From 1c8bfbe5416bf7c5749d9277e7a6b00a4980dd25 Mon Sep 17 00:00:00 2001
From: Quanah Gibson-Mount
Date: Mon, 31 Jan 2011 20:22:47 +0000
Subject: [PATCH] ITS#6802,ITS#6811
---
 CHANGES | 2 +-
 libraries/libldap/tls_m.c | 17 +++++++++++++++++
 2 files changed, 18 insertions(+), 1 deletion(-)
diff --git a/CHANGES b/CHANGES
index 03e90817ff..4807643dcd 100644
--- a/CHANGES
+++ b/CHANGES
@@ -41,7 +41,7 @@ OpenLDAP 2.4.24 Engineering
 Fixed libldap variable usage (ITS#6813)
 Fixed libldap MozNSS default cipher suites (ITS#6790)
 Fixed libldap MozNSS cert usage types/values (ITS#6791)
- Fixed libldap MozNSS restart module after fork() (ITS#6802)
+ Fixed libldap MozNSS restart module after fork() (ITS#6802,ITS#6811)
 Fixed liblutil getpass prompts (ITS#6702)
 Fixed ldapsearch segfault with deref (ITS#6638)
 Fixed ldapsearch multiple controls parsing (ITS#6651)
diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c
index 8c7ecf872e..6d1c0a4ca1 100644
--- a/libraries/libldap/tls_m.c
+++ b/libraries/libldap/tls_m.c
@@ -2872,10 +2872,27 @@ static const PRIOMethods tlsm_PR_methods = { static int tlsm_init( void ) { + char *nofork = PR_GetEnv( "NSS_STRICT_NOFORK" ); + PR_Init(0, 0, 0); tlsm_layer_id = PR_GetUniqueIdentity( "OpenLDAP" ); + /* + * There are some applications that acquire a crypto context in the parent process + * and expect that crypto context to work after a fork(). This does not work + * with NSS using strict PKCS11 compliance mode. We set this environment + * variable here to tell the software encryption module/token to allow crypto + * contexts to persist across a fork(). However, if you are using some other + * module or encryption device that supports and expects full PKCS11 semantics, + * the only recourse is to rewrite the application with atfork() handlers to save + * the crypto context in the parent and restore (and SECMOD_RestartModules) the + * context in the child. + */ + if ( !nofork ) { + PR_SetEnv( "NSS_STRICT_NOFORK=DISABLED" ); + } + return 0; } -- 2.39.5
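Review bot: The return value of `PR_SetEnv` at the end of `tlsm_init` is ignored, so if the call fails NSS stays in strict no-fork mode and the post-fork failure this change addresses comes back with nothing logged; testing it, e.g. `if ( !nofork && PR_SetEnv( "NSS_STRICT_NOFORK=DISABLED" ) != PR_SUCCESS )` followed by a debug message, would make that visible. The setting is also process-wide: it applies to every NSS user in the process, not only libldap, and is inherited by any program the process later executes, which the block comment should state so that embedding applications know that loading libldap changes their environment and relaxes the fork check for them too. Because the environment is modified from library initialisation, this presumably has to run before other threads read or write the environment; how `tlsm_init` is serialised is not visible in this hunk and is worth confirming. Minor: `PR_GetEnv` is called before `PR_Init(0, 0, 0);`, so NSPR is presumably initialised implicitly by that first call; moving the lookup below `PR_Init` would keep the explicit initialisation first.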