fix update: restart NSS modules after fork

version bump 2.4.23-8 Resolves: #636956
2011-02-02 12:55:23 +01:00 · 2011-02-02 12:55:23 +01:00 · 8e5df252b6
commit 8e5df252b6
parent b791235bfc
2 changed files with 45 additions and 3 deletions
--- a/openldap-nss-disable-nofork.patch
+++ b/openldap-nss-disable-nofork.patch
@ -0,0 +1,39 @@
 fix: OpenLDAP can't use TLS after a fork()
 Mozilla NSS - disable pkcs11 fork checking for the software token
 Resolves: #636956
 Upstream ITS: #6811, follows #6802
 Author: Rich Megginson <rmeggins@redhat.com>
 diff -uNPrp openldap-2.4.23.old/libraries/libldap/tls_m.c openldap-2.4.23.new/libraries/libldap/tls_m.c
 --- openldap-2.4.23.old/libraries/libldap/tls_m.c	2011-02-02 12:21:27.576280756 +0100
 +++ openldap-2.4.23.new/libraries/libldap/tls_m.c	2011-02-02 12:38:24.785682347 +0100
@@ -2884,10 +2884,27 @@ static const PRIOMethods tlsm_PR_methods
 static int
 tlsm_init( void )
 {
 +	char *nofork = PR_GetEnv( "NSS_STRICT_NOFORK" );
 +
 	PR_Init(0, 0, 0);
 	tlsm_layer_id = PR_GetUniqueIdentity( "OpenLDAP" );
 +	/*
 +	 * There are some applications that acquire a crypto context in the parent process
 +	 * and expect that crypto context to work after a fork().  This does not work
 +	 * with NSS using strict PKCS11 compliance mode.  We set this environment
 +	 * variable here to tell the software encryption module/token to allow crypto
 +	 * contexts to persist across a fork().  However, if you are using some other
 +	 * module or encryption device that supports and expects full PKCS11 semantics,
 +	 * the only recourse is to rewrite the application with atfork() handlers to save
 +	 * the crypto context in the parent and restore (and SECMOD_RestartModules) the
 +	 * context in the child.
 +	 */
 +	if ( !nofork ) {
 +		PR_SetEnv( "NSS_STRICT_NOFORK=DISABLED" );
 +	}
 +
 	return 0;
 }
--- a/openldap.spec
+++ b/openldap.spec
@ -7,7 +7,7 @@
 Name: openldap
 Version: 2.4.23
-Release: 7%{?dist}
+Release: 8%{?dist}
 Summary: LDAP support libraries
 Group: System Environment/Daemons
 License: OpenLDAP
@ -39,10 +39,9 @@ Patch105: openldap-cacertdir-hash-only.patch
 Patch106: openldap-improve-trace-messages.patch
 Patch107: openldap-nss-non-blocking.patch
 Patch108: openldap-verify-self-issued-certs.patch
 # patches sent upstream
 Patch109: openldap-nss-cipher-suites.patch
 Patch110: openldap-nss-restart-modules-fork.patch
 Patch111: openldap-nss-disable-nofork.patch
 # patches for the evolution library (see README.evolution)
 Patch200: openldap-evolution-ntlm.patch
@ -155,6 +154,7 @@ pushd openldap-%{version}
 %patch108 -p1 -b .verify-self-issued-certs
 %patch109 -p1 -b .nss-cipher-suites
 %patch110 -p1 -b .nss-restart-modules-fork
 %patch111 -p1 -b .nss-disable-nofork
 cp %{_datadir}/libtool/config/config.{sub,guess} build/
@ -676,6 +676,9 @@ exit 0
 %attr(0644,root,root)      %{evolution_connector_libdir}/*.a
 %changelog
 * Wed Feb 02 2011 Jan Vcelak <jvcelak@redhat.com> 2.4.23-8
 - fix update: openldap can't use TLS after a fork() (#636956)
 * Tue Jan 25 2011 Jan Vcelak <jvcelak@redhat.com> 2.4.23-7
 - fix: openldap can't use TLS after a fork() (#636956)
 - fix: openldap-server upgrade gets stuck when the database is damaged (#664433)