rpms/openldap
7
0
Fork 0
Code Issues Pull Requests Releases Activity

fix: TLS error messages overwriting in tlsm_verify_cert()

Browse Source 
Resolves: #810462
This commit is contained in:
Jan Vcelak 2012-06-27 13:36:51 +02:00
parent ac8a31ed53
commit 0cda8087e0
2 changed files with 38 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

35
openldap-nss-dont-overwrite-verify-cert-error.patch Normal file
View File

@ -0,0 +1,35 @@
MozNSS: do not overwrite error in tlsm_verify_cert
Author: Jan Vcelak <jvcelak@redhat.com>
Resolves: #810462
Upstream ITS: #7287
Upstream commit: dc3842fca318f00da20a8be1cfb5d690ccc7d482
diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c
index b608551..4c18360 100644
--- a/libraries/libldap/tls_m.c
+++ b/libraries/libldap/tls_m.c
@@ -1019,6 +1019,10 @@ tlsm_verify_cert(CERTCertDBHandle *handle, CERTCertificate *cert, void *pinarg,
is self issued */
if ( ( node->error == SEC_ERROR_CA_CERT_INVALID ) &&
tlsm_cert_is_self_issued( node->cert ) ) {
+
+ PRErrorCode orig_error = PR_GetError();
+ PRInt32 orig_oserror = PR_GetOSError();
+
CERTBasicConstraints basicConstraint;
SECStatus rv = tlsm_get_basic_constraint_extension( node->cert, &basicConstraint );
if ( ( rv == SECSuccess ) && ( basicConstraint.isCA == PR_FALSE ) ) {
@@ -1032,6 +1036,9 @@ tlsm_verify_cert(CERTCertDBHandle *handle, CERTCertificate *cert, void *pinarg,
"TLS: certificate [%s] is not valid - CA cert is not valid\n",
name, 0, 0 );
}
+
+ PR_SetError(orig_error, orig_oserror);
+
} else if ( errorToIgnore && ( node->error == errorToIgnore ) ) {
Debug( debug_level,
"TLS: Warning: ignoring error for certificate [%s] - error %ld:%s.\n",
--
1.7.10.4

3
openldap.spec
View File

@ -41,6 +41,7 @@ Patch9: openldap-constraint-count.patch
Patch10: openldap-man-sasl-nocanon.patch
Patch11: openldap-nss-allow-ca-dbdir-pemfile.patch
Patch12: openldap-tls-unbind-shutdown-order.patch
Patch13: openldap-nss-dont-overwrite-verify-cert-error.patch
# Fedora specific patches
Patch100: openldap-fedora-systemd.patch
@ -149,6 +150,7 @@ pushd openldap-%{version}
%patch10 -p1
%patch11 -p1
%patch12 -p1
%patch13 -p1
%patch100 -p1
@ -663,6 +665,7 @@ exit 0
* Wed Jun 27 2012 Jan Vcelak <jvcelak@redhat.com> 2.4.31-3
- update fix: count constraint broken when using multiple modifications (#795766)
- fix: invalid order of TLS shutdown operations (#808464)
- fix: TLS error messages overwriting in tlsm_verify_cert() (#810462)
* Fri May 18 2012 Jan Vcelak <jvcelak@redhat.com> 2.4.31-2
- fix: nss-tools package is required by the base package, not the server subpackage