summaryrefslogtreecommitdiff
path: root/dev-libs/nss
diff options
context:
space:
mode:
Diffstat (limited to 'dev-libs/nss')
-rw-r--r--dev-libs/nss/Manifest3
-rw-r--r--dev-libs/nss/files/nss-3.59-dont-hold-slot-lock-when-taking-session-lock.patch93
-rw-r--r--dev-libs/nss/nss-3.59-r1.ebuild (renamed from dev-libs/nss/nss-3.59.ebuild)1
3 files changed, 96 insertions, 1 deletions
diff --git a/dev-libs/nss/Manifest b/dev-libs/nss/Manifest
index d34c255c9f8a..c6fbfc651aa5 100644
--- a/dev-libs/nss/Manifest
+++ b/dev-libs/nss/Manifest
@@ -3,11 +3,12 @@ AUX nss-3.23-hppa-byte_order.patch 460 BLAKE2B 97358cc8fbea0b0d3beee0697833e48ef
AUX nss-3.53-fix-building-on-ppc.patch 1206 BLAKE2B e6189802769197b290fd332ee2b7d074c0bacf47313998117734dafd1eb6a536db19bc8a329944d9fad51a6f9f90f81d98181272e0068bf852fea7ca928d2713 SHA512 859162070aa3c5e6e8be259f5e6648d37a5194a02958310f8caf56ff772dcaa4ebb26e4d754c99608fc7a45b641c5088cccd9e2c7d9c92c5ccc85c6b47320720
AUX nss-3.53-gentoo-fixups.patch 6886 BLAKE2B 1c605d8db02ebe0492c41955207368197a79990e43e219a71962cb28ac0cecd9e0acc2b76e16f5b116fdb8bf8790d96046cb4f376df9b8634ac48e54924589f8 SHA512 51031f92519f57d4b57a547cf549f2d5da1c5a7212d4b304fb0d71d6a85a5aefd64724ec9075c14c9b49c1e99c3ffe91cbec501c3504985aa9b16eacf2aa15ed
AUX nss-3.58-always-tolerate-the-first-CCS-in-TLS1.3.patch 8546 BLAKE2B 25c222f44f714226364dbda760989e7e255ab93a79121238ccce2962c346c37971a8440e8cc16ac5555f78c15b7a1b72e7311a7b7257b254fefe7e9a75d94924 SHA512 79fff678895a5643b34c42a0b0d34299b1b63c19baf0bbeb43fcee6b7f01bb24baf7047261b16e913d39fe9e69a637c7dc2bba0fec9ceedd43fa4f5dcc99f38f
+AUX nss-3.59-dont-hold-slot-lock-when-taking-session-lock.patch 4053 BLAKE2B d4a9a30c8cbea3b37d8d72cf87c55485cd12caa3f68daaf9bcfd06e945386191549e3cab6a5c637b7e6ea598bba3c0f2cb86bdf51cae9d860bbb614b896402a5 SHA512 5af11e79e4f395e7037aa50d33db7f4fd2fecfdfe33c38865dcf1bad9de731e6d0d859720e8684b5d5ea194c1e86360428a98553fe5115a069ddd1fc95f4cb84
DIST nss-3.56.tar.gz 81706176 BLAKE2B 84c3b9fd649ce38ad843725b180982692dcac34e851734813b959734054f2e9ebfad66496de320f46e861381f6d5f52db0cc4c0953f7504b79f6b529b871f173 SHA512 f2eed8252c13b38a4d80a11203136d22a521205f814b6d954cc119ccf8921fcb8f689d919944bea4739d1575e9bda7e13cf2ad054ac91d51e049abe246efc845
DIST nss-3.58.tar.gz 81846254 BLAKE2B f8e7d0b231916b197ad21706a057d055f8377059d76d4f09aff523cc4cd071a3184f02dc488259df22109b70be7b8a5d5fa7ea2273a830de825cc9a8c95dcca9 SHA512 03d2ab1517ac07620ea3f02dcf680cf019e0129006ff2559b2d0a047036340c20b98c9679b17a594e5502aa30e158caf309f046901b9ec7c7adeeaa13ec50b80
DIST nss-3.59.tar.gz 82141516 BLAKE2B 74959b14ec42b4628dfc3365af00420cdbd41d202541e9379f6a4448c4496b76307af48c9ec405b370f8770327ce56742b4382f8cd49724b42732ce5cc5b0779 SHA512 8963e846f2ff7222457ae59f042672cf4e44f7752807226f46c215a772fd1cbd65d0ce634da4afb698eabd4eb1c1e78146cc2a089339ada11da03d259c609a38
DIST nss-cacert-class1-class3.patch 22950 BLAKE2B 9d5e60df5f161a3c27c41e5a9419440a54f888eda454e3cde5ebe626d4075b65cf9938b5144d0fb022377f4bd415bff5e5c67d104409860aa9391b3eb8872c68 SHA512 a5aa740bf110a3f0262e3f1ef2fc739ac2b44f042e220039d48aee8e97cd764d5c10718220364f4098aba955882bd02cadb5481512388971a8290312f88a7df0
EBUILD nss-3.56.ebuild 9192 BLAKE2B 159708f6fc8c0b2e55404b95bbe688798f3f691ecb6e62a87e9ae32b08c9e9ae6693bb959a7af3232694ee0c97e5b8bef1981156152c17d8ea4a7c121885bfc3 SHA512 56597eeacea300e066177e9fd83d646a0bc5f84e580ac4dfd952ffcfb67ab77f738126b21cae44966d12ec6bb6e9b50f44a8ac9cf2304bb2f95b41fbe144b78f
EBUILD nss-3.58-r2.ebuild 9258 BLAKE2B dc108ae1b31d12f42c34b1938e99438d4f7c7c62cc681c880f458ee8c90ae7b5e0374fa80528c95b1372489c7537059af68570901a72094d240ddb3860297eca SHA512 34c05b3c3cf11ab13b32c68e859aa23f573f4875be76279c6b814e2f750c7bc5329cc6b180e83b4322debfac5f48e0296af3611a23b83682f4d5e472309c0ac8
-EBUILD nss-3.59.ebuild 9195 BLAKE2B 863b9a0187c0cff4ece023fcc84e90ba4560ad27a59b561ee48b2d2d3866ceea0b7fdfe6ee3ea8865264f98f4b44491f65ce7ef955064cb9606e21eaccb072a4 SHA512 5c5fa7be3f3e080310868e8458b64973f2c849eb28663bc7f7eced5fe8415a06fd5005c676a28eb494d0e7eda32fa05c1f5b3fea275b0fa8d0282e9f5e76e055
+EBUILD nss-3.59-r1.ebuild 9272 BLAKE2B b7d26f3774c79e31054f4281eb33686801369f3ee134e27d7d09aad84dd9ce841f8629470ac2790728fb52aff903cb515bfa4c9426ba1eaf161209f5ab8ef97b SHA512 c780d53c01fbc80ea6e6429ebec1ea56e088887411b898a7b8dd2f79df4ba8d35ba38efb70dff32cacaec5da6e0deddce0b2c2d29c3baea55db7b8c7287d1e6b
MISC metadata.xml 515 BLAKE2B a63fb05a1a3e1b06f929f963ab0794ec1230e89903fc97a7c7db81a0b3c7b7e8b9277eaa7440f8929738ec0f805d8a8dd51c8262e569fb9be2fa0938b08ad7a2 SHA512 6bec952825416ba0ab8282669483eb75935f6b4a3052e0f78dad911c0246b8d8ce245c86cbd82b292d49338848fa50fb2009fb4a9def1ac8d81bf9a3320cd2b0
diff --git a/dev-libs/nss/files/nss-3.59-dont-hold-slot-lock-when-taking-session-lock.patch b/dev-libs/nss/files/nss-3.59-dont-hold-slot-lock-when-taking-session-lock.patch
new file mode 100644
index 000000000000..be4ebfe47961
--- /dev/null
+++ b/dev-libs/nss/files/nss-3.59-dont-hold-slot-lock-when-taking-session-lock.patch
@@ -0,0 +1,93 @@
+
+# HG changeset patch
+# User Kevin Jacobs <kjacobs@mozilla.com>
+# Date 1606813429 0
+# Node ID 19585ccc7a1f0f4e9a8d2b9c5ceeb408ea90acb9
+# Parent f1e48fbead3d9e69500d7aedc1ef6e4bf334f41e
+Bug 1679290 - Don't hold slot lock when taking session lock r=bbeurdouche
+
+[[ https://hg.mozilla.org/projects/nss/rev/0ed11a5835ac1556ff978362cd61069d48f4c5db | 0ed11a5835ac1556ff978362cd61069d48f4c5db ]] fixed a number of race conditions related to NSSSlot member accesses. Unfortunately the locking order that was imposed by that patch has been found to cause problems for at least one PKCS11 module, libnsspem.
+
+This patch drops nested locking in favor of unlocking/re-locking. While this isn't perfect, the original problem in bug 1663661 was that `slot->token` could become NULL, which we can easily check after reacquiring.
+
+Differential Revision: https://phabricator.services.mozilla.com/D98247
+
+diff --git a/lib/dev/devslot.c b/lib/dev/devslot.c
+--- a/lib/dev/devslot.c
++++ b/lib/dev/devslot.c
+@@ -183,25 +183,32 @@ nssSlot_IsTokenPresent(
+ if ((slot->ckFlags & CKF_TOKEN_PRESENT) == 0) {
+ if (!slot->token) {
+ /* token was never present */
+ isPresent = PR_FALSE;
+ goto done; /* slot lock held */
+ }
+ session = nssToken_GetDefaultSession(slot->token);
+ if (session) {
++ nssSlot_ExitMonitor(slot);
+ nssSession_EnterMonitor(session);
+ /* token is not present */
+ if (session->handle != CK_INVALID_HANDLE) {
+ /* session is valid, close and invalidate it */
+ CKAPI(epv)
+ ->C_CloseSession(session->handle);
+ session->handle = CK_INVALID_HANDLE;
+ }
+ nssSession_ExitMonitor(session);
++ nssSlot_EnterMonitor(slot);
++ if (!slot->token) {
++ /* Check token presence after re-acquiring lock */
++ isPresent = PR_FALSE;
++ goto done; /* slot lock held */
++ }
+ }
+ if (slot->token->base.name[0] != 0) {
+ /* notify the high-level cache that the token is removed */
+ slot->token->base.name[0] = 0; /* XXX */
+ nssToken_NotifyCertsNotVisible(slot->token);
+ }
+ slot->token->base.name[0] = 0; /* XXX */
+ /* clear the token cache */
+@@ -218,34 +225,41 @@ nssSlot_IsTokenPresent(
+ }
+
+ /* token is present, use the session info to determine if the card
+ * has been removed and reinserted.
+ */
+ session = nssToken_GetDefaultSession(slot->token);
+ if (session) {
+ PRBool tokenRemoved;
++ nssSlot_ExitMonitor(slot);
+ nssSession_EnterMonitor(session);
+ if (session->handle != CK_INVALID_HANDLE) {
+ CK_SESSION_INFO sessionInfo;
+ ckrv = CKAPI(epv)->C_GetSessionInfo(session->handle, &sessionInfo);
+ if (ckrv != CKR_OK) {
+ /* session is screwy, close and invalidate it */
+ CKAPI(epv)
+ ->C_CloseSession(session->handle);
+ session->handle = CK_INVALID_HANDLE;
+ }
+ }
+ tokenRemoved = (session->handle == CK_INVALID_HANDLE);
+ nssSession_ExitMonitor(session);
++ nssSlot_EnterMonitor(slot);
+ /* token not removed, finished */
+ if (!tokenRemoved) {
+ isPresent = PR_TRUE;
+ goto done; /* slot lock held */
+ }
++ if (!slot->token) {
++ /* Check token presence after re-acquiring lock */
++ isPresent = PR_FALSE;
++ goto done; /* slot lock held */
++ }
+ }
+ /* the token has been removed, and reinserted, or the slot contains
+ * a token it doesn't recognize. invalidate all the old
+ * information we had on this token, if we can't refresh, clear
+ * the present flag */
+ nssToken_NotifyCertsNotVisible(slot->token);
+ nssToken_Remove(slot->token);
+ /* token has been removed, need to refresh with new session */
+
diff --git a/dev-libs/nss/nss-3.59.ebuild b/dev-libs/nss/nss-3.59-r1.ebuild
index 37ab7c58696f..82184ff8a710 100644
--- a/dev-libs/nss/nss-3.59.ebuild
+++ b/dev-libs/nss/nss-3.59-r1.ebuild
@@ -40,6 +40,7 @@ PATCHES=(
"${FILESDIR}/${PN}-3.21-gentoo-fixup-warnings.patch"
"${FILESDIR}/${PN}-3.23-hppa-byte_order.patch"
"${FILESDIR}/${PN}-3.53-fix-building-on-ppc.patch"
+ "${FILESDIR}/${PN}-3.59-dont-hold-slot-lock-when-taking-session-lock.patch"
)
src_prepare() {