Resolves: rhbz#1978038

Allow NSS to use databases which have been updated from dbm to sql on an unpacked version of nss. (prevented pesign from working).
2021-07-01 15:12:42 -07:00 · 2021-07-01 15:12:42 -07:00 · 8e1aafaab1
commit 8e1aafaab1
parent 4c08989645
2 changed files with 36 additions and 55 deletions
--- a/nss-3.67-fix-private-key-mac.patch
+++ b/nss-3.67-fix-private-key-mac.patch
@ -1,12 +1,7 @@
-diff --git a/lib/softoken/sftkpwd.c b/lib/softoken/sftkpwd.c
--- a/lib/softoken/sftkpwd.c
-+++ b/lib/softoken/sftkpwd.c
-@@ -277,17 +277,19 @@ sftkdb_DecryptAttribute(SFTKDBHandle *ha
-     *plain = nsspkcs5_CipherData(cipherValue.param, passKey, &cipherValue.value,
-                                  PR_FALSE, NULL);
-     if (*plain == NULL) {
-         rv = SECFailure;
-         goto loser;
+diff -up ./lib/softoken/sftkpwd.c.orig ./lib/softoken/sftkpwd.c
+--- ./lib/softoken/sftkpwd.c.orig	2021-06-10 05:33:12.000000000 -0700
+++ ./lib/softoken/sftkpwd.c	2021-07-01 14:04:34.068596942 -0700
+@@ -287,9 +287,12 @@ sftkdb_DecryptAttribute(SFTKDBHandle *ha
     }
 
     /* If we are using aes 256, we need to check authentication as well.*/
@ -16,29 +11,38 @@ diff --git a/lib/softoken/sftkpwd.c b/lib/softoken/sftkpwd.c
 +        (cipherValue.param->encAlg == SEC_OID_AES_256_CBC)) {
         SECItem signature;
         unsigned char signData[SDB_MAX_META_DATA_LEN];
+        CK_RV crv;
 
         /* if we get here from the old legacy db, there is clearly an
          * error, don't return the plaintext */
-         if (handle == NULL) {
-             rv = SECFailure;
-             PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
-@@ -299,17 +301,27 @@ sftkdb_DecryptAttribute(SFTKDBHandle *ha
-         rv = sftkdb_GetAttributeSignature(handle, handle, id, type,
+@@ -301,15 +304,28 @@ sftkdb_DecryptAttribute(SFTKDBHandle *ha
+ 
+         signature.data = signData;
+         signature.len = sizeof(signData);
+-        rv = sftkdb_GetAttributeSignature(handle, handle, id, type,
+        rv = SECFailure;
+        /* sign sftkdb_GetAttriibuteSignature returns a crv, not an rv */
+        crv = sftkdb_GetAttributeSignature(handle, handle, id, type,
                                           &signature);
-         if (rv != SECSuccess) {
-             goto loser;
+-        if (rv != SECSuccess) {
+-            goto loser;
+        if (crv == CKR_OK) {
+            rv = sftkdb_VerifyAttribute(handle, passKey, CK_INVALID_HANDLE,
+                                        type, *plain, &signature);
         }
-         rv = sftkdb_VerifyAttribute(handle, passKey, CK_INVALID_HANDLE, type,
-                                     *plain, &signature);
+-        rv = sftkdb_VerifyAttribute(handle, passKey, CK_INVALID_HANDLE, type,
+-                                    *plain, &signature);
         if (rv != SECSuccess) {
 -            goto loser;
 +            /*  handle a bug where old versions of NSS misfiled the signature
 +             *  attribute on password update */
 +            id |= SFTK_KEYDB_TYPE|SFTK_TOKEN_TYPE;
 +            signature.len = sizeof(signData);
-+            rv = sftkdb_GetAttributeSignature(handle, handle, id, type,
+            crv = sftkdb_GetAttributeSignature(handle, handle, id, type,
 +                                              &signature);
-+            if (rv != SECSuccess) {
+            if (crv != CKR_OK) {
+                rv = SECFailure;
+                PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
 +                goto loser;
 +            }
 +            rv = sftkdb_VerifyAttribute(handle, passKey, CK_INVALID_HANDLE,
@ -46,17 +50,7 @@ diff --git a/lib/softoken/sftkpwd.c b/lib/softoken/sftkpwd.c
         }
     }
 
- loser:
-     if (cipherValue.param) {
-         nsspkcs5_DestroyPBEParameter(cipherValue.param);
-     }
-     if (cipherValue.arena) {
-@@ -1186,16 +1198,17 @@ sftk_updateEncrypted(PLArenaPool *arena,
-     };
-     const CK_ULONG privAttrCount = sizeof(privAttrTypes) / sizeof(privAttrTypes[0]);
- 
-     // We don't know what attributes this object has, so we update them one at a
-     // time.
+@@ -1198,6 +1214,7 @@ sftk_updateEncrypted(PLArenaPool *arena,
     unsigned int i;
     for (i = 0; i < privAttrCount; i++) {
         // Read the old attribute in the clear.
@ -64,17 +58,7 @@ diff --git a/lib/softoken/sftkpwd.c b/lib/softoken/sftkpwd.c
         CK_ATTRIBUTE privAttr = { privAttrTypes[i], NULL, 0 };
         CK_RV crv = sftkdb_GetAttributeValue(keydb, id, &privAttr, 1);
         if (crv != CKR_OK) {
-             continue;
-         }
-         if ((privAttr.ulValueLen == -1) || (privAttr.ulValueLen == 0)) {
-             continue;
-         }
-@@ -1210,30 +1223,29 @@ sftk_updateEncrypted(PLArenaPool *arena,
-         if ((privAttr.ulValueLen == -1) || (privAttr.ulValueLen == 0)) {
-             return CKR_GENERAL_ERROR;
-         }
-         SECItem plainText;
-         SECItem *result;
+@@ -1222,7 +1239,7 @@ sftk_updateEncrypted(PLArenaPool *arena,
         plainText.data = privAttr.pValue;
         plainText.len = privAttr.ulValueLen;
         if (sftkdb_EncryptAttribute(arena, keydb, keydb->db, newKey,
@ -83,9 +67,7 @@ diff --git a/lib/softoken/sftkpwd.c b/lib/softoken/sftkpwd.c
                                     &plainText, &result) != SECSuccess) {
             return CKR_GENERAL_ERROR;
         }
-         privAttr.pValue = result->data;
-         privAttr.ulValueLen = result->len;
-         // Clear sensitive data.
+@@ -1232,10 +1249,9 @@ sftk_updateEncrypted(PLArenaPool *arena,
         PORT_Memset(plainText.data, 0, plainText.len);
 
         // Write the newly encrypted attributes out directly.
@ -97,8 +79,3 @@ diff --git a/lib/softoken/sftkpwd.c b/lib/softoken/sftkpwd.c
         keydb->newKey = NULL;
         if (crv != CKR_OK) {
             return crv;
-         }
-     }
- 
-     return CKR_OK;
- }
--- a/nss.spec
+++ b/nss.spec
@ -56,7 +56,7 @@ rpm.define(string.format("nss_release_tag NSS_%s_RTM",
 Summary:          Network Security Services
 Name:             nss
 Version:          %{nss_version}
-Release:          4%{?dist}
+Release:          5%{?dist}
 License:          MPLv2.0
 URL:              http://www.mozilla.org/projects/security/pki/nss/
 Requires:         nspr >= %{nspr_version}
@ -139,7 +139,7 @@ Patch33:          nss-no-dbm-man-page.patch
 # Need upstream bug
 Patch50:         nss-3.44-kbkdf-coverity.patch
 # no upsteam bug yet
-Patch51:         nss-3.53-fix-private_key_mac.patch
+Patch51:         nss-3.67-fix-private-key-mac.patch
 # no upstream bug yet
 Patch52:         nss-3.53.1-measure-fix.patch
 # no upstream bug yet
@ -330,6 +330,7 @@ find nss/lib/libpkix -perm /u+x -type f -exec chmod -x {} \;
 # TODO: This phase can be done by the NSS build process if we switch
 # to using "make nss_build_all".  For now, however, we need some
 # adjustment in the NSS build process.
+export LDFLAGS=$RPM_LD_FLAGS
 mkdir -p nspr_build
 pushd nspr_build
 ../nspr/configure \
@ -402,9 +403,7 @@ export XCFLAGS="$XCFLAGS -Wno-error=maybe-uninitialized"
 # Similarly, but for gcc-11
 export XCFLAGS="$XCFLAGS -Wno-array-parameter"

-export LDFLAGS=$RPM_LD_FLAGS
-
-export DSO_LDOPTS=$RPM_LD_FLAGS
+export DSO_LDFLAGS=$RPM_LD_FLAGS

 export PKG_CONFIG_ALLOW_SYSTEM_LIBS=1
 export PKG_CONFIG_ALLOW_SYSTEM_CFLAGS=1
@ -1072,6 +1071,11 @@ update-crypto-policies &> /dev/null || :


 %changelog
+* Thu Jul 1 2021 Bob Relyea <rrelyea@redhat.com> - 3.67.0-5
+- fix error when trying to read keys from updated databases when updated
+  from unpatched versions of NSS (like on fedora or upstream).
+- fix spelling of LD_OPTFLAGS which prevents relro from working.
+
 * Fri Jun 18 2021 Bob Relyea <rrelyea@redhat.com> - 3.67.0-4
 - update nspr man page files to only pick up nspr man pages