Mozilla NSS - delay token auth until needed (#616552)

Mozilla NSS - support use of self signed CA certs as server certs (#614545)
2010-07-22 08:11:30 +00:00 · 2010-07-22 08:11:30 +00:00 · 6468aa6a54
commit 6468aa6a54
parent 13c47e0e20
3 changed files with 104 additions and 1 deletions
--- a/openldap-2.4.22-initauthtoken.patch
+++ b/openldap-2.4.22-initauthtoken.patch
@ -0,0 +1,44 @@
+#616552 Mozilla NSS - delay token auth until needed
+upstream: http://www.openldap.org/its/index.cgi issue 6595
+
+diff -urNP openldap-2.4.22.old/libraries/libldap/tls_m.c openldap-2.4.22.new/libraries/libldap/tls_m.c
+--- openldap-2.4.22.old/libraries/libldap/tls_m.c	2010-07-22 09:56:58.984806148 +0200
+++ openldap-2.4.22.new/libraries/libldap/tls_m.c	2010-07-22 09:58:19.030686912 +0200
+@@ -930,26 +930,6 @@
+ 	return rc;
+ }
+ 
+-static int
+-tlsm_init_tokens( tlsm_ctx *ctx )
+-{
+-	PK11SlotList *slotList;
+-	PK11SlotListElement *listEntry;
+-	int rc = 0;
+-
+-	slotList = PK11_GetAllTokens( CKM_INVALID_MECHANISM, PR_FALSE, PR_TRUE, NULL );
+-
+-	for ( listEntry = PK11_GetFirstSafe( slotList ); !rc && listEntry;
+-		  listEntry = PK11_GetNextSafe( slotList, listEntry, PR_FALSE ) ) {
+-		PK11SlotInfo *slot = listEntry->slot;
+-		rc = tlsm_authenticate_to_slot( ctx, slot );
+-	}
+-
+-	PK11_FreeSlotList( slotList );
+-
+-	return rc;
+-}
+-
+ static SECStatus
+ tlsm_nss_shutdown_cb( void *appData, void *nssData )
+ {
+@@ -1365,10 +1345,6 @@
+ 
+ 		PK11_SetPasswordFunc( tlsm_pin_prompt );
+ 
+-		if ( tlsm_init_tokens( ctx ) ) {
+-			return -1;
+-		}
+-
+ 		/* register cleanup function */
+ 		/* delete the old one, if any */
+ 		NSS_UnregisterShutdown( tlsm_nss_shutdown_cb, NULL );
--- a/openldap-2.4.23-selfsignedcacert.patch
+++ b/openldap-2.4.23-selfsignedcacert.patch
@ -0,0 +1,51 @@
+#614545 Mozilla NSS - support use of self signed CA certs as server certs 
+upstream: http://www.openldap.org/its/index.cgi issue 6589
+
+diff -urNP openldap-2.4.22.old/libraries/libldap/tls_m.c openldap-2.4.22.new/libraries/libldap/tls_m.c
+--- openldap-2.4.22.old/libraries/libldap/tls_m.c	2010-04-15 23:26:00.000000000 +0200
+++ openldap-2.4.22.new/libraries/libldap/tls_m.c	2010-07-22 09:56:58.984806148 +0200
+@@ -1491,11 +1491,40 @@
+ 		status = CERT_VerifyCertificateNow( ctx->tc_certdb, cert,
+ 											checkSig, certUsage,
+ 											pin_arg, NULL );
+-		if (status != SECSuccess) {
+		if ( status != SECSuccess ) {
+			/* NSS doesn't like self-signed CA certs that are also used for 
+			   TLS/SSL server certs (such as generated by openssl req -x509)
+			   CERT_VerifyCertificateNow returns SEC_ERROR_UNTRUSTED_ISSUER in that case
+			   so, see if the cert and issuer are the same cert
+			*/
+ 			PRErrorCode errcode = PR_GetError();
+-			Debug( LDAP_DEBUG_ANY,
+-				   "TLS: error: the certificate %s is not valid - error %d:%s\n",
+-				   certname, errcode, PR_ErrorToString( errcode, PR_LANGUAGE_I_DEFAULT ) );
+
+			if ( errcode == SEC_ERROR_UNTRUSTED_ISSUER ) {
+				CERTCertificate *issuer = CERT_FindCertIssuer( cert, PR_Now(), certUsageSSLServer );
+				if ( NULL == issuer ) {
+					/* no issuer - warn and allow */
+					status = SECSuccess;
+					rc = 0;
+					Debug( LDAP_DEBUG_ANY,
+						   "TLS: warning: the server certificate %s has no issuer - "
+						   "please check this certificate for validity\n",
+						   certname, 0, 0 );
+				} else if ( CERT_CompareCerts( cert, issuer ) ) {
+					/* self signed - warn and allow */
+					status = SECSuccess;
+					rc = 0;
+					Debug( LDAP_DEBUG_ANY,
+						   "TLS: warning: using self-signed server certificate %s\n",
+						   certname, 0, 0 );
+				}
+				CERT_DestroyCertificate( issuer );
+			}
+
+			if ( status != SECSuccess ) {
+				Debug( LDAP_DEBUG_ANY,
+					   "TLS: error: the certificate %s is not valid - error %d:%s\n",
+					   certname, errcode, PR_ErrorToString( errcode, PR_LANGUAGE_I_DEFAULT ) );
+			}
+ 		} else {
+ 			rc = 0; /* success */
+ 		}
--- a/openldap.spec
+++ b/openldap.spec
@ -11,7 +11,7 @@
 Summary: LDAP support libraries
 Name: openldap
 Version: %{version}
-Release: 6%{?dist}
+Release: 7%{?dist}
 License: OpenLDAP
 Group: System Environment/Daemons
 Source0: ftp://ftp.OpenLDAP.org/pub/OpenLDAP/openldap-release/openldap-%{version}.tgz
@ -39,6 +39,8 @@ Patch12: openldap-2.4.21-dn2id-segfault.patch
 Patch13: openldap-2.4.22-ldif_h.patch
 Patch14: openldap-2.4.22-libldif.patch
 Patch15: openldap-2.4.22-modrdn-segfault.patch
+Patch16: openldap-2.4.23-selfsignedcacert.patch
+Patch17: openldap-2.4.22-initauthtoken.patch

 # Patches for the evolution library
 Patch200: openldap-2.4.6-evolution-ntlm.patch
@ -139,6 +141,8 @@ pushd openldap-%{version}
 %patch13 -p1 -b .ldif_h
 %patch14 -p1 -b .libldif
 %patch15 -p1 -b .modrdn-segfault
+%patch16 -p1 -b .selfsignedcacert
+%patch17 -p1 -b .initauthtoken

 cp %{_datadir}/libtool/config/config.{sub,guess} build/
 popd
@ -671,6 +675,10 @@ fi
 %attr(0644,root,root)      %{evolution_connector_libdir}/*.a

 %changelog
+* Thu Jul 22 2010 Jan Vcelak <jvcelak@redhat.com> 2.4.22-7
+- Mozilla NSS - delay token auth until needed (#616552)
+- Mozilla NSS - support use of self signed CA certs as server certs (#614545)
+
 * Tue Jul 20 2010 Jan Vcelak <jvcelak@redhat.com> - 2.4.22-6
 - CVE-2010-0211 openldap: modrdn processing uninitialized pointer free (#605448)
 - CVE-2010-0212 openldap: modrdn processing IA5StringNormalize NULL pointer dereference (#605452)