fix: SSL_ForceHandshake function is not thread safe

Resolves: #701678

openldap-nss-handshake-threadsafe.patch

@@ -0,0 +1,96 @@
+Use mutex for connection handshake when using PEM nss
+
+PEM nss is not thread safe when establishing the initial connection
+using SSL_ForceHandshake.  Create a new mutex - tlsm_pem_mutex - to
+protect this function call.
+The call to SSL_ConfigServerSessionIDCache() is not thread-safe - move it
+to the init section and protect it with the init mutex.
+
+Author: Rich Megginson <rmeggins@redhat.com>
+Resolves: #701678
+Upstream ITS: #7034
+---
+ libraries/libldap/tls_m.c |   30 ++++++++++++++++++++++++------
+ 1 files changed, 24 insertions(+), 6 deletions(-)
+
+diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c
+index c85d322..9447db2 100644
+--- a/libraries/libldap/tls_m.c
++++ b/libraries/libldap/tls_m.c
+@@ -135,6 +135,7 @@ static int tlsm_init( void );
+    to wrap the mutex creation in a prcallonce
+ */
+ static ldap_pvt_thread_mutex_t tlsm_init_mutex;
++static ldap_pvt_thread_mutex_t tlsm_pem_mutex;
+ static PRCallOnceType tlsm_init_mutex_callonce = {0,0};
+ 
+ static PRStatus PR_CALLBACK
+@@ -146,6 +147,12 @@ tlsm_thr_init_callonce( void )
+ 		return PR_FAILURE;
+ 	}
+ 
++	if ( ldap_pvt_thread_mutex_init( &tlsm_pem_mutex ) ) {
++		Debug( LDAP_DEBUG_ANY,
++			   "TLS: could not create mutex for PEM module: %d\n", errno, 0, 0 );
++		return PR_FAILURE;
++	}
++
+ 	return PR_SUCCESS;
+ }
+ 
+@@ -1728,6 +1735,14 @@ tlsm_deferred_init( void *arg )
+ 				   errcode, PR_ErrorToString( errcode, PR_LANGUAGE_I_DEFAULT ), 0 );
+ 			return -1;
+ 		}
++
++		if  ( ctx->tc_is_server ) {
++			LDAP_MUTEX_LOCK( &tlsm_init_mutex );
++			/* 0 means use the defaults here */
++			SSL_ConfigServerSessionIDCache( 0, 0, 0, NULL );
++			LDAP_MUTEX_UNLOCK( &tlsm_init_mutex );
++		}
++
+ #ifndef HAVE_NSS_INITCONTEXT
+ 	}
+ #endif /* HAVE_NSS_INITCONTEXT */
+@@ -1941,6 +1956,7 @@ tlsm_destroy( void )
+ {
+ #ifdef LDAP_R_COMPILE
+ 	ldap_pvt_thread_mutex_destroy( &tlsm_init_mutex );
++	ldap_pvt_thread_mutex_destroy( &tlsm_pem_mutex );
+ #endif
+ }
+ 
+@@ -2433,11 +2449,6 @@ tlsm_session_new ( tls_ctx * ctx, int is_server )
+ 		return NULL;
+ 	}
+ 
+-	if ( is_server ) {
+-		/* 0 means use the defaults here */
+-		SSL_ConfigServerSessionIDCache( 0, 0, 0, NULL );
+-	}
+-
+ 	rc = SSL_ResetHandshake( session, is_server );
+ 	if ( rc ) {
+ 		PRErrorCode err = PR_GetError();
+@@ -2457,9 +2468,16 @@ static int
+ tlsm_session_accept_or_connect( tls_session *session, int is_accept )
+ {
+ 	tlsm_session *s = (tlsm_session *)session;
+-	int rc = SSL_ForceHandshake( s );
++	int rc;
+ 	const char *op = is_accept ? "accept" : "connect";
+ 
++	if ( pem_module ) {
++		LDAP_MUTEX_LOCK( &tlsm_pem_mutex );
++	}
++	rc = SSL_ForceHandshake( s );
++	if ( pem_module ) {
++		LDAP_MUTEX_UNLOCK( &tlsm_pem_mutex );
++	}
+ 	if ( rc ) {
+ 		PRErrorCode err = PR_GetError();
+ 		rc = -1;
+-- 
+1.7.1
+

openldap.spec

@@ -9,7 +9,7 @@
 
 Name: openldap
 Version: 2.4.26
-Release: 2%{?dist}
+Release: 3%{?dist}
 Summary: LDAP support libraries
 Group: System Environment/Daemons
 License: OpenLDAP
@@ -40,6 +40,7 @@ Patch14: openldap-man-slapo-unique.patch
 Patch15: openldap-nss-wildcards.patch
 Patch16: openldap-dns-priority.patch
 Patch17: openldap-man-ldap-sync.patch
+Patch18: openldap-nss-handshake-threadsafe.patch
 
 # patches for the evolution library (see README.evolution)
 Patch200: openldap-evolution-ntlm.patch
@@ -150,6 +151,7 @@ pushd openldap-%{version}
 %patch15 -p1 -b .nss-wildcards
 %patch16 -p1 -b .dns-priority
 %patch17 -p1 -b .man-ldap-sync
+%patch18 -p1 -b .nss-handshake-threadsafe
 
 cp %{_datadir}/libtool/config/config.{sub,guess} build/
 
@@ -673,6 +675,9 @@ exit 0
 %attr(0644,root,root)      %{evolution_connector_libdir}/*.a
 
 %changelog
+* Mon Sep 12 2011 Jan Vcelak <jvcelak@redhat.com> 2.4.26-3
+- fix: SSL_ForceHandshake function is not thread safe (#701678)
+
 * Wed Aug 24 2011 Jan Vcelak <jvcelak@redhat.com> 2.4.26-2
 - security hardening: library needs partial RELRO support added (#733071)
 - fix: NSS_Init* functions are not thread safe (#731112)