/[smeserver]/rpms/openldap/sme9/openldap-nss-hashed-cacertdir-filename-matching.patch

Contents of /rpms/openldap/sme9/openldap-nss-hashed-cacertdir-filename-matching.patch



Revision 1.1 - (show annotations) (download)
Tue Nov 11 00:46:15 2014 UTC (10 years ago) by vip-ire
Branch: MAIN
CVS Tags: openldap-2_4_39-8_el6_sme, HEAD
Import openldap

1 fix: not all certificates in OpenSSL compatible CA certificate directory format are loaded
2
3 CA certificate files in OpenSSL compatible CACERTDIR were loaded if the
4 file extension was '.0'. However the file name should be 8 letters long
5 certificate hash of the certificate subject name, followed by a numeric
6 suffix which is used to differentiate between two certificates with the
7 same subject name.
8
9 With this patch, certificate file names are matched correctly (using
10 regular expressions).
11
12 Author: Jan Vcelak <jvcelak@redhat.com>
13 Upstream ITS: #7374
14 Resolves: #811468
15
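diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c
index 5e49fc5..61d71d4 100644
--- a/libraries/libldap/tls_m.c
+++ b/libraries/libldap/tls_m.c
@@ -38,6 +38,7 @@
 #include <ac/unistd.h>
 #include <ac/param.h>
 #include <ac/dirent.h>
+#include <ac/regex.h>
 
 #include "ldap-int.h"
 #include "ldap-tls.h"
@@ -118,9 +119,7 @@ static const PRIOMethods tlsm_PR_methods;
 
 #define PEM_LIBRARY "nsspem"
 #define PEM_MODULE "PEM"
-/* hash files for use with cacertdir have this file name suffix */
-#define PEM_CA_HASH_FILE_SUFFIX ".0"
-#define PEM_CA_HASH_FILE_SUFFIX_LEN 2
+#define PEM_CA_HASH_FILE_REGEX "^[0-9a-f]{8}\\.[0-9]+$"
 
 static SECMODModule *pem_module;
 
@@ -1541,6 +1540,7 @@ tlsm_init_ca_certs( tlsm_ctx *ctx, const char *cacertfile, const char *cacertdir
 PRDir *dir;
 PRDirEntry *entry;
 PRStatus fistatus = PR_FAILURE;
+ regex_t hashfile_re;
 
 memset( &fi, 0, sizeof(fi) );
 fistatus = PR_GetFileInfo( cacertdir, &fi );
@@ -1570,20 +1570,30 @@ tlsm_init_ca_certs( tlsm_ctx *ctx, const char *cacertfile, const char *cacertdir
 goto done;
 }
 
+ if ( regcomp( &hashfile_re, PEM_CA_HASH_FILE_REGEX, REG_NOSUB|REG_EXTENDED ) != 0 ) {
+ Debug( LDAP_DEBUG_ANY, "TLS: cannot compile regex for CA hash files matching\n", 0, 0, 0 );
+ goto done;
+ }
+
 do {
 entry = PR_ReadDir( dir, PR_SKIP_BOTH | PR_SKIP_HIDDEN );
 if ( ( NULL != entry ) && ( NULL != entry->name ) ) {
 char *fullpath = NULL;
- char *ptr;
+ int match;
 
- ptr = PL_strrstr( entry->name, PEM_CA_HASH_FILE_SUFFIX );
- if ( ( ptr == NULL ) || ( *(ptr + PEM_CA_HASH_FILE_SUFFIX_LEN) != '\0' ) ) {
+ match = regexec( &hashfile_re, entry->name, 0, NULL, 0 );
+ if ( match == REG_NOMATCH ) {
 Debug( LDAP_DEBUG_TRACE,
- "TLS: file %s does not end in [%s] - does not appear to be a CA certificate "
- "directory file with a properly hashed file name - skipping.\n",
- entry->name, PEM_CA_HASH_FILE_SUFFIX, 0 );
+ "TLS: skipping '%s' - filename does not have expected format "
+ "(certificate hash with numeric suffix)\n", entry->name, 0, 0 );
+ continue;
+ } else if ( match != 0 ) {
+ Debug( LDAP_DEBUG_ANY,
+ "TLS: cannot execute regex for CA hash file matching (%d).\n",
+ match, 0, 0 );
 continue;
 }
+
 fullpath = PR_smprintf( "%s/%s", cacertdir, entry->name );
 if ( !tlsm_add_cert_from_file( ctx, fullpath, isca ) ) {
 Debug( LDAP_DEBUG_TRACE,
@@ -1599,6 +1609,7 @@ tlsm_init_ca_certs( tlsm_ctx *ctx, const char *cacertfile, const char *cacertdir
 PR_smprintf_free( fullpath );
 }
 } while ( NULL != entry );
+ regfree ( &hashfile_re );
 PR_CloseDir( dir );
 }
 done: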
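Review bot: The `goto done` in the new regcomp failure branch at the top of the @@ -1570 hunk jumps past the `PR_CloseDir( dir )` that the last hunk shows sitting inside the same block before `done:`, so if, as the preceding `goto done; }` suggests, the directory has already been opened with PR_OpenDir at that point, its handle is leaked on that path; the lines between the hunks are not visible here, so whether `done:` releases it some other way is inferred rather than seen. The minimal fix is to release it before leaving, `PR_CloseDir( dir );` immediately ahead of that `goto done;`, or to move the regcomp call above the PR_OpenDir so that nothing needs releasing when it fails. A short comment on that branch, `/* regcomp failed: nothing to regfree, but the open directory must still be closed */`, would keep a later reader from pairing it with a regfree on an uninitialised regex_t instead. tlsm_init_ca_certs begins and ends outside these hunks.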
92 --
93 1.7.11.4
94
