[arch-commits] Commit in lib32-nss/trunk (PKGBUILD nss-3.47-certdb-temp-cert.patch)
Jan Steffens
heftig at archlinux.org
Tue Dec 3 15:06:29 UTC 2019
Date: Tuesday, December 3, 2019 @ 15:06:29
Author: heftig
Revision: 534957
3.47.1-4: update temp cert patch
Modified:
lib32-nss/trunk/PKGBUILD
lib32-nss/trunk/nss-3.47-certdb-temp-cert.patch
---------------------------------+
PKGBUILD | 4 +-
nss-3.47-certdb-temp-cert.patch | 61 ++++++++++++++++++++++++++++++++------
2 files changed, 54 insertions(+), 11 deletions(-)
Modified: PKGBUILD
===================================================================
--- PKGBUILD 2019-12-03 14:43:31 UTC (rev 534956)
+++ PKGBUILD 2019-12-03 15:06:29 UTC (rev 534957)
@@ -4,7 +4,7 @@
pkgname=lib32-nss
pkgver=3.47.1
-pkgrel=3
+pkgrel=4
pkgdesc="Network Security Services (32-bit)"
url="https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS"
arch=(x86_64)
@@ -16,7 +16,7 @@
nss-3.47-certdb-temp-cert.patch
no-plt.diff)
sha256sums=('1ae3d1cb1de345b258788f2ef6b10a460068034c3fd64f42427a183d8342a6fb'
- '82d7924d7c3491de04f42c240fef6dd6e80fc5004ab44f55e6f03571d2d02e58'
+ 'd2a0631328883bdee211d02f0748c97d72ef1462f28415e85efcfb0a6d066dd3'
'ea8e1b871c0f1dd29cdea1b1a2e7f47bf4713e2ae7b947ec832dba7dfcc67daa')
prepare() {
Modified: nss-3.47-certdb-temp-cert.patch
===================================================================
--- nss-3.47-certdb-temp-cert.patch 2019-12-03 14:43:31 UTC (rev 534956)
+++ nss-3.47-certdb-temp-cert.patch 2019-12-03 15:06:29 UTC (rev 534957)
@@ -1,7 +1,35 @@
+# HG changeset patch
+# User Daiki Ueno <dueno at redhat.com>
+# Date 1575381287 -3600
+# Tue Dec 03 14:54:47 2019 +0100
+# Node ID 5ad40d3c760edac96d22b99e4e3e916b74f903fe
+# Parent d64102b76a437f24d98a20480dcc9f1655143e7c
+Bug 1593167, certdb: prefer perm certs over temp certs when trust is not available
+
+Summary:
+When a builtin root module is loaded after some temp certs being
+loaded, our certificate lookup logic preferred those temp certs over
+perm certs stored on the root module. This was a problem because such
+temp certs are usually not accompanied with trust information.
+
+This makes the certificate lookup logic capable of handling such
+situations by checking if the trust information is attached to temp
+certs and otherwise falling back to perm certs.
+
+Reviewers: rrelyea, keeler
+
+Reviewed By: rrelyea
+
+Subscribers: reviewbot, heftig
+
+Bug #: 1593167
+
+Differential Revision: https://phabricator.services.mozilla.com/D54726
+
diff --git a/lib/pki/pki3hack.c b/lib/pki/pki3hack.c
--- a/lib/pki/pki3hack.c
+++ b/lib/pki/pki3hack.c
-@@ -921,11 +921,11 @@
+@@ -921,14 +921,24 @@ stan_GetCERTCertificate(NSSCertificate *
}
if (!cc->nssCertificate || forceUpdate) {
fill_CERTCertificateFields(c, cc, forceUpdate);
@@ -10,12 +38,27 @@
- /* if it's a perm cert, it might have been stored before the
- * trust, so look for the trust again. But a temp cert can be
- * ignored.
+- */
+- CERTCertTrust *trust = NULL;
+- trust = nssTrust_GetCERTCertTrustForCert(c, cc);
+ } else if (CERT_GetCertTrust(cc, &certTrust) != SECSuccess) {
-+ /* If it's a perm cert, it might have been stored before the
-+ * trust, so look for the trust again. If it's a temp cert, it
-+ * might have been stored before the builtin module is loaded,
-+ * so still need to look for the trust again.
- */
- CERTCertTrust *trust = NULL;
- trust = nssTrust_GetCERTCertTrustForCert(c, cc);
-
++ CERTCertTrust *trust;
++ if (!c->object.cryptoContext) {
++ /* If it's a perm cert, it might have been stored before the
++ * trust, so look for the trust again.
++ */
++ trust = nssTrust_GetCERTCertTrustForCert(c, cc);
++ } else {
++ /* If it's a temp cert, it might have been stored before
++ * the builtin module is loaded, so look for the trust
++ * again, but not set the empty trust if not found.
++ */
++ NSSTrust *t = nssTrustDomain_FindTrustForCertificate(c->object.cryptoContext->td, c);
++ if (!t) {
++ goto loser;
++ }
++ trust = cert_trust_from_stan_trust(t, cc->arena);
++ }
+
+ CERT_LockCertTrust(cc);
+ cc->trust = trust;
More information about the arch-commits
mailing list