diff --git a/openldap-tlsmc.patch b/openldap-tlsmc.patch index b05847a..dc5ce33 100644 --- a/openldap-tlsmc.patch +++ b/openldap-tlsmc.patch @@ -1,7 +1,7 @@ MozNSS Interception Code Author: Matus Honek -Date: Tue Jan 30 17:46:02 CET 2018 +Date: Wed Jan 31 21:44:47 CET 2018 diff --git a/configure.in b/configure.in --- a/configure.in +++ b/configure.in @@ -642,10 +642,6 @@ new file mode 100644 + char *token_name = NULL; + char *pwdstr = NULL; + -+ Debug( LDAP_DEBUG_ANY, -+ "tlsmc_get_pin: INFO: Please note the extracted key file will not be protected with a PIN any more, however it will be still protected at least by file permissions.\n", -+ 0, 0, 0 ); -+ + token_name = PK11_GetTokenName( slot ); + /* Try to get the passwords from the password file if it exists. + * THIS IS UNSAFE and is provided for convenience only. Without this @@ -653,6 +649,8 @@ new file mode 100644 + * if using an encrypted key. + */ + if ( filename ) { ++ fprintf( stderr, ++ "tlsmc_get_pin: INFO: Please note the extracted key file will not be protected with a PIN any more, however it will be still protected at least by file permissions.\n"); + pwdstr = tlsmc_get_pin_from_file( token_name, (char *)filename ); + if ( retry && pwdstr != NULL ) + return NULL; @@ -663,6 +661,8 @@ new file mode 100644 + unsigned char phrase[200]; + /* Prompt for password */ + if ( isTTY ) { ++ fprintf( stderr, ++ "tlsmc_get_pin: INFO: Please note the extracted key file will not be protected with a PIN any more, however it will be still protected at least by file permissions.\n"); + fprintf( stdout, + "Please enter pin, password, or pass phrase for security token '%s': ", + token_name ? token_name : DEFAULT_TOKEN_NAME ); diff --git a/openldap.spec b/openldap.spec index 1de9d70..449b06f 100644 --- a/openldap.spec +++ b/openldap.spec 
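Review bot: The two added `fprintf( stderr, ... )` calls in `tlsmc_get_pin` (in the `if ( filename )` branch of the `-653,6 +649,8` hunk and the `if ( isTTY )` branch of the `-663,6 +661,8` hunk) write the notice directly to stderr from library code, so delivery depends on what the host process has done with that descriptor. The password-file branch is presumably the non-interactive path; if stderr is closed or redirected there, the warning that the extracted key is no longer PIN-protected reaches no operator, and the `Debug( LDAP_DEBUG_ANY, ... )` record removed in the `-642,10 +642,6` hunk no longer exists as a fallback. I would keep a debug record next to the stderr write in that branch, for example `Debug( LDAP_DEBUG_ANY, TLSMC_PIN_NOTICE, 0, 0, 0 );` followed by `fprintf( stderr, "%s", TLSMC_PIN_NOTICE );`. The message would then be defined once (the macro name is only a suggestion) rather than repeated as a literal in both branches. The body of `tlsmc_get_pin` starts and ends outside these hunks, so whether the notice is also printed again on a `retry` call cannot be confirmed from here.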
@@ -518,6 +518,7 @@ exit 0 %changelog * Wed Feb 7 2018 Matus Honek - 2.4.45-7 - MozNSS Compat. Layer fixes (#1400570) + - fix PIN disclaimer not always shown (orig. #1516409) - fix recursive directory deletion (orig. #1516409) - Ensure consistency of a PEM dir before usage (orig. #1516409) + Warn just before use of a PIN about key file extraction