Cherry-pick from master branch and add modifications to listsuites

2016-07-08 11:59:51 -07:00 · 2016-07-08 11:59:51 -07:00 · 91a8b7f9ac
parent 0ee7d5581e
commit 91a8b7f9ac
5 changed files with 200 additions and 68 deletions
--- a/listsuites-do-queries.patch
+++ b/listsuites-do-queries.patch
@ -0,0 +1,111 @@
+--- ./cmd/listsuites/listsuites.c.do_queries	2016-05-17 00:58:45.000000000 -0700
+++ ./cmd/listsuites/listsuites.c	2016-06-23 09:39:10.563925342 -0700
+@@ -7,19 +7,48 @@
+  *
+  * Try: ./listsuites | grep -v : | sort -b +4rn -5 +1 -2 +2 -3 +3 -4 +5r -6
+  */
+ 
+ #include <errno.h>
+ #include <stdio.h>
+ #include "secport.h"
+ #include "ssl.h"
+#include "plgetopt.h"
+#include "secutil.h"
+#include "utilpars.h"
+#include "nspr.h"
+#include "nss.h"
+
+static const char *progName = "listsuites";
+char *ignoreVar;
+
+static char *policy_file_path(char *path)
+{
+    return (PR_Access(path, PR_ACCESS_READ_OK) == PR_SUCCESS) ? path : "";
+}
+
+static char *ignore_system_policy_value(char *var)
+{
+    ignoreVar = PR_GetEnvSecure(var);
+    return ignoreVar != NULL ? ignoreVar : "";
+}
+
+void Usage(const char *progName)
+{
+    fprintf(stderr,
+            "\nList cipher suites or parse a policy file or query\n"
+            "Usage: %s [-i policy_file] file to parse (default is list)\n",
+            progName);
+    exit(1);
+}
+
+ 
+ int
+-main(int argc, char **argv)
+list_suites(void)
+ {
+     const PRUint16 *cipherSuites = SSL_ImplementedCiphers;
+     int i;
+     int errCount = 0;
+ 
+     fputs("This version of libSSL supports these cipher suites:\n\n", stdout);
+ 
+     /* disable all the SSL3 cipher suites */
+@@ -56,8 +85,58 @@
+                 info.effectiveKeyBits, info.macAlgorithmName,
+                 enabled ? "Enabled" : "Disabled",
+                 info.isFIPS ? "FIPS" : "",
+                 info.isExportable ? "Export" : "Domestic",
+                 info.nonStandard ? "nonStandard" : "");
+     }
+     return errCount;
+ }
+
+int
+main(int argc, char **argv)
+{
+    PLOptState *optstate = NULL;
+    PLOptStatus status;
+    SECStatus rv;
+    FILE *inFile;
+    char *ev, *path;
+
+    optstate = PL_CreateOptState(argc, argv, "?hi:p:q:lL");
+    while ((status = PL_GetNextOpt(optstate)) == PL_OPT_OK) {
+        switch (optstate->option) {
+            case '?':
+            case 'h':
+                Usage(progName);
+                break;
+            case 'p':
+                path = (char *)optstate->value;
+                fprintf(stdout, "%s=%s\n", path, policy_file_path(path));
+                break;
+            case 'q':
+                ev = (char *)optstate->value;
+                fprintf(stdout, "%s=%s\n", ev, ignore_system_policy_value(ev));
+                break;
+            case 'i':
+                rv = SECSuccess;
+                inFile = fopen(optstate->value, "r");
+                if (!inFile) {
+                    fprintf(stderr,
+                            "%s: unable to open \"%s\" for reading\n",
+                            progName, optstate->value);
+                            return -1;
+                }
+                rv = SECFailure;/*ParseCryptoPolicy(optstate->value);*/
+                fclose(inFile);
+                return (rv == SECSuccess) ? 0 : 1;
+                break;
+            case 'l':
+            case 'L':
+                return list_suites();
+                break;
+            default:
+                Usage(progName);
+             break;
+        }
+    }
+
+    return 0;
+}
--- a/nss-conditionally-ignore-system-policy.patch
+++ b/nss-conditionally-ignore-system-policy.patch
@ -1,6 +1,26 @@
--- ./lib/nss/nssinit.c.ignore_system_policy	2016-06-06 07:57:54.924457084 -0700
-+++ ./lib/nss/nssinit.c	2016-06-06 08:01:27.753830455 -0700
-@@ -678,17 +678,18 @@
+--- ./lib/nss/nssinit.c.cond_ignore	2016-07-01 16:09:21.187499579 -0700
+++ ./lib/nss/nssinit.c	2016-07-01 16:19:16.095862425 -0700
+@@ -529,16 +529,19 @@
+ {
+     SECMODModule *parent = NULL;
+     PKIX_UInt32 actualMinorVersion = 0;
+     PKIX_Error *pkixError = NULL;
+     PRBool isReallyInitted;
+     char *configStrings = NULL;
+     char *configName = NULL;
+     PRBool passwordRequired = PR_FALSE;
+#ifdef POLICY_FILE
+    char *ignoreVar;
+#endif
+ 
+     /* if we are trying to init with a traditional NSS_Init call, maintain
+      * the traditional idempotent behavior. */
+     if (!initContextPtr && nssIsInitted) {
+ 	return SECSuccess;
+     }
+   
+     /* make sure our lock and condition variable are initialized one and only
+@@ -678,32 +681,38 @@
 		    dbpath = NULL;
 		}
 		if (dbpath) {
@ -10,13 +30,34 @@
 	}
 #ifdef POLICY_FILE
 -        if (PR_Access(POLICY_PATH "/" POLICY_FILE, PR_ACCESS_READ_OK) == PR_SUCCESS ) {
-+        if (!PR_GetEnvSecure("NSS_IGNORE_SYSTEM_POLICY") &&
-+            PR_Access(POLICY_PATH "/" POLICY_FILE, PR_ACCESS_READ_OK) == PR_SUCCESS) {
+	/* Load the system crypo policy file if it exists,
+	 * unless the NSS_IGNORE_SYSTEM_POLICY environment
+	 * variable has been set to 1. */
+	ignoreVar = PR_GetEnvSecure("NSS_IGNORE_SYSTEM_POLICY");
+	if (ignoreVar == NULL || strncmp(ignoreVar, "1", strlen("1")) != 0) {
+	    if (PR_Access(POLICY_PATH "/" POLICY_FILE, PR_ACCESS_READ_OK) == PR_SUCCESS ) {
 	    SECMODModule *module = SECMOD_LoadModule(
 		"name=\"Policy File\" "
 		"parameters=\"configdir='sql:" POLICY_PATH "' "
 		"secmod='" POLICY_FILE "' "
 		"flags=readOnly,noCertDB,forceSecmodChoice,forceOpen\" "
 		"NSS=\"flags=internal,moduleDB,skipFirst,moduleDBOnly,critical\"",
- 		parent, PR_TRUE); 
+-		parent, PR_TRUE); 
+		parent, PR_TRUE);
 	    if (module) {
+ 		PRBool isLoaded = module->loaded;
+ 		SECMOD_DestroyModule(module);
+ 		if (!isLoaded) {
+ 		    goto loser;
+ 		}
+ 	    }
+ 	}
+    }
+ #endif
+ 	pk11sdr_Init();
+ 	cert_CreateSubjectKeyIDHashTable();
+ 
+ 	pkixError = PKIX_Initialize
+ 	    (PKIX_FALSE, PKIX_MAJOR_VERSION, PKIX_MINOR_VERSION,
+ 	    PKIX_MINOR_VERSION, &actualMinorVersion, &plContext);
+ 
--- a/nss-skip-ecperf.patch
+++ b/nss-skip-ecperf.patch
@ -1,6 +1,6 @@
-diff -up ./nss/cmd/manifest.mn.skip_ecperf ./nss/cmd/manifest.mn
--- ./nss/cmd/manifest.mn.noecperf	2016-06-24 08:04:53.891106841 -0700
-+++ ./nss/cmd/manifest.mn	2016-06-24 08:06:57.186887403 -0700
+diff -up ./cmd/manifest.mn.skip_ecperf ./cmd/manifest.mn
+--- ./cmd/manifest.mn.noecperf	2016-06-24 08:04:53.891106841 -0700
+++ ./cmd/manifest.mn	2016-06-24 08:06:57.186887403 -0700
@@ -42,7 +42,6 @@ NSS_SRCDIRS = \
  dbtest \
  derdump  \
--- a/nss-skip-util-gtest.patch
+++ b/nss-skip-util-gtest.patch
@ -1,11 +1,11 @@
-diff -up ./external_tests/manifest.mn.skip_util_gtest ./external_tests/manifest.mn
--- ./external_tests/manifest.mn.skip_util_gtest	2016-05-21 21:34:56.156346633 -0700
-+++ ./external_tests/manifest.mn	2016-05-21 21:35:23.408854282 -0700
-@@ -8,7 +8,6 @@ DEPTH      = ..
- DIRS = \
+diff -up ./external_tests/manifest.mn.skip_util_pk11_ssl_gtest ./external_tests/manifest.mn
+--- ./external_tests/manifest.mn.skip_util_pk11_ssl_gtest	2016-06-20 10:11:28.000000000 -0700
+++ ./external_tests/manifest.mn	2016-06-26 10:09:55.429858648 -0700
+@@ -9,7 +9,4 @@ DIRS = \
 	google_test \
-         der_gtest \
+ 	common \
+ 	der_gtest \
 -	util_gtest \
-         pk11_gtest \
-         ssl_gtest \
+-	pk11_gtest \
+-	ssl_gtest \
 	$(NULL)
--- a/nss.spec
+++ b/nss.spec
@ -4,9 +4,6 @@
 %global unsupported_tools_directory %{_libdir}/nss/unsupported-tools
 %global allTools "certutil cmsutil crlutil derdump modutil pk12util signtool signver ssltap vfychain vfyserv"

-# uncomment to make nss ignore the system policy file
-%global nss_ignore_system_policy 1
-
 # solution taken from icedtea-web.spec
 %define multilib_arches %{power64} sparc64 x86_64 mips64 mips64el
 %ifarch %{multilib_arches}
@ -24,7 +21,7 @@ Name:             nss
 Version:          3.25.0
 # for Rawhide, please always use release >= 2
 # for Fedora release branches, please use release < 2 (1.0, 1.1, ...)
-Release:          2%{?dist}
+Release:          6%{?dist}
 License:          MPLv2.0
 URL:              http://www.mozilla.org/projects/security/pki/nss/
 Group:            System Environment/Libraries
@ -97,19 +94,13 @@ Patch50:          iquote.patch
 Patch58: rhbz1185708-enable-ecc-3des-ciphers-by-default.patch
 # Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1279520
 Patch59: nss-check-policy-file.patch
-# TODO: file a bug usptream
-# Upstream commit that caused problems with gtests
-# https://git.fedorahosted.org/cgit/nss-pem.git/commit/
+# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1279520
+Patch60: nss-conditionally-ignore-system-policy.patch
+# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1280846
 Patch62: nss-skip-util-gtest.patch
-# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1279520
-Patch63: tests-check-policy-file.patch
-# TODO: Under test and could be merged with nss-check-policy-file.patch
-Patch64: nss-conditionally-ignore-system-policy.patch
-# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1279520
-Patch65: tests-data-adjust-for-policy.patch
-# TODO: file a bug upstream
+# TODO: file a bug upstream similar to the one for rsaperf
 Patch70: nss-skip-ecperf.patch
-
+Patch71: listsuites-do-queries.patch

 %description
 Network Security Services (NSS) is a set of libraries designed to
@ -192,12 +183,11 @@ low level services.
 %patch58 -p0 -b .1185708_3des
 pushd nss
 %patch59 -p1 -b .check_policy_file
-#%patch62 -p0 -b .skip_util_gtest
-%patch63 -p1 -b .check_policy
-%patch64 -p0 -b .ignore_system_policy
+%patch60 -p1 -b .cond_ignore
+%patch62 -p0 -b .skip_util_gtest
+%patch70 -p1 -b .skip_ecperf
+%patch71 -p1 -b .do_queries
 popd
-# temporary
-%patch70 -p0 -b .skip_ecperf

 #########################################################
 # Higher-level libraries and test tools need access to
@ -209,9 +199,11 @@ popd
 # Upstream https://bugzilla.mozilla.org/show_bug.cgi?id=820207
 %{__cp} ./nss/lib/softoken/lowkeyi.h ./nss/cmd/rsaperf
 %{__cp} ./nss/lib/softoken/lowkeyti.h ./nss/cmd/rsaperf
-# TODO: similar problem as descrived above
+# similar problem to the one described above
 # ./nss/lib/freebl/ec.h, ./nss/lib/freebl/ecl/ecl-curve.h
 # the last one requires that NSS_ECC_MORE_THAN_SUITE_B not be defined
+%{__cp} ./nss/lib/freebl/ec.h ./nss/cmd/ecperf
+%{__cp} ./nss/lib/freebl/ecl/ecl-curve.h ./nss/cmd/ecperf

 # Before removing util directory we must save verref.h
 # as it will be needed later during the build phase.
@ -234,9 +226,6 @@ popd

 %build

-# TODO: remove this when we solve the problems
-export NSS_DISABLE_GTESTS=1
-
 NSS_NO_PKCS11_BYPASS=1
 export NSS_NO_PKCS11_BYPASS

@ -308,23 +297,11 @@ export NSS_BLTEST_NOT_AVAILABLE=1
 %{__make} -C ./nss/lib/dbm

 # Set the policy file location
-# if set NSS will always check for the policy file and load it if it exists
-# TODO: restore the POLICY_FILE and POLICY_PATH exports
+# if set NSS will always check for the policy file and load if it exists
 export POLICY_FILE="nss.config"
 # location of the policy file
 export POLICY_PATH="/etc/crypto-policies/back-ends"

-# to keep nss from loading the policy file
-%if %{nss_ignore_system_policy}
-export NSS_IGNORE_SYSTEM_POLICY=1
-%else
-# system policy is enforced
-pushd nss
-# change some sslauth.txt entries to expect failure when enforcing policy
-patch -p1 -b .expected_result < %{PATCH65}
-popd
-%endif
-
 # nss/nssinit.c, ssl/sslcon.c, smime/smimeutil.c and ckfw/builtins/binst.c
 # need nss/lib/util/verref.h which is exported privately,
 # copy the one we saved during prep so it they can find it.
@ -410,10 +387,6 @@ fi

 # Begin -- copied from the build section

-# inform the ssl test scripts that policy is enabled
-export POLICY_FILE="nss.config"
-export POLICY_PATH="/etc/crypto-policies/back-ends"
-
 FREEBL_NO_DEPEND=1
 export FREEBL_NO_DEPEND

@ -431,13 +404,10 @@ export NSS_BLTEST_NOT_AVAILABLE=1
 # needed for the fips mangling test
 export SOFTOKEN_LIB_DIR=%{_libdir}

-# tests need to know we kept nss from loading the policy file
-%if %{nss_ignore_system_policy}
-export NSS_IGNORE_SYSTEM_POLICY=1
-%endif
-
 # End -- copied from the build section

+export NSS_IGNORE_SYSTEM_POLICY=1
+
 # enable the following line to force a test failure
 # find ./nss -name \*.chk | xargs rm -f

@ -481,15 +451,14 @@ pushd ./nss/tests/
 #  nss_cycles: standard pkix upgradedb sharedb
 #  the full list from all.sh is:
 #  "cipher lowhash libpkix cert dbtests tools fips sdr crmf smime ssl ocsp merge pkits chains ec gtests ssl_gtests"
-# TODO: Add ssl_gtests when we rebase to nss-3.25
 %define nss_tests "libpkix cert dbtests tools fips sdr crmf smime ssl ocsp merge pkits chains ec gtests ssl_gtests"
-#  nss_ssl_tests: crl bypass_normal normal_bypass normal_fips fips_normal iopr
-#  nss_ssl_run: cov auth stress
+#  nss_ssl_tests: crl bypass_normal normal_bypass normal_fips fips_normal iopr policy
+#  nss_ssl_run: cov auth stapling stress
 #
 # Uncomment these lines if you need to temporarily
 # disable some test suites for faster test builds
-# global nss_ssl_tests "normal_fips"
-# global nss_ssl_run "cov auth"
+# % define nss_ssl_tests "normal_fips"
+# % define nss_ssl_run "cov"

 SKIP_NSS_TEST_SUITE=`echo $SKIP_NSS_TEST_SUITE`

@ -827,6 +796,17 @@ fi


 %changelog
+* Fri Jul 08 2016 Elio Maldonado <emaldona@redhat.com> - 3.25.0-6
+- Cherry-pick merge from master branch
+- Add support for conditionally ignoring the system policy (#1157720)
+- Remove unneeded test scripts patches in order to run more tests
+- Remove unneeded test data modifications from the spec file
+- Remove obsolete patch and spurious lines from the spec file (#1347336)
+- Add support to listsuites to list ciphers allowed by policy
+
+* Sun Jun 26 2016 Elio Maldonado <emaldona@redhat.com> - 3.25.0-3
+- Cleanup spec file and patches and add references to bugs filed upstream
+
 * Fri Jun 24 2016 Elio Maldonado <emaldona@redhat.com> - 3.25.0-2
 - Rebase to nss 3.25