[openldap/f16] fix: TLS error messages overwriting in tlsm_verify_cert()

jvcelak jvcelak at fedoraproject.org
Wed Jun 27 15:22:14 UTC 2012


commit 1d29df319c38b4cd90f717955ec38a5e2b072443
Author: Jan Vcelak <jvcelak at redhat.com>
Date:   Wed Jun 27 16:34:58 2012 +0200

    fix: TLS error messages overwriting in tlsm_verify_cert()
    
    Resolves: #810462

 ...ldap-nss-dont-overwrite-verify-cert-error.patch |   35 ++++++++++++++++++++
 openldap.spec                                      |    7 +++-
 2 files changed, 41 insertions(+), 1 deletions(-)
---
diff --git a/openldap-nss-dont-overwrite-verify-cert-error.patch b/openldap-nss-dont-overwrite-verify-cert-error.patch
new file mode 100644
index 0000000..71e7d25
--- /dev/null
+++ b/openldap-nss-dont-overwrite-verify-cert-error.patch
@@ -0,0 +1,35 @@
+MozNSS: do not overwrite error in tlsm_verify_cert
+
+Author: Jan Vcelak <jvcelak at redhat.com>
+Resolves: #810462
+Upstream ITS: #7287
+Upstream commit: dc3842fca318f00da20a8be1cfb5d690ccc7d482
+
+diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c
+index b608551..4c18360 100644
+--- a/libraries/libldap/tls_m.c
++++ b/libraries/libldap/tls_m.c
+@@ -1019,6 +1019,10 @@ tlsm_verify_cert(CERTCertDBHandle *handle, CERTCertificate *cert, void *pinarg,
+ 				   is self issued */
+ 				if ( ( node->error == SEC_ERROR_CA_CERT_INVALID ) &&
+ 					 tlsm_cert_is_self_issued( node->cert ) ) {
++
++					PRErrorCode orig_error = PR_GetError();
++					PRInt32 orig_oserror = PR_GetOSError();
++
+ 					CERTBasicConstraints basicConstraint;
+ 					SECStatus rv = tlsm_get_basic_constraint_extension( node->cert, &basicConstraint );
+ 					if ( ( rv == SECSuccess ) && ( basicConstraint.isCA == PR_FALSE ) ) {
+@@ -1032,6 +1036,9 @@ tlsm_verify_cert(CERTCertDBHandle *handle, CERTCertificate *cert, void *pinarg,
+ 							   "TLS: certificate [%s] is not valid - CA cert is not valid\n",
+ 							   name, 0, 0 );
+ 					}
++
++					PR_SetError(orig_error, orig_oserror);
++
+ 				} else if ( errorToIgnore && ( node->error == errorToIgnore ) ) {
+ 					Debug( debug_level,
+ 						   "TLS: Warning: ignoring error for certificate [%s] - error %ld:%s.\n",
+-- 
+1.7.10.4
+
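Review bot: The save/restore pair `PRErrorCode orig_error = PR_GetError();` … `PR_SetError(orig_error, orig_oserror);` only covers the straight-line path through the self-issued-CA branch; the lines between the two nested hunks (old 1025–1035) are not visible here, and if anything in them leaves the branch early (break, goto, return) the original verification error would still be discarded, which is worth confirming against the full function. The enclosing tlsm_verify_cert() starts and ends outside this hunk. The reason for the pair is not stated in the code; a short comment above the first added line would keep it from being "simplified" away later, e.g. `/* tlsm_get_basic_constraint_extension() may clobber the NSS error; keep the original so the reported verification failure is the real one */`. The four added blank lines (before and after each pair) are pure noise in an otherwise tightly written block and could be dropped.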
diff --git a/openldap.spec b/openldap.spec
index 90ed8ae..53b0a03 100644
--- a/openldap.spec
+++ b/openldap.spec
@@ -9,7 +9,7 @@
 
 Name: openldap
 Version: 2.4.26
-Release: 7%{?dist}
+Release: 8%{?dist}
 Summary: LDAP support libraries
 Group: System Environment/Daemons
 License: OpenLDAP
@@ -45,6 +45,7 @@ Patch19: openldap-syncrepl-unset-tls-options.patch
 Patch20: openldap-nss-deferred-init-copy-params.patch
 Patch21: openldap-nss-segfault-key-not-set.patch
 Patch22: openldap-ld_defconn-rebind.patch
+Patch23: openldap-nss-dont-overwrite-verify-cert-error.patch
 
 # patches for the evolution library (see README.evolution)
 Patch200: openldap-evolution-ntlm.patch
@@ -160,6 +161,7 @@ pushd openldap-%{version}
 %patch20 -p1 -b .nss-deferred-init-copy-params
 %patch21 -p1 -b .nss-segfault-key-not-set
 %patch22 -p1 -b .ld_defconn-rebind
+%patch23 -p1 -b .nss-dont-overwrite-verify-cert-error
 
 cp %{_datadir}/libtool/config/config.{sub,guess} build/
 
@@ -685,6 +687,9 @@ exit 0
 %attr(0644,root,root)      %{evolution_connector_libdir}/*.a
 
 %changelog
+* Wed Jun 27 2012 Jan Vcelak <jvcelak at redhat.com> 2.4.26-8
+- fix: TLS error messages overwriting in tlsm_verify_cert() (#810462)
+
 * Mon Mar 26 2012 Jan Synáček <jsynacek at redhat.com> 2.4.26-7
 - fix: Re-binding to a failed connection can segfault (#784989)
 

