From 6323f67e20cbea31b829c1819b9a7a24496f6282 Mon Sep 17 00:00:00 2001 From: "Jan F. Chadima" Date: Fri, 27 Nov 2009 13:22:15 +0000 Subject: [PATCH] Prepare NSS key patch for future SEC_ERROR_LOCKED_PASSWORD --- openssh-5.3p1-nss-keys.patch | 58 +++++++++++++++++++----------------- openssh.spec | 5 +++- 2 files changed, 34 insertions(+), 29 deletions(-) diff --git a/openssh-5.3p1-nss-keys.patch b/openssh-5.3p1-nss-keys.patch index bd9156c..1bb4376 100644 --- a/openssh-5.3p1-nss-keys.patch +++ b/openssh-5.3p1-nss-keys.patch @@ -1,6 +1,6 @@ diff -up openssh-5.3p1/authfd.c.nss-keys openssh-5.3p1/authfd.c --- openssh-5.3p1/authfd.c.nss-keys 2006-09-01 07:38:36.000000000 +0200 -+++ openssh-5.3p1/authfd.c 2009-11-24 14:18:12.000000000 +0100 ++++ openssh-5.3p1/authfd.c 2009-11-27 13:43:00.000000000 +0100 @@ -626,6 +626,45 @@ ssh_update_card(AuthenticationConnection return decode_reply(type); } @@ -49,7 +49,7 @@ diff -up openssh-5.3p1/authfd.c.nss-keys openssh-5.3p1/authfd.c * by normal applications. diff -up openssh-5.3p1/authfd.h.nss-keys openssh-5.3p1/authfd.h --- openssh-5.3p1/authfd.h.nss-keys 2006-08-05 04:39:39.000000000 +0200 -+++ openssh-5.3p1/authfd.h 2009-11-24 14:18:12.000000000 +0100 ++++ openssh-5.3p1/authfd.h 2009-11-27 13:43:01.000000000 +0100 @@ -49,6 +49,12 @@ #define SSH2_AGENTC_ADD_ID_CONSTRAINED 25 #define SSH_AGENTC_ADD_SMARTCARD_KEY_CONSTRAINED 26 
@@ -73,9 +73,9 @@ diff -up openssh-5.3p1/authfd.h.nss-keys openssh-5.3p1/authfd.h int ssh_decrypt_challenge(AuthenticationConnection *, Key *, BIGNUM *, u_char[16], diff -up openssh-5.3p1/configure.ac.nss-keys openssh-5.3p1/configure.ac ---- openssh-5.3p1/configure.ac.nss-keys 2009-11-24 14:18:05.000000000 +0100 -+++ openssh-5.3p1/configure.ac 2009-11-24 14:18:12.000000000 +0100 -@@ -3526,6 +3526,20 @@ AC_ARG_WITH(kerberos5, +--- openssh-5.3p1/configure.ac.nss-keys 2009-11-27 13:42:57.000000000 +0100 ++++ openssh-5.3p1/configure.ac 2009-11-27 13:48:44.000000000 +0100 +@@ -3526,6 +3526,21 @@ AC_ARG_WITH(kerberos5, ] ) @@ -89,6 +89,7 @@ diff -up openssh-5.3p1/configure.ac.nss-keys openssh-5.3p1/configure.ac + CPPFLAGS="$CPPFLAGS -I/usr/include/nss3 -I/usr/include/nspr4" + AC_CHECK_HEADERS(pk11pub.h) + LIBS="$LIBS -lnss3" ++ AC_CHECK_DECLS([SEC_ERROR_LOCKED_PASSWORD], [], [], [#include ]) + fi + ]) +AC_SUBST(LIBNSS) @@ -96,7 +97,7 @@ diff -up openssh-5.3p1/configure.ac.nss-keys openssh-5.3p1/configure.ac # Looking for programs, paths and files PRIVSEP_PATH=/var/empty -@@ -4253,6 +4267,7 @@ echo " TCP Wrappers support +@@ -4253,6 +4269,7 @@ echo " TCP Wrappers support echo " MD5 password support: $MD5_MSG" echo " libedit support: $LIBEDIT_MSG" echo " Solaris process contract support: $SPC_MSG" @@ -106,7 +107,7 @@ diff -up openssh-5.3p1/configure.ac.nss-keys openssh-5.3p1/configure.ac echo " BSD Auth support: $BSD_AUTH_MSG" diff -up openssh-5.3p1/key.c.nss-keys openssh-5.3p1/key.c --- openssh-5.3p1/key.c.nss-keys 2008-11-03 09:24:17.000000000 +0100 -+++ openssh-5.3p1/key.c 2009-11-24 14:18:12.000000000 +0100 ++++ openssh-5.3p1/key.c 2009-11-27 13:43:01.000000000 +0100 @@ -96,6 +96,54 @@ key_new(int type) return k; } 
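Review bot: The `AC_CHECK_DECLS([SEC_ERROR_LOCKED_PASSWORD], ...)` line added in the configure.ac hunk defines `HAVE_DECL_SEC_ERROR_LOCKED_PASSWORD` (always, as 0 or 1), but the nsskeys.c hunk later in this patch tests `#if HAVE_SEC_ERROR_LOCKED_PASSWORD`, a name nothing visible in this commit defines. As written that guard evaluates to 0, so the locked-passphrase case is never compiled, even against an NSS that declares the constant. The guard in nsskeys.c should read `#if HAVE_DECL_SEC_ERROR_LOCKED_PASSWORD`. The includes argument also appears on this page as `[#include ]` with no header name; if that is what the file contains rather than a rendering loss, the probe cannot succeed and should name the NSS header that declares the error codes (presumably `secerr.h`).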
@@ -184,7 +185,7 @@ diff -up openssh-5.3p1/key.c.nss-keys openssh-5.3p1/key.c diff -up openssh-5.3p1/key.h.nss-keys openssh-5.3p1/key.h --- openssh-5.3p1/key.h.nss-keys 2008-06-12 20:40:35.000000000 +0200 -+++ openssh-5.3p1/key.h 2009-11-24 14:18:12.000000000 +0100 ++++ openssh-5.3p1/key.h 2009-11-27 13:43:01.000000000 +0100 @@ -29,11 +29,17 @@ #include #include @@ -236,7 +237,7 @@ diff -up openssh-5.3p1/key.h.nss-keys openssh-5.3p1/key.h int key_equal(const Key *, const Key *); diff -up openssh-5.3p1/Makefile.in.nss-keys openssh-5.3p1/Makefile.in --- openssh-5.3p1/Makefile.in.nss-keys 2009-08-28 02:47:38.000000000 +0200 -+++ openssh-5.3p1/Makefile.in 2009-11-24 14:18:12.000000000 +0100 ++++ openssh-5.3p1/Makefile.in 2009-11-27 13:43:01.000000000 +0100 @@ -71,7 +71,7 @@ LIBSSH_OBJS=acss.o authfd.o authfile.o b atomicio.o key.o dispatch.o kex.o mac.o uidswap.o uuencode.o misc.o \ monitor_fdpass.o rijndael.o ssh-dss.o ssh-rsa.o dh.o kexdh.o \ @@ -247,9 +248,9 @@ diff -up openssh-5.3p1/Makefile.in.nss-keys openssh-5.3p1/Makefile.in SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \ sshconnect.o sshconnect1.o sshconnect2.o mux.o \ diff -up /dev/null openssh-5.3p1/nsskeys.c ---- /dev/null 2009-11-18 14:38:34.628561123 +0100 -+++ openssh-5.3p1/nsskeys.c 2009-11-24 14:30:23.000000000 +0100 -@@ -0,0 +1,442 @@ +--- /dev/null 2009-11-27 11:08:21.619709673 +0100 ++++ openssh-5.3p1/nsskeys.c 2009-11-27 13:45:42.000000000 +0100 +@@ -0,0 +1,443 @@ +/* + * Copyright (c) 2001 Markus Friedl. All rights reserved. + * Copyright (c) 2007 Red Hat, Inc. All rights reserved. 
@@ -531,11 +532,12 @@ diff -up /dev/null openssh-5.3p1/nsskeys.c + case SEC_ERROR_BAD_DATA: + debug2("Invalid passphrase, try again..."); + break; -+//This nss error is currently undefined -+// case SEC_ERROR_LOCKED_PASSWORD: -+// error("Unable to authenticate, token passphrase is locked"); -+// quit = 1; -+// break; ++#if HAVE_SEC_ERROR_LOCKED_PASSWORD ++ case SEC_ERROR_LOCKED_PASSWORD: ++ error("Unable to authenticate, token passphrase is locked"); ++ quit = 1; ++ break; ++#endif + default: + error("Failure while authenticating against token"); + quit = 1; @@ -693,8 +695,8 @@ diff -up /dev/null openssh-5.3p1/nsskeys.c + +#endif /* HAVE_LIBNSS */ diff -up /dev/null openssh-5.3p1/nsskeys.h ---- /dev/null 2009-11-18 14:38:34.628561123 +0100 -+++ openssh-5.3p1/nsskeys.h 2009-11-24 14:18:13.000000000 +0100 +--- /dev/null 2009-11-27 11:08:21.619709673 +0100 ++++ openssh-5.3p1/nsskeys.h 2009-11-27 13:43:01.000000000 +0100 @@ -0,0 +1,39 @@ +/* + * Copyright (c) 2001 Markus Friedl. All rights reserved. @@ -737,7 +739,7 @@ diff -up /dev/null openssh-5.3p1/nsskeys.h +#endif diff -up openssh-5.3p1/readconf.c.nss-keys openssh-5.3p1/readconf.c --- openssh-5.3p1/readconf.c.nss-keys 2009-07-05 23:12:27.000000000 +0200 -+++ openssh-5.3p1/readconf.c 2009-11-24 14:18:13.000000000 +0100 ++++ openssh-5.3p1/readconf.c 2009-11-27 13:43:01.000000000 +0100 @@ -124,6 +124,7 @@ typedef enum { oKbdInteractiveAuthentication, oKbdInteractiveDevices, oHostKeyAlias, oDynamicForward, oPreferredAuthentications, oHostbasedAuthentication, @@ -812,7 +814,7 @@ diff -up openssh-5.3p1/readconf.c.nss-keys openssh-5.3p1/readconf.c if (options->rekey_limit == -1) diff -up openssh-5.3p1/readconf.h.nss-keys openssh-5.3p1/readconf.h --- openssh-5.3p1/readconf.h.nss-keys 2009-07-05 23:12:27.000000000 +0200 -+++ openssh-5.3p1/readconf.h 2009-11-24 14:18:13.000000000 +0100 ++++ openssh-5.3p1/readconf.h 2009-11-27 13:43:01.000000000 +0100 
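Review bot: The new `#if HAVE_SEC_ERROR_LOCKED_PASSWORD` guard in the nsskeys.c hunk has no comment, and the deleted `//This nss error is currently undefined` line was the only record of why this case is conditional. I would add `/* SEC_ERROR_LOCKED_PASSWORD is not declared by current NSS headers; configure probes for it */` directly above the `#if`. When the guard is false, a locked token still lands in `default:`, which also sets `quit = 1`, so only the logged diagnostic differs; the comment could say so, so that nobody reads the missing case as a retry path. The enclosing switch starts and ends outside the hunk.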
@@ -85,6 +85,10 @@ typedef struct { char *preferred_authentications; char *bind_address; /* local socket address for connection to sshd */ @@ -826,7 +828,7 @@ diff -up openssh-5.3p1/readconf.h.nss-keys openssh-5.3p1/readconf.h int num_identity_files; /* Number of files for RSA/DSA identities. */ diff -up openssh-5.3p1/ssh-add.c.nss-keys openssh-5.3p1/ssh-add.c --- openssh-5.3p1/ssh-add.c.nss-keys 2008-02-28 09:13:52.000000000 +0100 -+++ openssh-5.3p1/ssh-add.c 2009-11-24 14:18:13.000000000 +0100 ++++ openssh-5.3p1/ssh-add.c 2009-11-27 13:43:01.000000000 +0100 @@ -44,6 +44,14 @@ #include #include "openbsd-compat/openssl-compat.h" @@ -1066,7 +1068,7 @@ diff -up openssh-5.3p1/ssh-add.c.nss-keys openssh-5.3p1/ssh-add.c struct passwd *pw; diff -up openssh-5.3p1/ssh-agent.c.nss-keys openssh-5.3p1/ssh-agent.c --- openssh-5.3p1/ssh-agent.c.nss-keys 2009-06-21 09:50:15.000000000 +0200 -+++ openssh-5.3p1/ssh-agent.c 2009-11-24 14:18:13.000000000 +0100 ++++ openssh-5.3p1/ssh-agent.c 2009-11-27 13:43:01.000000000 +0100 @@ -80,6 +80,10 @@ #include "scard.h" #endif @@ -1211,7 +1213,7 @@ diff -up openssh-5.3p1/ssh-agent.c.nss-keys openssh-5.3p1/ssh-agent.c error("Unknown message %d", type); diff -up openssh-5.3p1/ssh.c.nss-keys openssh-5.3p1/ssh.c --- openssh-5.3p1/ssh.c.nss-keys 2009-07-05 23:16:56.000000000 +0200 -+++ openssh-5.3p1/ssh.c 2009-11-24 14:18:13.000000000 +0100 ++++ openssh-5.3p1/ssh.c 2009-11-27 13:43:01.000000000 +0100 @@ -105,6 +105,9 @@ #ifdef SMARTCARD #include "scard.h" @@ -1267,7 +1269,7 @@ diff -up openssh-5.3p1/ssh.c.nss-keys openssh-5.3p1/ssh.c pwname = xstrdup(pw->pw_name); diff -up openssh-5.3p1/ssh-dss.c.nss-keys openssh-5.3p1/ssh-dss.c --- openssh-5.3p1/ssh-dss.c.nss-keys 2006-11-07 13:14:42.000000000 +0100 -+++ openssh-5.3p1/ssh-dss.c 2009-11-24 14:18:13.000000000 +0100 ++++ openssh-5.3p1/ssh-dss.c 2009-11-27 13:43:01.000000000 +0100 @@ -39,6 +39,10 @@ #include "log.h" #include "key.h" 
@@ -1327,7 +1329,7 @@ diff -up openssh-5.3p1/ssh-dss.c.nss-keys openssh-5.3p1/ssh-dss.c *lenp = SIGBLOB_LEN; diff -up openssh-5.3p1/ssh.h.nss-keys openssh-5.3p1/ssh.h --- openssh-5.3p1/ssh.h.nss-keys 2006-08-05 04:39:41.000000000 +0200 -+++ openssh-5.3p1/ssh.h 2009-11-24 14:18:13.000000000 +0100 ++++ openssh-5.3p1/ssh.h 2009-11-27 13:43:01.000000000 +0100 @@ -28,6 +28,12 @@ #define SSH_MAX_IDENTITY_FILES 100 @@ -1343,7 +1345,7 @@ diff -up openssh-5.3p1/ssh.h.nss-keys openssh-5.3p1/ssh.h * some room for options and comments. diff -up openssh-5.3p1/ssh-keygen.c.nss-keys openssh-5.3p1/ssh-keygen.c --- openssh-5.3p1/ssh-keygen.c.nss-keys 2009-06-22 08:11:07.000000000 +0200 -+++ openssh-5.3p1/ssh-keygen.c 2009-11-24 14:18:13.000000000 +0100 ++++ openssh-5.3p1/ssh-keygen.c 2009-11-27 13:43:01.000000000 +0100 @@ -53,6 +53,11 @@ #include "scard.h" #endif @@ -1447,7 +1449,7 @@ diff -up openssh-5.3p1/ssh-keygen.c.nss-keys openssh-5.3p1/ssh-keygen.c if (download) diff -up openssh-5.3p1/ssh-rsa.c.nss-keys openssh-5.3p1/ssh-rsa.c --- openssh-5.3p1/ssh-rsa.c.nss-keys 2006-09-01 07:38:37.000000000 +0200 -+++ openssh-5.3p1/ssh-rsa.c 2009-11-24 14:18:13.000000000 +0100 ++++ openssh-5.3p1/ssh-rsa.c 2009-11-27 13:43:01.000000000 +0100 @@ -32,6 +32,10 @@ #include "compat.h" #include "ssh.h" diff --git a/openssh.spec b/openssh.spec index 14cc65c..78da237 100644 --- a/openssh.spec +++ b/openssh.spec @@ -69,7 +69,7 @@ Summary: An open source implementation of SSH protocol versions 1 and 2 Name: openssh Version: 5.3p1 -Release: 10%{?dist}%{?rescue_rel} +Release: 11%{?dist}%{?rescue_rel} URL: http://www.openssh.com/portable.html #URL1: http://pamsshauth.sourceforge.net #Source0: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz 
@@ -525,6 +525,9 @@ fi %endif %changelog +* Fri Nov 27 2009 Jan F. Chadima - 5.3p1-11 +- Prepare NSS key patch for future SEC_ERROR_LOCKED_PASSWORD (#537411) + * Tue Nov 24 2009 Jan F. Chadima - 5.3p1-10 - Update NSS key patch (#537411, #356451)