zhangrui 2019-12-29 17:30:53 +08:00
parent 324a6c13a5
commit 474bdd82f2
59 changed files with 3522 additions and 0 deletions

35
CVE-2019-13057-1.patch Normal file

@ -0,0 +1,35 @@
From f120d0e461178b5974694876ba2d2bdba4f7d122 Mon Sep 17 00:00:00 2001
From: Howard Chu <hyc@openldap.org>
Date: Wed, 19 Jun 2019 12:29:02 +0100
Subject: [PATCH] ITS#9038 restrict rootDN proxyauthz to its own DBs.
Treat as normal user for any other DB.
---
servers/slapd/saslauthz.c | 11 ++++++-----
1 file changed, 6 insertions(+), 5 deletions(-)
diff --git a/servers/slapd/saslauthz.c b/servers/slapd/saslauthz.c
index 64c7053..b3727ea 100644
--- a/servers/slapd/saslauthz.c
+++ b/servers/slapd/saslauthz.c
@@ -2062,12 +2062,13 @@ int slap_sasl_authorized( Operation *op,
goto DONE;
}
- /* Allow the manager to authorize as any DN. */
- if( op->o_conn->c_authz_backend &&
- be_isroot_dn( op->o_conn->c_authz_backend, authcDN ))
+ /* Allow the manager to authorize as any DN in its own DBs. */
{
- rc = LDAP_SUCCESS;
- goto DONE;
+ Backend *zbe = select_backend( authzDN, 1 );
+ if ( zbe && be_isroot_dn( zbe, authcDN )) {
+ rc = LDAP_SUCCESS;
+ goto DONE;
+ }
}
/* Check source rules */
--
1.7.10.4
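Review bot: The patch header identifies only the upstream commit id and ITS#9038; the CVE that the file name refers to appears nowhere inside the patch, so a reader auditing the package has to trust the file name. A trailer above the `---` separator, e.g. `CVE: CVE-2019-13057` and `Origin: upstream, f120d0e461178b5974694876ba2d2bdba4f7d122`, would make the provenance self-contained; the same applies to CVE-2019-13057-2.patch through -4.patch and to CVE-2019-13565.patch. The code change itself, honouring rootDN status only for the backend that `select_backend( authzDN, 1 )` returns, matches the subject line; slap_sasl_authorized begins and ends outside the hunk, so where `authzDN` is derived is not visible here.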

102
CVE-2019-13057-2.patch Normal file

@ -0,0 +1,102 @@
From ce5869c89a0cf1a9ec23bde014cb4c11f4d0360c Mon Sep 17 00:00:00 2001
From: =?utf8?q?Ond=C5=99ej=20Kuzn=C3=ADk?= <ondra@mistotebe.net>
Date: Wed, 19 Jun 2019 18:47:32 +0200
Subject: [PATCH] ITS#9038 Update test028 to test this is enforced
---
tests/data/idassert.out | 5 +++++
tests/data/slapd-idassert.conf | 1 +
tests/data/test-idassert1.ldif | 6 ++++++
tests/scripts/test028-idassert | 24 ++++++++++++++++++++++++
4 files changed, 36 insertions(+)
diff --git a/tests/data/idassert.out b/tests/data/idassert.out
index 53d76bb..fa51c25 100644
--- a/tests/data/idassert.out
+++ b/tests/data/idassert.out
@@ -4,6 +4,11 @@ objectClass: dcObject
o: Example, Inc.
dc: example
+dn: cn=Manager,o=Example,c=US
+objectClass: inetOrgPerson
+cn: Manager
+sn: Parson
+
dn: ou=People,o=Example,c=US
objectClass: organizationalUnit
ou: People
diff --git a/tests/data/slapd-idassert.conf b/tests/data/slapd-idassert.conf
index 88d66a3..561c5cc 100644
--- a/tests/data/slapd-idassert.conf
+++ b/tests/data/slapd-idassert.conf
@@ -36,6 +36,7 @@ argsfile @TESTDIR@/slapd.1.args
#######################################################################
authz-policy both
+authz-regexp "^uid=manager,.+" "cn=Manager,dc=example,dc=com"
authz-regexp "^uid=admin/([^,]+),.+" "ldap:///ou=Admin,dc=example,dc=com??sub?(cn=$1)"
authz-regexp "^uid=it/([^,]+),.+" "ldap:///ou=People,dc=example,dc=it??sub?(uid=$1)"
authz-regexp "^uid=(us/)?([^,]+),.+" "ldap:///ou=People,dc=example,dc=com??sub?(uid=$2)"
diff --git a/tests/data/test-idassert1.ldif b/tests/data/test-idassert1.ldif
index 063d6ec..3ccbd1a 100644
--- a/tests/data/test-idassert1.ldif
+++ b/tests/data/test-idassert1.ldif
@@ -4,6 +4,12 @@ objectClass: dcObject
o: Example, Inc.
dc: example
+dn: cn=Manager,dc=example,dc=com
+objectClass: inetOrgPerson
+cn: Manager
+sn: Parson
+userPassword: secret
+
dn: ou=People,dc=example,dc=com
objectClass: organizationalUnit
ou: People
diff --git a/tests/scripts/test028-idassert b/tests/scripts/test028-idassert
index b1e1674..9e5e107 100755
--- a/tests/scripts/test028-idassert
+++ b/tests/scripts/test028-idassert
@@ -191,6 +191,17 @@ if test $RC != 0 ; then
exit $RC
fi
+AUTHZID="u:it/jaj"
+echo "Checking another DB's rootdn can't assert identity from another DB..."
+$LDAPWHOAMI -h $LOCALHOST -p $PORT1 -D "$MANAGERDN" -w $PASSWD -e\!"authzid=$AUTHZID"
+
+RC=$?
+if test $RC != 1 ; then
+ echo "ldapwhoami should have failed ($RC)!"
+ test $KILLSERVERS != no && kill -HUP $KILLPIDS
+ exit $RC
+fi
+
ID="uid=jaj,ou=People,dc=example,dc=it"
BASE="o=Example,c=US"
echo "Testing ldapsearch as $ID for \"$BASE\"..."
@@ -231,6 +242,19 @@ if test $USE_SASL != "no" ; then
exit $RC
fi
+ ID="manager"
+ AUTHZID="u:it/jaj"
+ echo "Checking another DB's rootdn can't assert in another (with SASL bind this time)..."
+ $LDAPSASLWHOAMI -h $LOCALHOST -p $PORT1 \
+ -Q -U "$ID" -w $PASSWD -Y $MECH -X $AUTHZID
+
+ RC=$?
+ if test $RC != 50 ; then
+ echo "ldapwhoami should have failed ($RC)!"
+ test $KILLSERVERS != no && kill -HUP $KILLPIDS
+ exit $RC
+ fi
+
echo "Filtering ldapsearch results..."
$LDIFFILTER < $SEARCHOUT > $SEARCHFLT
echo "Filtering original ldif used to create database..."
--
1.7.10.4

25
CVE-2019-13057-3.patch Normal file

@ -0,0 +1,25 @@
From c064d45c5d4551f2321276c3a5ed25b1c08e115d Mon Sep 17 00:00:00 2001
From: =?utf8?q?Ond=C5=99ej=20Kuzn=C3=ADk?= <ondra@mistotebe.net>
Date: Mon, 24 Jun 2019 16:37:23 +0200
Subject: [PATCH] ITS#9038 Fix typo in test script
---
tests/scripts/test028-idassert | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tests/scripts/test028-idassert b/tests/scripts/test028-idassert
index 9e5e107..564a615 100755
--- a/tests/scripts/test028-idassert
+++ b/tests/scripts/test028-idassert
@@ -199,7 +199,7 @@ RC=$?
if test $RC != 1 ; then
echo "ldapwhoami should have failed ($RC)!"
test $KILLSERVERS != no && kill -HUP $KILLPIDS
- exit $RC
+ exit 1
fi
ID="uid=jaj,ou=People,dc=example,dc=it"
--
1.7.10.4

25
CVE-2019-13057-4.patch Normal file

@ -0,0 +1,25 @@
From 0832ec02f0679cf0862dca2cca5280be1e4fdb37 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Ond=C5=99ej=20Kuzn=C3=ADk?= <ondra@mistotebe.net>
Date: Thu, 27 Jun 2019 00:45:29 +0200
Subject: [PATCH] ITS#9038 Another test028 typo
---
tests/scripts/test028-idassert | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tests/scripts/test028-idassert b/tests/scripts/test028-idassert
index 564a615..dacd68d 100755
--- a/tests/scripts/test028-idassert
+++ b/tests/scripts/test028-idassert
@@ -252,7 +252,7 @@ if test $USE_SASL != "no" ; then
if test $RC != 50 ; then
echo "ldapwhoami should have failed ($RC)!"
test $KILLSERVERS != no && kill -HUP $KILLPIDS
- exit $RC
+ exit 1
fi
echo "Filtering ldapsearch results..."
--
1.7.10.4

24
CVE-2019-13565.patch Normal file

@ -0,0 +1,24 @@
From 744a46a1acb93798f4e027290191d6a11dd4c18c Mon Sep 17 00:00:00 2001
From: Howard Chu <hyc@openldap.org>
Date: Wed, 10 Jul 2019 21:29:39 +0100
Subject: [PATCH] ITS#9052 zero out sasl_ssf in connection_init
---
servers/slapd/connection.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/servers/slapd/connection.c b/servers/slapd/connection.c
index b85bcb4..704067c 100644
--- a/servers/slapd/connection.c
+++ b/servers/slapd/connection.c
@@ -554,7 +554,7 @@ Connection * connection_init(
c->c_close_reason = "?"; /* should never be needed */
c->c_ssf = c->c_transport_ssf = ssf;
- c->c_tls_ssf = 0;
+ c->c_tls_ssf = c->c_sasl_ssf = 0;
#ifdef HAVE_TLS
if ( flags & CONN_IS_TLS ) {
--
1.7.10.4


@ -0,0 +1,15 @@
diff --git a/servers/slapd/daemon.c b/servers/slapd/daemon.c
index a3e8713..329ed6d 100644
--- a/servers/slapd/daemon.c
+++ b/servers/slapd/daemon.c
@@ -438,8 +438,8 @@ static slap_daemon_st slap_daemon[SLAPD_MAX_DAEMON_THREADS];
# define SLAP_EVENT_IS_READ(i) SLAP_DEVPOLL_EVENT_CHK((i), POLLIN)
# define SLAP_EVENT_IS_WRITE(i) SLAP_DEVPOLL_EVENT_CHK((i), POLLOUT)
-# define SLAP_EVENT_IS_LISTENER(t,i) SLAP_DEVPOLL_EV_LISTENER(SLAP_DEVPOLL_SOCK_LX(SLAP_EVENT_FD(t,(i))))
-# define SLAP_EVENT_LISTENER(t,i) SLAP_DEVPOLL_SOCK_LX(SLAP_EVENT_FD(t,(i)))
+# define SLAP_EVENT_IS_LISTENER(t,i) SLAP_DEVPOLL_EV_LISTENER(SLAP_DEVPOLL_SOCK_LX(t, SLAP_EVENT_FD(t,(i))))
+# define SLAP_EVENT_LISTENER(t,i) SLAP_DEVPOLL_SOCK_LX(t, SLAP_EVENT_FD(t,(i)))
# define SLAP_SOCK_INIT(t) do { \
slap_daemon[t].sd_pollfd = ch_calloc( 1, \
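Review bot: This patch file carries no From/Date/Subject header and no description, unlike the other patches in the commit, so nothing ties the added `t` argument of `SLAP_DEVPOLL_SOCK_LX(t, ...)` to an upstream commit or ITS number; the same is true of the bconfig.c config_find_table patch, the liblber io.c ber_realloc patch and the configure.in MozNSS patch further down. A one-line header such as `Subject: daemon.c: pass the daemon thread index to SLAP_DEVPOLL_SOCK_LX` plus an origin reference would make the series reviewable. Whether the two-argument form matches the macro's definition cannot be checked here, because the definition of SLAP_DEVPOLL_SOCK_LX is outside the hunk.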

48
Fix-index-delete.patch Normal file

@ -0,0 +1,48 @@
From 86bd2da6ac69acc2df956260d081d03421116828 Mon Sep 17 00:00:00 2001
From: Howard Chu <hyc@openldap.org>
Date: Fri, 31 Aug 2018 14:28:22 +0100
Subject: [PATCH 034/109] Fix index delete
Deleting all indices should also reset default mask
---
servers/slapd/back-bdb/config.c | 3 ++-
servers/slapd/back-mdb/config.c | 3 ++-
2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/servers/slapd/back-bdb/config.c b/servers/slapd/back-bdb/config.c
index a1cd0d605..24c4753ba 100644
--- a/servers/slapd/back-bdb/config.c
+++ b/servers/slapd/back-bdb/config.c
@@ -602,10 +602,11 @@ bdb_cf_gen( ConfigArgs *c )
if ( c->valx == -1 ) {
int i;
- /* delete all (FIXME) */
+ /* delete all */
for ( i = 0; i < bdb->bi_nattrs; i++ ) {
bdb->bi_attrs[i]->ai_indexmask |= BDB_INDEX_DELETING;
}
+ bdb->bi_defaultmask = 0;
bdb->bi_flags |= BDB_DEL_INDEX;
c->cleanup = bdb_cf_cleanup;
diff --git a/servers/slapd/back-mdb/config.c b/servers/slapd/back-mdb/config.c
index d4c6f96aa..ded7a087c 100644
--- a/servers/slapd/back-mdb/config.c
+++ b/servers/slapd/back-mdb/config.c
@@ -423,10 +423,11 @@ mdb_cf_gen( ConfigArgs *c )
if ( c->valx == -1 ) {
int i;
- /* delete all (FIXME) */
+ /* delete all */
for ( i = 0; i < mdb->mi_nattrs; i++ ) {
mdb->mi_attrs[i]->ai_indexmask |= MDB_INDEX_DELETING;
}
+ mdb->mi_defaultmask = 0;
mdb->mi_flags |= MDB_DEL_INDEX;
c->cleanup = mdb_cf_cleanup;
--
2.19.1

25
Fix-quoting-example.patch Normal file

@ -0,0 +1,25 @@
From 4626a7d0edf687c63452dc671a2fbb7f44aa64b8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ond=C5=99ej=20Kuzn=C3=ADk?= <ondra@openldap.org>
Date: Thu, 14 Jun 2018 16:08:36 +0100
Subject: [PATCH 018/109] Fix quoting example
---
doc/man/man5/ldap.conf.5 | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/doc/man/man5/ldap.conf.5 b/doc/man/man5/ldap.conf.5
index 0c8ec8a0e..8c67bc0ae 100644
--- a/doc/man/man5/ldap.conf.5
+++ b/doc/man/man5/ldap.conf.5
@@ -85,7 +85,7 @@ For example,
# Right - DN syntax needs quoting for Example, Inc:
BASE ou=IT staff,o="Example, Inc",c=US
# or:
- BASE ou=IT staff,o=Example2C Inc,c=US
+ BASE ou=IT staff,o=Example\\2C Inc,c=US
# Wrong - comment on same line as option:
DEREF never # Never follow aliases
--
2.19.1


@ -0,0 +1,13 @@
diff --git a/servers/slapd/bconfig.c b/servers/slapd/bconfig.c
index 250f141..5aabcef 100644
--- a/servers/slapd/bconfig.c
+++ b/servers/slapd/bconfig.c
@@ -4313,6 +4313,8 @@ config_find_table( ConfigOCs **colst, int nocs, AttributeDescription *ad,
ConfigArgs *ca )
{
int i, j;
+ if (ad->ad_flags & SLAP_DESC_BINARY)
+ ad = ad->ad_type->sat_ad;
for (j=0; j<nocs; j++) {
for (i=0; colst[j]->co_table[i].name; i++)
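Review bot: The two added lines reassign the `ad` parameter with no explanation; a reader has to already know what SLAP_DESC_BINARY marks and that `ad_type->sat_ad` is presumably the base description of the attribute type. A comment above the `if`, `/* attr;binary: look the table up by the base attribute description */`, would state the intent (the exact meaning should be confirmed against the definition of sat_ad, which is not on the page). Because `ad` is a by-value parameter the reassignment stays local to config_find_table, whose body continues outside the hunk.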


@ -0,0 +1,34 @@
From 55daae4afc3cd2ee6dcbd97a73260113935d2676 Mon Sep 17 00:00:00 2001
From: Howard Chu <hyc@openldap.org>
Date: Fri, 25 Jan 2019 18:11:58 +0000
Subject: [PATCH 096/109] ITS#8472 only do index cleanup if DB is running
---
servers/slapd/back-mdb/config.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/servers/slapd/back-mdb/config.c b/servers/slapd/back-mdb/config.c
index df9db5edd..c404e58e7 100644
--- a/servers/slapd/back-mdb/config.c
+++ b/servers/slapd/back-mdb/config.c
@@ -260,6 +260,7 @@ mdb_cf_cleanup( ConfigArgs *c )
}
if ( mdb->mi_flags & MDB_OPEN_INDEX ) {
+ mdb->mi_flags ^= MDB_OPEN_INDEX;
rc = mdb_attr_dbs_open( c->be, NULL, &c->reply );
if ( rc )
rc = LDAP_OTHER;
@@ -631,8 +632,8 @@ mdb_cf_gen( ConfigArgs *c )
c->argc - 1, &c->argv[1], &c->reply);
if( rc != LDAP_SUCCESS ) return 1;
- mdb->mi_flags |= MDB_OPEN_INDEX;
if ( mdb->mi_flags & MDB_IS_OPEN ) {
+ mdb->mi_flags |= MDB_OPEN_INDEX;
c->cleanup = mdb_cf_cleanup;
if ( !mdb->mi_index_task ) {
/* Start the task as soon as we finish here. Set a long
--
2.19.1
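Review bot: The added `mdb->mi_flags ^= MDB_OPEN_INDEX;` in mdb_cf_cleanup clears the flag with XOR, which is correct only because the enclosing `if ( mdb->mi_flags & MDB_OPEN_INDEX )` guarantees the bit is set; if that guard is ever relaxed the line would set the bit instead. `mdb->mi_flags &= ~MDB_OPEN_INDEX;` states the intent (clear, not toggle) and is idempotent. The second hunk, which moves the flag set under `MDB_IS_OPEN`, is consistent with the subject line.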


@ -0,0 +1,34 @@
From 7553afa6fd524181bd5d7c5fa8808bbd0fc09864 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ond=C5=99ej=20Kuzn=C3=ADk?= <ondra@openldap.org>
Date: Mon, 14 Jan 2019 11:44:35 +0000
Subject: [PATCH 086/109] ITS#8663 Fix memberof SLAP_CONFIG_EMIT
---
servers/slapd/overlays/memberof.c | 8 ++------
1 file changed, 2 insertions(+), 6 deletions(-)
diff --git a/servers/slapd/overlays/memberof.c b/servers/slapd/overlays/memberof.c
index 54c24682a..7e0c8f22b 100644
--- a/servers/slapd/overlays/memberof.c
+++ b/servers/slapd/overlays/memberof.c
@@ -1895,15 +1895,11 @@ mo_cf_gen( ConfigArgs *c )
break;
case MO_MEMBER_AD:
- if ( mo->mo_ad_member != NULL ){
- value_add_one( &c->rvalue_vals, &mo->mo_ad_member->ad_cname );
- }
+ c->value_ad = mo->mo_ad_member;
break;
case MO_MEMBER_OF_AD:
- if ( mo->mo_ad_memberof != NULL ){
- value_add_one( &c->rvalue_vals, &mo->mo_ad_memberof->ad_cname );
- }
+ c->value_ad = mo->mo_ad_memberof;
break;
default:
--
2.19.1


@ -0,0 +1,26 @@
From 8c09d9a132d148ebad1e7f303ae99d357815ffff Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ond=C5=99ej=20Kuzn=C3=ADk?= <ondra@openldap.org>
Date: Wed, 27 Jun 2018 10:32:04 +0100
Subject: [PATCH 021/109] ITS#8667 Do not finish glue initialisation in tool
mode unless requested
---
servers/slapd/backglue.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/servers/slapd/backglue.c b/servers/slapd/backglue.c
index 53c92448f..c2cfed45c 100644
--- a/servers/slapd/backglue.c
+++ b/servers/slapd/backglue.c
@@ -1312,7 +1312,7 @@ glue_db_init(
SLAP_DBFLAGS( be ) |= SLAP_DBFLAG_GLUE_INSTANCE;
- if ( ga_list ) {
+ if ( ga_list && ( slapMode & SLAP_SERVER_MODE ) ) {
be->bd_info = (BackendInfo *)oi;
glue_sub_attach( 1 );
}
--
2.19.1


@ -0,0 +1,32 @@
From 11320a9156e1306c251b27443439dc2e1db0107b Mon Sep 17 00:00:00 2001
From: Howard Chu <hyc@openldap.org>
Date: Tue, 17 Jan 2017 11:35:54 +0000
Subject: [PATCH 076/109] ITS#8727 plug ber leaks
---
libraries/libldap/request.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/libraries/libldap/request.c b/libraries/libldap/request.c
index 31145432f..7d2d7a458 100644
--- a/libraries/libldap/request.c
+++ b/libraries/libldap/request.c
@@ -315,6 +315,7 @@ ldap_send_server_request(
LDAP_MUTEX_UNLOCK( &ld->ld_options.ldo_mutex );
if ( rc == -1 ) {
ld->ld_errno = LDAP_ENCODING_ERROR;
+ ber_free( ber, 1 );
LDAP_CONN_UNLOCK_IF(m_noconn);
return rc;
}
@@ -334,6 +335,7 @@ ldap_send_server_request(
rc = -1;
}
if ( rc ) {
+ ber_free( ber, 1 );
LDAP_CONN_UNLOCK_IF(m_noconn);
return rc;
}
--
2.19.1


@ -0,0 +1,68 @@
From 09aea7d84492dbfe61adf197214f206d99b43469 Mon Sep 17 00:00:00 2001
From: Howard Chu <hyc@openldap.org>
Date: Wed, 5 Dec 2018 10:41:47 +0000
Subject: [PATCH 062/109] ITS#8752 (maybe related)
Avoid incremental access to user-supplied bv in dupbv
---
libraries/liblber/memory.c | 27 ++++++++++++++++-----------
1 file changed, 16 insertions(+), 11 deletions(-)
diff --git a/libraries/liblber/memory.c b/libraries/liblber/memory.c
index a99f5044c..aa1d1e123 100644
--- a/libraries/liblber/memory.c
+++ b/libraries/liblber/memory.c
@@ -482,7 +482,7 @@ struct berval *
ber_dupbv_x(
struct berval *dst, struct berval *src, void *ctx )
{
- struct berval *new;
+ struct berval *new, tmp;
if( src == NULL ) {
ber_errno = LBER_ERROR_PARAM;
@@ -490,7 +490,7 @@ ber_dupbv_x(
}
if ( dst ) {
- new = dst;
+ new = &tmp;
} else {
if(( new = ber_memalloc_x( sizeof(struct berval), ctx )) == NULL ) {
return NULL;
@@ -500,18 +500,23 @@ ber_dupbv_x(
if ( src->bv_val == NULL ) {
new->bv_val = NULL;
new->bv_len = 0;
- return new;
- }
+ } else {
- if(( new->bv_val = ber_memalloc_x( src->bv_len + 1, ctx )) == NULL ) {
- if ( !dst )
- ber_memfree_x( new, ctx );
- return NULL;
+ if(( new->bv_val = ber_memalloc_x( src->bv_len + 1, ctx )) == NULL ) {
+ if ( !dst )
+ ber_memfree_x( new, ctx );
+ return NULL;
+ }
+
+ AC_MEMCPY( new->bv_val, src->bv_val, src->bv_len );
+ new->bv_val[src->bv_len] = '\0';
+ new->bv_len = src->bv_len;
}
- AC_MEMCPY( new->bv_val, src->bv_val, src->bv_len );
- new->bv_val[src->bv_len] = '\0';
- new->bv_len = src->bv_len;
+ if ( dst ) {
+ *dst = *new;
+ new = dst;
+ }
return new;
}
--
2.19.1
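Review bot: The rewritten ber_dupbv_x still reads `src->bv_len` three times (allocation size, memcpy length, stored length) although the stated goal is to avoid incremental access to the user-supplied bv; if `src` can change underneath the call, the buffer size and the copy length can disagree. Caching it once, `ber_len_t len = src->bv_len;` before the allocation and using `len` for `ber_memalloc_x`, `AC_MEMCPY`, the terminator index and `new->bv_len`, keeps the three in step. The `tmp`-then-assign structure does fix the `dst == src` case the subject refers to, since `src->bv_val` is no longer overwritten before it is copied.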


@ -0,0 +1,60 @@
From 1f33a6d9109792c0a2c88793092264080fe856b0 Mon Sep 17 00:00:00 2001
From: Howard Chu <hyc@openldap.org>
Date: Fri, 22 Jun 2018 16:30:13 +0100
Subject: [PATCH 038/109] ITS#8756 remove loose pg from dirty list in
freelist_save
---
libraries/liblmdb/mdb.c | 33 ++++++++++++++++++++++++++++++++-
1 file changed, 32 insertions(+), 1 deletion(-)
diff --git a/libraries/liblmdb/mdb.c b/libraries/liblmdb/mdb.c
index 0662f2d8b..e12af4482 100644
--- a/libraries/liblmdb/mdb.c
+++ b/libraries/liblmdb/mdb.c
@@ -3094,10 +3094,41 @@ mdb_freelist_save(MDB_txn *txn)
* we may be unable to return them to me_pghead.
*/
MDB_page *mp = txn->mt_loose_pgs;
+ MDB_ID2 *dl = txn->mt_u.dirty_list;
+ unsigned x;
if ((rc = mdb_midl_need(&txn->mt_free_pgs, txn->mt_loose_count)) != 0)
return rc;
- for (; mp; mp = NEXT_LOOSE_PAGE(mp))
+ for (; mp; mp = NEXT_LOOSE_PAGE(mp)) {
mdb_midl_xappend(txn->mt_free_pgs, mp->mp_pgno);
+ /* must also remove from dirty list */
+ if (txn->mt_flags & MDB_TXN_WRITEMAP) {
+ for (x=1; x<=dl[0].mid; x++)
+ if (dl[x].mid == mp->mp_pgno)
+ break;
+ mdb_tassert(txn, x <= dl[0].mid);
+ } else {
+ x = mdb_mid2l_search(dl, mp->mp_pgno);
+ mdb_tassert(txn, dl[x].mid == mp->mp_pgno);
+ }
+ dl[x].mptr = NULL;
+ mdb_dpage_free(env, mp);
+ }
+ {
+ /* squash freed slots out of the dirty list */
+ unsigned y;
+ for (y=1; dl[y].mptr && y <= dl[0].mid; y++);
+ if (y <= dl[0].mid) {
+ for(x=y, y++;;) {
+ while (!dl[y].mptr && y <= dl[0].mid) y++;
+ if (y > dl[0].mid) break;
+ dl[x++] = dl[y++];
+ }
+ dl[0].mid = x-1;
+ } else {
+ /* all slots freed */
+ dl[0].mid = 0;
+ }
+ }
txn->mt_loose_pgs = NULL;
txn->mt_loose_count = 0;
}
--
2.19.1
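Review bot: Both scan loops in the added squash block test `dl[y].mptr` before `y <= dl[0].mid`, so when the trailing in-use slots are all NULL (or, in the first loop, none is) the element `dl[dl[0].mid + 1]` is read before the bound is checked. That is one past the used part of the dirty list; whether it is still inside the allocation depends on the list's capacity, which is not visible here. Swapping the operands, `for (y=1; y <= dl[0].mid && dl[y].mptr; y++);` and `while (y <= dl[0].mid && !dl[y].mptr) y++;`, removes the dependence on that. mdb_freelist_save starts and ends outside the hunk.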


@ -0,0 +1,29 @@
From 59681e0eb305262aeb93675c66f21727bfc7ab98 Mon Sep 17 00:00:00 2001
From: Quanah Gibson-Mount <quanah@openldap.org>
Date: Mon, 30 Apr 2018 17:27:36 +0000
Subject: [PATCH 009/109] ITS#8840 Fix domainScope control to ensure the
control value is absent as per Microsoft specification
(https://msdn.microsoft.com/en-us/library/aa366979%28v=vs.85%29.aspx).
---
servers/slapd/controls.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/servers/slapd/controls.c b/servers/slapd/controls.c
index b8edd39bc..16b580633 100644
--- a/servers/slapd/controls.c
+++ b/servers/slapd/controls.c
@@ -1660,8 +1660,8 @@ static int parseDomainScope (
return LDAP_PROTOCOL_ERROR;
}
- if ( BER_BVISNULL( &ctrl->ldctl_value )) {
- rs->sr_text = "domainScope control value not empty";
+ if ( !BER_BVISNULL( &ctrl->ldctl_value )) {
+ rs->sr_text = "domainScope control value not absent";
return LDAP_PROTOCOL_ERROR;
}
--
2.19.1


@ -0,0 +1,36 @@
From 849f937d0aaf5911d438c49ccde2b036b62362d5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ond=C5=99ej=20Kuzn=C3=ADk?= <ondra@openldap.org>
Date: Thu, 21 Jun 2018 16:01:43 +0100
Subject: [PATCH 025/109] ITS#8842 Do some printability checks on the dc RDN
---
libraries/libldap/getdn.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/libraries/libldap/getdn.c b/libraries/libldap/getdn.c
index 16ecd3055..69ff62ac8 100644
--- a/libraries/libldap/getdn.c
+++ b/libraries/libldap/getdn.c
@@ -27,6 +27,7 @@
#include "ldap-int.h"
#include "ldap_schema.h"
+#include "ldif.h"
/* extension to UFN that turns trailing "dc=value" rdns in DNS style,
* e.g. "ou=People,dc=openldap,dc=org" => "People, openldap.org" */
@@ -2478,6 +2479,11 @@ dn2domain( LDAPDN dn, struct berval *bv, int pos, int *iRDN )
break;
}
+ if ( ldif_is_not_printable( ava->la_value.bv_val, ava->la_value.bv_len ) ) {
+ domain = 0;
+ break;
+ }
+
domain = 1;
if ( first ) {
--
2.19.1


@ -0,0 +1,24 @@
From cc24cf620470e600d31fd68f63decae82b9745f3 Mon Sep 17 00:00:00 2001
From: Howard Chu <hyc@openldap.org>
Date: Wed, 2 May 2018 16:51:49 +0100
Subject: [PATCH 011/109] ITS#8843 check for NULL modlist
---
servers/slapd/overlays/syncprov.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/servers/slapd/overlays/syncprov.c b/servers/slapd/overlays/syncprov.c
index 684421fb9..9051ec9c9 100644
--- a/servers/slapd/overlays/syncprov.c
+++ b/servers/slapd/overlays/syncprov.c
@@ -1924,6 +1924,7 @@ syncprov_op_response( Operation *op, SlapReply *rs )
/* Don't do any processing for consumer contextCSN updates */
if ( SLAPD_SYNC_IS_SYNCCONN( op->o_connid ) &&
op->o_tag == LDAP_REQ_MODIFY &&
+ op->orm_modlist &&
op->orm_modlist->sml_op == LDAP_MOD_REPLACE &&
op->orm_modlist->sml_desc == slap_schema.si_ad_contextCSN ) {
/* Catch contextCSN updates from syncrepl. We have to look at
--
2.19.1


@ -0,0 +1,30 @@
diff --git a/libraries/liblber/io.c b/libraries/liblber/io.c
index e44a46c..8477794 100644
--- a/libraries/liblber/io.c
+++ b/libraries/liblber/io.c
@@ -128,7 +128,7 @@ ber_write(
int
ber_realloc( BerElement *ber, ber_len_t len )
{
- ber_len_t total, offset, sos_offset;
+ ber_len_t total, offset, sos_offset, rw_offset;
char *buf;
assert( ber != NULL );
@@ -165,6 +165,7 @@ ber_realloc( BerElement *ber, ber_len_t len )
offset = ber->ber_ptr - buf;
sos_offset = ber->ber_sos_ptr ? ber->ber_sos_ptr - buf : 0;
/* if ber_sos_ptr != NULL, it is > ber_buf so that sos_offset > 0 */
+ rw_offset = ber->ber_rwptr ? ber->ber_rwptr - buf : 0;
buf = (char *) ber_memrealloc_x( buf, total, ber->ber_memctx );
if ( buf == NULL ) {
@@ -176,6 +177,8 @@ ber_realloc( BerElement *ber, ber_len_t len )
ber->ber_ptr = buf + offset;
if ( sos_offset )
ber->ber_sos_ptr = buf + sos_offset;
+ if ( ber->ber_rwptr )
+ ber->ber_rwptr = buf + rw_offset;
return( 0 );
}


@ -0,0 +1,35 @@
From 110409ea828b6806c2003702b300652f2290d3d4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ond=C5=99ej=20Kuzn=C3=ADk?= <ondra@openldap.org>
Date: Thu, 8 Nov 2018 11:09:38 +0000
Subject: [PATCH 054/109] ITS#8878 Include the first character in the
transformation
---
contrib/slapd-modules/passwd/pbkdf2/pw-pbkdf2.c | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/contrib/slapd-modules/passwd/pbkdf2/pw-pbkdf2.c b/contrib/slapd-modules/passwd/pbkdf2/pw-pbkdf2.c
index 262534b7d..5f4a0271f 100644
--- a/contrib/slapd-modules/passwd/pbkdf2/pw-pbkdf2.c
+++ b/contrib/slapd-modules/passwd/pbkdf2/pw-pbkdf2.c
@@ -59,15 +59,14 @@ const struct berval pbkdf2_sha512_scheme = BER_BVC("{PBKDF2-SHA512}");
static int b64_to_ab64(char *str)
{
char *p = str;
- while(*p++){
+ do {
if(*p == '+'){
*p = '.';
}
if(*p == '='){
*p = '\0';
- break;
}
- }
+ } while(*p++);
return 0;
}
--
2.19.1


@ -0,0 +1,26 @@
From 324fdd0c41fca50bd0bfacead6b5b7583ac233dc Mon Sep 17 00:00:00 2001
From: Howard Chu <hyc@openldap.org>
Date: Wed, 29 Aug 2018 02:02:13 +0100
Subject: [PATCH 033/109] ITS#8909 additional tweak
Set error code on failure
---
servers/slapd/saslauthz.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/servers/slapd/saslauthz.c b/servers/slapd/saslauthz.c
index e4a74ea7f..d80370ff9 100644
--- a/servers/slapd/saslauthz.c
+++ b/servers/slapd/saslauthz.c
@@ -2075,6 +2075,8 @@ int slap_sasl_authorized( Operation *op,
rc = slap_sasl_check_authz( op, authcDN, authzDN,
slap_schema.si_ad_saslAuthzTo, authcDN );
if(( rc == LDAP_SUCCESS ) ^ (( authz_policy & SASL_AUTHZ_AND) != 0)) {
+ if( rc != LDAP_SUCCESS )
+ rc = LDAP_INAPPROPRIATE_AUTH;
goto DONE;
}
}
--
2.19.1
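Review bot: The context line `if(( rc == LDAP_SUCCESS ) ^ (( authz_policy & SASL_AUTHZ_AND) != 0)) {` in this hunk is itself introduced by the other ITS#8909 patch in this commit (upstream 031/109, "fix authz-policy all condition"), so this patch (033/109) only applies after it, while the listing here shows the tweak first. Whether a series file enforces the upstream order is not visible in this commit; a line such as `Depends on: the ITS#8909 "authz-policy all" fix (upstream 031/109)` in this patch's description would make the requirement explicit. The added lines themselves, mapping a failed authzTo check to LDAP_INAPPROPRIATE_AUTH, are consistent with the subject.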


@ -0,0 +1,26 @@
From 37df43786bbb1918e28f3fb0117e58dd9d96cd1c Mon Sep 17 00:00:00 2001
From: Howard Chu <hyc@openldap.org>
Date: Wed, 29 Aug 2018 01:13:05 +0100
Subject: [PATCH 031/109] ITS#8909 fix "authz-policy all" condition
Broken since original commit 113727ba
---
servers/slapd/saslauthz.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/servers/slapd/saslauthz.c b/servers/slapd/saslauthz.c
index e1ea0a1e9..e4a74ea7f 100644
--- a/servers/slapd/saslauthz.c
+++ b/servers/slapd/saslauthz.c
@@ -2074,7 +2074,7 @@ int slap_sasl_authorized( Operation *op,
if( authz_policy & SASL_AUTHZ_TO ) {
rc = slap_sasl_check_authz( op, authcDN, authzDN,
slap_schema.si_ad_saslAuthzTo, authcDN );
- if( rc == LDAP_SUCCESS && !(authz_policy & SASL_AUTHZ_AND) ) {
+ if(( rc == LDAP_SUCCESS ) ^ (( authz_policy & SASL_AUTHZ_AND) != 0)) {
goto DONE;
}
}
--
2.19.1

25
ITS-8918-fix-typo.patch Normal file

@ -0,0 +1,25 @@
From 83ade79c715dd9516dd2ba0675094b86d630c7b8 Mon Sep 17 00:00:00 2001
From: Howard Chu <hyc@openldap.org>
Date: Mon, 24 Sep 2018 13:47:09 +0100
Subject: [PATCH 046/109] ITS#8918 fix typo
---
servers/slapd/sasl.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/servers/slapd/sasl.c b/servers/slapd/sasl.c
index 73ac2a8a8..64e64d1d9 100644
--- a/servers/slapd/sasl.c
+++ b/servers/slapd/sasl.c
@@ -323,7 +323,7 @@ slap_auxprop_lookup(
/* we don't know anything about this, ignore it */
if ( !conn ) {
- rc == LDAP_SUCCESS;
+ rc = LDAP_SUCCESS;
goto done;
}
--
2.19.1


@ -0,0 +1,70 @@
From 84e0958b28fccb5cc36de90094aebc6902145c07 Mon Sep 17 00:00:00 2001
From: Howard Chu <hyc@openldap.org>
Date: Wed, 3 Oct 2018 21:58:32 +0100
Subject: [PATCH 049/109] ITS#8923 fix dyngroup NO_SUCH_OBJECT error handling
---
servers/slapd/backend.c | 2 +-
tests/data/dynlist.out | 3 +++
tests/scripts/test044-dynlist | 9 +++++----
3 files changed, 9 insertions(+), 5 deletions(-)
diff --git a/servers/slapd/backend.c b/servers/slapd/backend.c
index 445a2cb57..0a3dafab8 100644
--- a/servers/slapd/backend.c
+++ b/servers/slapd/backend.c
@@ -1520,7 +1520,7 @@ fe_acl_group(
op->o_private = o_priv;
if ( rc2 != 0 ) {
/* give up... */
- rc = LDAP_OTHER;
+ rc = (rc2 == LDAP_NO_SUCH_OBJECT) ? rc2 : LDAP_OTHER;
goto loopit;
}
}
diff --git a/tests/data/dynlist.out b/tests/data/dynlist.out
index 429039b67..8caf0e22f 100644
--- a/tests/data/dynlist.out
+++ b/tests/data/dynlist.out
@@ -198,6 +198,9 @@ memberURL: ldap:///ou=People,dc=example,dc=com??sub?(objectClass=person)
# Testing list compare...
TRUE
+# Testing list compare... (should return FALSE)
+FALSE
+
# Testing list compare (should return FALSE)...
FALSE
diff --git a/tests/scripts/test044-dynlist b/tests/scripts/test044-dynlist
index e5a0c47dc..8caf50ded 100755
--- a/tests/scripts/test044-dynlist
+++ b/tests/scripts/test044-dynlist
@@ -477,12 +477,12 @@ $LDAPCOMPARE -h $LOCALHOST -p $PORT1 \
RC=$?
case $RC in
5)
- echo "ldapcompare returned FALSE ($RC)!"
- test $KILLSERVERS != no && kill -HUP $KILLPIDS
- exit $RC
+ echo "ldapcompare returned FALSE ($RC)"
;;
6)
- echo "ldapcompare returned TRUE ($RC)"
+ echo "ldapcompare returned TRUE ($RC)!"
+ test $KILLSERVERS != no && kill -HUP $KILLPIDS
+ exit $RC
;;
0)
echo "ldapcompare returned success ($RC)!"
@@ -497,6 +497,7 @@ case $RC in
esac
echo "" >> $SEARCHOUT
+CMPDN="$BJORNSDN"
echo "Testing list compare (should return FALSE)..."
echo "# Testing list compare (should return FALSE)..." >> $SEARCHOUT
$LDAPCOMPARE -h $LOCALHOST -p $PORT1 \
--
2.19.1


@ -0,0 +1,29 @@
From 84a844cfd294a93b4fa2516a82d4f0e35e2c3d3d Mon Sep 17 00:00:00 2001
From: Howard Chu <hyc@openldap.org>
Date: Fri, 9 Nov 2018 21:16:10 +0000
Subject: [PATCH 066/109] ITS#8932 check rdnNormalize success
---
servers/slapd/bconfig.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/servers/slapd/bconfig.c b/servers/slapd/bconfig.c
index 250f14100..4c7d53935 100644
--- a/servers/slapd/bconfig.c
+++ b/servers/slapd/bconfig.c
@@ -4609,7 +4609,11 @@ config_renumber_one( Operation *op, SlapReply *rs, CfEntryInfo *parent,
/* Do the equivalent of ModRDN */
/* Replace DN / NDN */
newrdn.bv_len = ptr1 - newrdn.bv_val;
- rdnNormalize( 0, NULL, NULL, &newrdn, &nnewrdn, NULL );
+ rc = rdnNormalize( 0, NULL, NULL, &newrdn, &nnewrdn, NULL );
+ if ( rc ) {
+ free( newrdn.bv_val );
+ return LDAP_NAMING_VIOLATION;
+ }
rc = config_rename_one( op, rs, e, parent, a, &newrdn, &nnewrdn, use_ldif );
free( nnewrdn.bv_val );
--
2.19.1


@ -0,0 +1,32 @@
From 42d441c810d7b6a6d72625d919e944a38363d6c8 Mon Sep 17 00:00:00 2001
From: Quanah Gibson-Mount <quanah@openldap.org>
Date: Mon, 31 Dec 2018 18:24:12 +0000
Subject: [PATCH 078/109] ITS#8948 - Fix BDB lib to only be linked with static
backend
---
configure.in | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/configure.in b/configure.in
index 2a4d29f78..2bd2a4382 100644
--- a/configure.in
+++ b/configure.in
@@ -1899,7 +1899,13 @@ if test $ol_enable_bdb/$ol_enable_hdb != no/no; then
BDB_LIBS="$BDB_LIBS $ol_cv_lib_db"
fi
- SLAPD_LIBS="$SLAPD_LIBS \$(BDB_LIBS)"
+ dnl link BDB library to slapd when there is a
+ dnl static BDB based backend in use
+ if test $ol_enable_bdb/$ol_enable_hdb != mod/mod ; then
+ if test $ol_enable_bdb = yes -o $ol_enable_hdb = yes ; then
+ SLAPD_LIBS="$SLAPD_LIBS \$(BDB_LIBS)"
+ fi
+ fi
ol_link_bdb=yes
fi
--
2.19.1


@ -0,0 +1,26 @@
From a5a8739b4436b27387c652a8f423b582516d841a Mon Sep 17 00:00:00 2001
From: Quanah Gibson-Mount <quanah@openldap.org>
Date: Thu, 31 Jan 2019 02:33:17 +0000
Subject: [PATCH 100/109] ITS#8957 - Fix ASYNC TLS
Fix ASYNC TLS by correctly handling a return code of -2 in addition to 0
---
libraries/libldap/open.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libraries/libldap/open.c b/libraries/libldap/open.c
index 67a9353f9..5d70678d6 100644
--- a/libraries/libldap/open.c
+++ b/libraries/libldap/open.c
@@ -440,7 +440,7 @@ ldap_int_open_connection(
#endif
#ifdef HAVE_TLS
- if (rc == 0 && ( ld->ld_options.ldo_tls_mode == LDAP_OPT_X_TLS_HARD ||
+ if ((rc == 0 || rc == -2) && ( ld->ld_options.ldo_tls_mode == LDAP_OPT_X_TLS_HARD ||
strcmp( srv->lud_scheme, "ldaps" ) == 0 ))
{
++conn->lconn_refcnt; /* avoid premature free */
--
2.19.1
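Review bot: The new condition accepts `rc == -2` next to `rc == 0` with no explanation at the use site; only the patch description says the value matters for async connections, and even that does not say what -2 denotes. A short comment on the changed line, `/* -2: async connect presumably still in progress -- confirm against the producer of -2 */`, would save the next reader a search; the code that returns -2 is not on the page. ldap_int_open_connection begins and ends outside the hunk.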


@ -0,0 +1,102 @@
From d4a0a9b3a65bd1ce721d55845d4240942d17538b Mon Sep 17 00:00:00 2001
From: Vernon Smith <vsmith@interlinknetworks.com>
Date: Tue, 19 Feb 2019 05:57:00 +0000
Subject: [PATCH 109/109] ITS#8980 fix async connections with non-blocking TLS
---
libraries/libldap/os-ip.c | 2 +-
libraries/libldap/tls2.c | 17 ++++++++++++-----
libraries/libldap/tls_o.c | 14 +++++++++++++-
3 files changed, 26 insertions(+), 7 deletions(-)
diff --git a/libraries/libldap/os-ip.c b/libraries/libldap/os-ip.c
index a823cc626..cb7b0a3b2 100644
--- a/libraries/libldap/os-ip.c
+++ b/libraries/libldap/os-ip.c
@@ -443,7 +443,7 @@ ldap_pvt_connect(LDAP *ld, ber_socket_t s,
if ( connect(s, sin, addrlen) != AC_SOCKET_ERROR ) {
osip_debug(ld, "connect success\n", 0, 0, 0);
- if ( opt_tv && ldap_pvt_ndelay_off(ld, s) == -1 )
+ if ( !async && opt_tv && ldap_pvt_ndelay_off(ld, s) == -1 )
return ( -1 );
return ( 0 );
}
diff --git a/libraries/libldap/tls2.c b/libraries/libldap/tls2.c
index 96da4d421..bc93e4d63 100644
--- a/libraries/libldap/tls2.c
+++ b/libraries/libldap/tls2.c
@@ -826,7 +826,7 @@ ldap_int_tls_start ( LDAP *ld, LDAPConn *conn, LDAPURLDesc *srv )
Sockbuf *sb;
char *host;
void *ssl;
- int ret;
+ int ret, async;
#ifdef LDAP_USE_NON_BLOCKING_TLS
struct timeval start_time_tv, tv, tv0;
ber_socket_t sd = AC_SOCKET_ERROR;
@@ -853,8 +853,12 @@ ldap_int_tls_start ( LDAP *ld, LDAPConn *conn, LDAPURLDesc *srv )
/*
* Use non-blocking io during SSL Handshake when a timeout is configured
*/
+ async = LDAP_BOOL_GET( &ld->ld_options, LDAP_BOOL_CONNECT_ASYNC );
if ( ld->ld_options.ldo_tm_net.tv_sec >= 0 ) {
- ber_sockbuf_ctrl( sb, LBER_SB_OPT_SET_NONBLOCK, (void*)1 );
+ if ( !async ) {
+ /* if async, this has already been set */
+ ber_sockbuf_ctrl( sb, LBER_SB_OPT_SET_NONBLOCK, (void*)1 );
+ }
ber_sockbuf_ctrl( sb, LBER_SB_OPT_GET_FD, &sd );
tv = ld->ld_options.ldo_tm_net;
tv0 = tv;
@@ -888,8 +892,10 @@ ldap_int_tls_start ( LDAP *ld, LDAPConn *conn, LDAPURLDesc *srv )
ld->ld_errno = LDAP_TIMEOUT;
break;
} else {
- /* ldap_int_poll called ldap_pvt_ndelay_off */
- ber_sockbuf_ctrl( sb, LBER_SB_OPT_SET_NONBLOCK, (void*)1 );
+ /* ldap_int_poll called ldap_pvt_ndelay_off if not async */
+ if ( !async ) {
+ ber_sockbuf_ctrl( sb, LBER_SB_OPT_SET_NONBLOCK, (void*)1 );
+ }
ret = ldap_int_tls_connect( ld, conn, host );
if ( ret > 0 ) { /* need to call tls_connect once more */
struct timeval curr_time_tv, delta_tv;
@@ -936,7 +942,8 @@ ldap_int_tls_start ( LDAP *ld, LDAPConn *conn, LDAPURLDesc *srv )
}
}
}
- if ( ld->ld_options.ldo_tm_net.tv_sec >= 0 ) {
+ /* Leave it nonblocking if async */
+ if ( !async && ld->ld_options.ldo_tm_net.tv_sec >= 0 ) {
ber_sockbuf_ctrl( sb, LBER_SB_OPT_SET_NONBLOCK, NULL );
}
#endif /* LDAP_USE_NON_BLOCKING_TLS */
diff --git a/libraries/libldap/tls_o.c b/libraries/libldap/tls_o.c
index 2b0c021a6..b10121d3a 100644
--- a/libraries/libldap/tls_o.c
+++ b/libraries/libldap/tls_o.c
@@ -452,7 +452,19 @@ tlso_session_connect( LDAP *ld, tls_session *sess )
tlso_session *s = (tlso_session *)sess;
/* Caller expects 0 = success, OpenSSL returns 1 = success */
- return SSL_connect( s ) - 1;
+ int rc = SSL_connect( s ) - 1;
+#ifdef LDAP_USE_NON_BLOCKING_TLS
+ if ( rc < 0 ) {
+ int sockerr = sock_errno();
+ int sslerr = SSL_get_error( s, rc+1 );
+ if ( sslerr == SSL_ERROR_WANT_READ || sslerr == SSL_ERROR_WANT_WRITE ) {
+ rc = 0;
+ } else if ( sslerr == SSL_ERROR_SYSCALL &&
+ ( sockerr == EAGAIN || sockerr == ENOTCONN )) {
+ rc = 0;
+ }
+ }
+#endif /* LDAP_USE_NON_BLOCKING_TLS */
}
static int
--
2.19.1


@ -0,0 +1,38 @@
diff --git a/configure.in b/configure.in
index 2134171..c643891 100644
--- a/configure.in
+++ b/configure.in
@@ -1230,28 +1230,16 @@ if test $ol_link_tls = no ; then
fi
fi
-dnl NOTE: caller must specify -I/path/to/nspr4 and -I/path/to/nss3
-dnl and -L/path/to/nspr4 libs and -L/path/to/nss3 libs if those libs
-dnl are not in the default system location
if test $ol_link_tls = no ; then
if test $ol_with_tls = moznss || test $ol_with_tls = auto ; then
- have_moznss=no
- AC_CHECK_HEADERS([nssutil.h])
- if test "$ac_cv_header_nssutil_h" = yes ; then
- AC_CHECK_LIB([nss3], [NSS_Initialize],
- [ have_moznss=yes ], [ have_moznss=no ])
- fi
+ PKG_CHECK_MODULES(MOZNSS, [nss nspr], [have_moznss=yes], [have_moznss=no])
- if test "$have_moznss" = yes ; then
+ if test $have_moznss = yes ; then
ol_with_tls=moznss
ol_link_tls=yes
- AC_DEFINE(HAVE_MOZNSS, 1,
- [define if you have MozNSS])
- TLS_LIBS="-lssl3 -lsmime3 -lnss3 -lnssutil3 -lplds4 -lplc4 -lnspr4"
- else
- if test $ol_with_tls = moznss ; then
- AC_MSG_ERROR([MozNSS not found - please specify the location to the NSPR and NSS header files in CPPFLAGS and the location to the NSPR and NSS libraries in LDFLAGS (if not in the system location)])
- fi
+ AC_DEFINE(HAVE_MOZNSS, 1, [define if you have MozNSS])
+ TLS_LIBS="$MOZNSS_LIBS"
+ CFLAGS="$CFLAGS $MOZNSS_CFLAGS"
fi
fi
fi
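Review bot: The explicit-request failure path is gone: the removed `AC_MSG_ERROR` branch has no replacement, so when `PKG_CHECK_MODULES(MOZNSS, [nss nspr], ...)` fails and the user asked for `--with-tls=moznss`, configure now just leaves `ol_link_tls=no` and carries on, unless a later check outside this hunk catches it. A build can thereby end up without the TLS backend that was explicitly requested, which is the kind of silent downgrade a packager wants to fail loudly. Restoring an else branch after the `if test $have_moznss = yes` block keeps the old behaviour: `else if test $ol_with_tls = moznss ; then AC_MSG_ERROR([MozNSS not found - check that the nss and nspr pkg-config files are on PKG_CONFIG_PATH]) fi` (message reworded for the pkg-config path). The surrounding `ol_link_tls` chain continues outside the hunk.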


@ -0,0 +1,22 @@
diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c
index fb5554e..7d5ffea 100644
--- a/libraries/libldap/tls_m.c
+++ b/libraries/libldap/tls_m.c
@@ -557,7 +557,16 @@ nss_parse_ciphers(const char *cipherstr, int cipher_list[ciphernum])
}
} else if (!strcmp(cipher, "DEFAULT")) {
for (i=0; i<ciphernum; i++) {
- cipher_list[i] = ciphers_def[i].enabled == SSL_ALLOWED ? 1 : 0;
+ PRBool enabled;
+ if (SSL_CipherPrefGetDefault(ciphers_def[i].num, &enabled) == SECSuccess) {
+ if (!(ciphers_def[i].attr & SSL_eNULL)) {
+ cipher_list[i] = enabled == SSL_ALLOWED ? 1 : 0;
+ } else {
+ cipher_list[i] = -1;
+ }
+ } else {
+ cipher_list[i] = -1;
+ }
}
} else {
int mask = 0;
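Review bot: `enabled` is a `PRBool` filled by `SSL_CipherPrefGetDefault`, yet the new line compares it with `SSL_ALLOWED`, a cipher-policy constant from a different NSS enumeration; as far as I recall both happen to be 1, which is the only reason this works. `cipher_list[i] = enabled ? 1 : 0;` says what is meant without relying on that coincidence. The `-1` sentinel is now written in two situations (NULL ciphers, and any cipher NSS could not report on) with no explanation, while the mask loop later in the function skips `-1` entries; a comment above the `for`, e.g. `/* -1: leave disabled and let no later token re-enable it (NULL ciphers, or ids NSS could not query) */`, would make that contract visible. nss_parse_ciphers begins and ends outside the hunk.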


@ -0,0 +1,236 @@
diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c
index bba215a..3139eaf 100644
--- a/libraries/libldap/tls_m.c
+++ b/libraries/libldap/tls_m.c
@@ -222,7 +222,6 @@ typedef struct {
/* cipher attributes */
#define SSL_kRSA 0x00000001L
#define SSL_aRSA 0x00000002L
-#define SSL_RSA (SSL_kRSA|SSL_aRSA)
#define SSL_aDSA 0x00000004L
#define SSL_DSA SSL_aDSA
#define SSL_eNULL 0x00000008L
@@ -232,19 +231,27 @@ typedef struct {
#define SSL_RC2 0x00000080L
#define SSL_AES128 0x00000100L
#define SSL_AES256 0x00000200L
-#define SSL_AES (SSL_AES128|SSL_AES256)
#define SSL_MD5 0x00000400L
#define SSL_SHA1 0x00000800L
#define SSL_kEDH 0x00001000L
#define SSL_CAMELLIA128 0x00002000L
#define SSL_CAMELLIA256 0x00004000L
-#define SSL_CAMELLIA (SSL_CAMELLIA128|SSL_CAMELLIA256)
#define SSL_SEED 0x00008000L
#define SSL_kECDH 0x00010000L
#define SSL_kECDHE 0x00020000L
#define SSL_aECDSA 0x00040000L
#define SSL_SHA256 0x00080000L
#define SSL_SHA384 0x00100000L
+#define SSL_kEECDH 0x00200000L
+#define SSL_AESGCM 0x00400000L
+#define SSL_AEAD 0x00800000L
+#define SSL_CHACHA20POLY1305 0x02000000L
+
+/* cipher attributes non-unique - do not use for definitions */
+#define SSL_RSA 0x00000001L
+#define SSL_AES 0x00000002L
+#define SSL_CAMELLIA 0x00000004L
+#define SSL_ECDH 0x00000008L
/* cipher strength */
#define SSL_NULL 0x00000001L
@@ -254,6 +261,9 @@ typedef struct {
#define SSL_MEDIUM 0x00000010L
#define SSL_HIGH 0x00000020L
+/* cipher strengths non-unique - do not use for definitions */
+#define SSL_EXPORT 0x00000001L
+
#define SSL2 0x00000001L
#define SSL3 0x00000002L
/* OpenSSL treats SSL3 and TLSv1 the same */
@@ -623,10 +633,12 @@ nss_parse_ciphers(const char *cipherstr, int cipher_list[ciphernum])
while ((*cipher) && (isspace(*cipher)))
++cipher;
- action = 1;
switch(*cipher) {
- case '+': /* Add something */
- action = 1;
+ case '+': /* Do nothig. NSS does not support ordering. */
+ Debug( LDAP_DEBUG_ARGS,
+ "TLS: warning: parsing cipher string: ordering is not supported by NSS.\n",
+ 0, 0, 0 );
+ action = 2;
cipher++;
break;
case '-': /* Subtract something */
@@ -637,8 +649,8 @@ nss_parse_ciphers(const char *cipherstr, int cipher_list[ciphernum])
action = -1;
cipher++;
break;
- default:
- /* do nothing */
+ default: /* Add something */
+ action = 1;
break;
}
@@ -672,7 +684,10 @@ nss_parse_ciphers(const char *cipherstr, int cipher_list[ciphernum])
}
} else {
int mask = 0;
+ int multi_mask = 0;
+ int negative_mask = 0;
int strength = 0;
+ int multi_strength = 0;
int protocol = 0;
char *c;
@@ -683,16 +698,21 @@ nss_parse_ciphers(const char *cipherstr, int cipher_list[ciphernum])
*c++ = '\0';
}
- if (!strcmp(cipher, "RSA")) {
- mask |= SSL_RSA;
+ if ((!strcmp(cipher, "RSA")) || (!strcmp(cipher, "kRSA"))) {
+ mask |= SSL_kRSA;
+ } else if (!strcmp(cipher, "aRSA")) {
+ mask |= SSL_aRSA;
+ negative_mask |= SSL_kECDH;
} else if ((!strcmp(cipher, "NULL")) || (!strcmp(cipher, "eNULL"))) {
mask |= SSL_eNULL;
} else if (!strcmp(cipher, "AES128")) {
mask |= SSL_AES128;
} else if (!strcmp(cipher, "AES256")) {
mask |= SSL_AES256;
+ } else if (!strcmp(cipher, "AESGCM")) {
+ mask |= SSL_AESGCM;
} else if (!strcmp(cipher, "AES")) {
- mask |= SSL_AES;
+ multi_mask |= SSL_AES;
} else if (!strcmp(cipher, "3DES")) {
mask |= SSL_3DES;
} else if (!strcmp(cipher, "DES")) {
@@ -703,28 +723,45 @@ nss_parse_ciphers(const char *cipherstr, int cipher_list[ciphernum])
mask |= SSL_RC2;
} else if (!strcmp(cipher, "MD5")) {
mask |= SSL_MD5;
- } else if ((!strcmp(cipher, "SHA")) || (!strcmp(cipher, "SHA1"))) {
- mask |= SSL_SHA1;
} else if (!strcmp(cipher, "SHA256")) {
mask |= SSL_SHA256;
- } else if (!strcmp(cipher, "EDH")) {
+ } else if (!strcmp(cipher, "SHA384")) {
+ mask |= SSL_SHA384;
+ } else if ((!strcmp(cipher, "SHA")) || (!strcmp(cipher, "SHA1"))) {
+ mask |= SSL_SHA1;
+ } else if ((!strcmp(cipher, "EDH")) || (!strcmp(cipher, "DH"))) {
mask |= SSL_kEDH;
- } else if (!strcmp(cipher, "DSS")) {
+ } else if ((!strcmp(cipher, "DSS")) || (!strcmp(cipher, "aDSS"))) {
mask |= SSL_aDSA;
} else if (!strcmp(cipher, "CAMELLIA128")) {
mask |= SSL_CAMELLIA128;
} else if (!strcmp(cipher, "CAMELLIA256")) {
mask |= SSL_CAMELLIA256;
} else if (!strcmp(cipher, "CAMELLIA")) {
- mask |= SSL_CAMELLIA;
+ multi_mask |= SSL_CAMELLIA;
} else if (!strcmp(cipher, "SEED")) {
mask |= SSL_SEED;
- } else if (!strcmp(cipher, "ECDH")) {
+ } else if (!strcmp(cipher, "kECDHe")) {
+ mask |= SSL_kECDH|SSL_aECDSA;
+ } else if (!strcmp(cipher, "kECDHr")) {
+ mask |= SSL_kECDH|SSL_aRSA;
+ } else if (!strcmp(cipher, "kECDH")) {
mask |= SSL_kECDH;
+ } else if (!strcmp(cipher, "aECDH")) {
+ mask |= SSL_kECDH;
+ } else if (!strcmp(cipher, "EECDH")) {
+ mask |= SSL_kECDHE;
+ } else if (!strcmp(cipher, "kEECDH")) {
+ mask |= SSL_kECDHE;
} else if (!strcmp(cipher, "ECDHE")) {
mask |= SSL_kECDHE;
- } else if (!strcmp(cipher, "ECDSA")) {
+ } else if (!strcmp(cipher, "ECDH")) {
+ multi_mask |= SSL_ECDH;
+ } else if ((!strcmp(cipher, "ECDSA")) || (!strcmp(cipher, "aECDSA"))) {
mask |= SSL_aECDSA;
+ negative_mask |= SSL_kECDH;
+ } else if (!strcmp(cipher, "CHACHA20POLY1305")) {
+ mask |= SSL_CHACHA20POLY1305;
} else if (!strcmp(cipher, "SSLv2")) {
protocol |= SSL2;
} else if (!strcmp(cipher, "SSLv3")) {
@@ -739,12 +776,12 @@ nss_parse_ciphers(const char *cipherstr, int cipher_list[ciphernum])
strength |= SSL_MEDIUM;
} else if (!strcmp(cipher, "LOW")) {
strength |= SSL_LOW;
- } else if ((!strcmp(cipher, "EXPORT")) || (!strcmp(cipher, "EXP"))) {
- strength |= SSL_EXPORT40|SSL_EXPORT56;
} else if (!strcmp(cipher, "EXPORT40")) {
strength |= SSL_EXPORT40;
} else if (!strcmp(cipher, "EXPORT56")) {
strength |= SSL_EXPORT56;
+ } else if ((!strcmp(cipher, "EXPORT")) || (!strcmp(cipher, "EXP"))) {
+ multi_strength |= SSL_EXPORT;
}
if (c)
@@ -752,23 +789,39 @@ nss_parse_ciphers(const char *cipherstr, int cipher_list[ciphernum])
} /* while */
+ /* NSS does not support ordering */
+ if (action == 2)
+ continue;
+
/* If we have a mask, apply it. If not then perhaps they provided
* a specific cipher to enable.
+ * if more than one mask is provided then AND logic applies (to match openssl)
*/
- if (mask || strength || protocol) {
+ if (mask || negative_mask || multi_mask || strength || multi_strength || protocol) {
for (i=0; i<ciphernum; i++) {
- if (((ciphers_def[i].attr & mask) ||
- (ciphers_def[i].strength & strength) ||
- (ciphers_def[i].version & protocol)) &&
- (cipher_list[i] != -1)) {
- /* Enable the NULL ciphers only if explicity
- * requested */
- if (ciphers_def[i].attr & SSL_eNULL) {
- if (mask & SSL_eNULL)
- cipher_list[i] = action;
- } else
- cipher_list[i] = action;
- }
+ if ( cipher_list[i] == -1 )
+ continue;
+ if ( mask != (ciphers_def[i].attr & mask) )
+ continue;
+ if ( strength != (ciphers_def[i].strength & strength) )
+ continue;
+ if ( protocol != (ciphers_def[i].version & protocol) )
+ continue;
+ if ((multi_mask & SSL_AES) &&
+ !(ciphers_def[i].attr & (SSL_AES128|SSL_AES256|SSL_AESGCM)))
+ continue;
+ if ((multi_mask & SSL_ECDH) &&
+ !(ciphers_def[i].attr & (SSL_kECDH|SSL_kECDHE)))
+ continue;
+ if ((multi_mask & SSL_CAMELLIA) &&
+ !(ciphers_def[i].attr & (SSL_CAMELLIA128|SSL_CAMELLIA256)))
+ continue;
+ if ((multi_strength & SSL_EXPORT) &&
+ !(ciphers_def[i].strength & (SSL_EXPORT40|SSL_EXPORT56)))
+ continue;
+ if ( negative_mask & ciphers_def[i].attr )
+ continue;
+ cipher_list[i] = action;
}
} else {
for (i=0; i<ciphernum; i++) {
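Review bot: `SSL_kEECDH` (0x00200000L) is introduced in the attribute list but nothing in this patch sets it: both the `EECDH` and `kEECDH` tokens map to `SSL_kECDHE`, and the cipher table rows use `SSL_kECDHE` as well, so the new bit is either dead or the two tokens were meant to use it — worth settling before the bit is reused for something else. The comment on the `'+'` case also has a typo: `/* Do nothig. NSS does not support ordering. */` should read `/* Do nothing. NSS does not support ordering. */`. Redefining `SSL_RSA`, `SSL_AES`, `SSL_CAMELLIA` and `SSL_ECDH` to 0x1/0x2/0x4/0x8 makes them collide with `SSL_kRSA`/`SSL_aRSA`/`SSL_aDSA`/`SSL_eNULL`; that is only safe while they are OR-ed exclusively into `multi_mask`, so a comment at each use site such as `/* multi_mask value, not an attr bit */` would protect the invariant the header comment describes. nss_parse_ciphers runs past both ends of these hunks.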


@ -0,0 +1,30 @@
diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c
index 7d5ffea..4b2ecfa 100644
--- a/libraries/libldap/tls_m.c
+++ b/libraries/libldap/tls_m.c
@@ -1579,6 +1579,7 @@ tlsm_get_certdb_prefix( const char *certdir, char **realcertdir, char **prefix )
{
char sep = PR_GetDirectorySeparator();
char *ptr = NULL;
+ char *chkpath = NULL;
struct PRFileInfo prfi;
PRStatus prc;
@@ -1589,8 +1590,16 @@ tlsm_get_certdb_prefix( const char *certdir, char **realcertdir, char **prefix )
return;
}
- prc = PR_GetFileInfo( certdir, &prfi );
+ /* ignore database type prefix (e.g. sql:, dbm:) if provided */
+ chkpath = strchr( certdir, ':' );
+ if ( chkpath != NULL ) {
+ chkpath += 1;
+ } else {
+ chkpath = certdir;
+ }
+
/* if certdir exists (file or directory) then it cannot specify a prefix */
+ prc = PR_GetFileInfo( chkpath, &prfi );
if ( prc == PR_SUCCESS ) {
return;
}
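Review bot: `strchr( certdir, ':' )` skips everything up to the first colon anywhere in the string, not only the leading `sql:`/`dbm:` type prefix the comment describes, so a certdir whose own path contains a colon would have its existence checked at the wrong location. Matching the prefixes the comment names keeps the check to what it promises: `if ( strncmp( certdir, "sql:", 4 ) == 0 || strncmp( certdir, "dbm:", 4 ) == 0 ) chkpath = certdir + 4; else chkpath = certdir;` (extend the list if other NSS database types are accepted here). `chkpath` should also be declared `const char *`: `certdir` is `const char *`, so `chkpath = certdir;` discards the qualifier and draws a warning. The rest of tlsm_get_certdb_prefix lies outside the hunk.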


@ -0,0 +1,13 @@
diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c
index 4b2ecfa..d69b186 100644
--- a/libraries/libldap/tls_m.c
+++ b/libraries/libldap/tls_m.c
@@ -2097,6 +2097,8 @@ tlsm_ctx_free ( tls_ctx *ctx )
"TLS: could not close certdb slot - error %d:%s.\n",
errcode, PR_ErrorToString( errcode, PR_LANGUAGE_I_DEFAULT ), 0 );
}
+ PK11_FreeSlot( c->tc_certdb_slot );
+ c->tc_certdb_slot = NULL;
}
if ( c->tc_pin_file ) {
PL_strfree( c->tc_pin_file );
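Review bot: The new `PK11_FreeSlot` runs whether or not the close logged just above it succeeded; that is the right thing if the slot was taken with a matching reference (presumably via PK11_FindSlot/PK11_ReferenceSlot — confirm), but placed after the error message it reads like part of the failure path. A short comment, `/* drop our slot reference even if closing the certdb failed */`, above the call would make the intent explicit. The enclosing `if` and tlsm_ctx_free itself begin outside the hunk.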


@ -0,0 +1,63 @@
diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c
index d69b186..7f92783 100644
--- a/libraries/libldap/tls_m.c
+++ b/libraries/libldap/tls_m.c
@@ -2238,6 +2238,58 @@ tlsm_deferred_ctx_init( void *arg )
0, 0, 0 );
return -1;
}
+ if ( lt->lt_protocol_min >= LDAP_OPT_X_TLS_PROTOCOL_SSL3 ) {
+ SSLVersionRange supported_range, default_range, selected_range;
+ if ( SECSuccess != SSL_VersionRangeGetSupported(ssl_variant_stream, &supported_range) ) {
+ Debug( LDAP_DEBUG_ANY,
+ "TLS: error: could not get SSL supported version range (SSL_VersionRangeGetSupported).\n",
+ 0, 0, 0 );
+ return -1;
+ } else {
+ Debug( LDAP_DEBUG_ANY,
+ "TLS: info: SSL supported protocol version range is (%#04x, %#04x) (SSL_VersionRangeGetSupported).\n",
+ supported_range.min, supported_range.max, 0);
+ }
+ if ( SECSuccess != SSL_VersionRangeGetDefault(ssl_variant_stream, &default_range) ) {
+ Debug( LDAP_DEBUG_ANY,
+ "TLS: error: could not get SSL default protocol version range (SSL_VersionRangeGetDefault).\n",
+ 0, 0, 0 );
+ return -1;
+ } else {
+ Debug( LDAP_DEBUG_ANY,
+ "TLS: info: SSL default protocol version range is (%#04x, %#04x) (SSL_VersionRangeGetDefault).\n",
+ default_range.min, default_range.max, 0);
+ }
+ selected_range.min = lt->lt_protocol_min;
+ selected_range.max = supported_range.max;
+ Debug( LDAP_DEBUG_ANY,
+ "TLS: info: TLS configured protocol minimal version is %#04x.\n",
+ selected_range.min, selected_range.max, 0);
+ if ( (selected_range.min > supported_range.max) ||
+ (selected_range.max < supported_range.min) ) {
+ Debug( LDAP_DEBUG_ANY,
+ "TLS: error: selected protocol version range out of NSS-supported version range.\n",
+ 0, 0, 0);
+ return -1;
+ } else {
+ if ( SECSuccess != SSL_VersionRangeSet(ctx->tc_model, &selected_range) ) {
+ Debug( LDAP_DEBUG_ANY,
+ "TLS: error: could not set protocol version range (SSL_VersionRangeSet).\n",
+ 0, 0, 0);
+ return -1;
+ }
+ if ( SECSuccess != SSL_VersionRangeGet(ctx->tc_model, &selected_range) ) {
+ Debug( LDAP_DEBUG_ANY,
+ "TLS: error: could not get protocol version range (SSL_VersionRangeGet).\n",
+ 0, 0, 0);
+ return -1;
+ } else {
+ Debug( LDAP_DEBUG_ANY,
+ "TLS: info: SSL set protocol version range is (%#04x, %#04x) (SSL_VersionRangeGet).\n",
+ selected_range.min, selected_range.max, 0);
+ }
+ }
+ }
if ( SECSuccess != SSL_OptionSet( ctx->tc_model, SSL_HANDSHAKE_AS_CLIENT, !ctx->tc_is_server ) ) {
Debug( LDAP_DEBUG_ANY,
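Review bot: `selected_range.min = lt->lt_protocol_min;` silently depends on OpenLDAP's `LDAP_OPT_X_TLS_PROTOCOL_*` encoding (`(3 << 8) + n`, per ldap.h) coinciding with NSS's `SSL_LIBRARY_VERSION_*` values; it works, but a comment `/* relies on LDAP_OPT_X_TLS_PROTOCOL_* sharing NSS's SSL_LIBRARY_VERSION_* encoding (0x03xx) */` should record that so neither side is renumbered independently. The four "info" messages are emitted at `LDAP_DEBUG_ANY`, so every context initialisation prints them unconditionally; `LDAP_DEBUG_TRACE` is the usual level for such diagnostics, and the message about the configured minimum passes `selected_range.max` to a format with a single conversion. In the range check, `selected_range.max < supported_range.min` can never be true because `selected_range.max` was just set to `supported_range.max`; the case worth rejecting up front is `selected_range.min < supported_range.min`, though `SSL_VersionRangeSet` would still fail it. tlsm_deferred_ctx_init starts and ends outside the hunk.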


@ -0,0 +1,36 @@
diff --git a/libraries/libldap/init.c b/libraries/libldap/init.c
index 9b877a9..9a8d661 100644
--- a/libraries/libldap/init.c
+++ b/libraries/libldap/init.c
@@ -473,7 +473,7 @@ static void openldap_ldap_init_w_env(
* Sorry, don't know how to handle this for non-GCC environments.
*/
static void ldap_int_destroy_global_options(void)
- __attribute__ ((destructor));
+ __attribute__ ((destructor (2)));
#endif
static void
diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c
index 7f92783..f6c27de 100644
--- a/libraries/libldap/tls_m.c
+++ b/libraries/libldap/tls_m.c
@@ -1951,6 +1951,18 @@ tlsm_clientauth_init( tlsm_ctx *ctx )
return ( status == SECSuccess ? 0 : -1 );
}
+#if defined(__GNUC__)
+static void
+tlsm_destroy_on_unload(void) __attribute__ ((destructor (1)));
+
+static void
+tlsm_destroy_on_unload(void)
+{
+ if (NSS_IsInitialized())
+ NSS_UnregisterShutdown(tlsm_nss_shutdown_cb, NULL);
+}
+#endif
+
/*
* Tear down the TLS subsystem. Should only be called once.
*/
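Review bot: `__attribute__ ((destructor (1)))` and `destructor (2)` use priorities inside the range GCC reserves for the implementation (0–100), which recent GCC reports under `-Wprio-ctor-dtor`, and the ordering contract that gives the two numbers meaning is not written down in either file: as I read GCC's rule, lower-numbered destructors run later, so `tlsm_destroy_on_unload` is meant to run after `ldap_int_destroy_global_options`. Moving both to e.g. 101/102 keeps the relative order, and a comment at the tls_m.c declaration, `/* must run after ldap_int_destroy_global_options (init.c): lower destructor priority runs later */`, ties the two files together. The `#if defined(__GNUC__)` guard also means non-GCC builds never unregister the shutdown callback; if that is acceptable it deserves a line saying so.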


@ -0,0 +1,257 @@
diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c
index f6c27de..bba215a 100644
--- a/libraries/libldap/tls_m.c
+++ b/libraries/libldap/tls_m.c
@@ -76,6 +76,11 @@
#define HAVE_SECMOD_RESTARTMODULES 1
#endif
+/* NSS 3.20.0 and later have SHA384 ciphers */
+#if NSS_VERSION_INT >= 0x03140000
+#define HAVE_SHA384_CIPHERS 1
+#endif
+
/* InitContext does not currently work in server mode */
/* #define INITCONTEXT_HACK 1 */
@@ -210,27 +215,36 @@ typedef struct {
int num; /* The cipher id */
int attr; /* cipher attributes: algorithms, etc */
int version; /* protocol version valid for this cipher */
- int bits; /* bits of strength */
- int alg_bits; /* bits of the algorithm */
int strength; /* LOW, MEDIUM, HIGH */
int enabled; /* Enabled by default? */
} cipher_properties;
/* cipher attributes */
-#define SSL_kRSA 0x00000001L
-#define SSL_aRSA 0x00000002L
-#define SSL_aDSS 0x00000004L
-#define SSL_DSS SSL_aDSS
-#define SSL_eNULL 0x00000008L
-#define SSL_DES 0x00000010L
-#define SSL_3DES 0x00000020L
-#define SSL_RC4 0x00000040L
-#define SSL_RC2 0x00000080L
-#define SSL_AES 0x00000100L
-#define SSL_MD5 0x00000200L
-#define SSL_SHA1 0x00000400L
-#define SSL_SHA SSL_SHA1
-#define SSL_RSA (SSL_kRSA|SSL_aRSA)
+#define SSL_kRSA 0x00000001L
+#define SSL_aRSA 0x00000002L
+#define SSL_RSA (SSL_kRSA|SSL_aRSA)
+#define SSL_aDSA 0x00000004L
+#define SSL_DSA SSL_aDSA
+#define SSL_eNULL 0x00000008L
+#define SSL_DES 0x00000010L
+#define SSL_3DES 0x00000020L
+#define SSL_RC4 0x00000040L
+#define SSL_RC2 0x00000080L
+#define SSL_AES128 0x00000100L
+#define SSL_AES256 0x00000200L
+#define SSL_AES (SSL_AES128|SSL_AES256)
+#define SSL_MD5 0x00000400L
+#define SSL_SHA1 0x00000800L
+#define SSL_kEDH 0x00001000L
+#define SSL_CAMELLIA128 0x00002000L
+#define SSL_CAMELLIA256 0x00004000L
+#define SSL_CAMELLIA (SSL_CAMELLIA128|SSL_CAMELLIA256)
+#define SSL_SEED 0x00008000L
+#define SSL_kECDH 0x00010000L
+#define SSL_kECDHE 0x00020000L
+#define SSL_aECDSA 0x00040000L
+#define SSL_SHA256 0x00080000L
+#define SSL_SHA384 0x00100000L
/* cipher strength */
#define SSL_NULL 0x00000001L
@@ -244,32 +258,120 @@ typedef struct {
#define SSL3 0x00000002L
/* OpenSSL treats SSL3 and TLSv1 the same */
#define TLS1 SSL3
+#define TLS1_2 0x00000004L
/* Cipher translation */
static cipher_properties ciphers_def[] = {
- /* SSL 2 ciphers */
- {"DES-CBC3-MD5", SSL_EN_DES_192_EDE3_CBC_WITH_MD5, SSL_kRSA|SSL_aRSA|SSL_3DES|SSL_MD5, SSL2, 168, 168, SSL_HIGH, SSL_ALLOWED},
- {"RC2-CBC-MD5", SSL_EN_RC2_128_CBC_WITH_MD5, SSL_kRSA|SSL_aRSA|SSL_RC2|SSL_MD5, SSL2, 128, 128, SSL_MEDIUM, SSL_ALLOWED},
- {"RC4-MD5", SSL_EN_RC4_128_WITH_MD5, SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5, SSL2, 128, 128, SSL_MEDIUM, SSL_ALLOWED},
- {"DES-CBC-MD5", SSL_EN_DES_64_CBC_WITH_MD5, SSL_kRSA|SSL_aRSA|SSL_DES|SSL_MD5, SSL2, 56, 56, SSL_LOW, SSL_ALLOWED},
- {"EXP-RC2-CBC-MD5", SSL_EN_RC2_128_CBC_EXPORT40_WITH_MD5, SSL_kRSA|SSL_aRSA|SSL_RC2|SSL_MD5, SSL2, 40, 128, SSL_EXPORT40, SSL_ALLOWED},
- {"EXP-RC4-MD5", SSL_EN_RC4_128_EXPORT40_WITH_MD5, SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5, SSL2, 40, 128, SSL_EXPORT40, SSL_ALLOWED},
-
- /* SSL3 ciphers */
- {"RC4-MD5", SSL_RSA_WITH_RC4_128_MD5, SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5, SSL3, 128, 128, SSL_MEDIUM, SSL_ALLOWED},
- {"RC4-SHA", SSL_RSA_WITH_RC4_128_SHA, SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_SHA1, SSL3, 128, 128, SSL_MEDIUM, SSL_ALLOWED},
- {"DES-CBC3-SHA", SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_3DES|SSL_SHA1, SSL3, 168, 168, SSL_HIGH, SSL_ALLOWED},
- {"DES-CBC-SHA", SSL_RSA_WITH_DES_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_DES|SSL_SHA1, SSL3, 56, 56, SSL_LOW, SSL_ALLOWED},
- {"EXP-RC4-MD5", SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5, SSL3, 40, 128, SSL_EXPORT40, SSL_ALLOWED},
- {"EXP-RC2-CBC-MD5", SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5, SSL_kRSA|SSL_aRSA|SSL_RC2|SSL_MD5, SSL3, 0, 0, SSL_EXPORT40, SSL_ALLOWED},
- {"NULL-MD5", SSL_RSA_WITH_NULL_MD5, SSL_kRSA|SSL_aRSA|SSL_eNULL|SSL_MD5, SSL3, 0, 0, SSL_NULL, SSL_NOT_ALLOWED},
- {"NULL-SHA", SSL_RSA_WITH_NULL_SHA, SSL_kRSA|SSL_aRSA|SSL_eNULL|SSL_SHA1, SSL3, 0, 0, SSL_NULL, SSL_NOT_ALLOWED},
+
+ /*
+ * Use the same DEFAULT cipher list as OpenSSL, which is defined as: ALL:!aNULL:!eNULL:!SSLv2
+ */
+
+ /* SSLv2 ciphers */
+ {"DES-CBC-MD5", SSL_EN_DES_64_CBC_WITH_MD5, SSL_kRSA|SSL_aRSA|SSL_DES|SSL_MD5, SSL2, SSL_LOW},
+ {"DES-CBC3-MD5", SSL_EN_DES_192_EDE3_CBC_WITH_MD5, SSL_kRSA|SSL_aRSA|SSL_3DES|SSL_MD5, SSL2, SSL_HIGH},
+ {"RC2-CBC-MD5", SSL_EN_RC2_128_CBC_WITH_MD5, SSL_kRSA|SSL_aRSA|SSL_RC2|SSL_MD5, SSL2, SSL_MEDIUM},
+ {"RC4-MD5", SSL_EN_RC4_128_WITH_MD5, SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5, SSL2, SSL_MEDIUM},
+ {"EXP-RC2-CBC-MD5", SSL_EN_RC2_128_CBC_EXPORT40_WITH_MD5, SSL_kRSA|SSL_aRSA|SSL_RC2|SSL_MD5, SSL2, SSL_EXPORT40},
+ {"EXP-RC4-MD5", SSL_EN_RC4_128_EXPORT40_WITH_MD5, SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5, SSL2, SSL_EXPORT40},
+
+ /* SSLv3 ciphers */
+ {"NULL-MD5", SSL_RSA_WITH_NULL_MD5, SSL_kRSA|SSL_aRSA|SSL_eNULL|SSL_MD5, SSL3, SSL_NULL},
+ {"NULL-SHA", SSL_RSA_WITH_NULL_SHA, SSL_kRSA|SSL_aRSA|SSL_eNULL|SSL_SHA1, SSL3, SSL_NULL},
+ {"DES-CBC-SHA", SSL_RSA_WITH_DES_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_DES|SSL_SHA1, SSL3, SSL_LOW},
+ {"DES-CBC3-SHA", SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_3DES|SSL_SHA1, SSL3, SSL_HIGH},
+ {"RC4-MD5", SSL_RSA_WITH_RC4_128_MD5, SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5, SSL3, SSL_MEDIUM},
+ {"RC4-SHA", SSL_RSA_WITH_RC4_128_SHA, SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_SHA1, SSL3, SSL_MEDIUM},
+ {"EXP-RC2-CBC-MD5", SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5, SSL_kRSA|SSL_aRSA|SSL_RC2|SSL_MD5, SSL3, SSL_EXPORT40},
+ {"EXP-RC4-MD5", SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5, SSL3, SSL_EXPORT40},
+ {"EDH-RSA-DES-CBC-SHA", SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_kEDH|SSL_aRSA|SSL_DES|SSL_SHA1, SSL3, SSL_LOW},
+ {"EDH-RSA-DES-CBC3-SHA", SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_kEDH|SSL_aRSA|SSL_3DES|SSL_SHA1, SSL3, SSL_HIGH},
+ {"EDH-DSS-DES-CBC-SHA", SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_kEDH|SSL_aDSA|SSL_DES|SSL_SHA1, SSL3, SSL_LOW},
+ {"EDH-DSS-DES-CBC3-SHA", SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_kEDH|SSL_aDSA|SSL_3DES|SSL_SHA1, SSL3, SSL_HIGH},
/* TLSv1 ciphers */
- {"EXP1024-DES-CBC-SHA", TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_DES|SSL_SHA, TLS1, 56, 56, SSL_EXPORT56, SSL_ALLOWED},
- {"EXP1024-RC4-SHA", TLS_RSA_EXPORT1024_WITH_RC4_56_SHA, SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_SHA, TLS1, 56, 56, SSL_EXPORT56, SSL_ALLOWED},
- {"AES128-SHA", TLS_RSA_WITH_AES_128_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_AES|SSL_SHA, TLS1, 128, 128, SSL_HIGH, SSL_ALLOWED},
- {"AES256-SHA", TLS_RSA_WITH_AES_256_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_AES|SSL_SHA, TLS1, 256, 256, SSL_HIGH, SSL_ALLOWED},
+ {"EXP1024-DES-CBC-SHA", TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_DES|SSL_SHA1, TLS1, SSL_EXPORT56},
+ {"EXP1024-RC4-SHA", TLS_RSA_EXPORT1024_WITH_RC4_56_SHA, SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_SHA1, TLS1, SSL_EXPORT56},
+ {"SEED-SHA", TLS_RSA_WITH_SEED_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_SEED|SSL_SHA1, TLS1, SSL_MEDIUM},
+ {"AES128-SHA", TLS_RSA_WITH_AES_128_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_AES128|SSL_SHA1, TLS1, SSL_HIGH},
+ {"AES256-SHA", TLS_RSA_WITH_AES_256_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_AES256|SSL_SHA1, TLS1, SSL_HIGH},
+ {"CAMELLIA256-SHA", TLS_RSA_WITH_CAMELLIA_256_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_CAMELLIA256|SSL_SHA1, TLS1, SSL_HIGH},
+ {"CAMELLIA128-SHA", TLS_RSA_WITH_CAMELLIA_128_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_CAMELLIA128|SSL_SHA1, TLS1, SSL_HIGH},
+ {"DHE-RSA-AES128-SHA", TLS_DHE_RSA_WITH_AES_128_CBC_SHA, SSL_kEDH|SSL_aRSA|SSL_AES128|SSL_SHA1, TLS1, SSL_HIGH},
+ {"DHE-RSA-AES256-SHA", TLS_DHE_RSA_WITH_AES_256_CBC_SHA, SSL_kEDH|SSL_aRSA|SSL_AES256|SSL_SHA1, TLS1, SSL_HIGH},
+ {"DHE-RSA-CAMELLIA128-SHA", TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA, SSL_kEDH|SSL_aRSA|SSL_CAMELLIA128|SSL_SHA1, TLS1, SSL_HIGH},
+ {"DHE-RSA-CAMELLIA256-SHA", TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA, SSL_kEDH|SSL_aRSA|SSL_CAMELLIA256|SSL_SHA1, TLS1, SSL_HIGH},
+ {"DHE-DSS-RC4-SHA", TLS_DHE_DSS_WITH_RC4_128_SHA, SSL_kEDH|SSL_aDSA|SSL_RC4|SSL_SHA1, TLS1, SSL_MEDIUM},
+ {"DHE-DSS-AES128-SHA", TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_kEDH|SSL_aDSA|SSL_AES128|SSL_SHA1, TLS1, SSL_HIGH},
+ {"DHE-DSS-AES256-SHA", TLS_DHE_DSS_WITH_AES_256_CBC_SHA, SSL_kEDH|SSL_aDSA|SSL_AES256|SSL_SHA1, TLS1, SSL_HIGH},
+ {"DHE-DSS-CAMELLIA128-SHA", TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA, SSL_kEDH|SSL_aDSA|SSL_CAMELLIA128|SSL_SHA1, TLS1, SSL_HIGH},
+ {"DHE-DSS-CAMELLIA256-SHA", TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA, SSL_kEDH|SSL_aDSA|SSL_CAMELLIA256|SSL_SHA1, TLS1, SSL_HIGH},
+ {"ECDH-RSA-NULL-SHA", TLS_ECDH_RSA_WITH_NULL_SHA, SSL_kECDH|SSL_aRSA|SSL_eNULL|SSL_SHA1, TLS1, SSL_NULL},
+ {"ECDH-RSA-RC4-SHA", TLS_ECDH_RSA_WITH_RC4_128_SHA, SSL_kECDH|SSL_aRSA|SSL_RC4|SSL_SHA1, TLS1, SSL_MEDIUM},
+ {"ECDH-RSA-DES-CBC3-SHA", TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_kECDH|SSL_aRSA|SSL_3DES|SSL_SHA1, TLS1, SSL_HIGH},
+ {"ECDH-RSA-AES128-SHA", TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, SSL_kECDH|SSL_aRSA|SSL_AES128|SSL_SHA1, TLS1, SSL_HIGH},
+ {"ECDH-RSA-AES256-SHA", TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, SSL_kECDH|SSL_aRSA|SSL_AES256|SSL_SHA1, TLS1, SSL_HIGH},
+ {"ECDH-ECDSA-NULL-SHA", TLS_ECDH_ECDSA_WITH_NULL_SHA, SSL_kECDH|SSL_aECDSA|SSL_eNULL|SSL_SHA1, TLS1, SSL_NULL},
+ {"ECDH-ECDSA-RC4-SHA", TLS_ECDH_ECDSA_WITH_RC4_128_SHA, SSL_kECDH|SSL_aECDSA|SSL_RC4|SSL_SHA1, TLS1, SSL_MEDIUM},
+ {"ECDH-ECDSA-DES-CBC3-SHA", TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_kECDH|SSL_aECDSA|SSL_3DES|SSL_SHA1, TLS1, SSL_HIGH},
+ {"ECDH-ECDSA-AES128-SHA", TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, SSL_kECDH|SSL_aECDSA|SSL_AES128|SSL_SHA1, TLS1, SSL_HIGH},
+ {"ECDH-ECDSA-AES256-SHA", TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, SSL_kECDH|SSL_aECDSA|SSL_AES256|SSL_SHA1, TLS1, SSL_HIGH},
+ {"ECDHE-RSA-NULL-SHA", TLS_ECDHE_RSA_WITH_NULL_SHA, SSL_kECDHE|SSL_aRSA|SSL_eNULL|SSL_SHA1, TLS1, SSL_NULL},
+ {"ECDHE-RSA-RC4-SHA", TLS_ECDHE_RSA_WITH_RC4_128_SHA, SSL_kECDHE|SSL_aRSA|SSL_RC4|SSL_SHA1, TLS1, SSL_MEDIUM},
+ {"ECDHE-RSA-DES-CBC3-SHA", TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_kECDHE|SSL_aRSA|SSL_3DES|SSL_SHA1, TLS1, SSL_HIGH},
+ {"ECDHE-RSA-AES128-SHA", TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, SSL_kECDHE|SSL_aRSA|SSL_AES128|SSL_SHA1, TLS1, SSL_HIGH},
+ {"ECDHE-RSA-AES256-SHA", TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, SSL_kECDHE|SSL_aRSA|SSL_AES256|SSL_SHA1, TLS1, SSL_HIGH},
+ {"ECDHE-ECDSA-NULL-SHA", TLS_ECDHE_ECDSA_WITH_NULL_SHA, SSL_kECDHE|SSL_aECDSA|SSL_eNULL|SSL_SHA1, TLS1, SSL_NULL},
+ {"ECDHE-ECDSA-RC4-SHA", TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, SSL_kECDHE|SSL_aECDSA|SSL_RC4|SSL_SHA1, TLS1, SSL_MEDIUM},
+ {"ECDHE-ECDSA-DES-CBC3-SHA", TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_kECDHE|SSL_aECDSA|SSL_3DES|SSL_SHA1, TLS1, SSL_HIGH},
+ {"ECDHE-ECDSA-AES128-SHA", TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, SSL_kECDHE|SSL_aECDSA|SSL_AES128|SSL_SHA1, TLS1, SSL_HIGH},
+ {"ECDHE-ECDSA-AES256-SHA", TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, SSL_kECDHE|SSL_aECDSA|SSL_AES256|SSL_SHA1, TLS1, SSL_HIGH},
+
+/* conditional on one of the newer defs */
+#ifdef TLS_RSA_WITH_AES_128_GCM_SHA256
+ /* TLSv1.2 ciphers */
+ /* The following ciphers appear in the openssl sources as TLSv1.2 but currently have no NSS equivalent
+
+ DHE-DSS-AES256-GCM-SHA384 TLSv1.2 Kx=DH Au=DSS Enc=AESGCM(256) Mac=AEAD
+ ECDH-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AESGCM(256) Mac=AEAD
+ ECDH-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AESGCM(256) Mac=AEAD
+ ECDH-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AES(256) Mac=SHA384
+ ECDH-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AES(256) Mac=SHA384
+ ECDH-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AESGCM(128) Mac=AEAD
+ ECDH-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AESGCM(128) Mac=AEAD
+ ECDH-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AES(128) Mac=SHA256
+ ECDH-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AES(128) Mac=SHA256
+
+ */
+ {"NULL-SHA256", TLS_RSA_WITH_NULL_SHA256, SSL_kRSA|SSL_aRSA|SSL_eNULL|SSL_SHA256, TLS1_2, SSL_NULL},
+ {"AES128-SHA256", TLS_RSA_WITH_AES_128_CBC_SHA256, SSL_kRSA|SSL_aRSA|SSL_AES128|SSL_SHA256, TLS1_2, SSL_HIGH},
+ {"AES256-SHA256", TLS_RSA_WITH_AES_256_CBC_SHA256, SSL_kRSA|SSL_aRSA|SSL_AES256|SSL_SHA256, TLS1_2, SSL_HIGH},
+ {"AES128-GCM-SHA256", TLS_RSA_WITH_AES_128_GCM_SHA256, SSL_kRSA|SSL_aRSA|SSL_AES128|SSL_AESGCM|SSL_AEAD, TLS1_2, SSL_HIGH},
+ {"AES256-GCM-SHA384", TLS_RSA_WITH_AES_256_GCM_SHA384, SSL_kRSA|SSL_aRSA|SSL_AES256|SSL_AESGCM|SSL_AEAD, TLS1_2, SSL_HIGH},
+
+ {"DHE-RSA-AES256-SHA256", TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, SSL_kEDH|SSL_aRSA|SSL_AES256|SSL_SHA256, TLS1_2, SSL_HIGH},
+ {"DHE-RSA-AES128-SHA256", TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, SSL_kEDH|SSL_aRSA|SSL_AES128|SSL_SHA256, TLS1_2, SSL_HIGH},
+ {"DHE-RSA-AES128-GCM-SHA256", TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, SSL_kEDH|SSL_aRSA|SSL_AES128|SSL_AESGCM|SSL_AEAD, TLS1_2, SSL_HIGH},
+ {"DHE-RSA-AES256-GCM-SHA384", TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, SSL_kEDH|SSL_aRSA|SSL_AES256|SSL_AESGCM|SSL_AEAD, TLS1_2, SSL_HIGH},
+
+ {"DHE-DSS-AES128-SHA256", TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, SSL_kEDH|SSL_aDSA|SSL_AES128|SSL_SHA256, TLS1_2, SSL_HIGH},
+ {"DHE-DSS-AES256-SHA256", TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, SSL_kEDH|SSL_aDSA|SSL_AES256|SSL_SHA256, TLS1_2, SSL_HIGH},
+ {"DHE-DSS-AES128-GCM-SHA256", TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, SSL_kEDH|SSL_aDSA|SSL_AES128|SSL_AESGCM|SSL_AEAD, TLS1_2, SSL_HIGH},
+ {"DHE-DSS-AES256-GCM-SHA384", TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, SSL_kEDH|SSL_aDSA|SSL_AES256|SSL_AESGCM|SSL_AEAD, TLS1_2, SSL_HIGH},
+
+ {"ECDHE-ECDSA-AES128-SHA256", TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, SSL_kECDHE|SSL_aECDSA|SSL_AES128|SSL_SHA256, TLS1_2, SSL_HIGH},
+ {"ECDHE-RSA-AES128-SHA256", TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, SSL_kECDHE|SSL_aRSA|SSL_AES128|SSL_SHA256, TLS1_2, SSL_HIGH},
+ {"ECDHE-ECDSA-AES128-GCM-SHA256", TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, SSL_kECDHE|SSL_aECDSA|SSL_AES128|SSL_AESGCM|SSL_AEAD, TLS1_2, SSL_HIGH},
+ {"ECDHE-RSA-AES128-GCM-SHA256", TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, SSL_kECDHE|SSL_aRSA|SSL_AES128|SSL_AESGCM|SSL_AEAD, TLS1_2, SSL_HIGH},
+ {"ECDHE-ECDSA-AES256-GCM-SHA384", TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, SSL_kECDHE|SSL_aECDSA|SSL_AES256|SSL_AESGCM|SSL_AEAD, TLS1_2, SSL_HIGH},
+ {"ECDHE-RSA-AES256-GCM-SHA384", TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, SSL_kECDHE|SSL_aRSA|SSL_AES256|SSL_AESGCM|SSL_AEAD, TLS1_2, SSL_HIGH},
+ {"ECDHE-ECDSA-AES256-SHA384", TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, SSL_kECDHE|SSL_aECDSA|SSL_AES256|SSL_SHA384, TLS1_2, SSL_HIGH},
+ {"ECDHE-RSA-AES256-SHA384", TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, SSL_kECDHE|SSL_aRSA|SSL_AES256|SSL_SHA384, TLS1_2, SSL_HIGH},
+#endif
+
+ {"ECDHE-RSA-CHACHA20-POLY1305", 0xcca8 /* TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 */, SSL_kECDHE|SSL_aRSA|SSL_CHACHA20POLY1305|SSL_AEAD, TLS1_2, SSL_HIGH},
+ {"ECDHE-ECDSA-CHACHA20-POLY1305", 0xcca9 /* TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 */, SSL_kECDHE|SSL_aECDSA|SSL_CHACHA20POLY1305|SSL_AEAD, TLS1_2, SSL_HIGH},
+ {"DHE-RSA-CHACHA20-POLY1305", 0xccaa /* TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 */, SSL_kEDH|SSL_aRSA|SSL_CHACHA20POLY1305|SSL_AEAD, TLS1_2, SSL_HIGH},
};
#define ciphernum (sizeof(ciphers_def)/sizeof(cipher_properties))
@@ -585,6 +687,10 @@ nss_parse_ciphers(const char *cipherstr, int cipher_list[ciphernum])
mask |= SSL_RSA;
} else if ((!strcmp(cipher, "NULL")) || (!strcmp(cipher, "eNULL"))) {
mask |= SSL_eNULL;
+ } else if (!strcmp(cipher, "AES128")) {
+ mask |= SSL_AES128;
+ } else if (!strcmp(cipher, "AES256")) {
+ mask |= SSL_AES256;
} else if (!strcmp(cipher, "AES")) {
mask |= SSL_AES;
} else if (!strcmp(cipher, "3DES")) {
@@ -599,12 +705,34 @@ nss_parse_ciphers(const char *cipherstr, int cipher_list[ciphernum])
mask |= SSL_MD5;
} else if ((!strcmp(cipher, "SHA")) || (!strcmp(cipher, "SHA1"))) {
mask |= SSL_SHA1;
+ } else if (!strcmp(cipher, "SHA256")) {
+ mask |= SSL_SHA256;
+ } else if (!strcmp(cipher, "EDH")) {
+ mask |= SSL_kEDH;
+ } else if (!strcmp(cipher, "DSS")) {
+ mask |= SSL_aDSA;
+ } else if (!strcmp(cipher, "CAMELLIA128")) {
+ mask |= SSL_CAMELLIA128;
+ } else if (!strcmp(cipher, "CAMELLIA256")) {
+ mask |= SSL_CAMELLIA256;
+ } else if (!strcmp(cipher, "CAMELLIA")) {
+ mask |= SSL_CAMELLIA;
+ } else if (!strcmp(cipher, "SEED")) {
+ mask |= SSL_SEED;
+ } else if (!strcmp(cipher, "ECDH")) {
+ mask |= SSL_kECDH;
+ } else if (!strcmp(cipher, "ECDHE")) {
+ mask |= SSL_kECDHE;
+ } else if (!strcmp(cipher, "ECDSA")) {
+ mask |= SSL_aECDSA;
} else if (!strcmp(cipher, "SSLv2")) {
protocol |= SSL2;
} else if (!strcmp(cipher, "SSLv3")) {
protocol |= SSL3;
} else if (!strcmp(cipher, "TLSv1")) {
protocol |= TLS1;
+ } else if (!strcmp(cipher, "TLSv1.2")) {
+ protocol |= TLS1_2;
} else if (!strcmp(cipher, "HIGH")) {
strength |= SSL_HIGH;
} else if (!strcmp(cipher, "MEDIUM")) {
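Review bot: `HAVE_SHA384_CIPHERS` is defined near the top of the file, but the TLSv1.2 rows of `ciphers_def` are guarded by `#ifdef TLS_RSA_WITH_AES_128_GCM_SHA256` instead, so within this patch the new macro is unused; choose one guard (the purpose-named one is clearer) and drop the other, unless it is consumed elsewhere. `cipher_properties` keeps its `enabled` member while every initializer now supplies only five values, so `enabled` is zero (`SSL_NOT_ALLOWED`) for all rows; if nothing reads it any more, remove the field rather than leave a misleading column. The three CHACHA20 rows use raw ids `0xcca8`/`0xcca9`/`0xccaa` outside the `#ifdef`, which is fine only if the code that applies `cipher_list` tolerates ids an older NSS does not know; a comment at those rows stating that assumption would help.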


@ -0,0 +1,51 @@
diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c
index 3139eaf..49dc9b1 100644
--- a/libraries/libldap/tls_m.c
+++ b/libraries/libldap/tls_m.c
@@ -146,7 +146,6 @@ static int tlsm_init( void );
*/
static ldap_pvt_thread_mutex_t tlsm_ctx_count_mutex;
static ldap_pvt_thread_mutex_t tlsm_init_mutex;
-static ldap_pvt_thread_mutex_t tlsm_pem_mutex;
static PRCallOnceType tlsm_init_mutex_callonce = {0,0};
static PRStatus PR_CALLBACK
@@ -164,12 +163,6 @@ tlsm_thr_init_callonce( void )
return PR_FAILURE;
}
- if ( ldap_pvt_thread_mutex_init( &tlsm_pem_mutex ) ) {
- Debug( LDAP_DEBUG_ANY,
- "TLS: could not create mutex for PEM module: %d\n", errno, 0, 0 );
- return PR_FAILURE;
- }
-
return PR_SUCCESS;
}
@@ -2153,7 +2146,6 @@ tlsm_destroy( void )
#ifdef LDAP_R_COMPILE
ldap_pvt_thread_mutex_destroy( &tlsm_ctx_count_mutex );
ldap_pvt_thread_mutex_destroy( &tlsm_init_mutex );
- ldap_pvt_thread_mutex_destroy( &tlsm_pem_mutex );
#endif
}
@@ -2840,16 +2832,9 @@ static int
tlsm_session_accept_or_connect( tls_session *session, int is_accept )
{
tlsm_session *s = (tlsm_session *)session;
- int rc;
+ int rc = SSL_ForceHandshake( s );
const char *op = is_accept ? "accept" : "connect";
- if ( pem_module ) {
- LDAP_MUTEX_LOCK( &tlsm_pem_mutex );
- }
- rc = SSL_ForceHandshake( s );
- if ( pem_module ) {
- LDAP_MUTEX_UNLOCK( &tlsm_pem_mutex );
- }
if ( rc ) {
PRErrorCode err = PR_GetError();
rc = -1;
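Review bot: The handshake in tlsm_session_accept_or_connect is no longer serialized on tlsm_pem_mutex when pem_module is loaded, and nothing in the hunk records why that serialization became unnecessary, so the next reader sees an unlocked SSL_ForceHandshake and no rationale. The file name is not shown here, but the spec on this page lists a bugfix-openldap-ssl-deadlock-revert.patch, so this is presumably a revert of a deadlock workaround; if so, keep a one-line comment at the call, e.g. `/* not serialized on tlsm_pem_mutex any more: the PEM-module lock around the handshake deadlocked (see packaging changelog) */`, and state what, if anything, now protects the PEM module's non-reentrant paths. The body of tlsm_session_accept_or_connect continues past the hunk.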


@ -0,0 +1,42 @@
diff --git a/include/ldap.h b/include/ldap.h
index c245651..149b9ea 100644
--- a/include/ldap.h
+++ b/include/ldap.h
@@ -176,6 +176,7 @@ LDAP_BEGIN_DECL
#define LDAP_OPT_X_TLS_PROTOCOL_TLS1_0 ((3 << 8) + 1)
#define LDAP_OPT_X_TLS_PROTOCOL_TLS1_1 ((3 << 8) + 2)
#define LDAP_OPT_X_TLS_PROTOCOL_TLS1_2 ((3 << 8) + 3)
+#define LDAP_OPT_X_TLS_PROTOCOL_TLS1_3 ((3 << 8) + 4)
/* OpenLDAP SASL options */
#define LDAP_OPT_X_SASL_MECH 0x6100
diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c
index 49dc9b1..9e825c9 100644
--- a/libraries/libldap/tls_m.c
+++ b/libraries/libldap/tls_m.c
@@ -1849,6 +1849,8 @@ tlsm_deferred_init( void *arg )
NSSInitContext *initctx = NULL;
PK11SlotInfo *certdb_slot = NULL;
#endif
+ SSLVersionRange range;
+ SSLProtocolVariant variant;
SECStatus rc;
int done = 0;
@@ -2031,6 +2033,16 @@ tlsm_deferred_init( void *arg )
}
}
+ /*
+ * Set the SSL version range. MozNSS SSL versions are the same as openldap's:
+ *
+ * SSL_LIBRARY_VERSION_TLS_1_* are equivalent to LDAP_OPT_X_TLS_PROTOCOL_TLS1_*
+ */
+ SSL_VersionRangeGetSupported(ssl_variant_stream, &range); /* this sets the max */
+ range.min = lt->lt_protocol_min ? lt->lt_protocol_min : range.min;
+ variant = ssl_variant_stream;
+ SSL_VersionRangeSetDefault(variant, &range);
+
NSS_SetDomesticPolicy();
PK11_SetPasswordFunc( tlsm_pin_prompt );
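Review bot: Neither SSL_VersionRangeGetSupported nor SSL_VersionRangeSetDefault has its SECStatus return checked in the tlsm_deferred_init hunk, so a configured lt_protocol_min that NSS rejects (below the library's supported minimum, or above range.max) is silently ignored and the context keeps NSS's defaults instead of failing or warning. I would at least check the setter: `if ( SSL_VersionRangeSetDefault( variant, &range ) != SECSuccess ) {` / `Debug( LDAP_DEBUG_ANY, "TLS: could not set protocol version range: %d\n", PR_GetError(), 0, 0 );` and then take whatever failure path the function uses for its other init errors (the rc/done handling is outside the hunk). The comment "this sets the max" also means only the minimum comes from configuration; if libldap carries a protocol maximum as well, the comment should say explicitly that it is not applied here. tlsm_deferred_init starts and ends outside the hunk.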


@ -0,0 +1,35 @@
diff --git a/libraries/libldap/tls2.c b/libraries/libldap/tls2.c
index d25c190..94399d7 100644
--- a/libraries/libldap/tls2.c
+++ b/libraries/libldap/tls2.c
@@ -149,6 +149,9 @@ ldap_pvt_tls_destroy( void )
tls_imp->ti_tls_destroy();
}
+#ifdef LDAP_R_COMPILE
+static pthread_once_t tlsm_initialized = PTHREAD_ONCE_INIT;
+#endif
/*
* Initialize a particular TLS implementation.
* Called once per implementation.
@@ -158,6 +161,10 @@ tls_init(tls_impl *impl )
{
static int tls_initialized = 0;
+#ifdef LDAP_R_COMPILE
+ (void)pthread_once(&tlsm_initialized, impl->ti_thr_init);
+#endif
+
if ( !tls_initialized++ ) {
#ifdef LDAP_R_COMPILE
ldap_pvt_thread_mutex_init( &tls_def_ctx_mutex );
@@ -166,9 +173,6 @@ tls_init(tls_impl *impl )
if ( impl->ti_inited++ ) return 0;
-#ifdef LDAP_R_COMPILE
- impl->ti_thr_init();
-#endif
return impl->ti_tls_init();
}
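Review bot: The once-control added to tls_init is a single file-scope `tlsm_initialized` shared by every `impl` passed in, whereas the code it replaces ran `impl->ti_thr_init()` once per implementation under `ti_inited`; if more than one tls_impl is initialized in a process, only the first one's thread-init callback ever runs. It also calls pthread_once directly where the surrounding code goes through the ldap_pvt_thread abstraction (`ldap_pvt_thread_mutex_init` two lines below), so an LDAP_R_COMPILE build on a non-pthread thread package no longer compiles. If the intent is MozNSS-only, as the name suggests, either move the once object into tls_impl next to `ti_thr_init` or add a comment stating the single-implementation assumption. tls_init's body continues outside the hunk.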


@ -0,0 +1,41 @@
--- a/Makefile 2009-10-31 18:59:06.000000000 +0100
+++ b/Makefile 2014-12-17 09:42:37.586079225 +0100
@@ -13,22 +13,11 @@
#
CONFIG=/etc/openldap/check_password.conf
-OPT=-g -O2 -Wall -fpic \
- -DHAVE_CRACKLIB -DCRACKLIB_DICTPATH="\"$(CRACKLIB)\"" \
- -DCONFIG_FILE="\"$(CONFIG)\"" \
+CFLAGS+=-fpic \
+ -DHAVE_CRACKLIB -DCRACKLIB_DICTPATH="\"$(CRACKLIB)\"" \
+ -DCONFIG_FILE="\"$(CONFIG)\"" \
-DDEBUG
-# Where to find the OpenLDAP headers.
-#
-LDAP_INC=-I/home/pyb/tmp/openldap-2.3.39/include \
- -I/home/pyb/tmp/openldap-2.3.39/servers/slapd
-
-# Where to find the CrackLib headers.
-#
-CRACK_INC=
-
-INCS=$(LDAP_INC) $(CRACK_INC)
-
LDAP_LIB=-lldap_r -llber
# Comment out this line if you do NOT want to use the cracklib.
@@ -45,10 +34,10 @@
all: check_password
check_password.o:
- $(CC) $(OPT) -c $(INCS) check_password.c
+ $(CC) $(CFLAGS) -c $(LDAP_INC) check_password.c
check_password: clean check_password.o
- $(CC) -shared -o check_password.so check_password.o $(CRACKLIB_LIB)
+ $(CC) $(LDFLAGS) -shared -o check_password.so check_password.o $(CRACKLIB_LIB)
install: check_password
cp -f check_password.so ../../../usr/lib/openldap/modules/
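Review bot: The compile rule still expands `$(LDAP_INC)` on the check_password.o line even though the first hunk deletes the only definition of LDAP_INC (and INCS), so the reference is now to an undefined variable that is empty unless the environment happens to export one. Either drop it, `$(CC) $(CFLAGS) -c check_password.c`, or keep an explicit hook next to CONFIG, `LDAP_INC=` with a comment saying the slapd include path is expected to arrive via CFLAGS. Note also that `-DDEBUG` stays in CFLAGS, so the syslog traces guarded by `defined(DEBUG)` in check_password.c (which log configuration-file lines) are compiled into the installed module.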

check-password.patch Normal file

@ -0,0 +1,321 @@
--- a/check_password.c 2009-10-31 18:59:06.000000000 +0100
+++ b/check_password.c 2014-12-17 12:25:00.148900907 +0100
@@ -10,7 +10,7 @@
#include <slap.h>
#ifdef HAVE_CRACKLIB
-#include "crack.h"
+#include <crack.h>
#endif
#if defined(DEBUG)
@@ -34,18 +34,77 @@
#define PASSWORD_TOO_SHORT_SZ \
"Password for dn=\"%s\" is too short (%d/6)"
#define PASSWORD_QUALITY_SZ \
- "Password for dn=\"%s\" does not pass required number of strength checks (%d of %d)"
+ "Password for dn=\"%s\" does not pass required number of strength checks for the required character sets (%d of %d)"
#define BAD_PASSWORD_SZ \
"Bad password for dn=\"%s\" because %s"
+#define UNKNOWN_ERROR_SZ \
+ "An unknown error occurred, please see your systems administrator"
typedef int (*validator) (char*);
-static int read_config_file (char *);
+static int read_config_file ();
static validator valid_word (char *);
static int set_quality (char *);
static int set_cracklib (char *);
int check_password (char *pPasswd, char **ppErrStr, Entry *pEntry);
+struct config_entry {
+ char* key;
+ char* value;
+ char* def_value;
+} config_entries[] = { { "minPoints", NULL, "3"},
+ { "useCracklib", NULL, "1"},
+ { "minUpper", NULL, "0"},
+ { "minLower", NULL, "0"},
+ { "minDigit", NULL, "0"},
+ { "minPunct", NULL, "0"},
+ { NULL, NULL, NULL }};
+
+int get_config_entry_int(char* entry) {
+ struct config_entry* centry = config_entries;
+
+ int i = 0;
+ char* key = centry[i].key;
+ while (key != NULL) {
+ if ( strncmp(key, entry, strlen(key)) == 0 ) {
+ if ( centry[i].value == NULL ) {
+ return atoi(centry[i].def_value);
+ }
+ else {
+ return atoi(centry[i].value);
+ }
+ }
+ i++;
+ key = centry[i].key;
+ }
+
+ return -1;
+}
+
+void dealloc_config_entries() {
+ struct config_entry* centry = config_entries;
+
+ int i = 0;
+ while (centry[i].key != NULL) {
+ if ( centry[i].value != NULL ) {
+ ber_memfree(centry[i].value);
+ }
+ i++;
+ }
+}
+
+char* chomp(char *s)
+{
+ char* t = ber_memalloc(strlen(s)+1);
+ strncpy (t,s,strlen(s)+1);
+
+ if ( t[strlen(t)-1] == '\n' ) {
+ t[strlen(t)-1] = '\0';
+ }
+
+ return t;
+}
+
static int set_quality (char *value)
{
#if defined(DEBUG)
@@ -84,12 +143,12 @@
char * parameter;
validator dealer;
} list[] = { { "minPoints", set_quality },
- { "useCracklib", set_cracklib },
- { "minUpper", set_digit },
- { "minLower", set_digit },
- { "minDigit", set_digit },
- { "minPunct", set_digit },
- { NULL, NULL } };
+ { "useCracklib", set_cracklib },
+ { "minUpper", set_digit },
+ { "minLower", set_digit },
+ { "minDigit", set_digit },
+ { "minPunct", set_digit },
+ { NULL, NULL } };
int index = 0;
#if defined(DEBUG)
@@ -98,7 +157,7 @@
while (list[index].parameter != NULL) {
if (strlen(word) == strlen(list[index].parameter) &&
- strcmp(list[index].parameter, word) == 0) {
+ strcmp(list[index].parameter, word) == 0) {
#if defined(DEBUG)
syslog(LOG_NOTICE, "check_password: Parameter accepted.");
#endif
@@ -114,13 +173,15 @@
return NULL;
}
-static int read_config_file (char *keyWord)
+static int read_config_file ()
{
FILE * config;
char * line;
int returnValue = -1;
- if ((line = ber_memcalloc(260, sizeof(char))) == NULL) {
+ line = ber_memcalloc(260, sizeof(char));
+
+ if ( line == NULL ) {
return returnValue;
}
@@ -133,6 +194,8 @@
return returnValue;
}
+ returnValue = 0;
+
while (fgets(line, 256, config) != NULL) {
char *start = line;
char *word, *value;
@@ -145,23 +208,40 @@
while (isspace(*start) && isascii(*start)) start++;
- if (! isascii(*start))
+ /* If we've got punctuation, just skip the line. */
+ if ( ispunct(*start)) {
+#if defined(DEBUG)
+ /* Debug traces to syslog. */
+ syslog(LOG_NOTICE, "check_password: Skipped line |%s|", line);
+#endif
continue;
+ }
- if ((word = strtok(start, " \t")) && (dealer = valid_word(word)) && (strcmp(keyWord,word)==0)) {
- if ((value = strtok(NULL, " \t")) == NULL)
- continue;
+ if( isascii(*start)) {
+
+ struct config_entry* centry = config_entries;
+ int i = 0;
+ char* keyWord = centry[i].key;
+ if ((word = strtok(start, " \t")) && (value = strtok(NULL, " \t"))) {
+ while ( keyWord != NULL ) {
+ if ((strncmp(keyWord,word,strlen(keyWord)) == 0) && (dealer = valid_word(word)) ) {
#if defined(DEBUG)
- syslog(LOG_NOTICE, "check_password: Word = %s, value = %s", word, value);
+ syslog(LOG_NOTICE, "check_password: Word = %s, value = %s", word, value);
#endif
- returnValue = (*dealer)(value);
+ centry[i].value = chomp(value);
+ break;
+ }
+ i++;
+ keyWord = centry[i].key;
+ }
+ }
}
}
-
fclose(config);
ber_memfree(line);
+
return returnValue;
}
@@ -170,7 +250,7 @@
if (curlen < nextlen + MEMORY_MARGIN) {
#if defined(DEBUG)
syslog(LOG_WARNING, "check_password: Reallocating szErrStr from %d to %d",
- curlen, nextlen + MEMORY_MARGIN);
+ curlen, nextlen + MEMORY_MARGIN);
#endif
ber_memfree(*target);
curlen = nextlen + MEMORY_MARGIN;
@@ -180,7 +260,7 @@
return curlen;
}
- int
+int
check_password (char *pPasswd, char **ppErrStr, Entry *pEntry)
{
@@ -210,20 +290,22 @@
nLen = strlen (pPasswd);
if ( nLen < 6) {
mem_len = realloc_error_message(&szErrStr, mem_len,
- strlen(PASSWORD_TOO_SHORT_SZ) +
- strlen(pEntry->e_name.bv_val) + 1);
+ strlen(PASSWORD_TOO_SHORT_SZ) +
+ strlen(pEntry->e_name.bv_val) + 1);
sprintf (szErrStr, PASSWORD_TOO_SHORT_SZ, pEntry->e_name.bv_val, nLen);
goto fail;
}
- /* Read config file */
- minQuality = read_config_file("minPoints");
+ if (read_config_file() == -1) {
+ syslog(LOG_ERR, "Warning: Could not read values from config file %s. Using defaults.", CONFIG_FILE);
+ }
- useCracklib = read_config_file("useCracklib");
- minUpper = read_config_file("minUpper");
- minLower = read_config_file("minLower");
- minDigit = read_config_file("minDigit");
- minPunct = read_config_file("minPunct");
+ minQuality = get_config_entry_int("minPoints");
+ useCracklib = get_config_entry_int("useCracklib");
+ minUpper = get_config_entry_int("minUpper");
+ minLower = get_config_entry_int("minLower");
+ minDigit = get_config_entry_int("minDigit");
+ minPunct = get_config_entry_int("minPunct");
/** The password must have at least minQuality strength points with one
* point for the first occurrance of a lower, upper, digit and
@@ -232,8 +314,6 @@
for ( i = 0; i < nLen; i++ ) {
- if ( nQuality >= minQuality ) break;
-
if ( islower (pPasswd[i]) ) {
minLower--;
if ( !nLower && (minLower < 1)) {
@@ -279,12 +359,23 @@
}
}
- if ( nQuality < minQuality ) {
+ /*
+ * If you have a required field, then it should be required in the strength
+ * checks.
+ */
+
+ if (
+ (minLower > 0 ) ||
+ (minUpper > 0 ) ||
+ (minDigit > 0 ) ||
+ (minPunct > 0 ) ||
+ (nQuality < minQuality)
+ ) {
mem_len = realloc_error_message(&szErrStr, mem_len,
- strlen(PASSWORD_QUALITY_SZ) +
- strlen(pEntry->e_name.bv_val) + 2);
+ strlen(PASSWORD_QUALITY_SZ) +
+ strlen(pEntry->e_name.bv_val) + 2);
sprintf (szErrStr, PASSWORD_QUALITY_SZ, pEntry->e_name.bv_val,
- nQuality, minQuality);
+ nQuality, minQuality);
goto fail;
}
@@ -306,7 +397,7 @@
for ( j = 0; j < 3; j++ ) {
snprintf (filename, FILENAME_MAXLEN - 1, "%s.%s", \
- CRACKLIB_DICTPATH, ext[j]);
+ CRACKLIB_DICTPATH, ext[j]);
if (( fp = fopen ( filename, "r")) == NULL ) {
@@ -326,9 +417,9 @@
r = (char *) FascistCheck (pPasswd, CRACKLIB_DICTPATH);
if ( r != NULL ) {
mem_len = realloc_error_message(&szErrStr, mem_len,
- strlen(BAD_PASSWORD_SZ) +
- strlen(pEntry->e_name.bv_val) +
- strlen(r));
+ strlen(BAD_PASSWORD_SZ) +
+ strlen(pEntry->e_name.bv_val) +
+ strlen(r));
sprintf (szErrStr, BAD_PASSWORD_SZ, pEntry->e_name.bv_val, r);
goto fail;
}
@@ -342,15 +433,15 @@
}
#endif
-
+ dealloc_config_entries();
*ppErrStr = strdup ("");
ber_memfree(szErrStr);
return (LDAP_SUCCESS);
fail:
+ dealloc_config_entries();
*ppErrStr = strdup (szErrStr);
ber_memfree(szErrStr);
return (EXIT_FAILURE);
}
-
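Review bot: dealloc_config_entries frees each `centry[i].value` but leaves the pointer in place, and config_entries is a file-scope array that outlives a single call, so the next call into check_password (or a first call where read_config_file returns -1 before reaching its loop) hands a freed pointer to `atoi` in get_config_entry_int and then frees it a second time at the `fail:`/success exits. The fix is one line in the loop: `ber_memfree(centry[i].value);` / `centry[i].value = NULL;`. The assignment `centry[i].value = chomp(value);` in read_config_file has the same shape: a key that appears twice in the file overwrites the first allocation without freeing it, so free (or skip) before assigning. Since check_password is presumably invoked from slapd's worker threads concurrently, the mutable global config_entries is also shared state with no lock; a per-call local copy of the table would remove both the use-after-free and the race. The unchecked `ber_memalloc` in chomp and its `t[strlen(t)-1]` index on an empty string deserve a guard as well.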

ldap.conf Normal file

@ -0,0 +1,28 @@
#
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
#BASE dc=example,dc=com
#URI ldap://ldap.example.com ldap://ldap-master.example.com:666
#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
# When no CA certificates are specified the Shared System Certificates
# are in use. In order to have these available along with the ones specified
# by TLS_CACERTDIR one has to include them explicitly:
#TLS_CACERT /etc/pki/tls/cert.pem
# System-wide Crypto Policies provide up to date cipher suite which should
# be used unless one needs a finer grinded selection of ciphers. Hence, the
# PROFILE=SYSTEM value represents the default behavior which is in place
# when no explicit setting is used. (see openssl-ciphers(1) for more info)
#TLS_CIPHER_SUITE PROFILE=SYSTEM
# Turning this off breaks GSSAPI used with krb5 when rdns = false
SASL_NOCANON on

libexec-check-config.sh Normal file

@ -0,0 +1,91 @@
#!/bin/sh
# Author: Jan Vcelak <jvcelak@redhat.com>
. /usr/libexec/openldap/functions
function check_config_syntax()
{
retcode=0
tmp_slaptest=`mktemp --tmpdir=/var/run/openldap`
run_as_ldap "/usr/sbin/slaptest $SLAPD_GLOBAL_OPTIONS -u" &>$tmp_slaptest
if [ $? -ne 0 ]; then
error "Checking configuration file failed:"
cat $tmp_slaptest >&2
retcode=1
fi
rm $tmp_slaptest
return $retcode
}
function check_certs_perms()
{
retcode=0
for cert in `certificates`; do
run_as_ldap "/usr/bin/test -e \"$cert\""
if [ $? -ne 0 ]; then
error "TLS certificate/key/DB '%s' was not found." "$cert"
retcoder=1
continue
fi
run_as_ldap "/usr/bin/test -r \"$cert\""
if [ $? -ne 0 ]; then
error "TLS certificate/key/DB '%s' is not readable." "$cert"
retcode=1
fi
done
return $retcode
}
function check_db_perms()
{
retcode=0
for dbdir in `databases`; do
[ -d "$dbdir" ] || continue
for dbfile in `find ${dbdir} -maxdepth 1 -name "*.dbb" -or -name "*.gdbm" -or -name "*.bdb" -or -name "__db.*" -or -name "log.*" -or -name "alock"`; do
run_as_ldap "/usr/bin/test -r \"$dbfile\" -a -w \"$dbfile\""
if [ $? -ne 0 ]; then
error "Read/write permissions for DB file '%s' are required." "$dbfile"
retcode=1
fi
done
done
return $retcode
}
function check_everything()
{
retcode=0
check_config_syntax || retcode=1
# TODO: need support for Mozilla NSS, disabling temporarily
#check_certs_perms || retcode=1
check_db_perms || retcode=1
return $retcode
}
if [ `id -u` -ne 0 ]; then
error "You have to be root to run this script."
exit 4
fi
load_sysconfig
if [ -n "$SLAPD_CONFIG_DIR" ]; then
if [ ! -d "$SLAPD_CONFIG_DIR" ]; then
error "Configuration directory '%s' does not exist." "$SLAPD_CONFIG_DIR"
else
check_everything
exit $?
fi
fi
if [ -n "$SLAPD_CONFIG_FILE" ]; then
if [ ! -f "$SLAPD_CONFIG_FILE" ]; then
error "Configuration file '%s' does not exist." "$SLAPD_CONFIG_FILE"
else
error "Warning: Usage of a configuration file is obsolete!"
check_everything
exit $?
fi
fi
exit 1
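Review bot: `retcoder=1` in check_certs_perms is a typo for `retcode=1`, so a missing certificate/key/DB file is reported but the function still returns success. The script runs under `#!/bin/sh` yet uses `function name()` and `&>$tmp_slaptest`; on a POSIX sh such as dash `&>` parses as `& >`, which backgrounds slaptest and makes the following `$?` test meaningless, so either change the shebang to `#!/bin/bash` or write `>$tmp_slaptest 2>&1`. The `mktemp --tmpdir=/var/run/openldap` result is also never checked before being used as a redirection target and then passed to rm. check_certs_perms is currently disabled in check_everything, which is why the typo is invisible in practice.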

libexec-functions Normal file

@ -0,0 +1,134 @@
# Author: Jan Vcelak <jvcelak@redhat.com>
SLAPD_USER=
SLAPD_CONFIG_FILE=
SLAPD_CONFIG_DIR=
SLAPD_CONFIG_CUSTOM=
SLAPD_GLOBAL_OPTIONS=
SLAPD_SYSCONFIG_FILE=
function default_config()
{
SLAPD_USER=ldap
SLAPD_CONFIG_FILE=/etc/openldap/slapd.conf
SLAPD_CONFIG_DIR=/etc/openldap/slapd.d
SLAPD_CONFIG_CUSTOM=
SLAPD_GLOBAL_OPTIONS=
SLAPD_SYSCONFIG_FILE=/etc/sysconfig/slapd
}
function parse_config_options()
{
user=
config_file=
config_dir=
while getopts :u:f:F: opt; do
case "$opt" in
u)
user="$OPTARG"
;;
f)
config_file="$OPTARG"
;;
F)
config_dir="$OPTARG"
;;
esac
done
if [ -n "$user" ]; then
SLAPD_USER="$user"
fi
if [ -n "$config_dir" ]; then
SLAPD_CONFIG_DIR="$config_dir"
SLAPD_CONFIG_FILE=
SLAPD_CONFIG_CUSTOM=1
SLAPD_GLOBAL_OPTIONS="-F '$config_dir'"
elif [ -n "$config_file" ]; then
SLAPD_CONFIG_DIR=
SLAPD_CONFIG_FILE="$config_file"
SLAPD_CONFIG_CUSTOM=1
SLAPD_GLOBAL_OPTIONS="-f '$config_file'"
fi
}
function uses_new_config()
{
[ -n "$SLAPD_CONFIG_DIR" ]
return $?
}
function run_as_ldap()
{
/sbin/runuser --shell /bin/sh --session-command "$1" "$SLAPD_USER"
return $?
}
function ldif_unbreak()
{
sed ':a;N;s/\n //;ta;P;D'
}
function ldif_value()
{
sed 's/^[^:]*: //'
}
function databases_new()
{
slapcat $SLAPD_GLOBAL_OPTIONS -c \
-H 'ldap:///cn=config???(|(objectClass=olcBdbConfig)(objectClass=olcHdbConfig))' 2>/dev/null | \
ldif_unbreak | \
grep '^olcDbDirectory: ' | \
ldif_value
}
function databases_old()
{
awk 'begin { database="" }
$1 == "database" { database=$2 }
$1 == "directory" { if (database == "bdb" || database == "hdb") print $2}' \
"$SLAPD_CONFIG_FILE"
}
function certificates_new()
{
slapcat $SLAPD_GLOBAL_OPTIONS -c -H 'ldap:///cn=config???(cn=config)' 2>/dev/null | \
ldif_unbreak | \
grep '^olcTLS\(CACertificateFile\|CACertificatePath\|CertificateFile\|CertificateKeyFile\): ' | \
ldif_value
}
function certificates_old()
{
awk '$1 ~ "^TLS(CACertificate(File|Path)|CertificateFile|CertificateKeyFile)$" { print $2 } ' \
"$SLAPD_CONFIG_FILE"
}
function certificates()
{
uses_new_config && certificates_new || certificates_old
}
function databases()
{
uses_new_config && databases_new || databases_old
}
function error()
{
format="$1\n"; shift
printf "$format" $@ >&2
}
function load_sysconfig()
{
[ -r "$SLAPD_SYSCONFIG_FILE" ] || return
. "$SLAPD_SYSCONFIG_FILE"
[ -n "$SLAPD_OPTIONS" ] && parse_config_options $SLAPD_OPTIONS
}
default_config
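Review bot: error() expands its arguments unquoted, `printf "$format" $@ >&2`, so a path containing whitespace (every caller passes a file or directory name) is split into several printf arguments and the message prints with the wrong fields; it should be `printf "$format" "$@" >&2`. In databases_old the awk pattern `begin { database="" }` is lowercase, so it is an ordinary expression testing an unset variable `begin` rather than the BEGIN block; it never executes, which is harmless only because awk treats an unset `database` as empty anyway, but it should read `BEGIN`. This file uses the bash-only `function` keyword while being sourced from `#!/bin/sh` scripts, so the interpreter assumption belongs in a comment at the top.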

libexec-upgrade-db.sh Normal file

@ -0,0 +1,40 @@
#!/bin/sh
# Author: Jan Vcelak <jvcelak@redhat.com>
. /usr/libexec/openldap/functions
if [ `id -u` -ne 0 ]; then
error "You have to be root to run this command."
exit 4
fi
load_sysconfig
retcode=0
for dbdir in `databases`; do
upgrade_log="$dbdir/db_upgrade.`date +%Y%m%d%H%M%S`.log"
bdb_files=`find "$dbdir" -maxdepth 1 -name "*.bdb" -printf '"%f" '`
# skip uninitialized database
[ -z "$bdb_files"] || continue
printf "Updating '%s', logging into '%s'\n" "$dbdir" "$upgrade_log"
# perform the update
for command in \
"/usr/bin/db_recover -v -h \"$dbdir\"" \
"/usr/bin/db_upgrade -v -h \"$dbdir\" $bdb_files" \
"/usr/bin/db_checkpoint -v -h \"$dbdir\" -1" \
; do
printf "Executing: %s\n" "$command" &>>$upgrade_log
run_as_ldap "$command" &>>$upgrade_log
result=$?
printf "Exit code: %d\n" $result >>"$upgrade_log"
if [ $result -ne 0 ]; then
printf "Upgrade failed: %d\n" $result
retcode=1
fi
done
done
exit $retcode
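Review bot: The uninitialized-database guard `[ -z "$bdb_files"] || continue` is wrong twice: the missing space glues `]` onto the operand so `[` is never closed and always fails, and even with the space the sense is inverted, since an empty `$bdb_files` (no *.bdb files) would fall through to the upgrade while a populated directory would be skipped. It should read `[ -n "$bdb_files" ] || continue`. `&>>$upgrade_log` is a bash redirection used under `#!/bin/sh`, so on a POSIX sh the printf and run_as_ldap lines are backgrounded rather than logged; `>>"$upgrade_log" 2>&1` is portable and quotes the path as the exit-code line already does. The log is created by root inside `$dbdir`, a directory the service user writes to, so it would be safer to open it at a fixed path outside the data directory or to create it via run_as_ldap rather than as root.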


openldap-2.4.46.tgz Normal file



@ -0,0 +1,20 @@
use AI_ADDRCONFIG if defined in the environment
Author: Jan Vcelak <jvcelak@redhat.com>
Upstream ITS: #7326
Resolves: #835013
diff --git a/libraries/libldap/os-ip.c b/libraries/libldap/os-ip.c
index b31e05d..fa361ab 100644
--- a/libraries/libldap/os-ip.c
+++ b/libraries/libldap/os-ip.c
@@ -594,8 +594,7 @@ ldap_connect_to_host(LDAP *ld, Sockbuf *sb,
#if defined( HAVE_GETADDRINFO ) && defined( HAVE_INET_NTOP )
memset( &hints, '\0', sizeof(hints) );
-#ifdef USE_AI_ADDRCONFIG /* FIXME: configure test needed */
- /* Use AI_ADDRCONFIG only on systems where its known to be needed. */
+#ifdef AI_ADDRCONFIG
hints.ai_flags = AI_ADDRCONFIG;
#endif
hints.ai_family = ldap_int_inet4or6;
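Review bot: The replacement `#ifdef AI_ADDRCONFIG` drops the comment that explained why the flag used to be opt-in, leaving no note on the behavioural consequence: with AI_ADDRCONFIG, getaddrinfo returns only the address families for which the host has a configured address, and on glibc loopback addresses do not count, so resolution on a host that currently has only loopback interfaces can fail where it previously succeeded. A one-line comment at the `#ifdef` would preserve that, e.g. `/* Only request address families this host has configured (ITS#7326); loopback-only hosts may get no results. */`. ldap_connect_to_host continues outside the hunk.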


@ -0,0 +1,40 @@
Compile AllOp together with other overlays.
Author: Matus Honek <mhonek@redhat.com>
Resolves: #1319782
diff --git a/servers/slapd/overlays/Makefile.in b/servers/slapd/overlays/Makefile.in
--- a/servers/slapd/overlays/Makefile.in
+++ b/servers/slapd/overlays/Makefile.in
@@ -33,7 +33,8 @@ SRCS = overlays.c \
translucent.c \
unique.c \
valsort.c \
- smbk5pwd.c
+ smbk5pwd.c \
+ allop.c
OBJS = statover.o \
@SLAPD_STATIC_OVERLAYS@ \
overlays.o
@@ -53,7 +54,7 @@ NT_LINK_LIBS = -L.. -lslapd $(@BUILD_LIBS_DYNAMIC@_LDAP_LIBS)
UNIX_LINK_LIBS = $(@BUILD_LIBS_DYNAMIC@_LDAP_LIBS)
LIBRARY = ../liboverlays.a
-PROGRAMS = @SLAPD_DYNAMIC_OVERLAYS@ smbk5pwd.la
+PROGRAMS = @SLAPD_DYNAMIC_OVERLAYS@ smbk5pwd.la allop.la
XINCPATH = -I.. -I$(srcdir)/..
XDEFS = $(MODULES_CPPFLAGS)
@@ -125,6 +126,12 @@ unique.la : unique.lo
smbk5pwd.la : smbk5pwd.lo
$(LTLINK_MOD) -module -o $@ smbk5pwd.lo version.lo $(LINK_LIBS) $(shell pkg-config openssl --libs)
+allop.lo : allop.c
+ $(LTCOMPILE_MOD) -DDO_SAMBA -UHAVE_MOZNSS -DHAVE_OPENSSL $(shell pkg-config openssl --cflags) $<
+
+allop.la : allop.lo
+ $(LTLINK_MOD) -module -o $@ allop.lo version.lo $(LINK_LIBS) $(shell pkg-config openssl --libs)
+
install-local: $(PROGRAMS)
@if test -n "$?" ; then \
$(MKDIR) $(DESTDIR)$(moduledir); \
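Review bot: The new allop.lo rule copies the smbk5pwd compile flags verbatim, `-DDO_SAMBA -UHAVE_MOZNSS -DHAVE_OPENSSL $(shell pkg-config openssl --cflags)`, and the link rule pulls in the OpenSSL libraries; unless allop actually uses Samba hashing or OpenSSL (nothing on this page suggests it does), the overlay is built with a foreign crypto backend forced on, and `-UHAVE_MOZNSS` silently contradicts whatever configure selected. I would reduce the two rules to `$(LTCOMPILE_MOD) $<` and `$(LTLINK_MOD) -module -o $@ allop.lo version.lo $(LINK_LIBS)`, matching the unique.la/smbk5pwd.la shape visible at the top of the hunk minus the OpenSSL additions. `$(shell ...)` is also GNU make only, which matters in a Makefile.in processed by configure; the same applies to the smbk5pwd rules in openldap-smbk5pwd-overlay.patch further down this page.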

openldap-ldapi-sasl.patch Normal file

@ -0,0 +1,55 @@
From 69709289b083c53ba41d2cef7d65120220f8c59b Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Tue, 7 May 2013 17:02:57 +0200
Subject: [PATCH] LDAPI SASL fix
Resolves: #960222
---
libraries/libldap/cyrus.c | 19 ++++++++++++++++---
1 Datei geändert, 16 Zeilen hinzugefügt(+), 3 Zeilen entfernt(-)
diff --git a/libraries/libldap/cyrus.c b/libraries/libldap/cyrus.c
index 28c241b..a9acf36 100644
--- a/libraries/libldap/cyrus.c
+++ b/libraries/libldap/cyrus.c
@@ -394,6 +394,8 @@ ldap_int_sasl_bind(
struct berval ccred = BER_BVNULL;
int saslrc, rc;
unsigned credlen;
+ char my_hostname[HOST_NAME_MAX + 1];
+ int free_saslhost = 0;
Debug( LDAP_DEBUG_TRACE, "ldap_int_sasl_bind: %s\n",
mechs ? mechs : "<null>", 0, 0 );
@@ -454,14 +456,25 @@ ldap_int_sasl_bind(
/* If we don't need to canonicalize just use the host
* from the LDAP URI.
+ * Always use the result of gethostname() for LDAPI.
*/
- if ( nocanon )
+ if (ld->ld_defconn->lconn_server->lud_scheme != NULL &&
+ strcmp("ldapi", ld->ld_defconn->lconn_server->lud_scheme) == 0) {
+ rc = gethostname(my_hostname, HOST_NAME_MAX + 1);
+ if (rc == 0) {
+ saslhost = my_hostname;
+ } else {
+ saslhost = "localhost";
+ }
+ } else if ( nocanon )
saslhost = ld->ld_defconn->lconn_server->lud_host;
- else
+ else {
saslhost = ldap_host_connected_to( ld->ld_defconn->lconn_sb,
"localhost" );
+ free_saslhost = 1;
+ }
rc = ldap_int_sasl_open( ld, ld->ld_defconn, saslhost );
- if ( !nocanon )
+ if ( free_saslhost )
LDAP_FREE( saslhost );
}
--
1.7.11.7
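Review bot: `gethostname(my_hostname, HOST_NAME_MAX + 1)` does not guarantee NUL termination when the name does not fit (POSIX leaves that unspecified), and the buffer is then passed to ldap_int_sasl_open as a C string; add `my_hostname[HOST_NAME_MAX] = '\0';` after the call, or treat truncation like the error case and fall back to `"localhost"`. HOST_NAME_MAX is not defined on every platform libldap builds on, so a `#ifndef HOST_NAME_MAX` fallback (or sysconf(_SC_HOST_NAME_MAX)) keeps the file portable. The scheme test now dereferences `ld->ld_defconn->lconn_server` on every path, where the old code only did so under `nocanon`; if lconn_server can be NULL at this point, which the hunk does not show, that is a new NULL dereference. ldap_int_sasl_bind starts and ends outside the hunks.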

openldap-manpages.patch Normal file

@ -0,0 +1,73 @@
Various manual pages changes:
* removes LIBEXECDIR from slapd.8
* removes references to non-existing manpages (bz 624616)
diff --git a/doc/man/man1/ldapmodify.1 b/doc/man/man1/ldapmodify.1
index 3def6da..466c772 100644
--- a/doc/man/man1/ldapmodify.1
+++ b/doc/man/man1/ldapmodify.1
@@ -397,8 +397,7 @@ exit status and a diagnostic message being written to standard error.
.BR ldap_add_ext (3),
.BR ldap_delete_ext (3),
.BR ldap_modify_ext (3),
-.BR ldap_modrdn_ext (3),
-.BR ldif (5).
+.BR ldif (5)
.SH AUTHOR
The OpenLDAP Project <http://www.openldap.org/>
.SH ACKNOWLEDGEMENTS
diff --git a/doc/man/man5/ldap.conf.5 b/doc/man/man5/ldap.conf.5
index cfde143..63592cb 100644
--- a/doc/man/man5/ldap.conf.5
+++ b/doc/man/man5/ldap.conf.5
@@ -317,6 +317,7 @@ certificates in separate individual files. The
.B TLS_CACERT
is always used before
.B TLS_CACERTDIR.
+The specified directory must be managed with the OpenSSL c_rehash utility.
This parameter is ignored with GnuTLS.
When using Mozilla NSS, <path> may contain a Mozilla NSS cert/key
diff --git a/doc/man/man8/slapd.8 b/doc/man/man8/slapd.8
index b739f4d..e2a1a00 100644
--- a/doc/man/man8/slapd.8
+++ b/doc/man/man8/slapd.8
@@ -5,7 +5,7 @@
.SH NAME
slapd \- Stand-alone LDAP Daemon
.SH SYNOPSIS
-.B LIBEXECDIR/slapd
+.B slapd
[\c
.BR \-4 | \-6 ]
[\c
@@ -317,7 +317,7 @@ the LDAP databases defined in the default config file, just type:
.LP
.nf
.ft tt
- LIBEXECDIR/slapd
+ slapd
.ft
.fi
.LP
@@ -328,7 +328,7 @@ on voluminous debugging which will be printed on standard error, type:
.LP
.nf
.ft tt
- LIBEXECDIR/slapd \-f /var/tmp/slapd.conf \-d 255
+ slapd -f /var/tmp/slapd.conf -d 255
.ft
.fi
.LP
@@ -336,7 +336,7 @@ To test whether the configuration file is correct or not, type:
.LP
.nf
.ft tt
- LIBEXECDIR/slapd \-Tt
+ slapd -Tt
.ft
.fi
.LP
--
1.8.1.4


@ -0,0 +1,24 @@
Ensure SSLv3 is enabled when necessary
Either at compilation time, or as a system-wide configuration, OpenSSL
may have disabled SSLv3 protocol by default. This change ensures the
protocol NO flag is cleared when necessary, hence allowing for the
protocol to be used.
Author: Matus Honek <mhonek@redhat.com>
diff --git a/libraries/libldap/tls_o.c b/libraries/libldap/tls_o.c
--- a/libraries/libldap/tls_o.c
+++ b/libraries/libldap/tls_o.c
@@ -297,8 +297,10 @@ tlso_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server )
#endif
if ( lo->ldo_tls_protocol_min > LDAP_OPT_X_TLS_PROTOCOL_SSL3 )
SSL_CTX_set_options( ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 );
- else if ( lo->ldo_tls_protocol_min > LDAP_OPT_X_TLS_PROTOCOL_SSL2 )
+ else if ( lo->ldo_tls_protocol_min > LDAP_OPT_X_TLS_PROTOCOL_SSL2 ) {
SSL_CTX_set_options( ctx, SSL_OP_NO_SSLv2 );
+ SSL_CTX_clear_options( ctx, SSL_OP_NO_SSLv3 );
+ }
if ( lo->ldo_tls_ciphersuite &&
!SSL_CTX_set_cipher_list( ctx, lt->lt_ciphersuite ) )
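Review bot: The new `SSL_CTX_clear_options( ctx, SSL_OP_NO_SSLv3 )` undoes a protocol restriction that OpenSSL or the system-wide policy applied deliberately, and it does so silently whenever `ldo_tls_protocol_min` falls in the SSL3 branch, so an administrator who lowered the minimum for one peer gets SSLv3 re-enabled on every connection built from this context with nothing in the logs. At minimum log it in that branch, using the Debug macro as the rest of libldap does, e.g. `Debug( LDAP_DEBUG_ANY, "TLS: SSLv3 re-enabled by TLS protocol minimum\n", 0, 0, 0 );`. The comment should also say that clearing the option has no effect when OpenSSL was built without SSLv3 support, so the configured minimum is then not honoured and the caller cannot tell. tlso_ctx_init continues outside the hunk.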


@ -0,0 +1,33 @@
The non-reentrant gethostbyXXXX() functions deadlock if called recursively, for
example if libldap needs to be initialized from within gethostbyXXXX() (which
actually happens if nss_ldap is used for hostname resolution and earlier
modules can't resolve the local host name), so use the reentrant versions of
the functions, even if we're not being compiled for use in libldap_r
Resolves: #179730
Author: Jeffery Layton <jlayton@redhat.com>
diff --git a/libraries/libldap/util-int.c b/libraries/libldap/util-int.c
index 373c81c..a012062 100644
--- a/libraries/libldap/util-int.c
+++ b/libraries/libldap/util-int.c
@@ -52,8 +52,8 @@ extern int h_errno;
#ifndef LDAP_R_COMPILE
# undef HAVE_REENTRANT_FUNCTIONS
# undef HAVE_CTIME_R
-# undef HAVE_GETHOSTBYNAME_R
-# undef HAVE_GETHOSTBYADDR_R
+/* # undef HAVE_GETHOSTBYNAME_R */
+/* # undef HAVE_GETHOSTBYADDR_R */
#else
# include <ldap_pvt_thread.h>
@@ -317,7 +317,7 @@ ldap_pvt_csnstr(char *buf, size_t len, unsigned int replica, unsigned int mod)
#define BUFSTART (1024-32)
#define BUFMAX (32*1024-32)
-#if defined(LDAP_R_COMPILE)
+#if defined(LDAP_R_COMPILE) || defined(HAVE_GETHOSTBYNAME_R) && defined(HAVE_GETHOSTBYADDR_R)
static char *safe_realloc( char **buf, int len );
#if !(defined(HAVE_GETHOSTBYNAME_R) && defined(HAVE_GETHOSTBYADDR_R))
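Review bot: The new condition `#if defined(LDAP_R_COMPILE) || defined(HAVE_GETHOSTBYNAME_R) && defined(HAVE_GETHOSTBYADDR_R)` relies on `&&` binding tighter than `||`; that yields the intended meaning, but both -Wparentheses-class warnings and the next reader benefit from `#if defined(LDAP_R_COMPILE) || (defined(HAVE_GETHOSTBYNAME_R) && defined(HAVE_GETHOSTBYADDR_R))`. The first hunk replaces two `# undef` lines with commented-out directives; the rationale from the patch header belongs there instead, `/* keep the _r variants even without LDAP_R_COMPILE: the non-reentrant calls can recurse into libldap via nss_ldap */`, and the dead directives can go. Note that the inner `#if !(defined(HAVE_GETHOSTBYNAME_R) && defined(HAVE_GETHOSTBYADDR_R))` branch is now reachable only with LDAP_R_COMPILE, which matches the old behaviour but is no longer obvious from the guard.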


@ -0,0 +1,49 @@
Compile smbk5pwd together with other overlays.
Author: Jan Šafránek <jsafrane@redhat.com>
Resolves: #550895
Update to link against OpenSSL
Author: Jan Vcelak <jvcelak@redhat.com>
Resolves: #841560
diff --git a/servers/slapd/overlays/Makefile.in b/servers/slapd/overlays/Makefile.in
index 3af20e8..ef73663 100644
--- a/servers/slapd/overlays/Makefile.in
+++ b/servers/slapd/overlays/Makefile.in
@@ -33,7 +33,8 @@ SRCS = overlays.c \
syncprov.c \
translucent.c \
unique.c \
- valsort.c
+ valsort.c \
+ smbk5pwd.c
OBJS = statover.o \
@SLAPD_STATIC_OVERLAYS@ \
overlays.o
@@ -53,7 +54,7 @@ NT_LINK_LIBS = -L.. -lslapd $(@BUILD_LIBS_DYNAMIC@_LDAP_LIBS)
UNIX_LINK_LIBS = $(@BUILD_LIBS_DYNAMIC@_LDAP_LIBS)
LIBRARY = ../liboverlays.a
-PROGRAMS = @SLAPD_DYNAMIC_OVERLAYS@
+PROGRAMS = @SLAPD_DYNAMIC_OVERLAYS@ smbk5pwd.la
XINCPATH = -I.. -I$(srcdir)/..
XDEFS = $(MODULES_CPPFLAGS)
@@ -125,6 +126,12 @@ unique.la : unique.lo
valsort.la : valsort.lo
$(LTLINK_MOD) -module -o $@ valsort.lo version.lo $(LINK_LIBS)
+smbk5pwd.lo : smbk5pwd.c
+ $(LTCOMPILE_MOD) -DDO_SAMBA -UHAVE_MOZNSS -DHAVE_OPENSSL $(shell pkg-config openssl --cflags) $<
+
+smbk5pwd.la : smbk5pwd.lo
+ $(LTLINK_MOD) -module -o $@ smbk5pwd.lo version.lo $(LINK_LIBS) $(shell pkg-config openssl --libs)
+
install-local: $(PROGRAMS)
@if test -n "$?" ; then \
$(MKDIR) $(DESTDIR)$(moduledir); \
--
1.7.10.4
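Review bot: The smbk5pwd rules hard-code `-UHAVE_MOZNSS -DHAVE_OPENSSL` and link OpenSSL via `$(shell pkg-config openssl --libs)` regardless of which TLS backend configure selected for libldap, so with the NSS patches this package carries the overlay and the library it loads into may use different crypto implementations in one process; if that is intended, a comment above `smbk5pwd.lo :` should say so. If pkg-config or the openssl .pc file is missing, `$(shell ...)` expands to nothing and the failure surfaces only as an unrelated compile or link error, so a configure-time substitution (an @OPENSSL_CFLAGS@/@OPENSSL_LIBS@ pair, in the style the rest of Makefile.in already uses) would fail early and explicitly. `$(shell ...)` is also GNU make specific, which a Makefile.in processed by configure should not assume silently.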


@ -0,0 +1,41 @@
From: Jan-Marek Glogowski <jan-marek.glogowski@muenchen.de>
Date: Tue, 18 May 2010 17:47:05 +0200
Subject: [PATCH] Switch to lt_dlopenadvise() to get RTLD_GLOBAL set.
Proof of concept for fixing http://bugs.debian.org/327585
(patch ported from freeradius bug http://bugs.debian.org/416266)
Resolves: #960048
---
--- openldap/servers/slapd/module.c.orig 2010-05-18 17:42:04.000000000 +0200
+++ openldap/servers/slapd/module.c 2010-05-18 17:45:46.000000000 +0200
@@ -117,6 +117,20 @@
return -1; /* not found */
}
+static lt_dlhandle slapd_lt_dlopenext_global( const char *filename )
+{
+ lt_dlhandle handle = 0;
+ lt_dladvise advise;
+
+ if (!lt_dladvise_init (&advise) && !lt_dladvise_ext (&advise)
+ && !lt_dladvise_global (&advise))
+ handle = lt_dlopenadvise (filename, advise);
+
+ lt_dladvise_destroy (&advise);
+
+ return handle;
+}
+
int module_load(const char* file_name, int argc, char *argv[])
{
module_loaded_t *module;
@@ -180,7 +194,7 @@
* to calling Debug. This is because Debug is a macro that expands
* into multiple function calls.
*/
- if ((module->lib = lt_dlopenext(file)) == NULL) {
+ if ((module->lib = slapd_lt_dlopenext_global(file)) == NULL) {
error = lt_dlerror();
#ifdef HAVE_EBCDIC
strcpy( ebuf, error );
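Review bot: slapd_lt_dlopenext_global returns a null handle for two distinct reasons, an lt_dladvise_init/ext/global failure or an lt_dlopenadvise failure, and the caller in module_load reports `lt_dlerror()` for both, which for the advise failures may not describe what actually went wrong. `lt_dladvise_destroy` is also reached when `lt_dladvise_init` failed, at which point `advise` holds whatever init left there; initializing `lt_dladvise advise = 0;` costs nothing and removes the dependence on libltdl's failure-path behaviour. A header comment on the helper should state why RTLD_GLOBAL is wanted and what it implies, e.g. `/* Load with RTLD_GLOBAL so symbols exported by one module are visible to modules loaded later (Debian #327585); module symbol names must therefore not collide. */`. module_load continues outside the hunk.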

openldap.spec Normal file

@ -0,0 +1,476 @@
%global systemctl_bin /usr/bin/systemctl
Name: openldap
Version: 2.4.46
Release: 11
Summary: LDAP support libraries
License: OpenLDAP
URL: https://www.openldap.org/
Source0: https://www.openldap.org/software/download/OpenLDAP/openldap-release/openldap-%{version}.tgz
Source1: slapd.service
Source2: slapd.tmpfiles
Source3: slapd.ldif
Source4: ldap.conf
Source10: ltb-project-openldap-ppolicy-check-password-1.1.tar.gz
Source50: libexec-functions
Source52: libexec-check-config.sh
Source53: libexec-upgrade-db.sh
Patch0: openldap-manpages.patch
Patch2: openldap-reentrant-gethostby.patch
Patch3: openldap-smbk5pwd-overlay.patch
Patch5: openldap-ai-addrconfig.patch
Patch17: openldap-allop-overlay.patch
# http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=327585
Patch19: openldap-switch-to-lt_dlopenadvise-to-get-RTLD_GLOBAL-set.patch
Patch20: openldap-ldapi-sasl.patch
Patch21: openldap-openssl-allow-ssl3.patch
Patch90: check-password-makefile.patch
Patch91: check-password.patch
Patch6000: bugfix-openldap-autoconf-pkgconfig-nss.patch
Patch6001: bugfix-openldap-nss-ciphers-use-nss-defaults.patch
Patch6002: bugfix-openldap-nss-ignore-certdb-type-prefix.patch
Patch6003: bugfix-openldap-nss-pk11-freeslot.patch
Patch6004: bugfix-openldap-nss-protocol-version-new-api.patch
Patch6005: bugfix-openldap-nss-unregister-on-unload.patch
Patch6006: bugfix-openldap-nss-update-list-of-ciphers.patch
Patch6007: bugfix-openldap-nss-ciphersuite-handle-masks-correctly.patch
Patch6008: bugfix-openldap-ssl-deadlock-revert.patch
Patch6009: bugfix-openldap-support-tlsv1-and-later.patch
Patch6010: bugfix-openldap-temporary-ssl-thr-init-race.patch
Patch6011: Fix-calls-to-SLAP_DEVPOLL_SOCK_LX-for-multi-listener.patch
Patch6012: Fixup-for-binary-config-attrs.patch
Patch6013: ITS-8864-Fix-ber_realloc-after-a-partial-ber_flush.patch
Patch6014: ITS-8840-Fix-domainScope-control-to-ensure-the-contr.patch
Patch6015: ITS-8843-check-for-NULL-modlist.patch
Patch6016: Fix-quoting-example.patch
Patch6017: ITS-8667-Do-not-finish-glue-initialisation-in-tool-m.patch
Patch6018: ITS-8842-Do-some-printability-checks-on-the-dc-RDN.patch
Patch6019: ITS-8909-fix-authz-policy-all-condition.patch
Patch6020: ITS-8909-additional-tweak.patch
Patch6021: Fix-index-delete.patch
Patch6022: ITS-8756-remove-loose-pg-from-dirty-list-in-freelist.patch
Patch6023: ITS-8918-fix-typo.patch
Patch6024: ITS-8923-fix-dyngroup-NO_SUCH_OBJECT-error-handling.patch
Patch6025: ITS-8878-Include-the-first-character-in-the-transfor.patch
Patch6026: ITS-8752-maybe-related.patch
Patch6027: ITS-8932-check-rdnNormalize-success.patch
Patch6028: ITS-8727-plug-ber-leaks.patch
Patch6029: ITS-8948-Fix-BDB-lib-to-only-be-linked-with-static-b.patch
Patch6030: ITS-8663-Fix-memberof-SLAP_CONFIG_EMIT.patch
Patch6031: ITS-8472-only-do-index-cleanup-if-DB-is-running.patch
Patch6032: ITS-8957-Fix-ASYNC-TLS.patch
Patch6033: ITS-8980-fix-async-connections-with-non-blocking-TLS.patch
Patch6034: CVE-2019-13057-1.patch
Patch6035: CVE-2019-13057-2.patch
Patch6036: CVE-2019-13057-3.patch
Patch6037: CVE-2019-13057-4.patch
Patch6038: CVE-2019-13565.patch
BuildRequires: cyrus-sasl-devel openssl-devel krb5-devel unixODBC-devel
BuildRequires: glibc-devel libtool libtool-ltdl-devel groff perl-interpreter perl-devel perl-generators perl-ExtUtils-Embed
%description
OpenLDAP is an open source suite of LDAP (Lightweight Directory Access
Protocol) applications and development tools. LDAP is a set of
protocols for accessing directory services (usually phone book style
information, but other information is possible) over the Internet,
similar to the way DNS (Domain Name System) information is propagated
over the Internet. The openldap package contains configuration files,
libraries, and documentation for OpenLDAP.
%package devel
Summary: LDAP development libraries and header files
Requires: openldap = %{version}-%{release} cyrus-sasl-devel
%description devel
The openldap-devel package includes the development libraries and
header files needed for compiling applications that use LDAP
(Lightweight Directory Access Protocol) internals. LDAP is a set of
protocols for enabling directory services over the Internet. Install
this package only if you plan to develop or will need to compile
customized LDAP clients.
%package servers
Summary: LDAP server
License: OpenLDAP
Requires: openldap = %{version}-%{release} libdb-utils
Requires(pre): shadow-utils
%{?systemd_requires}
BuildRequires: systemd
BuildRequires: libdb-devel cracklib-devel
Provides: ldif2ldbm
%description servers
OpenLDAP is an open-source suite of LDAP (Lightweight Directory Access
Protocol) applications and development tools. LDAP is a set of
protocols for accessing directory services (usually phone book style
information, but other information is possible) over the Internet,
similar to the way DNS (Domain Name System) information is propagated
over the Internet. This package contains the slapd server and related files.
%package clients
Summary: LDAP client utilities
Requires: openldap = %{version}-%{release}
%description clients
OpenLDAP is an open-source suite of LDAP (Lightweight Directory Access
Protocol) applications and development tools. LDAP is a set of
protocols for accessing directory services (usually phone book style
information, but other information is possible) over the Internet,
similar to the way DNS (Domain Name System) information is propagated
over the Internet. The openldap-clients package contains the client
programs needed for accessing and modifying OpenLDAP directories.
%package_help
%prep
%setup -q -c -a 0 -a 10
pushd openldap-%{version}
AUTOMAKE=%{_bindir}/true autoreconf -fi
%patch0 -p1
%patch2 -p1
%patch3 -p1
%patch5 -p1
%patch17 -p1
%patch19 -p1
%patch20 -p1
%patch21 -p1
%patch6000 -p1
%patch6001 -p1
%patch6002 -p1
%patch6003 -p1
%patch6004 -p1
%patch6005 -p1
%patch6006 -p1
%patch6007 -p1
%patch6008 -p1
%patch6009 -p1
%patch6010 -p1
%patch6011 -p1
%patch6012 -p1
%patch6013 -p1
%patch6014 -p1
%patch6015 -p1
%patch6016 -p1
%patch6017 -p1
%patch6018 -p1
%patch6019 -p1
%patch6020 -p1
%patch6021 -p1
%patch6022 -p1
%patch6023 -p1
%patch6024 -p1
%patch6025 -p1
%patch6026 -p1
%patch6027 -p1
%patch6028 -p1
%patch6029 -p1
%patch6030 -p1
%patch6031 -p1
%patch6032 -p1
%patch6033 -p1
%patch6034 -p1
%patch6035 -p1
%patch6036 -p1
%patch6037 -p1
%patch6038 -p1
ln -s ../../../contrib/slapd-modules/smbk5pwd/smbk5pwd.c servers/slapd/overlays
mv contrib/slapd-modules/smbk5pwd/README contrib/slapd-modules/smbk5pwd/README.smbk5pwd
ln -s ../../../contrib/slapd-modules/allop/allop.c servers/slapd/overlays
mv contrib/slapd-modules/allop/README contrib/slapd-modules/allop/README.allop
mv contrib/slapd-modules/allop/slapo-allop.5 doc/man/man5/slapo-allop.5
mv servers/slapd/back-perl/README{,.back_perl}
for filename in doc/drafts/draft-ietf-ldapext-acl-model-xx.txt; do
iconv -f iso-8859-1 -t utf-8 "$filename" > "$filename.utf8"
mv "$filename.utf8" "$filename"
done
popd
pushd ltb-project-openldap-ppolicy-check-password-1.1
%patch90 -p1
%patch91 -p1
popd
%build
%set_build_flags
export CFLAGS="${CFLAGS} ${LDFLAGS} -Wl,--as-needed -DLDAP_CONNECTIONLESS -DLDAP_USE_NON_BLOCKING_TLS"
pushd openldap-%{version}
%configure \
--enable-debug --enable-dynamic --enable-dynacl \
--enable-cleartext --enable-crypt --enable-lmpasswd \
--enable-spasswd --enable-modules --enable-rewrite \
--enable-rlookups --enable-slapi --disable-slp \
--enable-backends=mod --enable-bdb=yes --enable-hdb=yes \
--enable-mdb=yes --enable-monitor=yes --disable-ndb \
--disable-sql --enable-overlays=mod --disable-static \
--with-cyrus-sasl --without-fetch --with-threads \
--with-pic --with-gnu-ld --libexecdir=%{_libdir}
%make_build
popd
pushd ltb-project-openldap-ppolicy-check-password-1.1
make LDAP_INC="-I../openldap-%{version}/include \
-I../openldap-%{version}/servers/slapd \
-I../openldap-%{version}/build-servers/include"
popd
%install
install -d %{buildroot}%{_libdir}/
pushd openldap-%{version}
%make_install STRIP=""
popd
pushd ltb-project-openldap-ppolicy-check-password-1.1
mv check_password.so check_password.so.1.1
ln -s check_password.so.1.1 %{buildroot}%{_libdir}/openldap/check_password.so
install -m 755 check_password.so.1.1 %{buildroot}%{_libdir}/openldap/
install -d -m 755 %{buildroot}%{_sysconfdir}/openldap
cat > %{buildroot}%{_sysconfdir}/openldap/check_password.conf <<EOF
# OpenLDAP pwdChecker library configuration
#useCracklib 1
#minPoints 3
#minUpper 0
#minLower 0
#minDigit 0
#minPunct 0
EOF
mv README{,.check_pwd}
popd
install -d %{buildroot}%{_sysconfdir}/openldap/certs
install -d %{buildroot}%{_sharedstatedir}
install -d %{buildroot}%{_localstatedir}
install -m 0700 -d %{buildroot}%{_sharedstatedir}/ldap
install -m 0755 -d %{buildroot}%{_localstatedir}/run/openldap
install -d %{buildroot}%{_tmpfilesdir}
install -m 0644 %SOURCE2 %{buildroot}%{_tmpfilesdir}/slapd.conf
install -m 0644 %SOURCE4 %{buildroot}%{_sysconfdir}/openldap/ldap.conf
install -d %{buildroot}%{_libexecdir}
install -m 0755 -d %{buildroot}%{_libexecdir}/openldap
install -m 0644 %SOURCE50 %{buildroot}%{_libexecdir}/openldap/functions
install -m 0755 %SOURCE52 %{buildroot}%{_libexecdir}/openldap/check-config.sh
install -m 0755 %SOURCE53 %{buildroot}%{_libexecdir}/openldap/upgrade-db.sh
perl -pi -e "s|%{buildroot}||g" %{buildroot}%{_sysconfdir}/openldap/*.conf
perl -pi -e "s|%{buildroot}||g" %{buildroot}%{_mandir}/*/*.*
rm -f %{buildroot}%{_sysconfdir}/openldap/*.default
rm -f %{buildroot}%{_sysconfdir}/openldap/schema/*.default
install -d %{buildroot}%{_unitdir}
install -m 0644 %SOURCE1 %{buildroot}%{_unitdir}/slapd.service
mv %{buildroot}%{_libdir}/slapd %{buildroot}%{_sbindir}/
for X in acl add auth cat dn index passwd test schema; do
rm -f %{buildroot}%{_sbindir}/slap$X
rm -f %{buildroot}%{_libdir}/slap$X
done
for X in acl add auth cat dn index passwd test schema; do
ln -s slapd %{buildroot}%{_sbindir}/slap$X
done
pushd %{buildroot}%{_libdir}
v=%{version}
version=$(echo ${v%.[0-9]*})
for lib in liblber libldap libldap_r libslapi; do
rm -f ${lib}.so
ln -s ${lib}-${version}.so.2 ${lib}.so
done
popd
chmod 0755 %{buildroot}%{_libdir}/lib*.so*
chmod 0644 %{buildroot}%{_libdir}/lib*.*a
install -d %{buildroot}%{_datadir}
install -m 0755 -d %{buildroot}%{_datadir}/openldap-servers
install -m 0644 %SOURCE3 %{buildroot}%{_datadir}/openldap-servers/slapd.ldif
install -m 0700 -d %{buildroot}%{_sysconfdir}/openldap/slapd.d
mv %{buildroot}%{_sysconfdir}/openldap/schema/README README.schema
mv %{buildroot}%{_sysconfdir}/openldap/DB_CONFIG.example %{buildroot}%{_datadir}/openldap-servers/DB_CONFIG.example
chmod 0644 %{buildroot}%{_datadir}/openldap-servers/DB_CONFIG.example
%delete_la
rm -f %{buildroot}%{_localstatedir}/openldap-data/DB_CONFIG.example
rmdir %{buildroot}%{_localstatedir}/openldap-data
%ldconfig_scriptlets
%pre servers
getent group ldap &>/dev/null || groupadd -r -g 55 ldap
getent passwd ldap &>/dev/null || \
useradd -r -g ldap -u 55 -d %{_sharedstatedir}/ldap -s /sbin/nologin -c "OpenLDAP server" ldap
if [ $1 -eq 2 ]; then
old_version=$(rpm -q --qf=%%{version} openldap-servers)
new_version=%{version}
if [ "$old_version" != "$new_version" ]; then
touch %{_sharedstatedir}/ldap/rpm_upgrade_openldap &>/dev/null
fi
fi
exit 0
%post servers
%systemd_post slapd.service
if [[ ! -f %{_sysconfdir}/openldap/slapd.d/cn=config.ldif && \
! -f %{_sysconfdir}/openldap/slapd.conf
]]; then
install -d %{_sysconfdir}/openldap/slapd.d/ &>/dev/null || :
/usr/sbin/slapadd -F %{_sysconfdir}/openldap/slapd.d/ -n0 -l %{_datadir}/openldap-servers/slapd.ldif
chown -R ldap:ldap %{_sysconfdir}/openldap/slapd.d/
%{systemctl_bin} try-restart slapd.service &>/dev/null
fi
start_slapd=0
if [ -f %{_sharedstatedir}/ldap/rpm_upgrade_openldap ]; then
if %{systemctl_bin} --quiet is-active slapd.service; then
%{systemctl_bin} stop slapd.service
start_slapd=1
fi
%{_libexecdir}/openldap/upgrade-db.sh &>/dev/null
rm -f %{_sharedstatedir}/ldap/rpm_upgrade_openldap
fi
if [ $1 -ge 1 ]; then
if [ $start_slapd -eq 1 ]; then
%{systemctl_bin} start slapd.service &>/dev/null || :
else
%{systemctl_bin} condrestart slapd.service &>/dev/null || :
fi
fi
exit 0
%preun servers
%systemd_preun slapd.service
%postun servers
%systemd_postun_with_restart slapd.service
%triggerin servers -- libdb
if [ $2 -eq 2 ]; then
if [ "$(rpm -q --qf="%%{version}\n" libdb | sed 's/\.[0-9]*$//' | sort -u | wc -l)" != "1" ]; then
touch %{_sharedstatedir}/ldap/rpm_upgrade_libdb
else
rm -f %{_sharedstatedir}/ldap/rpm_upgrade_libdb
fi
fi
exit 0
%triggerun servers -- libdb
if [ -f %{_sharedstatedir}/ldap/rpm_upgrade_libdb ]; then
if %{systemctl_bin} --quiet is-active slapd.service; then
%{systemctl_bin} stop slapd.service
start=1
else
start=0
fi
%{_libexecdir}/openldap/upgrade-db.sh &>/dev/null
rm -f %{_sharedstatedir}/ldap/rpm_upgrade_libdb
[ $start -eq 1 ] && %{systemctl_bin} start slapd.service &>/dev/null
fi
exit 0
%files
%defattr(-,root,root)
%license openldap-%{version}/COPYRIGHT
%license openldap-%{version}/LICENSE
%dir %{_sysconfdir}/openldap/certs
%config(noreplace) %{_sysconfdir}/openldap/ldap.conf
%dir %{_libexecdir}/openldap/
%{_libdir}/lib*.so.*
%exclude %{_sysconfdir}/openldap/ldap.conf
%exclude %{_sysconfdir}/openldap/slapd.conf
%exclude %{_sysconfdir}/openldap/slapd.ldif
%files servers
%defattr(-,root,root)
%config(noreplace) %dir %attr(0750,ldap,ldap) %{_sysconfdir}/openldap/slapd.d
%config(noreplace) %{_sysconfdir}/openldap/schema
%config(noreplace) %{_sysconfdir}/openldap/check_password.conf
%{_tmpfilesdir}/slapd.conf
%dir %attr(0700,ldap,ldap) %{_sharedstatedir}/ldap
%dir %attr(-,ldap,ldap) %{_localstatedir}/run/openldap
%{_unitdir}/slapd.service
%{_datadir}/openldap-servers/
%{_libdir}/openldap/*
%{_libexecdir}/openldap/functions
%{_libexecdir}/openldap/check-config.sh
%{_libexecdir}/openldap/upgrade-db.sh
%{_sbindir}/sl*
%ghost %config(noreplace,missingok) %attr(0640,ldap,ldap) %{_sysconfdir}/openldap/slapd.conf
%files clients
%defattr(-,root,root)
%{_bindir}/*
%files devel
%defattr(-,root,root)
%{_libdir}/lib*.so
%{_includedir}/*
%files help
%defattr(-,root,root)
%{_mandir}/man*/*
%doc openldap-%{version}/ANNOUNCEMENT
%doc openldap-%{version}/CHANGES
%doc openldap-%{version}/README
%doc openldap-%{version}/doc/guide/admin/*.html
%doc openldap-%{version}/doc/guide/admin/*.png
%doc openldap-%{version}/servers/slapd/back-perl/SampleLDAP.pm
%doc openldap-%{version}/servers/slapd/back-perl/README.back_perl
%doc README.schema
%doc openldap-%{version}/doc/drafts openldap-%{version}/doc/rfc
%doc ltb-project-openldap-ppolicy-check-password-1.1/README.check_pwd
%changelog
* Sat Dec 21 2019 openEuler Buildteam <buildteam@openeuler.org> - 2.4.46-11
- Type:cves
- ID:CVE-2019-13565
- SUG:restart
- DESC:fix CVE--2019-13565
* Wed Sep 25 2019 openEuler Buildteam <buildteam@openeuler.org> - 2.4.46-10
- Type:cves
- ID:CVE-2019-13057
- SUG:NA
- DESC:fix CVE-2019-13057
* Tue Sep 17 2019 openEuler Buildteam <buildteam@openeuler.org> - 2.4.46-9
- Package init
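Review bot: `Patch21: openldap-openssl-allow-ssl3.patch` is declared and applied via `%patch21 -p1` without any comment explaining why; its name suggests it re-enables SSLv3, a protocol deprecated for known weaknesses, so the spec should either drop the patch or carry a one-line comment like `# Patch21: re-enables SSLv3 negotiation for legacy clients; review before each rebase` so the exposure is a documented decision rather than an accident. The `slapd.d` directory is created with `install -m 0700` in `%install` but declared `%attr(0750,ldap,ldap)` in `%files servers`, and `%post` then `chown -R`s it; the `%files` attribute wins at install time, so pick one mode and use it in both places. `%{_sbindir}/sl*` in `%files servers` is broad enough to silently package any future `sl*` binary; listing `%{_sbindir}/slapd` plus the explicit `slap$X` symlinks created in `%install` is safer. The `%triggerun` script relies on `start` being set in both branches of the inner `if`, which it is, but a `start=0` before the `if` would make that obvious.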

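--- a/slapd.ldif
+++ b/slapd.ldif
+#
+# See slapd-config(5) for details on configuration options.
+# This file should NOT be world readable.
+#
+dn: cn=config
+objectClass: olcGlobal
+cn: config
+#
+# TLS settings
+#
+# When no CA certificates are specified the Shared System Certificates
+# are in use. In order to have these available along with the ones specified
+# by oclTLSCACertificatePath one has to include them explicitly:
+#olcTLSCACertificateFile: /etc/pki/tls/cert.pem
+#
+# Private cert and key are not pregenerated.
+#olcTLSCertificateFile:
+#olcTLSCertificateKeyFile:
+#
+# System-wide Crypto Policies provide up to date cipher suite which should
+# be used unless one needs a finer grinded selection of ciphers. Hence, the
+# PROFILE=SYSTEM value represents the default behavior which is in place
+# when no explicit setting is used. (see openssl-ciphers(1) for more info)
+#olcTLSCipherSuite: PROFILE=SYSTEM
+#
+# Do not enable referrals until AFTER you have a working directory
+# service AND an understanding of referrals.
+#
+#olcReferral: ldap://root.openldap.org
+#
+# Sample security restrictions
+# Require integrity protection (prevent hijacking)
+# Require 112-bit (3DES or better) encryption for updates
+# Require 64-bit encryption for simple bind
+#
+#olcSecurity: ssf=1 update_ssf=112 simple_bind=64
+#
+# Load dynamic backend modules:
+# - modulepath is architecture dependent value (32/64-bit system)
+# - back_sql.la backend requires openldap-servers-sql package
+# - dyngroup.la and dynlist.la cannot be used at the same time
+#
+#dn: cn=module,cn=config
+#objectClass: olcModuleList
+#cn: module
+#olcModulepath: /usr/lib/openldap
+#olcModulepath: /usr/lib64/openldap
+#olcModuleload: accesslog.la
+#olcModuleload: auditlog.la
+#olcModuleload: back_dnssrv.la
+#olcModuleload: back_ldap.la
+#olcModuleload: back_mdb.la
+#olcModuleload: back_meta.la
+#olcModuleload: back_null.la
+#olcModuleload: back_passwd.la
+#olcModuleload: back_relay.la
+#olcModuleload: back_shell.la
+#olcModuleload: back_sock.la
+#olcModuleload: collect.la
+#olcModuleload: constraint.la
+#olcModuleload: dds.la
+#olcModuleload: deref.la
+#olcModuleload: dyngroup.la
+#olcModuleload: dynlist.la
+#olcModuleload: memberof.la
+#olcModuleload: pcache.la
+#olcModuleload: ppolicy.la
+#olcModuleload: refint.la
+#olcModuleload: retcode.la
+#olcModuleload: rwm.la
+#olcModuleload: seqmod.la
+#olcModuleload: smbk5pwd.la
+#olcModuleload: sssvlv.la
+#olcModuleload: syncprov.la
+#olcModuleload: translucent.la
+#olcModuleload: unique.la
+#olcModuleload: valsort.la
+#
+# Schema settings
+#
+dn: cn=schema,cn=config
+objectClass: olcSchemaConfig
+cn: schema
+include: file:///etc/openldap/schema/core.ldif
+#
+# Frontend settings
+#
+dn: olcDatabase=frontend,cn=config
+objectClass: olcDatabaseConfig
+olcDatabase: frontend
+#
+# Sample global access control policy:
+# Root DSE: allow anyone to read it
+# Subschema (sub)entry DSE: allow anyone to read it
+# Other DSEs:
+# Allow self write access
+# Allow authenticated users read access
+# Allow anonymous users to authenticate
+#
+#olcAccess: to dn.base="" by * read
+#olcAccess: to dn.base="cn=Subschema" by * read
+#olcAccess: to *
+# by self write
+# by users read
+# by anonymous auth
+#
+# if no access controls are present, the default policy
+# allows anyone and everyone to read anything but restricts
+# updates to rootdn. (e.g., "access to * by * read")
+#
+# rootdn can always read and write EVERYTHING!
+#
+#
+# Configuration database
+#
+dn: olcDatabase=config,cn=config
+objectClass: olcDatabaseConfig
+olcDatabase: config
+olcAccess: to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,c
+n=auth" manage by * none
+#
+# Server status monitoring
+#
+dn: olcDatabase=monitor,cn=config
+objectClass: olcDatabaseConfig
+olcDatabase: monitor
+olcAccess: to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,c
+n=auth" read by dn.base="cn=Manager,dc=my-domain,dc=com" read by * none
+#
+# Backend database definitions
+#
+dn: olcDatabase=mdb,cn=config
+objectClass: olcDatabaseConfig
+objectClass: olcMdbConfig
+olcDatabase: mdb
+olcSuffix: dc=my-domain,dc=com
+olcRootDN: cn=Manager,dc=my-domain,dc=com
+olcDbDirectory: /var/lib/ldap
+olcDbIndex: objectClass eq,pres
+olcDbIndex: ou,cn,mail,surname,givenname eq,pres,sub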
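Review bot: The `olcDatabase=mdb` entry defines `olcSuffix` and `olcRootDN` but carries no `olcAccess`, so the situation the file's own comment warns about applies to the shipped default: with no access controls anyone can read the whole directory, and the commented-out `olcSecurity` line leaves simple binds unprotected as well. Shipping a restrictive placeholder such as `olcAccess: to * by dn.base="cn=Manager,dc=my-domain,dc=com" write by self write by users read by anonymous auth` on the mdb database, or at least a comment beside `olcRootDN` that says an ACL must be added before serving real data, would make the operator choose deliberately rather than inherit the open default. The TLS comment names the attribute as `oclTLSCACertificatePath`, which is a transposition of `olcTLSCACertificatePath` and will send readers to a non-existent attribute; the same paragraph's "finer grinded" should read "finer-grained". Without an `olcRootPW` the rootdn can only bind through another mechanism, which is fine if intended but deserves a one-line comment.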

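--- a/slapd.service
+++ b/slapd.service
+[Unit]
+Description=OpenLDAP Server Daemon
+After=syslog.target network-online.target
+Documentation=man:slapd
+Documentation=man:slapd-config
+Documentation=man:slapd-hdb
+Documentation=man:slapd-mdb
+Documentation=file:///usr/share/doc/openldap-servers/guide.html
+[Service]
+Type=forking
+ExecStartPre=/usr/libexec/openldap/check-config.sh
+ExecStart=/usr/sbin/slapd -u ldap -h "ldap:/// ldaps:/// ldapi:///"
+[Install]
+WantedBy=multi-user.target
+Alias=openldap.service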
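Review bot: `Type=forking` is used without a `PIDFile=`, so systemd has to guess which forked child is the main process and may lose track of the daemon on stop or restart; the accompanying tmpfiles entry reserves the run directory for `slapd.pid`, so `PIDFile=/var/run/openldap/slapd.pid` is the natural addition, provided the configured `olcPidFile` points there (not visible in this commit). The unit carries no sandboxing: `PrivateTmp=yes` and `ProtectHome=yes` are safe for a daemon that only needs its config, `/var/lib/ldap` and its run directory, while `ProtectSystem=full` would need `ReadWritePaths=/etc/openldap/slapd.d` so that cn=config changes can still be written. `After=syslog.target` is obsolete in current systemd and can be dropped; `After=network-online.target` is only honoured together with `Wants=network-online.target`.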

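--- a/slapd.tmpfiles
+++ b/slapd.tmpfiles
@@ -0,0 +1,2 @@
+# openldap runtime directory for slapd.arg and slapd.pid
+d /var/run/openldap 0755 ldap ldap -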
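Review bot: `d /var/run/openldap 0755 ldap ldap -` uses the legacy `/var/run` path, which on systemd systems is a compatibility symlink to `/run`; tmpfiles.d entries conventionally name the canonical location, `d /run/openldap 0755 ldap ldap -`, and the spec's `%{_localstatedir}/run/openldap` entry should then be kept in step. Since the directory is only needed while slapd runs, `RuntimeDirectory=openldap` in the unit's `[Service]` section would create it with the service's ownership and make this file unnecessary, though that is a design choice rather than a defect.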