Bug 806588
| Summary: | Disable SSL PKCS #11 bypass at build time | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Elio Maldonado Batiz <emaldona> |
| Component: | nss | Assignee: | Elio Maldonado Batiz <emaldona> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | rawhide | CC: | emaldona, kdudka, kengert |
| Target Milestone: | --- | Keywords: | Patch |
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | nss-3.14-9.fc19, nss-3.14-6.fc18 | Doc Type: | Bug Fix |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2012-11-27 05:03:50 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | |||
| Bug Blocks: | 689918, 689919 | ||
| Attachments: | |||
|
Description
Elio Maldonado Batiz
2012-03-25 04:52:52 UTC
Created attachment 572564 [details]
Disables ssl bypass at build time
Comment on attachment 572564 [details]
Disables ssl bypass at build time
My own comment: NSS_ALLOW_SSLBYPASS is too long, no need for the NSS_ in front to disambiguate as this is not a runtime environment variable but a build time variable.
Created attachment 574100 [details]
Disable ssl pkcs11 layer bypass at build time
Comment on attachment 574100 [details]
Disable ssl pkcs11 layer bypass at build time
One must add export NSS_NOSSLBYPASS=1
to the %build section of nss.spec to trigger CFLAGS +=NOSSLBYPASS
Created attachment 577475 [details]
Disable sslbypass at build time
Elio, I reviewed the patch in the upstream bug, is that sufficient? Kai, I don't think so. That's because this patch for Fedora disables SSLBYPASS unconditionally whereas the upstream patch requires the package maintainer to setting the build time environment variable to activate the disabling. Thanks for the prompt review on the upstream one. On second thought, for the sake of consistency I should rely on the upstream patch instead. I should submit the upstream one suitably one adapted for 3.13.4 and with the modifications that Kai suggested upstream. It makes life easier. Comment on attachment 577475 [details] Disable sslbypass at build time (In reply to comment #8) > for the sake of consistency I should rely on the upstream patch instead I understand this patch is now obsolete. Created attachment 584430 [details]
Disable ssl pkcs11 bypass at build time and preserve ABI
Submitting for upstream review as well.
Comment on attachment 584430 [details]
Disable ssl pkcs11 bypass at build time and preserve ABI
Cancelling the request for review due to upstream feedback.
After modifications and expansion the patch has been approved and committed upstream for nss-3.14. Created attachment 594623 [details]
Disable ssl pkcs #11 bypass at buitime
This is a backport to nss-3.13.5 of the changes committed upstream for nss-3.14.
Requires adding 'export NSS_NO_PKCS11_BYPASS=1' to the %build section of nss.spec for it to take effect as the default is to allow bypass to occur as before.
Created attachment 594787 [details]
Disable ssl pkcs #11 bypass at buildtime
Follows the upstream one a bit more closely.
Comment on attachment 594787 [details]
Disable ssl pkcs #11 bypass at buildtime
r-
Well this would work, sort of, but rather than
if (bypass) {
#ifndef NO_BYPASS
code
#endif
} else {
I'd like to see
#ifdef NO_BYPASS
if (bypass) {
code
} else
#endif
{
Bob, please make those comments also in the bug https://bugzilla.mozilla.org/show_bug.cgi?id=745281 The multicolor explanation on a whiteboard of the three styles was very clear and to the point. The upstram bug https://bugzilla.mozilla.org/show_bug.cgi?id=745281 was fixed in nss-3.14 to which we have rebased nss in fedora. That is the bulck of the work but a small part remains. The upstream fix was to provide the option of disabling SSL PKCS #11 bypass at build time. What remains is mostly for the downstream nss packager maintainer exersize his option. Add to the %build section of the nss.spc file: NSS_NO_PKCS11_BYPASS=1 export NSS_NO_PKCS11_BYPASS Created attachment 641885 [details]
Return failure if caller mistakenly requests bypass at runtime
Besides disabling bypass at buildtime, also protect user from mistajenly trying to enable it via the environment variable. Fedora has never supported bypass so compatibility is not an issue
nss-softokn-3.14-1.fc18, nss-util-3.14-1.fc18, nss-3.14-6.fc18 has been submitted as an update for Fedora 18. https://admin.fedoraproject.org/updates/FEDORA-2012-17351/nss-3.14-6.fc18,nss-softokn-3.14-1.fc18,nss-util-3.14-1.fc18 Package nss-softokn-3.14-1.fc18, nss-util-3.14-1.fc18, nss-3.14-6.fc18: * should fix your issue, * was pushed to the Fedora 18 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing nss-softokn-3.14-1.fc18 nss-util-3.14-1.fc18 nss-3.14-6.fc18' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2012-17351/nss-3.14-6.fc18,nss-softokn-3.14-1.fc18,nss-util-3.14-1.fc18 then log in and leave karma (feedback). Package nss-util-3.14-1.fc18, nss-3.14-7.fc18, nss-softokn-3.14-5.fc18: * should fix your issue, * was pushed to the Fedora 18 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing nss-util-3.14-1.fc18 nss-3.14-7.fc18 nss-softokn-3.14-5.fc18' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2012-17351/nss-3.14-7.fc18,nss-softokn-3.14-5.fc18,nss-util-3.14-1.fc18 then log in and leave karma (feedback). nss-util-3.14-1.fc17,nss-softokn-3.14-5.fc17,nss-3.14-7.fc17 has been submitted as an update for Fedora 17. https://admin.fedoraproject.org/updates/nss-util-3.14-1.fc17,nss-softokn-3.14-5.fc17,nss-3.14-7.fc17 nss-util-3.14-1.fc18, nss-3.14-7.fc18, nss-softokn-3.14-5.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report. nss-util-3.14-1.fc17, nss-softokn-3.14-5.fc17, nss-3.14-7.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report. nss-util-3.14-1.fc16,nss-softokn-3.14-5.fc16,nss-3.14-7.fc16 has been submitted as an update for Fedora 16. https://admin.fedoraproject.org/updates/nss-util-3.14-1.fc16,nss-softokn-3.14-5.fc16,nss-3.14-7.fc16 |