rpms/nss
7
0
Fork 0
Code Issues Pull Requests Releases Activity

Resolves: RHEL-33511

Browse Source 
Fix QE discovered issues:
    1) need parameter to test certificate compression in selfserv and
       tstclient.
    2) pkcs12 encoding for pbamac adding a spurious IV as a parameter
       instead of an NULL.
This commit is contained in:
Robert Relyea 2024-08-01 09:40:19 -07:00
parent 47ca464b01
commit 7ca545e8ec
3 changed files with 1511 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1383
nss-3.101-add-certificate-compression-test.patch Normal file
View File

File diff suppressed because it is too large Load Diff

121
nss-3.101-fix-pkcs12-pbkdf1-encoding.patch Normal file
View File

@ -0,0 +1,121 @@
diff --git a/lib/pk11wrap/pk11mech.c b/lib/pk11wrap/pk11mech.c
--- a/lib/pk11wrap/pk11mech.c
+++ b/lib/pk11wrap/pk11mech.c
@@ -1710,20 +1710,26 @@ PK11_ParamToAlgid(SECOidTag algTag, SECI
case CKM_BATON_ECB96:
case CKM_BATON_CBC128:
case CKM_BATON_COUNTER:
case CKM_BATON_SHUFFLE:
case CKM_JUNIPER_ECB128:
case CKM_JUNIPER_CBC128:
case CKM_JUNIPER_COUNTER:
case CKM_JUNIPER_SHUFFLE:
- newParams = SEC_ASN1EncodeItem(NULL, NULL, param,
- SEC_ASN1_GET(SEC_OctetStringTemplate));
- if (newParams == NULL)
- break;
+ /* if no parameters have been supplied, then encode a NULL params
+ */
+ if (param && param->len > 0) {
+ newParams = SEC_ASN1EncodeItem(NULL, NULL, param,
+ SEC_ASN1_GET(SEC_OctetStringTemplate));
+ if (newParams == NULL)
+ break;
+ } else {
+ newParams = NULL;
+ }
rv = SECSuccess;
break;
}
if (rv != SECSuccess) {
if (newParams)
SECITEM_FreeItem(newParams, PR_TRUE);
return rv;
diff --git a/lib/pk11wrap/pk11pbe.c b/lib/pk11wrap/pk11pbe.c
--- a/lib/pk11wrap/pk11pbe.c
+++ b/lib/pk11wrap/pk11pbe.c
@@ -765,45 +765,53 @@ sec_pkcs5CreateAlgorithmID(SECOidTag alg
* algorithm is). We use choose this algorithm oid based on the
* cipherAlgorithm to determine what this should be (MAC1 or PBES2).
*/
if (algorithm == SEC_OID_PKCS5_PBKDF2) {
/* choose mac or pbes */
algorithm = sec_pkcs5v2_get_pbe(cipherAlgorithm);
}
+ SECOidTag hashAlg = HASH_GetHashOidTagByHMACOidTag(cipherAlgorithm);
+
/* set the PKCS5v2 specific parameters */
if (keyLength == 0) {
- SECOidTag hashAlg = HASH_GetHashOidTagByHMACOidTag(cipherAlgorithm);
if (hashAlg != SEC_OID_UNKNOWN) {
keyLength = HASH_ResultLenByOidTag(hashAlg);
} else {
keyLength = sec_pkcs5v2_default_key_length(cipherAlgorithm);
}
if (keyLength <= 0) {
goto loser;
}
}
/* currently SEC_OID_HMAC_SHA1 is the default */
if (prfAlg == SEC_OID_UNKNOWN) {
prfAlg = SEC_OID_HMAC_SHA1;
}
- /* build the PKCS5v2 cipher algorithm id */
- cipherParams = pk11_GenerateNewParamWithKeyLen(
- PK11_AlgtagToMechanism(cipherAlgorithm), keyLength);
- if (!cipherParams) {
- goto loser;
+ /* build the PKCS5v2 cipher algorithm id, if cipher
+ * is an HMAC, the cipherParams should be NULL */
+ if (hashAlg == SEC_OID_UNKNOWN) {
+ cipherParams = pk11_GenerateNewParamWithKeyLen(
+ PK11_AlgtagToMechanism(cipherAlgorithm), keyLength);
+ if (!cipherParams) {
+ goto loser;
+ }
+ } else {
+ cipherParams = NULL;
}
PORT_Memset(&pbeV2_param, 0, sizeof(pbeV2_param));
rv = PK11_ParamToAlgid(cipherAlgorithm, cipherParams,
poolp, &pbeV2_param.cipherAlgId);
- SECITEM_FreeItem(cipherParams, PR_TRUE);
+ if (cipherParams) {
+ SECITEM_FreeItem(cipherParams, PR_TRUE);
+ }
if (rv != SECSuccess) {
goto loser;
}
}
/* generate the parameter */
pbe_param = sec_pkcs5_create_pbe_parameter(pbeAlgorithm, salt, iteration,
keyLength, prfAlg);
diff --git a/lib/util/secalgid.c b/lib/util/secalgid.c
--- a/lib/util/secalgid.c
+++ b/lib/util/secalgid.c
@@ -50,17 +50,18 @@ SECOID_SetAlgorithmID(PLArenaPool *arena
PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
return SECFailure;
}
if (SECITEM_CopyItem(arena, &id->algorithm, &oiddata->oid))
return SECFailure;
if ((secoid_IsRSAPKCS1(which)) ||
- (HASH_GetHashTypeByOidTag(which) != HASH_AlgNULL)) {
+ (HASH_GetHashTypeByOidTag(which) != HASH_AlgNULL) /* ||
+ (HASH_GetHashOidTagByHMACOidTag(which) != SEC_OID_UNKNOWN) */) {
add_null_param = PR_TRUE;
} else {
add_null_param = PR_FALSE;
}
if (params) {
/*
* I am specifically *not* enforcing the following assertion

8
nss.spec
View File

@ -3,7 +3,7 @@
# NOTE: To avoid NVR clashes of nspr* packages: # NOTE: To avoid NVR clashes of nspr* packages:
# - reset %%{nspr_release} to 1, when updating %%{nspr_version} # - reset %%{nspr_release} to 1, when updating %%{nspr_version}
# - increment %%{nspr_version}, when updating the NSS part only # - increment %%{nspr_version}, when updating the NSS part only
%global baserelease 5 %global baserelease 6
%global nss_release %baserelease %global nss_release %baserelease
# use "%%global nspr_release %%[%%baserelease+n]" to handle offsets when # use "%%global nspr_release %%[%%baserelease+n]" to handle offsets when
# release number between nss and nspr are different. # release number between nss and nspr are different.
@ -184,6 +184,8 @@ Patch78: nss-3.101-fix-pkcs12-md5-decode.patch
Patch81: nss-3.101-fix-missing-size-checks.patch Patch81: nss-3.101-fix-missing-size-checks.patch
# https://bugzilla.mozilla.org/show_bug.cgi?id=1905691 # https://bugzilla.mozilla.org/show_bug.cgi?id=1905691
Patch82: nss-3.101-chacha-timing-fix.patch Patch82: nss-3.101-chacha-timing-fix.patch
Patch83: nss-3.101-add-certificate-compression-test.patch
Patch84: nss-3.101-fix-pkcs12-pbkdf1-encoding.patch
# RHEL-10 specific # RHEL-10 specific
Patch90: nss-3.101-disable_dsa.patch Patch90: nss-3.101-disable_dsa.patch
@ -1162,6 +1164,10 @@ fi
%changelog %changelog
* Thu Aug 1 2024 Bob Relyea <rrelyea@redhat.com> - 3.101.0-6
- fix param encoding in pkcs12 pbamac encoding
- add support for certificate compression in selfserv and tstclient
* Wed Jul 24 2024 Bob Relyea <rrelyea@redhat.com> - 3.101.0-5 * Wed Jul 24 2024 Bob Relyea <rrelyea@redhat.com> - 3.101.0-5
- Fix missing and inaccurate key length checks - Fix missing and inaccurate key length checks
- Fix chacha timing issue - Fix chacha timing issue