--- mod_nss-1.0-orig/nss_engine_pphrase.c 7 Apr 2006 20:17:12 -0000 1.5
+++ mod_nss-1.0/nss_engine_pphrase.c 2 Jul 2008 03:41:05 -0000
@@ -62,6 +62,13 @@
{
PK11SlotInfo *slot = listEntry->slot;
+ /* This is needed to work around a bug in NSS while in FIPS mode.
+ * The first login will succeed but NSS_Shutdown() isn't cleaning
+ * something up causing subsequent logins to be skipped making
+ * keys and certs unavailable.
+ */
+ PK11_Logout(slot);
+
if (PK11_NeedLogin(slot) && PK11_NeedUserInit(slot)) {
if (slot == PK11_GetInternalKeySlot()) {
ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
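Review bot: The added `PK11_Logout(slot)` runs for every slot in every mode and discards its return status, although the comment describes an NSS bug seen only in FIPS mode. If the workaround is only needed there, `if (PK11_IsFIPS()) PK11_Logout(slot);` would leave non-FIPS startup unchanged. Either way, a failed logout is worth logging, since the comment says a skipped login leaves keys and certs unavailable. The comment would also be easier to retire later if it named the affected NSS version or bug reference. The enclosing function starts and ends outside the hunk.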
@@ -298,7 +305,12 @@
fprintf(output, "non-alphabetic characters\n");
continue;
}
- return (char*) PORT_Strdup((char*)phrase);
+ if (PK11_IsFIPS() && strlen(phrase) == 0) {
+ ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL,
+ "The FIPS security policy requires that a password be set.");
+ nss_die();
+ } else
+ return (char*) PORT_Strdup((char*)phrase);
}
}
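Review bot: The new test calls `strlen(phrase)` on the uncast buffer, while the return line just below casts it with `(char*)phrase`, which suggests `phrase` is not declared as plain `char *` (its declaration is outside the hunk). `if (PK11_IsFIPS() && phrase[0] == '\0') {` avoids both the pointer-type mismatch and the scan. The `else` is unbraced beside a braced `if`; bracing it, or dropping it if `nss_die()` never returns, would keep a later edit from detaching the `return`. Unlike the non-alphabetic check just above, which re-prompts with `continue`, an empty passphrase here terminates the server, so a short comment stating that this is intended would help.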
--- mod_nss-1.0-orig/nss_pcache.c 18 Nov 2005 16:10:23 -0000 1.8
+++ mod_nss-1.0/nss_pcache.c 2 Jul 2008 03:41:05 -0000
@@ -378,7 +378,6 @@
if (tokenName && tokenpw) {
node = (Node*)malloc(sizeof (Node));
if (!node) { err = PIN_NOMEMORY; }
-
node->tokenName = strdup(tokenName);
node->store = 0;
node->next = 0;
@@ -410,7 +409,10 @@
for (node = pinList; node != NULL; node = node->next) {
if (!strcmp(node->tokenName, tokenName)) {
if (Pk11StoreGetPin(&pin, node->store) == SECSuccess) {
- PR_Write(out, pin, strlen(pin));
+ if (strlen(pin) == 0)
+ PR_Write(out, "", 1);
+ else
+ PR_Write(out, pin, strlen(pin));
memset(pin, 0, strlen(pin));
free(pin);
found = PR_TRUE;
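Review bot: The empty-PIN branch sends a single NUL byte as an implicit protocol marker, and neither `PR_Write` call checks its result, so a failed or short write of the PIN goes unnoticed by this side. A comment such as `/* empty PIN: send one NUL byte so the reader still receives a reply */` would document the marker, assuming that is the intent; the reader is not visible here. `strlen(pin)` is now evaluated up to three times before the buffer is cleared; computing it once into a local and reusing it for the write and the `memset` keeps the length that is sent and the length that is wiped identical. The loop body continues outside the hunk.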
@@ -452,7 +454,7 @@
while (*s) {
if (*s == '\t' || *peek == '\0') {
if (i == el) {
- if (*peek != '\0')
+ if (*peek != '\0' || *s == '\t')
*s = '\0';
r = strdup(t);
free(work);
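Review bot: Inside the outer test `*s == '\t' || *peek == '\0'`, the new condition `*peek != '\0' || *s == '\t'` is true exactly when `*s == '\t'`, so it can be written as `if (*s == '\t')`. That form also states the intent directly: cut the field at the tab, including a tab that is the last character of the input, which looks like the case this change fixes. A one-line comment saying so would help, because the handling of a trailing empty field is easy to break again. The result of `strdup(t)` is not checked in the visible lines; the function continues outside the hunk.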
--- mod_nss-1.0.7-orig/nss_engine_init.c 2008-07-02 19:22:11.000000000 -0400
+++ mod_nss-1.0.7/nss_engine_init.c 2008-07-02 19:12:01.000000000 -0400
@@ -148,9 +148,8 @@
const char * ocspurl = NULL;
const char * ocspname = NULL;
- sc = mySrvConfig(base_server);
-
for (s = base_server; s; s = s->next) {
+ sc = mySrvConfig(s);
if (sc->fips == TRUE) {
fipsenabled = TRUE;
}
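Review bot: Moving `sc = mySrvConfig(s)` into the loop leaves `sc` pointing at the last server's configuration once the loop ends, where it previously always held the base server's. If any code later in this function (outside the hunk) still reads `sc` expecting the base server, it will now see a virtual host's settings. Either add `sc = mySrvConfig(base_server);` after the loop or use a loop-local variable for the per-server lookup. A short comment on the loop, e.g. `/* FIPS is enabled if any server, including a virtual host, requests it */`, would record why every server is now checked.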