[nss/f14/master] - Fix to swap internal key slot on fips mode switches, related to #633043 - Fixes a side effect of t
Elio Maldonado
emaldonado at fedoraproject.org
Fri Feb 11 17:45:30 UTC 2011
commit 41067b8b405f05fdec061b15352ff8f817cad7d8
Author: Elio Maldonado <emaldona at redhat.com>
Date: Fri Feb 11 09:44:12 2011 -0800
- Fix to swap internal key slot on fips mode switches, related to #633043
- Fixes a side effect of the fix for #633043 detected by the JSS test suite
nss.spec | 7 +++-
swap-internal-key-slot.patch | 97 ++++++++++++++++++++++++++++++++++++++++++
2 files changed, 103 insertions(+), 1 deletions(-)
---
diff --git a/nss.spec b/nss.spec
index a7c41d4..f62d6aa 100644
--- a/nss.spec
+++ b/nss.spec
@@ -6,7 +6,7 @@
Summary: Network Security Services
Name: nss
Version: 3.12.9
-Release: 5%{?dist}
+Release: 6%{?dist}
License: MPLv1.1 or GPLv2+ or LGPLv2+
URL: http://www.mozilla.org/projects/security/pki/nss/
Group: System Environment/Libraries
@@ -43,6 +43,7 @@ Patch3: renegotiate-transitional.patch
Patch6: nss-enable-pem.patch
Patch7: nsspem-642433.patch
Patch11: honor-user-trust-preferences.patch
+Patch15: swap-internal-key-slot.patch
%description
Network Security Services (NSS) is a set of libraries designed to
@@ -115,6 +116,7 @@ low level services.
%patch6 -p0 -b .libpem
%patch7 -p0 -b .642433
%patch11 -p1 -b .643134
+%patch15 -p1 -b .jss
%build
@@ -491,6 +493,9 @@ rm -rf $RPM_BUILD_ROOT/%{_includedir}/nss3/nsslowhash.h
%{_libdir}/libnssckfw.a
%changelog
+* Thu Feb 10 2011 Elio Maldonado <emaldona at redhat.com> - 3.12.9-6
+- Fix to swap internal key slot on fips mode switches, related to #633043
+
* Mon Feb 07 2011 Elio Maldonado <emaldona at redhat.com> - 3.12.9-5
- Remove a header that now nss-softokn-freebl-devel ships, related to #675196
- Backing out earlier patch until further testing from upstream for 3.12.10
diff --git a/swap-internal-key-slot.patch b/swap-internal-key-slot.patch
new file mode 100644
index 0000000..ead072e
--- /dev/null
+++ b/swap-internal-key-slot.patch
@@ -0,0 +1,97 @@
+diff -up ./mozilla/security/nss/lib/pk11wrap/pk11pars.c.jss ./mozilla/security/nss/lib/pk11wrap/pk11pars.c
+--- ./mozilla/security/nss/lib/pk11wrap/pk11pars.c.jss 2011-02-11 07:45:38.324083242 -0800
++++ ./mozilla/security/nss/lib/pk11wrap/pk11pars.c 2011-02-11 07:48:14.514166538 -0800
+@@ -258,6 +258,19 @@ secmod_IsInternalKeySlot(SECMODModule *m
+ return (flags & SECMOD_FLAG_INTERNAL_KEY_SLOT) ? PR_TRUE : PR_FALSE;
+ }
+
++void
++secmod_SetInternalKeySlotFlag(SECMODModule *mod, PRBool val)
++{
++ char flags = (char) mod->internal;
++
++ if (val) {
++ flags |= SECMOD_FLAG_INTERNAL_KEY_SLOT;
++ } else {
++ flags &= ~SECMOD_FLAG_INTERNAL_KEY_SLOT;
++ }
++ mod->internal = flags;
++}
++
+ /* forward declarations */
+ static int secmod_escapeSize(const char *string, char quote);
+ static char *secmod_addEscape(const char *string, char quote);
+diff -up ./mozilla/security/nss/lib/pk11wrap/pk11priv.h.jss ./mozilla/security/nss/lib/pk11wrap/pk11priv.h
+--- ./mozilla/security/nss/lib/pk11wrap/pk11priv.h.jss 2011-02-11 07:47:45.037226877 -0800
++++ ./mozilla/security/nss/lib/pk11wrap/pk11priv.h 2011-02-11 07:48:28.854164207 -0800
+@@ -115,6 +115,7 @@ void PK11_InitSlot(SECMODModule *mod,CK_
+ PRBool PK11_NeedPWInitForSlot(PK11SlotInfo *slot);
+ SECStatus PK11_ReadSlotCerts(PK11SlotInfo *slot);
+ void pk11_SetInternalKeySlot(PK11SlotInfo *slot);
++PK11SlotInfo *pk11_SwapInternalKeySlot(PK11SlotInfo *slot);
+ void pk11_SetInternalKeySlotIfFirst(PK11SlotInfo *slot);
+
+ /*********************************************************************
+diff -up ./mozilla/security/nss/lib/pk11wrap/pk11slot.c.jss ./mozilla/security/nss/lib/pk11wrap/pk11slot.c
+--- ./mozilla/security/nss/lib/pk11wrap/pk11slot.c.jss 2011-02-11 07:41:11.258746774 -0800
++++ ./mozilla/security/nss/lib/pk11wrap/pk11slot.c 2011-02-11 07:48:51.291595867 -0800
+@@ -1755,6 +1755,18 @@ pk11_SetInternalKeySlotIfFirst(PK11SlotI
+ pk11InternalKeySlot = slot ? PK11_ReferenceSlot(slot) : NULL;
+ }
+
++/*
++ * Swap out a default internal keyslot. Caller owns the Slot Reference
++ */
++PK11SlotInfo *
++pk11_SwapInternalKeySlot(PK11SlotInfo *slot)
++{
++ PK11SlotInfo *swap = pk11InternalKeySlot;
++
++ pk11InternalKeySlot = slot ? PK11_ReferenceSlot(slot) : NULL;
++ return swap;
++}
++
+
+ /* get the internal key slot. FIPS has only one slot for both key slots and
+ * default slots */
+diff -up ./mozilla/security/nss/lib/pk11wrap/pk11util.c.jss ./mozilla/security/nss/lib/pk11wrap/pk11util.c
+--- ./mozilla/security/nss/lib/pk11wrap/pk11util.c.jss 2011-02-11 07:40:23.748066635 -0800
++++ ./mozilla/security/nss/lib/pk11wrap/pk11util.c 2011-02-11 07:49:19.674611909 -0800
+@@ -483,13 +483,25 @@ SECMOD_DeleteInternalModule(const char *
+ NULL, SECMOD_FIPS_FLAGS);
+ }
+ if (newModule) {
++ PK11SlotInfo *slot;
+ newModule->libraryParams =
+ PORT_ArenaStrdup(newModule->arena,mlp->module->libraryParams);
++ /* if an explicit internal key slot has been set, reset it */
++ slot = pk11_SwapInternalKeySlot(NULL);
++ if (slot) {
++ secmod_SetInternalKeySlotFlag(newModule, PR_TRUE);
++ }
+ rv = SECMOD_AddModule(newModule);
+ if (rv != SECSuccess) {
++ /* load failed, restore the internal key slot */
++ pk11_SetInternalKeySlot(slot);
+ SECMOD_DestroyModule(newModule);
+ newModule = NULL;
+ }
++ /* free the old explicit internal key slot, we now have a new one */
++ if (slot) {
++ PK11_FreeSlot(slot);
++ }
+ }
+ if (newModule == NULL) {
+ SECMODModuleList *last = NULL,*mlp2;
+diff -up ./mozilla/security/nss/lib/pk11wrap/secmodi.h.jss ./mozilla/security/nss/lib/pk11wrap/secmodi.h
+--- ./mozilla/security/nss/lib/pk11wrap/secmodi.h.jss 2011-02-11 07:39:04.685590962 -0800
++++ ./mozilla/security/nss/lib/pk11wrap/secmodi.h 2011-02-11 07:49:28.120021571 -0800
+@@ -90,6 +90,8 @@ SECStatus secmod_LoadPKCS11Module(SECMOD
+ SECStatus SECMOD_UnloadModule(SECMODModule *);
+ void SECMOD_SetInternalModule(SECMODModule *);
+ PRBool secmod_IsInternalKeySlot(SECMODModule *);
++void secmod_SetInternalKeySlotFlag(SECMODModule *mod, PRBool val);
++
+
+ /* tools for checking if we are loading the same database twice */
+ typedef struct SECMODConfigListStr SECMODConfigList;
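Review bot: The header comment on the new pk11_SwapInternalKeySlot in pk11slot.c ("Caller owns the Slot Reference") leaves it unclear which reference is meant, while the body both takes a new reference on the incoming slot via PK11_ReferenceSlot and hands back the previous pointer without releasing it; I would replace it with `/* Replace the default internal key slot with 'slot' (taking a new reference on it) and return the previous one; the caller owns the returned reference and must release it with PK11_FreeSlot(). */`. The SECMOD_DeleteInternalModule hunk in pk11util.c relies on exactly that contract: it frees the swapped-out slot unconditionally after the `rv != SECSuccess` branch has passed it back to pk11_SetInternalKeySlot, so the accounting only balances if pk11_SetInternalKeySlot takes its own reference the way pk11_SetInternalKeySlotIfFirst visibly does; pk11_SetInternalKeySlot's body is outside this patch and should be confirmed before landing. The swap of the file-scope pk11InternalKeySlot happens with no locking visible in the hunk; if callers are expected to hold the module-list lock, a one-line comment at the swap site saying so would help the next reader. SECMOD_DeleteInternalModule begins and ends outside the hunk.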