Resolves: RHEL-103370

- restore CONCATENATE functions accidentally removed in the last patch
- fix big endian issue in tstclnt and selfserv in certificate compression
Robert Relyea 2025-08-01 11:02:59 -07:00
parent 9a73b38b2d
commit 79c4ab2fd8
3 changed files with 84 additions and 1 deletions


@ -200,5 +200,12 @@ SFTKFIPSAlgorithmList sftk_fips_mechs[] = {
offsetof(CK_SP800_108_KDF_PARAMS, prfType) }, offsetof(CK_SP800_108_KDF_PARAMS, prfType) },
{ CKM_NSS_SP800_108_DOUBLE_PIPELINE_KDF_DERIVE_DATA, { 112, CK_MAX, CKF_KDF }, 1, SFTKFIPSChkHashSp800, { CKM_NSS_SP800_108_DOUBLE_PIPELINE_KDF_DERIVE_DATA, { 112, CK_MAX, CKF_KDF }, 1, SFTKFIPSChkHashSp800,
offsetof(CK_SP800_108_KDF_PARAMS, prfType) }, offsetof(CK_SP800_108_KDF_PARAMS, prfType) },
/* concatentate fuctions used in hybrid operations */
/* The following functions add data at the end of a base key. If the base
* key is FIPS, and the resulting keys are strong enough, then the
* resulting key will also be FIPS and the resulting operations will be
* FIPS approved. */
{ CKM_CONCATENATE_BASE_AND_KEY, { 112, CK_MAX, CKF_DERIVE }, 1, SFTKFIPSNone },
{ CKM_CONCATENATE_BASE_AND_DATA, { 112, CK_MAX, CKF_DERIVE }, 1, SFTKFIPSNone },
}; };
const int SFTK_NUMBER_FIPS_ALGORITHMS = PR_ARRAY_SIZE(sftk_fips_mechs); const int SFTK_NUMBER_FIPS_ALGORITHMS = PR_ARRAY_SIZE(sftk_fips_mechs);
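Review bot: The comment above the two added entries has typos and states a condition the entries themselves do not show; `/* concatentate fuctions used in hybrid operations */` should read `/* concatenate functions used in hybrid operations */`. Both `CKM_CONCATENATE_BASE_AND_KEY` and `CKM_CONCATENATE_BASE_AND_DATA` are listed with `SFTKFIPSNone`, so the "base key is FIPS" requirement is presumably enforced somewhere outside this table. Naming that place in the comment would let a reader confirm that concatenating onto a non-approved base key cannot yield a key marked approved. The `sftk_fips_mechs[]` initializer begins outside the hunk.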


@ -0,0 +1,71 @@
diff --git a/cmd/selfserv/selfserv.c b/cmd/selfserv/selfserv.c
--- a/cmd/selfserv/selfserv.c
+++ b/cmd/selfserv/selfserv.c
@@ -2078,13 +2078,13 @@
if (!input || !input->data || input->len == 0 || !output || outputLen == 0) {
PR_SetError(SEC_ERROR_INVALID_ARGS, 0);
return SECFailure;
}
- *usedLen = outputLen;
-
- int ret = uncompress(output, (unsigned long *)usedLen, input->data, input->len);
+ unsigned long outputLenUL = outputLen;
+ int ret = uncompress(output, &outputLenUL, input->data, input->len);
+ *usedLen = outputLenUL;
if (ret != Z_OK) {
PR_SetError(SEC_ERROR_BAD_DATA, 0);
return SECFailure;
}
@@ -2100,11 +2100,13 @@
}
unsigned long maxCompressedLen = compressBound(input->len);
SECITEM_AllocItem(NULL, output, maxCompressedLen);
- int ret = compress(output->data, (unsigned long *)&output->len, input->data, input->len);
+ unsigned long outputLenUL = output->len;
+ int ret = compress(output->data, &outputLenUL, input->data, input->len);
+ output->len = outputLenUL;
if (ret != Z_OK) {
PR_SetError(SEC_ERROR_LIBRARY_FAILURE, 0);
return SECFailure;
}
diff --git a/cmd/tstclnt/tstclnt.c b/cmd/tstclnt/tstclnt.c
--- a/cmd/tstclnt/tstclnt.c
+++ b/cmd/tstclnt/tstclnt.c
@@ -1375,11 +1375,13 @@
}
unsigned long maxCompressedLen = compressBound(input->len);
SECITEM_AllocItem(NULL, output, maxCompressedLen);
- int ret = compress(output->data, (unsigned long *)&output->len, input->data, input->len);
+ unsigned long outputLenUL = output->len;
+ int ret = compress(output->data, &outputLenUL, input->data, input->len);
+ output->len = outputLenUL;
if (ret != Z_OK) {
PR_SetError(SEC_ERROR_LIBRARY_FAILURE, 0);
return SECFailure;
}
@@ -1394,13 +1396,13 @@
if (!input || !input->data || input->len == 0 || !output || outputLen == 0) {
PR_SetError(SEC_ERROR_INVALID_ARGS, 0);
return SECFailure;
}
- *usedLen = outputLen;
-
- int ret = uncompress(output, (unsigned long *)usedLen, input->data, input->len);
+ unsigned long outputLenUL = outputLen;
+ int ret = uncompress(output, &outputLenUL, input->data, input->len);
+ *usedLen = outputLenUL;
if (ret != Z_OK) {
PR_SetError(SEC_ERROR_BAD_DATA, 0);
return SECFailure;
}
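Review bot: In both compress hunks (selfserv.c at `@@ -2100,11 +2100,13 @@` and tstclnt.c at `@@ -1375,11 +1375,13 @@`) the new `unsigned long outputLenUL = output->len;` relies on `SECITEM_AllocItem(NULL, output, maxCompressedLen);` having succeeded, but its return value is ignored on the line above. Checking it, e.g. `if (SECITEM_AllocItem(NULL, output, maxCompressedLen) == NULL) return SECFailure;`, keeps `compress()` from being called with a buffer that was never allocated. The visible `ret != Z_OK` branch also returns without releasing `output`; if nothing later in the function does, `SECITEM_FreeItem(output, PR_FALSE);` before `return SECFailure;` would avoid leaving the buffer behind. The function bodies start and end outside the hunks.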


@ -1,6 +1,6 @@
%global nss_version 3.112.0 %global nss_version 3.112.0
%global nspr_version 4.36.0 %global nspr_version 4.36.0
%global baserelease 2 %global baserelease 3
%global nss_release %baserelease %global nss_release %baserelease
# NOTE: To avoid NVR clashes of nspr* packages: # NOTE: To avoid NVR clashes of nspr* packages:
# use "%%global nspr_release %%[%%baserelease+n]" to handle offsets when # use "%%global nspr_release %%[%%baserelease+n]" to handle offsets when
@ -188,6 +188,7 @@ Patch93: nss-3.112-add-ml-dsa-base-dsa.patch
Patch94: nss-3.112-add-ml-dsa-gtests-dsa.patch Patch94: nss-3.112-add-ml-dsa-gtests-dsa.patch
Patch95: nss-3.112-add-ml-dsa-ssl-support-dsa.patch Patch95: nss-3.112-add-ml-dsa-ssl-support-dsa.patch
Patch96: nss-3.112-fips-and-fixes.patch Patch96: nss-3.112-fips-and-fixes.patch
Patch97: nss-3.112-big-endian-compression-fix.patch
Patch100: nspr-config-pc.patch Patch100: nspr-config-pc.patch
Patch101: nspr-gcc-atomics.patch Patch101: nspr-gcc-atomics.patch
@ -1194,6 +1195,10 @@ update-crypto-policies &> /dev/null || :
%changelog %changelog
* Fri Aug 1 2025 Bob Relyea <rrelyea@redhat.com> - 3.112.0-3
- restore CONCATENATE functions accidentally remvoed in the last patch
- fix big endian issue in tstclnt and selfserv in certificate compression
* Wed Jul 30 2025 Bob Relyea <rrelyea@redhat.com> - 3.112.0-2 * Wed Jul 30 2025 Bob Relyea <rrelyea@redhat.com> - 3.112.0-2
- add fips required changes. - add fips required changes.
- fix bugs found by QE - fix bugs found by QE