TLS_CACERTDIR takes precedence over TLS_CACERTFILE
Resolves: #652304
Upstream ITS: #6704
Author: Rich Megginson (rmeggins@redhat.com)
diff -uNPrp openldap-2.4.23.old/libraries/libldap/tls_m.c openldap-2.4.23.new/libraries/libldap/tls_m.c
--- openldap-2.4.23.old/libraries/libldap/tls_m.c 2010-11-18 11:01:36.129392116 +0100
+++ openldap-2.4.23.new/libraries/libldap/tls_m.c 2010-11-18 11:02:19.466387205 +0100
@@ -1031,6 +1031,7 @@ tlsm_add_cert_from_file( tlsm_ctx *ctx,
}
if ( fi.type != PR_FILE_FILE ) {
+ PR_SetError(PR_IS_DIRECTORY_ERROR, 0);
Debug( LDAP_DEBUG_ANY,
"TLS: error: the certificate file %s is not a file.\n",
filename, 0 ,0 );
@@ -1123,6 +1124,7 @@ tlsm_add_key_from_file( tlsm_ctx *ctx, c
}
if ( fi.type != PR_FILE_FILE ) {
+ PR_SetError(PR_IS_DIRECTORY_ERROR, 0);
Debug( LDAP_DEBUG_ANY,
"TLS: error: the key file %s is not a file.\n",
filename, 0 ,0 );
@@ -1178,69 +1180,91 @@ static int
tlsm_init_ca_certs( tlsm_ctx *ctx, const char *cacertfile, const char *cacertdir )
{
PRBool isca = PR_TRUE;
+ PRStatus status = PR_FAILURE;
+ PRErrorCode errcode = PR_SUCCESS;
if ( cacertfile ) {
int rc = tlsm_add_cert_from_file( ctx, cacertfile, isca );
if ( rc ) {
- return rc;
+ errcode = PR_GetError();
+ Debug( LDAP_DEBUG_ANY,
+ "TLS: %s is not a valid CA certificate file - error %d:%s.\n",
+ cacertfile, errcode,
+ PR_ErrorToString( errcode, PR_LANGUAGE_I_DEFAULT ) );
+ } else {
+ Debug( LDAP_DEBUG_TRACE,
+ "TLS: loaded CA certificate file %s.\n",
+ cacertfile, 0, 0 );
+ status = PR_SUCCESS; /* have at least one good CA - we can proceed */
}
}
if ( cacertdir ) {
PRFileInfo fi;
- PRStatus status;
PRDir *dir;
PRDirEntry *entry;
+ PRStatus fistatus = PR_FAILURE;
memset( &fi, 0, sizeof(fi) );
- status = PR_GetFileInfo( cacertdir, &fi );
- if ( PR_SUCCESS != status) {
- PRErrorCode errcode = PR_GetError();
+ fistatus = PR_GetFileInfo( cacertdir, &fi );
+ if ( PR_SUCCESS != fistatus) {
+ errcode = PR_GetError();
Debug( LDAP_DEBUG_ANY,
"TLS: could not get info about the CA certificate directory %s - error %d:%s.\n",
cacertdir, errcode,
PR_ErrorToString( errcode, PR_LANGUAGE_I_DEFAULT ) );
- return -1;
+ goto done;
}
if ( fi.type != PR_FILE_DIRECTORY ) {
Debug( LDAP_DEBUG_ANY,
"TLS: error: the CA certificate directory %s is not a directory.\n",
cacertdir, 0 ,0 );
- return -1;
+ goto done;
}
dir = PR_OpenDir( cacertdir );
if ( NULL == dir ) {
- PRErrorCode errcode = PR_GetError();
+ errcode = PR_GetError();
Debug( LDAP_DEBUG_ANY,
"TLS: could not open the CA certificate directory %s - error %d:%s.\n",
cacertdir, errcode,
PR_ErrorToString( errcode, PR_LANGUAGE_I_DEFAULT ) );
- return -1;
+ goto done;
}
- status = -1;
do {
entry = PR_ReadDir( dir, PR_SKIP_BOTH | PR_SKIP_HIDDEN );
if ( NULL != entry ) {
char *fullpath = PR_smprintf( "%s/%s", cacertdir, entry->name );
if ( !tlsm_add_cert_from_file( ctx, fullpath, isca ) ) {
- status = 0; /* found at least 1 valid CA file in the dir */
+ Debug( LDAP_DEBUG_TRACE,
+ "TLS: loaded CA certificate file %s from CA certificate directory %s.\n",
+ fullpath, cacertdir, 0 );
+ status = PR_SUCCESS; /* found at least 1 valid CA file in the dir */
+ } else {
+ errcode = PR_GetError();
+ Debug( LDAP_DEBUG_TRACE,
+ "TLS: %s is not a valid CA certificate file - error %d:%s.\n",
+ fullpath, errcode,
+ PR_ErrorToString( errcode, PR_LANGUAGE_I_DEFAULT ) );
}
PR_smprintf_free( fullpath );
}
} while ( NULL != entry );
PR_CloseDir( dir );
-
- if ( status ) {
- PRErrorCode errcode = PR_GetError();
- Debug( LDAP_DEBUG_ANY,
- "TLS: did not find any valid CA certificate files in the CA certificate directory %s - error %d:%s.\n",
- cacertdir, errcode,
- PR_ErrorToString( errcode, PR_LANGUAGE_I_DEFAULT ) );
- return -1;
+ }
+done:
+ if ( status != PR_SUCCESS ) {
+ const char *fmtstr = NULL;
+ if ( cacertfile && cacertdir ) {
+ fmtstr = "TLS: did not find any valid CA certificates in %s or %s\n";
+ } else {
+ fmtstr = "TLS: did not find any valid CA certificates in %s%s\n";
}
+ Debug( LDAP_DEBUG_ANY, fmtstr, cacertdir ? cacertdir : "",
+ cacertfile ? cacertfile : "", 0 );
+ return -1;
}
return 0;