- Fix rhbz#230545, failure to enable FIPS mode

- Fix rhbz#220542, make NSS more tolerant of resets when in the middle of prompting for a user password.
2007-03-02 18:53:44 +00:00 · 2007-03-02 18:53:44 +00:00 · 7d533dae82
commit 7d533dae82
parent 7f17142907
2 changed files with 99 additions and 9 deletions
--- a/nss-smartcard-auth.patch
+++ b/nss-smartcard-auth.patch
@ -0,0 +1,83 @@
+Index: mozilla/security/nss/lib/pk11wrap/pk11auth.c
+===================================================================
+RCS file: /cvsroot/mozilla/security/nss/lib/pk11wrap/pk11auth.c,v
+retrieving revision 1.5
+diff -u -r1.5 pk11auth.c
+--- mozilla/security/nss/lib/pk11wrap/pk11auth.c	29 Sep 2005 23:44:39 -0000	1.5
+++ mozilla/security/nss/lib/pk11wrap/pk11auth.c	12 Jan 2007 01:23:20 -0000
+@@ -84,6 +84,8 @@
+     CK_RV crv;
+     SECStatus rv;
+     int64 currtime = PR_Now();
+    PRBool mustRetry;
+    int retry = 0;
+ 
+     if (slot->protectedAuthPath) {
+ 	len = 0;
+@@ -95,27 +97,46 @@
+ 	len = PORT_Strlen(pw);
+     }
+ 
+-    PK11_EnterSlotMonitor(slot);
+-    crv = PK11_GETTAB(slot)->C_Login(slot->session,CKU_USER,
+    do {
+	PK11_EnterSlotMonitor(slot);
+	crv = PK11_GETTAB(slot)->C_Login(slot->session,CKU_USER,
+ 						(unsigned char *)pw,len);
+-    slot->lastLoginCheck = 0;
+-    PK11_ExitSlotMonitor(slot);
+-    switch (crv) {
+-    /* if we're already logged in, we're good to go */
+-    case CKR_OK:
+-	slot->authTransact = PK11_Global.transaction;
+-    case CKR_USER_ALREADY_LOGGED_IN:
+-	slot->authTime = currtime;
+-	rv = SECSuccess;
+-	break;
+-    case CKR_PIN_INCORRECT:
+-	PORT_SetError(SEC_ERROR_BAD_PASSWORD);
+-	rv = SECWouldBlock; /* everything else is ok, only the pin is bad */
+-	break;
+-    default:
+-	PORT_SetError(PK11_MapError(crv));
+-	rv = SECFailure; /* some failure we can't fix by retrying */
+-    }
+	slot->lastLoginCheck = 0;
+	mustRetry = PR_FALSE;
+	PK11_ExitSlotMonitor(slot);
+	switch (crv) {
+	/* if we're already logged in, we're good to go */
+	case CKR_OK:
+	    slot->authTransact = PK11_Global.transaction;
+	case CKR_USER_ALREADY_LOGGED_IN:
+	    slot->authTime = currtime;
+	    rv = SECSuccess;
+	    break;
+	case CKR_PIN_INCORRECT:
+	    PORT_SetError(SEC_ERROR_BAD_PASSWORD);
+	    rv = SECWouldBlock; /* everything else is ok, only the pin is bad */
+	    break;
+	/* someone called reset while we fetched the password, try again once
+	 * if the token is still there. */
+	case CKR_SESSION_HANDLE_INVALID:
+	case CKR_SESSION_CLOSED:
+	    if (retry++ == 0) {
+		rv = PK11_InitToken(slot,PR_FALSE);
+		if (rv == SECSuccess) {
+		    if (slot->session != CK_INVALID_SESSION) {
+			mustRetry = PR_TRUE;
+		    } else {
+			PORT_SetError(PK11_MapError(crv));
+			rv = SECFailure;
+		    }
+		}
+		break;
+	    }
+	default:
+		PORT_SetError(PK11_MapError(crv));
+		rv = SECFailure; /* some failure we can't fix by retrying */
+	}
+    } while (mustRetry);
+     return rv;
+ }
+ 
--- a/nss.spec
+++ b/nss.spec
@ -4,7 +4,7 @@
 Summary:          Network Security Services
 Name:             nss
 Version:          3.11.5
-Release:          1%{?dist}
+Release:          2%{?dist}
 License:          MPL/GPL/LGPL
 URL:              http://www.mozilla.org/projects/security/pki/nss/
 Group:            System Environment/Libraries
@ -25,6 +25,7 @@ Source5:          blank-secmod.db
 Source6:	  nss-clobber.sh

 Patch1:           nss-no-rpath.patch
+Patch2:           nss-smartcard-auth.patch

 %description
 Network Security Services (NSS) is a set of libraries designed to
@ -76,6 +77,7 @@ low level services.
 %setup -q
 sh %{SOURCE6} > /dev/null
 %patch1  -p0
+%patch2 -p0 -b .smartcard-auth.patch

 %build

@ -160,11 +162,9 @@ do
  %{__install} -m 755 mozilla/dist/*.OBJ/lib/$file $RPM_BUILD_ROOT/%{_libdir}
 done

-# Copy the chk files we want
-for file in libsoftokn3.chk libfreebl3.chk
-do
-  %{__install} -m 644 mozilla/dist/*.OBJ/lib/$file $RPM_BUILD_ROOT/%{_libdir}
-done
+# These ghost files will be generated in the post step
+touch $RPM_BUILD_ROOT/%{_libdir}/libsoftokn3.chk
+touch $RPM_BUILD_ROOT/%{_libdir}/libfreebl3.chk

 # Install the empty NSS db files
 %{__mkdir_p} $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb
@ -203,6 +203,8 @@ done

 %post
 /sbin/ldconfig >/dev/null 2>/dev/null
+%{unsupported_tools_directory}/shlibsign -i %{_libdir}/libsoftokn3.so >/dev/null 2>/dev/null
+%{unsupported_tools_directory}/shlibsign -i %{_libdir}/libfreebl3.so >/dev/null 2>/dev/null


 %postun
@ -215,10 +217,11 @@ done
 %{_libdir}/libssl3.so
 %{_libdir}/libsmime3.so
 %{_libdir}/libsoftokn3.so
-%{_libdir}/libsoftokn3.chk
 %{_libdir}/libnssckbi.so
 %{_libdir}/libfreebl3.so
-%{_libdir}/libfreebl3.chk
+%{unsupported_tools_directory}/shlibsign
+%ghost %{_libdir}/libsoftokn3.chk
+%ghost %{_libdir}/libfreebl3.chk
 %dir %{_sysconfdir}/pki/nssdb
 %config(noreplace) %{_sysconfdir}/pki/nssdb/cert8.db
 %config(noreplace) %{_sysconfdir}/pki/nssdb/key3.db
@ -240,7 +243,6 @@ done
 %{unsupported_tools_directory}/ocspclnt
 %{unsupported_tools_directory}/pp
 %{unsupported_tools_directory}/selfserv
-%{unsupported_tools_directory}/shlibsign
 %{unsupported_tools_directory}/strsclnt
 %{unsupported_tools_directory}/symkeyutil
 %{unsupported_tools_directory}/tstclnt
@ -353,6 +355,11 @@ done


 %changelog
+* Fri Mar 02 2007 Kai Engert <kengert@redhat.com> - 3.11.5-2
+- Fix rhbz#230545, failure to enable FIPS mode
+- Fix rhbz#220542, make NSS more tolerant of resets when in the 
+  middle of prompting for a user password.
+
 * Sat Feb 24 2007 Kai Engert <kengert@redhat.com> - 3.11.5-1
 - Update to 3.11.5
 - This update fixes two security vulnerabilities with SSL 2