Bug 1002205

Summary: PEM module trashes private keys if login fails
Product: Red Hat Enterprise Linux 6 Reporter: Elio Maldonado Batiz <emaldona>
Component: nssAssignee: Elio Maldonado Batiz <emaldona>
Status: CLOSED ERRATA QA Contact: Alicja Kario <hkario>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 6.5CC: emaldona, hkario, kdudka, kengert, ksrot, nalin, rmainz, rrelyea
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: nss-3.16.1-3.el6 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: 896651 Environment:
Last Closed: 2014-10-14 05:02:45 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 896651    
Bug Blocks: 1002204    
Attachments:
Description Flags
all changes to update pem source tar ball and get rid of old pem patches
rrelyea: review+
spec file changes in patch format rrelyea: review+

Description Elio Maldonado Batiz 2013-08-28 15:36:57 UTC 
+++ This bug was initially created as a clone of Bug #896651 +++

Description of problem:
When an encrypted private key is imported into a slot in the PEM module, the module sets the slot's needsLogin flag to signal that a password is required.

When the application attempts to log in to the token, the module attempts to decrypt the private key, but after decryption, it overwrites the encrypted key data with the decrypted data before verifying that the decrypted data isn't just the garbage that you get when you decrypt with an incorrect key.  After that, there's no way to recover the data.

It really should wait until after SEC_QuickDERDecodeItem() succeeds before modifying the contents of io->u.key.key.privateKey.

Version-Release number of selected component (if applicable):
nss-3.14.1-2.fc18

--- Additional comment from Nalin Dahyabhai on 2013-01-17 11:55:54 EST ---



--- Additional comment from Kamil Dudka on 2013-01-21 06:33:33 EST ---

> --- mozilla/security/nss/lib/ckfw/pem/psession.c
> +++ mozilla/security/nss/lib/ckfw/pem/psession.c
> @@ -230,6 +230,7 @@ pem_mdSession_Login
>      unsigned int len = 0;
>      NSSLOWKEYPrivateKey *lpk = NULL;
>      PLArenaPool *arena;
> +    SECItem plain;
>      int i;
>  
>      fwSlot = NSSCKFWToken_GetFWSlot(fwToken);
> @@ -306,23 +321,31 @@ pem_mdSession_Login
>      lpk->keyType = NSSLOWKEYRSAKey;
>      prepare_low_rsa_priv_key_for_asn1(lpk);
>  
> -    nss_ZFreeIf(io->u.key.key.privateKey->data);
> -    io->u.key.key.privateKey->len = len - output[len - 1];
> -    io->u.key.key.privateKey->data =
> -        (void *) nss_ZAlloc(NULL, io->u.key.key.privateKey->len);
> -    memcpy(io->u.key.key.privateKey->data, output, len - output[len - 1]);
> +    if (output[len - 1] > 8) {
> +        rv = CKR_GENERAL_ERROR;
> +        /* goto loser; */
> +    }

Why is the goto statement commented out?  It makes the assignment redundant.
It would also help to put there a comment saying which error case is being
handled by the condition.

--- Additional comment from Nalin Dahyabhai on 2013-01-23 11:30:49 EST ---

(In reply to comment #2)
> Comment on attachment 680373 [details]
> patch to only replace the encrypted data with decrypted data after it's
> vetted
> 
> > --- mozilla/security/nss/lib/ckfw/pem/psession.c
> > +++ mozilla/security/nss/lib/ckfw/pem/psession.c
> > @@ -230,6 +230,7 @@ pem_mdSession_Login
> >      unsigned int len = 0;
> >      NSSLOWKEYPrivateKey *lpk = NULL;
> >      PLArenaPool *arena;
> > +    SECItem plain;
> >      int i;
> >  
> >      fwSlot = NSSCKFWToken_GetFWSlot(fwToken);
> > @@ -306,23 +321,31 @@ pem_mdSession_Login
> >      lpk->keyType = NSSLOWKEYRSAKey;
> >      prepare_low_rsa_priv_key_for_asn1(lpk);
> >  
> > -    nss_ZFreeIf(io->u.key.key.privateKey->data);
> > -    io->u.key.key.privateKey->len = len - output[len - 1];
> > -    io->u.key.key.privateKey->data =
> > -        (void *) nss_ZAlloc(NULL, io->u.key.key.privateKey->len);
> > -    memcpy(io->u.key.key.privateKey->data, output, len - output[len - 1]);
> > +    if (output[len - 1] > 8) {
> > +        rv = CKR_GENERAL_ERROR;
> > +        /* goto loser; */
> > +    }
> 
> Why is the goto statement commented out?  It makes the assignment redundant.

My early assumption that the size of the padding would always be smaller than the cipher block size proved to be incorrect.  Feel free to drop that part.

--- Additional comment from Nalin Dahyabhai on 2013-02-13 13:33:47 EST ---



--- Additional comment from Fedora Update System on 2013-02-22 14:33:30 EST ---

nss-3.14.3-1.fc18,nss-softokn-3.14.3-1.fc18,nss-util-3.14.3-1.fc18,nspr-4.9.5-2.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/nss-3.14.3-1.fc18,nss-softokn-3.14.3-1.fc18,nss-util-3.14.3-1.fc18,nspr-4.9.5-2.fc18

--- Additional comment from Fedora Update System on 2013-02-24 03:41:59 EST ---

Package nss-3.14.3-1.fc18, nss-softokn-3.14.3-1.fc18, nss-util-3.14.3-1.fc18, nspr-4.9.5-2.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing nss-3.14.3-1.fc18 nss-softokn-3.14.3-1.fc18 nss-util-3.14.3-1.fc18 nspr-4.9.5-2.fc18'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-2929/nss-3.14.3-1.fc18,nss-softokn-3.14.3-1.fc18,nss-util-3.14.3-1.fc18,nspr-4.9.5-2.fc18
then log in and leave karma (feedback).

--- Additional comment from Fedora Update System on 2013-02-25 13:50:01 EST ---

nss-3.14.3-1.fc17,nss-softokn-3.14.3-1.fc17,nss-util-3.14.3-1.fc17,nspr-4.9.5-2.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/nss-3.14.3-1.fc17,nss-softokn-3.14.3-1.fc17,nss-util-3.14.3-1.fc17,nspr-4.9.5-2.fc17

--- Additional comment from Fedora Update System on 2013-02-28 02:04:25 EST ---

nss-3.14.3-1.fc18, nss-softokn-3.14.3-1.fc18, nss-util-3.14.3-1.fc18, nspr-4.9.5-2.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.

--- Additional comment from Fedora Update System on 2013-03-13 22:40:07 EDT ---

nss-3.14.3-1.fc17, nss-softokn-3.14.3-1.fc17, nss-util-3.14.3-1.fc17, nspr-4.9.5-2.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 2 RHEL Program Management 2013-10-14 02:30:37 UTC 
This request was not resolved in time for the current release.
Red Hat invites you to ask your support representative to
propose this request, if still desired, for consideration in
the next release of Red Hat Enterprise Linux.
Comment 4 Elio Maldonado Batiz 2014-02-16 17:28:33 UTC 
This has been fixed with a patch from Nalin which was incorprated in the intermon pem upstream. See the bottom enry in  https://git.fedorahosted.org/git/nss-pem.git
As we did for rhel-7.0, we should update pem sources to current upstream.
Not only do we get the fix for this bug but also we can get rid of several patches which have already been accepted upstream.
Comment 16 Elio Maldonado Batiz 2014-06-13 22:33:34 UTC 
Created attachment 908712 [details]
all changes to update pem source tar ball and get rid of old pem patches

Not always easy on the eyes, so let me extract the spec file changes and give a full explanation on why the patches are rendered obsolete next.
Comment 17 Elio Maldonado Batiz 2014-06-13 22:40:22 UTC 
Created attachment 908713 [details]
spec file changes in patch format

Updates the pem source tar ball to the same one we used for rhel-7.0. Doing so enables us to remove various pem patches which have aready been applied upstream - that is to the interim pem git repo.

The deleted patches, with their corresponding pem upstream commit, are:

Patch44: 0001-sync-up-with-upstream-softokn-changes.patch
https://git.fedorahosted.org/cgit/nss-pem.git/commit/?id=3ade37c5c4ca5a6094e3f4b2e4591405db1867dd

Patch45: Bug-896651-pem-dont-trash-keys-on-failed-login.patch
https://git.fedorahosted.org/cgit/nss-pem.git/commit/?id=023c1199d4958de3fb891066e6c49cf27bcd9d67

Patch51: Bug-702083-dont-require-unique-file-basenames.patch
https://git.fedorahosted.org/cgit/nss-pem.git/commit/?id=570c5a036e6f97e70cf22b47e6a45c35c3425376

Patch59: 0001-RHBZ-895339.patch
https://git.fedorahosted.org/cgit/nss-pem.git/commit/?id=b754c62f815409fc276b70c114fb63a3a863a79d

Patch64: 0001-pinst-make-derEncodingsMatch-work-with-encrypted-key.patch
https://git.fedorahosted.org/cgit/nss-pem.git/commit/?id=cefb1e6d8448b3227b35ca063041743d9664e7a0

The update also picks up a fix for a compile-time warning in LinkSharedKeyObject
gcc gave while working I was working on Bug 1002271
https://git.fedorahosted.org/cgit/nss-pem.git/commit/?id=4b40b45d097e6e786a8aa6ab971edeea7a8050c7
Comment 18 Bob Relyea 2014-06-17 17:24:10 UTC 
Comment on attachment 908712 [details]
all changes to update pem source tar ball and get rid of old pem patches

r+, though this kind of change doesn't really need a review from me.
Comment 20 errata-xmlrpc 2014-10-14 05:02:45 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2014-1378.html