ce2de9613d
- reject non-file keyfiles in TLS_CACERTDIR (#652315) - TLS_CACERTDIR precedence over TLS_CACERT (#652304) - accept only files in hash.0 format in TLS_CACERTDIR (#650288) - improve SSL/TLS trace messages (#652818) - add support for multiple prefixed Mozilla NSS database files in TLS_CACERTDIR Resolves: #652315 #652304 #650288 #652818
OpenLDAP should ignore files not in the OpenSSL c_rehash format (hash.0) in TLS_CACERTDIR
Resolves: #650288
Upstream ITS: #6705
Author: Rich Megginson (rmeggins@redhat.com)
--- openldap.old/libraries/libldap/tls_m.c.2 2010-11-11 15:21:05.000000000 -0700
|
|
+++ openldap.new/libraries/libldap/tls_m.c 2010-11-11 15:29:08.000000000 -0700
|
|
@@ -100,16 +100,19 @@
|
|
typedef PRFileDesc tlsm_session;
|
|
|
|
static PRDescIdentity tlsm_layer_id;
|
|
|
|
static const PRIOMethods tlsm_PR_methods;
|
|
|
|
#define PEM_LIBRARY "nsspem"
|
|
#define PEM_MODULE "PEM"
|
|
+/* hash files for use with cacertdir have this file name suffix */
|
|
+#define PEM_CA_HASH_FILE_SUFFIX ".0"
|
|
+#define PEM_CA_HASH_FILE_SUFFIX_LEN 2
|
|
|
|
static SECMODModule *pem_module;
|
|
|
|
#define DEFAULT_TOKEN_NAME "default"
|
|
/* sprintf format used to create token name */
|
|
#define TLSM_PEM_TOKEN_FMT "PEM Token #%ld"
|
|
|
|
static int tlsm_slot_count;
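Review bot: PEM_CA_HASH_FILE_SUFFIX_LEN is a second literal that must be kept in sync by hand with the string it describes, and the suffix check in the directory scan relies on the two agreeing. Deriving it from the string removes that drift: `#define PEM_CA_HASH_FILE_SUFFIX_LEN (sizeof(PEM_CA_HASH_FILE_SUFFIX) - 1)`. If the suffix is later widened to cover other hash-file names, only one definition then needs to change.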
|
|
@@ -1230,18 +1233,29 @@
|
|
"TLS: could not open the CA certificate directory %s - error %d:%s.\n",
|
|
cacertdir, errcode,
|
|
PR_ErrorToString( errcode, PR_LANGUAGE_I_DEFAULT ) );
|
|
goto done;
|
|
}
|
|
|
|
do {
|
|
entry = PR_ReadDir( dir, PR_SKIP_BOTH | PR_SKIP_HIDDEN );
|
|
- if ( NULL != entry ) {
|
|
- char *fullpath = PR_smprintf( "%s/%s", cacertdir, entry->name );
|
|
+ if ( ( NULL != entry ) && ( NULL != entry->name ) ) {
|
|
+ char *fullpath = NULL;
|
|
+ char *ptr;
|
|
+
|
|
+ ptr = PL_strrstr( entry->name, PEM_CA_HASH_FILE_SUFFIX );
|
|
+ if ( ( ptr == NULL ) || ( *(ptr + PEM_CA_HASH_FILE_SUFFIX_LEN) != '\0' ) ) {
|
|
+ Debug( LDAP_DEBUG_TRACE,
|
|
+ "TLS: file %s does not end in [%s] - does not appear to be a CA certificate "
|
|
+ "directory file with a properly hashed file name - skipping.\n",
|
|
+ entry->name, PEM_CA_HASH_FILE_SUFFIX, 0 );
|
|
+ continue;
|
|
+ }
|
|
+ fullpath = PR_smprintf( "%s/%s", cacertdir, entry->name );
|
|
if ( !tlsm_add_cert_from_file( ctx, fullpath, isca ) ) {
|
|
Debug( LDAP_DEBUG_TRACE,
|
|
"TLS: loaded CA certificate file %s from CA certificate directory %s.\n",
|
|
fullpath, cacertdir, 0 );
|
|
status = PR_SUCCESS; /* found at least 1 valid CA file in the dir */
|
|
} else {
|
|
errcode = PR_GetError();
|
|
Debug( LDAP_DEBUG_TRACE,
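Review bot: The new filter on `ptr = PL_strrstr( entry->name, PEM_CA_HASH_FILE_SUFFIX )` accepts only names ending in ".0", but a c_rehash-style directory names colliding subject hashes hash.1, hash.2 and so on, so those CA certificates would now be skipped with a trace message and silently not trusted. Matching a trailing ".N" with N a run of digits covers both cases, e.g. `ptr = strrchr( entry->name, '.' );` followed by `if ( ( ptr == NULL ) || ( ptr[1] == '\0' ) || ( strspn( ptr + 1, "0123456789" ) != strlen( ptr + 1 ) ) ) {`, with the trace message adjusted to say the name does not end in ".<number>". A related, pre-existing gap is that `fullpath = PR_smprintf( ... )` can return NULL and is passed to tlsm_add_cert_from_file unchecked; a `if ( fullpath == NULL ) { ... continue; }` guard would be cheap here. The enclosing function and the `do { ... } while` condition that `continue` jumps to lie outside the hunk, so I cannot confirm that `continue` re-reads the directory rather than terminating the loop.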
|