Resolves: RHEL-103353

- restore CONCATENATE functions accidentally removed in the last patch
- fix big endian issue in tstclnt and selfserv in certificate compression
Robert Relyea 2025-08-01 10:55:51 -07:00
parent ee453ce71d
commit a829743482
3 changed files with 84 additions and 1 deletions


@ -200,5 +200,12 @@ SFTKFIPSAlgorithmList sftk_fips_mechs[] = {
offsetof(CK_SP800_108_KDF_PARAMS, prfType) }, offsetof(CK_SP800_108_KDF_PARAMS, prfType) },
{ CKM_NSS_SP800_108_DOUBLE_PIPELINE_KDF_DERIVE_DATA, { 112, CK_MAX, CKF_KDF }, 1, SFTKFIPSChkHashSp800, { CKM_NSS_SP800_108_DOUBLE_PIPELINE_KDF_DERIVE_DATA, { 112, CK_MAX, CKF_KDF }, 1, SFTKFIPSChkHashSp800,
offsetof(CK_SP800_108_KDF_PARAMS, prfType) }, offsetof(CK_SP800_108_KDF_PARAMS, prfType) },
/* concatentate fuctions used in hybrid operations */
/* The following functions add data at the end of a base key. If the base
* key is FIPS, and the resulting keys are strong enough, then the
* resulting key will also be FIPS and the resulting operations will be
* FIPS approved. */
{ CKM_CONCATENATE_BASE_AND_KEY, { 112, CK_MAX, CKF_DERIVE }, 1, SFTKFIPSNone },
{ CKM_CONCATENATE_BASE_AND_DATA, { 112, CK_MAX, CKF_DERIVE }, 1, SFTKFIPSNone },
}; };
const int SFTK_NUMBER_FIPS_ALGORITHMS = PR_ARRAY_SIZE(sftk_fips_mechs); const int SFTK_NUMBER_FIPS_ALGORITHMS = PR_ARRAY_SIZE(sftk_fips_mechs);
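Review bot: The comment above the two new rows makes FIPS approval conditional on the base key being FIPS and the result being strong enough, but both rows use `SFTKFIPSNone`, so only the 112-bit floor is expressed in the table itself. If the base-key condition is enforced where `sftk_fips_mechs` is consumed (not visible in this hunk), the comment should name that place so a later reader does not treat the row alone as sufficient for approval. The first comment line also has two typos and should read `/* concatenate functions used in hybrid operations */`.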


@ -0,0 +1,71 @@
diff --git a/cmd/selfserv/selfserv.c b/cmd/selfserv/selfserv.c
--- a/cmd/selfserv/selfserv.c
+++ b/cmd/selfserv/selfserv.c
@@ -2078,13 +2078,13 @@
if (!input || !input->data || input->len == 0 || !output || outputLen == 0) {
PR_SetError(SEC_ERROR_INVALID_ARGS, 0);
return SECFailure;
}
- *usedLen = outputLen;
-
- int ret = uncompress(output, (unsigned long *)usedLen, input->data, input->len);
+ unsigned long outputLenUL = outputLen;
+ int ret = uncompress(output, &outputLenUL, input->data, input->len);
+ *usedLen = outputLenUL;
if (ret != Z_OK) {
PR_SetError(SEC_ERROR_BAD_DATA, 0);
return SECFailure;
}
@@ -2100,11 +2100,13 @@
}
unsigned long maxCompressedLen = compressBound(input->len);
SECITEM_AllocItem(NULL, output, maxCompressedLen);
- int ret = compress(output->data, (unsigned long *)&output->len, input->data, input->len);
+ unsigned long outputLenUL = output->len;
+ int ret = compress(output->data, &outputLenUL, input->data, input->len);
+ output->len = outputLenUL;
if (ret != Z_OK) {
PR_SetError(SEC_ERROR_LIBRARY_FAILURE, 0);
return SECFailure;
}
diff --git a/cmd/tstclnt/tstclnt.c b/cmd/tstclnt/tstclnt.c
--- a/cmd/tstclnt/tstclnt.c
+++ b/cmd/tstclnt/tstclnt.c
@@ -1375,11 +1375,13 @@
}
unsigned long maxCompressedLen = compressBound(input->len);
SECITEM_AllocItem(NULL, output, maxCompressedLen);
- int ret = compress(output->data, (unsigned long *)&output->len, input->data, input->len);
+ unsigned long outputLenUL = output->len;
+ int ret = compress(output->data, &outputLenUL, input->data, input->len);
+ output->len = outputLenUL;
if (ret != Z_OK) {
PR_SetError(SEC_ERROR_LIBRARY_FAILURE, 0);
return SECFailure;
}
@@ -1394,13 +1396,13 @@
if (!input || !input->data || input->len == 0 || !output || outputLen == 0) {
PR_SetError(SEC_ERROR_INVALID_ARGS, 0);
return SECFailure;
}
- *usedLen = outputLen;
-
- int ret = uncompress(output, (unsigned long *)usedLen, input->data, input->len);
+ unsigned long outputLenUL = outputLen;
+ int ret = uncompress(output, &outputLenUL, input->data, input->len);
+ *usedLen = outputLenUL;
if (ret != Z_OK) {
PR_SetError(SEC_ERROR_BAD_DATA, 0);
return SECFailure;
}
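Review bot: In both compress hunks (selfserv.c at -2100 and tstclnt.c at -1375) the new `outputLenUL` is seeded from `output->len`, which is only meaningful if the `SECITEM_AllocItem` call on the line before succeeded, and that call's return value is still ignored. Checking it and seeding from the bound avoids depending on what a failed allocation leaves in the item: `if (!SECITEM_AllocItem(NULL, output, maxCompressedLen)) return SECFailure;` followed by `unsigned long outputLenUL = maxCompressedLen;`. In the two uncompress hunks `*usedLen = outputLenUL;` runs before `ret` is tested, so a failed inflate still reports a length to the caller; moving the assignment below the `ret != Z_OK` check would leave the out-parameter untouched on error. All four functions start and end outside their hunks, so the parameter types are inferred from the removed casts.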


@ -3,7 +3,7 @@
# NOTE: To avoid NVR clashes of nspr* packages: # NOTE: To avoid NVR clashes of nspr* packages:
# - reset %%{nspr_release} to 1, when updating %%{nspr_version} # - reset %%{nspr_release} to 1, when updating %%{nspr_version}
# - increment %%{nspr_version}, when updating the NSS part only # - increment %%{nspr_version}, when updating the NSS part only
%global baserelease 2 %global baserelease 3
%global nss_release %baserelease %global nss_release %baserelease
# use "%%global nspr_release %%[%%baserelease+n]" to handle offsets when # use "%%global nspr_release %%[%%baserelease+n]" to handle offsets when
# release number between nss and nspr are different. # release number between nss and nspr are different.
@ -179,6 +179,7 @@ Patch93: nss-3.112-add-ml-dsa-base.patch
Patch94: nss-3.112-add-ml-dsa-gtests.patch Patch94: nss-3.112-add-ml-dsa-gtests.patch
Patch95: nss-3.112-add-ml-dsa-ssl-support.patch Patch95: nss-3.112-add-ml-dsa-ssl-support.patch
Patch96: nss-3.112-fips-and-fixes-el10.patch Patch96: nss-3.112-fips-and-fixes-el10.patch
Patch97: nss-3.112-big-endian-compression-fix.patch
# NSS reverse patches # NSS reverse patches
Patch300: nss-3.79-distrusted-certs.patch Patch300: nss-3.79-distrusted-certs.patch
@ -1162,6 +1163,10 @@ fi
%changelog %changelog
* Fri Aug 1 2025 Bob Relyea <rrelyea@redhat.com> - 3.112.0-3
- restore CONCATENATE functions accidentally remvoed in the last patch
- fix big endian issue in tstclnt and selfserv in certificate compression
* Wed Jul 30 2025 Bob Relyea <rrelyea@redhat.com> - 3.112.0-2 * Wed Jul 30 2025 Bob Relyea <rrelyea@redhat.com> - 3.112.0-2
- add fips required changes. - add fips required changes.
- fix bugs found by QE - fix bugs found by QE