[arch-commits] Commit in nss/trunk (PKGBUILD nss-3.47-certdb-temp-cert.patch)
Jan Steffens
heftig at archlinux.org
Wed Dec 4 14:52:58 UTC 2019
Date: Wednesday, December 4, 2019 @ 14:52:57
Author: heftig
Revision: 370381
3.47.1-5
Modified:
nss/trunk/PKGBUILD
nss/trunk/nss-3.47-certdb-temp-cert.patch
---------------------------------+
PKGBUILD | 4 ++--
nss-3.47-certdb-temp-cert.patch | 29 ++++++++++++++---------------
2 files changed, 16 insertions(+), 17 deletions(-)
Modified: PKGBUILD
===================================================================
--- PKGBUILD 2019-12-04 12:43:52 UTC (rev 370380)
+++ PKGBUILD 2019-12-04 14:52:57 UTC (rev 370381)
@@ -3,7 +3,7 @@
pkgbase=nss
pkgname=(nss ca-certificates-mozilla)
pkgver=3.47.1
-pkgrel=4
+pkgrel=5
pkgdesc="Network Security Services"
url="https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS"
arch=(x86_64)
@@ -15,7 +15,7 @@
nss-3.47-certdb-temp-cert.patch
certdata2pem.py bundle.sh)
sha256sums=('1ae3d1cb1de345b258788f2ef6b10a460068034c3fd64f42427a183d8342a6fb'
- 'd2a0631328883bdee211d02f0748c97d72ef1462f28415e85efcfb0a6d066dd3'
+ 'e4d7c7d6ac8c8cccd5bb23c217402922aafc1c104e46ae17a39f3c13b0e96002'
'0be02cecc27a6e55e1cad1783033b147f502b26f9fb1bb5a53e7a43bbcb68fa0'
'3bfadf722da6773bdabdd25bdf78158648043d1b7e57615574f189a88ca865dd')
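Review bot: The replaced checksum is the second of four entries, so it only lines up with nss-3.47-certdb-temp-cert.patch if exactly one source (the release tarball, not shown in this hunk) precedes the patch in the source array. sha256sums is matched to source by position, so regenerating the whole array with updpkgsums or makepkg -g, rather than editing one line by hand, avoids pinning the new hash to the wrong file. Because the patch is a local file changed in this same revision, the hash only guards against the PKGBUILD and the patch drifting apart; it does not show that the patch content matches the upstream changeset it claims to be.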
Modified: nss-3.47-certdb-temp-cert.patch
===================================================================
--- nss-3.47-certdb-temp-cert.patch 2019-12-04 12:43:52 UTC (rev 370380)
+++ nss-3.47-certdb-temp-cert.patch 2019-12-04 14:52:57 UTC (rev 370381)
@@ -1,20 +1,15 @@
# HG changeset patch
# User Daiki Ueno <dueno at redhat.com>
-# Date 1575381287 -3600
-# Tue Dec 03 14:54:47 2019 +0100
-# Node ID 5ad40d3c760edac96d22b99e4e3e916b74f903fe
+# Date 1575450841 -3600
+# Wed Dec 04 10:14:01 2019 +0100
+# Node ID 017097f0a0eaea1a3d849f3de79475c9bc28fcc2
# Parent d64102b76a437f24d98a20480dcc9f1655143e7c
-Bug 1593167, certdb: prefer perm certs over temp certs when trust is not available
+Bug 1593167, certdb: propagate trust information if trust module is loaded afterwards
Summary:
-When a builtin root module is loaded after some temp certs being
-loaded, our certificate lookup logic preferred those temp certs over
-perm certs stored on the root module. This was a problem because such
-temp certs are usually not accompanied with trust information.
+When the builtin trust module is loaded after some temp certs being created, these temp certs are usually not accompanied by trust information. This causes a problem in Firefox as it loads the module from a separate thread while accessing the network cache which populates temp certs.
-This makes the certificate lookup logic capable of handling such
-situations by checking if the trust information is attached to temp
-certs and otherwise falling back to perm certs.
+This change makes it properly roll up the trust information, if a temp cert doesn't have trust information.
Reviewers: rrelyea, keeler
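Review bot: The header swap from Node ID 5ad40d3c760edac96d22b99e4e3e916b74f903fe to 017097f0a0eaea1a3d849f3de79475c9bc28fcc2 replaces the fix strategy, not just its wording: the old revision made lookup prefer perm certs, the new one propagates trust onto temp certs. The packaging commit message is only "3.47.1-5", so the log does not record that pkgrel 5 ships a different revision of the Bug 1593167 fix. A short comment next to the patch entry in PKGBUILD, naming the bug and whether this revision has landed upstream, would make it clear when the patch can be dropped.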
@@ -29,7 +24,7 @@
diff --git a/lib/pki/pki3hack.c b/lib/pki/pki3hack.c
--- a/lib/pki/pki3hack.c
+++ b/lib/pki/pki3hack.c
-@@ -921,14 +921,24 @@ stan_GetCERTCertificate(NSSCertificate *
+@@ -921,14 +921,28 @@ stan_GetCERTCertificate(NSSCertificate *
}
if (!cc->nssCertificate || forceUpdate) {
fill_CERTCertificateFields(c, cc, forceUpdate);
@@ -49,9 +44,9 @@
+ */
+ trust = nssTrust_GetCERTCertTrustForCert(c, cc);
+ } else {
-+ /* If it's a temp cert, it might have been stored before
-+ * the builtin module is loaded, so look for the trust
-+ * again, but not set the empty trust if not found.
++ /* If it's a temp cert, it might have been stored before the
++ * builtin trust module is loaded, so look for the trust
++ * again, but don't set the empty trust if it is not found.
+ */
+ NSSTrust *t = nssTrustDomain_FindTrustForCertificate(c->object.cryptoContext->td, c);
+ if (!t) {
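Review bot: The lookup on the NSSTrust *t line dereferences c->object.cryptoContext->td, and the condition that selects this else branch is outside the hunk. Confirm that the enclosing if tests c->object.cryptoContext for NULL, so that only certs with a crypto context reach this line. The reworded comment describes the temp-cert case but does not state that invariant; adding it there would help the next reader.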
@@ -58,6 +53,10 @@
+ goto loser;
+ }
+ trust = cert_trust_from_stan_trust(t, cc->arena);
++ nssTrust_Destroy(t);
++ if (!trust) {
++ goto loser;
++ }
+ }
CERT_LockCertTrust(cc);
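Review bot: The added nssTrust_Destroy(t) and the NULL check on trust both sit before CERT_LockCertTrust(cc), so the trust lookup and the allocation from cc->arena run unlocked. The patch header describes the builtin trust module being loaded from a separate thread, so two callers can reach this branch for the same cc at once; confirm that the code following the lock tolerates a second caller, since a trust structure allocated from cc->arena is not freed individually. Both failure paths also jump to loser without distinguishing "no trust found" from "conversion failed"; a one-line comment on the second goto would document that this is intended.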