- Work around btrfs/sqlite bug

- Disable new policy entries until crypto-polices has been updated
2020-12-12 10:10:46 -08:00 · 2020-12-12 10:10:46 -08:00 · 4ecb833a82
commit 4ecb833a82
parent 8f25129254
3 changed files with 66 additions and 1 deletions
--- a/nss-3.53.1-revert_rhel8_unsafe_policy_change.patch
+++ b/nss-3.53.1-revert_rhel8_unsafe_policy_change.patch
@ -0,0 +1,39 @@
 diff -up ./lib/pk11wrap/pk11pars.c.policy_revert ./lib/pk11wrap/pk11pars.c
 --- ./lib/pk11wrap/pk11pars.c.policy_revert	2020-11-04 10:26:59.085300799 -0800
 +++ ./lib/pk11wrap/pk11pars.c	2020-11-04 10:29:52.774239468 -0800
@@ -391,12 +391,6 @@ static const oidValDef signOptList[] = {
     /* Signatures */
     { CIPHER_NAME("DSA"), SEC_OID_ANSIX9_DSA_SIGNATURE,
       NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_SIGNATURE },
 -    { CIPHER_NAME("RSA-PKCS"), SEC_OID_PKCS1_RSA_ENCRYPTION,
 -      NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_SIGNATURE },
 -    { CIPHER_NAME("RSA-PSS"), SEC_OID_PKCS1_RSA_PSS_SIGNATURE,
 -      NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_SIGNATURE },
 -    { CIPHER_NAME("ECDSA"), SEC_OID_ANSIX962_EC_PUBLIC_KEY,
 -      NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_SIGNATURE },
 };
 typedef struct {
@@ -412,7 +406,7 @@ static const algListsDef algOptLists[] =
     { macOptList, PR_ARRAY_SIZE(macOptList), "MAC", PR_FALSE },
     { cipherOptList, PR_ARRAY_SIZE(cipherOptList), "CIPHER", PR_FALSE },
     { kxOptList, PR_ARRAY_SIZE(kxOptList), "OTHER-KX", PR_FALSE },
 -    { signOptList, PR_ARRAY_SIZE(signOptList), "OTHER-SIGN", PR_FALSE },
 +    { signOptList, PR_ARRAY_SIZE(signOptList), "OTHER-SIGN", PR_TRUE },
 };
 static const optionFreeDef sslOptList[] = {
 diff -up ./tests/ssl/sslpolicy.txt.policy_revert ./tests/ssl/sslpolicy.txt
 --- ./tests/ssl/sslpolicy.txt.policy_revert	2020-11-04 10:31:20.837715397 -0800
 +++ ./tests/ssl/sslpolicy.txt	2020-11-04 10:33:19.598357223 -0800
@@ -193,7 +193,9 @@
   1 noECC  SSL3   d    disallow=all_allow=hmac-sha1:sha256:rsa-pkcs:rsa:des-ede3-cbc:tls-version-min=tls1.0:tls-version-max=tls1.2 Disallow Version Implicitly Narrow
   1 noECC  SSL3   d    disallow=all_allow=md2/all:md4/all:md5/all:sha1/all:sha256/all:sha384/all:sha512/all:rsa-pkcs/all:rsa-pss/all:ecdsa/all:dsa/all:hmac-sha1/all:hmac-sha224/all:hmac-sha256/all:hmac-sha384/all:hmac-sha512/all:hmac-md5/all:camellia128-cbc/all:camellia192-cbc/all:camellia256-cbc/all:seed-cbc/all:des-ede3-cbc/all:des-40-cbc/all:des-cbc/all:null-cipher/all:rc2/all:rc4/all:idea/all:rsa/all:rsa-export/all:dhe-rsa/all:dhe-dss/all:ecdhe-ecdsa/all:ecdhe-rsa/all:ecdh-ecdsa/all:ecdh-rsa/all:tls-version-min=tls1.0:tls-version-max=tls1.2 Disallow Version Implicitly
   0 noECC  SSL3   d    disallow=dsa Disallow DSA Signatures Explicitly
 -  1 noECC  SSL3   d    disallow=rsa-pkcs Disallow RSA PKCS 1 Signatures Explicitly
 +# rsa-pkcs, rsa-pss, and ecdsa policy checking reverted in rhel8 for binary
 +# compatibility reasons
 +#  1 noECC  SSL3   d    disallow=rsa-pkcs Disallow RSA PKCS 1 Signatures Explicitly
 # test default settings
 # NOTE: tstclient will attempt to overide the defaults, so we detect we
 # were successful by locking in our settings
--- a/nss-fedora-btrf-sql-hack.patch
+++ b/nss-fedora-btrf-sql-hack.patch
@ -0,0 +1,18 @@
 diff -up ./lib/softoken/sdb.c.orig ./lib/softoken/sdb.c
 --- ./lib/softoken/sdb.c.orig   2020-12-11 22:49:26.961726193 -0500
 +++ ./lib/softoken/sdb.c        2020-12-11 23:01:30.739122494 -0500
@@ -690,8 +690,14 @@ sdb_openDB(const char *name, sqlite3 **s
         openFlags = SQLITE_OPEN_READONLY;
     } else {
         openFlags = SQLITE_OPEN_READWRITE | SQLITE_OPEN_CREATE;
 +        /* btrfs and sqlite seem to incorrectly open readwrite.
 +        * when the file is readonly explicitly reject that issue here */
 +        if ((_NSSUTIL_Access(name, PR_ACCESS_EXISTS) == PR_SUCCESS)  && (_NSSUTIL_Access(name, PR_ACCESS_WRITE_OK) != PR_SUCCESS)) {
 +            return SQLITE_READONLY;
 +        }
     }
 +
     /* Requires SQLite 3.5.0 or newer. */
     sqlerr = sqlite3_open_v2(name, sqlDB, openFlags, NULL);
     if (sqlerr != SQLITE_OK) {
--- a/nss.spec
+++ b/nss.spec
@ -53,7 +53,7 @@ rpm.define(string.format("nss_release_tag NSS_%s_RTM",
 Summary:          Network Security Services
 Name:             nss
 Version:          %{nss_version}
-Release:          1%{?dist}
+Release:          2%{?dist}
 License:          MPLv2.0
 URL:              http://www.mozilla.org/projects/security/pki/nss/
 Requires:         nspr >= %{nspr_version}
@ -122,6 +122,10 @@ Patch12:          nss-signtool-format.patch
 Patch20:          nss-gcm-param-default-pkcs11v2.patch
 %endif
 %endif
 # can drop this patch when the underlying btrfs/sqlite issue is solved
 Patch30:          nss-fedora-btrf-sql-hack.patch
 # can drop this patch once crypto-policies has been updated
 Patch31:          nss-3.53.1-revert_rhel8_unsafe_policy_change.patch
 Patch100:         nspr-config-pc.patch
 Patch101:         nspr-gcc-atomics.patch
@ -1043,6 +1047,10 @@ update-crypto-policies &> /dev/null || :
 %changelog
 * Fri Dec 11 2020 Bob Relyea <rrelyea@redhat.com> - 3.59.0-2
 - Work around btrfs/sqlite bug
 - Disable new policy entries until crypto-polices has been updated
 * Thu Dec 10 2020 Daiki Ueno <dueno@redhat.com> - 3.59.0-1
 - Update to NSS 3.59
 - Remove unused quilt BR