openldap/openldap-reject-non-file-keyfiles.patch
Jan Vcelak ce2de9613d various TLS bugfixes
- reject non-file keyfiles in TLS_CACERTDIR (#652315)
- TLS_CACERTDIR precedence over TLS_CACERT (#652304)
- accept only files in hash.0 format in TLS_CACERTDIR (#650288)
- improve SSL/TLS trace messages (#652818)
- add support for multiple prefixed Mozilla NSS database files in TLS_CACERTDIR

Resolves: #652315 #652304 #650288 #652818
2010-11-18 11:28:30 +01:00


This works around a Mozilla NSS bug: libldap crashes when TLS_CACERTDIR contains a subdirectory.
Skip all non-file entries in CA_CERTDIR.
Resolves: #652315
Upstream ITS: #6703
Author: Rich Megginson (rmeggins@redhat.com)
diff -u -8 -r1.19 tls_m.c
--- openldap.old/libraries/libldap/tls_m.c 29 Oct 2010 08:30:30 -0000 1.19
+++ openldap.new/libraries/libldap/tls_m.c 11 Nov 2010 20:18:20 -0000
@@ -1011,16 +1011,36 @@
CK_ATTRIBUTE theTemplate[20];
CK_BBOOL cktrue = CK_TRUE;
CK_BBOOL ckfalse = CK_FALSE;
CK_OBJECT_CLASS objClass = CKO_CERTIFICATE;
char tmpslotname[64];
char *slotname = NULL;
const char *ptr = NULL;
char sep = PR_GetDirectorySeparator();
+ PRFileInfo fi;
+ PRStatus status;
+
+ memset( &fi, 0, sizeof(fi) );
+ status = PR_GetFileInfo( filename, &fi );
+ if ( PR_SUCCESS != status) {
+ PRErrorCode errcode = PR_GetError();
+ Debug( LDAP_DEBUG_ANY,
+ "TLS: could not read certificate file %s - error %d:%s.\n",
+ filename, errcode,
+ PR_ErrorToString( errcode, PR_LANGUAGE_I_DEFAULT ) );
+ return -1;
+ }
+
+ if ( fi.type != PR_FILE_FILE ) {
+ Debug( LDAP_DEBUG_ANY,
+ "TLS: error: the certificate file %s is not a file.\n",
+ filename, 0 ,0 );
+ return -1;
+ }
attrs = theTemplate;
if ( isca ) {
slotID = 0; /* CA and trust objects use slot 0 */
PR_snprintf( tmpslotname, sizeof(tmpslotname), TLSM_PEM_TOKEN_FMT, slotID );
slotname = tmpslotname;
} else {
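Review bot: The regular-file check added here is repeated verbatim in the hunk at @@ -1083 (key file instead of certificate file), differing only in one word of the log text; a small static helper, called as `if ( tlsm_check_regular_file( filename, "certificate file" ) ) return -1;`, holding the PR_GetFileInfo call and both Debug messages would keep the two copies from drifting apart. The check is a stat of the path that is separate from the later open performed by the NSS PEM module, so it prevents the crash on directories but does not guarantee that what NSS eventually reads is the same regular file; a comment above the memset such as `/* ITS#6703: NSS PEM module crashes on non-files; advisory check, NSS re-opens the path later */` would make that scope explicit for the next maintainer. The `filename, 0 ,0` argument lists would also read better as `filename, 0, 0`. The function whose locals these are begins above this hunk and the same holds for the second hunk.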
@@ -1083,16 +1103,36 @@
CK_SLOT_ID slotID;
PK11SlotInfo * slot = NULL;
PK11GenericObject *rv;
CK_ATTRIBUTE *attrs;
CK_ATTRIBUTE theTemplate[20];
CK_BBOOL cktrue = CK_TRUE;
CK_OBJECT_CLASS objClass = CKO_PRIVATE_KEY;
int retcode = 0;
+ PRFileInfo fi;
+ PRStatus status;
+
+ memset( &fi, 0, sizeof(fi) );
+ status = PR_GetFileInfo( filename, &fi );
+ if ( PR_SUCCESS != status) {
+ PRErrorCode errcode = PR_GetError();
+ Debug( LDAP_DEBUG_ANY,
+ "TLS: could not read key file %s - error %d:%s.\n",
+ filename, errcode,
+ PR_ErrorToString( errcode, PR_LANGUAGE_I_DEFAULT ) );
+ return -1;
+ }
+
+ if ( fi.type != PR_FILE_FILE ) {
+ Debug( LDAP_DEBUG_ANY,
+ "TLS: error: the key file %s is not a file.\n",
+ filename, 0 ,0 );
+ return -1;
+ }
attrs = theTemplate;
if ( ctx->tc_slotname == NULL ) { /* need new slot */
slotID = ++tlsm_slot_count;
ctx->tc_slotname = PR_smprintf( TLSM_PEM_TOKEN_FMT, slotID );
}
slot = PK11_FindSlotByName( ctx->tc_slotname );