OpenLDAP
Up to top level
Build   Contrib   Development   Documentation   Historical   Incoming   Software Bugs   Software Enhancements   Web  

Logged in as guest

Viewing Software Bugs/5577
Full headers

From: arno@natisbad.org
Subject: [BUG,PATCH] slapd unable to import CRL using GnuTLS backend
Compose comment
Download message
State:
0 replies:
1 followups: 1

Major security issue: yes  no

Notes:

Notification:


Date: Tue, 24 Jun 2008 16:43:54 GMT
From: arno@natisbad.org
To: openldap-its@OpenLDAP.org
Subject: [BUG,PATCH] slapd unable to import CRL using GnuTLS backend
Full_Name: Arnaud Ebalard
Version: 2.4.10
OS: Linux (Debian unstable)
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (213.215.50.138)


Hi,

When openldap is linked with gnutls for TLS support, a file containing
CRL in PEM format can be provided (in slapd.conf, using TLSCRLFile
parameter).

The following code in ldap_int_tls_init_ctx() (librairies/libldap/tls.c)
prevents the daemon to start when the option is used:

        if ( lo->ldo_tls_crlfile ) {
                rc = gnutls_certificate_set_x509_crl_file( 
                        ((tls_ctx*) lo->ldo_tls_ctx)->cred,
                        crlfile,
                        GNUTLS_X509_FMT_PEM );
                if ( rc < 0 ) goto error_exit;
        }

because gnutls_certificate_set_x509_crl_file() returns the number of CRL
files that have been imported which is stored in rc and returned later
in the function. Caller expects 0, otherwise it reports an error, the
value of rc (below, with 3 CRL in the file) and slapd fails to start:

   ....  main TLS init def ctx failed: 3

The patch below is for 2.4.10, but should apply against all versions (it
applies fine against current Debian version available under Unstable).
Tell me if you have issues. 

I recompiled the Debian version with the patch applied and it works as
expected.

Cheers,

a+

The patch is IMHO short enough to inline it here:

Index: openldap-2.4.10/libraries/libldap/tls.c
===================================================================
--- openldap-2.4.10.orig/libraries/libldap/tls.c	2008-06-24 16:10:00.128945991
+0200
+++ openldap-2.4.10/libraries/libldap/tls.c	2008-06-24 16:11:46.804929042 +0200
@@ -754,7 +754,10 @@
 			((tls_ctx*) lo->ldo_tls_ctx)->cred,
 			crlfile,
 			GNUTLS_X509_FMT_PEM );
-		if ( rc < 0 ) goto error_exit;
+		if ( rc < 0 )
+			goto error_exit;
+		else
+			rc = 0;
 	}
 	if ( is_server ) {
 		gnutls_dh_params_init (&((tls_ctx*) 



Followup 1

Download message
Date: Tue, 24 Jun 2008 11:15:00 -0700
From: Howard Chu <hyc@symas.com>
To: arno@natisbad.org
CC: openldap-its@openldap.org
Subject: Re: (ITS#5577) [BUG,	PATCH] slapd unable to import CRL using GnuTLS
 backend
arno@natisbad.org wrote:
> Full_Name: Arnaud Ebalard
> Version: 2.4.10
> OS: Linux (Debian unstable)
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (213.215.50.138)
>
>
> Hi,
>
> When openldap is linked with gnutls for TLS support, a file containing
> CRL in PEM format can be provided (in slapd.conf, using TLSCRLFile
> parameter).
>
> The following code in ldap_int_tls_init_ctx() (librairies/libldap/tls.c)
> prevents the daemon to start when the option is used:
>
>          if ( lo->ldo_tls_crlfile ) {
>                  rc = gnutls_certificate_set_x509_crl_file(
>                          ((tls_ctx*) lo->ldo_tls_ctx)->cred,
>                          crlfile,
>                          GNUTLS_X509_FMT_PEM );
>                  if ( rc<  0 ) goto error_exit;
>          }
>
> because gnutls_certificate_set_x509_crl_file() returns the number of CRL
> files that have been imported which is stored in rc and returned later
> in the function. Caller expects 0, otherwise it reports an error, the
> value of rc (below, with 3 CRL in the file) and slapd fails to start:
>
>     ....  main TLS init def ctx failed: 3

Thanks, fixed in HEAD.

-- 
   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/


Up to top level
Build   Contrib   Development   Documentation   Historical   Incoming   Software Bugs   Software Enhancements   Web  

Logged in as guest


The OpenLDAP Issue Tracking System uses a hacked version of JitterBug

______________
© Copyright 2013, OpenLDAP Foundation, info@OpenLDAP.org