update openldap to 2.6.0

eaglegai 2021-12-21 14:35:47 +08:00
parent 853474c1ba
commit 658dc294d7
51 changed files with 51 additions and 26959 deletions


@ -1,29 +0,0 @@
Do not check CN when checking SAN failed
This is to make it compliant with RFC 6125:
https://tools.ietf.org/html/rfc6125#section-6.4.4
Author: Matus Honek <mhonek@redhat.com>
diff --git a/libraries/libldap/tls_o.c b/libraries/libldap/tls_o.c
index 92c708be0..46b48a3fb 100644
--- a/libraries/libldap/tls_o.c
+++ b/libraries/libldap/tls_o.c
@@ -675,11 +675,16 @@ tlso_session_chkhost( LDAP *ld, tls_session *sess, const char *name_in )
GENERAL_NAMES_free(alt);
if (i < n) { /* Found a match */
ret = LDAP_SUCCESS;
+ } else { /* None matched */
+ Debug( LDAP_DEBUG_ANY, "TLS: hostname (%s) does not match any "
+ "SAN in certificate.\n",
+ name, NULL, NULL );
+ ret = LDAP_CONNECT_ERROR;
}
}
}
- if (ret != LDAP_SUCCESS) {
+ if (ret == LDAP_LOCAL_ERROR) {
X509_NAME *xn;
X509_NAME_ENTRY *ne;
ASN1_OBJECT *obj;


@ -1,29 +0,0 @@
From 4c774220a752bf8e3284984890dc0931fe73165d Mon Sep 17 00:00:00 2001
From: Howard Chu <hyc@openldap.org>
Date: Mon, 19 Oct 2020 14:03:41 +0100
Subject: [PATCH] ITS#9370 check for equality rule on old_rdn
Just skip normalization if there's no equality rule. We accept
DNs without equality rules already.
Signed-off-by: guoxiaoqi <guoxiaoqi2@huawei.com>
---
servers/slapd/modrdn.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/servers/slapd/modrdn.c b/servers/slapd/modrdn.c
index c73dd8d..a229755 100644
--- a/servers/slapd/modrdn.c
+++ b/servers/slapd/modrdn.c
@@ -505,7 +505,7 @@ slap_modrdn2mods(
mod_tmp->sml_values = ( BerVarray )ch_malloc( 2 * sizeof( struct berval ) );
ber_dupbv( &mod_tmp->sml_values[0], &old_rdn[d_cnt]->la_value );
mod_tmp->sml_values[1].bv_val = NULL;
- if( desc->ad_type->sat_equality->smr_normalize) {
+ if( desc->ad_type->sat_equality && desc->ad_type->sat_equality->smr_normalize) {
mod_tmp->sml_nvalues = ( BerVarray )ch_malloc( 2 * sizeof( struct berval ) );
(void) (*desc->ad_type->sat_equality->smr_normalize)(
SLAP_MR_EQUALITY|SLAP_MR_VALUE_OF_ASSERTION_SYNTAX,
--
1.8.3.1


@ -1,25 +0,0 @@
From 67670f4544e28fb09eb7319c39f404e1d3229e65 Mon Sep 17 00:00:00 2001
From: Howard Chu <hyc@openldap.org>
Date: Mon, 2 Nov 2020 13:12:10 +0000
Subject: [PATCH] ITS#9383 remove assert in certificateListValidate
---
servers/slapd/schema_init.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/servers/slapd/schema_init.c b/servers/slapd/schema_init.c
index ea0d67aa62..28f9e71a16 100644
--- a/servers/slapd/schema_init.c
+++ b/servers/slapd/schema_init.c
@@ -371,8 +371,7 @@ certificateListValidate( Syntax *syntax, struct berval *in )
/* Optional version */
if ( tag == LBER_INTEGER ) {
tag = ber_get_int( ber, &version );
- assert( tag == LBER_INTEGER );
- if ( version != SLAP_X509_V2 ) return LDAP_INVALID_SYNTAX;
+ if ( tag != LBER_INTEGER || version != SLAP_X509_V2 ) return LDAP_INVALID_SYNTAX;
}
tag = ber_skip_tag( ber, &len ); /* Signature Algorithm */
if ( tag != LBER_SEQUENCE ) return LDAP_INVALID_SYNTAX;
--
GitLab


@ -1,26 +0,0 @@
From bdb0d459187522a6063df13871b82ba8dcc6efe2 Mon Sep 17 00:00:00 2001
From: Howard Chu <hyc@openldap.org>
Date: Mon, 2 Nov 2020 16:01:14 +0000
Subject: [PATCH] ITS#9384 remove assert in obsolete csnNormalize23()
---
servers/slapd/schema_init.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/servers/slapd/schema_init.c b/servers/slapd/schema_init.c
index 5812bc4b66..ea0d67aa62 100644
--- a/servers/slapd/schema_init.c
+++ b/servers/slapd/schema_init.c
@@ -5327,8 +5327,8 @@ csnNormalize23(
}
*ptr = '\0';
- assert( ptr == &bv.bv_val[bv.bv_len] );
- if ( csnValidate( syntax, &bv ) != LDAP_SUCCESS ) {
+ if ( ptr != &bv.bv_val[bv.bv_len] ||
+ csnValidate( syntax, &bv ) != LDAP_SUCCESS ) {
return LDAP_INVALID_SYNTAX;
}
--
GitLab


@ -1,58 +0,0 @@
From 38ac838e4150c626bbfa0082b7e2cf3a2bb4df31 Mon Sep 17 00:00:00 2001
From: Howard Chu <hyc@openldap.org>
Date: Mon, 23 Nov 2020 17:14:00 +0000
Subject: [PATCH] ITS#9404 fix serialNumberAndIssuerCheck
Tighten validity checks
---
servers/slapd/schema_init.c | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/servers/slapd/schema_init.c b/servers/slapd/schema_init.c
index 834f54593..5b577607d 100644
--- a/servers/slapd/schema_init.c
+++ b/servers/slapd/schema_init.c
@@ -3193,7 +3193,7 @@ serialNumberAndIssuerCheck(
if( in->bv_len < 3 ) return LDAP_INVALID_SYNTAX;
- if( in->bv_val[0] != '{' && in->bv_val[in->bv_len-1] != '}' ) {
+ if( in->bv_val[0] != '{' || in->bv_val[in->bv_len-1] != '}' ) {
/* Parse old format */
is->bv_val = ber_bvchr( in, '$' );
if( BER_BVISNULL( is ) ) return LDAP_INVALID_SYNTAX;
@@ -3224,7 +3224,7 @@ serialNumberAndIssuerCheck(
HAVE_ALL = ( HAVE_ISSUER | HAVE_SN )
} have = HAVE_NONE;
- int numdquotes = 0;
+ int numdquotes = 0, gotquote;
struct berval x = *in;
struct berval ni;
x.bv_val++;
@@ -3266,11 +3266,12 @@ serialNumberAndIssuerCheck(
is->bv_val = x.bv_val;
is->bv_len = 0;
- for ( ; is->bv_len < x.bv_len; ) {
+ for ( gotquote=0; is->bv_len < x.bv_len; ) {
if ( is->bv_val[is->bv_len] != '"' ) {
is->bv_len++;
continue;
}
+ gotquote = 1;
if ( is->bv_val[is->bv_len+1] == '"' ) {
/* double dquote */
numdquotes++;
@@ -3279,6 +3280,8 @@ serialNumberAndIssuerCheck(
}
break;
}
+ if ( !gotquote ) return LDAP_INVALID_SYNTAX;
+
x.bv_val += is->bv_len + 1;
x.bv_len -= is->bv_len + 1;
--
GitLab


@ -1,25 +0,0 @@
From 58c1748e81c843c5b6e61648d2a4d1d82b47e842 Mon Sep 17 00:00:00 2001
From: Howard Chu <hyc@openldap.org>
Date: Mon, 14 Dec 2020 19:03:27 +0000
Subject: [PATCH] ITS#9424 fix serialNumberAndIssuerSerialCheck
---
servers/slapd/schema_init.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/servers/slapd/schema_init.c b/servers/slapd/schema_init.c
index d697fa108..e035c1a6a 100644
--- a/servers/slapd/schema_init.c
+++ b/servers/slapd/schema_init.c
@@ -4302,7 +4302,7 @@ serialNumberAndIssuerSerialCheck(
if ( in->bv_len < 3 ) return LDAP_INVALID_SYNTAX;
/* no old format */
- if ( in->bv_val[0] != '{' && in->bv_val[in->bv_len-1] != '}' ) return LDAP_INVALID_SYNTAX;
+ if ( in->bv_val[0] != '{' || in->bv_val[in->bv_len-1] != '}' ) return LDAP_INVALID_SYNTAX;
x.bv_val++;
x.bv_len -= 2;
--
GitLab


@ -1,33 +0,0 @@
From 02dfc32d658fadc25e4040f78e36592f6e1e1ca0 Mon Sep 17 00:00:00 2001
From: Howard Chu <hyc@openldap.org>
Date: Fri, 27 Nov 2020 14:48:26 +0000
Subject: [PATCH] ITS#9406 fix debug msg
---
servers/slapd/saslauthz.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/servers/slapd/saslauthz.c b/servers/slapd/saslauthz.c
index 2e59eb559..982fe3120 100644
--- a/servers/slapd/saslauthz.c
+++ b/servers/slapd/saslauthz.c
@@ -488,6 +488,7 @@ authzPrettyNormal(
assert( val != NULL );
assert( !BER_BVISNULL( val ) );
+ BER_BVZERO( normalized );
/*
* 2) dn[.{exact|children|subtree|onelevel}]:{*|<DN>}
@@ -906,7 +907,7 @@ authzPretty(
rc = authzPrettyNormal( val, out, ctx, 0 );
Debug( LDAP_DEBUG_TRACE, "<<< authzPretty: <%s> (%d)\n",
- out->bv_val, rc, 0 );
+ out->bv_val ? out->bv_val : "(null)" , rc, 0 );
return rc;
}
--
GitLab


@ -1,69 +0,0 @@
From 6ed057b5b728b50746c869bcc9c1f85d0bbbf6ed Mon Sep 17 00:00:00 2001
From: Howard Chu <hyc@openldap.org>
Date: Fri, 27 Nov 2020 14:37:10 +0000
Subject: [PATCH] ITS#9406, #9407 remove saslauthz asserts
---
servers/slapd/saslauthz.c | 19 +++++++++++++------
1 file changed, 13 insertions(+), 6 deletions(-)
diff --git a/servers/slapd/saslauthz.c b/servers/slapd/saslauthz.c
index e05f3f9cf..2e59eb559 100644
--- a/servers/slapd/saslauthz.c
+++ b/servers/slapd/saslauthz.c
@@ -180,14 +180,16 @@ int slap_parse_user( struct berval *id, struct berval *user,
}
if ( !BER_BVISNULL( mech ) ) {
- assert( mech->bv_val == id->bv_val + 2 );
+ if ( mech->bv_val != id->bv_val + 2 )
+ return LDAP_PROTOCOL_ERROR;
AC_MEMCPY( mech->bv_val - 2, mech->bv_val, mech->bv_len + 1 );
mech->bv_val -= 2;
}
if ( !BER_BVISNULL( realm ) ) {
- assert( realm->bv_val >= id->bv_val + 2 );
+ if ( realm->bv_val < id->bv_val + 2 )
+ return LDAP_PROTOCOL_ERROR;
AC_MEMCPY( realm->bv_val - 2, realm->bv_val, realm->bv_len + 1 );
realm->bv_val -= 2;
@@ -449,9 +451,12 @@ is_dn: bv.bv_len = in->bv_len - ( bv.bv_val - in->bv_val );
}
/* Grab the searchbase */
- assert( ludp->lud_dn != NULL );
- ber_str2bv( ludp->lud_dn, 0, 0, &bv );
- rc = dnValidate( NULL, &bv );
+ if ( ludp->lud_dn != NULL ) {
+ ber_str2bv( ludp->lud_dn, 0, 0, &bv );
+ rc = dnValidate( NULL, &bv );
+ } else {
+ rc = LDAP_INVALID_SYNTAX;
+ }
done:
ldap_free_urldesc( ludp );
@@ -813,7 +818,6 @@ is_dn: bv.bv_len = val->bv_len - ( bv.bv_val - val->bv_val );
}
/* Grab the searchbase */
- assert( ludp->lud_dn != NULL );
if ( ludp->lud_dn ) {
struct berval out = BER_BVNULL;
@@ -831,6 +835,9 @@ is_dn: bv.bv_len = val->bv_len - ( bv.bv_val - val->bv_val );
}
ludp->lud_dn = out.bv_val;
+ } else {
+ rc = LDAP_INVALID_SYNTAX;
+ goto done;
}
ludp->lud_port = 0;
--
GitLab


@ -1,28 +0,0 @@
From 21981053a1195ae1555e23df4d9ac68d34ede9dd Mon Sep 17 00:00:00 2001
From: Howard Chu <hyc@openldap.org>
Date: Sat, 28 Nov 2020 15:54:17 +0000
Subject: [PATCH] ITS#9408 fix vrfilter double-free
---
servers/slapd/controls.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/servers/slapd/controls.c b/servers/slapd/controls.c
index 345531940..28fa64eb0 100644
--- a/servers/slapd/controls.c
+++ b/servers/slapd/controls.c
@@ -1578,7 +1578,10 @@ static int parseValuesReturnFilter (
} else {
send_ldap_result( op, rs );
}
- if( op->o_vrFilter != NULL) vrFilter_free( op, op->o_vrFilter );
+ if( op->o_vrFilter != NULL) {
+ vrFilter_free( op, op->o_vrFilter );
+ op->o_vrFilter = NULL;
+ }
}
#ifdef LDAP_DEBUG
else {
--
GitLab


@ -1,25 +0,0 @@
From c0b61a9486508e5202aa2e0cfb68c9813731b439 Mon Sep 17 00:00:00 2001
From: Howard Chu <hyc@openldap.org>
Date: Mon, 30 Nov 2020 11:45:46 +0000
Subject: [PATCH] ITS#9409 saslauthz: use ch_free on normalized DN
---
servers/slapd/saslauthz.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/servers/slapd/saslauthz.c b/servers/slapd/saslauthz.c
index 982fe3120..cc5a292de 100644
--- a/servers/slapd/saslauthz.c
+++ b/servers/slapd/saslauthz.c
@@ -860,7 +860,7 @@ done:
if ( lud_dn ) {
if ( ludp->lud_dn != lud_dn ) {
- ber_memfree( ludp->lud_dn );
+ ch_free( ludp->lud_dn );
}
ludp->lud_dn = lud_dn;
}
--
GitLab


@ -1,25 +0,0 @@
From 554dff1927176579d652f2fe60c90e9abbad4c65 Mon Sep 17 00:00:00 2001
From: Howard Chu <hyc@openldap.org>
Date: Mon, 30 Nov 2020 16:20:18 +0000
Subject: [PATCH] ITS#9409 saslauthz: use slap_sl_free in prev commit
---
servers/slapd/saslauthz.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/servers/slapd/saslauthz.c b/servers/slapd/saslauthz.c
index cc5a292de..4a9420b37 100644
--- a/servers/slapd/saslauthz.c
+++ b/servers/slapd/saslauthz.c
@@ -860,7 +860,7 @@ done:
if ( lud_dn ) {
if ( ludp->lud_dn != lud_dn ) {
- ch_free( ludp->lud_dn );
+ slap_sl_free( ludp->lud_dn, ctx );
}
ludp->lud_dn = lud_dn;
}
--
GitLab


@ -1,42 +0,0 @@
From 5a2017d4e61a6ddc4dcb4415028e0d08eb6bca26 Mon Sep 17 00:00:00 2001
From: Howard Chu <hyc@openldap.org>
Date: Tue, 1 Dec 2020 18:32:35 +0000
Subject: [PATCH] ITS#9412 fix AVA_Sort on invalid RDN
---
servers/slapd/dn.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/servers/slapd/dn.c b/servers/slapd/dn.c
index 06698b089..7a095ba9e 100644
--- a/servers/slapd/dn.c
+++ b/servers/slapd/dn.c
@@ -233,6 +233,7 @@ AVA_Sort( LDAPRDN rdn, int nAVAs )
{
LDAPAVA *ava_i;
int i;
+ int rc = LDAP_SUCCESS;
assert( rdn != NULL );
@@ -250,7 +251,7 @@ AVA_Sort( LDAPRDN rdn, int nAVAs )
/* RFC4512 does not allow multiple AVAs
* with the same attribute type in RDN (ITS#5968) */
if ( a == 0 )
- return LDAP_INVALID_DN_SYNTAX;
+ rc = LDAP_INVALID_DN_SYNTAX;
if ( a > 0 )
break;
@@ -259,7 +260,7 @@ AVA_Sort( LDAPRDN rdn, int nAVAs )
}
rdn[ j+1 ] = ava_i;
}
- return LDAP_SUCCESS;
+ return rc;
}
static int
--
GitLab


@ -1,38 +0,0 @@
From d169e7958a3e0dc70f59c8374bf8a59833b7bdd8 Mon Sep 17 00:00:00 2001
From: Howard Chu <hyc@openldap.org>
Date: Tue, 1 Dec 2020 19:03:24 +0000
Subject: [PATCH] ITS#9413 fix slap_parse_user
---
servers/slapd/saslauthz.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/servers/slapd/saslauthz.c b/servers/slapd/saslauthz.c
index 4a9420b37..b17f34a21 100644
--- a/servers/slapd/saslauthz.c
+++ b/servers/slapd/saslauthz.c
@@ -156,10 +156,9 @@ int slap_parse_user( struct berval *id, struct berval *user,
user->bv_val++;
user->bv_len = id->bv_len - ( user->bv_val - id->bv_val );
- mech->bv_val = ber_bvchr( id, '.' );
- if ( !BER_BVISNULL( mech ) ) {
- mech->bv_val[ 0 ] = '\0';
- mech->bv_val++;
+ if ( id->bv_val[1] == '.' ) {
+ id->bv_val[1] = '\0';
+ mech->bv_val = id->bv_val + 2;
mech->bv_len = user->bv_val - mech->bv_val - 1;
realm->bv_val = ber_bvchr( mech, '/' );
@@ -172,6 +171,7 @@ int slap_parse_user( struct berval *id, struct berval *user,
}
} else {
+ BER_BVZERO( mech );
BER_BVZERO( realm );
}
--
GitLab


@ -1,28 +0,0 @@
From 9d0e8485f3113505743baabf1167e01e4558ccf5 Mon Sep 17 00:00:00 2001
From: Howard Chu <hyc@openldap.org>
Date: Sun, 20 Dec 2020 21:31:15 +0000
Subject: [PATCH] ITS#9428 fix cancel exop
---
servers/slapd/cancel.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/servers/slapd/cancel.c b/servers/slapd/cancel.c
index 206031290..b972b18fc 100644
--- a/servers/slapd/cancel.c
+++ b/servers/slapd/cancel.c
@@ -65,6 +65,11 @@ int cancel_extop( Operation *op, SlapReply *rs )
return LDAP_PROTOCOL_ERROR;
}
+ if ( opid == op->o_msgid ) {
+ op->o_cancel = SLAP_CANCEL_DONE;
+ return LDAP_SUCCESS;
+ }
+
ldap_pvt_thread_mutex_lock( &op->o_conn->c_mutex );
if ( op->o_abandon ) {
--
GitLab


@ -1,25 +0,0 @@
From 91dccd25c347733b365adc74cb07d074512ed5ad Mon Sep 17 00:00:00 2001
From: Howard Chu <hyc@openldap.org>
Date: Wed, 16 Dec 2020 18:52:42 +0000
Subject: [PATCH] ITS#9427 fix issuerAndThisUpdateCheck
---
servers/slapd/schema_init.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/servers/slapd/schema_init.c b/servers/slapd/schema_init.c
index e035c1a6a..cc7c81693 100644
--- a/servers/slapd/schema_init.c
+++ b/servers/slapd/schema_init.c
@@ -3809,7 +3809,7 @@ issuerAndThisUpdateCheck(
if ( in->bv_len < STRLENOF( "{issuer \"\",thisUpdate \"YYMMDDhhmmssZ\"}" ) ) return LDAP_INVALID_SYNTAX;
- if ( in->bv_val[0] != '{' && in->bv_val[in->bv_len-1] != '}' ) {
+ if ( in->bv_val[0] != '{' || in->bv_val[in->bv_len-1] != '}' ) {
return LDAP_INVALID_SYNTAX;
}
--
GitLab


@ -1,45 +0,0 @@
From 4bdfffd2889c0c5cdf58bebafbdc8fce4bb2bff0 Mon Sep 17 00:00:00 2001
From: Howard Chu <hyc@openldap.org>
Date: Mon, 14 Dec 2020 20:05:44 +0000
Subject: [PATCH] ITS#9425 add more checks to ldap_X509dn2bv
---
libraries/libldap/tls2.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/libraries/libldap/tls2.c b/libraries/libldap/tls2.c
index e0c82fa9f..193d20fdf 100644
--- a/libraries/libldap/tls2.c
+++ b/libraries/libldap/tls2.c
@@ -1248,6 +1248,8 @@ ldap_X509dn2bv( void *x509_name, struct berval *bv, LDAPDN_rewrite_func *func,
for ( tag = ber_first_element( ber, &len, &rdn_end );
tag == LBER_SEQUENCE;
tag = ber_next_element( ber, &len, rdn_end )) {
+ if ( rdn_end > dn_end )
+ return LDAP_DECODING_ERROR;
tag = ber_skip_tag( ber, &len );
ber_skip_data( ber, len );
navas++;
@@ -1257,7 +1259,7 @@ ldap_X509dn2bv( void *x509_name, struct berval *bv, LDAPDN_rewrite_func *func,
/* Rewind and prepare to extract */
ber_rewind( ber );
tag = ber_first_element( ber, &len, &dn_end );
- if ( tag == LBER_DEFAULT )
+ if ( tag != LBER_SET )
return LDAP_DECODING_ERROR;
/* Allocate the DN/RDN/AVA stuff as a single block */
@@ -1370,6 +1372,10 @@ allocd:
/* X.690 bitString value converted to RFC4517 Bit String */
rc = der_to_ldap_BitString( &Val, &newAVA->la_value );
goto allocd;
+ case LBER_DEFAULT:
+ /* decode error */
+ rc = LDAP_DECODING_ERROR;
+ goto nomem;
default:
/* Not a string type at all */
newAVA->la_flags = 0;
--
GitLab


@ -1,48 +0,0 @@
From 8c1d96ee36ed98b32cd0e28b7069c7b8ea09d793 Mon Sep 17 00:00:00 2001
From: Howard Chu <hyc@openldap.org>
Date: Sun, 13 Dec 2020 21:48:45 +0000
Subject: [PATCH] ITS#9423 ldap_X509dn2bv: check for invalid BER after RDN
count
---
libraries/libldap/tls2.c | 12 +++++++-----
1 file changed, 7 insertions(+), 5 deletions(-)
diff --git a/libraries/libldap/tls2.c b/libraries/libldap/tls2.c
index ca5a44ab0..e0c82fa9f 100644
--- a/libraries/libldap/tls2.c
+++ b/libraries/libldap/tls2.c
@@ -1254,6 +1254,12 @@ ldap_X509dn2bv( void *x509_name, struct berval *bv, LDAPDN_rewrite_func *func,
}
}
+ /* Rewind and prepare to extract */
+ ber_rewind( ber );
+ tag = ber_first_element( ber, &len, &dn_end );
+ if ( tag == LBER_DEFAULT )
+ return LDAP_DECODING_ERROR;
+
/* Allocate the DN/RDN/AVA stuff as a single block */
dnsize = sizeof(LDAPRDN) * (nrdns+1);
dnsize += sizeof(LDAPAVA *) * (navas+nrdns);
@@ -1265,16 +1271,12 @@ ldap_X509dn2bv( void *x509_name, struct berval *bv, LDAPDN_rewrite_func *func,
} else {
newDN = (LDAPDN)(char *)ptrs;
}
-
+
newDN[nrdns] = NULL;
newRDN = (LDAPRDN)(newDN + nrdns+1);
newAVA = (LDAPAVA *)(newRDN + navas + nrdns);
baseAVA = newAVA;
- /* Rewind and start extracting */
- ber_rewind( ber );
-
- tag = ber_first_element( ber, &len, &dn_end );
for ( i = nrdns - 1; i >= 0; i-- ) {
newDN[i] = newRDN;
--
GitLab


@ -1,28 +0,0 @@
From 3539fc33212b528c56b716584f2c2994af7c30b0 Mon Sep 17 00:00:00 2001
From: Howard Chu <hyc@openldap.org>
Date: Sat, 6 Feb 2021 20:52:06 +0000
Subject: [PATCH] ITS#9454 fix issuerAndThisUpdateCheck
Reference:https://git.openldap.org/openldap/openldap/-/commit/3539fc33212b528c56b716584f2c2994af7c30b0
---
servers/slapd/schema_init.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/servers/slapd/schema_init.c b/servers/slapd/schema_init.c
index 466899625..914df70eb 100644
--- a/servers/slapd/schema_init.c
+++ b/servers/slapd/schema_init.c
@@ -3975,6 +3975,8 @@ issuerAndThisUpdateCheck(
break;
}
}
+ if ( tu->bv_len < STRLENOF("YYYYmmddHHmmssZ") ) return LDAP_INVALID_SYNTAX;
+
x.bv_val += tu->bv_len + 1;
x.bv_len -= tu->bv_len + 1;
--
GitLab


@ -1,15 +0,0 @@
diff --git a/servers/slapd/daemon.c b/servers/slapd/daemon.c
index a3e8713..329ed6d 100644
--- a/servers/slapd/daemon.c
+++ b/servers/slapd/daemon.c
@@ -438,8 +438,8 @@ static slap_daemon_st slap_daemon[SLAPD_MAX_DAEMON_THREADS];
# define SLAP_EVENT_IS_READ(i) SLAP_DEVPOLL_EVENT_CHK((i), POLLIN)
# define SLAP_EVENT_IS_WRITE(i) SLAP_DEVPOLL_EVENT_CHK((i), POLLOUT)
-# define SLAP_EVENT_IS_LISTENER(t,i) SLAP_DEVPOLL_EV_LISTENER(SLAP_DEVPOLL_SOCK_LX(SLAP_EVENT_FD(t,(i))))
-# define SLAP_EVENT_LISTENER(t,i) SLAP_DEVPOLL_SOCK_LX(SLAP_EVENT_FD(t,(i)))
+# define SLAP_EVENT_IS_LISTENER(t,i) SLAP_DEVPOLL_EV_LISTENER(SLAP_DEVPOLL_SOCK_LX(t, SLAP_EVENT_FD(t,(i))))
+# define SLAP_EVENT_LISTENER(t,i) SLAP_DEVPOLL_SOCK_LX(t, SLAP_EVENT_FD(t,(i)))
# define SLAP_SOCK_INIT(t) do { \
slap_daemon[t].sd_pollfd = ch_calloc( 1, \


@ -1,13 +0,0 @@
diff --git a/servers/slapd/bconfig.c b/servers/slapd/bconfig.c
index 250f141..5aabcef 100644
--- a/servers/slapd/bconfig.c
+++ b/servers/slapd/bconfig.c
@@ -4313,6 +4313,8 @@ config_find_table( ConfigOCs **colst, int nocs, AttributeDescription *ad,
ConfigArgs *ca )
{
int i, j;
+ if (ad->ad_flags & SLAP_DESC_BINARY)
+ ad = ad->ad_type->sat_ad;
for (j=0; j<nocs; j++) {
for (i=0; colst[j]->co_table[i].name; i++)


@ -0,0 +1,23 @@
From b39ae98eb55281422a391bade3bf648ce6180621 Mon Sep 17 00:00:00 2001
From: eaglegai <gaihuiying1@huawei.com>
Date: Fri, 17 Dec 2021 17:39:03 +0800
Subject: [PATCH] add ber_sockbuf_io_udp to liber.map
---
libraries/liblber/lber.map | 1 +
1 file changed, 1 insertion(+)
diff --git a/libraries/liblber/lber.map b/libraries/liblber/lber.map
index 9a4094b..083cd1f 100644
--- a/libraries/liblber/lber.map
+++ b/libraries/liblber/lber.map
@@ -121,6 +121,7 @@ OPENLDAP_2.200
ber_sockbuf_io_fd;
ber_sockbuf_io_readahead;
ber_sockbuf_io_tcp;
+ ber_sockbuf_io_udp;
ber_sockbuf_remove_io;
ber_sos_dump;
ber_start;
--
2.30.0
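Review bot: The new export `ber_sockbuf_io_udp;` is placed inside the existing `OPENLDAP_2.200` version node (hunk header `@@ -121,6 +121,7 @@ OPENLDAP_2.200`), so a liblber built with this patch advertises `ber_sockbuf_io_udp@OPENLDAP_2.200` while an unpatched 2.6.0 liblber carries the same node without that symbol, and a consumer linked against the patched library fails to load against the unpatched one with a version-node name that does not explain the difference. If the project's map-file convention permits it, a newer node for the added symbol would make the ABI change visible; if the intent is only to match what upstream 2.6.0 already exports, a sentence in the patch description saying so would save the next reviewer the same question. The map also lists the symbol unconditionally, and as far as I recall `ber_sockbuf_io_udp` is only compiled in when connectionless LDAP support is enabled, so it is worth confirming the build actually defines it — a name in the version script that no object provides is typically ignored by the linker rather than reported.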


@ -1,71 +0,0 @@
From 70f87370f99e78ac3874501bfe5124dbb86185a8 Mon Sep 17 00:00:00 2001
From: zhangqiumiao <zhangqiumiao1@huawei.com>
Date: Fri, 25 Sep 2020 21:56:43 +0800
Subject: [PATCH] backport Fix test suite
---
tests/data/monitor2.out | 3 ---
tests/scripts/test052-memberof | 2 +-
tests/scripts/test056-monitor | 11 ++---------
3 files changed, 3 insertions(+), 13 deletions(-)
diff --git a/tests/data/monitor2.out b/tests/data/monitor2.out
index 26e9ce9..20209d1 100644
--- a/tests/data/monitor2.out
+++ b/tests/data/monitor2.out
@@ -10,9 +10,6 @@ structuralObjectClass: monitoredObject
monitorIsShadow: FALSE
namingContexts: o=OpenLDAP Project,l=Internet
readOnly: FALSE
-olmBDBEntryCache: 0
-olmBDBDNCache: 0
-olmBDBIDLCache: 0
entryDN: cn=Database 1,cn=Databases,cn=Monitor
dn: cn=Database 2,cn=Databases,cn=Monitor
diff --git a/tests/scripts/test052-memberof b/tests/scripts/test052-memberof
index a73a929..1dba946 100755
--- a/tests/scripts/test052-memberof
+++ b/tests/scripts/test052-memberof
@@ -72,7 +72,7 @@ EOF
fi
fi
-indexInclude="" mainInclude="" " nullExclude=""
+indexInclude="" mainInclude="" nullExclude=""
test $INDEXDB = indexdb || indexInclude="# "
test $MAINDB = maindb || mainInclude="# "
case $BACKEND in
diff --git a/tests/scripts/test056-monitor b/tests/scripts/test056-monitor
index 7a87eaa..0e1ba20 100755
--- a/tests/scripts/test056-monitor
+++ b/tests/scripts/test056-monitor
@@ -85,7 +85,7 @@ echo "Using ldapsearch to read database monitor entries..."
$LDAPSEARCH -S "" -b "$DATABASESMONITORDN" -h $LOCALHOST -p $PORT1 \
'objectclass=*' \
structuralObjectClass entryDN namingContexts readOnly \
- monitorIsShadow monitorContext
+ monitorIsShadow monitorContext \
> $SEARCHOUT 2>&1
RC=$?
@@ -98,15 +98,8 @@ fi
echo "Filtering ldapsearch results..."
$LDIFFILTER -b monitor < $SEARCHOUT > $SEARCHFLT
-TMPMONITOROUT2=$MONITOROUT2
-case $BACKEND in
-*)
- TMPMONITOROUT2=$TESTDIR/monitor2.out
- ;;
-esac
-
echo "Comparing filter output..."
-$CMP $SEARCHFLT $TMPMONITOROUT2 > $CMPOUT
+$CMP $SEARCHFLT $MONITOROUT2 > $CMPOUT
if test $? != 0 ; then
echo "comparison failed - database monitor output is not correct"
--
2.19.1


@ -1,406 +0,0 @@
From ac37a67536d37ae059ed120f00b540429be6b4e0 Mon Sep 17 00:00:00 2001
From: zhangqiumiao <zhangqiumiao1@huawei.com>
Date: Sun, 27 Sep 2020 15:01:05 +0800
Subject: [PATCH] backport ITS#9010 More BDB/HDB cleanup
---
doc/guide/admin/aspell.en.pws | 7 -
tests/data/regressions/its4337/config.out | 129 ------------------
tests/data/regressions/its4337/its4337 | 157 ----------------------
tests/data/regressions/its4337/slapd.conf | 36 -----
4 files changed, 329 deletions(-)
delete mode 100644 tests/data/regressions/its4337/config.out
delete mode 100755 tests/data/regressions/its4337/its4337
delete mode 100644 tests/data/regressions/its4337/slapd.conf
diff --git a/doc/guide/admin/aspell.en.pws b/doc/guide/admin/aspell.en.pws
index ae777e2..ec24572 100644
--- a/doc/guide/admin/aspell.en.pws
+++ b/doc/guide/admin/aspell.en.pws
@@ -220,8 +220,6 @@ AVAs
associatedDomain
organizationalRole
initgroups
-olcDbCachesize
-olcDbCacheSize
ETCDIR
colaligns
olcReadOnly
@@ -426,10 +424,8 @@ txt
UTR
XER
roomNumber
-olcDbIDLcacheSize
namespace
LDAPControl
-dbconfig
olcAttributeOptions
dsaparam
searchResult
@@ -965,7 +961,6 @@ unwillingToPerform
PhotoURI
MyCompany
mkdep
-idlcachesize
irresponsive
PasswordModify
readOnly
@@ -1183,7 +1178,6 @@ monitorRuntimeConfig
olcAuditlogFile
namingContexts
referralAttrDN
-idlecachesize
moddn
calloc
LDFLAGS
@@ -1375,7 +1369,6 @@ spasswd
sprintf
monitorCounterObject
Instanstantiation
-olcDbConfig
olcLastMod
vals
param
diff --git a/tests/data/regressions/its4337/config.out b/tests/data/regressions/its4337/config.out
deleted file mode 100644
index bdcbbe5..0000000
--- a/tests/data/regressions/its4337/config.out
+++ /dev/null
@@ -1,129 +0,0 @@
-# Searching databases __before__ append...
-dn: olcDatabase={-1}frontend,cn=config
-objectClass: olcDatabaseConfig
-objectClass: olcFrontendConfig
-olcDatabase: {-1}frontend
-olcAddContentAcl: FALSE
-olcLastMod: TRUE
-olcMaxDerefDepth: 0
-olcReadOnly: FALSE
-olcSchemaDN: cn=Subschema
-olcSyncUseSubentry: FALSE
-olcMonitoring: FALSE
-
-dn: olcDatabase={0}config,cn=config
-objectClass: olcDatabaseConfig
-olcDatabase: {0}config
-olcAccess: {0}to * by * none
-olcAddContentAcl: TRUE
-olcLastMod: TRUE
-olcMaxDerefDepth: 15
-olcReadOnly: FALSE
-olcRootDN: cn=config
-olcRootPW: config
-olcSyncUseSubentry: FALSE
-olcMonitoring: FALSE
-
-dn: olcDatabase={1}monitor,cn=config
-objectClass: olcDatabaseConfig
-olcDatabase: {1}monitor
-olcAddContentAcl: FALSE
-olcLastMod: TRUE
-olcMaxDerefDepth: 15
-olcReadOnly: FALSE
-olcSyncUseSubentry: FALSE
-olcMonitoring: FALSE
-
-# Searching databases __after__ append...
-dn: olcDatabase={-1}frontend,cn=config
-objectClass: olcDatabaseConfig
-objectClass: olcFrontendConfig
-olcDatabase: {-1}frontend
-olcAddContentAcl: FALSE
-olcLastMod: TRUE
-olcMaxDerefDepth: 0
-olcReadOnly: FALSE
-olcSchemaDN: cn=Subschema
-olcSyncUseSubentry: FALSE
-olcMonitoring: FALSE
-
-dn: olcDatabase={0}config,cn=config
-objectClass: olcDatabaseConfig
-olcDatabase: {0}config
-olcAccess: {0}to * by * none
-olcAddContentAcl: TRUE
-olcLastMod: TRUE
-olcMaxDerefDepth: 15
-olcReadOnly: FALSE
-olcRootDN: cn=config
-olcRootPW: config
-olcSyncUseSubentry: FALSE
-olcMonitoring: FALSE
-
-dn: olcDatabase={1}monitor,cn=config
-objectClass: olcDatabaseConfig
-olcDatabase: {1}monitor
-olcAddContentAcl: FALSE
-olcLastMod: TRUE
-olcMaxDerefDepth: 15
-olcReadOnly: FALSE
-olcSyncUseSubentry: FALSE
-olcMonitoring: FALSE
-
-dn: olcDatabase={2}bdb,cn=config
-objectClass: olcDatabaseConfig
-objectClass: olcBdbConfig
-olcDatabase: {2}bdb
-olcDbDirectory: ./testrun/db.1.a
-olcSuffix: dc=com
-
-# Searching databases __after__ insert...
-dn: olcDatabase={-1}frontend,cn=config
-objectClass: olcDatabaseConfig
-objectClass: olcFrontendConfig
-olcDatabase: {-1}frontend
-olcAddContentAcl: FALSE
-olcLastMod: TRUE
-olcMaxDerefDepth: 0
-olcReadOnly: FALSE
-olcSchemaDN: cn=Subschema
-olcSyncUseSubentry: FALSE
-olcMonitoring: FALSE
-
-dn: olcDatabase={0}config,cn=config
-objectClass: olcDatabaseConfig
-olcDatabase: {0}config
-olcAccess: {0}to * by * none
-olcAddContentAcl: TRUE
-olcLastMod: TRUE
-olcMaxDerefDepth: 15
-olcReadOnly: FALSE
-olcRootDN: cn=config
-olcRootPW: config
-olcSyncUseSubentry: FALSE
-olcMonitoring: FALSE
-
-dn: olcDatabase={1}bdb,cn=config
-objectClass: olcDatabaseConfig
-objectClass: olcBdbConfig
-olcDatabase: {1}bdb
-olcDbDirectory: ./testrun/db.2.a
-olcSuffix: dc=org
-
-dn: olcDatabase={2}monitor,cn=config
-objectClass: olcDatabaseConfig
-olcDatabase: {2}monitor
-olcAddContentAcl: FALSE
-olcLastMod: TRUE
-olcMaxDerefDepth: 15
-olcReadOnly: FALSE
-olcSyncUseSubentry: FALSE
-olcMonitoring: FALSE
-
-dn: olcDatabase={3}bdb,cn=config
-objectClass: olcDatabaseConfig
-objectClass: olcBdbConfig
-olcDatabase: {3}bdb
-olcDbDirectory: ./testrun/db.1.a
-olcSuffix: dc=com
-
diff --git a/tests/data/regressions/its4337/its4337 b/tests/data/regressions/its4337/its4337
deleted file mode 100755
index 66bc716..0000000
--- a/tests/data/regressions/its4337/its4337
+++ /dev/null
@@ -1,157 +0,0 @@
-#! /bin/sh
-# $OpenLDAP$
-## This work is part of OpenLDAP Software <http://www.openldap.org/>.
-##
-## Copyright 1998-2020 The OpenLDAP Foundation.
-## All rights reserved.
-##
-## Redistribution and use in source and binary forms, with or without
-## modification, are permitted only as authorized by the OpenLDAP
-## Public License.
-##
-## A copy of this license is available in the file LICENSE in the
-## top-level directory of the distribution or, alternatively, at
-## <http://www.OpenLDAP.org/license.html>.
-
-echo "running defines.sh"
-. $SRCDIR/scripts/defines.sh
-
-if test $BACKEND != "bdb" ; then
- echo "BDB backend not available, test skipped"
- exit 0
-fi
-
-mkdir -p $TESTDIR $DBDIR1 $DBDIR2 $DBDIR3 $TESTDIR/slapd.d
-
-ITS=4337
-ITSDIR=$DATADIR/regressions/its$ITS
-
-echo "Starting slapd on TCP/IP port $PORT1..."
-. $CONFFILTER $BACKEND $MONITORDB < $ITSDIR/slapd.conf > $CONF1
-#$SLAPD -f $CONF1 -F $TESTDIR/slapd.d -h $URI1 -d $LVL $TIMING > $LOG1 2>&1 &
-$SLAPD -f $CONF1 -h $URI1 -d $LVL $TIMING > $LOG1 2>&1 &
-PID=$!
-if test $WAIT != 0 ; then
- echo PID $PID
- read foo
-fi
-KILLPIDS="$PID"
-
-sleep 1
-
-echo "Using ldapsearch to check that slapd is running..."
-for i in 0 1 2 3 4 5; do
- $LDAPSEARCH -s base -b "$MONITOR" -h $LOCALHOST -p $PORT1 \
- 'objectclass=*' > /dev/null 2>&1
- RC=$?
- if test $RC = 0 ; then
- break
- fi
- echo "Waiting 5 seconds for slapd to start..."
- sleep 5
-done
-
-if test $RC != 0 ; then
- echo "ldapsearch failed ($RC)!"
- test $KILLSERVERS != no && kill -HUP $KILLPIDS
- exit $RC
-fi
-
-cat /dev/null > $TESTOUT
-cat /dev/null > $SEARCHOUT
-
-echo "Searching databases..."
-echo "# Searching databases __before__ append..." >> $SEARCHOUT
-$LDAPSEARCH -h $LOCALHOST -p $PORT1 \
- -D "cn=config" -w "config" -b "cn=config" \
- '(objectClass=olcDatabaseConfig)' >> $SEARCHOUT 2>> $TESTOUT
-RC=$?
-if test $RC != 0 ; then
- echo "ldapsearch failed ($RC)!"
- test $KILLSERVERS != no && kill -HUP $KILLPIDS
- exit $RC
-fi
-
-echo "Appending a database..."
-$LDAPADD -v -D "cn=config" -w "config" -h $LOCALHOST -p $PORT1 \
- >> $TESTOUT 2>&1 << EOMODS
-dn: olcDatabase=bdb,cn=config
-objectClass: olcDatabaseConfig
-objectClass: olcBdbConfig
-olcDatabase: bdb
-olcSuffix: dc=com
-olcDbDirectory: ./testrun/db.1.a
-EOMODS
-RC=$?
-if test $RC != 0 ; then
- echo "ldapadd failed ($RC)!"
- test $KILLSERVERS != no && kill -HUP $KILLPIDS
- exit $RC
-fi
-
-echo "Searching databases..."
-echo "# Searching databases __after__ append..." >> $SEARCHOUT
-$LDAPSEARCH -h $LOCALHOST -p $PORT1 \
- -D "cn=config" -w "config" -b "cn=config" \
- '(objectClass=olcDatabaseConfig)' >> $SEARCHOUT 2>> $TESTOUT
-RC=$?
-if test $RC != 0 ; then
- echo "ldapsearch failed ($RC)!"
- test $KILLSERVERS != no && kill -HUP $KILLPIDS
- exit $RC
-fi
-
-echo "Inserting a database..."
-$LDAPADD -v -D "cn=config" -w "config" -h $LOCALHOST -p $PORT1 \
- >> $TESTOUT 2>&1 << EOMODS
-dn: olcDatabase={1}bdb,cn=config
-objectClass: olcDatabaseConfig
-objectClass: olcBdbConfig
-olcDatabase: {1}bdb
-olcSuffix: dc=org
-olcDbDirectory: ./testrun/db.2.a
-EOMODS
-RC=$?
-if test $RC != 0 ; then
- echo "ldapadd failed ($RC)!"
- test $KILLSERVERS != no && kill -HUP $KILLPIDS
- if test $RC = 53 ; then
- echo "TODO"
- exit 0
- fi
- exit $RC
-fi
-
-echo "Searching databases..."
-echo "# Searching databases __after__ insert..." >> $SEARCHOUT
-$LDAPSEARCH -h $LOCALHOST -p $PORT1 \
- -D "cn=config" -w "config" -b "cn=config" \
- '(objectClass=olcDatabaseConfig)' >> $SEARCHOUT 2>> $TESTOUT
-RC=$?
-if test $RC != 0 ; then
- echo "ldapsearch failed ($RC)!"
- test $KILLSERVERS != no && kill -HUP $KILLPIDS
- exit $RC
-fi
-
-test $KILLSERVERS != no && kill -HUP $KILLPIDS
-
-LDIF=$ITSDIR/config.out
-
-echo "Filtering ldapsearch results..."
-$LDIFFILTER < $SEARCHOUT > $SEARCHFLT
-echo "Filtering original ldif..."
-$LDIFFILTER < $LDIF > $LDIFFLT
-echo "Comparing filter output..."
-$CMP $SEARCHFLT $LDIFFLT > $CMPOUT
-
-if test $? != 0 ; then
- echo "Comparison failed"
- exit 1
-fi
-
-echo ">>>>> Test succeeded"
-
-test $KILLSERVERS != no && wait
-
-exit 0
diff --git a/tests/data/regressions/its4337/slapd.conf b/tests/data/regressions/its4337/slapd.conf
deleted file mode 100644
index ee3108a..0000000
--- a/tests/data/regressions/its4337/slapd.conf
+++ /dev/null
@@ -1,36 +0,0 @@
-# stand-alone slapd config -- for testing (with indexing)
-# $OpenLDAP$
-## This work is part of OpenLDAP Software <http://www.openldap.org/>.
-##
-## Copyright 1998-2020 The OpenLDAP Foundation.
-## All rights reserved.
-##
-## Redistribution and use in source and binary forms, with or without
-## modification, are permitted only as authorized by the OpenLDAP
-## Public License.
-##
-## A copy of this license is available in the file LICENSE in the
-## top-level directory of the distribution or, alternatively, at
-## <http://www.OpenLDAP.org/license.html>.
-
-include @SCHEMADIR@/core.schema
-include @SCHEMADIR@/cosine.schema
-include @SCHEMADIR@/inetorgperson.schema
-include @SCHEMADIR@/openldap.schema
-include @SCHEMADIR@/nis.schema
-include @DATADIR@/test.schema
-
-#
-pidfile @TESTDIR@/slapd.2.pid
-argsfile @TESTDIR@/slapd.2.args
-
-#mod#modulepath ../servers/slapd/back-@BACKEND@/:../servers/slapd/overlays
-#mod#moduleload back_@BACKEND@.la
-
-#monitormod#modulepath ../servers/slapd/back-monitor/
-#monitormod#moduleload back_monitor.la
-
-database config
-rootpw config
-
-#monitor#database monitor
--
2.19.1


@ -16,18 +16,6 @@ index 3def6da..466c772 100644
.SH AUTHOR .SH AUTHOR
The OpenLDAP Project <http://www.openldap.org/> The OpenLDAP Project <http://www.openldap.org/>
.SH ACKNOWLEDGEMENTS .SH ACKNOWLEDGEMENTS
diff --git a/doc/man/man5/ldap.conf.5 b/doc/man/man5/ldap.conf.5
index cfde143..63592cb 100644
--- a/doc/man/man5/ldap.conf.5
+++ b/doc/man/man5/ldap.conf.5
@@ -317,6 +317,7 @@ certificates in separate individual files. The
.B TLS_CACERT
is always used before
.B TLS_CACERTDIR.
+The specified directory must be managed with the OpenSSL c_rehash utility.
This parameter is ignored with GnuTLS.
When using Mozilla NSS, <path> may contain a Mozilla NSS cert/key
diff --git a/doc/man/man8/slapd.8 b/doc/man/man8/slapd.8 diff --git a/doc/man/man8/slapd.8 b/doc/man/man8/slapd.8
index b739f4d..e2a1a00 100644 index b739f4d..e2a1a00 100644
--- a/doc/man/man8/slapd.8 --- a/doc/man/man8/slapd.8
@ -39,7 +27,7 @@ index b739f4d..e2a1a00 100644
-.B LIBEXECDIR/slapd -.B LIBEXECDIR/slapd
+.B slapd +.B slapd
[\c [\c
.BR \-4 | \-6 ] .BR \-V [ V [ V ]]
[\c [\c
@@ -317,7 +317,7 @@ the LDAP databases defined in the default config file, just type: @@ -317,7 +317,7 @@ the LDAP databases defined in the default config file, just type:
.LP .LP


@ -1,36 +0,0 @@
From 85fc8974f5c32a9a052baafaa9499c8484e043c2 Mon Sep 17 00:00:00 2001
From: Quanah Gibson-Mount <quanah@openldap.org>
Date: Tue, 28 Apr 2020 20:49:53 +0000
Subject: [PATCH] ITS#8650 - Fix Debug usage to follow RE24 format
---
libraries/libldap/tls2.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/libraries/libldap/tls2.c b/libraries/libldap/tls2.c
index c1f15cb..ebe5bf1 100644
--- a/libraries/libldap/tls2.c
+++ b/libraries/libldap/tls2.c
@@ -907,8 +907,8 @@ ldap_int_tls_start ( LDAP *ld, LDAPConn *conn, LDAPURLDesc *srv )
} else if ( sb->sb_trans_needs_write ) {
wr=1;
}
- Debug1( LDAP_DEBUG_TRACE, "ldap_int_tls_start: ldap_int_tls_connect needs %s\n",
- wr ? "write": "read" );
+ Debug( LDAP_DEBUG_TRACE, "ldap_int_tls_start: ldap_int_tls_connect needs %s\n",
+ wr ? "write": "read", 0, 0 );
/* This is mostly copied from result.c:wait4msg(), should
* probably be moved into a separate function */
@@ -946,7 +946,7 @@ ldap_int_tls_start ( LDAP *ld, LDAPConn *conn, LDAPURLDesc *srv )
start_time_tv.tv_sec = curr_time_tv.tv_sec;
start_time_tv.tv_usec = curr_time_tv.tv_usec;
tv = tv0;
- Debug3( LDAP_DEBUG_TRACE, "ldap_int_tls_start: ld %p %ld s %ld us to go\n",
+ Debug( LDAP_DEBUG_TRACE, "ldap_int_tls_start: ld %p %ld s %ld us to go\n",
(void *)ld, (long) tv.tv_sec, (long) tv.tv_usec );
ret = ldap_int_poll( ld, sd, &tv, wr);
if ( ret < 0 ) {
--
1.8.3.1


@ -1,821 +0,0 @@
From 47e0e3fdb59d8be9cc44e814ba03684d352916a6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ond=C5=99ej=20Kuzn=C3=ADk?= <ondra@mistotebe.net>
Date: Thu, 30 Jan 2020 09:03:59 +0000
Subject: [PATCH] ITS#9160 OOM handling
https://bugs.openldap.org/show_bug.cgi?id=9160
diff --git a/contrib/slapd-modules/allowed/allowed.c b/contrib/slapd-modules/allowed/allowed.c
--- a/contrib/slapd-modules/allowed/allowed.c
+++ b/contrib/slapd-modules/allowed/allowed.c
@@ -277,10 +277,10 @@ aa_operational( Operation *op, SlapReply *rs )
/* just count */ ;
if ( got & GOT_A ) {
- bv_allowed = ber_memalloc( sizeof( struct berval ) * ( i + 1 ) );
+ bv_allowed = ch_calloc( i + 1, sizeof( struct berval ) );
}
if ( got & GOT_AE ) {
- bv_effective = ber_memalloc( sizeof( struct berval ) * ( i + 1 ) );
+ bv_effective = ch_calloc( i + 1, sizeof( struct berval ) );
}
for ( i = 0, ja = 0, je = 0; atp[ i ] != NULL; i++ ) {
@@ -310,7 +310,6 @@ aa_operational( Operation *op, SlapReply *rs )
ch_free( atp );
if ( ( got & GOT_A ) && ja > 0 ) {
- BER_BVZERO( &bv_allowed[ ja ] );
*ap = attr_alloc( ad_allowedAttributes );
(*ap)->a_vals = bv_allowed;
(*ap)->a_nvals = bv_allowed;
@@ -319,7 +318,6 @@ aa_operational( Operation *op, SlapReply *rs )
}
if ( ( got & GOT_AE ) && je > 0 ) {
- BER_BVZERO( &bv_effective[ je ] );
*ap = attr_alloc( ad_allowedAttributesEffective );
(*ap)->a_vals = bv_effective;
(*ap)->a_nvals = bv_effective;
@@ -348,10 +346,10 @@ do_oc:;
}
if ( got & GOT_C ) {
- bv_allowed = ber_memalloc( sizeof( struct berval ) * ( i + 1 ) );
+ bv_allowed = ch_calloc( i + 1, sizeof( struct berval ) );
}
if ( got & GOT_CE ) {
- bv_effective = ber_memalloc( sizeof( struct berval ) * ( i + 1 ) );
+ bv_effective = ch_calloc( i + 1, sizeof( struct berval ) );
}
for ( oc_start( &oc ); oc != NULL; oc_next( &oc ) ) {
@@ -398,7 +396,6 @@ done_ce:;
}
if ( ( got & GOT_C ) && ja > 0 ) {
- BER_BVZERO( &bv_allowed[ ja ] );
*ap = attr_alloc( ad_allowedChildClasses );
(*ap)->a_vals = bv_allowed;
(*ap)->a_nvals = bv_allowed;
@@ -407,7 +404,6 @@ done_ce:;
}
if ( ( got & GOT_CE ) && je > 0 ) {
- BER_BVZERO( &bv_effective[ je ] );
*ap = attr_alloc( ad_allowedChildClassesEffective );
(*ap)->a_vals = bv_effective;
(*ap)->a_nvals = bv_effective;
diff --git a/contrib/slapd-modules/samba4/rdnval.c b/contrib/slapd-modules/samba4/rdnval.c
--- a/contrib/slapd-modules/samba4/rdnval.c
+++ b/contrib/slapd-modules/samba4/rdnval.c
@@ -223,8 +223,8 @@ rdnval_rdn2vals(
/* NOTE: we assume rdn and nrdn contain the same AVAs! */
- *valsp = SLAP_CALLOC( sizeof( struct berval ), nAVA + 1 );
- *nvalsp = SLAP_CALLOC( sizeof( struct berval ), nAVA + 1 );
+ *valsp = ch_calloc( sizeof( struct berval ), nAVA + 1 );
+ *nvalsp = ch_calloc( sizeof( struct berval ), nAVA + 1 );
/* Add new attribute values to the entry */
for ( i = 0; rdn[ i ]; i++ ) {
@@ -354,7 +354,7 @@ rdnval_op_rename( Operation *op, SlapReply *rs )
send_ldap_result( op, rs );
}
- ml = SLAP_CALLOC( sizeof( Modifications ), 1 );
+ ml = ch_calloc( sizeof( Modifications ), 1 );
ml->sml_values = vals;
ml->sml_nvalues = nvals;
diff --git a/contrib/slapd-modules/samba4/vernum.c b/contrib/slapd-modules/samba4/vernum.c
--- a/contrib/slapd-modules/samba4/vernum.c
+++ b/contrib/slapd-modules/samba4/vernum.c
@@ -121,8 +121,8 @@ vernum_op_modify( Operation *op, SlapReply *rs )
/* ITS#6561 */
#ifdef SLAP_MOD_ADD_IF_NOT_PRESENT
/* the initial value is only added if the vernum attr is not present */
- ml = SLAP_CALLOC( sizeof( Modifications ), 1 );
- ml->sml_values = SLAP_CALLOC( sizeof( struct berval ) , 2 );
+ ml = ch_calloc( sizeof( Modifications ), 1 );
+ ml->sml_values = ch_calloc( sizeof( struct berval ) , 2 );
value_add_one( &ml->sml_values, &val_init );
ml->sml_nvalues = NULL;
ml->sml_numvals = 1;
@@ -136,8 +136,8 @@ vernum_op_modify( Operation *op, SlapReply *rs )
#endif /* SLAP_MOD_ADD_IF_NOT_PRESENT */
/* this increments by 1 the vernum attr */
- ml = SLAP_CALLOC( sizeof( Modifications ), 1 );
- ml->sml_values = SLAP_CALLOC( sizeof( struct berval ) , 2 );
+ ml = ch_calloc( sizeof( Modifications ), 1 );
+ ml->sml_values = ch_calloc( sizeof( struct berval ) , 2 );
value_add_one( &ml->sml_values, &val );
ml->sml_nvalues = NULL;
ml->sml_numvals = 1;
diff --git a/tests/progs/slapd-bind.c b/tests/progs/slapd-bind.c
index c9e3210b06..a832e809c1 100644
--- a/tests/progs/slapd-bind.c
+++ b/tests/progs/slapd-bind.c
@@ -412,11 +412,19 @@ do_base( struct tester_conn_args *config, char *dn, char *base, char *filter, ch
case LDAP_RES_SEARCH_ENTRY:
rc = ldap_get_dn_ber( ld, msg, &ber, &bv );
dns = realloc( dns, (ndns + 1)*sizeof(char *) );
+ if ( !dns ) {
+ tester_error( "realloc failed" );
+ exit( EXIT_FAILURE );
+ }
dns[ndns] = ber_strdup( bv.bv_val );
if ( pwattr != NULL ) {
struct berval **values = ldap_get_values_len( ld, msg, pwattr );
creds = realloc( creds, (ndns + 1)*sizeof(struct berval) );
+ if ( !creds ) {
+ tester_error( "realloc failed" );
+ exit( EXIT_FAILURE );
+ }
if ( values == NULL ) {
novals:;
creds[ndns].bv_len = 0;
diff --git a/tests/progs/slapd-modrdn.c b/tests/progs/slapd-modrdn.c
index 5bd823d72a..d82d82c69e 100644
--- a/tests/progs/slapd-modrdn.c
+++ b/tests/progs/slapd-modrdn.c
@@ -125,6 +125,10 @@ do_modrdn( struct tester_conn_args *config,
DNs[0] = entry;
DNs[1] = strdup( entry );
+ if ( DNs[1] == NULL ) {
+ tester_error( "strdup failed" );
+ exit( EXIT_FAILURE );
+ }
/* reverse the RDN, make new DN */
p1 = strchr( entry, '=' ) + 1;
@@ -132,6 +136,10 @@ do_modrdn( struct tester_conn_args *config,
*p2 = '\0';
rdns[1] = strdup( entry );
+ if ( rdns[1] == NULL ) {
+ tester_error( "strdup failed" );
+ exit( EXIT_FAILURE );
+ }
*p2-- = ',';
for (i = p1 - entry;p2 >= p1;)
@@ -139,6 +147,10 @@ do_modrdn( struct tester_conn_args *config,
DNs[1][i] = '\0';
rdns[0] = strdup( DNs[1] );
+ if ( rdns[0] == NULL ) {
+ tester_error( "strdup failed" );
+ exit( EXIT_FAILURE );
+ }
DNs[1][i] = ',';
i = 0;
diff --git a/tests/progs/slapd-mtread.c b/tests/progs/slapd-mtread.c
index 1b421af00b..c8024cb6e1 100644
--- a/tests/progs/slapd-mtread.c
+++ b/tests/progs/slapd-mtread.c
@@ -531,6 +531,10 @@ do_random( LDAP *ld,
}
values = malloc( ( nvalues + 1 ) * sizeof( char * ) );
+ if (values == NULL) {
+ thread_error( idx, "(failed to malloc)");
+ exit( EXIT_FAILURE );
+ }
for ( i = 0, e = ldap_first_entry( ld, res ); e != NULL; i++, e = ldap_next_entry( ld, e ) )
{
values[ i ] = ldap_get_dn( ld, e );
diff --git a/tests/progs/slapd-read.c b/tests/progs/slapd-read.c
index 4023a22d27..f95228317b 100644
--- a/tests/progs/slapd-read.c
+++ b/tests/progs/slapd-read.c
@@ -202,6 +202,10 @@ do_random( struct tester_conn_args *config, char *sbase, char *filter,
}
values = malloc( ( nvalues + 1 ) * sizeof( char * ) );
+ if ( !values ) {
+ tester_error( "malloc failed" );
+ exit( EXIT_FAILURE );
+ }
for ( i = 0, e = ldap_first_entry( ld, res ); e != NULL; i++, e = ldap_next_entry( ld, e ) )
{
values[ i ] = ldap_get_dn( ld, e );
@@ -251,6 +255,10 @@ do_read( struct tester_conn_args *config, char *entry, LDAP **ldp,
/* make room for msgid */
if ( swamp > 1 ) {
msgids = (int *)calloc( sizeof(int), maxloop );
+ if ( !msgids ) {
+ tester_error( "calloc failed" );
+ exit( EXIT_FAILURE );
+ }
}
retry:;
diff --git a/tests/progs/slapd-search.c b/tests/progs/slapd-search.c
index 8f791d6b3c..321fd80e38 100644
--- a/tests/progs/slapd-search.c
+++ b/tests/progs/slapd-search.c
@@ -226,6 +226,10 @@ do_random( struct tester_conn_args *config,
int j;
values = realloc( values, ( nvalues + n + 1 )*sizeof( char * ) );
+ if ( !values ) {
+ tester_error( "realloc failed" );
+ exit( EXIT_FAILURE );
+ }
for ( j = 0; j < n; j++ ) {
values[ nvalues + j ] = strdup( v[ j ]->bv_val );
}
@@ -298,6 +302,10 @@ do_search( struct tester_conn_args *config,
/* make room for msgid */
if ( swamp > 1 ) {
msgids = (int *)calloc( sizeof(int), innerloop );
+ if ( !msgids ) {
+ tester_error( "calloc failed" );
+ exit( EXIT_FAILURE );
+ }
}
retry:;
diff --git a/servers/slapd/aci.c b/servers/slapd/aci.c
index 86ace3f536..232c32fc89 100644
--- a/servers/slapd/aci.c
+++ b/servers/slapd/aci.c
@@ -1258,7 +1258,7 @@ OpenLDAPaciNormalizeRight(
len = nattrs.bv_len + ( !BER_BVISEMPTY( &nattrs ) ? STRLENOF( "," ) : 0 )
+ ad->ad_cname.bv_len;
- nattrs.bv_val = ber_memrealloc_x( nattrs.bv_val, len + 1, ctx );
+ nattrs.bv_val = slap_sl_realloc( nattrs.bv_val, len + 1, ctx );
ptr = &nattrs.bv_val[ nattrs.bv_len ];
if ( !BER_BVISEMPTY( &nattrs ) ) {
*ptr++ = ',';
@@ -1270,7 +1270,7 @@ OpenLDAPaciNormalizeRight(
}
- naction->bv_val = ber_memrealloc_x( naction->bv_val,
+ naction->bv_val = slap_sl_realloc( naction->bv_val,
naction->bv_len + STRLENOF( ";" )
+ perms.bv_len + STRLENOF( ";" )
+ nattrs.bv_len + 1,
@@ -1345,7 +1345,7 @@ OpenLDAPaciNormalizeRights(
*nactions = nbv;
} else {
- nactions->bv_val = ber_memrealloc_x( nactions->bv_val,
+ nactions->bv_val = slap_sl_realloc( nactions->bv_val,
nactions->bv_len + STRLENOF( "$" )
+ nbv.bv_len + 1,
ctx );
@@ -1703,7 +1703,7 @@ OpenLDAPaciPrettyNormal(
}
bv.bv_len += STRLENOF( "/" ) + oc->soc_cname.bv_len;
- bv.bv_val = ber_memalloc_x( bv.bv_len + 1, ctx );
+ bv.bv_val = slap_sl_malloc( bv.bv_len + 1, ctx );
ptr = bv.bv_val;
ptr = lutil_strncopy( ptr, ntype.bv_val, ntype.bv_len );
@@ -1762,7 +1762,7 @@ OpenLDAPaciPrettyNormal(
+ ntype.bv_len + STRLENOF( "#" )
+ nsubject.bv_len;
- out->bv_val = ber_memalloc_x( out->bv_len + 1, ctx );
+ out->bv_val = slap_sl_malloc( out->bv_len + 1, ctx );
ptr = lutil_strncopy( out->bv_val, oid.bv_val, oid.bv_len );
ptr[ 0 ] = '#';
ptr++;
diff --git a/servers/slapd/bconfig.c b/servers/slapd/bconfig.c
index 79a3fd1cfc..ceee648683 100644
--- a/servers/slapd/bconfig.c
+++ b/servers/slapd/bconfig.c
@@ -3032,7 +3032,7 @@ tcp_buffer_unparse( int size, int rw, Listener *l, struct berval *val )
}
}
- val->bv_val = SLAP_MALLOC( val->bv_len + 1 );
+ val->bv_val = ch_malloc( val->bv_len + 1 );
ptr = val->bv_val;
@@ -3110,7 +3110,7 @@ tcp_buffer_add_one( int argc, char **argv )
if ( rw & SLAP_TCP_WMEM ) slapd_tcp_wmem = size;
}
- tcp_buffer = SLAP_REALLOC( tcp_buffer, sizeof( struct berval ) * ( tcp_buffer_num + 2 ) );
+ tcp_buffer = ch_realloc( tcp_buffer, sizeof( struct berval ) * ( tcp_buffer_num + 2 ) );
/* append */
tcp_buffer[ tcp_buffer_num ] = val;
diff --git a/servers/slapd/modify.c b/servers/slapd/modify.c
index fb1cc3f1c3..cfdd7b0aa9 100644
--- a/servers/slapd/modify.c
+++ b/servers/slapd/modify.c
@@ -619,7 +619,7 @@ int slap_mods_check(
if( nvals && ad->ad_type->sat_equality &&
ad->ad_type->sat_equality->smr_normalize )
{
- ml->sml_nvalues = ber_memalloc_x(
+ ml->sml_nvalues = slap_sl_malloc(
(nvals+1)*sizeof(struct berval), ctx );
for ( nvals = 0; !BER_BVISNULL( &ml->sml_values[nvals] ); nvals++ ) {
diff --git a/servers/slapd/schema_init.c b/servers/slapd/schema_init.c
index 92407391e9..c067ef825c 100644
--- a/servers/slapd/schema_init.c
+++ b/servers/slapd/schema_init.c
@@ -3415,7 +3415,7 @@ serialNumberAndIssuerCheck(
ber_len_t src, dst;
ni.bv_len = is->bv_len - numdquotes;
- ni.bv_val = ber_memalloc_x( ni.bv_len + 1, ctx );
+ ni.bv_val = slap_sl_malloc( ni.bv_len + 1, ctx );
for ( src = 0, dst = 0; src < is->bv_len; src++, dst++ ) {
if ( is->bv_val[src] == '"' ) {
src++;
@@ -4004,7 +4004,7 @@ issuerAndThisUpdateCheck(
ber_len_t src, dst;
ni.bv_len = is->bv_len - numdquotes;
- ni.bv_val = ber_memalloc_x( ni.bv_len + 1, ctx );
+ ni.bv_val = slap_sl_malloc( ni.bv_len + 1, ctx );
for ( src = 0, dst = 0; src < is->bv_len; src++, dst++ ) {
if ( is->bv_val[src] == '"' ) {
src++;
@@ -4606,7 +4606,7 @@ serialNumberAndIssuerSerialCheck(
ber_len_t src, dst;
ni.bv_len = is->bv_len - numdquotes;
- ni.bv_val = ber_memalloc_x( ni.bv_len + 1, ctx );
+ ni.bv_val = slap_sl_malloc( ni.bv_len + 1, ctx );
for ( src = 0, dst = 0; src < is->bv_len; src++, dst++ ) {
if ( is->bv_val[src] == '"' ) {
src++;
diff --git a/servers/slapd/value.c b/servers/slapd/value.c
index 73c2052f16..c901236d5e 100644
--- a/servers/slapd/value.c
+++ b/servers/slapd/value.c
@@ -514,7 +514,7 @@ ordered_value_pretty(
bv = *out;
out->bv_len = idx.bv_len + bv.bv_len;
- out->bv_val = ber_memalloc_x( out->bv_len + 1, ctx );
+ out->bv_val = slap_sl_malloc( out->bv_len + 1, ctx );
AC_MEMCPY( out->bv_val, idx.bv_val, idx.bv_len );
AC_MEMCPY( &out->bv_val[ idx.bv_len ], bv.bv_val, bv.bv_len + 1 );
@@ -591,7 +591,7 @@ ordered_value_normalize(
bv = *normalized;
normalized->bv_len = idx.bv_len + bv.bv_len;
- normalized->bv_val = ber_memalloc_x( normalized->bv_len + 1, ctx );
+ normalized->bv_val = slap_sl_malloc( normalized->bv_len + 1, ctx );
AC_MEMCPY( normalized->bv_val, idx.bv_val, idx.bv_len );
AC_MEMCPY( &normalized->bv_val[ idx.bv_len ], bv.bv_val, bv.bv_len + 1 );
diff --git a/libraries/libldap/deref.c b/libraries/libldap/deref.c
index 6da6f2711c..9b66f19d95 100644
--- a/libraries/libldap/deref.c
+++ b/libraries/libldap/deref.c
@@ -191,6 +191,12 @@ ldap_parse_derefresponse_control(
char *last2;
dr = LDAP_CALLOC( 1, sizeof(LDAPDerefRes) );
+ if ( dr == NULL ) {
+ ldap_derefresponse_free( drhead );
+ *drp2 = NULL;
+ ld->ld_errno = LDAP_NO_MEMORY;
+ return ld->ld_errno;
+ }
dvp = &dr->attrVals;
tag = ber_scanf( ber, "{ao", &dr->derefAttr, &dr->derefVal );
@@ -207,6 +213,13 @@ ldap_parse_derefresponse_control(
LDAPDerefVal *dv;
dv = LDAP_CALLOC( 1, sizeof(LDAPDerefVal) );
+ if ( dv == NULL ) {
+ ldap_derefresponse_free( drhead );
+ LDAP_FREE( dr );
+ *drp2 = NULL;
+ ld->ld_errno = LDAP_NO_MEMORY;
+ return ld->ld_errno;
+ }
tag = ber_scanf( ber, "{a[W]}", &dv->type, &dv->vals );
if ( tag == LBER_ERROR ) {
diff --git a/libraries/libldap/getdn.c b/libraries/libldap/getdn.c
index 45910aba52..1228d9c76e 100644
--- a/libraries/libldap/getdn.c
+++ b/libraries/libldap/getdn.c
@@ -258,6 +258,9 @@ ldap_explode_rdn( LDAP_CONST char *rdn, int notypes )
l = vl + ava->la_attr.bv_len + 1;
str = LDAP_MALLOC( l + 1 );
+ if ( str == NULL ) {
+ goto error_return;
+ }
AC_MEMCPY( str, ava->la_attr.bv_val,
ava->la_attr.bv_len );
str[ al++ ] = '=';
@@ -265,6 +268,9 @@ ldap_explode_rdn( LDAP_CONST char *rdn, int notypes )
} else {
l = vl;
str = LDAP_MALLOC( l + 1 );
+ if ( str == NULL ) {
+ goto error_return;
+ }
}
if ( ava->la_flags & LDAP_AVA_BINARY ) {
@@ -1526,6 +1532,10 @@ str2strval( const char *str, ber_len_t stoplen, struct berval *val, const char *
if ( escapes == 0 ) {
if ( *retFlags & LDAP_AVA_NONPRINTABLE ) {
val->bv_val = LDAP_MALLOCX( len + 1, ctx );
+ if ( val->bv_val == NULL ) {
+ return( 1 );
+ }
+
AC_MEMCPY( val->bv_val, startPos, len );
val->bv_val[ len ] = '\0';
} else {
@@ -1536,6 +1546,10 @@ str2strval( const char *str, ber_len_t stoplen, struct berval *val, const char *
ber_len_t s, d;
val->bv_val = LDAP_MALLOCX( len + 1, ctx );
+ if ( val->bv_val == NULL ) {
+ return( 1 );
+ }
+
for ( s = 0, d = 0; d < len; ) {
if ( LDAP_DN_ESCAPE( startPos[ s ] ) ) {
s++;
@@ -1633,6 +1647,10 @@ DCE2strval( const char *str, struct berval *val, const char **next, unsigned fla
ber_len_t s, d;
val->bv_val = LDAP_MALLOCX( len + 1, ctx );
+ if ( val->bv_val == NULL ) {
+ return( 1 );
+ }
+
for ( s = 0, d = 0; d < len; ) {
/*
* This point is reached only if escapes
@@ -1714,6 +1732,10 @@ IA52strval( const char *str, struct berval *val, const char **next, unsigned fla
ber_len_t s, d;
val->bv_val = LDAP_MALLOCX( len + 1, ctx );
+ if ( val->bv_val == NULL ) {
+ return( 1 );
+ }
+
for ( s = 0, d = 0; d < len; ) {
if ( LDAP_DN_ESCAPE( startPos[ s ] ) ) {
s++;
@@ -1804,6 +1826,10 @@ quotedIA52strval( const char *str, struct berval *val, const char **next, unsign
ber_len_t s, d;
val->bv_val = LDAP_MALLOCX( len + 1, ctx );
+ if ( val->bv_val == NULL ) {
+ return( 1 );
+ }
+
val->bv_len = len;
for ( s = d = 0; d < len; ) {
@@ -2897,6 +2923,9 @@ ldap_rdn2bv_x( LDAPRDN rdn, struct berval *bv, unsigned flags, void *ctx )
}
bv->bv_val = LDAP_MALLOCX( l + 1, ctx );
+ if ( bv->bv_val == NULL ) {
+ return LDAP_NO_MEMORY;
+ }
switch ( LDAP_DN_FORMAT( flags ) ) {
case LDAP_DN_FORMAT_LDAPV3:
diff --git a/libraries/libldap/ldif.c b/libraries/libldap/ldif.c
index 5414e59334..1c29619cf3 100644
--- a/libraries/libldap/ldif.c
+++ b/libraries/libldap/ldif.c
@@ -357,6 +357,9 @@ ldif_must_b64_encode_register( LDAP_CONST char *name, LDAP_CONST char *oid )
if ( must_b64_encode == default_must_b64_encode ) {
must_b64_encode = ber_memalloc( sizeof( must_b64_encode_s ) * ( i + 2 ) );
+ if ( must_b64_encode == NULL ) {
+ return 1;
+ }
for ( i = 0; !BER_BVISNULL( &default_must_b64_encode[i].name ); i++ ) {
ber_dupbv( &must_b64_encode[i].name, &default_must_b64_encode[i].name );
@@ -728,6 +731,9 @@ ldif_open(
if ( fp ) {
lfp = ber_memalloc( sizeof( LDIFFP ));
+ if ( lfp == NULL ) {
+ return NULL;
+ }
lfp->fp = fp;
lfp->prev = NULL;
}
diff --git a/libraries/libldap/options.c b/libraries/libldap/options.c
index d8dbfea880..bc421dc6ba 100644
--- a/libraries/libldap/options.c
+++ b/libraries/libldap/options.c
@@ -151,10 +151,21 @@ ldap_get_option(
int i;
info->ldapai_extensions = LDAP_MALLOC(sizeof(char *) *
sizeof(features)/sizeof(LDAPAPIFeatureInfo));
+ if ( info->ldapai_extensions == NULL ) {
+ rc = LDAP_NO_MEMORY;
+ break;
+ }
for(i=0; features[i].ldapaif_name != NULL; i++) {
info->ldapai_extensions[i] =
LDAP_STRDUP(features[i].ldapaif_name);
+ if ( info->ldapai_extensions[i] == NULL ) {
+ rc = LDAP_NO_MEMORY;
+ break;
+ }
+ }
+ if ( features[i].ldapaif_name != NULL ) {
+ break; /* LDAP_NO_MEMORY */
}
info->ldapai_extensions[i] = NULL;
@@ -895,6 +906,11 @@ ldap_set_option(
/* setting pushes the callback */
ldaplist *ll;
ll = LDAP_MALLOC( sizeof( *ll ));
+ if ( ll == NULL ) {
+ rc = LDAP_NO_MEMORY;
+ break;
+ }
+
ll->ll_data = (void *)invalue;
ll->ll_next = lo->ldo_conn_cbs;
lo->ldo_conn_cbs = ll;
diff --git a/libraries/libldap/result.c b/libraries/libldap/result.c
index b4e478aacb..04ee48ea18 100644
--- a/libraries/libldap/result.c
+++ b/libraries/libldap/result.c
@@ -1027,6 +1027,11 @@ try_read1msg(
* to parse.
*/
ber = ldap_alloc_ber_with_options( ld );
+ if ( ber == NULL ) {
+ ld->ld_errno = LDAP_NO_MEMORY;
+ return -1;
+ }
+
if ( ber_sockbuf_ctrl( lc->lconn_sb, LBER_SB_OPT_DATA_READY, NULL ) ) ok = 1;
}
/* set up response chain */
diff --git a/libraries/libldap/schema.c b/libraries/libldap/schema.c
index 5cb30e7bfb..ef99a17c97 100644
--- a/libraries/libldap/schema.c
+++ b/libraries/libldap/schema.c
@@ -2126,6 +2126,11 @@ ldap_str2attributetype( LDAP_CONST char * s,
/* Non-numerical OID ... */
int len = ss-savepos;
at->at_oid = LDAP_MALLOC(len+1);
+ if ( !at->at_oid ) {
+ ldap_attributetype_free(at);
+ return NULL;
+ }
+
strncpy(at->at_oid, savepos, len);
at->at_oid[len] = 0;
}
@@ -2499,6 +2504,11 @@ ldap_str2objectclass( LDAP_CONST char * s,
/* Non-numerical OID, ignore */
int len = ss-savepos;
oc->oc_oid = LDAP_MALLOC(len+1);
+ if ( !oc->oc_oid ) {
+ ldap_objectclass_free(oc);
+ return NULL;
+ }
+
strncpy(oc->oc_oid, savepos, len);
oc->oc_oid[len] = 0;
}
@@ -2780,6 +2790,11 @@ ldap_str2contentrule( LDAP_CONST char * s,
/* Non-numerical OID, ignore */
int len = ss-savepos;
cr->cr_oid = LDAP_MALLOC(len+1);
+ if ( !cr->cr_oid ) {
+ ldap_contentrule_free(cr);
+ return NULL;
+ }
+
strncpy(cr->cr_oid, savepos, len);
cr->cr_oid[len] = 0;
}
diff --git a/servers/slapd/back-meta/config.c b/servers/slapd/back-meta/config.c
index fc0ec2cde5..5cb4d1c1dd 100644
--- a/servers/slapd/back-meta/config.c
+++ b/servers/slapd/back-meta/config.c
@@ -1481,7 +1481,7 @@ meta_back_cf_gen( ConfigArgs *c )
char *ptr;
int len = snprintf( buf, sizeof( buf ), SLAP_X_ORDERED_FMT, i );
bv.bv_len = ((*bvp)[ i ]).bv_len + len;
- bv.bv_val = ber_memrealloc( bv.bv_val, bv.bv_len + 1 );
+ bv.bv_val = ch_realloc( bv.bv_val, bv.bv_len + 1 );
ptr = bv.bv_val;
ptr = lutil_strcopy( ptr, buf );
ptr = lutil_strncopy( ptr, ((*bvp)[ i ]).bv_val, ((*bvp)[ i ]).bv_len );
@@ -2635,7 +2635,7 @@ idassert-authzFrom "dn:<rootdn>"
assert( !BER_BVISNULL( &mt->mt_idassert_authcDN ) );
bv.bv_len = STRLENOF( "dn:" ) + c->be->be_rootndn.bv_len;
- bv.bv_val = ber_memalloc( bv.bv_len + 1 );
+ bv.bv_val = ch_malloc( bv.bv_len + 1 );
AC_MEMCPY( bv.bv_val, "dn:", STRLENOF( "dn:" ) );
AC_MEMCPY( &bv.bv_val[ STRLENOF( "dn:" ) ], c->be->be_rootndn.bv_val, c->be->be_rootndn.bv_len + 1 );
diff --git a/servers/slapd/back-meta/map.c b/servers/slapd/back-meta/map.c
index 144dc693de..ee7aa2f086 100644
--- a/servers/slapd/back-meta/map.c
+++ b/servers/slapd/back-meta/map.c
@@ -381,6 +381,10 @@ ldap_back_int_filter_map_rewrite(
fstr->bv_len = atmp.bv_len + vtmp.bv_len
+ ( sizeof("(=)") - 1 );
fstr->bv_val = ber_memalloc_x( fstr->bv_len + 1, memctx );
+ if ( !fstr->bv_val ) {
+ ber_memfree_x( vtmp.bv_val, memctx );
+ return LDAP_NO_MEMORY;
+ }
snprintf( fstr->bv_val, fstr->bv_len + 1, "(%s=%s)",
atmp.bv_val, vtmp.bv_len ? vtmp.bv_val : "" );
@@ -398,6 +402,10 @@ ldap_back_int_filter_map_rewrite(
fstr->bv_len = atmp.bv_len + vtmp.bv_len
+ ( sizeof("(>=)") - 1 );
fstr->bv_val = ber_memalloc_x( fstr->bv_len + 1, memctx );
+ if ( !fstr->bv_val ) {
+ ber_memfree_x( vtmp.bv_val, memctx );
+ return LDAP_NO_MEMORY;
+ }
snprintf( fstr->bv_val, fstr->bv_len + 1, "(%s>=%s)",
atmp.bv_val, vtmp.bv_len ? vtmp.bv_val : "" );
@@ -415,6 +423,10 @@ ldap_back_int_filter_map_rewrite(
fstr->bv_len = atmp.bv_len + vtmp.bv_len
+ ( sizeof("(<=)") - 1 );
fstr->bv_val = ber_memalloc_x( fstr->bv_len + 1, memctx );
+ if ( !fstr->bv_val ) {
+ ber_memfree_x( vtmp.bv_val, memctx );
+ return LDAP_NO_MEMORY;
+ }
snprintf( fstr->bv_val, fstr->bv_len + 1, "(%s<=%s)",
atmp.bv_val, vtmp.bv_len ? vtmp.bv_val : "" );
@@ -432,6 +444,10 @@ ldap_back_int_filter_map_rewrite(
fstr->bv_len = atmp.bv_len + vtmp.bv_len
+ ( sizeof("(~=)") - 1 );
fstr->bv_val = ber_memalloc_x( fstr->bv_len + 1, memctx );
+ if ( !fstr->bv_val ) {
+ ber_memfree_x( vtmp.bv_val, memctx );
+ return LDAP_NO_MEMORY;
+ }
snprintf( fstr->bv_val, fstr->bv_len + 1, "(%s~=%s)",
atmp.bv_val, vtmp.bv_len ? vtmp.bv_val : "" );
@@ -450,17 +466,27 @@ ldap_back_int_filter_map_rewrite(
fstr->bv_len = atmp.bv_len + ( STRLENOF( "(=*)" ) );
fstr->bv_val = ber_memalloc_x( fstr->bv_len + 128, memctx ); /* FIXME: why 128 ? */
+ if ( !fstr->bv_val ) {
+ return LDAP_NO_MEMORY;
+ }
snprintf( fstr->bv_val, fstr->bv_len + 1, "(%s=*)",
atmp.bv_val );
if ( !BER_BVISNULL( &f->f_sub_initial ) ) {
+ char *tmp;
+
len = fstr->bv_len;
filter_escape_value_x( &f->f_sub_initial, &vtmp, memctx );
fstr->bv_len += vtmp.bv_len;
- fstr->bv_val = ber_memrealloc_x( fstr->bv_val, fstr->bv_len + 1, memctx );
+ tmp = ber_memrealloc_x( fstr->bv_val, fstr->bv_len + 1, memctx );
+ if ( !tmp ) {
+ ber_memfree_x( vtmp.bv_val, memctx );
+ return LDAP_NO_MEMORY;
+ }
+ fstr->bv_val = tmp;
snprintf( &fstr->bv_val[len - 2], vtmp.bv_len + 3,
/* "(attr=" */ "%s*)",
@@ -471,11 +497,18 @@ ldap_back_int_filter_map_rewrite(
if ( f->f_sub_any != NULL ) {
for ( i = 0; !BER_BVISNULL( &f->f_sub_any[i] ); i++ ) {
+ char *tmp;
+
len = fstr->bv_len;
filter_escape_value_x( &f->f_sub_any[i], &vtmp, memctx );
fstr->bv_len += vtmp.bv_len + 1;
- fstr->bv_val = ber_memrealloc_x( fstr->bv_val, fstr->bv_len + 1, memctx );
+ tmp = ber_memrealloc_x( fstr->bv_val, fstr->bv_len + 1, memctx );
+ if ( !tmp ) {
+ ber_memfree_x( vtmp.bv_val, memctx );
+ return LDAP_NO_MEMORY;
+ }
+ fstr->bv_val = tmp;
snprintf( &fstr->bv_val[len - 1], vtmp.bv_len + 3,
/* "(attr=[init]*[any*]" */ "%s*)",
@@ -485,12 +518,19 @@ ldap_back_int_filter_map_rewrite(
}
if ( !BER_BVISNULL( &f->f_sub_final ) ) {
+ char *tmp;
+
len = fstr->bv_len;
filter_escape_value_x( &f->f_sub_final, &vtmp, memctx );
fstr->bv_len += vtmp.bv_len;
- fstr->bv_val = ber_memrealloc_x( fstr->bv_val, fstr->bv_len + 1, memctx );
+ tmp = ber_memrealloc_x( fstr->bv_val, fstr->bv_len + 1, memctx );
+ if ( !tmp ) {
+ ber_memfree_x( vtmp.bv_val, memctx );
+ return LDAP_NO_MEMORY;
+ }
+ fstr->bv_val = tmp;
snprintf( &fstr->bv_val[len - 1], vtmp.bv_len + 3,
/* "(attr=[init*][any*]" */ "%s)",
@@ -510,6 +550,9 @@ ldap_back_int_filter_map_rewrite(
fstr->bv_len = atmp.bv_len + ( STRLENOF( "(=*)" ) );
fstr->bv_val = ber_memalloc_x( fstr->bv_len + 1, memctx );
+ if ( !fstr->bv_val ) {
+ return LDAP_NO_MEMORY;
+ }
snprintf( fstr->bv_val, fstr->bv_len + 1, "(%s=*)",
atmp.bv_val );
@@ -537,6 +580,10 @@ ldap_back_int_filter_map_rewrite(
fstr->bv_len += vtmp.bv_len;
fstr->bv_val = ber_memrealloc_x( fstr->bv_val, fstr->bv_len + 1, memctx );
+ if ( !fstr->bv_val ) {
+ ber_memfree_x( vtmp.bv_val, memctx );
+ return LDAP_NO_MEMORY;
+ }
snprintf( &fstr->bv_val[len-1], vtmp.bv_len + 2,
/*"("*/ "%s)", vtmp.bv_len ? vtmp.bv_val : "" );
@@ -565,6 +612,10 @@ ldap_back_int_filter_map_rewrite(
( !BER_BVISEMPTY( &f->f_mr_rule_text ) ? f->f_mr_rule_text.bv_len + 1 : 0 ) +
vtmp.bv_len + ( STRLENOF( "(:=)" ) );
fstr->bv_val = ber_memalloc_x( fstr->bv_len + 1, memctx );
+ if ( !fstr->bv_val ) {
+ ber_memfree_x( vtmp.bv_val, memctx );
+ return LDAP_NO_MEMORY;
+ }
snprintf( fstr->bv_val, fstr->bv_len + 1, "(%s%s%s%s:=%s)",
atmp.bv_val,
diff --git a/servers/slapd/back-meta/search.c b/servers/slapd/back-meta/search.c
index 438b324350..af4ae14397 100644
--- a/servers/slapd/back-meta/search.c
+++ b/servers/slapd/back-meta/search.c
@@ -1301,7 +1301,7 @@ really_bad:;
for ( cnt = 0; references[ cnt ]; cnt++ )
;
- rs->sr_ref = ber_memalloc_x( sizeof( struct berval ) * ( cnt + 1 ),
+ rs->sr_ref = op->o_tmpalloc( sizeof( struct berval ) * ( cnt + 1 ),
op->o_tmpmemctx );
for ( cnt = 0; references[ cnt ]; cnt++ ) {
@@ -1456,7 +1456,7 @@ really_bad:;
for ( cnt = 0; references[ cnt ]; cnt++ )
;
- sr_ref = ber_memalloc_x( sizeof( struct berval ) * ( cnt + 1 ),
+ sr_ref = op->o_tmpalloc( sizeof( struct berval ) * ( cnt + 1 ),
op->o_tmpmemctx );
for ( cnt = 0; references[ cnt ]; cnt++ ) {


@ -1,38 +0,0 @@
diff --git a/configure.in b/configure.in
index 2134171..c643891 100644
--- a/configure.in
+++ b/configure.in
@@ -1230,28 +1230,16 @@ if test $ol_link_tls = no ; then
fi
fi
-dnl NOTE: caller must specify -I/path/to/nspr4 and -I/path/to/nss3
-dnl and -L/path/to/nspr4 libs and -L/path/to/nss3 libs if those libs
-dnl are not in the default system location
if test $ol_link_tls = no ; then
if test $ol_with_tls = moznss || test $ol_with_tls = auto ; then
- have_moznss=no
- AC_CHECK_HEADERS([nssutil.h])
- if test "$ac_cv_header_nssutil_h" = yes ; then
- AC_CHECK_LIB([nss3], [NSS_Initialize],
- [ have_moznss=yes ], [ have_moznss=no ])
- fi
+ PKG_CHECK_MODULES(MOZNSS, [nss nspr], [have_moznss=yes], [have_moznss=no])
- if test "$have_moznss" = yes ; then
+ if test $have_moznss = yes ; then
ol_with_tls=moznss
ol_link_tls=yes
- AC_DEFINE(HAVE_MOZNSS, 1,
- [define if you have MozNSS])
- TLS_LIBS="-lssl3 -lsmime3 -lnss3 -lnssutil3 -lplds4 -lplc4 -lnspr4"
- else
- if test $ol_with_tls = moznss ; then
- AC_MSG_ERROR([MozNSS not found - please specify the location to the NSPR and NSS header files in CPPFLAGS and the location to the NSPR and NSS libraries in LDFLAGS (if not in the system location)])
- fi
+ AC_DEFINE(HAVE_MOZNSS, 1, [define if you have MozNSS])
+ TLS_LIBS="$MOZNSS_LIBS"
+ CFLAGS="$CFLAGS $MOZNSS_CFLAGS"
fi
fi
fi


@ -1,30 +0,0 @@
From 57b7003a6473206e2526dcc91c7ddb357c7e66de Mon Sep 17 00:00:00 2001
From: Sergei Trofimovich <slyfox@gentoo.org>
Date: Mon, 19 Jun 2017 21:48:05 +0100
Subject: [PATCH] thr_posix.c: fix implicit function declaration for
'pthread_setconcurrency'
thr_posix.c: In function 'ldap_pvt_thread_set_concurrency':
thr_posix.c:96:9: error: implicit declaration of function 'pthread_setconcurrency'
return pthread_setconcurrency( n );
^~~~~~~~~~~~~~~~~~~~~~
pthread_setcanceltype
Signed-off-by: Sergei Trofimovich <slyfox@gentoo.org>
---
libraries/libldap_r/thr_posix.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/libraries/libldap_r/thr_posix.c b/libraries/libldap_r/thr_posix.c
index 35bde07327..e0368cc1eb 100644
--- a/libraries/libldap_r/thr_posix.c
+++ b/libraries/libldap_r/thr_posix.c
@@ -14,6 +14,8 @@
* <http://www.OpenLDAP.org/license.html>.
*/
+#define _XOPEN_SOURCE 500 /* For pthread_setconcurrency() on glibc */
+
#include "portable.h"
#if defined( HAVE_PTHREADS )


@ -1,22 +0,0 @@
diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c
index fb5554e..7d5ffea 100644
--- a/libraries/libldap/tls_m.c
+++ b/libraries/libldap/tls_m.c
@@ -557,7 +557,16 @@ nss_parse_ciphers(const char *cipherstr, int cipher_list[ciphernum])
}
} else if (!strcmp(cipher, "DEFAULT")) {
for (i=0; i<ciphernum; i++) {
- cipher_list[i] = ciphers_def[i].enabled == SSL_ALLOWED ? 1 : 0;
+ PRBool enabled;
+ if (SSL_CipherPrefGetDefault(ciphers_def[i].num, &enabled) == SECSuccess) {
+ if (!(ciphers_def[i].attr & SSL_eNULL)) {
+ cipher_list[i] = enabled == SSL_ALLOWED ? 1 : 0;
+ } else {
+ cipher_list[i] = -1;
+ }
+ } else {
+ cipher_list[i] = -1;
+ }
}
} else {
int mask = 0;


@ -1,236 +0,0 @@
diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c
index bba215a..3139eaf 100644
--- a/libraries/libldap/tls_m.c
+++ b/libraries/libldap/tls_m.c
@@ -222,7 +222,6 @@ typedef struct {
/* cipher attributes */
#define SSL_kRSA 0x00000001L
#define SSL_aRSA 0x00000002L
-#define SSL_RSA (SSL_kRSA|SSL_aRSA)
#define SSL_aDSA 0x00000004L
#define SSL_DSA SSL_aDSA
#define SSL_eNULL 0x00000008L
@@ -232,19 +231,27 @@ typedef struct {
#define SSL_RC2 0x00000080L
#define SSL_AES128 0x00000100L
#define SSL_AES256 0x00000200L
-#define SSL_AES (SSL_AES128|SSL_AES256)
#define SSL_MD5 0x00000400L
#define SSL_SHA1 0x00000800L
#define SSL_kEDH 0x00001000L
#define SSL_CAMELLIA128 0x00002000L
#define SSL_CAMELLIA256 0x00004000L
-#define SSL_CAMELLIA (SSL_CAMELLIA128|SSL_CAMELLIA256)
#define SSL_SEED 0x00008000L
#define SSL_kECDH 0x00010000L
#define SSL_kECDHE 0x00020000L
#define SSL_aECDSA 0x00040000L
#define SSL_SHA256 0x00080000L
#define SSL_SHA384 0x00100000L
+#define SSL_kEECDH 0x00200000L
+#define SSL_AESGCM 0x00400000L
+#define SSL_AEAD 0x00800000L
+#define SSL_CHACHA20POLY1305 0x02000000L
+
+/* cipher attributes non-unique - do not use for definitions */
+#define SSL_RSA 0x00000001L
+#define SSL_AES 0x00000002L
+#define SSL_CAMELLIA 0x00000004L
+#define SSL_ECDH 0x00000008L
/* cipher strength */
#define SSL_NULL 0x00000001L
@@ -254,6 +261,9 @@ typedef struct {
#define SSL_MEDIUM 0x00000010L
#define SSL_HIGH 0x00000020L
+/* cipher strengths non-unique - do not use for definitions */
+#define SSL_EXPORT 0x00000001L
+
#define SSL2 0x00000001L
#define SSL3 0x00000002L
/* OpenSSL treats SSL3 and TLSv1 the same */
@@ -623,10 +633,12 @@ nss_parse_ciphers(const char *cipherstr, int cipher_list[ciphernum])
while ((*cipher) && (isspace(*cipher)))
++cipher;
- action = 1;
switch(*cipher) {
- case '+': /* Add something */
- action = 1;
+ case '+': /* Do nothig. NSS does not support ordering. */
+ Debug( LDAP_DEBUG_ARGS,
+ "TLS: warning: parsing cipher string: ordering is not supported by NSS.\n",
+ 0, 0, 0 );
+ action = 2;
cipher++;
break;
case '-': /* Subtract something */
@@ -637,8 +649,8 @@ nss_parse_ciphers(const char *cipherstr, int cipher_list[ciphernum])
action = -1;
cipher++;
break;
- default:
- /* do nothing */
+ default: /* Add something */
+ action = 1;
break;
}
@@ -672,7 +684,10 @@ nss_parse_ciphers(const char *cipherstr, int cipher_list[ciphernum])
}
} else {
int mask = 0;
+ int multi_mask = 0;
+ int negative_mask = 0;
int strength = 0;
+ int multi_strength = 0;
int protocol = 0;
char *c;
@@ -683,16 +698,21 @@ nss_parse_ciphers(const char *cipherstr, int cipher_list[ciphernum])
*c++ = '\0';
}
- if (!strcmp(cipher, "RSA")) {
- mask |= SSL_RSA;
+ if ((!strcmp(cipher, "RSA")) || (!strcmp(cipher, "kRSA"))) {
+ mask |= SSL_kRSA;
+ } else if (!strcmp(cipher, "aRSA")) {
+ mask |= SSL_aRSA;
+ negative_mask |= SSL_kECDH;
} else if ((!strcmp(cipher, "NULL")) || (!strcmp(cipher, "eNULL"))) {
mask |= SSL_eNULL;
} else if (!strcmp(cipher, "AES128")) {
mask |= SSL_AES128;
} else if (!strcmp(cipher, "AES256")) {
mask |= SSL_AES256;
+ } else if (!strcmp(cipher, "AESGCM")) {
+ mask |= SSL_AESGCM;
} else if (!strcmp(cipher, "AES")) {
- mask |= SSL_AES;
+ multi_mask |= SSL_AES;
} else if (!strcmp(cipher, "3DES")) {
mask |= SSL_3DES;
} else if (!strcmp(cipher, "DES")) {
@@ -703,28 +723,45 @@ nss_parse_ciphers(const char *cipherstr, int cipher_list[ciphernum])
mask |= SSL_RC2;
} else if (!strcmp(cipher, "MD5")) {
mask |= SSL_MD5;
- } else if ((!strcmp(cipher, "SHA")) || (!strcmp(cipher, "SHA1"))) {
- mask |= SSL_SHA1;
} else if (!strcmp(cipher, "SHA256")) {
mask |= SSL_SHA256;
- } else if (!strcmp(cipher, "EDH")) {
+ } else if (!strcmp(cipher, "SHA384")) {
+ mask |= SSL_SHA384;
+ } else if ((!strcmp(cipher, "SHA")) || (!strcmp(cipher, "SHA1"))) {
+ mask |= SSL_SHA1;
+ } else if ((!strcmp(cipher, "EDH")) || (!strcmp(cipher, "DH"))) {
mask |= SSL_kEDH;
- } else if (!strcmp(cipher, "DSS")) {
+ } else if ((!strcmp(cipher, "DSS")) || (!strcmp(cipher, "aDSS"))) {
mask |= SSL_aDSA;
} else if (!strcmp(cipher, "CAMELLIA128")) {
mask |= SSL_CAMELLIA128;
} else if (!strcmp(cipher, "CAMELLIA256")) {
mask |= SSL_CAMELLIA256;
} else if (!strcmp(cipher, "CAMELLIA")) {
- mask |= SSL_CAMELLIA;
+ multi_mask |= SSL_CAMELLIA;
} else if (!strcmp(cipher, "SEED")) {
mask |= SSL_SEED;
- } else if (!strcmp(cipher, "ECDH")) {
+ } else if (!strcmp(cipher, "kECDHe")) {
+ mask |= SSL_kECDH|SSL_aECDSA;
+ } else if (!strcmp(cipher, "kECDHr")) {
+ mask |= SSL_kECDH|SSL_aRSA;
+ } else if (!strcmp(cipher, "kECDH")) {
mask |= SSL_kECDH;
+ } else if (!strcmp(cipher, "aECDH")) {
+ mask |= SSL_kECDH;
+ } else if (!strcmp(cipher, "EECDH")) {
+ mask |= SSL_kECDHE;
+ } else if (!strcmp(cipher, "kEECDH")) {
+ mask |= SSL_kECDHE;
} else if (!strcmp(cipher, "ECDHE")) {
mask |= SSL_kECDHE;
- } else if (!strcmp(cipher, "ECDSA")) {
+ } else if (!strcmp(cipher, "ECDH")) {
+ multi_mask |= SSL_ECDH;
+ } else if ((!strcmp(cipher, "ECDSA")) || (!strcmp(cipher, "aECDSA"))) {
mask |= SSL_aECDSA;
+ negative_mask |= SSL_kECDH;
+ } else if (!strcmp(cipher, "CHACHA20POLY1305")) {
+ mask |= SSL_CHACHA20POLY1305;
} else if (!strcmp(cipher, "SSLv2")) {
protocol |= SSL2;
} else if (!strcmp(cipher, "SSLv3")) {
@@ -739,12 +776,12 @@ nss_parse_ciphers(const char *cipherstr, int cipher_list[ciphernum])
strength |= SSL_MEDIUM;
} else if (!strcmp(cipher, "LOW")) {
strength |= SSL_LOW;
- } else if ((!strcmp(cipher, "EXPORT")) || (!strcmp(cipher, "EXP"))) {
- strength |= SSL_EXPORT40|SSL_EXPORT56;
} else if (!strcmp(cipher, "EXPORT40")) {
strength |= SSL_EXPORT40;
} else if (!strcmp(cipher, "EXPORT56")) {
strength |= SSL_EXPORT56;
+ } else if ((!strcmp(cipher, "EXPORT")) || (!strcmp(cipher, "EXP"))) {
+ multi_strength |= SSL_EXPORT;
}
if (c)
@@ -752,23 +789,39 @@ nss_parse_ciphers(const char *cipherstr, int cipher_list[ciphernum])
} /* while */
+ /* NSS does not support ordering */
+ if (action == 2)
+ continue;
+
/* If we have a mask, apply it. If not then perhaps they provided
* a specific cipher to enable.
+ * if more than one mask is provided then AND logic applies (to match openssl)
*/
- if (mask || strength || protocol) {
+ if (mask || negative_mask || multi_mask || strength || multi_strength || protocol) {
for (i=0; i<ciphernum; i++) {
- if (((ciphers_def[i].attr & mask) ||
- (ciphers_def[i].strength & strength) ||
- (ciphers_def[i].version & protocol)) &&
- (cipher_list[i] != -1)) {
- /* Enable the NULL ciphers only if explicity
- * requested */
- if (ciphers_def[i].attr & SSL_eNULL) {
- if (mask & SSL_eNULL)
- cipher_list[i] = action;
- } else
- cipher_list[i] = action;
- }
+ if ( cipher_list[i] == -1 )
+ continue;
+ if ( mask != (ciphers_def[i].attr & mask) )
+ continue;
+ if ( strength != (ciphers_def[i].strength & strength) )
+ continue;
+ if ( protocol != (ciphers_def[i].version & protocol) )
+ continue;
+ if ((multi_mask & SSL_AES) &&
+ !(ciphers_def[i].attr & (SSL_AES128|SSL_AES256|SSL_AESGCM)))
+ continue;
+ if ((multi_mask & SSL_ECDH) &&
+ !(ciphers_def[i].attr & (SSL_kECDH|SSL_kECDHE)))
+ continue;
+ if ((multi_mask & SSL_CAMELLIA) &&
+ !(ciphers_def[i].attr & (SSL_CAMELLIA128|SSL_CAMELLIA256)))
+ continue;
+ if ((multi_strength & SSL_EXPORT) &&
+ !(ciphers_def[i].strength & (SSL_EXPORT40|SSL_EXPORT56)))
+ continue;
+ if ( negative_mask & ciphers_def[i].attr )
+ continue;
+ cipher_list[i] = action;
}
} else {
for (i=0; i<ciphernum; i++) {


@ -1,30 +0,0 @@
diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c
index 7d5ffea..4b2ecfa 100644
--- a/libraries/libldap/tls_m.c
+++ b/libraries/libldap/tls_m.c
@@ -1579,6 +1579,7 @@ tlsm_get_certdb_prefix( const char *certdir, char **realcertdir, char **prefix )
{
char sep = PR_GetDirectorySeparator();
char *ptr = NULL;
+ char *chkpath = NULL;
struct PRFileInfo prfi;
PRStatus prc;
@@ -1589,8 +1590,16 @@ tlsm_get_certdb_prefix( const char *certdir, char **realcertdir, char **prefix )
return;
}
- prc = PR_GetFileInfo( certdir, &prfi );
+ /* ignore database type prefix (e.g. sql:, dbm:) if provided */
+ chkpath = strchr( certdir, ':' );
+ if ( chkpath != NULL ) {
+ chkpath += 1;
+ } else {
+ chkpath = certdir;
+ }
+
/* if certdir exists (file or directory) then it cannot specify a prefix */
+ prc = PR_GetFileInfo( chkpath, &prfi );
if ( prc == PR_SUCCESS ) {
return;
}


@ -1,13 +0,0 @@
diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c
index 4b2ecfa..d69b186 100644
--- a/libraries/libldap/tls_m.c
+++ b/libraries/libldap/tls_m.c
@@ -2097,6 +2097,8 @@ tlsm_ctx_free ( tls_ctx *ctx )
"TLS: could not close certdb slot - error %d:%s.\n",
errcode, PR_ErrorToString( errcode, PR_LANGUAGE_I_DEFAULT ), 0 );
}
+ PK11_FreeSlot( c->tc_certdb_slot );
+ c->tc_certdb_slot = NULL;
}
if ( c->tc_pin_file ) {
PL_strfree( c->tc_pin_file );


@ -1,63 +0,0 @@
diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c
index d69b186..7f92783 100644
--- a/libraries/libldap/tls_m.c
+++ b/libraries/libldap/tls_m.c
@@ -2238,6 +2238,58 @@ tlsm_deferred_ctx_init( void *arg )
0, 0, 0 );
return -1;
}
+ if ( lt->lt_protocol_min >= LDAP_OPT_X_TLS_PROTOCOL_SSL3 ) {
+ SSLVersionRange supported_range, default_range, selected_range;
+ if ( SECSuccess != SSL_VersionRangeGetSupported(ssl_variant_stream, &supported_range) ) {
+ Debug( LDAP_DEBUG_ANY,
+ "TLS: error: could not get SSL supported version range (SSL_VersionRangeGetSupported).\n",
+ 0, 0, 0 );
+ return -1;
+ } else {
+ Debug( LDAP_DEBUG_ANY,
+ "TLS: info: SSL supported protocol version range is (%#04x, %#04x) (SSL_VersionRangeGetSupported).\n",
+ supported_range.min, supported_range.max, 0);
+ }
+ if ( SECSuccess != SSL_VersionRangeGetDefault(ssl_variant_stream, &default_range) ) {
+ Debug( LDAP_DEBUG_ANY,
+ "TLS: error: could not get SSL default protocol version range (SSL_VersionRangeGetDefault).\n",
+ 0, 0, 0 );
+ return -1;
+ } else {
+ Debug( LDAP_DEBUG_ANY,
+ "TLS: info: SSL default protocol version range is (%#04x, %#04x) (SSL_VersionRangeGetDefault).\n",
+ default_range.min, default_range.max, 0);
+ }
+ selected_range.min = lt->lt_protocol_min;
+ selected_range.max = supported_range.max;
+ Debug( LDAP_DEBUG_ANY,
+ "TLS: info: TLS configured protocol minimal version is %#04x.\n",
+ selected_range.min, selected_range.max, 0);
+ if ( (selected_range.min > supported_range.max) ||
+ (selected_range.max < supported_range.min) ) {
+ Debug( LDAP_DEBUG_ANY,
+ "TLS: error: selected protocol version range out of NSS-supported version range.\n",
+ 0, 0, 0);
+ return -1;
+ } else {
+ if ( SECSuccess != SSL_VersionRangeSet(ctx->tc_model, &selected_range) ) {
+ Debug( LDAP_DEBUG_ANY,
+ "TLS: error: could not set protocol version range (SSL_VersionRangeSet).\n",
+ 0, 0, 0);
+ return -1;
+ }
+ if ( SECSuccess != SSL_VersionRangeGet(ctx->tc_model, &selected_range) ) {
+ Debug( LDAP_DEBUG_ANY,
+ "TLS: error: could not get protocol version range (SSL_VersionRangeGet).\n",
+ 0, 0, 0);
+ return -1;
+ } else {
+ Debug( LDAP_DEBUG_ANY,
+ "TLS: info: SSL set protocol version range is (%#04x, %#04x) (SSL_VersionRangeGet).\n",
+ selected_range.min, selected_range.max, 0);
+ }
+ }
+ }
if ( SECSuccess != SSL_OptionSet( ctx->tc_model, SSL_HANDSHAKE_AS_CLIENT, !ctx->tc_is_server ) ) {
Debug( LDAP_DEBUG_ANY,


@ -1,36 +0,0 @@
diff --git a/libraries/libldap/init.c b/libraries/libldap/init.c
index 9b877a9..9a8d661 100644
--- a/libraries/libldap/init.c
+++ b/libraries/libldap/init.c
@@ -473,7 +473,7 @@ static void openldap_ldap_init_w_env(
* Sorry, don't know how to handle this for non-GCC environments.
*/
static void ldap_int_destroy_global_options(void)
- __attribute__ ((destructor));
+ __attribute__ ((destructor (2)));
#endif
static void
diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c
index 7f92783..f6c27de 100644
--- a/libraries/libldap/tls_m.c
+++ b/libraries/libldap/tls_m.c
@@ -1951,6 +1951,18 @@ tlsm_clientauth_init( tlsm_ctx *ctx )
return ( status == SECSuccess ? 0 : -1 );
}
+#if defined(__GNUC__)
+static void
+tlsm_destroy_on_unload(void) __attribute__ ((destructor (1)));
+
+static void
+tlsm_destroy_on_unload(void)
+{
+ if (NSS_IsInitialized())
+ NSS_UnregisterShutdown(tlsm_nss_shutdown_cb, NULL);
+}
+#endif
+
/*
* Tear down the TLS subsystem. Should only be called once.
*/


@ -1,257 +0,0 @@
diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c
index f6c27de..bba215a 100644
--- a/libraries/libldap/tls_m.c
+++ b/libraries/libldap/tls_m.c
@@ -76,6 +76,11 @@
#define HAVE_SECMOD_RESTARTMODULES 1
#endif
+/* NSS 3.20.0 and later have SHA384 ciphers */
+#if NSS_VERSION_INT >= 0x03140000
+#define HAVE_SHA384_CIPHERS 1
+#endif
+
/* InitContext does not currently work in server mode */
/* #define INITCONTEXT_HACK 1 */
@@ -210,27 +215,36 @@ typedef struct {
int num; /* The cipher id */
int attr; /* cipher attributes: algorithms, etc */
int version; /* protocol version valid for this cipher */
- int bits; /* bits of strength */
- int alg_bits; /* bits of the algorithm */
int strength; /* LOW, MEDIUM, HIGH */
int enabled; /* Enabled by default? */
} cipher_properties;
/* cipher attributes */
-#define SSL_kRSA 0x00000001L
-#define SSL_aRSA 0x00000002L
-#define SSL_aDSS 0x00000004L
-#define SSL_DSS SSL_aDSS
-#define SSL_eNULL 0x00000008L
-#define SSL_DES 0x00000010L
-#define SSL_3DES 0x00000020L
-#define SSL_RC4 0x00000040L
-#define SSL_RC2 0x00000080L
-#define SSL_AES 0x00000100L
-#define SSL_MD5 0x00000200L
-#define SSL_SHA1 0x00000400L
-#define SSL_SHA SSL_SHA1
-#define SSL_RSA (SSL_kRSA|SSL_aRSA)
+#define SSL_kRSA 0x00000001L
+#define SSL_aRSA 0x00000002L
+#define SSL_RSA (SSL_kRSA|SSL_aRSA)
+#define SSL_aDSA 0x00000004L
+#define SSL_DSA SSL_aDSA
+#define SSL_eNULL 0x00000008L
+#define SSL_DES 0x00000010L
+#define SSL_3DES 0x00000020L
+#define SSL_RC4 0x00000040L
+#define SSL_RC2 0x00000080L
+#define SSL_AES128 0x00000100L
+#define SSL_AES256 0x00000200L
+#define SSL_AES (SSL_AES128|SSL_AES256)
+#define SSL_MD5 0x00000400L
+#define SSL_SHA1 0x00000800L
+#define SSL_kEDH 0x00001000L
+#define SSL_CAMELLIA128 0x00002000L
+#define SSL_CAMELLIA256 0x00004000L
+#define SSL_CAMELLIA (SSL_CAMELLIA128|SSL_CAMELLIA256)
+#define SSL_SEED 0x00008000L
+#define SSL_kECDH 0x00010000L
+#define SSL_kECDHE 0x00020000L
+#define SSL_aECDSA 0x00040000L
+#define SSL_SHA256 0x00080000L
+#define SSL_SHA384 0x00100000L
/* cipher strength */
#define SSL_NULL 0x00000001L
@@ -244,32 +258,120 @@ typedef struct {
#define SSL3 0x00000002L
/* OpenSSL treats SSL3 and TLSv1 the same */
#define TLS1 SSL3
+#define TLS1_2 0x00000004L
/* Cipher translation */
static cipher_properties ciphers_def[] = {
- /* SSL 2 ciphers */
- {"DES-CBC3-MD5", SSL_EN_DES_192_EDE3_CBC_WITH_MD5, SSL_kRSA|SSL_aRSA|SSL_3DES|SSL_MD5, SSL2, 168, 168, SSL_HIGH, SSL_ALLOWED},
- {"RC2-CBC-MD5", SSL_EN_RC2_128_CBC_WITH_MD5, SSL_kRSA|SSL_aRSA|SSL_RC2|SSL_MD5, SSL2, 128, 128, SSL_MEDIUM, SSL_ALLOWED},
- {"RC4-MD5", SSL_EN_RC4_128_WITH_MD5, SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5, SSL2, 128, 128, SSL_MEDIUM, SSL_ALLOWED},
- {"DES-CBC-MD5", SSL_EN_DES_64_CBC_WITH_MD5, SSL_kRSA|SSL_aRSA|SSL_DES|SSL_MD5, SSL2, 56, 56, SSL_LOW, SSL_ALLOWED},
- {"EXP-RC2-CBC-MD5", SSL_EN_RC2_128_CBC_EXPORT40_WITH_MD5, SSL_kRSA|SSL_aRSA|SSL_RC2|SSL_MD5, SSL2, 40, 128, SSL_EXPORT40, SSL_ALLOWED},
- {"EXP-RC4-MD5", SSL_EN_RC4_128_EXPORT40_WITH_MD5, SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5, SSL2, 40, 128, SSL_EXPORT40, SSL_ALLOWED},
-
- /* SSL3 ciphers */
- {"RC4-MD5", SSL_RSA_WITH_RC4_128_MD5, SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5, SSL3, 128, 128, SSL_MEDIUM, SSL_ALLOWED},
- {"RC4-SHA", SSL_RSA_WITH_RC4_128_SHA, SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_SHA1, SSL3, 128, 128, SSL_MEDIUM, SSL_ALLOWED},
- {"DES-CBC3-SHA", SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_3DES|SSL_SHA1, SSL3, 168, 168, SSL_HIGH, SSL_ALLOWED},
- {"DES-CBC-SHA", SSL_RSA_WITH_DES_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_DES|SSL_SHA1, SSL3, 56, 56, SSL_LOW, SSL_ALLOWED},
- {"EXP-RC4-MD5", SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5, SSL3, 40, 128, SSL_EXPORT40, SSL_ALLOWED},
- {"EXP-RC2-CBC-MD5", SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5, SSL_kRSA|SSL_aRSA|SSL_RC2|SSL_MD5, SSL3, 0, 0, SSL_EXPORT40, SSL_ALLOWED},
- {"NULL-MD5", SSL_RSA_WITH_NULL_MD5, SSL_kRSA|SSL_aRSA|SSL_eNULL|SSL_MD5, SSL3, 0, 0, SSL_NULL, SSL_NOT_ALLOWED},
- {"NULL-SHA", SSL_RSA_WITH_NULL_SHA, SSL_kRSA|SSL_aRSA|SSL_eNULL|SSL_SHA1, SSL3, 0, 0, SSL_NULL, SSL_NOT_ALLOWED},
+
+ /*
+ * Use the same DEFAULT cipher list as OpenSSL, which is defined as: ALL:!aNULL:!eNULL:!SSLv2
+ */
+
+ /* SSLv2 ciphers */
+ {"DES-CBC-MD5", SSL_EN_DES_64_CBC_WITH_MD5, SSL_kRSA|SSL_aRSA|SSL_DES|SSL_MD5, SSL2, SSL_LOW},
+ {"DES-CBC3-MD5", SSL_EN_DES_192_EDE3_CBC_WITH_MD5, SSL_kRSA|SSL_aRSA|SSL_3DES|SSL_MD5, SSL2, SSL_HIGH},
+ {"RC2-CBC-MD5", SSL_EN_RC2_128_CBC_WITH_MD5, SSL_kRSA|SSL_aRSA|SSL_RC2|SSL_MD5, SSL2, SSL_MEDIUM},
+ {"RC4-MD5", SSL_EN_RC4_128_WITH_MD5, SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5, SSL2, SSL_MEDIUM},
+ {"EXP-RC2-CBC-MD5", SSL_EN_RC2_128_CBC_EXPORT40_WITH_MD5, SSL_kRSA|SSL_aRSA|SSL_RC2|SSL_MD5, SSL2, SSL_EXPORT40},
+ {"EXP-RC4-MD5", SSL_EN_RC4_128_EXPORT40_WITH_MD5, SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5, SSL2, SSL_EXPORT40},
+
+ /* SSLv3 ciphers */
+ {"NULL-MD5", SSL_RSA_WITH_NULL_MD5, SSL_kRSA|SSL_aRSA|SSL_eNULL|SSL_MD5, SSL3, SSL_NULL},
+ {"NULL-SHA", SSL_RSA_WITH_NULL_SHA, SSL_kRSA|SSL_aRSA|SSL_eNULL|SSL_SHA1, SSL3, SSL_NULL},
+ {"DES-CBC-SHA", SSL_RSA_WITH_DES_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_DES|SSL_SHA1, SSL3, SSL_LOW},
+ {"DES-CBC3-SHA", SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_3DES|SSL_SHA1, SSL3, SSL_HIGH},
+ {"RC4-MD5", SSL_RSA_WITH_RC4_128_MD5, SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5, SSL3, SSL_MEDIUM},
+ {"RC4-SHA", SSL_RSA_WITH_RC4_128_SHA, SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_SHA1, SSL3, SSL_MEDIUM},
+ {"EXP-RC2-CBC-MD5", SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5, SSL_kRSA|SSL_aRSA|SSL_RC2|SSL_MD5, SSL3, SSL_EXPORT40},
+ {"EXP-RC4-MD5", SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5, SSL3, SSL_EXPORT40},
+ {"EDH-RSA-DES-CBC-SHA", SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_kEDH|SSL_aRSA|SSL_DES|SSL_SHA1, SSL3, SSL_LOW},
+ {"EDH-RSA-DES-CBC3-SHA", SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_kEDH|SSL_aRSA|SSL_3DES|SSL_SHA1, SSL3, SSL_HIGH},
+ {"EDH-DSS-DES-CBC-SHA", SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_kEDH|SSL_aDSA|SSL_DES|SSL_SHA1, SSL3, SSL_LOW},
+ {"EDH-DSS-DES-CBC3-SHA", SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_kEDH|SSL_aDSA|SSL_3DES|SSL_SHA1, SSL3, SSL_HIGH},
/* TLSv1 ciphers */
- {"EXP1024-DES-CBC-SHA", TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_DES|SSL_SHA, TLS1, 56, 56, SSL_EXPORT56, SSL_ALLOWED},
- {"EXP1024-RC4-SHA", TLS_RSA_EXPORT1024_WITH_RC4_56_SHA, SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_SHA, TLS1, 56, 56, SSL_EXPORT56, SSL_ALLOWED},
- {"AES128-SHA", TLS_RSA_WITH_AES_128_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_AES|SSL_SHA, TLS1, 128, 128, SSL_HIGH, SSL_ALLOWED},
- {"AES256-SHA", TLS_RSA_WITH_AES_256_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_AES|SSL_SHA, TLS1, 256, 256, SSL_HIGH, SSL_ALLOWED},
+ {"EXP1024-DES-CBC-SHA", TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_DES|SSL_SHA1, TLS1, SSL_EXPORT56},
+ {"EXP1024-RC4-SHA", TLS_RSA_EXPORT1024_WITH_RC4_56_SHA, SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_SHA1, TLS1, SSL_EXPORT56},
+ {"SEED-SHA", TLS_RSA_WITH_SEED_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_SEED|SSL_SHA1, TLS1, SSL_MEDIUM},
+ {"AES128-SHA", TLS_RSA_WITH_AES_128_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_AES128|SSL_SHA1, TLS1, SSL_HIGH},
+ {"AES256-SHA", TLS_RSA_WITH_AES_256_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_AES256|SSL_SHA1, TLS1, SSL_HIGH},
+ {"CAMELLIA256-SHA", TLS_RSA_WITH_CAMELLIA_256_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_CAMELLIA256|SSL_SHA1, TLS1, SSL_HIGH},
+ {"CAMELLIA128-SHA", TLS_RSA_WITH_CAMELLIA_128_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_CAMELLIA128|SSL_SHA1, TLS1, SSL_HIGH},
+ {"DHE-RSA-AES128-SHA", TLS_DHE_RSA_WITH_AES_128_CBC_SHA, SSL_kEDH|SSL_aRSA|SSL_AES128|SSL_SHA1, TLS1, SSL_HIGH},
+ {"DHE-RSA-AES256-SHA", TLS_DHE_RSA_WITH_AES_256_CBC_SHA, SSL_kEDH|SSL_aRSA|SSL_AES256|SSL_SHA1, TLS1, SSL_HIGH},
+ {"DHE-RSA-CAMELLIA128-SHA", TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA, SSL_kEDH|SSL_aRSA|SSL_CAMELLIA128|SSL_SHA1, TLS1, SSL_HIGH},
+ {"DHE-RSA-CAMELLIA256-SHA", TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA, SSL_kEDH|SSL_aRSA|SSL_CAMELLIA256|SSL_SHA1, TLS1, SSL_HIGH},
+ {"DHE-DSS-RC4-SHA", TLS_DHE_DSS_WITH_RC4_128_SHA, SSL_kEDH|SSL_aDSA|SSL_RC4|SSL_SHA1, TLS1, SSL_MEDIUM},
+ {"DHE-DSS-AES128-SHA", TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_kEDH|SSL_aDSA|SSL_AES128|SSL_SHA1, TLS1, SSL_HIGH},
+ {"DHE-DSS-AES256-SHA", TLS_DHE_DSS_WITH_AES_256_CBC_SHA, SSL_kEDH|SSL_aDSA|SSL_AES256|SSL_SHA1, TLS1, SSL_HIGH},
+ {"DHE-DSS-CAMELLIA128-SHA", TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA, SSL_kEDH|SSL_aDSA|SSL_CAMELLIA128|SSL_SHA1, TLS1, SSL_HIGH},
+ {"DHE-DSS-CAMELLIA256-SHA", TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA, SSL_kEDH|SSL_aDSA|SSL_CAMELLIA256|SSL_SHA1, TLS1, SSL_HIGH},
+ {"ECDH-RSA-NULL-SHA", TLS_ECDH_RSA_WITH_NULL_SHA, SSL_kECDH|SSL_aRSA|SSL_eNULL|SSL_SHA1, TLS1, SSL_NULL},
+ {"ECDH-RSA-RC4-SHA", TLS_ECDH_RSA_WITH_RC4_128_SHA, SSL_kECDH|SSL_aRSA|SSL_RC4|SSL_SHA1, TLS1, SSL_MEDIUM},
+ {"ECDH-RSA-DES-CBC3-SHA", TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_kECDH|SSL_aRSA|SSL_3DES|SSL_SHA1, TLS1, SSL_HIGH},
+ {"ECDH-RSA-AES128-SHA", TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, SSL_kECDH|SSL_aRSA|SSL_AES128|SSL_SHA1, TLS1, SSL_HIGH},
+ {"ECDH-RSA-AES256-SHA", TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, SSL_kECDH|SSL_aRSA|SSL_AES256|SSL_SHA1, TLS1, SSL_HIGH},
+ {"ECDH-ECDSA-NULL-SHA", TLS_ECDH_ECDSA_WITH_NULL_SHA, SSL_kECDH|SSL_aECDSA|SSL_eNULL|SSL_SHA1, TLS1, SSL_NULL},
+ {"ECDH-ECDSA-RC4-SHA", TLS_ECDH_ECDSA_WITH_RC4_128_SHA, SSL_kECDH|SSL_aECDSA|SSL_RC4|SSL_SHA1, TLS1, SSL_MEDIUM},
+ {"ECDH-ECDSA-DES-CBC3-SHA", TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_kECDH|SSL_aECDSA|SSL_3DES|SSL_SHA1, TLS1, SSL_HIGH},
+ {"ECDH-ECDSA-AES128-SHA", TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, SSL_kECDH|SSL_aECDSA|SSL_AES128|SSL_SHA1, TLS1, SSL_HIGH},
+ {"ECDH-ECDSA-AES256-SHA", TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, SSL_kECDH|SSL_aECDSA|SSL_AES256|SSL_SHA1, TLS1, SSL_HIGH},
+ {"ECDHE-RSA-NULL-SHA", TLS_ECDHE_RSA_WITH_NULL_SHA, SSL_kECDHE|SSL_aRSA|SSL_eNULL|SSL_SHA1, TLS1, SSL_NULL},
+ {"ECDHE-RSA-RC4-SHA", TLS_ECDHE_RSA_WITH_RC4_128_SHA, SSL_kECDHE|SSL_aRSA|SSL_RC4|SSL_SHA1, TLS1, SSL_MEDIUM},
+ {"ECDHE-RSA-DES-CBC3-SHA", TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_kECDHE|SSL_aRSA|SSL_3DES|SSL_SHA1, TLS1, SSL_HIGH},
+ {"ECDHE-RSA-AES128-SHA", TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, SSL_kECDHE|SSL_aRSA|SSL_AES128|SSL_SHA1, TLS1, SSL_HIGH},
+ {"ECDHE-RSA-AES256-SHA", TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, SSL_kECDHE|SSL_aRSA|SSL_AES256|SSL_SHA1, TLS1, SSL_HIGH},
+ {"ECDHE-ECDSA-NULL-SHA", TLS_ECDHE_ECDSA_WITH_NULL_SHA, SSL_kECDHE|SSL_aECDSA|SSL_eNULL|SSL_SHA1, TLS1, SSL_NULL},
+ {"ECDHE-ECDSA-RC4-SHA", TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, SSL_kECDHE|SSL_aECDSA|SSL_RC4|SSL_SHA1, TLS1, SSL_MEDIUM},
+ {"ECDHE-ECDSA-DES-CBC3-SHA", TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_kECDHE|SSL_aECDSA|SSL_3DES|SSL_SHA1, TLS1, SSL_HIGH},
+ {"ECDHE-ECDSA-AES128-SHA", TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, SSL_kECDHE|SSL_aECDSA|SSL_AES128|SSL_SHA1, TLS1, SSL_HIGH},
+ {"ECDHE-ECDSA-AES256-SHA", TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, SSL_kECDHE|SSL_aECDSA|SSL_AES256|SSL_SHA1, TLS1, SSL_HIGH},
+
+/* conditional on one of the newer defs */
+#ifdef TLS_RSA_WITH_AES_128_GCM_SHA256
+ /* TLSv1.2 ciphers */
+ /* The following ciphers appear in the openssl sources as TLSv1.2 but currently have no NSS equivalent
+
+ DHE-DSS-AES256-GCM-SHA384 TLSv1.2 Kx=DH Au=DSS Enc=AESGCM(256) Mac=AEAD
+ ECDH-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AESGCM(256) Mac=AEAD
+ ECDH-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AESGCM(256) Mac=AEAD
+ ECDH-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AES(256) Mac=SHA384
+ ECDH-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AES(256) Mac=SHA384
+ ECDH-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AESGCM(128) Mac=AEAD
+ ECDH-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AESGCM(128) Mac=AEAD
+ ECDH-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AES(128) Mac=SHA256
+ ECDH-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AES(128) Mac=SHA256
+
+ */
+ {"NULL-SHA256", TLS_RSA_WITH_NULL_SHA256, SSL_kRSA|SSL_aRSA|SSL_eNULL|SSL_SHA256, TLS1_2, SSL_NULL},
+ {"AES128-SHA256", TLS_RSA_WITH_AES_128_CBC_SHA256, SSL_kRSA|SSL_aRSA|SSL_AES128|SSL_SHA256, TLS1_2, SSL_HIGH},
+ {"AES256-SHA256", TLS_RSA_WITH_AES_256_CBC_SHA256, SSL_kRSA|SSL_aRSA|SSL_AES256|SSL_SHA256, TLS1_2, SSL_HIGH},
+ {"AES128-GCM-SHA256", TLS_RSA_WITH_AES_128_GCM_SHA256, SSL_kRSA|SSL_aRSA|SSL_AES128|SSL_AESGCM|SSL_AEAD, TLS1_2, SSL_HIGH},
+ {"AES256-GCM-SHA384", TLS_RSA_WITH_AES_256_GCM_SHA384, SSL_kRSA|SSL_aRSA|SSL_AES256|SSL_AESGCM|SSL_AEAD, TLS1_2, SSL_HIGH},
+
+ {"DHE-RSA-AES256-SHA256", TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, SSL_kEDH|SSL_aRSA|SSL_AES256|SSL_SHA256, TLS1_2, SSL_HIGH},
+ {"DHE-RSA-AES128-SHA256", TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, SSL_kEDH|SSL_aRSA|SSL_AES128|SSL_SHA256, TLS1_2, SSL_HIGH},
+ {"DHE-RSA-AES128-GCM-SHA256", TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, SSL_kEDH|SSL_aRSA|SSL_AES128|SSL_AESGCM|SSL_AEAD, TLS1_2, SSL_HIGH},
+ {"DHE-RSA-AES256-GCM-SHA384", TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, SSL_kEDH|SSL_aRSA|SSL_AES256|SSL_AESGCM|SSL_AEAD, TLS1_2, SSL_HIGH},
+
+ {"DHE-DSS-AES128-SHA256", TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, SSL_kEDH|SSL_aDSA|SSL_AES128|SSL_SHA256, TLS1_2, SSL_HIGH},
+ {"DHE-DSS-AES256-SHA256", TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, SSL_kEDH|SSL_aDSA|SSL_AES256|SSL_SHA256, TLS1_2, SSL_HIGH},
+ {"DHE-DSS-AES128-GCM-SHA256", TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, SSL_kEDH|SSL_aDSA|SSL_AES128|SSL_AESGCM|SSL_AEAD, TLS1_2, SSL_HIGH},
+ {"DHE-DSS-AES256-GCM-SHA384", TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, SSL_kEDH|SSL_aDSA|SSL_AES256|SSL_AESGCM|SSL_AEAD, TLS1_2, SSL_HIGH},
+
+ {"ECDHE-ECDSA-AES128-SHA256", TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, SSL_kECDHE|SSL_aECDSA|SSL_AES128|SSL_SHA256, TLS1_2, SSL_HIGH},
+ {"ECDHE-RSA-AES128-SHA256", TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, SSL_kECDHE|SSL_aRSA|SSL_AES128|SSL_SHA256, TLS1_2, SSL_HIGH},
+ {"ECDHE-ECDSA-AES128-GCM-SHA256", TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, SSL_kECDHE|SSL_aECDSA|SSL_AES128|SSL_AESGCM|SSL_AEAD, TLS1_2, SSL_HIGH},
+ {"ECDHE-RSA-AES128-GCM-SHA256", TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, SSL_kECDHE|SSL_aRSA|SSL_AES128|SSL_AESGCM|SSL_AEAD, TLS1_2, SSL_HIGH},
+ {"ECDHE-ECDSA-AES256-GCM-SHA384", TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, SSL_kECDHE|SSL_aECDSA|SSL_AES256|SSL_AESGCM|SSL_AEAD, TLS1_2, SSL_HIGH},
+ {"ECDHE-RSA-AES256-GCM-SHA384", TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, SSL_kECDHE|SSL_aRSA|SSL_AES256|SSL_AESGCM|SSL_AEAD, TLS1_2, SSL_HIGH},
+ {"ECDHE-ECDSA-AES256-SHA384", TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, SSL_kECDHE|SSL_aECDSA|SSL_AES256|SSL_SHA384, TLS1_2, SSL_HIGH},
+ {"ECDHE-RSA-AES256-SHA384", TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, SSL_kECDHE|SSL_aRSA|SSL_AES256|SSL_SHA384, TLS1_2, SSL_HIGH},
+#endif
+
+ {"ECDHE-RSA-CHACHA20-POLY1305", 0xcca8 /* TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 */, SSL_kECDHE|SSL_aRSA|SSL_CHACHA20POLY1305|SSL_AEAD, TLS1_2, SSL_HIGH},
+ {"ECDHE-ECDSA-CHACHA20-POLY1305", 0xcca9 /* TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 */, SSL_kECDHE|SSL_aECDSA|SSL_CHACHA20POLY1305|SSL_AEAD, TLS1_2, SSL_HIGH},
+ {"DHE-RSA-CHACHA20-POLY1305", 0xccaa /* TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 */, SSL_kEDH|SSL_aRSA|SSL_CHACHA20POLY1305|SSL_AEAD, TLS1_2, SSL_HIGH},
};
#define ciphernum (sizeof(ciphers_def)/sizeof(cipher_properties))
@@ -585,6 +687,10 @@ nss_parse_ciphers(const char *cipherstr, int cipher_list[ciphernum])
mask |= SSL_RSA;
} else if ((!strcmp(cipher, "NULL")) || (!strcmp(cipher, "eNULL"))) {
mask |= SSL_eNULL;
+ } else if (!strcmp(cipher, "AES128")) {
+ mask |= SSL_AES128;
+ } else if (!strcmp(cipher, "AES256")) {
+ mask |= SSL_AES256;
} else if (!strcmp(cipher, "AES")) {
mask |= SSL_AES;
} else if (!strcmp(cipher, "3DES")) {
@@ -599,12 +705,34 @@ nss_parse_ciphers(const char *cipherstr, int cipher_list[ciphernum])
mask |= SSL_MD5;
} else if ((!strcmp(cipher, "SHA")) || (!strcmp(cipher, "SHA1"))) {
mask |= SSL_SHA1;
+ } else if (!strcmp(cipher, "SHA256")) {
+ mask |= SSL_SHA256;
+ } else if (!strcmp(cipher, "EDH")) {
+ mask |= SSL_kEDH;
+ } else if (!strcmp(cipher, "DSS")) {
+ mask |= SSL_aDSA;
+ } else if (!strcmp(cipher, "CAMELLIA128")) {
+ mask |= SSL_CAMELLIA128;
+ } else if (!strcmp(cipher, "CAMELLIA256")) {
+ mask |= SSL_CAMELLIA256;
+ } else if (!strcmp(cipher, "CAMELLIA")) {
+ mask |= SSL_CAMELLIA;
+ } else if (!strcmp(cipher, "SEED")) {
+ mask |= SSL_SEED;
+ } else if (!strcmp(cipher, "ECDH")) {
+ mask |= SSL_kECDH;
+ } else if (!strcmp(cipher, "ECDHE")) {
+ mask |= SSL_kECDHE;
+ } else if (!strcmp(cipher, "ECDSA")) {
+ mask |= SSL_aECDSA;
} else if (!strcmp(cipher, "SSLv2")) {
protocol |= SSL2;
} else if (!strcmp(cipher, "SSLv3")) {
protocol |= SSL3;
} else if (!strcmp(cipher, "TLSv1")) {
protocol |= TLS1;
+ } else if (!strcmp(cipher, "TLSv1.2")) {
+ protocol |= TLS1_2;
} else if (!strcmp(cipher, "HIGH")) {
strength |= SSL_HIGH;
} else if (!strcmp(cipher, "MEDIUM")) {


@ -1,51 +0,0 @@
diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c
index 3139eaf..49dc9b1 100644
--- a/libraries/libldap/tls_m.c
+++ b/libraries/libldap/tls_m.c
@@ -146,7 +146,6 @@ static int tlsm_init( void );
*/
static ldap_pvt_thread_mutex_t tlsm_ctx_count_mutex;
static ldap_pvt_thread_mutex_t tlsm_init_mutex;
-static ldap_pvt_thread_mutex_t tlsm_pem_mutex;
static PRCallOnceType tlsm_init_mutex_callonce = {0,0};
static PRStatus PR_CALLBACK
@@ -164,12 +163,6 @@ tlsm_thr_init_callonce( void )
return PR_FAILURE;
}
- if ( ldap_pvt_thread_mutex_init( &tlsm_pem_mutex ) ) {
- Debug( LDAP_DEBUG_ANY,
- "TLS: could not create mutex for PEM module: %d\n", errno, 0, 0 );
- return PR_FAILURE;
- }
-
return PR_SUCCESS;
}
@@ -2153,7 +2146,6 @@ tlsm_destroy( void )
#ifdef LDAP_R_COMPILE
ldap_pvt_thread_mutex_destroy( &tlsm_ctx_count_mutex );
ldap_pvt_thread_mutex_destroy( &tlsm_init_mutex );
- ldap_pvt_thread_mutex_destroy( &tlsm_pem_mutex );
#endif
}
@@ -2840,16 +2832,9 @@ static int
tlsm_session_accept_or_connect( tls_session *session, int is_accept )
{
tlsm_session *s = (tlsm_session *)session;
- int rc;
+ int rc = SSL_ForceHandshake( s );
const char *op = is_accept ? "accept" : "connect";
- if ( pem_module ) {
- LDAP_MUTEX_LOCK( &tlsm_pem_mutex );
- }
- rc = SSL_ForceHandshake( s );
- if ( pem_module ) {
- LDAP_MUTEX_UNLOCK( &tlsm_pem_mutex );
- }
if ( rc ) {
PRErrorCode err = PR_GetError();
rc = -1;


@ -1,42 +0,0 @@
diff --git a/include/ldap.h b/include/ldap.h
index c245651..149b9ea 100644
--- a/include/ldap.h
+++ b/include/ldap.h
@@ -176,6 +176,7 @@ LDAP_BEGIN_DECL
#define LDAP_OPT_X_TLS_PROTOCOL_TLS1_0 ((3 << 8) + 1)
#define LDAP_OPT_X_TLS_PROTOCOL_TLS1_1 ((3 << 8) + 2)
#define LDAP_OPT_X_TLS_PROTOCOL_TLS1_2 ((3 << 8) + 3)
+#define LDAP_OPT_X_TLS_PROTOCOL_TLS1_3 ((3 << 8) + 4)
/* OpenLDAP SASL options */
#define LDAP_OPT_X_SASL_MECH 0x6100
diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c
index 49dc9b1..9e825c9 100644
--- a/libraries/libldap/tls_m.c
+++ b/libraries/libldap/tls_m.c
@@ -1849,6 +1849,8 @@ tlsm_deferred_init( void *arg )
NSSInitContext *initctx = NULL;
PK11SlotInfo *certdb_slot = NULL;
#endif
+ SSLVersionRange range;
+ SSLProtocolVariant variant;
SECStatus rc;
int done = 0;
@@ -2031,6 +2033,16 @@ tlsm_deferred_init( void *arg )
}
}
+ /*
+ * Set the SSL version range. MozNSS SSL versions are the same as openldap's:
+ *
+ * SSL_LIBRARY_VERSION_TLS_1_* are equivalent to LDAP_OPT_X_TLS_PROTOCOL_TLS1_*
+ */
+ SSL_VersionRangeGetSupported(ssl_variant_stream, &range); /* this sets the max */
+ range.min = lt->lt_protocol_min ? lt->lt_protocol_min : range.min;
+ variant = ssl_variant_stream;
+ SSL_VersionRangeSetDefault(variant, &range);
+
NSS_SetDomesticPolicy();
PK11_SetPasswordFunc( tlsm_pin_prompt );


@ -1,35 +0,0 @@
diff --git a/libraries/libldap/tls2.c b/libraries/libldap/tls2.c
index d25c190..94399d7 100644
--- a/libraries/libldap/tls2.c
+++ b/libraries/libldap/tls2.c
@@ -149,6 +149,9 @@ ldap_pvt_tls_destroy( void )
tls_imp->ti_tls_destroy();
}
+#ifdef LDAP_R_COMPILE
+static pthread_once_t tlsm_initialized = PTHREAD_ONCE_INIT;
+#endif
/*
* Initialize a particular TLS implementation.
* Called once per implementation.
@@ -158,6 +161,10 @@ tls_init(tls_impl *impl )
{
static int tls_initialized = 0;
+#ifdef LDAP_R_COMPILE
+ (void)pthread_once(&tlsm_initialized, impl->ti_thr_init);
+#endif
+
if ( !tls_initialized++ ) {
#ifdef LDAP_R_COMPILE
ldap_pvt_thread_mutex_init( &tls_def_ctx_mutex );
@@ -166,9 +173,6 @@ tls_init(tls_impl *impl )
if ( impl->ti_inited++ ) return 0;
-#ifdef LDAP_R_COMPILE
- impl->ti_thr_init();
-#endif
return impl->ti_tls_init();
}


openldap-2.6.0.tgz Normal file



@ -1,24 +0,0 @@
Ensure SSLv3 is enabled when necessary
Either at compilation time, or as a system-wide configuration, OpenSSL
may have disabled SSLv3 protocol by default. This change ensures the
protocol NO flag is cleared when necessary, hence allowing for the
protocol to be used.
Author: Matus Honek <mhonek@redhat.com>
diff --git a/libraries/libldap/tls_o.c b/libraries/libldap/tls_o.c
--- a/libraries/libldap/tls_o.c
+++ b/libraries/libldap/tls_o.c
@@ -297,8 +297,10 @@ tlso_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server )
#endif
if ( lo->ldo_tls_protocol_min > LDAP_OPT_X_TLS_PROTOCOL_SSL3 )
SSL_CTX_set_options( ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 );
- else if ( lo->ldo_tls_protocol_min > LDAP_OPT_X_TLS_PROTOCOL_SSL2 )
+ else if ( lo->ldo_tls_protocol_min > LDAP_OPT_X_TLS_PROTOCOL_SSL2 ) {
SSL_CTX_set_options( ctx, SSL_OP_NO_SSLv2 );
+ SSL_CTX_clear_options( ctx, SSL_OP_NO_SSLv3 );
+ }
if ( lo->ldo_tls_ciphersuite &&
!SSL_CTX_set_cipher_list( ctx, lt->lt_ciphersuite ) )


@ -1,8 +1,8 @@
%global systemctl_bin /usr/bin/systemctl %global systemctl_bin /usr/bin/systemctl
Name: openldap Name: openldap
Version: 2.4.50 Version: 2.6.0
Release: 8 Release: 1
Summary: LDAP support libraries Summary: LDAP support libraries
License: OpenLDAP License: OpenLDAP
URL: https://www.openldap.org/ URL: https://www.openldap.org/
@ -16,58 +16,19 @@ Source50: libexec-functions
Source52: libexec-check-config.sh Source52: libexec-check-config.sh
Source53: libexec-upgrade-db.sh Source53: libexec-upgrade-db.sh
Patch0: openldap-manpages.patch Patch0: backport-openldap-manpages.patch
Patch1: openldap-reentrant-gethostby.patch Patch1: backport-openldap-reentrant-gethostby.patch
Patch2: openldap-smbk5pwd-overlay.patch Patch2: backport-openldap-smbk5pwd-overlay.patch
Patch3: openldap-ai-addrconfig.patch Patch3: backport-openldap-ai-addrconfig.patch
Patch4: openldap-allop-overlay.patch Patch4: backport-openldap-allop-overlay.patch
# http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=327585 Patch5: backport-openldap-switch-to-lt_dlopenadvise-to-get-RTLD_GLOBAL-set.patch
Patch5: openldap-switch-to-lt_dlopenadvise-to-get-RTLD_GLOBAL-set.patch Patch7: backport-check-password-makefile.patch
Patch6: openldap-openssl-allow-ssl3.patch Patch8: backport-check-password.patch
Patch7: check-password-makefile.patch Patch9: add-ber_sockbuf_io_udp-to-liber.map.patch
Patch8: check-password.patch
Patch9: bugfix-openldap-autoconf-pkgconfig-nss.patch
Patch10: bugfix-openldap-nss-ciphers-use-nss-defaults.patch
Patch11: bugfix-openldap-nss-ignore-certdb-type-prefix.patch
Patch12: bugfix-openldap-nss-pk11-freeslot.patch
Patch13: bugfix-openldap-nss-protocol-version-new-api.patch
Patch14: bugfix-openldap-nss-unregister-on-unload.patch
Patch15: bugfix-openldap-nss-update-list-of-ciphers.patch
Patch16: bugfix-openldap-nss-ciphersuite-handle-masks-correctly.patch
Patch17: bugfix-openldap-ssl-deadlock-revert.patch
Patch18: bugfix-openldap-support-tlsv1-and-later.patch
Patch19: bugfix-openldap-temporary-ssl-thr-init-race.patch
Patch20: Fix-calls-to-SLAP_DEVPOLL_SOCK_LX-for-multi-listener.patch
Patch21: Fixup-for-binary-config-attrs.patch
Patch22: bugfix-openldap-ITS9160-OOM-Handing.patch
Patch23: bugfix-openldap-fix-implicit-function-declaration.patch
Patch24: bugfix-openldap-ITS-8650-Fix-Debug-usage-to-follow-RE24-format.patch
Patch25: CVE-2020-15719.patch
Patch26: CVE-2020-25692.patch
Patch27: CVE-2020-36221-1.patch
Patch28: CVE-2020-36221-2.patch
Patch29: CVE-2020-36222-1.patch
Patch30: CVE-2020-36222-2.patch
Patch31: CVE-2020-36223.patch
Patch32: CVE-2020-36224_36225_36226-1.patch
Patch33: CVE-2020-36224_36225_36226-2.patch
Patch34: CVE-2020-36224_36225_36226-3.patch
Patch35: CVE-2020-36224_36225_36226-4.patch
Patch36: CVE-2020-36227.patch
Patch37: CVE-2020-36228.patch
Patch38: CVE-2020-36230.patch
Patch39: CVE-2020-36229.patch
Patch40: backport-delete-back-bdb-back-hdb.patch
Patch41: backport-Fix-test-suite.patch
Patch42: backport-ITS-9010-regenerate-configure.patch
Patch43: backport-ITS-9010-More-BDB-HDB-cleanup.patch
Patch44: CVE-2021-27212.patch
Patch45: CVE-2020-25709.patch
Patch46: CVE-2020-25710.patch
BuildRequires: cyrus-sasl-devel openssl-devel krb5-devel unixODBC-devel BuildRequires: cyrus-sasl-devel openssl-devel krb5-devel unixODBC-devel
BuildRequires: glibc-devel libtool libtool-ltdl-devel groff perl-interpreter perl-devel perl-generators perl-ExtUtils-Embed BuildRequires: glibc-devel libtool libtool-ltdl-devel groff perl-interpreter perl-devel perl-generators perl-ExtUtils-Embed
BuildRequires: openldap
%description %description
OpenLDAP is an open source suite of LDAP (Lightweight Directory Access OpenLDAP is an open source suite of LDAP (Lightweight Directory Access
Protocol) applications and development tools. LDAP is a set of Protocol) applications and development tools. LDAP is a set of
@ -135,46 +96,8 @@ AUTOMAKE=%{_bindir}/true autoreconf -fi
%patch3 -p1 %patch3 -p1
%patch4 -p1 %patch4 -p1
%patch5 -p1 %patch5 -p1
%patch6 -p1
%patch9 -p1 %patch9 -p1
%patch10 -p1
%patch11 -p1
%patch12 -p1
%patch13 -p1
%patch14 -p1
%patch15 -p1
%patch16 -p1
%patch17 -p1
%patch18 -p1
%patch19 -p1
%patch20 -p1
%patch21 -p1
%patch22 -p1
%patch23 -p1
%patch24 -p1
%patch25 -p1
%patch26 -p1
%patch27 -p1
%patch28 -p1
%patch29 -p1
%patch30 -p1
%patch31 -p1
%patch32 -p1
%patch33 -p1
%patch34 -p1
%patch35 -p1
%patch36 -p1
%patch37 -p1
%patch38 -p1
%patch39 -p1
%patch40 -p1
%patch41 -p1
%patch42 -p1
%patch43 -p1
%patch44 -p1
%patch45 -p1
%patch46 -p1
ln -s ../../../contrib/slapd-modules/smbk5pwd/smbk5pwd.c servers/slapd/overlays ln -s ../../../contrib/slapd-modules/smbk5pwd/smbk5pwd.c servers/slapd/overlays
mv contrib/slapd-modules/smbk5pwd/README contrib/slapd-modules/smbk5pwd/README.smbk5pwd mv contrib/slapd-modules/smbk5pwd/README contrib/slapd-modules/smbk5pwd/README.smbk5pwd
@ -208,7 +131,7 @@ pushd openldap-%{version}
--enable-spasswd --enable-modules --enable-rewrite \ --enable-spasswd --enable-modules --enable-rewrite \
--enable-rlookups --enable-slapi --disable-slp \ --enable-rlookups --enable-slapi --disable-slp \
--enable-backends=mod \ --enable-backends=mod \
--enable-mdb=yes --enable-monitor=yes --disable-ndb \ --enable-mdb=yes --enable-monitor=yes --disable-wt \
--disable-sql --enable-overlays=mod --disable-static \ --disable-sql --enable-overlays=mod --disable-static \
--with-cyrus-sasl --without-fetch --with-threads \ --with-cyrus-sasl --without-fetch --with-threads \
--with-pic --with-gnu-ld --libexecdir=%{_libdir} --with-pic --with-gnu-ld --libexecdir=%{_libdir}
@ -290,11 +213,11 @@ v=%{version}
version=$(echo ${v%.[0-9]*}) version=$(echo ${v%.[0-9]*})
for lib in liblber libldap libldap_r libslapi; do for lib in liblber libldap libldap_r libslapi; do
rm -f ${lib}.so rm -f ${lib}.so
ln -s ${lib}-${version}.so.2 ${lib}.so ln -s ${lib}.so.2 ${lib}.so
done done
popd popd
chmod 0755 %{buildroot}%{_libdir}/lib*.so* chmod 0755 %{buildroot}%{_libdir}/lib*.so.*
chmod 0644 %{buildroot}%{_libdir}/lib*.*a chmod 0644 %{buildroot}%{_libdir}/lib*.*a
install -d %{buildroot}%{_datadir} install -d %{buildroot}%{_datadir}
@ -306,6 +229,11 @@ mv %{buildroot}%{_sysconfdir}/openldap/schema/README README.schema
rm -f %{buildroot}%{_libdir}/*.la rm -f %{buildroot}%{_libdir}/*.la
rm -f %{buildroot}%{_localstatedir}/openldap-data/DB_CONFIG.example rm -f %{buildroot}%{_localstatedir}/openldap-data/DB_CONFIG.example
ln -fs libldap.so "%{buildroot}%{_libdir}/libldap_r.so"
cp -d %{_libdir}/liblber-2.4* %{buildroot}%{_libdir}/
cp -d %{_libdir}/libldap-2.4* %{buildroot}%{_libdir}/
cp -d %{_libdir}/libldap_r-2.4* %{buildroot}%{_libdir}/
%ldconfig_scriptlets %ldconfig_scriptlets
@ -438,6 +366,7 @@ popd
%defattr(-,root,root) %defattr(-,root,root)
%{_libdir}/lib*.so %{_libdir}/lib*.so
%{_includedir}/* %{_includedir}/*
%{_libdir}/pkgconfig/*.pc
%files help %files help
%defattr(-,root,root) %defattr(-,root,root)
@ -454,6 +383,12 @@ popd
%doc ltb-project-openldap-ppolicy-check-password-1.1/README.check_pwd %doc ltb-project-openldap-ppolicy-check-password-1.1/README.check_pwd
%changelog %changelog
* Tue Dec 21 2021 gaihuiying <gaihuiying1@huawei.com> - 2.6.0-1
- Type:requirement
- ID:NA
- SUG:restart
- DESC:update openldap to 2.6.0
* Fri Jul 09 2021 gaihuiying <gaihuiying1@huawei.com> - 2.4.50-8 * Fri Jul 09 2021 gaihuiying <gaihuiying1@huawei.com> - 2.4.50-8
- fix CVE-2020-25709 CVE-2020-25710 - fix CVE-2020-25709 CVE-2020-25710
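Review bot: The `for lib in liblber libldap libldap_r libslapi` loop in the `@ -290,11 +213,11` hunk still lists libldap_r and now creates `libldap_r.so -> libldap_r.so.2`, which the `ln -fs libldap.so "%{buildroot}%{_libdir}/libldap_r.so"` added in the later `@ -306,6 +229,11` hunk then has to overwrite. If 2.6.0 no longer ships a separate libldap_r.so.2, as that compatibility link suggests, the loop briefly produces a dangling symlink that only the later `ln -fs` repairs, so the result depends on statement order across two hunks. Dropping it from the loop, `for lib in liblber libldap libslapi; do`, makes the single compatibility link the one place libldap_r is handled. Separately, the comment `# http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=327585` that documented Patch5 was lost in the rename; keeping it above `Patch5: backport-openldap-switch-to-lt_dlopenadvise-to-get-RTLD_GLOBAL-set.patch` preserves why the patch exists.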