From 882fcb9fcf0e440b8d614257d78749fc10f3fd74 Mon Sep 17 00:00:00 2001 From: Elio Maldonado Date: Fri, 11 Feb 2011 07:56:25 -0800 Subject: [PATCH] Fix fips mode switch handling bug detected while running JSS tests Fix NSS to swap the internal key slot on fips mode switches Fix white space usage in cpp reserved words patch per reviewer request --- dont-use-cpp-reserved-words.patch | 2 +- nss.spec | 3 + swap-internal-key-slot.patch | 97 +++++++++++++++++++++++++++++++ 3 files changed, 101 insertions(+), 1 deletion(-) create mode 100644 swap-internal-key-slot.patch diff --git a/dont-use-cpp-reserved-words.patch b/dont-use-cpp-reserved-words.patch index 8c7d336..c476494 100644 --- a/dont-use-cpp-reserved-words.patch +++ b/dont-use-cpp-reserved-words.patch @@ -12,7 +12,7 @@ diff -up ./mozilla/security/nss/lib/smime/cmscinfo.c.676036 ./mozilla/security/n - cinfo->private = PORT_ZNew(NSSCMSContentInfoPrivate); - return (cinfo->private) ? SECSuccess: SECFailure; + cinfo->privateInfo = PORT_ZNew(NSSCMSContentInfoPrivate); -+ return (cinfo->privateInfo) ? SECSuccess: SECFailure; ++ return (cinfo->privateInfo) ? SECSuccess : SECFailure; } diff --git a/nss.spec b/nss.spec index 7c4f4b4..afcb629 100644 --- a/nss.spec +++ b/nss.spec @@ -46,6 +46,7 @@ Patch11: honor-user-trust-preferences.patch Patch12: allow-content-types-beyond-smime.patch Patch13: nss-recurse.patch Patch14: dont-use-cpp-reserved-words.patch +Patch15: swap-internal-key-slot.patch %description Network Security Services (NSS) is a set of libraries designed to @@ -121,6 +122,7 @@ low level services. %patch12 -p1 -b .contenttypes %patch13 -p1 -b .recurse %patch14 -p1 -b .676036 +%patch15 -p1 -b .jss %build 
@@ -500,6 +502,7 @@ rm -rf $RPM_BUILD_ROOT/%{_includedir}/nss3/nsslowhash.h * Thu Feb 10 2011 Elio Maldonado - 3.12.9-10 - Fix cms headers to not use c++ reserved words (#676036) - Reenabling Bug 499444 patches +- Fix to swap internal key slot on fips mode switches * Tue Feb 08 2011 Elio Maldonado - 3.12.9-9 - Revert patches for 499444 until all c++ reserved words are found and extirpated diff --git a/swap-internal-key-slot.patch b/swap-internal-key-slot.patch new file mode 100644 index 0000000..ead072e --- /dev/null +++ b/swap-internal-key-slot.patch 
@@ -0,0 +1,97 @@
+diff -up ./mozilla/security/nss/lib/pk11wrap/pk11pars.c.jss ./mozilla/security/nss/lib/pk11wrap/pk11pars.c
+--- ./mozilla/security/nss/lib/pk11wrap/pk11pars.c.jss 2011-02-11 07:45:38.324083242 -0800
++++ ./mozilla/security/nss/lib/pk11wrap/pk11pars.c 2011-02-11 07:48:14.514166538 -0800
+@@ -258,6 +258,19 @@ secmod_IsInternalKeySlot(SECMODModule *m
+ return (flags & SECMOD_FLAG_INTERNAL_KEY_SLOT) ? PR_TRUE : PR_FALSE;
+ }
+
++void
++secmod_SetInternalKeySlotFlag(SECMODModule *mod, PRBool val)
++{
++ char flags = (char) mod->internal;
++
++ if (val) {
++ flags |= SECMOD_FLAG_INTERNAL_KEY_SLOT;
++ } else {
++ flags &= ~SECMOD_FLAG_INTERNAL_KEY_SLOT;
++ }
++ mod->internal = flags;
++}
++
+ /* forward declarations */
+ static int secmod_escapeSize(const char *string, char quote);
+ static char *secmod_addEscape(const char *string, char quote);
+diff -up ./mozilla/security/nss/lib/pk11wrap/pk11priv.h.jss ./mozilla/security/nss/lib/pk11wrap/pk11priv.h
+--- ./mozilla/security/nss/lib/pk11wrap/pk11priv.h.jss 2011-02-11 07:47:45.037226877 -0800
++++ ./mozilla/security/nss/lib/pk11wrap/pk11priv.h 2011-02-11 07:48:28.854164207 -0800
+@@ -115,6 +115,7 @@ void PK11_InitSlot(SECMODModule *mod,CK_
+ PRBool PK11_NeedPWInitForSlot(PK11SlotInfo *slot);
+ SECStatus PK11_ReadSlotCerts(PK11SlotInfo *slot);
+ void pk11_SetInternalKeySlot(PK11SlotInfo *slot);
++PK11SlotInfo *pk11_SwapInternalKeySlot(PK11SlotInfo *slot);
+ void pk11_SetInternalKeySlotIfFirst(PK11SlotInfo *slot);
+
+ /*********************************************************************
+diff -up ./mozilla/security/nss/lib/pk11wrap/pk11slot.c.jss ./mozilla/security/nss/lib/pk11wrap/pk11slot.c
+--- ./mozilla/security/nss/lib/pk11wrap/pk11slot.c.jss 2011-02-11 07:41:11.258746774 -0800
++++ ./mozilla/security/nss/lib/pk11wrap/pk11slot.c 2011-02-11 07:48:51.291595867 -0800
+@@ -1755,6 +1755,18 @@ pk11_SetInternalKeySlotIfFirst(PK11SlotI
+ pk11InternalKeySlot = slot ? PK11_ReferenceSlot(slot) : NULL;
+ }
+
++/*
++ * Swap out a default internal keyslot. Caller owns the Slot Reference
++ */
++PK11SlotInfo *
++pk11_SwapInternalKeySlot(PK11SlotInfo *slot)
++{
++ PK11SlotInfo *swap = pk11InternalKeySlot;
++
++ pk11InternalKeySlot = slot ? PK11_ReferenceSlot(slot) : NULL;
++ return swap;
++}
++
+
+ /* get the internal key slot. FIPS has only one slot for both key slots and
+ * default slots */
+diff -up ./mozilla/security/nss/lib/pk11wrap/pk11util.c.jss ./mozilla/security/nss/lib/pk11wrap/pk11util.c
+--- ./mozilla/security/nss/lib/pk11wrap/pk11util.c.jss 2011-02-11 07:40:23.748066635 -0800
++++ ./mozilla/security/nss/lib/pk11wrap/pk11util.c 2011-02-11 07:49:19.674611909 -0800
+@@ -483,13 +483,25 @@ SECMOD_DeleteInternalModule(const char *
+ NULL, SECMOD_FIPS_FLAGS);
+ }
+ if (newModule) {
++ PK11SlotInfo *slot;
+ newModule->libraryParams =
+ PORT_ArenaStrdup(newModule->arena,mlp->module->libraryParams);
++ /* if an explicit internal key slot has been set, reset it */
++ slot = pk11_SwapInternalKeySlot(NULL);
++ if (slot) {
++ secmod_SetInternalKeySlotFlag(newModule, PR_TRUE);
++ }
+ rv = SECMOD_AddModule(newModule);
+ if (rv != SECSuccess) {
++ /* load failed, restore the internal key slot */
++ pk11_SetInternalKeySlot(slot);
+ SECMOD_DestroyModule(newModule);
+ newModule = NULL;
+ }
++ /* free the old explicit internal key slot, we now have a new one */
++ if (slot) {
++ PK11_FreeSlot(slot);
++ }
+ }
+ if (newModule == NULL) {
+ SECMODModuleList *last = NULL,*mlp2;
+diff -up ./mozilla/security/nss/lib/pk11wrap/secmodi.h.jss ./mozilla/security/nss/lib/pk11wrap/secmodi.h
+--- ./mozilla/security/nss/lib/pk11wrap/secmodi.h.jss 2011-02-11 07:39:04.685590962 -0800
++++ ./mozilla/security/nss/lib/pk11wrap/secmodi.h 2011-02-11 07:49:28.120021571 -0800
+@@ -90,6 +90,8 @@ SECStatus secmod_LoadPKCS11Module(SECMOD
+ SECStatus SECMOD_UnloadModule(SECMODModule *);
+ void SECMOD_SetInternalModule(SECMODModule *);
+ PRBool secmod_IsInternalKeySlot(SECMODModule *);
++void secmod_SetInternalKeySlotFlag(SECMODModule *mod, PRBool val);
++
+
+ /* tools for checking if we are loading the same database twice */
+ typedef struct SECMODConfigListStr SECMODConfigList;
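Review bot: In the pk11util.c part of this patch, `pk11_SwapInternalKeySlot(NULL)` leaves the global internal key slot unset until `SECMOD_AddModule(newModule)` returns, and no lock is taken in the lines shown here or in the new swap function in pk11slot.c, so a thread that reads the internal key slot during the FIPS mode switch could observe it as NULL; the function comment should say who serializes this, e.g. `/* Not synchronized: caller must serialize against other users of pk11InternalKeySlot */`. On the failure path `PK11_FreeSlot(slot)` runs right after `pk11_SetInternalKeySlot(slot)`, which is only safe if that setter takes its own reference; its body is not in the patch, so this is worth confirming and noting in a comment. `Caller owns the Slot Reference` would read more clearly as `/* Returns the previous slot; its reference passes to the caller, who must PK11_FreeSlot() it */`, and the trailing `we now have a new one` comment is not true on the failure path. SECMOD_DeleteInternalModule starts and ends outside the hunk, so locking taken elsewhere in it cannot be ruled out.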