diff --git a/Bug-896651-pem-dont-trash-keys-on-failed-login.patch b/Bug-896651-pem-dont-trash-keys-on-failed-login.patch new file mode 100644 index 0000000..c7a301f --- /dev/null +++ b/Bug-896651-pem-dont-trash-keys-on-failed-login.patch @@ -0,0 +1,44 @@ +--- mozilla/security/nss/lib/ckfw/pem/psession.c ++++ mozilla/security/nss/lib/ckfw/pem/psession.c +@@ -230,6 +230,7 @@ pem_mdSession_Login + unsigned int len = 0; + NSSLOWKEYPrivateKey *lpk = NULL; + PLArenaPool *arena; ++ SECItem plain; + int i; + + fwSlot = NSSCKFWToken_GetFWSlot(fwToken); +@@ -306,23 +321,27 @@ pem_mdSession_Login + lpk->keyType = NSSLOWKEYRSAKey; + prepare_low_rsa_priv_key_for_asn1(lpk); + +- nss_ZFreeIf(io->u.key.key.privateKey->data); +- io->u.key.key.privateKey->len = len - output[len - 1]; +- io->u.key.key.privateKey->data = +- (void *) nss_ZAlloc(NULL, io->u.key.key.privateKey->len); +- memcpy(io->u.key.key.privateKey->data, output, len - output[len - 1]); + + /* Decode the resulting blob and see if it is a decodable DER that fits + * our private key template. If so we declare success and move on. If not + * then we return an error. + */ ++ memset(&plain, 0, sizeof(plain)); ++ plain.data = output; ++ plain.len = len - output[len - 1]; + rv = SEC_QuickDERDecodeItem(arena, lpk, pem_RSAPrivateKeyTemplate, +- io->u.key.key.privateKey); ++ &plain); + pem_DestroyPrivateKey(lpk); + arena = NULL; + if (rv != SECSuccess) + goto loser; + ++ nss_ZFreeIf(io->u.key.key.privateKey->data); ++ io->u.key.key.privateKey->len = len - output[len - 1]; ++ io->u.key.key.privateKey->data = ++ (void *) nss_ZAlloc(NULL, io->u.key.key.privateKey->len); ++ memcpy(io->u.key.key.privateKey->data, output, len - output[len - 1]); ++ + rv = CKR_OK; + + loser: diff --git a/nss.spec b/nss.spec index 2df2406..5993ca8 100644 --- a/nss.spec +++ b/nss.spec @@ -79,6 +79,7 @@ Patch40: nss-3.14.0.0-disble-ocsp-test.patch # Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=835919 Patch43: no-softoken-freebl-tests.patch Patch44: 0001-sync-up-with-upstream-softokn-changes.patch +Patch45: Bug-896651-pem-dont-trash-keys-on-failed-login.patch %description Network Security Services (NSS) is a set of libraries designed to @@ -164,6 +165,7 @@ low level services. %patch40 -p1 -b .noocsptest %patch43 -p0 -b .nosoftokentests %patch44 -p1 -b .syncupwithupstream +%patch45 -p0 -b .notrash %build @@ -204,7 +206,7 @@ export USE_SYSTEM_FREEBL=1 NSS_USE_SYSTEM_SQLITE=1 export NSS_USE_SYSTEM_SQLITE -%ifarch x86_64 ppc64 ia64 s390x sparc64 +%ifarch x86_64 ppc64 ia64 s390x sparc64 aarch64 USE_64=1 export USE_64 %endif @@ -299,7 +301,7 @@ export FREEBL_NO_DEPEND BUILD_OPT=1 export BUILD_OPT -%ifarch x86_64 ppc64 ia64 s390x sparc64 +%ifarch x86_64 ppc64 ia64 s390x sparc64 aarch64 USE_64=1 export USE_64 %endif @@ -612,6 +614,9 @@ rm -f $RPM_BUILD_ROOT/%{_includedir}/nss3/nsslowhash.h * Fri Feb 15 2013 Elio Maldonado - 3.14.3-1 - Update to NSS_3_14_3_RTM - sync up pem rsawrapr.c with softoken upstream changes for nss-3.14.3 +- Resolves: rhbz#896651 - PEM module trashes private keys if login fails +- Resolves: rhbz#909775 - specfile support for AArch64 +- Resolves: rhbz#910584 - certutil -a does not produce ASCII output * Mon Feb 04 2013 Elio Maldonado - 3.14.2-2 - Allow building nss against older system sqlite