Resolves: rhbz#1768652

NSS softoken does not include CKM_NSS_IKE1_APP_B_PRF_DERIVE in it's mechanism list, causing libreswan to crash.
2019-11-04 13:51:40 -08:00 · 2019-11-04 13:51:40 -08:00 · 2ec4745f30
commit 2ec4745f30
parent 626f1941fd
2 changed files with 28 additions and 1 deletions
--- a/nss-3.47-ike-fix.patch
+++ b/nss-3.47-ike-fix.patch
@ -0,0 +1,22 @@
 diff -up ./lib/softoken/pkcs11.c.ike_fix ./lib/softoken/pkcs11.c
 --- ./lib/softoken/pkcs11.c.ike_fix	2019-11-04 10:15:08.022176945 -0800
 +++ ./lib/softoken/pkcs11.c	2019-11-04 10:17:35.396733750 -0800
@@ -330,7 +330,7 @@ static const struct mechanismList mechan
     { CKM_AES_CTS, { 16, 32, CKF_EN_DE }, PR_TRUE },
     { CKM_AES_CTR, { 16, 32, CKF_EN_DE }, PR_TRUE },
     { CKM_AES_GCM, { 16, 32, CKF_EN_DE }, PR_TRUE },
 -    { CKM_AES_XCBC_MAC_96, { 16, 16, CKF_SN_VR }, PR_TRUE },
 +    { CKM_AES_XCBC_MAC_96, { 12, 12, CKF_SN_VR }, PR_TRUE },
     { CKM_AES_XCBC_MAC, { 16, 16, CKF_SN_VR }, PR_TRUE },
     /* ------------------------- Camellia Operations --------------------- */
     { CKM_CAMELLIA_KEY_GEN, { 16, 32, CKF_GENERATE }, PR_TRUE },
@@ -518,7 +518,8 @@ static const struct mechanismList mechan
     /* --------------------IPSEC ----------------------- */
     { CKM_NSS_IKE_PRF_PLUS_DERIVE, { 8, 255 * 64, CKF_DERIVE }, PR_TRUE },
     { CKM_NSS_IKE_PRF_DERIVE, { 8, 64, CKF_DERIVE }, PR_TRUE },
 -    { CKM_NSS_IKE1_PRF_DERIVE, { 8, 64, CKF_DERIVE }, PR_TRUE }
 +    { CKM_NSS_IKE1_PRF_DERIVE, { 8, 64, CKF_DERIVE }, PR_TRUE },
 +    { CKM_NSS_IKE1_APP_B_PRF_DERIVE, { 8, 255 * 64, CKF_DERIVE }, PR_TRUE }
 };
 static const CK_ULONG mechanismCount = sizeof(mechanisms) / sizeof(mechanisms[0]);
--- a/nss.spec
+++ b/nss.spec
@ -43,7 +43,7 @@ rpm.define(string.format("nss_release_tag NSS_%s_RTM",
 Summary:          Network Security Services
 Name:             nss
 Version:          %{nss_version}
-Release:          2%{?dist}
+Release:          3%{?dist}
 License:          MPLv2.0
 URL:              http://www.mozilla.org/projects/security/pki/nss/
 Requires:         nspr >= %{nspr_version}
@ -105,6 +105,8 @@ Patch2:           nss-539183.patch
 # Once the buildroot aha been bootstrapped the patch may be removed
 # but it doesn't hurt to keep it.
 Patch4:           iquote.patch
 # add missing ike mechanism to softoken
 Patch10:          nss-3.47-ike-fix.patch
 %description
 Network Security Services (NSS) is a set of libraries designed to
@ -870,6 +872,9 @@ update-crypto-policies &> /dev/null || :
 %changelog
 * Mon Nov 7 2019 Bob Relyea <rrelyea@redhat.com> - 3.47.0-3
 - Include ike mechanism fix
 * Wed Oct 23 2019 Daiki Ueno <dueno@redhat.com> - 3.47.0-2
 - Install cmac.h required by blapi.h (#1764513)