[Fedora-directory-commits] adminserver/admserv/newinst/src AdminUtil.pm.in, 1.19, 1.20
by Richard Allen Megginson
Author: rmeggins
Update of /cvs/dirsec/adminserver/admserv/newinst/src
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv2070/adminserver/admserv/newinst/src
Modified Files:
AdminUtil.pm.in
Log Message:
Resolves: bug 468474
Bug Description: migration results in incomplete admin server sie
Reviewed by: nkinder (Thanks!)
Fix Description: This is a redesign of one of the core pieces of the setup/migration code - the code that adds the LDAP entries in various places. For starters, I removed the code that would implicitly delete existing trees. This is the root cause of this bug, and other similar problems with setup/instance creation that have been reported. We should never implicitly delete entries. Instead, we should explicitly delete entries by using the changetype: delete in an LDIF template file.
Another source of problems was that to update an entry, we would delete it and add it back. This caused some configuration settings to be wiped out (e.g. encryption settings). We cannot do this any more. The LDIF template entries have been modified to have two sets of information for each entry that requires update - the entry to add if no entry exists (the full entry) or the changes to make to the entry if it does exist. The code in Util.pm has been changed to ignore duplicate entries and to ignore changes made to entries that do not exist.
Another source of problems with migration is that the error checking was not adequate, especially with FileConn and dse.ldif reading. The fix is to add better error checking and reporting in these areas of code, including error messages.
Yet another problem is the run_dir handling. On many platforms the run_dir is shared among all DS instances and the admin server. Older versions of the software allowed you to run the servers as root. We have to make sure run_dir is usable by the least privileged user of all of the servers.
Platforms tested: RHEL4
Flag Day: no
Doc impact: no
Index: AdminUtil.pm.in
===================================================================
RCS file: /cvs/dirsec/adminserver/admserv/newinst/src/AdminUtil.pm.in,v
retrieving revision 1.19
retrieving revision 1.20
diff -u -r1.19 -r1.20
--- AdminUtil.pm.in 24 Jul 2008 16:00:20 -0000 1.19
+++ AdminUtil.pm.in 24 Feb 2009 14:25:42 -0000 1.20
@@ -128,7 +128,11 @@
sub getCertDir {
my $configdir = shift;
- # for now, same as admin server config dir
+ # if configdir already ends in admin-serv, just use it
+ if ($configdir =~ /admin-serv$/) {
+ return $configdir;
+ }
+ # otherwise, assume configdir is the directory containing admin-serv
return "$configdir/admin-serv";
}
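Review bot: the new `/admin-serv$/` test in getCertDir does not match a configdir given with a trailing slash (`.../admin-serv/`), which then yields `.../admin-serv//admin-serv`, and it also matches any directory whose last component merely ends in `admin-serv`. Consider stripping trailing slashes first and anchoring on the whole component, e.g. `$configdir =~ s{/+$}{}; if ($configdir =~ m{(^|/)admin-serv$}) { return $configdir; }`.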
@@ -169,6 +173,7 @@
# first try anon bind
# 3 is LDAPv3 - 1 means use nspr
+ debug(3, "Attempting connection to " . $h->{host} . ":" . $h->{port} . " certdir $certdir configdir $configdir\n");
my $conn = new Mozilla::LDAP::Conn($h->{host}, $h->{port}, "", "",
$certdir);
@@ -363,6 +368,10 @@
my $dseldif = "$dsconfdir/dse.ldif";
my $conn = new FileConn($dseldif);
+ if (!$conn) {
+ @{$errs} = ('error_opening_dseldif', $dseldif, $!);
+ return 0;
+ }
return internalCreateSubDS($conn, $inf, $errs);
}
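Review bot: `@{$errs} = (...)` in the new FileConn check replaces whatever the caller had already accumulated in `$errs`, whereas the rest of this changeset (check_and_add_entry and createInfFromConfig in Util.pm) uses `push @{$errs}, ...`; use push here too so earlier errors are not lost. Note also that `new FileConn` only returns undef if FileConn::read returns false, and the FileConn.pm hunk in this series calls `confess` (which dies) before its `return 0`, so this branch is currently unreachable.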
[Fedora-directory-commits] adminserver/admserv/cgi-src40 ds_remove.in, 1.7, 1.8
by Richard Allen Megginson
Author: rmeggins
Update of /cvs/dirsec/adminserver/admserv/cgi-src40
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv2070/adminserver/admserv/cgi-src40
Modified Files:
ds_remove.in
Log Message:
Resolves: bug 468474
Bug Description: migration results in incomplete admin server sie
Reviewed by: nkinder (Thanks!)
Fix Description: This is a redesign of one of the core pieces of the setup/migration code - the code that adds the LDAP entries in various places. For starters, I removed the code that would implicitly delete existing trees. This is the root cause of this bug, and other similar problems with setup/instance creation that have been reported. We should never implicitly delete entries. Instead, we should explicitly delete entries by using the changetype: delete in an LDIF template file.
Another source of problems was that to update an entry, we would delete it and add it back. This caused some configuration settings to be wiped out (e.g. encryption settings). We cannot do this any more. The LDIF template entries have been modified to have two sets of information for each entry that requires update - the entry to add if no entry exists (the full entry) or the changes to make to the entry if it does exist. The code in Util.pm has been changed to ignore duplicate entries and to ignore changes made to entries that do not exist.
Another source of problems with migration is that the error checking was not adequate, especially with FileConn and dse.ldif reading. The fix is to add better error checking and reporting in these areas of code, including error messages.
Yet another problem is the run_dir handling. On many platforms the run_dir is shared among all DS instances and the admin server. Older versions of the software allowed you to run the servers as root. We have to make sure run_dir is usable by the least privileged user of all of the servers.
Platforms tested: RHEL4
Flag Day: no
Doc impact: no
Index: ds_remove.in
===================================================================
RCS file: /cvs/dirsec/adminserver/admserv/cgi-src40/ds_remove.in,v
retrieving revision 1.7
retrieving revision 1.8
diff -u -r1.7 -r1.8
--- ds_remove.in 14 Jul 2008 20:27:02 -0000 1.7
+++ ds_remove.in 24 Feb 2009 14:25:42 -0000 1.8
@@ -172,6 +172,13 @@
# read the config file to find out the paths
my $dseldif = "@instconfigdir(a)/$instname/dse.ldif";
my $conn = new FileConn($dseldif);
+if (!$conn) {
+ print "Content-type: text/plain\n\n";
+ print "NMC_ErrInfo: Could not open $dseldif: Error: $!\n";
+ print "NMC_Status: 1\n";
+ print STDERR "Error: Could not open $dseldif: Error: $!\n";
+ exit 1;
+}
my $dn = "cn=config";
my $entry = $conn->search($dn, "base", "(cn=*)", 0);
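Review bot: the `NMC_ErrInfo` line returns the full on-disk dse.ldif path and the errno text to the CGI client; the same detail is already written to STDERR for the error log, so a less specific client-facing message ("Could not read the instance configuration") limits what a caller learns about the filesystem layout. As with the other callers in this changeset, the branch is only reached if `new FileConn` returns undef instead of dying in `confess`.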
[Fedora-directory-commits] ldapserver/ldap/admin/src/scripts DSCreate.pm.in, 1.15, 1.16 DSMigration.pm.in, 1.26, 1.27 FileConn.pm, 1.4, 1.5 Util.pm.in, 1.18, 1.19 remove-ds.pl.in, 1.1, 1.2 setup-ds.res.in, 1.14, 1.15
by Richard Allen Megginson
Author: rmeggins
Update of /cvs/dirsec/ldapserver/ldap/admin/src/scripts
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv1668/ldapserver/ldap/admin/src/scripts
Modified Files:
DSCreate.pm.in DSMigration.pm.in FileConn.pm Util.pm.in
remove-ds.pl.in setup-ds.res.in
Log Message:
Resolves: bug 468474
Bug Description: migration results in incomplete admin server sie
Reviewed by: nkinder (Thanks!)
Fix Description: This is a redesign of one of the core pieces of the setup/migration code - the code that adds the LDAP entries in various places. For starters, I removed the code that would implicitly delete existing trees. This is the root cause of this bug, and other similar problems with setup/instance creation that have been reported. We should never implicitly delete entries. Instead, we should explicitly delete entries by using the changetype: delete in an LDIF template file.
Another source of problems was that to update an entry, we would delete it and add it back. This caused some configuration settings to be wiped out (e.g. encryption settings). We cannot do this any more. The LDIF template entries have been modified to have two sets of information for each entry that requires update - the entry to add if no entry exists (the full entry) or the changes to make to the entry if it does exist. The code in Util.pm has been changed to ignore duplicate entries and to ignore changes made to entries that do not exist.
Another source of problems with migration is that the error checking was not adequate, especially with FileConn and dse.ldif reading. The fix is to add better error checking and reporting in these areas of code, including error messages.
Yet another problem is the run_dir handling. On many platforms the run_dir is shared among all DS instances and the admin server. Older versions of the software allowed you to run the servers as root. We have to make sure run_dir is usable by the least privileged user of all of the servers.
Platforms tested: RHEL4
Flag Day: no
Doc impact: no
Index: DSCreate.pm.in
===================================================================
RCS file: /cvs/dirsec/ldapserver/ldap/admin/src/scripts/DSCreate.pm.in,v
retrieving revision 1.15
retrieving revision 1.16
diff -u -r1.15 -r1.16
--- DSCreate.pm.in 17 Dec 2008 17:22:22 -0000 1.15
+++ DSCreate.pm.in 24 Feb 2009 14:24:46 -0000 1.16
@@ -215,6 +215,28 @@
return @errs;
}
}
+ # run_dir is a special case because it is usually shared among
+ # all instances and the admin server
+ # all instances must be able to write to it
+ # if the SuiteSpotUserID is root or 0, we can just skip
+ # this because root will have access to it - we really
+ # shouldn't be using root anyway, primarily just for
+ # legacy migration support
+ # if there are two different user IDs that need access
+ # to this directory, then SuiteSpotGroup must be defined,
+ # and both users must be members of the SuiteSpotGroup
+ if (($inf->{General}->{SuiteSpotUserID} eq 'root') ||
+ (defined($inf->{General}->{SuiteSpotUserID}) &&
+ ($inf->{General}->{SuiteSpotUserID} =~ /^0$/))) {
+ # skip
+ debug(3, "Root user " . $inf->{General}->{SuiteSpotUserID} . " already has access to $inf->{slapd}->{run_dir} - skipping\n");
+ } else {
+ my $dir = $inf->{slapd}->{run_dir};
+ # rwx by user only, or by user & group if a group is defined
+ @errs = changeOwnerMode($inf, 7, $dir, 7);
+ debug(3, "Changed owner of $dir to " . $inf->{General}->{SuiteSpotUserID} . ": error @errs\n");
+ debug(3, "\t" . `/bin/ls -ld $dir`);
+ }
# set the group of the parent dir of config_dir and inst_dir
if (defined($inf->{General}->{SuiteSpotGroup})) {
for (qw(inst_dir config_dir)) {
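Review bot: the `eq 'root'` test at the top of the new condition runs before the `defined()` test, so an undefined SuiteSpotUserID triggers an "uninitialized value" warning; check `defined` first. The `` `/bin/ls -ld $dir` `` debug line interpolates run_dir into a shell command unquoted; prefer `stat` or the list form of `system`. Finally, `changeOwnerMode($inf, 7, $dir, 7)` gives every instance user group write on a directory shared by all instances and the admin server, so one instance's user can remove another instance's pid and lock files; if that is acceptable for now, a comment saying so (or setting the sticky bit) would help.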
@@ -372,7 +394,10 @@
}
}
- $conn->write($conffile);
+ if (!$conn->write($conffile)) {
+ $conn->close();
+ return ("error_writing_ldif", $conffile, $!);
+ }
$conn->close();
if (@errs = changeOwnerMode($inf, 6, $conffile)) {
@@ -506,11 +531,21 @@
my ($fh, $templdif) = tempfile("ldifXXXXXX", SUFFIX => ".ldif", OPEN => 0,
DIR => File::Spec->tmpdir);
+ if (!$templdif) {
+ return ('error_creating_templdif', $!);
+ }
my $conn = new FileConn;
$conn->setNamingContext($inf->{slapd}->{Suffix});
getMappedEntries($mapper, \@ldiffiles, \@errs, \&check_and_add_entry,
[$conn]);
- $conn->write($templdif);
+ if (@errs) {
+ $conn->close();
+ return @errs;
+ }
+ if (!$conn->write($templdif)) {
+ $conn->close();
+ return ('error_writing_ldif', $templdif, $!);
+ }
$conn->close();
if (@errs) {
return @errs;
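Review bot: the second `if (@errs) { return @errs; }` after `$conn->close()` is now unreachable, because the new check before `$conn->write($templdif)` already returns on errors; drop the old one. Also, `File::Temp::tempfile` croaks rather than returning an empty name on failure, so the new `if (!$templdif)` branch will rarely execute; wrapping the call in `eval` would make the `error_creating_templdif` message actually reachable.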
Index: DSMigration.pm.in
===================================================================
RCS file: /cvs/dirsec/ldapserver/ldap/admin/src/scripts/DSMigration.pm.in,v
retrieving revision 1.26
retrieving revision 1.27
diff -u -r1.26 -r1.27
--- DSMigration.pm.in 17 Feb 2009 15:47:48 -0000 1.26
+++ DSMigration.pm.in 24 Feb 2009 14:24:47 -0000 1.27
@@ -938,11 +938,15 @@
# extract the information needed for ds_newinst.pl
my $oldconfigdir = "$mig->{oldsroot}/$inst/config";
my $inf = createInfFromConfig($oldconfigdir, $inst, \@errs);
- debug(2, "Using inffile $inf->(unknown) created from $oldconfigdir\n");
if (@errs) {
$mig->msg(@errs);
return 0;
}
+ if (!$inf) {
+ $mig->msg($FATAL, 'error_opening_dseldif', "$oldconfigdir/dse.ldif", $!);
+ return 0;
+ }
+ debug(2, "Using inffile $inf->(unknown) created from $oldconfigdir\n");
# create servers but do not start them until after databases
# have been migrated
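Review bot: the new `if (!$inf)` branch reports `error_opening_dseldif` with `"$oldconfigdir/dse.ldif"` and `$!`, but createInfFromConfig (see the Util.pm hunk in this series) pushes its own specific error onto `@errs` on every failure path, including the temporary .inf failure, so this branch only runs when `@errs` is empty and `$!` may be stale by then; a generic "could not create .inf from config" message would be more accurate here.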
@@ -960,7 +964,16 @@
}
my $src = new FileConn("$oldconfigdir/dse.ldif", 1); # read-only
+ if (!$src) {
+ $mig->msg($FATAL, 'error_opening_dseldif', "$oldconfigdir/dse.ldif", $!);
+ return 0;
+ }
my $dest = new FileConn("$mig->{configdir}/$inst/dse.ldif");
+ if (!$dest) {
+ $src->close();
+ $mig->msg($FATAL, 'error_opening_dseldif', "$mig->{configdir}/$inst/dse.ldif", $!);
+ return 0;
+ }
@errs = migrateDSInstance($mig, $inst, $src, $dest);
$src->close();
Index: FileConn.pm
===================================================================
RCS file: /cvs/dirsec/ldapserver/ldap/admin/src/scripts/FileConn.pm,v
retrieving revision 1.4
retrieving revision 1.5
diff -u -r1.4 -r1.5
--- FileConn.pm 14 Sep 2007 02:41:13 -0000 1.4
+++ FileConn.pm 24 Feb 2009 14:24:47 -0000 1.5
@@ -67,7 +67,9 @@
$self->setNamingContext($_);
}
$self->setNamingContext(""); # root DSE
- $self->read($filename);
+ if (!$self->read($filename)) {
+ return;
+ }
return $self;
}
@@ -90,10 +92,14 @@
}
if (!$self->(unknown)) {
- return;
+ return 1; # no filename given - ok
+ }
+
+ if (!open( MYLDIF, "$filename" )) {
+ confess "Can't open $filename: $!";
+ return 0;
}
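Review bot: `confess` in the new `if (!open(MYLDIF, ...))` block dies with a stack trace, so the `return 0;` after it is never reached and `new FileConn` never returns undef; every `if (!$conn)` check added in this changeset (AdminUtil.pm.in, ds_remove.in, remove-ds.pl.in, DSMigration.pm.in, Util.pm.in) is therefore dead, and the CGI callers will die before emitting their NMC_ErrInfo response. Replace `confess` with `debug(1, ...)` (or `carp`) so the function actually returns 0.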
- open( MYLDIF, "$filename" ) || confess "Can't open $filename: $!";
my $in = new Mozilla::LDAP::LDIF(*MYLDIF);
$self->{reading} = 1;
while ($ent = readOneEntry $in) {
@@ -103,6 +109,8 @@
}
delete $self->{reading};
close( MYLDIF );
+
+ return 1;
}
sub setNamingContext {
@@ -175,16 +183,22 @@
}
if (!$self->(unknown) or $self->{readonly} or $self->{reading}) {
- return;
+ return 1; # ok - no filename given - just ignore
+ }
+
+ if (!open( MYLDIF, ">$filename" )) {
+ confess "Can't write $filename: $!";
+ return 0;
}
- open( MYLDIF, ">$filename" ) || confess "Can't write $filename: $!";
$self->iterate("", LDAP_SCOPE_SUBTREE, \&writecb, \*MYLDIF);
for (keys %{$self->{namingContexts}}) {
next if (!$_); # skip "" - we already did that
$self->iterate($_, LDAP_SCOPE_SUBTREE, \&writecb, \*MYLDIF);
}
close( MYLDIF );
+
+ return 1;
}
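Review bot: same `confess`-before-`return 0` problem as in read(): the open failure dies instead of returning 0. Separately, `open(MYLDIF, ">$filename")` truncates dse.ldif in place, so a failure during iterate() leaves the instance with an empty or partial config; writing to `"$filename.tmp"` and renaming over the original on success keeps the previous file intact when a write fails.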
sub setErrorCode {
@@ -372,8 +386,7 @@
if ($self->isNamingContext($ndn) and
!exists($self->{$ndn}->{data})) {
$self->{$ndn}->{data} = $entry;
- $self->write();
- return 1;
+ return $self->write();
}
if (exists($self->{$ndn})) {
@@ -415,9 +428,7 @@
# process omits the deleted attrs via the Entry FETCH, FIRSTKEY, and NEXTKEY
# methods
$self->{$ndn}->{data} = cloneEntry($entry);
- $self->write();
-
- return 1;
+ return $self->write();
}
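Review bot: `$self->{$ndn}->{data}` has already been replaced by the time `$self->write()` runs, so when write fails the in-memory entry and the file on disk disagree and the caller receives 0 with no way to roll back; either restore the previous data on failure or document that a failed modify leaves the object dirty. The same applies to the add and delete hunks.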
sub delete {
@@ -464,8 +475,7 @@
# delete this node
delete $self->{$ndn};
- $self->write();
- return 1;
+ return $self->write();
}
1;
Index: Util.pm.in
===================================================================
RCS file: /cvs/dirsec/ldapserver/ldap/admin/src/scripts/Util.pm.in,v
retrieving revision 1.18
retrieving revision 1.19
diff -u -r1.18 -r1.19
--- Util.pm.in 17 Dec 2008 17:22:22 -0000 1.18
+++ Util.pm.in 24 Feb 2009 14:24:47 -0000 1.19
@@ -40,7 +40,7 @@
use Mozilla::LDAP::Conn;
use Mozilla::LDAP::Utils qw(normalizeDN);
-use Mozilla::LDAP::API; # Direct access to C API
+use Mozilla::LDAP::API qw(:constant ldap_explode_dn ldap_err2string) ; # Direct access to C API
use Mozilla::LDAP::LDIF;
require Exporter;
@@ -172,85 +172,6 @@
return 0;
}
-my %ignorelist = (
- "nsslapd-directory", "nsslapd-directory",
- "nsslapd-require-index", "nsslapd-require-index",
- "nsslapd-readonly", "nsslapd-readonly",
- "modifytimestamp", "modifyTimestamp",
- "createtimestamp", "createTimestamp",
- "installationtimestamp", "installationTimestamp",
- "creatorsname", "creatorsName",
- "modifiersname", "modifiersName",
- "numsubordinates", "numSubordinates"
-);
-
-my %speciallist = (
- "uniquemember", 1,
- "aci", 1
-);
-
-# compare 2 entries
-# return 0 if they match 100% (exception: %ignorelist).
-# return 1 if they match except %speciallist.
-# return -1 if they do not match.
-sub comp_entries
-{
- my ($e0, $e1) = @_;
- my $rc = 0;
- foreach my $akey ( keys %{$e0} )
- {
- next if ( $ignorelist{lc($akey)} );
- my $aval0 = $e0->{$akey};
- my $aval1 = $e1->{$akey};
- my $a0max = $#{$aval0};
- my $a1max = $#{$aval1};
- my $amin = $#{$aval0};
- if ( $a0max != $a1max )
- {
- if ( $speciallist{lc($akey)} )
- {
- $rc = 1;
- if ( $a0max < $a1max )
- {
- $amin = $a0max;
- }
- else
- {
- $amin = $a1max;
- }
- }
- else
- {
- $rc = -1;
- return $rc;
- }
- }
- my @sval0 = sort { $a cmp $b } @{$aval0};
- my @sval1 = sort { $a cmp $b } @{$aval1};
- for ( my $i = 0; $i <= $amin; $i++ )
- {
- my $isspecial = -1;
- if ( $sval0[$i] ne $sval1[$i] )
- {
- if ( 0 > $isspecial )
- {
- $isspecial = $speciallist{lc($akey)};
- }
- if ( $isspecial )
- {
- $rc = 1;
- }
- else
- {
- $rc = -1;
- return $rc;
- }
- }
- }
- }
- return $rc;
-}
-
# if the entry does not exist on the server, add the entry.
# otherwise, do nothing
# you can use this as the callback to getMappedEntries, so
@@ -272,9 +193,18 @@
my $sentry = $conn->search($aentry->{dn}, "base", "(objectclass=*)", 0, ("*", "aci"));
if ($sentry) {
debug(3, "check_and_add_entry: Found entry " . $sentry->getDN() . "\n");
+ if (! @ctypes) { # entry exists, and this is not a modify op
+ debug(3, "check_and_add_entry: skipping entry " . $sentry->getDN() . "\n");
+ return 1; # ignore - return success
+ }
} else {
debug(3, "check_and_add_entry: Entry not found " . $aentry->{dn} .
" error " . $conn->getErrorString() . "\n");
+ if (@ctypes) { # uh oh - attempt to del/mod an entry that doesn't exist
+ debug(3, "check_and_add_entry: attepting to @ctypes the entry " . $aentry->{dn} .
+ " that does not exist\n");
+ return 1; # ignore - return success
+ }
}
do
{
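Review bot: typo in the new debug message: `attepting` should be `attempting`. More importantly, both new early returns report success at debug level 3, so a template that modifies or deletes an entry which does not exist (typically a DN typo in the LDIF template) passes silently; log these at level 1 (or as a warning) so template mistakes are visible without re-running setup with full debugging.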
@@ -289,39 +219,7 @@
my $op = $OP_NONE;
if ( 0 > $#ctypes ) # aentry: complete entry
{
- $op = $OP_ADD;
-
- my $rc = -1;
- if ( $sentry && !$fresh )
- {
- $rc = comp_entries( $sentry, $aentry );
- }
- if ( 0 == $rc && !$fresh )
- {
- # the identical entry exists on the configuration DS.
- # no need to add the entry.
- $op = $OP_NONE;
- goto out;
- }
- elsif ( (1 == $rc) && !$fresh )
- {
- $op = $OP_MOD;
- @addtypes = keys %{$aentry}; # add all attrs
- }
- elsif ( $sentry && $sentry->{dn} )
- {
- # $fresh || $rc == -1
- # an entry having the same DN exists, but the attributes do not
- # match. remove the entry and the subtree underneath.
- debug(1, "Deleting an entry dn: $sentry->{dn} ...\n");
- $rc = delete_all($conn, $sentry);
- if ( 0 != $rc )
- {
- push @{$errs}, 'error_deleteall_entries', $sentry->{dn}, $conn->getErrorString();
- debug(1, "Error deleting $sentry->{dn}\n");
- return 0;
- }
- }
+ $op = $OP_ADD; # just add the entry
}
else # aentry: modify format
{
@@ -371,9 +269,13 @@
}
debug(1, "Entry $aentry->{dn} is deleted\n");
}
- elsif ( 0 < $op ) # $sentry exists
+ elsif ( 0 < $op ) # modify op
{
my $attr;
+ my @errsToIgnore;
+ if (@addtypes) {
+ push @errsToIgnore, LDAP_TYPE_OR_VALUE_EXISTS;
+ }
foreach $attr ( @addtypes )
{
foreach my $val ($aentry->getValues($attr))
@@ -388,6 +290,9 @@
debug(3, "Replacing attr=$attr values=" . $aentry->getValues($attr) . " to entry $aentry->{dn}\n");
$sentry->setValues($attr, @vals);
}
+ if (@deltypes) {
+ push @errsToIgnore, LDAP_NO_SUCH_ATTRIBUTE;
+ }
foreach $attr ( @deltypes )
{
# removeValue takes a single value only
@@ -410,11 +315,15 @@
if ( $rc != 0 )
{
my $string = $conn->getErrorString();
- push @{$errs}, 'error_updating_entry', $sentry->{dn}, $string;
debug(1, "ERROR: updating an entry $sentry->{dn} failed, error: $string\n");
- $aentry->printLDIF();
- $conn->close();
- return 0;
+ if (grep /^$rc$/, @errsToIgnore) {
+ debug(1, "Ignoring error $rc returned by adding @addtypes deleting @deltypes\n");
+ } else {
+ push @{$errs}, 'error_updating_entry', $sentry->{dn}, $string;
+ $aentry->printLDIF();
+ $conn->close();
+ return 0;
+ }
}
}
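Review bot: `grep /^$rc$/, @errsToIgnore` compares a numeric result code with a regex; `grep { $_ == $rc } @errsToIgnore` is clearer and avoids surprises if `$rc` is ever non-numeric. The bigger concern is that an LDAP modify is atomic: when any `add` in the operation fails with LDAP_TYPE_OR_VALUE_EXISTS (or a `delete` with LDAP_NO_SUCH_ATTRIBUTE), the server rejects the whole modify, so the replace and delete changes sent in the same update are also dropped, yet the code logs "Ignoring error" and continues as if they were applied. Sending adds, deletes and replaces as separate modify operations, or retrying without the offending attribute, would keep the other changes.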
if ( $sentry )
@@ -793,19 +702,32 @@
my $fname = "$configdir/dse.ldif";
my $id;
($id = $inst) =~ s/^slapd-//;
- if (! -f $fname) {
+ if (! -f $fname || ! -r $fname) {
push @{$errs}, "error_opening_dseldif", $fname, $!;
return 0;
}
my $conn = new FileConn($fname, 1);
+ if (!$conn) {
+ push @{$errs}, "error_opening_dseldif", $fname, $!;
+ return 0;
+ }
my $ent = $conn->search("cn=config", "base", "(objectclass=*)");
if (!$ent) {
push @{$errs}, "error_opening_dseldif", $fname, $!;
+ $conn->close();
return 0;
}
my ($outfh, $inffile) = tempfile(SUFFIX => '.inf');
+ if (!$outfh || !$inffile) {
+ push @{$errs}, "error_opening_tempinf", $fname, $!;
+ if ($outfh) {
+ close $outfh;
+ }
+ $conn->close();
+ return 0;
+ }
print $outfh "[General]\n";
print $outfh "FullMachineName = ", $ent->getValues('nsslapd-localhost'), "\n";
print $outfh "SuiteSpotUserID = ", $ent->getValues('nsslapd-localuser'), "\n";
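Review bot: `push @{$errs}, "error_opening_tempinf", $fname, $!` passes two arguments, but the new `error_opening_tempinf` resource in setup-ds.res.in has a single `%s` ("Error: %s"), so the user would see the dse.ldif path where the error text belongs and `$!` is discarded; drop `$fname` (or add a second `%s` to the resource). Also, `tempfile` croaks on failure rather than returning undef, so the branch is only reached if the call is wrapped in `eval`.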
Index: remove-ds.pl.in
===================================================================
RCS file: /cvs/dirsec/ldapserver/ldap/admin/src/scripts/remove-ds.pl.in,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- remove-ds.pl.in 13 Feb 2009 20:05:59 -0000 1.1
+++ remove-ds.pl.in 24 Feb 2009 14:24:47 -0000 1.2
@@ -162,6 +162,10 @@
# read the config file to find out the paths
my $dseldif = "@instconfigdir(a)/$instname/dse.ldif";
my $conn = new FileConn($dseldif);
+if (!$conn) {
+ print STDERR "Error: Could not open config file $dseldif: Error $!\n";
+ exit 1;
+}
my $dn = "cn=config";
my $entry = $conn->search($dn, "base", "(cn=*)", 0);
Index: setup-ds.res.in
===================================================================
RCS file: /cvs/dirsec/ldapserver/ldap/admin/src/scripts/setup-ds.res.in,v
retrieving revision 1.14
retrieving revision 1.15
diff -u -r1.14 -r1.15
--- setup-ds.res.in 17 Dec 2008 18:58:21 -0000 1.14
+++ setup-ds.res.in 24 Feb 2009 14:24:47 -0000 1.15
@@ -127,3 +127,7 @@
or use a different ServerIdentifier to create another instance.\n
error_opening_init_ldif = Could not open the initial LDIF file '%s'.\
The file was not found or could not be read.\n
+error_opening_dseldif = Could not open the DSE config file '%s'. Error: %s\n
+error_opening_tempinf = Could not create temporary .inf file for config. Error: %s\n
+error_writing_ldif = Could not write the LDIF file '%s'. Error: %s\n
+error_creating_templdif = Could not create temporary LDIF file. Error: %s\n
[Fedora-directory-commits] ldapserver/wrappers initscript.in, 1.12, 1.13
by Nathan Kinder
Author: nkinder
Update of /cvs/dirsec/ldapserver/wrappers
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv5437/wrappers
Modified Files:
initscript.in
Log Message:
Resolves: 245894
Summary: Check process name in initscript in a more cross-platform manner.
Index: initscript.in
===================================================================
RCS file: /cvs/dirsec/ldapserver/wrappers/initscript.in,v
retrieving revision 1.12
retrieving revision 1.13
diff -u -r1.12 -r1.13
--- initscript.in 17 Feb 2009 23:21:05 -0000 1.12
+++ initscript.in 20 Feb 2009 00:14:34 -0000 1.13
@@ -139,9 +139,8 @@
if [ -f $pidfile ]; then
pid=`cat $pidfile`
instlockfile="@localstatedir@/lock/@package_name@/slapd-$instance/server/$pid"
- if kill -0 $pid && \
- [ $(awk '{print $2}' /proc/$pid/stat) = "(ns-slapd)" ] \
- > /dev/null 2>&1 ; then
+ name=`ps -p $pid | tail -1 | awk '{ print $4 }'`
+ if kill -0 $pid && [ $name = "ns-slapd" ]; then
echo_n " already running"
success; echo
successes=`expr $successes + 1`
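Review bot: `[ $name = "ns-slapd" ]` is unquoted, so when `ps -p $pid` prints nothing useful (stale pidfile, empty `$pid`) the test degenerates to `[ = "ns-slapd" ]` and errors out instead of evaluating false; quote both (`[ "$name" = "ns-slapd" ]`, `ps -p "$pid"`). The `awk '{ print $4 }'` column also depends on each platform's default `ps` output format; `ps -p "$pid" -o comm=` is the POSIX way to get just the command name with no header and works the same on Linux, Solaris and HP-UX.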
[Fedora-directory-commits] ldapserver/ldap/servers/plugins/replication windows_protocol_util.c, 1.51, 1.52
by Richard Allen Megginson
Author: rmeggins
Update of /cvs/dirsec/ldapserver/ldap/servers/plugins/replication
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv1393
Modified Files:
windows_protocol_util.c
Log Message:
Resolves: bug 486191
Description: slapd hang during cs80 cloning setup.
Fix Description: Not exactly related to the bug, but Noriko found a couple of places during investigation of internal add operations where the Slapi_Entry* could be leaked upon error. These fixes ensure that the entry is properly freed in case of error.
Index: windows_protocol_util.c
===================================================================
RCS file: /cvs/dirsec/ldapserver/ldap/servers/plugins/replication/windows_protocol_util.c,v
retrieving revision 1.51
retrieving revision 1.52
diff -u -r1.51 -r1.52
--- windows_protocol_util.c 4 Feb 2009 20:40:34 -0000 1.51
+++ windows_protocol_util.c 19 Feb 2009 23:39:50 -0000 1.52
@@ -3477,6 +3477,7 @@
pb = slapi_pblock_new();
slapi_add_entry_internal_set_pb(pb, local_entry, NULL,repl_get_plugin_identity(PLUGIN_MULTIMASTER_REPLICATION),0);
slapi_add_internal_pb(pb);
+ local_entry = NULL; /* consumed by add */
slapi_pblock_get(pb, SLAPI_PLUGIN_INTOP_RESULT, &retval);
if (retval) {
@@ -3484,6 +3485,7 @@
"add operation of entry %s returned: %d\n", slapi_sdn_get_dn(local_sdn), retval);
}
error:
+ slapi_entry_free(local_entry);
slapi_ch_free_string(&guid_str);
if (pb)
{
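Review bot: with `slapi_entry_free(local_entry)` now unconditional at `error:`, every `goto error` that precedes the add must leave `local_entry` either NULL or pointing at an entry still owned by this function; this hunk does not show `local_entry` being initialised to NULL at its declaration, unlike the matching cl4_api.c and repl5_replica.c changes, so please confirm that initialisation exists (if the entry is created unconditionally before any goto, a comment saying so would help).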
[Fedora-directory-commits] ldapserver/ldap/servers/plugins/replication cl4_api.c, 1.6, 1.7
by Richard Allen Megginson
Author: rmeggins
Update of /cvs/dirsec/ldapserver/ldap/servers/plugins/replication
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv1289
Modified Files:
cl4_api.c
Log Message:
Resolves: bug 486191
Description: slapd hang during cs80 cloning setup.
Fix Description: Not exactly related to the bug, but Noriko found a couple of places during investigation of internal add operations where the Slapi_Entry* could be leaked upon error. These fixes ensure that the entry is properly freed in case of error.
Index: cl4_api.c
===================================================================
RCS file: /cvs/dirsec/ldapserver/ldap/servers/plugins/replication/cl4_api.c,v
retrieving revision 1.6
retrieving revision 1.7
diff -u -r1.6 -r1.7
--- cl4_api.c 10 Nov 2006 23:45:17 -0000 1.6
+++ cl4_api.c 19 Feb 2009 23:39:14 -0000 1.7
@@ -263,7 +263,7 @@
{
int rc = CL4_SUCCESS, res;
char *changeEntryDN, *timeStr;
- Slapi_Entry *e;
+ Slapi_Entry *e = NULL;
Slapi_PBlock *pb = NULL;
Slapi_Value *values[3];
char s[CSN_STRSIZE];
@@ -364,6 +364,7 @@
pb = slapi_pblock_new (pb);
slapi_add_entry_internal_set_pb (pb, e, NULL, repl_get_plugin_identity (PLUGIN_LEGACY_REPLICATION), 0);
slapi_add_internal_pb (pb);
+ e = NULL; /* add consumes entry */
slapi_pblock_get(pb, SLAPI_PLUGIN_INTOP_RESULT, &res);
slapi_pblock_destroy(pb);
@@ -380,6 +381,7 @@
}
done:
+ slapi_entry_free(e);
if (changeEntryDN)
slapi_ch_free((void **) &changeEntryDN);
[Fedora-directory-commits] ldapserver/ldap/servers/plugins/replication repl5_replica.c, 1.21, 1.22
by Richard Allen Megginson
Author: rmeggins
Update of /cvs/dirsec/ldapserver/ldap/servers/plugins/replication
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv16590/ldapserver/ldap/servers/plugins/replication
Modified Files:
repl5_replica.c
Log Message:
Resolves: bug 486191
Bug Description: slapd hang during cs80 cloning setup.
Reviewed by: nhosoi (Thanks!)
Fix Description: If replication code attempts to add the RUV entry during replica configuration, and the add operation returns an error, the code will attempt to free the entry. This causes a double free. Internal add operations always consume and free the entry, success or failure. The solution is to set the entry to NULL just after adding it so the clean up code will not be able to free it again.
Platforms tested: RHEL5
Flag Day: no
Doc impact: no
Index: repl5_replica.c
===================================================================
RCS file: /cvs/dirsec/ldapserver/ldap/servers/plugins/replication/repl5_replica.c,v
retrieving revision 1.21
retrieving revision 1.22
diff -u -r1.21 -r1.22
--- repl5_replica.c 5 Dec 2008 22:41:52 -0000 1.21
+++ repl5_replica.c 19 Feb 2009 21:28:01 -0000 1.22
@@ -2654,7 +2654,7 @@
{
int return_value = LDAP_LOCAL_ERROR;
char *root_entry_str;
- Slapi_Entry *e;
+ Slapi_Entry *e = NULL;
const char *purl = NULL;
RUV *ruv;
struct berval **bvals = NULL;
@@ -2744,15 +2744,13 @@
OP_FLAG_TOMBSTONE_ENTRY | OP_FLAG_REPLICATED | OP_FLAG_REPL_FIXUP |
OP_FLAG_REPL_RUV);
slapi_add_internal_pb(pb);
+ e = NULL; /* add consumes e, upon success or failure */
slapi_pblock_get(pb, SLAPI_PLUGIN_INTOP_RESULT, &return_value);
if (return_value == LDAP_SUCCESS)
r->repl_ruv_dirty = PR_FALSE;
done:
- if (return_value != LDAP_SUCCESS)
- {
- slapi_entry_free (e);
- }
+ slapi_entry_free (e);
if (bvals)
ber_bvecfree(bvals);
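Review bot: the unconditional `slapi_entry_free (e)` at `done:` is correct given the `e = NULL` after the add and the `= NULL` initialiser in the first hunk, and it relies on slapi_entry_free() accepting NULL; a one-line comment at `done:` ("e is NULL once the add has consumed it") would stop a future reader from reintroducing the `if (return_value != LDAP_SUCCESS)` guard that caused the double free.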
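As an added illustration of the ownership rule stated in the fix description above (this is not code from the Fedora Directory Server project; the `Entry` type, `internal_add()` and the static pool are constructed stand-ins for Slapi_Entry and slapi_add_internal_pb()), the following C program shows why freeing an entry that an internal add has already consumed frees it twice, and how initialising the pointer to NULL, clearing it right after the hand-over and freeing unconditionally at the cleanup label covers both a failed add and an early exit before the add. Frees are counted rather than performed so the double free is observable without undefined behaviour.

```c
#include <stdio.h>
#include <string.h>

/* Stand-in for Slapi_Entry, constructed for this example. Entries live in a
 * static pool and entry_free() only counts releases, so a double free shows
 * up as freed == 2 instead of as undefined behaviour. */
typedef struct {
    char dn[96];
    int freed;
} Entry;

static Entry pool[8];
static unsigned pool_next;

static const char *const DN =
    "nsuniqueid=ffffffff-ffffffff-ffffffff-ffffffff,dc=example"; /* constructed */

static Entry *entry_new(const char *dn) {
    Entry *e = &pool[pool_next++ % 8];
    memset(e, 0, sizeof *e);
    strncpy(e->dn, dn, sizeof e->dn - 1);
    return e;
}

/* Like slapi_entry_free(): NULL is a no-op. */
static void entry_free(Entry *e) {
    if (e) {
        e->freed++;
    }
}

/* Models slapi_add_internal_pb(): the callee owns the entry from here on and
 * releases it whether or not the add succeeds. */
static int internal_add(Entry *e, int fail) {
    entry_free(e);
    return fail ? -1 : 0;
}

/* Before the fix: the caller assumes it still owns the entry when the add
 * fails and releases it a second time. Returns how often the entry was freed. */
static int frees_before_fix(int add_fails) {
    Entry *e = entry_new(DN);
    int rc = internal_add(e, add_fails);
    if (rc != 0) {
        entry_free(e);          /* double free on the error path */
    }
    return e->freed;            /* instrumentation: the pool slot stays addressable */
}

/* After the fix: e starts as NULL, is set to NULL right after the add takes
 * it over, and is freed unconditionally at the cleanup label. That handles
 * both a failure before the add and a failure of the add itself. */
static int frees_after_fix(int fail_before_add, int add_fails) {
    Entry *e = NULL;
    Entry *observed;            /* instrumentation only: keeps the address so the count can be read */
    int rc = -1;

    e = entry_new(DN);
    observed = e;
    if (fail_before_add) {
        goto done;              /* e is still ours: cleanup must free it exactly once */
    }
    rc = internal_add(e, add_fails);
    e = NULL;                   /* consumed by the add, success or failure */
done:
    entry_free(e);              /* no-op after a hand-over, a real free after an early exit */
    (void)rc;
    return observed->freed;
}

int main(void) {
    printf("before fix, add fails:  freed %d times\n", frees_before_fix(1));
    printf("after fix,  add fails:  freed %d times\n", frees_after_fix(0, 1));
    printf("after fix,  early exit: freed %d times\n", frees_after_fix(1, 0));
    return 0;
}
```

The same pattern applies to any API documented as "consumes its argument": the caller's pointer is dead the moment the call returns, so the cleanup code should only ever see NULL there.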
[Fedora-directory-commits] mod_nss nss_engine_io.c,1.8,1.9
by Rob Crittenden
Author: rcritten
Update of /cvs/dirsec/mod_nss
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv3518
Modified Files:
nss_engine_io.c
Log Message:
Return -1 on a read failure and set the appropriate NSPR error message.
This bug has lingered for so long since mod_nss wasn't able to be used
with mod_proxy until now. What one would see with this bug is sometimes
a page would work, sometimes not (just the headers would be retrieved).
The problem was we were returning 0, which means EOF and was interpreted
by upper levels to mean the transfer was done rather than no data being
available.
484380
Index: nss_engine_io.c
===================================================================
RCS file: /cvs/dirsec/mod_nss/nss_engine_io.c,v
retrieving revision 1.8
retrieving revision 1.9
diff -u -r1.8 -r1.9
--- nss_engine_io.c 31 May 2007 21:36:03 -0000 1.8
+++ nss_engine_io.c 19 Feb 2009 02:31:18 -0000 1.9
@@ -259,7 +259,8 @@
*/
if (APR_STATUS_IS_EAGAIN(inctx->rc) || APR_STATUS_IS_EINTR(inctx->rc)
|| (inctx->rc == APR_SUCCESS && APR_BRIGADE_EMPTY(inctx->bb))) {
- return 0;
+ PR_SetError(PR_WOULD_BLOCK_ERROR, 0);
+ return -1;
}
if (inctx->rc != APR_SUCCESS) {
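Review bot: the new branch maps EINTR and an empty brigade to PR_WOULD_BLOCK_ERROR as well as EAGAIN, which is what the caller needs in order to retry; make sure the genuine end-of-stream case (`inctx->rc` equal to APR_EOF) still falls through to a `return 0`, otherwise the upper layer will retry indefinitely on a closed connection. A short comment on why 0 must be reserved for EOF here would keep this from regressing.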
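As an added example of the EOF-versus-would-block distinction described in the log message above (not code from mod_nss; the `Source` type, `lower_read()` and the `last_error` variable are constructed stand-ins for the APR brigade read and the NSPR thread error), the program below runs the same consumer loop against a read callback that reports "no data yet" as 0 and against one that reports it as -1 with a distinct error code. With the first, the consumer stops after the headers; with the second, it retries and receives the whole response.

```c
#include <stdio.h>
#include <string.h>

enum { ERR_NONE = 0, ERR_WOULD_BLOCK = 1 };
static int last_error;          /* stands in for PR_SetError()/PR_GetError() */

/* Constructed input source. Bytes arrive in the chunk sizes listed in
 * chunks[]; a chunk size of 0 means "no data yet" (the EAGAIN case). Once
 * the chunks are used up the rest of the data is delivered, then EOF. */
typedef struct {
    const char *data;
    size_t len, pos;
    const size_t *chunks;
    size_t nchunks, step;
} Source;

/* Lower layer (the brigade read): returns bytes copied; 0 with *would_block
 * set when nothing is available yet; 0 with it clear at end of stream. */
static size_t lower_read(Source *s, char *buf, size_t cap, int *would_block) {
    size_t n;
    *would_block = 0;
    if (s->pos >= s->len) {
        return 0;               /* genuine end of stream */
    }
    n = (s->step < s->nchunks) ? s->chunks[s->step++] : s->len - s->pos;
    if (n == 0) {
        *would_block = 1;       /* nothing available right now */
        return 0;
    }
    if (n > cap) n = cap;
    if (n > s->len - s->pos) n = s->len - s->pos;
    memcpy(buf, s->data + s->pos, n);
    s->pos += n;
    return n;
}

/* Before the fix: "would block" is reported as 0, the same value as EOF. */
static int read_before_fix(Source *s, char *buf, size_t cap) {
    int wb;
    size_t n = lower_read(s, buf, cap, &wb);
    last_error = ERR_NONE;
    return (int)n;
}

/* After the fix: "would block" becomes -1 plus a distinct error code and 0
 * is reserved for EOF, mirroring PR_SetError(PR_WOULD_BLOCK_ERROR, 0); return -1. */
static int read_after_fix(Source *s, char *buf, size_t cap) {
    int wb;
    size_t n = lower_read(s, buf, cap, &wb);
    if (n == 0 && wb) {
        last_error = ERR_WOULD_BLOCK;
        return -1;
    }
    last_error = ERR_NONE;
    return (int)n;
}

/* Upper layer (the consumer): 0 ends the transfer, -1 with ERR_WOULD_BLOCK is
 * retried a bounded number of times, anything else aborts. Returns bytes received. */
static size_t drain(Source *s, int (*rd)(Source *, char *, size_t), char *out, size_t cap) {
    size_t total = 0;
    int retries = 0;
    while (total < cap) {
        int n = rd(s, out + total, cap - total);
        if (n == 0) {
            break;              /* treated as EOF: transfer complete */
        }
        if (n < 0) {
            if (last_error == ERR_WOULD_BLOCK && ++retries < 16) {
                continue;       /* data may arrive later */
            }
            break;              /* real error */
        }
        total += (size_t)n;
    }
    return total;
}

/* Constructed response: 19 header bytes arrive, then a gap, then the 4-byte body. */
static size_t run_transfer(int (*rd)(Source *, char *, size_t)) {
    static const char response[] = "HTTP/1.1 200 OK\r\n\r\nbody";
    static const size_t chunks[] = { 19, 0, 4 };
    Source s = { response, sizeof response - 1, 0, chunks, 3, 0 };
    char out[64];
    return drain(&s, rd, out, sizeof out);
}

/* Only the headers are seen: the gap is mistaken for EOF. */
static size_t transfer_before_fix(void) { return run_transfer(read_before_fix); }

/* The gap is retried and the whole 23-byte response arrives. */
static size_t transfer_after_fix(void) { return run_transfer(read_after_fix); }

int main(void) {
    printf("before fix: %zu bytes received\n", transfer_before_fix());
    printf("after fix:  %zu bytes received\n", transfer_after_fix());
    return 0;
}
```

The retry bound in `drain()` is the other half of the contract: once 0 means "peer closed", a would-block result must be retried by the caller, and a caller without a bound would spin if the lower layer ever returned would-block on a connection that is actually gone.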
[Fedora-directory-commits] coolkey/applet/src/com/redhat/ckey/applet CardEdge.java, 1.4.2.1, 1.4.2.2
by Jack Magne
Author: jmagne
Update of /cvs/dirsec/coolkey/applet/src/com/redhat/ckey/applet
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv29729
Modified Files:
Tag: COOLKEY_330J_BRANCH
CardEdge.java
Log Message:
Add support for 2048 bit keys, #485829.
Index: CardEdge.java
===================================================================
RCS file: /cvs/dirsec/coolkey/applet/src/com/redhat/ckey/applet/CardEdge.java,v
retrieving revision 1.4.2.1
retrieving revision 1.4.2.2
diff -u -r1.4.2.1 -r1.4.2.2
--- CardEdge.java 24 Jan 2009 00:54:20 -0000 1.4.2.1
+++ CardEdge.java 19 Feb 2009 02:06:31 -0000 1.4.2.2
@@ -123,8 +123,8 @@
private static final byte VERSION_PROTOCOL_MINOR = 1;
private static final byte VERSION_APPLET_MAJOR = 1;
private static final byte VERSION_APPLET_MINOR = 4;
- private static final short BUILDID_MAJOR = (short) 0x4979;
- private static final short BUILDID_MINOR = (short) 0x178d;
+ private static final short BUILDID_MAJOR = (short) 0x498f;
+ private static final short BUILDID_MINOR = (short) 0xa85f;
private static final short ZEROS = 0;
// * Enable pin size check
@@ -405,17 +405,18 @@
private static final short OFFSET_IMP_KEY_ENC_WRAP_KEY = 5;
- private static final short MAX_RSA_MOD_BITS = 1024;
- private static final short MAX_RSA_MOD_BYTES = 128;
+ private static final short MAX_RSA_MOD_BITS = 2048;
+ private static final short MAX_RSA_MOD_BYTES = 256;
// 554 = 2 bytes for explicit length,
// 512 bytes for data
// 40 bytes for two sha digest buffers.
- private static final short IOBUF_ALLOC = 554;
+ //private static final short IOBUF_ALLOC = 554;
+ private static final short IOBUF_ALLOC = 1200;
// offsets in iobuf used by CryptProcessFinal()
- private static final short VFY_OFF = 258;
- private static final short VFY_MD_0 = 514;
- private static final short VFY_MD_1 = 534;
+ private static final short VFY_OFF = 558;
+ private static final short VFY_MD_0 = 1014;
+ private static final short VFY_MD_1 = 1034;
// how many ms to delay when a bad password is detected
private static final short BAD_PASSWD_DELAY = 1000;
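Review bot: the comment above IOBUF_ALLOC still explains the old value (554 = 2 + 512 + 40) and the commented-out `//private static final short IOBUF_ALLOC = 554;` should go; please document how 1200, VFY_OFF = 558, VFY_MD_0 = 1014 and VFY_MD_1 = 1034 are derived for a 256-byte modulus. MAX_RSA_MOD_BYTES could be written as `MAX_RSA_MOD_BITS / 8` so the two constants cannot drift apart.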
@@ -508,7 +509,7 @@
//Save offset of the instance aid length.
byte remainingLength = bLength;
- short mem_size = (short)6000;
+ short mem_size = (short)5000;
create_object_ACL = RA_ACL;
create_key_ACL = RA_ACL;
create_pin_ACL = RA_ACL;
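Review bot: the drop of `mem_size` from 6000 to 5000 is undocumented; if it is to make room for the larger iobuf within the card's memory budget, say so in a comment, since it changes how much object space the applet offers.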
@@ -2052,12 +2053,12 @@
LogoutAllIdentity(pin_nb);
}
- private short outputRSAPublicKey(short key_nb, byte[] buf, short offset) {
+ private short outputRSAPublicKey(short key_nb, byte[] buf, short offset, short key_size) {
buf[offset] = ZEROB; // plaintext
offset++;
buf[offset] = (byte) 1; // RSA public key
offset++;
- Util.setShort(buf, offset, (short)(1024)); // 1024-bit key
+ Util.setShort(buf, offset, (short)(key_size)); // Key Size.
offset+=2;
RSAPublicKey key = (RSAPublicKey) keys[key_nb];
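Review bot: outputRSAPublicKey now writes a caller-supplied `key_size` into the output object, but the function already has the key in hand (`keys[key_nb]`), so the size field can be taken from the key itself (javacard.security.Key.getSize() returns the size in bits) instead of a value that originates in the APDU; that keeps the advertised size consistent with the modulus actually copied out below.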
@@ -2081,6 +2082,7 @@
byte owner = (byte) ((buffer[ISO7816.OFFSET_P1] >> 4) & 0xf) ;
byte usage = (byte) ((buffer[ISO7816.OFFSET_P2] >> 4) & 0xf);
short acl = 0;
+ short key_size = Util.getShort(buffer, (short)(ISO7816.OFFSET_CDATA+1));
if ((buffer[ISO7816.OFFSET_P1] == 0)
&& (buffer[ISO7816.OFFSET_P2] == 0)) {
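Review bot: `key_size` is read straight from the command data at OFFSET_CDATA+1 and nothing in this hunk validates it. It should be bounded against MAX_RSA_MOD_BITS, rejected unless it is a multiple of 8 (realistically, one of the sizes the card supports), and the read itself should be guarded by the received Lc so a short APDU cannot read past the data; fail with ISOException.throwIt(ISO7816.SW_WRONG_DATA) or similar before any key generation happens.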
@@ -2129,7 +2131,9 @@
GenerateKeyPairRSA(apdu, buffer, prv_key_nb, pub_key_nb, acl);
// copy public key to output object
- short pubkeysize = outputRSAPublicKey(pub_key_nb, iobuf, (short)2);
+ short pubkeysize = outputRSAPublicKey(pub_key_nb, iobuf, (short)2, (short) key_size);
+ short modsize = (short) ((short)key_size / (short) 8);
+
Util.setShort(iobuf, ZEROS, pubkeysize);
// Compute digest over public key and decrypted challenge.
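Review bot: the `GenerateKeyPairRSA(apdu, buffer, prv_key_nb, pub_key_nb, acl);` call in this hunk is unchanged and does not receive `key_size`, so unless generation reads the size elsewhere, the requested size and the size advertised by outputRSAPublicKey and used for `modsize` can diverge; `modsize` should be derived from the generated key rather than from the request. The `(short) key_size` and `(short)key_size / (short) 8` casts are redundant since `key_size` is already a short, and the whitespace-only `+` line is noise.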
@@ -2137,31 +2141,32 @@
Util.arrayCopyNonAtomic(buffer, (short)11, iobuf,
(short)(2 + pubkeysize), (short)16);
doDigest(iobuf, (short)2, (short)(16+pubkeysize),
- iobuf, (short)(2+pubkeysize+128) );
-
+ iobuf, (short)(2+pubkeysize+modsize) );
// Sign the digest, writing the signature over the digest in the iobuf
- short sigsize = handSign(prv_key_nb, iobuf, (short) (2+pubkeysize+128),
- (short)shaDigest.getLength(), iobuf, (short)(2+pubkeysize+2));
+ short sigsize = handSign(prv_key_nb, iobuf, (short) (2+pubkeysize+modsize),
+ (short)shaDigest.getLength(), iobuf, (short)(2+pubkeysize+2), modsize);
+
Util.setShort(iobuf, (short)(2 + pubkeysize), sigsize);
iobuf_size = (short) (2 + pubkeysize + 2 + sigsize);
Util.setShort(buffer, ZEROS, iobuf_size);
apdu.setOutgoingAndSend(ZEROS, (short)2);
+
}
//
// HandSign hard codes SHA1.
//
private short handSign(byte key_nb, byte inbuf[], short inOffset,
- short len, byte outbuf[], short outOffset)
+ short len, byte outbuf[], short outOffset, short modsize)
{
short index;
//
// build the signed data
//
// Hard coded for SHA1
- index = (short)(outOffset+108);
+ index = (short)(outOffset+modsize-(short)20);
Util.arrayCopyNonAtomic(inbuf, inOffset, outbuf, index, (short)20);
index = (short) (index - sha1encodeLen);
Util.arrayCopyNonAtomic(sha1encode,ZEROS,outbuf,index,sha1encodeLen);
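Review bot: with a variable modsize the digest is placed at iobuf[2+pubkeysize+modsize] for 20 bytes and the signature output at iobuf[2+pubkeysize+2] for modsize bytes; the overlap is intentional ("writing the signature over the digest"), but nothing checks that 2+pubkeysize+modsize+20 stays below IOBUF_ALLOC. With MAX_RSA_MOD_BYTES = 256 it does, so record that as an assertion or a comment next to the computation. In handSign, `index = (short)(outOffset+modsize-(short)20);` makes the padding layout depend on modsize as well, so the "Hard coded for SHA1" comment should also state the smallest modulus the layout assumes. The added blank `+` lines (before `Util.setShort(iobuf, (short)(2 + pubkeysize), sigsize);` and before the closing brace) are churn and can be dropped.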
@@ -2173,7 +2178,7 @@
outbuf[outOffset] = 0;
Cipher ciph = getCipher(key_nb, Cipher.ALG_RSA_NOPAD);
ciph.init(keys[key_nb], (byte) Cipher.MODE_ENCRYPT);
- return ciph.doFinal(outbuf, outOffset, (short)128,
+ return ciph.doFinal(outbuf, outOffset, modsize,
outbuf, outOffset);
}
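Review bot: `ciph.doFinal(outbuf, outOffset, modsize, ...)` with ALG_RSA_NOPAD requires `modsize` to equal the modulus length of `keys[key_nb]` in bytes, otherwise the call throws CryptoException; since handSign now takes the length from its caller rather than from the key, either check `modsize == keys[key_nb].getSize()/8` up front or drop the parameter and compute it from the key so the two can never disagree.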
[Fedora-directory-commits] coolkey/src/coolkey slot.cpp, 1.10, 1.11 slot.h, 1.2, 1.3
by Jack Magne
Author: jmagne
Update of /cvs/dirsec/coolkey/src/coolkey
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv29194
Modified Files:
slot.cpp slot.h
Log Message:
Add support for 2048 bit keys, #485829.
Index: slot.cpp
===================================================================
RCS file: /cvs/dirsec/coolkey/src/coolkey/slot.cpp,v
retrieving revision 1.10
retrieving revision 1.11
diff -u -r1.10 -r1.11
--- slot.cpp 14 Feb 2008 23:48:19 -0000 1.10
+++ slot.cpp 19 Feb 2009 02:04:13 -0000 1.11
@@ -1331,6 +1331,19 @@
}
};
+class KeyNumMatch {
+ private:
+ CKYByte keyNum;
+ const Slot &slot;
+ public:
+ KeyNumMatch(CKYByte keyNum_, const Slot &s) : keyNum(keyNum_), slot(s) { }
+ bool operator() (const PKCS11Object& obj) {
+ unsigned long objID = obj.getMuscleObjID();
+ return (slot.getObjectClass(objID) == 'k')
+ && (slot.getObjectIndex(objID) == keyNum);
+ }
+};
+
class ObjectCertCKAIDMatch {
private:
CKYByte cka_id;
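Review bot: KeyNumMatch::operator() should be declared `const`: it does not modify the predicate, and `getObjectClass` and `getObjectIndex` are called through a `const Slot&`, so they must be const member functions for this to compile, which is worth confirming against slot.h. Matching on class 'k' and index only means the first token object with that key number wins; a comment saying which object is expected to carry CKA_MODULUS would help the reader of getKeySize below.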
@@ -3066,8 +3079,9 @@
CK_ULONG ulDataLen, CK_BYTE_PTR pSignature,
CK_ULONG_PTR pulSignatureLen)
{
+ RSASignatureParams params(CryptParams::DEFAULT_KEY_SIZE);
cryptRSA(suffix, pData, ulDataLen, pSignature, pulSignatureLen,
- RSASignatureParams(CryptParams::FIXED_KEY_SIZE));
+ params);
}
void
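Review bot: dropping `const` from cryptRSA's `params` argument solely so the callee can call setKeySize forces both call sites to create a named mutable local; an alternative that keeps the interface const is to look up the size in C_Sign/C_Decrypt (via getKeySize) and construct `RSASignatureParams(keySize)` / `RSADecryptParams(keySize)` directly, so cryptRSA never mutates its input. If the mutable version stays, document in slot.h that params may be modified by the call.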
@@ -3075,14 +3089,15 @@
CK_ULONG ulDataLen, CK_BYTE_PTR pDecryptedData,
CK_ULONG_PTR pulDecryptedDataLen)
{
+ RSADecryptParams params(CryptParams::DEFAULT_KEY_SIZE);
cryptRSA(suffix, pData, ulDataLen, pDecryptedData, pulDecryptedDataLen,
- RSADecryptParams(CryptParams::FIXED_KEY_SIZE));
+ params);
}
void
Slot::cryptRSA(SessionHandleSuffix suffix, CK_BYTE_PTR pInput,
CK_ULONG ulInputLen, CK_BYTE_PTR pOutput,
- CK_ULONG_PTR pulOutputLen, const CryptParams& params)
+ CK_ULONG_PTR pulOutputLen, CryptParams& params)
{
refreshTokenState();
SessionIter session = findSession(suffix);
@@ -3100,6 +3115,11 @@
CKYBuffer *result = &opState.result;
CKYByte keyNum = opState.keyNum;
+ unsigned int keySize = getKeySize(keyNum);
+
+ if(keySize != CryptParams::DEFAULT_KEY_SIZE)
+ params.setKeySize(keySize);
+
if( CKYBuffer_Size(result) == 0 ) {
// we haven't already peformed the decryption, so do it now.
if( pInput == NULL || ulInputLen == 0) {
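Review bot: the `if(keySize != CryptParams::DEFAULT_KEY_SIZE)` guard is unnecessary (calling setKeySize with the default is harmless), but the larger point is that getKeySize silently returns DEFAULT_KEY_SIZE when the key object or its CKA_MODULUS cannot be found, so a 2048-bit key whose lookup fails would be processed with 1024-bit parameters and yield a wrong-length result instead of a clear error. Consider failing the operation (CKR_DEVICE_ERROR as the surrounding code does, or CKR_KEY_HANDLE_INVALID) or at least logging when the lookup falls through to the default.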
@@ -3302,3 +3322,36 @@
throw PKCS11Exception(CKR_DEVICE_ERROR);
}
}
+
+#define MAX_NUM_KEYS 8
+unsigned int
+Slot::getKeySize(CKYByte keyNum)
+{
+ unsigned int keySize = CryptParams::DEFAULT_KEY_SIZE;
+ int modSize = 0;
+
+ if(keyNum >= MAX_NUM_KEYS) {
+ return keySize;
+ }
+
+ ObjectConstIter iter;
+ iter = find_if(tokenObjects.begin(), tokenObjects.end(),
+ KeyNumMatch(keyNum,*this));
+
+ if( iter == tokenObjects.end() ) {
+ return keySize;
+ }
+
+ CKYBuffer const *modulus = iter->getAttribute(CKA_MODULUS);
+
+ if(modulus) {
+ modSize = CKYBuffer_Size(modulus);
+ if(CKYBuffer_GetChar(modulus,0) == 0x0) {
+ modSize--;
+ }
+ if(modSize > 0)
+ keySize = modSize * 8;
+ }
+
+ return keySize;
+}
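Review bot: `CKYBuffer_GetChar(modulus,0)` is read before checking that the buffer is non-empty; move the `modSize > 0` test (or an explicit `CKYBuffer_Size(modulus) > 0` check) ahead of it so an empty CKA_MODULUS cannot read out of bounds. Only a single leading zero byte is stripped, which is right for a sign byte but deserves a comment. `#define MAX_NUM_KEYS 8` is introduced in the middle of slot.cpp; if the applet's key-slot count is already defined elsewhere, reuse that constant, otherwise move it to slot.h next to the other limits.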
Index: slot.h
===================================================================
RCS file: /cvs/dirsec/coolkey/src/coolkey/slot.h,v
retrieving revision 1.2
retrieving revision 1.3
diff -u -r1.2 -r1.3
--- slot.h 16 Oct 2007 00:05:31 -0000 1.2
+++ slot.h 19 Feb 2009 02:04:13 -0000 1.3
@@ -270,10 +270,9 @@
protected:
unsigned int getKeySize() const { return keySize; }
public:
- // !!!XXX hack. The right way to get the key size is to get all the
- // key information from the token with MSCListKeys, the same way
- // we get all the object information with MSCListObjects.
- enum { FIXED_KEY_SIZE = 1024 };
+ // set the actual key size obtained from the card
+ void setKeySize(unsigned int newKeySize) { keySize = newKeySize; }
+ enum { DEFAULT_KEY_SIZE = 1024 };
CryptParams(unsigned int keySize_) : keySize(keySize_) { }
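Review bot: with setKeySize added, `keySize` is no longer fixed after construction, so RSASignatureParams and RSADecryptParams must not cache anything derived from it (padding lengths, expected output size) in their constructors; a comment next to setKeySize stating that derived values are computed on use would prevent that regression.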
@@ -422,7 +421,7 @@
void cryptRSA(SessionHandleSuffix suffix, CK_BYTE_PTR pInput,
CK_ULONG ulInputLen, CK_BYTE_PTR pOutput,
- CK_ULONG_PTR pulOutputLen, const CryptParams& params);
+ CK_ULONG_PTR pulOutputLen, CryptParams& params);
void performRSAOp(CKYBuffer *out, const CKYBuffer *input, CKYByte keyNum,
CKYByte direction);
@@ -460,6 +459,8 @@
return (char )((objectID >> 16) & 0xff) - '0';
}
+ // actually get the size of a key in bits from the card
+ unsigned int getKeySize(CKYByte keyNum);
SessionHandleSuffix openSession(Session::Type type);
void closeSession(SessionHandleSuffix handleSuffix);
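Review bot: getKeySize(CKYByte) only reads tokenObjects (find_if with an ObjectConstIter), so it can be declared `const`. The comment "actually get the size of a key in bits from the card" overstates it: the size is derived from the CKA_MODULUS of the cached token object, not fetched from the card on each call, and the comment should say so.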