Closed
Bug 1453372
Opened 7 years ago
Closed 6 years ago
nss doesn't handle dos-style line endings in pkcs11.txt on linux
Categories
(NSS :: Libraries, defect, P3)
NSS
Libraries
Tracking
(Not tracked)
RESOLVED
DUPLICATE
of bug 1564284
People
(Reporter: robwu, Unassigned)
References
Details
A user migrated their Firefox profile from Windows to Linux, and after doing that they reported that the password manager was not working.
I have received a copy of the profile directory for debugging, and found the following in Firefox 59.0.2 on Linux (and also Nightly):
1. Upon visiting a page for which the password manager has credentials, the following message appears in global JS console:
NS_ERROR_FAILURE: Couldn't decrypt string crypto-SDR.js:136
2. Upon login, Firefox's doorhanger shows up and the above error is logged 4 more times.
3. Upon clicking the "Save" button in the doorhanger, the password manager does not save the username/password either. There are no signals from the UI (no warnings or dialogs), and the global JS console contains the following errors:
NS_ERROR_ABORT: User canceled master password entry crypto-SDR.js:86
NS_ERROR_ABORT: User canceled master password entry crypto-SDR.js:86
NS_ERROR_ABORT: User canceled master password entry crypto-SDR.js:86
[Exception... "User canceled master password entry" nsresult: "0x80004004 (NS_ERROR_ABORT)" location: "JS frame :: jar:file:///usr/lib/firefox/omni.ja!/components/crypto-SDR.js :: encrypt :: line 86" data: no]
encrypt jar:file:///usr/lib/firefox/omni.ja!/components/crypto-SDR.js:86:15
_encryptLogin jar:file:///usr/lib/firefox/omni.ja!/components/storage-json.js:484:23
addLogin jar:file:///usr/lib/firefox/omni.ja!/components/storage-json.js:108:47
addLogin jar:file:///usr/lib/firefox/omni.ja!/components/nsLoginManager.js:307:12
persistData jar:file:///usr/lib/firefox/omni.ja!/components/nsLoginManagerPrompter.js:928:9
callback jar:file:///usr/lib/firefox/omni.ja!/components/nsLoginManagerPrompter.js:958:9
_onButtonEvent resource://gre/modules/PopupNotifications.jsm:1518:9
oncommand chrome://browser/content/browser.xul:1:1
4. Deleting key4.db and logins.json (in case they were corrupt) did not work.
5. The Master password cannot be set or reset in the presence of this bug.
When I try to set a master password, it fails and a dialog shows "Unable to change Master Password".
To debug, I started Firefox with MOZ_LOG=pipnss:4 and stdout shows:
[20027:Main Thread]: D/pipnss nsNSSComponent::ctor
[20027:Main Thread]: D/pipnss Beginning NSS initialization
[20027:Main Thread]: D/pipnss nsNSSComponent::InitializeNSS
[20027:Main Thread]: D/pipnss NSS Initialization beginning
[20027:Main Thread]: D/pipnss NSS profile at '/tmp/brokenprofiledir'
[20027:Main Thread]: D/pipnss inSafeMode: 0
[20027:Main Thread]: D/pipnss failed to initialize NSS with codes -5977 -5977
[20027:Main Thread]: D/pipnss last-resort NSS_NoDB_Init
[20027:Main Thread]: D/pipnss NSS Initialization done
In contrast, in a profile that works, the log shows:
[18768:Main Thread]: D/pipnss nsNSSComponent::ctor
[18768:Main Thread]: D/pipnss Beginning NSS initialization
[18768:Main Thread]: D/pipnss nsNSSComponent::InitializeNSS
[18768:Main Thread]: D/pipnss NSS Initialization beginning
[18768:Main Thread]: D/pipnss NSS profile at '/tmp/workingprofiledir'
[18768:Main Thread]: D/pipnss inSafeMode: 0
[18768:Main Thread]: D/pipnss initialized NSS in r/w mode
[18768:Main Thread]: D/pipnss NSS Initialization done
To turn the broken profile in a working profile, I had to delete /tmp/brokenprofiledir/pkcs11.txt
For reference, this was /tmp/brokenprofiledir/pkcs11.txt
library=
name=NSS Internal PKCS #11 Module
parameters=configdir='sql:C:\\Users\\USERNA~1\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\123456~1.ABC' certPrefix='' keyPrefix='' secmod='secmod.db' flags=optimizeSpace updatedir='' updateCertPrefix='' updateKeyPrefix='' updateid='' updateTokenDescription='' manufacturerID='Mozilla.org' libraryDescription='PSM Internal Crypto Services' cryptoTokenDescription='Generic Crypto Services' dbTokenDescription='Software Security Device' cryptoSlotDescription='PSM Internal Cryptographic Services' dbSlotDescription='PSM Private Keys' FIPSSlotDescription='FIPS 140 Cryptographic, Key and Certificate Services' FIPSTokenDescription='Software Security Device (FIPS)' minPS=0
NSS=trustOrder=75 cipherOrder=100 slotParams={0x00000001=[slotFlags=RSA,RC4,RC2,DES,DH,SHA1,MD5,MD2,SSL,TLS,AES,SHA256,SHA512,Camellia,SEED,RANDOM askpw=any timeout=30 ] } Flags=internal,critical
After removal, it was autogenerated again. The new pkcs11.txt looks very similar, except the configdir parameter is:
parameters=configdir='sql:/tmp/brokenprofiledir' ...
Firefox profile directories should be portable, so Firefox/NSS should be able to fall back to the profile directory if configdir is invalid.
|
||
Comment 1•7 years ago
|
||
Looks like `configdir` shouldn't be using an absolute path. We generally avoid absolute paths in Gecko/Firefox so that profiles are portable.
Component: Password Manager → Security: PSM
Product: Toolkit → Core
|
||
Comment 2•7 years ago
|
||
Did the broken profile work after removing pkcs11.txt?
Assignee: nobody → nobody
Component: Security: PSM → Libraries
Flags: needinfo?(rob)
Product: Core → NSS
Version: 60 Branch → other
|
|
||
Comment 3•7 years ago
|
||
I didn't mean to actually move this yet.
Assignee: nobody → nobody
Component: Libraries → Security: PSM
Product: NSS → Core
Version: other → unspecified
|
Reporter | |
Comment 4•7 years ago
|
||
(In reply to David Keeler [:keeler] (use needinfo) from comment #2)
> Did the broken profile work after removing pkcs11.txt?
Yes. From the report:
> To turn the broken profile in a working profile, I had to delete /tmp/brokenprofiledir/pkcs11.txt
I have now also confirmed with the user that manually editing configdir in pkcs11.txt fixes the problem.
Flags: needinfo?(rob)
|
|
||
Comment 5•7 years ago
|
||
Ok - cool. In general, that file isn't actually portable across systems. It (again, in general) contains a list of binary PKCS#11 libraries for NSS to load (and if that sounds like a bad idea, your instincts are correct), and certainly won't work cross-platform, and probably isn't reliable cross-system. (In this case the issue seems specific to an NSS-internal aspect of this code, but I suspect if the user had had any 3rd-party modules they would have caused loading to fail as well.) I guess the options are a) modify NSS to tolerate not being able to find the configdir, if that even makes sense (not sure it does) or b) implement a fallback in PSM like we did in bug 1337950 (that is, try to initialize NSS by renaming files until it works).
|
|
||
Updated•7 years ago
|
Priority: -- → P3
Whiteboard: [psm-backlog]
Thank you for reporting this issue. I am experiencing the exact same behavior, as well. Deleting (I renamed it) the pkcs11.txt file solved the issue for now (most likely until the next reboot to different OS.
I would love to see that bug fixed in a not so distant version (in my theory it must not be to difficult to build in those aforementioned "workarounds".
|
||
Comment 9•7 years ago
|
||
why is there a need to use absolute path since it points to the profile folder anyway?
|
|
||
Comment 10•7 years ago
|
||
Rob, is this still happening? I'm trying to reproduce this and for me, having a nonexistent or nonsensical configdir parameter in pkcs11.txt makes no difference (as in, it works either way for me). I even tried copying the pkcs11.txt file from comment 0 and it still worked. Was there anything else in that pkcs11.txt file? Also, are there any .so files in the profile directory?
Flags: needinfo?(rob)
|
|
Reporter | |
Comment 11•7 years ago
|
||
| str | ||
I think that configdir might have been a red herring: The bug does not reproduce when I create a profile from scratch and modify configdir.
But I can still reproduce the original bug with a backup of the original profile directory.
Besides configdir, another difference is the use of CRLF instead LF as line terminators, and the bug does indeed reproduce if I use the following STR:
STR:
1. Create a new directory "prof".
2. Start Firefox to generate the profile: firefox --no-remote -profile prof
3. Close Firefox.
4. Replace LF with CRLF:
sed -i 's/$/\r/' prof/pkcs11.txt
5. Start Firefox again:
MOZ_LOG=pipnss:4 firefox --no-remote -profile prof/ |& head -n10
Result (as in comment #0):
[29787:Main Thread]: D/pipnss nsNSSComponent::ctor
[29787:Main Thread]: D/pipnss Beginning NSS initialization
[29787:Main Thread]: D/pipnss nsNSSComponent::InitializeNSS
[29787:Main Thread]: D/pipnss NSS Initialization beginning
[29787:Main Thread]: D/pipnss NSS profile at '/tmp/prof'
[29787:Main Thread]: D/pipnss not setting NSS_SDB_USE_CACHE
[29787:Main Thread]: D/pipnss inSafeMode: 0
[29787:Main Thread]: D/pipnss failed to initialize NSS with codes -5977 -5977
[29787:Main Thread]: D/pipnss last-resort NSS_NoDB_Init
[29787:Main Thread]: D/pipnss NSS Initialization done
Tested with Firefox 61.0.1 and Firefox Nightly 63.0a1.
Flags: needinfo?(rob)
|
|
||
Comment 12•7 years ago
|
||
Ah - I'm seeing the same behavior. Thanks!
Assignee: nobody → nobody
Component: Security: PSM → Libraries
Priority: P3 → --
Product: Core → NSS
Summary: Password manager unusable after profile migration because of configdir parameter in pkcs11.txt → nss doesn't handle dos-style line endings in pkcs11.txt on linux
Version: unspecified → other
|
|
||
Updated•7 years ago
|
Whiteboard: [psm-backlog]
|
|
Reporter | |
Comment 13•7 years ago
|
||
I wonder whether the reverse is broken too, i.e. whether LF line endings in pkcs11.txt is supported on Windows. Can anyone test that and report back?
|
|
||
Comment 14•7 years ago
|
||
i've just tested this. it seems that changing the line ending to linux format its working both on windows and linux for same profile folder that i'm using since a few years ago
|
||
Updated•7 years ago
|
QA Contact: franziskuskiefer
|
||
Updated•7 years ago
|
Priority: -- → P3
|
||
Comment 15•6 years ago
•
|
||
Looks the same problem fixed by the BUG 1564284.
Marking as duplicate.
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → DUPLICATE
You need to log in
before you can comment on or make changes to this bug.
Description
•