- Work around btrfs/sqlite bug

- Disable new policy entries until crypto-polices has been updated
2020-12-12 10:10:46 -08:00 · 2020-12-12 10:10:46 -08:00 · 4ecb833a82
parent 8f25129254
commit 4ecb833a82
3 changed files with 66 additions and 1 deletions
--- a/nss-3.53.1-revert_rhel8_unsafe_policy_change.patch
+++ b/nss-3.53.1-revert_rhel8_unsafe_policy_change.patch
@ -0,0 +1,39 @@
+diff -up ./lib/pk11wrap/pk11pars.c.policy_revert ./lib/pk11wrap/pk11pars.c
+--- ./lib/pk11wrap/pk11pars.c.policy_revert	2020-11-04 10:26:59.085300799 -0800
+++ ./lib/pk11wrap/pk11pars.c	2020-11-04 10:29:52.774239468 -0800
+@@ -391,12 +391,6 @@ static const oidValDef signOptList[] = {
+     /* Signatures */
+     { CIPHER_NAME("DSA"), SEC_OID_ANSIX9_DSA_SIGNATURE,
+       NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_SIGNATURE },
+-    { CIPHER_NAME("RSA-PKCS"), SEC_OID_PKCS1_RSA_ENCRYPTION,
+-      NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_SIGNATURE },
+-    { CIPHER_NAME("RSA-PSS"), SEC_OID_PKCS1_RSA_PSS_SIGNATURE,
+-      NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_SIGNATURE },
+-    { CIPHER_NAME("ECDSA"), SEC_OID_ANSIX962_EC_PUBLIC_KEY,
+-      NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_SIGNATURE },
+ };
+ 
+ typedef struct {
+@@ -412,7 +406,7 @@ static const algListsDef algOptLists[] =
+     { macOptList, PR_ARRAY_SIZE(macOptList), "MAC", PR_FALSE },
+     { cipherOptList, PR_ARRAY_SIZE(cipherOptList), "CIPHER", PR_FALSE },
+     { kxOptList, PR_ARRAY_SIZE(kxOptList), "OTHER-KX", PR_FALSE },
+-    { signOptList, PR_ARRAY_SIZE(signOptList), "OTHER-SIGN", PR_FALSE },
+    { signOptList, PR_ARRAY_SIZE(signOptList), "OTHER-SIGN", PR_TRUE },
+ };
+ 
+ static const optionFreeDef sslOptList[] = {
+diff -up ./tests/ssl/sslpolicy.txt.policy_revert ./tests/ssl/sslpolicy.txt
+--- ./tests/ssl/sslpolicy.txt.policy_revert	2020-11-04 10:31:20.837715397 -0800
+++ ./tests/ssl/sslpolicy.txt	2020-11-04 10:33:19.598357223 -0800
+@@ -193,7 +193,9 @@
+   1 noECC  SSL3   d    disallow=all_allow=hmac-sha1:sha256:rsa-pkcs:rsa:des-ede3-cbc:tls-version-min=tls1.0:tls-version-max=tls1.2 Disallow Version Implicitly Narrow
+   1 noECC  SSL3   d    disallow=all_allow=md2/all:md4/all:md5/all:sha1/all:sha256/all:sha384/all:sha512/all:rsa-pkcs/all:rsa-pss/all:ecdsa/all:dsa/all:hmac-sha1/all:hmac-sha224/all:hmac-sha256/all:hmac-sha384/all:hmac-sha512/all:hmac-md5/all:camellia128-cbc/all:camellia192-cbc/all:camellia256-cbc/all:seed-cbc/all:des-ede3-cbc/all:des-40-cbc/all:des-cbc/all:null-cipher/all:rc2/all:rc4/all:idea/all:rsa/all:rsa-export/all:dhe-rsa/all:dhe-dss/all:ecdhe-ecdsa/all:ecdhe-rsa/all:ecdh-ecdsa/all:ecdh-rsa/all:tls-version-min=tls1.0:tls-version-max=tls1.2 Disallow Version Implicitly
+   0 noECC  SSL3   d    disallow=dsa Disallow DSA Signatures Explicitly
+-  1 noECC  SSL3   d    disallow=rsa-pkcs Disallow RSA PKCS 1 Signatures Explicitly
+# rsa-pkcs, rsa-pss, and ecdsa policy checking reverted in rhel8 for binary
+# compatibility reasons
+#  1 noECC  SSL3   d    disallow=rsa-pkcs Disallow RSA PKCS 1 Signatures Explicitly
+ # test default settings
+ # NOTE: tstclient will attempt to overide the defaults, so we detect we
+ # were successful by locking in our settings
--- a/nss-fedora-btrf-sql-hack.patch
+++ b/nss-fedora-btrf-sql-hack.patch
@ -0,0 +1,18 @@
+diff -up ./lib/softoken/sdb.c.orig ./lib/softoken/sdb.c
+--- ./lib/softoken/sdb.c.orig   2020-12-11 22:49:26.961726193 -0500
+++ ./lib/softoken/sdb.c        2020-12-11 23:01:30.739122494 -0500
+@@ -690,8 +690,14 @@ sdb_openDB(const char *name, sqlite3 **s
+         openFlags = SQLITE_OPEN_READONLY;
+     } else {
+         openFlags = SQLITE_OPEN_READWRITE | SQLITE_OPEN_CREATE;
+        /* btrfs and sqlite seem to incorrectly open readwrite.
+        * when the file is readonly explicitly reject that issue here */
+        if ((_NSSUTIL_Access(name, PR_ACCESS_EXISTS) == PR_SUCCESS)  && (_NSSUTIL_Access(name, PR_ACCESS_WRITE_OK) != PR_SUCCESS)) {
+            return SQLITE_READONLY;
+        }
+     }
+
+
+     /* Requires SQLite 3.5.0 or newer. */
+     sqlerr = sqlite3_open_v2(name, sqlDB, openFlags, NULL);
+     if (sqlerr != SQLITE_OK) {
--- a/nss.spec
+++ b/nss.spec
@ -53,7 +53,7 @@ rpm.define(string.format("nss_release_tag NSS_%s_RTM",
 Summary:          Network Security Services
 Name:             nss
 Version:          %{nss_version}
-Release:          1%{?dist}
+Release:          2%{?dist}
 License:          MPLv2.0
 URL:              http://www.mozilla.org/projects/security/pki/nss/
 Requires:         nspr >= %{nspr_version}
@ -122,6 +122,10 @@ Patch12:          nss-signtool-format.patch
 Patch20:          nss-gcm-param-default-pkcs11v2.patch
 %endif
 %endif
+# can drop this patch when the underlying btrfs/sqlite issue is solved
+Patch30:          nss-fedora-btrf-sql-hack.patch
+# can drop this patch once crypto-policies has been updated
+Patch31:          nss-3.53.1-revert_rhel8_unsafe_policy_change.patch

 Patch100:         nspr-config-pc.patch
 Patch101:         nspr-gcc-atomics.patch
@ -1043,6 +1047,10 @@ update-crypto-policies &> /dev/null || :


 %changelog
+* Fri Dec 11 2020 Bob Relyea <rrelyea@redhat.com> - 3.59.0-2
+- Work around btrfs/sqlite bug
+- Disable new policy entries until crypto-polices has been updated
+
 * Thu Dec 10 2020 Daiki Ueno <dueno@redhat.com> - 3.59.0-1
 - Update to NSS 3.59
 - Remove unused quilt BR