From 612496b72d5703fff72e6514f6d53f67be100055 Mon Sep 17 00:00:00 2001 From: Elio Maldonado Date: Sat, 22 Jan 2011 09:39:22 -0800 Subject: [PATCH] Bug 633043 - nss trusts certificates it shouldn't, fixed - Add patch to honor the user's cert trust preferences (#633043) - Rename nss-sysinit-fix-trustorder.patch honor-user-trust-preferences.patch - Remove nss-sysinit-userdb-first.patch, it's obsoleted by current patch --- honor-user-trust-preferences.patch | 133 +++++++++++++++++++++++++++++ nss-sysinit-fix-trustorder.patch | 30 ------- nss-sysinit-userdb-first.patch | 78 ----------------- nss.spec | 12 +-- 4 files changed, 140 insertions(+), 113 deletions(-) create mode 100644 honor-user-trust-preferences.patch delete mode 100644 nss-sysinit-fix-trustorder.patch delete mode 100755 nss-sysinit-userdb-first.patch diff --git a/honor-user-trust-preferences.patch b/honor-user-trust-preferences.patch new file mode 100644 index 0000000..e9414de --- /dev/null +++ b/honor-user-trust-preferences.patch 
@@ -0,0 +1,133 @@ +Index: ./mozilla/security/nss/lib/pk11wrap/pk11load.c +=================================================================== +RCS file: /cvsroot/mozilla/security/nss/lib/pk11wrap/pk11load.c,v +retrieving revision 1.30 +diff -u -p -r1.30 pk11load.c +--- ./mozilla/security/nss/lib/pk11wrap/pk11load.c 30 Apr 2010 07:22:54 -0000 1.30 ++++ ./mozilla/security/nss/lib/pk11wrap/pk11load.c 22 Jan 2011 05:39:07 -0000 +@@ -178,8 +178,8 @@ secmod_handleReload(SECMODModule *oldMod + char *oldModuleSpec; + + if (secmod_IsInternalKeySlot(newModule)) { +- pk11_SetInternalKeySlot(slot); +- } ++ pk11_FirstInternalKeySlot(slot); ++ } + newID = slot->slotID; + PK11_FreeSlot(slot); + for (thisChild=children, thisID=ids; thisChild && *thisChild; +@@ -550,6 +550,11 @@ secmod_LoadPKCS11Module(SECMODModule *mo + /* look down the slot info table */ + PK11_LoadSlotList(mod->slots[i],mod->slotInfo,mod->slotInfoCount); + SECMOD_SetRootCerts(mod->slots[i],mod); ++ /* explicitly mark the internal slot as such if IsInternalKeySlot() ++ * is set */ ++ if (secmod_IsInternalKeySlot(mod) && (i == (mod->isFIPS ? 
0 : 1))) { ++ pk11_FirstInternalKeySlot(mod->slots[i]); ++ } + } + mod->slotCount = slotCount; + mod->slotInfoCount = 0; +Index: ./mozilla/security/nss/lib/pk11wrap/pk11priv.h +=================================================================== +RCS file: /cvsroot/mozilla/security/nss/lib/pk11wrap/pk11priv.h,v +retrieving revision 1.13 +diff -u -p -r1.13 pk11priv.h +--- ./mozilla/security/nss/lib/pk11wrap/pk11priv.h 27 Oct 2009 23:04:46 -0000 1.13 ++++ ./mozilla/security/nss/lib/pk11wrap/pk11priv.h 22 Jan 2011 05:39:07 -0000 +@@ -115,6 +115,7 @@ void PK11_InitSlot(SECMODModule *mod,CK_ + PRBool PK11_NeedPWInitForSlot(PK11SlotInfo *slot); + SECStatus PK11_ReadSlotCerts(PK11SlotInfo *slot); + void pk11_SetInternalKeySlot(PK11SlotInfo *slot); ++void pk11_FirstInternalKeySlot(PK11SlotInfo *slot); + + /********************************************************************* + * Mechanism Mapping functions +Index: ./mozilla/security/nss/lib/pk11wrap/pk11slot.c +=================================================================== +RCS file: /cvsroot/mozilla/security/nss/lib/pk11wrap/pk11slot.c,v +retrieving revision 1.101 +diff -u -p -r1.101 pk11slot.c +--- ./mozilla/security/nss/lib/pk11wrap/pk11slot.c 3 Apr 2010 18:27:31 -0000 1.101 ++++ ./mozilla/security/nss/lib/pk11wrap/pk11slot.c 22 Jan 2011 05:39:08 -0000 +@@ -1735,6 +1735,15 @@ pk11_SetInternalKeySlot(PK11SlotInfo *sl + pk11InternalKeySlot = slot ? PK11_ReferenceSlot(slot) : NULL; + } + ++void ++pk11_FirstInternalKeySlot(PK11SlotInfo *slot) ++{ ++ if (pk11InternalKeySlot) { ++ return; ++ } ++ pk11InternalKeySlot = slot ? PK11_ReferenceSlot(slot) : NULL; ++} ++ + + /* get the internal key slot. 
FIPS has only one slot for both key slots and + * default slots */ +Index: ./mozilla/security/nss/lib/sysinit/nsssysinit.c +=================================================================== +RCS file: /cvsroot/mozilla/security/nss/lib/sysinit/nsssysinit.c,v +retrieving revision 1.2 +diff -u -p -r1.2 nsssysinit.c +--- ./mozilla/security/nss/lib/sysinit/nsssysinit.c 6 Feb 2010 04:56:37 -0000 1.2 ++++ ./mozilla/security/nss/lib/sysinit/nsssysinit.c 22 Jan 2011 05:39:08 -0000 +@@ -221,7 +221,7 @@ getFIPSMode(void) + * 2 for the key slot, and + * 3 for the crypto operations slot fips + */ +-#define ORDER_FLAGS "trustOrder=75 cipherOrder=100" ++#define ORDER_FLAGS "cipherOrder=100" + #define SLOT_FLAGS \ + "[slotFlags=RSA,RC4,RC2,DES,DH,SHA1,MD5,MD2,SSL,TLS,AES,RANDOM" \ + " askpw=any timeout=30 ]" +@@ -270,7 +270,7 @@ get_list(char *filename, char *stripped_ + "library= " + "module=\"NSS User database\" " + "parameters=\"configdir='sql:%s' %s tokenDescription='NSS user database'\" " +- "NSS=\"%sflags=internal%s\"", ++ "NSS=\"trustOrder=75 %sflags=internal%s\"", + userdb, stripped_parameters, nssflags, + isFIPS ? ",FIPS" : ""); + +@@ -284,30 +284,6 @@ get_list(char *filename, char *stripped_ + userdb, stripped_parameters); + } + +-#if 0 +- /* This doesn't actually work. If we register +- both this and the sysdb (in either order) +- then only one of them actually shows up */ +- +- /* Using a NULL filename as a Boolean flag to +- * prevent registering both an application-defined +- * db and the system db. rhbz #546211. 
+- */ +- PORT_Assert(filename); +- if (sysdb && PL_CompareStrings(filename, sysdb)) +- filename = NULL; +- else if (userdb && PL_CompareStrings(filename, userdb)) +- filename = NULL; +- +- if (filename && !userIsRoot()) { +- module_list[next++] = PR_smprintf( +- "library= " +- "module=\"NSS database\" " +- "parameters=\"configdir='sql:%s' tokenDescription='NSS database sql:%s'\" " +- "NSS=\"%sflags=internal\"",filename, filename, nssflags); +- } +-#endif +- + /* now the system database (always read only unless it's root) */ + if (sysdb) { + const char *readonly = userCanModifySystemDB() ? "" : "flags=readonly"; +@@ -315,7 +291,7 @@ get_list(char *filename, char *stripped_ + "library= " + "module=\"NSS system database\" " + "parameters=\"configdir='sql:%s' tokenDescription='NSS system database' %s\" " +- "NSS=\"%sflags=internal,critical\"",sysdb, readonly, nssflags); ++ "NSS=\"trustOrder=80 %sflags=internal,critical\"",sysdb, readonly, nssflags); + } + + /* that was the last module */ diff --git a/nss-sysinit-fix-trustorder.patch b/nss-sysinit-fix-trustorder.patch deleted file mode 100644 index fe50deb..0000000 --- a/nss-sysinit-fix-trustorder.patch +++ /dev/null 
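Review bot: pk11_FirstInternalKeySlot() in the pk11slot.c part silently ignores every call once pk11InternalKeySlot is set, so which token becomes the internal key slot now depends on module load order, and nothing in the patch documents that. Add a header comment stating the contract, e.g. `/* Set the internal key slot only if none is registered yet; later calls are no-ops. */`, and a line in secmod_LoadPKCS11Module on why index `mod->isFIPS ? 0 : 1` is the key slot. In secmod_handleReload the switch away from pk11_SetInternalKeySlot() means a reload no longer replaces an already registered slot; if the old module's slot can still be the registered one at that point (the rest of the function is outside the hunk), the global would keep pointing at it, so please confirm this is intended. The test-then-assign on the global has no visible locking, which deserves a note if modules can be loaded from more than one thread. nss.spec still leaves the ssl suites disabled, so check that an enabled suite exercises the user-versus-system trust lookup (`trustOrder=75` against `trustOrder=80`).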
@@ -1,30 +0,0 @@ -diff -up ./mozilla/security/nss/lib/sysinit/nsssysinit.c.fixtrust ./mozilla/security/nss/lib/sysinit/nsssysinit.c ---- ./mozilla/security/nss/lib/sysinit/nsssysinit.c.fixtrust 2010-10-15 12:02:51.445637701 -0700 -+++ ./mozilla/security/nss/lib/sysinit/nsssysinit.c 2010-10-15 12:06:52.731762282 -0700 -@@ -221,7 +221,7 @@ getFIPSMode(void) - * 2 for the key slot, and - * 3 for the crypto operations slot fips - */ --#define ORDER_FLAGS "trustOrder=75 cipherOrder=100" -+#define ORDER_FLAGS "cipherOrder=100" - #define SLOT_FLAGS \ - "[slotFlags=RSA,RC4,RC2,DES,DH,SHA1,MD5,MD2,SSL,TLS,AES,RANDOM" \ - " askpw=any timeout=30 ]" -@@ -270,7 +270,7 @@ get_list(char *filename, char *stripped_ - "library= " - "module=\"NSS User database\" " - "parameters=\"configdir='sql:%s' %s tokenDescription='NSS user database'\" " -- "NSS=\"%sflags=internal%s\"", -+ "NSS=\"trustOrder=75 %sflags=internal%s\"", - userdb, stripped_parameters, nssflags, - isFIPS ? ",FIPS" : ""); - -@@ -315,7 +315,7 @@ get_list(char *filename, char *stripped_ - "library= " - "module=\"NSS system database\" " - "parameters=\"configdir='sql:%s' tokenDescription='NSS system database' %s\" " -- "NSS=\"%sflags=internal,critical\"",sysdb, readonly, nssflags); -+ "NSS=\"trustOrder=80 %sflags=internal,critical\"",sysdb, readonly, nssflags); - } - - /* that was the last module */ diff --git a/nss-sysinit-userdb-first.patch b/nss-sysinit-userdb-first.patch deleted file mode 100755 index f3ea0ab..0000000 --- a/nss-sysinit-userdb-first.patch +++ /dev/null 
@@ -1,78 +0,0 @@ -diff -up ./mozilla/security/nss/lib/sysinit/nsssysinit.c.603313 ./mozilla/security/nss/lib/sysinit/nsssysinit.c ---- ./mozilla/security/nss/lib/sysinit/nsssysinit.c.603313 2010-10-15 13:57:42.719738316 -0700 -+++ ./mozilla/security/nss/lib/sysinit/nsssysinit.c 2010-10-15 14:07:51.704637349 -0700 -@@ -263,16 +263,26 @@ get_list(char *filename, char *stripped_ - sysdb = getSystemDB(); - userdb = getUserDB(); - -- /* Don't open root's user DB */ -+ /* return a list of databases to open. First the system database */ -+ if (sysdb) { -+ const char *readonly = userCanModifySystemDB() ? "" : "flags=readonly"; -+ module_list[next++] = PR_smprintf( -+ "library= " -+ "module=\"NSS system database\" " -+ "parameters=\"configdir='sql:%s' tokenDescription='NSS system database' %s\" " -+ "NSS=\"trustOrder=80 %sflags=internal,critical\"", -+ sysdb, readonly, nssflags); -+ } -+ -+ /* Next the user database, but not for root. */ - if (userdb != NULL && !userIsRoot()) { -- /* return a list of databases to open. First the user Database */ - module_list[next++] = PR_smprintf( - "library= " - "module=\"NSS User database\" " - "parameters=\"configdir='sql:%s' %s tokenDescription='NSS user database'\" " -- "NSS=\"trustOrder=75 %sflags=internal%s\"", -- userdb, stripped_parameters, nssflags, -- isFIPS ? ",FIPS" : ""); -+ "NSS=\"trustOrder=75 %sflags=internal%s\"", -+ userdb, stripped_parameters, nssflags, -+ isFIPS ? ",FIPS" : ""); - - /* now open the user's defined PKCS #11 modules */ - /* skip the local user DB entry */ -@@ -281,41 +291,7 @@ get_list(char *filename, char *stripped_ - "module=\"NSS User database\" " - "parameters=\"configdir='sql:%s' %s\" " - "NSS=\"flags=internal,moduleDBOnly,defaultModDB,skipFirst\"", -- userdb, stripped_parameters); -- } -- --#if 0 -- /* This doesn't actually work. 
If we register -- both this and the sysdb (in either order) -- then only one of them actually shows up */ -- -- /* Using a NULL filename as a Boolean flag to -- * prevent registering both an application-defined -- * db and the system db. rhbz #546211. -- */ -- PORT_Assert(filename); -- if (sysdb && PL_CompareStrings(filename, sysdb)) -- filename = NULL; -- else if (userdb && PL_CompareStrings(filename, userdb)) -- filename = NULL; -- -- if (filename && !userIsRoot()) { -- module_list[next++] = PR_smprintf( -- "library= " -- "module=\"NSS database\" " -- "parameters=\"configdir='sql:%s' tokenDescription='NSS database sql:%s'\" " -- "NSS=\"%sflags=internal\"",filename, filename, nssflags); -- } --#endif -- -- /* now the system database (always read only unless it's root) */ -- if (sysdb) { -- const char *readonly = userCanModifySystemDB() ? "" : "flags=readonly"; -- module_list[next++] = PR_smprintf( -- "library= " -- "module=\"NSS system database\" " -- "parameters=\"configdir='sql:%s' tokenDescription='NSS system database' %s\" " -- "NSS=\"trustOrder=80 %sflags=internal,critical\"",sysdb, readonly, nssflags); -+ userdb, stripped_parameters); - } - - /* that was the last module */ diff --git a/nss.spec b/nss.spec index 1602000..8c53cbb 100644 --- a/nss.spec +++ b/nss.spec @@ -6,7 +6,7 @@ Summary: Network Security Services Name: nss Version: 3.12.9 -Release: 1%{?dist} +Release: 2%{?dist} License: MPLv1.1 or GPLv2+ or LGPLv2+ URL: http://www.mozilla.org/projects/security/pki/nss/ Group: System Environment/Libraries @@ -42,8 +42,7 @@ Source12: %{name}-pem-20101125.tar.bz2 Patch3: renegotiate-transitional.patch Patch6: nss-enable-pem.patch Patch7: nsspem-642433.patch -Patch11: nss-sysinit-fix-trustorder.patch -Patch12: nss-sysinit-userdb-first.patch +Patch11: honor-user-trust-preferences.patch %description Network Security Services (NSS) is a set of libraries designed to 
@@ -116,7 +115,6 @@ low level services. %patch6 -p0 -b .libpem %patch7 -p0 -b .642433 %patch11 -p1 -b .643134 -%patch12 -p0 -b .603313 %build @@ -249,7 +247,7 @@ cd ./mozilla/security/nss/tests/ # nss_ssl_tests: crl bypass_normal normal_bypass normal_fips fips_normal iopr # nss_ssl_run: cov auth stress # -# Disable the ssl test suites untl Bug 539183 gets resolved +# Disable the ssl test suites until Bug 539183 is resolved %global nss_ssl_tests " " %global nss_ssl_run " " @@ -492,6 +490,10 @@ rm -rf $RPM_BUILD_ROOT/%{_includedir}/nss3/nsslowhash.h %{_libdir}/libnssckfw.a %changelog +* Wed Jan 19 2011 Elio Maldonado - 3.12.9-2 +- Fix to honor the user's cert trust preferences (#633043) +- Remove obsoleted patch + * Wed Jan 12 2011 Elio Maldonado - 3.12.9-1 - Update to 3.12.9