# HG changeset patch
# User Robert Relyea
# Date 1752603075 25200
# Tue Jul 15 11:11:15 2025 -0700
# Branch RHEL_8
# Node ID 688a6b5db483a4168d15e09d5b243fca79b5b01d
# Parent a87aba54de420d418961245be6e55d354bebd77b
nss-3.101-revert-libpkix-default.patch
diff --git a/lib/certhigh/certvfypkix.c b/lib/certhigh/certvfypkix.c
--- a/lib/certhigh/certvfypkix.c
+++ b/lib/certhigh/certvfypkix.c
@@ -34,17 +34,17 @@ extern PKIX_UInt32 pkix_pl_lifecycle_ObjectLeakCheck(int *);
 extern SECStatus pkix_pl_lifecycle_ObjectTableUpdate(int *objCountTable);
 PRInt32 parallelFnInvocationCount;
 #endif /* PKIX_OBJECT_LEAK_TEST */
-static PRBool usePKIXValidationEngine = PR_TRUE;
+static PRBool usePKIXValidationEngine = PR_FALSE;
 #endif /* NSS_DISABLE_LIBPKIX */
 /*
 * FUNCTION: CERT_SetUsePKIXForValidation
 * DESCRIPTION:
 *
 * Enables or disables use of libpkix for certificate validation
 *
diff --git a/lib/nss/nssinit.c b/lib/nss/nssinit.c
--- a/lib/nss/nssinit.c
+++ b/lib/nss/nssinit.c
@@ -759,19 +759,19 @@ nss_Init(const char *configdir, const ch
 #ifndef NSS_DISABLE_LIBPKIX
 pkixError = PKIX_Initialize(PKIX_FALSE, PKIX_MAJOR_VERSION, PKIX_MINOR_VERSION, PKIX_MINOR_VERSION, &actualMinorVersion, &plContext);
 if (pkixError != NULL) {
 goto loser;
 } else {
- char *ev = PR_GetEnvSecure("NSS_DISABLE_PKIX_VERIFY");
+ char *ev = PR_GetEnvSecure("NSS_ENABLE_PKIX_VERIFY");
 if (ev && ev[0]) {
- CERT_SetUsePKIXForValidation(PR_FALSE);
+ CERT_SetUsePKIXForValidation(PR_TRUE);
 }
 }
 #endif /* NSS_DISABLE_LIBPKIX */
 }
 /*
 * Now mark the appropriate init state. If initContextPtr was passed
 * in, then return the new context pointer and add it to the
diff --git a/tests/all.sh b/tests/all.sh
--- a/tests/all.sh
+++ b/tests/all.sh
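Review bot: The flipped default of `usePKIXValidationEngine` is not documented at its definition, and the CERT_SetUsePKIXForValidation comment below only says the function "enables or disables" libpkix, so a reader of this file cannot tell that libpkix is now opt-in or how to opt in. I would put above the `static` line: `/* libpkix is off by default; turn it on per process with CERT_SetUsePKIXForValidation(PR_TRUE), or at nss_Init time by setting NSS_ENABLE_PKIX_VERIFY in the environment. */`. Applications that never call the setter now get the legacy verifier silently; if any of them relied on libpkix-specific validation behaviour, that is a change in what gets checked and deserves a line in the release notes as well. The comment block for CERT_SetUsePKIXForValidation continues past the hunk.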
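Review bot: The opt-in test `if (ev && ev[0])` enables libpkix for any non-empty value, so `NSS_ENABLE_PKIX_VERIFY=0` or `=no` turns the PKIX engine on, the opposite of what a user writing that would expect. Either document it, `/* any non-empty value enables libpkix */` above the check, or reject an explicit zero with `if (ev && ev[0] && strcmp(ev, "0") != 0) {`, assuming string.h is already included in this file. The empty-string case must keep being treated as unset, because the harness's init.sh hunk in this same patch writes `export NSS_ENABLE_PKIX_VERIFY` even when the variable is empty. nss_Init begins and ends outside the hunk.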
@@ -138,28 +138,23 @@ run_tests() ########################## run_cycle_standard ########################## # run test suites with sql database (no PKIX) ######################################################################## run_cycle_standard() { TEST_MODE=STANDARD - NSS_DISABLE_LIBPKIX_VERIFY="1" - export NSS_DISABLE_LIBPKIX_VERIFY - TESTS="${ALL_TESTS}" TESTS_SKIP="libpkix pkits" NSS_DEFAULT_DB_TYPE=${NSS_DEFAULT_DB_TYPE:-"sql"} export NSS_DEFAULT_DB_TYPE run_tests - - unset NSS_DISABLE_LIBPKIX_VERIFY } ############################ run_cycle_pkix ############################ # run test suites with PKIX enabled ######################################################################## run_cycle_pkix() { TEST_MODE=PKIX @@ -167,16 +162,19 @@ run_cycle_pkix() TABLE_ARGS="bgcolor=cyan" html_head "Testing with PKIX" html "
" HOSTDIR="${HOSTDIR}/pkix" mkdir -p "${HOSTDIR}" init_directories + NSS_ENABLE_PKIX_VERIFY="1" + export NSS_ENABLE_PKIX_VERIFY + TESTS="${ALL_TESTS}" TESTS_SKIP="cipher dbtests sdr crmf smime merge multinit" export -n NSS_SSL_RUN # use the default format. (unset for the shell, export -n for binaries) export -n NSS_DEFAULT_DB_TYPE unset NSS_DEFAULT_DB_TYPE diff --git a/tests/common/init.sh b/tests/common/init.sh --- a/tests/common/init.sh +++ b/tests/common/init.sh @@ -135,18 +135,18 @@ if [ -z "${INIT_SOURCED}" -o "${INIT_SOU { echo "HOSTDIR=\"${HOSTDIR}\"" echo "TABLE_ARGS=" echo "NSS_TEST_DISABLE_CRL=${NSS_TEST_DISABLE_CRL}" echo "NSS_SSL_TESTS=\"${NSS_SSL_TESTS}\"" echo "NSS_SSL_RUN=\"${NSS_SSL_RUN}\"" echo "NSS_DEFAULT_DB_TYPE=${NSS_DEFAULT_DB_TYPE}" echo "export NSS_DEFAULT_DB_TYPE" - echo "NSS_DISABLE_PKIX_VERIFY=${NSS_DISABLE_PKIX_VERIFY}" - echo "export NSS_DISABLE_PKIX_VERIFY" + echo "NSS_ENABLE_PKIX_VERIFY=${NSS_ENABLE_PKIX_VERIFY}" + echo "export NSS_ENABLE_PKIX_VERIFY" echo "init_directories" } # Exit shellfunction to clean up at exit (error, regular or signal) Exit() { if [ -n "$1" ] ; then echo "$SCRIPTNAME: Exit: $* - FAILED" diff --git a/tests/ssl/ssl.sh b/tests/ssl/ssl.sh --- a/tests/ssl/ssl.sh +++ b/tests/ssl/ssl.sh @@ -957,18 +957,19 @@ ssl_policy_listsuites() html "
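Review bot: `export NSS_ENABLE_PKIX_VERIFY` is set in run_cycle_pkix but nothing in the visible part of the function undoes it, and the run_cycle_standard hunk in this same patch drops the unset that cycle used to do; if the cycles run one after another in the same shell, every cycle after the PKIX one inherits `NSS_ENABLE_PKIX_VERIFY=1` and silently runs with libpkix. I would add `unset NSS_ENABLE_PKIX_VERIFY` at the end of run_cycle_pkix, after its run_tests call, and for robustness against a value inherited from the caller's environment the same `unset NSS_ENABLE_PKIX_VERIFY` right after `TEST_MODE=STANDARD` in run_cycle_standard. run_cycle_pkix's body continues past the hunk.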
" } ssl_policy_pkix_ocsp() { #verbose="-v" html_head "Check that OCSP doesn't break if we disable sha1 $NORM_EXT - server $SERVER_MODE/client $CLIENT_MODE" - PKIX_SAVE=${NSS_DISABLE_LIBPKIX_VERIFY-"unset"} - unset NSS_DISABLE_LIBPKIX_VERIFY + PKIX_SAVE=${NSS_ENABLE_PKIX_VERIFY-"unset"} + NSS_ENABLE_PKIX_VERIFY="1" + export NSS_ENABLE_PKIX_VERIFY testname="" if [ ! -f "${P_R_SERVERDIR}/pkcs11.txt" ] ; then html_failed "${SCRIPTNAME}: ${P_R_SERVERDIR} is not initialized" return 1; fi @@ -983,20 +984,22 @@ ssl_policy_pkix_ocsp() vfyserv -o wrong.host.badssl.com -d ${P_R_SERVERDIR} 2>&1 | tee ${P_R_SERVERDIR}/vfy.out # make sure we have the domain mismatch, not bad signature error echo "grep -E '12276|5961' ${P_R_SERVERDIR}/vfy.out" grep -E '12276|5961' ${P_R_SERVERDIR}/vfy.out RET=$? html_msg $RET $RET_EXP "${testname}" \ "produced a returncode of $RET, expected is $RET_EXP" - if [ "{PKIX_SAVE}" != "unset" ]; then - export NSS_DISABLE_LIBPKIX_VERIFY=${PKIX_SAVE} + if [ "${PKIX_SAVE}" = "unset" ]; then + unset NSS_ENABLE_PKIX_VERIFY + else + NSS_ENABLE_PKIX_VERIFY=${PKIX_SAVE} + export NSS_ENABLE_PKIX_VERIFY fi - cp ${P_R_SERVERDIR}/pkcs11.txt.sav ${P_R_SERVERDIR}/pkcs11.txt html "
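Review bot: `NSS_ENABLE_PKIX_VERIFY="1"` is exported before the pkcs11.txt sanity check, so the `return 1;` taken when `${P_R_SERVERDIR}` is not initialized leaves libpkix forced on for every test that follows, since the restore from `PKIX_SAVE` only happens at the end of the function in the later hunk. Move the `if [ ! -f "${P_R_SERVERDIR}/pkcs11.txt" ]` block above the `PKIX_SAVE=` line, or restore the variable before that return. ssl_policy_pkix_ocsp continues past the hunk.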
" } ############################## ssl_policy_selfserv ##################### # local shell function to perform SSL Policy tests, using selfserv