# HG changeset patch
# User Robert Relyea <rrelyea@redhat.com>
# Date 1752603075 25200
# Tue Jul 15 11:11:15 2025 -0700
# Branch RHEL_8
# Node ID 688a6b5db483a4168d15e09d5b243fca79b5b01d
# Parent a87aba54de420d418961245be6e55d354bebd77b
nss-3.101-revert-libpkix-default.patch
diff --git a/lib/certhigh/certvfypkix.c b/lib/certhigh/certvfypkix.c
|
|
--- a/lib/certhigh/certvfypkix.c
|
|
+++ b/lib/certhigh/certvfypkix.c
|
|
@@ -34,17 +34,17 @@ extern PKIX_UInt32
|
|
pkix_pl_lifecycle_ObjectLeakCheck(int *);
|
|
|
|
extern SECStatus
|
|
pkix_pl_lifecycle_ObjectTableUpdate(int *objCountTable);
|
|
|
|
PRInt32 parallelFnInvocationCount;
|
|
#endif /* PKIX_OBJECT_LEAK_TEST */
|
|
|
|
-static PRBool usePKIXValidationEngine = PR_TRUE;
|
|
+static PRBool usePKIXValidationEngine = PR_FALSE;
|
|
#endif /* NSS_DISABLE_LIBPKIX */
|
|
|
|
/*
|
|
* FUNCTION: CERT_SetUsePKIXForValidation
|
|
* DESCRIPTION:
|
|
*
|
|
* Enables or disables use of libpkix for certificate validation
|
|
*
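Review bot: The new default at the `+static PRBool usePKIXValidationEngine = PR_FALSE;` line is not recorded next to the declaration, so the next reader has to find the NSS_ENABLE_PKIX_VERIFY handling in nss_Init to learn how the libpkix engine is turned on for this branch. A one-line comment above the declaration would capture that: `/* Off by default on this branch; a non-empty NSS_ENABLE_PKIX_VERIFY in the environment turns it on (see nss_Init). */`. The comment block for CERT_SetUsePKIXForValidation that starts at the bottom of the hunk continues past it; if it mentions the default anywhere, it should be checked against the new value.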
|
|
diff --git a/lib/nss/nssinit.c b/lib/nss/nssinit.c
|
|
--- a/lib/nss/nssinit.c
|
|
+++ b/lib/nss/nssinit.c
|
|
@@ -759,19 +759,19 @@ nss_Init(const char *configdir, const ch
|
|
|
|
#ifndef NSS_DISABLE_LIBPKIX
|
|
pkixError = PKIX_Initialize(PKIX_FALSE, PKIX_MAJOR_VERSION, PKIX_MINOR_VERSION,
|
|
PKIX_MINOR_VERSION, &actualMinorVersion, &plContext);
|
|
|
|
if (pkixError != NULL) {
|
|
goto loser;
|
|
} else {
|
|
- char *ev = PR_GetEnvSecure("NSS_DISABLE_PKIX_VERIFY");
|
|
+ char *ev = PR_GetEnvSecure("NSS_ENABLE_PKIX_VERIFY");
|
|
if (ev && ev[0]) {
|
|
- CERT_SetUsePKIXForValidation(PR_FALSE);
|
|
+ CERT_SetUsePKIXForValidation(PR_TRUE);
|
|
}
|
|
}
|
|
#endif /* NSS_DISABLE_LIBPKIX */
|
|
}
|
|
|
|
/*
|
|
* Now mark the appropriate init state. If initContextPtr was passed
|
|
* in, then return the new context pointer and add it to the
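Review bot: The enable test `if (ev && ev[0])` treats every non-empty value as "on", so `NSS_ENABLE_PKIX_VERIFY=0` enables libpkix, which is the opposite of what a reader of that line would guess; the old NSS_DISABLE_PKIX_VERIFY check had the same shape, but the flipped name makes the surprise easier to hit. Documenting it above the PR_GetEnvSecure call would help: `/* Any non-empty value, including "0", enables libpkix; an empty or absent variable keeps the legacy verifier. */`. Narrowing the check to an explicit value is the alternative, but that would change behaviour for callers that already set the variable to something other than "1". nss_Init's body begins and ends outside the hunk.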
|
|
diff --git a/tests/all.sh b/tests/all.sh
|
|
--- a/tests/all.sh
|
|
+++ b/tests/all.sh
|
|
@@ -138,28 +138,23 @@ run_tests()
|
|
|
|
########################## run_cycle_standard ##########################
|
|
# run test suites with sql database (no PKIX)
|
|
########################################################################
|
|
run_cycle_standard()
|
|
{
|
|
TEST_MODE=STANDARD
|
|
|
|
- NSS_DISABLE_LIBPKIX_VERIFY="1"
|
|
- export NSS_DISABLE_LIBPKIX_VERIFY
|
|
-
|
|
TESTS="${ALL_TESTS}"
|
|
TESTS_SKIP="libpkix pkits"
|
|
|
|
NSS_DEFAULT_DB_TYPE=${NSS_DEFAULT_DB_TYPE:-"sql"}
|
|
export NSS_DEFAULT_DB_TYPE
|
|
|
|
run_tests
|
|
-
|
|
- unset NSS_DISABLE_LIBPKIX_VERIFY
|
|
}
|
|
|
|
############################ run_cycle_pkix ############################
|
|
# run test suites with PKIX enabled
|
|
########################################################################
|
|
run_cycle_pkix()
|
|
{
|
|
TEST_MODE=PKIX
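Review bot: run_cycle_standard no longer clears NSS_ENABLE_PKIX_VERIFY, so a value inherited from the caller's environment, or left over from another cycle, silently turns the "no PKIX" cycle into a PKIX one, and with the trailing `unset` gone nothing resets it either. Adding `unset NSS_ENABLE_PKIX_VERIFY` where the removed `NSS_DISABLE_LIBPKIX_VERIFY` lines were would keep the cycle's stated mode honest. The same applies to the hunk at `@@ -167,16 +162,19 @@`: run_cycle_pkix exports the variable but never unsets it, so any cycle that runs after it in the same shell inherits PKIX mode; an `unset NSS_ENABLE_PKIX_VERIFY` after its run_tests call (outside that hunk) would restore the symmetry the old code had.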
|
|
@@ -167,16 +162,19 @@ run_cycle_pkix()
|
|
TABLE_ARGS="bgcolor=cyan"
|
|
html_head "Testing with PKIX"
|
|
html "</TABLE><BR>"
|
|
|
|
HOSTDIR="${HOSTDIR}/pkix"
|
|
mkdir -p "${HOSTDIR}"
|
|
init_directories
|
|
|
|
+ NSS_ENABLE_PKIX_VERIFY="1"
|
|
+ export NSS_ENABLE_PKIX_VERIFY
|
|
+
|
|
TESTS="${ALL_TESTS}"
|
|
TESTS_SKIP="cipher dbtests sdr crmf smime merge multinit"
|
|
|
|
export -n NSS_SSL_RUN
|
|
|
|
# use the default format. (unset for the shell, export -n for binaries)
|
|
export -n NSS_DEFAULT_DB_TYPE
|
|
unset NSS_DEFAULT_DB_TYPE
|
|
diff --git a/tests/common/init.sh b/tests/common/init.sh
|
|
--- a/tests/common/init.sh
|
|
+++ b/tests/common/init.sh
|
|
@@ -135,18 +135,18 @@ if [ -z "${INIT_SOURCED}" -o "${INIT_SOU
|
|
{
|
|
echo "HOSTDIR=\"${HOSTDIR}\""
|
|
echo "TABLE_ARGS="
|
|
echo "NSS_TEST_DISABLE_CRL=${NSS_TEST_DISABLE_CRL}"
|
|
echo "NSS_SSL_TESTS=\"${NSS_SSL_TESTS}\""
|
|
echo "NSS_SSL_RUN=\"${NSS_SSL_RUN}\""
|
|
echo "NSS_DEFAULT_DB_TYPE=${NSS_DEFAULT_DB_TYPE}"
|
|
echo "export NSS_DEFAULT_DB_TYPE"
|
|
- echo "NSS_DISABLE_PKIX_VERIFY=${NSS_DISABLE_PKIX_VERIFY}"
|
|
- echo "export NSS_DISABLE_PKIX_VERIFY"
|
|
+ echo "NSS_ENABLE_PKIX_VERIFY=${NSS_ENABLE_PKIX_VERIFY}"
|
|
+ echo "export NSS_ENABLE_PKIX_VERIFY"
|
|
echo "init_directories"
|
|
}
|
|
|
|
# Exit shellfunction to clean up at exit (error, regular or signal)
|
|
Exit()
|
|
{
|
|
if [ -n "$1" ] ; then
|
|
echo "$SCRIPTNAME: Exit: $* - FAILED"
|
|
diff --git a/tests/ssl/ssl.sh b/tests/ssl/ssl.sh
|
|
--- a/tests/ssl/ssl.sh
|
|
+++ b/tests/ssl/ssl.sh
|
|
@@ -957,18 +957,19 @@ ssl_policy_listsuites()
|
|
html "</TABLE><BR>"
|
|
}
|
|
|
|
ssl_policy_pkix_ocsp()
|
|
{
|
|
#verbose="-v"
|
|
html_head "Check that OCSP doesn't break if we disable sha1 $NORM_EXT - server $SERVER_MODE/client $CLIENT_MODE"
|
|
|
|
- PKIX_SAVE=${NSS_DISABLE_LIBPKIX_VERIFY-"unset"}
|
|
- unset NSS_DISABLE_LIBPKIX_VERIFY
|
|
+ PKIX_SAVE=${NSS_ENABLE_PKIX_VERIFY-"unset"}
|
|
+ NSS_ENABLE_PKIX_VERIFY="1"
|
|
+ export NSS_ENABLE_PKIX_VERIFY
|
|
|
|
testname=""
|
|
|
|
if [ ! -f "${P_R_SERVERDIR}/pkcs11.txt" ] ; then
|
|
html_failed "${SCRIPTNAME}: ${P_R_SERVERDIR} is not initialized"
|
|
return 1;
|
|
fi
|
|
|
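Review bot: The `return 1` on the pkcs11.txt check a few lines below the new export leaves the function after NSS_ENABLE_PKIX_VERIFY has already been set to "1" and exported, but before the save/restore block at the end of the function (hunk `@@ -983,20 +984,22 @@`) runs, so on that failure path the variable leaks into every later test in the same shell. Moving the three lines `PKIX_SAVE=${NSS_ENABLE_PKIX_VERIFY-"unset"}`, `NSS_ENABLE_PKIX_VERIFY="1"` and `export NSS_ENABLE_PKIX_VERIFY` below the `fi` avoids the leak without other changes. The literal "unset" sentinel in PKIX_SAVE also collides with a caller that sets the variable to that exact string; unlikely, but a presence test such as `${NSS_ENABLE_PKIX_VERIFY+set}` cannot be confused with a value. ssl_policy_pkix_ocsp continues past the end of this hunk.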
|
@@ -983,20 +984,22 @@ ssl_policy_pkix_ocsp()
|
|
vfyserv -o wrong.host.badssl.com -d ${P_R_SERVERDIR} 2>&1 | tee ${P_R_SERVERDIR}/vfy.out
|
|
# make sure we have the domain mismatch, not bad signature error
|
|
echo "grep -E '12276|5961' ${P_R_SERVERDIR}/vfy.out"
|
|
grep -E '12276|5961' ${P_R_SERVERDIR}/vfy.out
|
|
RET=$?
|
|
html_msg $RET $RET_EXP "${testname}" \
|
|
"produced a returncode of $RET, expected is $RET_EXP"
|
|
|
|
- if [ "{PKIX_SAVE}" != "unset" ]; then
|
|
- export NSS_DISABLE_LIBPKIX_VERIFY=${PKIX_SAVE}
|
|
+ if [ "${PKIX_SAVE}" = "unset" ]; then
|
|
+ unset NSS_ENABLE_PKIX_VERIFY
|
|
+ else
|
|
+ NSS_ENABLE_PKIX_VERIFY=${PKIX_SAVE}
|
|
+ export NSS_ENABLE_PKIX_VERIFY
|
|
fi
|
|
-
|
|
cp ${P_R_SERVERDIR}/pkcs11.txt.sav ${P_R_SERVERDIR}/pkcs11.txt
|
|
|
|
html "</TABLE><BR>"
|
|
|
|
}
|
|
|
|
############################## ssl_policy_selfserv #####################
|
|
# local shell function to perform SSL Policy tests, using selfserv
|