Change the POLICY_PATH to "/etc/crypto-policies/back-ends"
- Regenerate the check policy patch with hg to provide more context - the nss-util portion included though not applied here but in nss-util - todo: file bug upstream once we have done some testing
This commit is contained in:
parent
b9c9bc550c
commit
21d9cd13e1
@ -1,7 +1,12 @@
|
||||
diff -up ./nss/lib/nss/config.mk.check_policy_file ./nss/lib/nss/config.mk
|
||||
--- ./nss/lib/nss/config.mk.check_policy_file 2016-03-16 14:44:30.254078910 -0700
|
||||
+++ ./nss/lib/nss/config.mk 2016-03-16 14:44:30.290079522 -0700
|
||||
@@ -104,3 +104,7 @@ DEFINES += -DWIN32_NSS3_DLL_COMPAT
|
||||
diff --git a/lib/nss/config.mk b/lib/nss/config.mk
|
||||
--- a/lib/nss/config.mk
|
||||
+++ b/lib/nss/config.mk
|
||||
@@ -95,8 +95,12 @@ SHARED_LIBRARY_DIRS = \
|
||||
ifeq (,$(filter-out WINNT WIN95,$(OS_TARGET)))
|
||||
ifndef NS_USE_GCC
|
||||
# Export 'mktemp' to be backward compatible with NSS 3.2.x and 3.3.x
|
||||
# but do not put it in the import library. See bug 142575.
|
||||
DEFINES += -DWIN32_NSS3_DLL_COMPAT
|
||||
DLLFLAGS += -EXPORT:mktemp=nss_mktemp,PRIVATE
|
||||
endif
|
||||
endif
|
||||
@ -9,10 +14,15 @@ diff -up ./nss/lib/nss/config.mk.check_policy_file ./nss/lib/nss/config.mk
|
||||
+ifdef POLICY_FILE
|
||||
+DEFINES += -DPOLICY_FILE=\"$(POLICY_FILE)\" -DPOLICY_PATH=\"$(POLICY_PATH)\"
|
||||
+endif
|
||||
diff -up ./nss/lib/nss/nssinit.c.check_policy_file ./nss/lib/nss/nssinit.c
|
||||
--- ./nss/lib/nss/nssinit.c.check_policy_file 2016-02-26 12:51:11.000000000 -0800
|
||||
+++ ./nss/lib/nss/nssinit.c 2016-03-16 15:08:54.455301088 -0700
|
||||
@@ -335,7 +335,7 @@ nss_FindExternalRoot(const char *dbpath,
|
||||
diff --git a/lib/nss/nssinit.c b/lib/nss/nssinit.c
|
||||
--- a/lib/nss/nssinit.c
|
||||
+++ b/lib/nss/nssinit.c
|
||||
@@ -330,47 +330,47 @@ nss_FindExternalRoot(const char *dbpath,
|
||||
|
||||
/*
|
||||
* see nss_Init for definitions of the various options.
|
||||
*
|
||||
* this function builds a moduleSpec string from the options and previously
|
||||
* set statics (from PKCS11_Configure, for instance), and uses it to kick off
|
||||
* the loading of the various PKCS #11 modules.
|
||||
*/
|
||||
@ -21,7 +31,9 @@ diff -up ./nss/lib/nss/nssinit.c.check_policy_file ./nss/lib/nss/nssinit.c
|
||||
nss_InitModules(const char *configdir, const char *certPrefix,
|
||||
const char *keyPrefix, const char *secmodName,
|
||||
const char *updateDir, const char *updCertPrefix,
|
||||
@@ -345,7 +345,7 @@ nss_InitModules(const char *configdir, c
|
||||
const char *updKeyPrefix, const char *updateID,
|
||||
const char *updateName, char *configName, char *configStrings,
|
||||
PRBool pwRequired, PRBool readOnly, PRBool noCertDB,
|
||||
PRBool noModDB, PRBool forceOpen, PRBool optimizeSpace,
|
||||
PRBool isContextInit)
|
||||
{
|
||||
@ -30,7 +42,14 @@ diff -up ./nss/lib/nss/nssinit.c.check_policy_file ./nss/lib/nss/nssinit.c
|
||||
char *moduleSpec = NULL;
|
||||
char *flags = NULL;
|
||||
char *lconfigdir = NULL;
|
||||
@@ -360,12 +360,12 @@ nss_InitModules(const char *configdir, c
|
||||
char *lcertPrefix = NULL;
|
||||
char *lkeyPrefix = NULL;
|
||||
char *lsecmodName = NULL;
|
||||
char *lupdateDir = NULL;
|
||||
char *lupdCertPrefix = NULL;
|
||||
char *lupdKeyPrefix = NULL;
|
||||
char *lupdateID = NULL;
|
||||
char *lupdateName = NULL;
|
||||
|
||||
if (NSS_InitializePRErrorTable() != SECSuccess) {
|
||||
PORT_SetError(SEC_ERROR_NO_MEMORY);
|
||||
@ -45,7 +64,17 @@ diff -up ./nss/lib/nss/nssinit.c.check_policy_file ./nss/lib/nss/nssinit.c
|
||||
|
||||
/*
|
||||
* configdir is double nested, and Windows uses the same character
|
||||
@@ -432,14 +432,16 @@ loser:
|
||||
* for file seps as we use for escapes! (sigh).
|
||||
*/
|
||||
lconfigdir = NSSUTIL_DoubleEscape(configdir, '\'', '\"');
|
||||
if (lconfigdir == NULL) {
|
||||
goto loser;
|
||||
@@ -427,24 +427,26 @@ loser:
|
||||
if (lsecmodName) PORT_Free(lsecmodName);
|
||||
if (lupdateDir) PORT_Free(lupdateDir);
|
||||
if (lupdCertPrefix) PORT_Free(lupdCertPrefix);
|
||||
if (lupdKeyPrefix) PORT_Free(lupdKeyPrefix);
|
||||
if (lupdateID) PORT_Free(lupdateID);
|
||||
if (lupdateName) PORT_Free(lupdateName);
|
||||
|
||||
if (moduleSpec) {
|
||||
@ -66,7 +95,17 @@ diff -up ./nss/lib/nss/nssinit.c.check_policy_file ./nss/lib/nss/nssinit.c
|
||||
}
|
||||
|
||||
/*
|
||||
@@ -525,7 +527,7 @@ nss_Init(const char *configdir, const ch
|
||||
* OK there are now lots of options here, lets go through them all:
|
||||
*
|
||||
* configdir - base directory where all the cert, key, and module datbases live.
|
||||
* certPrefix - prefix added to the beginning of the cert database example: "
|
||||
* "https-server1-"
|
||||
@@ -520,17 +522,17 @@ nss_Init(const char *configdir, const ch
|
||||
NSSInitContext ** initContextPtr,
|
||||
NSSInitParameters *initParams,
|
||||
PRBool readOnly, PRBool noCertDB,
|
||||
PRBool noModDB, PRBool forceOpen, PRBool noRootInit,
|
||||
PRBool optimizeSpace, PRBool noSingleThreadedModules,
|
||||
PRBool allowAlreadyInitializedModules,
|
||||
PRBool dontFinalizeModules)
|
||||
{
|
||||
@ -75,7 +114,17 @@ diff -up ./nss/lib/nss/nssinit.c.check_policy_file ./nss/lib/nss/nssinit.c
|
||||
PKIX_UInt32 actualMinorVersion = 0;
|
||||
PKIX_Error *pkixError = NULL;
|
||||
PRBool isReallyInitted;
|
||||
@@ -635,13 +637,13 @@ nss_Init(const char *configdir, const ch
|
||||
char *configStrings = NULL;
|
||||
char *configName = NULL;
|
||||
PRBool passwordRequired = PR_FALSE;
|
||||
|
||||
/* if we are trying to init with a traditional NSS_Init call, maintain
|
||||
@@ -630,23 +632,23 @@ nss_Init(const char *configdir, const ch
|
||||
configStrings = pk11_config_strings;
|
||||
configName = pk11_config_name;
|
||||
passwordRequired = pk11_password_required;
|
||||
}
|
||||
|
||||
/* Skip the module init if we are already initted and we are trying
|
||||
* to init with noCertDB and noModDB */
|
||||
if (!(isReallyInitted && noCertDB && noModDB)) {
|
||||
@ -91,7 +140,17 @@ diff -up ./nss/lib/nss/nssinit.c.check_policy_file ./nss/lib/nss/nssinit.c
|
||||
goto loser;
|
||||
}
|
||||
}
|
||||
@@ -680,7 +682,24 @@ nss_Init(const char *configdir, const ch
|
||||
|
||||
|
||||
/* finish up initialization */
|
||||
if (!isReallyInitted) {
|
||||
if (SECOID_Init() != SECSuccess) {
|
||||
@@ -675,17 +677,34 @@ nss_Init(const char *configdir, const ch
|
||||
* path. Skip it */
|
||||
dbpath = NULL;
|
||||
}
|
||||
if (dbpath) {
|
||||
nss_FindExternalRoot(dbpath, secmodName);
|
||||
}
|
||||
}
|
||||
}
|
||||
@ -117,7 +176,17 @@ diff -up ./nss/lib/nss/nssinit.c.check_policy_file ./nss/lib/nss/nssinit.c
|
||||
pk11sdr_Init();
|
||||
cert_CreateSubjectKeyIDHashTable();
|
||||
|
||||
@@ -721,6 +740,9 @@ nss_Init(const char *configdir, const ch
|
||||
pkixError = PKIX_Initialize
|
||||
(PKIX_FALSE, PKIX_MAJOR_VERSION, PKIX_MINOR_VERSION,
|
||||
PKIX_MINOR_VERSION, &actualMinorVersion, &plContext);
|
||||
|
||||
if (pkixError != NULL) {
|
||||
@@ -716,32 +735,38 @@ nss_Init(const char *configdir, const ch
|
||||
nssIsInInit--;
|
||||
/* now that we are inited, all waiters can move forward */
|
||||
PZ_NotifyAllCondVar(nssInitCondition);
|
||||
PZ_Unlock(nssInitLock);
|
||||
|
||||
if (initContextPtr && configStrings) {
|
||||
PR_smprintf_free(configStrings);
|
||||
}
|
||||
@ -127,7 +196,16 @@ diff -up ./nss/lib/nss/nssinit.c.check_policy_file ./nss/lib/nss/nssinit.c
|
||||
|
||||
return SECSuccess;
|
||||
|
||||
@@ -737,6 +759,9 @@ loser:
|
||||
loser:
|
||||
if (initContextPtr && *initContextPtr) {
|
||||
PORT_Free(*initContextPtr);
|
||||
*initContextPtr = NULL;
|
||||
if (configStrings) {
|
||||
PR_smprintf_free(configStrings);
|
||||
}
|
||||
}
|
||||
PZ_Lock(nssInitLock);
|
||||
nssIsInInit--;
|
||||
/* We failed to init, allow one to move forward */
|
||||
PZ_NotifyCondVar(nssInitCondition);
|
||||
PZ_Unlock(nssInitLock);
|
||||
@ -137,10 +215,20 @@ diff -up ./nss/lib/nss/nssinit.c.check_policy_file ./nss/lib/nss/nssinit.c
|
||||
return SECFailure;
|
||||
}
|
||||
|
||||
diff -up ./nss/lib/pk11wrap/pk11pars.c.check_policy_file ./nss/lib/pk11wrap/pk11pars.c
|
||||
--- ./nss/lib/pk11wrap/pk11pars.c.check_policy_file 2016-02-26 12:51:11.000000000 -0800
|
||||
+++ ./nss/lib/pk11wrap/pk11pars.c 2016-03-16 14:44:30.291079539 -0700
|
||||
@@ -110,6 +110,7 @@ secmod_NewModule(void)
|
||||
|
||||
SECStatus
|
||||
NSS_Init(const char *configdir)
|
||||
{
|
||||
return nss_Init(configdir, "", "", SECMOD_DB, "", "", "", "", "", NULL,
|
||||
diff --git a/lib/pk11wrap/pk11pars.c b/lib/pk11wrap/pk11pars.c
|
||||
--- a/lib/pk11wrap/pk11pars.c
|
||||
+++ b/lib/pk11wrap/pk11pars.c
|
||||
@@ -105,16 +105,17 @@ secmod_NewModule(void)
|
||||
* This allows system NSS to delegate those changes to the user's module DB,
|
||||
* preserving the user's ability to load new PKCS #11 modules (which only
|
||||
* affect him), from existing applications like Firefox.
|
||||
*/
|
||||
#define SECMOD_FLAG_MODULE_DB_IS_MODULE_DB 0x01 /* must be set if any of the
|
||||
*other flags are set */
|
||||
#define SECMOD_FLAG_MODULE_DB_SKIP_FIRST 0x02
|
||||
#define SECMOD_FLAG_MODULE_DB_DEFAULT_MODDB 0x04
|
||||
@ -148,7 +236,17 @@ diff -up ./nss/lib/pk11wrap/pk11pars.c.check_policy_file ./nss/lib/pk11wrap/pk11
|
||||
|
||||
|
||||
/* private flags for internal (field in SECMODModule). */
|
||||
@@ -704,6 +705,9 @@ SECMOD_CreateModuleEx(const char *librar
|
||||
/* The meaing of these flags is as follows:
|
||||
*
|
||||
* SECMOD_FLAG_INTERNAL_IS_INTERNAL - This is a marks the the module is
|
||||
* the internal module (that is, softoken). This bit is the same as the
|
||||
* already existing meaning of internal = PR_TRUE. None of the other
|
||||
@@ -699,16 +700,19 @@ SECMOD_CreateModuleEx(const char *librar
|
||||
if (mod->isModuleDB) {
|
||||
char flags = SECMOD_FLAG_MODULE_DB_IS_MODULE_DB;
|
||||
if (NSSUTIL_ArgHasFlag("flags","skipFirst",nssc)) {
|
||||
flags |= SECMOD_FLAG_MODULE_DB_SKIP_FIRST;
|
||||
}
|
||||
if (NSSUTIL_ArgHasFlag("flags","defaultModDB",nssc)) {
|
||||
flags |= SECMOD_FLAG_MODULE_DB_DEFAULT_MODDB;
|
||||
}
|
||||
@ -158,7 +256,17 @@ diff -up ./nss/lib/pk11wrap/pk11pars.c.check_policy_file ./nss/lib/pk11wrap/pk11
|
||||
/* additional moduleDB flags could be added here in the future */
|
||||
mod->isModuleDB = (PRBool) flags;
|
||||
}
|
||||
@@ -743,6 +747,14 @@ SECMOD_GetDefaultModDBFlag(SECMODModule
|
||||
|
||||
if (mod->internal) {
|
||||
char flags = SECMOD_FLAG_INTERNAL_IS_INTERNAL;
|
||||
|
||||
if (NSSUTIL_ArgHasFlag("flags", "internalKeySlot", nssc)) {
|
||||
@@ -738,16 +742,24 @@ PRBool
|
||||
SECMOD_GetDefaultModDBFlag(SECMODModule *mod)
|
||||
{
|
||||
char flags = (char) mod->isModuleDB;
|
||||
|
||||
return (flags & SECMOD_FLAG_MODULE_DB_DEFAULT_MODDB) ? PR_TRUE : PR_FALSE;
|
||||
}
|
||||
|
||||
PRBool
|
||||
@ -173,7 +281,17 @@ diff -up ./nss/lib/pk11wrap/pk11pars.c.check_policy_file ./nss/lib/pk11wrap/pk11
|
||||
secmod_IsInternalKeySlot(SECMODModule *mod)
|
||||
{
|
||||
char flags = (char) mod->internal;
|
||||
@@ -1526,6 +1538,12 @@ SECMOD_LoadModule(char *modulespec,SECMO
|
||||
|
||||
return (flags & SECMOD_FLAG_INTERNAL_KEY_SLOT) ? PR_TRUE : PR_FALSE;
|
||||
}
|
||||
|
||||
void
|
||||
@@ -1521,16 +1533,22 @@ SECMOD_LoadModule(char *modulespec,SECMO
|
||||
if (library) PORT_Free(library);
|
||||
if (moduleName) PORT_Free(moduleName);
|
||||
if (parameters) PORT_Free(parameters);
|
||||
if (nss) PORT_Free(nss);
|
||||
if (config) PORT_Free(config);
|
||||
if (!module) {
|
||||
goto loser;
|
||||
}
|
||||
@ -186,3 +304,31 @@ diff -up ./nss/lib/pk11wrap/pk11pars.c.check_policy_file ./nss/lib/pk11wrap/pk11
|
||||
if (parent) {
|
||||
module->parent = SECMOD_ReferenceModule(parent);
|
||||
if (module->internal && secmod_IsInternalKeySlot(parent)) {
|
||||
module->internal = parent->internal;
|
||||
}
|
||||
}
|
||||
|
||||
/* load it */
|
||||
diff --git a/lib/util/utilpars.c b/lib/util/utilpars.c
|
||||
--- a/lib/util/utilpars.c
|
||||
+++ b/lib/util/utilpars.c
|
||||
@@ -1139,17 +1139,18 @@ char *
|
||||
*dbType = NSS_DB_TYPE_SQL;
|
||||
PORT_Free(*filename);
|
||||
*filename = NULL;
|
||||
*rw = PR_FALSE;
|
||||
}
|
||||
|
||||
/* only use the renamed secmod for legacy databases */
|
||||
if ((*dbType != NSS_DB_TYPE_LEGACY) &&
|
||||
- (*dbType != NSS_DB_TYPE_MULTIACCESS)) {
|
||||
+ (*dbType != NSS_DB_TYPE_MULTIACCESS) &&
|
||||
+ !NSSUTIL_ArgHasFlag("flags", "forceSecmodChoice", save_params)) {
|
||||
secmodName="pkcs11.txt";
|
||||
}
|
||||
|
||||
if (noModDB) {
|
||||
value = NULL;
|
||||
} else if (lconfigdir && lconfigdir[0] != '\0') {
|
||||
value = PR_smprintf("%s" NSSUTIL_PATH_SEPARATOR "%s",
|
||||
lconfigdir,secmodName);
|
||||
|
10
nss.spec
10
nss.spec
@ -21,7 +21,7 @@ Name: nss
|
||||
Version: 3.23.0
|
||||
# for Rawhide, please always use release >= 2
|
||||
# for Fedora release branches, please use release < 2 (1.0, 1.1, ...)
|
||||
Release: 6%{?dist}
|
||||
Release: 7%{?dist}
|
||||
License: MPLv2.0
|
||||
URL: http://www.mozilla.org/projects/security/pki/nss/
|
||||
Group: System Environment/Libraries
|
||||
@ -189,7 +189,9 @@ popd
|
||||
%patch54 -p0 -b .ssl2_off
|
||||
%patch55 -p1 -b .skip_stress_tls_rc4_128_with_md5
|
||||
%patch58 -p0 -b .1185708_3des
|
||||
pushd nss
|
||||
%patch59 -p1 -b .check_policy_file
|
||||
popd
|
||||
|
||||
#########################################################
|
||||
# Higher-level libraries and test tools need access to
|
||||
@ -308,7 +310,7 @@ export NSS_BLTEST_NOT_AVAILABLE=1
|
||||
# if set NSS will always check for the policy file and load it if it exists
|
||||
export POLICY_FILE="policy.cfg"
|
||||
# location of the policy file
|
||||
export POLICY_PATH="/etc/pki/nssdb"
|
||||
export POLICY_PATH="/etc/crypto-policies/back-ends"
|
||||
|
||||
# nss/nssinit.c, ssl/sslcon.c, smime/smimeutil.c and ckfw/builtins/binst.c
|
||||
# need nss/lib/util/verref.h which is which is exported privately,
|
||||
@ -824,6 +826,10 @@ fi
|
||||
|
||||
|
||||
%changelog
|
||||
* Wed Apr 20 2016 Elio Maldonado <emaldona@redhat.com> - 3.23.0-7
|
||||
- Change the POLICY_PATH to "/etc/crypto-policies/back-ends"
|
||||
- Regenerate the check policy patch with hg to provide more context
|
||||
|
||||
* Thu Apr 14 2016 Elio Maldonado <emaldona@redhat.com> - 3.23.0-6
|
||||
- Fix typo in the last %%changelog entry
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user