Resolves: rhbz#1978038

Allow NSS to use databases which have been updated from dbm to sql
on an unpacked version of nss. (prevented pesign from working).

nss-3.67-fix-private-key-mac.patch

@@ -1,12 +1,7 @@
-diff --git a/lib/softoken/sftkpwd.c b/lib/softoken/sftkpwd.c
+diff -up ./lib/softoken/sftkpwd.c.orig ./lib/softoken/sftkpwd.c
---- a/lib/softoken/sftkpwd.c
+--- ./lib/softoken/sftkpwd.c.orig	2021-06-10 05:33:12.000000000 -0700
-+++ b/lib/softoken/sftkpwd.c
++++ ./lib/softoken/sftkpwd.c	2021-07-01 14:04:34.068596942 -0700
-@@ -277,17 +277,19 @@ sftkdb_DecryptAttribute(SFTKDBHandle *ha
+@@ -287,9 +287,12 @@ sftkdb_DecryptAttribute(SFTKDBHandle *ha
-     *plain = nsspkcs5_CipherData(cipherValue.param, passKey, &cipherValue.value,
-                                  PR_FALSE, NULL);
-     if (*plain == NULL) {
-         rv = SECFailure;
-         goto loser;
      }
  
      /* If we are using aes 256, we need to check authentication as well.*/
@@ -16,29 +11,38 @@ diff --git a/lib/softoken/sftkpwd.c b/lib/softoken/sftkpwd.c
 +        (cipherValue.param->encAlg == SEC_OID_AES_256_CBC)) {
          SECItem signature;
          unsigned char signData[SDB_MAX_META_DATA_LEN];
++        CK_RV crv;
  
          /* if we get here from the old legacy db, there is clearly an
           * error, don't return the plaintext */
-         if (handle == NULL) {
+@@ -301,15 +304,28 @@ sftkdb_DecryptAttribute(SFTKDBHandle *ha
-             rv = SECFailure;
+ 
-             PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+         signature.data = signData;
-@@ -299,17 +301,27 @@ sftkdb_DecryptAttribute(SFTKDBHandle *ha
+         signature.len = sizeof(signData);
-         rv = sftkdb_GetAttributeSignature(handle, handle, id, type,
+-        rv = sftkdb_GetAttributeSignature(handle, handle, id, type,
++        rv = SECFailure;
++        /* sign sftkdb_GetAttriibuteSignature returns a crv, not an rv */
++        crv = sftkdb_GetAttributeSignature(handle, handle, id, type,
                                            &signature);
-         if (rv != SECSuccess) {
+-        if (rv != SECSuccess) {
-             goto loser;
+-            goto loser;
++        if (crv == CKR_OK) {
++            rv = sftkdb_VerifyAttribute(handle, passKey, CK_INVALID_HANDLE,
++                                        type, *plain, &signature);
          }
-         rv = sftkdb_VerifyAttribute(handle, passKey, CK_INVALID_HANDLE, type,
+-        rv = sftkdb_VerifyAttribute(handle, passKey, CK_INVALID_HANDLE, type,
-                                     *plain, &signature);
+-                                    *plain, &signature);
          if (rv != SECSuccess) {
 -            goto loser;
 +            /*  handle a bug where old versions of NSS misfiled the signature
 +             *  attribute on password update */
 +            id |= SFTK_KEYDB_TYPE|SFTK_TOKEN_TYPE;
 +            signature.len = sizeof(signData);
-+            rv = sftkdb_GetAttributeSignature(handle, handle, id, type,
++            crv = sftkdb_GetAttributeSignature(handle, handle, id, type,
 +                                              &signature);
-+            if (rv != SECSuccess) {
++            if (crv != CKR_OK) {
++                rv = SECFailure;
++                PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
 +                goto loser;
 +            }
 +            rv = sftkdb_VerifyAttribute(handle, passKey, CK_INVALID_HANDLE,
@@ -46,17 +50,7 @@ diff --git a/lib/softoken/sftkpwd.c b/lib/softoken/sftkpwd.c
          }
      }
  
- loser:
+@@ -1198,6 +1214,7 @@ sftk_updateEncrypted(PLArenaPool *arena,
-     if (cipherValue.param) {
-         nsspkcs5_DestroyPBEParameter(cipherValue.param);
-     }
-     if (cipherValue.arena) {
-@@ -1186,16 +1198,17 @@ sftk_updateEncrypted(PLArenaPool *arena,
-     };
-     const CK_ULONG privAttrCount = sizeof(privAttrTypes) / sizeof(privAttrTypes[0]);
- 
-     // We don't know what attributes this object has, so we update them one at a
-     // time.
      unsigned int i;
      for (i = 0; i < privAttrCount; i++) {
          // Read the old attribute in the clear.
@@ -64,17 +58,7 @@ diff --git a/lib/softoken/sftkpwd.c b/lib/softoken/sftkpwd.c
          CK_ATTRIBUTE privAttr = { privAttrTypes[i], NULL, 0 };
          CK_RV crv = sftkdb_GetAttributeValue(keydb, id, &privAttr, 1);
          if (crv != CKR_OK) {
-             continue;
+@@ -1222,7 +1239,7 @@ sftk_updateEncrypted(PLArenaPool *arena,
-         }
-         if ((privAttr.ulValueLen == -1) || (privAttr.ulValueLen == 0)) {
-             continue;
-         }
-@@ -1210,30 +1223,29 @@ sftk_updateEncrypted(PLArenaPool *arena,
-         if ((privAttr.ulValueLen == -1) || (privAttr.ulValueLen == 0)) {
-             return CKR_GENERAL_ERROR;
-         }
-         SECItem plainText;
-         SECItem *result;
          plainText.data = privAttr.pValue;
          plainText.len = privAttr.ulValueLen;
          if (sftkdb_EncryptAttribute(arena, keydb, keydb->db, newKey,
@@ -83,9 +67,7 @@ diff --git a/lib/softoken/sftkpwd.c b/lib/softoken/sftkpwd.c
                                      &plainText, &result) != SECSuccess) {
              return CKR_GENERAL_ERROR;
          }
-         privAttr.pValue = result->data;
+@@ -1232,10 +1249,9 @@ sftk_updateEncrypted(PLArenaPool *arena,
-         privAttr.ulValueLen = result->len;
-         // Clear sensitive data.
          PORT_Memset(plainText.data, 0, plainText.len);
  
          // Write the newly encrypted attributes out directly.
@@ -97,8 +79,3 @@ diff --git a/lib/softoken/sftkpwd.c b/lib/softoken/sftkpwd.c
          keydb->newKey = NULL;
          if (crv != CKR_OK) {
              return crv;
-         }
-     }
- 
-     return CKR_OK;
- }

nss.spec

@@ -56,7 +56,7 @@ rpm.define(string.format("nss_release_tag NSS_%s_RTM",
 Summary:          Network Security Services
 Name:             nss
 Version:          %{nss_version}
-Release:          4%{?dist}
+Release:          5%{?dist}
 License:          MPLv2.0
 URL:              http://www.mozilla.org/projects/security/pki/nss/
 Requires:         nspr >= %{nspr_version}
@@ -139,7 +139,7 @@ Patch33:          nss-no-dbm-man-page.patch
 # Need upstream bug
 Patch50:         nss-3.44-kbkdf-coverity.patch
 # no upsteam bug yet
-Patch51:         nss-3.53-fix-private_key_mac.patch
+Patch51:         nss-3.67-fix-private-key-mac.patch
 # no upstream bug yet
 Patch52:         nss-3.53.1-measure-fix.patch
 # no upstream bug yet
@@ -330,6 +330,7 @@ find nss/lib/libpkix -perm /u+x -type f -exec chmod -x {} \;
 # TODO: This phase can be done by the NSS build process if we switch
 # to using "make nss_build_all".  For now, however, we need some
 # adjustment in the NSS build process.
+export LDFLAGS=$RPM_LD_FLAGS
 mkdir -p nspr_build
 pushd nspr_build
 ../nspr/configure \
@@ -402,9 +403,7 @@ export XCFLAGS="$XCFLAGS -Wno-error=maybe-uninitialized"
 # Similarly, but for gcc-11
 export XCFLAGS="$XCFLAGS -Wno-array-parameter"
 
-export LDFLAGS=$RPM_LD_FLAGS
+export DSO_LDFLAGS=$RPM_LD_FLAGS
-
-export DSO_LDOPTS=$RPM_LD_FLAGS
 
 export PKG_CONFIG_ALLOW_SYSTEM_LIBS=1
 export PKG_CONFIG_ALLOW_SYSTEM_CFLAGS=1
@@ -1072,6 +1071,11 @@ update-crypto-policies &> /dev/null || :
 
 
 %changelog
+* Thu Jul 1 2021 Bob Relyea <rrelyea@redhat.com> - 3.67.0-5
+- fix error when trying to read keys from updated databases when updated
+  from unpatched versions of NSS (like on fedora or upstream).
+- fix spelling of LD_OPTFLAGS which prevents relro from working.
+
 * Fri Jun 18 2021 Bob Relyea <rrelyea@redhat.com> - 3.67.0-4
 - update nspr man page files to only pick up nspr man pages