From 21d9cd13e15c0db167554728c8bd9a7a39738840 Mon Sep 17 00:00:00 2001
From: Elio Maldonado
Date: Wed, 20 Apr 2016 08:49:00 -0700
Subject: [PATCH] Change the POLICY_PATH to "/etc/crypto-policies/back-ends"

- Regenerate the check policy patch with hg to provide more context
- the nss-util portion included though not applied here but in nss-util
- todo: file bug upstream once we have done some testing
---
 nss-check-policy-file.patch | 194 +++++++++++++++++++++++++++++++-----
 nss.spec | 10 +-
 2 files changed, 178 insertions(+), 26 deletions(-)

diff --git a/nss-check-policy-file.patch b/nss-check-policy-file.patch
index 51db5bf..6b0bf58 100644
--- a/nss-check-policy-file.patch
+++ b/nss-check-policy-file.patch
@@ -1,7 +1,12 @@
-diff -up ./nss/lib/nss/config.mk.check_policy_file ./nss/lib/nss/config.mk
---- ./nss/lib/nss/config.mk.check_policy_file 2016-03-16 14:44:30.254078910 -0700
-+++ ./nss/lib/nss/config.mk 2016-03-16 14:44:30.290079522 -0700
-@@ -104,3 +104,7 @@ DEFINES += -DWIN32_NSS3_DLL_COMPAT
+diff --git a/lib/nss/config.mk b/lib/nss/config.mk
+--- a/lib/nss/config.mk
++++ b/lib/nss/config.mk
+@@ -95,8 +95,12 @@ SHARED_LIBRARY_DIRS = \
+ ifeq (,$(filter-out WINNT WIN95,$(OS_TARGET)))
+ ifndef NS_USE_GCC
+ # Export 'mktemp' to be backward compatible with NSS 3.2.x and 3.3.x
+ # but do not put it in the import library. See bug 142575.
+ DEFINES += -DWIN32_NSS3_DLL_COMPAT
  DLLFLAGS += -EXPORT:mktemp=nss_mktemp,PRIVATE
  endif
  endif
@@ -9,10 +14,15 @@ diff -up ./nss/lib/nss/config.mk.check_policy_file ./nss/lib/nss/config.mk +ifdef POLICY_FILE +DEFINES += -DPOLICY_FILE=\"$(POLICY_FILE)\" -DPOLICY_PATH=\"$(POLICY_PATH)\" +endif -diff -up ./nss/lib/nss/nssinit.c.check_policy_file ./nss/lib/nss/nssinit.c ---- ./nss/lib/nss/nssinit.c.check_policy_file 2016-02-26 12:51:11.000000000 -0800 -+++ ./nss/lib/nss/nssinit.c 2016-03-16 15:08:54.455301088 -0700 -@@ -335,7 +335,7 @@ nss_FindExternalRoot(const char *dbpath, +diff --git a/lib/nss/nssinit.c b/lib/nss/nssinit.c +--- a/lib/nss/nssinit.c ++++ b/lib/nss/nssinit.c +@@ -330,47 +330,47 @@ nss_FindExternalRoot(const char *dbpath, + + /* + * see nss_Init for definitions of the various options. + * + * this function builds a moduleSpec string from the options and previously * set statics (from PKCS11_Configure, for instance), and uses it to kick off * the loading of the various PKCS #11 modules. */ @@ -21,7 +31,9 @@ diff -up ./nss/lib/nss/nssinit.c.check_policy_file ./nss/lib/nss/nssinit.c nss_InitModules(const char *configdir, const char *certPrefix, const char *keyPrefix, const char *secmodName, const char *updateDir, const char *updCertPrefix, -@@ -345,7 +345,7 @@ nss_InitModules(const char *configdir, c + const char *updKeyPrefix, const char *updateID, + const char *updateName, char *configName, char *configStrings, + PRBool pwRequired, PRBool readOnly, PRBool noCertDB, PRBool noModDB, PRBool forceOpen, PRBool optimizeSpace, PRBool isContextInit) { 
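Review bot: The `ifdef POLICY_FILE` guard in the config.mk hunk compiles in `-DPOLICY_PATH=\"$(POLICY_PATH)\"` even when POLICY_PATH is unset, so a build that exports only POLICY_FILE bakes an empty directory string into libnss and the policy file is then looked up relative to whatever the loader joins it with (the consuming code is not in this hunk, so I cannot say where that ends up). For a file that decides which algorithms are allowed, silently reading it from an unintended location, or not at all, is worse than a build failure. I would nest a hard check inside the guard: `ifndef POLICY_PATH` / `$(error POLICY_PATH must be set when POLICY_FILE is set)` / `endif`. These guard lines are context in this commit, so the fix belongs in the regenerated patch itself.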
@@ -30,7 +42,14 @@ diff -up ./nss/lib/nss/nssinit.c.check_policy_file ./nss/lib/nss/nssinit.c
  char *moduleSpec = NULL;
  char *flags = NULL;
  char *lconfigdir = NULL;
-@@ -360,12 +360,12 @@ nss_InitModules(const char *configdir, c
+ char *lcertPrefix = NULL;
+ char *lkeyPrefix = NULL;
+ char *lsecmodName = NULL;
+ char *lupdateDir = NULL;
+ char *lupdCertPrefix = NULL;
+ char *lupdKeyPrefix = NULL;
+ char *lupdateID = NULL;
+ char *lupdateName = NULL;
  if (NSS_InitializePRErrorTable() != SECSuccess) {
  PORT_SetError(SEC_ERROR_NO_MEMORY);
@@ -45,7 +64,17 @@ diff -up ./nss/lib/nss/nssinit.c.check_policy_file ./nss/lib/nss/nssinit.c
  /*
  * configdir is double nested, and Windows uses the same character
-@@ -432,14 +432,16 @@ loser:
+ * for file seps as we use for escapes! (sigh).
+ */
+ lconfigdir = NSSUTIL_DoubleEscape(configdir, '\'', '\"');
+ if (lconfigdir == NULL) {
+ goto loser;
+@@ -427,24 +427,26 @@ loser:
+ if (lsecmodName) PORT_Free(lsecmodName);
+ if (lupdateDir) PORT_Free(lupdateDir);
+ if (lupdCertPrefix) PORT_Free(lupdCertPrefix);
+ if (lupdKeyPrefix) PORT_Free(lupdKeyPrefix);
+ if (lupdateID) PORT_Free(lupdateID);
  if (lupdateName) PORT_Free(lupdateName);
  if (moduleSpec) {
@@ -66,7 +95,17 @@ diff -up ./nss/lib/nss/nssinit.c.check_policy_file ./nss/lib/nss/nssinit.c
  }
  /*
-@@ -525,7 +527,7 @@ nss_Init(const char *configdir, const ch
+ * OK there are now lots of options here, lets go through them all:
+ *
+ * configdir - base directory where all the cert, key, and module datbases live.
+ * certPrefix - prefix added to the beginning of the cert database example: "
+ * "https-server1-"
+@@ -520,17 +522,17 @@ nss_Init(const char *configdir, const ch
+ NSSInitContext ** initContextPtr,
+ NSSInitParameters *initParams,
+ PRBool readOnly, PRBool noCertDB,
+ PRBool noModDB, PRBool forceOpen, PRBool noRootInit,
+ PRBool optimizeSpace, PRBool noSingleThreadedModules,
  PRBool allowAlreadyInitializedModules, PRBool dontFinalizeModules)
  {
@@ -75,7 +114,17 @@ diff -up ./nss/lib/nss/nssinit.c.check_policy_file ./nss/lib/nss/nssinit.c
  PKIX_UInt32 actualMinorVersion = 0;
  PKIX_Error *pkixError = NULL;
  PRBool isReallyInitted;
-@@ -635,13 +637,13 @@ nss_Init(const char *configdir, const ch
+ char *configStrings = NULL;
+ char *configName = NULL;
+ PRBool passwordRequired = PR_FALSE;
+
+ /* if we are trying to init with a traditional NSS_Init call, maintain
+@@ -630,23 +632,23 @@ nss_Init(const char *configdir, const ch
+ configStrings = pk11_config_strings;
+ configName = pk11_config_name;
+ passwordRequired = pk11_password_required;
+ }
+
  /* Skip the module init if we are already initted and we are trying
  * to init with noCertDB and noModDB */
  if (!(isReallyInitted && noCertDB && noModDB)) {
@@ -91,7 +140,17 @@ diff -up ./nss/lib/nss/nssinit.c.check_policy_file ./nss/lib/nss/nssinit.c
  goto loser;
  }
  }
-@@ -680,7 +682,24 @@ nss_Init(const char *configdir, const ch
+
+
+ /* finish up initialization */
+ if (!isReallyInitted) {
+ if (SECOID_Init() != SECSuccess) {
+@@ -675,17 +677,34 @@ nss_Init(const char *configdir, const ch
+ * path. Skip it */
+ dbpath = NULL;
+ }
+ if (dbpath) {
+ nss_FindExternalRoot(dbpath, secmodName);
  }
  }
  }
@@ -117,7 +176,17 @@ diff -up ./nss/lib/nss/nssinit.c.check_policy_file ./nss/lib/nss/nssinit.c
  pk11sdr_Init();
  cert_CreateSubjectKeyIDHashTable();
-@@ -721,6 +740,9 @@ nss_Init(const char *configdir, const ch
+ pkixError = PKIX_Initialize
+ (PKIX_FALSE, PKIX_MAJOR_VERSION, PKIX_MINOR_VERSION,
+ PKIX_MINOR_VERSION, &actualMinorVersion, &plContext);
+
+ if (pkixError != NULL) {
+@@ -716,32 +735,38 @@ nss_Init(const char *configdir, const ch
+ nssIsInInit--;
+ /* now that we are inited, all waiters can move forward */
+ PZ_NotifyAllCondVar(nssInitCondition);
+ PZ_Unlock(nssInitLock);
+
  if (initContextPtr && configStrings) {
  PR_smprintf_free(configStrings);
  }
@@ -127,7 +196,16 @@ diff -up ./nss/lib/nss/nssinit.c.check_policy_file ./nss/lib/nss/nssinit.c
  return SECSuccess;
-@@ -737,6 +759,9 @@ loser:
+ loser:
+ if (initContextPtr && *initContextPtr) {
+ PORT_Free(*initContextPtr);
+ *initContextPtr = NULL;
+ if (configStrings) {
+ PR_smprintf_free(configStrings);
+ }
+ }
+ PZ_Lock(nssInitLock);
+ nssIsInInit--; /* We failed to init, allow one to move forward */
  PZ_NotifyCondVar(nssInitCondition);
  PZ_Unlock(nssInitLock);
@@ -137,10 +215,20 @@ diff -up ./nss/lib/nss/nssinit.c.check_policy_file ./nss/lib/nss/nssinit.c
  return SECFailure;
  }
-diff -up ./nss/lib/pk11wrap/pk11pars.c.check_policy_file ./nss/lib/pk11wrap/pk11pars.c
---- ./nss/lib/pk11wrap/pk11pars.c.check_policy_file 2016-02-26 12:51:11.000000000 -0800
-+++ ./nss/lib/pk11wrap/pk11pars.c 2016-03-16 14:44:30.291079539 -0700
-@@ -110,6 +110,7 @@ secmod_NewModule(void)
+
+ SECStatus
+ NSS_Init(const char *configdir)
+ {
+ return nss_Init(configdir, "", "", SECMOD_DB, "", "", "", "", "", NULL,
+diff --git a/lib/pk11wrap/pk11pars.c b/lib/pk11wrap/pk11pars.c
+--- a/lib/pk11wrap/pk11pars.c
++++ b/lib/pk11wrap/pk11pars.c
+@@ -105,16 +105,17 @@ secmod_NewModule(void)
+ * This allows system NSS to delegate those changes to the user's module DB,
+ * preserving the user's ability to load new PKCS #11 modules (which only
+ * affect him), from existing applications like Firefox.
+ */
+ #define SECMOD_FLAG_MODULE_DB_IS_MODULE_DB 0x01 /* must be set if any of the
  *other flags are set */
  #define SECMOD_FLAG_MODULE_DB_SKIP_FIRST 0x02
  #define SECMOD_FLAG_MODULE_DB_DEFAULT_MODDB 0x04
@@ -148,17 +236,37 @@ diff -up ./nss/lib/pk11wrap/pk11pars.c.check_policy_file ./nss/lib/pk11wrap/pk11
  /* private flags for internal (field in SECMODModule). */
-@@ -704,6 +705,9 @@ SECMOD_CreateModuleEx(const char *librar
+ /* The meaing of these flags is as follows:
+ *
+ * SECMOD_FLAG_INTERNAL_IS_INTERNAL - This is a marks the the module is
+ * the internal module (that is, softoken). This bit is the same as the
+ * already existing meaning of internal = PR_TRUE. None of the other
+@@ -699,16 +700,19 @@ SECMOD_CreateModuleEx(const char *librar
+ if (mod->isModuleDB) {
+ char flags = SECMOD_FLAG_MODULE_DB_IS_MODULE_DB;
+ if (NSSUTIL_ArgHasFlag("flags","skipFirst",nssc)) {
+ flags |= SECMOD_FLAG_MODULE_DB_SKIP_FIRST;
+ }
  if (NSSUTIL_ArgHasFlag("flags","defaultModDB",nssc)) {
  flags |= SECMOD_FLAG_MODULE_DB_DEFAULT_MODDB;
  }
-+ if (NSSUTIL_ArgHasFlag("flags","policyOnly",nssc)) {
++ if (NSSUTIL_ArgHasFlag("flags", "policyOnly", nssc)) {
 + flags |= SECMOD_FLAG_MODULE_DB_POLICY_ONLY;
 + }
  /* additional moduleDB flags could be added here in the future */
  mod->isModuleDB = (PRBool) flags;
  }
-@@ -743,6 +747,14 @@ SECMOD_GetDefaultModDBFlag(SECMODModule
+
+ if (mod->internal) {
+ char flags = SECMOD_FLAG_INTERNAL_IS_INTERNAL;
+
+ if (NSSUTIL_ArgHasFlag("flags", "internalKeySlot", nssc)) {
+@@ -738,16 +742,24 @@ PRBool
+ SECMOD_GetDefaultModDBFlag(SECMODModule *mod)
+ {
+ char flags = (char) mod->isModuleDB;
+
+ return (flags & SECMOD_FLAG_MODULE_DB_DEFAULT_MODDB) ? PR_TRUE : PR_FALSE;
  }
  PRBool
@@ -173,7 +281,17 @@ diff -up ./nss/lib/pk11wrap/pk11pars.c.check_policy_file ./nss/lib/pk11wrap/pk11
  secmod_IsInternalKeySlot(SECMODModule *mod)
  {
  char flags = (char) mod->internal;
-@@ -1526,6 +1538,12 @@ SECMOD_LoadModule(char *modulespec,SECMO
+
+ return (flags & SECMOD_FLAG_INTERNAL_KEY_SLOT) ? PR_TRUE : PR_FALSE;
+ }
+
+ void
+@@ -1521,16 +1533,22 @@ SECMOD_LoadModule(char *modulespec,SECMO
+ if (library) PORT_Free(library);
+ if (moduleName) PORT_Free(moduleName);
+ if (parameters) PORT_Free(parameters);
+ if (nss) PORT_Free(nss);
+ if (config) PORT_Free(config);
  if (!module) {
  goto loser;
  }
@@ -186,3 +304,31 @@ diff -up ./nss/lib/pk11wrap/pk11pars.c.check_policy_file ./nss/lib/pk11wrap/pk11
  if (parent) {
  module->parent = SECMOD_ReferenceModule(parent);
  if (module->internal && secmod_IsInternalKeySlot(parent)) {
+ module->internal = parent->internal;
+ }
+ }
+
+ /* load it */
+diff --git a/lib/util/utilpars.c b/lib/util/utilpars.c
+--- a/lib/util/utilpars.c
++++ b/lib/util/utilpars.c
+@@ -1139,17 +1139,18 @@ char *
+ *dbType = NSS_DB_TYPE_SQL;
+ PORT_Free(*filename);
+ *filename = NULL;
+ *rw = PR_FALSE;
+ }
+
+ /* only use the renamed secmod for legacy databases */
+ if ((*dbType != NSS_DB_TYPE_LEGACY) &&
+- (*dbType != NSS_DB_TYPE_MULTIACCESS)) {
++ (*dbType != NSS_DB_TYPE_MULTIACCESS) &&
++ !NSSUTIL_ArgHasFlag("flags", "forceSecmodChoice", save_params)) {
+ secmodName="pkcs11.txt";
+ }
+
+ if (noModDB) {
+ value = NULL;
+ } else if (lconfigdir && lconfigdir[0] != '\0') {
+ value = PR_smprintf("%s" NSSUTIL_PATH_SEPARATOR "%s",
+ lconfigdir,secmodName);
diff --git a/nss.spec b/nss.spec
index 6f6650b..56b24d3 100644
--- a/nss.spec
+++ b/nss.spec
@@ -21,7 +21,7 @@ Name: nss
 Version: 3.23.0
 # for Rawhide, please always use release >= 2
 # for Fedora release branches, please use release < 2 (1.0, 1.1, ...)
-Release: 6%{?dist}
+Release: 7%{?dist}
 License: MPLv2.0
 URL: http://www.mozilla.org/projects/security/pki/nss/
 Group: System Environment/Libraries
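Review bot: The `lib/util/utilpars.c` hunk appended at the end of the patch is still applied by `%patch59 -p1` under `pushd nss` together with everything else, even though the description says the nss-util portion is applied in nss-util rather than here; nothing in the patch or in the visible spec lines excludes it. If the tree this spec patches still contains lib/util, the change lands in code that, as far as I can infer, this package does not build against (it links to the separately packaged nss-util), and if lib/util has been stripped from the tree, `%patch` aborts the build. I would carry the utilpars.c hunk in a separate patch file applied only by the nss-util package and keep nss-check-policy-file.patch to lib/nss and lib/pk11wrap. Inside the hunk, `save_params` passed to `NSSUTIL_ArgHasFlag` is not declared in the visible lines and the enclosing function starts outside the hunk, so its scope and lifetime at that point should be confirmed in the nss-util review.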
@@ -189,7 +189,9 @@ popd
 %patch54 -p0 -b .ssl2_off
 %patch55 -p1 -b .skip_stress_tls_rc4_128_with_md5
 %patch58 -p0 -b .1185708_3des
+pushd nss
 %patch59 -p1 -b .check_policy_file
+popd
 #########################################################
 # Higher-level libraries and test tools need access to
@@ -308,7 +310,7 @@ export NSS_BLTEST_NOT_AVAILABLE=1
 # if set NSS will always check for the policy file and load it if it exists
 export POLICY_FILE="policy.cfg"
 # location of the policy file
-export POLICY_PATH="/etc/pki/nssdb"
+export POLICY_PATH="/etc/crypto-policies/back-ends"
 # nss/nssinit.c, ssl/sslcon.c, smime/smimeutil.c and ckfw/builtins/binst.c
 # need nss/lib/util/verref.h which is which is exported privately,
@@ -824,6 +826,10 @@ fi
 %changelog
+* Wed Apr 20 2016 Elio Maldonado - 3.23.0-7
+- Change the POLICY_PATH to "/etc/crypto-policies/back-ends"
+- Regenerate the check policy patch with hg to provide more context
+
 * Thu Apr 14 2016 Elio Maldonado - 3.23.0-6
 - Fix typo in the last %%changelog entry
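Review bot: Nothing in the POLICY_PATH hunk or the visible spec shows that anything writes a `policy.cfg` into `/etc/crypto-policies/back-ends`, the directory the define now points at, and the comment two lines above says the library only loads the policy file if it exists, so a name or path mismatch fails silently and the system-wide crypto policy is simply never enforced. Because the directory is now owned by another package, I would add `Requires: crypto-policies` if the spec does not already carry it, and add a `%check` step that exports the same POLICY_FILE/POLICY_PATH and asserts the policy is actually picked up rather than relying on "load it if it exists". The `pushd nss`/`popd` around `%patch59 -p1` is the right adjustment for the regenerated `a/lib/...` paths, but note it also applies the patch's new lib/util hunk in this tree, which the commit message says is meant for nss-util.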