nss/553638.patch

98 lines
3.5 KiB
Diff
Raw Normal View History

diff -up nss-3.12.5/mozilla/security/nss/lib/sysinit/nsssysinit.c.553638 nss-3.12.5/mozilla/security/nss/lib/sysinit/nsssysinit.c
2010-01-25 22:10:27 +00:00
--- nss-3.12.5/mozilla/security/nss/lib/sysinit/nsssysinit.c.553638 2010-01-25 08:58:42.358325102 -0800
+++ nss-3.12.5/mozilla/security/nss/lib/sysinit/nsssysinit.c 2010-01-25 09:07:20.028324059 -0800
@@ -36,6 +36,7 @@
#include "seccomon.h"
#include "prio.h"
#include "prprf.h"
+#include "plhash.h"
/*
* The following provides a default example for operating systems to set up
@@ -212,6 +213,25 @@ getFIPSMode(void)
#define NSS_DEFAULT_FLAGS "flags=readonly"
+/* configuration flags according to
+ * https://developer.mozilla.org/en/PKCS11_Module_Specs
+ * As stated there the slotParams start with a slot name which is a slotID
+ * Slots 1 through 3 are reserved for the nss internal modules as follows:
+ * 1 for crypto operations slot non-fips,
+ * 2 for the key slot, and
+ * 3 for the crypto operations slot fips
+ */
+#define ORDER_FLAGS "trustOrder=75 cipherOrder=100"
+#define SLOT_FLAGS \
2010-01-25 22:10:27 +00:00
+ "[slotFlags=RSA,RC4,RC2,DES,DH,SHA1,MD5,MD2,SSL,TLS,AES,RANDOM" \
+ " askpw=any timeout=30 ]"
+
+static const char *nssDefaultFlags =
+ ORDER_FLAGS " slotParams={0x00000001=" SLOT_FLAGS " } ";
+
+static const char *nssDefaultFIPSFlags =
+ ORDER_FLAGS " slotParams={0x00000003=" SLOT_FLAGS " } ";
+
/*
* This function builds the list of databases and modules to load, and sets
* their configuration. For the sample we have a fixed set.
@@ -226,13 +246,6 @@ getFIPSMode(void)
* the decision making process.
*
*/
-static const char *nssDefaultFlags = "trustOrder=75 cipherOrder=100 \
-slotParams={0x00000001=[slotFlags=RSA,RC4,RC2,DES,DH,SHA1,MD5,MD2,SSL,TLS,AES,RANDOM \
-askpw=any timeout=30 ] } ";
-static const char *nssDefaultFIPSFlags = "trustOrder=75 cipherOrder=100 \
-slotParams={0x00000003=[slotFlags=RSA,RC4,RC2,DES,DH,SHA1,MD5,MD2,SSL,TLS,AES,RANDOM \
-askpw=any timeout=30 ] } ";
-
static char **
get_list(char *filename, char *stripped_parameters)
{
2010-01-25 22:10:27 +00:00
@@ -250,11 +263,6 @@ get_list(char *filename, char *stripped_
sysdb = getSystemDB();
userdb = getUserDB();
- if (sysdb && !strcmp(filename, sysdb))
- filename = NULL;
- if (userdb && !strcmp(filename, userdb))
- filename = NULL;
2010-01-25 22:10:27 +00:00
-
/* Don't open root's user DB */
if (userdb != NULL && !userIsRoot()) {
2010-01-25 22:10:27 +00:00
/* return a list of databases to open. First the user Database */
@@ -276,16 +284,29 @@ get_list(char *filename, char *stripped_
userdb, stripped_parameters);
}
2010-01-25 22:10:27 +00:00
- if (filename && !userIsRoot() && 0
- /* This doesn't actually work. If we register
- both this and the sysdb (in either order)
- then only one of them actually shows up */) {
2010-01-25 22:10:27 +00:00
+#if 0
+ /* This doesn't actually work. If we register
2010-01-25 22:10:27 +00:00
+ both this and the sysdb (in either order)
+ then only one of them actually shows up */
+
+ /* Using a NULL filename as a Boolean flag to
+ * prevent registering both an application-defined
+ * db and the system db. rhbz #546211.
+ */
+ PORT_Assert(filename);
+ if (sysdb && PL_CompareStrings(filename, sysdb))
+ filename = NULL;
+ else if (userdb && PL_CompareStrings(filename, userdb))
+ filename = NULL;
+
+ if (filename && !userIsRoot()) {
module_list[next++] = PR_smprintf(
"library= "
"module=\"NSS database\" "
"parameters=\"configdir='sql:%s' tokenDescription='NSS database sql:%s'\" "
2010-01-25 22:10:27 +00:00
"NSS=\"%sflags=internal\"",filename, filename, nssflags);
}
+#endif
/* now the system database (always read only unless it's root) */
if (sysdb) {