[Date Prev][Date Next] [Chronological] [Thread] [Top]

[BUG,PATCH] slapd unable to import CRL using GnuTLS backend



Hi,

When openldap is linked with gnutls for TLS support, a file containing
CRL in PEM format can be provided (in slapd.conf, using TLSCRLFile
parameter).

The following code in ldap_int_tls_init_ctx() (librairies/libldap/tls.c)
prevents the daemon to start when the option is used:

        if ( lo->ldo_tls_crlfile ) {
                rc = gnutls_certificate_set_x509_crl_file( 
                        ((tls_ctx*) lo->ldo_tls_ctx)->cred,
                        crlfile,
                        GNUTLS_X509_FMT_PEM );
                if ( rc < 0 ) goto error_exit;
        }

because gnutls_certificate_set_x509_crl_file() returns the number of CRL
files that have been imported which is stored in rc and returned later
in the function. Caller expects 0, otherwise it reports an error, the
value of rc (below, with 3 CRL in the file) and slapd fails to start:

   ....  main TLS init def ctx failed: 3

The patch below is for 2.4.10, but should apply against all versions (it
applies fine against current Debian version available under Unstable).
Tell me if you have issues. 

I recompiled the Debian version with the patch applied and it works as
expected.

Cheers,

a+

Index: openldap-2.4.10/libraries/libldap/tls.c
===================================================================
--- openldap-2.4.10.orig/libraries/libldap/tls.c	2008-06-24 16:10:00.128945991 +0200
+++ openldap-2.4.10/libraries/libldap/tls.c	2008-06-24 16:11:46.804929042 +0200
@@ -754,7 +754,10 @@
 			((tls_ctx*) lo->ldo_tls_ctx)->cred,
 			crlfile,
 			GNUTLS_X509_FMT_PEM );
-		if ( rc < 0 ) goto error_exit;
+		if ( rc < 0 )
+			goto error_exit;
+		else
+			rc = 0;
 	}
 	if ( is_server ) {
 		gnutls_dh_params_init (&((tls_ctx*) 

Attachment: pgpcaaOd62UkU.pgp
Description: PGP signature