pool/mozilla-nss
SHA256
2
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Accepting request 1218810 from mozilla:Factory

Browse Source 
- update to NSS 3.105
  * bmo#1915792 - Allow importing PKCS#8 private EC keys missing public key
  * bmo#1909768 - UBSAN fix: applying zero offset to null pointer in sslsnce.c
  * bmo#1919577 - set KRML_MUSTINLINE=inline in makefile builds
  * bmo#1918965 - Don't set CKA_SIGN for CKK_EC_MONTGOMERY private keys
  * bmo#1918767 - override default definition of KRML_MUSTINLINE
  * bmo#1916525 - libssl support for mlkem768x25519
  * bmo#1916524 - support for ML-KEM-768 in softoken and pk11wrap
  * bmo#1866841 - Add Libcrux implementation of ML-KEM 768 to FreeBL
  * bmo#1911912 - Avoid misuse of ctype(3) functions
  * bmo#1917311 - part 2: run clang-format
  * bmo#1917311 - part 1: upgrade to clang-format 13
  * bmo#1916953 - clang-format fuzz
  * bmo#1910370 - DTLS client message buffer may not empty be on retransmit
  * bmo#1916413 - Optionally print config for TLS client and server
                  fuzz target
  * bmo#1916059 - Fix some simple documentation issues in NSS.
  * bmo#1915439 - improve performance of NSC_FindObjectsInit when
                  template has CKA_TOKEN attr
  * bmo#1912828 - define CKM_NSS_ECDHE_NO_PAIRWISE_CHECK_KEY_PAIR_GEN

OBS-URL: https://build.opensuse.org/request/show/1218810
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/mozilla-nss?expand=0&rev=223
This commit is contained in:
Ana Guerrero 2024-10-29 13:32:09 +00:00 committed by Git OBS Bridge
commit a7fdbb3a4f
11 changed files with 82 additions and 78 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

24
mozilla-nss.changes
View File

@ -1,3 +1,27 @@
-------------------------------------------------------------------
Sat Oct 26 08:07:03 UTC 2024 - Wolfgang Rosenauer <wr@rosenauer.org>
- update to NSS 3.105
* bmo#1915792 - Allow importing PKCS#8 private EC keys missing public key
* bmo#1909768 - UBSAN fix: applying zero offset to null pointer in sslsnce.c
* bmo#1919577 - set KRML_MUSTINLINE=inline in makefile builds
* bmo#1918965 - Don't set CKA_SIGN for CKK_EC_MONTGOMERY private keys
* bmo#1918767 - override default definition of KRML_MUSTINLINE
* bmo#1916525 - libssl support for mlkem768x25519
* bmo#1916524 - support for ML-KEM-768 in softoken and pk11wrap
* bmo#1866841 - Add Libcrux implementation of ML-KEM 768 to FreeBL
* bmo#1911912 - Avoid misuse of ctype(3) functions
* bmo#1917311 - part 2: run clang-format
* bmo#1917311 - part 1: upgrade to clang-format 13
* bmo#1916953 - clang-format fuzz
* bmo#1910370 - DTLS client message buffer may not empty be on retransmit
* bmo#1916413 - Optionally print config for TLS client and server
fuzz target
* bmo#1916059 - Fix some simple documentation issues in NSS.
* bmo#1915439 - improve performance of NSC_FindObjectsInit when
template has CKA_TOKEN attr
* bmo#1912828 - define CKM_NSS_ECDHE_NO_PAIRWISE_CHECK_KEY_PAIR_GEN
-------------------------------------------------------------------
Sun Sep 29 10:12:09 UTC 2024 - ecsos <ecsos@opensuse.org>

6
mozilla-nss.spec
View File

@ -17,15 +17,15 @@
#
%global nss_softokn_fips_version 3.104
%global nss_softokn_fips_version 3.105
%define NSPR_min_version 4.35
%define nspr_ver %(rpm -q --queryformat '%%{VERSION}' mozilla-nspr)
%define nssdbdir %{_sysconfdir}/pki/nssdb
%global crypto_policies_version 20210218
Name: mozilla-nss
Version: 3.104
Version: 3.105
Release: 0
%define underscore_version 3_104
%define underscore_version 3_105
Summary: Network Security Services
License: MPL-2.0
Group: System/Libraries

3
nss-3.104.tar.gz
View File

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:e2763223622d1e76b98a43030873856f248af0a41b03b2fa2ca06a91bc50ac8e
size 76468542

3
nss-3.105.tar.gz Normal file
View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:8e8e4c8c88ca5c828b207cfaf66c6188e7f96c97cc18946d3db7da4c0d395619
size 76620664

12
nss-fips-aes-keywrap-post.patch
View File

@ -57,11 +57,11 @@ Index: nss/lib/freebl/fipsfreebl.c
+ };
+
const PRUint8 *aes_ecb_known_ciphertext =
(aes_key_size == FIPS_AES_128_KEY_SIZE) ? aes_ecb128_known_ciphertext : (aes_key_size == FIPS_AES_192_KEY_SIZE) ? aes_ecb192_known_ciphertext : aes_ecb256_known_ciphertext;
@@ -374,11 +399,15 @@ freebl_fips_AES_PowerUpSelfTest(int aes_
const PRUint8 *aes_cmac_known_ciphertext =
(aes_key_size == FIPS_AES_128_KEY_SIZE) ? aes_cmac128_known_ciphertext : (aes_key_size == FIPS_AES_192_KEY_SIZE) ? aes_cmac192_known_ciphertext : aes_cmac256_known_ciphertext;
(aes_key_size == FIPS_AES_128_KEY_SIZE) ? aes_ecb128_known_ciphertext : (aes_key_size == FIPS_AES_192_KEY_SIZE) ? aes_ecb192_known_ciphertext
: aes_ecb256_known_ciphertext;
@@ -378,11 +403,15 @@ freebl_fips_AES_PowerUpSelfTest(int aes_
(aes_key_size == FIPS_AES_128_KEY_SIZE) ? aes_cmac128_known_ciphertext : (aes_key_size == FIPS_AES_192_KEY_SIZE) ? aes_cmac192_known_ciphertext
: aes_cmac256_known_ciphertext;
+ const PRUint8 *aes_keywrap_known_ciphertext =
+ (aes_key_size == FIPS_AES_128_KEY_SIZE) ? aes_kw128_known_ciphertext : (aes_key_size == FIPS_AES_192_KEY_SIZE) ? aes_kw192_known_ciphertext : aes_kw256_known_ciphertext;
@ -75,7 +75,7 @@ Index: nss/lib/freebl/fipsfreebl.c
unsigned int aes_bytes_encrypted;
unsigned int aes_bytes_decrypted;
CK_NSS_GCM_PARAMS gcmParams;
@@ -604,6 +633,52 @@ freebl_fips_AES_PowerUpSelfTest(int aes_
@@ -608,6 +637,52 @@ freebl_fips_AES_PowerUpSelfTest(int aes_
PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
return (SECFailure);
}

21
nss-fips-approved-crypto-non-ec.patch
View File

@ -405,7 +405,7 @@ Index: nss/lib/softoken/pkcs11c.c
/* RSA */
int public_modulus_bits = 0;
@@ -6036,11 +6041,11 @@ NSC_GenerateKeyPair(CK_SESSION_HANDLE hS
@@ -6038,11 +6043,11 @@ NSC_GenerateKeyPair(CK_SESSION_HANDLE hS
* created and linked.
*/
crv = sftk_handleObject(publicKey, session);
@ -418,7 +418,7 @@ Index: nss/lib/softoken/pkcs11c.c
return crv;
}
if (sftk_isTrue(privateKey, CKA_SENSITIVE)) {
@@ -6084,13 +6089,19 @@ NSC_GenerateKeyPair(CK_SESSION_HANDLE hS
@@ -6086,13 +6091,19 @@ NSC_GenerateKeyPair(CK_SESSION_HANDLE hS
sftk_FreeObject(publicKey);
NSC_DestroyObject(hSession, privateKey->handle);
sftk_FreeObject(privateKey);
@ -438,7 +438,7 @@ Index: nss/lib/softoken/pkcs11c.c
return CKR_OK;
}
@@ -7282,6 +7293,14 @@ sftk_HKDF(CK_HKDF_PARAMS_PTR params, CK_
@@ -7284,6 +7295,14 @@ sftk_HKDF(CK_HKDF_PARAMS_PTR params, CK_
return CKR_TEMPLATE_INCONSISTENT;
}
@ -453,7 +453,7 @@ Index: nss/lib/softoken/pkcs11c.c
/* sourceKey is NULL if we are called from the POST, skip the
* sensitiveCheck */
if (sourceKey != NULL) {
@@ -7330,7 +7349,8 @@ sftk_HKDF(CK_HKDF_PARAMS_PTR params, CK_
@@ -7332,7 +7351,8 @@ sftk_HKDF(CK_HKDF_PARAMS_PTR params, CK_
mech.pParameter = params;
mech.ulParameterLen = sizeof(*params);
key->isFIPS = sftk_operationIsFIPS(saltKey->slot, &mech,
@ -463,7 +463,7 @@ Index: nss/lib/softoken/pkcs11c.c
}
saltKey_att = sftk_FindAttribute(saltKey, CKA_VALUE);
if (saltKey_att == NULL) {
@@ -7372,7 +7392,7 @@ sftk_HKDF(CK_HKDF_PARAMS_PTR params, CK_
@@ -7374,7 +7394,7 @@ sftk_HKDF(CK_HKDF_PARAMS_PTR params, CK_
/* HKDF-Expand */
if (!params->bExpand) {
okm = prk;
@ -472,7 +472,7 @@ Index: nss/lib/softoken/pkcs11c.c
} else {
/* T(1) = HMAC-Hash(prk, "" | info | 0x01)
* T(n) = HMAC-Hash(prk, T(n-1) | info | n
@@ -7595,7 +7615,8 @@ NSC_DeriveKey(CK_SESSION_HANDLE hSession
@@ -7597,7 +7617,8 @@ NSC_DeriveKey(CK_SESSION_HANDLE hSession
return CKR_KEY_HANDLE_INVALID;
}
}
@ -482,7 +482,7 @@ Index: nss/lib/softoken/pkcs11c.c
switch (mechanism) {
/* get a public key from a private key. nsslowkey_ConvertToPublickey()
@@ -7796,7 +7817,7 @@ NSC_DeriveKey(CK_SESSION_HANDLE hSession
@@ -7798,7 +7819,7 @@ NSC_DeriveKey(CK_SESSION_HANDLE hSession
} else {
/* now allocate the hash contexts */
md5 = MD5_NewContext();
@ -491,7 +491,7 @@ Index: nss/lib/softoken/pkcs11c.c
PORT_Memset(crsrdata, 0, sizeof crsrdata);
crv = CKR_HOST_MEMORY;
break;
@@ -8185,6 +8206,7 @@ NSC_DeriveKey(CK_SESSION_HANDLE hSession
@@ -8187,6 +8208,7 @@ NSC_DeriveKey(CK_SESSION_HANDLE hSession
PORT_Assert(i <= sizeof key_block);
}
@ -931,8 +931,7 @@ Index: nss/lib/softoken/pkcs11u.c
+ }
+
/* we've already handled the curve selection in the 'getlength'
- * function */
+ * function */
* function */
return PR_TRUE;
+ }
case SFTKFIPSAEAD: {
@ -1070,7 +1069,7 @@ Index: nss/lib/softoken/pkcs11.c
===================================================================
--- nss.orig/lib/softoken/pkcs11.c
+++ nss/lib/softoken/pkcs11.c
@@ -574,17 +574,17 @@ static const struct mechanismList mechan
@@ -575,17 +575,17 @@ static const struct mechanismList mechan
{ CKM_TLS_MASTER_KEY_DERIVE, { 48, 48, CKF_DERIVE }, PR_FALSE },
{ CKM_TLS12_MASTER_KEY_DERIVE, { 48, 48, CKF_DERIVE }, PR_FALSE },
{ CKM_NSS_TLS_MASTER_KEY_DERIVE_SHA256,

6
nss-fips-cavs-dsa-fixes.patch
View File

@ -20,9 +20,9 @@ Index: nss/cmd/fipstest/fipstest.c
{
- char buf[800]; /* holds one line from the input REQUEST file
+ char buf[2048]; /* holds one line from the input REQUEST file
* or to the output RESPONSE file.
* 800 to hold seed = (384 public key (x2 for HEX)
*/
* or to the output RESPONSE file.
* 800 to hold seed = (384 public key (x2 for HEX)
*/
@@ -5591,6 +5591,13 @@ dsa_pqggen_test(char *reqfn)
PQGVerify *vfy = NULL;
unsigned int keySizeIndex = 0;

63
nss-fips-constructor-self-tests.patch
View File

@ -21,7 +21,7 @@ Index: nss/cmd/shlibsign/shlibsign.c
===================================================================
--- nss.orig/cmd/shlibsign/shlibsign.c
+++ nss/cmd/shlibsign/shlibsign.c
@@ -814,10 +814,12 @@ shlibSignDSA(CK_FUNCTION_LIST_PTR pFunct
@@ -818,10 +818,12 @@ shlibSignDSA(CK_FUNCTION_LIST_PTR pFunct
return crv;
}
@ -63,9 +63,9 @@ Index: nss/lib/freebl/blapi.h
/*********************************************************************/
extern const SECHashObject *HASH_GetRawHashObject(HASH_HashType hashType);
@@ -1944,6 +1944,9 @@ extern SECStatus ED_DerivePublicKey(cons
extern SECStatus X25519_DerivePublicKey(SECItem *privateKey, SECItem *publicKey);
@@ -1947,6 +1947,9 @@ extern SECStatus X25519_DerivePublicKey(
/* Public key derivation is supported only for the curves supporting pt_mul method. */
extern SECStatus EC_DerivePublicKey(const SECItem *privateKey, const ECParams *ecParams, SECItem *publicKey);
+/* Unconditionally run the integrity check. */
+extern void BL_FIPSRepeatIntegrityCheck(void);
@ -483,7 +483,7 @@ Index: nss/lib/freebl/fipsfreebl.c
/*
* different platforms have different ways of calling and initial entry point
* when the dll/.so is loaded. Most platforms support either a posix pragma
@@ -1663,38 +1670,39 @@ freebl_fips_DH_PowerUpSelfTest(void)
@@ -1667,38 +1674,39 @@ freebl_fips_DH_PowerUpSelfTest(void)
{
/* DH Known P (2048-bits) */
static const PRUint8 dh_known_P[] = {
@ -555,7 +555,7 @@ Index: nss/lib/freebl/fipsfreebl.c
};
static const PRUint8 dh_known_Y_1[] = {
@@ -1740,10 +1748,10 @@ freebl_fips_DH_PowerUpSelfTest(void)
@@ -1744,10 +1752,10 @@ freebl_fips_DH_PowerUpSelfTest(void)
};
static const PRUint8 dh_known_hash_result[] = {
@ -570,7 +570,7 @@ Index: nss/lib/freebl/fipsfreebl.c
};
/* DH variables. */
@@ -1807,17 +1815,19 @@ freebl_fips_RNG_PowerUpSelfTest(void)
@@ -1811,17 +1819,19 @@ freebl_fips_RNG_PowerUpSelfTest(void)
return (SECSuccess);
}
@ -591,7 +591,7 @@ Index: nss/lib/freebl/fipsfreebl.c
#define DO_FREEBL 1
#define DO_REST 2
@@ -1929,11 +1939,13 @@ static PRBool self_tests_ran = PR_FALSE;
@@ -1933,11 +1943,13 @@ static PRBool self_tests_ran = PR_FALSE;
static PRBool self_tests_freebl_success = PR_FALSE;
static PRBool self_tests_success = PR_FALSE;
@ -606,7 +606,7 @@ Index: nss/lib/freebl/fipsfreebl.c
{
SECStatus rv;
/* if the freebl self tests didn't run, there is something wrong with
@@ -1946,7 +1958,7 @@ BL_POSTRan(PRBool freebl_only)
@@ -1950,7 +1962,7 @@ BL_POSTRan(PRBool freebl_only)
return PR_TRUE;
}
/* if we only care about the freebl tests, we are good */
@ -615,7 +615,7 @@ Index: nss/lib/freebl/fipsfreebl.c
return PR_TRUE;
}
/* run the rest of the self tests */
@@ -1965,32 +1977,16 @@ BL_POSTRan(PRBool freebl_only)
@@ -1969,32 +1981,16 @@ BL_POSTRan(PRBool freebl_only)
return PR_TRUE;
}
@ -653,7 +653,7 @@ Index: nss/lib/freebl/fipsfreebl.c
self_tests_freebl_ran = PR_TRUE; /* we are running the tests */
if (!freebl_only) {
@@ -2002,20 +1998,55 @@ bl_startup_tests(void)
@@ -2006,20 +2002,55 @@ bl_startup_tests(void)
/* always run the post tests */
rv = freebl_fipsPowerUpSelfTest(freebl_only ? DO_FREEBL : DO_FREEBL | DO_REST);
if (rv != SECSuccess) {
@ -711,7 +711,7 @@ Index: nss/lib/freebl/fipsfreebl.c
}
/*
@@ -2024,19 +2055,12 @@ bl_startup_tests(void)
@@ -2028,19 +2059,12 @@ bl_startup_tests(void)
* power on selftest failed.
*/
SECStatus
@ -720,11 +720,11 @@ Index: nss/lib/freebl/fipsfreebl.c
{
-#ifdef NSS_NO_INIT_SUPPORT
- /* this should only be set on platforms that can't handle one of the INIT
- * schemes. This code allows those platforms to continue to function,
- * though they don't meet the strict NIST requirements. If NSS_NO_INIT_SUPPORT
- * is not set, and init support has not been properly enabled, freebl
- * will always fail because of the test below
- */
- * schemes. This code allows those platforms to continue to function,
- * though they don't meet the strict NIST requirements. If NSS_NO_INIT_SUPPORT
- * is not set, and init support has not been properly enabled, freebl
- * will always fail because of the test below
- */
+ /* For platforms that don't support on-load constructors */
if (!self_tests_freebl_ran) {
bl_startup_tests();
@ -733,7 +733,7 @@ Index: nss/lib/freebl/fipsfreebl.c
if (rerun) {
/* reset the flags */
self_tests_freebl_ran = PR_FALSE;
@@ -2050,10 +2074,89 @@ BL_FIPSEntryOK(PRBool freebl_only, PRBoo
@@ -2054,10 +2078,89 @@ BL_FIPSEntryOK(PRBool freebl_only, PRBoo
return SECSuccess;
}
/* standalone freebl can initialize */
@ -910,7 +910,7 @@ Index: nss/lib/freebl/loader.h
/* Version 3.013 came to here */
@@ -930,6 +930,9 @@ struct FREEBLVectorStr {
@@ -933,6 +933,9 @@ struct FREEBLVectorStr {
/* Add new function pointers at the end of this struct and bump
* FREEBL_VERSION at the beginning of this file. */
@ -962,7 +962,7 @@ Index: nss/lib/freebl/shvfy.c
static char *
mkCheckFileName(const char *libName)
{
@@ -288,19 +288,19 @@ readItem(PRFileDesc *fd, SECItem *item)
@@ -288,10 +288,10 @@ readItem(PRFileDesc *fd, SECItem *item)
return SECSuccess;
}
@ -974,10 +974,8 @@ Index: nss/lib/freebl/shvfy.c
+blapi_SHVerify(const char *name, PRFuncPtr addr, PRBool self, PRBool rerun, int *err)
{
PRBool result = PR_FALSE; /* if anything goes wrong,
- * the signature does not verify */
+ * the signature does not verify */
/* find our shared library name */
char *shName = PR_GetLibraryFilePathname(name, addr);
* the signature does not verify */
@@ -300,7 +300,7 @@ blapi_SHVerify(const char *name, PRFuncP
if (!shName) {
goto loser;
}
@ -1025,15 +1023,6 @@ Index: nss/lib/freebl/shvfy.c
{
char *checkName = NULL;
PRFileDesc *checkFD = NULL;
@@ -446,7 +446,7 @@ blapi_SHVerifyFile(const char *shName, P
int pid = 0;
#endif
PRBool result = PR_FALSE; /* if anything goes wrong,
- * the signature does not verify */
+ * the signature does not verify */
NSSSignChkHeader header;
#ifndef NSS_STRICT_INTEGRITY
DSAPublicKey key;
@@ -473,14 +473,17 @@ blapi_SHVerifyFile(const char *shName, P
/* open the check File */
checkFD = PR_Open(checkName, PR_RDONLY, 0);
@ -1085,7 +1074,7 @@ Index: nss/lib/freebl/shvfy.c
if (name == NULL) {
/*
@@ -640,7 +643,7 @@ BLAPI_VerifySelf(const char *name)
*/
*/
return PR_TRUE;
}
- return blapi_SHVerify(name, (PRFuncPtr)decodeInt, PR_TRUE, PR_FALSE);
@ -1541,10 +1530,10 @@ Index: nss/lib/freebl/ldvector.c
===================================================================
--- nss.orig/lib/freebl/ldvector.c
+++ nss/lib/freebl/ldvector.c
@@ -446,6 +446,9 @@ static const struct FREEBLVectorStr vect
@@ -449,6 +449,9 @@ static const struct FREEBLVectorStr vect
X25519_DerivePublicKey,
/* End of version 3.029 */
EC_DerivePublicKey,
/* End of version 3.030 */
+
+ /* SUSE patch: Goes last */
+ BL_FIPSRepeatIntegrityCheck

10
nss-fips-detect-fips-mode-fixes.patch
View File

@ -62,15 +62,7 @@ Index: nss/lib/sysinit/nsssysinit.c
===================================================================
--- nss.orig/lib/sysinit/nsssysinit.c
+++ nss/lib/sysinit/nsssysinit.c
@@ -178,16 +178,16 @@ getFIPSMode(void)
f = fopen("/proc/sys/crypto/fips_enabled", "r");
if (!f) {
/* if we don't have a proc flag, fall back to the
- * environment variable */
+ * environment variable */
return getFIPSEnv();
}
@@ -185,9 +185,9 @@ getFIPSMode(void)
size = fread(&d, 1, 1, f);
fclose(f);
if (size != 1)

2
nss-fips-pairwise-consistency-check.patch
View File

@ -25,7 +25,7 @@ Index: nss/lib/softoken/pkcs11c.c
/*
* FIPS 140-2 pairwise consistency check utilized to validate key pair.
@@ -6075,6 +6075,7 @@ NSC_GenerateKeyPair(CK_SESSION_HANDLE hS
@@ -6077,6 +6077,7 @@ NSC_GenerateKeyPair(CK_SESSION_HANDLE hS
(PRUint32)crv);
sftk_LogAuditMessage(NSS_AUDIT_ERROR, NSS_AUDIT_SELF_TEST, msg);
}

10
nss-fips-safe-memset.patch
View File

@ -58,7 +58,7 @@ Index: nss/lib/freebl/drbg.c
===================================================================
--- nss.orig/lib/freebl/drbg.c
+++ nss/lib/freebl/drbg.c
@@ -259,7 +259,7 @@ prng_initEntropy(void)
@@ -218,7 +218,7 @@ prng_initEntropy(void)
SHA256_Update(&ctx, block, sizeof(block));
SHA256_End(&ctx, globalrng->previousEntropyHash, NULL,
sizeof(globalrng->previousEntropyHash));
@ -67,7 +67,7 @@ Index: nss/lib/freebl/drbg.c
SHA256_DestroyContext(&ctx, PR_FALSE);
coRNGInitEntropy.status = PR_SUCCESS;
__sync_synchronize ();
@@ -311,8 +311,8 @@ prng_getEntropy(PRUint8 *buffer, size_t
@@ -270,8 +270,8 @@ prng_getEntropy(PRUint8 *buffer, size_t
}
out:
@ -78,7 +78,7 @@ Index: nss/lib/freebl/drbg.c
return rv;
}
@@ -458,8 +458,8 @@ prng_Hashgen(RNGContext *rng, PRUint8 *r
@@ -417,8 +417,8 @@ prng_Hashgen(RNGContext *rng, PRUint8 *r
PRNG_ADD_CARRY_ONLY(data, (sizeof data) - 1, carry);
SHA256_DestroyContext(&ctx, PR_FALSE);
}
@ -89,7 +89,7 @@ Index: nss/lib/freebl/drbg.c
}
/*
@@ -520,7 +520,7 @@ prng_generateNewBytes(RNGContext *rng,
@@ -479,7 +479,7 @@ prng_generateNewBytes(RNGContext *rng,
PRNG_ADD_CARRY_ONLY(rng->reseed_counter, (sizeof rng->reseed_counter) - 1, carry);
/* if the prng failed, don't return any output, signal softoken */
@ -266,7 +266,7 @@ Index: nss/lib/freebl/pqg.c
mp_clear(&c);
@@ -1221,7 +1221,7 @@ makeGfromIndex(HASH_HashType hashtype,
/* step 11.
* return valid G */
* return valid G */
cleanup:
- PORT_Memset(data, 0, sizeof(data));
+ PORT_SafeZero(data, sizeof(data));