From 990d7378d4c8555c2bc2ec1c311126d5b9f17ab9 Mon Sep 17 00:00:00 2001
From: William Brown
Date: Fri, 25 Aug 2017 10:30:53 +1000
Subject: [PATCH] Ticket 49275 - fix tls auth regression Bug Description: Durinc the GCC 7 fix I broke a case-switch in ssl.c. This statement set cert auth request to true, followed by required to true if require was also true. Fix Description: Make the case-switch statement clearer by having each branch set it's options directly without relying on fallthrough logic. https://pagure.io/389-ds-base/issue/49275 Author: wibrown Review by: ???
---
 ldap/servers/slapd/ssl.c | 24 +++++++++++++++++++++---
 1 file changed, 21 insertions(+), 3 deletions(-)
diff --git a/ldap/servers/slapd/ssl.c b/ldap/servers/slapd/ssl.c
index 941d32c..062bcb2 100644
--- a/ldap/servers/slapd/ssl.c
+++ b/ldap/servers/slapd/ssl.c
@@ -2240,23 +2240,41 @@ slapd_ssl_init2(PRFileDesc **fd, int startTLS)
 int err;
 switch (slapd_SSLclientAuth) {
 case SLAPD_SSLCLIENTAUTH_ALLOWED:
-#ifdef SSL_REQUIRE_CERTIFICATE /* new feature */
+ /*
+ * REQUEST is true
+ * REQUIRED is false
+ */
+ if ((err = SSL_OptionSet(pr_sock, SSL_REQUEST_CERTIFICATE, PR_TRUE)) < 0) {
+ PRErrorCode prerr = PR_GetError();
+ slapi_log_err(SLAPI_LOG_ERR, "Security Initialization",
+ "SSL_OptionSet(SSL_REQUEST_CERTIFICATE,PR_TRUE) %d " SLAPI_COMPONENT_NAME_NSPR " error %d (%s)\n",
+ err, prerr, slapd_pr_strerror(prerr));
+ }
 if ((err = SSL_OptionSet(pr_sock, SSL_REQUIRE_CERTIFICATE, PR_FALSE)) < 0) {
 PRErrorCode prerr = PR_GetError();
 slapi_log_err(SLAPI_LOG_ERR, "Security Initialization",
 "SSL_OptionSet(SSL_REQUIRE_CERTIFICATE,PR_FALSE) %d " SLAPI_COMPONENT_NAME_NSPR " error %d (%s)\n",
 err, prerr, slapd_pr_strerror(prerr));
 }
-#endif
 break;
- /* Give the client a clear opportunity to send her certificate: */
 case SLAPD_SSLCLIENTAUTH_REQUIRED:
+ /* Give the client a clear opportunity to send her certificate: */
+ /*
+ * REQUEST is true
+ * REQUIRED is true
+ */
 if ((err = SSL_OptionSet(pr_sock, SSL_REQUEST_CERTIFICATE, PR_TRUE)) < 0) {
 PRErrorCode prerr = PR_GetError();
 slapi_log_err(SLAPI_LOG_ERR, "Security Initialization",
 "SSL_OptionSet(SSL_REQUEST_CERTIFICATE,PR_TRUE) %d " SLAPI_COMPONENT_NAME_NSPR " error %d (%s)\n",
 err, prerr, slapd_pr_strerror(prerr));
 }
+ if ((err = SSL_OptionSet(pr_sock, SSL_REQUIRE_CERTIFICATE, PR_TRUE)) < 0) {
+ PRErrorCode prerr = PR_GetError();
+ slapi_log_err(SLAPI_LOG_ERR, "Security Initialization",
+ "SSL_OptionSet(SSL_REQUIRE_CERTIFICATE,PR_FALSE) %d " SLAPI_COMPONENT_NAME_NSPR " error %d (%s)\n",
+ err, prerr, slapd_pr_strerror(prerr));
+ }
 break;
 default:
 break;
-- 
1.8.3.1
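Review bot: The log message in the newly added SSL_REQUIRE_CERTIFICATE block of the SLAPD_SSLCLIENTAUTH_REQUIRED case was copied from the ALLOWED case and still says `PR_FALSE` although the call sets `PR_TRUE`; it should read `"SSL_OptionSet(SSL_REQUIRE_CERTIFICATE,PR_TRUE) %d " SLAPI_COMPONENT_NAME_NSPR " error %d (%s)\n",` so an operator investigating why client certificates are not being enforced is not pointed at the wrong setting. More importantly, every SSL_OptionSet failure in this switch is only logged and execution continues to `break;`, so if enabling SSL_REQUIRE_CERTIFICATE fails the listener comes up accepting connections without a client certificate even though the configuration demands one, which is a fail-open condition; if slapd_ssl_init2 has an error return path (the function starts before this hunk and its body continues after the last context line), the REQUIRED case should take it instead of proceeding. The two cases now carry three near-identical six-line log blocks, and a small static helper wrapping SSL_OptionSet plus the log call would remove the copy-paste hazard that produced the wrong message in the first place.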