From 60d09d71cf0971afa40b5c5af070ba1e12dc06cd Mon Sep 17 00:00:00 2001
From: Jan Vcelak
Date: May 18 2012 10:47:45 +0000
Subject: fix: MozNSS CA certdir does not work together with PEM CA cert file
Resolves: #819536
---
diff --git a/openldap-nss-allow-ca-dbdir-pemfile.patch b/openldap-nss-allow-ca-dbdir-pemfile.patch
new file mode 100644
index 0000000..d7d9a7b
--- /dev/null
+++ b/openldap-nss-allow-ca-dbdir-pemfile.patch
@@ -0,0 +1,56 @@
+MozNSS: allow CA certdb together with PEM CA bundle file
+
+Prior to this patch, if TLS_CACERTDIR was set to Mozilla NSS certificate
+database and TLS_CACERT was set to a PEM bundle file with CA
+certificates, the PEM file content was not loaded.
+
+With this patch and the same settings, OpenLDAP can verify certificates
+which are signed by CAs stored both in certdb and PEM bundle file.
+
+Author: Jan Vcelak
+Resolves: #819536
+Upstream ITS: #7276
+
+---
+ libraries/libldap/tls_m.c | 16 +++++++++++++---
+ 1 files changed, 13 insertions(+), 3 deletions(-)
+
+diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c
+index 50c03dd..23d843c 100644
+--- a/libraries/libldap/tls_m.c
++++ b/libraries/libldap/tls_m.c
+@@ -1683,18 +1683,28 @@ tlsm_deferred_init( void *arg )
+ ctx->tc_initctx = initctx;
+ #endif
+
++ }
+
++ if ( errcode || lt->lt_cacertfile ) {
+ /* initialize the PEM module */
+ LDAP_MUTEX_LOCK( &tlsm_init_mutex );
+ if ( tlsm_init_pem_module() ) {
+ LDAP_MUTEX_UNLOCK( &tlsm_init_mutex );
+- errcode = PORT_GetError();
++ int pem_errcode = PORT_GetError();
+ Debug( LDAP_DEBUG_ANY,
+ "TLS: could not initialize moznss PEM module - error %d:%s.\n",
+- errcode, PR_ErrorToString( errcode, PR_LANGUAGE_I_DEFAULT ), 0 );
+- return -1;
++ pem_errcode, PR_ErrorToString( pem_errcode, PR_LANGUAGE_I_DEFAULT ), 0 );
++
++ if ( errcode ) /* PEM is required */
++ return -1;
++
++ } else if ( !errcode ) {
++ tlsm_init_ca_certs( ctx, lt->lt_cacertfile, NULL );
+ }
+ LDAP_MUTEX_UNLOCK( &tlsm_init_mutex );
++ }
+
++ if ( errcode ) {
+ if ( tlsm_init_ca_certs( ctx, lt->lt_cacertfile, lt->lt_cacertdir ) ) {
+ /* if we tried to use lt->lt_cacertdir as an NSS key/cert db, errcode
+ will be a value other than 1 - print an error message so that the
+--
+1.7.7.6
+
diff --git a/openldap.spec b/openldap.spec
index a3c8677..230efff 100644
--- a/openldap.spec
+++ b/openldap.spec
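Review bot: The PEM-failure path in the new tls_m.c hunk now releases tlsm_init_mutex twice: when tlsm_init_pem_module() fails and errcode is zero, the existing `LDAP_MUTEX_UNLOCK( &tlsm_init_mutex );` inside the if-branch runs, the added `if ( errcode ) return -1;` is skipped, and control falls through to the `LDAP_MUTEX_UNLOCK( &tlsm_init_mutex );` after the else-if. Before this change that path returned -1 right after the first unlock, so the second one was unreachable; if LDAP_MUTEX_UNLOCK wraps a plain pthread unlock, releasing a mutex the thread no longer holds is an error or undefined behaviour, so the unlock should be moved into the `return -1` path and the lock released exactly once. The added `tlsm_init_ca_certs( ctx, lt->lt_cacertfile, NULL )` in the else-if branch also discards its return value, unlike the call in the `if ( errcode )` block below it, so a PEM bundle that fails to load leaves the trust store incomplete without any log line; a Debug() on failure would make that diagnosable. tlsm_deferred_init begins and ends outside the hunk, and the hunk is itself the body of a newly added patch file, so the rewrite below is for the inner tls_m.c change.
```c
	if ( errcode || lt->lt_cacertfile ) {
		/* initialize the PEM module */
		LDAP_MUTEX_LOCK( &tlsm_init_mutex );
		if ( tlsm_init_pem_module() ) {
			int pem_errcode = PORT_GetError();
			/* … unchanged: Debug() reporting pem_errcode … */
			if ( errcode ) { /* PEM is required: release the lock on the only early exit */
				LDAP_MUTEX_UNLOCK( &tlsm_init_mutex );
				return -1;
			}
		} else if ( !errcode ) {
			if ( tlsm_init_ca_certs( ctx, lt->lt_cacertfile, NULL ) ) {
				Debug( LDAP_DEBUG_ANY,
					"TLS: could not load CA certificates from PEM file %s.\n",
					lt->lt_cacertfile, 0, 0 );
			}
		}
		LDAP_MUTEX_UNLOCK( &tlsm_init_mutex ); /* single release on every remaining path */
	}
	/* … unchanged: if ( errcode ) { tlsm_init_ca_certs( ctx, lt->lt_cacertfile, lt->lt_cacertdir ) … */
```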
@@ -39,6 +39,7 @@ Patch7: openldap-dns-priority.patch
 Patch8: openldap-syncrepl-unset-tls-options.patch
 Patch9: openldap-constraint-count.patch
 Patch10: openldap-man-sasl-nocanon.patch
+Patch11: openldap-nss-allow-ca-dbdir-pemfile.patch
 # Fedora specific patches
 Patch100: openldap-fedora-systemd.patch
@@ -145,6 +146,7 @@ pushd openldap-%{version}
 %patch8 -p1
 %patch9 -p1
 %patch10 -p1
+%patch11 -p1
 %patch100 -p1
@@ -658,6 +660,7 @@ exit 0
 %changelog
 * Fri May 18 2012 Jan Vcelak 2.4.31-2
 - fix: nss-tools package is required by the base package, not the server subpackage
+- fix: MozNSS CA certdir does not work together with PEM CA cert file (#819536)
 * Tue Apr 24 2012 Jan Vcelak 2.4.31-1
 - new upstream release