diff --git a/openldap-autoconf-pkgconfig-nss.patch b/openldap-autoconf-pkgconfig-nss.patch deleted file mode 100644 index 8b4bb19..0000000 --- a/openldap-autoconf-pkgconfig-nss.patch +++ /dev/null @@ -1,49 +0,0 @@ -Use pkg-config for Mozilla NSS library detection - -Author: Jan Vcelak - ---- - configure.in | 22 +++++----------------- - 1 file changed, 5 insertions(+), 17 deletions(-) - -diff --git a/configure.in b/configure.in -index ecffe30..2a9cfb4 100644 ---- a/configure.in -+++ b/configure.in -@@ -1223,28 +1223,16 @@ if test $ol_link_tls = no ; then - fi - fi - --dnl NOTE: caller must specify -I/path/to/nspr4 and -I/path/to/nss3 --dnl and -L/path/to/nspr4 libs and -L/path/to/nss3 libs if those libs --dnl are not in the default system location - if test $ol_link_tls = no ; then - if test $ol_with_tls = moznss || test $ol_with_tls = auto ; then -- have_moznss=no -- AC_CHECK_HEADERS([nssutil.h]) -- if test "$ac_cv_header_nssutil_h" = yes ; then -- AC_CHECK_LIB([nss3], [NSS_Initialize], -- [ have_moznss=yes ], [ have_moznss=no ]) -- fi -+ PKG_CHECK_MODULES(MOZNSS, [nss nspr], [have_moznss=yes], [have_moznss=no]) - -- if test "$have_moznss" = yes ; then -+ if test $have_moznss = yes ; then - ol_with_tls=moznss - ol_link_tls=yes -- AC_DEFINE(HAVE_MOZNSS, 1, -- [define if you have MozNSS]) -- TLS_LIBS="-lssl3 -lsmime3 -lnss3 -lnssutil3 -lplds4 -lplc4 -lnspr4" -- else -- if test $ol_with_tls = moznss ; then -- AC_MSG_ERROR([MozNSS not found - please specify the location to the NSPR and NSS header files in CPPFLAGS and the location to the NSPR and NSS libraries in LDFLAGS (if not in the system location)]) -- fi -+ AC_DEFINE(HAVE_MOZNSS, 1, [define if you have MozNSS]) -+ TLS_LIBS="$MOZNSS_LIBS" -+ CFLAGS="$CFLAGS $MOZNSS_CFLAGS" - fi - fi - fi --- -1.7.11.7 - diff --git a/openldap-nss-allow-certname-with-token-name.patch b/openldap-nss-allow-certname-with-token-name.patch deleted file mode 100644 index a75e84f..0000000 
--- a/openldap-nss-allow-certname-with-token-name.patch +++ /dev/null @@ -1,47 +0,0 @@ -Accept nss certificate name in the form of tokenname:certnickname - -Author: Rich Megginson -Upstream ITS: #7360 - -diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c -index 5022efb..7377bb1 100644 ---- a/libraries/libldap/tls_m.c -+++ b/libraries/libldap/tls_m.c -@@ -2102,6 +2102,22 @@ tlsm_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server ) - return 0; - } - -+/* returns true if the given string looks like -+ "tokenname" ":" "certnickname" -+ This is true if there is a ':' colon character -+ in the string and the colon is not the first -+ or the last character in the string -+*/ -+static int -+tlsm_is_tokenname_certnick( const char *certfile ) -+{ -+ if ( certfile ) { -+ const char *ptr = PL_strchr( certfile, ':' ); -+ return ptr && (ptr != certfile) && (*(ptr+1)); -+ } -+ return 0; -+} -+ - static int - tlsm_deferred_ctx_init( void *arg ) - { -@@ -2268,7 +2284,10 @@ tlsm_deferred_ctx_init( void *arg ) - } else { - char *tmp_certname; - -- if (ctx->tc_certdb_slot) { -+ if (tlsm_is_tokenname_certnick(lt->lt_certfile)) { -+ /* assume already in form tokenname:certnickname */ -+ tmp_certname = PL_strdup(lt->lt_certfile); -+ } else if (ctx->tc_certdb_slot) { - tmp_certname = PR_smprintf(TLSM_CERTDB_DESC_FMT ":%s", ctx->tc_unique, lt->lt_certfile); - } else { - tmp_certname = PR_smprintf("%s", lt->lt_certfile); --- -1.7.11.4 - diff --git a/openldap-nss-certs-from-certdb-fallback-pem.patch b/openldap-nss-certs-from-certdb-fallback-pem.patch deleted file mode 100644 index d20e48a..0000000 --- a/openldap-nss-certs-from-certdb-fallback-pem.patch +++ /dev/null 
@@ -1,86 +0,0 @@ -MozNSS: load certificates from certdb, fallback to PEM - -If TLS_CACERT pointed to a PEM file and TLS_CACERTDIR was set to NSS -certificate database, the backend assumed that the certificate is always -located in the certificate database. This assumption might be wrong. - -This patch makes the library to try to load the certificate from NSS -database and fallback to PEM file if unsuccessfull. - -Author: Jan Vcelak -Upstream ITS: #7389 -Resolves: #857455 - -diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c -index 6847bea..8339391 100644 ---- a/libraries/libldap/tls_m.c -+++ b/libraries/libldap/tls_m.c -@@ -1412,7 +1412,7 @@ tlsm_ctx_load_private_key( tlsm_ctx *ctx ) - /* prefer unlocked key, then key from opened certdb, then any other */ - if ( unlocked_key ) - ctx->tc_private_key = unlocked_key; -- else if ( ctx->tc_certdb_slot ) -+ else if ( ctx->tc_certdb_slot && !ctx->tc_using_pem ) - ctx->tc_private_key = PK11_FindKeyByDERCert( ctx->tc_certdb_slot, ctx->tc_certificate, pin_arg ); - else - ctx->tc_private_key = PK11_FindKeyByAnyCert( ctx->tc_certificate, pin_arg ); -@@ -1909,8 +1909,6 @@ tlsm_deferred_init( void *arg ) - } - return -1; - } -- -- ctx->tc_using_pem = PR_TRUE; - } - - NSS_SetDomesticPolicy(); -@@ -2363,15 +2361,9 @@ tlsm_deferred_ctx_init( void *arg ) - - /* set up our cert and key, if any */ - if ( lt->lt_certfile ) { -- /* if using the PEM module, load the PEM file specified by lt_certfile */ -- /* otherwise, assume this is the name of a cert already in the db */ -- if ( ctx->tc_using_pem ) { -- /* this sets ctx->tc_certificate to the correct value */ -- int rc = tlsm_add_cert_from_file( ctx, lt->lt_certfile, PR_FALSE ); -- if ( rc ) { -- return rc; -- } -- } else { -+ -+ /* first search in certdb (lt_certfile is nickname) */ -+ if ( ctx->tc_certdb ) { - char *tmp_certname; - - if ( tlsm_is_tokenname_certnick( lt->lt_certfile )) { -@@ -2391,8 +2383,31 @@ tlsm_deferred_ctx_init( void *arg ) - Debug( 
LDAP_DEBUG_ANY, - "TLS: error: the certificate '%s' could not be found in the database - error %d:%s.\n", - lt->lt_certfile, errcode, PR_ErrorToString( errcode, PR_LANGUAGE_I_DEFAULT ) ); -+ } -+ } -+ -+ /* fallback to PEM module (lt_certfile is filename) */ -+ if ( !ctx->tc_certificate ) { -+ if ( !pem_module && tlsm_init_pem_module() ) { -+ int pem_errcode = PORT_GetError(); -+ Debug( LDAP_DEBUG_ANY, -+ "TLS: fallback to PEM impossible, module cannot be loaded - error %d:%s.\n", -+ pem_errcode, PR_ErrorToString( pem_errcode, PR_LANGUAGE_I_DEFAULT ), 0 ); - return -1; - } -+ -+ /* this sets ctx->tc_certificate to the correct value */ -+ if ( !tlsm_add_cert_from_file( ctx, lt->lt_certfile, PR_FALSE ) ) { -+ ctx->tc_using_pem = PR_TRUE; -+ } -+ } -+ -+ if ( ctx->tc_certificate ) { -+ Debug( LDAP_DEBUG_ANY, -+ "TLS: certificate '%s' successfully loaded from %s.\n", lt->lt_certfile, -+ ctx->tc_using_pem ? "PEM file" : "moznss database", 0); -+ } else { -+ return -1; - } - } - diff --git a/openldap-nss-default-cipher-suite-always-selected.patch b/openldap-nss-default-cipher-suite-always-selected.patch deleted file mode 100644 index 10c3523..0000000 --- a/openldap-nss-default-cipher-suite-always-selected.patch +++ /dev/null 
@@ -1,34 +0,0 @@ -MozNSS: default cipher suite always selected - -Author: Tim Strobell -Upstream ITS: #7285 -Upstream commit: 2c2bb2e7aee1b2167f383a8344985a1cf66aff3f -Resolves: #828790 - -diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c -index 23d843c..b608551 100644 ---- a/libraries/libldap/tls_m.c -+++ b/libraries/libldap/tls_m.c -@@ -2218,12 +2218,13 @@ tlsm_deferred_ctx_init( void *arg ) - return -1; - } - -- if ( lt->lt_ciphersuite && -- tlsm_parse_ciphers( ctx, lt->lt_ciphersuite )) { -- Debug( LDAP_DEBUG_ANY, -- "TLS: could not set cipher list %s.\n", -- lt->lt_ciphersuite, 0, 0 ); -- return -1; -+ if ( lt->lt_ciphersuite ) { -+ if ( tlsm_parse_ciphers( ctx, lt->lt_ciphersuite ) ) { -+ Debug( LDAP_DEBUG_ANY, -+ "TLS: could not set cipher list %s.\n", -+ lt->lt_ciphersuite, 0, 0 ); -+ return -1; -+ } - } else if ( tlsm_parse_ciphers( ctx, "DEFAULT" ) ) { - Debug( LDAP_DEBUG_ANY, - "TLS: could not set cipher list DEFAULT.\n", --- -1.7.10.4 - diff --git a/openldap-nss-ignore-certdb-type-prefix.patch b/openldap-nss-ignore-certdb-type-prefix.patch deleted file mode 100644 index 2fab916..0000000 --- a/openldap-nss-ignore-certdb-type-prefix.patch +++ /dev/null 
@@ -1,47 +0,0 @@ -MozNSS: ignore certdb database type prefix when checking existence of the directory - -If the certdb is specified including the database type prefix (e.g. -sql:, dbm:), the prefix has to be ignored when checking the -certificate directory existence. - -Author: Jan Vcelak -Upstream ITS: #7388 -Resolves: #857373 - ---- - libraries/libldap/tls_m.c | 11 ++++++++++- - 1 file changed, 10 insertions(+), 1 deletion(-) - -diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c -index 49a3f8f..5ee21a2 100644 ---- a/libraries/libldap/tls_m.c -+++ b/libraries/libldap/tls_m.c -@@ -1633,6 +1633,7 @@ tlsm_get_certdb_prefix( const char *certdir, char **realcertdir, char **prefix ) - { - char sep = PR_GetDirectorySeparator(); - char *ptr = NULL; -+ char *chkpath = NULL; - struct PRFileInfo prfi; - PRStatus prc; - -@@ -1643,8 +1644,16 @@ tlsm_get_certdb_prefix( const char *certdir, char **realcertdir, char **prefix ) - return; - } - -- prc = PR_GetFileInfo( certdir, &prfi ); -+ /* ignore database type prefix (e.g. sql:, dbm:) if provided */ -+ chkpath = strchr( certdir, ':' ); -+ if ( chkpath != NULL ) { -+ chkpath += 1; -+ } else { -+ chkpath = certdir; -+ } -+ - /* if certdir exists (file or directory) then it cannot specify a prefix */ -+ prc = PR_GetFileInfo( chkpath, &prfi ); - if ( prc == PR_SUCCESS ) { - return; - } --- -1.7.11.7 - diff --git a/openldap-nss-multiple-tls-contexts.patch b/openldap-nss-multiple-tls-contexts.patch deleted file mode 100644 index bf008f4..0000000 --- a/openldap-nss-multiple-tls-contexts.patch +++ /dev/null 
@@ -1,1029 +0,0 @@ -MozNSS: TLS fixes which should resolve problems with applications using multiple TLS contexts - - - context specific token description for certdb - - store certificate object instead of nickname in in ctx - - lock whole init and clenaup process - - do not authenticate to a slot manually - - do not retry when reading the pin from file - -Author: Jan Vcelak -Upstream ITS: #7312 #7313 #7314 #7315 #7316 -Upstream commit: 87132b8 d07779e 3531c34 a171237 2db5195 -Resolves: #795763 (and possibly other) - -diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c -index 2e755eb..4b5727b 100644 ---- a/libraries/libldap/tls_m.c -+++ b/libraries/libldap/tls_m.c -@@ -81,16 +81,18 @@ - typedef struct tlsm_ctx { - PRFileDesc *tc_model; - int tc_refcnt; -+ int tc_unique; /* unique number associated with this ctx */ - PRBool tc_verify_cert; - CERTCertDBHandle *tc_certdb; -- char *tc_certname; -+ PK11SlotInfo *tc_certdb_slot; -+ CERTCertificate *tc_certificate; -+ SECKEYPrivateKey *tc_private_key; - char *tc_pin_file; - struct ldaptls *tc_config; - int tc_is_server; - int tc_require_cert; - PRCallOnceType tc_callonce; - PRBool tc_using_pem; -- char *tc_slotname; /* if using pem */ - #ifdef HAVE_NSS_INITCONTEXT - NSSInitContext *tc_initctx; /* the NSS context */ - #endif -@@ -104,10 +106,16 @@ typedef struct tlsm_ctx { - - typedef PRFileDesc tlsm_session; - -+static int tlsm_ctx_count; -+#define TLSM_CERTDB_DESC_FMT "ldap(%d)" -+ - static PRDescIdentity tlsm_layer_id; - - static const PRIOMethods tlsm_PR_methods; - -+#define CERTDB_NONE NULL -+#define PREFIX_NONE NULL -+ - #define PEM_LIBRARY "nsspem" - #define PEM_MODULE "PEM" - /* hash files for use with cacertdir have this file name suffix */ -@@ -117,13 +125,11 @@ static const PRIOMethods tlsm_PR_methods; - static SECMODModule *pem_module; - - #define DEFAULT_TOKEN_NAME "default" --/* sprintf format used to create token name */ --#define TLSM_PEM_TOKEN_FMT "PEM Token #%ld" -+#define 
TLSM_PEM_SLOT_CACERTS "PEM Token #0" -+#define TLSM_PEM_SLOT_CERTS "PEM Token #1" - --static int tlsm_slot_count; -- --#define PK11_SETATTRS(x,id,v,l) (x)->type = (id); \ -- (x)->pValue=(v); (x)->ulValueLen = (l); -+#define PK11_SETATTRS(x,id,v,l) (x).type = (id); \ -+ (x).pValue=(v); (x).ulValueLen = (l); - - /* forward declaration */ - static int tlsm_init( void ); -@@ -134,6 +140,7 @@ static int tlsm_init( void ); - tlsm_thr_init in a non-threaded context - so we have - to wrap the mutex creation in a prcallonce - */ -+static ldap_pvt_thread_mutex_t tlsm_ctx_count_mutex; - static ldap_pvt_thread_mutex_t tlsm_init_mutex; - static ldap_pvt_thread_mutex_t tlsm_pem_mutex; - static PRCallOnceType tlsm_init_mutex_callonce = {0,0}; -@@ -141,6 +148,12 @@ static PRCallOnceType tlsm_init_mutex_callonce = {0,0}; - static PRStatus PR_CALLBACK - tlsm_thr_init_callonce( void ) - { -+ if ( ldap_pvt_thread_mutex_init( &tlsm_ctx_count_mutex ) ) { -+ Debug( LDAP_DEBUG_ANY, -+ "TLS: could not create mutex for context counter: %d\n", errno, 0, 0 ); -+ return PR_FAILURE; -+ } -+ - if ( ldap_pvt_thread_mutex_init( &tlsm_init_mutex ) ) { - Debug( LDAP_DEBUG_ANY, - "TLS: could not create mutex for moznss initialization: %d\n", errno, 0, 0 ); -@@ -890,6 +903,8 @@ tlsm_get_pin(PK11SlotInfo *slot, PRBool retry, tlsm_ctx *ctx) - */ - if ( ctx->tc_pin_file ) { - pwdstr = tlsm_get_pin_from_file( token_name, ctx ); -+ if (retry && pwdstr != NULL) -+ return NULL; - } - #endif /* RETRIEVE_PASSWORD_FROM_FILE */ - #ifdef READ_PASSWORD_FROM_STDIN -@@ -932,6 +947,15 @@ tlsm_pin_prompt(PK11SlotInfo *slot, PRBool retry, void *arg) - return tlsm_get_pin( slot, retry, ctx ); - } - -+static char * -+tlsm_ctx_subject_name(tlsm_ctx *ctx) -+{ -+ if (!ctx || !ctx->tc_certificate) -+ return "(unknown)"; -+ -+ return ctx->tc_certificate->subjectName; -+} -+ - static SECStatus - tlsm_get_basic_constraint_extension( CERTCertificate *cert, - CERTBasicConstraints *cbcval ) -@@ -1088,25 +1112,6 @@ 
tlsm_auth_cert_handler(void *arg, PRFileDesc *fd, - return ret; - } - --static int --tlsm_authenticate_to_slot( tlsm_ctx *ctx, PK11SlotInfo *slot ) --{ -- int rc = -1; -- -- if ( SECSuccess != PK11_Authenticate( slot, PR_FALSE, ctx ) ) { -- char *token_name = PK11_GetTokenName( slot ); -- PRErrorCode errcode = PR_GetError(); -- Debug( LDAP_DEBUG_ANY, -- "TLS: could not authenticate to the security token %s - error %d:%s.\n", -- token_name ? token_name : DEFAULT_TOKEN_NAME, errcode, -- PR_ErrorToString( errcode, PR_LANGUAGE_I_DEFAULT ) ); -- } else { -- rc = 0; /* success */ -- } -- -- return rc; --} -- - static SECStatus - tlsm_nss_shutdown_cb( void *appData, void *nssData ) - { -@@ -1196,22 +1201,18 @@ tlsm_free_pem_objs( tlsm_ctx *ctx ) - } - - static int --tlsm_add_cert_from_file( tlsm_ctx *ctx, const char *filename, PRBool isca, PRBool istrusted ) -+tlsm_add_cert_from_file( tlsm_ctx *ctx, const char *filename, PRBool isca ) - { -- CK_SLOT_ID slotID; -- PK11SlotInfo *slot = NULL; -- PK11GenericObject *rv; -- CK_ATTRIBUTE *attrs; -- CK_ATTRIBUTE theTemplate[20]; -+ PK11SlotInfo *slot; -+ PK11GenericObject *cert; -+ CK_ATTRIBUTE attrs[4]; - CK_BBOOL cktrue = CK_TRUE; - CK_BBOOL ckfalse = CK_FALSE; - CK_OBJECT_CLASS objClass = CKO_CERTIFICATE; -- char tmpslotname[64]; -- char *slotname = NULL; -- const char *ptr = NULL; -- char sep = PR_GetDirectorySeparator(); -+ char *slotname; - PRFileInfo fi; - PRStatus status; -+ SECItem certDER = { 0, NULL, 0 }; - - memset( &fi, 0, sizeof(fi) ); - status = PR_GetFileInfo( filename, &fi ); -@@ -1232,87 +1233,96 @@ tlsm_add_cert_from_file( tlsm_ctx *ctx, const char *filename, PRBool isca, PRBoo - return -1; - } - -- attrs = theTemplate; -+ slotname = isca ? 
TLSM_PEM_SLOT_CACERTS : TLSM_PEM_SLOT_CERTS; -+ slot = PK11_FindSlotByName( slotname ); - -- if ( isca ) { -- slotID = 0; /* CA and trust objects use slot 0 */ -- PR_snprintf( tmpslotname, sizeof(tmpslotname), TLSM_PEM_TOKEN_FMT, slotID ); -- slotname = tmpslotname; -- istrusted = PR_TRUE; -- } else { -- if ( ctx->tc_slotname == NULL ) { /* need new slot */ -- if ( istrusted ) { -- slotID = 0; -- } else { -- slotID = ++tlsm_slot_count; -- } -- ctx->tc_slotname = PR_smprintf( TLSM_PEM_TOKEN_FMT, slotID ); -- } -- slotname = ctx->tc_slotname; -- -- if ( ( ptr = PL_strrchr( filename, sep ) ) ) { -- PL_strfree( ctx->tc_certname ); -- ++ptr; -- if ( istrusted ) { -- /* pemnss conflates trusted certs with CA certs - since there can -- be more than one CA cert in a file (e.g. ca-bundle.crt) pemnss -- numbers each trusted cert - in the case of a server cert, there will be -- only one, so it will be number 0 */ -- ctx->tc_certname = PR_smprintf( "%s:%s - 0", slotname, ptr ); -- } else { -- ctx->tc_certname = PR_smprintf( "%s:%s", slotname, ptr ); -- } -- } -+ if ( !slot ) { -+ PRErrorCode errcode = PR_GetError(); -+ Debug( LDAP_DEBUG_ANY, -+ "TLS: could not find the slot for the certificate '%s' - error %d:%s.\n", -+ filename, errcode, PR_ErrorToString( errcode, PR_LANGUAGE_I_DEFAULT ) ); -+ return -1; - } - -- slot = PK11_FindSlotByName( slotname ); -+ PK11_SETATTRS( attrs[0], CKA_CLASS, &objClass, sizeof(objClass) ); -+ PK11_SETATTRS( attrs[1], CKA_TOKEN, &cktrue, sizeof(CK_BBOOL) ); -+ PK11_SETATTRS( attrs[2], CKA_LABEL, (unsigned char *)filename, strlen(filename)+1 ); -+ PK11_SETATTRS( attrs[3], CKA_TRUST, isca ? 
&cktrue : &ckfalse, sizeof(CK_BBOOL) ); - -- if ( !slot ) { -+ cert = PK11_CreateGenericObject( slot, attrs, 4, PR_FALSE /* isPerm */ ); -+ -+ if ( !cert ) { - PRErrorCode errcode = PR_GetError(); - Debug( LDAP_DEBUG_ANY, -- "TLS: could not find the slot for certificate %s - error %d:%s.\n", -- ctx->tc_certname, errcode, -- PR_ErrorToString( errcode, PR_LANGUAGE_I_DEFAULT ) ); -+ "TLS: could not add the certificate '%s' - error %d:%s.\n", -+ filename, errcode, PR_ErrorToString( errcode, PR_LANGUAGE_I_DEFAULT ) ); -+ PK11_FreeSlot( slot ); - return -1; - } - -- PK11_SETATTRS( attrs, CKA_CLASS, &objClass, sizeof(objClass) ); attrs++; -- PK11_SETATTRS( attrs, CKA_TOKEN, &cktrue, sizeof(CK_BBOOL) ); attrs++; -- PK11_SETATTRS( attrs, CKA_LABEL, (unsigned char *)filename, strlen(filename)+1 ); attrs++; -- if ( istrusted ) { -- PK11_SETATTRS( attrs, CKA_TRUST, &cktrue, sizeof(CK_BBOOL) ); attrs++; -- } else { -- PK11_SETATTRS( attrs, CKA_TRUST, &ckfalse, sizeof(CK_BBOOL) ); attrs++; -+ /* if not CA, we store the certificate in ctx->tc_certificate */ -+ if ( !isca ) { -+ if ( PK11_ReadRawAttribute( PK11_TypeGeneric, cert, CKA_VALUE, &certDER ) != SECSuccess ) { -+ PRErrorCode errcode = PR_GetError(); -+ Debug( LDAP_DEBUG_ANY, -+ "TLS: could not get DER of the '%s' certificate - error %d:%s.\n", -+ filename, errcode, PR_ErrorToString( errcode, PR_LANGUAGE_I_DEFAULT ) ); -+ PK11_DestroyGenericObject( cert ); -+ PK11_FreeSlot( slot ); -+ return -1; -+ } -+ -+ ctx->tc_certificate = PK11_FindCertFromDERCertItem( slot, &certDER, NULL ); -+ SECITEM_FreeItem( &certDER, PR_FALSE ); -+ -+ if ( !ctx->tc_certificate ) { -+ PRErrorCode errcode = PR_GetError(); -+ Debug( LDAP_DEBUG_ANY, -+ "TLS: could not get certificate '%s' using DER - error %d:%s.\n", -+ filename, errcode, PR_ErrorToString( errcode, PR_LANGUAGE_I_DEFAULT ) ); -+ PK11_DestroyGenericObject( cert ); -+ PK11_FreeSlot( slot ); -+ return -1; -+ } - } -- /* This loads the certificate in our PEM module into the appropriate 
-- * slot. -- */ -- rv = PK11_CreateGenericObject( slot, theTemplate, 4, PR_FALSE /* isPerm */ ); -+ -+ tlsm_add_pem_obj( ctx, cert ); - - PK11_FreeSlot( slot ); - -- if ( !rv ) { -+ return 0; -+} -+ -+static int -+tlsm_ctx_load_private_key(tlsm_ctx *ctx) -+{ -+ if (!ctx->tc_certificate) -+ return -1; -+ -+ if (ctx->tc_private_key) -+ return 0; -+ -+ void *pin_arg = SSL_RevealPinArg(ctx->tc_model); -+ -+ ctx->tc_private_key = PK11_FindKeyByAnyCert(ctx->tc_certificate, pin_arg); -+ if (!ctx->tc_private_key) { - PRErrorCode errcode = PR_GetError(); -- Debug( LDAP_DEBUG_ANY, -- "TLS: could not add the certificate %s - error %d:%s.\n", -- ctx->tc_certname, errcode, -- PR_ErrorToString( errcode, PR_LANGUAGE_I_DEFAULT ) ); -+ Debug(LDAP_DEBUG_ANY, -+ "TLS: cannot find private key for certificate '%s' (error %d: %s)", -+ tlsm_ctx_subject_name(ctx), errcode, -+ PR_ErrorToString(errcode, PR_LANGUAGE_I_DEFAULT)); - return -1; - } - -- tlsm_add_pem_obj( ctx, rv ); -- - return 0; - } - - static int - tlsm_add_key_from_file( tlsm_ctx *ctx, const char *filename ) - { -- CK_SLOT_ID slotID; - PK11SlotInfo * slot = NULL; -- PK11GenericObject *rv; -- CK_ATTRIBUTE *attrs; -- CK_ATTRIBUTE theTemplate[20]; -+ PK11GenericObject *key; -+ CK_ATTRIBUTE attrs[3]; - CK_BBOOL cktrue = CK_TRUE; - CK_OBJECT_CLASS objClass = CKO_PRIVATE_KEY; - int retcode = 0; -@@ -1338,48 +1348,40 @@ tlsm_add_key_from_file( tlsm_ctx *ctx, const char *filename ) - return -1; - } - -- attrs = theTemplate; -- -- if ( ctx->tc_slotname == NULL ) { /* need new slot */ -- slotID = ++tlsm_slot_count; -- ctx->tc_slotname = PR_smprintf( TLSM_PEM_TOKEN_FMT, slotID ); -- } -- slot = PK11_FindSlotByName( ctx->tc_slotname ); -+ slot = PK11_FindSlotByName( TLSM_PEM_SLOT_CERTS ); - - if ( !slot ) { - PRErrorCode errcode = PR_GetError(); - Debug( LDAP_DEBUG_ANY, -- "TLS: could not find the slot %s for the private key - error %d:%s.\n", -- ctx->tc_slotname, errcode, -- PR_ErrorToString( errcode, PR_LANGUAGE_I_DEFAULT ) ); -+ 
"TLS: could not find the slot for the private key '%s' - error %d:%s.\n", -+ filename, errcode, PR_ErrorToString( errcode, PR_LANGUAGE_I_DEFAULT ) ); - return -1; - } - -- PK11_SETATTRS( attrs, CKA_CLASS, &objClass, sizeof(objClass) ); attrs++; -- PK11_SETATTRS( attrs, CKA_TOKEN, &cktrue, sizeof(CK_BBOOL) ); attrs++; -- PK11_SETATTRS( attrs, CKA_LABEL, (unsigned char *)filename, strlen(filename)+1 ); attrs++; -- rv = PK11_CreateGenericObject( slot, theTemplate, 3, PR_FALSE /* isPerm */ ); -+ PK11_SETATTRS( attrs[0], CKA_CLASS, &objClass, sizeof(objClass) ); -+ PK11_SETATTRS( attrs[1], CKA_TOKEN, &cktrue, sizeof(CK_BBOOL) ); -+ PK11_SETATTRS( attrs[2], CKA_LABEL, (unsigned char *)filename, strlen(filename)+1 ); -+ -+ key = PK11_CreateGenericObject( slot, attrs, 3, PR_FALSE /* isPerm */ ); - -- if ( !rv ) { -+ if ( !key ) { - PRErrorCode errcode = PR_GetError(); - Debug( LDAP_DEBUG_ANY, -- "TLS: could not add the certificate %s - error %d:%s.\n", -- ctx->tc_certname, errcode, -- PR_ErrorToString( errcode, PR_LANGUAGE_I_DEFAULT ) ); -+ "TLS: could not add the private key '%s' - error %d:%s.\n", -+ filename, errcode, PR_ErrorToString( errcode, PR_LANGUAGE_I_DEFAULT ) ); - retcode = -1; - } else { -+ tlsm_add_pem_obj( ctx, key ); -+ retcode = 0; -+ - /* When adding an encrypted key the PKCS#11 will be set as removed */ - /* This will force the token to be seen as re-inserted */ - SECMOD_WaitForAnyTokenEvent( pem_module, 0, 0 ); - PK11_IsPresent( slot ); -- retcode = 0; - } - - PK11_FreeSlot( slot ); - -- if ( !retcode ) { -- tlsm_add_pem_obj( ctx, rv ); -- } - return retcode; - } - -@@ -1396,7 +1398,7 @@ tlsm_init_ca_certs( tlsm_ctx *ctx, const char *cacertfile, const char *cacertdir - } - - if ( cacertfile ) { -- int rc = tlsm_add_cert_from_file( ctx, cacertfile, isca, PR_TRUE ); -+ int rc = tlsm_add_cert_from_file( ctx, cacertfile, isca ); - if ( rc ) { - errcode = PR_GetError(); - Debug( LDAP_DEBUG_ANY, -@@ -1470,7 +1472,7 @@ tlsm_init_ca_certs( tlsm_ctx *ctx, const 
char *cacertfile, const char *cacertdir - continue; - } - fullpath = PR_smprintf( "%s/%s", cacertdir, entry->name ); -- if ( !tlsm_add_cert_from_file( ctx, fullpath, isca, PR_TRUE ) ) { -+ if ( !tlsm_add_cert_from_file( ctx, fullpath, isca ) ) { - Debug( LDAP_DEBUG_TRACE, - "TLS: loaded CA certificate file %s from CA certificate directory %s.\n", - fullpath, cacertdir, 0 ); -@@ -1534,6 +1536,45 @@ tlsm_get_certdb_prefix( const char *certdir, char **realcertdir, char **prefix ) - } - - /* -+ * Currently mutiple MozNSS contexts share one certificate storage. When the -+ * certdb is being opened, only new certificates are added to the storage. -+ * When different databases are used, conflicting nicknames make the -+ * certificate lookup by the nickname impossible. In addition a token -+ * description might be prepended in certain conditions. -+ * -+ * In order to make the certificate lookup by nickname possible, we explicitly -+ * open each database using SECMOD_OpenUserDB and assign it the token -+ * description. The token description is generated using ctx->tc_unique value, -+ * which is unique for each context. 
-+ */ -+static PK11SlotInfo * -+tlsm_init_open_certdb(tlsm_ctx *ctx, const char *dbdir, const char *prefix) -+{ -+ PK11SlotInfo *slot = NULL; -+ char *token_desc = NULL; -+ char *config = NULL; -+ -+ token_desc = PR_smprintf(TLSM_CERTDB_DESC_FMT, ctx->tc_unique); -+ config = PR_smprintf("configDir='%s' tokenDescription='%s' certPrefix='%s' keyPrefix='%s' flags=readOnly", -+ dbdir, token_desc, prefix, prefix); -+ Debug(LDAP_DEBUG_TRACE, "TLS: certdb config: %s\n", config, 0, 0); -+ -+ slot = SECMOD_OpenUserDB(config); -+ if (!slot) { -+ PRErrorCode errcode = PR_GetError(); -+ Debug(LDAP_DEBUG_TRACE, "TLS: cannot open certdb '%s', error %d:%s\n", dbdir, errcode, -+ PR_ErrorToString(errcode, PR_LANGUAGE_I_DEFAULT)); -+ } -+ -+ if (token_desc) -+ PR_smprintf_free(token_desc); -+ if (config) -+ PR_smprintf_free(config); -+ -+ return slot; -+} -+ -+/* - * This is the part of the init we defer until we get the - * actual security configuration information. This is - * only called once, protected by a PRCallOnce -@@ -1553,6 +1594,7 @@ tlsm_deferred_init( void *arg ) - #ifdef HAVE_NSS_INITCONTEXT - NSSInitParameters initParams; - NSSInitContext *initctx = NULL; -+ PK11SlotInfo *certdb_slot = NULL; - #endif - SECStatus rc; - int done = 0; -@@ -1613,28 +1655,37 @@ tlsm_deferred_init( void *arg ) - } - - tlsm_get_certdb_prefix( securitydir, &realcertdir, &prefix ); -- LDAP_MUTEX_LOCK( &tlsm_init_mutex ); - -+ /* initialize only moddb; certdb will be initialized explicitly */ - #ifdef HAVE_NSS_INITCONTEXT - #ifdef INITCONTEXT_HACK - if ( !NSS_IsInitialized() && ctx->tc_is_server ) { - rc = NSS_Initialize( realcertdir, prefix, prefix, SECMOD_DB, NSS_INIT_READONLY ); - } else { - initctx = NSS_InitContext( realcertdir, prefix, prefix, SECMOD_DB, -- &initParams, NSS_INIT_READONLY ); -- rc = (initctx == NULL) ? 
SECFailure : SECSuccess; -+ &initParams, NSS_INIT_READONLY|NSS_INIT_NOCERTDB ); - } - #else - initctx = NSS_InitContext( realcertdir, prefix, prefix, SECMOD_DB, -- &initParams, NSS_INIT_READONLY ); -- rc = (initctx == NULL) ? SECFailure : SECSuccess; -+ &initParams, NSS_INIT_READONLY|NSS_INIT_NOCERTDB ); - #endif -+ rc = SECFailure; -+ -+ if (initctx != NULL) { -+ certdb_slot = tlsm_init_open_certdb(ctx, realcertdir, prefix); -+ if (certdb_slot) { -+ rc = SECSuccess; -+ ctx->tc_initctx = initctx; -+ ctx->tc_certdb_slot = certdb_slot; -+ } else { -+ NSS_ShutdownContext(initctx); -+ initctx = NULL; -+ } -+ } - #else - rc = NSS_Initialize( realcertdir, prefix, prefix, SECMOD_DB, NSS_INIT_READONLY ); - #endif - -- LDAP_MUTEX_UNLOCK( &tlsm_init_mutex ); -- - if ( rc != SECSuccess ) { - errcode = PORT_GetError(); - if ( securitydirs[ii] != lt->lt_cacertdir) { -@@ -1658,26 +1709,29 @@ tlsm_deferred_init( void *arg ) - } - - if ( errcode ) { /* no moznss db found, or not using moznss db */ -- LDAP_MUTEX_LOCK( &tlsm_init_mutex ); - #ifdef HAVE_NSS_INITCONTEXT - int flags = NSS_INIT_READONLY|NSS_INIT_NOCERTDB|NSS_INIT_NOMODDB; - #ifdef INITCONTEXT_HACK - if ( !NSS_IsInitialized() && ctx->tc_is_server ) { - rc = NSS_NoDB_Init( NULL ); - } else { -- initctx = NSS_InitContext( "", "", "", SECMOD_DB, -+ initctx = NSS_InitContext( CERTDB_NONE, PREFIX_NONE, PREFIX_NONE, SECMOD_DB, - &initParams, flags ); - rc = (initctx == NULL) ? SECFailure : SECSuccess; - } - #else -- initctx = NSS_InitContext( "", "", "", SECMOD_DB, -+ initctx = NSS_InitContext( CERTDB_NONE, PREFIX_NONE, PREFIX_NONE, SECMOD_DB, - &initParams, flags ); -- rc = (initctx == NULL) ? 
SECFailure : SECSuccess; -+ if (initctx) { -+ ctx->tc_initctx = initctx; -+ rc = SECSuccess; -+ } else { -+ rc = SECFailure; -+ } - #endif - #else - rc = NSS_NoDB_Init( NULL ); - #endif -- LDAP_MUTEX_UNLOCK( &tlsm_init_mutex ); - if ( rc != SECSuccess ) { - errcode = PORT_GetError(); - Debug( LDAP_DEBUG_ANY, -@@ -1685,18 +1739,11 @@ tlsm_deferred_init( void *arg ) - errcode, PR_ErrorToString( errcode, PR_LANGUAGE_I_DEFAULT ), 0 ); - return -1; - } -- --#ifdef HAVE_NSS_INITCONTEXT -- ctx->tc_initctx = initctx; --#endif -- - } - - if ( errcode || lt->lt_cacertfile ) { - /* initialize the PEM module */ -- LDAP_MUTEX_LOCK( &tlsm_init_mutex ); - if ( tlsm_init_pem_module() ) { -- LDAP_MUTEX_UNLOCK( &tlsm_init_mutex ); - int pem_errcode = PORT_GetError(); - Debug( LDAP_DEBUG_ANY, - "TLS: could not initialize moznss PEM module - error %d:%s.\n", -@@ -1708,7 +1755,6 @@ tlsm_deferred_init( void *arg ) - } else if ( !errcode ) { - tlsm_init_ca_certs( ctx, lt->lt_cacertfile, NULL ); - } -- LDAP_MUTEX_UNLOCK( &tlsm_init_mutex ); - } - - if ( errcode ) { -@@ -1734,12 +1780,6 @@ tlsm_deferred_init( void *arg ) - ctx->tc_using_pem = PR_TRUE; - } - --#ifdef HAVE_NSS_INITCONTEXT -- if ( !ctx->tc_initctx ) { -- ctx->tc_initctx = initctx; -- } --#endif -- - NSS_SetDomesticPolicy(); - - PK11_SetPasswordFunc( tlsm_pin_prompt ); -@@ -1754,10 +1794,8 @@ tlsm_deferred_init( void *arg ) - } - - if ( ctx->tc_is_server ) { -- LDAP_MUTEX_LOCK( &tlsm_init_mutex ); - /* 0 means use the defaults here */ - SSL_ConfigServerSessionIDCache( 0, 0, 0, NULL ); -- LDAP_MUTEX_UNLOCK( &tlsm_init_mutex ); - } - - #ifndef HAVE_NSS_INITCONTEXT -@@ -1767,137 +1805,34 @@ tlsm_deferred_init( void *arg ) - return 0; - } - --static int --tlsm_authenticate( tlsm_ctx *ctx, const char *certname, const char *pininfo ) --{ -- const char *colon = NULL; -- char *token_name = NULL; -- PK11SlotInfo *slot = NULL; -- int rc = -1; -- -- if ( !certname || !*certname ) { -- return 0; -- } -- -- if ( ( colon = PL_strchr( 
certname, ':' ) ) ) { -- token_name = PL_strndup( certname, colon-certname ); -- } -- -- if ( token_name ) { -- slot = PK11_FindSlotByName( token_name ); -- } else { -- slot = PK11_GetInternalKeySlot(); -- } -- -- if ( !slot ) { -- PRErrorCode errcode = PR_GetError(); -- Debug( LDAP_DEBUG_ANY, -- "TLS: could not find the slot for security token %s - error %d:%s.\n", -- token_name ? token_name : DEFAULT_TOKEN_NAME, errcode, -- PR_ErrorToString( errcode, PR_LANGUAGE_I_DEFAULT ) ); -- goto done; -- } -- -- rc = tlsm_authenticate_to_slot( ctx, slot ); -- --done: -- PL_strfree( token_name ); -- if ( slot ) { -- PK11_FreeSlot( slot ); -- } -- -- return rc; --} -- - /* - * Find and verify the certificate. -- * Either fd is given, in which case the cert will be taken from it via SSL_PeerCertificate -- * or certname is given, and it will be searched for by name -+ * The key is loaded and stored in ctx->tc_private_key - */ - static int --tlsm_find_and_verify_cert_key(tlsm_ctx *ctx, PRFileDesc *fd, const char *certname, int isServer, CERTCertificate **pRetCert, SECKEYPrivateKey **pRetKey) -+tlsm_find_and_verify_cert_key(tlsm_ctx *ctx) - { -- CERTCertificate *cert = NULL; -- int rc = -1; -- void *pin_arg = NULL; -- SECKEYPrivateKey *key = NULL; -+ SECCertificateUsage certUsage; -+ PRBool checkSig; -+ SECStatus status; -+ int errorToIgnore; -+ void *pin_arg; - -- pin_arg = SSL_RevealPinArg( fd ); -- if ( certname ) { -- cert = PK11_FindCertFromNickname( certname, pin_arg ); -- if ( !cert ) { -- PRErrorCode errcode = PR_GetError(); -- Debug( LDAP_DEBUG_ANY, -- "TLS: error: the certificate %s could not be found in the database - error %d:%s\n", -- certname, errcode, PR_ErrorToString( errcode, PR_LANGUAGE_I_DEFAULT ) ); -- return -1; -- } -- } else { -- /* we are verifying the peer cert -- we also need to swap the isServer meaning */ -- cert = SSL_PeerCertificate( fd ); -- if ( !cert ) { -- PRErrorCode errcode = PR_GetError(); -- Debug( LDAP_DEBUG_ANY, -- "TLS: error: could not 
get the certificate from the peer connection - error %d:%s\n", -- errcode, PR_ErrorToString( errcode, PR_LANGUAGE_I_DEFAULT ), NULL ); -- return -1; -- } -- isServer = !isServer; /* verify the peer's cert instead */ -- } -- -- if ( ctx->tc_slotname ) { -- PK11SlotInfo *slot = PK11_FindSlotByName( ctx->tc_slotname ); -- key = PK11_FindPrivateKeyFromCert( slot, cert, NULL ); -- PK11_FreeSlot( slot ); -- } else { -- key = PK11_FindKeyByAnyCert( cert, pin_arg ); -- } -- -- if (key) { -- SECCertificateUsage certUsage; -- PRBool checkSig = PR_TRUE; -- SECStatus status; -- /* may not have a CA cert - ok - ignore SEC_ERROR_UNKNOWN_ISSUER */ -- int errorToIgnore = SEC_ERROR_UNKNOWN_ISSUER; -+ if (tlsm_ctx_load_private_key(ctx)) -+ return -1; - -- if ( pRetKey ) { -- *pRetKey = key; /* caller will deal with this */ -- } else { -- SECKEY_DestroyPrivateKey( key ); -- } -- if ( isServer ) { -- certUsage = certificateUsageSSLServer; -- } else { -- certUsage = certificateUsageSSLClient; -- } -- if ( ctx->tc_verify_cert ) { -- checkSig = PR_TRUE; -- } else { -- checkSig = PR_FALSE; -- } -- if ( ctx->tc_warn_only ) { -- errorToIgnore = -1; -- } -- status = tlsm_verify_cert( ctx->tc_certdb, cert, pin_arg, -- checkSig, certUsage, errorToIgnore ); -- if ( status == SECSuccess ) { -- rc = 0; -- } -- } else { -- PRErrorCode errcode = PR_GetError(); -- Debug( LDAP_DEBUG_ANY, -- "TLS: error: could not find the private key for certificate %s - error %d:%s\n", -- certname, errcode, PR_ErrorToString( errcode, PR_LANGUAGE_I_DEFAULT ) ); -- } -+ pin_arg = SSL_RevealPinArg(ctx->tc_model); -+ certUsage = ctx->tc_is_server ? certificateUsageSSLServer : certificateUsageSSLClient; -+ checkSig = ctx->tc_verify_cert ? 
PR_TRUE : PR_FALSE; -+ if ( ctx->tc_warn_only ) -+ errorToIgnore = -1; -+ else -+ errorToIgnore = SEC_ERROR_UNKNOWN_ISSUER; /* may not have a CA cert */ - -- if ( pRetCert ) { -- *pRetCert = cert; /* caller will deal with this */ -- } else { -- CERT_DestroyCertificate( cert ); -- } -+ status = tlsm_verify_cert( ctx->tc_certdb, ctx->tc_certificate, pin_arg, -+ checkSig, certUsage, errorToIgnore ); - -- return rc; -+ return status == SECSuccess ? 0 : -1; - } - - static int -@@ -1906,39 +1841,18 @@ tlsm_get_client_auth_data( void *arg, PRFileDesc *fd, - SECKEYPrivateKey **pRetKey ) - { - tlsm_ctx *ctx = (tlsm_ctx *)arg; -- int rc; -- PRBool saveval; - -- /* don't need caNames - this function will call CERT_VerifyCertificateNow -- which will verify the cert against the known CAs */ -- saveval = ctx->tc_warn_only; -- ctx->tc_warn_only = PR_TRUE; -- rc = tlsm_find_and_verify_cert_key( ctx, fd, ctx->tc_certname, 0, pRetCert, pRetKey ); -- ctx->tc_warn_only = saveval; -- if ( rc ) { -- Debug( LDAP_DEBUG_ANY, -- "TLS: error: unable to perform client certificate authentication for " -- "certificate named %s\n", ctx->tc_certname, 0, 0 ); -- if ( pRetKey && *pRetKey ) { -- SECKEY_DestroyPrivateKey( *pRetKey ); -- *pRetKey = NULL; -- } -- if ( pRetCert && *pRetCert ) { -- CERT_DestroyCertificate( *pRetCert ); -- *pRetCert = NULL; -- } -- return SECFailure; -- } -+ if (pRetCert) -+ *pRetCert = CERT_DupCertificate(ctx->tc_certificate); -+ -+ if (pRetKey) -+ *pRetKey = SECKEY_CopyPrivateKey(ctx->tc_private_key); - - return SECSuccess; - } - - /* - * ctx must have a tc_model that is valid -- * certname is in the form [:] -- * where is the name of the PKCS11 token -- * and is the nickname of the cert/key in -- * the database - */ - static int - tlsm_clientauth_init( tlsm_ctx *ctx ) -@@ -1949,12 +1863,12 @@ tlsm_clientauth_init( tlsm_ctx *ctx ) - - saveval = ctx->tc_warn_only; - ctx->tc_warn_only = PR_TRUE; -- rc = tlsm_find_and_verify_cert_key( ctx, ctx->tc_model, ctx->tc_certname, 
0, NULL, NULL ); -+ rc = tlsm_find_and_verify_cert_key(ctx); - ctx->tc_warn_only = saveval; - if ( rc ) { - Debug( LDAP_DEBUG_ANY, - "TLS: error: unable to set up client certificate authentication for " -- "certificate named %s\n", ctx->tc_certname, 0, 0 ); -+ "certificate named %s\n", tlsm_ctx_subject_name(ctx), 0, 0 ); - return -1; - } - -@@ -1972,6 +1886,7 @@ static void - tlsm_destroy( void ) - { - #ifdef LDAP_R_COMPILE -+ ldap_pvt_thread_mutex_destroy( &tlsm_ctx_count_mutex ); - ldap_pvt_thread_mutex_destroy( &tlsm_init_mutex ); - ldap_pvt_thread_mutex_destroy( &tlsm_pem_mutex ); - #endif -@@ -2048,16 +1963,20 @@ tlsm_ctx_new ( struct ldapoptions *lo ) - #ifdef LDAP_R_COMPILE - ldap_pvt_thread_mutex_init( &ctx->tc_refmutex ); - #endif -+ LDAP_MUTEX_LOCK( &tlsm_ctx_count_mutex ); -+ ctx->tc_unique = tlsm_ctx_count++; -+ LDAP_MUTEX_UNLOCK( &tlsm_ctx_count_mutex ); - ctx->tc_config = NULL; /* populated later by tlsm_ctx_init */ - ctx->tc_certdb = NULL; -- ctx->tc_certname = NULL; -+ ctx->tc_certdb_slot = NULL; -+ ctx->tc_certificate = NULL; -+ ctx->tc_private_key = NULL; - ctx->tc_pin_file = NULL; - ctx->tc_model = NULL; - memset(&ctx->tc_callonce, 0, sizeof(ctx->tc_callonce)); - ctx->tc_require_cert = lo->ldo_tls_require_cert; - ctx->tc_verify_cert = PR_FALSE; - ctx->tc_using_pem = PR_FALSE; -- ctx->tc_slotname = NULL; - #ifdef HAVE_NSS_INITCONTEXT - ctx->tc_initctx = NULL; - #endif /* HAVE_NSS_INITCONTEXT */ -@@ -2090,28 +2009,38 @@ tlsm_ctx_free ( tls_ctx *ctx ) - LDAP_MUTEX_UNLOCK( &c->tc_refmutex ); - if ( refcount ) - return; -+ -+ LDAP_MUTEX_LOCK( &tlsm_init_mutex ); - if ( c->tc_model ) - PR_Close( c->tc_model ); -+ if (c->tc_certificate) -+ CERT_DestroyCertificate(c->tc_certificate); -+ if (c->tc_private_key) -+ SECKEY_DestroyPrivateKey(c->tc_private_key); - c->tc_certdb = NULL; /* if not the default, may have to clean up */ -- PL_strfree( c->tc_certname ); -- c->tc_certname = NULL; -+ if ( c->tc_certdb_slot ) { -+ if ( SECMOD_CloseUserDB( 
c->tc_certdb_slot ) ) { -+ PRErrorCode errcode = PR_GetError(); -+ Debug( LDAP_DEBUG_ANY, -+ "TLS: could not close certdb slot - error %d:%s.\n", -+ errcode, PR_ErrorToString( errcode, PR_LANGUAGE_I_DEFAULT ), 0 ); -+ } -+ } - PL_strfree( c->tc_pin_file ); - c->tc_pin_file = NULL; -- PL_strfree( c->tc_slotname ); - tlsm_free_pem_objs( c ); - #ifdef HAVE_NSS_INITCONTEXT - if ( c->tc_initctx ) { -- LDAP_MUTEX_LOCK( &tlsm_init_mutex ); - if ( NSS_ShutdownContext( c->tc_initctx ) ) { - PRErrorCode errcode = PR_GetError(); - Debug( LDAP_DEBUG_ANY, - "TLS: could not shutdown NSS - error %d:%s.\n", - errcode, PR_ErrorToString( errcode, PR_LANGUAGE_I_DEFAULT ), 0 ); - } -- LDAP_MUTEX_UNLOCK( &tlsm_init_mutex ); - } - c->tc_initctx = NULL; - #endif /* HAVE_NSS_INITCONTEXT */ -+ LDAP_MUTEX_UNLOCK( &tlsm_init_mutex ); - #ifdef LDAP_R_COMPILE - ldap_pvt_thread_mutex_destroy( &c->tc_refmutex ); - #endif -@@ -2173,6 +2102,12 @@ tlsm_deferred_ctx_init( void *arg ) - return -1; - } - -+ if ( SSL_SetPKCS11PinArg(ctx->tc_model, ctx) ) { -+ Debug( LDAP_DEBUG_ANY, -+ "TLS: could not set pin prompt argument\n", 0, 0, 0); -+ return -1; -+ } -+ - if ( SECSuccess != SSL_OptionSet( ctx->tc_model, SSL_SECURITY, PR_TRUE ) ) { - Debug( LDAP_DEBUG_ANY, - "TLS: could not set secure mode on.\n", -@@ -2287,14 +2222,30 @@ tlsm_deferred_ctx_init( void *arg ) - /* if using the PEM module, load the PEM file specified by lt_certfile */ - /* otherwise, assume this is the name of a cert already in the db */ - if ( ctx->tc_using_pem ) { -- /* this sets ctx->tc_certname to the correct value */ -- int rc = tlsm_add_cert_from_file( ctx, lt->lt_certfile, PR_FALSE, PR_TRUE ); -+ /* this sets ctx->tc_certificate to the correct value */ -+ int rc = tlsm_add_cert_from_file( ctx, lt->lt_certfile, PR_FALSE ); - if ( rc ) { - return rc; - } - } else { -- PL_strfree( ctx->tc_certname ); -- ctx->tc_certname = PL_strdup( lt->lt_certfile ); -+ char *tmp_certname; -+ -+ if (ctx->tc_certdb_slot) { -+ tmp_certname = 
PR_smprintf(TLSM_CERTDB_DESC_FMT ":%s", ctx->tc_unique, lt->lt_certfile); -+ } else { -+ tmp_certname = PR_smprintf("%s", lt->lt_certfile); -+ } -+ -+ ctx->tc_certificate = PK11_FindCertFromNickname(tmp_certname, SSL_RevealPinArg(ctx->tc_model)); -+ PR_smprintf_free(tmp_certname); -+ -+ if (!ctx->tc_certificate) { -+ PRErrorCode errcode = PR_GetError(); -+ Debug( LDAP_DEBUG_ANY, -+ "TLS: error: the certificate '%s' could not be found in the database - error %d:%s.\n", -+ lt->lt_certfile, errcode, PR_ErrorToString( errcode, PR_LANGUAGE_I_DEFAULT ) ); -+ return -1; -+ } - } - } - -@@ -2302,7 +2253,6 @@ tlsm_deferred_ctx_init( void *arg ) - /* if using the PEM module, load the PEM file specified by lt_keyfile */ - /* otherwise, assume this is the pininfo for the key */ - if ( ctx->tc_using_pem ) { -- /* this sets ctx->tc_certname to the correct value */ - int rc = tlsm_add_key_from_file( ctx, lt->lt_keyfile ); - if ( rc ) { - return rc; -@@ -2334,66 +2284,42 @@ tlsm_deferred_ctx_init( void *arg ) - /* - since a cert has been specified, assume the client wants to do cert auth - */ -- if ( ctx->tc_certname ) { -- if ( tlsm_authenticate( ctx, ctx->tc_certname, ctx->tc_pin_file ) ) { -- Debug( LDAP_DEBUG_ANY, -- "TLS: error: unable to authenticate to the security device for certificate %s\n", -- ctx->tc_certname, 0, 0 ); -- return -1; -- } -+ if ( ctx->tc_certificate ) { - if ( tlsm_clientauth_init( ctx ) ) { - Debug( LDAP_DEBUG_ANY, -- "TLS: error: unable to set up client certificate authentication using %s\n", -- ctx->tc_certname, 0, 0 ); -+ "TLS: error: unable to set up client certificate authentication using '%s'\n", -+ tlsm_ctx_subject_name(ctx), 0, 0 ); - return -1; - } - } - } else { /* set up secure server */ - SSLKEAType certKEA; -- CERTCertificate *serverCert = NULL; -- SECKEYPrivateKey *serverKey = NULL; - SECStatus status; - - /* must have a certificate for the server to use */ -- if ( !ctx->tc_certname ) { -+ if ( !ctx->tc_certificate ) { - Debug( 
LDAP_DEBUG_ANY, - "TLS: error: no server certificate: must specify a certificate for the server to use\n", - 0, 0, 0 ); - return -1; - } - -- /* authenticate to the server's token - this will do nothing -- if the key/cert db is not password protected */ -- if ( tlsm_authenticate( ctx, ctx->tc_certname, ctx->tc_pin_file ) ) { -- Debug( LDAP_DEBUG_ANY, -- "TLS: error: unable to authenticate to the security device for certificate %s\n", -- ctx->tc_certname, 0, 0 ); -- return -1; -- } -- -- /* get the server's key and cert */ -- if ( tlsm_find_and_verify_cert_key( ctx, ctx->tc_model, ctx->tc_certname, ctx->tc_is_server, -- &serverCert, &serverKey ) ) { -+ if (tlsm_find_and_verify_cert_key(ctx)) { - Debug( LDAP_DEBUG_ANY, - "TLS: error: unable to find and verify server's cert and key for certificate %s\n", -- ctx->tc_certname, 0, 0 ); -- CERT_DestroyCertificate( serverCert ); -- SECKEY_DestroyPrivateKey( serverKey ); -+ tlsm_ctx_subject_name(ctx), 0, 0 ); - return -1; - } - -- certKEA = NSS_FindCertKEAType( serverCert ); - /* configure the socket to be a secure server socket */ -- status = SSL_ConfigSecureServer( ctx->tc_model, serverCert, serverKey, certKEA ); -- /* SSL_ConfigSecureServer copies these */ -- CERT_DestroyCertificate( serverCert ); -- SECKEY_DestroyPrivateKey( serverKey ); -+ certKEA = NSS_FindCertKEAType( ctx->tc_certificate ); -+ status = SSL_ConfigSecureServer( ctx->tc_model, ctx->tc_certificate, ctx->tc_private_key, certKEA ); - - if ( SECSuccess != status ) { - PRErrorCode err = PR_GetError(); - Debug( LDAP_DEBUG_ANY, -- "TLS: error: unable to configure secure server using certificate %s - error %d:%s\n", -- ctx->tc_certname, err, PR_ErrorToString( err, PR_LANGUAGE_I_DEFAULT ) ); -+ "TLS: error: unable to configure secure server using certificate '%s' - error %d:%s\n", -+ tlsm_ctx_subject_name(ctx), err, PR_ErrorToString( err, PR_LANGUAGE_I_DEFAULT ) ); - return -1; - } - } -@@ -2515,7 +2441,9 @@ tlsm_session_new ( tls_ctx * ctx, int is_server ) - 
int rc; - - c->tc_is_server = is_server; -+ LDAP_MUTEX_LOCK( &tlsm_init_mutex ); - status = PR_CallOnceWithArg( &c->tc_callonce, tlsm_deferred_ctx_init, c ); -+ LDAP_MUTEX_UNLOCK( &tlsm_init_mutex ); - if ( PR_SUCCESS != status ) { - PRErrorCode err = PR_GetError(); - Debug( LDAP_DEBUG_ANY, diff --git a/openldap-nss-pk11-freeslot.patch b/openldap-nss-pk11-freeslot.patch deleted file mode 100644 index ca657c8..0000000 --- a/openldap-nss-pk11-freeslot.patch +++ /dev/null @@ -1,23 +0,0 @@ -Resolves: #929357 - -Upstream commit: 6330d1b87a45b447f33fe8ffd6fbbce9e60bb0ec -Author: Rich Megginson -Date: Thu, 28 Mar 2013 19:05:02 -0600 -Modified by: Jan Synacek - -This patch has been re-diffed so it clearly applies to OpenLDAP 2.4.39. - -diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c -index 072d41d..c59d303 100644 ---- a/libraries/libldap/tls_m.c -+++ b/libraries/libldap/tls_m.c -@@ -2151,6 +2151,8 @@ - "TLS: could not close certdb slot - error %d:%s.\n", - errcode, PR_ErrorToString( errcode, PR_LANGUAGE_I_DEFAULT ), 0 ); - } -+ PK11_FreeSlot( c->tc_certdb_slot ); -+ c->tc_certdb_slot = NULL; - } - if ( c->tc_pin_file ) { - PL_strfree( c->tc_pin_file ); - diff --git a/openldap-nss-regex-search-hashed-cacert-dir.patch b/openldap-nss-regex-search-hashed-cacert-dir.patch deleted file mode 100644 index 03493db..0000000 --- a/openldap-nss-regex-search-hashed-cacert-dir.patch +++ /dev/null 
@@ -1,91 +0,0 @@ -MozNSS: better file name matching for hashed CA certificate directory - -CA certificate files in OpenSSL compatible CACERTDIR were loaded if the file extension was '.0'. However the file name -should be 8 letters long certificate hash of the certificate subject name, followed by a numeric suffix which is used -to differentiate between two certificates with the same subject name. - -Wit this patch, certificate file names are matched correctly (using regular expressions). - -Author: Jan Vcelak -Upstream ITS: #7374 -Resolves: #852786 - -diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c -index 5e49fc5..61d71d4 100644 ---- a/libraries/libldap/tls_m.c -+++ b/libraries/libldap/tls_m.c -@@ -38,6 +38,7 @@ - #include - #include - #include -+#include - - #include "ldap-int.h" - #include "ldap-tls.h" -@@ -118,9 +119,7 @@ static const PRIOMethods tlsm_PR_methods; - - #define PEM_LIBRARY "nsspem" - #define PEM_MODULE "PEM" --/* hash files for use with cacertdir have this file name suffix */ --#define PEM_CA_HASH_FILE_SUFFIX ".0" --#define PEM_CA_HASH_FILE_SUFFIX_LEN 2 -+#define PEM_CA_HASH_FILE_REGEX "^[0-9a-f]{8}\\.[0-9]+$" - - static SECMODModule *pem_module; - -@@ -1541,6 +1540,7 @@ tlsm_init_ca_certs( tlsm_ctx *ctx, const char *cacertfile, const char *cacertdir - PRDir *dir; - PRDirEntry *entry; - PRStatus fistatus = PR_FAILURE; -+ regex_t hashfile_re; - - memset( &fi, 0, sizeof(fi) ); - fistatus = PR_GetFileInfo( cacertdir, &fi ); -@@ -1570,20 +1570,30 @@ tlsm_init_ca_certs( tlsm_ctx *ctx, const char *cacertfile, const char *cacertdir - goto done; - } - -+ if ( regcomp( &hashfile_re, PEM_CA_HASH_FILE_REGEX, REG_NOSUB|REG_EXTENDED ) != 0 ) { -+ Debug( LDAP_DEBUG_ANY, "TLS: cannot compile regex for CA hash files matching\n", 0, 0, 0 ); -+ goto done; -+ } -+ - do { - entry = PR_ReadDir( dir, PR_SKIP_BOTH | PR_SKIP_HIDDEN ); - if ( ( NULL != entry ) && ( NULL != entry->name ) ) { - char *fullpath = NULL; -- char *ptr; -+ int match; - -- ptr = 
PL_strrstr( entry->name, PEM_CA_HASH_FILE_SUFFIX ); -- if ( ( ptr == NULL ) || ( *(ptr + PEM_CA_HASH_FILE_SUFFIX_LEN) != '\0' ) ) { -+ match = regexec( &hashfile_re, entry->name, 0, NULL, 0 ); -+ if ( match == REG_NOMATCH ) { - Debug( LDAP_DEBUG_TRACE, -- "TLS: file %s does not end in [%s] - does not appear to be a CA certificate " -- "directory file with a properly hashed file name - skipping.\n", -- entry->name, PEM_CA_HASH_FILE_SUFFIX, 0 ); -+ "TLS: skipping '%s' - filename does not have expected format " -+ "(certificate hash with numeric suffix)\n", entry->name, 0, 0 ); -+ continue; -+ } else if ( match != 0 ) { -+ Debug( LDAP_DEBUG_ANY, -+ "TLS: cannot execute regex for CA hash file matching (%d).\n", -+ match, 0, 0 ); - continue; - } -+ - fullpath = PR_smprintf( "%s/%s", cacertdir, entry->name ); - if ( !tlsm_add_cert_from_file( ctx, fullpath, isca ) ) { - Debug( LDAP_DEBUG_TRACE, -@@ -1599,6 +1609,7 @@ tlsm_init_ca_certs( tlsm_ctx *ctx, const char *cacertfile, const char *cacertdir - PR_smprintf_free( fullpath ); - } - } while ( NULL != entry ); -+ regfree ( &hashfile_re ); - PR_CloseDir( dir ); - } - done: --- -1.7.11.4 - diff --git a/openldap-nss-update-list-of-ciphers.patch b/openldap-nss-update-list-of-ciphers.patch deleted file mode 100644 index d5986c0..0000000 --- a/openldap-nss-update-list-of-ciphers.patch +++ /dev/null 
@@ -1,193 +0,0 @@ -MozNSS: update list of supported cipher suites - -The updated list includes all ciphers implemented in Mozilla NSS 3.13.15 - -Author: Jan Vcelak -Upstream ITS: #7374 - -diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c -index 1422ce2..5e49fc5 100644 ---- a/libraries/libldap/tls_m.c -+++ b/libraries/libldap/tls_m.c -@@ -211,27 +211,34 @@ typedef struct { - int num; /* The cipher id */ - int attr; /* cipher attributes: algorithms, etc */ - int version; /* protocol version valid for this cipher */ -- int bits; /* bits of strength */ -- int alg_bits; /* bits of the algorithm */ - int strength; /* LOW, MEDIUM, HIGH */ - int enabled; /* Enabled by default? */ - } cipher_properties; - - /* cipher attributes */ --#define SSL_kRSA 0x00000001L --#define SSL_aRSA 0x00000002L --#define SSL_aDSS 0x00000004L --#define SSL_DSS SSL_aDSS --#define SSL_eNULL 0x00000008L --#define SSL_DES 0x00000010L --#define SSL_3DES 0x00000020L --#define SSL_RC4 0x00000040L --#define SSL_RC2 0x00000080L --#define SSL_AES 0x00000100L --#define SSL_MD5 0x00000200L --#define SSL_SHA1 0x00000400L --#define SSL_SHA SSL_SHA1 --#define SSL_RSA (SSL_kRSA|SSL_aRSA) -+#define SSL_kRSA 0x00000001L -+#define SSL_aRSA 0x00000002L -+#define SSL_RSA (SSL_kRSA|SSL_aRSA) -+#define SSL_aDSA 0x00000004L -+#define SSL_DSA SSL_aDSA -+#define SSL_eNULL 0x00000008L -+#define SSL_DES 0x00000010L -+#define SSL_3DES 0x00000020L -+#define SSL_RC4 0x00000040L -+#define SSL_RC2 0x00000080L -+#define SSL_AES128 0x00000100L -+#define SSL_AES256 0x00000200L -+#define SSL_AES (SSL_AES128|SSL_AES256) -+#define SSL_MD5 0x00000400L -+#define SSL_SHA1 0x00000800L -+#define SSL_kEDH 0x00001000L -+#define SSL_CAMELLIA128 0x00002000L -+#define SSL_CAMELLIA256 0x00004000L -+#define SSL_CAMELLIA (SSL_CAMELLIA128|SSL_CAMELLIA256) -+#define SSL_SEED 0x00008000L -+#define SSL_kECDH 0x00010000L -+#define SSL_kECDHE 0x00020000L -+#define SSL_aECDSA 0x00040000L - - /* cipher strength */ - #define SSL_NULL 
0x00000001L -@@ -248,29 +255,70 @@ typedef struct { - - /* Cipher translation */ - static cipher_properties ciphers_def[] = { -- /* SSL 2 ciphers */ -- {"DES-CBC3-MD5", SSL_EN_DES_192_EDE3_CBC_WITH_MD5, SSL_kRSA|SSL_aRSA|SSL_3DES|SSL_MD5, SSL2, 168, 168, SSL_HIGH, SSL_ALLOWED}, -- {"RC2-CBC-MD5", SSL_EN_RC2_128_CBC_WITH_MD5, SSL_kRSA|SSL_aRSA|SSL_RC2|SSL_MD5, SSL2, 128, 128, SSL_MEDIUM, SSL_ALLOWED}, -- {"RC4-MD5", SSL_EN_RC4_128_WITH_MD5, SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5, SSL2, 128, 128, SSL_MEDIUM, SSL_ALLOWED}, -- {"DES-CBC-MD5", SSL_EN_DES_64_CBC_WITH_MD5, SSL_kRSA|SSL_aRSA|SSL_DES|SSL_MD5, SSL2, 56, 56, SSL_LOW, SSL_ALLOWED}, -- {"EXP-RC2-CBC-MD5", SSL_EN_RC2_128_CBC_EXPORT40_WITH_MD5, SSL_kRSA|SSL_aRSA|SSL_RC2|SSL_MD5, SSL2, 40, 128, SSL_EXPORT40, SSL_ALLOWED}, -- {"EXP-RC4-MD5", SSL_EN_RC4_128_EXPORT40_WITH_MD5, SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5, SSL2, 40, 128, SSL_EXPORT40, SSL_ALLOWED}, -- -- /* SSL3 ciphers */ -- {"RC4-MD5", SSL_RSA_WITH_RC4_128_MD5, SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5, SSL3, 128, 128, SSL_MEDIUM, SSL_ALLOWED}, -- {"RC4-SHA", SSL_RSA_WITH_RC4_128_SHA, SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_SHA1, SSL3, 128, 128, SSL_MEDIUM, SSL_ALLOWED}, -- {"DES-CBC3-SHA", SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_3DES|SSL_SHA1, SSL3, 168, 168, SSL_HIGH, SSL_ALLOWED}, -- {"DES-CBC-SHA", SSL_RSA_WITH_DES_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_DES|SSL_SHA1, SSL3, 56, 56, SSL_LOW, SSL_ALLOWED}, -- {"EXP-RC4-MD5", SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5, SSL3, 40, 128, SSL_EXPORT40, SSL_ALLOWED}, -- {"EXP-RC2-CBC-MD5", SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5, SSL_kRSA|SSL_aRSA|SSL_RC2|SSL_MD5, SSL3, 0, 0, SSL_EXPORT40, SSL_ALLOWED}, -- {"NULL-MD5", SSL_RSA_WITH_NULL_MD5, SSL_kRSA|SSL_aRSA|SSL_eNULL|SSL_MD5, SSL3, 0, 0, SSL_NULL, SSL_NOT_ALLOWED}, -- {"NULL-SHA", SSL_RSA_WITH_NULL_SHA, SSL_kRSA|SSL_aRSA|SSL_eNULL|SSL_SHA1, SSL3, 0, 0, SSL_NULL, SSL_NOT_ALLOWED}, -+ -+ /* -+ * Use the same DEFAULT cipher list as OpenSSL, which is defined as: 
ALL:!aNULL:!eNULL:!SSLv2 -+ */ -+ -+ /* SSLv2 ciphers */ -+ {"DES-CBC-MD5", SSL_EN_DES_64_CBC_WITH_MD5, SSL_kRSA|SSL_aRSA|SSL_DES|SSL_MD5, SSL2, SSL_LOW, SSL_NOT_ALLOWED}, -+ {"DES-CBC3-MD5", SSL_EN_DES_192_EDE3_CBC_WITH_MD5, SSL_kRSA|SSL_aRSA|SSL_3DES|SSL_MD5, SSL2, SSL_HIGH, SSL_NOT_ALLOWED}, -+ {"RC2-CBC-MD5", SSL_EN_RC2_128_CBC_WITH_MD5, SSL_kRSA|SSL_aRSA|SSL_RC2|SSL_MD5, SSL2, SSL_MEDIUM, SSL_NOT_ALLOWED}, -+ {"RC4-MD5", SSL_EN_RC4_128_WITH_MD5, SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5, SSL2, SSL_MEDIUM, SSL_NOT_ALLOWED}, -+ {"EXP-RC2-CBC-MD5", SSL_EN_RC2_128_CBC_EXPORT40_WITH_MD5, SSL_kRSA|SSL_aRSA|SSL_RC2|SSL_MD5, SSL2, SSL_EXPORT40, SSL_NOT_ALLOWED}, -+ {"EXP-RC4-MD5", SSL_EN_RC4_128_EXPORT40_WITH_MD5, SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5, SSL2, SSL_EXPORT40, SSL_NOT_ALLOWED}, -+ -+ /* SSLv3 ciphers */ -+ {"NULL-MD5", SSL_RSA_WITH_NULL_MD5, SSL_kRSA|SSL_aRSA|SSL_eNULL|SSL_MD5, SSL3, SSL_NULL, SSL_NOT_ALLOWED}, -+ {"NULL-SHA", SSL_RSA_WITH_NULL_SHA, SSL_kRSA|SSL_aRSA|SSL_eNULL|SSL_SHA1, SSL3, SSL_NULL, SSL_NOT_ALLOWED}, -+ {"DES-CBC-SHA", SSL_RSA_WITH_DES_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_DES|SSL_SHA1, SSL3, SSL_LOW, SSL_ALLOWED}, -+ {"DES-CBC3-SHA", SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_3DES|SSL_SHA1, SSL3, SSL_HIGH, SSL_ALLOWED}, -+ {"RC4-MD5", SSL_RSA_WITH_RC4_128_MD5, SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5, SSL3, SSL_MEDIUM, SSL_ALLOWED}, -+ {"RC4-SHA", SSL_RSA_WITH_RC4_128_SHA, SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_SHA1, SSL3, SSL_MEDIUM, SSL_ALLOWED}, -+ {"EXP-RC2-CBC-MD5", SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5, SSL_kRSA|SSL_aRSA|SSL_RC2|SSL_MD5, SSL3, SSL_EXPORT40, SSL_ALLOWED}, -+ {"EXP-RC4-MD5", SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5, SSL3, SSL_EXPORT40, SSL_ALLOWED}, -+ {"EDH-RSA-DES-CBC-SHA", SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_kEDH|SSL_aRSA|SSL_DES|SSL_SHA1, SSL3, SSL_LOW, SSL_ALLOWED}, -+ {"EDH-RSA-DES-CBC3-SHA", SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_kEDH|SSL_aRSA|SSL_3DES|SSL_SHA1, SSL3, SSL_HIGH, SSL_ALLOWED}, -+ 
{"EDH-DSS-DES-CBC-SHA", SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_kEDH|SSL_aDSA|SSL_DES|SSL_SHA1, SSL3, SSL_LOW, SSL_ALLOWED}, -+ {"EDH-DSS-DES-CBC3-SHA", SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_kEDH|SSL_aDSA|SSL_3DES|SSL_SHA1, SSL3, SSL_HIGH, SSL_ALLOWED}, - - /* TLSv1 ciphers */ -- {"EXP1024-DES-CBC-SHA", TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_DES|SSL_SHA, TLS1, 56, 56, SSL_EXPORT56, SSL_ALLOWED}, -- {"EXP1024-RC4-SHA", TLS_RSA_EXPORT1024_WITH_RC4_56_SHA, SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_SHA, TLS1, 56, 56, SSL_EXPORT56, SSL_ALLOWED}, -- {"AES128-SHA", TLS_RSA_WITH_AES_128_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_AES|SSL_SHA, TLS1, 128, 128, SSL_HIGH, SSL_ALLOWED}, -- {"AES256-SHA", TLS_RSA_WITH_AES_256_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_AES|SSL_SHA, TLS1, 256, 256, SSL_HIGH, SSL_ALLOWED}, -+ {"EXP1024-DES-CBC-SHA", TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_DES|SSL_SHA1, TLS1, SSL_EXPORT56, SSL_ALLOWED}, -+ {"EXP1024-RC4-SHA", TLS_RSA_EXPORT1024_WITH_RC4_56_SHA, SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_SHA1, TLS1, SSL_EXPORT56, SSL_ALLOWED}, -+ {"SEED-SHA", TLS_RSA_WITH_SEED_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_SEED|SSL_SHA1, TLS1, SSL_MEDIUM, SSL_ALLOWED}, -+ {"AES128-SHA", TLS_RSA_WITH_AES_128_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_AES128|SSL_SHA1, TLS1, SSL_HIGH, SSL_ALLOWED}, -+ {"AES256-SHA", TLS_RSA_WITH_AES_256_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_AES256|SSL_SHA1, TLS1, SSL_HIGH, SSL_ALLOWED}, -+ {"CAMELLIA256-SHA", TLS_RSA_WITH_CAMELLIA_256_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_CAMELLIA|SSL_SHA1, TLS1, SSL_HIGH, SSL_ALLOWED}, -+ {"CAMELLIA128-SHA", TLS_RSA_WITH_CAMELLIA_128_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_CAMELLIA|SSL_SHA1, TLS1, SSL_HIGH, SSL_ALLOWED}, -+ {"DHE-RSA-AES128-SHA", TLS_DHE_RSA_WITH_AES_128_CBC_SHA, SSL_kEDH|SSL_aRSA|SSL_AES128|SSL_SHA1, TLS1, SSL_HIGH, SSL_ALLOWED}, -+ {"DHE-RSA-AES256-SHA", TLS_DHE_RSA_WITH_AES_256_CBC_SHA, SSL_kEDH|SSL_aRSA|SSL_AES256|SSL_SHA1, TLS1, SSL_HIGH, SSL_ALLOWED}, -+ {"DHE-RSA-CAMELLIA128-SHA", TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA, 
SSL_kEDH|SSL_aRSA|SSL_CAMELLIA128|SSL_SHA1, TLS1, SSL_HIGH, SSL_ALLOWED}, -+ {"DHE-RSA-CAMELLIA256-SHA", TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA, SSL_kEDH|SSL_aRSA|SSL_CAMELLIA256|SSL_SHA1, TLS1, SSL_HIGH, SSL_ALLOWED}, -+ {"DHE-DSS-RC4-SHA", TLS_DHE_DSS_WITH_RC4_128_SHA, SSL_kEDH|SSL_aDSA|SSL_RC4|SSL_SHA1, TLS1, SSL_MEDIUM, SSL_ALLOWED}, -+ {"DHE-DSS-AES128-SHA", TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_kEDH|SSL_aDSA|SSL_AES128|SSL_SHA1, TLS1, SSL_HIGH, SSL_ALLOWED}, -+ {"DHE-DSS-AES256-SHA", TLS_DHE_DSS_WITH_AES_256_CBC_SHA, SSL_kEDH|SSL_aDSA|SSL_AES256|SSL_SHA1, TLS1, SSL_HIGH, SSL_ALLOWED}, -+ {"DHE-DSS-CAMELLIA128-SHA", TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA, SSL_kEDH|SSL_aDSA|SSL_CAMELLIA128|SSL_SHA1, TLS1, SSL_HIGH, SSL_ALLOWED}, -+ {"DHE-DSS-CAMELLIA256-SHA", TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA, SSL_kEDH|SSL_aDSA|SSL_CAMELLIA256|SSL_SHA1, TLS1, SSL_HIGH, SSL_ALLOWED}, -+ {"ECDH-RSA-NULL-SHA", TLS_ECDH_RSA_WITH_NULL_SHA, SSL_kECDH|SSL_aRSA|SSL_eNULL|SSL_SHA1, TLS1, SSL_NULL, SSL_NOT_ALLOWED}, -+ {"ECDH-RSA-RC4-SHA", TLS_ECDH_RSA_WITH_RC4_128_SHA, SSL_kECDH|SSL_aRSA|SSL_RC4|SSL_SHA1, TLS1, SSL_MEDIUM, SSL_ALLOWED}, -+ {"ECDH-RSA-DES-CBC3-SHA", TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_kECDH|SSL_aRSA|SSL_3DES|SSL_SHA1, TLS1, SSL_HIGH, SSL_ALLOWED}, -+ {"ECDH-RSA-AES128-SHA", TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, SSL_kECDH|SSL_aRSA|SSL_AES128|SSL_SHA1, TLS1, SSL_HIGH, SSL_ALLOWED}, -+ {"ECDH-RSA-AES256-SHA", TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, SSL_kECDH|SSL_aRSA|SSL_AES256|SSL_SHA1, TLS1, SSL_HIGH, SSL_ALLOWED}, -+ {"ECDH-ECDSA-NULL-SHA", TLS_ECDH_ECDSA_WITH_NULL_SHA, SSL_kECDH|SSL_aECDSA|SSL_eNULL|SSL_SHA1, TLS1, SSL_NULL, SSL_NOT_ALLOWED}, -+ {"ECDH-ECDSA-RC4-SHA", TLS_ECDH_ECDSA_WITH_RC4_128_SHA, SSL_kECDH|SSL_aECDSA|SSL_RC4|SSL_SHA1, TLS1, SSL_MEDIUM, SSL_ALLOWED}, -+ {"ECDH-ECDSA-DES-CBC3-SHA", TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_kECDH|SSL_aECDSA|SSL_3DES|SSL_SHA1, TLS1, SSL_HIGH, SSL_ALLOWED}, -+ {"ECDH-ECDSA-AES128-SHA", TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, 
SSL_kECDH|SSL_aECDSA|SSL_AES128|SSL_SHA1, TLS1, SSL_HIGH, SSL_ALLOWED}, -+ {"ECDH-ECDSA-AES256-SHA", TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, SSL_kECDH|SSL_aECDSA|SSL_AES256|SSL_SHA1, TLS1, SSL_HIGH, SSL_ALLOWED}, -+ {"ECDHE-RSA-NULL-SHA", TLS_ECDHE_RSA_WITH_NULL_SHA, SSL_kECDHE|SSL_aRSA|SSL_eNULL|SSL_SHA1, TLS1, SSL_NULL, SSL_NOT_ALLOWED}, -+ {"ECDHE-RSA-RC4-SHA", TLS_ECDHE_RSA_WITH_RC4_128_SHA, SSL_kECDHE|SSL_aRSA|SSL_RC4|SSL_SHA1, TLS1, SSL_MEDIUM, SSL_ALLOWED}, -+ {"ECDHE-RSA-DES-CBC3-SHA", TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_kECDHE|SSL_aRSA|SSL_3DES|SSL_SHA1, TLS1, SSL_HIGH, SSL_ALLOWED}, -+ {"ECDHE-RSA-AES128-SHA", TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, SSL_kECDHE|SSL_aRSA|SSL_AES128|SSL_SHA1, TLS1, SSL_HIGH, SSL_ALLOWED}, -+ {"ECDHE-RSA-AES256-SHA", TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, SSL_kECDHE|SSL_aRSA|SSL_AES256|SSL_SHA1, TLS1, SSL_HIGH, SSL_ALLOWED}, -+ {"ECDHE-ECDSA-NULL-SHA", TLS_ECDHE_ECDSA_WITH_NULL_SHA, SSL_kECDHE|SSL_aECDSA|SSL_eNULL|SSL_SHA1, TLS1, SSL_NULL, SSL_NOT_ALLOWED}, -+ {"ECDHE-ECDSA-RC4-SHA", TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, SSL_kECDHE|SSL_aECDSA|SSL_RC4|SSL_SHA1, TLS1, SSL_MEDIUM, SSL_ALLOWED}, -+ {"ECDHE-ECDSA-DES-CBC3-SHA", TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_kECDHE|SSL_aECDSA|SSL_3DES|SSL_SHA1, TLS1, SSL_HIGH, SSL_ALLOWED}, -+ {"ECDHE-ECDSA-AES128-SHA", TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, SSL_kECDHE|SSL_aECDSA|SSL_AES128|SSL_SHA1, TLS1, SSL_HIGH, SSL_ALLOWED}, -+ {"ECDHE-ECDSA-AES256-SHA", TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, SSL_kECDHE|SSL_aECDSA|SSL_AES256|SSL_SHA1, TLS1, SSL_HIGH, SSL_ALLOWED}, - }; - - #define ciphernum (sizeof(ciphers_def)/sizeof(cipher_properties)) -@@ -577,6 +625,10 @@ nss_parse_ciphers(const char *cipherstr, int cipher_list[ciphernum]) - mask |= SSL_RSA; - } else if ((!strcmp(cipher, "NULL")) || (!strcmp(cipher, "eNULL"))) { - mask |= SSL_eNULL; -+ } else if (!strcmp(cipher, "AES128")) { -+ mask |= SSL_AES128; -+ } else if (!strcmp(cipher, "AES256")) { -+ mask |= SSL_AES256; - } else if 
(!strcmp(cipher, "AES")) { - mask |= SSL_AES; - } else if (!strcmp(cipher, "3DES")) { -@@ -591,6 +643,24 @@ nss_parse_ciphers(const char *cipherstr, int cipher_list[ciphernum]) - mask |= SSL_MD5; - } else if ((!strcmp(cipher, "SHA")) || (!strcmp(cipher, "SHA1"))) { - mask |= SSL_SHA1; -+ } else if (!strcmp(cipher, "EDH")) { -+ mask |= SSL_kEDH; -+ } else if (!strcmp(cipher, "DSS")) { -+ mask |= SSL_aDSA; -+ } else if (!strcmp(cipher, "CAMELLIA128")) { -+ mask |= SSL_CAMELLIA128; -+ } else if (!strcmp(cipher, "CAMELLIA256")) { -+ mask |= SSL_CAMELLIA256; -+ } else if (!strcmp(cipher, "CAMELLIA")) { -+ mask |= SSL_CAMELLIA; -+ } else if (!strcmp(cipher, "SEED")) { -+ mask |= SSL_SEED; -+ } else if (!strcmp(cipher, "ECDH")) { -+ mask |= SSL_kECDH; -+ } else if (!strcmp(cipher, "ECDHE")) { -+ mask |= SSL_kECDHE; -+ } else if (!strcmp(cipher, "ECDSA")) { -+ mask |= SSL_aECDSA; - } else if (!strcmp(cipher, "SSLv2")) { - protocol |= SSL2; - } else if (!strcmp(cipher, "SSLv3")) { --- -1.7.11.4 - diff --git a/openldap-support-tlsv1-and-later.patch b/openldap-support-tlsv1-and-later.patch index b8cc0f8..a6c50fd 100644 --- a/openldap-support-tlsv1-and-later.patch +++ b/openldap-support-tlsv1-and-later.patch 
@@ -5,18 +5,19 @@ Backported-by: Jan Synacek
 Upstream ITS: #7979
 Upstream commit: 7a7d9419432954cac18a582bed85a7c489d90f00
---- openldap-2.4.40/libraries/libldap/tls_m.c 2014-11-14 09:02:39.489493061 +0100
-+++ openldap-2.4.40/libraries/libldap/tls_m.c 2014-11-14 09:23:07.239463097 +0100
-@@ -790,7 +790,7 @@ tlsm_bad_cert_handler(void *arg, PRFileD
- case SSL_ERROR_BAD_CERT_DOMAIN:
- break;
- default:
-- success = SECFailure;
-+ success = SECFailure;
- break;
- }
+--- openldap-2.4.40/include/ldap.h 2014-09-19 03:48:49.000000000 +0200
++++ openldap-2.4.40/include/ldap.h 2015-01-27 14:52:42.741364186 +0100
+@@ -176,6 +176,7 @@ LDAP_BEGIN_DECL
+ #define LDAP_OPT_X_TLS_PROTOCOL_TLS1_0 ((3 << 8) + 1)
+ #define LDAP_OPT_X_TLS_PROTOCOL_TLS1_1 ((3 << 8) + 2)
+ #define LDAP_OPT_X_TLS_PROTOCOL_TLS1_2 ((3 << 8) + 3)
++#define LDAP_OPT_X_TLS_PROTOCOL_TLS1_3 ((3 << 8) + 4)
-@@ -1729,6 +1729,8 @@ tlsm_deferred_init( void *arg )
+ /* OpenLDAP SASL options */
+ #define LDAP_OPT_X_SASL_MECH 0x6100
+--- openldap-2.4.40/libraries/libldap/tls_m.c 2014-09-19 03:48:49.000000000 +0200
++++ openldap-2.4.40/libraries/libldap/tls_m.c 2015-01-27 14:57:25.702243542 +0100
+@@ -1639,6 +1639,8 @@ tlsm_deferred_init( void *arg )
 NSSInitContext *initctx = NULL;
 PK11SlotInfo *certdb_slot = NULL;
 #endif
@@ -25,8 +26,8 @@ Upstream commit: 7a7d9419432954cac18a582bed85a7c489d90f00
 SECStatus rc;
 int done = 0;
-@@ -1911,6 +1913,16 @@ tlsm_deferred_init( void *arg )
- }
+@@ -1823,7 +1825,17 @@ tlsm_deferred_init( void *arg )
+ ctx->tc_using_pem = PR_TRUE;
 }
 + /*
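Review bot: The added `LDAP_OPT_X_TLS_PROTOCOL_TLS1_3` define in ldap.h now advertises a protocol value that, as far as this diff shows, no compiled backend handles: the companion `SSL_VersionRangeSetDefault` change lives in tls_m.c, and the spec in this same commit stops building the MozNSS backend (`--with-tls=moznss` removed). tls_o.c is not touched by this patch, so a caller setting `LDAP_OPT_X_TLS_PROTOCOL_MIN` to the TLS1_3 value presumably either disables every version tls_o.c can still turn off or is accepted without effect — confirm which, and either add the matching case in tls_o.c or note above the define that only the MozNSS backend honours it. The `tlsm_deferred_init` body these hunks touch starts and ends outside the hunk.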
@@ -39,16 +40,7 @@ Upstream commit: 7a7d9419432954cac18a582bed85a7c489d90f00
 + variant = ssl_variant_stream;
 + SSL_VersionRangeSetDefault(variant, &range);
 +
- NSS_SetDomesticPolicy();
+ NSS_SetDomesticPolicy();
 PK11_SetPasswordFunc( tlsm_pin_prompt );
---- openldap-2.4.40/include/ldap.h 2014-09-19 03:48:49.000000000 +0200
-+++ openldap-2.4.40/include/ldap.h 2014-11-14 09:25:54.560801030 +0100
-@@ -176,6 +176,7 @@ LDAP_BEGIN_DECL
- #define LDAP_OPT_X_TLS_PROTOCOL_TLS1_0 ((3 << 8) + 1)
- #define LDAP_OPT_X_TLS_PROTOCOL_TLS1_1 ((3 << 8) + 2)
- #define LDAP_OPT_X_TLS_PROTOCOL_TLS1_2 ((3 << 8) + 3)
-+#define LDAP_OPT_X_TLS_PROTOCOL_TLS1_3 ((3 << 8) + 4)
- /* OpenLDAP SASL options */
- #define LDAP_OPT_X_SASL_MECH 0x6100
diff --git a/openldap.spec b/openldap.spec
index f12a1b4..f63a80b 100644
--- a/openldap.spec
+++ b/openldap.spec
@@ -5,7 +5,7 @@ Name: openldap
 Version: 2.4.40
-Release: 7%{?dist}
+Release: 8%{?dist}
 Summary: LDAP support libraries
 Group: System Environment/Daemons
 License: OpenLDAP
@@ -28,13 +28,6 @@ Patch2: openldap-reentrant-gethostby.patch
 Patch3: openldap-smbk5pwd-overlay.patch
 Patch4: openldap-man-sasl-nocanon.patch
 Patch5: openldap-ai-addrconfig.patch
-# nss patches, unlikely to ever get upstreamed
-Patch11: openldap-nss-update-list-of-ciphers.patch
-Patch12: openldap-tls-no-reuse-of-tls_session.patch
-Patch13: openldap-nss-regex-search-hashed-cacert-dir.patch
-Patch14: openldap-nss-ignore-certdb-type-prefix.patch
-Patch15: openldap-nss-certs-from-certdb-fallback-pem.patch
-Patch16: openldap-nss-pk11-freeslot.patch
 # fix back_perl problems with lt_dlopen()
 # might cause crashes because of symbol collisions
@@ -50,14 +43,10 @@ Patch21: openldap-support-tlsv1-and-later.patch
 Patch90: check-password-makefile.patch
 Patch91: check-password.patch
-# Fedora specific patches
-Patch100: openldap-autoconf-pkgconfig-nss.patch
-
-BuildRequires: cyrus-sasl-devel, nss-devel, krb5-devel, tcp_wrappers-devel, unixODBC-devel
+BuildRequires: cyrus-sasl-devel, krb5-devel, tcp_wrappers-devel, unixODBC-devel
 BuildRequires: glibc-devel, libtool, libtool-ltdl-devel, groff, perl, perl-devel, perl(ExtUtils::Embed)
 # smbk5pwd overlay:
 BuildRequires: openssl-devel
-Requires: nss-tools
 %description
 OpenLDAP is an open source suite of LDAP (Lightweight Directory Access
@@ -123,13 +112,6 @@ programs needed for accessing and modifying OpenLDAP directories.
 pushd openldap-%{version}
-# use pkg-config for Mozilla NSS library
-%patch100 -p1
-
-# alternative include paths for Mozilla NSS
-ln -s %{_includedir}/nss3 include/nss
-ln -s %{_includedir}/nspr4 include/nspr
-
 AUTOMAKE=%{_bindir}/true autoreconf -fi
 %patch0 -p1
@@ -138,12 +120,6 @@ AUTOMAKE=%{_bindir}/true autoreconf -fi
 %patch3 -p1
 %patch4 -p1
 %patch5 -p1
-%patch11 -p1
-%patch12 -p1
-%patch13 -p1
-%patch14 -p1
-%patch15 -p1
-%patch16 -p1
 %patch19 -p1
 %patch20 -p1
 %patch21 -p1
@@ -212,7 +188,6 @@ pushd openldap-%{version}
 --without-fetch \
 --with-threads \
 --with-pic \
- --with-tls=moznss \
 --with-gnu-ld \
 \
 --libexecdir=%{_libdir}
@@ -540,6 +515,9 @@ exit 0
 %{_mandir}/man3/*
 %changelog
+* Tue Jan 27 2015 Jan Synáček - 2.4.40-8
+- link against openssl by default
+
 * Mon Jan 26 2015 Jan Synáček - 2.4.40-7
 - remove tmpfiles config since it's no longer needed
 - fix invalid ldif
diff --git a/slapd.ldif b/slapd.ldif
index 4105131..a6c6bfc 100644
--- a/slapd.ldif
+++ b/slapd.ldif
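Review bot: `BuildRequires: openssl-devel` is now a dependency of libldap's own TLS backend, not only of the smbk5pwd overlay, yet it stays on its separate line under the `# smbk5pwd overlay:` comment while the rewritten main `BuildRequires` line names no TLS library at all; move it up, `BuildRequires: cyrus-sasl-devel, krb5-devel, openssl-devel, tcp_wrappers-devel, unixODBC-devel`, and leave the overlay comment for what it actually covers. Dropping `Requires: nss-tools` is consistent with the switch, but systems upgraded in place still carry the NSS-style values this package used to install (the `olcTLSCertificateFile: "OpenLDAP Server"` nickname and the `/etc/openldap/certs/password` key file that slapd.ldif drops further down in this diff), which the OpenSSL backend presumably cannot load. A changelog line or a %post warning pointing at PEM conversion would turn a failed slapd start after upgrade into an announced migration step.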
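Review bot: Dropping `--with-tls=moznss` leaves `--with-tls` at configure's default, so the backend is now chosen by auto-detection of whatever TLS headers the buildroot happens to provide rather than stated in the spec; if openssl-devel were ever missing, auto mode presumably warns and produces a libldap without TLS instead of failing. Make the intent explicit with `--with-tls=openssl \` in place of the removed line, so a build that cannot find OpenSSL is a hard error and the flag matches the changelog's "link against openssl by default". The configure invocation continues outside the hunk.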
@@ -9,9 +9,9 @@ cn: config
 #
 # TLS settings
 #
-olcTLSCACertificatePath: /etc/openldap/certs
-olcTLSCertificateFile: "OpenLDAP Server"
-olcTLSCertificateKeyFile: /etc/openldap/certs/password
+#olcTLSCACertificatePath: /etc/openldap/certs/cacert.pem
+#olcTLSCertificateFile: /etc/openldap/certs/servercert.pem
+#olcTLSCertificateKeyFile: /etc/openldap/certs/serverkey.pem
 #
 # Do not enable referrals until AFTER you have a working directory