[Fedora-directory-commits] ldapserver/ldap/servers/slapd ssl.c, 1.12, 1.13

Richard Allen Megginson (rmeggins) fedora-directory-commits at redhat.com
Mon Jan 29 23:44:51 UTC 2007


Author: rmeggins

Update of /cvs/dirsec/ldapserver/ldap/servers/slapd
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv5728/ldapserver/ldap/servers/slapd

Modified Files:
	ssl.c 
Log Message:
Resolves: bug 147886
Description: Warn if cert or key file is missing
Fix Description: My fix for https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=224672 reopened
this bug.  I think the correct way to address this problem is this:
If using security, the key and cert db files must exist i.e. there must already
be a server cert for the server.
If not using security, there may not be a key/cert db, but NSS will create them
if the directory is writable.
Reviewed by: nhosoi (Thanks!)



Index: ssl.c
===================================================================
RCS file: /cvs/dirsec/ldapserver/ldap/servers/slapd/ssl.c,v
retrieving revision 1.12
retrieving revision 1.13
diff -u -r1.12 -r1.13
--- ssl.c	29 Jan 2007 16:46:25 -0000	1.12
+++ ssl.c	29 Jan 2007 23:44:49 -0000	1.13
@@ -359,62 +359,28 @@
 }
 
 static void
-warn_if_no_cert_file(const char *filename)
+warn_if_no_cert_file(const char *dir)
 {
+    char *filename = slapi_ch_smprintf("%s/cert8.db", dir);
 	PRStatus status = PR_Access(filename, PR_ACCESS_READ_OK);
 	if (PR_SUCCESS != status) {
-		/* if file ends in -cert7.db and the corresponding -cert8.db exists, just
-		   warn */
-		char *cert8 = slapi_ch_strdup(filename);
-		char *ptr;
-		if ((ptr = PL_strrstr(cert8, "-cert7.db"))) {
-			strcpy(ptr, "-cert8.db");
-			status = PR_Access(cert8, PR_ACCESS_READ_OK);
-			if (PR_SUCCESS == status) {
-				slapi_log_error(SLAPI_LOG_FATAL, "SSL Initialization",
-								"Notice: certificate DB file %s does not exist but %s does - suggest updating nscertfile\n",
-								filename, cert8);
-			}
-		}
-		slapi_ch_free_string(&cert8);
-
-		if (PR_SUCCESS != status) {
-			slapi_log_error(SLAPI_LOG_FATAL, "SSL Initialization",
-							"Warning: certificate DB file %s does not exist - SSL initialization will likely fail\n",
-							filename);
-		}
+        slapi_log_error(SLAPI_LOG_FATAL, "SSL Initialization",
+                        "Warning: certificate DB file %s does not exist - SSL initialization will likely fail\n",
+                        filename);
 	}
+    slapi_ch_free_string(&filename);
 }
 
 static void
-warn_if_no_key_file(const char *path, const char *name)
+warn_if_no_key_file(const char *dir)
 {
-	char last = path[strlen(path)-1];
-	char *filename = slapi_ch_smprintf("%s%s%s", path, ((last == '/' || last == '\\') ? "" : "/"), name);
+	char *filename = slapi_ch_smprintf("%s/key3.db", dir);
 	PRStatus status = PR_Access(filename, PR_ACCESS_READ_OK);
 	if (PR_SUCCESS != status) {
-		/* if file ends in -key3.db and the corresponding -key4.db exists, just
-		   warn */
-		char *key4 = slapi_ch_strdup(filename);
-		char *ptr;
-		if ((ptr = PL_strrstr(key4, "-key3.db"))) {
-			strcpy(ptr, "-key4.db");
-			status = PR_Access(key4, PR_ACCESS_READ_OK);
-			if (PR_SUCCESS == status) {
-				slapi_log_error(SLAPI_LOG_FATAL, "SSL Initialization",
-								"Notice: key DB file %s does not exist but %s does - suggest updating nskeyfile\n",
-								filename, key4);
-			}
-		}
-		slapi_ch_free_string(&key4);
-
-		if (PR_SUCCESS != status) {
-			slapi_log_error(SLAPI_LOG_FATAL, "SSL Initialization",
-							"Warning: key DB file %s does not exist - SSL initialization will likely fail\n",
-							filename);
-		}
+        slapi_log_error(SLAPI_LOG_FATAL, "SSL Initialization",
+                        "Warning: key DB file %s does not exist - SSL initialization will likely fail\n",
+                        filename);
 	}
-
 	slapi_ch_free_string(&filename);
 }
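Review bot: The two rewritten helpers are now byte-identical apart from the file name and the "certificate"/"key" word in the message, so the body is duplicated at `warn_if_no_cert_file` and `warn_if_no_key_file`; a single parameterised helper keeps the message format and the `PR_Access`/`slapi_ch_free_string` handling in one place. The added lines also use space indentation while the surrounding context lines use tabs, which is worth normalising before commit. Both checks remain advisory (the server continues after the `SLAPI_LOG_FATAL` message), which matches the existing behaviour and is not changed below.
```c
/* Log a warning if the NSS database file `name` under `dir` is not readable.
   `label` names the database ("certificate" or "key") in the message. */
static void
warn_if_no_db_file(const char *dir, const char *name, const char *label)
{
	char *filename = slapi_ch_smprintf("%s/%s", dir, name);
	if (PR_SUCCESS != PR_Access(filename, PR_ACCESS_READ_OK)) {
		slapi_log_error(SLAPI_LOG_FATAL, "SSL Initialization",
						"Warning: %s DB file %s does not exist - SSL initialization will likely fail\n",
						label, filename);
	}
	slapi_ch_free_string(&filename);
}

static void
warn_if_no_cert_file(const char *dir)
{
	warn_if_no_db_file(dir, "cert8.db", "certificate");
}

static void
warn_if_no_key_file(const char *dir)
{
	warn_if_no_db_file(dir, "key3.db", "key");
}
```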
 
@@ -450,20 +416,26 @@
 		certdir[len-1] = '\0';
 	}
 
-    /* we open the key/cert db in rw mode, so make sure the directory 
-       is writable */
-    if (PR_SUCCESS != (status = PR_Access(certdir, PR_ACCESS_WRITE_OK))) {
-        char *serveruser = "unknown";
+    /* If the server is configured to use SSL, we must have a key and cert db */
+    if (config_get_security()) {
+        warn_if_no_cert_file(certdir);
+        warn_if_no_key_file(certdir);
+    } else { /* otherwise, NSS will create empty databases */
+        /* we open the key/cert db in rw mode, so make sure the directory 
+           is writable */
+        if (PR_SUCCESS != (status = PR_Access(certdir, PR_ACCESS_WRITE_OK))) {
+            char *serveruser = "unknown";
 #ifndef _WIN32
-        serveruser = config_get_localuser();
+            serveruser = config_get_localuser();
 #endif
-        slapi_log_error(SLAPI_LOG_FATAL, "SSL Initialization",
-                        "Warning: The key/cert database directory [%s] is not writable by "
-                        "the server uid [%s]: initialization likely to fail.\n",
-                        certdir, serveruser);
+            slapi_log_error(SLAPI_LOG_FATAL, "SSL Initialization",
+                            "Warning: The key/cert database directory [%s] is not writable by "
+                            "the server uid [%s]: initialization likely to fail.\n",
+                            certdir, serveruser);
 #ifndef _WIN32
-        slapi_ch_free_string(&serveruser);
+            slapi_ch_free_string(&serveruser);
 #endif
+        }
     }
 
     /******** Initialise NSS *********/
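Review bot: On the new security-enabled path only the readability of cert8.db/key3.db is probed, while the comment kept on the else side states the key/cert database is opened in rw mode; the directory-writable check is now skipped there, so a present-but-read-only database file no longer produces any warning before NSS initialisation. If rw access to existing files is genuinely required, the helpers should probe with `PR_ACCESS_WRITE_OK` (or `PR_ACCESS_READ_OK` and then `PR_ACCESS_WRITE_OK` with a distinct message); whether NSS tolerates read-only database files cannot be confirmed from this hunk. Either way the comment `/* If the server is configured to use SSL, we must have a key and cert db */` would benefit from saying why directory writability is not checked on this path, e.g. `/* ... NSS must not need to create them, so directory writability is irrelevant here */`. The enclosing function starts and ends outside the hunk.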



