diff --git a/CVE-2019-13057-1.patch b/CVE-2019-13057-1.patch
new file mode 100644
index 0000000000000000000000000000000000000000..4444eec668069db4cbdf03bfc9fa05cf66082017
--- /dev/null
+++ b/CVE-2019-13057-1.patch
@@ -0,0 +1,35 @@
+From f120d0e461178b5974694876ba2d2bdba4f7d122 Mon Sep 17 00:00:00 2001
+From: Howard Chu
+Date: Wed, 19 Jun 2019 12:29:02 +0100
+Subject: [PATCH] ITS#9038 restrict rootDN proxyauthz to its own DBs.
+
+Treat as normal user for any other DB.
+---
+ servers/slapd/saslauthz.c | 11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+diff --git a/servers/slapd/saslauthz.c b/servers/slapd/saslauthz.c
+index 64c7053..b3727ea 100644
+--- a/servers/slapd/saslauthz.c
++++ b/servers/slapd/saslauthz.c
+@@ -2062,12 +2062,13 @@ int slap_sasl_authorized( Operation *op,
+ goto DONE;
+ }
+
+- /* Allow the manager to authorize as any DN. */
+- if( op->o_conn->c_authz_backend &&
+- be_isroot_dn( op->o_conn->c_authz_backend, authcDN ))
++ /* Allow the manager to authorize as any DN in its own DBs. */
+ {
+- rc = LDAP_SUCCESS;
+- goto DONE;
++ Backend *zbe = select_backend( authzDN, 1 );
++ if ( zbe && be_isroot_dn( zbe, authcDN )) {
++ rc = LDAP_SUCCESS;
++ goto DONE;
++ }
+ }
+
+ /* Check source rules */
+--
+1.7.10.4
diff --git a/CVE-2019-13057-2.patch b/CVE-2019-13057-2.patch
new file mode 100644
index 0000000000000000000000000000000000000000..394d2d9c964d5adf83108df89006893555991dff
--- /dev/null
+++ b/CVE-2019-13057-2.patch
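Review bot: The new block picks the backend from `authzDN` alone via `select_backend( authzDN, 1 )`, and the meaning of the literal `1` in the second argument is not visible in the hunk, so a reader cannot tell from here which databases (for instance glued subordinates) are considered when deciding who is "rootdn of the DB holding authzDN". A one-line comment would save a trip to backend.c, e.g. `/* only the rootdn of the DB that actually serves authzDN may assume it; any other identity falls through to the authz-policy rules below */`. If `select_backend` returns NULL for a DN no database serves, the code now falls through to the source/destination rule checks instead of failing outright, which appears intended but deserves a sentence in the patch description. `slap_sasl_authorized` starts and ends outside the hunk.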
@@ -0,0 +1,102 @@
+From ce5869c89a0cf1a9ec23bde014cb4c11f4d0360c Mon Sep 17 00:00:00 2001
+From: =?utf8?q?Ond=C5=99ej=20Kuzn=C3=ADk?=
+Date: Wed, 19 Jun 2019 18:47:32 +0200
+Subject: [PATCH] ITS#9038 Update test028 to test this is enforced
+
+---
+ tests/data/idassert.out | 5 +++++
+ tests/data/slapd-idassert.conf | 1 +
+ tests/data/test-idassert1.ldif | 6 ++++++
+ tests/scripts/test028-idassert | 24 ++++++++++++++++++++++++
+ 4 files changed, 36 insertions(+)
+
+diff --git a/tests/data/idassert.out b/tests/data/idassert.out
+index 53d76bb..fa51c25 100644
+--- a/tests/data/idassert.out
++++ b/tests/data/idassert.out
+@@ -4,6 +4,11 @@ objectClass: dcObject
+ o: Example, Inc.
+ dc: example
+
++dn: cn=Manager,o=Example,c=US
++objectClass: inetOrgPerson
++cn: Manager
++sn: Parson
++
+ dn: ou=People,o=Example,c=US
+ objectClass: organizationalUnit
+ ou: People
+diff --git a/tests/data/slapd-idassert.conf b/tests/data/slapd-idassert.conf
+index 88d66a3..561c5cc 100644
+--- a/tests/data/slapd-idassert.conf
++++ b/tests/data/slapd-idassert.conf
+@@ -36,6 +36,7 @@ argsfile @TESTDIR@/slapd.1.args
+ #######################################################################
+
+ authz-policy both
++authz-regexp "^uid=manager,.+" "cn=Manager,dc=example,dc=com"
+ authz-regexp "^uid=admin/([^,]+),.+" "ldap:///ou=Admin,dc=example,dc=com??sub?(cn=$1)"
+ authz-regexp "^uid=it/([^,]+),.+" "ldap:///ou=People,dc=example,dc=it??sub?(uid=$1)"
+ authz-regexp "^uid=(us/)?([^,]+),.+" "ldap:///ou=People,dc=example,dc=com??sub?(uid=$2)"
+diff --git a/tests/data/test-idassert1.ldif b/tests/data/test-idassert1.ldif
+index 063d6ec..3ccbd1a 100644
+--- a/tests/data/test-idassert1.ldif
++++ b/tests/data/test-idassert1.ldif
+@@ -4,6 +4,12 @@ objectClass: dcObject
+ o: Example, Inc.
+ dc: example
+
++dn: cn=Manager,dc=example,dc=com
++objectClass: inetOrgPerson
++cn: Manager
++sn: Parson
++userPassword: secret
++
+ dn: ou=People,dc=example,dc=com
+ objectClass: organizationalUnit
+ ou: People
+diff --git a/tests/scripts/test028-idassert b/tests/scripts/test028-idassert
+index b1e1674..9e5e107 100755
+--- a/tests/scripts/test028-idassert
++++ b/tests/scripts/test028-idassert
+@@ -191,6 +191,17 @@ if test $RC != 0 ; then
+ exit $RC
+ fi
+
++AUTHZID="u:it/jaj"
++echo "Checking another DB's rootdn can't assert identity from another DB..."
++$LDAPWHOAMI -h $LOCALHOST -p $PORT1 -D "$MANAGERDN" -w $PASSWD -e\!"authzid=$AUTHZID"
++
++RC=$?
++if test $RC != 1 ; then
++ echo "ldapwhoami should have failed ($RC)!"
++ test $KILLSERVERS != no && kill -HUP $KILLPIDS
++ exit $RC
++fi
++
+ ID="uid=jaj,ou=People,dc=example,dc=it"
+ BASE="o=Example,c=US"
+ echo "Testing ldapsearch as $ID for \"$BASE\"..."
+@@ -231,6 +242,19 @@ if test $USE_SASL != "no" ; then
+ exit $RC
+ fi
+
++ ID="manager"
++ AUTHZID="u:it/jaj"
++ echo "Checking another DB's rootdn can't assert in another (with SASL bind this time)..."
++ $LDAPSASLWHOAMI -h $LOCALHOST -p $PORT1 \
++ -Q -U "$ID" -w $PASSWD -Y $MECH -X $AUTHZID
++
++ RC=$?
++ if test $RC != 50 ; then
++ echo "ldapwhoami should have failed ($RC)!"
++ test $KILLSERVERS != no && kill -HUP $KILLPIDS
++ exit $RC
++ fi
++
+ echo "Filtering ldapsearch results..."
+ $LDIFFILTER < $SEARCHOUT > $SEARCHFLT
+ echo "Filtering original ldif used to create database..."
+--
+1.7.10.4
+
diff --git a/CVE-2019-13057-3.patch b/CVE-2019-13057-3.patch
new file mode 100644
index 0000000000000000000000000000000000000000..a1317d321a7bfe6d024a11a332fb0fd98ab84b3b
--- /dev/null
+++ b/CVE-2019-13057-3.patch
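Review bot: The two new checks in test028-idassert expect different exit codes for the same denied assertion — `1` for the simple-bind `$LDAPWHOAMI ... -e\!"authzid=$AUTHZID"` case and `50` for the SASL `$LDAPSASLWHOAMI ... -X $AUTHZID` case — and nothing says why, so a later reader cannot tell a regression from an intended asymmetry. Add a comment above each, e.g. `# critical proxyauthz control refused: client exits 1` and `# SASL authzid refused by the server: LDAP_INSUFFICIENT_ACCESS (50)`. That the first reflects a control-level refusal is my inference from the `-e\!` critical flag; the comment should record the actual observed reason. The surrounding script logic is outside the hunks.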
@@ -0,0 +1,25 @@
+From c064d45c5d4551f2321276c3a5ed25b1c08e115d Mon Sep 17 00:00:00 2001
+From: =?utf8?q?Ond=C5=99ej=20Kuzn=C3=ADk?=
+Date: Mon, 24 Jun 2019 16:37:23 +0200
+Subject: [PATCH] ITS#9038 Fix typo in test script
+
+---
+ tests/scripts/test028-idassert | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tests/scripts/test028-idassert b/tests/scripts/test028-idassert
+index 9e5e107..564a615 100755
+--- a/tests/scripts/test028-idassert
++++ b/tests/scripts/test028-idassert
+@@ -199,7 +199,7 @@ RC=$?
+ if test $RC != 1 ; then
+ echo "ldapwhoami should have failed ($RC)!"
+ test $KILLSERVERS != no && kill -HUP $KILLPIDS
+- exit $RC
++ exit 1
+ fi
+
+ ID="uid=jaj,ou=People,dc=example,dc=it"
+--
+1.7.10.4
+
diff --git a/CVE-2019-13057-4.patch b/CVE-2019-13057-4.patch
new file mode 100644
index 0000000000000000000000000000000000000000..99086c6044fa25e975c4d88519697d1690442802
--- /dev/null
+++ b/CVE-2019-13057-4.patch
@@ -0,0 +1,25 @@
+From 0832ec02f0679cf0862dca2cca5280be1e4fdb37 Mon Sep 17 00:00:00 2001
+From: =?utf8?q?Ond=C5=99ej=20Kuzn=C3=ADk?=
+Date: Thu, 27 Jun 2019 00:45:29 +0200
+Subject: [PATCH] ITS#9038 Another test028 typo
+
+---
+ tests/scripts/test028-idassert | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tests/scripts/test028-idassert b/tests/scripts/test028-idassert
+index 564a615..dacd68d 100755
+--- a/tests/scripts/test028-idassert
++++ b/tests/scripts/test028-idassert
+@@ -252,7 +252,7 @@ if test $USE_SASL != "no" ; then
+ if test $RC != 50 ; then
+ echo "ldapwhoami should have failed ($RC)!"
+ test $KILLSERVERS != no && kill -HUP $KILLPIDS
+- exit $RC
++ exit 1
+ fi
+
+ echo "Filtering ldapsearch results..."
+--
+1.7.10.4
+
diff --git a/CVE-2019-13565.patch b/CVE-2019-13565.patch
new file mode 100644
index 0000000000000000000000000000000000000000..57c37b0ae7d69835ec132bbf986c6fa0b53feeba
--- /dev/null
+++ b/CVE-2019-13565.patch
@@ -0,0 +1,24 @@
+From 744a46a1acb93798f4e027290191d6a11dd4c18c Mon Sep 17 00:00:00 2001
+From: Howard Chu
+Date: Wed, 10 Jul 2019 21:29:39 +0100
+Subject: [PATCH] ITS#9052 zero out sasl_ssf in connection_init
+
+---
+ servers/slapd/connection.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/servers/slapd/connection.c b/servers/slapd/connection.c
+index b85bcb4..704067c 100644
+--- a/servers/slapd/connection.c
++++ b/servers/slapd/connection.c
+@@ -554,7 +554,7 @@ Connection * connection_init(
+ c->c_close_reason = "?"; /* should never be needed */
+
+ c->c_ssf = c->c_transport_ssf = ssf;
+- c->c_tls_ssf = 0;
++ c->c_tls_ssf = c->c_sasl_ssf = 0;
+
+ #ifdef HAVE_TLS
+ if ( flags & CONN_IS_TLS ) {
+--
+1.7.10.4
diff --git a/Fix-calls-to-SLAP_DEVPOLL_SOCK_LX-for-multi-listener.patch b/Fix-calls-to-SLAP_DEVPOLL_SOCK_LX-for-multi-listener.patch
new file mode 100644
index 0000000000000000000000000000000000000000..4567f321b9823323ecad0dba5e1c103abd46ba2a
--- /dev/null
+++ b/Fix-calls-to-SLAP_DEVPOLL_SOCK_LX-for-multi-listener.patch
@@ -0,0 +1,15 @@
+diff --git a/servers/slapd/daemon.c b/servers/slapd/daemon.c
+index a3e8713..329ed6d 100644
+--- a/servers/slapd/daemon.c
++++ b/servers/slapd/daemon.c
+@@ -438,8 +438,8 @@ static slap_daemon_st slap_daemon[SLAPD_MAX_DAEMON_THREADS];
+
+ # define SLAP_EVENT_IS_READ(i) SLAP_DEVPOLL_EVENT_CHK((i), POLLIN)
+ # define SLAP_EVENT_IS_WRITE(i) SLAP_DEVPOLL_EVENT_CHK((i), POLLOUT)
+-# define SLAP_EVENT_IS_LISTENER(t,i) SLAP_DEVPOLL_EV_LISTENER(SLAP_DEVPOLL_SOCK_LX(SLAP_EVENT_FD(t,(i))))
+-# define SLAP_EVENT_LISTENER(t,i) SLAP_DEVPOLL_SOCK_LX(SLAP_EVENT_FD(t,(i)))
++# define SLAP_EVENT_IS_LISTENER(t,i) SLAP_DEVPOLL_EV_LISTENER(SLAP_DEVPOLL_SOCK_LX(t, SLAP_EVENT_FD(t,(i))))
++# define SLAP_EVENT_LISTENER(t,i) SLAP_DEVPOLL_SOCK_LX(t, SLAP_EVENT_FD(t,(i)))
+
+ # define SLAP_SOCK_INIT(t) do { \
+ slap_daemon[t].sd_pollfd = ch_calloc( 1, \
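Review bot: The new `c->c_tls_ssf = c->c_sasl_ssf = 0;` in `connection_init` is the whole fix, but nothing in the hunk records why the SASL SSF needed explicit clearing here while the transport and TLS values already were, so a later tidy-up could drop it again. A comment on that line would anchor it, e.g. `/* c_sasl_ssf must be reset here as well, otherwise a reused Connection slot keeps the previous session's SASL SSF (ITS#9052) */`. That a slot is reused is my reading of the ITS title rather than something the hunk shows, so confirm against the connection teardown path before wording it. `connection_init` continues outside the hunk.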
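Review bot: This patch file has no From/Date/Subject header or description, unlike the other patches on this page, so the reason `SLAP_DEVPOLL_SOCK_LX` gained the `t` argument is recorded only in the file name; the same applies to Fixup-for-binary-config-attrs.patch and ITS-8864-Fix-ber_realloc-after-a-partial-ber_flush.patch. Add a short description above the first `diff --git` line, e.g. `SLAP_DEVPOLL_SOCK_LX now takes the daemon-thread index; pass it from the two /dev/poll event macros.` The macro definition being matched is outside the hunk, so its arity cannot be verified from here.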
diff --git a/Fix-index-delete.patch b/Fix-index-delete.patch
new file mode 100644
index 0000000000000000000000000000000000000000..8f38fba95546d0015b382ecee93c5da45221c0fa
--- /dev/null
+++ b/Fix-index-delete.patch
@@ -0,0 +1,48 @@
+From 86bd2da6ac69acc2df956260d081d03421116828 Mon Sep 17 00:00:00 2001
+From: Howard Chu
+Date: Fri, 31 Aug 2018 14:28:22 +0100
+Subject: [PATCH 034/109] Fix index delete
+
+Deleting all indices should also reset default mask
+---
+ servers/slapd/back-bdb/config.c | 3 ++-
+ servers/slapd/back-mdb/config.c | 3 ++-
+ 2 files changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/servers/slapd/back-bdb/config.c b/servers/slapd/back-bdb/config.c
+index a1cd0d605..24c4753ba 100644
+--- a/servers/slapd/back-bdb/config.c
++++ b/servers/slapd/back-bdb/config.c
+@@ -602,10 +602,11 @@ bdb_cf_gen( ConfigArgs *c )
+ if ( c->valx == -1 ) {
+ int i;
+
+- /* delete all (FIXME) */
++ /* delete all */
+ for ( i = 0; i < bdb->bi_nattrs; i++ ) {
+ bdb->bi_attrs[i]->ai_indexmask |= BDB_INDEX_DELETING;
+ }
++ bdb->bi_defaultmask = 0;
+ bdb->bi_flags |= BDB_DEL_INDEX;
+ c->cleanup = bdb_cf_cleanup;
+
+diff --git a/servers/slapd/back-mdb/config.c b/servers/slapd/back-mdb/config.c
+index d4c6f96aa..ded7a087c 100644
+--- a/servers/slapd/back-mdb/config.c
++++ b/servers/slapd/back-mdb/config.c
+@@ -423,10 +423,11 @@ mdb_cf_gen( ConfigArgs *c )
+ if ( c->valx == -1 ) {
+ int i;
+
+- /* delete all (FIXME) */
++ /* delete all */
+ for ( i = 0; i < mdb->mi_nattrs; i++ ) {
+ mdb->mi_attrs[i]->ai_indexmask |= MDB_INDEX_DELETING;
+ }
++ mdb->mi_defaultmask = 0;
+ mdb->mi_flags |= MDB_DEL_INDEX;
+ c->cleanup = mdb_cf_cleanup;
+
+--
+2.19.1
+
diff --git a/Fix-quoting-example.patch b/Fix-quoting-example.patch
new file mode 100644
index 0000000000000000000000000000000000000000..875f937dd87047bc7a5f1cb68ea0d6a49642479c
--- /dev/null
+++ b/Fix-quoting-example.patch
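Review bot: In both `bdb_cf_gen` and `mdb_cf_gen` the per-attribute indices are only flagged (`ai_indexmask |= ..._INDEX_DELETING`) and actually removed later by the `..._cf_cleanup` callback, while the new `bdb->bi_defaultmask = 0;` / `mdb->mi_defaultmask = 0;` takes effect immediately. If the config operation is rejected after this point and the cleanup never runs, the default mask is already clobbered while the attribute masks are still intact; the cleanup and error paths are outside the hunks, so whether that can happen cannot be judged here. Either reset the default mask from the cleanup alongside the attribute deletion, or add a comment stating why the immediate reset is safe (e.g. `/* safe to reset now: no DB work depends on the default mask until cleanup */`, if that is the reason). Both functions continue outside the hunks.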
@@ -0,0 +1,25 @@
+From 4626a7d0edf687c63452dc671a2fbb7f44aa64b8 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ond=C5=99ej=20Kuzn=C3=ADk?=
+Date: Thu, 14 Jun 2018 16:08:36 +0100
+Subject: [PATCH 018/109] Fix quoting example
+
+---
+ doc/man/man5/ldap.conf.5 | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/doc/man/man5/ldap.conf.5 b/doc/man/man5/ldap.conf.5
+index 0c8ec8a0e..8c67bc0ae 100644
+--- a/doc/man/man5/ldap.conf.5
++++ b/doc/man/man5/ldap.conf.5
+@@ -85,7 +85,7 @@ For example,
+ # Right - DN syntax needs quoting for Example, Inc:
+ BASE ou=IT staff,o="Example, Inc",c=US
+ # or:
+- BASE ou=IT staff,o=Example2C Inc,c=US
++ BASE ou=IT staff,o=Example\\2C Inc,c=US
+
+ # Wrong - comment on same line as option:
+ DEREF never # Never follow aliases
+--
+2.19.1
+
diff --git a/Fixup-for-binary-config-attrs.patch b/Fixup-for-binary-config-attrs.patch
new file mode 100644
index 0000000000000000000000000000000000000000..c2a320b01a3d64ec8a2f4630d71b53e43cded8c5
--- /dev/null
+++ b/Fixup-for-binary-config-attrs.patch
@@ -0,0 +1,13 @@
+diff --git a/servers/slapd/bconfig.c b/servers/slapd/bconfig.c
+index 250f141..5aabcef 100644
+--- a/servers/slapd/bconfig.c
++++ b/servers/slapd/bconfig.c
+@@ -4313,6 +4313,8 @@ config_find_table( ConfigOCs **colst, int nocs, AttributeDescription *ad,
+ ConfigArgs *ca )
+ {
+ int i, j;
++ if (ad->ad_flags & SLAP_DESC_BINARY)
++ ad = ad->ad_type->sat_ad;
+
+ for (j=0; jco_table[i].name; i++)
diff --git a/ITS-8472-only-do-index-cleanup-if-DB-is-running.patch b/ITS-8472-only-do-index-cleanup-if-DB-is-running.patch
new file mode 100644
index 0000000000000000000000000000000000000000..f8a34848b2165ffcd449ff8e314ba61190e29101
--- /dev/null
+++ b/ITS-8472-only-do-index-cleanup-if-DB-is-running.patch
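Review bot: The trailing context line of the bconfig.c hunk reads `for (j=0; jco_table[i].name; i++)`, which is not valid C and looks like two lines whose `<nocs; j++) ... colst[j]->` span was stripped as an HTML tag (the hunk header also promises 13 lines but only 12 are present); if the stored patch file matches what is shown here, `patch`/`git am` will reject it, so verify the file against the upstream commit. Independently, the added `if (ad->ad_flags & SLAP_DESC_BINARY) ad = ad->ad_type->sat_ad;` silently rebinds the `ad` parameter with no explanation — a comment such as `/* ;binary is only a transfer option: look the config table up by the base attribute description */` would help, and the patch carries no commit header at all. `config_find_table` continues outside the hunk.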
@@ -0,0 +1,34 @@
+From 55daae4afc3cd2ee6dcbd97a73260113935d2676 Mon Sep 17 00:00:00 2001
+From: Howard Chu
+Date: Fri, 25 Jan 2019 18:11:58 +0000
+Subject: [PATCH 096/109] ITS#8472 only do index cleanup if DB is running
+
+---
+ servers/slapd/back-mdb/config.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/servers/slapd/back-mdb/config.c b/servers/slapd/back-mdb/config.c
+index df9db5edd..c404e58e7 100644
+--- a/servers/slapd/back-mdb/config.c
++++ b/servers/slapd/back-mdb/config.c
+@@ -260,6 +260,7 @@ mdb_cf_cleanup( ConfigArgs *c )
+ }
+
+ if ( mdb->mi_flags & MDB_OPEN_INDEX ) {
++ mdb->mi_flags ^= MDB_OPEN_INDEX;
+ rc = mdb_attr_dbs_open( c->be, NULL, &c->reply );
+ if ( rc )
+ rc = LDAP_OTHER;
+@@ -631,8 +632,8 @@ mdb_cf_gen( ConfigArgs *c )
+ c->argc - 1, &c->argv[1], &c->reply);
+
+ if( rc != LDAP_SUCCESS ) return 1;
+- mdb->mi_flags |= MDB_OPEN_INDEX;
+ if ( mdb->mi_flags & MDB_IS_OPEN ) {
++ mdb->mi_flags |= MDB_OPEN_INDEX;
+ c->cleanup = mdb_cf_cleanup;
+ if ( !mdb->mi_index_task ) {
+ /* Start the task as soon as we finish here. Set a long
+--
+2.19.1
+
diff --git a/ITS-8663-Fix-memberof-SLAP_CONFIG_EMIT.patch b/ITS-8663-Fix-memberof-SLAP_CONFIG_EMIT.patch
new file mode 100644
index 0000000000000000000000000000000000000000..57ffc1d94acf3b93bda3ffe22282c1cbba826f6e
--- /dev/null
+++ b/ITS-8663-Fix-memberof-SLAP_CONFIG_EMIT.patch
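Review bot: `mdb->mi_flags ^= MDB_OPEN_INDEX;` in `mdb_cf_cleanup` relies on the enclosing `if ( mdb->mi_flags & MDB_OPEN_INDEX )` to guarantee the bit is set; XOR toggles rather than clears, so if the line is ever moved outside that test it would set the flag instead. `mdb->mi_flags &= ~MDB_OPEN_INDEX;` expresses the intent and is safe regardless of placement. The second hunk's move of `|= MDB_OPEN_INDEX` under `MDB_IS_OPEN` is fine, but a one-line comment there (`/* index DBs can only be (re)opened by the cleanup once the env is open */`) would record why the flag must stay clear for a closed DB. Both functions extend beyond the hunks.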
@@ -0,0 +1,34 @@
+From 7553afa6fd524181bd5d7c5fa8808bbd0fc09864 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ond=C5=99ej=20Kuzn=C3=ADk?=
+Date: Mon, 14 Jan 2019 11:44:35 +0000
+Subject: [PATCH 086/109] ITS#8663 Fix memberof SLAP_CONFIG_EMIT
+
+---
+ servers/slapd/overlays/memberof.c | 8 ++------
+ 1 file changed, 2 insertions(+), 6 deletions(-)
+
+diff --git a/servers/slapd/overlays/memberof.c b/servers/slapd/overlays/memberof.c
+index 54c24682a..7e0c8f22b 100644
+--- a/servers/slapd/overlays/memberof.c
++++ b/servers/slapd/overlays/memberof.c
+@@ -1895,15 +1895,11 @@ mo_cf_gen( ConfigArgs *c )
+ break;
+
+ case MO_MEMBER_AD:
+- if ( mo->mo_ad_member != NULL ){
+- value_add_one( &c->rvalue_vals, &mo->mo_ad_member->ad_cname );
+- }
++ c->value_ad = mo->mo_ad_member;
+ break;
+
+ case MO_MEMBER_OF_AD:
+- if ( mo->mo_ad_memberof != NULL ){
+- value_add_one( &c->rvalue_vals, &mo->mo_ad_memberof->ad_cname );
+- }
++ c->value_ad = mo->mo_ad_memberof;
+ break;
+
+ default:
+--
+2.19.1
+
diff --git a/ITS-8667-Do-not-finish-glue-initialisation-in-tool-m.patch b/ITS-8667-Do-not-finish-glue-initialisation-in-tool-m.patch
new file mode 100644
index 0000000000000000000000000000000000000000..26d3d02c738a2266e8330ba55a4d3d437d4851cc
--- /dev/null
+++ b/ITS-8667-Do-not-finish-glue-initialisation-in-tool-m.patch
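Review bot: The rewritten `MO_MEMBER_AD` / `MO_MEMBER_OF_AD` cases drop the `!= NULL` guards and assign `c->value_ad` unconditionally, so an unset `mo_ad_member` now hands a NULL to the generic emit code instead of producing no value; that is presumably what the emit path expects for an unset attribute-description option, but its consumer is outside this hunk, so confirm it tolerates NULL. A short comment above the first case, `/* emit: hand the AttributeDescription back and let the caller render it */`, would make the intent explicit. `mo_cf_gen` continues outside the hunk.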
@@ -0,0 +1,26 @@
+From 8c09d9a132d148ebad1e7f303ae99d357815ffff Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ond=C5=99ej=20Kuzn=C3=ADk?=
+Date: Wed, 27 Jun 2018 10:32:04 +0100
+Subject: [PATCH 021/109] ITS#8667 Do not finish glue initialisation in tool
+ mode unless requested
+
+---
+ servers/slapd/backglue.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/servers/slapd/backglue.c b/servers/slapd/backglue.c
+index 53c92448f..c2cfed45c 100644
+--- a/servers/slapd/backglue.c
++++ b/servers/slapd/backglue.c
+@@ -1312,7 +1312,7 @@ glue_db_init(
+
+ SLAP_DBFLAGS( be ) |= SLAP_DBFLAG_GLUE_INSTANCE;
+
+- if ( ga_list ) {
++ if ( ga_list && ( slapMode & SLAP_SERVER_MODE ) ) {
+ be->bd_info = (BackendInfo *)oi;
+ glue_sub_attach( 1 );
+ }
+--
+2.19.1
+
diff --git a/ITS-8727-plug-ber-leaks.patch b/ITS-8727-plug-ber-leaks.patch
new file mode 100644
index 0000000000000000000000000000000000000000..70cff8ea5331a96ed6b094840e73741cb331b973
--- /dev/null
+++ b/ITS-8727-plug-ber-leaks.patch
@@ -0,0 +1,32 @@
+From 11320a9156e1306c251b27443439dc2e1db0107b Mon Sep 17 00:00:00 2001
+From: Howard Chu
+Date: Tue, 17 Jan 2017 11:35:54 +0000
+Subject: [PATCH 076/109] ITS#8727 plug ber leaks
+
+---
+ libraries/libldap/request.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/libraries/libldap/request.c b/libraries/libldap/request.c
+index 31145432f..7d2d7a458 100644
+--- a/libraries/libldap/request.c
++++ b/libraries/libldap/request.c
+@@ -315,6 +315,7 @@ ldap_send_server_request(
+ LDAP_MUTEX_UNLOCK( &ld->ld_options.ldo_mutex );
+ if ( rc == -1 ) {
+ ld->ld_errno = LDAP_ENCODING_ERROR;
++ ber_free( ber, 1 );
+ LDAP_CONN_UNLOCK_IF(m_noconn);
+ return rc;
+ }
+@@ -334,6 +335,7 @@ ldap_send_server_request(
+ rc = -1;
+ }
+ if ( rc ) {
++ ber_free( ber, 1 );
+ LDAP_CONN_UNLOCK_IF(m_noconn);
+ return rc;
+ }
+--
+2.19.1
+
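Review bot: The two new `ber_free( ber, 1 );` calls in `ldap_send_server_request` make the failure contract "on a nonzero return the ber has been consumed", but the function's other exits and its callers are outside the hunks, so it is not visible here whether any caller still frees `ber` on failure (now a double free) or whether another error exit still leaks it. Please state the contract in the function's header comment, e.g. `/* on failure the ber has been freed; the caller must not touch it */`, and check the remaining return paths against it. Note that in the second hunk `ber_free` runs for any nonzero `rc`, not only the `rc = -1` assignment visible just above it.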
diff --git a/ITS-8752-maybe-related.patch b/ITS-8752-maybe-related.patch
new file mode 100644
index 0000000000000000000000000000000000000000..c9fa50e77a360076eefdbf34423e1bfade8dd015
--- /dev/null
+++ b/ITS-8752-maybe-related.patch
@@ -0,0 +1,68 @@
+From 09aea7d84492dbfe61adf197214f206d99b43469 Mon Sep 17 00:00:00 2001
+From: Howard Chu
+Date: Wed, 5 Dec 2018 10:41:47 +0000
+Subject: [PATCH 062/109] ITS#8752 (maybe related)
+
+Avoid incremental access to user-supplied bv in dupbv
+---
+ libraries/liblber/memory.c | 27 ++++++++++++++++-----------
+ 1 file changed, 16 insertions(+), 11 deletions(-)
+
+diff --git a/libraries/liblber/memory.c b/libraries/liblber/memory.c
+index a99f5044c..aa1d1e123 100644
+--- a/libraries/liblber/memory.c
++++ b/libraries/liblber/memory.c
+@@ -482,7 +482,7 @@ struct berval *
+ ber_dupbv_x(
+ struct berval *dst, struct berval *src, void *ctx )
+ {
+- struct berval *new;
++ struct berval *new, tmp;
+
+ if( src == NULL ) {
+ ber_errno = LBER_ERROR_PARAM;
+@@ -490,7 +490,7 @@ ber_dupbv_x(
+ }
+
+ if ( dst ) {
+- new = dst;
++ new = &tmp;
+ } else {
+ if(( new = ber_memalloc_x( sizeof(struct berval), ctx )) == NULL ) {
+ return NULL;
+@@ -500,18 +500,23 @@ ber_dupbv_x(
+ if ( src->bv_val == NULL ) {
+ new->bv_val = NULL;
+ new->bv_len = 0;
+- return new;
+- }
++ } else {
+
+- if(( new->bv_val = ber_memalloc_x( src->bv_len + 1, ctx )) == NULL ) {
+- if ( !dst )
+- ber_memfree_x( new, ctx );
+- return NULL;
++ if(( new->bv_val = ber_memalloc_x( src->bv_len + 1, ctx )) == NULL ) {
++ if ( !dst )
++ ber_memfree_x( new, ctx );
++ return NULL;
++ }
++
++ AC_MEMCPY( new->bv_val, src->bv_val, src->bv_len );
++ new->bv_val[src->bv_len] = '\0';
++ new->bv_len = src->bv_len;
+ }
+
+- AC_MEMCPY( new->bv_val, src->bv_val, src->bv_len );
+- new->bv_val[src->bv_len] = '\0';
+- new->bv_len = src->bv_len;
++ if ( dst ) {
++ *dst = *new;
++ new = dst;
++ }
+
+ return new;
+ }
+--
+2.19.1
+
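Review bot: The local `tmp` is what makes the rewrite safe — all writes now go to `tmp` and `*dst` is assigned in one step at the end — but the subject says only "(maybe related)" and the one-line description "Avoid incremental access to user-supplied bv" does not name the case being guarded, which I take to be `dst` aliasing or overlapping `src`. A comment at `new = &tmp;` such as `/* build in a local so src is never seen half-updated when dst aliases it */` would record that. Also `src->bv_len` is still read three times in the copy branch, so if the concern is a source that changes underneath the copy, hoist it once (`ber_len_t len = src->bv_len;`) and use `len` throughout. Parts of `ber_dupbv_x` fall between the three hunks.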
diff --git a/ITS-8756-remove-loose-pg-from-dirty-list-in-freelist.patch b/ITS-8756-remove-loose-pg-from-dirty-list-in-freelist.patch
new file mode 100644
index 0000000000000000000000000000000000000000..0568235f27a663626caec310cad5354c80dc8bfd
--- /dev/null
+++ b/ITS-8756-remove-loose-pg-from-dirty-list-in-freelist.patch
@@ -0,0 +1,60 @@
+From 1f33a6d9109792c0a2c88793092264080fe856b0 Mon Sep 17 00:00:00 2001
+From: Howard Chu
+Date: Fri, 22 Jun 2018 16:30:13 +0100
+Subject: [PATCH 038/109] ITS#8756 remove loose pg from dirty list in
+ freelist_save
+
+---
+ libraries/liblmdb/mdb.c | 33 ++++++++++++++++++++++++++++++++-
+ 1 file changed, 32 insertions(+), 1 deletion(-)
+
+diff --git a/libraries/liblmdb/mdb.c b/libraries/liblmdb/mdb.c
+index 0662f2d8b..e12af4482 100644
+--- a/libraries/liblmdb/mdb.c
++++ b/libraries/liblmdb/mdb.c
+@@ -3094,10 +3094,41 @@ mdb_freelist_save(MDB_txn *txn)
+ * we may be unable to return them to me_pghead.
+ */
+ MDB_page *mp = txn->mt_loose_pgs;
++ MDB_ID2 *dl = txn->mt_u.dirty_list;
++ unsigned x;
+ if ((rc = mdb_midl_need(&txn->mt_free_pgs, txn->mt_loose_count)) != 0)
+ return rc;
+- for (; mp; mp = NEXT_LOOSE_PAGE(mp))
++ for (; mp; mp = NEXT_LOOSE_PAGE(mp)) {
+ mdb_midl_xappend(txn->mt_free_pgs, mp->mp_pgno);
++ /* must also remove from dirty list */
++ if (txn->mt_flags & MDB_TXN_WRITEMAP) {
++ for (x=1; x<=dl[0].mid; x++)
++ if (dl[x].mid == mp->mp_pgno)
++ break;
++ mdb_tassert(txn, x <= dl[0].mid);
++ } else {
++ x = mdb_mid2l_search(dl, mp->mp_pgno);
++ mdb_tassert(txn, dl[x].mid == mp->mp_pgno);
++ }
++ dl[x].mptr = NULL;
++ mdb_dpage_free(env, mp);
++ }
++ {
++ /* squash freed slots out of the dirty list */
++ unsigned y;
++ for (y=1; dl[y].mptr && y <= dl[0].mid; y++);
++ if (y <= dl[0].mid) {
++ for(x=y, y++;;) {
++ while (!dl[y].mptr && y <= dl[0].mid) y++;
++ if (y > dl[0].mid) break;
++ dl[x++] = dl[y++];
++ }
++ dl[0].mid = x-1;
++ } else {
++ /* all slots freed */
++ dl[0].mid = 0;
++ }
++ }
+ txn->mt_loose_pgs = NULL;
+ txn->mt_loose_count = 0;
+ }
+--
+2.19.1
+
diff --git a/ITS-8840-Fix-domainScope-control-to-ensure-the-contr.patch b/ITS-8840-Fix-domainScope-control-to-ensure-the-contr.patch
new file mode 100644
index 0000000000000000000000000000000000000000..e507234e7ae5b7fd9c386196051c36a8ab869832
--- /dev/null
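Review bot: In the squash block both scans test the slot before the bound — `for (y=1; dl[y].mptr && y <= dl[0].mid; y++);` and `while (!dl[y].mptr && y <= dl[0].mid) y++;` — so when every remaining slot is in use they read `dl[dl[0].mid + 1]` before discovering `y` is past the end. That is probably inside the list's allocation (I assume the dirty list is sized to a fixed maximum, which is outside the hunk), but it is a read of a slot the list does not own, and reordering the conditions costs nothing: `for (y=1; y <= dl[0].mid && dl[y].mptr; y++);` and `while (y <= dl[0].mid && !dl[y].mptr) y++;`. Separately, the `MDB_TXN_WRITEMAP` branch locates each loose page by a linear scan inside the loop over loose pages, which is quadratic in the dirty-list length — fine if loose pages are rare, worth a comment if they are not. `mdb_freelist_save` continues outside the hunk.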
+++ b/ITS-8840-Fix-domainScope-control-to-ensure-the-contr.patch
@@ -0,0 +1,29 @@
+From 59681e0eb305262aeb93675c66f21727bfc7ab98 Mon Sep 17 00:00:00 2001
+From: Quanah Gibson-Mount
+Date: Mon, 30 Apr 2018 17:27:36 +0000
+Subject: [PATCH 009/109] ITS#8840 Fix domainScope control to ensure the
+ control value is absent as per Microsoft specification
+ (https://msdn.microsoft.com/en-us/library/aa366979%28v=vs.85%29.aspx).
+
+---
+ servers/slapd/controls.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/servers/slapd/controls.c b/servers/slapd/controls.c
+index b8edd39bc..16b580633 100644
+--- a/servers/slapd/controls.c
++++ b/servers/slapd/controls.c
+@@ -1660,8 +1660,8 @@ static int parseDomainScope (
+ return LDAP_PROTOCOL_ERROR;
+ }
+
+- if ( BER_BVISNULL( &ctrl->ldctl_value )) {
+- rs->sr_text = "domainScope control value not empty";
++ if ( !BER_BVISNULL( &ctrl->ldctl_value )) {
++ rs->sr_text = "domainScope control value not absent";
+ return LDAP_PROTOCOL_ERROR;
+ }
+
+--
+2.19.1
+
diff --git a/ITS-8842-Do-some-printability-checks-on-the-dc-RDN.patch b/ITS-8842-Do-some-printability-checks-on-the-dc-RDN.patch
new file mode 100644
index 0000000000000000000000000000000000000000..f6847797a0fab68b44bce51f5e55f28823d15564
--- /dev/null
+++ b/ITS-8842-Do-some-printability-checks-on-the-dc-RDN.patch
@@ -0,0 +1,36 @@
+From 849f937d0aaf5911d438c49ccde2b036b62362d5 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ond=C5=99ej=20Kuzn=C3=ADk?=
+Date: Thu, 21 Jun 2018 16:01:43 +0100
+Subject: [PATCH 025/109] ITS#8842 Do some printability checks on the dc RDN
+
+---
+ libraries/libldap/getdn.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/libraries/libldap/getdn.c b/libraries/libldap/getdn.c
+index 16ecd3055..69ff62ac8 100644
+--- a/libraries/libldap/getdn.c
++++ b/libraries/libldap/getdn.c
+@@ -27,6 +27,7 @@
+
+ #include "ldap-int.h"
+ #include "ldap_schema.h"
++#include "ldif.h"
+
+ /* extension to UFN that turns trailing "dc=value" rdns in DNS style,
+ * e.g. "ou=People,dc=openldap,dc=org" => "People, openldap.org" */
+@@ -2478,6 +2479,11 @@ dn2domain( LDAPDN dn, struct berval *bv, int pos, int *iRDN )
+ break;
+ }
+
++ if ( ldif_is_not_printable( ava->la_value.bv_val, ava->la_value.bv_len ) ) {
++ domain = 0;
++ break;
++ }
++
+ domain = 1;
+
+ if ( first ) {
+--
+2.19.1
+
diff --git a/ITS-8843-check-for-NULL-modlist.patch b/ITS-8843-check-for-NULL-modlist.patch
new file mode 100644
index 0000000000000000000000000000000000000000..657d5255283a97bcbf51832b976c68aa63fc24a0
--- /dev/null
+++ b/ITS-8843-check-for-NULL-modlist.patch
@@ -0,0 +1,24 @@
+From cc24cf620470e600d31fd68f63decae82b9745f3 Mon Sep 17 00:00:00 2001
+From: Howard Chu
+Date: Wed, 2 May 2018 16:51:49 +0100
+Subject: [PATCH 011/109] ITS#8843 check for NULL modlist
+
+---
+ servers/slapd/overlays/syncprov.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/servers/slapd/overlays/syncprov.c b/servers/slapd/overlays/syncprov.c
+index 684421fb9..9051ec9c9 100644
+--- a/servers/slapd/overlays/syncprov.c
++++ b/servers/slapd/overlays/syncprov.c
+@@ -1924,6 +1924,7 @@ syncprov_op_response( Operation *op, SlapReply *rs )
+ /* Don't do any processing for consumer contextCSN updates */
+ if ( SLAPD_SYNC_IS_SYNCCONN( op->o_connid ) &&
+ op->o_tag == LDAP_REQ_MODIFY &&
++ op->orm_modlist &&
+ op->orm_modlist->sml_op == LDAP_MOD_REPLACE &&
+ op->orm_modlist->sml_desc == slap_schema.si_ad_contextCSN ) {
+ /* Catch contextCSN updates from syncrepl. We have to look at
+--
+2.19.1
+
diff --git a/ITS-8864-Fix-ber_realloc-after-a-partial-ber_flush.patch b/ITS-8864-Fix-ber_realloc-after-a-partial-ber_flush.patch
new file mode 100644
index 0000000000000000000000000000000000000000..52f081b3c4b31ee07a1b0bdc05babd3923b4d4bc
--- /dev/null
+++ b/ITS-8864-Fix-ber_realloc-after-a-partial-ber_flush.patch
@@ -0,0 +1,30 @@
+diff --git a/libraries/liblber/io.c b/libraries/liblber/io.c
+index e44a46c..8477794 100644
+--- a/libraries/liblber/io.c
++++ b/libraries/liblber/io.c
+@@ -128,7 +128,7 @@ ber_write(
+ int
+ ber_realloc( BerElement *ber, ber_len_t len )
+ {
+- ber_len_t total, offset, sos_offset;
++ ber_len_t total, offset, sos_offset, rw_offset;
+ char *buf;
+
+ assert( ber != NULL );
+@@ -165,6 +165,7 @@ ber_realloc( BerElement *ber, ber_len_t len )
+ offset = ber->ber_ptr - buf;
+ sos_offset = ber->ber_sos_ptr ? ber->ber_sos_ptr - buf : 0;
+ /* if ber_sos_ptr != NULL, it is > ber_buf so that sos_offset > 0 */
++ rw_offset = ber->ber_rwptr ? ber->ber_rwptr - buf : 0;
+
+ buf = (char *) ber_memrealloc_x( buf, total, ber->ber_memctx );
+ if ( buf == NULL ) {
+@@ -176,6 +177,8 @@ ber_realloc( BerElement *ber, ber_len_t len )
+ ber->ber_ptr = buf + offset;
+ if ( sos_offset )
+ ber->ber_sos_ptr = buf + sos_offset;
++ if ( ber->ber_rwptr )
++ ber->ber_rwptr = buf + rw_offset;
+
+ return( 0 );
+ }
diff --git a/ITS-8878-Include-the-first-character-in-the-transfor.patch b/ITS-8878-Include-the-first-character-in-the-transfor.patch
new file mode 100644
index 0000000000000000000000000000000000000000..51239a8ede41147fb804eb6305d174770d7e251f
--- /dev/null
+++ b/ITS-8878-Include-the-first-character-in-the-transfor.patch
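Review bot: `rw_offset` is restored under `if ( ber->ber_rwptr )` while `sos_offset` is restored under `if ( sos_offset )`, and the existing comment only explains why the latter works (`ber_sos_ptr` is strictly above `ber_buf`, so a zero offset means unset); for `ber_rwptr` a zero offset can apparently be a real position, which is why the pointer is tested instead, but without a note the asymmetry reads like an oversight. Add `/* ber_rwptr may point at ber_buf itself, so test the pointer rather than the offset */` next to the new assignment. That `ber_rwptr` can equal the buffer start is my inference from the choice of guard, not something the hunk shows. `ber_realloc` extends beyond the hunks.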
@@ -0,0 +1,35 @@
+From 110409ea828b6806c2003702b300652f2290d3d4 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ond=C5=99ej=20Kuzn=C3=ADk?=
+Date: Thu, 8 Nov 2018 11:09:38 +0000
+Subject: [PATCH 054/109] ITS#8878 Include the first character in the
+ transformation
+
+---
+ contrib/slapd-modules/passwd/pbkdf2/pw-pbkdf2.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/contrib/slapd-modules/passwd/pbkdf2/pw-pbkdf2.c b/contrib/slapd-modules/passwd/pbkdf2/pw-pbkdf2.c
+index 262534b7d..5f4a0271f 100644
+--- a/contrib/slapd-modules/passwd/pbkdf2/pw-pbkdf2.c
++++ b/contrib/slapd-modules/passwd/pbkdf2/pw-pbkdf2.c
+@@ -59,15 +59,14 @@ const struct berval pbkdf2_sha512_scheme = BER_BVC("{PBKDF2-SHA512}");
+ static int b64_to_ab64(char *str)
+ {
+ char *p = str;
+- while(*p++){
++ do {
+ if(*p == '+'){
+ *p = '.';
+ }
+ if(*p == '='){
+ *p = '\0';
+- break;
+ }
+- }
++ } while(*p++);
+ return 0;
+ }
+
+--
+2.19.1
+
diff --git a/ITS-8909-additional-tweak.patch b/ITS-8909-additional-tweak.patch
new file mode 100644
index 0000000000000000000000000000000000000000..506a3684963f4ef6d6506b228b8de2cf8d7f381f
--- /dev/null
+++ b/ITS-8909-additional-tweak.patch
@@ -0,0 +1,26 @@
+From 324fdd0c41fca50bd0bfacead6b5b7583ac233dc Mon Sep 17 00:00:00 2001
+From: Howard Chu
+Date: Wed, 29 Aug 2018 02:02:13 +0100
+Subject: [PATCH 033/109] ITS#8909 additional tweak
+
+Set error code on failure
+---
+ servers/slapd/saslauthz.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/servers/slapd/saslauthz.c b/servers/slapd/saslauthz.c
+index e4a74ea7f..d80370ff9 100644
+--- a/servers/slapd/saslauthz.c
++++ b/servers/slapd/saslauthz.c
+@@ -2075,6 +2075,8 @@ int slap_sasl_authorized( Operation *op,
+ rc = slap_sasl_check_authz( op, authcDN, authzDN,
+ slap_schema.si_ad_saslAuthzTo, authcDN );
+ if(( rc == LDAP_SUCCESS ) ^ (( authz_policy & SASL_AUTHZ_AND) != 0)) {
++ if( rc != LDAP_SUCCESS )
++ rc = LDAP_INAPPROPRIATE_AUTH;
+ goto DONE;
+ }
+ }
+--
+2.19.1
+
diff --git a/ITS-8909-fix-authz-policy-all-condition.patch b/ITS-8909-fix-authz-policy-all-condition.patch
new file mode 100644
index 0000000000000000000000000000000000000000..893ed79b1b76b6c788b1250669e202f98835453f
--- /dev/null
+++ b/ITS-8909-fix-authz-policy-all-condition.patch
@@ -0,0 +1,26 @@
+From 37df43786bbb1918e28f3fb0117e58dd9d96cd1c Mon Sep 17 00:00:00 2001
+From: Howard Chu
+Date: Wed, 29 Aug 2018 01:13:05 +0100
+Subject: [PATCH 031/109] ITS#8909 fix "authz-policy all" condition
+
+Broken since original commit 113727ba
+---
+ servers/slapd/saslauthz.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/servers/slapd/saslauthz.c b/servers/slapd/saslauthz.c
+index e1ea0a1e9..e4a74ea7f 100644
+--- a/servers/slapd/saslauthz.c
++++ b/servers/slapd/saslauthz.c
+@@ -2074,7 +2074,7 @@ int slap_sasl_authorized( Operation *op,
+ if( authz_policy & SASL_AUTHZ_TO ) {
+ rc = slap_sasl_check_authz( op, authcDN, authzDN,
+ slap_schema.si_ad_saslAuthzTo, authcDN );
+- if( rc == LDAP_SUCCESS && !(authz_policy & SASL_AUTHZ_AND) ) {
++ if(( rc == LDAP_SUCCESS ) ^ (( authz_policy & SASL_AUTHZ_AND) != 0)) {
+ goto DONE;
+ }
+ }
+--
+2.19.1
+
diff --git a/ITS-8918-fix-typo.patch b/ITS-8918-fix-typo.patch
new file mode 100644
index 0000000000000000000000000000000000000000..1da5b4ea490e831e06cac2e0f2f66dcd16da5ca3
--- /dev/null
+++ b/ITS-8918-fix-typo.patch
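Review bot: The rewritten condition `(( rc == LDAP_SUCCESS ) ^ (( authz_policy & SASL_AUTHZ_AND) != 0))` is correct but reads as a puzzle: with the AND policy it leaves the block on failure, otherwise it leaves on success. A comment stating that would stop the next reader from "fixing" it back to the `&&` form this patch removes, e.g. `/* AND policy: any failing rule is final; otherwise: any passing rule is final */`. The ITS-8909-additional-tweak patch on this page then inserts an unbraced `if( rc != LDAP_SUCCESS ) rc = LDAP_INAPPROPRIATE_AUTH;` into the same block — brace it to match the surrounding style. `slap_sasl_authorized` continues outside the hunk.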
@@ -0,0 +1,25 @@
+From 83ade79c715dd9516dd2ba0675094b86d630c7b8 Mon Sep 17 00:00:00 2001
+From: Howard Chu
+Date: Mon, 24 Sep 2018 13:47:09 +0100
+Subject: [PATCH 046/109] ITS#8918 fix typo
+
+---
+ servers/slapd/sasl.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/servers/slapd/sasl.c b/servers/slapd/sasl.c
+index 73ac2a8a8..64e64d1d9 100644
+--- a/servers/slapd/sasl.c
++++ b/servers/slapd/sasl.c
+@@ -323,7 +323,7 @@ slap_auxprop_lookup(
+
+ /* we don't know anything about this, ignore it */
+ if ( !conn ) {
+- rc == LDAP_SUCCESS;
++ rc = LDAP_SUCCESS;
+ goto done;
+ }
+
+--
+2.19.1
+
diff --git a/ITS-8923-fix-dyngroup-NO_SUCH_OBJECT-error-handling.patch b/ITS-8923-fix-dyngroup-NO_SUCH_OBJECT-error-handling.patch
new file mode 100644
index 0000000000000000000000000000000000000000..99ccef116525745d2e757a504519ba23ddb4dc63
--- /dev/null
+++ b/ITS-8923-fix-dyngroup-NO_SUCH_OBJECT-error-handling.patch
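Review bot: The corrected `rc = LDAP_SUCCESS;` replaces a comparison whose result was discarded, so the `!conn` path previously jumped to `done` with whatever `rc` held beforehand; that class of slip is exactly what `-Wunused-value` (included in `-Wall`) reports, so it is worth checking that the slapd build does not silence it. No change beyond the fix is needed. `slap_auxprop_lookup` continues outside the hunk.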
@@ -0,0 +1,70 @@
+From 84e0958b28fccb5cc36de90094aebc6902145c07 Mon Sep 17 00:00:00 2001
+From: Howard Chu
+Date: Wed, 3 Oct 2018 21:58:32 +0100
+Subject: [PATCH 049/109] ITS#8923 fix dyngroup NO_SUCH_OBJECT error handling
+
+---
+ servers/slapd/backend.c | 2 +-
+ tests/data/dynlist.out | 3 +++
+ tests/scripts/test044-dynlist | 9 +++++----
+ 3 files changed, 9 insertions(+), 5 deletions(-)
+
+diff --git a/servers/slapd/backend.c b/servers/slapd/backend.c
+index 445a2cb57..0a3dafab8 100644
+--- a/servers/slapd/backend.c
++++ b/servers/slapd/backend.c
+@@ -1520,7 +1520,7 @@ fe_acl_group(
+ op->o_private = o_priv;
+ if ( rc2 != 0 ) {
+ /* give up... */
+- rc = LDAP_OTHER;
++ rc = (rc2 == LDAP_NO_SUCH_OBJECT) ? rc2 : LDAP_OTHER;
+ goto loopit;
+ }
+ }
+diff --git a/tests/data/dynlist.out b/tests/data/dynlist.out
+index 429039b67..8caf0e22f 100644
+--- a/tests/data/dynlist.out
++++ b/tests/data/dynlist.out
+@@ -198,6 +198,9 @@ memberURL: ldap:///ou=People,dc=example,dc=com??sub?(objectClass=person)
+ # Testing list compare...
+ TRUE
+
++# Testing list compare... (should return FALSE)
++FALSE
++
+ # Testing list compare (should return FALSE)...
+ FALSE
+
+diff --git a/tests/scripts/test044-dynlist b/tests/scripts/test044-dynlist
+index e5a0c47dc..8caf50ded 100755
+--- a/tests/scripts/test044-dynlist
++++ b/tests/scripts/test044-dynlist
+@@ -477,12 +477,12 @@ $LDAPCOMPARE -h $LOCALHOST -p $PORT1 \
+ RC=$?
+ case $RC in
+ 5)
+- echo "ldapcompare returned FALSE ($RC)!"
+- test $KILLSERVERS != no && kill -HUP $KILLPIDS
+- exit $RC
++ echo "ldapcompare returned FALSE ($RC)"
+ ;;
+ 6)
+- echo "ldapcompare returned TRUE ($RC)"
++ echo "ldapcompare returned TRUE ($RC)!"
++ test $KILLSERVERS != no && kill -HUP $KILLPIDS
++ exit $RC
+ ;;
+ 0)
+ echo "ldapcompare returned success ($RC)!"
+@@ -497,6 +497,7 @@ case $RC in
+ esac
+ echo "" >> $SEARCHOUT
+
++CMPDN="$BJORNSDN"
+ echo "Testing list compare (should return FALSE)..."
+ echo "# Testing list compare (should return FALSE)..." >> $SEARCHOUT
+ $LDAPCOMPARE -h $LOCALHOST -p $PORT1 \
+--
+2.19.1
+
diff --git a/ITS-8932-check-rdnNormalize-success.patch b/ITS-8932-check-rdnNormalize-success.patch
new file mode 100644
index 0000000000000000000000000000000000000000..2ef91e5158252b5310698541b452cc4f3a3ed219
--- /dev/null
+++ b/ITS-8932-check-rdnNormalize-success.patch
@@ -0,0 +1,29 @@
+From 84a844cfd294a93b4fa2516a82d4f0e35e2c3d3d Mon Sep 17 00:00:00 2001
+From: Howard Chu
+Date: Fri, 9 Nov 2018 21:16:10 +0000
+Subject: [PATCH 066/109] ITS#8932 check rdnNormalize success
+
+---
+ servers/slapd/bconfig.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/servers/slapd/bconfig.c b/servers/slapd/bconfig.c
+index 250f14100..4c7d53935 100644
+--- a/servers/slapd/bconfig.c
++++ b/servers/slapd/bconfig.c
+@@ -4609,7 +4609,11 @@ config_renumber_one( Operation *op, SlapReply *rs, CfEntryInfo *parent,
+ /* Do the equivalent of ModRDN */
+ /* Replace DN / NDN */
+ newrdn.bv_len = ptr1 - newrdn.bv_val;
+- rdnNormalize( 0, NULL, NULL, &newrdn, &nnewrdn, NULL );
++ rc = rdnNormalize( 0, NULL, NULL, &newrdn, &nnewrdn, NULL );
++ if ( rc ) {
++ free( newrdn.bv_val );
++ return LDAP_NAMING_VIOLATION;
++ }
+ rc = config_rename_one( op, rs, e, parent, a, &newrdn, &nnewrdn, use_ldif );
+
+ free( nnewrdn.bv_val );
+--
+2.19.1
+
diff --git a/ITS-8948-Fix-BDB-lib-to-only-be-linked-with-static-b.patch b/ITS-8948-Fix-BDB-lib-to-only-be-linked-with-static-b.patch
new file mode 100644
index 0000000000000000000000000000000000000000..9dd7aee1cdaeed82958bd74149275eeb03ef4a34
--- /dev/null
+++ b/ITS-8948-Fix-BDB-lib-to-only-be-linked-with-static-b.patch
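Review bot: The new `rc = (rc2 == LDAP_NO_SUCH_OBJECT) ? rc2 : LDAP_OTHER;` in fe_acl_group singles out one error code with no comment saying why it must survive; the test changes in the same patch (a compare that now has to answer FALSE rather than fail) suggest a missing group entry is meant to read as "not a member" instead of an internal error, but a reader of backend.c has to reconstruct that from tests/scripts/test044-dynlist. A comment at the assignment such as `/* a missing group means "not a member", not a server error */` would carry the intent. The start of fe_acl_group and the `loopit` label are outside the hunk, and the test's new `CMPDN="$BJORNSDN"` relies on `$BJORNSDN` being set earlier in the script, which the hunk does not show.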
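Review bot: The new failure path in config_renumber_one discards the status `rdnNormalize` returned and answers with a fixed `LDAP_NAMING_VIOLATION` and no log line, so an operator whose renumbering fails sees only the generic result. Logging the original code before returning, e.g. `Debug( LDAP_DEBUG_ANY, "config_renumber_one: rdnNormalize failed (%d)\n", rc, 0, 0 );`, keeps the diagnostic; `rs` is in scope and this file may also have a convention for filling in the reply's text, which the hunk does not show. Whether `nnewrdn.bv_val` can hold an allocation on that failure path that would also need freeing depends on rdnNormalize, which is outside the hunk.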
@@ -0,0 +1,32 @@
+From 42d441c810d7b6a6d72625d919e944a38363d6c8 Mon Sep 17 00:00:00 2001
+From: Quanah Gibson-Mount
+Date: Mon, 31 Dec 2018 18:24:12 +0000
+Subject: [PATCH 078/109] ITS#8948 - Fix BDB lib to only be linked with static
+ backend
+
+---
+ configure.in | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/configure.in b/configure.in
+index 2a4d29f78..2bd2a4382 100644
+--- a/configure.in
++++ b/configure.in
+@@ -1899,7 +1899,13 @@ if test $ol_enable_bdb/$ol_enable_hdb != no/no; then
+ BDB_LIBS="$BDB_LIBS $ol_cv_lib_db"
+ fi
+
+- SLAPD_LIBS="$SLAPD_LIBS \$(BDB_LIBS)"
++ dnl link BDB library to slapd when there is a
++ dnl static BDB based backend in use
++ if test $ol_enable_bdb/$ol_enable_hdb != mod/mod ; then
++ if test $ol_enable_bdb = yes -o $ol_enable_hdb = yes ; then
++ SLAPD_LIBS="$SLAPD_LIBS \$(BDB_LIBS)"
++ fi
++ fi
+
+ ol_link_bdb=yes
+ fi
+--
+2.19.1
+
diff --git a/ITS-8957-Fix-ASYNC-TLS.patch b/ITS-8957-Fix-ASYNC-TLS.patch
new file mode 100644
index 0000000000000000000000000000000000000000..eebaed711afc1dcb01dd80a4c299ccc27b2dfd2b
--- /dev/null
+++ b/ITS-8957-Fix-ASYNC-TLS.patch
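Review bot: The outer `if test $ol_enable_bdb/$ol_enable_hdb != mod/mod ; then` is implied by the inner test — if either variable equals `yes` the pair cannot be `mod/mod` — so the nesting adds a level without adding a condition, and the inner `if test $ol_enable_bdb = yes -o $ol_enable_hdb = yes ; then` alone expresses what the `dnl` comment states. If the outer test is meant to guard some other value, a comment saying which one would stop the next reader from removing it. The inner test also uses `test ... -o ...`, which POSIX marks obsolescent; the rest of configure.in in this series writes the same thing as `test $a = yes || test $b = yes`, so that form would be consistent.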
@@ -0,0 +1,26 @@
+From a5a8739b4436b27387c652a8f423b582516d841a Mon Sep 17 00:00:00 2001
+From: Quanah Gibson-Mount
+Date: Thu, 31 Jan 2019 02:33:17 +0000
+Subject: [PATCH 100/109] ITS#8957 - Fix ASYNC TLS
+
+Fix ASYNC TLS by correctly handling a return code of -2 in addition to 0
+---
+ libraries/libldap/open.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/libraries/libldap/open.c b/libraries/libldap/open.c
+index 67a9353f9..5d70678d6 100644
+--- a/libraries/libldap/open.c
++++ b/libraries/libldap/open.c
+@@ -440,7 +440,7 @@ ldap_int_open_connection(
+ #endif
+
+ #ifdef HAVE_TLS
+- if (rc == 0 && ( ld->ld_options.ldo_tls_mode == LDAP_OPT_X_TLS_HARD ||
++ if ((rc == 0 || rc == -2) && ( ld->ld_options.ldo_tls_mode == LDAP_OPT_X_TLS_HARD ||
+ strcmp( srv->lud_scheme, "ldaps" ) == 0 ))
+ {
+ ++conn->lconn_refcnt; /* avoid premature free */
+--
+2.19.1
+
diff --git a/ITS-8980-fix-async-connections-with-non-blocking-TLS.patch b/ITS-8980-fix-async-connections-with-non-blocking-TLS.patch
new file mode 100644
index 0000000000000000000000000000000000000000..f98fa17b2cf8436c444d34a4597f262702610f43
--- /dev/null
+++ b/ITS-8980-fix-async-connections-with-non-blocking-TLS.patch
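Review bot: `rc == -2` is a bare magic value in ldap_int_open_connection; the commit text says it must be treated like 0 for async connects, but nothing in open.c tells a reader what `-2` stands for. A comment on the line, e.g. `/* 0: connected; -2: async connect still pending (see the commit message) */`, or a named constant at the site that produces `-2` (outside the hunk, so its exact meaning is inferred here from the commit text) would fix that. Starting TLS on a socket whose connect has not finished also relies on the TLS layer tolerating that state, which the later ITS#8980 patch in this series deals with.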
@@ -0,0 +1,102 @@
+From d4a0a9b3a65bd1ce721d55845d4240942d17538b Mon Sep 17 00:00:00 2001
+From: Vernon Smith
+Date: Tue, 19 Feb 2019 05:57:00 +0000
+Subject: [PATCH 109/109] ITS#8980 fix async connections with non-blocking TLS
+
+---
+ libraries/libldap/os-ip.c | 2 +-
+ libraries/libldap/tls2.c | 17 ++++++++++++-----
+ libraries/libldap/tls_o.c | 14 +++++++++++++-
+ 3 files changed, 26 insertions(+), 7 deletions(-)
+
+diff --git a/libraries/libldap/os-ip.c b/libraries/libldap/os-ip.c
+index a823cc626..cb7b0a3b2 100644
+--- a/libraries/libldap/os-ip.c
++++ b/libraries/libldap/os-ip.c
+@@ -443,7 +443,7 @@ ldap_pvt_connect(LDAP *ld, ber_socket_t s,
+ if ( connect(s, sin, addrlen) != AC_SOCKET_ERROR ) {
+ osip_debug(ld, "connect success\n", 0, 0, 0);
+
+- if ( opt_tv && ldap_pvt_ndelay_off(ld, s) == -1 )
++ if ( !async && opt_tv && ldap_pvt_ndelay_off(ld, s) == -1 )
+ return ( -1 );
+ return ( 0 );
+ }
+diff --git a/libraries/libldap/tls2.c b/libraries/libldap/tls2.c
+index 96da4d421..bc93e4d63 100644
+--- a/libraries/libldap/tls2.c
++++ b/libraries/libldap/tls2.c
+@@ -826,7 +826,7 @@ ldap_int_tls_start ( LDAP *ld, LDAPConn *conn, LDAPURLDesc *srv )
+ Sockbuf *sb;
+ char *host;
+ void *ssl;
+- int ret;
++ int ret, async;
+ #ifdef LDAP_USE_NON_BLOCKING_TLS
+ struct timeval start_time_tv, tv, tv0;
+ ber_socket_t sd = AC_SOCKET_ERROR;
+@@ -853,8 +853,12 @@ ldap_int_tls_start ( LDAP *ld, LDAPConn *conn, LDAPURLDesc *srv )
+ /*
+ * Use non-blocking io during SSL Handshake when a timeout is configured
+ */
++ async = LDAP_BOOL_GET( &ld->ld_options, LDAP_BOOL_CONNECT_ASYNC );
+ if ( ld->ld_options.ldo_tm_net.tv_sec >= 0 ) {
+- ber_sockbuf_ctrl( sb, LBER_SB_OPT_SET_NONBLOCK, (void*)1 );
++ if ( !async ) {
++ /* if async, this has already been set */
++ ber_sockbuf_ctrl( sb, LBER_SB_OPT_SET_NONBLOCK, (void*)1 );
++ }
+ ber_sockbuf_ctrl( sb, LBER_SB_OPT_GET_FD, &sd );
+ tv = ld->ld_options.ldo_tm_net;
+ tv0 = tv;
+@@ -888,8 +892,10 @@ ldap_int_tls_start ( LDAP *ld, LDAPConn *conn, LDAPURLDesc *srv )
+ ld->ld_errno = LDAP_TIMEOUT;
+ break;
+ } else {
+- /* ldap_int_poll called ldap_pvt_ndelay_off */
+- ber_sockbuf_ctrl( sb, LBER_SB_OPT_SET_NONBLOCK, (void*)1 );
++ /* ldap_int_poll called ldap_pvt_ndelay_off if not async */
++ if ( !async ) {
++ ber_sockbuf_ctrl( sb, LBER_SB_OPT_SET_NONBLOCK, (void*)1 );
++ }
+ ret = ldap_int_tls_connect( ld, conn, host );
+ if ( ret > 0 ) { /* need to call tls_connect once more */
+ struct timeval curr_time_tv, delta_tv;
+@@ -936,7 +942,8 @@ ldap_int_tls_start ( LDAP *ld, LDAPConn *conn, LDAPURLDesc *srv )
+ }
+ }
+ }
+- if ( ld->ld_options.ldo_tm_net.tv_sec >= 0 ) {
++ /* Leave it nonblocking if async */
++ if ( !async && ld->ld_options.ldo_tm_net.tv_sec >= 0 ) {
+ ber_sockbuf_ctrl( sb, LBER_SB_OPT_SET_NONBLOCK, NULL );
+ }
+ #endif /* LDAP_USE_NON_BLOCKING_TLS */
+diff --git a/libraries/libldap/tls_o.c b/libraries/libldap/tls_o.c
+index 2b0c021a6..b10121d3a 100644
+--- a/libraries/libldap/tls_o.c
++++ b/libraries/libldap/tls_o.c
+@@ -452,7 +452,19 @@ tlso_session_connect( LDAP *ld, tls_session *sess )
+ tlso_session *s = (tlso_session *)sess;
+
+ /* Caller expects 0 = success, OpenSSL returns 1 = success */
+- return SSL_connect( s ) - 1;
++ int rc = SSL_connect( s ) - 1;
++#ifdef LDAP_USE_NON_BLOCKING_TLS
++ if ( rc < 0 ) {
++ int sockerr = sock_errno();
++ int sslerr = SSL_get_error( s, rc+1 );
++ if ( sslerr == SSL_ERROR_WANT_READ || sslerr == SSL_ERROR_WANT_WRITE ) {
++ rc = 0;
++ } else if ( sslerr == SSL_ERROR_SYSCALL &&
++ ( sockerr == EAGAIN || sockerr == ENOTCONN )) {
++ rc = 0;
++ }
++ }
++#endif /* LDAP_USE_NON_BLOCKING_TLS */
+ }
+
+ static int
+--
+2.19.1
+
diff --git a/bugfix-openldap-autoconf-pkgconfig-nss.patch b/bugfix-openldap-autoconf-pkgconfig-nss.patch
new file mode 100644
index 0000000000000000000000000000000000000000..a975e71cbb49ccf72e5d4bbd07f4bd98fcef762e
--- /dev/null
+++ b/bugfix-openldap-autoconf-pkgconfig-nss.patch
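Review bot: The rewritten body of tlso_session_connect in libraries/libldap/tls_o.c never returns `rc`: the hunk replaces `return SSL_connect( s ) - 1;` with `int rc = SSL_connect( s ) - 1;`, adjusts `rc` under `LDAP_USE_NON_BLOCKING_TLS`, and then reaches the closing `}` with no return statement, and the hunk's counts (7 old lines, 19 new) confirm that no line was lost in rendering. Falling off the end of a non-void function is undefined behaviour in C, and the garbage value here is what the caller uses to decide whether the TLS handshake succeeded; add `return rc;` before the closing brace. Separately, mapping `SSL_ERROR_WANT_READ`/`SSL_ERROR_WANT_WRITE` (and `EAGAIN`/`ENOTCONN`) to `rc = 0` makes an unfinished handshake look identical to a completed one at this layer, while the tls2.c hunk tests `ret > 0` for "need to call tls_connect once more"; whether ldap_int_tls_connect re-derives the in-progress state from the session is something to confirm outside these hunks. In tls2.c, `async` is assigned inside the `LDAP_USE_NON_BLOCKING_TLS` region but declared unconditionally, so a build without that macro carries an unused variable.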
@@ -0,0 +1,38 @@
+diff --git a/configure.in b/configure.in
+index 2134171..c643891 100644
+--- a/configure.in
++++ b/configure.in
+@@ -1230,28 +1230,16 @@ if test $ol_link_tls = no ; then
+ fi
+ fi
+
+-dnl NOTE: caller must specify -I/path/to/nspr4 and -I/path/to/nss3
+-dnl and -L/path/to/nspr4 libs and -L/path/to/nss3 libs if those libs
+-dnl are not in the default system location
+ if test $ol_link_tls = no ; then
+ if test $ol_with_tls = moznss || test $ol_with_tls = auto ; then
+- have_moznss=no
+- AC_CHECK_HEADERS([nssutil.h])
+- if test "$ac_cv_header_nssutil_h" = yes ; then
+- AC_CHECK_LIB([nss3], [NSS_Initialize],
+- [ have_moznss=yes ], [ have_moznss=no ])
+- fi
++ PKG_CHECK_MODULES(MOZNSS, [nss nspr], [have_moznss=yes], [have_moznss=no])
+
+- if test "$have_moznss" = yes ; then
++ if test $have_moznss = yes ; then
+ ol_with_tls=moznss
+ ol_link_tls=yes
+- AC_DEFINE(HAVE_MOZNSS, 1,
+- [define if you have MozNSS])
+- TLS_LIBS="-lssl3 -lsmime3 -lnss3 -lnssutil3 -lplds4 -lplc4 -lnspr4"
+- else
+- if test $ol_with_tls = moznss ; then
+- AC_MSG_ERROR([MozNSS not found - please specify the location to the NSPR and NSS header files in CPPFLAGS and the location to the NSPR and NSS libraries in LDFLAGS (if not in the system location)])
+- fi
++ AC_DEFINE(HAVE_MOZNSS, 1, [define if you have MozNSS])
++ TLS_LIBS="$MOZNSS_LIBS"
++ CFLAGS="$CFLAGS $MOZNSS_CFLAGS"
+ fi
+ fi
+ fi
diff --git a/bugfix-openldap-nss-ciphers-use-nss-defaults.patch b/bugfix-openldap-nss-ciphers-use-nss-defaults.patch
new file mode 100644
index 0000000000000000000000000000000000000000..9a418daa742546fa5a77f53c911ca2fd19748675
--- /dev/null
+++ b/bugfix-openldap-nss-ciphers-use-nss-defaults.patch
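Review bot: The rewritten block drops the `else` branch that called `AC_MSG_ERROR` when `--with-tls=moznss` was requested explicitly and the library was not found, so an explicit request that fails now falls through with `ol_link_tls` still `no` — as far as the hunk shows, configure would go on and produce a build without the TLS backend the user asked for. Restoring the fail-closed branch after the `PKG_CHECK_MODULES` line, e.g. `if test $have_moznss = no && test $ol_with_tls = moznss ; then AC_MSG_ERROR([MozNSS not found via pkg-config]); fi`, keeps the previous behaviour. The new code also appends `$MOZNSS_CFLAGS` to `CFLAGS` where the removed comment and error text expected include paths in `CPPFLAGS`; that is a user-visible change and this patch has no header describing it.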
@@ -0,0 +1,22 @@
+diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c
+index fb5554e..7d5ffea 100644
+--- a/libraries/libldap/tls_m.c
++++ b/libraries/libldap/tls_m.c
+@@ -557,7 +557,16 @@ nss_parse_ciphers(const char *cipherstr, int cipher_list[ciphernum])
+ }
+ } else if (!strcmp(cipher, "DEFAULT")) {
+ for (i=0; itc_certdb_slot );
++ c->tc_certdb_slot = NULL;
+ }
+ if ( c->tc_pin_file ) {
+ PL_strfree( c->tc_pin_file );
diff --git a/bugfix-openldap-nss-protocol-version-new-api.patch b/bugfix-openldap-nss-protocol-version-new-api.patch
new file mode 100644
index 0000000000000000000000000000000000000000..3b715267114af0711ddc386b083ad68f68f97bba
--- /dev/null
+++ b/bugfix-openldap-nss-protocol-version-new-api.patch
@@ -0,0 +1,63 @@
+diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c
+index d69b186..7f92783 100644
+--- a/libraries/libldap/tls_m.c
++++ b/libraries/libldap/tls_m.c
+@@ -2238,6 +2238,58 @@ tlsm_deferred_ctx_init( void *arg )
+ 0, 0, 0 );
+ return -1;
+ }
++ if ( lt->lt_protocol_min >= LDAP_OPT_X_TLS_PROTOCOL_SSL3 ) {
++ SSLVersionRange supported_range, default_range, selected_range;
++ if ( SECSuccess != SSL_VersionRangeGetSupported(ssl_variant_stream, &supported_range) ) {
++ Debug( LDAP_DEBUG_ANY,
++ "TLS: error: could not get SSL supported version range (SSL_VersionRangeGetSupported).\n",
++ 0, 0, 0 );
++ return -1;
++ } else {
++ Debug( LDAP_DEBUG_ANY,
++ "TLS: info: SSL supported protocol version range is (%#04x, %#04x) (SSL_VersionRangeGetSupported).\n",
++ supported_range.min, supported_range.max, 0);
++ }
++ if ( SECSuccess != SSL_VersionRangeGetDefault(ssl_variant_stream, &default_range) ) {
++ Debug( LDAP_DEBUG_ANY,
++ "TLS: error: could not get SSL default protocol version range (SSL_VersionRangeGetDefault).\n",
++ 0, 0, 0 );
++ return -1;
++ } else {
++ Debug( LDAP_DEBUG_ANY,
++ "TLS: info: SSL default protocol version range is (%#04x, %#04x) (SSL_VersionRangeGetDefault).\n",
++ default_range.min, default_range.max, 0);
++ }
++ selected_range.min = lt->lt_protocol_min;
++ selected_range.max = supported_range.max;
++ Debug( LDAP_DEBUG_ANY,
++ "TLS: info: TLS configured protocol minimal version is %#04x.\n",
++ selected_range.min, selected_range.max, 0);
++ if ( (selected_range.min > supported_range.max) ||
++ (selected_range.max < supported_range.min) ) {
++ Debug( LDAP_DEBUG_ANY,
++ "TLS: error: selected protocol version range out of NSS-supported version range.\n",
++ 0, 0, 0);
++ return -1;
++ } else {
++ if ( SECSuccess != SSL_VersionRangeSet(ctx->tc_model, &selected_range) ) {
++ Debug( LDAP_DEBUG_ANY,
++ "TLS: error: could not set protocol version range (SSL_VersionRangeSet).\n",
++ 0, 0, 0);
++ return -1;
++ }
++ if ( SECSuccess != SSL_VersionRangeGet(ctx->tc_model, &selected_range) ) {
++ Debug( LDAP_DEBUG_ANY,
++ "TLS: error: could not get protocol version range (SSL_VersionRangeGet).\n",
++ 0, 0, 0);
++ return -1;
++ } else {
++ Debug( LDAP_DEBUG_ANY,
++ "TLS: info: SSL set protocol version range is (%#04x, %#04x) (SSL_VersionRangeGet).\n",
++ selected_range.min, selected_range.max, 0);
++ }
++ }
++ }
+
+ if ( SECSuccess != SSL_OptionSet( ctx->tc_model, SSL_HANDSHAKE_AS_CLIENT, !ctx->tc_is_server ) ) {
+ Debug( LDAP_DEBUG_ANY,
diff --git a/bugfix-openldap-nss-unregister-on-unload.patch b/bugfix-openldap-nss-unregister-on-unload.patch
new file mode 100644
index 0000000000000000000000000000000000000000..44a8320b7cf0f846076acbbb9380fad44bd32630
--- /dev/null
+++ b/bugfix-openldap-nss-unregister-on-unload.patch
@@ -0,0 +1,36 @@
+diff --git a/libraries/libldap/init.c b/libraries/libldap/init.c
+index 9b877a9..9a8d661 100644
+--- a/libraries/libldap/init.c
++++ b/libraries/libldap/init.c
+@@ -473,7 +473,7 @@ static void openldap_ldap_init_w_env(
+ * Sorry, don't know how to handle this for non-GCC environments.
+ */
+ static void ldap_int_destroy_global_options(void)
+- __attribute__ ((destructor));
++ __attribute__ ((destructor (2)));
+ #endif
+
+ static void
+diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c
+index 7f92783..f6c27de 100644
+--- a/libraries/libldap/tls_m.c
++++ b/libraries/libldap/tls_m.c
+@@ -1951,6 +1951,18 @@ tlsm_clientauth_init( tlsm_ctx *ctx )
+ return ( status == SECSuccess ? 0 : -1 );
+ }
+
++#if defined(__GNUC__)
++static void
++tlsm_destroy_on_unload(void) __attribute__ ((destructor (1)));
++
++static void
++tlsm_destroy_on_unload(void)
++{
++ if (NSS_IsInitialized())
++ NSS_UnregisterShutdown(tlsm_nss_shutdown_cb, NULL);
++}
++#endif
++
+ /*
+ * Tear down the TLS subsystem. Should only be called once.
+ */
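Review bot: `selected_range.min = lt->lt_protocol_min;` hands OpenLDAP's `LDAP_OPT_X_TLS_PROTOCOL_*` encoding straight to NSS's `SSLVersionRange`, so the block silently depends on the two libraries agreeing on the numeric form of each protocol version; the two encodings appear to line up, but nothing here says so, and a comment at that assignment (`/* LDAP_OPT_X_TLS_PROTOCOL_* values are numerically the NSS SSL_LIBRARY_VERSION_* values */`) or an explicit translation would make the dependency visible and catch a future divergence. Every informational message in the block is logged at `LDAP_DEBUG_ANY`, so each context init prints four "TLS: info:" lines unconditionally; `LDAP_DEBUG_TRACE` fits the info lines, with `LDAP_DEBUG_ANY` kept for the `return -1` paths. The `Debug` that prints the configured minimum passes `selected_range.max` as an unused extra argument — harmless, but it reads as if two values were meant to be shown. tlsm_deferred_ctx_init continues on both sides of the hunk.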
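Review bot: `__attribute__ ((destructor (1)))` and `__attribute__ ((destructor (2)))` use priority values in the 0–100 range that GCC reserves for the implementation, and newer GCC versions report them under `-Wprio-ctor-dtor`; values above 100 with the same relative order (say 101 and 102) keep the intended sequencing between tlsm_destroy_on_unload and ldap_int_destroy_global_options without the reserved range. That sequencing requirement is not written down in either file, so a comment on the init.c declaration such as `/* ordered against tlsm_destroy_on_unload in tls_m.c; GCC runs higher destructor priorities first */` would tie the two sites together. The body `if (NSS_IsInitialized()) NSS_UnregisterShutdown(tlsm_nss_shutdown_cb, NULL);` is left unbraced, unlike the surrounding tls_m.c code shown elsewhere in this series.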
diff --git a/bugfix-openldap-nss-update-list-of-ciphers.patch b/bugfix-openldap-nss-update-list-of-ciphers.patch
new file mode 100644
index 0000000000000000000000000000000000000000..55facd67dcbdb8dafc47c193301748ff612d1f5f
--- /dev/null
+++ b/bugfix-openldap-nss-update-list-of-ciphers.patch
@@ -0,0 +1,257 @@
+diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c
+index f6c27de..bba215a 100644
+--- a/libraries/libldap/tls_m.c
++++ b/libraries/libldap/tls_m.c
+@@ -76,6 +76,11 @@
+ #define HAVE_SECMOD_RESTARTMODULES 1
+ #endif
+
++/* NSS 3.20.0 and later have SHA384 ciphers */
++#if NSS_VERSION_INT >= 0x03140000
++#define HAVE_SHA384_CIPHERS 1
++#endif
++
+ /* InitContext does not currently work in server mode */
+ /* #define INITCONTEXT_HACK 1 */
+
+@@ -210,27 +215,36 @@ typedef struct {
+ int num; /* The cipher id */
+ int attr; /* cipher attributes: algorithms, etc */
+ int version; /* protocol version valid for this cipher */
+- int bits; /* bits of strength */
+- int alg_bits; /* bits of the algorithm */
+ int strength; /* LOW, MEDIUM, HIGH */
+ int enabled; /* Enabled by default? */
+ } cipher_properties;
+
+ /* cipher attributes */
+-#define SSL_kRSA 0x00000001L
+-#define SSL_aRSA 0x00000002L
+-#define SSL_aDSS 0x00000004L
+-#define SSL_DSS SSL_aDSS
+-#define SSL_eNULL 0x00000008L
+-#define SSL_DES 0x00000010L
+-#define SSL_3DES 0x00000020L
+-#define SSL_RC4 0x00000040L
+-#define SSL_RC2 0x00000080L
+-#define SSL_AES 0x00000100L
+-#define SSL_MD5 0x00000200L
+-#define SSL_SHA1 0x00000400L
+-#define SSL_SHA SSL_SHA1
+-#define SSL_RSA (SSL_kRSA|SSL_aRSA)
++#define SSL_kRSA 0x00000001L
++#define SSL_aRSA 0x00000002L
++#define SSL_RSA (SSL_kRSA|SSL_aRSA)
++#define SSL_aDSA 0x00000004L
++#define SSL_DSA SSL_aDSA
++#define SSL_eNULL 0x00000008L
++#define SSL_DES 0x00000010L
++#define SSL_3DES 0x00000020L
++#define SSL_RC4 0x00000040L
++#define SSL_RC2 0x00000080L
++#define SSL_AES128 0x00000100L
++#define SSL_AES256 0x00000200L
++#define SSL_AES (SSL_AES128|SSL_AES256)
++#define SSL_MD5 0x00000400L
++#define SSL_SHA1 0x00000800L
++#define SSL_kEDH 0x00001000L
++#define SSL_CAMELLIA128 0x00002000L
++#define SSL_CAMELLIA256 0x00004000L
++#define SSL_CAMELLIA (SSL_CAMELLIA128|SSL_CAMELLIA256)
++#define SSL_SEED 0x00008000L
++#define SSL_kECDH 0x00010000L
++#define SSL_kECDHE 0x00020000L
++#define SSL_aECDSA 0x00040000L
++#define SSL_SHA256 0x00080000L
++#define SSL_SHA384 0x00100000L
+
+ /* cipher strength */
+ #define SSL_NULL 0x00000001L
+@@ -244,32 +258,120 @@ typedef struct {
+ #define SSL3 0x00000002L
+ /* OpenSSL treats SSL3 and TLSv1 the same */
+ #define TLS1 SSL3
++#define TLS1_2 0x00000004L
+
+ /* Cipher translation */
+ static cipher_properties ciphers_def[] = {
+- /* SSL 2 ciphers */
+- {"DES-CBC3-MD5", SSL_EN_DES_192_EDE3_CBC_WITH_MD5, SSL_kRSA|SSL_aRSA|SSL_3DES|SSL_MD5, SSL2, 168, 168, SSL_HIGH, SSL_ALLOWED},
+- {"RC2-CBC-MD5", SSL_EN_RC2_128_CBC_WITH_MD5, SSL_kRSA|SSL_aRSA|SSL_RC2|SSL_MD5, SSL2, 128, 128, SSL_MEDIUM, SSL_ALLOWED},
+- {"RC4-MD5", SSL_EN_RC4_128_WITH_MD5, SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5, SSL2, 128, 128, SSL_MEDIUM, SSL_ALLOWED},
+- {"DES-CBC-MD5", SSL_EN_DES_64_CBC_WITH_MD5, SSL_kRSA|SSL_aRSA|SSL_DES|SSL_MD5, SSL2, 56, 56, SSL_LOW, SSL_ALLOWED},
+- {"EXP-RC2-CBC-MD5", SSL_EN_RC2_128_CBC_EXPORT40_WITH_MD5, SSL_kRSA|SSL_aRSA|SSL_RC2|SSL_MD5, SSL2, 40, 128, SSL_EXPORT40, SSL_ALLOWED},
+- {"EXP-RC4-MD5", SSL_EN_RC4_128_EXPORT40_WITH_MD5, SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5, SSL2, 40, 128, SSL_EXPORT40, SSL_ALLOWED},
+-
+- /* SSL3 ciphers */
+- {"RC4-MD5", SSL_RSA_WITH_RC4_128_MD5, SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5, SSL3, 128, 128, SSL_MEDIUM, SSL_ALLOWED},
+- {"RC4-SHA", SSL_RSA_WITH_RC4_128_SHA, SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_SHA1, SSL3, 128, 128, SSL_MEDIUM, SSL_ALLOWED},
+- {"DES-CBC3-SHA", SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_3DES|SSL_SHA1, SSL3, 168, 168, SSL_HIGH, SSL_ALLOWED},
+- {"DES-CBC-SHA", SSL_RSA_WITH_DES_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_DES|SSL_SHA1, SSL3, 56, 56, SSL_LOW, SSL_ALLOWED},
+- {"EXP-RC4-MD5", SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5, SSL3, 40, 128, SSL_EXPORT40, SSL_ALLOWED},
+- {"EXP-RC2-CBC-MD5", SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5, SSL_kRSA|SSL_aRSA|SSL_RC2|SSL_MD5, SSL3, 0, 0, SSL_EXPORT40, SSL_ALLOWED},
+- {"NULL-MD5", SSL_RSA_WITH_NULL_MD5, SSL_kRSA|SSL_aRSA|SSL_eNULL|SSL_MD5, SSL3, 0, 0, SSL_NULL, SSL_NOT_ALLOWED},
+- {"NULL-SHA", SSL_RSA_WITH_NULL_SHA, SSL_kRSA|SSL_aRSA|SSL_eNULL|SSL_SHA1, SSL3, 0, 0, SSL_NULL, SSL_NOT_ALLOWED},
++
++ /*
++ * Use the same DEFAULT cipher list as OpenSSL, which is defined as: ALL:!aNULL:!eNULL:!SSLv2
++ */
++
++ /* SSLv2 ciphers */
++ {"DES-CBC-MD5", SSL_EN_DES_64_CBC_WITH_MD5, SSL_kRSA|SSL_aRSA|SSL_DES|SSL_MD5, SSL2, SSL_LOW},
++ {"DES-CBC3-MD5", SSL_EN_DES_192_EDE3_CBC_WITH_MD5, SSL_kRSA|SSL_aRSA|SSL_3DES|SSL_MD5, SSL2, SSL_HIGH},
++ {"RC2-CBC-MD5", SSL_EN_RC2_128_CBC_WITH_MD5, SSL_kRSA|SSL_aRSA|SSL_RC2|SSL_MD5, SSL2, SSL_MEDIUM},
++ {"RC4-MD5", SSL_EN_RC4_128_WITH_MD5, SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5, SSL2, SSL_MEDIUM},
++ {"EXP-RC2-CBC-MD5", SSL_EN_RC2_128_CBC_EXPORT40_WITH_MD5, SSL_kRSA|SSL_aRSA|SSL_RC2|SSL_MD5, SSL2, SSL_EXPORT40},
++ {"EXP-RC4-MD5", SSL_EN_RC4_128_EXPORT40_WITH_MD5, SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5, SSL2, SSL_EXPORT40},
++
++ /* SSLv3 ciphers */
++ {"NULL-MD5", SSL_RSA_WITH_NULL_MD5, SSL_kRSA|SSL_aRSA|SSL_eNULL|SSL_MD5, SSL3, SSL_NULL},
++ {"NULL-SHA", SSL_RSA_WITH_NULL_SHA, SSL_kRSA|SSL_aRSA|SSL_eNULL|SSL_SHA1, SSL3, SSL_NULL},
++ {"DES-CBC-SHA", SSL_RSA_WITH_DES_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_DES|SSL_SHA1, SSL3, SSL_LOW},
++ {"DES-CBC3-SHA", SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_3DES|SSL_SHA1, SSL3, SSL_HIGH},
++ {"RC4-MD5", SSL_RSA_WITH_RC4_128_MD5, SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5, SSL3, SSL_MEDIUM},
++ {"RC4-SHA", SSL_RSA_WITH_RC4_128_SHA, SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_SHA1, SSL3, SSL_MEDIUM},
++ {"EXP-RC2-CBC-MD5", SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5, SSL_kRSA|SSL_aRSA|SSL_RC2|SSL_MD5, SSL3, SSL_EXPORT40},
++ {"EXP-RC4-MD5", SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5, SSL3, SSL_EXPORT40},
++ {"EDH-RSA-DES-CBC-SHA", SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_kEDH|SSL_aRSA|SSL_DES|SSL_SHA1, SSL3, SSL_LOW},
++ {"EDH-RSA-DES-CBC3-SHA", SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_kEDH|SSL_aRSA|SSL_3DES|SSL_SHA1, SSL3, SSL_HIGH},
++ {"EDH-DSS-DES-CBC-SHA", SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_kEDH|SSL_aDSA|SSL_DES|SSL_SHA1, SSL3, SSL_LOW},
++ {"EDH-DSS-DES-CBC3-SHA", SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_kEDH|SSL_aDSA|SSL_3DES|SSL_SHA1, SSL3, SSL_HIGH},
+
+ /* TLSv1 ciphers */
+- {"EXP1024-DES-CBC-SHA", TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_DES|SSL_SHA, TLS1, 56, 56, SSL_EXPORT56, SSL_ALLOWED},
+- {"EXP1024-RC4-SHA", TLS_RSA_EXPORT1024_WITH_RC4_56_SHA, SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_SHA, TLS1, 56, 56, SSL_EXPORT56, SSL_ALLOWED},
+- {"AES128-SHA", TLS_RSA_WITH_AES_128_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_AES|SSL_SHA, TLS1, 128, 128, SSL_HIGH, SSL_ALLOWED},
+- {"AES256-SHA", TLS_RSA_WITH_AES_256_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_AES|SSL_SHA, TLS1, 256, 256, SSL_HIGH, SSL_ALLOWED},
++ {"EXP1024-DES-CBC-SHA", TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_DES|SSL_SHA1, TLS1, SSL_EXPORT56},
++ {"EXP1024-RC4-SHA", TLS_RSA_EXPORT1024_WITH_RC4_56_SHA, SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_SHA1, TLS1, SSL_EXPORT56},
++ {"SEED-SHA", TLS_RSA_WITH_SEED_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_SEED|SSL_SHA1, TLS1, SSL_MEDIUM},
++ {"AES128-SHA", TLS_RSA_WITH_AES_128_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_AES128|SSL_SHA1, TLS1, SSL_HIGH},
++ {"AES256-SHA", TLS_RSA_WITH_AES_256_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_AES256|SSL_SHA1, TLS1, SSL_HIGH},
++ {"CAMELLIA256-SHA", TLS_RSA_WITH_CAMELLIA_256_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_CAMELLIA256|SSL_SHA1, TLS1, SSL_HIGH},
++ {"CAMELLIA128-SHA", TLS_RSA_WITH_CAMELLIA_128_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_CAMELLIA128|SSL_SHA1, TLS1, SSL_HIGH},
++ {"DHE-RSA-AES128-SHA", TLS_DHE_RSA_WITH_AES_128_CBC_SHA, SSL_kEDH|SSL_aRSA|SSL_AES128|SSL_SHA1, TLS1, SSL_HIGH},
++ {"DHE-RSA-AES256-SHA", TLS_DHE_RSA_WITH_AES_256_CBC_SHA, SSL_kEDH|SSL_aRSA|SSL_AES256|SSL_SHA1, TLS1, SSL_HIGH},
++ {"DHE-RSA-CAMELLIA128-SHA", TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA, SSL_kEDH|SSL_aRSA|SSL_CAMELLIA128|SSL_SHA1, TLS1, SSL_HIGH},
++ {"DHE-RSA-CAMELLIA256-SHA", TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA, SSL_kEDH|SSL_aRSA|SSL_CAMELLIA256|SSL_SHA1, TLS1, SSL_HIGH},
++ {"DHE-DSS-RC4-SHA", TLS_DHE_DSS_WITH_RC4_128_SHA, SSL_kEDH|SSL_aDSA|SSL_RC4|SSL_SHA1, TLS1, SSL_MEDIUM},
++ {"DHE-DSS-AES128-SHA", TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_kEDH|SSL_aDSA|SSL_AES128|SSL_SHA1, TLS1, SSL_HIGH},
++ {"DHE-DSS-AES256-SHA", TLS_DHE_DSS_WITH_AES_256_CBC_SHA, SSL_kEDH|SSL_aDSA|SSL_AES256|SSL_SHA1, TLS1, SSL_HIGH},
++ {"DHE-DSS-CAMELLIA128-SHA", TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA, SSL_kEDH|SSL_aDSA|SSL_CAMELLIA128|SSL_SHA1, TLS1, SSL_HIGH},
++ {"DHE-DSS-CAMELLIA256-SHA", TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA, SSL_kEDH|SSL_aDSA|SSL_CAMELLIA256|SSL_SHA1, TLS1, SSL_HIGH},
++ {"ECDH-RSA-NULL-SHA", TLS_ECDH_RSA_WITH_NULL_SHA, SSL_kECDH|SSL_aRSA|SSL_eNULL|SSL_SHA1, TLS1, SSL_NULL},
++ {"ECDH-RSA-RC4-SHA", TLS_ECDH_RSA_WITH_RC4_128_SHA, SSL_kECDH|SSL_aRSA|SSL_RC4|SSL_SHA1, TLS1, SSL_MEDIUM},
++ {"ECDH-RSA-DES-CBC3-SHA", TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_kECDH|SSL_aRSA|SSL_3DES|SSL_SHA1, TLS1, SSL_HIGH},
++ {"ECDH-RSA-AES128-SHA", TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, SSL_kECDH|SSL_aRSA|SSL_AES128|SSL_SHA1, TLS1, SSL_HIGH},
++ {"ECDH-RSA-AES256-SHA", TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, SSL_kECDH|SSL_aRSA|SSL_AES256|SSL_SHA1, TLS1, SSL_HIGH},
++ {"ECDH-ECDSA-NULL-SHA", TLS_ECDH_ECDSA_WITH_NULL_SHA, SSL_kECDH|SSL_aECDSA|SSL_eNULL|SSL_SHA1, TLS1, SSL_NULL},
++ {"ECDH-ECDSA-RC4-SHA", TLS_ECDH_ECDSA_WITH_RC4_128_SHA, SSL_kECDH|SSL_aECDSA|SSL_RC4|SSL_SHA1, TLS1, SSL_MEDIUM},
++ {"ECDH-ECDSA-DES-CBC3-SHA", TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_kECDH|SSL_aECDSA|SSL_3DES|SSL_SHA1, TLS1, SSL_HIGH},
++ {"ECDH-ECDSA-AES128-SHA", TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, SSL_kECDH|SSL_aECDSA|SSL_AES128|SSL_SHA1, TLS1, SSL_HIGH},
++ {"ECDH-ECDSA-AES256-SHA", TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, SSL_kECDH|SSL_aECDSA|SSL_AES256|SSL_SHA1, TLS1, SSL_HIGH},
++ {"ECDHE-RSA-NULL-SHA", TLS_ECDHE_RSA_WITH_NULL_SHA, SSL_kECDHE|SSL_aRSA|SSL_eNULL|SSL_SHA1, TLS1, SSL_NULL},
++ {"ECDHE-RSA-RC4-SHA", TLS_ECDHE_RSA_WITH_RC4_128_SHA, SSL_kECDHE|SSL_aRSA|SSL_RC4|SSL_SHA1, TLS1, SSL_MEDIUM},
++ {"ECDHE-RSA-DES-CBC3-SHA", TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_kECDHE|SSL_aRSA|SSL_3DES|SSL_SHA1, TLS1, SSL_HIGH},
++ {"ECDHE-RSA-AES128-SHA", TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, SSL_kECDHE|SSL_aRSA|SSL_AES128|SSL_SHA1, TLS1, SSL_HIGH},
++ {"ECDHE-RSA-AES256-SHA", TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, SSL_kECDHE|SSL_aRSA|SSL_AES256|SSL_SHA1, TLS1, SSL_HIGH},
++ {"ECDHE-ECDSA-NULL-SHA", TLS_ECDHE_ECDSA_WITH_NULL_SHA, SSL_kECDHE|SSL_aECDSA|SSL_eNULL|SSL_SHA1, TLS1, SSL_NULL},
++ {"ECDHE-ECDSA-RC4-SHA", TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, SSL_kECDHE|SSL_aECDSA|SSL_RC4|SSL_SHA1, TLS1, SSL_MEDIUM},
++ {"ECDHE-ECDSA-DES-CBC3-SHA", TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_kECDHE|SSL_aECDSA|SSL_3DES|SSL_SHA1, TLS1, SSL_HIGH},
++ {"ECDHE-ECDSA-AES128-SHA", TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, SSL_kECDHE|SSL_aECDSA|SSL_AES128|SSL_SHA1, TLS1, SSL_HIGH},
++ {"ECDHE-ECDSA-AES256-SHA", TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, SSL_kECDHE|SSL_aECDSA|SSL_AES256|SSL_SHA1, TLS1, SSL_HIGH},
++
++/* conditional on one of the newer defs */
++#ifdef TLS_RSA_WITH_AES_128_GCM_SHA256
++ /* TLSv1.2 ciphers */
++ /* The following ciphers appear in the openssl sources as TLSv1.2 but currently have no NSS equivalent
++
++ DHE-DSS-AES256-GCM-SHA384 TLSv1.2 Kx=DH Au=DSS Enc=AESGCM(256) Mac=AEAD
++ ECDH-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AESGCM(256) Mac=AEAD
++ ECDH-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AESGCM(256) Mac=AEAD
++ ECDH-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AES(256) Mac=SHA384
++ ECDH-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AES(256) Mac=SHA384
++ ECDH-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AESGCM(128) Mac=AEAD
++ ECDH-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AESGCM(128) Mac=AEAD
++ ECDH-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AES(128) Mac=SHA256
++ ECDH-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AES(128) Mac=SHA256
++
++ */
++ {"NULL-SHA256", TLS_RSA_WITH_NULL_SHA256, SSL_kRSA|SSL_aRSA|SSL_eNULL|SSL_SHA256, TLS1_2, SSL_NULL},
++ {"AES128-SHA256", TLS_RSA_WITH_AES_128_CBC_SHA256, SSL_kRSA|SSL_aRSA|SSL_AES128|SSL_SHA256, TLS1_2, SSL_HIGH},
++ {"AES256-SHA256", TLS_RSA_WITH_AES_256_CBC_SHA256, SSL_kRSA|SSL_aRSA|SSL_AES256|SSL_SHA256, TLS1_2, SSL_HIGH},
++ {"AES128-GCM-SHA256", TLS_RSA_WITH_AES_128_GCM_SHA256, SSL_kRSA|SSL_aRSA|SSL_AES128|SSL_AESGCM|SSL_AEAD, TLS1_2, SSL_HIGH},
++ {"AES256-GCM-SHA384", TLS_RSA_WITH_AES_256_GCM_SHA384, SSL_kRSA|SSL_aRSA|SSL_AES256|SSL_AESGCM|SSL_AEAD, TLS1_2, SSL_HIGH},
++
++ {"DHE-RSA-AES256-SHA256", TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, SSL_kEDH|SSL_aRSA|SSL_AES256|SSL_SHA256, TLS1_2, SSL_HIGH},
++ {"DHE-RSA-AES128-SHA256", TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, SSL_kEDH|SSL_aRSA|SSL_AES128|SSL_SHA256, TLS1_2, SSL_HIGH},
++ {"DHE-RSA-AES128-GCM-SHA256", TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, SSL_kEDH|SSL_aRSA|SSL_AES128|SSL_AESGCM|SSL_AEAD, TLS1_2, SSL_HIGH},
++ {"DHE-RSA-AES256-GCM-SHA384", TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, SSL_kEDH|SSL_aRSA|SSL_AES256|SSL_AESGCM|SSL_AEAD, TLS1_2, SSL_HIGH},
++
++ {"DHE-DSS-AES128-SHA256", TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, SSL_kEDH|SSL_aDSA|SSL_AES128|SSL_SHA256, TLS1_2, SSL_HIGH},
++ {"DHE-DSS-AES256-SHA256", TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, SSL_kEDH|SSL_aDSA|SSL_AES256|SSL_SHA256, TLS1_2, SSL_HIGH},
++ {"DHE-DSS-AES128-GCM-SHA256", TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, SSL_kEDH|SSL_aDSA|SSL_AES128|SSL_AESGCM|SSL_AEAD, TLS1_2, SSL_HIGH},
++ {"DHE-DSS-AES256-GCM-SHA384", TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, SSL_kEDH|SSL_aDSA|SSL_AES256|SSL_AESGCM|SSL_AEAD, TLS1_2, SSL_HIGH},
++
++ {"ECDHE-ECDSA-AES128-SHA256", TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, SSL_kECDHE|SSL_aECDSA|SSL_AES128|SSL_SHA256, TLS1_2, SSL_HIGH},
++ {"ECDHE-RSA-AES128-SHA256", TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, SSL_kECDHE|SSL_aRSA|SSL_AES128|SSL_SHA256, TLS1_2, SSL_HIGH},
++ {"ECDHE-ECDSA-AES128-GCM-SHA256", TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, SSL_kECDHE|SSL_aECDSA|SSL_AES128|SSL_AESGCM|SSL_AEAD, TLS1_2, SSL_HIGH},
++ {"ECDHE-RSA-AES128-GCM-SHA256", TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, SSL_kECDHE|SSL_aRSA|SSL_AES128|SSL_AESGCM|SSL_AEAD, TLS1_2, SSL_HIGH},
++ {"ECDHE-ECDSA-AES256-GCM-SHA384", TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, SSL_kECDHE|SSL_aECDSA|SSL_AES256|SSL_AESGCM|SSL_AEAD, TLS1_2, SSL_HIGH},
++ {"ECDHE-RSA-AES256-GCM-SHA384", TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, SSL_kECDHE|SSL_aRSA|SSL_AES256|SSL_AESGCM|SSL_AEAD, TLS1_2, SSL_HIGH},
++ {"ECDHE-ECDSA-AES256-SHA384", TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, SSL_kECDHE|SSL_aECDSA|SSL_AES256|SSL_SHA384, TLS1_2, SSL_HIGH},
++ {"ECDHE-RSA-AES256-SHA384", TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, SSL_kECDHE|SSL_aRSA|SSL_AES256|SSL_SHA384, TLS1_2, SSL_HIGH},
++#endif
++
++ {"ECDHE-RSA-CHACHA20-POLY1305", 0xcca8 /* TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 */, SSL_kECDHE|SSL_aRSA|SSL_CHACHA20POLY1305|SSL_AEAD, TLS1_2, SSL_HIGH},
++ {"ECDHE-ECDSA-CHACHA20-POLY1305", 0xcca9 /* TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 */, SSL_kECDHE|SSL_aECDSA|SSL_CHACHA20POLY1305|SSL_AEAD, TLS1_2, SSL_HIGH},
++ {"DHE-RSA-CHACHA20-POLY1305", 0xccaa /* TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 */, SSL_kEDH|SSL_aRSA|SSL_CHACHA20POLY1305|SSL_AEAD, TLS1_2, SSL_HIGH},
+ };
+
+ #define ciphernum (sizeof(ciphers_def)/sizeof(cipher_properties))
+@@ -585,6 +687,10 @@ nss_parse_ciphers(const char *cipherstr, int cipher_list[ciphernum])
+ mask |= SSL_RSA;
+ } else if ((!strcmp(cipher, "NULL")) || (!strcmp(cipher, "eNULL"))) {
+ mask |= SSL_eNULL;
++ } else if (!strcmp(cipher, "AES128")) {
++ mask |= SSL_AES128;
++ } else if (!strcmp(cipher, "AES256")) {
++ mask |= SSL_AES256;
+ } else if (!strcmp(cipher, "AES")) {
+ mask |= SSL_AES;
+ } else if (!strcmp(cipher, "3DES")) {
+@@ -599,12 +705,34 @@ nss_parse_ciphers(const char *cipherstr, int cipher_list[ciphernum])
+ mask |= SSL_MD5;
+ } else if ((!strcmp(cipher, "SHA")) || (!strcmp(cipher, "SHA1"))) {
+ mask |= SSL_SHA1;
++ } else if (!strcmp(cipher, "SHA256")) {
++ mask |= SSL_SHA256;
++ } else if (!strcmp(cipher, "EDH")) {
++ mask |= SSL_kEDH;
++ } else if (!strcmp(cipher, "DSS")) {
++ mask |= SSL_aDSA;
++ } else if (!strcmp(cipher, "CAMELLIA128")) {
++ mask |= SSL_CAMELLIA128;
++ } else if (!strcmp(cipher, "CAMELLIA256")) {
++ mask |= SSL_CAMELLIA256;
++ } else if (!strcmp(cipher, "CAMELLIA")) {
++ mask |= SSL_CAMELLIA;
++ } else if (!strcmp(cipher, "SEED")) {
++ mask |= SSL_SEED;
++ } else if (!strcmp(cipher, "ECDH")) {
++ mask |= SSL_kECDH;
++ } else if (!strcmp(cipher, "ECDHE")) {
++ mask |= SSL_kECDHE;
++ } else if (!strcmp(cipher, "ECDSA")) {
++ mask |= SSL_aECDSA;
+ } else if (!strcmp(cipher, "SSLv2")) {
+ protocol |= SSL2;
+ } else if (!strcmp(cipher, "SSLv3")) {
+ protocol |= SSL3;
+ } else if (!strcmp(cipher, "TLSv1")) {
+ protocol |= TLS1;
++ } else if (!strcmp(cipher, "TLSv1.2")) {
++ protocol |= TLS1_2;
+ } else if (!strcmp(cipher, "HIGH")) {
+ strength |= SSL_HIGH;
+ } else if (!strcmp(cipher, "MEDIUM")) {
diff --git a/bugfix-openldap-ssl-deadlock-revert.patch b/bugfix-openldap-ssl-deadlock-revert.patch
new file mode 100644
index 0000000000000000000000000000000000000000..102b9f8839d5ec329327b256b33990e617e0dae0
--- /dev/null
+++ b/bugfix-openldap-ssl-deadlock-revert.patch
@@ -0,0 +1,51 @@
+diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c
+index 3139eaf..49dc9b1 100644
+--- a/libraries/libldap/tls_m.c
++++ b/libraries/libldap/tls_m.c
+@@ -146,7 +146,6 @@ static int tlsm_init( void );
+ */
+ static ldap_pvt_thread_mutex_t tlsm_ctx_count_mutex;
+ static ldap_pvt_thread_mutex_t tlsm_init_mutex;
+-static ldap_pvt_thread_mutex_t tlsm_pem_mutex;
+ static PRCallOnceType tlsm_init_mutex_callonce = {0,0};
+ 
+ static PRStatus PR_CALLBACK
+@@ -164,12 +163,6 @@ tlsm_thr_init_callonce( void )
+ return PR_FAILURE;
+ }
+ 
+- if ( ldap_pvt_thread_mutex_init( &tlsm_pem_mutex ) ) {
+- Debug( LDAP_DEBUG_ANY,
+- "TLS: could not create mutex for PEM module: %d\n", errno, 0, 0 );
+- return PR_FAILURE;
+- }
+-
+ return PR_SUCCESS;
+ }
+ 
+@@ -2153,7 +2146,6 @@ tlsm_destroy( void )
+ #ifdef LDAP_R_COMPILE
+ ldap_pvt_thread_mutex_destroy( &tlsm_ctx_count_mutex );
+ ldap_pvt_thread_mutex_destroy( &tlsm_init_mutex );
+- ldap_pvt_thread_mutex_destroy( &tlsm_pem_mutex );
+ #endif
+ }
+ 
+@@ -2840,16 +2832,9 @@ static int
+ tlsm_session_accept_or_connect( tls_session *session, int is_accept )
+ {
+ tlsm_session *s = (tlsm_session *)session;
+- int rc;
++ int rc = SSL_ForceHandshake( s );
+ const char *op = is_accept ? "accept" : "connect";
+ 
+- if ( pem_module ) {
+- LDAP_MUTEX_LOCK( &tlsm_pem_mutex );
+- }
+- rc = SSL_ForceHandshake( s );
+- if ( pem_module ) {
+- LDAP_MUTEX_UNLOCK( &tlsm_pem_mutex );
+- }
+ if ( rc ) {
+ PRErrorCode err = PR_GetError();
+ rc = -1;
diff --git a/bugfix-openldap-support-tlsv1-and-later.patch b/bugfix-openldap-support-tlsv1-and-later.patch
new file mode 100644
index 0000000000000000000000000000000000000000..622278006eb46430b53b97c75c26b13ed3e8084e
--- /dev/null
+++ b/bugfix-openldap-support-tlsv1-and-later.patch
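Review bot: Dropping tlsm_pem_mutex around SSL_ForceHandshake() in tlsm_session_accept_or_connect removes the serialization the PEM-module path had, and this patch file carries no header saying why the handshake is now safe to run concurrently when pem_module is set. A short header (bug reference, what deadlocked, why the lock is no longer needed) would let the next maintainer judge whether the revert can be retired; the file name alone ("deadlock-revert") does not carry that. As a point of style, `int rc = SSL_ForceHandshake( s );` performs the handshake inside the declaration list; keeping `int rc;` and calling it as a statement after the declarations reads more clearly. tlsm_session_accept_or_connect continues outside the hunk.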
@@ -0,0 +1,42 @@
+diff --git a/include/ldap.h b/include/ldap.h
+index c245651..149b9ea 100644
+--- a/include/ldap.h
++++ b/include/ldap.h
+@@ -176,6 +176,7 @@ LDAP_BEGIN_DECL
+ #define LDAP_OPT_X_TLS_PROTOCOL_TLS1_0 ((3 << 8) + 1)
+ #define LDAP_OPT_X_TLS_PROTOCOL_TLS1_1 ((3 << 8) + 2)
+ #define LDAP_OPT_X_TLS_PROTOCOL_TLS1_2 ((3 << 8) + 3)
++#define LDAP_OPT_X_TLS_PROTOCOL_TLS1_3 ((3 << 8) + 4)
+ 
+ /* OpenLDAP SASL options */
+ #define LDAP_OPT_X_SASL_MECH 0x6100
+diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c
+index 49dc9b1..9e825c9 100644
+--- a/libraries/libldap/tls_m.c
++++ b/libraries/libldap/tls_m.c
+@@ -1849,6 +1849,8 @@ tlsm_deferred_init( void *arg )
+ NSSInitContext *initctx = NULL;
+ PK11SlotInfo *certdb_slot = NULL;
+ #endif
++ SSLVersionRange range;
++ SSLProtocolVariant variant;
+ SECStatus rc;
+ int done = 0;
+ 
+@@ -2031,6 +2033,16 @@ tlsm_deferred_init( void *arg )
+ }
+ }
+ 
++ /*
++ * Set the SSL version range. MozNSS SSL versions are the same as openldap's:
++ *
++ * SSL_LIBRARY_VERSION_TLS_1_* are equivalent to LDAP_OPT_X_TLS_PROTOCOL_TLS1_*
++ */
++ SSL_VersionRangeGetSupported(ssl_variant_stream, &range); /* this sets the max */
++ range.min = lt->lt_protocol_min ? lt->lt_protocol_min : range.min;
++ variant = ssl_variant_stream;
++ SSL_VersionRangeSetDefault(variant, &range);
++
+ NSS_SetDomesticPolicy();
+ 
+ PK11_SetPasswordFunc( tlsm_pin_prompt );
diff --git a/bugfix-openldap-temporary-ssl-thr-init-race.patch b/bugfix-openldap-temporary-ssl-thr-init-race.patch
new file mode 100644
index 0000000000000000000000000000000000000000..c94d060266bfb404d64cbc3df037a4406a209cec
--- /dev/null
+++ b/bugfix-openldap-temporary-ssl-thr-init-race.patch
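Review bot: The SECStatus results of `SSL_VersionRangeGetSupported()` and `SSL_VersionRangeSetDefault()` in tlsm_deferred_init are discarded, so a configured `lt_protocol_min` that NSS does not support (or that exceeds `range.max`) fails silently and the library keeps its built-in defaults while the operator believes the minimum is enforced. Check and log it, e.g. `if ( SSL_VersionRangeSetDefault( ssl_variant_stream, &range ) != SECSuccess ) { Debug( LDAP_DEBUG_ANY, "TLS: could not set the protocol version range: %d\n", PR_GetError(), 0, 0 ); }`. Only the minimum is applied here; if this ldaptls carries a protocol maximum as well, it is not honoured — worth confirming against the struct. The `variant` local only ever holds `ssl_variant_stream` and can be dropped. tlsm_deferred_init starts and ends outside the hunks.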
@@ -0,0 +1,35 @@
+diff --git a/libraries/libldap/tls2.c b/libraries/libldap/tls2.c
+index d25c190..94399d7 100644
+--- a/libraries/libldap/tls2.c
++++ b/libraries/libldap/tls2.c
+@@ -149,6 +149,9 @@ ldap_pvt_tls_destroy( void )
+ tls_imp->ti_tls_destroy();
+ }
+ 
++#ifdef LDAP_R_COMPILE
++static pthread_once_t tlsm_initialized = PTHREAD_ONCE_INIT;
++#endif
+ /*
+ * Initialize a particular TLS implementation.
+ * Called once per implementation.
+@@ -158,6 +161,10 @@ tls_init(tls_impl *impl )
+ {
+ static int tls_initialized = 0;
+ 
++#ifdef LDAP_R_COMPILE
++ (void)pthread_once(&tlsm_initialized, impl->ti_thr_init);
++#endif
++
+ if ( !tls_initialized++ ) {
+ #ifdef LDAP_R_COMPILE
+ ldap_pvt_thread_mutex_init( &tls_def_ctx_mutex );
+@@ -166,9 +173,6 @@ tls_init(tls_impl *impl )
+ 
+ if ( impl->ti_inited++ ) return 0;
+ 
+-#ifdef LDAP_R_COMPILE
+- impl->ti_thr_init();
+-#endif
+ return impl->ti_tls_init();
+ }
+ 
diff --git a/check-password-makefile.patch b/check-password-makefile.patch
new file mode 100644
index 0000000000000000000000000000000000000000..f39ba818bd299c82f07a8e109dcf59f6bfd6444f
--- /dev/null
+++ b/check-password-makefile.patch
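Review bot: `tlsm_initialized` is one file-static once-control, but tls_init() takes the implementation as a parameter, so `pthread_once(&tlsm_initialized, impl->ti_thr_init)` runs the thread init only for whichever impl is passed first; a second impl's `ti_thr_init` would never run. If a single TLS implementation is always compiled in that is fine, but it should be said on the declaration, e.g. `/* shared once-control: assumes a single TLS implementation is linked */`. pthread_once also requires a `void (*)(void)` callback, so `ti_thr_init` must have exactly that signature, and the rest of tls2.c goes through `ldap_pvt_thread_*` rather than pthreads directly — the "temporary" in the file name suggests this is known, and a comment saying so would help. tls_init continues outside the hunk.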
@@ -0,0 +1,41 @@ +--- a/Makefile 2009-10-31 18:59:06.000000000 +0100 ++++ b/Makefile 2014-12-17 09:42:37.586079225 +0100 +@@ -13,22 +13,11 @@ + # + CONFIG=/etc/openldap/check_password.conf + +-OPT=-g -O2 -Wall -fpic \ +- -DHAVE_CRACKLIB -DCRACKLIB_DICTPATH="\"$(CRACKLIB)\"" \ +- -DCONFIG_FILE="\"$(CONFIG)\"" \ ++CFLAGS+=-fpic \ ++ -DHAVE_CRACKLIB -DCRACKLIB_DICTPATH="\"$(CRACKLIB)\"" \ ++ -DCONFIG_FILE="\"$(CONFIG)\"" \ + -DDEBUG + +-# Where to find the OpenLDAP headers. +-# +-LDAP_INC=-I/home/pyb/tmp/openldap-2.3.39/include \ +- -I/home/pyb/tmp/openldap-2.3.39/servers/slapd +- +-# Where to find the CrackLib headers. +-# +-CRACK_INC= +- +-INCS=$(LDAP_INC) $(CRACK_INC) +- + LDAP_LIB=-lldap_r -llber + + # Comment out this line if you do NOT want to use the cracklib. +@@ -45,10 +34,10 @@ + all: check_password + + check_password.o: +- $(CC) $(OPT) -c $(INCS) check_password.c ++ $(CC) $(CFLAGS) -c $(LDAP_INC) check_password.c + + check_password: clean check_password.o +- $(CC) -shared -o check_password.so check_password.o $(CRACKLIB_LIB) ++ $(CC) $(LDFLAGS) -shared -o check_password.so check_password.o $(CRACKLIB_LIB) + + install: check_password + cp -f check_password.so ../../../usr/lib/openldap/modules/ diff --git a/check-password.patch b/check-password.patch new file mode 100644 index 0000000000000000000000000000000000000000..7a79e954bed3bc47018eb7e56cdc29142119f4fe --- /dev/null +++ b/check-password.patch 
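Review bot: `$(LDAP_INC)` is still used in the check_password.o rule after its definition (and `INCS`) was removed, so with this patch the variable has to arrive from the environment or the make command line. A one-line comment above the rule, e.g. `# LDAP_INC is supplied by the build environment (path to the slapd private headers)`, would make that dependency visible to whoever builds the module outside the package.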
@@ -0,0 +1,321 @@ +--- a/check_password.c 2009-10-31 18:59:06.000000000 +0100 ++++ b/check_password.c 2014-12-17 12:25:00.148900907 +0100 +@@ -10,7 +10,7 @@ + #include + + #ifdef HAVE_CRACKLIB +-#include "crack.h" ++#include + #endif + + #if defined(DEBUG) +@@ -34,18 +34,77 @@ + #define PASSWORD_TOO_SHORT_SZ \ + "Password for dn=\"%s\" is too short (%d/6)" + #define PASSWORD_QUALITY_SZ \ +- "Password for dn=\"%s\" does not pass required number of strength checks (%d of %d)" ++ "Password for dn=\"%s\" does not pass required number of strength checks for the required character sets (%d of %d)" + #define BAD_PASSWORD_SZ \ + "Bad password for dn=\"%s\" because %s" ++#define UNKNOWN_ERROR_SZ \ ++ "An unknown error occurred, please see your systems administrator" + + typedef int (*validator) (char*); +-static int read_config_file (char *); ++static int read_config_file (); + static validator valid_word (char *); + static int set_quality (char *); + static int set_cracklib (char *); + + int check_password (char *pPasswd, char **ppErrStr, Entry *pEntry); + ++struct config_entry { ++ char* key; ++ char* value; ++ char* def_value; ++} config_entries[] = { { "minPoints", NULL, "3"}, ++ { "useCracklib", NULL, "1"}, ++ { "minUpper", NULL, "0"}, ++ { "minLower", NULL, "0"}, ++ { "minDigit", NULL, "0"}, ++ { "minPunct", NULL, "0"}, ++ { NULL, NULL, NULL }}; ++ ++int get_config_entry_int(char* entry) { ++ struct config_entry* centry = config_entries; ++ ++ int i = 0; ++ char* key = centry[i].key; ++ while (key != NULL) { ++ if ( strncmp(key, entry, strlen(key)) == 0 ) { ++ if ( centry[i].value == NULL ) { ++ return atoi(centry[i].def_value); ++ } ++ else { ++ return atoi(centry[i].value); ++ } ++ } ++ i++; ++ key = centry[i].key; ++ } ++ ++ return -1; ++} ++ ++void dealloc_config_entries() { ++ struct config_entry* centry = config_entries; ++ ++ int i = 0; ++ while (centry[i].key != NULL) { ++ if ( centry[i].value != NULL ) { ++ ber_memfree(centry[i].value); ++ } ++ i++; ++ } ++} 
++ ++char* chomp(char *s) ++{ ++ char* t = ber_memalloc(strlen(s)+1); ++ strncpy (t,s,strlen(s)+1); ++ ++ if ( t[strlen(t)-1] == '\n' ) { ++ t[strlen(t)-1] = '\0'; ++ } ++ ++ return t; ++} ++ + static int set_quality (char *value) + { + #if defined(DEBUG) +@@ -84,12 +143,12 @@ + char * parameter; + validator dealer; + } list[] = { { "minPoints", set_quality }, +- { "useCracklib", set_cracklib }, +- { "minUpper", set_digit }, +- { "minLower", set_digit }, +- { "minDigit", set_digit }, +- { "minPunct", set_digit }, +- { NULL, NULL } }; ++ { "useCracklib", set_cracklib }, ++ { "minUpper", set_digit }, ++ { "minLower", set_digit }, ++ { "minDigit", set_digit }, ++ { "minPunct", set_digit }, ++ { NULL, NULL } }; + int index = 0; + + #if defined(DEBUG) +@@ -98,7 +157,7 @@ + + while (list[index].parameter != NULL) { + if (strlen(word) == strlen(list[index].parameter) && +- strcmp(list[index].parameter, word) == 0) { ++ strcmp(list[index].parameter, word) == 0) { + #if defined(DEBUG) + syslog(LOG_NOTICE, "check_password: Parameter accepted."); + #endif +@@ -114,13 +173,15 @@ + return NULL; + } + +-static int read_config_file (char *keyWord) ++static int read_config_file () + { + FILE * config; + char * line; + int returnValue = -1; + +- if ((line = ber_memcalloc(260, sizeof(char))) == NULL) { ++ line = ber_memcalloc(260, sizeof(char)); ++ ++ if ( line == NULL ) { + return returnValue; + } + +@@ -133,6 +194,8 @@ + return returnValue; + } + ++ returnValue = 0; ++ + while (fgets(line, 256, config) != NULL) { + char *start = line; + char *word, *value; +@@ -145,23 +208,40 @@ + + while (isspace(*start) && isascii(*start)) start++; + +- if (! isascii(*start)) ++ /* If we've got punctuation, just skip the line. */ ++ if ( ispunct(*start)) { ++#if defined(DEBUG) ++ /* Debug traces to syslog. 
*/ ++ syslog(LOG_NOTICE, "check_password: Skipped line |%s|", line); ++#endif + continue; ++ } + +- if ((word = strtok(start, " \t")) && (dealer = valid_word(word)) && (strcmp(keyWord,word)==0)) { +- if ((value = strtok(NULL, " \t")) == NULL) +- continue; ++ if( isascii(*start)) { ++ ++ struct config_entry* centry = config_entries; ++ int i = 0; ++ char* keyWord = centry[i].key; ++ if ((word = strtok(start, " \t")) && (value = strtok(NULL, " \t"))) { ++ while ( keyWord != NULL ) { ++ if ((strncmp(keyWord,word,strlen(keyWord)) == 0) && (dealer = valid_word(word)) ) { + + #if defined(DEBUG) +- syslog(LOG_NOTICE, "check_password: Word = %s, value = %s", word, value); ++ syslog(LOG_NOTICE, "check_password: Word = %s, value = %s", word, value); + #endif + +- returnValue = (*dealer)(value); ++ centry[i].value = chomp(value); ++ break; ++ } ++ i++; ++ keyWord = centry[i].key; ++ } ++ } + } + } +- + fclose(config); + ber_memfree(line); ++ + return returnValue; + } + +@@ -170,7 +250,7 @@ + if (curlen < nextlen + MEMORY_MARGIN) { + #if defined(DEBUG) + syslog(LOG_WARNING, "check_password: Reallocating szErrStr from %d to %d", +- curlen, nextlen + MEMORY_MARGIN); ++ curlen, nextlen + MEMORY_MARGIN); + #endif + ber_memfree(*target); + curlen = nextlen + MEMORY_MARGIN; +@@ -180,7 +260,7 @@ + return curlen; + } + +- int ++int + check_password (char *pPasswd, char **ppErrStr, Entry *pEntry) + { + +@@ -210,20 +290,22 @@ + nLen = strlen (pPasswd); + if ( nLen < 6) { + mem_len = realloc_error_message(&szErrStr, mem_len, +- strlen(PASSWORD_TOO_SHORT_SZ) + +- strlen(pEntry->e_name.bv_val) + 1); ++ strlen(PASSWORD_TOO_SHORT_SZ) + ++ strlen(pEntry->e_name.bv_val) + 1); + sprintf (szErrStr, PASSWORD_TOO_SHORT_SZ, pEntry->e_name.bv_val, nLen); + goto fail; + } + +- /* Read config file */ +- minQuality = read_config_file("minPoints"); ++ if (read_config_file() == -1) { ++ syslog(LOG_ERR, "Warning: Could not read values from config file %s. 
Using defaults.", CONFIG_FILE); ++ } + +- useCracklib = read_config_file("useCracklib"); +- minUpper = read_config_file("minUpper"); +- minLower = read_config_file("minLower"); +- minDigit = read_config_file("minDigit"); +- minPunct = read_config_file("minPunct"); ++ minQuality = get_config_entry_int("minPoints"); ++ useCracklib = get_config_entry_int("useCracklib"); ++ minUpper = get_config_entry_int("minUpper"); ++ minLower = get_config_entry_int("minLower"); ++ minDigit = get_config_entry_int("minDigit"); ++ minPunct = get_config_entry_int("minPunct"); + + /** The password must have at least minQuality strength points with one + * point for the first occurrance of a lower, upper, digit and +@@ -232,8 +314,6 @@ + + for ( i = 0; i < nLen; i++ ) { + +- if ( nQuality >= minQuality ) break; +- + if ( islower (pPasswd[i]) ) { + minLower--; + if ( !nLower && (minLower < 1)) { +@@ -279,12 +359,23 @@ + } + } + +- if ( nQuality < minQuality ) { ++ /* ++ * If you have a required field, then it should be required in the strength ++ * checks. 
++ */ ++ ++ if ( ++ (minLower > 0 ) || ++ (minUpper > 0 ) || ++ (minDigit > 0 ) || ++ (minPunct > 0 ) || ++ (nQuality < minQuality) ++ ) { + mem_len = realloc_error_message(&szErrStr, mem_len, +- strlen(PASSWORD_QUALITY_SZ) + +- strlen(pEntry->e_name.bv_val) + 2); ++ strlen(PASSWORD_QUALITY_SZ) + ++ strlen(pEntry->e_name.bv_val) + 2); + sprintf (szErrStr, PASSWORD_QUALITY_SZ, pEntry->e_name.bv_val, +- nQuality, minQuality); ++ nQuality, minQuality); + goto fail; + } + +@@ -306,7 +397,7 @@ + for ( j = 0; j < 3; j++ ) { + + snprintf (filename, FILENAME_MAXLEN - 1, "%s.%s", \ +- CRACKLIB_DICTPATH, ext[j]); ++ CRACKLIB_DICTPATH, ext[j]); + + if (( fp = fopen ( filename, "r")) == NULL ) { + +@@ -326,9 +417,9 @@ + r = (char *) FascistCheck (pPasswd, CRACKLIB_DICTPATH); + if ( r != NULL ) { + mem_len = realloc_error_message(&szErrStr, mem_len, +- strlen(BAD_PASSWORD_SZ) + +- strlen(pEntry->e_name.bv_val) + +- strlen(r)); ++ strlen(BAD_PASSWORD_SZ) + ++ strlen(pEntry->e_name.bv_val) + ++ strlen(r)); + sprintf (szErrStr, BAD_PASSWORD_SZ, pEntry->e_name.bv_val, r); + goto fail; + } +@@ -342,15 +433,15 @@ + } + + #endif +- ++ dealloc_config_entries(); + *ppErrStr = strdup (""); + ber_memfree(szErrStr); + return (LDAP_SUCCESS); + + fail: ++ dealloc_config_entries(); + *ppErrStr = strdup (szErrStr); + ber_memfree(szErrStr); + return (EXIT_FAILURE); + + } +- diff --git a/ldap.conf b/ldap.conf new file mode 100644 index 0000000000000000000000000000000000000000..02c595f243b9a89c9d3076747f945be6f4cee2e8 --- /dev/null +++ b/ldap.conf 
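Review bot: `dealloc_config_entries()` frees each `config_entries[i].value` but leaves the pointer in place, and `read_config_file()` only overwrites it when the key is seen again, so on a later `check_password()` call where the config file is unreadable or a key is absent, `get_config_entry_int()` runs `atoi()` on freed memory and `dealloc_config_entries()` frees it a second time; add `centry[i].value = NULL;` right after the `ber_memfree()`. `config_entries` is also process-wide mutable state with no locking, so if slapd invokes this checker from more than one thread at once the `value` pointers are raced on — parsing into a per-call structure, or a mutex around the table, would close both issues. `chomp()` does not check the `ber_memalloc()` result before `strncpy()`, and `centry[i].value = chomp(value)` leaks the previous value when a key appears twice in the file. The `strncmp(keyWord, word, strlen(keyWord))` tests are prefix matches, so a misspelled `minUpperX` line is silently accepted as `minUpper`; the `strcmp` the old code used is the safer test. The touched functions start and end outside the visible hunks.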
@@ -0,0 +1,28 @@ +# +# LDAP Defaults +# + +# See ldap.conf(5) for details +# This file should be world readable but not world writable. + +#BASE dc=example,dc=com +#URI ldap://ldap.example.com ldap://ldap-master.example.com:666 + +#SIZELIMIT 12 +#TIMELIMIT 15 +#DEREF never + +# When no CA certificates are specified the Shared System Certificates +# are in use. In order to have these available along with the ones specified +# by TLS_CACERTDIR one has to include them explicitly: +#TLS_CACERT /etc/pki/tls/cert.pem + +# System-wide Crypto Policies provide up to date cipher suite which should +# be used unless one needs a finer grinded selection of ciphers. Hence, the +# PROFILE=SYSTEM value represents the default behavior which is in place +# when no explicit setting is used. (see openssl-ciphers(1) for more info) +#TLS_CIPHER_SUITE PROFILE=SYSTEM + +# Turning this off breaks GSSAPI used with krb5 when rdns = false +SASL_NOCANON on + diff --git a/libexec-check-config.sh b/libexec-check-config.sh new file mode 100644 index 0000000000000000000000000000000000000000..87e377f035ed99612063f077804958c5e1e12e70 --- /dev/null +++ b/libexec-check-config.sh 
@@ -0,0 +1,91 @@ +#!/bin/sh +# Author: Jan Vcelak + +. /usr/libexec/openldap/functions + +function check_config_syntax() +{ + retcode=0 + tmp_slaptest=`mktemp --tmpdir=/var/run/openldap` + run_as_ldap "/usr/sbin/slaptest $SLAPD_GLOBAL_OPTIONS -u" &>$tmp_slaptest + if [ $? -ne 0 ]; then + error "Checking configuration file failed:" + cat $tmp_slaptest >&2 + retcode=1 + fi + rm $tmp_slaptest + return $retcode +} + +function check_certs_perms() +{ + retcode=0 + for cert in `certificates`; do + run_as_ldap "/usr/bin/test -e \"$cert\"" + if [ $? -ne 0 ]; then + error "TLS certificate/key/DB '%s' was not found." "$cert" + retcoder=1 + continue + fi + run_as_ldap "/usr/bin/test -r \"$cert\"" + if [ $? -ne 0 ]; then + error "TLS certificate/key/DB '%s' is not readable." "$cert" + retcode=1 + fi + done + return $retcode +} + +function check_db_perms() +{ + retcode=0 + for dbdir in `databases`; do + [ -d "$dbdir" ] || continue + for dbfile in `find ${dbdir} -maxdepth 1 -name "*.dbb" -or -name "*.gdbm" -or -name "*.bdb" -or -name "__db.*" -or -name "log.*" -or -name "alock"`; do + run_as_ldap "/usr/bin/test -r \"$dbfile\" -a -w \"$dbfile\"" + if [ $? -ne 0 ]; then + error "Read/write permissions for DB file '%s' are required." "$dbfile" + retcode=1 + fi + done + done + return $retcode +} + +function check_everything() +{ + retcode=0 + check_config_syntax || retcode=1 + # TODO: need support for Mozilla NSS, disabling temporarily + #check_certs_perms || retcode=1 + check_db_perms || retcode=1 + return $retcode +} + +if [ `id -u` -ne 0 ]; then + error "You have to be root to run this script." + exit 4 +fi + +load_sysconfig + +if [ -n "$SLAPD_CONFIG_DIR" ]; then + if [ ! -d "$SLAPD_CONFIG_DIR" ]; then + error "Configuration directory '%s' does not exist." "$SLAPD_CONFIG_DIR" + else + check_everything + exit $? + fi +fi + +if [ -n "$SLAPD_CONFIG_FILE" ]; then + if [ ! -f "$SLAPD_CONFIG_FILE" ]; then + error "Configuration file '%s' does not exist." 
"$SLAPD_CONFIG_FILE" + else + error "Warning: Usage of a configuration file is obsolete!" + check_everything + exit $? + fi +fi + +exit 1 diff --git a/libexec-functions b/libexec-functions new file mode 100644 index 0000000000000000000000000000000000000000..990d2b80ada27d3a67a42a66ee70cfd0f0e91df2 --- /dev/null +++ b/libexec-functions 
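Review bot: `retcoder=1` in check_certs_perms is a typo, so a missing certificate/key file is reported but the function still returns 0; it should read `retcode=1`. The script runs under `#!/bin/sh` yet uses `function` and `&>$tmp_slaptest`; in a POSIX sh such as dash, `&>` parses as a background `&` followed by `> file`, so slaptest is backgrounded and the following `$?` check does not reflect its exit status — either change the shebang to `#!/bin/bash` or redirect with `>"$tmp_slaptest" 2>&1`. `mktemp --tmpdir=/var/run/openldap` can fail (directory missing), and its result is used unquoted; check it before use and quote `"$tmp_slaptest"` in the `cat` and `rm` calls.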
@@ -0,0 +1,134 @@ +# Author: Jan Vcelak + +SLAPD_USER= +SLAPD_CONFIG_FILE= +SLAPD_CONFIG_DIR= +SLAPD_CONFIG_CUSTOM= +SLAPD_GLOBAL_OPTIONS= +SLAPD_SYSCONFIG_FILE= + +function default_config() +{ + SLAPD_USER=ldap + SLAPD_CONFIG_FILE=/etc/openldap/slapd.conf + SLAPD_CONFIG_DIR=/etc/openldap/slapd.d + SLAPD_CONFIG_CUSTOM= + SLAPD_GLOBAL_OPTIONS= + SLAPD_SYSCONFIG_FILE=/etc/sysconfig/slapd +} + +function parse_config_options() +{ + user= + config_file= + config_dir= + while getopts :u:f:F: opt; do + case "$opt" in + u) + user="$OPTARG" + ;; + f) + config_file="$OPTARG" + ;; + F) + config_dir="$OPTARG" + ;; + esac + done + + if [ -n "$user" ]; then + SLAPD_USER="$user" + fi + + if [ -n "$config_dir" ]; then + SLAPD_CONFIG_DIR="$config_dir" + SLAPD_CONFIG_FILE= + SLAPD_CONFIG_CUSTOM=1 + SLAPD_GLOBAL_OPTIONS="-F '$config_dir'" + elif [ -n "$config_file" ]; then + SLAPD_CONFIG_DIR= + SLAPD_CONFIG_FILE="$config_file" + SLAPD_CONFIG_CUSTOM=1 + SLAPD_GLOBAL_OPTIONS="-f '$config_file'" + fi +} + +function uses_new_config() +{ + [ -n "$SLAPD_CONFIG_DIR" ] + return $? +} + +function run_as_ldap() +{ + /sbin/runuser --shell /bin/sh --session-command "$1" "$SLAPD_USER" + return $? 
+} + +function ldif_unbreak() +{ + sed ':a;N;s/\n //;ta;P;D' +} + +function ldif_value() +{ + sed 's/^[^:]*: //' +} + +function databases_new() +{ + slapcat $SLAPD_GLOBAL_OPTIONS -c \ + -H 'ldap:///cn=config???(|(objectClass=olcBdbConfig)(objectClass=olcHdbConfig))' 2>/dev/null | \ + ldif_unbreak | \ + grep '^olcDbDirectory: ' | \ + ldif_value +} + +function databases_old() +{ + awk 'begin { database="" } + $1 == "database" { database=$2 } + $1 == "directory" { if (database == "bdb" || database == "hdb") print $2}' \ + "$SLAPD_CONFIG_FILE" +} + +function certificates_new() +{ + slapcat $SLAPD_GLOBAL_OPTIONS -c -H 'ldap:///cn=config???(cn=config)' 2>/dev/null | \ + ldif_unbreak | \ + grep '^olcTLS\(CACertificateFile\|CACertificatePath\|CertificateFile\|CertificateKeyFile\): ' | \ + ldif_value +} + +function certificates_old() +{ + awk '$1 ~ "^TLS(CACertificate(File|Path)|CertificateFile|CertificateKeyFile)$" { print $2 } ' \ + "$SLAPD_CONFIG_FILE" +} + +function certificates() +{ + uses_new_config && certificates_new || certificates_old +} + +function databases() +{ + uses_new_config && databases_new || databases_old +} + + +function error() +{ + format="$1\n"; shift + printf "$format" $@ >&2 +} + +function load_sysconfig() +{ + [ -r "$SLAPD_SYSCONFIG_FILE" ] || return + + . "$SLAPD_SYSCONFIG_FILE" + [ -n "$SLAPD_OPTIONS" ] && parse_config_options $SLAPD_OPTIONS +} + +default_config diff --git a/libexec-upgrade-db.sh b/libexec-upgrade-db.sh new file mode 100644 index 0000000000000000000000000000000000000000..1543c80b408f1c991f93d4e4a009d08a2fed4792 --- /dev/null +++ b/libexec-upgrade-db.sh 
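Review bot: `SLAPD_GLOBAL_OPTIONS="-F '$config_dir'"` embeds literal single quotes, which are re-parsed correctly inside `run_as_ldap` (the string goes through another shell) but not in `databases_new`/`certificates_new`, where `slapcat $SLAPD_GLOBAL_OPTIONS` expands unquoted and slapcat receives a path with the quote characters included; the two kinds of call site need one consistent form. `error()` expands `$@` unquoted, so a path containing spaces is split across `printf` arguments; use `"$@"`. `run_as_ldap` hands `$1` to `runuser --session-command`, i.e. to a shell, so directory and file names taken from the configuration are interpolated into a command line; they are admin-controlled here, but every caller must keep quoting them as the existing ones do. In `databases_old`, `begin { database="" }` is lowercase, so awk treats `begin` as an (empty) variable pattern rather than the BEGIN block; harmless because the variable defaults to empty, but `BEGIN` is what is meant.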
@@ -0,0 +1,40 @@
+#!/bin/sh
+# Author: Jan Vcelak
+
+. /usr/libexec/openldap/functions
+
+if [ `id -u` -ne 0 ]; then
+ error "You have to be root to run this command."
+ exit 4
+fi
+
+load_sysconfig
+retcode=0
+
+for dbdir in `databases`; do
+ upgrade_log="$dbdir/db_upgrade.`date +%Y%m%d%H%M%S`.log"
+ bdb_files=`find "$dbdir" -maxdepth 1 -name "*.bdb" -printf '"%f" '`
+
+ # skip uninitialized database
+ [ -z "$bdb_files"] || continue
+
+ printf "Updating '%s', logging into '%s'\n" "$dbdir" "$upgrade_log"
+
+ # perform the update
+ for command in \
+ "/usr/bin/db_recover -v -h \"$dbdir\"" \
+ "/usr/bin/db_upgrade -v -h \"$dbdir\" $bdb_files" \
+ "/usr/bin/db_checkpoint -v -h \"$dbdir\" -1" \
+ ; do
+ printf "Executing: %s\n" "$command" &>>$upgrade_log
+ run_as_ldap "$command" &>>$upgrade_log
+ result=$?
+ printf "Exit code: %d\n" $result >>"$upgrade_log"
+ if [ $result -ne 0 ]; then
+ printf "Upgrade failed: %d\n" $result
+ retcode=1
+ fi
+ done
+done
+
+exit $retcode
diff --git a/ltb-project-openldap-ppolicy-check-password-1.1.tar.gz b/ltb-project-openldap-ppolicy-check-password-1.1.tar.gz
new file mode 100644
index 0000000000000000000000000000000000000000..83544f5f1bb7e418befbffac1ea1472138c313b7
Binary files /dev/null and b/ltb-project-openldap-ppolicy-check-password-1.1.tar.gz differ
diff --git a/openldap-2.4.46.tgz b/openldap-2.4.46.tgz
new file mode 100644
index 0000000000000000000000000000000000000000..04c6e7983ccead86af65b4ffcfd6e284433e4425
Binary files /dev/null and b/openldap-2.4.46.tgz differ
diff --git a/openldap-ai-addrconfig.patch b/openldap-ai-addrconfig.patch
new file mode 100644
index 0000000000000000000000000000000000000000..0858fac24e2ca11ddce8c84d545c0cfafed8606e
--- /dev/null
+++ b/openldap-ai-addrconfig.patch
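Review bot: `[ -z "$bdb_files"] || continue` is both malformed (no space before `]`, so `test` reports a missing `]` and returns non-zero) and inverted for its stated purpose: with `-z` it would skip the initialized databases, and as written it always continues, so no database is ever upgraded. It should be `[ -n "$bdb_files" ] || continue`. `&>>` is a bash extension under a `#!/bin/sh` shebang (in a POSIX sh it backgrounds the command), and `$bdb_files`, built with `-printf '"%f" '`, is interpolated into a command string for `run_as_ldap`, so a file name containing a quote would break the command line.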
@@ -0,0 +1,20 @@
+use AI_ADDRCONFIG if defined in the environment
+
+Author: Jan Vcelak
+Upstream ITS: #7326
+Resolves: #835013
+
+diff --git a/libraries/libldap/os-ip.c b/libraries/libldap/os-ip.c
+index b31e05d..fa361ab 100644
+--- a/libraries/libldap/os-ip.c
++++ b/libraries/libldap/os-ip.c
+@@ -594,8 +594,7 @@ ldap_connect_to_host(LDAP *ld, Sockbuf *sb,
+ 
+ #if defined( HAVE_GETADDRINFO ) && defined( HAVE_INET_NTOP )
+ memset( &hints, '\0', sizeof(hints) );
+-#ifdef USE_AI_ADDRCONFIG /* FIXME: configure test needed */
+- /* Use AI_ADDRCONFIG only on systems where its known to be needed. */
++#ifdef AI_ADDRCONFIG
+ hints.ai_flags = AI_ADDRCONFIG;
+ #endif
+ hints.ai_family = ldap_int_inet4or6;
diff --git a/openldap-allop-overlay.patch b/openldap-allop-overlay.patch
new file mode 100644
index 0000000000000000000000000000000000000000..608ee44d0e03acaa958f8458ff97f1c1bbd12d68
--- /dev/null
+++ b/openldap-allop-overlay.patch
@@ -0,0 +1,40 @@ +Compile AllOp together with other overlays. + +Author: Matus Honek +Resolves: #1319782 + +diff --git a/servers/slapd/overlays/Makefile.in b/servers/slapd/overlays/Makefile.in +--- a/servers/slapd/overlays/Makefile.in ++++ b/servers/slapd/overlays/Makefile.in +@@ -33,7 +33,8 @@ SRCS = overlays.c \ + translucent.c \ + unique.c \ + valsort.c \ +- smbk5pwd.c ++ smbk5pwd.c \ ++ allop.c + OBJS = statover.o \ + @SLAPD_STATIC_OVERLAYS@ \ + overlays.o +@@ -53,7 +54,7 @@ NT_LINK_LIBS = -L.. -lslapd $(@BUILD_LIBS_DYNAMIC@_LDAP_LIBS) + UNIX_LINK_LIBS = $(@BUILD_LIBS_DYNAMIC@_LDAP_LIBS) + + LIBRARY = ../liboverlays.a +-PROGRAMS = @SLAPD_DYNAMIC_OVERLAYS@ smbk5pwd.la ++PROGRAMS = @SLAPD_DYNAMIC_OVERLAYS@ smbk5pwd.la allop.la + + XINCPATH = -I.. -I$(srcdir)/.. + XDEFS = $(MODULES_CPPFLAGS) +@@ -125,6 +126,12 @@ unique.la : unique.lo + smbk5pwd.la : smbk5pwd.lo + $(LTLINK_MOD) -module -o $@ smbk5pwd.lo version.lo $(LINK_LIBS) $(shell pkg-config openssl --libs) + ++allop.lo : allop.c ++ $(LTCOMPILE_MOD) -DDO_SAMBA -UHAVE_MOZNSS -DHAVE_OPENSSL $(shell pkg-config openssl --cflags) $< ++ ++allop.la : allop.lo ++ $(LTLINK_MOD) -module -o $@ allop.lo version.lo $(LINK_LIBS) $(shell pkg-config openssl --libs) ++ + install-local: $(PROGRAMS) + @if test -n "$?" ; then \ + $(MKDIR) $(DESTDIR)$(moduledir); \ diff --git a/openldap-ldapi-sasl.patch b/openldap-ldapi-sasl.patch new file mode 100644 index 0000000000000000000000000000000000000000..058cc1c32eb9eb1b7a49783a15251706d796b065 --- /dev/null +++ b/openldap-ldapi-sasl.patch 
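Review bot: The new `allop.lo` rule copies the smbk5pwd recipe verbatim, including `-DDO_SAMBA -UHAVE_MOZNSS -DHAVE_OPENSSL` and the OpenSSL cflags/libs, which do not look like anything the allop overlay needs. If they are not needed, drop them so the module does not link a second crypto library for no reason; if they are, a comment on the rule should say why.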
@@ -0,0 +1,55 @@
+From 69709289b083c53ba41d2cef7d65120220f8c59b Mon Sep 17 00:00:00 2001
+From: Sumit Bose
+Date: Tue, 7 May 2013 17:02:57 +0200
+Subject: [PATCH] LDAPI SASL fix
+
+Resolves: #960222
+---
+ libraries/libldap/cyrus.c | 19 ++++++++++++++++---
+ 1 Datei geändert, 16 Zeilen hinzugefügt(+), 3 Zeilen entfernt(-)
+
+diff --git a/libraries/libldap/cyrus.c b/libraries/libldap/cyrus.c
+index 28c241b..a9acf36 100644
+--- a/libraries/libldap/cyrus.c
++++ b/libraries/libldap/cyrus.c
+@@ -394,6 +394,8 @@ ldap_int_sasl_bind(
+ struct berval ccred = BER_BVNULL;
+ int saslrc, rc;
+ unsigned credlen;
++ char my_hostname[HOST_NAME_MAX + 1];
++ int free_saslhost = 0;
+ 
+ Debug( LDAP_DEBUG_TRACE, "ldap_int_sasl_bind: %s\n",
+ mechs ? mechs : "", 0, 0 );
+@@ -454,14 +456,25 @@ ldap_int_sasl_bind(
+ 
+ /* If we don't need to canonicalize just use the host
+ * from the LDAP URI.
++ * Always use the result of gethostname() for LDAPI.
+ */
+- if ( nocanon )
++ if (ld->ld_defconn->lconn_server->lud_scheme != NULL &&
++ strcmp("ldapi", ld->ld_defconn->lconn_server->lud_scheme) == 0) {
++ rc = gethostname(my_hostname, HOST_NAME_MAX + 1);
++ if (rc == 0) {
++ saslhost = my_hostname;
++ } else {
++ saslhost = "localhost";
++ }
++ } else if ( nocanon )
+ saslhost = ld->ld_defconn->lconn_server->lud_host;
+- else
++ else {
+ saslhost = ldap_host_connected_to( ld->ld_defconn->lconn_sb,
+ "localhost" );
++ free_saslhost = 1;
++ }
+ rc = ldap_int_sasl_open( ld, ld->ld_defconn, saslhost );
+- if ( !nocanon )
++ if ( free_saslhost )
+ LDAP_FREE( saslhost );
+ }
+ 
+--
+1.7.11.7
+
diff --git a/openldap-manpages.patch b/openldap-manpages.patch
new file mode 100644
index 0000000000000000000000000000000000000000..b69a3919d6f47e7911938ea4b4c26cc3165a4541
--- /dev/null
+++ b/openldap-manpages.patch
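Review bot: `gethostname(my_hostname, HOST_NAME_MAX + 1)` does not guarantee NUL termination when the name is truncated (POSIX leaves that unspecified), and `saslhost = my_hostname` is then consumed as a C string; add `my_hostname[HOST_NAME_MAX] = '\0';` after the call. `HOST_NAME_MAX` also comes from `<limits.h>` and is not defined on every platform, so a fallback define (or sizing the buffer from `sysconf(_SC_HOST_NAME_MAX)`) would keep the build portable. The `free_saslhost` flag looks right: without it the old `!nocanon` test would have freed the stack buffer on the new ldapi branch. ldap_int_sasl_bind starts and ends outside the hunks.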
@@ -0,0 +1,73 @@ +Various manual pages changes: +* removes LIBEXECDIR from slapd.8 +* removes references to non-existing manpages (bz 624616) + +diff --git a/doc/man/man1/ldapmodify.1 b/doc/man/man1/ldapmodify.1 +index 3def6da..466c772 100644 +--- a/doc/man/man1/ldapmodify.1 ++++ b/doc/man/man1/ldapmodify.1 +@@ -397,8 +397,7 @@ exit status and a diagnostic message being written to standard error. + .BR ldap_add_ext (3), + .BR ldap_delete_ext (3), + .BR ldap_modify_ext (3), +-.BR ldap_modrdn_ext (3), +-.BR ldif (5). ++.BR ldif (5) + .SH AUTHOR + The OpenLDAP Project + .SH ACKNOWLEDGEMENTS +diff --git a/doc/man/man5/ldap.conf.5 b/doc/man/man5/ldap.conf.5 +index cfde143..63592cb 100644 +--- a/doc/man/man5/ldap.conf.5 ++++ b/doc/man/man5/ldap.conf.5 +@@ -317,6 +317,7 @@ certificates in separate individual files. The + .B TLS_CACERT + is always used before + .B TLS_CACERTDIR. ++The specified directory must be managed with the OpenSSL c_rehash utility. + This parameter is ignored with GnuTLS. + + When using Mozilla NSS, may contain a Mozilla NSS cert/key +diff --git a/doc/man/man8/slapd.8 b/doc/man/man8/slapd.8 +index b739f4d..e2a1a00 100644 +--- a/doc/man/man8/slapd.8 ++++ b/doc/man/man8/slapd.8 +@@ -5,7 +5,7 @@ + .SH NAME + slapd \- Stand-alone LDAP Daemon + .SH SYNOPSIS +-.B LIBEXECDIR/slapd ++.B slapd + [\c + .BR \-4 | \-6 ] + [\c +@@ -317,7 +317,7 @@ the LDAP databases defined in the default config file, just type: + .LP + .nf + .ft tt +- LIBEXECDIR/slapd ++ slapd + .ft + .fi + .LP +@@ -328,7 +328,7 @@ on voluminous debugging which will be printed on standard error, type: + .LP + .nf + .ft tt +- LIBEXECDIR/slapd \-f /var/tmp/slapd.conf \-d 255 ++ slapd -f /var/tmp/slapd.conf -d 255 + .ft + .fi + .LP +@@ -336,7 +336,7 @@ To test whether the configuration file is correct or not, type: + .LP + .nf + .ft tt +- LIBEXECDIR/slapd \-Tt ++ slapd -Tt + .ft + .fi + .LP +-- +1.8.1.4 + 
diff --git a/openldap-openssl-allow-ssl3.patch b/openldap-openssl-allow-ssl3.patch
new file mode 100644
index 0000000000000000000000000000000000000000..2a8e56d4cce0c123af97c8990e4a391046db537f
--- /dev/null
+++ b/openldap-openssl-allow-ssl3.patch
@@ -0,0 +1,24 @@
+Ensure SSLv3 is enabled when necessary
+
+Either at compilation time, or as a system-wide configuration, OpenSSL
+may have disabled SSLv3 protocol by default. This change ensures the
+protocol NO flag is cleared when necessary, hence allowing for the
+protocol to be used.
+
+Author: Matus Honek
+
+diff --git a/libraries/libldap/tls_o.c b/libraries/libldap/tls_o.c
+--- a/libraries/libldap/tls_o.c
++++ b/libraries/libldap/tls_o.c
+@@ -297,8 +297,10 @@ tlso_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server )
+ #endif
+ if ( lo->ldo_tls_protocol_min > LDAP_OPT_X_TLS_PROTOCOL_SSL3 )
+ SSL_CTX_set_options( ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 );
+- else if ( lo->ldo_tls_protocol_min > LDAP_OPT_X_TLS_PROTOCOL_SSL2 )
++ else if ( lo->ldo_tls_protocol_min > LDAP_OPT_X_TLS_PROTOCOL_SSL2 ) {
+ SSL_CTX_set_options( ctx, SSL_OP_NO_SSLv2 );
++ SSL_CTX_clear_options( ctx, SSL_OP_NO_SSLv3 );
++ }
+ 
+ if ( lo->ldo_tls_ciphersuite &&
+ !SSL_CTX_set_cipher_list( ctx, lt->lt_ciphersuite ) )
diff --git a/openldap-reentrant-gethostby.patch b/openldap-reentrant-gethostby.patch
new file mode 100644
index 0000000000000000000000000000000000000000..140b6e3381fbad62fb772a5c9ce7a3749e881516
--- /dev/null
+++ b/openldap-reentrant-gethostby.patch
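Review bot: `SSL_CTX_clear_options( ctx, SSL_OP_NO_SSLv3 )` re-enables SSLv3 at the application level whenever `ldo_tls_protocol_min` lies above SSL2 and at or below SSL3, overriding an OpenSSL build option or system-wide policy that disabled it; that is the stated intent, but it happens silently. Emit a log line so operators can see the downgrade in effect, e.g. `Debug( LDAP_DEBUG_ANY, "TLS: SSLv3 re-enabled by TLS_PROTOCOL_MIN, overriding the system policy\n", 0, 0, 0 );` inside the new braces. As far as the visible lines show, an unset (zero) minimum takes neither branch, so only an explicit `TLS_PROTOCOL_MIN SSL3` triggers this; the patch header would benefit from stating that. tlso_ctx_init continues outside the hunk.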
@@ -0,0 +1,33 @@
+The non-reentrant gethostbyXXXX() functions deadlock if called recursively, for
+example if libldap needs to be initialized from within gethostbyXXXX() (which
+actually happens if nss_ldap is used for hostname resolution and earlier
+modules can't resolve the local host name), so use the reentrant versions of
+the functions, even if we're not being compiled for use in libldap_r
+
+Resolves: #179730
+Author: Jeffery Layton
+
+diff --git a/libraries/libldap/util-int.c b/libraries/libldap/util-int.c
+index 373c81c..a012062 100644
+--- a/libraries/libldap/util-int.c
++++ b/libraries/libldap/util-int.c
+@@ -52,8 +52,8 @@ extern int h_errno;
+ #ifndef LDAP_R_COMPILE
+ # undef HAVE_REENTRANT_FUNCTIONS
+ # undef HAVE_CTIME_R
+-# undef HAVE_GETHOSTBYNAME_R
+-# undef HAVE_GETHOSTBYADDR_R
++/* # undef HAVE_GETHOSTBYNAME_R */
++/* # undef HAVE_GETHOSTBYADDR_R */
+ 
+ #else
+ # include
+@@ -317,7 +317,7 @@ ldap_pvt_csnstr(char *buf, size_t len, unsigned int replica, unsigned int mod)
+ #define BUFSTART (1024-32)
+ #define BUFMAX (32*1024-32)
+ 
+-#if defined(LDAP_R_COMPILE)
++#if defined(LDAP_R_COMPILE) || defined(HAVE_GETHOSTBYNAME_R) && defined(HAVE_GETHOSTBYADDR_R)
+ static char *safe_realloc( char **buf, int len );
+ 
+ #if !(defined(HAVE_GETHOSTBYNAME_R) && defined(HAVE_GETHOSTBYADDR_R))
diff --git a/openldap-smbk5pwd-overlay.patch b/openldap-smbk5pwd-overlay.patch
new file mode 100644
index 0000000000000000000000000000000000000000..88ebc445f54a0615b9fe7dcb8ba1718daacefe69
--- /dev/null
+++ b/openldap-smbk5pwd-overlay.patch
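Review bot: `#if defined(LDAP_R_COMPILE) || defined(HAVE_GETHOSTBYNAME_R) && defined(HAVE_GETHOSTBYADDR_R)` mixes `||` and `&&` without parentheses; the precedence gives what is intended, but `-Wparentheses` will warn and readers have to stop and check, so write `#if defined(LDAP_R_COMPILE) || (defined(HAVE_GETHOSTBYNAME_R) && defined(HAVE_GETHOSTBYADDR_R))`. Commenting out the two `# undef` lines rather than deleting them leaves dead text in the header block; a one-line comment giving the reason (the recursive-resolution deadlock described in the patch header) would serve the next reader better than the commented-out directives.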
@@ -0,0 +1,49 @@
+Compile smbk5pwd together with other overlays.
+
+Author: Jan Šafránek
+Resolves: #550895
+
+Update to link against OpenSSL
+
+Author: Jan Vcelak
+Resolves: #841560
+
+diff --git a/servers/slapd/overlays/Makefile.in b/servers/slapd/overlays/Makefile.in
+index 3af20e8..ef73663 100644
+--- a/servers/slapd/overlays/Makefile.in
++++ b/servers/slapd/overlays/Makefile.in
+@@ -33,7 +33,8 @@ SRCS = overlays.c \
+ syncprov.c \
+ translucent.c \
+ unique.c \
+- valsort.c
++ valsort.c \
++ smbk5pwd.c
+ OBJS = statover.o \
+ @SLAPD_STATIC_OVERLAYS@ \
+ overlays.o
+@@ -53,7 +54,7 @@ NT_LINK_LIBS = -L.. -lslapd $(@BUILD_LIBS_DYNAMIC@_LDAP_LIBS)
+ UNIX_LINK_LIBS = $(@BUILD_LIBS_DYNAMIC@_LDAP_LIBS)
+
+ LIBRARY = ../liboverlays.a
+-PROGRAMS = @SLAPD_DYNAMIC_OVERLAYS@
++PROGRAMS = @SLAPD_DYNAMIC_OVERLAYS@ smbk5pwd.la
+
+ XINCPATH = -I.. -I$(srcdir)/..
+ XDEFS = $(MODULES_CPPFLAGS)
+@@ -125,6 +126,12 @@ unique.la : unique.lo
+ valsort.la : valsort.lo
+ $(LTLINK_MOD) -module -o $@ valsort.lo version.lo $(LINK_LIBS)
+
++smbk5pwd.lo : smbk5pwd.c
++ $(LTCOMPILE_MOD) -DDO_SAMBA -UHAVE_MOZNSS -DHAVE_OPENSSL $(shell pkg-config openssl --cflags) $<
++
++smbk5pwd.la : smbk5pwd.lo
++ $(LTLINK_MOD) -module -o $@ smbk5pwd.lo version.lo $(LINK_LIBS) $(shell pkg-config openssl --libs)
++
+ install-local: $(PROGRAMS)
+ @if test -n "$?" ; then \
+ $(MKDIR) $(DESTDIR)$(moduledir); \
+--
+1.7.10.4
+
diff --git a/openldap-switch-to-lt_dlopenadvise-to-get-RTLD_GLOBAL-set.patch b/openldap-switch-to-lt_dlopenadvise-to-get-RTLD_GLOBAL-set.patch
new file mode 100644
index 0000000000000000000000000000000000000000..ed4f2ad87528c9528e6c291617bceb579b28354e
--- /dev/null
+++ b/openldap-switch-to-lt_dlopenadvise-to-get-RTLD_GLOBAL-set.patch
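Review bot: The `$(shell pkg-config openssl --cflags)` / `--libs` expansions added to the two smbk5pwd rules are GNU-make only and expand to an empty string when pkg-config or openssl.pc is missing, so the module would compile and link without libcrypto and fail only later at `olcModuleload` instead of at build time. Guard the expansion, e.g. `$(or $(shell pkg-config --libs openssl),$(error openssl.pc not found))`, or reuse whatever TLS library variables configure already exports for the rest of slapd (not visible here). The hard-coded `-UHAVE_MOZNSS -DHAVE_OPENSSL` also pins smbk5pwd to OpenSSL regardless of how slapd itself was configured; a comment on the `smbk5pwd.lo` rule should say so.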
@@ -0,0 +1,41 @@
+From: Jan-Marek Glogowski
+Date: Tue, 18 May 2010 17:47:05 +0200
+Subject: [PATCH] Switch to lt_dlopenadvise() to get RTLD_GLOBAL set.
+
+Proof of concept for fixing http://bugs.debian.org/327585
+(patch ported from freeradius bug http://bugs.debian.org/416266)
+
+Resolves: #960048
+---
+--- openldap/servers/slapd/module.c.orig 2010-05-18 17:42:04.000000000 +0200
++++ openldap/servers/slapd/module.c 2010-05-18 17:45:46.000000000 +0200
+@@ -117,6 +117,20 @@
+ return -1; /* not found */
+ }
+
++static lt_dlhandle slapd_lt_dlopenext_global( const char *filename )
++{
++ lt_dlhandle handle = 0;
++ lt_dladvise advise;
++
++ if (!lt_dladvise_init (&advise) && !lt_dladvise_ext (&advise)
++ && !lt_dladvise_global (&advise))
++ handle = lt_dlopenadvise (filename, advise);
++
++ lt_dladvise_destroy (&advise);
++
++ return handle;
++}
++
+ int module_load(const char* file_name, int argc, char *argv[])
+ {
+ module_loaded_t *module;
+@@ -180,7 +194,7 @@
+ * to calling Debug. This is because Debug is a macro that expands
+ * into multiple function calls.
+ */
+- if ((module->lib = lt_dlopenext(file)) == NULL) {
++ if ((module->lib = slapd_lt_dlopenext_global(file)) == NULL) {
+ error = lt_dlerror();
+ #ifdef HAVE_EBCDIC
+ strcpy( ebuf, error );
diff --git a/openldap.spec b/openldap.spec
new file mode 100644
index 0000000000000000000000000000000000000000..78c4edd50cb4c3d7460911acb0906eddeb3aa609
--- /dev/null
+++ b/openldap.spec
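Review bot: `lt_dladvise_global` makes every symbol of every slapd module (and its dependencies) globally visible, so a module loaded later binds to whichever same-named symbol was loaded first; the patch header calls this a proof of concept, yet nothing in the code records why RTLD_GLOBAL is needed or that interposition risk. Give `slapd_lt_dlopenext_global` a header comment along the lines of `/* Load a module with RTLD_GLOBAL so libraries it pulls in later (e.g. a back_perl interpreter loading XS modules, per Debian #327585) can resolve its symbols; note this widens the symbol namespace for every module. */`, hedging the back_perl example if the bug is about something else. When `lt_dladvise_init` fails the function returns NULL without setting an error of its own, so the caller's `lt_dlerror()` reports only whatever libltdl recorded for the allocation failure; a one-line comment at the `return handle;` would save the next reader the trip. The enclosing `module_load` continues outside the hunk.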
@@ -0,0 +1,476 @@ +%global systemctl_bin /usr/bin/systemctl + +Name: openldap +Version: 2.4.46 +Release: 11 +Summary: LDAP support libraries +License: OpenLDAP +URL: https://www.openldap.org/ +Source0: https://www.openldap.org/software/download/OpenLDAP/openldap-release/openldap-%{version}.tgz +Source1: slapd.service +Source2: slapd.tmpfiles +Source3: slapd.ldif +Source4: ldap.conf +Source10: ltb-project-openldap-ppolicy-check-password-1.1.tar.gz +Source50: libexec-functions +Source52: libexec-check-config.sh +Source53: libexec-upgrade-db.sh + +Patch0: openldap-manpages.patch +Patch2: openldap-reentrant-gethostby.patch +Patch3: openldap-smbk5pwd-overlay.patch +Patch5: openldap-ai-addrconfig.patch +Patch17: openldap-allop-overlay.patch + +# http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=327585 +Patch19: openldap-switch-to-lt_dlopenadvise-to-get-RTLD_GLOBAL-set.patch +Patch20: openldap-ldapi-sasl.patch +Patch21: openldap-openssl-allow-ssl3.patch +Patch90: check-password-makefile.patch +Patch91: check-password.patch +Patch6000: bugfix-openldap-autoconf-pkgconfig-nss.patch +Patch6001: bugfix-openldap-nss-ciphers-use-nss-defaults.patch +Patch6002: bugfix-openldap-nss-ignore-certdb-type-prefix.patch +Patch6003: bugfix-openldap-nss-pk11-freeslot.patch +Patch6004: bugfix-openldap-nss-protocol-version-new-api.patch +Patch6005: bugfix-openldap-nss-unregister-on-unload.patch +Patch6006: bugfix-openldap-nss-update-list-of-ciphers.patch +Patch6007: bugfix-openldap-nss-ciphersuite-handle-masks-correctly.patch +Patch6008: bugfix-openldap-ssl-deadlock-revert.patch +Patch6009: bugfix-openldap-support-tlsv1-and-later.patch +Patch6010: bugfix-openldap-temporary-ssl-thr-init-race.patch +Patch6011: Fix-calls-to-SLAP_DEVPOLL_SOCK_LX-for-multi-listener.patch +Patch6012: Fixup-for-binary-config-attrs.patch +Patch6013: ITS-8864-Fix-ber_realloc-after-a-partial-ber_flush.patch + +Patch6014: ITS-8840-Fix-domainScope-control-to-ensure-the-contr.patch +Patch6015: 
ITS-8843-check-for-NULL-modlist.patch +Patch6016: Fix-quoting-example.patch +Patch6017: ITS-8667-Do-not-finish-glue-initialisation-in-tool-m.patch +Patch6018: ITS-8842-Do-some-printability-checks-on-the-dc-RDN.patch +Patch6019: ITS-8909-fix-authz-policy-all-condition.patch +Patch6020: ITS-8909-additional-tweak.patch +Patch6021: Fix-index-delete.patch +Patch6022: ITS-8756-remove-loose-pg-from-dirty-list-in-freelist.patch +Patch6023: ITS-8918-fix-typo.patch +Patch6024: ITS-8923-fix-dyngroup-NO_SUCH_OBJECT-error-handling.patch +Patch6025: ITS-8878-Include-the-first-character-in-the-transfor.patch +Patch6026: ITS-8752-maybe-related.patch +Patch6027: ITS-8932-check-rdnNormalize-success.patch +Patch6028: ITS-8727-plug-ber-leaks.patch +Patch6029: ITS-8948-Fix-BDB-lib-to-only-be-linked-with-static-b.patch +Patch6030: ITS-8663-Fix-memberof-SLAP_CONFIG_EMIT.patch +Patch6031: ITS-8472-only-do-index-cleanup-if-DB-is-running.patch +Patch6032: ITS-8957-Fix-ASYNC-TLS.patch +Patch6033: ITS-8980-fix-async-connections-with-non-blocking-TLS.patch +Patch6034: CVE-2019-13057-1.patch +Patch6035: CVE-2019-13057-2.patch +Patch6036: CVE-2019-13057-3.patch +Patch6037: CVE-2019-13057-4.patch +Patch6038: CVE-2019-13565.patch + +BuildRequires: cyrus-sasl-devel openssl-devel krb5-devel unixODBC-devel +BuildRequires: glibc-devel libtool libtool-ltdl-devel groff perl-interpreter perl-devel perl-generators perl-ExtUtils-Embed + +%description +OpenLDAP is an open source suite of LDAP (Lightweight Directory Access +Protocol) applications and development tools. LDAP is a set of +protocols for accessing directory services (usually phone book style +information, but other information is possible) over the Internet, +similar to the way DNS (Domain Name System) information is propagated +over the Internet. The openldap package contains configuration files, +libraries, and documentation for OpenLDAP. 
+ +%package devel +Summary: LDAP development libraries and header files +Requires: openldap = %{version}-%{release} cyrus-sasl-devel + +%description devel +The openldap-devel package includes the development libraries and +header files needed for compiling applications that use LDAP +(Lightweight Directory Access Protocol) internals. LDAP is a set of +protocols for enabling directory services over the Internet. Install +this package only if you plan to develop or will need to compile +customized LDAP clients. + +%package servers +Summary: LDAP server +License: OpenLDAP +Requires: openldap = %{version}-%{release} libdb-utils +Requires(pre): shadow-utils +%{?systemd_requires} +BuildRequires: systemd +BuildRequires: libdb-devel cracklib-devel +Provides: ldif2ldbm + +%description servers +OpenLDAP is an open-source suite of LDAP (Lightweight Directory Access +Protocol) applications and development tools. LDAP is a set of +protocols for accessing directory services (usually phone book style +information, but other information is possible) over the Internet, +similar to the way DNS (Domain Name System) information is propagated +over the Internet. This package contains the slapd server and related files. + +%package clients +Summary: LDAP client utilities +Requires: openldap = %{version}-%{release} + +%description clients +OpenLDAP is an open-source suite of LDAP (Lightweight Directory Access +Protocol) applications and development tools. LDAP is a set of +protocols for accessing directory services (usually phone book style +information, but other information is possible) over the Internet, +similar to the way DNS (Domain Name System) information is propagated +over the Internet. The openldap-clients package contains the client +programs needed for accessing and modifying OpenLDAP directories. 
+ +%package_help + +%prep +%setup -q -c -a 0 -a 10 + +pushd openldap-%{version} + +AUTOMAKE=%{_bindir}/true autoreconf -fi + +%patch0 -p1 +%patch2 -p1 +%patch3 -p1 +%patch5 -p1 +%patch17 -p1 +%patch19 -p1 +%patch20 -p1 +%patch21 -p1 + +%patch6000 -p1 +%patch6001 -p1 +%patch6002 -p1 +%patch6003 -p1 +%patch6004 -p1 +%patch6005 -p1 +%patch6006 -p1 +%patch6007 -p1 +%patch6008 -p1 +%patch6009 -p1 +%patch6010 -p1 +%patch6011 -p1 +%patch6012 -p1 +%patch6013 -p1 +%patch6014 -p1 +%patch6015 -p1 +%patch6016 -p1 +%patch6017 -p1 +%patch6018 -p1 +%patch6019 -p1 +%patch6020 -p1 +%patch6021 -p1 +%patch6022 -p1 +%patch6023 -p1 +%patch6024 -p1 +%patch6025 -p1 +%patch6026 -p1 +%patch6027 -p1 +%patch6028 -p1 +%patch6029 -p1 +%patch6030 -p1 +%patch6031 -p1 +%patch6032 -p1 +%patch6033 -p1 +%patch6034 -p1 +%patch6035 -p1 +%patch6036 -p1 +%patch6037 -p1 +%patch6038 -p1 + +ln -s ../../../contrib/slapd-modules/smbk5pwd/smbk5pwd.c servers/slapd/overlays +mv contrib/slapd-modules/smbk5pwd/README contrib/slapd-modules/smbk5pwd/README.smbk5pwd +ln -s ../../../contrib/slapd-modules/allop/allop.c servers/slapd/overlays +mv contrib/slapd-modules/allop/README contrib/slapd-modules/allop/README.allop +mv contrib/slapd-modules/allop/slapo-allop.5 doc/man/man5/slapo-allop.5 + +mv servers/slapd/back-perl/README{,.back_perl} + +for filename in doc/drafts/draft-ietf-ldapext-acl-model-xx.txt; do + iconv -f iso-8859-1 -t utf-8 "$filename" > "$filename.utf8" + mv "$filename.utf8" "$filename" +done + +popd + +pushd ltb-project-openldap-ppolicy-check-password-1.1 +%patch90 -p1 +%patch91 -p1 +popd + +%build + +%set_build_flags +export CFLAGS="${CFLAGS} ${LDFLAGS} -Wl,--as-needed -DLDAP_CONNECTIONLESS -DLDAP_USE_NON_BLOCKING_TLS" + +pushd openldap-%{version} +%configure \ + --enable-debug --enable-dynamic --enable-dynacl \ + --enable-cleartext --enable-crypt --enable-lmpasswd \ + --enable-spasswd --enable-modules --enable-rewrite \ + --enable-rlookups --enable-slapi --disable-slp \ + --enable-backends=mod 
--enable-bdb=yes --enable-hdb=yes \ + --enable-mdb=yes --enable-monitor=yes --disable-ndb \ + --disable-sql --enable-overlays=mod --disable-static \ + --with-cyrus-sasl --without-fetch --with-threads \ + --with-pic --with-gnu-ld --libexecdir=%{_libdir} + +%make_build +popd + +pushd ltb-project-openldap-ppolicy-check-password-1.1 +make LDAP_INC="-I../openldap-%{version}/include \ + -I../openldap-%{version}/servers/slapd \ + -I../openldap-%{version}/build-servers/include" +popd + +%install +install -d %{buildroot}%{_libdir}/ + +pushd openldap-%{version} +%make_install STRIP="" +popd + +pushd ltb-project-openldap-ppolicy-check-password-1.1 +mv check_password.so check_password.so.1.1 +ln -s check_password.so.1.1 %{buildroot}%{_libdir}/openldap/check_password.so +install -m 755 check_password.so.1.1 %{buildroot}%{_libdir}/openldap/ +install -d -m 755 %{buildroot}%{_sysconfdir}/openldap +cat > %{buildroot}%{_sysconfdir}/openldap/check_password.conf </dev/null || groupadd -r -g 55 ldap +getent passwd ldap &>/dev/null || \ + useradd -r -g ldap -u 55 -d %{_sharedstatedir}/ldap -s /sbin/nologin -c "OpenLDAP server" ldap + +if [ $1 -eq 2 ]; then + + old_version=$(rpm -q --qf=%%{version} openldap-servers) + new_version=%{version} + + if [ "$old_version" != "$new_version" ]; then + touch %{_sharedstatedir}/ldap/rpm_upgrade_openldap &>/dev/null + fi +fi + +exit 0 + + +%post servers +%systemd_post slapd.service + +if [[ ! -f %{_sysconfdir}/openldap/slapd.d/cn=config.ldif && \ + ! 
-f %{_sysconfdir}/openldap/slapd.conf + ]]; then + install -d %{_sysconfdir}/openldap/slapd.d/ &>/dev/null || : + /usr/sbin/slapadd -F %{_sysconfdir}/openldap/slapd.d/ -n0 -l %{_datadir}/openldap-servers/slapd.ldif + chown -R ldap:ldap %{_sysconfdir}/openldap/slapd.d/ + %{systemctl_bin} try-restart slapd.service &>/dev/null +fi + +start_slapd=0 + +if [ -f %{_sharedstatedir}/ldap/rpm_upgrade_openldap ]; then + if %{systemctl_bin} --quiet is-active slapd.service; then + %{systemctl_bin} stop slapd.service + start_slapd=1 + fi + + %{_libexecdir}/openldap/upgrade-db.sh &>/dev/null + rm -f %{_sharedstatedir}/ldap/rpm_upgrade_openldap +fi + +if [ $1 -ge 1 ]; then + if [ $start_slapd -eq 1 ]; then + %{systemctl_bin} start slapd.service &>/dev/null || : + else + %{systemctl_bin} condrestart slapd.service &>/dev/null || : + fi +fi + +exit 0 + +%preun servers +%systemd_preun slapd.service + +%postun servers +%systemd_postun_with_restart slapd.service + +%triggerin servers -- libdb + +if [ $2 -eq 2 ]; then + if [ "$(rpm -q --qf="%%{version}\n" libdb | sed 's/\.[0-9]*$//' | sort -u | wc -l)" != "1" ]; then + touch %{_sharedstatedir}/ldap/rpm_upgrade_libdb + else + rm -f %{_sharedstatedir}/ldap/rpm_upgrade_libdb + fi +fi + +exit 0 + + +%triggerun servers -- libdb + +if [ -f %{_sharedstatedir}/ldap/rpm_upgrade_libdb ]; then + if %{systemctl_bin} --quiet is-active slapd.service; then + %{systemctl_bin} stop slapd.service + start=1 + else + start=0 + fi + + %{_libexecdir}/openldap/upgrade-db.sh &>/dev/null + rm -f %{_sharedstatedir}/ldap/rpm_upgrade_libdb + + [ $start -eq 1 ] && %{systemctl_bin} start slapd.service &>/dev/null +fi + +exit 0 + + +%files +%defattr(-,root,root) +%license openldap-%{version}/COPYRIGHT +%license openldap-%{version}/LICENSE +%dir %{_sysconfdir}/openldap/certs +%config(noreplace) %{_sysconfdir}/openldap/ldap.conf +%dir %{_libexecdir}/openldap/ +%{_libdir}/lib*.so.* +%exclude %{_sysconfdir}/openldap/ldap.conf +%exclude %{_sysconfdir}/openldap/slapd.conf 
+%exclude %{_sysconfdir}/openldap/slapd.ldif + +%files servers +%defattr(-,root,root) +%config(noreplace) %dir %attr(0750,ldap,ldap) %{_sysconfdir}/openldap/slapd.d +%config(noreplace) %{_sysconfdir}/openldap/schema +%config(noreplace) %{_sysconfdir}/openldap/check_password.conf +%{_tmpfilesdir}/slapd.conf +%dir %attr(0700,ldap,ldap) %{_sharedstatedir}/ldap +%dir %attr(-,ldap,ldap) %{_localstatedir}/run/openldap +%{_unitdir}/slapd.service +%{_datadir}/openldap-servers/ +%{_libdir}/openldap/* +%{_libexecdir}/openldap/functions +%{_libexecdir}/openldap/check-config.sh +%{_libexecdir}/openldap/upgrade-db.sh +%{_sbindir}/sl* +%ghost %config(noreplace,missingok) %attr(0640,ldap,ldap) %{_sysconfdir}/openldap/slapd.conf + +%files clients +%defattr(-,root,root) +%{_bindir}/* + +%files devel +%defattr(-,root,root) +%{_libdir}/lib*.so +%{_includedir}/* + +%files help +%defattr(-,root,root) +%{_mandir}/man*/* +%doc openldap-%{version}/ANNOUNCEMENT +%doc openldap-%{version}/CHANGES +%doc openldap-%{version}/README +%doc openldap-%{version}/doc/guide/admin/*.html +%doc openldap-%{version}/doc/guide/admin/*.png +%doc openldap-%{version}/servers/slapd/back-perl/SampleLDAP.pm +%doc openldap-%{version}/servers/slapd/back-perl/README.back_perl +%doc README.schema +%doc openldap-%{version}/doc/drafts openldap-%{version}/doc/rfc +%doc ltb-project-openldap-ppolicy-check-password-1.1/README.check_pwd + +%changelog +* Sat Dec 21 2019 openEuler Buildteam - 2.4.46-11 +- Type:cves +- ID:CVE-2019-13565 +- SUG:restart +- DESC:fix CVE--2019-13565 + +* Wed Sep 25 2019 openEuler Buildteam - 2.4.46-10 +- Type:cves +- ID:CVE-2019-13057 +- SUG:NA +- DESC:fix CVE-2019-13057 + +* Tue Sep 17 2019 openEuler Buildteam - 2.4.46-9 +- Package init diff --git a/slapd.ldif b/slapd.ldif new file mode 100644 index 0000000000000000000000000000000000000000..a4ae4c09b47c60369f9ef76d72fb26399770347e --- /dev/null +++ b/slapd.ldif 
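Review bot: In both `%post servers` and `%triggerun servers -- libdb` the result of `%{_libexecdir}/openldap/upgrade-db.sh &>/dev/null` is discarded and slapd is started anyway, so a failed BerkeleyDB upgrade leaves the daemon running against an unconverted database with nothing in the install log; test the status, e.g. `if ! %{_libexecdir}/openldap/upgrade-db.sh &>/dev/null; then echo "openldap-servers: database upgrade failed, not starting slapd" >&2; start_slapd=0; fi` (and `start=0` in the trigger). Separately, the `%configure` call passes `--enable-lmpasswd`, which compiles in the LANMAN password scheme (case-folded 14-byte DES, trivially cracked offline), and `Patch21` re-enables SSLv3; both are hardening regressions that should be dropped unless a downstream consumer is known to depend on them. The `%install`/`%pre` boundary in this copy is garbled (`check_password.conf </dev/null || groupadd ...`), so the heredoc and the start of `%pre servers` could not be reviewed.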
@@ -0,0 +1,158 @@
+#
+# See slapd-config(5) for details on configuration options.
+# This file should NOT be world readable.
+#
+
+dn: cn=config
+objectClass: olcGlobal
+cn: config
+#
+# TLS settings
+#
+# When no CA certificates are specified the Shared System Certificates
+# are in use. In order to have these available along with the ones specified
+# by oclTLSCACertificatePath one has to include them explicitly:
+#olcTLSCACertificateFile: /etc/pki/tls/cert.pem
+#
+# Private cert and key are not pregenerated.
+#olcTLSCertificateFile:
+#olcTLSCertificateKeyFile:
+#
+# System-wide Crypto Policies provide up to date cipher suite which should
+# be used unless one needs a finer grinded selection of ciphers. Hence, the
+# PROFILE=SYSTEM value represents the default behavior which is in place
+# when no explicit setting is used. (see openssl-ciphers(1) for more info)
+#olcTLSCipherSuite: PROFILE=SYSTEM
+
+
+#
+# Do not enable referrals until AFTER you have a working directory
+# service AND an understanding of referrals.
+#
+#olcReferral: ldap://root.openldap.org
+#
+# Sample security restrictions
+# Require integrity protection (prevent hijacking)
+# Require 112-bit (3DES or better) encryption for updates
+# Require 64-bit encryption for simple bind
+#
+#olcSecurity: ssf=1 update_ssf=112 simple_bind=64
+
+
+#
+# Load dynamic backend modules:
+# - modulepath is architecture dependent value (32/64-bit system)
+# - back_sql.la backend requires openldap-servers-sql package
+# - dyngroup.la and dynlist.la cannot be used at the same time
+#
+
+#dn: cn=module,cn=config
+#objectClass: olcModuleList
+#cn: module
+#olcModulepath: /usr/lib/openldap
+#olcModulepath: /usr/lib64/openldap
+#olcModuleload: accesslog.la
+#olcModuleload: auditlog.la
+#olcModuleload: back_dnssrv.la
+#olcModuleload: back_ldap.la
+#olcModuleload: back_mdb.la
+#olcModuleload: back_meta.la
+#olcModuleload: back_null.la
+#olcModuleload: back_passwd.la
+#olcModuleload: back_relay.la
+#olcModuleload: back_shell.la
+#olcModuleload: back_sock.la
+#olcModuleload: collect.la
+#olcModuleload: constraint.la
+#olcModuleload: dds.la
+#olcModuleload: deref.la
+#olcModuleload: dyngroup.la
+#olcModuleload: dynlist.la
+#olcModuleload: memberof.la
+#olcModuleload: pcache.la
+#olcModuleload: ppolicy.la
+#olcModuleload: refint.la
+#olcModuleload: retcode.la
+#olcModuleload: rwm.la
+#olcModuleload: seqmod.la
+#olcModuleload: smbk5pwd.la
+#olcModuleload: sssvlv.la
+#olcModuleload: syncprov.la
+#olcModuleload: translucent.la
+#olcModuleload: unique.la
+#olcModuleload: valsort.la
+
+
+#
+# Schema settings
+#
+
+dn: cn=schema,cn=config
+objectClass: olcSchemaConfig
+cn: schema
+
+include: file:///etc/openldap/schema/core.ldif
+
+#
+# Frontend settings
+#
+
+dn: olcDatabase=frontend,cn=config
+objectClass: olcDatabaseConfig
+olcDatabase: frontend
+#
+# Sample global access control policy:
+# Root DSE: allow anyone to read it
+# Subschema (sub)entry DSE: allow anyone to read it
+# Other DSEs:
+# Allow self write access
+# Allow authenticated
users read access
+# Allow anonymous users to authenticate
+#
+#olcAccess: to dn.base="" by * read
+#olcAccess: to dn.base="cn=Subschema" by * read
+#olcAccess: to *
+# by self write
+# by users read
+# by anonymous auth
+#
+# if no access controls are present, the default policy
+# allows anyone and everyone to read anything but restricts
+# updates to rootdn. (e.g., "access to * by * read")
+#
+# rootdn can always read and write EVERYTHING!
+#
+
+#
+# Configuration database
+#
+
+dn: olcDatabase=config,cn=config
+objectClass: olcDatabaseConfig
+olcDatabase: config
+olcAccess: to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,c
+ n=auth" manage by * none
+
+#
+# Server status monitoring
+#
+
+dn: olcDatabase=monitor,cn=config
+objectClass: olcDatabaseConfig
+olcDatabase: monitor
+olcAccess: to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,c
+ n=auth" read by dn.base="cn=Manager,dc=my-domain,dc=com" read by * none
+
+#
+# Backend database definitions
+#
+
+dn: olcDatabase=mdb,cn=config
+objectClass: olcDatabaseConfig
+objectClass: olcMdbConfig
+olcDatabase: mdb
+olcSuffix: dc=my-domain,dc=com
+olcRootDN: cn=Manager,dc=my-domain,dc=com
+olcDbDirectory: /var/lib/ldap
+olcDbIndex: objectClass eq,pres
+olcDbIndex: ou,cn,mail,surname,givenname eq,pres,sub
diff --git a/slapd.service b/slapd.service
new file mode 100644
index 0000000000000000000000000000000000000000..30821fd98310dbb31c724de786fbd8fe5bb0f091
--- /dev/null
+++ b/slapd.service
@@ -0,0 +1,17 @@
+[Unit]
+Description=OpenLDAP Server Daemon
+After=syslog.target network-online.target
+Documentation=man:slapd
+Documentation=man:slapd-config
+Documentation=man:slapd-hdb
+Documentation=man:slapd-mdb
+Documentation=file:///usr/share/doc/openldap-servers/guide.html
+
+[Service]
+Type=forking
+ExecStartPre=/usr/libexec/openldap/check-config.sh
+ExecStart=/usr/sbin/slapd -u ldap -h "ldap:/// ldaps:/// ldapi:///"
+
+[Install]
+WantedBy=multi-user.target
+Alias=openldap.service
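Review bot: The `olcDatabase=mdb` entry at the end of the hunk sets `olcRootDN` but no `olcAccess`, and the frontend carries none either, so the default policy the file's own comment spells out applies to all of `dc=my-domain,dc=com`: anyone, including anonymous binds on the cleartext `ldap:///` listener the unit file opens, can read every attribute, `userPassword` hashes included. Add to the mdb database at least `olcAccess: to attrs=userPassword by self write by anonymous auth by * none` followed by `olcAccess: to * by self write by users read by * none` (or `by * read` if anonymous browsing is really intended), or ship the frontend sample policy uncommented. `olcSecurity` is also left commented, so nothing keeps simple binds off plaintext connections; consider shipping `olcSecurity: simple_bind=64` once certificates are configured, which still leaves ldapi binds working because of their local SSF.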
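Review bot: The unit starts slapd as root and relies solely on `-u ldap` to drop privileges after binding 389/636, with no systemd sandboxing, and `Type=forking` has no `PIDFile=` even though the slapd.ldif in this series sets no `olcPidFile` and the tmpfiles entry reserves a directory for one, so systemd has to guess the main PID after the double fork. The hardening below is compatible with an in-process setuid drop (NoNewPrivileges only blocks gaining privilege via exec) but keeps `/etc/openldap/slapd.d` writable so cn=config changes over ldapi still work; confirm against your layout before shipping. `After=syslog.target` is obsolete and can be dropped, and whether `-d 0` keeps this slapd version in the foreground (allowing `Type=simple`) should be checked against slapd(8) rather than assumed.
```ini
[Service]
Type=forking
# … unchanged: ExecStartPre / ExecStart …
NoNewPrivileges=yes
ProtectSystem=full
ReadWritePaths=/etc/openldap/slapd.d /var/lib/ldap
ProtectHome=yes
PrivateTmp=yes
PrivateDevices=yes
```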
diff --git a/slapd.tmpfiles b/slapd.tmpfiles
new file mode 100644
index 0000000000000000000000000000000000000000..56aa32eed6ef2678096dc8dd09281bfbfb2062cb
--- /dev/null
+++ b/slapd.tmpfiles
@@ -0,0 +1,2 @@
+# openldap runtime directory for slapd.arg and slapd.pid
+d /var/run/openldap 0755 ldap ldap -