[Pkg-fedora-ds-maintainers] 389-admin: Changes to 'upstream-unstable'

Timo Aaltonen tjaalton-guest at alioth.debian.org
Tue Oct 8 09:05:59 UTC 2013


 .gitignore                                |    4 
 Makefile.am                               |    3 
 Makefile.in                               |  219 +++-----
 VERSION.sh                                |    2 
 aclocal.m4                                |  395 ++++++++-------
 admserv/cfgstuff/httpd-2.4.conf.in        |  742 ++++++++++++++++++++++++++++++
 admserv/cgi-src40/admpw.c                 |    4 
 admserv/cgi-src40/config.c                |    9 
 admserv/cgi-src40/dsconfig.c              |    1 
 admserv/cgi-src40/htmladmin.c             |    1 
 admserv/cgi-src40/monreplication.c        |    1 
 admserv/cgi-src40/restartsrv.c            |    5 
 admserv/cgi-src40/sec-activate.c          |   31 -
 admserv/cgi-src40/security.c              |  118 +++-
 admserv/cgi-src40/security.properties     |    6 
 admserv/cgi-src40/statpingserv.c          |    1 
 admserv/cgi-src40/stopsrv.c               |    1 
 admserv/cgi-src40/ugdsconfig.c            |    1 
 admserv/cgi-src40/viewdata.c              |    1 
 admserv/cgi-src40/viewlog.c               |    1 
 admserv/newinst/src/AdminServer.pm.in     |   33 +
 admserv/newinst/src/remove-ds-admin.pl.in |    8 
 compile                                   |    3 
 config.guess                              |    4 
 config.sub                                |   11 
 configure                                 |  162 +++---
 depcomp                                   |    3 
 include/libadmin/dbtlibadmin.h            |    2 
 install-sh                                |   14 
 lib/base/file.cpp                         |    8 
 lib/base/nscputil.cpp                     |    5 
 lib/libadmin/util.c                       |   88 +--
 lib/libdsa/dsalib_confs.c                 |   16 
 lib/libdsa/dsalib_util.c                  |    8 
 m4/adminutil.m4                           |    4 
 m4/httpd.m4                               |    2 
 missing                                   |   99 +---
 mod_admserv/mod_admserv.c                 |   69 +-
 wrappers/initscript.in                    |    3 
 39 files changed, 1457 insertions(+), 631 deletions(-)

New commits:
commit 463ed9a71dfcdb801e58c24b06cd3e99d6f1a6c9
Author: Rich Megginson <rmeggins at redhat.com>
Date:   Tue Aug 20 11:07:54 2013 -0600

    bump version to 1.1.35

diff --git a/VERSION.sh b/VERSION.sh
index c4173c4..de6b8d0 100644
--- a/VERSION.sh
+++ b/VERSION.sh
@@ -11,7 +11,7 @@ vendorurl=http://port389.org
 # PACKAGE_VERSION is constructed from these
 VERSION_MAJOR=1
 VERSION_MINOR=1
-VERSION_MAINT=34
+VERSION_MAINT=35
 # if this is a PRERELEASE, set VERSION_PREREL
 # otherwise, comment it out
 # be sure to include the dot prefix in the prerel

commit 0417dc764a38a5e34c402754ed699a60caea86fa
Author: Rich Megginson <rmeggins at redhat.com>
Date:   Fri Aug 16 10:53:13 2013 -0600

    add Eclipse and patch files

diff --git a/.gitignore b/.gitignore
index b2642d7..d9fa51e 100644
--- a/.gitignore
+++ b/.gitignore
@@ -2,3 +2,5 @@
 autom4te.cache
 .project
 .cproject
+.autotools
+*.patch

commit f2004eab1a9821c716a99a6efa925079d30ee457
Author: Rich Megginson <rmeggins at redhat.com>
Date:   Fri Aug 16 10:51:55 2013 -0600

    compiler warning - ldif_read_record lineno type depends on openldap version
    
    Reviewed by: nkinder (Thanks!)

diff --git a/lib/libdsa/dsalib_confs.c b/lib/libdsa/dsalib_confs.c
index 36d9356..b4a1f4c 100644
--- a/lib/libdsa/dsalib_confs.c
+++ b/lib/libdsa/dsalib_confs.c
@@ -38,6 +38,18 @@
 #include "nspr.h"
 #include "plstr.h"
 
+/* ldif_read_record lineno argument type depends on openldap version */
+#if defined(USE_OPENLDAP)
+#include <ldap_features.h>
+#if LDAP_VENDOR_VERSION >= 20434 /* changed in 2.4.34 */
+typedef unsigned long int ldif_record_lineno_t;
+#else
+typedef int ldif_record_lineno_t;
+#endif
+#else
+typedef int ldif_record_lineno_t;
+#endif
+
 int
 dsalib_ldif_parse_line(
     char *line,
@@ -75,11 +87,11 @@ ds_get_conf_from_file(FILE *conf)
     int		listsize = 0;
     char        **conf_list = NULL;
     char *entry = 0;
-    int lineno = 0;
-    int i = 0;
 #if defined(USE_OPENLDAP)
     int buflen = 0;
 #endif
+    ldif_record_lineno_t lineno;
+    int i = 0;
 
 #if defined(USE_OPENLDAP)
     while (ldif_read_record(conf, &lineno, &entry, &buflen)) {
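Review bot: `ldif_record_lineno_t lineno;` replaces the old `int lineno = 0;` but drops the initializer, and the variable is passed by address to ldif_read_record two lines later. OpenLDAP's ldif_read_record appears to treat that counter as an in/out value it increments rather than resets, so the first read is of an indeterminate value (undefined behaviour) and any line number derived from it is meaningless. Restore the initializer on the added line: `ldif_record_lineno_t lineno = 0;`. ds_get_conf_from_file continues outside the hunk, so the non-OpenLDAP branch that also uses lineno is not visible here.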

commit c6e18768092c55d916548fc090c91b079c0d3c8a
Author: Rich Megginson <rmeggins at redhat.com>
Date:   Fri Aug 16 10:49:44 2013 -0600

    Ticket #47413 389-admin fails to build with latest httpd
    
    https://fedorahosted.org/389/ticket/47413
    Reviewed by: nkinder (Thanks!)
    Branch: master
    Fix Description: Use awk to parse out MIMEMagicFile from httpd.conf
    Platforms tested: RHEL6 x86_64, Fedora 20
    Flag Day: no
    Doc impact: no

diff --git a/configure b/configure
index 881d344..bf81905 100755
--- a/configure
+++ b/configure
@@ -18085,7 +18085,7 @@ esac
 
 httpdconf=${httpd_root}/${httpd_conf_rel}
 
-mimemagic=`grep MIMEMagicFile $httpdconf|grep -v \^# | awk '{print $2}'`
+mimemagic=`awk '"MIMEMagicFile" == $1" {print $2}' $httpdconf`
 if test ! -f "$mimemagic" ; then
 # assume relative to root
     mimemagic=${httpd_root}/${mimemagic}
diff --git a/m4/httpd.m4 b/m4/httpd.m4
index f106e2a..b72054c 100644
--- a/m4/httpd.m4
+++ b/m4/httpd.m4
@@ -61,7 +61,7 @@ esac
 
 httpdconf=${httpd_root}/${httpd_conf_rel}
 
-mimemagic=`grep MIMEMagicFile $httpdconf|grep -v \^# | awk '{print $2}'`
+mimemagic=`awk '"MIMEMagicFile" == $1" {print $2}' $httpdconf`
 if test ! -f "$mimemagic" ; then
 # assume relative to root
     mimemagic=${httpd_root}/${mimemagic}
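Review bot: The awk program on the added line, `'"MIMEMagicFile" == $1" {print $2}'`, has a stray double quote after `$1` that opens an unterminated string, so as printed awk rejects the program and `mimemagic` comes back empty; the `test ! -f` that follows then turns the empty value into `${httpd_root}/`, a directory rather than a file. If that quote is not a transcription artifact, the program should be `awk '$1 == "MIMEMagicFile" {print $2}' $httpdconf`. The identical line is introduced in the generated `configure` hunk earlier in this commit (the hunk ending with the same `mimemagic=${httpd_root}/${mimemagic}` line), which should be regenerated from this file rather than patched separately.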

commit 2a67826ff30226436edff1653088924ef983f5a6
Author: Rich Megginson <rmeggins at redhat.com>
Date:   Thu Aug 15 15:06:09 2013 -0600

    add more debugging for SSL connection problems

diff --git a/mod_admserv/mod_admserv.c b/mod_admserv/mod_admserv.c
index 744364c..eacf1e8 100644
--- a/mod_admserv/mod_admserv.c
+++ b/mod_admserv/mod_admserv.c
@@ -779,6 +779,8 @@ static int
 sslinit(AdmldapInfo info, const char *configdir)
 {
     if (!NSS_IsInitialized()) {
+	ap_log_error(APLOG_MARK, APLOG_DEBUG, 0 /* status */, NULL,
+	             "sslinit: doing NSS initialization");
         /* mod_nss is used when we are a TLS/SSL server - mod_nss starts up before we do
            and will set up all of the TLS/SSL stuff */
         /* if we are acting as simply a TLS/SSL client to the directory server, 
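Review bot: The two added `ap_log_error` lines are indented with a tab while the surrounding block uses four spaces (compare the `if (!NSS_IsInitialized())` line just above), so the new call sits at a different visual column from the code it belongs to. The same tab indentation is used on the added lines in the other three hunks of this file (the host_ip_init INFO branch, the host_ip_init else branch, and mod_admserv_unload), and the host_ip_init else branch also leaves a stray blank line before its closing brace. Reindenting those lines with spaces keeps the file's existing style. sslinit's body continues outside the hunk.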
@@ -2088,6 +2090,11 @@ host_ip_init(apr_pool_t *p, apr_pool_t *plog,
     if (admldapGetSecurity(info)) {
         sslinit(info, configdir);
         if (admldapBuildInfoSSL(info, &error)) {
+            if (error != ADMUTIL_OP_OK) {
+        	ap_log_error(APLOG_MARK, APLOG_INFO, 0, base_server,
+                             "host_ip_init(): problem creating secure AdmldapInfo (error code = %d)",
+                             error);
+            }
         } else {
             ap_log_error(APLOG_MARK, APLOG_CRIT, 0, base_server,
                          "host_ip_init(): unable to create secure AdmldapInfo (error code = %d)",
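Review bot: The new INFO message `host_ip_init(): problem creating secure AdmldapInfo (error code = %d)` is emitted in the branch where admldapBuildInfoSSL returned success, yet it reads almost the same as the CRIT message in the else branch for the failure case, so someone reading the log cannot tell from the text which one fired. If a non-OK `error` alongside a successful return is a soft warning (inferred from the fact that this branch neither destroys `info` nor returns), say so in the string, e.g. `"host_ip_init(): secure AdmldapInfo created, but admldapBuildInfoSSL reported a non-fatal error (code = %d)"`. host_ip_init continues outside the hunk.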
@@ -2095,6 +2102,10 @@ host_ip_init(apr_pool_t *p, apr_pool_t *plog,
             destroyAdmldap(info);
             return DONE;
         }
+    } else {
+	ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, base_server,
+	             "host_ip_init(): secure connection not enabled, skipping sslinit");
+
     }
 
     destroyAdmldap(info);
@@ -2261,6 +2272,11 @@ apr_status_t mod_admserv_unload(void *data)
 {
     if (NSS_IsInitialized()) {
         SSL_ClearSessionCache();
+        ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, NULL,
+                     "mod_admserv_unload: cleared SSL session cache");
+    } else {
+	ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, NULL,
+	             "mod_admserv_unload: cannot clear cache - NSS not initialized");
     }
     return OK;
 }

commit 6da58f7ef8aacfc926c2fbb1ec5cda79d2b8d002
Author: Rich Megginson <rmeggins at redhat.com>
Date:   Thu Aug 15 15:04:29 2013 -0600

    Ticket #47465 problem with 389-adminutil detection in m4/adminutil.m4 in 389-admin and 389-dsgw
    
    https://fedorahosted.org/389/ticket/47465
    Reviewed by: nhosoi (Thanks!)
    Branch: master
    Fix Description: Do not need to check for defined adminutil_lib and
    adminutil_inc - pkg-config will fail if they cannot be determined.
    Platforms tested: RHEL6 x86_64, Fedora 20
    Flag Day: no
    Doc impact: no

diff --git a/configure b/configure
index 5039a51..881d344 100755
--- a/configure
+++ b/configure
@@ -19725,10 +19725,6 @@ fi
   fi
 fi
 
-if test -z "$adminutil_inc" -o -z "$adminutil_lib"; then
-  as_fn_error $? "ADMINUTIL not found, specify with --with-adminutil." "$LINENO" 5
-fi
-
 # BEGIN COPYRIGHT BLOCK
 # Copyright (C) 2007 Red Hat, Inc.
 # All rights reserved.
diff --git a/m4/adminutil.m4 b/m4/adminutil.m4
index 1d5900b..c5d4893 100644
--- a/m4/adminutil.m4
+++ b/m4/adminutil.m4
@@ -62,7 +62,3 @@ if test -z "$adminutil_inc" -o -z "$adminutil_lib"; then
     fi
   fi
 fi
-
-if test -z "$adminutil_inc" -o -z "$adminutil_lib"; then
-  AC_MSG_ERROR([ADMINUTIL not found, specify with --with-adminutil.])
-fi

commit ebb0765b60b287f6b7f44188f4337076e8c3aa9d
Author: Rich Megginson <rmeggins at redhat.com>
Date:   Thu Aug 15 15:03:44 2013 -0600

    Ticket #47486 compiler warnings in adminutil, admin, dsgw
    
    fix compiler warnings
    Reviewed by: nhosoi (Thanks!)
    Platforms tested: RHEL 6, Fedora 20

diff --git a/admserv/cgi-src40/admpw.c b/admserv/cgi-src40/admpw.c
index ff0dc6c..e695881 100644
--- a/admserv/cgi-src40/admpw.c
+++ b/admserv/cgi-src40/admpw.c
@@ -73,11 +73,10 @@ sha1_pw_enc(const char *pwd)
    unsigned char hash[SHA1_LENGTH];
    char *enc;
    char *retval;
-   SECStatus rc;
    int32 pwdlen = strlen(pwd);
 
    /* SHA1 hash the user's key */
-   rc = PK11_HashBuf(SEC_OID_SHA1, hash, (unsigned char *)pwd, pwdlen);
+   PK11_HashBuf(SEC_OID_SHA1, hash, (unsigned char *)pwd, pwdlen);
    /* convert to base64 */
    if (!(enc = BTOA_DataToAscii(hash, sizeof(hash)))) {
       return NULL;
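Review bot: Dropping `rc` discards the only signal that `PK11_HashBuf` failed, and on failure `hash` is still uninitialized stack memory that the next lines base64-encode and return as the admin password hash. Keep the status and bail out instead of silencing the warning: `if (PK11_HashBuf(SEC_OID_SHA1, hash, (unsigned char *)pwd, pwdlen) != SECSuccess) { return NULL; }`. sha1_pw_enc continues outside the hunk, so the later use of `enc` is not visible here.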
@@ -181,6 +180,7 @@ int main(int argc, char *argv[])
     int errorcode = 0;
     char *configdir = util_get_conf_dir();
 	    
+    (void)_ai; /* get rid of unused variable warning */
     logMsg(" In %s\n", argv[0]);
 
     i18nInit();
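Review bot: `(void)_ai;` silences the unused-variable warning at each call site rather than at the definition of `_ai`, and the same line is repeated in the main hunks of config.c, dsconfig.c, htmladmin.c, monreplication.c, restartsrv.c, sec-activate.c, statpingserv.c, stopsrv.c, ugdsconfig.c, viewdata.c and viewlog.c in this commit. `_ai` is not declared in any of these hunks; if it is a file-scope object supplied by a shared header (the repetition suggests so), marking it unused where it is defined, or removing it if nothing reads it, fixes every CGI at once and does not have to be remembered in the next one. The name also begins with an underscore at file scope, which C reserves for the implementation. main continues outside the hunk.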
diff --git a/admserv/cgi-src40/config.c b/admserv/cgi-src40/config.c
index 74e0a0c..ddb4af3 100644
--- a/admserv/cgi-src40/config.c
+++ b/admserv/cgi-src40/config.c
@@ -155,9 +155,8 @@ int main(int argc, char *argv[])
   char           **inputs = 0;
   char           *operation = 0;
   char           *qs = 0;
-  char           *nameptr, *valptr, *val;
+  char           *nameptr, *valptr;
   char           error_info[128];
-  char           *valsbuf[2];
   int            setFlag = 0, getFlag = 0, forceSetFlag = 0;
   int            ignorePsetErrors = 0;
   AttributeList  resultList, nvl;
@@ -176,11 +175,9 @@ int main(int argc, char *argv[])
   while (waitforever);
 #endif
 
+  (void)_ai; /* get rid of unused variable warning */
   i18nResource = res_find_and_init_resource(PROPERTYDIR, RESOURCE_FILE);
 
-  valsbuf[0] = NULL;
-  valsbuf[1] = NULL;
-
   memset((void *)errp, 0, sizeof(int));
   method = getenv("REQUEST_METHOD");
 
@@ -620,7 +617,7 @@ int main(int argc, char *argv[])
 #endif
 
 	errorCode = PSET_OP_OK;
-	val = psetGetAttrSingleValue(pset, nameptr, &errorCode);
+	(void)psetGetAttrSingleValue(pset, nameptr, &errorCode);
 	if (errorCode && !ignorePsetErrors) {
 	  if (forceSetFlag) 
 	    addSingleValueAttribute(addList, j++, nameptr, valptr);
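Review bot: `(void)psetGetAttrSingleValue(pset, nameptr, &errorCode);` keeps the call only for its `errorCode` side effect, and if that function returns a freshly allocated string (its definition is not visible here) the result now leaks on every iteration exactly as the unused `val` did before. Either free the returned value, or use a lookup that does not allocate if an existence check is all that is needed; at minimum a comment such as `/* existence check only: we need errorCode, not the value */` would explain the cast. main continues outside the hunk.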
diff --git a/admserv/cgi-src40/dsconfig.c b/admserv/cgi-src40/dsconfig.c
index 899836b..b35826e 100644
--- a/admserv/cgi-src40/dsconfig.c
+++ b/admserv/cgi-src40/dsconfig.c
@@ -159,6 +159,7 @@ int main(int argc, char *argv[])
 
   logMsg(" In %s\n", argv[0]);
 
+  (void)_ai; /* get rid of unused variable warning */
   i18nInit();
 
   /* GET or POST method */
diff --git a/admserv/cgi-src40/htmladmin.c b/admserv/cgi-src40/htmladmin.c
index 7110526..b168ce7 100644
--- a/admserv/cgi-src40/htmladmin.c
+++ b/admserv/cgi-src40/htmladmin.c
@@ -1582,6 +1582,7 @@ int main(int argc, char *argv[])
     const char *configdir = util_get_conf_dir();
     const char *secdir = util_get_security_dir();
 
+    (void)_ai; /* get rid of unused variable warning */
     i18nResource = res_find_and_init_resource(PROPERTYDIR, RESOURCE_FILE);
     acceptLanguage = "en";
     if (lang) acceptLanguage = strdup(lang);
diff --git a/admserv/cgi-src40/monreplication.c b/admserv/cgi-src40/monreplication.c
index 253dcaf..2b07038 100644
--- a/admserv/cgi-src40/monreplication.c
+++ b/admserv/cgi-src40/monreplication.c
@@ -85,6 +85,7 @@ int main(int argc, char *argv[])
 	char configfile[256] = {'\0'};
 	char *resstr;
 
+	(void)_ai; /* get rid of unused variable warning */
 	i18nInit();
 
 	fprintf(stdout, "Content-type: text/html;charset=utf-8\n\n");
diff --git a/admserv/cgi-src40/restartsrv.c b/admserv/cgi-src40/restartsrv.c
index 87e76bf..69d8853 100644
--- a/admserv/cgi-src40/restartsrv.c
+++ b/admserv/cgi-src40/restartsrv.c
@@ -125,6 +125,7 @@ int main(int argc, char *argv[])
   char           *acceptLanguage = (char*)"en", *lang=getenv((char*)"HTTP_ACCEPT_LANGUAGE");
   Resource       *i18nResource = NULL;
 
+  (void)_ai; /* get rid of unused variable warning */
   i18nResource = res_find_and_init_resource(PROPERTYDIR, RESOURCE_FILE);
 
   if (lang) acceptLanguage = strdup(lang);
diff --git a/admserv/cgi-src40/sec-activate.c b/admserv/cgi-src40/sec-activate.c
index a36f75f..6ae70ed 100644
--- a/admserv/cgi-src40/sec-activate.c
+++ b/admserv/cgi-src40/sec-activate.c
@@ -499,6 +499,7 @@ int main(int argc, char *argv[])
   AdmldapInfo ldapInfo = NULL;
   char *lang;
 
+  (void)_ai; /* get rid of unused variable warning */
   memset((void *)errp, 0, sizeof(int));
   method = getenv("REQUEST_METHOD");
 
diff --git a/admserv/cgi-src40/statpingserv.c b/admserv/cgi-src40/statpingserv.c
index d6e55f7..3fc5616 100644
--- a/admserv/cgi-src40/statpingserv.c
+++ b/admserv/cgi-src40/statpingserv.c
@@ -75,6 +75,7 @@ int main(int argc, char *argv[])
   char *portstr;
   struct PRFileInfo64 prfileinfo;
 
+  (void)_ai; /* get rid of unused variable warning */
   m = getenv("REQUEST_METHOD");
 
   if(!strcmp(m, "GET")) {
diff --git a/admserv/cgi-src40/stopsrv.c b/admserv/cgi-src40/stopsrv.c
index 436989e..b2b83c9 100644
--- a/admserv/cgi-src40/stopsrv.c
+++ b/admserv/cgi-src40/stopsrv.c
@@ -85,6 +85,7 @@ int main(int argc, char *argv[])
   char           *return_format = NULL;
   char           *qs = 0;
 
+  (void)_ai; /* get rid of unused variable warning */
   i18nResource = res_find_and_init_resource(PROPERTYDIR, RESOURCE_FILE);
 
   if (lang) acceptLanguage = strdup(lang);
diff --git a/admserv/cgi-src40/ugdsconfig.c b/admserv/cgi-src40/ugdsconfig.c
index 9be5332..0b23d93 100644
--- a/admserv/cgi-src40/ugdsconfig.c
+++ b/admserv/cgi-src40/ugdsconfig.c
@@ -179,6 +179,7 @@ int main(int argc, char *argv[])
     const char *configdir = util_get_conf_dir();
     const char *secdir = util_get_security_dir();
 
+    (void)_ai; /* get rid of unused variable warning */
     logMsg(" In %s\n", argv[0]);
 
     i18nInit();
diff --git a/admserv/cgi-src40/viewdata.c b/admserv/cgi-src40/viewdata.c
index 7dd5d80..5cba168 100644
--- a/admserv/cgi-src40/viewdata.c
+++ b/admserv/cgi-src40/viewdata.c
@@ -412,6 +412,7 @@ int main(int argc, char *argv[])
 
     AdmldapInfo ldapInfo = get_adm_ldapinfo(configdir, secdir);
 
+    (void)_ai; /* get rid of unused variable warning */
     i18nInit();
 
     if(!get_bindinfo(&binddn, &bindpw))
diff --git a/admserv/cgi-src40/viewlog.c b/admserv/cgi-src40/viewlog.c
index e4ec208..4a36780 100644
--- a/admserv/cgi-src40/viewlog.c
+++ b/admserv/cgi-src40/viewlog.c
@@ -341,6 +341,7 @@ int main(int argc, char *argv[])
     int rc = 0;
     char *configdir = NULL;
 
+    (void)_ai; /* get rid of unused variable warning */
     i18nInit();
 
     fprintf(stdout, "Content-type: text/html;charset=utf-8\n\n");
diff --git a/include/libadmin/dbtlibadmin.h b/include/libadmin/dbtlibadmin.h
index 24048c7..9c40647 100644
--- a/include/libadmin/dbtlibadmin.h
+++ b/include/libadmin/dbtlibadmin.h
@@ -21,8 +21,6 @@
 
 #define LIBRARY_NAME "libadmin"
 
-static char dbtlibadminid[] = "$DBT: libadmin referenced v1 $";
-
 #include "i18n.h"
 
 BEGIN_STR(libadmin)
diff --git a/lib/base/file.cpp b/lib/base/file.cpp
index ac2ece6..0ca4c9b 100644
--- a/lib/base/file.cpp
+++ b/lib/base/file.cpp
@@ -483,19 +483,11 @@ NSAPI_PUBLIC int system_errmsg_fn(char **buff, size_t maxlen)
     char static_error[128];
     char *lmsg = 0; /* Local message pointer */
     size_t msglen = 0;
-    int sys_error = 0;
     PRErrorCode nscp_error;
 #ifdef XP_WIN32
     LPTSTR sysmsg = 0;
 #endif
 
-
-    /* Grab the OS error message */
-#ifdef XP_WIN32
-    sys_error = GetLastError();
-#else
-    sys_error = errno;
-#endif
     nscp_error = PR_GetError();
 
     /* If there is a NSPR error, but it is "unknown", try to get the OSError
diff --git a/lib/base/nscputil.cpp b/lib/base/nscputil.cpp
index 77e7a6e..1fb6a27 100644
--- a/lib/base/nscputil.cpp
+++ b/lib/base/nscputil.cpp
@@ -833,11 +833,12 @@ util_waitpid(pid_t pid, int *statptr, int options)
     for(rv = 0; !rv; PR_Sleep(500)) {
 	rv = waitpid(pid, statptr, options | WNOHANG);
 	if (rv == -1) {
-	    if (errno == EINTR)
+	    if (errno == EINTR) {
 		rv = 0; /* sleep and try again */
-	    else
+	    } else {
 //		ereport(LOG_WARN, "waitpid failed for pid %d:%s", pid, system_errmsg());
 	    ;
+	    }
 	}
     }
     return rv;
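Review bot: The newly braced else branch still holds only a commented-out `ereport` and a bare `;`, so a reader has to work out that every waitpid error other than EINTR is meant to end the loop via `rv == -1`. Replace the dead code and empty statement with a comment that states the intent, e.g. `/* any other error: stop retrying; caller sees rv == -1 */`. util_waitpid starts before the hunk.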
diff --git a/lib/libadmin/util.c b/lib/libadmin/util.c
index be651b4..29c77b5 100644
--- a/lib/libadmin/util.c
+++ b/lib/libadmin/util.c
@@ -1558,17 +1558,19 @@ util_ldap_init(
         if (secure > 0) {
 #if defined(USE_OPENLDAP)
             int optval = 0;
+#else
+            LDAP *myld = NULL;
 #endif /* !USE_OPENLDAP */
             int ssl_strength = 0;
-            LDAP *myld = NULL;
 
+#if !defined(USE_OPENLDAP)
             /* we can only use the set functions below with a real
                LDAP* if it has already gone through ldapssl_init -
                so, use NULL if using starttls */
             if (secure == 1) {
                 myld = ld;
             }
-
+#endif
             /* verify certificate only */
 #if defined(USE_OPENLDAP)
             ssl_strength = LDAP_OPT_X_TLS_NEVER;
@@ -1683,55 +1685,12 @@ util_ldap_bind(
 {
     int rc = LDAP_SUCCESS;
     int err = LDAP_SUCCESS;
-    int secure = 0;
     struct berval bvcreds = {0, NULL};
     LDAPMessage *result = NULL;
     struct berval *servercredp = NULL;
-#if defined(USE_OPENLDAP)
-    /* openldap doesn't have a SSL/TLS yes/no flag - so grab the
-       ldapurl, parse it, and see if it is a secure one */
-    char *ldapurl = NULL;
-
-    ldap_get_option(ld, LDAP_OPT_URI, &ldapurl);
-    if (ldapurl && !PL_strncasecmp(ldapurl, "ldaps", 5)) {
-        secure = 1;
-    }
-    PL_strfree(ldapurl);
-    ldapurl = NULL;
-#else /* !USE_OPENLDAP */
-    ldap_get_option(ld, LDAP_OPT_SSL, &secure);
-#endif
 
-#ifdef EXTERNAL_AUTH_SUPPORTED
-    if (secure && mech && !strcmp(mech, LDAP_SASL_EXTERNAL)) {
-        /* SSL connections will use the server's security context
-           and cert for client auth */
-        rc = slapd_SSL_client_auth(ld);
-
-        if (rc != 0) {
-#ifdef DEBUG
-            fprintf(stderr, "util_ldap_bind: "
-                    "Error: could not configure the server for cert "
-                    "auth - error %d - make sure the server is "
-                    "correctly configured for SSL/TLS\n", rc);
-#endif
-            goto done;
-        } else {
-#ifdef DEBUG
-            fprintf(stderr, "util_ldap_bind: "
-                    "Set up conn to use client auth\n");
-#endif
-        }
-        bvcreds.bv_val = NULL; /* ignore username and passed in creds */
-        bvcreds.bv_len = 0; /* for external auth */
-        bindid = NULL;
-    } else { /* other type of auth */
-#endif /* EXTERNAL_AUTH_SUPPORTED */
-        bvcreds.bv_val = (char *)creds;
-        bvcreds.bv_len = creds ? strlen(creds) : 0;
-#ifdef EXTERNAL_AUTH_SUPPORTED
-    }
-#endif /* EXTERNAL_AUTH_SUPPORTED */
+    bvcreds.bv_val = (char *)creds;
+    bvcreds.bv_len = creds ? strlen(creds) : 0;
 
     /* The connection has been set up - now do the actual bind, depending on
        the mechanism and arguments */
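Review bot: Besides the unused `secure` variable, this hunk deletes the whole `EXTERNAL_AUTH_SUPPORTED` branch, which was the only place a `mech` of `LDAP_SASL_EXTERNAL` received special treatment (client-cert setup and empty credentials); after the change such a caller falls through to the plain credential bind below, outside the hunk. That is fine if the macro was never defined anywhere in the tree, but the commit title only says the warnings were fixed, so a reader cannot tell the block was dead. A one-line comment where the block used to be, e.g. `/* SASL EXTERNAL client-cert auth (EXTERNAL_AUTH_SUPPORTED) was never built; removed */`, would record that. util_ldap_bind continues outside the hunk.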
diff --git a/lib/libdsa/dsalib_util.c b/lib/libdsa/dsalib_util.c
index da875df..803f86d 100644
--- a/lib/libdsa/dsalib_util.c
+++ b/lib/libdsa/dsalib_util.c
@@ -402,18 +402,10 @@ ds_system_errmsg(void)
     static char static_error[BUFSIZ];
     char *lmsg = 0; /* Local message pointer */
     size_t msglen = 0;
-    int sys_error = 0;
 #ifdef XP_WIN32
     LPTSTR sysmsg = 0;
 #endif
 
-    /* Grab the OS error message */
-#ifdef XP_WIN32
-    sys_error = GetLastError();
-#else
-    sys_error = errno;
-#endif
-
 #if defined(XP_WIN32)
     msglen = FormatMessage(
 	FORMAT_MESSAGE_FROM_SYSTEM|FORMAT_MESSAGE_ALLOCATE_BUFFER,
diff --git a/mod_admserv/mod_admserv.c b/mod_admserv/mod_admserv.c
index 9eca803..744364c 100644
--- a/mod_admserv/mod_admserv.c
+++ b/mod_admserv/mod_admserv.c
@@ -2641,7 +2641,7 @@ static int
 authenticate_user(LdapServerData *data, char *baseDN, char *user, const char *pw, request_rec *r)
 {
   LDAP           *server;
-  char           *uid, *userdn, *ldapURL;
+  char           *userdn, *ldapURL;
   int             ldapError = LDAP_SUCCESS;
   int             pw_expiring = 0;
   int tries = 0;
@@ -2686,13 +2686,10 @@ authenticate_user(LdapServerData *data, char *baseDN, char *user, const char *pw
 
           return DECLINED; /* fall back to final check against admpw */
       }
-
-      uid = user;
   } else {
       /* it's a DN */
 
       userdn = user;
-      uid    = NULL;
 
       /* strip the leading "ldap:", if present */
 

commit 14b1bf927e6b0ac47273a48ea4cbb58d12237dfc
Author: Rich Megginson <rmeggins at redhat.com>
Date:   Thu Aug 15 15:02:16 2013 -0600

    ignore files generated by Eclipse

diff --git a/.gitignore b/.gitignore
index c0b150c..b2642d7 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,4 @@
 *~
 autom4te.cache
+.project
+.cproject

commit 0de39490d43897ea3e53e7128b1dab02f36b7506
Author: Nathan Kinder <nkinder at redhat.com>
Date:   Wed Aug 14 11:30:28 2013 -0700

    Ticket 47467 - Improve CRL import error messages
    
    The error messages returned by the security CGI when failing to
    import a CRL aren't helpful.  Specifically, we don't indicate
    that the CRL file must be specified as a plain filename that exists
    in the server security directory.  When we fail to find a valid
    CRL, we don't indicate that the expected format is PEM.  This
    patch improves the error messages that are returned for display in
    the Console.

diff --git a/admserv/cgi-src40/security.properties b/admserv/cgi-src40/security.properties
index 183bad0..289eef5 100644
--- a/admserv/cgi-src40/security.properties
+++ b/admserv/cgi-src40/security.properties
@@ -58,7 +58,7 @@ security43 { "Unable to delete the certificate specified." }
 security44 { "Unable to delete the CRL or CKL specified." }
 security45 { "Unable to find the CRL or CKL specified." }
 //#/* module operation */
-security50 { "Could not open file %s.  File does not exist or filename is invalid." }
+security50 { "Could not open file %s.  File does not exist or filename is invalid.  A filename that exists in the server security directory must be specified.  Absolute or relative paths should not be specified." }
 security51 { "Could not add module found in file %s." }
 security52 { "The module has been successfully added. Please restart the console for changes to take effect." }
 security53 { "No file specified. Enter the full path of a file." }
@@ -96,7 +96,7 @@ security103 { "Unable to init the internal (software) token." }
 security110 { "Error decoding the CRL/CKL file. Please make sure it is valid." }
 security111 { "Error deleting the existing CRL/CKL in replacement process." }
 security112 { "Error writing the new CRL/CKL into the certificate database." }
-security113 { "The file %s does not contain a valid CRL/CKL" }
+security113 { "The file %s does not contain a valid CRL/CKL.  Please make sure it is in the PEM format (base64 encoded DER)." }
 //#/* key/cert migration */
 security120 { "Alias" }
 security121 { "Key or Certificate database doesn't exist in the old server root specified" }

commit 4555aff338e70d646d4867460f37cfdd49b7f456
Author: Nathan Kinder <nkinder at redhat.com>
Date:   Tue Aug 13 15:47:47 2013 -0700

    Ticket 362 - Directory Console generates insufficient key strength
    
    The security CGI that is called by the Console is limited in terms of
    key generation and the signing algorithm used for the request.  The
    RSA key size is limited to 1024 bit or less, and the signing algorithm
    is hardcoded to MD5.
    
    This patch increases the maximum RSA key size to 4096 and uses a
    default of 2048 if the caller doesn't specify a key size.  The default
    signing algorithm is changed to SHA-1, and a new CGI parameter has been
    added to allow the caller to alternatively choose SHA-256, SHA-384, or
    SHA-512.

diff --git a/admserv/cgi-src40/security.c b/admserv/cgi-src40/security.c
index 1cee29d..3664d70 100644
--- a/admserv/cgi-src40/security.c
+++ b/admserv/cgi-src40/security.c
@@ -73,11 +73,8 @@ extern "C" {
 }
 #endif
 
-#ifdef NS_DOMESTIC
-#define MAX_KEY_BITS        1024/*2048*/
-#else
-#define MAX_KEY_BITS        512/*1024*/
-#endif
+#define DEFAULT_KEY_BITS    2048
+#define MAX_KEY_BITS        4096
 
 #define SUBJECT_NEW "Certificate request"
 #define SUBJECT_OLD "Certificate renewal"
@@ -1064,6 +1061,8 @@ generateCertificateRequest(SECKEYPrivateKey* privateKey, SECKEYPublicKey* pubKey
   PRArenaPool *arena                = NULL;
   PRBool      error                 = PR_FALSE;
   char *line;
+  char *sSignAlgo                   = NULL;
+  int signAlgo                      = 0;
   /*DebugBreak();*/
   /* convert subject name(DN) */
   certName = CERT_AsciiToName(subjectName);
@@ -1101,8 +1100,25 @@ generateCertificateRequest(SECKEYPrivateKey* privateKey, SECKEYPublicKey* pubKey
   /* Encode the result will get a "request blob" */
   der = (SECItem *)SEC_ASN1EncodeItem(arena, result, request, SEC_ASN1_GET(CERT_CertificateRequestTemplate));
 
+  /* Determine the signing algorithm to use.  We default
+  * to SHA-1 and support SHA-256, SHA-384, and SHA-512. */
+  sSignAlgo = get_cgi_var("signingalgo", NULL, NULL);
+
+  if (!sSignAlgo || !PORT_Strcmp(sSignAlgo, "SHA-1")) {
+    signAlgo = SEC_OID_PKCS1_SHA1_WITH_RSA_ENCRYPTION;
+  } else if (!PORT_Strcmp(sSignAlgo, "SHA-256")) {
+    signAlgo = SEC_OID_PKCS1_SHA256_WITH_RSA_ENCRYPTION;
+  } else if (!PORT_Strcmp(sSignAlgo, "SHA-384")) {
+    signAlgo = SEC_OID_PKCS1_SHA384_WITH_RSA_ENCRYPTION;
+  } else if (!PORT_Strcmp(sSignAlgo, "SHA-512")) {
+    signAlgo = SEC_OID_PKCS1_SHA512_WITH_RSA_ENCRYPTION;
+  } else {
+    /* Unknown algorithm, so just use the default. */
+    signAlgo = SEC_OID_PKCS1_SHA1_WITH_RSA_ENCRYPTION;
+  }
+
   /* Sign certificate request(the blob) with private key */
-  if (SEC_DerSignData(arena, result, der->data, der->len, privateKey, SEC_OID_PKCS1_MD5_WITH_RSA_ENCRYPTION) != SECSuccess)  {
+  if (SEC_DerSignData(arena, result, der->data, der->len, privateKey, signAlgo) != SECSuccess)  {
     rpt_err(GENERAL_FAILURE, 
             getResourceString(DBT_INTERNAL_ERROR), 
             getResourceString(DBT_CSR_GEN_FAIL), 
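Review bot: `int signAlgo` is passed where SEC_DerSignData takes a `SECOidTag`, so the declaration in the previous hunk should be `SECOidTag signAlgo = SEC_OID_PKCS1_SHA1_WITH_RSA_ENCRYPTION;`, which gives the enum's type checking and makes the default visible at the declaration. The trailing else also maps any unrecognized `signingalgo` value silently to SHA-1, so a caller that mistypes `SHA-256` gets the weaker signature with no indication; reporting the unknown value through `rpt_err`, or at least logging it, would make the fallback observable. If SHA-1 is kept as the default only for older consoles, a comment saying so next to the default would stop the next reader from "fixing" it blindly. generateCertificateRequest continues outside the hunk.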
@@ -1172,16 +1188,16 @@ generateKey(SECKEYPublicKey** publicKey, char* tokenName)
 
   /* generate key pair */
   {
-
     char *sKeySize = get_cgi_var("keysize", NULL, NULL);
     int keySize = 0;
     if (sKeySize) {
       keySize = atoi(sKeySize);
     }
 
-
-    if ((keySize > MAX_KEY_BITS) || (keySize <=0)) {
+    if (keySize > MAX_KEY_BITS) {
       params.keySizeInBits = MAX_KEY_BITS;
+    } else if (keySize <= 0) {
+      params.keySizeInBits = DEFAULT_KEY_BITS;
     } else {
       params.keySizeInBits = keySize;
     }

commit 5c52dd525901f6458d9d47cc6f3e809538d6982a
Author: Nathan Kinder <nkinder at redhat.com>
Date:   Tue Aug 13 22:14:06 2013 -0700

    Ticket 47466 - Importing CA cert with existing name crashes security CGI
    
    When a CA certificate is imported through the Console, but a CA certificate
    with the same name already exists in the certdb, the security CGI crashes.
    We are not checking the return value of CERT_ImportCerts(), which leads to
    a NULL dereference.
    
    This patch checks the return value of CERT_ImportCerts for an error, and
    we return an appropriate error back to the caller.  The functions we were
    using to get the error text for NSS errors were returning garbage.  We
    need to use PR_ErrorToString() to get the proper error strings.

diff --git a/admserv/cgi-src40/security.c b/admserv/cgi-src40/security.c
index fef3bea..1cee29d 100644
--- a/admserv/cgi-src40/security.c
+++ b/admserv/cgi-src40/security.c
@@ -1194,12 +1194,7 @@ generateKey(SECKEYPublicKey** publicKey, char* tokenName)
 
  loser:
   if (privateKey==NULL) {
-    char *tmpLine = NULL;
-
-    tmpLine = (char *)PR_Malloc(PR_GetErrorTextLength()+1);
-    PR_GetErrorText(tmpLine);
-    PR_snprintf(line, sizeof(line), "%d:%s", PR_GetError(), tmpLine);
-    PR_Free(tmpLine);
+    PR_snprintf(line, sizeof(line), "%d:%s", PR_GetError(), PR_ErrorToString(PR_GetError(), PR_LANGUAGE_EN));
 
     rpt_err(GENERAL_FAILURE, 
             getResourceString(DBT_INTERNAL_ERROR), 
@@ -1324,7 +1319,7 @@ static CERTDERCerts* decodeDERCert(char *derCertBase64) {
  * Decode and display a DER certificate.
  */
 static void printDERCert(int isCACert) {
-
+  SECStatus rv;
   char *derCertBase64 = getParameter("dercert",getResourceString(DBT_DER_CERT));
   CERTDERCerts *collectArgs = decodeDERCert(derCertBase64);
 
@@ -1341,12 +1336,23 @@ static void printDERCert(int isCACert) {
     char *nickname = NULL;
 
     /*add all cert to temp */
-    CERT_ImportCerts(certdb, certUsageSSLServer,
+    rv = CERT_ImportCerts(certdb, certUsageSSLServer,
                      collectArgs->numcerts,  &collectArgs->rawCerts,
                      &retCerts, keepCerts,
                      caOnly, nickname);
 
-    printCert(retCerts[collectArgs->numcerts-1], /*showDetail=*/PR_TRUE, certType);
+    if (rv == SECSuccess) {
+      printCert(retCerts[collectArgs->numcerts-1], /*showDetail=*/PR_TRUE, certType);
+    } else {
+      PR_snprintf(line, sizeof(line), "%d:%s", PR_GetError(),
+                  PR_ErrorToString(PR_GetError(), PR_LANGUAGE_EN));
+
+      /* if unable to import report error */
+      rpt_err(SYSTEM_ERROR,
+              getResourceString(DBT_INTERNAL_ERROR),
+              getResourceString(DBT_INSTALL_FAIL),
+              line);
+    }
   }
 }
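Review bot: On the `rv == SECSuccess` path `retCerts` is still never released; CERT_ImportCerts hands back an array the caller owns (my recollection of the NSS contract, worth confirming), so `CERT_DestroyCertArray(retCerts, collectArgs->numcerts);` after `printCert` would close a leak that predates this commit but sits in code the commit restructures. The `retCerts[collectArgs->numcerts-1]` index also assumes `numcerts >= 1`; if decodeDERCert can return an empty list that needs a guard, but its body is outside the hunk. printDERCert's declarations are in the previous hunk.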
 
@@ -1378,11 +1384,15 @@ installServerCert(char *tokenName, char *certname)
     PRBool caOnly = PR_FALSE;
     char *nickname = certname;
 
-    CERT_ImportCerts(certdb, certUsageSSLServer,
+    rv = CERT_ImportCerts(certdb, certUsageSSLServer,
                      ncerts,  &collectArgs->rawCerts,
                      &retCerts, keepCerts,
                      caOnly, nickname);
 
+    if (rv != SECSuccess) {
+        goto bail;
+    }
+
     cert = retCerts[0];
   }
 
@@ -1420,19 +1430,15 @@ installServerCert(char *tokenName, char *certname)
   /* import certificate to the PKCS11 module */
   rv  = PK11_ImportCertForKeyToSlot(slot, cert, certname, PR_TRUE, 0);
 
+bail:
   if (rv != SECSuccess) {
-    {
-      char *tmpLine;
+    PR_snprintf(line, sizeof(line), "%d:%s", PR_GetError(),
+                PR_ErrorToString(PR_GetError(), PR_LANGUAGE_EN));
 
-      tmpLine = (char *)PR_Malloc(PR_GetErrorTextLength()+1);
-      PR_GetErrorText(tmpLine);
-      PR_snprintf(line, sizeof(line), "%d:%s", PR_GetError(), tmpLine);
-      PR_Free(tmpLine);
-    }
     /* if unable to import report error */
-    rpt_err(SYSTEM_ERROR, 
-            getResourceString(DBT_INTERNAL_ERROR), 
-            getResourceString(DBT_INSTALL_FAIL), 
+    rpt_err(SYSTEM_ERROR,
+            getResourceString(DBT_INTERNAL_ERROR),
+            getResourceString(DBT_INSTALL_FAIL),
             line);
   }
 }
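Review bot: The `goto bail` added in the preceding hunk jumps from the CERT_ImportCerts failure straight to the `bail:` label here, skipping everything between `cert = retCerts[0];` and the PK11_ImportCertForKeyToSlot call; that stretch is outside the hunk, so please confirm nothing in it acquires a resource (a PKCS#11 slot reference, an arena) that is released only on the fall-through path after the import. The same pattern is introduced in installCACert in the next hunk of this file. A short comment at the label, e.g. `bail: /* rv holds the failing NSS status from either import call */`, would help the next reader see why `rv` is shared by both failure sources. installServerCert starts before the hunk.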
@@ -1482,14 +1488,20 @@ installCACert(char *tokenName, char *certname)
     rc = CERT_ImportCerts(certdb, (trustedCA ? certUsageSSLCA : certUsageAnyCA),
                      collectArgs->numcerts,  &collectArgs->rawCerts,
                      &retCerts, keepCerts, caOnly, nickname);
+
+    if (rc != SECSuccess) {
+        goto bail;
+    }
+
     CERT_FindCertByDERCert(certdb, collectArgs->rawCerts);
     cert = retCerts[0];
     rc  = PK11_ImportCert(slot, cert, CK_INVALID_HANDLE, certname, PR_FALSE);
+
+bail:
     if (rc != SECSuccess) {
-        char *tmpLine = (char *)PR_Malloc(PR_GetErrorTextLength()+1);
-        PR_GetErrorText(tmpLine);
-        PR_snprintf(line, sizeof(line), "%d:%s", PR_GetError(), tmpLine);
-        PR_Free(tmpLine);
+        PR_snprintf(line, sizeof(line), "%d:%s", PR_GetError(),
+                    PR_ErrorToString(PR_GetError(), PR_LANGUAGE_EN));
+
         /* if unable to import report error */
         rpt_err(SYSTEM_ERROR, getResourceString(DBT_INTERNAL_ERROR), 
                 getResourceString(DBT_INSTALL_FAIL), line);
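Review bot: The new `goto bail` guards CERT_ImportCerts, but `cert = retCerts[0]` still has no check that the import produced a certificate; with `collectArgs->numcerts == 0` NSS may report SECSuccess with `retCerts` NULL, which this line would dereference (same shape as in installServerCert above). The context line `CERT_FindCertByDERCert(certdb, collectArgs->rawCerts);` discards the certificate reference it returns; if it is meant to verify the import, its result should be checked and released with CERT_DestroyCertificate, otherwise the call can be dropped. installCACert continues past the end of this hunk.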
diff --git a/admserv/cgi-src40/security.properties b/admserv/cgi-src40/security.properties
index fd4f91b..183bad0 100644
--- a/admserv/cgi-src40/security.properties
+++ b/admserv/cgi-src40/security.properties
@@ -39,7 +39,7 @@ security11 { "Unable to read alias directory." }
 security20 { "Slot not found." }
 security21 { "Unable to decode the certificate." }
 security22 { "Private key not found." }
-security23 { "Fail to install certificate." }
+security23 { "Failed to install certificate." }
 security24 { "Either this certificate is for another server, or this certificate was not requested using this server and the selected security device \"%s\"." }
 security25 { "Invalid DER certificate." }
 security26 { "Unable to extract any certificates." }

commit ec879b64efc6f2956dffa8ba0e004e4865364f17
Author: Nathan Kinder <nkinder at redhat.com>
Date:   Tue Aug 13 19:51:49 2013 -0700

    Ticket 47468 - Change security password validation error is out of order
    
    When changing the NSS security database password from Console, the
    input validation errors that are returned by Admin Server are out of
    order from the UI elements in the Console.  The way we were calling
    the function to fetch parameters was causing the calling order to
    process the input fields from the bottom up as viewed in the UI.  This
    makes the error message that is returned to the user look a bit odd.
    
    This patch simply forces the parameters to be fetched in the same
    order as they are displayed in the UI in Console.

diff --git a/admserv/cgi-src40/security.c b/admserv/cgi-src40/security.c
index 31da45d..fef3bea 100644
--- a/admserv/cgi-src40/security.c
+++ b/admserv/cgi-src40/security.c
@@ -2184,8 +2184,15 @@ int main(int argc, char *argv[])
 
       } else if (!PORT_Strcmp(operation, "INIT_PIN")) {
         /* initialize internal token pin */
-        initPin(getParameter("newpwd",getResourceString(DBT_PASSWORD)),
-                getParameter("confirmpwd",getResourceString(DBT_PASSWORD)));
+
+        /* We fetch the paramters here for the benefit of the Console.  If we call
+         * getParameter() as an argument to initPin, the calling order causes the
+         * error message that is returned to be out of order with the display in
+         * the UI. */
+        char *newpwd = getParameter("newpwd",getResourceString(DBT_PASSWORD));
+        char *confirmpwd = getParameter("confirmpwd",getResourceString(DBT_PASSWORD));
+
+        initPin(newpwd, confirmpwd);
 
       } else if (!PORT_Strcmp(operation, "DELETE_CACERT")) {
         /* remove a ca certificate */
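Review bot: The new comment misspells "paramters", and its copy in the CHANGE_PASSWORD hunk below names `initPin` although that branch calls `changePassword`. Suggested wording for both: `/* Fetch the parameters in separate statements so they are evaluated in the order the fields appear in the Console UI; C leaves the evaluation order of function arguments unspecified, and getParameter() reports validation errors as a side effect. */` This also records why a later cleanup must not fold the calls back into the argument list. main() begins and ends outside these hunks.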
@@ -2218,9 +2225,16 @@ int main(int argc, char *argv[])
         /* currently change password only apply to key3.db, and we do
            not deal with change password for external token.  User can
            do that via the software that comes with the hardware */
-        changePassword(getParameter("oldpwd", getResourceString(DBT_OLD_PWD)),
-                       getParameter("newpwd", getResourceString(DBT_NEW_PWD)),
-                       getParameter("confirmpwd", getResourceString(DBT_CONFIRM_PWD)));
+
+        /* We fetch the paramters here for the benefit of the Console.  If we call
+         * getParameter() as an argument to initPin, the calling order causes the
+         * error message that is returned to be out of order with the display in
+         * the UI. */
+        char *oldpwd = getParameter("oldpwd", getResourceString(DBT_OLD_PWD));
+        char *newpwd = getParameter("newpwd", getResourceString(DBT_NEW_PWD));
+        char *confirmpwd =  getParameter("confirmpwd", getResourceString(DBT_CONFIRM_PWD));
+
+        changePassword(oldpwd, newpwd, confirmpwd);
 
       } else if (!PORT_Strcmp(operation, "INSTALL_CRL_CKL")) {


