From 6468aa6a54e7d31da886090372fc1db41a7f0b14 Mon Sep 17 00:00:00 2001
From: jvcelak
Date: Jul 22 2010 08:11:30 +0000
Subject: Mozilla NSS - delay token auth until needed (#616552)
Mozilla NSS - support use of self signed CA certs as server certs (#614545)
---
diff --git a/openldap-2.4.22-initauthtoken.patch b/openldap-2.4.22-initauthtoken.patch
new file mode 100644
index 0000000..69a2e08
--- /dev/null
+++ b/openldap-2.4.22-initauthtoken.patch
@@ -0,0 +1,44 @@
+#616552 Mozilla NSS - delay token auth until needed
+upstream: http://www.openldap.org/its/index.cgi issue 6595
+
+diff -urNP openldap-2.4.22.old/libraries/libldap/tls_m.c openldap-2.4.22.new/libraries/libldap/tls_m.c
+--- openldap-2.4.22.old/libraries/libldap/tls_m.c 2010-07-22 09:56:58.984806148 +0200
++++ openldap-2.4.22.new/libraries/libldap/tls_m.c 2010-07-22 09:58:19.030686912 +0200
+@@ -930,26 +930,6 @@
+ return rc;
+ }
+
+-static int
+-tlsm_init_tokens( tlsm_ctx *ctx )
+-{
+- PK11SlotList *slotList;
+- PK11SlotListElement *listEntry;
+- int rc = 0;
+-
+- slotList = PK11_GetAllTokens( CKM_INVALID_MECHANISM, PR_FALSE, PR_TRUE, NULL );
+-
+- for ( listEntry = PK11_GetFirstSafe( slotList ); !rc && listEntry;
+- listEntry = PK11_GetNextSafe( slotList, listEntry, PR_FALSE ) ) {
+- PK11SlotInfo *slot = listEntry->slot;
+- rc = tlsm_authenticate_to_slot( ctx, slot );
+- }
+-
+- PK11_FreeSlotList( slotList );
+-
+- return rc;
+-}
+-
+ static SECStatus
+ tlsm_nss_shutdown_cb( void *appData, void *nssData )
+ {
+@@ -1365,10 +1345,6 @@
+
+ PK11_SetPasswordFunc( tlsm_pin_prompt );
+
+- if ( tlsm_init_tokens( ctx ) ) {
+- return -1;
+- }
+-
+ /* register cleanup function */
+ /* delete the old one, if any */
+ NSS_UnregisterShutdown( tlsm_nss_shutdown_cb, NULL );
diff --git a/openldap-2.4.23-selfsignedcacert.patch b/openldap-2.4.23-selfsignedcacert.patch
new file mode 100644
index 0000000..52d91d9
--- /dev/null
+++ b/openldap-2.4.23-selfsignedcacert.patch
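Review bot: Deleting tlsm_init_tokens removes the only call to tlsm_authenticate_to_slot visible in this hunk; if tls_m.c has no other caller, that static function becomes dead code and trips -Wunused-function, so either drop it in the same patch or confirm the on-demand path still reaches it. The new behaviour, token login deferred until NSS needs a key through the callback installed by `PK11_SetPasswordFunc( tlsm_pin_prompt )`, is not stated anywhere in the code; I would add at that line `/* token PINs are requested on demand via tlsm_pin_prompt; no upfront slot login */`. Presumably a wrong or missing PIN no longer fails initialization but surfaces later at certificate or key lookup, which is worth saying in the patch header so operators know where to look. The enclosing init function begins and ends outside the hunk.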
@@ -0,0 +1,51 @@
+#614545 Mozilla NSS - support use of self signed CA certs as server certs
+upstream: http://www.openldap.org/its/index.cgi issue 6589
+
+diff -urNP openldap-2.4.22.old/libraries/libldap/tls_m.c openldap-2.4.22.new/libraries/libldap/tls_m.c
+--- openldap-2.4.22.old/libraries/libldap/tls_m.c 2010-04-15 23:26:00.000000000 +0200
++++ openldap-2.4.22.new/libraries/libldap/tls_m.c 2010-07-22 09:56:58.984806148 +0200
+@@ -1491,11 +1491,40 @@
+ status = CERT_VerifyCertificateNow( ctx->tc_certdb, cert,
+ checkSig, certUsage,
+ pin_arg, NULL );
+- if (status != SECSuccess) {
++ if ( status != SECSuccess ) {
++ /* NSS doesn't like self-signed CA certs that are also used for
++ TLS/SSL server certs (such as generated by openssl req -x509)
++ CERT_VerifyCertificateNow returns SEC_ERROR_UNTRUSTED_ISSUER in that case
++ so, see if the cert and issuer are the same cert
++ */
+ PRErrorCode errcode = PR_GetError();
+- Debug( LDAP_DEBUG_ANY,
+- "TLS: error: the certificate %s is not valid - error %d:%s\n",
+- certname, errcode, PR_ErrorToString( errcode, PR_LANGUAGE_I_DEFAULT ) );
++
++ if ( errcode == SEC_ERROR_UNTRUSTED_ISSUER ) {
++ CERTCertificate *issuer = CERT_FindCertIssuer( cert, PR_Now(), certUsageSSLServer );
++ if ( NULL == issuer ) {
++ /* no issuer - warn and allow */
++ status = SECSuccess;
++ rc = 0;
++ Debug( LDAP_DEBUG_ANY,
++ "TLS: warning: the server certificate %s has no issuer - "
++ "please check this certificate for validity\n",
++ certname, 0, 0 );
++ } else if ( CERT_CompareCerts( cert, issuer ) ) {
++ /* self signed - warn and allow */
++ status = SECSuccess;
++ rc = 0;
++ Debug( LDAP_DEBUG_ANY,
++ "TLS: warning: using self-signed server certificate %s\n",
++ certname, 0, 0 );
++ }
++ CERT_DestroyCertificate( issuer );
++ }
++
++ if ( status != SECSuccess ) {
++ Debug( LDAP_DEBUG_ANY,
++ "TLS: error: the certificate %s is not valid - error %d:%s\n",
++ certname, errcode, PR_ErrorToString( errcode, PR_LANGUAGE_I_DEFAULT ) );
++ }
+ } else {
+ rc = 0; /* success */
+ }
diff --git a/openldap.spec b/openldap.spec
index 3de7edf..c1f5ba2 100644
--- a/openldap.spec
+++ b/openldap.spec
@@ -11,7 +11,7 @@
 Summary: LDAP support libraries
 Name: openldap
 Version: %{version}
-Release: 6%{?dist}
+Release: 7%{?dist}
 License: OpenLDAP
 Group: System Environment/Daemons
 Source0: ftp://ftp.OpenLDAP.org/pub/OpenLDAP/openldap-release/openldap-%{version}.tgz
@@ -39,6 +39,8 @@ Patch12: openldap-2.4.21-dn2id-segfault.patch
 Patch13: openldap-2.4.22-ldif_h.patch
 Patch14: openldap-2.4.22-libldif.patch
 Patch15: openldap-2.4.22-modrdn-segfault.patch
+Patch16: openldap-2.4.23-selfsignedcacert.patch
+Patch17: openldap-2.4.22-initauthtoken.patch
 # Patches for the evolution library
 Patch200: openldap-2.4.6-evolution-ntlm.patch
@@ -139,6 +141,8 @@ pushd openldap-%{version}
 %patch13 -p1 -b .ldif_h
 %patch14 -p1 -b .libldif
 %patch15 -p1 -b .modrdn-segfault
+%patch16 -p1 -b .selfsignedcacert
+%patch17 -p1 -b .initauthtoken
 cp %{_datadir}/libtool/config/config.{sub,guess} build/
 popd
@@ -671,6 +675,10 @@ fi
 %attr(0644,root,root) %{evolution_connector_libdir}/*.a
 %changelog
+* Thu Jul 22 2010 Jan Vcelak 2.4.22-7
+- Mozilla NSS - delay token auth until needed (#616552)
+- Mozilla NSS - support use of self signed CA certs as server certs (#614545)
+
 * Tue Jul 20 2010 Jan Vcelak - 2.4.22-6
 - CVE-2010-0211 openldap: modrdn processing uninitialized pointer free (#605448)
 - CVE-2010-0212 openldap: modrdn processing IA5StringNormalize NULL pointer dereference (#605452)
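Review bot: The `NULL == issuer` branch accepts any certificate whose issuer cannot be found in the certdb, which is wider than the self-signed case the comment describes: a server cert chained to an absent CA now passes this configuration check with only a warning. If the intent is strictly self-signed, gate that branch on the cert's own names matching, e.g. `if ( NULL == issuer && CERT_CompareName( &cert->subject, &cert->issuer ) == SECEqual ) {`, and otherwise leave status as the failure so the existing error path below reports it. Two smaller points: `CERT_FindCertIssuer( cert, PR_Now(), certUsageSSLServer )` hard-codes the usage while the CERT_VerifyCertificateNow call above takes `certUsage`, so the two can disagree for non-server usages; and `CERT_DestroyCertificate( issuer )` also runs on the NULL path, which only works because NSS tolerates NULL there, so moving it inside the else branch reads more clearly. The enclosing function begins and ends outside the hunk.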