From 5c8d0c9dc85608f58f77ceed1735e53ba8732f39 Mon Sep 17 00:00:00 2001
From: Daiki Ueno
Date: Tue, 3 Jul 2018 13:48:10 +0200
Subject: [PATCH] Update to NSS 3.38
---
 .gitignore | 1 +
 nss-load-policy-file.patch | 79 ++++++++++++++++++++++++++++++++++++++
 nss.spec | 11 ++++--
 sources | 2 +-
 4 files changed, 89 insertions(+), 4 deletions(-)
 create mode 100644 nss-load-policy-file.patch
diff --git a/.gitignore b/.gitignore
index 850c383..c7566e0 100644
--- a/.gitignore
+++ b/.gitignore
@@ -26,3 +26,4 @@ TestUser51.cert
 /nss-3.36.0.tar.gz
 /nss-3.36.1.tar.gz
 /nss-3.37.3.tar.gz
+/nss-3.38.0.tar.gz
diff --git a/nss-load-policy-file.patch b/nss-load-policy-file.patch
new file mode 100644
index 0000000..3d8691c
--- /dev/null
+++ b/nss-load-policy-file.patch
@@ -0,0 +1,79 @@
+# HG changeset patch
+# User David Woodhouse
+# Date 1529655250 -7200
+# Fri Jun 22 10:14:10 2018 +0200
+# Node ID d99e54ca9b6df33025ee9a196b8b942428bbff91
+# Parent 1a13c19d7fab53fd62786e05d6546a4abf66e48d
+Bug 1296263 - Fix loading of PKCS#11 modules from system policy file, r=rrelyea
+
+We currently load the policy file after calling
+STAN_LoadDefaultNSS3TrustDomain(), which causes problems because any
+tokens in the newly-added modules don't get initialised.
+
+Move it up by a few lines and fix up the indentation while we're at it.
+
+diff --git a/lib/nss/nssinit.c b/lib/nss/nssinit.c
+--- a/lib/nss/nssinit.c
++++ b/lib/nss/nssinit.c
+@@ -702,6 +702,30 @@ nss_Init(const char *configdir, const ch
+ if (SECOID_Init() != SECSuccess) {
+ goto loser;
+ }
++#ifdef POLICY_FILE
++ /* Load the system crypto policy file if it exists,
++ * unless the NSS_IGNORE_SYSTEM_POLICY environment
++ * variable has been set to 1. */
++ ignoreVar = PR_GetEnvSecure("NSS_IGNORE_SYSTEM_POLICY");
++ if (ignoreVar == NULL || strncmp(ignoreVar, "1", sizeof("1")) != 0) {
++ if (PR_Access(POLICY_PATH "/" POLICY_FILE, PR_ACCESS_READ_OK) == PR_SUCCESS) {
++ SECMODModule *module = SECMOD_LoadModule(
++ "name=\"Policy File\" "
++ "parameters=\"configdir='sql:" POLICY_PATH "' "
++ "secmod='" POLICY_FILE "' "
++ "flags=readOnly,noCertDB,forceSecmodChoice,forceOpen\" "
++ "NSS=\"flags=internal,moduleDB,skipFirst,moduleDBOnly,critical\"",
++ parent, PR_TRUE);
++ if (module) {
++ PRBool isLoaded = module->loaded;
++ SECMOD_DestroyModule(module);
++ if (!isLoaded) {
++ goto loser;
++ }
++ }
++ }
++ }
++#endif
+ if (STAN_LoadDefaultNSS3TrustDomain() != PR_SUCCESS) {
+ goto loser;
+ }
+@@ -730,30 +754,6 @@ nss_Init(const char *configdir, const ch
+ }
+ }
+ }
+-#ifdef POLICY_FILE
+- /* Load the system crypto policy file if it exists,
+- * unless the NSS_IGNORE_SYSTEM_POLICY environment
+- * variable has been set to 1. */
+- ignoreVar = PR_GetEnvSecure("NSS_IGNORE_SYSTEM_POLICY");
+- if (ignoreVar == NULL || strncmp(ignoreVar, "1", sizeof("1")) != 0) {
+- if (PR_Access(POLICY_PATH "/" POLICY_FILE, PR_ACCESS_READ_OK) == PR_SUCCESS) {
+- SECMODModule *module = SECMOD_LoadModule(
+- "name=\"Policy File\" "
+- "parameters=\"configdir='sql:" POLICY_PATH "' "
+- "secmod='" POLICY_FILE "' "
+- "flags=readOnly,noCertDB,forceSecmodChoice,forceOpen\" "
+- "NSS=\"flags=internal,moduleDB,skipFirst,moduleDBOnly,critical\"",
+- parent, PR_TRUE);
+- if (module) {
+- PRBool isLoaded = module->loaded;
+- SECMOD_DestroyModule(module);
+- if (!isLoaded) {
+- goto loser;
+- }
+- }
+- }
+- }
+-#endif
+ pk11sdr_Init();
+ cert_CreateSubjectKeyIDHashTable();
+
diff --git a/nss.spec b/nss.spec
index 5ef762e..61a1012 100644
--- a/nss.spec
+++ b/nss.spec
@@ -1,6 +1,6 @@
 %global nspr_version 4.19.0
-%global nss_util_version 3.37.3
-%global nss_softokn_version 3.37.3
+%global nss_util_version 3.38.0
+%global nss_softokn_version 3.38.0
 %global unsupported_tools_directory %{_libdir}/nss/unsupported-tools
 %global allTools "certutil cmsutil crlutil derdump modutil pk12util signtool signver ssltap vfychain vfyserv"
@@ -18,7 +18,7 @@ Summary: Network Security Services
 Name: nss
-Version: 3.37.3
+Version: 3.38.0
 # for Rawhide, please always use release >= 2
 # for Fedora release branches, please use release < 2 (1.0, 1.1, ...)
 Release: 1.0%{?dist}
@@ -116,6 +116,7 @@ Patch50: iquote.patch
 Patch58: rhbz1185708-enable-ecc-3des-ciphers-by-default.patch
 # Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1279520
 Patch59: nss-check-policy-file.patch
+Patch60: nss-load-policy-file.patch
 Patch62: nss-skip-util-gtest.patch
 Patch63: nss-sql-default.patch
@@ -200,6 +201,7 @@ low level services.
 %patch58 -p0 -b .1185708_3des
 pushd nss
 %patch59 -p1 -b .check_policy_file
+%patch60 -p1 -b .load_policy_file
 %patch62 -p1 -b .skip_util_gtest
 %patch63 -p1 -R -b .sql-default
 popd
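Review bot: In nss-load-policy-file.patch, the block moved ahead of STAN_LoadDefaultNSS3TrustDomain() in nss_Init (lib/nss/nssinit.c) still fails open when SECMOD_LoadModule() returns NULL: the `if (module) {` guard has no else branch, so only a non-NULL module with `loaded` false reaches `goto loser`, and initialisation otherwise carries on without the system crypto policy. Because PR_Access() has just reported the file readable, a failed load is better treated as fatal, e.g. `if (module == NULL) { goto loser; }` before `module->loaded` is read. Per the changeset description the policy file can also bring in PKCS#11 modules whose tokens are now initialised, so the comment above the block should say that write access to `POLICY_PATH "/" POLICY_FILE` controls which modules get loaded. nss_Init begins and ends outside the hunk, and whether SECMOD_LoadModule() can actually return NULL on this path is inferred from the guard rather than shown.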
@@ -809,6 +811,9 @@ fi
 %changelog
+* Tue Jul 3 2018 Daiki Ueno - 3.38.0-1.0
+- Update to NSS 3.38
+
 * Tue Jun 5 2018 Daiki Ueno - 3.37.3-1.0
 - Update to NSS 3.37.3
diff --git a/sources b/sources
index 3eeef13..8c91f7f 100644
--- a/sources
+++ b/sources
@@ -3,4 +3,4 @@ SHA512 (blank-cert9.db) = 2f8eab4c0612210ee47db8a3a80c1b58a0b43849551af78c7da403
 SHA512 (blank-key3.db) = 01f7314e9fc8a7c9aa997652624cfcde213d18a6b3bb31840c1a60bbd662e56b5bc3221d13874abb42ce78163b225a6dfce2e1326cf6dd29366ad9c28ba5a71c
 SHA512 (blank-key4.db) = 8fedae93af7163da23fe9492ea8e785a44c291604fa98e58438448efb69c85d3253fc22b926d5c3209c62e58a86038fd4d78a1c4c068bc00600a7f3e5382ebe7
 SHA512 (blank-secmod.db) = 06a2dbd861839ef6315093459328b500d3832333a34b30e6fac4a2503af337f014a4d319f0f93322409e719142904ce8bc08252ae9a4f37f30d4c3312e900310
-SHA512 (nss-3.37.3.tar.gz) = 11b21818f9fcff11d0e7f4c066ae9fbce0052a30a6b30df9a20022792039b5348554834a472e1b1195e467b9902067f9719678d5ca32efb4e60f1df161feed6f
+SHA512 (nss-3.38.0.tar.gz) = eb63f1c44adbbd97dc766e8545c72303f3cb18f1bfb2af67c33cdb1a1a9a1cc432a64afbafabd7a5bb3f08cb36db74ed81e5cfa1fc4bd35ae76e183f3205afed