rpms/openldap
6
0
Fork 0
Code Issues Pull Requests Releases Activity

Mozilla NSS - delay token auth until needed (#616552)

Browse Source 
Mozilla NSS - support use of self signed CA certs as server certs (#614545)
This commit is contained in:
jvcelak 2010-07-22 08:11:30 +00:00
parent 13c47e0e20
commit 6468aa6a54
3 changed files with 104 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

44
openldap-2.4.22-initauthtoken.patch Normal file
View File

@ -0,0 +1,44 @@
#616552 Mozilla NSS - delay token auth until needed
upstream: http://www.openldap.org/its/index.cgi issue 6595
diff -urNP openldap-2.4.22.old/libraries/libldap/tls_m.c openldap-2.4.22.new/libraries/libldap/tls_m.c
--- openldap-2.4.22.old/libraries/libldap/tls_m.c 2010-07-22 09:56:58.984806148 +0200
+++ openldap-2.4.22.new/libraries/libldap/tls_m.c 2010-07-22 09:58:19.030686912 +0200
@@ -930,26 +930,6 @@
return rc;
}
-static int
-tlsm_init_tokens( tlsm_ctx *ctx )
-{
- PK11SlotList *slotList;
- PK11SlotListElement *listEntry;
- int rc = 0;
-
- slotList = PK11_GetAllTokens( CKM_INVALID_MECHANISM, PR_FALSE, PR_TRUE, NULL );
-
- for ( listEntry = PK11_GetFirstSafe( slotList ); !rc && listEntry;
- listEntry = PK11_GetNextSafe( slotList, listEntry, PR_FALSE ) ) {
- PK11SlotInfo *slot = listEntry->slot;
- rc = tlsm_authenticate_to_slot( ctx, slot );
- }
-
- PK11_FreeSlotList( slotList );
-
- return rc;
-}
-
static SECStatus
tlsm_nss_shutdown_cb( void *appData, void *nssData )
{
@@ -1365,10 +1345,6 @@
PK11_SetPasswordFunc( tlsm_pin_prompt );
- if ( tlsm_init_tokens( ctx ) ) {
- return -1;
- }
-
/* register cleanup function */
/* delete the old one, if any */
NSS_UnregisterShutdown( tlsm_nss_shutdown_cb, NULL );

51
openldap-2.4.23-selfsignedcacert.patch Normal file
View File

@ -0,0 +1,51 @@
#614545 Mozilla NSS - support use of self signed CA certs as server certs
upstream: http://www.openldap.org/its/index.cgi issue 6589
diff -urNP openldap-2.4.22.old/libraries/libldap/tls_m.c openldap-2.4.22.new/libraries/libldap/tls_m.c
--- openldap-2.4.22.old/libraries/libldap/tls_m.c 2010-04-15 23:26:00.000000000 +0200
+++ openldap-2.4.22.new/libraries/libldap/tls_m.c 2010-07-22 09:56:58.984806148 +0200
@@ -1491,11 +1491,40 @@
status = CERT_VerifyCertificateNow( ctx->tc_certdb, cert,
checkSig, certUsage,
pin_arg, NULL );
- if (status != SECSuccess) {
+ if ( status != SECSuccess ) {
+ /* NSS doesn't like self-signed CA certs that are also used for
+ TLS/SSL server certs (such as generated by openssl req -x509)
+ CERT_VerifyCertificateNow returns SEC_ERROR_UNTRUSTED_ISSUER in that case
+ so, see if the cert and issuer are the same cert
+ */
PRErrorCode errcode = PR_GetError();
- Debug( LDAP_DEBUG_ANY,
- "TLS: error: the certificate %s is not valid - error %d:%s\n",
- certname, errcode, PR_ErrorToString( errcode, PR_LANGUAGE_I_DEFAULT ) );
+
+ if ( errcode == SEC_ERROR_UNTRUSTED_ISSUER ) {
+ CERTCertificate *issuer = CERT_FindCertIssuer( cert, PR_Now(), certUsageSSLServer );
+ if ( NULL == issuer ) {
+ /* no issuer - warn and allow */
+ status = SECSuccess;
+ rc = 0;
+ Debug( LDAP_DEBUG_ANY,
+ "TLS: warning: the server certificate %s has no issuer - "
+ "please check this certificate for validity\n",
+ certname, 0, 0 );
+ } else if ( CERT_CompareCerts( cert, issuer ) ) {
+ /* self signed - warn and allow */
+ status = SECSuccess;
+ rc = 0;
+ Debug( LDAP_DEBUG_ANY,
+ "TLS: warning: using self-signed server certificate %s\n",
+ certname, 0, 0 );
+ }
+ CERT_DestroyCertificate( issuer );
+ }
+
+ if ( status != SECSuccess ) {
+ Debug( LDAP_DEBUG_ANY,
+ "TLS: error: the certificate %s is not valid - error %d:%s\n",
+ certname, errcode, PR_ErrorToString( errcode, PR_LANGUAGE_I_DEFAULT ) );
+ }
} else {
rc = 0; /* success */
}

10
openldap.spec
View File

@ -11,7 +11,7 @@
Summary: LDAP support libraries Summary: LDAP support libraries
Name: openldap Name: openldap
Version: %{version} Version: %{version}
Release: 6%{?dist} Release: 7%{?dist}
License: OpenLDAP License: OpenLDAP
Group: System Environment/Daemons Group: System Environment/Daemons
Source0: ftp://ftp.OpenLDAP.org/pub/OpenLDAP/openldap-release/openldap-%{version}.tgz Source0: ftp://ftp.OpenLDAP.org/pub/OpenLDAP/openldap-release/openldap-%{version}.tgz
@ -39,6 +39,8 @@ Patch12: openldap-2.4.21-dn2id-segfault.patch
Patch13: openldap-2.4.22-ldif_h.patch Patch13: openldap-2.4.22-ldif_h.patch
Patch14: openldap-2.4.22-libldif.patch Patch14: openldap-2.4.22-libldif.patch
Patch15: openldap-2.4.22-modrdn-segfault.patch Patch15: openldap-2.4.22-modrdn-segfault.patch
Patch16: openldap-2.4.23-selfsignedcacert.patch
Patch17: openldap-2.4.22-initauthtoken.patch
# Patches for the evolution library # Patches for the evolution library
Patch200: openldap-2.4.6-evolution-ntlm.patch Patch200: openldap-2.4.6-evolution-ntlm.patch
@ -139,6 +141,8 @@ pushd openldap-%{version}
%patch13 -p1 -b .ldif_h %patch13 -p1 -b .ldif_h
%patch14 -p1 -b .libldif %patch14 -p1 -b .libldif
%patch15 -p1 -b .modrdn-segfault %patch15 -p1 -b .modrdn-segfault
%patch16 -p1 -b .selfsignedcacert
%patch17 -p1 -b .initauthtoken
cp %{_datadir}/libtool/config/config.{sub,guess} build/ cp %{_datadir}/libtool/config/config.{sub,guess} build/
popd popd
@ -671,6 +675,10 @@ fi
%attr(0644,root,root) %{evolution_connector_libdir}/*.a %attr(0644,root,root) %{evolution_connector_libdir}/*.a
%changelog %changelog
* Thu Jul 22 2010 Jan Vcelak <jvcelak@redhat.com> 2.4.22-7
- Mozilla NSS - delay token auth until needed (#616552)
- Mozilla NSS - support use of self signed CA certs as server certs (#614545)
* Tue Jul 20 2010 Jan Vcelak <jvcelak@redhat.com> - 2.4.22-6 * Tue Jul 20 2010 Jan Vcelak <jvcelak@redhat.com> - 2.4.22-6
- CVE-2010-0211 openldap: modrdn processing uninitialized pointer free (#605448) - CVE-2010-0211 openldap: modrdn processing uninitialized pointer free (#605448)
- CVE-2010-0212 openldap: modrdn processing IA5StringNormalize NULL pointer dereference (#605452) - CVE-2010-0212 openldap: modrdn processing IA5StringNormalize NULL pointer dereference (#605452)