[nss] Bug 633043 - nss trusts certificates it shouldn't, fixed

Elio Maldonado emaldonado at fedoraproject.org
Sat Jan 22 17:45:28 UTC 2011


commit 612496b72d5703fff72e6514f6d53f67be100055
Author: Elio Maldonado <emaldona at redhat.com>
Date:   Sat Jan 22 09:39:22 2011 -0800

    Bug 633043 - nss trusts certificates it shouldn't, fixed
    
    - Add patch to honor the user's cert trust preferences (#633043)
    - Rename nss-sysinit-fix-trustorder.patch to honor-user-trust-preferences.patch
    - Remove nss-sysinit-userdb-first.patch, it's obsoleted by current patch

 honor-user-trust-preferences.patch |  133 ++++++++++++++++++++++++++++++++++++
 nss-sysinit-fix-trustorder.patch   |   30 --------
 nss-sysinit-userdb-first.patch     |   78 ---------------------
 nss.spec                           |   12 ++--
 4 files changed, 140 insertions(+), 113 deletions(-)
---
diff --git a/honor-user-trust-preferences.patch b/honor-user-trust-preferences.patch
new file mode 100644
index 0000000..e9414de
--- /dev/null
+++ b/honor-user-trust-preferences.patch
@@ -0,0 +1,133 @@
+Index: ./mozilla/security/nss/lib/pk11wrap/pk11load.c
+===================================================================
+RCS file: /cvsroot/mozilla/security/nss/lib/pk11wrap/pk11load.c,v
+retrieving revision 1.30
+diff -u -p -r1.30 pk11load.c
+--- ./mozilla/security/nss/lib/pk11wrap/pk11load.c	30 Apr 2010 07:22:54 -0000	1.30
++++ ./mozilla/security/nss/lib/pk11wrap/pk11load.c	22 Jan 2011 05:39:07 -0000
+@@ -178,8 +178,8 @@ secmod_handleReload(SECMODModule *oldMod
+ 	char *oldModuleSpec;
+ 
+ 	if (secmod_IsInternalKeySlot(newModule)) {
+-	    pk11_SetInternalKeySlot(slot);
+-	}
++	    pk11_FirstInternalKeySlot(slot);
++	} 
+ 	newID = slot->slotID;
+ 	PK11_FreeSlot(slot);
+ 	for (thisChild=children, thisID=ids; thisChild && *thisChild; 
+@@ -550,6 +550,11 @@ secmod_LoadPKCS11Module(SECMODModule *mo
+ 	    /* look down the slot info table */
+ 	    PK11_LoadSlotList(mod->slots[i],mod->slotInfo,mod->slotInfoCount);
+ 	    SECMOD_SetRootCerts(mod->slots[i],mod);
++	    /* explicitly mark the internal slot as such if IsInternalKeySlot()
++	     * is set */
++	    if (secmod_IsInternalKeySlot(mod) && (i == (mod->isFIPS ? 0 : 1))) {
++		pk11_FirstInternalKeySlot(mod->slots[i]);
++	    } 
+ 	}
+ 	mod->slotCount = slotCount;
+ 	mod->slotInfoCount = 0;
+Index: ./mozilla/security/nss/lib/pk11wrap/pk11priv.h
+===================================================================
+RCS file: /cvsroot/mozilla/security/nss/lib/pk11wrap/pk11priv.h,v
+retrieving revision 1.13
+diff -u -p -r1.13 pk11priv.h
+--- ./mozilla/security/nss/lib/pk11wrap/pk11priv.h	27 Oct 2009 23:04:46 -0000	1.13
++++ ./mozilla/security/nss/lib/pk11wrap/pk11priv.h	22 Jan 2011 05:39:07 -0000
+@@ -115,6 +115,7 @@ void PK11_InitSlot(SECMODModule *mod,CK_
+ PRBool PK11_NeedPWInitForSlot(PK11SlotInfo *slot);
+ SECStatus PK11_ReadSlotCerts(PK11SlotInfo *slot);
+ void pk11_SetInternalKeySlot(PK11SlotInfo *slot);
++void pk11_FirstInternalKeySlot(PK11SlotInfo *slot);
+ 
+ /*********************************************************************
+  *       Mechanism Mapping functions
+Index: ./mozilla/security/nss/lib/pk11wrap/pk11slot.c
+===================================================================
+RCS file: /cvsroot/mozilla/security/nss/lib/pk11wrap/pk11slot.c,v
+retrieving revision 1.101
+diff -u -p -r1.101 pk11slot.c
+--- ./mozilla/security/nss/lib/pk11wrap/pk11slot.c	3 Apr 2010 18:27:31 -0000	1.101
++++ ./mozilla/security/nss/lib/pk11wrap/pk11slot.c	22 Jan 2011 05:39:08 -0000
+@@ -1735,6 +1735,15 @@ pk11_SetInternalKeySlot(PK11SlotInfo *sl
+    pk11InternalKeySlot = slot ? PK11_ReferenceSlot(slot) : NULL;
+ }
+ 
++void
++pk11_FirstInternalKeySlot(PK11SlotInfo *slot)
++{
++   if (pk11InternalKeySlot) {
++	return;
++   }
++   pk11InternalKeySlot = slot ? PK11_ReferenceSlot(slot) : NULL;
++}
++
+ 
+ /* get the internal key slot. FIPS has only one slot for both key slots and
+  * default slots */
+Index: ./mozilla/security/nss/lib/sysinit/nsssysinit.c
+===================================================================
+RCS file: /cvsroot/mozilla/security/nss/lib/sysinit/nsssysinit.c,v
+retrieving revision 1.2
+diff -u -p -r1.2 nsssysinit.c
+--- ./mozilla/security/nss/lib/sysinit/nsssysinit.c	6 Feb 2010 04:56:37 -0000	1.2
++++ ./mozilla/security/nss/lib/sysinit/nsssysinit.c	22 Jan 2011 05:39:08 -0000
+@@ -221,7 +221,7 @@ getFIPSMode(void)
+  * 2 for the key slot, and
+  * 3 for the crypto operations slot fips
+  */
+-#define ORDER_FLAGS "trustOrder=75 cipherOrder=100"
++#define ORDER_FLAGS "cipherOrder=100"
+ #define SLOT_FLAGS \
+ 	"[slotFlags=RSA,RC4,RC2,DES,DH,SHA1,MD5,MD2,SSL,TLS,AES,RANDOM" \
+ 	" askpw=any timeout=30 ]"
+@@ -270,7 +270,7 @@ get_list(char *filename, char *stripped_
+ 	    "library= "
+ 	    "module=\"NSS User database\" "
+ 	    "parameters=\"configdir='sql:%s' %s tokenDescription='NSS user database'\" "
+-        "NSS=\"%sflags=internal%s\"",
++        "NSS=\"trustOrder=75 %sflags=internal%s\"",
+         userdb, stripped_parameters, nssflags,
+         isFIPS ? ",FIPS" : "");
+ 
+@@ -284,30 +284,6 @@ get_list(char *filename, char *stripped_
+ 		userdb, stripped_parameters);
+ 	}
+ 
+-#if 0
+-	/* This doesn't actually work. If we register
+-		both this and the sysdb (in either order)
+-		then only one of them actually shows up */
+-
+-    /* Using a NULL filename as a Boolean flag to
+-     * prevent registering both an application-defined
+-     * db and the system db. rhbz #546211.
+-     */
+-    PORT_Assert(filename);
+-    if (sysdb && PL_CompareStrings(filename, sysdb))
+-	    filename = NULL;
+-    else if (userdb && PL_CompareStrings(filename, userdb))
+-	    filename = NULL;
+-
+-    if (filename && !userIsRoot()) {
+-	    module_list[next++] = PR_smprintf(
+-	      "library= "
+-	      "module=\"NSS database\" "
+-	      "parameters=\"configdir='sql:%s' tokenDescription='NSS database sql:%s'\" "
+-	      "NSS=\"%sflags=internal\"",filename, filename, nssflags);
+-    }
+-#endif
+-
+     /* now the system database (always read only unless it's root) */
+     if (sysdb) {
+ 	    const char *readonly = userCanModifySystemDB() ? "" : "flags=readonly";
+@@ -315,7 +291,7 @@ get_list(char *filename, char *stripped_
+ 	      "library= "
+ 	      "module=\"NSS system database\" "
+ 	      "parameters=\"configdir='sql:%s' tokenDescription='NSS system database' %s\" "
+-	      "NSS=\"%sflags=internal,critical\"",sysdb, readonly, nssflags);
++	      "NSS=\"trustOrder=80 %sflags=internal,critical\"",sysdb, readonly, nssflags);
+     }
+ 
+     /* that was the last module */
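Review bot: pk11_FirstInternalKeySlot() in the pk11slot.c section is added without a comment, although its first-caller-wins behaviour decides which database becomes the internal key slot; document the contract, e.g. `/* Set the internal key slot only if none is set yet; later calls are ignored until pk11_SetInternalKeySlot() changes it. */`. In secmod_handleReload() (whose body starts and ends outside the inner hunk) the unconditional pk11_SetInternalKeySlot(slot) becomes this conditional call, so if pk11InternalKeySlot still refers to the slot of the module being replaced, the reloaded slot is never recorded. The patch does not show whether the old value is cleared first, so that path should be checked. The test-then-assign on the global is also not visibly protected by a lock. In nsssysinit.c the trustOrder values 75 (user database) and 80 (system database) are bare literals inside format strings; a one-line comment above ORDER_FLAGS stating which value takes precedence would make the intended user-over-system trust ordering auditable.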
diff --git a/nss.spec b/nss.spec
index 1602000..8c53cbb 100644
--- a/nss.spec
+++ b/nss.spec
@@ -6,7 +6,7 @@
 Summary:          Network Security Services
 Name:             nss
 Version:          3.12.9
-Release:          1%{?dist}
+Release:          2%{?dist}
 License:          MPLv1.1 or GPLv2+ or LGPLv2+
 URL:              http://www.mozilla.org/projects/security/pki/nss/
 Group:            System Environment/Libraries
@@ -42,8 +42,7 @@ Source12:         %{name}-pem-20101125.tar.bz2
 Patch3:           renegotiate-transitional.patch
 Patch6:           nss-enable-pem.patch
 Patch7:           nsspem-642433.patch
-Patch11:          nss-sysinit-fix-trustorder.patch
-Patch12:          nss-sysinit-userdb-first.patch
+Patch11:          honor-user-trust-preferences.patch
 
 %description
 Network Security Services (NSS) is a set of libraries designed to
@@ -116,7 +115,6 @@ low level services.
 %patch6 -p0 -b .libpem
 %patch7 -p0 -b .642433
 %patch11 -p1 -b .643134
-%patch12 -p0 -b .603313
 
 
 %build
@@ -249,7 +247,7 @@ cd ./mozilla/security/nss/tests/
 #  nss_ssl_tests: crl bypass_normal normal_bypass normal_fips fips_normal iopr
 #  nss_ssl_run: cov auth stress
 #
-#  Disable the ssl test suites untl Bug 539183 gets resolved
+#  Disable the ssl test suites until Bug 539183 is resolved
 %global nss_ssl_tests " "
 %global nss_ssl_run " "
 
@@ -492,6 +490,10 @@ rm -rf $RPM_BUILD_ROOT/%{_includedir}/nss3/nsslowhash.h
 %{_libdir}/libnssckfw.a
 
 %changelog
+* Wed Jan 19 2011 Elio Maldonado <emaldona at redhat.com> - 3.12.9-2
+- Fix to honor the user's cert trust preferences (#633043)
+- Remove obsoleted patch
+
 * Wed Jan 12 2011 Elio Maldonado <emaldona at redhat.com> - 3.12.9-1
 - Update to 3.12.9
 

