From c409805d4536aa2be445d7c60121ee21203d14ca Mon Sep 17 00:00:00 2001 From: Elio Maldonado Date: Tue, 17 May 2011 09:07:55 -0700 Subject: [PATCH] - Fix crmf hard-coded maximum size for wrapped private keys (#703658) - Use the safer bound off - ( ( RSA_MAX_MODULUS_BITS / 8 ) *8 ) = RSA_MAX_MODULUS_BITS - which will accomodate other algorithms --- nss-703658.patch | 47 +++++++++++++++++++++++++++++++++++++++++++++++ nss.spec | 7 ++++++- 2 files changed, 53 insertions(+), 1 deletion(-) create mode 100644 nss-703658.patch diff --git a/nss-703658.patch b/nss-703658.patch new file mode 100644 index 0000000..182a593 --- /dev/null +++ b/nss-703658.patch @@ -0,0 +1,47 @@ +Index: mozilla/security/nss/lib/crmf/crmfi.h +=================================================================== +RCS file: /cvsroot/mozilla/security/nss/lib/crmf/crmfi.h,v +retrieving revision 1.4 +diff -u -u -r1.4 crmfi.h +--- mozilla/security/nss/lib/crmf/crmfi.h 15 Jan 2011 19:47:11 -0000 1.4 ++++ mozilla/security/nss/lib/crmf/crmfi.h 11 May 2011 20:06:26 -0000 +@@ -46,10 +46,38 @@ + #include "secasn1.h" + #include "crmfit.h" + #include "secerr.h" ++#include "blapit.h" + + #define CRMF_DEFAULT_ARENA_SIZE 1024 +-#define MAX_WRAPPED_KEY_LEN 2048 + ++/* ++ * Explanation for the definition of MAX_WRAPPED_KEY_LEN: ++ * ++ * It's used for internal buffers to transport a wrapped private key. ++ * The value is in BYTES. ++ * We want to define a reasonable upper bound for this value. ++ * Ideally this could be calculated, but in order to simplify the code ++ * we want to estimate the maximum requires size. ++ * See also mozilla bug 655850 for the full explanation. ++ * ++ * We know the largest wrapped keys are RSA keys. ++ * We'll estimate the maximum size needed for wrapped RSA keys, ++ * and assume it's sufficient for wrapped keys of any type we support. ++ * ++ * The maximum size of RSA keys in bits is defined elsewhere as ++ * RSA_MAX_MODULUS_BITS ++ * ++ * The idea is to define MAX_WRAPPED_KEY_LEN based on the above. ++ * ++ * A wrapped RSA key requires about ++ * ( ( RSA_MAX_MODULUS_BITS / 8 ) * 5.5) + 65 ++ * bytes. ++ * ++ * Therefore, a safe upper bound is: ++ * ( ( RSA_MAX_MODULUS_BITS / 8 ) *8 ) = RSA_MAX_MODULUS_BITS ++ * ++ */ ++#define MAX_WRAPPED_KEY_LEN RSA_MAX_MODULUS_BITS + + #define CRMF_BITS_TO_BYTES(bits) (((bits)+7)/8) + #define CRMF_BYTES_TO_BITS(bytes) ((bytes)*8) diff --git a/nss.spec b/nss.spec index ed98692..8d50765 100644 --- a/nss.spec +++ b/nss.spec @@ -6,7 +6,7 @@ Summary: Network Security Services Name: nss Version: 3.12.10 -Release: 1%{?dist} +Release: 2%{?dist} License: MPLv1.1 or GPLv2+ or LGPLv2+ URL: http://www.mozilla.org/projects/security/pki/nss/ Group: System Environment/Libraries @@ -44,6 +44,7 @@ Patch6: nss-enable-pem.patch Patch7: nsspem-642433.patch Patch8: 0001-Bug-695011-PEM-logging.patch Patch16: nss-539183.patch +Patch17: nss-703658.patch %description Network Security Services (NSS) is a set of libraries designed to @@ -118,6 +119,7 @@ low level services. %patch7 -p0 -b .642433 %patch8 -p1 -b .695011 %patch16 -p0 -b .539183 +%patch17 -p0 -b .703658 %build @@ -511,6 +513,9 @@ rm -rf $RPM_BUILD_ROOT/%{_includedir}/nss3/nsslowhash.h %changelog +* Tue May 17 2011 Elio Maldonado - 3.12.10-2 +- Fix crmf hard-coded maximum size for wrapped private keys (#703658) + * Fri May 06 2011 Elio Maldonado - 3.12.10-1 - Update to NSS_3_12_10_RTM