diff --git a/nss-check-policy-file.patch b/nss-check-policy-file.patch index 6b0bf58..0e8c03d 100644 --- a/nss-check-policy-file.patch +++ b/nss-check-policy-file.patch @@ -1,7 +1,7 @@ diff --git a/lib/nss/config.mk b/lib/nss/config.mk --- a/lib/nss/config.mk +++ b/lib/nss/config.mk -@@ -95,8 +95,12 @@ SHARED_LIBRARY_DIRS = \ +@@ -95,8 +95,15 @@ SHARED_LIBRARY_DIRS = \ ifeq (,$(filter-out WINNT WIN95,$(OS_TARGET))) ifndef NS_USE_GCC # Export 'mktemp' to be backward compatible with NSS 3.2.x and 3.3.x @@ -12,6 +12,9 @@ diff --git a/lib/nss/config.mk b/lib/nss/config.mk endif + +ifdef POLICY_FILE ++ifndef POLICY_PATH ++$(error You must define POLICY_PATH if you set POLICY_FILE) ++endif +DEFINES += -DPOLICY_FILE=\"$(POLICY_FILE)\" -DPOLICY_PATH=\"$(POLICY_PATH)\" +endif diff --git a/lib/nss/nssinit.c b/lib/nss/nssinit.c diff --git a/nss-conditionally-ignore-system-policy.patch b/nss-conditionally-ignore-system-policy.patch index d5f87f7..dc03f48 100644 --- a/nss-conditionally-ignore-system-policy.patch +++ b/nss-conditionally-ignore-system-policy.patch @@ -1,11 +1,54 @@ -<<<<<<< HEAD ---- ./lib/nss/nssinit.c.ignore_system_policy 2016-06-06 07:57:54.924457084 -0700 -+++ ./lib/nss/nssinit.c 2016-06-06 08:01:27.753830455 -0700 -@@ -678,17 +678,18 @@ -======= ---- ./lib/nss/nssinit.c.cond_ignore 2016-07-01 16:09:21.187499579 -0700 -+++ ./lib/nss/nssinit.c 2016-07-01 16:19:16.095862425 -0700 -@@ -529,16 +529,19 @@ +--- ./lib/nss/nssinit.c.cond_ignore 2016-07-14 06:07:08.607951998 -0700 ++++ ./lib/nss/nssinit.c 2016-07-14 06:11:07.698966728 -0700 +@@ -427,23 +427,21 @@ + if (lsecmodName) PORT_Free(lsecmodName); + if (lupdateDir) PORT_Free(lupdateDir); + if (lupdCertPrefix) PORT_Free(lupdCertPrefix); + if (lupdKeyPrefix) PORT_Free(lupdKeyPrefix); + if (lupdateID) PORT_Free(lupdateID); + if (lupdateName) PORT_Free(lupdateName); + + if (moduleSpec) { +- module = SECMOD_LoadModule(moduleSpec,NULL,PR_TRUE); ++ module = SECMOD_LoadModule(moduleSpec, NULL, PR_TRUE); + PR_smprintf_free(moduleSpec); +- if (module) { +- if (!module->loaded) { +- SECMOD_DestroyModule(module); +- module = NULL; +- } ++ if (module && !module->loaded) { ++ SECMOD_DestroyModule(module); ++ return NULL; + } + } + return module; + } + + /* + * OK there are now lots of options here, lets go through them all: + * +@@ -511,41 +509,44 @@ + return PR_FAILURE; + } + return PR_SUCCESS; + } + + + static SECStatus + nss_Init(const char *configdir, const char *certPrefix, const char *keyPrefix, +- const char *secmodName, const char *updateDir, ++ const char *secmodName, const char *updateDir, + const char *updCertPrefix, const char *updKeyPrefix, + const char *updateID, const char *updateName, + NSSInitContext ** initContextPtr, + NSSInitParameters *initParams, +- PRBool readOnly, PRBool noCertDB, ++ PRBool readOnly, PRBool noCertDB, + PRBool noModDB, PRBool forceOpen, PRBool noRootInit, + PRBool optimizeSpace, PRBool noSingleThreadedModules, + PRBool allowAlreadyInitializedModules, + PRBool dontFinalizeModules) { SECMODModule *parent = NULL; PKIX_UInt32 actualMinorVersion = 0; @@ -23,10 +66,41 @@ if (!initContextPtr && nssIsInitted) { return SECSuccess; } - +- ++ /* make sure our lock and condition variable are initialized one and only -@@ -678,32 +681,38 @@ ->>>>>>> origin/private-rebase-work-fedora-rawhide + * one time */ + if (PR_CallOnce(&nssInitOnce, nss_doLockInit) != PR_SUCCESS) { + return SECFailure; + } + + /* + * if we haven't done basic initialization, single thread the +@@ -632,20 +633,20 @@ + configStrings = pk11_config_strings; + configName = pk11_config_name; + passwordRequired = pk11_password_required; + } + + /* Skip the module init if we are already initted and we are trying + * to init with noCertDB and noModDB */ + if (!(isReallyInitted && noCertDB && noModDB)) { +- parent = nss_InitModules(configdir, certPrefix, keyPrefix, secmodName, +- updateDir, updCertPrefix, updKeyPrefix, updateID, ++ parent = nss_InitModules(configdir, certPrefix, keyPrefix, secmodName, ++ updateDir, updCertPrefix, updKeyPrefix, updateID, + updateName, configName, configStrings, passwordRequired, +- readOnly, noCertDB, noModDB, forceOpen, optimizeSpace, ++ readOnly, noCertDB, noModDB, forceOpen, optimizeSpace, + (initContextPtr != NULL)); + + if (parent == NULL) { + goto loser; + } + } + + +@@ -678,50 +679,54 @@ dbpath = NULL; } if (dbpath) { @@ -36,27 +110,18 @@ } #ifdef POLICY_FILE - if (PR_Access(POLICY_PATH "/" POLICY_FILE, PR_ACCESS_READ_OK) == PR_SUCCESS ) { -<<<<<<< HEAD -+ if (!PR_GetEnvSecure("NSS_IGNORE_SYSTEM_POLICY") && -+ PR_Access(POLICY_PATH "/" POLICY_FILE, PR_ACCESS_READ_OK) == PR_SUCCESS) { -======= -+ /* Load the system crypo policy file if it exists, ++ /* Load the system crypto policy file if it exists, + * unless the NSS_IGNORE_SYSTEM_POLICY environment + * variable has been set to 1. */ + ignoreVar = PR_GetEnvSecure("NSS_IGNORE_SYSTEM_POLICY"); -+ if (ignoreVar == NULL || strncmp(ignoreVar, "1", strlen("1")) != 0) { -+ if (PR_Access(POLICY_PATH "/" POLICY_FILE, PR_ACCESS_READ_OK) == PR_SUCCESS ) { ->>>>>>> origin/private-rebase-work-fedora-rawhide ++ if (ignoreVar == NULL || strncmp(ignoreVar, "1", sizeof("1")) != 0) { ++ if (PR_Access(POLICY_PATH "/" POLICY_FILE, PR_ACCESS_READ_OK) == PR_SUCCESS) { SECMODModule *module = SECMOD_LoadModule( "name=\"Policy File\" " "parameters=\"configdir='sql:" POLICY_PATH "' " "secmod='" POLICY_FILE "' " "flags=readOnly,noCertDB,forceSecmodChoice,forceOpen\" " "NSS=\"flags=internal,moduleDB,skipFirst,moduleDBOnly,critical\"", -<<<<<<< HEAD - parent, PR_TRUE); - if (module) { -======= - parent, PR_TRUE); + parent, PR_TRUE); if (module) { @@ -76,4 +141,21 @@ (PKIX_FALSE, PKIX_MAJOR_VERSION, PKIX_MINOR_VERSION, PKIX_MINOR_VERSION, &actualMinorVersion, &plContext); ->>>>>>> origin/private-rebase-work-fedora-rawhide + if (pkixError != NULL) { + goto loser; + } else { + char *ev = PR_GetEnvSecure("NSS_ENABLE_PKIX_VERIFY"); + if (ev && ev[0]) { + CERT_SetUsePKIXForValidation(PR_TRUE); + } + } +- +- + } + + /* + * Now mark the appropriate init state. If initContextPtr was passed + * in, then return the new context pointer and add it to the + * nssInitContextList. Otherwise set the global nss_isInitted flag + */ + PZ_Lock(nssInitLock); diff --git a/nss.spec b/nss.spec index d912b56..fecaf5f 100644 --- a/nss.spec +++ b/nss.spec @@ -4,9 +4,6 @@ %global unsupported_tools_directory %{_libdir}/nss/unsupported-tools %global allTools "certutil cmsutil crlutil derdump modutil pk12util signtool signver ssltap vfychain vfyserv" -# uncomment to make nss ignore the system policy file -%global nss_ignore_system_policy 1 - # solution taken from icedtea-web.spec %define multilib_arches %{power64} sparc64 x86_64 mips64 mips64el %ifarch %{multilib_arches} @@ -97,26 +94,11 @@ Patch50: iquote.patch Patch58: rhbz1185708-enable-ecc-3des-ciphers-by-default.patch # Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1279520 Patch59: nss-check-policy-file.patch -<<<<<<< HEAD -# TODO: file a bug usptream -# Upstream commit that caused problems with gtests -# https://git.fedorahosted.org/cgit/nss-pem.git/commit/ -Patch62: nss-skip-util-gtest.patch -# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1279520 -Patch63: tests-check-policy-file.patch -# TODO: Under test and could be merged with nss-check-policy-file.patch -Patch64: nss-conditionally-ignore-system-policy.patch -# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1279520 -Patch65: tests-data-adjust-for-policy.patch -Patch66: listsuites-do-queries.patch -# TODO: file a bug upstream -======= # Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1279520 Patch60: nss-conditionally-ignore-system-policy.patch # Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1280846 Patch62: nss-skip-util-gtest.patch # TODO: file a bug upstream similar to the one for rsaperf ->>>>>>> origin/private-rebase-work-fedora-rawhide Patch70: nss-skip-ecperf.patch Patch71: listsuites-do-queries.patch @@ -203,14 +185,8 @@ pushd nss %patch59 -p1 -b .check_policy_file %patch60 -p1 -b .cond_ignore %patch62 -p0 -b .skip_util_gtest -<<<<<<< HEAD -%patch63 -p1 -b .check_policy -%patch64 -p0 -b .ignore_system_policy -%patch66 -p1 -b .do_queries -======= %patch70 -p1 -b .skip_ecperf %patch71 -p1 -b .do_queries ->>>>>>> origin/private-rebase-work-fedora-rawhide popd ######################################################### @@ -326,17 +302,6 @@ export POLICY_FILE="nss.config" # location of the policy file export POLICY_PATH="/etc/crypto-policies/back-ends" -# to keep nss from loading the policy file -%if %{nss_ignore_system_policy} -export NSS_IGNORE_SYSTEM_POLICY=1 -%else -# system policy is enforced -pushd nss -# change some sslauth.txt entries to expect failure when enforcing policy -patch -p1 -b .expected_result < %{PATCH65} -popd -%endif - # nss/nssinit.c, ssl/sslcon.c, smime/smimeutil.c and ckfw/builtins/binst.c # need nss/lib/util/verref.h which is exported privately, # copy the one we saved during prep so it they can find it. @@ -439,11 +404,6 @@ export NSS_BLTEST_NOT_AVAILABLE=1 # needed for the fips mangling test export SOFTOKEN_LIB_DIR=%{_libdir} -# tests need to know we kept nss from loading the policy file -%if %{nss_ignore_system_policy} -export NSS_IGNORE_SYSTEM_POLICY=1 -%endif - # End -- copied from the build section export NSS_IGNORE_SYSTEM_POLICY=1 @@ -836,8 +796,8 @@ fi %changelog -* Fri Jul 08 2016 Elio Maldonado - 3.25.0-6 -- Add support to listsuites to list ciphers allowed by policy +* Thu Jul 14 2016 Elio Maldonado - 3.25.0-6 +- Incorporate some changes requested in upstream review and commited upstream (#1157720) * Fri Jul 01 2016 Elio Maldonado - 3.25.0-5 - Add support for conditionally ignoring the system policy (#1157720) @@ -852,7 +812,6 @@ fi * Fri Jun 24 2016 Elio Maldonado - 3.25.0-2 - Rebase to nss 3.25 -- Add support for conditionally ignoring the system policy (#1157720) * Thu Jun 16 2016 Kamil Dudka - 3.24.0-3 - decouple nss-pem from the nss package (#1347336) @@ -867,7 +826,7 @@ fi - Resolves: Bug 1342158 - nss-3.24 does no longer support ssl V2, installation of IPA fails because nss init fails * Sun May 29 2016 Elio Maldonado - 3.24.0-2.1 -- Rebase to NSS 3.24.0 +- Rebase to NSS 3.24.0 - Restore setting the policy file location - Make ssl tests scripts aware of policy - Ajust tests data expected result for policy