Fix fips mode switch handling bug detected while running JSS tests

Fix NSS to swap the internal key slot on fips mode switches
Fix white space usage in cpp reserved words patch per reviewer request
Elio Maldonado 2011-02-11 07:56:25 -08:00
parent 4c53349943
commit 882fcb9fcf
3 changed files with 101 additions and 1 deletions


@ -12,7 +12,7 @@ diff -up ./mozilla/security/nss/lib/smime/cmscinfo.c.676036 ./mozilla/security/n
- cinfo->private = PORT_ZNew(NSSCMSContentInfoPrivate);
- return (cinfo->private) ? SECSuccess: SECFailure;
+ cinfo->privateInfo = PORT_ZNew(NSSCMSContentInfoPrivate);
+ return (cinfo->privateInfo) ? SECSuccess: SECFailure;
+ return (cinfo->privateInfo) ? SECSuccess : SECFailure;
}


@ -46,6 +46,7 @@ Patch11: honor-user-trust-preferences.patch
Patch12: allow-content-types-beyond-smime.patch
Patch13: nss-recurse.patch
Patch14: dont-use-cpp-reserved-words.patch
Patch15: swap-internal-key-slot.patch
%description
Network Security Services (NSS) is a set of libraries designed to
@ -121,6 +122,7 @@ low level services.
%patch12 -p1 -b .contenttypes
%patch13 -p1 -b .recurse
%patch14 -p1 -b .676036
%patch15 -p1 -b .jss
%build
@ -500,6 +502,7 @@ rm -rf $RPM_BUILD_ROOT/%{_includedir}/nss3/nsslowhash.h
* Thu Feb 10 2011 Elio Maldonado <emaldona@redhat.com> - 3.12.9-10
- Fix cms headers to not use c++ reserved words (#676036)
- Reenabling Bug 499444 patches
- Fix to swap internal key slot on fips mode switches
* Tue Feb 08 2011 Elio Maldonado <emaldona@redhat.com> - 3.12.9-9
- Revert patches for 499444 until all c++ reserved words are found and extirpated


@ -0,0 +1,97 @@
diff -up ./mozilla/security/nss/lib/pk11wrap/pk11pars.c.jss ./mozilla/security/nss/lib/pk11wrap/pk11pars.c
--- ./mozilla/security/nss/lib/pk11wrap/pk11pars.c.jss 2011-02-11 07:45:38.324083242 -0800
+++ ./mozilla/security/nss/lib/pk11wrap/pk11pars.c 2011-02-11 07:48:14.514166538 -0800
@@ -258,6 +258,19 @@ secmod_IsInternalKeySlot(SECMODModule *m
return (flags & SECMOD_FLAG_INTERNAL_KEY_SLOT) ? PR_TRUE : PR_FALSE;
}
+void
+secmod_SetInternalKeySlotFlag(SECMODModule *mod, PRBool val)
+{
+ char flags = (char) mod->internal;
+
+ if (val) {
+ flags |= SECMOD_FLAG_INTERNAL_KEY_SLOT;
+ } else {
+ flags &= ~SECMOD_FLAG_INTERNAL_KEY_SLOT;
+ }
+ mod->internal = flags;
+}
+
/* forward declarations */
static int secmod_escapeSize(const char *string, char quote);
static char *secmod_addEscape(const char *string, char quote);
diff -up ./mozilla/security/nss/lib/pk11wrap/pk11priv.h.jss ./mozilla/security/nss/lib/pk11wrap/pk11priv.h
--- ./mozilla/security/nss/lib/pk11wrap/pk11priv.h.jss 2011-02-11 07:47:45.037226877 -0800
+++ ./mozilla/security/nss/lib/pk11wrap/pk11priv.h 2011-02-11 07:48:28.854164207 -0800
@@ -115,6 +115,7 @@ void PK11_InitSlot(SECMODModule *mod,CK_
PRBool PK11_NeedPWInitForSlot(PK11SlotInfo *slot);
SECStatus PK11_ReadSlotCerts(PK11SlotInfo *slot);
void pk11_SetInternalKeySlot(PK11SlotInfo *slot);
+PK11SlotInfo *pk11_SwapInternalKeySlot(PK11SlotInfo *slot);
void pk11_SetInternalKeySlotIfFirst(PK11SlotInfo *slot);
/*********************************************************************
diff -up ./mozilla/security/nss/lib/pk11wrap/pk11slot.c.jss ./mozilla/security/nss/lib/pk11wrap/pk11slot.c
--- ./mozilla/security/nss/lib/pk11wrap/pk11slot.c.jss 2011-02-11 07:41:11.258746774 -0800
+++ ./mozilla/security/nss/lib/pk11wrap/pk11slot.c 2011-02-11 07:48:51.291595867 -0800
@@ -1755,6 +1755,18 @@ pk11_SetInternalKeySlotIfFirst(PK11SlotI
pk11InternalKeySlot = slot ? PK11_ReferenceSlot(slot) : NULL;
}
+/*
+ * Swap out a default internal keyslot. Caller owns the Slot Reference
+ */
+PK11SlotInfo *
+pk11_SwapInternalKeySlot(PK11SlotInfo *slot)
+{
+ PK11SlotInfo *swap = pk11InternalKeySlot;
+
+ pk11InternalKeySlot = slot ? PK11_ReferenceSlot(slot) : NULL;
+ return swap;
+}
+
/* get the internal key slot. FIPS has only one slot for both key slots and
* default slots */
diff -up ./mozilla/security/nss/lib/pk11wrap/pk11util.c.jss ./mozilla/security/nss/lib/pk11wrap/pk11util.c
--- ./mozilla/security/nss/lib/pk11wrap/pk11util.c.jss 2011-02-11 07:40:23.748066635 -0800
+++ ./mozilla/security/nss/lib/pk11wrap/pk11util.c 2011-02-11 07:49:19.674611909 -0800
@@ -483,13 +483,25 @@ SECMOD_DeleteInternalModule(const char *
NULL, SECMOD_FIPS_FLAGS);
}
if (newModule) {
+ PK11SlotInfo *slot;
newModule->libraryParams =
PORT_ArenaStrdup(newModule->arena,mlp->module->libraryParams);
+ /* if an explicit internal key slot has been set, reset it */
+ slot = pk11_SwapInternalKeySlot(NULL);
+ if (slot) {
+ secmod_SetInternalKeySlotFlag(newModule, PR_TRUE);
+ }
rv = SECMOD_AddModule(newModule);
if (rv != SECSuccess) {
+ /* load failed, restore the internal key slot */
+ pk11_SetInternalKeySlot(slot);
SECMOD_DestroyModule(newModule);
newModule = NULL;
}
+ /* free the old explicit internal key slot, we now have a new one */
+ if (slot) {
+ PK11_FreeSlot(slot);
+ }
}
if (newModule == NULL) {
SECMODModuleList *last = NULL,*mlp2;
diff -up ./mozilla/security/nss/lib/pk11wrap/secmodi.h.jss ./mozilla/security/nss/lib/pk11wrap/secmodi.h
--- ./mozilla/security/nss/lib/pk11wrap/secmodi.h.jss 2011-02-11 07:39:04.685590962 -0800
+++ ./mozilla/security/nss/lib/pk11wrap/secmodi.h 2011-02-11 07:49:28.120021571 -0800
@@ -90,6 +90,8 @@ SECStatus secmod_LoadPKCS11Module(SECMOD
SECStatus SECMOD_UnloadModule(SECMODModule *);
void SECMOD_SetInternalModule(SECMODModule *);
PRBool secmod_IsInternalKeySlot(SECMODModule *);
+void secmod_SetInternalKeySlotFlag(SECMODModule *mod, PRBool val);
+
/* tools for checking if we are loading the same database twice */
typedef struct SECMODConfigListStr SECMODConfigList;
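Review bot: In the pk11util.c hunk, the failure branch of SECMOD_DeleteInternalModule calls `pk11_SetInternalKeySlot(slot)` even when `slot` is NULL, and the patch does not show whether pk11_SetInternalKeySlot tolerates NULL the way pk11_SetInternalKeySlotIfFirst visibly does (`pk11InternalKeySlot = slot ? PK11_ReferenceSlot(slot) : NULL;`); guarding it as `if (slot) pk11_SetInternalKeySlot(slot);` makes the restore path self-evidently safe. The trailing comment `/* free the old explicit internal key slot, we now have a new one */` is only true on the success branch; on failure the reference being dropped is the one pk11_SwapInternalKeySlot handed out while the restore took its own, so a comment such as `/* drop the reference returned by pk11_SwapInternalKeySlot; on success the new module's slot replaced it, on failure pk11_SetInternalKeySlot re-referenced it */` matches both paths. pk11_SwapInternalKeySlot and secmod_SetInternalKeySlotFlag read and modify shared state (the global pk11InternalKeySlot and mod->internal) with no lock visible in these hunks; if the caller is expected to hold the module-list lock, the header comment on pk11_SwapInternalKeySlot should say so, and its `Caller owns the Slot Reference` wording should specify which reference (the returned slot must be released with PK11_FreeSlot; the `slot` argument is re-referenced, not consumed). In secmod_SetInternalKeySlotFlag the working copy `char flags` has implementation-defined signedness, so `unsigned char` would avoid sign-extension when the value is stored back into `mod->internal`. SECMOD_DeleteInternalModule begins and ends outside the hunk.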