From 8e1aafaab129c39f7e3e46c95bec3721a5e8a293 Mon Sep 17 00:00:00 2001 From: Bob Relyea Date: Thu, 1 Jul 2021 15:12:42 -0700 Subject: [PATCH] Resolves: rhbz#1978038 Allow NSS to use databases which have been updated from dbm to sql on an unpacked version of nss. (prevented pesign from working). --- ...atch => nss-3.67-fix-private-key-mac.patch | 77 +++++++------------ nss.spec | 14 ++-- 2 files changed, 36 insertions(+), 55 deletions(-) rename nss-3.53-fix-private_key_mac.patch => nss-3.67-fix-private-key-mac.patch (56%) diff --git a/nss-3.53-fix-private_key_mac.patch b/nss-3.67-fix-private-key-mac.patch similarity index 56% rename from nss-3.53-fix-private_key_mac.patch rename to nss-3.67-fix-private-key-mac.patch index 60df7d5..d211940 100644 --- a/nss-3.53-fix-private_key_mac.patch +++ b/nss-3.67-fix-private-key-mac.patch @@ -1,12 +1,7 @@ -diff --git a/lib/softoken/sftkpwd.c b/lib/softoken/sftkpwd.c ---- a/lib/softoken/sftkpwd.c -+++ b/lib/softoken/sftkpwd.c -@@ -277,17 +277,19 @@ sftkdb_DecryptAttribute(SFTKDBHandle *ha - *plain = nsspkcs5_CipherData(cipherValue.param, passKey, &cipherValue.value, - PR_FALSE, NULL); - if (*plain == NULL) { - rv = SECFailure; - goto loser; +diff -up ./lib/softoken/sftkpwd.c.orig ./lib/softoken/sftkpwd.c +--- ./lib/softoken/sftkpwd.c.orig 2021-06-10 05:33:12.000000000 -0700 ++++ ./lib/softoken/sftkpwd.c 2021-07-01 14:04:34.068596942 -0700 +@@ -287,9 +287,12 @@ sftkdb_DecryptAttribute(SFTKDBHandle *ha } /* If we are using aes 256, we need to check authentication as well.*/ @@ -16,29 +11,38 @@ 
diff --git a/lib/softoken/sftkpwd.c b/lib/softoken/sftkpwd.c + (cipherValue.param->encAlg == SEC_OID_AES_256_CBC)) { SECItem signature; unsigned char signData[SDB_MAX_META_DATA_LEN]; ++ CK_RV crv; /* if we get here from the old legacy db, there is clearly an * error, don't return the plaintext */ - if (handle == NULL) { - rv = SECFailure; - PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); -@@ -299,17 +301,27 @@ sftkdb_DecryptAttribute(SFTKDBHandle *ha - rv = sftkdb_GetAttributeSignature(handle, handle, id, type, +@@ -301,15 +304,28 @@ sftkdb_DecryptAttribute(SFTKDBHandle *ha + + signature.data = signData; + signature.len = sizeof(signData); +- rv = sftkdb_GetAttributeSignature(handle, handle, id, type, ++ rv = SECFailure; ++ /* sign sftkdb_GetAttriibuteSignature returns a crv, not an rv */ ++ crv = sftkdb_GetAttributeSignature(handle, handle, id, type, &signature); - if (rv != SECSuccess) { - goto loser; +- if (rv != SECSuccess) { +- goto loser; ++ if (crv == CKR_OK) { ++ rv = sftkdb_VerifyAttribute(handle, passKey, CK_INVALID_HANDLE, ++ type, *plain, &signature); } - rv = sftkdb_VerifyAttribute(handle, passKey, CK_INVALID_HANDLE, type, - *plain, &signature); +- rv = sftkdb_VerifyAttribute(handle, passKey, CK_INVALID_HANDLE, type, +- *plain, &signature); if (rv != SECSuccess) { - goto loser; + /* handle a bug where old versions of NSS misfiled the signature + * attribute on password update */ + id |= SFTK_KEYDB_TYPE|SFTK_TOKEN_TYPE; + signature.len = sizeof(signData); -+ rv = sftkdb_GetAttributeSignature(handle, handle, id, type, ++ crv = sftkdb_GetAttributeSignature(handle, handle, id, type, + &signature); -+ if (rv != SECSuccess) { ++ if (crv != CKR_OK) { ++ rv = SECFailure; ++ PORT_SetError(SEC_ERROR_BAD_SIGNATURE); + goto loser; + } + rv = sftkdb_VerifyAttribute(handle, passKey, CK_INVALID_HANDLE, @@ -46,17 +50,7 @@ 
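Review bot: When both signature lookups fail verification, the new fallback path falls through to `loser` with `rv` set to failure and `*plain` still holding the decrypted attribute, and the cleanup that would discard it is not visible in this hunk. Because the MAC is checked only after decryption, please confirm that `loser` zeroes and frees the item on failure, e.g. `if (*plain && rv != SECSuccess) { SECITEM_ZfreeItem(*plain, PR_TRUE); *plain = NULL; }`, so unauthenticated key material never reaches the caller. The added comment has typos; I would write `/* sftkdb_GetAttributeSignature returns a CK_RV, not a SECStatus */` and add a note beside `rv = SECFailure;` that the preset makes a failed lookup take the misfiled-signature fallback. The body of sftkdb_DecryptAttribute starts and ends outside the hunk.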
diff --git a/lib/softoken/sftkpwd.c b/lib/softoken/sftkpwd.c } } - loser: - if (cipherValue.param) { - nsspkcs5_DestroyPBEParameter(cipherValue.param); - } - if (cipherValue.arena) { -@@ -1186,16 +1198,17 @@ sftk_updateEncrypted(PLArenaPool *arena, - }; - const CK_ULONG privAttrCount = sizeof(privAttrTypes) / sizeof(privAttrTypes[0]); - - // We don't know what attributes this object has, so we update them one at a - // time. +@@ -1198,6 +1214,7 @@ sftk_updateEncrypted(PLArenaPool *arena, unsigned int i; for (i = 0; i < privAttrCount; i++) { // Read the old attribute in the clear. @@ -64,17 +58,7 @@ diff --git a/lib/softoken/sftkpwd.c b/lib/softoken/sftkpwd.c CK_ATTRIBUTE privAttr = { privAttrTypes[i], NULL, 0 }; CK_RV crv = sftkdb_GetAttributeValue(keydb, id, &privAttr, 1); if (crv != CKR_OK) { - continue; - } - if ((privAttr.ulValueLen == -1) || (privAttr.ulValueLen == 0)) { - continue; - } -@@ -1210,30 +1223,29 @@ sftk_updateEncrypted(PLArenaPool *arena, - if ((privAttr.ulValueLen == -1) || (privAttr.ulValueLen == 0)) { - return CKR_GENERAL_ERROR; - } - SECItem plainText; - SECItem *result; +@@ -1222,7 +1239,7 @@ sftk_updateEncrypted(PLArenaPool *arena, plainText.data = privAttr.pValue; plainText.len = privAttr.ulValueLen; if (sftkdb_EncryptAttribute(arena, keydb, keydb->db, newKey, @@ -83,9 +67,7 @@ diff --git a/lib/softoken/sftkpwd.c b/lib/softoken/sftkpwd.c &plainText, &result) != SECSuccess) { return CKR_GENERAL_ERROR; } - privAttr.pValue = result->data; - privAttr.ulValueLen = result->len; - // Clear sensitive data. +@@ -1232,10 +1249,9 @@ sftk_updateEncrypted(PLArenaPool *arena, PORT_Memset(plainText.data, 0, plainText.len); // Write the newly encrypted attributes out directly. @@ -97,8 +79,3 @@ diff --git a/lib/softoken/sftkpwd.c b/lib/softoken/sftkpwd.c keydb->newKey = NULL; if (crv != CKR_OK) { return crv; - } - } - - return CKR_OK; - } diff --git a/nss.spec b/nss.spec index e1f5134..b4fc55d 100644 --- a/nss.spec +++ b/nss.spec 
@@ -56,7 +56,7 @@ rpm.define(string.format("nss_release_tag NSS_%s_RTM", Summary: Network Security Services Name: nss Version: %{nss_version} -Release: 4%{?dist} +Release: 5%{?dist} License: MPLv2.0 URL: http://www.mozilla.org/projects/security/pki/nss/ Requires: nspr >= %{nspr_version} @@ -139,7 +139,7 @@ Patch33: nss-no-dbm-man-page.patch # Need upstream bug Patch50: nss-3.44-kbkdf-coverity.patch # no upsteam bug yet -Patch51: nss-3.53-fix-private_key_mac.patch +Patch51: nss-3.67-fix-private-key-mac.patch # no upstream bug yet Patch52: nss-3.53.1-measure-fix.patch # no upstream bug yet @@ -330,6 +330,7 @@ find nss/lib/libpkix -perm /u+x -type f -exec chmod -x {} \; # TODO: This phase can be done by the NSS build process if we switch # to using "make nss_build_all". For now, however, we need some # adjustment in the NSS build process. +export LDFLAGS=$RPM_LD_FLAGS mkdir -p nspr_build pushd nspr_build ../nspr/configure \ @@ -402,9 +403,7 @@ export XCFLAGS="$XCFLAGS -Wno-error=maybe-uninitialized" # Similarly, but for gcc-11 export XCFLAGS="$XCFLAGS -Wno-array-parameter" -export LDFLAGS=$RPM_LD_FLAGS - -export DSO_LDOPTS=$RPM_LD_FLAGS +export DSO_LDFLAGS=$RPM_LD_FLAGS export PKG_CONFIG_ALLOW_SYSTEM_LIBS=1 export PKG_CONFIG_ALLOW_SYSTEM_CFLAGS=1 @@ -1072,6 +1071,11 @@ update-crypto-policies &> /dev/null || : %changelog +* Thu Jul 1 2021 Bob Relyea - 3.67.0-5 +- fix error when trying to read keys from updated databases when updated + from unpatched versions of NSS (like on fedora or upstream). +- fix spelling of LD_OPTFLAGS which prevents relro from working. + * Fri Jun 18 2021 Bob Relyea - 3.67.0-4 - update nspr man page files to only pick up nspr man pages
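Review bot: Nothing in the visible spec checks that the renamed `DSO_LDFLAGS` export (hunk at new line 403) and the earlier `export LDFLAGS=$RPM_LD_FLAGS` (hunk at new line 330) actually reach the link step, and per the changelog the previous spelling silently lost relro for the same reason. These hunks do not show which variable the NSS and NSPR makefiles read, so it is worth confirming that `DSO_LDFLAGS` is consumed. A `%check` step that fails the build when a shipped shared object lacks the hardening would catch a regression, for example `readelf -lW "$lib" | grep -q GNU_RELRO` per library. Quoting the value, `export LDFLAGS="$RPM_LD_FLAGS"`, would also keep the multi-word flag string intact under a shell that splits unquoted export arguments.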