From 716f3439ac316da68943eb3b2192f84932cd35e7 Mon Sep 17 00:00:00 2001 From: Matúš Honěk Date: Feb 07 2018 16:36:46 +0000 Subject: MozNSS Compat. Layer: Ensure consistency of a PEM dir before usage + Warn just before use of a PIN about key file extraction (cherry picked from commit 856ec5d38c45ffe71774a4d86a36177d3c4ca372) (originally #1516409) Related: #1400570 --- diff --git a/openldap-tlsmc.patch b/openldap-tlsmc.patch index c6957d8..8261e6b 100644 --- a/openldap-tlsmc.patch +++ b/openldap-tlsmc.patch @@ -1,7 +1,7 @@ MozNSS Interception Code Author: Matus Honek -Date: Wed Jan 10 23:30:56 CET 2018 +Date: Thu Jan 11 01:00:55 CET 2018 diff --git a/configure.in b/configure.in --- a/configure.in +++ b/configure.in @@ -283,7 +283,7 @@ diff --git a/libraries/libldap/tls_mc.c b/libraries/libldap/tls_mc.c new file mode 100644 --- /dev/null +++ b/libraries/libldap/tls_mc.c -@@ -0,0 +1,1211 @@ +@@ -0,0 +1,1308 @@ +#include "portable.h" + +#ifdef HAVE_MOZNSS_COMPATIBILITY @@ -392,6 +392,88 @@ new file mode 100644 +} + + ++int ++tlsmc_remove_dir_recursively( char *dir_name ) ++{ ++ int rv = 0; ++ PRDir *dir = NULL; ++ PRDirEntry *entry = NULL; ++ char *full_path = NULL; ++ ++ Debug( LDAP_DEBUG_TRACE, ++ "tlsmc_remove_dir_recursively: INFO: starting recursively removing directory `%s'.\n", ++ dir_name, 0, 0 ); ++ if ( NULL == ( dir = PR_OpenDir( dir_name ) ) ) { ++ Debug( LDAP_DEBUG_ANY, ++ "tlsmc_remove_dir_recursively: WARN: could not open directory `%s'.\n", ++ dir_name, 0, 0 ); ++ rv = 0; ++ goto bail; ++ } ++ ++ while ( NULL != ( entry = PR_ReadDir( dir, PR_SKIP_BOTH ) ) ) { ++ PRFileInfo info; ++ PRStatus prv; ++ ++ full_path = NULL; ++ full_path = PR_smprintf( "%s/%s", dir_name, entry->name ); ++ ++ if ( ( PR_SUCCESS == ( prv = PR_GetFileInfo( full_path, &info ) ) ) ) { ++ if ( PR_FILE_DIRECTORY == info.type ) { ++ Debug( LDAP_DEBUG_TRACE, ++ "tlsmc_remove_dir_recursively: INFO: stepping in directory `%s'.\n", ++ full_path, 0, 0 ); ++ if ( 0 == tlsmc_remove_dir_recursively( full_path ) ) { ++ rv = 0; ++ goto bail; ++ } ++ } else { ++ Debug( LDAP_DEBUG_TRACE, ++ "tlsmc_remove_dir_recursively: INFO: removing file `%s'.\n", ++ full_path, 0, 0 ); ++ if ( PR_FAILURE == PR_Delete( full_path ) ) { ++ rv = 0; ++ goto bail; ++ } ++ } ++ } ++ ++ if ( full_path ) { ++ PR_smprintf_free( full_path ); ++ full_path = NULL; ++ } ++ ++ } ++ Debug( LDAP_DEBUG_TRACE, ++ "tlsmc_remove_dir_recursively: INFO: stepping out of directory `%s'.\n", ++ dir_name, 0, 0 ); ++ if ( PR_FAILURE == PR_CloseDir( dir ) ) { ++ Debug( LDAP_DEBUG_ANY, ++ "tlsmc_remove_dir_recursively: WARN: could not close directory `%s'.\n", ++ dir_name, 0, 0 ); ++ rv = 0; ++ goto bail; ++ } ++ ++ Debug( LDAP_DEBUG_TRACE, ++ "tlsmc_remove_dir_recursively: INFO: removing the directory `%s'.\n", ++ dir_name, 0, 0 ); ++ if ( PR_FAILURE == PR_RmDir( dir_name ) ) { ++ Debug( LDAP_DEBUG_ANY, ++ "tlsmc_remove_dir_recursively: WARN: could not remove the directory `%s'.\n", ++ dir_name, 0, 0 ); ++ rv = 0; ++ goto bail; ++ } ++ ++ rv = 1; ++ ++bail: ++ if ( full_path ) PR_smprintf_free( full_path ); ++ return rv; ++} ++ ++ +/* BORROWED FROM tls_m.c */ +static void +tlsmc_get_certdb_prefix( const char *certdir, char **realcertdir, char **prefix ) @@ -552,6 +634,10 @@ new file mode 100644 + char *token_name = NULL; + char *pwdstr = NULL; + ++ Debug( LDAP_DEBUG_ANY, ++ "tlsmc_get_pin: INFO: Please note the extracted key file will not be protected with a PIN any more, however it will be still protected at least by file permissions.\n", ++ 0, 0, 0 ); ++ + token_name = PK11_GetTokenName( slot ); + /* Try to get the passwords from the password file if it exists. + * THIS IS UNSAFE and is provided for convenience only. Without this @@ -1258,7 +1344,6 @@ new file mode 100644 + Debug( LDAP_DEBUG_ANY, + "tlsmc_extract_nssdb: ERROR: could not export user cert and/or key.\n", + 0, 0, 0 ); -+ rv = -1; + goto bail; + } + @@ -1339,6 +1424,12 @@ new file mode 100644 + 0, 0, 0 ); + goto bail; + } ++ if ( NULL == ( readme_path = PR_smprintf( "%s/" TLSMC_README_FILE_NAME, pem_dir ) ) ) { ++ Debug( LDAP_DEBUG_ANY, ++ "tlsmc_convert: FATAL: could not allocate memory.\n", ++ 0, 0, 0 ); ++ goto bail; ++ } + Debug( LDAP_DEBUG_TRACE, + "tlsmc_convert: INFO: trying with PEM dir = `%s'.\n", + pem_dir, 0, 0 ); @@ -1347,7 +1438,19 @@ new file mode 100644 + Debug( LDAP_DEBUG_TRACE, + "tlsmc_convert: INFO: using the existing PEM dir.\n", + 0, 0, 0 ); -+ goto pem_dir_exists; ++ if ( 0 == stat( readme_path, &stat_buf ) ) { ++ goto pem_dir_exists; ++ } else { ++ Debug( LDAP_DEBUG_ANY, ++ "tlsmc_convert: ERROR: the PEM dir found does not contain README file. Will remove the PEM dir and try to recreate it.\n", ++ 0, 0, 0 ); ++ if ( 0 == tlsmc_remove_dir_recursively( pem_dir ) ) { ++ Debug( LDAP_DEBUG_ANY, ++ "tlsmc_convert: FATAL: could not remove the PEM dir. Cannot properly set TLS.\n", ++ 0, 0, 0 ); ++ goto bail; ++ } ++ } + } else { + Debug( LDAP_DEBUG_ANY, + "tlsmc_convert: FATAL: tried to stat the PEM dir but it is not a directory.\n", @@ -1356,7 +1459,7 @@ new file mode 100644 + } + } + Debug( LDAP_DEBUG_TRACE, -+ "tlsmc_convert: WARN: could not find the PEM dir, will try to create it.\n", ++ "tlsmc_convert: WARN: will try to create PEM dir.\n", + 0, 0, 0 ); + if ( 0 == tlsmc_prepare_dir( pem_dir ) ) { + Debug( LDAP_DEBUG_ANY, @@ -1370,12 +1473,6 @@ new file mode 100644 + 0, 0, 0 ); + goto bail; + } -+ if ( NULL == ( readme_path = PR_smprintf( "%s/" TLSMC_README_FILE_NAME, pem_dir ) ) ) { -+ Debug( LDAP_DEBUG_ANY, -+ "tlsmc_convert: FATAL: could not allocate memory.\n", -+ 0, 0, 0 ); -+ goto bail; -+ } + if ( 0 == tlsmc_write_file( readme_path, data, S_IRUSR ) ) { + Debug( LDAP_DEBUG_ANY, + "tlsmc_convert: ERROR: could not create README file.\n", diff --git a/openldap.spec b/openldap.spec index 86a6c9a..8fdf626 100644 --- a/openldap.spec +++ b/openldap.spec @@ -518,6 +518,8 @@ exit 0 %changelog * Wed Feb 7 2018 Matus Honek - 2.4.45-7 - MozNSS Compat. Layer fixes (#1400570) + - Ensure consistency of a PEM dir before usage (orig. #1516409) + + Warn just before use of a PIN about key file extraction - Enable usage of NSS DB with PEM cert/key (orig. #1525485) + Fix a possible invalid dereference (covscan)