From 0cda8087e0aab963998326e3b128fb6065e614a9 Mon Sep 17 00:00:00 2001
From: Jan Vcelak
Date: Wed, 27 Jun 2012 13:36:51 +0200
Subject: [PATCH] fix: TLS error messages overwriting in tlsm_verify_cert()
Resolves: #810462
---
 ...nss-dont-overwrite-verify-cert-error.patch | 35 +++++++++++++++++++
 openldap.spec | 3 ++
 2 files changed, 38 insertions(+)
 create mode 100644 openldap-nss-dont-overwrite-verify-cert-error.patch
diff --git a/openldap-nss-dont-overwrite-verify-cert-error.patch b/openldap-nss-dont-overwrite-verify-cert-error.patch
new file mode 100644
index 0000000..71e7d25
--- /dev/null
+++ b/openldap-nss-dont-overwrite-verify-cert-error.patch
@@ -0,0 +1,35 @@
+MozNSS: do not overwrite error in tlsm_verify_cert
+
+Author: Jan Vcelak
+Resolves: #810462
+Upstream ITS: #7287
+Upstream commit: dc3842fca318f00da20a8be1cfb5d690ccc7d482
+
+diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c
+index b608551..4c18360 100644
+--- a/libraries/libldap/tls_m.c
++++ b/libraries/libldap/tls_m.c
+@@ -1019,6 +1019,10 @@ tlsm_verify_cert(CERTCertDBHandle *handle, CERTCertificate *cert, void *pinarg,
+ is self issued */
+ if ( ( node->error == SEC_ERROR_CA_CERT_INVALID ) &&
+ tlsm_cert_is_self_issued( node->cert ) ) {
++
++ PRErrorCode orig_error = PR_GetError();
++ PRInt32 orig_oserror = PR_GetOSError();
++
+ CERTBasicConstraints basicConstraint;
+ SECStatus rv = tlsm_get_basic_constraint_extension( node->cert, &basicConstraint );
+ if ( ( rv == SECSuccess ) && ( basicConstraint.isCA == PR_FALSE ) ) {
+@@ -1032,6 +1036,9 @@ tlsm_verify_cert(CERTCertDBHandle *handle, CERTCertificate *cert, void *pinarg,
+ "TLS: certificate [%s] is not valid - CA cert is not valid\n",
+ name, 0, 0 );
+ }
++
++ PR_SetError(orig_error, orig_oserror);
++
+ } else if ( errorToIgnore && ( node->error == errorToIgnore ) ) {
+ Debug( debug_level,
+ "TLS: Warning: ignoring error for certificate [%s] - error %ld:%s.\n",
+-- 
+1.7.10.4
+ 
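Review bot: The new save/restore pair around `tlsm_get_basic_constraint_extension()` carries no comment explaining why the NSPR error is being preserved, so a later reader may drop the apparently redundant `PR_GetError()`/`PR_SetError()` calls; add above the `PRErrorCode orig_error` line `/* tlsm_get_basic_constraint_extension() can replace the NSPR error that node->error describes; save it so the error message reported afterwards names the original verification failure */`. Restoring right after the `SECStatus rv = ...` call, rather than after the two `Debug()` branches, would keep the window in which the error is clobbered as small as possible, though presumably nothing in those branches sets an NSPR error, so the current placement is acceptable. As a point of style, `PR_SetError(orig_error, orig_oserror);` does not follow the surrounding `f( a, b )` spacing; `PR_SetError( orig_error, orig_oserror );` matches the rest of the file. The inner hunks are excerpts from tlsm_verify_cert(), whose body starts and ends outside this patch, so whether any early exit lies between the save and the restore cannot be confirmed from here.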
diff --git a/openldap.spec b/openldap.spec
index aebaa3c..741bbd3 100644
--- a/openldap.spec
+++ b/openldap.spec
@@ -41,6 +41,7 @@ Patch9: openldap-constraint-count.patch
 Patch10: openldap-man-sasl-nocanon.patch
 Patch11: openldap-nss-allow-ca-dbdir-pemfile.patch
 Patch12: openldap-tls-unbind-shutdown-order.patch
+Patch13: openldap-nss-dont-overwrite-verify-cert-error.patch
 # Fedora specific patches
 Patch100: openldap-fedora-systemd.patch
@@ -149,6 +150,7 @@ pushd openldap-%{version}
 %patch10 -p1
 %patch11 -p1
 %patch12 -p1
+%patch13 -p1
 %patch100 -p1
@@ -663,6 +665,7 @@ exit 0
 * Wed Jun 27 2012 Jan Vcelak 2.4.31-3
 - update fix: count constraint broken when using multiple modifications (#795766)
 - fix: invalid order of TLS shutdown operations (#808464)
+- fix: TLS error messages overwriting in tlsm_verify_cert() (#810462)
 * Fri May 18 2012 Jan Vcelak 2.4.31-2
 - fix: nss-tools package is required by the base package, not the server subpackage