diff --git a/debian/changelog b/debian/changelog
index 17ab37b..a0918f2 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+nss-pam-ldapd (0.7.13+nmu1) unstable; urgency=low
+
+ * Non-maintainer upload.
+ * added nslcd.ssl.patch
+
+ -- Stefan Völkel Fri, 05 Aug 2011 14:45:32 +0200
+
 nss-pam-ldapd (0.7.13) unstable; urgency=low
 * fix handling of idle_timelimit option
diff --git a/debian/patches/nslcd.ssl.patch b/debian/patches/nslcd.ssl.patch
new file mode 100644
index 0000000..f58b2e6
--- /dev/null
+++ b/debian/patches/nslcd.ssl.patch
@@ -0,0 +1,131 @@
+--- a/nslcd/cfg.c
++++ b/nslcd/cfg.c
+@@ -110,6 +110,7 @@
+ cfg->ldc_bind_timelimit=10;
+ cfg->ldc_timelimit=LDAP_NO_LIMIT;
+ cfg->ldc_idle_timelimit=0;
++ cfg->ldc_sock_timelimit=0;
+ cfg->ldc_reconnect_sleeptime=1;
+ cfg->ldc_reconnect_retrytime=10;
+ #ifdef LDAP_OPT_X_TLS
+@@ -909,6 +910,11 @@
+ get_int(filename,lnr,keyword,&line,&cfg->ldc_idle_timelimit);
+ get_eol(filename,lnr,keyword,&line);
+ }
++ else if (strcasecmp(keyword,"sock_timelimit")==0)
++ {
++ get_int(filename,lnr,keyword,&line,&cfg->ldc_sock_timelimit);
++ get_eol(filename,lnr,keyword,&line);
++ }
+ else if (strcasecmp(keyword,"reconnect_tries")==0)
+ log_log(LOG_WARNING,"%s:%d: option %s has been removed and will be ignored",filename,lnr,keyword);
+ else if (!strcasecmp(keyword,"reconnect_sleeptime"))
+--- a/nslcd/cfg.h
++++ b/nslcd/cfg.h
+@@ -119,6 +119,8 @@
+ int ldc_timelimit;
+ /* idle timeout */
+ int ldc_idle_timelimit;
++ /* socket timeout */
++ int ldc_sock_timelimit;
+ /* seconds to sleep; doubled until max */
+ int ldc_reconnect_sleeptime;
+ /* maximum seconds to sleep */
+--- a/nslcd/myldap.c
++++ b/nslcd/myldap.c
+@@ -473,6 +473,51 @@
+ }
+ #endif /* HAVE_LDAP_SET_REBIND_PROC */
+
++/* set a recieve and send timeout on a socket */
++int set_socket_timeout(int sd, long int sec)
++{
++ struct timeval tv;
++ int ret;
++
++ log_log(LOG_DEBUG, "set_socket_timeout(%d, %li)", sd, sec);
++
++ memset(&tv, 0, sizeof(tv));
++ tv.tv_sec = sec;
++
++ ret = setsockopt(sd, SOL_SOCKET, SO_RCVTIMEO, (void *)&tv, sizeof(tv));
++ if (ret)
++ {
++ log_log(LOG_ERR, "set_socket_timeout(SO_RCVTIMEO): %s", strerror(errno));
++ return -1;
++ }
++
++ ret = setsockopt(sd, SOL_SOCKET, SO_SNDTIMEO, (void *)&tv, sizeof(tv));
++ if (ret)
++ {
++ log_log(LOG_ERR, "set_socket_timeout(SO_SNDTIMEO,): %s", strerror(errno));
++ return -1;
++ }
++
++ return 0;
++}
++
++/* gets called from the ldab lib, once a connec()ion was made to the server.
we
++ set a timeout on the socket here, to catch netzwork timeouts during the ssl
++ handshake phase */
++int tls_connect_cb( struct ldap *ld, void *ssl, void *ctx, void *arg )
++{
++ int ret;
++ int sd;
++
++ if (ldap_get_option(ld, LDAP_OPT_DESC, &sd) != LDAP_SUCCESS)
++ {
++ log_log(LOG_ERR,"tls_cb() could not get socket from session");
++ return -1;
++ }
++
++ return set_socket_timeout(sd, nslcd_cfg->ldc_sock_timelimit);
++}
++
+ /* This function sets a number of properties on the connection, based
+ what is configured in the configfile. This function returns an
+ LDAP status code. */
+@@ -536,6 +581,9 @@
+ i=LDAP_OPT_X_TLS_HARD;
+ log_log(LOG_DEBUG,"ldap_set_option(LDAP_OPT_X_TLS,LDAP_OPT_X_TLS_HARD)");
+ LDAP_SET_OPTION(session->ld,LDAP_OPT_X_TLS,&i);
++
++ log_log(LOG_DEBUG, "ldap_set_option(LDAP_OPT_X_TLS_CONNECT_CB)");
++ LDAP_SET_OPTION(session->ld, LDAP_OPT_X_TLS_CONNECT_CB, tls_connect_cb);
+ }
+ #endif /* LDAP_OPT_X_TLS */
+ /* if nothing above failed, everything should be fine */
+--- a/nslcd.conf
++++ b/nslcd.conf
+@@ -58,6 +58,10 @@
+ # server has not been contacted for the number of seconds.
+ #idle_timelimit 3600
+
++# Socket timelimit. Number of seconds to wait when sending/recieving from a socket.
++# 0 means to wait forever.
++# sock_timelimit 0
++
+ # Use StartTLS without verifying the server certificate.
+ #ssl start_tls
+ #tls_reqcert never
+--- a/man/nslcd.conf.5.xml
++++ b/man/nslcd.conf.5.xml
+@@ -149,6 +149,18 @@
+
+
+
++
++ SECONDS
++
++
++ Number of seconds to wait when sending/receiving on a socket. Zero means
++ to wait forever. This can be used to detect hung SSL handshakes by
++ setting it to something other than zero.
++ Defaults to 0.
++
++
++
++
+
+ VERSION
+
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 0000000..1ad3e80
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1 @@
+nslcd.ssl.patch
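Review bot: `tls_connect_cb` in the myldap.c part of the embedded patch declares `int ret;` that is never used, and both it and `set_socket_timeout` are defined with external linkage and no prototype; I would make them `static int set_socket_timeout(int sd, long int sec)` and `static int tls_connect_cb(struct ldap *ld, void *ssl, void *ctx, void *arg)` and drop the unused local. The callback is registered only inside the block that sets `LDAP_OPT_X_TLS_HARD` (the enclosing function of that `@@ -536` hunk starts and ends outside the hunk), so a connection that negotiates TLS via StartTLS presumably never gets the socket timeout; either register it alongside the unconditional TLS options or state in the nslcd.conf and manpage text, which currently describe `sock_timelimit` as a general socket timeout, that it only takes effect for ldaps-style connections. In cfg.c the value is stored via `get_int` with no range check, so unless `get_int` itself rejects negative numbers a value below zero reaches `setsockopt`, which then fails with the error logged on every connect while whether libldap acts on the callback's -1 is not visible here; a non-negative check right after the `get_int` call would reject it at config-parse time instead. Minor: the comment above `tls_connect_cb` has `ldab lib`, `connec()ion` and `netzwork`, the SO_SNDTIMEO error string carries a stray comma (`SO_SNDTIMEO,)`), the failure log names `tls_cb()` rather than `tls_connect_cb`, and nslcd.conf says `recieving`.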