rpms/nss
7
0
Fork 0
Code Issues Pull Requests Releases Activity

Resolves: RHEL-57111

Browse Source 
- Fix abi issue in S/MIME code.
 - Fix long password issue in pkcs12 when using pbmac
This commit is contained in:
Robert Relyea 2024-09-16 11:02:07 -07:00
parent c464b872b2
commit d7183778e6
4 changed files with 149 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
nss-3.101-fix-cavs-test.patch Normal file
View File

@ -0,0 +1,12 @@
diff -up ./tests/fips/cavs_scripts/validate1.sh.fix_cavs ./tests/fips/cavs_scripts/validate1.sh
--- ./tests/fips/cavs_scripts/validate1.sh.fix_cavs 2024-09-12 14:39:41.421586862 -0700
+++ ./tests/fips/cavs_scripts/validate1.sh 2024-09-12 14:39:55.036747283 -0700
@@ -21,7 +21,7 @@ name=`basename $request .req`
echo ">>>>> $name"
sed -e 's; ;;g' -e 's; ; ;g' -e '/^#/d' $extraneous_response ${TESTDIR}/resp/${name}.rsp > /tmp/y1
# if we didn't generate any output, flag that as an error
-size=`sum /tmp/y1 | awk '{ print $NF }'`
+size=`sum /tmp/y1 | awk '{ print $1 }'`
if [ $size -eq 0 ]; then
echo "${TESTDIR}/resp/${name}.rsp: empty"
exit 1;

115
nss-3.101-fix-cms-abi-break.patch Normal file
View File

@ -0,0 +1,115 @@
diff -up ./lib/smime/cmsasn1.c.restore_abi ./lib/smime/cmsasn1.c
--- ./lib/smime/cmsasn1.c.restore_abi 2024-06-07 09:26:03.000000000 -0700
+++ ./lib/smime/cmsasn1.c 2024-09-06 18:05:27.808338289 -0700
@@ -350,7 +350,7 @@ static const SEC_ASN1Template NSSCMSKeyA
{ SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | SEC_ASN1_EXPLICIT |
SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 1,
offsetof(NSSCMSKeyAgreeRecipientInfo, ukm),
- SEC_ASN1_SUB(SEC_OctetStringTemplate) },
+ SEC_ASN1_SUB(SEC_PointerToOctetStringTemplate) },
{ SEC_ASN1_INLINE | SEC_ASN1_XTRN,
offsetof(NSSCMSKeyAgreeRecipientInfo, keyEncAlg),
SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) },
diff -up ./lib/smime/cmslocal.h.restore_abi ./lib/smime/cmslocal.h
--- ./lib/smime/cmslocal.h.restore_abi 2024-06-07 09:26:03.000000000 -0700
+++ ./lib/smime/cmslocal.h 2024-09-06 18:04:47.647863624 -0700
@@ -174,7 +174,7 @@ NSS_CMSUtil_DecryptSymKey_RSA_OAEP(SECKE
extern SECStatus
NSS_CMSUtil_EncryptSymKey_ESECDH(PLArenaPool *poolp, CERTCertificate *cert, PK11SymKey *key,
- SECItem *encKey, PRBool genUkm, SECItem *ukm,
+ SECItem *encKey, PRBool genUkm, SECItem **ukm,
SECAlgorithmID *keyEncAlg, SECItem *originatorPubKey, void *wincx);
PK11SymKey *
diff -up ./lib/smime/cmspubkey.c.restore_abi ./lib/smime/cmspubkey.c
--- ./lib/smime/cmspubkey.c.restore_abi 2024-06-07 09:26:03.000000000 -0700
+++ ./lib/smime/cmspubkey.c 2024-09-06 18:04:47.647863624 -0700
@@ -292,9 +292,15 @@ Create_ECC_CMS_SharedInfo(PLArenaPool *p
unsigned char suppPubInfo[4] = { 0 };
SI.keyInfo = keyInfo;
- SI.entityUInfo.type = ukm->type;
- SI.entityUInfo.data = ukm->data;
- SI.entityUInfo.len = ukm->len;
+ if (ukm) {
+ SI.entityUInfo.type = ukm->type;
+ SI.entityUInfo.data = ukm->data;
+ SI.entityUInfo.len = ukm->len;
+ } else {
+ SI.entityUInfo.type = siBuffer;
+ SI.entityUInfo.data = NULL;
+ SI.entityUInfo.len = 0;
+ }
SI.suppPubInfo.type = siBuffer;
SI.suppPubInfo.data = suppPubInfo;
@@ -322,7 +328,7 @@ Create_ECC_CMS_SharedInfo(PLArenaPool *p
SECStatus
NSS_CMSUtil_EncryptSymKey_ESECDH(PLArenaPool *poolp, CERTCertificate *cert,
PK11SymKey *bulkkey, SECItem *encKey,
- PRBool genUkm, SECItem *ukm,
+ PRBool genUkm, SECItem **ukmp,
SECAlgorithmID *keyEncAlg, SECItem *pubKey,
void *wincx)
{
@@ -337,10 +343,11 @@ NSS_CMSUtil_EncryptSymKey_ESECDH(PLArena
SECAlgorithmID keyWrapAlg;
SECOidTag keyEncAlgtag;
SECItem keyWrapAlg_params, *keyEncAlg_params, *SharedInfo;
+ SECItem *ukm = *ukmp;
CK_MECHANISM_TYPE keyDerivationType, keyWrapMech;
CK_ULONG kdf;
- if (genUkm && (ukm->len != 0 || ukm->data != NULL)) {
+ if (genUkm && (ukm != NULL)) {
PORT_SetError(PR_INVALID_ARGUMENT_ERROR);
return SECFailure;
}
@@ -427,17 +434,17 @@ NSS_CMSUtil_EncryptSymKey_ESECDH(PLArena
* contain 512 bits for Diffie-Hellman key agreement. */
if (genUkm) {
- ukm->type = siBuffer;
- ukm->len = 64;
- ukm->data = (unsigned char *)PORT_ArenaAlloc(poolp, ukm->len);
-
- if (ukm->data == NULL) {
+ ukm = SECITEM_AllocItem(poolp, NULL, 64);
+ if (ukm == NULL) {
goto loser;
}
+ ukm->type = siBuffer;
+
rv = PK11_GenerateRandom(ukm->data, ukm->len);
if (rv != SECSuccess) {
goto loser;
}
+ *ukmp = ukm; /* return it */
}
SharedInfo = Create_ECC_CMS_SharedInfo(poolp, &keyWrapAlg,
diff -up ./lib/smime/cmsrecinfo.c.restore_abi ./lib/smime/cmsrecinfo.c
--- ./lib/smime/cmsrecinfo.c.restore_abi 2024-06-07 09:26:03.000000000 -0700
+++ ./lib/smime/cmsrecinfo.c 2024-09-06 18:04:47.647863624 -0700
@@ -582,7 +582,7 @@ NSS_CMSRecipientInfo_UnwrapBulkKey(NSSCM
parameters = &(ri->ri.keyAgreeRecipientInfo.keyEncAlg.parameters);
enckey = &(ri->ri.keyAgreeRecipientInfo.recipientEncryptedKeys[subIndex]->encKey);
oiok = &(ri->ri.keyAgreeRecipientInfo.originatorIdentifierOrKey);
- ukm = &(ri->ri.keyAgreeRecipientInfo.ukm);
+ ukm = ri->ri.keyAgreeRecipientInfo.ukm;
break;
case NSSCMSRecipientInfoID_KEK:
algid = &(ri->ri.kekRecipientInfo.keyEncAlg);
diff -up ./lib/smime/cmst.h.restore_abi ./lib/smime/cmst.h
--- ./lib/smime/cmst.h.restore_abi 2024-06-07 09:26:03.000000000 -0700
+++ ./lib/smime/cmst.h 2024-09-06 18:04:47.647863624 -0700
@@ -376,7 +376,7 @@ typedef struct NSSCMSRecipientEncryptedK
struct NSSCMSKeyAgreeRecipientInfoStr {
SECItem version;
NSSCMSOriginatorIdentifierOrKey originatorIdentifierOrKey;
- SECItem ukm; /* optional */
+ SECItem *ukm; /* optional */
SECAlgorithmID keyEncAlg;
NSSCMSRecipientEncryptedKey **recipientEncryptedKeys;
};

12
nss-3.101-long-pwd-fix.patch Normal file
View File

@ -0,0 +1,12 @@
diff -up ./lib/pkcs12/p12local.c.long_pw_fix ./lib/pkcs12/p12local.c
--- ./lib/pkcs12/p12local.c.long_pw_fix 2024-09-06 17:58:39.905517185 -0700
+++ ./lib/pkcs12/p12local.c 2024-09-06 17:59:19.568985976 -0700
@@ -102,7 +102,7 @@ sec_pkcs12_integrity_key(PK11SlotInfo *s
*hmacMech = PK11_AlgtagToMechanism(hmacAlg);
/* pkcs12v2 hmac uses UTF8 rather than unicode */
if (!sec_pkcs12_convert_item_to_unicode(NULL, &utf8Pw, pwitem,
- PR_TRUE, PR_FALSE, PR_FALSE)) {
+ PR_FALSE, PR_FALSE, PR_FALSE)) {
return NULL;
}
symKey = PK11_PBEKeyGen(slot, prfAlgid, &utf8Pw, PR_FALSE, pwarg);

12
nss.spec
View File

@ -3,7 +3,7 @@
# NOTE: To avoid NVR clashes of nspr* packages:
# - reset %%{nspr_release} to 1, when updating %%{nspr_version}
# - increment %%{nspr_version}, when updating the NSS part only
%global baserelease 6
%global baserelease 7
%global nss_release %baserelease
# use "%%global nspr_release %%[%%baserelease+n]" to handle offsets when
# release number between nss and nspr are different.
@ -186,6 +186,10 @@ Patch81: nss-3.101-fix-missing-size-checks.patch
Patch82: nss-3.101-chacha-timing-fix.patch
Patch83: nss-3.101-add-certificate-compression-test.patch
Patch84: nss-3.101-fix-pkcs12-pbkdf1-encoding.patch
# https://bugzilla.mozilla.org/show_bug.cgi?id=676100
Patch85: nss-3.101-fix-cms-abi-break.patch
Patch86: nss-3.101-long-pwd-fix.patch
Patch87: nss-3.101-fix-cavs-test.patch
# RHEL-10 specific
Patch90: nss-3.101-disable_dsa.patch
@ -1164,6 +1168,10 @@ fi
%changelog
* Wed Sep 4 2024 Bob Relyea <rrelyea@redhat.com> - 3.101.0-7
- fix cms abi breakage
- fix long password issue on pbmac encodings
* Thu Aug 1 2024 Bob Relyea <rrelyea@redhat.com> - 3.101.0-6
- fix param encoding in pkcs12 pbamac encoding
- add support for certificate compression in selfserv and tstclient
@ -1230,7 +1238,7 @@ fi
https://bugzilla.mozilla.org/show_bug.cgi?id=1836925
* Mon Jun 5 2023 Frantisek Krenzelok <krenzelok.frantisek@gmail.com> - 3.90.0-1
- Update %patch syntax
- Update %%patch syntax
* Mon Jun 5 2023 Frantisek Krenzelok <krenzelok.frantisek@gmail.com> - 3.90.0-1
- Update NSS to 3.90.0