From 270f23d1492a91d9f5e733f94ad392f3abfdc21b Mon Sep 17 00:00:00 2001 From: Elio Maldonado Date: Tue, 12 Jul 2016 20:25:49 -0700 Subject: [PATCH 1/3] Implement changes requested in upstream review and pushed upstream (#1157720) - merge the two policy related patches --- nss-check-policy-file.patch | 87 ++++++++++++++------ nss-conditionally-ignore-system-policy.patch | 63 -------------- nss.spec | 8 +- 3 files changed, 66 insertions(+), 92 deletions(-) delete mode 100644 nss-conditionally-ignore-system-policy.patch diff --git a/nss-check-policy-file.patch b/nss-check-policy-file.patch index 6b0bf58..f7e3c43 100644 --- a/nss-check-policy-file.patch +++ b/nss-check-policy-file.patch @@ -1,7 +1,6 @@ -diff --git a/lib/nss/config.mk b/lib/nss/config.mk ---- a/lib/nss/config.mk -+++ b/lib/nss/config.mk -@@ -95,8 +95,12 @@ SHARED_LIBRARY_DIRS = \ +--- ./lib/nss/config.mk.check_policy_file 2016-07-12 09:11:01.198867052 -0700 ++++ ./lib/nss/config.mk 2016-07-12 09:15:58.739946540 -0700 +@@ -99,8 +99,15 @@ ifeq (,$(filter-out WINNT WIN95,$(OS_TARGET))) ifndef NS_USE_GCC # Export 'mktemp' to be backward compatible with NSS 3.2.x and 3.3.x @@ -12,12 +11,14 @@ diff --git a/lib/nss/config.mk b/lib/nss/config.mk endif + +ifdef POLICY_FILE ++ifndef POLICY_PATH ++$(error You must define POLICY_PATH if you set POLICY_FILE) ++endif +DEFINES += -DPOLICY_FILE=\"$(POLICY_FILE)\" -DPOLICY_PATH=\"$(POLICY_PATH)\" +endif -diff --git a/lib/nss/nssinit.c b/lib/nss/nssinit.c ---- a/lib/nss/nssinit.c -+++ b/lib/nss/nssinit.c -@@ -330,47 +330,47 @@ nss_FindExternalRoot(const char *dbpath, +--- ./lib/nss/nssinit.c.check_policy_file 2016-06-20 10:11:28.000000000 -0700 ++++ ./lib/nss/nssinit.c 2016-07-12 09:18:14.821671331 -0700 +@@ -330,47 +330,47 @@ /* * see nss_Init for definitions of the various options. @@ -69,7 +70,7 @@ diff --git a/lib/nss/nssinit.c b/lib/nss/nssinit.c lconfigdir = NSSUTIL_DoubleEscape(configdir, '\'', '\"'); if (lconfigdir == NULL) { goto loser; -@@ -427,24 +427,26 @@ loser: +@@ -427,24 +427,24 @@ if (lsecmodName) PORT_Free(lsecmodName); if (lupdateDir) PORT_Free(lupdateDir); if (lupdCertPrefix) PORT_Free(lupdCertPrefix); @@ -79,15 +80,13 @@ diff --git a/lib/nss/nssinit.c b/lib/nss/nssinit.c if (moduleSpec) { - SECMODModule *module = SECMOD_LoadModule(moduleSpec,NULL,PR_TRUE); -+ module = SECMOD_LoadModule(moduleSpec,NULL,PR_TRUE); ++ module = SECMOD_LoadModule(moduleSpec, NULL, PR_TRUE); PR_smprintf_free(moduleSpec); - if (module) { +- if (module) { - if (module->loaded) rv=SECSuccess; -- SECMOD_DestroyModule(module); -+ if (!module->loaded) { -+ SECMOD_DestroyModule(module); -+ module = NULL; -+ } ++ if (module && !module->loaded) { + SECMOD_DestroyModule(module); ++ return NULL; } } - return rv; @@ -100,10 +99,23 @@ diff --git a/lib/nss/nssinit.c b/lib/nss/nssinit.c * configdir - base directory where all the cert, key, and module datbases live. * certPrefix - prefix added to the beginning of the cert database example: " * "https-server1-" -@@ -520,17 +522,17 @@ nss_Init(const char *configdir, const ch +@@ -509,41 +509,44 @@ + return PR_FAILURE; + } + return PR_SUCCESS; + } + + + static SECStatus + nss_Init(const char *configdir, const char *certPrefix, const char *keyPrefix, +- const char *secmodName, const char *updateDir, ++ const char *secmodName, const char *updateDir, + const char *updCertPrefix, const char *updKeyPrefix, + const char *updateID, const char *updateName, NSSInitContext ** initContextPtr, NSSInitParameters *initParams, - PRBool readOnly, PRBool noCertDB, +- PRBool readOnly, PRBool noCertDB, ++ PRBool readOnly, PRBool noCertDB, PRBool noModDB, PRBool forceOpen, PRBool noRootInit, PRBool optimizeSpace, PRBool noSingleThreadedModules, PRBool allowAlreadyInitializedModules, @@ -117,9 +129,26 @@ diff --git a/lib/nss/nssinit.c b/lib/nss/nssinit.c char *configStrings = NULL; char *configName = NULL; PRBool passwordRequired = PR_FALSE; ++#ifdef POLICY_FILE ++ char *ignoreVar; ++#endif /* if we are trying to init with a traditional NSS_Init call, maintain -@@ -630,23 +632,23 @@ nss_Init(const char *configdir, const ch + * the traditional idempotent behavior. */ + if (!initContextPtr && nssIsInitted) { + return SECSuccess; + } +- ++ + /* make sure our lock and condition variable are initialized one and only + * one time */ + if (PR_CallOnce(&nssInitOnce, nss_doLockInit) != PR_SUCCESS) { + return SECFailure; + } + + /* + * if we haven't done basic initialization, single thread the +@@ -630,23 +633,23 @@ configStrings = pk11_config_strings; configName = pk11_config_name; passwordRequired = pk11_password_required; @@ -129,10 +158,12 @@ diff --git a/lib/nss/nssinit.c b/lib/nss/nssinit.c * to init with noCertDB and noModDB */ if (!(isReallyInitted && noCertDB && noModDB)) { - rv = nss_InitModules(configdir, certPrefix, keyPrefix, secmodName, +- updateDir, updCertPrefix, updKeyPrefix, updateID, + parent = nss_InitModules(configdir, certPrefix, keyPrefix, secmodName, - updateDir, updCertPrefix, updKeyPrefix, updateID, ++ updateDir, updCertPrefix, updKeyPrefix, updateID, updateName, configName, configStrings, passwordRequired, - readOnly, noCertDB, noModDB, forceOpen, optimizeSpace, +- readOnly, noCertDB, noModDB, forceOpen, optimizeSpace, ++ readOnly, noCertDB, noModDB, forceOpen, optimizeSpace, (initContextPtr != NULL)); - if (rv != SECSuccess) { @@ -145,7 +176,7 @@ diff --git a/lib/nss/nssinit.c b/lib/nss/nssinit.c /* finish up initialization */ if (!isReallyInitted) { if (SECOID_Init() != SECSuccess) { -@@ -675,17 +677,34 @@ nss_Init(const char *configdir, const ch +@@ -675,17 +678,40 @@ * path. Skip it */ dbpath = NULL; } @@ -156,14 +187,19 @@ diff --git a/lib/nss/nssinit.c b/lib/nss/nssinit.c } - +#ifdef POLICY_FILE -+ if (PR_Access(POLICY_PATH "/" POLICY_FILE, PR_ACCESS_READ_OK) == PR_SUCCESS ) { ++ /* Load the system crypto policy file if it exists, ++ * unless the NSS_IGNORE_SYSTEM_POLICY environment ++ * variable has been set to 1. */ ++ ignoreVar = PR_GetEnvSecure("NSS_IGNORE_SYSTEM_POLICY"); ++ if (ignoreVar == NULL || strncmp(ignoreVar, "1", sizeof("1")) != 0) { ++ if (PR_Access(POLICY_PATH "/" POLICY_FILE, PR_ACCESS_READ_OK) == PR_SUCCESS) { + SECMODModule *module = SECMOD_LoadModule( + "name=\"Policy File\" " + "parameters=\"configdir='sql:" POLICY_PATH "' " + "secmod='" POLICY_FILE "' " + "flags=readOnly,noCertDB,forceSecmodChoice,forceOpen\" " + "NSS=\"flags=internal,moduleDB,skipFirst,moduleDBOnly,critical\"", -+ parent, PR_TRUE); ++ parent, PR_TRUE); + if (module) { + PRBool isLoaded = module->loaded; + SECMOD_DestroyModule(module); @@ -172,6 +208,7 @@ diff --git a/lib/nss/nssinit.c b/lib/nss/nssinit.c + } + } + } ++ } +#endif pk11sdr_Init(); cert_CreateSubjectKeyIDHashTable(); @@ -181,7 +218,7 @@ diff --git a/lib/nss/nssinit.c b/lib/nss/nssinit.c PKIX_MINOR_VERSION, &actualMinorVersion, &plContext); if (pkixError != NULL) { -@@ -716,32 +735,38 @@ nss_Init(const char *configdir, const ch +@@ -716,32 +742,38 @@ nssIsInInit--; /* now that we are inited, all waiters can move forward */ PZ_NotifyAllCondVar(nssInitCondition); diff --git a/nss-conditionally-ignore-system-policy.patch b/nss-conditionally-ignore-system-policy.patch deleted file mode 100644 index 69ae0df..0000000 --- a/nss-conditionally-ignore-system-policy.patch +++ /dev/null @@ -1,63 +0,0 @@ ---- ./lib/nss/nssinit.c.cond_ignore 2016-07-01 16:09:21.187499579 -0700 -+++ ./lib/nss/nssinit.c 2016-07-01 16:19:16.095862425 -0700 -@@ -529,16 +529,19 @@ - { - SECMODModule *parent = NULL; - PKIX_UInt32 actualMinorVersion = 0; - PKIX_Error *pkixError = NULL; - PRBool isReallyInitted; - char *configStrings = NULL; - char *configName = NULL; - PRBool passwordRequired = PR_FALSE; -+#ifdef POLICY_FILE -+ char *ignoreVar; -+#endif - - /* if we are trying to init with a traditional NSS_Init call, maintain - * the traditional idempotent behavior. */ - if (!initContextPtr && nssIsInitted) { - return SECSuccess; - } - - /* make sure our lock and condition variable are initialized one and only -@@ -678,32 +681,38 @@ - dbpath = NULL; - } - if (dbpath) { - nss_FindExternalRoot(dbpath, secmodName); - } - } - } - #ifdef POLICY_FILE -- if (PR_Access(POLICY_PATH "/" POLICY_FILE, PR_ACCESS_READ_OK) == PR_SUCCESS ) { -+ /* Load the system crypo policy file if it exists, -+ * unless the NSS_IGNORE_SYSTEM_POLICY environment -+ * variable has been set to 1. */ -+ ignoreVar = PR_GetEnvSecure("NSS_IGNORE_SYSTEM_POLICY"); -+ if (ignoreVar == NULL || strncmp(ignoreVar, "1", strlen("1")) != 0) { -+ if (PR_Access(POLICY_PATH "/" POLICY_FILE, PR_ACCESS_READ_OK) == PR_SUCCESS ) { - SECMODModule *module = SECMOD_LoadModule( - "name=\"Policy File\" " - "parameters=\"configdir='sql:" POLICY_PATH "' " - "secmod='" POLICY_FILE "' " - "flags=readOnly,noCertDB,forceSecmodChoice,forceOpen\" " - "NSS=\"flags=internal,moduleDB,skipFirst,moduleDBOnly,critical\"", -- parent, PR_TRUE); -+ parent, PR_TRUE); - if (module) { - PRBool isLoaded = module->loaded; - SECMOD_DestroyModule(module); - if (!isLoaded) { - goto loser; - } - } - } -+ } - #endif - pk11sdr_Init(); - cert_CreateSubjectKeyIDHashTable(); - - pkixError = PKIX_Initialize - (PKIX_FALSE, PKIX_MAJOR_VERSION, PKIX_MINOR_VERSION, - PKIX_MINOR_VERSION, &actualMinorVersion, &plContext); - diff --git a/nss.spec b/nss.spec index d203fe5..3f6b748 100644 --- a/nss.spec +++ b/nss.spec @@ -21,7 +21,7 @@ Name: nss Version: 3.25.0 # for Rawhide, please always use release >= 2 # for Fedora release branches, please use release < 2 (1.0, 1.1, ...) -Release: 5%{?dist} +Release: 6%{?dist} License: MPLv2.0 URL: http://www.mozilla.org/projects/security/pki/nss/ Group: System Environment/Libraries @@ -94,8 +94,6 @@ Patch50: iquote.patch Patch58: rhbz1185708-enable-ecc-3des-ciphers-by-default.patch # Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1279520 Patch59: nss-check-policy-file.patch -# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1279520 -Patch60: nss-conditionally-ignore-system-policy.patch # Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1280846 Patch62: nss-skip-util-gtest.patch # TODO: file a bug upstream similar to the one for rsaperf @@ -182,7 +180,6 @@ low level services. %patch58 -p0 -b .1185708_3des pushd nss %patch59 -p1 -b .check_policy_file -%patch60 -p1 -b .cond_ignore %patch62 -p0 -b .skip_util_gtest %patch70 -p1 -b .skip_ecperf popd @@ -794,6 +791,9 @@ fi %changelog +* Wed Jul 13 2016 Elio Maldonado - 3.25.0-6 +- Implement changes requested in upstream review and pushed upstream (#1157720) + * Fri Jul 01 2016 Elio Maldonado - 3.25.0-5 - Add support for conditionally ignoring the system policy (#1157720) - Remove unneeded test scripts patches in order to run more tests From ff192a931af132c902707bfc13ff72fcc9fe57f4 Mon Sep 17 00:00:00 2001 From: Elio Maldonado Date: Wed, 13 Jul 2016 17:44:26 -0700 Subject: [PATCH 2/3] Incorporate some changes requested in upstream review and commited upstream (#1157720) --- nss-check-policy-file.patch | 84 ++++++-------------- nss-conditionally-ignore-system-policy.patch | 63 +++++++++++++++ nss.spec | 5 +- 3 files changed, 92 insertions(+), 60 deletions(-) create mode 100644 nss-conditionally-ignore-system-policy.patch diff --git a/nss-check-policy-file.patch b/nss-check-policy-file.patch index f7e3c43..0e8c03d 100644 --- a/nss-check-policy-file.patch +++ b/nss-check-policy-file.patch @@ -1,6 +1,7 @@ ---- ./lib/nss/config.mk.check_policy_file 2016-07-12 09:11:01.198867052 -0700 -+++ ./lib/nss/config.mk 2016-07-12 09:15:58.739946540 -0700 -@@ -99,8 +99,15 @@ +diff --git a/lib/nss/config.mk b/lib/nss/config.mk +--- a/lib/nss/config.mk ++++ b/lib/nss/config.mk +@@ -95,8 +95,15 @@ SHARED_LIBRARY_DIRS = \ ifeq (,$(filter-out WINNT WIN95,$(OS_TARGET))) ifndef NS_USE_GCC # Export 'mktemp' to be backward compatible with NSS 3.2.x and 3.3.x @@ -16,9 +17,10 @@ +endif +DEFINES += -DPOLICY_FILE=\"$(POLICY_FILE)\" -DPOLICY_PATH=\"$(POLICY_PATH)\" +endif ---- ./lib/nss/nssinit.c.check_policy_file 2016-06-20 10:11:28.000000000 -0700 -+++ ./lib/nss/nssinit.c 2016-07-12 09:18:14.821671331 -0700 -@@ -330,47 +330,47 @@ +diff --git a/lib/nss/nssinit.c b/lib/nss/nssinit.c +--- a/lib/nss/nssinit.c ++++ b/lib/nss/nssinit.c +@@ -330,47 +330,47 @@ nss_FindExternalRoot(const char *dbpath, /* * see nss_Init for definitions of the various options. @@ -70,7 +72,7 @@ lconfigdir = NSSUTIL_DoubleEscape(configdir, '\'', '\"'); if (lconfigdir == NULL) { goto loser; -@@ -427,24 +427,24 @@ +@@ -427,24 +427,26 @@ loser: if (lsecmodName) PORT_Free(lsecmodName); if (lupdateDir) PORT_Free(lupdateDir); if (lupdCertPrefix) PORT_Free(lupdCertPrefix); @@ -80,13 +82,15 @@ if (moduleSpec) { - SECMODModule *module = SECMOD_LoadModule(moduleSpec,NULL,PR_TRUE); -+ module = SECMOD_LoadModule(moduleSpec, NULL, PR_TRUE); ++ module = SECMOD_LoadModule(moduleSpec,NULL,PR_TRUE); PR_smprintf_free(moduleSpec); -- if (module) { + if (module) { - if (module->loaded) rv=SECSuccess; -+ if (module && !module->loaded) { - SECMOD_DestroyModule(module); -+ return NULL; +- SECMOD_DestroyModule(module); ++ if (!module->loaded) { ++ SECMOD_DestroyModule(module); ++ module = NULL; ++ } } } - return rv; @@ -99,23 +103,10 @@ * configdir - base directory where all the cert, key, and module datbases live. * certPrefix - prefix added to the beginning of the cert database example: " * "https-server1-" -@@ -509,41 +509,44 @@ - return PR_FAILURE; - } - return PR_SUCCESS; - } - - - static SECStatus - nss_Init(const char *configdir, const char *certPrefix, const char *keyPrefix, -- const char *secmodName, const char *updateDir, -+ const char *secmodName, const char *updateDir, - const char *updCertPrefix, const char *updKeyPrefix, - const char *updateID, const char *updateName, +@@ -520,17 +522,17 @@ nss_Init(const char *configdir, const ch NSSInitContext ** initContextPtr, NSSInitParameters *initParams, -- PRBool readOnly, PRBool noCertDB, -+ PRBool readOnly, PRBool noCertDB, + PRBool readOnly, PRBool noCertDB, PRBool noModDB, PRBool forceOpen, PRBool noRootInit, PRBool optimizeSpace, PRBool noSingleThreadedModules, PRBool allowAlreadyInitializedModules, @@ -129,26 +120,9 @@ char *configStrings = NULL; char *configName = NULL; PRBool passwordRequired = PR_FALSE; -+#ifdef POLICY_FILE -+ char *ignoreVar; -+#endif /* if we are trying to init with a traditional NSS_Init call, maintain - * the traditional idempotent behavior. */ - if (!initContextPtr && nssIsInitted) { - return SECSuccess; - } -- -+ - /* make sure our lock and condition variable are initialized one and only - * one time */ - if (PR_CallOnce(&nssInitOnce, nss_doLockInit) != PR_SUCCESS) { - return SECFailure; - } - - /* - * if we haven't done basic initialization, single thread the -@@ -630,23 +633,23 @@ +@@ -630,23 +632,23 @@ nss_Init(const char *configdir, const ch configStrings = pk11_config_strings; configName = pk11_config_name; passwordRequired = pk11_password_required; @@ -158,12 +132,10 @@ * to init with noCertDB and noModDB */ if (!(isReallyInitted && noCertDB && noModDB)) { - rv = nss_InitModules(configdir, certPrefix, keyPrefix, secmodName, -- updateDir, updCertPrefix, updKeyPrefix, updateID, + parent = nss_InitModules(configdir, certPrefix, keyPrefix, secmodName, -+ updateDir, updCertPrefix, updKeyPrefix, updateID, + updateDir, updCertPrefix, updKeyPrefix, updateID, updateName, configName, configStrings, passwordRequired, -- readOnly, noCertDB, noModDB, forceOpen, optimizeSpace, -+ readOnly, noCertDB, noModDB, forceOpen, optimizeSpace, + readOnly, noCertDB, noModDB, forceOpen, optimizeSpace, (initContextPtr != NULL)); - if (rv != SECSuccess) { @@ -176,7 +148,7 @@ /* finish up initialization */ if (!isReallyInitted) { if (SECOID_Init() != SECSuccess) { -@@ -675,17 +678,40 @@ +@@ -675,17 +677,34 @@ nss_Init(const char *configdir, const ch * path. Skip it */ dbpath = NULL; } @@ -187,19 +159,14 @@ } - +#ifdef POLICY_FILE -+ /* Load the system crypto policy file if it exists, -+ * unless the NSS_IGNORE_SYSTEM_POLICY environment -+ * variable has been set to 1. */ -+ ignoreVar = PR_GetEnvSecure("NSS_IGNORE_SYSTEM_POLICY"); -+ if (ignoreVar == NULL || strncmp(ignoreVar, "1", sizeof("1")) != 0) { -+ if (PR_Access(POLICY_PATH "/" POLICY_FILE, PR_ACCESS_READ_OK) == PR_SUCCESS) { ++ if (PR_Access(POLICY_PATH "/" POLICY_FILE, PR_ACCESS_READ_OK) == PR_SUCCESS ) { + SECMODModule *module = SECMOD_LoadModule( + "name=\"Policy File\" " + "parameters=\"configdir='sql:" POLICY_PATH "' " + "secmod='" POLICY_FILE "' " + "flags=readOnly,noCertDB,forceSecmodChoice,forceOpen\" " + "NSS=\"flags=internal,moduleDB,skipFirst,moduleDBOnly,critical\"", -+ parent, PR_TRUE); ++ parent, PR_TRUE); + if (module) { + PRBool isLoaded = module->loaded; + SECMOD_DestroyModule(module); @@ -208,7 +175,6 @@ + } + } + } -+ } +#endif pk11sdr_Init(); cert_CreateSubjectKeyIDHashTable(); @@ -218,7 +184,7 @@ PKIX_MINOR_VERSION, &actualMinorVersion, &plContext); if (pkixError != NULL) { -@@ -716,32 +742,38 @@ +@@ -716,32 +735,38 @@ nss_Init(const char *configdir, const ch nssIsInInit--; /* now that we are inited, all waiters can move forward */ PZ_NotifyAllCondVar(nssInitCondition); diff --git a/nss-conditionally-ignore-system-policy.patch b/nss-conditionally-ignore-system-policy.patch new file mode 100644 index 0000000..69ae0df --- /dev/null +++ b/nss-conditionally-ignore-system-policy.patch @@ -0,0 +1,63 @@ +--- ./lib/nss/nssinit.c.cond_ignore 2016-07-01 16:09:21.187499579 -0700 ++++ ./lib/nss/nssinit.c 2016-07-01 16:19:16.095862425 -0700 +@@ -529,16 +529,19 @@ + { + SECMODModule *parent = NULL; + PKIX_UInt32 actualMinorVersion = 0; + PKIX_Error *pkixError = NULL; + PRBool isReallyInitted; + char *configStrings = NULL; + char *configName = NULL; + PRBool passwordRequired = PR_FALSE; ++#ifdef POLICY_FILE ++ char *ignoreVar; ++#endif + + /* if we are trying to init with a traditional NSS_Init call, maintain + * the traditional idempotent behavior. */ + if (!initContextPtr && nssIsInitted) { + return SECSuccess; + } + + /* make sure our lock and condition variable are initialized one and only +@@ -678,32 +681,38 @@ + dbpath = NULL; + } + if (dbpath) { + nss_FindExternalRoot(dbpath, secmodName); + } + } + } + #ifdef POLICY_FILE +- if (PR_Access(POLICY_PATH "/" POLICY_FILE, PR_ACCESS_READ_OK) == PR_SUCCESS ) { ++ /* Load the system crypo policy file if it exists, ++ * unless the NSS_IGNORE_SYSTEM_POLICY environment ++ * variable has been set to 1. */ ++ ignoreVar = PR_GetEnvSecure("NSS_IGNORE_SYSTEM_POLICY"); ++ if (ignoreVar == NULL || strncmp(ignoreVar, "1", strlen("1")) != 0) { ++ if (PR_Access(POLICY_PATH "/" POLICY_FILE, PR_ACCESS_READ_OK) == PR_SUCCESS ) { + SECMODModule *module = SECMOD_LoadModule( + "name=\"Policy File\" " + "parameters=\"configdir='sql:" POLICY_PATH "' " + "secmod='" POLICY_FILE "' " + "flags=readOnly,noCertDB,forceSecmodChoice,forceOpen\" " + "NSS=\"flags=internal,moduleDB,skipFirst,moduleDBOnly,critical\"", +- parent, PR_TRUE); ++ parent, PR_TRUE); + if (module) { + PRBool isLoaded = module->loaded; + SECMOD_DestroyModule(module); + if (!isLoaded) { + goto loser; + } + } + } ++ } + #endif + pk11sdr_Init(); + cert_CreateSubjectKeyIDHashTable(); + + pkixError = PKIX_Initialize + (PKIX_FALSE, PKIX_MAJOR_VERSION, PKIX_MINOR_VERSION, + PKIX_MINOR_VERSION, &actualMinorVersion, &plContext); + diff --git a/nss.spec b/nss.spec index 3f6b748..e6ce21b 100644 --- a/nss.spec +++ b/nss.spec @@ -94,6 +94,8 @@ Patch50: iquote.patch Patch58: rhbz1185708-enable-ecc-3des-ciphers-by-default.patch # Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1279520 Patch59: nss-check-policy-file.patch +# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1279520 +Patch60: nss-conditionally-ignore-system-policy.patch # Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1280846 Patch62: nss-skip-util-gtest.patch # TODO: file a bug upstream similar to the one for rsaperf @@ -180,6 +182,7 @@ low level services. %patch58 -p0 -b .1185708_3des pushd nss %patch59 -p1 -b .check_policy_file +%patch60 -p1 -b .cond_ignore %patch62 -p0 -b .skip_util_gtest %patch70 -p1 -b .skip_ecperf popd @@ -792,7 +795,7 @@ fi %changelog * Wed Jul 13 2016 Elio Maldonado - 3.25.0-6 -- Implement changes requested in upstream review and pushed upstream (#1157720) +- Incorporate some changes requested in upstream review and commited upstream (#1157720) * Fri Jul 01 2016 Elio Maldonado - 3.25.0-5 - Add support for conditionally ignoring the system policy (#1157720) From 7854e70d7e418df1fbc132f16e49de6de30bd635 Mon Sep 17 00:00:00 2001 From: Elio Maldonado Date: Thu, 14 Jul 2016 10:41:00 -0700 Subject: [PATCH 3/3] Incorporate more changes requested in upstream review and commited upstream (#1157720) - still keeping two separate patches --- nss-conditionally-ignore-system-policy.patch | 114 +++++++++++++++++-- nss.spec | 4 +- 2 files changed, 108 insertions(+), 10 deletions(-) diff --git a/nss-conditionally-ignore-system-policy.patch b/nss-conditionally-ignore-system-policy.patch index 69ae0df..dc03f48 100644 --- a/nss-conditionally-ignore-system-policy.patch +++ b/nss-conditionally-ignore-system-policy.patch @@ -1,6 +1,54 @@ ---- ./lib/nss/nssinit.c.cond_ignore 2016-07-01 16:09:21.187499579 -0700 -+++ ./lib/nss/nssinit.c 2016-07-01 16:19:16.095862425 -0700 -@@ -529,16 +529,19 @@ +--- ./lib/nss/nssinit.c.cond_ignore 2016-07-14 06:07:08.607951998 -0700 ++++ ./lib/nss/nssinit.c 2016-07-14 06:11:07.698966728 -0700 +@@ -427,23 +427,21 @@ + if (lsecmodName) PORT_Free(lsecmodName); + if (lupdateDir) PORT_Free(lupdateDir); + if (lupdCertPrefix) PORT_Free(lupdCertPrefix); + if (lupdKeyPrefix) PORT_Free(lupdKeyPrefix); + if (lupdateID) PORT_Free(lupdateID); + if (lupdateName) PORT_Free(lupdateName); + + if (moduleSpec) { +- module = SECMOD_LoadModule(moduleSpec,NULL,PR_TRUE); ++ module = SECMOD_LoadModule(moduleSpec, NULL, PR_TRUE); + PR_smprintf_free(moduleSpec); +- if (module) { +- if (!module->loaded) { +- SECMOD_DestroyModule(module); +- module = NULL; +- } ++ if (module && !module->loaded) { ++ SECMOD_DestroyModule(module); ++ return NULL; + } + } + return module; + } + + /* + * OK there are now lots of options here, lets go through them all: + * +@@ -511,41 +509,44 @@ + return PR_FAILURE; + } + return PR_SUCCESS; + } + + + static SECStatus + nss_Init(const char *configdir, const char *certPrefix, const char *keyPrefix, +- const char *secmodName, const char *updateDir, ++ const char *secmodName, const char *updateDir, + const char *updCertPrefix, const char *updKeyPrefix, + const char *updateID, const char *updateName, + NSSInitContext ** initContextPtr, + NSSInitParameters *initParams, +- PRBool readOnly, PRBool noCertDB, ++ PRBool readOnly, PRBool noCertDB, + PRBool noModDB, PRBool forceOpen, PRBool noRootInit, + PRBool optimizeSpace, PRBool noSingleThreadedModules, + PRBool allowAlreadyInitializedModules, + PRBool dontFinalizeModules) { SECMODModule *parent = NULL; PKIX_UInt32 actualMinorVersion = 0; @@ -18,9 +66,41 @@ if (!initContextPtr && nssIsInitted) { return SECSuccess; } - +- ++ /* make sure our lock and condition variable are initialized one and only -@@ -678,32 +681,38 @@ + * one time */ + if (PR_CallOnce(&nssInitOnce, nss_doLockInit) != PR_SUCCESS) { + return SECFailure; + } + + /* + * if we haven't done basic initialization, single thread the +@@ -632,20 +633,20 @@ + configStrings = pk11_config_strings; + configName = pk11_config_name; + passwordRequired = pk11_password_required; + } + + /* Skip the module init if we are already initted and we are trying + * to init with noCertDB and noModDB */ + if (!(isReallyInitted && noCertDB && noModDB)) { +- parent = nss_InitModules(configdir, certPrefix, keyPrefix, secmodName, +- updateDir, updCertPrefix, updKeyPrefix, updateID, ++ parent = nss_InitModules(configdir, certPrefix, keyPrefix, secmodName, ++ updateDir, updCertPrefix, updKeyPrefix, updateID, + updateName, configName, configStrings, passwordRequired, +- readOnly, noCertDB, noModDB, forceOpen, optimizeSpace, ++ readOnly, noCertDB, noModDB, forceOpen, optimizeSpace, + (initContextPtr != NULL)); + + if (parent == NULL) { + goto loser; + } + } + + +@@ -678,50 +679,54 @@ dbpath = NULL; } if (dbpath) { @@ -30,12 +110,12 @@ } #ifdef POLICY_FILE - if (PR_Access(POLICY_PATH "/" POLICY_FILE, PR_ACCESS_READ_OK) == PR_SUCCESS ) { -+ /* Load the system crypo policy file if it exists, ++ /* Load the system crypto policy file if it exists, + * unless the NSS_IGNORE_SYSTEM_POLICY environment + * variable has been set to 1. */ + ignoreVar = PR_GetEnvSecure("NSS_IGNORE_SYSTEM_POLICY"); -+ if (ignoreVar == NULL || strncmp(ignoreVar, "1", strlen("1")) != 0) { -+ if (PR_Access(POLICY_PATH "/" POLICY_FILE, PR_ACCESS_READ_OK) == PR_SUCCESS ) { ++ if (ignoreVar == NULL || strncmp(ignoreVar, "1", sizeof("1")) != 0) { ++ if (PR_Access(POLICY_PATH "/" POLICY_FILE, PR_ACCESS_READ_OK) == PR_SUCCESS) { SECMODModule *module = SECMOD_LoadModule( "name=\"Policy File\" " "parameters=\"configdir='sql:" POLICY_PATH "' " @@ -61,3 +141,21 @@ (PKIX_FALSE, PKIX_MAJOR_VERSION, PKIX_MINOR_VERSION, PKIX_MINOR_VERSION, &actualMinorVersion, &plContext); + if (pkixError != NULL) { + goto loser; + } else { + char *ev = PR_GetEnvSecure("NSS_ENABLE_PKIX_VERIFY"); + if (ev && ev[0]) { + CERT_SetUsePKIXForValidation(PR_TRUE); + } + } +- +- + } + + /* + * Now mark the appropriate init state. If initContextPtr was passed + * in, then return the new context pointer and add it to the + * nssInitContextList. Otherwise set the global nss_isInitted flag + */ + PZ_Lock(nssInitLock); diff --git a/nss.spec b/nss.spec index e6ce21b..ae59b85 100644 --- a/nss.spec +++ b/nss.spec @@ -794,7 +794,7 @@ fi %changelog -* Wed Jul 13 2016 Elio Maldonado - 3.25.0-6 +* Thu Jul 14 2016 Elio Maldonado - 3.25.0-6 - Incorporate some changes requested in upstream review and commited upstream (#1157720) * Fri Jul 01 2016 Elio Maldonado - 3.25.0-5 @@ -824,7 +824,7 @@ fi - Resolves: Bug 1342158 - nss-3.24 does no longer support ssl V2, installation of IPA fails because nss init fails * Sun May 29 2016 Elio Maldonado - 3.24.0-2.1 -- Rebase to NSS 3.24.0 +- Rebase to NSS 3.24.0 - Restore setting the policy file location - Make ssl tests scripts aware of policy - Ajust tests data expected result for policy