Apply CMAC fixes from upstream
This commit is contained in:
parent
aa7d80b11e
commit
7f30e21d0f
75
nss-cmac-fixes.patch
Normal file
75
nss-cmac-fixes.patch
Normal file
@ -0,0 +1,75 @@
|
|||||||
|
# HG changeset patch
|
||||||
|
# User Robert Relyea <rrelyea@redhat.com>
|
||||||
|
# Date 1581383641 28800
|
||||||
|
# Mon Feb 10 17:14:01 2020 -0800
|
||||||
|
# Node ID df142975f4f695f84a662abdd27219c21c87c8d1
|
||||||
|
# Parent 046a6f5bfb271ed03ed6a93e3f879d57905999c5
|
||||||
|
Bug 1611209 - Value of CKM_AES_CMAC and CKM_AES_CMAC_GENERAL are swapped r=rrelyea
|
||||||
|
|
||||||
|
diff --git a/lib/util/pkcs11t.h b/lib/util/pkcs11t.h
|
||||||
|
--- a/lib/util/pkcs11t.h
|
||||||
|
+++ b/lib/util/pkcs11t.h
|
||||||
|
@@ -898,8 +898,8 @@ typedef CK_ULONG CK_MECHANISM_TYPE;
|
||||||
|
#define CKM_AES_CCM 0x00001088
|
||||||
|
#define CKM_AES_CTS 0x00001089
|
||||||
|
/* AES-CMAC values copied from v2.40 errata 1 header file */
|
||||||
|
-#define CKM_AES_CMAC_GENERAL 0x0000108A
|
||||||
|
-#define CKM_AES_CMAC 0x0000108B
|
||||||
|
+#define CKM_AES_CMAC 0x0000108A
|
||||||
|
+#define CKM_AES_CMAC_GENERAL 0x0000108B
|
||||||
|
#define CKM_AES_XCBC_MAC 0x0000108C
|
||||||
|
#define CKM_AES_XCBC_MAC_96 0x0000108D
|
||||||
|
|
||||||
|
# HG changeset patch
|
||||||
|
# User Robert Relyea <rrelyea@redhat.com>
|
||||||
|
# Date 1581371554 28800
|
||||||
|
# Mon Feb 10 13:52:34 2020 -0800
|
||||||
|
# Node ID 046a6f5bfb271ed03ed6a93e3f879d57905999c5
|
||||||
|
# Parent f161f15f8c8d37070aa5763a1edd91cbbc7c54fb
|
||||||
|
Bug 1610687 - Crash on unaligned CMACContext.aes.keySchedule when using AES-NI intrinsics r=kjacobs
|
||||||
|
https://phabricator.services.mozilla.com/D60699
|
||||||
|
|
||||||
|
diff --git a/lib/freebl/cmac.c b/lib/freebl/cmac.c
|
||||||
|
--- a/lib/freebl/cmac.c
|
||||||
|
+++ b/lib/freebl/cmac.c
|
||||||
|
@@ -22,7 +22,7 @@ struct CMACContextStr {
|
||||||
|
* add a new Context pointer to the cipher union with the correct type. */
|
||||||
|
CMACCipher cipherType;
|
||||||
|
union {
|
||||||
|
- AESContext aes;
|
||||||
|
+ AESContext *aes;
|
||||||
|
} cipher;
|
||||||
|
int blockSize;
|
||||||
|
|
||||||
|
@@ -62,7 +62,7 @@ cmac_Encrypt(CMACContext *ctx, unsigned
|
||||||
|
{
|
||||||
|
if (ctx->cipherType == CMAC_AES) {
|
||||||
|
unsigned int tmpOutputLen;
|
||||||
|
- SECStatus rv = AES_Encrypt(&ctx->cipher.aes, output, &tmpOutputLen,
|
||||||
|
+ SECStatus rv = AES_Encrypt(ctx->cipher.aes, output, &tmpOutputLen,
|
||||||
|
ctx->blockSize, input, inputLen);
|
||||||
|
|
||||||
|
/* Assumption: AES_Encrypt (when in ECB mode) always returns an
|
||||||
|
@@ -156,8 +156,9 @@ CMAC_Init(CMACContext *ctx, CMACCipher t
|
||||||
|
|
||||||
|
ctx->blockSize = AES_BLOCK_SIZE;
|
||||||
|
ctx->cipherType = CMAC_AES;
|
||||||
|
- if (AES_InitContext(&ctx->cipher.aes, key, key_len, NULL, NSS_AES, 1,
|
||||||
|
- ctx->blockSize) != SECSuccess) {
|
||||||
|
+ ctx->cipher.aes = AES_CreateContext(key, NULL, NSS_AES, 1, key_len,
|
||||||
|
+ ctx->blockSize);
|
||||||
|
+ if (ctx->cipher.aes == NULL) {
|
||||||
|
return SECFailure;
|
||||||
|
}
|
||||||
|
|
||||||
|
@@ -308,8 +309,8 @@ CMAC_Destroy(CMACContext *ctx, PRBool fr
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
|
- if (ctx->cipherType == CMAC_AES) {
|
||||||
|
- AES_DestroyContext(&ctx->cipher.aes, PR_FALSE);
|
||||||
|
+ if (ctx->cipherType == CMAC_AES && ctx->cipher.aes != NULL) {
|
||||||
|
+ AES_DestroyContext(ctx->cipher.aes, PR_TRUE);
|
||||||
|
}
|
||||||
|
|
||||||
|
/* Destroy everything in the context. This includes sensitive data in
|
8
nss.spec
8
nss.spec
@ -43,7 +43,7 @@ rpm.define(string.format("nss_release_tag NSS_%s_RTM",
|
|||||||
Summary: Network Security Services
|
Summary: Network Security Services
|
||||||
Name: nss
|
Name: nss
|
||||||
Version: %{nss_version}
|
Version: %{nss_version}
|
||||||
Release: 1%{?dist}
|
Release: 2%{?dist}
|
||||||
License: MPLv2.0
|
License: MPLv2.0
|
||||||
URL: http://www.mozilla.org/projects/security/pki/nss/
|
URL: http://www.mozilla.org/projects/security/pki/nss/
|
||||||
Requires: nspr >= %{nspr_version}
|
Requires: nspr >= %{nspr_version}
|
||||||
@ -115,6 +115,9 @@ Patch11: nss-tls13-default.patch
|
|||||||
Patch12: nss-signtool-format.patch
|
Patch12: nss-signtool-format.patch
|
||||||
# https://github.com/FStarLang/kremlin/issues/166
|
# https://github.com/FStarLang/kremlin/issues/166
|
||||||
Patch13: nss-kremlin-ppc64le.patch
|
Patch13: nss-kremlin-ppc64le.patch
|
||||||
|
# https://bugzilla.mozilla.org/show_bug.cgi?id=1611209
|
||||||
|
# https://bugzilla.mozilla.org/show_bug.cgi?id=1610687
|
||||||
|
Patch14: nss-cmac-fixes.patch
|
||||||
|
|
||||||
%description
|
%description
|
||||||
Network Security Services (NSS) is a set of libraries designed to
|
Network Security Services (NSS) is a set of libraries designed to
|
||||||
@ -886,6 +889,9 @@ update-crypto-policies &> /dev/null || :
|
|||||||
|
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Thu Mar 5 2020 Daiki Ueno <dueno@redhat.com> - 3.50.0-2
|
||||||
|
- Apply CMAC fixes from upstream
|
||||||
|
|
||||||
* Mon Feb 17 2020 Daiki Ueno <dueno@redhat.com> - 3.50.0-1
|
* Mon Feb 17 2020 Daiki Ueno <dueno@redhat.com> - 3.50.0-1
|
||||||
- Update to NSS 3.50
|
- Update to NSS 3.50
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user