diff --git a/.gitignore b/.gitignore
index 7639ffb..6d6680b 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,2 @@
 SOURCES/ltb-project-openldap-ppolicy-check-password-1.1.tar.gz
-SOURCES/openldap-2.4.39.tgz
+SOURCES/openldap-2.4.40.tgz
diff --git a/.openldap.metadata b/.openldap.metadata
index 5df585c..e394c8f 100644
--- a/.openldap.metadata
+++ b/.openldap.metadata
@@ -1,2 +1,2 @@
 444fe85f8c42d97355d88ec295b18ecb58faeb52 SOURCES/ltb-project-openldap-ppolicy-check-password-1.1.tar.gz
-2b8e8401214867c361f7212e7058f95118b5bd6c SOURCES/openldap-2.4.39.tgz
+0cfac3b024b99de2e2456cc7254481b6644e0b96 SOURCES/openldap-2.4.40.tgz
diff --git a/SOURCES/check-password-makefile.patch b/SOURCES/check-password-makefile.patch
new file mode 100644
index 0000000..f39ba81
--- /dev/null
+++ b/SOURCES/check-password-makefile.patch
@@ -0,0 +1,41 @@ +--- a/Makefile 2009-10-31 18:59:06.000000000 +0100 ++++ b/Makefile 2014-12-17 09:42:37.586079225 +0100 +@@ -13,22 +13,11 @@ + # + CONFIG=/etc/openldap/check_password.conf + +-OPT=-g -O2 -Wall -fpic \ +- -DHAVE_CRACKLIB -DCRACKLIB_DICTPATH="\"$(CRACKLIB)\"" \ +- -DCONFIG_FILE="\"$(CONFIG)\"" \ ++CFLAGS+=-fpic \ ++ -DHAVE_CRACKLIB -DCRACKLIB_DICTPATH="\"$(CRACKLIB)\"" \ ++ -DCONFIG_FILE="\"$(CONFIG)\"" \ + -DDEBUG + +-# Where to find the OpenLDAP headers. +-# +-LDAP_INC=-I/home/pyb/tmp/openldap-2.3.39/include \ +- -I/home/pyb/tmp/openldap-2.3.39/servers/slapd +- +-# Where to find the CrackLib headers. +-# +-CRACK_INC= +- +-INCS=$(LDAP_INC) $(CRACK_INC) +- + LDAP_LIB=-lldap_r -llber + + # Comment out this line if you do NOT want to use the cracklib. +@@ -45,10 +34,10 @@ + all: check_password + + check_password.o: +- $(CC) $(OPT) -c $(INCS) check_password.c ++ $(CC) $(CFLAGS) -c $(LDAP_INC) check_password.c + + check_password: clean check_password.o +- $(CC) -shared -o check_password.so check_password.o $(CRACKLIB_LIB) ++ $(CC) $(LDFLAGS) -shared -o check_password.so check_password.o $(CRACKLIB_LIB) + + install: check_password + cp -f check_password.so ../../../usr/lib/openldap/modules/ diff --git a/SOURCES/check-password.patch b/SOURCES/check-password.patch new file mode 100644 index 0000000..7a79e95 --- /dev/null +++ b/SOURCES/check-password.patch 
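Review bot: The rewritten `check_password.o` rule still expands `$(LDAP_INC)` while the same patch deletes the `LDAP_INC=` definition a few lines above, so the OpenLDAP include path now has to come from the environment or the make command line and nothing in the Makefile says so. A one-line comment next to the rule, e.g. `# LDAP_INC is supplied by the caller (spec file): OpenLDAP include/ and servers/slapd`, would make that contract explicit. The same applies to `CFLAGS` and `LDFLAGS`, which the patch switches to `+=` so that the packaging flags are inherited rather than replaced.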
@@ -0,0 +1,321 @@ +--- a/check_password.c 2009-10-31 18:59:06.000000000 +0100 ++++ b/check_password.c 2014-12-17 12:25:00.148900907 +0100 +@@ -10,7 +10,7 @@ + #include + + #ifdef HAVE_CRACKLIB +-#include "crack.h" ++#include + #endif + + #if defined(DEBUG) +@@ -34,18 +34,77 @@ + #define PASSWORD_TOO_SHORT_SZ \ + "Password for dn=\"%s\" is too short (%d/6)" + #define PASSWORD_QUALITY_SZ \ +- "Password for dn=\"%s\" does not pass required number of strength checks (%d of %d)" ++ "Password for dn=\"%s\" does not pass required number of strength checks for the required character sets (%d of %d)" + #define BAD_PASSWORD_SZ \ + "Bad password for dn=\"%s\" because %s" ++#define UNKNOWN_ERROR_SZ \ ++ "An unknown error occurred, please see your systems administrator" + + typedef int (*validator) (char*); +-static int read_config_file (char *); ++static int read_config_file (); + static validator valid_word (char *); + static int set_quality (char *); + static int set_cracklib (char *); + + int check_password (char *pPasswd, char **ppErrStr, Entry *pEntry); + ++struct config_entry { ++ char* key; ++ char* value; ++ char* def_value; ++} config_entries[] = { { "minPoints", NULL, "3"}, ++ { "useCracklib", NULL, "1"}, ++ { "minUpper", NULL, "0"}, ++ { "minLower", NULL, "0"}, ++ { "minDigit", NULL, "0"}, ++ { "minPunct", NULL, "0"}, ++ { NULL, NULL, NULL }}; ++ ++int get_config_entry_int(char* entry) { ++ struct config_entry* centry = config_entries; ++ ++ int i = 0; ++ char* key = centry[i].key; ++ while (key != NULL) { ++ if ( strncmp(key, entry, strlen(key)) == 0 ) { ++ if ( centry[i].value == NULL ) { ++ return atoi(centry[i].def_value); ++ } ++ else { ++ return atoi(centry[i].value); ++ } ++ } ++ i++; ++ key = centry[i].key; ++ } ++ ++ return -1; ++} ++ ++void dealloc_config_entries() { ++ struct config_entry* centry = config_entries; ++ ++ int i = 0; ++ while (centry[i].key != NULL) { ++ if ( centry[i].value != NULL ) { ++ ber_memfree(centry[i].value); ++ } ++ i++; ++ } ++} 
++ ++char* chomp(char *s) ++{ ++ char* t = ber_memalloc(strlen(s)+1); ++ strncpy (t,s,strlen(s)+1); ++ ++ if ( t[strlen(t)-1] == '\n' ) { ++ t[strlen(t)-1] = '\0'; ++ } ++ ++ return t; ++} ++ + static int set_quality (char *value) + { + #if defined(DEBUG) +@@ -84,12 +143,12 @@ + char * parameter; + validator dealer; + } list[] = { { "minPoints", set_quality }, +- { "useCracklib", set_cracklib }, +- { "minUpper", set_digit }, +- { "minLower", set_digit }, +- { "minDigit", set_digit }, +- { "minPunct", set_digit }, +- { NULL, NULL } }; ++ { "useCracklib", set_cracklib }, ++ { "minUpper", set_digit }, ++ { "minLower", set_digit }, ++ { "minDigit", set_digit }, ++ { "minPunct", set_digit }, ++ { NULL, NULL } }; + int index = 0; + + #if defined(DEBUG) +@@ -98,7 +157,7 @@ + + while (list[index].parameter != NULL) { + if (strlen(word) == strlen(list[index].parameter) && +- strcmp(list[index].parameter, word) == 0) { ++ strcmp(list[index].parameter, word) == 0) { + #if defined(DEBUG) + syslog(LOG_NOTICE, "check_password: Parameter accepted."); + #endif +@@ -114,13 +173,15 @@ + return NULL; + } + +-static int read_config_file (char *keyWord) ++static int read_config_file () + { + FILE * config; + char * line; + int returnValue = -1; + +- if ((line = ber_memcalloc(260, sizeof(char))) == NULL) { ++ line = ber_memcalloc(260, sizeof(char)); ++ ++ if ( line == NULL ) { + return returnValue; + } + +@@ -133,6 +194,8 @@ + return returnValue; + } + ++ returnValue = 0; ++ + while (fgets(line, 256, config) != NULL) { + char *start = line; + char *word, *value; +@@ -145,23 +208,40 @@ + + while (isspace(*start) && isascii(*start)) start++; + +- if (! isascii(*start)) ++ /* If we've got punctuation, just skip the line. */ ++ if ( ispunct(*start)) { ++#if defined(DEBUG) ++ /* Debug traces to syslog. 
*/ ++ syslog(LOG_NOTICE, "check_password: Skipped line |%s|", line); ++#endif + continue; ++ } + +- if ((word = strtok(start, " \t")) && (dealer = valid_word(word)) && (strcmp(keyWord,word)==0)) { +- if ((value = strtok(NULL, " \t")) == NULL) +- continue; ++ if( isascii(*start)) { ++ ++ struct config_entry* centry = config_entries; ++ int i = 0; ++ char* keyWord = centry[i].key; ++ if ((word = strtok(start, " \t")) && (value = strtok(NULL, " \t"))) { ++ while ( keyWord != NULL ) { ++ if ((strncmp(keyWord,word,strlen(keyWord)) == 0) && (dealer = valid_word(word)) ) { + + #if defined(DEBUG) +- syslog(LOG_NOTICE, "check_password: Word = %s, value = %s", word, value); ++ syslog(LOG_NOTICE, "check_password: Word = %s, value = %s", word, value); + #endif + +- returnValue = (*dealer)(value); ++ centry[i].value = chomp(value); ++ break; ++ } ++ i++; ++ keyWord = centry[i].key; ++ } ++ } + } + } +- + fclose(config); + ber_memfree(line); ++ + return returnValue; + } + +@@ -170,7 +250,7 @@ + if (curlen < nextlen + MEMORY_MARGIN) { + #if defined(DEBUG) + syslog(LOG_WARNING, "check_password: Reallocating szErrStr from %d to %d", +- curlen, nextlen + MEMORY_MARGIN); ++ curlen, nextlen + MEMORY_MARGIN); + #endif + ber_memfree(*target); + curlen = nextlen + MEMORY_MARGIN; +@@ -180,7 +260,7 @@ + return curlen; + } + +- int ++int + check_password (char *pPasswd, char **ppErrStr, Entry *pEntry) + { + +@@ -210,20 +290,22 @@ + nLen = strlen (pPasswd); + if ( nLen < 6) { + mem_len = realloc_error_message(&szErrStr, mem_len, +- strlen(PASSWORD_TOO_SHORT_SZ) + +- strlen(pEntry->e_name.bv_val) + 1); ++ strlen(PASSWORD_TOO_SHORT_SZ) + ++ strlen(pEntry->e_name.bv_val) + 1); + sprintf (szErrStr, PASSWORD_TOO_SHORT_SZ, pEntry->e_name.bv_val, nLen); + goto fail; + } + +- /* Read config file */ +- minQuality = read_config_file("minPoints"); ++ if (read_config_file() == -1) { ++ syslog(LOG_ERR, "Warning: Could not read values from config file %s. 
Using defaults.", CONFIG_FILE); ++ } + +- useCracklib = read_config_file("useCracklib"); +- minUpper = read_config_file("minUpper"); +- minLower = read_config_file("minLower"); +- minDigit = read_config_file("minDigit"); +- minPunct = read_config_file("minPunct"); ++ minQuality = get_config_entry_int("minPoints"); ++ useCracklib = get_config_entry_int("useCracklib"); ++ minUpper = get_config_entry_int("minUpper"); ++ minLower = get_config_entry_int("minLower"); ++ minDigit = get_config_entry_int("minDigit"); ++ minPunct = get_config_entry_int("minPunct"); + + /** The password must have at least minQuality strength points with one + * point for the first occurrance of a lower, upper, digit and +@@ -232,8 +314,6 @@ + + for ( i = 0; i < nLen; i++ ) { + +- if ( nQuality >= minQuality ) break; +- + if ( islower (pPasswd[i]) ) { + minLower--; + if ( !nLower && (minLower < 1)) { +@@ -279,12 +359,23 @@ + } + } + +- if ( nQuality < minQuality ) { ++ /* ++ * If you have a required field, then it should be required in the strength ++ * checks. 
++ */ ++ ++ if ( ++ (minLower > 0 ) || ++ (minUpper > 0 ) || ++ (minDigit > 0 ) || ++ (minPunct > 0 ) || ++ (nQuality < minQuality) ++ ) { + mem_len = realloc_error_message(&szErrStr, mem_len, +- strlen(PASSWORD_QUALITY_SZ) + +- strlen(pEntry->e_name.bv_val) + 2); ++ strlen(PASSWORD_QUALITY_SZ) + ++ strlen(pEntry->e_name.bv_val) + 2); + sprintf (szErrStr, PASSWORD_QUALITY_SZ, pEntry->e_name.bv_val, +- nQuality, minQuality); ++ nQuality, minQuality); + goto fail; + } + +@@ -306,7 +397,7 @@ + for ( j = 0; j < 3; j++ ) { + + snprintf (filename, FILENAME_MAXLEN - 1, "%s.%s", \ +- CRACKLIB_DICTPATH, ext[j]); ++ CRACKLIB_DICTPATH, ext[j]); + + if (( fp = fopen ( filename, "r")) == NULL ) { + +@@ -326,9 +417,9 @@ + r = (char *) FascistCheck (pPasswd, CRACKLIB_DICTPATH); + if ( r != NULL ) { + mem_len = realloc_error_message(&szErrStr, mem_len, +- strlen(BAD_PASSWORD_SZ) + +- strlen(pEntry->e_name.bv_val) + +- strlen(r)); ++ strlen(BAD_PASSWORD_SZ) + ++ strlen(pEntry->e_name.bv_val) + ++ strlen(r)); + sprintf (szErrStr, BAD_PASSWORD_SZ, pEntry->e_name.bv_val, r); + goto fail; + } +@@ -342,15 +433,15 @@ + } + + #endif +- ++ dealloc_config_entries(); + *ppErrStr = strdup (""); + ber_memfree(szErrStr); + return (LDAP_SUCCESS); + + fail: ++ dealloc_config_entries(); + *ppErrStr = strdup (szErrStr); + ber_memfree(szErrStr); + return (EXIT_FAILURE); + + } +- diff --git a/SOURCES/openldap-dns-priority.patch b/SOURCES/openldap-dns-priority.patch deleted file mode 100644 index 8dc0923..0000000 --- a/SOURCES/openldap-dns-priority.patch +++ /dev/null 
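Review bot: `dealloc_config_entries()` frees each `centry[i].value` but leaves the pointer in place, and `config_entries` is a file-scope table that `read_config_file()` refills on every `check_password()` call; on a later call where the file cannot be opened (the "Using defaults" path) or a key is absent from it, `get_config_entry_int()` passes the freed buffer to `atoi()` and the second `dealloc_config_entries()` frees it again. The fix is one line after the free: `centry[i].value = NULL;`. `read_config_file()` also overwrites an existing `centry[i].value` with a fresh `chomp()` result when a key appears twice in the file, leaking the earlier copy, and `chomp()` does not check the `ber_memalloc()` result before calling `strncpy()` on it. If slapd invokes `check_password()` from several threads at once, the shared table is rewritten and freed without any locking as well. The `check_password()` hunks show only fragments of that function.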
@@ -1,192 +0,0 @@ -Implement priority/weight for DNS SRV records - -From RFC 2782: - - A client MUST attempt to contact the target host with the - lowest-numbered priority it can reach. - -This patch sorts the DNS SRV records by their priority, and -additionally gives records with a larger weight a higher probability -of appearing earlier. This way, the DNS SRV records are tried in the -order of their priority. - -Author: James M Leddy -Upstream ITS: #7027 -Resolves: #733078 - ---- - libraries/libldap/dnssrv.c | 106 ++++++++++++++++++++++++++++++++++---------- - 1 files changed, 83 insertions(+), 23 deletions(-) - -diff --git a/libraries/libldap/dnssrv.c b/libraries/libldap/dnssrv.c -index 16b1544..40f93b4 100644 ---- a/libraries/libldap/dnssrv.c -+++ b/libraries/libldap/dnssrv.c -@@ -174,6 +174,46 @@ int ldap_domain2dn( - return LDAP_SUCCESS; - } - -+#ifdef HAVE_RES_QUERY -+#define DNSBUFSIZ (64*1024) -+typedef struct srv_record { -+ u_short priority; -+ u_short weight; -+ u_short port; -+ char hostname[DNSBUFSIZ]; -+} srv_record; -+ -+ -+static int srv_cmp(const void *aa, const void *bb){ -+ srv_record *a=(srv_record *)aa; -+ srv_record *b=(srv_record *)bb; -+ u_long total; -+ -+ if(a->priority < b->priority) { -+ return -1; -+ } -+ if(a->priority > b->priority) { -+ return 1; -+ } -+ if(a->priority == b->priority){ -+ /* targets with same priority are in psudeo random order */ -+ if (a->weight == 0 && b->weight == 0) { -+ if (rand() % 2) { -+ return -1; -+ } else { -+ return 1; -+ } -+ } -+ total = a->weight + b->weight; -+ if (rand() % total < a->weight) { -+ return -1; -+ } else { -+ return 1; -+ } -+ } -+} -+#endif /* HAVE_RES_QUERY */ -+ - /* - * Lookup and return LDAP servers for domain (using the DNS - * SRV record _ldap._tcp.domain). 
-@@ -183,15 +223,16 @@ int ldap_domain2hostlist( - char **list ) - { - #ifdef HAVE_RES_QUERY --#define DNSBUFSIZ (64*1024) -- char *request; -- char *hostlist = NULL; -+ char *request; -+ char *hostlist = NULL; -+ srv_record *hostent_head=NULL; -+ int i; - int rc, len, cur = 0; - unsigned char reply[DNSBUFSIZ]; -+ int hostent_count=0; - - assert( domain != NULL ); - assert( list != NULL ); -- - if( *domain == '\0' ) { - return LDAP_PARAM_ERROR; - } -@@ -223,8 +264,7 @@ int ldap_domain2hostlist( - unsigned char *p; - char host[DNSBUFSIZ]; - int status; -- u_short port; -- /* int priority, weight; */ -+ u_short port, priority, weight; - - /* Parse out query */ - p = reply; -@@ -263,40 +303,56 @@ int ldap_domain2hostlist( - size = (p[0] << 8) | p[1]; - p += 2; - if (type == T_SRV) { -- int buflen; - status = dn_expand(reply, reply + len, p + 6, host, sizeof(host)); - if (status < 0) { - goto out; - } -- /* ignore priority and weight for now */ -- /* priority = (p[0] << 8) | p[1]; */ -- /* weight = (p[2] << 8) | p[3]; */ -+ -+ /* Get priority weight and port */ -+ priority = (p[0] << 8) | p[1]; -+ weight = (p[2] << 8) | p[3]; - port = (p[4] << 8) | p[5]; - - if ( port == 0 || host[ 0 ] == '\0' ) { - goto add_size; - } - -- buflen = strlen(host) + STRLENOF(":65355 "); -- hostlist = (char *) LDAP_REALLOC(hostlist, cur + buflen + 1); -- if (hostlist == NULL) { -- rc = LDAP_NO_MEMORY; -- goto out; -+ hostent_head = (srv_record *) LDAP_REALLOC(hostent_head, (hostent_count+1)*(sizeof(srv_record))); -+ if(hostent_head==NULL){ -+ rc=LDAP_NO_MEMORY; -+ goto out; -+ - } -- if (cur > 0) { -- /* not first time around */ -- hostlist[cur++] = ' '; -- } -- cur += sprintf(&hostlist[cur], "%s:%hu", host, port); -+ hostent_head[hostent_count].priority=priority; -+ hostent_head[hostent_count].weight=weight; -+ hostent_head[hostent_count].port=port; -+ strncpy(hostent_head[hostent_count].hostname, host,255); -+ hostent_count=hostent_count+1; - } - add_size:; - p += size; - } - } -+ 
qsort(hostent_head, hostent_count, sizeof(srv_record), srv_cmp); -+ -+ for(i=0; i0){ -+ hostlist[cur++]=' '; -+ } -+ cur += sprintf(&hostlist[cur], "%s:%hd", hostent_head[i].hostname, hostent_head[i].port); -+ } -+ - if (hostlist == NULL) { -- /* No LDAP servers found in DNS. */ -- rc = LDAP_UNAVAILABLE; -- goto out; -+ /* No LDAP servers found in DNS. */ -+ rc = LDAP_UNAVAILABLE; -+ goto out; - } - - rc = LDAP_SUCCESS; -@@ -308,8 +364,12 @@ add_size:; - if (request != NULL) { - LDAP_FREE(request); - } -+ if (hostent_head != NULL) { -+ LDAP_FREE(hostent_head); -+ } - if (rc != LDAP_SUCCESS && hostlist != NULL) { - LDAP_FREE(hostlist); -+ - } - return rc; - #else --- -1.7.6 - diff --git a/SOURCES/openldap-fix-missing-frontend-indexing.patch b/SOURCES/openldap-fix-missing-frontend-indexing.patch new file mode 100644 index 0000000..d2e8d4e --- /dev/null +++ b/SOURCES/openldap-fix-missing-frontend-indexing.patch @@ -0,0 +1,11 @@ +--- a/servers/slapd/bconfig.c 2015-06-02 14:37:10.930873419 +0200 ++++ b/servers/slapd/bconfig.c 2015-06-02 14:37:35.105233408 +0200 +@@ -4679,7 +4679,7 @@ + if ( ce_type == Cft_Database ) + nsibs--; + +- if ( index != nsibs ) { ++ if ( index != nsibs || isfrontend) { + if ( gotindex ) { + if ( index < nsibs ) { + if ( tailindex ) return LDAP_NAMING_VIOLATION; diff --git a/SOURCES/openldap-nss-ciphers-use-nss-defaults.patch b/SOURCES/openldap-nss-ciphers-use-nss-defaults.patch new file mode 100644 index 0000000..896dd75 --- /dev/null +++ b/SOURCES/openldap-nss-ciphers-use-nss-defaults.patch 
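Review bot: This patch file has no description header, unlike the other patches in SOURCES which carry `Author:`, `Resolves:` or `Upstream ITS:` lines, so the reason for extending the index check to `if ( index != nsibs || isfrontend) {` cannot be reviewed from the file itself. A short preamble stating which misbehaviour it fixes and whether it has been submitted upstream is worth adding. The hunk shows only a fragment of the enclosing function, so where `isfrontend` is declared and set is not visible here.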
@@ -0,0 +1,26 @@ +Use what NSS considers default for DEFAULT cipher string. + +Author: Matus Honek +Resolves: #1245279 + +diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c +--- a/libraries/libldap/tls_m.c ++++ b/libraries/libldap/tls_m.c +@@ -645,7 +645,16 @@ nss_parse_ciphers(const char *cipherstr, int cipher_list[ciphernum]) + } + } else if (!strcmp(cipher, "DEFAULT")) { + for (i=0; i +Original-Author: Martin Poole +Resolves: #1231522 +Related: #1238322 + +diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c +--- a/libraries/libldap/tls_m.c ++++ b/libraries/libldap/tls_m.c +@@ -215,7 +215,6 @@ typedef struct { + /* cipher attributes */ + #define SSL_kRSA 0x00000001L + #define SSL_aRSA 0x00000002L +-#define SSL_RSA (SSL_kRSA|SSL_aRSA) + #define SSL_aDSA 0x00000004L + #define SSL_DSA SSL_aDSA + #define SSL_eNULL 0x00000008L +@@ -225,19 +224,26 @@ typedef struct { + #define SSL_RC2 0x00000080L + #define SSL_AES128 0x00000100L + #define SSL_AES256 0x00000200L +-#define SSL_AES (SSL_AES128|SSL_AES256) + #define SSL_MD5 0x00000400L + #define SSL_SHA1 0x00000800L + #define SSL_kEDH 0x00001000L + #define SSL_CAMELLIA128 0x00002000L + #define SSL_CAMELLIA256 0x00004000L +-#define SSL_CAMELLIA (SSL_CAMELLIA128|SSL_CAMELLIA256) + #define SSL_SEED 0x00008000L + #define SSL_kECDH 0x00010000L + #define SSL_kECDHE 0x00020000L + #define SSL_aECDSA 0x00040000L + #define SSL_SHA256 0x00080000L + #define SSL_SHA384 0x00100000L ++#define SSL_kEECDH 0x00200000L ++#define SSL_AESGCM 0x00400000L ++#define SSL_AEAD 0x00800000L ++ ++/* cipher attributes non-unique - do not use for definitions */ ++#define SSL_RSA 0x00000001L ++#define SSL_AES 0x00000002L ++#define SSL_CAMELLIA 0x00000004L ++#define SSL_ECDH 0x00000008L + + /* cipher strength */ + #define SSL_NULL 0x00000001L +@@ -247,6 +253,9 @@ typedef struct { + #define SSL_MEDIUM 0x00000010L + #define SSL_HIGH 0x00000020L + ++/* cipher strengths non-unique - do not use for definitions */ ++#define 
SSL_EXPORT 0x00000001L ++ + #define SSL2 0x00000001L + #define SSL3 0x00000002L + /* OpenSSL treats SSL3 and TLSv1 the same */ +@@ -609,10 +618,12 @@ nss_parse_ciphers(const char *cipherstr, int cipher_list[ciphernum]) + while ((*cipher) && (isspace(*cipher))) + ++cipher; + +- action = 1; + switch(*cipher) { +- case '+': /* Add something */ +- action = 1; ++ case '+': /* Do nothig. NSS does not support ordering. */ ++ Debug( LDAP_DEBUG_ARGS, ++ "TLS: warning: parsing cipher string: ordering is not supported by NSS.\n", ++ 0, 0, 0 ); ++ action = 2; + cipher++; + break; + case '-': /* Subtract something */ +@@ -623,8 +634,8 @@ nss_parse_ciphers(const char *cipherstr, int cipher_list[ciphernum]) + action = -1; + cipher++; + break; +- default: +- /* do nothing */ ++ default: /* Add something */ ++ action = 1; + break; + } + +@@ -654,7 +665,9 @@ nss_parse_ciphers(const char *cipherstr, int cipher_list[ciphernum]) + } + } else { + int mask = 0; ++ int multi_mask = 0; + int strength = 0; ++ int multi_strength = 0; + int protocol = 0; + char *c; + +@@ -665,16 +678,23 @@ nss_parse_ciphers(const char *cipherstr, int cipher_list[ciphernum]) + *c++ = '\0'; + } + +- if (!strcmp(cipher, "RSA")) { +- mask |= SSL_RSA; ++ if ((!strcmp(cipher, "RSA")) || (!strcmp(cipher, "kRSA"))) { ++ mask |= SSL_kRSA; ++ } if (!strcmp(cipher, "aRSA")) { ++ if (!(mask & SSL_kECDH)) //kECDH means no aRSA ++ mask |= SSL_aRSA; ++ else if (mask & SSL_kECDHE) //kECDH and aRSA means kECDHE ++ mask |= SSL_kECDHE|SSL_aRSA; + } else if ((!strcmp(cipher, "NULL")) || (!strcmp(cipher, "eNULL"))) { + mask |= SSL_eNULL; + } else if (!strcmp(cipher, "AES128")) { + mask |= SSL_AES128; + } else if (!strcmp(cipher, "AES256")) { + mask |= SSL_AES256; ++ } else if (!strcmp(cipher, "AESGCM")) { ++ mask |= SSL_AESGCM; + } else if (!strcmp(cipher, "AES")) { +- mask |= SSL_AES; ++ multi_mask |= SSL_AES; + } else if (!strcmp(cipher, "3DES")) { + mask |= SSL_3DES; + } else if (!strcmp(cipher, "DES")) { +@@ -685,27 +705,42 
@@ nss_parse_ciphers(const char *cipherstr, int cipher_list[ciphernum]) + mask |= SSL_RC2; + } else if (!strcmp(cipher, "MD5")) { + mask |= SSL_MD5; +- } else if ((!strcmp(cipher, "SHA")) || (!strcmp(cipher, "SHA1"))) { +- mask |= SSL_SHA1; + } else if (!strcmp(cipher, "SHA256")) { + mask |= SSL_SHA256; ++ } else if (!strcmp(cipher, "SHA384")) { ++ mask |= SSL_SHA384; ++ } else if ((!strcmp(cipher, "SHA")) || (!strcmp(cipher, "SHA1"))) { ++ mask |= SSL_SHA1; + } else if (!strcmp(cipher, "EDH")) { + mask |= SSL_kEDH; +- } else if (!strcmp(cipher, "DSS")) { ++ } else if ((!strcmp(cipher, "DSS")) || (!strcmp(cipher, "aDSS"))) { + mask |= SSL_aDSA; + } else if (!strcmp(cipher, "CAMELLIA128")) { + mask |= SSL_CAMELLIA128; + } else if (!strcmp(cipher, "CAMELLIA256")) { + mask |= SSL_CAMELLIA256; + } else if (!strcmp(cipher, "CAMELLIA")) { +- mask |= SSL_CAMELLIA; ++ multi_mask |= SSL_CAMELLIA; + } else if (!strcmp(cipher, "SEED")) { + mask |= SSL_SEED; +- } else if (!strcmp(cipher, "ECDH")) { ++ } else if (!strcmp(cipher, "kECDHe")) { ++ mask |= SSL_kECDH|SSL_aECDSA; ++ } else if (!strcmp(cipher, "kECDHr")) { ++ mask |= SSL_kECDH|SSL_aRSA; ++ } else if (!strcmp(cipher, "kECDH")) { ++ if (!(mask & SSL_aRSA)) //kECDH does not use aRSA ++ mask |= SSL_kECDH; ++ } else if (!strcmp(cipher, "aECDH")) { + mask |= SSL_kECDH; ++ } else if (!strcmp(cipher, "EECDH")) { ++ mask |= SSL_kECDHE; ++ } else if (!strcmp(cipher, "kEECDH")) { ++ mask |= SSL_kECDHE; + } else if (!strcmp(cipher, "ECDHE")) { + mask |= SSL_kECDHE; +- } else if (!strcmp(cipher, "ECDSA")) { ++ } else if (!strcmp(cipher, "ECDH")) { ++ multi_mask |= SSL_ECDH; ++ } else if ((!strcmp(cipher, "ECDSA")) || (!strcmp(cipher, "aECDSA"))) { + mask |= SSL_aECDSA; + } else if (!strcmp(cipher, "SSLv2")) { + protocol |= SSL2; +@@ -721,12 +756,12 @@ nss_parse_ciphers(const char *cipherstr, int cipher_list[ciphernum]) + strength |= SSL_MEDIUM; + } else if (!strcmp(cipher, "LOW")) { + strength |= SSL_LOW; +- } else if 
((!strcmp(cipher, "EXPORT")) || (!strcmp(cipher, "EXP"))) { +- strength |= SSL_EXPORT40|SSL_EXPORT56; + } else if (!strcmp(cipher, "EXPORT40")) { + strength |= SSL_EXPORT40; + } else if (!strcmp(cipher, "EXPORT56")) { + strength |= SSL_EXPORT56; ++ } else if ((!strcmp(cipher, "EXPORT")) || (!strcmp(cipher, "EXP"))) { ++ multi_strength |= SSL_EXPORT; + } + + if (c) +@@ -734,23 +769,37 @@ nss_parse_ciphers(const char *cipherstr, int cipher_list[ciphernum]) + + } /* while */ + ++ /* NSS does not support ordering */ ++ if (action == 2) ++ continue; ++ + /* If we have a mask, apply it. If not then perhaps they provided + * a specific cipher to enable. ++ * if more than one mask is provided then AND logic applies (to match openssl) + */ +- if (mask || strength || protocol) { ++ if (mask || multi_mask || strength || multi_strength || protocol) { + for (i=0; i +Modified-By: Matus Honek + +--- a/libraries/libldap/init.c ++++ b/libraries/libldap/init.c +@@ -473,7 +473,7 @@ static void openldap_ldap_init_w_env( + * Sorry, don't know how to handle this for non-GCC environments. + */ + static void ldap_int_destroy_global_options(void) +- __attribute__ ((destructor)); ++ __attribute__ ((destructor (2))); + #endif + + static void +--- a/libraries/libldap/tls_m.c ++++ b/libraries/libldap/tls_m.c +@@ -1931,6 +1931,18 @@ tlsm_clientauth_init( tlsm_ctx *ctx ) + return ( status == SECSuccess ? 0 : -1 ); + } + ++#if defined(__GNUC__) ++static void ++tlsm_destroy_on_unload(void) __attribute__ ((destructor (1))); ++ ++static void ++tlsm_destroy_on_unload(void) ++{ ++ if (NSS_IsInitialized()) ++ NSS_UnregisterShutdown(tlsm_nss_shutdown_cb, NULL); ++} ++#endif ++ + /* + * Tear down the TLS subsystem. Should only be called once. + */ diff --git a/SOURCES/openldap-nss-update-list-of-ciphers.patch b/SOURCES/openldap-nss-update-list-of-ciphers.patch index d5986c0..7b8510c 100644 --- a/SOURCES/openldap-nss-update-list-of-ciphers.patch +++ b/SOURCES/openldap-nss-update-list-of-ciphers.patch 
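Review bot: In the rewritten RSA branch of `nss_parse_ciphers` the `else` before `if (!strcmp(cipher, "aRSA"))` was dropped, so the aRSA test runs as a separate statement after the kRSA one and the rest of the chain hangs off it; it only works because no component string matches both tests, and `} else if (!strcmp(cipher, "aRSA")) {` keeps the chain uniform. With that change a plain `RSA` now sets only `SSL_kRSA`, whereas the removed `SSL_RSA` macro expanded to `SSL_kRSA|SSL_aRSA`; if that narrowing is intended it deserves a comment, since the OpenSSL-style name covers both. The new kECDH/aRSA handling also appears to depend on the order in which components are seen within one spec: as far as the visible lines show, `kECDH+aRSA` keeps only kECDH while `aRSA+kECDH` keeps only aRSA, which is worth either a comment or a normalisation step after the `while` loop. The function begins and ends outside the hunk, and part of this patch's text is garbled in the page so its header is not visible.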
@@ -1,15 +1,30 @@ -MozNSS: update list of supported cipher suites +This patch updates MozNSS cipher suite definition in OpenLDAP. -The updated list includes all ciphers implemented in Mozilla NSS 3.13.15 +Author: Matus Honek +Related: #1245279 +Combined two previous patches into one: +Author: Martin Poole Author: Jan Vcelak +Related: #1231522 #1160467 Upstream ITS: #7374 diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c -index 1422ce2..5e49fc5 100644 --- a/libraries/libldap/tls_m.c +++ b/libraries/libldap/tls_m.c -@@ -211,27 +211,34 @@ typedef struct { +@@ -76,6 +76,11 @@ + #define HAVE_SECMOD_RESTARTMODULES 1 + #endif + ++/* NSS 3.20.0 and later have SHA384 ciphers */ ++#if NSS_VERSION_INT >= 0x03140000 ++#define HAVE_SHA384_CIPHERS 1 ++#endif ++ + /* InitContext does not currently work in server mode */ + /* #define INITCONTEXT_HACK 1 */ + +@@ -203,27 +208,36 @@ typedef struct { int num; /* The cipher id */ int attr; /* cipher attributes: algorithms, etc */ int version; /* protocol version valid for this cipher */ @@ -57,10 +72,16 @@ index 1422ce2..5e49fc5 100644 +#define SSL_kECDH 0x00010000L +#define SSL_kECDHE 0x00020000L +#define SSL_aECDSA 0x00040000L ++#define SSL_SHA256 0x00080000L ++#define SSL_SHA384 0x00100000L /* cipher strength */ #define SSL_NULL 0x00000001L -@@ -248,29 +255,70 @@ typedef struct { +@@ -237,32 +251,117 @@ typedef struct { + #define SSL3 0x00000002L + /* OpenSSL treats SSL3 and TLSv1 the same */ + #define TLS1 SSL3 ++#define TLS1_2 0x00000004L /* Cipher translation */ static cipher_properties ciphers_def[] = { 
@@ -87,72 +108,115 @@ index 1422ce2..5e49fc5 100644 + */ + + /* SSLv2 ciphers */ -+ {"DES-CBC-MD5", SSL_EN_DES_64_CBC_WITH_MD5, SSL_kRSA|SSL_aRSA|SSL_DES|SSL_MD5, SSL2, SSL_LOW, SSL_NOT_ALLOWED}, -+ {"DES-CBC3-MD5", SSL_EN_DES_192_EDE3_CBC_WITH_MD5, SSL_kRSA|SSL_aRSA|SSL_3DES|SSL_MD5, SSL2, SSL_HIGH, SSL_NOT_ALLOWED}, -+ {"RC2-CBC-MD5", SSL_EN_RC2_128_CBC_WITH_MD5, SSL_kRSA|SSL_aRSA|SSL_RC2|SSL_MD5, SSL2, SSL_MEDIUM, SSL_NOT_ALLOWED}, -+ {"RC4-MD5", SSL_EN_RC4_128_WITH_MD5, SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5, SSL2, SSL_MEDIUM, SSL_NOT_ALLOWED}, -+ {"EXP-RC2-CBC-MD5", SSL_EN_RC2_128_CBC_EXPORT40_WITH_MD5, SSL_kRSA|SSL_aRSA|SSL_RC2|SSL_MD5, SSL2, SSL_EXPORT40, SSL_NOT_ALLOWED}, -+ {"EXP-RC4-MD5", SSL_EN_RC4_128_EXPORT40_WITH_MD5, SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5, SSL2, SSL_EXPORT40, SSL_NOT_ALLOWED}, ++ {"DES-CBC-MD5", SSL_EN_DES_64_CBC_WITH_MD5, SSL_kRSA|SSL_aRSA|SSL_DES|SSL_MD5, SSL2, SSL_LOW}, ++ {"DES-CBC3-MD5", SSL_EN_DES_192_EDE3_CBC_WITH_MD5, SSL_kRSA|SSL_aRSA|SSL_3DES|SSL_MD5, SSL2, SSL_HIGH}, ++ {"RC2-CBC-MD5", SSL_EN_RC2_128_CBC_WITH_MD5, SSL_kRSA|SSL_aRSA|SSL_RC2|SSL_MD5, SSL2, SSL_MEDIUM}, ++ {"RC4-MD5", SSL_EN_RC4_128_WITH_MD5, SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5, SSL2, SSL_MEDIUM}, ++ {"EXP-RC2-CBC-MD5", SSL_EN_RC2_128_CBC_EXPORT40_WITH_MD5, SSL_kRSA|SSL_aRSA|SSL_RC2|SSL_MD5, SSL2, SSL_EXPORT40}, ++ {"EXP-RC4-MD5", SSL_EN_RC4_128_EXPORT40_WITH_MD5, SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5, SSL2, SSL_EXPORT40}, + + /* SSLv3 ciphers */ -+ {"NULL-MD5", SSL_RSA_WITH_NULL_MD5, SSL_kRSA|SSL_aRSA|SSL_eNULL|SSL_MD5, SSL3, SSL_NULL, SSL_NOT_ALLOWED}, -+ {"NULL-SHA", SSL_RSA_WITH_NULL_SHA, SSL_kRSA|SSL_aRSA|SSL_eNULL|SSL_SHA1, SSL3, SSL_NULL, SSL_NOT_ALLOWED}, -+ {"DES-CBC-SHA", SSL_RSA_WITH_DES_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_DES|SSL_SHA1, SSL3, SSL_LOW, SSL_ALLOWED}, -+ {"DES-CBC3-SHA", SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_3DES|SSL_SHA1, SSL3, SSL_HIGH, SSL_ALLOWED}, -+ {"RC4-MD5", SSL_RSA_WITH_RC4_128_MD5, SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5, SSL3, 
SSL_MEDIUM, SSL_ALLOWED}, -+ {"RC4-SHA", SSL_RSA_WITH_RC4_128_SHA, SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_SHA1, SSL3, SSL_MEDIUM, SSL_ALLOWED}, -+ {"EXP-RC2-CBC-MD5", SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5, SSL_kRSA|SSL_aRSA|SSL_RC2|SSL_MD5, SSL3, SSL_EXPORT40, SSL_ALLOWED}, -+ {"EXP-RC4-MD5", SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5, SSL3, SSL_EXPORT40, SSL_ALLOWED}, -+ {"EDH-RSA-DES-CBC-SHA", SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_kEDH|SSL_aRSA|SSL_DES|SSL_SHA1, SSL3, SSL_LOW, SSL_ALLOWED}, -+ {"EDH-RSA-DES-CBC3-SHA", SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_kEDH|SSL_aRSA|SSL_3DES|SSL_SHA1, SSL3, SSL_HIGH, SSL_ALLOWED}, -+ {"EDH-DSS-DES-CBC-SHA", SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_kEDH|SSL_aDSA|SSL_DES|SSL_SHA1, SSL3, SSL_LOW, SSL_ALLOWED}, -+ {"EDH-DSS-DES-CBC3-SHA", SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_kEDH|SSL_aDSA|SSL_3DES|SSL_SHA1, SSL3, SSL_HIGH, SSL_ALLOWED}, ++ {"NULL-MD5", SSL_RSA_WITH_NULL_MD5, SSL_kRSA|SSL_aRSA|SSL_eNULL|SSL_MD5, SSL3, SSL_NULL}, ++ {"NULL-SHA", SSL_RSA_WITH_NULL_SHA, SSL_kRSA|SSL_aRSA|SSL_eNULL|SSL_SHA1, SSL3, SSL_NULL}, ++ {"DES-CBC-SHA", SSL_RSA_WITH_DES_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_DES|SSL_SHA1, SSL3, SSL_LOW}, ++ {"DES-CBC3-SHA", SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_3DES|SSL_SHA1, SSL3, SSL_HIGH}, ++ {"RC4-MD5", SSL_RSA_WITH_RC4_128_MD5, SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5, SSL3, SSL_MEDIUM}, ++ {"RC4-SHA", SSL_RSA_WITH_RC4_128_SHA, SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_SHA1, SSL3, SSL_MEDIUM}, ++ {"EXP-RC2-CBC-MD5", SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5, SSL_kRSA|SSL_aRSA|SSL_RC2|SSL_MD5, SSL3, SSL_EXPORT40}, ++ {"EXP-RC4-MD5", SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5, SSL3, SSL_EXPORT40}, ++ {"EDH-RSA-DES-CBC-SHA", SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_kEDH|SSL_aRSA|SSL_DES|SSL_SHA1, SSL3, SSL_LOW}, ++ {"EDH-RSA-DES-CBC3-SHA", SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_kEDH|SSL_aRSA|SSL_3DES|SSL_SHA1, SSL3, SSL_HIGH}, ++ {"EDH-DSS-DES-CBC-SHA", SSL_DHE_DSS_WITH_DES_CBC_SHA, 
SSL_kEDH|SSL_aDSA|SSL_DES|SSL_SHA1, SSL3, SSL_LOW}, ++ {"EDH-DSS-DES-CBC3-SHA", SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_kEDH|SSL_aDSA|SSL_3DES|SSL_SHA1, SSL3, SSL_HIGH}, /* TLSv1 ciphers */ - {"EXP1024-DES-CBC-SHA", TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_DES|SSL_SHA, TLS1, 56, 56, SSL_EXPORT56, SSL_ALLOWED}, - {"EXP1024-RC4-SHA", TLS_RSA_EXPORT1024_WITH_RC4_56_SHA, SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_SHA, TLS1, 56, 56, SSL_EXPORT56, SSL_ALLOWED}, - {"AES128-SHA", TLS_RSA_WITH_AES_128_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_AES|SSL_SHA, TLS1, 128, 128, SSL_HIGH, SSL_ALLOWED}, - {"AES256-SHA", TLS_RSA_WITH_AES_256_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_AES|SSL_SHA, TLS1, 256, 256, SSL_HIGH, SSL_ALLOWED}, -+ {"EXP1024-DES-CBC-SHA", TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_DES|SSL_SHA1, TLS1, SSL_EXPORT56, SSL_ALLOWED}, -+ {"EXP1024-RC4-SHA", TLS_RSA_EXPORT1024_WITH_RC4_56_SHA, SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_SHA1, TLS1, SSL_EXPORT56, SSL_ALLOWED}, -+ {"SEED-SHA", TLS_RSA_WITH_SEED_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_SEED|SSL_SHA1, TLS1, SSL_MEDIUM, SSL_ALLOWED}, -+ {"AES128-SHA", TLS_RSA_WITH_AES_128_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_AES128|SSL_SHA1, TLS1, SSL_HIGH, SSL_ALLOWED}, -+ {"AES256-SHA", TLS_RSA_WITH_AES_256_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_AES256|SSL_SHA1, TLS1, SSL_HIGH, SSL_ALLOWED}, -+ {"CAMELLIA256-SHA", TLS_RSA_WITH_CAMELLIA_256_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_CAMELLIA|SSL_SHA1, TLS1, SSL_HIGH, SSL_ALLOWED}, -+ {"CAMELLIA128-SHA", TLS_RSA_WITH_CAMELLIA_128_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_CAMELLIA|SSL_SHA1, TLS1, SSL_HIGH, SSL_ALLOWED}, -+ {"DHE-RSA-AES128-SHA", TLS_DHE_RSA_WITH_AES_128_CBC_SHA, SSL_kEDH|SSL_aRSA|SSL_AES128|SSL_SHA1, TLS1, SSL_HIGH, SSL_ALLOWED}, -+ {"DHE-RSA-AES256-SHA", TLS_DHE_RSA_WITH_AES_256_CBC_SHA, SSL_kEDH|SSL_aRSA|SSL_AES256|SSL_SHA1, TLS1, SSL_HIGH, SSL_ALLOWED}, -+ {"DHE-RSA-CAMELLIA128-SHA", TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA, SSL_kEDH|SSL_aRSA|SSL_CAMELLIA128|SSL_SHA1, TLS1, SSL_HIGH, SSL_ALLOWED}, -+ 
{"DHE-RSA-CAMELLIA256-SHA", TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA, SSL_kEDH|SSL_aRSA|SSL_CAMELLIA256|SSL_SHA1, TLS1, SSL_HIGH, SSL_ALLOWED}, -+ {"DHE-DSS-RC4-SHA", TLS_DHE_DSS_WITH_RC4_128_SHA, SSL_kEDH|SSL_aDSA|SSL_RC4|SSL_SHA1, TLS1, SSL_MEDIUM, SSL_ALLOWED}, -+ {"DHE-DSS-AES128-SHA", TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_kEDH|SSL_aDSA|SSL_AES128|SSL_SHA1, TLS1, SSL_HIGH, SSL_ALLOWED}, -+ {"DHE-DSS-AES256-SHA", TLS_DHE_DSS_WITH_AES_256_CBC_SHA, SSL_kEDH|SSL_aDSA|SSL_AES256|SSL_SHA1, TLS1, SSL_HIGH, SSL_ALLOWED}, -+ {"DHE-DSS-CAMELLIA128-SHA", TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA, SSL_kEDH|SSL_aDSA|SSL_CAMELLIA128|SSL_SHA1, TLS1, SSL_HIGH, SSL_ALLOWED}, -+ {"DHE-DSS-CAMELLIA256-SHA", TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA, SSL_kEDH|SSL_aDSA|SSL_CAMELLIA256|SSL_SHA1, TLS1, SSL_HIGH, SSL_ALLOWED}, -+ {"ECDH-RSA-NULL-SHA", TLS_ECDH_RSA_WITH_NULL_SHA, SSL_kECDH|SSL_aRSA|SSL_eNULL|SSL_SHA1, TLS1, SSL_NULL, SSL_NOT_ALLOWED}, -+ {"ECDH-RSA-RC4-SHA", TLS_ECDH_RSA_WITH_RC4_128_SHA, SSL_kECDH|SSL_aRSA|SSL_RC4|SSL_SHA1, TLS1, SSL_MEDIUM, SSL_ALLOWED}, -+ {"ECDH-RSA-DES-CBC3-SHA", TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_kECDH|SSL_aRSA|SSL_3DES|SSL_SHA1, TLS1, SSL_HIGH, SSL_ALLOWED}, -+ {"ECDH-RSA-AES128-SHA", TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, SSL_kECDH|SSL_aRSA|SSL_AES128|SSL_SHA1, TLS1, SSL_HIGH, SSL_ALLOWED}, -+ {"ECDH-RSA-AES256-SHA", TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, SSL_kECDH|SSL_aRSA|SSL_AES256|SSL_SHA1, TLS1, SSL_HIGH, SSL_ALLOWED}, -+ {"ECDH-ECDSA-NULL-SHA", TLS_ECDH_ECDSA_WITH_NULL_SHA, SSL_kECDH|SSL_aECDSA|SSL_eNULL|SSL_SHA1, TLS1, SSL_NULL, SSL_NOT_ALLOWED}, -+ {"ECDH-ECDSA-RC4-SHA", TLS_ECDH_ECDSA_WITH_RC4_128_SHA, SSL_kECDH|SSL_aECDSA|SSL_RC4|SSL_SHA1, TLS1, SSL_MEDIUM, SSL_ALLOWED}, -+ {"ECDH-ECDSA-DES-CBC3-SHA", TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_kECDH|SSL_aECDSA|SSL_3DES|SSL_SHA1, TLS1, SSL_HIGH, SSL_ALLOWED}, -+ {"ECDH-ECDSA-AES128-SHA", TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, SSL_kECDH|SSL_aECDSA|SSL_AES128|SSL_SHA1, TLS1, SSL_HIGH, SSL_ALLOWED}, -+ 
{"ECDH-ECDSA-AES256-SHA", TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, SSL_kECDH|SSL_aECDSA|SSL_AES256|SSL_SHA1, TLS1, SSL_HIGH, SSL_ALLOWED}, -+ {"ECDHE-RSA-NULL-SHA", TLS_ECDHE_RSA_WITH_NULL_SHA, SSL_kECDHE|SSL_aRSA|SSL_eNULL|SSL_SHA1, TLS1, SSL_NULL, SSL_NOT_ALLOWED}, -+ {"ECDHE-RSA-RC4-SHA", TLS_ECDHE_RSA_WITH_RC4_128_SHA, SSL_kECDHE|SSL_aRSA|SSL_RC4|SSL_SHA1, TLS1, SSL_MEDIUM, SSL_ALLOWED}, -+ {"ECDHE-RSA-DES-CBC3-SHA", TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_kECDHE|SSL_aRSA|SSL_3DES|SSL_SHA1, TLS1, SSL_HIGH, SSL_ALLOWED}, -+ {"ECDHE-RSA-AES128-SHA", TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, SSL_kECDHE|SSL_aRSA|SSL_AES128|SSL_SHA1, TLS1, SSL_HIGH, SSL_ALLOWED}, -+ {"ECDHE-RSA-AES256-SHA", TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, SSL_kECDHE|SSL_aRSA|SSL_AES256|SSL_SHA1, TLS1, SSL_HIGH, SSL_ALLOWED}, -+ {"ECDHE-ECDSA-NULL-SHA", TLS_ECDHE_ECDSA_WITH_NULL_SHA, SSL_kECDHE|SSL_aECDSA|SSL_eNULL|SSL_SHA1, TLS1, SSL_NULL, SSL_NOT_ALLOWED}, -+ {"ECDHE-ECDSA-RC4-SHA", TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, SSL_kECDHE|SSL_aECDSA|SSL_RC4|SSL_SHA1, TLS1, SSL_MEDIUM, SSL_ALLOWED}, -+ {"ECDHE-ECDSA-DES-CBC3-SHA", TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_kECDHE|SSL_aECDSA|SSL_3DES|SSL_SHA1, TLS1, SSL_HIGH, SSL_ALLOWED}, -+ {"ECDHE-ECDSA-AES128-SHA", TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, SSL_kECDHE|SSL_aECDSA|SSL_AES128|SSL_SHA1, TLS1, SSL_HIGH, SSL_ALLOWED}, -+ {"ECDHE-ECDSA-AES256-SHA", TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, SSL_kECDHE|SSL_aECDSA|SSL_AES256|SSL_SHA1, TLS1, SSL_HIGH, SSL_ALLOWED}, ++ {"EXP1024-DES-CBC-SHA", TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_DES|SSL_SHA1, TLS1, SSL_EXPORT56}, ++ {"EXP1024-RC4-SHA", TLS_RSA_EXPORT1024_WITH_RC4_56_SHA, SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_SHA1, TLS1, SSL_EXPORT56}, ++ {"SEED-SHA", TLS_RSA_WITH_SEED_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_SEED|SSL_SHA1, TLS1, SSL_MEDIUM}, ++ {"AES128-SHA", TLS_RSA_WITH_AES_128_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_AES128|SSL_SHA1, TLS1, SSL_HIGH}, ++ {"AES256-SHA", TLS_RSA_WITH_AES_256_CBC_SHA, 
SSL_kRSA|SSL_aRSA|SSL_AES256|SSL_SHA1, TLS1, SSL_HIGH}, ++ {"CAMELLIA256-SHA", TLS_RSA_WITH_CAMELLIA_256_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_CAMELLIA256|SSL_SHA1, TLS1, SSL_HIGH}, ++ {"CAMELLIA128-SHA", TLS_RSA_WITH_CAMELLIA_128_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_CAMELLIA128|SSL_SHA1, TLS1, SSL_HIGH}, ++ {"DHE-RSA-AES128-SHA", TLS_DHE_RSA_WITH_AES_128_CBC_SHA, SSL_kEDH|SSL_aRSA|SSL_AES128|SSL_SHA1, TLS1, SSL_HIGH}, ++ {"DHE-RSA-AES256-SHA", TLS_DHE_RSA_WITH_AES_256_CBC_SHA, SSL_kEDH|SSL_aRSA|SSL_AES256|SSL_SHA1, TLS1, SSL_HIGH}, ++ {"DHE-RSA-CAMELLIA128-SHA", TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA, SSL_kEDH|SSL_aRSA|SSL_CAMELLIA128|SSL_SHA1, TLS1, SSL_HIGH}, ++ {"DHE-RSA-CAMELLIA256-SHA", TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA, SSL_kEDH|SSL_aRSA|SSL_CAMELLIA256|SSL_SHA1, TLS1, SSL_HIGH}, ++ {"DHE-DSS-RC4-SHA", TLS_DHE_DSS_WITH_RC4_128_SHA, SSL_kEDH|SSL_aDSA|SSL_RC4|SSL_SHA1, TLS1, SSL_MEDIUM}, ++ {"DHE-DSS-AES128-SHA", TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_kEDH|SSL_aDSA|SSL_AES128|SSL_SHA1, TLS1, SSL_HIGH}, ++ {"DHE-DSS-AES256-SHA", TLS_DHE_DSS_WITH_AES_256_CBC_SHA, SSL_kEDH|SSL_aDSA|SSL_AES256|SSL_SHA1, TLS1, SSL_HIGH}, ++ {"DHE-DSS-CAMELLIA128-SHA", TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA, SSL_kEDH|SSL_aDSA|SSL_CAMELLIA128|SSL_SHA1, TLS1, SSL_HIGH}, ++ {"DHE-DSS-CAMELLIA256-SHA", TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA, SSL_kEDH|SSL_aDSA|SSL_CAMELLIA256|SSL_SHA1, TLS1, SSL_HIGH}, ++ {"ECDH-RSA-NULL-SHA", TLS_ECDH_RSA_WITH_NULL_SHA, SSL_kECDH|SSL_aRSA|SSL_eNULL|SSL_SHA1, TLS1, SSL_NULL}, ++ {"ECDH-RSA-RC4-SHA", TLS_ECDH_RSA_WITH_RC4_128_SHA, SSL_kECDH|SSL_aRSA|SSL_RC4|SSL_SHA1, TLS1, SSL_MEDIUM}, ++ {"ECDH-RSA-DES-CBC3-SHA", TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_kECDH|SSL_aRSA|SSL_3DES|SSL_SHA1, TLS1, SSL_HIGH}, ++ {"ECDH-RSA-AES128-SHA", TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, SSL_kECDH|SSL_aRSA|SSL_AES128|SSL_SHA1, TLS1, SSL_HIGH}, ++ {"ECDH-RSA-AES256-SHA", TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, SSL_kECDH|SSL_aRSA|SSL_AES256|SSL_SHA1, TLS1, SSL_HIGH}, ++ {"ECDH-ECDSA-NULL-SHA", 
TLS_ECDH_ECDSA_WITH_NULL_SHA, SSL_kECDH|SSL_aECDSA|SSL_eNULL|SSL_SHA1, TLS1, SSL_NULL}, ++ {"ECDH-ECDSA-RC4-SHA", TLS_ECDH_ECDSA_WITH_RC4_128_SHA, SSL_kECDH|SSL_aECDSA|SSL_RC4|SSL_SHA1, TLS1, SSL_MEDIUM}, ++ {"ECDH-ECDSA-DES-CBC3-SHA", TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_kECDH|SSL_aECDSA|SSL_3DES|SSL_SHA1, TLS1, SSL_HIGH}, ++ {"ECDH-ECDSA-AES128-SHA", TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, SSL_kECDH|SSL_aECDSA|SSL_AES128|SSL_SHA1, TLS1, SSL_HIGH}, ++ {"ECDH-ECDSA-AES256-SHA", TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, SSL_kECDH|SSL_aECDSA|SSL_AES256|SSL_SHA1, TLS1, SSL_HIGH}, ++ {"ECDHE-RSA-NULL-SHA", TLS_ECDHE_RSA_WITH_NULL_SHA, SSL_kECDHE|SSL_aRSA|SSL_eNULL|SSL_SHA1, TLS1, SSL_NULL}, ++ {"ECDHE-RSA-RC4-SHA", TLS_ECDHE_RSA_WITH_RC4_128_SHA, SSL_kECDHE|SSL_aRSA|SSL_RC4|SSL_SHA1, TLS1, SSL_MEDIUM}, ++ {"ECDHE-RSA-DES-CBC3-SHA", TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_kECDHE|SSL_aRSA|SSL_3DES|SSL_SHA1, TLS1, SSL_HIGH}, ++ {"ECDHE-RSA-AES128-SHA", TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, SSL_kECDHE|SSL_aRSA|SSL_AES128|SSL_SHA1, TLS1, SSL_HIGH}, ++ {"ECDHE-RSA-AES256-SHA", TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, SSL_kECDHE|SSL_aRSA|SSL_AES256|SSL_SHA1, TLS1, SSL_HIGH}, ++ {"ECDHE-ECDSA-NULL-SHA", TLS_ECDHE_ECDSA_WITH_NULL_SHA, SSL_kECDHE|SSL_aECDSA|SSL_eNULL|SSL_SHA1, TLS1, SSL_NULL}, ++ {"ECDHE-ECDSA-RC4-SHA", TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, SSL_kECDHE|SSL_aECDSA|SSL_RC4|SSL_SHA1, TLS1, SSL_MEDIUM}, ++ {"ECDHE-ECDSA-DES-CBC3-SHA", TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_kECDHE|SSL_aECDSA|SSL_3DES|SSL_SHA1, TLS1, SSL_HIGH}, ++ {"ECDHE-ECDSA-AES128-SHA", TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, SSL_kECDHE|SSL_aECDSA|SSL_AES128|SSL_SHA1, TLS1, SSL_HIGH}, ++ {"ECDHE-ECDSA-AES256-SHA", TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, SSL_kECDHE|SSL_aECDSA|SSL_AES256|SSL_SHA1, TLS1, SSL_HIGH}, ++ ++/* conditional on one of the newer defs */ ++#ifdef TLS_RSA_WITH_AES_128_GCM_SHA256 ++ /* TLSv1.2 ciphers */ ++ /* The following ciphers appear in the openssl sources as TLSv1.2 but currently have 
no NSS equivalent ++ ++ DHE-DSS-AES256-GCM-SHA384 TLSv1.2 Kx=DH Au=DSS Enc=AESGCM(256) Mac=AEAD ++ ECDH-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AESGCM(256) Mac=AEAD ++ ECDH-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AESGCM(256) Mac=AEAD ++ ECDH-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AES(256) Mac=SHA384 ++ ECDH-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AES(256) Mac=SHA384 ++ ECDH-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AESGCM(128) Mac=AEAD ++ ECDH-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AESGCM(128) Mac=AEAD ++ ECDH-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AES(128) Mac=SHA256 ++ ECDH-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AES(128) Mac=SHA256 ++ ++ */ ++ {"NULL-SHA256", TLS_RSA_WITH_NULL_SHA256, SSL_kRSA|SSL_aRSA|SSL_eNULL|SSL_SHA256, TLS1_2, SSL_NULL}, ++ {"AES128-SHA256", TLS_RSA_WITH_AES_128_CBC_SHA256, SSL_kRSA|SSL_aRSA|SSL_AES128|SSL_SHA256, TLS1_2, SSL_HIGH}, ++ {"AES256-SHA256", TLS_RSA_WITH_AES_256_CBC_SHA256, SSL_kRSA|SSL_aRSA|SSL_AES256|SSL_SHA256, TLS1_2, SSL_HIGH}, ++ {"AES128-GCM-SHA256", TLS_RSA_WITH_AES_128_GCM_SHA256, SSL_kRSA|SSL_aRSA|SSL_AES128|SSL_AESGCM|SSL_AEAD, TLS1_2, SSL_HIGH}, ++ {"AES256-GCM-SHA384", TLS_RSA_WITH_AES_256_GCM_SHA384, SSL_kRSA|SSL_aRSA|SSL_AES256|SSL_AESGCM|SSL_AEAD, TLS1_2, SSL_HIGH}, ++ ++ {"DHE-RSA-AES256-SHA256", TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, SSL_kEDH|SSL_aRSA|SSL_AES256|SSL_SHA256, TLS1_2, SSL_HIGH}, ++ {"DHE-RSA-AES128-SHA256", TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, SSL_kEDH|SSL_aRSA|SSL_AES128|SSL_SHA256, TLS1_2, SSL_HIGH}, ++ {"DHE-RSA-AES128-GCM-SHA256", TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, SSL_kEDH|SSL_aRSA|SSL_AES128|SSL_AESGCM|SSL_AEAD, TLS1_2, SSL_HIGH}, ++ {"DHE-RSA-AES256-GCM-SHA384", TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, SSL_kEDH|SSL_aRSA|SSL_AES256|SSL_AESGCM|SSL_AEAD, TLS1_2, SSL_HIGH}, ++ ++ {"DHE-DSS-AES128-SHA256", TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, SSL_kEDH|SSL_aDSA|SSL_AES128|SSL_SHA256, 
TLS1_2, SSL_HIGH}, ++ {"DHE-DSS-AES256-SHA256", TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, SSL_kEDH|SSL_aDSA|SSL_AES256|SSL_SHA256, TLS1_2, SSL_HIGH}, ++ {"DHE-DSS-AES128-GCM-SHA256", TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, SSL_kEDH|SSL_aDSA|SSL_AES128|SSL_AESGCM|SSL_AEAD, TLS1_2, SSL_HIGH}, ++ //{"DHE-DSS-AES128-GCM-SHA384", TLS_DHE_DSS_WITH_AES_128_GCM_SHA384, SSL_kEDH|SSL_aDSA|SSL_AES128|SSL_AESGCM|SSL_AEAD, TLS1_2, SSL_HIGH}, ++ ++ {"ECDHE-ECDSA-AES128-SHA256", TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, SSL_kECDHE|SSL_aECDSA|SSL_AES128|SSL_SHA256, TLS1_2, SSL_HIGH}, ++ {"ECDHE-RSA-AES128-SHA256", TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, SSL_kECDHE|SSL_aRSA|SSL_AES128|SSL_SHA256, TLS1_2, SSL_HIGH}, ++ {"ECDHE-ECDSA-AES128-GCM-SHA256", TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, SSL_kECDHE|SSL_aECDSA|SSL_AES128|SSL_AESGCM|SSL_AEAD, TLS1_2, SSL_HIGH}, ++ {"ECDHE-RSA-AES128-GCM-SHA256", TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, SSL_kECDHE|SSL_aRSA|SSL_AES128|SSL_AESGCM|SSL_AEAD, TLS1_2, SSL_HIGH}, ++ {"ECDHE-ECDSA-AES256-GCM-SHA384", TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, SSL_kECDHE|SSL_aECDSA|SSL_AES256|SSL_AESGCM|SSL_AEAD, TLS1_2, SSL_HIGH}, ++ {"ECDHE-RSA-AES256-GCM-SHA384", TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, SSL_kECDHE|SSL_aRSA|SSL_AES256|SSL_AESGCM|SSL_AEAD, TLS1_2, SSL_HIGH}, ++ {"ECDHE-ECDSA-AES256-SHA384", TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, SSL_kECDHE|SSL_aECDSA|SSL_AES256|SSL_SHA384, TLS1_2, SSL_HIGH}, ++ {"ECDHE-RSA-AES256-SHA384", TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, SSL_kECDHE|SSL_aRSA|SSL_AES256|SSL_SHA384, TLS1_2, SSL_HIGH}, ++#endif ++ }; #define ciphernum (sizeof(ciphers_def)/sizeof(cipher_properties)) -@@ -577,6 +625,10 @@ nss_parse_ciphers(const char *cipherstr, int cipher_list[ciphernum]) +@@ -574,6 +673,10 @@ nss_parse_ciphers(const char *cipherstr, int cipher_list[ciphernum]) mask |= SSL_RSA; } else if ((!strcmp(cipher, "NULL")) || (!strcmp(cipher, "eNULL"))) { mask |= SSL_eNULL; 
@@ -163,10 +227,12 @@ index 1422ce2..5e49fc5 100644
} else if (!strcmp(cipher, "AES")) {
mask |= SSL_AES;
} else if (!strcmp(cipher, "3DES")) {
-@@ -591,6 +643,24 @@ nss_parse_ciphers(const char *cipherstr, int cipher_list[ciphernum])
+@@ -588,12 +691,34 @@ nss_parse_ciphers(const char *cipherstr, int cipher_list[ciphernum])
mask |= SSL_MD5;
} else if ((!strcmp(cipher, "SHA")) || (!strcmp(cipher, "SHA1"))) {
mask |= SSL_SHA1;
++ } else if (!strcmp(cipher, "SHA256")) {
++ mask |= SSL_SHA256;
+ } else if (!strcmp(cipher, "EDH")) {
+ mask |= SSL_kEDH;
+ } else if (!strcmp(cipher, "DSS")) {
@@ -188,6 +254,11 @@ index 1422ce2..5e49fc5 100644
} else if (!strcmp(cipher, "SSLv2")) {
protocol |= SSL2;
} else if (!strcmp(cipher, "SSLv3")) {
---
-1.7.11.4
-
+ protocol |= SSL3;
+ } else if (!strcmp(cipher, "TLSv1")) {
+ protocol |= TLS1;
++ } else if (!strcmp(cipher, "TLSv1.2")) {
++ protocol |= TLS1_2;
+ } else if (!strcmp(cipher, "HIGH")) {
+ strength |= SSL_HIGH;
+ } else if (!strcmp(cipher, "MEDIUM")) {
diff --git a/SOURCES/openldap-olcfrontend-config.patch b/SOURCES/openldap-olcfrontend-config.patch
deleted file mode 100644
index d7b81a6..0000000
--- a/SOURCES/openldap-olcfrontend-config.patch
+++ /dev/null
@@ -1,24 +0,0 @@
-From 6c0d57405831fdf51e778505000af3466a42af90 Mon Sep 17 00:00:00 2001
-From: Jan Synacek
-Date: Mon, 8 Sep 2014 13:32:04 +0200
-Subject: [PATCH] fix frontend config
-
----
- servers/slapd/slapd.ldif | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/servers/slapd/slapd.ldif b/servers/slapd/slapd.ldif
-index 6c7c43c..18549d8 100644
---- a/servers/slapd/slapd.ldif
-+++ b/servers/slapd/slapd.ldif
-@@ -47,6 +47,7 @@ include: file://%SYSCONFDIR%/schema/core.ldif
- #
- dn: olcDatabase=frontend,cn=config
- objectClass: olcDatabaseConfig
-+objectClass: olcFrontendConfig
- olcDatabase: frontend
- #
- # Sample global access control policy:
---
-1.9.3
-
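Review bot: The first hunk teaches nss_parse_ciphers to accept the token `SHA256`, but no hunk in this patch accepts `SHA384`, although the cipher table added just above in the same patch tags ECDHE-ECDSA-AES256-SHA384 and ECDHE-RSA-AES256-SHA384 with SSL_SHA384; unless a branch outside these hunks handles it, a cipher string that selects suites by that MAC is treated like an unknown token. The parallel branch next to the SHA256 one would be `} else if (!strcmp(cipher, "SHA384")) {` / `mask |= SSL_SHA384;`. The second hunk (`@@ -188,6 +254,11 @@`) adds only `TLSv1.2` as a protocol token; whether a separate TLSv1.1 token is expected is not visible here and is worth a comment either way. nss_parse_ciphers starts and ends outside these hunks.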
diff --git a/SOURCES/openldap-perl-fix-moduleconfig-config.patch b/SOURCES/openldap-perl-fix-moduleconfig-config.patch
new file mode 100644
index 0000000..8103487
--- /dev/null
+++ b/SOURCES/openldap-perl-fix-moduleconfig-config.patch
@@ -0,0 +1,24 @@
+fix: slaptest doesn't convert perlModuleConfig lines
+
+Resolves: #1184585
+Upstream: ITS #8105
+Author: Jan Synacek
+
+diff --git a/servers/slapd/back-perl/config.c b/servers/slapd/back-perl/config.c
+index fd00965..d1c7886 100644
+--- a/servers/slapd/back-perl/config.c
++++ b/servers/slapd/back-perl/config.c
+@@ -219,9 +219,11 @@ perl_cf(
+ XPUSHs( pb->pb_obj_ref );
+
+ /* Put all arguments on the perl stack */
+- for( args = 1; args < c->argc; args++ ) {
++ for( args = 1; args < c->argc; args++ )
+ XPUSHs(sv_2mortal(newSVpv(c->argv[args], 0)));
+- }
++
++ ber_str2bv( c->line + STRLENOF("perlModuleConfig "), 0, 0, &bv );
++ value_add_one( &pb->pb_module_config, &bv );
+
+ PUTBACK ;
+
diff --git a/SOURCES/openldap-rwm-reference-counting.patch b/SOURCES/openldap-rwm-reference-counting.patch
deleted file mode 100644
index 67f4a66..0000000
--- a/SOURCES/openldap-rwm-reference-counting.patch
+++ /dev/null
@@ -1,26 +0,0 @@
-Author: Jan Synáček
-Resolves: #1061405
-Upstream ITS: #7723
-
-Correctly count references in rwm overlay.
-
---- a/libraries/librewrite/session.c 2010-04-13 22:23:09.000000000 +0200
-+++ b/libraries/librewrite/session.c 2013-11-08 08:47:26.000000000 +0100
-@@ -161,6 +161,7 @@
- #ifdef USE_REWRITE_LDAP_PVT_THREADS
- if ( session ) {
- ldap_pvt_thread_mutex_lock( &session->ls_mutex );
-+ session->ls_count++;
- }
- ldap_pvt_thread_rdwr_runlock( &info->li_cookies_mutex );
- #endif /* USE_REWRITE_LDAP_PVT_THREADS */
-@@ -178,6 +179,7 @@
- )
- {
- assert( session != NULL );
-+ session->ls_count--;
- ldap_pvt_thread_mutex_unlock( &session->ls_mutex );
- }
-
-
-
diff --git a/SOURCES/openldap-ssl-deadlock-revert.patch b/SOURCES/openldap-ssl-deadlock-revert.patch
new file mode 100644
index 0000000..89ebed0
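Review bot: The new side of the nested hunk drops the braces around the `for` loop body, so `XPUSHs(...)` becomes an unbraced single-statement body immediately followed by the two new calls; that reads as if they belonged to the loop and is exactly the layout that makes a later insertion silently wrong. Keep the braces: `for( args = 1; args < c->argc; args++ ) {` / `XPUSHs(sv_2mortal(newSVpv(c->argv[args], 0)));` / `}` and place the two new lines after the closing brace. `c->line + STRLENOF("perlModuleConfig ")` also presumably relies on the directive keyword being matched exactly and followed by a single space; a comment such as `/* c->line is the raw directive line; skip the "perlModuleConfig " keyword */` would record that assumption for the next reader. The declaration of `bv` and the rest of perl_cf are outside the hunk.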
--- /dev/null
+++ b/SOURCES/openldap-ssl-deadlock-revert.patch
@@ -0,0 +1,54 @@
+fix: deadlock during SSL_ForceHandshake when getting connection to replica
+
+Resolves: #1125152
+Author: Jan Synacek
+
+--- a/libraries/libldap/tls_m.c 2015-05-25 12:28:30.326645997 +0200
++++ b/libraries/libldap/tls_m.c 2015-05-25 12:33:38.143399149 +0200
+@@ -141,7 +141,6 @@ static int tlsm_init( void );
+ */
+ static ldap_pvt_thread_mutex_t tlsm_ctx_count_mutex;
+ static ldap_pvt_thread_mutex_t tlsm_init_mutex;
+-static ldap_pvt_thread_mutex_t tlsm_pem_mutex;
+ static PRCallOnceType tlsm_init_mutex_callonce = {0,0};
+
+ static PRStatus PR_CALLBACK
+@@ -159,12 +158,6 @@ tlsm_thr_init_callonce( void )
+ return PR_FAILURE;
+ }
+
+- if ( ldap_pvt_thread_mutex_init( &tlsm_pem_mutex ) ) {
+- Debug( LDAP_DEBUG_ANY,
+- "TLS: could not create mutex for PEM module: %d\n", errno, 0, 0 );
+- return PR_FAILURE;
+- }
+-
+ return PR_SUCCESS;
+ }
+
+@@ -2037,7 +2030,6 @@ tlsm_destroy( void )
+ #ifdef LDAP_R_COMPILE
+ ldap_pvt_thread_mutex_destroy( &tlsm_ctx_count_mutex );
+ ldap_pvt_thread_mutex_destroy( &tlsm_init_mutex );
+- ldap_pvt_thread_mutex_destroy( &tlsm_pem_mutex );
+ #endif
+ }
+
+@@ -2672,16 +2664,9 @@ static int
+ tlsm_session_accept_or_connect( tls_session *session, int is_accept )
+ {
+ tlsm_session *s = (tlsm_session *)session;
+- int rc;
++ int rc = SSL_ForceHandshake( s );
+ const char *op = is_accept ? "accept" : "connect";
+
+- if ( pem_module ) {
+- LDAP_MUTEX_LOCK( &tlsm_pem_mutex );
+- }
+- rc = SSL_ForceHandshake( s );
+- if ( pem_module ) {
+- LDAP_MUTEX_UNLOCK( &tlsm_pem_mutex );
+- }
+ if ( rc ) {
+ PRErrorCode err = PR_GetError();
+ rc = -1;
diff --git a/SOURCES/slapd.service b/SOURCES/slapd.service
index 050ee05..4a76c2f 100644
--- a/SOURCES/slapd.service
+++ b/SOURCES/slapd.service
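Review bot: The patch header names the deadlock it fixes but not why it is safe to stop serializing SSL_ForceHandshake when pem_module is set; the removed Debug text ("could not create mutex for PEM module") shows the mutex was introduced specifically for the PEM module, presumably because it was not considered thread-safe, and a reader of this revert cannot tell whether that constraint has gone away or was merely traded for the deadlock. Add a sentence to the header along the lines of `The PEM-module lock around SSL_ForceHandshake is dropped because [reason — TODO confirm, e.g. the PEM module in use is safe to call concurrently]`. In tlsm_session_accept_or_connect the handshake now runs inside the initializer of rc, ahead of the `op` declaration; it is harmless, but keeping `int rc;` and calling `rc = SSL_ForceHandshake( s );` after the declarations preserves the original ordering and keeps the diff minimal. The remainder of that function is outside the hunk.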
@@ -1,6 +1,6 @@
[Unit]
Description=OpenLDAP Server Daemon
-After=syslog.target network.target
+After=syslog.target NetworkManager-wait-online.service
Documentation=man:slapd
Documentation=man:slapd-config
Documentation=man:slapd-hdb
diff --git a/SPECS/openldap.spec b/SPECS/openldap.spec
index 34647d7..d082ecb 100644
--- a/SPECS/openldap.spec
+++ b/SPECS/openldap.spec
@@ -4,8 +4,8 @@ %global check_password_version 1.1
Name: openldap
-Version: 2.4.39
-Release: 7%{?dist}
+Version: 2.4.40
+Release: 8%{?dist}
Summary: LDAP support libraries
Group: System Environment/Daemons
License: OpenLDAP
@@ -31,7 +31,6 @@ Patch3: openldap-reentrant-gethostby.patch
Patch4: openldap-smbk5pwd-overlay.patch
Patch5: openldap-ldaprc-currentdir.patch
Patch6: openldap-userconfig-setgid.patch
-Patch7: openldap-dns-priority.patch
Patch8: openldap-syncrepl-unset-tls-options.patch
Patch9: openldap-man-sasl-nocanon.patch
Patch10: openldap-ai-addrconfig.patch
@@ -41,6 +40,8 @@ Patch13: openldap-nss-regex-search-hashed-cacert-dir.patch
Patch14: openldap-nss-ignore-certdb-type-prefix.patch
Patch15: openldap-nss-certs-from-certdb-fallback-pem.patch
Patch16: openldap-nss-pk11-freeslot.patch
+Patch17: openldap-nss-unregister-on-unload.patch
+Patch18: openldap-ssl-deadlock-revert.patch
# fix back_perl problems with lt_dlopen()
# might cause crashes because of symbol collisions
# the proper fix is to link all perl modules against libperl
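Review bot: `After=syslog.target NetworkManager-wait-online.service` ties the start-up ordering to one network manager's unit: on a host where NetworkManager is not installed, or where its wait-online service is not enabled, the dependency is a no-op and slapd can still start before the address it binds to is configured, which is the failure the changelog entry (#1198781) describes. The portable form is `After=network-online.target` together with `Wants=network-online.target`; NetworkManager-wait-online.service, like its systemd-networkd counterpart, is precisely one of the units that delays network-online.target, so the intended behaviour is kept without naming it. `syslog.target` is a legacy target that current systemd no longer defines and can be dropped from the same line.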
@@ -48,16 +49,22 @@ Patch16: openldap-nss-pk11-freeslot.patch
Patch19: openldap-switch-to-lt_dlopenadvise-to-get-RTLD_GLOBAL-set.patch
# ldapi sasl fix pending upstream inclusion
Patch20: openldap-ldapi-sasl.patch
-# rwm reference counting fix, pending upstream inclusion
-Patch21: openldap-rwm-reference-counting.patch
# upstreamed, ITS #7979
Patch22: openldap-support-tlsv1-and-later.patch
-# upstreamed, ITS #7933
-Patch23: openldap-olcfrontend-config.patch
# pending upstream inclusion, ITS #7744
Patch24: openldap-man-tls-reqcert.patch
+# already in upstream, see ITS #8105, incorporated by commits 25bbf11 and fb1bf1c
+Patch25: openldap-perl-fix-moduleconfig-config.patch
+# already in upstream, see ITS#8150, incorporated by commit 39b05c7
+Patch26: openldap-fix-missing-frontend-indexing.patch
+Patch27: openldap-nss-ciphersuite-handle-masks-correctly.patch
+Patch28: openldap-nss-ciphers-use-nss-defaults.patch
# CVE-2015-6908, ITS#8240
-Patch25: openldap-ITS8240-remove-obsolete-assert.patch
+Patch29: openldap-ITS8240-remove-obsolete-assert.patch
+
+# check-password module specific patches
+Patch90: check-password-makefile.patch
+Patch91: check-password.patch
# Fedora specific patches
Patch100: openldap-autoconf-pkgconfig-nss.patch
@@ -68,7 +75,7 @@ BuildRequires: glibc-devel, libtool, libtool-ltdl-devel, groff, perl, perl-devel
# smbk5pwd overlay:
BuildRequires: openssl-devel
Requires: nss-tools
-Requires(post): rpm, coreutils
+Requires(post): rpm, coreutils, findutils
%description
OpenLDAP is an open source suite of LDAP (Lightweight Directory Access
@@ -163,7 +170,6 @@ AUTOMAKE=%{_bindir}/true autoreconf -fi
%patch4 -p1
%patch5 -p1
%patch6 -p1
-%patch7 -p1
%patch8 -p1
%patch9 -p1
%patch10 -p1
@@ -173,13 +179,17 @@ AUTOMAKE=%{_bindir}/true autoreconf -fi
%patch14 -p1
%patch15 -p1
%patch16 -p1
+%patch17 -p1
+%patch18 -p1
%patch19 -p1
%patch20 -p1
-%patch21 -p1
%patch22 -p1
-%patch23 -p1
%patch24 -p1
%patch25 -p1
+%patch26 -p1
+%patch27 -p1
+%patch28 -p1
+%patch29 -p1
%patch102 -p1
@@ -197,6 +207,11 @@ done
popd
+pushd ltb-project-openldap-ppolicy-check-password-%{check_password_version}
+%patch90 -p1
+%patch91 -p1
+popd
+
%build
%ifarch s390 s390x
@@ -207,7 +222,7 @@ popd
export LDFLAGS="-pie"
# avoid stray dependencies (linker flag --as-needed)
# enable experimental support for LDAP over UDP (LDAP_CONNECTIONLESS)
-export CFLAGS="${CFLAGS} %{optflags} -Wl,--as-needed -DLDAP_CONNECTIONLESS"
+export CFLAGS="${CFLAGS} %{optflags} -Wl,-z,relro,-z,now,--as-needed -DLDAP_CONNECTIONLESS"
pushd openldap-%{version}
%configure \
@@ -272,7 +287,9 @@ popd
# install check_password module
pushd ltb-project-openldap-ppolicy-check-password-%{check_password_version}
-install -m 755 check_password.so %{buildroot}%{_libdir}/openldap/
+mv check_password.so check_password.so.%{check_password_version}
+ln -s check_password.so.%{check_password_version} %{buildroot}%{_libdir}/openldap/check_password.so
+install -m 755 check_password.so.%{check_password_version} %{buildroot}%{_libdir}/openldap/
# install -m 644 README %{buildroot}%{_libdir}/openldap
install -d -m 755 %{buildroot}%{_sysconfdir}/openldap
cat > %{buildroot}%{_sysconfdir}/openldap/check_password.conf < %{buildroot}%{_sysconfdir}/openldap/check_password.conf <&/dev/null || :
-%postun -p /sbin/ldconfig
+%postun
+#update only on package erase
+if [ $1 == 0 ]; then
+ /sbin/ldconfig
+fi
%pre servers
@@ -400,7 +417,8 @@ exit 0
%post servers
-/sbin/ldconfig
+/sbin/ldconfig -n %{_libdir}/openldap
+
%systemd_post slapd.service
# generate sample TLS certificate for server (will not replace)
@@ -472,7 +490,7 @@ exit 0
%postun servers
-/sbin/ldconfig
+/sbin/ldconfig ${_libdir}/openldap
%systemd_postun_with_restart slapd.service
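Review bot: In the `%postun servers` hunk the new line `/sbin/ldconfig ${_libdir}/openldap` spells the library directory as a shell variable rather than the RPM macro, so at package-removal time `${_libdir}` expands to nothing and ldconfig is handed `/openldap`, a directory that does not exist, instead of the module directory the line intends. The `%post servers` hunk just above uses the macro form `/sbin/ldconfig -n %{_libdir}/openldap`; the two scriptlets should use the same spelling, and whether `-n` (process only that directory, do not rebuild the cache) belongs in both is a decision to make once and apply to both. In the main-package `%postun` in the same file, `if [ $1 == 0 ]; then` relies on a bash-only `==` inside `[ ]`; `if [ $1 -eq 0 ]; then` is the portable form for the integer argument rpm passes.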
@@ -615,8 +633,45 @@ exit 0
%{_mandir}/man3/*
%changelog
-* Wed Sep 16 2015 Matúš Honěk - 2.4.39-7
-- CVE-2015-6908 openldap: ber_get_next denial of service vulnerability (#1263173)
+* Wed Sep 23 2015 Matúš Honěk - 2.4.40-8
+- NSS does not support string ordering (#1231522)
+- implement and correct order of parsing attributes (#1231522)
+- add multi_mask and multi_strength to correctly handle sets of attributes (#1231522)
+- add new cipher suites and correct AES-GCM attributes (#1245279)
+- correct DEFAULT ciphers handling to exclude eNULL cipher suites (#1245279)
+
+* Mon Sep 14 2015 Matúš Honěk - 2.4.40-7
+- Merge two MozNSS cipher suite definition patches into one. (#1245279)
+- Use what NSS considers default for DEFAULT cipher string. (#1245279)
+- Remove unnecesary defaults from ciphers' definitions (#1245279)
+
+* Tue Sep 01 2015 Matúš Honěk - 2.4.40-6
+- fix: OpenLDAP shared library destructor triggers memory leaks in NSPR (#1249977)
+
+* Fri Jul 24 2015 Matúš Honěk - 2.4.40-5
+- enhancement: support TLS 1.1 and later (#1231522,#1160467)
+- fix: openldap ciphersuite parsing code handles masks incorrectly (#1231522)
+- fix the patch in commit da1b5c (fix: OpenLDAP crash in NSS shutdown handling) (#1231228)
+
+* Mon Jun 29 2015 Matúš Honěk - 2.4.40-4
+- fix: rpm -V complains (#1230263) -- make the previous fix do what was intended
+
+* Mon Jun 22 2015 Matúš Honěk - 2.4.40-3
+- fix: rpm -V complains (#1230263)
+
+* Wed Jun 3 2015 Matúš Honěk - 2.4.40-2
+- fix: missing frontend database indexing (#1226600)
+
+* Wed May 20 2015 Matúš Honěk - 2.4.40-1
+- new upstream release (#1147982)
+- fix: PIE and RELRO check (#1092562)
+- fix: slaptest doesn't convert perlModuleConfig lines (#1184585)
+- fix: OpenLDAP crash in NSS shutdown handling (#1158005)
+- fix: slapd.service may fail to start if binding to NIC ip (#1198781)
+- fix: deadlock during SSL_ForceHandshake when getting connection to replica (#1125152)
+- improve check_password (#1174723, #1196243)
+- provide 
an unversioned symlink to check_password.so.1.1 (#1174634) +- add findutils to requires (#1209229) * Thu Dec 4 2014 Jan Synáček - 2.4.39-6 - refix: slapd.ldif olcFrontend missing important/required objectclass (#1132094)