Disable bypass code at build time and return failure on attempts to enable at runtime

- Bug 806588 - Disable SSL PKCS #11 bypass at build time
Elio Maldonado 2012-11-09 17:20:07 -08:00
parent fef81756fd
commit 19ad65d608
2 changed files with 26 additions and 1 deletions

@ -0,0 +1,15 @@
diff -up ./mozilla/security/nss/lib/ssl/derive.c.nobypass ./mozilla/security/nss/lib/ssl/derive.c
diff -up ./mozilla/security/nss/lib/ssl/sslsock.c.nobypass ./mozilla/security/nss/lib/ssl/sslsock.c
--- ./mozilla/security/nss/lib/ssl/sslsock.c.nobypass 2012-10-07 15:12:25.455307540 -0700
+++ ./mozilla/security/nss/lib/ssl/sslsock.c 2012-10-07 15:21:27.229346754 -0700
@@ -547,8 +547,8 @@ static PRStatus SSL_BypassRegisterShutdo
static PRStatus SSL_BypassSetup(void)
{
#ifdef NO_PKCS11_BYPASS
- /* Guarantee binary compatibility */
- return PR_SUCCESS;
+ /* We can safely return failure as we have never supported it */
+ return PR_FALSE;
#else
return PR_CallOnce(&setupBypassOnce, &SSL_BypassRegisterShutdown);
#endif
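Review bot: the added `return PR_FALSE;` does not return failure. The function is declared `static PRStatus SSL_BypassSetup(void)`, and PR_FALSE is a PRBool with the value 0, which is the same integer as PR_SUCCESS (PRStatus is PR_FAILURE = -1, PR_SUCCESS = 0), so under NO_PKCS11_BYPASS the function still reports success to its caller, the opposite of what the comment on the line above it and the commit message intend. Use the matching enumerator: `return PR_FAILURE;`. Separately, the embedded patch opens with `diff -up ./mozilla/security/nss/lib/ssl/derive.c.nobypass ./mozilla/security/nss/lib/ssl/derive.c`, but no `---`/`+++` header or hunk for derive.c follows; patch(1) will silently ignore that dangling line, so either drop it or add the derive.c change it announces.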

@ -7,7 +7,7 @@
Summary: Network Security Services Summary: Network Security Services
Name: nss Name: nss
Version: 3.14 Version: 3.14
Release: 8%{?dist} Release: 9%{?dist}
License: MPLv2.0 License: MPLv2.0
URL: http://www.mozilla.org/projects/security/pki/nss/ URL: http://www.mozilla.org/projects/security/pki/nss/
Group: System Environment/Libraries Group: System Environment/Libraries
@ -64,6 +64,8 @@ Patch18: nss-646045.patch
Patch25: nsspem-use-system-freebl.patch Patch25: nsspem-use-system-freebl.patch
# This patch is currently meant for stable branches # This patch is currently meant for stable branches
Patch29: nss-ssl-cbc-random-iv-off-by-default.patch Patch29: nss-ssl-cbc-random-iv-off-by-default.patch
# Prevent users from trying to enable ssl pkcs11 bypass
Patch39: nss-ssl-enforce-no-pkcs11-bypass.path
# TODO: Remove this patch when the ocsp test are fixed # TODO: Remove this patch when the ocsp test are fixed
Patch40: nss-3.14.0.0-disble-ocsp-test.patch Patch40: nss-3.14.0.0-disble-ocsp-test.patch
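Review bot: the file name in `Patch39: nss-ssl-enforce-no-pkcs11-bypass.path` ends in `.path`, which reads as a typo for `.patch`; every neighbouring entry (Patch25, Patch29, Patch40) uses `.patch`, and whatever name is used here must match the patch file added in this commit byte for byte, otherwise `%patch39` fails in %prep. Rename the file and this line to `nss-ssl-enforce-no-pkcs11-bypass.patch`, or confirm that the committed file really carries the `.path` name.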
@ -150,11 +152,15 @@ low level services.
%patch25 -p0 -b .systemfreebl %patch25 -p0 -b .systemfreebl
# activate for stable and beta branches # activate for stable and beta branches
#%patch29 -p0 -b .770682 #%patch29 -p0 -b .770682
%patch39 -p1 -b .nobypass
%patch40 -p1 -b .noocsptest %patch40 -p1 -b .noocsptest
%patch41 -p0 -b .872124 %patch41 -p0 -b .872124
%build %build
NSS_NO_PKCS11_BYPASS=1
export NSS_NO_PKCS11_BYPASS
FREEBL_NO_DEPEND=1 FREEBL_NO_DEPEND=1
export FREEBL_NO_DEPEND export FREEBL_NO_DEPEND
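Review bot: `%patch39 -p1 -b .nobypass` depends on the `./mozilla/security/nss/lib/ssl/sslsock.c` paths inside the patch having exactly one leading component (`./`) stripped so they resolve under the unpacked `mozilla/` tree; that works, but it differs from the `-p0` used by %patch25 and %patch41 in the same block, so a short comment on why this patch needs `-p1` would save the next editor a guess. For the %build half, `NSS_NO_PKCS11_BYPASS=1` / `export NSS_NO_PKCS11_BYPASS` only has an effect if the NSS makefiles translate that variable into `-DNO_PKCS11_BYPASS`, which is the macro the patched `#ifdef NO_PKCS11_BYPASS` block tests; verify that mapping against the ssl library's build files rather than assuming it, and add a comment beside the export saying that it is what activates the `#ifdef` branch, so the spec change and the source change are visibly tied together.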
@ -584,6 +590,10 @@ rm -f $RPM_BUILD_ROOT/%{_includedir}/nss3/nsslowhash.h
%changelog %changelog
* Sat Nov 10 2012 Elio Maldonado <emaldona@redhat.com> - 3.14-9
- Disable bypass code at build time and return failure on attempts to enable at runtime
- Bug 806588 - Disable SSL PKCS #11 bypass at build time
* Sun Nov 04 2012 Elio Maldonado <emaldona@redhat.com> - 3.14-8 * Sun Nov 04 2012 Elio Maldonado <emaldona@redhat.com> - 3.14-8
- Fix pk11wrap locking which fixes 'fedpkg new-sources' and 'fedpkg update' hangs - Fix pk11wrap locking which fixes 'fedpkg new-sources' and 'fedpkg update' hangs
- Bug 872124 - nss-3.14 breaks fedpkg new-sources - Bug 872124 - nss-3.14 breaks fedpkg new-sources