diff options
author | Alex Dupre <ale@FreeBSD.org> | 2010-06-25 15:36:28 +0000 |
---|---|---|
committer | Alex Dupre <ale@FreeBSD.org> | 2010-06-25 15:36:28 +0000 |
commit | 7a21291cd6bf8e4216b85debc27154ce4bf6b6ed (patch) | |
tree | 261427c4c2ab897bdca51eac80d8d70ab04a80c4 /security | |
parent | f9a10d9ad02ef08c11d5e114368de6a791a1d7cb (diff) | |
download | ports-7a21291cd6bf8e4216b85debc27154ce4bf6b6ed.tar.gz ports-7a21291cd6bf8e4216b85debc27154ce4bf6b6ed.zip |
Fix race condition in sqlite3 backend (Bug#564011).
Approved by: mezz
Feature safe: yes
Notes
Notes:
svn path=/head/; revision=256957
Diffstat (limited to 'security')
-rw-r--r-- | security/nss/Makefile | 2 | ||||
-rw-r--r-- | security/nss/files/patch-lib_softoken_sftkdb.c | 101 |
2 files changed, 98 insertions, 5 deletions
diff --git a/security/nss/Makefile b/security/nss/Makefile index 53acbb37015a..54b047b9fa4f 100644 --- a/security/nss/Makefile +++ b/security/nss/Makefile @@ -7,7 +7,7 @@ PORTNAME= nss PORTVERSION= ${_MAJOR}.${_MINOR}.${_PATCH} -PORTREVISION= 2 +PORTREVISION= 3 CATEGORIES= security MASTER_SITES= ${MASTER_SITE_MOZILLA} MASTER_SITE_SUBDIR= security/nss/releases/NSS_${PORTVERSION:S/./_/g}_RTM/src diff --git a/security/nss/files/patch-lib_softoken_sftkdb.c b/security/nss/files/patch-lib_softoken_sftkdb.c index 494ea115fe83..cb0d02f16346 100644 --- a/security/nss/files/patch-lib_softoken_sftkdb.c +++ b/security/nss/files/patch-lib_softoken_sftkdb.c @@ -1,6 +1,99 @@ ---- lib/softoken/sftkdb.c.orig 2010-05-18 16:12:16.000000000 +0200 -+++ lib/softoken/sftkdb.c 2010-05-18 16:14:37.000000000 +0200 -@@ -766,6 +766,11 @@ +--- lib/softoken/sftkdb.c.orig 2010-06-24 13:58:26.000000000 +0200 ++++ lib/softoken/sftkdb.c 2010-06-24 13:58:37.000000000 +0200 +@@ -509,18 +509,23 @@ + CK_ULONG count) + { + int i; ++ CK_RV crv; + SFTKDBHandle *keyHandle = handle; + SDB *keyTarget = NULL; ++ PRBool usingPeerDB = PR_FALSE; ++ PRBool inPeerDBTransaction = PR_FALSE; + + PORT_Assert(handle); + + if (handle->type != SFTK_KEYDB_TYPE) { + keyHandle = handle->peerDB; ++ usingPeerDB = PR_TRUE; + } + + /* no key DB defined? then no need to sign anything */ + if (keyHandle == NULL) { +- return CKR_OK; ++ crv = CKR_OK; ++ goto loser; + } + + /* When we are in a middle of an update, we have an update database set, +@@ -532,7 +537,17 @@ + + /* skip the the database does not support meta data */ + if ((keyTarget->sdb_flags & SDB_HAS_META) == 0) { +- return CKR_OK; ++ crv = CKR_OK; ++ goto loser; ++ } ++ ++ /* If we had to switch databases, we need to initialize a transaction. */ ++ if (usingPeerDB) { ++ crv = (*keyTarget->sdb_Begin)(keyTarget); ++ if (crv != CKR_OK) { ++ goto loser; ++ } ++ inPeerDBTransaction = PR_TRUE; + } + + for (i=0; i < count; i ++) { +@@ -546,23 +561,44 @@ + PZ_Lock(keyHandle->passwordLock); + if (keyHandle->passwordKey.data == NULL) { + PZ_Unlock(keyHandle->passwordLock); +- return CKR_USER_NOT_LOGGED_IN; ++ crv = CKR_USER_NOT_LOGGED_IN; ++ goto loser; + } + rv = sftkdb_SignAttribute(arena, &keyHandle->passwordKey, + objectID, template[i].type, + &plainText, &signText); + PZ_Unlock(keyHandle->passwordLock); + if (rv != SECSuccess) { +- return CKR_GENERAL_ERROR; /* better error code here? */ ++ crv = CKR_GENERAL_ERROR; /* better error code here? */ ++ goto loser; + } + rv = sftkdb_PutAttributeSignature(handle, keyTarget, + objectID, template[i].type, signText); + if (rv != SECSuccess) { +- return CKR_GENERAL_ERROR; /* better error code here? */ ++ crv = CKR_GENERAL_ERROR; /* better error code here? */ ++ goto loser; + } + } + } +- return CKR_OK; ++ crv = CKR_OK; ++ ++ /* If necessary, commit the transaction */ ++ if (inPeerDBTransaction) { ++ crv = (*keyTarget->sdb_Commit)(keyTarget); ++ if (crv != CKR_OK) { ++ goto loser; ++ } ++ inPeerDBTransaction = PR_FALSE; ++ } ++ ++loser: ++ if (inPeerDBTransaction) { ++ /* The transaction must have failed. Abort. */ ++ (*keyTarget->sdb_Abort)(keyTarget); ++ PORT_Assert(crv != CKR_OK); ++ if (crv == CKR_OK) crv = CKR_GENERAL_ERROR; ++ } ++ return crv; + } + + static CK_RV +@@ -766,6 +802,11 @@ if (attr == NULL) { return CKR_TEMPLATE_INCOMPLETE; } @@ -12,7 +105,7 @@ findTemplate[1] = *attr; count = 2; break; -@@ -827,6 +832,11 @@ +@@ -827,6 +868,11 @@ } crv = sftkdb_getFindTemplate(objectType, objTypeData, findTemplate, &count, ptemplate, len); |