ITS#6802,ITS#6811

1c8bfbe5 · Quanah Gibson-Mount · 971b71d4 · 1c8bfbe5 · 1c8bfbe5
Commit 1c8bfbe5 authored Jan 31, 2011 by Quanah Gibson-Mount
--- a/CHANGES
+++ b/CHANGES
@@ -41,7 +41,7 @@ OpenLDAP 2.4.24 Engineering
 	Fixed libldap variable usage (ITS#6813)
 	Fixed libldap MozNSS default cipher suites (ITS#6790)
 	Fixed libldap MozNSS cert usage types/values (ITS#6791)
-	Fixed libldap MozNSS restart module after fork() (ITS#6802)
+	Fixed libldap MozNSS restart module after fork() (ITS#6802,ITS#6811)
 	Fixed liblutil getpass prompts (ITS#6702)
 	Fixed ldapsearch segfault with deref (ITS#6638)
 	Fixed ldapsearch multiple controls parsing (ITS#6651)

--- a/libraries/libldap/tls_m.c
+++ b/libraries/libldap/tls_m.c
@@ -2872,10 +2872,27 @@ static const PRIOMethods tlsm_PR_methods = {
 static int
 tlsm_init( void )
 {
+	char *nofork = PR_GetEnv( "NSS_STRICT_NOFORK" );
+
 	PR_Init(0, 0, 0);

 	tlsm_layer_id = PR_GetUniqueIdentity( "OpenLDAP" );

+	/*
+	 * There are some applications that acquire a crypto context in the parent process
+	 * and expect that crypto context to work after a fork().  This does not work
+	 * with NSS using strict PKCS11 compliance mode.  We set this environment
+	 * variable here to tell the software encryption module/token to allow crypto
+	 * contexts to persist across a fork().  However, if you are using some other
+	 * module or encryption device that supports and expects full PKCS11 semantics,
+	 * the only recourse is to rewrite the application with atfork() handlers to save
+	 * the crypto context in the parent and restore (and SECMOD_RestartModules) the
+	 * context in the child.
+	 */
+	if ( !nofork ) {
+		PR_SetEnv( "NSS_STRICT_NOFORK=DISABLED" );
+	}
+
 	return 0;
 }