Commit 6753a945 authored by Rocky Automation's avatar Rocky Automation 📺

import 389-ds-base-1.4.1.3-7.module+el8.1.0+4150+5b8c2c1f

parent 869e9558
3a3a21c4189ba8c71fc0ddf06f8bf49f592e8cc5 SOURCES/389-ds-base-1.4.0.20-10.tar.bz2
92fdc0b38680aaee1fa7ccd89cbf1af61224ff46 SOURCES/jemalloc-5.1.0.tar.bz2
50c525db2c9adfc7cca119ed13110a42d88d079c SOURCES/389-ds-base-1.4.1.3.tar.bz2
5a5255f7bca3e79a063f26f292cf93f17fe3b14f SOURCES/jemalloc-5.2.0.tar.bz2
SOURCES/389-ds-base-1.4.0.20-10.tar.bz2
SOURCES/jemalloc-5.1.0.tar.bz2
SOURCES/389-ds-base-1.4.1.3.tar.bz2
SOURCES/jemalloc-5.2.0.tar.bz2
From 5b36c591ef0e79ee1fd4a0db4644d9d0e8d183ca Mon Sep 17 00:00:00 2001
From: Matus Honek <mhonek@redhat.com>
Date: Mon, 27 May 2019 10:59:03 +0000
Subject: [PATCH] Issue 49875 - Move SystemD service config to a drop-in file
Bug Description:
Runtime configuration options are mixed into the service specification
which should seldom be changed by users.
Fix Description:
Move the runtime configuration options into a drop-in file. These options
are then automatically pulled in by SystemD.
Additional Info:
Erasing the default values of the mentioned options to implicitly pull in
system defaults which are more sane nowadays.
The .service file is now common for xsan and non-xsan builds, the former
differing only by an additional drop-in file.
Related https://pagure.io/389-ds-base/issue/49875
Author: Matus Honek <mhonek@redhat.com>
Review by: firstyear, mreynolds, vashirov (thanks!)
---
Makefile.am | 23 ++++--
configure.ac | 2 +
.../systemd.template.service.custom.conf.in | 52 +++++++++++++
wrappers/systemd.template.service.in | 57 +-------------
.../systemd.template.service.xsan.conf.in | 11 +++
wrappers/systemd.template.xsan.service.in | 77 -------------------
6 files changed, 85 insertions(+), 137 deletions(-)
create mode 100644 wrappers/systemd.template.service.custom.conf.in
create mode 100644 wrappers/systemd.template.service.xsan.conf.in
delete mode 100644 wrappers/systemd.template.xsan.service.in
diff --git a/Makefile.am b/Makefile.am
index 01ac3a04d..de9e0c460 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -300,6 +300,7 @@ serverdir = $(libdir)/@serverdir@
serverplugindir = $(libdir)@serverplugindir@
taskdir = $(datadir)@scripttemplatedir@
systemdsystemunitdir = @with_systemdsystemunitdir@
+systemdsystemunitdropindir = @with_systemdsystemunitdir@/$(PACKAGE_NAME)@.service.d
systemdsystemconfdir = @with_systemdsystemconfdir@
systemdgroupname = @with_systemdgroupname@
initdir = @initdir@
@@ -880,6 +881,11 @@ if SYSTEMD
systemdsystemunit_DATA = wrappers/$(PACKAGE_NAME)@.service \
wrappers/$(systemdgroupname) \
wrappers/$(PACKAGE_NAME)-snmp.service
+
+systemdsystemunitdropin_DATA = wrappers/$(PACKAGE_NAME)@.service.d/custom.conf
+if with_sanitizer
+systemdsystemunitdropin_DATA += wrappers/$(PACKAGE_NAME)@.service.d/xsan.conf
+endif
else
if INITDDIR
init_SCRIPTS = wrappers/$(PACKAGE_NAME) \
@@ -2314,12 +2320,17 @@ endif
# yes, that is an @ in the filename . . .
%/$(PACKAGE_NAME)@.service: %/systemd.template.service.in
if [ ! -d $(dir $@) ] ; then mkdir -p $(dir $@) ; fi
- if [ ! -z ${SANITIZER} ] ; then \
- service_template=$(shell echo $^ | sed 's/template/template.xsan/g'); \
- else \
- service_template=$^; \
- fi; \
- $(fixupcmd) $$service_template > $@
+ $(fixupcmd) $^ > $@
+
+%/$(PACKAGE_NAME)@.service.d/custom.conf: %/systemd.template.service.custom.conf.in
+ if [ ! -d $(dir $@) ] ; then mkdir -p $(dir $@) ; fi
+ $(fixupcmd) $^ > $@
+
+if with_sanitizer
+%/$(PACKAGE_NAME)@.service.d/xsan.conf: %/systemd.template.service.xsan.conf.in
+ if [ ! -d $(dir $@) ] ; then mkdir -p $(dir $@) ; fi
+ $(fixupcmd) $^ > $@
+endif
%/$(systemdgroupname): %/systemd.group.in
if [ ! -d $(dir $@) ] ; then mkdir -p $(dir $@) ; fi
diff --git a/configure.ac b/configure.ac
index 3660e6816..d329e84a9 100644
--- a/configure.ac
+++ b/configure.ac
@@ -196,6 +196,8 @@ AC_SUBST([ubsan_cflags])
AC_SUBST([ubsan_rust_defs])
AM_CONDITIONAL(enable_ubsan,test "$enable_ubsan" = "yes")
+AM_CONDITIONAL(with_sanitizer,test "$enable_asan" = "yes" -o "$enable_msan" = "yes" -o "$enable_tsan" = "yes" -o "$enable_ubsan" = "yes")
+
# Enable CLANG
AC_MSG_CHECKING(for --enable-clang)
AC_ARG_ENABLE(clang, AS_HELP_STRING([--enable-clang], [Enable clang (default: no)]),
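Review bot: The new `with_sanitizer` conditional chains its four comparisons with `test ... -o ...`, which POSIX marks obsolescent and the Autoconf portability guidance advises against because the expression can be mis-parsed by some shells. The portable spelling is separate tests joined by the shell, e.g. `test "$enable_asan" = "yes" || test "$enable_msan" = "yes" || test "$enable_tsan" = "yes" || test "$enable_ubsan" = "yes"`. A one-line comment above it, such as `# True when any sanitizer is enabled; installs the xsan.conf systemd drop-in`, would also tell the reader why this aggregate exists next to the per-sanitizer conditionals.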
diff --git a/wrappers/systemd.template.service.custom.conf.in b/wrappers/systemd.template.service.custom.conf.in
new file mode 100644
index 000000000..0dce62826
--- /dev/null
+++ b/wrappers/systemd.template.service.custom.conf.in
@@ -0,0 +1,52 @@
+# To change any of the below values, please use a drop-in file in which
+# you can declare overrides according to systemd.unit(5), either of:
+# - applying to all instances:
+# /etc/systemd/system/dirsrv@.service.d/custom.conf
+# - applying to a single instance (overriding the above):
+# /etc/systemd/system/dirsrv@<instance>.service.d/custom.conf
+#
+# Some of the most interesting coniguration options are mentioned below.
+# See systemd.service(5) and systemd.exec(5) for the respective documentation.
+#
+# After updating the service configuration, do not forget to apply the changes:
+# - reload systemd configuration: systemctl daemon-reload
+# - restart the service: systemctl restart @package_name@@<instance>.service
+
+[Service]
+TimeoutStartSec=0
+TimeoutStopSec=600
+
+# These are from man systemd.exec and man systemd.resource-control
+
+# This controls the resources to the direct child of systemd, in
+# this case ns-slapd. Because we are type notify we recieve these
+# limits correctly.
+
+# This controls the number of file handles avaliable. File handles
+# correlate to sockets for the process, and our access to logs and
+# databases. Note, the configuration setting in Directory Server,
+# "nsslapd-maxdescriptors", can override this limit.
+#LimitNOFILE=
+
+# You can limit the memory in the cgroup with these, and ns-slapd
+# will account for them in it's autotuning.
+# Memory account may be controlled by DefaultMemoryAccounting= in systemd-system.conf
+#MemoryAccounting=yes
+#MemoryLimit=<bytes>
+
+# Limits on the size of coredump that may be produced by the process. It's not
+# specified how this interacts with coredumpd.
+# 0 means not to produce cores.
+#LimitCORE=<bytes>
+
+# Limit number of processes (threads) we may spawn. We don't advise you change
+# this as DS will autodetect your threads / cpus and adjust as needed.
+#LimitNPROC=
+
+# Possible hardening options:
+#PrivateDevices=yes
+#ProtectSystem=yes
+#ProtectHome=yes
+#PrivateTmp=yes
+
+
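Review bot: The header comment points administrators at `/etc/systemd/system/dirsrv@.service.d/custom.conf`, but a drop-in under /etc with the same file name as the packaged one replaces it as a whole rather than merging, so `TimeoutStartSec=0` and `TimeoutStopSec=600` would silently stop applying unless the administrator repeats them. Recommending a different file name avoids that, for example `# /etc/systemd/system/@package_name@@.service.d/override.conf` (constructed name), which also removes the hard-coded `dirsrv` in a template that uses `@package_name@` for the restart command. Separately, `LimitCORE=` and every hardening directive are now shipped commented out, so the core-dump limit and sandboxing depend entirely on system defaults. The comment should say so, so that operators enable `ProtectSystem=`, `ProtectHome=` and `PrivateTmp=` deliberately rather than assuming they are active.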
diff --git a/wrappers/systemd.template.service.in b/wrappers/systemd.template.service.in
index 7142c3492..2ac6f978f 100644
--- a/wrappers/systemd.template.service.in
+++ b/wrappers/systemd.template.service.in
@@ -1,17 +1,6 @@
-# you usually do not want to edit this file - instead, edit the
-# @initconfigdir@/@package_name@.systemd file instead - otherwise,
-# do not edit this file in /lib/systemd/system - instead, do the following:
-# cp /lib/systemd/system/dirsrv\@.service /etc/systemd/system/dirsrv\@.service
-# mkdir -p /etc/systemd/system/@systemdgroupname@.wants
-# edit /etc/systemd/system/dirsrv\@.service - uncomment the LimitNOFILE=8192 line
-# where %i is the name of the instance
-# you may already have a symlink in
-# /etc/systemd/system/@systemdgroupname@.wants/dirsrv@%i.service pointing to
-# /lib/systemd/system/dirsrv\@.service - you will have to change it to link
-# to /etc/systemd/system/dirsrv\@.service instead
-# ln -s /etc/systemd/system/dirsrv\@.service /etc/systemd/system/@systemdgroupname@.wants/dirsrv@%i.service
-# systemctl daemon-reload
-# systemctl (re)start @systemdgroupname@
+# You should not need to edit this file. Instead, use a drop-in file as described in:
+# /usr/lib/systemd/system/@package_name@@.service.d/custom.conf
+
[Unit]
Description=@capbrand@ Directory Server %i.
PartOf=@systemdgroupname@
@@ -21,51 +10,11 @@ Before=radiusd.service
[Service]
Type=notify
NotifyAccess=all
-TimeoutStartSec=0
-TimeoutStopSec=600
EnvironmentFile=-@initconfigdir@/@package_name@
EnvironmentFile=-@initconfigdir@/@package_name@-%i
PIDFile=@localstatedir@/run/@package_name@/slapd-%i.pid
ExecStartPre=@libexecdir@/ds_systemd_ask_password_acl @instconfigdir@/slapd-%i/dse.ldif
ExecStart=@sbindir@/ns-slapd -D @instconfigdir@/slapd-%i -i @localstatedir@/run/@package_name@/slapd-%i.pid
-#### To change any of these values or directives, you should use a drop in file
-# such as: /etc/systemd/system/dirsrv@<instance>.d/custom.conf
-
-# These are from man systemd.exec and man systemd.resource-control
-
-# This controls the resources to the direct child of systemd, in
-# this case ns-slapd. Because we are type notify we recieve these
-# limits correctly.
-
-# This controls the number of file handles avaliable. File handles
-# correlate to sockets for the process, and our access to logs and
-# databases. Note, the configuration setting in Directory Server,
-# "nsslapd-maxdescriptors", can override this limit.
-LimitNOFILE=16384
-
-# You can limit the memory in the cgroup with these, and ns-slapd
-# will account for them in it's autotuning.
-# Memory account may be controlled by DefaultMemoryAccounting= in systemd-system.conf
-# MemoryAccounting=true
-# MemoryLimit=bytes
-
-# Limits on the size of coredump that may be produced by the process. It's not
-# specified how this interacts with coredumpd.
-# 0 means not to produce cores.
-# This value is 64G
-LimitCORE=68719476736
-
-# Limit number of processes (threads) we may spawn. We don't advise you change
-# this as DS will autodetect your threads / cpus and adjust as needed.
-# LimitNPROC=
-
-# Hardening options:
-# PrivateDevices=true
-# ProtectSystem=true
-# ProtectHome=true
-# PrivateTmp=true
-
[Install]
WantedBy=multi-user.target
-
diff --git a/wrappers/systemd.template.service.xsan.conf.in b/wrappers/systemd.template.service.xsan.conf.in
new file mode 100644
index 000000000..f4bf809b9
--- /dev/null
+++ b/wrappers/systemd.template.service.xsan.conf.in
@@ -0,0 +1,11 @@
+# This file is present because the server has been built with a sanitizer.
+# It is not meant for a production usage.
+[Unit]
+Description=@capbrand@ Directory Server with @SANITIZER@ %i.
+
+[Service]
+# We can't symbolize here, as llvm symbolize crashes when it goes near systemd.
+Environment=ASAN_OPTIONS=log_path=@localstatedir@/run/@package_name@/ns-slapd-%i.asan:print_stacktrace=1
+Environment=TSAN_OPTIONS=log_path=@localstatedir@/run/@package_name@/ns-slapd-%i.tsan:print_stacktrace=1:second_deadlock_stack=1:history_size=7
+Environment=MSAN_OPTIONS=log_path=@localstatedir@/run/@package_name@/ns-slapd-%i.msan:print_stacktrace=1
+Environment=UBSAN_OPTIONS=log_path=@localstatedir@/run/@package_name@/ns-slapd-%i.ubsan:print_stacktrace=1
diff --git a/wrappers/systemd.template.xsan.service.in b/wrappers/systemd.template.xsan.service.in
deleted file mode 100644
index 541392ff8..000000000
--- a/wrappers/systemd.template.xsan.service.in
+++ /dev/null
@@ -1,77 +0,0 @@
-# you usually do not want to edit this file - instead, edit the
-# @initconfigdir@/@package_name@.systemd file instead - otherwise,
-# do not edit this file in /lib/systemd/system - instead, do the following:
-# cp /lib/systemd/system/dirsrv\@.service /etc/systemd/system/dirsrv\@.service
-# mkdir -p /etc/systemd/system/@systemdgroupname@.wants
-# edit /etc/systemd/system/dirsrv\@.service - uncomment the LimitNOFILE=8192 line
-# where %i is the name of the instance
-# you may already have a symlink in
-# /etc/systemd/system/@systemdgroupname@.wants/dirsrv@%i.service pointing to
-# /lib/systemd/system/dirsrv\@.service - you will have to change it to link
-# to /etc/systemd/system/dirsrv\@.service instead
-# ln -s /etc/systemd/system/dirsrv\@.service /etc/systemd/system/@systemdgroupname@.wants/dirsrv@%i.service
-# systemctl daemon-reload
-# systemctl (re)start @systemdgroupname@
-[Unit]
-Description=@capbrand@ Directory Server with @SANITIZER@ %i.
-PartOf=@systemdgroupname@
-After=chronyd.service ntpd.service network-online.target syslog.target
-Before=radiusd.service
-
-[Service]
-Type=notify
-NotifyAccess=all
-TimeoutStartSec=0
-TimeoutStopSec=600
-EnvironmentFile=@initconfigdir@/@package_name@
-EnvironmentFile=@initconfigdir@/@package_name@-%i
-PIDFile=@localstatedir@/run/@package_name@/slapd-%i.pid
-# We can't symbolize here, as llvm symbolize crashes when it goes near systemd.
-Environment=ASAN_OPTIONS=log_path=@localstatedir@/run/@package_name@/ns-slapd-%i.asan:print_stacktrace=1
-Environment=TSAN_OPTIONS=log_path=@localstatedir@/run/@package_name@/ns-slapd-%i.tsan:print_stacktrace=1:second_deadlock_stack=1:history_size=7
-Environment=MSAN_OPTIONS=log_path=@localstatedir@/run/@package_name@/ns-slapd-%i.msan:print_stacktrace=1
-Environment=UBSAN_OPTIONS=log_path=@localstatedir@/run/@package_name@/ns-slapd-%i.ubsan:print_stacktrace=1
-LimitCORE=infinity
-ExecStartPre=@libexecdir@/ds_systemd_ask_password_acl @instconfigdir@/slapd-%i/dse.ldif
-ExecStart=@sbindir@/ns-slapd -D @instconfigdir@/slapd-%i -i @localstatedir@/run/@package_name@/slapd-%i.pid
-
-#### To change any of these values or directives, you should use a drop in file
-# such as: /etc/systemd/system/dirsrv@<instance>.d/custom.conf
-
-# These are from man systemd.exec and man systemd.resource-control
-
-# This controls the resources to the direct child of systemd, in
-# this case ns-slapd. Because we are type notify we recieve these
-# limits correctly.
-
-# This controls the number of file handles avaliable. File handles
-# correlate to sockets for the process, and our access to logs and
-# databases.
-LimitNOFILE=16384
-
-# You can limit the memory in the cgroup with these, and ns-slapd
-# will account for them in it's autotuning.
-# Memory account may be controlled by DefaultMemoryAccounting= in systemd-system.conf
-# MemoryAccounting=true
-# MemoryLimit=bytes
-
-# Limits on the size of coredump that may be produced by the process. It's not
-# specified how this interacts with coredumpd.
-# 0 means not to produce cores.
-# This value is 64G
-LimitCORE=68719476736
-
-# Limit number of processes (threads) we may spawn. We don't advise you change
-# this as DS will autodetect your threads / cpus and adjust as needed.
-# LimitNPROC=
-
-# Hardening options:
-# PrivateDevices=true
-# ProtectSystem=true
-# ProtectHome=true
-# PrivateTmp=true
-
-
-[Install]
-WantedBy=multi-user.target
-
--
2.21.0
From 9208a7d1a9869a963c29d11def4a31a85eeaeeec Mon Sep 17 00:00:00 2001
From: Mark Reynolds <mreynolds@redhat.com>
Date: Tue, 14 May 2019 16:58:55 -0400
Subject: [PATCH] Ticket 50355 - NSS can change the requested SSL min and max
versions
Description: If we try and set a min and max SSL version in the server,
it is actually only a request. After setting the min and
max, you need to retrieve the min and max to see what NSS
did. Then you have to reset the min and max versions one
more time to actually set the valid range. So yes, you do
have to do a set() -> get() -> set().
There is also another outstanding issue with NSS where it says
the default max SSL version in FIPS mode is 1.3, but in fact
it is 1.2. So this patch has a hack fix to workaround that
bug. It should be able to be removed soon...
https://pagure.io/389-ds-base/issue/50355
Reviewed by: mhonek(Thanks!)
---
ldap/servers/slapd/ssl.c | 95 ++++++++++++++++++++++++----------------
1 file changed, 57 insertions(+), 38 deletions(-)
diff --git a/ldap/servers/slapd/ssl.c b/ldap/servers/slapd/ssl.c
index a7c3ab7b1..2d7bc2bd6 100644
--- a/ldap/servers/slapd/ssl.c
+++ b/ldap/servers/slapd/ssl.c
@@ -41,15 +41,15 @@
* Default SSL Version Rule
* Old SSL version attributes:
* nsSSL3: off -- nsSSL3 == SSL_LIBRARY_VERSION_3_0
- * nsTLS1: on -- nsTLS1 == SSL_LIBRARY_VERSION_TLS_1_0 and greater
+ * nsTLS1: on -- nsTLS1 == SSL_LIBRARY_VERSION_TLS_1_2 and greater
* Note: TLS1.0 is defined in RFC2246, which is close to SSL 3.0.
* New SSL version attributes:
- * sslVersionMin: TLS1.0
+ * sslVersionMin: TLS1.2
* sslVersionMax: max ssl version supported by NSS
******************************************************************************/
-#define DEFVERSION "TLS1.0"
-#define CURRENT_DEFAULT_SSL_VERSION SSL_LIBRARY_VERSION_TLS_1_0
+#define DEFVERSION "TLS1.2"
+#define CURRENT_DEFAULT_SSL_VERSION SSL_LIBRARY_VERSION_TLS_1_2
extern char *slapd_SSL3ciphers;
extern symbol_t supported_ciphers[];
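Review bot: The default minimum protocol is now written in three separate places with two different constant families: `DEFVERSION`/`CURRENT_DEFAULT_SSL_VERSION` here, and the literal `LDAP_OPT_X_TLS_PROTOCOL_TLS1_2` in the `getSSLVersionRange` and `getSSLVersionRangeOL` hunks that follow. Nothing ties them together, so a later change to the floor can easily update one and miss the others, leaving the pre-initialisation default out of step with the NSS default. A comment on the macros such as `/* keep in sync with the defaults in getSSLVersionRange() and getSSLVersionRangeOL() */` would make the coupling visible. The retained context line `Note: TLS1.0 is defined in RFC2246, which is close to SSL 3.0.` could also say that TLS 1.0 and 1.1 are no longer enabled by default.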
@@ -435,8 +435,13 @@ getSSLVersionRange(char **min, char **max)
return -1;
}
if (!slapd_ssl_listener_is_initialized()) {
+ /*
+ * We have not initialized NSS yet, so we will set the default for
+ * now. Then it will get adjusted to NSS's default min and max once
+ * we complete the security initialization in slapd_ssl_init2()
+ */
if (min) {
- *min = slapi_getSSLVersion_str(LDAP_OPT_X_TLS_PROTOCOL_TLS1_0, NULL, 0);
+ *min = slapi_getSSLVersion_str(LDAP_OPT_X_TLS_PROTOCOL_TLS1_2, NULL, 0);
}
if (max) {
*max = slapi_getSSLVersion_str(LDAP_OPT_X_TLS_PROTOCOL_TLS1_2, NULL, 0);
@@ -457,7 +462,7 @@ getSSLVersionRangeOL(int *min, int *max)
{
/* default range values */
if (min) {
- *min = LDAP_OPT_X_TLS_PROTOCOL_TLS1_0;
+ *min = LDAP_OPT_X_TLS_PROTOCOL_TLS1_2;
}
if (max) {
*max = LDAP_OPT_X_TLS_PROTOCOL_TLS1_2;
@@ -2099,43 +2104,57 @@ slapd_ssl_init2(PRFileDesc **fd, int startTLS)
}
}
- if (NSSVersionMin > 0) {
- /* Use new NSS API SSL_VersionRangeSet (NSS3.14 or newer) */
- slapdNSSVersions.min = NSSVersionMin;
- slapdNSSVersions.max = NSSVersionMax;
- restrict_SSLVersionRange();
- (void)slapi_getSSLVersion_str(slapdNSSVersions.min, mymin, sizeof(mymin));
- (void)slapi_getSSLVersion_str(slapdNSSVersions.max, mymax, sizeof(mymax));
- slapi_log_err(SLAPI_LOG_INFO, "Security Initialization",
- "slapd_ssl_init2 - Configured SSL version range: min: %s, max: %s\n",
- mymin, mymax);
+ /* Handle the SSL version range */
+ slapdNSSVersions.min = NSSVersionMin;
+ slapdNSSVersions.max = NSSVersionMax;
+ restrict_SSLVersionRange();
+ (void)slapi_getSSLVersion_str(slapdNSSVersions.min, mymin, sizeof(mymin));
+ (void)slapi_getSSLVersion_str(slapdNSSVersions.max, mymax, sizeof(mymax));
+ slapi_log_err(SLAPI_LOG_INFO, "Security Initialization",
+ "slapd_ssl_init2 - Configured SSL version range: min: %s, max: %s\n",
+ mymin, mymax);
+ sslStatus = SSL_VersionRangeSet(pr_sock, &slapdNSSVersions);
+ if (sslStatus != SECSuccess) {
+ errorCode = PR_GetError();
+ slapd_SSL_error("Security Initialization - "
+ "slapd_ssl_init2 - Failed to set SSL range: min: %s, max: %s - error %d (%s)\n",
+ mymin, mymax, errorCode, slapd_pr_strerror(errorCode));
+ }
+ /*
+ * Get the version range as NSS might have adjusted our requested range. FIPS mode is
+ * pretty picky about this stuff.
+ */
+ sslStatus = SSL_VersionRangeGet(pr_sock, &slapdNSSVersions);
+ if (sslStatus == SECSuccess) {
+ if (slapdNSSVersions.max > LDAP_OPT_X_TLS_PROTOCOL_TLS1_2 && slapd_pk11_isFIPS()) {
+ /*
+ * FIPS & NSS currently only support a max version of TLS1.2
+ * (although NSS advertises 1.3 as a max range in FIPS mode),
+ * hopefully this code block can be removed soon...
+ */
+ slapdNSSVersions.max = LDAP_OPT_X_TLS_PROTOCOL_TLS1_2;
+ }
+ /* Reset request range */
sslStatus = SSL_VersionRangeSet(pr_sock, &slapdNSSVersions);
if (sslStatus == SECSuccess) {
- /* Set the restricted value to the cn=encryption entry */
+ (void)slapi_getSSLVersion_str(slapdNSSVersions.min, mymin, sizeof(mymin));
+ (void)slapi_getSSLVersion_str(slapdNSSVersions.max, mymax, sizeof(mymax));
+ slapi_log_err(SLAPI_LOG_INFO, "Security Initialization",
+ "slapd_ssl_init2 - NSS adjusted SSL version range: min: %s, max: %s\n",
+ mymin, mymax);
} else {
+ errorCode = PR_GetError();
+ (void)slapi_getSSLVersion_str(slapdNSSVersions.min, mymin, sizeof(mymin));
+ (void)slapi_getSSLVersion_str(slapdNSSVersions.max, mymax, sizeof(mymax));
slapd_SSL_error("Security Initialization - "
- "slapd_ssl_init2 - Failed to set SSL range: min: %s, max: %s\n",
- mymin, mymax);
+ "slapd_ssl_init2 - Failed to set SSL range: min: %s, max: %s - error %d (%s)\n",
+ mymin, mymax, errorCode, slapd_pr_strerror(errorCode));
}
} else {
- /* deprecated code */
- sslStatus = SSL_OptionSet(pr_sock, SSL_ENABLE_SSL3, enableSSL3);
- if (sslStatus != SECSuccess) {
- errorCode = PR_GetError();
- slapd_SSL_warn("Failed to %s SSLv3 "
- "on the imported socket (" SLAPI_COMPONENT_NAME_NSPR " error %d - %s)",
- enableSSL3 ? "enable" : "disable",
- errorCode, slapd_pr_strerror(errorCode));
- }
-
- sslStatus = SSL_OptionSet(pr_sock, SSL_ENABLE_TLS, enableTLS1);
- if (sslStatus != SECSuccess) {
- errorCode = PR_GetError();
- slapd_SSL_warn("Failed to %s TLSv1 "
- "on the imported socket (" SLAPI_COMPONENT_NAME_NSPR " error %d - %s)",
- enableTLS1 ? "enable" : "disable",
- errorCode, slapd_pr_strerror(errorCode));
- }
+ errorCode = PR_GetError();
+ slapd_SSL_error("Security Initialization - ",
+ "slapd_ssl_init2 - Failed to get SSL range from socket - error %d (%s)\n",
+ errorCode, slapd_pr_strerror(errorCode));
}
val = NULL;
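Review bot: In the new `else` branch for a failed `SSL_VersionRangeGet()`, the `slapd_SSL_error` call has a comma after `"Security Initialization - "`. Judging by the other calls in this hunk, that literal alone becomes the format string and the real message is passed as an unused argument, so the log line carries neither the error code nor its text. Removing the comma lets the literals concatenate: `slapd_SSL_error("Security Initialization - "` followed directly by `"slapd_ssl_init2 - Failed to get SSL range from socket - error %d (%s)\n",`. All three failure paths here only log and fall through, so the listener could start with whatever range NSS left on the socket rather than the configured minimum. `slapd_ssl_init2` begins and ends outside this hunk, so it is worth confirming that a later check rejects that state, or returning an error here. The FIPS clamp also compares an NSS `SSLVersionRange` field against `LDAP_OPT_X_TLS_PROTOCOL_TLS1_2`, where `SSL_LIBRARY_VERSION_TLS_1_2` is the matching constant family.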
@@ -2221,7 +2240,7 @@ slapd_ssl_init2(PRFileDesc **fd, int startTLS)
* that matters. */
if (!startTLS)
- _ssl_listener_initialized = 1; /* --ugaston */
+ _ssl_listener_initialized = 1;
return 0;
}
--
2.21.0
From 6aa839f96f5ac880d45b0e98ed05445784476745 Mon Sep 17 00:00:00 2001
From: Mark Reynolds <mreynolds@redhat.com>
Date: Thu, 13 Jun 2019 17:55:25 -0400
Subject: [PATCH] Issue 50431 - Fix regression from coverity fix
Description: Fix a regression from the initial coverity commit
where we did not allow NULL pointers to be set into
the pblock. They were false positives reported by
covscan.
https://pagure.io/389-ds-base/issue/50431
Reviewed by: mreynolds (one line commit rule)
---
ldap/servers/plugins/acl/acleffectiverights.c | 4 +---
ldap/servers/plugins/views/views.c | 4 +---
ldap/servers/slapd/back-ldbm/vlv_srch.c | 3 ++-
ldap/servers/slapd/dse.c | 6 ++----
ldap/servers/slapd/opshared.c | 3 +--
ldap/servers/slapd/plugin_internal_op.c | 3 +--
ldap/servers/slapd/plugin_syntax.c | 4 +---
7 files changed, 9 insertions(+), 18 deletions(-)
diff --git a/ldap/servers/plugins/acl/acleffectiverights.c b/ldap/servers/plugins/acl/acleffectiverights.c
index 5dd46a064..8a34ac5eb 100644
--- a/ldap/servers/plugins/acl/acleffectiverights.c
+++ b/ldap/servers/plugins/acl/acleffectiverights.c
@@ -1030,9 +1030,7 @@ bailout:
* slapi_pblock_set() will free any previous data, and
* pblock_done() will free SLAPI_PB_RESULT_TEXT.
*/
- if (gerstr) {
- slapi_pblock_set(pb, SLAPI_PB_RESULT_TEXT, gerstr);
- }
+ slapi_pblock_set(pb, SLAPI_PB_RESULT_TEXT, gerstr);
if (!iscritical) {
/*
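Review bot: With the `if (gerstr)` guard removed, nothing at the call site records that a NULL value is stored on purpose, which is how a static-analysis cleanup came to add the guard in the first place. A short comment such as `/* gerstr may be NULL on purpose; do not guard this call (Issue 50431) */` would keep it from being reintroduced. The same applies to the `slapi_pblock_set(pb, SLAPI_SEARCH_FILTER, outFilter);` call in the views.c hunk. For views.c it is also worth confirming that later consumers of `SLAPI_SEARCH_FILTER` tolerate NULL, since that is not visible here. Both enclosing functions extend beyond their hunks.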
diff --git a/ldap/servers/plugins/views/views.c b/ldap/servers/plugins/views/views.c
index 5d8464761..64e305a3f 100644
--- a/ldap/servers/plugins/views/views.c
+++ b/ldap/servers/plugins/views/views.c
@@ -1760,9 +1760,7 @@ view_search_rewrite_callback(Slapi_PBlock *pb)
#endif
/* make it happen */
- if (outFilter) {
- slapi_pblock_set(pb, SLAPI_SEARCH_FILTER, outFilter);
- }
+ slapi_pblock_set(pb, SLAPI_SEARCH_FILTER, outFilter);
ret = -2;
diff --git a/ldap/servers/slapd/back-ldbm/vlv_srch.c b/ldap/servers/slapd/back-ldbm/vlv_srch.c
index 1ac3e009e..65b876647 100644
--- a/ldap/servers/slapd/back-ldbm/vlv_srch.c
+++ b/ldap/servers/slapd/back-ldbm/vlv_srch.c
@@ -168,8 +168,9 @@ vlvSearch_init(struct vlvSearch *p, Slapi_PBlock *pb, const Slapi_Entry *e, ldbm
/* switch context back to the DSE backend */
slapi_pblock_set(pb, SLAPI_BACKEND, oldbe);
- if (oldbe)
+ if (oldbe) {
slapi_pblock_set(pb, SLAPI_PLUGIN, oldbe->be_database);
+ }
}
/* make (&(parentid=idofbase)(|(originalfilter)(objectclass=referral))) */
diff --git a/ldap/servers/slapd/dse.c b/ldap/servers/slapd/dse.c
index 125684329..8f2a14c9a 100644
--- a/ldap/servers/slapd/dse.c