rpms/nss
7
0
Fork 0
Code Issues Pull Requests Releases Activity

Implement changes requested in upstream review and pushed upstream (#1157720)

Browse Source 
- merge the two policy related patches
This commit is contained in:
Elio Maldonado 2016-07-12 20:25:49 -07:00
parent e666a29edf
commit 270f23d149
3 changed files with 66 additions and 92 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

87
nss-check-policy-file.patch
View File

@ -1,7 +1,6 @@
diff --git a/lib/nss/config.mk b/lib/nss/config.mk --- ./lib/nss/config.mk.check_policy_file 2016-07-12 09:11:01.198867052 -0700
--- a/lib/nss/config.mk +++ ./lib/nss/config.mk 2016-07-12 09:15:58.739946540 -0700
+++ b/lib/nss/config.mk @@ -99,8 +99,15 @@
@@ -95,8 +95,12 @@ SHARED_LIBRARY_DIRS = \
ifeq (,$(filter-out WINNT WIN95,$(OS_TARGET))) ifeq (,$(filter-out WINNT WIN95,$(OS_TARGET)))
ifndef NS_USE_GCC ifndef NS_USE_GCC
# Export 'mktemp' to be backward compatible with NSS 3.2.x and 3.3.x # Export 'mktemp' to be backward compatible with NSS 3.2.x and 3.3.x
@ -12,12 +11,14 @@ diff --git a/lib/nss/config.mk b/lib/nss/config.mk
endif endif
+ +
+ifdef POLICY_FILE +ifdef POLICY_FILE
+ifndef POLICY_PATH
+$(error You must define POLICY_PATH if you set POLICY_FILE)
+endif
+DEFINES += -DPOLICY_FILE=\"$(POLICY_FILE)\" -DPOLICY_PATH=\"$(POLICY_PATH)\" +DEFINES += -DPOLICY_FILE=\"$(POLICY_FILE)\" -DPOLICY_PATH=\"$(POLICY_PATH)\"
+endif +endif
diff --git a/lib/nss/nssinit.c b/lib/nss/nssinit.c --- ./lib/nss/nssinit.c.check_policy_file 2016-06-20 10:11:28.000000000 -0700
--- a/lib/nss/nssinit.c +++ ./lib/nss/nssinit.c 2016-07-12 09:18:14.821671331 -0700
+++ b/lib/nss/nssinit.c @@ -330,47 +330,47 @@
@@ -330,47 +330,47 @@ nss_FindExternalRoot(const char *dbpath,
/* /*
* see nss_Init for definitions of the various options. * see nss_Init for definitions of the various options.
@ -69,7 +70,7 @@ diff --git a/lib/nss/nssinit.c b/lib/nss/nssinit.c
lconfigdir = NSSUTIL_DoubleEscape(configdir, '\'', '\"'); lconfigdir = NSSUTIL_DoubleEscape(configdir, '\'', '\"');
if (lconfigdir == NULL) { if (lconfigdir == NULL) {
goto loser; goto loser;
@@ -427,24 +427,26 @@ loser: @@ -427,24 +427,24 @@
if (lsecmodName) PORT_Free(lsecmodName); if (lsecmodName) PORT_Free(lsecmodName);
if (lupdateDir) PORT_Free(lupdateDir); if (lupdateDir) PORT_Free(lupdateDir);
if (lupdCertPrefix) PORT_Free(lupdCertPrefix); if (lupdCertPrefix) PORT_Free(lupdCertPrefix);
@ -79,15 +80,13 @@ diff --git a/lib/nss/nssinit.c b/lib/nss/nssinit.c
if (moduleSpec) { if (moduleSpec) {
- SECMODModule *module = SECMOD_LoadModule(moduleSpec,NULL,PR_TRUE); - SECMODModule *module = SECMOD_LoadModule(moduleSpec,NULL,PR_TRUE);
+ module = SECMOD_LoadModule(moduleSpec,NULL,PR_TRUE); + module = SECMOD_LoadModule(moduleSpec, NULL, PR_TRUE);
PR_smprintf_free(moduleSpec); PR_smprintf_free(moduleSpec);
if (module) { - if (module) {
- if (module->loaded) rv=SECSuccess; - if (module->loaded) rv=SECSuccess;
- SECMOD_DestroyModule(module); + if (module && !module->loaded) {
+ if (!module->loaded) { SECMOD_DestroyModule(module);
+ SECMOD_DestroyModule(module); + return NULL;
+ module = NULL;
+ }
} }
} }
- return rv; - return rv;
@ -100,10 +99,23 @@ diff --git a/lib/nss/nssinit.c b/lib/nss/nssinit.c
* configdir - base directory where all the cert, key, and module datbases live. * configdir - base directory where all the cert, key, and module datbases live.
* certPrefix - prefix added to the beginning of the cert database example: " * certPrefix - prefix added to the beginning of the cert database example: "
* "https-server1-" * "https-server1-"
@@ -520,17 +522,17 @@ nss_Init(const char *configdir, const ch @@ -509,41 +509,44 @@
return PR_FAILURE;
}
return PR_SUCCESS;
}
static SECStatus
nss_Init(const char *configdir, const char *certPrefix, const char *keyPrefix,
- const char *secmodName, const char *updateDir,
+ const char *secmodName, const char *updateDir,
const char *updCertPrefix, const char *updKeyPrefix,
const char *updateID, const char *updateName,
NSSInitContext ** initContextPtr, NSSInitContext ** initContextPtr,
NSSInitParameters *initParams, NSSInitParameters *initParams,
PRBool readOnly, PRBool noCertDB, - PRBool readOnly, PRBool noCertDB,
+ PRBool readOnly, PRBool noCertDB,
PRBool noModDB, PRBool forceOpen, PRBool noRootInit, PRBool noModDB, PRBool forceOpen, PRBool noRootInit,
PRBool optimizeSpace, PRBool noSingleThreadedModules, PRBool optimizeSpace, PRBool noSingleThreadedModules,
PRBool allowAlreadyInitializedModules, PRBool allowAlreadyInitializedModules,
@ -117,9 +129,26 @@ diff --git a/lib/nss/nssinit.c b/lib/nss/nssinit.c
char *configStrings = NULL; char *configStrings = NULL;
char *configName = NULL; char *configName = NULL;
PRBool passwordRequired = PR_FALSE; PRBool passwordRequired = PR_FALSE;
+#ifdef POLICY_FILE
+ char *ignoreVar;
+#endif
/* if we are trying to init with a traditional NSS_Init call, maintain /* if we are trying to init with a traditional NSS_Init call, maintain
@@ -630,23 +632,23 @@ nss_Init(const char *configdir, const ch * the traditional idempotent behavior. */
if (!initContextPtr && nssIsInitted) {
return SECSuccess;
}
-
+
/* make sure our lock and condition variable are initialized one and only
* one time */
if (PR_CallOnce(&nssInitOnce, nss_doLockInit) != PR_SUCCESS) {
return SECFailure;
}
/*
* if we haven't done basic initialization, single thread the
@@ -630,23 +633,23 @@
configStrings = pk11_config_strings; configStrings = pk11_config_strings;
configName = pk11_config_name; configName = pk11_config_name;
passwordRequired = pk11_password_required; passwordRequired = pk11_password_required;
@ -129,10 +158,12 @@ diff --git a/lib/nss/nssinit.c b/lib/nss/nssinit.c
* to init with noCertDB and noModDB */ * to init with noCertDB and noModDB */
if (!(isReallyInitted && noCertDB && noModDB)) { if (!(isReallyInitted && noCertDB && noModDB)) {
- rv = nss_InitModules(configdir, certPrefix, keyPrefix, secmodName, - rv = nss_InitModules(configdir, certPrefix, keyPrefix, secmodName,
- updateDir, updCertPrefix, updKeyPrefix, updateID,
+ parent = nss_InitModules(configdir, certPrefix, keyPrefix, secmodName, + parent = nss_InitModules(configdir, certPrefix, keyPrefix, secmodName,
updateDir, updCertPrefix, updKeyPrefix, updateID, + updateDir, updCertPrefix, updKeyPrefix, updateID,
updateName, configName, configStrings, passwordRequired, updateName, configName, configStrings, passwordRequired,
readOnly, noCertDB, noModDB, forceOpen, optimizeSpace, - readOnly, noCertDB, noModDB, forceOpen, optimizeSpace,
+ readOnly, noCertDB, noModDB, forceOpen, optimizeSpace,
(initContextPtr != NULL)); (initContextPtr != NULL));
- if (rv != SECSuccess) { - if (rv != SECSuccess) {
@ -145,7 +176,7 @@ diff --git a/lib/nss/nssinit.c b/lib/nss/nssinit.c
/* finish up initialization */ /* finish up initialization */
if (!isReallyInitted) { if (!isReallyInitted) {
if (SECOID_Init() != SECSuccess) { if (SECOID_Init() != SECSuccess) {
@@ -675,17 +677,34 @@ nss_Init(const char *configdir, const ch @@ -675,17 +678,40 @@
* path. Skip it */ * path. Skip it */
dbpath = NULL; dbpath = NULL;
} }
@ -156,14 +187,19 @@ diff --git a/lib/nss/nssinit.c b/lib/nss/nssinit.c
} }
- -
+#ifdef POLICY_FILE +#ifdef POLICY_FILE
+ if (PR_Access(POLICY_PATH "/" POLICY_FILE, PR_ACCESS_READ_OK) == PR_SUCCESS ) { + /* Load the system crypto policy file if it exists,
+ * unless the NSS_IGNORE_SYSTEM_POLICY environment
+ * variable has been set to 1. */
+ ignoreVar = PR_GetEnvSecure("NSS_IGNORE_SYSTEM_POLICY");
+ if (ignoreVar == NULL || strncmp(ignoreVar, "1", sizeof("1")) != 0) {
+ if (PR_Access(POLICY_PATH "/" POLICY_FILE, PR_ACCESS_READ_OK) == PR_SUCCESS) {
+ SECMODModule *module = SECMOD_LoadModule( + SECMODModule *module = SECMOD_LoadModule(
+ "name=\"Policy File\" " + "name=\"Policy File\" "
+ "parameters=\"configdir='sql:" POLICY_PATH "' " + "parameters=\"configdir='sql:" POLICY_PATH "' "
+ "secmod='" POLICY_FILE "' " + "secmod='" POLICY_FILE "' "
+ "flags=readOnly,noCertDB,forceSecmodChoice,forceOpen\" " + "flags=readOnly,noCertDB,forceSecmodChoice,forceOpen\" "
+ "NSS=\"flags=internal,moduleDB,skipFirst,moduleDBOnly,critical\"", + "NSS=\"flags=internal,moduleDB,skipFirst,moduleDBOnly,critical\"",
+ parent, PR_TRUE); + parent, PR_TRUE);
+ if (module) { + if (module) {
+ PRBool isLoaded = module->loaded; + PRBool isLoaded = module->loaded;
+ SECMOD_DestroyModule(module); + SECMOD_DestroyModule(module);
@ -172,6 +208,7 @@ diff --git a/lib/nss/nssinit.c b/lib/nss/nssinit.c
+ } + }
+ } + }
+ } + }
+ }
+#endif +#endif
pk11sdr_Init(); pk11sdr_Init();
cert_CreateSubjectKeyIDHashTable(); cert_CreateSubjectKeyIDHashTable();
@ -181,7 +218,7 @@ diff --git a/lib/nss/nssinit.c b/lib/nss/nssinit.c
PKIX_MINOR_VERSION, &actualMinorVersion, &plContext); PKIX_MINOR_VERSION, &actualMinorVersion, &plContext);
if (pkixError != NULL) { if (pkixError != NULL) {
@@ -716,32 +735,38 @@ nss_Init(const char *configdir, const ch @@ -716,32 +742,38 @@
nssIsInInit--; nssIsInInit--;
/* now that we are inited, all waiters can move forward */ /* now that we are inited, all waiters can move forward */
PZ_NotifyAllCondVar(nssInitCondition); PZ_NotifyAllCondVar(nssInitCondition);

63
nss-conditionally-ignore-system-policy.patch
View File

@ -1,63 +0,0 @@
--- ./lib/nss/nssinit.c.cond_ignore 2016-07-01 16:09:21.187499579 -0700
+++ ./lib/nss/nssinit.c 2016-07-01 16:19:16.095862425 -0700
@@ -529,16 +529,19 @@
{
SECMODModule *parent = NULL;
PKIX_UInt32 actualMinorVersion = 0;
PKIX_Error *pkixError = NULL;
PRBool isReallyInitted;
char *configStrings = NULL;
char *configName = NULL;
PRBool passwordRequired = PR_FALSE;
+#ifdef POLICY_FILE
+ char *ignoreVar;
+#endif
/* if we are trying to init with a traditional NSS_Init call, maintain
* the traditional idempotent behavior. */
if (!initContextPtr && nssIsInitted) {
return SECSuccess;
}
/* make sure our lock and condition variable are initialized one and only
@@ -678,32 +681,38 @@
dbpath = NULL;
}
if (dbpath) {
nss_FindExternalRoot(dbpath, secmodName);
}
}
}
#ifdef POLICY_FILE
- if (PR_Access(POLICY_PATH "/" POLICY_FILE, PR_ACCESS_READ_OK) == PR_SUCCESS ) {
+ /* Load the system crypo policy file if it exists,
+ * unless the NSS_IGNORE_SYSTEM_POLICY environment
+ * variable has been set to 1. */
+ ignoreVar = PR_GetEnvSecure("NSS_IGNORE_SYSTEM_POLICY");
+ if (ignoreVar == NULL || strncmp(ignoreVar, "1", strlen("1")) != 0) {
+ if (PR_Access(POLICY_PATH "/" POLICY_FILE, PR_ACCESS_READ_OK) == PR_SUCCESS ) {
SECMODModule *module = SECMOD_LoadModule(
"name=\"Policy File\" "
"parameters=\"configdir='sql:" POLICY_PATH "' "
"secmod='" POLICY_FILE "' "
"flags=readOnly,noCertDB,forceSecmodChoice,forceOpen\" "
"NSS=\"flags=internal,moduleDB,skipFirst,moduleDBOnly,critical\"",
- parent, PR_TRUE);
+ parent, PR_TRUE);
if (module) {
PRBool isLoaded = module->loaded;
SECMOD_DestroyModule(module);
if (!isLoaded) {
goto loser;
}
}
}
+ }
#endif
pk11sdr_Init();
cert_CreateSubjectKeyIDHashTable();
pkixError = PKIX_Initialize
(PKIX_FALSE, PKIX_MAJOR_VERSION, PKIX_MINOR_VERSION,
PKIX_MINOR_VERSION, &actualMinorVersion, &plContext);

8
nss.spec
View File

@ -21,7 +21,7 @@ Name: nss
Version: 3.25.0 Version: 3.25.0
# for Rawhide, please always use release >= 2 # for Rawhide, please always use release >= 2
# for Fedora release branches, please use release < 2 (1.0, 1.1, ...) # for Fedora release branches, please use release < 2 (1.0, 1.1, ...)
Release: 5%{?dist} Release: 6%{?dist}
License: MPLv2.0 License: MPLv2.0
URL: http://www.mozilla.org/projects/security/pki/nss/ URL: http://www.mozilla.org/projects/security/pki/nss/
Group: System Environment/Libraries Group: System Environment/Libraries
@ -94,8 +94,6 @@ Patch50: iquote.patch
Patch58: rhbz1185708-enable-ecc-3des-ciphers-by-default.patch Patch58: rhbz1185708-enable-ecc-3des-ciphers-by-default.patch
# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1279520 # Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1279520
Patch59: nss-check-policy-file.patch Patch59: nss-check-policy-file.patch
# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1279520
Patch60: nss-conditionally-ignore-system-policy.patch
# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1280846 # Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1280846
Patch62: nss-skip-util-gtest.patch Patch62: nss-skip-util-gtest.patch
# TODO: file a bug upstream similar to the one for rsaperf # TODO: file a bug upstream similar to the one for rsaperf
@ -182,7 +180,6 @@ low level services.
%patch58 -p0 -b .1185708_3des %patch58 -p0 -b .1185708_3des
pushd nss pushd nss
%patch59 -p1 -b .check_policy_file %patch59 -p1 -b .check_policy_file
%patch60 -p1 -b .cond_ignore
%patch62 -p0 -b .skip_util_gtest %patch62 -p0 -b .skip_util_gtest
%patch70 -p1 -b .skip_ecperf %patch70 -p1 -b .skip_ecperf
popd popd
@ -794,6 +791,9 @@ fi
%changelog %changelog
* Wed Jul 13 2016 Elio Maldonado <emaldona@redhat.com> - 3.25.0-6
- Implement changes requested in upstream review and pushed upstream (#1157720)
* Fri Jul 01 2016 Elio Maldonado <emaldona@redhat.com> - 3.25.0-5 * Fri Jul 01 2016 Elio Maldonado <emaldona@redhat.com> - 3.25.0-5
- Add support for conditionally ignoring the system policy (#1157720) - Add support for conditionally ignoring the system policy (#1157720)
- Remove unneeded test scripts patches in order to run more tests - Remove unneeded test scripts patches in order to run more tests