From 270f23d1492a91d9f5e733f94ad392f3abfdc21b Mon Sep 17 00:00:00 2001 From: Elio Maldonado Date: Tue, 12 Jul 2016 20:25:49 -0700 Subject: [PATCH] Implement changes requested in upstream review and pushed upstream (#1157720) - merge the two policy related patches --- nss-check-policy-file.patch | 87 ++++++++++++++------ nss-conditionally-ignore-system-policy.patch | 63 -------------- nss.spec | 8 +- 3 files changed, 66 insertions(+), 92 deletions(-) delete mode 100644 nss-conditionally-ignore-system-policy.patch diff --git a/nss-check-policy-file.patch b/nss-check-policy-file.patch index 6b0bf58..f7e3c43 100644 --- a/nss-check-policy-file.patch +++ b/nss-check-policy-file.patch @@ -1,7 +1,6 @@ -diff --git a/lib/nss/config.mk b/lib/nss/config.mk ---- a/lib/nss/config.mk -+++ b/lib/nss/config.mk -@@ -95,8 +95,12 @@ SHARED_LIBRARY_DIRS = \ +--- ./lib/nss/config.mk.check_policy_file 2016-07-12 09:11:01.198867052 -0700 ++++ ./lib/nss/config.mk 2016-07-12 09:15:58.739946540 -0700 +@@ -99,8 +99,15 @@ ifeq (,$(filter-out WINNT WIN95,$(OS_TARGET))) ifndef NS_USE_GCC # Export 'mktemp' to be backward compatible with NSS 3.2.x and 3.3.x @@ -12,12 +11,14 @@ diff --git a/lib/nss/config.mk b/lib/nss/config.mk endif + +ifdef POLICY_FILE ++ifndef POLICY_PATH ++$(error You must define POLICY_PATH if you set POLICY_FILE) ++endif +DEFINES += -DPOLICY_FILE=\"$(POLICY_FILE)\" -DPOLICY_PATH=\"$(POLICY_PATH)\" +endif -diff --git a/lib/nss/nssinit.c b/lib/nss/nssinit.c ---- a/lib/nss/nssinit.c -+++ b/lib/nss/nssinit.c -@@ -330,47 +330,47 @@ nss_FindExternalRoot(const char *dbpath, +--- ./lib/nss/nssinit.c.check_policy_file 2016-06-20 10:11:28.000000000 -0700 ++++ ./lib/nss/nssinit.c 2016-07-12 09:18:14.821671331 -0700 +@@ -330,47 +330,47 @@ /* * see nss_Init for definitions of the various options. @@ -69,7 +70,7 @@ diff --git a/lib/nss/nssinit.c b/lib/nss/nssinit.c lconfigdir = NSSUTIL_DoubleEscape(configdir, '\'', '\"'); if (lconfigdir == NULL) { goto loser; -@@ -427,24 +427,26 @@ loser: +@@ -427,24 +427,24 @@ if (lsecmodName) PORT_Free(lsecmodName); if (lupdateDir) PORT_Free(lupdateDir); if (lupdCertPrefix) PORT_Free(lupdCertPrefix); @@ -79,15 +80,13 @@ diff --git a/lib/nss/nssinit.c b/lib/nss/nssinit.c if (moduleSpec) { - SECMODModule *module = SECMOD_LoadModule(moduleSpec,NULL,PR_TRUE); -+ module = SECMOD_LoadModule(moduleSpec,NULL,PR_TRUE); ++ module = SECMOD_LoadModule(moduleSpec, NULL, PR_TRUE); PR_smprintf_free(moduleSpec); - if (module) { +- if (module) { - if (module->loaded) rv=SECSuccess; -- SECMOD_DestroyModule(module); -+ if (!module->loaded) { -+ SECMOD_DestroyModule(module); -+ module = NULL; -+ } ++ if (module && !module->loaded) { + SECMOD_DestroyModule(module); ++ return NULL; } } - return rv; @@ -100,10 +99,23 @@ diff --git a/lib/nss/nssinit.c b/lib/nss/nssinit.c * configdir - base directory where all the cert, key, and module datbases live. * certPrefix - prefix added to the beginning of the cert database example: " * "https-server1-" -@@ -520,17 +522,17 @@ nss_Init(const char *configdir, const ch +@@ -509,41 +509,44 @@ + return PR_FAILURE; + } + return PR_SUCCESS; + } + + + static SECStatus + nss_Init(const char *configdir, const char *certPrefix, const char *keyPrefix, +- const char *secmodName, const char *updateDir, ++ const char *secmodName, const char *updateDir, + const char *updCertPrefix, const char *updKeyPrefix, + const char *updateID, const char *updateName, NSSInitContext ** initContextPtr, NSSInitParameters *initParams, - PRBool readOnly, PRBool noCertDB, +- PRBool readOnly, PRBool noCertDB, ++ PRBool readOnly, PRBool noCertDB, PRBool noModDB, PRBool forceOpen, PRBool noRootInit, PRBool optimizeSpace, PRBool noSingleThreadedModules, PRBool allowAlreadyInitializedModules, @@ -117,9 +129,26 @@ diff --git a/lib/nss/nssinit.c b/lib/nss/nssinit.c char *configStrings = NULL; char *configName = NULL; PRBool passwordRequired = PR_FALSE; ++#ifdef POLICY_FILE ++ char *ignoreVar; ++#endif /* if we are trying to init with a traditional NSS_Init call, maintain -@@ -630,23 +632,23 @@ nss_Init(const char *configdir, const ch + * the traditional idempotent behavior. */ + if (!initContextPtr && nssIsInitted) { + return SECSuccess; + } +- ++ + /* make sure our lock and condition variable are initialized one and only + * one time */ + if (PR_CallOnce(&nssInitOnce, nss_doLockInit) != PR_SUCCESS) { + return SECFailure; + } + + /* + * if we haven't done basic initialization, single thread the +@@ -630,23 +633,23 @@ configStrings = pk11_config_strings; configName = pk11_config_name; passwordRequired = pk11_password_required; @@ -129,10 +158,12 @@ diff --git a/lib/nss/nssinit.c b/lib/nss/nssinit.c * to init with noCertDB and noModDB */ if (!(isReallyInitted && noCertDB && noModDB)) { - rv = nss_InitModules(configdir, certPrefix, keyPrefix, secmodName, +- updateDir, updCertPrefix, updKeyPrefix, updateID, + parent = nss_InitModules(configdir, certPrefix, keyPrefix, secmodName, - updateDir, updCertPrefix, updKeyPrefix, updateID, ++ updateDir, updCertPrefix, updKeyPrefix, updateID, updateName, configName, configStrings, passwordRequired, - readOnly, noCertDB, noModDB, forceOpen, optimizeSpace, +- readOnly, noCertDB, noModDB, forceOpen, optimizeSpace, ++ readOnly, noCertDB, noModDB, forceOpen, optimizeSpace, (initContextPtr != NULL)); - if (rv != SECSuccess) { @@ -145,7 +176,7 @@ diff --git a/lib/nss/nssinit.c b/lib/nss/nssinit.c /* finish up initialization */ if (!isReallyInitted) { if (SECOID_Init() != SECSuccess) { -@@ -675,17 +677,34 @@ nss_Init(const char *configdir, const ch +@@ -675,17 +678,40 @@ * path. Skip it */ dbpath = NULL; } @@ -156,14 +187,19 @@ diff --git a/lib/nss/nssinit.c b/lib/nss/nssinit.c } - +#ifdef POLICY_FILE -+ if (PR_Access(POLICY_PATH "/" POLICY_FILE, PR_ACCESS_READ_OK) == PR_SUCCESS ) { ++ /* Load the system crypto policy file if it exists, ++ * unless the NSS_IGNORE_SYSTEM_POLICY environment ++ * variable has been set to 1. */ ++ ignoreVar = PR_GetEnvSecure("NSS_IGNORE_SYSTEM_POLICY"); ++ if (ignoreVar == NULL || strncmp(ignoreVar, "1", sizeof("1")) != 0) { ++ if (PR_Access(POLICY_PATH "/" POLICY_FILE, PR_ACCESS_READ_OK) == PR_SUCCESS) { + SECMODModule *module = SECMOD_LoadModule( + "name=\"Policy File\" " + "parameters=\"configdir='sql:" POLICY_PATH "' " + "secmod='" POLICY_FILE "' " + "flags=readOnly,noCertDB,forceSecmodChoice,forceOpen\" " + "NSS=\"flags=internal,moduleDB,skipFirst,moduleDBOnly,critical\"", -+ parent, PR_TRUE); ++ parent, PR_TRUE); + if (module) { + PRBool isLoaded = module->loaded; + SECMOD_DestroyModule(module); @@ -172,6 +208,7 @@ diff --git a/lib/nss/nssinit.c b/lib/nss/nssinit.c + } + } + } ++ } +#endif pk11sdr_Init(); cert_CreateSubjectKeyIDHashTable(); @@ -181,7 +218,7 @@ diff --git a/lib/nss/nssinit.c b/lib/nss/nssinit.c PKIX_MINOR_VERSION, &actualMinorVersion, &plContext); if (pkixError != NULL) { -@@ -716,32 +735,38 @@ nss_Init(const char *configdir, const ch +@@ -716,32 +742,38 @@ nssIsInInit--; /* now that we are inited, all waiters can move forward */ PZ_NotifyAllCondVar(nssInitCondition); diff --git a/nss-conditionally-ignore-system-policy.patch b/nss-conditionally-ignore-system-policy.patch deleted file mode 100644 index 69ae0df..0000000 --- a/nss-conditionally-ignore-system-policy.patch +++ /dev/null @@ -1,63 +0,0 @@ ---- ./lib/nss/nssinit.c.cond_ignore 2016-07-01 16:09:21.187499579 -0700 -+++ ./lib/nss/nssinit.c 2016-07-01 16:19:16.095862425 -0700 -@@ -529,16 +529,19 @@ - { - SECMODModule *parent = NULL; - PKIX_UInt32 actualMinorVersion = 0; - PKIX_Error *pkixError = NULL; - PRBool isReallyInitted; - char *configStrings = NULL; - char *configName = NULL; - PRBool passwordRequired = PR_FALSE; -+#ifdef POLICY_FILE -+ char *ignoreVar; -+#endif - - /* if we are trying to init with a traditional NSS_Init call, maintain - * the traditional idempotent behavior. */ - if (!initContextPtr && nssIsInitted) { - return SECSuccess; - } - - /* make sure our lock and condition variable are initialized one and only -@@ -678,32 +681,38 @@ - dbpath = NULL; - } - if (dbpath) { - nss_FindExternalRoot(dbpath, secmodName); - } - } - } - #ifdef POLICY_FILE -- if (PR_Access(POLICY_PATH "/" POLICY_FILE, PR_ACCESS_READ_OK) == PR_SUCCESS ) { -+ /* Load the system crypo policy file if it exists, -+ * unless the NSS_IGNORE_SYSTEM_POLICY environment -+ * variable has been set to 1. */ -+ ignoreVar = PR_GetEnvSecure("NSS_IGNORE_SYSTEM_POLICY"); -+ if (ignoreVar == NULL || strncmp(ignoreVar, "1", strlen("1")) != 0) { -+ if (PR_Access(POLICY_PATH "/" POLICY_FILE, PR_ACCESS_READ_OK) == PR_SUCCESS ) { - SECMODModule *module = SECMOD_LoadModule( - "name=\"Policy File\" " - "parameters=\"configdir='sql:" POLICY_PATH "' " - "secmod='" POLICY_FILE "' " - "flags=readOnly,noCertDB,forceSecmodChoice,forceOpen\" " - "NSS=\"flags=internal,moduleDB,skipFirst,moduleDBOnly,critical\"", -- parent, PR_TRUE); -+ parent, PR_TRUE); - if (module) { - PRBool isLoaded = module->loaded; - SECMOD_DestroyModule(module); - if (!isLoaded) { - goto loser; - } - } - } -+ } - #endif - pk11sdr_Init(); - cert_CreateSubjectKeyIDHashTable(); - - pkixError = PKIX_Initialize - (PKIX_FALSE, PKIX_MAJOR_VERSION, PKIX_MINOR_VERSION, - PKIX_MINOR_VERSION, &actualMinorVersion, &plContext); - diff --git a/nss.spec b/nss.spec index d203fe5..3f6b748 100644 --- a/nss.spec +++ b/nss.spec @@ -21,7 +21,7 @@ Name: nss Version: 3.25.0 # for Rawhide, please always use release >= 2 # for Fedora release branches, please use release < 2 (1.0, 1.1, ...) -Release: 5%{?dist} +Release: 6%{?dist} License: MPLv2.0 URL: http://www.mozilla.org/projects/security/pki/nss/ Group: System Environment/Libraries @@ -94,8 +94,6 @@ Patch50: iquote.patch Patch58: rhbz1185708-enable-ecc-3des-ciphers-by-default.patch # Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1279520 Patch59: nss-check-policy-file.patch -# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1279520 -Patch60: nss-conditionally-ignore-system-policy.patch # Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1280846 Patch62: nss-skip-util-gtest.patch # TODO: file a bug upstream similar to the one for rsaperf @@ -182,7 +180,6 @@ low level services. %patch58 -p0 -b .1185708_3des pushd nss %patch59 -p1 -b .check_policy_file -%patch60 -p1 -b .cond_ignore %patch62 -p0 -b .skip_util_gtest %patch70 -p1 -b .skip_ecperf popd @@ -794,6 +791,9 @@ fi %changelog +* Wed Jul 13 2016 Elio Maldonado - 3.25.0-6 +- Implement changes requested in upstream review and pushed upstream (#1157720) + * Fri Jul 01 2016 Elio Maldonado - 3.25.0-5 - Add support for conditionally ignoring the system policy (#1157720) - Remove unneeded test scripts patches in order to run more tests