137 lines
4.4 KiB
Diff
137 lines
4.4 KiB
Diff
|
TLS_CACERTDIR takes precedence over TLS_CACERTFILE
|
|||
|
|
|
|||
|
|
Resolves: #652304
|
|||
|
|
Upstream ITS: #6704
|
|||
|
|
Author: Rich Megginson (rmeggins@redhat.com)
|
|||
|
|
|
|||
|
|
diff -uNPrp openldap-2.4.23.old/libraries/libldap/tls_m.c openldap-2.4.23.new/libraries/libldap/tls_m.c
|
|||
|
|
--- openldap-2.4.23.old/libraries/libldap/tls_m.c 2010-11-18 11:01:36.129392116 +0100
|
|||
|
|
+++ openldap-2.4.23.new/libraries/libldap/tls_m.c 2010-11-18 11:02:19.466387205 +0100
|
|||
|
|
@@ -1031,6 +1031,7 @@ tlsm_add_cert_from_file( tlsm_ctx *ctx,
|
|||
|
|
}
|
|||
|
|
|
|||
|
|
if ( fi.type != PR_FILE_FILE ) {
|
|||
|
|
+ PR_SetError(PR_IS_DIRECTORY_ERROR, 0);
|
|||
|
|
Debug( LDAP_DEBUG_ANY,
|
|||
|
|
"TLS: error: the certificate file %s is not a file.\n",
|
|||
|
|
filename, 0 ,0 );
|
|||
|
|
@@ -1123,6 +1124,7 @@ tlsm_add_key_from_file( tlsm_ctx *ctx, c
|
|||
|
|
}
|
|||
|
|
|
|||
|
|
if ( fi.type != PR_FILE_FILE ) {
|
|||
|
|
+ PR_SetError(PR_IS_DIRECTORY_ERROR, 0);
|
|||
|
|
Debug( LDAP_DEBUG_ANY,
|
|||
|
|
"TLS: error: the key file %s is not a file.\n",
|
|||
|
|
filename, 0 ,0 );
|
|||
|
|
@@ -1178,69 +1180,91 @@ static int
|
|||
|
|
tlsm_init_ca_certs( tlsm_ctx *ctx, const char *cacertfile, const char *cacertdir )
|
|||
|
|
{
|
|||
|
|
PRBool isca = PR_TRUE;
|
|||
|
|
+ PRStatus status = PR_FAILURE;
|
|||
|
|
+ PRErrorCode errcode = PR_SUCCESS;
|
|||
|
|
|
|||
|
|
if ( cacertfile ) {
|
|||
|
|
int rc = tlsm_add_cert_from_file( ctx, cacertfile, isca );
|
|||
|
|
if ( rc ) {
|
|||
|
|
- return rc;
|
|||
|
|
+ errcode = PR_GetError();
|
|||
|
|
+ Debug( LDAP_DEBUG_ANY,
|
|||
|
|
+ "TLS: %s is not a valid CA certificate file - error %d:%s.\n",
|
|||
|
|
+ cacertfile, errcode,
|
|||
|
|
+ PR_ErrorToString( errcode, PR_LANGUAGE_I_DEFAULT ) );
|
|||
|
|
+ } else {
|
|||
|
|
+ Debug( LDAP_DEBUG_TRACE,
|
|||
|
|
+ "TLS: loaded CA certificate file %s.\n",
|
|||
|
|
+ cacertfile, 0, 0 );
|
|||
|
|
+ status = PR_SUCCESS; /* have at least one good CA - we can proceed */
|
|||
|
|
}
|
|||
|
|
}
|
|||
|
|
|
|||
|
|
if ( cacertdir ) {
|
|||
|
|
PRFileInfo fi;
|
|||
|
|
- PRStatus status;
|
|||
|
|
PRDir *dir;
|
|||
|
|
PRDirEntry *entry;
|
|||
|
|
+ PRStatus fistatus = PR_FAILURE;
|
|||
|
|
|
|||
|
|
memset( &fi, 0, sizeof(fi) );
|
|||
|
|
- status = PR_GetFileInfo( cacertdir, &fi );
|
|||
|
|
- if ( PR_SUCCESS != status) {
|
|||
|
|
- PRErrorCode errcode = PR_GetError();
|
|||
|
|
+ fistatus = PR_GetFileInfo( cacertdir, &fi );
|
|||
|
|
+ if ( PR_SUCCESS != fistatus) {
|
|||
|
|
+ errcode = PR_GetError();
|
|||
|
|
Debug( LDAP_DEBUG_ANY,
|
|||
|
|
"TLS: could not get info about the CA certificate directory %s - error %d:%s.\n",
|
|||
|
|
cacertdir, errcode,
|
|||
|
|
PR_ErrorToString( errcode, PR_LANGUAGE_I_DEFAULT ) );
|
|||
|
|
- return -1;
|
|||
|
|
+ goto done;
|
|||
|
|
}
|
|||
|
|
|
|||
|
|
if ( fi.type != PR_FILE_DIRECTORY ) {
|
|||
|
|
Debug( LDAP_DEBUG_ANY,
|
|||
|
|
"TLS: error: the CA certificate directory %s is not a directory.\n",
|
|||
|
|
cacertdir, 0 ,0 );
|
|||
|
|
- return -1;
|
|||
|
|
+ goto done;
|
|||
|
|
}
|
|||
|
|
|
|||
|
|
dir = PR_OpenDir( cacertdir );
|
|||
|
|
if ( NULL == dir ) {
|
|||
|
|
- PRErrorCode errcode = PR_GetError();
|
|||
|
|
+ errcode = PR_GetError();
|
|||
|
|
Debug( LDAP_DEBUG_ANY,
|
|||
|
|
"TLS: could not open the CA certificate directory %s - error %d:%s.\n",
|
|||
|
|
cacertdir, errcode,
|
|||
|
|
PR_ErrorToString( errcode, PR_LANGUAGE_I_DEFAULT ) );
|
|||
|
|
- return -1;
|
|||
|
|
+ goto done;
|
|||
|
|
}
|
|||
|
|
|
|||
|
|
- status = -1;
|
|||
|
|
do {
|
|||
|
|
entry = PR_ReadDir( dir, PR_SKIP_BOTH | PR_SKIP_HIDDEN );
|
|||
|
|
if ( NULL != entry ) {
|
|||
|
|
char *fullpath = PR_smprintf( "%s/%s", cacertdir, entry->name );
|
|||
|
|
if ( !tlsm_add_cert_from_file( ctx, fullpath, isca ) ) {
|
|||
|
|
- status = 0; /* found at least 1 valid CA file in the dir */
|
|||
|
|
+ Debug( LDAP_DEBUG_TRACE,
|
|||
|
|
+ "TLS: loaded CA certificate file %s from CA certificate directory %s.\n",
|
|||
|
|
+ fullpath, cacertdir, 0 );
|
|||
|
|
+ status = PR_SUCCESS; /* found at least 1 valid CA file in the dir */
|
|||
|
|
+ } else {
|
|||
|
|
+ errcode = PR_GetError();
|
|||
|
|
+ Debug( LDAP_DEBUG_TRACE,
|
|||
|
|
+ "TLS: %s is not a valid CA certificate file - error %d:%s.\n",
|
|||
|
|
+ fullpath, errcode,
|
|||
|
|
+ PR_ErrorToString( errcode, PR_LANGUAGE_I_DEFAULT ) );
|
|||
|
|
}
|
|||
|
|
PR_smprintf_free( fullpath );
|
|||
|
|
}
|
|||
|
|
} while ( NULL != entry );
|
|||
|
|
PR_CloseDir( dir );
|
|||
|
|
-
|
|||
|
|
- if ( status ) {
|
|||
|
|
- PRErrorCode errcode = PR_GetError();
|
|||
|
|
- Debug( LDAP_DEBUG_ANY,
|
|||
|
|
- "TLS: did not find any valid CA certificate files in the CA certificate directory %s - error %d:%s.\n",
|
|||
|
|
- cacertdir, errcode,
|
|||
|
|
- PR_ErrorToString( errcode, PR_LANGUAGE_I_DEFAULT ) );
|
|||
|
|
- return -1;
|
|||
|
|
+ }
|
|||
|
|
+done:
|
|||
|
|
+ if ( status != PR_SUCCESS ) {
|
|||
|
|
+ const char *fmtstr = NULL;
|
|||
|
|
+ if ( cacertfile && cacertdir ) {
|
|||
|
|
+ fmtstr = "TLS: did not find any valid CA certificates in %s or %s\n";
|
|||
|
|
+ } else {
|
|||
|
|
+ fmtstr = "TLS: did not find any valid CA certificates in %s%s\n";
|
|||
|
|
}
|
|||
|
|
+ Debug( LDAP_DEBUG_ANY, fmtstr, cacertdir ? cacertdir : "",
|
|||
|
|
+ cacertfile ? cacertfile : "", 0 );
|
|||
|
|
+ return -1;
|
|||
|
|
}
|
|||
|
|
|
|||
|
|
return 0;
|