Incorporate some changes requested in upstream review and commited upstream (#1157720)
This commit is contained in:
parent
270f23d149
commit
ff192a931a
@ -1,6 +1,7 @@
|
|||||||
--- ./lib/nss/config.mk.check_policy_file 2016-07-12 09:11:01.198867052 -0700
|
diff --git a/lib/nss/config.mk b/lib/nss/config.mk
|
||||||
+++ ./lib/nss/config.mk 2016-07-12 09:15:58.739946540 -0700
|
--- a/lib/nss/config.mk
|
||||||
@@ -99,8 +99,15 @@
|
+++ b/lib/nss/config.mk
|
||||||
|
@@ -95,8 +95,15 @@ SHARED_LIBRARY_DIRS = \
|
||||||
ifeq (,$(filter-out WINNT WIN95,$(OS_TARGET)))
|
ifeq (,$(filter-out WINNT WIN95,$(OS_TARGET)))
|
||||||
ifndef NS_USE_GCC
|
ifndef NS_USE_GCC
|
||||||
# Export 'mktemp' to be backward compatible with NSS 3.2.x and 3.3.x
|
# Export 'mktemp' to be backward compatible with NSS 3.2.x and 3.3.x
|
||||||
@ -16,9 +17,10 @@
|
|||||||
+endif
|
+endif
|
||||||
+DEFINES += -DPOLICY_FILE=\"$(POLICY_FILE)\" -DPOLICY_PATH=\"$(POLICY_PATH)\"
|
+DEFINES += -DPOLICY_FILE=\"$(POLICY_FILE)\" -DPOLICY_PATH=\"$(POLICY_PATH)\"
|
||||||
+endif
|
+endif
|
||||||
--- ./lib/nss/nssinit.c.check_policy_file 2016-06-20 10:11:28.000000000 -0700
|
diff --git a/lib/nss/nssinit.c b/lib/nss/nssinit.c
|
||||||
+++ ./lib/nss/nssinit.c 2016-07-12 09:18:14.821671331 -0700
|
--- a/lib/nss/nssinit.c
|
||||||
@@ -330,47 +330,47 @@
|
+++ b/lib/nss/nssinit.c
|
||||||
|
@@ -330,47 +330,47 @@ nss_FindExternalRoot(const char *dbpath,
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* see nss_Init for definitions of the various options.
|
* see nss_Init for definitions of the various options.
|
||||||
@ -70,7 +72,7 @@
|
|||||||
lconfigdir = NSSUTIL_DoubleEscape(configdir, '\'', '\"');
|
lconfigdir = NSSUTIL_DoubleEscape(configdir, '\'', '\"');
|
||||||
if (lconfigdir == NULL) {
|
if (lconfigdir == NULL) {
|
||||||
goto loser;
|
goto loser;
|
||||||
@@ -427,24 +427,24 @@
|
@@ -427,24 +427,26 @@ loser:
|
||||||
if (lsecmodName) PORT_Free(lsecmodName);
|
if (lsecmodName) PORT_Free(lsecmodName);
|
||||||
if (lupdateDir) PORT_Free(lupdateDir);
|
if (lupdateDir) PORT_Free(lupdateDir);
|
||||||
if (lupdCertPrefix) PORT_Free(lupdCertPrefix);
|
if (lupdCertPrefix) PORT_Free(lupdCertPrefix);
|
||||||
@ -82,11 +84,13 @@
|
|||||||
- SECMODModule *module = SECMOD_LoadModule(moduleSpec,NULL,PR_TRUE);
|
- SECMODModule *module = SECMOD_LoadModule(moduleSpec,NULL,PR_TRUE);
|
||||||
+ module = SECMOD_LoadModule(moduleSpec,NULL,PR_TRUE);
|
+ module = SECMOD_LoadModule(moduleSpec,NULL,PR_TRUE);
|
||||||
PR_smprintf_free(moduleSpec);
|
PR_smprintf_free(moduleSpec);
|
||||||
- if (module) {
|
if (module) {
|
||||||
- if (module->loaded) rv=SECSuccess;
|
- if (module->loaded) rv=SECSuccess;
|
||||||
+ if (module && !module->loaded) {
|
- SECMOD_DestroyModule(module);
|
||||||
SECMOD_DestroyModule(module);
|
+ if (!module->loaded) {
|
||||||
+ return NULL;
|
+ SECMOD_DestroyModule(module);
|
||||||
|
+ module = NULL;
|
||||||
|
+ }
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
- return rv;
|
- return rv;
|
||||||
@ -99,23 +103,10 @@
|
|||||||
* configdir - base directory where all the cert, key, and module datbases live.
|
* configdir - base directory where all the cert, key, and module datbases live.
|
||||||
* certPrefix - prefix added to the beginning of the cert database example: "
|
* certPrefix - prefix added to the beginning of the cert database example: "
|
||||||
* "https-server1-"
|
* "https-server1-"
|
||||||
@@ -509,41 +509,44 @@
|
@@ -520,17 +522,17 @@ nss_Init(const char *configdir, const ch
|
||||||
return PR_FAILURE;
|
|
||||||
}
|
|
||||||
return PR_SUCCESS;
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
||||||
static SECStatus
|
|
||||||
nss_Init(const char *configdir, const char *certPrefix, const char *keyPrefix,
|
|
||||||
- const char *secmodName, const char *updateDir,
|
|
||||||
+ const char *secmodName, const char *updateDir,
|
|
||||||
const char *updCertPrefix, const char *updKeyPrefix,
|
|
||||||
const char *updateID, const char *updateName,
|
|
||||||
NSSInitContext ** initContextPtr,
|
NSSInitContext ** initContextPtr,
|
||||||
NSSInitParameters *initParams,
|
NSSInitParameters *initParams,
|
||||||
- PRBool readOnly, PRBool noCertDB,
|
PRBool readOnly, PRBool noCertDB,
|
||||||
+ PRBool readOnly, PRBool noCertDB,
|
|
||||||
PRBool noModDB, PRBool forceOpen, PRBool noRootInit,
|
PRBool noModDB, PRBool forceOpen, PRBool noRootInit,
|
||||||
PRBool optimizeSpace, PRBool noSingleThreadedModules,
|
PRBool optimizeSpace, PRBool noSingleThreadedModules,
|
||||||
PRBool allowAlreadyInitializedModules,
|
PRBool allowAlreadyInitializedModules,
|
||||||
@ -129,26 +120,9 @@
|
|||||||
char *configStrings = NULL;
|
char *configStrings = NULL;
|
||||||
char *configName = NULL;
|
char *configName = NULL;
|
||||||
PRBool passwordRequired = PR_FALSE;
|
PRBool passwordRequired = PR_FALSE;
|
||||||
+#ifdef POLICY_FILE
|
|
||||||
+ char *ignoreVar;
|
|
||||||
+#endif
|
|
||||||
|
|
||||||
/* if we are trying to init with a traditional NSS_Init call, maintain
|
/* if we are trying to init with a traditional NSS_Init call, maintain
|
||||||
* the traditional idempotent behavior. */
|
@@ -630,23 +632,23 @@ nss_Init(const char *configdir, const ch
|
||||||
if (!initContextPtr && nssIsInitted) {
|
|
||||||
return SECSuccess;
|
|
||||||
}
|
|
||||||
-
|
|
||||||
+
|
|
||||||
/* make sure our lock and condition variable are initialized one and only
|
|
||||||
* one time */
|
|
||||||
if (PR_CallOnce(&nssInitOnce, nss_doLockInit) != PR_SUCCESS) {
|
|
||||||
return SECFailure;
|
|
||||||
}
|
|
||||||
|
|
||||||
/*
|
|
||||||
* if we haven't done basic initialization, single thread the
|
|
||||||
@@ -630,23 +633,23 @@
|
|
||||||
configStrings = pk11_config_strings;
|
configStrings = pk11_config_strings;
|
||||||
configName = pk11_config_name;
|
configName = pk11_config_name;
|
||||||
passwordRequired = pk11_password_required;
|
passwordRequired = pk11_password_required;
|
||||||
@ -158,12 +132,10 @@
|
|||||||
* to init with noCertDB and noModDB */
|
* to init with noCertDB and noModDB */
|
||||||
if (!(isReallyInitted && noCertDB && noModDB)) {
|
if (!(isReallyInitted && noCertDB && noModDB)) {
|
||||||
- rv = nss_InitModules(configdir, certPrefix, keyPrefix, secmodName,
|
- rv = nss_InitModules(configdir, certPrefix, keyPrefix, secmodName,
|
||||||
- updateDir, updCertPrefix, updKeyPrefix, updateID,
|
|
||||||
+ parent = nss_InitModules(configdir, certPrefix, keyPrefix, secmodName,
|
+ parent = nss_InitModules(configdir, certPrefix, keyPrefix, secmodName,
|
||||||
+ updateDir, updCertPrefix, updKeyPrefix, updateID,
|
updateDir, updCertPrefix, updKeyPrefix, updateID,
|
||||||
updateName, configName, configStrings, passwordRequired,
|
updateName, configName, configStrings, passwordRequired,
|
||||||
- readOnly, noCertDB, noModDB, forceOpen, optimizeSpace,
|
readOnly, noCertDB, noModDB, forceOpen, optimizeSpace,
|
||||||
+ readOnly, noCertDB, noModDB, forceOpen, optimizeSpace,
|
|
||||||
(initContextPtr != NULL));
|
(initContextPtr != NULL));
|
||||||
|
|
||||||
- if (rv != SECSuccess) {
|
- if (rv != SECSuccess) {
|
||||||
@ -176,7 +148,7 @@
|
|||||||
/* finish up initialization */
|
/* finish up initialization */
|
||||||
if (!isReallyInitted) {
|
if (!isReallyInitted) {
|
||||||
if (SECOID_Init() != SECSuccess) {
|
if (SECOID_Init() != SECSuccess) {
|
||||||
@@ -675,17 +678,40 @@
|
@@ -675,17 +677,34 @@ nss_Init(const char *configdir, const ch
|
||||||
* path. Skip it */
|
* path. Skip it */
|
||||||
dbpath = NULL;
|
dbpath = NULL;
|
||||||
}
|
}
|
||||||
@ -187,11 +159,6 @@
|
|||||||
}
|
}
|
||||||
-
|
-
|
||||||
+#ifdef POLICY_FILE
|
+#ifdef POLICY_FILE
|
||||||
+ /* Load the system crypto policy file if it exists,
|
|
||||||
+ * unless the NSS_IGNORE_SYSTEM_POLICY environment
|
|
||||||
+ * variable has been set to 1. */
|
|
||||||
+ ignoreVar = PR_GetEnvSecure("NSS_IGNORE_SYSTEM_POLICY");
|
|
||||||
+ if (ignoreVar == NULL || strncmp(ignoreVar, "1", sizeof("1")) != 0) {
|
|
||||||
+ if (PR_Access(POLICY_PATH "/" POLICY_FILE, PR_ACCESS_READ_OK) == PR_SUCCESS ) {
|
+ if (PR_Access(POLICY_PATH "/" POLICY_FILE, PR_ACCESS_READ_OK) == PR_SUCCESS ) {
|
||||||
+ SECMODModule *module = SECMOD_LoadModule(
|
+ SECMODModule *module = SECMOD_LoadModule(
|
||||||
+ "name=\"Policy File\" "
|
+ "name=\"Policy File\" "
|
||||||
@ -208,7 +175,6 @@
|
|||||||
+ }
|
+ }
|
||||||
+ }
|
+ }
|
||||||
+ }
|
+ }
|
||||||
+ }
|
|
||||||
+#endif
|
+#endif
|
||||||
pk11sdr_Init();
|
pk11sdr_Init();
|
||||||
cert_CreateSubjectKeyIDHashTable();
|
cert_CreateSubjectKeyIDHashTable();
|
||||||
@ -218,7 +184,7 @@
|
|||||||
PKIX_MINOR_VERSION, &actualMinorVersion, &plContext);
|
PKIX_MINOR_VERSION, &actualMinorVersion, &plContext);
|
||||||
|
|
||||||
if (pkixError != NULL) {
|
if (pkixError != NULL) {
|
||||||
@@ -716,32 +742,38 @@
|
@@ -716,32 +735,38 @@ nss_Init(const char *configdir, const ch
|
||||||
nssIsInInit--;
|
nssIsInInit--;
|
||||||
/* now that we are inited, all waiters can move forward */
|
/* now that we are inited, all waiters can move forward */
|
||||||
PZ_NotifyAllCondVar(nssInitCondition);
|
PZ_NotifyAllCondVar(nssInitCondition);
|
||||||
|
63
nss-conditionally-ignore-system-policy.patch
Normal file
63
nss-conditionally-ignore-system-policy.patch
Normal file
@ -0,0 +1,63 @@
|
|||||||
|
--- ./lib/nss/nssinit.c.cond_ignore 2016-07-01 16:09:21.187499579 -0700
|
||||||
|
+++ ./lib/nss/nssinit.c 2016-07-01 16:19:16.095862425 -0700
|
||||||
|
@@ -529,16 +529,19 @@
|
||||||
|
{
|
||||||
|
SECMODModule *parent = NULL;
|
||||||
|
PKIX_UInt32 actualMinorVersion = 0;
|
||||||
|
PKIX_Error *pkixError = NULL;
|
||||||
|
PRBool isReallyInitted;
|
||||||
|
char *configStrings = NULL;
|
||||||
|
char *configName = NULL;
|
||||||
|
PRBool passwordRequired = PR_FALSE;
|
||||||
|
+#ifdef POLICY_FILE
|
||||||
|
+ char *ignoreVar;
|
||||||
|
+#endif
|
||||||
|
|
||||||
|
/* if we are trying to init with a traditional NSS_Init call, maintain
|
||||||
|
* the traditional idempotent behavior. */
|
||||||
|
if (!initContextPtr && nssIsInitted) {
|
||||||
|
return SECSuccess;
|
||||||
|
}
|
||||||
|
|
||||||
|
/* make sure our lock and condition variable are initialized one and only
|
||||||
|
@@ -678,32 +681,38 @@
|
||||||
|
dbpath = NULL;
|
||||||
|
}
|
||||||
|
if (dbpath) {
|
||||||
|
nss_FindExternalRoot(dbpath, secmodName);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
#ifdef POLICY_FILE
|
||||||
|
- if (PR_Access(POLICY_PATH "/" POLICY_FILE, PR_ACCESS_READ_OK) == PR_SUCCESS ) {
|
||||||
|
+ /* Load the system crypo policy file if it exists,
|
||||||
|
+ * unless the NSS_IGNORE_SYSTEM_POLICY environment
|
||||||
|
+ * variable has been set to 1. */
|
||||||
|
+ ignoreVar = PR_GetEnvSecure("NSS_IGNORE_SYSTEM_POLICY");
|
||||||
|
+ if (ignoreVar == NULL || strncmp(ignoreVar, "1", strlen("1")) != 0) {
|
||||||
|
+ if (PR_Access(POLICY_PATH "/" POLICY_FILE, PR_ACCESS_READ_OK) == PR_SUCCESS ) {
|
||||||
|
SECMODModule *module = SECMOD_LoadModule(
|
||||||
|
"name=\"Policy File\" "
|
||||||
|
"parameters=\"configdir='sql:" POLICY_PATH "' "
|
||||||
|
"secmod='" POLICY_FILE "' "
|
||||||
|
"flags=readOnly,noCertDB,forceSecmodChoice,forceOpen\" "
|
||||||
|
"NSS=\"flags=internal,moduleDB,skipFirst,moduleDBOnly,critical\"",
|
||||||
|
- parent, PR_TRUE);
|
||||||
|
+ parent, PR_TRUE);
|
||||||
|
if (module) {
|
||||||
|
PRBool isLoaded = module->loaded;
|
||||||
|
SECMOD_DestroyModule(module);
|
||||||
|
if (!isLoaded) {
|
||||||
|
goto loser;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
+ }
|
||||||
|
#endif
|
||||||
|
pk11sdr_Init();
|
||||||
|
cert_CreateSubjectKeyIDHashTable();
|
||||||
|
|
||||||
|
pkixError = PKIX_Initialize
|
||||||
|
(PKIX_FALSE, PKIX_MAJOR_VERSION, PKIX_MINOR_VERSION,
|
||||||
|
PKIX_MINOR_VERSION, &actualMinorVersion, &plContext);
|
||||||
|
|
5
nss.spec
5
nss.spec
@ -94,6 +94,8 @@ Patch50: iquote.patch
|
|||||||
Patch58: rhbz1185708-enable-ecc-3des-ciphers-by-default.patch
|
Patch58: rhbz1185708-enable-ecc-3des-ciphers-by-default.patch
|
||||||
# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1279520
|
# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1279520
|
||||||
Patch59: nss-check-policy-file.patch
|
Patch59: nss-check-policy-file.patch
|
||||||
|
# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1279520
|
||||||
|
Patch60: nss-conditionally-ignore-system-policy.patch
|
||||||
# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1280846
|
# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1280846
|
||||||
Patch62: nss-skip-util-gtest.patch
|
Patch62: nss-skip-util-gtest.patch
|
||||||
# TODO: file a bug upstream similar to the one for rsaperf
|
# TODO: file a bug upstream similar to the one for rsaperf
|
||||||
@ -180,6 +182,7 @@ low level services.
|
|||||||
%patch58 -p0 -b .1185708_3des
|
%patch58 -p0 -b .1185708_3des
|
||||||
pushd nss
|
pushd nss
|
||||||
%patch59 -p1 -b .check_policy_file
|
%patch59 -p1 -b .check_policy_file
|
||||||
|
%patch60 -p1 -b .cond_ignore
|
||||||
%patch62 -p0 -b .skip_util_gtest
|
%patch62 -p0 -b .skip_util_gtest
|
||||||
%patch70 -p1 -b .skip_ecperf
|
%patch70 -p1 -b .skip_ecperf
|
||||||
popd
|
popd
|
||||||
@ -792,7 +795,7 @@ fi
|
|||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
* Wed Jul 13 2016 Elio Maldonado <emaldona@redhat.com> - 3.25.0-6
|
* Wed Jul 13 2016 Elio Maldonado <emaldona@redhat.com> - 3.25.0-6
|
||||||
- Implement changes requested in upstream review and pushed upstream (#1157720)
|
- Incorporate some changes requested in upstream review and commited upstream (#1157720)
|
||||||
|
|
||||||
* Fri Jul 01 2016 Elio Maldonado <emaldona@redhat.com> - 3.25.0-5
|
* Fri Jul 01 2016 Elio Maldonado <emaldona@redhat.com> - 3.25.0-5
|
||||||
- Add support for conditionally ignoring the system policy (#1157720)
|
- Add support for conditionally ignoring the system policy (#1157720)
|
||||||
|
Loading…
Reference in New Issue
Block a user