rpms / nss

Clone
Source Code
GIT

Blame SOURCES/nss-3.66-disable-signature-policies.patch

c4 c5 c5-plus c6 c6-plus c7 c7-aarch64 c7-alt c7-beta c8 c8-beta c8-sig-altarch-armhfp c8s c9 c9-beta
  1.   c2a015fc32b6b9aa9be94f6a0dd8378aee6206aa
  2.   SOURCES
  3.   nss-3.66-disable-signature-policies.patch
Blob History Raw
c2a015 
diff -up ./lib/pk11wrap/pk11pars.c.no_signature_policy ./lib/pk11wrap/pk11pars.c
c2a015 
--- ./lib/pk11wrap/pk11pars.c.no_signature_policy	2021-06-03 10:08:49.988118880 -0700
c2a015 
+++ ./lib/pk11wrap/pk11pars.c	2021-06-03 10:16:26.059935708 -0700
c2a015 
@@ -391,12 +391,9 @@ static const oidValDef signOptList[] = {
8b3762 
     /* Signatures */
8b3762 
     { CIPHER_NAME("DSA"), SEC_OID_ANSIX9_DSA_SIGNATURE,
8b3762 
       NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_SIGNATURE },
8b3762 
-    { CIPHER_NAME("RSA-PKCS"), SEC_OID_PKCS1_RSA_ENCRYPTION,
8b3762 
-      NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_SIGNATURE },
8b3762 
-    { CIPHER_NAME("RSA-PSS"), SEC_OID_PKCS1_RSA_PSS_SIGNATURE,
8b3762 
-      NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_SIGNATURE },
8b3762 
-    { CIPHER_NAME("ECDSA"), SEC_OID_ANSIX962_EC_PUBLIC_KEY,
8b3762 
-      NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_SIGNATURE },
c2a015 
+    { CIPHER_NAME("RSA-PKCS"), SEC_OID_PKCS1_RSA_ENCRYPTION, 0},
c2a015 
+    { CIPHER_NAME("RSA-PSS"), SEC_OID_PKCS1_RSA_PSS_SIGNATURE, 0},
c2a015 
+    { CIPHER_NAME("ECDSA"), SEC_OID_ANSIX962_EC_PUBLIC_KEY, 0},
8b3762 
 };
8b3762
8b3762 
 typedef struct {
c2a015 
@@ -412,7 +409,7 @@ static const algListsDef algOptLists[] =
8b3762 
     { macOptList, PR_ARRAY_SIZE(macOptList), "MAC", PR_FALSE },
8b3762 
     { cipherOptList, PR_ARRAY_SIZE(cipherOptList), "CIPHER", PR_FALSE },
8b3762 
     { kxOptList, PR_ARRAY_SIZE(kxOptList), "OTHER-KX", PR_FALSE },
8b3762 
-    { signOptList, PR_ARRAY_SIZE(signOptList), "OTHER-SIGN", PR_FALSE },
8b3762 
+    { signOptList, PR_ARRAY_SIZE(signOptList), "OTHER-SIGN", PR_TRUE },
8b3762 
 };
8b3762
8b3762 
 static const optionFreeDef sslOptList[] = {
8b3762 
diff -up ./tests/ssl/sslpolicy.txt.policy_revert ./tests/ssl/sslpolicy.txt
8b3762 
--- ./tests/ssl/sslpolicy.txt.policy_revert	2020-11-04 10:31:20.837715397 -0800
8b3762 
+++ ./tests/ssl/sslpolicy.txt	2020-11-04 10:33:19.598357223 -0800
8b3762 
@@ -193,7 +193,9 @@
8b3762 
   1 noECC  SSL3   d    disallow=all_allow=hmac-sha1:sha256:rsa-pkcs:rsa:des-ede3-cbc:tls-version-min=tls1.0:tls-version-max=tls1.2 Disallow Version Implicitly Narrow
8b3762 
   1 noECC  SSL3   d    disallow=all_allow=md2/all:md4/all:md5/all:sha1/all:sha256/all:sha384/all:sha512/all:rsa-pkcs/all:rsa-pss/all:ecdsa/all:dsa/all:hmac-sha1/all:hmac-sha224/all:hmac-sha256/all:hmac-sha384/all:hmac-sha512/all:hmac-md5/all:camellia128-cbc/all:camellia192-cbc/all:camellia256-cbc/all:seed-cbc/all:des-ede3-cbc/all:des-40-cbc/all:des-cbc/all:null-cipher/all:rc2/all:rc4/all:idea/all:rsa/all:rsa-export/all:dhe-rsa/all:dhe-dss/all:ecdhe-ecdsa/all:ecdhe-rsa/all:ecdh-ecdsa/all:ecdh-rsa/all:tls-version-min=tls1.0:tls-version-max=tls1.2 Disallow Version Implicitly
8b3762 
   0 noECC  SSL3   d    disallow=dsa Disallow DSA Signatures Explicitly
8b3762 
-  1 noECC  SSL3   d    disallow=rsa-pkcs Disallow RSA PKCS 1 Signatures Explicitly
8b3762 
+# rsa-pkcs, rsa-pss, and ecdsa policy checking reverted in rhel8 for binary
8b3762 
+# compatibility reasons
8b3762 
+#  1 noECC  SSL3   d    disallow=rsa-pkcs Disallow RSA PKCS 1 Signatures Explicitly
8b3762 
 # test default settings
8b3762 
 # NOTE: tstclient will attempt to overide the defaults, so we detect we
8b3762 
 # were successful by locking in our settings

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation