author | mharmsen <mharmsen@c9f7a03b-bd48-0410-a16d-cbbf54688b0b> | 2009-06-24 23:53:23 +0000 |
---|---|---|
committer | mharmsen <mharmsen@c9f7a03b-bd48-0410-a16d-cbbf54688b0b> | 2009-06-24 23:53:23 +0000 |
commit | af85398eb2bdd8fe2e732969c7a8a4acf42fabbb (patch) | |
tree | 223b559c92214e296a10c3a210716168b99e2627 | |
parent | 3674360c6f4c11ac06dbc42cbbbfe903f67ed9ef (diff) | |
Bugzilla Bug #507746 - Configure TPS/RA to listen on Ipv4 and Ipv6.
git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@653 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
-rw-r--r-- | pki/base/native-tools/src/bulkissuance/bulkissuance.c | 110 | ||||
-rw-r--r-- | pki/base/native-tools/src/revoker/revoker.c | 110 | ||||
-rw-r--r-- | pki/base/native-tools/src/setpin/setpin.c | 5 | ||||
-rw-r--r-- | pki/base/native-tools/src/sslget/sslget.c | 107 | ||||
-rw-r--r-- | pki/base/ra/apache/conf/httpd.conf | 2 | ||||
-rw-r--r-- | pki/base/ra/apache/conf/nss.conf | 4 | ||||
-rwxr-xr-x | pki/base/ra/etc/init.d/httpd | 8 | ||||
-rw-r--r-- | pki/base/tps/apache/conf/httpd.conf | 2 | ||||
-rw-r--r-- | pki/base/tps/apache/conf/nss.conf | 4 | ||||
-rwxr-xr-x | pki/base/tps/etc/init.d/httpd | 8 | ||||
-rw-r--r-- | pki/base/tps/src/authentication/LDAP_Authentication.cpp | 7 | ||||
-rw-r--r-- | pki/base/tps/src/include/tus/tus_db.h | 1 | ||||
-rw-r--r-- | pki/base/tps/src/tus/tus_db.c | 4 | ||||
-rw-r--r-- | pki/base/tps/tools/tus/test.c | 5 |
14 files changed, 254 insertions, 123 deletions
diff --git a/pki/base/native-tools/src/bulkissuance/bulkissuance.c b/pki/base/native-tools/src/bulkissuance/bulkissuance.c index 310dca06f..1517b20df 100644 --- a/pki/base/native-tools/src/bulkissuance/bulkissuance.c +++ b/pki/base/native-tools/src/bulkissuance/bulkissuance.c @@ -444,47 +444,62 @@ do_connect( { PRFileDesc * ssl_sock; PRFileDesc * tcp_sock; - PRStatus prStatus; - SECStatus result; - int rv = SECSuccess; + PRStatus prStatus; + SECStatus result; + int rv = SECSuccess; PRSocketOptionData opt; - tcp_sock = PR_NewTCPSocket(); + int family = PR_NetAddrFamily( addr ); + + tcp_sock = PR_OpenTCPSocket( family ); if (tcp_sock == NULL) { - errExit("PR_NewTCPSocket"); + errExit("PR_OpenTCPSocket on tcp socket"); } opt.option = PR_SockOpt_Nonblocking; opt.value.non_blocking = PR_FALSE; prStatus = PR_SetSocketOption(tcp_sock, &opt); if (prStatus != PR_SUCCESS) { - PR_Close(tcp_sock); - return SECSuccess; + if( tcp_sock != NULL ) { + PR_Close(tcp_sock); + tcp_sock = NULL; + } + /* Don't return SECFailure? */ + return SECSuccess; } prStatus = PR_Connect(tcp_sock, addr, PR_SecondsToInterval(3)); if (prStatus != PR_SUCCESS) { - errWarn("PR_Connect"); + errWarn("PR_Connect"); + if( tcp_sock != NULL ) { + PR_Close(tcp_sock); + tcp_sock = NULL; + } exit(6); } ssl_sock = SSL_ImportFD(model_sock, tcp_sock); /* XXX if this import fails, close tcp_sock and return. */ if (!ssl_sock) { - PR_Close(tcp_sock); - exit(7); - return SECFailure; + if( tcp_sock != NULL ) { + PR_Close(tcp_sock); + tcp_sock = NULL; + } + exit(7); } rv = SSL_ResetHandshake(ssl_sock, /* asServer */ 0); if (rv != SECSuccess) { - errWarn("SSL_ResetHandshake"); - exit(8); + errWarn("SSL_ResetHandshake"); + exit(8); } result = do_io( ssl_sock, connection); - PR_Close(ssl_sock); + if( ssl_sock != NULL ) { + PR_Close(ssl_sock); + ssl_sock = NULL; + } return SECSuccess; } 
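Review bot: The PR_SetSocketOption failure branch still returns SECSuccess after closing tcp_sock, so the caller's `rv = do_connect(&addr, model_sock, 1);` cannot distinguish a connection that was never attempted from one that completed; the new `/* Don't return SECFailure? */` comment should be resolved by changing that line to `return SECFailure;`, and the same branch is repeated in revoker.c and sslget.c. The `if( tcp_sock != NULL )` guards added around each PR_Close are dead checks here, because tcp_sock was already tested against NULL and errExit'd immediately after PR_OpenTCPSocket, so a bare `PR_Close(tcp_sock);` reads more honestly. The SSL_ResetHandshake failure path still leaves ssl_sock open before `exit(8)`, which is harmless at process exit but inconsistent with the cleanup added on the surrounding paths. do_connect's signature lies above the hunk.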
@@ -520,57 +535,81 @@ client_main( int connections, SECKEYPrivateKey ** privKey, CERTCertificate ** cert, - const char * hostName, - char * nickName) + const char * hostName, + char * nickName) { - PRFileDesc *model_sock = NULL; + PRFileDesc *model_sock = NULL; int rv; - PRUint32 ipAddress; /* in host byte order */ - PRNetAddr addr; - /* Assemble NetAddr struct for connections. */ - ipAddress = getIPAddress(hostName); FPRINTF(stderr, "port: %d\n", port); - addr.inet.family = PR_AF_INET; - addr.inet.port = PR_htons(port); - addr.inet.ip = PR_htonl(ipAddress); - /* all suites except RSA_NULL_MD5 are enabled by Domestic Policy */ NSS_SetDomesticPolicy(); /* all the SSL2 and SSL3 cipher suites are enabled by default. */ + /* SSL_CipherPrefSetDefault(0xC005 /* TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA */, PR_TRUE); */ + + /* + * Rifle through the values for the host + */ + + PRAddrInfo *ai; + void *iter; + PRNetAddr addr; + int family = PR_AF_INET; + + ai = PR_GetAddrInfoByName(hostName, PR_AF_UNSPEC, PR_AI_ADDRCONFIG); + if (ai) { + FPRINTF( stderr, "addr='%s'\n", PR_GetCanonNameFromAddrInfo( ai ) ); + iter = NULL; + while ((iter = PR_EnumerateAddrInfo(iter, ai, 0, &addr)) != NULL) { + family = PR_NetAddrFamily(&addr); + FPRINTF( stderr, "family='%d'\n", family ); + break; + } + PR_FreeAddrInfo(ai); + } - /* configure model SSL socket. */ + PR_SetNetAddr( PR_IpAddrNull, family, port, &addr ); - model_sock = PR_NewTCPSocket(); + model_sock = PR_OpenTCPSocket( family ); if (model_sock == NULL) { - errExit("PR_NewTCPSocket on model socket"); + errExit("PR_OpenTCPSocket on tcp socket"); } + /* Should we really be re-using the same socket? */ model_sock = SSL_ImportFD(NULL, model_sock); + + + /* check on success of call to SSL_ImportFD() */ if (model_sock == NULL) { - errExit("SSL_ImportFD"); + errExit("SSL_ImportFD"); } + /* enable ECC cipher also */ + /* do SSL configuration. 
*/ rv = SSL_OptionSet(model_sock, SSL_SECURITY, 1); if (rv < 0) { - errExit("SSL_OptionSet SSL_SECURITY"); + if( model_sock != NULL ) { + PR_Close( model_sock ); + model_sock = NULL; + } + errExit("SSL_OptionSet SSL_SECURITY"); } SSL_SetURL(model_sock, hostName); SSL_AuthCertificateHook(model_sock, mySSLAuthCertificate, - (void *)CERT_GetDefaultCertDB()); + (void *)CERT_GetDefaultCertDB()); SSL_BadCertHook(model_sock, myBadCertHandler, NULL); SSL_GetClientAuthDataHook(model_sock, - (SSLGetClientAuthData)my_GetClientAuthData, - nickName); + (SSLGetClientAuthData)my_GetClientAuthData, + nickName); /* I'm not going to set the HandshakeCallback function. */ @@ -578,7 +617,10 @@ client_main( rv = do_connect(&addr, model_sock, 1); - PR_Close(model_sock); + if( model_sock != NULL ) { + PR_Close( model_sock ); + model_sock = NULL; + } } diff --git a/pki/base/native-tools/src/revoker/revoker.c b/pki/base/native-tools/src/revoker/revoker.c index 08a002436..0aa6407b1 100644 --- a/pki/base/native-tools/src/revoker/revoker.c +++ b/pki/base/native-tools/src/revoker/revoker.c 
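Review bot: When PR_GetAddrInfoByName returns NULL, or PR_EnumerateAddrInfo yields no address on its first call, `addr` is never written, yet `PR_SetNetAddr( PR_IpAddrNull, family, port, &addr )` only sets family and port and the code goes on to connect to whatever bytes happened to be on the stack; the old getIPAddress path is gone, so resolution failure needs an explicit errExit, and the same block is copied into revoker.c and sslget.c. Separately, the new commented-out SSL_CipherPrefSetDefault line closes its comment at the inner `*/` after the cipher name, leaving `, PR_TRUE); */` as live tokens, which as rendered here will not compile; wrap it in `#if 0` or remove the inner comment. The `FPRINTF` of the canonical name and the `break` after the first address are fine as diagnostics but deserve a comment saying only the first resolved family is used. client_main's body continues below the hunk.
```c
    PRBool resolved = PR_FALSE;

    ai = PR_GetAddrInfoByName(hostName, PR_AF_UNSPEC, PR_AI_ADDRCONFIG);
    if (ai == NULL) {
        errExit("PR_GetAddrInfoByName");
    }
    /* … unchanged: FPRINTF of canonical name … */
    iter = NULL;
    while ((iter = PR_EnumerateAddrInfo(iter, ai, 0, &addr)) != NULL) {
        family = PR_NetAddrFamily(&addr);
        resolved = PR_TRUE;
        break;   /* only the first address is used */
    }
    PR_FreeAddrInfo(ai);
    if (!resolved) {
        errExit("PR_EnumerateAddrInfo: no usable address for host");
    }

    PR_SetNetAddr( PR_IpAddrNull, family, port, &addr );
```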
@@ -427,47 +427,62 @@ do_connect( { PRFileDesc * ssl_sock; PRFileDesc * tcp_sock; - PRStatus prStatus; - SECStatus result; - int rv = SECSuccess; + PRStatus prStatus; + SECStatus result; + int rv = SECSuccess; PRSocketOptionData opt; - tcp_sock = PR_NewTCPSocket(); + int family = PR_NetAddrFamily( addr ); + + tcp_sock = PR_OpenTCPSocket( family ); if (tcp_sock == NULL) { - errExit("PR_NewTCPSocket"); + errExit("PR_OpenTCPSocket on tcp socket"); } opt.option = PR_SockOpt_Nonblocking; opt.value.non_blocking = PR_FALSE; prStatus = PR_SetSocketOption(tcp_sock, &opt); if (prStatus != PR_SUCCESS) { - PR_Close(tcp_sock); - return SECSuccess; + if( tcp_sock != NULL ) { + PR_Close(tcp_sock); + tcp_sock = NULL; + } + /* Don't return SECFailure? */ + return SECSuccess; } prStatus = PR_Connect(tcp_sock, addr, PR_SecondsToInterval(3)); if (prStatus != PR_SUCCESS) { - errWarn("PR_Connect"); + errWarn("PR_Connect"); + if( tcp_sock != NULL ) { + PR_Close(tcp_sock); + tcp_sock = NULL; + } exit(6); } ssl_sock = SSL_ImportFD(model_sock, tcp_sock); /* XXX if this import fails, close tcp_sock and return. */ if (!ssl_sock) { - PR_Close(tcp_sock); - exit(7); - return SECFailure; + if( tcp_sock != NULL ) { + PR_Close(tcp_sock); + tcp_sock = NULL; + } + exit(7); } rv = SSL_ResetHandshake(ssl_sock, /* asServer */ 0); if (rv != SECSuccess) { - errWarn("SSL_ResetHandshake"); - exit(8); + errWarn("SSL_ResetHandshake"); + exit(8); } result = do_io( ssl_sock, connection); - PR_Close(ssl_sock); + if( ssl_sock != NULL ) { + PR_Close(ssl_sock); + ssl_sock = NULL; + } return SECSuccess; } 
@@ -503,57 +518,81 @@ client_main( int connections, SECKEYPrivateKey ** privKey, CERTCertificate ** cert, - const char * hostName, - char * nickName) + const char * hostName, + char * nickName) { - PRFileDesc *model_sock = NULL; + PRFileDesc *model_sock = NULL; int rv; - PRUint32 ipAddress; /* in host byte order */ - PRNetAddr addr; - /* Assemble NetAddr struct for connections. */ - ipAddress = getIPAddress(hostName); FPRINTF(stderr, "port: %d\n", port); - addr.inet.family = PR_AF_INET; - addr.inet.port = PR_htons(port); - addr.inet.ip = PR_htonl(ipAddress); - /* all suites except RSA_NULL_MD5 are enabled by Domestic Policy */ NSS_SetDomesticPolicy(); /* all the SSL2 and SSL3 cipher suites are enabled by default. */ + /* SSL_CipherPrefSetDefault(0xC005 /* TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA */, PR_TRUE); */ + + /* + * Rifle through the values for the host + */ + + PRAddrInfo *ai; + void *iter; + PRNetAddr addr; + int family = PR_AF_INET; + + ai = PR_GetAddrInfoByName(hostName, PR_AF_UNSPEC, PR_AI_ADDRCONFIG); + if (ai) { + FPRINTF( stderr, "addr='%s'\n", PR_GetCanonNameFromAddrInfo( ai ) ); + iter = NULL; + while ((iter = PR_EnumerateAddrInfo(iter, ai, 0, &addr)) != NULL) { + family = PR_NetAddrFamily(&addr); + FPRINTF( stderr, "family='%d'\n", family ); + break; + } + PR_FreeAddrInfo(ai); + } - /* configure model SSL socket. */ + PR_SetNetAddr( PR_IpAddrNull, family, port, &addr ); - model_sock = PR_NewTCPSocket(); + model_sock = PR_OpenTCPSocket( family ); if (model_sock == NULL) { - errExit("PR_NewTCPSocket on model socket"); + errExit("PR_OpenTCPSocket on tcp socket"); } + /* Should we really be re-using the same socket? */ model_sock = SSL_ImportFD(NULL, model_sock); + + + /* check on success of call to SSL_ImportFD() */ if (model_sock == NULL) { - errExit("SSL_ImportFD"); + errExit("SSL_ImportFD"); } + /* enable ECC cipher also */ + /* do SSL configuration. 
*/ rv = SSL_OptionSet(model_sock, SSL_SECURITY, 1); if (rv < 0) { - errExit("SSL_OptionSet SSL_SECURITY"); + if( model_sock != NULL ) { + PR_Close( model_sock ); + model_sock = NULL; + } + errExit("SSL_OptionSet SSL_SECURITY"); } SSL_SetURL(model_sock, hostName); SSL_AuthCertificateHook(model_sock, mySSLAuthCertificate, - (void *)CERT_GetDefaultCertDB()); + (void *)CERT_GetDefaultCertDB()); SSL_BadCertHook(model_sock, myBadCertHandler, NULL); SSL_GetClientAuthDataHook(model_sock, - (SSLGetClientAuthData)my_GetClientAuthData, - nickName); + (SSLGetClientAuthData)my_GetClientAuthData, + nickName); /* I'm not going to set the HandshakeCallback function. */ @@ -561,7 +600,10 @@ client_main( rv = do_connect(&addr, model_sock, 1); - PR_Close(model_sock); + if( model_sock != NULL ) { + PR_Close( model_sock ); + model_sock = NULL; + } } diff --git a/pki/base/native-tools/src/setpin/setpin.c b/pki/base/native-tools/src/setpin/setpin.c index 06306beb4..a0179c63e 100644 --- a/pki/base/native-tools/src/setpin/setpin.c +++ b/pki/base/native-tools/src/setpin/setpin.c @@ -47,6 +47,7 @@ #include <ldap.h> #include <ldap_ssl.h> +#include <ldappr.h> #define USE_NSS_RANDOM @@ -610,7 +611,7 @@ void doLDAPBind() { /* ld = ldapssl_init(o_host,port,LDAPSSL_AUTH_CNCHECK); */ } else { - ld = ldap_init(o_host,port); + ld = prldap_init(o_host,port,1); } if (ld == NULL) { errcode=4; @@ -618,7 +619,7 @@ void doLDAPBind() { } if (o_debug) { - fprintf(stderr,"# ldap_init completed\n"); + fprintf(stderr,"# prldap_init completed\n"); } r = ldap_simple_bind_s(ld,o_binddn,o_bindpw); diff --git a/pki/base/native-tools/src/sslget/sslget.c b/pki/base/native-tools/src/sslget/sslget.c index d08a9cf4c..6a8abda23 100644 --- a/pki/base/native-tools/src/sslget/sslget.c +++ b/pki/base/native-tools/src/sslget/sslget.c 
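Review bot: The third argument in `ld = prldap_init(o_host,port,1);` is PRLDAP's `shared` flag and appears as a bare literal here and in the matching calls in LDAP_Authentication.cpp, tus_db.c and test.c; a one-line comment such as `/* shared=1: handle may be used from more than one thread */` at each site, or a named constant, would record why the handle is opened in shared mode. In test.c the `perror( "prldap_init" )` after a NULL return reports errno, which prldap_init may not set, so a plain `fprintf(stderr, "prldap_init failed\n");` would be more accurate. doLDAPBind's body extends beyond the hunk.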
@@ -417,47 +417,62 @@ do_connect( { PRFileDesc * ssl_sock; PRFileDesc * tcp_sock; - PRStatus prStatus; - SECStatus result; - int rv = SECSuccess; + PRStatus prStatus; + SECStatus result; + int rv = SECSuccess; PRSocketOptionData opt; - tcp_sock = PR_NewTCPSocket(); + int family = PR_NetAddrFamily( addr ); + + tcp_sock = PR_OpenTCPSocket( family ); if (tcp_sock == NULL) { - errExit("PR_NewTCPSocket"); + errExit("PR_OpenTCPSocket on tcp socket"); } opt.option = PR_SockOpt_Nonblocking; opt.value.non_blocking = PR_FALSE; prStatus = PR_SetSocketOption(tcp_sock, &opt); if (prStatus != PR_SUCCESS) { - PR_Close(tcp_sock); - return SECSuccess; + if( tcp_sock != NULL ) { + PR_Close(tcp_sock); + tcp_sock = NULL; + } + /* Don't return SECFailure? */ + return SECSuccess; } prStatus = PR_Connect(tcp_sock, addr, PR_SecondsToInterval(3)); if (prStatus != PR_SUCCESS) { - errWarn("PR_Connect"); + errWarn("PR_Connect"); + if( tcp_sock != NULL ) { + PR_Close(tcp_sock); + tcp_sock = NULL; + } exit(6); } ssl_sock = SSL_ImportFD(model_sock, tcp_sock); /* XXX if this import fails, close tcp_sock and return. */ if (!ssl_sock) { - PR_Close(tcp_sock); - exit(7); - return SECFailure; + if( tcp_sock != NULL ) { + PR_Close(tcp_sock); + tcp_sock = NULL; + } + exit(7); } rv = SSL_ResetHandshake(ssl_sock, /* asServer */ 0); if (rv != SECSuccess) { - errWarn("SSL_ResetHandshake"); - exit(8); + errWarn("SSL_ResetHandshake"); + exit(8); } result = do_io( ssl_sock, connection); - PR_Close(ssl_sock); + if( ssl_sock != NULL ) { + PR_Close(ssl_sock); + ssl_sock = NULL; + } return SECSuccess; } 
@@ -493,39 +508,56 @@ client_main( int connections, SECKEYPrivateKey ** privKey, CERTCertificate ** cert, - const char * hostName, - char * nickName) + const char * hostName, + char * nickName) { - PRFileDesc *model_sock = NULL; + PRFileDesc *model_sock = NULL; int rv; - PRUint32 ipAddress; /* in host byte order */ - PRNetAddr addr; - /* Assemble NetAddr struct for connections. */ - ipAddress = getIPAddress(hostName); FPRINTF(stderr, "port: %d\n", port); - addr.inet.family = PR_AF_INET; - addr.inet.port = PR_htons(port); - addr.inet.ip = PR_htonl(ipAddress); - /* all suites except RSA_NULL_MD5 are enabled by Domestic Policy */ NSS_SetDomesticPolicy(); /* all the SSL2 and SSL3 cipher suites are enabled by default. */ SSL_CipherPrefSetDefault(0xC005 /* TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA */, PR_TRUE); - /* configure model SSL socket. */ + /* + * Rifle through the values for the host + */ + + PRAddrInfo *ai; + void *iter; + PRNetAddr addr; + int family = PR_AF_INET; + + ai = PR_GetAddrInfoByName(hostName, PR_AF_UNSPEC, PR_AI_ADDRCONFIG); + if (ai) { + FPRINTF( stderr, "addr='%s'\n", PR_GetCanonNameFromAddrInfo( ai ) ); + iter = NULL; + while ((iter = PR_EnumerateAddrInfo(iter, ai, 0, &addr)) != NULL) { + family = PR_NetAddrFamily(&addr); + FPRINTF( stderr, "family='%d'\n", family ); + break; + } + PR_FreeAddrInfo(ai); + } + + PR_SetNetAddr( PR_IpAddrNull, family, port, &addr ); - model_sock = PR_NewTCPSocket(); + model_sock = PR_OpenTCPSocket( family ); if (model_sock == NULL) { - errExit("PR_NewTCPSocket on model socket"); + errExit("PR_OpenTCPSocket on tcp socket"); } + /* Should we really be re-using the same socket? */ model_sock = SSL_ImportFD(NULL, model_sock); + + + /* check on success of call to SSL_ImportFD() */ if (model_sock == NULL) { - errExit("SSL_ImportFD"); + errExit("SSL_ImportFD"); } /* enable ECC cipher also */ 
@@ -534,19 +566,23 @@ client_main( rv = SSL_OptionSet(model_sock, SSL_SECURITY, 1); if (rv < 0) { - errExit("SSL_OptionSet SSL_SECURITY"); + if( model_sock != NULL ) { + PR_Close( model_sock ); + model_sock = NULL; + } + errExit("SSL_OptionSet SSL_SECURITY"); } SSL_SetURL(model_sock, hostName); SSL_AuthCertificateHook(model_sock, mySSLAuthCertificate, - (void *)CERT_GetDefaultCertDB()); + (void *)CERT_GetDefaultCertDB()); SSL_BadCertHook(model_sock, myBadCertHandler, NULL); SSL_GetClientAuthDataHook(model_sock, - (SSLGetClientAuthData)my_GetClientAuthData, - nickName); + (SSLGetClientAuthData)my_GetClientAuthData, + nickName); /* I'm not going to set the HandshakeCallback function. */ @@ -554,7 +590,10 @@ client_main( rv = do_connect(&addr, model_sock, 1); - PR_Close(model_sock); + if( model_sock != NULL ) { + PR_Close( model_sock ); + model_sock = NULL; + } } diff --git a/pki/base/ra/apache/conf/httpd.conf b/pki/base/ra/apache/conf/httpd.conf index 7362d80ce..4e6d2151f 100644 --- a/pki/base/ra/apache/conf/httpd.conf +++ b/pki/base/ra/apache/conf/httpd.conf @@ -217,7 +217,7 @@ MaxRequestsPerChild 0 # #Listen 12.34.56.78:80 -Listen 0.0.0.0:[PORT] +Listen [PORT] # # Dynamic Shared Object (DSO) Support diff --git a/pki/base/ra/apache/conf/nss.conf b/pki/base/ra/apache/conf/nss.conf index 2d8ad8720..668074e4c 100644 --- a/pki/base/ra/apache/conf/nss.conf +++ b/pki/base/ra/apache/conf/nss.conf @@ -15,9 +15,9 @@ # Note: Configurations that use IPv6 but not IPv4-mapped addresses need two # Listen directives: "Listen [::]:443" and "Listen 0.0.0.0:443" # -Listen 0.0.0.0:[SECURE_PORT] +Listen [SECURE_PORT] -Listen 0.0.0.0:[NON_CLIENTAUTH_SECURE_PORT] +Listen [NON_CLIENTAUTH_SECURE_PORT] ## ## SSL Global Context diff --git a/pki/base/ra/etc/init.d/httpd b/pki/base/ra/etc/init.d/httpd index 77c60966c..bacfeb214 100755 --- a/pki/base/ra/etc/init.d/httpd +++ b/pki/base/ra/etc/init.d/httpd 
@@ -231,7 +231,7 @@ get_pki_status_definitions() if [ "$head" == "$listen_statement" ] ; then # once the 'unsecure' listen statement has been found, # extract the numeric port information - port=`echo $line | cut -d: -f2` + port=`echo $line | cut -b8-` UNSECURE_PORT=$port echo " Unsecure Port = http://[SERVER_NAME]:${UNSECURE_PORT}" total_ports=`expr ${total_ports} + 1` @@ -251,7 +251,7 @@ get_pki_status_definitions() [ ${total_ports} -eq 2 ] ; then # once the 'non-clientauth' listen statement has been found, # extract the numeric port information - non_clientauth_port=`echo $line | cut -d: -f2` + non_clientauth_port=`echo $line | cut -b8-` NON_CLIENTAUTH_PORT=$non_clientauth_port echo " Secure Non-Clientauth Port = https://[SERVER_NAME]:${NON_CLIENTAUTH_PORT}" total_ports=`expr ${total_ports} + 1` @@ -261,7 +261,7 @@ get_pki_status_definitions() [ ${total_ports} -eq 1 ] ; then # once the 'clientauth' listen statement has been found, # extract the numeric port information - clientauth_port=`echo $line | cut -d: -f2` + clientauth_port=`echo $line | cut -b8-` CLIENTAUTH_PORT=$clientauth_port echo " Secure Clientauth Port = https://[SERVER_NAME]:${CLIENTAUTH_PORT}" total_ports=`expr ${total_ports} + 1` @@ -483,7 +483,7 @@ get_pki_secure_port() if [ "$head" == "$listen_statement" ] ; then # once the 'clientauth' listen statement has been found, # extract the numeric port information - port=`echo $line | cut -d: -f2` + port=`echo $line | cut -b8-` SECURE_PORT=$port return 0 fi diff --git a/pki/base/tps/apache/conf/httpd.conf b/pki/base/tps/apache/conf/httpd.conf index a5dcf8390..7d1e8acdf 100644 --- a/pki/base/tps/apache/conf/httpd.conf +++ b/pki/base/tps/apache/conf/httpd.conf @@ -217,7 +217,7 @@ MaxRequestsPerChild 0 # #Listen 12.34.56.78:80 -Listen 0.0.0.0:[PORT] +Listen [PORT] # # Dynamic Shared Object (DSO) Support diff --git a/pki/base/tps/apache/conf/nss.conf b/pki/base/tps/apache/conf/nss.conf index c619ec26e..70c64116f 100644 
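Review bot: `port=\`echo $line | cut -b8-\`` extracts the port by byte position, so it is correct only while the directive is exactly `Listen ` followed by the bare port as written to httpd.conf and nss.conf in this commit; the retained nss.conf comment itself suggests `Listen [::]:443` and `Listen 0.0.0.0:443`, and either form, or a leading tab, turns the extracted value into an address or an empty string. A field-based extraction that strips an optional address prefix, e.g. `port=\`echo $line | awk '{print $NF}' | sed 's/^.*://'\``, works for both the new and the old layouts; the same `cut -b8-` appears in the other three hunks of this file and in the four hunks of the tps init.d/httpd script. get_pki_status_definitions and get_pki_secure_port both start and end outside their hunks.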
--- a/pki/base/tps/apache/conf/nss.conf +++ b/pki/base/tps/apache/conf/nss.conf @@ -15,9 +15,9 @@ # Note: Configurations that use IPv6 but not IPv4-mapped addresses need two # Listen directives: "Listen [::]:443" and "Listen 0.0.0.0:443" # -Listen 0.0.0.0:[SECURE_PORT] +Listen [SECURE_PORT] -Listen 0.0.0.0:[NON_CLIENTAUTH_SECURE_PORT] +Listen [NON_CLIENTAUTH_SECURE_PORT] ## ## SSL Global Context diff --git a/pki/base/tps/etc/init.d/httpd b/pki/base/tps/etc/init.d/httpd index 567381c6e..5c3611f77 100755 --- a/pki/base/tps/etc/init.d/httpd +++ b/pki/base/tps/etc/init.d/httpd @@ -234,7 +234,7 @@ get_pki_status_definitions() if [ "$head" == "$listen_statement" ] ; then # once the 'unsecure' listen statement has been found, # extract the numeric port information - port=`echo $line | cut -d: -f2` + port=`echo $line | cut -b8-` UNSECURE_PORT=$port echo " Unsecure Port = http://[SERVER_NAME]:${UNSECURE_PORT}/cgi-bin/so/enroll.cgi" echo " (ESC Security Officer Enrollment)" @@ -257,7 +257,7 @@ get_pki_status_definitions() [ ${total_ports} -eq 2 ] ; then # once the 'non-clientauth' listen statement has been found, # extract the numeric port information - non_clientauth_port=`echo $line | cut -d: -f2` + non_clientauth_port=`echo $line | cut -b8-` NON_CLIENTAUTH_PORT=$non_clientauth_port echo " Secure Non-Clientauth Port = https://[SERVER_NAME]:${NON_CLIENTAUTH_PORT}/cgi-bin/so/enroll.cgi" echo " (ESC Security Officer Enrollment)" @@ -270,7 +270,7 @@ get_pki_status_definitions() [ ${total_ports} -eq 1 ] ; then # once the 'clientauth' listen statement has been found, # extract the numeric port information - clientauth_port=`echo $line | cut -d: -f2` + clientauth_port=`echo $line | cut -b8-` CLIENTAUTH_PORT=$clientauth_port echo " Secure Clientauth Port = https://[SERVER_NAME]:${CLIENTAUTH_PORT}/cgi-bin/sow/welcome.cgi" echo " (ESC Security Officer Workstation)" 
@@ -494,7 +494,7 @@ get_pki_secure_port() if [ "$head" == "$listen_statement" ] ; then # once the 'clientauth' listen statement has been found, # extract the numeric port information - port=`echo $line | cut -d: -f2` + port=`echo $line | cut -b8-` SECURE_PORT=$port return 0 fi diff --git a/pki/base/tps/src/authentication/LDAP_Authentication.cpp b/pki/base/tps/src/authentication/LDAP_Authentication.cpp index da32898c4..22796b360 100644 --- a/pki/base/tps/src/authentication/LDAP_Authentication.cpp +++ b/pki/base/tps/src/authentication/LDAP_Authentication.cpp @@ -25,6 +25,7 @@ #include "engine/RA.h" #include "ldap.h" #include "ldap_ssl.h" +#include "ldappr.h" #include "authentication/LDAP_Authentication.h" #include "authentication/Authentication.h" #include "main/Memory.h" @@ -181,13 +182,15 @@ int LDAP_Authentication::Authenticate(AuthParams *params) /* handling of SSL */ ld = ldapssl_init(host, port, 1); } else { - ld = ldap_init(host, port); + /* NOTE: ldapssl_init() already utilizes */ + /* prldap (IPv6) functionality. */ + ld = prldap_init(host, port, 1); } while (ld == NULL && retries < m_connectRetries) { RA::IncrementAuthCurrentIndex(m_connInfo->GetHostPortListLen()); GetHostPort(&host, &portStr); port = atoi(portStr); - ld = ldap_init(host, port); + ld = prldap_init(host, port, 1); retries++; } diff --git a/pki/base/tps/src/include/tus/tus_db.h b/pki/base/tps/src/include/tus/tus_db.h index d56ebb27c..f468a82ab 100644 --- a/pki/base/tps/src/include/tus/tus_db.h +++ b/pki/base/tps/src/include/tus/tus_db.h @@ -45,6 +45,7 @@ #include "ldap.h" #include "ldap_ssl.h" +#include "ldappr.h" #include "pk11func.h" #include "cryptohi.h" #include "keyhi.h" diff --git a/pki/base/tps/src/tus/tus_db.c b/pki/base/tps/src/tus/tus_db.c index 63d4958ac..b2c72adc4 100644 --- a/pki/base/tps/src/tus/tus_db.c +++ b/pki/base/tps/src/tus/tus_db.c 
@@ -884,7 +884,9 @@ static int tus_check_conn() /* enabling SSL */ ld = ldapssl_init(host, port, 1); } else { - ld = ldap_init(host, port); + /* NOTE: ldapssl_init() already utilizes */ + /* prldap (IPv6) functionality. */ + ld = prldap_init(host, port, 1); } if (ld == NULL) { return status; diff --git a/pki/base/tps/tools/tus/test.c b/pki/base/tps/tools/tus/test.c index 8def4b390..b73415d1b 100644 --- a/pki/base/tps/tools/tus/test.c +++ b/pki/base/tps/tools/tus/test.c @@ -36,6 +36,7 @@ #include <stdio.h> #include "ldap.h" +#include "ldappr.h" /* Specify the search criteria here. */ #define HOSTNAME "localhost" @@ -57,8 +58,8 @@ main( int argc, char **argv ) /* STEP 1: Get a handle to an LDAP connection and set any session preferences. */ - if ( (ld = ldap_init( HOSTNAME, PORTNUMBER )) == NULL ) { - perror( "ldap_init" ); + if ( (ld = prldap_init( HOSTNAME, PORTNUMBER, 1 )) == NULL ) { + perror( "prldap_init" ); return( 1 ); } |