[Fedora-directory-commits] ldapserver/ldap/servers/slapd ssl.c, 1.22, 1.23
Richard Allen Megginson
rmeggins at fedoraproject.org
Wed Jan 28 21:59:43 UTC 2009
- Previous message (by thread): [Fedora-directory-commits] adminserver/admserv/newinst/src AdminServer.pm.in, 1.14, 1.15 adminserver.map.in, 1.10, 1.11
- Next message (by thread): [Fedora-directory-commits] ldapserver/ldap/servers/slapd/tools/rsearch rsearch.c, 1.5, 1.6 rsearch.h, 1.4, 1.5 searchthread.c, 1.6, 1.7
- Messages sorted by:
[ date ]
[ thread ]
[ subject ]
[ author ]
Author: rmeggins
Update of /cvs/dirsec/ldapserver/ldap/servers/slapd
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv27785/ldapserver/ldap/servers/slapd
Modified Files:
ssl.c
Log Message:
Resolves: bug 482909
Bug Description: server seg fault if doing SSLCLIENTAUTH without being an ssl server
Reviewed by: nkinder (Thanks!)
Fix Description: When I changed the code to allow the DS to be an SSL client without having to be an SSL server, I missed the svrcore setup for EXTERNAL (ssl client auth). The fix is to check to see if svrcore has been set up, and initialize it if not, before attempting to use it.
Platforms tested: RHEL5
Flag Day: no
Doc impact: no
Index: ssl.c
===================================================================
RCS file: /cvs/dirsec/ldapserver/ldap/servers/slapd/ssl.c,v
retrieving revision 1.22
retrieving revision 1.23
diff -u -r1.22 -r1.23
--- ssl.c 13 Jan 2009 19:01:10 -0000 1.22
+++ ssl.c 28 Jan 2009 21:59:41 -0000 1.23
@@ -473,18 +473,11 @@
return rv;
}
-/*
- * slapd_ssl_init() is called from main() if we plan to listen
- * on a secure port.
- */
-int
-slapd_ssl_init() {
+static int
+svrcore_setup()
+{
PRErrorCode errorCode;
- char ** family_list;
- char *val = NULL;
- char cipher_string[1024];
int rv = 0;
- PK11SlotInfo *slot;
#ifndef _WIN32
SVRCOREStdPinObj *StdPinObj;
#else
@@ -492,40 +485,11 @@
SVRCOREAltPinObj *AltPinObj;
SVRCORENTUserPinObj *NTUserPinObj;
#endif
- Slapi_Entry *entry = NULL;
-
- /* Get general information */
-
- getConfigEntry( configDN, &entry );
-
- val = slapi_entry_attr_get_charptr( entry, "nssslSessionTimeout" );
- ciphers = slapi_entry_attr_get_charptr( entry, "nsssl3ciphers" );
-
- /* We are currently using the value of sslSessionTimeout
- for ssl3SessionTimeout, see SSL_ConfigServerSessionIDCache() */
- /* Note from Tom Weinstein on the meaning of the timeout:
-
- Timeouts are in seconds. '0' means use the default, which is
- 24hrs for SSL3 and 100 seconds for SSL2.
- */
-
- if(!val) {
- errorCode = PR_GetError();
- slapd_SSL_warn("Security Initialization: Failed to retrieve SSL "
- "configuration information ("
- SLAPI_COMPONENT_NAME_NSPR " error %d - %s): "
- "nssslSessionTimeout: %s ",
- errorCode, slapd_pr_strerror(errorCode),
- (val ? "found" : "not found"));
- slapi_ch_free((void **) &val);
- slapi_ch_free((void **) &ciphers);
- return -1;
- }
-
- stimeout = atoi(val);
- slapi_ch_free((void **) &val);
-
#ifndef _WIN32
+ StdPinObj = (SVRCOREStdPinObj *)SVRCORE_GetRegisteredPinObj();
+ if (StdPinObj) {
+ return 0; /* already registered */
+ }
if ( SVRCORE_CreateStdPinObj(&StdPinObj, dongle_file_name, PR_TRUE) !=
SVRCORE_Success) {
errorCode = PR_GetError();
@@ -536,6 +500,10 @@
}
SVRCORE_RegisterPinObj((SVRCOREPinObj *)StdPinObj);
#else
+ AltPinObj = (SVRCOREAltPinObj *)SVRCORE_GetRegisteredPinObj();
+ if (AltPinObj) {
+ return 0; /* already registered */
+ }
if (SVRCORE_CreateFilePinObj(&FilePinObj, dongle_file_name) !=
SVRCORE_Success) {
errorCode = PR_GetError();
@@ -563,6 +531,58 @@
#endif /* _WIN32 */
+ return rv;
+}
+
+/*
+ * slapd_ssl_init() is called from main() if we plan to listen
+ * on a secure port.
+ */
+int
+slapd_ssl_init() {
+ PRErrorCode errorCode;
+ char ** family_list;
+ char *val = NULL;
+ char cipher_string[1024];
+ int rv = 0;
+ PK11SlotInfo *slot;
+ Slapi_Entry *entry = NULL;
+
+ /* Get general information */
+
+ getConfigEntry( configDN, &entry );
+
+ val = slapi_entry_attr_get_charptr( entry, "nssslSessionTimeout" );
+ ciphers = slapi_entry_attr_get_charptr( entry, "nsssl3ciphers" );
+
+ /* We are currently using the value of sslSessionTimeout
+ for ssl3SessionTimeout, see SSL_ConfigServerSessionIDCache() */
+ /* Note from Tom Weinstein on the meaning of the timeout:
+
+ Timeouts are in seconds. '0' means use the default, which is
+ 24hrs for SSL3 and 100 seconds for SSL2.
+ */
+
+ if(!val) {
+ errorCode = PR_GetError();
+ slapd_SSL_warn("Security Initialization: Failed to retrieve SSL "
+ "configuration information ("
+ SLAPI_COMPONENT_NAME_NSPR " error %d - %s): "
+ "nssslSessionTimeout: %s ",
+ errorCode, slapd_pr_strerror(errorCode),
+ (val ? "found" : "not found"));
+ slapi_ch_free((void **) &val);
+ slapi_ch_free((void **) &ciphers);
+ return -1;
+ }
+
+ stimeout = atoi(val);
+ slapi_ch_free((void **) &val);
+
+ if (svrcore_setup()) {
+ return -1;
+ }
+
if((family_list = getChildren(configDN))) {
char **family;
char *token;
@@ -687,6 +707,10 @@
#ifndef _WIN32
SVRCOREStdPinObj *StdPinObj;
+ if (svrcore_setup()) {
+ return 1;
+ }
+
StdPinObj = (SVRCOREStdPinObj *)SVRCORE_GetRegisteredPinObj();
SVRCORE_SetStdPinInteractive(StdPinObj, PR_FALSE);
#endif
@@ -1159,35 +1183,37 @@
/* Free config data */
+ if (!svrcore_setup()) {
#ifndef _WIN32
- StdPinObj = (SVRCOREStdPinObj *)SVRCORE_GetRegisteredPinObj();
- err = SVRCORE_StdPinGetPin( &pw, StdPinObj, token );
+ StdPinObj = (SVRCOREStdPinObj *)SVRCORE_GetRegisteredPinObj();
+ err = SVRCORE_StdPinGetPin( &pw, StdPinObj, token );
#else
- AltPinObj = (SVRCOREAltPinObj *)SVRCORE_GetRegisteredPinObj();
- pw = SVRCORE_GetPin( (SVRCOREPinObj *)AltPinObj, token, PR_FALSE);
+ AltPinObj = (SVRCOREAltPinObj *)SVRCORE_GetRegisteredPinObj();
+ pw = SVRCORE_GetPin( (SVRCOREPinObj *)AltPinObj, token, PR_FALSE);
#endif
- if ( err != SVRCORE_Success || pw == NULL) {
- errorCode = PR_GetError();
- slapd_SSL_warn("SSL client authentication cannot be used "
- "(no password). (" SLAPI_COMPONENT_NAME_NSPR " error %d - %s)",
- errorCode, slapd_pr_strerror(errorCode));
- } else {
- rc = ldapssl_enable_clientauth (ld, SERVER_KEY_NAME, pw, cert_name);
- if (rc != 0) {
+ if ( err != SVRCORE_Success || pw == NULL) {
errorCode = PR_GetError();
- slapd_SSL_warn("ldapssl_enable_clientauth(%s, %s) %i ("
- SLAPI_COMPONENT_NAME_NSPR " error %d - %s)",
- SERVER_KEY_NAME, cert_name, rc,
- errorCode, slapd_pr_strerror(errorCode));
+ slapd_SSL_warn("SSL client authentication cannot be used "
+ "(no password). (" SLAPI_COMPONENT_NAME_NSPR " error %d - %s)",
+ errorCode, slapd_pr_strerror(errorCode));
} else {
- /* We cannot allow NSS to cache outgoing client auth connections -
- each client auth connection must have it's own non-shared SSL
- connection to the peer so that it will go through the
- entire handshake protocol every time including the use of its
- own unique client cert - see bug 605457
- */
+ rc = ldapssl_enable_clientauth (ld, SERVER_KEY_NAME, pw, cert_name);
+ if (rc != 0) {
+ errorCode = PR_GetError();
+ slapd_SSL_warn("ldapssl_enable_clientauth(%s, %s) %i ("
+ SLAPI_COMPONENT_NAME_NSPR " error %d - %s)",
+ SERVER_KEY_NAME, cert_name, rc,
+ errorCode, slapd_pr_strerror(errorCode));
+ } else {
+ /* We cannot allow NSS to cache outgoing client auth connections -
+ each client auth connection must have it's own non-shared SSL
+ connection to the peer so that it will go through the
+ entire handshake protocol every time including the use of its
+ own unique client cert - see bug 605457
+ */
- ldapssl_set_option(ld, SSL_NO_CACHE, PR_TRUE);
+ ldapssl_set_option(ld, SSL_NO_CACHE, PR_TRUE);
+ }
}
}
- Previous message (by thread): [Fedora-directory-commits] adminserver/admserv/newinst/src AdminServer.pm.in, 1.14, 1.15 adminserver.map.in, 1.10, 1.11
- Next message (by thread): [Fedora-directory-commits] ldapserver/ldap/servers/slapd/tools/rsearch rsearch.c, 1.5, 1.6 rsearch.h, 1.4, 1.5 searchthread.c, 1.6, 1.7
- Messages sorted by:
[ date ]
[ thread ]
[ subject ]
[ author ]
More information about the Fedora-directory-commits
mailing list