- Fix crmf hard-coded maximum size for wrapped private keys (#703658)

- Use the safer bound off - ( ( RSA_MAX_MODULUS_BITS / 8 ) *8 ) = RSA_MAX_MODULUS_BITS - which will accomodate other algorithms
2011-05-17 09:07:55 -07:00 · 2011-05-17 09:07:55 -07:00 · c409805d45
commit c409805d45
parent 656b5456ab
2 changed files with 53 additions and 1 deletions
--- a/nss-703658.patch
+++ b/nss-703658.patch
@ -0,0 +1,47 @@
+Index: mozilla/security/nss/lib/crmf/crmfi.h
+===================================================================
+RCS file: /cvsroot/mozilla/security/nss/lib/crmf/crmfi.h,v
+retrieving revision 1.4
+diff -u -u -r1.4 crmfi.h
+--- mozilla/security/nss/lib/crmf/crmfi.h	15 Jan 2011 19:47:11 -0000	1.4
+++ mozilla/security/nss/lib/crmf/crmfi.h	11 May 2011 20:06:26 -0000
+@@ -46,10 +46,38 @@
+ #include "secasn1.h"
+ #include "crmfit.h"
+ #include "secerr.h"
+#include "blapit.h"
+ 
+ #define CRMF_DEFAULT_ARENA_SIZE   1024
+-#define MAX_WRAPPED_KEY_LEN       2048
+ 
+/*
+ * Explanation for the definition of MAX_WRAPPED_KEY_LEN:
+ * 
+ * It's used for internal buffers to transport a wrapped private key.
+ * The value is in BYTES.
+ * We want to define a reasonable upper bound for this value.
+ * Ideally this could be calculated, but in order to simplify the code
+ * we want to estimate the maximum requires size.
+ * See also mozilla bug 655850 for the full explanation.
+ * 
+ * We know the largest wrapped keys are RSA keys.
+ * We'll estimate the maximum size needed for wrapped RSA keys,
+ * and assume it's sufficient for wrapped keys of any type we support.
+ * 
+ * The maximum size of RSA keys in bits is defined elsewhere as
+ *   RSA_MAX_MODULUS_BITS
+ * 
+ * The idea is to define MAX_WRAPPED_KEY_LEN based on the above.
+ * 
+ * A wrapped RSA key requires about
+ *   ( ( RSA_MAX_MODULUS_BITS / 8 ) * 5.5) + 65
+ * bytes.
+ * 
+ * Therefore, a safe upper bound is:
+ *   ( ( RSA_MAX_MODULUS_BITS / 8 ) *8 ) = RSA_MAX_MODULUS_BITS
+ * 
+ */
+#define MAX_WRAPPED_KEY_LEN       RSA_MAX_MODULUS_BITS
+ 
+ #define CRMF_BITS_TO_BYTES(bits) (((bits)+7)/8)
+ #define CRMF_BYTES_TO_BITS(bytes) ((bytes)*8)
--- a/nss.spec
+++ b/nss.spec
@ -6,7 +6,7 @@
 Summary:          Network Security Services
 Name:             nss
 Version:          3.12.10
-Release:          1%{?dist}
+Release:          2%{?dist}
 License:          MPLv1.1 or GPLv2+ or LGPLv2+
 URL:              http://www.mozilla.org/projects/security/pki/nss/
 Group:            System Environment/Libraries
@ -44,6 +44,7 @@ Patch6:           nss-enable-pem.patch
 Patch7:           nsspem-642433.patch
 Patch8:           0001-Bug-695011-PEM-logging.patch
 Patch16:          nss-539183.patch
+Patch17:          nss-703658.patch

 %description
 Network Security Services (NSS) is a set of libraries designed to
@ -118,6 +119,7 @@ low level services.
 %patch7 -p0 -b .642433
 %patch8 -p1 -b .695011          
 %patch16 -p0 -b .539183
+%patch17 -p0 -b .703658


 %build
@ -511,6 +513,9 @@ rm -rf $RPM_BUILD_ROOT/%{_includedir}/nss3/nsslowhash.h


 %changelog
+* Tue May 17 2011 Elio Maldonado <emaldona@redhat.com> - 3.12.10-2
+- Fix crmf hard-coded maximum size for wrapped private keys (#703658)
+
 * Fri May 06 2011 Elio Maldonado <emaldona@redhat.com> - 3.12.10-1
 - Update to NSS_3_12_10_RTM