Resolves: rhbz#1768652

NSS softoken does not include CKM_NSS_IKE1_APP_B_PRF_DERIVE in it's mechanism list, causing libreswan to crash.
This commit is contained in:
Bob Relyea 2019-11-04 13:51:40 -08:00
parent 626f1941fd
commit 2ec4745f30
2 changed files with 28 additions and 1 deletions

22
nss-3.47-ike-fix.patch Normal file
View File

@ -0,0 +1,22 @@
diff -up ./lib/softoken/pkcs11.c.ike_fix ./lib/softoken/pkcs11.c
--- ./lib/softoken/pkcs11.c.ike_fix 2019-11-04 10:15:08.022176945 -0800
+++ ./lib/softoken/pkcs11.c 2019-11-04 10:17:35.396733750 -0800
@@ -330,7 +330,7 @@ static const struct mechanismList mechan
{ CKM_AES_CTS, { 16, 32, CKF_EN_DE }, PR_TRUE },
{ CKM_AES_CTR, { 16, 32, CKF_EN_DE }, PR_TRUE },
{ CKM_AES_GCM, { 16, 32, CKF_EN_DE }, PR_TRUE },
- { CKM_AES_XCBC_MAC_96, { 16, 16, CKF_SN_VR }, PR_TRUE },
+ { CKM_AES_XCBC_MAC_96, { 12, 12, CKF_SN_VR }, PR_TRUE },
{ CKM_AES_XCBC_MAC, { 16, 16, CKF_SN_VR }, PR_TRUE },
/* ------------------------- Camellia Operations --------------------- */
{ CKM_CAMELLIA_KEY_GEN, { 16, 32, CKF_GENERATE }, PR_TRUE },
@@ -518,7 +518,8 @@ static const struct mechanismList mechan
/* --------------------IPSEC ----------------------- */
{ CKM_NSS_IKE_PRF_PLUS_DERIVE, { 8, 255 * 64, CKF_DERIVE }, PR_TRUE },
{ CKM_NSS_IKE_PRF_DERIVE, { 8, 64, CKF_DERIVE }, PR_TRUE },
- { CKM_NSS_IKE1_PRF_DERIVE, { 8, 64, CKF_DERIVE }, PR_TRUE }
+ { CKM_NSS_IKE1_PRF_DERIVE, { 8, 64, CKF_DERIVE }, PR_TRUE },
+ { CKM_NSS_IKE1_APP_B_PRF_DERIVE, { 8, 255 * 64, CKF_DERIVE }, PR_TRUE }
};
static const CK_ULONG mechanismCount = sizeof(mechanisms) / sizeof(mechanisms[0]);

View File

@ -43,7 +43,7 @@ rpm.define(string.format("nss_release_tag NSS_%s_RTM",
Summary: Network Security Services
Name: nss
Version: %{nss_version}
Release: 2%{?dist}
Release: 3%{?dist}
License: MPLv2.0
URL: http://www.mozilla.org/projects/security/pki/nss/
Requires: nspr >= %{nspr_version}
@ -105,6 +105,8 @@ Patch2: nss-539183.patch
# Once the buildroot aha been bootstrapped the patch may be removed
# but it doesn't hurt to keep it.
Patch4: iquote.patch
# add missing ike mechanism to softoken
Patch10: nss-3.47-ike-fix.patch
%description
Network Security Services (NSS) is a set of libraries designed to
@ -870,6 +872,9 @@ update-crypto-policies &> /dev/null || :
%changelog
* Mon Nov 7 2019 Bob Relyea <rrelyea@redhat.com> - 3.47.0-3
- Include ike mechanism fix
* Wed Oct 23 2019 Daiki Ueno <dueno@redhat.com> - 3.47.0-2
- Install cmac.h required by blapi.h (#1764513)