fix update: restart NSS modules after fork

version bump 2.4.23-8 Resolves: #636956
2011-02-02 12:55:23 +01:00 · 2011-02-02 12:55:23 +01:00 · 8e5df252b6
commit 8e5df252b6
parent b791235bfc
2 changed files with 45 additions and 3 deletions
--- a/openldap-nss-disable-nofork.patch
+++ b/openldap-nss-disable-nofork.patch
@ -0,0 +1,39 @@
+fix: OpenLDAP can't use TLS after a fork()
+
+Mozilla NSS - disable pkcs11 fork checking for the software token
+
+Resolves: #636956
+Upstream ITS: #6811, follows #6802
+Author: Rich Megginson <rmeggins@redhat.com>
+
+diff -uNPrp openldap-2.4.23.old/libraries/libldap/tls_m.c openldap-2.4.23.new/libraries/libldap/tls_m.c
+--- openldap-2.4.23.old/libraries/libldap/tls_m.c	2011-02-02 12:21:27.576280756 +0100
+++ openldap-2.4.23.new/libraries/libldap/tls_m.c	2011-02-02 12:38:24.785682347 +0100
+@@ -2884,10 +2884,27 @@ static const PRIOMethods tlsm_PR_methods
+ static int
+ tlsm_init( void )
+ {
+	char *nofork = PR_GetEnv( "NSS_STRICT_NOFORK" );
+
+ 	PR_Init(0, 0, 0);
+ 
+ 	tlsm_layer_id = PR_GetUniqueIdentity( "OpenLDAP" );
+ 
+	/*
+	 * There are some applications that acquire a crypto context in the parent process
+	 * and expect that crypto context to work after a fork().  This does not work
+	 * with NSS using strict PKCS11 compliance mode.  We set this environment
+	 * variable here to tell the software encryption module/token to allow crypto
+	 * contexts to persist across a fork().  However, if you are using some other
+	 * module or encryption device that supports and expects full PKCS11 semantics,
+	 * the only recourse is to rewrite the application with atfork() handlers to save
+	 * the crypto context in the parent and restore (and SECMOD_RestartModules) the
+	 * context in the child.
+	 */
+	if ( !nofork ) {
+		PR_SetEnv( "NSS_STRICT_NOFORK=DISABLED" );
+	}
+
+ 	return 0;
+ }
+ 
--- a/openldap.spec
+++ b/openldap.spec
@ -7,7 +7,7 @@

 Name: openldap
 Version: 2.4.23
-Release: 7%{?dist}
+Release: 8%{?dist}
 Summary: LDAP support libraries
 Group: System Environment/Daemons
 License: OpenLDAP
@ -39,10 +39,9 @@ Patch105: openldap-cacertdir-hash-only.patch
 Patch106: openldap-improve-trace-messages.patch
 Patch107: openldap-nss-non-blocking.patch
 Patch108: openldap-verify-self-issued-certs.patch
-
-# patches sent upstream
 Patch109: openldap-nss-cipher-suites.patch
 Patch110: openldap-nss-restart-modules-fork.patch
+Patch111: openldap-nss-disable-nofork.patch

 # patches for the evolution library (see README.evolution)
 Patch200: openldap-evolution-ntlm.patch
@ -155,6 +154,7 @@ pushd openldap-%{version}
 %patch108 -p1 -b .verify-self-issued-certs
 %patch109 -p1 -b .nss-cipher-suites
 %patch110 -p1 -b .nss-restart-modules-fork
+%patch111 -p1 -b .nss-disable-nofork

 cp %{_datadir}/libtool/config/config.{sub,guess} build/

@ -676,6 +676,9 @@ exit 0
 %attr(0644,root,root)      %{evolution_connector_libdir}/*.a

 %changelog
+* Wed Feb 02 2011 Jan Vcelak <jvcelak@redhat.com> 2.4.23-8
+- fix update: openldap can't use TLS after a fork() (#636956)
+
 * Tue Jan 25 2011 Jan Vcelak <jvcelak@redhat.com> 2.4.23-7
 - fix: openldap can't use TLS after a fork() (#636956)
 - fix: openldap-server upgrade gets stuck when the database is damaged (#664433)