Changes to 'refs/tags/389-ds-base-1.2.6.1'
by Richard Allen Megginson
Changes since 389-ds-base-1.2.6:
Nathan Kinder (1):
Bug 612264 - ACI issue with (targetattr='userPassword')
Noriko Hosoi (4):
Bug 631862 - crash - delete entries not in cache + referint
Bug 606920 - anonymous resource limit- nstimelimit -
Bug 635987 - Incorrect sub scope search result with
Bug 635987 - Incorrect sub scope search result with ACL containing ldap:///self
Rich Megginson (2):
Bug 634561 - Server crushes when using Windows Sync Agreement
bump version to 1.2.6.1
---
VERSION.sh | 2
ldap/servers/plugins/replication/windows_connection.c | 2
ldap/servers/plugins/replication/windows_inc_protocol.c | 6
ldap/servers/plugins/replication/windows_protocol_util.c | 4
ldap/servers/plugins/replication/windows_tot_protocol.c | 10 -
ldap/servers/slapd/back-ldbm/back-ldbm.h | 3
ldap/servers/slapd/back-ldbm/id2entry.c | 126 ++++++++++-----
ldap/servers/slapd/back-ldbm/ldbm_add.c | 17 --
ldap/servers/slapd/back-ldbm/ldbm_search.c | 10 -
ldap/servers/slapd/back-ldbm/proto-back-ldbm.h | 2
ldap/servers/slapd/modify.c | 15 +
ldap/servers/slapd/opshared.c | 36 ++--
12 files changed, 148 insertions(+), 85 deletions(-)
---
Branch '389-ds-base-1.2.6' - 7 commits - ldap/servers VERSION.sh
by Richard Allen Megginson
VERSION.sh | 2
ldap/servers/plugins/replication/windows_connection.c | 2
ldap/servers/plugins/replication/windows_inc_protocol.c | 6
ldap/servers/plugins/replication/windows_protocol_util.c | 4
ldap/servers/plugins/replication/windows_tot_protocol.c | 10 -
ldap/servers/slapd/back-ldbm/back-ldbm.h | 3
ldap/servers/slapd/back-ldbm/id2entry.c | 126 ++++++++++-----
ldap/servers/slapd/back-ldbm/ldbm_add.c | 17 --
ldap/servers/slapd/back-ldbm/ldbm_search.c | 10 -
ldap/servers/slapd/back-ldbm/proto-back-ldbm.h | 2
ldap/servers/slapd/modify.c | 15 +
ldap/servers/slapd/opshared.c | 36 ++--
12 files changed, 148 insertions(+), 85 deletions(-)
New commits:
commit 53f788bbae3f6c0a27466764c50b1858a69d1220
Author: Noriko Hosoi <nhosoi(a)redhat.com>
Date: Fri Sep 24 11:42:31 2010 -0700
Bug 635987 - Incorrect sub scope search result with ACL containing ldap:///self
https://bugzilla.redhat.com/show_bug.cgi?id=635987
Description:
This commit made for the bug 635987 introduced a bug to replication.
commit 8ac525e5ac997378f4f2a386e9b96568c8d66db5
Author: Noriko Hosoi <nhosoi(a)redhat.com>
Date: Tue Sep 21 15:12:07 2010 -0700
subtree_candidates (ldbm_search.c)
If you do have a tombstone filter, descendants will be NULL,
and idl_intersection of candidates and descendants will wipe
out all of the candidates, leaving just the one entry, e->ep_id.
Changed to call idl_intersection only when the filter is not
for tombstone or entryrdn_get_noancestorid (false, by default).
(cherry picked from commit a7de5f2a4323d224c63f722172eee8b63752fb45)
diff --git a/ldap/servers/slapd/back-ldbm/ldbm_search.c b/ldap/servers/slapd/back-ldbm/ldbm_search.c
index 478d18b..1b7c2e9 100644
--- a/ldap/servers/slapd/back-ldbm/ldbm_search.c
+++ b/ldap/servers/slapd/back-ldbm/ldbm_search.c
@@ -945,13 +945,17 @@ subtree_candidates(
*err = entryrdn_get_subordinates(be,
slapi_entry_get_sdn_const(e->ep_entry),
e->ep_id, &descendants, NULL);
+ idl_insert(&descendants, e->ep_id);
+ candidates = idl_intersection(be, candidates, descendants);
+ idl_free(tmp);
+ idl_free(descendants);
} else if (!has_tombstone_filter) {
*err = ldbm_ancestorid_read(be, NULL, e->ep_id, &descendants);
- }
- idl_insert(&descendants, e->ep_id);
- candidates = idl_intersection(be, candidates, descendants);
- idl_free(tmp);
- idl_free(descendants);
+ idl_insert(&descendants, e->ep_id);
+ candidates = idl_intersection(be, candidates, descendants);
+ idl_free(tmp);
+ idl_free(descendants);
+ } /* else == has_tombstone_filter: do nothing */
}
return( candidates );
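Review bot: `*err` from `entryrdn_get_subordinates` (and from `ldbm_ancestorid_read` in the `else if` branch) is never checked before `idl_insert`/`idl_intersection` run on `descendants`. If the lookup fails and leaves `descendants` NULL, the intersection collapses `candidates` to just `e->ep_id`, which is the same silent result-narrowing this commit fixes for the tombstone case. Suggest guarding both new blocks with `if (0 == *err)`, and hoisting the four duplicated lines into one place, since the two branches are identical apart from how `descendants` is obtained.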
commit 343bb5840e0367524cd39fc4ab99bf22d63dc89f
Author: Noriko Hosoi <nhosoi(a)redhat.com>
Date: Tue Sep 21 15:12:07 2010 -0700
Bug 635987 - Incorrect sub scope search result with
ACL containing ldap:///self
https://bugzilla.redhat.com/show_bug.cgi?id=635987
Description: When a basedn has no descendants, the code to take an
intersection of idl (which was returned from the filter search --
filter_candidates) and the basedn was skipped in subtree_candidates
(ldbm_search.c). Regardless of descendants, the intersection should
be taken for the idl and a tree starting with the basedn.
Note: This bug was introduced with entryrdn.
(cherry picked from commit 8ac525e5ac997378f4f2a386e9b96568c8d66db5)
diff --git a/ldap/servers/slapd/back-ldbm/ldbm_search.c b/ldap/servers/slapd/back-ldbm/ldbm_search.c
index 0010a58..478d18b 100644
--- a/ldap/servers/slapd/back-ldbm/ldbm_search.c
+++ b/ldap/servers/slapd/back-ldbm/ldbm_search.c
@@ -948,12 +948,10 @@ subtree_candidates(
} else if (!has_tombstone_filter) {
*err = ldbm_ancestorid_read(be, NULL, e->ep_id, &descendants);
}
- if (descendants) {
- idl_insert(&descendants, e->ep_id);
- candidates = idl_intersection(be, candidates, descendants);
- idl_free(tmp);
- idl_free(descendants);
- }
+ idl_insert(&descendants, e->ep_id);
+ candidates = idl_intersection(be, candidates, descendants);
+ idl_free(tmp);
+ idl_free(descendants);
}
return( candidates );
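Review bot: Dropping the `if (descendants)` guard means `idl_intersection` now runs even when the branch above left `descendants` NULL, which is exactly what happens whenever `has_tombstone_filter` is set (neither branch populates it). The intersection then leaves only `e->ep_id`, so tombstone searches lose every other result; the follow-up commit 53f788bb in this same push goes back to skipping the intersection in that case. Keep the intersection unconditional only for the non-tombstone paths, e.g. wrap the four lines in `if (!has_tombstone_filter) { ... }`.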
commit 2ad2d36ca4cf9de5b79382ac3a906a254ddb20c2
Author: Nathan Kinder <nkinder(a)redhat.com>
Date: Wed Sep 1 10:13:13 2010 -0700
Bug 612264 - ACI issue with (targetattr='userPassword')
If an ACI has a targetattr of userPassword and uses the USERDN
keyword, the ACI may not be evaluated correctly for password
change operations. This is caused by the fact that we use a
dummy target entry to check if the password change is allowed early
in the operation. This dummy entry will not have any attributes
that the ACI may use.
The fix is to actually fetch the target entry with all of its
attributes. We still create a dummy entry if the target doesn't
exist to prevent returning a no such entry error when we should be
returning an access denied or insufficient access error.
(cherry picked from commit 0b9b5e89b5c79d3253e152e1153719a2a5ef8e09)
diff --git a/ldap/servers/slapd/modify.c b/ldap/servers/slapd/modify.c
index ead066d..444ebb5 100644
--- a/ldap/servers/slapd/modify.c
+++ b/ldap/servers/slapd/modify.c
@@ -965,11 +965,16 @@ static int op_shared_allow_pw_change (Slapi_PBlock *pb, LDAPMod *mod, char **old
mods[0] = mod;
mods[1] = NULL;
- /* Create a bogus entry with just the target dn. This will
- * only be used for checking the ACIs. */
- e = slapi_entry_alloc();
- slapi_entry_init( e, NULL, NULL );
- slapi_sdn_set_dn_byref(slapi_entry_get_sdn(e), dn);
+ /* We need to actually fetch the target here to use for ACI checking. */
+ slapi_search_internal_get_entry(&sdn, NULL, &e, (void *)plugin_get_default_component_id());
+
+ /* Create a bogus entry with just the target dn if we were unable to
+ * find the actual entry. This will only be used for checking the ACIs. */
+ if (e == NULL) {
+ e = slapi_entry_alloc();
+ slapi_entry_init( e, NULL, NULL );
+ slapi_sdn_set_dn_byref(slapi_entry_get_sdn(e), dn);
+ }
/* Set the backend in the pblock. The slapi_access_allowed function
* needs this set to work properly. */
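Review bot: `e` should be set to NULL before the `slapi_search_internal_get_entry` call and the call's return code checked; the fallback `if (e == NULL)` only works if the function is guaranteed to clear `e` on every failure path. Also, `&sdn` is passed to the search while the visible fallback still uses `dn`, so make sure `sdn` is built from the same `dn` earlier in op_shared_allow_pw_change, and that the cleanup further down frees `e` the same way on both paths now that one path returns an entry allocated by the internal search and the other a `slapi_entry_alloc()` entry.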
commit 0db11169171d97cdea7a875b03146f5d15d2b101
Author: Noriko Hosoi <nhosoi(a)redhat.com>
Date: Wed Sep 22 16:28:59 2010 -0700
Bug 606920 - anonymous resource limit- nstimelimit -
also applied to "cn=directory manager"
https://bugzilla.redhat.com/show_bug.cgi?id=606920
Description: Client side sizelimit / timelimit request should
be honoured by the Directory Manager, too. Changing the time/
sizelimit evaluation so that if client side request exists,
the value is set even if the bind user is the directory manager.
(cherry picked from commit f980ff61da122b39d33bf83bc20f2b7a81b6be24)
diff --git a/ldap/servers/slapd/opshared.c b/ldap/servers/slapd/opshared.c
index d06dd2d..29bb3ce 100644
--- a/ldap/servers/slapd/opshared.c
+++ b/ldap/servers/slapd/opshared.c
@@ -1370,12 +1370,18 @@ compute_limits (Slapi_PBlock *pb)
}
}
- if ( isroot ) {
- timelimit = max_timelimit = -1; /* no limit */
- } else if ( requested_timelimit == 0 ) {
- timelimit = ( max_timelimit == -1 ) ? -1 : max_timelimit;
- } else if ( max_timelimit == -1 || requested_timelimit < max_timelimit ) {
- timelimit = requested_timelimit;
+ if ( requested_timelimit ) {
+ /* requested limit should be applied to all (including root) */
+ if ( isroot ) {
+ timelimit = requested_timelimit;
+ } else if ( (max_timelimit == -1) ||
+ (requested_timelimit < max_timelimit) ) {
+ timelimit = requested_timelimit;
+ } else {
+ timelimit = max_timelimit;
+ }
+ } else if ( isroot ) {
+ timelimit = -1; /* no limit */
} else {
timelimit = max_timelimit;
}
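Review bot: The old root branch also set `max_timelimit = -1`; the new code leaves `max_timelimit` at its configured value for root. If `max_timelimit` is consumed after this block (stored into the pblock or used on the result path), root's effective limit may now differ from before in a way the commit message does not mention; either restore the assignment or confirm nothing downstream reads it. Minor: `timelimit = requested_timelimit` appears in two adjacent branches and could be collapsed into `if ( isroot || max_timelimit == -1 || requested_timelimit < max_timelimit )`.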
@@ -1401,12 +1407,18 @@ compute_limits (Slapi_PBlock *pb)
}
}
- if ( isroot ) {
- sizelimit = max_sizelimit = -1;
- } else if ( requested_sizelimit == 0 ) {
- sizelimit = ( max_sizelimit == -1 ) ? -1 : max_sizelimit;
- } else if ( max_sizelimit == -1 || requested_sizelimit < max_sizelimit ) {
- sizelimit = requested_sizelimit;
+ if ( requested_sizelimit ) {
+ /* requested limit should be applied to all (including root) */
+ if ( isroot ) {
+ sizelimit = requested_sizelimit;
+ } else if ( (max_sizelimit == -1) ||
+ (requested_sizelimit < max_sizelimit) ) {
+ sizelimit = requested_sizelimit;
+ } else {
+ sizelimit = max_sizelimit;
+ }
+ } else if ( isroot ) {
+ sizelimit = -1; /* no limit */
} else {
sizelimit = max_sizelimit;
}
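Review bot: Same concern as the timelimit block above: `max_sizelimit = -1` is no longer assigned for root. In addition, the test changed from `requested_sizelimit == 0` to `if ( requested_sizelimit )`, so a negative requested value (if the request decoder can yield one) now takes the "requested" path and, for root, is applied verbatim as the limit; consider `requested_sizelimit > 0` in both the size and time blocks so that out-of-range client values fall back to the configured maximum.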
commit d623b5e729d8dfda5cb6de0589b89c6bedb6183b
Author: Noriko Hosoi <nhosoi(a)redhat.com>
Date: Tue Sep 14 13:46:42 2010 -0700
Bug 631862 - crash - delete entries not in cache + referint
https://bugzilla.redhat.com/show_bug.cgi?id=631862
Resolves: bug 631862
Bug Description: crash - delete entries not in cache + referint
Reviewed by: rmeggins and nhosoi
Branch: 389-ds-base-1.2.6
Fix Description: When deleting an entry, the referential integrity (referint)
plugin does an internal search to find references to this entry (e.g. in
group entries) and removes them. The search code wants to ensure that the
entrydn attribute is present in the entry when using entryrdn (subtree
rename). The search code sets a flag to tell the id2entry code to add the
entrydn attribute if it is not present. However, it was doing this to an
entry in the cache, which may be in use by another thread. The solution is
to add the entrydn attribute before adding the entry to the cache. In the
id2entry code, this is after the entry has been read from the id2entry db
successfully, but before the entry is added to the cache. In the LDAP ADD
code, this is done when the other computed operational attributes are added
to the new entry.
In addition to the above fix by rmeggins(a)redhat.com, the following changes are
made:
1) entrydn attribute is always added to the entry in memory before putting
it in the entry cache, and the attribute is removed before writing the
entry to the database.
2) eliminating id2entry_ext, which was introduced to pass flags, but it is
no longer needed since only a flag ID2ENTRY_ADD_ENTRYDN was removed.
Platforms tested: RHEL5 x86_64
Flag Day: no
Doc impact: no
diff --git a/ldap/servers/slapd/back-ldbm/back-ldbm.h b/ldap/servers/slapd/back-ldbm/back-ldbm.h
index f0e290e..200e950 100644
--- a/ldap/servers/slapd/back-ldbm/back-ldbm.h
+++ b/ldap/servers/slapd/back-ldbm/back-ldbm.h
@@ -828,9 +828,6 @@ typedef struct _back_search_result_set
/* whether we call fat lock or not [608146] */
#define SERIALLOCK(li) (li->li_fat_lock)
-/* id2entry_ext flags */
-#define ID2ENTRY_ADD_ENTRYDN 0x1
-
/*
* 0: SUCCESS
* libdb returns negative error codes
diff --git a/ldap/servers/slapd/back-ldbm/id2entry.c b/ldap/servers/slapd/back-ldbm/id2entry.c
index 31d3b72..9306813 100644
--- a/ldap/servers/slapd/back-ldbm/id2entry.c
+++ b/ldap/servers/slapd/back-ldbm/id2entry.c
@@ -60,6 +60,7 @@ id2entry_add_ext( backend *be, struct backentry *e, back_txn *txn, int encrypt
int len, rc;
char temp_id[sizeof(ID)];
struct backentry *encrypted_entry = NULL;
+ char *entrydn = NULL;
LDAPDebug( LDAP_DEBUG_TRACE, "=> id2entry_add( %lu, \"%s\" )\n",
(u_long)e->ep_id, backentry_get_ndn(e), 0 );
@@ -92,6 +93,7 @@ id2entry_add_ext( backend *be, struct backentry *e, back_txn *txn, int encrypt
memset(&data, 0, sizeof(data));
if (entryrdn_get_switch())
{
+ Slapi_Attr *eattr = NULL;
struct backdn *oldbdn = NULL;
Slapi_DN *sdn =
slapi_sdn_dup(slapi_entry_get_sdn_const(e->ep_entry));
@@ -100,7 +102,14 @@ id2entry_add_ext( backend *be, struct backentry *e, back_txn *txn, int encrypt
/* If the ID already exists in the DN cache, replace it. */
if (CACHE_ADD( &inst->inst_dncache, bdn, &oldbdn ) == 1) {
- cache_replace( &inst->inst_dncache, oldbdn, bdn );
+ if (slapi_sdn_compare(sdn, oldbdn->dn_sdn)) {
+ if (cache_replace( &inst->inst_dncache, oldbdn, bdn ) != 0) {
+ /* The entry was not in the cache for some reason (this
+ * should not happen since CACHE_ADD said it existed above). */
+ LDAPDebug( LDAP_DEBUG_ANY, "id2entry_add_ext(): Entry disappeared "
+ "from cache (%s)\n", oldbdn->dn_sdn, 0, 0 );
+ }
+ }
CACHE_RETURN(&inst->inst_dncache, &oldbdn); /* to free oldbdn */
}
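Review bot: The `LDAPDebug` call passes `oldbdn->dn_sdn` to a `%s` conversion, but `dn_sdn` is a `Slapi_DN *` (it is handed to `slapi_sdn_compare` two lines above), not a C string; when this branch is hit it will print garbage or crash. Use `slapi_sdn_get_dn(oldbdn->dn_sdn)`. The surrounding logic looks right: a failed `cache_replace` is logged but not treated as fatal, which matches the "should not happen" comment.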
@@ -108,6 +117,13 @@ id2entry_add_ext( backend *be, struct backentry *e, back_txn *txn, int encrypt
LDAPDebug( LDAP_DEBUG_TRACE,
"=> id2entry_add (dncache) ( %lu, \"%s\" )\n",
(u_long)e->ep_id, slapi_entry_get_dn_const(e->ep_entry), 0 );
+ /* If entrydn exists in the entry, we have to remove it before
+ * writing the entry to the database. */
+ if (0 == slapi_entry_attr_find(e->ep_entry,
+ LDBM_ENTRYDN_STR, &eattr)) {
+ /* entrydn exists in the entry. let's removed it. */
+ slapi_entry_delete_values(e->ep_entry, LDBM_ENTRYDN_STR, NULL);
+ }
}
data.dptr = slapi_entry2str_with_options(entry_to_use, &len, options);
data.dsize = len + 1;
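Review bot: `slapi_entry_delete_values(e->ep_entry, LDBM_ENTRYDN_STR, NULL)` strips entrydn from the live in-memory entry before serialization, and the attribute is only re-added further down after the DB write succeeds. The later comment in this function says that for ldbm_back_add and ldbm_back_modify the entry is still a tentative one, so no other thread can observe the gap; it is worth stating that assumption at this point as well and confirming it for the other callers of id2entry_add_ext. Minor: the comment "let's removed it" should read "let's remove it", and `eattr` is only used as an existence probe.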
@@ -133,10 +149,54 @@ id2entry_add_ext( backend *be, struct backentry *e, back_txn *txn, int encrypt
if (0 == rc)
{
- /* DBDB the fact that we don't check the return code here is
- * indicitive that there may be a latent race condition lurking
- * ---what happens if the entry is already in the cache by this point?
- */
+ if (entryrdn_get_switch()) {
+ struct backentry *parententry = NULL;
+ ID parentid = slapi_entry_attr_get_ulong(e->ep_entry, "parentid");
+ const char *myrdn = slapi_entry_get_rdn_const(e->ep_entry);
+ const char *parentdn = NULL;
+ char *myparentdn = NULL;
+ Slapi_Attr *eattr = NULL;
+ /* If the parent is in the cache, check the parent's DN and
+ * adjust to it if they don't match. (bz628300) */
+ if (parentid && myrdn) {
+ parententry = cache_find_id(&inst->inst_cache, parentid);
+ if (parententry) {
+ parentdn = slapi_entry_get_dn_const(parententry->ep_entry);
+ if (parentdn) {
+ myparentdn =
+ slapi_dn_parent(slapi_entry_get_dn_const(e->ep_entry));
+ if (myparentdn && PL_strcmp(parentdn, myparentdn)) {
+ Slapi_DN *sdn = slapi_entry_get_sdn(e->ep_entry);
+ char *newdn = NULL;
+ slapi_sdn_done(sdn);
+ newdn = slapi_ch_smprintf("%s,%s", myrdn, parentdn);
+ slapi_sdn_init_dn_passin(sdn, newdn);
+ slapi_sdn_get_ndn(sdn); /* to set ndn */
+ }
+ slapi_ch_free_string(&myparentdn);
+ }
+ CACHE_RETURN(&inst->inst_cache, &parententry);
+ }
+ }
+ /*
+ * Adding entrydn attribute value to the entry,
+ * which should be done before adding the entry to the entry cache.
+ * Note: since we removed entrydn from the entry before writing
+ * it to the database, it is guaranteed not in the entry.
+ */
+ /* slapi_ch_strdup and slapi_dn_ignore_case never returns NULL */
+ entrydn = slapi_ch_strdup(slapi_entry_get_dn_const(e->ep_entry));
+ entrydn = slapi_dn_ignore_case(entrydn);
+ slapi_entry_attr_set_charptr (e->ep_entry,
+ LDBM_ENTRYDN_STR, entrydn);
+ if (0 == slapi_entry_attr_find(e->ep_entry,
+ LDBM_ENTRYDN_STR, &eattr)) {
+ /* now entrydn should exist in the entry */
+ /* Set it to operational attribute */
+ eattr->a_flags = SLAPI_ATTR_FLAG_OPATTR;
+ }
+ slapi_ch_free_string(&entrydn);
+ }
/*
* For ldbm_back_add and ldbm_back_modify, this entry had been already
* reserved as a tentative entry. So, it should be safe.
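Review bot: The parent-DN adjustment block (the `parentid`/`myrdn` code citing bz628300) is a separate fix from the entrydn handling described in the commit message and would be easier to review and bisect as its own commit. Within it, `PL_strcmp(parentdn, myparentdn)` compares raw DN strings, so a parent DN that differs only in case or whitespace triggers a rewrite of the child's DN; compare normalized DNs (`slapi_sdn_compare` against the parent's Slapi_DN) instead. The `slapi_sdn_done(sdn)` followed by `slapi_sdn_init_dn_passin` also replaces the entry's DN after the dncache entry for it was built earlier in this function, so verify the two still agree. Finally, the entrydn-adding sequence here is byte-for-byte the same as the block added in id2entry(); a small static helper would keep the two from drifting.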
@@ -208,7 +268,7 @@ id2entry_delete( backend *be, struct backentry *e, back_txn *txn )
}
struct backentry *
-id2entry_ext( backend *be, ID id, back_txn *txn, int *err, int flags )
+id2entry( backend *be, ID id, back_txn *txn, int *err )
{
ldbm_instance *inst = (ldbm_instance *) be->be_instance_info;
DB *db = NULL;
@@ -350,6 +410,30 @@ id2entry_ext( backend *be, ID id, back_txn *txn, int *err, int flags )
"attrcrypt_decrypt_entry failed in id2entry\n");
}
+ /*
+ * If return entry exists AND entryrdn switch is on,
+ * add the entrydn value.
+ */
+ if (entryrdn_get_switch()) {
+ Slapi_Attr *eattr = NULL;
+ /* Check if entrydn is in the entry or not */
+ if (slapi_entry_attr_find(e->ep_entry, LDBM_ENTRYDN_STR, &eattr)) {
+ /* entrydn does not exist in the entry */
+ char *entrydn = NULL;
+ /* slapi_ch_strdup and slapi_dn_ignore_case never returns NULL */
+ entrydn = slapi_ch_strdup(slapi_entry_get_dn_const(e->ep_entry));
+ entrydn = slapi_dn_ignore_case(entrydn);
+ slapi_entry_attr_set_charptr (e->ep_entry,
+ LDBM_ENTRYDN_STR, entrydn);
+ if (0 == slapi_entry_attr_find(e->ep_entry,
+ LDBM_ENTRYDN_STR, &eattr)) {
+ /* now entrydn should exist in the entry */
+ /* Set it to operational attribute */
+ eattr->a_flags = SLAPI_ATTR_FLAG_OPATTR;
+ }
+ slapi_ch_free_string(&entrydn);
+ }
+ }
retval = CACHE_ADD( &inst->inst_cache, e, &imposter );
if (1 == retval) {
/* This means that someone else put the entry in the cache
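Review bot: The removed `bail:` version guarded this with `e && e->ep_entry`; the new block dereferences `e->ep_entry` unconditionally. That is fine only if every path reaching this point has a non-NULL `e` (the decrypt call just above suggests it does), so a short comment or an assertion would make the invariant explicit. The strdup/ignore_case/set_charptr/OPATTR sequence duplicates the one added in id2entry_add_ext; factor it into one helper so both call sites stay identical.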
@@ -376,29 +460,6 @@ id2entry_ext( backend *be, ID id, back_txn *txn, int *err, int flags )
}
bail:
- /*
- * If return entry exists AND adding entrydn is requested AND
- * entryrdn switch is on, add the entrydn value.
- */
- if (e && e->ep_entry && (flags & ID2ENTRY_ADD_ENTRYDN) &&
- entryrdn_get_switch()) {
- Slapi_Attr *eattr = NULL;
- /* Check if entrydn is in the entry or not */
- if (slapi_entry_attr_find(e->ep_entry, "entrydn", &eattr)) {
- /* entrydn does not exist in the entry */
- char *entrydn = NULL;
- /* slapi_ch_strdup and slapi_dn_ignore_case never returns NULL */
- entrydn = slapi_ch_strdup(slapi_entry_get_dn_const(e->ep_entry));
- entrydn = slapi_dn_ignore_case(entrydn);
- slapi_entry_attr_set_charptr (e->ep_entry, "entrydn", entrydn);
- if (0 == slapi_entry_attr_find(e->ep_entry, "entrydn", &eattr)) {
- /* now entrydn should exist in the entry */
- /* Set it to operational attribute */
- eattr->a_flags = SLAPI_ATTR_FLAG_OPATTR;
- }
- slapi_ch_free_string(&entrydn);
- }
- }
slapi_ch_free( &(data.data) );
dblayer_release_id2entry( be, db );
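Review bot: With the `bail:` block gone, entrydn is now only attached on the disk-read path before `CACHE_ADD`, and no longer for entries that are returned from the cache. That relies on every other route into the entry cache (import, modrdn, the ADD path changed in ldbm_add.c) also having added entrydn; if any path still inserts an entry without it, the search code that expects entrydn under entryrdn will silently get an entry lacking that attribute. A one-line comment at the `CACHE_ADD` stating this invariant would help future callers.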
@@ -407,10 +468,3 @@ bail:
"<= id2entry( %lu ) %p (disk)\n", (u_long)id, e);
return( e );
}
-
-struct backentry *
-id2entry( backend *be, ID id, back_txn *txn, int *err )
-{
- return id2entry_ext(be, id, txn, err, 0);
-}
-
diff --git a/ldap/servers/slapd/back-ldbm/ldbm_add.c b/ldap/servers/slapd/back-ldbm/ldbm_add.c
index d2d6197..c2e86f2 100644
--- a/ldap/servers/slapd/back-ldbm/ldbm_add.c
+++ b/ldap/servers/slapd/back-ldbm/ldbm_add.c
@@ -575,17 +575,12 @@ ldbm_back_add( Slapi_PBlock *pb )
if(is_resurect_operation)
{
- if (!entryrdn_get_switch()) { /* subtree-rename: off */
- /* add the entrydn operational attributes to the addingentry */
- add_update_entrydn_operational_attributes(addingentry);
- }
+ add_update_entrydn_operational_attributes(addingentry);
}
else if (is_tombstone_operation)
{
- if (!entryrdn_get_switch()) { /* subtree-rename: off */
- /* Remove the entrydn operational attributes from the addingentry */
- delete_update_entrydn_operational_attributes(addingentry);
- }
+ /* Remove the entrydn operational attributes from the addingentry */
+ delete_update_entrydn_operational_attributes(addingentry);
}
else
{
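Review bot: On the resurrect path `add_update_entrydn_operational_attributes(addingentry)` now runs regardless of the entryrdn switch, while id2entry_add_ext strips entrydn before the DB write and re-adds it afterwards. The net effect matches the commit message (entrydn always present in memory, never on disk), but the attribute is now added, removed and added again for each resurrected entry; if the add is kept here for symmetry with the tombstone branch below, a comment saying so (as that branch has) would help, otherwise it could be dropped.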
@@ -978,10 +973,8 @@ add_update_entry_operational_attributes(struct backentry *ep, ID pid)
bv.bv_len = strlen( buf );
entry_replace_values( ep->ep_entry, "entryid", bvp );
- if (!entryrdn_get_switch()) { /* subtree-rename: off */
- /* add the entrydn operational attribute to the entry. */
- add_update_entrydn_operational_attributes(ep);
- }
+ /* add the entrydn operational attribute to the entry. */
+ add_update_entrydn_operational_attributes(ep);
}
/*
diff --git a/ldap/servers/slapd/back-ldbm/ldbm_search.c b/ldap/servers/slapd/back-ldbm/ldbm_search.c
index 9a4925f..0010a58 100644
--- a/ldap/servers/slapd/back-ldbm/ldbm_search.c
+++ b/ldap/servers/slapd/back-ldbm/ldbm_search.c
@@ -1241,7 +1241,7 @@ ldbm_back_next_search_entry_ext( Slapi_PBlock *pb, int use_extension )
++sr->sr_lookthroughcount; /* checked above */
/* get the entry */
- e = id2entry_ext( be, id, NULL, &err, ID2ENTRY_ADD_ENTRYDN );
+ e = id2entry( be, id, NULL, &err );
if ( e == NULL )
{
if ( err != 0 && err != DB_NOTFOUND )
diff --git a/ldap/servers/slapd/back-ldbm/proto-back-ldbm.h b/ldap/servers/slapd/back-ldbm/proto-back-ldbm.h
index 90ac570..c7b8154 100644
--- a/ldap/servers/slapd/back-ldbm/proto-back-ldbm.h
+++ b/ldap/servers/slapd/back-ldbm/proto-back-ldbm.h
@@ -214,8 +214,6 @@ int id2entry_add( backend *be, struct backentry *e, back_txn *txn );
int id2entry_add_ext( backend *be, struct backentry *e, back_txn *txn, int encrypt );
int id2entry_delete( backend *be, struct backentry *e, back_txn *txn );
struct backentry * id2entry( backend *be, ID id, back_txn *txn, int *err );
-struct backentry * id2entry_ext( backend *be, ID id, back_txn *txn, int *err, int flags );
-
/*
* idl.c
commit 78283014e4fc7151c2f37fa9dc2123a778133697
Author: Rich Megginson <rmeggins(a)redhat.com>
Date: Wed Sep 22 17:14:17 2010 -0600
bump version to 1.2.6.1
diff --git a/VERSION.sh b/VERSION.sh
index be232cb..af18f3c 100644
--- a/VERSION.sh
+++ b/VERSION.sh
@@ -10,7 +10,7 @@ vendor="389 Project"
# PACKAGE_VERSION is constructed from these
VERSION_MAJOR=1
VERSION_MINOR=2
-VERSION_MAINT=6
+VERSION_MAINT=6.1
# if this is a PRERELEASE, set VERSION_PREREL
# otherwise, comment it out
# be sure to include the dot prefix in the prerel
commit 4bd78323d0bb1299a19e0ed1feebc79ff997c92f
Author: Rich Megginson <rmeggins(a)redhat.com>
Date: Wed Sep 22 15:56:14 2010 -0600
Bug 634561 - Server crushes when using Windows Sync Agreement
https://bugzilla.redhat.com/show_bug.cgi?id=634561
Resolves: bug 634561
Bug Description: Server crushes when using Windows Sync Agreement
Reviewed by: ???
Branch: 389-ds-base-1.2.6
Fix Description: The regular replication protocol and the windows sync
protocol have two completely different struct repl_connection. They
are almost the same, almost identical fields, but they are different.
When additional fields were added to the struct repl_connection, not
at the end of the structure, and identical changes were not made to the
struct repl_connection in windows_connection.c, the structures got out
of sync. The authors tried to anticipate this condition by providing
windows_ versions of all of the conn_ functions. We were not using the
windows_ versions of these functions in all places in the winsync code.
The fix is to use the windows_ versions of these functions throughout
the winsync code, and to make the struct repl_connection the same size
up through the char *plain field. If additional fields are added to
either structure at the end, this problem should not occur in the
future.
Platforms tested: RHEL5 x86_64
Flag Day: no
Doc impact: no
diff --git a/ldap/servers/plugins/replication/windows_connection.c b/ldap/servers/plugins/replication/windows_connection.c
index a1e74c4..80dcd3b 100644
--- a/ldap/servers/plugins/replication/windows_connection.c
+++ b/ldap/servers/plugins/replication/windows_connection.c
@@ -75,6 +75,8 @@ typedef struct repl_connection
int supports_ldapv3; /* 1 if does, 0 if doesn't, -1 if not determined */
int supports_ds50_repl; /* 1 if does, 0 if doesn't, -1 if not determined */
int supports_ds40_repl; /* 1 if does, 0 if doesn't, -1 if not determined */
+ int supports_ds71_repl; /* 1 if does, 0 if doesn't, -1 if not determined */
+ int supports_ds90_repl; /* 1 if does, 0 if doesn't, -1 if not determined */
int linger_time; /* time in seconds to leave an idle connection open */
int supports_dirsync; /* 1 if does, 0 if doesn't, -1 if not determined */
PRBool linger_active;
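Review bot: Adding `supports_ds71_repl`/`supports_ds90_repl` here restores the layout parity with the other `struct repl_connection` by hand, which is exactly the drift the commit message describes. A compile-time check (e.g. a static assertion on `offsetof(struct repl_connection, plain)` in both files, or a shared header for the common prefix of the struct) would catch the next mismatch at build time instead of at a crash; at minimum, a comment on both definitions that fields must be mirrored up through `char *plain`.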
diff --git a/ldap/servers/plugins/replication/windows_inc_protocol.c b/ldap/servers/plugins/replication/windows_inc_protocol.c
index f2e9034..2b41276 100644
--- a/ldap/servers/plugins/replication/windows_inc_protocol.c
+++ b/ldap/servers/plugins/replication/windows_inc_protocol.c
@@ -988,9 +988,9 @@ windows_inc_run(Private_Repl_Protocol *prp)
/* remove_protocol_callbacks(prp); */
prp->stopped = 1;
/* Cancel any linger timer that might be in effect... */
- conn_cancel_linger(prp->conn);
+ windows_conn_cancel_linger(prp->conn);
/* ... and disconnect, if currently connected */
- conn_disconnect(prp->conn);
+ windows_conn_disconnect(prp->conn);
LDAPDebug0Args( LDAP_DEBUG_TRACE, "<= windows_inc_run\n" );
}
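Review bot: The commit message says the windows_ variants are now used throughout the winsync code, but the diff only touches the call sites that were found; a grep for `conn_` calls across windows_*.c (including callbacks that receive `prp->conn`) would confirm none remain, since any leftover `conn_*` call on a winsync connection would still interpret the struct with the wrong layout.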
@@ -1294,7 +1294,7 @@ send_updates(Private_Repl_Protocol *prp, RUV *remote_update_vector, PRUint32 *nu
if (CONN_OPERATION_SUCCESS != replay_crc)
{
int operation, error;
- conn_get_error(prp->conn, &operation, &error);
+ windows_conn_get_error(prp->conn, &operation, &error);
csn_as_string(entry.op->csn, PR_FALSE, csn_str);
/* Figure out what to do next */
if (CONN_OPERATION_FAILED == replay_crc)
diff --git a/ldap/servers/plugins/replication/windows_protocol_util.c b/ldap/servers/plugins/replication/windows_protocol_util.c
index f69cb7a..06d2cad 100644
--- a/ldap/servers/plugins/replication/windows_protocol_util.c
+++ b/ldap/servers/plugins/replication/windows_protocol_util.c
@@ -1553,7 +1553,7 @@ windows_replay_update(Private_Repl_Protocol *prp, slapi_operation_parameters *op
if (CONN_OPERATION_FAILED == return_value) {
int operation = 0;
int error = 0;
- conn_get_error(prp->conn, &operation, &error);
+ windows_conn_get_error(prp->conn, &operation, &error);
/* The remote entry is missing. Let's add the renamed entry. */
if (LDAP_NO_SUCH_OBJECT == error) {
return_value = process_replay_add(prp,
@@ -4494,7 +4494,7 @@ windows_process_total_add(Private_Repl_Protocol *prp,Slapi_Entry *e, Slapi_DN* r
int operation = 0;
int error = 0;
- conn_get_error(prp->conn, &operation, &error);
+ windows_conn_get_error(prp->conn, &operation, &error);
if (windows_ignore_error_and_keep_going(error))
{
retval = CONN_OPERATION_SUCCESS;
diff --git a/ldap/servers/plugins/replication/windows_tot_protocol.c b/ldap/servers/plugins/replication/windows_tot_protocol.c
index 9c22b8d..47bb3d0 100644
--- a/ldap/servers/plugins/replication/windows_tot_protocol.c
+++ b/ldap/servers/plugins/replication/windows_tot_protocol.c
@@ -120,7 +120,7 @@ windows_tot_run(Private_Repl_Protocol *prp)
goto done;
}
- conn_set_timeout(prp->conn, agmt_get_timeout(prp->agmt));
+ windows_conn_set_timeout(prp->conn, agmt_get_timeout(prp->agmt));
/* acquire remote replica */
agmt_set_last_init_start(prp->agmt, current_time());
@@ -132,14 +132,14 @@ windows_tot_run(Private_Repl_Protocol *prp)
if (rc != ACQUIRE_SUCCESS)
{
int optype, ldaprc;
- conn_get_error(prp->conn, &optype, &ldaprc);
+ windows_conn_get_error(prp->conn, &optype, &ldaprc);
agmt_set_last_init_status(prp->agmt, ldaprc,
prp->last_acquire_response_code, NULL);
goto done;
}
else if (prp->terminate)
{
- conn_disconnect(prp->conn);
+ windows_conn_disconnect(prp->conn);
prp->stopped = 1;
goto done;
}
@@ -272,7 +272,7 @@ windows_tot_stop(Private_Repl_Protocol *prp)
"protocol not stopped after waiting for %d seconds "
"for agreement %s\n", PR_IntervalToSeconds(now-start),
agmt_get_long_name(prp->agmt));
- conn_disconnect(prp->conn);
+ windows_conn_disconnect(prp->conn);
return_value = -1;
}
else
@@ -383,7 +383,7 @@ int send_entry (Slapi_Entry *e, void *cb_data)
if (prp->terminate)
{
- conn_disconnect(prp->conn);
+ windows_conn_disconnect(prp->conn);
prp->stopped = 1;
((callback_data*)cb_data)->rc = -1;
LDAPDebug0Args( LDAP_DEBUG_TRACE, "<= send_entry\n" );
ldap/servers
by Noriko Hosoi
ldap/servers/slapd/back-ldbm/ldbm_search.c | 14 +++++++++-----
1 file changed, 9 insertions(+), 5 deletions(-)
New commits:
commit a7de5f2a4323d224c63f722172eee8b63752fb45
Author: Noriko Hosoi <nhosoi(a)redhat.com>
Date: Fri Sep 24 11:42:31 2010 -0700
Bug 635987 - Incorrect sub scope search result with ACL containing ldap:///self
https://bugzilla.redhat.com/show_bug.cgi?id=635987
Description:
This commit made for the bug 635987 introduced a bug to replication.
commit 8ac525e5ac997378f4f2a386e9b96568c8d66db5
Author: Noriko Hosoi <nhosoi(a)redhat.com>
Date: Tue Sep 21 15:12:07 2010 -0700
subtree_candidates (ldbm_search.c)
If you do have a tombstone filter, descendants will be NULL,
and idl_intersection of candidates and descendants will wipe
out all of the candidates, leaving just the one entry, e->ep_id.
Changed to call idl_intersection only when the filter is not
for tombstone or entryrdn_get_noancestorid (false, by default).
diff --git a/ldap/servers/slapd/back-ldbm/ldbm_search.c b/ldap/servers/slapd/back-ldbm/ldbm_search.c
index 3067496..568d32c 100644
--- a/ldap/servers/slapd/back-ldbm/ldbm_search.c
+++ b/ldap/servers/slapd/back-ldbm/ldbm_search.c
@@ -957,13 +957,17 @@ subtree_candidates(
*err = entryrdn_get_subordinates(be,
slapi_entry_get_sdn_const(e->ep_entry),
e->ep_id, &descendants, NULL);
+ idl_insert(&descendants, e->ep_id);
+ candidates = idl_intersection(be, candidates, descendants);
+ idl_free(tmp);
+ idl_free(descendants);
} else if (!has_tombstone_filter) {
*err = ldbm_ancestorid_read(be, NULL, e->ep_id, &descendants);
- }
- idl_insert(&descendants, e->ep_id);
- candidates = idl_intersection(be, candidates, descendants);
- idl_free(tmp);
- idl_free(descendants);
+ idl_insert(&descendants, e->ep_id);
+ candidates = idl_intersection(be, candidates, descendants);
+ idl_free(tmp);
+ idl_free(descendants);
+ } /* else == has_tombstone_filter: do nothing */
}
return( candidates );
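Review bot: Both new blocks run `idl_intersection` without first checking `*err` from `entryrdn_get_subordinates` or `ldbm_ancestorid_read`; on a lookup failure `descendants` stays NULL and the result collapses to `e->ep_id`, the same symptom as the tombstone case fixed here. Add an `if (0 == *err)` guard, and consider keeping the intersection in a single place: the two branches differ only in how `descendants` is filled, so the four repeated lines can follow one combined `if (!has_tombstone_filter)` block.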
lib/libaccess
by Nathan Kinder
lib/libaccess/acl.tab.cpp | 14 ++++++++++----
1 file changed, 10 insertions(+), 4 deletions(-)
New commits:
commit dcfd94bd55a5e07f870f9ab1ea9d84a3f171b899
Author: Nathan Kinder <nkinder(a)redhat.com>
Date: Fri Sep 24 10:04:12 2010 -0700
Bug 630091 - (cov#11973) Array overrun in libaccess
When going through the exceptions table in libaccess, we don't
check if we are at the last pair of elements in the array before
incrementing to the next pair. This patch adds checks to see if
we are at the last pair of elements and avoids the increment if
necessary.
diff --git a/lib/libaccess/acl.tab.cpp b/lib/libaccess/acl.tab.cpp
index ddf40a6..ad828ac 100644
--- a/lib/libaccess/acl.tab.cpp
+++ b/lib/libaccess/acl.tab.cpp
@@ -962,14 +962,20 @@ int acl_Parse()
{
register int *aclxi = aclexca;
- while ( ( *aclxi != -1 ) ||
- ( aclxi[1] != acl_state ) )
+ /* The first element of the last pair is -2, so we
+ * need to make sure we don't increment past it. */
+ while ( (*aclxi != -2) && ((*aclxi != -1) ||
+ (aclxi[1] != acl_state)) )
{
aclxi += 2;
}
- while ( ( *(aclxi += 2) >= 0 ) &&
- ( *aclxi != aclchar ) )
+
+ while ( (*aclxi != -2) && (*(aclxi += 2) >= 0) &&
+ (*aclxi != aclchar) )
+ {
;
+ }
+
if ( ( acl_n = aclxi[1] ) < 0 )
ACLACCEPT;
}
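Review bot: `acl.tab.cpp` looks like yacc-generated parser code (the `aclexca` exception table and `ACLACCEPT` come from the yacc skeleton), so a hand edit will be lost the next time the grammar is regenerated; the fix belongs in the skeleton or a post-processing step, or the file should be marked as no longer generated. On the logic: when the first loop stops at the `-2` sentinel, the second loop's `*aclxi != -2` short-circuits the increment and `acl_n = aclxi[1]` then reads the sentinel's partner, which is in bounds only because the sentinel is itself a full pair; a comment stating that `aclexca` always ends in a `{-2, x}` pair would make that bound explicit.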
mod_nss nss_engine_io.c,1.11,1.12
by Rob Crittenden
Author: rcritten
Update of /cvs/dirsec/mod_nss
In directory cvs01.phx2.fedoraproject.org:/tmp/cvs-serv7448
Modified Files:
nss_engine_io.c
Log Message:
Revert PR_WOULD_BLOCK change and reset the NSPR error value before calling
PR_Read().
In testing with TPS from dogtag this really seems to fix #620856 this
time.
Index: nss_engine_io.c
===================================================================
RCS file: /cvs/dirsec/mod_nss/nss_engine_io.c,v
retrieving revision 1.11
retrieving revision 1.12
diff -u -r1.11 -r1.12
--- nss_engine_io.c 17 Sep 2010 19:39:27 -0000 1.11
+++ nss_engine_io.c 24 Sep 2010 02:06:57 -0000 1.12
@@ -259,8 +259,7 @@
*/
if (APR_STATUS_IS_EAGAIN(inctx->rc) || APR_STATUS_IS_EINTR(inctx->rc)
|| (inctx->rc == APR_SUCCESS && APR_BRIGADE_EMPTY(inctx->bb))) {
- nspr_filter_out_ctx_t *outctx = filter_ctx->outctx;
- inctx->rc = outctx->rc;
+ PR_SetError(PR_WOULD_BLOCK_ERROR, 0);
return -1;
}
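Review bot: with the `outctx->rc` copy removed, `inctx->rc` in this branch is left holding the APR status that triggered it (EAGAIN, EINTR, or APR_SUCCESS with an empty brigade) while the NSPR error becomes PR_WOULD_BLOCK_ERROR; confirm that every caller of this read path now checks PR_GetError() after the -1 rather than inspecting inctx->rc, and add a comment above the `if` stating that APR_SUCCESS with an empty brigade is deliberately reported as would-block, since that is the behaviour this commit relies on for #620856.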
@@ -350,6 +349,7 @@
break;
}
+ PR_SetError(0, 0);
rc = PR_Read(inctx->filter_ctx->pssl, buf + bytes, wanted - bytes);
if (rc > 0) {
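Review bot: `PR_SetError(0, 0)` before `PR_Read()` needs a one-line comment: it clears a stale NSPR error (such as the PR_WOULD_BLOCK_ERROR set in the hunk above) so that a later PR_GetError() reflects only this PR_Read call; without the comment the line reads as a no-op and is likely to be dropped in a cleanup.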
ldap/servers
by Richard Allen Megginson
ldap/servers/plugins/replication/windows_connection.c | 2 ++
ldap/servers/plugins/replication/windows_inc_protocol.c | 6 +++---
ldap/servers/plugins/replication/windows_protocol_util.c | 4 ++--
ldap/servers/plugins/replication/windows_tot_protocol.c | 10 +++++-----
4 files changed, 12 insertions(+), 10 deletions(-)
New commits:
commit 3561044171c4905659a2680658d9208eab5bd35e
Author: Rich Megginson <rmeggins(a)redhat.com>
Date: Wed Sep 22 15:56:14 2010 -0600
Bug 634561 - Server crushes when using Windows Sync Agreement
https://bugzilla.redhat.com/show_bug.cgi?id=634561
Resolves: bug 634561
Bug Description: Server crushes when using Windows Sync Agreement
Reviewed by: ???
Branch: master
Fix Description: The regular replication protocol and the windows sync
protocol have two completely different struct repl_connection. They
are almost the same, almost identical fields, but they are different.
When additional fields were added to the struct repl_connection, not
at the end of the structure, and identical changes were not made to the
struct repl_connection in windows_connection.c, the structures got out
of sync. The authors tried to anticipate this condition by providing
windows_ versions of all of the conn_ functions. We were not using the
windows_ versions of these functions in all places in the winsync code.
The fix is to use the windows_ versions of these functions throughout
the winsync code, and to make the struct repl_connection the same size
up through the char *plain field. If additional fields are added to
either structure at the end, this problem should not occur in the
future.
Platforms tested: RHEL5 x86_64
Flag Day: no
Doc impact: no
(cherry picked from commit 4bd78323d0bb1299a19e0ed1feebc79ff997c92f)
diff --git a/ldap/servers/plugins/replication/windows_connection.c b/ldap/servers/plugins/replication/windows_connection.c
index b341171..f0b8237 100644
--- a/ldap/servers/plugins/replication/windows_connection.c
+++ b/ldap/servers/plugins/replication/windows_connection.c
@@ -75,6 +75,8 @@ typedef struct repl_connection
int supports_ldapv3; /* 1 if does, 0 if doesn't, -1 if not determined */
int supports_ds50_repl; /* 1 if does, 0 if doesn't, -1 if not determined */
int supports_ds40_repl; /* 1 if does, 0 if doesn't, -1 if not determined */
+ int supports_ds71_repl; /* 1 if does, 0 if doesn't, -1 if not determined */
+ int supports_ds90_repl; /* 1 if does, 0 if doesn't, -1 if not determined */
int linger_time; /* time in seconds to leave an idle connection open */
int supports_dirsync; /* 1 if does, 0 if doesn't, -1 if not determined */
PRBool linger_active;
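Review bot: the two new fields reproduce the layout of the regular replication code's struct repl_connection by hand, which is exactly the drift that caused this bug; a comment at the top of this struct naming its counterpart and stating that the common prefix through `char *plain` must stay identical, or better a shared header holding that common prefix, would stop the next out-of-sync change. A compile-time check comparing `offsetof(..., plain)` between the two structs would catch it at build time rather than at runtime.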
diff --git a/ldap/servers/plugins/replication/windows_inc_protocol.c b/ldap/servers/plugins/replication/windows_inc_protocol.c
index 7ff47fa..b6e1da3 100644
--- a/ldap/servers/plugins/replication/windows_inc_protocol.c
+++ b/ldap/servers/plugins/replication/windows_inc_protocol.c
@@ -1003,9 +1003,9 @@ windows_inc_run(Private_Repl_Protocol *prp)
/* remove_protocol_callbacks(prp); */
prp->stopped = 1;
/* Cancel any linger timer that might be in effect... */
- conn_cancel_linger(prp->conn);
+ windows_conn_cancel_linger(prp->conn);
/* ... and disconnect, if currently connected */
- conn_disconnect(prp->conn);
+ windows_conn_disconnect(prp->conn);
LDAPDebug0Args( LDAP_DEBUG_TRACE, "<= windows_inc_run\n" );
}
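Review bot: swapping `conn_cancel_linger` and `conn_disconnect` for their `windows_` twins is correct but unenforceable, because both families accept the same `prp->conn` pointer and a missed call site compiles cleanly; giving the winsync connection its own typedef (or keeping the generic conn_ prototypes out of the windows_*.c translation units) would turn any remaining mismatch into a compile error instead of the layout mix-up described in the commit message.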
@@ -1309,7 +1309,7 @@ send_updates(Private_Repl_Protocol *prp, RUV *remote_update_vector, PRUint32 *nu
if (CONN_OPERATION_SUCCESS != replay_crc)
{
int operation, error;
- conn_get_error(prp->conn, &operation, &error);
+ windows_conn_get_error(prp->conn, &operation, &error);
csn_as_string(entry.op->csn, PR_FALSE, csn_str);
/* Figure out what to do next */
if (CONN_OPERATION_FAILED == replay_crc)
diff --git a/ldap/servers/plugins/replication/windows_protocol_util.c b/ldap/servers/plugins/replication/windows_protocol_util.c
index 3fe42cf..5fb6e7b 100644
--- a/ldap/servers/plugins/replication/windows_protocol_util.c
+++ b/ldap/servers/plugins/replication/windows_protocol_util.c
@@ -1562,7 +1562,7 @@ windows_replay_update(Private_Repl_Protocol *prp, slapi_operation_parameters *op
if (CONN_OPERATION_FAILED == return_value) {
int operation = 0;
int error = 0;
- conn_get_error(prp->conn, &operation, &error);
+ windows_conn_get_error(prp->conn, &operation, &error);
/* The remote entry is missing. Let's add the renamed entry. */
if (LDAP_NO_SUCH_OBJECT == error) {
return_value = process_replay_add(prp,
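Review bot: the `LDAP_NO_SUCH_OBJECT == error` test that drives `process_replay_add` deserves a regression test for the rename-of-a-missing-remote-entry path, since the previous `conn_get_error` read `error` through the mismatched struct layout and could have steered this branch incorrectly; a test that exercises it against the windows_ accessor would protect the fix.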
@@ -4508,7 +4508,7 @@ windows_process_total_add(Private_Repl_Protocol *prp,Slapi_Entry *e, Slapi_DN* r
int operation = 0;
int error = 0;
- conn_get_error(prp->conn, &operation, &error);
+ windows_conn_get_error(prp->conn, &operation, &error);
if (windows_ignore_error_and_keep_going(error))
{
retval = CONN_OPERATION_SUCCESS;
diff --git a/ldap/servers/plugins/replication/windows_tot_protocol.c b/ldap/servers/plugins/replication/windows_tot_protocol.c
index cb2987b..1390e8f 100644
--- a/ldap/servers/plugins/replication/windows_tot_protocol.c
+++ b/ldap/servers/plugins/replication/windows_tot_protocol.c
@@ -120,7 +120,7 @@ windows_tot_run(Private_Repl_Protocol *prp)
goto done;
}
- conn_set_timeout(prp->conn, agmt_get_timeout(prp->agmt));
+ windows_conn_set_timeout(prp->conn, agmt_get_timeout(prp->agmt));
/* acquire remote replica */
agmt_set_last_init_start(prp->agmt, current_time());
@@ -132,14 +132,14 @@ windows_tot_run(Private_Repl_Protocol *prp)
if (rc != ACQUIRE_SUCCESS)
{
int optype, ldaprc;
- conn_get_error(prp->conn, &optype, &ldaprc);
+ windows_conn_get_error(prp->conn, &optype, &ldaprc);
agmt_set_last_init_status(prp->agmt, ldaprc,
prp->last_acquire_response_code, NULL);
goto done;
}
else if (prp->terminate)
{
- conn_disconnect(prp->conn);
+ windows_conn_disconnect(prp->conn);
prp->stopped = 1;
goto done;
}
@@ -273,7 +273,7 @@ windows_tot_stop(Private_Repl_Protocol *prp)
"protocol not stopped after waiting for %d seconds "
"for agreement %s\n", PR_IntervalToSeconds(now-start),
agmt_get_long_name(prp->agmt));
- conn_disconnect(prp->conn);
+ windows_conn_disconnect(prp->conn);
return_value = -1;
}
else
@@ -402,7 +402,7 @@ int send_entry (Slapi_Entry *e, void *cb_data)
if (prp->terminate)
{
- conn_disconnect(prp->conn);
+ windows_conn_disconnect(prp->conn);
prp->stopped = 1;
((callback_data*)cb_data)->rc = -1;
LDAPDebug0Args( LDAP_DEBUG_TRACE, "<= send_entry\n" );
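Review bot: this is the last of a series of hunks replacing bare `conn_*` calls on `prp->conn` with `windows_conn_*`, and the fix is only as complete as the search that found these sites; the commit message should record that the plugin's windows_*.c files were searched for remaining bare `conn_` calls so a reviewer can verify the sweep is complete.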
ldap/servers
by Noriko Hosoi
ldap/servers/slapd/opshared.c | 36 ++++++++++++++++++++++++------------
1 file changed, 24 insertions(+), 12 deletions(-)
New commits:
commit f980ff61da122b39d33bf83bc20f2b7a81b6be24
Author: Noriko Hosoi <nhosoi(a)redhat.com>
Date: Wed Sep 22 16:28:59 2010 -0700
Bug 606920 - anonymous resource limit- nstimelimit -
also applied to "cn=directory manager"
https://bugzilla.redhat.com/show_bug.cgi?id=606920
Description: Client side sizelimit / timelimit request should
be honoured by the Directory Manager, too. Changing the time/
sizelimit evaluation so that if client side request exists,
the value is set even if the bind user is the directory manager.
diff --git a/ldap/servers/slapd/opshared.c b/ldap/servers/slapd/opshared.c
index 858bc8f..7aec791 100644
--- a/ldap/servers/slapd/opshared.c
+++ b/ldap/servers/slapd/opshared.c
@@ -1388,12 +1388,18 @@ compute_limits (Slapi_PBlock *pb)
}
}
- if ( isroot ) {
- timelimit = max_timelimit = -1; /* no limit */
- } else if ( requested_timelimit == 0 ) {
- timelimit = ( max_timelimit == -1 ) ? -1 : max_timelimit;
- } else if ( max_timelimit == -1 || requested_timelimit < max_timelimit ) {
- timelimit = requested_timelimit;
+ if ( requested_timelimit ) {
+ /* requested limit should be applied to all (including root) */
+ if ( isroot ) {
+ timelimit = requested_timelimit;
+ } else if ( (max_timelimit == -1) ||
+ (requested_timelimit < max_timelimit) ) {
+ timelimit = requested_timelimit;
+ } else {
+ timelimit = max_timelimit;
+ }
+ } else if ( isroot ) {
+ timelimit = -1; /* no limit */
} else {
timelimit = max_timelimit;
}
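Review bot: the old root branch also set `max_timelimit = -1`; the new code leaves `max_timelimit` untouched for root, so if it is read after this block (logged, stored in the pblock, or used by a later limit check) root now sees the configured maximum rather than unlimited, which should be confirmed or called out in the commit message. The two `timelimit = requested_timelimit;` branches can be merged into `if ( isroot || max_timelimit == -1 || requested_timelimit < max_timelimit )`.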
@@ -1419,12 +1425,18 @@ compute_limits (Slapi_PBlock *pb)
}
}
- if ( isroot ) {
- sizelimit = max_sizelimit = -1;
- } else if ( requested_sizelimit == 0 ) {
- sizelimit = ( max_sizelimit == -1 ) ? -1 : max_sizelimit;
- } else if ( max_sizelimit == -1 || requested_sizelimit < max_sizelimit ) {
- sizelimit = requested_sizelimit;
+ if ( requested_sizelimit ) {
+ /* requested limit should be applied to all (including root) */
+ if ( isroot ) {
+ sizelimit = requested_sizelimit;
+ } else if ( (max_sizelimit == -1) ||
+ (requested_sizelimit < max_sizelimit) ) {
+ sizelimit = requested_sizelimit;
+ } else {
+ sizelimit = max_sizelimit;
+ }
+ } else if ( isroot ) {
+ sizelimit = -1; /* no limit */
} else {
sizelimit = max_sizelimit;
}
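Review bot: the root branch no longer assigns `max_sizelimit = -1`, so any later consumer of `max_sizelimit` changes behaviour for root and should be checked; beyond that, this block is now identical to the timelimit block apart from variable names, so a small static helper taking (requested, max, isroot) and returning the effective limit would keep the timelimit and sizelimit policies from diverging again.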
mod_nss ChangeLog,1.5,1.6
by Rob Crittenden
Author: rcritten
Update of /cvs/dirsec/mod_nss
In directory cvs01.phx2.fedoraproject.org:/tmp/cvs-serv13477
Modified Files:
ChangeLog
Log Message:
Bring up to date.
Index: ChangeLog
===================================================================
RCS file: /cvs/dirsec/mod_nss/ChangeLog,v
retrieving revision 1.5
retrieving revision 1.6
diff -u -r1.5 -r1.6
--- ChangeLog 14 May 2010 15:49:33 -0000 1.5
+++ ChangeLog 22 Sep 2010 21:20:55 -0000 1.6
@@ -1,3 +1,18 @@
+2010-09-22 Rob Crittenden <rcritten(a)redhat.com>
+ * Only call PK11_ListCerts once and pass it when configuring each
+ virtual server. This saves considerable time when there are a lot
+ of certificates and/or virtual servers. (#635324)
+ * Change enforce so that we only check the validity of the certificate
+ if enforcecerts is enabled (the default).
+ Patch contributed by Wolter Eldering <wolter.eldering(a)vanad.com.cn>
+
+2010-09-17 Rob Crittenden <rcritten(a)redhat.com>
+ * Fix endless read loop in some situations when handling POST data
+ (#620856)
+ This was discovered in the dogtag TPS subsystem. I haven't been able
+ to duplicate it outside of that but it is trivial inside. This seems
+ to fix it and brings the code closer to what mod_ssl does here as well.
+
2010-05-14 Rob Crittenden <rcritten(a)redhat.com>
* Ignore SIGHUP in nss_pcache (#591889).
Contributed by Joshua Roys <roysjosh(a)gmail.com>
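Review bot: the 2010-09-17 entry describes the #620856 fix, but the nss_engine_io.c 1.12 commit on this page (24 Sep 2010) reverts the PR_WOULD_BLOCK change and resets the NSPR error before PR_Read(); the ChangeLog needs a 2010-09-24 entry (or this one amended) so the record matches the code that finally fixes #620856.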
@@ -5,7 +20,17 @@
2010-05-13 Rob Crittenden <rcritten(a)redhat.com>
* Compare CN value of remote host with requested host in reverse proxy.
* Add configuration option to disable this, defaulting to on. (#591224)
- * Based on patch from Joshua Roys <roysjosh(a)gmail.com
+ Based on patch from Joshua Roys <roysjosh(a)gmail.com>
+
+2010-03-22 Rob Crittenden <rcritten(a)redhat.com>
+ * Update list of errors we translate
+
+2010-03-02 Rob Crittenden <rcritten(a)redhat.com>
+ * Add controls for managing SSL renegotiation
+ NSS is introducing some new controls in response to CVE-2009-3555,
+ MITM attacks via session renegotiation. This patch adds some tuning
+ so these options can be set at run time.
+ Patch contributed by Kai Engert <kengert(a)redhat.com>
2008-07-21 Rob Crittenden <rcritten(a)redhat.com>
* mod_nss 1.0.8
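Review bot: the 2010-03-02 entry says the patch adds tuning for the renegotiation controls introduced for CVE-2009-3555 but does not name the nss.conf directives; listing them here is what lets an administrator find and set them, and this entry is the only place the ChangeLog records a security-motivated option.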
mod_nss mod_nss.h, 1.22, 1.23 nss_engine_init.c, 1.35, 1.36
by Rob Crittenden
Author: rcritten
Update of /cvs/dirsec/mod_nss
In directory cvs01.phx2.fedoraproject.org:/tmp/cvs-serv13379
Modified Files:
mod_nss.h nss_engine_init.c
Log Message:
Only call PK11_ListCerts once and pass it when configuring each
virtual server. This saves considerable time when there are a lot
of certificates and/or virtual servers.
Change enforce so that we only check the validity of the certificate
if enforcecerts is enabled (the default).
Patch contributed by Wolter Eldering <wolter.eldering(a)vanad.com.cn>
bug 635324
Index: mod_nss.h
===================================================================
RCS file: /cvs/dirsec/mod_nss/mod_nss.h,v
retrieving revision 1.22
retrieving revision 1.23
diff -u -r1.22 -r1.23
--- mod_nss.h 13 May 2010 15:21:25 -0000 1.22
+++ mod_nss.h 22 Sep 2010 21:19:24 -0000 1.23
@@ -416,7 +416,7 @@
/* module initialization */
int nss_init_Module(apr_pool_t *, apr_pool_t *, apr_pool_t *, server_rec *);
void nss_init_Child(apr_pool_t *, server_rec *);
-void nss_init_ConfigureServer(server_rec *, apr_pool_t *, apr_pool_t *, SSLSrvConfigRec *);
+void nss_init_ConfigureServer(server_rec *, apr_pool_t *, apr_pool_t *, SSLSrvConfigRec *, const CERTCertList*);
apr_status_t nss_init_ModuleKill(void *data);
apr_status_t nss_init_ChildKill(void *data);
int nss_parse_ciphers(server_rec *s, char *ciphers, PRBool cipher_list[ciphernum]);
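Review bot: the new `const CERTCertList*` parameter has no documented contract for NULL (PK11_ListCerts can fail and return NULL, and the callers test `if (clist)` before destroying it); state in the prototype's comment whether `nss_init_ConfigureServer` accepts a NULL list, since the nickname lookup that consumes it walks the list head.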
Index: nss_engine_init.c
===================================================================
RCS file: /cvs/dirsec/mod_nss/nss_engine_init.c,v
retrieving revision 1.35
retrieving revision 1.36
diff -u -r1.35 -r1.36
--- nss_engine_init.c 2 Mar 2010 20:12:05 -0000 1.35
+++ nss_engine_init.c 22 Sep 2010 21:19:24 -0000 1.36
@@ -26,7 +26,7 @@
static SECStatus ownBadCertHandler(void *arg, PRFileDesc * socket);
static SECStatus ownHandshakeCallback(PRFileDesc * socket, void *arg);
static SECStatus NSSHandshakeCallback(PRFileDesc *socket, void *arg);
-static CERTCertificate* FindServerCertFromNickname(const char* name);
+static CERTCertificate* FindServerCertFromNickname(const char* name, const CERTCertList* clist);
SECStatus nss_AuthCertificate(void *arg, PRFileDesc *socket, PRBool checksig, PRBool isServer);
/*
@@ -485,6 +485,8 @@
ap_log_error(APLOG_MARK, APLOG_INFO, 0, base_server,
"Init: Initializing (virtual) servers for SSL");
+ CERTCertList* clist = PK11_ListCerts(PK11CertListUser, NULL);
+
for (s = base_server; s; s = s->next) {
sc = mySrvConfig(s);
/*
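Review bot: `CERTCertList* clist = PK11_ListCerts(...)` is a declaration after statements inside the block, which is C99; if mod_nss is still built in C89 mode or with -Wdeclaration-after-statement this warns or fails, so move the declaration to the top of the block. A NULL return from PK11_ListCerts should also be logged here, because every virtual server's certificate lookup in the loop depends on it.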
@@ -496,7 +498,11 @@
/*
* Read the server certificate and key
*/
- nss_init_ConfigureServer(s, p, ptemp, sc);
+ nss_init_ConfigureServer(s, p, ptemp, sc, clist);
+ }
+
+ if (clist) {
+ CERT_DestroyCertList(clist);
}
}
@@ -898,7 +904,8 @@
SECKEYPrivateKey **serverkey,
SSLKEAType *KEAtype,
PRFileDesc *model,
- int enforce)
+ int enforce,
+ const CERTCertList* clist)
{
SECCertTimeValidity certtimestatus;
SECStatus secstatus;
@@ -912,17 +919,15 @@
ap_log_error(APLOG_MARK, APLOG_INFO, 0, s,
"Using nickname %s.", nickname);
- *servercert = FindServerCertFromNickname(nickname);
+ *servercert = FindServerCertFromNickname(nickname, clist);
/* Verify the certificate chain. */
if (*servercert != NULL) {
SECCertificateUsage usage = certificateUsageSSLServer;
- if (CERT_VerifyCertificateNow(CERT_GetDefaultCertDB(), *servercert, PR_TRUE, usage, NULL, NULL) != SECSuccess) {
- ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
- "Certificate not verified: '%s'", nickname);
+ if (enforce) {
+ if (CERT_VerifyCertificateNow(CERT_GetDefaultCertDB(), *servercert, PR_TRUE, usage, NULL, NULL) != SECSuccess) {
nss_log_nss_error(APLOG_MARK, APLOG_ERR, s);
- if (enforce) {
ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
"Unable to verify certificate '%s'. Add \"NSSEnforceValidCerts off\" to nss.conf so the server can start until the problem can be resolved.", nickname);
nss_die();
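Review bot: skipping CERT_VerifyCertificateNow entirely when `enforce` is off drops the `Certificate not verified` log line the old code emitted regardless of enforcement, so an administrator who set NSSEnforceValidCerts off to get past a startup problem no longer gets any reminder that the certificate still fails validation; keep the verification call outside `if (enforce)`, gate only nss_die() on it, and log at warning level in the non-enforcing case.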
@@ -1012,7 +1017,8 @@
static void nss_init_server_certs(server_rec *s,
apr_pool_t *p,
apr_pool_t *ptemp,
- modnss_ctx_t *mctx)
+ modnss_ctx_t *mctx,
+ const CERTCertList* clist)
{
SECStatus secstatus;
@@ -1033,11 +1039,11 @@
nss_init_certificate(s, mctx->nickname, &mctx->servercert,
&mctx->serverkey, &mctx->serverKEAType,
- mctx->model, mctx->enforce);
+ mctx->model, mctx->enforce, clist);
#ifdef NSS_ENABLE_ECC
nss_init_certificate(s, mctx->eccnickname, &mctx->eccservercert,
&mctx->eccserverkey, &mctx->eccserverKEAType,
- mctx->model, mctx->enforce);
+ mctx->model, mctx->enforce, clist);
#endif
}
@@ -1061,23 +1067,25 @@
static void nss_init_proxy_ctx(server_rec *s,
apr_pool_t *p,
apr_pool_t *ptemp,
- SSLSrvConfigRec *sc)
+ SSLSrvConfigRec *sc,
+ const CERTCertList* clist)
{
nss_init_ctx(s, p, ptemp, sc->proxy);
- nss_init_server_certs(s, p, ptemp, sc->proxy);
+ nss_init_server_certs(s, p, ptemp, sc->proxy, clist);
}
static void nss_init_server_ctx(server_rec *s,
apr_pool_t *p,
apr_pool_t *ptemp,
- SSLSrvConfigRec *sc)
+ SSLSrvConfigRec *sc,
+ const CERTCertList* clist)
{
nss_init_server_check(s, p, ptemp, sc->server);
nss_init_ctx(s, p, ptemp, sc->server);
- nss_init_server_certs(s, p, ptemp, sc->server);
+ nss_init_server_certs(s, p, ptemp, sc->server, clist);
}
/*
@@ -1086,18 +1094,19 @@
void nss_init_ConfigureServer(server_rec *s,
apr_pool_t *p,
apr_pool_t *ptemp,
- SSLSrvConfigRec *sc)
+ SSLSrvConfigRec *sc,
+ const CERTCertList* clist)
{
if (sc->enabled == TRUE) {
ap_log_error(APLOG_MARK, APLOG_INFO, 0, s,
"Configuring server for SSL protocol");
- nss_init_server_ctx(s, p, ptemp, sc);
+ nss_init_server_ctx(s, p, ptemp, sc, clist);
}
if (sc->proxy_enabled == TRUE) {
ap_log_error(APLOG_MARK, APLOG_INFO, 0, s,
"Enabling proxy.");
- nss_init_proxy_ctx(s, p, ptemp, sc);
+ nss_init_proxy_ctx(s, p, ptemp, sc, clist);
}
}
@@ -1149,10 +1158,14 @@
nss_init_SSLLibrary(base_server);
/* Configure all virtual servers */
+ CERTCertList* clist = PK11_ListCerts(PK11CertListUser, NULL);
for (s = base_server; s; s = s->next) {
sc = mySrvConfig(s);
if (sc->server->servercert == NULL && NSS_IsInitialized())
- nss_init_ConfigureServer(s, p, mc->ptemp, sc);
+ nss_init_ConfigureServer(s, p, mc->ptemp, sc, clist);
+ }
+ if (clist) {
+ CERT_DestroyCertList(clist);
}
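Review bot: `PK11_ListCerts` is now called unconditionally before the loop, whereas the old per-server lookup ran only inside the `NSS_IsInitialized()` condition on the `if` below; if this path can be reached with NSS not initialized, wrap the PK11_ListCerts call in the same `NSS_IsInitialized()` test or hoist that test above the loop. The declaration-after-statement point from the `@@ -485` hunk applies here as well.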
/*
@@ -1341,9 +1354,8 @@
* newest, valid server certificate.
*/
static CERTCertificate*
-FindServerCertFromNickname(const char* name)
+FindServerCertFromNickname(const char* name, const CERTCertList* clist)
{
- CERTCertList* clist;
CERTCertificate* bestcert = NULL;
CERTCertListNode *cln;
@@ -1353,8 +1365,6 @@
if (name == NULL)
return NULL;
- clist = PK11_ListCerts(PK11CertListUser, NULL);
-
for (cln = CERT_LIST_HEAD(clist); !CERT_LIST_END(cln,clist);
cln = CERT_LIST_NEXT(cln)) {
CERTCertificate* cert = cln->cert;
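Review bot: add `if (clist == NULL) return NULL;` beside the existing `name == NULL` check: the callers test `if (clist)` before CERT_DestroyCertList, so a NULL list is an accepted outcome of PK11_ListCerts, yet `CERT_LIST_HEAD(clist)` here dereferences it. The function had the same gap when it owned the list, but now that the list is a parameter the guard belongs at this entry point.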
@@ -1419,9 +1429,6 @@
if (bestcert) {
bestcert = CERT_DupCertificate(bestcert);
}
- if (clist) {
- CERT_DestroyCertList(clist);
- }
return bestcert;
}
ldap/servers
by Noriko Hosoi
ldap/servers/slapd/back-ldbm/ldbm_search.c | 10 ++++------
1 file changed, 4 insertions(+), 6 deletions(-)
New commits:
commit 8ac525e5ac997378f4f2a386e9b96568c8d66db5
Author: Noriko Hosoi <nhosoi(a)redhat.com>
Date: Tue Sep 21 15:12:07 2010 -0700
Bug 635987 - Incorrect sub scope search result with
ACL containing ldap:///self
https://bugzilla.redhat.com/show_bug.cgi?id=635987
Description: When a basedn has no descendants, the code to take an
intersection of idl (which was returned from the filter search --
filter_candidates) and the basedn was skipped in subtree_candidates
(ldbm_search.c). Regardless of descendants, the intersection should
be taken for the idl and a tree starting with the basedn.
Note: This bug was introduced with entryrdn.
diff --git a/ldap/servers/slapd/back-ldbm/ldbm_search.c b/ldap/servers/slapd/back-ldbm/ldbm_search.c
index 9a8dd0f..3067496 100644
--- a/ldap/servers/slapd/back-ldbm/ldbm_search.c
+++ b/ldap/servers/slapd/back-ldbm/ldbm_search.c
@@ -960,12 +960,10 @@ subtree_candidates(
} else if (!has_tombstone_filter) {
*err = ldbm_ancestorid_read(be, NULL, e->ep_id, &descendants);
}
- if (descendants) {
- idl_insert(&descendants, e->ep_id);
- candidates = idl_intersection(be, candidates, descendants);
- idl_free(tmp);
- idl_free(descendants);
- }
+ idl_insert(&descendants, e->ep_id);
+ candidates = idl_intersection(be, candidates, descendants);
+ idl_free(tmp);
+ idl_free(descendants);
}
return( candidates );
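Review bot: the intersection now runs unconditionally, including when `ldbm_ancestorid_read` has set `*err` and left `descendants` NULL; confirm that `idl_insert` tolerates a NULL `*idl` (allocating a fresh list), and consider returning early when `*err` is non-zero, because intersecting the filter candidates with a list that holds only the base entry would silently shrink a subtree search to the base entry instead of surfacing the error.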