- Fix to swap internal key slot on fips mode switches, related to #633043
- Fixes a side effect of the fix for #633043 detcted by the JSS test suite
This commit is contained in:
parent
5abae289d8
commit
41067b8b40
7
nss.spec
7
nss.spec
|
@ -6,7 +6,7 @@
|
|||
Summary: Network Security Services
|
||||
Name: nss
|
||||
Version: 3.12.9
|
||||
Release: 5%{?dist}
|
||||
Release: 6%{?dist}
|
||||
License: MPLv1.1 or GPLv2+ or LGPLv2+
|
||||
URL: http://www.mozilla.org/projects/security/pki/nss/
|
||||
Group: System Environment/Libraries
|
||||
|
@ -43,6 +43,7 @@ Patch3: renegotiate-transitional.patch
|
|||
Patch6: nss-enable-pem.patch
|
||||
Patch7: nsspem-642433.patch
|
||||
Patch11: honor-user-trust-preferences.patch
|
||||
Patch15: swap-internal-key-slot.patch
|
||||
|
||||
%description
|
||||
Network Security Services (NSS) is a set of libraries designed to
|
||||
|
@ -115,6 +116,7 @@ low level services.
|
|||
%patch6 -p0 -b .libpem
|
||||
%patch7 -p0 -b .642433
|
||||
%patch11 -p1 -b .643134
|
||||
%patch15 -p1 -b .jss
|
||||
|
||||
|
||||
%build
|
||||
|
@ -491,6 +493,9 @@ rm -rf $RPM_BUILD_ROOT/%{_includedir}/nss3/nsslowhash.h
|
|||
%{_libdir}/libnssckfw.a
|
||||
|
||||
%changelog
|
||||
* Thu Feb 10 2011 Elio Maldonado <emaldona@redhat.com> - 3.12.9-6
|
||||
- Fix to swap internal key slot on fips mode switches, related to #633043
|
||||
|
||||
* Mon Feb 07 2011 Elio Maldonado <emaldona@redhat.com> - 3.12.9-5
|
||||
- Remove a header that now nss-softokn-freebl-devel ships, related to #675196
|
||||
- Backing out earlier patch until further testing from upstream for 3.12.10
|
||||
|
|
|
@ -0,0 +1,97 @@
|
|||
diff -up ./mozilla/security/nss/lib/pk11wrap/pk11pars.c.jss ./mozilla/security/nss/lib/pk11wrap/pk11pars.c
|
||||
--- ./mozilla/security/nss/lib/pk11wrap/pk11pars.c.jss 2011-02-11 07:45:38.324083242 -0800
|
||||
+++ ./mozilla/security/nss/lib/pk11wrap/pk11pars.c 2011-02-11 07:48:14.514166538 -0800
|
||||
@@ -258,6 +258,19 @@ secmod_IsInternalKeySlot(SECMODModule *m
|
||||
return (flags & SECMOD_FLAG_INTERNAL_KEY_SLOT) ? PR_TRUE : PR_FALSE;
|
||||
}
|
||||
|
||||
+void
|
||||
+secmod_SetInternalKeySlotFlag(SECMODModule *mod, PRBool val)
|
||||
+{
|
||||
+ char flags = (char) mod->internal;
|
||||
+
|
||||
+ if (val) {
|
||||
+ flags |= SECMOD_FLAG_INTERNAL_KEY_SLOT;
|
||||
+ } else {
|
||||
+ flags &= ~SECMOD_FLAG_INTERNAL_KEY_SLOT;
|
||||
+ }
|
||||
+ mod->internal = flags;
|
||||
+}
|
||||
+
|
||||
/* forward declarations */
|
||||
static int secmod_escapeSize(const char *string, char quote);
|
||||
static char *secmod_addEscape(const char *string, char quote);
|
||||
diff -up ./mozilla/security/nss/lib/pk11wrap/pk11priv.h.jss ./mozilla/security/nss/lib/pk11wrap/pk11priv.h
|
||||
--- ./mozilla/security/nss/lib/pk11wrap/pk11priv.h.jss 2011-02-11 07:47:45.037226877 -0800
|
||||
+++ ./mozilla/security/nss/lib/pk11wrap/pk11priv.h 2011-02-11 07:48:28.854164207 -0800
|
||||
@@ -115,6 +115,7 @@ void PK11_InitSlot(SECMODModule *mod,CK_
|
||||
PRBool PK11_NeedPWInitForSlot(PK11SlotInfo *slot);
|
||||
SECStatus PK11_ReadSlotCerts(PK11SlotInfo *slot);
|
||||
void pk11_SetInternalKeySlot(PK11SlotInfo *slot);
|
||||
+PK11SlotInfo *pk11_SwapInternalKeySlot(PK11SlotInfo *slot);
|
||||
void pk11_SetInternalKeySlotIfFirst(PK11SlotInfo *slot);
|
||||
|
||||
/*********************************************************************
|
||||
diff -up ./mozilla/security/nss/lib/pk11wrap/pk11slot.c.jss ./mozilla/security/nss/lib/pk11wrap/pk11slot.c
|
||||
--- ./mozilla/security/nss/lib/pk11wrap/pk11slot.c.jss 2011-02-11 07:41:11.258746774 -0800
|
||||
+++ ./mozilla/security/nss/lib/pk11wrap/pk11slot.c 2011-02-11 07:48:51.291595867 -0800
|
||||
@@ -1755,6 +1755,18 @@ pk11_SetInternalKeySlotIfFirst(PK11SlotI
|
||||
pk11InternalKeySlot = slot ? PK11_ReferenceSlot(slot) : NULL;
|
||||
}
|
||||
|
||||
+/*
|
||||
+ * Swap out a default internal keyslot. Caller owns the Slot Reference
|
||||
+ */
|
||||
+PK11SlotInfo *
|
||||
+pk11_SwapInternalKeySlot(PK11SlotInfo *slot)
|
||||
+{
|
||||
+ PK11SlotInfo *swap = pk11InternalKeySlot;
|
||||
+
|
||||
+ pk11InternalKeySlot = slot ? PK11_ReferenceSlot(slot) : NULL;
|
||||
+ return swap;
|
||||
+}
|
||||
+
|
||||
|
||||
/* get the internal key slot. FIPS has only one slot for both key slots and
|
||||
* default slots */
|
||||
diff -up ./mozilla/security/nss/lib/pk11wrap/pk11util.c.jss ./mozilla/security/nss/lib/pk11wrap/pk11util.c
|
||||
--- ./mozilla/security/nss/lib/pk11wrap/pk11util.c.jss 2011-02-11 07:40:23.748066635 -0800
|
||||
+++ ./mozilla/security/nss/lib/pk11wrap/pk11util.c 2011-02-11 07:49:19.674611909 -0800
|
||||
@@ -483,13 +483,25 @@ SECMOD_DeleteInternalModule(const char *
|
||||
NULL, SECMOD_FIPS_FLAGS);
|
||||
}
|
||||
if (newModule) {
|
||||
+ PK11SlotInfo *slot;
|
||||
newModule->libraryParams =
|
||||
PORT_ArenaStrdup(newModule->arena,mlp->module->libraryParams);
|
||||
+ /* if an explicit internal key slot has been set, reset it */
|
||||
+ slot = pk11_SwapInternalKeySlot(NULL);
|
||||
+ if (slot) {
|
||||
+ secmod_SetInternalKeySlotFlag(newModule, PR_TRUE);
|
||||
+ }
|
||||
rv = SECMOD_AddModule(newModule);
|
||||
if (rv != SECSuccess) {
|
||||
+ /* load failed, restore the internal key slot */
|
||||
+ pk11_SetInternalKeySlot(slot);
|
||||
SECMOD_DestroyModule(newModule);
|
||||
newModule = NULL;
|
||||
}
|
||||
+ /* free the old explicit internal key slot, we now have a new one */
|
||||
+ if (slot) {
|
||||
+ PK11_FreeSlot(slot);
|
||||
+ }
|
||||
}
|
||||
if (newModule == NULL) {
|
||||
SECMODModuleList *last = NULL,*mlp2;
|
||||
diff -up ./mozilla/security/nss/lib/pk11wrap/secmodi.h.jss ./mozilla/security/nss/lib/pk11wrap/secmodi.h
|
||||
--- ./mozilla/security/nss/lib/pk11wrap/secmodi.h.jss 2011-02-11 07:39:04.685590962 -0800
|
||||
+++ ./mozilla/security/nss/lib/pk11wrap/secmodi.h 2011-02-11 07:49:28.120021571 -0800
|
||||
@@ -90,6 +90,8 @@ SECStatus secmod_LoadPKCS11Module(SECMOD
|
||||
SECStatus SECMOD_UnloadModule(SECMODModule *);
|
||||
void SECMOD_SetInternalModule(SECMODModule *);
|
||||
PRBool secmod_IsInternalKeySlot(SECMODModule *);
|
||||
+void secmod_SetInternalKeySlotFlag(SECMODModule *mod, PRBool val);
|
||||
+
|
||||
|
||||
/* tools for checking if we are loading the same database twice */
|
||||
typedef struct SECMODConfigListStr SECMODConfigList;
|
Loading…
Reference in New Issue