ce2de9613d
- reject non-file keyfiles in TLS_CACERTDIR (#652315) - TLS_CACERTDIR precedence over TLS_CACERT (#652304) - accept only files in hash.0 format in TLS_CACERTDIR (#650288) - improve SSL/TLS trace messages (#652818) - add support for multiple prefixed Mozilla NSS database files in TLS_CACERTDIR Resolves: #652315 #652304 #650288 #652818
137 lines
4.4 KiB
Diff
137 lines
4.4 KiB
Diff
TLS_CACERTDIR takes precedence over TLS_CACERTFILE
|
||
|
||
Resolves: #652304
|
||
Upstream ITS: #6704
|
||
Author: Rich Megginson (rmeggins@redhat.com)
|
||
|
||
diff -uNPrp openldap-2.4.23.old/libraries/libldap/tls_m.c openldap-2.4.23.new/libraries/libldap/tls_m.c
|
||
--- openldap-2.4.23.old/libraries/libldap/tls_m.c 2010-11-18 11:01:36.129392116 +0100
|
||
+++ openldap-2.4.23.new/libraries/libldap/tls_m.c 2010-11-18 11:02:19.466387205 +0100
|
||
@@ -1031,6 +1031,7 @@ tlsm_add_cert_from_file( tlsm_ctx *ctx,
|
||
}
|
||
|
||
if ( fi.type != PR_FILE_FILE ) {
|
||
+ PR_SetError(PR_IS_DIRECTORY_ERROR, 0);
|
||
Debug( LDAP_DEBUG_ANY,
|
||
"TLS: error: the certificate file %s is not a file.\n",
|
||
filename, 0 ,0 );
|
||
@@ -1123,6 +1124,7 @@ tlsm_add_key_from_file( tlsm_ctx *ctx, c
|
||
}
|
||
|
||
if ( fi.type != PR_FILE_FILE ) {
|
||
+ PR_SetError(PR_IS_DIRECTORY_ERROR, 0);
|
||
Debug( LDAP_DEBUG_ANY,
|
||
"TLS: error: the key file %s is not a file.\n",
|
||
filename, 0 ,0 );
|
||
@@ -1178,69 +1180,91 @@ static int
|
||
tlsm_init_ca_certs( tlsm_ctx *ctx, const char *cacertfile, const char *cacertdir )
|
||
{
|
||
PRBool isca = PR_TRUE;
|
||
+ PRStatus status = PR_FAILURE;
|
||
+ PRErrorCode errcode = PR_SUCCESS;
|
||
|
||
if ( cacertfile ) {
|
||
int rc = tlsm_add_cert_from_file( ctx, cacertfile, isca );
|
||
if ( rc ) {
|
||
- return rc;
|
||
+ errcode = PR_GetError();
|
||
+ Debug( LDAP_DEBUG_ANY,
|
||
+ "TLS: %s is not a valid CA certificate file - error %d:%s.\n",
|
||
+ cacertfile, errcode,
|
||
+ PR_ErrorToString( errcode, PR_LANGUAGE_I_DEFAULT ) );
|
||
+ } else {
|
||
+ Debug( LDAP_DEBUG_TRACE,
|
||
+ "TLS: loaded CA certificate file %s.\n",
|
||
+ cacertfile, 0, 0 );
|
||
+ status = PR_SUCCESS; /* have at least one good CA - we can proceed */
|
||
}
|
||
}
|
||
|
||
if ( cacertdir ) {
|
||
PRFileInfo fi;
|
||
- PRStatus status;
|
||
PRDir *dir;
|
||
PRDirEntry *entry;
|
||
+ PRStatus fistatus = PR_FAILURE;
|
||
|
||
memset( &fi, 0, sizeof(fi) );
|
||
- status = PR_GetFileInfo( cacertdir, &fi );
|
||
- if ( PR_SUCCESS != status) {
|
||
- PRErrorCode errcode = PR_GetError();
|
||
+ fistatus = PR_GetFileInfo( cacertdir, &fi );
|
||
+ if ( PR_SUCCESS != fistatus) {
|
||
+ errcode = PR_GetError();
|
||
Debug( LDAP_DEBUG_ANY,
|
||
"TLS: could not get info about the CA certificate directory %s - error %d:%s.\n",
|
||
cacertdir, errcode,
|
||
PR_ErrorToString( errcode, PR_LANGUAGE_I_DEFAULT ) );
|
||
- return -1;
|
||
+ goto done;
|
||
}
|
||
|
||
if ( fi.type != PR_FILE_DIRECTORY ) {
|
||
Debug( LDAP_DEBUG_ANY,
|
||
"TLS: error: the CA certificate directory %s is not a directory.\n",
|
||
cacertdir, 0 ,0 );
|
||
- return -1;
|
||
+ goto done;
|
||
}
|
||
|
||
dir = PR_OpenDir( cacertdir );
|
||
if ( NULL == dir ) {
|
||
- PRErrorCode errcode = PR_GetError();
|
||
+ errcode = PR_GetError();
|
||
Debug( LDAP_DEBUG_ANY,
|
||
"TLS: could not open the CA certificate directory %s - error %d:%s.\n",
|
||
cacertdir, errcode,
|
||
PR_ErrorToString( errcode, PR_LANGUAGE_I_DEFAULT ) );
|
||
- return -1;
|
||
+ goto done;
|
||
}
|
||
|
||
- status = -1;
|
||
do {
|
||
entry = PR_ReadDir( dir, PR_SKIP_BOTH | PR_SKIP_HIDDEN );
|
||
if ( NULL != entry ) {
|
||
char *fullpath = PR_smprintf( "%s/%s", cacertdir, entry->name );
|
||
if ( !tlsm_add_cert_from_file( ctx, fullpath, isca ) ) {
|
||
- status = 0; /* found at least 1 valid CA file in the dir */
|
||
+ Debug( LDAP_DEBUG_TRACE,
|
||
+ "TLS: loaded CA certificate file %s from CA certificate directory %s.\n",
|
||
+ fullpath, cacertdir, 0 );
|
||
+ status = PR_SUCCESS; /* found at least 1 valid CA file in the dir */
|
||
+ } else {
|
||
+ errcode = PR_GetError();
|
||
+ Debug( LDAP_DEBUG_TRACE,
|
||
+ "TLS: %s is not a valid CA certificate file - error %d:%s.\n",
|
||
+ fullpath, errcode,
|
||
+ PR_ErrorToString( errcode, PR_LANGUAGE_I_DEFAULT ) );
|
||
}
|
||
PR_smprintf_free( fullpath );
|
||
}
|
||
} while ( NULL != entry );
|
||
PR_CloseDir( dir );
|
||
-
|
||
- if ( status ) {
|
||
- PRErrorCode errcode = PR_GetError();
|
||
- Debug( LDAP_DEBUG_ANY,
|
||
- "TLS: did not find any valid CA certificate files in the CA certificate directory %s - error %d:%s.\n",
|
||
- cacertdir, errcode,
|
||
- PR_ErrorToString( errcode, PR_LANGUAGE_I_DEFAULT ) );
|
||
- return -1;
|
||
+ }
|
||
+done:
|
||
+ if ( status != PR_SUCCESS ) {
|
||
+ const char *fmtstr = NULL;
|
||
+ if ( cacertfile && cacertdir ) {
|
||
+ fmtstr = "TLS: did not find any valid CA certificates in %s or %s\n";
|
||
+ } else {
|
||
+ fmtstr = "TLS: did not find any valid CA certificates in %s%s\n";
|
||
}
|
||
+ Debug( LDAP_DEBUG_ANY, fmtstr, cacertdir ? cacertdir : "",
|
||
+ cacertfile ? cacertfile : "", 0 );
|
||
+ return -1;
|
||
}
|
||
|
||
return 0;
|