
Crypto policy configuration files require empty line at end of file

RESOLVED FIXED in 3.29

Status

NSS
Libraries
RESOLVED FIXED
10 months ago
9 months ago

People

(Reporter: Hubert Kario, Assigned: ueno)

Tracking

3.27
3.29

Firefox Tracking Flags

(Not tracked)

Details

Attachments

(1 attachment)

(Reporter)

Description

10 months ago
User Agent: Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:50.0) Gecko/20100101 Firefox/50.0
Build ID: 20161114215630

Steps to reproduce:

Created a crypto-policy file that disallows sha1 signatures:

cat > policy.txt <<EOF
library=
name=Policy
NSS=flags=policyOnly,moduleDB
config="disallow=sha1"
EOF


Actual results:

SHA-1 signatures were still accepted by tstclnt and selfserv.


Expected results:

The policy file should have the same meaning if it includes the empty line at the end of a single section as well as when it excludes it.

IOW, this works as expected:
cat > policy.txt <<EOF
library=
name=Policy
NSS=flags=policyOnly,moduleDB
config="disallow=sha1"

EOF

Updated

10 months ago
Assignee: nobody → dueno

Updated

10 months ago
Status: UNCONFIRMED → NEW
Ever confirmed: true
(Assignee)

Comment 1

10 months ago
Created attachment 8814398 [details] [diff] [review]
proposed patch

This patch changes the pkcs11.txt parser, which is also used for parsing policy files, to recognize the final stanza even if it doesn't end with an empty newline.
Attachment #8814398 - Flags: review?(rrelyea)
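
A simplified model of the behaviour described in Comment 1, added here as an illustration and not taken from the NSS source or the attached patch: a reader that completes a stanza only when it sees a blank line drops the final stanza at end of input, so the `disallow=sha1` policy is never seen. The function name, the `flush_at_eof` switch and the sample strings are assumptions constructed for this example.

```c
#include <stdio.h>
#include <string.h>

/* Model of a blank-line-delimited stanza reader (assumption, not NSS code).
 * flush_at_eof == 0: a stanza counts only once a blank line follows it, so a
 * final stanza without one is dropped (the fail-open case in this report).
 * flush_at_eof == 1: the pending stanza is also accepted at end of input.
 * Returns how many accepted stanzas contain `needle`. */
static int count_stanzas_with(const char *text, const char *needle, int flush_at_eof)
{
    char stanza[1024] = "";
    size_t used = 0;
    int hits = 0;
    const char *p = text;
    while (*p) {
        const char *eol = strchr(p, '\n');
        size_t len = eol ? (size_t)(eol - p) : strlen(p);
        if (len == 0) {                       /* blank line closes the stanza */
            if (used && strstr(stanza, needle)) hits++;
            used = 0;
            stanza[0] = '\0';
        } else if (used + len + 2 < sizeof stanza) {  /* overlong lines skipped */
            memcpy(stanza + used, p, len);
            used += len;
            stanza[used++] = '\n';
            stanza[used] = '\0';
        }
        p += len + (eol ? 1 : 0);
    }
    if (flush_at_eof && used && strstr(stanza, needle)) hits++;
    return hits;
}

/* Constructed inputs mirroring the two policy files in the description. */
static const char POLICY_NO_BLANK[] =
    "library=\nname=Policy\nNSS=flags=policyOnly,moduleDB\n"
    "config=\"disallow=sha1\"\n";
static const char POLICY_WITH_BLANK[] =
    "library=\nname=Policy\nNSS=flags=policyOnly,moduleDB\n"
    "config=\"disallow=sha1\"\n\n";

int main(void)
{
    printf("no flush, no blank line:   %d\n", count_stanzas_with(POLICY_NO_BLANK, "disallow=sha1", 0));
    printf("no flush, with blank line: %d\n", count_stanzas_with(POLICY_WITH_BLANK, "disallow=sha1", 0));
    printf("flush,    no blank line:   %d\n", count_stanzas_with(POLICY_NO_BLANK, "disallow=sha1", 1));
    return 0;
}
```

With NSS versions before the 3.29 fix, ending the policy file with an empty line, as in the reporter's second file, is what gets the stanza applied.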

Comment 2

10 months ago
Comment on attachment 8814398 [details] [diff] [review]
proposed patch

Review of attachment 8814398 [details] [diff] [review]:
-----------------------------------------------------------------

r+ rrelyea
Attachment #8814398 - Flags: review?(rrelyea) → review+

Comment 3

9 months ago
Bob, Daiki,

since Daiki doesn't have commit access yet, either the reviewer must do the commit, or if they don't do it, you must remember to explicitly ask someone with access to do the commit.

Comment 4

9 months ago
try build:
https://treeherder.mozilla.org/#/jobs?repo=nss-try&revision=e6b34c65fe3bab58ea67ae021c480d8c37e5f64d

Comment 5

9 months ago
https://hg.mozilla.org/projects/nss/rev/35ecce237181
Status: NEW → RESOLVED
Last Resolved: 9 months ago
Resolution: --- → FIXED
Target Milestone: --- → 3.29