rpms/nss
5
0
Fork 0
Code Issues Pull Requests Releases Activity

Resolves: rhbz#1926367

Browse Source 
Restore RHEL-8 patch to prevent MD5 and MD4 hash operations
This commit is contained in:
Bob Relyea 2021-04-16 14:12:00 -07:00
parent fd919dd3b5
commit 88a947fc0b
3 changed files with 69 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

41
nss-disable-md5.patch Normal file
View File

@ -0,0 +1,41 @@
diff -r 699541a7793b lib/pk11wrap/pk11pars.c
--- a/lib/pk11wrap/pk11pars.c Tue Jun 16 23:03:22 2020 +0000
+++ b/lib/pk11wrap/pk11pars.c Thu Jun 25 14:33:09 2020 +0200
@@ -323,11 +323,11 @@
static const oidValDef hashOptList[] = {
/* Hashes */
{ CIPHER_NAME("MD2"), SEC_OID_MD2,
- NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE },
+ 0 },
{ CIPHER_NAME("MD4"), SEC_OID_MD4,
- NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE },
+ 0 },
{ CIPHER_NAME("MD5"), SEC_OID_MD5,
- NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE },
+ 0 },
{ CIPHER_NAME("SHA1"), SEC_OID_SHA1,
NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE },
{ CIPHER_NAME("SHA224"), SEC_OID_SHA224,
diff -r 699541a7793b lib/util/secoid.c
--- a/lib/util/secoid.c Tue Jun 16 23:03:22 2020 +0000
+++ b/lib/util/secoid.c Thu Jun 25 14:33:09 2020 +0200
@@ -2042,6 +2042,19 @@
int i;
for (i = 1; i < SEC_OID_TOTAL; i++) {
+ switch (i) {
+ case SEC_OID_MD2:
+ case SEC_OID_MD4:
+ case SEC_OID_MD5:
+ case SEC_OID_PKCS1_MD2_WITH_RSA_ENCRYPTION:
+ case SEC_OID_PKCS1_MD4_WITH_RSA_ENCRYPTION:
+ case SEC_OID_PKCS1_MD5_WITH_RSA_ENCRYPTION:
+ case SEC_OID_PKCS5_PBE_WITH_MD2_AND_DES_CBC:
+ case SEC_OID_PKCS5_PBE_WITH_MD5_AND_DES_CBC:
+ continue;
+ default:
+ break;
+ }
if (oids[i].desc && strstr(arg, oids[i].desc)) {
xOids[i].notPolicyFlags = notEnable |
(xOids[i].notPolicyFlags & ~(DEF_FLAGS));

13
nss-dso-ldflags.patch Normal file
View File

@ -0,0 +1,13 @@
Index: nss/coreconf/Linux.mk
===================================================================
--- nss.orig/coreconf/Linux.mk
+++ nss/coreconf/Linux.mk
@@ -144,7 +144,7 @@ ifdef USE_PTHREADS
endif
DSO_CFLAGS = -fPIC
-DSO_LDOPTS = -shared $(ARCHFLAG) -Wl,--gc-sections
+DSO_LDOPTS = -shared $(ARCHFLAG) -Wl,--gc-sections $(DSO_LDFLAGS)
# The linker on Red Hat Linux 7.2 and RHEL 2.1 (GNU ld version 2.11.90.0.8)
# incorrectly reports undefined references in the libraries we link with, so
# we don't use -z defs there.

21
nss.spec
View File

@ -2,7 +2,7 @@
# NOTE: To avoid NVR clashes of nspr* packages: # NOTE: To avoid NVR clashes of nspr* packages:
# - reset %%{nspr_release} to 1, when updating %%{nspr_version} # - reset %%{nspr_release} to 1, when updating %%{nspr_version}
# - increment %%{nspr_version}, when updating the NSS part only # - increment %%{nspr_version}, when updating the NSS part only
%global nspr_release 1 %global nspr_release 2
%global nss_version 3.63.0 %global nss_version 3.63.0
# only need to update this as we added new # only need to update this as we added new
# algorithms under nss policy control # algorithms under nss policy control
@ -56,7 +56,7 @@ rpm.define(string.format("nss_release_tag NSS_%s_RTM",
Summary: Network Security Services Summary: Network Security Services
Name: nss Name: nss
Version: %{nss_version} Version: %{nss_version}
Release: 2%{?dist} Release: 3%{?dist}
License: MPLv2.0 License: MPLv2.0
URL: http://www.mozilla.org/projects/security/pki/nss/ URL: http://www.mozilla.org/projects/security/pki/nss/
Requires: nspr >= %{nspr_version} Requires: nspr >= %{nspr_version}
@ -129,6 +129,10 @@ Patch20: nss-gcm-param-default-pkcs11v2.patch
%endif %endif
# can drop this patch when the underlying btrfs/sqlite issue is solved # can drop this patch when the underlying btrfs/sqlite issue is solved
Patch30: nss-fedora-btrf-sql-hack.patch Patch30: nss-fedora-btrf-sql-hack.patch
# connect our shared library to the build root loader flags (needed for -relro)
Patch31: nss-dso-ldflags.patch
# keep RHEL 8 semantics of disabling md4 and md5 even if the env variable is set
Patch32: nss-disable-md5.patch
Patch100: nspr-config-pc.patch Patch100: nspr-config-pc.patch
Patch101: nspr-gcc-atomics.patch Patch101: nspr-gcc-atomics.patch
@ -259,7 +263,7 @@ Header and library files for doing development with Network Security Services.
%package -n nspr %package -n nspr
Summary: Netscape Portable Runtime Summary: Netscape Portable Runtime
Version: %{nspr_version} Version: %{nspr_version}
Release: %{nspr_release}%{?dist}.1 Release: %{nspr_release}%{?dist}
License: MPLv2.0 License: MPLv2.0
URL: http://www.mozilla.org/projects/nspr/ URL: http://www.mozilla.org/projects/nspr/
Conflicts: filesystem < 3 Conflicts: filesystem < 3
@ -274,7 +278,7 @@ memory management (malloc and free) and shared library linking.
%package -n nspr-devel %package -n nspr-devel
Summary: Development libraries for the Netscape Portable Runtime Summary: Development libraries for the Netscape Portable Runtime
Version: %{nspr_version} Version: %{nspr_version}
Release: %{nspr_release}%{?dist}.1 Release: %{nspr_release}%{?dist}
Requires: nspr%{?_isa} = %{nspr_version}-%{nspr_release}%{?dist} Requires: nspr%{?_isa} = %{nspr_version}-%{nspr_release}%{?dist}
Requires: pkgconfig Requires: pkgconfig
BuildRequires: xmlto BuildRequires: xmlto
@ -1052,8 +1056,13 @@ update-crypto-policies &> /dev/null || :
%changelog %changelog
* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> * Fri Apr 16 2021 Bob Relyea <rrelyea@redhat.com> - 3.63.0-3
- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937 - prevent MD5 from being enabled even with the environment variables
and policy. This mirrors the rhel8 semantics.
- add DSO_LDFLAGS support so we pick up system LDFLAGS in our shared libraries
* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 3.63.0-2
- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
* Wed Mar 24 2021 Bob Relyea <rrelyea@redhat.com> - 3.63.0-1 * Wed Mar 24 2021 Bob Relyea <rrelyea@redhat.com> - 3.63.0-1
- Update NSS to 3.62 - Update NSS to 3.62