Hide Forgot
+++ This bug was initially created as a clone of Bug #896651 +++ Description of problem: When an encrypted private key is imported into a slot in the PEM module, the module sets the slot's needsLogin flag to signal that a password is required. When the application attempts to log in to the token, the module attempts to decrypt the private key, but after decryption, it overwrites the encrypted key data with the decrypted data before verifying that the decrypted data isn't just the garbage that you get when you decrypt with an incorrect key. After that, there's no way to recover the data. It really should wait until after SEC_QuickDERDecodeItem() succeeds before modifying the contents of io->u.key.key.privateKey. Version-Release number of selected component (if applicable): nss-3.14.1-2.fc18 --- Additional comment from Nalin Dahyabhai on 2013-01-17 11:55:54 EST --- --- Additional comment from Kamil Dudka on 2013-01-21 06:33:33 EST --- > --- mozilla/security/nss/lib/ckfw/pem/psession.c > +++ mozilla/security/nss/lib/ckfw/pem/psession.c > @@ -230,6 +230,7 @@ pem_mdSession_Login > unsigned int len = 0; > NSSLOWKEYPrivateKey *lpk = NULL; > PLArenaPool *arena; > + SECItem plain; > int i; > > fwSlot = NSSCKFWToken_GetFWSlot(fwToken); > @@ -306,23 +321,31 @@ pem_mdSession_Login > lpk->keyType = NSSLOWKEYRSAKey; > prepare_low_rsa_priv_key_for_asn1(lpk); > > - nss_ZFreeIf(io->u.key.key.privateKey->data); > - io->u.key.key.privateKey->len = len - output[len - 1]; > - io->u.key.key.privateKey->data = > - (void *) nss_ZAlloc(NULL, io->u.key.key.privateKey->len); > - memcpy(io->u.key.key.privateKey->data, output, len - output[len - 1]); > + if (output[len - 1] > 8) { > + rv = CKR_GENERAL_ERROR; > + /* goto loser; */ > + } Why is the goto statement commented out? It makes the assignment redundant. It would also help to put there a comment saying which error case is being handled by the condition. --- Additional comment from Nalin Dahyabhai on 2013-01-23 11:30:49 EST --- (In reply to comment #2) > Comment on attachment 680373 [details] > patch to only replace the encrypted data with decrypted data after it's > vetted > > > --- mozilla/security/nss/lib/ckfw/pem/psession.c > > +++ mozilla/security/nss/lib/ckfw/pem/psession.c > > @@ -230,6 +230,7 @@ pem_mdSession_Login > > unsigned int len = 0; > > NSSLOWKEYPrivateKey *lpk = NULL; > > PLArenaPool *arena; > > + SECItem plain; > > int i; > > > > fwSlot = NSSCKFWToken_GetFWSlot(fwToken); > > @@ -306,23 +321,31 @@ pem_mdSession_Login > > lpk->keyType = NSSLOWKEYRSAKey; > > prepare_low_rsa_priv_key_for_asn1(lpk); > > > > - nss_ZFreeIf(io->u.key.key.privateKey->data); > > - io->u.key.key.privateKey->len = len - output[len - 1]; > > - io->u.key.key.privateKey->data = > > - (void *) nss_ZAlloc(NULL, io->u.key.key.privateKey->len); > > - memcpy(io->u.key.key.privateKey->data, output, len - output[len - 1]); > > + if (output[len - 1] > 8) { > > + rv = CKR_GENERAL_ERROR; > > + /* goto loser; */ > > + } > > Why is the goto statement commented out? It makes the assignment redundant. My early assumption that the size of the padding would always be smaller than the cipher block size proved to be incorrect. Feel free to drop that part. --- Additional comment from Nalin Dahyabhai on 2013-02-13 13:33:47 EST --- --- Additional comment from Fedora Update System on 2013-02-22 14:33:30 EST --- nss-3.14.3-1.fc18,nss-softokn-3.14.3-1.fc18,nss-util-3.14.3-1.fc18,nspr-4.9.5-2.fc18 has been submitted as an update for Fedora 18. https://admin.fedoraproject.org/updates/nss-3.14.3-1.fc18,nss-softokn-3.14.3-1.fc18,nss-util-3.14.3-1.fc18,nspr-4.9.5-2.fc18 --- Additional comment from Fedora Update System on 2013-02-24 03:41:59 EST --- Package nss-3.14.3-1.fc18, nss-softokn-3.14.3-1.fc18, nss-util-3.14.3-1.fc18, nspr-4.9.5-2.fc18: * should fix your issue, * was pushed to the Fedora 18 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing nss-3.14.3-1.fc18 nss-softokn-3.14.3-1.fc18 nss-util-3.14.3-1.fc18 nspr-4.9.5-2.fc18' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2013-2929/nss-3.14.3-1.fc18,nss-softokn-3.14.3-1.fc18,nss-util-3.14.3-1.fc18,nspr-4.9.5-2.fc18 then log in and leave karma (feedback). --- Additional comment from Fedora Update System on 2013-02-25 13:50:01 EST --- nss-3.14.3-1.fc17,nss-softokn-3.14.3-1.fc17,nss-util-3.14.3-1.fc17,nspr-4.9.5-2.fc17 has been submitted as an update for Fedora 17. https://admin.fedoraproject.org/updates/nss-3.14.3-1.fc17,nss-softokn-3.14.3-1.fc17,nss-util-3.14.3-1.fc17,nspr-4.9.5-2.fc17 --- Additional comment from Fedora Update System on 2013-02-28 02:04:25 EST --- nss-3.14.3-1.fc18, nss-softokn-3.14.3-1.fc18, nss-util-3.14.3-1.fc18, nspr-4.9.5-2.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report. --- Additional comment from Fedora Update System on 2013-03-13 22:40:07 EDT --- nss-3.14.3-1.fc17, nss-softokn-3.14.3-1.fc17, nss-util-3.14.3-1.fc17, nspr-4.9.5-2.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.
This request was not resolved in time for the current release. Red Hat invites you to ask your support representative to propose this request, if still desired, for consideration in the next release of Red Hat Enterprise Linux.
This has been fixed with a patch from Nalin which was incorprated in the intermon pem upstream. See the bottom enry in https://git.fedorahosted.org/git/nss-pem.git As we did for rhel-7.0, we should update pem sources to current upstream. Not only do we get the fix for this bug but also we can get rid of several patches which have already been accepted upstream.
Created attachment 908712 [details] all changes to update pem source tar ball and get rid of old pem patches Not always easy on the eyes, so let me extract the spec file changes and give a full explanation on why the patches are rendered obsolete next.
Created attachment 908713 [details] spec file changes in patch format Updates the pem source tar ball to the same one we used for rhel-7.0. Doing so enables us to remove various pem patches which have aready been applied upstream - that is to the interim pem git repo. The deleted patches, with their corresponding pem upstream commit, are: Patch44: 0001-sync-up-with-upstream-softokn-changes.patch https://git.fedorahosted.org/cgit/nss-pem.git/commit/?id=3ade37c5c4ca5a6094e3f4b2e4591405db1867dd Patch45: Bug-896651-pem-dont-trash-keys-on-failed-login.patch https://git.fedorahosted.org/cgit/nss-pem.git/commit/?id=023c1199d4958de3fb891066e6c49cf27bcd9d67 Patch51: Bug-702083-dont-require-unique-file-basenames.patch https://git.fedorahosted.org/cgit/nss-pem.git/commit/?id=570c5a036e6f97e70cf22b47e6a45c35c3425376 Patch59: 0001-RHBZ-895339.patch https://git.fedorahosted.org/cgit/nss-pem.git/commit/?id=b754c62f815409fc276b70c114fb63a3a863a79d Patch64: 0001-pinst-make-derEncodingsMatch-work-with-encrypted-key.patch https://git.fedorahosted.org/cgit/nss-pem.git/commit/?id=cefb1e6d8448b3227b35ca063041743d9664e7a0 The update also picks up a fix for a compile-time warning in LinkSharedKeyObject gcc gave while working I was working on Bug 1002271 https://git.fedorahosted.org/cgit/nss-pem.git/commit/?id=4b40b45d097e6e786a8aa6ab971edeea7a8050c7
Comment on attachment 908712 [details] all changes to update pem source tar ball and get rid of old pem patches r+, though this kind of change doesn't really need a review from me.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2014-1378.html