Related: RHEL-33511

- Fix PKCS #12 md5 issue
2024-07-19 15:19:38 -07:00 · 2024-07-19 15:19:38 -07:00 · 8324a0ed92
commit 8324a0ed92
parent 65ad00a57f
3 changed files with 48 additions and 1 deletions
--- a/nss-3.101-fix-pkcs12-md5-decode.patch
+++ b/nss-3.101-fix-pkcs12-md5-decode.patch
@ -0,0 +1,43 @@
+diff --git a/lib/util/nsshash.c b/lib/util/nsshash.c
+--- a/lib/util/nsshash.c
+++ b/lib/util/nsshash.c
+@@ -102,16 +102,19 @@ HASH_GetHashOidTagByHashType(HASH_HashTy
+ SECOidTag
+ HASH_GetHashOidTagByHMACOidTag(SECOidTag hmacOid)
+ {
+     SECOidTag hashOid = SEC_OID_UNKNOWN;
+ 
+     switch (hmacOid) {
+         /* no oid exists for HMAC_MD2 */
+         /* NSS does not define a oid for HMAC_MD4 */
+        case SEC_OID_HMAC_MD5:
+            hashOid = SEC_OID_MD5;
+            break;
+         case SEC_OID_HMAC_SHA1:
+             hashOid = SEC_OID_SHA1;
+             break;
+         case SEC_OID_HMAC_SHA224:
+             hashOid = SEC_OID_SHA224;
+             break;
+         case SEC_OID_HMAC_SHA256:
+             hashOid = SEC_OID_SHA256;
+@@ -145,16 +148,19 @@ HASH_GetHashOidTagByHMACOidTag(SECOidTag
+ SECOidTag
+ HASH_GetHMACOidTagByHashOidTag(SECOidTag hashOid)
+ {
+     SECOidTag hmacOid = SEC_OID_UNKNOWN;
+ 
+     switch (hashOid) {
+         /* no oid exists for HMAC_MD2 */
+         /* NSS does not define a oid for HMAC_MD4 */
+        case SEC_OID_MD5:
+            hmacOid = SEC_OID_HMAC_MD5;
+            break;
+         case SEC_OID_SHA1:
+             hmacOid = SEC_OID_HMAC_SHA1;
+             break;
+         case SEC_OID_SHA224:
+             hmacOid = SEC_OID_HMAC_SHA224;
+             break;
+         case SEC_OID_SHA256:
+             hmacOid = SEC_OID_HMAC_SHA256;
--- a/nss-3.101-skip-ocsp-if-not-connected.patch
+++ b/nss-3.101-skip-ocsp-if-not-connected.patch
@ -8,7 +8,7 @@ diff -up ./tests/ssl/ssl.sh.disable_ocsp_policy ./tests/ssl/ssl.sh
 +  # if we are running on a build machine that can't tolerate external
 +  # references don't run.
 +  vfyserv -o wrong.host.badssl.com -d ${P_R_SERVERDIR} > ${P_R_SERVERDIR}/vfy2.out 2>&1
-+  RET=$? ; cat ${P_R_SERVERDIR}/vfy2.out" 
+  RET=$? ; cat "${P_R_SERVERDIR}/vfy2.out" 
 +  # 5961 reset by peer
 +  grep 5961 ${P_R_SERVERDIR}/vfy2.out
 +  GRET=$?  ; echo "OCSP: RET=$RET GRET=$GRET"
--- a/nss.spec
+++ b/nss.spec
@ -182,6 +182,7 @@ Patch74:          nss-3.90-dh-test-update.patch
 Patch75:          nss-3.90-ppc_no_init.patch
 Patch76:          nss-3.101-enable-kyber-policy.patch
 Patch77:          nss-3.101-fix-rsa-policy-test.patch
+Patch78:          nss-3.101-fix-pkcs12-md5-decode.patch

 # RHEL-10 specific
 Patch90:          nss-3.101-disable_dsa.patch
@ -1168,6 +1169,9 @@ update-crypto-policies &> /dev/null || :


 %changelog
+* Thu Jul 18 2024 Bob Relyea <rrelyea@redhat.com> - 3.101.0-4
+- Fix MD-5 decode issue in pkcs #12
+
 * Mon Jul 15 2024 Bob Relyea <rrelyea@redhat.com> - 3.101.0-3
 - Add FIPS 140-3 defines to sec file