MozNSS Compat. Layer: fix incorrect parsing of CACertDir

The NSS DB type prefix (e.g. `sql:`, `dbm:`) was not taken into account at
all. Because of this the stat of the path could fail, and the last component
of the path was then wrongly taken to be an NSS DB name prefix.

(cherry picked from commit 7f41b4a1ffe61c03d65896d82fc6b72a2710c492)
(originally #1533955)

Related: #1400570
Matúš Honěk 2018-01-31 22:11:45 +01:00
parent 8c29eeec6a
commit 7264811847
2 changed files with 46 additions and 16 deletions


@ -1,7 +1,7 @@
MozNSS Interception Code
Author: Matus Honek <mhonek@redhat.com>
Date: Wed Jan 31 21:44:47 CET 2018
Date: Wed Jan 31 22:08:28 CET 2018
diff --git a/configure.in b/configure.in
--- a/configure.in
+++ b/configure.in
@ -283,7 +283,7 @@ diff --git a/libraries/libldap/tls_mc.c b/libraries/libldap/tls_mc.c
new file mode 100644
--- /dev/null
+++ b/libraries/libldap/tls_mc.c
@@ -0,0 +1,1316 @@
@@ -0,0 +1,1345 @@
+#include "portable.h"
+
+#ifdef HAVE_MOZNSS_COMPATIBILITY
@ -484,33 +484,61 @@ new file mode 100644
+
+/* BORROWED FROM tls_m.c */
+static void
+tlsmc_get_certdb_prefix( const char *certdir, char **realcertdir, char **prefix )
+tlsmc_get_certdb_prefix( const char *certdir, char **nsscertdir, char **realcertdir, char **prefix )
+{
+ char sep = PR_GetDirectorySeparator();
+ char *ptr = NULL;
+ char *chkpath = NULL;
+ struct PRFileInfo prfi;
+ PRStatus prc;
+
+ *realcertdir = (char *)certdir; /* default is the one passed in */
+
+ /* if certdir is not given, just return */
+ if ( !certdir ) return;
+
+ prc = PR_GetFileInfo( certdir, &prfi );
+ *nsscertdir = certdir;
+
+ /* ignore database type prefix (e.g. sql:, dbm:) if provided */
+ if ( NULL != ( chkpath = strchr( certdir, ':' ) ) ) {
+ *realcertdir = chkpath + 1;
+ }
+
+ /* if certdir exists (file or directory) then it cannot specify a prefix */
+ prc = PR_GetFileInfo( *realcertdir, &prfi );
+ if ( prc == PR_SUCCESS ) {
+ /* and drop potential last '/' */
+ ptr = strrchr( *realcertdir, sep );
+ if ( ptr && (! *(ptr+1) ) ) {
+ *ptr = '\0';
+ }
+ return;
+ goto finish;
+ }
+
+ /* if certdir was given, and there is a '/' in certdir, see if there
+ is anything after the last '/' - if so, assume it is the prefix */
+ if ( ( ( ptr = strrchr( certdir, sep ) ) ) && *(ptr+1) ) {
+ *realcertdir = PL_strndup( certdir, ptr-certdir );
+ *prefix = PL_strdup( ptr+1 );
+ /* if ( ( ( ptr = strrchr( *realcertdir, sep ) ) ) && *(ptr + 1) ) { */
+ /* *realcertdir = PL_strndup( *realcertdir, ptr - (*realcertdir) ); */
+ /* *prefix = PL_strdup( ptr + 1 ); */
+ /* } */
+
+
+ if ( ptr = strrchr( *realcertdir, sep ) ) {
+ if ( *(ptr + 1) ) {
+ *ptr = '\0';
+ *prefix = ptr + 1;
+ } else {
+ *prefix = *realcertdir + strlen( *realcertdir ); // empty string
+ }
+ } else {
+ *prefix = *realcertdir;
+ *realcertdir = *prefix + strlen( *prefix ); // empty string
+ }
+finish:
+ /* drop potential last '/' from realcertdir */
+ do {
+ ptr = strrchr( *realcertdir, sep );
+ if ( ptr && (! *(ptr+1) ) ) {
+ *ptr = '\0';
+ } else {
+ break;
+ }
+ } while (1);
+
+ return;
+}
@ -748,17 +776,18 @@ new file mode 100644
+ for ( ii = 0; !done && ( ii < SECURITYDIRS_COUNT ); ++ii ) {
+ // get certdb prefix
+ const char *securitydir = securitydirs[ii];
+ char *nsscertdir = NULL;
+ char *realcertdir = NULL;
+ const char *defprefix = "";
+ char *prefix = (char *)defprefix;
+ if ( securitydir == NULL ) continue;
+ tlsmc_get_certdb_prefix( securitydir, &realcertdir, &prefix ); //FIXME
+ tlsmc_get_certdb_prefix( securitydir, &nsscertdir, &realcertdir, &prefix );
+ *out_nssdb_dir = strdup( realcertdir );
+ *out_nssdb_prefix = strdup( prefix );
+
+ Debug( LDAP_DEBUG_TRACE,
+ "tlsmc_open_nssdb: INFO: trying to initialize moznss using security dir `%s` prefix `%s`.\n",
+ realcertdir, prefix, NULL);
+ nsscertdir, prefix, NULL);
+
+ // init context
+ NSSInitContext *initctx = NULL;
@ -766,7 +795,7 @@ new file mode 100644
+ memset( &initparams, 0, sizeof( initparams ) );
+ initparams.length = sizeof( initparams );
+
+ initctx = NSS_InitContext( realcertdir,
+ initctx = NSS_InitContext( nsscertdir,
+ prefix,
+ prefix,
+ SECMOD_DB,
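Review bot: The rewritten tlsmc_get_certdb_prefix truncates the caller's string in place: `*nsscertdir` and `*realcertdir` both alias `certdir`, which is declared `const char *`, yet `*ptr = '\0'` is written at the prefix split and again in the `finish` loop, and `*nsscertdir = certdir;` discards the qualifier without even the cast used on the line above. If securitydirs[ii] is a string literal that is undefined behaviour, and if it is the stored CACertDir setting (where securitydirs is filled is not visible here) a later call will see an already-shortened path that now stats successfully and therefore silently loses its prefix. The old branch avoided this with PL_strndup/PL_strdup, and the caller already strdup's realcertdir and prefix, so the safer shape is to work on a private copy, hand ownership back through `*nsscertdir`, and PL_strfree it in tlsmc_open_nssdb once NSS_InitContext has consumed it. Separately, `strchr( certdir, ':' )` treats any ':' anywhere in the path as a type prefix, so an absolute path containing a colon is mis-split; matching only the known prefixes, e.g. `strncmp( certdir, "sql:", 4 ) == 0 || strncmp( certdir, "dbm:", 4 ) == 0`, is tighter. The tlsmc_open_nssdb loop that calls this helper starts and ends outside the hunk, so the matching free is not shown.

```c
static void
tlsmc_get_certdb_prefix( const char *certdir, char **nsscertdir, char **realcertdir, char **prefix )
{
	/* … unchanged: sep, ptr, chkpath, prfi, prc … */
	char *work = NULL;

	*realcertdir = (char *)certdir; /* default is the one passed in */
	if ( !certdir ) return;

	/* The splits below write NULs into the buffer, so never touch the
	 * caller's string: work on a copy whose ownership passes to the
	 * caller through *nsscertdir (free it after NSS_InitContext). */
	work = PL_strdup( certdir );
	if ( !work ) return;
	*nsscertdir = work;
	*realcertdir = work;

	/* ignore database type prefix (e.g. sql:, dbm:) if provided */
	if ( NULL != ( chkpath = strchr( work, ':' ) ) ) {
		*realcertdir = chkpath + 1;
	}
	/* … unchanged: PR_GetFileInfo check, prefix split, finish loop … */
```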


@ -518,6 +518,7 @@ exit 0
%changelog
* Wed Feb 7 2018 Matus Honek <mhonek@redhat.com> - 2.4.45-7
- MozNSS Compat. Layer fixes (#1400570)
- fix incorrect parsing of CACertDir (orig. #1533955)
- fix PIN disclaimer not always shown (orig. #1516409)
- fix recursive directory deletion (orig. #1516409)
- Ensure consistency of a PEM dir before usage (orig. #1516409)