From 2ec4745f30257f9f70907b687cac30b88c10099a Mon Sep 17 00:00:00 2001
From: Bob Relyea <rrelyea@redhat.com>
Date: Mon, 4 Nov 2019 13:51:40 -0800
Subject: [PATCH] Resolves: rhbz#1768652 NSS softoken does not include
 CKM_NSS_IKE1_APP_B_PRF_DERIVE in it's mechanism list, causing libreswan to
 crash.

---
 nss-3.47-ike-fix.patch | 22 ++++++++++++++++++++++
 nss.spec               |  7 ++++++-
 2 files changed, 28 insertions(+), 1 deletion(-)
 create mode 100644 nss-3.47-ike-fix.patch

diff --git a/nss-3.47-ike-fix.patch b/nss-3.47-ike-fix.patch
new file mode 100644
index 0000000..2de0aee
--- /dev/null
+++ b/nss-3.47-ike-fix.patch
@@ -0,0 +1,22 @@
+diff -up ./lib/softoken/pkcs11.c.ike_fix ./lib/softoken/pkcs11.c
+--- ./lib/softoken/pkcs11.c.ike_fix	2019-11-04 10:15:08.022176945 -0800
++++ ./lib/softoken/pkcs11.c	2019-11-04 10:17:35.396733750 -0800
+@@ -330,7 +330,7 @@ static const struct mechanismList mechan
+     { CKM_AES_CTS, { 16, 32, CKF_EN_DE }, PR_TRUE },
+     { CKM_AES_CTR, { 16, 32, CKF_EN_DE }, PR_TRUE },
+     { CKM_AES_GCM, { 16, 32, CKF_EN_DE }, PR_TRUE },
+-    { CKM_AES_XCBC_MAC_96, { 16, 16, CKF_SN_VR }, PR_TRUE },
++    { CKM_AES_XCBC_MAC_96, { 12, 12, CKF_SN_VR }, PR_TRUE },
+     { CKM_AES_XCBC_MAC, { 16, 16, CKF_SN_VR }, PR_TRUE },
+     /* ------------------------- Camellia Operations --------------------- */
+     { CKM_CAMELLIA_KEY_GEN, { 16, 32, CKF_GENERATE }, PR_TRUE },
+@@ -518,7 +518,8 @@ static const struct mechanismList mechan
+     /* --------------------IPSEC ----------------------- */
+     { CKM_NSS_IKE_PRF_PLUS_DERIVE, { 8, 255 * 64, CKF_DERIVE }, PR_TRUE },
+     { CKM_NSS_IKE_PRF_DERIVE, { 8, 64, CKF_DERIVE }, PR_TRUE },
+-    { CKM_NSS_IKE1_PRF_DERIVE, { 8, 64, CKF_DERIVE }, PR_TRUE }
++    { CKM_NSS_IKE1_PRF_DERIVE, { 8, 64, CKF_DERIVE }, PR_TRUE },
++    { CKM_NSS_IKE1_APP_B_PRF_DERIVE, { 8, 255 * 64, CKF_DERIVE }, PR_TRUE }
+ };
+ static const CK_ULONG mechanismCount = sizeof(mechanisms) / sizeof(mechanisms[0]);
+ 
diff --git a/nss.spec b/nss.spec
index dbb4a98..8d35636 100644
--- a/nss.spec
+++ b/nss.spec
@@ -43,7 +43,7 @@ rpm.define(string.format("nss_release_tag NSS_%s_RTM",
 Summary:          Network Security Services
 Name:             nss
 Version:          %{nss_version}
-Release:          2%{?dist}
+Release:          3%{?dist}
 License:          MPLv2.0
 URL:              http://www.mozilla.org/projects/security/pki/nss/
 Requires:         nspr >= %{nspr_version}
@@ -105,6 +105,8 @@ Patch2:           nss-539183.patch
 # Once the buildroot aha been bootstrapped the patch may be removed
 # but it doesn't hurt to keep it.
 Patch4:           iquote.patch
+# add missing ike mechanism to softoken
+Patch10:          nss-3.47-ike-fix.patch
 
 %description
 Network Security Services (NSS) is a set of libraries designed to
@@ -870,6 +872,9 @@ update-crypto-policies &> /dev/null || :
 
 
 %changelog
+* Mon Nov 7 2019 Bob Relyea <rrelyea@redhat.com> - 3.47.0-3
+- Include ike mechanism fix
+
 * Wed Oct 23 2019 Daiki Ueno <dueno@redhat.com> - 3.47.0-2
 - Install cmac.h required by blapi.h (#1764513)