rpms/openldap
5
0
Fork 0
Code Issues Pull Requests Releases Activity

MozNSS Compat. Layer: Enable usage of NSS DB with PEM cert/key

Browse Source 
+ Fix a possible invalid dereference (covscan)

(cherry picked from commit 7abf6fbae6df9bc7cfdd9d28cc52f7676a123d9b)
(originally #1525485)

Related: #1400570
This commit is contained in:
Matúš Honěk 2018-01-10 23:36:58 +01:00
parent 1a23456530
commit 68ef0e0238
2 changed files with 72 additions and 35 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

70
openldap-tlsmc.patch
View File

@ -1,7 +1,7 @@
MozNSS Interception Code MozNSS Interception Code
Author: Matus Honek <mhonek@redhat.com> Author: Matus Honek <mhonek@redhat.com>
Date: Mon Nov 27 16:03:42 CET 2017 Date: Wed Jan 10 23:30:56 CET 2018
diff --git a/configure.in b/configure.in diff --git a/configure.in b/configure.in
--- a/configure.in --- a/configure.in
+++ b/configure.in +++ b/configure.in
@ -236,10 +236,11 @@ diff --git a/libraries/libldap/tls2.c b/libraries/libldap/tls2.c
if ( is_server && !lts.lt_certfile && !lts.lt_keyfile && if ( is_server && !lts.lt_certfile && !lts.lt_keyfile &&
!lts.lt_cacertfile && !lts.lt_cacertdir ) { !lts.lt_cacertfile && !lts.lt_cacertdir ) {
/* minimum configuration not provided */ /* minimum configuration not provided */
@@ -573,6 +598,21 @@ ldap_int_tls_config( LDAP *ld, int option, const char *arg ) @@ -572,6 +597,21 @@ ldap_int_tls_config( LDAP *ld, int option, const char *arg )
return ldap_pvt_tls_set_option( ld, option, &i );
} }
return -1; return -1;
#endif +#endif
+#ifdef HAVE_MOZNSS_COMPATIBILITY +#ifdef HAVE_MOZNSS_COMPATIBILITY
+ case LDAP_OPT_X_TLS_MOZNSS_COMPATIBILITY: + case LDAP_OPT_X_TLS_MOZNSS_COMPATIBILITY:
+ i = -1; + i = -1;
@ -254,10 +255,9 @@ diff --git a/libraries/libldap/tls2.c b/libraries/libldap/tls2.c
+ i = LDAP_OPT_X_TLS_MOZNSS_COMPATIBILITY_DISABLED; + i = LDAP_OPT_X_TLS_MOZNSS_COMPATIBILITY_DISABLED;
+ } + }
+ return ldap_pvt_tls_set_option( ld, option, &i ); + return ldap_pvt_tls_set_option( ld, option, &i );
+#endif #endif
} }
return -1; return -1;
}
@@ -675,6 +715,9 @@ ldap_pvt_tls_get_option( LDAP *ld, int option, void *arg ) @@ -675,6 +715,9 @@ ldap_pvt_tls_get_option( LDAP *ld, int option, void *arg )
case LDAP_OPT_X_TLS_CONNECT_ARG: case LDAP_OPT_X_TLS_CONNECT_ARG:
*(void **)arg = lo->ldo_tls_connect_arg; *(void **)arg = lo->ldo_tls_connect_arg;
@ -283,7 +283,7 @@ diff --git a/libraries/libldap/tls_mc.c b/libraries/libldap/tls_mc.c
new file mode 100644 new file mode 100644
--- /dev/null --- /dev/null
+++ b/libraries/libldap/tls_mc.c +++ b/libraries/libldap/tls_mc.c
@@ -0,0 +1,1179 @@ @@ -0,0 +1,1211 @@
+#include "portable.h" +#include "portable.h"
+ +
+#ifdef HAVE_MOZNSS_COMPATIBILITY +#ifdef HAVE_MOZNSS_COMPATIBILITY
@ -742,6 +742,7 @@ new file mode 100644
+{ +{
+ int rv = 0; + int rv = 0;
+ char *data = NULL; + char *data = NULL;
+ char *checksum = NULL;
+ +
+ /* gather data */ + /* gather data */
+ data = PR_sprintf_append( data, + data = PR_sprintf_append( data,
@ -777,7 +778,6 @@ new file mode 100644
+ } + }
+ +
+ /* compute data checksum */ + /* compute data checksum */
+ char *checksum = NULL;
+ if ( 1 != tlsmc_hash( &checksum, (const char*) data ) ) { + if ( 1 != tlsmc_hash( &checksum, (const char*) data ) ) {
+ checksum = NULL; + checksum = NULL;
+ goto bail; + goto bail;
@ -1060,6 +1060,11 @@ new file mode 100644
+ CERTCertificate *cert = NULL; + CERTCertificate *cert = NULL;
+ char *cert_file_path = NULL; + char *cert_file_path = NULL;
+ char *key_file_path = NULL; + char *key_file_path = NULL;
+ char *file_realpath = NULL;
+
+
+ cert_file_path = PR_smprintf( "%s/cert.pem", dir_name );
+ key_file_path = PR_smprintf( "%s/key.pem", dir_name );
+ +
+ if ( NULL == nickname ) { + if ( NULL == nickname ) {
+ Debug( LDAP_DEBUG_ANY, + Debug( LDAP_DEBUG_ANY,
@ -1075,15 +1080,9 @@ new file mode 100644
+ 0, 0, 0 ); + 0, 0, 0 );
+ goto bail; + goto bail;
+ } + }
+ if ( NULL == ( cert = PK11_FindCertFromNickname(nickname, NULL) ) ) { + if ( NULL != ( cert = PK11_FindCertFromNickname(nickname, NULL) ) ) {
+ Debug( LDAP_DEBUG_ANY, + /* extract cert/key from NSS db */
+ "tlsmc_extract_cert_key_pair: ERROR: could not find certificate with nickname `%s'.\n",
+ nickname, 0, 0 );
+ goto bail;
+ }
+ +
+ /* cert */
+ cert_file_path = PR_smprintf( "%s/cert.pem", dir_name );
+ Debug( LDAP_DEBUG_TRACE, + Debug( LDAP_DEBUG_TRACE,
+ "tlsmc_extract_cert_key_pair: INFO: extracting certificate `%s' to file `%s'.\n", + "tlsmc_extract_cert_key_pair: INFO: extracting certificate `%s' to file `%s'.\n",
+ nickname, cert_file_path, 0 ); + nickname, cert_file_path, 0 );
@ -1094,8 +1093,6 @@ new file mode 100644
+ goto bail; + goto bail;
+ } + }
+ +
+ /* key */
+ key_file_path = PR_smprintf( "%s/key.pem", dir_name );
+ Debug( LDAP_DEBUG_TRACE, + Debug( LDAP_DEBUG_TRACE,
+ "tlsmc_extract_cert_key_pair: INFO: extracting associated PK to file `%s'.\n", + "tlsmc_extract_cert_key_pair: INFO: extracting associated PK to file `%s'.\n",
+ key_file_path, 0, 0 ); + key_file_path, 0, 0 );
@ -1105,10 +1102,43 @@ new file mode 100644
+ 0, 0, 0 ); + 0, 0, 0 );
+ goto bail; + goto bail;
+ } + }
+ } else {
+ /* symlink PEM cert/key PEM files */
+
+ Debug( LDAP_DEBUG_ANY,
+ "tlsmc_extract_cert_key_pair: INFO: could not find certificate with nickname `%s', expecting a PEM file.\n",
+ nickname, 0, 0 );
+
+ Debug( LDAP_DEBUG_TRACE,
+ "tlsmc_extract_cert_key_pair: INFO: symlinking certificate file `%s' to file `%s'.\n",
+ nickname, cert_file_path, 0 );
+ if ( NULL == ( file_realpath = realpath( nickname, NULL ) ) ) {
+ perror( "Could not get the realpath" );
+ goto bail;
+ }
+ if ( -1 == symlink( file_realpath, cert_file_path ) ) {
+ perror( "Could not create a symlink" );
+ goto bail;
+ }
+ if ( file_realpath ) free( file_realpath );
+
+ Debug( LDAP_DEBUG_TRACE,
+ "tlsmc_extract_cert_key_pair: INFO: symlinking PK file `%s' to file `%s'.\n",
+ pin_filename, key_file_path, 0 );
+ if ( NULL == ( file_realpath = realpath( pin_filename, NULL ) ) ) {
+ perror( "Could not get the realpath" );
+ goto bail;
+ }
+ if ( -1 == symlink( file_realpath, key_file_path ) ) {
+ perror( "Could not create a symlink" );
+ goto bail;
+ }
+ }
+ +
+ rv = 1; + rv = 1;
+ +
+bail: +bail:
+ if (file_realpath) free(file_realpath);
+ if (key_file_path) PR_smprintf_free(key_file_path); + if (key_file_path) PR_smprintf_free(key_file_path);
+ if (cert_file_path) PR_smprintf_free(cert_file_path); + if (cert_file_path) PR_smprintf_free(cert_file_path);
+ if (cert) CERT_DestroyCertificate(cert); + if (cert) CERT_DestroyCertificate(cert);
@ -1366,7 +1396,8 @@ new file mode 100644
+ if (*ld_cert) free(*ld_cert); + if (*ld_cert) free(*ld_cert);
+ *ld_cert = PR_smprintf( "%s/" TLSMC_CERT_FILE_NAME, pem_dir ); + *ld_cert = PR_smprintf( "%s/" TLSMC_CERT_FILE_NAME, pem_dir );
+ if ( ! ( ( 0 == stat( *ld_cert, &stat_buf ) ) + if ( ! ( ( 0 == stat( *ld_cert, &stat_buf ) )
+ && S_ISREG(stat_buf.st_mode) ) ) { + && ( S_ISREG(stat_buf.st_mode)
+ || S_ISLNK(stat_buf.st_mode) ) ) ) {
+ Debug( LDAP_DEBUG_ANY, + Debug( LDAP_DEBUG_ANY,
+ "tlsmc_convert: WARN: extracted cert file is not present.\n", + "tlsmc_convert: WARN: extracted cert file is not present.\n",
+ 0, 0, 0 ); + 0, 0, 0 );
@ -1376,7 +1407,8 @@ new file mode 100644
+ if (*ld_key) free(*ld_key); + if (*ld_key) free(*ld_key);
+ *ld_key = PR_smprintf( "%s/" TLSMC_KEY_FILE_NAME, pem_dir ); + *ld_key = PR_smprintf( "%s/" TLSMC_KEY_FILE_NAME, pem_dir );
+ if ( ! ( ( 0 == stat( *ld_key, &stat_buf ) ) + if ( ! ( ( 0 == stat( *ld_key, &stat_buf ) )
+ && S_ISREG(stat_buf.st_mode) ) ) { + && ( S_ISREG(stat_buf.st_mode)
+ || S_ISLNK(stat_buf.st_mode) ) ) ) {
+ Debug( LDAP_DEBUG_ANY, + Debug( LDAP_DEBUG_ANY,
+ "tlsmc_convert: WARN: extracted key file is not present.\n", + "tlsmc_convert: WARN: extracted key file is not present.\n",
+ 0, 0, 0 ); + 0, 0, 0 );

7
openldap.spec
View File

@ -5,7 +5,7 @@
Name: openldap Name: openldap
Version: 2.4.45 Version: 2.4.45
Release: 6%{?dist} Release: 7%{?dist}
Summary: LDAP support libraries Summary: LDAP support libraries
Group: System Environment/Daemons Group: System Environment/Daemons
License: OpenLDAP License: OpenLDAP
@ -516,6 +516,11 @@ exit 0
%{_mandir}/man3/* %{_mandir}/man3/*
%changelog %changelog
* Wed Feb 7 2018 Matus Honek <mhonek@redhat.com> - 2.4.45-7
- MozNSS Compat. Layer fixes (#1400570)
- Enable usage of NSS DB with PEM cert/key (orig. #1525485)
+ Fix a possible invalid dereference (covscan)
* Sat Jan 20 2018 Björn Esser <besser82@fedoraproject.org> - 2.4.45-6 * Sat Jan 20 2018 Björn Esser <besser82@fedoraproject.org> - 2.4.45-6
- Rebuilt for switch to libxcrypt - Rebuilt for switch to libxcrypt