Merge branch 'master' into private-emaldona-crypto-policy-work

This commit is contained in:
Elio Maldonado 2016-07-14 15:17:42 -07:00
commit d07560c593
3 changed files with 113 additions and 69 deletions

View File

@ -1,7 +1,7 @@
diff --git a/lib/nss/config.mk b/lib/nss/config.mk
--- a/lib/nss/config.mk
+++ b/lib/nss/config.mk
@@ -95,8 +95,12 @@ SHARED_LIBRARY_DIRS = \
@@ -95,8 +95,15 @@ SHARED_LIBRARY_DIRS = \
ifeq (,$(filter-out WINNT WIN95,$(OS_TARGET)))
ifndef NS_USE_GCC
# Export 'mktemp' to be backward compatible with NSS 3.2.x and 3.3.x
@ -12,6 +12,9 @@ diff --git a/lib/nss/config.mk b/lib/nss/config.mk
endif
+
+ifdef POLICY_FILE
+ifndef POLICY_PATH
+$(error You must define POLICY_PATH if you set POLICY_FILE)
+endif
+DEFINES += -DPOLICY_FILE=\"$(POLICY_FILE)\" -DPOLICY_PATH=\"$(POLICY_PATH)\"
+endif
diff --git a/lib/nss/nssinit.c b/lib/nss/nssinit.c

View File

@ -1,11 +1,54 @@
<<<<<<< HEAD
--- ./lib/nss/nssinit.c.ignore_system_policy 2016-06-06 07:57:54.924457084 -0700
+++ ./lib/nss/nssinit.c 2016-06-06 08:01:27.753830455 -0700
@@ -678,17 +678,18 @@
=======
--- ./lib/nss/nssinit.c.cond_ignore 2016-07-01 16:09:21.187499579 -0700
+++ ./lib/nss/nssinit.c 2016-07-01 16:19:16.095862425 -0700
@@ -529,16 +529,19 @@
--- ./lib/nss/nssinit.c.cond_ignore 2016-07-14 06:07:08.607951998 -0700
+++ ./lib/nss/nssinit.c 2016-07-14 06:11:07.698966728 -0700
@@ -427,23 +427,21 @@
if (lsecmodName) PORT_Free(lsecmodName);
if (lupdateDir) PORT_Free(lupdateDir);
if (lupdCertPrefix) PORT_Free(lupdCertPrefix);
if (lupdKeyPrefix) PORT_Free(lupdKeyPrefix);
if (lupdateID) PORT_Free(lupdateID);
if (lupdateName) PORT_Free(lupdateName);
if (moduleSpec) {
- module = SECMOD_LoadModule(moduleSpec,NULL,PR_TRUE);
+ module = SECMOD_LoadModule(moduleSpec, NULL, PR_TRUE);
PR_smprintf_free(moduleSpec);
- if (module) {
- if (!module->loaded) {
- SECMOD_DestroyModule(module);
- module = NULL;
- }
+ if (module && !module->loaded) {
+ SECMOD_DestroyModule(module);
+ return NULL;
}
}
return module;
}
/*
* OK there are now lots of options here, lets go through them all:
*
@@ -511,41 +509,44 @@
return PR_FAILURE;
}
return PR_SUCCESS;
}
static SECStatus
nss_Init(const char *configdir, const char *certPrefix, const char *keyPrefix,
- const char *secmodName, const char *updateDir,
+ const char *secmodName, const char *updateDir,
const char *updCertPrefix, const char *updKeyPrefix,
const char *updateID, const char *updateName,
NSSInitContext ** initContextPtr,
NSSInitParameters *initParams,
- PRBool readOnly, PRBool noCertDB,
+ PRBool readOnly, PRBool noCertDB,
PRBool noModDB, PRBool forceOpen, PRBool noRootInit,
PRBool optimizeSpace, PRBool noSingleThreadedModules,
PRBool allowAlreadyInitializedModules,
PRBool dontFinalizeModules)
{
SECMODModule *parent = NULL;
PKIX_UInt32 actualMinorVersion = 0;
@ -23,10 +66,41 @@
if (!initContextPtr && nssIsInitted) {
return SECSuccess;
}
-
+
/* make sure our lock and condition variable are initialized one and only
@@ -678,32 +681,38 @@
>>>>>>> origin/private-rebase-work-fedora-rawhide
* one time */
if (PR_CallOnce(&nssInitOnce, nss_doLockInit) != PR_SUCCESS) {
return SECFailure;
}
/*
* if we haven't done basic initialization, single thread the
@@ -632,20 +633,20 @@
configStrings = pk11_config_strings;
configName = pk11_config_name;
passwordRequired = pk11_password_required;
}
/* Skip the module init if we are already initted and we are trying
* to init with noCertDB and noModDB */
if (!(isReallyInitted && noCertDB && noModDB)) {
- parent = nss_InitModules(configdir, certPrefix, keyPrefix, secmodName,
- updateDir, updCertPrefix, updKeyPrefix, updateID,
+ parent = nss_InitModules(configdir, certPrefix, keyPrefix, secmodName,
+ updateDir, updCertPrefix, updKeyPrefix, updateID,
updateName, configName, configStrings, passwordRequired,
- readOnly, noCertDB, noModDB, forceOpen, optimizeSpace,
+ readOnly, noCertDB, noModDB, forceOpen, optimizeSpace,
(initContextPtr != NULL));
if (parent == NULL) {
goto loser;
}
}
@@ -678,50 +679,54 @@
dbpath = NULL;
}
if (dbpath) {
@ -36,27 +110,18 @@
}
#ifdef POLICY_FILE
- if (PR_Access(POLICY_PATH "/" POLICY_FILE, PR_ACCESS_READ_OK) == PR_SUCCESS ) {
<<<<<<< HEAD
+ if (!PR_GetEnvSecure("NSS_IGNORE_SYSTEM_POLICY") &&
+ PR_Access(POLICY_PATH "/" POLICY_FILE, PR_ACCESS_READ_OK) == PR_SUCCESS) {
=======
+ /* Load the system crypo policy file if it exists,
+ /* Load the system crypto policy file if it exists,
+ * unless the NSS_IGNORE_SYSTEM_POLICY environment
+ * variable has been set to 1. */
+ ignoreVar = PR_GetEnvSecure("NSS_IGNORE_SYSTEM_POLICY");
+ if (ignoreVar == NULL || strncmp(ignoreVar, "1", strlen("1")) != 0) {
+ if (PR_Access(POLICY_PATH "/" POLICY_FILE, PR_ACCESS_READ_OK) == PR_SUCCESS ) {
>>>>>>> origin/private-rebase-work-fedora-rawhide
+ if (ignoreVar == NULL || strncmp(ignoreVar, "1", sizeof("1")) != 0) {
+ if (PR_Access(POLICY_PATH "/" POLICY_FILE, PR_ACCESS_READ_OK) == PR_SUCCESS) {
SECMODModule *module = SECMOD_LoadModule(
"name=\"Policy File\" "
"parameters=\"configdir='sql:" POLICY_PATH "' "
"secmod='" POLICY_FILE "' "
"flags=readOnly,noCertDB,forceSecmodChoice,forceOpen\" "
"NSS=\"flags=internal,moduleDB,skipFirst,moduleDBOnly,critical\"",
<<<<<<< HEAD
parent, PR_TRUE);
if (module) {
=======
- parent, PR_TRUE);
+ parent, PR_TRUE);
if (module) {
@ -76,4 +141,21 @@
(PKIX_FALSE, PKIX_MAJOR_VERSION, PKIX_MINOR_VERSION,
PKIX_MINOR_VERSION, &actualMinorVersion, &plContext);
>>>>>>> origin/private-rebase-work-fedora-rawhide
if (pkixError != NULL) {
goto loser;
} else {
char *ev = PR_GetEnvSecure("NSS_ENABLE_PKIX_VERIFY");
if (ev && ev[0]) {
CERT_SetUsePKIXForValidation(PR_TRUE);
}
}
-
-
}
/*
* Now mark the appropriate init state. If initContextPtr was passed
* in, then return the new context pointer and add it to the
* nssInitContextList. Otherwise set the global nss_isInitted flag
*/
PZ_Lock(nssInitLock);

View File

@ -4,9 +4,6 @@
%global unsupported_tools_directory %{_libdir}/nss/unsupported-tools
%global allTools "certutil cmsutil crlutil derdump modutil pk12util signtool signver ssltap vfychain vfyserv"
# uncomment to make nss ignore the system policy file
%global nss_ignore_system_policy 1
# solution taken from icedtea-web.spec
%define multilib_arches %{power64} sparc64 x86_64 mips64 mips64el
%ifarch %{multilib_arches}
@ -97,26 +94,11 @@ Patch50: iquote.patch
Patch58: rhbz1185708-enable-ecc-3des-ciphers-by-default.patch
# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1279520
Patch59: nss-check-policy-file.patch
<<<<<<< HEAD
# TODO: file a bug usptream
# Upstream commit that caused problems with gtests
# https://git.fedorahosted.org/cgit/nss-pem.git/commit/
Patch62: nss-skip-util-gtest.patch
# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1279520
Patch63: tests-check-policy-file.patch
# TODO: Under test and could be merged with nss-check-policy-file.patch
Patch64: nss-conditionally-ignore-system-policy.patch
# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1279520
Patch65: tests-data-adjust-for-policy.patch
Patch66: listsuites-do-queries.patch
# TODO: file a bug upstream
=======
# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1279520
Patch60: nss-conditionally-ignore-system-policy.patch
# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1280846
Patch62: nss-skip-util-gtest.patch
# TODO: file a bug upstream similar to the one for rsaperf
>>>>>>> origin/private-rebase-work-fedora-rawhide
Patch70: nss-skip-ecperf.patch
Patch71: listsuites-do-queries.patch
@ -203,14 +185,8 @@ pushd nss
%patch59 -p1 -b .check_policy_file
%patch60 -p1 -b .cond_ignore
%patch62 -p0 -b .skip_util_gtest
<<<<<<< HEAD
%patch63 -p1 -b .check_policy
%patch64 -p0 -b .ignore_system_policy
%patch66 -p1 -b .do_queries
=======
%patch70 -p1 -b .skip_ecperf
%patch71 -p1 -b .do_queries
>>>>>>> origin/private-rebase-work-fedora-rawhide
popd
#########################################################
@ -326,17 +302,6 @@ export POLICY_FILE="nss.config"
# location of the policy file
export POLICY_PATH="/etc/crypto-policies/back-ends"
# to keep nss from loading the policy file
%if %{nss_ignore_system_policy}
export NSS_IGNORE_SYSTEM_POLICY=1
%else
# system policy is enforced
pushd nss
# change some sslauth.txt entries to expect failure when enforcing policy
patch -p1 -b .expected_result < %{PATCH65}
popd
%endif
# nss/nssinit.c, ssl/sslcon.c, smime/smimeutil.c and ckfw/builtins/binst.c
# need nss/lib/util/verref.h which is exported privately,
# copy the one we saved during prep so it they can find it.
@ -439,11 +404,6 @@ export NSS_BLTEST_NOT_AVAILABLE=1
# needed for the fips mangling test
export SOFTOKEN_LIB_DIR=%{_libdir}
# tests need to know we kept nss from loading the policy file
%if %{nss_ignore_system_policy}
export NSS_IGNORE_SYSTEM_POLICY=1
%endif
# End -- copied from the build section
export NSS_IGNORE_SYSTEM_POLICY=1
@ -836,8 +796,8 @@ fi
%changelog
* Fri Jul 08 2016 Elio Maldonado <emaldona@redhat.com> - 3.25.0-6
- Add support to listsuites to list ciphers allowed by policy
* Thu Jul 14 2016 Elio Maldonado <emaldona@redhat.com> - 3.25.0-6
- Incorporate some changes requested in upstream review and commited upstream (#1157720)
* Fri Jul 01 2016 Elio Maldonado <emaldona@redhat.com> - 3.25.0-5
- Add support for conditionally ignoring the system policy (#1157720)
@ -852,7 +812,6 @@ fi
* Fri Jun 24 2016 Elio Maldonado <emaldona@redhat.com> - 3.25.0-2
- Rebase to nss 3.25
- Add support for conditionally ignoring the system policy (#1157720)
* Thu Jun 16 2016 Kamil Dudka <kdudka@redhat.com> - 3.24.0-3
- decouple nss-pem from the nss package (#1347336)
@ -867,7 +826,7 @@ fi
- Resolves: Bug 1342158 - nss-3.24 does no longer support ssl V2, installation of IPA fails because nss init fails
* Sun May 29 2016 Elio Maldonado <emaldona@redhat.com> - 3.24.0-2.1
- Rebase to NSS 3.24.0
- Rebase to NSS 3.24.0
- Restore setting the policy file location
- Make ssl tests scripts aware of policy
- Ajust tests data expected result for policy