authorRich Megginson <rmeggins@redhat.com>2005-04-01 15:54:26 +0000
committerRich Megginson <rmeggins@redhat.com>2005-04-01 15:54:26 +0000
commit9d423b0cf872ad3605746c246787629f00fa992c (patch)
tree29888225a4196d0c7953a8a027ae12f7f3537fa5
parentbd1ac5b3067e8cec6ed13200fd3c3d6831d5cc67 (diff)
downloadds-9d423b0cf872ad3605746c246787629f00fa992c.tar.gz
ds-9d423b0cf872ad3605746c246787629f00fa992c.tar.xz
ds-9d423b0cf872ad3605746c246787629f00fa992c.zip
Bug(s) fixed: 147886
Bug Description: customer requests that the server warns that the files are missing (the current errors are generic about being unable to retrieve server-cert) Reviewed by: Nathan and Noriko (Thanks!) Files: ssl.c Branch: HEAD Fix Description: Basically just check to see if the specified files are readable. If not, check for newer versions e.g. if the customer hasn't changed the cert filename from *-cert7.db to *-cert8.db yet. Also threw in key4.db in case that changes in the future (not likely). Log a warning if the files do not exist (most likely the server will fail to start in this case). Platforms tested: RHEL3 Flag Day: no Doc impact: no, I don't think so QA impact: should be covered by regular nightly and manual testing New Tests integrated into TET: none
-rw-r--r--ldap/servers/slapd/ssl.c62
1 files changed, 62 insertions, 0 deletions
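diff --git a/ldap/servers/slapd/ssl.c b/ldap/servers/slapd/ssl.c
index 5a9445b4..896389ae 100644
--- a/ldap/servers/slapd/ssl.c
+++ b/ldap/servers/slapd/ssl.c
@@ -342,6 +342,65 @@ freeChildren( char **list ) {
 }
 }
+static void
+warn_if_no_cert_file(const char *filename)
+{
+ PRStatus status = PR_Access(filename, PR_ACCESS_READ_OK);
+ if (PR_SUCCESS != status) {
+ /* if file ends in -cert7.db and the corresponding -cert8.db exists, just
+ warn */
+ char *cert8 = slapi_ch_strdup(filename);
+ char *ptr;
+ if ((ptr = PL_strrstr(cert8, "-cert7.db"))) {
+ strcpy(ptr, "-cert8.db");
+ status = PR_Access(cert8, PR_ACCESS_READ_OK);
+ if (PR_SUCCESS == status) {
+ slapi_log_error(SLAPI_LOG_FATAL, "SSL Initialization",
+ "Notice: certificate DB file %s does not exist but %s does - suggest updating nscertfile\n",
+ filename, cert8);
+ }
+ }
+ slapi_ch_free_string(&cert8);
+
+ if (PR_SUCCESS != status) {
+ slapi_log_error(SLAPI_LOG_FATAL, "SSL Initialization",
+ "Warning: certificate DB file %s does not exist - SSL initialization will likely fail\n",
+ filename);
+ }
+ }
+}
+
+static void
+warn_if_no_key_file(const char *path, const char *name)
+{
+ char last = path[strlen(path)-1];
+ char *filename = slapi_ch_smprintf("%s%s%s", path, ((last == '/' || last == '\\') ? "" : "/"), name);
+ PRStatus status = PR_Access(filename, PR_ACCESS_READ_OK);
+ if (PR_SUCCESS != status) {
+ /* if file ends in -key3.db and the corresponding -key4.db exists, just
+ warn */
+ char *key4 = slapi_ch_strdup(filename);
+ char *ptr;
+ if ((ptr = PL_strrstr(key4, "-key3.db"))) {
+ strcpy(ptr, "-key4.db");
+ status = PR_Access(key4, PR_ACCESS_READ_OK);
+ if (PR_SUCCESS == status) {
+ slapi_log_error(SLAPI_LOG_FATAL, "SSL Initialization",
+ "Notice: key DB file %s does not exist but %s does - suggest updating nskeyfile\n",
+ filename, key4);
+ }
+ }
+ slapi_ch_free_string(&key4);
+
+ if (PR_SUCCESS != status) {
+ slapi_log_error(SLAPI_LOG_FATAL, "SSL Initialization",
+ "Warning: key DB file %s does not exist - SSL initialization will likely fail\n",
+ filename);
+ }
+ }
+
+ slapi_ch_free_string(&filename);
+}
 /*
 * slapd_nss_init() is always called from main(), even if we do not
@@ -397,6 +456,7 @@ slapd_nss_init(int init_ssl, int config_available)
 if(keyfn && certfn) {
 if (is_abspath(certfn)) {
+ warn_if_no_cert_file(certfn);
 /* first, initialize path from the certfn */
 PL_strncpyz(path, certfn, sizeof(path));
 /* extract path from cert db filename */
@@ -410,6 +470,7 @@ slapd_nss_init(int init_ssl, int config_available)
 PL_strncpyz(certPref, val, sizeof(certPref));
 } else {
 PL_strncpyz(val, certfn, sizeof(path)-(val-path));
+ warn_if_no_cert_file(path); /* assumes certfn is relative to server root */
 val = strrchr(path, '/');
 if (!val) {
 val = strrchr(path, '\\');
@@ -438,6 +499,7 @@ slapd_nss_init(int init_ssl, int config_available)
 val = keyfn;
 }
 PL_strncpyz(keyPref, val, sizeof(keyPref));
+ warn_if_no_key_file(path, keyPref);
 /* richm - use strrstr to get the last occurance of -key in the string, in case
 the instance is named slapd-key - the keydb name will be slapd-key-key3.db
 */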
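Review bot: `warn_if_no_key_file` indexes `path[strlen(path)-1]` without checking for an empty string; when `path` is `""` the index wraps and reads outside the buffer, so take the length first, `size_t len = strlen(path);` and `char last = len ? path[len - 1] : '\0';`. Whether `slapd_nss_init` can ever pass an empty `path` is not visible in the hunks (the function's body runs outside them), so this is a cheap guard rather than a confirmed crash. In both helpers, `PR_Access(..., PR_ACCESS_READ_OK)` also fails when the file exists but the server's user cannot read it (wrong ownership or mode on the cert/key DB), yet the "Warning:" messages say only "does not exist"; wording such as `"... does not exist or is not readable (NSPR error %d)"` with `PR_GetError()` appended to the arguments would point an administrator at a permission problem instead of a missing file. Lastly, `SLAPI_LOG_FATAL` is used for a message that calls itself a "Notice"; keeping that level so the message is always logged is reasonable, but a one-line comment saying so would keep the next reader from lowering it.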