parent
9ee41aa9a4
commit
af7e905857
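--- a/openldap-nss-handshake-threadsafe.patch
+++ b/openldap-nss-handshake-threadsafe.patch
@@ -0,0 +1,96 @@
+Use mutex for connection handshake when using PEM nss
+
+PEM nss is not thread safe when establishing the initial connection
+using SSL_ForceHandshake. Create a new mutex - tlsm_pem_mutex - to
+protect this function call.
+The call to SSL_ConfigServerSessionIDCache() is not thread-safe - move it
+to the init section and protect it with the init mutex.
+
+Author: Rich Megginson <rmeggins@redhat.com>
+Resolves: #701678
+Upstream ITS: #7034
+---
+libraries/libldap/tls_m.c | 30 ++++++++++++++++++++++++------
+1 files changed, 24 insertions(+), 6 deletions(-)
+
+diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c
+index c85d322..9447db2 100644
+--- a/libraries/libldap/tls_m.c
++++ b/libraries/libldap/tls_m.c
+@@ -135,6 +135,7 @@ static int tlsm_init( void );
+to wrap the mutex creation in a prcallonce
+*/
+static ldap_pvt_thread_mutex_t tlsm_init_mutex;
++static ldap_pvt_thread_mutex_t tlsm_pem_mutex;
+static PRCallOnceType tlsm_init_mutex_callonce = {0,0};
+
+static PRStatus PR_CALLBACK
+@@ -146,6 +147,12 @@ tlsm_thr_init_callonce( void )
+return PR_FAILURE;
+}
+
++ if ( ldap_pvt_thread_mutex_init( &tlsm_pem_mutex ) ) {
++ Debug( LDAP_DEBUG_ANY,
++ "TLS: could not create mutex for PEM module: %d\n", errno, 0, 0 );
++ return PR_FAILURE;
++ }
++
+return PR_SUCCESS;
+}
+
+@@ -1728,6 +1735,14 @@ tlsm_deferred_init( void *arg )
+errcode, PR_ErrorToString( errcode, PR_LANGUAGE_I_DEFAULT ), 0 );
+return -1;
+}
++
++ if ( ctx->tc_is_server ) {
++ LDAP_MUTEX_LOCK( &tlsm_init_mutex );
++ /* 0 means use the defaults here */
++ SSL_ConfigServerSessionIDCache( 0, 0, 0, NULL );
++ LDAP_MUTEX_UNLOCK( &tlsm_init_mutex );
++ }
++
+#ifndef HAVE_NSS_INITCONTEXT
+}
+#endif /* HAVE_NSS_INITCONTEXT */
+@@ -1941,6 +1956,7 @@ tlsm_destroy( void )
+{
+#ifdef LDAP_R_COMPILE
+ldap_pvt_thread_mutex_destroy( &tlsm_init_mutex );
++ ldap_pvt_thread_mutex_destroy( &tlsm_pem_mutex );
+#endif
+}
+
+@@ -2433,11 +2449,6 @@ tlsm_session_new ( tls_ctx * ctx, int is_server )
+return NULL;
+}
+
+- if ( is_server ) {
+- /* 0 means use the defaults here */
+- SSL_ConfigServerSessionIDCache( 0, 0, 0, NULL );
+- }
+-
+rc = SSL_ResetHandshake( session, is_server );
+if ( rc ) {
+PRErrorCode err = PR_GetError();
+@@ -2457,9 +2468,16 @@ static int
+tlsm_session_accept_or_connect( tls_session *session, int is_accept )
+{
+tlsm_session *s = (tlsm_session *)session;
+- int rc = SSL_ForceHandshake( s );
++ int rc;
+const char *op = is_accept ? "accept" : "connect";
+
++ if ( pem_module ) {
++ LDAP_MUTEX_LOCK( &tlsm_pem_mutex );
++ }
++ rc = SSL_ForceHandshake( s );
++ if ( pem_module ) {
++ LDAP_MUTEX_UNLOCK( &tlsm_pem_mutex );
++ }
+if ( rc ) {
+PRErrorCode err = PR_GetError();
+rc = -1;
+--
+1.7.1
+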
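Review bot: In the tlsm_session_accept_or_connect hunk the global `pem_module` is read once to decide whether to take tlsm_pem_mutex and read again to decide whether to release it, so if another thread changes it between the two reads the function either returns with the mutex still held or unlocks a mutex it never locked; latch the decision once, `int lock_pem = ( pem_module != NULL );`, and test `lock_pem` at both sites. Whether `pem_module` can change while sessions are live is not visible in this patch, so treat that as a precaution rather than a confirmed race. Because SSL_ForceHandshake can block waiting on the peer, holding this mutex serializes every handshake in the process whenever the PEM module is loaded, and an unresponsive peer then stalls all other TLS connections until it times out; a comment above the lock such as `/* PEM module is not thread-safe during the handshake; this serializes all handshakes, including their network wait */` would make that availability trade-off explicit. In the tlsm_deferred_init hunk the moved `SSL_ConfigServerSessionIDCache( 0, 0, 0, NULL )` still discards its SECStatus return, as the removed code did, so a failed cache setup on a server context is silent. tlsm_session_accept_or_connect's body continues past the end of the hunk.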
@ -9,7 +9,7 @@
|
|||||||
|
|
||||||
Name: openldap
|
Name: openldap
|
||||||
Version: 2.4.26
|
Version: 2.4.26
|
||||||
Release: 2%{?dist}
|
Release: 3%{?dist}
|
||||||
Summary: LDAP support libraries
|
Summary: LDAP support libraries
|
||||||
Group: System Environment/Daemons
|
Group: System Environment/Daemons
|
||||||
License: OpenLDAP
|
License: OpenLDAP
|
||||||
@ -40,6 +40,7 @@ Patch14: openldap-man-slapo-unique.patch
|
|||||||
Patch15: openldap-nss-wildcards.patch
|
Patch15: openldap-nss-wildcards.patch
|
||||||
Patch16: openldap-dns-priority.patch
|
Patch16: openldap-dns-priority.patch
|
||||||
Patch17: openldap-man-ldap-sync.patch
|
Patch17: openldap-man-ldap-sync.patch
|
||||||
|
Patch18: openldap-nss-handshake-threadsafe.patch
|
||||||
|
|
||||||
# patches for the evolution library (see README.evolution)
|
# patches for the evolution library (see README.evolution)
|
||||||
Patch200: openldap-evolution-ntlm.patch
|
Patch200: openldap-evolution-ntlm.patch
|
||||||
@ -150,6 +151,7 @@ pushd openldap-%{version}
|
|||||||
%patch15 -p1 -b .nss-wildcards
|
%patch15 -p1 -b .nss-wildcards
|
||||||
%patch16 -p1 -b .dns-priority
|
%patch16 -p1 -b .dns-priority
|
||||||
%patch17 -p1 -b .man-ldap-sync
|
%patch17 -p1 -b .man-ldap-sync
|
||||||
|
%patch18 -p1 -b .nss-handshake-threadsafe
|
||||||
|
|
||||||
cp %{_datadir}/libtool/config/config.{sub,guess} build/
|
cp %{_datadir}/libtool/config/config.{sub,guess} build/
|
||||||
|
|
||||||
@ -673,6 +675,9 @@ exit 0
|
|||||||
%attr(0644,root,root) %{evolution_connector_libdir}/*.a
|
%attr(0644,root,root) %{evolution_connector_libdir}/*.a
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Mon Sep 12 2011 Jan Vcelak <jvcelak@redhat.com> 2.4.26-3
|
||||||
|
- fix: SSL_ForceHandshake function is not thread safe (#701678)
|
||||||
|
|
||||||
* Wed Aug 24 2011 Jan Vcelak <jvcelak@redhat.com> 2.4.26-2
|
* Wed Aug 24 2011 Jan Vcelak <jvcelak@redhat.com> 2.4.26-2
|
||||||
- security hardening: library needs partial RELRO support added (#733071)
|
- security hardening: library needs partial RELRO support added (#733071)
|
||||||
- fix: NSS_Init* functions are not thread safe (#731112)
|
- fix: NSS_Init* functions are not thread safe (#731112)
|
||||||
|