[nss] Disable bypass code at build time and return failure on attempts to enable at runtime

Elio Maldonado emaldonado at fedoraproject.org
Sat Nov 10 00:17:35 UTC 2012


commit 19ad65d608057ce9a2402fc0091e90f26c8a6080
Author: Elio Maldonado <emaldona at redhat.com>
Date:   Fri Nov 9 17:20:07 2012 -0800

    Disable bypass code at build time and return failure on attempts to enable at runtime
    
    - Bug 806588 - Disable SSL PKCS #11 bypass at build time

 nss-ssl-enforce-no-pkcs11-bypass.path |   15 +++++++++++++++
 nss.spec                              |   12 +++++++++++-
 2 files changed, 26 insertions(+), 1 deletions(-)
---
diff --git a/nss-ssl-enforce-no-pkcs11-bypass.path b/nss-ssl-enforce-no-pkcs11-bypass.path
new file mode 100644
index 0000000..ee4e9df
--- /dev/null
+++ b/nss-ssl-enforce-no-pkcs11-bypass.path
@@ -0,0 +1,15 @@
+diff -up ./mozilla/security/nss/lib/ssl/derive.c.nobypass ./mozilla/security/nss/lib/ssl/derive.c
+diff -up ./mozilla/security/nss/lib/ssl/sslsock.c.nobypass ./mozilla/security/nss/lib/ssl/sslsock.c
+--- ./mozilla/security/nss/lib/ssl/sslsock.c.nobypass	2012-10-07 15:12:25.455307540 -0700
++++ ./mozilla/security/nss/lib/ssl/sslsock.c	2012-10-07 15:21:27.229346754 -0700
+@@ -547,8 +547,8 @@ static PRStatus SSL_BypassRegisterShutdo
+ static PRStatus SSL_BypassSetup(void)
+ {
+ #ifdef NO_PKCS11_BYPASS
+-    /* Guarantee binary compatibility */
+-    return PR_SUCCESS;
++    /* We can safely return failure as we have never supported it */
++    return PR_FALSE;
+ #else
+     return PR_CallOnce(&setupBypassOnce, &SSL_BypassRegisterShutdown);
+ #endif
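Review bot: The added `return PR_FALSE;` in SSL_BypassSetup does not report failure: PR_FALSE is a PRBool whose value is 0, and in NSPR's PRStatus enum 0 is PR_SUCCESS (PR_FAILURE is -1), so the function still reports success and only the comment changed meaning. The line should be `return PR_FAILURE;`, which also matches the declared PRStatus return type instead of mixing enum types. As far as I can tell the SSL_BYPASS_PKCS11 option handler (outside this hunk) compares this result against PR_SUCCESS, so with PR_FALSE an attempt to enable the bypass would still be silently accepted rather than fail as the commit message states. The nested patch also opens with a `diff -up` line for derive.c that has no hunk behind it; it is harmless to `patch` but should be dropped. SSL_BypassSetup's closing brace lies past the end of the hunk.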
diff --git a/nss.spec b/nss.spec
index 15984b4..3d02f85 100644
--- a/nss.spec
+++ b/nss.spec
@@ -7,7 +7,7 @@
 Summary:          Network Security Services
 Name:             nss
 Version:          3.14
-Release:          8%{?dist}
+Release:          9%{?dist}
 License:          MPLv2.0
 URL:              http://www.mozilla.org/projects/security/pki/nss/
 Group:            System Environment/Libraries
@@ -64,6 +64,8 @@ Patch18:          nss-646045.patch
 Patch25:          nsspem-use-system-freebl.patch
 # This patch is currently meant for stable branches
 Patch29:          nss-ssl-cbc-random-iv-off-by-default.patch
+# Prevent users from trying to enable ssl pkcs11 bypass
+Patch39:          nss-ssl-enforce-no-pkcs11-bypass.path
 # TODO: Remove this patch when the ocsp test are fixed
 Patch40:          nss-3.14.0.0-disble-ocsp-test.patch
 
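Review bot: The new Patch39 line names the file `nss-ssl-enforce-no-pkcs11-bypass.path`; the extension looks like a typo for `.patch`, and since the file added earlier in this commit carries the same name, both should be renamed together so the spec and the source file stay consistent with the other `PatchNN` entries. The comment above it would also help a later maintainer if it named the build-side half of the change: `# Prevent users from trying to enable ssl pkcs11 bypass; pairs with NSS_NO_PKCS11_BYPASS=1 exported in %build`. The nested patch only has effect under `#ifdef NO_PKCS11_BYPASS`, and I am inferring that the exported NSS_NO_PKCS11_BYPASS variable is what defines that macro in the NSS build; worth confirming, since without that define this patch changes nothing.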
@@ -150,11 +152,15 @@ low level services.
 %patch25 -p0 -b .systemfreebl
 # activate for stable and beta branches
 #%patch29 -p0 -b .770682
+%patch39 -p1 -b .nobypass
 %patch40 -p1 -b .noocsptest
 %patch41 -p0 -b .872124
 
 %build
 
+NSS_NO_PKCS11_BYPASS=1
+export NSS_NO_PKCS11_BYPASS
+
 FREEBL_NO_DEPEND=1
 export FREEBL_NO_DEPEND
 
@@ -584,6 +590,10 @@ rm -f $RPM_BUILD_ROOT/%{_includedir}/nss3/nsslowhash.h
 
 
 %changelog
+* Sat Nov 10 2012 Elio Maldonado <emaldona at redhat.com> - 3.14-9
+- Disable bypass code at build time and return failure on attempts to enable at runtime
+- Bug 806588 - Disable SSL PKCS #11 bypass at build time
+
 * Sun Nov 04 2012 Elio Maldonado <emaldona at redhat.com> - 3.14-8
 - Fix pk11wrap locking which fixes 'fedpkg new-sources' and 'fedpkg update' hangs
 - Bug 872124 - nss-3.14 breaks fedpkg new-sources

