openldap/openldap-nss-disable-nofork.patch

fix: OpenLDAP can't use TLS after a fork()

Mozilla NSS - disable pkcs11 fork checking for the software token

Resolves: #636956
Upstream ITS: #6811, follows #6802
Author: Rich Megginson <rmeggins@redhat.com>

diff -uNPrp openldap-2.4.23.old/libraries/libldap/tls_m.c openldap-2.4.23.new/libraries/libldap/tls_m.c
--- openldap-2.4.23.old/libraries/libldap/tls_m.c	2011-02-02 12:21:27.576280756 +0100
+++ openldap-2.4.23.new/libraries/libldap/tls_m.c	2011-02-02 12:38:24.785682347 +0100
@@ -2884,10 +2884,27 @@ static const PRIOMethods tlsm_PR_methods
 static int
 tlsm_init( void )
 {
+	char *nofork = PR_GetEnv( "NSS_STRICT_NOFORK" );
+
 	PR_Init(0, 0, 0);
 
 	tlsm_layer_id = PR_GetUniqueIdentity( "OpenLDAP" );
 
+	/*
+	 * There are some applications that acquire a crypto context in the parent process
+	 * and expect that crypto context to work after a fork().  This does not work
+	 * with NSS using strict PKCS11 compliance mode.  We set this environment
+	 * variable here to tell the software encryption module/token to allow crypto
+	 * contexts to persist across a fork().  However, if you are using some other
+	 * module or encryption device that supports and expects full PKCS11 semantics,
+	 * the only recourse is to rewrite the application with atfork() handlers to save
+	 * the crypto context in the parent and restore (and SECMOD_RestartModules) the
+	 * context in the child.
+	 */
+	if ( !nofork ) {
+		PR_SetEnv( "NSS_STRICT_NOFORK=DISABLED" );
+	}
+
 	return 0;
 }
fix update: restart NSS modules after fork version bump 2.4.23-8 Resolves: #636956 2011-02-02 11:55:23 +00:00			`fix: OpenLDAP can't use TLS after a fork()`

			`Mozilla NSS - disable pkcs11 fork checking for the software token`

			`Resolves: #636956`
			`Upstream ITS: #6811, follows #6802`
			`Author: Rich Megginson <rmeggins@redhat.com>`

			`diff -uNPrp openldap-2.4.23.old/libraries/libldap/tls_m.c openldap-2.4.23.new/libraries/libldap/tls_m.c`
			`--- openldap-2.4.23.old/libraries/libldap/tls_m.c 2011-02-02 12:21:27.576280756 +0100`
			`+++ openldap-2.4.23.new/libraries/libldap/tls_m.c 2011-02-02 12:38:24.785682347 +0100`
			`@@ -2884,10 +2884,27 @@ static const PRIOMethods tlsm_PR_methods`
			`static int`
			`tlsm_init( void )`
			`{`
			`+ char *nofork = PR_GetEnv( "NSS_STRICT_NOFORK" );`
			`+`
			`PR_Init(0, 0, 0);`

			`tlsm_layer_id = PR_GetUniqueIdentity( "OpenLDAP" );`

			`+ /*`
			`+ * There are some applications that acquire a crypto context in the parent process`
			`+ * and expect that crypto context to work after a fork(). This does not work`
			`+ * with NSS using strict PKCS11 compliance mode. We set this environment`
			`+ * variable here to tell the software encryption module/token to allow crypto`
			`+ * contexts to persist across a fork(). However, if you are using some other`
			`+ * module or encryption device that supports and expects full PKCS11 semantics,`
			`+ * the only recourse is to rewrite the application with atfork() handlers to save`
			`+ * the crypto context in the parent and restore (and SECMOD_RestartModules) the`
			`+ * context in the child.`
			`+ */`
			`+ if ( !nofork ) {`
			`+ PR_SetEnv( "NSS_STRICT_NOFORK=DISABLED" );`
			`+ }`
			`+`
			`return 0;`
			`}`