From 5f7dfcf00d4876f6f9aa0c6d05fdfded6753800e Mon Sep 17 00:00:00 2001 From: Elio Maldonado Date: Wed, 26 Jan 2011 10:59:29 -0800 Subject: [PATCH] Update the cacert trust patch per upstream review (#633043) - Add comments to the new internal functions - Rename macro to better reflect purpose and fix typos - Patch matches the code as checked in upstream --- honor-user-trust-preferences.patch | 76 ++++++++++++++++++++++++++---- nss.spec | 5 +- 2 files changed, 72 insertions(+), 9 deletions(-) diff --git a/honor-user-trust-preferences.patch b/honor-user-trust-preferences.patch index e9414de..093d1c1 100644 --- a/honor-user-trust-preferences.patch +++ b/honor-user-trust-preferences.patch @@ -4,7 +4,7 @@ RCS file: /cvsroot/mozilla/security/nss/lib/pk11wrap/pk11load.c,v retrieving revision 1.30 diff -u -p -r1.30 pk11load.c --- ./mozilla/security/nss/lib/pk11wrap/pk11load.c 30 Apr 2010 07:22:54 -0000 1.30 -+++ ./mozilla/security/nss/lib/pk11wrap/pk11load.c 22 Jan 2011 05:39:07 -0000 ++++ ./mozilla/security/nss/lib/pk11wrap/pk11load.c 26 Jan 2011 18:11:57 -0000 @@ -178,8 +178,8 @@ secmod_handleReload(SECMODModule *oldMod char *oldModuleSpec; @@ -34,7 +34,7 @@ RCS file: /cvsroot/mozilla/security/nss/lib/pk11wrap/pk11priv.h,v retrieving revision 1.13 diff -u -p -r1.13 pk11priv.h --- ./mozilla/security/nss/lib/pk11wrap/pk11priv.h 27 Oct 2009 23:04:46 -0000 1.13 -+++ ./mozilla/security/nss/lib/pk11wrap/pk11priv.h 22 Jan 2011 05:39:07 -0000 ++++ ./mozilla/security/nss/lib/pk11wrap/pk11priv.h 26 Jan 2011 18:11:47 -0000 @@ -115,6 +115,7 @@ void PK11_InitSlot(SECMODModule *mod,CK_ PRBool PK11_NeedPWInitForSlot(PK11SlotInfo *slot); SECStatus PK11_ReadSlotCerts(PK11SlotInfo *slot); 
@@ -49,11 +49,38 @@ RCS file: /cvsroot/mozilla/security/nss/lib/pk11wrap/pk11slot.c,v retrieving revision 1.101 diff -u -p -r1.101 pk11slot.c --- ./mozilla/security/nss/lib/pk11wrap/pk11slot.c 3 Apr 2010 18:27:31 -0000 1.101 -+++ ./mozilla/security/nss/lib/pk11wrap/pk11slot.c 22 Jan 2011 05:39:08 -0000 -@@ -1735,6 +1735,15 @@ pk11_SetInternalKeySlot(PK11SlotInfo *sl ++++ ./mozilla/security/nss/lib/pk11wrap/pk11slot.c 26 Jan 2011 18:11:20 -0000 +@@ -1349,7 +1349,7 @@ pk11_isRootSlot(PK11SlotInfo *slot) + * times as tokens are removed and re-inserted. + */ + void +-PK11_InitSlot(SECMODModule *mod,CK_SLOT_ID slotID,PK11SlotInfo *slot) ++PK11_InitSlot(SECMODModule *mod, CK_SLOT_ID slotID, PK11SlotInfo *slot) + { + SECStatus rv; + char *tmp; +@@ -1726,6 +1726,12 @@ PK11_NeedUserInit(PK11SlotInfo *slot) + } + + static PK11SlotInfo *pk11InternalKeySlot = NULL; ++ ++/* ++ * Set a new default internal keyslot. If one has already been set, clear it. ++ * passing NULL falls back the NSS normally selected default internal key ++ * slot ++ */ + void + pk11_SetInternalKeySlot(PK11SlotInfo *slot) + { +@@ -1735,6 +1741,20 @@ pk11_SetInternalKeySlot(PK11SlotInfo *sl pk11InternalKeySlot = slot ? PK11_ReferenceSlot(slot) : NULL; } ++/* ++ * Set a new default internal keyslot if the normal key slot has not already ++ * been overrided. Subsequent calls to this function will be ignored unless ++ * pk11_SetInternalKeySlot is used to clear the current default. ++ */ +void +pk11_FirstInternalKeySlot(PK11SlotInfo *slot) +{ 
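Review bot: The comments added above pk11_SetInternalKeySlot and pk11_FirstInternalKeySlot say when the override takes effect but not who owns the slot reference, even though this static pointer decides which slot NSS treats as the internal key slot. The visible assignment `pk11InternalKeySlot = slot ? PK11_ReferenceSlot(slot) : NULL;` takes its own reference, so I would add a line such as `* The slot is referenced here; the caller keeps and releases its own reference.` No lock around the static is visible in this hunk, so if these functions are only meant to run during module load, the comment should say that too. On wording, `falls back the NSS normally selected default internal key slot` should read `falls back to the default internal key slot NSS normally selects`, and `overrided` should be `overridden`. Both function bodies extend outside the hunk, so the release of a previously set slot could not be checked here.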
@@ -70,18 +97,30 @@ Index: ./mozilla/security/nss/lib/sysinit/nsssysinit.c =================================================================== RCS file: /cvsroot/mozilla/security/nss/lib/sysinit/nsssysinit.c,v retrieving revision 1.2 -diff -u -p -r1.2 nsssysinit.c +retrieving revision 1.2.2.2 +diff -u -p -r1.2 -r1.2.2.2 --- ./mozilla/security/nss/lib/sysinit/nsssysinit.c 6 Feb 2010 04:56:37 -0000 1.2 -+++ ./mozilla/security/nss/lib/sysinit/nsssysinit.c 22 Jan 2011 05:39:08 -0000 -@@ -221,7 +221,7 @@ getFIPSMode(void) ++++ ./mozilla/security/nss/lib/sysinit/nsssysinit.c 26 Jan 2011 00:52:31 -0000 1.2.2.2 +@@ -221,16 +221,16 @@ getFIPSMode(void) * 2 for the key slot, and * 3 for the crypto operations slot fips */ -#define ORDER_FLAGS "trustOrder=75 cipherOrder=100" -+#define ORDER_FLAGS "cipherOrder=100" ++#define CIPHER_ORDER_FLAGS "cipherOrder=100" #define SLOT_FLAGS \ "[slotFlags=RSA,RC4,RC2,DES,DH,SHA1,MD5,MD2,SSL,TLS,AES,RANDOM" \ " askpw=any timeout=30 ]" + + static const char *nssDefaultFlags = +- ORDER_FLAGS " slotParams={0x00000001=" SLOT_FLAGS " } "; ++ CIPHER_ORDER_FLAGS " slotParams={0x00000001=" SLOT_FLAGS " } "; + + static const char *nssDefaultFIPSFlags = +- ORDER_FLAGS " slotParams={0x00000003=" SLOT_FLAGS " } "; ++ CIPHER_ORDER_FLAGS " slotParams={0x00000003=" SLOT_FLAGS " } "; + + /* + * This function builds the list of databases and modules to load, and sets @@ -270,7 +270,7 @@ get_list(char *filename, char *stripped_ "library= " "module=\"NSS User database\" " 
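Review bot: The renamed `CIPHER_ORDER_FLAGS` define has no comment saying that `trustOrder` is left out on purpose, and that omission looks like the security-relevant part of this patch. The superseded inner line shows the old value `"trustOrder=75 cipherOrder=100"`, and the new name only hints at what was dropped. A later edit that puts a trust order back into `nssDefaultFlags` or `nssDefaultFIPSFlags` would presumably undo the fix without any warning. I would add above the define `/* trustOrder is deliberately not set here so the user's cert trust preferences are honored (#633043). */`. The block comment that ends just above the define begins outside the hunk.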
@@ -131,3 +170,24 @@ diff -u -p -r1.2 nsssysinit.c } /* that was the last module */ +@@ -372,9 +348,9 @@ overlapstrcpy(char *target, char *src) + + /* determine what options the user was trying to open this database with */ + /* filename is the directory pointed to by configdir= */ +-/* stripped is the rest of the paramters with configdir= stripped out */ ++/* stripped is the rest of the parameters with configdir= stripped out */ + static SECStatus +-parse_paramters(char *parameters, char **filename, char **stripped) ++parse_parameters(char *parameters, char **filename, char **stripped) + { + char *sourcePrev; + char *sourceCurr; +@@ -423,7 +399,7 @@ NSS_ReturnModuleSpecData(unsigned long f + char **retString = NULL; + SECStatus rv; + +- rv = parse_paramters(parameters, &filename, &stripped); ++ rv = parse_parameters(parameters, &filename, &stripped); + if (rv != SECSuccess) { + /* use defaults */ + filename = getSystemDB(); diff --git a/nss.spec b/nss.spec index 8c53cbb..a096f5d 100644 --- a/nss.spec +++ b/nss.spec @@ -6,7 +6,7 @@ Summary: Network Security Services Name: nss Version: 3.12.9 -Release: 2%{?dist} +Release: 3%{?dist} License: MPLv1.1 or GPLv2+ or LGPLv2+ URL: http://www.mozilla.org/projects/security/pki/nss/ Group: System Environment/Libraries @@ -490,6 +490,9 @@ rm -rf $RPM_BUILD_ROOT/%{_includedir}/nss3/nsslowhash.h %{_libdir}/libnssckfw.a %changelog +* Wed Jan 26 2011 Elio Maldonado - 3.12.9-3 +- Update the cacert trust patch per upstream review (#633043) + * Wed Jan 19 2011 Elio Maldonado - 3.12.9-2 - Fix to honor the user's cert trust preferences (#633043) - Remove obsoleted patch