[openldap] fix update: libldap does not load PEM certificate if certdb is used as TLS_CACERTDIR

jvcelak jvcelak at fedoraproject.org
Wed Oct 31 11:51:00 UTC 2012


commit 4b460cc8c89541dfa3896be95d900d427a83c751
Author: Jan Vcelak <jvcelak at redhat.com>
Date:   Wed Oct 31 12:50:15 2012 +0100

    fix update: libldap does not load PEM certificate if certdb is used as TLS_CACERTDIR
    
    Resolves: #857455

 openldap-nss-certs-from-certdb-fallback-pem.patch |   26 +++++++++++---------
 openldap.spec                                     |    5 +++-
 2 files changed, 18 insertions(+), 13 deletions(-)
---
diff --git a/openldap-nss-certs-from-certdb-fallback-pem.patch b/openldap-nss-certs-from-certdb-fallback-pem.patch
index 6a81d94..d58b76a 100644
--- a/openldap-nss-certs-from-certdb-fallback-pem.patch
+++ b/openldap-nss-certs-from-certdb-fallback-pem.patch
@@ -11,12 +11,8 @@ Author: Jan Vcelak <jvcelak at redhat.com>
 Upstream ITS: #7389
 Resolves: #857455
 
----
- libraries/libldap/tls_m.c | 33 ++++++++++++++++++++-------------
- 1 file changed, 20 insertions(+), 13 deletions(-)
-
 diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c
-index 61d71d4..49a3f8f 100644
+index 61d71d4..f15f0bc 100644
 --- a/libraries/libldap/tls_m.c
 +++ b/libraries/libldap/tls_m.c
 @@ -1412,7 +1412,7 @@ tlsm_ctx_load_private_key( tlsm_ctx *ctx )
@@ -56,16 +52,23 @@ index 61d71d4..49a3f8f 100644
  			char *tmp_certname;
  
  			if ( tlsm_is_tokenname_certnick( lt->lt_certfile )) {
-@@ -2382,9 +2374,24 @@ tlsm_deferred_ctx_init( void *arg )
+@@ -2382,8 +2374,31 @@ tlsm_deferred_ctx_init( void *arg )
  				Debug( LDAP_DEBUG_ANY,
  					   "TLS: error: the certificate '%s' could not be found in the database - error %d:%s.\n",
  					   lt->lt_certfile, errcode, PR_ErrorToString( errcode, PR_LANGUAGE_I_DEFAULT ) );
--				return -1;
- 			}
- 		}
++			}
++		}
 +
 +		/* fallback to PEM module (lt_certfile is filename) */
-+		if ( !ctx->tc_certificate && pem_module ) {
++		if ( !ctx->tc_certificate ) {
++			if ( !pem_module && tlsm_init_pem_module() ) {
++				int pem_errcode = PORT_GetError();
++				Debug( LDAP_DEBUG_ANY,
++					   "TLS: fallback to PEM impossible, module cannot be loaded - error %d:%s.\n",
++					   pem_errcode, PR_ErrorToString( pem_errcode, PR_LANGUAGE_I_DEFAULT ), 0 );
+ 				return -1;
+ 			}
++
 +			/* this sets ctx->tc_certificate to the correct value */
 +			if ( !tlsm_add_cert_from_file( ctx, lt->lt_certfile, PR_FALSE ) ) {
 +				ctx->tc_using_pem = PR_TRUE;
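Review bot: The Debug call kept as context at the top of this hunk ("TLS: error: the certificate '%s' could not be found in the database ...") still reports the nickname lookup failure as an error at LDAP_DEBUG_ANY, yet the new code no longer returns at that point and a successful PEM fallback leaves that message in the log. Rewording it to describe the new behaviour, e.g. `"TLS: the certificate '%s' could not be found in the database (error %d:%s), trying to load it as a PEM file.\n"`, would stop operators chasing a condition that is no longer fatal. The new failure branch assumes tlsm_init_pem_module() returns non-zero on failure and leaves the NSPR error readable via PORT_GetError(); that convention is not visible here, so a one-line comment such as `/* tlsm_init_pem_module() returns non-zero on failure and sets the NSPR error */` would make the check self-explanatory if it holds. The enclosing tlsm_deferred_ctx_init() begins and ends outside this hunk.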
@@ -78,10 +81,9 @@ index 61d71d4..49a3f8f 100644
 +				   ctx->tc_using_pem ? "PEM file" : "moznss database", 0);
 +		} else {
 +			return -1;
-+		}
+ 		}
  	}
  
- 	if ( lt->lt_keyfile ) {
 -- 
 1.7.11.7
 
diff --git a/openldap.spec b/openldap.spec
index 2975b8e..2344d51 100644
--- a/openldap.spec
+++ b/openldap.spec
@@ -8,7 +8,7 @@
 
 Name: openldap
 Version: 2.4.33
-Release: 2%{?dist}
+Release: 3%{?dist}
 Summary: LDAP support libraries
 Group: System Environment/Daemons
 License: OpenLDAP
@@ -620,6 +620,9 @@ exit 0
 %{evolution_connector_prefix}/
 
 %changelog
+* Wed Oct 31 2012 Jan Vcelak <jvcelak at redhat.com> 2.4.33-3
+- fix update: libldap does not load PEM certificate if certdb is used as TLS_CACERTDIR (#857455)
+
 * Fri Oct 12 2012 Jan Vcelak <jvcelak at redhat.com> 2.4.33-2
 - fix: slapd with rwm overlay segfault following ldapmodify (#865685)
 

