

@ -1,26 +0,0 @@
From 0641f1a9351fdb06d7e5d19a48ad7fe6175713e7 Mon Sep 17 00:00:00 2001
From: guoxiaoqi <guoxiaoqi2@huawei.com>
Date: Thu, 30 Apr 2020 09:40:20 +0800
Subject: [PATCH] fix core dump when sigd->signerInfos is NULL
Signed-off-by: guoxiaoqi <guoxiaoqi2@huawei.com>
---
nss/lib/smime/cmssigdata.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/nss/lib/smime/cmssigdata.c b/nss/lib/smime/cmssigdata.c
index 7dd6ea4..32a8166 100644
--- a/nss/lib/smime/cmssigdata.c
+++ b/nss/lib/smime/cmssigdata.c
@@ -476,7 +476,7 @@ NSS_CMSSignedData_SignerInfoCount(NSSCMSSignedData *sigd)
NSSCMSSignerInfo *
NSS_CMSSignedData_GetSignerInfo(NSSCMSSignedData *sigd, int i)
{
- if (!sigd) {
+ if (!sigd || !sigd->signerInfos) {
PORT_SetError(SEC_ERROR_INVALID_ARGS);
return NULL;
}
--
1.8.3.1

BIN
nss-3.40.1.tar.gz
View File

Binary file not shown.

BIN
nss-3.54.tar.gz Normal file
View File

Binary file not shown.

4
nss-config
View File

@ -3,8 +3,8 @@
prefix=/usr
major_version=3
minor_version=40
patch_version=1
minor_version=54
patch_version=0
usage()
{

4
nss-softokn-config
View File

@ -3,8 +3,8 @@
prefix=/usr
major_version=3
minor_version=40
patch_version=1
minor_version=54
patch_version=0
usage()
{

4
nss-softokn.pc
View File

@ -5,7 +5,7 @@ includedir=/usr/include/nss3
Name: NSS-SOFTOKN
Description: Network Security Services Softoken PKCS #11 Module
Version: 3.40.1
Requires: nspr >= 4.20.0, nss-util >= 3.40.1
Version: 3.54
Requires: nspr >= 4.20.0, nss-util >= 3.54
Libs: -L${libdir} -lfreebl3 -lnssdbm3 -lsoftokn3
Cflags: -I${includedir}

4
nss-util-config
View File

@ -3,8 +3,8 @@
prefix=/usr
major_version=3
minor_version=40
patch_version=1
minor_version=54
patch_version=0
usage()
{

2
nss-util.pc
View File

@ -5,7 +5,7 @@ includedir=/usr/include/nss3
Name: NSS-UTIL
Description: Network Security Services Utility Library
Version: 3.40.1
Version: 3.54
Requires: nspr >= 4.20.0
Libs: -L${libdir} -lnssutil3
Cflags: -I${includedir}

4
nss.pc
View File

@ -5,7 +5,7 @@ includedir=/usr/include/nss3
Name: NSS
Description: Network Security Services
Version: 3.40.1
Requires: nspr >= 4.20.0, nss-util >= 3.40.1
Version: 3.54
Requires: nspr >= 4.20.0, nss-util >= 3.54
Libs: -L${libdir} -lssl3 -lsmime3 -lnss3
Cflags: -I${includedir}

39
nss.spec
View File

@ -1,5 +1,5 @@
%global nspr_version 4.20.0
%global nss_version 3.40.1
%global nss_version 3.54
%global unsupported_tools_directory %{_libdir}/nss/unsupported-tools
%global allTools "certutil cmsutil crlutil derdump modutil pk12util signtool signver ssltap vfychain vfyserv"
@ -8,11 +8,12 @@
%global dracut_conf_dir %{dracutlibdir}/dracut.conf.d
%bcond_with test
%bcond_without dbm
Summary: Network Security Services
Name: nss
Version: %{nss_version}
Release: 12
Release: 1
License: MPLv2.0
URL: http://www.mozilla.org/projects/security/pki/nss/
Provides: nss-system-init
@ -38,10 +39,6 @@ Source14: blank-key4.db
Source15: system-pkcs11.txt
Source16: setup-nsssysinit.sh
Patch0: nss-539183.patch
Patch1: Bug-1412829-reject-empty-supported_signature_algorit.patch
Patch2: Bug-1507135-Add-additional-null-checks-to-CMS-messag.patch
Patch3: Bug-1507174-Add-additional-null-checks-to-other-CMS-.patch
Patch4: fix-core-dump-when-sigd-signerInfos-is-NULL.patch
%description
Network Security Services (NSS) is a set of libraries designed to
@ -126,14 +123,6 @@ Help document for NSS
%patch0 -p0 -b .539183
pushd nss
%patch1 -p1
%patch2 -p1
%patch3 -p1
popd
%patch4 -p1
%build
export NSS_FORCE_FIPS=1
@ -168,15 +157,17 @@ export NSPR_LIB_DIR=%{_libdir}
export NSS_USE_SYSTEM_SQLITE=1
export NSS_ALLOW_SSLKEYLOGFILE=1
%if %{with dbm}
%else
export NSS_DISABLE_DBM=1
%endif
%ifnarch noarch
%if 0%{__isa_bits} == 64
export USE_64=1
%endif
%endif
##### phase 2: build the rest of nss
make -C ./nss/coreconf
make -C ./nss/lib/dbm
# Set the policy file location
# if set NSS will always check for the policy file and load if it exists
@ -184,7 +175,8 @@ export POLICY_FILE="nss.config"
# location of the policy file
export POLICY_PATH="/etc/crypto-policies/back-ends"
make -C ./nss
make -C ./nss all
make -C ./nss latest
# build the man pages clean
pushd ./nss
@ -324,7 +316,7 @@ install -p -m 644 %{SOURCE14} $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb/key4.db
install -p -m 644 %{SOURCE15} $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb/pkcs11.txt
# Copy the binary libraries we want
for file in libnssutil3.so libsoftokn3.so libnssdbm3.so libfreebl3.so libfreeblpriv3.so libnss3.so libnsssysinit.so libsmime3.so libssl3.so
for file in libnssutil3.so libsoftokn3.so %{?with_dbm:libnssdbm3.so} libfreebl3.so libfreeblpriv3.so libnss3.so libnsssysinit.so libsmime3.so libssl3.so
do
install -p -m 755 dist/*.OBJ/lib/$file $RPM_BUILD_ROOT/%{_libdir}
done
@ -390,10 +382,10 @@ install -c -m 644 ./dist/docs/nroff/pp.1 $RPM_BUILD_ROOT%{_mandir}/man1/pp.1
#$RPM_BUILD_ROOT/%{unsupported_tools_directory}/shlibsign -i $RPM_BUILD_ROOT/%{_libdir}/libnssdbm3.so
%post
update-crypto-policies
update-crypto-policies &> /dev/null || :
%postun
update-crypto-policies
update-crypto-policies &>/dev/null||:
%files
%{!?_licensedir:%global license %%doc}
@ -516,8 +508,10 @@ update-crypto-policies
#%{_libdir}/libfreebl3.chk
%{_libdir}/libfreeblpriv3.so
#%{_libdir}/libfreeblpriv3.chk
%if %{with dbm}
%{_libdir}/libnssdbm3.so
#%{_libdir}/libnssdbm3.chk
%endif
%{_libdir}/libsoftokn3.so
#%{_libdir}/libsoftokn3.chk
%dir %{_libdir}/nss
@ -548,6 +542,9 @@ update-crypto-policies
%doc %{_mandir}/man*
%changelog
* Sat Aug 1 2020 Liquor <lirui130@huawei.com> - 3.54-1
- update to 3.54
* Thu Apr 30 2020 openEuler Buildteam <buildteam@openeuler.org> - 3.40.1-12
- fix core dump when sigd-signerInfos is NULL