rpms/mod_nss/F-9 mod_nss-fips.patch,1.1,1.2 mod_nss.spec,1.11,1.12

Robert Crittenden (rcritten) fedora-extras-commits at redhat.com
Wed Jul 2 14:28:01 UTC 2008


Author: rcritten

Update of /cvs/extras/rpms/mod_nss/F-9
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv18502

Modified Files:
	mod_nss-fips.patch mod_nss.spec 
Log Message:
Update the patch for FIPS to include fixes for nss_pcache, enforce
the security policy and properly initialize the FIPS token.


mod_nss-fips.patch:

Index: mod_nss-fips.patch
===================================================================
RCS file: /cvs/extras/rpms/mod_nss/F-9/mod_nss-fips.patch,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- mod_nss-fips.patch	30 Jun 2008 19:46:45 -0000	1.1
+++ mod_nss-fips.patch	2 Jul 2008 14:27:28 -0000	1.2
@@ -1,5 +1,5 @@
---- mod_nss-1.0-orig/nss_engine_pphrase.c        22 Feb 2007 16:50:14 -0000      1.10
-+++ mod_nss-1.0/nss_engine_pphrase.c        16 May 2008 15:16:02 -0000      1.11
+--- mod_nss-1.0-orig/nss_engine_pphrase.c        7 Apr 2006 20:17:12 -0000       1.5
++++ mod_nss-1.0/nss_engine_pphrase.c        2 Jul 2008 03:41:05 -0000
 @@ -62,6 +62,13 @@
      {
          PK11SlotInfo *slot = listEntry->slot;
@@ -14,4 +14,62 @@
          if (PK11_NeedLogin(slot) && PK11_NeedUserInit(slot)) {
              if (slot == PK11_GetInternalKeySlot()) {
                  ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
+@@ -298,7 +305,12 @@
+             fprintf(output, "non-alphabetic characters\n");
+             continue; 
+         }
+-        return (char*) PORT_Strdup((char*)phrase);
++        if (PK11_IsFIPS() && strlen(phrase) == 0) {
++            ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL,
++                "The FIPS security policy requires that a password be set.");
++            nss_die();
++        } else
++            return (char*) PORT_Strdup((char*)phrase);
+     }
+ }
+ 
+--- mod_nss-1.0-orig/nss_pcache.c        18 Nov 2005 16:10:23 -0000      1.8
++++ mod_nss-1.0/nss_pcache.c        2 Jul 2008 03:41:05 -0000
+@@ -378,7 +378,6 @@
+                 if (tokenName && tokenpw) {
+                     node = (Node*)malloc(sizeof (Node));
+                     if (!node) { err = PIN_NOMEMORY; }
+-
+                     node->tokenName = strdup(tokenName);
+                     node->store = 0; 
+                     node->next = 0; 
+@@ -410,7 +409,10 @@
+                 for (node = pinList; node != NULL; node = node->next) {
+                     if (!strcmp(node->tokenName, tokenName)) {
+                         if (Pk11StoreGetPin(&pin, node->store) == SECSuccess) {
+-                            PR_Write(out, pin, strlen(pin));
++                            if (strlen(pin) == 0)
++                                PR_Write(out, "", 1);
++                            else
++                                PR_Write(out, pin, strlen(pin));
+                             memset(pin, 0, strlen(pin));
+                             free(pin);
+                             found = PR_TRUE;
+@@ -452,7 +454,7 @@
+     while (*s) {
+         if (*s == '\t' || *peek == '\0') {
+             if (i == el) {
+-                if (*peek != '\0')
++                if (*peek != '\0' || *s == '\t')
+                     *s = '\0';
+                 r = strdup(t);
+                 free(work);
+--- mod_nss-1.0.7-orig/nss_engine_init.c     2008-07-02 19:22:11.000000000 -0400
++++ mod_nss-1.0.7/nss_engine_init.c        2008-07-02 19:12:01.000000000 -0400
+@@ -148,9 +148,8 @@
+     const char * ocspurl = NULL;
+     const char * ocspname = NULL;
+ 
+-    sc = mySrvConfig(base_server);
+-
+     for (s = base_server; s; s = s->next) {
++        sc = mySrvConfig(s);
+         if (sc->fips == TRUE) {
+             fipsenabled = TRUE;
+         }
 
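Review bot: In the embedded nss_pcache.c hunk at -378, the allocation-failure branch only sets `err = PIN_NOMEMORY`, and execution still reaches `node->tokenName = strdup(tokenName);`, so a failed malloc is dereferenced. This revision only removes the blank line between the two statements. The field assignments should run only when `node` is non-NULL, for example by wrapping them in `if (node) { ... }` or leaving the branch once `err` is set, and the `strdup` result deserves the same check. In the -410 hunk the PIN is cleared with `memset(pin, 0, strlen(pin));` immediately before `free(pin)`, a pattern a compiler may elide as a dead store, and neither `PR_Write` return value is checked; a wipe that cannot be optimised away would be safer for a credential. The enclosing functions start and end outside the patch context, so the exact placement of the guard needs confirming against the full file.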


Index: mod_nss.spec
===================================================================
RCS file: /cvs/extras/rpms/mod_nss/F-9/mod_nss.spec,v
retrieving revision 1.11
retrieving revision 1.12
diff -u -r1.11 -r1.12
--- mod_nss.spec	30 Jun 2008 19:46:45 -0000	1.11
+++ mod_nss.spec	2 Jul 2008 14:27:28 -0000	1.12
@@ -1,6 +1,6 @@
 Name: mod_nss
 Version: 1.0.7
-Release: 6%{?dist}
+Release: 7%{?dist}
 Summary: SSL/TLS module for the Apache HTTP server
 Group: System Environment/Daemons
 License: Apache Software License
@@ -114,6 +114,10 @@
 %{_sbindir}/gencert
 
 %changelog
+* Wed Jul  2 2008 Rob Crittenden <rcritten at redhat.com> - 1.0.7-7
+- Update the patch for FIPS to include fixes for nss_pcache, enforce
+  the security policy and properly initialize the FIPS token.
+
 * Mon Jun 30 2008 Rob Crittenden <rcritten at redhat.com> - 1.0.7-6
 - Include patch to fix NSSFIPS (446851)
 



