From 72648118471c4848f11212d85d0f57da800321d6 Mon Sep 17 00:00:00 2001
From: Matúš Honěk
Date: Feb 07 2018 17:01:42 +0000
Subject: MozNSS Compat. Layer: fix incorrect parsing of CACertDir NSS DB type prefix was not taken into account at all. Due to this the path might not have been stat-ed. Thus, last part of the path would have been considered an NSS DB name prefix which would be incorrect. (cherry picked from commit 7f41b4a1ffe61c03d65896d82fc6b72a2710c492) (originally #1533955) Related: #1400570
---
diff --git a/openldap-tlsmc.patch b/openldap-tlsmc.patch
index dc5ce33..b498a41 100644
--- a/openldap-tlsmc.patch
+++ b/openldap-tlsmc.patch
@@ -1,7 +1,7 @@ MozNSS Interception Code Author: Matus Honek -Date: Wed Jan 31 21:44:47 CET 2018 +Date: Wed Jan 31 22:08:28 CET 2018 diff --git a/configure.in b/configure.in --- a/configure.in +++ b/configure.in
@@ -283,7 +283,7 @@ diff --git a/libraries/libldap/tls_mc.c b/libraries/libldap/tls_mc.c new file mode 100644 --- /dev/null +++ b/libraries/libldap/tls_mc.c -@@ -0,0 +1,1316 @@ +@@ -0,0 +1,1345 @@ +#include "portable.h" + +#ifdef HAVE_MOZNSS_COMPATIBILITY
@@ -484,33 +484,61 @@ new file mode 100644 + +/* BORROWED FROM tls_m.c */ +static void -+tlsmc_get_certdb_prefix( const char *certdir, char **realcertdir, char **prefix ) ++tlsmc_get_certdb_prefix( const char *certdir, char **nsscertdir, char **realcertdir, char **prefix ) +{ + char sep = PR_GetDirectorySeparator(); + char *ptr = NULL; ++ char *chkpath = NULL; + struct PRFileInfo prfi; + PRStatus prc; + + *realcertdir = (char *)certdir; /* default is the one passed in */ ++ ++ /* if certdir is not given, just return */ + if ( !certdir ) return; + -+ prc = PR_GetFileInfo( certdir, &prfi ); ++ *nsscertdir = certdir; ++ ++ /* ignore database type prefix (e.g. sql:, dbm:) if provided */ ++ if ( NULL != ( chkpath = strchr( certdir, ':' ) ) ) { ++ *realcertdir = chkpath + 1; ++ } ++ + /* if certdir exists (file or directory) then it cannot specify a prefix */ ++ prc = PR_GetFileInfo( *realcertdir, &prfi ); + if ( prc == PR_SUCCESS ) { -+ /* and drop potential last '/' */ -+ ptr = strrchr( *realcertdir, sep ); -+ if ( ptr && (! 
*(ptr+1) ) ) { -+ *ptr = '\0'; -+ } -+ return; ++ goto finish; + } + + /* if certdir was given, and there is a '/' in certdir, see if there + is anything after the last '/' - if so, assume it is the prefix */ -+ if ( ( ( ptr = strrchr( certdir, sep ) ) ) && *(ptr+1) ) { -+ *realcertdir = PL_strndup( certdir, ptr-certdir ); -+ *prefix = PL_strdup( ptr+1 ); ++ /* if ( ( ( ptr = strrchr( *realcertdir, sep ) ) ) && *(ptr + 1) ) { */ ++ /* *realcertdir = PL_strndup( *realcertdir, ptr - (*realcertdir) ); */ ++ /* *prefix = PL_strdup( ptr + 1 ); */ ++ /* } */ ++ ++ ++ if ( ptr = strrchr( *realcertdir, sep ) ) { ++ if ( *(ptr + 1) ) { ++ *ptr = '\0'; ++ *prefix = ptr + 1; ++ } else { ++ *prefix = *realcertdir + strlen( *realcertdir ); // empty string ++ } ++ } else { ++ *prefix = *realcertdir; ++ *realcertdir = *prefix + strlen( *prefix ); // empty string + } ++finish: ++ /* drop potential last '/' from realcertdir */ ++ do { ++ ptr = strrchr( *realcertdir, sep ); ++ if ( ptr && (! *(ptr+1) ) ) { ++ *ptr = '\0'; ++ } else { ++ break; ++ } ++ } while (1); + + return; +} @@ -748,17 +776,18 @@ new file mode 100644 + for ( ii = 0; !done && ( ii < SECURITYDIRS_COUNT ); ++ii ) { + // get certdb prefix + const char *securitydir = securitydirs[ii]; ++ char *nsscertdir = NULL; + char *realcertdir = NULL; + const char *defprefix = ""; + char *prefix = (char *)defprefix; + if ( securitydir == NULL ) continue; -+ tlsmc_get_certdb_prefix( securitydir, &realcertdir, &prefix ); //FIXME ++ tlsmc_get_certdb_prefix( securitydir, &nsscertdir, &realcertdir, &prefix ); + *out_nssdb_dir = strdup( realcertdir ); + *out_nssdb_prefix = strdup( prefix ); + + Debug( LDAP_DEBUG_TRACE, + "tlsmc_open_nssdb: INFO: trying to initialize moznss using security dir `%s` prefix `%s`.\n", -+ realcertdir, prefix, NULL); ++ nsscertdir, prefix, NULL); + + // init context + NSSInitContext *initctx = NULL; 
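Review bot: `tlsmc_get_certdb_prefix` now separates the directory from the prefix by writing `*ptr = '\0'` into the string that `certdir` points to, although the parameter is `const char *` — it is the caller's `securitydirs[ii]` buffer, and `*nsscertdir = certdir;` (which also discards the const qualifier) points at the same bytes. If any `securitydirs` entry is a string literal or otherwise read-only that write is undefined behaviour, and the value of `nsscertdir` handed to `NSS_InitContext` in the `@@ -766,7 +795,7 @@` hunk is only right because of that aliasing: in the branch with no separator nothing is truncated, so `nsscertdir` presumably still carries the whole `sql:name` string while `*realcertdir` is left empty. I would either take a private copy with `PL_strdup` before splitting and have the caller free it, or at least state the contract on the function, e.g. `/* NOTE: splits certdir in place; *nsscertdir aliases certdir and is truncated together with *realcertdir */`. Separately, the type-prefix scan `strchr( certdir, ':' )` accepts any colon anywhere in the path rather than the `sql:`/`dbm:` forms the comment names, the commented-out copy of the old strrchr block should be dropped rather than kept, and `if ( ptr = strrchr( *realcertdir, sep ) )` wants the extra parentheses `if ( ( ptr = strrchr( *realcertdir, sep ) ) )` to mark the assignment as deliberate.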
@@ -766,7 +795,7 @@ new file mode 100644 + memset( &initparams, 0, sizeof( initparams ) ); + initparams.length = sizeof( initparams ); + -+ initctx = NSS_InitContext( realcertdir, ++ initctx = NSS_InitContext( nsscertdir, + prefix, + prefix, + SECMOD_DB,
diff --git a/openldap.spec b/openldap.spec
index 449b06f..4dc831e 100644
--- a/openldap.spec
+++ b/openldap.spec
@@ -518,6 +518,7 @@ exit 0 %changelog * Wed Feb 7 2018 Matus Honek - 2.4.45-7 - MozNSS Compat. Layer fixes (#1400570) + - fix incorrect parsing of CACertDir (orig. #1533955) - fix PIN disclaimer not always shown (orig. #1516409) - fix recursive directory deletion (orig. #1516409) - Ensure consistency of a PEM dir before usage (orig. #1516409)