[nss] - Fix crmf hard-coded maximum size for wrapped private keys (#703658)
Elio Maldonado
emaldonado at fedoraproject.org
Tue May 17 16:14:01 UTC 2011
commit c409805d4536aa2be445d7c60121ee21203d14ca
Author: Elio Maldonado <emaldona at ruminate4fedora.localdomain>
Date: Tue May 17 09:07:55 2011 -0700
- Fix crmf hard-coded maximum size for wrapped private keys (#703658)
- Use the safer bound off
- ( ( RSA_MAX_MODULUS_BITS / 8 ) *8 ) = RSA_MAX_MODULUS_BITS
- which will accomodate other algorithms
nss-703658.patch | 47 +++++++++++++++++++++++++++++++++++++++++++++++
nss.spec | 7 ++++++-
2 files changed, 53 insertions(+), 1 deletions(-)
---
diff --git a/nss-703658.patch b/nss-703658.patch
new file mode 100644
index 0000000..182a593
--- /dev/null
+++ b/nss-703658.patch
@@ -0,0 +1,47 @@
+Index: mozilla/security/nss/lib/crmf/crmfi.h
+===================================================================
+RCS file: /cvsroot/mozilla/security/nss/lib/crmf/crmfi.h,v
+retrieving revision 1.4
+diff -u -u -r1.4 crmfi.h
+--- mozilla/security/nss/lib/crmf/crmfi.h 15 Jan 2011 19:47:11 -0000 1.4
++++ mozilla/security/nss/lib/crmf/crmfi.h 11 May 2011 20:06:26 -0000
+@@ -46,10 +46,38 @@
+ #include "secasn1.h"
+ #include "crmfit.h"
+ #include "secerr.h"
++#include "blapit.h"
+
+ #define CRMF_DEFAULT_ARENA_SIZE 1024
+-#define MAX_WRAPPED_KEY_LEN 2048
+
++/*
++ * Explanation for the definition of MAX_WRAPPED_KEY_LEN:
++ *
++ * It's used for internal buffers to transport a wrapped private key.
++ * The value is in BYTES.
++ * We want to define a reasonable upper bound for this value.
++ * Ideally this could be calculated, but in order to simplify the code
++ * we want to estimate the maximum requires size.
++ * See also mozilla bug 655850 for the full explanation.
++ *
++ * We know the largest wrapped keys are RSA keys.
++ * We'll estimate the maximum size needed for wrapped RSA keys,
++ * and assume it's sufficient for wrapped keys of any type we support.
++ *
++ * The maximum size of RSA keys in bits is defined elsewhere as
++ * RSA_MAX_MODULUS_BITS
++ *
++ * The idea is to define MAX_WRAPPED_KEY_LEN based on the above.
++ *
++ * A wrapped RSA key requires about
++ * ( ( RSA_MAX_MODULUS_BITS / 8 ) * 5.5) + 65
++ * bytes.
++ *
++ * Therefore, a safe upper bound is:
++ * ( ( RSA_MAX_MODULUS_BITS / 8 ) *8 ) = RSA_MAX_MODULUS_BITS
++ *
++ */
++#define MAX_WRAPPED_KEY_LEN RSA_MAX_MODULUS_BITS
+
+ #define CRMF_BITS_TO_BYTES(bits) (((bits)+7)/8)
+ #define CRMF_BYTES_TO_BITS(bytes) ((bytes)*8)
diff --git a/nss.spec b/nss.spec
index ed98692..8d50765 100644
--- a/nss.spec
+++ b/nss.spec
@@ -6,7 +6,7 @@
Summary: Network Security Services
Name: nss
Version: 3.12.10
-Release: 1%{?dist}
+Release: 2%{?dist}
License: MPLv1.1 or GPLv2+ or LGPLv2+
URL: http://www.mozilla.org/projects/security/pki/nss/
Group: System Environment/Libraries
@@ -44,6 +44,7 @@ Patch6: nss-enable-pem.patch
Patch7: nsspem-642433.patch
Patch8: 0001-Bug-695011-PEM-logging.patch
Patch16: nss-539183.patch
+Patch17: nss-703658.patch
%description
Network Security Services (NSS) is a set of libraries designed to
@@ -118,6 +119,7 @@ low level services.
%patch7 -p0 -b .642433
%patch8 -p1 -b .695011
%patch16 -p0 -b .539183
+%patch17 -p0 -b .703658
%build
@@ -511,6 +513,9 @@ rm -rf $RPM_BUILD_ROOT/%{_includedir}/nss3/nsslowhash.h
%changelog
+* Tue May 17 2011 Elio Maldonado <emaldona at redhat.com> - 3.12.10-2
+- Fix crmf hard-coded maximum size for wrapped private keys (#703658)
+
* Fri May 06 2011 Elio Maldonado <emaldona at redhat.com> - 3.12.10-1
- Update to NSS_3_12_10_RTM
More information about the scm-commits
mailing list