diff --git a/.gitignore b/.gitignore
index e0402b4..3055693 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-/openldap-2.4.23.tgz
+/openldap-2.4.24.tgz
diff --git a/openldap-cacertdir-hash-only.patch b/openldap-cacertdir-hash-only.patch
deleted file mode 100644
index 70060a9..0000000
--- a/openldap-cacertdir-hash-only.patch
+++ /dev/null
@@ -1,60 +0,0 @@ -Openldap should ignore files not in the openssl c_rehash format (hash.0) in TLS_CACERTDIR - -Resolves: #650288 -Upstream ITS: #6705 -Author: Rich Megginson (rmeggins@redhat.com) - ---- openldap.old/libraries/libldap/tls_m.c.2 2010-11-11 15:21:05.000000000 -0700 -+++ openldap.new/libraries/libldap/tls_m.c 2010-11-11 15:29:08.000000000 -0700 -@@ -100,16 +100,19 @@ - typedef PRFileDesc tlsm_session; - - static PRDescIdentity tlsm_layer_id; - - static const PRIOMethods tlsm_PR_methods; - - #define PEM_LIBRARY "nsspem" - #define PEM_MODULE "PEM" -+/* hash files for use with cacertdir have this file name suffix */ -+#define PEM_CA_HASH_FILE_SUFFIX ".0" -+#define PEM_CA_HASH_FILE_SUFFIX_LEN 2 - - static SECMODModule *pem_module; - - #define DEFAULT_TOKEN_NAME "default" - /* sprintf format used to create token name */ - #define TLSM_PEM_TOKEN_FMT "PEM Token #%ld" - - static int tlsm_slot_count; -@@ -1230,18 +1233,29 @@ - "TLS: could not open the CA certificate directory %s - error %d:%s.\n", - cacertdir, errcode, - PR_ErrorToString( errcode, PR_LANGUAGE_I_DEFAULT ) ); - goto done; - } - - do { - entry = PR_ReadDir( dir, PR_SKIP_BOTH | PR_SKIP_HIDDEN ); -- if ( NULL != entry ) { -- char *fullpath = PR_smprintf( "%s/%s", cacertdir, entry->name ); -+ if ( ( NULL != entry ) && ( NULL != entry->name ) ) { -+ char *fullpath = NULL; -+ char *ptr; -+ -+ ptr = PL_strrstr( entry->name, PEM_CA_HASH_FILE_SUFFIX ); -+ if ( ( ptr == NULL ) || ( *(ptr + PEM_CA_HASH_FILE_SUFFIX_LEN) != '\0' ) ) { -+ Debug( LDAP_DEBUG_TRACE, -+ "TLS: file %s does not end in [%s] - does not appear to be a CA certificate " -+ "directory file with a properly hashed file name - skipping.\n", -+ entry->name, PEM_CA_HASH_FILE_SUFFIX, 0 ); -+ continue; -+ } -+ fullpath = PR_smprintf( "%s/%s", cacertdir, entry->name ); - if ( !tlsm_add_cert_from_file( ctx, fullpath, isca ) ) { - Debug( LDAP_DEBUG_TRACE, - "TLS: loaded CA certificate file %s from CA certificate directory %s.\n", - fullpath, 
cacertdir, 0 );
- status = PR_SUCCESS; /* found at least 1 valid CA file in the dir */
- } else {
- errcode = PR_GetError();
- Debug( LDAP_DEBUG_TRACE,
diff --git a/openldap-improve-trace-messages.patch b/openldap-improve-trace-messages.patch
deleted file mode 100644
index 314bb36..0000000
--- a/openldap-improve-trace-messages.patch
+++ /dev/null
@@ -1,176 +0,0 @@ -Improve misleading SSL/TLS trace messages. - -Resolves: #652818 -Upstream ITS: #6706 -Author: Rich Megginson (rmeggins@redhat.com) - ---- openldap.old/libraries/libldap/tls_m.c.3 2010-11-11 18:39:48.000000000 -0700 -+++ openldap.new/libraries/libldap/tls_m.c 2010-11-11 20:17:35.000000000 -0700 -@@ -709,16 +709,22 @@ - Debug( LDAP_DEBUG_TRACE, - "cache hits: %ld, cache misses: %ld, cache not reusable: %ld\n", - ssl3stats->hch_sid_cache_hits, ssl3stats->hch_sid_cache_misses, - ssl3stats->hch_sid_cache_not_ok ); - - return ""; - } - -+static void -+tlsm_handshake_complete_cb( PRFileDesc *fd, void *client_data ) -+{ -+ tlsm_dump_security_status( fd ); -+} -+ - #ifdef READ_PASSWORD_FROM_FILE - static char * - tlsm_get_pin_from_file(const char *token_name, tlsm_ctx *ctx) - { - char *pwdstr = NULL; - char *contents = NULL; - char *lasts = NULL; - char *line = NULL; -@@ -894,26 +900,32 @@ - } - - static SECStatus - tlsm_auth_cert_handler(void *arg, PRFileDesc *fd, - PRBool checksig, PRBool isServer) - { - SECStatus ret = SSL_AuthCertificate(arg, fd, checksig, isServer); - -- tlsm_dump_security_status( fd ); -- Debug( LDAP_DEBUG_TRACE, -- "TLS certificate verification: %s\n", -- ret == SECSuccess ? 
"ok" : "bad", 0, 0 ); -- - if ( ret != SECSuccess ) { - PRErrorCode errcode = PORT_GetError(); -- Debug( LDAP_DEBUG_ANY, -- "TLS certificate verification: Error, %d: %s\n", -- errcode, PR_ErrorToString( errcode, PR_LANGUAGE_I_DEFAULT ), 0 ) ; -+ /* we bypass NSS's hostname checks and do our own - tlsm_session_chkhost will handle it */ -+ if ( errcode == SSL_ERROR_BAD_CERT_DOMAIN ) { -+ Debug( LDAP_DEBUG_TRACE, -+ "TLS certificate verification: defer\n", -+ 0, 0, 0 ); -+ } else { -+ Debug( LDAP_DEBUG_ANY, -+ "TLS certificate verification: Error, %d: %s\n", -+ errcode, PR_ErrorToString( errcode, PR_LANGUAGE_I_DEFAULT ), 0 ) ; -+ } -+ } else { -+ Debug( LDAP_DEBUG_TRACE, -+ "TLS certificate verification: ok\n", -+ 0, 0, 0 ); - } - - return ret; - } - - static int - tlsm_authenticate_to_slot( tlsm_ctx *ctx, PK11SlotInfo *slot ) - { -@@ -1181,16 +1193,21 @@ - - static int - tlsm_init_ca_certs( tlsm_ctx *ctx, const char *cacertfile, const char *cacertdir ) - { - PRBool isca = PR_TRUE; - PRStatus status = PR_FAILURE; - PRErrorCode errcode = PR_SUCCESS; - -+ if ( !cacertfile && !cacertdir ) { -+ /* no checking - not good, but allowed */ -+ return 0; -+ } -+ - if ( cacertfile ) { - int rc = tlsm_add_cert_from_file( ctx, cacertfile, isca ); - if ( rc ) { - errcode = PR_GetError(); - Debug( LDAP_DEBUG_ANY, - "TLS: %s is not a valid CA certificate file - error %d:%s.\n", - cacertfile, errcode, - PR_ErrorToString( errcode, PR_LANGUAGE_I_DEFAULT ) ); -@@ -1394,19 +1411,21 @@ - rc = (initctx == NULL) ? 
SECFailure : SECSuccess; - #endif - #else - rc = NSS_Initialize( realcertdir, prefix, prefix, SECMOD_DB, NSS_INIT_READONLY ); - #endif - - if ( rc != SECSuccess ) { - errcode = PORT_GetError(); -- Debug( LDAP_DEBUG_TRACE, -- "TLS: could not initialize moznss using security dir %s prefix %s - error %d.\n", -- realcertdir, prefix, errcode ); -+ if ( securitydirs[ii] != lt->lt_cacertdir) { -+ Debug( LDAP_DEBUG_TRACE, -+ "TLS: could not initialize moznss using security dir %s prefix %s - error %d.\n", -+ realcertdir, prefix, errcode ); -+ } - } else { - /* success */ - Debug( LDAP_DEBUG_TRACE, "TLS: using moznss security dir %s prefix %s.\n", - realcertdir, prefix, 0 ); - errcode = 0; - done = 1; - } - if ( realcertdir != securitydir ) { -@@ -1453,16 +1472,31 @@ - errcode = PORT_GetError(); - Debug( LDAP_DEBUG_ANY, - "TLS: could not initialize moznss PEM module - error %d:%s.\n", - errcode, PR_ErrorToString( errcode, PR_LANGUAGE_I_DEFAULT ), 0 ); - return -1; - } - - if ( tlsm_init_ca_certs( ctx, lt->lt_cacertfile, lt->lt_cacertdir ) ) { -+ /* if we tried to use lt->lt_cacertdir as an NSS key/cert db, errcode -+ will be a value other than 1 - print an error message so that the -+ user will know that failed too */ -+ if ( ( errcode != 1 ) && ( lt->lt_cacertdir ) ) { -+ char *realcertdir = NULL; -+ char *prefix = NULL; -+ tlsm_get_certdb_prefix( lt->lt_cacertdir, &realcertdir, &prefix ); -+ Debug( LDAP_DEBUG_TRACE, -+ "TLS: could not initialize moznss using security dir %s prefix %s - error %d.\n", -+ realcertdir, prefix ? 
prefix : "", errcode ); -+ if ( realcertdir != lt->lt_cacertdir ) { -+ PL_strfree( realcertdir ); -+ } -+ PL_strfree( prefix ); -+ } - return -1; - } - - ctx->tc_using_pem = PR_TRUE; - } - - #ifdef HAVE_NSS_INITCONTEXT - if ( !ctx->tc_initctx ) { -@@ -2040,16 +2074,24 @@ - ctx->tc_certdb ) != SECSuccess ) { - PRErrorCode err = PR_GetError(); - Debug( LDAP_DEBUG_ANY, - "TLS: error: could not set auth cert handler for moznss - error %d:%s\n", - err, PR_ErrorToString( err, PR_LANGUAGE_I_DEFAULT ), NULL ); - return -1; - } - -+ if ( SSL_HandshakeCallback( ctx->tc_model, tlsm_handshake_complete_cb, ctx ) ) { -+ PRErrorCode err = PR_GetError(); -+ Debug( LDAP_DEBUG_ANY, -+ "TLS: error: could not set handshake callback for moznss - error %d:%s\n", -+ err, PR_ErrorToString( err, PR_LANGUAGE_I_DEFAULT ), NULL ); -+ return -1; -+ } -+ - return 0; - } - - struct tls_data { - tlsm_session *session; - Sockbuf_IO_Desc *sbiod; - /* there seems to be no portable way to determine if the - sockbuf sd has been set to nonblocking mode - the diff --git a/openldap-nss-ca-selfsigned.patch b/openldap-nss-ca-selfsigned.patch deleted file mode 100644 index 071eaf0..0000000 --- a/openldap-nss-ca-selfsigned.patch +++ /dev/null 
@@ -1,54 +0,0 @@ -#614545 Mozilla NSS - support use of self signed CA certs as server certs - -Resolves: #614545 -Upstream: ITS #6589 -Author: Rich Megginson - -diff -urNP openldap-2.4.22.old/libraries/libldap/tls_m.c openldap-2.4.22.new/libraries/libldap/tls_m.c ---- openldap-2.4.22.old/libraries/libldap/tls_m.c 2010-04-15 23:26:00.000000000 +0200 -+++ openldap-2.4.22.new/libraries/libldap/tls_m.c 2010-07-22 09:56:58.984806148 +0200 -@@ -1491,11 +1491,40 @@ - status = CERT_VerifyCertificateNow( ctx->tc_certdb, cert, - checkSig, certUsage, - pin_arg, NULL ); -- if (status != SECSuccess) { -+ if ( status != SECSuccess ) { -+ /* NSS doesn't like self-signed CA certs that are also used for -+ TLS/SSL server certs (such as generated by openssl req -x509) -+ CERT_VerifyCertificateNow returns SEC_ERROR_UNTRUSTED_ISSUER in that case -+ so, see if the cert and issuer are the same cert -+ */ - PRErrorCode errcode = PR_GetError(); -- Debug( LDAP_DEBUG_ANY, -- "TLS: error: the certificate %s is not valid - error %d:%s\n", -- certname, errcode, PR_ErrorToString( errcode, PR_LANGUAGE_I_DEFAULT ) ); -+ -+ if ( errcode == SEC_ERROR_UNTRUSTED_ISSUER ) { -+ CERTCertificate *issuer = CERT_FindCertIssuer( cert, PR_Now(), certUsageSSLServer ); -+ if ( NULL == issuer ) { -+ /* no issuer - warn and allow */ -+ status = SECSuccess; -+ rc = 0; -+ Debug( LDAP_DEBUG_ANY, -+ "TLS: warning: the server certificate %s has no issuer - " -+ "please check this certificate for validity\n", -+ certname, 0, 0 ); -+ } else if ( CERT_CompareCerts( cert, issuer ) ) { -+ /* self signed - warn and allow */ -+ status = SECSuccess; -+ rc = 0; -+ Debug( LDAP_DEBUG_ANY, -+ "TLS: warning: using self-signed server certificate %s\n", -+ certname, 0, 0 ); -+ } -+ CERT_DestroyCertificate( issuer ); -+ } -+ -+ if ( status != SECSuccess ) { -+ Debug( LDAP_DEBUG_ANY, -+ "TLS: error: the certificate %s is not valid - error %d:%s\n", -+ certname, errcode, PR_ErrorToString( errcode, PR_LANGUAGE_I_DEFAULT ) ); -+ } - } 
else {
- rc = 0; /* success */
- }
diff --git a/openldap-nss-cipher-suites.patch b/openldap-nss-cipher-suites.patch
deleted file mode 100644
index 0be02f6..0000000
--- a/openldap-nss-cipher-suites.patch
+++ /dev/null
@@ -1,43 +0,0 @@ -Makes tls_m use the "DEFAULT" list and adds more cipher suites to the default list. - -Upstream ITS: #6790 -Resolves: #669446 -Author: Rich Megginson - -diff -uNrp openldap-2.4.23/libraries/libldap/tls_m.c openldap-2.4.23/libraries/libldap/tls_m.c ---- openldap-2.4.23/libraries/libldap/tls_m.c 2011-01-20 16:23:45.326428779 +0100 -+++ openldap-2.4.23/libraries/libldap/tls_m.c 2011-01-20 16:25:05.667128309 +0100 -@@ -214,7 +214,7 @@ static cipher_properties ciphers_def[] = - - /* SSL3 ciphers */ - {"RC4-MD5", SSL_RSA_WITH_RC4_128_MD5, SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5, SSL3, 128, 128, SSL_MEDIUM, SSL_ALLOWED}, -- {"RC4-SHA", SSL_RSA_WITH_RC4_128_SHA, SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_SHA1, SSL3, 128, 128, SSL_MEDIUM, SSL_NOT_ALLOWED}, -+ {"RC4-SHA", SSL_RSA_WITH_RC4_128_SHA, SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_SHA1, SSL3, 128, 128, SSL_MEDIUM, SSL_ALLOWED}, - {"DES-CBC3-SHA", SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_3DES|SSL_SHA1, SSL3, 168, 168, SSL_HIGH, SSL_ALLOWED}, - {"DES-CBC-SHA", SSL_RSA_WITH_DES_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_DES|SSL_SHA1, SSL3, 56, 56, SSL_LOW, SSL_ALLOWED}, - {"EXP-RC4-MD5", SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5, SSL3, 40, 128, SSL_EXPORT40, SSL_ALLOWED}, -@@ -225,8 +225,8 @@ static cipher_properties ciphers_def[] = - /* TLSv1 ciphers */ - {"EXP1024-DES-CBC-SHA", TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_DES|SSL_SHA, TLS1, 56, 56, SSL_EXPORT56, SSL_ALLOWED}, - {"EXP1024-RC4-SHA", TLS_RSA_EXPORT1024_WITH_RC4_56_SHA, SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_SHA, TLS1, 56, 56, SSL_EXPORT56, SSL_ALLOWED}, -- {"AES128-SHA", TLS_RSA_WITH_AES_128_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_AES|SSL_SHA, TLS1, 128, 128, SSL_HIGH, SSL_NOT_ALLOWED}, -- {"AES256-SHA", TLS_RSA_WITH_AES_256_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_AES|SSL_SHA, TLS1, 256, 256, SSL_HIGH, SSL_NOT_ALLOWED}, -+ {"AES128-SHA", TLS_RSA_WITH_AES_128_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_AES|SSL_SHA, TLS1, 128, 128, SSL_HIGH, SSL_ALLOWED}, -+ 
{"AES256-SHA", TLS_RSA_WITH_AES_256_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_AES|SSL_SHA, TLS1, 256, 256, SSL_HIGH, SSL_ALLOWED},
- };
-
- #define ciphernum (sizeof(ciphers_def)/sizeof(cipher_properties))
-@@ -2016,7 +2016,12 @@ tlsm_deferred_ctx_init( void *arg )
- "TLS: could not set cipher list %s.\n",
- lt->lt_ciphersuite, 0, 0 );
- return -1;
-- }
-+ } else if ( tlsm_parse_ciphers( ctx, "DEFAULT" ) ) {
-+ Debug( LDAP_DEBUG_ANY,
-+ "TLS: could not set cipher list DEFAULT.\n",
-+ 0, 0, 0 );
-+ return -1;
-+ }
-
- if ( ctx->tc_require_cert ) {
- request_cert = PR_TRUE;
diff --git a/openldap-nss-db-prefix.patch b/openldap-nss-db-prefix.patch
deleted file mode 100644
index cb0b846..0000000
--- a/openldap-nss-db-prefix.patch
+++ /dev/null
@@ -1,286 +0,0 @@ -Enhancement, support multiple cert/key databases in tha same directory with another prefix. - -Upstream ITS: #6689 - ---- openldap.old/libraries/libldap/tls_m.c 21 Jul 2010 20:57:01 -0000 1.18 -+++ openldap.new/libraries/libldap/tls_m.c 28 Oct 2010 19:55:51 -0000 -@@ -1202,16 +1202,55 @@ - return -1; - } - } - - return 0; - } - - /* -+ * NSS supports having multiple cert/key databases in the same -+ * directory, each one having a unique string prefix e.g. -+ * slapd-01-cert8.db - the prefix here is "slapd-01-" -+ * this function examines the given certdir - if it looks like -+ * /path/to/directory/prefix it will return the -+ * /path/to/directory part in realcertdir, and the prefix in prefix -+ */ -+static void -+tlsm_get_certdb_prefix( const char *certdir, char **realcertdir, char **prefix ) -+{ -+ char sep = PR_GetDirectorySeparator(); -+ char *ptr = NULL; -+ struct PRFileInfo prfi; -+ PRStatus prc; -+ -+ *realcertdir = (char *)certdir; /* default is the one passed in */ -+ -+ /* if certdir is not given, just return */ -+ if ( !certdir ) { -+ return; -+ } -+ -+ prc = PR_GetFileInfo( certdir, &prfi ); -+ /* if certdir exists (file or directory) then it cannot specify a prefix */ -+ if ( prc == PR_SUCCESS ) { -+ return; -+ } -+ -+ /* if certdir was given, and there is a '/' in certdir, see if there -+ is anything after the last '/' - if so, assume it is the prefix */ -+ if ( ( ( ptr = strrchr( certdir, sep ) ) ) && *(ptr+1) ) { -+ *realcertdir = PL_strndup( certdir, ptr-certdir ); -+ *prefix = PL_strdup( ptr+1 ); -+ } -+ -+ return; -+} -+ -+/* - * This is the part of the init we defer until we get the - * actual security configuration information. 
This is - * only called once, protected by a PRCallOnce - * NOTE: This must be done before the first call to SSL_ImportFD, - * especially the setting of the policy - * NOTE: This must be called after fork() - */ - static int -@@ -1223,16 +1262,17 @@ - int ii; - int nn; - PRErrorCode errcode = 1; - #ifdef HAVE_NSS_INITCONTEXT - NSSInitParameters initParams; - NSSInitContext *initctx = NULL; - #endif - SECStatus rc; -+ int done = 0; - - #ifdef HAVE_NSS_INITCONTEXT - memset( &initParams, 0, sizeof( initParams ) ); - initParams.length = sizeof( initParams ); - #endif /* HAVE_NSS_INITCONTEXT */ - - #ifndef HAVE_NSS_INITCONTEXT - if ( !NSS_IsInitialized() ) { -@@ -1246,50 +1286,61 @@ - DEFAULT_MOZNSS_DIR will only be used if the code cannot - find a security dir to use based on the current - settings - */ - nn = 0; - securitydirs[nn++] = PR_GetEnv( "MOZNSS_DIR" ); - securitydirs[nn++] = lt->lt_cacertdir; - securitydirs[nn++] = PR_GetEnv( "DEFAULT_MOZNSS_DIR" ); -- for ( ii = 0; ii < nn; ++ii ) { -+ for ( ii = 0; !done && ( ii < nn ); ++ii ) { -+ char *realcertdir = NULL; -+ const char *defprefix = ""; -+ char *prefix = (char *)defprefix; - const char *securitydir = securitydirs[ii]; - if ( NULL == securitydir ) { - continue; - } -+ -+ tlsm_get_certdb_prefix( securitydir, &realcertdir, &prefix ); - #ifdef HAVE_NSS_INITCONTEXT - #ifdef INITCONTEXT_HACK - if ( !NSS_IsInitialized() && ctx->tc_is_server ) { -- rc = NSS_Initialize( securitydir, "", "", SECMOD_DB, NSS_INIT_READONLY ); -+ rc = NSS_Initialize( realcertdir, prefix, prefix, SECMOD_DB, NSS_INIT_READONLY ); - } else { -- initctx = NSS_InitContext( securitydir, "", "", SECMOD_DB, -+ initctx = NSS_InitContext( realcertdir, prefix, prefix, SECMOD_DB, - &initParams, NSS_INIT_READONLY ); - rc = (initctx == NULL) ? 
SECFailure : SECSuccess; - } - #else -- initctx = NSS_InitContext( securitydir, "", "", SECMOD_DB, -+ initctx = NSS_InitContext( realcertdir, prefix, prefix, SECMOD_DB, - &initParams, NSS_INIT_READONLY ); - rc = (initctx == NULL) ? SECFailure : SECSuccess; - #endif - #else -- rc = NSS_Initialize( securitydir, "", "", SECMOD_DB, NSS_INIT_READONLY ); -+ rc = NSS_Initialize( realcertdir, prefix, prefix, SECMOD_DB, NSS_INIT_READONLY ); - #endif - - if ( rc != SECSuccess ) { - errcode = PORT_GetError(); - Debug( LDAP_DEBUG_TRACE, -- "TLS: could not initialize moznss using security dir %s - error %d:%s.\n", -- securitydir, errcode, PR_ErrorToString( errcode, PR_LANGUAGE_I_DEFAULT ) ); -+ "TLS: could not initialize moznss using security dir %s prefix %s - error %d.\n", -+ realcertdir, prefix, errcode ); - } else { - /* success */ -- Debug( LDAP_DEBUG_TRACE, "TLS: using moznss security dir %s.\n", -- securitydir, 0, 0 ); -+ Debug( LDAP_DEBUG_TRACE, "TLS: using moznss security dir %s prefix %s.\n", -+ realcertdir, prefix, 0 ); - errcode = 0; -- break; -+ done = 1; -+ } -+ if ( realcertdir != securitydir ) { -+ PL_strfree( realcertdir ); -+ } -+ if ( prefix != defprefix ) { -+ PL_strfree( prefix ); - } - } - - if ( errcode ) { /* no moznss db found, or not using moznss db */ - #ifdef HAVE_NSS_INITCONTEXT - int flags = NSS_INIT_READONLY|NSS_INIT_NOCERTDB|NSS_INIT_NOMODDB; - #ifdef INITCONTEXT_HACK - if ( !NSS_IsInitialized() && ctx->tc_is_server ) { -@@ -2038,19 +2089,16 @@ - - errno = 0; - rc = SSL_ForceHandshake( s ); - if (rc == SECSuccess) { - rc = 0; - break; /* done */ - } - err = PR_GetError(); -- Debug( LDAP_DEBUG_TRACE, -- "TLS: error: accept - force handshake failure %d - error %d waitcounter %d\n", -- errno, err, waitcounter ); - if ( errno == EAGAIN || errno == EWOULDBLOCK ) { - waitcounter++; - in_flags = PR_POLL_READ | PR_POLL_EXCEPT; - out_flags = 0; - errno = 0; - filesReady = tlsm_is_io_ready( s, in_flags, &out_flags ); - if ( filesReady < 0 ) { - err = 
PR_GetError(); -@@ -2155,49 +2203,49 @@ - tlsm_session_my_dn( tls_session *session, struct berval *der_dn ) - { - tlsm_session *s = (tlsm_session *)session; - CERTCertificate *cert; - - cert = SSL_LocalCertificate( s ); - if (!cert) return LDAP_INVALID_CREDENTIALS; - -- der_dn->bv_val = cert->derSubject.data; -+ der_dn->bv_val = (char *)cert->derSubject.data; - der_dn->bv_len = cert->derSubject.len; - CERT_DestroyCertificate( cert ); - return 0; - } - - static int - tlsm_session_peer_dn( tls_session *session, struct berval *der_dn ) - { - tlsm_session *s = (tlsm_session *)session; - CERTCertificate *cert; - - cert = SSL_PeerCertificate( s ); - if (!cert) return LDAP_INVALID_CREDENTIALS; - -- der_dn->bv_val = cert->derSubject.data; -+ der_dn->bv_val = (char *)cert->derSubject.data; - der_dn->bv_len = cert->derSubject.len; - CERT_DestroyCertificate( cert ); - return 0; - } - - /* what kind of hostname were we given? */ - #define IS_DNS 0 - #define IS_IP4 1 - #define IS_IP6 2 - - static int - tlsm_session_chkhost( LDAP *ld, tls_session *session, const char *name_in ) - { - tlsm_session *s = (tlsm_session *)session; - CERTCertificate *cert; - const char *name, *domain = NULL, *ptr; -- int i, ret, ntype = IS_DNS, nlen, dlen; -+ int ret, ntype = IS_DNS, nlen, dlen; - #ifdef LDAP_PF_INET6 - struct in6_addr addr; - #else - struct in_addr addr; - #endif - SECItem altname; - SECStatus rv; - -@@ -2259,17 +2307,17 @@ - - do { - char *host; - int hlen; - - /* ignore empty */ - if ( !cur->name.other.len ) continue; - -- host = cur->name.other.data; -+ host = (char *)cur->name.other.data; - hlen = cur->name.other.len; - - if ( cur->type == certDNSName ) { - if ( ntype != IS_DNS ) continue; - - /* is this an exact match? 
*/ - if ( nlen == hlen && !strncasecmp( name, host, nlen )) { - ret = LDAP_SUCCESS; -@@ -2317,21 +2365,21 @@ - while ( avas && ( ava = *avas++ )) { - if ( CERT_GetAVATag( ava ) == SEC_OID_AVA_COMMON_NAME ) - lastava = ava; - } - } - if ( lastava ) { - SECItem *av = CERT_DecodeAVAValue( &lastava->value ); - if ( av ) { -- if ( av->len == nlen && !strncasecmp( name, av->data, nlen )) { -+ if ( av->len == nlen && !strncasecmp( name, (char *)av->data, nlen )) { - ret = LDAP_SUCCESS; - } else if ( av->data[0] == '*' && av->data[1] == '.' && - domain && dlen == av->len - 1 && !strncasecmp( name, -- av->data+1, dlen )) { -+ (char *)(av->data+1), dlen )) { - ret = LDAP_SUCCESS; - } else { - int len = av->len; - if ( len >= sizeof(buf) ) - len = sizeof(buf)-1; - memcpy( buf, av->data, len ); - buf[len] = '\0'; - } -@@ -2479,17 +2527,16 @@ - { - return tlsm_PR_Send( fd, buf, len, 0, PR_INTERVAL_NO_TIMEOUT ); - } - - static PRStatus PR_CALLBACK - tlsm_PR_GetPeerName(PRFileDesc *fd, PRNetAddr *addr) - { - struct tls_data *p; -- int rc; - ber_socklen_t len; - - p = (struct tls_data *)fd->secret; - - if ( p == NULL || p->sbiod == NULL ) { - return PR_FAILURE; - } - len = sizeof(PRNetAddr); diff --git a/openldap-nss-delay-token-auth.patch b/openldap-nss-delay-token-auth.patch deleted file mode 100644 index 1b8e25f..0000000 --- a/openldap-nss-delay-token-auth.patch +++ /dev/null 
@@ -1,47 +0,0 @@ -Mozilla NSS - delay token auth until needed - -Resolves: #616552 -Upstream: ITS #6595 -Author: Rich Megginson - -diff -urNP openldap-2.4.22.old/libraries/libldap/tls_m.c openldap-2.4.22.new/libraries/libldap/tls_m.c ---- openldap-2.4.22.old/libraries/libldap/tls_m.c 2010-07-22 09:56:58.984806148 +0200 -+++ openldap-2.4.22.new/libraries/libldap/tls_m.c 2010-07-22 09:58:19.030686912 +0200 -@@ -930,26 +930,6 @@ - return rc; - } - --static int --tlsm_init_tokens( tlsm_ctx *ctx ) --{ -- PK11SlotList *slotList; -- PK11SlotListElement *listEntry; -- int rc = 0; -- -- slotList = PK11_GetAllTokens( CKM_INVALID_MECHANISM, PR_FALSE, PR_TRUE, NULL ); -- -- for ( listEntry = PK11_GetFirstSafe( slotList ); !rc && listEntry; -- listEntry = PK11_GetNextSafe( slotList, listEntry, PR_FALSE ) ) { -- PK11SlotInfo *slot = listEntry->slot; -- rc = tlsm_authenticate_to_slot( ctx, slot ); -- } -- -- PK11_FreeSlotList( slotList ); -- -- return rc; --} -- - static SECStatus - tlsm_nss_shutdown_cb( void *appData, void *nssData ) - { -@@ -1365,10 +1345,6 @@ - - PK11_SetPasswordFunc( tlsm_pin_prompt ); - -- if ( tlsm_init_tokens( ctx ) ) { -- return -1; -- } -- - /* register cleanup function */ - /* delete the old one, if any */ - NSS_UnregisterShutdown( tlsm_nss_shutdown_cb, NULL ); diff --git a/openldap-nss-disable-nofork.patch b/openldap-nss-disable-nofork.patch deleted file mode 100644 index ad1f509..0000000 --- a/openldap-nss-disable-nofork.patch +++ /dev/null 
@@ -1,39 +0,0 @@ -fix: OpenLDAP can't use TLS after a fork() - -Mozilla NSS - disable pkcs11 fork checking for the software token - -Resolves: #636956 -Upstream ITS: #6811, follows #6802 -Author: Rich Megginson - -diff -uNPrp openldap-2.4.23.old/libraries/libldap/tls_m.c openldap-2.4.23.new/libraries/libldap/tls_m.c ---- openldap-2.4.23.old/libraries/libldap/tls_m.c 2011-02-02 12:21:27.576280756 +0100 -+++ openldap-2.4.23.new/libraries/libldap/tls_m.c 2011-02-02 12:38:24.785682347 +0100 -@@ -2884,10 +2884,27 @@ static const PRIOMethods tlsm_PR_methods - static int - tlsm_init( void ) - { -+ char *nofork = PR_GetEnv( "NSS_STRICT_NOFORK" ); -+ - PR_Init(0, 0, 0); - - tlsm_layer_id = PR_GetUniqueIdentity( "OpenLDAP" ); - -+ /* -+ * There are some applications that acquire a crypto context in the parent process -+ * and expect that crypto context to work after a fork(). This does not work -+ * with NSS using strict PKCS11 compliance mode. We set this environment -+ * variable here to tell the software encryption module/token to allow crypto -+ * contexts to persist across a fork(). However, if you are using some other -+ * module or encryption device that supports and expects full PKCS11 semantics, -+ * the only recourse is to rewrite the application with atfork() handlers to save -+ * the crypto context in the parent and restore (and SECMOD_RestartModules) the -+ * context in the child. -+ */ -+ if ( !nofork ) { -+ PR_SetEnv( "NSS_STRICT_NOFORK=DISABLED" ); -+ } -+ - return 0; - } - diff --git a/openldap-nss-non-blocking.patch b/openldap-nss-non-blocking.patch deleted file mode 100644 index 38508f3..0000000 --- a/openldap-nss-non-blocking.patch +++ /dev/null 
@@ -1,361 +0,0 @@ -Mozilla NSS - implement full non-blocking semantics - -Resolves: #652822 -Upstream ITS: #6714 -Author: Rich Megginson (rmeggins@redhat.com) - -diff -u -uNPrp openldap-2.4.23/libraries/libldap/tls_m.c openldap-2.4.23.new/libraries/libldap/tls_m.c ---- openldap-2.4.23/libraries/libldap/tls_m.c 2010-11-22 15:50:48.752386500 +0100 -+++ openldap-2.4.23.new/libraries/libldap/tls_m.c 2010-11-22 15:53:44.936512466 +0100 -@@ -2105,49 +2105,74 @@ struct tls_data { - we will just see if the IO op returns EAGAIN or EWOULDBLOCK, - and just set this flag */ - PRBool nonblock; -+ /* -+ * NSS tries hard to be backwards compatible with SSLv2 clients, or -+ * clients that send an SSLv2 client hello. This message is not -+ * tagged in any way, so NSS has no way to know if the incoming -+ * message is a valid SSLv2 client hello or just some bogus data -+ * (or cleartext LDAP). We store the first byte read from the -+ * client here. The most common case will be a client sending -+ * LDAP data instead of SSL encrypted LDAP data. This can happen, -+ * for example, if using ldapsearch -Z - if the starttls fails, -+ * the client will fallback to plain cleartext LDAP. So if we -+ * see that the firstbyte is a valid LDAP tag, we can be -+ * pretty sure this is happening. -+ */ -+ ber_tag_t firsttag; -+ /* -+ * NSS doesn't return SSL_ERROR_WANT_READ, SSL_ERROR_WANT_WRITE, etc. 
-+ * when it is blocked, so we have to set a flag in the wrapped send -+ * and recv calls that tells us what operation NSS was last blocked -+ * on -+ */ -+#define TLSM_READ 1 -+#define TLSM_WRITE 2 -+ int io_flag; - }; - --static int --tlsm_is_io_ready( PRFileDesc *fd, PRInt16 in_flags, PRInt16 *out_flags ) -+static struct tls_data * -+tlsm_get_pvt_tls_data( PRFileDesc *fd ) - { - struct tls_data *p; -- PRFileDesc *pollfd = NULL; - PRFileDesc *myfd; -- PRPollDesc polldesc; -- int rc; -+ -+ if ( !fd ) { -+ return NULL; -+ } - - myfd = PR_GetIdentitiesLayer( fd, tlsm_layer_id ); - - if ( !myfd ) { -- return 0; -+ return NULL; - } - - p = (struct tls_data *)myfd->secret; - -+ return p; -+} -+ -+static int -+tlsm_is_non_ssl_message( PRFileDesc *fd, ber_tag_t *thebyte ) -+{ -+ struct tls_data *p; -+ -+ if ( thebyte ) { -+ *thebyte = LBER_DEFAULT; -+ } -+ -+ p = tlsm_get_pvt_tls_data( fd ); - if ( p == NULL || p->sbiod == NULL ) { - return 0; - } - -- /* wrap the sockbuf fd with a NSPR FD created especially -- for use with polling, and only with polling */ -- pollfd = PR_CreateSocketPollFd( p->sbiod->sbiod_sb->sb_fd ); -- polldesc.fd = pollfd; -- polldesc.in_flags = in_flags; -- polldesc.out_flags = 0; -- -- /* do the poll - no waiting, no blocking */ -- rc = PR_Poll( &polldesc, 1, PR_INTERVAL_NO_WAIT ); -- -- /* unwrap the socket */ -- PR_DestroySocketPollFd( pollfd ); -- -- /* rc will be either 1 if IO is ready, 0 if IO is not -- ready, or -1 if there was some error (and the caller -- should use PR_GetError() to figure out what */ -- if (out_flags) { -- *out_flags = polldesc.out_flags; -+ if ( p->firsttag == LBER_SEQUENCE ) { -+ if ( *thebyte ) { -+ *thebyte = p->firsttag; -+ } -+ return 1; - } -- return rc; -+ -+ return 0; - } - - static tls_session * -@@ -2157,6 +2182,7 @@ tlsm_session_new ( tls_ctx * ctx, int is - tlsm_session *session; - PRFileDesc *fd; - PRStatus status; -+ int rc; - - c->tc_is_server = is_server; - status = PR_CallOnceWithArg( &c->tc_callonce, 
tlsm_deferred_ctx_init, c ); -@@ -2184,121 +2210,80 @@ tlsm_session_new ( tls_ctx * ctx, int is - SSL_ConfigServerSessionIDCache( 0, 0, 0, NULL ); - } - -+ rc = SSL_ResetHandshake( session, is_server ); -+ if ( rc ) { -+ PRErrorCode err = PR_GetError(); -+ Debug( LDAP_DEBUG_TRACE, -+ "TLS: error: new session - reset handshake failure %d - error %d:%s\n", -+ rc, err, -+ err ? PR_ErrorToString( err, PR_LANGUAGE_I_DEFAULT ) : "unknown" ); -+ PR_DELETE( fd ); -+ PR_Close( session ); -+ session = NULL; -+ } -+ - return (tls_session *)session; - } - - static int --tlsm_session_accept( tls_session *session ) -+tlsm_session_accept_or_connect( tls_session *session, int is_accept ) - { - tlsm_session *s = (tlsm_session *)session; -- int rc; -- PRErrorCode err; -- int waitcounter = 0; -- -- rc = SSL_ResetHandshake( s, PR_TRUE /* server */ ); -- if (rc) { -- err = PR_GetError(); -- Debug( LDAP_DEBUG_TRACE, -- "TLS: error: accept - reset handshake failure %d - error %d:%s\n", -- rc, err, -- err ? PR_ErrorToString( err, PR_LANGUAGE_I_DEFAULT ) : "unknown" ); -- } -+ int rc = SSL_ForceHandshake( s ); -+ const char *op = is_accept ? "accept" : "connect"; - -- do { -- PRInt32 filesReady; -- PRInt16 in_flags; -- PRInt16 out_flags; -- -- errno = 0; -- rc = SSL_ForceHandshake( s ); -- if (rc == SECSuccess) { -- rc = 0; -- break; /* done */ -- } -- err = PR_GetError(); -- if ( errno == EAGAIN || errno == EWOULDBLOCK ) { -- waitcounter++; -- in_flags = PR_POLL_READ | PR_POLL_EXCEPT; -- out_flags = 0; -- errno = 0; -- filesReady = tlsm_is_io_ready( s, in_flags, &out_flags ); -- if ( filesReady < 0 ) { -- err = PR_GetError(); -- Debug( LDAP_DEBUG_ANY, -- "TLS: error: accept - error waiting for socket to be ready: %d - error %d:%s\n", -- errno, err, -- err ? 
PR_ErrorToString( err, PR_LANGUAGE_I_DEFAULT ) : "unknown" ); -- rc = -1; -- break; /* hard error */ -- } else if ( out_flags & PR_POLL_NVAL ) { -- PR_SetError(PR_BAD_DESCRIPTOR_ERROR, 0); -- Debug( LDAP_DEBUG_ANY, -- "TLS: error: accept failure - invalid socket\n", -- NULL, NULL, NULL ); -- rc = -1; -- break; -- } else if ( out_flags & PR_POLL_EXCEPT ) { -- err = PR_GetError(); -+ if ( rc ) { -+ PRErrorCode err = PR_GetError(); -+ rc = -1; -+ if ( err == PR_WOULD_BLOCK_ERROR ) { -+ ber_tag_t thetag = LBER_DEFAULT; -+ /* see if we are blocked because of a bogus packet */ -+ if ( tlsm_is_non_ssl_message( s, &thetag ) ) { /* see if we received a non-SSL message */ - Debug( LDAP_DEBUG_ANY, -- "TLS: error: accept - error waiting for socket to be ready: %d - error %d:%s\n", -- errno, err, -- err ? PR_ErrorToString( err, PR_LANGUAGE_I_DEFAULT ) : "unknown" ); -- rc = -1; -- break; /* hard error */ -+ "TLS: error: %s - error - received non-SSL message [0x%x]\n", -+ op, (unsigned int)thetag, 0 ); -+ /* reset error to something more descriptive */ -+ PR_SetError( SSL_ERROR_RX_MALFORMED_HELLO_REQUEST, EPROTO ); - } -- } else { /* hard error */ -- err = PR_GetError(); -+ } else { - Debug( LDAP_DEBUG_ANY, -- "TLS: error: accept - force handshake failure: %d - error %d:%s\n", -- errno, err, -- err ? 
PR_ErrorToString( err, PR_LANGUAGE_I_DEFAULT ) : "unknown" ); -- rc = -1; -- break; /* hard error */ -+ "TLS: error: %s - force handshake failure: errno %d - moznss error %d\n", -+ op, errno, err ); - } -- } while (rc == SECFailure); -- -- Debug( LDAP_DEBUG_TRACE, -- "TLS: accept completed after %d waits\n", waitcounter, NULL, NULL ); -+ } - - return rc; - } -+static int -+tlsm_session_accept( tls_session *session ) -+{ -+ return tlsm_session_accept_or_connect( session, 1 ); -+} - - static int - tlsm_session_connect( LDAP *ld, tls_session *session ) - { -- tlsm_session *s = (tlsm_session *)session; -- int rc; -- PRErrorCode err; -- -- rc = SSL_ResetHandshake( s, PR_FALSE /* server */ ); -- if (rc) { -- err = PR_GetError(); -- Debug( LDAP_DEBUG_TRACE, -- "TLS: error: connect - reset handshake failure %d - error %d:%s\n", -- rc, err, -- err ? PR_ErrorToString( err, PR_LANGUAGE_I_DEFAULT ) : "unknown" ); -- } -- -- rc = SSL_ForceHandshake( s ); -- if (rc) { -- err = PR_GetError(); -- Debug( LDAP_DEBUG_TRACE, -- "TLS: error: connect - force handshake failure %d - error %d:%s\n", -- rc, err, -- err ? 
PR_ErrorToString( err, PR_LANGUAGE_I_DEFAULT ) : "unknown" ); -- } -- -- return rc; -+ return tlsm_session_accept_or_connect( session, 0 ); - } - - static int - tlsm_session_upflags( Sockbuf *sb, tls_session *session, int rc ) - { -- /* Should never happen */ -- rc = PR_GetError(); -+ int prerror = PR_GetError(); -+ -+ if ( ( prerror == PR_PENDING_INTERRUPT_ERROR ) || ( prerror == PR_WOULD_BLOCK_ERROR ) ) { -+ tlsm_session *s = (tlsm_session *)session; -+ struct tls_data *p = tlsm_get_pvt_tls_data( s ); -+ -+ if ( p && ( p->io_flag == TLSM_READ ) ) { -+ sb->sb_trans_needs_read = 1; -+ return 1; -+ } else if ( p && ( p->io_flag == TLSM_WRITE ) ) { -+ sb->sb_trans_needs_write = 1; -+ return 1; -+ } -+ } - -- if ( rc != PR_PENDING_INTERRUPT_ERROR && rc != PR_WOULD_BLOCK_ERROR ) -- return 0; - return 0; - } - -@@ -2587,7 +2572,7 @@ tlsm_PR_Recv(PRFileDesc *fd, void *buf, - - if ( buf == NULL || len <= 0 ) return 0; - -- p = (struct tls_data *)fd->secret; -+ p = tlsm_get_pvt_tls_data( fd ); - - if ( p == NULL || p->sbiod == NULL ) { - return 0; -@@ -2603,7 +2588,10 @@ tlsm_PR_Recv(PRFileDesc *fd, void *buf, - "TLS: error: tlsm_PR_Recv returned %d - error %d:%s\n", - rc, errno, STRERROR(errno) ); - } -+ } else if ( ( rc > 0 ) && ( len > 0 ) && ( p->firsttag == LBER_DEFAULT ) ) { -+ p->firsttag = (ber_tag_t)*((char *)buf); - } -+ p->io_flag = TLSM_READ; - - return rc; - } -@@ -2617,7 +2605,7 @@ tlsm_PR_Send(PRFileDesc *fd, const void - - if ( buf == NULL || len <= 0 ) return 0; - -- p = (struct tls_data *)fd->secret; -+ p = tlsm_get_pvt_tls_data( fd ); - - if ( p == NULL || p->sbiod == NULL ) { - return 0; -@@ -2634,6 +2622,7 @@ tlsm_PR_Send(PRFileDesc *fd, const void - rc, errno, STRERROR(errno) ); - } - } -+ p->io_flag = TLSM_WRITE; - - return rc; - } -@@ -2656,7 +2645,7 @@ tlsm_PR_GetPeerName(PRFileDesc *fd, PRNe - struct tls_data *p; - ber_socklen_t len; - -- p = (struct tls_data *)fd->secret; -+ p = tlsm_get_pvt_tls_data( fd ); - - if ( p == NULL || p->sbiod == NULL 
) { - return PR_FAILURE; -@@ -2669,7 +2658,7 @@ static PRStatus PR_CALLBACK - tlsm_PR_GetSocketOption(PRFileDesc *fd, PRSocketOptionData *data) - { - struct tls_data *p; -- p = (struct tls_data *)fd->secret; -+ p = tlsm_get_pvt_tls_data( fd ); - - if ( !data ) { - return PR_FAILURE; -@@ -2804,6 +2793,7 @@ tlsm_sb_setup( Sockbuf_IO_Desc *sbiod, v - fd->secret = (PRFilePrivate *)p; - p->session = session; - p->sbiod = sbiod; -+ p->firsttag = LBER_DEFAULT; - sbiod->sbiod_pvt = p; - return 0; - } -@@ -2851,7 +2841,7 @@ tlsm_sb_ctrl( Sockbuf_IO_Desc *sbiod, in - return 1; - - } else if ( opt == LBER_SB_OPT_DATA_READY ) { -- if ( tlsm_is_io_ready( p->session, PR_POLL_READ, NULL ) > 0 ) { -+ if ( p && ( SSL_DataPending( p->session ) > 0 ) ) { - return 1; - } - diff --git a/openldap-nss-restart-modules-fork.patch b/openldap-nss-restart-modules-fork.patch deleted file mode 100644 index 4bebac5..0000000 --- a/openldap-nss-restart-modules-fork.patch +++ /dev/null 
@@ -1,48 +0,0 @@ -fix: OpenLDAP can't use TLS after a fork() - -Resolves: #636956 -Upstream ITS: #6802 -Author: Rich Megginson - -diff -uNPrp openldap-2.4.23/libraries/libldap/tls_m.c openldap-2.4.23/libraries/libldap/tls_m.c ---- openldap-2.4.23/libraries/libldap/tls_m.c 2011-01-25 11:12:59.407964217 +0100 -+++ openldap-2.4.23/libraries/libldap/tls_m.c 2011-01-25 11:15:50.020176376 +0100 -@@ -72,6 +72,13 @@ - #define HAVE_NSS_INITCONTEXT 1 - #endif - -+/* NSS 3.12.9 and later have SECMOD_RestartModules */ -+#if NSS_VMAJOR <= 3 && NSS_VMINOR <= 12 && NSS_VPATCH < 9 -+/* do nothing */ -+#else -+#define HAVE_SECMOD_RESTARTMODULES 1 -+#endif -+ - /* InitContext does not currently work in server mode */ - /* #define INITCONTEXT_HACK 1 */ - -@@ -1486,6 +1493,24 @@ tlsm_deferred_init( void *arg ) - SECStatus rc; - int done = 0; - -+#ifdef HAVE_SECMOD_RESTARTMODULES -+ /* NSS enforces the pkcs11 requirement that modules should be unloaded after -+ a fork() - since there is no portable way to determine if NSS has been -+ already initialized in a parent process, we just call SECMOD_RestartModules -+ with force == FALSE - if the module has been unloaded due to a fork, it will -+ be reloaded, otherwise, it is a no-op */ -+ if ( SECFailure == ( rc = SECMOD_RestartModules(PR_FALSE /* do not force */) ) ) { -+ errcode = PORT_GetError(); -+ if ( errcode != SEC_ERROR_NOT_INITIALIZED ) { -+ Debug( LDAP_DEBUG_TRACE, -+ "TLS: could not restart the security modules: %d:%s\n", -+ errcode, PR_ErrorToString( errcode, PR_LANGUAGE_I_DEFAULT ), 0 ); -+ } else { -+ errcode = 1; -+ } -+ } -+#endif -+ - #ifdef HAVE_NSS_INITCONTEXT - memset( &initParams, 0, sizeof( initParams ) ); - initParams.length = sizeof( initParams ); diff --git a/openldap-reject-non-file-keyfiles.patch b/openldap-reject-non-file-keyfiles.patch deleted file mode 100644 index 5d2ff92..0000000 --- a/openldap-reject-non-file-keyfiles.patch +++ /dev/null 
@@ -1,84 +0,0 @@ -This workarounds Mozilla NSS bug. libldap crashes when TLS_CACERTDIR contains a subdirectory. -Skip all non-file entries in CA_CERTDIR. - -Resolves: #652315 -Upstream ITS: #6703 -Author: Rich Megginson (rmeggins@redhat.com) - -diff -u -8 -r1.19 tls_m.c ---- openldap.old/libraries/libldap/tls_m.c 29 Oct 2010 08:30:30 -0000 1.19 -+++ openldap.new/libraries/libldap/tls_m.c 11 Nov 2010 20:18:20 -0000 -@@ -1011,16 +1011,36 @@ - CK_ATTRIBUTE theTemplate[20]; - CK_BBOOL cktrue = CK_TRUE; - CK_BBOOL ckfalse = CK_FALSE; - CK_OBJECT_CLASS objClass = CKO_CERTIFICATE; - char tmpslotname[64]; - char *slotname = NULL; - const char *ptr = NULL; - char sep = PR_GetDirectorySeparator(); -+ PRFileInfo fi; -+ PRStatus status; -+ -+ memset( &fi, 0, sizeof(fi) ); -+ status = PR_GetFileInfo( filename, &fi ); -+ if ( PR_SUCCESS != status) { -+ PRErrorCode errcode = PR_GetError(); -+ Debug( LDAP_DEBUG_ANY, -+ "TLS: could not read certificate file %s - error %d:%s.\n", -+ filename, errcode, -+ PR_ErrorToString( errcode, PR_LANGUAGE_I_DEFAULT ) ); -+ return -1; -+ } -+ -+ if ( fi.type != PR_FILE_FILE ) { -+ Debug( LDAP_DEBUG_ANY, -+ "TLS: error: the certificate file %s is not a file.\n", -+ filename, 0 ,0 ); -+ return -1; -+ } - - attrs = theTemplate; - - if ( isca ) { - slotID = 0; /* CA and trust objects use slot 0 */ - PR_snprintf( tmpslotname, sizeof(tmpslotname), TLSM_PEM_TOKEN_FMT, slotID ); - slotname = tmpslotname; - } else { -@@ -1083,16 +1103,36 @@ - CK_SLOT_ID slotID; - PK11SlotInfo * slot = NULL; - PK11GenericObject *rv; - CK_ATTRIBUTE *attrs; - CK_ATTRIBUTE theTemplate[20]; - CK_BBOOL cktrue = CK_TRUE; - CK_OBJECT_CLASS objClass = CKO_PRIVATE_KEY; - int retcode = 0; -+ PRFileInfo fi; -+ PRStatus status; -+ -+ memset( &fi, 0, sizeof(fi) ); -+ status = PR_GetFileInfo( filename, &fi ); -+ if ( PR_SUCCESS != status) { -+ PRErrorCode errcode = PR_GetError(); -+ Debug( LDAP_DEBUG_ANY, -+ "TLS: could not read key file %s - error %d:%s.\n", -+ filename, errcode, -+ 
PR_ErrorToString( errcode, PR_LANGUAGE_I_DEFAULT ) ); -+ return -1; -+ } -+ -+ if ( fi.type != PR_FILE_FILE ) { -+ Debug( LDAP_DEBUG_ANY, -+ "TLS: error: the key file %s is not a file.\n", -+ filename, 0 ,0 ); -+ return -1; -+ } - - attrs = theTemplate; - - if ( ctx->tc_slotname == NULL ) { /* need new slot */ - slotID = ++tlsm_slot_count; - ctx->tc_slotname = PR_smprintf( TLSM_PEM_TOKEN_FMT, slotID ); - } - slot = PK11_FindSlotByName( ctx->tc_slotname ); diff --git a/openldap-use-cacert-dir-and-file.patch b/openldap-use-cacert-dir-and-file.patch deleted file mode 100644 index 0d1cf56..0000000 --- a/openldap-use-cacert-dir-and-file.patch +++ /dev/null 
@@ -1,136 +0,0 @@ -TLS_CACERTDIR takes precedence over TLS_CACERTFILE - -Resolves: #652304 -Upstream ITS: #6704 -Author: Rich Megginson (rmeggins@redhat.com) - -diff -uNPrp openldap-2.4.23.old/libraries/libldap/tls_m.c openldap-2.4.23.new/libraries/libldap/tls_m.c ---- openldap-2.4.23.old/libraries/libldap/tls_m.c 2010-11-18 11:01:36.129392116 +0100 -+++ openldap-2.4.23.new/libraries/libldap/tls_m.c 2010-11-18 11:02:19.466387205 +0100 -@@ -1031,6 +1031,7 @@ tlsm_add_cert_from_file( tlsm_ctx *ctx, - } - - if ( fi.type != PR_FILE_FILE ) { -+ PR_SetError(PR_IS_DIRECTORY_ERROR, 0); - Debug( LDAP_DEBUG_ANY, - "TLS: error: the certificate file %s is not a file.\n", - filename, 0 ,0 ); -@@ -1123,6 +1124,7 @@ tlsm_add_key_from_file( tlsm_ctx *ctx, c - } - - if ( fi.type != PR_FILE_FILE ) { -+ PR_SetError(PR_IS_DIRECTORY_ERROR, 0); - Debug( LDAP_DEBUG_ANY, - "TLS: error: the key file %s is not a file.\n", - filename, 0 ,0 ); -@@ -1178,69 +1180,91 @@ static int - tlsm_init_ca_certs( tlsm_ctx *ctx, const char *cacertfile, const char *cacertdir ) - { - PRBool isca = PR_TRUE; -+ PRStatus status = PR_FAILURE; -+ PRErrorCode errcode = PR_SUCCESS; - - if ( cacertfile ) { - int rc = tlsm_add_cert_from_file( ctx, cacertfile, isca ); - if ( rc ) { -- return rc; -+ errcode = PR_GetError(); -+ Debug( LDAP_DEBUG_ANY, -+ "TLS: %s is not a valid CA certificate file - error %d:%s.\n", -+ cacertfile, errcode, -+ PR_ErrorToString( errcode, PR_LANGUAGE_I_DEFAULT ) ); -+ } else { -+ Debug( LDAP_DEBUG_TRACE, -+ "TLS: loaded CA certificate file %s.\n", -+ cacertfile, 0, 0 ); -+ status = PR_SUCCESS; /* have at least one good CA - we can proceed */ - } - } - - if ( cacertdir ) { - PRFileInfo fi; -- PRStatus status; - PRDir *dir; - PRDirEntry *entry; -+ PRStatus fistatus = PR_FAILURE; - - memset( &fi, 0, sizeof(fi) ); -- status = PR_GetFileInfo( cacertdir, &fi ); -- if ( PR_SUCCESS != status) { -- PRErrorCode errcode = PR_GetError(); -+ fistatus = PR_GetFileInfo( cacertdir, &fi ); -+ if ( 
PR_SUCCESS != fistatus) { -+ errcode = PR_GetError(); - Debug( LDAP_DEBUG_ANY, - "TLS: could not get info about the CA certificate directory %s - error %d:%s.\n", - cacertdir, errcode, - PR_ErrorToString( errcode, PR_LANGUAGE_I_DEFAULT ) ); -- return -1; -+ goto done; - } - - if ( fi.type != PR_FILE_DIRECTORY ) { - Debug( LDAP_DEBUG_ANY, - "TLS: error: the CA certificate directory %s is not a directory.\n", - cacertdir, 0 ,0 ); -- return -1; -+ goto done; - } - - dir = PR_OpenDir( cacertdir ); - if ( NULL == dir ) { -- PRErrorCode errcode = PR_GetError(); -+ errcode = PR_GetError(); - Debug( LDAP_DEBUG_ANY, - "TLS: could not open the CA certificate directory %s - error %d:%s.\n", - cacertdir, errcode, - PR_ErrorToString( errcode, PR_LANGUAGE_I_DEFAULT ) ); -- return -1; -+ goto done; - } - -- status = -1; - do { - entry = PR_ReadDir( dir, PR_SKIP_BOTH | PR_SKIP_HIDDEN ); - if ( NULL != entry ) { - char *fullpath = PR_smprintf( "%s/%s", cacertdir, entry->name ); - if ( !tlsm_add_cert_from_file( ctx, fullpath, isca ) ) { -- status = 0; /* found at least 1 valid CA file in the dir */ -+ Debug( LDAP_DEBUG_TRACE, -+ "TLS: loaded CA certificate file %s from CA certificate directory %s.\n", -+ fullpath, cacertdir, 0 ); -+ status = PR_SUCCESS; /* found at least 1 valid CA file in the dir */ -+ } else { -+ errcode = PR_GetError(); -+ Debug( LDAP_DEBUG_TRACE, -+ "TLS: %s is not a valid CA certificate file - error %d:%s.\n", -+ fullpath, errcode, -+ PR_ErrorToString( errcode, PR_LANGUAGE_I_DEFAULT ) ); - } - PR_smprintf_free( fullpath ); - } - } while ( NULL != entry ); - PR_CloseDir( dir ); -- -- if ( status ) { -- PRErrorCode errcode = PR_GetError(); -- Debug( LDAP_DEBUG_ANY, -- "TLS: did not find any valid CA certificate files in the CA certificate directory %s - error %d:%s.\n", -- cacertdir, errcode, -- PR_ErrorToString( errcode, PR_LANGUAGE_I_DEFAULT ) ); -- return -1; -+ } -+done: -+ if ( status != PR_SUCCESS ) { -+ const char *fmtstr = NULL; -+ if ( cacertfile && 
cacertdir ) { -+ fmtstr = "TLS: did not find any valid CA certificates in %s or %s\n"; -+ } else { -+ fmtstr = "TLS: did not find any valid CA certificates in %s%s\n"; - } -+ Debug( LDAP_DEBUG_ANY, fmtstr, cacertdir ? cacertdir : "", -+ cacertfile ? cacertfile : "", 0 ); -+ return -1; - } - - return 0; diff --git a/openldap-verify-self-issued-certs.patch b/openldap-verify-self-issued-certs.patch deleted file mode 100644 index 4995b4c..0000000 --- a/openldap-verify-self-issued-certs.patch +++ /dev/null 
@@ -1,324 +0,0 @@ -openldap does not trust certs with Basic Constraint ext. with CA == FALSE - -Resolves: #657984, #668899 -Upstream: ITS #6742, #6791 -Author: Rich Megginson - -diff -uNPrp openldap-2.4.23/libraries/libldap/tls_m.c openldap-2.4.23/libraries/libldap/tls_m.c ---- openldap-2.4.23/libraries/libldap/tls_m.c 2011-01-20 16:06:56.461937417 +0100 -+++ openldap-2.4.23/libraries/libldap/tls_m.c 2011-01-20 16:07:58.494922870 +0100 -@@ -63,6 +63,7 @@ - #include - #include - #include -+#include - - /* NSS 3.12.5 and later have NSS_InitContext */ - #if NSS_VMAJOR <= 3 && NSS_VMINOR <= 12 && NSS_VPATCH < 5 -@@ -900,29 +901,137 @@ tlsm_pin_prompt(PK11SlotInfo *slot, PRBo - } - - static SECStatus --tlsm_auth_cert_handler(void *arg, PRFileDesc *fd, -- PRBool checksig, PRBool isServer) -+tlsm_get_basic_constraint_extension( CERTCertificate *cert, -+ CERTBasicConstraints *cbcval ) - { -- SECStatus ret = SSL_AuthCertificate(arg, fd, checksig, isServer); -+ SECItem encodedVal = { 0, NULL }; -+ SECStatus rc; - -- if ( ret != SECSuccess ) { -- PRErrorCode errcode = PORT_GetError(); -- /* we bypass NSS's hostname checks and do our own - tlsm_session_chkhost will handle it */ -- if ( errcode == SSL_ERROR_BAD_CERT_DOMAIN ) { -- Debug( LDAP_DEBUG_TRACE, -- "TLS certificate verification: defer\n", -- 0, 0, 0 ); -- } else { -+ rc = CERT_FindCertExtension( cert, SEC_OID_X509_BASIC_CONSTRAINTS, -+ &encodedVal); -+ if ( rc != SECSuccess ) { -+ return rc; -+ } -+ -+ rc = CERT_DecodeBasicConstraintValue( cbcval, &encodedVal ); -+ -+ /* free the raw extension data */ -+ PORT_Free( encodedVal.data ); -+ -+ return rc; -+} -+ -+static PRBool -+tlsm_cert_is_self_issued( CERTCertificate *cert ) -+{ -+ /* A cert is self-issued if its subject and issuer are equal and -+ * both are of non-zero length. 
-+ */ -+ PRBool is_self_issued = cert && -+ (PRBool)SECITEM_ItemsAreEqual( &cert->derIssuer, -+ &cert->derSubject ) && -+ cert->derSubject.len > 0; -+ return is_self_issued; -+} -+ -+static SECStatus -+tlsm_verify_cert(CERTCertDBHandle *handle, CERTCertificate *cert, void *pinarg, -+ PRBool checksig, SECCertificateUsage certUsage, int errorToIgnore ) -+{ -+ CERTVerifyLog verifylog; -+ SECStatus ret = SECSuccess; -+ const char *name; -+ -+ /* the log captures information about every cert in the chain, so we can tell -+ which cert caused the problem and what the problem was */ -+ memset( &verifylog, 0, sizeof( verifylog ) ); -+ verifylog.arena = PORT_NewArena( DER_DEFAULT_CHUNKSIZE ); -+ if ( verifylog.arena == NULL ) { -+ Debug( LDAP_DEBUG_ANY, -+ "TLS certificate verification: Out of memory for certificate verification logger\n", -+ 0, 0, 0 ); -+ return SECFailure; -+ } -+ ret = CERT_VerifyCertificate( handle, cert, checksig, certUsage, PR_Now(), pinarg, &verifylog, -+ NULL ); -+ if ( ( name = cert->subjectName ) == NULL ) { -+ name = cert->nickname; -+ } -+ if ( verifylog.head == NULL ) { -+ /* it is possible for CERT_VerifyCertificate return with an error with no logging */ -+ if ( ret != SECSuccess ) { -+ PRErrorCode errcode = PR_GetError(); - Debug( LDAP_DEBUG_ANY, -- "TLS certificate verification: Error, %d: %s\n", -- errcode, PR_ErrorToString( errcode, PR_LANGUAGE_I_DEFAULT ), 0 ) ; -+ "TLS: certificate [%s] is not valid - error %d:%s.\n", -+ name ? 
name : "(unknown)", -+ errcode, PR_ErrorToString( errcode, PR_LANGUAGE_I_DEFAULT ) ); - } - } else { -- Debug( LDAP_DEBUG_TRACE, -- "TLS certificate verification: ok\n", -- 0, 0, 0 ); -+ const char *name; -+ CERTVerifyLogNode *node; -+ -+ ret = SECSuccess; /* reset */ -+ node = verifylog.head; -+ while ( node ) { -+ if ( ( name = node->cert->subjectName ) == NULL ) { -+ name = node->cert->nickname; -+ } -+ if ( node->error ) { -+ /* NSS does not like CA certs that have the basic constraints extension -+ with the CA flag set to FALSE - openssl doesn't check if the cert -+ is self issued */ -+ if ( ( node->error == SEC_ERROR_CA_CERT_INVALID ) && -+ tlsm_cert_is_self_issued( node->cert ) ) { -+ CERTBasicConstraints basicConstraint; -+ SECStatus rv = tlsm_get_basic_constraint_extension( node->cert, &basicConstraint ); -+ if ( ( rv == SECSuccess ) && ( basicConstraint.isCA == PR_FALSE ) ) { -+ Debug( LDAP_DEBUG_TRACE, -+ "TLS: certificate [%s] is not correct because it is a CA cert and the " -+ "BasicConstraint CA flag is set to FALSE - allowing for now, but " -+ "please fix your certs if possible\n", name, 0, 0 ); -+ } else { /* does not have basicconstraint, or some other error */ -+ ret = SECFailure; -+ Debug( LDAP_DEBUG_ANY, -+ "TLS: certificate [%s] is not valid - CA cert is not valid\n", -+ name, 0, 0 ); -+ } -+ } else if ( errorToIgnore && ( node->error == errorToIgnore ) ) { -+ Debug( LDAP_DEBUG_ANY, -+ "TLS: Warning: ignoring error for certificate [%s] - error %ld:%s.\n", -+ name, node->error, PR_ErrorToString( node->error, PR_LANGUAGE_I_DEFAULT ) ); -+ } else { -+ ret = SECFailure; -+ Debug( LDAP_DEBUG_ANY, -+ "TLS: certificate [%s] is not valid - error %ld:%s.\n", -+ name, node->error, PR_ErrorToString( node->error, PR_LANGUAGE_I_DEFAULT ) ); -+ } -+ } -+ CERT_DestroyCertificate( node->cert ); -+ node = node->next; -+ } - } - -+ PORT_FreeArena( verifylog.arena, PR_FALSE ); -+ -+ if ( ret == SECSuccess ) { -+ Debug( LDAP_DEBUG_TRACE, -+ "TLS: certificate [%s] 
is valid\n", name, 0, 0 ); -+ } -+ -+ return ret; -+} -+ -+static SECStatus -+tlsm_auth_cert_handler(void *arg, PRFileDesc *fd, -+ PRBool checksig, PRBool isServer) -+{ -+ SECCertificateUsage certUsage = isServer ? certificateUsageSSLClient : certificateUsageSSLServer; -+ SECStatus ret = SECSuccess; -+ -+ ret = tlsm_verify_cert( (CERTCertDBHandle *)arg, SSL_PeerCertificate( fd ), -+ SSL_RevealPinArg( fd ), -+ checksig, certUsage, 0 ); -+ - return ret; - } - -@@ -1017,7 +1126,7 @@ tlsm_free_pem_objs( tlsm_ctx *ctx ) - } - - static int --tlsm_add_cert_from_file( tlsm_ctx *ctx, const char *filename, PRBool isca ) -+tlsm_add_cert_from_file( tlsm_ctx *ctx, const char *filename, PRBool isca, PRBool istrusted ) - { - CK_SLOT_ID slotID; - PK11SlotInfo *slot = NULL; -@@ -1059,9 +1168,14 @@ tlsm_add_cert_from_file( tlsm_ctx *ctx, - slotID = 0; /* CA and trust objects use slot 0 */ - PR_snprintf( tmpslotname, sizeof(tmpslotname), TLSM_PEM_TOKEN_FMT, slotID ); - slotname = tmpslotname; -+ istrusted = PR_TRUE; - } else { - if ( ctx->tc_slotname == NULL ) { /* need new slot */ -- slotID = ++tlsm_slot_count; -+ if ( istrusted ) { -+ slotID = 0; -+ } else { -+ slotID = ++tlsm_slot_count; -+ } - ctx->tc_slotname = PR_smprintf( TLSM_PEM_TOKEN_FMT, slotID ); - } - slotname = ctx->tc_slotname; -@@ -1069,7 +1183,15 @@ tlsm_add_cert_from_file( tlsm_ctx *ctx, - if ( ( ptr = PL_strrchr( filename, sep ) ) ) { - PL_strfree( ctx->tc_certname ); - ++ptr; -- ctx->tc_certname = PR_smprintf( "%s:%s", slotname, ptr ); -+ if ( istrusted ) { -+ /* pemnss conflates trusted certs with CA certs - since there can -+ be more than one CA cert in a file (e.g. 
ca-bundle.crt) pemnss -+ numbers each trusted cert - in the case of a server cert, there will be -+ only one, so it will be number 0 */ -+ ctx->tc_certname = PR_smprintf( "%s:%s - 0", slotname, ptr ); -+ } else { -+ ctx->tc_certname = PR_smprintf( "%s:%s", slotname, ptr ); -+ } - } - } - -@@ -1087,7 +1209,7 @@ tlsm_add_cert_from_file( tlsm_ctx *ctx, - PK11_SETATTRS( attrs, CKA_CLASS, &objClass, sizeof(objClass) ); attrs++; - PK11_SETATTRS( attrs, CKA_TOKEN, &cktrue, sizeof(CK_BBOOL) ); attrs++; - PK11_SETATTRS( attrs, CKA_LABEL, (unsigned char *)filename, strlen(filename)+1 ); attrs++; -- if ( isca ) { -+ if ( istrusted ) { - PK11_SETATTRS( attrs, CKA_TRUST, &cktrue, sizeof(CK_BBOOL) ); attrs++; - } else { - PK11_SETATTRS( attrs, CKA_TRUST, &ckfalse, sizeof(CK_BBOOL) ); attrs++; -@@ -1204,7 +1326,7 @@ tlsm_init_ca_certs( tlsm_ctx *ctx, const - } - - if ( cacertfile ) { -- int rc = tlsm_add_cert_from_file( ctx, cacertfile, isca ); -+ int rc = tlsm_add_cert_from_file( ctx, cacertfile, isca, PR_TRUE ); - if ( rc ) { - errcode = PR_GetError(); - Debug( LDAP_DEBUG_ANY, -@@ -1268,7 +1390,7 @@ tlsm_init_ca_certs( tlsm_ctx *ctx, const - continue; - } - fullpath = PR_smprintf( "%s/%s", cacertdir, entry->name ); -- if ( !tlsm_add_cert_from_file( ctx, fullpath, isca ) ) { -+ if ( !tlsm_add_cert_from_file( ctx, fullpath, isca, PR_TRUE ) ) { - Debug( LDAP_DEBUG_TRACE, - "TLS: loaded CA certificate file %s from CA certificate directory %s.\n", - fullpath, cacertdir, 0 ); -@@ -1627,45 +1749,11 @@ tlsm_find_and_verify_cert_key(tlsm_ctx * - } else { - checkSig = PR_FALSE; - } -- status = CERT_VerifyCertificateNow( ctx->tc_certdb, cert, -- checkSig, certUsage, -- pin_arg, NULL ); -- if ( status != SECSuccess ) { -- /* NSS doesn't like self-signed CA certs that are also used for -- TLS/SSL server certs (such as generated by openssl req -x509) -- CERT_VerifyCertificateNow returns SEC_ERROR_UNTRUSTED_ISSUER in that case -- so, see if the cert and issuer are the same cert -- */ -- 
PRErrorCode errcode = PR_GetError(); -- -- if ( errcode == SEC_ERROR_UNTRUSTED_ISSUER ) { -- CERTCertificate *issuer = CERT_FindCertIssuer( cert, PR_Now(), certUsageSSLServer ); -- if ( NULL == issuer ) { -- /* no issuer - warn and allow */ -- status = SECSuccess; -- rc = 0; -- Debug( LDAP_DEBUG_ANY, -- "TLS: warning: the server certificate %s has no issuer - " -- "please check this certificate for validity\n", -- certname, 0, 0 ); -- } else if ( CERT_CompareCerts( cert, issuer ) ) { -- /* self signed - warn and allow */ -- status = SECSuccess; -- rc = 0; -- Debug( LDAP_DEBUG_ANY, -- "TLS: warning: using self-signed server certificate %s\n", -- certname, 0, 0 ); -- } -- CERT_DestroyCertificate( issuer ); -- } -- -- if ( status != SECSuccess ) { -- Debug( LDAP_DEBUG_ANY, -- "TLS: error: the certificate %s is not valid - error %d:%s\n", -- certname, errcode, PR_ErrorToString( errcode, PR_LANGUAGE_I_DEFAULT ) ); -- } -- } else { -- rc = 0; /* success */ -+ /* may not have a CA cert - ok - ignore SEC_ERROR_UNKNOWN_ISSUER */ -+ status = tlsm_verify_cert( ctx->tc_certdb, cert, pin_arg, -+ checkSig, certUsage, SEC_ERROR_UNKNOWN_ISSUER ); -+ if ( status == SECSuccess ) { -+ rc = 0; - } - } else { - PRErrorCode errcode = PR_GetError(); -@@ -1963,7 +2051,7 @@ tlsm_deferred_ctx_init( void *arg ) - /* otherwise, assume this is the name of a cert already in the db */ - if ( ctx->tc_using_pem ) { - /* this sets ctx->tc_certname to the correct value */ -- int rc = tlsm_add_cert_from_file( ctx, lt->lt_certfile, PR_FALSE /* not a ca */ ); -+ int rc = tlsm_add_cert_from_file( ctx, lt->lt_certfile, PR_FALSE, PR_TRUE ); - if ( rc ) { - return rc; - } -@@ -2291,8 +2379,8 @@ static char * - tlsm_session_errmsg( tls_session *sess, int rc, char *buf, size_t len ) - { - int i; -+ int prerror = PR_GetError(); - -- rc = PR_GetError(); - i = PR_GetErrorTextLength(); - if ( i > len ) { - char *msg = LDAP_MALLOC( i+1 ); -@@ -2301,9 +2389,12 @@ tlsm_session_errmsg( tls_session *sess, - 
LDAP_FREE( msg ); - } else if ( i ) { - PR_GetErrorText( buf ); -+ } else if ( prerror ) { -+ i = PR_snprintf( buf, len, "TLS error %d:%s", -+ prerror, PR_ErrorToString( prerror, PR_LANGUAGE_I_DEFAULT ) ); - } - -- return i ? buf : NULL; -+ return ( i > 0 ) ? buf : NULL; - } - - static int diff --git a/openldap.spec b/openldap.spec index 8a272d5..3d07cbc 100644 --- a/openldap.spec +++ b/openldap.spec @@ -29,20 +29,6 @@ Patch6: openldap-smbk5pwd-overlay.patch Patch7: openldap-ldaprc-currentdir.patch Patch8: openldap-userconfig-setgid.patch -# already merged upstream -Patch100: openldap-nss-ca-selfsigned.patch -Patch101: openldap-nss-delay-token-auth.patch -Patch102: openldap-nss-db-prefix.patch -Patch103: openldap-reject-non-file-keyfiles.patch -Patch104: openldap-use-cacert-dir-and-file.patch -Patch105: openldap-cacertdir-hash-only.patch -Patch106: openldap-improve-trace-messages.patch -Patch107: openldap-nss-non-blocking.patch -Patch108: openldap-verify-self-issued-certs.patch -Patch109: openldap-nss-cipher-suites.patch -Patch110: openldap-nss-restart-modules-fork.patch -Patch111: openldap-nss-disable-nofork.patch - # patches for the evolution library (see README.evolution) Patch200: openldap-evolution-ntlm.patch @@ -143,19 +129,6 @@ pushd openldap-%{version} %patch7 -p1 -b .ldaprc-currentdir %patch8 -p1 -b .userconfig-setgid -%patch100 -p1 -b .nss-ca-selfsigned -%patch101 -p1 -b .nss-delay-token-auth -%patch102 -p1 -b .nss-db-prefix -%patch103 -p1 -b .reject-non-file-keyfiles -%patch104 -p1 -b .use-cacert-dir-and-file-dir -%patch105 -p1 -b .cacertdir-hash-only -%patch106 -p1 -b .improve-trace-messages -%patch107 -p1 -b .nss-non-blocking -%patch108 -p1 -b .verify-self-issued-certs -%patch109 -p1 -b .nss-cipher-suites -%patch110 -p1 -b .nss-restart-modules-fork -%patch111 -p1 -b .nss-disable-nofork - cp %{_datadir}/libtool/config/config.{sub,guess} build/ for subdir in build-servers build-clients ; do diff --git a/sources b/sources index 278210e..d4acaf8 100644 
--- a/sources
+++ b/sources
@@ -1 +1 @@
-90150b8c0d0192e10b30157e68844ddf openldap-2.4.23.tgz
+116fe1e23a7b67686d5e62274367e6c0 openldap-2.4.24.tgz