MozNSS Compat. Layer: Enable usage of NSS DB with PEM cert/key

+ Fix a possible invalid dereference (covscan) (cherry picked from commit 7abf6fbae6df9bc7cfdd9d28cc52f7676a123d9b) (originally #1525485) Related: #1400570
2018-01-10 23:36:58 +01:00 · 2018-01-10 23:36:58 +01:00 · 68ef0e0238
commit 68ef0e0238
parent 1a23456530
2 changed files with 72 additions and 35 deletions
--- a/openldap-tlsmc.patch
+++ b/openldap-tlsmc.patch
@ -1,7 +1,7 @@
 MozNSS Interception Code

 Author: Matus Honek <mhonek@redhat.com>
-Date: Mon Nov 27 16:03:42 CET 2017
+Date: Wed Jan 10 23:30:56 CET 2018
 diff --git a/configure.in b/configure.in
 --- a/configure.in
 +++ b/configure.in
@ -236,10 +236,11 @@ diff --git a/libraries/libldap/tls2.c b/libraries/libldap/tls2.c
 	if ( is_server && !lts.lt_certfile && !lts.lt_keyfile &&
 		!lts.lt_cacertfile && !lts.lt_cacertdir ) {
 		/* minimum configuration not provided */
-@@ -573,6 +598,21 @@ ldap_int_tls_config( LDAP *ld, int option, const char *arg )
+@@ -572,6 +597,21 @@ ldap_int_tls_config( LDAP *ld, int option, const char *arg )
+ 			return ldap_pvt_tls_set_option( ld, option, &i );
 		}
 		return -1;
- #endif
+#endif
 +#ifdef HAVE_MOZNSS_COMPATIBILITY
 +	case LDAP_OPT_X_TLS_MOZNSS_COMPATIBILITY:
 +		i = -1;
@ -254,10 +255,9 @@ diff --git a/libraries/libldap/tls2.c b/libraries/libldap/tls2.c
 +			i = LDAP_OPT_X_TLS_MOZNSS_COMPATIBILITY_DISABLED;
 +		}
 +		return ldap_pvt_tls_set_option( ld, option, &i );
-+#endif
+ #endif
 	}
 	return -1;
- }
@@ -675,6 +715,9 @@ ldap_pvt_tls_get_option( LDAP *ld, int option, void *arg )
 	case LDAP_OPT_X_TLS_CONNECT_ARG:
 		*(void **)arg = lo->ldo_tls_connect_arg;
@ -283,7 +283,7 @@ diff --git a/libraries/libldap/tls_mc.c b/libraries/libldap/tls_mc.c
 new file mode 100644
 --- /dev/null
 +++ b/libraries/libldap/tls_mc.c
-@@ -0,0 +1,1179 @@
+@@ -0,0 +1,1211 @@
 +#include "portable.h"
 +
 +#ifdef HAVE_MOZNSS_COMPATIBILITY
@ -742,6 +742,7 @@ new file mode 100644
 +{
 +	int rv = 0;
 +	char *data = NULL;
+	char *checksum = NULL;
 +
 +	/* gather data */
 +	data = PR_sprintf_append( data,
@ -777,7 +778,6 @@ new file mode 100644
 +	}
 +
 +	/* compute data checksum */
-+	char *checksum = NULL;
 +	if ( 1 != tlsmc_hash( &checksum, (const char*) data ) ) {
 +		checksum = NULL;
 +		goto bail;
@ -1060,6 +1060,11 @@ new file mode 100644
 +	CERTCertificate *cert = NULL;
 +	char *cert_file_path = NULL;
 +	char *key_file_path = NULL;
+	char *file_realpath = NULL;
+
+
+	cert_file_path = PR_smprintf( "%s/cert.pem", dir_name );
+	key_file_path = PR_smprintf( "%s/key.pem", dir_name );
 +
 +	if ( NULL == nickname ) {
 +		Debug( LDAP_DEBUG_ANY,
@ -1075,40 +1080,65 @@ new file mode 100644
 +		       0, 0, 0 );
 +		goto bail;
 +	}
-+	if ( NULL == ( cert = PK11_FindCertFromNickname(nickname, NULL) ) ) {
+	if ( NULL != ( cert = PK11_FindCertFromNickname(nickname, NULL) ) ) {
+		/* extract cert/key from NSS db */
+
+		Debug( LDAP_DEBUG_TRACE,
+		       "tlsmc_extract_cert_key_pair: INFO: extracting certificate `%s' to file `%s'.\n",
+		       nickname, cert_file_path, 0 );
+		if ( 0 == tlsmc_extract_cert_to_file(certHandle, cert, cert_file_path) ) {
+			Debug( LDAP_DEBUG_ANY,
+			       "tlsmc_extract_cert_key_pair: ERROR: could not extract certificate.\n",
+			       0, 0, 0 );
+			goto bail;
+		}
+
+		Debug( LDAP_DEBUG_TRACE,
+		       "tlsmc_extract_cert_key_pair: INFO: extracting associated PK to file `%s'.\n",
+		       key_file_path, 0, 0 );
+		if ( 0 == tlsmc_extract_key_of_cert_to_file( cert, pin_filename, key_file_path ) ) {
+			Debug( LDAP_DEBUG_ANY,
+			       "tlsmc_extract_cert_key_pair: ERROR: could not extract PK.\n",
+			       0, 0, 0 );
+			goto bail;
+		}
+	} else {
+		/* symlink PEM cert/key PEM files */
+
 +		Debug( LDAP_DEBUG_ANY,
-+		       "tlsmc_extract_cert_key_pair: ERROR: could not find certificate with nickname `%s'.\n",
+		       "tlsmc_extract_cert_key_pair: INFO: could not find certificate with nickname `%s', expecting a PEM file.\n",
 +		       nickname, 0, 0 );
-+		goto bail;
-+	}
 +
-+	/* cert */
-+	cert_file_path = PR_smprintf( "%s/cert.pem", dir_name );
-+	Debug( LDAP_DEBUG_TRACE,
-+	       "tlsmc_extract_cert_key_pair: INFO: extracting certificate `%s' to file `%s'.\n",
-+	       nickname, cert_file_path, 0 );
-+	if ( 0 == tlsmc_extract_cert_to_file(certHandle, cert, cert_file_path) ) {
-+		Debug( LDAP_DEBUG_ANY,
-+		       "tlsmc_extract_cert_key_pair: ERROR: could not extract certificate.\n",
-+		       0, 0, 0 );
-+		goto bail;
-+	}
+		Debug( LDAP_DEBUG_TRACE,
+		       "tlsmc_extract_cert_key_pair: INFO: symlinking certificate file `%s' to file `%s'.\n",
+		       nickname, cert_file_path, 0 );
+		if ( NULL == ( file_realpath = realpath( nickname, NULL ) ) ) {
+			perror( "Could not get the realpath" );
+			goto bail;
+		}
+		if ( -1 == symlink( file_realpath, cert_file_path ) ) {
+			perror( "Could not create a symlink" );
+			goto bail;
+		}
+		if ( file_realpath ) free( file_realpath );
 +
-+	/* key */
-+	key_file_path = PR_smprintf( "%s/key.pem", dir_name );
-+	Debug( LDAP_DEBUG_TRACE,
-+	       "tlsmc_extract_cert_key_pair: INFO: extracting associated PK to file `%s'.\n",
-+	       key_file_path, 0, 0 );
-+	if ( 0 == tlsmc_extract_key_of_cert_to_file( cert, pin_filename, key_file_path ) ) {
-+		Debug( LDAP_DEBUG_ANY,
-+		       "tlsmc_extract_cert_key_pair: ERROR: could not extract PK.\n",
-+		       0, 0, 0 );
-+		goto bail;
+		Debug( LDAP_DEBUG_TRACE,
+		       "tlsmc_extract_cert_key_pair: INFO: symlinking PK file `%s' to file `%s'.\n",
+		       pin_filename, key_file_path, 0 );
+		if ( NULL == ( file_realpath = realpath( pin_filename, NULL ) ) ) {
+			perror( "Could not get the realpath" );
+			goto bail;
+		}
+		if ( -1 == symlink( file_realpath, key_file_path ) ) {
+			perror( "Could not create a symlink" );
+			goto bail;
+		}
 +	}
 +
 +	rv = 1;
 +
 +bail:
+	if (file_realpath) free(file_realpath);
 +	if (key_file_path) PR_smprintf_free(key_file_path);
 +	if (cert_file_path) PR_smprintf_free(cert_file_path);
 +	if (cert) CERT_DestroyCertificate(cert);
@ -1366,7 +1396,8 @@ new file mode 100644
 +	if (*ld_cert) free(*ld_cert);
 +	*ld_cert = PR_smprintf( "%s/" TLSMC_CERT_FILE_NAME, pem_dir );
 +	if ( ! ( ( 0 == stat( *ld_cert, &stat_buf ) )
-+	         && S_ISREG(stat_buf.st_mode) ) ) {
+	         && ( S_ISREG(stat_buf.st_mode)
+	              || S_ISLNK(stat_buf.st_mode) ) ) ) {
 +		Debug( LDAP_DEBUG_ANY,
 +		       "tlsmc_convert: WARN: extracted cert file is not present.\n",
 +		       0, 0, 0 );
@ -1376,7 +1407,8 @@ new file mode 100644
 +	if (*ld_key) free(*ld_key);
 +	*ld_key = PR_smprintf( "%s/" TLSMC_KEY_FILE_NAME, pem_dir );
 +	if ( ! ( ( 0 == stat( *ld_key, &stat_buf ) )
-+	         && S_ISREG(stat_buf.st_mode) ) ) {
+	         && ( S_ISREG(stat_buf.st_mode)
+	              || S_ISLNK(stat_buf.st_mode) ) ) ) {
 +		Debug( LDAP_DEBUG_ANY,
 +		       "tlsmc_convert: WARN: extracted key file is not present.\n",
 +		       0, 0, 0 );
--- a/openldap.spec
+++ b/openldap.spec
@ -5,7 +5,7 @@

 Name: openldap
 Version: 2.4.45
-Release: 6%{?dist}
+Release: 7%{?dist}
 Summary: LDAP support libraries
 Group: System Environment/Daemons
 License: OpenLDAP
@ -516,6 +516,11 @@ exit 0
 %{_mandir}/man3/*

 %changelog
+* Wed Feb  7 2018 Matus Honek <mhonek@redhat.com> - 2.4.45-7
+- MozNSS Compat. Layer fixes (#1400570)
+  - Enable usage of NSS DB with PEM cert/key (orig. #1525485)
+    + Fix a possible invalid dereference (covscan)
+
 * Sat Jan 20 2018 Björn Esser <besser82@fedoraproject.org> - 2.4.45-6
 - Rebuilt for switch to libxcrypt