diff --git a/nss-conditionally-ignore-system-policy.patch b/nss-conditionally-ignore-system-policy.patch
index 69ae0df..dc03f48 100644
--- a/nss-conditionally-ignore-system-policy.patch
+++ b/nss-conditionally-ignore-system-policy.patch
@@ -1,6 +1,54 @@ ---- ./lib/nss/nssinit.c.cond_ignore 2016-07-01 16:09:21.187499579 -0700 -+++ ./lib/nss/nssinit.c 2016-07-01 16:19:16.095862425 -0700 -@@ -529,16 +529,19 @@ +--- ./lib/nss/nssinit.c.cond_ignore 2016-07-14 06:07:08.607951998 -0700 ++++ ./lib/nss/nssinit.c 2016-07-14 06:11:07.698966728 -0700 +@@ -427,23 +427,21 @@ + if (lsecmodName) PORT_Free(lsecmodName); + if (lupdateDir) PORT_Free(lupdateDir); + if (lupdCertPrefix) PORT_Free(lupdCertPrefix); + if (lupdKeyPrefix) PORT_Free(lupdKeyPrefix); + if (lupdateID) PORT_Free(lupdateID); + if (lupdateName) PORT_Free(lupdateName); + + if (moduleSpec) { +- module = SECMOD_LoadModule(moduleSpec,NULL,PR_TRUE); ++ module = SECMOD_LoadModule(moduleSpec, NULL, PR_TRUE); + PR_smprintf_free(moduleSpec); +- if (module) { +- if (!module->loaded) { +- SECMOD_DestroyModule(module); +- module = NULL; +- } ++ if (module && !module->loaded) { ++ SECMOD_DestroyModule(module); ++ return NULL; + } + } + return module; + } + + /* + * OK there are now lots of options here, lets go through them all: + * +@@ -511,41 +509,44 @@ + return PR_FAILURE; + } + return PR_SUCCESS; + } + + + static SECStatus + nss_Init(const char *configdir, const char *certPrefix, const char *keyPrefix, +- const char *secmodName, const char *updateDir, ++ const char *secmodName, const char *updateDir, + const char *updCertPrefix, const char *updKeyPrefix, + const char *updateID, const char *updateName, + NSSInitContext ** initContextPtr, + NSSInitParameters *initParams, +- PRBool readOnly, PRBool noCertDB, ++ PRBool readOnly, PRBool noCertDB, + PRBool noModDB, PRBool forceOpen, PRBool noRootInit, + PRBool optimizeSpace, PRBool noSingleThreadedModules, + PRBool allowAlreadyInitializedModules, + PRBool dontFinalizeModules) { SECMODModule *parent = NULL; PKIX_UInt32 actualMinorVersion = 0; 
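Review bot: The inner hunks at nssinit.c 427 and 511 carry only whitespace and brace-style cleanups (`SECMOD_LoadModule(moduleSpec, NULL, PR_TRUE)`, the trailing spaces on the nss_Init parameter lines) that have nothing to do with the NSS_IGNORE_SYSTEM_POLICY switch this downstream patch exists for. The commit message says these were requested in upstream review, so they are presumably deliberate, but every unrelated hunk is one more conflict at the next rebase and a short preamble in the .patch file naming the upstream bug it tracks (the spec's #1157720) would let the next maintainer tell feature lines from cleanup. The `if (module && !module->loaded)` rewrite itself is behaviour-preserving, since the old path set `module = NULL` and fell through to the same `return module`. nss_InitModules begins before this hunk.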
@@ -18,9 +66,41 @@ if (!initContextPtr && nssIsInitted) { return SECSuccess; } - +- ++ /* make sure our lock and condition variable are initialized one and only -@@ -678,32 +681,38 @@ + * one time */ + if (PR_CallOnce(&nssInitOnce, nss_doLockInit) != PR_SUCCESS) { + return SECFailure; + } + + /* + * if we haven't done basic initialization, single thread the +@@ -632,20 +633,20 @@ + configStrings = pk11_config_strings; + configName = pk11_config_name; + passwordRequired = pk11_password_required; + } + + /* Skip the module init if we are already initted and we are trying + * to init with noCertDB and noModDB */ + if (!(isReallyInitted && noCertDB && noModDB)) { +- parent = nss_InitModules(configdir, certPrefix, keyPrefix, secmodName, +- updateDir, updCertPrefix, updKeyPrefix, updateID, ++ parent = nss_InitModules(configdir, certPrefix, keyPrefix, secmodName, ++ updateDir, updCertPrefix, updKeyPrefix, updateID, + updateName, configName, configStrings, passwordRequired, +- readOnly, noCertDB, noModDB, forceOpen, optimizeSpace, ++ readOnly, noCertDB, noModDB, forceOpen, optimizeSpace, + (initContextPtr != NULL)); + + if (parent == NULL) { + goto loser; + } + } + + +@@ -678,50 +679,54 @@ dbpath = NULL; } if (dbpath) { 
@@ -30,12 +110,12 @@ } #ifdef POLICY_FILE - if (PR_Access(POLICY_PATH "/" POLICY_FILE, PR_ACCESS_READ_OK) == PR_SUCCESS ) { -+ /* Load the system crypo policy file if it exists, ++ /* Load the system crypto policy file if it exists, + * unless the NSS_IGNORE_SYSTEM_POLICY environment + * variable has been set to 1. */ + ignoreVar = PR_GetEnvSecure("NSS_IGNORE_SYSTEM_POLICY"); -+ if (ignoreVar == NULL || strncmp(ignoreVar, "1", strlen("1")) != 0) { -+ if (PR_Access(POLICY_PATH "/" POLICY_FILE, PR_ACCESS_READ_OK) == PR_SUCCESS ) { ++ if (ignoreVar == NULL || strncmp(ignoreVar, "1", sizeof("1")) != 0) { ++ if (PR_Access(POLICY_PATH "/" POLICY_FILE, PR_ACCESS_READ_OK) == PR_SUCCESS) { SECMODModule *module = SECMOD_LoadModule( "name=\"Policy File\" " "parameters=\"configdir='sql:" POLICY_PATH "' "
@@ -61,3 +141,21 @@ (PKIX_FALSE, PKIX_MAJOR_VERSION, PKIX_MINOR_VERSION, PKIX_MINOR_VERSION, &actualMinorVersion, &plContext); + if (pkixError != NULL) { + goto loser; + } else { + char *ev = PR_GetEnvSecure("NSS_ENABLE_PKIX_VERIFY"); + if (ev && ev[0]) { + CERT_SetUsePKIXForValidation(PR_TRUE); + } + } +- +- + } + + /* + * Now mark the appropriate init state. If initContextPtr was passed + * in, then return the new context pointer and add it to the + * nssInitContextList. Otherwise set the global nss_isInitted flag + */ + PZ_Lock(nssInitLock);
diff --git a/nss.spec b/nss.spec
index e6ce21b..ae59b85 100644
--- a/nss.spec
+++ b/nss.spec
@@ -794,7 +794,7 @@ fi %changelog -* Wed Jul 13 2016 Elio Maldonado - 3.25.0-6 +* Thu Jul 14 2016 Elio Maldonado - 3.25.0-6 - Incorporate some changes requested in upstream review and commited upstream (#1157720) * Fri Jul 01 2016 Elio Maldonado - 3.25.0-5
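Review bot: `strncmp(ignoreVar, "1", sizeof("1"))` in the new condition is correct but obscure: sizeof("1") is 2, so the terminating NUL takes part in the comparison and only a value of exactly "1" disables the policy load (the earlier `strlen("1")` bound accepted anything starting with "1", such as "10"), yet a sizeof bound on strncmp reads like an off-by-one and will draw the same question at every future review. `if (ignoreVar == NULL || strcmp(ignoreVar, "1") != 0) {` states that intent directly with identical behaviour. The comment above it could say so too, e.g. `* variable has been set to exactly "1"; any other value keeps the policy. */`, since the opt-out is a security-relevant switch and the exact-match rule is what makes `NSS_IGNORE_SYSTEM_POLICY=0` or an empty value keep the system policy. PR_GetEnvSecure looks like the right accessor here, as it is meant to ignore the environment for privileged processes, so the opt-out cannot be injected into setuid callers; the `if` block opened in this hunk closes beyond it.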
@@ -824,7 +824,7 @@ fi - Resolves: Bug 1342158 - nss-3.24 does no longer support ssl V2, installation of IPA fails because nss init fails * Sun May 29 2016 Elio Maldonado - 3.24.0-2.1 -- Rebase to NSS 3.24.0 +- Rebase to NSS 3.24.0 - Restore setting the policy file location - Make ssl tests scripts aware of policy - Ajust tests data expected result for policy