rpms/openssh/F-12 openssh-5.3p1-nss-keys.patch, 1.1, 1.2 openssh.spec, 1.173, 1.174

Jan F. Chadima jfch2222 at fedoraproject.org
Mon Nov 30 10:09:12 UTC 2009


Author: jfch2222

Update of /cvs/pkgs/rpms/openssh/F-12
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv8300

Modified Files:
	openssh-5.3p1-nss-keys.patch openssh.spec 
Log Message:
Update NSS key patch including future SEC_ERROR_LOCKED_PASSWORD


openssh-5.3p1-nss-keys.patch:
 Makefile.in  |    2 
 authfd.c     |   39 +++++
 authfd.h     |    8 +
 configure.ac |   16 ++
 key.c        |   61 ++++++++
 key.h        |   20 ++
 nsskeys.c    |  443 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 nsskeys.h    |   39 +++++
 readconf.c   |   37 ++++
 readconf.h   |    4 
 ssh-add.c    |  181 +++++++++++++++++++++++-
 ssh-agent.c  |  121 ++++++++++++++++
 ssh-dss.c    |   36 ++++
 ssh-keygen.c |   51 ++++++
 ssh-rsa.c    |   42 +++++
 ssh.c        |   30 +++
 ssh.h        |    6 
 17 files changed, 1124 insertions(+), 12 deletions(-)

Index: openssh-5.3p1-nss-keys.patch
===================================================================
RCS file: /cvs/pkgs/rpms/openssh/F-12/openssh-5.3p1-nss-keys.patch,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -p -r1.1 -r1.2
--- openssh-5.3p1-nss-keys.patch	20 Nov 2009 17:01:48 -0000	1.1
+++ openssh-5.3p1-nss-keys.patch	30 Nov 2009 10:09:11 -0000	1.2
@@ -1,6 +1,6 @@
 diff -up openssh-5.3p1/authfd.c.nss-keys openssh-5.3p1/authfd.c
 --- openssh-5.3p1/authfd.c.nss-keys	2006-09-01 07:38:36.000000000 +0200
-+++ openssh-5.3p1/authfd.c	2009-10-02 14:09:01.000000000 +0200
++++ openssh-5.3p1/authfd.c	2009-11-27 13:43:00.000000000 +0100
 @@ -626,6 +626,45 @@ ssh_update_card(AuthenticationConnection
  	return decode_reply(type);
  }
@@ -49,7 +49,7 @@ diff -up openssh-5.3p1/authfd.c.nss-keys
   * by normal applications.
 diff -up openssh-5.3p1/authfd.h.nss-keys openssh-5.3p1/authfd.h
 --- openssh-5.3p1/authfd.h.nss-keys	2006-08-05 04:39:39.000000000 +0200
-+++ openssh-5.3p1/authfd.h	2009-10-02 14:09:01.000000000 +0200
++++ openssh-5.3p1/authfd.h	2009-11-27 13:43:01.000000000 +0100
 @@ -49,6 +49,12 @@
  #define SSH2_AGENTC_ADD_ID_CONSTRAINED		25
  #define SSH_AGENTC_ADD_SMARTCARD_KEY_CONSTRAINED 26
@@ -73,9 +73,9 @@ diff -up openssh-5.3p1/authfd.h.nss-keys
  int
  ssh_decrypt_challenge(AuthenticationConnection *, Key *, BIGNUM *, u_char[16],
 diff -up openssh-5.3p1/configure.ac.nss-keys openssh-5.3p1/configure.ac
---- openssh-5.3p1/configure.ac.nss-keys	2009-10-02 14:09:01.000000000 +0200
-+++ openssh-5.3p1/configure.ac	2009-10-02 14:09:01.000000000 +0200
-@@ -3514,6 +3514,20 @@ AC_ARG_WITH(kerberos5,
+--- openssh-5.3p1/configure.ac.nss-keys	2009-11-27 13:42:57.000000000 +0100
++++ openssh-5.3p1/configure.ac	2009-11-27 13:48:44.000000000 +0100
+@@ -3526,6 +3526,21 @@ AC_ARG_WITH(kerberos5,
  	]
  )
  
@@ -89,6 +89,7 @@ diff -up openssh-5.3p1/configure.ac.nss-
 +		CPPFLAGS="$CPPFLAGS -I/usr/include/nss3 -I/usr/include/nspr4"
 +		AC_CHECK_HEADERS(pk11pub.h)
 +		LIBS="$LIBS -lnss3"
++		AC_CHECK_DECLS([SEC_ERROR_LOCKED_PASSWORD], [], [], [#include <secerr.h>])
 +	fi
 +	])
 +AC_SUBST(LIBNSS)
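Review bot: The name this `AC_CHECK_DECLS` line defines does not match the guard the C code tests: autoconf defines `HAVE_DECL_SEC_ERROR_LOCKED_PASSWORD` (to 1 or 0), whereas the nss_authenticate hunk in nsskeys.c wraps its new case in `#if HAVE_SEC_ERROR_LOCKED_PASSWORD`, a macro nothing defines, so the `SEC_ERROR_LOCKED_PASSWORD` handling is compiled out even when the declaration is found and a locked token falls into the generic `default:` failure. Either change the guard in nsskeys.c to `#if HAVE_DECL_SEC_ERROR_LOCKED_PASSWORD`, or have the check define the name the code expects, e.g. `AC_CHECK_DECLS([SEC_ERROR_LOCKED_PASSWORD], [AC_DEFINE([HAVE_SEC_ERROR_LOCKED_PASSWORD], [1], [NSS has SEC_ERROR_LOCKED_PASSWORD])], [], [#include <secerr.h>])`. The same mismatch applies to the `#if` in the nsskeys.c nss_authenticate hunk, which is not repeated there.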
@@ -96,7 +97,7 @@ diff -up openssh-5.3p1/configure.ac.nss-
  # Looking for programs, paths and files
  
  PRIVSEP_PATH=/var/empty
-@@ -4240,6 +4254,7 @@ echo "              TCP Wrappers support
+@@ -4253,6 +4269,7 @@ echo "              TCP Wrappers support
  echo "              MD5 password support: $MD5_MSG"
  echo "                   libedit support: $LIBEDIT_MSG"
  echo "  Solaris process contract support: $SPC_MSG"
@@ -106,7 +107,7 @@ diff -up openssh-5.3p1/configure.ac.nss-
  echo "                  BSD Auth support: $BSD_AUTH_MSG"
 diff -up openssh-5.3p1/key.c.nss-keys openssh-5.3p1/key.c
 --- openssh-5.3p1/key.c.nss-keys	2008-11-03 09:24:17.000000000 +0100
-+++ openssh-5.3p1/key.c	2009-10-02 14:09:01.000000000 +0200
++++ openssh-5.3p1/key.c	2009-11-27 13:43:01.000000000 +0100
 @@ -96,6 +96,54 @@ key_new(int type)
  	return k;
  }
@@ -184,7 +185,7 @@ diff -up openssh-5.3p1/key.c.nss-keys op
  
 diff -up openssh-5.3p1/key.h.nss-keys openssh-5.3p1/key.h
 --- openssh-5.3p1/key.h.nss-keys	2008-06-12 20:40:35.000000000 +0200
-+++ openssh-5.3p1/key.h	2009-10-02 14:09:01.000000000 +0200
++++ openssh-5.3p1/key.h	2009-11-27 13:43:01.000000000 +0100
 @@ -29,11 +29,17 @@
  #include <openssl/rsa.h>
  #include <openssl/dsa.h>
@@ -236,7 +237,7 @@ diff -up openssh-5.3p1/key.h.nss-keys op
  int		 key_equal(const Key *, const Key *);
 diff -up openssh-5.3p1/Makefile.in.nss-keys openssh-5.3p1/Makefile.in
 --- openssh-5.3p1/Makefile.in.nss-keys	2009-08-28 02:47:38.000000000 +0200
-+++ openssh-5.3p1/Makefile.in	2009-10-02 14:09:53.000000000 +0200
++++ openssh-5.3p1/Makefile.in	2009-11-27 13:43:01.000000000 +0100
 @@ -71,7 +71,7 @@ LIBSSH_OBJS=acss.o authfd.o authfile.o b
  	atomicio.o key.o dispatch.o kex.o mac.o uidswap.o uuencode.o misc.o \
  	monitor_fdpass.o rijndael.o ssh-dss.o ssh-rsa.o dh.o kexdh.o \
@@ -247,12 +248,13 @@ diff -up openssh-5.3p1/Makefile.in.nss-k
  SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \
  	sshconnect.o sshconnect1.o sshconnect2.o mux.o \
 diff -up /dev/null openssh-5.3p1/nsskeys.c
---- /dev/null	2009-09-11 09:35:58.778798825 +0200
-+++ openssh-5.3p1/nsskeys.c	2009-10-02 14:09:01.000000000 +0200
-@@ -0,0 +1,327 @@
+--- /dev/null	2009-11-27 11:08:21.619709673 +0100
++++ openssh-5.3p1/nsskeys.c	2009-11-27 13:45:42.000000000 +0100
+@@ -0,0 +1,443 @@
 +/*
 + * Copyright (c) 2001 Markus Friedl.  All rights reserved.
 + * Copyright (c) 2007 Red Hat, Inc. All rights reserved.
++ * Copyright (c) 2009 Pierre Ossman for Cendio AB
 + *
 + * Redistribution and use in source and binary forms, with or without
 + * modification, are permitted provided that the following conditions
@@ -290,6 +292,8 @@ diff -up /dev/null openssh-5.3p1/nsskeys
 +#include <keyhi.h>
 +#include <pk11pub.h>
 +#include <cert.h>
++#include <secmod.h>
++#include <secerr.h>
 +
 +#include "xmalloc.h"
 +#include "key.h"
@@ -328,8 +332,11 @@ diff -up /dev/null openssh-5.3p1/nsskeys
 +		dbpath = buf;
 +	}
 +
-+	if (NSS_Init(dbpath) != SECSuccess)
-+		return -1;
++	if (NSS_Init(dbpath) != SECSuccess) {
++		debug("Failed to initialize NSS library. Attempting without DB...");
++		if (NSS_NoDB_Init(NULL) != SECSuccess)
++			return -1;
++	}
 +
 +	if (pwfn == NULL) {
 +		pwfn = password_cb;
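Review bot: The fallback to `NSS_NoDB_Init` reports the database failure only at `debug` level, so a user whose NSS database at `dbpath` is unreadable or corrupt silently loses every key stored in it and only keys from separately loaded PKCS#11 modules remain reachable. Logging at a visible level, e.g. `logit("Failed to initialize NSS database '%s', continuing without it", dbpath);`, would make the degraded mode apparent instead of leaving the later "Cannot find key in nss" error as the only symptom. The enclosing nss_init body starts before this hunk.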
@@ -340,6 +347,25 @@ diff -up /dev/null openssh-5.3p1/nsskeys
 +	return 0;
 +}
 +
++int
++nss_load_module(const char *modpath)
++{
++	char spec[MAXPATHLEN + 40];
++	SECMODModule *module;
++
++	debug("loading PKCS#11 module '%s'", modpath);
++
++	snprintf(spec, sizeof(spec), "library=\"%s\" name=\"Foobar\"", modpath);
++	module = SECMOD_LoadUserModule(spec, NULL, PR_FALSE);
++	if (!module || !module->loaded) {
++		if (module)
++			SECMOD_DestroyModule(module);
++		return -1;
++	}
++
++	return 0;
++}
++
 +static Key *
 +make_key_from_privkey(SECKEYPrivateKey *privk, char *password)
 +{
@@ -442,9 +468,100 @@ diff -up /dev/null openssh-5.3p1/nsskeys
 +	return 0;
 +}
 +
++static int
++nss_authenticate(PK11SlotInfo *slot, char *password, int pwprompts, char **output)
++{
++	int i, quit;
++
++	*output = NULL;
++
++	if (!PK11_NeedLogin(slot))
++		return 0;
++
++	for (i = 0; i < pwprompts; i++) {
++		SECStatus rv;
++		CK_TOKEN_INFO info;
++
++		rv = PK11_GetTokenInfo(slot, &info);
++		if (rv != SECSuccess) {
++			error("Failed to get information for token %s",
++				PK11_GetTokenName(slot));
++			return -1;
++		}
++
++		if (info.flags & CKF_USER_PIN_LOCKED) {
++			error("Passphrase for token %s is locked",
++				PK11_GetTokenName(slot));
++			return -1;
++		}
++
++		if (info.flags & CKF_USER_PIN_FINAL_TRY)
++			debug2("Final passphrase attempt for token %s",
++				PK11_GetTokenName(slot));
++		else if (info.flags & CKF_USER_PIN_COUNT_LOW)
++			debug2("Previous failed passphrase attempt for token %s",
++				PK11_GetTokenName(slot));
++
++		if (password != NULL)
++			*output = xstrdup(password);
++		else {
++			char *prompt;
++			if (asprintf(&prompt, "Enter passphrase for token %s: ",
++				PK11_GetTokenName(slot)) < 0)
++				fatal("password_cb: asprintf failed");
++			*output = read_passphrase(prompt, RP_ALLOW_STDIN);
++		}
++
++		if (strcmp(*output, "") == 0) {
++			debug2("no passphrase given, ignoring slot");
++			quit = 1;
++			goto cleanup;
++		}
++
++		quit = 0;
++
++		rv = PK11_Authenticate(slot, PR_TRUE, *output);
++		if (rv == SECSuccess)
++			return 0;
++
++		switch (PORT_GetError()) {
++		case SEC_ERROR_BAD_PASSWORD:
++			debug2("Incorrect passphrase, try again...");
++			break;
++		case SEC_ERROR_INVALID_ARGS:
++		case SEC_ERROR_BAD_DATA:
++			debug2("Invalid passphrase, try again...");
++			break;
++#if HAVE_SEC_ERROR_LOCKED_PASSWORD
++		case SEC_ERROR_LOCKED_PASSWORD:
++			error("Unable to authenticate, token passphrase is locked");
++			quit = 1;
++			break;
++#endif
++		default:
++			error("Failure while authenticating against token");
++			quit = 1;
++		}
++
++cleanup:
++		memset(*output, 0, strlen(*output));
++		xfree(*output);
++		*output = NULL;
++
++		/* No point in retrying the same password */
++		if (password != NULL)
++			break;
++
++		if (quit)
++			break;
++	}
++
++	return -1;
++}
++
 +static Key **
 +nss_find_privkeys(const char *tokenname, const char *keyname,
-+    char *password)
++    char *password, int pwprompts)
 +{
 +	Key *k = NULL;
 +	Key **keys = NULL;
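Review bot: The `prompt` string allocated by `asprintf` in the `password == NULL` branch of nss_authenticate is never freed, and the loop runs up to `pwprompts` times, so it leaks one allocation per attempt; add `xfree(prompt);` directly after the `read_passphrase` call. The `memset(*output, 0, strlen(*output))` that wipes the passphrase right before `xfree` is the kind of dead store an optimizer may remove; a comment recording the intent, or a wiping helper the compiler cannot elide, would keep the secret from lingering. With `pwprompts <= 0` the loop body never executes and the function returns -1 for any slot that `PK11_NeedLogin` says requires a login; clamping to at least one attempt would match the callers that pass a literal `1`.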
@@ -465,18 +582,10 @@ diff -up /dev/null openssh-5.3p1/nsskeys
 +	for (sle = slots->head; sle; sle = sle->next) {
 +		SECKEYPrivateKeyList *list;
 +		SECKEYPrivateKeyListNode *node;
-+		char *tmppass = password;
-+				
-+		if (PK11_NeedLogin(sle->slot)) {
-+			if (password == NULL) {
-+				char *prompt;
-+				if (asprintf(&prompt, "Enter passphrase for token %s: ",
-+					PK11_GetTokenName(sle->slot)) < 0)
-+					fatal("password_cb: asprintf failed");
-+				tmppass = read_passphrase(prompt, RP_ALLOW_STDIN);
-+			}
-+			PK11_Authenticate(sle->slot, PR_TRUE, tmppass);
-+		}
++		char *tmppass;
++
++		if (nss_authenticate(sle->slot, password, pwprompts, &tmppass) == -1)
++			break;
 +
 +		debug("Looking for: %s:%s", tokenname, keyname);
 +		list = PK11_ListPrivKeysInSlot(sle->slot, (char *)keyname,
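Review bot: The `break` after a failed `nss_authenticate` leaves the slot loop entirely, so one token whose login fails, or that the user skips with an empty passphrase (which nss_authenticate logs as "ignoring slot"), stops enumeration of every remaining slot. `continue` matches the "ignoring slot" intent: `if (nss_authenticate(sle->slot, password, pwprompts, &tmppass) == -1) continue;` — `tmppass` is NULL on that path, so no cleanup is skipped. Whether a hard failure such as a locked token should still abort the whole search is a policy choice; if so, nss_authenticate needs to distinguish the two outcomes in its return value. The loop body continues past the end of this hunk.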
@@ -521,7 +630,7 @@ diff -up /dev/null openssh-5.3p1/nsskeys
 +			SECKEY_DestroyPrivateKeyList(list);
 +		}
 +cleanup:
-+		if (password == NULL && tmppass != NULL) {
++		if (tmppass != NULL) {
 +			memset(tmppass, 0, strlen(tmppass));
 +			xfree(tmppass);
 +		}
@@ -533,8 +642,9 @@ diff -up /dev/null openssh-5.3p1/nsskeys
 +
 +Key **
 +nss_get_keys(const char *tokenname, const char *keyname,
-+    char *password)
++    char *password, int pwprompts, int num_modules, const char **modules)
 +{
++	int i;
 +	Key **keys;
 +
 +	if (nss_init(NULL) == -1) {
@@ -542,7 +652,14 @@ diff -up /dev/null openssh-5.3p1/nsskeys
 +		return NULL;
 +	}
 +
-+	keys = nss_find_privkeys(tokenname, keyname, password);
++	for (i = 0;i < num_modules;i++) {
++		if (nss_load_module(modules[i]) == -1) {
++			error("Failed to load PKCS#11 module '%s'", modules[i]);
++			return NULL;
++		}
++	}
++
++	keys = nss_find_privkeys(tokenname, keyname, password, pwprompts);
 +	if (keys == NULL && keyname != NULL) {
 +		error("Cannot find key in nss, token removed");
 +		return NULL;
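Review bot: The loop header `for (i = 0;i < num_modules;i++)` lacks the spaces after the semicolons that the surrounding code uses; write `for (i = 0; i < num_modules; i++) {`. A single module that fails to load makes the whole call return NULL, so one stale `nssmodule` entry also hides the keys in the NSS database and in the modules that did load; if that is not intended, logging the error and continuing with the next module would be more forgiving. Note also that `nss_init` and the module loading are repeated on every call to nss_get_keys, so a process calling it more than once hands the same module to `SECMOD_LoadUserModule` again — worth a comment if NSS tolerates that, or a guard if it does not.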
@@ -578,8 +695,8 @@ diff -up /dev/null openssh-5.3p1/nsskeys
 +
 +#endif /* HAVE_LIBNSS */
 diff -up /dev/null openssh-5.3p1/nsskeys.h
---- /dev/null	2009-09-11 09:35:58.778798825 +0200
-+++ openssh-5.3p1/nsskeys.h	2009-10-02 14:09:01.000000000 +0200
+--- /dev/null	2009-11-27 11:08:21.619709673 +0100
++++ openssh-5.3p1/nsskeys.h	2009-11-27 13:43:01.000000000 +0100
 @@ -0,0 +1,39 @@
 +/*
 + * Copyright (c) 2001 Markus Friedl.  All rights reserved.
@@ -613,7 +730,7 @@ diff -up /dev/null openssh-5.3p1/nsskeys
 +#include <prtypes.h>
 +
 +int	nss_init(PK11PasswordFunc);
-+Key	**nss_get_keys(const char *, const char *, char *);
++Key	**nss_get_keys(const char *, const char *, char *, int , int , const char **);
 +char	*nss_get_key_label(Key *);
 +/*void	 sc_close(void);*/
 +/*int	 sc_put_key(Key *, const char *);*/
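Review bot: The new prototype has stray spaces before the commas (`int , int ,`) and, unlike the function definition, leaves the added parameters unnamed, so the reader cannot tell which `int` is the prompt count and which the module count; write `Key **nss_get_keys(const char *tokenname, const char *keyname, char *password, int pwprompts, int num_modules, const char **modules);`. The nsskeys.c hunk also introduces `nss_load_module` as a non-static function, yet no declaration for it is added here; unless it is declared elsewhere it should either become `static` or get a prototype in this header.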
@@ -622,30 +739,32 @@ diff -up /dev/null openssh-5.3p1/nsskeys
 +#endif
 diff -up openssh-5.3p1/readconf.c.nss-keys openssh-5.3p1/readconf.c
 --- openssh-5.3p1/readconf.c.nss-keys	2009-07-05 23:12:27.000000000 +0200
-+++ openssh-5.3p1/readconf.c	2009-10-02 14:09:01.000000000 +0200
++++ openssh-5.3p1/readconf.c	2009-11-27 13:43:01.000000000 +0100
 @@ -124,6 +124,7 @@ typedef enum {
  	oKbdInteractiveAuthentication, oKbdInteractiveDevices, oHostKeyAlias,
  	oDynamicForward, oPreferredAuthentications, oHostbasedAuthentication,
  	oHostKeyAlgorithms, oBindAddress, oSmartcardDevice,
-+	oUseNSS, oNSSToken,
++	oUseNSS, oNSSToken, oNSSModule,
  	oClearAllForwardings, oNoHostAuthenticationForLocalhost,
  	oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
  	oAddressFamily, oGssAuthentication, oGssDelegateCreds,
-@@ -210,6 +211,13 @@ static struct {
+@@ -210,6 +211,15 @@ static struct {
  #else
  	{ "smartcarddevice", oUnsupported },
  #endif
 +#ifdef HAVE_LIBNSS
 +	{ "usenss", oUseNSS },
 +	{ "nsstoken", oNSSToken },
++	{ "nssmodule", oNSSModule },
 +#else
 +	{ "usenss", oUnsupported },
 +	{ "nsstoken", oNSSToken },
++	{ "nssmodule", oUnsupported },
 +#endif
  	{ "clearallforwardings", oClearAllForwardings },
  	{ "enablesshkeysign", oEnableSSHKeysign },
  	{ "verifyhostkeydns", oVerifyHostKeyDNS },
-@@ -613,6 +621,14 @@ parse_string:
+@@ -613,6 +623,28 @@ parse_string:
  		charptr = &options->smartcard_device;
  		goto parse_string;
  
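Review bot: In the `#else` branch the new `{ "nssmodule", oUnsupported }` entry is right, but the neighbouring `{ "nsstoken", oNSSToken }` line in the same branch still parses the option when NSS support is compiled out, so a non-NSS build accepts `NSSToken` while rejecting `UseNSS` and `NSSModule`. Changing it to `{ "nsstoken", oUnsupported },` would make the three options behave consistently.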
@@ -657,19 +776,34 @@ diff -up openssh-5.3p1/readconf.c.nss-ke
 +		charptr = &options->nss_token;
 +		goto parse_command;
 +
++	case oNSSModule:
++		arg = strdelim(&s);
++		if (!arg || *arg == '\0')
++			fatal("%.200s line %d: Missing argument.", filename, linenum);
++		if (*activep) {
++			intptr = &options->num_nss_modules;
++			if (*intptr >= SSH_MAX_NSS_MODULES)
++				fatal("%.200s line %d: Too many PKCS#11 modules specified (max %d).",
++				    filename, linenum, SSH_MAX_NSS_MODULES);
++			charptr = &options->nss_modules[*intptr];
++			*charptr = xstrdup(arg);
++			*intptr = *intptr + 1;
++		}
++		break;
  	case oProxyCommand:
  		charptr = &options->proxy_command;
  parse_command:
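Review bot: The `nssmodule` argument is stored with no check beyond being non-empty, and it becomes the `library=` part of the PKCS#11 module spec in nss_load_module, which NSS presumably hands to the dynamic loader, so a relative value is resolved through the loader's library search path rather than a location the user named explicitly. Requiring an absolute path, e.g. `if (*arg != '/') fatal("%.200s line %d: PKCS#11 module path must be absolute.", filename, linenum);`, removes that ambiguity. A length check against the `MAXPATHLEN + 40` buffer used by nss_load_module would also reject here what would otherwise be silently truncated there.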
-@@ -1052,6 +1068,8 @@ initialize_options(Options * options)
+@@ -1052,6 +1084,9 @@ initialize_options(Options * options)
  	options->preferred_authentications = NULL;
  	options->bind_address = NULL;
  	options->smartcard_device = NULL;
 +	options->use_nss = -1;
 +	options->nss_token = NULL;
++	options->num_nss_modules = 0;
  	options->enable_ssh_keysign = - 1;
  	options->no_host_authentication_for_localhost = - 1;
  	options->identities_only = - 1;
-@@ -1183,6 +1201,8 @@ fill_default_options(Options * options)
+@@ -1183,6 +1218,8 @@ fill_default_options(Options * options)
  		options->no_host_authentication_for_localhost = 0;
  	if (options->identities_only == -1)
  		options->identities_only = 0;
@@ -680,19 +814,21 @@ diff -up openssh-5.3p1/readconf.c.nss-ke
  	if (options->rekey_limit == -1)
 diff -up openssh-5.3p1/readconf.h.nss-keys openssh-5.3p1/readconf.h
 --- openssh-5.3p1/readconf.h.nss-keys	2009-07-05 23:12:27.000000000 +0200
-+++ openssh-5.3p1/readconf.h	2009-10-02 14:09:01.000000000 +0200
-@@ -85,6 +85,8 @@ typedef struct {
++++ openssh-5.3p1/readconf.h	2009-11-27 13:43:01.000000000 +0100
+@@ -85,6 +85,10 @@ typedef struct {
  	char   *preferred_authentications;
  	char   *bind_address;	/* local socket address for connection to sshd */
  	char   *smartcard_device; /* Smartcard reader device */
 +	int     use_nss;        /* Use NSS library for keys */
 +	char   *nss_token;      /* Look for NSS keys on token */
++	int     num_nss_modules; /* Number of PCKS#11 modules. */
++	char   *nss_modules[SSH_MAX_NSS_MODULES];
  	int	verify_host_key_dns;	/* Verify host key using DNS */
  
  	int     num_identity_files;	/* Number of files for RSA/DSA identities. */
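Review bot: The comment on the new `num_nss_modules` field misspells the standard; it should read `/* Number of PKCS#11 modules. */`, and the `nss_modules` array gets no comment at all, so something like `/* Paths of PKCS#11 modules to load into NSS (NSSModule option) */` would match the neighbouring fields. `SSH_MAX_NSS_MODULES` is defined in ssh.h by this patch, so readconf.h now relies on ssh.h being included first — presumably the same arrangement `SSH_MAX_IDENTITY_FILES` already depends on, but worth confirming.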
 diff -up openssh-5.3p1/ssh-add.c.nss-keys openssh-5.3p1/ssh-add.c
 --- openssh-5.3p1/ssh-add.c.nss-keys	2008-02-28 09:13:52.000000000 +0100
-+++ openssh-5.3p1/ssh-add.c	2009-10-02 14:09:01.000000000 +0200
++++ openssh-5.3p1/ssh-add.c	2009-11-27 13:43:01.000000000 +0100
 @@ -44,6 +44,14 @@
  #include <openssl/evp.h>
  #include "openbsd-compat/openssl-compat.h"
@@ -932,7 +1068,7 @@ diff -up openssh-5.3p1/ssh-add.c.nss-key
  		struct passwd *pw;
 diff -up openssh-5.3p1/ssh-agent.c.nss-keys openssh-5.3p1/ssh-agent.c
 --- openssh-5.3p1/ssh-agent.c.nss-keys	2009-06-21 09:50:15.000000000 +0200
-+++ openssh-5.3p1/ssh-agent.c	2009-10-02 14:09:01.000000000 +0200
++++ openssh-5.3p1/ssh-agent.c	2009-11-27 13:43:01.000000000 +0100
 @@ -80,6 +80,10 @@
  #include "scard.h"
  #endif
@@ -977,7 +1113,7 @@ diff -up openssh-5.3p1/ssh-agent.c.nss-k
 +	if (lifetime && !death)
 +		death = time(NULL) + lifetime;
 +
-+	keys = nss_get_keys(tokenname, keyname, password);
++	keys = nss_get_keys(tokenname, keyname, password, 1, 0, NULL);
 +	/* password is owned by keys[0] now */
 +	xfree(tokenname);
 +	xfree(keyname);
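Review bot: The literal `1, 0, NULL` arguments carry meaning (a single authentication attempt, no PKCS#11 modules) that the call site does not explain; a comment such as `/* one attempt, no extra modules: the agent cannot re-prompt the user */` would stop the next reader from "fixing" it to the client's prompt count, if that is indeed the reason. The same literals appear in the second ssh-agent.c hunk and in the ssh-keygen.c hunk below. Note too that an empty `password` from the request is treated by nss_authenticate as "no passphrase given" and the slot is skipped with only a debug2 message, so a token that requires a login is silently ignored rather than reported to the ssh-add client.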
@@ -1026,7 +1162,7 @@ diff -up openssh-5.3p1/ssh-agent.c.nss-k
 +	keyname = buffer_get_string(&e->request, NULL);
 +	password = buffer_get_string(&e->request, NULL);
 +
-+	keys = nss_get_keys(tokenname, keyname, password);
++	keys = nss_get_keys(tokenname, keyname, password, 1, 0, NULL);
 +	xfree(tokenname);
 +	xfree(keyname);
 +	xfree(password);
@@ -1077,7 +1213,7 @@ diff -up openssh-5.3p1/ssh-agent.c.nss-k
  		error("Unknown message %d", type);
 diff -up openssh-5.3p1/ssh.c.nss-keys openssh-5.3p1/ssh.c
 --- openssh-5.3p1/ssh.c.nss-keys	2009-07-05 23:16:56.000000000 +0200
-+++ openssh-5.3p1/ssh.c	2009-10-02 14:09:01.000000000 +0200
++++ openssh-5.3p1/ssh.c	2009-11-27 13:43:01.000000000 +0100
 @@ -105,6 +105,9 @@
  #ifdef SMARTCARD
  #include "scard.h"
@@ -1101,14 +1237,16 @@ diff -up openssh-5.3p1/ssh.c.nss-keys op
  	if (options.smartcard_device != NULL &&
  	    options.num_identity_files < SSH_MAX_IDENTITY_FILES &&
  	    (keys = sc_get_keys(options.smartcard_device, NULL)) != NULL) {
-@@ -1259,6 +1264,27 @@ load_public_identity_files(void)
+@@ -1259,6 +1264,29 @@ load_public_identity_files(void)
  		xfree(keys);
  	}
  #endif /* SMARTCARD */
 +#ifdef HAVE_LIBNSS
 +	if (options.use_nss &&
 +	    options.num_identity_files < SSH_MAX_IDENTITY_FILES &&
-+	    (keys = nss_get_keys(options.nss_token, NULL, NULL)) != NULL) {
++	    (keys = nss_get_keys(options.nss_token, NULL, NULL, 
++	    	options.number_of_password_prompts, options.num_nss_modules,
++	    	options.nss_modules)) != NULL) {
 +		int count;
 +		for (count = 0; keys[count] != NULL; count++) {
 +			memmove(&options.identity_files[1], &options.identity_files[0],
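Review bot: `options.nss_modules` is declared `char *nss_modules[SSH_MAX_NSS_MODULES]` in the readconf.h hunk and decays to `char **`, but the new nss_get_keys prototype takes `const char **`; C does not convert `char **` to `const char **` implicitly, so this call is a constraint violation that compilers report as an incompatible pointer type. Either cast at the call, `(const char **)options.nss_modules`, or declare the parameter as `char *const *` in nsskeys.h and nsskeys.c, which `char **` converts to without a cast. The continuation lines also mix tab-plus-spaces indentation and leave a trailing space after `NULL,`, unlike the surrounding code. The enclosing `if` body continues past this hunk.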
@@ -1131,7 +1269,7 @@ diff -up openssh-5.3p1/ssh.c.nss-keys op
  	pwname = xstrdup(pw->pw_name);
 diff -up openssh-5.3p1/ssh-dss.c.nss-keys openssh-5.3p1/ssh-dss.c
 --- openssh-5.3p1/ssh-dss.c.nss-keys	2006-11-07 13:14:42.000000000 +0100
-+++ openssh-5.3p1/ssh-dss.c	2009-10-02 14:09:01.000000000 +0200
++++ openssh-5.3p1/ssh-dss.c	2009-11-27 13:43:01.000000000 +0100
 @@ -39,6 +39,10 @@
  #include "log.h"
  #include "key.h"
@@ -1189,9 +1327,25 @@ diff -up openssh-5.3p1/ssh-dss.c.nss-key
  	if (datafellows & SSH_BUG_SIGBLOB) {
  		if (lenp != NULL)
  			*lenp = SIGBLOB_LEN;
+diff -up openssh-5.3p1/ssh.h.nss-keys openssh-5.3p1/ssh.h
+--- openssh-5.3p1/ssh.h.nss-keys	2006-08-05 04:39:41.000000000 +0200
++++ openssh-5.3p1/ssh.h	2009-11-27 13:43:01.000000000 +0100
+@@ -28,6 +28,12 @@
+ #define SSH_MAX_IDENTITY_FILES		100
+ 
+ /*
++ * Maximum number of PKCS#11 modules that can be specified in configuration
++ * files or on the command line.
++ */
++#define SSH_MAX_NSS_MODULES			10
++
++/*
+  * Maximum length of lines in authorized_keys file.
+  * Current value permits 16kbit RSA and RSA1 keys and 8kbit DSA keys, with
+  * some room for options and comments.
 diff -up openssh-5.3p1/ssh-keygen.c.nss-keys openssh-5.3p1/ssh-keygen.c
 --- openssh-5.3p1/ssh-keygen.c.nss-keys	2009-06-22 08:11:07.000000000 +0200
-+++ openssh-5.3p1/ssh-keygen.c	2009-10-02 14:09:01.000000000 +0200
++++ openssh-5.3p1/ssh-keygen.c	2009-11-27 13:43:01.000000000 +0100
 @@ -53,6 +53,11 @@
  #include "scard.h"
  #endif
@@ -1215,7 +1369,7 @@ diff -up openssh-5.3p1/ssh-keygen.c.nss-
 +	Key **keys = NULL;
 +	int i;
 +	
-+	keys = nss_get_keys(tokenname, keyname, NULL);
++	keys = nss_get_keys(tokenname, keyname, NULL, 1, 0, NULL);
 +	if (keys == NULL)
 +		fatal("cannot find public key in NSS");
 +	for (i = 0; keys[i]; i++) {
@@ -1295,7 +1449,7 @@ diff -up openssh-5.3p1/ssh-keygen.c.nss-
  		if (download)
 diff -up openssh-5.3p1/ssh-rsa.c.nss-keys openssh-5.3p1/ssh-rsa.c
 --- openssh-5.3p1/ssh-rsa.c.nss-keys	2006-09-01 07:38:37.000000000 +0200
-+++ openssh-5.3p1/ssh-rsa.c	2009-10-02 14:09:01.000000000 +0200
++++ openssh-5.3p1/ssh-rsa.c	2009-11-27 13:43:01.000000000 +0100
 @@ -32,6 +32,10 @@
  #include "compat.h"
  #include "ssh.h"
@@ -1366,43 +1520,3 @@ diff -up openssh-5.3p1/ssh-rsa.c.nss-key
  	/* encode signature */
  	buffer_init(&b);
  	buffer_put_cstring(&b, "ssh-rsa");
-diff -up /dev/null openssh-5.2p1/README.nss
---- /dev/null	2008-11-17 17:51:52.160001870 +0100
-+++ openssh-5.2p1/README.nss	2008-11-18 19:11:41.000000000 +0100
-@@ -0,0 +1,36 @@
-+How to use NSS tokens with OpenSSH?
-+
-+This version of OpenSSH contains experimental support for authentication using
-+keys stored in tokens stored in NSS database. This for example includes any
-+PKCS#11 tokens which are installed in your NSS database.
-+
-+As the code is experimental and preliminary only SSH protocol 2 is supported.
-+The NSS certificate and token databases are looked for in the ~/.ssh
-+directory or in a directory specified by environment variable NSS_DB_PATH.
-+
-+Common operations:
-+
-+(1) tell the ssh client to use the NSS keys:
-+
-+	$ ssh -o 'UseNSS yes' otherhost
-+	
-+	if you want to use a specific token:
-+	
-+	$ ssh -o 'UseNSS yes' -o 'NSS Token My PKCS11 Token' otherhost
-+
-+(2) or tell the agent to use the NSS keys:
-+
-+	$ ssh-add -n
-+	
-+	if you want to use a specific token:
-+	
-+	$ ssh-add -n -T 'My PKCS11 Token'
-+
-+(3) extract the public key from token so it can be added to the
-+server:
-+
-+	$ ssh-keygen -n
-+	
-+	if you want to use a specific token and/or key:
-+	
-+	$ ssh-keygen -n -D 'My PKCS11 Token' 'My Key ID'


Index: openssh.spec
===================================================================
RCS file: /cvs/pkgs/rpms/openssh/F-12/openssh.spec,v
retrieving revision 1.173
retrieving revision 1.174
diff -u -p -r1.173 -r1.174
--- openssh.spec	20 Nov 2009 17:01:48 -0000	1.173
+++ openssh.spec	30 Nov 2009 10:09:11 -0000	1.174
@@ -69,7 +69,7 @@
 Summary: An open source implementation of SSH protocol versions 1 and 2
 Name: openssh
 Version: 5.3p1
-Release: 9%{?dist}%{?rescue_rel}
+Release: 11%{?dist}%{?rescue_rel}
 URL: http://www.openssh.com/portable.html
 #URL1: http://pamsshauth.sourceforge.net
 #Source0: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz
@@ -525,7 +525,10 @@ fi
 %endif
 
 %changelog
-* Fri Nov 20 2009 Jan F. Chadima <jchadima at redhat.com> - 5.3p1-8
+* Mon Nov 30 2009 Jan F. Chadima <jchadima at redhat.com> - 5.3p1-11
+- Update NSS key patch including future SEC_ERROR_LOCKED_PASSWORD (#537411, #356451)
+
+* Fri Nov 20 2009 Jan F. Chadima <jchadima at redhat.com> - 5.3p1-9
 - Add gssapi key exchange patch (#455351)
 
 * Fri Nov 20 2009 Jan F. Chadima <jchadima at redhat.com> - 5.3p1-8



