openldap/sme9/openldap-nss-hashed-cacertdir-filename-matching.patch

fix: not all certificates in OpenSSL compatible CA certificate directory format are loaded

CA certificate files in OpenSSL compatible CACERTDIR were loaded if the
file extension was '.0'. However the file name should be 8 letters long
certificate hash of the certificate subject name, followed by a numeric
suffix which is used to differentiate between two certificates with the
same subject name.

Wit this patch, certificate file names are matched correctly (using
regular expressions).

Author: Jan Vcelak <jvcelak@redhat.com>
Upstream ITS: #7374
Resolves: #811468

diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c
index 5e49fc5..61d71d4 100644
--- a/libraries/libldap/tls_m.c
+++ b/libraries/libldap/tls_m.c
@@ -38,6 +38,7 @@
 #include <ac/unistd.h>
 #include <ac/param.h>
 #include <ac/dirent.h>
+#include <ac/regex.h>
 
 #include "ldap-int.h"
 #include "ldap-tls.h"
@@ -118,9 +119,7 @@ static const PRIOMethods tlsm_PR_methods;
 
 #define PEM_LIBRARY    "nsspem"
 #define PEM_MODULE     "PEM"
-/* hash files for use with cacertdir have this file name suffix */
-#define PEM_CA_HASH_FILE_SUFFIX        ".0"
-#define PEM_CA_HASH_FILE_SUFFIX_LEN 2
+#define PEM_CA_HASH_FILE_REGEX "^[0-9a-f]{8}\\.[0-9]+$"
 
 static SECMODModule *pem_module;
 
@@ -1541,6 +1540,7 @@ tlsm_init_ca_certs( tlsm_ctx *ctx, const char *cacertfile, const char *cacertdir
                PRDir *dir;
                PRDirEntry *entry;
                PRStatus fistatus = PR_FAILURE;
+               regex_t hashfile_re;
 
                memset( &fi, 0, sizeof(fi) );
                fistatus = PR_GetFileInfo( cacertdir, &fi );
@@ -1570,20 +1570,30 @@ tlsm_init_ca_certs( tlsm_ctx *ctx, const char *cacertfile, const char *cacertdir
                        goto done;
                }
 
+               if ( regcomp( &hashfile_re, PEM_CA_HASH_FILE_REGEX, REG_NOSUB|REG_EXTENDED ) != 0 ) {
+                       Debug( LDAP_DEBUG_ANY, "TLS: cannot compile regex for CA hash files matching\n", 0, 0, 0 );
+                       goto done;
+               }
+
                do {
                        entry = PR_ReadDir( dir, PR_SKIP_BOTH | PR_SKIP_HIDDEN );
                        if ( ( NULL != entry ) && ( NULL != entry->name ) ) {
                                char *fullpath = NULL;
-                               char *ptr;
+                               int match;
 
-                               ptr = PL_strrstr( entry->name, PEM_CA_HASH_FILE_SUFFIX );
-                               if ( ( ptr == NULL ) || ( *(ptr + PEM_CA_HASH_FILE_SUFFIX_LEN) != '\0' ) ) {
+                               match = regexec( &hashfile_re, entry->name, 0, NULL, 0 );
+                               if ( match == REG_NOMATCH ) {
                                        Debug( LDAP_DEBUG_TRACE,
-                                                  "TLS: file %s does not end in [%s] - does not appear to be a CA certificate "
-                                                  "directory file with a properly hashed file name - skipping.\n",
-                                                  entry->name, PEM_CA_HASH_FILE_SUFFIX, 0 );
+                                                  "TLS: skipping '%s' - filename does not have expected format "
+                                                  "(certificate hash with numeric suffix)\n", entry->name, 0, 0 );
+                                       continue;
+                               } else if ( match != 0 ) {
+                                       Debug( LDAP_DEBUG_ANY,
+                                                  "TLS: cannot execute regex for CA hash file matching (%d).\n",
+                                                  match, 0, 0 );
                                        continue;
                                }
+
                                fullpath = PR_smprintf( "%s/%s", cacertdir, entry->name );
                                if ( !tlsm_add_cert_from_file( ctx, fullpath, isca ) ) {
                                        Debug( LDAP_DEBUG_TRACE,
@@ -1599,6 +1609,7 @@ tlsm_init_ca_certs( tlsm_ctx *ctx, const char *cacertfile, const char *cacertdir
                                PR_smprintf_free( fullpath );
                        }
                } while ( NULL != entry );
+               regfree ( &hashfile_re );
                PR_CloseDir( dir );
        }
 done:
-- 
1.7.11.4

1	vip-ire	1.1	fix: not all certificates in OpenSSL compatible CA certificate directory format are loaded
2
3			CA certificate files in OpenSSL compatible CACERTDIR were loaded if the
4			file extension was '.0'. However the file name should be 8 letters long
5			certificate hash of the certificate subject name, followed by a numeric
6			suffix which is used to differentiate between two certificates with the
7			same subject name.
8
9			Wit this patch, certificate file names are matched correctly (using
10			regular expressions).
11
12			Author: Jan Vcelak <jvcelak@redhat.com>
13			Upstream ITS: #7374
14			Resolves: #811468
15
16			diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c
17			index 5e49fc5..61d71d4 100644
18			--- a/libraries/libldap/tls_m.c
19			+++ b/libraries/libldap/tls_m.c
20			@@ -38,6 +38,7 @@
21			#include <ac/unistd.h>
22			#include <ac/param.h>
23			#include <ac/dirent.h>
24			+#include <ac/regex.h>
25
26			#include "ldap-int.h"
27			#include "ldap-tls.h"
28			@@ -118,9 +119,7 @@ static const PRIOMethods tlsm_PR_methods;
29
30			#define PEM_LIBRARY "nsspem"
31			#define PEM_MODULE "PEM"
32			-/* hash files for use with cacertdir have this file name suffix */
33			-#define PEM_CA_HASH_FILE_SUFFIX ".0"
34			-#define PEM_CA_HASH_FILE_SUFFIX_LEN 2
35			+#define PEM_CA_HASH_FILE_REGEX "^[0-9a-f]{8}\\.[0-9]+$"
36
37			static SECMODModule *pem_module;
38
39			@@ -1541,6 +1540,7 @@ tlsm_init_ca_certs( tlsm_ctx ctx, const char cacertfile, const char *cacertdir
40			PRDir *dir;
41			PRDirEntry *entry;
42			PRStatus fistatus = PR_FAILURE;
43			+ regex_t hashfile_re;
44
45			memset( &fi, 0, sizeof(fi) );
46			fistatus = PR_GetFileInfo( cacertdir, &fi );
47			@@ -1570,20 +1570,30 @@ tlsm_init_ca_certs( tlsm_ctx ctx, const char cacertfile, const char *cacertdir
48			goto done;
49			}
50
51			+ if ( regcomp( &hashfile_re, PEM_CA_HASH_FILE_REGEX, REG_NOSUB\|REG_EXTENDED ) != 0 ) {
52			+ Debug( LDAP_DEBUG_ANY, "TLS: cannot compile regex for CA hash files matching\n", 0, 0, 0 );
53			+ goto done;
54			+ }
55			+
56			do {
57			entry = PR_ReadDir( dir, PR_SKIP_BOTH \| PR_SKIP_HIDDEN );
58			if ( ( NULL != entry ) && ( NULL != entry->name ) ) {
59			char *fullpath = NULL;
60			- char *ptr;
61			+ int match;
62
63			- ptr = PL_strrstr( entry->name, PEM_CA_HASH_FILE_SUFFIX );
64			- if ( ( ptr == NULL ) \|\| ( *(ptr + PEM_CA_HASH_FILE_SUFFIX_LEN) != '\0' ) ) {
65			+ match = regexec( &hashfile_re, entry->name, 0, NULL, 0 );
66			+ if ( match == REG_NOMATCH ) {
67			Debug( LDAP_DEBUG_TRACE,
68			- "TLS: file %s does not end in [%s] - does not appear to be a CA certificate "
69			- "directory file with a properly hashed file name - skipping.\n",
70			- entry->name, PEM_CA_HASH_FILE_SUFFIX, 0 );
71			+ "TLS: skipping '%s' - filename does not have expected format "
72			+ "(certificate hash with numeric suffix)\n", entry->name, 0, 0 );
73			+ continue;
74			+ } else if ( match != 0 ) {
75			+ Debug( LDAP_DEBUG_ANY,
76			+ "TLS: cannot execute regex for CA hash file matching (%d).\n",
77			+ match, 0, 0 );
78			continue;
79			}
80			+
81			fullpath = PR_smprintf( "%s/%s", cacertdir, entry->name );
82			if ( !tlsm_add_cert_from_file( ctx, fullpath, isca ) ) {
83			Debug( LDAP_DEBUG_TRACE,
84			@@ -1599,6 +1609,7 @@ tlsm_init_ca_certs( tlsm_ctx ctx, const char cacertfile, const char *cacertdir
85			PR_smprintf_free( fullpath );
86			}
87			} while ( NULL != entry );
88			+ regfree ( &hashfile_re );
89			PR_CloseDir( dir );
90			}
91			done:
92			--
93			1.7.11.4
94