Closed Bug 1541284 Opened 5 years ago Closed 5 years ago

potentially add PR_LOAD_LIBRARY_ERROR to the list of reasons to recreate pkcs11.txt in InitializeNSSWithFallbacks

Categories

(Core :: Security: PSM, defect, P5)

68 Branch
defect


RESOLVED WONTFIX

People

(Reporter: info, Unassigned, NeedInfo)

Details

(Whiteboard: [psm-backlog])

User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0

Steps to reproduce:

I share my Nightly profile between Windows and Linux on my dual-boot laptop, stored on an NTFS volume. Yes I know this isn't supported, but it has worked for decades. The same tabs and history and preferences reopen when I switch O.S. \o/ ! Except...

  1. Saved Logins doesn't work, my existing username/password combos aren't offered and the hanger prompt to save new ones silently fails. The list of logins Preferences > Privacy & Security > Saved Logins... is empty on Linux.
  2. Firefox Sync doesn't seem to work (I sync my desktop Firefox with Firefox for Android). about:sync-log has errors.

Actual results:

Every time I click [Saved Logins...], Browser Console (thanks Mossop!) repeats hundreds of
NS_ERROR_FAILURE: Couldn't decrypt string crypto-SDR.js:181
I stepped through the JS and storage-json.js:_decryptLogins() calls crypto-SDR.js:decrypt() to decrypt the saved login's username, which in turn calls the ?? XPC/native C code: this._decoderRing.decryptString(), which throws the error.

When I enable Sync, Browser Console displays a few of the same errors plus
NS_ERROR_ABORT: User canceled master password entry crypto-SDR.js:85
I don't have a master password, I'm not prompted for it under either O.S. This might be a mis-attributed error when encrypt() fails. I haven't stepped through this code path in the debugger.

Expected results:

I understand sharing a profile across O.S. isn't a supported configuration, that we're supposed to use Firefox Sync instead, and Mossop mentioned "we may be changing to using OS crypto stuff which will mean sharing a profile will definitely mean logins are inaccessible" (is there a tracking bug for this change?). But sharing a profile is a useful feature documented in several old web pages.

I would be happy to debug this more and delve into NSS. Where is the source for _decoderRing.decryptString()? Is there some way to trigger debugging information from NSS or to exercise the same code outside Firefox?

FWIW, I pointed the tool https://github.com/lclevy/firepwd at copies of my key3.db, key4.db, and logins.json files from Windows and it was able to decrypt my saved logins successfully, which suggests there's nothing inherently platform-specific in the login encryption and storage.

Also (minor enhancements): perhaps Saved Logins... should notify the user in UI if it fails to decrypt every saved login, and the error about "User canceled master password entry" is wrong or misleading. Let me know if I should file separate bugs.

Moving over to a component related to passwords. Takes too much time to set up, but hopefully developers will answer and help you debug further.

Thanks for the report!

Component: Untriaged → Password Manager
Product: Firefox → Toolkit

Your issue may be with the line endings in pkcs11.txt. Try deleting the file and see if that fixes the issue for the OS you're running on.

(In reply to skierpage from comment #0)

I understand sharing a profile across O.S. isn't a supported configuration, that we're supposed to use Firefox Sync instead, and Mossop mentioned "we may be changing to using OS crypto stuff which will mean sharing a profile will definitely mean logins are inaccessible" (is there a tracking bug for this change?). But sharing a profile is a useful feature documented in several old web pages.

This is one of the reasons we haven't switched to OS key storage yet.

I would be happy to debug this more and delve into NSS. Where is the source for _decoderRing.decryptString()?

You can use https://www.searchfox.org to find it…

https://searchfox.org/mozilla-central/search?q=decryptString points to SecretDecoderRing.cpp#185

Is there some way to trigger debugging information from NSS or to exercise the same code outside Firefox?

https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/Reference/NSS_environment_variables may have some pointers but I'll let someone on that team give more info…

Component: Password Manager → Security: PSM
Product: Toolkit → Core

(In reply to Matthew N. [:MattN] (away until Apr. 14) from comment #2)

Thank you very much for responding!

Your issue may be with the line endings in pkcs11.txt. Try deleting the file and see if that fixes the issue for the OS you're running on.

It didn't, still no saved logins in Linux and the same error from crypto-SDR.js. My existing file from Nov 2017 had Unix-style newlines (\n). The recreated pkcs11.txt is the same but has a shorter parameters= line.

FWIW I noticed another error later in the Browser Console:
Failed to update CertDB: [Exception... "Component returned failure code: 0x805a1fe8 [nsIX509CertDB.addCert]" nsresult: "0x805a1fe8 (<unknown>)" location: "JS frame :: resource://gre/modules/psm/RemoteSecuritySettings.jsm :: maybeDownloadAttachment/< :: line 245" data: no] 100 RemoteSecuritySettings.jsm:247

I think I'll have to step through SecretDecoderRing.cpp in gdb to see where it fails.
Thanks again for all you do.

Try running Firefox with the environment variable MOZ_LOG set to pipnss:4. I suspect NSS is getting initialized in no-DB mode, which means it won't have access to the private key that encrypts/decrypts your logins/sync key.

Flags: needinfo?(info)
Status: UNCONFIRMED → RESOLVED
Closed: 5 years ago
Resolution: --- → INCOMPLETE

Hi, thanks so much, sorry for my delay, and you are right! With a default profile the log contains
D/pipnss initialized NSS in r/w mode
but with my shared profile it contains
D/pipnss failed to initialize NSS with codes -5977 -5977
D/pipnss last-resort NSS_NoDB_Init

Here's the diff:
[Parent <PID>: Main Thread]: D/pipnss NSS Initialization beginning
-[Parent <PID>: Main Thread]: D/pipnss NSS profile at '/home/spage/.mozilla/firefox/blahblah1.default'
+[Parent <PID>: Main Thread]: D/pipnss NSS profile at '/media/Windows/Users/spage/Firefox_profiles/blahblah2.spage1'
[Parent <PID>: Main Thread]: D/pipnss not setting NSS_SDB_USE_CACHE
[Parent <PID>: Main Thread]: D/pipnss inSafeMode: 0
-[Parent <PID>: Main Thread]: D/pipnss initialized NSS in r/w mode
+[Parent <PID>: Main Thread]: D/pipnss failed to initialize NSS with codes -5977 -5977
+[Parent <PID>: Main Thread]: D/pipnss last-resort NSS_NoDB_Init
[Parent <PID>: Main Thread]: D/pipnss NSS Initialization done

I see the code in mozilla-central/security/manager/ssl/nsNSSComponent.cpp. I think -5977 is
#define PR_LOAD_LIBRARY_ERROR (-5977L)
and I think this is coming from nss_Init(). Now to learn gdb...

Status: RESOLVED → REOPENED
Ever confirmed: true
Flags: needinfo?(info)
Resolution: INCOMPLETE → ---

Can you share the contents of /media/Windows/Users/spage/Firefox_profiles/blahblah2.spage1/pkcs11.txt?
Also, is there a file libsoftokn3.so in that directory?

Flags: needinfo?(info)

(In reply to Dana Keeler (she/her) (use needinfo) (:keeler for reviews) from comment #6)

Can you share the contents of /media/Windows/Users/spage/Firefox_profiles/blahblah2.spage1/pkcs11.txt?
There's the problem. I screwed up in comment #3 and deleted pkcs11.txt in my default empty profile, not my shared one.
In my problematic shared profile, the third line of pkcs11.txt started with
parameters=configdir='sql:C:\Users\spage\FIREFO1\BLAHBL1.SPA'...
which looks like trouble under Linux. I deleted pkcs11.txt and restarted, and now the third line starts with
parameters=configdir='sql:/media/Windows/Users/spage/Firefox_profiles/blahblah2.spage1'...
and now Saved Logins is populated! \o/. Platform-independence lives on to fight another day. I'll try rebooting into Windows, I suspect Windows will now have similar issues. I assume there's no way to express the configdir in a platform-independent manner? Then if you're fool enough to try to share a profile, you need to delete pkcs11.txt each time you switch; I'll look to add this caution to whatever old web page discusses this.

Also, is there a file libsoftokn3.so in that directory?
No, it's only in the directory containing my nightly binary.

Thanks so much for your help ❤

Flags: needinfo?(info)

Great!

Maybe we should add PR_LOAD_LIBRARY_ERROR to the list of error codes for which we'll try to reset pkcs11.txt: https://searchfox.org/mozilla-central/rev/b4e790d05f5a146d186c238bac5601a553581d23/security/manager/ssl/nsNSSComponent.cpp#1622

Priority: -- → P2
Summary: Saved Logins is empty and Sync failures in NSS decoderRing when sharing Windows profile with Linux dual-boot (NSS decrypt errors?) → potentially add PR_LOAD_LIBRARY_ERROR to the list of reasons to recreate pkcs11.txt in InitializeNSSWithFallbacks
Whiteboard: [psm-backlog]

(In reply to Dana Keeler (she/her) (use needinfo) (:keeler for reviews) from comment #8)

Maybe we should add PR_LOAD_LIBRARY_ERROR to the list of error codes for which we'll try to reset pkcs11.txt: https://searchfox.org/mozilla-central/rev/b4e790d05f5a146d186c238bac5601a553581d23/security/manager/ssl/nsNSSComponent.cpp#1622

That seems worthwhile. Another approach would be to default to a profile-relative path for configdir, i.e. missing or blank would just openat() the profile directory and wouldn't write out the absolute path. FWIW I tried changing
parameters=configdir='sql:/path/to/my/profile/blahblah.name' ...
to
parameters=configdir='sql:' ...
(an empty path) and Firefox rewrote pkcs11.txt to reset configdir to the absolute Linux path.

I updated "Windows and Linux using same Firefox profile" to mention this issue and workaround of deleting pkcs11.txt, https://superuser.com/questions/1258469/windows-and-linux-using-same-firefox-profile/1432343#1432343 ; there are several other Q&As on the same subject on the web.

BTW I tried stepping through the Fedora Firefox binary but gdb grew to 9 GB RSS and I only have 8GB RAM! :)
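A small diagnostic for the situation described in comments #7 and #9, added here as an example and not code from Firefox or NSS: it parses the parameters= line of pkcs11.txt, extracts configdir, and reports whether the stored absolute path was written by the other operating system, which is what kept softoken from opening the key database. The pkcs11.txt content is constructed from the lines quoted in this bug, and the profile-relative rewrite is the bare 'sql:' form from comment #9.

```python
import re
import sys

# Constructed sample of a pkcs11.txt written by Firefox on Windows; only the
# parameters= line follows the text quoted in comment #7, the rest is filler.
SAMPLE_PKCS11_TXT = (
    "library=\n"
    "name=NSS Internal PKCS #11 Module\n"
    "parameters=configdir='sql:C:\\Users\\spage\\FIREFO1\\BLAHBL1.SPA' "
    "certPrefix='' keyPrefix='' secmod='secmod.db' flags=\n"
)

CONFIGDIR_RE = re.compile(r"configdir='(?P<scheme>sql:|dbm:)?(?P<path>[^']*)'")

def parse_configdir(pkcs11_txt):
    """Return (scheme, path) from the parameters= line, or None if absent."""
    for line in pkcs11_txt.splitlines():
        if line.startswith("parameters="):
            m = CONFIGDIR_RE.search(line)
            if m:
                return (m.group("scheme") or "", m.group("path"))
    return None

def path_style(path):
    """Classify a configdir path by the OS convention it was written with."""
    if path == "":
        return "empty"          # profile-relative, the 'sql:' hack from comment #9
    if re.match(r"^[A-Za-z]:[\\/]", path) or path.startswith("\\\\"):
        return "windows"        # drive letter or UNC path
    if path.startswith("/"):
        return "posix"
    return "unknown"

def check_profile(pkcs11_txt, host=None):
    """Report whether the stored configdir is usable on the given host OS."""
    host = host or ("windows" if sys.platform.startswith("win") else "posix")
    parsed = parse_configdir(pkcs11_txt)
    if parsed is None:
        return {"configdir": None, "style": "missing", "host": host, "mismatch": False}
    scheme, path = parsed
    style = path_style(path)
    # An absolute path from the other OS is the mismatch that made NSS fall
    # back to NSS_NoDB_Init; an empty path is usable on either platform.
    mismatch = style in ("windows", "posix") and style != host
    return {"configdir": scheme + path, "style": style, "host": host, "mismatch": mismatch}

def make_profile_relative(pkcs11_txt):
    """Rewrite configdir to the bare 'sql:' form described in comment #9."""
    return CONFIGDIR_RE.sub("configdir='sql:'", pkcs11_txt, count=1)
```

Run check_profile on the real file before switching operating systems; a mismatch is the cue to delete pkcs11.txt (or apply make_profile_relative) so Firefox recreates it for the current host.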

A patch was created in BUG 1564284.
I believe this BUG is very related to the same problem, but as it is classified outside the NSS, I would like a confirmation.

Could somebody confirm if this was solved, please?

Flags: needinfo?(info)

(In reply to Marcus Burghardt from comment #10)

A patch was created in BUG 1564284.
I believe this BUG is very related to the same problem, but as it is classified outside the NSS, I would like a confirmation.

Maybe, this seems different. The problem here, as I said in comment #7, seems to be that pkcs11.txt stores an O.S. dependent path in configdir.

Could somebody confirm if this was solved, please?
It doesn't look as if @Dana Keeler implemented the fix she proposed in comment #8.
However, my hack in comment #9 of changing configdir to just 'sql:' with no path has been working under Linux since May 2019, despite what I wrote \o/ . I don't know what if anything's changed.
Furthermore, I can no longer reproduce the bug. I created a new profile in Linux on my NTFS volume, so pkcs11.txt contains a Linux path, and added a few saved passwords; but when I added the profile to my Windows Firefox profile.ini and ran Firefox with this profile, Firefox found the saved logins despite the Linux path in pkcs11.txt being invalid for Windows.

So my bug has gone away, but I'm not sure why.

All right. So, I believe we can close this bug now as this operation is not officially supported, although there is some unofficial workaround, and this problem could not be reproduced anymore.

Status: REOPENED → RESOLVED
Closed: 5 years ago
Priority: P2 → P5
Resolution: --- → WONTFIX