rpms/openldap
3
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

MozNSS Compat. Layer: Ensure consistency of a PEM dir before usage

Browse Source 
+ Warn just before use of a PIN about key file extraction

(cherry picked from commit 856ec5d38c45ffe71774a4d86a36177d3c4ca372)
(originally #1516409)

Related: #1400570
This commit is contained in:
Matúš Honěk 2018-01-11 01:11:09 +01:00
parent 68ef0e0238
commit 716f3439ac
2 changed files with 110 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

119
openldap-tlsmc.patch
View File

@ -1,7 +1,7 @@
MozNSS Interception Code
Author: Matus Honek <mhonek@redhat.com>
Date: Wed Jan 10 23:30:56 CET 2018
Date: Thu Jan 11 01:00:55 CET 2018
diff --git a/configure.in b/configure.in
--- a/configure.in
+++ b/configure.in
@ -283,7 +283,7 @@ diff --git a/libraries/libldap/tls_mc.c b/libraries/libldap/tls_mc.c
new file mode 100644
--- /dev/null
+++ b/libraries/libldap/tls_mc.c
@@ -0,0 +1,1211 @@
@@ -0,0 +1,1308 @@
+#include "portable.h"
+
+#ifdef HAVE_MOZNSS_COMPATIBILITY
@ -392,6 +392,88 @@ new file mode 100644
+}
+
+
+int
+tlsmc_remove_dir_recursively( char *dir_name )
+{
+ int rv = 0;
+ PRDir *dir = NULL;
+ PRDirEntry *entry = NULL;
+ char *full_path = NULL;
+
+ Debug( LDAP_DEBUG_TRACE,
+ "tlsmc_remove_dir_recursively: INFO: starting recursively removing directory `%s'.\n",
+ dir_name, 0, 0 );
+ if ( NULL == ( dir = PR_OpenDir( dir_name ) ) ) {
+ Debug( LDAP_DEBUG_ANY,
+ "tlsmc_remove_dir_recursively: WARN: could not open directory `%s'.\n",
+ dir_name, 0, 0 );
+ rv = 0;
+ goto bail;
+ }
+
+ while ( NULL != ( entry = PR_ReadDir( dir, PR_SKIP_BOTH ) ) ) {
+ PRFileInfo info;
+ PRStatus prv;
+
+ full_path = NULL;
+ full_path = PR_smprintf( "%s/%s", dir_name, entry->name );
+
+ if ( ( PR_SUCCESS == ( prv = PR_GetFileInfo( full_path, &info ) ) ) ) {
+ if ( PR_FILE_DIRECTORY == info.type ) {
+ Debug( LDAP_DEBUG_TRACE,
+ "tlsmc_remove_dir_recursively: INFO: stepping in directory `%s'.\n",
+ full_path, 0, 0 );
+ if ( 0 == tlsmc_remove_dir_recursively( full_path ) ) {
+ rv = 0;
+ goto bail;
+ }
+ } else {
+ Debug( LDAP_DEBUG_TRACE,
+ "tlsmc_remove_dir_recursively: INFO: removing file `%s'.\n",
+ full_path, 0, 0 );
+ if ( PR_FAILURE == PR_Delete( full_path ) ) {
+ rv = 0;
+ goto bail;
+ }
+ }
+ }
+
+ if ( full_path ) {
+ PR_smprintf_free( full_path );
+ full_path = NULL;
+ }
+
+ }
+ Debug( LDAP_DEBUG_TRACE,
+ "tlsmc_remove_dir_recursively: INFO: stepping out of directory `%s'.\n",
+ dir_name, 0, 0 );
+ if ( PR_FAILURE == PR_CloseDir( dir ) ) {
+ Debug( LDAP_DEBUG_ANY,
+ "tlsmc_remove_dir_recursively: WARN: could not close directory `%s'.\n",
+ dir_name, 0, 0 );
+ rv = 0;
+ goto bail;
+ }
+
+ Debug( LDAP_DEBUG_TRACE,
+ "tlsmc_remove_dir_recursively: INFO: removing the directory `%s'.\n",
+ dir_name, 0, 0 );
+ if ( PR_FAILURE == PR_RmDir( dir_name ) ) {
+ Debug( LDAP_DEBUG_ANY,
+ "tlsmc_remove_dir_recursively: WARN: could not remove the directory `%s'.\n",
+ dir_name, 0, 0 );
+ rv = 0;
+ goto bail;
+ }
+
+ rv = 1;
+
+bail:
+ if ( full_path ) PR_smprintf_free( full_path );
+ return rv;
+}
+
+
+/* BORROWED FROM tls_m.c */
+static void
+tlsmc_get_certdb_prefix( const char *certdir, char **realcertdir, char **prefix )
@ -552,6 +634,10 @@ new file mode 100644
+ char *token_name = NULL;
+ char *pwdstr = NULL;
+
+ Debug( LDAP_DEBUG_ANY,
+ "tlsmc_get_pin: INFO: Please note the extracted key file will not be protected with a PIN any more, however it will be still protected at least by file permissions.\n",
+ 0, 0, 0 );
+
+ token_name = PK11_GetTokenName( slot );
+ /* Try to get the passwords from the password file if it exists.
+ * THIS IS UNSAFE and is provided for convenience only. Without this
@ -1258,7 +1344,6 @@ new file mode 100644
+ Debug( LDAP_DEBUG_ANY,
+ "tlsmc_extract_nssdb: ERROR: could not export user cert and/or key.\n",
+ 0, 0, 0 );
+ rv = -1;
+ goto bail;
+ }
+
@ -1339,6 +1424,12 @@ new file mode 100644
+ 0, 0, 0 );
+ goto bail;
+ }
+ if ( NULL == ( readme_path = PR_smprintf( "%s/" TLSMC_README_FILE_NAME, pem_dir ) ) ) {
+ Debug( LDAP_DEBUG_ANY,
+ "tlsmc_convert: FATAL: could not allocate memory.\n",
+ 0, 0, 0 );
+ goto bail;
+ }
+ Debug( LDAP_DEBUG_TRACE,
+ "tlsmc_convert: INFO: trying with PEM dir = `%s'.\n",
+ pem_dir, 0, 0 );
@ -1347,7 +1438,19 @@ new file mode 100644
+ Debug( LDAP_DEBUG_TRACE,
+ "tlsmc_convert: INFO: using the existing PEM dir.\n",
+ 0, 0, 0 );
+ goto pem_dir_exists;
+ if ( 0 == stat( readme_path, &stat_buf ) ) {
+ goto pem_dir_exists;
+ } else {
+ Debug( LDAP_DEBUG_ANY,
+ "tlsmc_convert: ERROR: the PEM dir found does not contain README file. Will remove the PEM dir and try to recreate it.\n",
+ 0, 0, 0 );
+ if ( 0 == tlsmc_remove_dir_recursively( pem_dir ) ) {
+ Debug( LDAP_DEBUG_ANY,
+ "tlsmc_convert: FATAL: could not remove the PEM dir. Cannot properly set TLS.\n",
+ 0, 0, 0 );
+ goto bail;
+ }
+ }
+ } else {
+ Debug( LDAP_DEBUG_ANY,
+ "tlsmc_convert: FATAL: tried to stat the PEM dir but it is not a directory.\n",
@ -1356,7 +1459,7 @@ new file mode 100644
+ }
+ }
+ Debug( LDAP_DEBUG_TRACE,
+ "tlsmc_convert: WARN: could not find the PEM dir, will try to create it.\n",
+ "tlsmc_convert: WARN: will try to create PEM dir.\n",
+ 0, 0, 0 );
+ if ( 0 == tlsmc_prepare_dir( pem_dir ) ) {
+ Debug( LDAP_DEBUG_ANY,
@ -1370,12 +1473,6 @@ new file mode 100644
+ 0, 0, 0 );
+ goto bail;
+ }
+ if ( NULL == ( readme_path = PR_smprintf( "%s/" TLSMC_README_FILE_NAME, pem_dir ) ) ) {
+ Debug( LDAP_DEBUG_ANY,
+ "tlsmc_convert: FATAL: could not allocate memory.\n",
+ 0, 0, 0 );
+ goto bail;
+ }
+ if ( 0 == tlsmc_write_file( readme_path, data, S_IRUSR ) ) {
+ Debug( LDAP_DEBUG_ANY,
+ "tlsmc_convert: ERROR: could not create README file.\n",

2
openldap.spec
View File

@ -518,6 +518,8 @@ exit 0
%changelog
* Wed Feb 7 2018 Matus Honek <mhonek@redhat.com> - 2.4.45-7
- MozNSS Compat. Layer fixes (#1400570)
- Ensure consistency of a PEM dir before usage (orig. #1516409)
+ Warn just before use of a PIN about key file extraction
- Enable usage of NSS DB with PEM cert/key (orig. #1525485)
+ Fix a possible invalid dereference (covscan)