[openldap] fix: restart NSS modules after fork

Tue Jan 25 13:13:07 UTC 2011

commit 2bfd76d18fdcf8032203bd91cf0338cebd12bcce
Author: Jan Vcelak <jvcelak at redhat.com>
Date:   Tue Jan 25 11:35:17 2011 +0100

    fix: restart NSS modules after fork
    
    Resolves: #636956

 openldap-nss-restart-modules-fork.patch |   48 +++++++++++++++++++++++++++++++
 openldap.spec                           |    2 +
 2 files changed, 50 insertions(+), 0 deletions(-)
---

diff --git a/openldap-nss-restart-modules-fork.patch b/openldap-nss-restart-modules-fork.patch
new file mode 100644
index 0000000..4bebac5
--- /dev/null
+++ b/openldap-nss-restart-modules-fork.patch
@@ -0,0 +1,48 @@
+fix: OpenLDAP can't use TLS after a fork()
+
+Resolves: #636956
+Upstream ITS: #6802
+Author: Rich Megginson <rmeggins at redhat.com>
+
+diff -uNPrp openldap-2.4.23/libraries/libldap/tls_m.c openldap-2.4.23/libraries/libldap/tls_m.c
+--- openldap-2.4.23/libraries/libldap/tls_m.c	2011-01-25 11:12:59.407964217 +0100
++++ openldap-2.4.23/libraries/libldap/tls_m.c	2011-01-25 11:15:50.020176376 +0100
+@@ -72,6 +72,13 @@
+ #define HAVE_NSS_INITCONTEXT 1
+ #endif
+ 
++/* NSS 3.12.9 and later have SECMOD_RestartModules */
++#if NSS_VMAJOR <= 3 && NSS_VMINOR <= 12 && NSS_VPATCH < 9
++/* do nothing */
++#else
++#define HAVE_SECMOD_RESTARTMODULES 1
++#endif
++
+ /* InitContext does not currently work in server mode */
+ /* #define INITCONTEXT_HACK 1 */
+ 
+@@ -1486,6 +1493,24 @@ tlsm_deferred_init( void *arg )
+ 	SECStatus rc;
+ 	int done = 0;
+ 
++#ifdef HAVE_SECMOD_RESTARTMODULES
++	/* NSS enforces the pkcs11 requirement that modules should be unloaded after
++	   a fork() - since there is no portable way to determine if NSS has been
++	   already initialized in a parent process, we just call SECMOD_RestartModules
++	   with force == FALSE - if the module has been unloaded due to a fork, it will
++	   be reloaded, otherwise, it is a no-op */
++	if ( SECFailure == ( rc = SECMOD_RestartModules(PR_FALSE /* do not force */) ) ) {
++		errcode = PORT_GetError();
++		if ( errcode != SEC_ERROR_NOT_INITIALIZED ) {
++			Debug( LDAP_DEBUG_TRACE,
++				   "TLS: could not restart the security modules: %d:%s\n",
++				   errcode, PR_ErrorToString( errcode, PR_LANGUAGE_I_DEFAULT ), 0 );
++		} else {
++			errcode = 1;
++		}
++	}
++#endif
++
+ #ifdef HAVE_NSS_INITCONTEXT
+ 	memset( &initParams, 0, sizeof( initParams ) );
+ 	initParams.length = sizeof( initParams );
diff --git a/openldap.spec b/openldap.spec
index 99e1274..768bf44 100644
--- a/openldap.spec
+++ b/openldap.spec
@@ -42,6 +42,7 @@ Patch108: openldap-verify-self-issued-certs.patch
 
 # patches sent upstream
 Patch109: openldap-nss-cipher-suites.patch
+Patch110: openldap-nss-restart-modules-fork.patch
 
 # patches for the evolution library (see README.evolution)
 Patch200: openldap-evolution-ntlm.patch
@@ -153,6 +154,7 @@ pushd openldap-%{version}
 %patch107 -p1 -b .nss-non-blocking
 %patch108 -p1 -b .verify-self-issued-certs
 %patch109 -p1 -b .nss-cipher-suites
+%patch110 -p1 -b .nss-restart-modules-fork
 
 cp %{_datadir}/libtool/config/config.{sub,guess} build/
 
