From 7d533dae8289f740e4faf51a2e857144125748d2 Mon Sep 17 00:00:00 2001 From: Kai Engert Date: Fri, 2 Mar 2007 18:53:44 +0000 Subject: [PATCH] - Fix rhbz#230545, failure to enable FIPS mode - Fix rhbz#220542, make NSS more tolerant of resets when in the middle of prompting for a user password. --- nss-smartcard-auth.patch | 83 ++++++++++++++++++++++++++++++++++++++++ nss.spec | 25 +++++++----- 2 files changed, 99 insertions(+), 9 deletions(-) create mode 100644 nss-smartcard-auth.patch diff --git a/nss-smartcard-auth.patch b/nss-smartcard-auth.patch new file mode 100644 index 0000000..66c4567 --- /dev/null +++ b/nss-smartcard-auth.patch @@ -0,0 +1,83 @@ +Index: mozilla/security/nss/lib/pk11wrap/pk11auth.c +=================================================================== +RCS file: /cvsroot/mozilla/security/nss/lib/pk11wrap/pk11auth.c,v +retrieving revision 1.5 +diff -u -r1.5 pk11auth.c +--- mozilla/security/nss/lib/pk11wrap/pk11auth.c 29 Sep 2005 23:44:39 -0000 1.5 ++++ mozilla/security/nss/lib/pk11wrap/pk11auth.c 12 Jan 2007 01:23:20 -0000 +@@ -84,6 +84,8 @@ + CK_RV crv; + SECStatus rv; + int64 currtime = PR_Now(); ++ PRBool mustRetry; ++ int retry = 0; + + if (slot->protectedAuthPath) { + len = 0; +@@ -95,27 +97,46 @@ + len = PORT_Strlen(pw); + } + +- PK11_EnterSlotMonitor(slot); +- crv = PK11_GETTAB(slot)->C_Login(slot->session,CKU_USER, ++ do { ++ PK11_EnterSlotMonitor(slot); ++ crv = PK11_GETTAB(slot)->C_Login(slot->session,CKU_USER, + (unsigned char *)pw,len); +- slot->lastLoginCheck = 0; +- PK11_ExitSlotMonitor(slot); +- switch (crv) { +- /* if we're already logged in, we're good to go */ +- case CKR_OK: +- slot->authTransact = PK11_Global.transaction; +- case CKR_USER_ALREADY_LOGGED_IN: +- slot->authTime = currtime; +- rv = SECSuccess; +- break; +- case CKR_PIN_INCORRECT: +- PORT_SetError(SEC_ERROR_BAD_PASSWORD); +- rv = SECWouldBlock; /* everything else is ok, only the pin is bad */ +- break; +- default: +- PORT_SetError(PK11_MapError(crv)); +- rv = SECFailure; /* some failure we can't fix by retrying */ +- } ++ slot->lastLoginCheck = 0; ++ mustRetry = PR_FALSE; ++ PK11_ExitSlotMonitor(slot); ++ switch (crv) { ++ /* if we're already logged in, we're good to go */ ++ case CKR_OK: ++ slot->authTransact = PK11_Global.transaction; ++ case CKR_USER_ALREADY_LOGGED_IN: ++ slot->authTime = currtime; ++ rv = SECSuccess; ++ break; ++ case CKR_PIN_INCORRECT: ++ PORT_SetError(SEC_ERROR_BAD_PASSWORD); ++ rv = SECWouldBlock; /* everything else is ok, only the pin is bad */ ++ break; ++ /* someone called reset while we fetched the password, try again once ++ * if the token is still there. */ ++ case CKR_SESSION_HANDLE_INVALID: ++ case CKR_SESSION_CLOSED: ++ if (retry++ == 0) { ++ rv = PK11_InitToken(slot,PR_FALSE); ++ if (rv == SECSuccess) { ++ if (slot->session != CK_INVALID_SESSION) { ++ mustRetry = PR_TRUE; ++ } else { ++ PORT_SetError(PK11_MapError(crv)); ++ rv = SECFailure; ++ } ++ } ++ break; ++ } ++ default: ++ PORT_SetError(PK11_MapError(crv)); ++ rv = SECFailure; /* some failure we can't fix by retrying */ ++ } ++ } while (mustRetry); + return rv; + } + diff --git a/nss.spec b/nss.spec index cb647b5..1901980 100644 --- a/nss.spec +++ b/nss.spec @@ -4,7 +4,7 @@ Summary: Network Security Services Name: nss Version: 3.11.5 -Release: 1%{?dist} +Release: 2%{?dist} License: MPL/GPL/LGPL URL: http://www.mozilla.org/projects/security/pki/nss/ Group: System Environment/Libraries @@ -25,6 +25,7 @@ Source5: blank-secmod.db Source6: nss-clobber.sh Patch1: nss-no-rpath.patch +Patch2: nss-smartcard-auth.patch %description Network Security Services (NSS) is a set of libraries designed to @@ -76,6 +77,7 @@ low level services. %setup -q sh %{SOURCE6} > /dev/null %patch1 -p0 +%patch2 -p0 -b .smartcard-auth.patch %build @@ -160,11 +162,9 @@ do %{__install} -m 755 mozilla/dist/*.OBJ/lib/$file $RPM_BUILD_ROOT/%{_libdir} done -# Copy the chk files we want -for file in libsoftokn3.chk libfreebl3.chk -do - %{__install} -m 644 mozilla/dist/*.OBJ/lib/$file $RPM_BUILD_ROOT/%{_libdir} -done +# These ghost files will be generated in the post step +touch $RPM_BUILD_ROOT/%{_libdir}/libsoftokn3.chk +touch $RPM_BUILD_ROOT/%{_libdir}/libfreebl3.chk # Install the empty NSS db files %{__mkdir_p} $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb @@ -203,6 +203,8 @@ done %post /sbin/ldconfig >/dev/null 2>/dev/null +%{unsupported_tools_directory}/shlibsign -i %{_libdir}/libsoftokn3.so >/dev/null 2>/dev/null +%{unsupported_tools_directory}/shlibsign -i %{_libdir}/libfreebl3.so >/dev/null 2>/dev/null %postun @@ -215,10 +217,11 @@ done %{_libdir}/libssl3.so %{_libdir}/libsmime3.so %{_libdir}/libsoftokn3.so -%{_libdir}/libsoftokn3.chk %{_libdir}/libnssckbi.so %{_libdir}/libfreebl3.so -%{_libdir}/libfreebl3.chk +%{unsupported_tools_directory}/shlibsign +%ghost %{_libdir}/libsoftokn3.chk +%ghost %{_libdir}/libfreebl3.chk %dir %{_sysconfdir}/pki/nssdb %config(noreplace) %{_sysconfdir}/pki/nssdb/cert8.db %config(noreplace) %{_sysconfdir}/pki/nssdb/key3.db @@ -240,7 +243,6 @@ done %{unsupported_tools_directory}/ocspclnt %{unsupported_tools_directory}/pp %{unsupported_tools_directory}/selfserv -%{unsupported_tools_directory}/shlibsign %{unsupported_tools_directory}/strsclnt %{unsupported_tools_directory}/symkeyutil %{unsupported_tools_directory}/tstclnt @@ -353,6 +355,11 @@ done %changelog +* Fri Mar 02 2007 Kai Engert - 3.11.5-2 +- Fix rhbz#230545, failure to enable FIPS mode +- Fix rhbz#220542, make NSS more tolerant of resets when in the + middle of prompting for a user password. + * Sat Feb 24 2007 Kai Engert - 3.11.5-1 - Update to 3.11.5 - This update fixes two security vulnerabilities with SSL 2