Cherry-pick from master branch and add modifications to listsuites
This commit is contained in:
parent
0ee7d5581e
commit
91a8b7f9ac
|
@ -0,0 +1,111 @@
|
|||
--- ./cmd/listsuites/listsuites.c.do_queries 2016-05-17 00:58:45.000000000 -0700
|
||||
+++ ./cmd/listsuites/listsuites.c 2016-06-23 09:39:10.563925342 -0700
|
||||
@@ -7,19 +7,48 @@
|
||||
*
|
||||
* Try: ./listsuites | grep -v : | sort -b +4rn -5 +1 -2 +2 -3 +3 -4 +5r -6
|
||||
*/
|
||||
|
||||
#include <errno.h>
|
||||
#include <stdio.h>
|
||||
#include "secport.h"
|
||||
#include "ssl.h"
|
||||
+#include "plgetopt.h"
|
||||
+#include "secutil.h"
|
||||
+#include "utilpars.h"
|
||||
+#include "nspr.h"
|
||||
+#include "nss.h"
|
||||
+
|
||||
+static const char *progName = "listsuites";
|
||||
+char *ignoreVar;
|
||||
+
|
||||
+static char *policy_file_path(char *path)
|
||||
+{
|
||||
+ return (PR_Access(path, PR_ACCESS_READ_OK) == PR_SUCCESS) ? path : "";
|
||||
+}
|
||||
+
|
||||
+static char *ignore_system_policy_value(char *var)
|
||||
+{
|
||||
+ ignoreVar = PR_GetEnvSecure(var);
|
||||
+ return ignoreVar != NULL ? ignoreVar : "";
|
||||
+}
|
||||
+
|
||||
+void Usage(const char *progName)
|
||||
+{
|
||||
+ fprintf(stderr,
|
||||
+ "\nList cipher suites or parse a policy file or query\n"
|
||||
+ "Usage: %s [-i policy_file] file to parse (default is list)\n",
|
||||
+ progName);
|
||||
+ exit(1);
|
||||
+}
|
||||
+
|
||||
|
||||
int
|
||||
-main(int argc, char **argv)
|
||||
+list_suites(void)
|
||||
{
|
||||
const PRUint16 *cipherSuites = SSL_ImplementedCiphers;
|
||||
int i;
|
||||
int errCount = 0;
|
||||
|
||||
fputs("This version of libSSL supports these cipher suites:\n\n", stdout);
|
||||
|
||||
/* disable all the SSL3 cipher suites */
|
||||
@@ -56,8 +85,58 @@
|
||||
info.effectiveKeyBits, info.macAlgorithmName,
|
||||
enabled ? "Enabled" : "Disabled",
|
||||
info.isFIPS ? "FIPS" : "",
|
||||
info.isExportable ? "Export" : "Domestic",
|
||||
info.nonStandard ? "nonStandard" : "");
|
||||
}
|
||||
return errCount;
|
||||
}
|
||||
+
|
||||
+int
|
||||
+main(int argc, char **argv)
|
||||
+{
|
||||
+ PLOptState *optstate = NULL;
|
||||
+ PLOptStatus status;
|
||||
+ SECStatus rv;
|
||||
+ FILE *inFile;
|
||||
+ char *ev, *path;
|
||||
+
|
||||
+ optstate = PL_CreateOptState(argc, argv, "?hi:p:q:lL");
|
||||
+ while ((status = PL_GetNextOpt(optstate)) == PL_OPT_OK) {
|
||||
+ switch (optstate->option) {
|
||||
+ case '?':
|
||||
+ case 'h':
|
||||
+ Usage(progName);
|
||||
+ break;
|
||||
+ case 'p':
|
||||
+ path = (char *)optstate->value;
|
||||
+ fprintf(stdout, "%s=%s\n", path, policy_file_path(path));
|
||||
+ break;
|
||||
+ case 'q':
|
||||
+ ev = (char *)optstate->value;
|
||||
+ fprintf(stdout, "%s=%s\n", ev, ignore_system_policy_value(ev));
|
||||
+ break;
|
||||
+ case 'i':
|
||||
+ rv = SECSuccess;
|
||||
+ inFile = fopen(optstate->value, "r");
|
||||
+ if (!inFile) {
|
||||
+ fprintf(stderr,
|
||||
+ "%s: unable to open \"%s\" for reading\n",
|
||||
+ progName, optstate->value);
|
||||
+ return -1;
|
||||
+ }
|
||||
+ rv = SECFailure;/*ParseCryptoPolicy(optstate->value);*/
|
||||
+ fclose(inFile);
|
||||
+ return (rv == SECSuccess) ? 0 : 1;
|
||||
+ break;
|
||||
+ case 'l':
|
||||
+ case 'L':
|
||||
+ return list_suites();
|
||||
+ break;
|
||||
+ default:
|
||||
+ Usage(progName);
|
||||
+ break;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ return 0;
|
||||
+}
|
|
@ -1,6 +1,26 @@
|
|||
--- ./lib/nss/nssinit.c.ignore_system_policy 2016-06-06 07:57:54.924457084 -0700
|
||||
+++ ./lib/nss/nssinit.c 2016-06-06 08:01:27.753830455 -0700
|
||||
@@ -678,17 +678,18 @@
|
||||
--- ./lib/nss/nssinit.c.cond_ignore 2016-07-01 16:09:21.187499579 -0700
|
||||
+++ ./lib/nss/nssinit.c 2016-07-01 16:19:16.095862425 -0700
|
||||
@@ -529,16 +529,19 @@
|
||||
{
|
||||
SECMODModule *parent = NULL;
|
||||
PKIX_UInt32 actualMinorVersion = 0;
|
||||
PKIX_Error *pkixError = NULL;
|
||||
PRBool isReallyInitted;
|
||||
char *configStrings = NULL;
|
||||
char *configName = NULL;
|
||||
PRBool passwordRequired = PR_FALSE;
|
||||
+#ifdef POLICY_FILE
|
||||
+ char *ignoreVar;
|
||||
+#endif
|
||||
|
||||
/* if we are trying to init with a traditional NSS_Init call, maintain
|
||||
* the traditional idempotent behavior. */
|
||||
if (!initContextPtr && nssIsInitted) {
|
||||
return SECSuccess;
|
||||
}
|
||||
|
||||
/* make sure our lock and condition variable are initialized one and only
|
||||
@@ -678,32 +681,38 @@
|
||||
dbpath = NULL;
|
||||
}
|
||||
if (dbpath) {
|
||||
|
@ -10,13 +30,34 @@
|
|||
}
|
||||
#ifdef POLICY_FILE
|
||||
- if (PR_Access(POLICY_PATH "/" POLICY_FILE, PR_ACCESS_READ_OK) == PR_SUCCESS ) {
|
||||
+ if (!PR_GetEnvSecure("NSS_IGNORE_SYSTEM_POLICY") &&
|
||||
+ PR_Access(POLICY_PATH "/" POLICY_FILE, PR_ACCESS_READ_OK) == PR_SUCCESS) {
|
||||
+ /* Load the system crypo policy file if it exists,
|
||||
+ * unless the NSS_IGNORE_SYSTEM_POLICY environment
|
||||
+ * variable has been set to 1. */
|
||||
+ ignoreVar = PR_GetEnvSecure("NSS_IGNORE_SYSTEM_POLICY");
|
||||
+ if (ignoreVar == NULL || strncmp(ignoreVar, "1", strlen("1")) != 0) {
|
||||
+ if (PR_Access(POLICY_PATH "/" POLICY_FILE, PR_ACCESS_READ_OK) == PR_SUCCESS ) {
|
||||
SECMODModule *module = SECMOD_LoadModule(
|
||||
"name=\"Policy File\" "
|
||||
"parameters=\"configdir='sql:" POLICY_PATH "' "
|
||||
"secmod='" POLICY_FILE "' "
|
||||
"flags=readOnly,noCertDB,forceSecmodChoice,forceOpen\" "
|
||||
"NSS=\"flags=internal,moduleDB,skipFirst,moduleDBOnly,critical\"",
|
||||
parent, PR_TRUE);
|
||||
- parent, PR_TRUE);
|
||||
+ parent, PR_TRUE);
|
||||
if (module) {
|
||||
PRBool isLoaded = module->loaded;
|
||||
SECMOD_DestroyModule(module);
|
||||
if (!isLoaded) {
|
||||
goto loser;
|
||||
}
|
||||
}
|
||||
}
|
||||
+ }
|
||||
#endif
|
||||
pk11sdr_Init();
|
||||
cert_CreateSubjectKeyIDHashTable();
|
||||
|
||||
pkixError = PKIX_Initialize
|
||||
(PKIX_FALSE, PKIX_MAJOR_VERSION, PKIX_MINOR_VERSION,
|
||||
PKIX_MINOR_VERSION, &actualMinorVersion, &plContext);
|
||||
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
diff -up ./nss/cmd/manifest.mn.skip_ecperf ./nss/cmd/manifest.mn
|
||||
--- ./nss/cmd/manifest.mn.noecperf 2016-06-24 08:04:53.891106841 -0700
|
||||
+++ ./nss/cmd/manifest.mn 2016-06-24 08:06:57.186887403 -0700
|
||||
diff -up ./cmd/manifest.mn.skip_ecperf ./cmd/manifest.mn
|
||||
--- ./cmd/manifest.mn.noecperf 2016-06-24 08:04:53.891106841 -0700
|
||||
+++ ./cmd/manifest.mn 2016-06-24 08:06:57.186887403 -0700
|
||||
@@ -42,7 +42,6 @@ NSS_SRCDIRS = \
|
||||
dbtest \
|
||||
derdump \
|
||||
|
|
|
@ -1,11 +1,11 @@
|
|||
diff -up ./external_tests/manifest.mn.skip_util_gtest ./external_tests/manifest.mn
|
||||
--- ./external_tests/manifest.mn.skip_util_gtest 2016-05-21 21:34:56.156346633 -0700
|
||||
+++ ./external_tests/manifest.mn 2016-05-21 21:35:23.408854282 -0700
|
||||
@@ -8,7 +8,6 @@ DEPTH = ..
|
||||
DIRS = \
|
||||
diff -up ./external_tests/manifest.mn.skip_util_pk11_ssl_gtest ./external_tests/manifest.mn
|
||||
--- ./external_tests/manifest.mn.skip_util_pk11_ssl_gtest 2016-06-20 10:11:28.000000000 -0700
|
||||
+++ ./external_tests/manifest.mn 2016-06-26 10:09:55.429858648 -0700
|
||||
@@ -9,7 +9,4 @@ DIRS = \
|
||||
google_test \
|
||||
der_gtest \
|
||||
common \
|
||||
der_gtest \
|
||||
- util_gtest \
|
||||
pk11_gtest \
|
||||
ssl_gtest \
|
||||
- pk11_gtest \
|
||||
- ssl_gtest \
|
||||
$(NULL)
|
||||
|
|
82
nss.spec
82
nss.spec
|
@ -4,9 +4,6 @@
|
|||
%global unsupported_tools_directory %{_libdir}/nss/unsupported-tools
|
||||
%global allTools "certutil cmsutil crlutil derdump modutil pk12util signtool signver ssltap vfychain vfyserv"
|
||||
|
||||
# uncomment to make nss ignore the system policy file
|
||||
%global nss_ignore_system_policy 1
|
||||
|
||||
# solution taken from icedtea-web.spec
|
||||
%define multilib_arches %{power64} sparc64 x86_64 mips64 mips64el
|
||||
%ifarch %{multilib_arches}
|
||||
|
@ -24,7 +21,7 @@ Name: nss
|
|||
Version: 3.25.0
|
||||
# for Rawhide, please always use release >= 2
|
||||
# for Fedora release branches, please use release < 2 (1.0, 1.1, ...)
|
||||
Release: 2%{?dist}
|
||||
Release: 6%{?dist}
|
||||
License: MPLv2.0
|
||||
URL: http://www.mozilla.org/projects/security/pki/nss/
|
||||
Group: System Environment/Libraries
|
||||
|
@ -97,19 +94,13 @@ Patch50: iquote.patch
|
|||
Patch58: rhbz1185708-enable-ecc-3des-ciphers-by-default.patch
|
||||
# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1279520
|
||||
Patch59: nss-check-policy-file.patch
|
||||
# TODO: file a bug usptream
|
||||
# Upstream commit that caused problems with gtests
|
||||
# https://git.fedorahosted.org/cgit/nss-pem.git/commit/
|
||||
# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1279520
|
||||
Patch60: nss-conditionally-ignore-system-policy.patch
|
||||
# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1280846
|
||||
Patch62: nss-skip-util-gtest.patch
|
||||
# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1279520
|
||||
Patch63: tests-check-policy-file.patch
|
||||
# TODO: Under test and could be merged with nss-check-policy-file.patch
|
||||
Patch64: nss-conditionally-ignore-system-policy.patch
|
||||
# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1279520
|
||||
Patch65: tests-data-adjust-for-policy.patch
|
||||
# TODO: file a bug upstream
|
||||
# TODO: file a bug upstream similar to the one for rsaperf
|
||||
Patch70: nss-skip-ecperf.patch
|
||||
|
||||
Patch71: listsuites-do-queries.patch
|
||||
|
||||
%description
|
||||
Network Security Services (NSS) is a set of libraries designed to
|
||||
|
@ -192,12 +183,11 @@ low level services.
|
|||
%patch58 -p0 -b .1185708_3des
|
||||
pushd nss
|
||||
%patch59 -p1 -b .check_policy_file
|
||||
#%patch62 -p0 -b .skip_util_gtest
|
||||
%patch63 -p1 -b .check_policy
|
||||
%patch64 -p0 -b .ignore_system_policy
|
||||
%patch60 -p1 -b .cond_ignore
|
||||
%patch62 -p0 -b .skip_util_gtest
|
||||
%patch70 -p1 -b .skip_ecperf
|
||||
%patch71 -p1 -b .do_queries
|
||||
popd
|
||||
# temporary
|
||||
%patch70 -p0 -b .skip_ecperf
|
||||
|
||||
#########################################################
|
||||
# Higher-level libraries and test tools need access to
|
||||
|
@ -209,9 +199,11 @@ popd
|
|||
# Upstream https://bugzilla.mozilla.org/show_bug.cgi?id=820207
|
||||
%{__cp} ./nss/lib/softoken/lowkeyi.h ./nss/cmd/rsaperf
|
||||
%{__cp} ./nss/lib/softoken/lowkeyti.h ./nss/cmd/rsaperf
|
||||
# TODO: similar problem as descrived above
|
||||
# similar problem to the one described above
|
||||
# ./nss/lib/freebl/ec.h, ./nss/lib/freebl/ecl/ecl-curve.h
|
||||
# the last one requires that NSS_ECC_MORE_THAN_SUITE_B not be defined
|
||||
%{__cp} ./nss/lib/freebl/ec.h ./nss/cmd/ecperf
|
||||
%{__cp} ./nss/lib/freebl/ecl/ecl-curve.h ./nss/cmd/ecperf
|
||||
|
||||
# Before removing util directory we must save verref.h
|
||||
# as it will be needed later during the build phase.
|
||||
|
@ -234,9 +226,6 @@ popd
|
|||
|
||||
%build
|
||||
|
||||
# TODO: remove this when we solve the problems
|
||||
export NSS_DISABLE_GTESTS=1
|
||||
|
||||
NSS_NO_PKCS11_BYPASS=1
|
||||
export NSS_NO_PKCS11_BYPASS
|
||||
|
||||
|
@ -308,23 +297,11 @@ export NSS_BLTEST_NOT_AVAILABLE=1
|
|||
%{__make} -C ./nss/lib/dbm
|
||||
|
||||
# Set the policy file location
|
||||
# if set NSS will always check for the policy file and load it if it exists
|
||||
# TODO: restore the POLICY_FILE and POLICY_PATH exports
|
||||
# if set NSS will always check for the policy file and load if it exists
|
||||
export POLICY_FILE="nss.config"
|
||||
# location of the policy file
|
||||
export POLICY_PATH="/etc/crypto-policies/back-ends"
|
||||
|
||||
# to keep nss from loading the policy file
|
||||
%if %{nss_ignore_system_policy}
|
||||
export NSS_IGNORE_SYSTEM_POLICY=1
|
||||
%else
|
||||
# system policy is enforced
|
||||
pushd nss
|
||||
# change some sslauth.txt entries to expect failure when enforcing policy
|
||||
patch -p1 -b .expected_result < %{PATCH65}
|
||||
popd
|
||||
%endif
|
||||
|
||||
# nss/nssinit.c, ssl/sslcon.c, smime/smimeutil.c and ckfw/builtins/binst.c
|
||||
# need nss/lib/util/verref.h which is exported privately,
|
||||
# copy the one we saved during prep so it they can find it.
|
||||
|
@ -410,10 +387,6 @@ fi
|
|||
|
||||
# Begin -- copied from the build section
|
||||
|
||||
# inform the ssl test scripts that policy is enabled
|
||||
export POLICY_FILE="nss.config"
|
||||
export POLICY_PATH="/etc/crypto-policies/back-ends"
|
||||
|
||||
FREEBL_NO_DEPEND=1
|
||||
export FREEBL_NO_DEPEND
|
||||
|
||||
|
@ -431,13 +404,10 @@ export NSS_BLTEST_NOT_AVAILABLE=1
|
|||
# needed for the fips mangling test
|
||||
export SOFTOKEN_LIB_DIR=%{_libdir}
|
||||
|
||||
# tests need to know we kept nss from loading the policy file
|
||||
%if %{nss_ignore_system_policy}
|
||||
export NSS_IGNORE_SYSTEM_POLICY=1
|
||||
%endif
|
||||
|
||||
# End -- copied from the build section
|
||||
|
||||
export NSS_IGNORE_SYSTEM_POLICY=1
|
||||
|
||||
# enable the following line to force a test failure
|
||||
# find ./nss -name \*.chk | xargs rm -f
|
||||
|
||||
|
@ -481,15 +451,14 @@ pushd ./nss/tests/
|
|||
# nss_cycles: standard pkix upgradedb sharedb
|
||||
# the full list from all.sh is:
|
||||
# "cipher lowhash libpkix cert dbtests tools fips sdr crmf smime ssl ocsp merge pkits chains ec gtests ssl_gtests"
|
||||
# TODO: Add ssl_gtests when we rebase to nss-3.25
|
||||
%define nss_tests "libpkix cert dbtests tools fips sdr crmf smime ssl ocsp merge pkits chains ec gtests ssl_gtests"
|
||||
# nss_ssl_tests: crl bypass_normal normal_bypass normal_fips fips_normal iopr
|
||||
# nss_ssl_run: cov auth stress
|
||||
# nss_ssl_tests: crl bypass_normal normal_bypass normal_fips fips_normal iopr policy
|
||||
# nss_ssl_run: cov auth stapling stress
|
||||
#
|
||||
# Uncomment these lines if you need to temporarily
|
||||
# disable some test suites for faster test builds
|
||||
# global nss_ssl_tests "normal_fips"
|
||||
# global nss_ssl_run "cov auth"
|
||||
# % define nss_ssl_tests "normal_fips"
|
||||
# % define nss_ssl_run "cov"
|
||||
|
||||
SKIP_NSS_TEST_SUITE=`echo $SKIP_NSS_TEST_SUITE`
|
||||
|
||||
|
@ -827,6 +796,17 @@ fi
|
|||
|
||||
|
||||
%changelog
|
||||
* Fri Jul 08 2016 Elio Maldonado <emaldona@redhat.com> - 3.25.0-6
|
||||
- Cherry-pick merge from master branch
|
||||
- Add support for conditionally ignoring the system policy (#1157720)
|
||||
- Remove unneeded test scripts patches in order to run more tests
|
||||
- Remove unneeded test data modifications from the spec file
|
||||
- Remove obsolete patch and spurious lines from the spec file (#1347336)
|
||||
- Add support to listsuites to list ciphers allowed by policy
|
||||
|
||||
* Sun Jun 26 2016 Elio Maldonado <emaldona@redhat.com> - 3.25.0-3
|
||||
- Cleanup spec file and patches and add references to bugs filed upstream
|
||||
|
||||
* Fri Jun 24 2016 Elio Maldonado <emaldona@redhat.com> - 3.25.0-2
|
||||
- Rebase to nss 3.25
|
||||
|
||||
|
|
Loading…
Reference in New Issue