From 37a7c09eecbd17e9a72d39878d806f689ac1746f Mon Sep 17 00:00:00 2001

From: Rich Megginson <rmeggins@redhat.com>

Date: Tue, 26 Nov 2013 08:14:07 -0700

Subject: [PATCH 149/225] Ticket #47596 attrcrypt fails to find unlocked key

https://fedorahosted.org/389/ticket/47596

Reviewed by: nkinder (Thanks!)

Branch: 389-ds-base-1.2.11

Fix Description: Additional fix to the previous fix.  As it turns out, the

function PK11_IsLoggedIn() only returns true if the slot has been unlocked

with a pin or password.  If the slot does not need a login at all, because

the cert/key db has no password, PK11_IsLoggedIn will return false.  The code

must check for PK11_NeedLogin too.

Platforms tested: RHEL6 x86_64

Flag Day: no

Doc impact: no

(cherry picked from commit e66c4cecc47eff659a72a51c1e1722fb41c1dfbc)

(cherry picked from commit f608a943745e51fe4b5dbfb18bada2e2d13e0d6a)

(cherry picked from commit 5d2a20b4881d5374a9088ed1504b2d7e753976bb)

(cherry picked from commit 33df11ea7a9cbef5f78fe0d43da8a1c77b0a6c98)

(cherry picked from commit 326d636ed48142acd418073c1e22061e6b7757cc)

---

 ldap/servers/slapd/ssl.c | 2 +-

 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ldap/servers/slapd/ssl.c b/ldap/servers/slapd/ssl.c

index 8b80acb..61809aa 100644

--- a/ldap/servers/slapd/ssl.c

+++ b/ldap/servers/slapd/ssl.c

@@ -1602,7 +1602,7 @@ slapd_get_unlocked_key_for_cert(CERTCertificate *cert, void *pin_arg)

 			slapi_log_error(SLAPI_LOG_TRACE, "slapd_get_unlocked_key_for_cert",

 					"Missing slot for slot list element for certificate [%s]\n",

 					certsubject);

-		} else if (PK11_IsLoggedIn(slot, pin_arg)) {

+		} else if (!PK11_NeedLogin(slot) || PK11_IsLoggedIn(slot, pin_arg)) {

 			key = PK11_FindKeyByDERCert(slot, cert, pin_arg);

 			slapi_log_error(SLAPI_LOG_TRACE, "slapd_get_unlocked_key_for_cert",

 					"Found unlocked slot [%s] token [%s] for certificate [%s]\n",

-- 

1.8.1.4