diff --git a/SOURCES/nss-3.79-pkcs12-fips-defaults.patch b/SOURCES/nss-3.79-pkcs12-fips-defaults.patch new file mode 100644 index 0000000..fd8cb4d --- /dev/null +++ b/SOURCES/nss-3.79-pkcs12-fips-defaults.patch @@ -0,0 +1,25 @@ +diff -up ./cmd/pk12util/pk12util.c.pkcs12_fips_defaults ./cmd/pk12util/pk12util.c +--- ./cmd/pk12util/pk12util.c.pkcs12_fips_defaults 2022-07-20 13:40:24.152212683 -0700 ++++ ./cmd/pk12util/pk12util.c 2022-07-20 13:42:40.031094190 -0700 +@@ -1146,6 +1146,11 @@ main(int argc, char **argv) + goto done; + } + ++ if (PK11_IsFIPS()) { ++ cipher = SEC_OID_AES_256_CBC; ++ certCipher = SEC_OID_AES_128_CBC; ++ } ++ + if (pk12util.options[opt_Cipher].activated) { + char *cipherString = pk12util.options[opt_Cipher].arg; + +@@ -1160,9 +1165,6 @@ main(int argc, char **argv) + } + } + +- if (PK11_IsFIPS()) { +- certCipher = SEC_OID_UNKNOWN; +- } + if (pk12util.options[opt_CertCipher].activated) { + char *cipherString = pk12util.options[opt_CertCipher].arg; + diff --git a/SOURCES/nss-3.79-pkcs12-fix-null-password.patch b/SOURCES/nss-3.79-pkcs12-fix-null-password.patch new file mode 100644 index 0000000..1195e5c --- /dev/null +++ b/SOURCES/nss-3.79-pkcs12-fix-null-password.patch @@ -0,0 +1,21 @@ +diff -up ./lib/pkcs12/p12local.c.fix_null_password ./lib/pkcs12/p12local.c +--- ./lib/pkcs12/p12local.c.fix_null_password 2022-07-20 14:15:45.081009438 -0700 ++++ ./lib/pkcs12/p12local.c 2022-07-20 14:19:40.856546963 -0700 +@@ -968,15 +968,14 @@ sec_pkcs12_convert_item_to_unicode(PLAre + if (zeroTerm) { + /* unicode adds two nulls at the end */ + if (toUnicode) { +- if ((dest->len >= 2) && +- (dest->data[dest->len - 1] || dest->data[dest->len - 2])) { ++ if ((dest->len < 2) || dest->data[dest->len - 1] || dest->data[dest->len - 2]) { + /* we've already allocated space for these new NULLs */ + PORT_Assert(dest->len + 2 <= bufferSize); + dest->len += 2; + dest->data[dest->len - 1] = dest->data[dest->len - 2] = 0; + } + /* ascii/utf-8 adds just 1 */ +- } else if ((dest->len >= 1) && dest->data[dest->len - 1]) { ++ } else if (!dest->len || dest->data[dest->len - 1]) { + PORT_Assert(dest->len + 1 <= bufferSize); + dest->len++; + dest->data[dest->len - 1] = 0; diff --git a/SPECS/nss.spec b/SPECS/nss.spec index 238cbf8..dd32c68 100644 --- a/SPECS/nss.spec +++ b/SPECS/nss.spec @@ -63,7 +63,7 @@ print(string.sub(hash, 0, 16)) Summary: Network Security Services Name: nss Version: %{nss_version} -Release: 7%{?dist} +Release: 8%{?dist} License: MPLv2.0 URL: http://www.mozilla.org/projects/security/pki/nss/ Requires: nspr >= %{nspr_version}%{nspr_release} @@ -153,6 +153,8 @@ Patch45: nss-3.66-disable-external-host-test.patch Patch50: nss-3.66-restore-old-pkcs12-default.patch # Local Patch: restore expired distrusted certs for now Patch51: nss-3.79-revert-distrusted-certs.patch +# Local Patch: update fipsdefaults to AES +Patch52: nss-3.79-pkcs12-fips-defaults.patch # https://bugzilla.redhat.com/show_bug.cgi?id=1774659 Patch60: nss-3.79-dbtool.patch @@ -163,8 +165,7 @@ Patch63: nss-3.79-fix-client-cert-crash.patch Patch64: nss-3.79-rhel-8-fips-signature-policy.patch Patch65: nss-3.79-enable-POST-rerun.patch Patch66: nss-3.79-increase-pbe-cache.patch - - +Patch67: /nss-3.79-pkcs12-fix-null-password.patch %description Network Security Services (NSS) is a set of libraries designed to @@ -941,6 +942,10 @@ update-crypto-policies --no-reload &> /dev/null || : %changelog +* Wed Jul 13 2022 Bob Relyea - 3.79.0-8 +- Update fips default for pk12util to AES rather than TDES +- Fix bug in pkcs12 files with null passwords + * Wed Jul 6 2022 Bob Relyea - 3.79.0-7 - Better fix for test regressions