diff options
| author | rrelyea%redhat.com <devnull@localhost> | 2011-02-09 23:49:55 +0000 |
|---|---|---|
| committer | rrelyea%redhat.com <devnull@localhost> | 2011-02-09 23:49:55 +0000 |
| commit | 841a6c7f3fd14b751423ccc7f0cfcc098415defe (patch) | |
| tree | 0bf2719d9bbd244c6ccda67c6bf3b5a5ddcc493e | |
| parent | 28fd1d98896515aa37d82a90724aebb2d285b56a (diff) | |
| download | nss-hg-841a6c7f3fd14b751423ccc7f0cfcc098415defe.tar.gz | |
Fix tinderbox from patch to Bug 595988 - NSS trusts CAs it shouldn't (trusts system db over user db)
patch by rrrelyea
r=elmaldona.
* The NSS trusts patch causes explicit internal tokens to be set in almost all cases. When we switch to FIPS mode we need to reset those explicit internal tokens.
| -rw-r--r-- | security/nss/lib/pk11wrap/pk11pars.c | 13 | ||||
| -rw-r--r-- | security/nss/lib/pk11wrap/pk11priv.h | 1 | ||||
| -rw-r--r-- | security/nss/lib/pk11wrap/pk11slot.c | 12 | ||||
| -rw-r--r-- | security/nss/lib/pk11wrap/pk11util.c | 12 | ||||
| -rw-r--r-- | security/nss/lib/pk11wrap/secmodi.h | 2 |
5 files changed, 40 insertions, 0 deletions
diff --git a/security/nss/lib/pk11wrap/pk11pars.c b/security/nss/lib/pk11wrap/pk11pars.c index 585508475..5b50580b1 100644 --- a/security/nss/lib/pk11wrap/pk11pars.c +++ b/security/nss/lib/pk11wrap/pk11pars.c @@ -258,6 +258,19 @@ secmod_IsInternalKeySlot(SECMODModule *mod) return (flags & SECMOD_FLAG_INTERNAL_KEY_SLOT) ? PR_TRUE : PR_FALSE; } +void +secmod_SetInternalKeySlotFlag(SECMODModule *mod, PRBool val) +{ + char flags = (char) mod->internal; + + if (val) { + flags |= SECMOD_FLAG_INTERNAL_KEY_SLOT; + } else { + flags &= ~SECMOD_FLAG_INTERNAL_KEY_SLOT; + } + mod->internal = flags; +} + /* forward declarations */ static int secmod_escapeSize(const char *string, char quote); static char *secmod_addEscape(const char *string, char quote); diff --git a/security/nss/lib/pk11wrap/pk11priv.h b/security/nss/lib/pk11wrap/pk11priv.h index 23ed49a8e..0ce3c5e9e 100644 --- a/security/nss/lib/pk11wrap/pk11priv.h +++ b/security/nss/lib/pk11wrap/pk11priv.h @@ -115,6 +115,7 @@ void PK11_InitSlot(SECMODModule *mod,CK_SLOT_ID slotID,PK11SlotInfo *slot); PRBool PK11_NeedPWInitForSlot(PK11SlotInfo *slot); SECStatus PK11_ReadSlotCerts(PK11SlotInfo *slot); void pk11_SetInternalKeySlot(PK11SlotInfo *slot); +PK11SlotInfo *pk11_SwapInternalKeySlot(PK11SlotInfo *slot); void pk11_SetInternalKeySlotIfFirst(PK11SlotInfo *slot); /********************************************************************* diff --git a/security/nss/lib/pk11wrap/pk11slot.c b/security/nss/lib/pk11wrap/pk11slot.c index 805bded63..65d807d0f 100644 --- a/security/nss/lib/pk11wrap/pk11slot.c +++ b/security/nss/lib/pk11wrap/pk11slot.c @@ -1755,6 +1755,18 @@ pk11_SetInternalKeySlotIfFirst(PK11SlotInfo *slot) pk11InternalKeySlot = slot ? PK11_ReferenceSlot(slot) : NULL; } +/* + * Swap out a default internal keyslot. Caller owns the Slot Reference + */ +PK11SlotInfo * +pk11_SwapInternalKeySlot(PK11SlotInfo *slot) +{ + PK11SlotInfo *swap = pk11InternalKeySlot; + + pk11InternalKeySlot = slot ? PK11_ReferenceSlot(slot) : NULL; + return swap; +} + /* get the internal key slot. FIPS has only one slot for both key slots and * default slots */ diff --git a/security/nss/lib/pk11wrap/pk11util.c b/security/nss/lib/pk11wrap/pk11util.c index f8828d465..03d3c09d9 100644 --- a/security/nss/lib/pk11wrap/pk11util.c +++ b/security/nss/lib/pk11wrap/pk11util.c @@ -483,13 +483,25 @@ SECMOD_DeleteInternalModule(const char *name) NULL, SECMOD_FIPS_FLAGS); } if (newModule) { + PK11SlotInfo *slot; newModule->libraryParams = PORT_ArenaStrdup(newModule->arena,mlp->module->libraryParams); + /* if an explicit internal key slot has been set, reset it */ + slot = pk11_SwapInternalKeySlot(NULL); + if (slot) { + secmod_SetInternalKeySlotFlag(newModule, PR_TRUE); + } rv = SECMOD_AddModule(newModule); if (rv != SECSuccess) { + /* load failed, restore the internal key slot */ + pk11_SetInternalKeySlot(slot); SECMOD_DestroyModule(newModule); newModule = NULL; } + /* free the old explicit internal key slot, we now have a new one */ + if (slot) { + PK11_FreeSlot(slot); + } } if (newModule == NULL) { SECMODModuleList *last = NULL,*mlp2; diff --git a/security/nss/lib/pk11wrap/secmodi.h b/security/nss/lib/pk11wrap/secmodi.h index b67e6df99..168d99719 100644 --- a/security/nss/lib/pk11wrap/secmodi.h +++ b/security/nss/lib/pk11wrap/secmodi.h @@ -90,6 +90,8 @@ SECStatus secmod_LoadPKCS11Module(SECMODModule *, SECMODModule **oldModule); SECStatus SECMOD_UnloadModule(SECMODModule *); void SECMOD_SetInternalModule(SECMODModule *); PRBool secmod_IsInternalKeySlot(SECMODModule *); +void secmod_SetInternalKeySlotFlag(SECMODModule *mod, PRBool val); + /* tools for checking if we are loading the same database twice */ typedef struct SECMODConfigListStr SECMODConfigList; |