From 4ecb833a82b0039b0eebfcb5dc921e516f47ac2b Mon Sep 17 00:00:00 2001
From: Bob Relyea
Date: Sat, 12 Dec 2020 10:10:46 -0800
Subject: [PATCH] - Work around btrfs/sqlite bug - Disable new policy entries until crypto-polices has been updated
---
 ....1-revert_rhel8_unsafe_policy_change.patch | 39 +++++++++++++++++++
 nss-fedora-btrf-sql-hack.patch | 18 +++++++++
 nss.spec | 10 ++++-
 3 files changed, 66 insertions(+), 1 deletion(-)
 create mode 100644 nss-3.53.1-revert_rhel8_unsafe_policy_change.patch
 create mode 100644 nss-fedora-btrf-sql-hack.patch
diff --git a/nss-3.53.1-revert_rhel8_unsafe_policy_change.patch b/nss-3.53.1-revert_rhel8_unsafe_policy_change.patch
new file mode 100644
index 0000000..9e39df7
--- /dev/null
+++ b/nss-3.53.1-revert_rhel8_unsafe_policy_change.patch
@@ -0,0 +1,39 @@
+diff -up ./lib/pk11wrap/pk11pars.c.policy_revert ./lib/pk11wrap/pk11pars.c
+--- ./lib/pk11wrap/pk11pars.c.policy_revert 2020-11-04 10:26:59.085300799 -0800
++++ ./lib/pk11wrap/pk11pars.c 2020-11-04 10:29:52.774239468 -0800
+@@ -391,12 +391,6 @@ static const oidValDef signOptList[] = {
+ /* Signatures */
+ { CIPHER_NAME("DSA"), SEC_OID_ANSIX9_DSA_SIGNATURE,
+ NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_SIGNATURE },
+- { CIPHER_NAME("RSA-PKCS"), SEC_OID_PKCS1_RSA_ENCRYPTION,
+- NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_SIGNATURE },
+- { CIPHER_NAME("RSA-PSS"), SEC_OID_PKCS1_RSA_PSS_SIGNATURE,
+- NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_SIGNATURE },
+- { CIPHER_NAME("ECDSA"), SEC_OID_ANSIX962_EC_PUBLIC_KEY,
+- NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_SIGNATURE },
+ };
+ 
+ typedef struct {
+@@ -412,7 +406,7 @@ static const algListsDef algOptLists[] =
+ { macOptList, PR_ARRAY_SIZE(macOptList), "MAC", PR_FALSE },
+ { cipherOptList, PR_ARRAY_SIZE(cipherOptList), "CIPHER", PR_FALSE },
+ { kxOptList, PR_ARRAY_SIZE(kxOptList), "OTHER-KX", PR_FALSE },
+- { signOptList, PR_ARRAY_SIZE(signOptList), "OTHER-SIGN", PR_FALSE },
++ { signOptList, PR_ARRAY_SIZE(signOptList), "OTHER-SIGN", PR_TRUE },
+ };
+ 
+ static const optionFreeDef sslOptList[] = {
+diff -up ./tests/ssl/sslpolicy.txt.policy_revert ./tests/ssl/sslpolicy.txt
+--- ./tests/ssl/sslpolicy.txt.policy_revert 2020-11-04 10:31:20.837715397 -0800
++++ ./tests/ssl/sslpolicy.txt 2020-11-04 10:33:19.598357223 -0800
+@@ -193,7 +193,9 @@
+ 1 noECC SSL3 d disallow=all_allow=hmac-sha1:sha256:rsa-pkcs:rsa:des-ede3-cbc:tls-version-min=tls1.0:tls-version-max=tls1.2 Disallow Version Implicitly Narrow
+ 1 noECC SSL3 d disallow=all_allow=md2/all:md4/all:md5/all:sha1/all:sha256/all:sha384/all:sha512/all:rsa-pkcs/all:rsa-pss/all:ecdsa/all:dsa/all:hmac-sha1/all:hmac-sha224/all:hmac-sha256/all:hmac-sha384/all:hmac-sha512/all:hmac-md5/all:camellia128-cbc/all:camellia192-cbc/all:camellia256-cbc/all:seed-cbc/all:des-ede3-cbc/all:des-40-cbc/all:des-cbc/all:null-cipher/all:rc2/all:rc4/all:idea/all:rsa/all:rsa-export/all:dhe-rsa/all:dhe-dss/all:ecdhe-ecdsa/all:ecdhe-rsa/all:ecdh-ecdsa/all:ecdh-rsa/all:tls-version-min=tls1.0:tls-version-max=tls1.2 Disallow Version Implicitly
+ 0 noECC SSL3 d disallow=dsa Disallow DSA Signatures Explicitly
+- 1 noECC SSL3 d disallow=rsa-pkcs Disallow RSA PKCS 1 Signatures Explicitly
++# rsa-pkcs, rsa-pss, and ecdsa policy checking reverted in rhel8 for binary
++# compatibility reasons
++# 1 noECC SSL3 d disallow=rsa-pkcs Disallow RSA PKCS 1 Signatures Explicitly
+ # test default settings
+ # NOTE: tstclient will attempt to overide the defaults, so we detect we
+ # were successful by locking in our settings
diff --git a/nss-fedora-btrf-sql-hack.patch b/nss-fedora-btrf-sql-hack.patch
new file mode 100644
index 0000000..db60cc2
--- /dev/null
+++ b/nss-fedora-btrf-sql-hack.patch
@@ -0,0 +1,18 @@
+diff -up ./lib/softoken/sdb.c.orig ./lib/softoken/sdb.c
+--- ./lib/softoken/sdb.c.orig 2020-12-11 22:49:26.961726193 -0500
++++ ./lib/softoken/sdb.c 2020-12-11 23:01:30.739122494 -0500
+@@ -690,8 +690,14 @@ sdb_openDB(const char *name, sqlite3 **s
+ openFlags = SQLITE_OPEN_READONLY;
+ } else {
+ openFlags = SQLITE_OPEN_READWRITE | SQLITE_OPEN_CREATE;
++ /* btrfs and sqlite seem to incorrectly open readwrite.
++ * when the file is readonly explicitly reject that issue here */
++ if ((_NSSUTIL_Access(name, PR_ACCESS_EXISTS) == PR_SUCCESS) && (_NSSUTIL_Access(name, PR_ACCESS_WRITE_OK) != PR_SUCCESS)) {
++ return SQLITE_READONLY;
++ }
+ }
+ 
++
+ /* Requires SQLite 3.5.0 or newer. */
+ sqlerr = sqlite3_open_v2(name, sqlDB, openFlags, NULL);
+ if (sqlerr != SQLITE_OK) {
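Review bot: Removing the RSA-PKCS, RSA-PSS and ECDSA rows from signOptList means `rsa-pkcs`, `rsa-pss` and `ecdsa` are no longer recognized by this table, so a crypto-policies setting that disallows them is not enforced through it, yet the only explanation of the revert lives in the sslpolicy.txt comment; a matching comment belongs in pk11pars.c where the rows are removed, e.g. `/* RSA-PKCS, RSA-PSS and ECDSA rows deliberately omitted (Fedora revert, see nss-3.53.1-revert_rhel8_unsafe_policy_change.patch); restore once crypto-policies ships matching entries. */`, so a later rebase does not carry the revert forward unnoticed. The OTHER-SIGN entry's last field flipping from PR_FALSE to PR_TRUE also deserves a one-line why-comment; presumably it is needed because DSA is now the only row and a disallow=all policy would otherwise leave the list empty, but that is an inference, not something the patch states. The patch file name says rhel8 and 3.53.1 while this is a Fedora spec at 3.59; a name alongside the sibling nss-fedora-btrf-sql-hack.patch, such as nss-fedora-revert-unsafe-policy-change.patch, would avoid confusion. Both inner hunks' enclosing tables begin outside the shown context.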
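Review bot: The new guard in sdb_openDB is check-then-use: `_NSSUTIL_Access(name, PR_ACCESS_WRITE_OK)` is an access(2)-style probe (on Unix it answers for the real uid, not the effective one) taken before sqlite3_open_v2 opens the path, so it can only be a best-effort workaround, and the comment should say so instead of describing it as rejecting the issue. I would replace the two added comment lines with one that states intent and limits: an existing file that is not writable is reported as SQLITE_READONLY so the caller can retry read-only, because btrfs otherwise lets sqlite open it read-write, and the probe is advisory and inherently racy. Whether the caller really falls back to a read-only open on SQLITE_READONLY cannot be seen here because sdb_openDB continues outside the hunk; it is worth confirming, since otherwise a database that used to open read-only would now fail outright. The condition is far longer than any neighbouring line and would read better split as `if ((_NSSUTIL_Access(name, PR_ACCESS_EXISTS) == PR_SUCCESS) &&` / `    (_NSSUTIL_Access(name, PR_ACCESS_WRITE_OK) != PR_SUCCESS)) {`, and the second added blank line after the closing brace is stray whitespace.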
diff --git a/nss.spec b/nss.spec index 53377b2..3e27158 100644 --- a/nss.spec +++ b/nss.spec @@ -53,7 +53,7 @@ rpm.define(string.format("nss_release_tag NSS_%s_RTM", Summary: Network Security Services Name: nss Version: %{nss_version} -Release: 1%{?dist} +Release: 2%{?dist} License: MPLv2.0 URL: http://www.mozilla.org/projects/security/pki/nss/ Requires: nspr >= %{nspr_version} @@ -122,6 +122,10 @@ Patch12: nss-signtool-format.patch Patch20: nss-gcm-param-default-pkcs11v2.patch %endif %endif +# can drop this patch when the underlying btrfs/sqlite issue is solved +Patch30: nss-fedora-btrf-sql-hack.patch +# can drop this patch once crypto-policies has been updated +Patch31: nss-3.53.1-revert_rhel8_unsafe_policy_change.patch Patch100: nspr-config-pc.patch Patch101: nspr-gcc-atomics.patch @@ -1043,6 +1047,10 @@ update-crypto-policies &> /dev/null || : %changelog +* Fri Dec 11 2020 Bob Relyea - 3.59.0-2 +- Work around btrfs/sqlite bug +- Disable new policy entries until crypto-polices has been updated + * Thu Dec 10 2020 Daiki Ueno - 3.59.0-1 - Update to NSS 3.59 - Remove unused quilt BR
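Review bot: The second hunk declares Patch30 and Patch31, but no hunk in this diff adds the matching `%patch30` / `%patch31` lines to %prep, and the `%endif` conditionals around Patch20 suggest this spec applies patches one by one rather than with %autosetup; unless %prep uses %autopatch, the two new patches are declared but never applied and the release would ship without the changes its changelog announces. If that is the case, add `%patch30 -b .btrfs_sql_hack` and `%patch31 -b .policy_revert` next to the existing %patch lines, outside this diff, with the same strip level the neighbouring entries use. The changelog entry and the subject also spell the package name "crypto-polices"; it is "crypto-policies". The last hunk runs past the end of what is shown here.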