diff --git a/openldap-nss-certs-from-certdb-fallback-pem.patch b/openldap-nss-certs-from-certdb-fallback-pem.patch
new file mode 100644
index 0000000..dad03c7
--- /dev/null
+++ b/openldap-nss-certs-from-certdb-fallback-pem.patch
@@ -0,0 +1,80 @@
+MozNSS: load certificates from certdb, fallback to PEM
+
+If TLS_CACERT pointed to a PEM file and TLS_CACERTDIR was set to NSS certificate database, the backend assumed that
+the certificate is always located in the certificate database. This assumption might be wrong. This patch makes the
+library to try to load the certificate from NSS database and fallback to PEM file if unsuccessfull.
+
+Author: Jan Vcelak
+Upstream ITS: #7389
+Resolves: #857455
+
+diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c
+index 7ebcd24..634f9d9 100644
+--- a/libraries/libldap/tls_m.c
++++ b/libraries/libldap/tls_m.c
+@@ -1412,7 +1412,7 @@ tlsm_ctx_load_private_key(tlsm_ctx *ctx)
+ /* prefer unlocked key, then key from opened certdb, then any other */
+ if (unlocked_key)
+ ctx->tc_private_key = unlocked_key;
+- else if (ctx->tc_certdb_slot)
++ else if ( ctx->tc_certdb_slot && !ctx->tc_using_pem )
+ ctx->tc_private_key = PK11_FindKeyByDERCert(ctx->tc_certdb_slot, ctx->tc_certificate, pin_arg);
+ else
+ ctx->tc_private_key = PK11_FindKeyByAnyCert(ctx->tc_certificate, pin_arg);
+@@ -1906,8 +1906,6 @@ tlsm_deferred_init( void *arg )
+ }
+ return -1;
+ }
+-
+- ctx->tc_using_pem = PR_TRUE;
+ }
+ 
+ NSS_SetDomesticPolicy();
+@@ -2360,15 +2358,9 @@ tlsm_deferred_ctx_init( void *arg )
+ 
+ /* set up our cert and key, if any */
+ if ( lt->lt_certfile ) {
+- /* if using the PEM module, load the PEM file specified by lt_certfile */
+- /* otherwise, assume this is the name of a cert already in the db */
+- if ( ctx->tc_using_pem ) {
+- /* this sets ctx->tc_certificate to the correct value */
+- int rc = tlsm_add_cert_from_file( ctx, lt->lt_certfile, PR_FALSE );
+- if ( rc ) {
+- return rc;
+- }
+- } else {
++
++ /* first search in certdb (lt_certfile is nickname) */
++ if ( ctx->tc_certdb ) {
+ char *tmp_certname;
+ 
+ if (tlsm_is_tokenname_certnick(lt->lt_certfile)) {
+@@ -2388,9 +2380,24 @@ tlsm_deferred_ctx_init( void *arg )
+ Debug( LDAP_DEBUG_ANY,
+ "TLS: error: 
the certificate '%s' could not be found in the database - error %d:%s.\n",
+ lt->lt_certfile, errcode, PR_ErrorToString( errcode, PR_LANGUAGE_I_DEFAULT ) );
+- return -1;
+ }
+ }
++
++ /* fallback to PEM module (lt_certfile is filename) */
++ if ( !ctx->tc_certificate && pem_module ) {
++ /* this sets ctx->tc_certificate to the correct value */
++ if ( !tlsm_add_cert_from_file( ctx, lt->lt_certfile, PR_FALSE ) ) {
++ ctx->tc_using_pem = PR_TRUE;
++ }
++ }
++
++ if ( ctx->tc_certificate ) {
++ Debug( LDAP_DEBUG_ANY,
++ "TLS: certificate '%s' successfully loaded from %s.\n", lt->lt_certfile,
++ ctx->tc_using_pem ? "PEM file" : "moznss database", 0);
++ } else {
++ return -1;
++ }
+ }
+ 
+ if ( lt->lt_keyfile ) {
+-- 
+1.7.11.4
+
diff --git a/openldap.spec b/openldap.spec
index 70a742d..975855e 100644
--- a/openldap.spec
+++ b/openldap.spec
@@ -46,6 +46,7 @@ Patch14: openldap-nss-update-list-of-ciphers.patch
 Patch15: openldap-tls-no-reuse-of-tls_session.patch
 Patch16: openldap-nss-regex-search-hashed-cacert-dir.patch
 Patch17: openldap-nss-ignore-certdb-sql-prefix.patch
+Patch18: openldap-nss-certs-from-certdb-fallback-pem.patch
 
 # Fedora specific patches
 Patch100: openldap-autoconf-pkgconfig-nss.patch
@@ -165,6 +166,7 @@ ln -s %{_includedir}/nspr4 include/nspr
 %patch15 -p1
 %patch16 -p1
 %patch17 -p1
+%patch18 -p1
 %patch101 -p1
@@ -627,6 +629,7 @@ exit 0
 - fix: connection hangs after fallback to second server when certificate hostname verification fails (#852476)
 - fix: not all certificates in OpenSSL compatible CA certificate directory format are loaded (#852786)
 - fix: MozNSS certificate database in SQL format cannot be used (#857390)
+- fix: libldap does not load PEM certificate if certdb is used as TLS_CACERTDIR (#857455)
 
 * Mon Aug 20 2012 Jan Vcelak 2.4.32-2
 - enhancement: TLS, prefer private keys from authenticated slots
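Review bot: The certdb lookup's failure message `Debug( LDAP_DEBUG_ANY, "TLS: error: the certificate '%s' could not be found in the database ..." )` is kept at error level although that lookup is now only the first attempt and the PEM fallback follows, so every client configured with a PEM certificate (the case this patch exists for) logs a spurious "TLS: error" on each successful init; reword it to something like `"TLS: certificate '%s' not found in the database - error %d:%s - trying PEM file.\n"` or move the error wording to the path where the fallback also fails. Relatedly, the new final `else { return -1; }` emits no diagnostic, so when tc_certdb is NULL and pem_module is NULL (or the PEM load fails without logging, which these hunks do not show) the init fails silently; a `Debug( LDAP_DEBUG_ANY, "TLS: error: could not load certificate '%s' from the database or a PEM file.\n", lt->lt_certfile, 0, 0 );` before that return would make the failure triageable. Dropping `ctx->tc_using_pem = PR_TRUE;` from tlsm_deferred_init means the flag is now set only when the client certificate itself came from PEM, so any other reader of tc_using_pem (for example for CA material loaded from a PEM file) lives outside these hunks and should be checked for a changed meaning. tlsm_deferred_ctx_init continues outside both of its hunks, and the lines between the `@@ -2360` and `@@ -2388` hunks are not shown here.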