ITS#6802

CHANGES

@@ -38,6 +38,7 @@ OpenLDAP 2.4.24 Engineering
 	Fixed libldap sync checking for BER errors (ITS#6738)	
 	Fixed libldap MozNSS default cipher suites (ITS#6790)
 	Fixed libldap MozNSS cert usage types/values (ITS#6791)
+	Fixed libldap MozNSS restart module (ITS#6802)
 	Fixed liblutil getpass prompts (ITS#6702)
 	Fixed ldapsearch segfault with deref (ITS#6638)
 	Fixed ldapsearch multiple controls parsing (ITS#6651)

libraries/libldap/tls_m.c

@@ -68,6 +68,13 @@
 #define HAVE_NSS_INITCONTEXT 1
 #endif
 
+/* NSS 3.12.9 and later have SECMOD_RestartModules */
+#if NSS_VMAJOR <= 3 && NSS_VMINOR <= 12 && NSS_VPATCH < 9
+/* do nothing */
+#else
+#define HAVE_SECMOD_RESTARTMODULES 1
+#endif
+
 /* InitContext does not currently work in server mode */
 /* #define INITCONTEXT_HACK 1 */
 
@@ -1482,6 +1489,24 @@ tlsm_deferred_init( void *arg )
 	SECStatus rc;
 	int done = 0;
 
+#ifdef HAVE_SECMOD_RESTARTMODULES
+	/* NSS enforces the pkcs11 requirement that modules should be unloaded after
+	   a fork() - since there is no portable way to determine if NSS has been
+	   already initialized in a parent process, we just call SECMOD_RestartModules
+	   with force == FALSE - if the module has been unloaded due to a fork, it will
+	   be reloaded, otherwise, it is a no-op */
+	if ( SECFailure == ( rc = SECMOD_RestartModules(PR_FALSE /* do not force */) ) ) {
+		errcode = PORT_GetError();
+		if ( errcode != SEC_ERROR_NOT_INITIALIZED ) {
+			Debug( LDAP_DEBUG_TRACE,
+				   "TLS: could not restart the security modules: %d:%s\n",
+				   errcode, PR_ErrorToString( errcode, PR_LANGUAGE_I_DEFAULT ), 0 );
+		} else {
+			errcode = 1;
+		}
+	}
+#endif
+
 #ifdef HAVE_NSS_INITCONTEXT
 	memset( &initParams, 0, sizeof( initParams ) );
 	initParams.length = sizeof( initParams );