From f328a1aae72e0adfc0dc390aa105cc4b8562230e Mon Sep 17 00:00:00 2001
From: Zhao Hang <wb-zh951434@alibaba-inc.com>
Date: Fri, 3 Dec 2021 10:44:19 +0800
Subject: [PATCH 1/2] update to nss-3.67.0-7.el8_4.src.rpm

Signed-off-by: Zhao Hang <wb-zh951434@alibaba-inc.com>
---
 nss-3.67-cve-2021-43527-test.patch | 325 +++++++++++++++++++++++++++++
 nss-3.67-cve-2021-43527.patch      | 279 +++++++++++++++++++++++++
 nss.spec                           |   9 +-
 3 files changed, 612 insertions(+), 1 deletion(-)
 create mode 100644 nss-3.67-cve-2021-43527-test.patch
 create mode 100644 nss-3.67-cve-2021-43527.patch

diff --git a/nss-3.67-cve-2021-43527-test.patch b/nss-3.67-cve-2021-43527-test.patch
new file mode 100644
index 0000000..51cb8e0
--- /dev/null
+++ b/nss-3.67-cve-2021-43527-test.patch
@@ -0,0 +1,325 @@
+diff --git a/tests/cert/Leaf-bogus-dsa.crt b/tests/cert/Leaf-bogus-dsa.crt
+new file mode 100644
+--- /dev/null
++++ b/tests/cert/Leaf-bogus-dsa.crt
+@@ -0,0 +1,143 @@
++-----BEGIN CERTIFICATE-----
++MIIaZzCCCkWgAwIBAgIBATALBgcqhkjOOAQDBQAwMTEvMC0GA1UEAxMmZGVjb2Rl
++RUNvckRTQVNpZ25hdHVyZS10ZXN0Q2FzZS90YXZpc28wHhcNMjEwMTAxMDAwMDAw
++WhcNNDEwMTAxMDAwMDAwWjAxMS8wLQYDVQQDEyZkZWNvZGVFQ29yRFNBU2lnbmF0
++dXJlLXRlc3RDYXNlL3RhdmlzbzCCCaYwggkaBgcqhkjOOAQBMIIJDQKBgQCqqqqq
++qqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqq
++qqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqq
++qqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqgKCCAEAu7u7u7u7u7u7u7u7u7u7
++u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
++u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
++u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
++u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
++u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
++u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
++u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
++u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
++u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
++u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
++u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
++u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
++u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
++u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
++u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
++u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
++u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
++u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
++u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
++u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
++u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
++u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
++u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
++u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
++u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
++u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
++u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
++u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
++u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
++u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
++u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
++u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
++u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
++u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
++u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
++u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
++u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
++u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
++u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
++u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
++u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
++u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
++u7u7u7u7u7u7u7u7u7u7u7sCgYEAzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzM
++zMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzM
++zMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzM
++zMzMzMwDgYUAAoGB3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d
++3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d
++3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3dMAkG
++ByqGSM44BAMDghAPADCCEAoCgggBAO7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
++7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
++7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
++7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
++7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
++7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
++7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
++7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
++7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
++7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
++7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
++7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
++7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
++7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
++7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
++7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
++7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
++7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
++7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
++7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
++7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
++7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
++7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
++7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
++7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
++7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
++7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
++7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
++7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
++7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
++7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
++7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
++7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
++7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
++7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
++7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
++7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
++7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
++7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
++7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
++7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
++7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
++7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
++7u7u7u7uAoIIAQD/////////////////////////////////////////////////
++////////////////////////////////////////////////////////////////
++////////////////////////////////////////////////////////////////
++////////////////////////////////////////////////////////////////
++////////////////////////////////////////////////////////////////
++////////////////////////////////////////////////////////////////
++////////////////////////////////////////////////////////////////
++////////////////////////////////////////////////////////////////
++////////////////////////////////////////////////////////////////
++////////////////////////////////////////////////////////////////
++////////////////////////////////////////////////////////////////
++////////////////////////////////////////////////////////////////
++////////////////////////////////////////////////////////////////
++////////////////////////////////////////////////////////////////
++////////////////////////////////////////////////////////////////
++////////////////////////////////////////////////////////////////
++////////////////////////////////////////////////////////////////
++////////////////////////////////////////////////////////////////
++////////////////////////////////////////////////////////////////
++////////////////////////////////////////////////////////////////
++////////////////////////////////////////////////////////////////
++////////////////////////////////////////////////////////////////
++////////////////////////////////////////////////////////////////
++////////////////////////////////////////////////////////////////
++////////////////////////////////////////////////////////////////
++////////////////////////////////////////////////////////////////
++////////////////////////////////////////////////////////////////
++////////////////////////////////////////////////////////////////
++////////////////////////////////////////////////////////////////
++////////////////////////////////////////////////////////////////
++////////////////////////////////////////////////////////////////
++////////////////////////////////////////////////////////////////
++////////////////////////////////////////////////////////////////
++////////////////////////////////////////////////////////////////
++////////////////////////////////////////////////////////////////
++////////////////////////////////////////////////////////////////
++////////////////////////////////////////////////////////////////
++////////////////////////////////////////////////////////////////
++////////////////////////////////////////////////////////////////
++////////////////////////////////////////////////////////////////
++////////////////////////////////////////////////////////////////
++////////////////////////////////////////////////////////////////
++/////////////////////////////////////////////////////////w==
++-----END CERTIFICATE-----
+diff --git a/tests/cert/Leaf-bogus-rsa-pss.crt b/tests/cert/Leaf-bogus-rsa-pss.crt
+new file mode 100644
+--- /dev/null
++++ b/tests/cert/Leaf-bogus-rsa-pss.crt
+@@ -0,0 +1,126 @@
++-----BEGIN CERTIFICATE-----
++MIIXODCCC/WgAwIBAgIBAjApBgkqhkiG9w0BAQowHKACMAChETAPBQAwCwYJYIZI
++AWUDBAIBogMCASAwNzEgMB4GCSqGSIb3DQEJARYRdGF2aXNvQGdvb2dsZS5jb20x
++EzARBgNVBAMTCmJ1ZzE3Mzc0NzAwHhcNMjAwMTAxMDAwMDAwWhcNNDAwMTAxMDAw
++MDAwWjA3MSAwHgYJKoZIhvcNAQkBFhF0YXZpc29AZ29vZ2xlLmNvbTETMBEGA1UE
++AxMKYnVnMTczNzQ3MDCCCywwDQYJKoZIhvcNAQEBBQADggsZADCCCxQCggsLAMRE
++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
++RERERERERERERERERERERERERERERERERERERERERERERERERERERQIDAQABMC4G
++CSqGSIb3DQEBCjAhoRowGAYJKoZIhvcNAQEIMAsGCSqGSIb3DQEBCqIDAgEgA4IL
++CwAAxVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVU=
++-----END CERTIFICATE-----
+diff --git a/tests/cert/cert.sh b/tests/cert/cert.sh
+--- a/tests/cert/cert.sh
++++ b/tests/cert/cert.sh
+@@ -114,16 +114,28 @@ certu()
+         cert_log "ERROR: ${CU_ACTION} failed $RET"
+     else
+         html_passed "${CU_ACTION}"
+     fi
+ 
+     return $RET
+ }
+ 
++cert_test_vfy()
++{
++  echo "$SCRIPTNAME: Verify large rsa pss signature --------------"
++  echo " vfychain -a  Leaf-bogus-dsa.crt"
++  vfychain -a  ${QADIR}/cert/Leaf-bogus-dsa.crt
++  html_msg $? 1 "Verify large dsa signature"
++  echo "$SCRIPTNAME: Verify large rsa pss signature --------------"
++  echo " vfychain -a  Leaf-bogus-rsa-pss.crt"
++  vfychain -a  ${QADIR}/cert/Leaf-bogus-rsa-pss.crt
++  html_msg $? 1 "Verify large rsa pss signature"
++}
++
+ ################################ crlu #################################
+ # local shell function to call crlutil, also: writes action and options to
+ # stdout, sets variable RET and writes results to the html file results
+ ########################################################################
+ crlu()
+ {
+     echo "$SCRIPTNAME: ${CU_ACTION} --------------------------"
+     
+@@ -2640,11 +2652,13 @@ if [ -z "$NSS_TEST_DISABLE_CRL" ] ; then
+ else
+     echo "$SCRIPTNAME: Skipping CRL Tests"
+ fi
+ 
+ if [ -n "$DO_DIST_ST" -a "$DO_DIST_ST" = "TRUE" ] ; then
+     cert_stresscerts
+ fi
+ 
++cert_test_vfy
++
+ cert_iopr_setup
+ 
+ cert_cleanup
diff --git a/nss-3.67-cve-2021-43527.patch b/nss-3.67-cve-2021-43527.patch
new file mode 100644
index 0000000..8fc81d3
--- /dev/null
+++ b/nss-3.67-cve-2021-43527.patch
@@ -0,0 +1,279 @@
+diff --git a/lib/cryptohi/secvfy.c b/lib/cryptohi/secvfy.c
+--- a/lib/cryptohi/secvfy.c
++++ b/lib/cryptohi/secvfy.c
+@@ -164,6 +164,37 @@
+         PR_FALSE /*XXX: unsafeAllowMissingParameters*/);
+ }
+ 
++static unsigned int
++checkedSignatureLen(const SECKEYPublicKey *pubk)
++{
++    unsigned int sigLen = SECKEY_SignatureLen(pubk);
++    if (sigLen == 0) {
++        /* Error set by SECKEY_SignatureLen */
++        return sigLen;
++    }
++    unsigned int maxSigLen;
++    switch (pubk->keyType) {
++        case rsaKey:
++        case rsaPssKey:
++            maxSigLen = (RSA_MAX_MODULUS_BITS + 7) / 8;
++            break;
++        case dsaKey:
++            maxSigLen = DSA_MAX_SIGNATURE_LEN;
++            break;
++        case ecKey:
++            maxSigLen = 2 * MAX_ECKEY_LEN;
++            break;
++        default:
++            PORT_SetError(SEC_ERROR_UNSUPPORTED_KEYALG);
++            return 0;
++    }
++    if (sigLen > maxSigLen) {
++        PORT_SetError(SEC_ERROR_INVALID_KEY);
++        return 0;
++    }
++    return sigLen;
++}
++
+ /*
+  * decode the ECDSA or DSA signature from it's DER wrapping.
+  * The unwrapped/raw signature is placed in the buffer pointed
+@@ -174,38 +205,38 @@
+                        unsigned int len)
+ {
+     SECItem *dsasig = NULL; /* also used for ECDSA */
+-    SECStatus rv = SECSuccess;
+ 
+-    if ((algid != SEC_OID_ANSIX9_DSA_SIGNATURE) &&
+-        (algid != SEC_OID_ANSIX962_EC_PUBLIC_KEY)) {
+-        if (sig->len != len) {
+-            PORT_SetError(SEC_ERROR_BAD_DER);
+-            return SECFailure;
++    /* Safety: Ensure algId is as expected and that signature size is within maxmimums */
++    if (algid == SEC_OID_ANSIX9_DSA_SIGNATURE) {
++        if (len > DSA_MAX_SIGNATURE_LEN) {
++            goto loser;
+         }
+-
+-        PORT_Memcpy(dsig, sig->data, sig->len);
+-        return SECSuccess;
++    } else if (algid == SEC_OID_ANSIX962_EC_PUBLIC_KEY) {
++        if (len > MAX_ECKEY_LEN * 2) {
++            goto loser;
++        }
++    } else {
++        goto loser;
+     }
+ 
+-    if (algid == SEC_OID_ANSIX962_EC_PUBLIC_KEY) {
+-        if (len > MAX_ECKEY_LEN * 2) {
+-            PORT_SetError(SEC_ERROR_BAD_DER);
+-            return SECFailure;
+-        }
++    /* Decode and pad to length */
++    dsasig = DSAU_DecodeDerSigToLen((SECItem *)sig, len);
++    if (dsasig == NULL) {
++        goto loser;
+     }
+-    dsasig = DSAU_DecodeDerSigToLen((SECItem *)sig, len);
+-
+-    if ((dsasig == NULL) || (dsasig->len != len)) {
+-        rv = SECFailure;
+-    } else {
+-        PORT_Memcpy(dsig, dsasig->data, dsasig->len);
++    if (dsasig->len != len) {
++        SECITEM_FreeItem(dsasig, PR_TRUE);
++        goto loser;
+     }
+ 
+-    if (dsasig != NULL)
+-        SECITEM_FreeItem(dsasig, PR_TRUE);
+-    if (rv == SECFailure)
+-        PORT_SetError(SEC_ERROR_BAD_DER);
+-    return rv;
++    PORT_Memcpy(dsig, dsasig->data, len);
++    SECITEM_FreeItem(dsasig, PR_TRUE);
++
++    return SECSuccess;
++
++loser:
++    PORT_SetError(SEC_ERROR_BAD_DER);
++    return SECFailure;
+ }
+ 
+ const SEC_ASN1Template hashParameterTemplate[] =
+@@ -281,7 +312,7 @@
+ sec_DecodeSigAlg(const SECKEYPublicKey *key, SECOidTag sigAlg,
+                  const SECItem *param, SECOidTag *encalgp, SECOidTag *hashalg)
+ {
+-    int len;
++    unsigned int len;
+     PLArenaPool *arena;
+     SECStatus rv;
+     SECItem oid;
+@@ -466,48 +497,52 @@
+     cx->pkcs1RSADigestInfo = NULL;
+     rv = SECSuccess;
+     if (sig) {
+-        switch (type) {
+-            case rsaKey:
+-                rv = recoverPKCS1DigestInfo(hashAlg, &cx->hashAlg,
+-                                            &cx->pkcs1RSADigestInfo,
+-                                            &cx->pkcs1RSADigestInfoLen,
+-                                            cx->key,
+-                                            sig, wincx);
+-                break;
+-            case rsaPssKey:
+-                sigLen = SECKEY_SignatureLen(key);
+-                if (sigLen == 0) {
+-                    /* error set by SECKEY_SignatureLen */
+-                    rv = SECFailure;
++        rv = SECFailure;
++        if (type == rsaKey) {
++            rv = recoverPKCS1DigestInfo(hashAlg, &cx->hashAlg,
++                                        &cx->pkcs1RSADigestInfo,
++                                        &cx->pkcs1RSADigestInfoLen,
++                                        cx->key,
++                                        sig, wincx);
++        } else {
++            sigLen = checkedSignatureLen(key);
++            /* Check signature length is within limits */
++            if (sigLen == 0) {
++                /* error set by checkedSignatureLen */
++                rv = SECFailure;
++                goto loser;
++            }
++            if (sigLen > sizeof(cx->u)) {
++                PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
++                rv = SECFailure;
++                goto loser;
++            }
++            switch (type) {
++                case rsaPssKey:
++                    if (sig->len != sigLen) {
++                        PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
++                        rv = SECFailure;
++                        goto loser;
++                    }
++                    PORT_Memcpy(cx->u.buffer, sig->data, sigLen);
++                    rv = SECSuccess;
+                     break;
+-                }
+-                if (sig->len != sigLen) {
+-                    PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
++                case ecKey:
++                case dsaKey:
++                    /* decodeECorDSASignature will check sigLen == sig->len after padding */
++                    rv = decodeECorDSASignature(encAlg, sig, cx->u.buffer, sigLen);
++                    break;
++                default:
++                    /* Unreachable */
+                     rv = SECFailure;
+-                    break;
+-                }
+-                PORT_Memcpy(cx->u.buffer, sig->data, sigLen);
+-                break;
+-            case dsaKey:
+-            case ecKey:
+-                sigLen = SECKEY_SignatureLen(key);
+-                if (sigLen == 0) {
+-                    /* error set by SECKEY_SignatureLen */
+-                    rv = SECFailure;
+-                    break;
+-                }
+-                rv = decodeECorDSASignature(encAlg, sig, cx->u.buffer, sigLen);
+-                break;
+-            default:
+-                rv = SECFailure;
+-                PORT_SetError(SEC_ERROR_UNSUPPORTED_KEYALG);
+-                break;
++                    goto loser;
++            }
++        }
++        if (rv != SECSuccess) {
++            goto loser;
+         }
+     }
+ 
+-    if (rv)
+-        goto loser;
+-
+     /* check hash alg again, RSA may have changed it.*/
+     if (HASH_GetHashTypeByOidTag(cx->hashAlg) == HASH_AlgNULL) {
+         /* error set by HASH_GetHashTypeByOidTag */
+@@ -650,11 +685,16 @@
+     switch (cx->key->keyType) {
+         case ecKey:
+         case dsaKey:
+-            dsasig.data = cx->u.buffer;
+-            dsasig.len = SECKEY_SignatureLen(cx->key);
++            dsasig.len = checkedSignatureLen(cx->key);
+             if (dsasig.len == 0) {
+                 return SECFailure;
+             }
++            if (dsasig.len > sizeof(cx->u)) {
++                PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
++                return SECFailure;
++            }
++            dsasig.data = cx->u.buffer;
++
+             if (sig) {
+                 rv = decodeECorDSASignature(cx->encAlg, sig, dsasig.data,
+                                             dsasig.len);
+@@ -686,8 +726,13 @@
+                 }
+ 
+                 rsasig.data = cx->u.buffer;
+-                rsasig.len = SECKEY_SignatureLen(cx->key);
++                rsasig.len = checkedSignatureLen(cx->key);
+                 if (rsasig.len == 0) {
++                    /* Error set by checkedSignatureLen */
++                    return SECFailure;
++                }
++                if (rsasig.len > sizeof(cx->u)) {
++                    PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
+                     return SECFailure;
+                 }
+                 if (sig) {
+@@ -749,7 +794,6 @@
+     SECStatus rv;
+     VFYContext *cx;
+     SECItem dsasig; /* also used for ECDSA */
+-
+     rv = SECFailure;
+ 
+     cx = vfy_CreateContext(key, sig, encAlg, hashAlg, NULL, wincx);
+@@ -757,19 +801,25 @@
+         switch (key->keyType) {
+             case rsaKey:
+                 rv = verifyPKCS1DigestInfo(cx, digest);
++                /* Error (if any) set by verifyPKCS1DigestInfo */
+                 break;
+-            case dsaKey:
+             case ecKey:
++            case dsaKey:
+                 dsasig.data = cx->u.buffer;
+-                dsasig.len = SECKEY_SignatureLen(cx->key);
++                dsasig.len = checkedSignatureLen(cx->key);
+                 if (dsasig.len == 0) {
++                    /* Error set by checkedSignatureLen */
++                    rv = SECFailure;
+                     break;
+                 }
+-                if (PK11_Verify(cx->key, &dsasig, (SECItem *)digest, cx->wincx) !=
+-                    SECSuccess) {
++                if (dsasig.len > sizeof(cx->u)) {
+                     PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
+-                } else {
+-                    rv = SECSuccess;
++                    rv = SECFailure;
++                    break;
++                }
++                rv = PK11_Verify(cx->key, &dsasig, (SECItem *)digest, cx->wincx);
++                if (rv != SECSuccess) {
++                    PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
+                 }
+                 break;
+             default:
+
diff --git a/nss.spec b/nss.spec
index f4b6b5d..3f000bc 100644
--- a/nss.spec
+++ b/nss.spec
@@ -47,7 +47,7 @@ rpm.define(string.format("nss_release_tag NSS_%s_RTM",
 Summary:          Network Security Services
 Name:             nss
 Version:          %{nss_version}
-Release:          6%{?dist}
+Release:          7%{?dist}
 License:          MPLv2.0
 URL:              http://www.mozilla.org/projects/security/pki/nss/
 Requires:         nspr >= %{nspr_version}
@@ -157,6 +157,10 @@ Patch233:         nss-3.67-fix-coverity-issues.patch
 Patch234:         nss-3.67-fix-sdb-timeout.patch
 # no upstream bug yet
 Patch235:         nss-3.67-fix-ssl-alerts.patch
+Patch300:         nss-3.67-cve-2021-43527.patch
+Patch301:         nss-3.67-cve-2021-43527-test.patch
+
+
 
 %description
 Network Security Services (NSS) is a set of libraries designed to
@@ -928,6 +932,9 @@ update-crypto-policies --no-reload &> /dev/null || :
 
 
 %changelog
+* Thu Nov 18 2021 Bob Relyea <rrelyea@redhat.com> - 3.67.0-7
+- Fix CVE 2021 43527
+
 * Tue Jul 6 2021 Bob Relyea <rrelyea@redhat.com> - 3.67.0-6
 - Fix ssl alert issue
 
-- 
Gitee


From 8c557cfcfa89a916202aa3c02b42a9de2738ee7b Mon Sep 17 00:00:00 2001
From: Liwei Ge <geliwei@openanolis.org>
Date: Thu, 11 Feb 2021 08:54:01 +0800
Subject: [PATCH 2/2] build: renew two chains libpkix test certificates

https://github.com/nss-dev/nss/commit/e24c7f21749e4d203e0e0f8a3433ca021ae11bda

Signed-off-by: Liwei Ge <geliwei@openanolis.org>
Change-Id: Ide40fcbed416d86363267393380a97a727ab7191
(cherry picked from commit 91cadf3c7a89341f2782b9f87cc43b7a742ebef6)
Signed-off-by: zhangbinchen <zhangbinchen@openanolis.org>
(cherry picked from commit 85caea6630cc3abb4bb56ecbb7a4195dc185bc25)
Signed-off-by: zhangbinchen <zhangbinchen@openanolis.org>
---
 0001-nss-anolis-nameconstraints.patch |  30 ++++++++++++++++++++++++++
 NameConstraints.ipaca.cert            | Bin 0 -> 1000 bytes
 NameConstraints.ocsp1.cert            | Bin 0 -> 956 bytes
 nss.spec                              |  15 ++++++++++++-
 4 files changed, 44 insertions(+), 1 deletion(-)
 create mode 100644 0001-nss-anolis-nameconstraints.patch
 create mode 100644 NameConstraints.ipaca.cert
 create mode 100644 NameConstraints.ocsp1.cert

diff --git a/0001-nss-anolis-nameconstraints.patch b/0001-nss-anolis-nameconstraints.patch
new file mode 100644
index 0000000..a2ae8a2
--- /dev/null
+++ b/0001-nss-anolis-nameconstraints.patch
@@ -0,0 +1,30 @@
+--- a/tests/chains/scenarios/nameconstraints.cfg
++++ b/tests/chains/scenarios/nameconstraints.cfg
+@@ -154,17 +154,25 @@ verify NameConstraints.server17:x
+ # Subject: "C = US, ST=CA, O=Foo CN=foo.example.com"
+ verify NameConstraints.dcissblocked:x
+   result fail
+ 
+ # Subject: "C = US, ST=CA, O=Foo CN=foo.example.fr"
+ verify NameConstraints.dcissallowed:x
+   result pass
+ 
+-# Subject: "O = IPA.LOCAL 201901211552, CN = OCSP Subsystem"
++# Subject: "O = IPA.LOCAL 20200120, CN = OCSP and IPSEC"
++# EKUs: OCSPSigning,ipsecUser
+ #
+ # This tests that a non server certificate (i.e. id-kp-serverAuth
+ # not present in EKU) does *NOT* have CN treated as dnsName for
+-# purposes of Name Constraints validation
++# purposes of Name Constraints validation (certificateUsageStatusResponder)
++# https://hg.mozilla.org/projects/nss/rev/0b30eb1c3650
+ verify NameConstraints.ocsp1:x
+   usage 10
+   result pass
+ 
++# This tests that a non server certificate (i.e. id-kp-serverAuth
++# not present in EKU) does *NOT* have CN treated as dnsName for
++# purposes of Name Constraints validation (certificateUsageIPsec)
++verify NameConstraints.ocsp1:x
++ usage 12
++ result pass
diff --git a/NameConstraints.ipaca.cert b/NameConstraints.ipaca.cert
new file mode 100644
index 0000000000000000000000000000000000000000..4a451f3429d25ab6d3a9cb00b2f005118f7cac08
GIT binary patch
literal 1000
zcmXqLVt!)K#B^o>GZP~d6DPy|^k+KryEhsc@Un4gwRyCC=VfH%W@Rw&GL$xuWMd9x
z;Sv_|3~<!*@ppFgQ7|$vGBhwWGBD&e-~>ss2{VNT8_F5TfH=&;qRy#BC7EfN$%!SY
z3XY{E8Tmz-C6xvW;=EvOMg|6kmc}Mg68uIWGmMNZp#oI3t%*?y*)xo+49rc8{0s(7
zj9g4jjEoG=^1s)l`)r?{?G*K{efrz@^y51jSY#?Qrv7h?HS|xJwyR@Kb#XoSS;k@`
zsnyQM3ryGy#WsHSVY$Dg^{G_h`%Mr31m-(W;crQ1^qduS#_$YF{p|^7gJ%S~&q!HW
zm(3G@CaCp?<;oYmA#W!&GCx=N{6P0c-oNwp#+pmdoLYZ0GCC^kL&QoMpHn;Sj(>Qe
z^hQm=O0D0%H-6Ih3kIU0fhJcnWwxL0RlXc-l2#_+w#?P(S@YRe@9B#!@pBZMNXePs
z#64l9Oa=R2fe+QeDM|AR{Ml+s&wNX=u{yg}=;L43N9z-pu=4KysD4%b=6dyoUg<0!
z52apDsQdXg`^iRm&1dslnV1<F7#BC5GH5(*zypjoSz#7d17=3X{|2%k9v_Psi-^sH
zi!Zxc-CjtXDEVu|>eyHr_^;KV3M8$}QfyGzfK|alza>7@jL9aX)Co#pvT{I2vIrRn
zEZ{TXY2wn$EJ)PL$xlwqL5^-<+66{8BSWu1di8`|O}m!dVwtxpYDH(l^O)n^EA4l3
z2Rcm5V9HPnT;@5OTT`YgmH*njX#oeAOsrSN+As3`-O|vv$fQhr`L8dpcAUF7(@-ym
zp*GO$s#)TcbR|ob^_L{HZ|84+p?QqM+2n2c1(x(BcbIl*#%b-UdvaBi_t0<N_q$hp
z`d>78nTmLQ-nt@LY0vHRrzwT}_?+z8Sn%C=^~-miMw^$+=01`oQa<@mMQC2xlwb3s
zR5$K8d`&sC<Z{H~&IqqdBBEWV{@i{cGUZ(Q)<c#vi!KMAN*2}IW;jd#lT7cn#>uu8
oe}au0v=w%&75+F|gzv*HC4Yeh^Q0HMr%t--6)E;wBf+r-0MfH^bpQYW

literal 0
HcmV?d00001

diff --git a/NameConstraints.ocsp1.cert b/NameConstraints.ocsp1.cert
new file mode 100644
index 0000000000000000000000000000000000000000..817faafe3d2b5cd197a5c1dbeaf1db48ff37e689
GIT binary patch
literal 956
zcmXqLV%}lU#I#@mGZP~d6C<AiFB_*;n@8JsUPeZ4Rt5tvLums^Hs(+kE@2_h07pF^
ze`iM@1tS9^Ljyx214C{DPLL#<FjHu-p`3vXh{G%_>YQ3sl9`s7oLG{o;8<FckzbTq
zQfZ(d&I{HC)NN#FY!M~FZ)5~C!^prCDq!G@Y9L;##SKIuw(<Ep2L~u5=A|fj1_Zl0
z8#FO0A^U=nm4Ug5k)Hu5&c)Qk$jESNh9H+_`=WNQg?pt+eyBa#f0Dt~!(pf5h6$d*
zCsh`A&6Ow(Ouu`l{*?X_&6l6+-^-TOhG|)APYBhT_*yKJXGi3bU*1LznRBKbmHe*p
z*6~BLyubd-`a^;?OAj206$$+z&%1}WEHAPDKpyj?FJIPd=WRJ1BYE=K!<CJ3*J5Ot
zs*6l=?p`<8WdD)j>Ac;~-c6dZEaac<<uAR#x_+vU<}H`LdwGl3)~)<{>eaGrw!hs1
zgg3m&C^9fMpJc|U*m+dr%fr>x(`6WMAJORRJm<6F&-=_Tr;4sQRNqM5+4iER$MVO7
zwChE|+i&@vdEGD0{JLUa1aD?9_r2PEpCo3@TRCO!V<u)s2FAsWYYiG#fn!frn1#uJ
z!GI4KnzH<ijQ?3!n3>oP7$|`Fsvy3Yfe0IiHX9==D?2kMoW*V+3sS+yBE}-3Iz=Hn
zCpT)Eh^%<Dp_uFjshq?e2G%g8jEpS$2D%2?Funm}n|ww|Nr9EVer7?UZgQd?kkZS^
zPfpCyPfpa&PcAMn;Ai86*l57W%EAOph^Xlj7^92~JNE9FDY0Nzg!wzi4bzt$J+?2L
zw`)<UcIyLvordxYZypHE_;x3+NLQnCXUq9FH>UCNYsNQno#Yh1#I<RS%r58f_Uww)
z311APmvOS3oZ);-@ba7PJRSMdrw*QLF<g?dAn9cK<mUfotf!AZYH44*?s4}#(GA)v
z#V71_9xXdl>3Hpy*TuuT*d88?4VfwNLUQ`o&2f9Ir#WocdfMjS#%!<h6lcdJtBkvr
zZ+W;}HDEgb+Rv`K+<M}&zuX$^qrbntbNmU5z0?1zPd!h~+v%ySc7ES~y`%CKuPxqK
vMps(vMjNSSC6$HV517@Gyyu`~$MngkA8c=z6N#P`Q1tN0;&PF0A@=|PwAobl

literal 0
HcmV?d00001

diff --git a/nss.spec b/nss.spec
index 3f000bc..8b98f63 100644
--- a/nss.spec
+++ b/nss.spec
@@ -6,6 +6,7 @@
 %global dracutlibdir %{_prefix}/lib/dracut
 %global dracut_modules_dir %{dracutlibdir}/modules.d/05nss-softokn/
 %global dracut_conf_dir %{dracutlibdir}/dracut.conf.d
+%define anolis_release .0.1
 
 # The timestamp of our downstream manual pages, e.g., nss-config.1
 %global manual_date "Nov 13 2013"
@@ -47,7 +48,7 @@ rpm.define(string.format("nss_release_tag NSS_%s_RTM",
 Summary:          Network Security Services
 Name:             nss
 Version:          %{nss_version}
-Release:          7%{?dist}
+Release:          7%{anolis_release}%{?dist}
 License:          MPLv2.0
 URL:              http://www.mozilla.org/projects/security/pki/nss/
 Requires:         nspr >= %{nspr_version}
@@ -94,6 +95,8 @@ Source26:         key4.db.xml
 Source27:         secmod.db.xml
 Source28:         nss-p11-kit.config
 Source30:         PayPalEE.cert
+Source31:         NameConstraints.ipaca.cert
+Source32:         NameConstraints.ocsp1.cert
 
 # To inject hardening flags for DSO
 Patch1:           nss-dso-ldflags.patch
@@ -161,6 +164,10 @@ Patch300:         nss-3.67-cve-2021-43527.patch
 Patch301:         nss-3.67-cve-2021-43527-test.patch
 
 
+# Add by Anolis
+#https://github.com/nss-dev/nss/commit/e24c7f21749e4d203e0e0f8a3433ca021ae11bda
+Patch1000:        0001-nss-anolis-nameconstraints.patch
+# End
 
 %description
 Network Security Services (NSS) is a set of libraries designed to
@@ -290,6 +297,8 @@ Header and library files for doing development with Network Security Services.
 %prep
 %autosetup -N -n %{name}-%{nss_archive_version}
 pushd nss
+cp -a %{SOURCE31} tests/libpkix/certs/
+cp -a %{SOURCE32} tests/libpkix/certs/
 %autopatch -p1
 popd
 
@@ -932,6 +941,10 @@ update-crypto-policies --no-reload &> /dev/null || :
 
 
 %changelog
+* Fri Dec 3 2021 zhangbinchen <zhangbinchen@openanolis.org> - 3.67.0-7.0.1
+- Renew two chains libpkix test certificates
+- cherry-pick [85caea6]
+
 * Thu Nov 18 2021 Bob Relyea <rrelyea@redhat.com> - 3.67.0-7
 - Fix CVE 2021 43527
 
-- 
Gitee