diff --git a/SOURCES/libexec-functions b/SOURCES/libexec-functions index 990d2b8..98c8631 100644 --- a/SOURCES/libexec-functions +++ b/SOURCES/libexec-functions @@ -36,6 +36,8 @@ function parse_config_options() esac done + unset OPTIND + if [ -n "$user" ]; then SLAPD_USER="$user" fi diff --git a/SOURCES/openldap-ITS8720-back-ldap-starttls-timeout.patch b/SOURCES/openldap-ITS8720-back-ldap-starttls-timeout.patch new file mode 100644 index 0000000..d40fecb --- /dev/null +++ b/SOURCES/openldap-ITS8720-back-ldap-starttls-timeout.patch 
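Review bot: `unset OPTIND` after the `done` does reset getopts for the next call, but only because bash re-initialises its getopts state when OPTIND is unset (presumably via its special-variable handling); POSIX specifies only the assignment `OPTIND=1` for this purpose, and the `function` keyword visible in the hunk header shows this file is bash-only, so the idiom works but is non-portable. `OPTIND=1` at the same spot is equivalent in bash and portable, and putting it at the top of parse_config_options, before the `while getopts` loop, would also cover the case where OPTIND had already been advanced by an earlier getopts in the caller before the first call. The getopts loop itself starts outside the hunk.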
@@ -0,0 +1,94 @@ +Fix back-ldap to respect the user configured timeout + +Upstream: ITS#8720 +Resolves: #1540336 + +diff --git a/servers/slapd/back-ldap/back-ldap.h b/servers/slapd/back-ldap/back-ldap.h +index 1e2c14a..e35f622 100644 +--- a/servers/slapd/back-ldap/back-ldap.h ++++ b/servers/slapd/back-ldap/back-ldap.h +@@ -89,6 +89,7 @@ typedef struct ldapconn_base_t { + (BER_BVISEMPTY(&(op)->o_ndn) ? \ + LDAP_BACK_PCONN_ANON_SET((lc), (op)) : LDAP_BACK_PCONN_ROOTDN_SET((lc), (op))) + ++ struct ldapinfo_t *lcb_ldapinfo; + struct berval lcb_local_ndn; + unsigned lcb_refcnt; + time_t lcb_create_time; +@@ -98,6 +99,7 @@ typedef struct ldapconn_base_t { + typedef struct ldapconn_t { + ldapconn_base_t lc_base; + #define lc_conn lc_base.lcb_conn ++#define lc_ldapinfo lc_base.lcb_ldapinfo + #define lc_local_ndn lc_base.lcb_local_ndn + #define lc_refcnt lc_base.lcb_refcnt + #define lc_create_time lc_base.lcb_create_time +diff --git a/servers/slapd/back-ldap/bind.c b/servers/slapd/back-ldap/bind.c +index ff759d7..7808f7a 100644 +--- a/servers/slapd/back-ldap/bind.c ++++ b/servers/slapd/back-ldap/bind.c +@@ -532,7 +532,7 @@ ldap_back_start_tls( + int *is_tls, + const char *url, + unsigned flags, +- int retries, ++ int timeout, + const char **text ) + { + int rc = LDAP_SUCCESS; +@@ -567,22 +567,14 @@ ldap_back_start_tls( + LDAPMessage *res = NULL; + struct timeval tv; + +- LDAP_BACK_TV_SET( &tv ); +- +-retry:; ++ if ( timeout ) { ++ tv.tv_sec = timeout; ++ tv.tv_usec = 0; ++ } else { ++ LDAP_BACK_TV_SET( &tv ); ++ } + rc = ldap_result( ld, msgid, LDAP_MSG_ALL, &tv, &res ); +- if ( rc < 0 ) { +- rc = LDAP_UNAVAILABLE; +- +- } else if ( rc == 0 ) { +- if ( retries != LDAP_BACK_RETRY_NEVER ) { +- ldap_pvt_thread_yield(); +- if ( retries > 0 ) { +- retries--; +- } +- LDAP_BACK_TV_SET( &tv ); +- goto retry; +- } ++ if ( rc <= 0 ) { + rc = LDAP_UNAVAILABLE; + + } else if ( rc == LDAP_RES_EXTENDED ) { +@@ -754,7 +746,7 @@ ldap_back_prepare_conn( ldapconn_t *lc, Operation *op, 
SlapReply *rs, ldap_back_ + assert( li->li_uri_mutex_do_not_lock == 0 ); + li->li_uri_mutex_do_not_lock = 1; + rs->sr_err = ldap_back_start_tls( ld, op->o_protocol, &is_tls, +- li->li_uri, flags, li->li_nretries, &rs->sr_text ); ++ li->li_uri, flags, li->li_timeout[ SLAP_OP_EXTENDED ], &rs->sr_text ); + li->li_uri_mutex_do_not_lock = 0; + ldap_pvt_thread_mutex_unlock( &li->li_uri_mutex ); + if ( rs->sr_err != LDAP_SUCCESS ) { +@@ -980,6 +972,7 @@ retry_lock: + lc = (ldapconn_t *)ch_calloc( 1, sizeof( ldapconn_t ) ); + lc->lc_flags = li->li_flags; + lc->lc_lcflags = lc_curr.lc_lcflags; ++ lc->lc_ldapinfo = li; + if ( ldap_back_prepare_conn( lc, op, rs, sendok ) != LDAP_SUCCESS ) { + ch_free( lc ); + return NULL; +@@ -1649,7 +1642,7 @@ ldap_back_default_rebind( LDAP *ld, LDAP_CONST char *url, ber_tag_t request, + const char *text = NULL; + + rc = ldap_back_start_tls( ld, 0, &is_tls, url, lc->lc_flags, +- LDAP_BACK_RETRY_DEFAULT, &text ); ++ lc->lc_ldapinfo->li_timeout[ SLAP_OP_EXTENDED ], &text ); + if ( rc != LDAP_SUCCESS ) { + return rc; + } diff --git a/SOURCES/openldap-openssl-ITS7595-Add-EC-support-1.patch b/SOURCES/openldap-openssl-ITS7595-Add-EC-support-1.patch new file mode 100644 index 0000000..62af09f --- /dev/null +++ b/SOURCES/openldap-openssl-ITS7595-Add-EC-support-1.patch 
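Review bot: `ldap_back_default_rebind` now dereferences `lc->lc_ldapinfo` unconditionally, but the only site that populates the new field in this patch is the `ch_calloc` in `ldap_back_getconn`; any other path that builds an ldapconn_t and installs this rebind callback (none is visible here, so this is a question rather than a confirmed crash) would fault on a NULL pointer. Since a timeout of 0 already falls back to `LDAP_BACK_TV_SET`, a one-line guard keeps the previous behaviour for such callers: `lc->lc_ldapinfo ? lc->lc_ldapinfo->li_timeout[ SLAP_OP_EXTENDED ] : 0`. Note also that the retry loop is gone, so `nretries` no longer applies to the StartTLS round trip and a single `ldap_result` timeout now yields LDAP_UNAVAILABLE; the slapd-ldap(5) text for `nretries`/`timeout` should say that the StartTLS exchange uses the `extended` timeout only. The bodies of ldap_back_default_rebind and ldap_back_getconn start outside the hunk.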
@@ -0,0 +1,227 @@ +ITS#7595 Add Elliptic Curve support for OpenSSL + +Cherry-picked upstream e631ce808ed56119e61321463d06db7999ba5a08 +Author: Howard Chu +Date: Sat Sep 7 09:47:19 2013 -0700 + +diff --git a/doc/man/man5/slapd-config.5 b/doc/man/man5/slapd-config.5 +index 49a3959ae..9cd0a4dd1 100644 +--- a/doc/man/man5/slapd-config.5 ++++ b/doc/man/man5/slapd-config.5 +@@ -918,6 +918,13 @@ from the default, otherwise no certificate exchanges or verification will + be done. When using GnuTLS or Mozilla NSS these parameters are always generated randomly + so this directive is ignored. + .TP ++.B olcTLSECName: ++Specify the name of a curve to use for Elliptic curve Diffie-Hellman ++ephemeral key exchange. This is required to enable ECDHE algorithms in ++OpenSSL. This option is not used with GnuTLS; the curves may be ++chosen in the GnuTLS ciphersuite specification. This option is also ++ignored for Mozilla NSS. ++.TP + .B olcTLSProtocolMin: [.] + Specifies minimum SSL/TLS protocol version that will be negotiated. + If the server doesn't support at least that version, +diff --git a/doc/man/man5/slapd.conf.5 b/doc/man/man5/slapd.conf.5 +index e2344547e..4eb238162 100644 +--- a/doc/man/man5/slapd.conf.5 ++++ b/doc/man/man5/slapd.conf.5 +@@ -1149,6 +1149,13 @@ from the default, otherwise no certificate exchanges or verification will + be done. When using GnuTLS these parameters are always generated randomly so + this directive is ignored. This directive is ignored when using Mozilla NSS. + .TP ++.B TLSECName ++Specify the name of a curve to use for Elliptic curve Diffie-Hellman ++ephemeral key exchange. This is required to enable ECDHE algorithms in ++OpenSSL. This option is not used with GnuTLS; the curves may be ++chosen in the GnuTLS ciphersuite specification. This option is also ++ignored for Mozilla NSS. ++.TP + .B TLSProtocolMin [.] + Specifies minimum SSL/TLS protocol version that will be negotiated. 
+ If the server doesn't support at least that version, +diff --git a/include/ldap.h b/include/ldap.h +index d4d10fa79..9922c9fa8 100644 +--- a/include/ldap.h ++++ b/include/ldap.h +@@ -158,6 +158,7 @@ LDAP_BEGIN_DECL + #define LDAP_OPT_X_TLS_NEWCTX 0x600f + #define LDAP_OPT_X_TLS_CRLFILE 0x6010 /* GNUtls only */ + #define LDAP_OPT_X_TLS_PACKAGE 0x6011 ++#define LDAP_OPT_X_TLS_ECNAME 0x6012 + #define LDAP_OPT_X_TLS_MOZNSS_COMPATIBILITY 0x6050 + + #define LDAP_OPT_X_TLS_MOZNSS_COMPATIBILITY_DISABLED 0 +diff --git a/libraries/libldap/ldap-int.h b/libraries/libldap/ldap-int.h +index 1a26b3cb0..5fff785d8 100644 +--- a/libraries/libldap/ldap-int.h ++++ b/libraries/libldap/ldap-int.h +@@ -165,6 +165,7 @@ struct ldaptls { + char *lt_ciphersuite; + char *lt_crlfile; + char *lt_randfile; /* OpenSSL only */ ++ char *lt_ecname; /* OpenSSL only */ + int lt_protocol_min; + }; + #endif +@@ -250,6 +251,7 @@ struct ldapoptions { + #define ldo_tls_certfile ldo_tls_info.lt_certfile + #define ldo_tls_keyfile ldo_tls_info.lt_keyfile + #define ldo_tls_dhfile ldo_tls_info.lt_dhfile ++#define ldo_tls_ecname ldo_tls_info.lt_ecname + #define ldo_tls_cacertfile ldo_tls_info.lt_cacertfile + #define ldo_tls_cacertdir ldo_tls_info.lt_cacertdir + #define ldo_tls_ciphersuite ldo_tls_info.lt_ciphersuite +diff --git a/libraries/libldap/tls2.c b/libraries/libldap/tls2.c +index a616133da..f39546450 100644 +--- a/libraries/libldap/tls2.c ++++ b/libraries/libldap/tls2.c +@@ -121,6 +121,10 @@ ldap_int_tls_destroy( struct ldapoptions *lo ) + LDAP_FREE( lo->ldo_tls_dhfile ); + lo->ldo_tls_dhfile = NULL; + } ++ if ( lo->ldo_tls_ecname ) { ++ LDAP_FREE( lo->ldo_tls_ecname ); ++ lo->ldo_tls_ecname = NULL; ++ } + if ( lo->ldo_tls_cacertfile ) { + LDAP_FREE( lo->ldo_tls_cacertfile ); + lo->ldo_tls_cacertfile = NULL; +@@ -257,6 +261,10 @@ ldap_int_tls_init_ctx( struct ldapoptions *lo, int is_server ) + lts.lt_dhfile = LDAP_STRDUP( lts.lt_dhfile ); + __atoe( lts.lt_dhfile ); + } ++ if ( lts.lt_ecname ) { ++ 
lts.lt_ecname = LDAP_STRDUP( lts.lt_ecname ); ++ __atoe( lts.lt_ecname ); ++ } + #endif + lo->ldo_tls_ctx = ti->ti_ctx_new( lo ); + if ( lo->ldo_tls_ctx == NULL ) { +@@ -282,6 +290,7 @@ error_exit: + LDAP_FREE( lts.lt_crlfile ); + LDAP_FREE( lts.lt_cacertdir ); + LDAP_FREE( lts.lt_dhfile ); ++ LDAP_FREE( lts.lt_ecname ); + #endif + return rc; + } +@@ -674,6 +683,10 @@ ldap_pvt_tls_get_option( LDAP *ld, int option, void *arg ) + *(char **)arg = lo->ldo_tls_dhfile ? + LDAP_STRDUP( lo->ldo_tls_dhfile ) : NULL; + break; ++ case LDAP_OPT_X_TLS_ECNAME: ++ *(char **)arg = lo->ldo_tls_ecname ? ++ LDAP_STRDUP( lo->ldo_tls_ecname ) : NULL; ++ break; + case LDAP_OPT_X_TLS_CRLFILE: /* GnuTLS only */ + *(char **)arg = lo->ldo_tls_crlfile ? + LDAP_STRDUP( lo->ldo_tls_crlfile ) : NULL; +@@ -796,6 +809,10 @@ ldap_pvt_tls_set_option( LDAP *ld, int option, void *arg ) + if ( lo->ldo_tls_dhfile ) LDAP_FREE( lo->ldo_tls_dhfile ); + lo->ldo_tls_dhfile = (arg && *(char *)arg) ? LDAP_STRDUP( (char *) arg ) : NULL; + return 0; ++ case LDAP_OPT_X_TLS_ECNAME: ++ if ( lo->ldo_tls_ecname ) LDAP_FREE( lo->ldo_tls_ecname ); ++ lo->ldo_tls_ecname = arg ? LDAP_STRDUP( (char *) arg ) : NULL; ++ return 0; + case LDAP_OPT_X_TLS_CRLFILE: /* GnuTLS only */ + if ( lo->ldo_tls_crlfile ) LDAP_FREE( lo->ldo_tls_crlfile ); + lo->ldo_tls_crlfile = (arg && *(char *)arg) ? 
LDAP_STRDUP( (char *) arg ) : NULL; +diff --git a/libraries/libldap/tls_o.c b/libraries/libldap/tls_o.c +index a2d9cd31f..1a81bc625 100644 +--- a/libraries/libldap/tls_o.c ++++ b/libraries/libldap/tls_o.c +@@ -296,10 +296,9 @@ tlso_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server ) + return -1; + } + +- if ( lo->ldo_tls_dhfile ) { +- DH *dh = NULL; ++ if ( is_server && lo->ldo_tls_dhfile ) { ++ DH *dh; + BIO *bio; +- SSL_CTX_set_options( ctx, SSL_OP_SINGLE_DH_USE ); + + if (( bio=BIO_new_file( lt->lt_dhfile,"r" )) == NULL ) { + Debug( LDAP_DEBUG_ANY, +@@ -318,7 +317,35 @@ tlso_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server ) + } + BIO_free( bio ); + SSL_CTX_set_tmp_dh( ctx, dh ); ++ SSL_CTX_set_options( ctx, SSL_OP_SINGLE_DH_USE ); ++ DH_free( dh ); ++ } ++ ++#ifdef SSL_OP_SINGLE_ECDH_USE ++ if ( is_server && lo->ldo_tls_ecname ) { ++ EC_KEY *ecdh; ++ ++ int nid = OBJ_sn2nid( lt->lt_ecname ); ++ if ( nid == NID_undef ) { ++ Debug( LDAP_DEBUG_ANY, ++ "TLS: could not use EC name `%s'.\n", ++ lo->ldo_tls_ecname,0,0); ++ tlso_report_error(); ++ return -1; ++ } ++ ecdh = EC_KEY_new_by_curve_name( nid ); ++ if ( ecdh == NULL ) { ++ Debug( LDAP_DEBUG_ANY, ++ "TLS: could not generate key for EC name `%s'.\n", ++ lo->ldo_tls_ecname,0,0); ++ tlso_report_error(); ++ return -1; ++ } ++ SSL_CTX_set_tmp_ecdh( ctx, ecdh ); ++ SSL_CTX_set_options( ctx, SSL_OP_SINGLE_ECDH_USE ); ++ EC_KEY_free( ecdh ); + } ++#endif + + if ( tlso_opt_trace ) { + SSL_CTX_set_info_callback( ctx, tlso_info_cb ); +diff --git a/servers/slapd/bconfig.c b/servers/slapd/bconfig.c +index 8ade0c3f2..5a3c67a72 100644 +--- a/servers/slapd/bconfig.c ++++ b/servers/slapd/bconfig.c +@@ -194,6 +194,7 @@ enum { + CFG_ACL_ADD, + CFG_SYNC_SUBENTRY, + CFG_LTHREADS, ++ CFG_TLS_ECNAME, + + CFG_LAST + }; +@@ -738,6 +739,14 @@ static ConfigTable config_back_cf_table[] = { + #endif + "( OLcfgGlAt:77 NAME 'olcTLSDHParamFile' " + "SYNTAX OMsDirectoryString SINGLE-VALUE )", NULL, NULL }, 
++ { "TLSECName", NULL, 2, 2, 0, ++#ifdef HAVE_TLS ++ CFG_TLS_ECNAME|ARG_STRING|ARG_MAGIC, &config_tls_option, ++#else ++ ARG_IGNORED, NULL, ++#endif ++ "( OLcfgGlAt:96 NAME 'olcTLSECName' " ++ "SYNTAX OMsDirectoryString SINGLE-VALUE )", NULL, NULL }, + { "TLSProtocolMin", NULL, 2, 2, 0, + #ifdef HAVE_TLS + CFG_TLS_PROTOCOL_MIN|ARG_STRING|ARG_MAGIC, &config_tls_config, +@@ -819,7 +828,7 @@ static ConfigOCs cf_ocs[] = { + "olcThreads $ olcTimeLimit $ olcTLSCACertificateFile $ " + "olcTLSCACertificatePath $ olcTLSCertificateFile $ " + "olcTLSCertificateKeyFile $ olcTLSCipherSuite $ olcTLSCRLCheck $ " +- "olcTLSRandFile $ olcTLSVerifyClient $ olcTLSDHParamFile $ " ++ "olcTLSRandFile $ olcTLSVerifyClient $ olcTLSDHParamFile $ olcTLSECName $ " + "olcTLSCRLFile $ olcTLSProtocolMin $ olcToolThreads $ olcWriteTimeout $ " + "olcObjectIdentifier $ olcAttributeTypes $ olcObjectClasses $ " + "olcDitContentRules $ olcLdapSyntaxes ) )", Cft_Global }, +@@ -3824,6 +3833,7 @@ config_tls_option(ConfigArgs *c) { + case CFG_TLS_CA_PATH: flag = LDAP_OPT_X_TLS_CACERTDIR; break; + case CFG_TLS_CA_FILE: flag = LDAP_OPT_X_TLS_CACERTFILE; break; + case CFG_TLS_DH_FILE: flag = LDAP_OPT_X_TLS_DHFILE; break; ++ case CFG_TLS_ECNAME: flag = LDAP_OPT_X_TLS_ECNAME; break; + #ifdef HAVE_GNUTLS + case CFG_TLS_CRL_FILE: flag = LDAP_OPT_X_TLS_CRLFILE; break; + #endif diff --git a/SOURCES/openldap-openssl-ITS7595-Add-EC-support-2.patch b/SOURCES/openldap-openssl-ITS7595-Add-EC-support-2.patch new file mode 100644 index 0000000..6c28f3f --- /dev/null +++ b/SOURCES/openldap-openssl-ITS7595-Add-EC-support-2.patch 
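Review bot: In `ldap_pvt_tls_set_option`, the new `LDAP_OPT_X_TLS_ECNAME` case stores an empty string (`arg ? LDAP_STRDUP( (char *) arg ) : NULL`), whereas the neighbouring DHFILE and CRLFILE cases use `(arg && *(char *)arg)` to treat "" as "unset"; an empty TLSECName therefore reaches `OBJ_sn2nid("")`, gets NID_undef and makes `tlso_ctx_init` return -1, so TLS as a whole is disabled rather than ECDHE simply being left off. Use `lo->ldo_tls_ecname = (arg && *(char *)arg) ? LDAP_STRDUP( (char *) arg ) : NULL;` for consistency with its siblings. The man-page text could also warn that `SSL_CTX_set_tmp_ecdh` pins a single curve, so a client that does not support the configured curve negotiates no ECDHE suite at all (on OpenSSL 1.0.2+ a curve list via `SSL_CTX_set1_curves_list` would avoid that, but that is beyond this cherry-pick), and give an example value such as `prime256v1`.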
@@ -0,0 +1,34 @@ +ITS#7595 don't try to use EC if OpenSSL lacks it + +Cherry-picked upstream 721e46fe6695077d63a3df6ea2e397920a72308d +Author: Howard Chu +Date: Sun Sep 8 06:32:23 2013 -0700 + +diff --git a/libraries/libldap/tls_o.c b/libraries/libldap/tls_o.c +index 1a81bc625..71c2b055c 100644 +--- a/libraries/libldap/tls_o.c ++++ b/libraries/libldap/tls_o.c +@@ -321,8 +321,12 @@ tlso_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server ) + DH_free( dh ); + } + +-#ifdef SSL_OP_SINGLE_ECDH_USE + if ( is_server && lo->ldo_tls_ecname ) { ++#ifdef OPENSSL_NO_EC ++ Debug( LDAP_DEBUG_ANY, ++ "TLS: Elliptic Curves not supported.\n", 0,0,0 ); ++ return -1; ++#else + EC_KEY *ecdh; + + int nid = OBJ_sn2nid( lt->lt_ecname ); +@@ -344,8 +348,8 @@ tlso_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server ) + SSL_CTX_set_tmp_ecdh( ctx, ecdh ); + SSL_CTX_set_options( ctx, SSL_OP_SINGLE_ECDH_USE ); + EC_KEY_free( ecdh ); +- } + #endif ++ } + + if ( tlso_opt_trace ) { + SSL_CTX_set_info_callback( ctx, tlso_info_cb ); diff --git a/SOURCES/openldap-openssl-its7506-fix-DH-params-1.patch b/SOURCES/openldap-openssl-its7506-fix-DH-params-1.patch new file mode 100644 index 0000000..5e105e2 --- /dev/null +++ b/SOURCES/openldap-openssl-its7506-fix-DH-params-1.patch 
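Review bot: The new `OPENSSL_NO_EC` error path logs `TLS: Elliptic Curves not supported.` without naming the directive that triggered it, so an operator sees slapd refuse to start with no pointer to the config line; `"TLS: TLSECName is set but this OpenSSL build lacks EC support.\n"` would make the failure actionable. Dropping the `#ifdef SSL_OP_SINGLE_ECDH_USE` guard in favour of `OPENSSL_NO_EC` is presumably fine for the OpenSSL this package builds against, but an OpenSSL with EC in libcrypto and no ECDH in libssl would now fail to compile on `SSL_CTX_set_tmp_ecdh`; worth a one-line comment stating the minimum OpenSSL version assumed. tlso_ctx_init starts and ends outside the hunk.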
@@ -0,0 +1,219 @@ +commit aa6c4c5a7425d5fb21c5e3f10cb025fb930d79c8 +Author: Ben Jencks +Date: Sun Jan 27 18:27:03 2013 -0500 + + ITS#7506 tls_o.c: Fix Diffie-Hellman parameter usage. + + If a DHParamFile or olcDHParamFile is specified, then it will be used, + otherwise a hardcoded 1024 bit parameter will be used. This allows the use of + larger parameters; previously only 512 or 1024 bit parameters would ever be + used. + +diff --git a/libraries/libldap/tls_o.c b/libraries/libldap/tls_o.c +index 48ce1ceab..c6a3540c9 100644 +--- a/libraries/libldap/tls_o.c ++++ b/libraries/libldap/tls_o.c +@@ -59,15 +59,13 @@ static int tlso_verify_cb( int ok, X509_STORE_CTX *ctx ); + static int tlso_verify_ok( int ok, X509_STORE_CTX *ctx ); + static RSA * tlso_tmp_rsa_cb( SSL *ssl, int is_export, int key_length ); + +-static DH * tlso_tmp_dh_cb( SSL *ssl, int is_export, int key_length ); +- +-typedef struct dhplist { +- struct dhplist *next; +- int keylength; +- DH *param; +-} dhplist; +- +-static dhplist *tlso_dhparams; ++/* From the OpenSSL 0.9.7 distro */ ++static const char tlso_dhpem1024[] = ++"-----BEGIN DH PARAMETERS-----\n\ ++MIGHAoGBAJf2QmHKtQXdKCjhPx1ottPb0PMTBH9A6FbaWMsTuKG/K3g6TG1Z1fkq\n\ ++/Gz/PWk/eLI9TzFgqVAuPvr3q14a1aZeVUMTgo2oO5/y2UHe6VaJ+trqCTat3xlx\n\ ++/mNbIK9HA2RgPC3gWfVLZQrY+gz3ASHHR5nXWHEyvpuZm7m3h+irAgEC\n\ ++-----END DH PARAMETERS-----\n"; + + static int tlso_seed_PRNG( const char *randfile ); + +@@ -76,7 +74,6 @@ static int tlso_seed_PRNG( const char *randfile ); + * provide mutexes for the OpenSSL library. 
+ */ + static ldap_pvt_thread_mutex_t tlso_mutexes[CRYPTO_NUM_LOCKS]; +-static ldap_pvt_thread_mutex_t tlso_dh_mutex; + + static void tlso_locking_cb( int mode, int type, const char *file, int line ) + { +@@ -107,7 +104,6 @@ static void tlso_thr_init( void ) + for( i=0; i< CRYPTO_NUM_LOCKS ; i++ ) { + ldap_pvt_thread_mutex_init( &tlso_mutexes[i] ); + } +- ldap_pvt_thread_mutex_init( &tlso_dh_mutex ); + CRYPTO_set_locking_callback( tlso_locking_cb ); + CRYPTO_set_id_callback( tlso_thread_self ); + } +@@ -308,28 +304,32 @@ tlso_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server ) + return -1; + } + +- if ( lo->ldo_tls_dhfile ) { ++ if (is_server) { + DH *dh = NULL; + BIO *bio; +- dhplist *p; ++ SSL_CTX_set_options( ctx, SSL_OP_SINGLE_DH_USE ); ++ if ( lo->ldo_tls_dhfile ) { + +- if (( bio=BIO_new_file( lt->lt_dhfile,"r" )) == NULL ) { ++ if (( bio=BIO_new_file( lt->lt_dhfile,"r" )) == NULL ) { ++ Debug( LDAP_DEBUG_ANY, ++ "TLS: could not use DH parameters file `%s'.\n", ++ lo->ldo_tls_dhfile,0,0); ++ tlso_report_error(); ++ return -1; ++ } ++ } else { ++ bio = BIO_new_mem_buf( tlso_dhpem1024, -1 ); ++ } ++ if (!( dh=PEM_read_bio_DHparams( bio, NULL, NULL, NULL ))) { + Debug( LDAP_DEBUG_ANY, +- "TLS: could not use DH parameters file `%s'.\n", ++ "TLS: could not read DH parameters file `%s'.\n", + lo->ldo_tls_dhfile,0,0); + tlso_report_error(); ++ BIO_free( bio ); + return -1; + } +- while (( dh=PEM_read_bio_DHparams( bio, NULL, NULL, NULL ))) { +- p = LDAP_MALLOC( sizeof(dhplist) ); +- if ( p != NULL ) { +- p->keylength = DH_size( dh ) * 8; +- p->param = dh; +- p->next = tlso_dhparams; +- tlso_dhparams = p; +- } +- } + BIO_free( bio ); ++ SSL_CTX_set_tmp_dh( ctx, dh ); + } + + if ( tlso_opt_trace ) { +@@ -349,9 +349,6 @@ tlso_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server ) + lo->ldo_tls_require_cert == LDAP_OPT_X_TLS_ALLOW ? 
+ tlso_verify_ok : tlso_verify_cb ); + SSL_CTX_set_tmp_rsa_callback( ctx, tlso_tmp_rsa_cb ); +- if ( lo->ldo_tls_dhfile ) { +- SSL_CTX_set_tmp_dh_callback( ctx, tlso_tmp_dh_cb ); +- } + #ifdef HAVE_OPENSSL_CRL + if ( lo->ldo_tls_crlcheck ) { + X509_STORE *x509_s = SSL_CTX_get_cert_store( ctx ); +@@ -1160,108 +1157,6 @@ tlso_seed_PRNG( const char *randfile ) + return 0; + } + +-struct dhinfo { +- int keylength; +- const char *pem; +- size_t size; +-}; +- +- +-/* From the OpenSSL 0.9.7 distro */ +-static const char tlso_dhpem512[] = +-"-----BEGIN DH PARAMETERS-----\n\ +-MEYCQQDaWDwW2YUiidDkr3VvTMqS3UvlM7gE+w/tlO+cikQD7VdGUNNpmdsp13Yn\n\ +-a6LT1BLiGPTdHghM9tgAPnxHdOgzAgEC\n\ +------END DH PARAMETERS-----\n"; +- +-static const char tlso_dhpem1024[] = +-"-----BEGIN DH PARAMETERS-----\n\ +-MIGHAoGBAJf2QmHKtQXdKCjhPx1ottPb0PMTBH9A6FbaWMsTuKG/K3g6TG1Z1fkq\n\ +-/Gz/PWk/eLI9TzFgqVAuPvr3q14a1aZeVUMTgo2oO5/y2UHe6VaJ+trqCTat3xlx\n\ +-/mNbIK9HA2RgPC3gWfVLZQrY+gz3ASHHR5nXWHEyvpuZm7m3h+irAgEC\n\ +------END DH PARAMETERS-----\n"; +- +-static const char tlso_dhpem2048[] = +-"-----BEGIN DH PARAMETERS-----\n\ +-MIIBCAKCAQEA7ZKJNYJFVcs7+6J2WmkEYb8h86tT0s0h2v94GRFS8Q7B4lW9aG9o\n\ +-AFO5Imov5Jo0H2XMWTKKvbHbSe3fpxJmw/0hBHAY8H/W91hRGXKCeyKpNBgdL8sh\n\ +-z22SrkO2qCnHJ6PLAMXy5fsKpFmFor2tRfCzrfnggTXu2YOzzK7q62bmqVdmufEo\n\ +-pT8igNcLpvZxk5uBDvhakObMym9mX3rAEBoe8PwttggMYiiw7NuJKO4MqD1llGkW\n\ +-aVM8U2ATsCun1IKHrRxynkE1/MJ86VHeYYX8GZt2YA8z+GuzylIOKcMH6JAWzMwA\n\ +-Gbatw6QwizOhr9iMjZ0B26TE3X8LvW84wwIBAg==\n\ +------END DH PARAMETERS-----\n"; +- +-static const char tlso_dhpem4096[] = +-"-----BEGIN DH PARAMETERS-----\n\ +-MIICCAKCAgEA/urRnb6vkPYc/KEGXWnbCIOaKitq7ySIq9dTH7s+Ri59zs77zty7\n\ +-vfVlSe6VFTBWgYjD2XKUFmtqq6CqXMhVX5ElUDoYDpAyTH85xqNFLzFC7nKrff/H\n\ +-TFKNttp22cZE9V0IPpzedPfnQkE7aUdmF9JnDyv21Z/818O93u1B4r0szdnmEvEF\n\ +-bKuIxEHX+bp0ZR7RqE1AeifXGJX3d6tsd2PMAObxwwsv55RGkn50vHO4QxtTARr1\n\ +-rRUV5j3B3oPMgC7Offxx+98Xn45B1/G0Prp11anDsR1PGwtaCYipqsvMwQUSJtyE\n\ 
+-EOQWk+yFkeMe4vWv367eEi0Sd/wnC+TSXBE3pYvpYerJ8n1MceI5GQTdarJ77OW9\n\ +-bGTHmxRsLSCM1jpLdPja5jjb4siAa6EHc4qN9c/iFKS3PQPJEnX7pXKBRs5f7AF3\n\ +-W3RIGt+G9IVNZfXaS7Z/iCpgzgvKCs0VeqN38QsJGtC1aIkwOeyjPNy2G6jJ4yqH\n\ +-ovXYt/0mc00vCWeSNS1wren0pR2EiLxX0ypjjgsU1mk/Z3b/+zVf7fZSIB+nDLjb\n\ +-NPtUlJCVGnAeBK1J1nG3TQicqowOXoM6ISkdaXj5GPJdXHab2+S7cqhKGv5qC7rR\n\ +-jT6sx7RUr0CNTxzLI7muV2/a4tGmj0PSdXQdsZ7tw7gbXlaWT1+MM2MCAQI=\n\ +------END DH PARAMETERS-----\n"; +- +-static const struct dhinfo tlso_dhpem[] = { +- { 512, tlso_dhpem512, sizeof(tlso_dhpem512) }, +- { 1024, tlso_dhpem1024, sizeof(tlso_dhpem1024) }, +- { 2048, tlso_dhpem2048, sizeof(tlso_dhpem2048) }, +- { 4096, tlso_dhpem4096, sizeof(tlso_dhpem4096) }, +- { 0, NULL, 0 } +-}; +- +-static DH * +-tlso_tmp_dh_cb( SSL *ssl, int is_export, int key_length ) +-{ +- struct dhplist *p = NULL; +- BIO *b = NULL; +- DH *dh = NULL; +- int i; +- +- /* Do we have params of this length already? */ +- LDAP_MUTEX_LOCK( &tlso_dh_mutex ); +- for ( p = tlso_dhparams; p; p=p->next ) { +- if ( p->keylength == key_length ) { +- LDAP_MUTEX_UNLOCK( &tlso_dh_mutex ); +- return p->param; +- } +- } +- +- /* No - check for hardcoded params */ +- +- for (i=0; tlso_dhpem[i].keylength; i++) { +- if ( tlso_dhpem[i].keylength == key_length ) { +- b = BIO_new_mem_buf( (char *)tlso_dhpem[i].pem, tlso_dhpem[i].size ); +- break; +- } +- } +- +- if ( b ) { +- dh = PEM_read_bio_DHparams( b, NULL, NULL, NULL ); +- BIO_free( b ); +- } +- +- /* Generating on the fly is expensive/slow... */ +- if ( !dh ) { +- dh = DH_generate_parameters( key_length, DH_GENERATOR_2, NULL, NULL ); +- } +- if ( dh ) { +- p = LDAP_MALLOC( sizeof(struct dhplist) ); +- if ( p != NULL ) { +- p->keylength = key_length; +- p->param = dh; +- p->next = tlso_dhparams; +- tlso_dhparams = p; +- } +- } +- +- LDAP_MUTEX_UNLOCK( &tlso_dh_mutex ); +- return dh; +-} + + tls_impl ldap_int_tls_impl = { + "OpenSSL", 
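Review bot: The rewritten DH setup reads a single PEM block with `PEM_read_bio_DHparams` and installs it with `SSL_CTX_set_tmp_dh`, whereas the removed callback loaded every parameter set in the file into `tlso_dhparams` and picked one by key length; a TLSDHParamFile holding several sets now silently uses only the first one, which slapd.conf(5) and slapd-config(5) should state under TLSDHParamFile (`Only the first parameter set in the file is used.`). `SSL_CTX_set_tmp_dh` copies the DH object, so the `dh` returned here is leaked on every context init; the later ITS7595 patch in this series adds the `DH_free( dh )`, so no change is needed in this file. The built-in-parameter branch passes `lo->ldo_tls_dhfile` (NULL in that case) to a `%s` in the read-failure Debug, but that branch is removed again by the following patch, so this is an intermediate-state issue only.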
diff --git a/SOURCES/openldap-openssl-its7506-fix-DH-params-2.patch b/SOURCES/openldap-openssl-its7506-fix-DH-params-2.patch
new file mode 100644
index 0000000..799c6e5
--- /dev/null
+++ b/SOURCES/openldap-openssl-its7506-fix-DH-params-2.patch
@@ -0,0 +1,58 @@ +commit eacd5798a5d83e6658a823c01bcb0f600e3b9898 +Author: Howard Chu +Date: Sat Sep 7 06:39:53 2013 -0700 + + ITS#7506 fix prev commit + + The patch unconditionally enabled DHparams, which is a significant + change of behavior. Reverting to previous behavior, which only enables + DH use if a DHparam file was configured. + +diff --git a/libraries/libldap/tls_o.c b/libraries/libldap/tls_o.c +index c6a3540c9..a2d9cd31f 100644 +--- a/libraries/libldap/tls_o.c ++++ b/libraries/libldap/tls_o.c +@@ -59,14 +59,6 @@ static int tlso_verify_cb( int ok, X509_STORE_CTX *ctx ); + static int tlso_verify_ok( int ok, X509_STORE_CTX *ctx ); + static RSA * tlso_tmp_rsa_cb( SSL *ssl, int is_export, int key_length ); + +-/* From the OpenSSL 0.9.7 distro */ +-static const char tlso_dhpem1024[] = +-"-----BEGIN DH PARAMETERS-----\n\ +-MIGHAoGBAJf2QmHKtQXdKCjhPx1ottPb0PMTBH9A6FbaWMsTuKG/K3g6TG1Z1fkq\n\ +-/Gz/PWk/eLI9TzFgqVAuPvr3q14a1aZeVUMTgo2oO5/y2UHe6VaJ+trqCTat3xlx\n\ +-/mNbIK9HA2RgPC3gWfVLZQrY+gz3ASHHR5nXWHEyvpuZm7m3h+irAgEC\n\ +------END DH PARAMETERS-----\n"; +- + static int tlso_seed_PRNG( const char *randfile ); + + #ifdef LDAP_R_COMPILE +@@ -304,21 +296,17 @@ tlso_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server ) + return -1; + } + +- if (is_server) { ++ if ( lo->ldo_tls_dhfile ) { + DH *dh = NULL; + BIO *bio; + SSL_CTX_set_options( ctx, SSL_OP_SINGLE_DH_USE ); +- if ( lo->ldo_tls_dhfile ) { + +- if (( bio=BIO_new_file( lt->lt_dhfile,"r" )) == NULL ) { +- Debug( LDAP_DEBUG_ANY, +- "TLS: could not use DH parameters file `%s'.\n", +- lo->ldo_tls_dhfile,0,0); +- tlso_report_error(); +- return -1; +- } +- } else { +- bio = BIO_new_mem_buf( tlso_dhpem1024, -1 ); ++ if (( bio=BIO_new_file( lt->lt_dhfile,"r" )) == NULL ) { ++ Debug( LDAP_DEBUG_ANY, ++ "TLS: could not use DH parameters file `%s'.\n", ++ lo->ldo_tls_dhfile,0,0); ++ tlso_report_error(); ++ return -1; + } + if (!( dh=PEM_read_bio_DHparams( bio, NULL, NULL, NULL ))) { + Debug( 
LDAP_DEBUG_ANY, diff --git a/SOURCES/openldap-tlsmc.patch b/SOURCES/openldap-tlsmc.patch index 405e54f..6d327ec 100644 --- a/SOURCES/openldap-tlsmc.patch +++ b/SOURCES/openldap-tlsmc.patch @@ -1,7 +1,7 @@ MozNSS Interception Code Author: Matus Honek -Date: Wed Feb 21 20:04:11 CET 2018 +Date: Thu Jun 21 20:37:25 CEST 2018 diff --git a/configure.in b/configure.in --- a/configure.in +++ b/configure.in @@ -283,7 +283,7 @@ diff --git a/libraries/libldap/tls_mc.c b/libraries/libldap/tls_mc.c new file mode 100644 --- /dev/null +++ b/libraries/libldap/tls_mc.c -@@ -0,0 +1,1346 @@ +@@ -0,0 +1,1369 @@ +#include "portable.h" + +#ifdef HAVE_MOZNSS_COMPATIBILITY 
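Review bot: With this revert, an OpenSSL-linked slapd offers DHE ciphersuites only when TLSDHParamFile is configured, and after the ITS7595 patches in this series ECDHE only when TLSECName is set; on OpenSSL releases that do not enable ECDH automatically (presumably anything before 1.1.0) a default configuration therefore negotiates no forward-secret suites at all. That is a deployment caveat worth stating in the TLSDHParamFile/TLSECName man-page text and in the package changelog, e.g. `Without TLSDHParamFile and TLSECName no (EC)DHE ciphersuites are offered with OpenSSL.` The revert also restores the file-only branch without the `is_server` gate, so clients would again parse the DH file; the next patch re-adds the gate, so nothing to change here. tlso_ctx_init starts and ends outside the hunk.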
@@ -330,16 +330,16 @@ new file mode 100644 +#define TLSMC_IS_TEMPORARY 2 + +#define DONOTEDIT \ -+ "This file is auto-generated by MOZNSS Compatibility Layer of OpenLDAP software.\n" \ -+ "This layer is not a part of upstream distributed OpenLDAP software.\n" \ -+ "Please, file any related bugs with your GNU/Linux distribution.\n" \ -+ "Do not edit directly. Rather, change your configuration to use OpenSSL-style TLS options, so that this does not need to be generated anymore.\n" \ -+ "Please, refer to man (5) of slapd.conf, slapd-config, and ldap.conf for more information." ++ "This file is auto-generated by the MozNSS Compatibility Layer of OpenLDAP software.\n" \ ++ "This layer is not part of the OpenLDAP software distributed in upstream.\n" \ ++ "Please file any related bugs with your GNU/Linux distribution.\n" \ ++ "Do not edit contents of this directory structure directly. Rather, change your configuration to use the OpenSSL-style TLS options, so that this directory structure does not need to be generated anymore.\n" \ ++ "Please refer to the slapd.conf(5), slapd-config(5), and ldap.conf(5) man pages for more information." +#define PEM_CERT_HEADER "-----BEGIN CERTIFICATE-----" +#define PEM_CERT_FOOTER "-----END CERTIFICATE-----" +#define PEM_KEY_HEADER "-----BEGIN PRIVATE KEY-----" +#define PEM_KEY_FOOTER "-----END PRIVATE KEY-----" -+#define README_HEADER "Contents of this file are hashed and used as a part of a name of the parent directory.\n" ++#define README_HEADER "The contents of this file are hashed and used as part of the name of the parent directory.\n" + +#ifdef LDAP_R_COMPILE +ldap_pvt_thread_mutex_t tlsmc_mutex; 
@@ -365,23 +365,33 @@ new file mode 100644 + int rv = 0; + int fd = -1; + if ( 0 > ( fd = open( filename, O_WRONLY | O_CREAT | O_EXCL, S_IWUSR ) ) ) { -+ perror("IO ERROR: could not open file"); ++ Debug( LDAP_DEBUG_ANY, ++ "tlsmc_write_file: ERROR: could not open file: `%s': %s.\n", ++ filename, strerror(errno), 0 ); + goto bail; + } + if ( -1 >= write( fd, buf, strlen(buf) ) ) { -+ perror("IO ERROR: could not write file"); ++ Debug( LDAP_DEBUG_ANY, ++ "tlsmc_write_file: ERROR: could not write file: `%s': %s.\n", ++ filename, strerror(errno), 0 ); + goto bail; + } + if ( -1 >= fchmod( fd, final_mode ) ) { -+ perror("IO ERROR: could not set file mode"); ++ Debug( LDAP_DEBUG_ANY, ++ "tlsmc_write_file: ERROR: could not set file mode: `%s': %s.\n", ++ filename, strerror(errno), 0 ); + goto bail; + } + if ( -1 >= fsync( fd ) ) { -+ perror("IO ERROR: could not fsync the file"); ++ Debug( LDAP_DEBUG_ANY, ++ "tlsmc_write_file: ERROR: could not fsync file: `%s': %s.\n", ++ filename, strerror(errno), 0 ); + goto bail; + } + if ( 0 > close( fd ) ) { -+ perror("IO ERROR: could not close file"); ++ Debug( LDAP_DEBUG_ANY, ++ "tlsmc_write_file: ERROR: could not close file: `%s': %s.\n", ++ filename, strerror(errno), 0 ); + fd = -1; + goto bail; + } @@ -845,7 +855,9 @@ new file mode 100644 + goto bail; + } + if ( 0 == strftime(stime, sizeof(stime), "%FT%T", localtime(&attr.st_mtime)) ) { -+ perror("IO ERROR: could not format mtime"); ++ Debug( LDAP_DEBUG_ANY, ++ "tlsmc_filestamp: ERROR: could not format mtime: %s.\n", ++ strerror(errno), 0, 0 ); + goto bail; + } + @@ -930,9 +942,8 @@ new file mode 100644 + + if ( 0 != mkdir( dir, S_IRWXU /* u+rwx */ ) ) { + Debug( LDAP_DEBUG_ANY, -+ "tlsmc_prepare_dir: WARN: cound not create the PEM directory.\n", ++ "tlsmc_prepare_dir: WARN: could not create the PEM directory.\n", + 0, 0, 0 ); -+ perror( "tlsmc_prepare_dir: WARN: cound not create the PEM directory" ); + rv = 0; + goto bail; + } 
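Review bot: The `write()` check that this hunk re-wraps still accepts a short write: `-1 >= write( fd, buf, strlen(buf) )` only catches -1, so a partially written certificate or private key is then fchmod'ed, fsync'ed and reported as success. While every line around it is being touched, compare against the requested length, `size_t len = strlen(buf); if ( write( fd, buf, len ) != (ssize_t)len )` (pre-existing, but this is the hunk that rewrites the error reporting). `strerror(errno)` is also evaluated inside the Debug macro's argument list; if Debug expands to more than one call, capturing `int err = errno;` immediately after the failing call avoids printing a clobbered value (hedged — the macro is not visible here). tlsmc_write_file's signature is outside the hunk.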
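Review bot: `strftime()` does not set errno when it returns 0 (the C and POSIX specifications leave it unspecified), so the new `strerror(errno)` in the "could not format mtime" message prints whatever an earlier call left behind and will mislead whoever debugs it. Drop the errno text and report the real cause, `"tlsmc_filestamp: ERROR: could not format mtime (%d-byte buffer too small).\n", (int)sizeof(stime), 0, 0`. The `localtime(&attr.st_mtime)` on the same line is unchecked and may return NULL, which strftime would dereference; `localtime_r` into a local `struct tm` with a NULL check is also the thread-safe form, which matters in a library loaded into a threaded slapd. tlsmc_filestamp starts outside the hunk.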
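Review bot: Removing the `perror()` after the mkdir failure drops the only place the errno reason was reported, and the remaining Debug says only "could not create the PEM directory" with no path, so EEXIST (a stale or concurrently created directory) is now indistinguishable from EACCES or ENOSPC. Fold both into the message as the other hunks in this patch do: `"tlsmc_prepare_dir: WARN: could not create the PEM directory `%s': %s.\n", dir, strerror(errno), 0`. tlsmc_prepare_dir starts outside the hunk.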
@@ -943,9 +954,8 @@ new file mode 100644 + cacerts_dir = PR_smprintf( "%s/%s", dir, TLSMC_CACERTS_DIR_NAME ); + if ( 0 != mkdir( cacerts_dir, S_IRWXU /* u+rwx */ ) ) { + Debug( LDAP_DEBUG_ANY, -+ "tlsmc_prepare_dir: WARN: cound not create the subdirectory.\n", ++ "tlsmc_prepare_dir: WARN: could not create the subdirectory.\n", + 0, 0, 0 ); -+ perror( "tlsmc_prepare_dir: WARN: cound not create the subdirectory" ); + rv = 0; + goto bail; + } @@ -1236,11 +1246,15 @@ new file mode 100644 + "tlsmc_extract_cert_key_pair: INFO: symlinking certificate file `%s' to file `%s'.\n", + nickname, cert_file_path, 0 ); + if ( NULL == ( file_realpath = realpath( nickname, NULL ) ) ) { -+ perror( "Could not get the realpath" ); ++ Debug( LDAP_DEBUG_ANY, ++ "tlsmc_extract_cert_key_pair: ERROR: could not get realpath of certificate file `%s'.\n", ++ nickname, 0, 0 ); + goto bail; + } + if ( -1 == symlink( file_realpath, cert_file_path ) ) { -+ perror( "Could not create a symlink" ); ++ Debug( LDAP_DEBUG_ANY, ++ "tlsmc_extract_cert_key_pair: ERROR: could not create a symlink of `%s' to `%s'.\n", ++ file_realpath, cert_file_path, 0 ); + goto bail; + } + if ( file_realpath ) free( file_realpath ); @@ -1249,11 +1263,15 @@ new file mode 100644 + "tlsmc_extract_cert_key_pair: INFO: symlinking PK file `%s' to file `%s'.\n", + pin_filename, key_file_path, 0 ); + if ( NULL == ( file_realpath = realpath( pin_filename, NULL ) ) ) { -+ perror( "Could not get the realpath" ); ++ Debug( LDAP_DEBUG_ANY, ++ "tlsmc_extract_cert_key_pair: ERROR: could not get realpath of PK file `%s'.\n", ++ pin_filename, 0, 0 ); + goto bail; + } + if ( -1 == symlink( file_realpath, key_file_path ) ) { -+ perror( "Could not create a symlink" ); ++ Debug( LDAP_DEBUG_ANY, ++ "tlsmc_extract_cert_key_pair: ERROR: could not create a symlink of `%s' to `%s'.\n", ++ file_realpath, key_file_path, 0 ); + goto bail; + } + } 
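Review bot: Same loss as in the parent-directory hunk: with the `perror()` gone, a failed `mkdir( cacerts_dir, ... )` is logged without the path or the errno reason, and the `rv = 0; goto bail;` then continues as a non-fatal warning, so an operator cannot tell a permissions problem from a leftover directory. Log `cacerts_dir` and `strerror(errno)` in the Debug call, and since `PR_smprintf` can return NULL it should be checked before the mkdir (pre-existing). tlsmc_prepare_dir starts and ends outside the hunk.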
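Review bot: On the `symlink()` failure path the buffer returned by `realpath( nickname, NULL )` is leaked: the `free( file_realpath )` runs only after a successful symlink, and the `bail:` label is outside the hunk, so unless it releases this pointer the valgrind fix in this release (#1575549) misses this case. Free it before leaving, `free( file_realpath ); file_realpath = NULL; goto bail;`, or let bail own it. The new "could not get realpath" message also dropped the errno detail that perror provided; add `strerror(errno)` as the tlsmc_write_file hunk does. tlsmc_extract_cert_key_pair starts outside the hunk.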
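Review bot: The private-key symlink path has the same leak as the certificate path just above it: `file_realpath` from `realpath( pin_filename, NULL )` is not freed when `symlink()` fails before `goto bail`. Release it on that path too, `free( file_realpath ); file_realpath = NULL; goto bail;`, and include `strerror(errno)` in both new messages so a failed symlink into the generated PEM directory is diagnosable. The enclosing function starts and ends outside the hunk.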
@@ -1525,6 +1543,7 @@ new file mode 100644 + Debug( LDAP_DEBUG_ANY, + "tlsmc_convert: WARN: extracted cacerts dir is not present.\n", + 0, 0, 0 ); ++ if ( *ld_cacertdir ) PR_smprintf_free( *ld_cacertdir ); + *ld_cacertdir = NULL; + } + @@ -1536,6 +1555,7 @@ new file mode 100644 + Debug( LDAP_DEBUG_ANY, + "tlsmc_convert: WARN: extracted cert file is not present.\n", + 0, 0, 0 ); ++ if ( *ld_cert ) PR_smprintf_free( *ld_cert ); + *ld_cert = NULL; + } + @@ -1547,13 +1567,16 @@ new file mode 100644 + Debug( LDAP_DEBUG_ANY, + "tlsmc_convert: WARN: extracted key file is not present.\n", + 0, 0, 0 ); ++ if ( *ld_key ) PR_smprintf_free( *ld_key ); + *ld_key = NULL; + } + + rv = 1; + +bail: ++ if ( checksum ) free( checksum ); + if ( pem_dir ) PR_smprintf_free( pem_dir ); ++ if ( readme_path ) PR_smprintf_free( readme_path ); + if ( data ) free( data ); + if ( nssdb_prefix ) free( nssdb_prefix ); + if ( nssdb_dir_path ) free( nssdb_dir_path ); diff --git a/SPECS/openldap.spec b/SPECS/openldap.spec index 85abac9..9252ea6 100644 --- a/SPECS/openldap.spec +++ b/SPECS/openldap.spec @@ -5,7 +5,7 @@ Name: openldap Version: 2.4.44 -Release: 15%{?dist} +Release: 20%{?dist} Summary: LDAP support libraries Group: System Environment/Daemons License: OpenLDAP @@ -53,6 +53,13 @@ Patch25: openldap-man-ldap-conf.patch Patch35: openldap-ITS8428-init-sc_writewait.patch Patch36: openldap-bdb_idl_fetch_key-correct-key-pointer.patch Patch37: openldap-ITS8655-fix-double-free-on-paged-search-with-pagesize-0.patch +Patch38: openldap-ITS8720-back-ldap-starttls-timeout.patch + +# fixes for DH and ECDH +Patch50: openldap-openssl-its7506-fix-DH-params-1.patch +Patch51: openldap-openssl-its7506-fix-DH-params-2.patch +Patch52: openldap-openssl-ITS7595-Add-EC-support-1.patch +Patch53: openldap-openssl-ITS7595-Add-EC-support-2.patch # check-password module specific patches Patch90: check-password-makefile.patch 
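Review bot: The new `bail:` cleanup frees `checksum` with free(3) next to `PR_smprintf_free` for the PR_smprintf-built strings; that is correct only if `checksum` came from malloc, and its allocation is outside the hunk — if it was produced by an NSPR/NSS helper it must go through the matching deallocator. A comment at the declaration naming the allocator, e.g. `/* checksum: malloc(3)'d, released with free() in bail */`, would keep the next leak fix from guessing. Style: `free(NULL)` is a no-op, so the `if ( checksum )` guard is redundant, though it matches the surrounding pattern. tlsmc_convert starts outside the hunk.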
@@ -175,6 +182,11 @@ AUTOMAKE=%{_bindir}/true autoreconf -fi %patch35 -p1 %patch36 -p1 %patch37 -p1 +%patch38 -p1 +%patch50 -p1 +%patch51 -p1 +%patch52 -p1 +%patch53 -p1 %patch102 -p1 @@ -217,7 +229,7 @@ popd export LDFLAGS="-pie" # avoid stray dependencies (linker flag --as-needed) # enable experimental support for LDAP over UDP (LDAP_CONNECTIONLESS) -export CFLAGS="${CFLAGS} %{optflags} -Wl,-z,relro,-z,now,--as-needed -DLDAP_CONNECTIONLESS" +export CFLAGS="${CFLAGS} %{optflags} -Wl,-z,relro,-z,now,--as-needed -DLDAP_CONNECTIONLESS -DLDAP_USE_NON_BLOCKING_TLS" pushd openldap-%{version} %configure \ @@ -660,11 +672,26 @@ exit 0 %{_mandir}/man3/* %changelog -* Tue Apr 3 2018 Matus Honek - 2.4.44-15 -- Bump release to version 2.4.44-15 +* Tue Aug 21 2018 Matus Honek - 2.4.44-20 +- Backport upstream fixes for ITS 7595 - add OpenSSL EC support (#1584922) + +* Tue Aug 14 2018 Matus Honek - 2.4.44-19 +- Backport upstream fixes for ITS 7506 - fix OpenSSL DH params usage (#1584922) + +* Thu Jun 21 2018 Matus Honek - 2.4.44-18 +- MozNSS Compat. Layer: Make log messages more clear (#1543955) +- Build with LDAP_USE_NON_BLOCKING_TLS (#1471039) + +* Thu Jun 21 2018 Matus Honek - 2.4.44-17 +- MozNSS Compat. Layer: Fix memleaks reported by valgrind (#1575549) +- Reset OPTIND in libexec/functions for getopts to work in subsequent calls (#1564382) +- MozNSS Compat. Layer: Fix typos, and spelling in the README file header (#1543451) + +* Wed Apr 4 2018 Matus Honek - 2.4.44-16 +- fix: back-ldap StartTLS short connection timeout with high latency connections (#1540336) * Thu Mar 29 2018 Matus Honek - 2.4.44-14 -- MozNSS Compat. Layer: Enforce fail when cannot extract CA certs (#1563080) +- MozNSS Compat. Layer: Enforce fail when cannot extract CA certs (#1547922) * Wed Jan 31 2018 Matus Honek - 2.4.44-13 - MozNSS Compat. Layer: fix recursive directory deletion (#1516409)
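Review bot: `-DLDAP_USE_NON_BLOCKING_TLS` changes libldap's TLS handshake path for every consumer of the shared library, yet unlike the `LDAP_CONNECTIONLESS` define next to it there is no comment saying what it does or why; add one, e.g. `# perform the TLS handshake on a non-blocking socket so that the configured network timeout also bounds StartTLS/ldaps connects (LDAP_USE_NON_BLOCKING_TLS, #1471039)` (the effect is my reading of the macro name and the referenced bug; confirm against libldap's tls2.c). Since it is injected through CFLAGS rather than configure, it is also worth noting that no installed header reflects it, so out-of-tree code compiled against these headers cannot detect the behaviour.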