From af7e90585773596fe5104df33dfff3f636468260 Mon Sep 17 00:00:00 2001
From: Jan Vcelak
Date: Mon, 12 Sep 2011 15:35:09 +0200
Subject: [PATCH] fix: SSL_ForceHandshake function is not thread safe
Resolves: #701678
---
 openldap-nss-handshake-threadsafe.patch | 96 +++++++++++++++++++++++++
 openldap.spec | 7 +-
 2 files changed, 102 insertions(+), 1 deletion(-)
 create mode 100644 openldap-nss-handshake-threadsafe.patch
diff --git a/openldap-nss-handshake-threadsafe.patch b/openldap-nss-handshake-threadsafe.patch
new file mode 100644
index 0000000..7062f45
--- /dev/null
+++ b/openldap-nss-handshake-threadsafe.patch
@@ -0,0 +1,96 @@
+Use mutex for connection handshake when using PEM nss
+
+PEM nss is not thread safe when establishing the initial connection
+using SSL_ForceHandshake. Create a new mutex - tlsm_pem_mutex - to
+protect this function call.
+The call to SSL_ConfigServerSessionIDCache() is not thread-safe - move it
+to the init section and protect it with the init mutex.
+
+Author: Rich Megginson
+Resolves: #701678
+Upstream ITS: #7034
+---
+ libraries/libldap/tls_m.c | 30 ++++++++++++++++++++++++------
+ 1 files changed, 24 insertions(+), 6 deletions(-)
+
+diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c
+index c85d322..9447db2 100644
+--- a/libraries/libldap/tls_m.c
++++ b/libraries/libldap/tls_m.c
+@@ -135,6 +135,7 @@ static int tlsm_init( void );
+ to wrap the mutex creation in a prcallonce
+ */
+ static ldap_pvt_thread_mutex_t tlsm_init_mutex;
++static ldap_pvt_thread_mutex_t tlsm_pem_mutex;
+ static PRCallOnceType tlsm_init_mutex_callonce = {0,0};
+
+ static PRStatus PR_CALLBACK
+@@ -146,6 +147,12 @@ tlsm_thr_init_callonce( void )
+ return PR_FAILURE;
+ }
+
++ if ( ldap_pvt_thread_mutex_init( &tlsm_pem_mutex ) ) {
++ Debug( LDAP_DEBUG_ANY,
++ "TLS: could not create mutex for PEM module: %d\n", errno, 0, 0 );
++ return PR_FAILURE;
++ }
++
+ return PR_SUCCESS;
+ }
+
+@@ -1728,6 +1735,14 @@ tlsm_deferred_init( void *arg )
+ errcode, PR_ErrorToString( errcode, PR_LANGUAGE_I_DEFAULT ), 0 );
+ return -1;
+ }
++
++ if ( ctx->tc_is_server ) {
++ LDAP_MUTEX_LOCK( &tlsm_init_mutex );
++ /* 0 means use the defaults here */
++ SSL_ConfigServerSessionIDCache( 0, 0, 0, NULL );
++ LDAP_MUTEX_UNLOCK( &tlsm_init_mutex );
++ }
++
+ #ifndef HAVE_NSS_INITCONTEXT
+ }
+ #endif /* HAVE_NSS_INITCONTEXT */
+@@ -1941,6 +1956,7 @@ tlsm_destroy( void )
+ {
+ #ifdef LDAP_R_COMPILE
+ ldap_pvt_thread_mutex_destroy( &tlsm_init_mutex );
++ ldap_pvt_thread_mutex_destroy( &tlsm_pem_mutex );
+ #endif
+ }
+
+@@ -2433,11 +2449,6 @@ tlsm_session_new ( tls_ctx * ctx, int is_server )
+ return NULL;
+ }
+
+- if ( is_server ) {
+- /* 0 means use the defaults here */
+- SSL_ConfigServerSessionIDCache( 0, 0, 0, NULL );
+- }
+
+ rc = SSL_ResetHandshake( session, is_server );
+ if ( rc ) {
+ PRErrorCode err = PR_GetError();
+@@ -2457,9 +2468,16 @@ static int
+ tlsm_session_accept_or_connect( tls_session *session, int is_accept )
+ {
+ tlsm_session *s = (tlsm_session *)session;
+- int rc = SSL_ForceHandshake( s );
++ int rc;
+ const char *op = is_accept ? "accept" : "connect";
+
++ if ( pem_module ) {
++ LDAP_MUTEX_LOCK( &tlsm_pem_mutex );
++ }
++ rc = SSL_ForceHandshake( s );
++ if ( pem_module ) {
++ LDAP_MUTEX_UNLOCK( &tlsm_pem_mutex );
++ }
+ if ( rc ) {
+ PRErrorCode err = PR_GetError();
+ rc = -1;
+--
+1.7.1
+
diff --git a/openldap.spec b/openldap.spec
index 452fb45..70dbc85 100644
--- a/openldap.spec
+++ b/openldap.spec
@@ -9,7 +9,7 @@ Name: openldap
 Version: 2.4.26
-Release: 2%{?dist}
+Release: 3%{?dist}
 Summary: LDAP support libraries
 Group: System Environment/Daemons
 License: OpenLDAP
@@ -40,6 +40,7 @@ Patch14: openldap-man-slapo-unique.patch
 Patch15: openldap-nss-wildcards.patch
 Patch16: openldap-dns-priority.patch
 Patch17: openldap-man-ldap-sync.patch
+Patch18: openldap-nss-handshake-threadsafe.patch
 # patches for the evolution library (see README.evolution)
 Patch200: openldap-evolution-ntlm.patch
@@ -150,6 +151,7 @@ pushd openldap-%{version}
 %patch15 -p1 -b .nss-wildcards
 %patch16 -p1 -b .dns-priority
 %patch17 -p1 -b .man-ldap-sync
+%patch18 -p1 -b .nss-handshake-threadsafe
 cp %{_datadir}/libtool/config/config.{sub,guess} build/
@@ -673,6 +675,9 @@ exit 0
 %attr(0644,root,root) %{evolution_connector_libdir}/*.a
 %changelog
+* Mon Sep 12 2011 Jan Vcelak 2.4.26-3
+- fix: SSL_ForceHandshake function is not thread safe (#701678)
+
 * Wed Aug 24 2011 Jan Vcelak 2.4.26-2
 - security hardening: library needs partial RELRO support added (#733071)
 - fix: NSS_Init* functions are not thread safe (#731112)
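Review bot: In the `tlsm_session_accept_or_connect` hunk of the nested tls_m.c patch (`@@ -2457,9 +2468,16 @@`), `pem_module` is read twice, once to decide whether to lock `tlsm_pem_mutex` and once to decide whether to unlock it; it is not defined in this hunk (presumably file-scope state set at module load and cleared at teardown), and if another thread changes it between the two reads the function either unlocks a mutex it never locked or returns still holding it, after which every later handshake blocks. Latch the decision in a local before the lock, `int use_pem_lock = ( pem_module != NULL );`, then `if ( use_pem_lock ) { LDAP_MUTEX_LOCK( &tlsm_pem_mutex ); }` and the same test guarding the unlock, so the pair is always balanced. The body of `tlsm_session_accept_or_connect` continues past the end of the nested hunk. A smaller related point in the `tlsm_thr_init_callonce` hunk: when `ldap_pvt_thread_mutex_init( &tlsm_pem_mutex )` fails, the function returns `PR_FAILURE` with `tlsm_init_mutex` already initialised and never destroyed, so a `ldap_pvt_thread_mutex_destroy( &tlsm_init_mutex );` before that return would keep the two mutexes paired on the failure path.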