rpms/openldap/devel openldap-2.4.22-initauthtoken.patch, NONE, 1.1 openldap-2.4.23-selfsignedcacert.patch, NONE, 1.1 openldap.spec, 1.167, 1.168

jvcelak jvcelak at fedoraproject.org
Thu Jul 22 08:11:31 UTC 2010


Author: jvcelak

Update of /cvs/pkgs/rpms/openldap/devel
In directory cvs01.phx2.fedoraproject.org:/tmp/cvs-serv7587

Modified Files:
	openldap.spec 
Added Files:
	openldap-2.4.22-initauthtoken.patch 
	openldap-2.4.23-selfsignedcacert.patch 
Log Message:
Mozilla NSS - delay token auth until needed (#616552)
Mozilla NSS - support use of self signed CA certs as server certs (#614545)


openldap-2.4.22-initauthtoken.patch:
 tls_m.c |   24 ------------------------
 1 file changed, 24 deletions(-)

--- NEW FILE openldap-2.4.22-initauthtoken.patch ---
#616552 Mozilla NSS - delay token auth until needed
upstream: http://www.openldap.org/its/index.cgi issue 6595

diff -urNP openldap-2.4.22.old/libraries/libldap/tls_m.c openldap-2.4.22.new/libraries/libldap/tls_m.c
--- openldap-2.4.22.old/libraries/libldap/tls_m.c	2010-07-22 09:56:58.984806148 +0200
+++ openldap-2.4.22.new/libraries/libldap/tls_m.c	2010-07-22 09:58:19.030686912 +0200
@@ -930,26 +930,6 @@
 	return rc;
 }
 
-static int
-tlsm_init_tokens( tlsm_ctx *ctx )
-{
-	PK11SlotList *slotList;
-	PK11SlotListElement *listEntry;
-	int rc = 0;
-
-	slotList = PK11_GetAllTokens( CKM_INVALID_MECHANISM, PR_FALSE, PR_TRUE, NULL );
-
-	for ( listEntry = PK11_GetFirstSafe( slotList ); !rc && listEntry;
-		  listEntry = PK11_GetNextSafe( slotList, listEntry, PR_FALSE ) ) {
-		PK11SlotInfo *slot = listEntry->slot;
-		rc = tlsm_authenticate_to_slot( ctx, slot );
-	}
-
-	PK11_FreeSlotList( slotList );
-
-	return rc;
-}
-
 static SECStatus
 tlsm_nss_shutdown_cb( void *appData, void *nssData )
 {
@@ -1365,10 +1345,6 @@
 
 		PK11_SetPasswordFunc( tlsm_pin_prompt );
 
-		if ( tlsm_init_tokens( ctx ) ) {
-			return -1;
-		}
-
 		/* register cleanup function */
 		/* delete the old one, if any */
 		NSS_UnregisterShutdown( tlsm_nss_shutdown_cb, NULL );

openldap-2.4.23-selfsignedcacert.patch:
 tls_m.c |   37 +++++++++++++++++++++++++++++++++----
 1 file changed, 33 insertions(+), 4 deletions(-)

--- NEW FILE openldap-2.4.23-selfsignedcacert.patch ---
#614545 Mozilla NSS - support use of self signed CA certs as server certs 
upstream: http://www.openldap.org/its/index.cgi issue 6589

diff -urNP openldap-2.4.22.old/libraries/libldap/tls_m.c openldap-2.4.22.new/libraries/libldap/tls_m.c
--- openldap-2.4.22.old/libraries/libldap/tls_m.c	2010-04-15 23:26:00.000000000 +0200
+++ openldap-2.4.22.new/libraries/libldap/tls_m.c	2010-07-22 09:56:58.984806148 +0200
@@ -1491,11 +1491,40 @@
 		status = CERT_VerifyCertificateNow( ctx->tc_certdb, cert,
 											checkSig, certUsage,
 											pin_arg, NULL );
-		if (status != SECSuccess) {
+		if ( status != SECSuccess ) {
+			/* NSS doesn't like self-signed CA certs that are also used for 
+			   TLS/SSL server certs (such as generated by openssl req -x509)
+			   CERT_VerifyCertificateNow returns SEC_ERROR_UNTRUSTED_ISSUER in that case
+			   so, see if the cert and issuer are the same cert
+			*/
 			PRErrorCode errcode = PR_GetError();
-			Debug( LDAP_DEBUG_ANY,
-				   "TLS: error: the certificate %s is not valid - error %d:%s\n",
-				   certname, errcode, PR_ErrorToString( errcode, PR_LANGUAGE_I_DEFAULT ) );
+
+			if ( errcode == SEC_ERROR_UNTRUSTED_ISSUER ) {
+				CERTCertificate *issuer = CERT_FindCertIssuer( cert, PR_Now(), certUsageSSLServer );
+				if ( NULL == issuer ) {
+					/* no issuer - warn and allow */
+					status = SECSuccess;
+					rc = 0;
+					Debug( LDAP_DEBUG_ANY,
+						   "TLS: warning: the server certificate %s has no issuer - "
+						   "please check this certificate for validity\n",
+						   certname, 0, 0 );
+				} else if ( CERT_CompareCerts( cert, issuer ) ) {
+					/* self signed - warn and allow */
+					status = SECSuccess;
+					rc = 0;
+					Debug( LDAP_DEBUG_ANY,
+						   "TLS: warning: using self-signed server certificate %s\n",
+						   certname, 0, 0 );
+				}
+				CERT_DestroyCertificate( issuer );
+			}
+
+			if ( status != SECSuccess ) {
+				Debug( LDAP_DEBUG_ANY,
+					   "TLS: error: the certificate %s is not valid - error %d:%s\n",
+					   certname, errcode, PR_ErrorToString( errcode, PR_LANGUAGE_I_DEFAULT ) );
+			}
 		} else {
 			rc = 0; /* success */
 		}


Index: openldap.spec
===================================================================
RCS file: /cvs/pkgs/rpms/openldap/devel/openldap.spec,v
retrieving revision 1.167
retrieving revision 1.168
diff -u -p -r1.167 -r1.168
--- openldap.spec	20 Jul 2010 14:58:07 -0000	1.167
+++ openldap.spec	22 Jul 2010 08:11:30 -0000	1.168
@@ -11,7 +11,7 @@
 Summary: LDAP support libraries
 Name: openldap
 Version: %{version}
-Release: 6%{?dist}
+Release: 7%{?dist}
 License: OpenLDAP
 Group: System Environment/Daemons
 Source0: ftp://ftp.OpenLDAP.org/pub/OpenLDAP/openldap-release/openldap-%{version}.tgz
@@ -39,6 +39,8 @@ Patch12: openldap-2.4.21-dn2id-segfault.
 Patch13: openldap-2.4.22-ldif_h.patch
 Patch14: openldap-2.4.22-libldif.patch
 Patch15: openldap-2.4.22-modrdn-segfault.patch
+Patch16: openldap-2.4.23-selfsignedcacert.patch
+Patch17: openldap-2.4.22-initauthtoken.patch
 
 # Patches for the evolution library
 Patch200: openldap-2.4.6-evolution-ntlm.patch
@@ -139,6 +141,8 @@ pushd openldap-%{version}
 %patch13 -p1 -b .ldif_h
 %patch14 -p1 -b .libldif
 %patch15 -p1 -b .modrdn-segfault
+%patch16 -p1 -b .selfsignedcacert
+%patch17 -p1 -b .initauthtoken
 
 cp %{_datadir}/libtool/config/config.{sub,guess} build/
 popd
@@ -671,6 +675,10 @@ fi
 %attr(0644,root,root)      %{evolution_connector_libdir}/*.a
 
 %changelog
+* Thu Jul 22 2010 Jan Vcelak <jvcelak at redhat.com> 2.4.22-7
+- Mozilla NSS - delay token auth until needed (#616552)
+- Mozilla NSS - support use of self signed CA certs as server certs (#614545)
+
 * Tue Jul 20 2010 Jan Vcelak <jvcelak at redhat.com> - 2.4.22-6
 - CVE-2010-0211 openldap: modrdn processing uninitialized pointer free (#605448)
 - CVE-2010-0212 openldap: modrdn processing IA5StringNormalize NULL pointer dereference (#605452)


