rpms/nss_compat_ossl/F-9 nss_compat_ossl-rootcert.patch, NONE, 1.1 nss_compat_ossl.spec, 1.12, 1.13
Robert Crittenden
rcritten at fedoraproject.org
Wed Apr 29 14:02:42 UTC 2009
Author: rcritten
Update of /cvs/extras/rpms/nss_compat_ossl/F-9
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv20371
Modified Files:
nss_compat_ossl.spec
Added Files:
nss_compat_ossl-rootcert.patch
Log Message:
Resolve BZ 497788, implement default loading of root CAs
nss_compat_ossl-rootcert.patch:
--- NEW FILE nss_compat_ossl-rootcert.patch ---
diff -ruNp nss_compat_ossl-0.9.5.orig/ChangeLog nss_compat_ossl-0.9.5/ChangeLog
--- nss_compat_ossl-0.9.5.orig/ChangeLog 2009-04-20 11:02:22.000000000 -0400
+++ nss_compat_ossl-0.9.5/ChangeLog 2009-04-29 09:47:29.000000000 -0400
@@ -1,3 +1,17 @@
+2009-04-29 Rob Crittenden <rcritten at redhat.com>
+
+ * Implement SSL_CTX_set_default_verify_paths()
+
+2009-04-20 Rob Crittenden <rcritten at redhat.com>
+
+ * nss_compat_ossl 0.9.5 released.
+
+2009-04-20 Rob Crittenden <rcritten at redhat.com>
+ * Ensure that an SSL context exists before doing anything. Since
+ we can't catch NSS initialization failures at init time we have
+ to catch them later (like this).
+
+
2009-03-06 Rich Megginson <rmeggins at redhat.com>
* Change license to MIT style license
diff -ruNp nss_compat_ossl-0.9.5.orig/ChangeLog.orig nss_compat_ossl-0.9.5/ChangeLog.orig
--- nss_compat_ossl-0.9.5.orig/ChangeLog.orig 1969-12-31 19:00:00.000000000 -0500
+++ nss_compat_ossl-0.9.5/ChangeLog.orig 2009-04-20 11:02:22.000000000 -0400
@@ -0,0 +1,163 @@
+2009-03-06 Rich Megginson <rmeggins at redhat.com>
+
+ * Change license to MIT style license
+
+2008-09-12 Rob Crittenden <rcritten at redhat.com>
+
+ * Use proper NSPR header file (even though marked as private)
+ * Don't use PR_GetRandomNoise(), it isn't truly random. Use
+ PK11_GenerateRandom()
+
+2008-07-02 Rob Crittenden <rcritten at redhat.com>
+
+ * nss_compat_ossl has some BIO emulation code that links a BIO object
+ in as an NSPR layer. This code 1) did not implement enough of the
+ layer to make SSL happy, and 2) linked the layer at the wrong point
+ in the stack. (453651) Contributed by Bob Relyea
+
+2007-10-16 Rob Crittenden <rcritten at redhat.com>
+
+ * Use pkg-config to get the list of NSPR and NSS libraries to link with.
+
+2007-10-13 Rob Crittenden <rcritten at redhat.com>
+
+ * Don't explicitly link with libsoftokn3.so (330091)
+
+2007-10-13 Rob Crittenden <rcritten at redhat.com>
+
+ * Reverting change to remove #define CERT_NewTempCertificate (306711)
+ This needs to be there otherwise there is an undefined symbol
+
+2007-09-20 Rob Crittenden <rcritten at redhat.com>
+
+ * nss_compat_ossl 0.9.2 released.
+
+2007-09-20 Rob Crittenden <rcritten at redhat.com>
+
+ * Fix some compiler warnings
+
+2007-09-20 Rob Crittenden <rcritten at redhat.com>
+
+ * The license is LGPLv2.1. I had wrongly included both a LGPL
+ LICENSE file AND the GPL 2 COPYING file. LICENSE was removed
+ in a separate update, this fixes COPYING.
+
+2007-09-20 Rob Crittenden <rcritten at redhat.com>
+
+ * Patch submitted by Miloslav Trmac (259901)
+ * Define PEM_BUFSIZE
+ * Use a better X509_STORE_CTX (with ->current_cert, ->error)
+ * Add a dummy PEM_def_callback
+ * Add SSLv2_server_method
+ * Add X509_LU_X509, X509_STORE_get_by_subject
+ * Add SSL_get_ex_data_X509_STORE_CTX_idx, and a stub for
+ X509_STORE_CTX_get_ex_data
+ * Uncomment declaration of SSL_state_string_long. Return at least
+ some string instead of NULL.
+ * Fix prototype of CRYPTO_set_locking_callback
+ * Use PK11_GenerateRandom, not PR_GetRandomNoise for RAND_write_file:
+ RAND_write_file is used to keep a persistent random seed across
+ stunnel runs, it is not really necessary to generate a truly random
+ seed each time. Besides, reading 1024 bytes from /dev/random takes
+ way too long.
+ * Don't call fclose(NULL) in RAND_write_file
+ * Return NULL from SSL_get_peer_certificate if no peer certificate is
+ available
+ * Decide whether to allocate memory in X509_NAME_oneline based on
+ the passed buffer, not its size
+
+2007-09-14 Rob Crittenden <rcritten at redhat.com>
+
+ * Change name of PKCS#11 module to libnsspem.so
+ * Import some improvements made during curl development
+
+2007-08-29 Rob Crittenden <rcritten at redhat.com>
+
+ * nss_compat_ossl 0.9.1 released.
+
+2007-08-06 Rob Crittenden <rcritten at redhat.com>
+
+ * Remove conflicting LICENSE file (the library is LGPL, not GPL).
+ The file COPYING was correct.
+ * Provide a more usable README
+
+2007-07-25 Rob Crittenden <rcritten at redhat.com>
+
+ * Import into repository. Lost 17 revisions of the history in the
+ migration.
+
+2007-05-29 Rob Crittenden <rcritten at redhat.com>
+
+ * Handle the SSL verify modes for clients as well
+
+2007-05-29 Rob Crittenden <rcritten at redhat.com>
+
+ * In X509_NAME_oneline() use the certificate arena to allocate memory
+
+2007-05-24 Rob Crittenden <rcritten at redhat.com>
+
+ * Handle authenticating a PKCS#11 PEM token. If an encrypted key PEM is
+ provided then the module will correctly prompt for the PIN
+ * Initialize the certificate nickname to NULL
+ * Check the return result of PK11_CreateGenericObject()
+ * After a certificate is selected make sure it exists. Better to catch
+ this earlier than later
+ * Fix SSL_want() to return a legal value (SSL_NOTHING)
+ * Fix some compiler warnings
+
+2007-05-14 Rob Crittenden <rcritten at redhat.com>
+
+ * First cut at loading PEM files on the fly by using a PKCS#11 module
+ that can read them. This is currently disabled as it requires the
+ NSS tip (3.12) and some additional patches.
+ If a filename does not contain a slash (/) then it is considered
+ to be a regular NSS nickname and the NSS Certificate DB token is
+ used.
+
+2007-05-11 Rob Crittenden <rcritten at redhat.com>
+
+ * Patch from Bob Relyea
+ * Adds support for some of the BIO API
+
+2007-04-25 Rob Crittenden <rcritten at redhat.com>
+
+ * A few casts to eliminate some compiler warnings.
+
+2007-04-25 Rob Crittenden <rcritten at redhat.com>
+
+ * Don't allow SSL_library_init to be called more than once
+ * Enable the SSL cache for servers
+
+2007-04-24 Rob Crittenden <rcritten at redhat.com>
+
+ * Cobbled function sftk_newPinCheck() from NSS to do password type and
+ length enforcemen when in FIPS mode
+ * For some reason I had disabled setting ciphers. Re-enabled that and
+ now enforce only FIPS-approved ciphers when the token is in FIPS mode.
+
+2007-04-24 Rob Crittenden <rcritten at redhat.com>
+
+ * Should use PR_USER_THREAD in PR_Init
+ * Add a close method for our layer
+
+2007-04-24 Rob Crittenden <rcritten at redhat.com>
+
+ * Implement SSL_CIPHER_get_version (possibly wrongly) and
+ SSL_CIPHER_get_bits
+ * Fix using an NSS database with a password. Freeing the slot list
+ was bad.
+
+2007-04-23 Rob Crittenden <rcritten at redhat.com>
+
+ * If a certificate cannot be found set an appropriate error so an
+ OpenSSL app reports the right problem.
+ * Look in /etc/pki/nssdb if SSL_DIR is not set
+ * Implement the DEFAULT cipher keyword
+
+2007-04-23 Rob Crittenden <rcritten at redhat.com>
+
+ * Fill in some more of the RAND_ API
+
+2007-04-20 Rob Crittenden <rcritten at redhat.com>
+
+ * Start of project
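Review bot: this whole section adds ChangeLog.orig as a new 163-line file, but it is a backup copy of the pre-patch ChangeLog (it starts with the same 2009-03-06 Rich Megginson entry that the first hunk shows as existing context) left behind by an earlier patch/editor run. It should not be part of the patch: drop the `diff -ruNp ... ChangeLog.orig` section entirely and regenerate the diff from a clean tree so that stray *.orig files do not get created in the build tree on every %prep.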
diff -ruNp nss_compat_ossl-0.9.5.orig/src/ssl.c nss_compat_ossl-0.9.5/src/ssl.c
--- nss_compat_ossl-0.9.5.orig/src/ssl.c 2009-04-20 11:02:22.000000000 -0400
+++ nss_compat_ossl-0.9.5/src/ssl.c 2009-04-29 09:47:29.000000000 -0400
@@ -80,8 +80,10 @@ static int nss_set_private(PRFileDesc *f
int is_initialized = 0;
static const char* pem_library = "libnsspem.so";
+static const char* root_certs_library = "libnssckbi.so";
-static SECMODModule* mod = NULL;
+static SECMODModule* pemMod = NULL;
+static SECMODModule* rootMod = NULL;
CK_SLOT_ID slotCount = 1;
#define DEF_SSL2_TIMEOUT 100L /* seconds */
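Review bot: renaming `mod` to `pemMod` and adding a separate `rootMod` handle is the right split, but the patch adds no teardown for `rootMod`. Whatever shutdown path releases `pemMod` should also call SECMOD_UnloadUserModule()/SECMOD_DestroyModule() on `rootMod` when it is non-NULL, otherwise the root-certs module handle leaks for the life of the process.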
@@ -1002,7 +1004,7 @@ nss_set_server_cert(SSL_CTX *ctx, const
if (n) {
n++;
}
- if (mod == NULL) /* we have a file-based cert but no PEM module */
+ if (pemMod == NULL) /* we have a file-based cert but no PEM module */
return 1;
} else {
if (cacert)
@@ -1278,11 +1280,11 @@ int SSL_library_init(void)
PR_snprintf(configstring, 4096, "library=%s name=PEM parameters=\"\"", pem_library);
- mod = SECMOD_LoadUserModule(configstring, NULL, PR_FALSE);
- if (!mod || !mod->loaded) {
- if (mod) {
- SECMOD_DestroyModule(mod);
- mod = NULL;
+ pemMod = SECMOD_LoadUserModule(configstring, NULL, PR_FALSE);
+ if (!pemMod || !pemMod->loaded) {
+ if (pemMod) {
+ SECMOD_DestroyModule(pemMod);
+ pemMod = NULL;
}
free(configstring);
return 1;
@@ -2112,7 +2114,7 @@ int SSL_CTX_use_PrivateKey_file(SSL_CTX
}
/* This will force the token to be seen as re-inserted */
- SECMOD_WaitForAnyTokenEvent(mod, 0, 0);
+ SECMOD_WaitForAnyTokenEvent(pemMod, 0, 0);
PK11_IsPresent(slot);
if (PK11_Authenticate(slot, PR_TRUE, &retryCount) != SECSuccess) {
@@ -2724,7 +2726,17 @@ int SSL_CTX_load_verify_locations(SSL_CT
}
int SSL_CTX_set_default_verify_paths(SSL_CTX * ctx) {
- return 0;
+ if (PR_FALSE == SECMOD_HasRootCerts()) {
+ char configstring[64];
+
+ /* try to load root certs module */
+ PR_snprintf(configstring, 64, "library=%s name=\"Root Certs\" parameters=\"\"", root_certs_library);
+ rootMod = SECMOD_LoadUserModule(configstring, NULL, PR_FALSE);
+ if (rootMod || !rootMod->loaded) {
+ SECMOD_DestroyModule(rootMod);
+ rootMod = NULL;
+ }
+ }
}
void SSL_set_verify(SSL *ssl, int mode,
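Review bot: the error check in the new SSL_CTX_set_default_verify_paths() body is inverted. `if (rootMod || !rootMod->loaded)` destroys the module whenever the load succeeded, and when the load failed (`rootMod == NULL`) it dereferences a null pointer in `rootMod->loaded`. It should read `if (!rootMod || !rootMod->loaded)`, matching the pemMod check in SSL_library_init(). Separately, the function is declared `int` but the old `return 0;` was removed and no return statement remains, so every path now falls off the end and the caller gets an indeterminate value; return 1 when root certs are available (either SECMOD_HasRootCerts() was already true or the load succeeded) and 0 on failure, which is the OpenSSL contract for this function. Finally, `configstring[64]` holds the 53-character "library=libnssckbi.so name=\"Root Certs\" parameters=\"\"" string with little margin and PR_snprintf() truncates silently; either size the buffer generously or check the returned length before calling SECMOD_LoadUserModule().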
Index: nss_compat_ossl.spec
===================================================================
RCS file: /cvs/extras/rpms/nss_compat_ossl/F-9/nss_compat_ossl.spec,v
retrieving revision 1.12
retrieving revision 1.13
diff -u -p -r1.12 -r1.13
--- nss_compat_ossl.spec 20 Apr 2009 15:16:07 -0000 1.12
+++ nss_compat_ossl.spec 29 Apr 2009 14:02:41 -0000 1.13
@@ -1,6 +1,6 @@
Name: nss_compat_ossl
Version: 0.9.5
-Release: 1%{?dist}
+Release: 2%{?dist}
Summary: Source-level compatibility library for OpenSSL to NSS porting
Group: System Environment/Libraries
@@ -8,6 +8,7 @@ License: MIT
URL: http://rcritten.fedorapeople.org/nss_compat_ossl.html
Source0: http://rcritten.fedorapeople.org/%{name}-%{version}.tar.gz
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
+Patch1: nss_compat_ossl-rootcert.patch
# Need > 3.11.7-7 so we have the NSS PKCS#11 flat-file reader available
BuildRequires: nss-devel > 3.11.7-7
@@ -27,6 +28,7 @@ Header and library files for doing porti
%prep
%setup -q
+%patch1 -p1 -b .rootcert
%build
@@ -65,6 +67,9 @@ rm -rf $RPM_BUILD_ROOT
%postun -p /sbin/ldconfig
%changelog
+* Wed Apr 29 2009 Rob Crittenden <rcritten at redhat.com> - 0.9.5-2
+- Resolve BZ 497788, implement default loading of root CAs
+
* Mon Apr 20 2009 Rob Crittenden <rcritten at redhat.com> - 0.9.5-1
- Update to 0.9.5
- License changed to MIT